RE: Is there another NANOG somewhere?

2007-02-16 Thread michael.dillon
 
> the copying and reposting of others'
> ideas and work, ...

This is an odd comment to see regarding the NANOG mailing list. NANOG is
not an academic research publishing venue. It is an information sharing
venue for people working in Internet operations. Copying and reposting
of others' ideas and work is a *GOOD* thing! That is what information
sharing is all about.

I don't see anything in the AUP that requires list members to only post
their own original work.

--Michael Dillon



Throwing out the NANOG AUP

2007-02-16 Thread Martin Hannigan


I created a draft Wiki article to try and bring together everything we've
argued^H^H^H^H^H^H^H discussed over the last few years and I 
it boils down to a few standards (duh).

http://nanog.cluepon.net/index.php/Will_of_the_Members

I don't know if this will work, but my motivation is an 
experiment I read about in Drachten, NL where all traffic
signals were removed as an experiment and only a few standards
are implemented. The rest is left up to the community. Apparently,
the roads are proving to be safer. Perhaps this concept can
work in this community? The NANOG AUP and all associated order
from past Politburos are way out of date and overly complex.

The AUP and all the subsequent FAQs around posting, etc
are outdated and arcane. It should be thrown out entirely.

-M


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Sean Donelan


On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:

> And most ISPs don't provide in-house tech support and an orientation lecture
> when you sign up - though some *do* provide the free A/V these days. :)


Working a day on the help desk at the *other* ISPs, whichever ISP you
want to point fingers at, is always an eye-opening experience.

Even when you think things should be the same, they sometimes have very
different problems to solve.




BGP Update Report

2007-02-16 Thread cidr-report

BGP Update Report
Interval: 02-Feb-07 -to- 15-Feb-07 (14 days)
Observation Point: BGP Peering with AS4637

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS4134   15620  1.0%      12.3 -- CHINANET-BACKBONE No.31,Jin-rong Street
 2 - AS9394   14262  0.9%       4.8 -- CRNET CHINA RAILWAY Internet(CRNET)
 3 - AS17974  13915  0.9%      26.6 -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 4 - AS15611  13178  0.9%     149.8 -- Iranian Research Organisation
 5 - AS702    11831  0.8%      16.6 -- AS702 MCI EMEA - Commercial IP service provider in Europe
 6 - AS24731  10513  0.7%     250.3 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 7 - AS4775   10195  0.7%      39.8 -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus +
 8 - AS8151    9927  0.6%       9.7 -- Uninet S.A. de C.V.
 9 - AS4323    9606  0.6%       7.3 -- TWTC - Time Warner Telecom, Inc.
10 - AS24326   9217  0.6%      83.8 -- TTT-AS-AP TTT Public Company Limited, Service Provider,Bangkok
11 - AS28751   8576  0.6%      35.6 -- CAUCASUS-NET-AS Caucasus Network Tbilisi, Georgia
12 - AS20426   7715  0.5%    1928.8 -- PWC-AS - PriceWaterhouseCoopers, LLP
13 - AS306     7515  0.5%      41.3 -- DNIC - DoD Network Information Center
14 - AS7018    7304  0.5%       4.7 -- ATT-INTERNET4 - ATT WorldNet Services
15 - AS12654   7063  0.5%     172.3 -- RIPE-NCC-RIS-AS RIPE NCC RIS project
16 - AS9737    7041  0.5%      60.2 -- TOTNET-TH-AS-AP Telephone Organization of Thailand
17 - AS30890   7015  0.5%      32.2 -- EVOLVA Evolva Telecom
18 - AS701     6913  0.5%       7.2 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
19 - AS7545    6428  0.4%      11.1 -- TPG-INTERNET-AP TPG Internet Pty Ltd
20 - AS4249    6352  0.4%      45.7 -- LILLY-AS - Eli Lilly and Company


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS31594   4455  0.3%    4455.0 -- FORTESS-AS Fortess LLC Network
 2 - AS20426   7715  0.5%    1928.8 -- PWC-AS - PriceWaterhouseCoopers, LLP
 3 - AS15774   1830  0.1%    1830.0 -- MEDIANAT LLC MEDIANAT, ISP primarily for educational institution
 4 - AS31307   1139  0.1%    1139.0 -- YKYATIRIM YAPI KREDI YATIRIM
 5 - AS38151   1032  0.1%    1032.0 -- ENUM-AS-ID APJII-RD
 6 - AS4587    3028  0.2%    1009.3 -- ONEWORLD2 - One World Internetworking, Inc
 7 - AS34378    955  0.1%     955.0 -- RUG-AS Razguliay-UKRROS Group
 8 - AS3727     831  0.1%     831.0 -- SHRUBB - Shrubbery Networks
 9 - AS14548    785  0.1%     785.0 -- LISTEN-SF-1 - Listen.com
10 - AS31624   3797  0.2%     759.4 -- VFMNL-AS Verza Facility Management BV
11 - AS30707   2081  0.1%     693.7 -- SICOR-US-CA-IRVINE - SICOR Pharmaceuticals, Inc.
12 - AS21761    661  0.0%     661.0 -- BERTS-MEGA-MALL - BERT'S MEGA MALL
13 - AS12408    654  0.0%     654.0 -- BIKENT-AS Bikent Ltd. Autonomous system
14 - AS3043    3118  0.2%     623.6 -- AMPHIB-AS - Amphibian Media Corporation
15 - AS33188   1038  0.1%     519.0 -- SCS-NETWORK-1 - Sono Corporate Suites
16 - AS83478  0.2% 496.9 -- COMTECK - ComTeck
17 - AS20050    959  0.1%     479.5 -- SPPINTERNET01 - Southwest Power Pool
18 - AS35489    958  0.1%     479.0 -- TOTO-TECH-AS Toto Ltd.
19 - AS29630    478  0.0%     478.0 -- AZRENA-AS Azerbaijan Research and Educational Networking
20 - AS36893    477  0.0%     477.0 -- DURAVITEG-AS


TOP 20 Unstable Prefixes
Rank Prefix              Upds     %  Origin AS -- AS Name
 1 - 155.201.48.0/21     7702  0.4%  AS20426 -- PWC-AS - PriceWaterhouseCoopers, LLP
 2 - 194.242.124.0/22    4455  0.2%  AS31594 -- FORTESS-AS Fortess LLC Network
 3 - 89.4.128.0/24       3443  0.2%  AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 4 - 89.4.129.0/24       3237  0.2%  AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 5 - 203.177.144.0/23    3208  0.2%  AS4775  -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus +
 6 - 209.140.24.0/24     3061  0.1%  AS3043  -- AMPHIB-AS - Amphibian Media Corporation
 7 - 89.4.131.0/24       3046  0.1%  AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
 8 - 146.222.76.0/24     2709  0.1%  AS9502  -- OOCL-HKG-AP Hong Kong Headquarters
 9 - 216.32.206.0/24     2552  0.1%  AS20473 -- AS-CHOOPA - Choopa, LLC
10 - 62.89.226.0/24      2130  0.1%  AS20663 -- INAR-VOLOGDA-AS Autonomous System of Vologda
11 - 64.95.193.0/24      2060  0.1%  AS30707 -- SICOR-US-CA-IRVINE - SICOR Pharmaceuticals, Inc.
12 - 62.68.143.0/24      1830  0.1%

The Cidr Report

2007-02-16 Thread cidr-report

This report has been generated at Fri Feb 16 21:46:52 2007 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
09-02-07    207532    134730
10-02-07    207587    134670
11-02-07    207535    134728
12-02-07    207502    134837
13-02-07    207542    135067
14-02-07    207922    135243
15-02-07    208070    135655
16-02-07    208954    135562


AS Summary
 24276  Number of ASes in routing system
 10245  Number of ASes announcing only one prefix
  1485  Largest number of prefixes announced by an AS
AS7018 : ATT-INTERNET4 - ATT WorldNet Services
  90478336  Largest address span announced by an AS (/32s)
AS721  : DISA-ASNBLK - DoD Network Information Center


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 16Feb07 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     209067   135643    73424    35.1%   All ASes

AS18566      990       28      962    97.2%   COVAD - Covad Communications Co.
AS4134      1242      309      933    75.1%   CHINANET-BACKBONE No.31,Jin-rong Street
AS4755      1063      190      873    82.1%   VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
AS9498       955      140      815    85.3%   BBIL-AP BHARTI BT INTERNET LTD.
AS4323      1293      512      781    60.4%   TWTC - Time Warner Telecom, Inc.
AS6478      1130      400      730    64.6%   ATT-INTERNET3 - ATT WorldNet Services
AS22773      725       47      678    93.5%   CCINET-2 - Cox Communications Inc.
AS11492      959      342      617    64.3%   CABLEONE - CABLE ONE
AS17488      598       54      544    91.0%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS8151      1018      483      535    52.6%   Uninet S.A. de C.V.
AS19262      711      179      532    74.8%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS6197      1016      506      510    50.2%   BATI-ATL - BellSouth Network Solutions, Inc
AS7018      1485      980      505    34.0%   ATT-INTERNET4 - ATT WorldNet Services
AS19916      568       71      497    87.5%   ASTRUM-0001 - OLM LLC
AS18101      521       33      488    93.7%   RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS17676      502       65      437    87.1%   JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS4812       492       74      418    85.0%   CHINANET-SH-AP China Telecom (Group)
AS15270      504       87      417    82.7%   AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc.
AS4766       727      315      412    56.7%   KIXS-AS-KR Korea Telecom
AS2386      1108      736      372    33.6%   INS-AS - ATT Data Communications Services
AS721        635      276      359    56.5%   DISA-ASNBLK - DoD Network Information Center
AS3602       526      187      339    64.4%   AS3602-RTI - Rogers Telecom Inc.
AS16852      393       70      323    82.2%   BROADWING-FOCAL - Broadwing Communications Services, Inc.
AS7011       786      475      311    39.6%   FRONTIER-AND-CITIZENS - Frontier Communications, Inc.
AS33588      432      127      305    70.6%   BRESNAN-AS - Bresnan Communications, LLC.
AS6198       556      266      290    52.2%   BATI-MIA - BellSouth Network Solutions, Inc
AS6517       405      120      285    70.4%   YIPESCOM - Yipes Communications, Inc.
AS7029       509      224      285    56.0%   WINDSTREAM - Windstream

Re: wifi for 600, alex

2007-02-16 Thread Alexander Harrowell

Another mobile-land feature 802.11 could do with - dynamic TX power
management.  All the cellular systems have the ability to dial down the
transmitter power the nearer to the BTS/Node B you get. This is not just
good for batteries, but also good for radio, as s/n has diminishing returns
to transmitter power. WLAN, though, shouts as loud next to the AP as on the
other side of the street, which is Not Good for a system that operates in
unlicensed spectrum.

UMTS, for example, has a peak tx wattage an order of magnitude greater than
WLAN, but due to the power management, in a picocell environment comparable
to a WLAN the mean tx wattage is less by a factor of 10.


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Valdis . Kletnieks
On Fri, 16 Feb 2007 03:55:58 EST, Sean Donelan said:
> On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
>> And most ISPs don't provide in-house tech support and an orientation lecture
>> when you sign up - though some *do* provide the free A/V these days. :)
>
> Working a day on the help desk at the *other* ISPs, whichever ISP you
> want to point fingers at, is always an eye-opening experience.

I hear enough from people who *do* work at Some Other Place. :)

> Even when you think things should be the same, they sometimes have very
> different problems to solve.

Never claimed *our* solution would work everywhere (heck, I even admit it
isn't 100% effective for *us*).  A very large chunk of what *we* do would be
doomed to failure at any organization where the problem set includes make a
profit selling connectivity to cost-conscious general consumers.

I just often wish Vint's 140 million would switch to Some Other ISP where
the traffic I see from them didn't cause operational issues for *my*
organization. (And yes, that was carefully phrased - there's multiple
solutions that work for customer and ISP *and* get them off my radar. But
there's no *single* workable solution.)







Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Eric Gauthier

Heya,

>> And the fact that web servers are getting botted is just the cycle of
>> reincarnation - it wasn't that long ago that .edu's had a reputation of
>> getting pwned for the exact same reasons that webservers are targets now:
>> easy to attack, and usually lots of bang-for-buck in pipe size and similar.
>
> You mean they aren't now? Do we have any EDU admins around who want to
> tell us how bad it still is, despite attempts at working on this?
>
> Dorms are basically large honey nets. :)

I run the network for a University with about 12,000 students and 12,000
computers in our dormitories.  We, like many other Universities, have spent the 
last five or six years putting systems in place that are both reactive and 
preventative.  From my perspective, the issues are still there but I'm not 
sure that I agree with your implications.

Do we still have compromised systems?  Yes.  
Is the number of compromised systems at any time large?  No.
Is the situation out of control?  No.

Email me off-list if you want more details.  IMHO, It's too bad broadband 
providers have not yet picked up on what the Universities have done.

Eric :)



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Gadi Evron

On Fri, 16 Feb 2007, Eric Gauthier wrote:
> Heya,
>
>>> And the fact that web servers are getting botted is just the cycle of
>>> reincarnation - it wasn't that long ago that .edu's had a reputation of
>>> getting pwned for the exact same reasons that webservers are targets now:
>>> easy to attack, and usually lots of bang-for-buck in pipe size and
>>> similar.
>>
>> You mean they aren't now? Do we have any EDU admins around who want to
>> tell us how bad it still is, despite attempts at working on this?
>>
>> Dorms are basically large honey nets. :)
>
> I run the network for a University with about 12,000 students and 12,000
> computers in our dormitories.  We, like many other Universities, have spent
> the last five or six years putting systems in place that are both reactive and
> preventative.  From my perspective, the issues are still there but I'm not
> sure that I agree with your implications.
>
> Do we still have compromised systems?  Yes.
> Is the number of compromised systems at any time large?  No.
> Is the situation out of control?  No.
>
> Email me off-list if you want more details.  IMHO, It's too bad broadband

Will do, and also below...

> providers have not yet picked up on what the Universities have done.

Thank you Eric. :)

Can you elaborate a bit on what universities have done which would be
relevant to service providers here?

 
> Eric :)
 



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Sean Donelan


On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:

> I hear enough from people who *do* work at Some Other Place. :)


Hearing about it is not the same as experiencing it first-hand.



> Never claimed *our* solution would work everywhere (heck, I even admit it
> isn't 100% effective for *us*).  A very large chunk of what *we* do would be
> doomed to failure at any organization where the problem set includes make a
> profit selling connectivity to cost-conscious general consumers.


The Other ISPs do all of the things you mentioned, except they don't give
their techs free rooms.  Instead they give out $50 or $100 gift cards for 
in-home or in-store techs from several consumer electronics chains to fix 
customer computers; which may be similar to the level of expertise you
would get from unpaid residential dorm techs.  However, the environment 
and populations aren't necessarily comparable.


Understanding why those things have been doomed to failure is an important 
difference. It isn't because ISPs are unwilling to try them. But instead
it's because ISPs have tried those things (and many other things).  They
fail not because of the cost side of the equation, but because they don't 
have much effect on the problem over the long-term in that environment and 
population.


If someone (vendor, academic, etc) comes up with something that works 
well for the environment and population facing the general public ISP,
there are a lot of ISPs with money constantly asking what can they 
buy/pay/do to fix it.  However, they are also very skeptical, because
this is a well-travelled road, and they've seen a lot of claims that
didn't pan out.


resnets and naming (was: Re: botnets: web servers, end-systems and Vint Cerf)

2007-02-16 Thread Steven Champeon

on Fri, Feb 16, 2007 at 07:43:38AM -0500, Eric Gauthier wrote:
>> Dorms are basically large honey nets. :)
>
> I run the network for a University with about 12,000 students and
> 12,000 computers in our dormitories. We, like many other Universities,
> have spent the last five or six years putting systems in place that
> are both reactive and preventative. From my perspective, the issues
> are still there but I'm not sure that I agree with your implications.
>
> Do we still have compromised systems?  Yes.
> Is the number of compromised systems at any time large?  No.
> Is the situation out of control?  No.
>
> Email me off-list if you want more details.  IMHO, It's too bad broadband
> providers have not yet picked up on what the Universities have done.

Hear, hear. It's also too bad that there are still so many .edus without
rDNS that identifies their resnets and dynamic/anonymous space easily,
though the situation seems to be improving. Not knowing which .edu is
yours, I'll refrain from further comment, but I will give some examples
from some that I know about:

Good examples:
[0-9a-z\-]+\.[0-9a-z\-]+\.resnet\.ubc\.ca
[0-9a-z\-]+\.[0-9a-z]+\.resnet\.yorku\.ca
ip\-[0-9]+\.student\.appstate\.edu
r[0-9]+\.resnet\.cornell\.edu
ip\-[0-9]+\-[0-9]+\.resnet\.emich\.edu
[0-9a-z\-]+\.resnet\.emory\.edu
dynamic\-[0-9]+\-[0-9]+\.dorm\.natpool\.uc\.edu

Bad examples:
resnet\-[0-9]+\.saultc\.on\.ca
[0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore|powers|price|townhouse|woodstock)\.clarkson\.edu
[a-z]+\.(andr|carm|ford|laws|stev|thom|ucrt)[0-9]+\.eiu\.edu
(linden|parkave|ruthdorm|ucrt|village)[0-9a-z]+\-[0-9a-z]+\.fdu\.edu
resnet[0-9]+\.saintmarys\.edu
[0-9a-z\-]+(aolcom|uncgedu)\.uncg\.edu **
(l[0-9]+stf|bl)[0-9]+\.bluford\.ncat\.edu

The general idea is, as has been mentioned before, to use a naming
convention that can easily be blocked in sendmail and other MTAs by the
simple addition of a domain tail or substring to an ACL, such as
'resnet.miskatonic.edu' or 'dyn.miskatonic.edu'. As interesting as it can
be to explore the campus map trying to figure out whether a given DNS
token represents a lab, the administration building, the faculty lounge,
or a dorm, over and over again, there's gotta be some activity that is
more rewarding in the long run, such as skeet shooting or helping people
disinfect their computers (or, joy of joys - both simultaneously!)

** I'd like to single out uncg.edu for special ridicule here - I hope
they're still not doing this, but at one point over the last three years
at least, their DHCP addresses were comprised of the end user's email
address, sans '.' and '@', AS THE HOSTNAME in an otherwise non-subdomained
whole:

e.g., '[EMAIL PROTECTED]' got the hostname 'britney1986aolcom.uncg.edu',
'[EMAIL PROTECTED]' got 'billguncgedu.uncg.edu', etc.

I'm sure the spammers who plague uncg.edu today didn't get their entire
computer-literate student body's addresses through an rDNS scan. After
all, not /all/ of the addresses were in uncg.edu. The rest were in AOLland
or at hotmail or a few other obvious freemail providers.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/
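
An added example, not part of the message above or of any tool it mentions: a Python sketch of why a dedicated resnet subdomain can be covered by one domain-tail ACL entry while per-building names need a maintained regex, plus a zone-audit check for the uncg.edu failure mode. The ACL tails and regexes are taken from the patterns quoted in the message; the sample hostnames are constructed, and every function name is an assumption.

```python
import re
from collections import Counter

# Domain tails as an MTA operator might list them in an ACL. Assumed entries,
# derived from the "good" naming patterns quoted in the message.
RESNET_TAILS = (
    "resnet.cornell.edu",
    "resnet.emory.edu",
    "student.appstate.edu",
    "dorm.natpool.uc.edu",
)

# Three of the "bad" conventions from the message: the dorm is encoded in a
# label that varies per building or per host, so the only usable tail would be
# the whole university and the receiver has to maintain a regex instead.
PER_SITE_PATTERNS = (
    re.compile(r"[0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore"
               r"|powers|price|townhouse|woodstock)\.clarkson\.edu"),
    re.compile(r"[a-z]+\.(andr|carm|ford|laws|stev|thom|ucrt)[0-9]+\.eiu\.edu"),
    re.compile(r"resnet[0-9]+\.saintmarys\.edu"),
)


def normalise(hostname):
    """Lower-case and drop the trailing root dot that PTR answers may carry."""
    return hostname.strip().lower().rstrip(".")


def tail_match(hostname, tails=RESNET_TAILS):
    """Return the ACL tail that covers hostname, or None.

    The comparison is aligned on label boundaries, so 'xresnet.emory.edu'
    does not hit the entry 'resnet.emory.edu'.
    """
    host = normalise(hostname)
    for tail in tails:
        if host == tail or host.endswith("." + tail):
            return tail
    return None


def classify(hostname):
    """'tail-acl', 'per-site-regex' or 'unclassified' for one PTR name."""
    if tail_match(hostname):
        return "tail-acl"
    host = normalise(hostname)
    if any(p.fullmatch(host) for p in PER_SITE_PATTERNS):
        return "per-site-regex"
    return "unclassified"


def embeds_mailbox(hostname, squashed=("aolcom", "uncgedu")):
    """Zone-audit check for the uncg.edu failure mode: a first label that ends
    in a mail domain with the dots removed, i.e. a user's address as hostname."""
    label = normalise(hostname).split(".", 1)[0]
    return any(label.endswith(s) and len(label) > len(s) for s in squashed)


# Constructed PTR names that fit the patterns quoted in the message.
SAMPLE_PTRS = [
    "r1234.resnet.cornell.edu",
    "IP-42.Student.AppState.edu.",
    "dynamic-10-20.dorm.natpool.uc.edu",
    "pc17.hamlin.clarkson.edu",
    "jsmith.ford3.eiu.edu",
    "resnet207.saintmarys.edu",
    "mail.clarkson.edu",
    "xresnet.emory.edu",
]


def summarise(hostnames):
    """Count how many names each kind of rule catches."""
    return Counter(classify(h) for h in hostnames)


if __name__ == "__main__":
    for name in SAMPLE_PTRS:
        print(f"{classify(name):15} {name}")
    print(dict(summarise(SAMPLE_PTRS)))
    print(embeds_mailbox("britney1986aolcom.uncg.edu"))
```
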


Information about Foundry Layer 4-7 Switches

2007-02-16 Thread MARLON BORBA

Fellow NANOGers,

Is there anyone on this list who has worked with Foundry Layer 4-7
switches? Do they live up to the manufacturer's promises? Please shed some
light on this subject: testimonials, experience. I am especially
interested in Application Load Balancing solutions.

Foundry's web site is at

http://www.foundrynet.com/solutions/sol-app-switch/sol-app-avail/

TIA,

Marlon Borba, CISSP.


Re: RBL for bots?

2007-02-16 Thread J. Oquendo
I had started to create a list for brute forcers and have been updating 
them when I can. It's sort of like a personal RBL list with solely the 
ip address of the offender based off of some scripts that I wrote. For 
those interested, the script is twofold:


1) Script runs from cron checking /var/log/*secure/messages/etc, 
depending on the system. If it finds an attacker it blocks them via 
/etc/hosts.deny and/or iptables

2) My version posts the attacking host to www.infiltrated.net/bruteforcers

When I started it, I hadn't heard of or used Denyhosts else I would have 
modified that script in itself. When I first wrote sharpener, I had 
intended on finding the abuse contact for the offending attacker and 
send an automated reply with the date, time, host address and log file 
information. Scenario:


Attack begins
Script sees attack
Script blocks out attack
Script checks the owner of the netblock and finds their abuse contact
Script sends an automated message stating something like: At 02/17/07 
10:20am EST, our host was attacked from a machine in your netblock. The 
offending IP address is xxx.xxx.xxx.xxx


I hadn't had the time to finish the whois $attacker|grep -i abuse 
portion of it though, then I got bored, sidetracked. What I instead do 
now is, I use the bruteforcer list from cron on all machines I 
maintain/manage and have those machines auto block out attackers. The 
theory is if one machine is getting attacked from luzerA, all machines 
should block luzerA, and they do now:


http://www.infiltrated.net/sharpener for those interested in 
modifying/finishing/tweaking the script.


As for creating an RBL such as SORBS or something along those lines. 
Last I need is a packet attack or political "Take my netblock off!" 
crap. Hence me not really wanting to bother updating it for the Interweb 
folk. For those who find it useful, kudos... For those who want to 
ramble on I have mail filters for you so don't bother.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams
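
An added example, not the sharpener script referred to above (its contents do not appear in this message): a Python sketch of the scan, block and share loop the message describes, run over a constructed log. The log lines, threshold, allow-list and function names are assumptions; addresses come from the documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of OpenSSH lines in /var/log/secure.
SAMPLE_LOG = """\
Feb 16 10:20:01 gw sshd[411]: Failed password for root from 192.0.2.10 port 4242 ssh2
Feb 16 10:20:03 gw sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4243 ssh2
Feb 16 10:20:05 gw sshd[412]: Failed password for invalid user a from 198.51.100.7 from 192.0.2.10 port 4244 ssh2
Feb 16 10:21:00 gw sshd[420]: Failed password for bob from 198.51.100.7 port 5000 ssh2
Feb 16 10:22:00 gw sshd[430]: Accepted password for alice from 203.0.113.5 port 6000 ssh2
Feb 16 10:23:00 gw sshd[431]: Failed password for alice from 203.0.113.5 port 6001 ssh2
Feb 16 10:23:02 gw sshd[431]: Failed password for alice from 203.0.113.5 port 6002 ssh2
Feb 16 10:23:04 gw sshd[431]: Failed password for alice from 203.0.113.5 port 6003 ssh2
"""

# Anchored to the end of the line: the user name is remote-supplied text, so
# only the address in the fixed tail that sshd itself writes is used.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\S+) port \d+(?: ssh2)?$"
)


def parse_ip(text):
    """Return an ip_address object, or None if text is not a literal address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def failed_sources(log_text):
    """Count failed-password events per validated source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.rstrip())
        ip = parse_ip(match.group(1)) if match else None
        if ip is not None:
            counts[ip] += 1
    return counts


def build_blocklist(log_text, shared=(), threshold=3, allow=()):
    """Merge this host's offenders with a list shared by other hosts.

    Entries of the shared list are validated like local ones, and nothing
    inside an allow-listed network is ever blocked, whichever list named it.
    """
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    local = {ip for ip, n in failed_sources(log_text).items() if n >= threshold}
    remote = {ip for ip in map(parse_ip, shared) if ip is not None}
    blocked = {ip for ip in local | remote
               if not any(ip in net for net in allow_nets)}
    ordered = sorted(blocked, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered]


def hosts_deny_lines(addresses, existing_text=""):
    """New /etc/hosts.deny entries for sshd, skipping ones already present."""
    existing = {line.strip() for line in existing_text.splitlines()}
    lines = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # tcp_wrappers expects IPv6 literals in square brackets.
        client = f"[{ip}]" if ip.version == 6 else str(ip)
        entry = f"sshd: {client}"
        if entry not in existing:
            lines.append(entry)
    return lines


if __name__ == "__main__":
    blocklist = build_blocklist(
        SAMPLE_LOG,
        shared=["198.51.100.99", "not-an-ip", "203.0.113.77"],  # constructed
        allow=["203.0.113.0/24"],  # assumed admin network
    )
    print("\n".join(hosts_deny_lines(blocklist, "sshd: 192.0.2.10\n")))
```

The third sample line carries address-like text inside the user name; it is counted against 192.0.2.10, the address in the tail of the line, and the allow-list keeps 203.0.113.5 out of the result even though it reaches the threshold.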





RE: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread michael.dillon


> I've concluded three things (by doing experiments like that).  (a) Where
> there are Windows boxes, there are zombies.  Securing Microsoft operating
> systems adequately for use on the Internet is not a solved problem in
> computing.

I disagree. Since 1994 I have been in the habit of setting up MS Windows
boxes with Win98 and up, by installing from CD, connecting to the net
and installing various patches and updates from the Windows Update
service. I've never had a virus infection, a bot, a root kit or
whatever. The secret is simple. These machines never connected directly
to the Internet but went through a NAT box. Way back when it was a
FreeBSD machine running TIS Firewalls Toolkit. These days it is an
off-the-shelf Ethernet switch with DSL modem and NAT built-in.

Therefore, I assert that securing systems adequately for use on the
Internet is indeed a SOLVED PROBLEM in computing. However, it isn't yet
solved in a social or business sense. On the business side, I wonder why
PC's don't come with a built-in firewall/NAT device. It is cheap enough
to do these days. This means that a computer would have no Ethernet
ports on it. Instead, an internal Ethernet port would be directly
connected to a NAT/firewall device on the same circuit board (or via
PCI/PCMCIA/etc.). The external Ethernet port would belong to the
firewall/NAT device. On the social side, people don't realize that such
a solution is possible and therefore they aren't demanding computer
vendors to build it in. The box vendors only build what the OS vendors
want and the OS vendors are not interested in a piece of hardware that
runs its own OS, most likely FreeBSD or Linux.

In the UK, companies who sell TV services (cable and satellite) give
their customers a box to connect with. Why can't ISPs also sell their
services with a proper box included? By proper, I mean a NAT/firewall,
not a USB-connected DSL modem. 

> (c) Amusingly, it's possible
> to detect new end-user allocations and service rollouts by noting when
> spam starts to arrive from them.  (e.g. the Verizon FIOS deployment, if I
> may use hostnames of the form *.fios.verizon.net as a guide, is going
> well in NYC, Dallas, DC, Tampa, Philly, LA, Boston and Newark, but lags
> behind in Seattle, Pittsburgh, Buffalo and Syracuse.)

I wonder if Verizon is violating any SEC rules by not reporting this
information publicly? This is a good example of something that would not
be revealed if they provided a NAT/firewall box to every customer who
didn't already have one.

Has anyone implemented a tool that ISPs could use to detect whether or
not a NAT/firewall device is present? Perhaps based on OS
fingerprinting? Or even based on an agent that must be installed by the
customer? If such tools are available then an ISP could offer customers
a discount for being compliant with a NAT/firewall rule in their
contract.

--Michael Dillon



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Niels Bakker


* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [Fri 16 Feb 2007, 17:31 CET]:
[..]
> Therefore, I assert that securing systems adequately for use on the
> Internet is indeed a SOLVED PROBLEM in computing.


A HUNDRED MILLION machines beg to differ.


-- Niels.

--


Re: wifi for 600, alex

2007-02-16 Thread Alexander Harrowell

On 2/16/07, JAKO Andras [EMAIL PROTECTED] wrote:

> Please don't forget that 802.11 uses the CSMA/CA protocol. All nodes,
> including the AP and _all_ the clients should hear each others'
> transmissions so that they can decide when to transmit (when the medium is
> idle).



Yes. But so long as they can all interfere with each other, you're still
going to pay a cost in informational overhead to sort it out at a higher
protocol layer, and you're still going to have the electronic warfare in a
phone box problem at places like NANOG meetings. 3GSM is the same - even
the presence of ~10,000 RF engineers doesn't prevent the dozens of
contending networks..

Essentially, this is a problem that perhaps shouldn't be fixed. Having an
open-slather RF design and sorting it out in meta means that WLAN is quick,
cheap, and hackable. Trust me, you don't want to think about radio spectrum
licensing. On the other hand, that particular sufficiently advanced
technology is indistinguishable from magic quality about it causes
problems.

> Intentionally limiting the clients' TX powers to the minimum needed to
> communicate with the AP makes RTS/CTS almost obligatory, which may be
> considered a bad thing. Once again, in the ideal situation all nodes hear
> each other, at least from the CSMA/CA's point of view.
>
> Regards,
> Andras



I'm not sure that's ideal in my point of view, in so far as we're talking
about a point-to-multipoint network rather than a mesh. And why would anyone
ever want to use more power/create more entropy than necessary?

This argument sailed around in the early days of WiMAX, when people were
talking about running it in unlicensed 5.8GHz spectrum and finally getting
away from the telcos and the government, until they realised that it's not
big wi-fi and isn't designed to cope with contending networks..

Alex


North East fiber cut?

2007-02-16 Thread German Martinez
Hello,
Anyone seeing fiber cut issues around DC area?

Thanks
German




RE: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread michael.dillon

>> Therefore, I assert that securing systems adequately for use on the
>> Internet is indeed a SOLVED PROBLEM in computing.
>
> A HUNDRED MILLION machines beg to differ.

You misunderstand. The problem of securing machines *IS* solved. It is
possible. It is regularly done with servers connected to the Internet.
There is no *COMPUTING* problem or technical problem. 

The problem of the 100 million machines is a social or business problem.
We know how they can be secured, but the solution is not being
implemented.

--Michael Dillon



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Mark Boolootian


> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.
>
> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.

Eh?  Sure, we can secure servers, but that's not where the trouble is.
It's the client systems with browsers and P2P software and people
mindlessly banging on keyboards running arbitrary executables.  I'm
interested in hearing how they can be secured, since you seem to believe
this is a solved problem.  


Re: wifi for 600, alex

2007-02-16 Thread Todd Vierling


On 2/15/07, Pickett, McLean (OCTO) [EMAIL PROTECTED] wrote:

> Works well if everyone has 802.11a/g card. That's been my biggest concern
> with deploying 802.11a recently.
>
> -Original Message-
> The oft-overlooked 802.11a is great for this purpose when there isn't
> enough wiring infrastructure to drop a RJ45 in all the necessary
> conference rooms.


I was mainly referring to the conference infra network, used for
presentations and such.  Rather than a scattered AP layout, a
semi-point-to-point system targeted only to the critical resources
works well with 11a.  If you keep attendees tethered to 2.4GHz, you
probably only need to alternate between at most two 5.xGHz channels to
cover the necessary endpoints, and can locate the APs in a less dense
pattern.

As for whether presenters have 11a cards, there's the alternate
possibility of running another 11a AP in AP-client mode (inside the
conference hall) in a wired-to-wireless-to-wired sort of setup.  This
could also work for a terminal room setup.

Of course, a lot of the convenience of frequency segregation will go
out the window in a few years when the final 11n document exists, as
it now looks like 11n will be earmarked for use in all three bands
(2.4GHz and both 5GHz ranges).

I'll just hope that my residential neighbors stay out of my 5GHz space
a little while longer.  8-)

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Roland Dobbins



On Feb 16, 2007, at 9:12 AM, [EMAIL PROTECTED] wrote:


> It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.


I beg to differ.  Yes, it is possible for tech-savvy users to secure  
their machines pretty effectively.  But the level of technical  
knowledge required to do so is completely out of line with, say, the  
level of automotive knowledge required to safely operate an automobile.


> The problem of the 100 million machines is a social or business
> problem.
> We know how they can be secured, but the solution is not being
> implemented.


We know how -people with specialized knowledge- can secure them, not  
ordinary people - and I submit that we in fact do not know how to  
clean and validate compromised systems running modern general-purpose  
operating systems, that the only sane option is re-installation of OS  
and applications from scratch.


There have been very real strides in increasing the default security  
posture of general-purpose operating systems and applications in  
recent years, but there is still a large gap in terms of what a  
consumer ought to be able to reasonably expect in terms of security  
and resiliency from his operating systems/applications, and what he  
actually gets.  This gap has been narrowed, but is still quite wide,  
and will be for the foreseeable future (witness the current  
renaissance in the area of browser/HTML/XSS/Javascript  
vulnerabilities as an example of how the miscreants can change their  
focus as needs must).


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

  The telephone demands complete participation.

  -- Marshall McLuhan



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Niels Bakker


Therefore, I assert that securing systems adequately for use on the 
Internet is indeed a SOLVED PROBLEM in computing.

A HUNDRED MILLION machines beg to differ.


* [EMAIL PROTECTED] [Fri 16 Feb 2007, 18:27 CET]:
> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.


Given that even NASA has issues writing correct programs I would call it 
far from solved for any reasonable definition of the word, even in 
hyper-correct environments such as programming spacecraft where time and 
budget constraints are secondary to safety (security).


Or did you forget to mention that your secured machine is powered off?



> There is no *COMPUTING* problem or technical problem.


Denying that there is a technical problem with a hundred million 
machines out there not under full control of its owners is delusional.




> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.


Clearly the solution you have in your mind isn't obvious to us out here 
in the real world, nor simple, as we haven't figured it out yet.



-- Niels.


RE: North East fiber cut?

2007-02-16 Thread Mills, Charles

Not seeing any evidence of it in Pittsburgh.   Several of the local
providers peer between here and DC and no one has reported anything.

Chuck

Charles L. Mills
Senior Network Engineer
Access Data Corporation
Pittsburgh, PA 15238
(412) 968-4024
cmills at accessdc dot com
http://www.accessdc.com
Hosting, Colocation, Disaster Recovery and Managed Services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
German Martinez
Sent: Friday, February 16, 2007 12:18 PM
To: nanog@merit.edu
Subject: North East fiber cut?

Hello,
Anyone seeing fiber cut issues around DC area?

Thanks
German


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread James Blessing


[EMAIL PROTECTED] wrote:

> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.

True *BUT* (and this is a really big but) it requires that you do something
*BEFORE* you connect it to the Internet.

> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.

Whilst the problem is social in terms of people not knowing/wanting to do the
securing before connecting, the technical solution is to make the software
secure by default. If you think anything else then you are delusional.

J

--
COO
Entanet International
T: 0870 770 9580
http://www.enta.net/


Weekly Routing Table Report

2007-02-16 Thread Routing Analysis Role Account

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to [EMAIL PROTECTED]

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith [EMAIL PROTECTED].

Routing Table Report   04:00 +10GMT Sat 17 Feb, 2007

Analysis Summary


BGP routing table entries examined: 212075
Prefixes after maximum aggregation: 114136
Deaggregation factor: 1.86
Unique aggregates announced to Internet: 103539
Total ASes present in the Internet Routing Table: 24373
Origin-only ASes present in the Internet Routing Table: 21224
Origin ASes announcing only one prefix: 10245
Transit ASes present in the Internet Routing Table: 3149
Transit-only ASes present in the Internet Routing Table: 76
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 32
Max AS path prepend of ASN (20858): 18
Prefixes from unregistered ASNs in the Routing Table: 4
Unregistered ASNs in the Routing Table: 6
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 13
Number of addresses announced to Internet: 1685198316
Equivalent to 100 /8s, 114 /16s and 21 /24s
Percentage of available address space announced: 45.5
Percentage of allocated address space announced: 62.5
Percentage of available address space allocated: 72.8
Total number of prefixes smaller than registry allocations: 109306

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 47744
Total APNIC prefixes after maximum aggregation: 19291
APNIC Deaggregation factor: 2.47
Prefixes being announced from the APNIC address blocks: 45040
Unique aggregates announced from the APNIC address blocks: 20417
APNIC Region origin ASes present in the Internet Routing Table: 2858
APNIC Region origin ASes announcing only one prefix: 785
APNIC Region transit ASes present in the Internet Routing Table: 416
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 16
Number of APNIC addresses announced to Internet: 290731616
Equivalent to 17 /8s, 84 /16s and 54 /24s
Percentage of available APNIC address space announced: 72.0

APNIC AS Blocks (pre-ERX allocations): 4608-4864, 7467-7722, 9216-10239,
    17408-18431, 23552-24575, 37888-38911
APNIC Address Blocks: 58/7, 60/7, 116/6, 120/6, 124/7, 126/8, 202/7,
    210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 103906
Total ARIN prefixes after maximum aggregation: 61209
ARIN Deaggregation factor: 1.70
Prefixes being announced from the ARIN address blocks: 75934
Unique aggregates announced from the ARIN address blocks: 29457
ARIN Region origin ASes present in the Internet Routing Table: 11340
ARIN Region origin ASes announcing only one prefix: 4339
ARIN Region transit ASes present in the Internet Routing Table: 1052
Average ARIN Region AS path length visible: 3.4
Max ARIN Region AS path length visible: 21
Number of ARIN addresses announced to Internet: 318291328
Equivalent to 18 /8s, 248 /16s and 189 /24s
Percentage of available ARIN address space announced: 70.3

ARIN AS Blocks (pre-ERX allocations): 1-1876, 1902-2042, 2044-2046, 2048-2106,
    2138-2584, 2615-2772, 2823-2829, 2880-3153,
    3354-4607, 4865-5119, 5632-6655, 6912-7466,
    7723-8191, 10240-12287, 13312-15359, 16384-17407,
    18432-20479, 21504-23551, 25600-26591,
    26624-27647, 29696-30719, 31744-33791,
    35840-36863, 39936-40959
ARIN Address Blocks: 24/8, 63/8, 64/5, 72/6, 76/8, 96/6, 199/8, 204/6,
    208/7 and 216/8

RIPE Region Analysis Summary


Prefixes being announced by RIPE Region ASes: 43881
Total RIPE prefixes after maximum aggregation: 28621
RIPE Deaggregation factor: 1.53
Prefixes being announced from the 

RE: North East fiber cut?

2007-02-16 Thread Mills, Charles

And from the outages mailing list:

Word is Savvis has a fiber cut from ATL to CHG of some sort and re-routing
things through Dallas.   At least that's what I've seen on traces. Savvis
has confirmed an outage on the east coast just not sure exactly where
and what all it affects.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Mills, Charles
Sent: Friday, February 16, 2007 12:52 PM
To: German Martinez; nanog@merit.edu
Subject: RE: North East fiber cut?


Not seeing any evidence of it in Pittsburgh.   Several of the local
providers peer between here and DC and no one has reported anything.

Chuck

Charles L. Mills
Senior Network Engineer
Access Data Corporation
Pittsburgh, PA 15238
(412) 968-4024
cmills at accessdc dot com
http://www.accessdc.com
Hosting, Colocation, Disaster Recovery and Managed Services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
German Martinez
Sent: Friday, February 16, 2007 12:18 PM
To: nanog@merit.edu
Subject: North East fiber cut?

Hello,
Anyone seeing fiber cut issues around DC area?

Thanks
German


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread J. Oquendo

[EMAIL PROTECTED] wrote:


> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.
> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.
>
> --Michael Dillon
  


After all these years, I'm still surprised a consortium of ISP's haven't
figured out a way to do something a-la Packet Fence for their clients
where - whenever an infected machine is detected after logging in, that
machine is thrown into say a VLAN with instructions on how to clean
their machines before they're allowed to go further and stay online. If
you ask me, traffic providers (NSP's/NAP's) and ISP's don't mind this
garbage coming out of their networks, if they did they'd actually band
together and do something about it. It's obvious those charging for
traffic will say little. Minimized traffic means minimized revenue. All
I see is "No we despise that kind of traffic" along with a shrug and
nothing being done about it. I'm sure if some legislative body somewhere
started levying fines against providers, the net would be a cleaner
place. For comments on 100 million infected machines... Doubtable.
Anyone can play fuzzy math games, heck I just strangely figured out that
MS is costing me an arm and a leg!

http://www.merit.edu/mail.archives/nanog/msg04755.html




--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams





RE: North East fiber cut?

2007-02-16 Thread Smith, Steve B

Looks like SAVVIS is having a LOT of problems in the DC area. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Mills, Charles
Sent: Friday, February 16, 2007 11:52 AM
To: German Martinez; nanog@merit.edu
Subject: RE: North East fiber cut?


Not seeing any evidence of it in Pittsburgh.   Several of the local
providers peer between here and DC and no one has reported anything.

Chuck

Charles L. Mills
Senior Network Engineer
Access Data Corporation
Pittsburgh, PA 15238
(412) 968-4024
cmills at accessdc dot com
http://www.accessdc.com
Hosting, Colocation, Disaster Recovery and Managed Services

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
German Martinez
Sent: Friday, February 16, 2007 12:18 PM
To: nanog@merit.edu
Subject: North East fiber cut?

Hello,
Anyone seeing fiber cut issues around DC area?

Thanks
German





RPSL question

2007-02-16 Thread Andreas Voellmy

Hi,

I'm trying to learn about BGP and just ran across RPSL. I've seen
www.radb.net and know that lots of people are registering their policies
here. Are organizations also using these RPSL policies to compile
configuration files for their routers (via RtConfig)? Or do they just
maintain their RPSL policies and router configurations separately?

Thanks, Andreas


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Simon Lyall

On Fri, 16 Feb 2007, J. Oquendo wrote:
> After all these years, I'm still surprised a consortium of ISP's haven't
> figured out a way to do something a-la Packet Fence for their clients
> where - whenever an infected machine is detected after logging in, that
> machine is thrown into say a VLAN with instructions on how to clean
> their machines before they're allowed to go further and stay online.

All very nice. This sort of thing has been detailed a few dozen times by
various people. Doing this is not hard from a technical point of view
(which isn't to say it won't cost a lot of money to implement).

The hard bit is creating a business case to show how spending the money to
implement it and then wearing the cost of pissed off customers results in
a net gain to the bottom line.

If someone could actually do a survey to show how much each bot infested
customer is costing their ISP then people might be able to do something.
Right now AFAIK an extra 10,000 botted customers costs the average ISP no
more than a dozen heavy p2p users.

On the other hand Port 25 filtering probably is something that has low
enough negatives vs the positives for people to actually do.

-- 
Simon J. Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
To stay awake all night adds a day to your life - Stilgar | eMT.



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Sean Donelan


On Fri, 16 Feb 2007, Eric Gauthier wrote:

> I run the network for a University with about 12,000 students and 12,000
> computers in our dormitories.  We, like many other Universities, have spent the
> last five or six years putting systems in place that are both reactive and
> preventative.  From my perspective, the issues are still there but I'm not
> sure that I agree with your implications.
>
> Do we still have compromised systems?  Yes.
> Is the number of compromised systems at any time large?  No.
> Is the situation out of control?  No.
>
> Email me off-list if you want more details.  IMHO, it's too bad broadband
> providers have not yet picked up on what the Universities have done.


Why do you claim broadband providers haven't picked up on what 
universities have done?


Couldn't broadband providers say the same thing
> Do we still have compromised systems?  Yes.
> Is the number of compromised systems at any time large?  No.
> Is the situation out of control?  No.

If you compare infection rates of a broadband provider with 10 million 
subscribers, which probably translates to at least 30 million devices with 
NAT, WiFi and mobile devices; would its infection rate be significantly 
different from a university with 12,000 students with 1 computer each?


If your university's upstream ISP implemented a policy of cutting off the
university's Internet connection anytime a device in the university
network was compromised; how many hours a year would the university
be down?  What if the university's ISP had a three-strikes policy, would
the university have used up all of its three-strikes?  What proof should
the university's upstream ISP accept the problem is corrected?

Is there some infection rate of university networks that upstream ISPs
should accept as normal?  Or should ISPs have a zero-tolerance policy
for universities becoming infected repeatedly?

How is the acceptable infection rate for universities different than the 
infection rate of other types of networks?





RE: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Sean Donelan


On Fri, 16 Feb 2007, Nicholas J. Shank wrote:

>> How is the acceptable infection rate for universities different than the
>> infection rate of other types of networks?
>
> Because other types of networks are expected (expected being the
> keyword) to have competent administrators.


Expected by whom?

How many home networks or even small business networks have competent
administrators?

What is the infection rate for the network at a typical NANOG meeting full 
of Internet experts?  What was the infection rate at the RSA security 
conference network earlier this month?


Although some specific individual networks may have higher or lower
infection rates, I haven't seen a significant difference in infection
rates between types of networks or industries.  For universities with
low infection rates, there are just as many universities with high
infection rates.  For government networks with low infection rates, there
are just as many government networks with high infection rates.

Would taking the practices from the specific individual networks with low
infection rates and using them elsewhere change the infection rate of
other networks?


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Petri Helenius


J. Oquendo wrote:


> After all these years, I'm still surprised a consortium of ISP's
> haven't figured out a way to do something a-la Packet Fence for their
> clients where - whenever an infected machine is detected after logging
> in, that machine is thrown into say a VLAN with instructions on how to
> clean their machines before they're allowed to go further and stay
> online.

This has been commercially available for quite some time so it would be
only up to the providers to implement it.


Pete








tracking fiber assets

2007-02-16 Thread Frank Coluccio

Daniel,

Ordinarily, I might suggest a straightforward 
software-based cable management system. However,
since your list of concerns also includes active 
elements and their wavelength and probably sub-
lambda derivatives, you'll probably want something 
that's rule-based with a bit more smarts.

Give a look at the One Plan system from
VPIsystems Inc (Holmdel, NJ). It was written 
up recently in Lightwave Magazine:
  
http://tinyurl.com/25q88n

One Plan has a photonic-layer inventory and
configuration module that will very likely
satisfy your needs at the cable, strand and
multiplexed levels, and then some. Whether
or not it is available as a standalone module,
however, I can't rightly say. Good Luck.

Frank A. Coluccio
DTI Consulting Inc.
New York City
347-526-6788
[EMAIL PROTECTED]
---

On Thu Feb 15 18:52 , Daniel J McDonald  sent:


> What do people use to keep track of fiber-optic assets?  We own fiber on
> electric transmission lines - a hundred spans or so, mostly 24-48 count,
> about 800-900 total route-miles.  But we lack a tool to keep track of
> what is in use, which customers would be affected when we perform
> maintenance, and the like.
>
> Any suggestions for good tools to manage this would be most appreciated.
> Our spreadsheets, CAD drawings, and directories full of OTDR shots are
> just not cutting it.
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
> Austin Energy
> http://www.austinenergy.com