Re: Verisign vs. ICANN
On Thu, 17 Jun 2004, Jeff Shultz wrote:

> I'm having fun figuring out how altering BIND (since I assume that is
> the basis of their arguments) rises to the level of conspiracy...
> IANAL, obviously.

I read you loud and clear. I believe most rational people among us do, see below.

Oh my, a vendor that actually listens to the outcry of its customers. That cannot be tolerated. This, in my own humble opinion, climbs slowly but surely to the levels of being ridiculous. Paul did exactly what any good vendor would do. If many customers or users asked for a feature, the vendor would issue the feature. It is the administrator's choice to use the feature. As such, it is not the vendor's fault in any way.

After the courts drop this one as well, I am curious what will be the next Verisign idea. They (read: their lawyers) have proved themselves to be full of bright ideas (that lead to a dead end due to irrationality), and I am curious to see what's next.

happy sailing,

--Ariel

> ** Reply to message from Bob Martin <[EMAIL PROTECTED]> on Thu, 17 Jun
> 2004 16:54:20 -0500
>
> > Anything I/we can do to help the cause?
> >
> > Bob Martin
> >
> > Quoted from different thread:
> >
> > >(note that verisign has amended their complaint against icann (since the
> > >court dismissed the first one) and i'm now named as a co-conspirator. if
> > >you reply to this message, there's a good chance of your e-mail appearing
> > >in court filings at some point.)
> > > -- Paul Vixie
>
> --
> Jeff Shultz
> A railfan pulls up to a RR crossing hoping that
> there will be a train.

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

+++
This Mail Was Scanned By Mail-seCure System
at the Tel-Aviv University CC.

Re: New IANA allocations to RIPE NCC
On Fri, 7 May 2004, william(at)elan.net wrote:

> Why so many ip6 blocks at once?
>
> It's not that I'm worried about us running out of ip space for ip6 :)
> but is ripe really using ip6 20 times more than the rest of the world?

Not 20 times more (AFAIK), but Europe is using IPv6 much more than anyone else.

--Ariel

> On Fri, 7 May 2004, John L Crain wrote:
>
> > Greetings,
> >
> > This is to inform you that the IANA has allocated the following
> > sixteen (16) IPv6 /23 blocks to RIPE NCC:
> >
> > 2001:1C00::/23 RIPE NCC
> > 2001:1E00::/23 RIPE NCC
> > 2001:2000::/23 RIPE NCC
> > 2001:2200::/23 RIPE NCC
> > 2001:2400::/23 RIPE NCC
> > 2001:2600::/23 RIPE NCC
> > 2001:2800::/23 RIPE NCC
> > 2001:2A00::/23 RIPE NCC
> > 2001:2C00::/23 RIPE NCC
> > 2001:2E00::/23 RIPE NCC
> > 2001:3000::/23 RIPE NCC
> > 2001:3200::/23 RIPE NCC
> > 2001:3400::/23 RIPE NCC
> > 2001:3600::/23 RIPE NCC
> > 2001:3800::/23 RIPE NCC
> > 2001:3A00::/23 RIPE NCC
> >
> > For a full list of IANA IPv6 allocations please see:
> > <http://www.iana.org/assignments/ipv6-tla-assignments>
> >
> > Thanks,
> >
> > John L Crain
> > IANA
>
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: New cisco exploit published in the media today
On Mon, 29 Mar 2004, Scott Call wrote:

> Forgive the not panicking, but none of the exploits utilized by this tool
> are new, the newest being a year old, most being 2-3 years old, judging by
> the dates on the cisco pages.

Which brings to mind the question of when will reporters be able to "objectively" report something, and not "attenuate" certain aspects for the benefit of creating a "scoop". I perfectly understand the need to make public the availability of this new cracking tool, but I do not understand why there was no mention of the fact it exploits bugs that are 1.5-3 years old, which would have put matters in the proper perspective, instead of trying to create commotion as if some immediate danger was hanging above our enterprise LANs.

*sigh*

--Ariel

> -S
>
> On Mon, 29 Mar 2004, Henry Linneweh wrote:
>
> > Cisco warns of new hacking toolkit
> > http://www.infoworld.com/article/04/03/29/HNhackingtoolkit_1.html
> >
> > exploit location
> > http://www.blackangels.it/
> >
> > -Henry
>
> --
> Scott Call    Router Geek, ATGi, home of $6.95 Prime Rib
> I make the world a better place, I boycott Wal-Mart
> VoIP incoming: +1 360-382-1814

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

short question
Hi guys/gals,

I have a question. I need for a project a small router that can do 2xFE @wire speed, IOS IP feature set, and it will do BGP with a small subset of the global routing table (~1000 networks). Price is a big issue, but so is stability and reliability of the platform.

Any quick suggestions ? My experience in the low end lacks.

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: CCO/cisco.com issues.
On Mon, 6 Oct 2003, Peter E. Fry wrote:

Hi,

As a Jew, I must admit that I also understood the point, and didn't think of Nazi Germany, although you'd think it would evoke an immediate emotional reaction (which it admittedly did), but that reaction did not cloud my judgement.

I think it's safe to assume that most people on this list have a reason for being on it. Although I am not trying to say that sometimes we get to see posts that are ... well, that shouldn't be sent before thinking, it would be wise to read an e-mail twice, even three times, before assuming mal-intent from its originator.

peace,

--Ariel

> Read it again. He has a point (not yours).
> Perhaps this should be an agenda topic for the upcoming get-together:
> A common strategy for dealing with Internet crime. Much of
> it does appear to have common roots. (And I'm not even a conspiracy
> buff.)
> Hm. Oddly enough there's a blurb on that
> follows this somewhat: <http://www.overclockers.com/articles843/>.
>
> Peter E. Fry

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: NTP, possible solutions, and best implementation
Hi,

I wish to thank all who answered, indeed, it was helpful. But, as it was mentioned here, any further dwelling into this particular topic would be more appropriate in the NTP forums available, be it mailing lists or newsgroups.

So, I would like to request that further replies on this topic are sent to me in private, and wish to thank again all that answered.

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: NTP, possible solutions, and best implementation
On Thu, 2 Oct 2003 [EMAIL PROTECTED] wrote:

> Beware the single point of failure. If all your clocks come from GPS, then
> GPS is the SPOF. If they all come from brand X manufacturer then that is
> the SPOF. A commercial service should be robust and use a combination of
> atomic clocks, GPS, radio time services, CDMA/GSM clocks combined with a
> sanity checker to watch all the clocks and detect bad timekeepers.

Yes, this is definitely an issue, and thus the clocks are at least one cesium, and the other two are different vendors.

> Indeed.
> Hide this clock behind a packet filtering firewall or else use udprelay
> and an application layer gateway on UNIX to block everything except NTP.
> In fact, if this is a commercial service you should hack udprelay so that
> it knows about the NTP protocol and can block non-customer traffic or
> malformed traffic or high volumes of traffic. That way, the UNIX

So what you are suggesting basically is to add an application layer sanity checker and DoS preventer, am I right ?

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

NTP, possible solutions, and best implementation
Hi,

Assuming one wanted to provide a high profile (say, at the TLD level) NTP service, how would you go about it ?

The possibilities I encountered are diverse, the problem is not the back-end device (be it a GPS based NTP source + atomic clock backup, based on cesium or similar), but the front end to the network. Such a time service is something that is considered a trusted stratum 1 server, and assuring that no tampering with the time is possible is of very high priority, if not top priority.

There are a few NTP server solutions, I like the following comparison between one company's products (Datum, merged into Symmetricom):

http://www.ntp-systems.com/product_comparison.asp

However, when you put such a device on a network, you want to have some kind of clue about the investment made in that product when security comes to mind, and also the turnaround time for bug fixes should such a security bug become public.

Here is the problem, or actually, my problem with these devices. I know that if I use a Unix machine or a Cisco router as front end to the network for this back-end device, then if a bug in NTP occurs, Cisco or the Unix vendor will fix it quickly. BUT!, if I want to put the device itself on the network, as this is what an NTP device was built for, I feel that I have no real sense of how secure the device really is, and how long it would take for the vendor to actually fix the bug, should such be discovered. It's a black box, and I am supposed to provide a secure time source based on ... "what ?"

This is my dilemma. While I don't want to put an NTP front end, which becomes a stratum 2 in this case, but to provide direct stratum 1 service to stratum 2 servers in the TLD in question, I do not know how can I safely trust a device that I have no experience with how the vendor deals with bugs, and also, I have no idea what is the underlying software (although it's safe to assume that it is an implementation of xntpd, in one form or the other).

Did any of you have to create/run/maintain such a service, and does any of you have experience with vendors/products that can be trusted when security is concerned (including the vendor and the products I specified above).

thanks for your time,

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: Riverhead or Lancope?
On Monday 22 September 2003 11:13, John Obi wrote:

> Nanogers,
>
> Did you ever test Riverhead or Lancope? I know
> rackspace uses one or both of them.
>
> Are they good products and worth the try?

We use Riverhead at IIUCC/ILAN (AS378) to protect the .il root name servers, it is active for a few months, and seems to work well. Maybe Hank will comment on this as well.

--Ariel

> Can they really decrease the DDoS damage?
>
> Are they better than CISCO products?
>
> Are there any tips?
>
> Thanks,
>
> -J

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: South Asia Network Operators Group (SANOG)
On Thu, 28 Nov 2002, Bill Woodcock wrote:

> For everybody else, yes, I know I'm being grouchy. I just find this kind
> of behavior incredibly offensive; this kind of reality-defying jingoism is
> one of the most embarrassing things about being identified as an American
> while travelling. Happy Thanksgiving.

Just to add on what Bill said, I've been to Nepal for a month, I think it's the most beautiful place I've ever seen so far anywhere in the world (and yet so much remains to be seen). Also, the people there are nice, helpful, peaceful (yes, I know they have inner turmoil right now) and the whole mentality is way different than any of us have been brought up upon.

Even if it weren't for SANOG, it is a place well worth visiting, IMHO. I may be way off, but the way I see it, there is so much to see in this world, and such a short life, why not use it...

enjoy SANOG,

--Ariel

> -Bill

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: Looking for a piece of gear to do...
On Thu, 21 Nov 2002, Alex Rubenstein wrote:

Try this:

http://www.rad.com/products/family/ace-101/ace-101.htm

--Ariel

> Hi.
>
> I am looking for a very simple piece of gear that will do the following:
>
> Fast-E |thing|---ATM OC3--|thing| Fast-E
>
> I am not looking for a discussion on how this, me, or ATM is bad. It's
> just a solution I need.
>
> Anyway, I am looking for 'thing' to be a simple device. Perhaps it would
> have more than one FE port, and you'd map PVC's to ports, or whatever. The
> key is that this totally transparent, and able to pass 802.1q vlan tags.
> It'd be used in a point-to-point topology only.
>
> Any clues would be great.
>
> -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
> -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

upcoming NANOG
Hi,

Does any of you plan to make it to the upcoming Nanog ? If so, please contact me off list.

thanks,

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: Certification or College degrees?
Hi all,

I've read this thread with quite a bit of interest, I must admit. I must say that after reading it all, I see a lot of ... misguided perceptions.

Certifications, of any kind, be it university degrees, or other generic certifications, or even the product specific ones, are just a way to ascertain material knowledge. Nothing, nothing more. By no means are they any good at ascertaining the person's ability to implement knowledge (no matter what Cisco says about its hands on lab test). Like any other program, they are built around a specific structure. That doesn't predict the ability of a person to implement knowledge in new situations, adapt it to his/her needs, and find a solution to a new problem.

If the original question that started this thread meant to ask which is better for getting a job, then I don't know, it depends on who's hiring. Ideally though, a person's resume is built upon a few factors. You have the core knowledge, which is - as some put it here - just data you accumulate. Unless you practice with it, it stays fresh in your mind for a few months tops, and then fades (remember those university mid terms ?). For knowledge to be useful, one needs to apply it. Thus, a resume should mainly point out, apart from the "what you read from books" part, and what toys you played with (be it routers, servers, and so on) how you have implemented that knowledge, and where. This is, the "experience" part. This includes references from former employers, whom you can call, and other pertinent stuff.

One of the qualities I look for most in people, is the ability to learn and adapt, self motivation and independence. Of course there are other personality issues taken into consideration, but this is off topic.

For the degree vs. certification bit, I'd say I treat them with the same suspicion. The ability to learn from books and take tests is not really a good predictor of a successful network engineer, or a successful anything for that matter.

IT environment tends to be very flexible and fast paced. Technologies and products change at a fast pace, and at this point, only the ability to learn and adapt, and I mean, learn by yourself, not have me push you from behind, this predicts, IMHO, much better, the chance of being able to hire someone that will last more than a short while. Learning never stops. It's a never ending process, and that's the beauty of it. Patting yourself on the back while looking at your resume, where you see that you have X Y and Z diplomas will do no one any good.

I have nothing against college degrees, or vendor based (or independent based) certifications. People should learn, and for all I care, as much as they can. What matters, in the end, is their ability to implement what they have learned. So, experience and abilities based on character and intellect are the most important job ingredients you'll ever have. That doesn't mean knowledge is not important.

The IT business is not medicine, or engineering of structures. The reason those require certifications up front is because they deal with human lives. And yet, most doctors I know are incompetent, despite the fact they passed their exams, and have their doctor's license.

my 2 cents,

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

verio.net
Hi,

I need someone in a senior position at verio.net (if on the list) to contact me offlist, on something of a personal nature (no I am not looking for a job).

--Ariel

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

Re: Internet Exchange Questions
On Tue, 19 Mar 2002, Streiner, Justin wrote:

Hi,

I don't know if the question was mainly intended towards the American based IXes. If so, then the below may be of little interest. If not, please read on.

There are scenarios when IXes are built and maintained by a non-profit body, (a .org for example). The peering policies of such IXes are also very appealing to small/mid range ISPs, since they may offer a one to many peering model (where the IX itself is an AS - you peer with it, and it peers with all). This allows an open peering based IX, where larger entities do not charge the smaller ones for the ability to peer with them.

Running an IX by a 3rd party, not for profit, ensures among others, the ability to focus on quality rather than quantity, equal rights to all peers, flexibility of the service, and the ability to create a *community*, where exchanging information and learning benefits all of the peers, and helps improve on the IX itself. Such an IX will usually charge low connectivity prices, based on how much it costs them, plus maintenance (staff + service contracts with vendors) and a marginal value to allow for future expansion (bigger/faster equipment).

There are a few examples around the world, one of which is the IIX (Israeli Internet eXchange). On a market economy, I don't know what is exactly the right place for such entities, and how well can they scale into a large scale operation, moving hundreds of terabytes, and employing a lot of staff. But, if you'll take a peek at LINX (www.linx.org), it would seem that it is possible.

Usually, the people involved in setting up such an IX from the ground up, and also those running it, are people well known for their integrity and skill, and usually trusted among the peers they aim to serve.

I hope this angle of IXs is of interest to the original person who initiated this discussion.

best,

--Ariel

P.S. It would seem that Europe in general has more of these type of IXes than other places in the world.

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html