Provider feedback
I am considering using Aleron (http://www.aleron.com/network) as an internet service provider and wondering if anyone has an opinion on their network, service or its support. You can contact me off-list if you like. David A. Lauer Network Engineer Tristar Communications [EMAIL PROTECTED]
RE: VU#210321
Ian, So right now this is a scary rumor floating around the security scene? Is there any particular trace, or any further details you're aware of? Also, I think it may be safe to assume that Mac OS X/Jaguar may be vulnerable as well. AFAIK it runs off the BSD IP stack, so it's more than likely that it is vulnerable if this exploit is in fact a reality. I'll keep an eye out for any suspicious traffic myself, as I'm sure will the rest of the list. Thanks for the warning, as if this is real, it could be potentially very harmful. Any great C coders out there start poring over the code yet? Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CERT(R) Coordination Center Sent: Tuesday, September 10, 2002 10:16 AM To: [EMAIL PROTECTED] Cc: CERT(R) Coordination Center Subject: VU#210321 -BEGIN PGP SIGNED MESSAGE- Hello, The CERT/CC has recently seen discussions in a public forum detailing potential vulnerabilities in several TCP/IP implementations (Linux, OpenBSD, and FreeBSD). We are particularly concerned about these types of vulnerabilities because they have the potential to be exploited even if the target machine has no open ports. The messages can be found here: http://lists.netsys.com/pipermail/full-disclosure/2002-September/001667.html http://lists.netsys.com/pipermail/full-disclosure/2002-September/001668.html http://lists.netsys.com/pipermail/full-disclosure/2002-September/001664.html http://lists.netsys.com/pipermail/full-disclosure/2002-September/001643.html Note that one individual claims two exploits exist in the underground. At this point in time, we do not have any more information, nor have we been able to confirm the existence of these vulnerabilities. We would appreciate any feedback or insight you may have. We will continue to keep an eye out for further discussions regarding this topic. FYI, Ian Ian A. 
Finlay CERT (R) Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA USA 15213-3890 -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBPX3/VqCVPMXQI2HJAQFEqQQAr54e9c5SGgrIfmK5+EWqSOdvySKRtjwa 6dE4Z4DcoyHS57W5BEwW2OSXSGwrBL+mzippfTEnwAVT/otLYAADsnlPSQioRYNi qHVh8yRXgh3kBgx3cMdhe3NC6zaSWffOsc/EvhkCDo2xa8FQItOqE5MjOeASjt1L st5qq4mgM+E= =kHt1 -END PGP SIGNATURE-
RE: IP address fee??
Just because I'm tired of this, it's mostly due to customer work. I learned CIDR first and foremost. I paid near no attention to classful addressing. I just am in the habit, in particular, of saying Class C instead of /24. Any other block I use the CIDR notation, and then still have to explain how many this is. I cannot believe that everyone is really being this ridiculous. Can you all let this thread die? Yes, we should refer to everything as CIDR. No, 90% of our clients don't understand that. Yes, sometimes that carries over into tech conversations. Enough. Derek -Original Message- From: Joe Abley [mailto:[EMAIL PROTECTED]] Sent: Friday, September 06, 2002 10:01 AM To: Stephen Sprunk Cc: Richard A Steenbergen; Derek Samford; 'Owens, Shane (EPIK.ORL)'; [EMAIL PROTECTED] Subject: Re: IP address fee?? On Thu, Sep 05, 2002 at 01:13:27PM -0500, Stephen Sprunk wrote: Because Cee is easier to pronounce than slash twenty-four. Ease of use trumps open standards yet again :) Nobody was talking. /24 is easier to type than class C. No trumps! Everybody loses! How many people learn about networks from certification courses or in school, anyway? It was always my impression that people learnt mainly by listening to other people. If networking on the front lines is an informal oral tradition more than it is a taught science, then perhaps it's natural for obsolete terminology to continue to be taught long after it stopped having any relevance. Joe
RE: IP address fee??
Shane, There is a practice on that (At least here.). Generally we provide a Class C to our customers at no additional charge, but we have been charging recently for the use of additional blocks. After all, we have to pay those charges to ARIN, and we do need to defer those costs down to the customer if they are going to use a chunk of the address space. At some point we'll need to get more, and that only increases our costs. Gone are the days when the carriers eat all the side costs. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owens, Shane (EPIK.ORL) Sent: Thursday, September 05, 2002 1:36 PM To: [EMAIL PROTECTED] Subject: IP address fee?? Quick question, does there exist a practice of charging customers for IP address blocks used? My theory is that the first Class C is included with the service, but I'm wondering what happens when the customer wants 2, 3, 4 or more? Shane
Apologies.
Just wanted to publicly apologize for posting HTML to the list. Thanks to Robert Seastrom for pointing it out to me. Still not sure why it posted as html. Derek
RE: IP address fee??
Haha. Mighty good question. No good answer. Derek -Original Message- From: Richard A Steenbergen [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 05, 2002 1:48 PM To: Derek Samford Cc: 'Owens, Shane (EPIK.ORL)'; [EMAIL PROTECTED] Subject: Re: IP address fee?? On Thu, Sep 05, 2002 at 01:36:27PM -0400, Derek Samford wrote: Shane, There is a practice on that (At least here.). Generally we provide a Class C to our customers at no additional charge, but we have Why in this day and age, 9 years after the invention of CIDR, are we still referring to class C's? -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
RE: ATT NYC
I personally prefer using IS-IS for loopback/infrastructure routes, and I use confederations for my IBGP. If a confederation ever gets too large, I can always add a route-reflector inside the confederation. Ralph, you have never failed to amaze me with your love for WCP (Worst Current Practices.) Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert A. Hayden Sent: Thursday, August 29, 2002 3:53 PM To: Michael Hallgren Cc: Ralph Doncaster; Peter van Dijk; [EMAIL PROTECTED] Subject: RE: ATT NYC Yup. I like using OSPF to set up the mesh to the loopbacks and then ibgp as the IGP. On Thu, 29 Aug 2002, Michael Hallgren wrote: Um. Set up more than one reflector yes... and align your setup with your physical topology (so making it useful); use other proto for mapping your infra, etc, etc,.. mh On Thu, 29 Aug 2002, Ralph Doncaster wrote: On Thu, 29 Aug 2002, Peter van Dijk wrote: On Thu, Aug 29, 2002 at 01:09:54PM -0400, [EMAIL PROTECTED] wrote: Has anybody mentioned the benefits of ISIS as an IGP to them? Link-state protocols are evil, and when they break, they *really* break. I still do not see a compelling argument for not using BGP as your IGP. Slow convergence. As well there are the issues of running a full iBGP mesh. I've actually been doing it, and now that I'm about to add my 5th router, OSPF is looking a lot better than configuring 4 more BGP sessions. I've heard some people recommend a route-reflector, but that would mean if the route-reflector goes down you're screwed. -Ralph
RE: ATT NYC
Ralph, Okay, no one ever said an IBGP mesh was bad. We were all upset by the mention of an IGP distributed into an EGP. Let's do a little math here. The formula for IBGP sessions goes as follows. n*(n-1)/2 2=1 3=3 4=6 5=10 So you've only got 4 routers? That's fine, 6 sessions is not too hard to maintain. However, one more router and 10 can get to be cumbersome, and with 10 routers in your network, you have to maintain 45 BGP sessions. My personal favorite approach (And this may, or may not, start a religious war.) is confederations. The great part is, if your IBGP mesh inside a sub-AS gets too large, you can add a route-reflector, and have a hybrid RR/Confederation approach. This is very scalable, although there are some issues with being able to follow shortest path out of a confederation, so you need to have a little skill at traffic engineering. Building networks is easy Ralph, building SCALABLE networks, is not. Derek -Original Message- From: Ralph Doncaster [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 29, 2002 4:44 PM To: Derek Samford Cc: 'Robert A. Hayden'; 'Michael Hallgren'; 'Peter van Dijk'; [EMAIL PROTECTED] Subject: RE: ATT NYC On Thu, 29 Aug 2002, Derek Samford wrote: I personally prefer using IS-IS for loopback/infrastructure routes, and I use confederations for my IBGP. If a confederation ever gets too large, I can always add a route-reflector inside the confederation. Ralph, you have never failed to amaze me with your love for WCP (Worst Current Practices.) OK, then hand me a clue and explain why running an iBGP mesh with 3-4 routers is so bad (seeing as Bassam Halabi didn't in his book). -Ralph
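The session arithmetic in the message above (n*(n-1)/2 for a full mesh) is easy to extend to the two alternatives the thread argues about, route reflection and confederations, so the scaling difference can be seen in numbers rather than asserted. The following is an added example, not code from any list post; the route-reflector and confederation models are simplifying assumptions stated in the docstring, not a description of any particular network.

```python
"""Session-count models for the iBGP designs argued over in this thread.

Added example, not code from any list post. Assumptions (all labelled):
- full mesh: every router peers with every other router (n*(n-1)/2)
- route reflection: k reflectors fully meshed among themselves, every
  remaining router is a client of all k reflectors, clients do not peer
- confederation: routers split into sub-ASes of at most m routers, each
  sub-AS fully meshed internally, sub-ASes joined by one confederation
  eBGP session per neighbouring pair in a ring (one session for two
  sub-ASes, none for one); real inter-sub-AS topologies vary
"""


def full_mesh_sessions(n: int) -> int:
    """iBGP sessions in a full mesh of n routers: the n*(n-1)/2 formula."""
    if n < 0:
        raise ValueError("router count must be non-negative")
    return n * (n - 1) // 2


def route_reflector_sessions(n: int, k: int) -> int:
    """Sessions with k reflectors (meshed together) serving n-k clients."""
    if not 0 <= k <= n:
        raise ValueError("need 0 <= reflectors <= routers")
    return full_mesh_sessions(k) + k * (n - k)


def confederation_sessions(n: int, m: int) -> int:
    """Sessions when n routers are split into sub-ASes of at most m routers."""
    if m < 1 or n < 0:
        raise ValueError("sub-AS size must be >= 1 and routers >= 0")
    sizes = [m] * (n // m) + ([n % m] if n % m else [])
    intra = sum(full_mesh_sessions(s) for s in sizes)   # mesh inside each sub-AS
    subs = len(sizes)
    inter = 0 if subs < 2 else (1 if subs == 2 else subs)  # ring between sub-ASes
    return intra + inter


def scaling_table(sizes, reflectors=2, sub_as_size=5):
    """Map router count -> (full mesh, route reflection, confederation) totals."""
    return {
        n: (full_mesh_sessions(n),
            route_reflector_sessions(n, min(reflectors, n)),
            confederation_sessions(n, sub_as_size))
        for n in sizes
    }


if __name__ == "__main__":
    for n, (mesh, rr, conf) in scaling_table([2, 3, 4, 5, 10, 20]).items():
        print(f"{n:3d} routers: mesh={mesh:4d}  rr={rr:4d}  conf={conf:4d}")
```

The full-mesh column reproduces the 1, 3, 6, 10 and 45 quoted in the thread; the other two columns grow roughly linearly in the router count, which is the whole point of the argument. The reflector count and sub-AS size are parameters, so the hybrid case (reflectors inside a sub-AS) is just `route_reflector_sessions` applied per sub-AS.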
RE: ATT NYC
Dmitri, Absolutely unavoidable. I think it's called Dalph Roncaster's Law of Impropability. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dmitri Krioukov Sent: Thursday, August 29, 2002 5:10 PM To: Daniel Golding Cc: [EMAIL PROTECTED] Subject: RE: ATT NYC daniel, why would you return to that state? -- dima. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Golding Sent: Thursday, August 29, 2002 3:27 PM To: Ralph Doncaster; Peter van Dijk Cc: [EMAIL PROTECTED] Subject: RE: ATT NYC We now return to our regularly scheduled, low level of signal to noise. - Daniel Golding
RE: ASN registry?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Dills Sent: Monday, August 19, 2002 3:42 PM To: Ralph Doncaster Cc: [EMAIL PROTECTED] Subject: Re: ASN registry? On Mon, 19 Aug 2002, Ralph Doncaster wrote: I've always used whois.arin.net to check ASN registrations, and until now it's always had information on those that I've checked. It doesn't have anything for 1221, which according to route-views.oregon-ix.net is Telstra. Is there a single complete database that has ASN assignment info? Well, when I can't find it quickly, I usually check RIPE, as the RIPE whois will tell you which region the ASN is delegated to, and which registrar to check with. And according to RIPE, 1221 is most definitely in the lower range controlled by ARIN. No idea why ARIN doesn't have a record for it...they only carry records for ASN 16779, which is Telstra-USA. Andy I noticed that as well. But a quick google shows that Telstra is most definitely AS1221. Maybe they forgot to renew one of their AS Numbers? Derek
RE: ASN registry?
That's a little odd, considering that's included in a range of AS' that RIPE shows as delegated to ARIN. Anyone have any ideas? Derek -Original Message- From: Kris Foster [mailto:[EMAIL PROTECTED]] Sent: Monday, August 19, 2002 3:56 PM To: 'Derek Samford'; 'Andy Dills'; 'Ralph Doncaster' Cc: [EMAIL PROTECTED] Subject: RE: ASN registry? maybe you're forgetting Australia... think APNIC... -Original Message- From: Derek Samford [mailto:[EMAIL PROTECTED]] Sent: Monday, August 19, 2002 3:51 PM To: 'Andy Dills'; 'Ralph Doncaster' Cc: [EMAIL PROTECTED] Subject: RE: ASN registry? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Dills Sent: Monday, August 19, 2002 3:42 PM To: Ralph Doncaster Cc: [EMAIL PROTECTED] Subject: Re: ASN registry? On Mon, 19 Aug 2002, Ralph Doncaster wrote: I've always used whois.arin.net to check ASN registrations, and until now it's always had information on those that I've checked. It doesn't have anything for 1221, which according to route-views.oregon-ix.net is Telstra. Is there a single complete database that has ASN assignment info? Well, when I can't find it quickly, I usually check RIPE, as the RIPE whois will tell you which region the ASN is delegated to, and which registrar to check with. And according to RIPE, 1221 is most definitely in the lower range controlled by ARIN. No idea why ARIN doesn't have a record for it...they only carry records for ASN 16779, which is Telstra-USA. Andy I noticed that as well. But a quick google shows that Telstra is most definitely AS1221. Maybe they forgot to renew one of their AS Numbers? Derek
RE: redundancy [was: something about arrogance]
That is even worse than what we have been talking about. You should be running a P2P T1 back to yourself, and distributing the access from a POP, or have the carrier you're reselling the T1 for allocate a /24. There is no reason to run BGP for a single /24 whatsoever, it should be announced in carrier address space. Using your AS for another company totally violates the whole idea of an Autonomous System. Derek -Original Message- From: Manolo Hernandez [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 30, 2002 1:30 PM To: Derek Samford Cc: [EMAIL PROTECTED]; 'Pedro R Marques'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: redundancy [was: something about arrogance] Yes, there is a reason to have some /24s advertised to the world. If this were a class on BGP they would tell you that was a no-no, but since this is the real world it happens and is sometimes required. It is required when you need to give a customer T-1 access at a location separate from yours that has a separate connection to the net and you are using your AS on the access router. A /24 is a solution that works nicely and still works with your aggregated /20 address. On Tue, 2002-07-30 at 13:23, Derek Samford wrote: I couldn't possibly agree more. In fact, my approach has been to create a mesh between different Colo centers, and keep it at about 3 Transit carriers. Because of the different methods of interconnection, I haven't ever had a long-term outage. Also, I've been able to filter any issues that are beyond my carrier's immediate reach (i.e. congested peering points.) At the same time, I've been able to maintain aggregation of all of my routes, and maintain true stability in my network. There is absolutely no excuse to fill up the routing tables with nonsense. 
Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Rosenthal Sent: Tuesday, July 30, 2002 12:52 PM To: 'Pedro R Marques'; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: redundancy [was: something about arrogance] I have in the past single-homed to Level(3) and Verio, each in their own facility in NC. In that time, both carriers had about 1 solid hour a month of solid downtime (some months were worse, some were better). Some of the outages were on the order of 8 solid hours (verio) or 4 hours (level3). We did not run HSRP with Level3, so it may be difficult to guarantee the uptime of one gige handoff... But we ran HSRP with verio, and of all the outages (about 20 of them) -- Maybe two of them were avoided because of HSRP. Other than that, it was all downtime. At this point, I couldn't conceive single-homing to any uplink anymore. --Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pedro R Marques Sent: Tuesday, July 30, 2002 6:23 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: redundancy [was: something about arrogance] Brad writes: I'm probably demonstrating my ignorance here (and my stupidity in stepping into a long-standing highly charged argument), but I'm completely missing something. For reasons of redundancy/reliability, even if you were to buy bandwidth in only one location, wouldn't you want to buy it from at least two different providers? If you buy bandwidth from two different providers at two different locations, this would seem to me to be a good way to provide backup in case one provider or one location goes Tango-Uniform, and you could always backhaul the bandwidth for the site/provider that is down. Several other posters have mentioned reasons why redundancy between 2 different connections to separate providers is not, in most situations, the preferable approach but i would like to add another point/question... 
When considering redundancy/reliability/etc. it is important to think about what kind of failures you want to protect against vs the cost of doing so. It is my impression, from reading this list and tidbits of gossip, that the most common causes of failure are: - link failure - equipment failure (routers mostly), both software and hardware - configuration errors All of those are much more frequent than the failure of an entire ISP (a transit provider). It is expected, i believe, of a competent ISP to provide redundancy both within a POP and intra-POP links/equipment and its connections to upstreams/peers. As such, probably the first level of redundancy that an origin AS (non-transit) would look at would be with the intent to protect from failures of its external connectivity link and termination equipment (routers on both ends). To do so, one can look at: - 2 external links to distinct providers - 2 external links to the same provider While i can't speak to the economics part of the equation (although i would expect it to be cheaper to buy an additional link than connect
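The objection in the thread above, that a customer /24 already covered by the carrier's aggregate does not belong in the global table as a separate announcement, is something an operator can check mechanically before (or after) a prefix goes out. The following is an added example, not code from any list post or from any of the networks mentioned; the prefixes are constructed sample values from the RFC 5737 documentation ranges, and the only assumption is that the input is the set of prefixes one AS originates.

```python
"""Flag more-specific prefixes that are already covered by an announced
aggregate, the routing-table "nonsense" objected to in the thread.

Added example, not from any list post. Prefixes below are constructed
sample values (RFC 5737 documentation ranges), not real announcements.
Assumption: the input is the set of prefixes one AS originates; a prefix
is flagged when it lies entirely inside a shorter prefix in the same set.
"""
import ipaddress
from collections import defaultdict

# Constructed sample announcement set (not real routing data).
SAMPLE_ANNOUNCEMENTS = [
    "198.51.100.0/22",  # carrier aggregate
    "198.51.100.0/24",  # customer /24 inside the aggregate
    "198.51.102.0/24",  # another customer /24 inside the aggregate
    "203.0.113.0/24",   # standalone /24 covered by nothing else here
]


def _parse(announcements):
    """Parse strictly (host bits must be zero) and sort least-specific first."""
    nets = {ipaddress.ip_network(p, strict=True) for p in announcements}
    return sorted(nets, key=lambda n: (n.version, n.prefixlen, int(n.network_address)))


def find_deaggregates(announcements):
    """Return {aggregate: [more-specifics it covers]}, all as strings.

    Each more-specific is attributed to its least-specific covering prefix,
    so a /24 inside a /23 inside a /22 is reported under the /22.
    """
    nets = _parse(announcements)
    covered = defaultdict(list)
    for net in nets:
        for cand in nets:  # least-specific first, so the first hit is the widest
            if (cand.version == net.version
                    and cand.prefixlen < net.prefixlen
                    and net.subnet_of(cand)):
                covered[cand].append(net)
                break
    return {str(a): [str(s) for s in subs] for a, subs in covered.items()}


def standalone_prefixes(announcements):
    """Prefixes with no covering aggregate in the set: the ones that genuinely
    need their own announcement."""
    nets = _parse(announcements)
    flagged = {s for subs in find_deaggregates(announcements).values() for s in subs}
    return [str(n) for n in nets if str(n) not in flagged]


def withdrawable_count(announcements):
    """How many table entries would disappear if covered more-specifics
    were announced only inside their aggregate."""
    return sum(len(v) for v in find_deaggregates(announcements).values())


if __name__ == "__main__":
    for agg, subs in find_deaggregates(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{agg} already covers: {', '.join(subs)}")
    print("standalone:", standalone_prefixes(SAMPLE_ANNOUNCEMENTS))
    print("withdrawable entries:", withdrawable_count(SAMPLE_ANNOUNCEMENTS))
```

Run against a real export of an AS's originated prefixes, the same functions point at exactly the /24s the thread is arguing about: anything `find_deaggregates` lists is reachable through its aggregate anyway, while `standalone_prefixes` is the set that has a legitimate reason to exist on its own (the multi-homed customer case Manolo describes would show up there only if the /24 is not inside the aggregate that is also announced).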
RE: Draft of Rep. Berman's bill authorizes anti-P2P hacking
I second that. If I see any of my clients having any sort of malicious activity directed at them, then there is no chance of me allowing their traffic through. I would be more than happy to send all their traffic to packet hell. Large corporations do not get any special consideration if it comes down to the stability of my network vs. receiving their traffic. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Thomason Sent: Wednesday, July 24, 2002 2:10 PM To: Marshall Eubanks Cc: [EMAIL PROTECTED] Subject: Re: Draft of Rep. Berman's bill authorizes anti-P2P hacking Would malicious actions on the part of copyright holders violate the AUP of most networks? Or are service providers more willing to tolerate denial of service attacks by large corporations than say, spam? If this legislation is passed, they certainly will earn Null0 on mine. Regards, James Thomason On Wed, 24 Jul 2002, Marshall Eubanks wrote: Thought this would be considered on-topic as guess who would have to clean up the resulting messes... Regards Marshall Eubanks - Forwarded message from Declan McCullagh [EMAIL PROTECTED] - From: Declan McCullagh [EMAIL PROTECTED] Subject: FC: Draft of Rep. Berman's bill authorizes anti-P2P hacking To: [EMAIL PROTECTED] Date: Tue, 23 Jul 2002 20:29:35 -0400 X-URL: http://www.mccullagh.org/ X-URL: Politech is at http://www.politechbot.com/ http://news.com.com/2100-1023-945923.html?tag=politech Could Hollywood hack your PC? By Declan McCullagh July 23, 2002, 4:45 PM PT WASHINGTON--Congress is about to consider an entertainment industry proposal that would authorize copyright holders to disable PCs used for illicit file trading. A draft bill seen by CNET News.com marks the boldest political effort to date by record labels and movie studios to disrupt peer-to-peer networks that they view as an increasingly dire threat to their bottom line. Sponsored by Reps. 
Howard Berman, D-Calif., and Howard Coble, R-N.C., the measure would permit copyright holders to perform nearly unchecked electronic hacking if they have a reasonable basis to believe that piracy is taking place. Berman and Coble plan to introduce the 10-page bill this week. The legislation would immunize groups such as the Motion Picture Association of America and the Recording Industry Association of America from all state and federal laws if they disable, block or otherwise impair a publicly accessible peer-to-peer network. Anyone whose computer was damaged in the process must receive the permission of the U.S. attorney general before filing a lawsuit, and a suit could be filed only if the actual monetary loss was more than $250. According to the draft, the attorney general must be given complete details about the specific technologies the copyright holder intends to use to impair the normal operation of the peer-to-peer network. Those details would remain secret and would not be divulged to the public. The draft bill doesn't specify what techniques, such as viruses, worms, denial-of-service attacks, or domain name hijacking, would be permissible. It does say that a copyright-hacker should not delete files, but it limits the right of anyone subject to an intrusion to sue if files are accidentally erased. [...] - POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ - Like Politech? Make a donation here: http://www.politechbot.com/donate/ - - End forwarded message - -- Regards Marshall Eubanks T.M. 
Eubanks Multicast Technologies, Inc 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : [EMAIL PROTECTED] http://www.multicasttech.com Test your network for multicast : http://www.multicasttech.com/mt/ Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
RE: Cogent issues at AADS PVC 5.34?
John, I can't be certain this has anything to do with it, as I haven't called for a report today. But as of Friday I was seeing upwards of 1200 ms due to a fiber outage (Either a cut or turnoff, they wouldn't say.) and them running over capacity due to the outage. If I hear anything else I'll post to the list. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Kristoff Sent: Monday, July 22, 2002 1:49 PM To: [EMAIL PROTECTED] Subject: Cogent issues at AADS PVC 5.34? We're currently experiencing significant latency through Cogent at AADS. I've heard they have some general latency issues, but nothing concrete yet as to what and where. Does anyone have any details of any problems while we're waiting for a response back from the NOC? Thanks, John
RE: Cogent issues at AADS PVC 5.34?
Okay...Just talked to Cogent. The fiber outage was resolved on Saturday. I'm not actually seeing latency on their network (I Just changed my preferences to actually follow some of their routes.) I'm out on AS 1 at 60 ms. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Samford Sent: Monday, July 22, 2002 1:49 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cogent issues at AADS PVC 5.34? John, I can't be certain this has anything to do with it, as I haven't called for a report today. But as of Friday I was seeing upwards of 1200 ms due to a fiber outage (Either a cut or turnoff, they wouldn't say.) and them running over capacity due to the outage. If I hear anything else I'll post to the list. Derek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Kristoff Sent: Monday, July 22, 2002 1:49 PM To: [EMAIL PROTECTED] Subject: Cogent issues at AADS PVC 5.34? We're currently experiencing significant latency through Cogent at AADS. I've heard they have some general latency issues, but nothing concrete yet as to what and where. Does anyone have any details of any problems while we're waiting for a response back from the NOC? Thanks, John
PSINet/Cogent Latency
There was some mail being tossed around earlier about Cogent having latency. I'm actually seeing this on PSINet (Now owned by Cogent.) Is anyone else still seeing the latency they were experiencing earlier? Derek