Re: Cisco moves even more to china.
Ricardo, If I were you, I'd atleast pipe my shit through aspell a couple hundred times, before I even consider hitting 'y'. That's euphemism. And to you believe everything the liberal news media says? As I recall, this whole thread (which, I might add, is You mean And do you..., right? not in the least bit operational, nor relevent) was started in relevant response to a sound bite you heard on TV, whcih you were unable to which ~Hani Mustafa P.S As a random exercise, compose a sentence from the following scrambled words: house, stones, glass, throw
Re: Strange public traceroutes return private RFC1918 addresses
How does a 50Mbyte MTU sound like? http://www.psc.edu/~mathis/MTU/ ~Hani Mustafa
Re: Minimum Internet MTU
by GRE or IPSec. With this in mind, would we be safe to flag/drop/what ever all fragments smaller than 1200 bytes that are not last fragments (i.e., more fragments is still set)? No. Check previous thread about IPSec and MTU. Some IPSec implementations split the greater-than-mtu sized packet in half in order to avoid the possibility of further fragmentation down the road, thus better performance. ~Hani Mustafa
Re: IANA down?
Same here, pings work but thats about it. Tracing the path to www.iana.org (192.0.34.162) on TCP port 80, 30 hops max [..] 21 ge-1-2.a00.lsanca17.us.ra.verio.net (129.250.29.115) 237.909 ms 238.172 ms 242.828 ms 22 ge-1-0.a01.lsanca02.us.ra.verio.net (129.250.29.131) 252.537 ms 237.021 ms 237.937 ms 23 ge-2-3-0.a02.lsanca02.us.ce.verio.net (198.172.117.163) 240.271 ms 242.279 ms 242.292 ms 24 lngw2-isi-1-atm.ln.net (130.152.180.22) 249.493 ms 245.855 ms 247.489 ms 25 207.151.118.18 (207.151.118.18) 242.645 ms 240.595 ms 241.951 ms 26 * * * 27 * traceroute to www.iana.org (192.0.34.162), 64 hops max, 64 byte packets [ICMP] 21 ge-1-2.a00.lsanca17.us.ra.verio.net (129.250.29.115) 251.679 ms 248.011 ms 251.487 ms 22 ge-1-0.a01.lsanca02.us.ra.verio.net (129.250.29.131) 247.610 ms 252.168 ms 246.358 ms 23 ge-2-3-0.a02.lsanca02.us.ce.verio.net (198.172.117.163) 245.831 ms 240.880 ms 253.079 ms 24 lngw2-isi-1-atm.ln.net (130.152.180.22) 243.358 ms 246.593 ms 243.768 ms 25 207.151.118.18 (207.151.118.18) 252.022 ms 249.046 ms 251.480 ms 26 www.iana.org (192.0.34.162) 248.092 ms 242.184 ms 248.283 ms ~Hani Mustafa
Re: Quarantaine network for infected hosts?
Eric, I wrote up a quick note on what we do at: http://www.roxanne.org/~eric/blaster.html Quote from Known Issues: One of the unfortunate side effects of it is that some spyware/adware either overrides your DNS settings with their own or makes an HTTP call to their website before allowing the browser to download a page normally. A different way to tackle this problem (instead of the dns views approach), is to do it at a lower level. Something like Cisco's SSG (*) can be used to do the equivilant of DNAT for a specified set of source addressees. This being a static configuration, I wonder if SSG's original purpose can be used as a solution which does not need DHCP. In this case, all network users would, by default, be redirected to a verification website (whatever verification method is used to determine whether this host is infected), after which the user is allowed to pass through the gateway without manipulating the packets IF the box was confirmed clean. On a seperate note, with the complexity of setting up ssg aside, you can easily implement something like this using iptables' REDIRECT target. (iptables -s 10.0.0.0/8 -j REDIRECT ... or something) ~Hani Mustafa (*) http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
