Re: Using Mobile Phone email addys for monitoring

2007-09-11 Thread Henning Brauer

* matthew zeier [EMAIL PROTECTED] [2007-09-06 23:39]:
 It's more effective to spend the money on SMS messages. Mobile
 providers are forced to use very aggressive anti spam measures, which
 can add significant delays in message delivery.
 Recommendations on software and modems?

the UMTS PC-Cards you can get rather cheap these days show up as USB 
controllers with USB-serial converters behind. add a little kermit 
magic and you're done (this is on OpenBSD).

unlock at boot time (replace  with your PIN):

#!/usr/local/bin/kermit +
; unlock the SIM once at boot; any unexpected reply makes kermit exit 1
set line /dev/ttyU0
if failure exit 1
set carrier-watch off
set input echo on
; ask for the PIN state first, only send the PIN if the card wants one
lineout AT+CPIN?
input 10 +CPIN: SIM PIN
if failure exit 1
input 10 OK
if failure exit 1
; the PIN goes after the = (see the note above)
lineout AT+CPIN=
input 20 OK
if failure exit 1
; check the state again
lineout AT+CPIN?
input 10 +CPIN: SIM PIN2
if failure exit 1
input 10 OK
if failure exit 1
exit 0

send an sms:
parameters: number message
(+49177... is the SMSC, replace it with your provider's)

#!/usr/local/bin/kermit +
; \%1 = destination number, \%2 = message text

set line /dev/ttyU0
if failure exit 1
set carrier-watch off
lineout ATZ
input 10 OK
if failure exit 1
; SMS service centre address
lineout AT+CSCA="+49177061"
input 10 OK
if failure exit 1
; text mode
lineout AT+CMGF=1
input 10 OK
if failure exit 1
; the modem answers AT+CMGS with a > prompt, then wants the body
lineout AT+CMGS="\%1"
input 10 >
if failure exit 1
lineout \%2
; Ctrl-Z (decimal 26) submits the message
output \26
input 100 OK
if failure exit 1
exit 0

of course I have some shell around it for failure handling (retries) etc

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
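
An added example, not from the post above: the same AT exchange the two kermit scripts drive (PIN check and unlock, SMSC, text mode, AT+CMGS, Ctrl-Z), written in Python against any port object with write()/readline() such as pyserial's Serial. FakeModem, the PIN and the phone numbers are constructed so it runs offline.

```python
"""AT-command SIM unlock and text-mode SMS send: the exchange the two kermit
scripts drive, against any port object with write()/readline() (pyserial's
Serial fits). FakeModem is a constructed stand-in so this runs offline."""
import re

CTRL_Z = b"\x1a"                 # submits the message body after the AT+CMGS prompt
FINAL_ERRORS = (b"ERROR", b"+CME ERROR", b"+CMS ERROR")


class ModemError(Exception):
    """The modem returned ERROR or an unexpected reply."""


def read_until(port, final=(b"OK",), limit=20):
    """Collect response lines until a final result code; any ERROR aborts."""
    lines = []
    for _ in range(limit):
        line = port.readline().strip()
        if line.startswith(FINAL_ERRORS):
            raise ModemError(line.decode("ascii", "replace"))
        if line in final:
            return lines
        if line:
            lines.append(line)
    raise ModemError("no final result code within %d lines" % limit)


def command(port, cmd, final=(b"OK",)):
    port.write(cmd.encode("ascii") + b"\r")
    return read_until(port, final)


def unlock_sim(port, pin):
    """Send the PIN only when the modem says it waits for one; never guess or retry blindly."""
    if not re.fullmatch(r"\d{4,8}", pin):
        raise ValueError("PIN must be 4 to 8 digits")
    status = command(port, "AT+CPIN?")
    if status == [b"+CPIN: READY"]:
        return "ready"
    if status != [b"+CPIN: SIM PIN"]:
        raise ModemError("unexpected SIM state: %r" % status)
    command(port, 'AT+CPIN="%s"' % pin)
    return "unlocked"


def send_sms(port, smsc, number, text):
    """Text-mode send; returns the message reference the modem reports in +CMGS."""
    for n in (smsc, number):
        if not re.fullmatch(r"\+?\d{3,20}", n):
            raise ValueError("bad number %r" % n)
    if not (text.isascii() and text.isprintable() and len(text) <= 160):
        raise ValueError("body must be printable ASCII, at most 160 characters")
    command(port, "ATZ")                         # reset to a known state
    command(port, 'AT+CSCA="%s"' % smsc)         # SMS service centre
    command(port, "AT+CMGF=1")                   # text mode
    command(port, 'AT+CMGS="%s"' % number, final=(b">",))
    port.write(text.encode("ascii") + CTRL_Z)    # body, then Ctrl-Z (kermit's \26)
    reply = read_until(port)
    m = re.fullmatch(rb"\+CMGS: (\d+)", reply[-1]) if reply else None
    if not m:
        raise ModemError("no +CMGS confirmation: %r" % reply)
    return int(m.group(1))


class FakeModem:
    """Constructed modem that answers only the commands used above (the PIN is made up)."""
    def __init__(self, pin="1234"):
        self.pin, self.locked, self.prompt = pin, True, False
        self.out, self.sent = [], []

    def _reply(self, *lines):
        self.out.extend(l + b"\r\n" for l in lines)

    def write(self, data):
        if self.prompt:                          # message body after the '>' prompt
            self.prompt = False
            self.sent.append(data.rstrip(CTRL_Z).decode("ascii"))
            return self._reply(b"+CMGS: %d" % len(self.sent), b"OK")
        cmd = data.decode("ascii").strip()
        if cmd == "AT+CPIN?":
            self._reply(b"+CPIN: SIM PIN" if self.locked else b"+CPIN: READY", b"OK")
        elif cmd.startswith("AT+CPIN="):
            self.locked = cmd != 'AT+CPIN="%s"' % self.pin
            self._reply(b"+CME ERROR: 16" if self.locked else b"OK")
        elif cmd in ("ATZ", "AT+CMGF=1") or cmd.startswith("AT+CSCA="):
            self._reply(b"OK")
        elif cmd.startswith("AT+CMGS=") and not self.locked:
            self.prompt = True
            self.out.append(b"> ")
        else:
            self._reply(b"+CMS ERROR: 311" if self.locked else b"ERROR")

    def readline(self):
        return self.out.pop(0) if self.out else b""
```

With a real card, replace FakeModem by serial.Serial("/dev/ttyU0", timeout=2) and keep the retry loop outside send_sms, as the post's shell wrapper does.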


Re: Google wants to be your Internet

2007-01-29 Thread Henning Brauer

* Joseph S D Yao [EMAIL PROTECTED] [2007-01-30 01:59]:
 
 On Wed, Jan 24, 2007 at 01:48:04PM -, [EMAIL PROTECTED] wrote:
 ...
  IPv6 makes NAT obsolete because IPv6 firewalls can provide all
  the useful features of IPv4 NAT without any of the downsides.
 ...
 
 IPv6 firewalls?  Where?  Good ones?

OpenBSD's pf has had support for v6 for years now.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam


Re: FW: [cacti-announce] Cacti 0.8.6j Released (fwd)

2007-01-18 Thread Henning Brauer

* Berkman, Scott [EMAIL PROTECTED] [2007-01-18 22:34]:
 Cacti is a free open source tool, and in my opinion these should never
 be expected to be 100% free of bugs, errors, and exploits.

very much opposed to commercial software, where you can be 100% sure 
that they are full of bugs, errors, and exploits

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam


Re: DARPA and the network

2005-09-06 Thread Henning Brauer

* Todd Vierling [EMAIL PROTECTED] [2005-08-05 00:26]:
 I'm one of the developers for NetBSD.  From what I can see, on average, all
 the BSDs are about the same when it comes to addressing vulnerabilities.
 They're almost on par when it comes to preventative measures (but remember,
 some preventative measures can go too far:  OpenBSD has fallen victim to
 that more than once).  The real end-of-the-day tangible difference wrt
 security is how vocal the project's security team is.

so if the BSDs are on par with preventive measures, why is OpenBSD (to 
my knowledge) the only one shipping ProPolice, which prevented 
basically any buffer overflow seen in the wild for some time now?
Why is OpenBSD the only one to have randomized library loading, 
rendering basically all exploits with fixed offsets unusable?
Why is OpenBSD the only one to have W^X, keeping memory pages writeable 
_or_ executable, but not both, unless an application forces us to (by 
respective mprotect calls)?
Where's the non-root, chrooted httpd, dhcpd, mopd, rbootd, afs, pppd etc 
on the other BSDs? The privilege separated tcpdump? This list is not 
even remotely complete...
And, why's OpenBSD the only one that has systematically removed all 
uses of dangerous string handling functions like strcpy, strcat, 
sprintf etc?

so, claiming the difference is how vocal a project is is, in this case, 
just far off reality.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...


Re: DARPA and the network

2005-09-06 Thread Henning Brauer

* Florian Weimer [EMAIL PROTECTED] [2005-09-06 11:44]:
 * Henning Brauer:
  so if the BSDs are on par with preventive measures, why is OpenBSD (to 
  my knowledge) the only one shipping ProPolice, which prevented 
  basically any buffer overflow seen in the wild for some time now?
  Why is OpenBSD the only one to have randomized library loading, 
  rendering basically all exploits with fixed offsets unusable?
  Why is OpenBSD the only one to have W^X, keeping memory pages writeable 
  _or_ executable, but not both, unless an application forces us to (by 
  respective mprotect calls)?
 All these pamper over the real problems and are not very helpful in a
 service provider environment, where availability might well be more
 important than integrity.  Buffer overflows still lead to crashes.

oh, so turning a remote root into an application crash is something I 
value quite a bit. this is propolice and w^x, mostly.

you skipped all the other stuff I listed that we do.

 Some of the countermeasures also break lots of legitimate applications
 (Lisp implementations, for example, or precompiled headers for GCC).

clisp is the only thing I am aware of that got broken.
even emacs works, and those who know how emacs works can value that :)

 (Isn't this quite off-topic for NANOG?)

yes, it is. we can further discuss that in private if you wish; however, 
claiming OpenBSD is just more vocal about security is just far off 
reality, and that had to be put in perspective.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...


Re: DARPA and the network

2005-09-06 Thread Henning Brauer

* [EMAIL PROTECTED] [EMAIL PROTECTED] [2005-09-06 20:04]:
 On Tue, 06 Sep 2005 11:35:22 +0200, Henning Brauer said:
 (Off-topic, but needs correcting...)

well, then please correct correctly...

  so if the BSDs are on par with preventive measures, why is OpenBSD (to 
  my knowledge) the only one shipping ProPolice, which prevented 
  basically any buffer overflow seen in the wild for some time now?
 Not familiar with ProPolice, but much of Fedora is compiled with the
 FORTIFY_SOURCE option, which presumably does similar stuff?

FORTIFY_SOURCE seems to be closer to our -Wbounded than ProPolice, 
ProPolice goes way further. please check 
http://www.openbsd.org/papers/auug04/index.html for an overview of 
exploit mitigation techniques in OpenBSD. I didn't even mention 
stackgap, stackghost (on sparc and sparc64) and some others yet.
More in-depth information about ProPolice can be found at
http://www.trl.ibm.com/projects/security/ssp/
but note that there are some more modifications in OpenBSD, for example we 
have the stack smash handler in libc.

  Why is OpenBSD the only one to have randomized library loading, 
  rendering basically all exploits with fixed offsets unusable?
  Why is OpenBSD the only one to have W^X, keeping memory pages writeable 
  _or_ executable, but not both, unless an application forces us to (by 
  respective mprotect calls)?
 See the ExecShield stuff in RedHat/Fedora, or the Pax patch in grsecurity,
 which both address these two points.

well, again, they're not even remotely going as far as W^X goes.

 There's probably more systems running a Linux with one of these than OpenBSD.

I am pretty certain this is not the case, not even remotely. But since 
neither you nor I have numbers to back this I don't see the point in 
speculating further.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...


Re: is reverse dns required? (policy question)

2004-12-04 Thread Henning Brauer

* Andre Oppermann [EMAIL PROTECTED] [2004-12-03 11:04]:
 Mark Andrews wrote:
 In article [EMAIL PROTECTED] you write:
 You would put in a global wildcard that says no smtp sender here.  Only
 for those boxes being legitimate SMTP to outside senders you'd put in a
 more specific record as shown above.  You probably have to enter some 
 dozen
 to one hundred servers this way.  Sure your reverse zone scripts need some
 changes but it's only two or three lines.
 
 Ideally you could tell your DNS server in the zone file this:
 
 _send._smtp._srv.*.*.173.128.in-addr.arpa.   IN TXT   0
 _send._smtp._srv.*.*.82.198.in-addr.arpa.   IN TXT   0
 
 being overridden by more specific information on single IP addresses.
 
 
  You obviously do not know how wildcards work in the DNS or you
  would not have made this suggestion.  Please read RFC 1034
  and work through Section 4.3.2. Algorithm with a QNAME of
  _send._smtp._srv.1.1.173.128.in-addr.arpa.
 
 The wildcards are in the DNS server zone file for interpretation by the
 DNS server itself.  It would not be published as such because that obviously
 wouldn't work as you prove.  But nothing is preventing BIND or whatever
 from taking this wildcard record and answering every request with the
 wildcard _send._smtp._srv.* RR if no more-specific exists.  This should
 be relatively straight forward to code.  Wouldn't want to touch the code
 base of BIND but for DJBDNS I could somewhat easily implement it.

eh?
no need to...

   Thus we propose expanding the reverse DNS tree with a subdomain with
   the well known name

   _srv

   This subdomain MAY be inserted at any level in the DNS tree for IPv4
   IN-ADDR.ARPA reverse zones.  For IPv6, to limit the number of DNS
   queries, _srv is only queried at the /128 (host), /64 (subnet) and /
   32 (site) level.  That way it can either provide information for a
   specific IP address or for a whole network block.  More specific
   information takes precedence over information found closer to the top
   of the tree.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI

2004-11-28 Thread Henning Brauer

* Cliff Albert [EMAIL PROTECTED] [2004-11-28 13:13]:
 Therefore I also agree with daniel that there is not really a problem
 with the 1 ASN == 1 IPv6 Prefix.

unless I miss something in that proposal that means that we'll see a 
dramatic increase in ASNs - I mean, it is not like only organizations 
with an ASN assigned have v4 space now. If they have their portable 
address space now, why should they suddenly accept that they had to 
renumber when changing providers?

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI

2004-11-28 Thread Henning Brauer

* Daniel Roesen [EMAIL PROTECTED] [2004-11-28 14:05]:
 
 On Sun, Nov 28, 2004 at 01:21:05PM +0100, Henning Brauer wrote:
  * Cliff Albert [EMAIL PROTECTED] [2004-11-28 13:13]:
   Therefore I also agree with daniel that there is not really a problem
   with the 1 ASN == 1 IPv6 Prefix.
  
  unless I miss something in that proposal that means that we'll see a 
  dramatic increase in ASNs - I mean, it is not like only organizations 
  with an ASN assigned have v4 space now. If they have their portable 
  address space now, why should they suddenly accept that they had to 
  renumber when changing providers?
 
 Because they would have to _qualify_ for an ASN first. And the rules
 for that are sufficiently strict - you have to prove a distinct routing
 policy. That means either multihoming two at least two upstreams, or
 upstream plus peering. The shops who have only legacy PI space announced
 by their single static routed upstream won't qualify. Plain simple.

there are a lot of organizations now having PI without having an ASN 
and being multihomed. a transition to v6 with this policy would make 
things much worse for them, so why should they?

on the other hand, 1 ASN - 1 v6 prefix does not necessarily mean 1 v6 
prefix - 1 ASN. might work out.

 The convenience factor _is_ already outlawed.

true for new allocations, but there is a gigantic installed base, and 
making their situation worse isn't exactly helping in getting v6 
deployed.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI

2004-11-28 Thread Henning Brauer

* Cliff Albert [EMAIL PROTECTED] [2004-11-28 14:22]:
 As I also stated in my last post (which you snipped out, and is pretty
 relevant) is that the handing out of ASN's should be harder. Currently
 ASN's are given to every silly dude that says 'i want multihoming'. 

I snipped that because I have nothing to add... as in, I agree that 
care should be taken to only give out ASNs to those who are really 
going to use it in a sane fashion. and maybe revoked easier when 
they're not in use.

 However I understand your statement, but the IPv4 policies are mostly
 there because you still have to support the old way. In IPv6 we can do
 things the new way, so why shouldn't we decide on new policies that get
 us to stop all issues we had with IPv4. 

we'll never see the new way if it has so big drawbacks for so many 
organizations that are happy with the old way.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI

2004-11-28 Thread Henning Brauer

* Owen DeLong [EMAIL PROTECTED] [2004-11-28 19:51]:
 there are a lot of organizations now having PI without having an ASN
 and being multihomed. a transition to v6 with this policy would make
 things much worse for them, so why should they?
 They shouldn't unless they need features that are available in v6 that
 are not available in v4.  Where's the harm in this?  The v6 stack provides
 for encapsulating v4 addresses in v6 easily enough and the v6 specs already
 make allowance for this.  I don't see any reason we need to get such a site
 over to v6.

ehm the v4-in-v6 mapping is a gigantic security issue. this is nothing 
but establishing tunnels automagically and extremely dangerous. 
v4-in-v6 is not supported on purpose or at least disabled by default on 
many OSes, and that is a good thing.

so you say they should just keep v4 - that does not really help in 
getting v6 deployed.

 on the other hand, 1 ASN - 1 v6 prefix does not necessarily mean 1 v6
 prefix - 1 ASN. might work out
 While I think a policy of "If you qualify for an ASN, you qualify for a
 prefix" makes sense, I do not think that the reverse makes any sense
 whatsoever.

ack.

 The convenience factor _is_ already outlawed.
 true for new allocations, but there is a gigantic installed base, and
 making their situation worse isn't exactly helping in getting v6
 deployed.
 As near as I can tell, there's very little reason for such a site to ever
 adopt v6 and very little reason for the world to care that they didn't.

i think there's many many many more of those sites than you think.
and we really don't want to run in two parallel universes for longer 
than it has to be...

 As such, I'm not sure I understand why this is a significant issue.  Is
 there some reason it's important for these sites to go to v6 instead of
 using 4-to-6 address encapsulation at their border?

4-to-6 is a horrible mess.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IPV6 renumbering painless?

2004-11-13 Thread Henning Brauer

* Owen DeLong [EMAIL PROTECTED] [2004-11-13 09:11]:
 Or... Recognizing that you have a dependency on DNS, you include
 S10WaitForDns in your rc3.d and don't continue the bootstrap until
 DNS is reachable.

in my what? ;)
this is just sick, in any case.

  Not to forget all the IP address based ACLs.
 I suspect that eventually, we will discover that ADDRESS-based
 ACLs simply do not scale to a V6 world, and, you will see support
 for other strategies, such as host-name based ACLs.
 Layer 3 doesn't know host names. Nor does layer 4. Applications do.
 Security requirements do often mandate working access control even
 when DNS doesn't work or is compromised.
 Security requirements are that you not permit packets that should not be
 when DNS is not working.  Nothing says the router cannot run a resolver
 pass when parsing the ACL or when told to refresh the ACL to translate
 the configured names into IP addresses.  Nothing precludes a periodic
 automatic refresh.

this is completely unacceptable and fails the point entirely.

 Hope this helps show that these problems can be mitigated in more
 scalable ways.

why do the v6 proponents always pretend that they can change everything?
there's a reason for how things are now, and many of them are good 
reasons (and some are poor, yes).
v6 should solve
1) the address space problem
2) autoconfiguration

however, by giving this to academics with much too much time on their 
hands, v6 transformed into unusable crap, and we are where we are now, 
as in, no real world relevance for v6, and it doesn't look like that 
will change anytime soon.

face some facts, you are not going to change the way the net works in 
such ways.

go back to the drawing board and start cutting out the crap. then v6 
(or whatever it might be called then) has a chance.


Re: IPV6 renumbering painless?

2004-11-13 Thread Henning Brauer

* Iljitsch van Beijnum [EMAIL PROTECTED] [2004-11-13 13:48]:
 Filtering based on IP addresses is a broken concept.

this arrogance and misguided view of the 'net is probably the main reason 
why v6 doesn't work.


Re: BGP question

2004-11-11 Thread Henning Brauer

* adrian kok [EMAIL PROTECTED] [2004-11-10 21:32]:
 2/ I saw article. a full BGP feed is about 110,000
 routes.

we're at 140..150k these days.

 Do you have experience that AMD64 with 3G memory in
 Unix Box can handle it?

I've done it on a soekris box, that is, a 266MHz Geode CPU with
128MB RAM, using OpenBSD and OpenBGPD...

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: [Insight?] OutPut Drops Cisco 7206VXR

2004-10-26 Thread Henning Brauer

* Gyorfy, Shawn [EMAIL PROTECTED] [2004-10-26 16:30]:
 Now the puppy decides to reboot
 every 15 minutes returning a "System returned to ROM by bus error at PC
 0x60132C44, address 0xE16E2CD at 13:38:47 UTC Tue Oct 26 2004"

   (b) what is that bus error?

usually unaligned memory access on a strict alignment architecture.
in other words, a software bug.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: MD5 BGP performance on a VXR?

2004-06-11 Thread Henning Brauer

* Patrick W.Gilmore [EMAIL PROTECTED] [2004-06-11 20:54]:
 On Jun 11, 2004, at 8:21 AM, Newell, Tony wrote:
 My first question would be how big is your prefix list per BGP session?
 What is really going to task this router with 25 sessions is the BGP
 Scanner and BGP Router processes.  To my knowledge MD5 is just for
 authenticating the session.  I could be wrong.
 Every TCP packet in the BGP session (including HELLOs) will have to go 
 through the MD5 process.

there is no HELLO in bgp. and it is not really related to bgp either, 
it is just the common case that they're used together. with tcp md5sig, 
each and every packet gets an md5 signature - built from the packet header 
and a shared secret - added, and the receiving side - which, of course, 
has to have the secret for that - does the same again. if the signature 
in the packet and the signature the receiver calculated don't match, 
the packet is discarded (well, should be. FreeBSD's implementation does 
sign outgoing packets and simply ignores signatures on incoming 
packets, very useful. ok, I don't know whether this has been fixed, but 
thanks for the laugh).

 This happens even if things like the sequence number is wrong (at least 
 on some versions of IOS).

I consider this Yet Another IOS Bug.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
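
An added example, not from the post and not any OS's stack: the RFC 2385 signing and checking described above, in Python. The sender puts option kind 19 with the digest into the segment; the receiver recomputes the digest over the same bytes and drops segments that carry no signature or a mismatching one (the failure mode the post laughs about). Addresses, ports, key and the BGP KEEPALIVE payload are constructed.

```python
"""RFC 2385 TCP MD5 signature option: sign on send, check on receive."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TCPOLEN_MD5SIG = 18           # kind + length + 16-byte digest
FIXED_HDR_LEN = 20


def pseudo_header(src_ip, dst_ip, seg_len):
    """Source, destination, zero byte, protocol, TCP segment length (header + options + data)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def fixed_header(sport, dport, seq, ack, flags, window, opt_len):
    """20-byte TCP header; data offset covers the options, checksum and urgent pointer are 0."""
    offset = (FIXED_HDR_LEN + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset << 4, flags, window, 0, 0)


def md5_digest(src_ip, dst_ip, hdr, opt_len, payload, key):
    """Digest in RFC 2385 order: pseudo-header, fixed header with checksum 0, data, key."""
    seg_len = FIXED_HDR_LEN + opt_len + len(payload)
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, seg_len))
    h.update(hdr[:16] + b"\x00\x00" + hdr[18:])   # options excluded, checksum zeroed
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Sender: segment carrying option 19, padded with two NOPs to a 4-byte boundary."""
    opt_len = TCPOLEN_MD5SIG + 2
    hdr = fixed_header(sport, dport, seq, ack, flags, window, opt_len)
    digest = md5_digest(src_ip, dst_ip, hdr, opt_len, payload, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return hdr + options + payload     # a real stack fills in the checksum after signing


def find_md5_option(options):
    """Walk the option list; return the 16-byte digest from option 19, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                      # truncated or malformed option
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG and i + length <= len(options):
            return bytes(options[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver: recompute and compare in constant time; unsigned or mismatching segments fail."""
    if len(segment) < FIXED_HDR_LEN:
        return False
    offset = (segment[12] >> 4) * 4
    if offset < FIXED_HDR_LEN or offset > len(segment):
        return False
    hdr, options, payload = segment[:FIXED_HDR_LEN], segment[FIXED_HDR_LEN:offset], segment[offset:]
    received = find_md5_option(options)
    if received is None:
        return False
    expected = md5_digest(src_ip, dst_ip, hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def bgp_keepalive():
    """Constructed 19-byte BGP KEEPALIVE: 16-byte marker, length 19, type 4."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)
```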


Re: Charter blocking Port 25

2004-06-10 Thread Henning Brauer

* Arman [EMAIL PROTECTED] [2000-01-09 03:07]:
 Does anybody else know of other cable/DSL providers that simply block 
 outbound port 25?

wish just everybody did...


Re: IT security people sleep well

2004-06-08 Thread Henning Brauer

* Stephen Sprunk [EMAIL PROTECTED] [2004-06-08 13:05]:
 Thus spake Henning Brauer [EMAIL PROTECTED]
  You lose nothing with using ssh instead of telnet.
  You win a lot.
 You lose money and time because you have to license more expensive code,
 upgrade RAM and flash to handle larger images

this, again, is an exclusive cisco problem. blame them.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Henning Brauer

* [EMAIL PROTECTED] [EMAIL PROTECTED] [2004-06-07 14:15]:
  complaining that cisco charges extra for such a critical component is 
  exactly the right thing to do; it is fucking scary.
  
  every damn network device which used to have telnet should ship with 
  ssh, it's free. 
 
 Why?
 
 The typical network architecture of an ISP sees routers located in
 large clusters in a PoP or on a customer's site directly connected
 to a PoP. Since it is dead simple to place a 1U Linux box or similar
 SPARC server in a PoP to act as a secure gateway, why should router 
 vendors encourage laziness and sloppiness?

ssh on the router doesn't make this - indeed wise - setup impossible or 
anything.

but get real: you don't have a secure box next to those little 26xx 
deployed at customer sites. Or 36x, or whatever.

Pointing out that one can work around the missing ssh on cisco devices 
doesn't solve the issue, it is still a workaround.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-07 Thread Henning Brauer

* Robert Boyle [EMAIL PROTECTED] [2004-06-07 14:08]:
 I really truly don't see the problem with plaintext telnet 
 management of routers.

It is exactly this belief in the security of your networks that gets 
this industry in so deep shit.

ever heard of multilayer security?
some little problem somewhere that allows an attacker to sniff your 
telnet traffic and you are d00med. that might be as simple as a routing 
fuckup.

You lose nothing with using ssh instead of telnet.
You win a lot.

ssh is a basic component for secure network management.
it is not the one magic piece that turns a collection of crap into an 
ubersecure network of course, as some people seem to imply.

not seeing the problem with cleartext telnet for remote logins in 2004, 
whether ACL'd or not, is just ... oh man, I don't have words for this.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-07 Thread Henning Brauer

* Robert Boyle [EMAIL PROTECTED] [2004-06-07 21:40]:
 which is why I am 
 against running ssh AND leaving it open to the world

the only one who talks about that is you.

 You lose nothing with using ssh instead of telnet.
 You win a lot.
 I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. 

not the point - cisco is to blame for that.

 Should it be included by default, yes.

that is the entire point.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-06 Thread Henning Brauer

* Paul Jakma [EMAIL PROTECTED] [2004-06-06 09:03]:
 On Sat, 5 Jun 2004, Mike Lewinski wrote:
 And that provides protection against MITM attacks how?
 kerberised telnet can be encrypted (typically DES - sufficient to 
 guard MITM).

this is not nearly the same league as (proper) ssh.

complaining that cisco charges extra for such a critical component is 
exactly the right thing to do; it is fucking scary.

every damn network device which used to have telnet should ship with 
ssh, it's free. well, I understand that cisco has problems with their 3$ 
CPUs with the crypto load, but that's an extremely poor excuse.


Re: Cisco's Statement about IPR Claimed in draft-ietf-tcpm-tcpsecure

2004-05-13 Thread Henning Brauer

* Iljitsch van Beijnum [EMAIL PROTECTED] [2004-05-13 19:52]:
 I don't think you can fully randomize the source port as it might clash 
 with well-known ports.

of course. 1024 - 49151, on OpenBSD.

 Also, it may be somewhat expensive to make ports 
 truly random. (But not as expensive as doing MD5 for the whole 
 session.)

We have randomized src ports in OpenBSD since 1996 - on all platforms, 
including vax and such. No, it is not expensive.

 But why are you assuming the window size is 64k? This is completely 
 unnecessary, and not done in practice by real routers: those 
 typically use a 16k window. It should even be possible to set the 
 window to a very small size, such as 64 bytes. That's enough to receive 
 the initial BGP header, after which the window can be set to a larger 
 size until the session is idle again.

In OpenBSD's bgpd, we only scale the window up if md5sig or ipsec is in 
use...

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Hardware for full mesh bgp

2004-04-25 Thread Henning Brauer

In the light of people discussing the hardware requirements for running 
full mesh bgp with tcp md5 and minimal filtering I just have to point out 
what we're doing here currently...

14 OpenBSD developers who hack networking stuff from all over the world 
have flown in to enjoy 4 days of coding.

Of course we are also working on our bgpd. As we're a little low on 
electrical power here we use a lot of small embedded machines - and I 
have full mesh bgp sessions on quite some of those, using tcp md5sig 
sessions of course.

check this out: http://somewhere.whereever/pic.jpg
that little green box bob and myself are holding in our hands has a 
full feed. It is a 266 MHz Geode with 128MB RAM working off a CF card.
Getting the session established and the full table transferred takes
less than 8 seconds...


Re: Hardware for full mesh bgp

2004-04-25 Thread Henning Brauer

* Henning Brauer [EMAIL PROTECTED] [2004-04-25 18:04]:
 check this out: http://somewhere.whereever/pic.jpg

eek. that should have been
http://misc.bsws.de/img_1001.jpg


Re: Hardware for full mesh bgp

2004-04-25 Thread Henning Brauer

* Brad Knowles [EMAIL PROTECTED] [2004-04-25 18:16]:
 At 6:09 PM -0700 2004/04/25, Henning Brauer wrote:
  * Henning Brauer [EMAIL PROTECTED] [2004-04-25 18:04]:
  check this out: http://somewhere.whereever/pic.jpg
  eek. that should have been
  http://misc.bsws.de/img_1001.jpg
   Okay, so you've got the picture now.  However, I'm sure that some 
 people are going to be interested in more details on the hardware -- 
 you might want to tell them it's a Soekris net4501, or whatever. 

it's a 4801.

   Also, are you using the crypto accelerator for calculating the MD5 
   hashes?

no, we have no cards here currently.


Re: Hardware for full mesh bgp

2004-04-25 Thread Henning Brauer

* Randy Bush [EMAIL PROTECTED] [2004-04-25 19:16]:
 yes, one can use freebsd as a router.  and i think it's
 kick-ass that md5 tcp is being worked to freebsd's normal
 level of support.  thank you!

You're welcome, but our code goes to the OpenBSD repository before the 
others can pick it up.

 even in the developing economies, where labor is even cheaper
 than here in george's economic disaster, folk trying to build
 and maintain real commercial isps use real commercial routers.
 and yes, they cost too bleeping much, are too large, take
 too much power, and blow more heat than a vendor engineer
 blows smoke.

My main issue with those big commercial routers, especially those from 
this San Jose based company, is the quality of their software.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)