Re: Turkey has switched Root-Servers

2005-10-06 Thread Måns Nilsson


--On 28 September 2005 10.03.47 +0200 Stephane Bortzmeyer
<[EMAIL PROTECTED]> wrote:
 
> The problem is that all gTLD are controlled only in the US (even more
> than the root is). So, they are international only in name.

.museum is operated from Sweden. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204   cell          KTHNOC
+46 8 790 6518    office        MN1334-RIPE




RE: ULA and RIR cost-recovery

2004-11-29 Thread Måns Nilsson


--On Wednesday 24 November 2004 11.40 -0800 Tony Hain <[EMAIL PROTECTED]>
wrote:


> The current problem is that the RIR membership has self-selected to a
> state where they set policies that ensure the end customer has no
> alternative except to be locked into their provider's address space.

Do note that, IIRC, RIPE had this up for discussion some time ago and opted
in-session for a "one AS -- one global prefix" solution which was then
overridden because APNIC and ARIN weren't as impressed by that solution. 

Don't blame Europe ;-) 
-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-11 Thread Måns Nilsson
--On Thursday 11 November 2004 09.36 -0600 Adi Linden <[EMAIL PROTECTED]>
wrote:

> RFC1918 address space is free and plentiful for my purposes. It is
> provider independent. It is globally unique in the sense that no other
> publically routed network is using them. My globally unique address will
> come from my provider of the day. NAT is my technology of choice to
> connect to the global internet, but other solutions are possible.

You are probably going to fare well behind your D-Link residential plastic
box. Most people do, as long as they accept the spoon-feeding media model
and stay away from potentially dangerous things like trying to challenge
who gets to publicise things and whatnot. 

Anyway, there are other issues with non-unique addresses. Enterprises
*WILL* use them, in large,
expensive-to-renumber-since-we're-stupid-and-don't-use-DNS schemes.
Enterprises merge. I'll gladly hand out the marshmallows to roast on the
crash-and-burn fire when "unique behind my firewall" isn't. 
 
> If I understand correctly, ipv6 will force me into using provider
> dependent globally unique address space. 

Yes, as long as you don't run a LIR. (One can argue whether this is The
Way, I don't agree, but basically, this is what stands for now)

> Unless my provider of the day is
> required to assign me address space that is and/or permanently assigned
> and portable it does not meet my needs. Why not? I am not willing to
> renumber when I change providers. 

You are stuck in a v4 model. Renumbering is fun and healthy. In a
residential setting, it should be near automagic. 

> I have no problem using NAT to obtain
> connectivity from provider B using providers A address space internally.

Your applications might have issues. Mine do, and I don't like them
complaining. Unique is Good(tm). 

> But that only works if provider A is prevented from reusing 'my' addresses
> if I terminate my contract.

They are not yours, and why bother anyway? Just digits. (if you say
"security", wrong answer, go back and relearn.)
 
> And what do I do if I build my network without ties to any provider? Can I
> go to ARIN to get globally unique address space, an ipv6 /48? Without
> RFC1918 that would be my only choice to prevent from overlapping my
> network with someone elses.

There is an issue here -- various schemes have been presented (research
ships, planes, anything) that are exotic at best, yet we can't completely
ignore them. However, I do not think non-unique prefixen are the way to go.
See above under "mergers". 
 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-10 Thread Måns Nilsson


--On Monday 8 November 2004 17.18 -0600 Adi Linden <[EMAIL PROTECTED]> wrote:

> RFC1918 addresses are perfect. 

My AFS, Kerberos, and active FTP sessions think that you are being very,
very optimistic about the usability of non-unique addresses and kludgy
middleboxen who think they understand networking. 

There /are/ other protocols besides HTTP, you know. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-10 Thread Måns Nilsson
--On Tuesday 9 November 2004 16.32 + Alex Bligh <[EMAIL PROTECTED]> wrote:

> --On 09 November 2004 11:09 -0500 Leo Bicknell <[EMAIL PROTECTED]> wrote:
> 
>> I have to believe if the code can do IPv4-IPv6
>> NAT
> 
> I want to see IPv4-IPv4 NAT working first...

With sufficient thrust, pigs fly just fine. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re:

2004-09-08 Thread Måns Nilsson
--On Friday 3 September 2004 10.50 -0700 ken lindahl
<[EMAIL PROTECTED]> wrote:

>> I wouldn't suspect its on a production network at all. :)
> 
> we might disagree wrt the definition of "production" :)
> 
> http://ultralight.caltech.edu/lsr_06252004/
> 
> shows the path between caltech and cern transiting


And likewise so for the single-stream record holder, Sunet. 
<http://proj.sunet.se/LSR2>
The only non-average-production links on the path are the connections
between Sunet and Sprint (a separate peering for this, between two
otherwise production routers) and the end tails; not all PC machines on
Luleå University have 10GE connections to interfaces in the core of Sunet. 


-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




RE: Best Practices for Enterprise networks

2004-09-04 Thread Måns Nilsson


--On Sunday 29 August 2004 17.42 -0700 Michel Py
<[EMAIL PROTECTED]> wrote:

> 
>>> Tracy Smith wrote:
>>> Specifically, to NAT or not to NAT?
> 
> This is not much of an issue anymore. If you receive IP addresses from
> your ISP, not natting would be foolish.

No. Renumbering is easy and fun, not to mention a great source of revenue
for IT consultants. 

> Even if you do own your own
> public IP space, the NAT issues are fundamentally no different than the
> firewall ones 

Yes, they are. NAT and firewalling are orthogonal. They just are bundled in
a lot of bad products. 

> and since not having a firewall is not an option, 

Yes, it is. Firewalls in corporate environments have led to the
pathetic state of notpatchedness that allows simple email virii to take
down entire enterprises simply because "inside the firewall everyone is
nice". Such solutions do much more damage than good. 

> most
> enterprises will indeed NAT some of their subnets in their firewalls,
> whether or not they have or could easily obtain public space.

Finally, you are correct, although not because you describe some clever
plan for enterprise network management, but instead you describe the
pathetic state of notworking that permeates (with the aid of overpaid
undercompetent firewall conslutants (I used to be one.)) through the
corporate world. 

>> Paul Ferguson wrote:
>> Asymmetric paths are a fact of life in the Internet.
> 
> Not for enterprise operators except the largest ones. 

Except when people, being people, mess up. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: optics pricing (Re: Weird GigE Media Converter Behavior)

2004-09-01 Thread Måns Nilsson


--On Wednesday 1 September 2004 10.31 +0200 Kurt Erik Lindqvist
<[EMAIL PROTECTED]> wrote:

> didn't we have this discussion when the T640 came out. How many have 
> one?


Nordunet has one. Nice box. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: Mega DOS tomorrow?

2004-08-26 Thread Måns Nilsson
--On Wednesday 25 August 2004 14.53 -0400 Andy Dills <[EMAIL PROTECTED]> wrote:

> So, slashdot is linking to some news sites that are reporting that
> Aleksandr Gostev from Kapersky Labs in Russia has predicted that a large
> chunk of the net will be shut down tomorrow.

FWIW, we (Nordunet/Sunet) today saw one of the larger DDoS attacks we've
seen so far in our end of the net, totaling around 2 Mpps toward a single
host. It was coordinated, very well-spread (it came in through both transit
providers at equal balance, with almost as much over the REN connection
towards the rest of Europe and some spillage over private peers) and
persistent. We've had to deploy several layers of null0 routes to fight it
(our transit providers have been very helpful, btw), but service to
anything except the attacked host has not been affected much.  

Them tax-financed OC192's come in handy at times ;-) 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE


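The null0 defence described in the post above, as an added worked example in Python. It is not part of the original post and not Nordunet/Sunet tooling: it takes sampled flow records (constructed here), estimates packets per second per destination, checks how widely the sources and ingress paths are spread (the "well-spread" observation), and emits an IOS-style host route to Null0 for any destination over a threshold. The interface names, the 1:1000 sampling rate, the 60-second window and the 500 kpps threshold are all assumptions.

```python
"""Added example, not from the original post: pick the target of a volumetric
DDoS out of sampled flow records and emit the null0 host route the post
describes.  The flow records below are constructed; sampling rate, window,
threshold and interface names are assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

SAMPLING_RATE = 1000      # 1:1000 packet sampling (assumption)
WINDOW_SECONDS = 60       # seconds of traffic the records cover (assumption)
BLACKHOLE_PPS = 500_000   # per-destination pps that triggers a blackhole (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ingress: str   # interface the sampled packets arrived on
    packets: int   # sampled packets in this record


# Constructed sample: 300 sources across two transits and the REN link all hit
# 192.0.2.10; a little ordinary traffic goes to other hosts.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", "192.0.2.10", "Transit-A", 400) for i in range(1, 101)]
    + [Flow(f"203.0.113.{i}", "192.0.2.10", "Transit-B", 400) for i in range(1, 101)]
    + [Flow(f"198.18.0.{i}", "192.0.2.10", "REN", 300) for i in range(1, 101)]
    + [Flow("198.51.100.7", "192.0.2.20", "Transit-A", 3),
       Flow("203.0.113.9", "192.0.2.30", "Transit-B", 2)]
)


def estimate_pps(flows, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Estimated packets per second per destination, scaled up by the sampling rate."""
    sampled = Counter()
    for f in flows:
        sampled[f.dst] += f.packets
    return {dst: n * sampling_rate / window for dst, n in sampled.items()}


def spread(flows, dst):
    """How 'well-spread' the traffic to dst is: number of distinct sources and
    the fraction of sampled packets arriving over each ingress interface."""
    sources = set()
    per_ingress = Counter()
    for f in flows:
        if f.dst == dst:
            sources.add(f.src)
            per_ingress[f.ingress] += f.packets
    total = sum(per_ingress.values())
    return len(sources), {i: n / total for i, n in per_ingress.items()}


def blackhole_targets(flows, threshold=BLACKHOLE_PPS):
    """Destinations whose estimated pps meets the threshold."""
    return sorted(dst for dst, pps in estimate_pps(flows).items() if pps >= threshold)


def null0_routes(targets):
    """IOS-style /32 host routes to Null0, one per target.  Only literal
    addresses are accepted, so a bad value cannot become a wider route."""
    return [f"ip route {ip_address(t)} 255.255.255.255 Null0" for t in targets]


if __name__ == "__main__":
    for dst, pps in sorted(estimate_pps(SAMPLE_FLOWS).items()):
        print(f"{dst:16} ~{pps / 1e6:.2f} Mpps")
    targets = blackhole_targets(SAMPLE_FLOWS)
    for t in targets:
        n_src, shares = spread(SAMPLE_FLOWS, t)
        print(f"{t}: {n_src} sources, ingress split "
              + ", ".join(f"{i} {s:.0%}" for i, s in sorted(shares.items())))
    print("\n".join(null0_routes(targets)))
```

A host route to Null0 finishes the job for the attacker as far as that one host is concerned, but it keeps the rest of the network reachable, which is the trade-off the post describes. Asking the upstreams to install the same blackhole on their side keeps the traffic off the transit links as well.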


Re: ad.doubleclick.net missing from DNS?

2004-08-24 Thread Måns Nilsson


--On Tuesday 27 July 2004 12.34 -0400 Sean Donelan <[EMAIL PROTECTED]> wrote:

> 
> 
> The A record for ad.doubleclick.net is missing from DNS.  This is
> causing apparent web page slowdowns when viewing web sites containing ads
> linked to ad.doubleclick.net

Not here, even works when I'm not connected: 

;; ANSWER SECTION:
ad.doubleclick.net. 86400   IN  A       127.0.0.1
ad.doubleclick.net. 86400   IN  AAAA    ::1

What? Me subverting things? Naaah. 

/måns, catching up. 
-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-03-09 Thread Måns Nilsson KTHNOC
--On Monday, February 23, 2004 12:43:40 -0600 John Palmer <[EMAIL PROTECTED]>
wrote:



:0
[EMAIL PROTECTED]
/dev/null

funny thing, all those wackos are always posting using From: addresses in
TLDs approved by the system they detest. wonder why they aren't using their
own wonderful, free domains. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




Re: Verisign Responds

2003-09-24 Thread Måns Nilsson


--On Tuesday, September 23, 2003 11:55:41 -0700 Randy Bush <[EMAIL PROTECTED]>
wrote:

> because some engineers think that all social and business problems
> can be solved by technical hacks.  it's the godess's revenge for
> the lawyers who think all engineering problems can be solved at
> layer nine.

Bingo!

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: Verisign insanity - Distributed non-attack

2003-09-17 Thread Måns Nilsson


--On Tuesday, September 16, 2003 10:42:02 -0500 John Palmer
<[EMAIL PROTECTED]> wrote:

Do not listen to this man. He is trying to do more damage than Verisign.
Actually. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: Port blocking last resort in fight against virus

2003-08-14 Thread Måns Nilsson
--On Wednesday, August 13, 2003 11:00:56 +0300 Petri Helenius
<[EMAIL PROTECTED]> wrote:

>>> I think filters/firewalls are useful.  I believe every computer should
>>> have one.  

> Firewalls are a patch to broken network application architechture. If
> your applications would have been properly designed, you would not have
> the need for firewalls. They are for perimeter defence only anyway.

The important wording here is "every computer should have one", indicating
that it is the host that protects itself. This said, I do agree that
properly written operating systems do not even need this. One free Unix
clone I happen to run manages to reach this level of properness, so it is
definitely possible. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: Patching for Cisco vulnerability

2003-07-20 Thread Måns Nilsson


--On Friday, July 18, 2003 12:29:30 -0600 Irwin Lazar
<[EMAIL PROTECTED]> wrote:

> 
> Just out of curiosity, are folks just applying the Cisco patch or do you
> go through some sort of testing/validation process to ensure that the
> patch doesn't cause any other problems?  Given typical change management
> procedures how long is taking you to get clearance to apply the patch?
> 
> I'm trying here to gauge the length of time before this vulnerability is
> closed out.

We had a phone conference with our Cisco people Thursday lunch MEST and
agreed on a testing scheme, where we would upgrade one of the (redundant)
core routers and one access router (our network basically has two kinds of
Cisco equipment, 12400 as core and 10700 as CPE) and let them run for an
hour -- if no problems by then we'd roll the upgrade through the network,
trying not to blackhole our customers. 

We went from 12.0(23)S1 to 12.0(23)S3, and it was mostly painless.

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: OT: Re: WANAL (Re: What could have been done differently?)

2003-02-03 Thread Måns Nilsson



--On Tuesday, January 28, 2003 18:06:47 -0800 Scott Francis
<[EMAIL PROTECTED]> wrote:

> I'm sure
> they'll move to a newer version when somebody on the team gets a chance
> to give it a thorough code audit, and run it through sufficient testing
> prior to release.

The -current tree now is at BIND 9.2.2rc-whatever, and has been so for
roughly a month. Thank Jakob Schlyter. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: NYT on Thing.net (fwd)

2003-01-19 Thread Måns Nilsson




--On Tuesday, January 14, 2003 13:00:38 +0100 Mikael Abrahamsson
<[EMAIL PROTECTED]> wrote:

> I had great respect for Axelsson before this incident, after seeing his 
> behaviour more up close I nowadays loathe him for his methods.
> 
> Let's put it this way:
> 
> Nobody is an angel in this mess, definitely not Axelsson.

I agree. What Björn Fries did (using public resources) was sort of going
over the line. What the ISP's did (or did not) does smell somewhat. And the
most kind thing one can say about Axelsson is that his "free speech"
content has a heavy list towards "sensational" topics, such as:

* porn
* illegal drugs
* illegal manufacture of alcohol
* publicising intimate details about criminals and famous people.
* lock-picking

to name but a few. A tabloid newspaper of the worst kind would be wary of
printing this, even if it is in the general direction of their vulture
habits. Today this is the content of the spam we all try to discard asap...

And I am very well aware of the fact that "free speech" is in theory
something binary -- you either have it or not. If we want to have free
speech we'll have to tolerate this kind of content. Somewhere. 

So, last post on this. 
-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: fast ethernet limits

2003-01-14 Thread Måns Nilsson




--On Tuesday, January 14, 2003 12:31:24 + "Stephen J. Wilcox"
<[EMAIL PROTECTED]> wrote:

> I thought earthing one side of a shielded cable (be it Cat5, or any other
> type) was actually part of electrical regulations. (maybe I just assumed
> that as a result of practice)

It varies with local regulations. In .uk, I'd say you need to ground the
screen, because a floating screen with potential difference is considered a
hazard at work. 

> It is a known fact that earth varies within buildings, and from place to
> place in the ground, this is nothing to do with faulty wiring in houses
> or fault north american continent, this is a simple chemical/physical
> phenomenon as a result of subtle changes in water tables, salt, minerals
> etc 
>
> So this means there is a difference in potential from point to point -
> thats voltage to you and me. So if you connect both of these together you
> get a flow of current - not good..

Current flow is inevitable. The key is to shunt it away ASAP, where "S"
means both "soon" and "safe", and to top those requirements, these
connections need to look like attractive paths to RF energy, in order to
cope with EM/RF interference rules. 
 
> Of course, when you ground one end it also means you should be careful
> when working at the other end not to touch the shied as you are earthed
> to local ground and it may therefore have a live voltage should you touch
> it.

See above. 

Summary: Ground often, ground well, mesh it, do away with long isolated
runs, and in general, avoid big potentials. Shunt them. 

This starts to look like the "peer locally" argument. Good to be back in
topic ;-) 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: fast ethernet limits

2003-01-13 Thread Måns Nilsson




--On Monday, January 13, 2003 13:35:14 -0500 blitz <[EMAIL PROTECTED]>
wrote:

> I find the same Kevin..I've done a lot of work in broadcast stations as
> well, and ground loops are a constant problem. Hum is introduced into
> audio lines, even in balanced pairs, and Cat5 is not much different.

Read the articles at www.compliance-club.com -- there is a two-piece
article on audio systems, by the technical manager at Cadac. It definitely
goes against all gut reactions we've forced ourselves into; especially in
the telco/audio business. 

But it makes sense! It works! And, usually the audio folks were the last to
find out: Look at your average network component; the grounding scheme of a
big modern router. It is mesh grounds all over the place -- and because it
is the only way it will ever get the box approved by FCC/UL/CSA or any
similar agency. 

> In a high rise, I can see a neutral failing somewhere on a high floor,
> and that piece of #10 going incandescent, setting fire to anything
> combustible between the floor its terminated on and earth ground. (The
> resistance of an old steel framed building is NOT always lower than that
> piece of copper, especially old riveted buildings).

Which is why one must construct a low-resistance/impedance mesh, connecting
shields and grounds all over the place, so as to short out the potentials.
The steel frame could serve as one of these grids, but probably needs to be
augmented. And, I wrote "AWG way below 10"... If it is not enough, get a
thicker one, and get a new electrical contractor. (see below) 
 
> Maybe they do it differently in the EU, but fire safety is also a concern
> to me.

If you have potential differences like these the house needs a new
electrical grid. Wait, that means that the entire North American continent
needs rewiring ;-) Anyway, the mains PE MUST be made the best path home,
and in a fail-safe manner. 

> Thank you, but I'll ground nearest to the earth, common bonded point. Its
> served me well over the years.

Look at the emissions that manage to get into a star grounded, one point
only system vs emissions bounced off a mesh grounded system with a decent
EMC testing rig and repeat that phrase afterwards ;-)

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: fast ethernet limits

2003-01-12 Thread Måns Nilsson




--On Friday, January 10, 2003 17:53:11 -0500 blitz <[EMAIL PROTECTED]>
wrote:

> 
> AGREED, one end and one end only, or you're asking for a ground
> loop. Ground the end with the best, shortest path to earth
> ground. In his case, that would prob be the telco room end, "usually"
> there's a decent ground there somewhere. Mileage may differ...

Some hours reading the back issues of the journal found at
http://www.compliance-club.com will hopefully inform you why star grounding
is a thing of the past. Ground both ends. If you are afraid of ground
loops,  place a heavy (as in 10-16mm2 or AWG way below 10) ground conductor
alongside the signal cable, and ground it firmly in both ends. That will
take the current away from the shields. 

Ungrounded shields are inefficient for EMI and RF shielding, while at times
efficient AC hum blockers. 

And, IANAEE, but I've played with big sound systems that exhibit all these
problems. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: COM/NET informational message

2003-01-04 Thread Måns Nilsson




--On Friday, January 03, 2003 18:31:18 + "E.B. Dreger"
<[EMAIL PROTECTED]> wrote:

> UTF-8 is a standard.  MS products have used two-octet chars to
> support Unicode for a long time.  Any reason to add yet another
> encoding?

(Sorry, moderator, I have to use upper case here.)

PLEASE. 

This (ie. IDN) has been discussed (and finally decided) in the IETF IDN wg
for AGES now. If you are so concerned, why did you not engage yourself
there? It is no secret what has been decided there. 

As to technical merit, the others who responded have outlined pretty well
why UTF-8 is a Bad Idea For DNS. 

That Verisign are taking this forward is, in the way they have chosen to
do, not really elegant, but I do understand their reasoning, and to some
extent appreciate that things are happening. Keep in mind that they are not
breaking standards, they are extending one application. 

The other, earlier attempts to do things like this (especially NuNames)
have been way more rogue than this. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: DC power versus AC power

2002-12-29 Thread Måns Nilsson


--On Sunday, December 29, 2002 00:46:56 -0500 [EMAIL PROTECTED] wrote:
> Does anyone actually wire up 
> both the A side and B side to a single DC power supply and use diodes to 
> keep the two supply grids separate?

We've built a number of "joiner" boxes in-house at KTHNOC; basically an
aluminium box with rectifier bridge and heatsink, and screw terminals. 

We use them for 2511 terminal servers and similar. So, yes. 

> DC also avoids bulky AC power cords...and not only are the wires less
> bulky, but you'll likely cut them to the actual length needed.  Since DC
> wiring is usually screwed down, they don't get bumped or accidentally
> pulled out of the outlets as often.

YMMV, but 4 times 2x10mm² + 16mm² PE (The DC connects for a 12n16 GSR) I
find bulkier than 4 10A power cords ;-). You are right on spot about the
tidy/sturdy part, though. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.




Re: Where is the edge of the Internet? Re: no ipforged-source-address

2002-11-05 Thread Måns Nilsson




--On Monday, November 04, 2002 19:22:14 -0500 [EMAIL PROTECTED] wrote:

> So, in this vein, is there gear other than old 12000 linecards that
> can't do RPF? Is anyone still using 2500's or 4500's?
> 
> What non-hardware reasons are there not to do some flavor of rpf? Is
> there a situation where even loose rpf will not work?

SUNET has had a standing recommendation to its customers to enable RPF for
a couple of years now. Our customers come in two flavours, big and small.
The small ones get a FE, and there typically is marginal clue at the
customer site. For them we do "the long command" (ip verify unicast
reverse-path), as it has been known, in the access router, which in the
weird scale of a REN is a 12016 or a 12010 chock full with 8-port FE cards.
It keeps up with the load, and we've not seen any trouble so far. 

The big customers are more interesting. They have redundant connections,
two  10720 routers on an OC48 SRP ring facing the backbone routers for that
city which are two 12408 or similar. There also is an AS transition on the
ring; nearly all our big customers have ASen and we speak BGP to them. This
setup of course means that traffic may enter via one of the routers and
exit via the other, leading to strangeness and confusion, especially when
the customer staff is less experienced in non-trivial routing. 

In some cases we've helped them solve this by simple access lists, but that
is a bit too static to be really nice. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
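The strict/loose distinction and the asymmetric-entry problem described in the post above, as an added example in Python. It is not from the original post and not SUNET's configuration: it models one backbone router's FIB (constructed) and applies the three checks the post mentions, strict uRPF ("ip verify unicast reverse-path"), loose uRPF, and a static ingress access list, to a handful of constructed packets. Interface names and prefixes are assumptions; the behaviour modelled (the default route not counting as a reverse path, and a source routed to Null0 failing even loose mode) is how IOS uRPF behaves without the allow-default option.

```python
"""Added example, not from the original post: strict uRPF, loose uRPF and a
static ingress ACL evaluated against one router's FIB, showing why strict mode
misfires when a dual-homed customer's traffic enters via the router that does
not hold the best path back.  FIB, interface names and prefixes are constructed."""
from ipaddress import ip_address, ip_network

# Constructed FIB for backbone router R1: prefix -> interfaces R1 would use to
# reach it.  The customer announces 192.0.2.0/24 to both ring routers, but R1
# prefers the copy learned from the other ring router (Ring0), so the best path
# for that prefix does not point at the customer link even though the customer
# also sends traffic straight into R1 on Cust-A.
R1_FIB = {
    ip_network("192.0.2.0/24"):    {"Ring0"},     # customer prefix, best path via the other ring router
    ip_network("198.51.100.0/24"): {"Cust-A"},    # customer prefix, best path direct
    ip_network("203.0.113.0/24"):  {"Transit0"},  # unrelated remote network
    ip_network("198.18.0.0/15"):   {"Null0"},     # blackholed source range
    ip_network("0.0.0.0/0"):       {"Transit0"},  # default route
}

# Static per-interface ingress ACL, the post's "simple access list" alternative.
CUST_A_ACL = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def lookup(fib, src):
    """Longest-prefix match for src; returns (prefix, interfaces) or None."""
    best = None
    for prefix, ifaces in fib.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best


def _usable(hit):
    # Without allow-default the default route does not count as a reverse
    # path, and a route to Null0 means the source is blackholed.
    return hit is not None and hit[0].prefixlen > 0 and "Null0" not in hit[1]


def urpf_strict(fib, src, ingress):
    """Pass only if the best route back to src leaves via the ingress interface."""
    hit = lookup(fib, ip_address(src))
    return _usable(hit) and ingress in hit[1]


def urpf_loose(fib, src):
    """Pass if any usable route to src exists, whatever interface it points to."""
    return _usable(lookup(fib, ip_address(src)))


def acl_permit(acl, src):
    """Static ingress filter: pass only sources inside the listed prefixes."""
    return any(ip_address(src) in p for p in acl)


# Constructed packets arriving on R1: (source, ingress interface, what it is).
PACKETS = [
    ("192.0.2.7",    "Cust-A", "legit customer, best path asymmetric"),
    ("198.51.100.9", "Cust-A", "legit customer, best path symmetric"),
    ("203.0.113.5",  "Cust-A", "spoofed: routed elsewhere"),
    ("10.0.0.1",     "Cust-A", "spoofed: no route at all"),
    ("198.18.0.3",   "Cust-A", "spoofed: blackholed prefix"),
]


def evaluate(fib, acl, packets):
    """Return {src: (strict, loose, acl)} for each packet."""
    return {src: (urpf_strict(fib, src, ingress), urpf_loose(fib, src), acl_permit(acl, src))
            for src, ingress, _ in packets}


if __name__ == "__main__":
    results = evaluate(R1_FIB, CUST_A_ACL, PACKETS)
    print(f"{'source':14} {'strict':>6} {'loose':>6} {'acl':>6}  note")
    for src, ingress, note in PACKETS:
        s, l, a = results[src]
        print(f"{src:14} {str(s):>6} {str(l):>6} {str(a):>6}  {note}")
```

The first row is the post's "strangeness and confusion": a legitimate customer source is dropped by strict mode on the router that does not hold the best path back, while loose mode passes it but also passes spoofed sources that are routed somewhere else on the Internet. The static ACL gets both cases right but has to be maintained by hand whenever the customer's prefixes change, which is the "too static" objection.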




Re: NSPs filter?

2002-08-14 Thread Måns Nilsson




--On Monday, August 05, 2002 15:09:43 -0700 "John M. Brown"
<[EMAIL PROTECTED]> wrote:

> 
> Or you could be a good neighbor and have your DNS answer NXDOMAIN for
> the RFC1918 zones and stop the traffic before it left your network.
> 
> If you have clients that are using RFC1918 and YOUR NS's then don't
> let those packets out.  Give a NXDOMAIN answer back towards them
> and save us all. :)

Or set up an AS112 server, let the customer win2k boxes send updates and
then *accept*those*updates*. Watch badly configured networks go bellyup
when the updates are served out again and then over-written. 

*evil grin* 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: Bogon list or Dshield.org type list

2002-07-29 Thread Måns Nilsson




--On Sunday, July 28, 2002 09:35:40 -0500 "John Palmer (NANOG Acct)"
<[EMAIL PROTECTED]> wrote:

> Yes - DSHEILD has  our ORSC root server listed as well. I thought that
> was hilarious. 

Some might beg to differ.

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: DNS was Re: Internet Vulnerabilities

2002-07-14 Thread Måns Nilsson




--On Friday, July 05, 2002 17:50:24 +0100 Simon Waters
<[EMAIL PROTECTED]> wrote:


> I
> would guess the "." zone probably isn't that large in absolute
> terms, so large ISPs (NANOG members ?) could arrange for their
> recursive servers to act as private secondaries of ".", thus
> eliminating the dependence on the root servers entirely for a
> large chunks of the Internet user base.

-rw-r--r--   1 9998  213  14102 Jul 14 19:56 root.zone.gz
-rw-r--r--   1 9998  213     75 Jul 14 20:41 root.zone.gz.md5
-rw-r--r--   1 9998  213     72 Jul 14 20:42 root.zone.gz.sig

> I think the kinds of zones being handled by the gtld-servers
> would be harder to relocate, if only due to size, although the
> average NANOG reader probably has rather more bandwidth
> available than I do, they may not have the right kind of spare
> capacity on their DNS servers to secondary ".com" at short
> notice.

Exactly. The .com zone is large. I doubt that the average NANOG 
reader has a 16GB RAM machine idling just in case some kiddie 
wants to DoS Verisign. 

> All I think root server protection requires is someone with
> access to the relevant zone to make it available through other
> channels to large ISPs. There is no technical reason why key DNS
> infrastructure providers could not implement such a scheme on
> their own recursive DNS servers now, and it would offer to
> reduce load on both their own, and the root DNS servers and
> networks.

Network load is hardly the problem, except in very starved cases; 
a big well-used server will perhaps fill a T-1 or two. 

> The single limiting factor on implementing such an approach
> would be DNS know-how, as whilst it is probably a two line
> change for most DNS servers to forward to their ISPs DNS server
> (or zone transfer "."), many sites probably lack the inhouse
> skills to make that change at short notice.

This is the problem with "clever tricks"; they can be implemented
by people who are "in the loop", but most others will not make it 
work. 

> In practical terms I'd be more worried about smaller attacks
> against specific CC domains, I could imagine some people seeing
> disruption of "il" as a more potent (and perhaps less globally
> unpopular) political statement, than disrupting the whole
> Internet. Similarly an attack on a commercial subdomain in a
> specific country could be used to make a political statement,
> but might have significant economic consequences for some
> companies. Attacking 3 or 4 servers is far easier than attacking
> 13 geographically diverse, well networked, and well protected
> servers.
> 
> Similarly I think many CC domains, and country based SLD are far
> more "hackable" than many people realised due to the extensive
> use of out of bailiwick data, as described by DJB. At some point
> the script kiddies will realise they can "own" a country or two
> instead of one website, by hacking one DNS server, and the less
> well secured DNS servers will all go in a week or two.

I definitely agree. ccTLDen are in very varying states of security 
awareness, and while I believe .il is aware and prepared, other 
conflict zone domains might not be... 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
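The out-of-bailiwick dependency problem discussed in the exchange above (DJB's observation that a zone served by name servers under other domains can be taken over by hacking those domains), as an added example in Python that is not part of the original thread. It classifies a delegation's NS names as in- or out-of-bailiwick and follows the chain of external zones a delegation transitively depends on. The zone names and NS sets are constructed from reserved example domains; the "parent zone" of an NS name is approximated by dropping its first label, which is an assumption (a real check would walk the delegation tree to find the actual zone cut).

```python
"""Added example, not from the original thread: find out-of-bailiwick name
servers in a delegation and the external zones whose compromise would hand an
attacker the delegation.  Zone data is constructed; 'parent zone of a name'
is approximated by dropping the first label (an assumption)."""


def labels(name):
    """Lower-cased labels of a DNS name; the root is []."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def in_bailiwick(ns_name, zone):
    """True if ns_name is the zone apex or lies below it."""
    n, z = labels(ns_name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def parent_zone(name):
    """Approximate enclosing zone of a host name: drop the first label."""
    p = labels(name)[1:]
    return ".".join(p) + "." if p else "."


def bailiwick_report(zone, ns_names):
    """Split the NS set and list the external zones it depends on directly."""
    inside = sorted(n for n in ns_names if in_bailiwick(n, zone))
    outside = sorted(n for n in ns_names if not in_bailiwick(n, zone))
    return {
        "zone": zone,
        "in_bailiwick": inside,       # need glue in the parent zone
        "out_of_bailiwick": outside,  # resolved through somebody else's zone
        "external_zones": sorted({parent_zone(n) for n in outside}),
    }


def dependency_closure(zone, ns_of):
    """All zones that `zone` transitively depends on for resolution.  ns_of
    maps a zone to its NS names; zones absent from ns_of are treated as leaves."""
    seen, todo = set(), [zone]
    while todo:
        z = todo.pop()
        for ext in bailiwick_report(z, ns_of.get(z, []))["external_zones"]:
            if ext != zone and ext not in seen:
                seen.add(ext)
                todo.append(ext)
    return sorted(seen)


# Constructed delegation data.  example. is served partly from other domains,
# and one of those (example.net.) in turn leans on a third (example.com.).
NS_OF = {
    "example.":     ["ns1.example.", "ns2.example.", "ns.example.net.", "dns.example.org."],
    "example.net.": ["ns1.example.net.", "ns.example.com."],
    "example.org.": ["a.example.org.", "b.example.org."],
    "example.com.": ["ns1.example.com.", "ns2.example.com."],
}

if __name__ == "__main__":
    report = bailiwick_report("example.", NS_OF["example."])
    for key, value in report.items():
        print(f"{key:17} {value}")
    print("transitive deps  ", dependency_closure("example.", NS_OF))
```

Every zone in the closure is a place where a single compromised DNS server, or a hijacked registration, redirects the whole delegation; a ccTLD operator can run the same walk over its own delegation and the larger second-level domains under it.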



Re: SPEWS?

2002-06-21 Thread Måns Nilsson




--On Thursday, June 20, 2002 19:34:55 -0400 [EMAIL PROTECTED] wrote:

> 
> 
> When you're dealing with what some people refer to as "tier 1 providers"
> (I'll just say really big networks), this can be counter-productive.  From
> what I've seen the following providers have been notoriously unresponsive
> to spam complaints (apologies if any of this is dated):
> 
> UUnet (Worldcom)

I have had excellent results with UUnet Sweden. I mainly get in touch with
them to tell them they have an AUP-violating customer; most ISPs here have
a "thou shalt not spam" part of their AUP, so even if the moron lobbyists
for the advertising industry managed to trick the government into an
opt-out spam law (which they did, but they haven't figured out who is to
run the opt-out list. Quite the farce.) nobody will be able to legally send
spam from them. Spam from Swedish netblocks is thus mainly due to open
relays. 

-- 
Måns Nilsson                    Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: SPEWS?

2002-06-20 Thread Måns Nilsson




--On Thursday, June 20, 2002 15:58:35 -0400 [EMAIL PROTECTED] wrote:

> What do you do if the ISP says "We want to turn them off, but they've
> managed to get a restraining order preventing us"?  We've seen THAT
> before

Emigrate to somewhere with a usable legal system. 

-- 
Måns Nilsson  Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.



Re: Updates to the root zone Re: KPNQwest ns.eu.net server.

2002-06-06 Thread Måns Nilsson




--On Thursday, June 06, 2002 10:47:52 -0400 Sean Donelan <[EMAIL PROTECTED]>
wrote:

> 
> 
> This is not a political question, only operational process.
> 
> Has ICANN and NTIA worked out their operational issues so they can quickly
> change the root zone to reflect changes in ccTLD nameservers if people
> need to change which name servers are handling the ccTLDs.  Last year,
> some of the ccTLD operators were complaining it sometimes took weeks after
> they submitted the change for it to make it into the root zone.

I tried this game fall 2000. It was a farce. We (I then worked at NIC-SE,
the SE registry) tried to remove "sparky.arl.mil" from the SE delegation. 

After all the politics in Sweden wrt this move had been sorted out, we
e-mailed the correct (as announced on webpage) contact at IANA/ICANN. 

Weeks went by. 

Nothing happened. 

We grew tired of this and started pulling some threads. ONLY after informal
prodding (by well-known people that then had no formal role in SE
operations) the root zone was updated! And, we NEVER got any
acknowledgement back, we simply noticed that the delegation had been
adjusted. 

We were not impressed. I thought along the same lines as Sean, poor ccTLDs
if this (root admin unresponsiveness) is a continuing state of affairs...

-- 
Måns Nilsson  Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
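The message above describes discovering a root zone change only by noticing it, since no acknowledgement ever came back. The check that replaces that guesswork is to diff what the parent delegates against what the child publishes at its apex, and to keep polling until they agree. The following is an added example, not code from the thread or from NIC-SE: the NS sets and dates are constructed for illustration, loosely following the story of removing one server from the `.se` delegation, and do not describe the real `.se` delegation at any point in time.

```python
"""Added example (not from the thread): detect whether a delegation change
submitted to the parent has actually taken effect, by comparing the NS set
the parent publishes with the NS set at the child's apex.

All NS sets and dates below are constructed for illustration only.
"""


def normalize_set(names) -> frozenset:
    """Canonical form of an NS set: lower-case, no trailing dot."""
    return frozenset(n.lower().rstrip(".") for n in names)


def compare_delegation(parent_ns, child_ns) -> dict:
    """Diff the parent's delegation against the child's apex NS RRset.

    stale:   still delegated by the parent but no longer listed by the child;
             resolvers following the parent keep sending queries there, so a
             server you meant to retire still answers for your zone.
    missing: listed by the child but not yet delegated by the parent.
    """
    parent, child = normalize_set(parent_ns), normalize_set(child_ns)
    return {
        "stale": sorted(parent - child),
        "missing": sorted(child - parent),
        "consistent": parent == child,
    }


def first_consistent(snapshots, child_ns):
    """Given dated parent snapshots [(date, ns_list), ...] in chronological
    order, return the first date on which the parent matched the child, or
    None if it never did. This is the check the thread describes doing by
    hand: nobody acknowledges the change, so you poll until it appears."""
    for date, parent_ns in snapshots:
        if compare_delegation(parent_ns, child_ns)["consistent"]:
            return date
    return None


# Constructed data (illustrative only; dates and NS sets are invented).
CHILD_APEX_NS = ["ns.nic.se.", "sunic.sunet.se.", "ns.eu.net."]

ROOT_SNAPSHOTS = [
    ("2000-10-02", ["ns.nic.se.", "sunic.sunet.se.", "sparky.arl.mil.", "ns.eu.net."]),
    ("2000-10-16", ["ns.nic.se.", "sunic.sunet.se.", "sparky.arl.mil.", "ns.eu.net."]),
    ("2000-11-06", ["NS.NIC.SE.", "sunic.sunet.se.", "ns.eu.net."]),
]

if __name__ == "__main__":
    print(compare_delegation(ROOT_SNAPSHOTS[0][1], CHILD_APEX_NS))
    print("change visible in parent since:",
          first_consistent(ROOT_SNAPSHOTS, CHILD_APEX_NS))
```

In practice the parent snapshot comes from querying a root server for the zone's NS RRset and the child snapshot from querying one of your own authoritative servers; the comparison is deliberately case-insensitive and ignores trailing dots because the two sources rarely agree on either.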



Re: Re: KPNQwest ns.eu.net server.

2002-06-06 Thread Måns Nilsson




--On Thursday, June 06, 2002 10:16:34 -0400 Jared Mauch
<[EMAIL PROTECTED]> wrote:

>   While a good idea, not everyone can announce or reach the
> IX fabrics that they connect to or are out there.
> 
>   One solution to that problem is to have the IX operate a
> zeebra/gated/whatnot box (or router+machine combo) that
> announces a /24 and as part of connecting to the IX people
> are required to peer (and provide transit) for that /24 for
> the "good of the internet".
> 
>   This would allow everyone that connects to the IX to see
> the benefits of having a close (to their network that is) dns server
> as well as if my provider does not announce the DE-CIX, LINX, mae-e,
> mae-w, paix, nyiix, or whatever space to me, i can still reach a server
> placed at the IX via their network or via their peers/upstreams.

This is done in Sweden, by the exchange point company Netnod,
<http://www.netnod.se/>. They have an AS of their own, which is free to
peer with, in which a number of crucial services are located, for instance:

* Root DNS server
* COM/NET/ORG DNS server
* DNS for a number of ccTLDs including Sweden. 
* NTP masters directly synchronised to Swedish standard time
* RIPE whois mirror. 

Some of these services are present at several Netnod IXen, notably ccTLD
and NTP. 

It works, and gives excellent service levels. 

-- 
Måns Nilsson  Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
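The scheme discussed above asks every member to accept, and carry transit for, one /24 announced by the exchange point's own AS. The caveat a practitioner wants is that this acceptance must be exact: if the member's import policy accepts anything inside that /24 from anyone, any peer on the fabric can announce a more specific and pull the root and TLD DNS traffic of everyone who agreed to carry the prefix. The following is an added example, not code from the thread or from Netnod: a minimal import filter for that session. The prefix, AS number and announcements are constructed placeholders (documentation and private-use ranges), not any real exchange point's values, and the assumption that the service prefix arrives with a one-hop AS path is a policy choice for the direct IX session, not something the thread states.

```python
"""Added example (not from the thread): an import filter for the
"IX-operated service /24" scheme. Accept exactly the agreed prefix, originated
directly by the IX's AS, and reject everything else.

Prefix and ASN are constructed placeholders, not any real IX's values.
"""
import ipaddress

# Constructed policy: what the IX told us to expect on the session.
SERVICE_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # documentation range
SERVICE_ASN = 64500                                     # private-use ASN


def accept_from_ix(prefix: str, as_path: list, expected_prefix=SERVICE_PREFIX,
                   expected_asn=SERVICE_ASN) -> tuple:
    """Return (accepted, reason) for one announcement received over the IX
    session. Only the exact service prefix originated directly by the IX's AS
    passes; more specifics, covering routes, other origins, malformed prefixes
    and multi-hop paths are all dropped."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if not as_path:
        return False, "empty AS path"
    if net != expected_prefix:
        # subnet_of() only compares networks of the same address family.
        if net.version == expected_prefix.version and net.subnet_of(expected_prefix):
            return False, "more specific of service prefix (hijack attempt?)"
        return False, "not the service prefix"
    if as_path[-1] != expected_asn:
        return False, f"unexpected origin AS{as_path[-1]}"
    if len(as_path) != 1:
        return False, "service prefix must be originated directly by the IX AS"
    return True, "ok"


def filter_updates(updates, **policy) -> dict:
    """Apply accept_from_ix to a batch of (prefix, as_path) announcements.
    Returns the accepted prefixes and a list of (prefix, reason) rejections."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = accept_from_ix(prefix, as_path, **policy)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample announcements as they might arrive on the IX session.
UPDATES = [
    ("192.0.2.0/24", [64500]),          # the agreed service prefix: accept
    ("192.0.2.0/25", [64500]),          # more specific: would steal traffic
    ("192.0.2.0/24", [64496, 64500]),   # right origin, but not direct
    ("192.0.2.0/24", [64496]),          # wrong origin AS
    ("198.51.100.0/24", [64500]),       # some other prefix from the IX AS
    ("192.0.2.1/24", [64500]),          # host bits set: malformed
]

if __name__ == "__main__":
    result = filter_updates(UPDATES)
    print("accepted:", result["accepted"])
    for prefix, reason in result["rejected"]:
        print(f"rejected {prefix}: {reason}")
```

The same exact-match rule belongs on every member's sessions with the other peers too: the service prefix should never be learned from anyone but the IX AS, and the member's own export of it to upstreams and peers is what provides the "transit for the good of the internet" that the quoted text asks for.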



Re: Certification or College degrees?

2002-05-25 Thread Måns Nilsson


(this is actually my first NANOG post ever...) 

--On Thursday, May 23, 2002 03:07:55 +0100 cw <[EMAIL PROTECTED]> wrote:

> I am currently studying a BSc degree in merry old England. I have
> just finished my second year (well I'm part way through the exams).
> When I applied to do my degree I found two universities whose course
> were anything related to Networking. Mine is called Computing
> (Networks and Communications).



At the Royal Institute of Technology in Stockholm, Sweden, we have a series
of courses that focus on networking. The starting one can be seen as
"getting the programmer to know IP's quirks", but as we progress, we teach
deeper and deeper into the technicalities of routing, including theory of
routing (discussion of Dijkstra, and similar) and practice; we have a
routing lab where we first make them understand that static routes don't
work and then progress into understanding first OSPF, then BGP. 

The entire package runs over a period of half a year. Prerequisites are that
the student is at her/his third year in a Master of Science path aiming for
one of Computer Science, Technical Physics or Electric Engineering; i.e. we
want people to have a solid ground in theory before we teach them the dirty
details of networking. 

The best students are encouraged to write their final paper in the field of
networking. Some of these are later found working at KTHNOC operating the
NREN Sunet and the pan-Nordic REN NorduNet.

Myself, I teach DNS in the introductory classes, including such novelties
as DNSSEC, which we have the students sweat over in the lab. I've been
somewhat depressed by the point-and-click generation, who don't understand
classic Unix, (because the DNS part does border quite a bit on sysadmin
stuff, which we do not teach) but on the whole, it's been successful. 

-- 
Måns Nilsson  Systems Specialist
+46 70 681 7204 KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.