RE: Aggregation for IPv4-compatible IPv6 address space

2008-02-03 Thread Scott Morris

You mean do you have to express it in hex?  The original spec allowed both
ways I believe...  but just so you realize, this has been deprecated.
Mostly 'cause people can't subnet.  :)

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
snort bsd
Sent: Sunday, February 03, 2008 11:10 PM
To: nanog@merit.edu
Subject: Aggregation for IPv4-compatible IPv6 address space


Hi all:

With IPv4-compatible IPv6 address space, could I aggregate the address
space?

say 192.168.0.0/16 becomes ::192.168/112? Or must it be converted to native
IPv6 address space?

Just wondering, 




  Get the name you always wanted with the new y7mail email address.
www.yahoo7.com.au/y7mail





RE: IPv6 questions

2008-01-29 Thread Scott Morris

And unless you are on only certain particular devices (e.g. L3 switches)
then the end device won't necessarily have any relevant clue what VLAN it's
on.

I have never seen/heard of an RFC for it either and would certainly wonder
"WHY?".  :)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik
Nordmark
Sent: Tuesday, January 29, 2008 1:44 PM
To: snort bsd
Cc: nanog@merit.edu; juniper-nsp
Subject: Re: IPv6 questions


snort bsd wrote:
> Never mind
> 
> it is the VLAN number. But which RFC define this? 

I've never seen an IPv6 RFC specify to put the VLAN number in the link-local
address.
Thus this must be an (odd) choice made by some implementation. Perhaps the
implementation somehow requires that all the link-local addresses for all
its (sub)interfaces be unique, even though the RFCs assume that the
implementation should be able to deal with multiple interfaces with the
same link-local address.

Erik

> Thanks all
> 
> Dave
> 
> - Original Message 
> From: snort bsd <[EMAIL PROTECTED]>
> To: nanog@merit.edu; juniper-nsp <[EMAIL PROTECTED]>
> Sent: Monday, 28 January, 2008 3:05:59 PM
> Subject: IPv6 questions
> 
> 
> Hi All:
> 
> With link-local IPv6 addresses, converting from MAC-48 to EUI-64
> address format (FF FE stuffing): how do the VLAN tags affect the
> conversion?
> 
> With the rule of FF FE stuffing, I can clearly see it work on the ptp
> interfaces. But on those Ethernet based VLANs, it doesn't seem to
> follow that pattern:
> 
> Current address: 00:90:69:4a:b9:5d, Hardware address: 
> 00:90:69:4a:b9:5d
> 
> well, i assume the link-local should be fe80::290:69ff:fe4a:b95d/64.
>  actually, it shows:
> 
> Destination: fe80::/64, Local: fe80::290:6903:94a:b95d
> 
> how does the router get this 03 09 instead of ff fe?
> 
> Thanks all
> 
> 
> 
> 
> 
> 
> 
> 
>   Make the switch to the world's best email. Get the new Yahoo!7  
> Mail now. www.yahoo7.com.au/worldsbestemail
> 

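The two IPv6 questions in this thread and the preceding one (how an IPv4 prefix maps into the IPv4-compatible space, and why the link-local address above carries 03:09 where ff:fe was expected) can be worked through with a few lines of code. The following is an added example, not code from any of the posters: it embeds an IPv4 prefix in the deprecated ::/96 (IPv4-compatible) and the still-valid ::ffff:0:0/96 (IPv4-mapped) spaces, derives the textbook modified EUI-64 link-local address from a MAC, and, given an observed address, pulls out the 16-bit value sitting in the ff:fe slot. The MAC and observed address are the ones quoted above; reading the extracted 0x0309 (777 decimal) as a VLAN number is the poster's own conclusion, which the code does not assume.

```python
import ipaddress
import re

# Added example (not from the original posts). Shows the IPv4-in-IPv6
# embeddings and the modified EUI-64 derivation, and checks an observed
# link-local address against the standard form.


def ipv4_compatible(ipv4_net: str) -> ipaddress.IPv6Network:
    """Embed an IPv4 prefix in the IPv4-compatible ::/96 space (deprecated by RFC 4291).

    The IPv4 address occupies the low 32 bits, so the prefix length grows by 96:
    192.168.0.0/16 -> ::192.168.0.0/112.
    """
    v4 = ipaddress.IPv4Network(ipv4_net)
    return ipaddress.IPv6Network((int(v4.network_address), 96 + v4.prefixlen))


def ipv4_mapped(ipv4_net: str) -> ipaddress.IPv6Network:
    """Same embedding in the IPv4-mapped ::ffff:0:0/96 space."""
    v4 = ipaddress.IPv4Network(ipv4_net)
    return ipaddress.IPv6Network(((0xFFFF << 32) | int(v4.network_address), 96 + v4.prefixlen))


def mac_to_modified_eui64(mac: str) -> bytes:
    """MAC-48 -> modified EUI-64 interface identifier (RFC 4291 appendix A).

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff. Flips the
    universal/local bit (0x02) of the first octet and inserts ff:fe between
    the OUI and the NIC-specific half.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64 identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def stuffed_word(link_local: str) -> int:
    """Return the 16-bit value in the ff:fe position (octets 11 and 12 of the address)."""
    return int.from_bytes(ipaddress.IPv6Address(link_local).packed[11:13], "big")


def compare_link_local(mac: str, observed: str) -> dict:
    """Compare an observed link-local address with the standard derivation from `mac`.

    Reports whether it is the textbook modified EUI-64 form, what occupies the
    ff:fe slot, and whether the MAC-derived octets on either side of that slot
    are intact (i.e. only the stuffing differs).
    """
    expected = link_local_from_mac(mac)
    obs = ipaddress.IPv6Address(observed)
    ep, op = expected.packed, obs.packed
    return {
        "expected": str(expected),
        "observed": str(obs),
        "standard_eui64": ep == op,
        "stuffed_word": stuffed_word(observed),
        "mac_octets_intact": ep[8:11] == op[8:11] and ep[13:16] == op[13:16],
    }


if __name__ == "__main__":
    # Inputs taken from the posts above.
    print(ipv4_compatible("192.168.0.0/16"), ipv4_mapped("192.168.0.0/16"))
    result = compare_link_local("00:90:69:4a:b9:5d", "fe80::290:6903:94a:b95d")
    for key, value in result.items():
        print(f"{key}: {value}")
    print(f"stuffed word as decimal: {result['stuffed_word']}")
```

For the quoted address the check reports standard_eui64 False, mac_octets_intact True and a stuffed word of 0x0309: the router kept the MAC-derived octets and replaced only the ff:fe filler, which is why the address still looks almost like an EUI-64 one.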



RE: Asymmetrical routing opinions/debate

2008-01-14 Thread Scott Morris

Routing in general is based on the premise of "my decision, my control" and
therefore you have some (albeit limited) controls about how YOU can
influence someone else's routing decision.

So any time you have more than one connection to the collective ('Net) then
you simply run the risk that you make one decision to send a packet out a
particular link, but a bunch of other people make decisions about routing as
well and it may very well come back another path.

Presumably you have your IP addressing as a constant.  If you are NATting,
you may have some interesting problems with this, but that would be a design
problem on your end.  Same with stateful firewalls.

From an application viewpoint though, it really shouldn't make any
difference.  Packet goes out.  Packet comes back.  Life is good.

In short though, you have some choices with this, but they are all design
choices on your end.  If you want to be multihomed, this is the way life is.

HTH,

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew
Weaver
Sent: Monday, January 14, 2008 10:31 AM
To: nanog@merit.edu
Subject: Asymmetrical routing opinions/debate


Pardon me if I am using the wrong term, I am using the term
Asymmetrical routing to describe a scenario in which a request packet enters
a network via one path and the response packet exits the network via a
different path.

For example an ICMP ping request enters a network via ISP A and the reply
leaves via ISP B (due to multi-homing on both networks, and or some kind of
manual or automatic 'tweaking' of route preferences on one end or the
other).

I haven't noticed too many instances of this causing huge performance
problems, but I have noticed some, has anyone noticed any instances in the
real world where this has actually caused performance gains over symmetrical
routing? Also in a multi-homed environment is there any way to automatically
limit or control the amount of Asymmetrical routing which takes place?
(should you?) I have read a few papers [what few I could find] and they are
conflicted about whether or not it is a real problem for performance of
applications although I cannot see how it wouldn't be. Has there been any
real community consensus on this issue published that I may have overlooked?

Thank you,
-Drew







RE: What's the real issue here?

2007-09-19 Thread Scott Morris

My whois program returns:


97.81.31.19
Host unreachable

97.81.24.0 - 97.81.31.255

Charter Communications
12405 Powerscourt Dr.
St. Louis
MO
63131
United States

IPAddressing
+1-314-288-3889
[EMAIL PROTECTED]

Abuse:
+1-314-288-3111
[EMAIL PROTECTED]

KNG-TN-97-81-24
Created: 2007-04-11
Updated: 2007-04-11
Source: whois.arin.net 

Perhaps a function of how lookups are being done?  *shrug*

 
Scott


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
NetSecGuy
Sent: Wednesday, September 19, 2007 10:29 AM
To: nanog@merit.edu
Subject: What's the real issue here?


:~> whois 97.81.31.19
Unknown AS number or IP network. Please upgrade this program.

Is this a function of whois hardcoded to not do lookups for this address
space?  I can't seem to find any info about the range, beyond
"registered but unallocated".   I figured whois would at least return
something about it not being allocated.

Is this hijacked space?



RE: IPv6 Training?

2007-05-31 Thread Scott Morris

There are a few books out there that will give mention of IPv6
configurations, but most are vendor-specific as far as I have seen.

Cisco and Juniper both have at least modules (if not full courses) on IPv6.
Each is obviously not vendor-agnostic.  Something could always be customized
to cover whatever specifics you are looking to cover.

What is the scope you are thinking of for your training?  Would a
multi-vendor concept be a better fit for your needs rather than theory-only
agnostic?

Scott
[EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex
Rubenstein
Sent: Thursday, May 31, 2007 12:32 PM
To: NANOG
Subject: IPv6 Training?


Does anyone know of any good IPv6 training resources (classroom, or
self-guided)? Looking to send several 1st and 2nd tier guys, for some
platform/vendor-agnostic training.

Any clues?

Thanks..

--
Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access
Corporation, 800-NET-ME-36, http://www.nac.net



RE: Question on 7.0.0.0/8

2007-04-16 Thread Scott Morris

They could always configure destination-based NAT and perhaps "assist" by
allocating 10/8 space for those networks if they so choose to reach them!  

(smirk)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Joseph S D Yao
Sent: Monday, April 16, 2007 7:13 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Question on 7.0.0.0/8


On Sun, Apr 15, 2007 at 11:25:58PM +0100, [EMAIL PROTECTED] wrote:
...
> And I know a company that has been using 1/8, 2/8, 3/8, 4/8, 5/8, 6/8,
> 7/8 and 8/8 for many years, also behind NAT or on non-Internet 
> connected networks. But that is not what I am talking about here.
...


And what happens if the legitimate owners of those already allocated start
advertising routes for them on the public Internet, or IANA decides to
release some of those not already allocated?  Those NATs, if single-NAT'ed,
will find themselves unable to reach those resources.
*sigh*


In fact, I think I have seen some of those on the public Internet, I could
be wrong.


--
Joe Yao
Analex Contractor



RE: IPv6 Finally gets off the ground

2007-04-10 Thread Scott Morris

HAHAHAHAHA  I always knew that this stuff was the most prevalent and
billable content on the web, but I never thought of using it as a motivating
factor for change!

Good one!

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Stephane Bortzmeyer
Sent: Tuesday, April 10, 2007 9:55 AM
To: J. Oquendo
Cc: nanog@merit.edu
Subject: Re: IPv6 Finally gets off the ground


On Sun, Apr 08, 2007 at 06:15:34PM -0500,  J. Oquendo <[EMAIL PROTECTED]>
wrote  a message of 24 lines which said:

> was successfully configured by NASA Glenn Research Center to use IPsec 
> and IPv6 technologies in space."

Any human on board? Because he would have been able to access useful
content:

http://www.ipv6experiment.com/

The great chicken or the egg dilemma. IPv6 has had operating system and
router support for years. But, content providers don't want to deploy it
because there aren't enough potential viewers to make it worth the effort.
There are concerns about compatibility and breaking IPv4 accessibility just
by turning IPv6 on. ISPs don't want to provide IPv6 to end users until there
is a killer app on IPv6 that will create demand for end users to actually
want IPv6. There hasn't been any reason for end users to want IPv6 -
nobody's dumb enough to put desirable content on IPv6 that isn't accessible
on IPv4. Until now.

We're taking 10 gigabytes of the most popular "adult entertainment" videos
from one of the largest subscription websites on the internet, and giving
away access to anyone who can connect to it via IPv6. No advertising, no
subscriptions, no registration. If you access the site via IPv4, you get a
primer on IPv6, instructions on how to set up IPv6 through your ISP, a list
of ISPs that support IPv6 natively, and a discussion forum to share tips and
troubleshooting. If you access the site via IPv6 you get instant access to
"the goods". 



RE: Cable-Tying with Waxed Twine

2007-01-24 Thread Scott Morris

It's called cable lacing...  And CO guys have done it forever.  Looks really
pretty, but it's a pain in the butt to do.  :)  And sucks if you have to rip
a cable out to replace things.

Other than that, check out:

http://www.dairiki.org/hammond/cable-lacing-howto/

Cheers,

Scott

PS.  A really good pair of flush cuts (wire snips, but not the "diamond-cut"
ones) will help with the tie wraps too!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan
Mahoney, System Admin
Sent: Wednesday, January 24, 2007 7:30 PM
To: nanog@merit.edu
Subject: Cable-Tying with Waxed Twine


Hey all,

This seems a wee bit off topic, but definitely relates to network operations
(somewhere below layer 1) and I can't think of a better place to ask.

Upon leaving a router at telx and asking one of their techs to plug in the
equipment for me, I came back to find all my cat5 cables neatly tied with
some sort of waxed twine, using an interesting looping knot pattern that
repeated every six inches or so using a single piece of string.  For some
reason, I found this trick really cool.

I have tried googling for the method, (it's apparently standard, I've seen
it in play elsewhere), and for the type of twine, but had little luck.  I
was wondering if any of the gurus out there would care to share what this
knot-pattern is actually called, and/or if there's a (illustrated) howto
somewhere?

-Dan "Tired of getting scratched up by jagged cable ties" Mahoney

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



RE: http://cisco.com 403 Forbidden

2007-01-03 Thread Scott Morris

Works fine for me.

And a 403 Forbidden is a web server error, not a resolution error if I
remember right.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike
Tancsa
Sent: Wednesday, January 03, 2007 11:35 AM
To: James Baldwin; [EMAIL PROTECTED]
Subject: Re: http://cisco.com 403 Forbidden


At 11:24 AM 1/3/2007, James Baldwin wrote:

>Anyone else getting a 403 Forbidden when trying to access http://
cisco.com?

Yes.  Resolves to 198.133.219.25 for me.

 ---Mike





RE: Bogon Filter - Please check for 77/8 78/8 79/8

2006-12-11 Thread Scott Morris

So we're saying that a lawsuit is an intelligent method to force someone
else to correct something that you are simply using to avoid the irritation
of manually updating things yourself???

That seems to be the epitome of laziness vs. litigiousness.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 11, 2006 9:55 AM
To: Jack Bates
Cc: nanog@merit.edu
Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8


On Mon, 11 Dec 2006, Jack Bates wrote:

>
> Allan Houston wrote:
> > This probably isn't helped much by sites like completewhois.com 
> > still showing these ranges as bogons..
> >
> > http://www.completewhois.com/bogons/active_bogons.htm
> >
> > They've ignored all my attempts to get them to update so far.. sigh..
> >
>
> They just need someone using the address space to slap them with a
lawsuit.



RE: The Cidr Report

2006-11-12 Thread Scott Morris

It sounds like government work!  When something doesn't work, they just make
numbers up!  (Just be sure to create more plausible numbers next time!
(smirk))

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Geoff Huston
Sent: Sunday, November 12, 2006 12:15 PM
To: Fergie; [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: The Cidr Report


When my zebra BGP daemon loses its grip on life and dies a horrible death
the rest of the scripts wander into a strange twilight zone and make up
numbers

sorry

(I really need to code more defensively for this type of condition!)

   geoff

At 04:56 AM 11/11/2006, Fergie wrote:

>Indeed -- it appears to have flaked out a bit this (IETF) week. :-)
>
>Date      Prefixes     CIDR Aggregated
>04-11-06  199323       129829
>05-11-06  199330       129854
>06-11-06  199273       129854
>07-11-06  -1077937252  129854
>08-11-06  -1077936760  129854
>09-11-06  672037797    129854
>10-11-06  -1077937324  129854
>11-11-06  134555024    129854
>
>- ferg
>
>
>
>-- Simon Leinen <[EMAIL PROTECTED]> wrote:
>
>cidr-report  writes:
> > Recent Table History
> > Date      Prefixes   CIDR Agg
> > 03-11-06  199409     129843
>[...]
> > 10-11-06  134555024  129854
>
>Growth of the "global routing table" really picked up pace this week!
>(But maybe I'm just hallucinating for having heard the report from the 
>IAB Routing Workshop report three times in a week :-) Or the CIDR 
>Report software has an R200K problem?
>--
>Simon.
>
>
>
>--
>"Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/





RE: Broadband ISPs taxed for "generating light energy"

2006-10-10 Thread Scott Morris

But they clearly have too much time on their hands.  Whodathunkit?
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Suresh Ramasubramanian
Sent: Tuesday, October 10, 2006 10:51 AM
To: Fergie
Cc: [EMAIL PROTECTED]
Subject: Re: Broadband ISPs taxed for "generating light energy"


On 10/10/06, Fergie <[EMAIL PROTECTED]> wrote:
> Is it April 1st already?  :-)
>
> - ferg
>

Sadly, I don't think taxmen ever had a sense of humor



RE: New Laptop Polices

2006-08-13 Thread Scott Morris

Not that I have a whole lot to add (other than we're spending lots of time
talking about something only affecting UK --:> US flights at this moment)...
But I was intrigued by your latin there.

"E-mail rest in peace?

A cause does not create/allow action? "

My memories from high school are a tad shady these days, but am I getting
the general idea there?  Definitely interesting.  Caught my eye.

;)

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Laurence F. Sheldon, Jr.
Sent: Sunday, August 13, 2006 6:35 PM
To: nanog@merit.edu
Subject: Re: New Laptop Polices


joe mcguckin wrote:

> Why not put critical or proprietary files on a flash key? I carry a  
> 4G flash key on my keyring. Airport security has never given it a 
> second look. If the laptop ends up in the hands of a sticky-fingered 
> baggage handler (or the TSA), there's nothing there for them to find.

Recent reports said you were allowed to carry passport, medicines required
for the trip, and one or two other items that did not include any metallic
objects as I recall.

> And, to defeat the nosey customs folk who now want to login and  
> rummage around your files when you enter the US, create a dummy 
> account and give them that login when they insist on inspecting your 
> laptop for "child porn". I've got nothing to hide, but I don't want 
> some ham handed idiot accidently deleting stuff either...

I wonder what they are trained to look for.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




RE: Presumed RF Interference

2006-03-05 Thread Scott Morris

The isolated grounds are definitely a recommended idea for telco/server
rooms...  Perhaps an array of them depending on the size power feed we're
talking about.  I'm assuming it's a sizeable UPS that runs your telco and
data equipment (or small server room).  The irritation, if you haven't done
this step already, is that adding a TRUE isolated ground after you've
already built your building and room is not exactly a cheap thing to do.  

Especially in nice metal framed buildings that like to have a tendency of
becoming the nearest path ground themselves.  But I agree that it's
certainly something as a worthwhile "first path" to look into!

Scott

PS.  I agree it's not good business practice to kill your clients! 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steven M. Bellovin
Sent: Sunday, March 05, 2006 6:21 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Presumed RF Interference


On Sun, 5 Mar 2006 18:00:36 -0500 (EST)
David Lesher <[EMAIL PROTECTED]> wrote:

> 
> > Cut the ground wire in your power cords but ground the equipment 
> > directly to a metal frame.
> 
> I would NEVER tell a client to do this. 
> That could easily kill someone.

Correct.

The safety purpose of the ground cord is to cause a short circuit in case
line voltage energizes the case, in which case the breaker will trip. If you
cut that wire, the metal frame can become hot; unless it's firmly
grounded itself, there will be a potential between it and ground.  Along
comes the next well-grounded person to touch it
-- poof!

Even if the frame were grounded properly, that's a local ground, which may
differ in potential from the breaker box's ground.  The neutral wire in the
circuit is tied to ground at the breaker box, which means there could be a
potential difference between it and the frame.  That also creates a
potential shock hazard, though presumably not that great.

What might be useful -- ask an EE, not me -- is a circuit with an isolated
ground.  In that case, the ground wire from the power plug is routed all the
way back to the breaker panel, and isn't connected to, say, the local
electrical box that the cord is plugged into.  I've seen computer equipment
wired that way in the past.



RE: keeping the routing table in check: step 1

2006-02-15 Thread Scott Morris

So while this may look nice and sound good and all that, I hate to ask the
obvious question...  Who is going to obtain the authority and/or balls to
take everyone's currently allocated IP addresses away and start over?

Perhaps I missed something in an earlier discussion, but this to me sounds
like a very nice, very academic "Hm" thought process.

Unfortunately reformatting the Internet is a little more painful than
reformatting your hard drive when it gets out of whack.

I guess my question is, what's the point of asking this question now?

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Edward B. DREGER
Sent: Wednesday, February 15, 2006 10:48 PM
To: nanog@merit.edu
Subject: keeping the routing table in check: step 1


Hopefully this thread will be quick and less convoluted.  Rather than simply
alluding to "one prefix per ASN", I'd like to detail an allocation scheme
that works toward that.

Find the largest contiguous block.  Split in half.  Round to appropriate
boundary.  Assign.  Space at the end of the block is reserved for expansion.

Ignoring special subnets for simplicity:

0/x, 128/x,
64/x, 192/x,
32/x, 96/x, 160/x, 224/x,
16/x, 48/x, 80/x, 112/x, 144/x, 176/x, 208/x

assuming all grow at equal rates.  96/x ends up growing quickly?  No
problem.  Skip 112/x for the time being.

In short, allocate IP space logarithmically.  Start with /1 alignment,
proceed to /2, then /3, and so on.  Keep the array as sparse as possible so
an assignment can be extended without hitting, say, a stride 4 boundary.

Perhaps RIRs should look at filesystems for some hints.  Imagine a
filesystem that's 30% full yet has as much fragmentation as IPv4 space. 
Something is wrong.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



RE: T1 bonding

2006-01-24 Thread Scott Morris

I'm re-reading it, and slowly, but I don't see mention of having two
different vendors.  Perhaps I need to put the beer a bit further away, but
he talks about generic vendor 'x' and notes that it starts with letter 'A'
as further definition, not as two separate vendors.

*shrug*

Scott 

-Original Message-
From: Elijah Savage [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 24, 2006 8:20 PM
To: [EMAIL PROTECTED]
Cc: 'Matt Bazan'; nanog@merit.edu
Subject: Re: T1 bonding

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Scott Morris wrote:
> If you're treating them as two separate links (e.g. two POPs, etc.) 
> then that's correct, it'll be done by the router's choice of load-balancing
> (L3).
> If you are going to the same POP (or box potentially) you can do MLPPP 
> and have a more effective L2 load balancing.
> 
> Otherwise, it's possible to get an iMux DSU (Digital Link is a vendor 
> as I recall, but there may be others) that allow that magical bonding 
> to occur prior to the router seeing the link.  At that point, the 
> router just sees a bigger line coming in (some do 6xT-1 and have a 
> 10meg ethernet output to your router).
> 
> If you're seeing the balancing the way that you are, most likely that 
> vendor (I have no specific knowledge about the A-vendor) is doing 
> usage-based aggregation which isn't exactly a balancing act.  The ones 
> at some of my sites are MLPPP which is a vendor-agnostic approach for the
> most part.
> 
> Scott
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Elijah Savage
> Sent: Tuesday, January 24, 2006 7:28 PM
> To: Matt Bazan
> Cc: nanog@merit.edu
> Subject: Re: T1 bonding
> 
> 
> Matt Bazan wrote:
>>> Can someone shed some technical light on the details of how two T1's 
>>> are bonded (typically).  We've got two sets of T's at two different 
>>> location with vendor 'X' (name starts w/ an 'A') and it appears that 
>>> we're really only getting about 1 full T's worth of bandwidth and 
>>> maybe 20% of the second.
>>>
>>> Seems like they're bonded perhaps using destination IP?  It's a 
>>> vendor managed solution and I need to get some answers faster than 
>>> they're coming in.  Thanks.
>>>
>>>   Matt
>>>
> More than likely they are not bonded t1's they are just load balanced 
> by the router which by default on Cisco is per session. Meaning pc1 to 
> t1#1, pc2 to t1#2, pc3 to t1#1. If they are truly bonded with some sort 
> of MUX for a 3 meg port then you would not see the results you are seeing.
> 
> --
> http://www.digitalrage.org/
> The Information Technology News Center
Remember he said both t1's are coming from different vendors, which would
only leave the Mux route which is why I said what I said :)
- --
http://www.digitalrage.org/
The Information Technology News Center
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD1tJWt06NWq3hlzkRApDsAJ9nq+J+26EKYy9cwlFRmN3zhT/EFQCfdf2v
IX2wkyZvsGM1sPvcEMSyK+0=
=WINE
-END PGP SIGNATURE-



RE: T1 bonding

2006-01-24 Thread Scott Morris

If you're treating them as two separate links (e.g. two POPs, etc.) then
that's correct, it'll be done by the router's choice of load-balancing (L3).
If you are going to the same POP (or box potentially) you can do MLPPP and
have a more effective L2 load balancing.

Otherwise, it's possible to get an iMux DSU (Digital Link is a vendor as I
recall, but there may be others) that allow that magical bonding to occur
prior to the router seeing the link.  At that point, the router just sees a
bigger line coming in (some do 6xT-1 and have a 10meg ethernet output to
your router).

If you're seeing the balancing the way that you are, most likely that vendor
(I have no specific knowledge about the A-vendor) is doing usage-based
aggregation which isn't exactly a balancing act.  The ones at some of my
sites are MLPPP which is a vendor-agnostic approach for the most part.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Elijah Savage
Sent: Tuesday, January 24, 2006 7:28 PM
To: Matt Bazan
Cc: nanog@merit.edu
Subject: Re: T1 bonding


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matt Bazan wrote:
> Can someone shed some technical light on the details of how two T1's 
> are bonded (typically).  We've got two sets of T's at two different 
> location with vendor 'X' (name starts w/ an 'A') and it appears that 
> we're really only getting about 1 full T's worth of bandwidth and 
> maybe 20% of the second.
> 
> Seems like they're bonded perhaps using destination IP?  It's a vendor 
> managed solution and I need to get some answers faster than they're 
> coming in.  Thanks.
> 
>   Matt
> 
More than likely they are not bonded t1's they are just load balanced by the
router which by default on Cisco is per session. Meaning pc1 to t1#1, pc2 to
t1#2, pc3 to t1#1. If they are truly bonded with some sort of MUX for a 3
meg port then you would not see the results you are seeing.

- --
http://www.digitalrage.org/
The Information Technology News Center
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD1sXyt06NWq3hlzkRAvi4AJ0R4RVii+Wrxzs5WI5es+FYhxHD0ACgioFW
/UHUMapXnmuPFSpKrXzD3JU=
=MqxV
-END PGP SIGNATURE-



RE: Cisco, haven't we learned anything? (technician reset)

2006-01-12 Thread Scott Morris

Many products have default STARTING passwords.  Whose fault is it that
someone can't figure out that it's not real bright if they don't change it?

The hidden ones are more an issue (with static passwords as opposed to
generated ones).

Scott

PS.  If your briefcase still uses  as the combination, I have no
sympathy for your missing items...  ;) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jared Mauch
Sent: Thursday, January 12, 2006 12:39 PM
To: Rob Thomas
Cc: NANOG
Subject: Re: Cisco, haven't we learned anything? (technician reset)


On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
> 
> Hi, Matthew.
> 
> ] Cisco Router and Security Device Manager (SDM) is installed on this
device.
> ] This feature requires the one-time use of the username "cisco"
> ] with the password "cisco".
> 
> Interesting.  Is it limited to one-time use?  Are the network login 
> services (SSH, telnet, et al.) prevented from using this login and 
> password?

I know the AP350 comes with a default Cisco/Cisco account..

(as opposed to doing a nvram/config clear and it only lets you login
on console).

problem is with cisco each product group controls how they ship
their system, so the Aironet teams don't quite seem to get this IMHO.  That
doesn't mean your 76k/GSR/CRS-1 will have Cisco/Cisco, but your aironet
products sure may.

- jared


--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.



RE: Infected list

2005-12-26 Thread Scott Morris

Regardless of that, I always thought the whole point of a DDoS attack was
quantity of hosts, not relying on quality of connection.

I thought we were theorizing anyway.  ;) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Florian Weimer
Sent: Monday, December 26, 2005 2:47 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Infected list


* Scott Morris:

> Not to mention that many IP's may be set to one device, yet there are 
> multiple things NAT'd behind it.

Are there any devices which perform non-static NAT and can forward
significant DoS traffic? 8-) Perhaps if it's just a single flow, but this
kind of DoS traffic would be rather unusual.



RE: Infected list

2005-12-26 Thread Scott Morris

Not to mention that many IP's may be set to one device, yet there are
multiple things NAT'd behind it. 

Perhaps they're even non-related folks.  Do we go after the ISP, the smaller
ISP, the Starbucks WiFi hotspot (example), or the user with the compromised
laptop that plugged in a whatever time that was???

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Richard Cox
Sent: Monday, December 26, 2005 12:24 PM
To: nanog@merit.edu
Subject: Re: Infected list


On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <[EMAIL PROTECTED]> wrote:

> Here is Barrett's list, including and sorted by ASN.

And even that won't be sufficient for many networks to take action.

A lot of people provide lists of the IPs that spam/attack/etc them, but do
not provide the actual time.  Since many "consumer" networks are running
DHCP, they will have no way to know which of their many customers using the
claimed IP on the day in question was actually an attacker, and so they will
almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include:
Date/Time (preferably UTC), exact IP (as hostnames can have multiple
A-records) and AS number.

--
Richard



RE: QoS for ADSL customers

2005-12-01 Thread Scott Morris

There was a 3.0 PDLM release on 11/1/05 for Bittorrent traffic.  See
http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ejay
Hire
Sent: Thursday, December 01, 2005 8:41 AM
To: 'Kim Onnel'
Cc: 'NANGO'
Subject: RE: QoS for ADSL customers


I got an off-list reply about using Nbar, but I've never seen a class map
that would match torrent.

-e 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Kim Onnel
> Sent: Thursday, December 01, 2005 7:12 AM
> To: Ejay Hire
> Cc: NANGO
> Subject: Re: QoS for ADSL customers
> 
> Our ADSL customers' traffic is 3 OC3 worth of traffic, I
> don't think our management would buy the idea.
> 
> thanks
> 
> 
> On 12/1/05, Ejay Hire <[EMAIL PROTECTED]> wrote:
> 
>   Hello.
>   
>   Going back to your original question, how to keep from
>   saturating the network with residential users using
>   bittorrent/edonkey et al, while suffocating business
>   customers.  Here goes.
>   
>   Netfilter/IpTables (and a slew of commercial products I'm
>   sure) has a Layer 7 traffic classifier, meaning it can
>   identify specific file transfer applications and set a
>   DiffServ bit.  This means it can tell between a real http
>   request and an edonkey transfer, even if they are both using
>   http.  It also has rate-limiting capability.  So... If you
>   pass all of the traffic destined for your DSL customers
>   through an iptables box (single point of failure) then you
>   can classify and rate-limit the downstream rate on a
>   per-application basis.
>   
>   Fwiw, if you are using diffserv bits, you could push the
>   rate-limits down to the router with a qos policy in it
>   instead of doing it all in the iptables box.
>   
>   References on this..  The netfilter website (for
>   classification info) and the Linux advanced router tools
>   (LART) (qos info/rate limiting)
>   
>   -e
>   
>   
>   > -Original Message-
>   > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>   > On Behalf Of Kim Onnel
>   > Sent: Thursday, December 01, 2005 3:26 AM
>   > To: NANGO
>   > Subject: Re: QoS for ADSL customers
>   >
>   > Can any one please suggest to me any commercial or none
>   > solution to cap the download stream traffic, our upstream
>   > will not receive marked traffic from us, so what can be
>   > done ?
>   >
>   >
>   > On 11/29/05, Kim Onnel <[EMAIL PROTECTED]> wrote:
>   >
>   >   Hello everyone,
>   >
>   >   We have Juniper ERX as BRAS for ADSL, its GigE
>   > interface is on an old Cisco 3508 switch with an old IOS,
>   > its gateway to the internet is a 7609, our transit internet
>   > links terminate on GigaE, Flexwan on the 7600
>   >
>   >   The links are now almost always fully utilized, we want
>   > to do some QoS to cap our ADSL downstream, to give room for
>   > the Corp. customers' traffic to flow without pain.
>   >
>   >   I'm here to collect ideas, comments, advice and
>   > experiences for such situations.
>   >
>   >   Our humble approach was to collect some p2p ports and
>   > police traffic to these ports, but the traffic wasn't much,
>   > one other thing is rate-limiting per ADSL customers' IPs, but
>   > that wasn't supported by management, so we thought of matching
>   > ADSL www traffic and doing exceed action is transmit, and
>   > police other IP traffic.
>   >
>   >   Doing so on the ERX wasn't a nice experience, so we're
>   > trying to do it on the cisco.
>   >
>   >   Thanks
>   >
>   >
>   >
>   
>   
> 
> 
> 



RE: paypal down!

2005-11-15 Thread Scott Morris

It appears they're really down.  I just tried 'em, and the IP address that
comes back really does resolve to Ebay's holdings.

Or someone scammed a whole /19 to make the whole thing up, in which case I
have to hand it to 'em!  Compromising one host is dandy, but a whole
netblock is pretty damned festive!  (AS11643 is reporting it, which again
appears to be correct)

Perhaps it is what it is and they're having karma problems.

Scott

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kevin Day
Sent: Tuesday, November 15, 2005 10:58 PM
To: Hannigan, Martin
Cc: nanog@merit.edu
Subject: Re: paypal down!



On Nov 15, 2005, at 9:45 PM, Hannigan, Martin wrote:
>>>  www.paypal.com
>>>
>>>  Internal Server Error
>>>
>>> The server encountered an internal error or misconfiguration and was
>>> unable to complete your request.
>>>
>>> Please contact the server administrator, [EMAIL PROTECTED] and inform
>>> them of the time the error occurred, and anything you might have done
>>> that may have caused the error.
>>>
>>> More information about this error may be available in the server error
>>> log.
>>
>> Works for me.  Same BS splash advertising that always comes up.  Damn
>> that is annoying.
>>
>
> Yes, but it *is* up. Same here. Probably one of the rotation web servers had
> an issue or something minor.
>


Or there's a chance that you've got a trojan/malware install on the  
computer.

I had someone contact me the other day with a nearly identical  
complaint, "Why have PayPal and eBay been down all day?" They were  
alternately getting a 404 or 503 for those sites, but everything else  
worked. Their hosts file had entries for ebay, google, a number of  
banks, common phishing targets. Even more fun was when I deleted the  
hosts file, after his next reboot it pulled an updated hosts file  
with new working IPs from somewhere.

I'm guessing the malware phishers don't have a five-nines array of  
redundant proxies yet. :)
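The hosts-file hijack Kevin describes is easy to check for from the defender's side. The following is an added example, not code from the thread: it parses a constructed hosts file and flags watch-listed brands pointed at a routable address (the watchlist names are illustrative and the sample addresses are documentation ranges).

```python
"""Flag hosts-file entries that redirect well-known sites to a routable
address, the symptom described in the thread. Added example using a
constructed hosts file; the watchlist is illustrative, not exhaustive."""
import ipaddress

# Brands the thread names as hijack targets; extend for your environment.
WATCHLIST = {"paypal.com", "ebay.com", "google.com"}

# Constructed sample hosts file (not a real capture). 203.0.113.0/24 is a
# documentation range standing in for a phishing proxy.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # legitimate ad-blocking entry
203.0.113.9     www.paypal.com paypal.com
203.0.113.9     www.ebay.com
203.0.113.10    www.bank.example
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname) for every name in the file,
    ignoring comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid hosts line; skip rather than crash
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def base_domain(name):
    """Last two labels of a name; good enough for the brands above, naive for
    multi-label public suffixes such as co.uk."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (lineno, address, name) for watch-listed domains (or their
    subdomains) mapped to anything other than loopback or the 0.0.0.0 sinkhole.

    Loopback/unspecified targets are the normal blocking idiom; a routable
    address for paypal.com in a hosts file is what a phishing proxy looks like."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if base_domain(name) not in watchlist:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((lineno, str(addr), name))
    return hits


def pivot_by_address(hits):
    """Group flagged brands by target address: one routable IP answering for
    several unrelated brands is the strongest single indicator."""
    by_addr = {}
    for _, addr, name in hits:
        by_addr.setdefault(addr, set()).add(base_domain(name))
    return by_addr
```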




RE: IPv6 news

2005-10-16 Thread Scott Morris

The problem with that (and many premises) is that we need to remember these
arguments and foreseen "problems" were all dreamed up 10 or so years ago.
The status of everyone's network, everyone's business needs and everyone's
network design (and capabilities) were drastically different that long ago.

It's a solution that made sense for far different reasons when it was
created than it makes sense for now.

*shrug*

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul
Vixie
Sent: Sunday, October 16, 2005 12:08 AM
To: nanog@merit.edu
Subject: Re: IPv6 news


[EMAIL PROTECTED] (David Conrad) writes:

> On Oct 15, 2005, at 3:27 PM, Tony Li wrote:
> > When we explored site multihoming (not rehoming) in the ways that 
> > you seem to suggest, it was effectively a set of coordinated NAT 
> > boxes around the periphery of the site.  That was rejected quite 
> > quickly.
> 
> What were the reasons for rejection?

i wasn't there for that meeting.  but when similar things were proposed at
other meetings, somebody always said "no! we have to have end-to-end, and if
we'd wanted nat-around-every-net we'd've stuck with IPv4."
--
Paul Vixie



RE: UNITED.COM (United Airlines) has been down for days! Any info on this?

2005-09-01 Thread Scott Morris



Works fine for me.
 
*shrug*
 
www.ual.com also forwards 
appropriately.
 
Scott


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Palmer
Sent: Thursday, September 01, 2005 1:55 PM
To: nanog@merit.edu
Subject: UNITED.COM (United Airlines) has been down for days! Any info on this?

The United Airlines website appears to be down and has been 
down for days.
 
Is this a network issue or are they out of 
business??


RE: Rip again!

2005-08-21 Thread Scott Morris

How about the source IP?

RIP v1 is sent to 255.255.255.255 broadcast.  RIPv2 is sent to 224.0.0.9
multicast.  Both are link-local only, so won't go THROUGH a router.  The
sending source IP will tell you where they came from.

If you're using VLANs (trunks), there won't be any issues.  If you're using
secondary addresses, this will depend on whose devices you use.   In the
Cisco world, packets will always be sourced from the primary IP address on
an interface.  And if the receiving router doesn't have a subnet matching
the sender, packets/updates are ignored.  (Again, Cisco world you can use
"no validate-update-source" to override this check)

But that gives you a tracking method on packets.  

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sanders
Sent: Sunday, August 21, 2005 12:13 PM
To: [EMAIL PROTECTED]
Subject: Rip again!


Hi,

There isn't IMO a way in RIP to identify the source of the RIP packet (the
way we have Router ID in OSPF, system ID in ISIS, etc.)

Now assume we have 2 vlans defined on an ethernet. Thus we would have two IP
interfaces, 1.1.1.1/24 and 2.2.2.2/24 and both using the same physical
interface. RIP is running on both these interfaces.

My doubt is how another router, which is configured in the same way (2
vlans), will be able to differentiate between the RIP responses originated
by 1.1.1.1 and 2.2.2.2?

Thanks,
Toms



RE: Tags

2005-08-19 Thread Scott Morris

Tags are simply a way to mark the routes.  Typically people will do it if
they have multiple redistribution points (or if someone tells them to set a
tag).

Depending on the complexity of the network, tags are used for many different
reasons, but those are all "internal" reasons to a company unless you have a
relationship and reason to exchange RIP with your customer (MPLS VPN?).

If you are seeing this on VRF customers, would you have any reason to be
concerned about it?  The VRF should keep things separate from the rest of
your network.  If you aren't running a VRF, why do you have RIP enabled on
the edge interface to see these things anyway? (e.g. why do you care?)


Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom
Sanders
Sent: Friday, August 19, 2005 5:34 AM
To: [EMAIL PROTECTED]
Subject: Tags


Hi,

I know RIP is outdated and IETF doesn't support it anymore. Knowing this I
couldn't think of a more appropriate place to post this query:

I keep seeing RIP packets with a tag field filled with some non zero number.
Any clues on why this is happening?

I know that the border routers were meant to use this to fill their AS
numbers there, but is there any vendor that really uses this?
Moreover, does it make any sense now in doing so?

Thanks,
Tom
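Both RIP threads above (the source-address question in "Rip again!" and the route-tag question here) come down to fields in the RIPv2 datagram. As an added example that is not code from the list, the following parses a RIPv2 response, lists entries with a non-zero route tag, and models the validate-update-source check Scott mentions; the datagram is constructed with struct, and the interface networks are the two from Tom's earlier question.

```python
"""RIPv2 datagram parser plus the source-address check discussed above.
Added example for the "Rip again!" and "Tags" threads; the datagram is
constructed with struct, not captured from a live network."""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")     # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HHIIII")   # AFI, route tag, address, mask, next hop, metric
RIPV1_BCAST = "255.255.255.255"        # RIPv1 updates are broadcast
RIPV2_MCAST = "224.0.0.9"              # RIPv2 updates are multicast; both are link-local


def build_entry(prefix, metric, tag=0, next_hop="0.0.0.0"):
    """Pack one RIPv2 route entry (AFI 2 = IP)."""
    net = ipaddress.IPv4Network(prefix)
    return RIP_ENTRY.pack(2, tag, int(net.network_address), int(net.netmask),
                          int(ipaddress.IPv4Address(next_hop)), metric)


def build_auth_entry(password):
    """Pack a simple-password authentication entry (AFI 0xFFFF, type 2)."""
    return struct.pack("!HH16s", 0xFFFF, 2, password)


def build_response(entries, version=2):
    """Pack a RIP response (command 2) with the given entries."""
    return RIP_HEADER.pack(2, version, 0) + b"".join(entries)


def parse_rip(datagram):
    """Decode a RIP v1 or v2 datagram into header fields and entries.

    The 'tag' slot is the route tag only in v2; in v1 it is a must-be-zero field."""
    body = len(datagram) - RIP_HEADER.size
    if body < 0 or body % RIP_ENTRY.size:
        raise ValueError("malformed RIP datagram length")
    command, version, _ = RIP_HEADER.unpack_from(datagram, 0)
    entries = []
    for off in range(RIP_HEADER.size, len(datagram), RIP_ENTRY.size):
        afi, tag, addr, mask, nh, metric = RIP_ENTRY.unpack_from(datagram, off)
        if afi == 0xFFFF:
            # Authentication entry: the tag slot carries the auth type.
            entries.append({"auth_type": tag,
                            "auth_data": datagram[off + 4:off + RIP_ENTRY.size]})
            continue
        if version == 2 and mask:
            netmask = str(ipaddress.IPv4Address(mask))
            prefix = str(ipaddress.IPv4Network((addr, netmask), strict=False))
        else:
            prefix = str(ipaddress.IPv4Address(addr))  # v1 carries no mask
        entries.append({"prefix": prefix, "tag": tag, "metric": metric,
                        "next_hop": str(ipaddress.IPv4Address(nh))})
    return {"command": command, "version": version, "entries": entries}


def tagged_routes(parsed):
    """Route entries carrying a non-zero route tag (what Tom saw on the wire)."""
    return [e for e in parsed["entries"] if "prefix" in e and e["tag"] != 0]


def match_source(src_ip, interface_nets):
    """Return the directly connected network the update's source IP falls in, or None.

    With two VLAN interfaces the source address alone tells them apart:
    an update from 1.1.1.x arrived via the 1.1.1.1/24 interface."""
    src = ipaddress.IPv4Address(src_ip)
    for net in interface_nets:
        if src in ipaddress.IPv4Network(net, strict=False):
            return net
    return None


def accept_update(src_ip, interface_nets, validate_source=True):
    """Model the 'validate-update-source' behaviour: by default an update whose
    source is not on a connected subnet is ignored; disabling the check
    (Cisco's 'no validate-update-source') accepts it anyway."""
    if not validate_source:
        return True
    return match_source(src_ip, interface_nets) is not None


# Constructed sample: a v2 response with a password entry and one tagged route.
SAMPLE_RESPONSE = build_response([
    build_auth_entry(b"s3cret"),
    build_entry("10.0.0.0/24", metric=1, tag=100),
    build_entry("192.168.1.0/24", metric=3),
])
LOCAL_NETS = ["1.1.1.1/24", "2.2.2.2/24"]   # the two VLAN interfaces in the thread
```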



RE: OT: Cisco.com password reset.

2005-08-03 Thread Scott Morris

No, it means that the password scheme of whatever the web-site uses to allow
access or not is not directly a Cisco product.  It means it's something that
could happen to anyone.

One could have a great network of great products and all it takes is one
small door to remain open someplace in a seemingly unrelated issue to bring
down the house.

Bummer on the IOS download part, but that would be crappy timing, not
necessarily a correlation!

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Adams
Sent: Wednesday, August 03, 2005 10:23 AM
To: nanog@merit.edu
Subject: Re: OT: Cisco.com password reset.


Once upon a time, Jared Mauch <[EMAIL PROTECTED]> said:
>   From the Cisco website:
> 
> IMPORTANT NOTICE:



> * This incident does not appear to be due to a weakness in Cisco
products or technologies.

Does this mean that CCO is not a Cisco product or technology?

Odd that lots of people are trying to download new IOS images and then CCO
locks them out.
--
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



RE: Cisco.com password reset.

2005-08-03 Thread Scott Morris

I think just about everyone's got reset.  Internal and external folks from
what I've heard.  *shrug*

On the other hand, people aren't usually good about resetting passwords, so
that's one way to mitigate problems.  :)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Blanchard
Sent: Wednesday, August 03, 2005 9:41 AM
To: nanog@merit.edu
Subject: OT: Cisco.com password reset.




FYI 

I got an email that my CCO account's password was reset last night. Not sure
how widespread this issue was, but I called my account contact and verified
that this is a valid email, and that my password needed to be reset.

Just a heads up.

-Joe Blanchard





RE: More info on the Exploit from Black Hat conference

2005-07-30 Thread Scott Morris

Based on some pictures from
http://tomsnetworking.com/Sections-article131.php I would agree with you
that they were edited.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Florian Weimer
Sent: Saturday, July 30, 2005 1:42 AM
To: Brad Knowles
Cc: NANOG
Subject: Re: More info on the Exploit from Black Hat conference


* Brad Knowles:

>   This makes me a little suspicious that the slides we have are not the
> real ones.

The dates embedded in the PDF file indeed suggest that they were edited
afterwards.



RE: Cisco IOS Exploit Cover Up

2005-07-29 Thread Scott Morris

And quite honestly, we can probably be pretty safe in assuming they will not
be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
2500's)

But, in the advisory that Cisco put out, it did mention free software
upgrades were available even to non-contract customers.  They simply had to
originate from a call to TAC about it.  Doesn't seem too bad. 

Not everyone has to worry about these things.  Place and time.

Scott


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barak
Sent: Friday, July 29, 2005 2:52 PM
To: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up




--- John Forrister <[EMAIL PROTECTED]> wrote:
> Indeed - Cisco's hardware, especially the older, smaller boxes, tended 
> to be really solid once you got them running.  I was just pondering a 
> few minutes ago on how many 2500's I configured & installed in 1996 & 
> 1997 are still running today, on code that's no longer supported by 
> Cisco, and which are incapable of taking enough flash to load a newer 
> image.

As a definite example, A client of mine has a 1601 sitting on the end of a
T1 running 11.3...  They're not interested in spending any money on an
upgrade, as the box is doing exactly what they want: running RIP internally,
and taking Ethernet-in and Serial-out.

-David

 




RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Scott Morris

Bear in mind though that when the M$ SQL Slammer worm hit everyone, the same
attitude existed.   The patch had been available for months.  People knew
about the vulnerability and it wasn't anything "new".

And yet, look how much havoc was created there.  It's always the "potential"
stuff that scares people more.  While I do think it's obnoxious to try to
censor someone, on the other hand if they have proprietary internal
information somehow that they aren't supposed to have to begin with, I don't
think it is in security's best interest to commit a crime in order to get
tighter security.

Is this the technical version of civil disobedience?

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
James Baldwin
Sent: Thursday, July 28, 2005 9:24 AM
To: Neil J.McRae
Cc: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up


On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:


> I couldn't disagree more. Cisco are trying to control the situation as 
> best they can so that they can deploy the needed fixes before the 
> $scriptkiddies start having their fun. It's no different to how any 
> other vendor handles an exploit and I'm surprised to see network 
> operators having such an attitude.
>

That's part of the issue: this wasn't an exploit in the sense of something a
$scriptkiddie could exploit. The sheer technical requirements of the exploit
itself ensure that it will only be reproduced by a small number of people
across the globe. There was no source or proof of concept code released and
duplicating the information would only provide you a method to increase the
severity of other potential exploits. It does not create any new exploits.  
Moreover, the fix for this was already released and you have not been able
to download a vulnerable version of the software for months however there
was no indication from Cisco regarding the severity of the required upgrade.
That is to say, they knew in April that arbitrary code execution was
possible on routers, they had it fixed by May, and we're hearing about it
now and if Cisco had its way we might still not be hearing about it.

How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had released
this code into the wild then how many networks would have been vulnerable
despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is interesting to
note that Cisco and ISS considered the information to be "not quite
complete." This is especially interesting since the research was done weeks
ago according to the researcher. It's surprising that such a decision as to the
incompleteness of the presentation and the retraction of Cisco's support for
the presentation were withdrawn only several days before the talk. It would
lead me to believe that both companies had less interest in a "process of
disclosure and communication" and more with burying this information for a
year or more.

I agree with everyone that making attack tools and exploit information
available to the public prior to a fix being generated with the vendor is a
poor method of encouraging good security, however that is far from the case
in this matter. A fix had been generated with the vendor and it was time
for the information to become public so network operators understood that
the remote execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259






RE: Fundamental changes to Internet architecture

2005-07-03 Thread Scott Morris

But he DID make it more feasible and useful.  And he DID throw thousands of
them away!

;)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
R. Ashworth
Sent: Sunday, July 03, 2005 10:07 PM
To: nanog@merit.edu
Subject: Re: Fundamental changes to Internet architecture


On Sun, Jul 03, 2005 at 02:08:39PM -0700, Joel Jaeggli wrote:
> On Sun, 3 Jul 2005, J.D. Falk wrote:
> > On 07/03/05, "Jay R. Ashworth" <[EMAIL PROTECTED]> wrote:
> >> How do we *know* there are no fundamentally new great concepts ...
> >> unless we *try a lot of stuff*.
> >
> > Trying stuff is good -- until something's tried, none of us can
> > really know what it'll do.  At what point do entirely off-network
> > experiments become on-topic for nanog?  (I doubt anyone has an
> > easy answer, I just wanted to throw the question out there.)
> >
> >> How many light bulbs did Edison throw away?
> 
> edison didn't invent the light bulb...

So he didn't.  And me a regular Wikipedian...

Cheers,
-- jra
-- 
Jay R. Ashworth                                            [EMAIL PROTECTED]
Designer                +-Internetworking--+--+                     RFC 2100
Ashworth & Associates   | Best Practices Wiki |                      '87 e24
St Petersburg FL USA    http://bestpractices.wikicities.com    +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



RE: OMB: IPv6 by June 2008

2005-06-30 Thread Scott Morris

Heheheh...  But see, wasn't that one of the whole theories behind the
"aggregation" schemes built into the allocation of IPv6 address?  Come
now...

Because we have deployed it today in a manner where that's not possible
doesn't make it a "rule" per se.

Is this theory any different that simply filtering the multiple allocations
denoted as RIPE or APNIC allocated IPv6 chunks?  I'd think not.

*shrug*  You're reading way too many politics into this, but not seeing the
designs of IPv6 in the same light.  SSDP.  (Same  Different Protocol) 

Scott

-Original Message-
From: Andre Oppermann [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 30, 2005 5:27 PM
To: [EMAIL PROTECTED]
Cc: 'Fergie (Paul Ferguson)'; [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: OMB: IPv6 by June 2008

Scott Morris wrote:
> We could have been much better served adding 3-bits at the beginning.
> Effectively giving a full IP v4 space to every continent (even 
> Antarctica) and having an extra one for the extra-terrestrial working 
> group.  ;)
> 
> And it would have given us real geographic-based filtering 
> capabilities at the same time without any major changes to everything 
> we have worked so hard to get to the level of insanity where we are today.
> 
> *shrug*  Simple things often get overlooked.

bzzzt...  You just described a rule #1 violation; IP addresses are routable
entities and thus by definition unsuitable for any kind of geo-location.

Rule #2 would be that IP addresses do (and must) not encode routing
information, they just serve to transport data.  All routing information is
carried on the routing layer and applied to the forwarding layer from there.

When do people learn that these layers do not intermix just like water and
oil do not?  I guess the only lesson history teaches us is that it doesn't.

--
Andre



RE: OMB: IPv6 by June 2008

2005-06-30 Thread Scott Morris

We could have been much better served adding 3-bits at the beginning.
Effectively giving a full IP v4 space to every continent (even Antarctica)
and having an extra one for the extra-terrestrial working group.  ;)

And it would have given us real geographic-based filtering capabilities at
the same time without any major changes to everything we have worked so hard
to get to the level of insanity where we are today.

*shrug*  Simple things often get overlooked.

Notice though that the deadline in the US terms is squarely inside the "next
guy's term".  ;)  Things that make you go "Hmmm..."

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Fergie (Paul Ferguson)
Sent: Thursday, June 30, 2005 4:37 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: OMB: IPv6 by June 2008



The author of the TechWeb article wrote those words extolling "improved
security measures", not me, dude. :-)

I stated explicitly that all of the "new features" lauded by v6 proponents
have effectively been retro-fitted to v4, thereby negating almost every v6
migration argument, with the exception of a larger host address pool.

Equally dumbfounded in v4-land,

- ferg



-- "Christopher L. Morrow" <[EMAIL PROTECTED]> wrote:

>over the current IPv4 technology. Among the additional
>advantages of IPv6 are improved security measures and
>additional links for wireless devices.
>

which 'security measures' are included in ipv6? which additional links for
wireless devices?

This keeps coming up in each discussion about v6, 'what security measures'
is never really defined in any real sense. As near as I can tell it's level
of 'security' is no better (and probably worse at the outset, for the
implementations not the protocol itself)  than v4. I could be wrong, but I'm
just not seeing any 'inherent security' in v6, and selling it that way is
just a bad plan.

-dazed and confused in ipv4-land.

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Scott Morris

Closing people's systems down from "any" other software installations isn't
necessarily the solution.  It can delay progress in many cases, and not
everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan
the system for things like that and alert/remove it.  That kind of
requirement at least gives flexibility and a good kick in the butt to
implement good assessment tools at the PC or network level.

All it takes is one user outside the "norm" to mess up LOTS of work and
policies trying to keep things right!

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Weeks
Sent: Tuesday, May 10, 2005 2:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Internet Attack Called Broad and Long Lasting by Investigators




Even though this article wasn't specifically regarding network operations, it
does come down to the most fundamental of network operating practices.
Create policies and the procedures that enable those policies.  Then enforce
them VERY strictly.

   The crucial element in the password thefts that provided access at
   Cisco and elsewhere was the intruder's use of a corrupted version of a
   standard software program, SSH.

   The intruder probed computers for vulnerabilities that allowed the
   installation of the corrupted program, known as a Trojan horse

   In the Cisco case, the passwords to Cisco computers were sent from a
   compromised computer by a legitimate user unaware of the Trojan horse

Folks that handle sensitive info (proprietary code, personal info, HIPAA,
FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
company servers where all software has been cleared by folks that're experts
in evaluating software packages.  Not from the general internet.

scott




RE: Getting a BGP table in to a lab

2005-04-20 Thread Scott Morris

Forget part of my reply here...  I thought someone was posting from the CCIE
forum stuff I do.  

So disregard the lack-of-caffeine-induced, retarded comment about no router
being able to support a full feed.  :)

My apologies

Zebra is still a good idea though!

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Morris
Sent: Wednesday, April 20, 2005 8:42 PM
To: 'Nathan Ward'; nanog@merit.edu
Subject: RE: Getting a BGP table in to a lab


None of the routers that are tested in the lab are capable of supporting a
full BGP feed

If you just want to play with BGP stuff, you can use Zebra (unix) or go to
www.nantech.com and get their BGP4WIN program.

That may help you a bit more.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nathan Ward
Sent: Wednesday, April 20, 2005 8:35 PM
To: nanog@merit.edu
Subject: Getting a BGP table in to a lab


I'm trying to come up with a way to get a full BGP routing table in to my
lab.
I'm not really fussed about keeping it up to date, so a snapshot is fine.
At the moment, I'm thinking about spending a few hours hacking together a
BGP daemon in perl to peer with and record a table from a production router,
disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

--
Nathan Ward





RE: Getting a BGP table in to a lab

2005-04-20 Thread Scott Morris

None of the routers that are tested in the lab are capable of supporting a
full BGP feed

If you just want to play with BGP stuff, you can use Zebra (unix) or go to
www.nantech.com and get their BGP4WIN program.

That may help you a bit more.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nathan Ward
Sent: Wednesday, April 20, 2005 8:35 PM
To: nanog@merit.edu
Subject: Getting a BGP table in to a lab


I'm trying to come up with a way to get a full BGP routing table in to my
lab.
I'm not really fussed about keeping it up to date, so a snapshot is fine.
At the moment, I'm thinking about spending a few hours hacking together a
BGP daemon in perl to peer with and record a table from a production router,
disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

--
Nathan Ward




RE: More on Vonage service disruptions...

2005-03-04 Thread Scott Morris

Actually, many of the EMTAs in the cable world derive AC power from the
coax...  Powered inline just like all the amps are.  At least the ones that
hang outside your house...

But with the Vonage idea of stuff inside your house that can't be done...
Old federal laws about the concept that the electric company is the only one
who can deliver power into your house.

Scott
 

-Original Message-
From: Deleskie, Jim [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 04, 2005 12:47 PM
To: 'Christopher Woodfield'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'John Levine'; [EMAIL PROTECTED]
Subject: RE: More on Vonage service disruptions...


There are EMTAs cable modems with VoIP ATA's that have 4 hr battery in the
market already.  

-Jim
-Original Message-
From: Christopher Woodfield [mailto:[EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:46 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'John Levine'; [EMAIL PROTECTED]
Subject: Re: More on Vonage service disruptions...



This does bring up a hardware design question...I'm wondering how difficult
of an engineering/marketing problem it would be to design VoIP adapters with
built-in backup batteries. How does the power consumption profile of a VoIP
adapter compare to, say, a cellphone? 
What would this add to the cost of the device, and how long could the
battery last?

-C

On Mar 3, 2005, at 10:25 PM, Scott Morris wrote:

>
> Perhaps it varies by state, but I thought part of the E-911 service 
> regulations was that if you were offering (charging) for it, you had 
> to offer it as "lifeline" service which meant it had to survive power 
> outage.
> *shrug*
>
> I guess the original regs weren't written with these things in mind!
>
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of John Levine
> Sent: Thursday, March 03, 2005 9:17 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: More on Vonage service disruptions...
>
>
>> There was actually a story in USA Today a couple of days ago where a
>> family tried calling 911 on their VoIP service during a burglary only
>> to be told by a recorded message that they must "dial 911 from another
>> phone"...
>
> I was surprised to see on Packet8's web site that they now offer E911 in a
> lot of places.  You have to have a local phone number and pay an extra
> $1.50/mo.  They remind you that if your power goes out, your phone still
> won't work, but if you can call 911, it'll be a real 911 call.
>
> This still has little to do with port blocking, but a lot to do with the
> whole question of what level of service people are paying for vs.
> what level they think they are paying for.
>
> Regards,
> John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for
> Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com,
> Mayor "I dropped the toothpaste", said Tom, crestfallenly.
>
>



RE: More on Vonage service disruptions...

2005-03-03 Thread Scott Morris

Perhaps it varies by state, but I thought part of the E-911 service
regulations was that if you were offering (charging) for it, you had to
offer it as "lifeline" service which meant it had to survive power outage.
*shrug*

I guess the original regs weren't written with these things in mind!  

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Levine
Sent: Thursday, March 03, 2005 9:17 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: More on Vonage service disruptions...


>There was actually a story in USA Today a couple of days ago where a 
>family tried calling 911 on their VoIP service during a burglary only 
>to be told by a recorded message that they must "dial 911 from another 
>phone"...

I was surprised to see on Packet8's web site that they now offer E911 in a
lot of places.  You have to have a local phone number and pay an extra
$1.50/mo.  They remind you that if your power goes out, your phone still
won't work, but if you can call 911, it'll be a real 911 call.

This still has little to do with port blocking, but a lot to do with the
whole question of what level of service people are paying for vs.
what level they think they are paying for.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for
Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com,
Mayor "I dropped the toothpaste", said Tom, crestfallenly.




RE: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Scott Morris

As much as it pains me to say, I'm sure there is a little difference when it
comes to some of the big domains.

1.  It doesn't take any rocket scientist to sit back and say "U...  I
really don't think this is a legit move" without a lot of thinking!

2.  If a lawyer for AOL or MS or some really big company sent a letter
saying something about if you don't change this back in the next 30 seconds
or we will destroy your company, it would be more believable!

Unfortunately, size does matter.  :)

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Petra Zeidler
Sent: Sunday, January 16, 2005 6:28 AM
To: nanog@merit.edu
Subject: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)


Hi,

Thus wrote Alexei Roudnev ([EMAIL PROTECTED]):

> What happens if someone stole the 'aol.com' domain tomorrow?  Or
> 'microsoft.com'?
> How much damage will be done until these sleeping behemoths wake up, set 
> up a meeting (on Tuesday I believe - because Monday is a holiday), 
> make any decision, open a ticket, pass thru change control and 
> restore the domain? 5 days?

I remember that in a similar case in .de several larger ISPs put the
previous ('correct') zone on their resolvers. Would
a) people here feel that is an appropriate measure for this case
b) do it on their resolvers
c) the panix.com people want that to happen in the first place?

regards,
Petra Zeidler



RE: New Computer? Six Steps to Safer Surfing

2004-12-19 Thread Scott Morris

So when the majority of people begin using a different operating system, is
there some reason that the majority of virus-writers or other malcontents
wouldn't focus on the flaws there?

Or are we stuck in this little bubble thinking that unix REALLY is THAT
secure?

Perhaps it is, but my viewpoint is that it's really shortsighted to make
this assumption.  Just because it hasn't happened yet doesn't mean that it
can't.  Wolves go where the sheep are plentiful and less protected.  As they
get hungry, they'll go other places.  :)

Just my two cents.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matthew S. Hallacy
Sent: Sunday, December 19, 2004 7:37 AM
To: Sean Donelan; [EMAIL PROTECTED]
Subject: Re: New Computer? Six Steps to Safer Surfing


On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
> 
> I wouldn't rely on software firewalls.  At the same store you buy your 
> computer, also buy a hardware firewall.  Hopefully soon the 
> motherboard and NIC manufacturers will start including built-in hardware
> firewalls.
> But sometimes, such as dialup modems, software firewalls are the only 
> alternative.

Hopefully soon people will start running operating systems, web browsers,
and email clients where they have no need for a "personal firewall". 

(Or, with luck, certain vendors will fix their buggy software)

-- 
Matthew S. Hallacy                          FUBAR, LART, BOFH Certified
http://www.poptix.net                       GPG public key 0x01938203



RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]

2004-11-30 Thread Scott Morris

Because then the specificity of the routes would become less relevant.  If
you have two highways available to you, then it's 6 of one and half dozen of
another.  You could care less which way you go.

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Iljitsch van Beijnum
Sent: Tuesday, November 30, 2004 7:01 PM
To: [EMAIL PROTECTED]
Cc: 'NANOG list'
Subject: Re: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda,
yadda]


On 30-nov-04, at 23:32, Scott Morris wrote:

> At large NAP points (the higher order ISP's) this may make some sense 
> because of the ubiquity of larger scale lines.

Why would geographical aggregation need bigger lines?




RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]

2004-11-30 Thread Scott Morris

I'm well aware that BGP is link speed agnostic.  That makes it even more
important (or less "not important"?) when looking at moving towards a
geographical routing concept.  If everything were equal, as I noted, then
geographical would make perfect sense.

But it isn't, so it doesn't.  :)

At large NAP points (the higher order ISP's) this may make some sense
because of the ubiquity of larger scale lines.  Throughout the entire bgp
structure though, this doesn't make as much sense.  The flip side, of
course, is that you rely on the higher-level ISPs to do some serious policy
upkeep.  This hasn't seemed to help much so far, and of course, as the
lower-tier ISPs or large-scale enterprises become multihomed, we still lose
out on what is being bantered.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Iljitsch van Beijnum
Sent: Tuesday, November 30, 2004 2:55 PM
To: NANOG list
Subject: Re: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda,
yadda]


On 30-nov-04, at 16:29, Scott Morris wrote:

> In the interconnected world, geography is very much irrelevant to best 
> path routing.  It's all about speeds and feeds where a local-access 
> T-1 is obviously not preferable to a cross-country OC-3.

I have a very hard time seeing this as a realistic example in interdomain
routing. BGP has no idea about link speeds. I've seen many occasions where
BGP selects a path that is inferior because all the paths cross the same
number of ASes and that's the extent of BGP's knowledge.

When looking at a small scale, you're right that network topology and
geography are very different. For instance, I live in The Hague, which is in
a very small country very close to a major international fiber hub
(Amsterdam). This means that it's almost impossible for me to reach someone
else in The Hague (or the world, for that matter) without going through
Amsterdam. If you look at Holland as a whole, the picture is very different:
the vast majority of traffic between any two points within the country stays
within the country. If you look at a Western-European scale, there is almost
no traffic that leaves the region. And in 10 years, I've never seen any
traffic between two points in Holland go through Africa, Asia or South
America.

This means that with geographic aggregation in effect, 90% of Dutch more
specific routing information can be aggregated away elsewhere in Europe, 98%
in North America and (possibly) 100% elsewhere in the world.

Yes, there will always be exceptions. When you have a million entries in the
routing table, you don't worry about the 3 special cases as long as you
can get the 97 simple cases right.

Another misconception: the aggregation doesn't have to line up with the
fiber. If London needs two aggregates because one half is in the western
hemisphere and the other half is in the eastern hemisphere, who cares? And
it gets even better when you consider that an ISP will carry all of its
customer routes everywhere anyway: there is no need for two peers to agree
where the routing information for a certain geographic area is exchanged:
peer A simply listens for the information in the location that it finds most
suitable, and so does peer B. There is no requirement for this to happen in
the same location, or in the "target area" itself.
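The aggregation argument in the exchange above (a regional aggregate carried far away, more-specifics only nearby, and Scott's point that routing is still longest prefix match, so a more-specific that slips past a filter wins regardless of geography), as an added Python example that is not from the thread. The prefixes are constructed values in IPv6 documentation space, not real allocations, and the "EU"/"NA"/"NL" labels are illustrative.

```python
import ipaddress

# Constructed toy routing table in IPv6 documentation space (2001:db8::/32);
# none of these are real allocations. Two "continental" aggregates, with
# Dutch more-specifics nested under the EU one.
FULL_TABLE = {
    "2001:db8::/33": "EU aggregate",
    "2001:db8:8000::/33": "NA aggregate",
    "2001:db8:1::/48": "NL ISP",
    "2001:db8:1:ab00::/56": "NL ISP customer",
    "2001:db8:2::/48": "another NL ISP",
}


def lookup(table, address):
    """Longest-prefix match, the only thing the forwarding table actually
    does: return (prefix, label) of the most specific covering route."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, label in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return (str(best[0]), best[1]) if best is not None else None


def aggregate_away(table, aggregate):
    """The table as seen by a router far from a region: every more-specific
    inside `aggregate` is dropped and only the aggregate itself is kept."""
    agg = ipaddress.ip_network(aggregate)
    kept = {}
    for prefix, label in table.items():
        net = ipaddress.ip_network(prefix)
        if net != agg and net.subnet_of(agg):
            continue  # covered by the aggregate, not carried this far away
        kept[prefix] = label
    return kept


def leak(table, prefix, label):
    """A more-specific that slips past a filter (the misconfigured-filter
    case): longest prefix match prefers it over the aggregate, wherever
    the router sits geographically."""
    leaked = dict(table)
    leaked[prefix] = label
    return leaked


if __name__ == "__main__":
    nl_host = "2001:db8:1:ab00::1"
    near = lookup(FULL_TABLE, nl_host)                  # inside Europe: /56
    far_view = aggregate_away(FULL_TABLE, "2001:db8::/33")
    far = lookup(far_view, nl_host)                     # North America: /33
    oops = lookup(leak(far_view, "2001:db8:1::/48", "leaked NL"), nl_host)
    print(f"{len(FULL_TABLE)} routes near the region, {len(far_view)} far away")
    print(near, far, oops, sep="\n")
```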



RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]

2004-11-30 Thread Scott Morris

In the interconnected world, geography is very much irrelevant to best path
routing.  It's all about speeds and feeds where a local-access T-1 is
obviously not preferable to a cross-country OC-3.

Sounds nice on paper, but isn't really where things are at these days.  Now
on the other hand if bandwidth were unlimited and we all had great
super-duper links between every ISP regardless of tier, THEN geographical
routing would make sense.

Whether you have 16 or more geographical locations doesn't necessarily
equate to geographic routing.  It's still longest prefix match which may be
interrupted by misconfigured filters, or other circumstances.  

This is what happens when we try to borrow ideas from the 40-50-year-old
telecom world and how basic call-routing worked in a TDM environment.
 
Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 30, 2004 9:28 AM
To: [EMAIL PROTECTED]
Subject: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda,
yadda]

> Anything that takes geography into the routing is plain and simple 
> broken.

Then why do major American providers require peers to be in 16 or more
geographic locations? Why do people aggregate addresses geographically in
their networks? It can't all be broken.



RE: Sensible geographical addressing

2004-11-30 Thread Scott Morris

3 bits as a prefix would work perfectly fine IMHO.

This gives us an entire 32-bit space PER CONTINENT.  As I noted before I
don't think the penguins really need that many IPs in Antarctica, but that
could always be set aside.  In addition, there's an extra set (only 7
continents at last count) for extra-terrestrial expansion or other needs.

And, that gives the ability to filter entire continents out if necessary.
The country code (ITU) isn't really a bad idea either, but I'm just thinking
less overall binary bits.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barak
Sent: Tuesday, November 30, 2004 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Sensible geographical addressing



--- [EMAIL PROTECTED] wrote:
> 10 years ago we didn't have the RIR system in place to help us with 
> geographic addressing. Today we do. Now you might be able to convince 
> me that we could achieve similar goals by putting together route 
> registries, RIRs and some magic pixie dust.
> As far as I'm concerned, geographical route aggregation is necessary 
> for the v6 network to scale. It will happen, the only question is how 
> we solve the problem.
> 

What exactly would be so bad about taking a page from the PSTN and using a
country-code-like system?  There are under 200 countries on the whole
planet, so that's not a huge number of bits...



=
David Barak
-fully RFC 1925 compliant-






RE: size of the routing table is a big deal, especially in IPv6

2004-11-29 Thread Scott Morris

You make it sound like the politics involved in a regulatory/governed
setting are different than those involved in a commercial setting.  In the
end, it's all about economics.

I think the UN has enough trouble managing the things it attempts to manage
right now.  Don't let them try to be technical too!

We should have looked at IPv4 and simply added three bits as a prefix to
denote continent, giving lots of IPs in lots of different areas.  Of
course, then we'd argue about how the IPs for Antarctica would get allocated.
And then there would be the one leftover set, presumably for outer space.
Just in case the United Federation of Planets ever needed to worry about IP
address allocation.

Gotta plan ahead, right?

Same basic problems we've always had, just changing the scale to reflect the
times.  Technology isn't much different than any other economic/social
history in that matter.  :)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony
Li
Sent: Monday, November 29, 2004 11:14 PM

In the decentralized world of the Internet, we have a bigger problem in 
that we do not have a clear entity that impose the necessary regulatory 
pressures and there is no commercial pressure.  All we can do is to ask 
people to be good Internet citizens and to act locally for the global 
good.  The challenge, of course, is that this is in almost no one's 
immediate best interest.

My preferred solution at this point is for the UN to take over 
management of the entire Internet and for them to issue a policy of one 
prefix per country.  This will have all sorts of nasty downsides for 
national providers and folks that care about optimal routing, but it's 
the only way that I can see that will allow the Internet to continue to 
operate over the long term.

Tony



RE: Stupid Ipv6

2004-11-20 Thread Scott Morris

While the concept of classes has changed, I'm not so sure that I agree with
the complaint here...

Everything I've seen about the multi TLA/SLA concepts always seem to leave
64 bits at the end for the actual host address, so it would be a logical
step at that point to have the ASICs spun so that 64 bits was the limit for
routing tables.

Perhaps I have had the same assumption/misunderstanding that the programmer
guys have had then?!?!?

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, November 20, 2004 9:56 PM
To: Kevin Oberman
Cc: [EMAIL PROTECTED]; Lars Erik Gullerud; Stephen Sprunk; North
American Noise and Off-topic Gripes
Subject: Re: Stupid Ipv6 


> Just to introduce a touch of practicality to this discussion, it might 
> be worth noting that Cisco and Juniper took the RFC stating that the 
> smallest subnet assignments would be a /64 seriously and the ASICs 
> only route on 64 bits. I suspect that they influenced the spec in this 
> area as expending them to 128 bits would have been rather expensive.

darn...  and we fought so hard last time we had to expunge
classful addressing asics/hardware in the late 1990s.
looks like it crept back into vendor gear.  IPv6 was -never-
supposed to be classful.

--bill



RE: [nanog] RE: Stupid Ipv6 question...

2004-11-19 Thread Scott Morris

Very true...  But if we are assuming that the ISP isn't the end customer who
may receive an allocation, then who really is the "consumer"?

One has to wonder how much time was spent drunk underneath chairs and/or
mattresses to come up with a rule like that!

Scott

-Original Message-
From: Dan Mahoney, System Admin [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 19, 2004 2:12 PM
To: Scott Morris
Cc: 'Kevin Loch'; [EMAIL PROTECTED]
Subject: Re: [nanog] RE: Stupid Ipv6 question...

On Fri, 19 Nov 2004, Scott Morris wrote:

No, nobody ever reads that tag.  It says "not to be removed except by the
consumer".

Which with at least one severely drunk friend of mine, has meant that if you
remove it, you have to eat it :)

-Dan


>
> Does that mean if we rip them off that we may be prosecuted?
>
> ;)
>
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Kevin Loch
> Sent: Friday, November 19, 2004 1:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Stupid Ipv6 question...
>
>
> Leo Bicknell wrote:
>
>> With the exception of auto-configuration, I have yet to see any
>> IPv6 gear that cares about prefix length.  Configuring a /1 to a
>> /128 seems to work just fine.  If anyone knows of gear imposing 
>> narrower limits on what can be configured I'd be fascinated to know 
>> about them.
>>
>
> 64 bit prefixes are the mattress tags of IPv6 interfaces.
>
> --
> Kevin Loch
>
>

--

"We need another cat.  This one's retarded."

-Cali, March 8, 2003 (3:43 AM)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---





RE: Stupid Ipv6 question...

2004-11-19 Thread Scott Morris

Does that mean if we rip them off that we may be prosecuted?

;)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kevin Loch
Sent: Friday, November 19, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: Re: Stupid Ipv6 question...


Leo Bicknell wrote:

> With the exception of auto-configuration, I have yet to see any
> IPv6 gear that cares about prefix length.  Configuring a /1 to a
> /128 seems to work just fine.  If anyone knows of gear imposing 
> narrower limits on what can be configured I'd be fascinated to know 
> about them.
> 

64 bit prefixes are the mattress tags of IPv6 interfaces.

--
Kevin Loch




RE: How to Blocking VoIP ( H.323) ?

2004-11-11 Thread Scott Morris

Tcp/1719 is part of the H323 Gatekeeper default ports (which can be changed).

Tcp/1720 is the H.225 call setup port, and I haven't heard of this being a
configurable port.

HTH,

 
Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist, CISSP
CCSI #21903
[EMAIL PROTECTED]
 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Shen
Sent: Thursday, November 11, 2004 6:40 AM
To: NANGO
Subject: How to Blocking VoIP ( H.323) ?


Hi,

How could it be done to block VoIP at access router?

I've thought about using ACL to block UDP port 1719,but this could be
overcome by modifying protocol port number. 

regards

Joe 




RE: Okay, I'm just going to _assume_...

2004-10-24 Thread Scott Morris

We see it all the time...

It's called "percussive maintenance" !!!

It's actually Step 4 in TAC's escalation procedures! (smirk)

Scott 

-Original Message-
From: Chris Moody [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 25, 2004 12:40 AM
To: Scott Morris
Cc: 'Martin J. Levy'; 'Brian Wallingford'; 'Bill Woodcock'; [EMAIL PROTECTED]
Subject: RE: Okay, I'm just going to _assume_...

ok, sorry for the double post...but LMFAO
The router is broken and he KICKS IT to get it up again!!

-C


On Fri, 22 Oct 2004, Scott Morris wrote:

>
> I want the MP3 of the theme song to the game!   ;)
>
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Martin J. Levy
> Sent: Friday, October 22, 2004 1:17 AM
> To: 'Brian Wallingford'; 'Bill Woodcock'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Okay, I'm just going to _assume_...
>
>
> One word of advice... Don't skip the intro.  "I'm a hacker and I steal 
> data from the Internet".  I love the parachutes (it somewhat reminds 
> me of a Woody Allen movie, but that's another story).
>
> I want a QoS rocket
>
> Martin
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Brian Wallingford
> Sent: Thursday, October 21, 2004 9:53 PM
> To: Bill Woodcock
> Cc: [EMAIL PROTECTED]
> Subject: Re: Okay, I'm just going to _assume_...
>
>
> It's official - pigs are aloft, the forecast for Hell is freezing 
> rain, the Sox have nearly broken the Curse (and will... :), and Cisco 
> has taken over Looney Tunes.  The end is near.
>
> No, no operational content...  Did John Chambers have an aneurysm
> recently?
>
> On Thu, 21 Oct 2004, Bill Woodcock wrote:
>
> :
> :...that there's some operational content somewhere in here:
> :
> :http://www.cisco.com/edu/peterpacket/
> :
> :...though I'm on kind of a slow link, so I'm still looking.  My eternal
> :thanks to Suresh for finding this.  My day is complete.
> :
> :-Bill
>
>




RE: Okay, I'm just going to _assume_...

2004-10-21 Thread Scott Morris

I want the MP3 of the theme song to the game!   ;)

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Martin J. Levy
Sent: Friday, October 22, 2004 1:17 AM
To: 'Brian Wallingford'; 'Bill Woodcock'
Cc: [EMAIL PROTECTED]
Subject: RE: Okay, I'm just going to _assume_...


One word of advice... Don't skip the intro.  "I'm a hacker and I steal data
from the Internet".  I love the parachutes (it somewhat reminds me of a
Woody Allen movie, but that's another story).

I want a QoS rocket

Martin


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Brian Wallingford
Sent: Thursday, October 21, 2004 9:53 PM
To: Bill Woodcock
Cc: [EMAIL PROTECTED]
Subject: Re: Okay, I'm just going to _assume_...


It's official - pigs are aloft, the forecast for Hell is freezing rain, the
Sox have nearly broken the Curse (and will... :), and Cisco has taken over
Looney Tunes.  The end is near.

No, no operational content...  Did John Chambers have an aneurysm recently?

On Thu, 21 Oct 2004, Bill Woodcock wrote:

:
:...that there's some operational content somewhere in here:
:
:http://www.cisco.com/edu/peterpacket/
:
:...though I'm on kind of a slow link, so I'm still looking.  My eternal
:thanks to Suresh for finding this.  My day is complete.
:
:-Bill




RE: Another one bites the dust

2004-10-14 Thread Scott Morris

Yeah, I noticed the different sender when I went back.  (ah well...)

Need more caffeine today.  :)  (Although it's hard to drink with the hole
left by the fishhook)

Scott  

-Original Message-
From: D'Arcy J.M. Cain [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 14, 2004 2:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Another one bites the dust

On Thu, 14 Oct 2004 13:26:55 -0400
"Scott Morris" <[EMAIL PROTECTED]> wrote:
> Bear in mind, I apparently haven't paid attention or noticed any of 
> his past behavior that may have warranted this.  But it seems equally 
> counter-productive to the operation of the list for what he did as 
> what you did in order to let him know that.

Better have a professional remove that fishhook from your cheek.  :-)

-- 
D'Arcy J.M. Cain <[EMAIL PROTECTED]>   |  Democracy is three wolves
http://www.druid.net/darcy/            |  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)       |  what's for dinner.



RE: Another one bites the dust

2004-10-14 Thread Scott Morris

Now perhaps this is a little off, but given the logic that you suggest his
mention of He Who Had a Short Mustache might be offensive (by merely
mentioning the name)...  Aren't you therefore guilty of the same offensive
violation?  Gratuitous mentioning does imply that there is a context, and
the context is something that would/should/could become offensive.

*shrug*

Seems odd.  Humor is good occasionally.  Oblique and non-meritorious
censorship, however, is not.

Bear in mind, I apparently haven't paid attention or noticed any of his past
behavior that may have warranted this.  But it seems equally
counter-productive to the operation of the list for what he did as what you
did in order to let him know that. 

IMHO,

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Husan Sarris
Sent: Thursday, October 14, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: Another one bites the dust


Stephen - although you have often been a valuable contributor to the NANOG
list, you received your "last warning" about list AUP violations last
spring.  Because of your non-operational post below, and your gratuitous
mention of Hitler, which could be offensive to some, we have removed your
posting privileges from the NANOG list for a period of four months.
Please refer to the AUP:

http://www.nanog.org/aup.html

Susan Harris, Ph.D.
Merit Network/Univ. of Mich.


On Wed, 13 Oct 2004, Stephen J. Wilcox wrote:

>
> On Wed, 13 Oct 2004, Christian Malo wrote:
>
> > FREE RICHARD
>
> Of course my understanding of revoking posting privileges is that you 
> can't post to the list.. not you are imprisoned in the merit dungeons, 
> I think that punishment is reserved for Bandy/Husan/etc
>
> However I do like some humor being injected onto the list, so long as 
> the SNR doesn't diminish too much it can help to inject some life 
> in between the 'paging bob smith' / 'anyone help me configure bgp' /
> path mtu / urpf cyclical debates..
> actually we've not had Hitler discussed for a while, perhaps I can 
> start a thread... ooops
>
> Steve



RE: House Toughens Spyware Penalties

2004-10-08 Thread Scott Morris

Oh, how festive.  Anyone got that "Bill (Gates) Blocker" filter ready?  :)

Left to their own devices, congressmen should NOT be allowed to write bills
about things they don't understand.  Well...  Ok, that's too restrictive.
No bills would ever get written.  

We'll still see the same problems coming from the same non-US places where
it isn't exactly feasible to prosecute.  But it made someone someplace feel
better, I'm sure!

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nicole
Sent: Friday, October 08, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: FW: House Toughens Spyware Penalties



 It all reads ok until the latter part... shudder...

  Nicole


-FW: <[EMAIL PROTECTED]>-

Date: Fri, 08 Oct 2004 16:00:53 -0400
Sender: [EMAIL PROTECTED]
From: cybercrime-alerts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: House Toughens Spyware Penalties

October 8, 2004
House Toughens Spyware Penalties 

http://www.internetnews.com/bus-news/article.php/3419211

For the second time in three days, the U.S. House of Representatives has
passed an anti-spyware bill, this time adding criminal penalties to tough
civil provisions of legislation passed on Tuesday. 

The Internet Spyware Prevention Act of 2004 (H.R. 4661), which passed on a
415-0 vote Thursday, makes it a crime to intentionally access a computer
without authorization or to intentionally exceed authorized access. If the
unauthorized intrusion is to further another federal crime such as secretly
accessing personal data, the penalty is up to five years in prison. 

Deliberately injuring or defrauding a person or damaging a computer through
the unauthorized installation of spyware carry prison terms of up to two
years. The legislation also authorizes $10 million for the Department of
Justice to combat spyware and phishing scams, although the bill does not
specifically make phishing a crime. 

"By imposing criminal penalties on these bad actors, this legislation will
help deter the use of spyware, and will thus help protect consumers from
these aggressive attacks," Rep. Bob Goodlatte (R-VA), the bill's author,
said in a statement. "At the same time, the legislation leaves the door open
for innovative technology developments to continue to combat spyware
programs." 

Tuesday night, the House passed legislation prohibiting unfair or deceptive
practices related to spyware. The bill, known as the Spy Act (H.R. 2929),
also requires an opt-in notice and consent form for legal software that
collects personally identifiable information from consumers. The penalties
in H.R. 2929 are limited to civil fines of up to $3 million. 

Both bills now go the Senate, which has pending legislation similar to the
House bills. House Energy and Commerce Committee Chairman Joe Barton
(R-Texas) said earlier this week he thought the two chambers could agree on
a spyware bill before lawmakers adjourn on Friday or Saturday. 

"[We've] seen several egregious examples of spyware being used in ways that
most Americans would think clearly ought to be criminal," Ari Schwartz,
associate director of the Center for Democracy and Technology, said in
another statement. "The bill will help make sure there are strong deterrents
to using spyware to defraud or injure consumers." 

The two House bills are supported by a broad array of trade groups,
including the U.S. Chamber of Commerce and the Business Software Alliance
(BSA). "This anti-spyware legislation ensures that criminal penalties are
imposed upon those persons who aim to harm innocent Internet users via
spyware applications," said Robert Holleyman, president and CEO of the BSA. 

Dell, eBay, Microsoft, Time Warner, Yahoo and Earthlink endorsed the Tuesday
legislation. They did so after exemptions were added to the bill for network
monitoring for security purposes, technical support or repair, or the
detection or prevention of fraudulent activities. 

The bill also permits computer software providers to interact with a user's
computer without notice and consent in order to determine whether the
computer user is authorized to use the software upon initialization of the
software or an update of the software. 

"Every day thousands of unsuspecting Americans have their identities
hijacked by a new breed of cyber criminals because of spyware. People whose
identities have been stolen can spend months or years -- and much of their
hard-earned money -- trying to restore their good name and credit record.
This legislation will help prevent bad things from happening to good names,"
Rep. Lamar Smith
(R-Texas) said. 



--End of forwarded message---

RE: Cisco moves even more to china.

2004-09-25 Thread Scott Morris

You can't logically, in the same e-mail talk about Cisco wanting to dominate
a new/growing market (e.g. would account for new jobs, new stuff, new monies
previously unseen) and then talk about Bush (or whomever) getting money from
this and not caring therefore screwing US workers.

If it's a new market, nobody is getting screwed.  There are certainly no
rules saying that every sale that Cisco (or any other US-based company)
makes must flow through American hands.  That would be absurd.

If it were growing or supplementing existing business in the US where they
deliberately go in and lay off US workers in order to bring on workers in
other countries, then THAT is the part where you may be upset about this.

Outsourcing may indeed be a problem in some aspects and some industries, but
(IMHO) THIS particular announcement about playing by the necessary political
rules and seeking to establish a firm hold in a new/growing market doesn't
even come close to the issues that you seem to be complaining about.

So please, if you're going to try to bring politics into the thread and
blame it on whoever (though the particular administration really has no
impact on this one way or the other), then stick with some semblance of logic
that follows all the way through.

Personally, I don't like the concept of certain types of outsourcing where
jobs are indeed lost to save a buck or two.  But I think that too many
people go off the "logical deep-end" on what items fall into this category
and soon we are looking at McCarthy's tactics for deciding the conforming or
non-conforming, which is not a good idea.

Someone in a previous e-mail mentioned someone's law about annihilating this
thread.  While I don't know whose law that was I hope whatever it is takes
effect soon because the sky really is not falling.

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Henry Linneweh
Sent: Saturday, September 25, 2004 1:42 PM
To: Alexei Roudnev; Paul Jakma; Robin Lynn Frank
Cc: [EMAIL PROTECTED]
Subject: Re: Cisco moves even more to china.


The only event that is driving this is that Cisco wants to dominate the
Chinese market, and the only way to sell in China is to manufacture product
there, using their people to manufacture; that is how the game is played
there and for the Chinese it makes sense, considering the government there
has around 1.3 billion people to care for.

The lack of understanding here is that Americans need to be cared for too,
with an economy that provides us with a sense of financial security.

The problem centers around jobs now being promoted for political purposes as
jobs; when you focus on these jobs, you will discover they are not living
wage jobs and certainly not jobs that provide for intelligent people
staffing them.

The other issue that fits into this problem is that the Bush administration
gets $1.12 for every dollar earned offshore from any product, so it basically
doesn't care, since it keeps the US government solvent, while the rest of us
get flushed down the tubes. Making matters worse is the fact that executives
that support the Bush administration with outsourcing offshore are given
financial rewards and tax incentives that make it attractive to do so.

If you don't like the politics of what is happening to you, change it in
November and work to turn our country around and preserve our friendships
globally in the process. My 2 cents

-henry



RE: Cisco moves even more to china.

2004-09-24 Thread Scott Morris



Without getting into the entire conceptual argument about capitalism in
general and why some semi-sane economic decisions are made...  What is it
that makes you think that boycotting a company (particularly one the size
or deployment of Cisco and/or Juniper) would make someone say "oh, I'm
sorry, it looks like we made a bad decision in saving some money"???

Now, let's also go back and look at the original post.  Cisco is putting in
what?  $32 million.  In the grand scheme of things, just what kind of impact
do you really believe this is going to have?  Committing to training people
in another country is not a commitment to abandon jobs elsewhere.  Look at
the economics of how much the Chinese market is growing.  Or should we
handle all of that extra work in supporting that country's expanding market
with jobs already here in the US (or wherever)?

Oh wait, don't many US folks already complain about the down-, right-,
left-, some-direction-sizing that's going on and how overworked they may
be?

There are SOME areas where the outsourcing may hit a chord, and everyone is
always welcome to their soapbox.  I just don't think it really applies to
the particulars that were announced here, and certainly not to this level.
As ANY good job-seeker should realize, it's all about economics.  So make
yourself a more marketable or valuable person than others.  Whether through
certifications (not starting this war) or experiences or the ability to
demonstrate business prowess along with technical skills...

But where do we draw the line?  Almost ANY electronics company uses
non-American parts.  Many clothing manufacturers use off-shore assembly.
Everyone is entitled to desire purchasing locally-produced goods only, but
at the same time it's hard to justify complaining about how much more
expensive some of those items may be!

It's everywhere.  As long as there are options, it'll never change.  We see
the shift now because of the ease of travel and shipping and ubiquitous
communications (oh damn, that means we're in an industry that may have
helped this "evil" trend).  It's economic destiny, which means to fight it
we need to make the overall economic choice one that leans our direction
(wherever that "our" may be).  But simply complaining about it is the easy
part.  Figuring out the "why" and then working to make the decision better
to go a different direction is harder.  Business decisions, like routes,
have metrics.  Figure out what they are and change them if desired.  But
it's not nearly as simple!

Scott
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph
Sent: Friday, September 24, 2004 7:19 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Cisco moves even more to china.


Hello Erik,

Although I agree with you on many points I think it's time people stop
complaining and take action. My point was not to idly complain about the
outsourcing trend and claim that protectionism is the answer but to ask if
there is a better way to deal with the long term trend for ALL of us.
Boycotting is just one way to send a message rather than simply
complaining.

Your perception of Americans I think is very skewed by the media. You
obviously did not read my post and wanted to take a cheap shot. Many
Americans like myself have always been fighting for equity, fairness and
democracy from the beginning in all our activities. Try not to equate a
people with what you read and hear in the media and realize they have much
more diversity of opinion than is portrayed therein. I argue we, BOTH
American and international workers (that means you), need to change the
system so that we are all treated fairly. I don't think this is an off the
wall ideal. But to each his own.

Hmmm. I had no idea there were only 2 networking companies, 1 database and
1 OS. =) With the rich competitive nature of the market I will continue to
support companies which conform to a baseline of ethical business practice
for all workers worldwide.

With deepest respect,
Joseph

Erik Haagsman <[EMAIL PROTECTED]> wrote:
On Fri, 2004-09-24 at 03:53, Joseph wrote:
> It's time for all American Tech workers to stand up and let our voices
> be heard.

Perhaps it's time instead to make sure you're good at what you do and try
to be on the forefront of tech, rather than whining about how all those bad
people from abroad are stealing your job. It's largely our own fault labour
pricing in large outsourcing countries like India are so low, and now it's
coming back to bite some of us.

> We as world citizens need to come to grips with the fact that we must
> compete with workers internationally but we should be doing so on a FAIR
> playing field.

Strangely people only start calling for a level, fair playing field when
they feel something's threatening their own little piece of the cake. If
most companies and governments we're happy to work for wouldn't have been
undermining