RE: Aggregation for IPv4-compatible IPv6 address space
You mean do you have to express it in hex? The original spec allowed both ways I believe... but just so you realize, this has been deprecated. Mostly 'cause people can't subnet. :) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snort bsd Sent: Sunday, February 03, 2008 11:10 PM To: nanog@merit.edu Subject: Aggregation for IPv4-compatible IPv6 address space Hi all: With IPv4-compatible IPv6 address space, could I aggregate the address space? say 192.168.0.0/16 become ::192.168/112? or It must be converted to native IPv6 address space? Just wondering,
RE: IPv6 questions
And unless you are on only certain particular devices (e.g. L3 switches) then the end device won't necessarily have any relevant clue what VLAN it's on. I have never seen/heard of an RFC for it either and would certainly wonder "WHY?". :) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Nordmark Sent: Tuesday, January 29, 2008 1:44 PM To: snort bsd Cc: nanog@merit.edu; juniper-nsp Subject: Re: IPv6 questions snort bsd wrote: > Never mind > > it is the VLAN number. But which RFC define this? I've never seen an IPv6 RFC specify to put the VLAN number in the link-local address. Thus this must be an (odd) choice made by some implementation. Perhaps the implementation somehow requires that all the link-local addresses for all its (sub)interfaces be unique, even though the RFCs assume that the implementation should be able to deal with multiple interfaces with the same link-local address. Erik > Thanks all > > Dave > > - Original Message > From: snort bsd <[EMAIL PROTECTED]> > To: nanog@merit.edu; juniper-nsp <[EMAIL PROTECTED]> > Sent: Monday, 28 January, 2008 3:05:59 PM > Subject: IPv6 questions > > > Hi All: > > With link-local IPv6 address, the converting from MAC-48 to EDU-64 > address format (FF FE stuffing). How does the VLAN tags affect the > conversion? > > With the rule of FF FE stuffing, I can see clearly work on the ptp > interfaces. But on those Ethernet based VLANs, it doesn't seem to > follow that pattern: > > Current address: 00:90:69:4a:b9:5d, Hardware address: > 00:90:69:4a:b9:5d > > well, i assume the link-local should be fe80::290:69ff:fe4a:b95d/64. > actually, it shows: > > Destination: fe80::/64, Local: fe80::290:6903:94a:b95d > > how does the router get this 03 09 instead of ff fe? > > Thanks all
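The "FF FE stuffing" asked about in the thread above, as an added example that is not part of the original posts: it derives the modified EUI-64 link-local address from the MAC quoted in the question, then compares it with the address the router actually showed. The function names are illustrative; the two addresses are the ones from the thread.

```python
import ipaddress

def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' (or with dashes) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)

def eui64_link_local(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    m = parse_mac(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def recover_mac(address):
    """Return the MAC embedded in an EUI-64 interface ID, or None if there is none.

    Anyone who sees such an address learns the hardware address, which is why
    this matters when link-local or SLAAC addresses end up in logs.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)

def compare_with_mac(mac, observed):
    """Show which parts of an observed interface ID come from the MAC."""
    m = parse_mac(mac)
    iid = ipaddress.IPv6Address(observed).packed[8:]
    outer = (iid[0] == m[0] ^ 0x02 and iid[1:3] == m[1:3] and iid[5:8] == m[3:6])
    return {
        "mac_bytes_match": outer,           # the six MAC-derived bytes are intact
        "middle_bytes": iid[3:5].hex(),     # 'fffe' for a standard EUI-64 ID
        "is_eui64": outer and iid[3:5] == b"\xff\xfe",
    }

if __name__ == "__main__":
    mac = "00:90:69:4a:b9:5d"                  # hardware address from the thread
    print(eui64_link_local(mac))               # what the poster expected
    print(compare_with_mac(mac, "fe80::290:6903:94a:b95d"))  # what the router showed
```

On the router's address the six MAC-derived bytes are intact and only the two filler bytes differ (03 09 in place of ff fe), which matches the poster's own finding that the implementation substituted its own value there.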
RE: Asymmetrical routing opinions/debate
Routing in general is based on the premise of "my decision, my control" and therefore you have some (albeit limited) controls about how YOU can influence someone else's routing decision. So any time you have more than one connection to the collective ('Net) then you simply run the risk of you make one decision to send a packet out a particular link, but a bunch of other people make decisions about routing as well and it may very well come back another path. Presumably you have your IP addressing as a constant. If you are NATting, you may have some interesting problems with this, but that would be a design problem on your end. Same with stateful firewalls. From an application viewpoint though, it really shouldn't make any difference. Packet goes out. Packet comes back. Life is good. In short though, you have some choices with this, but they are all design choices on your end. If you want to be multihomed, this is the way life is. HTH, Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver Sent: Monday, January 14, 2008 10:31 AM To: nanog@merit.edu Subject: Asymmetrical routing opinions/debate Pardon me if I am using the wrong term, I am using the term Asymmetrical routing to describe a scenario in which a request packet enters a network via one path and the response packet exits the network via a different path. For example an ICMP ping request enters a network via ISP A and the reply leaves via ISP B (due to multi-homing on both networks, and or some kind of manual or automatic 'tweaking' of route preferences on one end or the other). I haven't noticed too many instances of this causing huge performance problems, but I have noticed some, has anyone noticed any instances in the real world where this has actually caused performance gains over symmetrical routing? Also in a multi-homed environment is there any way to automatically limit or control the amount of Asymmetrical routing which takes place? (should you?) 
I have read a few papers [what few I could find] and they are conflicted about whether or not it is a real problem for performance of applications although I cannot see how it wouldn't be. Has there been any real community consensus on this issue published that I may have overlooked? Thank you, -Drew
RE: What's the real issue here?
My whois program returns: 97.81.31.19 Host unreachable 97.81.24.0 - 97.81.31.255 Charter Communications 12405 Powerscourt Dr. St. Louis MO 63131 United States IPAddressing +1-314-288-3889 [EMAIL PROTECTED] Abuse: +1-314-288-3111 [EMAIL PROTECTED] KNG-TN-97-81-24 Created: 2007-04-11 Updated: 2007-04-11 Source: whois.arin.net Perhaps a function of how lookups are being done? *shrug* Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of NetSecGuy Sent: Wednesday, September 19, 2007 10:29 AM To: nanog@merit.edu Subject: What's the real issue here? :~> whois 97.81.31.19 Unknown AS number or IP network. Please upgrade this program. Is this a function of whois hardcoded to not do lookups for this address space? I can't seem to find any info about the range, beyond "registered but unallocated". I figured whois would at least return something about it not being allocated. Is this hijacked space?
RE: IPv6 Training?
There are a few books out there that will give mention of IPv6 configurations, but most are vendor-specific as far as I have seen. Cisco and Juniper both have at least modules (if not full courses) on IPv6. Each is obviously not vendor-agnostic. Something could always be customized to cover whatever specifics you are looking to cover. What is the scope you are thinking of for your training? Would a multi-vendor concept be better for your needs rather than theory-only agnostic? Scott [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Rubenstein Sent: Thursday, May 31, 2007 12:32 PM To: NANOG Subject: IPv6 Training? Does anyone know of any good IPv6 training resources (classroom, or self-guided)? Looking to send several 1st and 2nd tier guys, for some platform/vendor-agnostic training. Any clues? Thanks.. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Question on 7.0.0.0/8
They could always configure destination-based NAT and perhaps "assist" by allocating 10/8 space for those networks if they so choose to reach them! (smirk) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph S D Yao Sent: Monday, April 16, 2007 7:13 PM To: [EMAIL PROTECTED] Cc: nanog@merit.edu Subject: Re: Question on 7.0.0.0/8 On Sun, Apr 15, 2007 at 11:25:58PM +0100, [EMAIL PROTECTED] wrote: ... > And I know a company that has been using 1/8, 2/8, 3/8, 4/8, 5/8, 6/8, > 7/8 and 8/8 for many years, also behind NAT or on non-Internet > connected networks. But that is not what I am talking about here. ... And what happens if the legitimate owners of those already allocated start advertising routes for them on the public Internet, or IANA decides to release some of those not already allocated? Those NATs, if single-NAT'ed, will find themselves unable to reach those resources. *sigh* In fact, I think I have seen some of those on the public Internet, I could be wrong. -- Joe Yao Analex Contractor
RE: IPv6 Finally gets off the ground
HAHAHAHAHA I always knew that this stuff was the most prevalent and billable content on the web, but I never thought of using it as a motivating factor for change! Good one! Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephane Bortzmeyer Sent: Tuesday, April 10, 2007 9:55 AM To: J. Oquendo Cc: nanog@merit.edu Subject: Re: IPv6 Finally gets off the ground On Sun, Apr 08, 2007 at 06:15:34PM -0500, J. Oquendo <[EMAIL PROTECTED]> wrote a message of 24 lines which said: > was successfully configured by NASA Glenn Research Center to use IPsec > and IPv6 technologies in space." Any human on board? Because he would have been able to access useful content: http://www.ipv6experiment.com/ The great chicken or the egg dilemma. IPv6 has had operating system and router support for years. But, content providers don't want to deploy it because there aren't enough potential viewers to make it worth the effort. There are concerns about compatibility and breaking IPv4 accessibility just by turning IPv6 on. ISPs don't want to provide IPv6 to end users until there is a killer app on IPv6 that will create demand for end users to actually want IPv6. There hasn't been any reason for end users to want IPv6 - nobody's dumb enough to put desirable content on IPv6 that isn't accessible on IPv4. Until now. We're taking 10 gigabytes of the most popular "adult entertainment" videos from one of the largest subscription websites on the internet, and giving away access to anyone who can connect to it via IPv6. No advertising, no subscriptions, no registration. If you access the site via IPv4, you get a primer on IPv6, instructions on how to set up IPv6 through your ISP, a list of ISPs that support IPv6 natively, and a discussion forum to share tips and troubleshooting. If you access the site via IPv6 you get instant access to "the goods".
RE: Cable-Tying with Waxed Twine
It's called cable lacing... And CO guys have done it forever. Looks really pretty, but it's a pain in the butt to do. :) And sucks if you have to rip a cable out to replace things. Other than that, check out: http://www.dairiki.org/hammond/cable-lacing-howto/ Cheers, Scott PS. A really good pair of flush cuts (wire snips, but not the "diamond-cut" ones) will help with the tie wraps too! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Mahoney, System Admin Sent: Wednesday, January 24, 2007 7:30 PM To: nanog@merit.edu Subject: Cable-Tying with Waxed Twine Hey all, This seems a wee bit off topic, but definitely relates to network operations (somewhere below layer 1) and I can't think of a better place to ask. Upon leaving a router at telx and asking one of their techs to plug in the equipment for me, I came back to find all my cat5 cables neatly tied with some sort of waxed twine, using an interesting looping knot pattern that repeated every six inches or so using a single piece of string. For some reason, I found this trick really cool. I have tried googling for the method, (it's apparently standard, I've seen it in play elsewhere), and for the type of twine, but had little luck. I was wondering if any of the gurus out there would care to share what this knot-pattern is actually called, and/or if there's a (illustrated) howto somewhere? -Dan "Tired of getting scratched up by jagged cable ties" Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
RE: http://cisco.com 403 Forbidden
Works fine for me. And a 403 Forbidden is a web server error, not a resolution error if I remember right. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Tancsa Sent: Wednesday, January 03, 2007 11:35 AM To: James Baldwin; [EMAIL PROTECTED] Subject: Re: http://cisco.com 403 Forbidden At 11:24 AM 1/3/2007, James Baldwin wrote: >Anyone else getting a 403 Forbidden when trying to access http:// cisco.com? Yes. Resolves to 198.133.219.25 for me. ---Mike
RE: Bogon Filter - Please check for 77/8 78/8 79/8
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself??? That seems to be the epitome of laziness vs. litigiousness. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, December 11, 2006 9:55 AM To: Jack Bates Cc: nanog@merit.edu Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8 On Mon, 11 Dec 2006, Jack Bates wrote: > > Allan Houston wrote: > > This probably isn't helped much by sites like completewhois.com > > still showing these ranges as bogons.. > > > > http://www.completewhois.com/bogons/active_bogons.htm > > > > They've ignored all my attempts to get them to update so far.. sigh.. > > > > They just need someone using the address space to slap them with a lawsuit.
RE: The Cidr Report
It sounds like government work! When something doesn't work, they just make numbers up! (Just be sure to create more plausible numbers next time! (smirk)) Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geoff Huston
Sent: Sunday, November 12, 2006 12:15 PM
To: Fergie; [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: The Cidr Report

When my zebra BGP daemon loses its grip on life and dies a horrible death the rest of the scripts wander into a strange twilight zone and make up numbers sorry (I really need to code more defensively for this type of condition!) geoff

At 04:56 AM 11/11/2006, Fergie wrote:
>Indeed -- it appears to have flaked out a bit this (IETF) week. :-)
>
>Date      Prefixes     CIDR Aggregated
>04-11-06  199323       129829
>05-11-06  199330       129854
>06-11-06  199273       129854
>07-11-06  -1077937252  129854
>08-11-06  -1077936760  129854
>09-11-06  672037797    129854
>10-11-06  -1077937324  129854
>11-11-06  134555024    129854
>
>- ferg
>
>-- Simon Leinen <[EMAIL PROTECTED]> wrote:
>
>cidr-report writes:
> > Recent Table History
> > Date      Prefixes   CIDR Agg
> > 03-11-06  199409     129843
>[...]
> > 10-11-06  134555024  129854
>
>Growth of the "global routing table" really picked up pace this week!
>(But maybe I'm just hallucinating for having heard the report from the
>IAB Routing Workshop report three times in a week :-) Or the CIDR
>Report software has an R200K problem?
>--
>Simon.
>
>--
>"Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
RE: Broadband ISPs taxed for "generating light energy"
But they clearly have too much time on their hands. Whodathunkit? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Suresh Ramasubramanian Sent: Tuesday, October 10, 2006 10:51 AM To: Fergie Cc: [EMAIL PROTECTED] Subject: Re: Broadband ISPs taxed for "generating light energy" On 10/10/06, Fergie <[EMAIL PROTECTED]> wrote: > Is it April 1st already? :-) > > - ferg > Sadly, I don't think taxmen ever had a sense of humor
RE: New Laptop Polices
Not that I have a whole lot to add (other than we're spending lots of time talking about something only affecting UK --:> US flights at this moment)... But I was intrigued by your latin there. "E-mail rest in peace? A cause does not create/allow action? " My memories from high school are a tad shady these days, but am I getting the general idea there? Definitely interesting. Caught my eye. ;) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laurence F. Sheldon, Jr. Sent: Sunday, August 13, 2006 6:35 PM To: nanog@merit.edu Subject: Re: New Laptop Polices joe mcguckin wrote: > Why not put critical or proprietary files on a flash key? I carry a > 4G flash key on my keyring. Airport security has never given it a > second look. If the laptop ends up in the hands of a sticky-fingered > baggage handler (or the TSA), there's nothing there for them to find. Recent reports said you were allowed to carry passport, medicines required for the trip, and one or two other items that did not include any metallic objects as I recall. > And, to defeat the nosey customs folk who now want to login and > rummage around your files when you enter the US, create a dummy > account and give them that login when they insist on inspecting your > laptop for "child porn". I've got nothing to hide, but I don't want > some ham handed idiot accidentally deleting stuff either... I wonder what they are trained to look for. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
RE: Presumed RF Interference
The isolated grounds are definitely a recommended idea for telco/server rooms... Perhaps an array of them depending on the size power feed we're talking about. I'm assuming it's a sizeable UPS that runs your telco and data equipment (or small server room). The irritation, if you haven't done this step already, is that adding a TRUE isolated ground after you've already built your building and room is not exactly a cheap thing to do. Especially in nice metal framed buildings that like to have a tendency of becoming the nearest path ground themselves. But I agree that it's certainly something as a worthwhile "first path" to look into! Scott PS. I agree it's not good business practice to kill your clients! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven M. Bellovin Sent: Sunday, March 05, 2006 6:21 PM To: [EMAIL PROTECTED] Cc: nanog@merit.edu Subject: Re: Presumed RF Interference On Sun, 5 Mar 2006 18:00:36 -0500 (EST) David Lesher <[EMAIL PROTECTED]> wrote: > > > Cut the ground wire in your power cords but ground the equipment > > directly to a metal frame. > > I would NEVER tell a client to do this. > That could easily kill someone. Correct. The safety purpose of the ground cord is to cause a short circuit in case line voltage energizes the case, in which case the breaker will trip. If you cut that wire, the metal frame can become hot; unless it's firmly grounded itself, there will be a potential between it and ground. Along comes the next well-grounded person to touch it -- poof! Even if the frame were grounded properly, that's a local ground, which may differ in potential from the breaker box's ground. The neutral wire in the circuit is tied to ground at the breaker box, which means there could be a potential difference between it and the frame. That also creates a potential shock hazard, though presumably not that great. What might be useful -- ask an EE, not me -- is a circuit with an isolated ground. 
In that case, the ground wire from the power plug is routed all the way back to the breaker panel, and isn't connected to, say, the local electrical box that the cord is plugged into. I've seen computer equipment wired that way in the past.
RE: keeping the routing table in check: step 1
So while this may look nice and sound good and all that, I hate to ask the obvious question... Who is going to obtain the authority and/or balls to take everyone's currently allocated IP addresses away and start over? Perhaps I missed something in an earlier discussion, but this to me sounds like a very nice, very academic "Hm" thought process. Unfortunately reformatting the Internet is a little more painful than reformatting your hard drive when it gets out of whack. I guess my question is, what's the point of asking this question now? Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward B. DREGER Sent: Wednesday, February 15, 2006 10:48 PM To: nanog@merit.edu Subject: keeping the routing table in check: step 1 Hopefully this thread will be quick and less convoluted. Rather than simply alluding to "one prefix per ASN", I'd like to detail an allocation scheme that works toward that. Find the largest contiguous block. Split in half. Round to appropriate boundary. Assign. Space at the end of the block is reserved for expansion. Ignoring special subnets for simplicity: 0/x, 128/x, 64/x, 192/x, 32/x, 96/x, 160/x, 224/x, 16/x, 48/x, 80/x, 112/x, 144/x, 176/x, 208/x assuming all grow at equal rates. 96/x ends up growing quickly? No problem. Skip 112/x for the time being. In short, allocate IP space logarithmically. Start with /1 alignment, proceed to /2, then /3, and so on. Keep the array as sparse as possible so an assignment can be extended without hitting, say, a stride 4 boundary. Perhaps RIRs should look at filesystems for some hints. Imagine a filesystem that's 30% full yet has as much fragmentation as IPv4 space. Something is wrong. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. 
- http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
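The allocation order proposed in the quoted message above, as an added example that is not part of the original posts: it generates the 0, 128, 64, 192, ... sequence by repeated halving and shows the "skip 112 if 96 has grown" behaviour. Treating the space as 256 abstract units and sizing each assignment at 16 units are assumptions made for the illustration; the message leaves the prefix lengths as "/x".

```python
def bisection_order(levels, space=256):
    """Start offsets in the order the scheme hands them out.

    Level k adds the odd multiples of space / 2**k, i.e. the midpoints of the
    gaps left by the previous levels, so assignments stay as far apart as possible.
    """
    order = [0]
    for k in range(1, levels + 1):
        step = space >> k
        order.extend(range(step, space, 2 * step))
    return order

class SparseAllocator:
    """Hands out blocks in bisection order and lets existing blocks grow upward."""

    def __init__(self, space=256, levels=8):
        self.space = space
        self._candidates = iter(bisection_order(levels, space))
        self.extent = {}                      # start offset -> current size

    def _overlaps(self, start, size, ignore=None):
        return any(s != ignore and start < s + n and s < start + size
                   for s, n in self.extent.items())

    def allocate(self, size):
        # Simplification: a skipped candidate is not revisited later.
        for start in self._candidates:
            if not self._overlaps(start, size):
                self.extent[start] = size
                return start
        raise RuntimeError("no free slot left at this granularity")

    def grow(self, start, new_size):
        """Extend a block in place; refuse if it would run into a neighbour."""
        if start + new_size > self.space or self._overlaps(start, new_size, ignore=start):
            return False
        self.extent[start] = new_size
        return True

    def headroom(self, start):
        """Units between this block's start and the next assigned start."""
        later = [s for s in self.extent if s > start]
        return (min(later) if later else self.space) - start

if __name__ == "__main__":
    alloc = SparseAllocator()
    print([alloc.allocate(16) for _ in range(8)])   # first three levels
    print(alloc.headroom(96))                       # room before hitting 128
    alloc.grow(96, 32)                              # 96 "grows quickly"
    print([alloc.allocate(16) for _ in range(4)])   # 112 is skipped
```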
RE: T1 bonding
I'm re-reading it, and slowly, but I don't see mention of having two different vendors. Perhaps I need to put the beer a bit further away, but he talks about generic vendor 'x' and notes that it starts with letter 'A' as further definition, not as two separate vendors. *shrug* Scott -Original Message- From: Elijah Savage [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 24, 2006 8:20 PM To: [EMAIL PROTECTED] Cc: 'Matt Bazan'; nanog@merit.edu Subject: Re: T1 bonding -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Scott Morris wrote: > If you're treating them as two separate links (e.g. two POPs, etc.) > then that's correct, it'll be done by the routers choice of load-balancing (L3). > If you are going to the same POP (or box potentially) you can do MLPPP > and have a more effective L2 load balancing. > > Otherwise, it's possible to get an iMux DSU (Digital Link is a vendor > as I recall, but there may be others) that allow that magical bonding > to occur prior to the router seeing the link. At that point, the > router just sees a bigger line coming in (some do 6xT-1 and have a > 10meg ethernet output to your router). > > If you're seeing the balancing the way that you are, most likely that > vendor (I have no specific knowledge about the A-vendor) is doing > usage-based aggregation which isn't exactly a balancing act. The ones > at some of my sites are MLPPP which is a vendor-agnostic approach for the most part. > > Scott > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Elijah Savage > Sent: Tuesday, January 24, 2006 7:28 PM > To: Matt Bazan > Cc: nanog@merit.edu > Subject: Re: T1 bonding > > > Matt Bazan wrote: >>> Can someone shed some technical light on the details of how two T1's >>> are bonded (typically). We've got two sets of T's at two different >>> location with vendor 'X' (name starts w/ an 'A') and it appears that >>> we're really only getting about 1 full T's worth of bandwidth and >>> maybe 20% of the second. 
>>> >>> Seems like they're bonded perhaps using destination IP? It's a >>> vendor managed solution and I need to get some answers faster than >>> they're coming in. Thanks. >>> >>> Matt >>> > More than likely they are not bonded t1's they are just load balanced > by the router which by default on Cisco is per session. Meaning pc1 to > t1#1, pc2 to t1#2, pc3 to t1#1. If they are truly bonded with some sort > of MUX for a 3 meg port then you would not see the results you are seeing. > > -- > http://www.digitalrage.org/ > The Information Technology News Center Remember he said both t1's are coming from different vendors, which would only leave the Mux route which is why I said what I said :) -- http://www.digitalrage.org/ The Information Technology News Center
RE: T1 bonding
If you're treating them as two separate links (e.g. two POPs, etc.) then that's correct, it'll be done by the router's choice of load-balancing (L3). If you are going to the same POP (or box potentially) you can do MLPPP and have a more effective L2 load balancing. Otherwise, it's possible to get an iMux DSU (Digital Link is a vendor as I recall, but there may be others) that allow that magical bonding to occur prior to the router seeing the link. At that point, the router just sees a bigger line coming in (some do 6xT-1 and have a 10meg ethernet output to your router). If you're seeing the balancing the way that you are, most likely that vendor (I have no specific knowledge about the A-vendor) is doing usage-based aggregation which isn't exactly a balancing act. The ones at some of my sites are MLPPP which is a vendor-agnostic approach for the most part. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elijah Savage Sent: Tuesday, January 24, 2006 7:28 PM To: Matt Bazan Cc: nanog@merit.edu Subject: Re: T1 bonding Matt Bazan wrote: > Can someone shed some technical light on the details of how two T1's > are bonded (typically). We've got two sets of T's at two different > location with vendor 'X' (name starts w/ an 'A') and it appears that > we're really only getting about 1 full T's worth of bandwidth and > maybe 20% of the second. > > Seems like they're bonded perhaps using destination IP? It's a vendor > managed solution and I need to get some answers faster than they're > coming in. Thanks. > > Matt > More than likely they are not bonded t1's they are just load balanced by the router which by default on Cisco is per session. Meaning pc1 to t1#1, pc2 to t1#2, pc3 to t1#1. If they are truly bonded with some sort of MUX for a 3 meg port then you would not see the results you are seeing. -- http://www.digitalrage.org/ The Information Technology News Center
RE: Cisco, haven't we learned anything? (technician reset)
Many products have default STARTING passwords. Whose fault is it that someone can't figure out that it's not real bright if they don't change it? The hidden ones are more an issue (with static passwords as opposed to generated ones). Scott PS. If your briefcase still uses as the combination, I have no sympathy for your missing items... ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jared Mauch Sent: Thursday, January 12, 2006 12:39 PM To: Rob Thomas Cc: NANOG Subject: Re: Cisco, haven't we learned anything? (technician reset) On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote: > > Hi, Matthew. > > ] Cisco Router and Security Device Manager (SDM) is installed on this device. > ] This feature requires the one-time use of the username "cisco" > ] with the password "cisco". > > Interesting. Is it limited to one-time use? Are the network login > services (SSH, telnet, et al.) prevented from using this login and > password? I know the AP350 comes with a default Cisco/Cisco account.. (as opposed to doing a nvram/config clear and it only lets you login on console). problem is with cisco each product group controls how they ship their system, so the Aironet teams don't quite seem to get this IMHO. That doesn't mean your 76k/GSR/CRS-1 will have Cisco/Cisco, but your aironet products sure may. - jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: Infected list
Irregardless of that, I always thought the whole point of a DDoS attack was quantity of hosts, not relying on quality of connection. I thought we were theorizing anyway. ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florian Weimer Sent: Monday, December 26, 2005 2:47 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; nanog@merit.edu Subject: Re: Infected list * Scott Morris: > Not to mention that many IP's may be set to one device, yet there are > multiple things NAT'd behind it. Are there any devices which perform non-static NAT and can forward significant DoS traffic? 8-) Perhaps if it's just a single flow, but this kind of DoS traffic would be rather unusual.
RE: Infected list
Not to mention that many IP's may be set to one device, yet there are multiple things NAT'd behind it. Perhaps they're even non-related folks. Do we go after the ISP, the smaller ISP, the Starbucks WiFi hotspot (example), or the user with the compromised laptop that plugged in at whatever time that was??? Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Cox Sent: Monday, December 26, 2005 12:24 PM To: nanog@merit.edu Subject: Re: Infected list On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <[EMAIL PROTECTED]> wrote: > Here is Barrett's list, including and sorted by ASN. And even that won't be sufficient for many networks to take action. A lot of people provide lists of the IPs that spam/attack/etc them, but do not provide the actual time. Since many "consumer" networks are running DHCP, they will have no way to know which of their many customers using the claimed IP on the day in question was actually an attacker, and so they will almost certainly ignore such a report. To get action, lists of compromised (etc) systems NEED to include: Date/Time (preferably UTC), exact IP (as hostnames can have multiple A-records) and AS number. -- Richard
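Why a report needs the date/time in UTC, the exact IP and the AS number, as an added example that is not part of the original posts: it resolves abuse reports against a DHCP lease history and shows a report without a usable timestamp matching every customer who held the address. The one-line report format, the lease table and the customer names are constructed for the illustration; the addresses and AS number come from documentation ranges.

```python
from datetime import datetime, timezone
import ipaddress

# Constructed DHCP lease history: (address, customer, lease start, lease end), all UTC.
LEASES = [
    ("192.0.2.17", "cust-A", "2005-12-25T00:00:00+00:00", "2005-12-25T12:00:00+00:00"),
    ("192.0.2.17", "cust-B", "2005-12-25T12:00:00+00:00", "2005-12-26T00:00:00+00:00"),
    ("192.0.2.17", "cust-C", "2005-12-26T00:00:00+00:00", "2005-12-26T12:00:00+00:00"),
    ("192.0.2.40", "cust-D", "2005-12-25T00:00:00+00:00", "2005-12-27T00:00:00+00:00"),
]

def parse_report(line):
    """Parse 'TIMESTAMP IP ASnnnn' in any order and list what is missing.

    A timestamp without a UTC offset is treated as missing: the receiving
    network cannot know which time zone the reporter's clock was in.
    """
    report = {"time": None, "ip": None, "asn": None}
    for field in line.split():
        if field.upper().startswith("AS") and field[2:].isdigit():
            report["asn"] = int(field[2:])
            continue
        try:
            report["ip"] = ipaddress.ip_address(field)
            continue
        except ValueError:
            pass
        try:
            stamp = datetime.fromisoformat(field)
        except ValueError:
            continue
        if stamp.tzinfo is not None:
            report["time"] = stamp.astimezone(timezone.utc)
    report["missing"] = [k for k in ("time", "ip", "asn") if report[k] is None]
    return report

def candidates(report, leases=LEASES):
    """Customers who could be the reported host, given what the report contains."""
    if report["ip"] is None:
        return []
    held = [(cust, datetime.fromisoformat(start), datetime.fromisoformat(end))
            for ip, cust, start, end in leases
            if ipaddress.ip_address(ip) == report["ip"]]
    if report["time"] is None:
        return [cust for cust, _, _ in held]          # ambiguous: everyone who held it
    return [cust for cust, start, end in held if start <= report["time"] < end]

if __name__ == "__main__":
    for line in ("2005-12-25T19:30:00-06:00 192.0.2.17 AS64500",   # complete
                 "2005-12-25T19:30:00 192.0.2.17 AS64500",         # no offset
                 "192.0.2.17"):                                    # bare IP
        r = parse_report(line)
        print(line, "->", candidates(r), "missing:", r["missing"])
```

The first sample also shows why the offset matters: 19:30 at -06:00 is 01:30 UTC the next day, which falls in a different lease than the same clock reading taken as UTC would.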
RE: QoS for ADSL customers
There was a 3.0 PDLM release on 11/1/05 for Bittorrent traffic. See http://www.cisco.com/cgi-bin/tablebuild.pl/pdlm Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ejay Hire Sent: Thursday, December 01, 2005 8:41 AM To: 'Kim Onnel' Cc: 'NANGO' Subject: RE: QoS for ADSL customers I got an off-list reply about using Nbar, but I've never seen a class map that would match torrent. -e > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Kim Onnel > Sent: Thursday, December 01, 2005 7:12 AM > To: Ejay Hire > Cc: NANGO > Subject: Re: QoS for ADSL customers > > Our ADSL customers traffic is 3 OC3 worth of traffic, I don't > think our management would buy the idea. > > thanks > > > On 12/1/05, Ejay Hire <[EMAIL PROTECTED]> wrote: > > Hello. > > Going back to your original question, how to keep from > saturating the network with residential users using > bittorrent/edonkey et al, while suffocating business > customers. Here goes. > > Netfilter/IpTables (and a slew of commercial products I'm > sure) has a Layer 7 traffic classifier, meaning it can > identify specific file transfer applications and set a > DiffServ bit. This means it can tell between a real http > request and a edonkey transfer, even if they are both using > http. It also has rate-limiting capability. So... If you > pass all of the traffic destined for your DSL customers > through an iptables box (single point of failure) then you > can classify and rate-limit the downstream rate on a > per-application basis. > > Fwiw, if you are using diffserv bits, you could push the > rate-limits down to the router with a qos policy in it > instead of doing it all in the iptables box. > > References on this.. 
The netfilter website (for > classification info) and the Linux advanced router tools > (LART) (qos info/rate limiting) > > -e > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On > > Behalf Of Kim Onnel > > Sent: Thursday, December 01, 2005 3:26 AM > > To: NANGO > > Subject: Re: QoS for ADSL customers > > > > Can any one please suggest to me any commercial or none > > solution to cap the download stream traffic, our upstream > > will not receive marked traffic from us, so what can be > done ? > > > > > > On 11/29/05, Kim Onnel <[EMAIL PROTECTED]> wrote: > > > > Hello everyone, > > > > We have Juniper ERX as BRAS for ADSL, its GigE > > interface is on an old Cisco 3508 switch with an old IOS, > its > > gateway to the internet is a 7609, our transit internet > links > > terminate on GigaE, Flexwan on the 7600 > > > > The links are now almost always fully utilized, we > want > > to do some QoS to cap our ADSL downstream, to give room > for > > the Corp. customers traffic to flow without pain. > > > > I'm here to collect ideas, comments, advises and > > experiences for such situations. > > > > Our humble approach was to collect some p2p ports > and > > police traffic to these ports, but the traffic wasn't much, > > > one other thing is rate-limiting per ADSL customers IPs, > but > > that wasn't supported by management, so we thought of > matching > > ADSL www traffic and doing exceed action is transmit, and > > police other IP traffic. > > > > Doing so on the ERX wasn't a nice experience, so > we're > > trying to do it on the cisco. > > > > Thanks
RE: paypal down!
It appears they're really down. I just tried 'em, and the IP address that comes back really does resolve to Ebay's holdings. Or someone scammed a whole /19 to make the whole thing up, in which case I have to hand it to 'em! Compromising one host is dandy, but a whole netblock is pretty damned festive!

(AS11643 is reporting it, which again appears to be correct)

Perhaps it is what it is and they're having karma problems.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Day
Sent: Tuesday, November 15, 2005 10:58 PM
To: Hannigan, Martin
Cc: nanog@merit.edu
Subject: Re: paypal down!

On Nov 15, 2005, at 9:45 PM, Hannigan, Martin wrote:

>>> www.paypal.com
>>>
>>> Internal Server Error
>>>
>>> The server encountered an internal error or misconfiguration and was unable to complete your request.
>>>
>>> Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
>>>
>>> More information about this error may be available in the server error log.
>>
>> Works for me. Same BS splash advertising that always comes up. Damn that is annoying.
>>
>
> Yes, but it *is* up. Same here. Probably one of the rotation web servers had an issue or something minor.
>

Or there's a chance that you've got a trojan/malware install on the computer.

I had someone contact me the other day with a nearly identical complaint, "Why have PayPal and eBay been down all day?" They were alternately getting a 404 or 503 for those sites, but everything else worked.

Their hosts file had entries for ebay, google, a number of banks, common phishing targets. Even more fun was when I deleted the hosts file, after his next reboot it pulled an updated hosts file with new working IPs from somewhere.

I'm guessing the malware phishers don't have a five-nines array of redundant proxies yet. :)
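The hosts-file tampering described in the message above can be checked for mechanically. The following is an added example, not part of the original thread: it parses a hosts file and reports every static entry that overrides a watched brand domain. The watch list, the sample file and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Assumption: a watch list of domains that should only ever resolve via DNS.
# paypal/ebay/google are the brands named in the message; the bank is made up.
WATCHED = ("paypal.com", "ebay.com", "google.com", "examplebank.test")

# Constructed sample hosts file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      www.paypal.com paypal.com   # static override
192.0.2.11      signin.ebay.com
198.51.100.7    intranet.corp.example
0.0.0.0         ads.tracker.example
127.0.0.1       www.google.com
not-an-ip       www.ebay.com
"""


def parse_hosts(text):
    """Yield (line number, ip, [hostnames]) for each well-formed entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])
        except ValueError:
            continue                              # resolvers ignore these too
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname, watched=WATCHED):
    """True when hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line, hostname, ip, kind) for every watched-domain override.

    kind is "redirected" when the name points at a routable address (traffic
    goes to someone else's server) and "blocked" when it points at loopback
    or 0.0.0.0 (the site simply appears to be down).
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if not is_watched(name, watched):
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((lineno, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Because the message notes the file was rewritten after a reboot, a clean result is only meaningful if the check is repeated after restart.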
RE: IPv6 news
The problem with that (and many premises) is that we need to remember these arguments and foreseen "problems" were all dreamed up 10 or so years ago. The status of everyone's network, everyone's business needs and everyone's network design (and capabilities) were drastically different that long ago.

It's a solution that made sense for far different reasons when it was created than it makes sense for now.

*shrug*

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie
Sent: Sunday, October 16, 2005 12:08 AM
To: nanog@merit.edu
Subject: Re: IPv6 news

[EMAIL PROTECTED] (David Conrad) writes:

> On Oct 15, 2005, at 3:27 PM, Tony Li wrote:
> > When we explored site multihoming (not rehoming) in the ways that you seem to suggest, it was effectively a set of coordinated NAT boxes around the periphery of the site. That was rejected quite quickly.
>
> What were the reasons for rejection?

i wasn't there for that meeting. but when similar things were proposed at other meetings, somebody always said "no! we have to have end-to-end, and if we'd wanted nat-around-every-net we'd've stuck with IPv4."

--
Paul Vixie
RE: UNITED.COM (United Airlines) has been down for days! Any info on this?
Works fine for me. *shrug*

www.ual.com also forwards appropriately.

Scott

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Palmer
Sent: Thursday, September 01, 2005 1:55 PM
To: nanog@merit.edu
Subject: UNITED.COM (United Airlines) has been down for days! Any info on this?

The United Airlines website appears to be down and has been down for days. Is this a network issue or are they out of business??
RE: Rip again!
How about the source IP?

RIP v1 is sent to 255.255.255.255 broadcast. RIPv2 is sent to 224.0.0.9 multicast. Both are local-link only, so won't go THROUGH a router. The sending source IP will tell you where they came from.

If you're using VLANs (trunks), there won't be any issues. If you're using secondary addresses, this will depend on whose devices you use. In the Cisco world, packets will always be sourced from the primary IP address on an interface. And if the receiving router doesn't have a subnet matching the sender, packets/updates are ignored. (Again, Cisco world you can use "no validate-update-source" to override this check)

But that gives you a tracking method on packets.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Sanders
Sent: Sunday, August 21, 2005 12:13 PM
To: [EMAIL PROTECTED]
Subject: Rip again!

Hi,

There isn't IMO a way in RIP to identify the source of the RIP packet (the way we have Router ID in OSPF, system ID in ISIS, etc.)

Now assume we have 2 vlans defined on an ethernet. Thus we would have two IP interfaces, 1.1.1.1/24 and 2.2.2.2/24 and both using the same physical interface. RIP is running on both these interfaces.

My doubt is that how will another router, which is configured in the same way (2 vlans) be able to differentiate between the RIP responses originated by 1.1.1.1 and 2.2.2.2?

Thanks,
Toms
RE: Tags
Tags are simply a way to mark the routes. Typically people will do it if they have multiple redistribution points (or if someone tells them to set a tag).

Depending on the complexity of the network, tags are used for many different reasons, but those are all "internal" reasons to a company unless you have a relationship and reason to exchange RIP with your customer (MPLS VPN?).

If you are seeing this on VRF customers, would you have any reason to be concerned about it? The VRF should keep things separate from the rest of your network. If you aren't running a VRF, why do you have RIP enabled on the edge interface to see these things anyway? (e.g. why do you care?)

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Sanders
Sent: Friday, August 19, 2005 5:34 AM
To: [EMAIL PROTECTED]
Subject: Tags

Hi,

I know RIP is outdated and IETF doesn't support it anymore. Knowing this I couldn't think of a more appropriate place to post this query:

I keep seeing RIP packets with a tag field filled with some non zero number. Any clues on why this is happening? I know that the border routers were meant to use this to fill their AS numbers there, but is there any vendor that really uses this. Moreover, does it make any sense now in doing so.

Thanks,
Tom
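The two RIP messages above ("Rip again!" and "Tags") both come down to what a receiver can read from an update: the IP source address, the per-version destination, and the route tag field in each RIPv2 entry. The following added example is not part of the original thread. It decodes a RIP payload, maps the sender to the connected subnet it arrived from (no match means the update would be ignored, as the first message describes) and lists routes carrying a non-zero tag. The neighbor addresses, tag value and prefixes are constructed, and only the 1.1.1.1/24 and 2.2.2.2/24 interfaces come from the thread.

```python
import ipaddress
import struct

# Per-version destination address, as stated in the message above.
RIP_DEST = {1: "255.255.255.255", 2: "224.0.0.9"}


def parse_rip(payload):
    """Decode a RIP UDP payload into (command, version, route entries)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIP payload must be a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    routes = []
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, _nhop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi != 2:              # 2 = IP; 0xFFFF marks a RIPv2 authentication entry
            continue
        routes.append({
            "address": str(ipaddress.IPv4Address(addr)),
            "mask": str(ipaddress.IPv4Address(mask)),   # all zero in RIPv1
            "tag": tag,                                 # route tag, zero in RIPv1
            "metric": metric,
        })
    return command, version, routes


def receiving_interface(src, interfaces):
    """Return the interface whose connected subnet contains src, else None."""
    src = ipaddress.ip_address(src)
    for name, cidr in interfaces.items():
        if src in ipaddress.ip_interface(cidr).network:
            return name
    return None                   # no matching subnet: update is ignored


def inspect_update(src, dst, payload, interfaces):
    """Summarise one received update for tracking purposes."""
    _command, version, routes = parse_rip(payload)
    return {
        "version": version,
        "dest_matches_version": RIP_DEST.get(version) == dst,
        "interface": receiving_interface(src, interfaces),
        "tagged": [(r["address"], r["tag"]) for r in routes if r["tag"]],
    }


def build_response(version, routes):
    """Constructed helper: pack a RIP response (command 2) for the sample."""
    out = struct.pack("!BBH", 2, version, 0)
    for address, mask, tag, metric in routes:
        out += struct.pack("!HH4s4s4sI", 2, tag,
                           ipaddress.IPv4Address(address).packed,
                           ipaddress.IPv4Address(mask).packed,
                           bytes(4), metric)
    return out


# Receiver configured as in the question: two VLAN interfaces on one port.
LOCAL_INTERFACES = {"vlan10": "1.1.1.1/24", "vlan20": "2.2.2.2/24"}

# Constructed RIPv2 response: one route tagged 65001, one untagged.
SAMPLE_V2 = build_response(2, [
    ("10.20.0.0", "255.255.0.0", 65001, 3),
    ("10.30.0.0", "255.255.0.0", 0, 1),
])

if __name__ == "__main__":
    for sender in ("1.1.1.2", "2.2.2.1", "3.3.3.3"):   # constructed neighbors
        print(sender, inspect_update(sender, "224.0.0.9", SAMPLE_V2, LOCAL_INTERFACES))
```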
RE: OT: Cisco.com password reset.
No, it means that the password scheme of whatever the web-site uses to allow access or not is not directly a Cisco product.

It means it's something that could happen to anyone. One could have a great network of great products and all it takes is one small door to remain open someplace in a seemingly unrelated issue to bring down the house.

Bummer on the IOS download part, but that would be crappy timing, not necessarily a correlation!

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Adams
Sent: Wednesday, August 03, 2005 10:23 AM
To: nanog@merit.edu
Subject: Re: OT: Cisco.com password reset.

Once upon a time, Jared Mauch <[EMAIL PROTECTED]> said:
> From the Cisco website:
>
> IMPORTANT NOTICE:
> * This incident does not appear to be due to a weakness in Cisco products or technologies.

Does this mean that CCO is not a Cisco product or technology? Odd that lots of people are trying to download new IOS images and then CCO locks them out.

--
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
RE: Cisco.com password reset.
I think just about everyone's got reset. Internal and external folks from what I've heard. *shrug*

On the other hand, people aren't usually good about resetting passwords, so that's one way to mitigate problems. :)

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Blanchard
Sent: Wednesday, August 03, 2005 9:41 AM
To: nanog@merit.edu
Subject: OT: Cisco.com password reset.

FYI

I got an email that my CCO account's password was reset last night. Not sure how widespread this issue was, but I called my account contact and verified that this is a valid email, and that my password needed to be reset.

Just a heads up.

-Joe Blanchard
RE: More info on the Exploit from Black Hat conference
Based on some pictures from http://tomsnetworking.com/Sections-article131.php I would agree with you that they were edited.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Florian Weimer
Sent: Saturday, July 30, 2005 1:42 AM
To: Brad Knowles
Cc: NANOG
Subject: Re: More info on the Exploit from Black Hat conference

* Brad Knowles:

> This makes me a little suspicious that the slides we have are not the real ones.

The dates embedded in the PDF file indeed suggest that they were edited afterwards.
RE: Cisco IOS Exploit Cover Up
And quite honestly, we can probably be pretty safe in assuming they will not be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other exploits) or SSH (even other exploits) on that box. :) (the 1601 or the 2500's)

But, in the advisory that Cisco put out, it did mention free software upgrades were available even to non-contract customers. They simply had to originate from a call to TAC about it. Doesn't seem too bad.

Not everyone has to worry about these things. Place and time.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barak
Sent: Friday, July 29, 2005 2:52 PM
To: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up

--- John Forrister <[EMAIL PROTECTED]> wrote:

> Indeed - Cisco's hardware, especially the older, smaller boxes, tended to be really solid once you got them running. I was just pondering a few minutes ago on how many 2500's I configured & installed in 1996 & 1997 are still running today, on code that's no longer supported by Cisco, and which are incapable of taking enough flash to load a newer image.

As a definite example, A client of mine has a 1601 sitting on the end of a T1 running 11.3... They're not interested in spending any money on an upgrade, as the box is doing exactly what they want: running RIP internally, and taking Ethernet-in and Serial-out.

-David
RE: Cisco IOS Exploit Cover Up
Bear in mind though that when the M$ SQL Slammer worm hit everyone, the same attitude existed. The patch had been available for months. People knew about the vulnerability and it wasn't anything "new". And yet, look how much havoc was created there.

It's always the "potential" stuff that scares people more. While I do think it's obnoxious to try to censor someone, on the other hand if they have proprietary internal information somehow that they aren't supposed to have to begin with, I don't think it is in security's best interest to commit a crime in order to get tighter security.

Is this the technical version of civil disobedience?

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Baldwin
Sent: Thursday, July 28, 2005 9:24 AM
To: Neil J.McRae
Cc: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up

On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:

> I couldn't disagree more. Cisco are trying to control the situation as best they can so that they can deploy the needed fixes before the $scriptkiddies start having their fun. It's no different to how any other vendor handles an exploit and I'm surprised to see network operators having such an attitude.
>

That's part of the issue: this wasn't an exploit in the sense of something a $scriptkiddie could exploit. The sheer technical requirements of the exploit itself ensure that it will only be reproduced by a small number of people across the globe. There was no source or proof of concept code released and duplicating the information would only provide you a method to increase the severity of other potential exploits. It does not create any new exploits.

Moreover, the fix for this was already released and you have not been able to download a vulnerable version of the software for months however there was no indication from Cisco regarding the severity of the required upgrade. That is to say, they knew in April that arbitrary code execution was possible on routers, they had it fixed by May, and we're hearing about it now and if Cisco had its way we might still not be hearing about it.

How many network engineers knew there was a potential problem of this magnitude at the beginning of May? If, knock on wood, someone had released this code into the wild then how many networks who have been vulnerable despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is interesting to note that Cisco and ISS considered the information to be "not quite complete." This is especially interesting since the research was done weeks ago according to the researcher. It's surprising that such a decision as to the incompleteness of the presentation and the retraction of Cisco's support for the presentation were withdrawn only several days before the talk. It would lead me to believe that both companies had less interest in a "process of disclosure and communication" and more with burying this information for a year or more.

I agree with everyone that making attack tools and exploit information available to the public prior to a fix being generated with the vendor is a poor method of encouraging good security, however that is far from the case in this matter. A fix had been generated with the vendor and it was time that the information to become public so network operators understood that the remote execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259
RE: Fundamental changes to Internet architecture
But he DID make it more feasible and useful. And he DID throw thousands of them away! ;)

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay R. Ashworth
Sent: Sunday, July 03, 2005 10:07 PM
To: nanog@merit.edu
Subject: Re: Fundamental changes to Internet architecture

On Sun, Jul 03, 2005 at 02:08:39PM -0700, Joel Jaeggli wrote:
> On Sun, 3 Jul 2005, J.D. Falk wrote:
> > On 07/03/05, "Jay R. Ashworth" <[EMAIL PROTECTED]> wrote:
> >> How do we *know* there are no fundamentally new great concepts ... unless we *try a lot of stuff*.
> >
> > Trying stuff is good -- until something's tried, none of us can really know what it'll do. At what point do entirely off-network experiments become on-topic for nanog? (I doubt anyone has an easy answer, I just wanted to throw the question out there.)
> >
> >> How many light bulbs did Edison throw away?
>
> edison didn't invent the light bulb...

So he didn't. And me a regular Wikipedian...

Cheers,
-- jra
--
Jay R. Ashworth  [EMAIL PROTECTED]
Designer, Ashworth & Associates, St Petersburg FL USA
Internetworking | Best Practices Wiki | RFC 2100 | '87 e24
http://bestpractices.wikicities.com  +1 727 647 1274

If you can read this... thank a system administrator. Or two. --me
RE: OMB: IPv6 by June 2008
Heheheh... But see, wasn't that one of the whole theories behind the "aggregation" schemes built into the allocation of IPv6 address?

Come now... Because we have deployed it today in a manner where that's not possible doesn't make it a "rule" per se. Is this theory any different than simply filtering the multiple allocations denoted as RIPE or APNIC allocated IPv6 chunks? I'd think not. *shrug*

You're reading way too many politics into this, but not seeing the designs of IPv6 in the same light. SSDP. (Same Different Protocol)

Scott

-----Original Message-----
From: Andre Oppermann [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 5:27 PM
To: [EMAIL PROTECTED]
Cc: 'Fergie (Paul Ferguson)'; [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: OMB: IPv6 by June 2008

Scott Morris wrote:
> We could have been much better served adding 3-bits at the beginning. Effectively giving a full IP v4 space to every continent (even Antarctica) and having an extra one for the extra-terrestrial working group. ;)
>
> And it would have given us real geographic-based filtering capabilities at the same time without any major changes to everything we have worked so hard to get to the level of insanity where we are today.
>
> *shrug* Simple things often get overlooked.

bzzzt... You just described a rule #1 violation; IP addresses are routable entities and thus by definition unsuitable for any kind of geo-location.

Rule #2 would be that IP addresses do (and must) not encode routing information, they just serve to transport data. All routing information is carried on the routing layer and applied to the forwarding layer from there.

When do people learn that these layers do not intermix just like water and oil do not? I guess the only lesson history teaches us is that it doesn't.

--
Andre
RE: OMB: IPv6 by June 2008
We could have been much better served adding 3-bits at the beginning. Effectively giving a full IP v4 space to every continent (even Antarctica) and having an extra one for the extra-terrestrial working group. ;)

And it would have given us real geographic-based filtering capabilities at the same time without any major changes to everything we have worked so hard to get to the level of insanity where we are today.

*shrug* Simple things often get overlooked.

Notice though that the deadline in the US terms is squarely inside the "next guy's term". ;) Things that make you go "Hmmm..."

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fergie (Paul Ferguson)
Sent: Thursday, June 30, 2005 4:37 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: OMB: IPv6 by June 2008

The author of the TechWeb article wrote those words extolling "improved security measures", not me, dude. :-)

I stated explicitly that all of the "new features" lauded by v6 proponents have effectively been retro-fitted to v4, thereby negating almost every v6 migration argument, with the exception of a larger host address pool.

Equally dumbfounded in v4-land,

- ferg

-- "Christopher L. Morrow" <[EMAIL PROTECTED]> wrote:

>over the current IPv4 technology. Among the additional advantages of IPv6 are improved security measures and additional links for wireless devices.
>

which 'security measures' are included in ipv6? which additional links for wireless devices? This keeps coming up in each discussion about v6, 'what security measures' is never really defined in any real sense. As near as I can tell its level of 'security' is no better (and probably worse at the outset, for the implementations not the protocol itself) than v4.

I could be wrong, but I'm just not seeing any 'inherent security' in v6, and selling it that way is just a bad plan.

-dazed and confused in ipv4-land.

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
RE: Internet Attack Called Broad and Long Lasting by Investigators
Closing people's systems down from "any" other software installations isn't necessarily the solution. It can delay progress in many cases, and not everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan the system for things like that and alert/remove it. That kind of requirement at least gives flexibility and a good kick in the butt to implement good assessment tools at the PC or network level.

All it takes is one user outside the "norm" to mess up LOTS of work and policies trying to keep things right!

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Weeks
Sent: Tuesday, May 10, 2005 2:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Internet Attack Called Broad and Long Lasting by Investigators

Even though this article wasn't specifically regarding network operations, it does come down to the most fundamental of network operating practices. Create policies and the procedures that enable those policies. Then enforce them VERY strictly.

The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse

In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse

Folks that handle sensitive info (proprietary code, personal info, HIPAA, FERPA, SOX, .mil, etc, etc) should be allowed to download software only from company servers where all software has been cleared by folks that're experts in evaluating software packages. Not from the general internet.

scott
RE: Getting a BGP table in to a lab
Forget part of my reply here... I thought someone was posting from the CCIE forum stuff I do. So disregard the lack-of-caffeine-induced, retarded command about no router being able to support a full feed. :)

My apologies

Zebra is still a good idea though!

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Morris
Sent: Wednesday, April 20, 2005 8:42 PM
To: 'Nathan Ward'; nanog@merit.edu
Subject: RE: Getting a BGP table in to a lab

None of the routers that are tested in the lab are capable of supporting a full BGP feed

If you just want to play with BGP stuff, you can use Zebra (unix) or go to www.nantech.com and get their BGP4WIN program. That may help you a bit more.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Ward
Sent: Wednesday, April 20, 2005 8:35 PM
To: nanog@merit.edu
Subject: Getting a BGP table in to a lab

I'm trying to come up with a way to get a full BGP routing table in to my lab. I'm not really fussed about keeping it up to date, so a snapshot is fine.

At the moment, I'm thinking about spending a few hours hacking together a BGP daemon in perl to peer with and record a table from a production router, disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

--
Nathan Ward
RE: Getting a BGP table in to a lab
None of the routers that are tested in the lab are capable of supporting a full BGP feed

If you just want to play with BGP stuff, you can use Zebra (unix) or go to www.nantech.com and get their BGP4WIN program. That may help you a bit more.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Ward
Sent: Wednesday, April 20, 2005 8:35 PM
To: nanog@merit.edu
Subject: Getting a BGP table in to a lab

I'm trying to come up with a way to get a full BGP routing table in to my lab. I'm not really fussed about keeping it up to date, so a snapshot is fine.

At the moment, I'm thinking about spending a few hours hacking together a BGP daemon in perl to peer with and record a table from a production router, disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

--
Nathan Ward
RE: More on Vonage service disruptions...
Actually, many of the EMTAs in the cable world derive AC power from the coax... Powered inline just like all the amps are. At least the ones that hang outside your house...

But with the Vonage idea of stuff inside your house that can't be done... Old federal laws about the concept that the electric company is the only one who can deliver power into your house.

Scott

-----Original Message-----
From: Deleskie, Jim [mailto:[EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:47 PM
To: 'Christopher Woodfield'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'John Levine'; [EMAIL PROTECTED]
Subject: RE: More on Vonage service disruptions...

There are EMTAs cable modems with VoIP ATA's that have 4 hr battery in the market already.

-Jim

-----Original Message-----
From: Christopher Woodfield [mailto:[EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:46 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'John Levine'; [EMAIL PROTECTED]
Subject: Re: More on Vonage service disruptions...

This does bring up a hardware design question...I'm wondering how difficult of an engineering/marketing problem it would be to design VoIP adapters with built-in backup batteries. How does the power consumption profile of a VoIP adapter compare to, say, a cellphone? What would this add to the cost of the device, and how long could the battery last?

-C

On Mar 3, 2005, at 10:25 PM, Scott Morris wrote:

>
> Perhaps it varies by state, but I thought part of the E-911 service regulations was that if you were offering (charging) for it, you had to offer it as "lifeline" service which meant it had to survive power outage.
> *shrug*
>
> I guess the original regs weren't written with these things in mind!
>
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Levine
> Sent: Thursday, March 03, 2005 9:17 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: More on Vonage service disruptions...
>
>> There was actually a story in USA Today a couple of days ago where a family tried calling 911 on their VoIP service during a burglary only to be told by a recorded message that they must "dial 911 from another phone"...
>
> I was surprised to see on Packet8's web site that they now offer E911 in a lot of places. You have to have a local phone number and pay an extra $1.50/mo. They remind you that if your power goes out, your phone still won't work, but if you can call 911, it'll be a real 911 call.
>
> This still has little to do with port blocking, but a lot to do with the whole question of what level of service people are paying for vs. what level they think they are paying for.
>
> Regards,
> John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
> "I dropped the toothpaste", said Tom, crestfallenly.
RE: More on Vonage service disruptions...
Perhaps it varies by state, but I thought part of the E-911 service regulations was that if you were offering (charging) for it, you had to offer it as "lifeline" service which meant it had to survive power outage. *shrug*

I guess the original regs weren't written with these things in mind!

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Levine
Sent: Thursday, March 03, 2005 9:17 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: More on Vonage service disruptions...

>There was actually a story in USA Today a couple of days ago where a family tried calling 911 on their VoIP service during a burglary only to be told by a recorded message that they must "dial 911 from another phone"...

I was surprised to see on Packet8's web site that they now offer E911 in a lot of places. You have to have a local phone number and pay an extra $1.50/mo. They remind you that if your power goes out, your phone still won't work, but if you can call 911, it'll be a real 911 call.

This still has little to do with port blocking, but a lot to do with the whole question of what level of service people are paying for vs. what level they think they are paying for.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
RE: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)
As much as it pains me to say, I'm sure there is a little difference when it comes to some of the big domains.

1. It doesn't take any rocket scientist to sit back and say "U... I really don't think this is a legit move" without a lot of thinking!

2. If a lawyer for AOL or MS or some really big company sent a letter saying something about if you don't change this back in the next 30 seconds or we will destroy your company, it would be more believable!

Unfortunately, size does matter. :)

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Petra Zeidler
Sent: Sunday, January 16, 2005 6:28 AM
To: nanog@merit.edu
Subject: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)

Hi,

Thus wrote Alexei Roudnev ([EMAIL PROTECTED]):

> What happen if someone stole 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until this sleeping behemoths wake up, set up a meeting (in Tuesday I believe - because Monday is a holiday), make any decision, open a ticket, pass thru change control and restore domain? 5 days?

I remember that in a similar case in .de several larger ISPs put the previous ('correct') zone on their resolvers. Would
a) people here feel that is an appropriate measure for this case
b) do it on their resolvers
c) the panix.com people want that to happen in the first place?

regards,
Petra Zeidler
RE: New Computer? Six Steps to Safer Surfing
So when the majority of people begin using a different operating system, is there some reason that the majority of virus-writers or other malcontents wouldn't focus on the flaws there? Or are we stuck in this little bubble thinking that unix REALLY is THAT secure?

Perhaps it is, but my viewpoint is that it's really shortsighted to make this assumption. Just because it hasn't happened yet doesn't mean that it can't. Wolves go where the sheep are plentiful and less protected. As they get hungry, they'll go other places. :)

Just my two cents.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew S. Hallacy
Sent: Sunday, December 19, 2004 7:37 AM
To: Sean Donelan; [EMAIL PROTECTED]
Subject: Re: New Computer? Six Steps to Safer Surfing

On Sat, Dec 18, 2004 at 09:14:30PM -0500, Sean Donelan wrote:
>
> I wouldn't rely on software firewalls. At the same store you buy your computer, also buy a hardware firewall. Hopefully soon the motherboard and NIC manufacturers will start including built-in hardware firewalls. But sometimes, such as dialup modems, software firewalls are the only alternative.

Hopefully soon people will start running operating systems, web browsers, and email clients where they have no need for a "personal firewall". (Or, with luck, certain vendors will fix their buggy software)

--
Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203
RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]
Because then the specificity of the routes would become less relevant. If you have two highways available to you, then it's 6 of one and half dozen of another. You could care less which way you go.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Iljitsch van Beijnum
Sent: Tuesday, November 30, 2004 7:01 PM
To: [EMAIL PROTECTED]
Cc: 'NANOG list'
Subject: Re: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]

On 30-nov-04, at 23:32, Scott Morris wrote:

> At large NAP points (the higher order ISP's) this may make some sense because of the ubiquity of larger scale lines.

Why would geographical aggregation need bigger lines?
RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]
I'm well aware that BGP is link speed agnostic. That makes it even more important (or less "not important"?) when looking at moving towards a geographical routing concept. If everything were equal, as I noted, then geographical would make perfect sense. But it isn't, so it doesn't. :) At large NAP points (the higher order ISP's) this may make some sense because of the ubiquity of larger scale lines. Throughout the entire bgp structure though, this doesn't make as much sense. The flip side, of course, is that you rely on the higher-level ISPs to do some serious policy upkeep. This hasn't seemed to help much so far, and of course, as the lower-tier ISPs or large-scale enterprises become multihomed, we still lose out on what is being bantered. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Iljitsch van Beijnum Sent: Tuesday, November 30, 2004 2:55 PM To: NANOG list Subject: Re: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda] On 30-nov-04, at 16:29, Scott Morris wrote: > In the interconnected world, geography is very much irrelevant to best > path routing. It's all about speeds and feeds where a local-access > T-1 is obviously not preferable to a cross-country OC-3. I have a very hard time seeing this as a realistic example in interdomain routing. BGP has no idea about link speeds. I've seen many occasions where BGP selects a path that is inferior because all the paths cross the same number of ASes and that's the extent of BGP's knowledge. When looking at a small scale, you're right that network topology and geography are very different. For instance, I live in The Hague, which is in a very small country very close to a major international fiber hub (Amsterdam). This means that it's almost impossible for me to reach someone else in The Hague (or the world, for that matter) without going through Amsterdam. 
If you look at Holland as a whole, the picture is very different: the vast majority of traffic between any two points within the country stays within the country. If you look at a Western-European scale, there is almost no traffic that leaves the region. And in 10 years, I've never seen any traffic between two points in Holland go through Africa, Asia or South America. This means that with geographic aggregation in effect, 90% of Dutch more specific routing information can be aggregated away elsewhere in Europe, 98% in North America and (possibly) 100% elsewhere in the world. Yes, there will always be exceptions. When you have a million entries in the routing table, you don't worry about the 3 special cases as long as you can get the 97 simple cases right. Another misconception: the aggregation doesn't have to line up with the fiber. If London needs two aggregates because one half is in the western hemisphere and the other half is in the eastern hemisphere, who cares? And it gets even better when you consider that an ISP will carry all of its customer routes everywhere anyway: there is no need for two peers to agree where the routing information for a certain geographic area is exchanged: peer A simply listens for the information in the location that it finds most suitable, and so does peer B. There is no requirement for this to happen in the same location, or in the "target area" itself.
RE: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda]
In the interconnected world, geography is very much irrelevant to best path routing. It's all about speeds and feeds where a local-access T-1 is obviously not preferable to a cross-country OC-3. Sounds nice on paper, but isn't really where things are at these days. Now on the other hand if bandwidth were unlimited and we all had great super-duper links between every ISP regardless of tier, THEN geographical routing would make sense. Whether you have 16 or more geographical locations doesn't necessarily equate to geographic routing. It's still longest prefix match which may be interrupted by misconfigured filters, or other circumstances. This is what happens when we try to borrow ideas from the 40-50-year-old telecom world and how basic call-routing worked in a TDM environment. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 30, 2004 9:28 AM To: [EMAIL PROTECTED] Subject: Sensible geographical addressing [Was: 16 vs 32 bit ASNs yadda, yadda] > Anything that takes geography into the routing is plain and simple > broken. Then why do major American providers require peers to be in 16 or more geographic locations? Why do people aggregate addresses geographically in their networks? It can't all be broken.
RE: Sensible geographical addressing
3 bits as a prefix would work perfectly fine IMHO. This gives us an entire 32-bit space PER CONTINENT. As I noted before I don't think the penguins really need that many IPs in Antarctica, but that could always be set aside. In addition, there's an extra set (only 7 continents at last count) for extra-terrestrial expansion or other needs. And, that gives the ability to filter entire continents out if necessary. The country code (ITU) isn't really a bad idea either, but I'm just thinking less overall binary bits. Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barak Sent: Tuesday, November 30, 2004 9:58 AM To: [EMAIL PROTECTED] Subject: Re: Sensible geographical addressing --- [EMAIL PROTECTED] wrote: > 10 years ago we didn't have the RIR system in place to help us with > geographic addressing. Today we do. Now you might be able to convince > me that we could achieve similar goals by putting together route > registries, RIRs and some magic pixie dust. > As far as I'm concerned, geographical route aggregation is necessary > for the v6 network to scale. It will happen, the only question is how > we solve the problem. > What exactly would be so bad about taking a page from the PSTN and using a country-code-like system? There are under 200 countries on the whole planet, so that's not a huge number of bits... David Barak -fully RFC 1925 compliant-
RE: size of the routing table is a big deal, especially in IPv6
You make it sound like the politics involved in a regulatory/governed setting are different than those involved in a commercial setting. In the end, it's all about economics. I think the UN has enough trouble managing the things it attempts to manage right now. Don't let them try to be technical too! We should have looked at IPv4 and simply added three bits as a prefix to denote continent. Giving lots of IPs in lots of different areas. Of course, then we'd argue about how the IPs for Antarctica would get allocated. And then there would be the one leftover set, presumably for outer space. Just in case the United Federation of Planets ever needed to worry about IP address allocation. Gotta plan ahead, right? Same basic problems we've always had, just changing the scale to reflect the times. Technology isn't much different than any other economic/social history in that matter. :) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Li Sent: Monday, November 29, 2004 11:14 PM In the decentralized world of the Internet, we have a bigger problem in that we do not have a clear entity that impose the necessary regulatory pressures and there is no commercial pressure. All we can do is to ask people to be good Internet citizens and to act locally for the global good. The challenge, of course, is that this is in almost no one's immediate best interest. My preferred solution at this point is for the UN to take over management of the entire Internet and for them to issue a policy of one prefix per country. This will have all sorts of nasty downsides for national providers and folks that care about optimal routing, but it's the only way that I can see that will allow the Internet to continue to operate over the long term. Tony
RE: Stupid Ipv6
While the concept of classes has changed, I'm not so sure that I agree with the complaint here... Everything I've seen about the multi TLA/SLA concepts always seem to leave 64 bits at the end for the actual host address, so it would be a logical step at that point to have the ASICs spun so that 64 bits was the limit for routing tables. Perhaps I have had the same assumption/misunderstanding that the programmer guys have had then?!?!? Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Saturday, November 20, 2004 9:56 PM To: Kevin Oberman Cc: [EMAIL PROTECTED]; Lars Erik Gullerud; Stephen Sprunk; North American Noise and Off-topic Gripes Subject: Re: Stupid Ipv6 > Just to introduce a touch of practicality to this discussion, it might > be worth noting that Cisco and Juniper took the RFC stating that the > smallest subnet assignments would be a /64 seriously and the ASICs > only route on 64 bits. I suspect that they influenced the spec in this > area as expending them to 128 bits would have been rather expensive. darn... and we fought so hard last time we had to expunge classful addressing asics/hardware in the late 1990s. looks like it crept back into vendor gear. IPv6 was -never- supposed to be classful. --bill
RE: [nanog] RE: Stupid Ipv6 question...
Very true... But if we are assuming that the ISP isn't the end customer who may receive an allocation, then who really is the "consumer"? One has to wonder how much time was spent drunk underneath chairs and/or mattresses to come up with a rule like that! Scott -Original Message- From: Dan Mahoney, System Admin [mailto:[EMAIL PROTECTED] Sent: Friday, November 19, 2004 2:12 PM To: Scott Morris Cc: 'Kevin Loch'; [EMAIL PROTECTED] Subject: Re: [nanog] RE: Stupid Ipv6 question... On Fri, 19 Nov 2004, Scott Morris wrote: No, nobody ever reads that tag. It says "not to be removed except by the consumer". Which with at least one severely drunk friend of mine, has meant that if you remove it, you have to eat it :) -Dan > > Does that mean if we rip them off that we may be prosecuted? > > ;) > > Scott > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Kevin Loch > Sent: Friday, November 19, 2004 1:41 PM > To: [EMAIL PROTECTED] > Subject: Re: Stupid Ipv6 question... > > > Leo Bicknell wrote: > >> With the exception of auto-configuration, I have yet to see any >> IPv6 gear that cares about prefix length. Configuring a /1 to a >> /128 seems to work just fine. If anyone knows of gear imposing >> narrower limits on what can be configured I'd be fascinated to know >> about them. >> > > 64 bit prefixes are the mattress tags of IPv6 interfaces. > > -- > Kevin Loch > > -- "We need another cat. This one's retarded." -Cali, March 8, 2003 (3:43 AM) Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
RE: Stupid Ipv6 question...
Does that mean if we rip them off that we may be prosecuted? ;) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Loch Sent: Friday, November 19, 2004 1:41 PM To: [EMAIL PROTECTED] Subject: Re: Stupid Ipv6 question... Leo Bicknell wrote: > With the exception of auto-configuration, I have yet to see any > IPv6 gear that cares about prefix length. Configuring a /1 to a > /128 seems to work just fine. If anyone knows of gear imposing > narrower limits on what can be configured I'd be fascinated to know > about them. > 64 bit prefixes are the mattress tags of IPv6 interfaces. -- Kevin Loch
RE: How to Blocking VoIP ( H.323) ?
Tcp/1719 is part of the H323 Gatekeeper default ports (which can be changed) Tcp/1720 is the H.225 call setup port, and I haven't heard of this being a configurable port. HTH, Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP Telephony Support Specialist, IP Telephony Design Specialist, CISSP CCSI #21903 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Shen Sent: Thursday, November 11, 2004 6:40 AM To: NANGO Subject: How to Blocking VoIP ( H.323) ? Hi, How could it be done to block VoIP at access router? I've thought about using ACL to block UDP port 1719,but this could be overcome by modifying protocol port number. regards Joe
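The port-independence problem raised in the exchange above, as an added example that is not part of the original messages: it goes beyond the thread's port discussion and recognises H.225 call signalling by its TPKT and Q.931 framing rather than by port, then lists where a rule that only matches tcp/1720 would be wrong. The flow tuples, addresses and payload bytes are constructed for illustration, and all function names are hypothetical.

```python
import struct

H225_DEFAULT_PORT = 1720  # H.225 call setup port named in the thread

# Q.931 message types carried in H.225.0 call signalling
Q931_TYPES = {
    0x01: "ALERTING",
    0x02: "CALL PROCEEDING",
    0x05: "SETUP",
    0x07: "CONNECT",
    0x5A: "RELEASE COMPLETE",
}


def tpkt_wrap(body: bytes) -> bytes:
    """Prefix a body with a TPKT header: version 3, reserved 0, total length."""
    return b"\x03\x00" + struct.pack("!H", len(body) + 4) + body


def parse_h225(payload: bytes):
    """Return the Q.931 message name if the first TCP payload bytes look like
    H.225.0 call signalling (TPKT header followed by Q.931), else None."""
    if len(payload) < 4:
        return None
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    if version != 3 or reserved != 0:
        return None
    # Shortest useful frame: 4 (TPKT) + discriminator + CR length + type.
    if length < 7 or length > len(payload):
        return None
    q931 = payload[4:length]
    if q931[0] != 0x08:            # Q.931 protocol discriminator
        return None                # e.g. RDP also uses TPKT but fails here
    cr_len = q931[1] & 0x0F        # call reference length in octets
    if len(q931) < 2 + cr_len + 1:
        return None
    return Q931_TYPES.get(q931[2 + cr_len])


def classify(dst_port: int, payload: bytes) -> str:
    """Combine the port with the payload verdict for one flow."""
    is_h225 = parse_h225(payload) is not None
    if is_h225 and dst_port == H225_DEFAULT_PORT:
        return "h225-default-port"
    if is_h225:
        return "h225-nonstandard-port"
    if dst_port == H225_DEFAULT_PORT:
        return "port-1720-not-h225"
    return "other"


def port_only_errors(flows):
    """Return (missed, overblocked) source addresses for a tcp/1720-only rule."""
    missed, overblocked = [], []
    for src, dst_port, payload in flows:
        verdict = classify(dst_port, payload)
        if verdict == "h225-nonstandard-port":
            missed.append(src)        # H.225 that the port rule lets through
        elif verdict == "port-1720-not-h225":
            overblocked.append(src)   # non-H.225 traffic the port rule drops
    return missed, overblocked


# Constructed sample data: first payload bytes of five TCP flows.
SETUP = tpkt_wrap(bytes.fromhex("0802123405" "04038893a5"))   # Q.931 SETUP
RDP = tpkt_wrap(bytes.fromhex("0ee00000000000"))              # TPKT + X.224
HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS = bytes.fromhex("160301002f0100002b0303")

SAMPLE_FLOWS = [
    ("10.0.0.5", 1720, SETUP),
    ("10.0.0.6", 8443, SETUP),
    ("10.0.0.7", 1720, HTTP),
    ("10.0.0.8", 3389, RDP),
    ("10.0.0.9", 443, TLS),
]

if __name__ == "__main__":
    for src, port, data in SAMPLE_FLOWS:
        print(src, port, classify(port, data), parse_h225(data))
    print(port_only_errors(SAMPLE_FLOWS))
```

The check only looks at the first segment of a flow and treats a TPKT length longer than the captured bytes as no match, so a signalling message split across segments needs stream reassembly first.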
RE: Okay, I'm just going to _assume_...
We see it all the time... It's called "percussive maintenance" !!! It's actually Step 4 in TAC's escalation procedures! (smirk) Scott -Original Message- From: Chris Moody [mailto:[EMAIL PROTECTED] Sent: Monday, October 25, 2004 12:40 AM To: Scott Morris Cc: 'Martin J. Levy'; 'Brian Wallingford'; 'Bill Woodcock'; [EMAIL PROTECTED] Subject: RE: Okay, I'm just going to _assume_... ok, sorry for the double post...but LMFAO The router is broken and he KICKS IT to get it up again!! -C On Fri, 22 Oct 2004, Scott Morris wrote: > > I want the MP3 of the theme song to the game! ;) > > Scott > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Martin J. Levy > Sent: Friday, October 22, 2004 1:17 AM > To: 'Brian Wallingford'; 'Bill Woodcock' > Cc: [EMAIL PROTECTED] > Subject: RE: Okay, I'm just going to _assume_... > > > One word of advice... Don't skip the intro. "I'm a hacker and I steal > data from the Internet". I love the parachutes (it somewhat reminds > me of a Woody Allen movie, but that's another story). > > I want a QoS rocket > > Martin > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Brian Wallingford > Sent: Thursday, October 21, 2004 9:53 PM > To: Bill Woodcock > Cc: [EMAIL PROTECTED] > Subject: Re: Okay, I'm just going to _assume_... > > > It's official - pigs are aloft, the forecast for Hell is freezing > rain, the Sox have nearly broken the Curse (and will... :), and Cisco > has taken over Looney Tunes. The end is near. > > No, no operational content... Did John Chambers have an aneurysm recently? > > On Thu, 21 Oct 2004, Bill Woodcock wrote: > > : > :...that there's some operational content somewhere in here: > : > :http://www.cisco.com/edu/peterpacket/ > : > :...though I'm on kind of a slow link, so I'm still looking. My > eternal :thanks to Suresh for finding this. My day is complete. > : > :-Bill > >
RE: Okay, I'm just going to _assume_...
I want the MP3 of the theme song to the game! ;) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin J. Levy Sent: Friday, October 22, 2004 1:17 AM To: 'Brian Wallingford'; 'Bill Woodcock' Cc: [EMAIL PROTECTED] Subject: RE: Okay, I'm just going to _assume_... One word of advice... Don't skip the intro. "I'm a hacker and I steal data from the Internet". I love the parachutes (it somewhat reminds me of a Woody Allen movie, but that's another story). I want a QoS rocket Martin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Wallingford Sent: Thursday, October 21, 2004 9:53 PM To: Bill Woodcock Cc: [EMAIL PROTECTED] Subject: Re: Okay, I'm just going to _assume_... It's official - pigs are aloft, the forecast for Hell is freezing rain, the Sox have nearly broken the Curse (and will... :), and Cisco has taken over Looney Tunes. The end is near. No, no operational content... Did John Chambers have an aneurysm recently? On Thu, 21 Oct 2004, Bill Woodcock wrote: : :...that there's some operational content somewhere in here: : :http://www.cisco.com/edu/peterpacket/ : :...though I'm on kind of a slow link, so I'm still looking. My eternal :thanks to Suresh for finding this. My day is complete. : :-Bill
RE: Another one bites the dust
Yeah, I noticed the different sender when I went back. (ah well...) Need more caffeine today. :) (Although it's hard to drink with the hole left by the fishhook) Scott -Original Message- From: D'Arcy J.M. Cain [mailto:[EMAIL PROTECTED] Sent: Thursday, October 14, 2004 2:05 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Another one bites the dust On Thu, 14 Oct 2004 13:26:55 -0400 "Scott Morris" <[EMAIL PROTECTED]> wrote: > Bear in mind, I apparently haven't paid attention or noticed any of > his past behavior that may have warranted this. But it seems equally > counter-productive to the operation of the list for what he did as > what you did in order to let him know that. Better have a professional remove that fishhook from your cheek. :-) -- D'Arcy J.M. Cain <[EMAIL PROTECTED]> | Democracy is three wolves http://www.druid.net/darcy/| and a sheep voting on +1 416 425 1212 (DoD#0082)(eNTP) | what's for dinner.
RE: Another one bites the dust
Now perhaps this is a little off, but given the logic that you suggest his mention of He Who Had a Short Mustache might be offensive (by merely mentioning the name)... Aren't you therefore guilty of the same offensive violation? Gratuitous mentioning does imply that there is a context, and the context is something that would/should/could become offensive. *shrug* Seems odd. Humor is good occasionally. Oblique and non-meritorious censorship, however, is not. Bear in mind, I apparently haven't paid attention or noticed any of his past behavior that may have warranted this. But it seems equally counter-productive to the operation of the list for what he did as what you did in order to let him know that. IMHO, Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Husan Sarris Sent: Thursday, October 14, 2004 1:03 PM To: [EMAIL PROTECTED] Subject: Another one bites the dust Stephen - although you have often been a valuable contributor to the NANOG list, you received your "last warning" about list AUP violations last spring. Because of your non-operational post below, and your gratuitous mention of Hitler, which could be offensive to some, we have removed your posting privileges from the NANOG list for a period of four months. Please refer to the AUP: http://www.nanog.org/aup.html Susan Harris, Ph.D. Merit Network/Univ. of Mich. On Wed, 13 Oct 2004, Stephen J. Wilcox wrote: > > On Wed, 13 Oct 2004, Christian Malo wrote: > > > FREE RICHARD > > Of course my understanding of revoking posting privileges is that you > can't post to the list.. not you are imprisoned in the merit dungeons, > I think that punishment is reserved for Bandy/Husan/etc > > However I do like some humor being injected onto the list, so long as > the SNR doesn't diminish too much it can help to inject some life > in between the 'paging bob smith' / 'anyone help me configure bgp' / path mtu / urpf cyclical debates.. 
> actually we've not had Hitler discussed for a while, perhaps I can > start a thread... ooops > > Steve
RE: House Toughens Spyware Penalties
Oh, how festive. Anyone got that "Bill (Gates) Blocker" filter ready? :) Left to their own devices, congressmen should NOT be allowed to write bills about things they don't understand. Well... Ok, that's too restrictive. No bills would ever get written. We'll still see the same problems coming from the same non-US places where it isn't exactly feasible to prosecute. But it made someone someplace feel better, I'm sure! Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicole Sent: Friday, October 08, 2004 4:33 PM To: [EMAIL PROTECTED] Subject: FW: House Toughens Spyware Penalties It all reads ok until the latter part... shudder... Nicole -FW: <[EMAIL PROTECTED]>- Date: Fri, 08 Oct 2004 16:00:53 -0400 Sender: [EMAIL PROTECTED] From: cybercrime-alerts <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: House Toughens Spyware Penalties October 8, 2004 House Toughens Spyware Penalties http://www.internetnews.com/bus-news/article.php/3419211 For the second time in three days, the U.S. House of Representatives has passed an anti-spyware bill, this time adding criminal penalties to tough civil provisions of legislation passed on Tuesday. The Internet Spyware Prevention Act of 2004 (H.R. 4661), which passed on a 415-0 vote Thursday, makes it a crime to intentionally access a computer without authorization or to intentionally exceed authorized access. If the unauthorized intrusion is to further another federal crime such as secretly accessing personal data, the penalty is up to five years in prison. Deliberately injuring or defrauding a person or damaging a computer through the unauthorized installation of spyware carry prison terms of up to two years. The legislation also authorizes $10 million for the Department of Justice to combat spyware and phishing scams, although the bill does not specifically make phishing a crime. 
"By imposing criminal penalties on these bad actors, this legislation will help deter the use of spyware, and will thus help protect consumers from these aggressive attacks," Rep. Bob Goodlatte (R-VA), the bill's author, said in a statement. "At the same time, the legislation leaves the door open for innovative technology developments to continue to combat spyware programs." Tuesday night, the House passed legislation prohibiting unfair or deceptive practices related to spyware. The bill, known as the Spy Act (H.R. 2929), also requires an opt-in notice and consent form for legal software that collects personally identifiable information from consumers. The penalties in H.R. 2929 are limited to civil fines of up to $3 million. Both bills now go to the Senate, which has pending legislation similar to the House bills. House Energy and Commerce Committee Chairman Joe Barton (R-Texas) said earlier this week he thought the two chambers could agree on a spyware bill before lawmakers adjourn on Friday or Saturday. "[We've] seen several egregious examples of spyware being used in ways that most Americans would think clearly ought to be criminal," Ari Schwartz, associate director of the Center for Democracy and Technology, said in another statement. "The bill will help make sure there are strong deterrents to using spyware to defraud or injure consumers." The two House bills are supported by a broad array of trade groups, including the U.S. Chamber of Commerce and the Business Software Alliance (BSA). "This anti-spyware legislation ensures that criminal penalties are imposed upon those persons who aim to harm innocent Internet users via spyware applications," said Robert Holleyman, president and CEO of the BSA. Dell, eBay, Microsoft, Time Warner, Yahoo and Earthlink endorsed the Tuesday legislation. 
They did so after exemptions were added to the bill for network monitoring for security purposes, technical support or repair, or the detection or prevention of fraudulent activities. The bill also permits computer software providers to interact with a user's computer without notice and consent in order to determine whether the computer user is authorized to use the software upon initialization of the software or an update of the software. "Every day thousands of unsuspecting Americans have their identities hijacked by a new breed of cyber criminals because of spyware. People whose identities have been stolen can spend months or years -- and much of their hard-earned money -- trying to restore their good name and credit record. This legislation will help prevent bad things from happening to good names," Rep. Lamar Smith (R-Texas) said. -- Articles distributed for the purposes of education, discussion and review. Archives and Subscription Updates: http://cybercrime.theMezz.com Guestbook: http://guestbook.theMezz.com PGP Key: http://pgp.theMezz.com --End of forwarded message---
RE: Cisco moves even more to china.
You can't logically, in the same e-mail talk about Cisco wanting to dominate a new/growing market (e.g. would account for new jobs, new stuff, new monies previously unseen) and then talk about Bush (or whomever) getting money from this and not caring therefore screwing US workers. If it's a new market, nobody is getting screwed. There are certainly no rules saying that every sale that Cisco (or any other US-based company) makes must flow through American hands. That would be absurd. If it were growing or supplementing existing business in the US where they deliberately go in and lay off US workers in order to bring on workers in other countries, then THAT is the part where you may be upset about this. Outsourcing may indeed be a problem in some aspects and some industries, but (IMHO) THIS particular announcement about playing by the necessary political rules and seeking to establish a firm hold in a new/growing market doesn't even come close to the issues that you seem to be complaining about. So please, if you're going to try to bring politics into the thread and blame it on whoever (which the particular administration really has nothing to impact this one way or the other) then stick with some semblance of logic that follows all the way through. Personally, I don't like the concept of certain types of outsourcing where jobs are indeed lost to save a buck or two. But I think that too many people go off the "logical deep-end" on what items fall into this category and soon we are looking at McCarthy's tactics for deciding the conforming or non-conforming which is not a good idea. Someone in a previous e-mail mentioned someone's law about annihilating this thread. While I don't know whose law that was I hope whatever it is takes effect soon because the sky really is not falling. 
Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henry Linneweh Sent: Saturday, September 25, 2004 1:42 PM To: Alexei Roudnev; Paul Jakma; Robin Lynn Frank Cc: [EMAIL PROTECTED] Subject: Re: Cisco moves even more to china. The only event that is driving this, is Cisco wants to dominate the Chinese market and the only way to sell in China is to manufacture product there, using their people to manufacture, that is how the game is played there and for the Chinese it makes sense, considering the government there has around 1.3 billion people to care for. The lack of understanding here is that Americans need to be cared for too, with an economy that provides us with a sense of financial security. The problem centers around jobs now being promoted for political purposes as jobs, when you focus on these jobs, you will discover they are not living wage jobs and certainly not jobs that provide for intelligent people staffing them. The other issue that fits into this problem, is the Bush administration gets $1.12 for every dollar earned offshore from any product, so it basically doesn't care, since it keeps the US government solvent, while the rest of us get flushed down the tubes. Making matters worse is the fact, that executives that support the Bush administration with outsourcing offshore, are financial rewards and tax incentives that make it attractive to do so. If you don't like the politics of what is happening to you change it in November and work to turn our country around and preserve our friendships globally in the process. My 2 cents -henry
RE: Cisco moves even more to china.
Without getting into the entire conceptual argument about capitalism in general and why some semi-sane economic decisions are made... What is it that makes you think that boycotting a company (particularly one the size or deployment of Cisco and/or Juniper) would make someone say "oh, I'm sorry, it looks like we made a bad decision in saving some money"??? Now, let's also go back and look at the original post. Cisco is putting in what? $32 million. In the grand scheme of things, just what kind of impact do you really believe this is going to have? Committing to training people in another country is not a commitment to abandon jobs elsewhere. Look at the economics of how much the Chinese market is growing. Or should we handle all of that extra work in supporting that country's expanding market with jobs already here in the US (or wherever). Oh wait, don't many US folks already complain about the down-, right-, left-, some-direction-sizing that's going on and how overworked they may be? There are SOME areas where the outsourcing may hit a chord, and everyone is always welcome to their soapbox. I just don't think it really applies to the particulars that were announced here, and certainly not to this level. As ANY good job-seeker should realize, it's all about economics. So make yourself a more marketable or valuable person than others. Whether through certifications (not starting this war) or experiences or the ability to demonstrate business prowess along with technical skills... But where do we draw the line? Almost ANY electronics company uses non-American parts. Many clothing manufacturers use off-shore assembly. Everyone is entitled to desire purchasing locally-produced goods only, but at the same time it's hard to justify complaining about how much more expensive some of those items may be! It's everywhere. As long as there are options, it'll never change. 
We see the shift now because of the ease of travel and shipping and ubiquitous communications (oh damn, that means we're in an industry that may have helped this "evil" trend). It's economic destiny, which means to fight it we need to make the overall economic choice one that leans our direction (wherever that "our" may be). But simply complaining about it is the easy part. Figuring out the "why" and then working to make the decision better to go a different direction is harder. Business decisions, like routes, have metrics. Figure out what they are and change them if desired. But it's not nearly as simple! Scott From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Sent: Friday, September 24, 2004 7:19 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Cisco moves even more to china. Hello Erik, Although I agree with you on many points I think it's time people stop complaining and take action. My point was not to idly complain about the outsourcing trend and claim that protectionism is the answer, but to ask if there is a better way to deal with the long term trend for ALL of us. Boycotting is just one way to send a message rather than simply complaining. Your perception of Americans I think is very skewed by the media. You obviously did not read my post and wanted to take a cheap shot. Many Americans like myself have always been fighting for equity, fairness and democracy from the beginning in all our activities. Try not to equate a people with what you read and hear in the media and realize they have much more diversity of opinion than is portrayed therein. I argue we BOTH American and international workers (that means you) need to change the system so that we are all treated fairly. I don't think this is an off the wall ideal. But to each his own. Hmmm. I had no idea there were only 2 networking companies, 1 database and 1 OS. 
=) With the rich competitive nature of the market I will continue to support companies which conform to a baseline of ethical business practice for all workers worldwide. With deepest respect, J Erik Haagsman <[EMAIL PROTECTED]> wrote: On Fri, 2004-09-24 at 03:53, Joseph wrote: > It's time for all American Tech workers to stand up and let our voices > be heard. Perhaps it's time instead to make sure you're good at what you do and try to be on the forefront of tech, rather than whining about how all those bad people from abroad are stealing your job. It's largely our own fault labour pricing in large outsourcing countries like India are so low, and now it's coming back to bite some of us. > We as world citizens need to come to grips with the fact that we must > compete with workers internationally but we should be doing so on FAIR > playing field. Strangely people only start calling for a level, fair playing field when they feel something's threatening their own little piece of the cake. If most companies and governments we're happy to work for wouldn't have been undermining