Re: Fire in bakery fries fiber optic cable

2006-03-25 Thread Stephen J. Wilcox

On Thu, 23 Mar 2006, Sean Donelan wrote:

 
 
 http://timesunion.com/AspStories/story.asp?storyID=463928&category=BUSINESS&newsdate=3/23/2006
   A fire Tuesday that tore through a popular bakery in Cohoes left 70,000
   Time Warner Cable subscribers without TV service. Some who also rely on
   the cable company for their high-speed Internet or telephone found all
   three out of commission.
 
 In the pictures, it appears electric, telephone and cable lines were all
 on the utility poles damaged by the fire.  I'm not sure why time-warner
 cable had the brunt of the outages in the newspaper reports.  It may have
 just been bad luck on which company's lines got baked (sorry, more bad
 puns).

... why is a backbone circuit unprotected? there shouldn't have been an outage

Steve



Re: Middle Eastern Exchange Points

2006-02-08 Thread Stephen J. Wilcox

On Tue, 7 Feb 2006, william(at)elan.net wrote:

 On Tue, 7 Feb 2006, Bill Woodcock wrote:
 
  different definitions.  If you say transit is peering, just not by our
  definitions, then you're into 1984 territory.
 
 So what exactly is definition of transit that does not make it peering?
 
 And when ISP A buys access from ISP B for purpose of getting to ISP C is that
 peering or transit?

can't believe you are even invoking this debate.. *cough troll*

it's quite simple:
http://dictionary.reference.com/search?q=transit

1. The act of passing over, across, or through; passage.


if another network's traffic enters your network, then you send it out to another
network, it has transited you.

doesn't matter what money is involved, it's about the act of 'transiting'


peering is just the act of exchanging traffic with another network, whether this
is a transit or peering relationship depends on what routes are exchanged and
whose customers are within those routes.. i think you can work the rest out

Steve



Re: metric 0 vs 'no metric at all'

2006-01-03 Thread Stephen J. Wilcox

On Tue, 3 Jan 2006, Alexander Koch wrote:

 I was wondering if someone had done any or some research on this before...
 basically I am not sure with all the many implementations of BGP and all the
 vendors if and what those will do when they see a metric of 0 and no metric. I
 am not an expert knowing the actual protocol's messages exchanged, but I see
 some routes with nothing in the metric field on the various show commands, and
 some have explicit '0' metric.
 
 I do not trust all the BGP implementations around, and we consider changing
 the default outbound, with MEDs of course still available on request.

i had this some time ago, can't remember where but i found some answers...

basically no metric is undefined, and can be handled either as all-zero or
all-ones or anything you want really

the best practice was to set med manually to ensure the expected behaviour 
occurred.

Steve
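An added example, not from the thread, of what "handled either as all-zero or all-ones" means for the decision process. RFC 4271 section 9.1.2.2 says a route with no MED is compared as though it carried the lowest possible value (0); Cisco IOS `bgp bestpath med missing-as-worst` compares it as the highest instead, and `bgp always-compare-med` compares MEDs across neighbouring ASes rather than only within one. The comparator below implements just the AS_PATH-length and MED steps over three constructed routes (the neighbours 10.0.0.1-3 and ASes 100/200/300 are made up), shows the winner flipping with the policy, and shows the flip disappearing once the MED is set explicitly, which is the practice Steve recommends. The final tie-break on lowest neighbour address is a stand-in for the real router-id and peer-address steps.

```python
"""Added example: effect of a missing MED on BGP best-path selection.
Routes, neighbours and AS numbers are constructed; only the AS_PATH-length
and MED steps of the RFC 4271 decision process are modelled."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

MED_MAX = 2**32 - 1  # MED is an unsigned 32-bit attribute


@dataclass
class Route:
    prefix: str
    neighbor: str              # peer address the route was learned from
    as_path: List[int]
    med: Optional[int] = None  # None: MULTI_EXIT_DISC attribute absent

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]


def effective_med(route: Route, missing_as_worst: bool) -> int:
    """RFC 4271 compares a missing MED as the lowest value (0);
    'bgp bestpath med missing-as-worst' compares it as the highest."""
    if route.med is not None:
        return route.med
    return MED_MAX if missing_as_worst else 0


def best_path(routes: List[Route], missing_as_worst: bool = False,
              always_compare_med: bool = False) -> Route:
    """Pick the best route, assuming local-pref, origin etc. are equal."""
    if not routes:
        raise ValueError("no routes")
    shortest = min(len(r.as_path) for r in routes)
    cands = [r for r in routes if len(r.as_path) == shortest]

    # MED step: a route is eliminated if a comparable route has a lower MED.
    # By default MEDs are only comparable between routes from the same
    # neighbouring AS; always-compare-med compares across all neighbours.
    survivors = []
    for r in cands:
        beaten = any(
            (always_compare_med or o.neighbor_as == r.neighbor_as)
            and effective_med(o, missing_as_worst) < effective_med(r, missing_as_worst)
            for o in cands if o is not r)
        if not beaten:
            survivors.append(r)

    # Stand-in for the later router-id / peer-address tie-breaks.
    return min(survivors, key=lambda r: ipaddress.ip_address(r.neighbor))


def with_explicit_med(routes: List[Route], default: int) -> List[Route]:
    """Outbound policy fix from the thread: always send an explicit MED."""
    return [replace(r, med=default) if r.med is None else r for r in routes]


# Constructed routing table: two paths via AS 100, one via AS 200.
ROUTES = [
    Route("203.0.113.0/24", "10.0.0.1", [100, 300], med=50),
    Route("203.0.113.0/24", "10.0.0.2", [100, 300], med=None),
    Route("203.0.113.0/24", "10.0.0.3", [200, 300], med=10),
]

if __name__ == "__main__":
    for worst in (False, True):
        for always in (False, True):
            win = best_path(ROUTES, missing_as_worst=worst, always_compare_med=always)
            print(f"missing-as-worst={worst!s:5} always-compare-med={always!s:5} -> {win.neighbor}")
    fixed = with_explicit_med(ROUTES, 0)
    print("explicit MED 0:", best_path(fixed).neighbor, best_path(fixed, missing_as_worst=True).neighbor)
```

With the default policy the MED-less route via 10.0.0.2 wins (missing compares as 0); with missing-as-worst the same route loses to 10.0.0.1; with always-compare-med the comparison crosses ASes and 10.0.0.3 can win. Once every route carries an explicit MED the answer no longer depends on which vendor's default the far end runs.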




Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Stephen J. Wilcox

On Sat, 10 Dec 2005, Matthew Sullivan wrote:

 Please remember people..
 
 RFC 2821 states explicitly that once the receiving server has issued a 
 250 Ok to the end-of-data command, the receiving server has accepted 
 responsibility for either delivering the message or notifying the sender 
 that it has been unable to deliver.  RFC2821 also says that a message 
 MUST NOT be dropped for trivial reasons such as lack of storage space 
 for the message.  To that end is a detected 
 virus/trojan/malware/phishing scam etc... a trivial reason to drop the 
 message?
 
 Personally I believe that not trivial means not unless the entire server 
 crashes and disks fry etc...  To that end I am a firm believer that 
 malware messages SHOULD BE rejected at the end of the data command 

rfc2821 was written prior to this problem

we should also take the rfc in context and differentiate between email sent
between individuals for which the responsibility applies, and email generated by
systems (spam, virus bounces) in which we the providers carry some
responsibility to drop them (okay, it would be better if they didn't exist in the
first place, but that's not reality) if they can be identified in the best
interests of the user

to not do this is like saying we have a responsibility to ensure end to end
delivery of packets in a DoS attack just because the rules governing routing and
ip stacks don't explicitly cover the use of sinks and filters.

Steve
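As an added example, not from the thread, here are the two positions above in protocol terms. Once the server has answered 250 to end-of-data it owns the message (RFC 2821 section 6.1), so anything it later refuses to deliver has to go back as a DSN to the envelope sender; for malware and spam that sender is usually forged, so the bounce lands on a third party. Refusing with a 5xx at end-of-data keeps the obligation intact and generates no bounce at all. The code models one transaction with a constructed envelope and a toy content check (a `.exe` attachment header stands in for a real scanner); the addresses are made up.

```python
"""Added example: where in an SMTP transaction a malware verdict is applied,
and what that does to the server's RFC 2821 delivery obligation.
Envelope, addresses and the content check are constructed stand-ins."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Envelope:
    mail_from: str          # envelope sender (return path); trivially forgeable
    rcpt_to: List[str]
    data: bytes             # message as received between DATA and "."


@dataclass
class Outcome:
    reply: str                      # reply sent at end-of-data
    queued: bool                    # did we take responsibility (250)?
    dsn_to: Optional[str] = None    # bounce we now owe, if any


# Toy content check: flags an executable attachment by its MIME header.
# A real deployment would call an AV/antispam engine here.
EXE_ATTACHMENT = re.compile(
    rb"Content-Disposition:\s*attachment;.*filename=\"?[^\"\r\n]+\.exe", re.I)


def scan(data: bytes) -> Optional[str]:
    return "executable attachment" if EXE_ATTACHMENT.search(data) else None


def end_of_data(env: Envelope, reject_at_data: bool) -> Outcome:
    """Server's reply to the end-of-data '.' under the two policies.

    reject_at_data=True : scan before answering; refuse with 550, no DSN owed.
    reject_at_data=False: answer 250 first, scan later; a post-accept refusal
                          must be reported to the sender with a DSN, i.e. a
                          bounce to whoever MAIL FROM named.
    """
    if reject_at_data:
        verdict = scan(env.data)
        if verdict:
            return Outcome(f"550 5.7.1 Message rejected: {verdict}", queued=False)
        return Outcome("250 2.0.0 Ok: queued", queued=True)

    outcome = Outcome("250 2.0.0 Ok: queued", queued=True)
    verdict = scan(env.data)          # store-and-forward: scanned after acceptance
    if verdict:
        # Dropping silently would breach the accepted responsibility; the
        # conforming action is a DSN, which for a forged sender is backscatter.
        outcome.dsn_to = env.mail_from
    return outcome


# Constructed worm-style message: forged sender, .exe attachment.
SAMPLE = Envelope(
    mail_from="innocent.bystander@example.org",
    rcpt_to=["victim@example.net"],
    data=(b"From: innocent.bystander@example.org\r\n"
          b"Subject: your document\r\n"
          b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Disposition: attachment; filename=\"document.exe\"\r\n\r\n"
          b"(attachment body)\r\n--b1--\r\n"),
)

CLEAN = Envelope("alice@example.org", ["bob@example.net"],
                 b"From: alice@example.org\r\nSubject: hi\r\n\r\nlunch?\r\n")

if __name__ == "__main__":
    for policy in (True, False):
        o = end_of_data(SAMPLE, reject_at_data=policy)
        print(f"reject_at_data={policy}: {o.reply}; DSN to {o.dsn_to}")
```

The reject-at-data path is the one Matthew argues for: the sending MTA gets the 550 in-band and decides for itself what to do with it, and the forged return path never hears from us.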



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:

 
 On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
 
  So my question is pretty simple. You have all these major companies such as
  google/earthlink/sprint/etc. building wifi networks. Lets say I want to
  collect peoples information so I setup an AP with the same ssid as google's
  ap so people connect to it and I log all of their traffic.  Most people
  won't check beyond the ssid to look at the mac address but even that could
  be spoofed. Is there anyway to verify a certain ap beyond mac/ssid, will
  there be in the future? How do these companies plan to mitigate this threat
  or are they just going to hope consumers are smart enough to figure it out?
 
 Why would you even need to set up an AP?  Why not just sit and sniff traffic? 
 Gets you the _exact_ same information.

man in the middle is easier if you are the gateway, no need to steal arp

 And why worry about Google, etc., when Starbucks and airports have been doing
 this for _years_?

yup

 Lastly, most consumers are smart enough to know to use encryption (the little
 pad-lock in their browser).  Some aren't.  Changing the WiFi architecture is
 not going to save those who aren't.

'most consumers' .. c'mon, less than one percent.. seriously.. ymmv tho, eg at
airports you stand a higher chance of sniffing a vpn connection but as has been
demonstrated many times, even us techies haven't got our heads around encryption
yet.

here's some fun, next time you're at nanog or your favourite geek conference,
just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to
hit scroll lock ;)

Steve
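The one-liner above greps every printable string off the wire. As an added example, not from the thread, the parser below does the same job over raw Ethernet frames with proper framing: it decodes Ethernet/IPv4/TCP, pulls out the TCP payload, and looks for the plaintext credential shapes a conference WLAN leaks (POP3/FTP USER and PASS, HTTP Basic, form posts). The frames are constructed in the script rather than captured, and the addresses, hostnames and credentials in them are made up; hand it frame bytes from any pcap reader to run it on real traffic. The TLS record at the end shows that the same logic gets nothing out of an encrypted session, which is what the "little padlock" buys.

```python
"""Added example: passive credential extraction from raw Ethernet frames,
the structured version of tcpdump | strings | grep -i password.
All frames below are constructed; hosts and credentials are made up."""
import base64
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Segment]:
    """Decode Ethernet II / IPv4 / TCP and return the TCP payload, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < total_len:                 # TCP only
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Segment(src, dst, sport, dport, tcp[data_off:])


# What cleartext protocols hand over; order only affects report order.
CRED_PATTERNS = [
    ("http-basic", re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)),
    ("user", re.compile(rb"^USER\s+(\S+)", re.I | re.M)),
    ("pass", re.compile(rb"^PASS\s+(\S+)", re.I | re.M)),
    ("form-password", re.compile(rb"(?:^|&)(?:pass|password|passwd)=([^&\s]+)", re.I | re.M)),
]


def extract_credentials(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (kind, flow, value) for every credential seen in cleartext."""
    found = []
    for frame in frames:
        seg = parse_frame(frame)
        if seg is None:
            continue
        flow = f"{seg.src}:{seg.sport}->{seg.dst}:{seg.dport}"
        for kind, pat in CRED_PATTERNS:
            for m in pat.finditer(seg.payload):
                value = m.group(1)
                if kind == "http-basic":              # base64(user:pass), not encryption
                    value = base64.b64decode(value, validate=True)
                found.append((kind, flow, value.decode("latin-1")))
    return found


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed traffic from one conference WLAN client (192.0.2.50).
SAMPLE_FRAMES = [
    build_frame("192.0.2.50", "198.51.100.10", 40001, 110, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame("192.0.2.50", "198.51.100.20", 40002, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                + base64.b64encode(b"admin:s3cr3t") + b"\r\n\r\n"),
    build_frame("192.0.2.50", "198.51.100.30", 40003, 80,
                b"POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&password=billy"),
    # TLS record (type 0x17 = application data): opaque to the sniffer.
    build_frame("192.0.2.50", "198.51.100.40", 40004, 443, b"\x17\x03\x01\x00\x20" + bytes(range(32))),
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + bytes(28),   # ARP: ignored
]

if __name__ == "__main__":
    for kind, flow, value in extract_credentials(SAMPLE_FRAMES):
        print(f"{kind:14} {flow:40} {value}")
```

None of this needs a rogue AP, a spoofed MAC or an ARP trick; it is what any station on the same open WLAN sees. The only frame that yields nothing is the TLS one.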




Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Niels Bakker wrote:

 * [EMAIL PROTECTED] (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
 On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
 Why would you even need to set up an AP?  Why not just sit and sniff
 traffic?  Gets you the _exact_ same information.
 man in the middle is easier if you are the gateway, no need to steal arp
 
 It's *wireless*!  You can just sit and sniff traffic, no need to play 
 ARP games to redirect traffic to you.

i was more thinking in terms of breaking into encrypted sessions by spoofing the
server and client

 here's some fun, next time you're at nanog or your favourite geek conference,
 just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared
 to hit scroll lock ;)
 
 I've visited conferences where the wireless LAN was deemed secure by the
 organisation because they had outlawed sniffers.

hehe :)

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Joel Jaeggli wrote:
 On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
  On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
  On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
 
  Why would you even need to set up an AP?  Why not just sit and sniff 
  traffic?
  Gets you the _exact_ same information.
 
  man in the middle is easier if you are the gateway, no need to steal arp
 
 you don't have to steal arp on a wireless network, you just sniff the 
 frames as they go by.

 What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
 tunneled traffic?

no, we're not trying to do that, you don't really think that because it's
encrypted it can't be decrypted do you?

for example, we want to intercept the encrypted data which we do by putting
ourselves in between the client and the server and pretending to be the server to
the client and the client to the server.. we relay security information and hope
the user clicks 'yes' when they are told the host key has changed

you don't have to break the code if the endpoints trust sessions with you and
share their encryption keys

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Joel Jaeggli wrote:

 On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
 
 snip
 
  What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
  tunneled traffic?
 
  no, we're not trying to do that, you don't really think that because it's
  encrypted it can't be decrypted do you?
 
 I do believe (reasonably so, I think) that if I'm going to have a conversation
 with a second party whom I already trust, that a third party will have trouble
 inserting themselves into the path of that conversation without revealing their
 presence..

this is assuming that you are talking to the second party and not in fact me 
sitting in the middle grabbing credentials, possibly by this stage already 
pretending to be that second party

it's also assuming you understand your certificates, keys and trust. i'd bet most
users will click yes when presented with a 'do you trust this new key' message.

  you don't have to break the code if the endpoints trust sessions with you and
  share their encryption keys
 
 Successfully inserting yourself in the middle requires some social-engineering
 or really bad protocol design. The former can be mitigated through vigilance,
 the latter falls into the realm of peer review and security research.

you forgot to include 'or user error'.. the protocol may be fantastic but if the
user fails to notice a security alert or does something stupid it can be
compromised.

depending on how good you are you may be able to thwart all but the determined
hacker, although to be fair most people are not going to be a target once they
employ basic security such as weak encryption. but if you are a target then it's
vital to be using strong trusted security and know your onions!

 If I may paraphrase the original posters question (Ross Hosman), it was:
 
 Do large wireless buildouts present a new security threat due to the potential
 to spoof AP's?
 
 The answer to that is no, this is a threat we live with currently. We have 
 tools to mitigate the risks associated with it.

mm.. i'd say yes. wifi is still pretty niche, it's in the offices, it's in
airports and starbucks.

once billy bob and his grandpa start using it tho you're bringing it to the
masses who aren't IT trained, who haven't had a security brief, who are running
windows that's not been patched for 2 years and who think 'billy' is reasonable
for their password

so the technology is the same, but the users are new

 You can say that consumers are stupid, and won't figure this out, 

okay consumers are stupid, and won't figure this out :-)

 and that may be true; however when it starts to cost them lots of money, they
 will sit up, take notice and buy tools to solve this problem for them, just
 like they do with any other security threat that goes beyond being an
 annoyance.  probably said product will be blue, say linksys on it, and have the
 word vpn (among others) buried on the packaging someplace.

i'm thinking beyond your corporate staff who are currently using these systems
(and quite badly if my casual network sniffing in environments with supposedly
clued individuals is anything to go by!) 

my 2-cents :0)

Steve
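Steve's two messages above (the relay that pretends to be the server to the client and the client to the server and hopes for a 'yes', and the point that the user may have been talking to the attacker from the start) can be made concrete with a small simulation. This is an added example, not from the thread: a toy SSH-style session with trust-on-first-use host key pinning, a Diffie-Hellman exchange over a deliberately tiny group (not a real one; use an RFC 3526 group or ECDH in practice) and a hash-based XOR stream standing in for the session cipher. The attacker never breaks the cipher; the only variables are whether the client already has a pin for the host and what it does when the presented key differs. Hostnames and keys are made up.

```python
"""Added example: a host-key-changed prompt versus a man-in-the-middle relay.
Toy DH group, toy stream cipher and random 'host keys': the cryptography is a
stand-in; the trust decisions are the point. Hostnames are made up."""
import hashlib
import secrets
from typing import Dict, Optional

P = 2**61 - 1   # toy prime; real deployments use an RFC 3526 group or ECDH
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with a SHA-256(key || counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def fingerprint(host_key: bytes) -> str:
    return "SHA256:" + hashlib.sha256(host_key).hexdigest()[:16]


class KnownHosts:
    """Trust-on-first-use pin store, like ~/.ssh/known_hosts."""
    def __init__(self):
        self.pins: Dict[str, str] = {}

    def check(self, host: str, host_key: bytes, accept_changed_key: bool) -> str:
        fp = fingerprint(host_key)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp        # first contact: pin whatever answered
            return "pinned"
        if pinned == fp:
            return "ok"
        if accept_changed_key:          # the user clicked 'yes' on the warning
            self.pins[host] = fp
            return "replaced"
        return "rejected"


class Endpoint:
    def __init__(self, name: str):
        self.name = name
        self.host_key = secrets.token_bytes(32)     # stand-in for a long-term host key
        self.dh_priv, self.dh_pub = dh_keypair()

    def session_key(self, peer_dh_pub: int, server_host_key: bytes) -> bytes:
        shared = pow(peer_dh_pub, self.dh_priv, P)
        # Binding the host key into the session key is what makes the pin matter.
        return hashlib.sha256(shared.to_bytes(8, "big") + server_host_key).digest()


def connect(known: KnownHosts, hostname: str, server: Endpoint,
            attacker: Optional[Endpoint], accept_changed_key: bool,
            message: bytes) -> dict:
    """One client session to hostname; attacker, if present, answers first
    (rogue AP or gateway) and relays to the real server."""
    client = Endpoint("client")
    answering = attacker or server
    status = known.check(hostname, answering.host_key, accept_changed_key)
    result = {"status": status, "server_got": None, "attacker_saw": None}
    if status == "rejected":
        return result                    # client refused to continue

    ciphertext = stream_xor(client.session_key(answering.dh_pub, answering.host_key), message)
    if attacker is None:
        result["server_got"] = stream_xor(server.session_key(client.dh_pub, server.host_key), ciphertext)
        return result

    # Attacker holds one session with the client and another with the server.
    plaintext = stream_xor(attacker.session_key(client.dh_pub, attacker.host_key), ciphertext)
    result["attacker_saw"] = plaintext
    relayed = stream_xor(attacker.session_key(server.dh_pub, server.host_key), plaintext)
    result["server_got"] = stream_xor(server.session_key(attacker.dh_pub, server.host_key), relayed)
    return result


if __name__ == "__main__":
    server, attacker, known = Endpoint("server"), Endpoint("attacker"), KnownHosts()
    secret = b"PASS hunter2"
    print(connect(known, "shell.example", server, None, False, secret)["status"])
    print(connect(known, "shell.example", server, attacker, False, secret)["status"])
    print(connect(known, "shell.example", server, attacker, True, secret))
```

Four outcomes fall out of it: a first contact with the real server pins its key and the attacker sees nothing; a later session where the attacker answers is refused if the user says no; the same session goes through to the real server, looking perfectly normal, if the user says yes, and the attacker now has the plaintext and a pin on the attacker's key; and a first contact that already goes through the attacker produces no warning at all. After the 'yes', it is the next direct session to the real server that gets the warning.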



Re: Peering VLANs and MAC addresses

2005-11-09 Thread Stephen J. Wilcox

Hi Simon,

so you have:

IX---SwitchA---SwitchB---Router

why not disable spanning tree? There is no redundancy here anyway so disable it 
in that particular VLAN.

Steve


On Wed, 9 Nov 2005, Simon Brilus wrote:

 
 Hi ,
 
 We are unable to resolve a problem with our peering exchange connection and 
 would like any assistance.  Our peering setup is as follows:
 
 - Our peering exchange connection goes into switch A
 - Switch A has a dark fibre connection to switch B, which is in a different 
 PoP
 - Our peering router is connected to switch B
 
 We use spanning tree across our network to allow the VLANs connectivity 
 across our network.
 
 The peering exchange has an MoU that only 1 MAC address should be visible on 
 their switch.  However they see 2 MAC addresses on our port.
 
 - MAC address of Peering router
 - MAC address of the port they are connected to on switch A
 
 Is there any way to prevent switch A from presenting the interface MAC 
 address?  Or is this a symptom of spanning tree that cannot be stopped?
 
 Your input will be most welcome.
 
 The config on switch A is as follows:
 
 interface GigabitEthernet0/5
  description Peering Link
  switchport access vlan 148
  switchport mode access
  speed nonegotiate
  storm-control broadcast level 5.00
  no cdp enable
  spanning-tree portfast
  spanning-tree bpdufilter enable
  spanning-tree guard root
 
 Regards
 
 Simon Brilus
 
 



Re: classful routes redux

2005-11-03 Thread Stephen J. Wilcox

On Thu, 3 Nov 2005, Richard A Steenbergen wrote:

 
 On Thu, Nov 03, 2005 at 03:29:35PM -0500, Todd Vierling wrote:
  On Thu, 3 Nov 2005, Stephen J. Wilcox wrote:
  
   well, /56 /48 /32 seem to have resonance but are not special in any way
  
  Well, they are somewhat special.  All of them are on eight-bit boundaries.
  The importance of this comes in when deciding how to lay out a routing table
  in a gate array or memory-based table.
  
  A routing table capable of handling a flat 2^128 addressing space goes
  beyond the realm of known physics -- and flat 2^64 comes close, at least for
  a while (consider semiconductor atomic weights, and the fact that 1 mole is
  approximately 2^79 atoms).  That's quite a stretch, but should give a hint
  as to why flat addressing does not work for every model.
 
 Come on now, a lot of new routing gear made today can just barely handle 
 2^18 routes, and even the high end stuff tops out at 2^20. We're nowhere 
 near handling 2^32 routes even for IPv4, nor should we be, so let's not 
 start the whole but ipv6 has more space therefore routes will increase to 
 7873289439872361837492837493874982347932847329874293874 nonsense again.
 
 Removing the extreme restrictions on IP space allocation by being able to 
 allocate chunks so large that you would RARELY need to go back for a 
 second block would immediate reduce the size of the routing table. Let me 
 state the stats again for the record:
 
 Total ASes present in the Internet Routing Table: 20761
 Origin-only ASes present in the Internet Routing Table:   18044
 Origin ASes announcing only one prefix:8555
 Transit ASes present in the Internet Routing Table:2717
 
 There are just not that many distinct BGP speaking networks out there, nor
 will there ever be. NOW is the time to make certain that IPv6 deployments
 make sense in practice and not just in theory, so we don't work ourselves
 into exactly the same mess that we did in IPv4. Let's stop trying to solve
 theoretical scaling problems which will never happen at the expense of
 creating problems which actually DO exist, and apply a little bit of common
 sense.

ack that.

assign one ipv6 prefix to every asn of sufficient size that most will not need 
to request additional space

whilst i'm at the mic here, ditch the idea of microassignments, just give out a
standard /32 block ... let's not start out with ge 33 prefixes in the table when
there's no need

Steve



Re: To get internet full routing table

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Joe Shen wrote:

 Is that possible to get full internet routing table without help from upstream
 ISP? or is there anyway to get some backbone network's internet routing table
 directly?

is this one of those deep philosophical questions .. like trees falling in 
forests with no one around? :)

you can look at route-views.oregon-ix.net if you want to take a peek at the bgp
table. alternatively you can find a friendly ISP to send you a bgp table if you
want your own copy. www.traceroute.org may also be helpful for you

Steve





Re: cogent+ Level(3) are ok now

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Jeff Aitken wrote:

 
 On Wed, Nov 02, 2005 at 02:44:20PM -0600, Pete Templin wrote:
  I came up with a reasonably scalable solution using communities and 
  route-map continue, but:
 
 For what value of scalable?

anything, it's 'scalable' :)

Steve



Re: classful routes redux

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Fred Baker wrote:

 A class A gives you 16 bits to enumerate 8 bit subnets. If you start  
 from the premise that all subnets are 8 bits (dubious, but I have  
 heard it asserted) in IPv4, 

not according to my view of the internet.. 
 
/8: 18 /9: 5 /10: 8 /11: 17 /12: 79 /13: 179 /14: 335 /15: 651 /16: 8553 
/17: 2855 /18: 4793 /19: 10791 /20: 11877 /21: 9990 /22: 13168 /23: 14299 
/24: 93293

 and that all subnets in IPv6 are 16 bits  (again dubious, given the recent
 suggestion of a /56 allocation to an edge network), a /48 is the counterpart
 of a class A. We just have a lot more of them.

well, /56 /48 /32 seem to have resonance but are not special in any way

 All of which seems a little twisted to me. 

you think? :)

 While I think /32, /48, / 56, and /64 are reasonable prefix lengths for what
 they are proposed for, I have this feeling of early fossilization when it
 doesn't necessarily make sense.

classes are bad. but recognise v6 is a bit different, /48 or /56 is the per site
bit which is not comparable to v4. then /32 is the largest generally accepted
prefix for bgp. this suggests anything can happen from 0-32 in bgp and anything
can happen in provider igp for 32-48 or 32-56 and again anything in end user igp
for 48/56-128

repeat 3 times, twice daily. classes are bad, v6 is not v4

Steve



Re: cogent+ Level(3) are ok now

2005-11-01 Thread Stephen J. Wilcox

Hi John,

 Even with cold-potato routing, there is an expense in handling increased
 levels of traffic that is destined for your network.  This increase in traffic
 often has no new revenue associated with it, because it is fanning out to
 thousands of flat-rate consumer/small-business connections (e.g. DSL)
 where billing is generally by peak capacity not usage.

not true for cogent tho, we know that virtually all their traffic is usage based
transit customers

Steve



Re: cogent+ Level(3) are ok now

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Brandon Ross wrote:

 On Tue, 1 Nov 2005, John Payne wrote:
 
  What am I missing?
 
 That it's a pure power play.  

market position is important

 Peering is only distantly associated with costs or responsibilities.  

no, peering is entirely associated with costs or responsibilities.. what other
reason is there to peer?

 It has to do with what company has the intestinal fortitude to draw a line in
 the sand and stick with it no matter how many customers cancel their service. 
  

have to weigh up the gains and losses to see if that is a good or bad thing
tho.

 Those with a critical mass of traffic and the right amount of guts win.  

markets are always stacked in favour of the larger players in that way.. saying
'hey i'm a little guy, give me a chance' generally goes unheard

 Everyone else loses the peering game.

not peering isn't necessarily losing, there are networks who would peer with me
if i turned up in asia or the west coast, but my cost to get there is greater
than sticking to transit.

to get a new peer, both sides need to feel they are gaining value

Steve



Re: oh k can you see

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Randy Bush wrote:

 my naive view of your current deployment means that k can not
 be seen from any multi-homed sites unless one or more of their
 upstreams (recurse for tier-n) is even more clever and
 implements t0 is our customer and we ignore NO_EXPORT toward
 customers, thus piling on yet another bit of cleverness, the
 implications of which we can discover in the next level of
 purgatory.

assuming we are talking about the well known community no-export, then i 
understand the problem.

a better solution would be to peer only the anycast node, such that transit
providers continue to propagate to the global internet (minus the peers seeing
the shorter path).

for wider distribution within the region, possibly using a transit provider for
the anycast and use communities supported by the upstream to restrict 
announcement to its peers or upstreams

or am i naive too?

Steve



Re: oh k can you see

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Joe Abley wrote:

 On 1-Nov-2005, at 14:19, Stephen J. Wilcox wrote:
 
  or am i naive too?
 
 I think you underestimate the tendencies of ISPs all over the world  
 to leak peering routes towards their transit providers.
 
 Contrary to popular belief, leaks through peers in remote regions do  
 not always result in huge AS_PATHs which are never selected by the  
 rest of the network. For example, some of the most remote and poorly- 
 connected ISPs that F is announced to from local nodes are transit  
 customers of international, default-free carriers.

ok sure, but is this not just normal transit issues, these are not special
because they are a) anycast b) root-servers? if any network's peers leak they
should be reprimanded

Steve



Re: Fwd: The Root has got an A record

2005-10-10 Thread Stephen J. Wilcox

i'm reading looking for your explanation but there isn't one.

and the A record is for what?

anyway it's on a private dns server, the internet roots are fine so why worry? :)

Steve

On Mon, 10 Oct 2005, Peter Dambier wrote:

 
 See with your own eyes:
 
 ; <<>> DiG 9.1.3 <<>> -t any . @a.public-root.net
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18588
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;.  IN  ANY
 
 ;; ANSWER SECTION:
 .   172800  IN  SOA a.public-root.net. hostmaster.public-root.net. 2005101006 43200 3600 1209600 14400
 .   172800  IN  A   57.67.193.188
 .   172800  IN  NS  k.public-root.net.
 .   ...
 .   172800  IN  NS  j.public-root.net.
 
 ;; Query time: 81 msec
 ;; SERVER: 205.189.71.2#53(a.public-root.net)
 ;; WHEN: Mon Oct 10 16:01:11 2005
 
 
  Original Message 
 Return-Path: [EMAIL PROTECTED]
 X-Flags: 
 Delivered-To: GMX delivery to [EMAIL PROTECTED]
 Received: (qmail invoked by alias); 10 Oct 2005 13:07:54 -
 Received: from LAIR.LIONPOST.NET (EHLO LAIR.LIONPOST.NET) [199.5.157.32]
by mx0.gmx.net (mx072) with SMTP; 10 Oct 2005 15:07:54 +0200
 Received: from list.public-root.com ([199.5.157.32])
   by LAIR.LIONPOST.NET with esmtp (Exim 4.24) id 1EOx3o-ny-HQ
   for [EMAIL PROTECTED]; Mon, 10 Oct 2005 08:47:20 -0400
 Received: from [206.254.45.93] (helo=ruby.cynikal.net ident=qmremote)
   by LAIR.LIONPOST.NET with esmtp (Exim 4.24) id 1EOx3n-nt-5J
   for [EMAIL PROTECTED]; Mon, 10 Oct 2005 08:47:19 -0400
 Received: (qmail 9881 invoked by uid 1018); 10 Oct 2005 13:10:36 -
 Received: from localhost ([EMAIL PROTECTED])
   by localhost with SMTP; 10 Oct 2005 13:10:36 -
 Date: Mon, 10 Oct 2005 09:10:36 -0400 (EDT)
 From: Joe Baptista [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: TEXT/PLAIN; charset=US-ASCII
 Subject: [Pr-plan] BAD NEWS Re: IASON Root Domain Observatory (fwd)
 X-BeenThere: [EMAIL PROTECTED]
 X-Mailman-Version: 2.1.2
 Precedence: list
 List-Id: pr-plan.LAIR.LIONPOST.NET
 List-Unsubscribe: http://LAIR.LIONPOST.NET/mailman/listinfo/pr-plan,
   mailto:[EMAIL PROTECTED]
 List-Archive: http://LAIR.LIONPOST.NET/pipermail/pr-plan
 List-Post: mailto:[EMAIL PROTECTED]
 List-Help: mailto:[EMAIL PROTECTED]
 List-Subscribe: http://LAIR.LIONPOST.NET/mailman/listinfo/pr-plan,
   mailto:[EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 Errors-To: [EMAIL PROTECTED]
 X-GMX-Antivirus: 0 (no virus found)
 X-GMX-Antispam: 0 (Mail was not recognized as spam)
 X-GMX-UID: /QI4Y8R1eSEkOtTJ43QhaXN1IGRvb4Di
 
 
 Folks - got some bad news.  The Public-Root has acquired an A record - yup
 that's right - an A record.  Which see below.  Have tried to contact Paul
 Scheepers - our absent minded root operator - who now hovers very close to
 criminal conspiracy - to get him to fix this mistake.  No one is at home at
 the inn.  Not good.  See appended message to Peter Dambier and our
 public-root associates.
 
 I have no idea how a root will respond with an A record in it.  Should be
 interesting - but have no doubt a few things out in the wild have been
 broken.
 
 regards
 joe
 
 -- Forwarded message --
 Date: Mon, 10 Oct 2005 09:03:04 -0400 (EDT)
 From: Joe Baptista [EMAIL PROTECTED]
 To: Peter Dambier [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED]
 Subject: Re: IASON Root Domain Observatory
 
 
 Report this to NANOG and the IETF.  Make sure you send them a copy of my
 response and the headers of this message.  I am holding UNIDT personally
 responsible for this technical nightmare.
 
 regards
 joe
 
 On Mon, 10 Oct 2005, Peter Dambier wrote:
 
  Kewl, '.' has got an A record :)
 
  ; <<>> DiG 9.1.3 <<>> @a.public-root.net . axfr
  ;; global options:  printcmd
  .   172800  IN  SOA a.public-root.net. hostmaster.public-root.net. 2005100906 43200 3600 1209600 14400
  .   172800  IN  A   57.67.193.188
  .   172800  IN  NS  a.public-root.net.
 
 Joe Baptista, Official Public-Root Representative and Lobbyist to the
 United States Congress and Senate / Tel: +1 (202) 517-1593
 
 Public-Root Disclosure Documents: http://www.cynikal.net/~baptista/P-R/
 Public-Root Discussion Forum: 
 http://lair.lionpost.net/mailman/listinfo/pr-plan
 
 
 
 ___
 Pr-plan mailing list
 [EMAIL PROTECTED]
 http://LAIR.LIONPOST.NET/mailman/listinfo/pr-plan
 
 
 



Re: OT: Connection restored between feuding Net providers Cogent/L3

2005-10-09 Thread Stephen J. Wilcox

it's only temporary, level3 have given a temporary stay until 9th nov


On Sun, 9 Oct 2005, Henry Linneweh wrote:

 Connection restored between feuding Net providers
 
 http://news.yahoo.com/s/nm/backbone_dc;_ylt=ArskJPD_l3TpJ01SroWSOdQjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
 



Re: Cogent/Level 3 depeering

2005-10-09 Thread Stephen J. Wilcox

On Sat, 8 Oct 2005, [EMAIL PROTECTED] wrote:

 On Sat, 08 Oct 2005 20:41:55 BST, Stephen J. Wilcox said:
  my rule would be if your provider can manage an autonomous system better than
  you and multihoming isn't a requirement of your business then let them take on
  the management
 
 I'm willing to bet there's a lot of single-homed customers of both Cogent and
 L3 that 2 weeks ago didn't think multihoming was a requirement of their
 business either, who now are contemplating it.  Plus possibly some
 single-homed customers of other large providers as well.

Sure, but consider is it worse to have a very small number of complaining
customers who can't get to a bit of the web for 2 or 3 days, or a complete outage
to the Internet for a few hours because of a problem you can't fix.

I see the latter occurring quite frequently, in particular I see support queries
about loss of connectivity to large parts of the Internet which on inspection
was caused by dampening because the ISP was flapping.

I'm just saying, you fix one problem and create a whole bunch of new ones and it
depends on the customer as to which results in the optimum situation.

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, William Allen Simpson wrote:

 
 Stephen J. Wilcox wrote:
  On Fri, 7 Oct 2005, William Allen Simpson wrote:
 Rather than speculation, it would be helpful to refer to the actual
 contracts.  Please post the relevant sections, Mr Wilcox.
  
  the contract talks of on-net traffic, off-net traffic and excused outages
  
  excused outages includes that of third party network providers
  
  off-net traffic has a 99% SLA excluding excused outages.
  
 Again, rather than speculation, it would be helpful to refer to the actual
 contracts.  Please post the relevant sections, not your summary of an index of
 definitions, Mr Wilcox.

that was it, i just shortened it

 For instance, I rather doubt that the contract language defines a decision of
 L(3) to terminate connectivity to a third party as an excused outage.  But
 we won't know without the contract.
 
 Enlighten us.

excused outages ... includes ... third party network providers

it doesn't go anywhere talking about peerings or specifics of the connectivity,
but it seems to me that the ability to pass traffic to cogent falls right in
this get out clause as it is a third party

ianal but i'd push to break contract rather than sue Level3 as the latter seems 
to be a very big gamble

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, [EMAIL PROTECTED] wrote:

 Seems to me that the ideal here would be for the industry to agree on a
 dispute resolution mechanism and for all bilateral peering agreements to
 include the same arbitration clause. For this kind of arbitration to function
 well, the arbitrators need to have some understanding of the industry and the
 technology. This can only be accomplished by selecting one arbitration
 organization to handle all the arbitration duties for the whole industry.

the trouble is that there is no regulatory requirement of peering, there is no 
accepted standard for peering, the definition of fair varies greatly and the 
policies that exist are based on many criteria and personalities

the problem that would arise as i see it is that such an arbitrator would be
consistent with its decisions but that would be consistently right for one
player and consistently wrong for another.. and if we apply that to the current
scenario we can see arguments for both cogent and level3's positions

 Airing dirty laundry in public like this hurts the whole industry, not just
 Level 3 and Cogent in particular. The solution is to use binding arbitration
 clauses in all interconnect agreements whether settlement-free, paid peering
 or settlement-based.

i'm not sure the industry does get hurt, to us this is a major incident, but in
reality there appears to only be a handful of affected customers and it's not
getting much attention from the press

someone implied this might work in the favour of non-tier-1 networks so if that 
were true that would be a benefit to such networks!

Steve



Re: Cogent/Level 3 depeering

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, Daniel Golding wrote:

 On 10/6/05 10:37 AM, Patrick W. Gilmore [EMAIL PROTECTED] wrote:
 
  
  On Oct 6, 2005, at 10:19 AM, tony sarendal wrote:
  
  This is not the first and certainly not the last time we see this kind
  of event happen.
  Purchasing a single-homed service from a Tier-1 provider will
  guarantee that you
  are affected by this every time it happens.
  
  s/every time it happens/every time it happens to YOUR upstream
  
  People on Sprint, ATT, GLBX, MCI, etc. were unaffected.  Only people
  who single-home to L3 or Cogent have disconnectivity.
 
 Take-away: Do not single home. I'm shocked folks aren't figuring this out.
 If you are a webhoster or enterprise and your business model can not support
 multiple Internet pipes, then you have a suboptimal business model (to put
 it lightly)

disagree.

i know networks who multihome to avoid this kind of problem but introduce new 
problems with greater risk because they are unable to run bgp properly (be it 
from inadequate hardware, bad config, bad administration)

my rule would be if your provider can manage an autonomous system better than
you and multihoming isn't a requirement of your business then let them take on
the management

Steve



Re: Level 3's side of the story

2005-10-08 Thread Stephen J. Wilcox

On Sat, 8 Oct 2005, Richard A Steenbergen wrote:

 the last two times Cogent was depeered, it responded by intentionally blocking
 connectivity to the network in question, despite the fact that both of those
 networks were Sprint customers and thus perfectly reachable under the Sprint
 transit Cogent gets from Verio. While no one has come forward to say if the
 Cogent/Verio agreement is structured for full transit or only Sprint/ATDN
 routes, Cogent has certainly set a precedent for intentionally disrupting
 connectivity in response to depeering, as a scare tactic to keep other
 networks from depeering them.

i dont see it like that.. and you reapply your view in your later email to me.

cogent and level3 were peers. level3 want to change that, the only solution 
level3 will consider is for cogent to purchase transit with another provider 
(sprint/verio) or pay them direct.


whether cogent's contract with verio could provide it transit to level3 for the 
same price is irrelevant. the fact is cogent currently does not use verio for 
this and they do not want to add a number of Gbps to their transit service

theres nothing special about level3 being tier-1 and cogent being tier-2 with 
verio transit. the status of these networks is not of issue, both sides have a 
right to decide whether to connect via settlement free peering or not. of course
for level3 to transit to cogent would be inconceivable to them, but thats ego / 
economics / marketing, not a principle of networking

that either network could use transit to reach the other is an engineering 
point, that neither wants to pay to do so is a business point. and this is a 
business problem.

Steve



Re: Cogent/Level 3 depeering

2005-10-07 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, tony sarendal wrote:

 On 06/10/05, Patrick W. Gilmore [EMAIL PROTECTED] wrote:
 
  On Oct 6, 2005, at 10:19 AM, tony sarendal wrote:
 
   This is not the first and certainly not the last time we see this kind
   of event happen.
   Purchasing a single-homed service from a Tier-1 provider will
   guarantee that you
   are affected by this every time it happens.
 
  s/every time it happens/every time it happens to YOUR upstream
 
  People on Sprint, ATT, GLBX, MCI, etc. were unaffected.  Only people
  who single-home to L3 or Cogent have disconnectivity.
 
 
   Now, is being a tier-1 now a good or bad sales argument when selling
   internet access ?
 
  It's still a good argument, because Marketing != Reality. :)
 
 
 Patrick, it happens to every PA customer who buys his service from one
 of the Tier-1 providers active in the de-peering.
 
 If a PA customer buys his service from a non-tier1 this will most
 likely not happen, unless that provider has bought transit in a very
 unwise way.
 
 The entire point is that it's not always good to be too close to tier-1 space.

See my other post tho, connectivity disputes and problems can arise between any 
networks, being tier-1 isnt special.. anyone can choose not to give access or 
send routes to any other network.

Steve



Re: Cogent/Level 3 depeering

2005-10-07 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, JC Dill wrote:

 Alex Rubenstein wrote:
 
  Further, the internet has always been a best-effort medium.
 
 Can someone please explain how Level 3 is making a best effort to connect
 their customers to Cogent's customers?

thats not what alex means as you know. and Level(3)/Cogent are playing a pain 
game here, its 'no effort' not 'best effort'

 Various people have stated that uneven data flows (e.g. from mostly-content
 networks to mostly-eyeball networks) is a good reason to not peer.  I'd love
 to know how it improves Level 3's network to have data from Cogent arrive over
 some *other* connection rather than directly from a peering connection.  Do

perhaps the other connection is already carrying significant outbound so this 
extra inbound is a small net cost, that would support L3's argument

 So why break off peering???

this is about politics not engineering, dont try to confuse them. peering often 
is.

 AFAICT there's only one reason to break off peering, and it's to force 
 Cogent to pay (anyone) to transit the data.  Why does L3 care if Cogent 
 sends the data for free via peering, or pays someone ELSE to transit the 
 data?

the economics are different for cogent, cogent loses some marketing advantage.. 
i can think of other reasons

 I think this is about a big bully trying to force a smaller player off 
 of the big guys' playing field (tier 1 peering).  From where I sit it 

cogent isnt a small player, they are a real threat to L(3).. dont feel sorry for
them, they're not being bullied!

 looks like an anti-competitive move that is not a best effort to serve 
 their customers but a specific effort to put another (smaller) 
 competitor out of business (of being a transit-free or mostly 
 transit-free backbone) by forcing them to pay (someone), forcing their 

really? you mean one company wants to take business from the other company? 
thats amazing.. and i thought ISPs existed together in harmony never looking at 
each others customer bases

 IMHO all L3 customers have a valid argument that Level 3 is in default of any
 service contract that calls for best effort or similar on L3's part.

can you cite the relevant clause in your Level3 contract that brings you to this
conclusion.. hint: you might be looking a long time because it doesnt exist and 
they're not in breach

 I also believe that Cogent has a valid argument that Level 3's behavior is
 anti-competitive in a market where the tier 1 networks *collectively* have a
 100% complete monopoly on the business of offering transit-free backbone
 internet services.  As such, L3's behavior might fall into anti-trust
 territory - because if Cogent caves in over this and buys transit for the
 traffic destined for L3 then what's to stop the rest of the tier 1 guys from
 following suit and forcing Cogent to buy transit to get to *all* tier 1
 networks?  Then who will they (TINT) force out next?

these are big companies, they can fight their own battles. there is no tier-1 
monopoly. in many cases its cheaper to send data via transit than peering so why
do you care about transit-free anyway?
 
 What's to stop a big government (like the US) from stepping in and attempting
 to regulate peering agreements, using the argument that internet access is too
 important to allow individual networks to bully other networks out of the
 market - at the expense of customers - and ultimately resulting in less
 competition and higher rates?  Is this type of regulation good for the
 internet?  OTOH is market consolidation good for the internet?

they're not acting illegally or as a monopoly, and theres no anti-trust so 
theres no reason to expect any government interventions.

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-07 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, William Allen Simpson wrote:

 
 Stephen J. Wilcox wrote:
  On Thu, 6 Oct 2005, JC Dill wrote:
 IMHO all L3 customers have a valid argument that Level 3 is in default of 
 any
 service contract that calls for best effort or similar on L3's part.
  
  can you cite the relevant clause in your Level3 contract that brings you to this
  conclusion.. hint: you might be looking a long time because it doesnt exist and
  they're not in breach
  
 Rather than speculation, it would be helpful to refer to the actual
 contracts.  Please post the relevant sections, Mr Wilcox.

the contract talks of on-net traffic, off-net traffic and excused outages

excused outages includes that of third party network providers

off-net traffic has a 99% SLA excluding excused outages.

Steve



Re: Cogent/Level 3 depeering

2005-10-06 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, tony sarendal wrote:

 Is being a tier-1 now a good or bad sales argument when selling internet
 access ?

its the same as it always was, its a marketing positive. but thats because the 
market is dumb.

if you wish to make your purchasing decision on 'tier-1' status thats up to you,
but i'll be looking at performance, price, strategy, service level and what type
of supplier i want for a company like mine.

cogent is cheap and you get what you pay for. level3 is mid-price, but they 
really dont care much about their customers (or thats what i found). perhaps you
want better customer service or to deal with a smaller company to gain their 
attention and respect.

choose your supplier based on your own criteria, not someone elses or on who has
the most marketing points.

Steve





Re: While Bush fiddles, New Orleans dies

2005-09-07 Thread Stephen J. Wilcox

wheres the ops in this? 

dont get me wrong, i'm sympathetic with new orleans and also definitely not a 
bush supporter but this is verging on incitement and i dont see the point of the
post to here

On Tue, 6 Sep 2005, [EMAIL PROTECTED] wrote:

 
 This story was sent to you by: Fergie (Paul Ferguson)
 
 
 While Bush fiddles, New Orleans dies 
 
 
 Jimmy Breslin
 
 September 4, 2005
 
 This is a review of the performance of George W. Bush in tight times in this 
 nation. It might explain the single solitary most catastrophic collapse of 
 American government in all of our times. Mark ye well. This was the week when 
 we turned a major American city into Haiti, and racism put its hand out and 
 started to choke a nation, and it may not let go.
 
 With the water coming from the sky and the bottom of the sea, driving with 
 such ferocity that a major American city, New Orleans, followed its face into 
 the water, George W. Bush was at North Island in Coronado, Calif., speaking 
 to a blindingly white audience of 9,000 sailors in uniform.
 
 At the hour, blacks were drowning in New Orleans. Blacks pushed through water 
 that was up to their chests and was thick with the rawest sewage of a major 
 city. Blacks were on rooftops begging to live. Wherever cameras swept, the 
 only thing that was white was a towel being waved by a black woman begging 
 for help, while the tiny black legs of a baby dangled from her shoulder.
 
 Bush was in white Coronado to speak to a military audience on the anniversary 
 of V-J Day.
 
 Get those sailors in their whites clapping.
 
 He barely seemed to understand there was a hurricane for the first three 
 days. He was in Coronado, outside San Diego, and in his speech, he managed to 
 mention New Orleans, by saying that people should not return to their homes 
 until rescue crews could do their work.
 
 Nobody had to be told not to return to their homes because they don't have 
 homes to return to, and no bus fare to go anywhere.
 
 He then told Americans to send donations to the Red Cross and the Salvation 
 Army. How marvelous! His administration sends billions and billions of tax 
 money to his personal war in Iraq to shoot up Fallujah for the third or 
 fourth time since he started the war with his lies, and now he wants 
 everybody to go out on the street and give forty dollars to hurricane charity.
 
 Bush's style is to be nowhere if things that carry a bit of fear happen. 
 During Vietnam, he kept all dental appointments. For the World Trade Center 
 attack, he first froze in a classroom in Florida. Then he flew off in his 
 plane for long hours. Three days later, he got to New York where a flunky 
 placed a retired firefighter, Bob Beckwith from Long Island, alongside him 
 atop a truck. Then Bush called out a football dressing room speech over a 
 bullhorn.
 
 Last week, he spoke in Coronado with the carrier Ronald Reagan parked in the 
 background. This was his sixth visit to San Diego as president.
 
 In May 2003 Bush landed on the carrier Abraham Lincoln in the waters off San 
 Diego. He wore a green flight suit, with a helmet under his arm. Why 
 shouldn't he look like this? He was an American warrior. He changed into a 
 business suit and spoke in front of a banner proclaiming, Mission 
 Accomplished.
 
 There have been nearly 1,800 bodies in boxes returned from Iraq since then.
 
 Friday, showing up on the fifth day of a national tragedy, Bush made a little 
 humorous aside about the times he was in New Orleans celebrating too much. 
 Beautiful! If he tried to walk fifty yards he could have tripped over 
 somebody's dead black grandmother under a blanket.
 
 How do you like it? How do you like having a president who at a time like 
 this reminisces about getting drunk in New Orleans? White boy with Daddy's 
 money roaring at Mardi Gras in a town black for the rest of the year.
 
 If whites were in trouble in New Orleans, trust that his government would 
 have been there early and the aid massive.
 
 This racism, which is at the bottom of everything in America, makes it only 
 natural for Bush and his people to talk about turning to Rudolph Giuliani to 
 save New Orleans as he supposedly saved New York after the World Trade Center 
 attack.
 
 In New York, Giuliani did nothing but go on television. That's all he did and 
 all he ever can do. Beautiful! There are television cameras in New Orleans. 
 And just like Bush, Giuliani doesn't want many blacks near him. If more than 
 two blacks entered City Hall, he called for snipers. Giuliani doesn't even 
 have a show black like Condoleezza Rice, who bought shoes in Ferragamo in 
 Manhattan this week.
 
 Bush got found out this week and he needs his own rescue. Assure Giuliani 
 that he could run for president if he does the job. As New York found, he can 
 do nothing good about anything. That doesn't matter. Without somebody in 
 front, Bush stands there, uncovered, without an 

Re: While Bush fiddles, New Orleans dies

2005-09-07 Thread Stephen J. Wilcox

Apologies to the 'dawg..

perhaps those responsible would stop, its not very amusing

Steve

On Wed, 7 Sep 2005, Fergie (Paul Ferguson) wrote:

 I absolutely am _not_ responsible in any way, shape, or form, for those
 messages.
 
 While some of my posts skirt the ever-changing topicality of the list, you
 have to admit -- I always send directly from my webmail account (wouldn't
 dream of sending from my corporate account :-)
 
 - ferg

 -- Robert E.Seastrom [EMAIL PROTECTED] wrote:
 
 Stephen J. Wilcox [EMAIL PROTECTED] writes:
 
  wheres the ops in this? 
 
  dont get me wrong, i'm sympathetic with new orleans and also
  definitely not a bush supporter but this is verging on incitement
  and i dont see the point of the post to here
 
 My guess: someone who doesn't like Paul (and there are plenty of
 people who have groused privately about his prolific posting of
 current news stories) is trying to make him look bad (or doing a
 savage parody, depending on how you look at it) by abusing the
 http://www.tribuneinteractive.com/ mail someone this story feature.
 Look at the headers...  it was obviously sent by tribuneinteractive,
 and it's pretty unlike Paul to do something like this.
 
 So that's my hypothesis anyway.  We'll wait till Paul is awake to be
 able to confirm or deny it.
 
 ---Rob
 
 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  [EMAIL PROTECTED] or [EMAIL PROTECTED]
  ferg's tech blog: http://fergdawg.blogspot.com/
 
 



Re: P2P Darknets to eclipse bandwidth management?

2005-09-02 Thread Stephen J. Wilcox

On Thu, 1 Sep 2005, Fergie (Paul Ferguson) wrote:

 Interesting article, and something I think that will certainly become an
 issue for ISPs. Is this a real issue ISPs are thinking about?

Its a concern..
 Encrypted P2P networks will soon make bandwidth management based on deep
 packet inspection obsolete, says Staselog, a Finnish appliance outfit.

obsolete is one of those words folks like to use to make an impact, then later 
fall on their face.. like the internet will implode and all that.

packet inspection will just evolve, thats the nature of this problem.. there are
things you can find out from encrypted flows - what the endpoints and ports are,
who the CA is. then you can look at the characteristics of the data.

 Around 80 per cent of all traffic in the Internet is already P2P. This traffic
 will increase 1,000-fold in the next five years and most of it will be
 encrypted P2P, according to a study by Staselog and researchers at Finnish
 Universities.

maybe, 5 year predictions are at best voodoo, who knows what next years killer 
app will be, or the year after, or the year after

 Overlooking the point that this kind of smells like a pitch for Staselog, I'd
 be curious to hear of this is an issue on ISP bandwidth management radar... or
 already is...

i can tell you what 95% of my traffic is currently, the other 5% i dont care

Steve
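
An added example, not part of the thread or of any vendor's product: the kind of
metadata-only heuristics the reply above alludes to, run over a handful of
constructed flow records. Nothing looks inside the payload beyond measuring its
byte entropy (a rough "is this encrypted" signal); the rest is endpoints, ports
and byte counts per direction. The hosts, addresses, flow records and thresholds
are all made up for illustration.

```python
"""
Added example, not from the thread: flow-metadata heuristics for spotting
encrypted P2P without decrypting anything. Records and thresholds are
constructed assumptions for illustration only.
"""
import math
from collections import defaultdict


def byte_entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, well below for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in, first_payload_bytes)
FLOWS = [
    # Host A: many peers, high ports, near-symmetric volumes, high-entropy payload.
    ("10.0.0.5", "198.51.100.%d" % i, 6880 + i, 5000 + 100 * i, 4800 + 90 * i, bytes(range(256)))
    for i in range(1, 13)
] + [
    # Host B: two peers on 443, mostly inbound, high-entropy payload (plain TLS client).
    ("10.0.0.7", "203.0.113.10", 443, 2000, 90000, bytes(range(256))),
    ("10.0.0.7", "203.0.113.11", 443, 1500, 45000, bytes(range(256))),
    # Host C: one peer on 80, cleartext HTTP.
    ("10.0.0.9", "203.0.113.12", 80, 800, 30000, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n" * 8),
]


def host_features(flows):
    """Aggregate per-source features from flow records."""
    per_host = defaultdict(list)
    for src, dst, dport, out_b, in_b, payload in flows:
        per_host[src].append((dst, dport, out_b, in_b, payload))
    feats = {}
    for src, recs in per_host.items():
        n = len(recs)
        feats[src] = {
            "peers": len({r[0] for r in recs}),
            "high_port_frac": sum(1 for r in recs if r[1] >= 1024) / n,
            # min/max of the two directions: close to 1 when upload and download balance
            "symmetry": sum(min(r[2], r[3]) / max(r[2], r[3]) for r in recs) / n,
            "encrypted_frac": sum(1 for r in recs if byte_entropy(r[4]) >= 7.0) / n,
        }
    return feats


def classify_host(f):
    """Illustrative thresholds only; a real deployment would tune these."""
    p2p_like = f["peers"] >= 8 and f["high_port_frac"] >= 0.8 and f["symmetry"] >= 0.5
    encrypted = f["encrypted_frac"] >= 0.5
    if p2p_like:
        return "likely-p2p-encrypted" if encrypted else "likely-p2p-cleartext"
    return "client-server-encrypted" if encrypted else "client-server-cleartext"


def classify_hosts(flows):
    """Map each source host to a label."""
    return {src: classify_host(f) for src, f in host_features(flows).items()}


if __name__ == "__main__":
    for src, label in sorted(classify_hosts(FLOWS).items()):
        print(src, label)
```

The point of the exercise is that encryption hides what is being transferred,
not who is talking to whom, on which ports, how much in each direction, or how
random the bytes look; the fan-out and symmetry features above are what survive
once payload signatures stop working.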



Re: trying to move web site for New Orleans schools

2005-09-01 Thread Stephen J. Wilcox

get the school to contact netsol, they can authorize it without the sysadmin...

On Thu, 1 Sep 2005, Mark Boolootian wrote:

 
 
 Outside the NANOG charter, but given the current circumstances, this seemed 
 to be a reasonable forum for suggestions on solving this problem.  
 
 ---
 
 Subject: Web aid
 Date: Thu, 01 Sep 2005 09:05:22 -0500
 From: Paul Tatarsky [EMAIL PROTECTED]
 
 
 This is something that until a few minutes ago I never even
 considered as part of this whole Hurricane fallout. 
 
 I got a call from a high school friend who lived in New Orleans. 
 He's in Florida now. 
 
 There is a emerging need to use the web to help scattered folks
 get status from schools, businesses, etc. Many many servers are gone. 
 People are at relatives homes and are trying to use the Internet
 to get status. 
 
 They want to swing DNS for their kids school to a new server but
 cannot contact their sysadmin who has the accounts at Network Solutions.
 Does anybody have an idea how to solve that? 
 
 But, I'm starting to setup a template BSD machine to provide basic
 web vhosts and squirrel mail. We're going to start with his kids
 school. 
 
 Here's all that is currently left electronically:
 
 http://64.233.167.104/search?q=cache:009iQtpHviwJ:www.stuarthall.org/+hl=enlr=strip=1
 
 
 Paul Tatarsky[EMAIL PROTECTED]
 Sysadmin Consultant(608) 441-7365
  http://www.tatarsky.com/
 
 



Re: Order of ASes in the BGP Path

2005-08-30 Thread Stephen J. Wilcox

On Tue, 30 Aug 2005, Abhishek Verma wrote:

 Since i smell some traces of sarcasm here.
 
 On 8/30/05, Randy Bush [EMAIL PROTECTED] wrote: 
  
   I thank everyone who took time off their busy schedules and answered me 
  on
   this. I now understand that people do look at the AS_PATH and the order 
  of
   ASes is important for debugging, etc.
  
  and thank you for reading the rfc
 
  Randy,
  I respect your knowledge and wisdom and that of other people on this list
 here which is why i asked this question. Yes, i have gone through the RFC 1771
  thoroughly and trust me it does not mention any other use of this Path
 attribute, except for the path length/loop detection. People on this list have
 a *lot* of experience and its these people who actually use this protocol.
  To me these were the best people to tell me if they indeed use it for other
 purposes also.

from time to time people say 'but the rfc says...'. but theres a big place for 
precedent and common practice too.

Steve



Re: Order of ASes in the BGP Path

2005-08-29 Thread Stephen J. Wilcox

On Mon, 29 Aug 2005, Abhishek Verma wrote:

 
 Hi,
 
 Is the order of AS numbers (except for perhaps the first one which
 denotes the AS the route was originated from) in the AS_PATH in BGP
 important? In fact, does anybody even care for the first AS number
 that appears in the Path?
 
 AFAIK, AS numbers in the BGP serves two purposes. It helps in loop
 detection and it helps us count the AS Path length.
 
 If this is the case then the order should not really matter much.
 
 My question is that whether the operators care if the order, for some
 reason changes?
 
 Eg.
 
 Legend: {} denotes the sequence, while [] denotes the set
 
 Path {1 2} [3 4] {5} 
 
 Would somebody mind if this was represented as {1 2 5} [3 4] ?

I'd mind, I value the predictability and ability to understand how a bgp path 
arrives into my network. Fiddling with this kind of thing is quite similar to 
spoofing in some ways, particularly that I can see fabricating the as-path 
could be used to confuse folks tracing announcements, perhaps I'm missing the 
positive use for this.

As no one has asked yet, allow me.. what are you trying to do?

Steve
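
An added example, not part of the thread above or of any BGP implementation: a
small AS_PATH codec together with the two uses the RFC gives the attribute (path
length and loop detection) and the operational reading the reply describes
(which neighbour handed us the route and which AS originated it). It then checks
which of those properties the two representations from the question agree on.
Segment type codes are the RFC 4271 section 4.3 values (AS_SET = 1,
AS_SEQUENCE = 2); two-byte AS numbers and the local AS 65000 are assumptions for
brevity.

```python
"""
Added example, not from the thread: AS_PATH encode/decode, the RFC-defined
uses (length, loop detection) and the operational ones (neighbour, origin).
Two-byte AS numbers are assumed for brevity.
"""
import struct

AS_SET = 1        # RFC 4271 section 4.3
AS_SEQUENCE = 2


def encode_as_path(segments):
    """segments: list of (segment_type, [asn, ...]) -> attribute value bytes."""
    out = bytearray()
    for seg_type, asns in segments:
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("bad segment type %r" % seg_type)
        if not 0 < len(asns) <= 255:
            raise ValueError("segment must hold 1..255 ASes")
        out += struct.pack("!BB", seg_type, len(asns))
        out += struct.pack("!%dH" % len(asns), *asns)
    return bytes(out)


def decode_as_path(data):
    """Inverse of encode_as_path; rejects truncated or malformed segments."""
    segments, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, n = struct.unpack_from("!BB", data, pos)
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        if n == 0 or len(data) - pos < 2 * n:
            raise ValueError("bad segment length")
        segments.append((seg_type, list(struct.unpack_from("!%dH" % n, data, pos))))
        pos += 2 * n
    return segments


def path_length(segments):
    """RFC 4271 9.1.2.2: each AS in an AS_SEQUENCE counts 1, a whole AS_SET counts 1."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in segments)


def has_loop(segments, local_as):
    """Loop detection: the route is dropped if our own AS appears in any segment."""
    return any(local_as in asns for _, asns in segments)


def neighbour_as(segments):
    """Leftmost AS of the leading AS_SEQUENCE: the peer that announced the route to us."""
    for t, asns in segments:
        if t == AS_SEQUENCE:
            return asns[0]
    return None


def origin_as(segments):
    """Rightmost AS of a trailing AS_SEQUENCE; None if the path ends in an AS_SET."""
    t, asns = segments[-1]
    return asns[-1] if t == AS_SEQUENCE else None


def compare_paths(a, b, local_as):
    """Which properties two encodings of 'the same' path agree on."""
    return {
        "length": path_length(a) == path_length(b),
        "loop": has_loop(a, local_as) == has_loop(b, local_as),
        "neighbour": neighbour_as(a) == neighbour_as(b),
        "origin": origin_as(a) == origin_as(b),
    }


# The two representations from the question: {1 2} [3 4] {5} and {1 2 5} [3 4].
ORIGINAL = [(AS_SEQUENCE, [1, 2]), (AS_SET, [3, 4]), (AS_SEQUENCE, [5])]
REWRITTEN = [(AS_SEQUENCE, [1, 2, 5]), (AS_SET, [3, 4])]

if __name__ == "__main__":
    assert decode_as_path(encode_as_path(ORIGINAL)) == ORIGINAL
    print(compare_paths(ORIGINAL, REWRITTEN, local_as=65000))
```

Run stand-alone it reports that length and loop detection come out the same for
both forms, and so does the announcing neighbour, but the origin does not: once
AS 5 is folded into the leading sequence the path ends in an AS_SET and the
receiver can no longer tell who originated the prefix, which is exactly the
traceability the reply above is worried about.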



Re: speaking of lynn...

2005-08-13 Thread Stephen J. Wilcox

On Sat, 13 Aug 2005, Gadi Evron wrote:

 Cisco flaw presentation spreads across the Web
 
 FBI Investigation...
 
 New copies of Michael Lynn's presentation on the Cisco router operating
 system flaw are springing up faster than the lawyers can take them down
 
 Cisco's lawyers are sending out cease-and-desist notices to Web sites that
 have published a controversial presentation by ex-Internet Security Systems
 (ISS) employee Michael Lynn that exposes the potential dangers of a flaw in
 the network giant's router operating system.The presentation, which was due to
 be given by Lynn at the Defcon conference in Las Vegas last week, was
 cancelled after legal threats from Cisco and ISS. The parties resolved the
 matter on Thursday last week.

i guess they're still reacting to old information. this one is well and truly in
the public domain, heck.. if you google you can find foreign language 
translations of it 

i've not seen any discussion on the application of the information.. is there 
any working exploit code yet?

Steve



Re: Cisco crapaganda

2005-08-12 Thread Stephen J. Wilcox

Hi Rich,

 A. If open publication of the full source code of XYZ would render it
 insecure, then XYZ is _already_ insecure.

i like that way of looking at it..
 
 B. In analyzing any attack, it's prudent to presume that the attackers have
 the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

 It's time to level the playing field.  It's time for all the vendors to
 publish ALL the source code so that we at least have the same information as
 our adversaries.

thats going to be a leap too far, its not an issue of security its a question of
property and value 

 [1] Either because it leaked (discarded computer equipment, backup tapes,

source code is much wider distributed than people might think, its possible to 
be a contractor (individual or company) or for example in MS's case a partner 
and get source code supplied under NDA

 what's the dollar value on the open market of, oh, let's say, the full source
 code to one of Cisco's popular routers? Maybe $100K?  $250K?  Maybe more,
 considering what it might facilitate?

naww. $0. pre IOS-12 versions are in circulation already, 12.something was 
partially leaked a year or two ago, and i'm sure other bits can be picked up.

who would be willing to pay? not companies, thats illegal. blackhats? maybe, but
they can just grab the circulating bootlegs

 Whatever that number is, that's the amount that prospective attackers may be
 presumed to be willing to spend to get it.  And whether they spend it on RD,
 or paying someone who's already done the RD, or just cutting to the chase and
 paying off someone with access to it, doesn't really matter: if they're
 willing to spend to the money, they _will_ get it.

wonder why they dont already have it, maybe they do...

Steve



Re: Fiber cut in SJ

2005-08-08 Thread Stephen J. Wilcox

Maybe a market difference.. most maps I've obtained in the UK have been under 
NDA with established relationships already. Altho I suspect they're more 
concerned at showing me who's duct and fiber they're actually on..

Steve

On Sun, 7 Aug 2005, Joe McGuckin wrote:

 
 Stephen,
 
 The point I'm trying to make is that over classifying everything as 'secret'
 or 'confidential' at this late date is useless. The horse is already out of
 the barn. 
 
 You can omit the site of a fiber backhoe accident from an email and say it's
 due to security concerns, but I can call any telecom vendor who sells SONET
 or metro ethernet services and get them to fax me a map of their network. At
 the very minimum all I have to do is keep an eye out for USA markings on the
 street. Or I could call USA and the next day people with paint cans would be
 marking up the street, showing me exactly where to dig.
 
 If someone wants to cause trouble, the information they need is freely
 available. The so-called security provisions most telecom companies use are
 just enough to deter curious teen-agers.
 
 On 8/7/05 8:15 AM, Stephen J. Wilcox [EMAIL PROTECTED] wrote:
 
  
  
  On Sat, 6 Aug 2005, Joe McGuckin wrote:
  
  
  On 8/5/05 8:12 PM, George William Herbert [EMAIL PROTECTED] wrote:
  
  First, an electrical contractor backhoed a large fiber
  link in downtown San Jose (address deleted due to security
  concerns) this morning, causing moderate damage.
  
  That's just plain silly. As if we (or even your imagined 'terrorist') don't
  know where the fiber runs around here.
  
  well.. theres lots of ducting going down streets but not that many folks know
  which of them are the major cable routes, i think keeping specific detail
  discreet is reasonable
  
  in a fire near where i am a couple years ago:
  http://www.theregister.co.uk/2002/10/23/arson_suspected_in_manchester_cable/
  
  it seemed a bit of a coincidence that both the active and protect paths of a
  major sdh route got hit in this attack and it took out a lot of long distance
  circuits
  
  Steve
  
 
 



Re: Fiber cut in SJ

2005-08-07 Thread Stephen J. Wilcox


On Sat, 6 Aug 2005, Joe McGuckin wrote:

 
 On 8/5/05 8:12 PM, George William Herbert [EMAIL PROTECTED] wrote:
 
  First, an electrical contractor backhoed a large fiber
  link in downtown San Jose (address deleted due to security
  concerns) this morning, causing moderate damage.
 
 That's just plain silly. As if we (or even your imagined 'terrorist') don't
 know where the fiber runs around here.

well.. theres lots of ducting going down streets but not that many folks know 
which of them are the major cable routes, i think keeping specific detail
discreet is reasonable

in a fire near where i am a couple years ago:
http://www.theregister.co.uk/2002/10/23/arson_suspected_in_manchester_cable/

it seemed a bit of a coincidence that both the active and protect paths of a 
major sdh route got hit in this attack and it took out a lot of long distance 
circuits

Steve



Re: RFC for Mask/Gateway

2005-08-05 Thread Stephen J. Wilcox

On Fri, 5 Aug 2005, Scott Altman wrote:

 
 Apologies upfront for my not being able to successfully google this on my 
 own...
 
 Is there an RFC or other standard that specifies that IPv4 connected
 devices must support the concepts of Subnet Mask and Default Gateway?
 
 I have a kludgy (- technical term) vendor that has developed a custom
 AP that only has an IP address.  Whilst cleaning up our network and
 turning off proxy-arp, lo and behold, it isn't really all that
 functional anymore.

like IP: http://www.faqs.org/rfcs/rfc791.html

hth

Steve



Re: RFC for Mask/Gateway

2005-08-05 Thread Stephen J. Wilcox

On Fri, 5 Aug 2005, Jay R. Ashworth wrote:

 
 On Fri, Aug 05, 2005 at 03:09:53PM -0400, [EMAIL PROTECTED] wrote:
  On Fri, 05 Aug 2005 13:55:58 CDT, Scott Altman said:
   Is there an RFC or other standard that specifies that IPv4 connected
   devices must support the concepts of Subnet Mask and Default Gateway?
  
  No, because there's plenty of applications (embedded systems, for example),
  where you have no need or desire to be able to talk to things off-local-net.
 
 Which doesn't really excuse you from subnet mask, I wouldn't think.
 
 You clearly don't need a default gateway if you're not going to reply
 to off-net packets, but how would you identify broadcast packets if you
 didn't know the netmask?

all bits set in the dst mac is one way.. not sure how you send them tho if you 
dont know the dstIP to put into the packet

Steve

   I have a kludgy (- technical term) vendor that has developed a custom
   AP that only has an IP address.
  
  Be afraid. Be very afraid.  Any vendor in *this* year who makes gear that
  is supposed to connect edge devices to the rest of the net but doesn't
  get the ideas of subnet masks and default gateways should be feared.
 
 Indeed, run far, far away.
 
 And yes, Scott: RFC 791.  It's not just a good idea...
 
 Cheers,
 -- jra
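
An added example, not part of either reply in this thread: the per-packet
decision an IPv4 host makes once it has a subnet mask and a default gateway,
next to what a device that knows only its own address can do. The "AP that only
has an IP address" is modelled as a host with no mask: it cannot tell on-link
from off-link (nor recognise the directed broadcast, only the all-ones limited
broadcast), so it ARPs for every destination, which only works while the router
answers those ARPs on its behalf (proxy ARP). Addresses are constructed for the
example.

```python
"""
Added example, not from the thread: IPv4 next-hop selection with and without
a subnet mask / default gateway, and the proxy-ARP dependency that turning
proxy-arp off exposes. Addresses are constructed for illustration.
"""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst, host_ip, prefix_len=None, gateway=None):
    """
    Return (action, target) where action is one of:
      'local'       - addressed to ourselves
      'broadcast'   - limited (255.255.255.255) or directed broadcast
      'direct'      - on-link: ARP for dst itself
      'gateway'     - off-link: ARP for the default gateway and send there
      'unreachable' - off-link with no gateway configured
    prefix_len=None models a device that knows only its own address.
    """
    dst = ipaddress.IPv4Address(dst)
    host = ipaddress.IPv4Address(host_ip)
    if dst == host:
        return ("local", str(dst))
    if dst == LIMITED_BROADCAST:
        return ("broadcast", str(dst))
    if prefix_len is None:
        # Without a mask there is no network to compare against, so the only
        # option is to treat everything as on-link and ARP for it directly.
        return ("direct", str(dst))
    net = ipaddress.IPv4Network("%s/%d" % (host, prefix_len), strict=False)
    if dst == net.broadcast_address and net.prefixlen < 31:
        return ("broadcast", str(dst))
    if dst in net:
        return ("direct", str(dst))
    if gateway is None:
        return ("unreachable", str(dst))
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        raise ValueError("default gateway %s is not on-link for %s" % (gw, net))
    return ("gateway", str(gw))


def needs_proxy_arp(dst, host_ip, prefix_len, gateway):
    """
    True when the mask-less device would ARP for dst directly while a properly
    configured host would hand the packet to the gateway: the router has to
    answer that ARP (proxy ARP) or the device's packet never leaves the LAN.
    """
    maskless = classify_destination(dst, host_ip)
    proper = classify_destination(dst, host_ip, prefix_len, gateway)
    return maskless[0] == "direct" and proper[0] == "gateway"


if __name__ == "__main__":
    # Constructed host 192.0.2.10/24 with gateway 192.0.2.1.
    for dst in ("192.0.2.20", "192.0.2.255", "198.51.100.5", "255.255.255.255"):
        print(dst, classify_destination(dst, "192.0.2.10", 24, "192.0.2.1"),
              "proxy-arp needed:", needs_proxy_arp(dst, "192.0.2.10", 24, "192.0.2.1"))
```

With proxy-arp enabled on the router the difference is invisible; switch it off
and every off-subnet destination the mask-less device tries to reach simply
times out in ARP, which is the "isn't really all that functional anymore"
symptom from the original question.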
 



/8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

Ok, back up a second

126/8   Jan 05   APNIC   (whois.apnic.net)

inetnum:  126.0.0.0 - 126.255.255.255
netname:  BBTEC
descr:Japan Nation-wide Network of Softbank BB Corp.
status:   ALLOCATED PORTABLE
changed:  [EMAIL PROTECTED] 20050208


i thought the decade of giving class A's to large corporates had long since 
passed.. we've got some major network rollout coming up, i need an extra 16 
million IPs, so can i get one?

wtf?

Steve



Re: /8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

Hi David,
 I realise that but:

1. Softbank BB is not on my radar of likely /8 candidates (of course, geography 
may be the reason for that)

2. We know cable companies, dsl providers and mobile companies can use this many
IPs, but they generally seem to make use of NAT and IPv6. If everyone in this 
category who could justify a /8 applied and received them we might be in real 
trouble with our IPv4 space.

I had said elsewhere this was unprecedented but was then pointed at 73.0.0.0/9, 
73.128.0.0/10 which is Comcast assigned in April. I'm surprised none of these 
assignments have shown up on mailing lists..

Steve

On Thu, 4 Aug 2005, David Conrad wrote:

 Stephen,
 
 If you can justify a /8, ARIN will allocate one to you (not that I  
 speak for ARIN or anything, but that's how things work).  Presumably  
 Softbank BB justified the /8 APNIC allocated to them.
 
 Rgds,
 -drc
 
 On Aug 4, 2005, at 11:07 AM, Stephen J. Wilcox wrote:
 
 
  Ok, back up a second
 
  126/8   Jan 05   APNIC   (whois.apnic.net)
 
  inetnum:  126.0.0.0 - 126.255.255.255
  netname:  BBTEC
  descr:Japan Nation-wide Network of Softbank BB Corp.
  status:   ALLOCATED PORTABLE
  changed:  [EMAIL PROTECTED] 20050208
 
 
  i thought the decade of giving class A's to large corporates had  
  long since
  passed.. we've got some major network rollout coming up, i need an  
  extra 16
  million IPs, so can i get one?
 
  wtf?
 
  Steve
 
 
 



Re: /8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

On Thu, 4 Aug 2005, Daniel Roesen wrote:

 So you ask folks to resort to hacks like NAT or force IPv6-only to their users
 when there is still a lack-of-content problem there? Can you show me your
 business plan draft for that? I'm curious. :-)

ok, thats not what i mean.. i am saying /8,/9 etc are not normal

  If everyone in this category who could justify a /8 applied and
  received them we might be in real trouble with our IPv4 space.
 
 We are already, but you seem to have your head firmly sticking in the
 sand, together with the content providers. :-)

i thought we had years to go according to some decent sources?

 It looks like IPv4 space really needs to run out before the residential
 access ISPs are really being forced to IPv6 and thus the content providers
 wake up too.
 
 BTW, Softbank got 2400:2000::/20.
 
  I had said elsewhere this was unprecedented but was then pointed at
  73.0.0.0/9, 73.128.0.0/10 which is Comcast assigned in April. I'm surprised
  none of these assignments have shown up on mailing lists..
 
 Why should they? Business as usual. :-)
 
 I hope that more ISPs stop doing NAT/RFC1918 and just request whatever they
 need.

how long does it take such an org to use 16 million IPs? based on the above 
comment of '..need to run out' should they not maybe get 1million then come back
when they use it all to give some other folks a chance?

i'm not suggesting denying anyone the IPs they require but i am suggesting we 
shouldnt steam ahead into exhaustion either

Steve



Re: Cisco gate and Meet the Fed at Defcon....

2005-08-03 Thread Stephen J. Wilcox

On Wed, 3 Aug 2005, Bill Woodcock wrote:

  note image size of 11/12/16 mb... note that many (most?) 2500's don't have
  16M flash.
 
 If you feel like keeping 2500s in service, rather than replacing them with
 something that holds NM-32As, the flash problem is easily resolved for less
 than US$50:
 
 http://www.memorydealers.com/8mbcisthirpa.html

to be fair... 2500s are quite useful for things other than what their original 
purpose intended, but that usefulness diminishes with memory upgrades that are 
comparable in price to the value of the router

having said that, as they are often not used as public routers, a suitably
placed acl/fw can keep them out of harm's way and still run the old code

Steve



Re: Tiscali switches to Public-Root?? What do you think?

2005-08-02 Thread Stephen J. Wilcox


On Mon, 1 Aug 2005, Stephen J. Wilcox wrote:

 
 On Mon, 1 Aug 2005, Bjørn Mork wrote:
 
  The poor guy/gal at the other end of the line will need a really good
  answer.  Does anyone here have one?
 
 to avoid being technical i guess the only answer would be to say this is a
 private service offered to tiscali users and is not available to any non
 tiscali users (you might want to point out this is 99.9% of the world in case
 $cust feels like switching)
 
  Not to mention the answers we need for the market droids...
  
  Hey, I heard that Tiscali is offering more Internet than us at no
  extra cost, and they make a lot of money on it too.  How soon can we
  start doing the same?
 
 tell them you've been able to do it all along, its your network and you can 
 provide any unique content that you like, providing they understand this is 
 unique for your custs only .. think intranet
 
  This puts a lot of pressure on other European ISPs, and eventually also North
  American ISPs (to make this on-topic :-) I hope the rest of us can stand
  together against it.  A good start would be to come up with a common response
  to the two pressure groups outlined above.
 
 a better worded explanation on a webpage would be good i guess...
 
 anyway, i'm off to the UNIDT website, i hear '.tiscali' hasnt been registered
 yet ;p

replying to myself. bad :)

had this pointed out.. these are official according to inaic
http://inaic.com/index.php?p=faq006

and resolving all known tlds seems a bit of a stretch, i think they've missed 
my '.foobar' tld on my local nameservers..

http://inaic.com/index.php?p=faq014


also for added humour, from the press release
http://inaic.com/index.php?p=tiscali-introduces

following the link: http://home.tiscali/

doesnt seem to work for me, hmm.. not great to have a broken link in a public 
press release ;)

Steve



Re: as numbers

2005-08-01 Thread Stephen J. Wilcox

On Sun, 31 Jul 2005, Geoff Huston wrote:

 So - to NANOG at large - if you want your vendor to include 4-Byte AS support
 in their BGP code anytime soon, in order to avoid some last minute panic in a
 couple of years hence, then it would appear that you should talk to them now
 and say clearly that you want 4-Byte AS support in your BGP software right
 now.

Geoff, excellent idea..

before I forward this email to my suppliers tho, is there a reference I can
send.. excuse my ignorance but I'm not familiar with research done on 4-byte
ASNs, is there a proposed standard implementation?

If I have something definite to request I will immediately send those emails,

Steve



Re: Tiscali switches to Public-Root?? What do you think?

2005-08-01 Thread Stephen J. Wilcox

On Mon, 1 Aug 2005, Bjørn Mork wrote:

 The poor guy/gal at the other end of the line will need a really good
 answer.  Does anyone here have one?

to avoid being technical i guess the only answer would be to say this is a
private service offered to tiscali users and is not available to any non
tiscali users (you might want to point out this is 99.9% of the world in case
$cust feels like switching)

 Not to mention the answers we need for the market droids...
 
 Hey, I heard that Tiscali is offering more Internet than us at no
 extra cost, and they make a lot of money on it too.  How soon can we
 start doing the same?

tell them you've been able to do it all along, its your network and you can 
provide any unique content that you like, providing they understand this is 
unique for your custs only .. think intranet

 This puts a lot of pressure on other European ISPs, and eventually also North
 American ISPs (to make this on-topic :-) I hope the rest of us can stand
 together against it.  A good start would be to come up with a common response
 to the two pressure groups outlined above.

a better worded explanation on a webpage would be good i guess...

anyway, i'm off to the UNIDT website, i hear '.tiscali' hasnt been registered
yet ;p

Steve



Re: Cisco cover up

2005-07-28 Thread Stephen J. Wilcox

On Wed, 27 Jul 2005, James Baldwin wrote:

 Cisco had initially approved this talk. My understanding is that this has been
 fixed and no current IOS images were vulnerable to the techniques he was
 describing. ISS, Lynn, and Cisco had been working together for months on this
 issue before the talk.

Just because they fixed the bugs doesnt mean there arent a large number of 
publically accessible routers out there still running affected versions..

I suspect there was something slightly more than just giving information about
the vulnerabilities.. the inference is that they demonstrated executing
arbitrary code from buffer overflows.. perhaps for example they developed ways
of opening up privilege vty which I dont think has been shown before

Steve



Re: OMB: IPv6 by June 2008

2005-07-09 Thread Stephen J. Wilcox

intel systems can do this.

forget the talk of juniper t320s in the core.. you are talking about the problem
caused by multihoming and multihoming prefixes are not originated typically by
such large and expensive routers but by small cheap systems at the edge.

Steve

On Sat, 9 Jul 2005, Alexei Roudnev wrote:

 
 It's chicken and egg problem. They do not have 4 Gb, because they do not need
 it_now_. technically it is not a problem even today.
 Small RAID systems have 1 Gb RAM easily.
 
 Line cards do not need so much memory - they can always cache routing
 tables. Just again - it is not _technical_ problem.
 IPv6 addresses a problem which does not exist in reality.
 
 
 - Original Message - 
 From: Christopher L. Morrow [EMAIL PROTECTED]
 To: Alexei Roudnev [EMAIL PROTECTED]
 Cc: NANOG nanog@merit.edu; Brad Knowles [EMAIL PROTECTED]
 Sent: Friday, July 08, 2005 11:12 PM
 Subject: Re: OMB: IPv6 by June 2008
 
 
 
 
  randy already asked for a kibosh on the lunacy here... I agree, it'd be
  nice, but...
 
  On Fri, 8 Jul 2005, Alexei Roudnev wrote:
 
  
    You do not need to - any router has only `1 - 10% of all routing table
    active, and it is always possible to optimize these algorithms.
  
 
   and routing vendor's haven't already done some optimizing you think?
 
   On the other hand - what's wrong with 4Gb on line card in big core
 router?
 
  oh, please please name the router vendor that has 4gb of 'ram'
  (tcam/fpga/asic-'memory') on the 'linecard'. Oh, can't come up with one?
  One wonders why that is? If the solution were as simple as: Joe, add
  1.21jigawatts of memory to the linecard so we can support +1M routes
  Don't you think the vendor would have done this to get people to stop
  bitching at them?
 
   It's cheap enough, even today. And we have not 1,000,000 routes yet.
  
 
  In YOUR network you don't... I'd venture to guess there are quite a few
  very large networks with +1M routes in them today.
 
  remember though, I'm the chemical engineer... and I was trained to MAKE
  the crack cocaine...
 
 



Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread Stephen J. Wilcox

I didnt realise it was that time of year again already, it feels like only a 
couple months since the last annual alternate root debate.

Still its nice to see all the old kooks still alive and well and not yet locked 
up in mental homes. I'd better do my part to feed the trolls i guess...

On Sat, 9 Jul 2005, John Palmer (NANOG Acct) wrote:

 Please prove that Inclusive Namespace roots put name resolution at risk.

No proof is needed, this is not maths. If there are two roots then a query to 
each server has the potential to return a different reply. The chance of this 
happening increases over time plus if an alternate root were to become popular 
their power to challenge authority if a class were found grows.

  Client side users, conversely, expect that published addresses by businesses
  or individuals go to the intended party.

This is the key point, clients and domain owners need this consistency. Read
this a few times and consider how you'd feel if $large_provider decided to point
your domain name or their competitors domains to their website .. its the same
problem.

  Introducing fragmented TLDs or the opportunity to supplant the common TLDs
  places the DNS infrastructure at risk.  This is not just FUD -- DNS
  hijacking in alternate roots has already happened.  (But if you had actually
  read RFC2826, you would already understand this.)
 
 Please post a link or give an example. If you mean .BIZ, I would agree, it was
 hijacked, but by ICANN, not by any Inclusive Roots. It belonged to
 AtlanticRoot and ICANN deliberately created a collision. Collisions cause
 instability and the biggest one was caused by ICANN.

Those who consider ICANN the authority would disagree, I believe those are the 
majority.

Steve



Re: OMB: IPv6 by June 2008

2005-07-09 Thread Stephen J. Wilcox

On Sat, 9 Jul 2005, [EMAIL PROTECTED] wrote:

 On Sat, 09 Jul 2005 18:14:48 BST, Stephen J. Wilcox said:
  forget the talk of juniper t320s in the core.. you are talking about the
  problem caused by multihoming and multihoming prefixes are not originated
  typically by such large and expensive routers but by small cheap systems at
  the edge.
 
 Yes, but how well does that multihoming work if the Junipers in the core
 can't/ won't carry your announcement? Currently, multihoming only works
 because it's cost-shifting - the pain of carrying the announcement is felt by
 the carriers, not the originators.

sorry, my point was perhaps unclear.. it was suggested that the increasing
requirements to operate routers would be a natural prevention to multihoming.. i
am saying that it is not the multihomers at the edge feeling that pain it is
those already in the core

Steve



Re: what will all you who work for private isp's be doing in a few years?

2005-05-11 Thread Stephen J. Wilcox

On Wed, 11 May 2005, Matt Bazan wrote:

 why in the world would anyone want to purchase dsl from a private reseller
 when i can get 4mb down 384 up from comcast for $25?  think you dsl resellers
 out there are doomed.  in fact, just a matter of time before most of you isps
 are down the toilet.  im reminded of the mom and pop grocery store phenomenon
 that has now been replaced by the kohls, ap, whole foods etc.  of course
 there will always be niche markets but this is less applicable for a pure
 commodity like bandwidth.  yeah, i suppose you'll say something about value
 added services and such and you may have a point but i doubt that will keep
 the ship afloat for long.

Matt,
 first whats your affiliation and experience in this arena? That these markets 
exist and more profitably so than the large carriers suggest the problems you 
are raising dont exist.

What is your theory based on, you only cite your personal preference to buy from
Comcast which cannot be said to be indicative of the market. Grocery stores are
not comparable, this is a different industry and different market. Also
bandwidth is not a pure commodity, and DSL is not pure bandwidth.

I think your argument is at best uninformed, at worst non-existent.. you need to
provide some references, examples, figures, whatever.. else this is little more
than trolling.

Steve




Re: PAIX Outages

2005-04-29 Thread Stephen J. Wilcox

On Fri, 29 Apr 2005, Alexander Koch wrote:

 On Fri, 29 April 2005 13:04:05 +0100, Neil J. McRae wrote:
   and we happily overloaded our peers' interfaces at the respective other
   IX...
  
  That sounds more like a planning issue than anything else. If you have
  traffic going through a pipe, then you need to make sure you have somewhere
  else to send it. If you are managing your peers properly, private or public,
  there should be no issue.
 
 With public peering you simply never know how much spare capacity your peer
 has free. And would you expect your peer with 400 Mbit/s total to have 400
 reserved on his AMSIX port for you when you see 300 at LINX and LINX goes
 down?

what makes this a public peering issue.. i see a couple folks already made the 
point i wanted to do but just because you have capacity to a peer (on a public 
interface or a dedicated) PI doesnt mean they arent aggregating at their side 
and/or have enough capacity to carry the traffic where it needs to go

this is also about scale, i would hope you arent peering 400Mb flows across a 
1Gb port at an IX, this would imho not be good practice.. if your example were 
40Mb then it would be different or perhaps 400mb on a 10Gb port.

you might even argue there is more incentive to ensure public ix ports have 
capacity as congestion will affect multiple peers

Steve



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Stephen J. Wilcox

On Tue, 26 Apr 2005, Jerry Pasker wrote:

 I've been there -- I know how I feel about it -- but I'd love to know how ISP
 operations folk feel about this.
 
 It means 10 different things to 10 different people.  The article was 

yep, and the danger is you agree with the article and some politicians or
journalists think you are advocating a full police service which would be bad.

i do think we have an obligation to try to keep the net clean to a certain 
degree, think anti-ddos wg's etc but providing full security for all users is 
unrealistic. there seems to be some moves to offering partial security and this 
is probably a good thing eg blocking common ms ports will likely be effective.

Steve



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-25 Thread Stephen J. Wilcox

On Sun, 24 Apr 2005, Steve Gibbard wrote:

 
 On Sun, 24 Apr 2005, Robert M. Enger wrote:
 
  Steinar:
 
  There is a large body of work from competent and well known researchers 
  that assert the claim.  I certainly lack standing to question their 
  results.
 
  Empirically, download speeds to home are nearly cut in half (18Mbps) 
  from sources that are subjected to packet reordering along the path.
 
 I'm trying to sort out the various claims here, since I think right now 
 this is a case of people talking past each other, and arguing completely 
 different points.
 
 First of all, let's ditch the term PPLB.  The usual alternative to per 
 packet load balancing (what's been being talked about here) is per prefix 
 load balancing, which would also be PPLB.  The abbreviation is therefore 
 more confusing than anything else.
 
 Now, onto the argument that's going on here.
 
 Dean says per packet load balancing is coming, and then goes on to 
 assume it's going to be used in such a way that it will cause packets to 
 route through widely divergent paths.
 
 Several others have responded that that would cause packet reordering and 
 break TCP.
 
 Robert says that even used correctly (on identical circuits between the 
 same set of routers), per packet load balancing can cause packet 
 reordering.
 
 Steiner says that when used correctly, per packet load balancing causes 
 packet reordering only rarely, and speeds things up enough when it doesn't 
 that the slowdowns caused by occasional packet reordering may be worth 
 putting up with.
 
 Robert says well known researchers say that packet reordering is bad.
 
 So, as far as I can tell, everybody except perhaps Dean agrees that:
 
 - Used incorrectly (on divergent paths), per packet load balancing can
cause packet reordering.
 
 - Used correctly (on non-diverging paths), packet reordering doesn't
happen often.
 
 - Packet reordering is bad, and should be avoided.
 
 I'm less clear on Dean's position, but I think it's something along the 
 lines of:
 
 Per packet load balancing over divergent paths is coming, by fiat from 
 marketing departments even if engineers don't like it, and anything that 
 doesn't play well with it needs fixing.  While Dean focuses on anycast, 
 that would presumably extend to TCP and to anything jitter sensitive, such 
 as streaming audio or video.
 
 Anything that's being missed here, or does this sum it all up?

I think thats a fair summary.

So agreeing for a second with Dean that indeed this behaviour would appear to be
prohibited or at least inconsistent with the RFCs, the fact is anycast is widely
deployed and is proven to be stable.

Perhaps a solution to this is to look at what would be the best consistent view 
and to write an RFC to clarify this and obsolete the old ones that produce the 
inconsistency. I'm not sure what that would look like but that would appear to 
be a way to eliminate the theoretical problem..

Steve



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-23 Thread Stephen J. Wilcox

On Fri, 22 Apr 2005, Dean Anderson wrote:

 On Thu, 21 Apr 2005, Stephen J. Wilcox wrote:
 
  On Wed, 20 Apr 2005, Dean Anderson wrote:
  
   On Wed, 20 Apr 2005 [EMAIL PROTECTED] wrote:
   
     I'd rather expect this sort of behavior with anycasted servers...
    
    Where do you see any connection between anycast and ignoring DNS TTL? Or is
    this just part of your usual rant against anycast DNS service?
   
   The data he showed isn't necessarily ignoring ttl.  If there are multiple
   anycasted caching servers behind a specific IP address, then those several
   cache's will each have a different state.  Since, [as I
  
  I fail to see the correlation still.. anycasted caches should all be operating
  independently getting their DNS data from authoritative sources.
  
  If at any point one of them uses a TTL that it has not received from the
  authoritative source it is ignoring the ttl, where does anycast get involved
  with this particular problem?
 
 The queries produce different data, but none of the data is inconsistent 
 if there are different caches responding on the same address. Here is the 
 original description: (slightly reformatted with roman numerals)
 
   (I) I ran a query for a name in a zone I control that has a five minute 
 TTL on 204.127.198.4. The first query came up with 5 minutes. 
   (II) I quickly made  a change to the zone. 
   (III) Thirty seconds after the initial query, I try 
 again...err... and come up with the change. Hmm... Not caching at all? 
   (IV) Another 30 seconds and I get the change, with 5m TTL. 
   (V) Thirty seconds later, I get the original response with appropriately 
 decremented TTL. 
   (VI) Another thirty seconds, I get the change, with 4m TTL.
 
 Here is the detailed anycast explanation:
   (I) Cache 1 gets answer to query X? = Y
   (II) Authority changes X? to Z
   (III) Cache 2 gets answer to query X? = Z
   (IV) Cache 3 gets answer to query X? = Z
   (V) Cache 1 responds 
   (VI) Cache 3 responds
 
 No TTLs were ignored.

Ok gotcha, and your point seems valid except aiui the previous post was 
concerning providers who are actually overriding the TTL eg your zone has a 5m 
ttl, the provider caches it but sets TTL to 10 days.

i think this thread forked quite early :)

Steve
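
To make the two things this thread keeps conflating concrete, here is an added example (my own, not code from anyone in the thread) that replays Dean's six-step sequence against three independent caches sharing one anycast address, and beside it a resolver that really does override the authoritative TTL. Names, timings and the 5-minute record are constructed; the strict test used at the end is that independent caches never hand out a TTL larger than the authoritative one, so seeing one is evidence of an override rather than of anycast.

```python
"""Added example: independent caches behind one anycast address versus a
resolver that overrides TTLs.  All names, timings and records are constructed."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Authority:
    """Toy authoritative server: qname -> (value, ttl_seconds)."""
    zone: dict

    def lookup(self, qname):
        return self.zone[qname]


@dataclass
class Cache:
    """One caching resolver.  ttl_override, if set, models a provider that
    replaces the authoritative TTL with its own (what the thread calls
    'ignoring the TTL')."""
    name: str
    ttl_override: Optional[int] = None
    store: dict = field(default_factory=dict)

    def query(self, authority, qname, now):
        hit = self.store.get(qname)
        if hit is not None and hit[1] > now:
            value, expires = hit
            return value, expires - now            # remaining TTL, decremented
        value, auth_ttl = authority.lookup(qname)
        ttl = self.ttl_override if self.ttl_override is not None else auth_ttl
        self.store[qname] = (value, now + ttl)
        return value, ttl                          # fresh answer, full TTL


def anycast_replay(caches, schedule, authority, qname, change_at, new_value):
    """Replay queries against caches that share one address.
    schedule: list of (time, cache_index) saying which cache the routing
    system happens to deliver each query to.  The authority changes the
    record at change_at.  Returns the (time, value, ttl) a client sees."""
    seen = []
    changed = False
    for t, idx in sorted(schedule):
        if not changed and t >= change_at:
            value, ttl = authority.zone[qname]
            authority.zone[qname] = (new_value, ttl)
            changed = True
        value, ttl = caches[idx].query(authority, qname, t)
        seen.append((t, value, ttl))
    return seen


def classify(observations, auth_ttl):
    """Independent caches can only return TTLs <= the authoritative TTL, so a
    larger value is proof of an override; alternating values alone are not."""
    if any(ttl > auth_ttl for _, _, ttl in observations):
        return "ttl_overridden"
    return "consistent_with_independent_caches"


def dean_sequence():
    """Dean's steps (I)-(VI): cache1 at t=0, change, cache2 at 30, cache3 at
    60, cache1 again at 90, cache3 again at 120."""
    auth = Authority({"www.example.test.": ("Y", 300)})
    caches = [Cache("cache1"), Cache("cache2"), Cache("cache3")]
    schedule = [(0, 0), (30, 1), (60, 2), (90, 0), (120, 2)]
    return anycast_replay(caches, schedule, auth, "www.example.test.", 1, "Z")


def overriding_provider():
    """The case Steve describes: one cache that pins everything to 10 days."""
    auth = Authority({"www.example.test.": ("Y", 300)})
    caches = [Cache("override", ttl_override=10 * 86400)]
    schedule = [(0, 0), (30, 0)]
    return anycast_replay(caches, schedule, auth, "www.example.test.", 1, "Z")


if __name__ == "__main__":
    for t, v, ttl in dean_sequence():
        print(f"t={t:4d}  {v}  ttl={ttl}")
    print(classify(dean_sequence(), 300))
    print(classify(overriding_provider(), 300))
```

Running it reproduces Dean's trace (Y/300, Z/300, Z/300, Y/210, Z/240) with no cache ever exceeding the zone's 300 seconds, while the overriding resolver answers with 864000 and is flagged; when diagnosing a provider, the observed TTL relative to the zone's TTL is the thing to compare, not whether successive answers differ.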



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-20 Thread Stephen J. Wilcox

On Wed, 20 Apr 2005, Dean Anderson wrote:

 On Wed, 20 Apr 2005 [EMAIL PROTECTED] wrote:
 
   I'd rather expect this sort of behavior with anycasted servers... 
  
  Where do you see any connection between anycast and ignoring DNS TTL? Or is
  this just part of your usual rant against anycast DNS service?
 
 The data he showed isn't necessarily ignoring ttl.  If there are multiple
 anycasted caching servers behind a specific IP address, then those several
 cache's will each have a different state.  Since, [as I

I fail to see the correlation still.. anycasted caches should all be operating 
independently getting their DNS data from authoritative sources. 

If at any point one of them uses a TTL that it has not received from the 
authoritative source it is ignoring the ttl, where does anycast get involved 
with this particular problem?

thanks
Steve



Re: OpenTransit (france telecom) depeers cogent

2005-04-16 Thread Stephen J. Wilcox

On Fri, 15 Apr 2005, Patrick W. Gilmore wrote:

 On Apr 15, 2005, at 2:10 PM, Fredy Kuenzler wrote:
 
  Paul Vixie wrote:
   in other words, sometimes it's better to take pain in a lump sum than on
   the time payment plan.  if that's what cogent's trying to do, they've
   got my support.  if on the other hand cogent is, as accused here today,
   dumping transit at below cost, then may they rot in hell.  (could i say
   that simpler?)
 
  I'm not sure about the US price war, I just can say that I've seen an offer
  of AS174 in Switzerland which is 38% of the price of AS1239 we currently pay
  (same CDR). I'm not sure if this already justifies hell, but at least
  purgatory ;-)
 
 Strange, I am REALLY HAPPY when someone offers me a comparable product for
 less money.  If you prefer to pay more, well, I'm happy for you.
 
 (And no flames about Cogent not being comparable.  I've already posted here
 that their network runs just fine.  Of course, now that they are no longer
 offering full transit, we are re-considering how good their pricing is.)
 
 
 Back on topic, I am unclear on why you sell X for less than I do is
 justification for rotting in hell.  Whether X is below your cost is COMPLETELY
 immaterial.  Whether it is below their cost is irrelevant to me, but it might
 be important to some countries / laws / whatever.  If they are breaking a law,
 have someone investigate  charge them.  If there is no law against it, deal
 with it.  They should be going out of business RSN anyway.

The carrier transit market is in a real mess, many of the large players having 
already gone bankrupt once, when that happened with the so called dot-com crash 
it affected the global economy. 

What we see now are todays carriers facing the risk of bankruptcy again, some
for the second time round. One possible interpretation of Cogent's price erosion
is that networks have been built that will not make a profit until 2 or 3 years
and being forced to cut prices heavily in order to compete is pushing that
profitability curve such that the companies will run out of funding before they
hit profit.

The short term benefit as a buyer is reduced costs, but long term this could 
affect the very market that you're operating in and your own viability and 
profit margins.

For many folks too the falling price they buy transit for just means they are 
being forced to take that off their product sell prices so they dont actually 
make any more profit.. in which case there is no advantage to buying below cost 
services.


In general I'd prefer to operate in a healthy marketplace, where all parties are
making money, theres little risk of the supplier filing bankruptcy and I am
getting reasonable customer service. That can only lead to growth of the
industry, healthy businesses and healthy economies. Unfortunately none of these
things appear to be happening at the moment...

Steve





Re: Anyone familiar with the SBC product lingo?

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, [EMAIL PROTECTED] wrote:

 On Thu, 14 Apr 2005 16:15:41 EDT, Luke Youngblood said:
  
  SONET simply means you are on a Sonet ring:  Two redundant connections to
  the central office.  If someone gets a little crazy with a backhoe your line
  is guaranteed to stay up (ask about SLAs, and make sure they will refund
  part of your monthly bill if you have an outage).  That's why it costs over
  twice as much.
 
 And remember to ask questions - make sure they've actually got the two
 connections routed differently.  Remember that if the backhoe hits the conduit,
 *all* the fiber pairs go - and if both runs were in the same conduit, you're
 still dead
 
 (Anybody here *NOT* seen cases where the 2 fibers leave the building on opposite
 sides, go down different streets - and rejoin 2 miles down the way because
 there's only one convenient bridge/tunnel/etc over the river, or similar?)

yes. but in my case we checked it and it was okay on install but was rerouted at
some point. someone broke the ducting and we lost a bunch of oc48s which was
bad.

you'll never get better redundancy than having more than one carrier.

Steve



Re: Anyone familiar with the SBC product lingo?

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, Randy Bush wrote:

  you'll never get better redundancy than having more than one carrier.
 
 very often, they buy segments from each other, run in the same trench, change
 the dlr six months later, ...  trust and test just as you would a single
 carrier.  trust 0 test 100.

when this has been critical i've insisted on seeing duct maps to ensure they
really are different. but as you say even that doesnt prevent a change of path
in the future

i guess it helps us to know a bit more than the average circuit buyer tho too..

Steve



Re: OpenTransit (france telecom) depeers cogent

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, Patrick W Gilmore wrote:

 
 On Apr 14, 2005, at 5:16 PM, Richard A Steenbergen wrote:
 
  Surely FT's customers pay for access to Cogents network and vice versa?
 
  In such a case, FT has done its part by paying Sprint for full transit
  service. It is Cogent who is not accepting the route from their transit,
  and who intentionally does not carry the global routing table. If I put up
  a filter on my transit that says I will not accept routes from you unless
  you peer with me, should your customers leave you because I did this?
  Doesn't sound very fair to me. I guess it depends how important I am,
  doesn't it?
 
 Is Cogent filtering the prefixes they get from Verio?  Or is Verio 
 filtering what they send to Cogent?  Does it matter?
 
 I think you have a very good point - FT is buying full transit.  Cogent 
 is the one without full reachability.
 
 Doesn't mean that FT didn't know this would be a problem when they took 
 the step, though.

Well, FT took the step as you say.. they are the instigator here.

But, they are within their rights to do so and would have given proper written
notice to Cogent so this isnt as much a surprise to them as is being suggested
either.

Steve



Re: so, how would you justify giving users security?

2005-04-05 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Florian Weimer wrote:

 * Stephen J. Wilcox:
 
  On Mon, 4 Apr 2005, Gadi Evron wrote:
 
  Anyone ever considered just closing these ports? People will pay you 
  more and just for your ACL services! You can put all your troubles 
 
  you would need to do this on a per customer interface basis ie not
  at an aggregation point but on each ppp interface..
 
 Not necessarily.  Some Windows malware prefers local address ranges, but not
 all.  If you quickly disconnect those who caught something, it's a great help
 in keeping the number of infected machines down. You could even spin this in a
 way that encourages your customers to recommend you to their friends: no
 hassle with the filters.

I thought of that but then its only half a filtering effort, how would you 
package it up 'Telecomplete Broadband **Now with a bit of filtering**' ?

Then a bunch of smallprint about how you dont actually provide any additional 
security? :)

Steve



Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Gadi Evron wrote:

 Anyone ever considered just closing these ports? People will pay you 
 more and just for your ACL services! You can put all your troubles 

you would need to do this on a per customer interface basis ie not at an 
aggregation point but on each ppp interface.. does that scale? i've not tried 
it, what i mean by scale is if this is eg auto-config'd by radius to cisco does 
it move the switching path to software or do anything else that would crash a 
fully loaded dialup/lac/lns/etc ?

Steve



Re: botted hosts

2005-04-03 Thread Stephen J. Wilcox

On Sun, 3 Apr 2005, Petri Helenius wrote:

 
 
 I run some summaries about spam-sources by country, AS and containing 
 BGP route.
 These are from a smallish set of servers whole March aggregated. 
 Percentage indicates incidents out of total.
 Conclusion is that blocking 25 inbound from a handful of prefixes would 
 stop 10% of spam.

and your second highest is 4.0.0.0/8 your advice is blocking it would help your 
email?

Steve

 
 +-+--+
 | 26.8013 | US   |
 | 25.6489 | KR   |
 | 11.2896 | CN   |
 |  4.3139 | FR   |
 |  2.8045 | BR   |
 
 +-+--+
 | 11.3916 | 4766 |
 |  6.3791 | 9318 |
 |  5.1094 | 4134 |
 |  3.3910 | 7132 |
 |  3.1717 |29963 |
 
 ++--+
 | 2.0754 | 207.182.144.0/20 |
 | 1.7184 | 4.0.0.0/8|
 | 1.3054 | 82.224.0.0/11|
 | 1.1116 | 221.144.0.0/12   |
 | 1.0963 | 207.182.136.0/21 |
 | 0.9943 | 61.78.37.0/24|
 | 0.9586 | 218.144.0.0/12   |
 | 0.9484 | 222.96.0.0/12|
 | 0.7394 | 222.65.0.0/16|
 | 0.7343 | 211.200.0.0/13   |
 
 Pete
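
Pete's three tables and Steve's objection to the 4.0.0.0/8 entry are easy to reproduce from raw incident records, so here is an added example (mine, not Pete's script) that builds the same country / AS / prefix percentages from a constructed incident list, works out how much of the total the top N prefixes cover, and flags any candidate block wider than a /16 as too broad to use as an inbound port-25 filter. The incident lines, ASNs (documentation range) and TEST-NET prefixes are all constructed; 4.0.0.0/8 is kept only because it is the block the thread argues about.

```python
"""Added example: summarise spam-source incidents by country, AS and
containing prefix, and flag filter candidates that would be too broad.
The incident data below is constructed, not a real measurement."""

from collections import Counter
import ipaddress

# Constructed sample, one incident per line: "src_ip cc asn containing_prefix"
INCIDENTS = """\
203.0.113.5 KR 4766 203.0.113.0/24
203.0.113.9 KR 4766 203.0.113.0/24
203.0.113.77 KR 4766 203.0.113.0/24
198.51.100.4 US 64496 198.51.100.0/24
198.51.100.200 US 64496 198.51.100.0/24
4.0.0.12 US 64497 4.0.0.0/8
4.77.1.1 US 64497 4.0.0.0/8
192.0.2.44 CN 64498 192.0.2.0/24
192.0.2.45 CN 64498 192.0.2.0/24
192.0.2.46 CN 64498 192.0.2.0/24
"""


def parse(text):
    """Turn the incident lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, cc, asn, prefix = line.split()
        assert ipaddress.ip_address(src) in ipaddress.ip_network(prefix)
        records.append({"src": src, "cc": cc, "asn": asn, "prefix": prefix})
    return records


def summarise(records, key):
    """Percentage of incidents per value of `key`, largest first (ties by
    name so the output is deterministic), like Pete's tables."""
    counts = Counter(r[key] for r in records)
    total = len(records)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(round(100.0 * n / total, 4), value) for value, n in ordered]


def top_prefix_coverage(records, n):
    """How much of all incidents the n busiest prefixes account for: this is
    the 'blocking a handful of prefixes stops X%' number."""
    return round(sum(pct for pct, _ in summarise(records, "prefix")[:n]), 4)


def too_broad(prefix, longest_acceptable=16):
    """A block wider than /16 (a /8 here) covers far more legitimate mail
    sources than spam sources, so it is not a sensible filter entry."""
    return ipaddress.ip_network(prefix).prefixlen < longest_acceptable


def block_candidates(records, n):
    """Top n prefixes with a verdict on whether each is usable as a filter."""
    return [
        (prefix, pct, "too broad" if too_broad(prefix) else "ok")
        for pct, prefix in summarise(records, "prefix")[:n]
    ]


if __name__ == "__main__":
    recs = parse(INCIDENTS)
    for key in ("cc", "asn", "prefix"):
        for pct, value in summarise(recs, key):
            print(f"| {pct:8.4f} | {value:18s} |")
        print()
    print("top-2 prefix coverage:", top_prefix_coverage(recs, 2), "%")
    for prefix, pct, verdict in block_candidates(recs, 4):
        print(f"{prefix:18s} {pct:6.2f}%  {verdict}")
```

The verdict column is the point: a prefix can rank high in the incident table and still be a poor filter entry because the share of incidents it covers says nothing about the volume of legitimate mail behind it, which is exactly the objection to 4.0.0.0/8 above.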
 
 



Re: MD5 for TCP/BGP Sessions

2005-03-31 Thread Stephen J. Wilcox

On Thu, 31 Mar 2005, Pekka Savola wrote:

 On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
  without wishing to repeat what can be googled for.. putting acls on your edge to
  protect your ebgp sessions wont work for obvious reasons -- to spoof data and
  disrupt a session you have to spoof the srcip which of course the acl will allow
  in
 
 This is why this helps for eBGP sessions only if the peer is also protecting its
 borders. I.e., if you know the peer's network has spoofing-prevention enabled,
 nobody is able to spoof the srcip the peer uses.

trusting a third party to protect your network is imho not best practice, in 
addition many networks may have considerable customers inside them making 
attacking from inside trivial

Steve



Re: MD5 for TCP/BGP Sessions

2005-03-30 Thread Stephen J. Wilcox

without wishing to repeat what can be googled for.. putting acls on your edge to
protect your ebgp sessions wont work for obvious reasons -- to spoof data and
disrupt a session you have to spoof the srcip which of course the acl will allow
in

Steve

On Thu, 31 Mar 2005, Pekka Savola wrote:

 
 On Wed, 30 Mar 2005, John Kristoff wrote:
 [on bgp/md5 and acl's]
  ACLs are often used, but vary widely depending on organization.
  It can be difficult to manage ACLs on a box with a large number
  of peers that uses many local BGP peering addresses.  I'm sure
  some organizations reviewed and updated their ACLs as a result
  of the last scare, but that is a local, private decision and it
  would probably be hard to get good sample of who and what changed.
 
 I would be double careful here, just to make sure everybody 
 understands what you're protecting.
 
 iBGP sessions?  ACLs are trivial if you have your borders secured.
 
 eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
 you know your peer and you also protect your borders, ACLs are rather 
 trivial as well.
 
 What you seem to be saying is using ACLs to enumerate the valid 
 endpoints for eBGP sessions.  That goes further than the above but 
 indeed is also a pain to set up and maintain.
 
 There are other attacks you can make against TCP sessions (protected 
 by MD5 or not) using ICMP, though. (see 
 draft-gont-tcpm-icmp-attacks-03.txt).
 
 

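
Both posts in this thread turn on the same observation: an edge ACL keyed on the peer's source address lets through exactly the packets an attacker would spoof, while Pekka's GTSM suggestion catches them for a different reason. Here is an added example (mine, not from either poster) that models a single eBGP session and runs three constructed packets through an ACL check and a TTL-security check of the kind GTSM specifies: the genuine peer sends with TTL 255 and is one hop away, so anything that has crossed more routers arrives with a lower TTL regardless of what source address it carries. Addresses are from the documentation ranges and the hop counts are constructed.

```python
"""Added example: why a source-address ACL alone does not protect an eBGP
session, and what a GTSM-style TTL check adds.  Packets are constructed."""

from dataclasses import dataclass

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int        # TTL as seen on arrival at the router
    label: str      # description of the constructed test case


@dataclass
class EbgpSession:
    local: str
    peer: str
    trust_radius: int = 0   # 0 = directly connected peer, the common eBGP case


def acl_permits(pkt, session):
    """Edge ACL: permit TCP/179 only from the configured peer to our address.
    Nothing here can tell a spoofed peer address from the real one."""
    return (pkt.src == session.peer
            and pkt.dst == session.local
            and pkt.dport == BGP_PORT)


def gtsm_permits(pkt, session):
    """GTSM: the peer sends with TTL 255; each router in between decrements
    it, so a packet is accepted only if ttl >= 255 - trust_radius."""
    return pkt.ttl >= 255 - session.trust_radius


def evaluate(pkt, session):
    """Apply the ACL first (cheap) and the TTL check second; report which
    stage, if any, discards the packet."""
    if not acl_permits(pkt, session):
        return "dropped_by_acl"
    if not gtsm_permits(pkt, session):
        return "dropped_by_gtsm"
    return "accepted"


def demo():
    """Three constructed arrivals at the local router (192.0.2.1)."""
    sess = EbgpSession(local="192.0.2.1", peer="192.0.2.2")
    packets = [
        Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 255,
               "genuine peer, direct link"),
        Packet("198.51.100.7", "192.0.2.1", BGP_PORT, 250,
               "unspoofed stranger"),
        Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 249,
               "spoofed peer address, six routers away"),
    ]
    return {p.label: evaluate(p, sess) for p in packets}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:40s} -> {verdict}")
```

The third case is the one the ACL cannot handle and GTSM does, and it does so without trusting the peer's network to filter spoofed sources, which is the dependency Steve objects to: a host elsewhere inside the peer's network that spoofs the peer's address still arrives with a TTL below 255 because it is not on the directly attached link. The remaining gap is an attacker on that link itself, which is the case MD5 is meant to cover.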

Re: Clearwire May Block VoIP Competitors

2005-03-30 Thread Stephen J. Wilcox

On 30 Mar 2005, Paul Vixie wrote:

 
 the bigger issue with 802.11 and VoIP is that wireless ethernet tends to be
 half duplex whereas codecs tend to run both directions at once.  who's getting
 good service over 802.11 using G.711 or G.729?  (no fair if your wireless
 handset has its own proprietary halfdup codec, i'm talking real SIP here.)

hmm running g711 on a wifi handset or a lan phone with wifi bridging in the 
middle results in decent quality.

at 2x80kbps vs 11mbps or 54mbps there should be plenty room for both directions 
to communicate without too much delay

Steve


Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, [EMAIL PROTECTED] wrote:

  and if you peer with all networks in the 'transit free zone' then you too
  become transit free also.
  
 
   er.. hate to rain on your parade but if I peer with everyone 

these are not the words of someone hating to rain on me!

   i need/want to exchange traffic with, i am transit-free, even
   if I -NEVER- touch any other part of the commercial Internet...

mmm yeah but in the context we have here of ISPs providing connectivity to other
ISPs or enterprises this isnt very realistic so i dont see the point of arguing
the technicality.

   my packets get to where they need to go and all packets I want
   get to me.  my life is good ... even if I only appear as vestigial
   to the commercial Internet, if I appear at all.

sounds more like an enterprise with specific requirements to connect to a 
limited part of the internet.. this is not the sort of ISP operation that i am 
working in.

   how would you classify such a network?  T1, T2, ODDBALL-0, 
   non-Internet-265, ???  

enterprise

Steve



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, Richard A Steenbergen wrote:

 On Tue, Mar 29, 2005 at 02:23:06AM +0100, Stephen J. Wilcox wrote:
  
  701 is not the most connected, it has only customers and a restrictive 
  set of peers?
 
 Ok, I'm just bored enough to bite. 

but not as bored as bill, randy or patrick it would seem :)

 If we're talking about a contest to see who has the most number of directly
 connected ASNs, I think UU might still win, even with a restrictive set of
 peers.

I didnt think we were, kinda happened.. if peering partners is a compensation
for something else its pretty sad ;)

Maybe I'm wrong, i checked with renesys and their data has 701 with 5200
adjacencies followed by 1239 with 3500 anyway i care enough to have snipped the
data. 

 Which begs the question, what is the largest number of ASNs that someone peers
 with? Patrick? :) Somehow I suspect that 701's customer base (702 and 703
 aren't included in the above count BTW) overpower even the most aggressively
 open of peering policies, in this particular random pointless and arbitrary
 contest at any rate.

so what are we debating again? :)


Steve





Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, John Dupuy wrote:

 I was looking at it from a route announcement point of view. Transit is where
 AS A advertises full routes to AS B. Thus, AS B is getting transit from A.
 Peering is where A & B only advertise their network and, possibly, the
 networks that stub or purchase transit from them.

no, they MUST send their customer nets else their customers will not have 
global reachability

 It is my understanding that the top ISPs trade transit. They provide full 
 routes to each other without payment, regardless of how or where the route 
 was learned from. They are willing to pass some traffic without 
 compensation because it makes for better connectivity. From an announcement 
 POV they are not peering.

ahhh. no, they send peering only between each other (approx 5 routes for 
each of the biggest providers - level3, sprint, uunet, att)

Steve

 I am still curious: do any of the larger ISPs on this list want to 
 confirm/deny the previous paragraph?
 
 I think we are getting into defining terms territory. So, I will bow out 
 of the discussion.
 
 John
 
 At 01:56 PM 3/29/2005, David Barak wrote:
 
 --- John Dupuy [EMAIL PROTECTED] wrote:
 
   But by the technical description of a transit free
   zone, then 701 is not
   tier one, since I have encountered scenarios where
   many AS are traversed
   between 701 and other networks, not just a peer of a
   peer. Unless, by
   transit free zone you mean transit trading where
   large providers permit
   each other to transit for free. (Which gets back to
   my 'who hurts more'
   discussion.)
  
 
 oversimplification
 
 Transit = being someone's customer
 
 Peering = permitting your customers to go to your
 peer's customers or the peer's network, but not the
 peer's peers, without exchange of money.
 
 Any other relationship != peering for my purposes
 (although lots of subtly different relationships
 exist, the largest networks tend to take a view which
 is not too dissimilar to the one shown above)
 
 /oversimplification
 
 Are you implying that 701 is paying someone to carry
 their prefixes?  While I'm not the peering coordinator
 for 701, I would find that improbable.  I would expect
 that money would flow the other direction (and thus
 701 would become a more valuable peer for other
 networks).
 
   I'm willing to be wrong. If any of the large
   providers on the list will say
   that their network does not transit beyond the
   customer of a peer; and they
   still maintain full connectivity, I will gladly be
   corrected.
 
 oodles and oodles of people can say this (and already
 have).  A paying customer of mine can readvertise
 (with a non-munged AS_PATH) any of my prefixes which
 they want, and thus provide transit for other people
 to reach me.  That does not change the fact that I'm
 not paying for transit.
 
 So in short, I would say that T1 vs T2 etc is a
 follow the money:
 
 T1 = doesn't pay anyone else to carry their prefixes,
 and runs a default-free network.
 
 T2 = pays one or more T1 providers to carry their
 prefixes, may or may not run a default-free network.
 
 T3 = leaf node, pays one or more T1/T2 providers to
 carry their traffic, probably uses default route.
 
 YMMV, blah blah blah
 
 
 David Barak
 Need Geek Rock?  Try The Franchise:
 http://www.listentothefranchise.com
 
 
 
 
 
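The exchange above turns on what each kind of session actually carries: a peer gets your own prefixes plus your customers' (the point made in the reply that customer routes MUST be sent), a transit customer gets the full table, and a network whose customers and peers already cover the whole table is "transit free". Here is an added worked model of those export rules (not code from the thread, and not any provider's real policy); the AS numbers, prefixes and relationships are constructed for the example.

```python
# Constructed AS topology (assumed for the example, not taken from the thread).
# AS65100 and AS65200 are the big networks and peer with each other;
# everyone else buys transit from somebody.
ORIGIN = {
    "AS65100": ["10.100.0.0/16"],
    "AS65200": ["10.200.0.0/16"],
    "AS65001": ["10.1.0.0/16"],
    "AS65002": ["10.2.0.0/16"],
    "AS65003": ["10.3.0.0/24"],
}
PROVIDERS = {                       # customer -> its transit providers
    "AS65001": ["AS65100"],
    "AS65002": ["AS65100", "AS65200"],
    "AS65003": ["AS65001"],
}
PEERS = {("AS65100", "AS65200")}    # settlement-free peerings, unordered pairs


def peers_of(asn):
    return {b if a == asn else a for a, b in PEERS if asn in (a, b)}


def customer_cone(asn):
    """Every AS that reaches the internet through asn, directly or through a
    customer's customer."""
    cone, todo = set(), [asn]
    while todo:
        current = todo.pop()
        for customer, provs in PROVIDERS.items():
            if current in provs and customer not in cone:
                cone.add(customer)
                todo.append(customer)
    return cone


def prefixes_of(asns):
    return sorted(p for a in asns for p in ORIGIN.get(a, []))


def peering_announcement(asn):
    """What a network sends to a settlement-free peer: its own prefixes plus its
    customer cone. Customer routes are mandatory or the customers lose global
    reachability; provider- and peer-learned routes are withheld."""
    return prefixes_of({asn} | customer_cone(asn))


def reachable_without_transit(asn):
    """Prefixes an AS reaches using only its customers and its peers."""
    reach = set(peering_announcement(asn))
    for peer in peers_of(asn):
        reach.update(peering_announcement(peer))
    return reach


def is_transit_free(asn):
    """Transit free (tier 1 in the thread's sense): customers plus peers already
    cover every prefix in the table, so no provider is needed."""
    return reachable_without_transit(asn) == set(prefixes_of(ORIGIN))


def transit_announcement(asn):
    """What a network sends to a paying customer: the full table, i.e. everything
    it reaches through customers and peers plus whatever its own providers send."""
    table = reachable_without_transit(asn)
    for provider in PROVIDERS.get(asn, []):
        table.update(transit_announcement(provider))
    return sorted(table)


if __name__ == "__main__":
    for asn in ORIGIN:
        print(asn, "transit-free" if is_transit_free(asn) else "buys transit",
              "peer export:", peering_announcement(asn))
```

Run it and AS65001 exports only 10.1.0.0/16 and its customer's 10.3.0.0/24 to a peer, while its transit session to AS65003 carries all five prefixes; AS65100 and AS65200 come out transit free because each one's peering with the other fills in the part of the table its own cone lacks.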



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-28 Thread Stephen J. Wilcox

On Mon, 28 Mar 2005, John Dupuy wrote:

 I'll be brief, but I do want to perhaps word Alex's definition in a different
 way that might be more useful.
 
 Even tier 1 providers regularly trade transit. They must since no single
 network is connected to all the other ones. Not even close. Even UUNet (ASN
 701), arguably the most-connected network on the planet, only connects to a
 fraction of the possible peerings.

701 is not the most connected, it has only customers and a restrictive set of 
peers?

you dont need to peer with all networks tho, if all networks are buying from 701
or one of its peers then it will get those routes via peering not transit or
transit trades... you seem to be forgetting what peering is.

and if you peer with all networks in the 'transit free zone' then you too become
transit free also.

 The true definition is more vague: if a peering or transit circuit between A
 or B is taken down, who will be hurt the most: A or B? If it is predominantly
 B, and much less A, then A is more Tier 1 and B is of a lesser Tier. If they
 are equally hurt, they are of equal status. Essentially, Tier 1 is whatever
 the other Tier 1 providers believe at the moment is Tier 1. It is
 self-referential and not distinct at all.

i believe the distinction exists as shown above ie transit free.. as to why this
might be considered a goal i'm not sure, its not obvious that transit free is
cheaper than buying transit!

this thing about 'who hurts most' is an entirely different topic and has nothing
to do with who is in the transit free zone. altho destructive depeering does
seem to be common practice within that zone :)

 This is, frustratingly, a very non-technical definition. But it seems to map
 with what I've actually seen the industry do.

thats because non-technical definitions mean anyone can call themselves anything
they like.. wiltel recently spammed me to buy their 'tier1 transit'.. presumably
they are tier1 within their own definition of tier1.

if you want to be technical tho, and aiui we are a technical forum, then tier1 
means transit free.

i reaffirm my earlier point - but why care, isnt it about cost and reliability, 
and as peering and transit are about the same cost who cares who you dont peer 
with

Steve

 
 John
 
 At 09:17 AM 3/28/2005, Stephen J. Wilcox wrote:
 
   On Mon, 28 Mar 2005, Randy Bush wrote:
 
 Firstly, peering isn't binary. Is peering vs transit a distinction based on
 routes taken / accepted & readvertised, or on cost? Does paid for peering
 count as peering or transit? If you pay by volume? If you pay for more than
 your fair share of the interconnect pipes? (if the latter, I am guessing
 there are actually no Tier 1s as everyone reckons they pay for more than
 their fair share...).
   
pay?  did i say pay?  i discussed announcement and receipt of prefixes.  this
was not an accident.  it is measurable.
 
   i also avoided money.. i dont think its that relevant, everyone is paying for
   peering or transit in one form or another, i dont think any peering is free
   (free != settlement free)
 
 Secondly, it doesn't cover scenarios that have happened in the past.
 For instance, the route swap. EG Imagine networks X1, X2, X3, X4 are Tier
 1 as Randy describes them. Network Y peers with all the above except X1.
 Network Z peers with all the above except X2. Y & Z peer. To avoid Y or Z
 needing to take transit, Y sends Z X2's routes (and sends Z's routes to X2
 routes marked no export to X2's peers), and Z sends Y X1's routes (and
 sends Y's routes to X1 marked no export to X1's peers). Perhaps they do
 this for free. Perhaps they charge each other for it and settle up at the end
 of each month. Perhaps it's one company that's just bought another.
 
   transit (n). The act of passing over, across, or through; passage.
 
   whether it is a settlement arrangement or a mutual swap, they do NOT have
   peering, they ARE transitting and by our definition are not transit-free (and
   hence not tier1)
 
   however alex, you do highlight an excellent point - things are not as simple as
   'tier1, tier2', there are complicated routing and financial arrangements in
   operation, which brings me back to my earlier point: does it matter what a
   network is paying for some connectivity providing they deliver to you the
   connectivity you need at the quality you desire?
 
   Steve
 
 
 



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-27 Thread Stephen J. Wilcox

On Sun, 27 Mar 2005, Patrick W Gilmore wrote:

 On Mar 26, 2005, at 11:21 PM, Randy Bush wrote:
 
  forget this concept of tier1, 2, 3 .. they are little more than terms used
  by salesmen.
 
  at least t1 and t2, also permeate academic papers where the real topology is
  actually measured.  but we should not let demonstrable measurements get in
  the way of our defense of the position of our smaller networks by marketing
  people.
 
 And how, pray tell, does one actually measure T1 vs. T2 networks?  
 (Assuming you are not talking about two of the Terminator movies. ;-)

i would agree it is possible to mark some networks as transit free - tier1 - and
therefore any network using a tier1 to access another tier1 is tier2. arguably a
tier3 would be a network not connected to a tier1.

 If someone is paying Network A, but sends communities to be treated as 
 a peer, are they T1 or T2?

imho: T1, forget the money

other points snipped, i largely agree :)

 Back on a more operational topic, it really doesn't matter what tier  you
 are, it just matters how good your connectivity is.  There is no need to
 'defend' the 'smaller networks'.  Some of the tier 1 networks have totally
 suck ass connectivity.  (Yes, 'suck ass' is a technical term. =)

absolutely!! it amazes me how much value is placed in this 'tier' system, why 
not just buy connectivity that (a) is compatible with your size as an ISP (b) 
reliably delivers bits from A to B

Steve



Re: Apology: [Re: Tier-2 reachability and multihoming]

2005-03-26 Thread Stephen J. Wilcox

So anyway, this internet thing..

forget this concept of tier1, 2, 3 .. they are little more than terms used by
salesmen. instead assume all ISPs have connectivity to the whole internet, and
that you're a new ISP wanting connectivity of your own. you can buy transit from
any ISP and you will get global reachability, you could also buy from any two
hence multihoming and have the same global reachability

now you're up and running, consider peering.. peering with another isp will give
you access to that isp and their customers (ie other isps buying global
reachability as you are doing)

so as per your original query, if any two nodes/asns dont have a direct 
connection you can assume one or both is relying on their upstream to provide 
the necessary global connectivity


now, i see your data is from oregon.. i think theres around 50 'views' of the 
internet from about 25 ASNs. consider there are about 2 active ASNs 
currently. you would need to get all 2 routing tables in order to see 
exactly what relationships are active.

(the reason is that from any single ASN the internet will appear to you as a 
tree much like your original email, showing the 'up-down' relationships but not 
the 'left-right' ones)


also, in the context that you use 'multihoming' you're really referring to a
leaf node such as an enterprise which may buy from 2 or 3 isps to have global
connectivity with some redundancy. if you are looking at transit ISPs (ie tier1,
2 in your description) their connectivity is more complicated and you need to
continue your reading with some of the suggested papers..

Steve

On Sat, 26 Mar 2005, G Pavan Kumar wrote:

 
 This is with my deepest regrets that I apologize from the bottom
 of my heart to Mr.Gilmore, Mr.Woodcock, Mr.Bush and also the rest
 of the honourable members of the list for being ignorant of how 
 high-profile a list this is. I couldn't be more sorry. Please,
 please forgive me.
 
 ps: I sure meant no harm, was just trying to be humorous,(I hope
 the exclamation marks might have given some hint) anyway it is
 too late. They say there is no natural punishment than remorse.
 Also, I was too embarrassed to post a quick apology.
 
 Thanking you,
 pavan.
 



Re: High volume WHOIS queries

2005-03-01 Thread Stephen J. Wilcox

altho arguably its not up to arin to provide processing power for all these 
deployments.

if you can get a local copy why not have your clients resolve back to that?

Steve

On Tue, 1 Mar 2005, joe mcguckin wrote:

 
 
 How about caching the data from previous ARIN whois lookups?
 
 I do agree that the bulk data and high volume limitations on whois servers
 are silly...
 
 -joe
 
 
 On 2/28/05 1:30 PM, Dan Lockwood [EMAIL PROTECTED] wrote:
 
  
  I'm in a disagreement with ARIN about my application for bulk whois
  data.  I've got a software program that needs to resolve AS numbers to the
  Company Name of the owner.  The software app has need to do this on a
  very high volume.  E.g.  I run a report that returns the top 100 AS
  destinations for my network and I want to resolve the numbers to the
  names as part of the report generation.  Since ARIN throttles the number
  of queries that you can execute against their servers it seems to just
  make sense that you would do the processing using local data.
  
  That is all fine and good, but the problem comes when I distribute the
  software to users.  ARIN's AUP for bulk whois states:
  
  Redistributing bulk ARIN WHOIS data is explicitly forbidden. It is
  permissible to publish the data on an individual query or
  small number of queries at a time basis, as long as reasonable
  precautions are taken to prevent automated querying by
  database harvesters.
  
  My original AUP application stated that I would transfer the data to the
  users using an XML file on a regular basis.  Clearly in violation of the
  first point.  Fine.  But now after a phone conversation they are telling
  me that I can not operate a server to distribute the data on a per
  query basis too.  Providing a server that answers whois queries just
  like ARIN seems to be clearly permissible based on the remaining AUP
  verbiage.  At this point the only thing I can get out of the guy/gal on
  the phone is NO!.
  
  Does anyone have any experience doing something like this?  How about a
  sanity check?  Am I completely wrong in how I'm interpreting the AUP?
  
  Thanks,
  Dan
  
 
 



Re: NANOG Changes

2005-02-21 Thread Stephen J. Wilcox

Archive here michael:
http://www.merit.edu/mail.archives/nanog-futures/

not sure if its complete yet but i know merit are trying to include the first 
few messages

nanog-reform here:
http://mailarchive.oct.nac.net/nanog-reform/maillist.html

again, dont know how complete it is. understand also, the list has been open to
subscriptions, the reason for creating it was to allow a bunch of people to kick
some ideas around before airing them and getting into a mess of discussions much
like what we have now.

we saw this successful in vegas with the community forum and the document on the
nanog-reform site was well put together.

what we have now is what happens when 5000 people try to negotiate which is many
varying opinions, vocal people getting more airtime than they ought to when
their opinions are only their opinions and not necessarily the opinions of any
large group.

some folks need to write a document, propose it, vote on it and majority
rules.. not everyone will like all of it but its not possible to write a
document that satisfies everyone 100%. i believe thats the aim of the bylaws
doc - please dont flame it, provide constructive comments, be prepared to
compromise and dont get lost in minutia when the major points have yet to be
fixed.

Steve

On Mon, 21 Feb 2005, [EMAIL PROTECTED] wrote:

 
   Aha! So there really is more stuff hidden away on that
   site for the chosen few. Perception is reality, eh?
 
 People, please, gain some perspective here.  Nobody wants the 
  thankless job of maintaining a mailing list that badly.
 
 Perhaps I'm being too subtle here. I fully realize that
 all these irregularities are the result of incompetence and
 not of malice. But, as Paul Vixie wisely pointed out,
 in the realm of politics, perception equals reality.
 
 If something is not completely in the open then people
 tend to believe that there are nefarious plotters doing
 backroom deals to seize power.
 
 The i's need to be dotted and the t's need to be crossed.
 
 If there is really a nanog-reform mailing list associated
 with nanog-reform.org then put information about it on
 the website. Move the petition signers to a secondary page.
 Put a link to (and explanation of) the wiki on the
 nanog-reform.org homepage.
 
 If there really is an archive of nanog-futures then put 
 information about it on the website.
 
 If there really are some interim results as reflected
 by the several emails on the NANOG list, then put this
 info on the nanog-reform.org website.
 
 Dot the i's. Cross the t's.
 
 The community to which NANOG addresses itself is only
 partially represented by this mailing list and even less
 represented by the NANOG meetings themselves. There are
 many, many IP network operators in North America (and 
 elsewhere) who would benefit from greater cooperation
 and communication through a medium like NANOG. In order
 to reach out to them, we have to stop posting in cryptic
 language and assuming that everyone is part of the in-crowd
 and knows how to find that one reference to a nanog-reform
 list buried somewhere in the archives of this mailing list.
 This is not an attack on any one person but rather a general
 comment on behavior which is widespread on this list.
 
 It's the middle of the noughties now and the Internet has
 grown up. We need to move on and restructure our forums and
 organizations to better meet the needs of the industry
 and the IP network operations community.
 
 --Michael Dillon
 
 



Re: NANOG Changes

2005-02-18 Thread Stephen J. Wilcox

On Fri, 18 Feb 2005, William Allen Simpson wrote:

 Paul Vixie wrote:
 
 ... I just wish that all the political I's would get dotted and all the
 political T's would get crossed.  Perception isn't *actually* reality, but in
 politics (which this is) the difference between perception and reality is
 just not worth discussing.
 
 Speaking as someone with more than a passing familiarity with practical
 political process, Paul's comments are correct.
 
 Please, the interim-moderators should moderate, and the bylaws drafters should
 draft, and they should be separate.  It's the usual difference between the
 Chair and the Editor (or Rapporteur, or Recording Secretary).
 
 I introduced this important division to the IETF many years ago
 
 Since they accepted the moderation function, they've disqualified themselves
 from the drafting function.
 
 And I especially like Paul's point that those serving as the moderators
 be disqualified from serving in another position for at least a year.

I'm not sure what the purpose of that is, seems a bit arbitrary.

As I see it, this is a process, some short term improvements have been made as
an interim fix and response to vegas's community meeting but theres also more to
come before its complete.

Lets not get sidetracked with issues that arent there..

Merit has setup the nanog-futures list and made it public and open from the
outset.. that is the forum to take this discussion to but focus on what you want
not whats past or interim.

Steve




Re: NANOG Changes

2005-02-17 Thread Stephen J. Wilcox

On Thu, 17 Feb 2005, Gadi Evron wrote:

 Perfect, but let's not repeat past mistakes.
 
 Let's set a date for this temporary government to expire, and start
 discussing how the process of a more permanent governing body will be
 achieved. I think 3 months is the longest we should decide on (not consider,
 the NANOG community has enough considering to do), we can do it in a month.
 
 I believe this is important enough, either someone who has been here forever
 steps forward and volunteers to get the emails of who people want to see at
 this headache of a position, or we do it openly on the list. A poll can be
 done later on.

something has to be arbitrary in the absence of a government, its a chicken and 
egg. i think you're looking for problems that arent there - do you or anyone 
have issue with the progress thus far? if not the question is moot.

Steve



Re: ChinaNet Contacts

2005-02-17 Thread Stephen J. Wilcox

Hi Jon,
 there were two guys at nanog33.. if you didnt meet them then perhaps keep an 
eye out at nanog34

http://www.nanog.org/mtg-0501/attendee.list.html

short answer is i see chinanet folks on a whole bunch of forums and lists,

Steve

On Thu, 17 Feb 2005, Jon R. Kibler wrote:

 I know that this is a REALLY sore point, but has anyone ever established any
 good working relations with anyone in CHINANET or other China-based ISPs?
 
 In recent weeks, over 80% of our port scans and various miscreant probes have 
 originated from a very small number of IPs in China. Trying to contact the IP 
 owner via email usually finds either the mailbox is full, the email address 
 is invalid, or the mail server is not working.
 
 Anyone had any success in this area?
 
 THANKS!
 Jon Kibler
 



Re: Old McDonald Had a Pharm?!

2005-02-15 Thread Stephen J. Wilcox

Hmm, at the point where malicious software is modifying the behaviour of
applications you may as well compare it to a keylogger. If the miscreant has
control of the machine anything is possible, so sure I can see how it could be a
real threat but it might not perhaps deserve its own silly name.

I think better deployment of certificates and 2 stage token/passwords is the way
forwards for both phishing and pharming (if pharming exists) from the server
perspective. For the clients, continued education and improvement to default
security. There seems to be movement with the latter, for the former tho the
institutions still seem to insist that we the ISPs should be paying to fix their
poor security.

Steve

On Tue, 15 Feb 2005, Daniel Golding wrote:

 
 
 There have been a couple recent articles about a phenomenon allegedly known
 as pharming, which people are supposedly worried about. This includes some
 combination of DNS cache poisoning and/or worm-powered URL rewriting.
 
 This may also be a form of fear-driven marketing by companies inventing
 solutions to fix the problem which may not exist. (Mac Anti-virus
 software, anyone? ;)
 
 Is anyone aware of actual pharming in the wild? Please reply off-list and
 I will summarize answers to the list.
 
 Thanks,
 



Re: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Mon, 14 Feb 2005, Warren Kumari, Ph.D, CCIE# 9190 wrote:

 On Feb 13, 2005, at 2:31 AM, Christopher L. Morrow wrote:
 
  There are multiple reasons for deaggregation aside from 'dumb operator',
  some are even 'valid' if you look at them from the protection standpoint.
 
 That and the I have 1 circuit to $good_provider and 1 circuit to
 $bad_provider and the only way I can make them balance is to split my space in
 half and announce more specifics out through each provider  argument. I have
 also often seen people do this without announcing the aggregate because some
 undefined bad thing will happen, usually justified with much hand-waving.  
 The people who do this can usually not be reasoned with

this just reinforces the argument that they are lacking in technical savvy. 

i have a transit provider who i dont want to carry much traffic and i dont want
to prepend my announcements.. by looking at that providers supported customer
communities i just get them to prepend as they export to other major networks
thus moving the main volume of the traffic to the desired ingress paths

no deaggregation, no prepending..

Steve



RE: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Sun, 13 Feb 2005, Justin Ryburn wrote:

 I have recently heard companies saying their reasoning for de-aggregation was
 1) to protect against outages to their customer base when a more specific of
 their aggregate was announced somewhere else and 2) if they are getting DDOS
 attacked on a given /24 they can just drop that advertisement and only affect
 part of their customer base.

1) this only provides partial protection, even if you announce a /24 i can still
announce my own /24 and get some of your traffic

2) either they are operating networks that cant support their business and i
dont see why we should bale them out or in the cases where certain hosts are
accepted by us as targets (ircnets etc) you could argue to obtain a discrete /24
which is the better evil than taking a /16 and breaking it down to take out a
/24

i'm not keen on this latter idea, what if i operate an anti-ddos specialist isp,
hosting ircnets, gambling, security sites etc - do i put each host in a /24 and
waste a whole /16 with a couple hundred customers? 

i strongly believe if you want to be an autonomous internet provider then you 
should be able to run your network by accepted means not thro cheap hacks

 As technically savvy folks, we may not agree with this line of reasoning.  
 However, keep in mind that the technically savvy folks are not always the ones
 making the decisions within a company.  Just because someone has enable access
 and clue does not mean they have the authority to make certain decisions.  
 Most of those people probably spend a large amount of their time arguing with
 the decision makers to try and do the right thing but at some point they lose
 those arguments.

if their suppliers/peers disagree strongly they would not be able to present
these options in the first place.. lack of regulation has its downsides it would
seem..

Steve



Re: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Sun, 13 Feb 2005, Michael Smith wrote:

  From: Warren Kumari, Ph.D, CCIE# 9190 [EMAIL PROTECTED]
  Date: Mon, 14 Feb 2005 10:14:38 -0500
  To: nanog@merit.edu
  Subject: Re: The Cidr Report
  
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
  
  
  On Feb 13, 2005, at 2:31 AM, Christopher L. Morrow wrote:
  
  On Sat, 12 Feb 2005, Alexander Koch wrote:
  
  On Sat, 12 February 2005 14:58:42 +, Stephen J. Wilcox wrote:
  From: Stephen J. Wilcox [EMAIL PROTECTED]
  [...]   - would you agree that most of the poor deaggregating is not
  intentional
  ie that they're announcing their '16 class Cs' or historically had 2
  /21s and
  
  Think about someone putting in a Null0 route and re-
  exporting stuff unconditionally, now after he originates
  his /19 he is then adding a /24 here, and a /25 there.
  Lack of experience, when you suggest to them they should
  remove these announcements they are afraid to change it,
  not understanding the implications, etc.
  
  Not to mention ppl using cisco and prefix lists, it is
  way too easy with cisco to say '/19 le 24', and then they
  use outbound prefix lists to their transit supplier
  (different, but related as I see it). Some transit ISPs
  use that a lot, and encourage the table growth.
  
  There are some business reasons to de-aggregate. Look at some outages
  caused by 'routing problems' (someone leaked my /24's to their peers,
  peers, peer and my traffic got blackholed, because the public net only
  knows me as a /20)
  
  There are multiple reasons for deaggregation aside from 'dumb
  operator',
  some are even 'valid' if you look at them from the protection
  standpoint.
  
  -Chris
  
  That and the I have 1 circuit to $good_provider and 1 circuit to
  $bad_provider and the only way I can make them balance is to split my
  space in half and announce more specifics out through each provider
  argument. I have also often seen people do this without announcing the
  aggregate because   some undefined bad thing will happen, usually
  justified with much hand-waving.  The people who do this can usually
  not be reasoned with
  
  It happens all the time...
  
  Warren.
 
 So, say  I'm a provider that has received a /22 from UUNet (just for example
 Chris :-) ) and I now get another transit provider and announce the /22
 there.  So, I call UUNet and ask them to announce the /22 as a more specific
 because I don't want a de-facto asymmetric configuration.  I *want* to get a
 /20 from ARIN but my usage doesn't justify it yet, so I have to ride the /22
 for some time.

Hi Mike,
 this isnt the scenario being discussed. The scenario of issue is where you get
your /22 from UUNET and announce 4x /24 ie based on what ips you have you choose
to announce more than the minimum to make them routable

 By the long string of anecdotal attacks in the string to date, listing most or
 all such providers as bad or uninformed how do you separate out those
 providers who are legitimately interested in routing redundancy and not clue
 impaired?  Do we just say too bad, routing table bloat is more important than
 your need for redundancy small guy!?

As I say this isnt the issue here, altho what you suggest would be an example
of further aggregation that i personally think is extreme. Multihoming must be 
possible and a hierarchical structure to the internet is not appropriate.

 I find it interesting that the general theme is one of we're smarter than
 they are because we aggregate more routes as if clue were directly correlated
 to aggregated routing announcements.

Well, there does seem to be some loose correlation, it can't be denied...
(counter examples not required, we know they exist)

Steve




Re: The Cidr Report

2005-02-12 Thread Stephen J. Wilcox

Hi Philip,

On Sat, 12 Feb 2005, Philip Smith wrote:

 Quite often many service providers are de-aggregating without knowing it. They
 receive their /20 or whatever from the RIR, but they consider this to be 16
 Class Cs - I'm not joking - and announce them as such to the Internet. I spend
 a lot of time getting these folks to announce aggregates, but it is hard work
 convincing people that this will even work. Even if the RIR recommends that
 they announce their address block, they still consider it as Class Cs - even
 Class Bs for some big allocations. :(

this is getting into what I was implying earlier.. you have wider experience
than me - would you agree that most of the poor deaggregating is not intentional,
ie that they're announcing their '16 class Cs' or historically had 2 /21s and
don't even realise they could fix it.. that applies to medium and large providers
too reading this list - how often do they actually check what prefixes they are
sourcing? From my recent work at a couple of European IXes I had a number of
folks email me offlist as they hadn't realised til I sent out an email they had
deaggregation and once it was pointed out they just fixed it.

so to repeat my earlier suggestion - if transit providers, particularly the
larger ones, set up scripts to notify their customers daily/weekly of routing
deaggregation do you think we might gain some traction in educating and fixing
this?

Steve



RE: The Cidr Report

2005-02-11 Thread Stephen J. Wilcox

On Fri, 11 Feb 2005, Frotzler, Florian wrote:

 
  Recent Table History
  Date  PrefixesCIDR Agg
  04-02-05151613  103143
  05-02-05152142  103736
  06-02-05152231  103721
  07-02-05152353  103830
  08-02-05152514  103966
  09-02-05153855  104090
  10-02-05154283  104246
  11-02-05154341  104240
 ...
 
 ~ +3000 routes in one week? Anyone else frightened by this?
 
 Florian

any thoughts on how to fix it? my peers keep sending these to me and I'll even
admit my customers do too. telling people it's bad doesn't appear to have an
effect, at the small end networks seem to collect /24s and announce them freely,
at the large end I'm still without an explanation as to why large networks
require so many prefixes - none of them seem to comment?

if people aren't self policing it seems the only other way is for the larger
transit providers to stop accepting prefixes and telling their customers to fix
their s**t. and I don't see them doing this.

Steve



RE: The Cidr Report

2005-02-11 Thread Stephen J. Wilcox

On Fri, 11 Feb 2005, Mike Leber wrote:
 On Fri, 11 Feb 2005, Stephen J. Wilcox wrote:
  On Fri, 11 Feb 2005, Frotzler, Florian wrote:
  
   
Recent Table History
    Date       Prefixes   CIDR Agg
    04-02-05   151613     103143
    05-02-05   152142     103736
    06-02-05   152231     103721
    07-02-05   152353     103830
    08-02-05   152514     103966
    09-02-05   153855     104090
    10-02-05   154283     104246
    11-02-05   154341     104240
   ...
   
   ~ +3000 routes in one week? Anyone else frightened by this?
   
   Florian
  
  any thoughts on how to fix it? my peers keep sending these to me and i'll
  even admit my customers do too. telling people its bad doesnt appear to have
  an effect, at the small end networks seem to collect /24s and announce them
  freely, at the large end i'm still without an explanation as to why large
  networks require so many prefixes - none of them seem to comment?
  
  if people arent self policing it seems the only other way is for the larger
  transit providers to stop accepting prefixes and telling their customers to
  fix their s**t. and i dont see them doing this.
 
 It seems to me they get paid to carry prefixes by their customers.

the payment would be the same if it was a /19 or 32x/24 announced at source

 And their peers listen to the prefixes because they make money by using
 those prefixes.
 
 So, to the extent you make money listening to them, use the routes.

so the problem is no one wants to be the first to jump as it costs money? so
what's the suggestion for how to not be first? ie is it possible for a small
group of large operators to agree a consensus?

you don't even have to actively filter to start this, if a script were run to
advise customers daily when they were announcing routes non-compliant with the
transit's 'routing policy' it would have some effect. one thing I've found from
some of my customers is they're actually ignorant of the problems they cause,
they think it's cool to announce 10 prefixes and can be educated otherwise.

Steve



 
 And if they start to cause you problems you will have to take corrective
 action to stablize your network, as was done a long time ago (internet
 time):
 
 http://www.merit.edu/mail.archives/nanog/1995-09/msg00047.html
 
 (link grabbed at random from the archives, I'm sure there are better posts
 that actually list the full old school sprint filters.)
 
 However, if you are the one filtering and all your competitors figure out
 how to handle 154,000 routes then you will be at a competitive
 disadvantage.
 
 Coincidentally, the largest networks also spend the most with their
 vendors and get to tell the vendors what they want in the next generation
 of boxes they buy.
 
 Mike.
 
 +- H U R R I C A N E - E L E C T R I C -+
 | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
 | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
 | [EMAIL PROTECTED]   http://www.he.net |
 +---+
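The daily "you are deaggregating" notice Steve asks for in this thread and in his 2005-02-12 reply to Philip above, as an added example that is not code from any of the posters. It takes the prefixes a transit provider hears on one customer session, tagged with the origin AS (the sample below is constructed, with RFC 1918 space and private ASNs), collapses them with Python's `ipaddress` module, and renders the notice a script could mail out. The names `deaggregation_report` and `format_notice` are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what a transit provider hears on one customer session:
# (prefix, origin ASN).  Addresses and ASNs are made up for this example.
SAMPLE_ANNOUNCEMENTS = [
    ("10.20.0.0/24", 64500),
    ("10.20.1.0/24", 64500),
    ("10.20.2.0/24", 64500),
    ("10.20.3.0/24", 64500),   # four /24s that are really one /22
    ("10.21.0.0/21", 64500),
    ("10.21.8.0/21", 64500),   # two adjacent /21s that form one /20
    ("10.22.0.0/22", 64500),
    ("10.22.0.0/24", 64500),   # more-specific already covered by its own aggregate
    ("10.30.0.0/24", 64501),   # a different origin: evaluated on its own
]


def group_by_origin(announcements):
    """Bucket announced prefixes per origin AS; strict=True rejects host bits set."""
    by_origin = defaultdict(list)
    for prefix, origin in announcements:
        by_origin[origin].append(ipaddress.ip_network(prefix, strict=True))
    return by_origin


def classify(nets):
    """Return (aggregates, covered, mergeable) for one origin's announcements.

    aggregates: the minimal set that routes the same address space
    covered:    announced prefixes that sit inside another announced prefix
    mergeable:  announced prefixes that collapse with neighbours into a larger block
    """
    aggregates = []
    for version in (4, 6):   # collapse_addresses refuses mixed address families
        same = [n for n in nets if n.version == version]
        aggregates.extend(ipaddress.collapse_addresses(same))
    covered, mergeable = [], []
    for n in nets:
        if any(o != n and o.version == n.version and n.subnet_of(o) for o in nets):
            covered.append(n)
        elif n not in aggregates:
            mergeable.append(n)
    return aggregates, covered, mergeable


def deaggregation_report(announcements):
    """Per origin: how many prefixes were announced and how few would do."""
    report = {}
    for origin, nets in group_by_origin(announcements).items():
        aggregates, covered, mergeable = classify(nets)
        report[origin] = {
            "announced": len(nets),
            "minimum": len(aggregates),
            "aggregates": [str(a) for a in aggregates],
            "covered": [str(c) for c in covered],
            "mergeable": [str(m) for m in mergeable],
        }
    return report


def format_notice(report):
    """Body of the daily mail; origins that are already minimal are left out."""
    lines = []
    for origin, r in sorted(report.items()):
        if r["announced"] == r["minimum"]:
            continue
        lines.append(f"AS{origin}: {r['announced']} prefixes announced, "
                     f"{r['minimum']} would do")
        for a in r["aggregates"]:
            lines.append(f"  announce {a}")
        for c in r["covered"]:
            lines.append(f"  drop {c} (covered by an existing announcement)")
        for m in r["mergeable"]:
            lines.append(f"  drop {m} (part of a larger aggregate)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_notice(deaggregation_report(SAMPLE_ANNOUNCEMENTS)))
```

This is a notification, not a filter: a customer announcing the aggregate plus more-specifics for inbound traffic engineering (the "1 circuit to each provider" case earlier in the thread) will be listed, and a human still decides whether that is deliberate. Feeding it real data means replacing `SAMPLE_ANNOUNCEMENTS` with the Adj-RIB-In of the customer session, which is where the origin AS comes from.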
 
 


Re: IRC Bot list (cross posting)

2005-02-08 Thread Stephen J. Wilcox

Hi,
 you probably didn't think of this but it might not be a good idea to publish a
list of 3000 computers that can be infected/taken over for further nastiness.

if you can privately send me a list of IP addresses (no need to sort) I can
assist you to distribute this information securely?

Steve

On Tue, 8 Feb 2005, J. Oquendo wrote:

 
 
 On Tue, 8 Feb 2005, Justin Azoff wrote:
 
  I found an irc channel with 3000+ irc bots in it including a few hundred
  edu's.
  I have it posted at
 
  http://www.albany.edu/~ja6447/hacked_bots8.txt
 
 
 I started to sort them... Maybe I will finish when I get out of work or
 so. Here is the prettified/sorted list of the above...
 http://www.infiltrated.net/nanog-list-botlist
 
 lynx -dump http://www.infiltrated.net/nanog-list-botlist|grep -i $MYDOMAIN
 
 Further sorted
 http://www.infiltrated.net/nanog-botlist-comcast
 http://www.infiltrated.net/nanog-botlist-edu
 http://www.infiltrated.net/nanog-botlist-optonline
 http://www.infiltrated.net/nanog-botlist-vz
 http://www.infiltrated.net/nanog-botlist-cox
 http://www.infiltrated.net/nanog-botlist-mspring
 http://www.infiltrated.net/nanog-botlist-rr
 
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 J. Oquendo
 GPG Key ID 0x0D99C05C
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0D99C05C
 
 sil @ infiltrated . net http://www.infiltrated.net
 
 How a man plays the game shows something of his
 character - how he loses shows all - Mr. Luckey
 



Re: BCP38 making it work, solving problems

2004-10-13 Thread Stephen J. Wilcox

On 13 Oct 2004, Paul Vixie wrote:

  How many people have seen forged spoofed IP addresses being used for DOS
  attacks lately?
 
 syn-flood protection, and random TCP ISS, are now common enough that
 spoofed-source isn't effective for TCP flows.  if you want to bring down
 somebody's web server then blackhats really do have to use real addresses.

of course the docs were written a couple of years ago, and things have changed a
lot in that time. the proliferation of and ease of establishing bot networks is
such that their controllers don't care if you track them and shut them down as
they are easily replaced

Steve
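What a BCP38 ingress filter actually decides, as an added example that is not from the thread or from the BCP text: each customer-facing interface is tied to the source prefixes assigned to it, and anything arriving with another source is dropped. The interface names, prefixes and flow records below are constructed; `find_spoofed` runs the check over them, and `acl_lines` renders the same rule as IOS-style extended ACL text so the two can be compared.

```python
import ipaddress

# Constructed: the source prefixes each customer-facing interface is allowed to
# originate (what the edge would enforce with an ingress ACL or strict uRPF).
# Interface names and address blocks are made up for this example.
CUSTOMER_PREFIXES = {
    "Gi0/1": ["203.0.113.0/25"],
    "Gi0/2": ["198.51.100.0/24", "203.0.113.128/26"],
}

# Constructed flow records: "ingress-interface src dst proto dport", one per line.
SAMPLE_FLOWS = """\
Gi0/1 203.0.113.10 192.0.2.80 tcp 80
Gi0/1 10.9.8.7 192.0.2.80 tcp 80
Gi0/1 198.51.100.5 192.0.2.53 udp 53
Gi0/2 198.51.100.5 192.0.2.53 udp 53
Gi0/2 203.0.113.150 192.0.2.25 tcp 25
Gi0/2 192.0.2.1 192.0.2.25 tcp 25
"""


def compile_policy(customer_prefixes):
    """Parse the per-interface prefix lists once."""
    return {iface: [ipaddress.ip_network(p) for p in plist]
            for iface, plist in customer_prefixes.items()}


def source_allowed(policy, iface, src):
    """BCP38 test: the source must lie within a prefix assigned to that interface."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in policy.get(iface, []))


def find_spoofed(policy, flow_text):
    """Return (iface, src) for every flow an ingress filter would have dropped."""
    spoofed = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        iface, src, _dst, _proto, _dport = line.split()
        if not source_allowed(policy, iface, src):
            spoofed.append((iface, src))
    return spoofed


def acl_lines(policy, iface):
    """Render the same rule as IOS-style extended ACL text for one interface."""
    lines = [f"permit ip {net.network_address} {net.hostmask} any"
             for net in policy[iface]]
    lines.append("deny ip any any log")
    return lines


if __name__ == "__main__":
    policy = compile_policy(CUSTOMER_PREFIXES)
    for iface, src in find_spoofed(policy, SAMPLE_FLOWS):
        print(f"{iface}: source {src} is not assigned to this interface")
    print("\n".join(acl_lines(policy, "Gi0/1")))
```

Note the third sample flow: 198.51.100.5 is a perfectly good customer address, but it arrives on the wrong interface, so it is dropped too. That is the point of filtering per interface rather than against one provider-wide list, and it is also why the filter only works at the customer edge, where the router knows which sources belong.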



Re: NANOG Posting

2004-10-13 Thread Stephen J. Wilcox

On Wed, 13 Oct 2004, Christian Malo wrote:

 FREE RICHARD

Of course my understanding of revoking posting privileges is that you can't post
to the list.. not that you are imprisoned in the Merit dungeons, I think that
punishment is reserved for Bandy/Husan/etc

However I do like some humor being injected onto the list, so long as the SNR
doesn't diminish too much it can help to inject some life in between the 'paging
bob smith' / 'anyone help me configure bgp' / path mtu / urpf cyclical debates..
actually we've not had Hitler discussed for a while, perhaps I can start a
thread... ooops

Steve



Re: 3 Mb question

2004-10-13 Thread Stephen J. Wilcox

multilinking T1s will work fine.

but depending on your customer, there are lots of things between a T1 and a DS3..
such as 10Mb ethernet

Steve

On Wed, 13 Oct 2004, Gerald wrote:

 
 I've got what seems to me like an innocuous question for this list...
 
 Someone is requesting access to about 3 mb of traffic up/dn. I figure 2
 T1s will give them the 3 Mb I need, but I'm looking for suggestions on
 either efficiently combining those 2 to get the most bandwidth for their
 buck or else I have to look at getting them a ds3 and scaling back to
 what they need.
 
 Is there an good low end suggestion for making effective use of 2 T1s to
 give 3 Mb of bandwidth? In practice, I've seen 2 T1s load balanced with
 CEF not do very well at giving a full 3 Mb. (This was without turning on
 per-packet CEF)
 
 I'm not personally experienced with MLPPP or mux hardware if that helps,
 but I could get it set up if that's the consensus as the best option.
 The NRC of something that would effectively couple the 2 T1s would
 easily beat the MRC of a DS3 which I think might be overkill for just 3
 Mb.
 
 Thanks for suggestions and tips.
 
 Gerald
 



Re: deprecating BCP38 and similar

2004-10-12 Thread Stephen J. Wilcox

with everything you should look at the effort, the returns and the risks. some
simple things can have major benefits but we shouldn't waste effort on major
changes that have little effect and that can be circumvented (I'm referring to
the port 25 blocking discussion of course, wrt bcp38 I don't think anyone [with
clue] thinks it's not worthwhile)

Steve

On Mon, 11 Oct 2004, Edward B. Dreger wrote:

 
 I think I'll change my position on BCP38.  It's pointless to try
 blocking spoofed source addresses because:
 
 * It doesn't solve every single problem
 * It means more effort for service providers
 * It requires more CPU processing power
 * Using it will generate smarter black hats.
 
 I also think everyone should drop all forms of IP ACLs and
 password checking.  Neither of those have solved every Internet
 problem, they require more effort and CPU, and smarter crackers
 have surfaced as a result of their deployment.  These measures
 are ineffective, and it is silly to waste time with them.
 
 Anyone from Microsoft listening?  I suggest you terminate your
 Trustworthy Computing Initiative.  Not every problem is caused by
 a buffer overrun or race condition, and you're wasting billions
 of dollars.  I suggest you post regularly to NANOG, helping
 educate the masses that anything less than a silver bullet is
 wasteful.
 
 
 Eddy, who hopes everyone recognizes hyperbole and sarcasm
 --
 Everquick Internet - http://www.everquick.net/
 A division of Brotsman  Dreger, Inc. - http://www.brotsman.com/
 Bandwidth, consulting, e-commerce, hosting, and network building
 Phone: +1 785 865 5885 Lawrence and [inter]national
 Phone: +1 316 794 8922 Wichita
 _
 DO NOT send mail to the following addresses:
 [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
 Sending mail to spambait addresses is a great way to get blocked.
 
 



Re: short Botnet list and Cashing in on DoS

2004-10-09 Thread Stephen J. Wilcox

On Sat, 9 Oct 2004, Gadi Evron wrote:

 Blocking port 25 for dynamic ranges means they can't send email, so that 
 drone are pretty useless for spammers on that account. Trojan horses 
 would have to use local information for the user's own account (from 
 Outlook or such).

my users like being able to send email. I don't think this can work! (and there
are many legit reasons for not using our own smtp servers.. indeed we have custs
on other ISPs' networks who use our smtp server)

 ISP's could then, I suppose, limit every user to 5 emails a minute (or 
 any other number).

5 emails or 5 recipients? I can send one email with hundreds/thousands of
rcpts.. and again, there are lots of legit reasons for sending a batch of emails

 That combined with domain-keys and sender-ID could make for a much 
 prettier Internet, don't you think?

you mean SPF? I agree, use as many tools as are available in conjunction with
something like spamassassin to score mails as likely spam

 Abuse using port 25 is a major issue today, why not solve it? If a user 
 wants it open, they could always ask for it or even pay more money. 
 Perhaps move to a static IP?

there are many ways of sending spam that don't use port 25..

individual rules are costly to implement and users won't use a service where you
have to pay more for basic services

Steve



Re: short Botnet list and Cashing in on DoS

2004-10-09 Thread Stephen J. Wilcox

On Sat, 9 Oct 2004, Gadi Evron wrote:

  there are many ways of sending spam that dont use port 25.. 
 
 True, but reducing spam from millions to thousands seems like something good,
 no?

their market won't change though, you will just force them to use another method..
at one time open relays were almost exclusively the way used to send spam, now
they aren't nearly as popular (or available)

you can see the same with other problems eg DoS attacks were once all smurfs,
a lot of effort was put into removing amplifiers and now we have the botnets..

I'm not saying do nothing, just only do things which make sense and are
practical

  individual rules are costly to implement and users wont use a service where you 
  have to pay more for basic services
 
 Several big ISP's are blocking port 25 now. I believe this will catch.

we need to look at some examples and what they're doing exactly.. some redirect
it forcibly to their own servers. but I believe this approach is limited in how
you can apply it.. someone like AOL can pretty well classify their users as low
end residential and that's fine ... but move away from this and special
requirements start creeping in and exceptions are not scalable enough.

 It limits the amount of junk coming out from their users, and the usage 
 of their tubes.
 
 I doubt even 0.001% of dynamic range Cable/DSL users will ever call to 
 ask for port 25 to be opened.

I'd suggest your estimate is too low based on all end users

 This is something ISP's can implement, and it works.

this is something *some* ISPs can do ... and I'm not arguing that we shouldn't do
these little things but it's just one limited way and serves more to reduce
problems with your own users than to reduce inbound spam

Steve
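Steve's objection to "5 emails a minute" in the earlier post of this thread, that one message can carry thousands of recipients, can be shown with a small rate limiter. The following is an added example and not code from either poster: a sliding-window limiter keyed by source address, run over a constructed SMTP event log, once counting only `MAIL FROM` (messages) and once also budgeting `RCPT TO` (recipients). The host sending one message to 40 recipients passes the first and is caught by the second. The window and limits, including the recipient budget of 20, are this example's own assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds
MAX_MESSAGES = 5   # the "5 emails a minute" rule from the thread
MAX_RCPTS = 20     # constructed: recipients a source may address per window


def build_sample():
    """Constructed log of (timestamp, source IP, SMTP verb); not real traffic.

    10.0.0.5 sends one message to 40 recipients, 10.0.0.9 sends six
    single-recipient messages in six seconds, 10.0.0.7 is an ordinary user.
    """
    log = [(0, "10.0.0.5", "MAIL")] + [(1, "10.0.0.5", "RCPT")] * 40
    for t in range(6):
        log += [(10 + t, "10.0.0.9", "MAIL"), (10 + t, "10.0.0.9", "RCPT")]
    log += [(30, "10.0.0.7", "MAIL"), (30, "10.0.0.7", "RCPT"),
            (31, "10.0.0.7", "RCPT")]
    return sorted(log)


class SlidingWindowLimiter:
    """Per-source counters for messages and recipients over a trailing window."""

    def __init__(self, window, max_messages, max_rcpts):
        self.window = window
        self.limits = {"MAIL": max_messages, "RCPT": max_rcpts}
        self.seen = {"MAIL": defaultdict(deque), "RCPT": defaultdict(deque)}

    def observe(self, now, src, verb):
        """Record one event; return None if allowed, else the rule that tripped."""
        if verb not in self.limits:
            return None                       # EHLO, DATA, QUIT: not budgeted
        times = self.seen[verb][src]
        while times and now - times[0] >= self.window:
            times.popleft()                   # drop events outside the window
        if len(times) >= self.limits[verb]:
            return f"{verb} limit {self.limits[verb]}/{self.window}s"
        times.append(now)
        return None


def evaluate(log, limiter):
    """Replay the log; return {source: [rules tripped]} for offending sources."""
    tripped = defaultdict(set)
    for t, src, verb in log:
        reason = limiter.observe(t, src, verb)
        if reason:
            tripped[src].add(reason)
    return {src: sorted(r) for src, r in tripped.items()}


if __name__ == "__main__":
    log = build_sample()
    print("messages only:", evaluate(log, SlidingWindowLimiter(WINDOW, MAX_MESSAGES, 10**9)))
    print("with rcpts:   ", evaluate(log, SlidingWindowLimiter(WINDOW, MAX_MESSAGES, MAX_RCPTS)))
```

Counting recipients closes the hole Steve points at, but the legitimate batch sender he also mentions trips the same counter, so in practice the recipient budget is something you raise per account rather than a single number for a dynamic pool.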



Re: routing sniffed traffic

2004-10-08 Thread Stephen J. Wilcox



On Fri, 8 Oct 2004, Nils Ketelsen wrote:

 
 On Thu, Oct 07, 2004 at 09:43:47PM +0100, Stephen J. Wilcox wrote:
 
 [switching/routing traffic from a passive tap]
 
  Hi Peter,
   if you are feeding this into a switch you should be able to switch it
  just like the real traffic.. ie plug your fibers into gbics on
  whatever switch you want to use, i dont see any special requirements for
  this application
 
 I have no practical experience on that, I always used the monitor directly
 on the Tap, but I see a theoretical problem: Where does the switch switch
 it to? The Target MAC of the packet coming from the Tap will
 be still pointing to the device in the production network. 

statically configure your MAC to spoof that of the real interface.

 If you want to route it you will run into the same problem: The copied
 ethernet frame is not addresses to the router in the monitoring network,
 so it will not accept the Ethernet frame.

again, just duplicate the IP address

 Maybe you could do something with faking the MAC on the router
 in the monitoring network to be the same as the MACaddress of the target
 in the production network, but it feels like a dirty hack. 
 
 Or am I missnig something obvious here?

ok so you have the same thoughts.. the key point is the original question
suggested this 'copycat' network is not connected to the real net, and so long
as you don't allow the packets to be routed back into the real net (and hence
create dups) you should be fine.

Steve

 
 Nils
 



Re: routing sniffed traffic

2004-10-07 Thread Stephen J. Wilcox

Hi Peter,
 if you are feeding this into a switch you should be able to switch it just like
the real traffic.. ie plug your fibers into GBICs on whatever switch you want to
use, I don't see any special requirements for this application

Steve

On Thu, 7 Oct 2004, Patrick Arguello wrote:

 
 In my datacenter, I have three Gig links coming in
 that I am sniffing using passive taps.  What I want to
 do is feed these links into a layer 3 switch so that I
 can have them sent to different packet analysis boxes
 by destination address or packet types or ports.  What
 should I look for in a switch for such a use --
 something that can take in sniffed traffic on fiber
 gig links and parcel them out to different servers on
 copper gig links based on routing rules.  
 
 Please email me your recommendation or suggestion
 directly and I will summarize what I find out for the
 list.  
 
 Thanks,
 
 Patrick A.
 
 
 
 
 
 
 
 
   
 



RE: Internet Connectivity

2004-10-01 Thread Stephen J. Wilcox

ahh then you have one of the new wormy things that scans aggressively for easy
accounts on ssh. find the src host and disinfect.

Steve

On Fri, 1 Oct 2004, Jack Vizelter wrote:

 
 Investigation is still ongoing, but from what they can tell, majority of
 the attempted connections have been going over TCP port 22.
 
 -jack 
 
 -Original Message-
 From: Josh Duffek [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 01, 2004 11:05 AM
 To: Jack Vizelter; [EMAIL PROTECTED]
 Subject: RE: Internet Connectivity
 
 Did you run a sniffer to get an idea of what all the traffic is?
 Curious what, if any, port(s) are being flooded.
 
 J
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Jack Vizelter
 Sent: Friday, October 01, 2004 9:56 AM
 To: [EMAIL PROTECTED]
 Subject: Internet Connectivity
 
 
 We had several machines start spewing huge amounts of data causing our
 pipe to the public Internet to stop.  We had no traffic coming in or out
 of the campus.  We're unsure of whether it's virus related, but wanted
 to inquire if anyone else has heard of or came across something similar.
 It appears to be an DDOS attack, but, originating from the inside.  This
 started last night at about 10pm EST.
 
 Thanks,
 -jack
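"Find the src host" for the case Jack describes, as an added example that is not from either poster: the worm's signature in flow data is one inside host opening tcp/22 to many distinct destinations in a short time, which an admin's repeated logins to one box do not match. The campus address space, thresholds and flow records below are constructed; `find_ssh_scanners` returns the internal sources that exceed the distinct-target threshold inside any window.

```python
import ipaddress
from collections import defaultdict

# Constructed: the campus's own address space (the question is about inside hosts).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
WINDOW = 300      # seconds
THRESHOLD = 20    # distinct tcp/22 targets inside WINDOW before we call it a scanner


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in INTERNAL)


def build_sample():
    """Constructed flow records (start_time, src, dst, dport); not real traffic."""
    rows = []
    for i in range(50):                  # one inside host sweeping 50 targets on ssh
        rows.append((100 + i, "10.4.4.4", f"192.0.2.{i + 1}", 22))
    for i in range(30):                  # an admin reconnecting to one box all day
        rows.append((100 + 10 * i, "10.1.1.2", "10.1.1.10", 22))
    for i in range(50):                  # outside host scanning us: not this question
        rows.append((100 + i, "198.51.100.9", f"10.9.9.{i + 1}", 22))
    for i in range(50):                  # an inside crawler, but on port 80
        rows.append((100 + i, "10.5.5.5", f"192.0.2.{i + 1}", 80))
    return sorted(rows)


def find_ssh_scanners(flows, threshold=THRESHOLD, window=WINDOW):
    """Internal sources that hit >= threshold distinct hosts on tcp/22 within a window.

    Returns {src: peak distinct targets}.  Quadratic per source, which is fine
    for the volume one flow exporter produces in an hour.
    """
    per_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 22 and is_internal(src):
            per_src[src].append((t, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            distinct = {dst for t, dst in events[i:] if t - t0 < window}
            best = max(best, len(distinct))
        if best >= threshold:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, n in find_ssh_scanners(build_sample()).items():
        print(f"{src}: {n} distinct ssh targets within {WINDOW}s, check this host")
```

The same shape of query works against NetFlow or a firewall log once the records are mapped to `(time, src, dst, dport)`; the threshold is the only tuning knob, and 20 distinct targets in five minutes is far above anything an interactive user does.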
 



Re: Blackhole Routes

2004-09-30 Thread Stephen J. Wilcox

There are several sources of eBGP feeds for blackholing, they can be very useful
depending on what your requirements are. You can get feeds for spam, DDoS bots,
bogon routes etc

For iBGP this can be useful too, if you are being DDoS'd you can inject an iBGP
route and have all your routers instantly blackhole traffic at your edge instead
of having to statically configure all of them..

regards
Steve

On Thu, 30 Sep 2004, Abhishek Verma wrote:

 
 Hi,
 
 There are ways to add static routes that can be blackholed. I can
 understand the utility of such routes if those are installed in my
 forwarding table. What bewilders me is why would anyone want to
 advertise blackhole routes using say, BGP?
 
 Is it only to prevent some sort of DoS attacks or are there other uses
 also of advertising black hole routes?
 
 Thanks,
 Abhishek
 
 --
 Class of 2004
 Institute of Technology, BHU
 Varanasi, India
 



Re: Blackhole Routes

2004-09-30 Thread Stephen J. Wilcox

we can handle most DoSes ourselves, this is the case with a lot/most? upstreams,
we don't automatically forward blackholes upstream

the only time anyone would need to do that is if a particular upstream's
connection was saturated with the DoS.

I'd agree automatically propagating these isn't good practice.. (imho)

Steve

On Thu, 30 Sep 2004, Deepak Jain wrote:

 
  It goes a little further than that these days. Folks are openly
  allowing customers to advertize routes with something lika a 666
  community which will then be blackholed within their network. So if
  you're a service provider with your own blackhole system, you can
  easily tie it into your upstream's system and dump the traffic many
  hops away from you meaning that the traffic is getting dumped closer
  to the source than the destination in a fair number of cases.
  
 
 This is very dangerous however.
 
 If providers start tying their customer's blackhole announcements to the 
 provider's upstreams' blackhole announcements in an AUTOMATIC process, 
 bad things tm are likely to happen. What happens when a customer of a 
 provider mistakenly advertises more routes than he should [lets say 
 specifics in case #1] you can flood your upstreams' routers with 
 specifics and potentially cause flapping or memory overflows...
 
 In case #2, presumably the blackhole community takes precedence, so if a 
 customer is mistakenly readvertising their multihome provider's table 
 with a 666 tag, all of the upstream providers might be blackholing the 
 majority of their non-customer routes.
 
 Non-automatic tying of customer blackholes to upstream or peer 
 blackholes is a powerful tool to improve the stability of the net as a 
 whole.
 
 Deepak Jain
 AiNET
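The checks that keep a customer-triggered blackhole from becoming the failure Deepak describes, as an added example that is not from any of the posters: a blackhole announcement must carry the agreed community, must be a host route, must fall inside the space that customer is authorised to announce, and is installed with a discard next-hop but never marked for export to upstreams, which is the "non-automatic" handling both Steve and Deepak argue for. The community value, discard next-hop, per-session limit, customer prefixes and announcements below are all constructed for the example.

```python
import ipaddress

# All three constants are constructed for this example; the thread only says
# "something like a 666 community".
BLACKHOLE_COMMUNITY = "64496:666"
DISCARD_NEXT_HOP = "192.0.2.1"     # an address statically routed to Null0 on every router
MAX_BLACKHOLES = 100               # per customer session, so a leak cannot fill the RIB

# Constructed: the space each customer is authorised to announce (from provisioning/IRR).
CUSTOMER_PREFIXES = {
    64500: ["203.0.113.0/24", "198.51.100.0/23"],
}

# Constructed announcements on the AS64500 session: (prefix, communities).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.77/32", ["64496:666"]),   # the victim host: what the feature is for
    ("198.51.100.0/24", ["64496:666"]),   # a whole /24 tagged: not a host route
    ("192.0.2.5/32", ["64496:666"]),      # someone else's space re-advertised with the tag
    ("203.0.113.0/24", []),               # ordinary customer route
]


def blackhole_policy(customer_asn, announcements, customer_prefixes=CUSTOMER_PREFIXES):
    """Split a session's announcements into accepted blackholes, rejections and normal routes."""
    authorised = [ipaddress.ip_network(p) for p in customer_prefixes[customer_asn]]
    accepted, rejected, normal = [], [], []
    for prefix, communities in announcements:
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE_COMMUNITY not in communities:
            normal.append(prefix)          # handled by the regular prefix-list instead
            continue
        if net.prefixlen != net.max_prefixlen:
            rejected.append((prefix, "blackhole must be a host route"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in authorised):
            rejected.append((prefix, "outside the customer's authorised space"))
        elif len(accepted) >= MAX_BLACKHOLES:
            rejected.append((prefix, "per-session blackhole limit reached"))
        else:
            accepted.append({
                "prefix": prefix,
                "next_hop": DISCARD_NEXT_HOP,   # rewritten: traffic is dropped at our edge
                "local_pref": 200,              # wins over the covering customer route
                "export_to_upstream": False,    # never forwarded on without a human
            })
    return accepted, rejected, normal


if __name__ == "__main__":
    acc, rej, norm = blackhole_policy(64500, SAMPLE_ANNOUNCEMENTS)
    for entry in acc:
        print("blackhole", entry["prefix"], "via", entry["next_hop"])
    for prefix, why in rej:
        print("rejected", prefix, "-", why)
    print("normal routes:", norm)
```

The host-route test is what stops Deepak's case #1 (a customer leaking specifics with the tag) and the authorised-space test stops case #2 (a full table re-advertised with the tag); the per-session cap is a belt-and-braces limit on top. Whether a given blackhole then gets passed to an upstream is the saturated-link decision Steve describes, taken by a person, not by the policy.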
 



Re: how much routed IP is PI?

2004-09-26 Thread Stephen J. Wilcox

At least for RIPE (not sure about the others) you could FTP down a copy of the
inetnum db and, using a script, cross-reference it to a BGP table .. should be
easy enough..

Steve

On Sat, 25 Sep 2004, Tom Vest wrote:

 
 Does anyone have a ballpark figure for how much of what's currently in 
 the routing table is provider independent? Are there systematic 
 variations in PI IP availability between ARIN, RIPE, and APNIC?
 
 thanks,
 
 Tom
 
 



Re: RIP in Operation

2004-09-16 Thread Stephen J. Wilcox

On Thu, 16 Sep 2004, Abhishek Verma wrote:

 I am sure that there would be very few people running RIP in their networks,

Actually you'd be surprised.. it's quite common as it's very simple and used on a
lot of low end routers in favor of more CPU/memory intensive OSPF/IS-IS. I know
of a number of customers we have using RIP v1 and v2

Steve



Re: RIP in Operation

2004-09-16 Thread Stephen J. Wilcox


On Thu, 16 Sep 2004, [EMAIL PROTECTED] wrote:

  We route filter and tune the RIP times down quite a bit.  Meets our needs 
  on the edges.
 
 I assume you mean RIPv2, ie. classless. With that caveat, I can certainly
 see why RIP would be used.

not necessarily, classful may still work for many applications although VLSM is
likely to be the sticking point rather than classful boundaries

Steve


