Re: Fire in bakery fries fiber optic cable

2006-03-25 Thread Stephen J. Wilcox

On Thu, 23 Mar 2006, Sean Donelan wrote:

> 
> 
> http://timesunion.com/AspStories/story.asp?storyID=463928&category=BUSINESS&newsdate=3/23/2006
>   A fire Tuesday that tore through a popular bakery in Cohoes left 70,000
>   Time Warner Cable subscribers without TV service. Some who also rely on
>   the cable company for their high-speed Internet or telephone found all
>   three out of commission.
> 
> In the pictures, it appears electric, telephone and cable lines were all
> on the utility poles damaged by the fire.  I'm not sure why time-warner
> cable had the brunt of the outages in the newspaper reports.  It may have
> just been bad luck on which company's lines got baked (sorry, more bad
> puns).

... why is a backbone circuit unprotected? there shouldn't have been an outage

Steve



Re: Middle Eastern Exchange Points

2006-02-08 Thread Stephen J. Wilcox

On Tue, 7 Feb 2006, william(at)elan.net wrote:

> On Tue, 7 Feb 2006, Bill Woodcock wrote:
> 
> > different definitions.  If you say transit is peering, just not by our
> > definitions, then you're into 1984 territory.
> 
> So what exactly is definition of transit that does not make it peering?
> 
> And when ISP A buys access from ISP B for purpose of getting to ISP C is that
> peering or transit?

can't believe you are even invoking this debate.. *cough troll*

it's quite simple:
http://dictionary.reference.com/search?q=transit

1. The act of passing over, across, or through; passage.


if another network's traffic enters your network, then you send it out to
another network, it has transited you.

doesn't matter what money is involved, it's about the act of 'transiting'


peering is just the act of exchanging traffic with another network; whether this
is a transit or peering relationship depends on what routes are exchanged and
whose customers are within those routes.. i think you can work the rest out

Steve



Re: metric 0 vs 'no metric at all'

2006-01-03 Thread Stephen J. Wilcox

On Tue, 3 Jan 2006, Alexander Koch wrote:

> I was wondering if someone had done any or some research on this before...
> basically I am not sure with all the many implementations of BGP and all the
> vendors if and what those will do when they see a metric of 0 and no metric. I
> am not an expert knowing the actual protocol's messages exchanged, but I see
> some routes with nothing in the metric field on the various show commands, and
> some have explicit '0' metric.
> 
> I do not trust all the BGP implementations around, and we consider changing
> the default outbound, with MEDs of course still available on request.

i had this some time ago, can't remember where but i found some answers...

basically no metric is undefined, and can be handled either as all-zero or
all-ones or anything you want really

the best practice was to set med manually to ensure the expected behaviour
occurred.

Steve
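Steve's point above, as an added example that is not from the thread: a small Python model of the MED step of best-path selection, showing how two receivers that handle an absent MED differently pick different exits until the sender sets the MED explicitly. Prefixes, AS numbers and next hops are constructed for the example.

```python
"""Model of the MED step of BGP best-path selection when a route carries
no MULTI_EXIT_DISC attribute at all.

Added example, not from the original thread. RFC 4271 leaves the handling
of an absent MED to the implementation; routers commonly treat it as 0 by
default and offer a knob to treat it as the worst possible value instead.
Route, AS and next-hop values below are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

MED_MAX = 2**32 - 1          # MULTI_EXIT_DISC is a 4-octet unsigned integer


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor_as: int
    next_hop: str
    med: Optional[int] = None    # None models "no metric at all"


def effective_med(route: Route, missing_as_worst: bool) -> int:
    """Value the MED comparison actually uses for this route."""
    if route.med is None:
        return MED_MAX if missing_as_worst else 0
    return route.med


def best_by_med(routes: List[Route], missing_as_worst: bool = False) -> Route:
    """Pick the route with the lowest effective MED.

    MED is only comparable between routes learned from the same neighbouring
    AS (unless an 'always compare MED' style option is on), so refuse mixed
    input rather than silently comparing apples with oranges.
    """
    if len({r.neighbor_as for r in routes}) != 1:
        raise ValueError("MED is only comparable among routes from one neighbour AS")
    return min(routes, key=lambda r: effective_med(r, missing_as_worst))


def selection_depends_on_missing_med(routes: List[Route]) -> bool:
    """True when the receiver's handling of a missing MED changes the result,
    i.e. the sender has left its exit preference up to the neighbour's config."""
    return best_by_med(routes, False) is not best_by_med(routes, True)


def set_explicit_med(routes: List[Route], med: int = 0) -> List[Route]:
    """Steve's fix: never announce a route without a MED.

    Routes that already carry one keep it; bare routes get the default."""
    return [r if r.med is not None else replace(r, med=med) for r in routes]


# Constructed sample: two exits announced by the same neighbour AS, one with
# an explicit MED of 100 and one with no MED attribute at all.
SAMPLE = [
    Route("192.0.2.0/24", neighbor_as=64500, next_hop="198.51.100.1", med=100),
    Route("192.0.2.0/24", neighbor_as=64500, next_hop="198.51.100.2", med=None),
]

if __name__ == "__main__":
    for worst in (False, True):
        print(f"missing-as-worst={worst}: best via",
              best_by_med(SAMPLE, worst).next_hop)
    print("result depends on receiver's knob:",
          selection_depends_on_missing_med(SAMPLE))
    fixed = set_explicit_med(SAMPLE, med=0)
    print("after explicit MED, depends on knob:",
          selection_depends_on_missing_med(fixed))
```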




Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )

2005-12-10 Thread Stephen J. Wilcox

On Sat, 10 Dec 2005, Matthew Sullivan wrote:

> Please remember people..
> 
> RFC 2821 states explicitly that once the receiving server has issued a 
> 250 Ok to the end-of-data command, the receiving server has accepted 
> responsibility for either delivering the message or notifying the sender 
> that it has been unable to deliver.  RFC2821 also says that a message 
> MUST NOT be dropped for trivial reasons such as lack of storage space 
> for the message.  To that end is a detected 
> virus/trojan/malware/phishing scam etc... a trivial reason to drop the 
> message?
> 
> Personally I believe that not trivial means not unless the entire server 
> crashes and disks fry etc...  To that end I am a firm believer that 
> malware messages SHOULD BE rejected at the end of the data command 

rfc2821 was written prior to this problem

we should also take the rfc in context and differentiate between email sent
between individuals, for which the responsibility applies, and email generated by
systems (spam, virus bounces), in which we the providers carry some
responsibility to drop them (okay, it would be better if they didn't exist in the
first place, but that's not reality) if they can be identified, in the best
interests of the user

to not do this is like saying we have a responsibility to ensure end to end
delivery of packets in a DoS attack just because the rules governing routing and
ip stacks don't explicitly cover the use of sinks and filters.

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Joel Jaeggli wrote:

> On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
> 
> 
> >
> >> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
> >> tunneled traffic?
> >
> > no, we're not trying to do that, you don't really think that because it's
> > encrypted it can't be decrypted do you?
> 
> I do believe (reasonably so, I think) that if I'm going have a conversation
> with a second party whom I already trust, that a third party will have trouble
> inserting themself into the path of that conversation without revealing their
> presence..

this is assuming that you are talking to the second party and not in fact me 
sitting in the middle grabbing credentials, possibly by this stage already 
pretending to be that second party

it's also assuming you understand your certificates, keys and trust. i'd bet most
users will click yes when presented with a 'do you trust this new key' message.

> > you don't have to break the code if the endpoints trust sessions with you and
> > share their encryption keys
> 
> Successfully inserting yourself in the middle requires some social-engineering
> or really bad protocol design. The former can be mitigated through vigilance,
> the later falls into the realm of peer review and security research.

you forgot to include 'or user error'.. the protocol may be fantastic but if the
user fails to notice a security alert or does something stupid it can be
compromised.

depending on how good you are you may be able to thwart all but the determined
hacker, although to be fair most people are not going to be a target once they
employ basic security such as weak encryption. but if you are a target then it's
vital to be using strong trusted security and know your onions!

> If I may paraphrase the original posters question (Ross Hosman), it was:
> 
> Do large wireless buildouts present a new security threat due to the potential
> to spoof AP's?
> 
> The answer to that is no, this is a threat we live with currently. We have 
> tools to mitigate the risks associated with it.

mm.. i'd say yes. wifi is still pretty niche, it's in the offices, it's in
airports and starbucks.

once billy bob and his grandpa start using it tho you're bringing it to the
masses who aren't IT trained, who haven't had a security brief, who are running
windows that's not been patched for 2 years and who think 'billy' is reasonable
for their password

so the technology is the same, but the users are new

> You can say that consumers are stupid, and won't figure this out, 

okay "consumers are stupid, and won't figure this out" :-)

> and that may be true; however when it starts to cost them lots of money, they
> will sit up and take notice and buy tools to solve this problem for them, just
> like they do with any other security threat that goes beyond being an
> annoyance.  probably said product will be blue, say linksys on it, and have the
> word vpn (among others) buried on the packaging someplace.

i'm thinking beyond your corporate staff who are currently using these systems
(and quite badly if my casual network sniffing in environments with supposedly
clued individuals is anything to go by!) 

my 2-cents :0)

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Joel Jaeggli wrote:
> On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
> > On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
> >> On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
> >>
> >> Why would you even need to set up an AP?  Why not just sit and sniff 
> >> traffic?
> >> Gets you the _exact_ same information.
> >
> > man in the middle is easier if you are the gateway, no need to steal arp
> 
> you don't have to steal arp on a wireless network, you just sniff the 
> frames as they go by.

> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
> tunneled traffic?

no, we're not trying to do that, you don't really think that because it's
encrypted it can't be decrypted do you?

for example, we want to intercept the encrypted data which we do by putting
ourselves in between the client and the server and pretending to be the server to
the client and the client to the server.. we relay security information and hope
the user clicks 'yes' when they are told the host key has changed

you don't have to break the code if the endpoints trust sessions with you and
share their encryption keys

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Niels Bakker wrote:

> * [EMAIL PROTECTED] (Stephen J. Wilcox) [Mon 21 Nov 2005, 16:07 CET]:
> >On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:
> >>Why would you even need to set up an AP?  Why not just sit and sniff
> >>traffic?  Gets you the _exact_ same information.
> >man in the middle is easier if you are the gateway, no need to steal arp
> 
> It's *wireless*!  You can just sit and sniff traffic, no need to play 
> ARP games to redirect traffic to you.

i was more thinking in terms of breaking into encrypted sessions by spoofing the
server and client

> >here's some fun, next time you're at nanog or your favourite geek conference,
> >just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared
> >to hit scroll lock ;)
> 
> I've visited conferences where the wireless LAN was deemed "secure" by the
> organisation because they had outlawed sniffers.

hehe :)

Steve



Re: Wifi Security

2005-11-21 Thread Stephen J. Wilcox

On Mon, 21 Nov 2005, Patrick W. Gilmore wrote:

> 
> On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
> 
> > So my question is pretty simple. You have all these major companies such as
> > google/earthlink/sprint/etc. building wifi networks. Lets say I want to
> > collect peoples information so I setup an AP with the same ssid as google's
> > ap so people connect to it and I log all of their traffic.  Most people
> > won't check beyond the ssid to look at the mac address but even that could
> > be spoofed. Is there any way to verify a certain ap beyond mac/ssid, will
> > there be in the future? How do these companies plan to mitigate this threat
> > or are they just going to hope consumers are smart enough to figure it out?
> 
> Why would you even need to set up an AP?  Why not just sit and sniff traffic? 
>  
> Gets you the _exact_ same information.

man in the middle is easier if you are the gateway, no need to steal arp

> And why worry about Google, etc., when Starbucks and airports have been doing
> this for _years_?

yup

> Lastly, most consumers are smart enough to know to use encryption (the little
> pad-lock in their browser).  Some aren't.  Changing the WiFi architecture is
> not going to save those who aren't.

'most consumers' .. c'mon, less than one percent.. seriously.. ymmv tho, eg at
airports you stand a higher chance of sniffing a vpn connection but as has been
demonstrated many times, even us techies haven't got our heads around encryption
yet.

here's some fun, next time you're at nanog or your favourite geek conference,
just run 'tcpdump -w - -s1500 -nn|strings|grep -i password' and be prepared to
hit scroll lock ;)

Steve




Re: Peering VLANs and MAC addresses

2005-11-09 Thread Stephen J. Wilcox

Hi Simon,

so you have:

IX---SwitchA---SwitchB---Router

why not disable spanning tree? There is no redundancy here anyway so disable it 
in that particular VLAN.

Steve


On Wed, 9 Nov 2005, Simon Brilus wrote:

> 
> Hi,
> 
> We are unable to resolve a problem with our peering exchange connection and 
> would like any assistance.  Our peering setup is as follows:
> 
> - Our peering exchange connection goes into switch A
> - Switch A has a dark fibre connection to switch B, which is in a different PoP
> - Our peering router is connected to switch B
> 
> We use spanning tree across our network to allow the VLANs connectivity 
> across our network.
> 
> The peering exchange has an MoU that only 1 MAC address should be visible on 
> their switch.  However they see 2 MAC addresses on our port.
> 
> - MAC address of Peering router
> - MAC address of the port they are connected to on switch A
> 
> Is there any way to prevent switch A from presenting the interface MAC 
> address?  Or is this a symptom of spanning tree that cannot be stopped?
> 
> Your input will be most welcome.
> 
> The config on switch A is as follows:
> 
> interface GigabitEthernet0/5
>  description Peering Link
>  switchport access vlan 148
>  switchport mode access
>  speed nonegotiate
>  storm-control broadcast level 5.00
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
>  spanning-tree guard root
> 
> Regards
> 
> Simon Brilus
> 
> 



Re: classful routes redux

2005-11-03 Thread Stephen J. Wilcox

On Thu, 3 Nov 2005, Richard A Steenbergen wrote:

> 
> On Thu, Nov 03, 2005 at 03:29:35PM -0500, Todd Vierling wrote:
> > On Thu, 3 Nov 2005, Stephen J. Wilcox wrote:
> > 
> > > well, /56 /48 /32 seem to have resonance but are not special in any way
> > 
> > Well, they are somewhat special.  All of them are on eight-bit boundaries.
> > The importance of this comes in when deciding how to lay out a routing table
> > in a gate array or memory-based table.
> > 
> > A routing table capable of handling a flat 2^128 addressing space goes
> > beyond the realm of known physics -- and flat 2^64 comes close, at least for
> > a while (consider semiconductor atomic weights, and the fact that 1 mole is
> > approximately 2^79 atoms).  That's quite a stretch, but should give a hint
> > as to why flat addressing does not work for every model.
> 
> Come on now, a lot of new routing gear made today can just barely handle 
> 2^18 routes, and even the high end stuff tops out at 2^20. We're nowhere 
> near handling 2^32 routes even for IPv4, nor should we be, so let's not 
> start the whole "but ipv6 has more space therefore routes will increase to 
> 7873289439872361837492837493874982347932847329874293874" nonsense again.
> 
> Removing the extreme restrictions on IP space allocation by being able to 
> allocate chunks so large that you would RARELY need to go back for a 
> second block would immediately reduce the size of the routing table. Let me 
> state the stats again for the record:
> 
> Total ASes present in the Internet Routing Table:        20761
> Origin-only ASes present in the Internet Routing Table:  18044
> Origin ASes announcing only one prefix:                   8555
> Transit ASes present in the Internet Routing Table:       2717
> 
> There are just not that many distinct BGP speaking networks out there, nor
> will there ever be. NOW is the time to make certain that IPv6 deployments
> make sense in practice and not just in theory, so we don't work ourselves
> into exactly the same mess that we did in IPv4. Let's stop trying to solve
> theoretical scaling problems which will never happen at the expense of
> creating problems which actually DO exist, and apply a little bit of common
> sense.

ack that.

assign one ipv6 prefix to every asn of sufficient size that most will not need 
to request additional space

whilst i'm at the mic here, ditch the idea of microassignments, just give out a
standard /32 block ... let's not start out with ge 33 prefixes in the table when
there's no need

Steve



Re: classful routes redux

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Fred Baker wrote:

> A class A gives you 16 bits to enumerate 8 bit subnets. If you start  
> from the premise that all subnets are 8 bits (dubious, but I have  
> heard it asserted) in IPv4, 

not according to my view of the internet.. 
 
/8: 18 /9: 5 /10: 8 /11: 17 /12: 79 /13: 179 /14: 335 /15: 651 /16: 8553 
/17: 2855 /18: 4793 /19: 10791 /20: 11877 /21: 9990 /22: 13168 /23: 14299 
/24: 93293

> and that all subnets in IPv6 are 16 bits > (again dubious, given the recent
> suggestion of a /56 allocation to an edge network), a /48 is the counterpart
> of a class A. We just have a lot more of them.

well, /56 /48 /32 seem to have resonance but are not special in any way

> All of which seems a little twisted to me. 

you think? :)

> While I think /32, /48, / 56, and /64 are reasonable prefix lengths for what
> they are proposed for, I have this feeling of early fossilization when it
> doesn't necessarily make sense.

classes are bad. but recognise v6 is a bit different, /48 or /56 is the per site
bit which is not comparable to v4. then /32 is the largest generally accepted
prefix for bgp. this suggests anything can happen from 0-32 in bgp and anything
can happen in provider igp for 32-48 or 32-56 and again anything in end user igp
for 48/56-128

repeat 3 times, twice daily. classes are bad, v6 is not v4

Steve



Re: cogent+ Level(3) are ok now

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Jeff Aitken wrote:

> 
> On Wed, Nov 02, 2005 at 02:44:20PM -0600, Pete Templin wrote:
> > I came up with a reasonably scalable solution using communities and 
> > route-map continue, but:
> 
> For what value of "scalable"?

anything, it's 'scalable' :)

Steve



Re: To get internet full routing table

2005-11-02 Thread Stephen J. Wilcox

On Wed, 2 Nov 2005, Joe Shen wrote:

> Is that possible to get full internet routing table without help from upstream
> ISP? or is there any way to get some backbone network's internet routing table
> directly?

is this one of those deep philosophical questions .. like trees falling in 
forests with no one around? :)

you can look at route-views.oregon-ix.net if you want to take a peek at the bgp
table. alternatively you can find a friendly ISP to send you a bgp table if you
want your own copy. www.traceroute.org may also be helpful for you

Steve





Re: oh k can you see

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Joe Abley wrote:

> On 1-Nov-2005, at 14:19, Stephen J. Wilcox wrote:
> 
> > or am i naive too?
> 
> I think you underestimate the tendencies of ISPs all over the world  
> to leak peering routes towards their transit providers.
> 
> Contrary to popular belief, leaks through peers in remote regions do  
> not always result in huge AS_PATHs which are never selected by the  
> rest of the network. For example, some of the most remote and poorly- 
> connected ISPs that F is announced to from local nodes are transit  
> customers of international, default-free carriers.

ok sure, but is this not just normal transit issues, these are not special
because they are a) anycast b) root-servers? if any network's peers leak they
should be reprimanded

Steve



Re: oh k can you see

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Randy Bush wrote:

> my naive view of your current deployment means that k can not
> be seen from any multi-homed sites unless one or more of their
> upstreams (recurse for tier-n) is even more clever and
> implements "t0 is our customer and we ignore NO_EXPORT toward
> customers," thus piling on yet another bit of cleverness, the
> implications of which we can discover in the next level of
> purgatory.

assuming we are talking about the well known community no-export, then i 
understand the problem.

a better solution would be to peer only the anycast node, such that transit
providers continue to propagate to the global internet (minus the peers seeing
the shorter path).

for wider distribution within the region, possibly using a transit provider for
the anycast and use communities supported by the upstream to restrict 
announcement to its peers or upstreams

or am i naive too?

Steve



Re: cogent+ Level(3) are ok now

2005-11-01 Thread Stephen J. Wilcox

On Tue, 1 Nov 2005, Brandon Ross wrote:

> On Tue, 1 Nov 2005, John Payne wrote:
> 
> > What am I missing?
> 
> That it's a pure power play.  

market position is important

> Peering is only distantly associated with costs or responsibilities.  

no, peering is entirely associated with costs or responsibilities.. what other
reason is there to peer?

> It has to do with what company has the intestinal fortitude to draw a line in
> the sand and stick with it no matter how many customers cancel their service. 
>  

have to weigh up the gains and losses to see if that is a good or bad thing tho.

> Those with a critical mass of traffic and the right amount of guts win.  

markets are always stacked in favour of the larger players in that way.. saying
'hey i'm a little guy, give me a chance' generally goes unheard

> Everyone else loses the peering game.

not peering isn't necessarily losing, there are networks who would peer with me
if i turned up in asia or the west coast, but my cost to get there is greater
than sticking to transit.

to get a new peer, both sides need to feel they are gaining value

Steve



Re: cogent+ Level(3) are ok now

2005-11-01 Thread Stephen J. Wilcox

Hi John,

> Even with cold-potato routing, there is an expense in handling increased
> levels of traffic that is destined for your network.  This increase in traffic
> often has no new revenue associated with it, because it is fanning out to
> thousands of flat-rate consumer/small-business connections (e.g. DSL)
> where billing is generally by peak capacity not usage.

not true for cogent tho, we know that virtually all their traffic is usage based
transit customers

Steve



Re: Fwd: The Root has got an A record

2005-10-10 Thread Stephen J. Wilcox

i'm reading looking for your explanation but there isn't one.

and the A record is for what?

anyway it's on a private dns server, the internet roots are fine so why worry? :)

Steve

On Mon, 10 Oct 2005, Peter Dambier wrote:

> 
> See with your own eyes:
> 
> ; <<>> DiG 9.1.3 <<>> -t any . @a.public-root.net
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18588
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;.  IN  ANY
> 
> ;; ANSWER SECTION:
> .   172800  IN  SOA a.public-root.net. 
> hostmaster.public-root.net.\
>  2005101006 43200 3600 
> 1209600 14400
> .   172800  IN  A   57.67.193.188
> .   172800  IN  NS  k.public-root.net.
> .   ...
> .   172800  IN  NS  j.public-root.net.
> 
> ;; Query time: 81 msec
> ;; SERVER: 205.189.71.2#53(a.public-root.net)
> ;; WHEN: Mon Oct 10 16:01:11 2005
> 
> 
>  Original Message 
> Return-Path: <[EMAIL PROTECTED]>
> X-Flags: 
> Delivered-To: GMX delivery to [EMAIL PROTECTED]
> Received: (qmail invoked by alias); 10 Oct 2005 13:07:54 -
> Received: from LAIR.LIONPOST.NET (EHLO LAIR.LIONPOST.NET) [199.5.157.32]
>by mx0.gmx.net (mx072) with SMTP; 10 Oct 2005 15:07:54 +0200
> Received: from list.public-root.com ([199.5.157.32])
>   by LAIR.LIONPOST.NET with esmtp (Exim 4.24) id 1EOx3o-ny-HQ
>   for [EMAIL PROTECTED]; Mon, 10 Oct 2005 08:47:20 -0400
> Received: from [206.254.45.93] (helo=ruby.cynikal.net ident=qmremote)
>   by LAIR.LIONPOST.NET with esmtp (Exim 4.24) id 1EOx3n-nt-5J
>   for [EMAIL PROTECTED]; Mon, 10 Oct 2005 08:47:19 -0400
> Received: (qmail 9881 invoked by uid 1018); 10 Oct 2005 13:10:36 -
> Received: from localhost ([EMAIL PROTECTED])
>   by localhost with SMTP; 10 Oct 2005 13:10:36 -
> Date: Mon, 10 Oct 2005 09:10:36 -0400 (EDT)
> From: Joe Baptista <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Subject: [Pr-plan] BAD NEWS Re: IASON Root Domain Observatory (fwd)
> X-BeenThere: [EMAIL PROTECTED]
> X-Mailman-Version: 2.1.2
> Precedence: list
> List-Id: 
> List-Unsubscribe: ,
>   
> List-Archive: 
> List-Post: 
> List-Help: 
> List-Subscribe: ,
>   
> Sender: [EMAIL PROTECTED]
> Errors-To: [EMAIL PROTECTED]
> X-GMX-Antivirus: 0 (no virus found)
> X-GMX-Antispam: 0 (Mail was not recognized as spam)
> X-GMX-UID: /QI4Y8R1eSEkOtTJ43QhaXN1IGRvb4Di
> 
> 
> Folks - got some bad news.  The Public-Root has acquired an A record - yup
> that's right - an A record.  Which see below.  Have tried to contact Paul
> Scheepers - our absent minded root operator - who now hovers very close to
> criminal conspiracy - to get him to fix this mistake.  No one is at home at
> the inn.  Not good.  See appended message to Peter Dambier and our
> public-root associates.
> 
> I have no idea how a root will respond with an A record in it.  Should be
> interesting - but have no doubt a few things out in the wild have been
> broken.
> 
> regards
> joe
> 
> -- Forwarded message --
> Date: Mon, 10 Oct 2005 09:03:04 -0400 (EDT)
> From: Joe Baptista <[EMAIL PROTECTED]>
> To: Peter Dambier <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
>   [EMAIL PROTECTED]
> Subject: Re: IASON Root Domain Observatory
> 
> 
> Report this to NANOG and the IETF.  Make sure you send them a copy of my
> response and the headers of this message.  I am holding UNIDT personally
> responsible for this technical nightmare.
> 
> regards
> joe
> 
> On Mon, 10 Oct 2005, Peter Dambier wrote:
> 
> > Kewl, '.' has got an A record :)
> >
> > ; <<>> DiG 9.1.3 <<>> @a.public-root.net . axfr
> > ;; global options:  printcmd
> > .   172800  IN  SOA a.public-root.net. 
> > hostmaster.public-root.net. 2005100906 43200 3600 1209600 14400
> > .   172800  IN  A   57.67.193.188
> > .   172800  IN  NS  a.public-root.net.
> 
> Joe Baptista, Official Public-Root Representative and Lobbyist to the
> United States Congress and Senate / Tel: +1 (202) 517-1593
> 
> Public-Root Disclosure Documents: http://www.cynikal.net/~baptista/P-R/
> Public-Root Discussion Forum: 
> http://lair.lionpost.net/mailman/listinfo/pr-plan
> 
> 
> 
> ___
> Pr-plan mailing list
> [EMAIL PROTECTED]
> http://LAIR.LIONPOST.NET/mailman/listinfo/pr-plan
> 
> 
> 



Re: Cogent/Level 3 depeering

2005-10-09 Thread Stephen J. Wilcox

On Sat, 8 Oct 2005, [EMAIL PROTECTED] wrote:

> On Sat, 08 Oct 2005 20:41:55 BST, "Stephen J. Wilcox" said:
> > my rule would be if your provider can manage an autonomous system better than
> > you and multihoming isn't a requirement of your business then let them take on
> > the management
> 
> I'm willing to bet there's a lot of single-homed customers of both Cogent and
> L3 that 2 weeks ago didn't think multihoming was a requirement of their
> business either, who now are contemplating it.  Plus possibly some
> single-homed customers of other large providers as well.

Sure, but consider: is it worse to have a very small number of complaining
customers who can't get to a bit of the web for 2 or 3 days, or a complete outage
to the Internet for a few hours because of a problem you can't fix.

I see the latter occurring quite frequently, in particular I see support queries
about loss of connectivity to large parts of the Internet which on inspection
was caused by dampening because the ISP was flapping.

I'm just saying, you fix one problem and create a whole bunch of new ones and it
depends on the customer as to which results in the optimum situation.

Steve



Re: OT: Connection restored between feuding Net providers Cogent/L3

2005-10-09 Thread Stephen J. Wilcox

it's only temporary, level3 have given a temporary stay until 9th nov


On Sun, 9 Oct 2005, Henry Linneweh wrote:

> Connection restored between feuding Net providers
> 
> http://news.yahoo.com/s/nm/backbone_dc;_ylt=ArskJPD_l3TpJ01SroWSOdQjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
> 



Re: Level 3's side of the story

2005-10-08 Thread Stephen J. Wilcox

On Sat, 8 Oct 2005, Richard A Steenbergen wrote:

> the last two times Cogent was depeered, it responded by intentionally blocking
> connectivity to the network in question, despite the fact that both of those
> networks were Sprint customers and thus perfectly reachable under the Sprint
> transit Cogent gets from Verio. While no one has come forward to say if the
> Cogent/Verio agreement is structured for full transit or only Sprint/ATDN
> routes, Cogent has certainly set a precedent for intentionally disrupting
> connectivity in response to depeering, as a scare tactic to keep other
> networks from depeering them.

i don't see it like that.. and you reapply your view in your later email to me.

cogent and level3 were peers. level3 want to change that, the only solution 
level3 will consider is for cogent to purchase transit with another provider 
(sprint/verio) or pay them direct.


whether cogent's contract with verio could provide it transit to level3 for the 
same price is irrelevant. the fact is cogent currently does not use verio for 
this and they do not want to add a number of Gbps to their transit service

there's nothing special about level3 being tier-1 and cogent being tier-2 with
verio transit. the status of these networks is not at issue, both sides have a
right to decide whether to connect via settlement free peering or not. of course
for level3 to transit to cogent would be inconceivable to them, but that's ego /
economics / marketing, not a principle of networking

that either network could use transit to reach the other is an engineering 
point, that neither wants to pay to do so is a business point. and this is a 
business problem.

Steve



Re: Level 3's side of the story

2005-10-08 Thread Stephen J. Wilcox

On Sat, 8 Oct 2005, Eric Louie wrote:

> DISCLAIMER:  From one of the clueless

i'm not picking on you as there's a huge amount of misinformation being posted on
this thread but perhaps a private email to someone with questions might be
better. having said that, perhaps this will serve to educate..

> During this entire debacle, I never saw any mention of:
> 
> 1)  Cogent sending "transit" traffic to Level3, which leads me to believe that
> all the traffic from Cogent through the peering points was actually *destined*
> for Level3 customers.  Does the routing support this idea?  Is it safe to
> assume the opposite, also... that only traffic destined for Cogent customers
> came through the Level3 peering points?  And that Level3 had one and only one
> path to Cogent (no one else providing transit for them to Cogent AS'es?)

peering is all about exchanging bgp on your customers with the peer, it excludes
sending routes from another peer which is usually called transit

> 2)  Level3 making any contingency for their own customers to reach Cogent
> networks (any announcements to their own customers)

understand the inability to reach cogent was the desired result for level3, had 
a contingency been put in place level3 would have been heading in the opposite 
direction to which they are moving (they are moving to force cogent to buy 
transit, not moving to pay for their connectivity to cogent nor to keep the 
current settlement free arrangement)

> 3)  Possible traffic issues.  Was Cogent guilty of not transporting the 
> Level3-bound packets within the Cogent network to the closest point-of-entry 
> peer to the host in the Level3 network, therefore "costing" Level3 transit 
> of their own packets?  In other words is it also a traffic engineering 
> issue?

cogent has not got a transit provider giving them level3 routes (as far as we
understand) and they have not gone and setup any such transit arrangement whilst
waiting for the depeering.

it is not allowed for you to send traffic to another network via a peering. so
eg if you peer with me we will send you only our customer routes, if you
forcibly get cogent's routes and route them over us without our permission you
are stealing bandwidth and we will either depeer, sue, or both. to obtain this
'permission' would mean us acting as a transit for you and we'd probably want
some money to do that. (consider i do not exchange money with my peers, if one
peer uses me to reach another peer nobody is paying me for the use of my
network).

> Are some of the business issues solvable by proper engineering and filtering
> (or statistics-jockeying)?

short answer: no, this is a political and business problem not one of 
engineering.

longer answer: level3 may be claiming that either cogent has insufficient 
traffic, that it has too much outbound or that it isn't in enough geographic 
locations. cogent could invest money to comply with level3's peering requirement. 
but this ultimately results in cogent spending money either to meet a new 
peering requirement or paying level3 direct to maintain a settlement peering.

Steve

> 
> - Original Message - 
> From: "Jon Lewis" <[EMAIL PROTECTED]>
> To: 
> Sent: Friday, October 07, 2005 9:45 PM
> Subject: RE: Level 3's side of the story
> 
> 
> >
> > On Fri, 7 Oct 2005, David Hubbard wrote:
> >
> >>> I don't remember seeing this public notice from Level(3) posted
> >>> Wouldn't that be "without notice from Level(3)"?
> >>
> >> They notified Cogent, not the public.  Cogent chose to
> >
> > I think it's also interesting, that AFAIK, Level3 didn't give their own 
> > customers any advance notice.  We're a customer.  I saw nothing about this 
> > until it hit nanog.  We're multi homed, so the impact on us was unnoticed.
> >
> > Suppose you're a single homed L3 or Cogent customer doing regular business 
> > with a single homed Cogent or L3 customer.  If your provider gave you 
> > several weeks notice, and if you realized the coming problem, you might 
> > take some steps to work around the issue, depending on how important your 
> > internet communications are.  Do the typical peering NDAs forbid giving 
> > customers this sort of notice?  Is it better to surprise them with a 
> > multi-day outage and then give them 30 days notice that it's going to 
> > happen again??
> >
> >>> Splendid, that gives the world sufficient time to accept
> >>> Cogent's offer of 1 year free service.
> >>
> >> This is not the first time Cogent has used their customers
> >> as pawns in peering disputes, I don't know if I'd jump on
> >> the bandwagon so quickly (spoken as a customer of both
> >> companies).
> >
> > If you're multihomed and using Cogent as a cheap bandwidth whore, does it 
> > matter if their cheap bandwidth gives you 155k routes instead of 168k 
> > routes?  After all, if it's cheap and off-loads enough traffic from your 
> > more expensive 168k route circuits, isn't it doing what you bought it for?
> >
> > Also, is 30 days r
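The export rule Steve spells out above (a peer gets your customer routes and nothing learned from other peers or from transit) and the "stealing bandwidth" case that follows from breaking it, as an added example that is not code from the thread; all AS names, prefixes and flow records are constructed:

```python
"""Added example (not from the NANOG thread): a minimal model of the
settlement-free peering rule described above, where a network announces
only its own and its customers' routes to a peer, never routes learned
from other peers or from its transit provider, plus a defender-side
check that flags a neighbour pushing traffic at destinations we never
announced to it. AS names, prefixes and flow records are constructed."""
from ipaddress import ip_address, ip_network

CUSTOMER, PEER, TRANSIT = "customer", "peer", "transit"

# Constructed neighbour table: relationship of each neighbour to us.
NEIGHBOURS = {
    "cust-a": CUSTOMER,
    "cust-b": CUSTOMER,
    "peer-x": PEER,
    "peer-y": PEER,
    "upstream": TRANSIT,
}

# Constructed RIB: (prefix, neighbour the route was learned from).
RIB = [
    ("203.0.113.0/25", "cust-a"),
    ("203.0.113.128/25", "cust-b"),
    ("198.51.100.0/24", "peer-x"),    # a customer of peer-x
    ("192.0.2.0/24", "upstream"),     # reachable only via our paid transit
]

# Constructed flow records: (ingress neighbour, destination IP, bytes).
FLOWS = [
    ("peer-y", "203.0.113.7", 1_200),
    ("peer-y", "198.51.100.9", 9_000_000),   # peer-y reaching peer-x's customer through us
    ("peer-x", "192.0.2.3", 500_000),        # peer-x riding our transit circuit
    ("cust-a", "192.0.2.3", 700),            # customers may send anywhere
    ("upstream", "203.0.113.200", 40),
]


def export_allowed(learned_from, export_to):
    """Export rule: customer routes go to everyone; routes learned from a
    peer or a transit provider go only to customers. Announcing them to a
    peer would turn us into that peer's unpaid transit."""
    if learned_from == CUSTOMER:
        return True
    return export_to == CUSTOMER


def build_export_table(rib, neighbours):
    """Map each neighbour to the set of prefixes we announce to it."""
    table = {name: set() for name in neighbours}
    for prefix, src in rib:
        for dst, rel in neighbours.items():
            if dst == src:
                continue   # never hand a route back to where it came from
            if export_allowed(neighbours[src], rel):
                table[dst].add(prefix)
    return table


def find_unannounced_traffic(flows, announced, neighbours):
    """Return flows from non-customer neighbours whose destination lies
    outside what we announced to them. A paying customer may send traffic
    anywhere; a peer or provider should only deliver traffic for the
    prefixes we gave it, so anything else is a sign it is defaulting or
    leaking routes to use our network as free transit."""
    suspicious = []
    for ingress, dst_ip, byte_count in flows:
        if neighbours.get(ingress) == CUSTOMER:
            continue
        allowed = [ip_network(p) for p in announced.get(ingress, ())]
        if not any(ip_address(dst_ip) in net for net in allowed):
            suspicious.append((ingress, dst_ip, byte_count))
    return suspicious


if __name__ == "__main__":
    table = build_export_table(RIB, NEIGHBOURS)
    for name in NEIGHBOURS:
        print(f"announce to {name:9s}: {sorted(table[name])}")
    for ingress, dst, nbytes in find_unannounced_traffic(FLOWS, table, NEIGHBOURS):
        print(f"unannounced destination {dst} via {ingress}: {nbytes} bytes")
```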

Re: Cogent/Level 3 depeering

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, Daniel Golding wrote:

> On 10/6/05 10:37 AM, "Patrick W. Gilmore" <[EMAIL PROTECTED]> wrote:
> 
> > 
> > On Oct 6, 2005, at 10:19 AM, tony sarendal wrote:
> > 
> >> This is not the first and certainly not the last time we see this kind
> >> of event happen.
> >> Purchasing a single-homed service from a Tier-1 provider will
> >> guarantee that you
> >> are affected by this every time it happens.
> > 
> > s/every time it happens/every time it happens to YOUR upstream
> > 
> > People on Sprint, AT&T, GLBX, MCI, etc. were unaffected.  Only people
> > who single-home to L3 or Cogent have disconnectivity.
> 
> Take-away: Do not single home. I'm shocked folks aren't figuring this out.
> If you are a webhoster or enterprise and your business model can not support
> multiple Internet pipes, than you have a suboptimal business model (to put
> it lightly)

disagree.

i know networks who multihome to avoid this kind of problem but introduce new 
problems with greater risk because they are unable to run bgp properly (be it 
from inadequate hardware, bad config, bad administration)

my rule would be if your provider can manage an autonomous system better than 
you and multihoming isn't a requirement of your business then let them take on 
the management.

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, [EMAIL PROTECTED] wrote:

> Seems to me that the ideal here would be for the industry to agree on a
> dispute resolution mechanism and for all bilateral peering agreements to
> include the same arbitration clause. For this kind of arbitration to function
> well, the arbitrators need to have some understanding of the industry and the
> technology. This can only be accomplished by selecting one arbitration
> organization to handle all the arbitration duties for the whole industry.

the trouble is that there is no regulatory requirement of peering, there is no 
accepted standard for peering, the definition of fair varies greatly and the 
policies that exist are based on many criteria and personalities

the problem that would arise as i see it is that such an arbitrator would be 
consistent with its decisions but that would be consistently right for one 
player and consistently wrong for another.. and if we apply that to the current 
scenario we can see arguments for both cogent's and level3's positions

> Airing dirty laundry in public like this hurts the whole industry, not just
> Level 3 and Cogent in particular. The solution is to use binding arbitration
> clauses in all interconnect agreements whether settlement-free, paid peering
> or settlement-based.

i'm not sure the industry does get hurt, to us this is a major incident, but in 
reality there appears to only be a handful of affected customers and it's not 
getting much attention from the press

someone implied this might work in the favour of non-tier-1 networks so if that 
were true that would be a benefit to such networks!

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-08 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, William Allen Simpson wrote:

> 
> Stephen J. Wilcox wrote:
> > On Fri, 7 Oct 2005, William Allen Simpson wrote:
> >>Rather than speculation, it would be helpful to refer to the actual
> >>contracts.  Please post the relevant sections, Mr Wilcox.
> > 
> > the contract talks of on-net traffic, off-net traffic and excused outages
> > 
> > excused outages includes that of third party network providers
> > 
> > off-net traffic has a 99% SLA excluding excused outages.
> > 
> Again, rather than speculation, it would be helpful to refer to the actual
> contracts.  Please post the relevant sections, not your summary of an index of
> definitions, Mr Wilcox.

that was it, i just shortened it

> For instance, I rather doubt that the contract language defines a decision of
> L(3) to terminate connectivity to a third party as an "excused outage".  But
> we won't know without the contract.
> 
> Enlighten us.

"excused outages ... includes ... third party network providers"

it doesn't go anywhere talking about peerings or specifics of the connectivity, 
but it seems to me that the ability to pass traffic to cogent falls right in 
this get-out clause as it is a third party

IANAL but i'd push to break contract rather than sue Level3 as the latter seems 
to be a very big gamble

Steve



Re: Cogent/Level 3 Contracts (was: Cogent/Level 3 depeering)

2005-10-07 Thread Stephen J. Wilcox

On Fri, 7 Oct 2005, William Allen Simpson wrote:

> 
> Stephen J. Wilcox wrote:
> > On Thu, 6 Oct 2005, JC Dill wrote:
> >>IMHO all L3 customers have a valid argument that Level 3 is in default of any
> >>service contract that calls for "best effort" or similar on L3's part.
> > 
> > can you cite the relevant clause in your Level3 contract that brings you to this 
> > conclusion.. hint: you might be looking a long time because it doesn't exist and 
> > they're not in breach
> > 
> Rather than speculation, it would be helpful to refer to the actual
> contracts.  Please post the relevant sections, Mr Wilcox.

the contract talks of on-net traffic, off-net traffic and excused outages

excused outages includes that of third party network providers

off-net traffic has a 99% SLA excluding excused outages.

Steve



Re: Cogent/Level 3 depeering

2005-10-07 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, JC Dill wrote:

> Alex Rubenstein wrote:
> 
> > Further, the internet has always been a best-effort medium.
> 
> Can someone please explain how Level 3 is making a "best effort" to connect
> their customers to Cogent's customers?

that's not what alex means as you know. and Level(3)/Cogent are playing a pain 
game here, it's 'no effort' not 'best effort'

> Various people have stated that uneven data flows (e.g. from mostly-content
> networks to mostly-eyeball networks) is a good reason to not peer.  I'd love
> to know how it improves Level 3's network to have data from Cogent arrive over
> some *other* connection rather than directly from a peering connection.  Do

perhaps the other connection is already carrying significant outbound so this 
extra inbound is a small net cost, that would support L3's argument

> So why break off peering???

this is about politics not engineering, don't try to confuse them. peering often 
is.

> AFAICT there's only one reason to break off peering, and it's to force 
> Cogent to pay (anyone) to transit the data.  Why does L3 care if Cogent 
> sends the data for free via peering, or pays someone ELSE to transit the 
> data?

the economics are different for cogent, cogent loses some marketing advantage.. 
i can think of other reasons

> I think this is about a big bully trying to force a smaller player off 
> of the big guys' playing field (tier 1 peering).  From where I sit it 

cogent isn't a small player, they are a real threat to L(3).. don't feel sorry for 
them, they're not being bullied!

> looks like an anti-competitive move that is not a "best effort" to serve 
> their customers but a specific effort to put another (smaller) 
> competitor out of business (of being a transit-free or mostly 
> transit-free backbone) by forcing them to pay (someone), forcing their 

really? you mean one company wants to take business from the other company? 
that's amazing.. and i thought ISPs existed together in harmony never looking at 
each other's customer bases

> IMHO all L3 customers have a valid argument that Level 3 is in default of any
> service contract that calls for "best effort" or similar on L3's part.

can you cite the relevant clause in your Level3 contract that brings you to this 
conclusion.. hint: you might be looking a long time because it doesn't exist and 
they're not in breach

> I also believe that Cogent has a valid argument that Level 3's behavior is
> anti-competitive in a market where the tier 1 networks *collectively* have a
> 100% complete monopoly on the business of offering transit-free backbone
> internet services.  As such, L3's behavior might fall into anti-trust
> territory - because if Cogent caves in over this and buys transit for the
> traffic destined for L3 then what's to stop the rest of the tier 1 guys from
> following suit and forcing Cogent to buy transit to get to *all* tier 1
> networks?  Then who will they (TINT) force out next?

these are big companies, they can fight their own battles. there is no tier-1 
monopoly. in many cases it's cheaper to send data via transit than peering so why 
do you care about transit-free anyway?
 
> What's to stop a big government (like the US) from stepping in and attempting
> to regulate peering agreements, using the argument that internet access is too
> important to allow individual networks to bully other networks out of the
> market - at the expense of customers - and ultimately resulting in less
> competition and higher rates?  Is this type of regulation good for the
> internet?  OTOH is market consolidation good for the internet?

they're not acting illegally or as a monopoly, and there's no anti-trust so 
there's no reason to expect any government interventions.

Steve



Re: Cogent/Level 3 depeering

2005-10-07 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, tony sarendal wrote:

> On 06/10/05, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote:
> >
> > On Oct 6, 2005, at 10:19 AM, tony sarendal wrote:
> >
> > > This is not the first and certainly not the last time we see this kind
> > > of event happen.
> > > Purchasing a single-homed service from a Tier-1 provider will
> > > guarantee that you
> > > are affected by this every time it happens.
> >
> > s/every time it happens/every time it happens to YOUR upstream
> >
> > People on Sprint, AT&T, GLBX, MCI, etc. were unaffected.  Only people
> > who single-home to L3 or Cogent have disconnectivity.
> >
> >
> > > Now, is being a tier-1 now a good or bad sales argument when selling
> > > internet access ?
> >
> > It's still a good argument, because Marketing != Reality. :)
> >
> 
> Patrick, it happens to every PA customer who buys his service from one
> of the Tier-1 providers active in the de-peering.
> 
> If a PA customer buys his service from a non-tier1 this will most
> likely not happen, unless that provider has bought transit in a very
> unwise way.
> 
> The entire point is that it's not always good to be too close to tier-1 space.

See my other post tho, connectivity disputes and problems can arise between any 
networks, being tier-1 isn't special.. anyone can choose not to give access or 
send routes to any other network.

Steve



Re: Cogent/Level 3 depeering

2005-10-06 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, tony sarendal wrote:

> 
> On 06/10/05, Stephen J. Wilcox <[EMAIL PROTECTED]> wrote:
> > On Thu, 6 Oct 2005, tony sarendal wrote:
> >
> > > Is being a tier-1 now a good or bad sales argument when selling internet
> > > access ?
> >
> > it's the same as it always was, it's a marketing positive. but that's because the
> > market is dumb.
> >
> > if you wish to make your purchasing decision on 'tier-1' status that's up to you,
> > but i'll be looking at performance, price, strategy, service level and what type
> > of supplier i want for a company like mine.
> >
> > cogent is cheap and you get what you pay for. level3 is mid-price, but they
> > really don't care much about their customers (or that's what i found). perhaps you
> > want better customer service or to deal with a smaller company to gain their
> > attention and respect.
> >
> 
> I didn't mean for this to sound so much like a question, but I believe
> I posted before my first cup of coffee.
> 
> This is not the first and certainly not the last time we see this kind
> of event happen.
> Purchasing a single-homed service from a Tier-1 provider will guarantee that you
> are affected by this every time it happens.
> 
> Now, is being a tier-1 now a good or bad sales argument when selling
> internet access ?

how would purchasing from a tier-2 be any different (and by historical 
definition cogent is a tier-2), i've seen networks intentionally block routes 
from competitors for various reasons, and ultimately this is about your level of 
connectivity to the parts of the Internet

anyone can have connectivity issues either by choice or by accident, you have to 
decide whether your chosen supplier is giving you a service level you are happy 
with for the price, what the risks are and what failure modes they are likely to 
present.

Steve




Re: Cogent/Level 3 depeering

2005-10-06 Thread Stephen J. Wilcox

On Thu, 6 Oct 2005, tony sarendal wrote:

> Is being a tier-1 now a good or bad sales argument when selling internet
> access ?

it's the same as it always was, it's a marketing positive. but that's because the 
market is dumb.

if you wish to make your purchasing decision on 'tier-1' status that's up to you, 
but i'll be looking at performance, price, strategy, service level and what type 
of supplier i want for a company like mine.

cogent is cheap and you get what you pay for. level3 is mid-price, but they 
really don't care much about their customers (or that's what i found). perhaps you 
want better customer service or to deal with a smaller company to gain their 
attention and respect.

choose your supplier based on your own criteria, not someone else's or on who has 
the most marketing points.

Steve





Re: While Bush fiddles, New Orleans dies

2005-09-07 Thread Stephen J. Wilcox

Apologies to the 'dawg..

perhaps those responsible would stop, it's not very amusing

Steve

On Wed, 7 Sep 2005, Fergie (Paul Ferguson) wrote:

> I absolutely am _not_ responsible in any way, shape, or form, for those
> messages.
> 
> While some of my posts skirt the ever-changing topicality of the list, you
> have to admit -- I always send directly from my webmail account (wouldn't
> dream of sending from my corporate account :-)
> 
> - ferg
>
> -- Robert E.Seastrom <[EMAIL PROTECTED]> wrote:
> 
> "Stephen J. Wilcox" <[EMAIL PROTECTED]> writes:
> 
> > where's the ops in this? 
> >
> > don't get me wrong, i'm sympathetic with new orleans and also
> > definitely not a bush supporter but this is verging on incitement
> > and i don't see the point of the post to here
> 
> My guess: someone who doesn't like Paul (and there are plenty of
> people who have groused privately about his prolific posting of
> current news stories) is trying to make him look bad (or doing a
> savage parody, depending on how you look at it) by abusing the
> http://www.tribuneinteractive.com/ "mail someone this story" feature.
> Look at the headers...  it was obviously sent by tribuneinteractive,
> and it's pretty unlike Paul to do something like this.
> 
> So that's my hypothesis anyway.  We'll wait till Paul is awake to be
> able to confirm or deny it.
> 
> ---Rob
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  [EMAIL PROTECTED] or [EMAIL PROTECTED]
>  ferg's tech blog: http://fergdawg.blogspot.com/
> 
> 



Re: While Bush fiddles, New Orleans dies

2005-09-07 Thread Stephen J. Wilcox

where's the ops in this? 

don't get me wrong, i'm sympathetic with new orleans and also definitely not a 
bush supporter but this is verging on incitement and i don't see the point of the 
post to here

On Tue, 6 Sep 2005, [EMAIL PROTECTED] wrote:

> 
> This story was sent to you by: Fergie (Paul Ferguson)
> 
> 
> While Bush fiddles, New Orleans dies 
> 
> 
> Jimmy Breslin
> 
> September 4, 2005
> 
> This is a review of the performance of George W. Bush in tight times in this 
> nation. It might explain the single solitary most catastrophic collapse of 
> American government in all of our times. Mark ye well. This was the week when 
> we turned a major American city into Haiti, and racism put its hand out and 
> started to choke a nation, and it may not let go.
> 
> With the water coming from the sky and the bottom of the sea, driving with 
> such ferocity that a major American city, New Orleans, followed its face into 
> the water, George W. Bush was at North Island in Coronado, Calif., speaking 
> to a blindingly white audience of 9,000 sailors in uniform.
> 
> At the hour, blacks were drowning in New Orleans. Blacks pushed through water 
> that was up to their chests and was thick with the rawest sewage of a major 
> city. Blacks were on rooftops begging to live. Wherever cameras swept, the 
> only thing that was white was a towel being waved by a black woman begging 
> for help, while the tiny black legs of a baby dangled from her shoulder.
> 
> Bush was in white Coronado to speak to a military audience on the anniversary 
> of V-J Day.
> 
> Get those sailors in their whites clapping.
> 
> He barely seemed to understand there was a hurricane for the first three 
> days. He was in Coronado, outside San Diego, and in his speech, he managed to 
> mention New Orleans, by saying that people should not return to their homes 
> until rescue crews could do their work.
> 
> Nobody had to be told not to return to their homes because they don't have 
> homes to return to, and no bus fare to go anywhere.
> 
> He then told Americans to send donations to the Red Cross and the Salvation 
> Army. How marvelous! His administration sends billions and billions of tax 
> money to his personal war in Iraq to shoot up Fallujah for the third or 
> fourth time since he started the war with his lies, and now he wants 
> everybody to go out on the street and give forty dollars to hurricane charity.
> 
> Bush's style is to be nowhere if things that carry a bit of fear happen. 
> During Vietnam, he kept all dental appointments. For the World Trade Center 
> attack, he first froze in a classroom in Florida. Then he flew off in his 
> plane for long hours. Three days later, he got to New York where a flunky 
> placed a retired firefighter, Bob Beckwith from Long Island, alongside him 
> atop a truck. Then Bush called out a football dressing room speech over a 
> bullhorn.
> 
> Last week, he spoke in Coronado with the carrier Ronald Reagan parked in the 
> background. This was his sixth visit to San Diego as president.
> 
> In May 2003 Bush landed on the carrier Abraham Lincoln in the waters off San 
> Diego. He wore a green flight suit, with a helmet under his arm. Why 
> shouldn't he look like this? He was an American warrior. He changed into a 
> business suit and spoke in front of a banner proclaiming, "Mission 
> Accomplished."
> 
> There have been nearly 1,800 bodies in boxes returned from Iraq since then.
> 
> Friday, showing up on the fifth day of a national tragedy, Bush made a little 
> humorous aside about the times he was in New Orleans celebrating too much. 
> Beautiful! If he tried to walk fifty yards he could have tripped over 
> somebody's dead black grandmother under a blanket.
> 
> How do you like it? How do you like having a president who at a time like 
> this reminisces about getting drunk in New Orleans? White boy with Daddy's 
> money roaring at Mardi Gras in a town black for the rest of the year.
> 
> If whites were in trouble in New Orleans, trust that his government would 
> have been there early and the aid massive.
> 
> This racism, which is at the bottom of everything in America, makes it only 
> natural for Bush and his people to talk about turning to Rudolph Giuliani to 
> save New Orleans as he supposedly saved New York after the World Trade Center 
> attack.
> 
> In New York, Giuliani did nothing but go on television. That's all he did and 
> all he ever can do. Beautiful! There are television cameras in New Orleans. 
> And just like Bush, Giuliani doesn't want many blacks near him. If more than 
> two blacks entered City Hall, he called for snipers. Giuliani doesn't even 
> have a show black like Condoleezza Rice, who bought shoes in Ferragamo in 
> Manhattan this week.
> 
> Bush got found out this week and he needs his own rescue. Assure Giuliani 
> that he could run for president if he does the job. As New York found, he can 
> do nothing good about anything

Re: P2P Darknets to eclipse bandwidth management?

2005-09-02 Thread Stephen J. Wilcox

On Thu, 1 Sep 2005, Fergie (Paul Ferguson) wrote:

> Interesting article, and something I think that will certainly become an
> issue for ISPs. Is this a real issue ISPs are thinking about?

It's a concern..

> Encrypted P2P networks will soon make bandwidth management based on deep
> packet inspection obsolete, says Staselog, a Finnish appliance outfit.

obsolete is one of those words folks like to use to make an impact, then later 
fall on their face.. like the internet will implode and all that.

packet inspection will just evolve, that's the nature of this problem.. there are 
things you can find out from encrypted flows - what the endpoints and ports are, 
who the CA is. then you can look at the characteristics of the data.

> Around 80 per cent of all traffic in the Internet is already P2P. This traffic
> will increase 1,000-fold in the next five years and most of it will be
> encrypted P2P, according to a study by Staselog and researchers at Finnish
> Universities.

maybe, 5 year predictions are at best voodoo, who knows what next years killer 
app will be, or the year after, or the year after

> Overlooking the point that this kind of smells like a pitch for Staselog, I'd
> be curious to hear of this is an issue on ISP bandwidth management radar... or
> already is...

i can tell you what 95% of my traffic is currently, the other 5% i don't care

Steve



Re: trying to move web site for New Orleans schools

2005-09-01 Thread Stephen J. Wilcox

get the school to contact netsol, they can authorize it without the sysadmin...

On Thu, 1 Sep 2005, Mark Boolootian wrote:

> 
> 
> Outside the NANOG charter, but given the current circumstances, this seemed 
> to be a reasonable forum for suggestions on solving this problem.  
> 
> ---
> 
> Subject: Web aid
> Date: Thu, 01 Sep 2005 09:05:22 -0500
> >From: Paul Tatarsky <[EMAIL PROTECTED]>
> 
> 
> This is something that until a few minutes ago I never even
> considered as part of this whole Hurricane fallout. 
> 
> I got a call from a high school friend who lived in New Orleans. 
> He's in Florida now. 
> 
> There is a emerging need to use the web to help scattered folks
> get status from schools, businesses, etc. Many many servers are gone. 
> People are at relatives homes and are trying to use the Internet
> to get status. 
> 
> They want to swing DNS for their kids school to a new server but
> cannot contact their sysadmin who has the accounts at Network Solutions.
> Does anybody have an idea how to solve that? 
> 
> But, I'm starting to setup a template BSD machine to provide basic
> web vhosts and squirrel mail. We're going to start with his kids
> school. 
> 
> Here's all that is currently left electronically:
> 
> http://64.233.167.104/search?q=cache:009iQtpHviwJ:www.stuarthall.org/+&hl=en&lr=&strip=1
> 
> 
> Paul Tatarsky            [EMAIL PROTECTED]
> Sysadmin Consultant      (608) 441-7365
>  http://www.tatarsky.com/
> 
> 



Re: Order of ASes in the BGP Path

2005-08-30 Thread Stephen J. Wilcox

On Tue, 30 Aug 2005, Abhishek Verma wrote:

> Since i smell some traces of sarcasm here.
> 
> On 8/30/05, Randy Bush <[EMAIL PROTECTED]> wrote: 
> > 
> > > I thank everyone who took time off their busy schedules and answered me 
> > on
> > > this. I now understand that people do look at the AS_PATH and the order 
> > of
> > > ASes is important for debugging, etc.
> > 
> > and thank you for reading the rfc
> 
>  Randy,
>  I respect your knowledge and wisdom and that of other people on this list
> here which is why i asked this question. Yes, i have gone through the RFC 1771
> thoroughly and trust me it does not mention any other use of this Path
> attribute, except for the path length/loop detection. People on this list have
> a *lot* of experience and it's these people who actually use this protocol.
>  To me these were the best people to tell me if they indeed use it for other
> purposes also.

from time to time people say 'but the rfc says...'. but there's a big place for 
precedent and common practice too.

Steve



Re: Order of ASes in the BGP Path

2005-08-29 Thread Stephen J. Wilcox

On Mon, 29 Aug 2005, Abhishek Verma wrote:

> 
> Hi,
> 
> Is the order of AS numbers (except for perhaps the first one which
> denotes the AS the route was originated from) in the AS_PATH in BGP
> important? In fact, does anybody even care for the first AS number
> that appears in the Path?
> 
> AFAIK, AS numbers in the BGP serves two purposes. It helps in loop
> detection and it helps us count the AS Path length.
> 
> If this is the case then the order should not really matter much.
> 
> My question is that whether the operators care if the order, for some
> reason changes?
> 
> Eg.
> 
> Legend: {} denotes the sequence, while [] denotes the set
> 
> Path {1 2} [3 4] {5} 
> 
> Would somebody mind if this was represented as {1 2 5} [3 4] ?

I'd mind, I value the predictability and ability to understand how a bgp path 
arrives into my network. Fiddling with this kind of thing is quite similar to 
spoofing in some ways, particularly that I can see fabricating the as-path 
could be used to confuse folks tracing announcements, perhaps I'm missing the 
positive use for this.

As no one has asked yet, allow me.. what are you trying to do?

Steve
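An added example (not code from the thread) that parses the AS_PATH notation used in the question and runs the RFC 4271 checks a receiver applies over both representations, so the effect of the reordering can be seen concretely; the local AS and peer AS numbers are constructed:

```python
"""Added example, not from the thread: a parser for the AS_PATH notation
used in the question ({} = AS_SEQUENCE, [] = AS_SET) and the checks a
BGP speaker runs over it per RFC 4271: path length, loop detection,
the first-AS check on an eBGP session, and origin AS. Rewriting
{1 2} [3 4] {5} as {1 2 5} [3 4] keeps the length and loop result but
changes the origin, which is why the reordering is not harmless.
All AS numbers are constructed."""
import re
from dataclasses import dataclass

AS_SEQUENCE, AS_SET = "AS_SEQUENCE", "AS_SET"
_SEGMENT = re.compile(r"([{\[])\s*([\d\s]*?)\s*([}\]])")


@dataclass(frozen=True)
class Segment:
    kind: str
    asns: tuple


def parse_as_path(text):
    """'{1 2} [3 4] {5}' -> [Segment(AS_SEQUENCE, (1, 2)), Segment(AS_SET, (3, 4)), ...]"""
    segments = []
    for open_br, body, close_br in _SEGMENT.findall(text):
        if (open_br, close_br) not in (("{", "}"), ("[", "]")):
            raise ValueError(f"mismatched brackets in {text!r}")
        kind = AS_SEQUENCE if open_br == "{" else AS_SET
        segments.append(Segment(kind, tuple(int(a) for a in body.split())))
    return segments


def path_length(segments):
    """RFC 4271 9.1.2.2: each AS in an AS_SEQUENCE counts 1; an AS_SET
    counts 1 however many ASes it holds."""
    return sum(len(s.asns) if s.kind == AS_SEQUENCE else 1 for s in segments)


def has_loop(segments, local_as):
    """Loop detection looks at every AS in the path, sets included."""
    return any(local_as in s.asns for s in segments)


def first_as(segments):
    """Leftmost AS. On an eBGP session RFC 4271 6.3 lets the receiver
    require this to equal the peer's ASN, so the first AS is checked."""
    if not segments or segments[0].kind != AS_SEQUENCE or not segments[0].asns:
        return None
    return segments[0].asns[0]


def origin_as(segments):
    """Rightmost AS when the path ends in an AS_SEQUENCE; None when it ends
    in an AS_SET (an aggregate with no single originating AS)."""
    if not segments:
        return None
    last = segments[-1]
    if last.kind == AS_SEQUENCE and last.asns:
        return last.asns[-1]
    return None


def summarize(text, local_as, peer_as):
    """The receiver-side view of one AS_PATH string."""
    segs = parse_as_path(text)
    return {
        "length": path_length(segs),
        "loop": has_loop(segs, local_as),
        "first_as_ok": first_as(segs) == peer_as,
        "origin": origin_as(segs),
    }


ORIGINAL = "{1 2} [3 4] {5}"
REORDERED = "{1 2 5} [3 4]"

if __name__ == "__main__":
    # Constructed: we are AS 65000 and the session is with AS 1.
    for path in (ORIGINAL, REORDERED):
        print(path, summarize(path, local_as=65000, peer_as=1))
```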



Re: speaking of lynn...

2005-08-13 Thread Stephen J. Wilcox

On Sat, 13 Aug 2005, Gadi Evron wrote:

> Cisco flaw presentation spreads across the Web
> 
> FBI Investigation...
> 
> New copies of Michael Lynn's presentation on the Cisco router operating
> system flaw are springing up faster than the lawyers can take them down
> 
> Cisco's lawyers are sending out cease-and-desist notices to Web sites that
> have published a controversial presentation by ex-Internet Security Systems
> (ISS) employee Michael Lynn that exposes the potential dangers of a flaw in
> the network giant's router operating system.The presentation, which was due to
> be given by Lynn at the Defcon conference in Las Vegas last week, was
> cancelled after legal threats from Cisco and ISS. The parties resolved the
> matter on Thursday last week.

i guess they're still reacting to old information. this one is well and truly in 
the public domain, heck.. if you google you can find foreign language 
translations of it 

i've not seen any discussion on the application of the information.. is there 
any working exploit code yet?

Steve



Re: Cisco crapaganda

2005-08-12 Thread Stephen J. Wilcox

Hi Rich,

> A. If open publication of the full source code of XYZ would render it
> insecure, then XYZ is _already_ insecure.

i like that way of looking at it..
 
> B. In analyzing any attack, it's prudent to presume that the attackers have
> the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

> It's time to level the playing field.  It's time for all the vendors to
> publish ALL the source code so that we at least have the same information as
> our adversaries.

that's going to be a leap too far, it's not an issue of security it's a question of 
property and value 

> [1] Either because it leaked (discarded computer equipment, backup tapes,

source code is much more widely distributed than people might think, it's possible to 
be a contractor (individual or company) or for example in MS's case a partner 
and get source code supplied under NDA

> what's the dollar value on the open market of, oh, let's say, the full source
> code to one of Cisco's popular routers? Maybe $100K?  $250K?  Maybe more,
> considering what it might facilitate?

naww. $0. pre IOS-12 versions are in circulation already, 12.something was 
partially leaked a year or two ago, and i'm sure other bits can be picked up.

who would be willing to pay? not companies, that's illegal. blackhats? maybe, but 
they can just grab the circulating bootlegs

> Whatever that number is, that's the amount that prospective attackers may be
> presumed to be willing to spend to get it.  And whether they spend it on R&D,
> or paying someone who's already done the R&D, or just cutting to the chase and
> paying off someone with access to it, doesn't really matter: if they're
> willing to spend to the money, they _will_ get it.

wonder why they don't already have it, maybe they do...

Steve



Re: Fiber cut in SJ

2005-08-08 Thread Stephen J. Wilcox

Maybe a market difference.. most maps I've obtained in the UK have been under 
NDA with established relationships already. Although I suspect they're more 
concerned at showing me whose duct and fiber they're actually on..

Steve

On Sun, 7 Aug 2005, Joe McGuckin wrote:

> 
> Stephen,
> 
> The point I'm trying to make is that over classifying everything as 'secret'
> or 'confidential' at this late date is useless. The horse is already out of
> the barn. 
> 
> You can omit the site of a fiber backhoe accident from an email and say it's
> due to security concerns, but I can call any telecom vendor who sells SONET
> or metro ethernet services and get them to fax me a map of their network. At
> the very minimum all I have to do is keep an eye out for USA markings on the
> street. Or I could call USA and the next day people with paint cans would be
> marking up the street, showing me exactly where to dig.
> 
> If someone wants to cause trouble, the information they need is freely
> available. The so-called security provisions most telecom companies use are
> just enough to deter curious teen-agers.
> 
> On 8/7/05 8:15 AM, "Stephen J. Wilcox" <[EMAIL PROTECTED]> wrote:
> 
> > 
> > 
> > On Sat, 6 Aug 2005, Joe McGuckin wrote:
> > 
> >> 
> >> On 8/5/05 8:12 PM, "George William Herbert" <[EMAIL PROTECTED]> wrote:
> >> 
> >>> First, an electrical contractor backhoed a large fiber
> >>> link in downtown San Jose (address deleted due to security
> >>> concerns) this morning, causing moderate damage.
> >> 
> >> That's just plain silly. As if we (or even your imagined 'terrorist') don't
> >> know where the fiber runs around here.
> > 
> > well.. there's lots of ducting going down streets but not that many folks know
> > which of them are the major cable routes, i think keeping specific detail
> > discreet is reasonable
> > 
> > in a fire near where i am a couple years ago:
> > http://www.theregister.co.uk/2002/10/23/arson_suspected_in_manchester_cable/
> > 
> > it seemed a bit of a coincidence that both the active and protect paths of a
> > major sdh route got hit in this attack and it took out a lot of long 
> > distance
> > circuits
> > 
> > Steve
> > 
> 
> 



Re: Fiber cut in SJ

2005-08-07 Thread Stephen J. Wilcox


On Sat, 6 Aug 2005, Joe McGuckin wrote:

> 
> On 8/5/05 8:12 PM, "George William Herbert" <[EMAIL PROTECTED]> wrote:
> 
> > First, an electrical contractor backhoed a large fiber
> > link in downtown San Jose (address deleted due to security
> > concerns) this morning, causing moderate damage.
> 
> That's just plain silly. As if we (or even your imagined 'terrorist') don't
> know where the fiber runs around here.

well.. there's lots of ducting going down streets but not that many folks know 
which of them are the major cable routes, i think keeping specific detail 
discreet is reasonable

in a fire near where i am a couple years ago:
http://www.theregister.co.uk/2002/10/23/arson_suspected_in_manchester_cable/

it seemed a bit of a coincidence that both the active and protect paths of a 
major sdh route got hit in this attack and it took out a lot of long distance 
circuits

Steve



Re: RFC for Mask/Gateway

2005-08-05 Thread Stephen J. Wilcox

On Fri, 5 Aug 2005, Jay R. Ashworth wrote:

> 
> On Fri, Aug 05, 2005 at 03:09:53PM -0400, [EMAIL PROTECTED] wrote:
> > On Fri, 05 Aug 2005 13:55:58 CDT, Scott Altman said:
> > > Is there an RFC or other standard that specifies that IPv4 connected
> > > devices must support the concepts of Subnet Mask and Default Gateway?
> > 
> > No, because there's plenty of applications (embedded systems, for example),
> > where you have no need or desire to be able to talk to things off-local-net.
> 
> Which doesn't really excuse you from subnet mask, I wouldn't think.
> 
> You clearly don't need a default gateway if you're not going to reply
> to off-net packets, but how would you identify broadcast packets if you
> didn't know the netmask?

all bits set in the dst mac is one way.. not sure how you send them though if you 
don't know the dstIP to put into the packet

Steve

> > > I have a kludgy (<- technical term) vendor that has developed a custom
> > > AP that only has an IP address.
> > 
> > Be afraid. Be very afraid.  Any vendor in *this* year who makes gear that
> > is supposed to connect edge devices to the rest of the net but doesn't
> > get the ideas of subnet masks and default gateways should be feared.
> 
> Indeed, run far, far away.
> 
> And yes, Scott: RFC 791.  It's not just a good idea...
> 
> Cheers,
> -- jra
> 
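As an added illustration of the mask/gateway point in the thread above (example code written for this archive page, not from any poster or from the vendor being discussed): a host model that knows only its own address can recognise the limited broadcast (255.255.255.255, or on receive an all-ones destination MAC), but it cannot tell a directed subnet broadcast from a unicast neighbour, nor an on-link destination from one that needs the default gateway. Without a mask its only option when sending is to ARP for every destination, which is exactly what proxy-ARP was silently covering for. All addresses below are constructed documentation examples.

```python
import ipaddress
from typing import Optional

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def classify_destination(host_ip: str, dst_ip: str,
                         netmask: Optional[str] = None,
                         dst_mac: Optional[str] = None) -> str:
    """Decide how a host must treat a packet for dst_ip.

    Returns one of:
      'local'              the host's own address
      'broadcast'          recognisable with no mask at all: the all-ones IPv4
                           address, or (on receive) the all-ones link-layer address
      'directed-broadcast' the subnet broadcast address; the mask is needed to spot it
      'on-link'            same subnet, ARP for it directly
      'off-link'           different subnet, must go via a default gateway
      'unknown'            no mask configured, so the last three cannot be told apart
    """
    host = ipaddress.IPv4Address(host_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    if dst == host:
        return "local"
    if dst == LIMITED_BROADCAST or (dst_mac or "").lower() == BROADCAST_MAC:
        return "broadcast"
    if netmask is None:
        return "unknown"
    net = ipaddress.IPv4Network(f"{host}/{netmask}", strict=False)
    if dst == net.broadcast_address:
        return "directed-broadcast"
    if dst in net:
        return "on-link"
    return "off-link"


def arp_target(host_ip: str, dst_ip: str,
               netmask: Optional[str] = None,
               gateway: Optional[str] = None) -> str:
    """Which address a sending host resolves with ARP for a unicast destination.

    With no mask the host can only ARP for the destination itself. That works
    while an upstream router answers proxy-ARP on its behalf and breaks the day
    proxy-ARP is switched off, which is the failure described in the thread.
    """
    kind = classify_destination(host_ip, dst_ip, netmask)
    if kind in ("on-link", "unknown"):
        return dst_ip
    if kind == "off-link":
        if gateway is None:
            raise ValueError("off-link destination but no default gateway configured")
        return gateway
    raise ValueError(f"no unicast next hop for a {kind} destination")


if __name__ == "__main__":
    # Constructed example: host 192.0.2.10/24 with gateway 192.0.2.1
    for dst in ("192.0.2.20", "198.51.100.7", "192.0.2.255", "255.255.255.255"):
        with_mask = classify_destination("192.0.2.10", dst, "255.255.255.0")
        no_mask = classify_destination("192.0.2.10", dst)
        print(f"{dst:16} with mask: {with_mask:18} without mask: {no_mask}")
```

Run it and compare the two columns: the only destination the mask-less host classifies correctly is the all-ones one; everything else comes back as "unknown", and arp_target() for it degenerates to ARPing for the far end.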



Re: RFC for Mask/Gateway

2005-08-05 Thread Stephen J. Wilcox

On Fri, 5 Aug 2005, Scott Altman wrote:

> 
> Apologies upfront for my not being able to successfully google this on my 
> own...
> 
> Is there an RFC or other standard that specifies that IPv4 connected
> devices must support the concepts of Subnet Mask and Default Gateway?
> 
> I have a kludgy (<- technical term) vendor that has developed a custom
> AP that only has an IP address.  Whilst cleaning up our network and
> turning off proxy-arp, lo and behold, it isn't really all that
> functional anymore.

like IP: http://www.faqs.org/rfcs/rfc791.html

hth

Steve



Re: /8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

On Thu, 4 Aug 2005, Daniel Roesen wrote:

> So you ask folks to resort to hacks like NAT or force IPv6-only to their users
> when there is still a lack-of-content problem there? Can you show me your
> business plan draft for that? I'm curious. :-)

ok, that's not what i mean.. i am saying /8,/9 etc are not normal

> > If everyone in this category who could justify a /8 applied and
> > received them we might be in real trouble with our IPv4 space.
> 
> We are already, but you seem to have your head firmly sticking in the
> sand, together with the content providers. :-)

i thought we had years to go according to some decent sources?

> It looks like IPv4 space really needs to "run out" before the residential
> access ISPs are really being forced to IPv6 and thus the content providers
> wake up too.
> 
> BTW, Softbank got 2400:2000::/20.
> 
> > I had said elsewhere this was unprecedented but was then pointed at
> > 73.0.0.0/9, 73.128.0.0/10 which is Comcast assigned in April. I'm surprised
> > none of these assignemtns have shown up on mailing lists..
> 
> Why should they? Business as usual. :-)
> 
> I hope that more ISPs stop doing NAT/RFC1918 and just request whatever they
> need.

how long does it take such an org to use 16 million IPs? based on the above 
comment of '..need to run out' should they not maybe get 1 million then come back 
when they use it all to give some other folks a chance?

i'm not suggesting denying anyone the IPs they require but i am suggesting we 
shouldn't steam ahead into exhaustion either

Steve



Re: /8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

Hi David,
 I realise that but:

1. Softbank BB is not on my radar of likely /8 candidates (of course, geography 
may be the reason for that)

2. We know cable companies, dsl providers and mobile companies can use this many 
IPs, but they generally seem to make use of NAT and IPv6. If everyone in this 
category who could justify a /8 applied and received them we might be in real 
trouble with our IPv4 space.

I had said elsewhere this was unprecedented but was then pointed at 73.0.0.0/9, 
73.128.0.0/10 which is Comcast assigned in April. I'm surprised none of these 
assignments have shown up on mailing lists..

Steve

On Thu, 4 Aug 2005, David Conrad wrote:

> Stephen,
> 
> If you can justify a /8, ARIN will allocate one to you (not that I  
> speak for ARIN or anything, but that's how things work).  Presumably  
> Softbank BB justified the /8 APNIC allocated to them.
> 
> Rgds,
> -drc
> 
> On Aug 4, 2005, at 11:07 AM, Stephen J. Wilcox wrote:
> 
> >
> > Ok, back up a second
> >
> > 126/8   Jan 05   APNIC   (whois.apnic.net)
> >
> > inetnum:  126.0.0.0 - 126.255.255.255
> > netname:  BBTEC
> > descr:Japan Nation-wide Network of Softbank BB Corp.
> > status:   ALLOCATED PORTABLE
> > changed:  [EMAIL PROTECTED] 20050208
> >
> >
> > i thought the decade of giving class A's to large corporates had long since
> > passed.. we've got some major network rollout coming up, i need an extra 16
> > million IPs, so can i get one?
> >
> > wtf?
> >
> > Steve
> >
> 
> 



/8 end user assignment?

2005-08-04 Thread Stephen J. Wilcox

Ok, back up a second

126/8   Jan 05   APNIC   (whois.apnic.net)

inetnum:  126.0.0.0 - 126.255.255.255
netname:  BBTEC
descr:Japan Nation-wide Network of Softbank BB Corp.
status:   ALLOCATED PORTABLE
changed:  [EMAIL PROTECTED] 20050208


i thought the decade of giving class A's to large corporates had long since 
passed.. we've got some major network rollout coming up, i need an extra 16 
million IPs, so can i get one?

wtf?

Steve



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-03 Thread Stephen J. Wilcox

On Wed, 3 Aug 2005, Bill Woodcock wrote:

> > note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> > 16M flash.
> 
> If you feel like keeping 2500s in service, rather than replacing them with
> something that holds NM-32As, the flash problem is easily resolved for less
> than US$50:
> 
> http://www.memorydealers.com/8mbcisthirpa.html

to be fair... 2500s are quite useful for things other than what their original 
purpose intended, but that usefulness diminishes with memory upgrades that are 
comparable in price to the value of the router

having said that, as they are often not used as public routers, a suitably
placed acl/fw can keep them out of harm's way and still run the old code

Steve



Re: Tiscali switches to Public-Root?? What do you think?

2005-08-02 Thread Stephen J. Wilcox


On Mon, 1 Aug 2005, Stephen J. Wilcox wrote:

> 
> On Mon, 1 Aug 2005, Bjørn Mork wrote:
> 
> > The poor guy/gal at the other end of the line will need a really good
> > answer.  Does anyone here have one?
> 
> to avoid being technical i guess the only answer would be to say this is a 
> private service offered to tiscali users and is not available to any non tiscali 
> users (you might want to point out this is 99.9% of the world in case $cust 
> feels like switching)
> 
> > Not to mention the answers we need for the market droids...
> > 
> > "Hey, I heard that Tiscali is offering more Internet than us at no
> > extra cost, and they make a lot of money on it too.  How soon can we
> > start doing the same?"
> 
> tell them you've been able to do it all along, it's your network and you can 
> provide any unique content that you like, providing they understand this is 
> unique for your custs only .. think intranet
> 
> > This puts a lot of pressure on other European ISPs, and eventually also 
> > North
> > American ISPs (to make this on-topic :-) I hope the rest of us can stand
> > together against it.  A good start would be to come up with a common 
> > response
> > to the two pressure groups outlined above.
> 
> a better worded explanation on a webpage would be good i guess...
> 
> anyway, i'm off to the UNIDT website, i hear '.tiscali' hasn't been registered 
> yet ;p

replying to myself. bad :)

had this pointed out.. these are "official" according to inaic
http://inaic.com/index.php?p=faq006

and resolving "all known tlds" seems a bit of a stretch, i think they've missed 
my '.foobar' tld on my local nameservers..

http://inaic.com/index.php?p=faq014


also for added humour, from the press release
http://inaic.com/index.php?p=tiscali-introduces

following the link: http://home.tiscali/

doesn't seem to work for me, hmm.. not great to have a broken link in a public 
press release ;)

Steve



Re: Tiscali switches to Public-Root?? What do you think?

2005-08-01 Thread Stephen J. Wilcox

On Mon, 1 Aug 2005, Bjørn Mork wrote:

> The poor guy/gal at the other end of the line will need a really good
> answer.  Does anyone here have one?

to avoid being technical i guess the only answer would be to say this is a 
private service offered to tiscali users and is not available to any non tiscali 
users (you might want to point out this is 99.9% of the world in case $cust 
feels like switching)

> Not to mention the answers we need for the market droids...
> 
> "Hey, I heard that Tiscali is offering more Internet than us at no
> extra cost, and they make a lot of money on it too.  How soon can we
> start doing the same?"

tell them you've been able to do it all along, it's your network and you can 
provide any unique content that you like, providing they understand this is 
unique for your custs only .. think intranet

> This puts a lot of pressure on other European ISPs, and eventually also North
> American ISPs (to make this on-topic :-) I hope the rest of us can stand
> together against it.  A good start would be to come up with a common response
> to the two pressure groups outlined above.

a better worded explanation on a webpage would be good i guess...

anyway, i'm off to the UNIDT website, i hear '.tiscali' hasn't been registered 
yet ;p

Steve



Re: as numbers

2005-08-01 Thread Stephen J. Wilcox

On Sun, 31 Jul 2005, Geoff Huston wrote:

> So - to NANOG at large - if you want your vendor to include 4-Byte AS support
> in their BGP code anytime soon, in order to avoid some last minute panic in a
> couple of years hence, then it would appear that you should talk to them now
> and say clearly that you want 4-Byte AS support in your BGP software right
> now.

Geoff, excellent idea..

before I forward this email to my suppliers though, is there a reference I can
send.. excuse my ignorance but I'm not familiar with research done on 4-byte
ASNs, is there a proposed standard implementation?

If I have something definite to request I will immediately send those emails,

Steve



Re: Cisco cover up

2005-07-28 Thread Stephen J. Wilcox

On Wed, 27 Jul 2005, James Baldwin wrote:

> Cisco had initially approved this talk. My understanding is that this has been
> fixed and no current IOS images were vulnerable to the techniques he was
> describing. ISS, Lynn, and Cisco had been working together for months on this
> issue before the talk.

Just because they fixed the bugs doesn't mean there aren't a large number of 
publicly accessible routers out there still running affected versions..

I suspect there was something slightly more than just giving information about
the vulnerabilities.. the inference is that they demonstrated executing
arbitrary code from buffer overflows.. perhaps for example they developed ways
of opening up a privileged vty which I don't think has been shown before

Steve



Re: OMB: IPv6 by June 2008

2005-07-09 Thread Stephen J. Wilcox

On Sat, 9 Jul 2005, [EMAIL PROTECTED] wrote:

> On Sat, 09 Jul 2005 18:14:48 BST, "Stephen J. Wilcox" said:
> > forget the talk of juniper t320s in the core.. you are talking about the
> > problem caused by multihoming and multihoming prefixes are not originated
> > typically by such large and expensive routers but by small cheap systems at
> > the edge.
> 
> Yes, but how well does that multihoming work if the Junipers in the core
> can't/ won't carry your announcement? Currently, multihoming only works
> because it's cost-shifting - the pain of carrying the announcement is felt by
> the carriers, not the originators.

sorry, my point was perhaps unclear.. it was suggested that the increasing
requirements to operate routers would be a natural prevention to multihoming.. i
am saying that it is not the multihomers at the edge feeling that pain it is
those already in the core

Steve



Re: The whole alternate-root ${STATE}horse

2005-07-09 Thread Stephen J. Wilcox

I didn't realise it was that time of year again already, it feels like only a 
couple months since the last annual alternate root debate.

Still its nice to see all the old kooks still alive and well and not yet locked 
up in mental homes. I'd better do my part to feed the trolls i guess...

On Sat, 9 Jul 2005, John Palmer (NANOG Acct) wrote:

> Please prove that Inclusive Namespace roots put name resolution at risk.

No proof is needed, this is not maths. If there are two roots then a query to 
each server has the potential to return a different reply. The chance of this 
happening increases over time plus if an alternate root were to become popular 
their power to challenge authority if a clash were found grows.

> > Client side users, conversely, expect that published addresses by businesses
> > or individuals go to the intended party.

This is the key point, clients and domain owners need this consistency. Read 
this a few times and consider how you'd feel if $large_provider decided to point 
your domain name or their competitors' domains to their website .. it's the same 
problem.

> > Introducing fragmented TLDs or the opportunity to supplant the common TLDs
> > places the DNS infrastructure at risk.  This is not just FUD -- DNS
> > hijacking in alternate roots has already happened.  (But if you had actually
> > read RFC2826, you would already understand this.)
> 
> Please post a link or give an example. If you mean .BIZ, I would agree, it was
> hijacked, but by ICANN, not by any Inclusive Roots. It belonged to
> AtlanticRoot and ICANN deliberately created a collision. Collisions cause
> instability and the biggest one was caused by ICANN.

Those who consider ICANN the authority would disagree, I believe those are the 
majority.

Steve



Re: OMB: IPv6 by June 2008

2005-07-09 Thread Stephen J. Wilcox

intel systems can do this.

forget the talk of juniper t320s in the core.. you are talking about the problem 
caused by multihoming and multihoming prefixes are not originated typically by 
such large and expensive routers but by small cheap systems at the edge.

Steve

On Sat, 9 Jul 2005, Alexei Roudnev wrote:

> 
> It's a chicken and egg problem. They do not have 4 Gb, because they do not need
> it _now_. Technically it is not a problem even today.
> Small RAID systems have 1 Gb RAM easily.
> 
> Line cards do not need so much memory - they can always cache routing
> tables. Just again - it is not a _technical_ problem.
> IPv6 addressed a problem which does not exist in reality.
> 
> 
> - Original Message - 
> From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
> To: "Alexei Roudnev" <[EMAIL PROTECTED]>
> Cc: "NANOG" ; "Brad Knowles" <[EMAIL PROTECTED]>
> Sent: Friday, July 08, 2005 11:12 PM
> Subject: Re: OMB: IPv6 by June 2008
> 
> 
> >
> >
> > randy already asked for a kibosh on the lunacy here... I agree, it'd be
> > nice, but...
> >
> > On Fri, 8 Jul 2005, Alexei Roudnev wrote:
> >
> > >
> > > You do not need to - any router has only 1 - 10% of all routing table
> > > active, and it is always possible to optimize these algorithms.
> > >
> >
> > and routing vendors haven't already done some optimizing you think?
> >
> > > On the other hand - what's wrong with 4Gb on line card in big core router?
> >
> > oh, please please name the router vendor that has 4gb of 'ram'
> > (tcam/fpga/asic-'memory') on the 'linecard'. Oh, can't come up with one?
> > One wonders why that is? If the solution were as simple as: "Joe, add
> > 1.21jigawatts of memory to the linecard so we can support +1M routes"
> > Don't you think the vendor would have done this to get people to stop
> > bitching at them?
> >
> > > It's cheap enough, even today. And we have not 1,000,000 routes yet.
> > >
> >
> > In YOUR network you don't... I'd venture to guess there are quite a few
> > very large networks with +1M routes in them today.
> >
> > remember though, I'm the chemical engineer... and I was trained to MAKE
> > the crack cocaine...
> 
> 



Re: what will all you who work for private isp's be doing in a few years?

2005-05-11 Thread Stephen J. Wilcox

On Wed, 11 May 2005, Matt Bazan wrote:

> why in the world would anyone want to purchase dsl from a private reseller
> when i can get 4mb down 384 up from comcast for $25?  think you dsl resellers
> out there are doomed.  in fact, just a matter of time before most of you isps
> are down the toilet.  im reminded of the mom and pop grocery store phenomenon
> that has now been replaced by the kohls, a&p, whole foods etc.  of course
> there will always be niche markets but this is less applicable for a pure
> commodity like bandwidth.  yeah, i suppose you'll say something about value
> added services and such and you may have a point but i doubt that will keep
> the ship afloat for long.

Matt,
 first what's your affiliation and experience in this arena? That these markets 
exist and more profitably so than the large carriers suggests the problems you 
are raising don't exist.

What is your theory based on? You only cite your personal preference to buy from 
Comcast which cannot be said to be indicative of the market. Grocery stores are 
not comparable, this is a different industry and different market. Also 
bandwidth is not a pure commodity, and DSL is not pure bandwidth.

I think your argument is at best uninformed, at worst non-existent.. you need to 
provide some references, examples, figures, whatever.. else this is little more 
than trolling.

Steve




Re: PAIX Outages

2005-04-29 Thread Stephen J. Wilcox

On Fri, 29 Apr 2005, Alexander Koch wrote:

> On Fri, 29 April 2005 13:04:05 +0100, Neil J. McRae wrote:
> > > and we happily overloaded our peers' interfaces at the respective other
> > > IX...
> > 
> > That sounds more like a planning issue than anything else. If you have
> > traffic going through a pipe, then you need to make sure you have somewhere
> > else to send it. If you are managing your peers properly, private or public,
> > there should be no issue.
> 
> With public peering you simply never know how much spare capacity your peer
> has free. And would you expect your peer with 400 Mbit/s total to have 400
> reserved on his AMSIX port for you when you see 300 at LINX and LINX goes
> down?

what makes this a public peering issue.. i see a couple folks already made the 
point i wanted to do but just because you have capacity to a peer (on a public 
interface or a dedicated PI) doesn't mean they aren't aggregating at their side 
and/or have enough capacity to carry the traffic where it needs to go

this is also about scale, i would hope you aren't peering 400Mb flows across a 
1Gb port at an IX, this would imho not be good practice.. if your example were 
40Mb then it would be different or perhaps 400mb on a 10Gb port.

you might even argue there is more incentive to ensure public ix ports have 
capacity as congestion will affect multiple peers

Steve



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Stephen J. Wilcox

On Tue, 26 Apr 2005, Jerry Pasker wrote:

> >I've been there -- I know how I feel about it -- but I'd love to know how ISP
> >operations folk feel about this.
> 
> It means 10 different things to 10 different people.  The article was 

yep, and the danger is you agree with the article and some politicians or
journalists think you are advocating a full police service which would be bad.

i do think we have an obligation to try to keep the net clean to a certain 
degree, think anti-ddos wg's etc but providing full security for all users is 
unrealistic. there seems to be some moves to offering partial security and this 
is probably a good thing eg blocking common ms ports will likely be effective.

Steve



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-25 Thread Stephen J. Wilcox

On Sun, 24 Apr 2005, Steve Gibbard wrote:

> 
> On Sun, 24 Apr 2005, Robert M. Enger wrote:
> 
> > Steinar:
> >
> > There is a large body of work from competent and well known researchers 
> > that assert the claim.  I certainly lack standing to question their 
> > results.
> >
> > Empirically, download speeds to home are nearly cut in half (18Mbps) 
> > from sources that are subjected to packet reordering along the path.
> 
> I'm trying to sort out the various claims here, since I think right now 
> this is a case of people talking past each other, and arguing completely 
> different points.
> 
> First of all, let's ditch the term "PPLB."  The usual alternative to per 
> packet load balancing (what's been being talked about here) is per prefix 
> load balancing, which would also be "PPLB."  The abbreviation is therefore 
> more confusing than anything else.
> 
> Now, onto the argument that's going on here.
> 
> Dean says "per packet load balancing is coming," and then goes on to 
> assume it's going to be used in such a way that it will cause packets to 
> route through widely divergent paths.
> 
> Several others have responded that that would cause packet reordering and 
> break TCP.
> 
> Robert says that even used correctly (on identical circuits between the 
> same set of routers), per packet load balancing can cause packet 
> reordering.
> 
> Steiner says that when used correctly, per packet load balancing causes 
> packet reordering only rarely, and speeds things up enough when it doesn't 
> that the slowdowns caused by occasional packet reordering may be worth 
> putting up with.
> 
> Robert says well known researchers say that packet reordering is bad.
> 
> So, as far as I can tell, everybody except perhaps Dean agrees that:
> 
> - Used incorrectly (on divergent paths), per packet load balancing can
>cause packet reordering.
> 
> - Used correctly (on non-diverging paths), packet reordering doesn't
>happen often.
> 
> - Packet reordering is bad, and should be avoided.
> 
> I'm less clear on Dean's position, but I think it's something along the 
> lines of:
> 
> "Per packet load balancing over divergent paths is coming, by fiat from 
> marketing departments even if engineers don't like it, and anything that 
> doesn't play well with it needs fixing."  While Dean focuses on anycast, 
> that would presumably extend to TCP and to anything jitter sensitive, such 
> as streaming audio or video.
> 
> Anything that's being missed here, or does this sum it all up?

I think thats a fair summary.

So agreeing for a second with Dean that indeed this behaviour would appear to be 
prohibited or at least inconsistent with the RFCs, the fact is anycast is widely 
deployed and is proven to be stable.

Perhaps a solution to this is to look at what would be the best consistent view 
and to write an RFC to clarify this and obsolete the old ones that produce the 
inconsistency. I'm not sure what that would look like but that would appear to 
be a way to eliminate the theoretical problem..

Steve



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-23 Thread Stephen J. Wilcox

On Fri, 22 Apr 2005, Dean Anderson wrote:

> On Thu, 21 Apr 2005, Stephen J. Wilcox wrote:
> 
> > On Wed, 20 Apr 2005, Dean Anderson wrote:
> > 
> > > On Wed, 20 Apr 2005 [EMAIL PROTECTED] wrote:
> > > 
> > > > > I'd rather expect this sort of behavior with anycasted servers... 
> > > > 
> > > > Where do you see any connection between anycast and ignoring DNS TTL? 
> > > > Or is
> > > > this just part of your usual rant against anycast DNS service?
> > > 
> > > The data he showed isn't necessarily "ignoring ttl".  If there are multiple
> > > anycasted caching servers behind a specific IP address, then those several
> > > caches will each have a different state.  Since, [as I
> > 
> > I fail to see the correlation still.. anycasted caches should all be operating 
> > independently getting their DNS data from authoritative sources. 
> > 
> > If at any point one of them uses a TTL that it has not received from the 
> > authoritative source it is ignoring the ttl, where does anycast get involved 
> > with this particular problem?
> 
> The queries produce different data, but none of the data is inconsistent 
> if there are different caches responding on the same address. Here is the 
> original description: (slightly reformatted with roman numerals)
> 
>   (I) I ran a query for a name in a zone I control that has a five minute 
> TTL on 204.127.198.4. The first query came up with 5 minutes. 
>   (II) I quickly made  a change to the zone. 
>   (III) Thirty seconds after the initial query, I try 
> again...err... and come up with the change. Hmm... Not caching at all? 
>   (IV) Another 30 seconds and I get the change, with 5m TTL. 
>   (V) Thirty seconds later, I get the original response with appropriately 
> decremented TTL. 
>   (VI) Another thirty seconds, I get the change, with 4m TTL.
> 
> Here is the detailed anycast explanation:
>   (I) Cache 1 gets answer to query X? = Y
>   (II) Authority changes X? to Z
>   (III) Cache 2 gets answer to query X? = Z
>   (IV) Cache 3 gets answer to query X? = Z
>   (V) Cache 1 responds 
>   (VI) Cache 3 responds
> 
> No TTLs were ignored.

Ok gotcha, and your point seems valid except aiui the previous post was 
concerning providers who are actually overriding the TTL eg your zone has a 5m 
ttl, the provider caches it but sets TTL to 10 days.

i think this thread forked quite early :)

Steve
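As an added model of the two things being conflated in this thread (example code written for this archive page, not from any poster): three independent, TTL-honouring caches behind one anycast address, reached in the order Dean listed, reproduce his six observations exactly and never ignore a TTL; a single resolver that rewrites the zone's five-minute TTL to ten days is the separate misbehaviour Steve describes, and a client can tell the two apart because an overridden TTL exceeds anything the zone ever published. The timings, cache labels and zone name are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

ZONE_TTL = 300                    # the five-minute TTL used in the thread
NAME = "test.example."            # constructed zone name
TEN_DAYS = 10 * 86400


@dataclass
class Authority:
    """Authoritative server for one zone: name -> (rdata, ttl)."""
    records: dict

    def lookup(self, name: str) -> tuple:
        return self.records[name]

    def change(self, name: str, rdata: str) -> None:
        _, ttl = self.records[name]
        self.records[name] = (rdata, ttl)


@dataclass
class Cache:
    """One recursive cache. override_ttl=None means it honours the authority's TTL."""
    label: str
    authority: Authority
    override_ttl: Optional[int] = None
    store: dict = field(default_factory=dict)   # name -> (rdata, absolute expiry)

    def query(self, name: str, now: int) -> tuple:
        entry = self.store.get(name)
        if entry is None or entry[1] <= now:
            rdata, ttl = self.authority.lookup(name)
            if self.override_ttl is not None:
                ttl = self.override_ttl            # the misbehaviour complained about
            entry = (rdata, now + ttl)
            self.store[name] = entry
        rdata, expires = entry
        return rdata, expires - now                # remaining TTL as the client sees it


def run_anycast_scenario() -> list:
    """Dean's steps (I)-(VI): three honest caches share one anycast address; which
    one a client reaches is decided by routing, modelled here as a fixed sequence."""
    auth = Authority({NAME: ("Y", ZONE_TTL)})
    c1, c2, c3 = (Cache(label, auth) for label in ("cache1", "cache2", "cache3"))

    def observe(t, cache):
        rdata, ttl = cache.query(NAME, t)
        return (t, cache.label, rdata, ttl)

    obs = [observe(0, c1)]          # (I)   cache1 fills with Y, 5m TTL
    auth.change(NAME, "Z")          # (II)  zone edited right after the first query
    obs.append(observe(30, c2))     # (III) cache2 is empty, fetches Z: looks like 'no caching'
    obs.append(observe(60, c3))     # (IV)  cache3 likewise, full 5m TTL on Z
    obs.append(observe(90, c1))     # (V)   cache1 again: old Y, TTL decremented to 3m30s
    obs.append(observe(120, c3))    # (VI)  cache3 again: Z with 4m left
    return obs


def run_override_scenario() -> list:
    """One cache that rewrites every TTL to ten days: stale data long after the
    authority changed, and a TTL the zone never published."""
    auth = Authority({NAME: ("Y", ZONE_TTL)})
    bad = Cache("override", auth, override_ttl=TEN_DAYS)
    obs = [(0, bad.label) + bad.query(NAME, 0)]
    auth.change(NAME, "Z")
    obs.append((30, bad.label) + bad.query(NAME, 30))
    return obs


def ttl_violations(observations: list, zone_ttl: int = ZONE_TTL) -> list:
    """Client-side check: a remaining TTL larger than the zone's own TTL can only
    come from a resolver that overrode it. Independent anycast caches never do this."""
    return [o for o in observations if o[3] > zone_ttl]


if __name__ == "__main__":
    for t, label, rdata, ttl in run_anycast_scenario():
        print(f"t={t:>3}s {label}: {rdata} ttl={ttl}")
    print("anycast violations:", ttl_violations(run_anycast_scenario()))
    print("override violations:", ttl_violations(run_override_scenario()))
```

The check in ttl_violations() is the one worth running against a real provider resolver: query a name whose authoritative TTL you control and compare the TTL in the answer against it. Divergent answers with TTLs at or below the zone's value are consistent with several caches behind one address; a TTL above it is not.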



Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-20 Thread Stephen J. Wilcox

On Wed, 20 Apr 2005, Dean Anderson wrote:

> On Wed, 20 Apr 2005 [EMAIL PROTECTED] wrote:
> 
> > > I'd rather expect this sort of behavior with anycasted servers... 
> > 
> > Where do you see any connection between anycast and ignoring DNS TTL? Or is
> > this just part of your usual rant against anycast DNS service?
> 
> The data he showed isn't necessarily "ignoring ttl".  If there are multiple
> anycasted caching servers behind a specific IP address, then those several
> caches will each have a different state.  Since, [as I

I fail to see the correlation still.. anycasted caches should all be operating 
independently getting their DNS data from authoritative sources. 

If at any point one of them uses a TTL that it has not received from the 
authoritative source it is ignoring the ttl, where does anycast get involved 
with this particular problem?

thanks
Steve



RE: OpenTransit (france telecom) depeers cogent

2005-04-18 Thread Stephen J. Wilcox

yes they're alive.. but the connectivity to DT was never in question :)

On Mon, 18 Apr 2005, Peter & Karin Dambier wrote:

> 
> They are alive!
> 
> host_name("217.167.29.246","www.francetelecom.com").
> 
> No ping, no traceroute, but I get their homepage.
> 
> host_name("84.167.240.52","p54A7F034.dip.t-dialin.net").
> 
> That is me.
> 
> 217.0.67.105 (217.0.67.105)  9.237 ms  9.128 ms  9.335 ms
> da-ea1.DA.DE.net.DTAG.DE (62.153.179.54)  8.362 ms  8.445 ms  9.784 ms
> 
> That is my way out.
> 
> In europe there seem to be no problems. I have not seen anything in forums
> here.
> 
> From
> 
> http://vision.opentransit.net/docs/peering_policy/
> 
> "If you meet the criteria defined above, please send your formal peering
> application by email to peering5511 at opentransit.net
> ([EMAIL PROTECTED] has been discontinued)"
> 
> I guess they have another mailbox in "qa."
> 
> 
> Regards,
> Peter Dambier
> 
> 



Re: OpenTransit (france telecom) depeers cogent

2005-04-16 Thread Stephen J. Wilcox

On Fri, 15 Apr 2005, Patrick W. Gilmore wrote:

> On Apr 15, 2005, at 2:10 PM, Fredy Kuenzler wrote:
> 
> > Paul Vixie wrote:
> > > in other words, sometimes it's better to take pain in a "lump sum" than on
> > > the "time payment plan."  if that's what cogent's trying to do, they've
> > > got my support.  if on the other hand cogent is, as accused here today,
> > > dumping transit at below cost, then may they rot in hell.  (could i say
> > > that simpler?)
> >
> > I'm not sure about the US price war, I just can say that I've seen an offer
> > of AS174 in Switzerland which is 38% of the price of AS1239 we currently pay
> > (same CDR). I'm not sure if ths already justifies hell, but at least
> > purgatory ;-)
> 
> Strange, I am REALLY HAPPY when someone offers me a comparable product for
> less money.  If you prefer to pay more, well, I'm happy for you.
> 
> (And no flames about Cogent not being comparable.  I've already posted here
> that their network runs just fine.  Of course, now that they are no longer
> offering "full transit", we are re-considering how "good" their pricing is.)
> 
> 
> Back on topic, I am unclear on why "you sell X for less than I do" is
> justification for rotting in hell.  Whether X is below your cost is COMPLETELY
> immaterial.  Whether it is below their cost is irrelevant to me, but it might
> be important to some countries / laws / whatever.  If they are breaking a law,
> have someone investigate & charge them.  If there is no law against it, deal
> with it.  They should be going out of business RSN anyway.

The carrier transit market is in a real mess, many of the large players having 
already gone bankrupt once, when that happened with the so called dot-com crash 
it affected the global economy. 

What we see now are today's carriers facing the risk of bankruptcy again, some 
for the second time round. One possible interpretation of Cogent's price erosion 
is that networks have been built that will not make a profit for 2 or 3 years 
and being forced to cut prices heavily in order to compete is pushing that 
profitability curve such that the companies will run out of funding before they 
hit profit.

The short term benefit as a buyer is reduced costs, but long term this could 
affect the very market that you're operating in and your own viability and 
profit margins.

For many folks too the falling price they buy transit for just means they are
being forced to take that off their product sell prices so they don't actually
make any more profit.. in which case there is no advantage to buying below-cost
services.


In general I'd prefer to operate in a healthy marketplace, where all parties are
making money, there's little risk of the supplier filing bankruptcy and I am
getting reasonable customer service. That can only lead to growth of the
industry, healthy businesses and healthy economies. Unfortunately none of these
things appear to be happening at the moment...

Steve





Re: OpenTransit (france telecom) depeers cogent

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, Patrick W Gilmore wrote:

> 
> On Apr 14, 2005, at 5:16 PM, Richard A Steenbergen wrote:
> 
> >> Surely FT's customers pay for access to Cogents network and vice versa?
> >
> > In such a case, FT has done its part by paying Sprint for full transit
> > service. It is Cogent who is not accepting the route from their transit,
> > and who intentionally does not carry the global routing table. If I put up
> > a filter on my transit that says I will not accept routes from you unless
> > you peer with me, should your customers leave you because I did this?
> > Doesn't sound very fair to me. I guess it depends how important I am,
> > doesn't it?
> 
> Is Cogent filtering the prefixes they get from Verio?  Or is Verio 
> filtering what they send to Cogent?  Does it matter?
> 
> I think you have a very good point - FT is buying full transit.  Cogent 
> is the one without full reachability.
> 
> Doesn't mean that FT didn't know this would be a problem when they took 
> the step, though.

Well, FT took the step as you say.. they are the instigator here.

But, they are within their rights to do so and would have given proper written
notice to Cogent so this isn't as much a surprise to them as is being suggested
either.

Steve



Re: Anyone familiar with the SBC product lingo?

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, Randy Bush wrote:

> > you'll never get better redundancy than having more than one carrier.
> 
> very often, they buy segments from eachother, run in the same trench, change
> the dlr six months later, ...  trust and test just as you would a single
> carrier.  trust 0 test 100.

when this has been critical i've insisted on seeing duct maps to ensure they
really are different. but as you say even that doesn't prevent a change of path
in the future

i guess it helps us to know a bit more than the average circuit buyer tho too..

Steve



Re: Anyone familiar with the SBC product lingo?

2005-04-14 Thread Stephen J. Wilcox

On Thu, 14 Apr 2005, [EMAIL PROTECTED] wrote:

> On Thu, 14 Apr 2005 16:15:41 EDT, Luke Youngblood said:
> > 
> > SONET simply means you are on a Sonet ring:  Two redundant connections to
> > the central office.  If someone gets a little crazy with a backhoe your line
> > is guaranteed to stay up (ask about SLAs, and make sure they will refund
> > part of your monthly bill if you have an outage).  That's why it costs over
> > twice as much.
> 
> And remember to ask questions - make sure they've actually got the two
> connections routed differently.  Remember that if the backhoe hits the conduit,
> *all* the fiber pairs go - and if both runs were in the same conduit, you're
> still dead
> 
> (Anybody here *NOT* seen cases where the 2 fibers leave the building on opposite
> sides, go down different streets - and rejoin 2 miles down the way because
> there's only one convenient bridge/tunnel/etc over the river, or similar?)

yes. but in my case we checked it and it was okay on install but was rerouted at
some point. someone broke the ducting and we lost a bunch of oc48s which was
bad.

you'll never get better redundancy than having more than one carrier.

Steve



Re: so, how would you justify giving users security?

2005-04-05 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Florian Weimer wrote:

> * Stephen J. Wilcox:
> 
> > On Mon, 4 Apr 2005, Gadi Evron wrote:
> >
> >> Anyone ever considered just closing these ports? People will pay you 
> >> more and just for your ACL services! You can put all your troubles 
> >
> > you would need to do this on a per customer interface basis ie not
> > at an aggregation point but on each ppp interface..
> 
> Not necessarily.  Some Windows malware prefers local address ranges, but not
> all.  If you quickly disconnect those who caught something, it's a great help
> in keeping the number of infected machines down. You could even spin this in a
> way that encourages your customers to recommend you to their friends: no
> hassle with the filters.

I thought of that but then it's only half a filtering effort, how would you
package it up 'Telecomplete Broadband **Now with a bit of filtering**' ?

Then a bunch of small print about how you don't actually provide any additional
security? :)

Steve



Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Stephen J. Wilcox

On Mon, 4 Apr 2005, Gadi Evron wrote:

> Anyone ever considered just closing these ports? People will pay you 
> more and just for your ACL services! You can put all your troubles 

you would need to do this on a per customer interface basis ie not at an
aggregation point but on each ppp interface.. does that scale? i've not tried
it, what i mean by scale is if this is eg auto-config'd by radius to cisco does
it move the switching path to software or do anything else that would crash a
fully loaded dialup/lac/lns/etc ?

Steve



Re: botted hosts

2005-04-03 Thread Stephen J. Wilcox

On Sun, 3 Apr 2005, Petri Helenius wrote:

> 
> 
> I run some summaries about spam-sources by country, AS and containing 
> BGP route.
> These are from a smallish set of servers whole March aggregated. 
> Percentage indicates incidents out of total.
> Conclusion is that blocking 25 inbound from a handful of prefixes would 
> stop >10% of spam.

and your second highest is 4.0.0.0/8; your advice is that blocking it would help
your email?

Steve

> 
> +---------+---------+
> |  % spam | country |
> +---------+---------+
> | 26.8013 | US      |
> | 25.6489 | KR      |
> | 11.2896 | CN      |
> |  4.3139 | FR      |
> |  2.8045 | BR      |
> +---------+---------+
> 
> +---------+-------+
> |  % spam | ASN   |
> +---------+-------+
> | 11.3916 |  4766 |
> |  6.3791 |  9318 |
> |  5.1094 |  4134 |
> |  3.3910 |  7132 |
> |  3.1717 | 29963 |
> +---------+-------+
> 
> +--------+------------------+
> | % spam | containing route |
> +--------+------------------+
> | 2.0754 | 207.182.144.0/20 |
> | 1.7184 | 4.0.0.0/8        |
> | 1.3054 | 82.224.0.0/11    |
> | 1.1116 | 221.144.0.0/12   |
> | 1.0963 | 207.182.136.0/21 |
> | 0.9943 | 61.78.37.0/24    |
> | 0.9586 | 218.144.0.0/12   |
> | 0.9484 | 222.96.0.0/12    |
> | 0.7394 | 222.65.0.0/16    |
> | 0.7343 | 211.200.0.0/13   |
> +--------+------------------+
> 
> Pete
> 
> 
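
The per-route table above is what a longest-prefix aggregation of a mail log against a BGP table produces. What follows is an added example, not Pete's code or data: it maps constructed log lines onto a constructed routing table (prefixes and AS numbers from the documentation and private ranges), reports incident share per containing route and per origin AS, and adds an incidents-per-256-addresses figure that makes Steve's objection to a /8 near the top of such a list explicit.

```python
"""Aggregate spam incidents by containing BGP route and origin AS, and
measure how dense each prefix's contribution is.  Added example with a
constructed routing table and constructed log lines; nothing here is from
the original thread."""
import ipaddress
from collections import Counter

# Constructed routing table (prefix -> origin AS).  A real one would come
# from a BGP dump; these prefixes and AS numbers are documentation/private
# ranges chosen for the example.
ROUTING_TABLE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,   # more-specific carved out of the /24 above
    "100.64.0.0/10": 64503,       # a very large aggregate, like the /8 in the thread
}

# Constructed mail-log lines: timestamp, connecting IP, filter verdict.
LOG_LINES = """\
2005-03-01T00:00:01 198.51.100.130 spam
2005-03-01T00:00:02 198.51.100.131 spam
2005-03-01T00:00:03 198.51.100.5 spam
2005-03-01T00:00:04 203.0.113.9 spam
2005-03-01T00:00:05 203.0.113.10 ham
2005-03-01T00:00:06 100.64.3.4 spam
2005-03-01T00:00:07 100.99.1.1 spam
2005-03-01T00:00:08 192.0.2.1 spam
"""


def build_table(routes):
    """Sort routes longest prefix first so a linear scan returns the most
    specific match, which is the route a router would actually use."""
    return sorted(((ipaddress.ip_network(p), asn) for p, asn in routes.items()),
                  key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, addr):
    """Longest-prefix match; (None, None) if the address is not routed."""
    ip = ipaddress.ip_address(addr)
    for net, asn in table:
        if ip in net:
            return net, asn
    return None, None


def aggregate(log_text, routes):
    """Count spam incidents per containing route and per origin AS."""
    table = build_table(routes)
    by_prefix, by_asn = Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        _ts, addr, verdict = line.split()
        if verdict != "spam":
            continue
        total += 1
        net, asn = lookup(table, addr)
        by_prefix[str(net) if net else "unrouted"] += 1
        by_asn[asn if asn else "unrouted"] += 1
    return total, by_prefix, by_asn


def share_table(counter, total):
    """Percentage of all incidents per key, highest first, like the tables above."""
    return [(round(100.0 * n / total, 4), key) for key, n in counter.most_common()]


def density(by_prefix):
    """Incidents per 256 addresses of each routed prefix.  Share of spam alone
    is misleading: a /8 can sit near the top of the list while each of its
    /24s contributed almost nothing, so blocking it hits far more legitimate
    hosts per spam incident than blocking a dense /20 would."""
    out = {}
    for key, n in by_prefix.items():
        if key == "unrouted":
            continue
        out[key] = n * 256 / ipaddress.ip_network(key).num_addresses
    return out


if __name__ == "__main__":
    total, by_prefix, by_asn = aggregate(LOG_LINES, ROUTING_TABLE)
    print(f"{total} spam incidents")
    for pct, key in share_table(by_asn, total):
        print(f"AS  {pct:8.4f}  {key}")
    dens = density(by_prefix)
    for pct, key in share_table(by_prefix, total):
        print(f"pfx {pct:8.4f}  {key:20}  {dens.get(key, 0):.4f} per 256 addrs")
```

Run as a script it prints the three views; the density column is the one to read before turning a prefix into a port 25 block, since two incidents from a /10 and two from a /25 carry the same share but wildly different collateral damage.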



Re: MD5 for TCP/BGP Sessions

2005-03-31 Thread Stephen J. Wilcox

On Thu, 31 Mar 2005, Pekka Savola wrote:

> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > without wishing to repeat what can be googled for.. putting acls on your edge to
> > protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> > disrupt a session you have to spoof the srcip which of course the acl will allow
> > in
> 
> This is why this helps for eBGP sessions only the peer is also protecting its
> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
> nobody is able to spoof the srcip the peer uses.

trusting a third party to protect your network is imho not best practice; in
addition many networks may have considerable numbers of customers inside them,
making attacking from inside trivial

Steve



Re: Clearwire May Block VoIP Competitors

2005-03-30 Thread Stephen J. Wilcox

On 30 Mar 2005, Paul Vixie wrote:

> 
> the bigger issue with 802.11 and VoIP is that wireless ethernet tends to be
> half duplex whereas codecs tend to run both directions at once.  who's getting
> good service over 802.11 using G.711 or G.729?  (no fair if your wireless
> handset has its own proprietary halfdup codec, i'm talking real SIP here.)

hmm running g711 on a wifi handset or a lan phone with wifi bridging in the
middle results in decent quality.

at 2x80kbps vs 11mbps or 54mbps there should be plenty of room for both directions
to communicate without too much delay

Steve


Re: MD5 for TCP/BGP Sessions

2005-03-30 Thread Stephen J. Wilcox

without wishing to repeat what can be googled for.. putting acls on your edge to
protect your ebgp sessions won't work for obvious reasons -- to spoof data and
disrupt a session you have to spoof the srcip, which of course the acl will allow
in

Steve

On Thu, 31 Mar 2005, Pekka Savola wrote:

> 
> On Wed, 30 Mar 2005, John Kristoff wrote:
> [on bgp/md5 and acl's]
> > ACLs are often used, but vary widely depending on organization.
> > It can be difficult to manage ACLs on a box with a large number
> > of peers that uses many local BGP peering addresses.  I'm sure
> > some organizations reviewed and updated their ACLs as a result
> > of the last scare, but that is a local, private decision and it
> > would probably be hard to get good sample of who and what changed.
> 
> I would be double careful here, just to make sure everybody 
> understands what you're protecting.
> 
> iBGP sessions?  ACLs are trivial if you have your borders secured.
> 
> eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
> you know your peer and you also protect your borders, ACLs are rather 
> trivial as well.
> 
> What you seem to be saying is using ACLs to enumerate the valid 
> endpoints for eBGP sessions.  That goes further than the above but 
> indeed is also a pain to set up and maintain.
> 
> There are other attacks you can make against TCP sessions (protected 
> by MD5 or not) using ICMP, though. (see 
> draft-gont-tcpm-icmp-attacks-03.txt).
> 
> 
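
Both MD5 messages above turn on the same point: an edge ACL admits whatever carries the peer's source address, so only something the forger cannot supply, the shared key behind the TCP MD5 option or the TTL that GTSM checks, tells the real peer from a spoofer. The following is an added example, not from the thread or from any vendor's implementation: it computes the RFC 2385 digest and applies the receiver-side checks with a GTSM floor, over constructed addresses, a constructed key and a constructed BGP KEEPALIVE.

```python
"""RFC 2385 TCP MD5 signature option, plus a GTSM (RFC 3682) TTL floor, as a
receiving router would check them on an eBGP session.  Added example: the
addresses, ports, payload and key are constructed test values and nothing
here is from the original thread or from any router vendor's code."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19      # TCP option kind assigned to the RFC 2385 signature
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest
GTSM_MIN_TTL = 254        # directly connected neighbour sends 255; one hop uses one


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header (src, dst, zero,
    protocol, TCP length), the 20-byte fixed TCP header with the checksum
    zeroed and the options excluded, the payload, and the shared key."""
    if len(tcp_header) != 20:
        raise ValueError("pass only the 20-byte fixed header; options are excluded")
    tcp_length = len(tcp_header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_length))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]   # checksum -> 0
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window,
                  payload, key):
    """Return (fixed_header, options, payload) for a signed segment.  The
    18-byte option is followed by two NOPs (kind 1) to reach a 32-bit boundary,
    so the data offset is (20 + 20) / 4 = 10 words.  The checksum is left at
    zero: it is not part of the digest and the IP stack would fill it in."""
    options_len = MD5_OPTION_LEN + 2
    data_offset = (20 + options_len) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key)
    options = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"
    return header, options, payload


def find_md5_option(options):
    """Walk the TCP options list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return None
        if kind == 1:                      # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                    # truncated or malformed option
        length = options[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return options[i + 2:i + MD5_OPTION_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, ttl, header, options, payload, key):
    """Receiver-side checks in the order a router applies them: GTSM floor,
    presence of the option, constant-time digest comparison.  There is
    deliberately no source ACL: the forger's packets carry the peer's address,
    so an ACL passes them; only the TTL and the key tell them apart."""
    if ttl < GTSM_MIN_TTL:
        return False, "ttl below GTSM floor"
    received = find_md5_option(options)
    if received is None:
        return False, "no MD5 option"
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(options), payload, key)
    if not hmac.compare_digest(received, expected):
        return False, "bad signature"
    return True, "ok"


def demo():
    """A legitimate segment, then three forgeries using the peer's address."""
    peer, me, key = "192.0.2.1", "192.0.2.2", b"constructed-session-key"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"           # 19-byte BGP KEEPALIVE
    results = {}
    hdr, opts, data = build_segment(peer, me, 179, 40000, 1000, 2000, 0x18,
                                    65535, keepalive, key)
    results["legit"] = verify_segment(peer, me, 255, hdr, opts, data, key)
    # Spoofed RST from someone who passes the edge ACL but does not hold the key
    rst = build_segment(peer, me, 179, 40000, 1000, 2000, 0x14, 0, b"", b"guess")
    results["spoofed_wrong_key"] = verify_segment(peer, me, 255, *rst, key)
    # Same spoofed address but several hops away: the TTL arrives below the floor
    results["spoofed_far_away"] = verify_segment(peer, me, 250, hdr, opts, data, key)
    # Replayed segment with one payload byte altered in flight
    tampered = bytes([data[0] ^ 0x01]) + data[1:]
    results["tampered"] = verify_segment(peer, me, 255, hdr, opts, tampered, key)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20} {'accept' if ok else 'drop':6} {why}")
```

The GTSM check stands on its own and is what Pekka's "if supported" refers to: a packet that has crossed more than one hop cannot arrive with TTL 255 no matter what source address it carries. The key check is what stops an attacker inside the peer's own customer base, which is Steve's objection to relying on the peer's anti-spoofing.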


Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, John Dupuy wrote:

> I was looking at it from a route announcement point of view. Transit is where
> AS A advertises full routes to AS B. Thus, AS B is getting transit from A.
> Peering is where A & B only advertise their network and, possibly, the
> networks that stub or purchase transit from them.

no, they MUST send their customer nets else their customers will not have 
global reachability

> It is my understanding that the top ISPs "trade transit". They provide full 
> routes to each other without payment, regardless of how or where the route 
> was learned from. They are willing to pass some traffic without 
> compensation because it makes for better connectivity. From an announcement 
> POV they are not peering.

ahhh. no, they send peering only between each other (approx 5 routes for 
each of the biggest providers - level3, sprint, uunet, at&t)

Steve

> I am still curious: do any of the larger ISPs on this list want to 
> confirm/deny the previous paragraph?
> 
> I think we are getting into "defining terms" territory. So, I will bow out 
> of the discussion.
> 
> John
> 
> At 01:56 PM 3/29/2005, David Barak wrote:
> 
> >--- John Dupuy <[EMAIL PROTECTED]> wrote:
> >
> > > But by the technical description of a "transit free
> > > zone", then 701 is not
> > > tier one, since I have encountered scenarios where
> > > many AS are transversed
> > > between 701 and other networks, not just a peer of a
> > > peer. Unless, by
> > > "transit free zone" you mean "transit trading" where
> > > large providers permit
> > > each other to transit for free. (Which gets back to
> > > my 'who hurts more'
> > > discussion.)
> > >
> >
> >
> >
> >Transit = being someone's customer
> >
> >Peering = permitting your customers to go to your
> >peer's customers or the peer's network, but not the
> >peer's peers, without exchange of money.
> >
> >Any other relationship != peering for my purposes
> >(although lots of subtly different relationships
> >exist, the largest networks tend to take a view which
> >is not too dissimilar to the one shown above)
> >
> >
> >
> >Are you implying that 701 is paying someone to carry
> >their prefixes?  While I'm not the peering coordinator
> >for 701, I would find that improbable.  I would expect
> >that money would flow the other direction (and thus
> >701 would become a more valuable peer for other
> >networks).
> >
> > > I'm willing to be wrong. If any of the large
> > > providers on the list will say
> > > that their network does not transit beyond the
> > > customer of a peer; and they
> > > still maintain full connectivity, I will gladly be
> > > corrected.
> >
> >oodles and oodles of people can say this (and already
> >have).  A paying customer of mine can readvertise
> >(with a non-munged AS_PATH) any of my prefixes which
> >they want, and thus provide transit for other people
> >to reach me.  That does not change the fact that I'm
> >not paying for transit.
> >
> >So in short, I would say that T1 vs T2 etc is a
> >"follow the money":
> >
> >T1 => doesn't pay anyone else to carry their prefixes,
> >and runs a default-free network.
> >
> >T2 => pays one or more T1 providers to carry their
> >prefixes, may or may not run a default-free network.
> >
> >T3 => leaf node, pays one or more T1/T2 providers to
> >carry their traffic, probably uses default route.
> >
> >YMMV, blah blah blah
> >
> >
> >David Barak
> >Need Geek Rock?  Try The Franchise:
> >http://www.listentothefranchise.com
> >
> >
> >
> >__
> >Do you Yahoo!?
> >Yahoo! Sports - Sign up for Fantasy Baseball.
> >http://baseball.fantasysports.yahoo.com/
> 
> 



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, Richard A Steenbergen wrote:

> On Tue, Mar 29, 2005 at 02:23:06AM +0100, Stephen J. Wilcox wrote:
> > 
> > 701 is not the most connected, it has only customers and a restrictive 
> > set of peers?
> 
> Ok, I'm just bored enough to bite. 

but not as bored as bill, randy or patrick it would seem :)

> If we're talking about a contest to see who has the most number of directly
> connected ASNs, I think UU might still win, even with a restrictive set of
> peers.

I didn't think we were, kinda happened.. if peering partners is a compensation
for something else it's pretty sad ;)

Maybe I'm wrong, i checked with renesys and their data has 701 with 5200
adjacencies followed by 1239 with 3500. anyway i care enough to have snipped the
data.

> Which begs the question, what is the largest number of ASNs that someone peers
> with? Patrick? :) Somehow I suspect that 701's customer base (702 and 703
> aren't included in the above count BTW) overpower even the most aggressively
> open of peering policies, in this particular random pointless and arbitrary
> contest at any rate.

so what are we debating again? :)


Steve





Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-29 Thread Stephen J. Wilcox

On Tue, 29 Mar 2005, [EMAIL PROTECTED] wrote:

> > and if you peer with all networks in the 'transit free zone' then you too become
> > transit free also.
> > 
> > 
> 
>   er.. hate to rain on your parade but if I peer with everyone 

these are not the words of someone hating to rain on me!

>   i need/want to exchange traffic with, i am transit-free, even
>   if I -NEVER- touch any other part of the commercial Internet...

mmm yeah but in the context we have here of ISPs providing connectivity to other
ISPs or enterprises this isn't very realistic so i don't see the point of arguing
the technicality.

>   my packets get to where they need to go and all packets I want
>   get to me.  my life is good ... even if I only appear as vestigal
>   to the commercial Internet, if I appear at all.

sounds more like an enterprise with specific requirements to connect to a 
limited part of the internet.. this is not the sort of ISP operation that i am 
working in.

>   how would you classify such a network?  T1, T2, ODDBALL-0, 
>   non-Internet-265, ???  

enterprise

Steve



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-28 Thread Stephen J. Wilcox

On Mon, 28 Mar 2005, John Dupuy wrote:

> I'll be brief, but I do want to perhaps word Alex's definition in a different way
> that might be more useful.
> 
> Even "tier 1" providers regularly trade transit. They must since no single
> network is connected to all the other ones. Not even close. Even UUNet (ASN
> 701), arguably the most-connected network on the planet, only connects to a
> fraction of the possible peerings.

701 is not the most connected, it has only customers and a restrictive set of
peers?

you don't need to peer with all networks tho, if all networks are buying from 701
or one of its peers then it will get those routes via peering not transit or
transit trades... you seem to be forgetting what peering is.

and if you peer with all networks in the 'transit free zone' then you too become
transit free also.

> The true definition is more vague: if a peering or transit circuit between A or B
> is taken down, who will be hurt the most: A or B? If it is predominantly B, and
> much less A, then A is "more Tier 1" and B is of a "lesser Tier". If they are
> equally hurt, then they are of equal status. Essentially, "Tier 1" is whatever
> the other "Tier 1" providers believe at the moment is "Tier 1". It is
> self-referential and not distinct at all.

i believe the distinction exists as shown above ie transit free.. as to why this
might be considered a goal i'm not sure, it's not obvious that transit free is
cheaper than buying transit!

this thing about 'who hurts most' is an entirely different topic and has nothing
to do with who is in the transit free zone. altho destructive depeering does
seem to be common practice within that zone :)

> This is, frustratingly, a very non-technical definition. But it seems to map
> with what I've actually seen the industry do.

that's because non-technical definitions mean anyone can call themselves anything
they like.. wiltel recently spammed me to buy their 'tier1 transit'.. presumably
they are tier1 within their own definition of tier1.

if you want to be technical tho, and aiui we are a technical forum, then tier1 
means transit free.

i reaffirm my earlier point - but why care, isnt it about cost and reliability, 
and as peering and transit are about the same cost who cares who you dont peer 
with

Steve

> 
> John
> 
> At 09:17 AM 3/28/2005, Stephen J. Wilcox wrote:
> 
> > On Mon, 28 Mar 2005, Randy Bush wrote:
> > 
> > > > Firstly, peering isn't binary. Is peering vs transit a distinction based on
> > > > routes taken / accepted & readvertised, or on cost? Does "paid for peering"
> > > > count as peering or transit? If you pay by volume? If you pay for "more than
> > > > your fair share" of the interconnect pipes? (if the latter, I am guessing
> > > > there are actually no Tier 1s as everyone reckons they pay for more than
> > > > their fair share...).
> > >
> > > pay?  did i say pay?  i discussed announcement and receipt of prefixes.  this
> > > was not an accident.  it is measurable.
> > 
> > i also avoided money.. i don't think it's that relevant, everyone is paying for
> > peering or transit in one form or another, i don't think any peering is free
> > (free != settlement free)
> > 
> > > > Secondly, it doesn't cover scenarios that have happened in the past.
> > > > For instance, the route swap. EG Imagine networks X1, X2, X3, X4 are "Tier
> > > > 1" as Randy describes them. Network Y peers with all the above except X1.
> > > > Network Z peers with all the above except X2. Y & Z peer. To avoid Y or Z
> > > > needing to take transit, Y sends Z X2's routes (and sends Z's routes to X2
> > > > routes marked "no export" to X2's peers), and Z sends Y X1's routes (and
> > > > sends Y's routes to X1 marked "no export" to X1's peers). Perhaps they do
> > > > this for free. Perhaps they charge eachother for it and settle up at the end
> > > > of each month. Perhaps it's one company that's just bought another.
> > 
> > "transit (n). The act of passing over, across, or through; passage."
> > 
> > whether it is a settlement arrangement or a mutual swap, they do NOT have
> > peering, they ARE transiting and by our definition are not transit-free (and
> > hence not tier1)
> > 
> > however alex, you do highlight an excellent point - things are not as simple as
> > 'tier1, tier2', there are complicated routing and financial arrangements in
> > operation, which brings me back to my earlier point: does it matter what a
> > network is paying for some connectivity providing they deliver to you the
> > connectivity you need at the quality you desire?
> > 
> > Steve
> 
> 



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-28 Thread Stephen J. Wilcox

On Mon, 28 Mar 2005, Randy Bush wrote:

> > Firstly, peering isn't binary. Is peering vs transit a distinction based on
> > routes taken / accepted & readvertised, or on cost? Does "paid for peering"
> > count as peering or transit? If you pay by volume? If you pay for "more than
> > your fair share" of the interconnect pipes? (if the latter, I am guessing
> > there are actually no Tier 1s as everyone reckons they pay for more than
> > their fair share...).
> 
> pay?  did i say pay?  i discussed announcement and receipt of prefixes.  this
> was not an accident.  it is measurable.

i also avoided money.. i don't think it's that relevant, everyone is paying for
peering or transit in one form or another, i don't think any peering is free
(free != settlement free)

> > Secondly, it doesn't cover scenarios that have happened in the past.
> > For instance, the route swap. EG Imagine networks X1, X2, X3, X4 are "Tier
> > 1" as Randy describes them. Network Y peers with all the above except X1.
> > Network Z peers with all the above except X2. Y & Z peer. To avoid Y or Z
> > needing to take transit, Y sends Z X2's routes (and sends Z's routes to X2
> > routes marked "no export" to X2's peers), and Z sends Y X1's routes (and
> > sends Y's routes to X1 marked "no export" to X1's peers). Perhaps they do
> > this for free. Perhaps they charge eachother for it and settle up at the end
> > of each month. Perhaps it's one company that's just bought another.

"transit (n). The act of passing over, across, or through; passage."

whether it is a settlement arrangement or a mutual swap, they do NOT have
peering, they ARE transiting and by our definition are not transit-free (and
hence not tier1)

however alex, you do highlight an excellent point - things are not as simple as
'tier1, tier2', there are complicated routing and financial arrangements in
operation, which brings me back to my earlier point: does it matter what a
network is paying for some connectivity providing they deliver to you the 
connectivity you need at the quality you desire?

Steve



Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-27 Thread Stephen J. Wilcox

On Sun, 27 Mar 2005, Patrick W Gilmore wrote:

> On Mar 26, 2005, at 11:21 PM, Randy Bush wrote:
> 
> >> forget this concept of tier1, 2, 3 .. they are little more than terms used
> >> by salesmen.
> >
> > at least t1 and t2, also permeate academic papers where the real topology is
> > actually measured.  but we should not let demonstrable measurements get in
> > the way of our defense of the position of our smaller networks by marketing
> > people.
> 
> And how, pray tell, does one actually "measure" T1 vs. T2 networks?  
> (Assuming you are not talking about two of the Terminator movies. ;-)

i would agree it is possible to mark some networks as transit free - tier1 - and
therefore any network using a tier1 to access another tier1 is tier2. arguably a
tier3 would be a network not connected to a tier1.

> If someone is paying Network A, but sends communities to be treated as 
> a peer, are they T1 or T2?

imho: T1, forget the money



> Back on a more operational topic, it really doesn't matter what "tier"  you
> are, it just matters how good your connectivity is.  There is no need to
> 'defend' the 'smaller networks'.  Some of the "tier 1" networks have totally
> suck ass connectivity.  (Yes, 'suck ass' is a technical term. =)

absolutely!! it amazes me how much value is placed in this 'tier' system, why 
not just buy connectivity that (a) is compatible with your size as an ISP (b) 
reliably delivers bits from A to B

Steve



Re: ICANN on the panix.com theft

2005-03-27 Thread Stephen J. Wilcox

On Sat, 26 Mar 2005, David Lesher wrote:

> > > ICANN Blames Melbourne IT for Panix Domain Hijacking
> 
> I also don't see any discussion on what ICANN was during during the
> hijack situation; maybe I missed that part.

i don't believe this is ICANN's responsibility.. it is however their
responsibility to ensure proper registry procedures are put in place to prevent
this kind of occurrence and provide emergency procedures for reversals when
problems such as suspected hijacks are encountered.

Steve



Re: Apology: [Re: Tier-2 reachability and multihoming]

2005-03-26 Thread Stephen J. Wilcox

So anyway, this internet thing..

forget this concept of tier1, 2, 3 .. they are little more than terms used by
salesmen. instead assume all ISPs have connectivity to the whole internet, and
that you're a new ISP wanting connectivity of your own. you can buy transit from
any ISP and you will get global reachability, you could also buy from any two
hence multihoming and have the same global reachability

now you're up and running, consider peering.. peering with another isp will give
you access to that isp and their customers (ie other isps buying global
reachability as you are doing)

so as per your original query, if any two nodes/asns dont have a direct 
connection you can assume one or both is relying on their upstream to provide 
the necessary global connectivity


now, i see your data is from oregon.. i think theres around 50 'views' of the 
internet from about 25 ASNs. consider there are about 2 active ASNs 
currently. you would need to get all 2 routing tables in order to see 
exactly what relationships are active.

(the reason is that from any single ASN the internet will appear to you as a 
tree much like your original email, showing the 'up-down' relationships but not 
the 'left-right' ones)


also, in the context that you use 'multihoming' you're really referring to a
leaf node such as an enterprise which may buy from 2 or 3 isps to have global
connectivity with some redundancy. if you are looking at transit ISPs (ie tier1,
2 in your description) their connectivity is more complicated and you need to
continue your reading with some of the suggested papers..

Steve

On Sat, 26 Mar 2005, G Pavan Kumar wrote:

> 
> This is with my deepest regrets that I apologize from the bottom
> of my heart to Mr.Gilmore, Mr.Woodcock, Mr.Bush and also the rest
> of the honourable members of the list for being ignorant of how 
> high-profile a list this is. I couldn't be more sorry. Please,
> please forgive me.
> 
> ps: I sure meant no harm, was just trying to be humorous,(I hope
> the exclamation marks might have given some hint) anyway it is
> too late. They say there is no natural punishment than remorse.
> Also, I was too embarrassed to post a quick apology.
> 
> Thanking you,
> pavan.
> 
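
The T1 vs T2 thread above and this post both rest on one export rule: a peer announces its own and its customers' routes, a transit provider announces everything it has. The following is an added example, not from the original posts: it simulates that rule over a constructed topology (private-range AS numbers, not 701 or 1239) and derives the tiers the thread argues over, including the network with no provider and only a partial table, the "peer with everyone I need to exchange traffic with" case raised earlier in the thread, which is transit-free without being a tier1.

```python
"""Valley-free route export over a constructed AS topology, and the tier
classification the thread argues over (tier1 = transit-free with a full
table).  Added example; the AS numbers are private-range placeholders and
none of this is from the original posts."""
CUSTOMER, PEER, PROVIDER = 0, 1, 2   # also the preference order for learned routes

# Constructed topology: (customer, provider) pairs, then unordered peer pairs.
PROVIDER_LINKS = [(10, 1), (10, 2), (11, 3), (30, 11), (30, 3), (20, 10), (41, 40)]
PEER_LINKS = [
    (1, 2), (2, 3), (1, 3),        # the transit-free mesh
    (10, 11),                      # two tier2s peering with each other
    (40, 1), (40, 2), (40, 3),     # 40 buys nothing and peers with the whole mesh
    (50, 10),                      # 50 buys nothing and peers only with 10
]


def build_topology(provider_links, peer_links):
    """nbrs[a][b] is what b is to a: CUSTOMER, PEER or PROVIDER."""
    nbrs = {}
    for customer, provider in provider_links:
        nbrs.setdefault(customer, {})[provider] = PROVIDER
        nbrs.setdefault(provider, {})[customer] = CUSTOMER
    for a, b in peer_links:
        nbrs.setdefault(a, {})[b] = PEER
        nbrs.setdefault(b, {})[a] = PEER
    return nbrs


def exportable(learned_from, neighbour_rel):
    """Gao-Rexford export rule: your own and your customers' routes go to
    everyone; routes learned from peers or providers go only to customers.
    This is why a peer gives you 'that isp and their customers' and nothing
    more, while a transit provider gives you its whole table."""
    return learned_from in (None, CUSTOMER) or neighbour_rel == CUSTOMER


def propagate(nbrs):
    """Iterate to a fixed point.  rib[a][dest] = (learned_from, as_path); a
    route is replaced only by a strictly better one (customer over peer over
    provider, then shorter AS_PATH), so the loop terminates.  Reachability
    model only, not a full BGP decision process."""
    rib = {a: {a: (None, (a,))} for a in nbrs}
    changed = True
    while changed:
        changed = False
        for a, neighbours in nbrs.items():
            for nbr, rel in neighbours.items():
                rel_of_a = nbrs[nbr][a]               # what a is to nbr
                for dest, (learned_from, path) in list(rib[a].items()):
                    if nbr in path or not exportable(learned_from, rel):
                        continue                      # loop, or policy says no
                    cand = (rel_of_a, (nbr,) + path)
                    cur = rib[nbr].get(dest)
                    if cur is None or (cand[0], len(cand[1])) < (cur[0], len(cur[1])):
                        rib[nbr][dest] = cand
                        changed = True
    return rib


def exported_routes(nbrs, rib, a, nbr):
    """Destinations a announces to nbr under the export rule above."""
    rel = nbrs[a][nbr]
    return {dest for dest, (lf, path) in rib[a].items()
            if nbr not in path and exportable(lf, rel)}


def classify(nbrs, rib):
    """tier1: no provider and a table as large as any transit-free network
    carries (this model's stand-in for 'the full table').  tier2: buys from a
    tier1.  tier3: buys transit but never directly from a tier1.  A network
    with no provider and a small table is the enterprise-style case: it is
    transit-free without being a tier1, and is visible only to its peers and
    their customers."""
    transit_free = {a for a in nbrs if PROVIDER not in nbrs[a].values()}
    full_table = max(len(rib[a]) for a in transit_free)
    tiers = {a: ("tier1" if len(rib[a]) == full_table
                 else "transit-free, partial reachability") for a in transit_free}
    for a in nbrs:
        if a in tiers:
            continue
        providers = [n for n, r in nbrs[a].items() if r == PROVIDER]
        tiers[a] = "tier2" if any(tiers.get(p) == "tier1" for p in providers) else "tier3"
    return tiers


if __name__ == "__main__":
    nbrs = build_topology(PROVIDER_LINKS, PEER_LINKS)
    rib = propagate(nbrs)
    for asn, tier in sorted(classify(nbrs, rib).items()):
        print(f"AS{asn:<3} {len(rib[asn]):2} routes  {tier}")
    print("AS10 -> peer AS11:", sorted(exported_routes(nbrs, rib, 10, 11)))
    print("AS10 -> cust AS20:", sorted(exported_routes(nbrs, rib, 10, 20)))
```

Two things fall out that match the thread: AS40, which buys from nobody and peers with the whole transit-free mesh, ends up with the same table as the mesh and is classified tier1, while AS50, which also buys from nobody but peers with a single tier2, reaches only that peer's customer cone. The route swap Alex described would appear here as a peer-learned route being exported to a peer, which `exportable` refuses; a network that needs it is taking transit.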



Re: High volume WHOIS queries

2005-03-01 Thread Stephen J. Wilcox

altho arguably it's not up to arin to provide processing power for all these
deployments.

if you can get a local copy why not have your clients resolve back to that?

Steve

On Tue, 1 Mar 2005, joe mcguckin wrote:

> 
> 
> How about caching the data from previous ARIN whois lookups?
> 
> I do agree that the bulk data and high volume limitations on whois servers
> are silly...
> 
> -joe
> 
> 
> On 2/28/05 1:30 PM, "Dan Lockwood" <[EMAIL PROTECTED]> wrote:
> 
> > 
> > I'm in a disagreement with ARIN about my application for bulk whois
> > data.  I've got a software program that needs resolve AS numbers to the
> > Company Name of the owner.  The software app has need to do this on a
> > very high volume.  E.g.  I run a report that returns the top 100 AS
> > destinations for my network and I want to resolve the numbers to the
> > names as part of the report generation.  Since ARIN throttles the number
> > of queries that you can execute against their servers I seems to "just
> > make sense" that you would do the processing using local data.
> > 
> > That is all fine and good, but the problem comes when I distribute the
> > software to users.  ARIN's AUP for bulk whois states:
> > 
> > "Redistributing bulk ARIN WHOIS data is explicitly forbidden. It is
> > permissible to publish the data on an individual query or
> > small number of queries at a time basis, as long as reasonable
> > precautions are taken to prevent automated querying by
> > database harvesters."
> > 
> > My original AUP application stated that I would transfer the data to the
> > users using an XML file on a regular basis.  Clearly in violation of the
> > first point.  Fine.  But now after a phone conversation they are telling
> > me that I can not operate a server to distribute the data on a "per
> > query" basis too.  Providing a server that answers whois queries just
> > like ARIN seems to be clearly permissible based on the remaining AUP
> > verbage.  At this point the only thing I can get out of the guy/gal on
> > the phone is "NO!".
> > 
> > Does anyone have any experience doing something like this?  How about a
> > sanity check?  Am I completely wrong in how I'm interpreting the AUP?
> > 
> > Thanks,
> > Dan
> > 
> 
> 



Re: NANOG Changes

2005-02-21 Thread Stephen J. Wilcox

Archive here michael:
http://www.merit.edu/mail.archives/nanog-futures/

not sure if it's complete yet but i know merit are trying to include the first
few messages

nanog-reform here:
http://mailarchive.oct.nac.net/nanog-reform/maillist.html

again, don't know how complete it is. understand also, the list has been open to
subscriptions, the reason for creating it was to allow a bunch of people to kick
some ideas around before airing them and getting into a mess of discussions much
like what we have now.

we saw this successful in vegas with the community forum and the document on the
nanog-reform site was well put together.

what we have now is what happens when 5000 people try to negotiate which is many
varying opinions, vocal people getting more airtime than they ought to when
their opinions are only their opinions and not necessarily the opinions of any
large group.

some folks need to write a document, propose it, vote on it and majority
rules.. not everyone will like all of it but it's not possible to write a
document that satisfies everyone 100%. i believe that's the aim of the bylaws
doc - please don't flame it, provide constructive comments, be prepared to
compromise and don't get lost in minutia when the major points have yet to be
fixed.

Steve

On Mon, 21 Feb 2005, [EMAIL PROTECTED] wrote:

> 
> > > Aha! So there really is more stuff hidden away on that
> > > site for the chosen few. Perception is reality, eh?
> 
> > People, please, gain some perspective here.  Nobody wants the 
> > thankless job of maintaining a mailing list that badly.
> 
> Perhaps I'm being too subtle here. I fully realize that
> all these irregularities are the result of incompetence and
> not of malice. But, as Paul Vixie wisely pointed out,
> in the realm of politics, perception equals reality.
> 
> If something is not completely in the open then people
> tend to believe that there are nefarious plotters doing
> backroom deals to seize power.
> 
> The i's need to be dotted and the t's need to be crossed.
> 
> If there is really a nanog-reform mailing list associated
> with nanog-reform.org then put information about it on
> the website. Move the petition signers to a secondary page.
> Put a link to (and explanation of) the wiki on the
> nanog-reform.org homepage.
> 
> If there really is an archive of nanog-futures then put 
> information about it on the website.
> 
> If there really are some interim results as reflected
> by the several emails on the NANOG list, then put this
> info on the nanog-reform.org website.
> 
> Dot the i's. Cross the t's.
> 
> The community to which NANOG addresses itself is only
> partially represented by this mailing list and even less
> represented by the NANOG meetings themselves. There are
> many, many IP network operators in North America (and 
> elsewhere) who would benefit from greater cooperation
> and communication through a medium like NANOG. In order
> to reach out to them, we have to stop posting in cryptic
> language and assuming that everyone is part of the in-crowd
> and knows how to find that one reference to a nanog-reform
> list buried somewhere in the archives of this mailing list.
> This is not an attack on any one person but rather a general
> comment on behavior which is widespread on this list.
> 
> It's the middle of the noughties now and the Internet has
> grown up. We need to move on and restructure our forums and
> organizations to better meet the needs of the industry
> and the IP network operations community.
> 
> --Michael Dillon
> 
> 



Re: NANOG Changes

2005-02-18 Thread Stephen J. Wilcox

On Fri, 18 Feb 2005, William Allen Simpson wrote:

> Paul Vixie wrote:
> 
> >... I just wish that all the political I's would get dotted and all the
> >political T's would get crossed.  Perception isn't *actually* reality, but in
> >politics (which this is) the difference between perception and reality is
> >just not worth discussing.
> >
> Speaking as someone with more than a passing familiarity with practical
> political process, Paul's comments are correct.
> 
> Please, the interim-moderators should moderate, and the bylaws drafters should
> draft, and they should be separate.  It's the usual difference between the
> Chair and the Editor (or Rapporteur, or Recording Secretary).
> 
> I introduced this important division to the IETF many years ago
> 
> Since they accepted the moderation function, they've disqualified themselves
> from the drafting function.
> 
> And I especially like Paul's point that those serving as the moderators
> be disqualified from serving in another position for at least a year.

I'm not sure what the purpose of that is, seems a bit arbitrary.

As I see it, this is a process, some short term improvements have been made as
an interim fix and response to vegas's community meeting but theres also more to
come before its complete.

Lets not get sidetracked with issues that arent there..

Merit has setup the nanog-futures list and made it public and open from the
outset.. that is the forum to take this discussion to but focus on what you want
not whats past or interim.

Steve




Re: ChinaNet Contacts

2005-02-17 Thread Stephen J. Wilcox

Hi Jon,
 there were two guys at nanog33.. if you didnt meet them then perhaps keep an 
eye out at nanog34

http://www.nanog.org/mtg-0501/attendee.list.html

short answer is i see chinanet folks on a whole bunch of forums and lists,

Steve

On Thu, 17 Feb 2005, Jon R. Kibler wrote:

> I know that this is a REALLY sore point, but has anyone ever established any
> good working relations with anyone in CHINANET or other China-based ISPs?
> 
> In recent weeks, over 80% of our port scans and various miscreant probes have 
> originated from a very small number of IPs in China. Trying to contact the IP 
> owner via email usually finds either the mailbox is full, the email address 
> is invalid, or the mail server is not working.
> 
> Anyone had any success in this area?
> 
> THANKS!
> Jon Kibler
> 



Re: NANOG Changes

2005-02-17 Thread Stephen J. Wilcox

On Thu, 17 Feb 2005, Gadi Evron wrote:

> Perfect, but let's not repeat past mistakes.
> 
> Let's set a date for this "temporary government" to expire, and start
> discussing how the process of a more permanent "governing" body will be
> achieved. I think 3 months is the longest we should decide on (not consider,
> the NANOG community has enough considering to do), we can do it in a month.
> 
> I believe this is important enough, either someone who has been here forever
> steps forward and volunteers to get the emails of who people want to see at
> this headache of a position, or we do it openly on the list. A poll can be
> done later on.

something has to be arbitrary in the absence of a government, its a chicken and 
egg. i think you're looking for problems that arent there - do you or anyone 
have issue with the progress thus far? if not the question is moot.

Steve



Re: Old McDonald Had a Pharm?!

2005-02-15 Thread Stephen J. Wilcox

Hmm, at the point where malicious software is modifying the behaviour of 
applications you may as well compare it to a keylogger. If the miscreant has 
control of the machine anything is possible, so sure I can see how it could be a 
real threat but it might not perhaps deserve its own silly name.

I think better deployment of certificates and 2 stage token/passwords is the way
forwards for both phishing and pharming (if pharming exists) from the server
perspective. For the clients, continued education and improvement to default
security. There seems to be movement with the latter, for the former tho the 
institutions still seem to insist that we the ISPs should be paying to fix their 
poor security.

Steve

On Tue, 15 Feb 2005, Daniel Golding wrote:

> 
> 
> There have been a couple recent articles about a phenomenon allegedly known
> as "pharming", which people are supposedly worried about. This includes some
> combination of DNS cache poisoning and/or worm-powered URL rewriting.
> 
> This may also be a form of "fear-driven marketing" by companies inventing
> solutions to "fix" the problem which may not exist. (Mac Anti-virus
> software, anyone? ;)
> 
> Is anyone aware of actual "pharming" in the wild? Please reply off-list and
> I will summarize answers to the list.
> 
> Thanks,
> 



Re: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Sun, 13 Feb 2005, Michael Smith wrote:

> > From: "Warren Kumari, Ph.D, CCIE# 9190" <[EMAIL PROTECTED]>
> > Date: Mon, 14 Feb 2005 10:14:38 -0500
> > To: 
> > Subject: Re: The Cidr Report
> > 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > 
> > On Feb 13, 2005, at 2:31 AM, Christopher L. Morrow wrote:
> > 
> >> On Sat, 12 Feb 2005, Alexander Koch wrote:
> >> 
> >>> On Sat, 12 February 2005 14:58:42 +, Stephen J. Wilcox wrote:
> >>>> From: "Stephen J. Wilcox" <[EMAIL PROTECTED]>
> >>>> [...]   - would you agree that most of the poor deaggregating is not
> >>>> intentional
> >>>> ie that they're announcing their '16 class Cs' or historically had 2
> >>>> /21s and
> >>> 
> >>> Think about someone putting in a Null0 route and re-
> >>> exporting stuff unconditionally, now after he originates
> >>> his /19 he is then adding a /24 here, and a /25 there.
> >>> Lack of experience, when you suggest to them they should
> >>> remove these announcements they are afraid to change it,
> >>> not understanding the implications, etc.
> >>> 
> >>> Not to mention ppl using cisco and prefix lists, it is
> >>> way too easy with cisco to say '/19 le 24', and then they
> >>> use outbound prefix lists to their transit supplier
> >>> (different, but related as I see it). Some transit ISPs
> >>> use that a lot, and encourage the table growth.
> >> 
> >> There are some business reasons to de-aggregate. Look at some outages
> >> caused by 'routing problems' (someone leaked my /24's to their peers,
> >> peers, peer and my traffic got blackholed, because the public net only
> >> knows me as a /20)
> >> 
> >> There are multiple reasons for deaggregation aside from 'dumb
> >> operator',
> >> some are even 'valid' if you look at them from the protection
> >> standpoint.
> >> 
> >> -Chris
> > 
> > That and the "I have 1 circuit to $good_provider and 1 circuit to
> > $bad_provider and the only way I can make them balance is to split my
> > space in half and announce more specifics out through each provider"
> > argument. I have also often seen people do this without announcing the
> > aggregate because <undefined bad thing> will happen, usually
> > justified with much hand-waving.  The people who do this can usually
> > not be reasoned with
> > 
> > It happens all the time...
> > 
> > Warren.
> 
> So, say  I'm a provider that has received a /22 from UUNet (just for example
> Chris :-) ) and I now get another transit provider and announce the /22
> there.  So, I call UUNet and ask them to announce the /22 as a more specific
> because I don't want a de-facto asymmetric configuration.  I *want* to get a
> /20 from ARIN but my usage doesn't justify it yet, so I have to ride the /22
> for some time.

Hi Mike,
 this isnt the scenario being discussed. The scenario of issue is where you get 
your /22 from UUNET and announce 4x /24 ie based on what ips you have you choose 
to announce more than the minimum to make them routable

> By the long string of anecdotal attacks in the string to date, listing most or
> all such providers as "bad" or "uninformed" how do you separate out those
> providers who are legitimately interested in routing redundancy and not clue
> impaired?  Do we just say "too bad, routing table bloat is more important than
> your need for redundancy small guy!"?

As I say this isnt the issue here, altho what you suggest would be an example
of further aggregation that i personally think is extreme. Multihoming must be 
possible and a hierarchical structure to the internet is not appropriate.

> I find it interesting that the general theme is one of "we're smarter than
> they are because we aggregate more routes" as if clue were directly correlated
> to aggregated routing announcements.

Well, there does seem to be some loose correlation it cant be denied... (counter 
examples not required, we know they exist)

Steve




RE: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Sun, 13 Feb 2005, Justin Ryburn wrote:

> I have recently heard companies saying their reasoning for de-aggregation was
> 1) to protect against outages to their customer base when a more specific of
> their aggregate was announced somewhere else and 2) if they are getting DDOS
> attacked on a given /24 they can just drop that advertisement and only affect
> part of their customer base.

1) this only provides partial protection, even if you announce a /24 i can still 
announce my own /24 and get some of your traffic

2) either they are operating networks that cant support their business and i
dont see why we should bail them out or in the cases where certain hosts are
accepted by us as targets (ircnets etc) you could argue to obtain a discrete /24
which is the better evil than taking a /16 and breaking it down to take out a
/24

i'm not keen on this latter idea, what if i operate an anti-ddos specialist isp,
hosting ircnets, gambling, security sites etc - do i put each host in a /24 and
waste a whole /16 with a couple hundred customers? 

i strongly believe if you want to be an autonomous internet provider then you 
should be able to run your network by accepted means not thro cheap hacks

> As technically savvy folks, we may not agree with this line of reasoning.  
> However, keep in mind that the technically savvy folks are not always the ones
> making the decisions within a company.  Just because someone has enable access
> and clue does not mean they have the authority to make certain decisions.  
> Most of those people probably spend a large amount of their time arguing with
> the decision makers to try and do the right thing but at some point they lose
> those arguments.

if their suppliers/peers disagree strongly they would not be able to present 
these options in the first place.. lack of regulation has its downsides it would 
seem..

Steve



Re: The Cidr Report

2005-02-13 Thread Stephen J. Wilcox

On Mon, 14 Feb 2005, Warren Kumari, Ph.D, CCIE# 9190 wrote:

> On Feb 13, 2005, at 2:31 AM, Christopher L. Morrow wrote:
> >
> > There are multiple reasons for deaggregation aside from 'dumb operator',
> > some are even 'valid' if you look at them from the protection standpoint.
> 
> That and the "I have 1 circuit to $good_provider and 1 circuit to
> $bad_provider and the only way I can make them balance is to split my space in
> half and announce more specifics out through each provider"  argument. I have
> also often seen people do this without announcing the aggregate because 
> <undefined bad thing> will happen, usually justified with much hand-waving.  
> The people who do this can usually not be reasoned with

this just reinforces the argument that they are lacking in technical savvy. 

i have a transit provider who i dont want to carry much traffic and i dont want
to prepend my announcements.. by looking at that providers supported customer
communities i just get them to prepend as they export to other major networks
thus moving the main volume of the traffic to the desired ingress paths

no deaggregation, no prepending..

Steve



Re: The Cidr Report

2005-02-12 Thread Stephen J. Wilcox

Hi Philip,

On Sat, 12 Feb 2005, Philip Smith wrote:

> Quite often many service providers are de-aggregating without knowing it. They
> receive their /20 or whatever from the RIR, but they consider this to be 16
> Class Cs - I'm not joking - and announce them as such to the Internet. I spend
> a lot of time getting these folks to announce aggregates, but it is hard work
> convincing people that this will even work. Even if the RIR recommends that
> they announce their address block, they still consider it as Class Cs - even
> Class Bs for some big allocations. :(

this is getting into what i was implying earlier.. you have wider experience 
than me - would you agree that most of the poor deaggregating is not intentional 
ie that they're announcing their '16 class Cs' or historically had 2 /21s and 
dont even realise they could fix it.. that applies to medium and large providers 
too reading this list - how often do they actually check what prefixes they are 
sourcing, from my recent work at a couple of european IXes i had a number of 
folks email me offlist as they hadnt realised til I sent out an email they had 
deaggregation and once it was pointed out they just fixed it.

so to repeat my earlier suggestion - if transit providers, particularly the 
larger ones setup scripts to notify their customers daily/weekly of routing 
deaggregation do you think we might gain some traction in educating and fixing 
this?

Steve



RE: The Cidr Report

2005-02-11 Thread Stephen J. Wilcox

On Fri, 11 Feb 2005, Mike Leber wrote:
> On Fri, 11 Feb 2005, Stephen J. Wilcox wrote:
> > On Fri, 11 Feb 2005, Frotzler, Florian wrote:
> > 
> > > 
> > > > Recent Table History
> > > > Date  PrefixesCIDR Agg
> > > > 04-02-05151613  103143
> > > > 05-02-05152142  103736
> > > > 06-02-05152231  103721
> > > > 07-02-05152353  103830
> > > > 08-02-05152514  103966
> > > > 09-02-05153855  104090
> > > > 10-02-05154283  104246
> > > > 11-02-05154341  104240
> > > <...>
> > > 
> > > ~ +3000 routes in one week? Anyone else frightened by this?
> > > 
> > > Florian
> > 
> > any thoughts on how to fix it? my peers keep sending these to me and i'll
> > even admit my customers do too. telling people its bad doesnt appear to have
> > an effect, at the small end networks seem to collect /24s and announce them
> > freely, at the large end i'm still without an explanation as to why large
> > networks require so many prefixes - none of them seem to comment?
> > 
> > if people arent self policing it seems the only other way is for the larger
> > transit providers to stop accepting prefixes and telling their customers to
> > fix their s**t. and i dont see them doing this.
> 
> It seems to me they get paid to carry prefixes by their customers.

the payment would be the same if it was a /19 or 32x/24 announced at source

> And their peers listen to the prefixes because they make money by using
> those prefixes.
> 
> So, to the extent you make money listening to them, use the routes.

so the problem is noone wants to be the first to jump as it costs money? so 
whats the suggestion for how to not be first? ie is it possible for a small 
group of large operators to agree a consensus? 

you dont even have to actively filter to start this, if a script were run to 
advise customers daily when they were announcing routes non-compliant with the 
transit's 'routing policy' it would have some effect. one thing i've found from 
some of my customers is they're actually ignorant to the problems they cause, 
they think its cool to announce 10 prefixes and can be educated otherwise.

Steve



> 
> And if they start to cause you problems you will have to take corrective
> action to stabilize your network, as was done a long time ago (internet
> time):
> 
> http://www.merit.edu/mail.archives/nanog/1995-09/msg00047.html
> 
> (link grabbed at random from the archives, I'm sure there are better posts
> that actually list the full old school sprint filters.)
> 
> However, if you are the one filtering and all your competitors figure out
> how to handle 154,000 routes then you will be at a competitive
> disadvantage.
> 
> Coincidentally, the largest networks also spend the most with their
> vendors and get to tell the vendors what they want in the next generation
> of boxes they buy.
> 
> Mike.
> 
> +- H U R R I C A N E - E L E C T R I C -+
> | Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
> | Hurricane Electric Web Hosting  Colocation   Fax 510 580 4151 |
> | [EMAIL PROTECTED]   http://www.he.net |
> +---+
> 
> 
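The customer-notification script that Steve proposes in this post, in his 2005-02-12 reply to Philip Smith, and that the "/22 announced as 4x /24" example in the Michael Smith thread calls for, is sketched below as an added example; it is not code from the list, from Merit, or from any provider named here. It assumes the provider can export its customers' announced prefixes with origin ASN (the sample input below is constructed: RFC 1918 addresses and documentation-range ASNs, not real announcements) and uses Python's standard ipaddress module to compute the minimal aggregate set for each origin, the per-customer version of the figure the CIDR Report's "CIDR Agg" column gives for the whole table. Covered more-specifics are listed separately because, as the thread notes, some of them are deliberate (traffic engineering, or protection against a leaked more-specific), so the output is a notice to the customer rather than an automatic filter.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: (announced prefix, origin ASN) pairs, as a
# transit provider might extract from its customers' BGP sessions.  The
# addresses are RFC 1918 space and the ASNs are documentation-range
# numbers; none of these are real announcements.
SAMPLE_ROUTES = [
    ("10.0.0.0/24", 64496), ("10.0.1.0/24", 64496),    # a /22 announced
    ("10.0.2.0/24", 64496), ("10.0.3.0/24", 64496),    # as "4 Class Cs"
    ("10.8.0.0/20", 64497), ("10.8.5.0/24", 64497),    # aggregate plus a covered /24
    ("10.16.0.0/21", 64498), ("10.16.8.0/21", 64498),  # two adjacent /21s never merged
    ("10.32.0.0/24", 64499), ("10.64.0.0/24", 64499),  # disjoint: nothing to fix
]


def routes_by_origin(routes):
    """Group announced prefixes by origin ASN, rejecting malformed prefixes."""
    by_asn = defaultdict(list)
    for prefix, asn in routes:
        # strict=True raises ValueError when host bits are set (e.g. "10.0.1.0/22");
        # in a real feed that indicates a parsing problem, not a route.
        by_asn[asn].append(ipaddress.ip_network(prefix, strict=True))
    return by_asn


def covered_prefixes(nets):
    """Prefixes lying entirely inside another prefix from the same origin."""
    return [net for net in nets
            if any(other != net and net.subnet_of(other) for other in nets)]


def deaggregation_report(routes):
    """One entry per origin ASN whose announcements exceed the minimal set.

    The minimal set is what ipaddress.collapse_addresses() yields: covered
    prefixes are dropped and aligned neighbours are merged into supernets.
    """
    report = []
    for asn, nets in sorted(routes_by_origin(routes).items()):
        minimal = list(ipaddress.collapse_addresses(nets))
        if len(minimal) == len(nets):
            continue  # already announcing the smallest possible set
        report.append({
            "asn": asn,
            "announced": len(nets),
            "minimal": len(minimal),
            "aggregates": [str(n) for n in minimal],
            "covered": [str(n) for n in covered_prefixes(nets)],
        })
    return report


def format_notice(entry):
    """Render one report entry as the text of a daily customer notice."""
    lines = [
        f"AS{entry['asn']}: {entry['announced']} prefixes announced, "
        f"{entry['minimal']} would suffice: {', '.join(entry['aggregates'])}",
    ]
    if entry["covered"]:
        lines.append("  more-specifics already covered by your own announcements: "
                     + ", ".join(entry["covered"]))
        lines.append("  (keep them only if they are deliberate, e.g. traffic engineering)")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in deaggregation_report(SAMPLE_ROUTES):
        print(format_notice(entry))
```

Run daily against a dump of customer announcements, the origins that appear in the report are the ones to mail; an origin whose announced count already equals its minimal count is silently skipped. The "covered" list is the only part that needs human judgement, for the reasons Chris and Warren give above.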


RE: The Cidr Report

2005-02-11 Thread Stephen J. Wilcox

On Fri, 11 Feb 2005, Frotzler, Florian wrote:

> 
> > Recent Table History
> > Date  PrefixesCIDR Agg
> > 04-02-05151613  103143
> > 05-02-05152142  103736
> > 06-02-05152231  103721
> > 07-02-05152353  103830
> > 08-02-05152514  103966
> > 09-02-05153855  104090
> > 10-02-05154283  104246
> > 11-02-05154341  104240
> <...>
> 
> ~ +3000 routes in one week? Anyone else frightened by this?
> 
> Florian

any thoughts on how to fix it? my peers keep sending these to me and i'll even 
admit my customers do too. telling people its bad doesnt appear to have an 
effect, at the small end networks seem to collect /24s and announce them freely, 
at the large end i'm still without an explanation as to why large networks 
require so many prefixes - none of them seem to comment?

if people arent self policing it seems the only other way is for the larger 
transit providers to stop accepting prefixes and telling their customers to fix 
their s**t. and i dont see them doing this.

Steve



Re: IRC Bot list (cross posting)

2005-02-08 Thread Stephen J. Wilcox

Hi,
 you probably didnt think of this but it might not be a good idea to publish a 
list of 3000 computers that can be infected/taken over for further nastiness.

if you can privately send me a list of IP addresses (no need to sort) i can
assist you to distribute this information securely?

Steve

On Tue, 8 Feb 2005, J. Oquendo wrote:

> 
> 
> On Tue, 8 Feb 2005, Justin Azoff wrote:
> 
> > I found an irc channel with 3000+ irc bots in it including a few hundred
> > edu's.
> > I have it posted at
> >
> > http://www.albany.edu/~ja6447/hacked_bots8.txt
> >
> 
> I started to sort them... Maybe I will finish when I get out of work or
> so. Here is the prettified/sorted list of the above...
> http://www.infiltrated.net/nanog-list-botlist
> 
> lynx -dump http://www.infiltrated.net/nanog-list-botlist|grep -i $MYDOMAIN
> 
> Further sorted
> http://www.infiltrated.net/nanog-botlist-comcast
> http://www.infiltrated.net/nanog-botlist-edu
> http://www.infiltrated.net/nanog-botlist-optonline
> http://www.infiltrated.net/nanog-botlist-vz
> http://www.infiltrated.net/nanog-botlist-cox
> http://www.infiltrated.net/nanog-botlist-mspring
> http://www.infiltrated.net/nanog-botlist-rr
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x0D99C05C
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
> 
> sil @ infiltrated . net http://www.infiltrated.net
> 
> "How a man plays the game shows something of his
> character - how he loses shows all" - Mr. Luckey
> 



Re: 3 Mb question

2004-10-13 Thread Stephen J. Wilcox

multilinking t1s will work fine. 

but depending on your customer, there are lots of things between a T1 and DS3.. 
such as 10Mb ethernet

Steve

On Wed, 13 Oct 2004, Gerald wrote:

> 
> I've got what seems to me like an innocuous question for this list...
> 
> Someone is requesting access to about 3 mb of traffic up/dn. I figure 2
> T1s will give them the 3 Mb I need, but I'm looking for suggestions on
> either efficiently combining those 2 to get the most bandwidth for their
> buck or else I have to look at getting them a ds3 and scaling back to
> what they need.
> 
> Is there an good low end suggestion for making effective use of 2 T1s to
> give 3 Mb of bandwidth? In practice, I've seen 2 T1s load balanced with
> CEF not do very well at giving a full 3 Mb. (This was without turning on
> per-packet CEF)
> 
> I'm not personally experienced with MLPPP or mux hardware if that helps,
> but I could get it set up if that's the consensus as the best option.
> The NRC of something that would effectively couple the 2 T1s would
> easily beat the MRC of a DS3 which I think might be overkill for just 3
> Mb.
> 
> Thanks for suggestions and tips.
> 
> Gerald
> 



Re: NANOG Posting

2004-10-13 Thread Stephen J. Wilcox

On Wed, 13 Oct 2004, Christian Malo wrote:

> FREE RICHARD

Of course my understanding of revoking posting privileges is that you cant post 
to the list.. not you are imprisoned in the merit dungeons, i think that 
punishment is reserved for Bandy/Husan/etc

However I do like some humor being injected onto the list, so long as the SNR 
doesnt diminish too much it can help to inject some life inbetween the 'paging 
bob smith' / 'anyone help me configure bgp' / path mtu / urpf cyclical debates.. 
actually we've not had Hitler discussed for a while, perhaps I can start a 
thread... ooops

Steve



Re: BCP38 making it work, solving problems

2004-10-13 Thread Stephen J. Wilcox

On 13 Oct 2004, Paul Vixie wrote:

> > >How many people have seen "forged" spoofed IP addresses being used for DOS
> > >attacks lately?
> 
> syn-flood protection, and random TCP ISS, are now common enough that
> spoofed-source isn't effective for TCP flows.  if you want to bring down
> somebody's web server then blackhats really do have to use real addresses.

of course the docs were written a couple years ago, and things have changed a
lot in that time. the proliferation of and ease of establishing bot networks is
such that their controllers dont care if you track them and shut them down as 
they are easily replaced

Steve



Re: deprecating BCP38 and similar

2004-10-12 Thread Stephen J. Wilcox

with everything you should look at the effort, the returns and the risks. some 
simple things can have major benefits but we shouldnt waste effort on major 
changes that have little effect and that can be circumvented (i'm referring to 
the port 25 blocking discussion of course, wrt bcp38 i dont think anyone [with 
clue] thinks its not worthwhile)

Steve

On Mon, 11 Oct 2004, Edward B. Dreger wrote:

> 
> I think I'll change my position on BCP38.  It's pointless to try
> blocking spoofed source addresses because:
> 
> * It doesn't solve every single problem
> * It means more effort for service providers
> * It requires more CPU processing power
> * Using it will generate smarter "black hats".
> 
> I also think everyone should drop all forms of IP ACLs and
> password checking.  Neither of those have solved every Internet
> problem, they require more effort and CPU, and smarter crackers
> have surfaced as a result of their deployment.  These measures
> are ineffective, and it is silly to waste time with them.
> 
> Anyone from Microsoft listening?  I suggest you terminate your
> Trustworthy Computing Initiative.  Not every problem is caused by
> a buffer overrun or race condition, and you're wasting billions
> of dollars.  I suggest you post regularly to NANOG, helping
> educate the masses that anything less than a silver bullet is
> wasteful.
> 
> 
> Eddy, who hopes everyone recognizes hyperbole and sarcasm
> --
> Everquick Internet - http://www.everquick.net/
> A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
> Bandwidth, consulting, e-commerce, hosting, and network building
> Phone: +1 785 865 5885 Lawrence and [inter]national
> Phone: +1 316 794 8922 Wichita
> _
> DO NOT send mail to the following addresses:
> [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
> Sending mail to spambait addresses is a great way to get blocked.
> 
> 



Re: short Botnet list and Cashing in on DoS

2004-10-09 Thread Stephen J. Wilcox

On Sat, 9 Oct 2004, Gadi Evron wrote:

> > there are many ways of sending spam that dont use port 25.. 
> 
> True, but reducing spam from millions to thousands seems like something good,
> no?

their market wont change tho, you will just force them to use another method..  
at one time open relays were almost exclusively the way used to send spam, now
they arent nearly as popular (or available)

you can see the same with other problems eg dos attacks were once all smurfs, 
a lot of effort was put into removing amplifiers and now we have the botnets..

i'm not saying do nothing, just only do things which make sense and are 
practical

> > individual rules are costly to implement and users wont use a service where you 
> > have to pay more for basic services
> 
> Several big ISP's are blocking port 25 now. I believe this will catch.

we need to look at some examples and what theyre doing exactly.. some redirect 
it forcibly to their own servers. but i believe this approach is limited in how 
you can apply it.. someone like aol can pretty well classify their users as low 
end residential and thats fine ... but move away from this and special 
requirements start creeping in and exceptions are not scalable enough.

> It limits the amount of junk coming out from their users, and the usage 
> of their tubes.
> 
> I doubt even 0.001% of dynamic range Cable/DSL users will ever call to 
> ask for port 25 to be opened.

i'd suggest your estimate is too low based on all end users

> This is something ISP's can implement, and it works.

this is something *some* isps can do ... and i'm not arguing that we shouldnt do 
these little things but its just one limited way and serves more to reduce 
problems with your own users than to reduce inbound spam

Steve



Re: short Botnet list and Cashing in on DoS

2004-10-09 Thread Stephen J. Wilcox

On Sat, 9 Oct 2004, Gadi Evron wrote:

> Blocking port 25 for dynamic ranges means they can't send email, so that 
> drones are pretty useless for spammers on that account. Trojan horses 
> would have to use local information for the user's own account (from 
> Outlook or such).

my users like being able to send email. i dont think this can work! (and there 
are many legit reasons for not using our own smtp servers.. indeed we have custs 
on other ISPs network who use our smtp server)

> ISP's could then, I suppose, limit every user to 5 emails a minute (or 
> any other number).

5 emails or 5 recipients? i can send one email with hundreds/thousands of 
rcpts.. and again, there are lots of legit reasons for sending a batch of emails

> That combined with domain-keys and sender-ID could make for a much 
> prettier Internet, don't you think?

you mean SPF? i agree, use as many tools as are available in conjunction with 
something like spamassassin to score mails as likely spam

> Abuse using port 25 is a major issue today, why not solve it? If a user 
> wants it open, they could always ask for it or even pay more money. 
> Perhaps move to a static IP?

there are many ways of sending spam that dont use port 25.. 

individual rules are costly to implement and users wont use a service where you 
have to pay more for basic services

Steve



Re: Fixing stuff (was Re: short Botnet list and Cashing in on DoS)

2004-10-09 Thread Stephen J. Wilcox

On Sat, 9 Oct 2004, Sean Donelan wrote:

> Why don't people want to fix their computers?  And even worse, why are
> so many people unsuccessful fixing their computers? 

I had a thread on this a month or two ago (i think it was nanog).. the simple 
answer that I find is they just dont care and/or are incapable. 

They dont care in that for many people, providing the computer still works, 
you're not getting charged (like you would be for pbx hacks) and they dont 
consider their PC to be critical to their daily lives they have no motivation to 
find the information and start to care.

And they are incapable in that many recent worms/malware have spoofed being from 
authorities such as banks, microsoft, their ISP and they cannot distinguish 
between real and spoof and therefore ignore it when windows pops up to tell them 
they need to install the latest security patch. Coupled with this, they dont 
understand what virus scanners, firewalls, security patches are and think that 
by having one of these it will (a) be an all round security solution (b) not 
need their intervention to setup and maintain it.


> If virus writers are smart enough to infect their computers with one-click,
> perhaps the good guys can come up with ways to fix their computer with
> one-click.

Of course the good guys are constrained by the law which the bad guys arent, we 
have seen instances of worms designed to close holes on computers but they are 
illegal (and didnt work). 

Also, the good guys always seek user authorisation (eg the window which pops up 
asking you if you want to install the latest dat) and I suggested above this is 
problematic for several reasons (user confusion, not wanting to install at that 
moment etc) .. the bad guys just go ahead and infect - and usually their payload 
is tiny compared to the Mbs we have to download each month in defenses.

And of course, the final blow .. our OSes and apps will inevitably have holes in 
them, thats a consequence of complexity and I'm not sure how you can overcome 
that even with much more stringent testing and programming rules.. some of these 
hacks are pretty damn clever, abusing systems and having one system exploit a 
weakness in another system (eg using IE to circumvent OS security levels) in 
ways their designers never imagined and catered for. You only need to find one 
chink in the systems to produce malware but you need to find all the bugs to 
produce security apps.

Steve



Re: routing sniffed traffic

2004-10-08 Thread Stephen J. Wilcox



On Fri, 8 Oct 2004, Nils Ketelsen wrote:

> 
> On Thu, Oct 07, 2004 at 09:43:47PM +0100, Stephen J. Wilcox wrote:
> 
> [switching/routing traffic from a passive tap]
> 
> > Hi Peter,
> >  if you are feeding this into a switch you should be able to switch it
> > just like the real traffic.. ie plug your fibers into gbics on
> > whatever switch you want to use, i dont see any special requirements for
> > this application
> 
> I have no practical experience on that, I always used the monitor directly
> on the Tap, but I see a theoretical problem: Where does the switch switch
> it to? The Target MAC of the packet coming from the Tap will
> be still pointing to the device in the production network. 

Statically configure your MAC to spoof that of the real interface.

> If you want to route it you will run into the same problem: The copied
> ethernet frame is not addressed to the router in the monitoring network,
> so it will not accept the Ethernet frame.

Again, just duplicate the IP address.

> Maybe you could do something with faking the MAC on the router
> in the monitoring network to be the same as the MAC address of the target
> in the production network, but it feels like a dirty hack. 
> 
> Or am I missing something obvious here?

Ok so you have the same thoughts.. the key point is the original question 
suggested this 'copycat' network is not connected to the real net, and so long 
as you don't allow the packets to be routed back into the real net (and hence 
create dups) you should be fine.

Steve

> 
> Nils
> 

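The mechanics discussed in the exchange above, as an added example that is not part of the thread or anyone's posted config: a copied frame still carries the production host's destination MAC, so a plain switch in the monitoring network will not deliver it to an analysis box unless either the analyzer spoofs that MAC (Steve's suggestion) or something rewrites the destination MAC before forwarding. The script below does the latter in user space: it parses Ethernet/IPv4/TCP/UDP headers from a tapped frame, picks an analyzer by port and protocol, rewrites the destination MAC to that analyzer, and refuses to emit anything on an interface marked as production-connected, which is the "don't route it back into the real net" caveat. All MAC addresses, interface names, rules and the sample frames are constructed for illustration; nothing here is sent on the wire.

```python
import struct
import ipaddress

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac_bytes(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Parse Ethernet II + IPv4 headers; return a dict, or None if not IPv4/too short.
    Ports are filled in for TCP/UDP and left None otherwise."""
    if len(frame) < ETH_HDR_LEN:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (options included)
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "proto": proto,
            "src_ip": ipaddress.IPv4Address(ip[12:16]),
            "dst_ip": ipaddress.IPv4Address(ip[16:20]),
            "sport": sport, "dport": dport}


# Constructed monitoring-side inventory: analyzer -> (its MAC, egress interface).
ANALYZERS = {
    "web-box": ("00:11:22:33:44:01", "mon0"),
    "dns-box": ("00:11:22:33:44:02", "mon1"),
    "catchall": ("00:11:22:33:44:03", "mon2"),
}
# Interfaces that lead back toward production; copies must never leave through these.
PRODUCTION_IFACES = {"prod0"}

# Constructed steering policy, first match wins; the last rule is the default.
RULES = [
    ("web-box", lambda p: p["proto"] == PROTO_TCP and (p["dport"] in (80, 443) or p["sport"] in (80, 443))),
    ("dns-box", lambda p: p["proto"] == PROTO_UDP and 53 in (p["sport"], p["dport"])),
    ("catchall", lambda p: True),
]


def choose_analyzer(parsed):
    for name, matches in RULES:
        if matches(parsed):
            return name
    return None


def egress_allowed(iface):
    """Guard against the duplicate-traffic problem: copies may only go to monitoring ports."""
    return iface not in PRODUCTION_IFACES


def rewrite_dst_mac(frame, new_mac):
    """Retarget the copy at the analyzer; everything after the destination MAC is untouched."""
    return mac_bytes(new_mac) + frame[6:]


def distribute(frame):
    """Return (egress interface, rewritten frame) for one tapped frame, or None to drop it."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    mac, iface = ANALYZERS[choose_analyzer(parsed)]
    if not egress_allowed(iface):
        raise RuntimeError(f"refusing to forward a copied frame toward production via {iface}")
    return iface, rewrite_dst_mac(frame, mac)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport=None, dport=None,
                ethertype=ETHERTYPE_IPV4):
    """Constructed sample frame: minimal IPv4 header (checksum left zero, we only parse)
    followed by just the L4 port pair when one is given."""
    l4 = struct.pack("!HH", sport, dport) if sport is not None else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + ip_hdr + l4


if __name__ == "__main__":
    # Frame as it came off the tap: destination MAC is the production web server's, not ours.
    tapped = build_frame("00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:01",
                         "192.0.2.10", "192.0.2.80", PROTO_TCP, 51000, 443)
    iface, copy = distribute(tapped)
    print(iface, parse_frame(copy)["dst_mac"])
```

In a real deployment the same three decisions (who gets the copy, how the frame is re-addressed, and which ports are forbidden as egress) are made in the switch or router configuration rather than in a script; the point of the code is to make explicit that the MAC retargeting and the egress guard are separate steps, and that skipping the second one is how tapped copies end up duplicated back into production.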


Re: routing sniffed traffic

2004-10-07 Thread Stephen J. Wilcox

Hi Peter,
 if you are feeding this into a switch you should be able to switch it just like 
the real traffic.. ie plug your fibers into GBICs on whatever switch you want to 
use, I don't see any special requirements for this application

Steve

On Thu, 7 Oct 2004, Patrick Arguello wrote:

> 
> In my datacenter, I have three Gig links coming in
> that I am sniffing using passive taps.  What I want to
> do is feed these links into a layer 3 switch so that I
> can have them sent to different packet analysis boxes
> by destination address or packet types or ports.  What
> should I look for in a switch for such a use --
> something that can take in sniffed traffic on fiber
> gig links and parcel them out to different servers on
> copper gig links based on routing rules.  
> 
> Please email me your recommendation or suggestion
> directly and I will summarize what I find out for the
> list.  
> 
> Thanks,
> 
> Patrick A.
> 
> 



