Re: NANOG 44 and ARIN XXII - Live from Los Angeles in HD video

2008-10-15 Thread Anton Kapela
Streams are back up for the last day of NANOG, later covering ARIN for
the remainder of the week.

Since it's mostly talking heads, I've lowered the bitrate of the h264
versions, and removed cpu-consuming options (i.e. no CABAC)

   ~27 megabit MPEG2 HD: udp://233.0.236.20:1234 (udp, mp2ts)

   ~2 megabit H.264/AVC HD: udp://233.0.59.44:1234 (udp, mp2ts)

   ~2 megabit H.264/AVC HD, unicast style: http://kona.doit.wisc.edu:8044

 Use VLC to play these streams. When using http streams, tell vlc to
 buffer 5 or 6 seconds worth. Download VLC here: http://www.videolan.org/

-Tk



Re: NANOG 44 and ARIN XXII - Live from Los Angeles in HD video

2008-10-15 Thread Anton Kapela
One last message...  Audio-only streams are up, and will be for the
duration. Mp3 and AAC+ are available. Find them here:

http://classic.shoutcast.com/directory/index.phtml?s=ARIN+XXII

-Tk



Re: NANOG 44 and ARIN XXII - Live from Los Angeles in HD video

2008-10-15 Thread Ken A

Anton Kapela wrote:

Streams are back up for the last day of NANOG, later covering ARIN for
the remainder of the week.

Since it's mostly talking heads, I've lowered the bitrate of the h264
versions, and removed cpu-consuming options (i.e. no CABAC)

   ~27 megabit MPEG2 HD: udp://233.0.236.20:1234 (udp, mp2ts)

   ~2 megabit H.264/AVC HD: udp://233.0.59.44:1234 (udp, mp2ts)

   ~2 megabit H.264/AVC HD, unicast style: http://kona.doit.wisc.edu:8044

 Use VLC to play these streams. When using http streams, tell vlc to
 buffer 5 or 6 seconds worth. Download VLC here: http://www.videolan.org/

-Tk



Why does the quicktime stream 256k show the slides and the 2mbit stream 
doesn't?


--
Ken Anderson
Pacific.Net




Network topology

2008-10-15 Thread Colin Alston

Hi all

I'm considering trying to come up with some means to automatically 
detect a network's topology and draw pretty pictures. This is somewhat 
boring though if a network isn't well arranged with VLANs and q-tag 
trunk routers and so on (It will just look like a big cloud of junk 
connected off an assumed switch).


Is there any kind of cunning trick to detect standard layer2 switches 
along a path without stuff like STP?






Re: Network topology

2008-10-15 Thread Bill Woodcock
  On Wed, 15 Oct 2008, Colin Alston wrote:
 I'm considering trying to come up with some means to automatically detect
 a network's topology and draw pretty pictures.

InterMapper.  

http://dartware.com/network_monitoring_products/intermapper/index.html

-Bill




Re: Network topology

2008-10-15 Thread Brian Feeny


And another one, that I believe is a commercial product:

http://www.solarwinds.com/products/lansurveyor/


On Oct 15, 2008, at 12:29 PM, Bill Woodcock wrote:


 On Wed, 15 Oct 2008, Colin Alston wrote:
 I'm considering trying to come up with some means to automatically detect
 a network's topology and draw pretty pictures.


InterMapper.

   http://dartware.com/network_monitoring_products/intermapper/index.html

   -Bill







Re: Network topology

2008-10-15 Thread Colin Alston

On 2008/10/15 06:29 PM Bill Woodcock wrote:
InterMapper.  


http://dartware.com/network_monitoring_products/intermapper/index.html

-Bill



Whoa, quite a serious looking piece of software. Will check it out.

Was kinda hoping to write my own software though, but perhaps I can 
craftily learn something from it :)




Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Danny McPherson


Scott,
Given that I both co-moderated the ISP security BOF AND
gave a ~9 minute presentation covering *empirical* data and
stats of observed attack vectors across 100 ISP networks
over 640 days, and shared a slide or two with stats from
an infrastructure security survey we've been doing and
sharing with the operations community for 4 years now, I
take a bit of offense to your comments below.  I make a
concerted effort to decouple vendor pitches from both the
data sets presented and believe I did so effectively.

There was open microphone time and you were welcome to
share your thoughts.  There has been context set with both
the data I presented and the survey in previous meetings and
NANOGs, it's unfortunate you're unfamiliar with this.

Rodney's presentation was one vendor's approach to a very
real problem, one that has consumed a significant amount of
ISP operations resources over the past 6 months, and you
were certainly welcome to comment on that as well - as you
note Vixie and others did - and that's a large part of the
point of the BOF, IMO.

You're welcome to contribute positively in some manner to
the next BOF - proactively - or co-moderate if you'd like,
but to address the question in the subject line directly -
Am I mistaken, I believe yes.

Also, please don't confuse discussion of what happened at
beer n gear with what happened at the BOF.

-danny





Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Jeffrey Lyon
Let me avoid being long winded and just put on my Captain Obvious
cape. Avoid magic DDoS appliances, particularly those that require
some type of relationship or deposit to be made in advance no matter
how risk free. There is a reason why these vendor presentations
aren't meeting your expectations.

You're also dead on concerning one's ability to develop and deploy
OSS. Human capital is generally your best resource.

My two cents, Jeff

On Tue, Oct 14, 2008 at 7:08 PM, Scott Doty [EMAIL PROTECTED] wrote:
 First, the good news:  so far, the NANOG conference has been very valuable
 and
 content-rich, covering a lot of issues that need to be discussed.  For that,
 I am grateful.

 But now, the bad news(?):  Maybe it's just me & my paranoia, but do I detect
 an inkling of murk spam going on with some presentations?

 Because there seems to be a fundamental misunderstanding, either on my part,
 or the part of certain vendors: I'm here to discuss ideas & freely share
 them, and they are here to discuss (it would seem) their products. Sometimes
 both goals coincide, and that is fine...but...

 When a vendor at the security BOF starts showing documents that are company
 confidential, and trying to whip up a climate of fear, that we should all
 deploy their product in front of our recursive name servers, i get this
 funny feeling that I am being murk spammed.

 Perhaps that is my own perspective (& paranoia?), but I found the CERT
 gentleman's call to monitor icmp backscatter on our authoritative
 nameservers far more informative -- and open.

 But I was disappointed with two vendors and their presentations: the first
 had the tactic of saying DNSSEC is the actual solution when asked about
 why their product would be necessary...completely ignoring the fact that
 their proprietary interim solution was by no means the only way to prevent
 cache poisoning attacks.  Indeed, I would daresay it isn't the best, either
 by a BCP perspective, or a cost analysis perspective.

 To put a finer point on this, i should say that i found myself discomforted
 by a presentation suggesting that I should put their proprietary appliances
 between my recursive name servers & the Net, and I am grateful that Mr.
 Vixie stood up and said that there are other ways of dealing with the
 problem.

 Then there was the gentleman with the DDOS detection/mitigation appliance,
 who flipped through several graphs, which were intended to show the number
 of each type of attack.  It's unfortunate that there wasn't more time for
 questions, because I really wanted to ask why http GET and spidering
 attacks weren't listed on their graphs...more on that in a second.

 Fortunately, said vendor had a table at beer and gear, so I was able to
 talk with one of their representatives -- and learned that they have just as
 much trouble with automatic detection of attacks designed to look like a
 slashdotting...which cleared up the mystery as to why it wasn't on the
 graphs.

 Because this is a real problem:  anybody, with sufficient knowledge &
 preparation can vandalize _anybody's_ network.  Showing me a graph that ping
 floods happen all the time doesn't impress me -- what would impress me is
 going over the actual methods, algorithms (and heuristics?) used in these
 attack mitigation appliances.

 Because, the best attack mitigation appliance vendor would seem to have
 100% of their market, and thus, charge exorbitant prices for their
 product(s).  When I brought this up with Mr. Vendor, his first reaction was
 to point out that the cost was less than a home-grown solution.  When I
 raised the question of open source software to do the same thing, his
 reaction was to ask:  oh? who's going to write it?

 And that right there would seem to be a bit of bravado, perhaps fueled by a
 misunderstanding of the role that FOSS has played on the Net.

 Fortunately -- and again, I am grateful for this -- the ISC was represented
 in the security BOF, presenting the SIE concept...as well as what
 applications _already exist_ to detect and mitigate various attacks.  One
 demonstration that blew me away:  detecting a botnet being set up for a
 phishing attack...and preventing the attack before it even started.

 So in conclusion, I'll say this:  the last NANOG I attended was NANOG 9 --
 and i remember that being a more challenging environment for vendors.
 Probably the biggest problem discussed back then was head-of-line blocking
 on a vendor's switches.  _That_ is the kind of content that i have found
 valuable, both on this list, and at a conference.

 And so:  If I weren't so knock-kneed in public venues,
 I would probably be doing what i would like to call on conference
 participants to do:  if someone gives a presentation that includes their own
 proprietary black-box solution, I think the best benefit for NANOG would
 be to point out alternatives.

 -Scott
 p.s. sorry for the long post.






-- 
Jeffrey Lyon, President
Level III Information Systems Technician
[EMAIL 

Re: Network topology [Solved]

2008-10-15 Thread Colin Alston

On 2008/10/15 06:29 PM Colin Alston wrote:
Is there any kind of cunning trick to detect standard layer2 switches 
along a path without stuff like STP?


Apparently there isn't. Lots of people mentioned other tools, the 
problem there is they have one thing in common which is polling SNMP. 
I think it scales badly in general. I was hoping to find a more 
intelligent way of, I guess, doing an ARP/MAC based traceroute by 
checking LLC 802.2 headers or something. Yes, it might have been 
easier if I hoped for it to rain money :)


Maybe there should be something (I mean like, someone should come up 
with a standard :P) to trace switches in a path... Problem is I think 
even then the simple devices won't bother to support it.





Re: Network topology [Solved]

2008-10-15 Thread Larry Sheldon

Colin Alston wrote:

Maybe there should be something (I mean like, someone should come up 
with a standard :P) to trace switches in a path... Problem is I think 
even then the simple devices won't bother to support it.


I have been away from it for a while and in truth don't know the 
answer--but--


To the best of my knowledge, Layer two Switches in fact operate as 
multi-port bridges.


If that is true, then they ought to be transmitting BDUs which should be 
detectable and used for mapping.


If the switches are all from the same manufacturer, there is a chance 
that the manufacture has a proprietary mapping tool.

--
Requiescas in pace o email           Two identifying characteristics
Ex turpi causa non oritur actio      of System Administrators:
Eppure si rinfresca                  Infallibility, and the ability to
                                     learn from their mistakes.

ICBM Targeting Information: http://tinyurl.com/4sqczs
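As an added example (not code from anyone in this thread), the following Python decodes an 802.1D Configuration BPDU as captured off the wire, which is exactly the data a BPDU-based mapper would work from: the root bridge identifier, the sending bridge's identifier, the port it was sent from, and its path cost to the root. The sample frame is constructed inside the block; the MAC addresses and field values are made up. Worth keeping in mind: any host on an access port can hear these frames (so the root bridge and the switch you are plugged into are visible to anyone), and can also forge them to claim the root role, which is why access ports are normally configured with BPDU guard.

```python
import struct
from dataclasses import dataclass

STP_GROUP_MAC = bytes.fromhex("0180c2000000")   # 802.1D Bridge Group Address
LLC_STP = b"\x42\x42\x03"                        # DSAP/SSAP 0x42, UI control field


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 16-bit priority field as carried on the wire
    mac: str


@dataclass
class ConfigBpdu:
    sender_mac: str
    version: int          # 0 = STP, 2 = RSTP
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId      # the switch that sent this BPDU
    port_id: int          # raw 16-bit port identifier
    message_age: float    # seconds (wire units are 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def sender_is_root(self):
        return self.root == self.bridge and self.root_path_cost == 0


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _bridge_id(raw):
    return BridgeId(struct.unpack("!H", raw[:2])[0], _mac(raw[2:8]))


def parse_bpdu_frame(frame):
    """Parse an Ethernet/LLC frame carrying an STP BPDU.

    Returns a ConfigBpdu for Configuration and RST BPDUs, or the string
    'tcn' for a Topology Change Notification. Raises ValueError otherwise."""
    if len(frame) < 14 + 3 + 4:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]   # 802.3 length, not a type
    if dst != STP_GROUP_MAC:
        raise ValueError("not sent to the bridge group address")
    if frame[14:17] != LLC_STP:
        raise ValueError("LLC SAP is not 0x42 (STP)")
    body = frame[17:14 + length]
    protocol_id, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if protocol_id != 0:
        raise ValueError("unknown protocol identifier")
    if bpdu_type == 0x80:
        return "tcn"
    if bpdu_type not in (0x00, 0x02) or len(body) < 35:
        raise ValueError("not a Configuration/RST BPDU")
    (flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH", body[4:35])
    return ConfigBpdu(_mac(src), version, flags, _bridge_id(root), cost,
                      _bridge_id(bridge), port_id,
                      msg_age / 256, max_age / 256, hello / 256, fwd_delay / 256)


def build_config_frame(src_mac, root, root_cost, bridge, port_id,
                       msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Build a Configuration BPDU frame (times in seconds). Used here only to
    construct test input; a real mapper would read frames from a capture."""
    def bid(b):
        return struct.pack("!H", b.priority) + bytes.fromhex(b.mac.replace(":", ""))
    body = struct.pack("!HBB", 0, 0, 0) + struct.pack(
        "!B8sI8sHHHHH", 0, bid(root), root_cost, bid(bridge), port_id,
        int(msg_age * 256), int(max_age * 256), int(hello * 256), int(fwd_delay * 256))
    llc = LLC_STP + body
    return (STP_GROUP_MAC + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", len(llc)) + llc)


# Constructed sample: a BPDU heard on an access port of a non-root switch
# (made-up MACs; root priority 32768, path cost 19 = one 100 Mbit/s hop).
SAMPLE = build_config_frame("00:aa:bb:cc:dd:ee",
                            root=BridgeId(32768, "00:11:22:33:44:55"), root_cost=19,
                            bridge=BridgeId(32768, "00:aa:bb:cc:dd:ee"), port_id=0x8001)

if __name__ == "__main__":
    b = parse_bpdu_frame(SAMPLE)
    print(f"attached to bridge {b.bridge.mac} (prio {b.bridge.priority}), port id 0x{b.port_id:04x}")
    print(f"root bridge {b.root.mac}, path cost {b.root_path_cost}, sender is root: {b.sender_is_root}")
```

Feed it frames from a capture filtered on the 01:80:c2:00:00:00 destination and every sending bridge, plus its cost to the root, falls out; TCN BPDUs carry no identifiers and are reported only as 'tcn'.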



RE: Network topology [Solved]

2008-10-15 Thread Holmes,David A
If the switches are Cisco, then Cisco Works has a L2 STP forwarding path
graphical display which can be used in cases where the L3 path is a
logical abstraction overlaid on the underlying L2 topology.

-Original Message-
From: Larry Sheldon [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 15, 2008 11:49 AM
Cc: NANOG list
Subject: Re: Network topology [Solved]

Colin Alston wrote:

 Maybe there should be something (I mean like, someone should come up 
 with a standard :P) to trace switches in a path... Problem is I think 
 even then the simple devices won't bother to support it.

I have been away from it for a while and in truth don't know the 
answer--but--

To the best of my knowledge, Layer two Switches in fact operate as 
multi-port bridges.

If that is true, then they ought to be transmitting BDUs which should be
detectable and used for mapping.

If the switches are all from the same manufacturer, there is a chance 
that the manufacture has a proprietary mapping tool.




Re: Network topology [Solved]

2008-10-15 Thread Colin Alston

On 2008/10/15 08:49 PM Larry Sheldon wrote:

Colin Alston wrote:

Maybe there should be something (I mean like, someone should come up 
with a standard :P) to trace switches in a path... Problem is I think 
even then the simple devices won't bother to support it.


I have been away from it for ma while and in truth don't know the 
answer--but--


To the best of my knowledge, Layer two Switches in fact operate as 
multi-port bridges.


If that is true, then they ought to be transmitting BDUs which should be 
detectable and used for mapping.


Ahh, you are correct sir (as well as the off list responses :))

Found this rather quickly

http://www.geocities.com/milicsasa/Tools/l2trace/index.html
as well as
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/l2trace.pdf

Not sure why I didn't Google layer 2 traceroute before... Oh well, 
live and learn, and work shorter hours.


Thanks :)



Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Warren Kumari


On Oct 14, 2008, at 12:08 PM, Scott Doty wrote:

First, the good news:  so far, the NANOG conference has been very valuable and
content-rich, covering a lot of issues that need to be discussed.  For that, I
am grateful.


But now, the bad news(?):  Maybe it's just me & my paranoia, but do I detect an
inkling of murk spam going on with some presentations?


I fully agree with you -- some talks are thinly (or not so thinly) veiled
attempts to convince you to buy a vendor's shiny, new solution. There are a
large number of reasons for this, and the Program Committee works hard (and I
think is doing a great job) to limit the amount of sales pitch, but A: there
are a limited number of talks and B: many vendors are unable to resist trying
to spin their product. I suggest that if you have a topic that you would like
to present (and will keep it sales free) you present it to the PC.


I *do* however disagree with you that this happened in the talks to  
which you are referring...





Because there seems to be a fundamental misunderstanding, either on my part, or
the part of certain vendors: I'm here to discuss ideas & freely share them, and
they are here to discuss (it would seem) their products.


Once again, great -- please submit a talk to the PC and they will  
review it. The PC is always looking for good talks...



Sometimes both goals coincide, and that is fine...but...

When a vendor at the security BOF starts showing documents that are company
confidential, and trying to whip up a climate of fear, that we should all
deploy their product in front of our recursive name servers, i get this funny
feeling that I am being murk spammed.


Hmmm... The vendor that you are referring to provides authoritative DNS for
many domains (and, at least some of them I view as important, meaning that I
would prefer a correct response!). Yes, I am sure that he would be happy to
have you as a customer and, yes, this is a feature that differentiates his
company, but I did not get the impression AT ALL that he was trying to sell
his service, but rather provide better service to his existing customers, even
going so far as to provide free devices to people who run large recursive
resolvers. This helps both his existing customers (who, yes, will be more
likely to continue using him), but, more importantly helps me as an end user
feel a little comfortable that the page that I am getting is the correct
page...





Perhaps that is my own perspective (& paranoia?), but I found the CERT
gentleman's call to monitor icmp backscatter on our authoritative nameservers
far more informative -- and open.

But I was disappointed with two vendors and their presentations: the first had
the tactic of saying DNSSEC is the actual solution when asked about why their
product would be necessary...completely ignoring the fact that their
proprietary interim solution was by no means the only way to prevent cache
poisoning attacks.


I may be mistaken, but I didn't get the impression that he believed that his
solution was the only one -- he repeatedly pointed out that DNSSEC is the
correct solution and that his solution does not solve all of the problems that
DNSSEC would -- however, DNSSEC is FAR from being fully deployed.



 Indeed, I would daresay it isn't the best, either
by a BCP perspective, or a cost analysis perspective.





To put a finer point on this, i should say that i found myself discomforted by
a presentation suggesting that I should put their proprietary appliances
between my recursive name servers & the Net, and I am grateful that Mr. Vixie
stood up and said that there are other ways of dealing with the problem.



Hmmm.. We must have VERY different recollections -- I don't remember him
mentioning how much this would cost, other than that he would give away some
to the biggest wins first. Without knowing how much these widgets will be, it
is not possible to do a cost comparison, but don't discount just how expensive
engineering time is, and just how hard it is to find competent DNS folks able
to deploy something else.


I have chatted with many people about the state of their DNS infrastructure --
many people don't care, many people DO care but just don't have the cycles to
properly maintain it, many have weird internal politics around them, and many
just don't have the knowledge. Some of these are hard to solve; the lack of
knowledge is probably the easiest, so I would welcome any how-to, etc. guides
that you would feel like writing.



Then there was the gentleman with the DDOS detection/mitigation appliance, who
flipped through several graphs, which were intended to show the number of each
type of attack.  It's unfortunate that there wasn't more time for questions,
because I really wanted to ask why http GET and spidering attacks weren't
listed on their graphs...more on that in a second.



Hmmm, probably some of this is my 

Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Rodney Joffe

Scott,

On Oct 14, 2008, at 9:08 AM, Scott Doty wrote:

First, the good news:  so far, the NANOG conference has been very valuable and
content-rich, covering a lot of issues that need to be discussed.  For that, I
am grateful.


Thank you. We worked hard to make it valuable.



But now, the bad news(?):  Maybe it's just me & my paranoia, but do I detect an
inkling of murk spam going on with some presentations?


Not sure what you mean by murk spam. That's a term that died years ago. And
it really related to people claiming that spam was in compliance with federal
laws. But I think I can guess your intentions from the tone of your email, so
let me try and respond.





Because there seems to be a fundamental misunderstanding, either on my part, or
the part of certain vendors: I'm here to discuss ideas & freely share them, and
they are here to discuss (it would seem) their products.  Sometimes both goals
coincide, and that is fine...but...

When a vendor at the security BOF starts showing documents that are company
confidential, and trying to whip up a climate of fear, that we should all
deploy their product in front of our recursive name servers, i get this funny
feeling that I am being murk spammed.


Well, that's interesting. I see your last NANOG was 9, in February of 1997.
So, welcome back! We're glad to have you here in person. Things have changed
slightly since then. NSP-SEC never existed in 1997. It really came about in
the early 2000s, where it was developed as a forum for actual operators to
share views and thoughts, generally in real time, to help the 'net in general
survive disruption, malicious or otherwise. It has really worked pretty well,
so if you qualify, I'd encourage you to get involved. See
http://puck.nether.net/mailman/listinfo/nsp-security for info.


The NSP-SEC bof at NANOG is not quite the same environment as the NSP- 
SEC mailing list, but it generally includes the same people, plus  
others from the operations community who take the effort to attend  
NANOG, and so are sort of self-selected as being one of the  
operators with an already working amount of clue about the subjects  
that are being discussed. Additionally,  the concept of a trusted  
environment still sorta applies. You may not have realized it, but  
unlike all other sessions at NANOG, the slides are not published, they  
are not available online, and the session is not broadcast. So  
Confidential was there to remind folks in the BoF that this was a  
non-public (for a skewed version of public) presentation.


Having explained that bit of history which gives you a general  
background, let me deal with some specifics.





Perhaps that is my own perspective (& paranoia?), but I found the CERT
gentleman's call to monitor icmp backscatter on our authoritative
nameservers far more informative -- and open.


I don't think anyone from CERT presented. Perhaps you meant Barry  
Green from Juniper's CERT team? Another vendor? Well, as you'll see  
further on, not really. In this context, like everyone else who  
presented, he was there as an operator, sharing knowledge and  
experience. But I digress...





But I was disappointed with two vendors and their presentations: the first had
the tactic of saying DNSSEC is the actual solution when asked about why their
product would be necessary...completely ignoring the fact that their
proprietary interim solution was by no means the only way to prevent cache
poisoning attacks.  Indeed, I would daresay it isn't the best, either by a BCP
perspective, or a cost analysis perspective.


While we may disagree on your last claim (and I actually have a few  
years of experience to help me argue my point), I specifically said  
there were a) solutions that solved part of the problem (switching to  
TCP, detecting and blocking cache poisoning attacks) and b) the right  
solutions like DLV and DNSSEC that will take some time to be deployed.  
And I then made sure everyone heard me when I said that we need to  
find an interim solution that can be deployed *now*, until DNSSEC  
exists in a useful footprint. I ignore *nothing*. If you have another  
solution that solves the same problems that has running code now,  
please share it with all of us. Remember, it has to scale, it has to  
solve all of the problems, and it has to be implementable across a  
range of levels of clue.





To put a finer point on this, i should say that i found myself discomforted by
a presentation suggesting that I should put their proprietary appliances
between my recursive name servers & the Net, and I am grateful that Mr. Vixie
stood up and said that there are other ways of dealing with the problem.


Indeed. Read further.





Fortunately, said vendor had a table at beer and gear, so I was  
able to
talk with one of their representatives -- and learned that they have  
just as
much trouble with automatic detection of attacks designed to look  
like a

Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Christopher Morrow
On Wed, Oct 15, 2008 at 4:05 PM, Warren Kumari [EMAIL PROTECTED] wrote:

 On Oct 14, 2008, at 12:08 PM, Scott Doty wrote:

 When a vendor at the security BOF starts showing documents that are
 company
 confidential, and trying to whip up a climate of fear, that we should all
 deploy their product in front of our recursive name servers, i get this
 funny feeling that I am being murk spammed.

 Hmmm... The vendor that you are referring to provides authoritative DNS for
 many domains (and, at least some of them I view as important, meaning that
 I would prefer a correct response!). Yes, I am sure that he would be happy
 to have you as a customer and, yes, this is feature that differentiates his
 company, but I did not get the impression AT ALL that he was trying to sell
 his service, but rather provide better service to his existing customers,
 even going so far as to provide free devices to people who run large
 recursive resolvers. This helps both his existing customers (who, yes, will
 be more likely to continue using him), but, more importantly helps me as an
 end user feel a little comfortable that the page that I am getting is the
 correct page...

it's probably also worth noting that the person in question has a
history of giving away this sort of protection (in other forms) for
the DNS system... and innovating as a DNS service provider, both for
free (howdy: 4.2.2.1) and for a price. I'm not sure I'd classify
anything he does as a sales pitch in the venue in question.

-Chris



Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Dean Anderson
On Tue, 14 Oct 2008, Scott Doty wrote:

 First, the good news:  so far, the NANOG conference has been very
 valuable and content-rich, covering a lot of issues that need to be
 discussed.  For that, I am grateful.
 
 But now, the bad news(?):  Maybe it's just me  my paranoia, but do I
 detect an inkling of murk spam going on with some presentations?

Judging by the email after this, the 'vendor' involves Rodney Joffe and
probably UltraDNS.

My opinion: Yes, you are being 'murk spammed'

Joffe and company represent what Professor Dan Bernstein (DJBDNS) calls 
the 'Bind Company'. I think a better term is the 'BIND Cartel', since it 
is a collection of companies and individuals. 

Joffe, Vixie, John Levine et al own or direct Whitehat.com, a spammer.  
Remember Sanford Wallace? Wallace sent spam and offered anti-spam
services; that was a non-starter for many. Vixie, Joffe, Levine et al
just stole Wallace's business plan and false-teamed themselves as
anti-spammers. What they were really doing was sending spam, and using
the MAPS blacklist to detect and interfere with their competitors, and
using the credentials with the anti-spam community and inside information
to avoid spam-traps.  See http://www.iadl.org/maps/maps-story.html

Joffe/Centergate/Bill Manning was the founder of UltraDNS.  Manning is
also connected to Vixie through PAIX, and to ISC employee Susan Woolf
through ISI.

Vixie, Conrad, Manning, Woodcock, Curran, Plzak, Ed Lewis, etc all
worked together at ARIN, and have had 22 ARIN employees attend NANOG,
including the ARIN executive secretary. ARIN is giving NANOG $50,000
checks, even though the Board members have undisclosed conflicts of
interest.  ARIN resource analysts have (and probably are now) attending
NANOG. The resource analysts are the guys who make allocation decisions,
so getting chummy with NANOG people is a conflict of interest in the
making. So far, I've discovered two cases where ARIN has made
allocations in 2 hours.

Have they done this before? The answer is yes. The previous scam was 
AXFR-clarify draft. The draft was presented by the BIND Cartel as not 
changing the DNS protocol, but in fact did change the protocol. When Dr. 
Bernstein discovered this, and reported it, Bernstein's email was 
disrupted and censored. 

There are other scams that I'm writing up, but this gives you some 
inkling of what's going on now and what's gone on before.

--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   





Re: Network topology [Solved]

2008-10-15 Thread David W. Hankins
On Wed, Oct 15, 2008 at 08:35:33PM +0200, Colin Alston wrote:
 Apparently there isn't. Lots of people mentioned other tools, the problem 
 there is they have one thing in common which is polling SNMP. I think it 
 scales badly in general. I was hoping to find a more intelligent way of, I 

I don't know what scaling parameters you're looking for.  The tool
I wrote to recursively traverse Cisco CDP caches via SNMP, from ~7
seed routers, autodetected the interconnections of a ~100 node network
(back in 1998) in just seconds (I think it was 3, but that was ten
years ago).

Using SNMP.

It didn't strain our P90 it was running on, nor the network.

People often do SNMP wrong (one PDU per packet, single-threaded
transmitters, etc).

 Maybe there should be something (I mean like, someone should come up with a 
 standard :P) to trace switches in a path... Problem is I think even then 
 the simple devices won't bother to support it.

Or if they do, they'll do it wrong.  They can't even get ifDescr
right.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?  https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins                     If you don't do it right the first time,
Software Engineer                    you'll just have to do it again.
Internet Systems Consortium, Inc.    -- Jack T. Hankins


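As an added example, not David's tool or code from anyone in this thread, here is the shape of that recursive CDP-cache traversal in Python. The SNMP side is replaced by a constructed inventory (made-up device names and addresses) standing in for what IF-MIB::ifName and the CISCO-CDP-MIB::cdpCacheTable rows would return for each device; the parts worth seeing are the seed queue, the visited and unreachable sets that stop the recursion on a meshed network, and keying each link by the unordered pair of (device, port) endpoints so that both ends reporting the same adjacency collapse into one edge. A neighbour that advertises no management address (the access point here) is recorded as a leaf and not walked; a neighbour that does advertise one but does not answer SNMP (the WAN router) ends up in the unreachable set rather than looping the walk.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed inventory standing in for per-device SNMP results: sysName,
# IF-MIB::ifName keyed by ifIndex, and cdpCacheTable rows as
# (ifIndex, cdpCacheDeviceId, cdpCacheDevicePort, cdpCacheAddress).
# All names and addresses are made up for this example.
INVENTORY = {
    "10.0.0.1": {"name": "core1",
                 "ifname": {1: "Gi0/1", 2: "Gi0/2"},
                 "cdp": [(1, "dist1", "Gi1/0/1", "10.0.0.2"),
                         (2, "dist2", "Gi1/0/1", "10.0.0.3")]},
    "10.0.0.2": {"name": "dist1",
                 "ifname": {1: "Gi1/0/1", 3: "Gi1/0/3", 4: "Gi1/0/4"},
                 "cdp": [(1, "core1", "Gi0/1", "10.0.0.1"),
                         (3, "access1", "Gi0/24", "10.0.1.10"),
                         (4, "ap-lobby", "eth0", None)]},      # no address TLV: leaf
    "10.0.0.3": {"name": "dist2",
                 "ifname": {1: "Gi1/0/1", 3: "Gi1/0/3", 5: "Gi1/0/5"},
                 "cdp": [(1, "core1", "Gi0/2", "10.0.0.1"),
                         (3, "access1", "Gi0/23", "10.0.1.10"),
                         (5, "wan-rtr", "Se0/0", "192.0.2.1")]},  # not in our SNMP reach
    "10.0.1.10": {"name": "access1",
                  "ifname": {23: "Gi0/23", 24: "Gi0/24"},
                  "cdp": [(23, "dist2", "Gi1/0/3", "10.0.0.3"),
                          (24, "dist1", "Gi1/0/3", "10.0.0.2")]},
}


def snmp_fetch(address):
    """Stand-in for the SNMP walk of one device; None models a timeout.
    A real implementation would do a GETBULK walk here rather than one
    GET per object, which is the slow way David alludes to."""
    return INVENTORY.get(address)


@dataclass
class Topology:
    devices: dict = field(default_factory=dict)     # address -> sysName
    unreachable: set = field(default_factory=set)   # addresses tried, no answer
    links: set = field(default_factory=set)         # frozenset({(dev, port), (dev, port)})


def discover(seeds, fetch=snmp_fetch):
    """Breadth-first walk of CDP caches starting from the seed addresses."""
    topo = Topology()
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in topo.devices or addr in topo.unreachable:
            continue                      # already walked or already failed
        rec = fetch(addr)
        if rec is None:
            topo.unreachable.add(addr)
            continue
        topo.devices[addr] = rec["name"]
        for ifindex, nbr_name, nbr_port, nbr_addr in rec["cdp"]:
            local_port = rec["ifname"].get(ifindex, f"ifIndex {ifindex}")
            # Both ends of a link report it; the unordered endpoint pair
            # is identical from either side, so the set deduplicates it.
            topo.links.add(frozenset({(rec["name"], local_port), (nbr_name, nbr_port)}))
            if nbr_addr and nbr_addr not in topo.devices:
                queue.append(nbr_addr)    # recurse only where we have an address
    return topo


def links_as_rows(topo):
    """Stable, printable (dev_a, port_a, dev_b, port_b) rows."""
    rows = []
    for link in topo.links:
        (a, pa), (b, pb) = sorted(link)
        rows.append((a, pa, b, pb))
    return sorted(rows)


if __name__ == "__main__":
    topo = discover(["10.0.0.1"])
    for row in links_as_rows(topo):
        print("%s %s <-> %s %s" % row)
    print("unreachable:", sorted(topo.unreachable))
```

Seeding from the core or from an access switch yields the same link set, which is the property that lets a handful of seed routers cover a network.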


Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Tuc at T-B-O-H.NET
 
 Vixie, Conrad, Manning, Woodcock, Curran, Plzak, Ed Lewis, etc all
 worked together at ARIN, and have had 22 ARIN employees attend NANOG,
 including the ARIN executive secretary. ARIN is giving NANOG $50,000
 checks, even though the Board members have undisclosed conflicts of
 interest.  ARIN resource analysts have (and probably are now) attending
 NANOG. The resource analysts are the guys who make allocation decisions,
 so getting chummy with NANOG people is a conflict of interest in the
 making. So far, I've discovered two cases where ARIN has made
 allocations in 2 hours.
 
Didn't you get banned temporarily from this list, then banned for 
life + 5 years, your children and grandchildren also banned for their 
lives + 5 years once before for all this?

Tuc/TBOH



Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Paul Vixie
Christopher Morrow [EMAIL PROTECTED] writes:

 On Wed, Oct 15, 2008 at 4:05 PM, Warren Kumari [EMAIL PROTECTED] wrote:

 On Oct 14, 2008, at 12:08 PM, Scott Doty wrote:

 When a vendor at the security BOF starts showing documents that are
 company confidential, and trying to whip up a climate of fear, that
 we should all deploy their product in front of our recursive name
 servers, i get this funny feeling that I am being murk spammed.

 ... I did not get the impression AT ALL that he was trying to sell his
 service, but rather provide better service to his existing customers,
 even going so far as to provide free devices to people who run large
 recursive resolvers. ...

i've heard the following concerns about this free device expressed to me.

first, its value-add is its proprietary relationship to one dns authority
(ultradns), so if neustar deploys a lot of them it will create third party
incentive among domainholders to move their authority service to neustar.
so while other commercial authority dns vendors (such as nominum or
microsoft) might be willing to license this proprietary technology from
neustar and we can all assume that there are commercial terms under which
neustar would do this, we can also expect that domainholders who prefer to
self-host using f/l/oss (bind, nsd, tinydns, powerdns, etc) won't have that
option.  rodney said it was necessary that neustar not have to wait for the
standards community before deploying this service, but no one asked him why
he hasn't open-sourced his solution so that other dns authority suppliers
can also benefit from the recursive-dns frontend boxes he's giving away.  i
know that neustar is in the business of selling outsourced authority dns,
so i understood scott doty's comments as referring to the pressure a large
deployment of free recursive-dns frontend boxes will put on anyone who isn't
a neustar customer to please become a neustar customer so that their zones
will be safer.

second, there's no real possibility that someone who deploys a free neustar
box inline/upstream of their recursive dns server would also deploy a
second one if anyone else with a proprietary solution wanted to follow
neustar's example.  rodney did not say whether the front-end boxes were
user programmable or whether he planned to make it possible for competitors
of neustar to embed their solutions in this free box.  rodney also did not
say how many boxes would be available for free before neustar would have to
start charging for them, nor whether the price at that point would represent
cost recovery or also be a profit center for neustar.  these questions also
appear (to me) to be implied by scott doty's original question.

now for my own concerns.

 it's probably also worth noting that the person in question has a
 history of giving away this sort of protection (in other forms) for
 the DNS system... and innovating as a DNS service provider, both for
 free (howdy: 4.2.2.1) and for a price I'm not sure I'd classify
 anything he does as a sales pitch in the venue in question.

in spite of my great admiration for rodney's lifetime of contribution, i do
not see any natural consequence toward dnssec from this dns frontend giveaway.
i have total confidence that the solution will work, and reasonable confidence
that it will indirectly improve neustar's revenue outlook, but no confidence
that anyone who wasn't planning to deploy dnssec in their product or network
will, as a result of rodney's work, decide to deploy dnssec.

far better in my opinion would be for rodney to sign all the zones he carries
(keeping the keys he has to generate in escrow to be surrendered to the
domainholders upon demand with a reasonable escrow and transfer fee), and to
either start his own DLV registry or to offer free secondary service to ISC's
DLV registry, and to submit all his customer keys to whichever DLV registry he
decided upon.  anyone running BIND 9.3.0 (not 9.6.0 as was mentioned -- we're
talking about old and somewhat stable code here) can just speak DLV directly.
anyone who can and wants to upgrade to BIND with its DLV support can do that.
anyone else could install a free recursive dns frontend box from neustar that
would do inline DLV.  but there's a pure software-only solution that would
work.  (noting that in rodney's preso he spoke of the many folks who have
never upgraded their nameservers, are still running BIND4, etc, but for the
larger recursive dns operators this isn't how they work and they can deploy
new code, and it would be very easy for nominum-ans and nlnetlabs-unbound to
implement DLV, which is unencumbered even though never subject to IETF delays.)

it's easy to assume that my worry about this is as someone in the authority
dns business whose customers (the vast majority of whom pay nothing), who
stands to lose market share when rodney starts pushing his boxes into the
field.  but since i've been giving away free shovels to people who mostly
want to buy holes, and rodney sells 

Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Dean Anderson
 Vixie, Conrad, Manning, Woodcock, Curran, Plzak, Ed Lewis, etc all
 worked together at ARIN, and have had 22 ARIN employees attend NANOG,
 including the ARIN executive secretary. ARIN is giving NANOG $50,000
 checks, even though the Board members have undisclosed conflicts of
 interest.  ARIN resource analysts have (and probably are now)  
 attending NANOG. The resource analysts are the guys who make
 allocation decisions, so getting chummy with NANOG people is a
 conflict of interest in the making. So far, I've discovered two cases
 where ARIN has made allocations in 2 hours.
 

   Didn't you get banned temporarily from this list, then banned
for life + 5 years, your children and grandchildren also banned for
their lives + 5 years once before for all this?

I was never temporarily banned. I was banned in 2000 so that I couldn't
gloat that the CFAA applied to ISPs. See
http://www.iadl.org/nanog/nanog-story.html

Looks like someone messed up. ;-)

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000   





ADMIN: off-topic emails

2008-10-15 Thread Simon Lyall


A reminder to all list members that:

1. DNS related questions should usually be sent to more specific lists
such as DNS operations:

  http://lists.oarci.net/mailman/listinfo/dns-operations


2. Discussion regarding the NANOG organisation and political issues
surrounding it are off-topic for the main list and must only occur on the
nanog-futures list

  http://mailman.nanog.org/mailman/listinfo/nanog-futures


Simon Lyall
NANOG Mailing List Committee

--
Simon Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
To stay awake all night adds a day to your life - Stilgar | eMT.




Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Tuc at T-B-O-H.NET
 
  Vixie, Conrad, Manning, Woodcock, Curran, Plzak, Ed Lewis, etc all
  worked together at ARIN, and have had 22 ARIN employees attend NANOG,
  including the ARIN executive secretary. ARIN is giving NANOG $50,000
  checks, even though the Board members have undisclosed conflicts of
  interest.  ARIN resource analysts have (and probably are now)  
  attending NANOG. The resource analysts are the guys who make
  allocation decisions, so getting chummy with NANOG people is a
  conflict of interest in the making. So far, I've discovered two cases
  where ARIN has made allocations in 2 hours.
  
 
  Didn't you get banned temporarily from this list, then banned
 for life + 5 years, your children and grandchildren also banned for
 their lives + 5 years once before for all this?
 
 I was never temporarilly banned. I was banned in 2000 so that I couldn't
 gloat that the CFAA applied to ISPs. See
 http://www.iadl.org/nanog/nanog-story.html
 
 Looks like someone messed up. ;-)
 
Well, yes and no...

I actually was thinking of the ARIN list that you had the temporary
ban on :

http://lists.arin.net/pipermail/arin-discuss/2008-February/000897.html


and then the permanent ban :

http://lists.arin.net/pipermail/arin-discuss/2008-June/001058.html


as for banning from NANOG, there is a message, purportedly from
you :

http://lists.arin.net/pipermail/arin-discuss/2008-February/000890.html

contains "So Harris banned me from NANOG." Not sure if that's the meeting,
the NANOG list, or one of the NANOG/Merit other lists. Also, in :

http://www.iadl.org/nanog/nanog-story.html

I see "So, effective May 4 2005, Harris again banned Anderson. Although
the new reformed rules require a limit of 6 months, Anderson remains banned
as of April 16th, 2006. It seems permanent."

but I think that refers to another NANOG group, dnsop.

Tuc/TBOH



Re: Network topology [Solved]

2008-10-15 Thread Dale W. Carder


On Oct 15, 2008, at 1:35 PM, Colin Alston wrote:


On 2008/10/15 06:29 PM Colin Alston wrote:
Is there any kind of cunning trick to detect standard layer2 switches
along a path without stuff like STP?


Apparently there isn't. Lots of people mentioned other tools, the
problem there is they have one thing in common which is polling SNMP.
I think it scales badly in general.


What is your reasoning behind this claim?  I would claim
quite the opposite compared to CLI or TL1.

Maybe there should be something (I mean like, someone should come up
with a standard :P) to trace switches in a path


I've written a cruddy script that given a seed bridge, scrapes
L2 information obtained via CDP (I guess it could do LLDP, too)
and does a breadth-first search through a network.  Then I just
dump that into gnuplot format.  Getting the data is easy compared
to visualization.

A coworker of mine has written script to ask Rapid-STP speaking
switches about their current topology and builds a graph again
in gnuplot format.

A more challenging approach would be to scrape the mac forwarding
tables and stitch things together.  This would have to be done
per-vlan.  I think this approach (or similar) might be done by
Openview's L2 featureset.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin / WiscNet
http://net.doit.wisc.edu/~dwcarder




Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Joe Provo

[snip]

http://www.gweep.net/~crimson/Don't_Feed_The_Trolls.mp3

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE



Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Scott Doty
I do seem to have put my foot in my mouth.  I apologize for any offense 
my comments made, as well as any misunderstanding on my part.


I see the note to take this discussion to nanog-futures, so I'll reply 
further there.


And the Security BOF was very good, I was thankful to have been there 
and hear the discussion.  Next time I'll use the microphone.


Thank you,

-Scott