RE: U.S. officials deny technical takedown of WikiLeaks

2010-12-05 Thread Nathan Eisenberg
> Factoid: we outnumber the pigs by 1000 to 1.  Even if only 1% of us were
> to go out and shoot a pig, we would still outnumber them 10 to 1!  We
> *CAN* win -- wake up, people!
 
Dude.

As someone who was personally connected to this
(http://www.komonews.com/news/local/78088192.html) and this
(http://www.komonews.com/news/local/68320537.html), I feel pretty justified in
telling you to keep this 'shoot a pig' crap off the list.

Unbelievable.




list archive

2010-12-05 Thread Randy Bush
how do i find archives of this list from the '90s and early '00s?

randy



Re: list archive

2010-12-05 Thread Michael Painter

Randy Bush wrote:

> how do i find archives of this list from the '90s and early '00s?
>
> randy


Partial list here:
http://www.merit.edu/mail.archives/nanog/historical.html



Warrant Canaries

2010-12-05 Thread Michael DeMan

On Dec 4, 2010, at 9:06 PM, Jay Ashworth wrote:

>  Original Message -
>> From: "Adrian Chadd" 
>> 
>> On Sat, Dec 04, 2010, Ken Chase wrote:
>>> And if they come and ask the same but without a court order is a bit
>>> trickier and more confusing, and this list is a good place to track the
>>> frequency of and responce to that kind of request.
>> 
>> Except of course when you're "asked" not to share what has occured
>> with anyone. I hear that kind of thing happens today.
> 
> It does.  Hence, the Warrant Canary:
> 
> http://blog.kozubik.com/john_kozubik/2010/08/the-warrant-canary-in-2010-and-beyond.html
> 
> Cheers,
> -- jra
> 

Actually, my intuition is that warrant canaries are not a workable solution 
either.  I would presume that a violation of a 'secret' court order or national 
security letter where you are expressly ordered not to divulge the fact that 
you have received it could be violated either by any 'action' or 'inaction'.  
So the 'inaction' of not updating the warrant canary would be a violation.

The interesting thing of course is that to avoid the 'inaction', and your 
regular process is to say update the warrant canary daily, you would be placed 
in the position where the government was asking you to lie to the public at 
large?

I have wondered about this for quite a while - has anybody on the list ever
talked with an attorney with specific expertise in this area of law about this?
I am not expecting formal legal advice by any means, just curious if anybody
has done any research on this topic and could share what they discovered.

- Mike

P.S. - Intent here is not to drag out the wikileaks thread, but rather start a
new thread on the more general topic of legal/policies and warrant canaries,
which although not a purely technical discussion seems more on-topic for the
nanog list.  My apologies in advance if it is OT.

(wikileaks) Fwd: [funsec] And Google becomes a DNS..

2010-12-05 Thread Gadi Evron

I withhold comment... "discuss amongst yourselves".

Best,

Gadi.


 Original Message 
Subject:[funsec] And Google becomes a DNS..
Date:   Sun, 5 Dec 2010 17:34:50 +0200
From:   Imri Goldberg 
To: funsec 


Found on reddit:
http://i.imgur.com/Q5SVu.png

--
Imri Goldberg
--
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--
-- insert signature here 


Re: (wikileaks) Fwd: [funsec] And Google becomes a DNS..

2010-12-05 Thread Gadi Evron

On 12/5/10 5:50 PM, Gadi Evron wrote:

> I withhold comment... "discuss amongst yourselves".
>
> Found on reddit:
> http:/


Not sure why the URL didn't go through...
http://i.imgur.com/Q5SVu.png

Enjoy.

Gadi.



RE: U.S. officials deny technical takedown of WikiLeaks

2010-12-05 Thread Michael Sokolov
Nathan Eisenberg  wrote:

> As someone who was personally connected to this
> (http://www.komonews.com/news/local/78088192.html), and this,
> http://www.komonews.com/news/local/68320537.html I feel pretty justified in
> telling you to keep this 'shoot a pig' crap off the list.

To all uniformed dudes reading this: if you don't want the people you
serve to feel like shooting you, perhaps you should consider going on
strike, immediately stopping enforcing any and all man-made laws that go
against the natural law of Universe, against common sense and against
basic humanity; immediately stopping following any and all orders
telling you to do things that are morally wrong, and finally, switching
over to our side, helping defend America and the American People against
USA.

In the timeless words of The Internationale:

No more deluded by reaction,
On tyrants only we'll make war;
The soldiers too will take strike action,
They'll break ranks and fight no more!
And if those cannibals keep trying
To sacrifice us to their pride,
They soon will hear the bullets flying:
We'll shoot the generals on our own side!

MS

Hold the Heathen Hammer High!
With a battle cry!
For the pagan past I live
and one day will die.



Re: U.S. officials deny technical takedown of WikiLeaks

2010-12-05 Thread Lynda

On 12/5/2010 11:32 AM, Michael Sokolov wrote:

Pretty much, I no longer care what you wrote. Go away. Seriously. Just 
GO AWAY. Alt.politics is -->> thataway.


*plonk*

--
Die gedanken sind frei.



Re: U.S. officials deny technical takedown of WikiLeaks

2010-12-05 Thread James Hess
> On Sun, 05 Dec 2010 02:53:22 GMT, Michael Sokolov said:

>> Factoid: we outnumber the pigs by 1000 to 1.  Even if only 1% of us were
>> to go out and shoot a pig, we would still outnumber them 10 to 1!  We
>> *CAN* win -- wake up, people!
> Yes, but shooting down an RFC1925-compliant porker may require larger caliber

If you mean shooting people in order to protest a law, that proposition is
obscene, and attempting to dehumanize flesh and blood, while hiding the nature
of the act through name-calling, does not make the act more civilized, sane,
or less deserving of rebuke.

If "pig" is defined as person(s) conducting network abuse, violating the AUP of
services they use in manners such as sending spam, transmitting illegally
obtained documents, or posting large numbers of off-topic political rants to a
technical discussion listserv contrary to its AUP.

And by "shoot" you mean turning off their network service, being used in the
abusive manner contrary to the terms agreed or as required by the law.

Then this is done every day, and I would applaud those such as Amazon who have
done a service to the network community by doing so.

--
-JH



Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Bill Fehring
On Sat, Dec 4, 2010 at 19:52, Ben Jencks  wrote:
> DHCPv6-PD (prefix delegation) with the relay installing static routes
> is probably the most straightforward way.

Apparently that has its own problems right now actually:
http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html

> Letting home CPE participate
> in routing does indeed seem like bad idea; I haven't heard that
> seriously suggested before.

I guess "Comcast Business Class" cable service isn't necessarily
considered home service, but I wouldn't call it a dedicated bandwidth
contract either. The CPE that they use (SMCD3G or similar) actually
does this for v4, that is if you purchase a "Static IP Block" from
them, they actually use RIPv2 to send your prefix (usually a /27 or
longer) to the headend. Obviously authentication is used and the CPE
firmware prevents the end user from tampering with any part of the RIP
configuration, but the point is that RIP actually is used at a large
scale for this purpose.

-Bill



Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Miquel van Smoorenburg
In article 
 you write:
>On Sat, Dec 4, 2010 at 19:52, Ben Jencks  wrote:
>> DHCPv6-PD (prefix delegation) with the relay installing static routes
>> is probably the most straightforward way.
>
>Apparently that has its own problems right now actually:
>http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html

Well, the problem described there is exactly the same problem that
already exists with plain IPv4 DHCP (a pity that FORCERENEW (rfc3203)
or something like it never took off).

If you use PPPoA/PPPoE/PPPoX with DHCPv6 PD, the problem described there
doesn't exist if your CPE is at least halfway intelligent .. it should
of course do a new lease request (at least a renewal) after a PPP reconnect.

Mike.



Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread James Hess
On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh  wrote:
> of running RIPng.  The thought of letting Belkin routers (if you can call
> them that) into the routing table scares me no end.

I think that indeed looks scary. I wouldn't be too concerned about the Belkin
routers. How many SP routers are really designed to deal with mass numbers of
RIP adjacencies?

RIPng sounds like a plan to deploy 2 or 3 IPv6 end networks, not really better
than static manual configuration, and with significant disadvantages.

So I would suggest static manual configuration of the port on routers facing
the CPE, no RIPng. If there are routes to be exchanged with a downstream user,
use a proper EGP as one would for IPv4.

Use a CPE of a type that scripts can be written to configure, for large scale
deployments.

If there is an inexpensive CPE with an implementation of DHCPv6 PD that works
without issues, I would love to hear about who makes it, and what the device
is...


> Is this way easier than I think it is?   Did somebody already write the book
> that I can't find?

-- 
-JH



Re: Network management software with high detailed traffic report

2010-12-05 Thread Vasile Borcan
On Mon, Nov 22, 2010 at 11:35 AM, Sergey Voropaev wrote:
> Does anyone know the NMS (network management software) which can do the
> following:
>
> 1. Monitor on Cisco Routers/Switches interface utilization every 5-10
> seconds and send e-mail alarm when utilization low or high of predefined
> thresholds.
> 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10
> seconds.
>
> The main idea is to have detailed monitoring of the external links and to be
> able to know why (by what traffic type) and when link was highly utilized.
>
> Existing flow-collector can store netflow reports only with 1 minute
> granularity but we need 5-10 second.
>
> As about e-mail alarms - now I do it by embedded event manager on the
> router. But I think it would be better to use external SNMP software for
> that.
> As about detailed to 5-10 second netflow statistics there are 2 ways.
> 1st - Use port mirror and use some software which can analyze captured
> traffic and make good reports. Do you know such software?
> 2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10
> seconds and catch netflow counters. Do you know such software?
>
> thanks in advance for your help.
>
>

Take a look at WANGuard Flow
(http://www.andrisoft.com/software/netflow-traffic-monitoring). It builds
traffic graphs with a configured granularity of 5 seconds and emails alarms
when traffic thresholds are reached. It only needs Netflow.



Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Mark Newton

On 06/12/2010, at 6:54 AM, Bill Fehring wrote:

> Apparently that has its own problems right now actually:
> http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html

In our deployment mode, the CEs are running PPP sessions to the
BRAS, so they know when it reboots and can respond accordingly.

Layer 3 access networks could conceivably have an issue here, though.
It's almost as if everyone ought to have been working on this a decade
ago so that we'd have a workable solution by now! :-)

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223

How do you do rDNS for IPv6 ?

2010-12-05 Thread John Levine
I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
is supposed to work.  It's clear enough how you look up any particular
address, but it's not at all clear to me what you put into an rDNS
zone and how you put it there.

In IPv4 land, it is standard to assign matching forward and reverse
DNS for every live IP, and a fair number of services treat requests
from hosts without rDNS with added scepticism. For consumer networks,
it's often something like 12-34-56-78.adsl.incompetent.net, with the
numbers being the IP address forward or backwards.

So if every customer gets a /64, what do you do?  You can use a
wildcard to give the same rDNS to all 2^64 addresses, but you can't do
matching forward DNS, since a DNS response with 2^64 AAAA records
would be, ah, a little unwieldy.

When hosts self-configure their low 64 bits, do you install a suitable
PTR and AAAA into your DNS?  If so, how?  Do you use DHCPv6 and have it
install the DNS?  Do you do something else?

Signed,
Confused





Ratios & peering [was: The scale of streaming video on the Internet.]

2010-12-05 Thread Patrick W. Gilmore
On Dec 4, 2010, at 5:28 PM, Bill Stewart wrote:
> On Fri, Dec 3, 2010 at 9:35 AM, Leo Bicknell  wrote:

>> - Ratio needs to be dropped from all peering policies.  It made sense
>>  back when the traffic was two people e-mailing each other.  It was
>>  a measure of "equal value".  However the net has evolved.  In the
>>  face of streaming audio and video, or rich multimedia web sites
>>  Content->User will always be wildly out of ratio.  It has moved from
>>  a useful measure, to an excuse to make Content pay in all
>>  circumstances.
> 
> I think that's the key point here - ratios make sense when similar
> types of carriers are peering with each other, whether that's
> traditional Tier 1s or small carriers or whatever; they don't make
> sense when an eyeball network is connecting to a content-provider
> network.

Ratios either make sense, or they don't.  I don't see how "type of network"
fits into it.  If you are a restaurant, you do not decide whether or not to
charge customers for food based on whether or not they work at another
restaurant.  If you are eyeball and content wants to peer with you, make a
decision based on your costs and profits.

Ratios are a proxy for real cost / benefit.  As Leo mentioned (and Bill
snipped), if $LARGE_CONTENT has a single location and $LARGE_EYEBALL has to
carry it all over the country, the ratio "matters" supposedly because large
eyeball has to carry those bits everywhere.  The implicit statement here is
that large content gives a rat's ass about large eyeball's costs.

Repeat after me: I DO NOT CARE ABOUT YOUR COSTS.  What's more, you don't care 
about mine.  If cisco says "well, I know the Juniper has the same features and 
is cheaper, but my costs are higher!", do you then buy the cisco?  HELL NO.  
The other person's costs are irrelevant to your decision.

If large eyeball finds it cheaper to pay $LARGE_TRANSIT for those bits, perhaps 
because eyeball can make transit carry the bits to a local hub, then eyeball 
should not peer.  If eyeball would actually pay more to transit than carrying 
the bits from content's single location, yet still does not peer, then 
eyeball's peering manager should be fired.  You cost my company money to boost 
your ego, you're out on your ass.

Of course, I am glossing over the idea that eyeball could pay transit a short 
while to see if he can get a concession out of content.  Maybe eyeball assumes 
content has transit costs as well, so eyeball thinks he can force content to 
pay something.  This is probably where the idea of "similar value" popped into 
the peering lexicon.  But that is standard business negotiations, and honestly 
has nothing to do with similar value.  In reality, content & eyeball have no 
idea of the other's true costs (probably not even the $/Mbps they pay for 
transit), so the idea of coming to a "similar value" agreement is ludicrous.

Make the decisions that are best for your company.  Not best for your ego.

Remember people, the Internet is a business.  Peering is a business tool, not 
some playground where teacher is enforcing some notion of fairness.

-- 
TTFN,
patrick

P.S. I'm ignoring the idea of "if we give it away free to one, everyone will 
want it free".  Trust me, they all want it "free" anyway.  And saying "you gave 
it to him for free!" sounds more like that schoolyard than a business 
negotiation.  Besides, if you come to me and say "this other network got $FOO", 
I will tell you I couldn't possibly talk about that under NDA, their deal is 
irrelevant to our deal, and each deal is far too unique to be compared.  Then 
bitch at the other network for breaking our NDA.  Breaking NDAs is bad, 
m-KAY?




Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Miquel van Smoorenburg
In article 
 you write:
>If there is an inexpensive CPE with an implementation of DHCPv6 PD
>that works without issues,
>I would love to hear about  who makes it, and what the device is...

AVM Fritzbox 7270/7340/7390
Draytek Vigor 2130/2750

Those are the ones I tested, there are lots more, but according to
http://www.getipv6.info/index.php/Broadband_CPE:
"To date, there is not one complete implementation of IPv6 on a
 residential consumer-grade xDSL modem available in North America."

Mike (using native IPv6 over PPPoA + DHCPv6 PD over ADSL).



Re: How do you do rDNS for IPv6 ?

2010-12-05 Thread Felipe Zanchet Grazziotin
Hi John,

On Sun, Dec 5, 2010 at 8:13 PM, John Levine  wrote:

> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
> is supposed to work.  It's clear enough how you look up any particular
> address, but it's not at all clear to me what you put into an rDNS
> zone and how you put it there.
>

We've already discussed this in April, and answers came to a line of "use
dynamic updates" to "not necessary".

Problems lay around table sizes, unnecessary PTR records created, and large
end-user blocks.

There are other useful tips too, including ideas for PowerDNS and Bind.

Thread starts here:
http://www.mail-archive.com/nanog@nanog.org/msg22908.html


>
>
> Signed,
> Confused
>
>
Kindly,
Felipe


Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Owen DeLong

On Dec 5, 2010, at 1:32 PM, James Hess wrote:

> On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh  wrote:
>> of running RIPng.  The thought of letting Belkin routers (if you can call
>> them that) into the routing table scares me no end.
> 
> I think that indeed looks scary. I wouldn't be too concerned about the
> Belkin routers.
> How many SP routers are really designed to deal with mass numbers of
> RIP adjacencies?
> 
RIP doesn't have adjacencies, per se. It's basically a stateless broadcast
based protocol. As such, the number of routers really has no major impact
other than the traffic level generated by all those broadcasts.

Owen




Re: Network management software with high detailed traffic report

2010-12-05 Thread James Hess
On Mon, Nov 22, 2010 at 8:02 AM, Brandon Ross  wrote:
> On Mon, 22 Nov 2010, Nick Hilliard wrote:
> least once a second.  Perhaps you are thinking about the rate counters that
> are often _configured_ to use the last 30 seconds of data to compute the
> average but also update much more often than every 30 seconds (and default
> to a 5 minute average).

Show interface rate counters are not even truly an average computed using the
last 30 seconds of data. It is indicated as an exponential time-weighted
(moving) average, where data is gathered every 5 seconds. Meaning every update
time, a new value is calculated, by using three datapoints: the previous value
of the average, and a calculation based on the change over the past 5 seconds
(Current - Previous value).

Avg(N) = exp(1/W) * (CurrentOctets - PreviousOctets) + (1 - exp(1/W) * Avg(N-1))

Where 'W' is computed based on the "time interval" averaged over.



Routers or sniffers can aggregate that data, but a NMS that gathered every 5s
using SNMP would not scale very well, and TELNET/CLI would not work for that
either; for that, you would need to use a different protocol, probably would
need to be a new one designed for 5 second accurate timestamped readings.

SNMP ifMib readings are not accurately timestamped, and you would encounter
measurement errors.

Asking a device about one particular statistic about one interface every 5
seconds isn't much trouble. If you have a router with 100 interfaces, and your
NMS needs to query each interface every 5 seconds, you have 100 / 5 = 20
interfaces to query per second. Imagine how many packets you have to send if
you have 100 devices with 5 interfaces, and you want to track 4 statistics for
every interface 12 times per minute.

2000 queries every 5 seconds. You need some serious hardware to handle that on
your routers and your NMS, which has 400 values to save per second, assuming
your NMS perfectly distributes query load, and responses are never delayed
(not likely).



--
-JH
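Added example (not the poster's code, not any vendor's): the exponential time-weighted moving average described above, computed from octet counters polled every 5 seconds. The weight 1 - exp(-dt/W) for the newest reading and the 32-bit counter width are assumptions; W is the configured averaging interval and the sample series is constructed.

```python
# Added example: exponential time-weighted moving average of an interface's
# bit rate from octet counters polled every 5 seconds (not the poster's code).
import math

COUNTER_BITS = 32  # assumption: ifInOctets-style 32-bit counter (64 for ifHCInOctets)


def counter_delta(current: int, previous: int, bits: int = COUNTER_BITS) -> int:
    """Octets counted since the previous poll, allowing for a single wrap of
    a fixed-width counter (a fast link wraps a 32-bit counter in seconds)."""
    if current >= previous:
        return current - previous
    return (1 << bits) - previous + current


def ewma_rates(samples, load_interval: float = 30.0, bits: int = COUNTER_BITS):
    """samples: [(timestamp_seconds, octet_counter), ...] in poll order.
    Returns [(timestamp, averaged_bits_per_second), ...] for every poll after
    the first.  Assumption: the newest reading gets weight 1 - exp(-dt/W), W
    being the configured averaging interval, so older readings keep a small
    share and the result is never a plain 30-second mean."""
    rates = []
    avg = 0.0
    prev_t, prev_c = samples[0]
    for t, c in samples[1:]:
        dt = t - prev_t
        if dt <= 0:
            raise ValueError("samples must have increasing timestamps")
        instantaneous = counter_delta(c, prev_c, bits) * 8 / dt  # bits/s over this poll
        weight = 1.0 - math.exp(-dt / load_interval)
        avg = weight * instantaneous + (1.0 - weight) * avg
        rates.append((t, avg))
        prev_t, prev_c = t, c
    return rates


def constructed_samples(polls=60, dt=5, octets_per_poll=1_000_000, start=4_294_000_000):
    """Constructed input: a steady 1.6 Mbit/s flow whose 32-bit counter wraps
    between the first and second poll."""
    return [(i * dt, (start + i * octets_per_poll) % (1 << 32)) for i in range(polls + 1)]


if __name__ == "__main__":
    for t, bps in ewma_rates(constructed_samples())[:8]:
        print(f"t={t:4d}s  avg={bps / 1e6:.3f} Mbit/s")
```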



Re: How do you do rDNS for IPv6 ?

2010-12-05 Thread Owen DeLong

On Dec 5, 2010, at 2:13 PM, John Levine wrote:

> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
> is supposed to work.  It's clear enough how you look up any particular
> address, but it's not at all clear to me what you put into an rDNS
> zone and how you put it there.
> 
Pretty much the same thing you put into an IPv4 zone... PTR records.

For example:

owen.delong.com.    IN  AAAA    2620:0:930::200:2
2.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa.
                    IN  PTR     owen.delong.com.

> In IPv4 land, it is standard to assign matching forward and reverse
> DNS for every live IP, and a fair number of services treat requests
> from hosts without rDNS with added scepticism. For consumer networks,
> it's often something like 12-34-56-78.adsl.incompetent.net, with the
> numbers being the IP address forward or backwards.
> 
Ah, so you're not talking about assigning to live hosts, you're talking about
the unfortunate habit of assigning to every possible host. Yeah, that trick
doesn't work in IPv6.

> So if every customer gets a /64, what do you do?  You can use a
> wildcard to give the same rDNS to all 2^64 addresses, but you can't do
> matching forward DNS, since a DNS response with 2^64 AAAA records
> would be, ah, a little unwieldy.
> 
First, customers should be getting more than a /64. A /64 should be a single
subnet and customers should, ideally, be getting a /48 for each end site.

In general, for the most part, the services that treat missing rDNS with
additional skepticism also treat rDNS entries like
12-34-56-78.adsl.incompetent.net with that same or greater skepticism, so, I
wouldn't worry too much about it.

For hosts where it does matter, you've got to create an AAAA record somehow
(just like you needed to create an A record somehow), so, you should be
able to use that same process to generate the AAAA and PTR records.

> When hosts self-configure their low 64 bits, do you install a suitable
> PTR and AAAA into your DNS?  If so, how?  Do you use DHCPv6 and have it
> install the DNS?  Do you do something else?
> 
If you care, you probably need to use DHCPv6 for this and it should be able
to build both the AAAA and PTR records.

Owen




Re: How do you do rDNS for IPv6 ?

2010-12-05 Thread George Michaelson

On 06/12/2010, at 8:25 AM, Felipe Zanchet Grazziotin wrote:

> Hi John,
> 
> On Sun, Dec 5, 2010 at 8:13 PM, John Levine  wrote:
> 
>> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
>> is supposed to work.  It's clear enough how you look up any particular
>> address, but it's not at all clear to me what you put into an rDNS
>> zone and how you put it there.
>> 


There was a session at RIPE61 Rome on this very topic.

the summary is:

wildcard, more specific for all RR when you break out.

http://ripe61.ripe.net/archives/#Thursday

http://ripe61.ripe.net/programme/meeting-plan/dns-agenda/

-George



Re: list archive

2010-12-05 Thread Randy Bush
>> how do i find archives of this list from the '90s and early '00s?
> http://www.merit.edu/mail.archives/nanog/historical.html

how did you find that?  the link labeled "Historical NANOG List Archive"
on the page http://nanog.org/mailinglist/mailarchives/ got me to this
month's archive.

randy



Re: The scale of streaming video on the Internet.

2010-12-05 Thread Lyndon Nerenberg (VE6BBM/VE7TFX)
> Just how much free time do you have?  :)

1 minute to google the capacity of a 747-400F.
1 minute to google the dimensions and weight of an lto-4 cartridge.
1 minute to punch the numbers into bc(1).

--lyndon




Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread MarcoH - lists

On 5 dec 2010, at 23:19, Miquel van Smoorenburg wrote:

> In article 
>  you 
> write:
>> If there is an inexpensive CPE with an implementation of DHCPv6 PD
>> that works without issues,
>> I would love to hear about  who makes it, and what the device is...
> 
> AVM Fritzbox 7270/7340/7390
> Draytek Vigor 2130/2750
> 
> Those are the ones I tested, there are lots more, but according to
> http://www.getipv6.info/index.php/Broadband_CPE:
> "To date, there is not one complete implementation of IPv6 on a
> residential consumer-grade xDSL modem available in North America."

Another list of pointers can be found at 
http://labs.ripe.net/Members/mirjam/ipv6-cpe-surveys/.

Feedback on how these boxes do in a real environment is welcome as there is
still a lot of beta, unfinished implementations, bugs and vapourware around
these days.

Marco


RE: list archive

2010-12-05 Thread George Bonser
> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com]
> Sent: Sunday, December 05, 2010 2:57 PM
> To: Michael Painter
> Cc: North American Network Operators Group
> Subject: Re: list archive
> 
> >> how do i find archives of this list from the '90s and early '00s?
> > http://www.merit.edu/mail.archives/nanog/historical.html
> 
> how did you find that?  the link labeled "Historical NANOG List
> Archive"
> on the page http://nanog.org/mailinglist/mailarchives/ got me to this
> month's archive.
> 
> randy


This one goes back to April 1994: 

http://www.irbs.net/internet/nanog/

I can't seem to locate anything earlier.  Found with a Google search.




Re: list archive

2010-12-05 Thread Michael Costello
On Mon, 06 Dec 2010 07:56:30 +0900
Randy Bush  wrote:

> >> how do i find archives of this list from the '90s and early '00s?
> > http://www.merit.edu/mail.archives/nanog/historical.html
> 
> how did you find that?  the link labeled "Historical NANOG List
> Archive" on the page http://nanog.org/mailinglist/mailarchives/ got
> me to this month's archive.

After following the "Historical NANOG List Archive" link, there is
a box on the right-hand side of the page labeled "Archive Views"; click
"Historical".



Impact of Attacks and Outages

2010-12-05 Thread Glen Kent
Hi,

Is there any paper/link that discusses the financial repercussions
when an ISP's network goes down because of an attack/outage? What I am
looking at is something that I can explain to a lay person, about why
the networks need to remain secure so that they can't be hacked into,
as once it comes down, not only does it impact the ISP but also the
enterprises inside that service provider's domain.

I tried googling but couldn't really come up with something.

Any help in this regard would be really appreciated.

Glen



Re: list archive

2010-12-05 Thread Randy Bush
>>> http://www.merit.edu/mail.archives/nanog/historical.html
>> how did you find that?  the link labeled "Historical NANOG List
>> Archive" on the page http://nanog.org/mailinglist/mailarchives/ got
>> me to this month's archive.
> After following the the "Historical NANOG List Archive" link, there is
> a box on the right-hand side of the page labeled "Archive Views"; click
> "Historical".

thanks.

randy



Re: How do you do rDNS for IPv6 ?

2010-12-05 Thread Franck Martin


- Original Message -
> From: "Owen DeLong" 
> To: "John Levine" 
> Cc: nanog@nanog.org
> Sent: Sunday, 5 December, 2010 2:54:43 PM
> Subject: Re: How do you do rDNS for IPv6 ?
> On Dec 5, 2010, at 2:13 PM, John Levine wrote:
> 

> > When hosts self-configure their low 64 bits, do you install a suitable
> > PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it
> > install the DNS? Do you do something else?
> >
> If you care, you probably need to use DHCPv6 for this and it should be
> able to build both the AAAA and PTR records.
> 
Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the
IP address is built based on your network and the MAC address of the interface,
so it is not a random number changed at every connection.

I guess when you provision the machine, you can install the AAAA and PTR record
and then also put the MAC address in your access lists...



Re: Impact of Attacks and Outages

2010-12-05 Thread Dobbins, Roland

On Dec 6, 2010, at 7:53 AM, Glen Kent wrote:

> Any help in this regard would be really appreciated.

This 2009 report (and reports from previous years) may be of interest:



The 2010 report is in process right now, FYI.
 
Here're some additional presentations which may help:







---
Roland Dobbins  // 

   Sell your computer and buy a guitar.
Re: How do you do rDNS for IPv6 ?

2010-12-05 Thread Jima

On 12/5/2010 4:13 PM, John Levine wrote:

> In IPv4 land, it is standard to assign matching forward and reverse
> DNS for every live IP, and a fair number of services treat requests
> from hosts without rDNS with added scepticism. For consumer networks,
> it's often something like 12-34-56-78.adsl.incompetent.net, with the
> numbers being the IP address forward or backwards.
>
> So if every customer gets a /64, what do you do?  You can use a
> wildcard to give the same rDNS to all 2^64 addresses, but you can't do
> matching forward DNS, since a DNS response with 2^64 AAAA records
> would be, ah, a little unwieldy.


I thought the same thing, actually, which is why I made my own solution.  I
ended up writing a DNS server in perl (using Net::DNS::Nameserver) that
replies to reverse queries with a reproducible PTR -- generated by encoding
the IP in base32.  (Or the second half of the IP, in the case of a few "known"
networks.)  Forward queries for the matching name decode the base32.

The host-specific part of the DNS is kind of long (26 characters, or 13 for
known networks), but it's marginally shorter than the full IP (which would be
32/16 characters, without separators).  I'm pretty happy with the results, but
I'd love to hear if anyone's come up with more elegant solutions.


 Jima
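Added example (Python; not Jima's Perl server and not any list member's code) of the scheme this post describes, together with the ip6.arpa owner name from Owen's example earlier in the thread: each address maps to a reproducible base32 hostname (26 characters, or 13 for a "known" /64), and the forward answer is recomputed from that name rather than stored. The zone name v6.example.net and the known network 2001:db8:1234:5678::/64 are constructed values.

```python
# Added example: reproducible IPv6 rDNS via base32-encoded addresses, as
# described in the thread (not Jima's code).  Names below are constructed.
import base64
import ipaddress

RDNS_SUFFIX = "v6.example.net"
# Known networks get a shorter label from the low 64 bits only; each needs its
# own suffix so the forward lookup knows which prefix to put back.
KNOWN_NETWORKS = {
    "n1.v6.example.net": ipaddress.IPv6Network("2001:db8:1234:5678::/64"),
}


def ptr_owner_name(address: str) -> str:
    """ip6.arpa owner name: the 32 nibbles in reverse, as in Owen's example."""
    return ipaddress.IPv6Address(address).reverse_pointer


def synth_hostname(address: str) -> str:
    """Reproducible hostname for an address: base32 of the 16 address bytes
    (26 characters) or of the low 8 bytes inside a known /64 (13 characters).
    Base32's alphabet (A-Z, 2-7) is a valid DNS label as-is."""
    addr = ipaddress.IPv6Address(address)
    raw, suffix = addr.packed, RDNS_SUFFIX
    for known_suffix, net in KNOWN_NETWORKS.items():
        if addr in net:
            raw, suffix = addr.packed[8:], known_suffix
            break
    label = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return f"{label}.{suffix}"


def address_from_hostname(name: str):
    """Inverse of synth_hostname; None for names outside the scheme, so a
    forward query for an arbitrary label never yields an address."""
    label, _, suffix = name.lower().rstrip(".").partition(".")
    try:
        raw = base64.b32decode(label + "=" * (-len(label) % 8), casefold=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet/padding
        return None
    if suffix == RDNS_SUFFIX and len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    net = KNOWN_NETWORKS.get(suffix)
    if net is not None and len(raw) == 8:
        return str(ipaddress.IPv6Address(net.network_address.packed[:8] + raw))
    return None


def answer(qname: str, qtype: str):
    """What the nameserver would reply: PTR on an ip6.arpa name gives the
    synthetic hostname, AAAA on a synthetic hostname gives the address back,
    so forward and reverse always agree without storing any records."""
    qname = qname.lower().rstrip(".")
    if qtype == "PTR" and qname.endswith(".ip6.arpa"):
        nibbles = qname[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return synth_hostname(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        except ValueError:  # a nibble outside 0-9a-f
            return None
    if qtype == "AAAA":
        return address_from_hostname(qname)
    return None


if __name__ == "__main__":
    for ip in ("2620:0:930::200:2", "2001:db8:1234:5678:2ab:cdff:fe01:2345"):
        host = synth_hostname(ip)
        print(ptr_owner_name(ip), "PTR", host)
        print(host, "AAAA", address_from_hostname(host))
```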



Re: list archive

2010-12-05 Thread Randy Bush
> This one goes back to April 1994: 

before then, the opsish list was com-priv

randy



Over a decade of DDOS--any progress yet?

2010-12-05 Thread Sean Donelan


February 2000 weren't the first DDOS attacks, but the attacks on multiple
well-known sites did raise DDOS' visibility.

What progress has been made during the last decade at stopping DDOS attacks?

SMURF attacks creating a DDOS from directed broadcast replies seem to have
been mostly mitigated by changing defaults in major router OS's.

TCP SYN attacks creating a DDOS from leaving many half-open connections seem
to have been mostly mitigated with SYN Cookies or similar OS changes.

Other than buying lots of bandwidth and scrubber boxes, have any other DDOS
attack vectors been stopped or rendered useless during the last decade?


Spoofing?

Bots?

Protocol quirks?