Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread andrew.wallace
On Tue, Feb 8, 2011 at 4:11 AM,   wrote:
> On Mon, 07 Feb 2011 17:49:36 EST, Josh Smith said:
>
>> even if it was I suspect any service available via satellite might
>> suffer from similar problems if the methods used to disrupt
>> connectivity in Egypt were employed here.
>
> The real question isn't "If they shut you down, can you restart?".
>
> The real question is "If they shut you down, can you restart in a way that
> avoids them attempting a second shutdown with a bullet?"
>
>
>

May I suggest -

A bunker built for Scottish Office staff in the event of a nuclear attack is up
for sale. The complex at Cultybraggan Camp near Comrie, Perthshire, was completed
in 1990 and is believed to be one of the most advanced structures of its kind.
It was built to house 150 people and protect them from nuclear, biological and
electromagnetic attacks.
http://www.bbc.co.uk/news/uk-scotland-tayside-central-12311164

Andrew






Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Valdis . Kletnieks
On Mon, 07 Feb 2011 17:49:36 EST, Josh Smith said:

> even if it was I suspect any service available via satellite might
> suffer from similar problems if the methods used to disrupt
> connectivity in Egypt were employed here.

The real question isn't "If they shut you down, can you restart?".

The real question is "If they shut you down, can you restart in a way that
avoids them attempting a second shutdown with a bullet?"



I've joined NEWNOG

2011-02-07 Thread Owen DeLong
OK...

They got the IPv6 issues resolved, the page is working great now.

Yes, Paypal broke when I clicked the pay now button with IPv4 turned off.

However, everything else worked.

I've now paid my fee and joined NEWNOG.

Thanks to the technical crew for addressing this issue so promptly and showing
leadership in this area. Welcome NEWNOG to the NEW NET.

Owen




Re: BGP Looking glass and monitoring

2011-02-07 Thread Charles N Wyble

On 02/03/2011 03:59 PM, Bret Palsson wrote:
> I'm interested to know what tools everyone uses for the following:
> 
> Looking Glass server.

I think there was a recent thread on this subject. From this month
maybe. Not sure. Check the archives.

> BGP Monitoring

Can you expand on this? Something like bgpmon?

> BGP Management, ie. cost/preferred path management.

Not sure what is meant by this.

> 
> Does anyone use tools to make changes to configurations? For example svn. 
> How do you push changes? Manually, approval process, scripts?

I've used Network Authority Inventory. Looking at nocproject.org now.

> 
> Currently the only thing we use is subversion to track changes in 
> configurations.

Hey that's a step up from a lot of shops. :)

> Now that we are up to around 20 routers and growing we are looking for
> better methods to manage our infrastructure.

Sure. I'm sure folks here will have much to share. If we have any
subscribers after the last couple v6 wars. I guess I spoke too soon when
I said the threads seemed less trollish/childish. :)

> 
> Thanks guys!

Thanks for bringing up a solid operational topic and giving us a break. :)


-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 3:36 PM, Barney Wolff wrote:

> On Tue, Feb 08, 2011 at 10:26:16AM +1100, Mark Andrews wrote:
>> 
> ...
>> 
>> But please have them daisy chain CPE devices so that they are in
>> the X% that have more than one CPE devices connected today.  I agree
>> it should just work.  I've seen more than one household of non geeks
>> with multiple CPE devices.
>> 
>> e.g.
>>  cable/adsl CPE wired CPE wireless
> 
> When I do that, I use a lan port on CPE2 rather than the wan port.
> Using CPE2 as just a switch rather than a router/natbox makes life
> much simpler.
> 
> -- 
> Barney Wolff I never met a computer I didn't like.
> 

Unless you want to enforce policy between wired and wireless.

As soon as you want that, you need to put the wired on the WAN
port of the wireless. You also have to be careful about which
boxes you purchase since many will hard-coded assume that
the wireless is the internal trusted side of the equation.

Owen




Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Mark Andrews

In message <20110207233627.ga64...@pit.databus.com>, Barney Wolff writes:
> On Tue, Feb 08, 2011 at 10:26:16AM +1100, Mark Andrews wrote:
> > 
> ...
> > 
> > But please have them daisy chain CPE devices so that they are in
> > the X% that have more than one CPE devices connected today.  I agree
> > it should just work.  I've seen more than one household of non geeks
> > with multiple CPE devices.
> > 
> > e.g.
> > cable/adsl CPE wired CPE wireless
> 
> When I do that, I use a lan port on CPE2 rather than the wan port.
> Using CPE2 as just a switch rather than a router/natbox makes life
> much simpler.

Then you may as well have bought an access point.

> -- 
> Barney Wolff I never met a computer I didn't like.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Time Warner Transit

2011-02-07 Thread Christopher Wolff

Hey guys,

What are you thinking about Time Warner transit lately?  They claim to 
be fully ready to support IPv6.


Thanks in advance, you can hit me offlist if you're not able to share 
your TWTC opinion publicly.

Christopher



Re: Membership model

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 3:23 PM, John van Oppen wrote:

>>>> I'd be happy if https://newnog.org/join.php loaded a page instead of an
>>>> SSL error.
> 
> Good to see that you have working v6 connectivity.  :)This is being 
> worked on now, it is ironically only broken in v6.
> 
> 
> John
> 

Cool... Guess there is an issue beyond the AAAA record to getting the web site
on IPv6.

Anyway, glad they're working on it. I do want to join.

Owen




Re: US Warships jamming Lebanon Internet

2011-02-07 Thread George Herbert
On Mon, Feb 7, 2011 at 2:23 PM, Ryan Wilkins  wrote:
>
> On Feb 7, 2011, at 4:06 PM, Michael Painter wrote:
>>
>> Hi Denys
>> I doubt it's intentional jamming since I've had the same problem.
>> Aegis radar is very high power in full radiate mode and as such creates 
>> problems for Low Noise Amplifiers listening at 3.4-4.2 GHz.
>> Someone needs to talk to Microwave Filter Company.
>> http://www.microwavefilter.com/c-band_radar_elimination.htm
>>
>> --Michael
>
> +1 for Microwave Filter.  They've helped me out in a couple of jams before.
> They're very responsive and the products are good, too.

I think people in San Diego and near Norfolk, VA have the same problems.

The C-band frequencies are 2x those of the S-band (4-8 GHz for C, 2-4
GHz for S); if the SPY-1 / SPY-1D radar is frequency hopping it may
well step on someone's C-band links at twice the radar's basic
frequency.  Just need a filter to remove actual S-band frequencies
from C-band feeds.


-- 
-george william herbert
george.herb...@gmail.com



Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Barney Wolff
On Tue, Feb 08, 2011 at 10:26:16AM +1100, Mark Andrews wrote:
> 
...
> 
> But please have them daisy chain CPE devices so that they are in
> the X% that have more than one CPE devices connected today.  I agree
> it should just work.  I've seen more than one household of non geeks
> with multiple CPE devices.
> 
> e.g.
>   cable/adsl CPE wired CPE wireless

When I do that, I use a lan port on CPE2 rather than the wan port.
Using CPE2 as just a switch rather than a router/natbox makes life
much simpler.

-- 
Barney Wolff I never met a computer I didn't like.




Re: Membership model

2011-02-07 Thread Randy Carpenter
- Original Message -
> >>>I'd be happy if https://newnog.org/join.php loaded a page instead
> >>>of an SSL error.
> 
> Good to see that you have working v6 connectivity. :) This is being
> worked on now, it is ironically only broken in v6.
> 
> 
> John

Ahhh... that makes sense :-) Will check back later.

-Randy




Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Mark Andrews

In message <4d503e5e.5000...@ispalliance.net>, Scott Helms writes:
> On 2/7/2011 1:17 PM, Seth Mattinen wrote:
> > On 2/3/2011 08:38, Josh Smith wrote:
> >> Seth,
> >> What sort of ISP do your "not technically inclined" parents have that
> >> offers native ipv6? :-)
> >>
> >
> > I'm doing it via fixed wireless. They'll actually be my second access
> > customer to get native IPv6. My parents are a good test case for the
> > kind of user who doesn't care about the difference between IPv4 or IPv6
> > or the debates whether to /64 or not, only that the internet works.
> >
> > ~Seth
> >
> >
> Ahh, that makes them like 99.99% of all retail internet users.

But please have them daisy chain CPE devices so that they are in
the X% that have more than one CPE devices connected today.  I agree
it should just work.  I've seen more than one household of non geeks
with multiple CPE devices.

e.g.
cable/adsl CPE wired CPE wireless

Mark

> -- 
> Scott Helms
> Vice President of Technology
> ISP Alliance, Inc. DBA ZCorum
> (678) 507-5000
> 
> http://twitter.com/kscotthelms
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



RE: Membership model

2011-02-07 Thread John van Oppen
>>>I'd be happy if https://newnog.org/join.php loaded a page instead of an SSL 
>>>error.

Good to see that you have working v6 connectivity.  :)This is being worked 
on now, it is ironically only broken in v6.


John



Re: Membership model

2011-02-07 Thread Philip Dorr
No SSL errors here using Chrome, IE, or Firefox.

On Mon, Feb 7, 2011 at 5:16 PM, Randy Carpenter  wrote:
> - Original Message -
>> I'll happily join Newnog/NANOG and pay my dues when I can reach the
>> web site to do so
>> on IPv6 rather than legacy IPv4.
>>
>> Owen
>
> I'd be happy if https://newnog.org/join.php loaded a page instead of an SSL 
> error.
>
> -Randy
>
>
>



Re: Membership model

2011-02-07 Thread Randy Carpenter
- Original Message -
> I'll happily join Newnog/NANOG and pay my dues when I can reach the
> web site to do so
> on IPv6 rather than legacy IPv4.
> 
> Owen

I'd be happy if https://newnog.org/join.php loaded a page instead of an SSL 
error.

-Randy




Re: My upstream ISP does not support IPv6

2011-02-07 Thread Cutler James R
All this talk about CPE is wasted until folks like AT&T have someone on the
retail interface (store, phone, or web) who even knows what this "IPv6"
thing is.  Exploring this issue with DSL providers and Uverse is like that old
exercise with combat boots. It feels much better when I stop.

James R. Cutler
james.cut...@consultant.com

My ISP can't answer the question.




Re: My upstream ISP does not support IPv6

2011-02-07 Thread Blake Hudson

 Original Message  
Subject: My upstream ISP does not support IPv6
From: Franck Martin 
To: nanog@nanog.org
Date: Thursday, February 03, 2011 9:04:14 PM
> The biggest complaint that I hear from ISPs, is that their upstream ISP does 
> not support IPv6 or will not provide them with a native IPv6 circuit. 
>
> Is that bull? 
>
> I thought the whole backbone is IPv6 now, and it is only the residential ISPs 
> that are still figuring it out because CPE are still not there yet. 
>
> Where can I get more information? Any list of peering ISPs that have IPv6 as 
> part of their products? 
>
> It seems to me the typical answer sales people say when asked about IPv6: 
> "Gosh, this is the first time I'm asked this one". 

We've been checking with our two regional upstreams and the answer seems
to vary between 'not yet...', 'testing...', 'we're planning...' etc.
I've been checking with my technical contacts, vs sales people. Perhaps
if there was a drive from the sales perspective I could get more
traction - money talks.

In the meantime, we've set up a tunnel with HE. At least our network
will be tested and ready to go whenever native transit is available.

--Blake






Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Josh Smith
On Mon, Feb 7, 2011 at 5:01 PM, Ryan Wilkins  wrote:
>
> On Feb 7, 2011, at 3:53 PM, Josh Smith wrote:
>
>> I agree that setting up "local" connectivity between the folks in my
>> neighborhood wouldn't be too much of a challenge.  Getting anything
>> much beyond that up and running would be a stretch.
>
> Yeah, but the more people communicating the better.  I don't know what all my 
> neighbors are capable of doing.  Some of them may be capable of helping the 
> cause in ways that I hadn't considered.
>
> Regards,
> Ryan Wilkins
>
>

Ryan,
I agree the more people communicating the better.  I was just
commenting on what my own, and suspect many others on the list's
capabilities are.  While I would love to have access to a satellite
type of data service as a backup link it's simply not in my budget and
even if it was I suspect any service available via satellite might
suffer from similar problems if the methods used to disrupt
connectivity in Egypt were employed here.

Thanks,
-- 
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



Re: Membership model

2011-02-07 Thread Owen DeLong
Apologies to Mike,

It was not my intention to brow-beat him publicly. Indeed, I acknowledge
that he has the problem well in hand and is actively working on resolving
the issue.

My only intent was to point out to the person who claimed an ip6.arpa
record and a host which had an IPv6 address on its interface alone were
not a web site accessible on IPv6.

I fully expect the AAAA record to be placed soon and it looks like that
is the last remaining hurdle. Once that is done, I will pay my dues.

Owen

On Feb 7, 2011, at 2:10 PM, Patrick W. Gilmore wrote:

> [Reply-To: set to -futures@, as I don't think this is an operational issue.]
> 
> On Feb 7, 2011, at 4:55 PM, Owen DeLong wrote:
> 
>> Reaching the web site requires more than an ip6.arpa record.
>> 
>> It requires an AAAA record:
> 
> In the e-mail to which you are replying (and top-posting, no less :), Mike 
> said: "I'm bugging the powers-that-be about getting forward records working." 
>  While I agree doing v6 is nice and all, I think brow-beating an un-paid 
> volunteer on something they already said they were trying to get working is a 
> bit much.
> 
> Remember, this is a community effort.  The people running the web & name 
> servers are donating their time & their companies' resources to the 
> community.  If you believe they are doing it wrong, please step up and help.  
> Input is great, encouraged even.  Help is better.
> 
> Complaining about NewNOG (soon to be NANOG) is complaining about -yourself-.  
> If you are reading this message, you ARE NewNOG.
> 
> -- 
> TTFN,
> patrick
> 
> 
>> baikal:owen (68) ~ % host -t AAAA www.newnog.org
>>  2011/02/07 13:51:23
>> www.newnog.org has no AAAA record
>> 
>> And it requires the host answer on port 80 at its IPv6 address, which
>> does appear to already be the case.
>> 
>> So, when I'm informed that the AAAA record is up, I'll retest.
>> 
>> Owen
>> 
>> 
>> On Feb 7, 2011, at 1:45 PM, Scott Weeks wrote:
>> 
>>> 
>>> 
>>> ---
>>>> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
>>>> 
>>>>> I'll happily join Newnog/NANOG and pay my dues when I can reach the
>>>>> web site to do so on IPv6 rather than legacy IPv4.
>>> 
>>> Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
>>> getting forward records working.
>>> 
>>> [root@wa-geeks ~]# host 2001:4970::::2
>>> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa 
>>> domain name pointer www.newnog.org.
>>> --
>>> 
>>> 
>>> 
>>> Now your only question is check or pay pal...  :-)
>>> 
>>> scott
>> 
>> 
> 




Re: US Warships jamming Lebanon Internet

2011-02-07 Thread Ryan Wilkins

On Feb 7, 2011, at 4:06 PM, Michael Painter wrote:
> 
> Hi Denys
> I doubt it's intentional jamming since I've had the same problem.
> Aegis radar is very high power in full radiate mode and as such creates 
> problems for Low Noise Amplifiers listening at 3.4-4.2 GHz.
> Someone needs to talk to Microwave Filter Company.
> http://www.microwavefilter.com/c-band_radar_elimination.htm
> 
> --Michael

+1 for Microwave Filter.  They've helped me out in a couple of jams before.
They're very responsive and the products are good, too.

Ryan Wilkins


Re: Membership model

2011-02-07 Thread Benson Schliesser
We all know that many people have no IPv6 connectivity.  But I've only heard 
about future Internet-users without IPv4 connectivity...  I didn't realize it 
was reality for Owen today.

(Even my IPv6 phone via T-Mobile has NAT64 connectivity to www.newnog.org.)

Cheers,
-Benson


On Feb 7, 2011, at 4:10 PM, Patrick W. Gilmore wrote:

> [Reply-To: set to -futures@, as I don't think this is an operational issue.]
> 
> On Feb 7, 2011, at 4:55 PM, Owen DeLong wrote:
> 
>> Reaching the web site requires more than an ip6.arpa record.
>> 
>> It requires an AAAA record:
> 
> In the e-mail to which you are replying (and top-posting, no less :), Mike 
> said: "I'm bugging the powers-that-be about getting forward records working." 
>  While I agree doing v6 is nice and all, I think brow-beating an un-paid 
> volunteer on something they already said they were trying to get working is a 
> bit much.
> 
> Remember, this is a community effort.  The people running the web & name 
> servers are donating their time & their companies' resources to the 
> community.  If you believe they are doing it wrong, please step up and help.  
> Input is great, encouraged even.  Help is better.
> 
> Complaining about NewNOG (soon to be NANOG) is complaining about -yourself-.  
> If you are reading this message, you ARE NewNOG.
> 
> -- 
> TTFN,
> patrick
> 
> 
>> baikal:owen (68) ~ % host -t AAAA www.newnog.org
>>  2011/02/07 13:51:23
>> www.newnog.org has no AAAA record
>> 
>> And it requires the host answer on port 80 at its IPv6 address, which
>> does appear to already be the case.
>> 
>> So, when I'm informed that the AAAA record is up, I'll retest.
>> 
>> Owen
>> 
>> 
>> On Feb 7, 2011, at 1:45 PM, Scott Weeks wrote:
>> 
>>> 
>>> 
>>> ---
>>>> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
>>>> 
>>>>> I'll happily join Newnog/NANOG and pay my dues when I can reach the
>>>>> web site to do so on IPv6 rather than legacy IPv4.
>>> 
>>> Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
>>> getting forward records working.
>>> 
>>> [root@wa-geeks ~]# host 2001:4970::::2
>>> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa 
>>> domain name pointer www.newnog.org.
>>> --
>>> 
>>> 
>>> 
>>> Now your only question is check or pay pal...  :-)
>>> 
>>> scott
>> 
>> 
> 
> 




Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Jay Ashworth
- Original Message -
> From: "Nick Hilliard" 

> Subject: Re: Weekend Gedankenexperiment - The Kill Switch
> On 07/02/2011 21:53, Josh Smith wrote:
> > I agree that setting up "local" connectivity between the folks in my
> > neighborhood wouldn't be too much of a challenge. Getting anything
> > much beyond that up and running would be a stretch.
> 
> I can't help noticing some irony in seeing one nanog thread about
> working around a supposed government internet kill switch by using wireless
> transmission kit, and another about the US Navy reputedly trashing
> connectivity in an entire country by, uh, jamming wireless
> transmission links.

Irony != coincidence.

One is the government interrupting communications, and the other one 
is ... the government interrupting communications.

Oh look: those even came out in the same character positions.  :-)

Cheers,
-- jra



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Nick Hilliard

On 07/02/2011 21:53, Josh Smith wrote:

I agree that setting up "local" connectivity between the folks in my
neighborhood wouldn't be too much of a challenge.  Getting anything
much beyond that up and running would be a stretch.


I can't help noticing some irony in seeing one nanog thread about working 
around a supposed government internet kill switch by using wireless 
transmission kit, and another about the US Navy reputedly trashing 
connectivity in an entire country by, uh, jamming wireless transmission links.


Nick



Re: Membership model

2011-02-07 Thread Patrick W. Gilmore
[Reply-To: set to -futures@, as I don't think this is an operational issue.]

On Feb 7, 2011, at 4:55 PM, Owen DeLong wrote:

> Reaching the web site requires more than an ip6.arpa record.
> 
> It requires an AAAA record:

In the e-mail to which you are replying (and top-posting, no less :), Mike 
said: "I'm bugging the powers-that-be about getting forward records working."  
While I agree doing v6 is nice and all, I think brow-beating an un-paid 
volunteer on something they already said they were trying to get working is a 
bit much.

Remember, this is a community effort.  The people running the web & name 
servers are donating their time & their companies' resources to the community.  
If you believe they are doing it wrong, please step up and help.  Input is 
great, encouraged even.  Help is better.

Complaining about NewNOG (soon to be NANOG) is complaining about -yourself-.  
If you are reading this message, you ARE NewNOG.

-- 
TTFN,
patrick


> baikal:owen (68) ~ % host -t AAAA www.newnog.org
> 2011/02/07 13:51:23
> www.newnog.org has no AAAA record
> 
> And it requires the host answer on port 80 at its IPv6 address, which
> does appear to already be the case.
> 
> So, when I'm informed that the AAAA record is up, I'll retest.
> 
> Owen
> 
> 
> On Feb 7, 2011, at 1:45 PM, Scott Weeks wrote:
> 
>> 
>> 
>> ---
>>> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
>>> 
>>>> I'll happily join Newnog/NANOG and pay my dues when I can reach the
>>>> web site to do so on IPv6 rather than legacy IPv4.
>> 
>> Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
>> getting forward records working.
>> 
>> [root@wa-geeks ~]# host 2001:4970::::2
>> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa 
>> domain name pointer www.newnog.org.
>> --
>> 
>> 
>> 
>> Now your only question is check or pay pal...  :-)
>> 
>> scott
> 
> 




Re: US Warships jamming Lebanon Internet

2011-02-07 Thread Michael Painter

Denys Fedoryshchenko wrote:

> Hi
>
> I'm sysadmin of a Lebanese ISP.
> Almost at the same time I got heavy interference on a few of my C-Band carriers, and
> it looks like electronic warfare jamming, because I can see a phase modulated,
> very weak signal, but it is completely breaking almost any communications on
> my carriers.
>
> Strange thing, our uplink station confirms that the interference is not local
> on my side, but on the satellite carrier. If this is confirmed, that means it
> is not just miscommunication between authorities about frequency usage, it
> will be intentional damage to Lebanese communications.
>
> Sure it can be a coincidence in time or something else, but in the last 6 years I
> experienced similar terrible interference only during the 2006 Lebanon vs Israel
> war.



Hi Denys
I doubt it's intentional jamming since I've had the same problem.
Aegis radar is very high power in full radiate mode and as such creates
problems for Low Noise Amplifiers listening at 3.4-4.2 GHz.

Someone needs to talk to Microwave Filter Company.
http://www.microwavefilter.com/c-band_radar_elimination.htm

--Michael


Lebanon's Telecom minister is claiming that US Navy radar is blocking the
country's Internet.

http://www.naharnet.com/domino/tn/NewsDesk.nsf/0/93A95CA1A4E42178C225782E007371AF

"The problem, however, is due to a coordination error related to waves,"
Nahhas told OTV, adding that an investigation was underway to find out
whether this act is "intentional or not."

also at
http://www.naharnet.com/domino/tn/NewsDesk.nsf/Lebanon/EFCEF203B3C315A5C225782E0020C75F




Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Ryan Wilkins

On Feb 7, 2011, at 3:53 PM, Josh Smith wrote:

> I agree that setting up "local" connectivity between the folks in my
> neighborhood wouldn't be too much of a challenge.  Getting anything
> much beyond that up and running would be a stretch.

Yeah, but the more people communicating the better.  I don't know what all my 
neighbors are capable of doing.  Some of them may be capable of helping the 
cause in ways that I hadn't considered.

Regards,
Ryan Wilkins




Re: Membership model

2011-02-07 Thread Owen DeLong
Reaching the web site requires more than an ip6.arpa record.

It requires an AAAA record:

baikal:owen (68) ~ % host -t AAAA www.newnog.org
  2011/02/07 13:51:23
www.newnog.org has no AAAA record

And it requires the host answer on port 80 at its IPv6 address, which
does appear to already be the case.

So, when I'm informed that the AAAA record is up, I'll retest.

Owen


On Feb 7, 2011, at 1:45 PM, Scott Weeks wrote:

> 
> 
> ---
>> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
>> 
>>> I'll happily join Newnog/NANOG and pay my dues when I can reach the
>>> web site to do so on IPv6 rather than legacy IPv4.
> 
> Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
> getting forward records working.
> 
> [root@wa-geeks ~]# host 2001:4970::::2
> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa 
> domain name pointer www.newnog.org.
> --
> 
> 
> 
> Now your only question is check or pay pal...  :-)
> 
> scott
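The three things Owen's message above separates (a forward AAAA record, the host actually answering on its IPv6 address, and the ip6.arpa PTR, which is nice to have but proves nothing about reachability) can be checked mechanically. The script below is an added example, not code from the thread or from NewNOG: the hostname `www.example.net` and the `2001:db8::` addresses in the constructed scenarios are placeholders (the IPv6 documentation prefix), and `live_check` is an optional helper that needs network access and is not run by default.

```python
"""Is a web site really reachable over IPv6, or does it merely have a PTR?

Added example (not code from the thread).  The constructed scenarios use the
documentation prefix 2001:db8::/32 and the placeholder name www.example.net.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Ipv6WebCheck:
    """Facts needed to judge IPv6 reachability of one web site."""
    hostname: str
    aaaa: list        # forward AAAA answers, as strings
    ptr: dict         # IPv6 address -> PTR target returned by the resolver
    port_open: dict   # IPv6 address -> True if a TCP connect to the port succeeded


def ip6_arpa_name(addr: str) -> str:
    """Nibble-reversed ip6.arpa name for an IPv6 address (where its PTR lives)."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def address_from_ip6_arpa(name: str) -> str:
    """Inverse of ip6_arpa_name: recover the compressed address from a /128 PTR name."""
    suffix = ".ip6.arpa"
    name = name.rstrip(".").lower()
    if not name.endswith(suffix):
        raise ValueError("not an ip6.arpa name")
    nibbles = name[: -len(suffix)].split(".")
    if len(nibbles) != 32:
        raise ValueError("not a full /128 ip6.arpa name")
    return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))


def _norm(addr: str) -> str:
    """Canonical (compressed) spelling so dict lookups ignore leading zeros."""
    return str(ipaddress.IPv6Address(addr))


def assess(check: Ipv6WebCheck) -> list:
    """Classify the checks: AAAA present, AAAA address listening, PTR consistent.

    A PTR alone never makes the site reachable: without an AAAA record no client
    ever learns the address, so that case short-circuits to a single FAIL.
    """
    ptr = {_norm(k): v for k, v in check.ptr.items()}
    port_open = {_norm(k): v for k, v in check.port_open.items()}
    findings = []
    if not check.aaaa:
        findings.append("FAIL: no AAAA record; a PTR alone does not make the site reachable over IPv6")
        return findings
    for raw in check.aaaa:
        addr = _norm(raw)
        if port_open.get(addr, False):
            findings.append(f"OK: {addr} answers on the web port")
        else:
            findings.append(f"FAIL: {addr} (from AAAA) does not accept TCP connections")
        target = ptr.get(addr)
        if target is None:
            findings.append(f"WARN: {addr} has no PTR (cosmetic; does not block reachability)")
        elif target.rstrip(".").lower() != check.hostname.rstrip(".").lower():
            findings.append(f"WARN: PTR for {addr} is {target}, not {check.hostname}")
    return findings


def live_check(hostname: str, port: int = 80, timeout: float = 3.0) -> Ipv6WebCheck:
    """Gather the same facts from real DNS and real TCP connects (needs network).

    getaddrinfo with AF_INET6 approximates a AAAA lookup via the system resolver.
    """
    try:
        infos = socket.getaddrinfo(hostname, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        infos = []
    aaaa = sorted({info[4][0] for info in infos})
    ptr, port_open = {}, {}
    for addr in aaaa:
        try:
            ptr[addr] = socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            pass
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                port_open[addr] = True
        except OSError:
            port_open[addr] = False
    return Ipv6WebCheck(hostname, aaaa, ptr, port_open)


# Constructed scenario mirroring the thread: PTR and listener exist, AAAA missing.
SCENARIO_PTR_ONLY = Ipv6WebCheck(
    hostname="www.example.net",
    aaaa=[],
    ptr={"2001:db8::2": "www.example.net."},
    port_open={"2001:db8::2": True},
)

# Constructed scenario after the forward record is added (written uncompressed on purpose).
SCENARIO_FIXED = Ipv6WebCheck(
    hostname="www.example.net",
    aaaa=["2001:0db8:0000:0000:0000:0000:0000:0002"],
    ptr={"2001:db8::2": "www.example.net."},
    port_open={"2001:db8::2": True},
)

if __name__ == "__main__":
    for label, scenario in (("PTR only", SCENARIO_PTR_ONLY), ("fixed", SCENARIO_FIXED)):
        print(label, assess(scenario))
    # print(assess(live_check("www.example.net")))  # real DNS and TCP; uncomment to run
```

The PTR is deliberately only a warning: `address_from_ip6_arpa` shows that a reverse name does identify an address, but browsers never consult it, so it belongs in the "hygiene" column rather than the "reachable" column.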




Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Josh Smith
On Thu, Feb 3, 2011 at 11:46 PM, Ryan Wilkins  wrote:
>
> On Feb 3, 2011, at 10:10 PM, Jay Ashworth wrote:
>
>>  Original Message -
>>> What do you do when you get home to put it back on the air -- let's
>>> say email as a base service, since it is -- do you have the gear laying 
>>> around,
>>> and how long would it take?
>>
>> Focus on this part, BTW, folks; let's ignore the politics behind the
>> shutdown.  :-)
>>
>
> So if I get what you're saying, I could have something operational from 
> scratch in a few hours.  I've got a variety of Cisco routers and switches, 
> Linux and Mac OS X boxes in various shapes and sizes, and a five CPE + one AP 
> 5 GHz Mikrotik RouterOS-based radio system, 802.11b/g wireless AP, 800' of 
> Cat 5e cable, connectors, and crimpers.  The radios, if well placed, could 
> allow me to connect up several strategic locations, or perhaps use them to 
> connect to other sources of Internet access, if available.  If it really came 
> down to it, I could probably gather enough satellite communications gear from 
> the office to allow me to stand up satellite Internet to someone.  Of course, 
> the trick would be to talk to that "someone" to coordinate connectivity over 
> the satellite which may be hard to do given the communications outage you 
> described.  I wouldn't be so worried about transmitting to the satellite, in 
> this case I'd just transmit without authorization, but someone needs to be 
> receiving my transmission and vice versa for this to be useful.  At a 
> minimum, I could enable communications between my neighbors.
>
> Regards,
> Ryan Wilkins
>

I agree that setting up "local" connectivity between the folks in my
neighborhood wouldn't be too much of a challenge.  Getting anything
much beyond that up and running would be a stretch.

-- 
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



RE: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Koch, Andrew
On Mon, Feb 7, 2011 at 3:10 PM, Owen DeLong

> That's as close as I think I can get to an IPv6 CIDR report
> for the moment.

Looks like Geoff already has you set up.

http://www.cidr-report.org/v6/as2.0/

Andy Koch



RE: Membership model

2011-02-07 Thread Scott Weeks


---
> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
>
> > I'll happily join Newnog/NANOG and pay my dues when I can reach the
> > web site to do so on IPv6 rather than legacy IPv4.

Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
getting forward records working.

[root@wa-geeks ~]# host 2001:4970::::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa domain 
name pointer www.newnog.org.
--



Now your only question is check or pay pal...  :-)

scott



RE: Membership model

2011-02-07 Thread Michael K. Smith - Adhost
> -Original Message-
> From: Majdi S. Abbas [mailto:m...@latt.net]
> Sent: Monday, February 07, 2011 1:29 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: Membership model
> 
> On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
> > I'll happily join Newnog/NANOG and pay my dues when I can reach the
> > web site to do so on IPv6 rather than legacy IPv4.
> 
>   I noticed that too, but shoot, I'm not even sure their
> host supports it.
> 
>   Besides, you'd still be v4 to Paypal.
> 
>   I opted to use IPv0 and mail them a check.
> 
>   --msa

Yes it does.  2001:4970::::2  I'm bugging the powers-that-be about 
getting forward records working.

[root@wa-geeks ~]# host 2001:4970::::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.7.7.e.e.e.e.0.7.9.4.1.0.0.2.ip6.arpa domain 
name pointer www.newnog.org.

Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)





Re: Membership model

2011-02-07 Thread Majdi S. Abbas
On Mon, Feb 07, 2011 at 12:40:41PM -0800, Owen DeLong wrote:
> I'll happily join Newnog/NANOG and pay my dues when I can reach the 
> web site to do so on IPv6 rather than legacy IPv4.

I noticed that too, but shoot, I'm not even sure their
host supports it.

Besides, you'd still be v4 to Paypal.

I opted to use IPv0 and mail them a check.

--msa



Re: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread c...@daydream.com
If you look at Gert Doering's slides that I presented at NANOG (in the IPv6
Deployment Experiences track)  I believe it is 1.4 prefixes per ASN in IPv6
and something like 10.5 prefixes per ASN in IPv4.   There are also
descriptions of the reasons for some of these multiple advertisements in
IPv6 as well as how many ASNs have just one and how many have 2 etc.   The
slides are here

http://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk13.Aronson-doring-v6-table.pdf

Enjoy!
-Cathy

On Mon, Feb 7, 2011 at 2:10 PM, Owen DeLong  wrote:

>
> On Feb 7, 2011, at 12:19 PM, Matthew Petach wrote:
>
> > On Mon, Feb 7, 2011 at 12:04 PM, Owen DeLong  wrote:
> >>
> > ...
> >> On the other hand, when we can deprecate global routing of IPv4, we
> >> will see an earth shattering improvement as the current 10:1 prefix
> >> to provider ratio (300,000 prefixes for ~30,000 active ASNs) drops
> >> to something more like 2:1 in IPv6 due to providers not having to
> >> constantly run back to the RIR for additional slow-start allocations.
> >>
> >> Owen
> >
> > I suspect as we start seeing the CIDR report for IPv6, we'll see that
> > ASNs are announcing considerably more prefixes than that, in order
> > to localize traffic better.  I don't think it'll be 300,000 prefixes, but
> > I'd be willing to bet it'll be more than 100,000--not exactly "earth
> > shattering improvement".
> >
> > Matt
> > (hopeless deaggregator)
>
> Currently: 3,134 IPv6 ASNs active.
> Currently: 4,265 IPv6 prefixes.
>
> Looks like less than 2:1 to me.
>
> That's as close as I think I can get to an IPv6 CIDR report for the moment.
>
> Owen
>
>
>


Re: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 12:19 PM, Matthew Petach wrote:

> On Mon, Feb 7, 2011 at 12:04 PM, Owen DeLong  wrote:
>> 
> ...
>> On the other hand, when we can deprecate global routing of IPv4, we
>> will see an earth shattering improvement as the current 10:1 prefix
>> to provider ratio (300,000 prefixes for ~30,000 active ASNs) drops
>> to something more like 2:1 in IPv6 due to providers not having to
>> constantly run back to the RIR for additional slow-start allocations.
>> 
>> Owen
> 
> I suspect as we start seeing the CIDR report for IPv6, we'll see that
> ASNs are announcing considerably more prefixes than that, in order
> to localize traffic better.  I don't think it'll be 300,000 prefixes, but
> I'd be willing to bet it'll be more than 100,000--not exactly "earth
> shattering improvement".
> 
> Matt
> (hopeless deaggregator)

Currently: 3,134 IPv6 ASNs active.
Currently: 4,265 IPv6 prefixes.

Looks like less than 2:1 to me.

That's as close as I think I can get to an IPv6 CIDR report for the moment.

Owen




Re: Failure modes: NAT vs SPI

2011-02-07 Thread Iljitsch van Beijnum
On 7 feb 2011, at 17:15, Jay Ashworth wrote:

>> Ok, I had a hard time making up my mind whether a sarcastic or a
>> factual response was in order...

> I see you decided to go with "sarcastic".

Not sure if Owen noticed...  :-)

> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...

Well, no and yes. There's only a few panes of glass keeping people out of most 
houses. We know glass is easy to break. We know it gets broken and people get 
in who aren't wanted there once in a while. Still only a few people see the 
need to install steel bars in front of their windows.

In real life we take risks all the time. In the networked world somehow it 
always has to be all or nothing, with few people occupying the reasonable 
middle ground.

But in this case, we know there's a potential problem and waiting for it to 
become acute is not the best approach.

> So, you're not going to actually address the problem seriously?

Vendors should modify their neighbor discovery implementations such that it
still works even when large numbers of addresses are scanned. The easiest way
would be to keep only a limited number of incomplete ND cache entries and throw
those away on an LRU basis, but create a full ND cache entry that is kept around
when a neighbor advertisement is received, even if there is no incomplete ND
cache entry at that time. AFAIK the incomplete ND cache entries don't do
anything we can't do without.

"Solving" this with NAT is the classic example of shooting a mosquito with a
cannon.

I also don't think any protocol modifications are necessary.

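The bounded, LRU-evicted INCOMPLETE table with accepted "orphan" neighbor advertisements that Iljitsch describes above, as an added example that is not code from the post or from any vendor: a toy router-side ND cache, run against a constructed /64 scan and compared with an unbounded cache and with a bounded cache that discards an NA that has no pending entry. The prefix, hosts and MAC addresses are constructed sample data; `NDCache`, `run_scan` and `compare` are hypothetical names.

```python
"""Added example (not code from the post or from any vendor): a toy router-side
IPv6 Neighbor Discovery cache that keeps only a bounded number of INCOMPLETE
entries, evicts them LRU, and still installs a REACHABLE entry when a Neighbor
Advertisement arrives after its INCOMPLETE entry was thrown away."""
from collections import OrderedDict
import ipaddress


class NDCache:
    """max_incomplete=None means unbounded (the behaviour a /64 scan exhausts).
    accept_orphan_na=True is the change suggested in the post above."""

    def __init__(self, max_incomplete, accept_orphan_na):
        self.max_incomplete = max_incomplete
        self.accept_orphan_na = accept_orphan_na
        self.incomplete = OrderedDict()   # dst -> True, least recently used first
        self.reachable = {}               # dst -> link-layer address
        self.evictions = 0

    def forward(self, dst):
        """A packet for on-link address dst arrives at the router."""
        if dst in self.reachable:
            return "forward"
        if dst in self.incomplete:
            self.incomplete.move_to_end(dst)     # refresh LRU position
            return "queued"
        if self.max_incomplete is not None and len(self.incomplete) >= self.max_incomplete:
            self.incomplete.popitem(last=False)  # drop the least recently used entry
            self.evictions += 1
        self.incomplete[dst] = True              # send NS, remember we are waiting
        return "solicit"

    def neighbor_advertisement(self, src, lladdr):
        """NA from src: returns True if a REACHABLE entry was created."""
        had_incomplete = self.incomplete.pop(src, None) is not None
        if had_incomplete or self.accept_orphan_na:
            self.reachable[src] = lladdr
            return True
        return False                             # strict: orphan NA discarded


# Constructed sample LAN: documentation prefix, three real hosts, made-up MACs.
SUBNET = ipaddress.IPv6Network("2001:db8:0:1::/64")
REAL_HOSTS = {SUBNET[0x10]: "00:00:5e:00:53:10",
              SUBNET[0x20]: "00:00:5e:00:53:20",
              SUBNET[0x30]: "00:00:5e:00:53:30"}


def run_scan(cache, scan_packets, legit_every=50, na_delay=8):
    """Scanner sends one packet per step to consecutive unused addresses.
    Every legit_every steps a packet for a real host also arrives; a real
    host that was solicited answers with an NA na_delay steps later.
    Returns how many real hosts ended up REACHABLE."""
    pending = []                                 # (step_due, host)
    hosts = list(REAL_HOSTS)
    for step in range(scan_packets):
        for due, host in pending:                # deliver NAs that are due
            if due <= step:
                cache.neighbor_advertisement(host, REAL_HOSTS[host])
        pending = [p for p in pending if p[0] > step]
        if step % legit_every == 0:
            host = hosts[(step // legit_every) % len(hosts)]
            if cache.forward(host) == "solicit":
                pending.append((step + na_delay, host))
        cache.forward(SUBNET[0x1000 + step])     # scan packet to an empty address
    for _, host in pending:                      # drain NAs still in flight
        cache.neighbor_advertisement(host, REAL_HOSTS[host])
    return sum(1 for h in REAL_HOSTS if h in cache.reachable)


def compare(scan_packets=500, max_incomplete=4):
    """Run the same scan against the three cache policies."""
    results = {}
    for name, bound, orphan in (("unbounded", None, False),
                                ("bounded_strict", max_incomplete, False),
                                ("bounded_orphan_ok", max_incomplete, True)):
        cache = NDCache(bound, orphan)
        reachable = run_scan(cache, scan_packets)
        results[name] = {"real_hosts_reachable": reachable,
                         "incomplete_entries": len(cache.incomplete),
                         "evictions": cache.evictions}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18} {r}")
```

Accepting an NA with no matching INCOMPLETE entry means any on-link node can install REACHABLE entries, so that table needs its own bound and rests on the same on-link trust assumptions ND already makes.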

Re: Membership model

2011-02-07 Thread kris foster

On Feb 7, 2011, at 12:40 PM, Owen DeLong wrote:

> I'll happily join Newnog/NANOG and pay my dues when I can reach the web site
> to do so on IPv6 rather than legacy IPv4.

http://newnog.org/wg.php

I'm sure the technical WG will be happy to hear you're volunteering.

--
kris


Re: "Leasing" of space via non-connectivity providers

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 10:25 AM, Randy Bush wrote:

>> So, what exactly is broken and needs to be changed?
> 
> the policy making process.  we have created a minor industry in telling
> other people how to run their network.
> 
> how about no more ipv4 policy proposals and charge $1,000 to file an
> ipv6 policy proposal?
> 
> randy

If you believe this is a good idea, submit it to the ARIN Consultation and
Suggestion Process.

If not, then I'm willing to bet you could actually find something more
constructive to do than making comments like this.

Owen




Membership model

2011-02-07 Thread Owen DeLong
I'll happily join Newnog/NANOG and pay my dues when I can reach the web site to
do so on IPv6 rather than legacy IPv4.

Owen




Re: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Matthew Petach
On Mon, Feb 7, 2011 at 12:04 PM, Owen DeLong  wrote:
>
...
> On the other hand, when we can deprecate global routing of IPv4, we
> will see an earth shattering improvement as the current 10:1 prefix
> to provider ratio (300,000 prefixes for ~30,000 active ASNs) drops
> to something more like 2:1 in IPv6 due to providers not having to
> constantly run back to the RIR for additional slow-start allocations.
>
> Owen

I suspect as we start seeing the CIDR report for IPv6, we'll see that
ASNs are announcing considerably more prefixes than that, in order
to localize traffic better.  I don't think it'll be 300,000 prefixes, but
I'd be willing to bet it'll be more than 100,000--not exactly "earth
shattering improvement".

Matt
(hopeless deaggregator)



Re: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 8:30 AM, William Herrin wrote:

> On Mon, Feb 7, 2011 at 9:25 AM, Jamie Bowden  wrote:
>> It would help if we weren't shipping the routing equivalent of the pre
>> DNS /etc/hosts all over the network (it's automated, but it's still the
>> equivalent).  There has to be a better way to handle routing information
>> than what's currently being done.
> 
> Hi Jamie,
> 
> Consensus in the routing research arena is that it's a layer boundary
> problem. Layer 4/5 (TCP, various UDP-based protocols) intrudes too
> deeply into layer 3. Sessions are statically bound at creation to the
> layer 3 address. Unlike the dynamic MAC to IP bindings (with ARP) the
> TCP to IP bindings can't change during the potentially long-lived
> session. Thus route proliferation is needed to maintain them.
> 
> Much better routing protocols are possible, but you first either have
> to break layer 3 in half (with a dynamic binding between the two
> halves that renders the lower half inaccessible to layer 4) or you
> have to redesign TCP with dynamic bindings to the layer 3 address.
> Ideas like LISP take the former approach. Ideas like SCTP and
> Multipath TCP take the latter. The deployment prospects are not
> promising.
> 
> Modest improvements like FIB compression are in the pipeline for DFZ
> routing, but don't expect any earth shattering improvements.
> 
On the other hand, when we can deprecate global routing of IPv4, we
will see an earth shattering improvement as the current 10:1 prefix
to provider ratio (300,000 prefixes for ~30,000 active ASNs) drops
to something more like 2:1 in IPv6 due to providers not having to
constantly run back to the RIR for additional slow-start allocations.

Owen




RE: Web Server and Firewall Hellp

2011-02-07 Thread Ingo Flaschberger

> I run a web server based on Ubuntu Server and the LAMP stack.
> I used Ubuntu's UFW firewall model and have enabled only the web and SSH ports,
> namely port 80 and port 22 only.
>
> Unfortunately once in a while some guys get to inject some content onto our
> web pages.
>
> Now management is looking at getting a well-proven infrastructure to
> counter that. But I also think I can fall back on this community to help me
> get the right stuff done, where I can protect the server from such attacks.
>
> I want to know what measures I can take on the server to get it protected, and
> which MySQL protection I should implement, since I can see that it might be a
> PHP or MySQL injection that is being used.
>
> Currently I run these security measures on it:
> Ubuntu UFW
> Fail2ban
> PHP model security
> Apache security


Have a look at mod_security; it helps very successfully against outdated,
exploitable user web pages.

mod_security is a layer 7 firewall which runs as an Apache module.

Kind regards,
Ingo Flaschberger



Root Zone DNSSEC KSK Ceremony 4 (UTC correction)

2011-02-07 Thread Joe Abley
> KSK CEREMONY 4
> 
> The fourth KSK ceremony for the root zone will take place in El
> Segundo, CA, USA on Monday 2011-02-07. The ceremony is scheduled
> to begin at 1300 local time (1700 UTC) and is expected to end by
> 1900 local time (2300 UTC).

Apologies for the time zone miscalculation.

El Segundo is in the Pacific time zone, UTC-8.

The ceremony is scheduled to begin at 1300 local time (2100 UTC)
and is expected to end by 1900 local time (2011-02-08 0300 UTC).


Joe



Root Zone DNSSEC KSK Ceremony 4

2011-02-07 Thread Joe Abley
KSK CEREMONY 4

The fourth KSK ceremony for the root zone will take place in El
Segundo, CA, USA on Monday 2011-02-07. The ceremony is scheduled
to begin at 1300 local time (1700 UTC) and is expected to end by
1900 local time (2300 UTC).

Video from Ceremony 4 will be recorded for audit purposes.  Video
and associated audit materials will be published 1 to 2 weeks after
the ceremony, and will be available as usual by following the "KSK
Ceremony Materials" link at .

ICANN will operate a separate camera whose video will not be retained
for audit purposes, but which will instead be streamed live in order
to provide remote observers an opportunity to watch the ceremony.
The live stream will be provided on a best-effort basis. The live
video stream will be available at .

Ceremony 4 will include processing of a Key Signing Request (KSR)
generated by VeriSign, and the resulting Signed Key Response (SKR)
will contain signatures for Q2 2011, for use in the root zone between
2011-04-01 and 2011-07-05.


CONTACT INFORMATION
 
We'd like to hear from you. If you have feedback for us, please
send it to roots...@icann.org.




RE: Web Server and Firewall Hellp

2011-02-07 Thread Brandon Kim

If you're getting SQL injections through your website, then you have to look at
the programming of your website. It has nothing to do with your firewall.
Definitely patch and update all your software running LAMP, but you also have
to check how you allow input on your websites.




> Subject: Re: Web Server and Firewall Hellp
> From: ts...@oitc.com
> Date: Mon, 7 Feb 2011 13:26:39 -0500
> To: joshua.kl...@gmail.com
> CC: nanog@nanog.org
> 
> 
> On Feb 7, 2011, at 1:18 PM, Joshua William Klubi wrote:
> 
> > Hi,
> > 
> > I run a web server based on Ubuntu Server and the LAMP stack.
> > I used Ubuntu's UFW firewall model and have enabled only the web and SSH ports,
> > namely port 80 and port 22 only.
> >
> > Unfortunately once in a while some guys get to inject some content onto our
> > web pages.
> >
> > Now management is looking at getting a well-proven infrastructure to
> > counter that. But I also think I can fall back on this community to help me
> > get the right stuff done, where I can protect the server from such attacks.
> >
> > I want to know what measures I can take on the server to get it protected, and
> > which MySQL protection I should implement, since I can see that it might be a
> > PHP or MySQL injection that is being used.
> >
> > Currently I run these security measures on it:
> > Ubuntu UFW
> > Fail2ban
> > PHP model security
> > Apache security
> 
> Josh
> 
> Patch your LAMP, collab env, builtin boards and everything, make sure MySQL
> has a password on it since it doesn't out of the box, also update all
> passwords to hard ones and change all updates in the future to not use ftp
> first. Close firewall ports you are not using and then check your logs to
> see what vulnerabilities you still have if any.
> 
> Tom
> 
> 
  

Re: US Warships jamming Lebanon Internet

2011-02-07 Thread Randy Bush
i can not ping the in-country secondaries for the LB cctld.  been the
same for a few days.

i visited last (northern) fall.  what a beautiful country with such a
tragic layer nine.

randy



Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Scott Helms

On 2/7/2011 1:17 PM, Seth Mattinen wrote:

> On 2/3/2011 08:38, Josh Smith wrote:
>
>> Seth,
>> What sort of ISP do your "not technically inclined" parents have that
>> offers native ipv6? :-)
>
> I'm doing it via fixed wireless. They'll actually be my second access
> customer to get native IPv6. My parents are a good test case for the
> kind of user who doesn't care about the difference between IPv4 or IPv6
> or the debates whether to /64 or not, only that the internet works.
>
> ~Seth


Ahh, that makes them like 99.99% of all retail internet users.

--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000

http://twitter.com/kscotthelms





Re: "Leasing" of space via non-connectivity providers

2011-02-07 Thread Peter Maccauley
All this talk of ARIN's power and rights versus others is rather despairing. I 
will now explain what we, a  'non-connectivity' ISP, are providing as useful 
service.

Many of our customers value anonymity/pseudonymity. We can provide these things.
Sure, there is a great potential for abuse, but we take steps to prevent this, 
such as careful control over port 25.

Our customers can appear on the net from one of several IPv4 addresses in
various places, which can be used for testing location-based services. Yes,
this could be abused.

We can aggregate broadband connections at our router, or provide instant 
switchover. This is useful for various people and organizations which have to 
use low-grade broadband (consumer quality, or often consumer quality relabeled 
'business' and sold at a higher price).

We find a way for people to use their legacy space. A few hobbyist types with 
their legacy Class Cs are customers.

We've managed to get around some censorship blocks. Private http proxies to 
facebook/youtube and other less-known sites have an IP in some of our space. 
This is not saying these named organizations are our customers (nor am I saying 
they are not).

We remain quiet at the moment because we do not have the infrastructure in
place to handle any more traffic than the people who have found out about us by
word-of-mouth. Maintaining a low profile also allows us to escape being added
to lists of those censors of one type or another. It has allowed us to avoid
spammers, thieves and crackers as customers.

I hope that many of you will see our use of IP space as a legitimate one. Like 
many of the rest of you, we provide services which may be valuable to 
spammers/crackers, but this doesn't mean we're in bed with them. If ARIN/RIPE 
etc ever decide to edit their databases in a way that interferes with our 
valuable services, I hope that some of you will raise an alarm in our defense.



  


Re: Web Server and Firewall Hellp

2011-02-07 Thread TR Shaw

On Feb 7, 2011, at 1:18 PM, Joshua William Klubi wrote:

> Hi,
> 
> I run a web server based on Ubuntu Server and the LAMP stack.
> I used Ubuntu's UFW firewall model and have enabled only the web and SSH ports,
> namely port 80 and port 22 only.
>
> Unfortunately once in a while some guys get to inject some content onto our
> web pages.
>
> Now management is looking at getting a well-proven infrastructure to
> counter that. But I also think I can fall back on this community to help me
> get the right stuff done, where I can protect the server from such attacks.
>
> I want to know what measures I can take on the server to get it protected, and
> which MySQL protection I should implement, since I can see that it might be a
> PHP or MySQL injection that is being used.
>
> Currently I run these security measures on it:
> Ubuntu UFW
> Fail2ban
> PHP model security
> Apache security

Josh

Patch your LAMP, collab env, builtin boards and everything, make sure MySQL
has a password on it since it doesn't out of the box, also update all
passwords to hard ones and change all updates in the future to not use ftp
first. Close firewall ports you are not using and then check your logs to see
what vulnerabilities you still have if any.

Tom




Re: "Leasing" of space via non-connectivity providers

2011-02-07 Thread Randy Bush
> So, what exactly is broken and needs to be changed?

the policy making process.  we have created a minor industry in telling
other people how to run their network.

how about no more ipv4 policy proposals and charge $1,000 to file an
ipv6 policy proposal?

randy



WebServer and Firewall Help

2011-02-07 Thread Joshua William Klubi
Hi,

I run a web server based on Ubuntu Server and the LAMP stack.
I used Ubuntu's UFW firewall model and have enabled only the web and SSH ports,
namely port 80 and port 22 only.

Unfortunately once in a while some guys get to inject some content onto our
web pages.

Now management is looking at getting a well-proven infrastructure to
counter that. But I also think I can fall back on this community to help me
get the right stuff done, where I can protect the server from such attacks.

I want to know what measures I can take on the server to get it protected, and
which MySQL protection I should implement, since I can see that it might be a
PHP or MySQL injection that is being used.

Currently I run these security measures on it:
Ubuntu UFW
Fail2ban
PHP model security
Apache security

Joshua


Web Server and Firewall Hellp

2011-02-07 Thread Joshua William Klubi
Hi,

I run a web server based on Ubuntu Server and the LAMP stack.
I used Ubuntu's UFW firewall model and have enabled only the web and SSH ports,
namely port 80 and port 22 only.

Unfortunately once in a while some guys get to inject some content onto our
web pages.

Now management is looking at getting a well-proven infrastructure to
counter that. But I also think I can fall back on this community to help me
get the right stuff done, where I can protect the server from such attacks.

I want to know what measures I can take on the server to get it protected, and
which MySQL protection I should implement, since I can see that it might be a
PHP or MySQL injection that is being used.

Currently I run these security measures on it:
Ubuntu UFW
Fail2ban
PHP model security
Apache security

Joshua


Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Seth Mattinen
On 2/3/2011 08:38, Josh Smith wrote:
> Seth,
> What sort of ISP do your "not technically inclined" parents have that
> offers native ipv6? :-)
> 


I'm doing it via fixed wireless. They'll actually be my second access
customer to get native IPv6. My parents are a good test case for the
kind of user who doesn't care about the difference between IPv4 or IPv6
or the debates whether to /64 or not, only that the internet works.

~Seth



Re: Failure modes: NAT vs SPI

2011-02-07 Thread Jack Bates



On 2/7/2011 10:43 AM, valdis.kletni...@vt.edu wrote:

> For what it's worth, I've never seen an IPv6 scan cause a problem for our
> network.  Not saying that such a scan *wouldn't* cause a problem, but the fact
> we've been doing it for over a decade and not seen a big problem seems to go
> counter to "everyone who turns on IPv6 gets hit by it".


I think it becomes a problem only in certain architectures, i.e.
providing /64 subnets without SPI can lead to a scan actually being able to
have an effect on ND.


This implies that many networks aren't necessarily affected by it, as
they implement a certain level of security.


I'd also surmise that IPv6 scanning isn't as prevalent today as it will 
be at some point. Nachi was an interesting (even if illegal) concept 
except for being overly aggressive.



Jack



Re: What's really needed is a routing slot market

2011-02-07 Thread Jack Bates



On 2/7/2011 10:30 AM, William Herrin wrote:

> Ideas like LISP take the former approach. Ideas like SCTP and
> Multipath TCP take the latter. The deployment prospects are not
> promising.


I'm rusty on LISP, but I believe it was designed to solve the DFZ
problem itself, while SCTP and Multipath TCP solve issues such as being
able to change the layer 3 address on an existing connection (supporting
rapid renumbering and multipath failover/load balancing utilizing
multiple layer 3 addresses, one per path).


In an ideal world, we'd be using both.


Jack



Re: Failure modes: NAT vs SPI

2011-02-07 Thread Valdis . Kletnieks
On Mon, 07 Feb 2011 11:15:51 EST, Jay Ashworth said:
> > From: "Iljitsch van Beijnum" 
> > This is of course a very big problem, and one of the reasons why
> > everyone who's tried IPv6 immediately turns it off again: script
> > kiddies are continuously scanning the entire IPv6 address space so
> > this happens to regular IPv6 users all the time.
> 
> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...

Iljitsch's claim is that enough script kiddies *are* doing it now that people's
routers crash and they turn off IPv6, not that "people are so scared of it they
panic and turn it off before they see if it's a problem".

For what it's worth, I've never seen an IPv6 scan cause a problem for our
network.  Not saying that such a scan *wouldn't* cause a problem, but the fact
we've been doing it for over a decade and not seen a big problem seems to go
counter to "everyone who turns on IPv6 gets hit by it".





Re: "Leasing" of space via non-connectivity providers

2011-02-07 Thread David Conrad
On Feb 6, 2011, at 2:51 PM, Randy Bush wrote:
> it is both amusing and horrifying to watch two old dogs argue about
> details of written rules as if common sense had died in october 1998.

http://xkcd.com/386/

> what is good for the internet?  what is simple?  what is pragmatic?  if
> the answer is not simple and obvious, we should go break something else.

As would seem apparent, what is simple and obvious to some may be insane and 
Byzantine to others.

Increasingly interesting times.

Regards,
-drc




Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-07 Thread Lamar Owen
On Saturday, February 05, 2011 11:29:44 pm Fred Baker wrote:
> To survive an EMP, electronics needs some fancy circuitry. I've never worked 
> with a bit of equipment that had it. It would therefore have to have been 
> through path redundancy.

Surviving EMP is similar to surviving several (dozen) direct lightning strikes, 
and requires the same sort of protection, both in terms of shielding and in 
terms of filtering, as well as the methods used for connections, etc.  There is 
plenty of documentation out there on how to do this, even with commercial 
stuff, if you look.

The biggest issue in EMP is power, however, since the grid in the affected area 
will likely be down.



Re: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread William Herrin
On Mon, Feb 7, 2011 at 9:25 AM, Jamie Bowden  wrote:
> It would help if we weren't shipping the routing equivalent of the pre
> DNS /etc/hosts all over the network (it's automated, but it's still the
> equivalent).  There has to be a better way to handle routing information
> than what's currently being done.

Hi Jamie,

Consensus in the routing research arena is that it's a layer boundary
problem. Layer 4/5 (TCP, various UDP-based protocols) intrudes too
deeply into layer 3. Sessions are statically bound at creation to the
layer 3 address. Unlike the dynamic MAC to IP bindings (with ARP) the
TCP to IP bindings can't change during the potentially long-lived
session. Thus route proliferation is needed to maintain them.

Much better routing protocols are possible, but you first either have
to break layer 3 in half (with a dynamic binding between the two
halves that renders the lower half inaccessible to layer 4) or you
have to redesign TCP with dynamic bindings to the layer 3 address.
Ideas like LISP take the former approach. Ideas like SCTP and
Multipath TCP take the latter. The deployment prospects are not
promising.

Modest improvements like FIB compression are in the pipeline for DFZ
routing, but don't expect any earth shattering improvements.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



New IPv4 block allocated to RIPE NCC

2011-02-07 Thread Andrea Cima

[Apologies for duplicate mails]

Dear Colleagues,

The RIPE NCC has received the IPv4 address range 185/8 from the IANA.

This is the final allocation of IPv4 address space that the RIPE NCC
will receive from the IANA as stated in ripe-436, "Global Policy for the
Allocation of the Remaining IPv4 Address Space".

The minimum allocation size for this /8 has been set at /22.

You may wish to adjust any filters you have in place accordingly.

More information on the IP address space administered by the RIPE NCC
can be found on our website at:

https://www.ripe.net/ripe/docs/ripe-ncc-managed-address-space.html

Additionally, please note that three "pilot" prefixes will be announced
from this /8. The prefixes are:

185.0.0.0/16
185.1.0.0/21
185.1.24.0/24

They all originate in AS12654.

The pingable addresses will be:

185.0.0.1
185.1.0.1
185.1.24.1

More information on this activity is available in the document
"De-Bogonising New Address Blocks", which can be found at:

http://www.ripe.net/ripe/docs/ripe-351.html


Kind regards,

Andrea Cima
Registration Services Manager
RIPE NCC







Re: Failure modes: NAT vs SPI

2011-02-07 Thread Jay Ashworth
- Original Message -
> From: "Iljitsch van Beijnum" 

> On 4 feb 2011, at 22:02, Dave Cardwell wrote:
> > Without wanting to get into whether NAT provides security to hosts
> > that exist on the inside. I am curious if the potential to overflow
> > ND caches with incomplete* entries exists on currently shipping CPE
> > hardware and if NAT helps prevent this?
> 
> > e.g.
> > In v4 with a /24 on the inside an attacker can send a single packet to
> > each consecutive address causing at most 254 arp requests to be sent
> > on the lan segment and up to 253 incomplete entries, until they
> > timeout.
> > In v6 with a /64 on the inside it seems like the same tactic would
> > lead to more outstanding ND requests than any realistically sized
> > cache would support.
> 
> Ok, I had a hard time making up my mind whether a sarcastic or a
> factual response was in order...

I see you decided to go with "sarcastic".

> This is of course a very big problem, and one of the reasons why
> everyone who's tried IPv6 immediately turns it off again: script
> kiddies are continuously scanning the entire IPv6 address space so
> this happens to regular IPv6 users all the time.

I'm sure it's clear to you that "no one's doing it now" is not a valid
response to prophylactic secure network planning...

> Since this is a problem that is inherent to the ND protocol that is
> impossible to fix without modifying the IPv6 standards significantly,
> the easiest way to solve this with the least amount of impact to
> applications, the ability to host services and the end-to-end model in
> particular is to use a single public IPv6 address and NAT all local
> stuff behind it.

So, you're not going to actually address the problem seriously?

Got it.

Cheers,
-- jra



RE: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Jamie Bowden
It would help if we weren't shipping the routing equivalent of the pre
DNS /etc/hosts all over the network (it's automated, but it's still the
equivalent).  There has to be a better way to handle routing information
than what's currently being done.  The old voice telephony guys built a
system that built SVCs on the fly from any phone in the world to any
other phone in the world; it (normally) took less than a second for it
to do it between any pair of phones under the NANPA, and only slightly
longer for international outside the US and Canada.  There have to be
things to be learned from there.

Jamie

-Original Message-
From: John Curran [mailto:jcur...@istaff.org] 
Sent: Sunday, February 06, 2011 11:00 AM
To: Mark Andrews
Cc: NANOG list
Subject: What's really needed is a routing slot market (was: Using IPv6
with prefixes shorter than a /64 on a LAN)

On Feb 5, 2011, at 9:40 PM, Mark Andrews wrote:

> What's really needed is separate the routing slot market from the
> address allocation market.

Bingo! In fact, having an efficient market for obtaining routing of a 
given prefix, combined with IPv6 vast identifier space, could actually
satisfy the primary goals that we hold for a long-term scalable address
architecture, and enable doing it in a highly distributed, automatable
fashion:

Aggregation would be encouraged, since use of non-aggregatable address
space would entail additional costs. These costs might be seen as minimal
for some organizations that desire addressing autonomy, but others might
decide that treating their address space as portable and routable results in
higher cost than is desired. Decisions about changing prefixes with
ISPs can be made based on a rational tradeoff of costs, rather than in
a thicket of ISP and registry policies.

Conservation would actually be greatly improved, since address space 
would only be sought after because of the need for additional unique 
identifiers, rather than obtaining an address block of a given size 
to warrant implied routability.  In light of IPv6's vast address 
space, it actually would be possible to provide minimally-sized but
assured unique prefixes automatically via nearly any mechanism (i.e.
let your local user or trade association be a registry if they want).

With a significantly reduced policy framework, registration could be
fully automated, with issuance being as simple as assuring the right
level of verification of requester identity. (You might even get rid
of this, if you can assure that ISPs obtain clear identity of clients
before serving them, but that would preclude any form of reputation
systems based on IP address prefix such as we have in use today...)

Just think: the savings in storage costs alone (from the reduction in 
address policy-related email on all our mailing lists) could probably
fund the system. :-)

Oh well, one project at a time...
/John





Re: US Warships jamming Lebanon Internet

2011-02-07 Thread Denys Fedoryshchenko
Hi

I'm a sysadmin at a Lebanese ISP.
Almost at the same time I got heavy interference on a few of my C-Band carriers, and
it looks like electronic warfare jamming, because I can see a phase-modulated,
very weak signal, but it is completely breaking almost any communications on
my carriers.

The strange thing is that our uplink station confirms that the interference is not local
on my side, but on the satellite carrier. If this is confirmed, that means it
is not just a miscommunication between authorities about frequency usage; it
would be intentional damage to Lebanese communications.

Sure, it could be a coincidence in time or something else, but in the last 6 years I have
experienced similar terrible interference only during the 2006 Lebanon vs Israel
war.

>Lebanon's Telecom minister is claiming that US Navy radar is blocking the
>country's Internet..
>
>http://www.naharnet.com/domino/tn/NewsDesk.nsf/0/93A95CA1A4E42178C225782E007371AF
>
>>"The problem, however, is due to a coordination error related to waves,"
>> Nahhas told OTV, adding that an investigation was underway to find out
>> whether this act is "intentional or not."
>
>
>also at
>http://www.naharnet.com/domino/tn/NewsDesk.nsf/Lebanon/EFCEF203B3C315A5C225782E0020C75F




Re: Failure modes: NAT vs SPI

2011-02-07 Thread Owen DeLong

On Feb 7, 2011, at 12:50 AM, Iljitsch van Beijnum wrote:

> On 4 feb 2011, at 22:02, Dave Cardwell wrote:
> 
>> Without wanting to get into whether NAT provides security to hosts
>> that exist on the inside.  I am curious if the potential to overflow
>> ND caches with incomplete* entries exists on currently shipping CPE
>> hardware and if NAT helps prevent this?
> 
>> e.g.
>> In v4 with a /24 on the inside an attacker can send a single packet to
>> each consecutive address causing at most 254 arp requests to be sent
>> on the lan segment and upto 253 incomplete entries, until they
>> timeout.
>> In v6 with a /64 on the inside it seems like the same tactic would
>> lead to more outstanding ND requests than any realistically sized
>> cache would support.
> 
> Ok, I had a hard time making up my mind whether a sarcastic or a factual 
> response was in order...
> 
> This is of course a very big problem, and one of the reasons why everyone 
> who's tried IPv6 immediately turns it off again: script kiddies are 
> continuously scanning the entire IPv6 address space so this happens to 
> regular IPv6 users all the time.
> 
Uh, no.

1.  Scanning even an entire /64 at 1,000 pps will take 18,446,744,073,709,551
    seconds, which is 213,503,982,334 days or 584,542,000 years.

    I would posit that since most networks cannot absorb a 1,000 pps attack even
    without the deleterious effect of incomplete ND on the router, no network has
    yet had even a complete /64 scanned. IPv6 simply hasn't been around that long.

    Claiming that anyone (or any collection of random people) is even capable of
    continuously scanning the entire IPv6 address space is absurd.

2.  The few scanning attacks we've seen haven't gotten very far before giving up.
    We've not had any negative ND effects as a result.

> Since this is a problem that is inherent to the ND protocol that is 
> impossible to fix without modifying the IPv6 standards significantly, the 
> easiest way to solve this with the least amount of impact to applications, 
> the ability to host services and the end-to-end model in particular is to use 
> a single public IPv6 address and NAT all local stuff behind it.
> 
That's a horrible solution. For one thing, it breaks the end-to-end model you 
claim you are protecting.

Further, it doesn't really help and there are much better solutions.

For example, on point-to-point links, block traffic to addresses outside of the 
assigned addresses on the link.

Fast flushing of incomplete ND entries can also help here. That may require a 
software upgrade in some routers, but, it doesn't require a rewrite of the 
protocol standards.

Finally, an SPI firewall shouldn't be permitting most of that traffic in, since 
it should only be permitting packets in to hosts that have legitimate external 
services on them. As such the sweep should only generate ND traffic for hosts 
that exist and provide external services.

> (BTW, there have been some discussions on NAT66 in the IETF, but that 
> wouldn't be a port overloading 1-to-many NAT, but rather a 1-to-1 NAT, 
> because with IPv6, there obviously isn't any reason to use address sharing. 
> The thinking is that such a 1-to-1 NAT is less harmful than a port 
> overloading 1-to-many NAT so it would be beneficial to specify the former to 
> avoid the latter. But many people within the IETF don't support that 
> strategy.)

A 1:1 NAT wouldn't solve your ND problem. The traffic will be dutifully 
translated and still generate a sweep of ND packets.

Owen
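The failure mode Dave asked about and the three mitigations Owen lists above (filtering to assigned addresses, fast flushing of INCOMPLETE entries, and an SPI firewall that only admits traffic to hosts with real services) can be made concrete with a small model. The block below is an added example for this thread, not code from any of the posts or from any router vendor. It models a router's bounded neighbour cache under a sweep of unused addresses in a /64, using the RFC 4861 default solicitation timers (3 retries, 1 s apart) for how long an INCOMPLETE entry is held; the cache size, packet rate, 500 ms "fast flush" timeout and host counts are assumptions chosen for illustration. `scan_time_seconds` reproduces the arithmetic behind Owen's point 1.

```python
"""
IPv6 neighbour-cache exhaustion under an address sweep, modelled.

Added example for this thread, not code from the original posts. A router keeps
one INCOMPLETE neighbour-cache entry per on-link destination it is resolving,
held until the Neighbour Solicitation retries give up (RFC 4861 defaults:
MAX_MULTICAST_SOLICIT = 3, RETRANS_TIMER = 1 s). Every probe to an unused
address in the /64 therefore occupies a slot for ~3 s. Cache size, packet rate
and the 500 ms fast-flush timeout are assumptions picked for illustration.
"""

TICK_MS = 100                      # simulation granularity
RFC4861_INCOMPLETE_MS = 3 * 1000   # 3 solicitations, 1 s apart


def scan_time_seconds(prefix_len: int, pps: int) -> int:
    """Seconds needed to send one packet to every address in a prefix at `pps`."""
    return 2 ** (128 - prefix_len) // pps


class NdCache:
    """Bounded neighbour cache: addr -> expiry_ms (None = resolved, never expires)."""

    def __init__(self, capacity: int, incomplete_ms: int):
        self.capacity = capacity
        self.incomplete_ms = incomplete_ms
        self.entries = {}       # interface ID -> expiry in ms, or None if resolved
        self.ns_sent = 0        # Neighbour Solicitations multicast onto the LAN
        self.dropped_full = 0   # packets dropped because no cache slot was free

    def expire(self, now_ms: int) -> None:
        stale = [a for a, exp in self.entries.items() if exp is not None and exp <= now_ms]
        for a in stale:
            del self.entries[a]

    def lookup_or_solicit(self, addr: int, now_ms: int) -> bool:
        """True if the packet is forwarded or queued behind a new INCOMPLETE entry."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.dropped_full += 1
            return False
        self.entries[addr] = now_ms + self.incomplete_ms
        self.ns_sent += 1
        return True

    def incomplete(self) -> int:
        return sum(1 for exp in self.entries.values() if exp is not None)


def simulate(mode: str, pps: int = 1000, seconds: int = 30,
             cache_size: int = 2048, real_hosts: int = 50) -> dict:
    """Run a sweep against one router configuration and report what happened.

    mode: "baseline"   - forward to any address in the /64, RFC 4861 timers
          "fast_flush" - same, but INCOMPLETE entries are flushed after 500 ms
          "filtered"   - stateful firewall only admits inbound packets to hosts
                         that actually offer external services (the SPI point)
    """
    timeout = 500 if mode == "fast_flush" else RFC4861_INCOMPLETE_MS
    cache = NdCache(cache_size, timeout)
    allowed = set(range(1, real_hosts + 1))   # constructed: interface IDs of real hosts
    for h in allowed:
        cache.entries[h] = None               # already resolved (REACHABLE)
    next_target = 1 << 32                     # attacker walks IIDs that no host uses
    peak, now = 0, 0
    for tick in range(seconds * 1000 // TICK_MS):
        now = tick * TICK_MS
        cache.expire(now)
        for _ in range(pps * TICK_MS // 1000):
            if mode == "filtered" and next_target not in allowed:
                next_target += 1              # firewall drops it; no ND ever happens
                continue
            cache.lookup_or_solicit(next_target, now)
            next_target += 1
        peak = max(peak, cache.incomplete())
    ns_during_sweep = cache.ns_sent
    # A legitimate new host appears while the sweep runs: can the router still
    # allocate a cache entry to resolve it? (The admin also permits it in the firewall.)
    newcomer = real_hosts + 1
    allowed.add(newcomer)
    resolved = cache.lookup_or_solicit(newcomer, now)
    return {"mode": mode, "peak_incomplete": peak, "ns_sent": ns_during_sweep,
            "dropped_full": cache.dropped_full, "newcomer_resolved": resolved}


if __name__ == "__main__":
    print("full /64 sweep at 1000 pps:", scan_time_seconds(64, 1000), "seconds")
    for m in ("baseline", "fast_flush", "filtered"):
        print(simulate(m))
```

Two things the model makes visible that the prose does not: fast flushing bounds cache occupancy to roughly pps x timeout (500 entries here, so a new legitimate neighbour can still be resolved), but the router still multicasts one Neighbour Solicitation per probe packet, so the LAN-side amplification is untouched; only the filter that refuses to forward to addresses that are not assigned or not serving anything removes the sweep entirely. A 1:1 NAT66 in front of the same router changes nothing in this model, since translated packets are still forwarded and still trigger resolution.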




Re: Failure modes: NAT vs SPI

2011-02-07 Thread Iljitsch van Beijnum
On 4 feb 2011, at 22:02, Dave Cardwell wrote:

> Without wanting to get into whether NAT provides security to hosts
> that exist on the inside.  I am curious if the potential to overflow
> ND caches with incomplete* entries exists on currently shipping CPE
> hardware and if NAT helps prevent this?

> e.g.
> In v4 with a /24 on the inside an attacker can send a single packet to
> each consecutive address causing at most 254 arp requests to be sent
> on the lan segment and upto 253 incomplete entries, until they
> timeout.
> In v6 with a /64 on the inside it seems like the same tactic would
> lead to more outstanding ND requests than any realistically sized
> cache would support.

Ok, I had a hard time making up my mind whether a sarcastic or a factual 
response was in order...

This is of course a very big problem, and one of the reasons why everyone who's 
tried IPv6 immediately turns it off again: script kiddies are continuously 
scanning the entire IPv6 address space so this happens to regular IPv6 users 
all the time.

Since this is a problem that is inherent to the ND protocol that is impossible 
to fix without modifying the IPv6 standards significantly, the easiest way to 
solve this with the least amount of impact to applications, the ability to host 
services and the end-to-end model in particular is to use a single public IPv6 
address and NAT all local stuff behind it.

(BTW, there have been some discussions on NAT66 in the IETF, but that wouldn't 
be a port overloading 1-to-many NAT, but rather a 1-to-1 NAT, because with 
IPv6, there obviously isn't any reason to use address sharing. The thinking is 
that such a 1-to-1 NAT is less harmful than a port overloading 1-to-many NAT so 
it would be beneficial to specify the former to avoid the latter. But many 
people within the IETF don't support that strategy.)