Re: .nyc - here we go...
On 2013-07-03, at 01:04, Paul Ferguson fergdawgs...@gmail.com wrote: Why does this discussion have to always be one or the other? We have multiple problems here, friends. Focus. I think you mean de-focus. :-) Joe
Re: .nyc - here we go...
On 03/07/13 11:12, Scott Weeks wrote: As of July 2, 2013, .nyc has been approved by ICANN as a city-level top-level domain (TLD) for New York City Do they have DNSSEC from inception? It would seem a sensible thing to do for a virgin TLD.
Re: .nyc - here we go...
On Thu, Jul 4, 2013 at 12:00 PM, Ted Cooper ml-nanog0903...@elcsplace.comwrote: On 03/07/13 11:12, Scott Weeks wrote: As of July 2, 2013, .nyc has been approved by ICANN as a city-level top-level domain (TLD) for New York City Do they have DNSSEC from inception? It would seem a sensible thing to do for a virgin TLD. All new gTLDs are required to be DNSSEC-signed. The requirement only applies to the parent zone, unless registry policy dictates otherwise, so we can expect many more DS records in the root but a similar DS rate for 2LDs to other gTLDs, likely to be less than 1%: http://scoreboard.verisignlabs.com/percent-trace.png Rubens
Re: Ciena 6200 clue?
On 7/3/13 9:32 PM, Christopher Morrow wrote: honestly? this sounds like typical alu :( some of their kit requires either proxy-arp from the default-gw (and no support for default-gw, all of the 'internet' is out the management ether... on that ether link) or 'can we run ospf with your router?' what?? you put ospf processing/handling/debugging (ha!) but you can't point 0/0 at that ip over - there?? wtf The older microwave radios were like this. Most other vendors just put a serial console on the product at 9600n8 to do a basic config (power, channel, etc). Not ALU. The radio sets up a PPP connection on the serial port and that connects to a windows laptop (XP sp1 or older, win2k works best). Now do you think they use IP for this? nope! ISO CLNS and ISIS to find the radio. Only after these 5 things go right, may you fire up the java GUI that actually talks to it. After about 10 min, it should be up and might talk to it. Now on the odd chance it does not work (shocking, right?), you get to trouble shoot it. Better break out the Italian to English dictionary, all the error messages are in Italian. Thankfully the IP routing development team does not have these issues. Most possess a good amount of clue. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
Re: .nyc - here we go...
As of July 2, 2013, .nyc has been approved by ICANN as a city-level top-level domain (TLD) for New York City Do they have DNSSEC from inception? It would seem a sensible thing to do for a virgin TLD. Yes. See the AGB, to which I sent a link a few messages back.
Re: .nyc - here we go...
On 7/4/13 8:00 AM, Ted Cooper wrote: Do they have DNSSEC from inception? It would seem a sensible thing to do for a virgin TLD. In the evolution of the DAG I pointed out that both the DNSSEC and the IPv6 requirements, as well as other SLA requirements, were significantly in excess of those placed upon the legacy registries, and assumed general value and availability with non-trivial cost to entry operators, some of whom might not be capitalized by investors with profit expectations similar to those that existed prior to the catastrophic telecoms build-out and the millennial dotbomb collapse. The v6-is-everywhere and the DNSSEC-greenfields advocates prevailed, and of course, the SLA boggies remain elevated w.r.t. the legacy registry operator obligations. Sensible may be subject to cost-benefit analysis. I did .cat's DNSSEC funnel request at the contracted party's insistence and I thought it pure marketing. The .museum's DNSSEC funnel request must have, under the it is necessary theory, produced demonstrable value beyond the technical pleasure of its implementer. Anyone care to advance evidence that either zone has been, not will someday be, significantly improved by the adoption of DS records? Evidence, not rhetoric, please. #insert usual junk from *nog v6 evangelicals that .africa and .eos (Basque Autonomous Region) must drive v6 adoption from their ever-so-deep-pockets, or the net will die. Eric
Re: .nyc - here we go...
Anyone care to advance evidence that either zone has been, not will someday be, significantly improved by the adoption of DS records? Evidence, not rhetoric, please. I dunno. Can you point to parts of your house that have been significantly improved by fire insurance?
Re: .nyc - here we go...
On Thu, 04 Jul 2013 10:34:41 -0700, Eric Brunner-Williams said: #insert usual junk from *nog v6 evangelicals that .africa and .eos (Basque Autonomous Region) must drive v6 adoption from their ever-so-deep-pockets, or the net will die. I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues. pgp1CZRNcIaQM.pgp Description: PGP signature
Re: What are y'all doing for CALEA compliance?
On Mar 15, 2013 11:37 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard j...@2600hz.com wrote: God I want one of those PA firewalls just to play with in the lab. I can't justify the expense, but as far as firewalls go they're gorgeous. From the chassis to the UI, PA is just doing it right. If anyone has a different experience, I'd love to hear it. for any firewall/appliance .. ask this: How can I manage 200 of these things remotely UI is pretty and nice and cool.. but utterly useless if you have more than 1 of the things. also, a firewall is a firewall is a firewall... they all do the basics (nat/filter/'proxy') nothing else in that category really matters... management matters. I know I'm necro'ing a thread, but PA has a centralized management product called Panorama. I threw up a Panorama VM the other day at work and I was thoroughly impressed with how easy it was to set up (establish SIC? What's that?) and the slick management UI on Panorama that basically mirrors the normal PA UI. The App-ID thing that PA implemented *does* matter in my humble opinion... being able to say allow specifically traffic that looks and smells like RADIUS instead of allow UDP 1812 and 1813 is neato PA has had some rough edges (their client VPN solution for Windows and OSX is not ready for prime time in my opinion) but this is one thing they nailed. Chris Morrow - if it's in your budget you can pick up a PA200 on eBay for like $1k. I've only played with PA over the year and a half I've been with my current employer, but they've got a neat product. I've been tempted to buy one for the house even honestly... having URL filtering, SSL decrypt, SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some malware analysis (Wildfire) built right in is kind of compelling -- Eric http://linkedin.com/in/ericgearhart
Re: .nyc - here we go...
On 7/4/13 10:48 AM, John Levine wrote: I dunno. Can you point to parts of your house that have been significantly improved by fire insurance? Cute John. Let me know when you've run out of neat things other people should do. Eric
Re: .nyc - here we go...
On 7/4/13 11:11 AM, valdis.kletni...@vt.edu wrote: I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues. You'll let me know there is no place where v6 is not available, and while you're at it, why .frogans (I've met the guy, has to be the least obvious value proposition I've come across) needs to accessible to v6ers before, well, er, that .com thingie. DNSSEC No clue necessary ... so all those guys and gals out there selling training are ... adding no necessary value at some measurable cost? Eric
Re: .nyc - here we go...
Well, for starters there's whole truckloads of surplus gear that you can't get for pennies and use successfully. Matthew Kaufman (Sent from my iPhone) On Jul 4, 2013, at 11:11 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Jul 2013 10:34:41 -0700, Eric Brunner-Williams said: #insert usual junk from *nog v6 evangelicals that .africa and .eos (Basque Autonomous Region) must drive v6 adoption from their ever-so-deep-pockets, or the net will die. I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues.
Re: .nyc - here we go...
In message 51d5c750.4090...@nic-naa.net, Eric Brunner-Williams writes: On 7/4/13 11:11 AM, valdis.kletni...@vt.edu wrote: I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues. You'll let me know there is no place where v6 is not available, and while you're at it, why .frogans (I've met the guy, has to be the least obvious value proposition I've come across) needs to accessible to v6ers before, well, er, that .com thingie. Well give that .com thingie is IPv6 accessable and has DNSSEC there is nothing we need to let you know. And yes you can get IPv6 everywhere if you want it. Native IPv6 is a little bit harder but definitely not impossible nor more expensive. ; DiG 9.10.0pre-alpha ns com @a.gtld-servers.net -6 +dnssec ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 18176 ;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 16 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;com. IN NS ;; ANSWER SECTION: com.172800 IN NS a.gtld-servers.net. com.172800 IN NS f.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN RRSIG NS 8 1 172800 20130709042103 20130702031103 35519 com. G9bZIBIFL0MacyGQ9rgx+eFSnp/j11x/OoXJ30ADzYqffm/if68R1DYs v0fA4vqf3NQsUoonSO7t6tCh4Fl5OV/oju0BYXukXOn7bvpiA7Ij+B7H UoSyybVZRsRk4Q4d6t7EJ/gohL/p9B4BFOIiQ1gDIa8dAUzCUOXXo59j Oks= ;; ADDITIONAL SECTION: a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN 2001:503:a83e::2:30 f.gtld-servers.net. 172800 IN A 192.35.51.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN 2001:503:231d::2:30 m.gtld-servers.net. 172800 IN A 192.55.83.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 ;; Query time: 173 msec ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30) ;; WHEN: Fri Jul 05 09:38:20 EST 2013 ;; MSG SIZE rcvd: 683 DNSSEC No clue necessary ... so all those guys and gals out there selling training are ... adding no necessary value at some measurable cost? Eric -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: .nyc - here we go...
In message 9ff40d24-169e-4568-9f25-ee00beeed...@matthew.at, Matthew Kaufman writes: Well, for starters there's whole truckloads of surplus gear that you can't get for pennies and use successfully. Surplus IPv6 capable gear has been around for a long while now. Remember most gear has had IPv6 for over a decade now. A lot of gear that ISC got given for IPv6 development was on it 2nd or 3rd repurposing before we got it nearly a decade ago. Matthew Kaufman (Sent from my iPhone) On Jul 4, 2013, at 11:11 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Jul 2013 10:34:41 -0700, Eric Brunner-Williams said: #insert usual junk from *nog v6 evangelicals that .africa and .eos (Basque Autonomous Region) must drive v6 adoption from their ever-so-deep-pockets, or the net will die. I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: What are y'all doing for CALEA compliance?
Palo Alto has zero support for anything lea wise past the 7200 if I recall. We spent a ton of money on asr's and found out we needed to lawful intercept ios which was only working/tested on a 7206vxr with a g2. Palo Alto is insanely expensive, and (in my opinion) is only really cool for seeing what kind of porn people are looking at. This was an international (literally, every country AND every body of water) and was required as every government on the planet wanted access to data from their flagged airplanes. It was cool, but not cool enough to be priced at what it is (the support and update costs were pretty intense on a larger deployment). Any deeper questions etc, reply off list. Sent from my Mobile Device. Original message From: Eric G e...@nixwizard.net Date: 07/04/2013 11:23 AM (GMT-08:00) To: Christopher Morrow morrowc.li...@gmail.com Cc: NANOG list nanog@nanog.org Subject: Re: What are y'all doing for CALEA compliance? On Mar 15, 2013 11:37 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard j...@2600hz.com wrote: God I want one of those PA firewalls just to play with in the lab. I can't justify the expense, but as far as firewalls go they're gorgeous. From the chassis to the UI, PA is just doing it right. If anyone has a different experience, I'd love to hear it. for any firewall/appliance .. ask this: How can I manage 200 of these things remotely UI is pretty and nice and cool.. but utterly useless if you have more than 1 of the things. also, a firewall is a firewall is a firewall... they all do the basics (nat/filter/'proxy') nothing else in that category really matters... management matters. I know I'm necro'ing a thread, but PA has a centralized management product called Panorama. I threw up a Panorama VM the other day at work and I was thoroughly impressed with how easy it was to set up (establish SIC? What's that?) and the slick management UI on Panorama that basically mirrors the normal PA UI. The App-ID thing that PA implemented *does* matter in my humble opinion... being able to say allow specifically traffic that looks and smells like RADIUS instead of allow UDP 1812 and 1813 is neato PA has had some rough edges (their client VPN solution for Windows and OSX is not ready for prime time in my opinion) but this is one thing they nailed. Chris Morrow - if it's in your budget you can pick up a PA200 on eBay for like $1k. I've only played with PA over the year and a half I've been with my current employer, but they've got a neat product. I've been tempted to buy one for the house even honestly... having URL filtering, SSL decrypt, SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some malware analysis (Wildfire) built right in is kind of compelling -- Eric http://linkedin.com/in/ericgearhart
Re: .nyc - here we go...
Someone who should know better wrote: Well give that .com thingie is IPv6 accessable and has DNSSEC there is nothing we need to let you know. And yes you can get IPv6 everywhere if you want it. Native IPv6 is a little bit harder but definitely not impossible nor more expensive. And this was true when the v6 and DEC requirements entered the DAG? Try again, and while you're inventing a better past, explain how everyone knew that it would take 6 revisions of the DAG and take until 3Q2012 before an applicant could predict when capabilities could be scheduled. The one thing you've got going for you is that in 2009 no one knew that almost all of the nearly 2,000 applicants would be forced by higher technical and financial requirements to pick one of a universe of fewer than 50 service providers, or that nearly all of the developing economies would be excluded, or self-exclude, from attempting to apply. So the basic diversity assumption was wrong. Why are the people who don't follow the shitty process so full of confidence they have all the clue necessary? Eric
Re: .nyc - here we go...
On 7/4/2013 8:02 PM, Eric Brunner-Williams wrote: And this was true when the v6 and DEC requirements entered the DAG? OK, I 'fess to terminal stupidity--in this contest: DEC? the DAG? Why are the people who don't follow the shitty process so full of confidence they have all the clue necessary? A job requirement? Genetic links to DESIRABLE characteristics? Comes with the territory? -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: .nyc - here we go...
OK, I 'fess to terminal stupidity--in this contest: DEC? the DAG? Draft Applicant's Guidebook.
Re: .nyc - here we go...
On 7/4/13 6:23 PM, Larry Sheldon wrote: OK, I 'fess to terminal stupidity--in this contest: DEC? the DAG? Sigh. DNSSEC and Draft Applicant Guidebook.
Re: .nyc - here we go...
On Thu, 04 Jul 2013 18:02:35 -0700, Eric Brunner-Williams said: higher technical and financial requirements to pick one of a universe of fewer than 50 service providers, I'm reasonably sure that there are more than 50 service providers who are able to privide you with a connection that will do IPv6. or that nearly all of the developing economies would be excluded, or self-exclude, from attempting to apply. % dig so. any ... ;; ADDITIONAL SECTION: a.nic.so. 43165 IN A 72.52.71.4 a.nic.so. 43165 IN 2001:470:1a::4 b.nic.so. 43165 IN A 38.103.2.4 c.nic.so. 43165 IN A 63.243.194.4 c.nic.so. 43165 IN 2001:5a0:10::4 d.nic.so. 43165 IN A 196.216.168.54 d.nic.so. 43165 IN 2001:43f8:120::54 If Somalia, the failed nation state and near-undisputed champion hell-hole of the world, can manage to get quad-A's for its ccTLD, the bar can't be *too* high. (Yes, i see exactly how they did it. And there's nothing prohibiting any of the applicants in developing countries from doing exactly the same thing) pgpDLmmpL9hXC.pgp Description: PGP signature
Re: .nyc - here we go...
I'm reasonably sure that there are more than 50 service providers who are able to privide you with a connection that will do IPv6. In this context the universe of 50 providers are registry service providers, existing and entrant. Verisign, NeuStar, Afilias, CORE, AusReg, ISC, ... Your side won if you predicted in 2009, or even as late as 2011, that there would be many many applicants, using very very few providers, and none in awkward places. If you predicted that, you won on all counts, v6 availability, density of available technical clue for DNSSEC as the cheap box checks -- the real win was access to investment capital and financial instruments, access to American or equivalent legal and ancillary services, shared fate (still being dickered) on insurance bundling and business continuity set-aside, the business advantages offered by Verisign, NeuStar, Afilias, CORE, AusReg, ISC, ... Absent that it really doesn't matter if a light in the sky told you that v6 was everywhere and free, or that DNSSEC was vital to everything, and free too, or not. I didn't predict it, so I lobbied under the assumption that very low capitalizations would attempt to provide some locally needed name to existing address mapping, and that signing the zone had little but cosmetic effect unless there were resources within the zone offering a greater return on attacker investment than any large, and unsigned zone (and there still are some of those). I also tried to get ICANN's attempt to provide Applicant Support to defer these non-essentials for registry start-up, but that whole thing went south and the one qualified application was disallowed because ... .ummah upset someone who didn't care to admit it (the Support Program reviewers are anonymous). .museum started on a desktop. There has to be a good reason why this can never happen again. Eric
Re: .nyc - here we go...
I'll bite. What's the *actual* additional cost for dnssec and ipv6 support for a greenfield rollout? It's greenfield, so there's no our older gear/software/admins need upgrading issues. I've read the IPv6 and DNSSEC parts of a lot of the applications, including the ones that aren't backed by the familiar large registries, and nobody had any great trouble doing DNSSEC or IPv6. There are a couple of adequate DNSSEC toolkits for anyone who doesn't want to buy a prefab system, and even though there are plenty of places where IPv6 isn't available, the sensible thing to do (even for large applicants) is to put the servers where the networks are. R's, John
Re: .nyc - here we go...
Why are the people who don't follow the shitty process so full of confidence they have all the clue necessary? Probably because they don't think that new TLDs are particularly useful or valuable. R's, John
Yahoo! security: are there any lights on?
Y! is haemorrhaging PII to me and I cannot figure out how to make it stop. I have an ancient three-letter account (you can easily guess what the three letters are) and hundreds of people have somehow been led to believe that they own and control it, to the point of associating it with their own accounts, using it as a CC in their communication with their attorneys, banks, spouses and other ... persons. Today during our traditional early-morning July 4 breakfast cookout I got an SMS message, purportedly from Y!, that We detected unusual activity on the network. Log in to yahoo.com from the web to unlock your account. This was an out-of-the-blue first event, but there was no mechanism in the message to do anything dangerous. When back at home, logging in to Y! involved additional authentication steps and a mandatory password change. Fair enough. No sign of account access from anywhere unusual. The password change event was sent to the correct linked external accounts. But then, a new and interesting barrage of mail started coming in, indicating that, as suspected, the account associations were indeed being effected without any involvement of myself. For instance: Hi Vince, We detected a login attempt with valid password to your Yahoo! account ([munged by me, but not by Y!]) from an unrecognized device on Thu, Jul 4, 2013 3:56 PM VET. Location: Venezuela (IP=186.88.201.179) Note: The location is based on information from your Internet service or wireless carrier provider. Was this you? If so, you can disregard the rest of this email. (This is interesting and, perhaps, encouraging -- that's one of the cantv.net addresses I've recently seen in compromised Y! account spam headers.) I have never yet succeeded in contacting a live body at Y!. Does anyone know whether the lights are even on, let alone anybody being home? mdr -- There are no laws here, only agreements. -- Masahiko
Re: Yahoo! security: are there any lights on?
On Thu, 04 Jul 2013 19:12:52 -0700, Michael Rathbun m...@tesp.com wrote: I have never yet succeeded in contacting a live body at Y!. Does anyone know whether the lights are even on, let alone anybody being home? Info received. Thanks all. mdr -- The hits just keep on coming for poor Nadine. See the sad tale of email lists gone horribly wrong at http://www.honet.com/Nadine/ F - IWAA #2157 GEVNP
Re: .nyc - here we go...
In message 51d61b2b.8020...@abenaki.wabanaki.net, Eric Brunner-Williams write s: Someone who should know better wrote: Well give that .com thingie is IPv6 accessable and has DNSSEC there is nothing we need to let you know. And yes you can get IPv6 everywhere if you want it. Native IPv6 is a little bit harder but definitely not impossible nor more expensive. And this was true when the v6 and DEC requirements entered the DAG? DS for COM was added added to the root zone in Feb 2011. The process of getting COM signed started a lot earlier well before the root zone was signed and included ensuring the protocol worked for COM sized zones. But hey if you just look a when records are added to zones you wouldn't see that. Requiring new zones start at the standard you expect existing zones to obtain is neither unexpected nor unreasonable. Try again, and while you're inventing a better past, explain how everyone knew that it would take 6 revisions of the DAG and take until 3Q2012 before an applicant could predict when capabilities could be scheduled. The one thing you've got going for you is that in 2009 no one knew that almost all of the nearly 2,000 applicants would be forced by higher technical and financial requirements to pick one of a universe of fewer than 50 service providers, or that nearly all of the developing economies would be excluded, or self-exclude, from attempting to apply. So the basic diversity assumption was wrong. Why are the people who don't follow the shitty process so full of confidence they have all the clue necessary? Eric -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: .nyc - here we go...
Why are the people who don't follow the shitty process so full of confidence they have all the clue necessary? Probably because they don't think that new TLDs are particularly useful or valuable. Oops, just a minute, gotta grab the popcorn and cooler for this one...ok, proceed. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*