Re: Verizon Public Policy on Netflix
On Fri, 11 Jul 2014 11:38:03 -0400 Miles Fidelman wrote:

Ahad Aboss wrote:

Interesting point. The truth is, the ISP is responsible for the quality of experience for their end customers regardless of what content the customers consume or what time they consume it. They pay a monthly subscription / access fee and that is where it stops. ISPs can choose to blame Netflix until the cows come home or alternatively, they can do something more constructive, like deploying a cache solution or establishing direct peering with Netflix in one of the POIs.

Well... if you make a phone call to a rural area, or a 3rd world country, with a horrible system, is it your telco's responsibility to go out there and fix it? One might answer, "of course not." It's a legitimate position, and by this argument, Netflix should be paying for bigger pipes.

SNIP...

Of course it is not my telco's responsibility to fix the other telco's network. But your analogy is not valid here. Let's change it up a little bit to be more in line with the issue at hand. You make a phone call to a rural carrier or another country and get a horrible connection. If that degradation takes place on the link, that your telco owns, where it is handed off to the next network, then yes, it IS the originating telco's responsibility to pay to have it fixed. The same goes for the Verizon/Netflix issue. The problem is at the edge where Verizon connects to the rest of the internet. They are deliberately letting those links become congested to degrade Netflix, and any other provider, in order to protect their own video revenue stream. They could care less about the customer experience as long as they can blame someone else and keep the money flowing and add additional revenue by pissing off said Netflix customer enough that they move to a Verizon solution.

Robert
Re: Comcast Business Internet Options
I have a cable based business in my residence. There is no SLA with the standard business class service. However, I have typically seen about a 4 hour response time during the week for a tech and never any longer than the next day. As far as install fees and such, the only way to get it waived, as others have mentioned, is a 3 year contract. Lower fee for 2 year contract and full install fee for 1 year contract. Good deal with the Visa Card as I have never heard of that being offered before. You get the same "up to" BS as residential and if you want static IP's with that, be prepared for a required $12.95 equipment rental fee on top of the monthly price, static IP price, and tax.

Robert

On Mon, 30 Jun 2014 15:49:50 -0400 Phil Gardner wrote:

Damn, interesting. Though for my needs, I'm more interested in the response time for service than all out speed. I'd also be surprised if they offer that in my state.

On 06/30/2014 02:37 PM, Will Dean wrote:

Phil, Comcast does have a residential fiber tier that leverages their metro ethernet network. https://www.comcast.com/505
Re: Help with route latency between TATA and Comcast
Now that I look at it again, I believe you are correct. This is my first overseas server so I was not really sure what to expect in latency. It has been one of those days that doing a reverse had not occurred to me to try as suggested by another reply. I am seeing about the same on the reverse so I am good to go.

Robert

On Tue, 24 Jun 2014 11:18:09 -0700 Matthew Petach wrote:

260ms from VA to SG is about right. I'd suspect the DNS is wrong in this case, as otherwise they somehow went from LAX to SG in less than 10ms--and if they found a way to do that, I suspect they'd have a *lot* more customers beating down their doors to get onto that pathway. :P

Matt

On Tue, Jun 24, 2014 at 10:49 AM, rw...@ropeguru.com wrote:

I am doing some testing between my Comcast Business connection and a Singapore server that I have just setup. I am seeing high latency to the server but it appears it is the Comcast to TATA link and not the link between the U.S. and Singapore. At least that is what I can gather from the reverse lookup in the traceroute. Can someone please enlighten me as to if I am correct or not?

Tracing route to 128.199.162.241 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.254
  2     1 ms    <1 ms    <1 ms  23-25-112-190-static.hfc.comcastbusiness.net [23.25.xxx.xxx]
  3    27 ms    22 ms    19 ms  96.178.10.1
  4    10 ms     9 ms    10 ms  te-1-3-ur01.shadygrove.va.richmond.comcast.net [68.86.124.241]
  5    17 ms    17 ms    17 ms  xe-12-0-1-0-ar02.charlvilleco.va.richmond.comcast.net [68.86.172.17]
  6    24 ms    24 ms    25 ms  pos-1-2-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.91.53]
  7    24 ms    23 ms    23 ms  pos-0-3-0-0-pe01.ashburn.va.ibone.comcast.net [68.86.86.142]
  8    20 ms    20 ms    20 ms  66.208.233.38
  9   268 ms   264 ms   265 ms  if-6-8.tcore2.lvw-los-angeles.as6453.net [216.6.87.114]
 10     *        *        *     Request timed out.
 11   270 ms   255 ms   256 ms  if-2-2.tcore1.svw-singapore.as6453.net [180.87.12.1]
 12   270 ms   271 ms   275 ms  if-11-2.thar1.svq-singapore.as6453.net [180.87.98.37]
 13   260 ms   258 ms   260 ms  180.87.98.6
 14   256 ms   256 ms   258 ms  103.253.144.242
 15   262 ms   258 ms   259 ms  128.199.162.241

Trace complete.
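The sanity check Matthew describes in the reply above, written out as an added example (not part of the original thread): compare the RTT increase between two hops with the propagation floor for the distance their reverse-DNS names claim. The fibre speed and the city distances are approximate assumptions, and the function names are hypothetical.

```python
import re

# Constructed copy of hops 6-12 from the tracert output quoted in the thread.
SAMPLE = """\
  6    24 ms    24 ms    25 ms  pos-1-2-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.91.53]
  7    24 ms    23 ms    23 ms  pos-0-3-0-0-pe01.ashburn.va.ibone.comcast.net [68.86.86.142]
  8    20 ms    20 ms    20 ms  66.208.233.38
  9   268 ms   264 ms   265 ms  if-6-8.tcore2.lvw-los-angeles.as6453.net [216.6.87.114]
 10     *        *        *     Request timed out.
 11   270 ms   255 ms   256 ms  if-2-2.tcore1.svw-singapore.as6453.net [180.87.12.1]
 12   270 ms   271 ms   275 ms  if-11-2.thar1.svq-singapore.as6453.net [180.87.98.37]
"""

# Assumptions, not from the thread: light in fibre covers roughly 200 km per
# millisecond, and these are approximate great-circle distances in km.
FIBRE_KM_PER_MS = 200.0
DISTANCE_KM = {
    frozenset(("ashburn", "los-angeles")): 3700,
    frozenset(("los-angeles", "singapore")): 14100,
    frozenset(("ashburn", "singapore")): 15500,
}
CITY_TOKENS = ("ashburn", "los-angeles", "singapore")


def parse_tracert(text):
    """Return [(hop, best_rtt_ms, label)] for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue
        rtts = [int(v) for v in re.findall(r"<?(\d+) ms", m.group(2))]
        if not rtts:
            continue  # "* * * Request timed out."
        label = re.sub(r"(<?\d+ ms|\*)\s*", "", m.group(2)).strip()
        hops.append((int(m.group(1)), min(rtts), label))
    return hops


def claimed_city(label):
    """City the reverse-DNS name claims, or None if it names none we know."""
    lowered = label.lower()
    for token in CITY_TOKENS:
        if token in lowered:
            return token
    return None


def implausible_segments(hops):
    """Flag adjacent city-labelled hops whose RTT gain is below the physical floor.

    A flagged pair means at least one of the two PTR names is wrong or stale;
    the name is set by whoever runs the reverse zone and is not authenticated.
    """
    claimed = [(n, rtt, claimed_city(lbl)) for n, rtt, lbl in hops]
    claimed = [c for c in claimed if c[2]]
    flagged = []
    for (n1, r1, c1), (n2, r2, c2) in zip(claimed, claimed[1:]):
        if c1 == c2:
            continue
        floor_ms = 2 * DISTANCE_KM[frozenset((c1, c2))] / FIBRE_KM_PER_MS
        if r2 - r1 < floor_ms:
            flagged.append((n1, n2, r2 - r1, floor_ms))
    return flagged


if __name__ == "__main__":
    for a, b, delta, floor_ms in implausible_segments(parse_tracert(SAMPLE)):
        print(f"hops {a}->{b}: RTT changed by {delta} ms, "
              f"labels imply at least {floor_ms:.0f} ms")
```

Only the hop 9 to hop 11 pair is flagged: the Ashburn to "los-angeles" step already carries the full trans-Pacific delay, so the hop 9 name is the one to distrust.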
Help with route latency between TATA and Comcast
I am doing some testing between my Comcast Business connection and a Singapore server that I have just setup. I am seeing high latency to the server but it appears it is the Comcast to TATA link and not the link between the U.S. and Singapore. At least that is what I can gather from the reverse lookup in the traceroute. Can someone please enlighten me as to if I am correct or not?

Tracing route to 128.199.162.241 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.254
  2     1 ms    <1 ms    <1 ms  23-25-112-190-static.hfc.comcastbusiness.net [23.25.xxx.xxx]
  3    27 ms    22 ms    19 ms  96.178.10.1
  4    10 ms     9 ms    10 ms  te-1-3-ur01.shadygrove.va.richmond.comcast.net [68.86.124.241]
  5    17 ms    17 ms    17 ms  xe-12-0-1-0-ar02.charlvilleco.va.richmond.comcast.net [68.86.172.17]
  6    24 ms    24 ms    25 ms  pos-1-2-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.91.53]
  7    24 ms    23 ms    23 ms  pos-0-3-0-0-pe01.ashburn.va.ibone.comcast.net [68.86.86.142]
  8    20 ms    20 ms    20 ms  66.208.233.38
  9   268 ms   264 ms   265 ms  if-6-8.tcore2.lvw-los-angeles.as6453.net [216.6.87.114]
 10     *        *        *     Request timed out.
 11   270 ms   255 ms   256 ms  if-2-2.tcore1.svw-singapore.as6453.net [180.87.12.1]
 12   270 ms   271 ms   275 ms  if-11-2.thar1.svq-singapore.as6453.net [180.87.98.37]
 13   260 ms   258 ms   260 ms  180.87.98.6
 14   256 ms   256 ms   258 ms  103.253.144.242
 15   262 ms   258 ms   259 ms  128.199.162.241

Trace complete.
Re: Credit to Digital Ocean for ipv6 offering
On Tue, 17 Jun 2014 11:26:16 -0400 "rw...@ropeguru.com" wrote:

I don't think it is harsh when they lead their customers on with no progress. https://www.digitalocean.com/community/questions/is-ipv6-available digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2639897-ipv6-addresses Take note of the original post dates and the responses. Original questions were in 2012 with responses of Q4 2012 to Q1 2013.

Robert

To add on to this, it appears that DO now considers the request for IPv6 as now being "COMPLETE" because they have rolled it out in a single DC in Singapore, when the request was made by a lot of people BEFORE the Singapore DC was ever available. Great lack of respect to your customer base http://digitalocean.uservoice.com/forums/136585-digitalocean/suggestions/2639897-ipv6-addresses
Re: Credit to Digital Ocean for ipv6 offering
On Tue, 17 Jun 2014 13:25:37 -0400 valdis.kletni...@vt.edu wrote: On Tue, 17 Jun 2014 13:14:04 -0400, "rw...@ropeguru.com" said: No, 8 individual IPv6 addresses. Wow. Harsh. I burn more than that just in my living room. I don't think that is too harsh as all 8 are assigned to a single server. So if I have three VPS's, I have 24 total addresses.
Re: Credit to Digital Ocean for ipv6 offering
There are other VPS's out there that are already giving IPv6 addresses. Yep, I use rootbsd.net and arpnetworks.com and have been happy with both. I have two with www.peakservers.com where I get one IPv4 and 8 IPv6 addresses. Wait. What? Do you mean 8 /64s? No, 8 individual IPv6 addresses. There have also been reports from some DO users of HE tunnels being blocked. Not sure what the status of that is.
Re: Credit to Digital Ocean for ipv6 offering
I don't think it is harsh when they lead their customers on with no progress. https://www.digitalocean.com/community/questions/is-ipv6-available digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2639897-ipv6-addresses Take note of the original post dates and the responses. Original questions were in 2012 with responses of Q4 2012 to Q1 2013.

Robert

On Tue, 17 Jun 2014 11:17:41 -0400 Jared Mauch wrote:

I think that's a bit harsh. I congratulate them for getting the first step done in the process of making it available for all customers.

Jared Mauch

On Jun 17, 2014, at 10:35 AM, "rw...@ropeguru.com" wrote:

Not impressed at all. DO customers have been asking for IPv6 for around two years now with responses of, "It's coming". Now they are getting press because they are rolling it out ONLY in their Singapore market which is its newest data center. Those of us here in the US are still getting the same ole, "It's coming" responses. There are other VPS's out there that are already giving IPv6 addresses. I have two with www.peakservers.com where I get one IPv4 and 8 IPv6 addresses.

On Tue, 17 Jun 2014 07:06:49 -0700 Ca By wrote:

I have not tried it out, this makes it look like DO beat Azure to market on ipv6 http://venturebeat.com/2014/06/17/digitalocean-ipv6/

Speaking of Azure and ip addresses http://www.pcworld.com/article/2363580/need-to-move-to-ipv6-highlighted-as-microsoft-runs-out-of-us-address-space.html
Re: Credit to Digital Ocean for ipv6 offering
Not impressed at all. DO customers have been asking for IPv6 for around two years now with responses of, "It's coming". Now they are getting press because they are rolling it out ONLY in their Singapore market which is its newest data center. Those of us here in the US are still getting the same ole, "It's coming" responses. There are other VPS's out there that are already giving IPv6 addresses. I have two with www.peakservers.com where I get one IPv4 and 8 IPv6 addresses.

On Tue, 17 Jun 2014 07:06:49 -0700 Ca By wrote:

I have not tried it out, this makes it look like DO beat Azure to market on ipv6 http://venturebeat.com/2014/06/17/digitalocean-ipv6/

Speaking of Azure and ip addresses http://www.pcworld.com/article/2363580/need-to-move-to-ipv6-highlighted-as-microsoft-runs-out-of-us-address-space.html
Re: Time Warner IPv6 Reverse DNS?
If your IPv6 subnet is being allocated by TW, then it is up to them whether or not to allow the customer to manage their own rDNS. I have not asked about IPv6 with Comcast Business, but I know with IPv4 IP blocks, they will turn the request around pretty quickly once asked.

Robert

On Thu, 12 Jun 2014 17:58:08 +0200 hasser css wrote:

Some IPv6 email is not working well for me on my TWC Internet connection due to their IPv6 block not having PTR records. Is it possible for me to delegate my IPv6 range to my own DNS server, or something similar? I have talked to level 3 support and they were pretty much clueless, so I decide to ask here if anyone has insight or similar issues in the past. Thanks!
Peak Servers Contact
Anyone at peak servers on this list? I am seeing major latency and packetloss inside your network to both of my vps servers. Please contact off list. Robert
Re: crave your indulgence
Looks good from here:

Tracing route to 2001:500:84::b over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  2601:8:1400:880::1
  2     *        *        *     Request timed out.
  3    10 ms     9 ms     8 ms  te-9-3-ur01.shadygrove.va.richmond.comcast.net [2001:558:182:fb::1]
  4     9 ms     9 ms     7 ms  xe-12-0-1-0-ar02.staplesmllrd.va.richmond.comcast.net [2001:558:180:25::1]
  5    24 ms    24 ms    26 ms  pos-3-10-0-0-cr01.56marietta.ga.ibone.comcast.net [2001:558:0:f6e6::1]
  6     *        *        *     Request timed out.
  7    23 ms    24 ms    23 ms  2001:559::1056
  8    23 ms    23 ms    24 ms  ae-6.r03.atlnga05.us.bb.gin.ntt.net [2001:418:0:2000::31]
  9    42 ms    76 ms    90 ms  ae-7.r21.dllstx09.us.bb.gin.ntt.net [2001:418:0:2000::37d]
 10    43 ms    41 ms    41 ms  ae-0.r20.dllstx09.us.bb.gin.ntt.net [2001:418:0:2000::a9]
 11    71 ms    73 ms    90 ms  ae-5.r20.lsanca03.us.bb.gin.ntt.net [2001:418:0:2000::295]
 12    71 ms    72 ms    74 ms  ae-1.r05.lsanca03.us.bb.gin.ntt.net [2001:418:0:2000::116]
 13    73 ms    72 ms    74 ms  2001:418:1401:1a::2
 14    72 ms    75 ms    72 ms  2001:1878::181:177
 15    74 ms    71 ms    71 ms  2001:500:84::b

On Tue, 27 May 2014 11:28:00 -0700 manning bill wrote:

If you wouldn’t mind a quick traceroute - Can you confirm reachability to the following: 2001:500:84::b

Thanks in advance.

/bill Neca eos omnes. Deus suos agnoscet.
Re: Comcast transit problems?
Looks like they are having issues other than Atlanta. http://downdetector.com/status/comcast-xfinity/map On Tue, 22 Apr 2014 09:06:35 -0500 Blair Trosper wrote: I'm being inundated with reports from Comcast customers in various markets about their inability to reach anything on AWS. For example, we have a few people in Atlanta that are all having this issue. What's more, they're having weird issues reaching things like Twitter or RingCentral (while other sites like Google and CNN work fine). (RingCentral's support department apparently knows about this and is telling their customers that use Comcast that they're aware of the issue but don't know what's going on at the present time.) Calls to the Comcast customer support just yield the "everything's fine, you're crazy" response from the staff. Can anyone from Comcast give me some help (or information) off list? -bt
RE: DMARC -> CERT?
Plus I guarantee that something this SIGNIFICANT would catch the attention of many tech news outlets, social sites, and many email lists if they had given due notice and allowed people time to digest the change. But, I guess since everything except their email has become pretty much irrelevant these days, they had to do something to get attention and try to be the big bully again. I personally run only a couple of small email lists in which the subscribers are specifically added by me when someone wants on, and this has caused us, because the submitter has a long time Yahoo email address and will not change, a huge headache. The sender has had to resort to sending email from Yahoo account multiple times in order to get the emails out to the 180+ subscribers. Some people cannot change their email due to having it for so long it is just not practical. Only other work around I have for this user is to give them a private email list on the email server where he can send from that is not a Yahoo address. This causes extra work because every email he wants to forward on, he must now first send it to the new private address, then login to the private email address web mail, then forward. I have to agree with the others out there that Yahoo SHOULD, not COULD, have handled this a lot better. All the other big ISP's out there should be whipping Yahoo's a$$ about right now. But as usual, not a peep!

Robert

-Original Message- From: Miles Fidelman [mailto:mfidel...@meetinghouse.net] Sent: Monday, April 14, 2014 5:28 PM Cc: NANOG Subject: Re: DMARC -> CERT? Christopher Morrow wrote: > On Mon, Apr 14, 2014 at 4:44 PM, Scott Howard wrote: >> On Mon, Apr 14, 2014 at 1:39 PM, Christopher Morrow >> wrote: >>> On Mon, Apr 14, 2014 at 4:34 PM, Matthias Leisi >>> wrote: They could have communicated, as in "listen folks, we are going to make a critical change that will affect mailing lists (etc...) in four weeks time". >>> communicated it where? >> >> "The Internet". 
> I was trying, really, to be not-funny with my question. > > if you're going to do something that has the potential to affect (say, > for example) email to a wide set of people, most of which are NOT your > direct users, how do you go about making that public? > > 'the internet' isn't really a good answer for 'how do you notify'. > Doug's note that: "email mailops" is good... but I'm not sure how many > people that run lists listen to mailops? (I don't ... i don't run any > big list, but...) > > I also wonder about update cycles for software in this realm? and for > very larger list operators there's probably some customization and > such to hurdle over on the upgrade path, eh? so how much leadtime is > enough? how much is too much? 1yr seems like a long time - people will > forget, 1wk doesn't seem like enough to avoid firedrills and > un-intended bugs. > >> A blog entry and a post to a few key relevant mailing lists would have > specifically which mail-lists? > > How about the support lists for all the email list packages they could think of - let's start with mailman, majordomo, listserve, listproc, sympa, ezmlm, . Might have been nice if they'd offered some support for patching the open source ones. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. Yogi Berra
Re:
It is actually a 4001i for an IBM Blade Chassis. Sorry for that. So in this setup, port a would be a trunk with multiple vlans connection back to a 6509. port b would be a switch port in access mode that connects to an IBM blade in the chassis. Not sure that this situation fits either of those scenarios. Overall problem is that we are seeing performance issues between servers. These servers are all AIX based. We believe/know that we have some misconfigurations in the environment with jumbo frames and flow control. My curiosity about the discards is due to those misconfigurations. The port I mentioned in my original email has around 480 million output packets to the 1.1 million discards. We do have IBM and Cisco support engaged, I am just trying to make sure I understand enough to be dangerous when I am working with them.

Robert

On Thu, 27 Mar 2014 12:55:46 -0400 Lee wrote:

On 3/27/14, rw...@ropeguru.com wrote:

So I certainly admit I am a basic networking guy and in the past have not had to get into the nitty gritty of port statistics. I am trying to understand some statistics off a switch port in a Nexus 4001i.

Good luck. I couldn't find anything for a nexus 4000, but did find this for IOS:

In-Discard - The result of inbound valid frames that were discarded because the frame did not need to be switched. This can be normal if a hub is connected to a port and two devices on that hub exchange data. The switch port still sees the data but does not have to switch it (since the CAM table shows the MAC address of both devices associated with the same port), and so it is discarded. This counter can also increment on a port configured as a trunk if that trunk blocks for some VLANs, or on a port that is the only member of a VLAN.

so if you've got something like

switch a: switchport trunk allowed vlan 1-5
switch b: switchport trunk allowed vlan 1-4

when switch a sends a frame on vlan 5, switch b counts it as an input discard.
Lee

All TX and RX counters look normal except on the TX side, I am showing 1107597 input discards. Last clearing of show counters is 1d8h ago. I have it in my mind that this particular counter is dropping packets coming in from another port inside the switch that are to be transmitted out to the end server. So let's say the interface I am looking at is port 2 on the switch. So server 1 sends a packet to port 1 on the switch. That packet then traverses to backplane, or inside the same ASIC, to port 2 on the switch. It is then dropped and not transmitted out to server 2. Is the scenario I just presented correct? Not looking for the reason in this email, just that my logical understanding is correct.

Robert

Sent from my Verizon Wireless 4G LTE smartphone
Switchport Counters - Take two
Apologies to everyone for the original email with no subject. I am having some senior email moments today. Anyway

So I certainly admit I am a basic networking guy and in the past have not had to get into the nitty gritty of port statistics. I am trying to understand some statistics off a switch port in a Nexus 4001i. All TX and RX counters look normal except on the TX side, I am showing 1107597 input discards. Last clearing of show counters is 1d8h ago. I have it in my mind that this particular counter is dropping packets coming in from another port inside the switch that are to be transmitted out to the end server. So let's say the interface I am looking at is port 2 on the switch. So server 1 sends a packet to port 1 on the switch. That packet then traverses to backplane, or inside the same ASIC, to port 2 on the switch. It is then dropped and not transmitted out to server 2. Is the scenario I just presented correct? Not looking for the reason in this email, just that my logical understanding is correct.

Robert
RE: Switchport Counters
Sent from my Verizon Wireless 4G LTE smartphone Original message From: rw...@ropeguru.com Date:03/27/2014 11:52 AM (GMT-05:00) To: nanog@nanog.org Subject:
[no subject]
So I certainly admit I am a basic networking guy and in the past have not had to get into the nitty gritty of port statistics. I am trying to understand some statistics off a switch port in a Nexus 4001i. All TX and RX counters look normal except on the TX side, I am showing 1107597 input discards. Last clearing of show counters is 1d8h ago. I have it in my mind that this particular counter is dropping packets coming in from another port inside the switch that are to be transmitted out to the end server. So let's say the interface I am looking at is port 2 on the switch. So server 1 sends a packet to port 1 on the switch. That packet then traverses to backplane, or inside the same ASIC, to port 2 on the switch. It is then dropped and not transmitted out to server 2. Is the scenario I just presented correct? Not looking for the reason in this email, just that my logical understanding is correct.

Robert

Sent from my Verizon Wireless 4G LTE smartphone
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Thanks everyone for the replies. I guess since they are done so infrequently, I was not a list member the last go around.

Robert

On Wed, 26 Mar 2014 12:58:44 -0400 Andrew Latham wrote:

Robert Perfectly normal, almost an announce list for issues like this.

On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com wrote:

Is this normal for the list to directly get Cisco security advisories or something new. First time I have seen these.

Robert

On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00 UTC (GMT)

Summary
===

A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. 
Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

-- ~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Is this normal for the list to directly get Cisco security advisories or something new. First time I have seen these.

Robert

On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00 UTC (GMT)

Summary
===

A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. 
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Re: A little silly for IPv6
I would support THIS as a better reference than some of the other email responses I have gotten. Again comparing something like factual numbers of IPv6 addresses to the very fuzzy math of guessing how many atoms there are is very silly indeed.

On Wed, 26 Mar 2014 13:06:15 + Gary Buhrmaster wrote:

On Wed, Mar 26, 2014 at 12:55 PM, rw...@ropeguru.com wrote:

. I want to see HIS source of how many atoms are actually on the earth. Somehow, I do not think anyone knows that answer. So his comparison is a joke.

Obligatory xkcd ref: https://xkcd.com/865/
Re: IPv6 isn't SMTP
On Wed, 26 Mar 2014 07:45:06 -0500 Daniel Taylor wrote: On 03/25/2014 11:18 PM, John Levine wrote: 3. Arguing about IPv6 in the context of requirements upon SMTP connections is playing that uncomfortable game with one's own combat boots. And not particularly productive. If you can figure out how to do effective spam filtering without looking at the IP addresses from which mail arrives, you will be in a position to make a whole lot of money. But, as always, I'm not holding my breath. R's, John PS: Note the word "effective". You look at the IP, and verify forward and reverse DNS. IPv6 doesn't make this any harder a problem than IPv4, it just means that we're going to *have* to reject mail that comes in from IPv6 addresses that don't have clean DNS. -- Daniel Taylor VP Operations Vocal Laboratories, Inc. dtay...@vocalabs.com http://www.vocalabs.com/ (612)235-5711

Actually, with all the discussion about ipv6 not having rDNS, in most cases, would that not make things easier? So those that want to run email servers SHOULD be on ISP's that allow for rDNS configuration for IPv6. There should be some vetting in the process by the ISP, maybe, before allowing this. So in essence, if you are a legitimate email host, you will have rDNS configured on IPv6 for your server. Again, as others have stated, rDNS should NOT be the only deciding factor in whether or not an email is legit. No rDNS, or having rDNS, should have some weight assigned to it for the overall evaluation of the sender.

Robert
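The "verify forward and reverse DNS" check and the weighted evaluation discussed in the message above, as an added example that is not part of the original thread. The zone data is constructed (2001:db8::/32 is the documentation prefix), the two lookup callables stand in for a real resolver, and the weights and threshold are hypothetical values chosen for illustration.

```python
import ipaddress


def _rev(ip):
    """ip6.arpa / in-addr.arpa query name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed records. The second PTR shows why the forward lookup matters:
# whoever holds the reverse zone can make a PTR claim any hostname.
PTR = {
    _rev("2001:db8:25::10"): ["mail.example.net."],
    _rev("2001:db8:bad::66"): ["mail.example.net."],
}
AAAA = {
    "mail.example.net": ["2001:0db8:0025:0000:0000:0000:0000:0010"],
}


def ptr_lookup(qname):
    return PTR.get(qname, [])


def addr_lookup(hostname):
    return AAAA.get(hostname, [])


def fcrdns(ip, ptr=ptr_lookup, fwd=addr_lookup):
    """Forward-confirmed reverse DNS.

    Returns (status, name): "no-ptr" when there is no PTR, "confirmed" when a
    PTR name resolves back to the connecting address, else "unconfirmed".
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(addr.reverse_pointer)]
    if not names:
        return ("no-ptr", None)
    for name in names:
        for candidate in fwd(name):
            # Compare parsed addresses so compressed and expanded IPv6
            # spellings of the same address match.
            if ipaddress.ip_address(candidate) == addr:
                return ("confirmed", name)
    return ("unconfirmed", names[0])


# Hypothetical weights: rDNS contributes to the verdict, it does not decide it.
RDNS_WEIGHT = {"confirmed": 0.0, "unconfirmed": 2.0, "no-ptr": 3.0}
REJECT_AT = 5.0


def score_sender(ip, other_signals):
    """Combine the rDNS weight with other per-message scores (name -> points)."""
    status, name = fcrdns(ip)
    total = RDNS_WEIGHT[status] + sum(other_signals.values())
    return {"status": status, "name": name, "score": total,
            "reject": total >= REJECT_AT}


if __name__ == "__main__":
    for ip in ("2001:db8:25::10", "2001:db8:bad::66", "2001:db8:99::1"):
        print(ip, score_sender(ip, {"content": 1.0}))
```

Setting the `no-ptr` weight at or above `REJECT_AT` turns this into the stricter reject-on-missing-rDNS policy Daniel describes.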
Re: A little silly for IPv6
On Tue, 25 Mar 2014 23:28:04 -0500 Larry Sheldon wrote:

According to the Ace of Spades HQ blog: IPv6 would allow every atom on the surface of the earth to have its own IP address, with enough spare to do Earth 100+ times.

-- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)

I want to see HIS source of how many atoms are actually on the earth. Somehow, I do not think anyone knows that answer. So his comparison is a joke.

Robert