Re: ED25519 SSHFP in OpenSSH IETF

2014-04-09 Thread Simon Perreault
On 2014-04-09 12:47, Loganaden Velvindron wrote: This situation is rather unusual, and that makes me wonder what's exactly going on there, as I believe that we've done our homework correctly. UNUSUAL??? The IETF is notorious for its incredible delays. The situation is typical IMHO. Nobody

Re: PF rule for transparent siproxd ?

2014-04-07 Thread Simon Perreault
I don't know the direct answer to your question, but taking a step back... Any reason you want a transparent SIP proxy rather than an explicitly-configured SIP B2BUA? The latter is usually much easier to set up and maintain. Simon -- DTN made easy, lean, and smart --

Re: NAT reliability in light of recent checksum changes

2014-01-28 Thread Simon Perreault
On 2014-01-27 21:21, Geoff Steckel wrote: It would be good if when data protected by a checksum is modified, the current checksum is validated and some appropriate? action is done (drop? produce invalid new checksum?) when proceeding. This is exactly what's being done. Don't you listen

Re: NAT reliability in light of recent checksum changes

2014-01-28 Thread Simon Perreault
On 2014-01-28 03:39, Richard Procter wrote: In order to hide payload corruption the update code would have to modify the checksum to exactly account for it. But that would have to happen by accident, as it never considers the payload. It's not impossible, but, on the other hand, checksum

Re: NAT reliability in light of recent checksum changes

2014-01-28 Thread Simon Perreault
On 2014-01-28 12:45, Stuart Henderson wrote: This analysis is bullshit. You need to take into account the fact that checksums are verified before regenerating them. That is, you need to compare a) verifying + regenerating vs b) updating. If there's an undetectable error, you're going to

Re: NAT reliability in light of recent checksum changes

2014-01-27 Thread Simon Perreault
On 2014-01-25 14:40, Richard Procter wrote: I'm not saying the calculation is bad. I'm saying it's being calculated from the wrong copy of the data and by the wrong device. And it's not just me saying it: I'm quoting the guys who designed TCP. Those guys didn't envision NAT. If you want

Re: Why anyone in their right mind would like to use NAT64

2012-10-25 Thread Simon Perreault
On 2012-10-25 07:45, chrisbenn...@bennettconstruction.us wrote: I have two very old IP print servers that work just fine. You just have to flip those 4 tiny little switches to get access to program them over IP. Can I get another tiny switch to add IPv6? You could just map an IPv6 address

Re: Why anyone in their right mind would like to use NAT64

2012-10-25 Thread Simon Perreault
On 2012-10-25 00:20, Constantine A. Murenin wrote: No dual-stacking is provided; in their slides from [0], T-Mobile USA claims that IPv6-only with NAT64/DNS64 is cheaper than dual-stack with NAT44. Yes. I forgot to mention another reason why the 3GPP folks like NAT64: most 3GPP equipment

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
One use case: ISP who wants to provide IPv4+IPv6 to customers, but does not have enough IPv4 addresses for everyone, so has to NAT anyway, and wants to simplify the operation of its edge network by running only one protocol. Quite popular with 3GPP folks since they have zillions of customers

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 14:25, Kurt Mosiejczuk wrote: The one use I could think of is to make your internal network independent of your ISP. Right now, if you change ISPs, your network prefix changes and your whole network has to be renumbered. I read about it in the following article earlier this

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 14:54, Claudio Jeker wrote: But less PI space. Since some evangelists believe in the superiority of IPv6 and try everything to make it impossible to get routable PI space. At the moment IPv6 is a step backwards in all regards. Wait wait wait... what RIR doesn't take multihoming

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 15:29, Barbier, Jason wrote: Well expanding on the address space and numbering issue, that would be a valid use for NAT but I honestly think it would be better to actually try and fix that before trying to put a hack over the top of it. I'm going to wait a long time for a

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 15:38, Barbier, Jason wrote: I'm going to wait a long time for a firmware update that makes my IPv4-only printer speak IPv6. Well man there are several stable implementations of 4 to 6 and 6 to 4 bridges. I don't know what kind of bridges you're talking about, but I'll

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 15:59, Paul de Weerd wrote: On Wed, Oct 24, 2012 at 03:42:52PM -0400, Simon Perreault wrote: | On 2012-10-24 15:38, Barbier, Jason wrote: | I'm going to wait a long time for a firmware update that makes my | IPv4-only printer speak IPv6. Even if it did, would you trust

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 16:30, Claudio Jeker wrote: With IPv6 multihoming should work trivially: plug two access lines into a switch, get RAs from both, get addresses from both on your end-host, and your end-host needs to select the proper route for each source address. Again, no NAT or BGP.

Re: Why anyone in their right mind would like to use NAT64

2012-10-24 Thread Simon Perreault
On 2012-10-24 15:12, Jussi Peltola wrote: On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote: What you need to multihome is either BGP or NAT. Exactly as in IPv4. Nothing has changed. The only new thing with IPv6 is that there's more bits. Oh? I have two internet connections

Re: [OpenBGPd = Cisco] error in OPEN message, unknown subcode 8

2012-10-10 Thread Simon Perreault
On 2012-10-10 06:13, Laurent CARON wrote: On my side I do have 2 OpenBSD (OpenBGPd) boxes. What versions? In my logs I do observe this: A pcap dump would be useful... Oct 9 09:44:40 bgpgw-003 bgpd[17498]: neighbor 193.105.232.181 (pv4_gw-003_to_ISC): state change Idle - Connect,

Re: [OpenBGPd = Cisco] error in OPEN message, unknown subcode 8

2012-10-10 Thread Simon Perreault
On 2012-10-10 11:51, Laurent CARON wrote: A pcap dump would be useful... Here it is: http://elfe.lncsa.com/get?k=5Rya5Acaq26TqJ9MXG The pcap shows that the Cisco box is refusing your OPEN message. It doesn't like it for some reason. You need to figure out why. Probably because of the

Re: SSI

2012-09-27 Thread Simon Perreault
On 2012-09-27 16:04, Brian Empson wrote: Has there been/are there plan to include some SSI functionality for BSD? Try mod_include. Doc here: http://httpd.apache.org/docs/1.3/mod/mod_include.html Simon

Re: How to PROVE your system is up to date?

2012-09-18 Thread Simon Perreault
On 2012-09-18 12:36, Ed Flecko wrote: I have State and Federal regulators that want me to PROVE (since they're only used to looking at Micro$oft servers) my OBSD 5.1 server is up to date, and there are no outstanding patches that need to be applied. *I* know that's the case, because I follow

Re: pf change state's altq queue

2012-09-17 Thread Simon Perreault
On 2012-09-17 11:57, Ted Unangst wrote: Here's the background. My cable ISP has this turbo boost thing where the first ~2 seconds of a connection download at 50Mbps, then it's throttled back to 20Mbps. I want to do this in pf (differentiate casual web browsing from long downloads). My

Re: pf change state's altq queue

2012-09-17 Thread Simon Perreault
On 2012-09-17 13:19, Ted Unangst wrote: I probably have missed something obvious... Why don't you just use hfsc? I want the queue to change based on the length of time (or data) the connection has been around. All of my traffic is going to be coming from port 80, so there's way to identify

Re: problem setting inet6 route

2012-09-04 Thread Simon Perreault
On 2012-09-04 02:13, Remi Locherer wrote: I now got an answer from Hetzner: - I'm not allowed to use an address from the gateway subnet. They will block my traffic if I'm using such an address - They recommend that I configure a /59 prefix. In my opinion this makes no sense. I now

Re: problem setting inet6 route

2012-08-31 Thread Simon Perreault
(I rearranged your email: provider info at the top, your actions at the bottom.) On 2012-08-31 03:19, Remi Locherer wrote: I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner also provides IPv6 but somehow with a strange setup. I got something like the following from them:

Re: problem setting inet6 route

2012-08-31 Thread Simon Perreault
On 2012-08-31 10:52, Remi Locherer wrote: Gateway Address: 2001:db8:1:1110::1/64 Subnet I can use: 2001:db8:1:/64 For Linux they give these instructions: linux# ip route add 2001:db8:1:1110::1 dev eth0 linux# ip route add default via 2001:db8:1:1110::1 I would understand this to mean:

Re: More sensible and consistent rc.conf.local

2012-08-29 Thread Simon Perreault
On 2012-08-29 09:57, Mikkel Bang wrote: If OpenBSD was on Git / at GitHub, youngins like me would have patched this baby up a long time ago. Sadly, a good argument against moving to Git. Simon

Re: IPv6, OpenBSD and .. Mac OS X Lion

2012-07-12 Thread Simon Perreault
On 07/12/2012 02:41 PM, Tor Houghton wrote: On Thu, Jul 12, 2012 at 12:32:52PM -0500, Mark Felder wrote: That's odd... I swear my wife's macbook has had functional IPv6 for quite a while... unless the recent Lion update nuked it and I didn't notice? Please report your findings -- I'd love to

Re: simple PF rule? redirect port without touching address

2012-07-09 Thread Simon Perreault
On 2012-07-09 10:17, Stuart Henderson wrote: On 2012-07-09, Fil DiNotofdin...@gmail.com wrote: But i was wondering if I could achieve something that would work for ALL the addresses behind the router as well without creating individual rules for each address. Something like this: pass in on

Re: OpenBSD as IPv4+6 gateway

2012-06-22 Thread Simon Perreault
On 2012-06-21 22:00, Hugo Osvaldo Barrera wrote: On 2012-06-21 17:22, Simon Perreault wrote: On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote: I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet

Re: OpenBSD as IPv4+6 gateway

2012-06-22 Thread Simon Perreault
On 2012-06-22 09:13, Mark Felder wrote: All someone out on the 'net needs to do is scan up through your address space on the link as quickly as possible, sending single packets at all the non-existent addresses on the link, and watch as your router CPU starts to churn keeping track of all the

Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Simon Perreault
On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote: My assigned block is 2800:40:402::0/48 My default gateway is 2800:40:402::: (it's inside my assigned block). Hugo, Friendly suggestion: read a book on IPv6. If you had understood the above information, you wouldn't be talking about

Re: Learning C Programming

2012-06-21 Thread Simon Perreault
On 2012-06-21 15:21, Juan Francisco Cantero Hurtado wrote: Some good or bad comments about Deitel's C How to program? http://www.deitel.com/Books/C/CHowtoProgram7e/tabid/3635/Default.aspx The worst book on C programming I've ever read. No, scratch that. The worst book on programming I've ever

Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Simon Perreault
On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote: I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router. Yes. If they don't allow that, then they don't know what

Re: pf and ICMP in asymmetric routing setups

2012-06-12 Thread Simon Perreault
On 2012-06-12 14:08, Bernd wrote: I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems. However, I see problems with ICMP. pf seems to

Re: pf and ICMP in asymmetric routing setups

2012-06-12 Thread Simon Perreault
On 2012-06-12 15:55, Bernd wrote: What might be the easiest solution to have pf not care about states any longer -- using 'keep state sloppy'? Or disabling statefulness entirely (how?)? If you don't need it, just disable pf. echo pf=NO >> /etc/rc.conf.local Sloppy tracking could work. Also check

Re: setsockopt question

2012-06-11 Thread Simon Perreault
On 2012-06-10 11:26, Peter J. Philipp wrote: + if (setsockopt(udp[i], IPPROTO_IPV6, + IPV6_HOPLIMIT,on, sizeof(on)) 0) { s/IPV6_HOPLIMIT/IPV6_RECVHOPLIMIT/ RFC 3542 for more info. Simon

Re: OpenBSD mailing lists demime in an ascii world

2012-06-05 Thread Simon Perreault
On 2012-06-04 19:10, Jérémie Courrèges-Anglas wrote: AFAIK SMTP without MIME can only transport ASCII. Sure, but shear.ucar.edu advertizes 8BITMIME, the only problem here is demime. 8BITMIME is useless. It only allows SMTP to transport arbitrary 8-bit content. It still doesn't allow you to

Re: OpenBSD mailing lists demime in an ascii world

2012-06-05 Thread Simon Perreault
, Simon Perreault wrote: On 2012-06-04 19:10, Jérémie Courrèges-Anglas wrote: AFAIK SMTP without MIME can only transport ASCII. Sure, but shear.ucar.edu advertizes 8BITMIME, the only problem here is demime. 8BITMIME is useless. It only allows SMTP to transport arbitrary 8-bit content. It still

Re: OpenBSD mailing lists demime in an ascii world

2012-06-04 Thread Simon Perreault
On 2012-06-02 13:19, Jérémie Courrèges-Anglas wrote: As you'll see in my signature above, 8 bit characters are mangled on OpenBSD mailing lists. Not that I care much, but passing the demime perl script a ''-8'' argument would be enough to solve that (if that is desired). AFAIK SMTP without

Re: SMTP server pools at odds with the RFC?

2012-06-04 Thread Simon Perreault
On 2012-06-04 06:06, David Diggles wrote: I was just thinking surely resending from a different IP breaks the RFC for SMTP? Then I did some googling, and found this. http://bsdly.blogspot.com.au/2008/10/ietf-failed-to-account-for-greylisting.html Not only is greylisting fine from a protocol

Re: OpenBSD in April's issue of the CACM

2012-05-30 Thread Simon Perreault
On 2012-05-29 19:40, Theo de Raadt wrote: http://www.freebsd.org/news/status/report-2011-10-2011-12.html#The-New-CARP Look at that last entry about talking to IANA! The entry in question is: 4. Work with IANA to get an official protocol number. gnn@ to handle. This shows ignorance about how

Re: Recent BIND ports

2012-05-25 Thread Simon Perreault
On 12-05-25 06:24, Kostas Zorbadelos wrote: Henning Brauerlists-open...@bsws.de writes: * Kostas Zorbadeloskzo...@otenet.gr [2012-05-25 10:06]: from all relevant discussions I have seen it seems that BIND in base will not be updated to a newer version and unbound has a good chance to be

Re: Recent BIND ports

2012-05-25 Thread Simon Perreault
On 2012-05-25 15:14, Kostas Zorbadelos wrote: filter-aaaa-on-v4 (9.7+) (needed now) purely out of curiosity: why? Crude workaround for increased levels of IPv6 brokenness in our networks (aka CPE with broken firmware). Needed until the proper solution is given. Interesting, thanks. In any

Re: Recent BIND ports

2012-05-25 Thread Simon Perreault
On 2012-05-25 15:33, Kostas Zorbadelos wrote: Yes, I have understood that. The question remains: what do you think of ports for recent BIND versions? I am running a hand-compiled BIND 9.9 right now for the DNS64 feature. I'd like to have an up to date port. I don't one to contribute, so I

Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-11 Thread Simon Perreault
On 2012-05-11 04:15, Garry Dolley wrote: I now have an amd64 test VM set up, where I installed stock 5.0. I ran a lot of traffic over em0 without any timeouts. That's expected. 5.0 has been running without issue for me for a long time. I also have been trying several -current kernels. As

Re: IPv6 and carp(4) problems

2012-05-09 Thread Simon Perreault
Resurrecting an old topic... On 2011-10-27 16:05, Stefan Rinkes wrote: I'm currently using a current kernel with following patch: --- sys/netinet6/in6.c 8 Aug 2011 13:04:35 - 1.93 +++ sys/netinet6/in6.c 27 Oct 2011 19:59:00 - @@ -2476,6 +2476,14 @@ in6if_do_dad(struct ifnet *ifp) * NS

Re: slightly OT be my own dyndns provider

2012-05-08 Thread Simon Perreault
On 2012-05-08 08:09, Stuart Henderson wrote: One method is to run your own name server and have a way to update the zone database with your dynamically updated entries.[...] Another option is to use generated zone files [...] Alternatively outsource DNS hosting [...] Or you could do a

Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-08 Thread Simon Perreault
On 2012-05-08 19:08, Per-Olov Sjvholm wrote: It says em1: watchdog timeout -- resetting aol I saw the same on an amd64 VPS from arpnetworks.com. Network was not functional. Backed out. Did not investigate further. /aol Simon

Re: Memory usage of BIND process

2012-04-20 Thread Simon Perreault
On 2012-04-20 07:43, Kostas Zorbadelos wrote: I understand the kernel VM layers are completely different, but how come the named process on OpenBSD for the same load consumes so low resident memory? Also, why VZS RSS on OpenBSD? The general question I am trying to answer is, can BIND utilize

Re: Memory usage of BIND process

2012-04-20 Thread Simon Perreault
On 2012-04-20 14:07, Kostas Zorbadelos wrote: Eventually you are right. However I am trying to answer the primitive question: should I buy servers with a lot of RAM or not? If BIND cannot utilize more than 4GB let's say, it makes no sense to buy servers with 32GB. The servers' only role will be

Re: random nat, ftp clients and 425: Securiy: Bad IP connecting

2012-02-29 Thread Simon Perreault
On 2012-02-28 08:23, Stuart Henderson wrote: btw: that random stuff, at least without source-tracking, is likely to break bank websites etc. This is right. Random pools break a lot of things in practice. Do use random it if you're paranoid and don't care about breaking things. Otherwise, the

Keyboard mapping

2012-01-23 Thread Simon Perreault
Here's yet another question about keyboard mapping... When I boot bsd.rd and pick the cf keyboard mapping in the installer, everything works perfectly. After I reboot (bsd.mp), the keyboard seems correctly mapped (keys are at the right places), but some keys do nothing (e-acute (not a dead

Re: Keyboard mapping

2012-01-23 Thread Simon Perreault
On 2012-01-23 16:40, Steffen Daode Nurpmeso wrote: If the program you are working with is eight bit clean (ksh(1) doesn't work, csh(1) does), maybe it's the mapping. THANK YOU! Keys work fine in csh, not in ksh. And bsd.rd uses sh IIRC, so that would be the answer. Thanks! Simon

Re: Limit ICMP echo reply

2012-01-12 Thread Simon Perreault
On 01/11/2012 06:39 PM, Limaunion wrote: Hi all! very simple PF question, is it possible to limit the number of ICMP echo replies, like 5/min from any source address ? If you're looking to limit the rate emitted by OpenBSD as a host, check out the net.inet.icmp.errppslimit sysctl. If you're

Re: CARP health check ?

2012-01-12 Thread Simon Perreault
On 01/12/2012 01:18 PM, PP;Q Q P(P8P?P8QP8P= wrote: we are using nagios for monitoring and it is running on separate server. we do not want to monitor server from inside. we want to run run something via ssh and see whether carp peer is dead or not. Give each server its unique IP address.

Re: CARP health check ?

2012-01-12 Thread Simon Perreault
On 01/12/2012 01:49 PM, PP;Q Q P(P8P?P8QP8P= wrote: most of our carp clusters run on single address. no spare IP space. That's the root of the problem. Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports? Otherwise, you'll have to invent a hackish and fragile solution...

Re: inet6 autoconfprivacy broken on -current ?

2012-01-07 Thread Simon Perreault
On 02/01/2012 6:00 PM, Mattieu Baptiste wrote: On my machine running -current/amd64, inet6 autoconfprivacy seems to break neighbor sol/adv. I just tested this and it works for me. Sorry. Simon

Re: ping6 bug or feature?

2011-12-05 Thread Simon Perreault
Peter J. Philipp wrote, on 12/04/2011 08:06 AM: Somewhere inside ping6 the return address is not checked with the outgoing address and it happily accepts 2001:a60:f074::25 as a valid return address in my case. That's a feature. Think about what would happen when pinging a multicast or an

How to use /dev/srandom

2010-09-29 Thread Simon Perreault
Hello, I'm trying to use /dev/srandom, but I can't get even a single byte out of it. To reproduce: $ hexdump -n 1 /dev/srandom It just hangs there, sleeping. If I use /dev/urandom instead, it returns immediately, as expected: $ hexdump -n 1 /dev/urandom 000 0069 001 I tried on

Re: How to use /dev/srandom

2010-09-29 Thread Simon Perreault
On 2010-09-29 10:36, Theo de Raadt wrote: it is hanging because: 23208 hexdump CALL read(0,0x81ffc000,0x1) It is trying to read too much. A whole buffer, into stdio. So it empties the pool it can have, and then has to wait for more. eventually it does get data, and print 1 char.

Re: How to use /dev/srandom

2010-09-29 Thread Simon Perreault
On 2010-09-29 10:49, Theo de Raadt wrote: Perhaps a posix weenie can look into making hexdump use setvbuf and adjusting the read requirements for fread() when the length (-n argument) is specified as being short of the blocksize. How about this weenie? Index: display.c

Re: Source Overview

2010-04-21 Thread Simon Perreault
On 2010-04-21 14:35, Theo de Raadt wrote: They mailed diffs. Not requests for tasks. If you request a task, it means you have no itch to scratch. You're just looking for an excuse to program. And it's often not enough motivation.

Re: Question regarding MSS

2010-04-15 Thread Simon Perreault
On 2010-04-15 12:18, Matthew Sullenberger wrote: I understand the host I am trying to communicate with has its own set of issues, but my question to Misc is that I was under the belief that if either side did not explicitly send a MSS during the handshake the required behavior was to default to

Re: Question regarding MSS

2010-04-15 Thread Simon Perreault
On 2010-04-15 13:46, Matthew Sullenberger wrote: So would this be possibly a bug in the OpenBSD PMTU implementation (the expected behavior occurs and the connection works normally if I disable PMTU) and if so should I be submitting some kind of official report? Maybe. Use sendbug(1). Simon --

Re: Load Balance Outgoing Traffic and Killing Interface-Specific States

2010-03-23 Thread Simon Perreault
On 2010-03-23 18:54, Daniel Melameth wrote: Using the example from the PF User's Guide (http://www.openbsd.org/faq/pf/pools.html#outgoing), what's the best way to kill all states related to ONE of the route-to interfaces created by the pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2

Re: Load Balance Outgoing Traffic and Killing Interface-Specific States

2010-03-23 Thread Simon Perreault
On 2010-03-23 19:13, Simon Perreault wrote: How about this? pfctl -k $int_lan -k $ext_gw1 This is so wrong, I am ashamed. Simon -- NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca STUN/TURN server-- http://numb.viagenie.ca vCard 4.0 -- http://www.vcarddav.org

Re: How to make FTP work from the firewall system?

2010-03-16 Thread Simon Perreault
On 03/15/2010 11:49 PM, Dave Anderson wrote: I'm configuring a notebook which will use PF to protect itself from the environments in which I use it, and would like to have FTP 'just work' on it -- whether it's from an explicit FTP command, from a browser, or embedded in some other program or

Re: How to make FTP work from the firewall system?

2010-03-16 Thread Simon Perreault
J.C. Roberts wrote: match out on ? proto tcp from ? to any port ftp \ rdr-to 127.0.0.1 port 8021 You can't do that. rdr-to only works on input. Without testing it, I don't know how the potential loop can be avoided, or if it even needs to be avoided (note the match out