On Thu, 20 Jan 2005, James Laszko wrote:
> Well, if the router CAN run BGP, the feed from Cymru is only about 84
> prefixes - not a lot of memory tied up there, is there?
I am *not* talking about the leaf - rather the core. I am curious what
resources are needed to manage 200K BGP peers other t
Well, if the router CAN run BGP, the feed from Cymru is only about 84
prefixes - not a lot of memory tied up there, is there?
If the router isn't capable of BGP, someone earlier today was kind
enough to post a script that they use to find changes to one of the
BOGON lists and suggested an Expect
We've had complaints from people at the other side of Broadwing
connections -- anyone here from Broadwing? Looks like you may even be
stripping 72.0.0.0/8 from BGP announcements.
James Laszko
Pipeline Communications, Inc.
[EMAIL PROTECTED]
-Original Message-
From: Christopher L. Mo
On Thu, 20 Jan 2005, James Laszko wrote:
> sort of mechanism. If they're not going to use something like the Cymru
> BOGON BGP feed they should build their own and should have configured
> their managed routers to query that from the beginning. As more
How would this scale for say 200K routers
On Thu, 20 Jan 2005, James Laszko wrote:
> > Wash, rinse, repeat for the other 70,000 routers you manage for
> > customers... This is definitely NOT a half-rack in a colo fix. Just
> > contacting the customers is a feat.
>
> In the same hand, do you know how hard it was to get in touch with
> so
On Fri, 21 Jan 2005, Bruce Tonkin wrote:
> > We know how to do 3-way handshakes. Rather a fundamental of
> > the Internet. So quickly folks forget
>
> The ICANN policy change had no impact on this particular incident.
>
> As the incident has been documented so far, the transfer would ha
On Thu, 20 Jan 2005, James Laszko wrote:
>
> > Wash, rinse, repeat for the other 70,000 routers you manage for
> > customers... This is definitely NOT a half-rack in a colo fix. Just
> > contacting the customers is a feat.
>
>
> And I completely agree that it's a big pain to coordinate this. I
On Fri, 21 Jan 2005 00:55:45 GMT, Will Hargrave said:
> I beg to differ - 3/4 of the Cisco routers in (enterprise) production are
> *unmaintained*. These will have a variety of vulnerable, buggy or just plain
> crap IOS versions and no-one would've even considered upgrading for years.
Oh.. I w
> Wash, rinse, repeat for the other 70,000 routers you manage for
> customers... This is definitely NOT a half-rack in a colo fix. Just
> contacting the customers is a feat.
And I completely agree that it's a big pain to coordinate this. In the
same hand, SBC and all other 'big' providers use
> Wash, rinse, repeat for the other 70,000 routers you manage for
> customers... This is definitely NOT a half-rack in a colo fix. Just
> contacting the customers is a feat.
In the same hand, do you know how hard it was to get in touch with
someone at SBC/SBC-IS/PBI/PacBell that knew what the hec
On Thu, 20 Jan 2005, James Laszko wrote:
>
> > > What's so bad about decent secure defaults?
>
> > I don't consider a configuration that disenfranchises part of the
> > internet as "decent [...] defaults." :)
>
> The big problem that we're experiencing here is that the big telco
> ISP's, network
On Thu, 20 Jan 2005 21:14:12 -0800, James Laszko <[EMAIL PROTECTED]> wrote:
> ...
> Why more people don't use resources like what Cymru offer is beyond
> me...
Not-Invented-Here syndrome?
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
>
> I can confirm that * did get in touch with our Production
> Manager (*) around 1pm Sunday
>
What I want to know, as a customer of a domain registrar and a holder of
many domains, is why wasn't the person/company paying for the domain
contacted throughout this process? It s
> > What's so bad about decent secure defaults?
> I don't consider a configuration that disenfranchises part of the
> internet as "decent [...] defaults." :)
The big problem that we're experiencing here is that the big telco
ISP's, network providers and managed service providers that should have
Vicky Rode <[EMAIL PROTECTED]> wrote:
> not sure if spiders fall under spam or ddos bracket when they
> repeatedly start hammering one's network. you could possibly report to
> spamcop (*grin*) to get a quicker response. spamcop hasn't been accurate
> in some instances :-)
Er.. just what would
"Chris A. Epler" <[EMAIL PROTECTED]> wrote:
> What's so bad about decent secure defaults? I just see it as a shortcut
Nothing at all as long as they remain decent.
New /8s getting allocated every few months make it positively indecent.
srs
On Fri, Jan 21, 2005 at 12:55:45AM +0000, Will Hargrave wrote:
> If filters depend on IOS upgrades then those filters are there to stay.
Perhaps the feature/filters ought to have an expiration date/TTL.
Hello Mark,
> That's what happened last weekend: Martin Hannigan and I got
> the ball rolling on Sunday morning about 1000 EST. Our 24x7
> customer service department contacted Dotster and Melbourne
> IT. Melbourne IT changed the panix.com name servers back to
> their original settings and
Hi, NANOGers.
Will makes an excellent point here:
] I beg to differ - 3/4 of the Cisco routers in (enterprise) production are
] *unmaintained*. These will have a variety of vulnerable, buggy or just plain
] crap IOS versions and no-one would've even considered upgrading for years.
While I don'
On Wed, 19 Jan 2005, Bruce Tonkin wrote:
> > > (5) The registry will send a message to the losing registrar
> > > confirming that a transfer has been initiated.
> >
> > Can you confirm or deny whether this actually happened in the
> > case of the panix.com transfer?
>
> I don't have any direct
On Thu, Jan 20, 2005 at 01:44:04PM -0500, [EMAIL PROTECTED] wrote:
> I'll go out on a limb and say that 3/4 of the Cisco routers in production use
> are managed by unqualified network monkeys employed by the leaf sites. The
> fact
[...]
I beg to differ - 3/4 of the Cisco routers in (enterprise)
On Fri, 2005-01-21 at 10:28 +1100, Bruce Tonkin wrote:
> Interestingly, the ICANN equivalent in Australia (auDA), does
> pro-actively enforce policies, and even took Capital Networks to court
> on the basis that they could be de-accredited as a registrar for .au, if
> they continued not to allow
> >
> > Accountability. Responsibility.
>
> I agree with you on this 100%. ICANN needs to enforce their
> current policies.
I agree too.
> Look at totalnic/pacnames. They have been
> refusing transfer requests years now until very very recent.
> What has ICANN done about all those co
Hello William,
>
> We know how to do 3-way handshakes. Rather a fundamental of
> the Internet. So quickly folks forget
>
> We knew in advance that the VRSN/NetSol/whatever protocol was
> terrible, and that the ICANN policy change was not going to
> be helpful.
The ICANN policy change
> However, that still looks to me like "Users can only ask that
> domains be locked." Unless you are claiming that users can
> send the lock request directly to the registry, and monitor
> its status.
Only a registrar can send commands directly the registry.
Different registrars offer dif
not sure if spiders fall under spam or ddos bracket when they
repeatedly start hammering one's network. you could possibly report to
spamcop (*grin*) to get a quicker response. spamcop hasn't been accurate
in some instances :-)
do you remember this inc
On Thu, 20 Jan 2005, Suresh Ramasubramanian wrote:
> On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > Inktomi (now Yahoo!) sends its spiders all over the Internet. Lately
> > some of our systems are reporting that they open many HTTP connections
> > to our web sites,
Ok. I think at this point we all know there are problems with the domain
transfer process. I suspect we can further agree that, as with many
serious problems, there were probably multiple contributing factors here.
I'd like to suggest that getting into a public screaming match or trying
to esta
On Thu, 20 Jan 2005 13:20:45 EST, "Chris A. Epler" said:
> What's so bad about decent secure defaults? I just see it as a shortcut
> to getting a router online, not a solution to security. If you're
> implementing a new router and setting up Bogon filters you should
> already know that they'll ne
On (20/01/05 13:20), Chris A. Epler wrote:
>
> What's so bad about decent secure defaults?
secure defaults are good...but there are other aspects of cisco ios which
would be better suited to be disabled out of the box: redirects, proxy
arp, tcp/udp small-servers, the lack of decent ssh (th
> What's so bad about decent secure defaults?
I don't consider a configuration that disenfranchises part of the
internet as "decent [...] defaults." :)
Cheers,
Rob
--- "Chris A. Epler" <[EMAIL PROTECTED]> wrote:
> Jared Mauch wrote:
>
> | I'm not saying this to trash cisco, many people
> there know that,
> | but the important thing is insuring that the
> global internet isn't
> | further harmed,
Jared Mauch wrote:
| I'm not saying this to trash cisco, many people there know that,
| but the important thing is insuring that the global internet isn't
| further harmed, and as more allocations are done the harm becomes
| greater and it hurts e
Apparently, some folks just don't get it
Richard Parker wrote:
... However, all domain holders
can directly monitor the status of their domain using the .com registry's
whois server - including whether or not their domain has a status of
registrar-lock. They do not have to rely on their regis
in-line:
Jared Mauch wrote:
| On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote:
|
|>David Barak <[EMAIL PROTECTED]> wrote:
|>
|>>While it says that bogon filters change, and provides
|>>a URL to check it, what percentage of folks w
11:02am Daniel Golding said:
> Is there an RFC or other standards document that clearly states that static
> bogon filter lists are a bad idea? While this seems like common sense, there
Since this keeps coming up. I'll toss my quick and dirty reminder cronjob
into the discussion. I cannot imagi
I will check on this and get back with
you.
Rodney
On Thu, Jan 20, 2005 at 11:18:10AM -0500, Joe Maimon wrote:
>
>
>
> David Barak wrote:
>
> >--- Suresh Ramasubramanian <[EMAIL PROTECTED]>
> >wrote:
> >
> >
> >
> >>David Barak <[EMAIL PROTECTED]> wrote:
> >>
> >>
> >>>While it says t
Andrew,
The 32-bit counters are a significant problem when using gigabit Ethernet
public peering interfaces. Needless to say, MAC accounting was not designed
for gigabit speeds. Frequent polling is, sadly, the only solution. If you
write your own scripts, make sure to account for counter wrapping.
David Barak wrote:
--- Suresh Ramasubramanian <[EMAIL PROTECTED]>
wrote:
David Barak <[EMAIL PROTECTED]> wrote:
While it says that bogon filters change, and
provides
a URL to check it, what percentage of folks who
would
use a feature like "autosecure" would ever upd
Is there an RFC or other standards document that clearly states that static
bogon filter lists are a bad idea? While this seems like common sense, there
was just an RFC published on why IP addresses for specific purposes (like
NTP) shouldn't be encoded into hardware.
Using a dynamic feed needs t
I'm hunting for some presentations or papers on what I've seen called
a "peering module", using a router, a L2 switch, and a router in
series, rather than a single router. Unfortunately, I can't remember
where I saw the detailed description, and I haven't been able to find
it in the NANOG archi
Take a look at http://jffnms.sourceforge.net
According to the author, whom I know very well, it will do exactly what
you need it to do:
---SNIP---
Yes, JFFNMS has a specific system to do this.
Using MAC Accounting, we track each MAC address, using ARP its IP, and using
BG
--- Suresh Ramasubramanian <[EMAIL PROTECTED]>
wrote:
> David Barak <[EMAIL PROTECTED]> wrote:
> >
> > While it says that bogon filters change, and
> provides
> > a URL to check it, what percentage of folks who
> would
> > use a feature like "autosecure" would ever update
> > their filters?
>
...and it's not like ARIN, etc., does not announce to the
Internet community when it allocates from address space
which may have previously been listed in various operational
places as "bogon" or "unallocated" -- they do.
I recall seeing similar announcements on the list from time
to time, sugg
On Thu, Jan 20, 2005 at 08:16:14PM +0530, Suresh Ramasubramanian wrote:
> On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch <[EMAIL PROTECTED]> wrote:
> > No, cisco providing a time sensitive feature like this
> > implies free upgrades to repair this critical defect. Just like
> > they give
On Wed, 2005-01-19 at 22:41, andrew matthews wrote:
> Anyone have any suggestions on graphing peering on a cisco router? I'm
> using mrtg and i did mac address accounting but the numbers are off.
off in what sense? We use mac-accounting, snmp and mrtg to graph per
peer utilization. The following
On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch <[EMAIL PROTECTED]> wrote:
> No, cisco providing a time sensitive feature like this
> implies free upgrades to repair this critical defect. Just like
> they give out free software to people without contracts when
> they have a major security
On Thu, Jan 20, 2005 at 08:03:42PM +0530, Suresh Ramasubramanian wrote:
> On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch <[EMAIL PROTECTED]> wrote:
> > Actually, my assumption is anyone with autosecure gets
> > free software upgrades for life, as this is a flexible list that
>
> ... or
On Thu, 20 Jan 2005 13:18:03 +, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> I hope that the NANOG reform discussion spends a good
> bit of its time on articulating a vision for the future
> of a membership-based NANOG organization, and not worry
> so much about past problems.
>
That is
On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch <[EMAIL PROTECTED]> wrote:
> Actually, my assumption is anyone with autosecure gets
> free software upgrades for life, as this is a flexible list that
... or as long as your support contract with cisco lasts, whichever
comes earlier.
--
S
On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote:
>
> David Barak <[EMAIL PROTECTED]> wrote:
> >
> > While it says that bogon filters change, and provides
> > a URL to check it, what percentage of folks who would
> > use a feature like "autosecure" would ever update
> > thei
Speaking on Deep Background, the Press Secretary whispered:
>
> (1) Stop blaming the victim!
To me, as big an issue as the original FUBAR is the
alleged/reported failure of both MelIT and VGRS to respond and
attempt to lessen the damage they had helped cause.
I'm no lawyer, but believe under US
Speaking on Deep Background, the Press Secretary whispered:
>
>
> on 1/19/05 9:56 PM, Bruce Tonkin at [EMAIL PROTECTED] wrote:
>
> > Here is the copy of the email Melbourne IT received.
>
> Thanks for providing a copy of the e-mail Bruce. You've been
> extraordinarily forthcoming on NANOG. I
> And not to forget that Panix was the 1st victim ever of a SYN attack in
> Sept 1996:
> http://www.panix.com/press/synattack.html
> http://www.panix.com/press/synattack2.html
And due to coordinated action between members of the
NANOG mailing list and the FIREWALLS mailing list,
within 24 hours
David Barak <[EMAIL PROTECTED]> wrote:
>
> While it says that bogon filters change, and provides
> a URL to check it, what percentage of folks who would
> use a feature like "autosecure" would ever update
> their filters?
>
What do they do to update that bogon list anyway - push a new IOS image
At 12:22 AM 20-01-05 +, Eric Brunner-Williams in Portland Maine wrote:
I picked 1990 because Panix is 15 year old.
And not to forget that Panix was the 1st victim ever of a SYN attack in
Sept 1996:
http://www.panix.com/press/synattack.html
http://www.panix.com/press/synattack2.html
Seems like
On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> Inktomi (now Yahoo!) sends its spiders all over the Internet. Lately
> some of our systems are reporting that they open many HTTP connections
> to our web sites, without ever sending any data and immediately
> disconne
Inktomi (now Yahoo!) sends its spiders all over the Internet. Lately
some of our systems are reporting that they open many HTTP connections
to our web sites, without ever sending any data and immediately
disconnecting. This is getting to a level where it disturbs us.
Is something broke over th
On Wed, 19 Jan 2005, Richard Parker wrote:
> on 1/19/05 9:56 PM, Bruce Tonkin at [EMAIL PROTECTED] wrote:
>
> > Here is the copy of the email Melbourne IT received.
>
> Thanks for providing a copy of the e-mail Bruce. You've been
> extraordinarily forthcoming on NANOG. I wish that Dotster, a
On Jan 19, 1:41pm, andrew matthews <[EMAIL PROTECTED]> wrote:
> Anyone have any suggestions on graphing peering on a cisco router? I'm
> using mrtg and i did mac address accounting but the numbers are off.
If you don't mind a reasonably inexpensive commercial solution, BENTO
does exactly what yo
oh my bad:
85.68/15
sorry for the mistake.
>>> RAMAHEFASON David FTC <[EMAIL PROTECTED]> 01/20 10:44 >>>
Hi,
we're AS34033 and have been assigned the 85.68/19 address space by RIPE
in October 2004.
But we still have some network reachability issues, often due to the use of "old"
BOGON
Hi,
You can also use the NetFlow/sFlow functionality on your peering interface,
and then parse/process the data using tools like ntop/flowscan and such.
David R.
>>> Daniel Golding <[EMAIL PROTECTED]> 01/20 12:04 >>>
Andrew's issue is this - he's got an Ethernet port on a public peering
switch with
Hi,
we're AS34033 and have been assigned the 85.68/19 address space by RIPE
in October 2004.
But we still have some network reachability issues, often due to the use of "old"
BOGON filters. Can you check that this
supernet is not part of your bogon filters anymore?
Thanks a lot
David Rama