RE: tcp bgp vulnerability looking glass and route server issues.

2004-04-21 Thread David Luyer
Lane Patterson wrote: > While I agree that publicly open route-views routers should not allow > display of "sho ip bgp nei" information, this is only giving away 4-tuple > info regarding non-production BGP sessions, right? So folks could > potentially flap the route-views sessions, but this will

RE: TCP/BGP vulnerability - easier than you think

2004-04-21 Thread David Luyer
Paul Jakma wrote: > On Wed, 21 Apr 2004, Iljitsch van Beijnum wrote: > > > On 21-apr-04, at 21:17, Paul Jakma wrote: > > > > > > I'm not recommending this for "small" peers as the crypto DoS risk > > > > is worse than what happens when the attack is executed > > > > successfully. > > > > > Why wo

BGP session reset in one packet [where a looking glass or route server is available]

2004-04-21 Thread David Luyer
It's not the general case, however... Some looking glass CGIs (in some cases, into production routers) permit "sh ip bgp nei " -- try typing "sum" and then "nei x.x.x.x" into the "show ip bgp" box on a looking glass CGI, or using the command on a route server with CLI access. This gives you: Lo

RE: Winstar says there is no TCP/BGP vulnerability

2004-04-21 Thread David Luyer
Michael, > > David Luyer wrote: > > Have done around 100 of these in the past 24 hours. It's > > not related to platform AFAIK - we've successfully done > > the changes on a lowly 2651 and 3620 without outages, but > > a 7200 with older IOS did have an

RE: Winstar says there is no TCP/BGP vulnerability

2004-04-21 Thread David Luyer
Michael Py wrote: > Christopher / Patrick, > > > Christopher L. Morrow wrote: > > I wasn't clear and for that I'm sorry. Except in the later > > code trains, or until the recent past (1 year or so) changing > > the BGP MD5 auth bits required the session to be reset. > > Then I'm the one sorry be

RE: TCP/BGP vulnerability - easier than you think

2004-04-20 Thread David Luyer
> > A significant number of BGP sessions will be with a source > > port of 11000, 11001 or 11002; BGP sessions are generally > > quite stable and Cisco routers start the source port at > > 11000. So attackers could cause enough disruption just > > targeting these three source ports. The other th

TCP/BGP vulnerability - easier than you think

2004-04-20 Thread David Luyer
> You missed the "(assuming the attacker can accurately guess both > ports)" part. > > This is BY NO MEANS a given. In fact, it is pretty much guaranteed to > not be a given on any router which has not recently been rebooted. (Or > at least that the attacker doesn't know has been recently reboo

RE: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-10 Thread David Luyer
> (Yes, that's an operational issue - if they are harvesting and selling a > list of known-good From: addresses on misrouted mail, this will eventually > end up adding to spam - and that's operational) Site Finder on its own added to spam; spam volumes increased as the number of "sender domain d

RE: CIsco 7206VXR w/NPE-G1 Question

2004-01-31 Thread David Luyer
Luke Starrett wrote (quoting me): > > PXF is found in the 7400 (old) and 7300 (newer) series. > > Not true. 7401 has a PXF. It's essentially an NSE-1 with GE/IO in a > pizza box. 7301 is based on the NPE-G1 and doesn't have a PXF anywhere > in sight. OK, more precisely (I did refer to the r

Re: CIsco 7206VXR w/NPE-G1 Question

2004-01-30 Thread David Luyer
On Fri, Jan 30, 2004 at 03:29:41PM -0200, Rubens Kuhl Jr. wrote: > > * The 7206VXR prior to the NPE-G1 could only do around 560Mbps > > per bus typically, due to PCI limitations. > > Which usually was not a problem with i-mix traffic or ddos-traffic, because > pps limitation would hit soo

RE: CIsco 7206VXR w/NPE-G1 Question

2004-01-30 Thread David Luyer
Michel Py wrote: > My limited experience with the 7206 > says that it might eventually be able to push _one_ gig from one PA to > another, but not aggregate: say you have 4 or 5 OC3s aggregating into a > GigE with some ACLs (which would run distributed on a 7500) I don't > think that even the NPE-

RE: Cisco 7600

2004-01-27 Thread David Luyer
Christopher Wolff wrote: > Several weeks ago there was a lively debate on Nanog regarding cisco > performance, if I recall correctly, one party indicated that they upgraded > from a 7206 NPE400 to a GSR and only saw a 30% improvement in CPU > utilization. That's a lot of bling bling for 30%... E

RE: in case nobody else noticed it, there was a mail worm released today

2004-01-27 Thread David Luyer
> This lovely little worm will start beating on the door at www.sco.com come > Feb 1/04. Interesting huh? Wonder if we should all be proactive to prevent the DoS attack, and drop the A records for www.sco.com now? Just in case any customers' clocks are set forward ;-) This virus, so far, has be

RE: IPv6

2003-06-13 Thread David Luyer
Daryl G. Jurbala wrote: > I guess that means vendor C has no excuse on the 7200 VXR > series (and I believe a few of the newer models). But I > still don't see anything fantastically IPv6 happening there. The 7206VXR (along with all 7200/7400) supports IPv6 in IOS 12.2S, 12.2T and 12.3. 12.2S is

RE: IPv6

2003-06-13 Thread David Luyer
Petri Helenius wrote: > The inventors of tag-switching^H^H^H^H^H^H^H^H^H MPLS seem to be > firm believers in that if they don't deliver the goods, the world will > stand still and wait. And of course you can tag^H^H^Hlabel switch IPv6 through a non-IPv6-aware core, it just breaks traceroute (as e

RE: IANA reserved Address Space

2003-05-31 Thread David Luyer
> > But not to be a pest but what are the odds > > the IANA would ever allocate the 1 and 100 > > nets to someone? > > 99% I can't imagine 100.0.0.0/8 remaining reserved - there's nothing particularly special about it (100=0x64... a number which represented in hex has digits which form a power o

RE: AS number consolidation

2003-05-30 Thread David Luyer
> Does anyone know of case studies of companies collapsing > multiple ASes > into one on their network? I have the Allegiance Telecom > presentation from > NANOG 27 but I would like to hear how other people have done > it as well. We have to date collapsed 6 AS numbers into 1. Approach was

RE: 69/8...this sucks

2003-03-12 Thread David Luyer
Stephen J Wilcox wrote: > On Wed, 12 Mar 2003, David Luyer wrote: > > Iljitsch van Beijnum wrote: > > > On Tue, 11 Mar 2003, Owen DeLong wrote: > > > > > > > In short, it doesn't. Longer answer, if the ISP configures > > > >

RE: 69/8...this sucks

2003-03-12 Thread David Luyer
Iljitsch van Beijnum wrote: > On Tue, 11 Mar 2003, Owen DeLong wrote: > > > In short, it doesn't. Longer answer, if the ISP configures > > his router correctly, he can actually refuse to accept > > advertisements from other sessions that are longer versions > > of prefixes received through this

RE: VoIP over IPsec

2003-02-18 Thread David Luyer
Iljitsch van Beijnum wrote: > So if the router uses tunnel mode (as per the RFC) despite the GRE > tunnel the packet has three IP headers... So that's 160 bits ethernet > layer 1 + 18 bytes ethernet layer 2 overhead, 24 bytes for the GRE > tunnel, 20 bytes for the IPsec tunnel mode IP header, 10

Re: [dmoore@caida.org: Re: Symantec detected Slammer worm "hours" before]

2003-02-14 Thread David Luyer
David Moore <[EMAIL PROTECTED]> wrote: > So actually thinking about this a bit more, our numbers count from > when single well connected or a set of less well connected hosts > are infected. If a single (or small number) of infected machines > were on slow links (dsl/cable modem/etc) it

Re: Lawful Interception in the world...

2003-02-11 Thread David Luyer
y also require keeping of the proxy logs. I don't know if it's still the case, but it used to be that Singapore had a "banned list" for the proxies and China took things to a further extreme by having an "ok sites list" rather than a "banned list". David. --

Re: redistribute bgp considered harmful

2002-10-07 Thread David Luyer
Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote: > But not allowing BGP -> IGP -> BGP might be a good one. On the other hand, > someone who is determined to screw up could do BGP -> IGP on one router > and IGP -> BGP on another. I've seen that done. And usefully. The case involved an AGS+ (BGP

Re: AP IX locations

2002-09-26 Thread David Luyer
> |I'm looking to improve my connectivity into the AP region, in > |a cost effective [i.e. for as little as possible :-)]. I have > |ruled out buying transit as it doesn't help the issue that I'm > |trying to resolve, so I was wondering if there was a location/IXP > |in the AP region that would

RE: IP address fee??

2002-09-06 Thread David Luyer
> I have tended as of late to avoid using the term "class > A/B/C". Too many > people at my job do not understand the meaning and make > themselves look > stupid. I have instead resorted to using mask be it a /24 or a /27 aka > "slash 27" it seems to work well with the people who have some > ex

Re: rewars/benefit bogon filters

2002-07-08 Thread David Luyer
jnelson wrote: > Bogon lists? How effective are they? DDoS scripts are abundant to > those who seek them. Am I going to reap any rewards by taxing my > edge routers an extra 25 lines of ACL? If you're using 'access-list compiled', you're not adding any load whatsoever, since there should be an

Bogus bogon?

2002-07-08 Thread David Luyer
Something looks wrong here: ; host ns.eu.sun.com ns.eu.sun.com A 192.18.1.3 ; wget -q -O- http://www.cymru.com/Documents/bogon-dd.html | grep '192.18' 192.18.0.0 255.254.0.0 192.18.0.0 255.254.0.0 192.18.0.0 0.1.255.255 192.18.0.0 0.1.255.255 The bogon list references rfc2455 as

Re: Sprint peering policy

2002-06-30 Thread David Luyer
> when this situation has existed in other industries, gov't intervention > has always resulted. even when the scope is international. i've not > been able to puzzle out the reason why the world's gov'ts have not > stepped in with some basic interconnection requirements for IP carriers. Some g

RE: Bet on with my boss

2002-06-23 Thread David Luyer
Scott Francis wrote: > On Fri, Jun 21, 2002 at 03:37:56PM -0400, > [EMAIL PROTECTED] said: > > Hi, > > > > How important is the phone to you? I mean, given some situation that > > arises, can we solve it without the phones? > > If the network is down, the phone is critical. For any > complica

RE: Error in assignments....?

2002-06-11 Thread David Luyer
istry. Consult ARIN, APNIC, RIPE, etc for IP space ownership details. Any RADB member can register pretty much any route/AS pair and many members don't bother to put real details when it comes to owner of the route, etc (putting the ISP instead of the c

RE: genuity - any good?

2002-04-12 Thread David Luyer
255.0 255.255.0.0 0.0.255.0 (might look less clear than a prefix list when you start wanting to let them permit say /19 thru /22, but then, router configs come from automated systems now, right? :-)) David. -- David Luyer Phone: +61 3 9674 7525 Network Dev

RE: genuity - any good?

2002-04-12 Thread David Luyer
o be able to prevent exceeding the limit and reset or restrict prefixes on your side, so you can fix the problem without having to contact all your peers and upstreams if something does go majorly wrong. David. -- David Luyer Phone: +61 3 9674 7525 Network Developmen

RE: More Questions of Exchange Points

2002-04-07 Thread David Luyer
Stephen J. Wilcox wrote (to Ruomei Gao): > I think you're mistaken in believing the Internet is structured and > organised in some way! :) The internet was an experiment to design a network resilient to attack, seeing as www.gov.ps has gone offline when Palestine was attacked, the experiment is

RE: Help with bad announcement from UUnet

2002-03-31 Thread David Luyer
> What would work better/faster? > > my-noc -> b0rken-noc > > or > > my-noc -> my-upstream-noc -> b0rken-noc-upstream-noc -> b0rken-noc > > ? OK, rant time (blame the easter long weekend... a 4 day weekend down here... and associated excessive alcohol)... General comment: the below isn't m

RE: Satellite latency

2002-03-05 Thread David Luyer
ven unable to directly communicate, but the good TCP stack in the middle can communicate to both of the dodgy TCP stacks at either end as well as providing a good window size to receive from the server and splitting the latency in half on each TCP connection leg a