The whole thread made me think about this:
http://www.ipinc.net/IPv4.GIF
The energy that people are willing to spend to fix it (NAT, LSN), rather than
bite the bullet is amazing.
On Wed, Apr 21, 2010 at 9:35 PM, wrote:
> On Thu, 22 Apr 2010 07:30:51 +0930, Mark Smith said:
>
>> " The following table shows the probability of a collision for a range
>> of connections using a 40-bit Global ID field.
>>
>> Connections Probability of Collision
>>
>> 2
On Wed, Apr 21, 2010 at 5:47 PM, Mark Smith
wrote:
> On Wed, 21 Apr 2010 09:25:46 -0400
> Christopher Morrow wrote:
>
>> On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
>> > While I think this is an improvement, unless the distribution of ULA-C is
>> > no cheaper
>> > and no easier to get t
On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
> William Herrin wrote:
>>> Not to take issue with either statement in particular, but I think there
>>> needs to be some consideration of what "fail" means.
>>
>> Fail means that an inexperienced admin drops a router in place of the
>> firewall
No. UCEProtect is certainly not a decent or any other kind of place to start.
The MAAWG BCPs have far more available than one of the worst
maintained blacklists that has ever been in existence.
If you want FAQs from blocklists - there is much that's available on
the spamhaus.org website
On Thu,
If you have left port 25 open, this is a good place to start.
http://www.uceprotect.net/en/rblcheck.php
I suspect any decent IDS will tell you which machine has weird traffic. I
suppose you can put rules based on the IDS result to redirect them to a special
web page to tell them, they have to d
On Thu, 22 Apr 2010 07:30:51 +0930, Mark Smith said:
> " The following table shows the probability of a collision for a range
> of connections using a 40-bit Global ID field.
>
> Connections    Probability of Collision
>
> 2              1.81*10^-12
> 10
Log and monitor all that you can. And watch for a large number of IPs
logging into an account over a day (over a set limit - even across
country - that takes into account "home - blackberry - airport lounge
- airport lounge in another country - hotel - RIPE meeting venue"
type scenarios).
And esp
gordon b slater [gordsla...@ieee.org] wrote:
> On Mon, 2010-04-12 at 16:06 -0400, James Jones wrote:
> > kind of routerOS supports MPLS, linux does not
>
> Likewise the FreeBSD MPLS effort, though this seems to be more like
> familiar territory for BSD-heads, but, as ever, funding and equipment
Consider also smtps port which should be treated like smtp port and not like
submission port, or simply do not listen on smtps as TLS is available on smtp
port via esmtp.
A lot of providers are now blocking smtp traffic from dynamic/residential IPs,
and all clients support to enter submission p
Charles Morris wrote:
http://www.os-bc.de/home.php
This is spam by the way. The url redirects to a Canadian med site. The
original sender may check if he has any malware running...
--
http://goldmark.org/jeff/stupid-disclaimers/
on Tue, Apr 20, 2010 at 11:39:11PM -0500, James Hess wrote:
> EXCEPT that is just an example,don't actually use a hostname
> like "ip192-0-0-1.example.com." in real life.
>
> [*] Certain overly aggressive blacklists assume that the host must be
> a dynamic / dial-up user due to the pre
Jack Bates wrote:
If you mean, "do we still need protocols similar to uPNP" the answer is
yes. Of course, uPNP is designed with a SPI in mind. However, we
simplify a lot of problems when we remove address mangling from the
equation.
Let's not forget why UPNP is what it is and why it should go a
William Herrin wrote:
Not to take issue with either statement in particular, but I think there
needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on va
On 4/21/2010 6:49 AM, Claudio Lapidus wrote:
So we are considering ways to further filter this traffic. We are evaluating
implementation of MSA through port 587.
RFC 5068, Email Submission Operations: Access and Accountability Requirements,
is a BCP. It specifies authenticated port 587 for
On Thu, Apr 22, 2010 at 07:17:20AM +0930, Mark Smith wrote:
> On Wed, 21 Apr 2010 09:25:46 -0400
> Christopher Morrow wrote:
>
> > On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
> > > While I think this is an improvement, unless the distribution of ULA-C is
> > > no cheaper
> > > and no ea
On Wed, 21 Apr 2010 09:11:38 -0700
David Conrad wrote:
> On Apr 21, 2010, at 7:56 AM, Christopher Morrow wrote:
> > yes... for those less willing to search: "Unique Addresses are Good"
> > ...
> > This does seem to be pretty much exactly my point (their point I suppose)
>
> Yup. Back in the day
On 21 apr 2010, at 16.14, Leen Besselink wrote:
> We added SSL to our SMTP-service and tell our customers to use SSL (not TLS)
> with authentication and have the mailserver listen on the TCP-ports which
> the mailclients pick for that (of which there are a few if I'm not mistaken).
Assuming that
On Wed, 21 Apr 2010 09:25:46 -0400
Christopher Morrow wrote:
> On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
> > While I think this is an improvement, unless the distribution of ULA-C is
> > no cheaper
> > and no easier to get than GUA, I still think there is reason to believe
> > that i
On Wed, Apr 21, 2010 at 03:22:47PM -0500, Randy Bush wrote:
> > if you think something like this is a good idea, worth
> > pursuing, I'd like to hear from you.
>
> and for those of us who think this whack-a-mole is still a stupid idea,
> where do we write?
>
> randy
apparently the same
> I see a need for stable, permanent blocks of addresses within an
> organization.
yep. unicast ipv6 address space will do just fine.
randy
> if you think something like this is a good idea, worth
> pursuing, I'd like to hear from you.
and for those of us who think this whack-a-mole is still a stupid idea,
where do we write?
randy
Dave Sparro wrote:
Don't you get all of the same problems when there is a properly
restrictive SPI firewall at both ends of the connection, regardless of
whether NAT is used as well?
If you mean, "do we still need protocols similar to uPNP" the answer is
yes. Of course, uPNP is designed with
On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer wrote:
> On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
>> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
>> > NAT _always_ fails-closed
>> Stateful Inspection can be implemented fail-closed.
>
> Not to take issue with either statement in parti
No. You get a different set of problems, mostly administrative.
On Apr 21, 2010, at 1:53 PM, Dave Sparro wrote:
> On 4/21/2010 8:46 AM, Jim Burwell wrote:
>>
>> Despite it doing the job it was intended to do, I've always seen NAT
>> as a bit of an ugly hack, with potential to get even uglier w
On 4/21/2010 8:46 AM, Jim Burwell wrote:
Despite it doing the job it was intended to do, I've always seen NAT
as a bit of an ugly hack, with potential to get even uglier with LSN
and multi-level NAT in the future. I personally welcome a return to a
NAT-less world with IPv6. :)
Don't you
On Wed, Apr 21, 2010 at 09:11:38AM -0700, David Conrad wrote:
> On Apr 21, 2010, at 7:56 AM, Christopher Morrow wrote:
> > yes... for those less willing to search: "Unique Addresses are Good"
> > ...
> > This does seem to be pretty much exactly my point (their point I suppose)
>
> Yup. Back in th
On Apr 21, 2010, at 7:56 AM, Christopher Morrow wrote:
> yes... for those less willing to search: "Unique Addresses are Good"
> ...
> This does seem to be pretty much exactly my point (their point I suppose)
Yup. Back in the day, the folks who ran the RIRs (at the time) were a bit
distressed at
At 15:37 -0500 4/20/10, Larry Sheldon wrote:
To minimize unwarranted hassle, if you will have email senders, spend
some time looking into the "requirements". I don't think there are any
RFC or other authoritative standards in the matter.
This is as close as the IETF has come to a document.
ht
On Apr 21, 2010, at 7:23 AM, David Conrad wrote:
> On Apr 21, 2010, at 6:25 AM, Christopher Morrow wrote:
>> I agree with owen, mostly... except I think we should just push RIR's
>> to make GUA accessible to folks that need ipv6 address space,
>> regardless of connectivity to the greater 'internet'
On Wed, Apr 21, 2010 at 10:49:07AM -0300, Claudio Lapidus wrote:
> At our ISP operation, we are seeing increasing levels of traffic in our
> outgoing MTA's, presumably due to spammers abusing some of our subscribers'
> accounts. [snip]
A discussion on this topic is happening on spam-l at the mome
On Wed, Apr 21, 2010 at 10:23 AM, David Conrad wrote:
> On Apr 21, 2010, at 6:25 AM, Christopher Morrow wrote:
>> I agree with owen, mostly... except I think we should just push RIR's
>> to make GUA accessible to folks that need ipv6 address space,
>> regardless of connectivity to the greater 'inter
On Wed, Apr 21, 2010 at 9:42 AM, Daniel Senie wrote:
>
> On Apr 21, 2010, at 9:25 AM, Christopher Morrow wrote:
>
>> On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
>>> While I think this is an improvement, unless the distribution of ULA-C is
>>> no cheaper
>>> and no easier to get than GUA,
On Apr 21, 2010, at 6:25 AM, Christopher Morrow wrote:
> I agree with owen, mostly... except I think we should just push RIR's
> to make GUA accessible to folks that need ipv6 address space,
> regardless of connectivity to the greater 'internet' (for some
> definition of that thing).
See RFC 1814.
>>Inside customers, we have not changed to force port 587 and
>>authentication for email clients, but the topic has come up in
>>discussions. This won't, of course, stop spammers if they are hijacking
>>the users local email client settings.
How best would you stop spammers hijacking local users e
On Wed, Apr 21, 2010 at 10:05:34AM -0400, Mike Walter wrote:
> We have had very good luck with using port 587 and requiring the users
> to authenticate to send email from outside our network.
>
> Inside customers, we have not changed to force port 587 and
> authentication for email clients, but t
On Wed, Apr 21, 2010 at 10:49:07AM -0300, Claudio Lapidus wrote:
> Hello all,
>
Hello Claudio,
> At our ISP operation, we are seeing increasing levels of traffic in our
> outgoing MTA's, presumably due to spammers abusing some of our subscribers'
> accounts. In fact, we are seeing connections fr
>And when ISPs start using NAT for their customers, there will be more
>problems leading to more support calls.
You say this as though they don't do it now.
R's,
John
On Apr 21, 2010, at 9:57 AM, Dan White wrote:
> On 21/04/10 10:49 -0300, Claudio Lapidus wrote:
>> Hello all,
>>
>> At our ISP operation, we are seeing increasing levels of traffic in our
>> outgoing MTA's, presumably due to spammers abusing some of our subscribers'
>> accounts. In fact, we are
We have had very good luck with using port 587 and requiring the users
to authenticate to send email from outside our network.
Inside customers, we have not changed to force port 587 and
authentication for email clients, but the topic has come up in
discussions. This won't, of course, stop spamme
On 21/04/10 10:49 -0300, Claudio Lapidus wrote:
Hello all,
At our ISP operation, we are seeing increasing levels of traffic in our
outgoing MTA's, presumably due to spammers abusing some of our subscribers'
accounts. In fact, we are seeing connections from IPs outside of our network
as many as t
On Apr 19, 2010, at 7:32 PM, Jeffrey Negro wrote:
Has anyone on Nanog had any hands on experience with the lower end
of the
new SRX series Junipers? We're looking to purchase two new
firewalls, and
I'm debating going with SSG series or to make the jump to the SRX
line. Any
input, especia
Hello all,
At our ISP operation, we are seeing increasing levels of traffic in our
outgoing MTA's, presumably due to spammers abusing some of our subscribers'
accounts. In fact, we are seeing connections from IPs outside of our network
as many as ten times of that from inside IPs. Probably all of
Hello,
The IDR working group of the IETF has worked during the last years on
the development of BGP extensions that allow a BGP router to advertise
several paths towards the same prefix over a BGP session. This feature,
usually called add-paths, is being implemented by router vendors and
network o
On Apr 21, 2010, at 9:25 AM, Christopher Morrow wrote:
> On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
>> While I think this is an improvement, unless the distribution of ULA-C is no
>> cheaper
>> and no easier to get than GUA, I still think there is reason to believe that
>> it is likel
On Wed, Apr 21, 2010 at 1:29 AM, Owen DeLong wrote:
> While I think this is an improvement, unless the distribution of ULA-C is no
> cheaper
> and no easier to get than GUA, I still think there is reason to believe that
> it is likely
> ULA-C will become de facto GUA over the long term.
>
> As s
Once upon a time, Franck Martin said:
> Why don't they use IPv6 instead of uPnP?
UPnP (or something like it) is needed for any kind of firewall for some
devices.
At least on Xbox, some games are essentially peer-to-peer; when userA
starts it up and invites friends, their Xbox becomes the game se
On 4/21/2010 03:38, Mark Smith wrote:
> On Tue, 20 Apr 2010 21:16:10 -0700 Owen DeLong
> wrote:
>
>>>
>>> Frankly, when you hear people strongly using the argument
>>> stateful firewalling == NAT, you start to wonder if they've
>>> ever seen a statef
> "John R. Levine" writes:
> >> Did you run any services?
> >
> > Of course not, it's consumer DSL. I run services on my server which is
> > somewhere else and tunnel in via ssh which, of course, works fine
> > through NAT.
>
> Take a look at all those small SOHO storage boxes. They all offer we
On Tue, 20 Apr 2010 21:16:10 -0700
Owen DeLong wrote:
> >
> > Frankly, when you hear people strongly using the argument stateful
> > firewalling == NAT, you start to wonder if they've ever seen a stateful
> > firewall using public addresses.
> >
> I've run several of them.
>
My comment wasn't
"John R. Levine" writes:
>> Did you run any services?
>
> Of course not, it's consumer DSL. I run services on my server which is
> somewhere else and tunnel in via ssh which, of course, works fine
> through NAT.
Take a look at all those small SOHO storage boxes. They all offer web
and FTP servi
John Levine writes:
> I'm not saying that NAT is wonderful, but my experience, in which day
> to day stuff all works fine, is utterly different from the doom and
> disaster routinely predicted here.
Ever tried to troubleshoot networks which were using multiple NAT?
Every time I have to I'll ha
On Wed, 21 Apr 2010 01:46:47 -0400
Daniel Senie wrote:
> I see a need for stable, permanent blocks of addresses within an
> organization. For example, a branch office connecting to a central office
> over VPN: firewall rules need to be predictable. If the branch office' IPv6
> block changes, m