Re: ISP CALEA compliance

2007-05-23 Thread Valdis . Kletnieks
On Thu, 24 May 2007 09:01:26 +0530, Suresh Ramasubramanian said: > > On 5/24/07, Owen DeLong <[EMAIL PROTECTED]> wrote: > > The more I think about this, the more I think a refereed > > boxing^h^h^h^h^h^hpanel discussion between representatives > > from DHS, FBI, EFF, FCC, Verisign, Neustar, and IT

Re: NANOG 40 agenda posted

2007-05-29 Thread Valdis . Kletnieks
On Tue, 29 May 2007 09:21:49 EDT, Donald Stahl said: > So many people seem to be obsessed with getting the end users connected > via IPv6 but there is no point in doing so until the content is reachable. > The built in tunneling in Windows could be a problem so let's start by > using different

Re: NANOG 40 agenda posted

2007-05-29 Thread Valdis . Kletnieks
On Tue, 29 May 2007 14:34:59 -, "Chris L. Morrow" said: > On Tue, 29 May 2007, John Curran wrote: > > This changeover will not: 1) Fix the routing problem > > inherent with present locator/endpoint binding, nor > > 2) solve your favorite fib/rib/cam/convergence limit, > > nor 3) make the infras

Re: Advice requested

2007-05-29 Thread Valdis . Kletnieks
On Tue, 29 May 2007 08:21:47 PDT, Matthew Black said: > What would you do if a major US computer security firm > attempted to hack your site's servers and networks? > Would you tell the company or let their experts figure > it out? Step 0: Define "attempted to hack"? Step 1: Ask whoever acts as

Re: IPv6 Deployment

2007-05-30 Thread Valdis . Kletnieks
On Wed, 30 May 2007 18:52:12 PDT, Randy Bush said: > > i think anycast is still broken, though we can at least ignore it and > > use v4-style anycast, which turns out to be what we need. > > i am told by a good friend who lurks that this was actually fixed a year > or two ago. a team of ops-orie

Re: NANOG 40 agenda posted

2007-06-03 Thread Valdis . Kletnieks
On Sun, 03 Jun 2007 15:35:29 EDT, Donald Stahl said: > That said- your v6 support does not have to match your v4 support to at > least allow you to begin testing. You could set up a single server with v6 > support, test, and not worry about it affecting production. If I read the thread so far c

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Valdis . Kletnieks
On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said: > *No* security gain? No protection against port scans from Bucharest? > No protection for a machine that is used in practice only on the > local, office LAN? Or to access a single, corporate Web site? Nope. Zip. Zero. Zilch. Nothing over a

Re: The Choice: IPv4 Exhaustion or Transition to IPv6

2007-06-28 Thread Valdis . Kletnieks
On Thu, 28 Jun 2007 10:33:25 EDT, JORDI PALET MARTINEZ said: > I'm working on it ... But I think it will be really difficult to capture in > a couple of pages what the document tries to explain ! The story goes: Richard Feynman, the late Nobel Laureate in physics, was once asked by a Caltech fac

Re: The Choice: IPv4 Exhaustion or Transition to IPv6

2007-06-28 Thread Valdis . Kletnieks
On Thu, 28 Jun 2007 16:00:36 BST, Alexander Harrowell said: > 1. IPv4 address space is a scarce resource and it will soon be exhausted. > > 2. It hasn't run out already due to various efficiency improvements. > > 3. These are themselves limited. > > 4. IPv6, though, will provide abundant addres

Re: The Choice: IPv4 Exhaustion or Transition to IPv6

2007-06-29 Thread Valdis . Kletnieks
On Thu, 28 Jun 2007 16:00:36 BST, Alexander Harrowell said: > 1. IPv4 address space is a scarce resource and it will soon be exhausted. > > 2. It hasn't run out already due to various efficiency improvements. > > 3. These are themselves limited. > > 4. IPv6, though, will provide abundant addres

Re: Thoughts on best practice for naming router infrastructure in DNS

2007-06-29 Thread Valdis . Kletnieks
On Fri, 29 Jun 2007 16:35:09 BST, "Neil J. McRae" said: > I remember in the past an excellent system using Sesame Street characters > names. This only works in small shops. If you have more routers than muppets, you have a problem. Had a lab once where we named machines after colors. That hit s

Re: Thoughts on best practice for naming router infrastructure in DNS

2007-06-29 Thread Valdis . Kletnieks
On Fri, 29 Jun 2007 10:15:30 PDT, you said: > Star Trek Federation Starships... they seem to invent more daily, so no > problems running out. If your DNS is RFC3490-enabled, you can go for the Klingon and Romulan ships too. Particularly handy if you're into security through obscurity. :)

Re: Yahoo outage summary

2007-07-09 Thread Valdis . Kletnieks
On Mon, 09 Jul 2007 02:18:25 -, "Chris L. Morrow" said: > While S*BGP seem like they may offer additional protections and additional > knobs to be used for protecting 'us' from 'them', the very basics are > obviously not being done so added complexity is not going to really help > :( Or, perha

Re: peter lothberg's mother slashdotted

2007-07-13 Thread Valdis . Kletnieks
On Fri, 13 Jul 2007 00:19:08 BST, Leigh Porter said: > I see a global demand for perhaps 5 CRS-1s ;-) To be fair, the original of said comment has to be taken in context. If he were alive today, he'd probably say "There's a world market for maybe 5 fully max-config'ed Blue Gene systems".

Re: peter lothberg's mother slashdotted

2007-07-13 Thread Valdis . Kletnieks
On Fri, 13 Jul 2007 13:57:01 EDT, [EMAIL PROTECTED] said: > Maybe I'm missing something as I'm not the smartest guy on this list, but > what exactly did this prove? Always an important question to ask... > Although, a picture of Peter Lothberg in his mothers basement standing > next to a CRS-1

Re: DNS issues?

2007-07-20 Thread Valdis . Kletnieks
On Fri, 20 Jul 2007 14:25:41 CDT, Erik Amundson said: > We just lost DNS totally for a while and just got it back...XO > communications also lost almost all Internet routes at the same time... Cause (losing all routes) -> effect (can't reach stuff other side of the routes, including DNS servers)?

Re: DNS issues?

2007-07-20 Thread Valdis . Kletnieks
On Fri, 20 Jul 2007 19:52:34 -, Christian Kuhtz said: > To Valdis' point, how do you know that you couldn't reach the roots vs the > roots not being able to reach you? In addition to which, his nameservers probably wouldn't *need* to reach the actual roots unless they'd manag

Re: large organization nameservers sending icmp packets to dns servers.

2007-08-06 Thread Valdis . Kletnieks
On Mon, 06 Aug 2007 17:21:49 -, John Levine said: > > >> Sounds like one of the global-scale load balancers - when you do a > >> (presumably) recursive DNS lookup of one of their hosts, they'll ping > >> the nameserver from several locations and see which one gets an > >> answer the fastest. >

Re: large organization nameservers sending icmp packets to dns servers.

2007-08-07 Thread Valdis . Kletnieks
On Tue, 07 Aug 2007 14:38:06 EDT, "Patrick W. Gilmore" said: >> In addition, any UDP truncated response needs to be retried via >> TCP- blocking it would cause a variety of problems. > Since we are talking about authorities here, one can control the size > of one's responses. Barely. % dig ao

Re: large organization nameservers sending icmp packets to dns servers.

2007-08-07 Thread Valdis . Kletnieks
On Tue, 07 Aug 2007 16:10:17 EDT, "Patrick W. Gilmore" said: > The point is, if you are the authority, you know how big the packet > is. If you know it ain't over 512, then you don't need TCP. Right. But remember the discussion is that *we* (for some value of "we") are querying some *other* n

Re: large organization nameservers sending icmp packets to dns servers.

2007-08-08 Thread Valdis . Kletnieks
On Wed, 08 Aug 2007 10:33:56 EDT, "Patrick W. Gilmore" said: > Paying $10 and registering a domain IN NO WAY means I promised a > bazillion people anything. > > What happened to: "You can run your network however you want"? You're totally welcome to run your own network backbone as IPv6-only

Re: [policy] When Tech Meets Policy...

2007-08-13 Thread Valdis . Kletnieks
On Mon, 13 Aug 2007 11:40:32 PDT, Steve Atkins said: > If grandma-jones orders custom stationery and doesn't > manage to spell her name correctly, she'll end up with > misspelled stationery. The main difference is that > a misspelled domain name is likely to be a much cheaper > mistake than misspe

Re: MTAs used

2009-08-26 Thread Valdis . Kletnieks
On Wed, 26 Aug 2009 16:50:51 +0300, Sharef Mustafa said: > Can anyone please point me to a list of the most used MTAs (mail > servers) and their market share? Now, did you want that in terms of "number of copies installed" or "amount of mail handled"? There's probably zillions of little Fedora a

Re: Ready to get your federal computer license?

2009-08-31 Thread Valdis . Kletnieks
On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said: > Having met more than a few people in government IT, all jokes aside, > I think they're pretty well equipped to know when and if they need to > disconnect from the Internet, even without an executive order. Department of the Interior had *how*

Re: Ready to get your federal computer license?

2009-08-31 Thread Valdis . Kletnieks
On Fri, 28 Aug 2009 16:51:39 CDT, "Hiers, David" said: > Governments already license stock brokers, pilots, commercial drivers, > accountants, engineers, all sorts of people whose mistakes can be measured > in the loss of hundreds of lives and millions of dollars. In many localities, hairdressers

Re: Ready to get your federal computer license?

2009-08-31 Thread Valdis . Kletnieks
On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said: > (d) CERTIFICATION.-Beginning 3 years after the date of enactment of > this Act, it shall be unlawful for an individual who is not certified > under the program to represent himself or herself as a cybersecurity > professional.

Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Valdis . Kletnieks
On Tue, 08 Sep 2009 13:43:39 EDT, John Curran said: > I'm sure there's an excellent reason why these addresses stay > blocked, but am unable to fathom what exactly that is... If I'm a smaller shop with limited clue, there's 3 likely corollaries: 1) Even a smallish spam blast is big enough t

Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 15:13:44 EDT, Martin Hannigan said: > Not sure that this is an ARIN problem more than an operational problem since > RBL's are opt-in. An effort to identify RBL's that are behaving poorly is > probably more interesting at this point, no? I suspect the problem isn't poor RBLs, i

Re: Repeated Blacklisting / IP reputation

2009-09-10 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 20:30:02 PDT, Leo Vegoda said: > Putting these addresses back into use does not mean that they have to > be allocated to networks where they'll number mail servers. ARIN staff > is doubtless aware of the history of these blocks and will presumably > do their best to allocate th

Re: Hijacked Blocks

2009-09-15 Thread Valdis . Kletnieks
On Mon, 14 Sep 2009 16:52:26 CDT, Jorge Amodio said: > In the transition from the old IANA to FrICANNstein Well, that monitor needed cleaning anyhow... ;)

Re: Repeated Blacklisting / IP reputation

2009-09-15 Thread Valdis . Kletnieks
On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said: > Anyone that intentionally uses address space in a manner that they > know will cause it to become contaminated should be denied on any > further address space requests. You *do* realize that the people you're directing that paragraph at a

Re: cross connect reliability

2009-09-18 Thread Valdis . Kletnieks
On Fri, 18 Sep 2009 13:15:37 CDT, Chris Adams said: > Oh, come on; everybody knows 1 doesn't belong in that list! :-) Microcode bug, obviously. ;)

Re: Gmail Down?

2009-09-25 Thread Valdis . Kletnieks
On Thu, 24 Sep 2009 11:20:06 EDT, Michael Holstein said: > I dunno boss, just ask "the cloud" .. you're the one that wanted to > compute there instead of here. > > /dilbert :) Actually, yes, there *is* a rather recent Dilbert about it. http://www.dilbert.com/strips/comic/2009-08-30/ :)

Re: Dearborn: Calling all CAcert and/or Thawte Notaries

2009-09-29 Thread Valdis . Kletnieks
On Tue, 29 Sep 2009 15:30:36 PDT, Owen DeLong said: > It occurs to me that in addition to the PGP key signings that tend to > happen at NANOG > meetings it might be worth having a group notary event for CAcert and/ > or Thawte > notarizations. Umm.. aren't the Thawte web-of-trust going belly-up

Re: ISP customer assignments

2009-10-05 Thread Valdis . Kletnieks
On Mon, 05 Oct 2009 16:13:37 CDT, Dan White said: > a publicly routeable stateless auto configured address is no less > secure than a publicly routeable address assigned by DHCP. Security is, and > should be, handled by other means. The problem is user tracking and privacy. RFC4941's problem sta

Re: ISP customer assignments

2009-10-05 Thread Valdis . Kletnieks
On Mon, 05 Oct 2009 20:40:28 EDT, TJ said: > Isn't this really a security by obscurity argument? No - security through obscurity is "security measures that only seem to work because you hope the attacker doesn't know how they are implemented". In this case, making sure somebody else can't aggre

Re: ISP customer assignments

2009-10-06 Thread Valdis . Kletnieks
On Tue, 06 Oct 2009 09:34:28 PDT, Owen DeLong said: > although that isn't the case today. However, I believe > that 90.1 is supposed to be parsed equivalent to 90.0.0.1 > and 90.5.1 is supposed to be treated as 90.5.0.1, so, > 32.1.13.184.241.1 should also work for the above if > you expanded tod

Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Valdis . Kletnieks
On Mon, 12 Oct 2009 17:40:36 PDT, David Conrad said: > On Oct 12, 2009, at 5:09 PM, Owen DeLong wrote: > > With IPv6, it probably won't be the ideal 1:1 ratio, but, it will come > much closer. > > I wasn't aware people would be doing traffic engineering differently in > IPv6 than in IPv4. You get

Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Valdis . Kletnieks
On Tue, 13 Oct 2009 00:46:00 EDT, Kevin Loch said: > Adrian Chadd wrote: > > On Tue, Oct 13, 2009, valdis.kletni...@vt.edu wrote: > > > >> You get some substantial wins for the non-TE case by being able to fix > >> the legacy cruft. For instance, AS1312 advertises 4 prefixes: > >> 63.164.28.0/22,

Re: ISP customer assignments

2009-10-13 Thread Valdis . Kletnieks
On Tue, 13 Oct 2009 07:39:46 EDT, Scott Morris said: > No idea, I haven't looked at that stuff in a while. But I would assume > so, as it's easier to build a foundation than jumping straight to > something difficult? Unfortunately, classful addressing is a foundation for networking the same way

Re: ISP port blocking practice

2009-10-22 Thread Valdis . Kletnieks
On Thu, 22 Oct 2009 13:22:17 EDT, Zhiyun Qian said: > Hi all, > > What is the common practice for enforcing port blocking policy (or > what is the common practice for you and your ISP)? More specifically, > when ISPs try to block certain outgoing port (port 25 for instance), > they could do

Re: ISP port blocking practice

2009-10-22 Thread Valdis . Kletnieks
On Thu, 22 Oct 2009 22:36:13 EDT, Jon Kibler said: > 4) Never allow traffic to ingress any network if the source address is > bogus. 4a) Never flag a source address as bogus unless you can verify it is bogus *today*, not when you installed the filter. Out of date bogon filters are evil.

Re: dealing with bogon spam ?

2009-10-28 Thread Valdis . Kletnieks
On Tue, 27 Oct 2009 16:57:17 PDT, Leslie said: > We're seeing a decent chunk of spam coming from an unallocated block of > address space. Fear not, this will end when we run out of IPv4 space not too many months down the road :) I admit to remaining confused as to why we still keep seeing provid

Re: Upstream BGP community support

2009-11-01 Thread Valdis . Kletnieks
On Sat, 31 Oct 2009 19:33:52 CDT, Dorian Kim said: > Fact is, regardless of whether you or I think it makes any sense or > not is that some peering agreements preclude disclosure of the locations > of peering, and in some extreme cases even the disclosure of the > existence of said peering. As

Re: small site multi-homing (related to: Small guys with BGP issues)

2009-11-03 Thread Valdis . Kletnieks
On Tue, 03 Nov 2009 08:11:15 PST, Mike said: > > Small-site multi-homing is one of the great inequities of the > Internet and one that can, and should, be solved. I envision an Internet > of the future where anyone with any mixture of any type of network > connections can achieve, automatic

Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Valdis . Kletnieks
On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said: > Did I miss a thread on this? Has anyone looked at this yet? > `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on > or through a system or network controlled or operated by the Internet > service provider, transmits, routes

Re: Failover how much complexity will it add?

2009-11-08 Thread Valdis . Kletnieks
On Sun, 08 Nov 2009 08:23:41 MST, Blake Pfankuch said: > I wouldn't sway from the big names for your primary connections either. This is, of course, dependent on the OP's location and budget. I know when we were getting our NLR connection set up, there was a fair amount of "You want 40G worth o

Re: Failover how much complexity will it add?

2009-11-09 Thread Valdis . Kletnieks
On Mon, 09 Nov 2009 13:39:34 GMT, Adam Armstrong said: > Sure, if you want to hand over your entire profit margin to a 3rd party. > Do you really want to give away the keys to your business, and rely > entirely upon a third party organisation? Better to acquire the skills > which are vital to yo

Re: What DNS Is Not

2009-11-09 Thread Valdis . Kletnieks
On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said: > For instance, returning the IP address of your company's port-80 web > server instead of NXDOMAIN > not only breaks non-port-80-http applications Remember this... > There is one special case for which I don't mind having DNS servers > lie ab

Re: What DNS Is Not

2009-11-11 Thread Valdis . Kletnieks
On Wed, 11 Nov 2009 21:48:39 +0100, Florian Weimer said: > > Since people need to *explicitly* choose using the OpenDNS servers, I > > can hardly see how anybody's wishes are foisted on these people. > > > > If you don't like the answers you get from this (free) service, you > > can of course choos

Re: AT&T SMTP Admin contact?

2009-11-24 Thread Valdis . Kletnieks
On Tue, 24 Nov 2009 11:50:54 EST, Brad Laue said: > maintained. I'm unclear as to why mail administrators don't work more > proactively with things like SenderID and SPF, as these seem to be far > more maintainable in the long-run than an ever-growing list of IP > address ranges. There's a diff

Re: AT&T SMTP Admin contact?

2009-11-24 Thread Valdis . Kletnieks
On Tue, 24 Nov 2009 16:38:33 EST, Brad Laue said: > True, but wouldn't a blacklist of SPF records for known spam issuing > domains be a more maintainable list than an IP block whitelist? > > (I'm no doubt missing something very obvious with this question) 140M+ .com where a malicious DNS server

Re: fight club :) richard bennett vs various nanogers, on paid peering

2009-11-25 Thread Valdis . Kletnieks
On Wed, 25 Nov 2009 03:32:02 PST, Richard Bennett said: >ITIF is not opposed to network neutrality > in principle, having released a paper on "A Third Way on Network > Neutrality", http://www.itif.org/index.php?id=63. All of four paragraphs, which don't in fact address w

Re: What DNS Is Not

2009-11-26 Thread Valdis . Kletnieks
On Thu, 26 Nov 2009 12:25:49 CST, Dan White said: > That's a disagreement we'll have to have. Anytime this issue has been brought > up in a public setting (here, slashdot, etc.) has resulted in terrible press > and even corrective action. In particular, Network Solutions' attempt to > at this at th

Re: What DNS Is Not

2009-11-27 Thread Valdis . Kletnieks
On Thu, 26 Nov 2009 21:57:46 CST, James Hess said: > Just because someone registered EXAMPLE.COM with one particular > internet registry, doesn't mean they own the lookup result for every > DNS server in the world. All they have paid for is the creation > and maintenance of entries in one p

Re: FTTH Active vs Passive

2009-12-02 Thread Valdis . Kletnieks
On Wed, 02 Dec 2009 00:58:48 CST, Will Clayton said: > enable the masses to communicate and, at the same time, appease, for lack of > a better word, those who would capitalize on the sheer lack of unified > infrastructure. The same way we appeased them the *last* time we gave them incentives to de

Re: AT&T SMTP Admin contact?

2009-12-02 Thread Valdis . Kletnieks
On Wed, 02 Dec 2009 12:38:54 CST, Chris Owen said: > On Dec 2, 2009, at 12:31 PM, Rich Kulawiec wrote: > > > Because SenderID and SPF have no anti-spam value, and almost no > > anti-forgery value. Not that this stops a *lot* of people who've drunk > > the kool-aid from trying to use them anyway,

Re: Arrogant RBL list maintainers

2009-12-09 Thread Valdis . Kletnieks
On Wed, 09 Dec 2009 15:09:20 EST, Ken Chase said: > To be clear: because the legitimate mailserver with a proper non-generic > reverse was in a block with other generic reverses, they blacklisted you? > > That's egregiously harsh. > > SORBS was blocking a customer for a generic reverse entry, I

Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-11 Thread Valdis . Kletnieks
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said: > Mark Newton wrote, on 2009-12-11 03:09: > > You kinda do if you're using a stateful firewall with a "deny > > everything that shouldn't be accepted" policy. UPnP (or something > > like it) would have to tell the firewall what should be acce

Re: Arrogant RBL list maintainers

2009-12-16 Thread Valdis . Kletnieks
On Wed, 16 Dec 2009 07:06:55 EST, Mike Lieman said: > What's the word for 'mail server' in Lower Sorbian, and does your algorithm > properly detect it in a hostname? See the problem here? When the hostname at that IP address is exactly one incremented character different than the preceding addre

Re: Arrogant RBL list maintainers

2009-12-16 Thread Valdis . Kletnieks
On Wed, 16 Dec 2009 09:21:42 PST, Matthew Petach said: > You clearly haven't set up webmail farms to handle half a billion accounts > before. ^_^; Yes, but we all already know who those 800 pound gorillas are. If you're doing automagic handling of this sort of DNS data, and not using a regexp to

Re: Routing to multiple uplinks

2009-12-18 Thread Valdis . Kletnieks
On Fri, 18 Dec 2009 19:46:42 EST, rodrick brown said: > The application running on these hosts must only see/use one target > address this needs to be transparent as possible. NIC bonding/teaming > on the host side isn't a viable solution because of the latency > overhead same goes for vrrp/

Re: FYI, new USG Cybersecurity Coordinator ...

2009-12-22 Thread Valdis . Kletnieks
On Tue, 22 Dec 2009 07:42:18 CST, Jorge Amodio said: > http://www.whitehouse.gov/blog/2009/12/22/introducing-new-cybersecurity-coordinator/?e=23&ref=image "Meet the new boss / Same as the old boss" -- The Who, "Won't Get Fooled Again". Do we have any indication that anything has been changed this

Re: FYI, new USG Cybersecurity Coordinator ...

2009-12-22 Thread Valdis . Kletnieks
On Tue, 22 Dec 2009 09:44:09 CST, "Brandon M. Lapointe" said: > municipal, county, and some state offices are requiring network > engineers to be licensed SE's (Software Engineers) under the authority > of the Texas Board of Professional Engineers. Except it's not actually very clear that Softwar

Re: ip-precedence for management traffic

2009-12-29 Thread Valdis . Kletnieks
On Tue, 29 Dec 2009 10:00:57 CST, Joe Greco said: > Do we really want to spread that sort of model to the rest of the > Internet? All it really encourages is for more and more things to > be ported to HTTP, including, amusingly, management of devices... I can remember at one time, some of the sam

Re: ip-precedence for management traffic

2009-12-29 Thread Valdis . Kletnieks
On Tue, 29 Dec 2009 11:43:25 EST, "Sachs, Marcus Hans (Marc)" said: > one-size-fits-all model like the hotels try to do. Imagine a > residential ISP that offers castration at a lower price point than what > is currently charged for monthly "raw" access. The gene pool needed some chlorine anyhow,

Re: I don't need no stinking firewall!

2010-01-06 Thread Valdis . Kletnieks
On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: > Everyone needs to listen to Roland's mantra: "stateless ACLs in hardware > that can handle Mpps". It's more than just a hint. I suspect that more than a few need to be reminded that "stateless ACLs in switch hardware" is just another name fo

Re: he.net down/slow?

2010-01-07 Thread Valdis . Kletnieks
On Thu, 07 Jan 2010 13:51:41 CST, Brian Johnson said: > > On 7 Jan 2010, at 18:18, William Pitcock wrote: > > > ...why would you have that on a mailing list post? > > because the mail server that adds it is too dumb to differentiate > > between list and direct mail? > Bingo! ;) That sort of gratu

Re: I don't need no stinking firewall!

2010-01-08 Thread Valdis . Kletnieks
On Fri, 08 Jan 2010 08:22:00 EST, bill from home said: > My question is at what size connection does a state table become > vulnerable, are we talking 1mb dsl's with a soho firewall? Security - you're doing it wrong. ;) The question you *should* be asking yourself is "at what size connection am

Re: D/DoS mitigation hardware/software needed.

2010-01-10 Thread Valdis . Kletnieks
On Sun, 10 Jan 2010 08:19:27 PST, Roger Marquis said: > > Then you need to get rid of that '90's antique web server and get > > something modern. When you say "interrupt-bound hardware," all you > > are doing is showing that you're not familiar with modern servers > > and quality operating systems

Re: he.net down/slow?

2010-01-10 Thread Valdis . Kletnieks
On Sun, 10 Jan 2010 08:54:09 CST, Joe Greco said: > The use of the words "intended recipient" are also extremely problematic; > by definition, if it is addressed to me, I can be construed as being the > "intended recipient." If I then turn around and forward it to you, you > are now also an "inte

Re: SORBS on autopilot?

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 11:51:47 EST, Jed Smith said: > The vibe I got from a number of administrators I talked to about it was "why > would a standards document assume an IPv4/IPv6 unicast address is a > residential > customer with a modem, forcing those with allocations to prove that they are > not

Re: Is FRR protection good enough?

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 12:33:46 EST, Ye Wang said: > My question is: current FRR scheme seems only guarantee network reachability > under link/node failure, but not bandwidth (say, if my primary link is > carrying 1Gbps, but my bypass path has a capacity of only 100Mbps, then the > bandwidth for the

Re: SORBS on autopilot?

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 11:27:32 PST, Brian Keefer said: > On Jan 12, 2010, at 10:48 AM, Dave Martin wrote: > listen to the guy in the next cube over say "set up your RDNS" probably > half a dozen times a day. It's funny that you say that in reply to Dave's note - I usually wear headphones in the offi

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-12 Thread Valdis . Kletnieks
On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said: > A password recovery method I've found very frustrating is to use the > serial number or similar value that's on a label on the bottom of the > equipment. Related pet peeve: Inventory and asset control people that stick a sticker on hardware a

Re: SORBS on autopilot?

2010-01-13 Thread Valdis . Kletnieks
On Wed, 13 Jan 2010 09:07:28 +0100, Martin Hotze said: > ... without need of providing any services "back" to the 'net. At > least with IPv6 one has to rethink this position as there finally is > end-to-end communication "as we finally *return to* end-to-end communication". An important distinc

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-13 Thread Valdis . Kletnieks
On Wed, 13 Jan 2010 12:55:00 EST, Matt Simmons said: > That would be excellent for both the administrator, and anyone walking > down the row with a wand in their pocket. Barry's right, for at least some scenarios. If I have an unauthorized somebody walking down the row with a wand in their pocket,

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-13 Thread Valdis . Kletnieks
On Wed, 13 Jan 2010 11:23:59 MST, "Lyndon Nerenberg (VE6BBM/VE7TFX)" said: > > Barry's right, for at least some scenarios. If I have an unauthorized > > somebody > > walking down the row with a wand in their pocket, the fact they have a wand > > in > > their pocket is the least of my problems. >

Re: more news from Google

2010-01-13 Thread Valdis . Kletnieks
On Wed, 13 Jan 2010 17:31:44 +0100, Anthony Uk said: > "Second, we have evidence to suggest that a primary goal of the > attackers was accessing the Gmail accounts of Chinese human rights > activists. " > I have orders of magnitude fewer users than gmail does, and often look > at their mailbox

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-13 Thread Valdis . Kletnieks
On Wed, 13 Jan 2010 12:50:03 PST, Nathan Eisenberg said: > I think the impulse to challenge and question assertions probably tends to > be a common personality feature in (good) network admins. Something to keep in mind is that this list is, by and large, comprised of people who are paid large sum

Re: OT: old farts recollecting -- Re: ASR1002

2010-01-20 Thread Valdis . Kletnieks
On Wed, 20 Jan 2010 08:01:50 CST, Jorge Amodio said: > Ohh yeah, now we can send sort of a telegram with multiple fonts and > colors almost from anywhere... At least it doesn't do BLINK ;)

Re: Anyone see a game changer here?

2010-01-22 Thread Valdis . Kletnieks
On Fri, 22 Jan 2010 05:52:11 +0200, Gadi Evron said: > 1. Did Google hack a Taiwanese server to investigate the breach? If so, > good for them. No, *not* good. If *you* had a server that got compromised, and used to launch attacks on 500 sites, would you want to try to deal with 500 return str

Re: Using /126 for IPv6 router links

2010-01-24 Thread Valdis . Kletnieks
On Sat, 23 Jan 2010 22:04:31 CST, Larry Sheldon said: > I remember a day when 18 was the largest number of computers that would > ever be needed. First off, it was 5, not 18. :) Second, there's not much evidence that TJ Watson actually said it. http://en.wikipedia.org/wiki/Thomas_J._Watson#Fam

Re: Using /126 for IPv6 router links

2010-01-24 Thread Valdis . Kletnieks
On Sun, 24 Jan 2010 17:01:21 EST, Steven Bellovin said: > Actually, Scott Bradner and I share most of the credit (or blame) for > the change from 64 bits to 128. > > During the days of the IPng directorate, quite a number of different > alternatives were considered. At one point, there was a com

Re: DDoS mitigation recommendations

2010-01-27 Thread Valdis . Kletnieks
On Tue, 26 Jan 2010 09:56:14 PST, Gerald Wluka said: > To date the company has over-invested in technology and under-invested in > sales and marketing. That is changing now: the company is moving to The Bay > Area. Hate to say this, but that change is hardly a selling point to this crowd. ;)

Re: Comcast IPv6 Trials

2010-01-29 Thread Valdis . Kletnieks
On Wed, 27 Jan 2010 17:50:22 EST, Steven Bellovin said: > In all seriousness, will any attempt be made to select trial applicants > based on (apparent) clue level and/or to receive feedback through > channels other than the usual Tier 1 support? Two comments: 1) People who manage to find out abou

Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-08 Thread Valdis . Kletnieks
On Thu, 04 Feb 2010 15:04:22 PST, "andrew.wallace" said:
> On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron wrote:
> > "That peer-review is the basic purpose of my Blackhat talk and the
> > associated paper. I plan to review Cisco's architecture for lawful
> > intercept
> Gadi Evron has absolutely n

Re: Regular Expression for IPv6 addresses

2010-02-09 Thread Valdis . Kletnieks
On Wed, 10 Feb 2010 09:12:11 +1100, Mark Andrews said:
> In message ,
> Thomas Habets writes:
> > On Fri, 5 Feb 2010, Mark Andrews wrote:
> > > And now for the trick question. Is :::077.077.077.077 a legal
> > > mapped address and if it, does it match 077.077.077.077?
> >
> > Forget IPv6.
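The trick question in the thread above turns on what a parser does with leading zeros in a dotted quad, on its own or embedded in an IPv4-mapped IPv6 address. The following is an added example, not code from Mark Andrews or Thomas Habets: strict_dotted_quad and parse_ipv4_mapped are a hypothetical strict parser in the RFC 4291 / inet_pton sense (four decimal octets, no leading zeros), lenient_inet_aton_style is a constructed emulation of the classic BSD inet_aton(3) rules (0x hex, leading-zero octal, one to four components), and libc_views asks the host's own C library the same question. All input strings are constructed.

```python
"""Leading-zero (octal) ambiguity in dotted-quad IPv4 and IPv4-mapped IPv6.

Added example. The strict/lenient parsers below are constructed for the
illustration; libc_views() reports what this host's C library does."""
import re
import socket

# Strict octet: "0" or a 1-3 digit number with no leading zero.
_STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def strict_dotted_quad(text):
    """RFC 3986 / inet_pton style: exactly four decimal octets, no leading
    zeros, each 0..255. Returns 4 bytes, or None if the text is not accepted."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    out = bytearray()
    for p in parts:
        if not _STRICT_OCTET.match(p):
            return None
        v = int(p)
        if v > 255:
            return None
        out.append(v)
    return bytes(out)


def lenient_inet_aton_style(text):
    """Constructed emulation of BSD inet_aton(3): 1..4 components, each
    decimal, 0x-prefixed hex or 0-prefixed octal; the last component fills
    all remaining bytes (so "127.1" is 127.0.0.1). Returns 4 bytes or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if not p or not p.isalnum():
            return None
        try:
            if p[:2].lower() == "0x":
                v = int(p[2:], 16)
            elif len(p) > 1 and p[0] == "0":
                v = int(p, 8)          # "077" -> 63, "08" -> rejected
            else:
                v = int(p, 10)
        except ValueError:
            return None
        vals.append(v)
    head, last = vals[:-1], vals[-1]
    if any(v > 255 for v in head):
        return None
    width = 4 - len(head)
    if last >= 1 << (8 * width):
        return None
    return bytes(head) + last.to_bytes(width, "big")


def parse_ipv4_mapped(text):
    """Strict parse of the IPv4-mapped form ::ffff:a.b.c.d (RFC 4291 2.5.5.2).
    The embedded dotted quad must pass strict_dotted_quad. Returns 16 bytes
    or None."""
    m = re.match(r"^::ffff:(.*)$", text, re.IGNORECASE)
    if not m:
        return None
    v4 = strict_dotted_quad(m.group(1))
    if v4 is None:
        return None
    return b"\x00" * 10 + b"\xff\xff" + v4


def libc_views(text):
    """What the C library on this host makes of the same string: inet_pton
    (strict) and inet_aton (lenient). Each value is 4 bytes or None."""
    try:
        pton = socket.inet_pton(socket.AF_INET, text)
    except OSError:
        pton = None
    try:
        aton = socket.inet_aton(text)
    except OSError:
        aton = None
    return {"inet_pton": pton, "inet_aton": aton}


def interpretations(text):
    """All three constructed readings of one input, side by side."""
    return {"strict": strict_dotted_quad(text),
            "lenient": lenient_inet_aton_style(text),
            "mapped": parse_ipv4_mapped(text)}


if __name__ == "__main__":
    for s in ("077.077.077.077", "77.77.77.77", "::ffff:077.077.077.077",
              "::ffff:77.77.77.77", "0x7f.1", "127.1"):
        print(s, interpretations(s), libc_views(s))
```

On a glibc host inet_pton rejects 077.077.077.077 outright while inet_aton reads it as 63.63.63.63, and neither reads it as 77.77.77.77. Any ACL, allow-list or log-correlation rule that compares the text with one parser and connects with another is comparing two different addresses, which is the whole point of the trick question.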

Re: black listing of web traffic

2010-02-09 Thread Valdis . Kletnieks
On Tue, 09 Feb 2010 17:44:01 EST, Andrey Gordon said:
> It does seem much like NAT exhaustion even though the f/w claims only 13K
> session for two dynamic NATs and about 20 static ones.
> What I don't get is why there is consistency in opening sites. Why does
> facebook open all the time and stor

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Valdis . Kletnieks
On Sat, 13 Feb 2010 12:02:48 +0800, "Wilkinson, Alex" said:
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation

Have fun trying to enforce that after posting to a public mailing list in North America, with recipients all over the world. Care to cite any relevan

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Valdis . Kletnieks
On Sat, 13 Feb 2010 17:53:19 EST, Dean Anderson said:

(One of these days, somebody will find a way to correct things for the benefit of those googling and reading the thread in the list archives in the future, without feeding the trolls)

> Robert Bonomi appears to have no valid premise of first s

Re: dns interceptors

2010-02-15 Thread Valdis . Kletnieks
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said:
> Yes -- and as a reward for your expertise, you get to explain the
> problem with a transparent DNS proxy to the judge. For bonus points,
> explain it to a jury

The transparent DNS proxies aren't the problem. It's the translucent ones

Re: Spamhaus...

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 09:51:33 EST, Daniel Senie said:
> Instead of saying "well, it's obvious to everyone," do something about it.

*brrring... bring...brrriiing...* Cluephone. It's for you.

5321 Simple Mail Transfer Protocol. J. Klensin. October 2008. (Format: TXT=225929 bytes) (Obsolet

Re: Spamhaus...

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 09:46:21 EST, Daniel Senie said:
> I don't know when this was that they didn't do validation.

So they validate...

> The Barracuda boxes will accept mail for domains they know about but
> without validating the email address in the event the target mail server
> is down.

And y

Re: Spamhaus...

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 11:36:37 EST, William Herrin said:
> They didn't exactly fix it. What they did is reinforce the importance
> of generating a bounce message by keeping the existing "must" language
> from 2821 but adding:
>
> "A server MAY attempt to verify the return path before using its
> ad

Re: "Cyber Shockwave" on CNN

2010-02-20 Thread Valdis . Kletnieks
On Sat, 20 Feb 2010 16:50:06 PST, "andrew.wallace" said:
> I am from the UK and don't know how to watch CNN Cyber Shockwave via an
> internet live stream.

Quick summary an hour in: "Heck of a cyber-job, Brownie". Nothing surprising here. If they wanted to be more realistic, they'd include some

Re: Email Portability Approved by Knesset Committee

2010-02-22 Thread Valdis . Kletnieks
On Mon, 22 Feb 2010 10:30:53 CST, Larry Sheldon said:
> > Unfortunately the links cited are in Hebrew so I'm only going on Gadi's
> > report here.
>
> Why is that relevant?

For the same reason that if I cited a link that led to a page in Latvian, you'd have a hard time double-checking that my

Re: Email Portability Approved by Knesset Committee

2010-02-22 Thread Valdis . Kletnieks
On Mon, 22 Feb 2010 11:24:09 CST, Larry Sheldon said:
> You don't note when you are taking somebody's word when they write in
> English.

Actually, we do. So tell me Larry - if I cited a Latvian web page, and gave a summary, would you feel comfortable blindly passing it along without mentioning t

Re: Email Portability Approved by Knesset Committee

2010-02-22 Thread Valdis . Kletnieks
On Mon, 22 Feb 2010 19:02:38 GMT, Michael Dillon said:
> > Unfortunately the links cited are in Hebrew so I'm only going on Gadi's
> > report here.
>
> Why on earth would you trust Gadi when you could trust me and some
> acquaintances at Google?
>

Re: Spamhaus...

2010-02-22 Thread Valdis . Kletnieks
On Sun, 21 Feb 2010 14:57:31 GMT, Paul Vixie said:
> Rich Kulawiec writes:
> > We're well past that. Every minimally-competent postmaster on this
> > planet knows that clause became operationally obsolete years ago [1], and
> > has configured their mail systems to always reject, never bounce. [2]
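The Spamhaus sub-thread above (the Barracuda boxes that accept for any address in a known domain, the RFC 5321 "MAY attempt to verify the return path" language, and "always reject, never bounce") comes down to one protocol decision: whether an MX verifies the recipient while the SMTP transaction is still open or accepts first and bounces later. The following is an added simulation, not code from any of the posters or from any product named in the thread: it plays both sides of a minimal SMTP dialogue under a constructed 'reject' policy (550 at RCPT TO) and a constructed 'bounce' policy (250 to everything, then a DSN to the MAIL FROM), using a constructed mailbox table and a constructed spam run with forged senders, and counts who ends up receiving the backscatter.

```python
"""Recipient validation at RCPT TO versus accept-then-bounce (backscatter).

Added example. Both policies, the mailbox table and the spam run are
constructed for the illustration; no real MX or product is modelled."""

KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}  # constructed


def rcpt_response(policy, recipient, known=KNOWN_MAILBOXES):
    """The server's reply line to RCPT TO:<recipient> under the given policy.
    'reject' verifies the mailbox in-transaction; 'bounce' accepts anything."""
    if policy == "reject" and recipient.lower() not in known:
        return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient
    return "250 2.1.5 OK"


def smtp_transaction(policy, mail_from, rcpt_to, known=KNOWN_MAILBOXES):
    """Play a minimal client/server exchange. Returns (dialogue, accepted)."""
    dialogue = ["S: 220 mx.example.com ESMTP",
                "C: EHLO client.example.org",
                "S: 250 mx.example.com",
                "C: MAIL FROM:<%s>" % mail_from,
                "S: 250 2.1.0 OK",
                "C: RCPT TO:<%s>" % rcpt_to]
    reply = rcpt_response(policy, rcpt_to, known)
    dialogue.append("S: " + reply)
    if reply.startswith("5"):
        # Permanent failure while the sender is still connected: the sending
        # MTA (or the spam cannon) owns the failure; no mail is generated.
        dialogue += ["C: QUIT", "S: 221 2.0.0 Bye"]
        return dialogue, False
    dialogue += ["C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>",
                 "C: (message body)", "C: .", "S: 250 2.0.0 Queued",
                 "C: QUIT", "S: 221 2.0.0 Bye"]
    return dialogue, True


def deliver(policy, mail_from, rcpt_to, known=KNOWN_MAILBOXES):
    """Return the DSN the server would emit after accepting, or None.

    Under 'bounce', an accepted message for an unknown mailbox fails at local
    delivery and a DSN is addressed to MAIL FROM, whether or not that
    reverse-path was genuine. A null reverse-path is never bounced."""
    _, accepted = smtp_transaction(policy, mail_from, rcpt_to, known)
    if not accepted or rcpt_to.lower() in known:
        return None
    if mail_from == "":
        return None
    return {"to": mail_from,
            "subject": "Undelivered Mail Returned to Sender",
            "original_rcpt": rcpt_to}


def backscatter_victims(policy, spam_run, known=KNOWN_MAILBOXES):
    """For a list of (mail_from, rcpt_to) pairs, return the set of addresses
    that would receive DSNs under the policy. With forged MAIL FROM these are
    third parties who never sent anything."""
    victims = set()
    for mail_from, rcpt_to in spam_run:
        dsn = deliver(policy, mail_from, rcpt_to, known)
        if dsn:
            victims.add(dsn["to"])
    return victims


# Constructed spam run: forged senders at an innocent domain, dictionary
# recipients at the served domain, plus one hit on a real mailbox.
SPAM_RUN = [("victim%d@innocent.example" % i, "user%d@example.com" % i)
            for i in range(5)] + [("victim0@innocent.example", "alice@example.com")]

if __name__ == "__main__":
    for line in smtp_transaction("reject", "victim0@innocent.example",
                                 "user0@example.com")[0]:
        print(line)
    for policy in ("reject", "bounce"):
        print(policy, "->", sorted(backscatter_victims(policy, SPAM_RUN)))
```

The simulation's two outputs are the whole argument: under 'reject' the victim set is empty because the 550 goes back to whoever is holding the socket, while under 'bounce' every forged reverse-path in the run gets a DSN. A secondary MX or filtering appliance that cannot see the primary's mailbox table has to choose between these two outcomes for every unknown recipient, which is why the thread treats accept-then-bounce as the broken choice.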
