On Dec 9, 2009, at 10:41 AM, Stephen Sprunk wrote:
Jens Link wrote:
Owen DeLong writes:
I expect my connections to my mail server to actually reach my
mail server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many
of the "just works" settings in question break these things badly.
O
Jens Link wrote:
> Owen DeLong writes:
>
>> I expect my connections to my mail server to actually reach my mail server.
>> I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just works"
>> settings in question break these things badly.
>>
>
> One of my customers has an appliance
On Wed, Dec 9, 2009 at 12:11 PM, wrote:
> that the IP datagrams between the source and the target pass through
> the DNS server... which we -KNOW- is false.
dns-tunnel
On Wed, Dec 09, 2009 at 06:30:45AM -0800, Owen DeLong wrote:
>
> On Dec 9, 2009, at 1:26 AM, Jens Link wrote:
>
> > Owen DeLong writes:
> >
> >> I expect my connections to my mail server to actually reach my mail
> >> server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just
> >>
On Dec 9, 2009, at 1:26 AM, Jens Link wrote:
> Owen DeLong writes:
>
>> I expect my connections to my mail server to actually reach my mail
>> server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just
>> works" settings in question break these things badly.
>
> One of my custome
Owen DeLong writes:
> I expect my connections to my mail server to actually reach my mail
> server. I use TLS and SMTP AUTH as well as IMAP/SSL. Many of the "just
> works" settings in question break these things badly.
One of my customers has an appliance for his WLAN guest access
which
On Wed, 9 Dec 2009, Mark Andrews wrote:
Having a DHCP option is better than the mess we have now. To go
further requires agreement on how to present terms, pricing etc.
in a standardised way.
I hate to sound like a broken record, but PPPOE has had that option for a
decade. Major operating sy
Subject: Re: Breaking the internet (hotels, guestnet style)
> Date: Tue, 8 Dec 2009 15:21:30 -0600
> From: Jorge Amodio
>
> Among the many wonderful things Internet has created in the past 2+
> decades, it gave birth to a countless number of "Internet Experts" ...
for
Did you assume that I was insulting Steve ? not at all, and apologies Steve if
my comments were interpreted that way.
When I said "Internet Experts" I was referring to the ones that setup the network
on his county library.
I agree 100% with Steve that we need a Good solution, both technical and
o
On Tue, 8 Dec 2009, Joe Abley wrote:
>
> I once thought that PANA was the clean answer to this. Now the PANA
> effort has concluded, and documents have been published, but reading
> through them I can't tell whether PANA is in fact any kind of answer to
> this. It'd be nice if there was a hotspot a
On Tue, Dec 8, 2009 at 4:52 PM, Paul Vixie wrote:
> > Date: Tue, 8 Dec 2009 15:21:30 -0600
> > From: Jorge Amodio
> >
> > Among the many wonderful things Internet has created in the past 2+
> > decades, it gave birth to a countless number of "Internet Experts" ...
>
> for example, some of us got
> Date: Tue, 8 Dec 2009 15:21:30 -0600
> From: Jorge Amodio
>
> Among the many wonderful things Internet has created in the past 2+
> decades, it gave birth to a countless number of "Internet Experts" ...
for example, some of us got a chance to witness the following. i've
removed all identifyin
On 12/08/2009 01:21 PM, Jorge Amodio wrote:
(Aside: my local library blocks everything but 80 and 443 outbound. I complained to the director; he cited
"security". I tried explaining that I knew something about Internet security; he told me that the
firm that had installed the system had "do
> (Aside: my local library blocks everything but 80 and 443 outbound. I
> complained to the director; he cited "security". I tried explaining that I
> knew something about Internet security; he told me that the firm that had
> installed the system had "done most of the libraries in the county
On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:
> Steven Bellovin writes:
>
>> It's why I run an ssh server on 443 somewhere -- and as needed, I
>> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
>> as I really need...
>
> me too, more or less. but steve, if we were on
Leo Bicknell wrote:
>
> Most of the hotels I have used don't actually require authentication.
> They require a click through indemnification agreement. No username,
> no password, no room number, just a "click here to accept our terms
> and conditions".
>
> I would much prefer this be added to t
On Dec 8, 2009, at 7:25 AM, Andrew Cox wrote:
Owen DeLong wrote:
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
Sounds like a great idea in theory but would require OS support or
a dual-hotspot setup that provided for both options until support
was expected.
Until such time it's simply
On 2009-12-08, at 14:52, Mark Andrews wrote:
>> Why would "web browsers" have a hot-spot button?
>
> Because that would be an easy way to implement this sort of thing.
I once thought that PANA was the clean answer to this.
Now the PANA effort has concluded, and documents have been published, bu
On 12/07/2009 09:39 PM, Mark Andrews wrote:
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million sma
Steven Bellovin writes:
> It's why I run an ssh server on 443 somewhere -- and as needed, I
> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
> as I really need...
me too, more or less. but steve, if we were only trying to build digital
infrastructure for people who kno
Juniper SSL VPN FTW!
On Dec 7, 2009, at 9:48 PM, Steven Bellovin wrote:
>
> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
>>
>> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>>
Will be interesting to see if ISPs respond to a large scale thing like
this taking hold by blocking UDP
In a message written on Wed, Dec 09, 2009 at 01:52:49AM +1100, Mark Andrews
wrote:
> > What if I want to just use ssh?
>
> You still need to authenticate. It's better if we can reduce the
> amount of collateral damage required to authenticate. The interception
> is being done today because the
Owen DeLong wrote:
Almost all of these systems require you to call support to get a MAC
authentication Exception if you don't have a web browser on your
device. Most of them grant exceptions on a not to exceed 30 day
basis, too.
Alternatively it's possible to offer both web-based and pppoe
a
Owen DeLong wrote:
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
Sounds like a great idea in theory but would require OS support or a
dual-hotspot setup that provided for both options until support was expected.
Until such time it's simply unworkable.
That and as mentioned in my previous p
>
> I know what you're saying, but seriously, haven't we just repeated all
> the same mistakes in IPv6? And of course it'd be a nightmare to cover
> all the edge cases, this is why nobody tries to figure it out, so in
> the end we end up with many really cruddy hatchet jobs.
>
Not exactly
W
On Dec 8, 2009, at 1:18 AM, Andrew Cox wrote:
> Sounds like a great idea in theory but would require OS support or a
> dual-hotspot setup that provided for both options until support was expected.
> Until such time it's simply unworkable.
>
> That and as mentioned in my previous post, the setup
In message <200912080939.nb89dixn090...@aurora.sol.net>, Joe Greco writes:
> >
> >
> > In message <200912080332.nb83wkso037...@aurora.sol.net>, Joe Greco writes:
> > > > IMHO there is no need for any sort of DNS redirection after user
> > > > authentication has taken place.
> > >
> > > It may
In message <20091208.101453.74674743.sth...@nethelp.no>, sth...@nethelp.no
writes:
> > This really should be a DHCP option which points to the authentification
> > server using ip addresses. This should be returned to clients even
> > if they don't request it. Web browsers could have a hot-spot bu
Yeah the iPhone changes were a bit of a pain, we had to build a second
iPhone specific version of our login page because the iPhone
"auto-login" feature won't allow more than 1 page to be loaded.
We would normally redirect users to the page they've originally
requested after they click the log
>
>
> In message <200912080332.nb83wkso037...@aurora.sol.net>, Joe Greco writes:
> > > IMHO there is no need for any sort of DNS redirection after user
> > > authentication has taken place.
> >
> > It may be hazardous even before user authentication has taken place.
> > Even given a very low TT
Sounds like a great idea in theory but would require OS support or a
dual-hotspot setup that provided for both options until support was
expected.
Until such time it's simply unworkable.
That and as mentioned in my previous post, the setup we have *just
works* for users who don't have the perm
> This really should be a DHCP option which points to the authentification
> server using ip addresses. This should be returned to clients even
> if they don't request it. Web browsers could have a hot-spot button that
> retrieves this option then connects using the value returned.
Unfortunately, t
In message <200912080332.nb83wkso037...@aurora.sol.net>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user
> > authentication has taken place.
>
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolve
On Dec 7, 2009, at 10:18 PM, Lou Katz wrote:
> On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
>>
>> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>>
>>>
>>> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>>>
> Will be interesting to see if ISPs respond to a large scale t
On Dec 7, 2009, at 10:35 PM, John R. Levine wrote:
>> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel
>> http to a squid proxy, smtp, and as many IMAP/SSL connections as I really
>> need...
>
> Same here. It's the most reliable way to break out of a hotel jail.
F
It's why I run an ssh server on 443 somewhere -- and as needed, I
ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
as I really need...
Same here. It's the most reliable way to break out of a hotel jail.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The
> IMHO there is no need for any sort of DNS redirection after user
> authentication has taken place.
It may be hazardous even before user authentication has taken place.
Even given a very low TTL, client resolvers may cache answers returned
during that initial authentication.
> We of course redi
On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
>
> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
> >
> > On Dec 7, 2009, at 5:29 PM, John Levine wrote:
> >
> >>> Will be interesting to see if ISPs respond to a large scale thing like
> >>> this taking hold by blocking UDP/TC
On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>
>>> Will be interesting to see if ISPs respond to a large scale thing like
>>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
>>> (albeit for other reasons). Therein lies th
Suresh Ramasubramanian wrote:
You could just firewall off port 25 and leave 587 open - to save
yourself from a bunch of viruses and such.
A lot of people will use webmail anyway - from a hotel. And you avoid
getting blacklisted
The problem with doing that is that users don't understand it. Al
You could just firewall off port 25 and leave 587 open - to save
yourself from a bunch of viruses and such.
A lot of people will use webmail anyway - from a hotel. And you avoid
getting blacklisted
The other option is to install a device that examines email flows and
allows only stuff it doesn't t
Disclaimer: /I work for a company that provides these services./
IMHO there is no need for any sort of DNS redirection after user
authentication has taken place.
We of course redirect UDP/TCP 53 to one of our servers along with 80
(http) 443 (https) 8080, 3128 (proxy) to the local hotspot *be
Swisscom Eurospot - found all through Europe and ruinously expensive
at like 25 euro a day, 9 euro an hour
See http://www.mcabee.org/lists/nanog/Feb-07/msg00046.html for what
goes on there .. dns proxying, and broken at that.
On Tue, Dec 8, 2009 at 6:08 AM, Jared Mauch wrote:
>
> On Dec 7, 2009,
On Dec 7, 2009, at 7:23 PM, Brielle Bruns wrote:
> I'm noticing a lot of these places are doing things which work perfectly with
> Windows, but not Mac, Linux, etc. Drives me bonkers, and we make sure to let
> management know we won't stay at their hotel in the future because of said
> issues.
On 12/7/09 4:00 PM, Jared Mauch wrote:
Providers to avoid: US Signal Corporation. (64.141.138.226 was my
natted IP in a Hampton Inn despite whois/swip).
Add Air2Data (seen in Best Western in WY). 20 someodd APs, all
routerboards, all same SSID, overlapping channels, hijacking 80 and 53.
Jared Mauch wrote:
The University of Michigan Hospitals have a guestnet wireless that is ghetto
and blocks IMAP over SSL. Attempts to get them to correct this have fallen
on deaf ears. I can't even VPN out to work around the silliness, which
typically works in other hotel/guestnet scenarios.
On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>> Will be interesting to see if ISPs respond to a large scale thing like
>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
>> (albeit for other reasons). Therein lies the problem with some of the
>> "net neutrality" arguments .