Re: old media (was: wannabe isp)

2011-09-20 Thread Christopher Morrow
On Tue, Sep 20, 2011 at 12:20 AM, Randy Bush wrote: >> Does anybody actually *have* a functional 7 track drive? > > if you really need one, i know what trail i would start to follow. > there are folk keeping old stuff alive and pulling arcane things > off old media (like the besm-6 system). the t

Re: 4.0.0.0/8?

2011-09-20 Thread Christopher Morrow
On Tue, Sep 20, 2011 at 1:27 PM, Richard A Steenbergen wrote: > On Tue, Sep 20, 2011 at 08:13:09PM +0300, Hank Nussbacher wrote: >> Did Level3 withdraw 4.0.0.0/8 today and start announcing it as two /9s? > > Level3 has been announcing 2x /9's as well as the /8 for some time now, > ever since Tele

Re: RADB/RIR Scraper

2011-09-21 Thread Christopher Morrow
has some pointers to tools Richard wrote (and presented a few times now) at nanog meetings. (to save you reading the pdf... which is a good read: On Wed, Sep 21, 2011 at 9:01 AM, Nick Hilliard w

Re: Verizon / FiOS network

2011-09-22 Thread Christopher Morrow
On Thu, Sep 22, 2011 at 8:55 PM, Ryan Pugatch wrote: > Hi, > > Anyone noticing anything weird with the Verizon / FiOS network? > > Seems like many people on their network are having trouble getting to us > (on Sidera / RCN) but not everyone. > it's, obviously, simpler to help diagnose this when y

Re: Commercial DNS service opinions?

2011-09-23 Thread Christopher Morrow
On Fri, Sep 23, 2011 at 10:17 AM, Jay Ashworth wrote: > Open, Super, Dyn? > > Will any of them do hidden-master? > > Off list; I'll summarize. recursive AND authoritative? or ?

Re: Strange static route

2011-09-23 Thread Christopher Morrow
On Fri, Sep 23, 2011 at 9:57 PM, jim deleskie wrote: > Wouldn't it make more sense to filter in bound default?  or use a single > static default if you were worried about that? there's lots of smarter things you COULD do :) this, it seems to me, is a great thing for the operations bcp folks to w

Re: Earthlink Contact - DNS cache poisoning

2011-09-24 Thread Christopher Morrow
On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess wrote: > On Sat, Sep 24, 2011 at 7:43 PM, Will Dean wrote: > > The  "JOMAX.NET"  response is  indicative that there's a  Paxfire box > in the mix, > intercepting the DNS query  (probably installed by the ISP). > I think actually.. earthlink uses barefr

Re: Earthlink Contact - DNS cache poisoning

2011-09-24 Thread Christopher Morrow
On Sat, Sep 24, 2011 at 9:21 PM, Will Dean wrote: > > On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote: > >> On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess wrote: >> I think actually.. earthlink uses barefruit? (or they did when ... >> kaminsky was off doing his d

Re: Nxdomain redirect revenue

2011-09-24 Thread Christopher Morrow
On Sat, Sep 24, 2011 at 9:33 PM, Cameron Byrne wrote: > Just an fyi for anyone who has a marketing person dreaming up a big nxdomain > redirect business cases, the stats are actually very very poor... it does > not make much money at all. > > It is very important to ask the redirect partners about

Re: Nxdomain redirect revenue

2011-09-26 Thread Christopher Morrow
On Mon, Sep 26, 2011 at 10:25 AM, Cameron Byrne wrote: > On Sep 26, 2011 1:29 AM, "Florian Weimer" wrote: >> >> * Cameron Byrne: >> >> > It is very important to ask the redirect partners about yields... > meaning, >> > you may find that less than 5% of nxdomain redirects can be actually > served

Re: Nxdomain redirect revenue

2011-09-26 Thread Christopher Morrow
On Mon, Sep 26, 2011 at 2:11 PM, wrote: > On Mon, 26 Sep 2011 10:36:51 EDT, Christopher Morrow said: > >> I'm curious, is there some belief that the use of the nxdomain >> hijacking/rewriting is actually of use to 'users' ? > > "of use to users"

Re: Nxdomain redirect revenue

2011-09-26 Thread Christopher Morrow
On Mon, Sep 26, 2011 at 2:17 PM, Christopher Morrow wrote: > On Mon, Sep 26, 2011 at 2:11 PM,   wrote: >> On Mon, 26 Sep 2011 10:36:51 EDT, Christopher Morrow said: >> >>> I'm curious, is there some belief that the use of the nxdomain >>> hijacking/

Re: Nxdomain redirect revenue

2011-09-27 Thread Christopher Morrow
On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess wrote: > On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson > wrote: > [snip] >> Certainly, hijacking google.com NS records to JOMAX.NET would be a >> criminal interference.  After all, that's all DNSsec signed now, >> isn't it? > > I would rather s

Re: Nxdomain redirect revenue

2011-09-27 Thread Christopher Morrow
On Tue, Sep 27, 2011 at 10:19 AM, wrote: > On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said: >> On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess wrote: > >> > I would rather see DNSSEC and TLS/HTTPS get implemented end to end. >> >> how does tls/https

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-29 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 1:07 AM, Mikael Abrahamsson wrote: > > Just thought I'd share some operational info. > > PFC3B will by default punt IPv6 packets with fragmentation header to RP and > route them there, with the obvious performance penalty this incurs. when will vendors learn that punting t

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 6:02 AM, Saku Ytti wrote: > On (2011-09-30 01:55 -0400), Christopher Morrow wrote: > >> when will vendors learn that punting to the RE/RP/smarts for packets >> in the fastpath is ... not just 'unwise' but wholesale stupid? :( > > What to

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 10:26 AM, Saku Ytti wrote: > explained. And probably issues I'm not aware of. Unsure if blind forwarding is > best option. But I'm all for giving operator options, but calling it stupid > that vendors punt something is misguided. after this long, yes... this is just dumb,

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 11:24 AM, Nick Hilliard wrote: > On 30/09/2011 15:45, Christopher Morrow wrote: >> traceroute could certainly be handled in the fastpath. > > which traceroute?  icmp?  udp?  tcp?  Traceroute is not a single protocol. > traceroute is really an example

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 12:00 PM, Nick Hilliard wrote: > Of course, if you wanted a 10g capable service provider router and didn't > want an asr9k, they were pushing the 7600 because the 6500 is a switch and > the 7600 is a router and the two are totally different, no really you've > gotta believe

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 12:38 PM, Nick Hilliard wrote: > On 30/09/2011 17:30, Christopher Morrow wrote: >> traceroute is really an example of 'packet expired, send >> unreachable'... that, today is basically: >>   o grab 64bytes of header (or something similar)

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 9:32 PM, Dobbins, Roland wrote: > On Sep 30, 2011, at 11:44 PM, Christopher Morrow wrote: > >> this is exactly why punting anything NOT management and/or routing-protocols >> should be banned. Thanks for making that point explicitly. > > And this

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 9:44 PM, Christopher Morrow wrote: > On Fri, Sep 30, 2011 at 9:32 PM, Dobbins, Roland wrote: >> On Sep 30, 2011, at 11:44 PM, Christopher Morrow wrote: >> >>> this is exactly why punting anything NOT management and/or >>> routing-proto

Re: Re: Mails to Google being blocked for illegal attachments

2011-10-01 Thread Christopher Morrow
On Sat, Oct 1, 2011 at 10:24 AM, foks wrote: > I also tried to send the same mail without the attached gif image, so it > seems to be something else that triggers the error message. So, to be clear, sending the message without the image attachment also bounced?

Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Christopher Morrow
On Mon, Oct 3, 2011 at 12:38 PM, Danny McPherson wrote: >  If the operator of a network service > can't detect issues *when they occur* in the current system in some > automated manner, whether unintentional or malicious, they won't be > alerted, they certainly can't "fix" the problem, and the pot

Re: FW: [arin-announce] Whois Query Behavior is Updated

2011-10-03 Thread Christopher Morrow
On Mon, Oct 3, 2011 at 3:11 PM, Mark Kosters wrote: > Hi > > Apologies for the cross post from ARIN-Announce. Thought that many of you > would be interested in hearing about the recent ARIN Whois change given > the recent discussion on NANOG. thanks! :)

Re: he.net down?

2011-10-03 Thread Christopher Morrow
On Mon, Oct 3, 2011 at 6:37 PM, chris wrote: > Down here as well > ~$ ping6 www.he.net PING www.he.net(he.net) 56 data bytes 64 bytes from he.net: icmp_seq=2 ttl=54 time=124 ms > chris > On Oct 3, 2011 6:36 PM, "Aiden Sullivan" wrote: >> www.he.net seems to be down on both IPv4 and IPv6 -- does

Re: Botnets buying up IPv4 address space

2011-10-07 Thread Christopher Morrow
On Fri, Oct 7, 2011 at 3:10 PM, Arturo Servin wrote: > >        I agree with Benson. > >        In fact, for this "problem" I find irrelevant that IPv4 is running > out. They are just looking for good reputation IP nodes. isn't this a short-lived problem then?

Re: DPI deployment use case

2011-10-07 Thread Christopher Morrow
On Fri, Oct 7, 2011 at 12:44 PM, PC wrote: > Your use case is not beyond the possibility of full DPI, but a transparent > proxy box of some nature would be sufficient for most of that.  Usage limits > on the other hand is often easier done via your AAA accounting/radius > solution, including polic

Re: Botnets buying up IPv4 address space

2011-10-07 Thread Christopher Morrow
On Fri, Oct 7, 2011 at 3:32 PM, William Herrin wrote: > As for auctioning IP blocks, my experience is that hackers don't > bother. If they want IP addresses beyond what the colo provider > offers, they steal them: find a block of addresses not routed on the > public Internet and forge LoAs they pr

Re: meeting network

2011-10-10 Thread Christopher Morrow
On Mon, Oct 10, 2011 at 9:01 AM, Dobbins, Roland wrote: > On Oct 10, 2011, at 7:46 PM, Nick Hilliard wrote: > >> if it's wifi that's causing the trouble, the usual causes are: is the complaint the hotel ROOM wireless? or the meeting-room? I noticed the nanog-a-secure bounce me 2x, so I moved back

Re: meeting network

2011-10-10 Thread Christopher Morrow
On Mon, Oct 10, 2011 at 1:29 PM, Randy Carpenter wrote: > > I have been at other conference that have triple or more participants, and it > has never been anything close to the issues we are having at this hotel. > Slightly slower performance is expected. Completely not working is not. hotel or

Re: new guest room SSID for NANOG

2011-10-10 Thread Christopher Morrow
On Mon, Oct 10, 2011 at 5:43 PM, Noah Weis wrote: > All, > > The hotel is in the process of deploying an SSID throughout the guest room > network that terminates to the NANOG external router, rather than the > hotel's gateway. > > The SSID is NANOG-guest. > > They stated it will take a couple of h

Re: meeting network

2011-10-10 Thread Christopher Morrow
On Mon, Oct 10, 2011 at 11:36 PM, Owen DeLong wrote: > I don't think it is. I think that you can negotiate and I will point out that > the hotel > here has wanted our business enough that they have now scrambled to make > life significantly better. You can also bet I'll be demanding that they >

Re: SP / Enterprise design (dis)similarities

2011-10-10 Thread Christopher Morrow
On Tue, Oct 11, 2011 at 1:12 AM, Keegan Holley wrote: > The definition of clean is also subjective.  There are many who would run > the IGP only for loopbacks and /30's and force everything into BGP even at > small scale.  BGP makes it easier to control the routing relationships > between companie

Re: SP / Enterprise design (dis)similarities

2011-10-10 Thread Christopher Morrow
On Tue, Oct 11, 2011 at 1:19 AM, Keegan Holley wrote: > > > 2011/10/11 Christopher Morrow >> >> On Tue, Oct 11, 2011 at 1:12 AM, Keegan Holley >> wrote: >> > The definition of clean is also subjective.  There are many who would >> > run >>

Re: Y'all know Google is offering public DNS services now?

2011-10-10 Thread Christopher Morrow
On Tue, Oct 11, 2011 at 1:19 AM, Scott Howard wrote: > the initial release date (not > actually shown in the that version as far as I can see, but it was around > the same time Google announced their public DNS servers). jan 27 2011, so says the doc header...

Re: [outages] News item: Blackberry services down worldwide

2011-10-12 Thread Christopher Morrow
On Wed, Oct 12, 2011 at 6:40 PM, Phil Regnauld wrote: >        Correct - they need to transit at some point through the RIM servers. > >         > http://www.interworks.com/blogs/wlyles/2010/01/14/why-rim-outage-affects-users-corporate-bes > >        That's just wrong on so many levels. yet... p

Re: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Christopher Morrow
On Thu, Oct 13, 2011 at 11:13 AM, Jay Ashworth wrote: > - Original Message - >> From: "Jamie Bowden" > >> Someday either Google or Apple will get >> off their rear ends and roll out an end to end encrypted service that >> plugs into corporate email/calendar/workgroup services and we can a

Re: Outsourcing DDOS

2011-10-19 Thread Christopher Morrow
On Wed, Oct 19, 2011 at 9:13 AM, wrote: > We are considering using Prolexic to 'defend' our Internet-facing network > from DDOS attacks.  Anyone have any known issues or word of warnings before > we proceed? > you appear to be an ATT customer (and qwest) ATT has a dos-mitigation solution, it w

Re: Can this bgp work?

2011-10-22 Thread Christopher Morrow
Check routeviews? On Oct 22, 2011 9:07 PM, "Deric Kwok" wrote: > Hello > > We would like to split our network advertising with same AS no. in > different our bgp routers to same or different upstream provider > > eg: > > 66.70.0.0/20 in bgpRouterA > 67.170.0.0/20 in bgpRouterB > 174.70.0.0/20 in

Re: Juniper DOS/Blackhole question

2011-10-22 Thread Christopher Morrow
On Sat, Oct 22, 2011 at 11:26 PM, Jack Bates wrote: > On 10/22/2011 10:14 PM, Stefan Fouant wrote: >> Not sure about the PPS limitations... The PFE ASICs should be able to >> handle a 750Mbps / 1.5 Mpps DoS pretty easy... > > That's what I'm thinking. My m120 shows 0 problems with the load, but 2

Re: Outsourcing DDOS

2011-10-24 Thread Christopher Morrow
On Mon, Oct 24, 2011 at 3:29 PM, Stefan Fouant wrote: > On 10/24/2011 1:54 PM, Andreas Echavez wrote: > >> obviously they will get blocked. My personal experience is that when >> you're >> dealing with a DoS at the scale that you need Prolexic, there is simply no >> one else that can handle that l

Re: Outsourcing DDOS

2011-10-24 Thread Christopher Morrow
On Mon, Oct 24, 2011 at 6:46 PM, Andreas Echavez wrote: > certain timeframe? Finally, and most importantly to us, was how much do they > charge per attack, or if it a flat "insurance" type agreement where they > block unlimited attacks. for verizon the 'time to mitigate' is gated on you sending a

Re: Senate Bill S.968

2011-10-25 Thread Christopher Morrow
On Tue, Oct 25, 2011 at 12:58 PM, Jason LeBlanc wrote: > Anyone read this? > > http://en.wikipedia.org/wiki/Protect_IP_Act > > More attempts to regulate Internet usage. > > Not in favor. folk ought to reach out to the largest opponent on this: Senator Wyden and see

Re: the route is not in our bgprouter

2011-10-25 Thread Christopher Morrow
deric, you really ought to hire a consultant for this sort of thing... just sayin! On Tue, Oct 25, 2011 at 9:49 PM, Deric Kwok wrote: > Hi > > Our upstream provider said that destination network is blocking our ip. > > Now my question is how we can know it you can't really, if they do things rig

Re: Fiber in Atlantic City, NJ

2011-10-27 Thread Christopher Morrow
On Thu, Oct 27, 2011 at 5:16 PM, wrote: > Hello, > > If anyone has/knows of contacts among the fiber providers in Atlantic City, > NJ as close to the Boardwalk as possible ( especially those that might have > a leg to Philadelphia, PA ), could you kindly reply off list? sounds like quite the gam

Re: Update Bogon Lists

2011-10-27 Thread Christopher Morrow
On Thu, Oct 27, 2011 at 11:49 PM, Ross Annetts wrote: > Hi, > > > > We have been allocated the IP range: > > > > 101.0.64.0/18 > (soon-to-be-released rfc about same) > > > And have had issues with 2 networks in re

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 1:14 PM, wrote: > >  that was/is kind of orthogonal to the question... would the sidr plan > for routing security have been a help in this event?  nice to know > unsecured IPv6 took some of the load when the unsecured IPv4 path > failed. > if all routing goes boom, would se

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 1:48 PM, Nick Hilliard wrote: > On 08/11/2011 18:14, bmann...@vacation.karoshi.com wrote: >>  the answer seems to be NO, it would not have helped and would have actually >> contributed to network instability with large numbers of validation requests >> sent to the sidr/ca no

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 4:08 PM, Leigh Porter wrote: > > On 8 Nov 2011, at 18:24, "Dobbins, Roland" wrote: > >> Validation storm-control is something which must be accounted for in >> SIDR/DANE architecture, implementation, and deployment.  But at the end of >> the day, vendors are still respons

Re: where was my white knight....

2011-11-08 Thread Christopher Morrow
On Tue, Nov 8, 2011 at 5:26 PM, Dobbins, Roland wrote: > > On Nov 9, 2011, at 4:22 AM, Christopher Morrow wrote: > >>  the routers have (in some form of the plan) a cache > > A cache that's persistent across reboots? > not across reboots, but in this case routers did

Question about operational concerns with Routing Protocol Security

2011-11-15 Thread Christopher Morrow
Howdy, while enjoying some (oddly not controversial) meeting time at the IETF, one of the presenters (Sam Hartman[1]) noted he's looking for some people to chat with with respect to 'deployment scenarios' surrounding network gear and protocol security. Today that probably takes the form of things

Re: OT -- seeking a knowledgable AS 701 technical contact.

2011-11-16 Thread Christopher Morrow
sorry grant :( (gmail user fail) On Wed, Nov 16, 2011 at 8:12 PM, Christopher Morrow wrote: > On Wed, Nov 16, 2011 at 8:12 PM, Christopher Morrow > wrote: >> what are you trying to do with ftp.uu.net? is it broken in some way? >> > > is it possibly that no login inf

Re: IP Options

2011-11-17 Thread Christopher Morrow
got pcaps? On Thu, Nov 17, 2011 at 10:04 AM, harbor235 wrote: > Is it just me or has there been an increase in packets with IP options set > hitting > our front door? There are ways to mitigate e.g. IP options selective > discard, and ACL > IP options support. ACL entries on the edge appear to be

Re: IP Options

2011-11-17 Thread Christopher Morrow
'problem', though in theory they can be painful :( Some vendor gear has 'no ip-options' as an option...(which is really, 'ignore ip options', I believe), some has the ability to filter based on option(s). -chris > Mike > > On Thu, Nov 17, 2011 at 10:07 AM, Ch

Re: Looking for a Tier 1 ISP Mentor for career advice.

2011-11-20 Thread Christopher Morrow
On Sun, Nov 20, 2011 at 9:40 PM, Tyler Haske wrote: > I'm looking for a mentor who can help me focus my career so eventually I > wind up working at one of the Tier I ISPs as a senior tech. I want to > handle the big pipes that hold everyone's data. why not just apply as a tech at any of the dozen

Re: First real-world SCADA attack in US

2011-11-21 Thread Christopher Morrow
On Mon, Nov 21, 2011 at 4:51 PM, Jason Gurtz wrote: >> Having worked on plenty of industrial and other control systems I can >> safely say security on the systems is generally very poor.   The >> vulnerabilities have existed for years but are just now getting >> attention. > > +1 > > Just for cont

Re: automated config backups for SFTOS

2011-11-24 Thread Christopher Morrow
On Wed, Nov 23, 2011 at 8:36 PM, James Harr wrote: > Second rancid. +3 > If SFTOS supports per-command authorization (via RADIUS/TACACS), you can it does > limit the script account to only be able to use 'show run' and whatever > else it needs (even when it logs in). > you can > That said, i

Re: automated config backups for SFTOS

2011-11-24 Thread Christopher Morrow
On Thu, Nov 24, 2011 at 12:03 PM, Christopher Morrow wrote: > On Wed, Nov 23, 2011 at 8:36 PM, James Harr wrote: >> Second rancid. > > +3 > >> If SFTOS supports per-command authorization (via RADIUS/TACACS), you can > > it does > >> limit the script accoun

Re: bgp update destroying transit on redback routers ?

2011-12-01 Thread Christopher Morrow
On Thu, Dec 1, 2011 at 3:15 PM, Igor Ybema wrote: > Hi all, > > A new update. A coder from ericsson told me that the problem is not > 4-byte asn related. It is related to aggregator-asn=0 and > aggregator-ip=0.0.0.0. Ericsson does not accept this as valid ASN and > IP-address. > > The question is

Re: bgp update destroying transit on redback routers ?

2011-12-01 Thread Christopher Morrow
On Thu, Dec 1, 2011 at 3:23 PM, Igor Ybema wrote: >> >> >> one of the reasons the above was written... > > That does not include when ASN=0 is used in the aggregator attribute. > Could you add that? that's a warren question...

Re: bgp update destroying transit on redback routers ?

2011-12-02 Thread Christopher Morrow
On Fri, Dec 2, 2011 at 9:35 AM, Alexandre Snarskii wrote: > This draft says that ...note it's a DRAFT, not a STANDARD... > > If a BGP speaker receives a route which has an AS number of zero in the > AS_PATH (or AS4_PATH) attribute, it SHOULD be logged and treated as a > WITHDRAW. This same beha

Re: HP IPv6 RA Guard

2011-12-04 Thread Christopher Morrow
On Sun, Dec 4, 2011 at 2:21 PM, wrote: > Hi, > >  sorry to disappoint you, but there´s a reason why HP bought H3C/3Com. And of > course, those switches have some advanced features, as well: > does the set of 'advanced features' include: "A cli that is scriptable" ? cause the HPOS interface is f

Re: Writable SNMP

2011-12-06 Thread Christopher Morrow
On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch wrote: > > On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote: > >> For a few years now I been wondering why more networks do not use writable >> SNMP.  Most automation solutions actually script a login to the various >> equipment.  This comes with extra

Re: Writable SNMP

2011-12-06 Thread Christopher Morrow
On Tue, Dec 6, 2011 at 12:15 PM, Jared Mauch wrote: > > On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote: > >> long ago, in a network far away (not on the interwebs) we used snmp >> write to trigger a tftp config load. It worked nicely... I'm fairly >> certai

Re: Writable SNMP

2011-12-06 Thread Christopher Morrow
On Tue, Dec 6, 2011 at 11:49 AM, Keegan Holley wrote: > 2011/12/6 Christopher Morrow >> >> On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch >> wrote: >> > >> > On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote: >> > >> >> For a

Re: Writable SNMP

2011-12-06 Thread Christopher Morrow
On Tue, Dec 6, 2011 at 12:39 PM, Dorian Kim wrote: > On Tue, Dec 06, 2011 at 12:15:35PM -0500, Mauch, Jared wrote: >> > Also, who tests snmp WRITE in their code? at scale? for daily >> > operations tasks? ... (didn't the snmp incident in 2002 teach us >> > something?) >> >> There's no reason one c

Re: Writable SNMP

2011-12-06 Thread Christopher Morrow
On Tue, Dec 6, 2011 at 2:56 PM, Jethro R Binks wrote: > So what are the alternatives these days then for automation or batch > operations? > > clogin etc from shrubbery's rancid? > > Net::Appliance::Session netconf!

Re: carping about CARP

2012-11-29 Thread Christopher Morrow
On Fri, Nov 30, 2012 at 12:52 AM, Robert E. Seastrom wrote: > Note that the Ciscos didn't exhibit any untoward behavior, and there > were "passwords" on the VRRP sessions too. case of the same situation all[1] 'software md5 tcp' implementations have? sign but never verify... -chris [1]: solaris

Re: /. ITU Approves Deep Packet Inspection

2012-12-05 Thread Christopher Morrow
On Wed, Dec 5, 2012 at 2:01 PM, Tom Taylor wrote: > I'm seriously not clear why Y.2770 is characterized as "negotiated behind > closed doors". Any drafts were available to all participants in the ITU-T, > on exactly the same terms as drafts of other Recommendations. As an example, > the draft comi

Re: China Telecom VPN problems (again)

2012-12-05 Thread Christopher Morrow
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka wrote: > Its quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, > CPCNet, etc, will offer), but at a price. mpls != ipsec ... perhaps the OP wants some privacy and authentication and such? > > Suzhou and Shenzhen are easily in reach of

Re: Solutions for DoS & DDoS

2012-12-10 Thread Christopher Morrow
On Mon, Dec 10, 2012 at 9:33 AM, Ameen Pishdadi wrote: > Sounds like an advertisement to me In the end there are few actual options (in general): 1) do it yourself 2) have your carrier do it for you 3) have a third party do it for you There are cost and capability considerations with all o

Re: RADB entry

2012-12-11 Thread Christopher Morrow
On Tue, Dec 11, 2012 at 8:31 AM, Eric Krichbaum wrote: > The origin being entered by a > provider as their own allows them to add the prefix (and have it accepted by > anyone who filters them by prefix generated) without being forced to add a > downstream (and downstream's downstreams) AS to thei

Re: RADB entry

2012-12-11 Thread Christopher Morrow
opher.mor...@gmail.com] On > Behalf Of Christopher Morrow > Sent: Tuesday, December 11, 2012 8:51 AM > To: Eric Krichbaum > Cc: Chuck Church; nanog@nanog.org > Subject: Re: RADB entry > > On Tue, Dec 11, 2012 at 8:31 AM, Eric Krichbaum wrote: >> The origin being entered by a

Re: RADB entry

2012-12-11 Thread Christopher Morrow
On Tue, Dec 11, 2012 at 10:11 AM, Chuck Church wrote: > -Original Message- >>From: Eric Krichbaum [mailto:e...@telic.us] >>Sent: Tuesday, December 11, 2012 8:31 AM >>To: 'Chuck Church'; nanog@nanog.org >>Subject: RE: RADB entry > >>While not 100% accurate, it is very common. The origin be

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 11:21 AM, Tim Franklin wrote: >> http://www.startssl.com/ >> >> Their certs are free and, from what I hear, are accepted by Google. > > Seconded. I was a hold-out for a long time on personal stuff - I trust me, > I'm not paying someone else to trust me - but StartSSL make

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 12:04 PM, Eugen Leitl wrote: > On Fri, Dec 14, 2012 at 11:36:08AM -0500, Christopher Morrow wrote: > >> > Seconded. I was a hold-out for a long time on personal stuff - I trust >> > me, I'm not paying someone else to trust me - but StartSSL

Re: Advisory — D-root is changing its IPv4 address on the 3rd of January.

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 11:59 AM, Michael Thomas wrote: > Matthew Newton wrote: >> >> On Fri, Dec 14, 2012 at 04:42:46PM +, Nick Hilliard wrote: >>> >>> On 13/12/2012 22:54, Jason Castonguay wrote: Advisory — D-root is changing its IPv4 address on the 3rd of January. >>> >>> You've j

Re: Re: Advisory — D-root is changing its IPv4 address

2012-12-14 Thread Christopher Morrow
dnssec On Dec 14, 2012 1:06 PM, "Joe Greco" wrote: > > > So really stupid question, and hopefully it's just me, do I need to do > > > something > > > on my servers? > > > > your crontab that updates your root-hints may already have caught the > chang= > > e... > > That seems like a spectacularly

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis wrote: > In my experience, free/cheap certs "not working" on some clients is, in > 99.9% of cases, a misconfiguration error where the server isn't presenting > the cert chain properly (usually omitting the intermediate cert), which > works on som

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
if only some us-gov folks read this mailing list... maybe someone from NIST could aim the right question to the right eftps.gov people? you'd think helping the taxman would be appreciated. On Tue, Dec 18, 2012 at 10:26 AM, Dennis Burgess wrote: > I tried to this a month ago, no luck :( i.e. nothi

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 10:33 AM, Christopher Morrow wrote: > if only some us-gov folks read this mailing list... > maybe someone from NIST could aim the right question to the right > eftps.gov people? > you'd think helping the taxman would be appreciated. > it's probab

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 10:35 AM, Christopher Morrow wrote: > On Tue, Dec 18, 2012 at 10:33 AM, Christopher Morrow > wrote: >> if only some us-gov folks read this mailing list... >> maybe someone from NIST could aim the right question to the right >> eftps.gov people? >

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 10:49 AM, Darren Pilgrim wrote: > On 2012-12-18 07:36, Christopher Morrow wrote: >> >> On Tue, Dec 18, 2012 at 10:35 AM, Christopher Morrow >> >>> it's probably also fair to point out that ... it seems to be working. >>> (

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 11:02 AM, Darren Pilgrim wrote: > On 2012-12-18 07:52, Christopher Morrow wrote: >> >> see, now we're getting information that FDC/IRS could actually use! >> :) This looks like an MTU issue then? > > > I believe so. so, a suggestion to e

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 11:15 AM, Darren Pilgrim wrote: > 4890 it might not be their (eftps.gov's) fault though... but sure.

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 3:19 PM, Mark Andrews wrote: > > In message > , > Christopher Morrow > writes: >> On Tue, Dec 18, 2012 at 11:15 AM, Darren Pilgrim wrote: >> > 4890 >> >> it might not be their (eftps.gov's) fault though... but sure. >

Re: www.eftps.gov contact

2012-12-18 Thread Christopher Morrow
On Tue, Dec 18, 2012 at 3:35 PM, Owen DeLong wrote: > > On Dec 18, 2012, at 12:22 , Christopher Morrow > wrote: > >> On Tue, Dec 18, 2012 at 3:19 PM, Mark Andrews wrote: >>> >>> In message >>> , >>> Christopher Morrow >>>

Re: regions.com down??

2012-12-26 Thread Christopher Morrow
Most ddos games On Dec 26, 2012 4:53 PM, "Scott Howard" wrote: > But only over HTTP. Working fine over HTTPS for me. > > Scott > > > > On Wed, Dec 26, 2012 at 1:46 PM, Joshua Goldbard wrote: > > > Http://www.downforeveryoneorjustme.com/regions.com > > > > Down. > > > > Sent from my iPad > > >

Re: SSL Certificates and ... Providers

2012-12-27 Thread Christopher Morrow
On Thu, Dec 27, 2012 at 3:37 PM, Blake Pfankuch wrote: > Our stuff is currently through Verisign because of the "reliability of the > name" and the nature of the industry. verisign sold this business (like 2+ years ago?), maybe it's time to find someone else with a reliable name? (who hasn't sol

Re: Gmail and SSL

2012-12-30 Thread Christopher Morrow
On Sun, Dec 30, 2012 at 3:30 PM, Keith Medcalf wrote: > Your assertion that using "bought" certificates provides any security benefit > whatsoever assumes facts not in evidence. > > Given recent failures in this space I would posit that the requirement to use > certificates purchased from entiti

Re: Gmail and SSL

2013-01-01 Thread Christopher Morrow
On Mon, Dec 31, 2012 at 9:07 AM, John R. Levine wrote: > Also keep in mind that this particular argument is about the certs used to > submit mail to Gmail, which requires a separate SMTP AUTH within the SSL > session before you can send any mail. This isn't belt and suspenders, this > is belt and

Re: Gmail and SSL

2013-01-01 Thread Christopher Morrow
On Tue, Jan 1, 2013 at 2:04 PM, Keith Medcalf wrote: > Perhaps Google's other "harvesters" and the government agents they sell or > give user credentials to, don't work against privately (not under the > government thumb) encryption keys without the surveillance state expending > significantly more

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 1:08 PM, William Herrin wrote: > As for Google (and anyone else) it escapes me why you would require a > signed certificate for any connection that you're willing to also > permit completely unencrypted. Encryption stops nearly every purely raising the bar for observers is

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin wrote: > On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow > wrote: >> goodness-scale (goodness to the left) >> signed > self-signed > unsigned > > Hi Chris, > > Self-signed and unsigned are identical. Th

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Jan 2, 2013 7:36 PM, "William Herrin" wrote: > > > > > Me, no, although I have read credible reports that otherwise reputable SSL > > signers have issued MITM certs to governments for their filtering firewalls. > That's not the case join is referring to. > The governments in question are wat

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow wrote: > > On Jan 2, 2013 7:36 PM, "William Herrin" wrote: >> > >> > >> > Me, no, although I have read credible reports that otherwise reputable >> > SSL >> > signers have issued

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:51 PM, William Herrin wrote: > secure cryptosystems." Has the EFF's SSL Observatory project detected > even one case of a fake certificate under Etilisat's trust chain since > then? it's possible that the observatory won't see these in the wild, if the observatory is on t

Re: OOB core router connectivity wish list

2013-01-09 Thread Christopher Morrow
On Wed, Jan 9, 2013 at 11:18 AM, William Herrin wrote: > About the only time you'd strictly *need* dynamic configuration in an > OOB is when directly connecting it to a commodity Internet link. If > you're willing to give your poorly secured and rarely updated OOB a > public IP address, you're a b

Re: OOB core router connectivity wish list

2013-01-10 Thread Christopher Morrow
On Thu, Jan 10, 2013 at 9:10 AM, Nick Hilliard wrote: > - netflow: seriously, this is not an appropriate sort of port of > exporting > netflow. this is a "your RP is toast" recovery mechanism, at which point > netflow is probably long gone. it's possible that roland was saying that the
