packet sniffers and protocol decoders used by isps

2002-06-04 Thread Daniska Tomas
hi, this topic seems being at least semi-operational to me :) i'd like to make an idea of which sniffers and (the more important part) decoders are included in the arsenal of engineering tools used by network engineers at various isp sizes practical experience would be the

Re: route authentication

2002-06-04 Thread batz
On Tue, 4 Jun 2002, Sean Donelan wrote: :Some ISPs are practically religious about using them, usually the result :of a single person at the ISP pushing it. But for the most part it hasn't :really taken hold in the professional security consulting field. I would suggest that it is also ISP's

RE: route authentication

2002-06-04 Thread Joshua Wright
I am encouraging my local ISP/consortium (www.oshean.org) to utilize MD5 auth for BGP, but have been unsuccessful so far. The most difficult challenge I face there is convincing people of the need with the lack of a published exploit that the MD5 authentication would prevent. So much for best

Re: packet sniffers and protocol decoders used by isps

2002-06-04 Thread Greg A. Woods
[ On Tuesday, June 4, 2002 at 09:52:20 (+0200), Daniska Tomas wrote: ] Subject: packet sniffers and protocol decoders used by isps i'd like to make an idea of which sniffers and (the more important part) decoders are included in the arsenal of engineering tools used by network engineers at

RE: route authentication

2002-06-04 Thread batz
On Tue, 4 Jun 2002, Joshua Wright wrote: :I am encouraging my local ISP/consortium (www.oshean.org) to utilize MD5 :auth for BGP, but have been unsuccessful so far. The most difficult :challenge I face there is convincing people of the need with the lack of a :published exploit that the MD5

Re: route authentication

2002-06-04 Thread Richard A Steenbergen
On Tue, Jun 04, 2002 at 10:20:10AM -0400, batz wrote: Maybe Cisco could add this as a default requirement of the configuration that had to be explicitly disabled? In fact, it would be nice if all protocol configurations had to have their authentication manually disabled. With respect

Re: route authentication

2002-06-04 Thread Rodney Thayer
When I've tried asking about this I generally am told... (a) it was perceived to cause performance issues, (b) the routing software is so brittle that adding this feature is considered too high a risk, (c) the person at the other end didn't know how to enable it so you

RE: route authentication

2002-06-04 Thread Sean Donelan
How do you enable an IP interface because you need a unique address for your interfaces? When I say not part of the default configuration I mean the default configuration doesn't even have a space for put key here. On Tue, 4 Jun 2002, Farhan Memon wrote: How can u enable auth by default,

Bogon list

2002-06-04 Thread Rob Thomas
Hi, folks. For a while folks have asked me to add an aggregated ACL, prefix-list, or black hole routes to the various templates on my site. I've avoided this for a variety of reasons, and decided to create the best of all worlds - the bogon list. :) This list includes the bogons, in both

Re: Bogon list

2002-06-04 Thread Richard A Steenbergen
On Tue, Jun 04, 2002 at 10:30:33AM -0500, Rob Thomas wrote: For a while folks have asked me to add an aggregated ACL, prefix-list, or black hole routes to the various templates on my site. I've avoided this for a variety of reasons, and decided to create the best of all worlds - the bogon

RE: Bogon list

2002-06-04 Thread Barry Raveendran Greene
Then we come to the extra bogons like exchange point allocations. Can't forget them. :) I've never heard anyone refer to the IXP allocations as bogons. Plus, I've not heard of anyone filtering the IXP prefixes on their ingress peering filters. Egress peering filters - yes.

Re: Bogon list

2002-06-04 Thread Joe Abley
On Tuesday, June 4, 2002, at 12:48 , Barry Raveendran Greene wrote: Then we come to the extra bogons like exchange point allocations. Can't forget them. :) I've never heard anyone refer to the IXP allocations as bogons. Plus, I've not heard of anyone filtering the IXP prefixes on their

Oh, I almost forgot...

2002-06-04 Thread Rob Thomas
Hi, folks. If you are interested in yet another view of the global table size, you can take a look here: http://www.cymru.com/BGP/ I graph routing table size based on the data collected from my BGP peers. I also display any bogon prefixes, complete with origin ASN. Comments and feedback are

Re: Bogon list

2002-06-04 Thread David McGaugh
I agree with Joe on this. At one time we were filtering 198.32/16 from our peers but ran into things like ep.net (198.32.6.31) breaking. We now only filter on IXP blocks for which we participate. While on the subject of IXP blocks, we also ended up redistributing the IXP blocks and sending them

Re: Bogon list

2002-06-04 Thread Richard A Steenbergen
On Tue, Jun 04, 2002 at 11:04:40AM -0700, David McGaugh wrote: I agree with Joe on this. At one time we were filtering 198.32/16 from our peers but ran into things like ep.net (198.32.6.31) breaking. We now only filter on IXP blocks for which we participate. While on the subject of IXP

Re: Bogon list

2002-06-04 Thread Clayton Fiske
On Tue, Jun 04, 2002 at 04:17:04PM -0400, Joe Abley wrote: On Tuesday, June 4, 2002, at 03:47 , Richard A Steenbergen wrote: Exchange point blocks SHOULDN'T be transited by anyone, therefore you should not hear them from your peers. [snip] Messy traceroutes make the helpdesk phone

RE: Bogon list

2002-06-04 Thread Barry Raveendran Greene
On Tue, Jun 04, 2002 at 11:04:40AM -0700, David McGaugh wrote: I agree with Joe on this. At one time we were filtering 198.32/16 from our peers but ran into things like ep.net (198.32.6.31) breaking. We now only filter on IXP blocks for which we participate. While on the subject of

Re: Bogon list

2002-06-04 Thread Majdi S. Abbas
On Tue, Jun 04, 2002 at 01:24:04PM -0700, Clayton Fiske wrote: How does the absence of an IXP route affect traceroutes -through- it? The IXP device has a route back to the source of the trace, so it can reply. The traceroute packets are addressed to the ultimate destination, so they don't

Re: Bogon list

2002-06-04 Thread Leo Bicknell
In a message written on Tue, Jun 04, 2002 at 03:47:00PM -0400, Richard A Steenbergen wrote: Exchange point blocks SHOULDN'T be transited by anyone, therefore you should not hear them from your peers. I would say this the other way around, all exchange point blocks should be transited by

Re: Bogon list

2002-06-04 Thread Aditya
On Tue, Jun 04, 2002 at 04:47:51PM -0400, Leo Bicknell wrote: In a message written on Tue, Jun 04, 2002 at 03:47:00PM -0400, Richard A Steenbergen wrote: Exchange point blocks SHOULDN'T be transited by anyone, therefore you should not hear them from your peers. I would say this the

Re: Bogon list

2002-06-04 Thread Randy Bush
as peers do not give each other transit, you don't need to announce the IX to each other to get traceroute to work. you just carry it in your own network. randy

Re: Bogon list

2002-06-04 Thread Randy Bush
as peers do not give each other transit, you don't need to announce the IX to each other to get traceroute to work. you just carry it in your own network. Weren't they talking about customers at a downstream ISPs which don't connect directly to the exchange? one gives transit customers the

Re: Bogon list

2002-06-04 Thread David McGaugh
We announce the IXP blocks to customers and not peers for IXs which we participate. Additionally we don't filter our peers if they were to announce an IXP block so long as it is not an IXP block for an IX which we participate. (grammar?) This way we can continue to learn routes for things like

Re: Bogon list

2002-06-04 Thread Leo Bicknell
In a message written on Tue, Jun 04, 2002 at 01:54:07PM -0700, Aditya wrote: Am I right that I don't see a reason why IX blocks should be transited other than traceroute should work? I can think of a couple of reasons why the blocks SHOULDN'T be transited by anyone. Traceroute to

it's official

2002-06-04 Thread Sean M. Doran
i hate spamarrest. i really do. i hate it. as if i don't get enough junk mail from the nanog list itself, and the advertisers who troll it. you don't know who you are, but lots of the rest of us do. Sean.

Re: Bogon list

2002-06-04 Thread David McGaugh
Tweaking our Looking Glass software by itself would not fix the problem (ours doesn't have this problem anyway). To fix the problem everyone would have to tweak their Looking Glass software since the problem can be seen when someone traceroutes from a peer or 3rd party's Looking Glass into our

Re: Bogon list

2002-06-04 Thread David McGaugh
It just occurred to me that one could use the extended traceroute on the back end for a Cisco to tweak the source IP but there again, it would not be completely effective unless everyone did this. -Dave David McGaugh wrote: Tweaking our Looking Glass software by itself would not fix the

Re: it's official

2002-06-04 Thread JC Dill
On 05:15 PM 6/4/02, Sean M. Doran wrote: i hate spamarrest. i really do. i hate it. Aha, you too! Got one like this, did you? [sender] would like to receive your email Re: [subject]. [sender] is now using Spamarrest to block unwanted email. Spamarrest is a revolutionary and

Re: Bogon list

2002-06-04 Thread Sean M. Doran
| Tweaking our Looking Glass software by itself would not fix the problem | (ours doesn't have this problem anyway). To fix the problem everyone | would have to tweak their Looking Glass software since the problem can | be seen when someone traceroutes from a peer or 3rd party's Looking | Glass

Re: Bogon list

2002-06-04 Thread Joe Abley
On Tuesday, June 4, 2002, at 07:49 , Sean M. Doran wrote: | Messy traceroutes make the helpdesk phone ring. Messy architecture is worse! Agreed. An inconsistent architecture is a messy one. Why treat exchange subnets differently to any other bit of backbone infrastructure? Why number

Re: Bogon list

2002-06-04 Thread Sean M. Doran
| Why treat exchange subnets differently to any other bit of backbone | infrastructure? Oh, I wholeheartedly agree. I would love them all to use RFC 1918 addresses, because it is VERY VERY VERY rare that anything outside the scope in which the 1918 local use addresses are unique actually

Re: Bogon list

2002-06-04 Thread bmanning
Targeting people who look up in-addr.arpa mappings, you could always emit pointers to would-be tracerouters -- get yer real data at http://... Points to the person who first puts such a thing into the DNS. Started it in 1997... Presented it INET in 1998. UCB a couple

Re: Bogon list

2002-06-04 Thread Greg A. Woods
[[ What's with the huge CC list everyone? Aren't we all subscribers? Do y'all enjoy getting multiple copies of replies? I don't! ;-) ]] [ On Tuesday, June 4, 2002 at 18:33:23 (-0700), Sean M. Doran wrote: ] Subject: Re: Bogon list | Why treat exchange subnets differently to any other