Re: IBGP Question --- Router Reflector or iBGP Mesh

2005-01-12 Thread Alexei Roudnev
Are you sure? RR should just distribute routes. RR do not make any route decisions, and (btw) iBGP do not make route decisions - they are mostly based on IGP routing. All iBGP + RR are doing is: - tie external routes to internal IP; - distribute this information using iBGP mesh, RR's etc. -

Re: Proper authentication model

2005-01-12 Thread Gernot W. Schmied
Iljitsch van Beijnum wrote: On 11-jan-05, at 18:48, Daniel Golding wrote: True out of band management networks are very hard to build and very hard to use, and you run the risk that you can't get at your stuff because the management network is down. IS-IS can be highly recommended for true out

Re: IBGP Question --- Router Reflector or iBGP Mesh

2005-01-12 Thread Iljitsch van Beijnum
On 12-jan-05, at 9:06, Alexei Roudnev wrote: Are you sure? RR should just distribute routes. RR do not make any route decisions, and (btw) iBGP do not make route decisions - they are mostly based on IGP routing. Route reflectors only propagate their idea of the best route for a destination. If

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Michael . Dillon
= seriously, there have been various proposals ([ADV], etc) to facilitate legit UCE, but that hasn't slowed the arms race. How would you recommend that we make it easier for legit businesses? I don't propose that we make it easier for legit UCE. I'm simply pointing out that it's an arms race

Re: Proper authentication model

2005-01-12 Thread Iljitsch van Beijnum
On 12-jan-05, at 11:30, Gernot W. Schmied wrote: True out of band management networks are very hard to build and very hard to use, and you run the risk that you can't get at your stuff because the management network is down. IS-IS can be highly recommended for true out of band management, it is

Re: Proper authentication model

2005-01-12 Thread David Gethings
On Wed, 2005-01-12 at 12:25 +0100, Iljitsch van Beijnum wrote: IPv6 is also very useful in providing non-IPv4 management. Well if we're offering protocols other than IP(v4) for OOB management then might I chip in with MPLS? ;) -- Cheers Dg

Re: IBGP Question --- Router Reflector or iBGP Mesh

2005-01-12 Thread David Barak
--- Alexei Roudnev [EMAIL PROTECTED] wrote: Are you sure? RR should just distribute routes. RR do not make any route decisions, and (btw) iBGP do not make route decisions - they are mostly based on IGP routing. All iBGP + RR are doing is: - tie external routes to internal IP; -

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Niels Bakker
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [Wed 12 Jan 2005, 12:23 CET]: [..] for some reason people are unwilling to imagine an email system in which an ISP will only accept incoming messages from another ISP with which they have an existing agreement, i.e. rather like email peering. You say

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Suresh Ramasubramanian
On Wed, 12 Jan 2005 11:23:42 +0000, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I would rather see us focus on securing the email architecture. Secure submission is part of that, but for some reason people are unwilling to imagine an email system in which an ISP will only accept incoming

Re: IBGP Question --- Router Reflector or iBGP Mesh

2005-01-12 Thread Erik Haagsman
On Wed, 2005-01-12 at 12:20, Iljitsch van Beijnum wrote: (Obviously the IGP metric will be different at the client, but the client doesn't see the other routes, so it can't make a different decision. The real fun starts when the next (intra-AS) hop isn't a reflector client and the packet

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Michael . Dillon
Ah right - let's go right back to the days of X-400 or possibly UUCP nodes I don't want to rejuvenate an old obsolete protocol. Or if this is something newer, well, that's yet another proposal to take to the IETF I don't want to develop a new protocol. This is solving a different

RE: Contact at Austrian Telecom - urgent

2005-01-12 Thread Steve Birnbaum
1. Did you try using inoc-dba to contact other Austrian providers like ACONET to ask them this question? Yes. They were very nice and saw the missed call (it was 2-3am at the time) the next morning and called me back. They gave me some information that confirmed what we'd been told

RE: Proper authentication model

2005-01-12 Thread Hannigan, Martin
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Iljitsch van Beijnum Sent: Wednesday, January 12, 2005 6:25 AM To: Gernot W. Schmied Cc: NANOG list Subject: Re: Proper authentication model On 12-jan-05, at 11:30, Gernot W. Schmied wrote:

Re: Proper authentication model

2005-01-12 Thread Joe Abley
On 12 Jan 2005, at 10:16, Hannigan, Martin wrote: If you have 3 sites and they're interconnected via an OC3 and the internet, you would also have 2 frame or ppp circuits separately connecting the terminal server network. You'd do the different path, different provider, etc. on these circuits. You

Re: Proper authentication model

2005-01-12 Thread Stephen Stuart
[...] 2) An OpenBSD bastion host(s), where the NOC would ssh in, get authenticated from TACACS+ or ssh certs, and then just telnet from there all day, [...] (and s/telnet/ssh as has been suggested already) 3) Or just an IOS based bastion router that also runs ssh, [...] When crafting

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Niels Bakker
for some reason people are unwilling to imagine an email system in which an ISP will only accept incoming messages from another ISP with which they have an existing agreement, i.e. rather like email peering. You say this as if it's surprising that people are willing to accept

fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 01:52:43PM +, [EMAIL PROTECTED] wrote: I think that a secure email infrastructure is a good thing to have, in and of itself. By secure, I mean one in which messages get to their destination reliably, i.e. not lost in some spam filter, and one in which a recipient

Re: Proper authentication model

2005-01-12 Thread Stephen Stuart
When crafting the ACL that restricts what source IP{,v6} addresses may ssh to the router, you may want to include each router's neighbors by both their loopback and any interface addresses that might source a packet (if your security policy permits it). I forgot a phrase: [that might source

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Michael . Dillon
Right now I have freedom of communication. In your vision I would hand all that over to my ISP for the benefit of giving complete control over who can communicate with me to them. Perhaps you could explain to me just how you currently manage to get port 25 packets delivered to your friends

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Chris Adams
Once upon a time, Steven Champeon [EMAIL PROTECTED] said: 7) all ISPs MUST act on ANY single abuse report (including being informed of infected customer machines, which MUST be removed from the Internet ASAP. No excuses) One problem I have with this one is people do forge reports, and

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 10:32:13AM -0600, Chris Adams wrote: Once upon a time, Steven Champeon [EMAIL PROTECTED] said: 7) all ISPs MUST act on ANY single abuse report (including being informed of infected customer machines, which MUST be removed from the Internet ASAP. No excuses)

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Eric Brunner-Williams in Portland Maine
4) all domains with invalid whois data MUST be deactivated (not confiscated, just temporarily removed ... All? Even those unpublished and therefore non-resolving? Sensible for the scoped-to-totality trademarks weenies who argue that the stringspace is a venue for dilution, whether the

Re: Proper authentication model

2005-01-12 Thread Joe Abley
On 12 Jan 2005, at 11:53, Hannigan, Martin wrote: You mean you'd *request* a different path from different providers. Provisioning a circuit from two different ^providers^, other than your OC3 provider. I realise that's what you meant. My point was that competing, differently-named and

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 12:55:06PM +, Eric Brunner-Williams in Portland Maine wrote: 4) all domains with invalid whois data MUST be deactivated (not confiscated, just temporarily removed ... All? Even those unpublished and therefore non-resolving? Sensible for the

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Niels Bakker
Right now I have freedom of communication. In your vision I would hand all that over to my ISP for the benefit of giving complete control over who can communicate with me to them. Perhaps you could explain to me just how you currently manage to get port 25 packets delivered to your

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Owen DeLong
Michael, Whether you like it or not, SPAM is the problem. There are legitimate uses of anonymous email. I, for one, think that a web of mail peering agreements would be detrimental to the situation, not helpful. Yes, people should have the option of authenticating emails they send, and, end

At the risk of being declared off topic

2005-01-12 Thread Owen DeLong
I realize that this is more of an IETF issue than a NANOG one, but, I'd like to find a couple of people with some protocol background and a strong operational background that would be interested in trying to see if we can come up with a way to develop a version of IP which did not require a flag

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Adi Linden
0) for the love of God, Montresor, just block port 25 outbound already. What is wrong with dedicating port 25 to server to server communication with some means of authentication (DNS?) to ensure that it is indeed a valid mail server. Mail clients should be using port 587 to submit messages to

True Multihoming solutions (Was: At the risk of being declared off topic)

2005-01-12 Thread Jeroen Massar
On Wed, 2005-01-12 at 10:26 -0800, Owen DeLong wrote: I realize that this is more of an IETF issue than a NANOG one, but, I'd like to find a couple of people with some protocol background and a strong operational background that would be interested in trying to see if we can come up with a way

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Owen DeLong
--On Wednesday, January 12, 2005 4:11 PM +0000 [EMAIL PROTECTED] wrote: Right now I have freedom of communication. In your vision I would hand all that over to my ISP for the benefit of giving complete control over who can communicate with me to them. Perhaps you could explain to me just how

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 01:49:53PM +, Eric Brunner-Williams in Portland Maine wrote: Why would it matter if you deactivated an unpublished/non-resolving domain? How do you deactivate an unpublished/non-resolving domain? You may borrow a registrar or registry hat if that is useful to

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 10:18:30AM -0800, Owen DeLong wrote: Michael, Whether you like it or not, SPAM is the problem. SPAM is a luncheon meat. UCE is one of the many problems, among the others being viruses/worms/trojans and their traffic (easily blocked by the proper upstream

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 12:41:44PM -0600, Adi Linden wrote: 0) for the love of God, Montresor, just block port 25 outbound already. What is wrong with dedicating port 25 to server to server communication with some means of authentication (DNS?) to ensure that it is indeed a valid mail

Re: Proper authentication model

2005-01-12 Thread Daniel Golding
On 1/12/05 8:46 AM, Erik Haagsman [EMAIL PROTECTED] wrote: On Wed, 2005-01-12 at 12:37, David Gethings wrote: On Wed, 2005-01-12 at 12:25 +0100, Iljitsch van Beijnum wrote: IPv6 is also very useful in providing non-IPv4 management. Well if we're offering protocols other than IP(v4) for OOB

Re: Proper authentication model

2005-01-12 Thread Daniel Golding
On 1/12/05 12:05 PM, Joe Abley [EMAIL PROTECTED] wrote: On 12 Jan 2005, at 11:53, Hannigan, Martin wrote: You mean you'd *request* a different path from different providers. Provisioning a circuit from two different ^providers^, other than your OC3 provider. I realise that's what

Re: At the risk of being declared off topic

2005-01-12 Thread Iljitsch van Beijnum
On 12-jan-05, at 19:26, Owen DeLong wrote: [...] I'm thinking along the lines of a new protocol which could look up an End System Identifier against a local server and receive a response which was a list of valid Routing Tags for that destination. Sort of a cross between DNS and ARP. I don't

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Eric Brunner-Williams in Portland Maine
Numerous (as in at least hundreds, probably more) of spam gangs are purchasing domains and burning through them in spam runs. In many cases, there's a pattern to them; in others, if there's a pattern, it's not clear to me what it might be. From my point of view, pattern is which registrars

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Eric Brunner-Williams in Portland Maine
I suppose it depends on how you define 'unpublished'; and how you define 'non-resolving'. Your opening remark was that policy foo must be applied to all domains. This doesn't accomplish anything for the set of domains that will never be published (registry reserved strings), nor those that

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 05:28:45PM +, Eric Brunner-Williams in Portland Maine wrote: All is too blunt a tool. So, then, when registering a domain, there should be a little checkbox saying I intend to abuse the Internet with this domain? It makes no sense to have a universal policy if it is

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Eric Brunner-Williams in Portland Maine
Why is it considered such a crazy proposition that domains should have valid and correct whois data associated with them? There is no relationship between data and function. The data is not necessary to implement function-based policy. Bah. You're saying that you're uninterested in discussing

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 04:24:42PM +, Eric Brunner-Williams in Portland Maine wrote: (quoting Anonymous): Numerous (as in at least hundreds, probably more) of spam gangs are purchasing domains and burning through them in spam runs. In many cases, there's a pattern to them; in others,

New IANA IPv6 allocation for RIPE NCC (2003:0000::/18)

2005-01-12 Thread Doug Barton
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, This is to inform you that the IANA has allocated the following one (1) IPv6 /18 block to RIPE NCC: 2003:0000::/18 RIPE NCC 12 Jan 05 For a full list of IANA IPv6 allocations please see:

RE: Proper authentication model

2005-01-12 Thread Steve Gibbard
On Wed, 12 Jan 2005, Hannigan, Martin wrote: Out of band management isn't telnetting from your desktop to the serial port. Mgmt and surveillance is the Bellcore standard for out of band. It means your M/S is not riding your customer or public networks, and it's physically separate. Yes,

Re: [eweek article] Window of anonymity when domain exists, whois not updated yet

2005-01-12 Thread Valdis . Kletnieks
On Wed, 12 Jan 2005 11:23:42 GMT, [EMAIL PROTECTED] said: I happen to believe that a web of email peering agreements is the best way to get us to the point where it is difficult for anyone to anonymously send email because they *MUST* relay it through an ISP who will not accept the email

RE: Proper authentication model

2005-01-12 Thread Hannigan, Martin
-Original Message- From: Steve Gibbard [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 12, 2005 5:35 PM To: Hannigan, Martin Cc: NANOG list Subject: RE: Proper authentication model On Wed, 12 Jan 2005, Hannigan, Martin wrote: [ snip ] Obviously, if you are the local

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Eric Brunner-Williams in Portland Maine
Taking your comment in reverse order. Or, alternately, you're simply saying that those who care about net abuse are shackled by ICANN's bylaws and therefore we can do nothing. I don't think you have a monopoly on care (or clue) about net abuse, but it is pretty clear that you're not tall

fixing the underlying causes of network abuse (was: Re: fixing insecure email infrastructure (etc.))

2005-01-12 Thread Steven Champeon
on Wed, Jan 12, 2005 at 07:49:59PM +, Eric Brunner-Williams in Portland Maine wrote: snip Thus far, all you've done is recycle the policy claim of the trademarks interests, a highly effective stakeholder and rational entity within ICANN, and the policy claim of the law enforcement

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread william(at)elan.net
On Wed, 12 Jan 2005, Steven Champeon wrote: In a sense, I am suggesting a similar reallocation of resources. Rather than put those resources into filtering spam, I'd suggest that we will get a better result by shifting the resources into mail relaying and managing mail peering

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Dave Crocker
On Wed, 12 Jan 2005 17:40:10 -0500, [EMAIL PROTECTED] wrote: 1) any legitimate mail source MUST have valid, functioning, non-generic rDNS indicating that it is a mail server or source. And how, exactly, does it indicate it's a mail server or source? In general, that's what dkeys/iim

Re: Proper authentication model

2005-01-12 Thread Hannigan, Martin
Think methodology, as least amount of failure points, less capex, to protect the sla, real or imagined. Bellcore/Telcordia guidelines for RBOC CO's are very suitable for datacenters/colo. Hybrids. --- Martin Hannigan [EMAIL PROTECTED] Verisign, Inc. -Original Message- From: [EMAIL

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Valdis . Kletnieks
On Wed, 12 Jan 2005 19:19:24 PST, Dave Crocker said: On Wed, 12 Jan 2005 17:40:10 -0500, [EMAIL PROTECTED] wrote: 1) any legitimate mail source MUST have valid, functioning, non-generic rDNS indicating that it is a mail server or source. And how, exactly, does it indicate it's a

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Suresh Ramasubramanian
On Wed, 12 Jan 2005 23:19:47 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, 12 Jan 2005 19:19:24 PST, Dave Crocker said: In general, that's what dkeys/iim and csv (and maybe spf) are attempting to provide. Yes, but he asked for a rDNS solution specifically... I think Steve

Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonymity when domain exists, whois not updated yet)

2005-01-12 Thread Steven Champeon
on Thu, Jan 13, 2005 at 10:25:18AM +0530, Suresh Ramasubramanian wrote: On Wed, 12 Jan 2005 23:19:47 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, 12 Jan 2005 19:19:24 PST, Dave Crocker said: In general, that's what dkeys/iim and csv (and maybe spf) are attempting to

Re: IBGP Question --- Router Reflector or iBGP Mesh

2005-01-12 Thread Alexei Roudnev
It is correct more or less (I prefer to say that RR reflects only the best routes... though I am not sure, is it theoretical limitation or just implementation - RR can in theory reflect ALL routes). Anyway, usual usage of RR is _RR on backbone, and clients in the branches_, which eliminate this