the equivalent of big 8 (big 2 now?) accounting firms,
and these certifications will be prerequisite to getting BGP set up.)
--
Paul Vixie
http://www.oisafety.org/ announced the GA version of guidelines for security
vulnerability reporting and response process, v1.0, whose URL is
http://www.oisafety.org/reference/process.pdf
this is asynchronous to the NIAC presentation jim duncan gave at the
last nanog, but it's
, because
there's so much inertia to be overcome (patents, false starts, etc) but it
seems to me that computers and networks, with all their cryptogoo and mega-
computrons, should be able to make the average human's privacy better --
but so far they've only succeeded in making it worse.
--
Paul Vixie
... but so far they've only succeeded in making it worse.
Computers are absolutely capable of this, but as with security in
general the problem lies with the people that are controlling what
they do...
i agree, but we may mean different things. most people have no control
over what their
adjacent to
o on the qwerty keyboard, or some other such problem.
--
Paul Vixie
took
the answer in that context, and I completely agree. Not so much that it's
what we are, that it's what they are fighting against.
But I moralize.
--
Paul Vixie
I'd estimate than less than a tenth of a percent (that's 0.1%) of
edge paths use RPF, even though BCP38 states the case clearly and the
technology makes it easy
Makes it easy if you live in an Internet with a number of routes
significantly less than the limit imposed for having stable RPF
We're losing the battle, aren't we?
no. a battle was held, but we didn't even show up. now the world is different.
listen up, you abusedeskers. if you aren't going to track spammers/abusers
WITHIN A FEW HOURS, don't bother, they're LONG GONE by that time. if you
want help from victims in keeping your network clean, READ THE COMPLAINTS.
if you want information intact by the time it reaches you, ACCEPT
foo.vix.com, no matter who the local dhcp server was configured by.
but when i went about removing this sick behaviour from isc dhcp, it turned
out that many people depend on dhcp to get the only dns search list they
ever have. the world seems very strange to me sometimes.
--
Paul Vixie
...are doing more to help spam than to stop it, in spite of themselves.
consider microsoft-yahoo-aol's big fad of the moment which is suing spammers
and blaming asia. the number one (#1) contributor to spam is open proxies
running on windows/xp, several of which are installed by default as side
gr.
telia has been on my list for 2.5 years now for this stuff.
let the public shaming begin, then.
four isp abusebots have rejected my complaints tonight because (gasp!)
i included a copy of the virus i was complaining about. cluestick please!
, implied consent, recourse, and standing.
so if ``someone'' writes this up, count me as a gratefulwilling reviewer.
--
Paul Vixie
[EMAIL PROTECTED] (Huopio Kauto) writes:
How about IODEF? Lots of CERT:s and company-internal abuse teams:s ticketing
systems are going to eat it with ease - if not now, soon.
please post a url so we can all take a look at the IODEF complaint format.
--
Paul Vixie
.
trustlessness is a lifestyle.
--
Paul Vixie
block SYN/ACK's on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.
--
Paul Vixie
It's a sucky world sometimes. Perhaps Paul complained to
ATT/other-unnamed-provider with logs and such? :)
oh yes. i tried *several* ways to get their attention. however, this
kind of activity is so common these days that a noc literally has no
choice but to focus their efforts on less common
it will be.
--
Paul Vixie
Should ISPs control what applications their customers can run?
frankly and truly, i would be satisfied if isp's wouldn't run outlook/exchange
in their noc/abuse departments, so that they could safely accept mime-mail
rather than bouncing it as their only means of keeping themselves virus-free.
therefore
3) why would anyone ever run outlook
i love outlook2003. no joke, i use it every day. whenever i get an
attachment that seems reasonable and i need to open it, i put it in the
folder that outlook can see, and i read it. i also share a calendar (in
three directions) using
/irresponsibility
and the people who sell/buy/deploy/whatever the technology that strips or
bounces mime attachments because of what they might contain should get a
clue.
--
Paul Vixie
the
steering wheel, and that no technological force will ever change that
fact. but that's not an excuse to design a car without brakes and then
use monopoly power to put other carmakers out of business.
--
Paul Vixie
/whatever.
--
Paul Vixie
(*) best could mean lowest time to last byte, lowest latency for first
byte, lowest average latency for all segments, largest tcp window size,
fewest likely retime/retransmit events; and could be file size dependent
since a satellite connection will probably win on large files
check for updates and issue local mail is appealing, but
i'm more concerned about MIM when fetching update information than i am with
simply registering package version numbers, hosts, and e-mail addresses.
--
Paul Vixie
in addition to many public comments (cc'd to nanog or just sent there),
i received a number of private replies. here's a representative sample:
problem is if the default is off you will probably not catch the
clueless folk that you want to target, better would be default on and
the clueful
scruz.net
X-Original-To: [EMAIL PROTECTED]
From: Gio Sico [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: I need help finding SAN-FRANCISCO.CA.US Registrar
Date:
[EMAIL PROTECTED] (Martin Hannigan) writes:
I applaud RBL, spamcop, etc., but without funding and consolidation, it's
another waste of offensive time that could be spent on a far more
effective defense.
i had no idea that MAPS was unfunded. do tell.
--
Paul Vixie
.
--
Paul Vixie
For the past 15 months, NJABL has reactively tested systems that have
connected to participating SMTP servers to see if those systems are open
relays. ...
We do not consider what NJABL does abuse, ...
Jon,
If they are indeed only testing systems who connect to them, it's not
abuse,
i realize now that i may have misread my IDS reports from the scanning
i received from jon's blackhole list a few months ago, and that i have
no basis for my claim that he scanned every address i own. --paul
prober in asia right now who actually *is* an ISP, though, and so,
there's really no basis for discussion.
--
Paul Vixie
path to always have enough capacity makes planning crunchy.
(which sounds like the same thing as quoted above, but really isn't.)
--
Paul Vixie
Deal Enables ISC to Mirror DNS Root Server in Additional U.S. Locations
http://biz.yahoo.com/bw/030210/102340_1.html
Homogeneous, in this context, does not mean similar platform
connectivity, but nodes with same degree connecting to each
other.
Ah, that makes it more clear. So a full mesh would be better? ;-)
no, fine grained peering would be better.
--
Paul Vixie
.
--
Paul Vixie
What do you think of OpenBSD still installing BIND4 as part of the
default base system and recommended as secure by the OpenBSD FAQ ?
(See Section 6.8.3 in http://www.openbsd.org/faq/faq6.html#DNS )
i think that bind4 was relatively easy for them to do a format string
audit on, and that
scale code review one gets from open source software engineering
is only a marginal solution to monocultural weakness vectors.
--
Paul Vixie
by any vendor, so
I'm not intending to pick on Extreme individually here.)
--
Paul Vixie
pulled out of AMS-IX in protest (and in fear). however, if the
expansion was intra-metro, then i must be confused, because KQ's major
source of bandwidth revenue should have been inter-metro not intra-metro.
--
Paul Vixie
to be a complete joke
for peering for any number of reasons.
before any of you argue further, please carefully define your terminology so
the rest of us will know how to fill out our scorecards.
--
Paul Vixie
.
to that end :-), something is happening with a DNS ISAC. (more later.)
--
Paul Vixie
.
--
Paul Vixie
bears directly on your top-line revenue.
--
Paul Vixie
Similarly to peering, a base amount is required to make this crazy
thing we all run work. As we've seen with companies like PSI, those
who terminate, or lose significant peering generally end up dead.
no part of worldcom's failure traces to uunet's decision to restrict
their peering back in
Is it just me or does all this make Internap's Business model look
really good?
i think it's just you.
wow, break bind in a new and horrid way to accomplish this task :) Nice...
perhaps mr. vixie will add this functionality for us?
patches welcomed.
--
Paul Vixie
The perceived money on the table frequently doesn't exist and attempts
to get it may produce the opposite result.
well, yeah, sure, but...
* Who they shift the traffic to may be your competitor.
...at least you know they are paying SOMEBODY, thus supporting the market
you want to be in.
... if everybody who could peer in N places worldwide could just get
peering, then all kinds of per-bit revenue for high tier network
owners would turn into per-port revenue for exchange point
operators. ...
Well, I think as a local operator you can not expect to be able to
peer with
or otherwise; rather, it's about not leaving money on
the table.
--
Paul Vixie
:28.731864+00
2002-12-05 02:39:01.039261+00
2002-12-06 13:34:01.304566+00
2002-12-06 19:18:16.930703+00
2002-12-06 19:27:04.795367+00
2002-12-06 19:36:18.116943+00
2002-12-06 20:13:11.24717+00
2002-12-06 20:21:55.262627+00
2002-12-07 16:22:00.914884+00
(398 rows)
--
Paul Vixie
, and we were very proud of it.)
--
Paul Vixie
more about PAIX-ATL1's
likely future under their ownership.
paul
re:
speaking of paix, for those of you in atlanta (ietf) this week, i'm
going to do a couple of site walkthroughs. send me e-mail if interested.
--
Paul Vixie
in the last few months since i most recently cleared out the database,
my test network (a defunct /16) has received 3.8M http transactions
containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:
srcaddr | count |first|
http://www.businesswire.com/cgi-bin/f_headline.cgi?day0/223210010ticker=
--
Paul Vixie
I'm putting the number closer to 40 (the NFL cities) right now, and
150 by the end of the decade, and ultimately any metro with population
greater than 50K in a 100 sq Km area will need a neutral exchange point
(even if it's 1500 sqft in the bottom of a bank building.)
What application
of the decade, and ultimately any metro with population
greater than 50K in a 100 sq Km area will need a neutral exchange point
(even if it's 1500 sqft in the bottom of a bank building.)
--
Paul Vixie
1 - Connection Taxonomy
1.1. The Internet is a network of networks, where the component
networks are called Autonomous Systems (AS), each having a unique AS
Number (ASN).
Even if this reflects the original intent of ASNs, it certainly does not fit
current reality.
it is
tradition,
nonexistent.
--
Paul Vixie
server operators are, http://root-servers.org/ has a list. valdis writes:
And remember - Paul Vixie has shown that 10% of the inbound traffic at
c.root-server.net is bogus rfc1918 sourced. Making the addresses public
will serve as a DDoS vector against the root operators
moreover, duane
Source address validation, or more generally anti-spoofing filters, do
not require providers maintain logs, perform content inspection or
install firewalls. But source address validation won't stop attacks,
viruses, child porn, terrorists, gambling, music sharing or any other
evil that
-sides? Sure. But who really needs the end-to-end
principle or uncontrolled innovation.
i can see how the end to end principle applies in cases 2 and 3, but not 1.
--
Paul Vixie
1. Require all providers install and manage firewalls on all subscriber
connections enforcing source address validation.
i can see how the end to end principle applies in cases 2 and 3, but not 1.
I didn't make any of these up. They've all been proposed by serious,
well-meaning
not just the bad people. all the people. a network with 2 or 3 in place
is useless. there is no way to make 2 or 3 happen.
As part of their anti-spam efforts, several providers block SMTP port
25, and force their subscribers to only use that provider's SMTP
relay/proxy to send mail.
(Okay Paul - here's your chance to rant about how badly they misquoted
you! Grin)
I think it's clear that editors were involved.
--
Paul Vixie
[EMAIL PROTECTED] (Sean Donelan) writes:
Best guess, it's a smurf attack. Networks which still have ip
directed-broadcast (or your vendor's equivalent) enabled on interfaces.
It's still amazing how much traffic it can generate.
however, this attack was icmp request, not icmp reply.
--
Paul
i wrote:
transit prices have been in free fall, and worldcom has not been
following them downward. however, after the cleansing ritual of
chapter 11, i think they will be in a fine position to reset their
per-megabit charges in ways that make them a compelling transit
provider. their
someone wrote, in response to my piece this morning...
Can you explain more about why you think transit prices will return to
the $200-$300/mbps. I've been quoted $40/mbps on a 50mbps commit
(95th%) ... which I think is pretty much as low as it's going to get.
I can understand prices going
How do you compute CGS on a network that is 25% utilized?
bad
Is it expenses/current utilization or expenses/maximum capacity?
i want to be in a situation where i owe income taxes. so it's all
about costs vs. sales.
I think a lot of the low-ball pricing that is in the market is the
ritual of chapter 11, i think
they will be in a fine position to reset their per-megabit charges in ways
that make them a compelling transit provider. their network's been great.
--
Paul Vixie
no idea this was generally thought to be so complicated.
--
Paul Vixie
yesterday, but I asked that it not be filtered anywhere except C-root itself
(where I can measure it) or distant source-AS's (which is where it makes
sense.)
--
Paul Vixie
Just out of interest how do you co-ordinate use of RFC 1918 addresses
and routes amongst your customers? Do you run a registry for them, or
do you just let them fight it out and the one with the biggest packets
wins or something like that?
there's a registry. we also maintain IN-ADDR
reports of equinix's demise appear to have been grossly premature. see
http://biz.yahoo.com/bw/021002/20088_1.html, whose title is something like:
Equinix Gains Strategic Investment From Singapore Technologies Telemedia
and Creates the Largest Global Network Neutral Internet Exchange
I have heard that the new paix switch will be attached [to laap] as well.
But only rumored not sure if its true.
it's true. there was a launch party recently when the paix switch was
announced for 1 wilshire, and laap was absolutely mentioned along with
the words just like seattle with
Plenty of asian isp's in los angeles for Quite a while now.
there also seems to be a PAIX switch inside 1 Wilshire now. (mfn's chap.11
filing having sawn off any hope we had of opening PAIX-LA.)
--
Paul Vixie
Does anyone have any comments (good or bad) about Cognet as a transit
provider in New York?
No. But we (ISC) are using them in San Francisco (at 200 Paul Street) and
they've been fine.
--
Paul Vixie
One of the basic problems with discussions about spam control is that it
focuses entirely on spam. Blocking output SMTP from individual dial-ups
has a serious negative consequence:
Laptop mobile users cannot use their home SMTP server.
in the business, we call this tough
, and require them to do
likewise?
and if not, why not, and how long do you think it's going to take before
we use economic methods to solve this scourge?
--
Paul Vixie
.procmailrc is not for sale, so go make your own.)
in the general case, we let this happen because there is no procedure for
excluding folks from the list on any basis, including insulting.
--
Paul Vixie
to the need.
--
Paul Vixie
and/or for some brief instant. see the DCC
for an example (http://dcc.rhyolite.com/) of how to build and apply that
leverage. (i'm not giving the reference to vipul's razor because i said
millions.)
--
Paul Vixie
on those very other lists i mentioned -- but to
demonstrate that the most powerful force on the internet is someone who
says something won't work. thank y'all for your help in the demonstration.
--
Paul Vixie
[EMAIL PROTECTED] (Paul Vixie) writes:
whenever you get spammed, it's because some isp somewhere is a slacker,
what i meant to say was whenever you're getting repeat spam from the same
place, day after week after month, it's because some isp somewhere is a
slacker. any given isp can
In the fullness of time, the universe itself will die of heat. So what?
How come this makes me want to raise the issue of our immortal souls?
spammers have souls?
So for example saying this or that filter appears to have repelled 1M
spam msgs per day doesn't really prove much unless
... (http://dcc.rhyolite.com/) ...
Indeed, that is a cool idea. I definitely want to look into
that a lot more closely. Perhaps we can combine this with deep
blacklist checking (beyond just the first hop), tagging, and Bayesian
content filtering. Perhaps then we will have a
names are not the
subject of http://www.vix.com/~vixie/mailfrom.txt; rather, i'm
trying to address the issue of spammers who lie about _existing_
source/return domain names.
--
Paul Vixie
simple things is blocking outbound TCP/25, then I
hope you have alternatives including changing ISP's...
...but if you don't, then it's between you and your ISP, and best of luck.
--
Paul Vixie
professional (and pretty public.)
--
Paul Vixie
If this function of your ISP costs less than 1 FTE per 10,000
dialups or 1,000 T1's or 100 T3's, then your ISP is a slacker and
probably a magnet for professional spammers as well.
... you're offering very definitive figures/labeling, and I'm curious
as to what you are basing your
the example that appears in the rfc. the only
users i'm aware of are Microsoft and Apple for their respective service
discovery systems, and MIT Kerberos iff your domain name and your realm name
are the same.
--
Paul Vixie
technical reason to keep the number of ultimately trusted keys
small. (verisign/thawte may feel that there are compelling business reasons,
however.)
--
Paul Vixie
and
receivers can detect forged source/return addresses in e-mail.
--
Paul Vixie
Speaking of paix's and locations, I know the mfn filings have held up
progress but I wondered and maybe others on this list wonder what the
status of the paix nyiix interconnection might be?
until mfn finishes selling paix, there will likely be no progress on this.
myself. This is not
the same topic. I want to know what the homeland security department is
likely to do about all this, not what is good/bad for the citizens of
hostile nations or even nonhostile nations.)
--
Paul Vixie
after six reports that 192.5.5.241's address has been forged as the source
of a tcp fragmented scan probe, i'm ready to have it stop. but just in
case it doesn't, this is fair warning to the community: F's address is in
unlawful use by as-yet-unidentified third parties.
re:
--- Forwarded
How about [EMAIL PROTECTED]?
Wasn't this set up for this very purpose?
Nobody goes there any more, it's too crowded.
--
Paul Vixie
I suppose the discussion is what do you want from your exchange pt
operator and what do you NOT want.
At the IXP level, bits per month always trumps bits per second,
and usually trumps pennies per bit as well. There are now a number
of companies trying to sell wide area ethernet -- even
misunderstand.
--
Paul Vixie
measured in months or years, then when
it does fail the failure is likely to be *in* the extra complexity you added.
--
Paul Vixie