Re: rack power question

2008-03-26 Thread Petri Helenius
Paul Vixie wrote: aside from the corrosive nature of the salt and other minerals, there is an unbelievable maze of permits from various layers of government since there's a protected marshland as well as habitat restoration within a few miles. i think it's safe to say that Sun Quentin could

Re: rack power question

2008-03-26 Thread Petri Helenius
Dorn Hetzel wrote: I believe some of the calculations for hole/trench sizing per ton used for geothermal exchange heating/cooling applications rely on the seasonal nature of heating/cooling. I have heard that if you either heat or cool on a continuous permanent basis, year-round, then you

Re: rack power question

2008-03-25 Thread Petri Helenius
Paul Vixie wrote: this is a strict business decision involving sustainability and TCO. if it takes one watt of mechanical to transfer heat away from every watt delivered, whereas ambient air with good-enough filtration will let one watt of roof fan transfer the heat away from five delivered

Re: IPv6 on SOHO routers?

2008-03-13 Thread Petri Helenius
Mohacsi Janos wrote: On Thu, 13 Mar 2008, Matthew Moyle-Croft wrote: Actually Cisco 850 series does not support IPv6, only 870 series. We tested earlier cisco models also: 830 series has ipv6 support. My colleague tested NetScreen routers: apart for the smallest devices they have

Re: IPv6 on SOHO routers?

2008-03-13 Thread Petri Helenius
Michael K. Smith - Adhost wrote: It's not that bad. You can attach a v6 address to the 802.11 interface and the FastEthernet interface, but you can't put one on a BVI which means you need two /64's if you want v6 on wireless and wired. That workaround does not work on the models with the

Re: [funsec] The Great IPv6 experiment (fwd)

2007-09-04 Thread Petri Helenius
Gadi Evron wrote: I am unsure what to say. The idea is quite old and I'm happy to see that what started and continued as a joke is actually being tried out to see if it would really work. Hope they get it up and running soon. Pete -- Forwarded message -- Date: Tue, 04

Re: An Internet IPv6 Transition Plan

2007-07-29 Thread Petri Helenius
Stephen Wilcox wrote: Now, if you suddenly charge $2.50/mo to have a public IP or $15/mo for a /28 it does become a consideration to the customer as to if they _REALLY_ need it Where would this money go to? Pete

Re: IPv6 Training?

2007-06-03 Thread Petri Helenius
[EMAIL PROTECTED] wrote: Alex Rubenstein writes: Does anyone know of any good IPv6 training resources (classroom, or self-guided)? If your router vendor supports IPv6 (surprisingly, many do!): Too bad the IPv6 support on the low-end Ciscos is mostly broken in many ways (does not

Re: NANOG 40 agenda posted

2007-06-02 Thread Petri Helenius
Paul Vixie wrote: i wish that the community had the means to do revenue sharing with such folks. carrying someone else's TE routes is a global cost for a point benefit. There are lessons to be learned from the CO2 emissions trade industry. I don't think it's really any different since the

Re: 1500 does not work: Thoughts on increasing MTUs on the internet

2007-04-15 Thread Petri Helenius
Marshall Eubanks wrote: Dear Pete; The streaming servers that I have dealt with (such as Darwin Streaming Server) do the fragmentation at the application layer. They thus send out lots of packets at or near (in this case) 1450 bytes, but they are not UDP fragments. That's the whole point -

Re: 1500 does not work: Thoughts on increasing MTUs on the internet

2007-04-14 Thread Petri Helenius
Marshall Eubanks wrote: I advise people doing streaming to not use MTU's larger than ~1450 for these sorts of reasons. The unfortunate side-effect of that is that most prominent streaming apps (don't know about Youtube though) then send fragmented UDP packets which leads to reassembly

Re: On-going Internet Emergency and Domain Names

2007-03-31 Thread Petri Helenius
Mattias Ahnberg wrote: They will adapt to any change like this we would try to do. The only real way to attempt to stop this is lobbying for legislation, nailing people for what we see around us and the damage they cause us and to make it risky business rather than the piece of cake it is

Re: On-going Internet Emergency and Domain Names

2007-03-31 Thread Petri Helenius
Gadi Evron wrote: Thing is, the problem IS in the core. DNS is no longer just being abused, it is pretty much an abuse infrastructure. That needs to be fixed if security operations on the Internet at their current effectiveness (which is low as it is) are to be maintained past Q4 2007-Q2 2008.

Re: On-going Internet Emergency and Domain Names (kill this thread)

2007-03-31 Thread Petri Helenius
Jeff Shultz wrote: We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run). Does that sound about right? If you drain the swamp the hippos will be very angry and run at you.

Re: botnets: web servers, end-systems and Vint Cerf

2007-02-16 Thread Petri Helenius
J. Oquendo wrote: After all these years, I'm still surprised a consortium of ISP's haven't figured out a way to do something a-la Packet Fence for their clients where - whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how

Re: Google wants to be your Internet

2007-01-21 Thread Petri Helenius
Lucy Lynch wrote: sensor nets anyone? On that subject, the current IP protocols are quite bad on delivering asynchronous notifications to large audiences. Is anyone aware of developments or research toward making this work better? (overlays, multicast, etc.) Pete research

Re: Network end users to pull down 2 gigabytes a day, continuously?

2007-01-21 Thread Petri Helenius
Gian Constantine wrote: I agree with you. From a consumer standpoint, a trickle or off-peak download model is the ideal low-impact solution to content delivery. And absolutely, a 500GB drive would almost be overkill on space for disposable content encoded in H.264. Excellent SD (480i)

Re: Network end users to pull down 2 gigabytes a day, continuously?

2007-01-21 Thread Petri Helenius
Joe Abley wrote: If anybody has tried this, I'd be interested to hear whether on-net clients actually take advantage of the local monster seed, or whether they persist in pulling data from elsewhere. The local seed would serve bulk of the data because as soon as a piece is served from it,

Re: Network end users to pull down 2 gigabytes a day, continuously?

2007-01-10 Thread Petri Helenius
Marshall Eubanks wrote: Actually, this is true with unicast as well. This can (I think) largely be handled by a fairly moderate amount of Forward Error Correction. Regards Marshall Before streaming meant HTTP-like protocols over port 80 and UDP was actually used, we did some experiments

Re: Network end users to pull down 2 gigabytes a day, continuously?

2007-01-09 Thread Petri Helenius
Sean Donelan wrote: 1/2, 1/3, etc the bandwidth for each additional viewer of the same stream? The worst case for a multicast stream is the same as the unicast stream, but the unicast stream is always the worst case. However unicast stream does not require state in the intermediate boxes

Re: Security of National Infrastructure

2006-12-29 Thread Petri Helenius
Jerry Pasker wrote: It is the way it is, because the internet works when it's open by default, and closed off carefully. (blacklists, and the such) Would email have ever taken off if it were based on white lists of approved domains and or senders? Sure, it might make email better NOW

Re: DNS - connection limit (without any extra hardware)

2006-12-08 Thread Petri Helenius
Geo. wrote: I know this is kind of a crazy idea but how about making cleaning up all these infected machines the priority as a solution instead of defending your dns from your infected clients. They not only affect you, they affect the rest of us so why should we give you a solution to your

Re: DNS - connection limit (without any extra hardware)

2006-12-08 Thread Petri Helenius
Aaron Glenn wrote: On 12/8/06, Petri Helenius [EMAIL PROTECTED] wrote: Has anyone figured out a remote but lawful way to repair zombie machines? sure, null route the customer until they clean their hosts up My question was specifically directed towards zombies that are not local

Re: The IESG Approved the Expansion of the AS Number Registry

2006-12-01 Thread Petri Helenius
Etaoin Shrdlu wrote: This is an excellent idea, but please do not select the first block after 16 bit numbers are up (can you say buffer overflow?). Something random, in the middle, would be better. 2752512-2818047 ? Pete

Re: Boeing's Connexion announcement

2006-10-14 Thread Petri Helenius
Robert E.Seastrom wrote: Fascinating... of course, you can see where the confusion came from, particularly given the source of some of the components and the fact that they're not actually committed until they get the orders (hence, no satellite capacity online _today_). Thanks for the

Re: Why is RFC1918 space in public DNS evil?

2006-09-18 Thread Petri Helenius
Matthew Palmer wrote: I've been directed to put all of the internal hosts and such into the public DNS zone for a client. My typical policy is to have a subdomain of the zone served internally, and leave only the publicly-reachable hosts in the public zone. But this client, having a large

Re: mitigating botnet CCs has become useless

2006-08-09 Thread Petri Helenius
Arjan Hulsebos wrote: The ones who've been mugged don't start mugging other people, infected PCs will infect other PCs. That's the difference, and that's why an ISP should do something about that. Although it may be out of fashion, I'd like to see good netizenship. SPAM as other types of abuse

Re: WSJ: Big tech firms seeking power

2006-06-16 Thread Petri Helenius
David Lesher wrote: I don't know the area; but gather it's hydro territory? How about water-source heat pumps? It's lots easier to cool 25C air into say 10-15C water than into 30C outside air. Open loop water source systems do have their issues [algae, etc] but can save a lot of power

Re: Geo location to IP mapping

2006-05-16 Thread Petri Helenius
Edward B. DREGER wrote: Since when does the NSA patent things, anyhow? I'd think they would keep secret anything that's actually effective. They are handing out technology transfer program leaflets in tradeshows now. Pete

Re: is this like a peering war somehow?

2006-01-22 Thread Petri Helenius
[EMAIL PROTECTED] wrote: And if you are spending the extra money to implement preferential treatment, can you be sure that there is a market willing to pay extra for this? And the real question is if the money is better spent on implementing preferential treatment or upgrading the

Re: trollage (Re: Akamai server reliability)

2005-11-28 Thread Petri Helenius
Chris Owen wrote: It isn't just that they are wasting my time. They are also wasting their own time. It's the overall lack of efficiency that bothers me ;-] Don't worry, it won't take long until google parks their datacenter-in-a-container outside at the fiber junction and the content

Re: [Misc][Rant] Internet router (straying slightly OT)

2005-10-01 Thread Petri Helenius
Per Gregers Bilse wrote: Life begins with ARP. I would have to argue that for majority of things connected to IP networks, life begins with DHCPDISCOVER. Pete

Re: Weird DNS issues for domains

2005-09-29 Thread Petri Helenius
John Dupuy wrote: If you are talking about strictly http, then you are probably right. If you are hosting any email, then this isn't the case. A live DNS but dead mail server will cause your mail to queue up for a later resend on the originating mail servers. A dead DNS will cause the mail

Re: Turkey has switched Root-Servers

2005-09-27 Thread Petri Helenius
Christopher L. Morrow wrote: So, I think I'm off the crazy-pills recently... Why is it again that folks want to balkanize the Internet like this? Why would you intentionally put your customer base into this situation? If you are going to do this, why not just drop random packets to 'bad'

Re: Tools classifying network traffic to applications

2005-09-23 Thread Petri Helenius
Joe Shen wrote: It seems to focus on P2P application. Is there tool to support applications as more as possible( include p2p, voip, web, ftp, network game, etc. ) The emphasis on p2p is mainly due to the usual questions focusing on them. Obviously the more traditional protocols like

Re: Tools classifying network traffic to applications

2005-09-22 Thread Petri Helenius
Christopher L. Morrow wrote: which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from http over tcp/80... I think Joe's looking for something that knows what protocols look like below the port number and can spit out numbers for that... these, it would seem to me, would all

Re: commonly blocked ISP ports

2005-09-15 Thread Petri Helenius
Kim Onnel wrote: 80 deny udp any any eq 1026 (3481591 matches) This will make one out of 4000 of your udp sessions to fail with older stacks which have high ports from 1024 to ~5000. Pete

Re: 12/8 problems?

2005-09-09 Thread Petri Helenius
Drew Linsalata wrote: Richard A Steenbergen wrote: $10 says someone forgot ip classless. Is there a valid argument for making ip classless the default in the IOS? Seems to me that it would only solve problems, but I don't profess to be a routing guru, especially in comparison to folks

Re: Replacing PSTN with VoIP wise? Was Re: Phone networks struggle in Hurricane Katrina's wake

2005-09-03 Thread Petri Helenius
[EMAIL PROTECTED] wrote: A similar problem would be created if a web server relied on DNS that was only hosted on servers in New Orleans. Do you (or somebody) know of recent numbers of what percentage of domains have all their DNS servers in; a) same subnet b) same AS c) same

Re: P2P Darknets to eclipse bandwidth management?

2005-09-01 Thread Petri Helenius
Fergie (Paul Ferguson) wrote: Overlooking the point that this kind of smells like a pitch for Staselog, I'd be curious to hear if this is an issue on ISP bandwidth management radar... or already is... I've been asked this question repeatedly almost as long as we've had the traffic

Re: Replacing PSTN with VoIP wise? Was Re: Phone networks struggle in Hurricane Katrina's wake

2005-08-31 Thread Petri Helenius
[EMAIL PROTECTED] wrote: It's clearly possible to find telco engineers with 5/10/15 years experience in running PSTN (might even find somebody with 40-50 years? :). It's possible to find network engineers with lots of BGP experience. Where do you find a senior engineer with 5+ years

Re: Question about propagation and queuing delays

2005-08-22 Thread Petri Helenius
David Hagel wrote: This is interesting. This may sound like a naive question. But if queuing delays are so insignificant in comparison to other fixed delay components then what does it say about the usefulness of all the extensive techniques for queue management and congestion control

Re: Question about propagation and queuing delays

2005-08-22 Thread Petri Helenius
Tony Finch wrote: TCP performs much better if queueing delays are short, because that means it gets feedback from packet drops more promptly, and its RTT measurements are more accurate so the retransmission timeout doesn't get artificially inflated. Sure, but sending speculative duplicate

Re: zotob - blocking tcp/445

2005-08-17 Thread Petri Helenius
Daniel Senie wrote: One of the dangers is more and more stuff is being shoved over a limited set of ports. There are VPNs being built over SSL and HTTP to help bypass firewall rule restrictions. At some point we end up with another protocol demux layer, and a non-standard one at that if we

Re: zotob - blocking tcp/445

2005-08-16 Thread Petri Helenius
Joe Maimon wrote: This is network self preservation. Otherwise the garbage will eventually suffocate us all. It's like cancer initially was treated with drugs and equipment which did serious damage to the whole body, killing many in the process and today the methods are much more

Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Petri Helenius
[EMAIL PROTECTED] wrote: Then you'll have to conclude that a lot of managed switches are insecure since they include some form of packet mirroring capability. Not to mention most of the routers. They usually can make the copies to an IP tunnel also. Pete

Re: /8 end user assignment?

2005-08-06 Thread Petri Helenius
Christopher L. Morrow wrote: This argument we (mci/uunet) used/use as well: not enough demand to do any v6, put at bottom of list... (until recently at least it still flew as an answer) How would you know if you had demand? how would you know if people who had dualstack systems were trying to

Re: /8 end user assignment?

2005-08-05 Thread Petri Helenius
Daniel Roesen wrote: I would guesstimate about 8 Terabyte per day, judging from the traffic I saw towards a virgin /21 (1 GByte per day). /18 attracts 19kbps on average, with day averages between 5 and 37 kilobits per second. That would translate to only 50 to 400 megabytes a day. So

Re: Cisco gate - Payload Versus Vector

2005-08-03 Thread Petri Helenius
Randy Bush wrote: very helpful analysis. some questions: mrai stiffle that? could it be used to cascade to a neighbor? i suppose that diverting the just the right 15-30 seconds of traffic could be profitable. More recent hardware allows you to take copies of packets and push them down

Re: Traffic to our customer's address(126.0.0.0/8) seems blocked by packet filter

2005-08-03 Thread Petri Helenius
Randy Bush wrote: You can ping to 126.66.0.30/8. and how does one ping a /8? Most trojans for zombie networks provide this functionality. Connect to your favourite CC server and issue; .advscan ping 42 2 64 126.X.X.X (this will ping the address space with 42 threads, using two

Re: Cisco and the tobacco industry

2005-07-31 Thread Petri Helenius
C. Jon Larsen wrote: It was supposed to be a complete ground up re-write in an OO language and it would have the ability to link new modules or shared objects in at run time, and it would unify the existing router (25xx / 4[57]xx / 75xx) family with the Grand Junction acquisition - the

Re: as numbers

2005-07-31 Thread Petri Helenius
[EMAIL PROTECTED] wrote: nice... so one or more of the RIRs should ask the IANA for a delegation in the 4byte space and let a few brave souls run such a trap. The IETF has a proces for running such experiments that could be applied here. should I write it up

Re: Cisco IOS Exploit Cover Up

2005-07-30 Thread Petri Helenius
Stephen Fulton wrote: That assumes that the worm must discover exploitable hosts. What if those hosts have already been identified through other means previously? A nation, terrorist or criminal with the means could very well compile a relatively accurate database and use such a worm

Re: Provider-based DDoS Protection Services

2005-07-29 Thread Petri Helenius
Suresh Ramasubramanian wrote: Not allowing your users to run eggdrop or other irc bots on the shells you give them, and generally not hosting irc stuff would definitely help there. Filtering anything else than port 80 and maybe 53 would allow them to experience the Internet in safe and

Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Petri Helenius
Buhrmaster, Gary wrote: The *best* exploit is the one alluded to in the presentation. Overwrite the nvram/firmware to prevent booting (or, perhaps, adjust the voltages to damaging levels and do a smoke test). If you could do it to all GSR linecards, think of the RMA costs to Cisco (not to

Re: London incidents

2005-07-12 Thread Petri Helenius
Francesco Usseglio Gaudi wrote: My little experience is that cell phones are in the most of cases nearly congestion: a simple crowd of people calling all together can shut down or delay every calls and sms GSM networks running TFR or EFR audio codecs have 8 timeslots on a cell. Usual

Re: OMB: IPv6 by June 2008

2005-07-08 Thread Petri Helenius
Randy Bush wrote: Is it a problem keeping 500,000 routes in core routers? Of course, it is not (it was in 1996, but it is not in 2005 really? we have not seen this so how do you know? and it will be fine with churn and pushing 300k forwarding entries into the fibs on a well-known

Re: mh (RE: OMB: IPv6 by June 2008)

2005-07-07 Thread Petri Helenius
Crist Clark wrote: And the counter point to that argument is that the sparse population of IPv6 space will make systematic scanning by worms an ineffective means of propagation. And by connecting to one of the p2p overlay networks you'll have a few million in-use addresses momentarily.

Re: OMB: IPv6 by June 2008

2005-07-03 Thread Petri Helenius
Peter Dambier wrote: David Conrad wrote: The good thing with IPv6 is autoconfiguration. There is no need to renumber. With the radvd daemon running your box builds its own ip as soon as you plug it in. If your box is allowed then give it a global address from the radvd. Your box does not

Re: OMB: IPv6 by June 2008

2005-07-03 Thread Petri Helenius
Jay R. Ashworth wrote: Well, with all due respect, of *course* there isn't any 'killer site' that is v6 only yet: the only motivation to do so at the moment, given the proportion of v4 to v6 end-users, is *specifically* to drive v4 to v6 conversion at the end-user level. We need either one

Re: ATM (with the answer!!!)

2005-07-02 Thread Petri Helenius
Mikael Abrahamsson wrote: On Sat, 2 Jul 2005, John L Lee wrote: With routers you will need to turn buffering off and you will still have propagation in the double to triple milli-seconds range with jitter in the multi milli-seconds range. Please elaborate why a router would have

Re: Fundamental changes to Internet architecture

2005-07-01 Thread Petri Helenius
Fergie (Paul Ferguson) wrote: Yeah, I saw that... With all respect to Dave, and not to sound too skeptical, but we're pretty far along in our current architecture to fundamentally change, don't you think (emphasis on fundamentally)? Most of the routing and security issues on today's

Re: OMB: IPv6 by June 2008

2005-07-01 Thread Petri Helenius
Stephen Sprunk wrote: What this really does is change the detection method. Instead of scanning randomly, you sit and watch what other IP addresses the local host communicates with (on- and off-subnet), and attack each of them. How many degrees of separation are there really between any two

Re: ATM

2005-06-29 Thread Petri Helenius
Philip Lavine wrote: I plan to design a hub and spoke WAN using ATM. The data traversing the WAN is US equities market data. Market data can be in two flavors multicast and TCP client/server. Another facet of market data is it is bursty in nature and is very sensitive to packet loss and

Re: Email peering

2005-06-21 Thread Petri Helenius
Rich Kulawiec wrote: The best place to stop abuse is as near its source as possible. Meaning: it's far easier for network X to stop abuse from leaving its network than it is for 100,000 other networks to defend themselves from it. Especially since techniques for doing so (for instance,

Re: Email peering (Was: Economics of SPAM [Was: Micorsoft's Sender IDAuthentication......?]

2005-06-18 Thread Petri Helenius
[EMAIL PROTECTED] wrote: Today, if Joe Business gets lots of spam, it is not his ISP's responsibility. He has no-one to take responsibility for this problem off his hands. But if he only accepts incoming email through an operator who is part of the email peering network, he knows that

Re: Outage queries and notices (was Re: GBLX congestion in Dallas area)

2005-06-08 Thread Petri Helenius
Jay R. Ashworth wrote: The Internet needs a PA system. There is this sparsely deployed technology called multicast which would work for this application. Pete

Re: Outage queries and notices (was Re: GBLX congestion in Dallas area)

2005-06-08 Thread Petri Helenius
Jay R. Ashworth wrote: On Wed, Jun 08, 2005 at 09:22:02PM +0300, Petri Helenius wrote: Jay R. Ashworth wrote: The Internet needs a PA system. There is this sparsely deployed technology called multicast which would work for this application. Well, that's fine

Re: Google DNS problems?!?

2005-05-08 Thread Petri Helenius
Suresh Ramasubramanian wrote: On 5/8/05, aljuhani [EMAIL PROTECTED] wrote: Well I am not a DNS expert but why Google have the primary gmail MX record without load balancing and all secondaries are sharing the same priority level. Has it occurred to you that there are other ways of load

Re: Acceptable DSL Speeds (ms based)

2005-05-05 Thread Petri Helenius
[EMAIL PROTECTED] wrote: Well... the *original* question was What's an acceptable speed for DSL?, and the only *really* correct answer is The one that maximizes your profit margin, balancing how much you need to build out to improve things against whatever perceived sluggishness ends up making

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Petri Helenius
Adi Linden wrote: Its not up to the ISP to determine outbound malicious traffic, but its up to the ISP to respond in a timely manner to complaints. Many (most?) do not. If they did their support costs would explode. It is block the customer, educate the customer why they were blocked,

Re: Detecting VoIP traffic in ISP network

2005-04-27 Thread Petri Helenius
Suresh Ramasubramanian wrote: Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :) Or somebody who would like to provision adequate bandwidth to accommodate for services on the rise? Not everybody is installed with the evil bit

Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Petri Helenius
Fergie (Paul Ferguson) wrote: We owe to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. So are you saying that managed security services are not available for paying consumers in USA? Pete

Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Petri Helenius
Daniel Roesen wrote: I hope to find the time to do some capturing and analysis of this traffic. If anyone here has experience with that I'd be happy to hear from them... don't want to waste time doing something others already did... :-) Sure, what would you like to know? Pete

Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Petri Helenius
Fergie (Paul Ferguson) wrote: Of course there are. What I'm saying is that too many providers do nothing, regardless of whether it is a managed (read: paid) service, or not. So why don't the market economy work and solve the problem? Because there is no tax on pollution? Pete - ferg -- Petri

gigabit residential

2005-04-24 Thread Petri Helenius
http://www.convergedigest.com/Bandwidth/newnetworksarticle.asp?ID=14545 Pete

Re: New Outage Hits Comcast Subscribers

2005-04-15 Thread Petri Helenius
Daniel Golding wrote: If you take a look at the dslreports.com forums, there are numerous complaints about DNS performance from various DSL and cable modem users. I'm not sure how reasonable these complaints are. The usual solution from other users is to install a piece of Windows software called

Re: clued/interested LEO list

2005-04-10 Thread Petri Helenius
joe mcguckin wrote: Isn't there already one 'secret handshake' club in existence already? Yes, but unlike there is a need for multiple instances of different governments, there is a need for multiple 'closed communities'. It will allow them to become corrupt in different ways. Pete On

Re: clued/interested LEO list

2005-04-10 Thread Petri Helenius
Gadi Evron wrote: Petri Helenius wrote: joe mcguckin wrote: Isn't there already one 'secret handshake' club in existence already? Yes, but unlike there is a need for multiple instances of different governments, there is a need for multiple 'closed communities'. It will allow them to become

Re: The power of default configurations

2005-04-07 Thread Petri Helenius
Paul Vixie wrote: no to 1) prolong the pain, 2) beat a horsey.. BUT, why are 1918 ips 'special' to any application? why are non-1918 ips 'special' in a different way? i know this is hard to believe, but i was asked to review 1918 before it went to press, since i'd been vociferous in my

Re: The power of default configurations

2005-04-07 Thread Petri Helenius
Paul Vixie wrote: IMO, RFC1918 went off the track when both ISP's and registries started asking their customers if they have seriously considered using 1918 space instead of applying for addresses. This caused many kinds of renumbering nightmares, overlapping addresses, near death of ipv6, etc.

Re: botted hosts

2005-04-05 Thread Petri Helenius
Florian Weimer wrote: * Suresh Ramasubramanian: Find them, isolate them into what some providers call a walled garden - vlan them into their own segment from where all they can access are antivirus / service pack downloads Service pack downloads? Do you expect ISPs to pirate Windows (or

Re: so, how would you justify giving users security? [was: Re: botted hosts]

2005-04-04 Thread Petri Helenius
Gadi Evron wrote: Between spam, spyware and worms, not to mention scans and attacks, I suppose that a large percentage of the Internet already is pay-for-junk? No. Most of the Internet is p2p file sharing, which does not fall into the categories mentioned. (at least mostly it doesn't) Pete

Re: botted hosts

2005-04-04 Thread Petri Helenius
Peter Corlett wrote: A side-effect of the greylisting and other mail checks is that I've got a lovely list of compromised hosts. Is there any way I can usefully share these with the community? Set up a website where one can input a route and can see hosts covered with it? Pete

Re: botted hosts

2005-04-04 Thread Petri Helenius
Sean Donelan wrote: Locating bots is relatively easy. If you think that is the hard part, you don't understand the problem. It's easy to some extent, databases to a few hundred thousand are easy to collect but going to the millions is harder. So how do you encourage people to fix their

botted hosts

2005-04-03 Thread Petri Helenius
I run some summaries about spam-sources by country, AS and containing BGP route. These are from a smallish set of servers whole March aggregated. Percentage indicates incidents out of total. Conclusion is that blocking 25 inbound from a handful of prefixes would stop 10% of spam.

Re: botted hosts

2005-04-03 Thread Petri Helenius
Stephen J. Wilcox wrote: On Sun, 3 Apr 2005, Petri Helenius wrote: I run some summaries about spam-sources by country, AS and containing BGP route. These are from a smallish set of servers whole March aggregated. Percentage indicates incidents out of total. Conclusion is that blocking 25

Re: Utah governor signs Net-porn bill

2005-03-23 Thread Petri Helenius
Simon Lyall wrote: The world has been wait for a list of Florida IPs for a while so we can block them for a few years, no such luck however. ip2location.com would be happy to sell you just such a list. Pete On a more practical note one possible solution to a similar I heard was to ensure that

Re: Utah governor signs Net-porn bill

2005-03-23 Thread Petri Helenius
Rich Kulawiec wrote: Oh...and then we get into P2P distribution mechanisms. How is any ISP supposed to block content which is everywhere and nowhere? This would only be possible by whitelisting content, which is not what most would accept. (although there are countries where this is the norm,

Re: 72/8 friendly reminder

2005-03-23 Thread Petri Helenius
Randy Bush wrote: a bit more coffee made me realize that what might best occur would be for the rir, some weeks BEFORE assigning from a new block issued by the iana, put up a pingable for that space and announce it on the lists so we can all test BEFORE someone uses space from that block. Or

Re: 72/8 friendly reminder

2005-03-23 Thread Petri Helenius
Randy Bush wrote: i do not understand what you are proposing. ahhh. you mean o each asn register a pingable address within its normal space, maybe in their irr route object o the rirs set up a routing island with only the new prefix in it o from a box with that new prefix, the rir pings

Re: public accessible snmp devices?

2005-03-06 Thread Petri Helenius
Alexei Roudnev wrote: Hmm, good idea. I add my voice to this question. But, btw, SNMP implementations are extremely buggy. Last 2 examples from my experience (with snmpstat system): - I found Cisco which have packet counters (on interface) _decreased_ instead of _increased_ (but octet counters

Re: public accessible snmp devices?

2005-03-06 Thread Petri Helenius
Jim Popovitch wrote: Was the device restarted? Was the polled interface so overloaded that UDP was dropped and your tool/application just happened to show a zero instead? That would be no on both counts. All packets got replies and while debugging the polling interval was fairly short. (on

Re: public accessible snmp devices?

2005-03-06 Thread Petri Helenius
Jim Popovitch wrote: I think this could be relevant. a LOT of devices drop snmp requests when they get busy or when too many incoming requests occur. Are you sure that you were the only one polling that device? Perhaps someone else put it into a busy state. Too often with SNMP devices and

Re: IRC Bot list (cross posting)

2005-02-09 Thread Petri Helenius
Stephen J. Wilcox wrote: Hi, you probably didn't think of this but it might not be a good idea to publish a list of 3000 computers that can be infected/taken over for further nastiness. Collecting that kind of list on any machine on the public internet takes only a day or so, so I don't think

Re: Time to check the rate limits on your mail servers

2005-02-03 Thread Petri Helenius
Nils Ketelsen wrote: Only thing that puzzles me is, why it took spammers so long to go in this direction. It didn't. It took the media long to notice. Pete

Re: beware of the unknown packets

2005-01-28 Thread Petri Helenius
Sabri Berisha wrote: On Wed, Jan 26, 2005 at 11:12:19PM +0200, Petri Helenius wrote: Hi, http://www.kb.cert.org/vuls/id/409555 Did anyone here of any exploits being in the wild? How would one tell if the actual issue is not published? (without violating possible NDA's) Pete

beware of the unknown packets

2005-01-26 Thread Petri Helenius
http://www.kb.cert.org/vuls/id/409555 Pete

Re: Emergency Internet Backbone Provider Maintenance Tonight

2005-01-23 Thread Petri Helenius
Todd Mitchell - lists wrote: On 22/01/2005 8:52 PM Darrell Kristof (CE CEN) wrote: Has anyone heard about some carriers doing emergency maintenance tonight on Internet routers due to a code vulnerability? I'm trying to find out what vendor it involves and the details behind it. I understand

Re: Measure overall network availability

2005-01-07 Thread Petri Helenius
Jim Popovitch wrote: I've often wondered, as I work intimately with NMS software, just how much cross network traffic is are you there? related. Would it have a positive impact on overall net performance if everyone just turned off all internetwork status polling? ducking Since p2p traffic is
