Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Scott Weeks

- Original Message Follows -


From: Sean Donelan [EMAIL PROTECTED]

 The U.S. is poorly prepared for a major disruption of the
 Internet, according to a study that an influential group

Wow!  They mean the internet backbone might break?  We
better shore up that puppy and warn the tier 1 folks...  ;-)

scott



BGP Update Report

2006-06-23 Thread cidr-report

BGP Update Report
Interval: 09-Jun-06 -to- 22-Jun-06 (14 days)
Observation Point: BGP Peering with AS4637

TOP 20 Unstable Origin AS
Rank  ASN         Upds     %  Upds/Pfx  AS-Name
 1  - AS25543    33646  3.0%     961.3  -- FASONET-AS ONATEL/FasoNet's Autonomous System
 2  - AS4323     14525  1.3%      11.1  -- TWTC - Time Warner Telecom, Inc.
 3  - AS17974    13545  1.2%      32.8  -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 4  - AS9121     13120  1.2%      38.4  -- TTNET TTnet Autonomous System
 5  - AS15611    13049  1.2%     127.9  -- Iranian Research Organisation
 6  - AS10139    10868  1.0%      44.5  -- MERIDIAN-PH-AP Meridian Telekoms
 7  - AS17557     9285  0.8%      22.9  -- PKTELECOM-AS-AP Pakistan Telecom
 8  - AS702       9208  0.8%      12.3  -- AS702 MCI EMEA - Commercial IP service provider in Europe
 9  - AS3475      9024  0.8%     564.0  -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
10  - AS7018      8995  0.8%       5.9  -- ATT-INTERNET4 - ATT WorldNet Services
11  - AS5803      8640  0.8%     109.4  -- DDN-ASNBLK - DoD Network Information Center
12  - AS6198      8423  0.8%      20.4  -- BATI-MIA - BellSouth Network Solutions, Inc
13  - AS8452      8207  0.7%      49.4  -- TEDATA TEDATA
14  - AS4134      8105  0.7%      10.3  -- CHINANET-BACKBONE No.31,Jin-rong Street
15  - AS4837      7270  0.6%      25.9  -- CHINA169-BACKBONE CNCGROUP China169 Backbone
16  - AS4621      6925  0.6%      52.1  -- UNSPECIFIED UNINET-TH
17  - AS19548     6597  0.6%      14.8  -- ADELPHIA-AS2 - Adelphia
18  - AS23918     6118  0.5%      46.3  -- CBB-BGP-IBARAKI Connexion By Boeing Ibaraki AS
19  - AS33783     6071  0.5%      57.8  -- EEPAD
20  - AS701       6030  0.5%       6.4  -- ALTERNET-AS - UUNET Technologies, Inc.


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN         Upds     %  Upds/Pfx  AS-Name
 1  - AS3043      2906  0.3%    2906.0  -- AMPHIB-AS - Amphibian Media Corporation
 2  - AS21027     2825  0.2%    2825.0  -- ASN-PARADORES PARADORES Autonomous System
 3  - AS26015     2041  0.2%    2041.0  -- THINKORSWIM - Thinkorswim inc
 4  - AS39863     1571  0.1%    1571.0  -- CROSSNET Crossnet LLC
 5  - AS35379     2560  0.2%    1280.0  -- EASYNET EASYNET s.c.
 6  - AS36877     1976  0.2%     988.0  -- MWEB_AFRICA-NAMIBIA
 7  - AS25543    33646  3.0%     961.3  -- FASONET-AS ONATEL/FasoNet's Autonomous System
 8  - AS34378      865  0.1%     865.0  -- RUG-AS Razguliay-UKRROS Group
 9  - AS23607     1550  0.1%     775.0  -- ITXPRESS-AS-AP itXpress Pty Ltd. Network AS ISP and DSL
10  - AS19908      694  0.1%     694.0  -- HOENIGRYENY9149359000 - Hoenig & Co., Inc.
11  - AS4678      2732  0.2%     683.0  -- FINE CANON NETWORK COMMUNICATIONS INC.
12  - AS36897      591  0.1%     591.0  -- AEROSAT
13  - AS24896      579  0.1%     579.0  -- UKRINTELL-AS IntellCOM Provider LIR, Kiev, Ukraine Northern Nowhere
14  - AS36565      574  0.1%     574.0  -- COUNTY-OF-MONTGOMERY-PA - County of Montgomery
15  - AS14410     2832  0.2%     566.4  -- DALTON - MCM, Inc., DBA: [EMAIL PROTECTED]
16  - AS3475      9024  0.8%     564.0  -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
17  - AS9157      1045  0.1%     522.5  -- SAO-RAS SAO-RAS AS
18  - AS19982     1768  0.2%     442.0  -- TOWERSTREAM-PROV - Towerstream
19  - AS24308      434  0.0%     434.0  -- DAFFODILBD-AS Daffodil Online AS for BDIX Connection
20  - AS17783     4203  0.4%     420.3  -- SRILRPG-AS SRIL RPG Autonomous System


TOP 20 Unstable Prefixes
Rank  Prefix              Upds     %  Origin AS  -- AS Name
 1  - 203.112.154.0/24    4008  0.3%  AS17783    -- SRILRPG-AS SRIL RPG Autonomous System
 2  - 152.74.0.0/16       4002  0.3%  AS11340    -- Red Universitaria Nacional
 3  - 209.140.24.0/24     2906  0.2%  AS3043     -- AMPHIB-AS - Amphibian Media Corporation
 4  - 62.81.240.0/24      2825  0.2%  AS21027    -- ASN-PARADORES PARADORES Autonomous System
 5  - 61.0.0.0/8          2729  0.2%  AS4678     -- FINE CANON NETWORK COMMUNICATIONS INC.
 6  - 65.175.45.0/24      2041  0.2%  AS26015    -- THINKORSWIM - Thinkorswim inc
 7  - 198.92.192.0/21     2038  0.2%  AS16559    -- REALCONNECT-01 - RealConnect, Inc
 8  - 209.160.56.0/22     1877  0.1%  AS14361    -- HOPONE-DCA - HopOne Internet Corporation
 9  - 81.212.125.0/24     1597  0.1%  AS9121     -- TTNET TTnet Autonomous System
10  - 81.89.208.0/20      1571  0.1%  AS39863    -- CROSSNET Crossnet LLC
11  - 81.212.141.0/24     1530  0.1%  AS9121     -- TTNET TTnet Autonomous System
12  - 81.212.124.0/24     1509  0.1%  AS9121     -- TTNET TTnet Autonomous System
13  - 81.212.149.0/24     1506  0.1%  AS9121     -- TTNET TTnet Autonomous System
14  - 195.28.178.0/23     1280  0.1%  AS35379    -- EASYNET EASYNET s.c.
15  - 193.239.244.0/23    1280  0.1%  AS35379    -- EASYNET EASYNET s.c.
16 - 

The Cidr Report

2006-06-23 Thread cidr-report

This report has been generated at Fri Jun 23 21:44:32 2006 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        16-06-06    186927      122948
        17-06-06    186942      122902
        18-06-06    187088      122947
        19-06-06    187137      123059
        20-06-06    187338      123220
        21-06-06    187505      123270
        22-06-06    187672      123352
        23-06-06    187830      123332


AS Summary
 22410  Number of ASes in routing system
  9388  Number of ASes announcing only one prefix
  1464  Largest number of prefixes announced by an AS
AS7018 : ATT-INTERNET4 - ATT WorldNet Services
  91697152  Largest address span announced by an AS (/32s)
AS721  : DISA-ASNBLK - DoD Network Information Center


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 23Jun06 ---
ASnum     NetsNow  NetsAggr  NetGain   % Gain   Description

Table      187920    123313    64607    34.4%   All ASes

AS4323       1313       269     1044    79.5%   TWTC - Time Warner Telecom, Inc.
AS4134       1227       293      934    76.1%   CHINANET-BACKBONE No.31,Jin-rong Street
AS18566       945       158      787    83.3%   COVAD - Covad Communications Co.
AS4755        938       221      717    76.4%   VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
AS721        1021       318      703    68.9%   DISA-ASNBLK - DoD Network Information Center
AS22773       665        47      618    92.9%   CCINET-2 - Cox Communications Inc.
AS6197       1014       484      530    52.3%   BATI-ATL - BellSouth Network Solutions, Inc
AS7018       1464       942      522    35.7%   ATT-INTERNET4 - ATT WorldNet Services
AS19916       563        65      498    88.5%   ASTRUM-0001 - OLM LLC
AS9498        677       180      497    73.4%   BBIL-AP BHARTI BT INTERNET LTD.
AS855         553        64      489    88.4%   CANET-ASN-4 - Aliant Telecom
AS17488       519        46      473    91.1%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS3602        525       104      421    80.2%   AS3602-RTI - Rogers Telecom Inc.
AS18101       417        28      389    93.3%   RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS15270       433        52      381    88.0%   AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc.
AS17676       489       110      379    77.5%   JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS11492       621       261      360    58.0%   CABLEONE - CABLE ONE
AS4766        654       305      349    53.4%   KIXS-AS-KR Korea Telecom
AS6467        393        50      343    87.3%   ESPIRECOMM - Xspedius Communications Co.
AS22047       418        75      343    82.1%   VTR BANDA ANCHA S.A.
AS812         370        30      340    91.9%   ROGERS-CABLE - Rogers Cable Inc.
AS16852       355        50      305    85.9%   FOCAL-CHICAGO - Focal Data Communications of Illinois
AS8151        707       407      300    42.4%   Uninet S.A. de C.V.
AS19262       669       374      295    44.1%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS16814       329        48      281    85.4%   NSS S.A.
AS3352        306        30      276    90.2%   TELEFONICA-DATA-ESPANA Internet Access Network of TDE
AS5668        524       249      275    52.5%   AS-5668 - CenturyTel Internet Holdings, Inc.
AS6198        511       243      268    52.4%   BATI-MIA - BellSouth Network Solutions, Inc
AS14654       282        15      267    94.7%   WAYPORT - Wayport
AS9583        909       645      264    29.0%   SIFY-AS-IN Sify Limited

Total 
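The Aggregation Summary above states the rule the report applies: two prefixes are only merged when their AS paths match exactly, so that transit policy is preserved. The following is an added example, not the cidr-report tool's own code, that applies that rule to a constructed sample table and produces the same NetsNow / NetsAggr / NetGain / % Gain columns the report prints. It deliberately does not model the second rule (proposing aggregates across non-advertised holes); it only merges prefixes that are adjacent or nested. The prefixes and ASNs are documentation values, not data from the report.

```python
"""Simplified CIDR aggregation-potential calculator.

Added example; this is not the cidr-report tool's own code. It applies the
rule the report states: prefixes may be merged only when their AS paths
match exactly. Unlike the real report it does not propose aggregates across
non-advertised holes; it only merges prefixes that are adjacent or nested.
SAMPLE_TABLE is constructed data using documentation prefixes and ASNs.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample routing table: (prefix, AS path from the observation
# point to the origin). The last ASN in the path is the origin AS.
SAMPLE_TABLE = [
    ("192.0.2.0/25",    (64500, 64496)),  # same path as the next two lines
    ("192.0.2.128/25",  (64500, 64496)),  # adjacent /25 -> merges into a /24
    ("192.0.2.0/24",    (64500, 64496)),  # covering /24 absorbs both /25s
    ("198.51.100.0/24", (64500, 64497)),
    ("198.51.100.0/25", (64500, 64498)),  # more-specific with a different path: kept
    ("203.0.113.0/24",  (64500, 64499)),
    ("203.0.113.0/25",  (64500, 64499)),  # nested, same path: absorbed
]


def aggregate(table):
    """Group prefixes by exact AS path and collapse each group.

    Returns {as_path: [aggregated prefixes as strings]}.
    """
    groups = defaultdict(list)
    for prefix, path in table:
        groups[tuple(path)].append(ipaddress.ip_network(prefix, strict=True))
    return {path: [str(net) for net in ipaddress.collapse_addresses(nets)]
            for path, nets in groups.items()}


def gain_by_origin(table):
    """Per-origin figures in the report's columns: NetsNow, NetsAggr, NetGain, %Gain."""
    now = Counter(path[-1] for _, path in table)
    aggr = Counter()
    for path, nets in aggregate(table).items():
        aggr[path[-1]] += len(nets)
    return {asn: (now[asn], aggr[asn], now[asn] - aggr[asn],
                  round(100.0 * (now[asn] - aggr[asn]) / now[asn], 1))
            for asn in now}


def table_gain(table):
    """The whole-table line: NetsNow, NetsAggr, NetGain, %Gain."""
    now = len(table)
    aggr = sum(len(nets) for nets in aggregate(table).values())
    return (now, aggr, now - aggr, round(100.0 * (now - aggr) / now, 1))


def report(table):
    """Render the per-AS lines, largest NetGain first, in the report's layout."""
    lines = ["%-8s %8s %8s %8s %7s" % ("ASnum", "NetsNow", "NetsAggr", "NetGain", "% Gain")]
    lines.append("%-8s %8d %8d %8d %6.1f%%" % (("Table",) + table_gain(table)))
    rows = sorted(gain_by_origin(table).items(), key=lambda kv: -kv[1][2])
    for asn, (now, aggr, gain, pct) in rows:
        lines.append("AS%-6d %8d %8d %8d %6.1f%%" % (asn, now, aggr, gain, pct))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TABLE))
```

Running it prints a table in the report's layout; on the sample, origin AS64496 contributes a NetGain of 2 (three announcements collapse to one /24) while AS64498's more-specific survives because its AS path differs from the covering /24.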

Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Peter Ferrigan



At one of my old jobs, my boss honestly believed that we had a 'switch' 
that turned the entire internet off or on.  When she was having problems 
accessing her shopping sites, she'd storm in the office and say something 
like 'did you guys turn the internet off again?'  sigh


Then again, this is the same person that tried to tell me that 768 OC-192s 
are carried on a single DS1..



- Peter

On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:



On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:


I shudder to think what would happen under large scale attack if one of the 
CEOs in that room had responsibility for the correct functioning of the 
Internet.


This definitely falls into the Just Doesn't Get It category.

--
TTFN,
patrick


RE: Who wants to be in charge of the Internet today?

2006-06-23 Thread Jason Gauthier

Sounds like our typical customer service calls.

Them: Is the Internet down?
Us:   Yes, someone will turn it back on soon.
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Peter Ferrigan
 Sent: Friday, June 23, 2006 10:04 AM
 To: nanog@merit.edu
 Subject: Re: Who wants to be in charge of the Internet today?
 
 
 
 At one of my old jobs, my boss honestly believed that we had 
 a 'switch' 
 that turned the entire internet off or on.  When she was 
 having problems accessing her shopping sites, she'd storm in 
 the office and say something like 'did you guys turn the 
 internet off again?'  sigh
 
 Then again, this is the same person that tried to tell me 
 that 768 OC-192s are carried on a single DS1..
 
 
 - Peter
 
 On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:
 
 
  On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:
 
 
  I shudder to think what would happen under large scale 
 attack if one of the 
  CEOs in that room had responsibility for the correct 
 functioning of the 
  Internet.
 
  This definitely falls into the Just Doesn't Get It category.
 
  -- 
  TTFN,
  patrick
 


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Roy


Scott Weeks wrote:

- Original Message Follows -


From: Sean Donelan [EMAIL PROTECTED]

  

The U.S. is poorly prepared for a major disruption of the
Internet, according to a study that an influential group



Wow!  They mean the internet backbone might break?  We
better shore up that puppy and warn the tier 1 folks...  ;-)

scott


  
The levees will break and you will be flooded.  You do have an Internet 
evacuation plan don't you?  That is where you make all your lines 
outbound and move your bits to higher ground.





Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Jeff Shultz


Sean Donelan wrote:


The Business Roundtable, composed of the CEOs of 160 large U.S. companies,
said neither the government nor the private sector has a coordinated plan
to respond to an attack, natural disaster or other disruption of the
Internet. While individual government agencies and companies have their
own emergency plans in place, little coordination exists between the
groups, according to the study.

It's a matter of more clearly defining who has responsibility, said
Edward Rust Jr., CEO of State Farm Mutual Automobile Insurance Co., who
leads the Roundtable's Internet-security effort.

[...]



Thus explainith why CEOs should not be responsible for this. I wonder if 
their CIOs or other techies have ever tried to explain the concept of a 
CERT to them.


--
Jeff Shultz


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Justin M. Streiner


On Fri, 23 Jun 2006, Jeff Shultz wrote:

Thus explainith why CEOs should not be responsible for this. I wonder if 
their CIOs or other techies have ever tried to explain the concept of a 
CERT to them.


Of course they have.  Gives you minty fresh breath, right?

jms


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Robert Boyle


At 10:04 AM 6/23/2006, you wrote:
Then again, this is the same person that tried to tell me that 768 
OC-192s are carried on a single DS1.


Now THAT is impressive compression! I don't know what your former 
company did, but they should focus on selling that compression 
technology. ;) The buffers must be enormous!


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Well done is better than well said. - Benjamin Franklin



Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Valdis . Kletnieks
On Fri, 23 Jun 2006 11:33:43 EDT, Robert Boyle said:

 Now THAT is impressive compression! I don't know what your former 
 company did, but they should focus on selling that compression 
 technology. ;) The buffers must be enormous!

Infinite compression is easy, if you use a sufficiently lossy compression
algorithm.  Ask anybody who's talked to a journalist for an hour, and ends
up as a one-sentence misquote.




Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Warren Kumari


My favorite was always the (potential) customers who would call up  
and ask Can I get the Internet in my house? -- I would always  
answer That depends, how big is your house?, but they NEVER got  
it...



On Jun 23, 2006, at 7:09 AM, Jason Gauthier wrote:



Sounds like our typical customer service calls.

Them: Is the Internet down?
Us:   Yes, someone will turn it back on soon.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Peter Ferrigan
Sent: Friday, June 23, 2006 10:04 AM
To: nanog@merit.edu
Subject: Re: Who wants to be in charge of the Internet today?



At one of my old jobs, my boss honestly believed that we had
a 'switch'
that turned the entire internet off or on.  When she was
having problems accessing her shopping sites, she'd storm in
the office and say something like 'did you guys turn the
internet off again?'  sigh



Yah, I would have customers call and ask me to reboot the Internet,  
it's down again...


Ok, let the customer support anecdotes flow...
W


Then again, this is the same person that tried to tell me
that 768 OC-192s are carried on a single DS1..


- Peter

On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:



On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:


I shudder to think what would happen under large scale

attack if one of the

CEOs in that room had responsibility for the correct

functioning of the

Internet.

This definitely falls into the Just Doesn't Get It category.

--
TTFN,
patrick








[OT] Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Edward B. DREGER

RB Date: Fri, 23 Jun 2006 11:33:43 -0400
RB From: Robert Boyle

RB Now THAT is impressive compression! I don't know what your former company
RB did, but they should focus on selling that compression technology. ;)

Irrational numbers can be described in finite space, yet extend
indefinitely with no discernible pattern.  Perhaps said company has
found a way to map arbitrary infinite-length data streams to short,
simple representations a la digits 'x' through 'y' of pi. ;-)

(Note smiley.  This is tongue-in-cheek commentary on entropy.)


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Jerry Pasker


One two three NOT IT!

Sorry, when I saw the subject, I couldn't resist.


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Valdis . Kletnieks
On Fri, 23 Jun 2006 09:09:19 PDT, Warren Kumari said:
 Ok, let the customer support anecdotes flow...

Part of the gear I usually lug around is an old bulky pair of Kenwood KPM-410
headphones.  I've had people convinced that it's for computer security,
because when you ping the internet, you of course have to listen for the
echoes.

(It is, of course, *really* about trying to listen to Nine Inch Nails while
trapped in cubicle land... ;)





Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Randy Bush

this is all silly.  the answer to these is usually the folk
asking the question of who is in charge are the ones who
want to be.

randy



Weekly Routing Table Report

2006-06-23 Thread Routing Analysis Role Account

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to [EMAIL PROTECTED]

If you have any comments please contact Philip Smith [EMAIL PROTECTED].

Routing Table Report   04:00 +10GMT Sat 24 Jun, 2006

Analysis Summary


BGP routing table entries examined:  191664
Prefixes after maximum aggregation:  105172
Unique aggregates announced to Internet:  92904
Total ASes present in the Internet Routing Table: 22516
Origin-only ASes present in the Internet Routing Table:   19587
Origin ASes announcing only one prefix:9392
Transit ASes present in the Internet Routing Table:2929
Transit-only ASes present in the Internet Routing Table: 63
Average AS path length visible in the Internet Routing Table:   3.5
Max AS path length visible:  24
Max AS path prepend of ASN (32609)   16
Prefixes from unregistered ASNs in the Routing Table: 2
Unregistered ASNs in the Routing Table:   3
Special use prefixes present in the Routing Table:0
Prefixes being announced from unallocated address space:  9
Number of addresses announced to Internet:   1543273736
Equivalent to 91 /8s, 252 /16s and 125 /24s
Percentage of available address space announced:   41.6
Percentage of allocated address space announced:   60.2
Percentage of available address space allocated:   69.1
Total number of prefixes smaller than registry allocations:   95120

APNIC Region Analysis Summary
-

Prefixes being announced by APNIC Region ASes:40985
Total APNIC prefixes after maximum aggregation:   16907
Prefixes being announced from the APNIC address blocks:   38706
Unique aggregates announced from the APNIC address blocks:18500
APNIC Region origin ASes present in the Internet Routing Table:2620
APNIC Region origin ASes announcing only one prefix:752
APNIC Region transit ASes present in the Internet Routing Table:397
Average APNIC Region AS path length visible:3.5
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet:  234437216
Equivalent to 13 /8s, 249 /16s and 58 /24s
Percentage of available APNIC address space announced: 73.3

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911
APNIC Address Blocks   58/7, 60/7, 121/8, 122/7, 124/7, 126/8, 202/7
   210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 98398
Total ARIN prefixes after maximum aggregation:58065
Prefixes being announced from the ARIN address blocks:72194
Unique aggregates announced from the ARIN address blocks: 26957
ARIN Region origin ASes present in the Internet Routing Table:10799
ARIN Region origin ASes announcing only one prefix:4077
ARIN Region transit ASes present in the Internet Routing Table: 989
Average ARIN Region AS path length visible: 3.3
Max ARIN Region AS path length visible:  18
Number of ARIN addresses announced to Internet:   294470400
Equivalent to 17 /8s, 141 /16s and 67 /24s
Percentage of available ARIN address space announced:  76.3

ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
   3354-4607, 4865-5119, 5632-6655, 6912-7466
   7723-8191, 10240-12287, 13312-15359, 16384-17407
   18432-20479, 21504-23551, 25600-26591,
   26624-27647, 29696-30719, 31744-33791
   35840-36863, 39936-40959
ARIN Address Blocks24/8, 63/8, 64/5, 72/6, 76/8, 199/8, 204/6,
   208/7 and 216/8

RIPE Region Analysis Summary


Prefixes being announced by RIPE Region ASes: 38249
Total RIPE prefixes after maximum aggregation:25557
Prefixes being announced from the RIPE address blocks:35302
Unique aggregates announced from the RIPE address blocks: 23164
RIPE Region origin ASes present in the Internet Routing Table: 8177
RIPE Region origin ASes announcing only one prefix:4288
RIPE Region transit ASes present in the Internet Routing Table:1359
Average RIPE Region AS path 

Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread ennova2005-nanog
Now we are all allowed the occasional fun at the management lacking a clue - but come on. The users have an expectation that their "access to the Internet" works like a utility. When you say the "power is shut off" you don't expect to expand on whether the power grid in your state had a cascading failure but people on the other coast still have power and when your "water supply is shut off" does not mean that all the people in the world can't get a drop.

It just means that her "Internet is off" and as far as she is concerned the whole Internet/Power/Water supply might as well be "off"

p.s. 768 OC-192s worth of Internet traffic can indeed be carried on a single DS1 if the "Internet is off" :-)

- Original Message -
From: Peter Ferrigan [EMAIL PROTECTED]
To: nanog@merit.edu
Sent: Friday, June 23, 2006 7:04:18 AM
Subject: Re: Who wants to be in charge of the Internet today?

At one of my old jobs, my boss honestly believed that we had a 'switch' that turned the entire internet off or on. When she was having problems accessing her shopping sites, she'd storm in the office and say something like 'did you guys turn the internet off again?' sigh

Then again, this is the same person that tried to tell me that 768 OC-192s are carried on a single DS1..

- Peter

On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:

On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:

I shudder to think what would happen under large scale attack if one of the CEOs in that room had "responsibility" for the correct functioning of the "Internet".

This definitely falls into the "Just Doesn't Get It" category.

--
TTFN,
patrick

Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Steven Champeon

on Fri, Jun 23, 2006 at 11:23:44AM -0700, [EMAIL PROTECTED] wrote:
 The users have an expectation that their access to the Internet
 works like a utility. When you say the power is shut off you don't
 expect to expand on whether the power grid in your state had a
 cascading failure but people on the other coast still have power and
 when your water supply is shut off does not mean that all the people
 in the world can't get a drop.
 
 It just means that her Internet is off and as far as she is
 concerned the whole Internet/Power/Water supply might as well be off

Yep.

I eventually just trained myself into hearing my Internet access when
I heard the Internet from someone who doesn't know what the Internet
is.

e.g.,

 s/Is the Internet down?/Is my Internet access down?/

YMMV,
Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/


RE: key change for TCP-MD5

2006-06-23 Thread Barry Greene (bgreene)

 

 If DOS is such a large concern, IPSEC to an extent can be 
 used to mitigate against it. And IKEv1/v2 with IPSEC is not 
 the horribly inefficient mechanism it is made out to be. In 
 practice, it is quite easy to use.

IPSEC does nothing to protect a network device from a DOS attack. You
know that.

DOS prevention on a network device needs to happen before the TCP/Packet
termination - not the Key/MD5/IPSEC stage. The signing or encrypting of
the BGP message protects against Man in the Middle and replay attacks -
not DOS attacks. Once a bad packet gets terminated, your DOS stress on
the router kicks in (especially on ASIC/NP routers). The few extra CPU
cycles it takes for walking through keys or IPSEC decrypt are irrelevant
to the router's POV. You're SOL if a miscreant can get a packet through
your classification & queuing protections on the router and have it
terminated. 

The key to DOS mitigation on a network device is to have many fields in
the packet to classify as possible before the TCP/Packet termination.
The more you have to classify on, the more granular you can construct
your policy. This is one of the reasons for GTSM - which adds one more
field (the IP packet's TTL) to the classification options. 

Yes Jared - our software does the TTL after the MD5, but the hardware
implementations do the check in hardware before the packet gets punted
to the receive path. That is exactly where you need to do the
classification to minimize DOS on a router - as close to the point where
the optical-electrical-airwaves convert to an IP packet as possible.


RE: key change for TCP-MD5

2006-06-23 Thread Bora Akyol

 

 -Original Message-
 From: Barry Greene (bgreene) [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 23, 2006 11:50 AM
 To: Bora Akyol; Ross Callon; nanog@merit.edu
 Subject: RE: key change for TCP-MD5
 
  
 
  If DOS is such a large concern, IPSEC to an extent can be used to 
  mitigate against it. And IKEv1/v2 with IPSEC is not the horribly 
  inefficient mechanism it is made out to be. In practice, it 
 is quite 
  easy to use.
 
 IPSEC does nothing to protect a network device from a DOS 
 attack. You know that.
 

Barry

The validity of your statement depends tremendously on how IPSEC is
implemented.

Bora



Re: key change for TCP-MD5

2006-06-23 Thread Todd Underwood



On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:

 Yes Jared - our software does the TTL after the MD5, but the hardware
 implementations does the check in hardware before the packet gets punted
 to the receive path. That is exactly where you need to do the
 classification to minimize DOS on a router - as close to the point where
 the optical-electrical-airwaves convert to a IP packet as possible.

i'm not that bright, so maybe i'm missing something, but i've heard
this claim from cisco people before and never understood it.

just to clarify:  you're saying that doing the (expensive) md5 check
before the (almost free) ttl check makes sense because that
*minimizes* the DOS vectors against a router?  can someone walk me
through the logic here using small words?  i am obviously not able to
follow this due to my distance from the
optical-electrical-airwaves. 

t.


-- 
_
todd underwood +1 603 643 9300 x101
renesys corporationchief of operations & security 
[EMAIL PROTECTED]   
http://www.renesys.com/blog/todd.shtml


Re: key change for TCP-MD5

2006-06-23 Thread Valdis . Kletnieks
On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:

 The validity of your statement depends tremendously on how IPSEC is
 implemented.

If 113 million packets all show up at once, you're going to get DoS'ed,
whether or not you have IPSEC enabled.




Re: key change for TCP-MD5

2006-06-23 Thread Richard A Steenbergen

On Fri, Jun 23, 2006 at 04:43:29PM -0400, Todd Underwood wrote:
 
 On Fri, Jun 23, 2006 at 11:49:33AM -0700, Barry Greene (bgreene) wrote:
 
  Yes Jared - our software does the TTL after the MD5, but the hardware
  implementations does the check in hardware before the packet gets punted
  to the receive path. That is exactly where you need to do the
  classification to minimize DOS on a router - as close to the point where
  the optical-electrical-airwaves convert to a IP packet as possible.
 
 i'm not that bright, so maybe i'm missing something, but i've heard
 this claim from cisco people before and never understood it.
 
 just to clarify:  you're saying that doing the (expensive) md5 check
 before the (almost free) ttl check makes sense because that
 *minimizes* the DOS vectors against a router?  can someone walk me
 through the logic here using small words?  i am obviously not able to
 follow this due to my distance from the
 optical-electrical-airwaves. 

As I parsed Barry's post, he was saying that Cisco currently does the 
wrong thing today, but that some day when they actually support doing the 
check in hardware, that will be the right place to do it. (aka duh :P)

Obviously in a perfect world, you don't want to do the expensive MD5 check 
anywhere sooner than the last possible moment before you declare the data 
valid and add it to the socket buffer. I assume that the reason they can't 
do the check sooner in software is they lack a mechanism to tell the IP or 
even TCP input code we want to discard these packets if they are less 
than TTL x. They probably can't make that decision until the packet gets 
validated by TCP and makes it all the way to BGP code.

But, they should still be able to do all of the TCP layer checks which 
don't require outside information, such as matching the segment to a 
proper TCB by ip/port/seq #, before doing the MD5 calculation. This makes 
DoS against MD5 where you don't know the full L4 port #'s and the seq # 
pretty impossible on its own, without needing to involve the TTL hack.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


RE: key change for TCP-MD5

2006-06-23 Thread Bora Akyol

Assumptions, assumptions.

If your IPSEC is being done in hardware and you have appropriate QoS
mechanisms in your network, you will probably not be able to pass your
best effort traffic but the rest should be OK.

Can we get back to the regularly scheduled programming
instead of throwing big numbers around?
 
Barry had a point, if you do IPSEC stupidly, it does not protect you.
If you pay attention to detail, it does help. It is not the panacea.

For the purpose of securing BGP, I think IPSEC is easy to configure (at
least on IOS which is what I'm used to), and will do the job. And for
this application, I don't see why certs can't be used either.

Regards

Bora


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 23, 2006 1:46 PM
 To: Bora Akyol
 Cc: Barry Greene (bgreene); Ross Callon; nanog@merit.edu
 Subject: Re: key change for TCP-MD5
 
 On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
 
  The validity of your statement depends tremendously on how IPSEC is 
  implemented.
 
 If 113 million packets all show up at once, you're going to 
 get DoS'ed, whether or not you have IPSEC enabled.
 



Re: key change for TCP-MD5

2006-06-23 Thread Richard A Steenbergen

On Fri, Jun 23, 2006 at 05:01:00PM -0400, Richard A Steenbergen wrote:
 
 Obviously in a perfect world, you don't want to do the expensive MD5 check 
 anywhere sooner than the last possible moment before you declare the data 
 valid and add it to the socket buffer. I assume that the reason they can't 
 do the check sooner in software is they lack a mechanism to tell the IP or 
 even TCP input code we want to discard these packets if they are less 
 than TTL x. They probably can't make that decision until the packet gets 
 validated by TCP and makes it all the way to BGP code.

Actually I take that back, it should be easy enough to configure a minimum 
TTL requirement on the TCB through a socket interface. Obviously they're 
doing something to pass the IP TTL data outside of its normal in_input() 
function (or whatever passes for such on IOS), so if you've got that data 
available in the tcp_input() code you should be able to do the check after 
you find your TCB but before the MD5 check, yes?

Since there hasn't been an IOS source code leak in a while, does someone 
from Cisco who actually knows how this is implemented want to comment so 
we can stop guessing? :)

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
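
An added example, not from the thread or from any vendor's implementation, of the check ordering Richard describes: the RFC 2385 TCP-MD5 signature is computed over a constructed segment, and the receive path applies a GTSM-style minimum-TTL test (RFC 3682) before it spends an MD5 computation. The addresses, ports, shared key, flood size and the `ReceivePath`/`Segment` names are all made up for the demonstration; `md5_checks` counts how often the expensive step actually ran.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

TCP_PROTO = 6
MD5_DIGEST_LEN = 16
# RFC 2385 option: kind 19, length 18 (kind + len + 16-byte digest). Padded
# with two NOPs to a 4-byte boundary, so it occupies 20 bytes of header.
MD5_OPT_PADDED_LEN = 20
GTSM_MAX_TTL = 255


@dataclass
class Segment:
    """Fields of an IPv4/TCP segment that the MD5 signature covers, plus
    the TTL seen on arrival and the digest carried in the option."""
    src: bytes           # 4-byte IPv4 source address
    dst: bytes           # 4-byte IPv4 destination address
    ttl: int             # IP TTL as received
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int           # TCP flag bits (ACK = 0x10, PSH = 0x08, ...)
    window: int
    urg: int
    payload: bytes
    digest: bytes = b""  # 16-byte digest from the MD5 option, empty if absent


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over (1) the TCP pseudo-header, (2) the TCP
    header with options excluded and checksum zeroed, (3) the segment data,
    (4) the shared key. The data offset still counts the option bytes."""
    hdr_words = 5 + MD5_OPT_PADDED_LEN // 4
    seg_len = hdr_words * 4 + len(seg.payload)
    pseudo = seg.src + seg.dst + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    tcp_hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                          hdr_words << 4, seg.flags, seg.window, 0, seg.urg)
    h = hashlib.md5()
    for part in (pseudo, tcp_hdr, seg.payload, key):
        h.update(part)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Sender side: fill in the option digest for an outgoing segment."""
    return replace(seg, digest=tcp_md5_digest(seg, key))


class ReceivePath:
    """Cheap check first: a legitimate peer at most max_hops away sends
    TTL 255, so anything below 255 - max_hops was forged from farther away
    and is dropped before any hashing. Only survivors pay for the MD5."""

    def __init__(self, key: bytes, max_hops: int = 0):
        self.key = key
        self.min_ttl = GTSM_MAX_TTL - max_hops
        self.md5_checks = 0   # how many times the expensive step ran

    def handle(self, seg: Segment) -> str:
        if seg.ttl < self.min_ttl:
            return "drop:ttl"            # integer compare, no hashing
        self.md5_checks += 1
        expected = tcp_md5_digest(seg, self.key)
        if not hmac.compare_digest(seg.digest, expected):
            return "drop:md5"
        return "accept"


def demo(flood_size: int = 1000) -> dict:
    """Constructed traffic: one genuine BGP KEEPALIVE from a directly
    connected peer, a flood of spoofed segments from several hops away,
    and one spoofed segment that gets the TTL right but not the key."""
    key = b"example-bgp-session-key"    # constructed shared secret
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, len 19, type 4
    genuine = sign(Segment(src=bytes([192, 0, 2, 1]), dst=bytes([192, 0, 2, 2]),
                           ttl=255, sport=179, dport=50000, seq=1000, ack=2000,
                           flags=0x18, window=65535, urg=0, payload=keepalive), key)
    rp = ReceivePath(key, max_hops=0)
    out = {"genuine": rp.handle(genuine)}
    # Spoofed copies arriving with TTL 248: rejected before any MD5 work.
    before = rp.md5_checks
    far = replace(genuine, ttl=248, digest=b"\x00" * MD5_DIGEST_LEN)
    out["far_flood"] = {rp.handle(far) for _ in range(flood_size)}
    out["md5_spent_on_flood"] = rp.md5_checks - before
    # Adjacent attacker with the right TTL but no key: hashed once, dropped.
    near = replace(genuine, seq=genuine.seq + 1)   # old digest no longer matches
    out["near_wrong_key"] = rp.handle(near)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the ordering is visible in `md5_spent_on_flood`: the spoofed flood from far away costs the receiver nothing beyond a TTL compare, while only packets that could plausibly have come from an adjacent peer reach the hash. A forger one hop away still forces one MD5 per packet, which is the residual cost Richard's "before the MD5 check" placement cannot remove.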


Re: key change for TCP-MD5

2006-06-23 Thread Roland Dobbins



On Jun 23, 2006, at 2:02 PM, Bora Akyol wrote:

> If your IPSEC is being done in hardware and you have appropriate QoS
> mechanisms in your network, you will probably not be able to pass
> your best effort traffic but the rest should be OK.

Unless the DoS is within the IPSEC tunnel and crowds out the good
traffic.



Your original post seemed to imply that IPSEC is an anti-DoS
mechanism, as does the statement 'If you pay attention to detail, it
does help.'  IPSEC is not an anti-DoS mechanism at all; it's
important to be clear about that.


--
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

 Everything has been said.  But nobody listens.

   -- Roger Shattuck





Re: key change for TCP-MD5

2006-06-23 Thread Iljitsch van Beijnum


On 24-jun-2006, at 0:43, Owen DeLong wrote:

> Why couldn't the network device do an AH check in hardware before
> passing the packet to the receive path?  If you can get to a point
> where all connections or traffic TO the router should be AH, then,
> that will help with DOS.


If you care that much, why don't you just add an extra loopback  
address, give it an RFC 1918 address, have your peer talk BGP towards  
that address and filter all packets towards the actual interface  
address of the router?


The chance of an attacker sending an RFC 1918 packet that ends up at  
your router is close to zero and even though the interface address  
still shows up in traceroutes etc it is bullet proof because of the  
filters.


(This works even better with IPv6 link local addresses, those are  
guaranteed to be unroutable.)


Re: key change for TCP-MD5

2006-06-23 Thread Patrick W. Gilmore


On Jun 23, 2006, at 7:17 PM, Iljitsch van Beijnum wrote:

> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
> > Why couldn't the network device do an AH check in hardware before
> > passing the packet to the receive path?  If you can get to a point
> > where all connections or traffic TO the router should be AH, then,
> > that will help with DOS.
>
> If you care that much, why don't you just add an extra loopback
> address, give it an RFC 1918 address, have your peer talk BGP
> towards that address and filter all packets towards the actual
> interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up
> at your router is close to zero and even though the interface
> address still shows up in traceroutes etc it is bullet proof
> because of the filters.


Why is this better than using the TTL hack?  Which is easier to  
configure, and at least as secure.


--
TTFN,
patrick


Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Michael . Dillon

> The Business Roundtable, composed of the CEOs of 160 large U.S.
> companies, said neither the government nor the private sector has a
> coordinated plan to respond to an attack, natural disaster or other
> disruption of the Internet. While individual government agencies and
> companies have their own emergency plans in place, little coordination
> exists between the groups, according to the study.

I don't believe that this is entirely true. I think that
there is a lot of coordination between companies at an
industry level, for instance the automotive industry or
the financial services industry. This coordination doesn't
get much visibility outside of the industry concerned
but that doesn't mean that it isn't there. In fact, I
strongly suspect that visibility of this coordination
does not often reach the CEO level in these companies
because much of the coordination is between specialist
groups within the companies. Does your CEO know that
you participate in NANOG?

One might even venture to suggest that there is no
point in coordinating emergency plans between companies
who have little or no direct business relationships
unless it is at a metropolitan level, i.e. New York
area businesses, Los Angeles area businesses. After 
all, why should NY businesses plan for earthquakes
and why should LA plan for a hurricane?

--Michael Dillon



Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Jake Khuon

### On Fri, 23 Jun 2006 09:09:19 -0700, Warren Kumari [EMAIL PROTECTED]
### casually decided to expound upon Jason Gauthier [EMAIL PROTECTED]
### the following thoughts about Re: Who wants to be in charge of the
### Internet today?:

WK> My favorite was always the (potential) customers who would call up
WK> and ask Can I get the Internet in my house? -- I would always
WK> answer That depends, how big is your house?, but they NEVER got
WK> it...

They have the Internet on computers now!? - Homer Simpson


--
/*===[ Jake Khuon [EMAIL PROTECTED] ]==+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | | --- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
 +=*/


Multihomed to 2 ISPs - Load Balance?

2006-06-23 Thread John Smith

Hi Fellow Nanogers:

I searched the archives and could not find anything that really matches my 
requirement. I have been stalking this mailing list for quite some time and 
it's extremely rare that I post.

We are multihomed and connected to the Internet via two upstream providers. The 
initial idea was to get more bandwidth and redundancy. Now, we're past this 
stage and want to try out something different.

Please note that we also provide transit services to a few downstream providers.

We wish to load balance the traffic for a block/range of IP addresses that we 
learn via BGP4 from our two upstream providers. The problem is that my favorite 
vendor does not let me install ECMP routes in the case of routes learnt from 
external BGP peers. Assuming that we are able to install EBGP ECMP routes, how 
do we advertise this information to our downstream peers? As far as my working 
knowledge of BGP4 goes, it wouldn't let me do this.

I wish to understand how other network operators do this.

You can, if you wish, send me a message offline and I will collate all the 
information that I receive and send out a consolidated reply for the benefit of 
others to this mailing list.
 
Thanks,
John