Re: Testing procedures for new network implementation?

2004-08-11 Thread Rafi Sadowsky


Hi Rick 

 You seem slightly confused:

All the URLs you sent are for 10/100 Ethernet switches/hubs
(I inserted the relevant title below each URL)

-- 
Rafi

## On 2004-08-11 10:39 -0400 Ricardo "Rick" Gonzalez typed:

R"G> 
R"G> Wayne,
R"G> 
R"G> My organization has recently switched from a similar infrastructure to
R"G> the following:
R"G> 
R"G> Core: http://www.svec.com/PRODUCTS/fd800ds/FD800DS2.htm
FD800DS 8-port Dual Speed Hub 

R"G> Distribution layer: http://www.svec.com/Products/FD521EDS.HTM
FD521 5-port Fast Ethernet Switch

R"G> Wire closet: http://www.svec.com/Products/fd510eds.htm
FD510 5-Port Fast Ethernet Hub 

R"G> 
R"G> We have seen a noticeable increase in performance, ROI, and
R"G> manageability following the migration away from the prior 3Com
R"G> solution.  If you have any implementation-specific questions, please
R"G> mail me off list and I'll do my best to answer them.
R"G> 
R"G> With regards,
R"G> ---Rico
R"G> 



Re: "Default" Internet Service

2004-06-13 Thread Rafi Sadowsky


 How the H*** did "Hitler and Nazis" relate to the subject ???

Susan 

-- 
Rafi

## On 2004-06-13 16:08 +0100 Per Gregers Bilse typed:

PGB> 
PGB> 
PGB> Anybody care to mention Hitler and Nazis?  Yes?  Please?  Pretty please?
PGB> 
PGB>   -- Per
PGB> 
PGB> 



Re: IT security people sleep well

2004-06-07 Thread Rafi Sadowsky


## On 2004-06-07 10:29 -0400 Daniel Corbe typed:

DC> 
DC> 
DC> You have to have an IOS image with the 3DES feature set to run ssh

 Not quite: single DES will do fine 
(if you use an SSH client that supports it)

-- 
Rafi

DC> 
DC> Edward B. Dreger wrote:
DC> 
DC> >DS> Date: Thu, 03 Jun 2004 17:56:55 -0400
DC> >DS> From: Daniel Senie
DC> >
DC> >
DC> >DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh
DC> >DS> support in the basic loads that I can find. Telnet is the
DC> >DS> only way in other than the console port.

 True for (at least) 72XX and 75XX as well 
SSH support is definitely in the "IP IPSEC" (or SP/SSH ;-) feature sets 

DC> >
DC> >Correct.  One must shell out more money for a bigger feature set
DC> >to obtain SSH.  I don't recall specifics off the top of my head,
DC> >and don't have a javascript-cable machine handy to use Feature
DC> >Navigator[*], but certain { feature sets | trains } only support
DC> >SSHv1.
DC> >
DC> >[*] Quick gripe: Did anyone at Cisco ever consider that people
DC> >might like to use Feature Navigator without javascript?
DC> >What's next?  Mandatory Flash Player?
DC> >
DC> >
DC> >Eddy



Re: [Fwd: [IP] New flaw takes Wi-Fi off the air]

2004-05-14 Thread Rafi Sadowsky

## On 2004-05-13 21:43 -0400 [EMAIL PROTECTED] typed:

> 
> 
> Any bets on what will be rediscovered next?  Some CERT will realize that
> if a DDoS uses RFC1918 source addresses, it will be hard to track down the
> misbehaving sources? ;)
> 

 No - then someone would have to re-invent backscatter analysis ... ;-)


-- 
Rafi




RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 orother vendor ?

2004-04-27 Thread Rafi Sadowsky


## On 2004-04-26 10:31 +0100 Stephen J. Wilcox typed:

SJW> On Sun, 25 Apr 2004, Alexander Hagen wrote:
SJW> 
SJW> > I was surprised by the similarities between the 7507 and 7513. Why EOL
SJW> > the one device that has a pleasing form factor ? There are MANY
SJW> > providers who would be quite happy with ~ 600 mbps? That's a lot of
SJW> > billings...
SJW> 
SJW> >From past experience there is no way you can get a 7507 to switch 600Mbps..
SJW> 

 I'm not sure who wrote the above line - but since the 7507 and 7513 are
basically the same (other than the number of slots),
the (long) appended stats are from a 7513 that exceeds 600Mbps every day


Traffic aggregate MRTG stats (24 hours of 5 minute averages)

Max  In:  718.5 Mb/s (44.4%)   Average  In:  427.0 Mb/s (26.4%)   Current  In:  426.4 Mb/s (26.4%)
Max  Out: 636.6 Mb/s (39.4%)   Average  Out: 382.9 Mb/s (23.7%)   Current  Out: 383.6 Mb/s (23.7%)

===  
C7513>sh hard
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(19)S4, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 24-Jun-03 15:04 by nmasa
Image text-base: 0x60010968, data-base: 0x60E66000

ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
BOOTLDR: RSP Software (RSP-K3PV-M), Version 12.0(19)S4, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc1)

C7513 uptime is 32 weeks, 21 hours, 16 minutes
System returned to ROM by reload at 03:14:23 IDT Tue Sep 16 2003
System restarted at 02:15:58 IST Tue Sep 16 2003
System image file is "slot0:rsp-k3pv-mz.120-19.S4.bin"
Host configuration file is "tftp://CENSORED/XXX/C7513-confg";

cisco RSP8 (R7000) processor with 131072K/8216K bytes of memory.
R7000 CPU at 250Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3 Cache
Last reset from power-on
G.703/E1 software, Version 1.0.
G.703/JT2 software, Version 1.0.
X.25 software, Version 3.0.0.
Chassis Interface.
1 VIP2 R5K controller (1 FastEthernet).
7 VIP4-80 RM7000 controllers (12 Serial)(5 ATM)(6 POS).
1 FastEthernet/IEEE 802.3 interface(s)
12 Serial network interface(s)
5 ATM network interface(s)
6 Packet over SONET network interface(s)
2043K bytes of non-volatile configuration memory.

20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
16384K bytes of Flash internal SIMM (Sector size 256K).
No slave installed in slot 7.
Configuration register is 0x102


C7513>sh proc cpu | exc 0\.00%__0
CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  4727767224 429797799 64  0.08%  0.09%  0.08%   0 IP Input

C7513>sh contr vip all t | inc ^(CPU|VIP)

VIP-Slot0 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 44%/43%; one minute: 43%; five minutes: 42%
VIP-Slot1 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 1%/0%; one minute: 0%; five minutes: 0%
VIP-Slot2 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 46%/45%; one minute: 48%; five minutes: 49%
VIP-Slot3 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 13%/12%; one minute: 13%; five minutes: 13%
VIP-Slot8 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 60%/60%; one minute: 61%; five minutes: 62%
VIP-Slot9 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 48%/48%; one minute: 49%; five minutes: 49%
VIP-Slot10 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 4%/3%; one minute: 4%; five minutes: 4%
VIP-Slot11 uptime is 21 weeks, 6 days, 18 hours, 41 minutes
CPU utilization for five seconds: 14%/14%; one minute: 13%; five minutes: 13%


C7513>sh int | inc (_rate_[1-9]|^[A-Z][A-Za-z]+[0-9]+/[0-9]+/[0-9]+_.*line_protocol_is_up)

ATM0/0/0 is up, line protocol is up
  30 second input rate 37934000 bits/sec, 10756 packets/sec
  30 second output rate 45111000 bits/sec, 12439 packets/sec
POS0/1/0 is up, line protocol is up
  5 minute input rate 1734 bits/sec, 4829 packets/sec
  5 minute output rate 59077000 bits/sec, 17200 packets/sec
FastEthernet1/1/0 is up, line protocol is up
ATM2/0/0 is up, line protocol is up
  30 second input rate 69443000 bits/sec, 21261 packets/sec
  30 second output rate 67462000 bits/sec, 17687 packets/sec
ATM2/1/0 is up, line protocol is up
  30 second input rate 20964000 bits/sec, 4081 packets/sec
  30 second output rate 1164 bits/sec, 3242 packets/sec
Serial3/0/0 is up, line protocol is up
  5 minute input rate 9625000 bits/sec, 2163 packets/sec
  5 minute output rate 9327000 bits/sec, 2131 packets/sec
Serial3/0/1 is up, line protocol is up
  5 minute input rate 9464000 bits/sec, 1927 packets/sec
  5 minute output rate 4633000 bits/sec, 1405 packets/sec
POS3/1/0 is up,
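To make the aggregate claim checkable from this kind of filtered `show interfaces` output, here is an added Python example (not part of the original post) that parses interface/rate lines like the ones quoted above into per-interface records, sums them, and notes when 30-second and 5-minute load-interval averages are being mixed. The sample text is a constructed copy of a few of the quoted lines, including the truncated last one.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample: the shape of the filtered "sh int | inc ..." output quoted
# above (values are the quoted ones; the truncated last line is kept on purpose).
SAMPLE_SHOW_INT = """\
ATM0/0/0 is up, line protocol is up
  30 second input rate 37934000 bits/sec, 10756 packets/sec
  30 second output rate 45111000 bits/sec, 12439 packets/sec
POS0/1/0 is up, line protocol is up
  5 minute input rate 1734 bits/sec, 4829 packets/sec
  5 minute output rate 59077000 bits/sec, 17200 packets/sec
FastEthernet1/1/0 is up, line protocol is up
ATM2/0/0 is up, line protocol is up
  30 second input rate 69443000 bits/sec, 21261 packets/sec
  30 second output rate 67462000 bits/sec, 17687 packets/sec
Serial3/0/0 is up, line protocol is up
  5 minute input rate 9625000 bits/sec, 2163 packets/sec
  5 minute output rate 9327000 bits/sec, 2131 packets/sec
POS3/1/0 is up,
"""

# "<name> is <state>, line protocol is <proto>"; the protocol part is optional so a
# line that was cut off (as in the quoted capture) still parses, flagged incomplete.
IFACE_RE = re.compile(
    r"^(?P<name>[A-Z][A-Za-z]+\d+(?:/\d+)*) is (?P<state>\S+?),?"
    r"(?: line protocol is (?P<proto>\S+))?$"
)
# "  30 second input rate N bits/sec, M packets/sec"; the window is the load-interval
RATE_RE = re.compile(
    r"^\s+(?P<window>\d+ (?:second|minute)) (?P<direction>input|output) rate "
    r"(?P<bps>\d+) bits/sec, (?P<pps>\d+) packets/sec$"
)


@dataclass
class IfaceRates:
    name: str
    state: str
    proto: Optional[str]          # None when the interface line was truncated
    window: Optional[str] = None  # load-interval the averages were taken over
    in_bps: Optional[int] = None
    in_pps: Optional[int] = None
    out_bps: Optional[int] = None
    out_pps: Optional[int] = None

    @property
    def complete(self) -> bool:
        return self.proto is not None


def parse_show_int(text: str) -> Dict[str, IfaceRates]:
    """Parse filtered 'show interfaces' output into per-interface rate records."""
    result: Dict[str, IfaceRates] = {}
    current: Optional[IfaceRates] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = IFACE_RE.match(raw)
        if m:
            current = IfaceRates(m["name"], m["state"], m["proto"])
            result[current.name] = current
            continue
        m = RATE_RE.match(raw)
        if m:
            if current is None:
                raise ValueError(f"rate line before any interface line: {raw!r}")
            current.window = m["window"]
            prefix = "in" if m["direction"] == "input" else "out"
            setattr(current, f"{prefix}_bps", int(m["bps"]))
            setattr(current, f"{prefix}_pps", int(m["pps"]))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return result


def aggregate(ifaces: Dict[str, IfaceRates]) -> dict:
    """Sum the per-interface rates and record which averaging windows were mixed."""
    in_bps = sum(i.in_bps for i in ifaces.values() if i.in_bps is not None)
    out_bps = sum(i.out_bps for i in ifaces.values() if i.out_bps is not None)
    windows: Set[str] = {i.window for i in ifaces.values() if i.window}
    return {"in_bps": in_bps, "out_bps": out_bps, "windows": windows}


if __name__ == "__main__":
    parsed = parse_show_int(SAMPLE_SHOW_INT)
    for i in parsed.values():
        print(f"{i.name:18} in={i.in_bps} out={i.out_bps} "
              f"window={i.window} complete={i.complete}")
    agg = aggregate(parsed)
    print(f"total in {agg['in_bps'] / 1e6:.1f} Mb/s, out {agg['out_bps'] / 1e6:.1f} Mb/s, "
          f"windows seen: {sorted(agg['windows'])}")
```

The interfaces with no rate lines (the FastEthernet port, and the truncated POS3/1/0 entry) are kept with `None` values rather than silently dropped, so the sum can be read alongside the list of what it does not cover.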

RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 orother vendor ?

2004-04-25 Thread Rafi Sadowsky


Hi Alexander 

 I'm not sure what you're trying to say.
You asked why the Cisco website tool won't give you a 7505 as a config
option; I replied that it's EOL, with a quote from the Cisco website.

 All I see in the HTML table you sent is that the 7507 (or 7513) is better
than a 7505 - is there a non-obvious point I missed ?


-- 
Regards
Rafi


## On 2004-04-25 06:33 -0700 Alexander Hagen typed:

AH> 
AH> Specifications
AH> 
AH> Feature                        | Cisco 7505                 | Cisco 7507                 | Cisco 7513
AH> Fixed Ports                    | None                       | Same as Cisco 7505         | Same as Cisco 7505
AH> Expansion Slots                | 5                          | 7                          | 13
AH> WAN Interface Range            | DS0 to OC-12               | Same as Cisco 7505         | Same as Cisco 7505
AH> Processor                      | MIPS RISC Processor        | Same as Cisco 7505         | Same as Cisco 7505
AH> Forwarding Rate                | Up to 1.1 Mpps             | Up to 2.2 Mpps             | Up to 2.2 Mpps
AH> Backplane Capacity             | 1 Gbps                     | 2 Gbps                     | 2 Gbps
AH> Flash PCMCIA Memory            | 16MB (expandable to 128MB) | Same as Cisco 7505         | Same as Cisco 7505
AH> System DRAM Memory             | 32MB (expandable to 1GB)   | Same as Cisco 7505         | Same as Cisco 7505
AH> Minimum Cisco IOS Release      | 11.3                       | Same as Cisco 7505         | Same as Cisco 7505
AH> Internal Power Supply          | AC or DC                   | AC, dual AC/DC, or dual DC | AC, dual AC/DC, or dual DC
AH> Redundant Power Supply Support | No                         | Yes                        | Yes
AH> Chassis Size                   | 6 RU                       | 13 RU                      | 20 RU
AH> Rack Mountable                 | Yes, up to 6 per rack      | Yes, up to 3 per rack      | Yes, up to 2 per rack
AH> Dimensions (HxWxD)             | 10.5 x 17.5 x 17 in.       | 19.25 x 17.5 x 25 in.      | 33.75 x 17.5 x 22 in.
AH> 
AH> 
AH> Alexander Hagen
AH> Etheric Networks Incorporated, A California Corporation
AH> 527 Sixth Street No 371261
AH> Montara CA 94037
AH> Main Line: (650)-728-3375
AH> Direct Line: (650) 728-3086
AH> Cell: (650) 740-0650 (Does not work at our office in Montara)
AH> Home: (Emgcy or weekends) 650-728-5820
AH> fax: (650) 240-1750
AH> http://www.etheric.net
AH> 
AH> -Original Message-
AH> From: Rafi Sadowsky [mailto:[EMAIL PROTECTED] 
AH> Sent: Sunday, April 25, 2004 12:25 PM
AH> To: Alexander Hagen
AH> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
AH> Subject: RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 orother vendor ?
AH> 
AH> ## On 2004-04-25 06:06 -0700 Alexander Hagen typed:
AH> 
AH> AH> 
AH> AH> It is a great box. But I need BGP. I notice Cisco does not support 7505
AH> AH> with Software Advisor but does 7507 whats the deal with that ?
AH> 
AH>  That would probably be that the 7505 is EOL(End Of Life)
AH> 
AH> <http://www.cisco.com/en/US/products/hw/routers/ps359/prod_eol_notice09186a00801dcba7.html>
AH> 
AH>  Cisco Systems® announces the end of life of the Cisco® 7505 Series Router
AH> chassis. Note: This end-of-life announcement does not affect the Cisco
AH> 7507 and 7513 chassis. The Cisco 7507 and 7513 will remain orderable. The
AH> last day to order the Cisco 7505 is June 30, 2004. Customers will continue
AH> to receive support from the Cisco Technical Assistance Center (TAC) until
AH> June 30, 2009. Table 1 describes the end-of-life milestones, definitions,
AH> and dates for the Cisco 7505. Table 2 lists the part numbers for affected
AH> products
AH> 



RE: Cisco Router best for full BGP on a sub 5K bidget 7500 7200 orother vendor ?

2004-04-25 Thread Rafi Sadowsky



## On 2004-04-25 06:06 -0700 Alexander Hagen typed:

AH> 
AH> It is a great box. But I need BGP. I notice Cisco does not support 7505
AH> with Software Advisor but does 7507 whats the deal with that ?

 That would probably be that the 7505 is EOL (End Of Life)



 Cisco Systems® announces the end of life of the Cisco® 7505 Series Router
chassis. Note: This end-of-life announcement does not affect the Cisco
7507 and 7513 chassis. The Cisco 7507 and 7513 will remain orderable. The
last day to order the Cisco 7505 is June 30, 2004. Customers will continue
to receive support from the Cisco Technical Assistance Center (TAC) until
June 30, 2009. Table 1 describes the end-of-life milestones, definitions,
and dates for the Cisco 7505. Table 2 lists the part numbers for affected
products.



-- 
HTH,
Rafi



Re: Overflow circuit

2004-03-27 Thread Rafi Sadowsky


## On 2004-03-27 19:30 -0800 Alexei Roudnev typed:

AR> 
AR> It means, that satellite (with it's 1 second delay and unavoidable echo)

 Geosynchronous satellite IP link RTT can be just over 500 milli-sec 
(real life experience); IMHO that's a rather significant difference  

-- 

Rafi




Re: who offers cheap (personal) 1U colo?

2004-03-15 Thread Rafi Sadowsky


## On 2004-03-14 11:58 - Simon Lockhart typed:

SL>  
SL> If someone can point me to Virtual Solaris Machine, then I'd willingly offer
SL> that as a service (the colo I help run as a "hobby" is Sun only).

 AFAIK that will be in Solaris 10 -
See "N1 Grid Containers" on 

 You can get a non-supported preview for free
(or pay 99$ for one year of support)


-- 
HTH,
Rafi


SL> 
SL> The reason people are doing it on Linux is that it's available. (And, in the
SL> case of LVM, free)
SL> 
SL> Simon
SL> 



Re: BL of Compromised Hosts?

2004-02-22 Thread Rafi Sadowsky


## On 2004-02-22 19:20 +0100 Daniel Concepcion typed:

DC> 
DC> 
DC> Hi Deepak,
DC> 
DC> Check 
DC> http://www.cymru.com/BGP/bogon-rs.html
DC> They are doing a good job in this issue.

 Not quite - that is a list of BOGON networks
(such as non-allocated, private (RFC1918), ... ) 

 You're probably thinking of a non-public service run by the same people;
you may want to ask them off-list about that 

DC> 
DC> Regards,
DC> Daniel
DC> 
DC> >
DC> > If this is already done and I don't have a good set of skills with
DC> > Google, please let me know.

 non-public stuff shouldn't be on Google ...


-- 

Rafi

DC> >
DC> > Thanks in advance,
DC> >
DC> > Deepak Jain
DC> > AiNET
DC> 



Re: Nachi/Welchia Aftermath

2004-01-21 Thread Rafi Sadowsky


## On 2004-01-20 20:02 -0800 Tom (UnitedLayer) typed:

T(> 
T(> On Tue, 20 Jan 2004, Rubens Kuhl Jr. wrote:
T(> > Not all L3-switches are flow-based; prefix-based ones should do just fine.
T(> > Can people add/correct this initial list ?
T(> >
T(> > Flow-based: Foundry with IronCore modules, Cisco Catalyst 6500 with Sup1(A)
T(> > Prefix-based: Foundry with JetCore modules, Cisco Catalyst 6500/7600 with
T(> > Sup2(A), Sup3(A/BXL)
T(> 
T(> The 2948G-L3 and the 4908G-L3 I believe are Prefix/ASIC based.
T(> I believe the 3550-EMI is as well, but I'm not familiar with that
T(> equipment.
T(> 
T(> 

 Anyone know about the:
  Cisco Catalyst 3750 ?
  Nortel Passport 8600/1600 ?

 As for the 3550-EMI: in "real life" experience as a 10/100BT aggregation switch
it wasn't affected at all (CPU <5%) by rather aggressive scanning, but it did
generate around 11 Mb/sec of ARP requests on all the 100Mb/sec ports in the same
VLAN and totally killed connectivity to legacy equipment connected at 10 Mb/s ...

-- 
Thanks!
Rafi




Re: router design (was Re: /24s run amuck)

2004-01-17 Thread Rafi Sadowsky


## On 2004-01-13 14:35 -0500 Richard A Steenbergen typed:

RAS> 
RAS> 
RAS> As far as pricing for these things goes, let us take an example here... 
RAS> The Juniper routing engine is actually a 6U blade server on it's side:
RAS> 
RAS> 
http://www.kontron.com/products/pdproductsubcategory.cfm?keyProductCategory=3&kps=681
RAS> 

 Highly Informational URL ;-) 
==
 Error Occurred While Processing Request
Element KEYSITEREGION is undefined in COOKIE.
 
Please try the following:

 * Enable Robust Exception Information to provide greater detail about
the source of errors. In the Administrator, click Debugging & Logging >
Debugging Settings, and select the Robust Exception Information option.

 * Check the ColdFusion documentation to verify that you are using the
correct syntax.

 * Search the Knowledge Base to find a solution to your problem.

 Browser Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7

 Remote Address XXX.XXX.2.210

 Referrer   

 Date/Time  17-Jan-04 03:03 AM


-- 
Rafi



Re: Cachibility analysis software ?

2003-12-30 Thread Rafi Sadowsky


HN> >
HN> >Go to http://www.ircache.net/ and click on the "cachability checker"
HN> >link in the left navigation menu.
HN> 
HN> Or: http://www.mnot.net/cacheability/
HN> 
HN> -Hank
HN> 

 Or:

   

-- 
Rafi



[OT] RE: Extreme BlackDiamond

2003-10-14 Thread Rafi Sadowsky


## On 2003-10-14 21:51 -0700 Michel Py typed:

MP> 
MP> > Vivien M. wrote:
MP> > it does look like Randy hit the bounce option in pine
MP> 
MP> A bounce that does not say "undeliverable"?
MP> 

 That would be a manual bounce (that is, a resend with the same headers/body)
and _not_ an MTA bounce

-- 
Rafi



Re: VeriSign Capitulates

2003-10-03 Thread Rafi Sadowsky


## On 2003-10-03 15:56 -0400 Sean Donelan typed:

SD> 
SD> 
SD> > "Without so much as a hearing, ICANN today formally asked us to shut down
SD> > the Site Finder service," said VeriSign spokesman Tom Galvin. "We will
SD> > accede to their request while we explore all of our options."
SD> 
SD> Uhm, was that the same hearing Verisign didn't have prior to instigating
SD> their actions?

 Why should they need a hearing ? 

 IMHO the ICANN demand is only to remove the wildcard DNS pointers to the
"Site Finder" service and they're completely free to point say "*.verisign.com" 
to their "Site Finder" (Which they're free to leave running as long as
they want ;-)
 
-- 
Regards, 
Rafi



Re: Any way to P-T-P Distribute the RBL list

2003-09-28 Thread Rafi Sadowsky


Hi Rik 

 You may want to have a look at "Vipul's Razor"

Specifically:
(from:  feature #8)

Truth Evaluation System (TeS) 

 Razor v2 has a transparent, back-end component known as TeS. TeS is a
combination of a reputation system and pattern recognition heuristics
that assigns trust to reporters and confidence values (between 0-100)
to every signature. Users can set an acceptable confidence level in
their Razor configuration. The server also publishes a recommended
confidence level. TeS has been designed to eliminate false positives
of legit bulk email that were occasionally generated by bad reports
in Razor v1.



General overview:
 

---
May 16,2003 - Razor-agents 2.36 released!

The release of Vipul's Razor v2.36 is now available for public
download. The software is comprised of two source packages, razor-agents
and razor-agents-sdk that can be downloaded by following these links:

* razor-agents-sdk-2.03
* razor-agents-2.36

What is Vipul's Razor?

Vipul's Razor is a distributed, collaborative, spam detection and
filtering network. Through user contribution, Razor establishes a
distributed and constantly updating catalogue of spam in propagation that
is consulted by email clients to filter out known spam. Detection is done
with statistical and randomized signatures that efficiently spot mutating
spam content. User input is validated through reputation assignments based
on consensus on report and revoke assertions which in turn is used for
computing confidence values associated with individual signatures.

-- 
Rafi

## On 2003-09-27 12:04 -0400 Rik van Riel typed:

RvR> 
RvR> On Thu, 25 Sep 2003, Stewart, William C (Bill), RTSLS wrote:
RvR> 
RvR> > Distributing an RBL list is the easy part.
RvR> 
RvR> Why stop there ?
RvR> 
RvR> The generating of the list itself can be a P2P thing too.
RvR> 
RvR> You could peer with a group of people you trust and exchange the
RvR> list of IP addresses that send crap into each other's spamtraps.
RvR> 
RvR> Then block IP addresses that have sent crap (measured by SA?) into
RvR> the spamtraps of multiple people, or come up with other nice metrics.
RvR> 
RvR> I'm sure you can come up with all kinds of tricks here.
RvR> 
RvR> I started a project with this goal a while ago, but to my shame it
RvR> still hasn't moved beyond the "spamtrap fed blocklist" stage yet,
RvR> we simply haven't gotten around to writing the p2p parts yet. ;(
RvR> 
RvR> I'd appreciate help though ;)
RvR> 
RvR>http://spamikaze.nl.linux.org/
RvR> 
RvR> Rik
RvR> 
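The two ideas in this thread, Rik's "block addresses that hit the spamtraps of multiple peers" and Razor's reporter trust with 0-100 confidence values and report/revoke assertions, combine into a small consensus blocklist builder. This is an added illustration, not Razor's actual TeS and not Spamikaze code: the noisy-OR trust combination, the peer names, the trust values and the assertion list are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping, Set, Tuple

# Constructed sample: spamtrap assertions exchanged among a trusted peer group.
# Each tuple is (peer, source_ip, assertion); assertion is "report" or "revoke".
SAMPLE_ASSERTIONS: List[Tuple[str, str, str]] = [
    ("peer-a", "192.0.2.10", "report"),
    ("peer-b", "192.0.2.10", "report"),
    ("peer-c", "192.0.2.10", "report"),
    ("peer-a", "192.0.2.20", "report"),   # only one peer saw this source
    ("peer-b", "192.0.2.30", "report"),
    ("peer-c", "192.0.2.30", "report"),
    ("peer-b", "192.0.2.30", "revoke"),   # peer-b later withdrew its report
    ("peer-d", "192.0.2.40", "report"),   # two low-trust peers agree
    ("peer-e", "192.0.2.40", "report"),
]

# Constructed reporter trust values in [0, 1]. In Razor's terms these would come
# from the reputation system; here they are fixed inputs to the example.
PEER_TRUST: Dict[str, float] = {
    "peer-a": 0.9, "peer-b": 0.8, "peer-c": 0.7, "peer-d": 0.2, "peer-e": 0.2,
}


def effective_reports(assertions: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Apply assertions in order; a later revoke from a peer cancels that peer's report."""
    reporters: Dict[str, Set[str]] = defaultdict(set)
    for peer, ip, kind in assertions:
        if kind == "report":
            reporters[ip].add(peer)
        elif kind == "revoke":
            reporters[ip].discard(peer)
        else:
            raise ValueError(f"unknown assertion type {kind!r}")
    return {ip: peers for ip, peers in reporters.items() if peers}


def confidence(peers: Iterable[str], trust: Mapping[str, float]) -> int:
    """Combine distinct reporters' trust with a noisy-OR and scale to 0-100.

    This is the example's own simplification: each reporter independently has
    probability trust[p] of being right, so P(spam) = 1 - prod(1 - trust[p]).
    Unknown peers contribute nothing (trust 0).
    """
    p_none_right = 1.0
    for peer in peers:
        p_none_right *= 1.0 - trust.get(peer, 0.0)
    return round(100 * (1.0 - p_none_right))


def build_blocklist(
    assertions: Iterable[Tuple[str, str, str]],
    trust: Mapping[str, float],
    min_confidence: int = 80,
    min_peers: int = 2,
) -> Tuple[List[str], Dict[str, Tuple[int, int]]]:
    """Return (sorted blocklist, {ip: (confidence, distinct_reporters)}).

    An address is blocked only when the weighted confidence reaches the user's
    acceptable level AND it was reported by at least min_peers distinct peers,
    which is the "multiple people" rule from the thread.
    """
    scored: Dict[str, Tuple[int, int]] = {}
    for ip, peers in effective_reports(assertions).items():
        scored[ip] = (confidence(peers, trust), len(peers))
    blocked = sorted(
        ip for ip, (conf, n) in scored.items()
        if conf >= min_confidence and n >= min_peers
    )
    return blocked, scored


if __name__ == "__main__":
    blocked, scored = build_blocklist(SAMPLE_ASSERTIONS, PEER_TRUST)
    for ip, (conf, n) in sorted(scored.items()):
        print(f"{ip:12} confidence={conf:3d} reporters={n} blocked={ip in blocked}")
```

With the sample data, 192.0.2.20 is kept off the list despite a 90 confidence because a single reporter is not consensus, and 192.0.2.40 stays off because two low-trust peers agreeing only reaches 36.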



Re: Home Storage Area Network security

2003-09-21 Thread Rafi Sadowsky


Hi Sean


## On 2003-09-21 17:58 -0400 Sean Donelan typed:

SD> 
SD> I received a few comments about file servers not serving files by default.
SD> 
SD> There are a bunch of home SAN products on the market.  They are designed
SD> to make it very easy for customers to set up and use a home storage area
SD> network.
SD> 

  IMHO you got the terminology wrong - these are nice NAS (Network 
Attached Storage) devices, not SAN

 SAN (as in Fibre Channel or possibly iSCSI over GigE) is a touch expensive
for SOHO (typically starting off in the 5-digit (US$) range)

-- 
Thanks
Rafi





Re: change to the COM and NET TLD

2003-09-16 Thread Rafi Sadowsky


Hi Neil

 Maybe I'm being naive (or silly ;-)
but wouldn't complaining to FTC.gov be more effective ?

 
--
Thanks, 
Rafi


## On 2003-09-16 08:40 +0100 Neil J. McRae typed:

NJM> 
NJM> Dear Incredibly Bright Chaps over at Verisign,
NJM> 
NJM> I accidentally typed www.msnnn.net and
NJM> was redirected to a page that displayed your Terms
NJM> of Use for a platform that I have not signed up for, nor
NJM> do I wish to be signed up for:
NJM> 
NJM> ---
NJM> AGREEMENT TO BE BOUND.
NJM> By using the service(s) provided by VeriSign under these Terms of
NJM> Use, you acknowledge that you have read and agree to be bound by
NJM> all terms and conditions here in and documents incorporated by
NJM> reference.
NJM> 
NJM> 
NJM> I do not wish to be bound to your terms and I do not agree
NJM> with them. Please take this as notice of such.
NJM> 
NJM> Please can you remove the configuration that forces me to use
NJM> your "superb" service that is liable to cause more confusion for
NJM> net users who have eyes in their head and can see that they
NJM> have mis-typed something.
NJM> 
NJM> I do not wish to be bound to your terms of use as I do not wish
NJM> to use your service. You are forcing me to use this service by
NJM> the incredibly short sighted deployment of a wildcard domain
NJM> record for the NET TLD. Please confirm that you will remove
NJM> this configuration as soon as possible, there by not forcing me
NJM> to agree to terms for something that I don't want.
NJM> 
NJM> Regards,
NJM> Neil.
NJM> 



Off-topic followups [Was: Re: East Coast outage?]

2003-08-18 Thread Rafi Sadowsky


Hi Guys

 I must say I'm enjoying all of these fascinating off-topic followups,
but isn't it about time to move this discussion to [EMAIL PROTECTED] ?

-- 
Thanks,
Rafi


-- 
Rafi Sadowsky [EMAIL PROTECTED]
 Network Operations Center  | VoiceMail: +972-3-646-0592   FAX: +972-3-646-0454
  ILAN - IUCC -I2(Israel)   | FIRST-REP  ILAN-CERT([EMAIL PROTECTED])
(Israeli Academic Network)  | (PGP key -> )  http://telem.openu.ac.il/~rafi


## On 2003-08-18 02:22 -0700 Vadim Antonov typed:

VA> 
VA> On Sun, 17 Aug 2003 [EMAIL PROTECTED] wrote:
VA> 
VA> > Use hydrogen. One solar panel (which will last forever unless you drop 
VA> > something on it) can split H2O into H and O.
VA> 
VA> Solar panels do not last forever. In fact, they degrade rather quickly due
VA> to the radiation damage to the semiconductor (older thin film panels were
VA> guaranteed to perform within specs for 2-5 years, new crystalline ones
VA> stay within nominal parameters for 20 years).  Lifetimes of hydrogen
VA> storage products, and electrolytic converters are also limited.  Note that
VA> exploitation of those involve creation and eventual disposal of toxic compounds.
VA> 
VA> Making those panels requires energy, and involves processes producing
VA> pollition.  So does their disposal. Besides, solar panels convert
VA> visible-light high-energy photons (used by the biosphere) into low-energy
VA> (infrared) photons which are a form of pollution, and are useless for the
VA> biosphere.  Fossil fuels and nuclear energy do not steal this source of
VA> negative enthropy from the biospere (just a counterpoint - I'm no big fan
VA> of those ways of producing energy, for different reasons).  Given the
VA> relatively low power density of the solar energy, the full-lifecycle
VA> adjustments are much higher on per-joule basis than for traditional energy
VA> sources.
VA> 
VA> So when you talk about advantages of the solar (or any other renewable
VA> power) you need to take into account the full energy budget (including
VA> manufacturing and disposal) and ecological impact of the entire lifecycle
VA> of the product, not just the generation phase.  Such analysis will likely
VA> show that renewables are not as green or renewable as they seem to be.
VA> 
VA> It seems to me that the debate on superiority of different methods of
VA> producing useable energy is high on emotions and very low on useful
VA> data; it will be a horrible mistake to waste lots of time or resources on
VA> an approach which may turn out to be worse than others in the final
VA> analysis.
VA> 
VA> --vadim
VA> 
VA> PS My personal favourite option is to move power generation out to space,
VA>where pollution will not be a problem for a very long time.
VA> 
VA>This option is technically feasible now, economics and political will
VA>are entirely different matters, however. Quoting from one of my
VA>favourite authors: "...most of people ... were quite unhappy for pretty
VA>much of the time. Many solutions were suggested for this problem, but
VA>most of these were largely concerned with the movements of small green
VA>pieces of paper, which is odd because on the whole it was not the small
VA>green pieces of paper that were unhappy." 
VA> 
VA> 



RE: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Rafi Sadowsky


## On 2003-07-31 09:27 -0400 McBurnett, Jim typed:

MJ> 
MJ> I tend to agree here.
MJ> I have noticed so many attacks etc coming from 
MJ> APNIC as of recent that on our corp network we have an ACL 
MJ> to block a number of APNIC blocks.
MJ> If there was a dynamic method to add null0 routes to
MJ> identified zombies, I think that would help.
MJ> IE. security company A provides a feed  (BGP etc)
MJ> to null route zombies that it has identified.

 You may want to ask Rob Thomas about that
(especially since he was involved in this thread)

MJ> 
MJ> But that opens a whole other can of worms.
MJ> 
MJ> 

-- 
Rafi




Re: Major E-mail Delivery for FTC DNCR Launch

2003-06-25 Thread Rafi Sadowsky


## On 2003-06-25 21:25 -0400 Leo Bicknell typed:

LB> 
LB> 
LB> * Put in the e-mail a clear, short, easy to read over the phone
LB>   link (http://www.yoursite.com/spam.html)

 Oops: this is an existing URL titled "FREE Credit Card Gateway"  :-(


LB>   that describes what
LB>   action on the web site sends these e-mails, how to identify an
LB>   e-mail as actually coming from the site, and where to report any
LB>   sort of mailbombing (back to the first point).
LB> 
LB> 
LB> 

-- 
Rafi



Re: internet.com

2003-03-31 Thread Rafi Sadowsky



## On 2003-03-31 18:14 -1000 Michael Painter typed:

MP> 
MP> Time to get *nix loaded on this new laptop I suppose...what's your favorite 
MP> traceroute prog.?
MP> 
MP> --Michael
MP> 
MP> 

 May I suggest using tcptraceroute ?

-- 
Rafi



Re: NANOG Splinter List (Was: State Super-DMCA Too True)

2003-03-30 Thread Rafi Sadowsky

Hi guys,


 What's wrong with the nanog-offtopic list ?


-- 
Rafi



## On 2003-03-30 14:07 -0500 Jared Mauch typed:

JM> 
JM> 
JM> Hello,
JM> 
JM> Someone write up a list charter for a new list and let me know.
JM> 
JM> I can host such a list.
JM> 
JM> - Jared
JM> 
JM> On Sun, Mar 30, 2003 at 11:04:07AM -0800, todd glassey wrote:
JM> > 
JM> > That's why we need separate lists for them. This is a real
JM> > issue though and its important to the global operations of
JM> > the bigger picture Internet -
JM> > 
[snipped]



Re: Using Policy Routing to stop DoS attacks

2003-03-25 Thread Rafi Sadowsky


## On 2003-03-25 09:06 -0500 Christian Liendo typed:

[snip]
CL> 
CL> Depending on the router and the code, if I implement an access-list then 
CL> the CPU utilization shoots through the roof.
CL> What I would like to try and do is use source routing to route that traffic 
CL> to null. I figured it would be easier on the router than an access-list.
CL> 
CL> Has anyone else tried this successfully on ciscos and junipers?
CL> Is it easier on the CPU than access-lists?

Details ?

 Which Cisco router ? IOS ?
 HW/SW/CEF/netflow/  "IP switching"  ?

 As you seem to have noticed, these "little details" matter ...  

-- 
Rafi





Re: BGP to doom us all

2003-03-04 Thread Rafi Sadowsky

## On 2003-03-04 09:26 - [EMAIL PROTECTED] typed:

> 
> > U it's nice to be able to change routing information in a
> > timely fashion without needing intensive therapy afterward.  The
> > idea isn't inherently bad, but I'd not want the current ARIN
> > acting as a route registry.
> 
> How would you feel about ARIN being the root of a registry hierarchy that 
> works similar to the DNS?

 I hope you meant IANA as the root of the registry ?
ARIN is (just ;-) a RIR just like RIPE or APNIC  

> In that case, ARIN would not necessarily hold 
> the route information, they would just be at the top of the search 
> hierarchy just like the root name servers are at the top of the DNS 
> hierarchy. ARIN would authoritatively identify the leaseholder of an 
> address block and give you a pointer to that leaseholder's LDAP server 
> where you could query for whatever info they have available. This could 
> include route registry info.
> 
> --Michael Dillon


-- 
Rafi




OT: Re: WANAL (Re: What could have been done differently?)

2003-01-28 Thread Rafi Sadowsky

## On 2003-01-28 17:49 - Paul Vixie typed:

PV> 
PV> In any case, all of these makers (including Microsoft) seem to make a very
PV> good faith effort to get patches out when vulnerabilities are uncovered.  I
PV> wish we could have put time bombs in older BINDs to force folks to upgrade,
PV> but that brings more problems than it takes away, so a lot of folks run old
PV> broken software even though our web page tells them not to.
PV> 

Hi Paul,

 What do you think of OpenBSD still installing BIND4 as part of the
default base system, and it being recommended as secure by the OpenBSD FAQ ?
(See Section 6.8.3 in  )

-- 
Thanks
Rafi




Re: Level3 routing issues?

2003-01-25 Thread Rafi Sadowsky



## On 2003-01-25 20:04 - Stephen J. Wilcox typed:

SJW> 
SJW> 
SJW> Heres my advice to the uninitiated. Run linux, run firewalls, disable what you
SJW> dont need and listen to folks who have real world experience.
SJW> 
SJW> Steve
SJW> 
 
 Please don't start a flame war about this but are you implying that the
Major Linux distributions are the "most secure" Unix-like OS 
(at least out of the box) ???


-- 
Thanks
Rafi




[OT]Re: MBONE

2002-12-27 Thread Rafi Sadowsky


Hi Nicolas

 It seems you have an IPv6 tunnel to SWITCH - 
AFAIK they should be getting an MBONE feed via GEANT 

 Why not ask them (since you seem to already have a working arrangement)?

Alternatively try Renater (the French NRN) who is also downstream from GEANT 

-- 
Rafi

## On 2002-12-28 00:33 +0100 Nicolas DEFFAYET typed:

ND> 
ND> Hello,
ND> 
ND> Who can provide me an IPv4 multicast tunnel with a mbgp session ?
ND> 
ND> My multicast router is located at Paris, FR.
ND> 




Re: MBONE

2002-12-27 Thread Rafi Sadowsky



## On 2002-12-28 01:39 +0100 Daniel Roesen typed:

DR> 
DR> 
DR> Why don't you ask on your own continent? Is there any particular
DR> attractive idea behind sending traffic unnecessarily over the Atlantic
DR> which I miss?
DR>

Seems your network(cluenet.de) finds sending traffic that way attractive 

 Otherwise why does traffic from Israel(via Italy) to your website
in Germany go via C&W in the USA ?


-- 
Rafi
 
---
Tracing the route to www.cluenet.de (62.208.181.129)

  1 128.139.216.1 0 msec 0 msec 0 msec
  2 62.40.103.225 [AS 20965] 0 msec 0 msec 0 msec
  3 il.it1.it.geant.net (62.40.96.154) [AS 20965] 52 msec 56 msec 52 msec
  4 so-0-1-0.ar2.LIN1.gblx.net (208.48.23.157) 88 msec 88 msec 88 msec
  5 pos4-0-622M.cr1.LIN1.gblx.net (208.51.236.57) 88 msec 88 msec 88 msec
  6 pos0-0-622M.cr1.WDC2.gblx.net (208.178.174.78) 168 msec 168 msec 168 msec
  7 so1-2-0-2488M.ar1.DCA3.gblx.net (64.214.65.141) 172 msec 168 msec 172 msec
  8 bpr2-so-7-3-0.VirginiaEquinix.cw.net (208.173.50.237) 172 msec 168 msec 172 msec
  9 bpr1-ae0.VirginiaEquinix.cw.net (208.173.50.254) 172 msec 168 msec 172 msec
 10 dcr1-so-4-3-0.Washington.cw.net (208.173.52.114) 172 msec 172 msec 172 msec
 11 bcr1.Frankfurt.cw.net (166.63.194.61) 160 msec
bcr2.Frankfurt.cw.net (166.63.194.62) 160 msec 160 msec
 12 iar1.Frankfurt.cw.net (166.63.194.6) 164 msec 160 msec 160 msec
 13 cable-and-wireless-internal-isp.Frankfurt.cw.net (166.63.198.38) 160 msec 160 msec 160 msec
 14 ge-0-0-0-100-crj2-FFM1.de.cw.net (62.208.244.66) 160 msec 160 msec 164 msec
 15 so-6-0-0-crj2-MUC1.de.cw.net (62.208.240.206) 168 msec 168 msec 168 msec
 16 vlan56-r10-MUC1.de.cw.net (62.208.225.10) 168 msec 348 msec 168 msec
 17 www.cluenet.de (62.208.181.129) 168 msec 272 msec 168 msec
mcast#





Re: Operational Issues with 69.0.0.0/8...

2002-12-09 Thread Rafi Sadowsky

## On 2002-12-09 20:19 -0600 Rob Thomas typed:

RT> 
RT> Hi, Eddy.
RT> 
RT> ] Give Rob Thomas official authority, a paycheck, and the necessary
RT> ] bandwidth. ;-)
RT> 
RT> Hehe!  I'll second that!  :)  No one would support it, though, once they
RT> saw my lousy code.  :)

Hi Rob

 1) I'd take your "lousy" >>>working<<< over "clean" 
bug-riddled code any day ...
(and who says that "closed source" code isn't built from lousy source anyway?)

 2) Would you _really_ want official authority ?

-- 
Regards
Rafi




Re: Spanning tree melt down ?

2002-11-30 Thread Rafi Sadowsky



## On 2002-11-30 15:41 +0100 Jim Segrave typed:

JS> 
JS> I find the reactions on this mailing list disturbing, to say the
JS> least. The rush to judgement about what happened appears to be based
JS> on speculation and assumptions about how this large facility was run,
JS> managed and staffed.
JS> 
JS> As far as I can see, the known facts are:
JS> 
JS> There was an oversize layer 2 network and it broke.
JS> It was hard to repair.
JS> The CTO is a physician on the hospital board who, on first sight,
JS> appears to have considerable qualifications in the IT area.

 I agree except that it's not CTO but rather the CIO

JS> 
JS> The unknowns are:
[snipped  for brevity]

 Many unknowns - no argument here
 
JS> 
JS> 
JS> But people are speculating with no knowledge of the
JS> actual organisation, history, planning, what risk assesment had or had
JS> not been done, or any other information excpet guesses and prejudices
JS> about what they think might have happened and an apparent assumption
JS> that this is all the result of turning over a large enterprise network
JS> to a jumped up physician whose only qualification was running a couple
JS> of Linux boxes on a home network. None of the above unknown issues
JS> have been addressed anywhere.

## On 2002-11-29 23:43 +0200 I typed:
RS> 
RS> 
RS>  Are you suggesting that a CIO at a "huge hospital" (or any other enterprise)
RS> needs to be an expert at LAN/WAN networking, Systems, DBA & Security
RS> rather than a management expert that has a good grasp of the basic IT
RS> issues and understands the core business needs of the enterprise ?
RS> 

 Can you please indicate the assumptions/speculations in the above question?

JS> I hope the posters never pull jury service, as there seems to be a
JS> complete disregard for the idea of gathering facts before passing
JS> judgement.
JS> 

 1) You seem to imply *all* previous posters in this thread
(which is why I'm responding to you in public)

 2) IMHO you should try having a good long look in a mirror  ;-)


-- 
Rafi





Re: Spanning tree melt down ?

2002-11-29 Thread Rafi Sadowsky




## On 2002-11-29 15:05 -0600 Daniel Golding typed:

DG> 
DG> 
DG> Yes, I read his bio. I'm sure he's quite the techie amongst his fellow
DG> physicans, and I think thats a great thing. However, its more than just a
DG> bad idea to put someone who isn't completely proficient in a job like this
DG> - its bad for the patients. If you want to run a shoe company, and put a
DG> shoe salesman with a couple linux boxes in charge of your network, more
DG> power to you. However, if you run a huge hospital, at which, there are
DG> numerous patient affecting IT systems, you really have an obligation to
DG> hire a professional, rather than a talented amateur, with all due respect
DG> to the good doctor.

Hi Daniel,

 Are you suggesting that a CIO at a "huge hospital" (or any other enterprise)
needs to be an expert at LAN/WAN networking, Systems, DBA & Security
rather than a management expert that has a good grasp of the basic IT
issues and understands the core business needs of the enterprise ?

-- 
Rafi





Re: What? : Delivery Status Notification (Failure) (fwd)

2002-11-16 Thread Rafi Sadowsky

me too :-(

-- 
Rafi

## On 2002-11-16 15:07 +0100 Andre Chapuis typed:

AC> 
AC> Yes I do too...
AC> André
AC> 
AC> - Original Message -
AC> From: "Stephen J. Wilcox" <[EMAIL PROTECTED]>
AC> To: <[EMAIL PROTECTED]>
AC> Sent: Saturday, November 16, 2002 1:28 PM
AC> Subject: What? : Delivery Status Notification (Failure) (fwd)
AC> 
AC> >
AC> > anyone else receiving a large number of bounces from nanog deliveries to
AC> >the below address dated over the past 3 months?
AC> > anyone at shure.com care to stop it as they're still coming!




Re: PAIX

2002-11-14 Thread Rafi Sadowsky


## On 2002-11-14 14:44 -0800 Vadim Antonov typed:

VA> 
VA> 
VA> On Thu, 14 Nov 2002, David Diaz wrote:
VA> 
VA> > 2) There is a lack of a killer app requiring peering every 100 sq Km. 
VA> 
VA> Peering every 100 sq km is absolutely infeasible.  Just think of the 
VA> number of alternative paths routing algorithms wil lhave to consider.
VA> 
VA> Anything like that would require serious redesign of Internet's routing 
VA> architecture.

  What about:

 IPv6 with hierarchical geographical allocation ?

 BGP with some kind of tag limiting it to  AS hops ?
( say N=2 or N=3? )


VA> 
VA> --vadim
VA> 
VA> 

-- 
Rafi




Re: Need help with ~100Mbps layer2 or 3 to Alexandria/Egypt

2002-11-09 Thread Rafi Sadowsky

## On 2002-11-07 16:30 -0800 Arman typed:

A> 
A> Hello,
A> 
A> We have been tasked with finding ~100 megs of IP transit in
A> Alexandria/Egypt.
A> Options;
A> 1.  Lease E3 circuit between Italy or any location within the oceanic fiber
A> route or direct IP connectivity in Alexandria.  

 Planning on pushing 100Mbps over an E3 link ?
Are you counting on 3:1 compression ??

A> 2.  Cost is a big factor, ofcourse.
A> 
A> Any help/pointers/leads would greatly be appreciated.
A> 
A> Sincerely,
A> Arman
A> 

  You may want to check with MedNautilus when they're connecting at
Alexandria 


-- 
Rafi




Re: High Processor Rates on Routers.

2002-11-06 Thread Rafi Sadowsky


## On 2002-11-06 15:54 - Chris Roberts typed:

CR> 
CR> 
CR> BGP can cause a lot of processor utilisation when updates are received,
CR> although this is not normally at accurate 30 second intervals, so I
CR> wouldn't suspect this particularly.
CR> 
 
 I've seen this happen with OSPF routes flapping(due to a flapping
interface) causing the BGP next-hop to flap - the OSPF didn't seem to be
the culprit as it only had ~150 routes while BGP had ~110K routes
(mostly iBGP)


-- 
Rafi




Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks

2002-10-29 Thread Rafi Sadowsky


## On 2002-10-29 19:55 -0600 Rob Thomas typed:

RT> 
RT> Hi, NANOGers.
RT> 
RT> ]   ICMP?
RT> 
RT> I have my own thoughts on ICMP filtering, which you will find here:
RT> 
RT> http://www.cymru.com/Documents/icmp-messages.html
RT> 
RT> I don't claim to have correct thoughts, however, so input and suggestions
RT> are always welcome.  :)  If anyone could pick up a NANOG t-shirt for me,
RT> that would be welcome as well.  :)

Hi Rob

 I find it hard to believe you have no thoughts about:

  1) rate-limiting ICMP 

  2) passing ICMP "statefully"
 (that is for example ICMP echo reply only accepted in reply to an ICMP echo)

  3) DoS problems related to ICMP unreachables

-- 
Regards,
Rafi

RT> 
RT> Thanks,
RT> Rob.
RT> 
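Added example, not code from the thread or from Rob's page: a small stateful ICMP filter that covers points 1 and 2 above (per-type rate limiting with a token bucket, and accepting an echo reply only when it answers an echo request that left the protected side). Packets are constructed dicts standing in for decoded ICMP headers; all class and function names are assumptions.

```python
"""Added example (not from the thread): a stateful ICMP echo filter with
per-type rate limiting.  Packets are constructed dicts standing in for
decoded ICMP headers; timestamps are seconds."""
from collections import defaultdict

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8


def icmp(src, dst, icmp_type, ident, seq, ts):
    """Build a constructed ICMP packet record."""
    return {"src": src, "dst": dst, "type": icmp_type,
            "id": ident, "seq": seq, "ts": ts}


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = self.burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpFilter:
    """Accept inbound ICMP only if it is a permitted type, within the
    per-type rate limit, and (for echo replies) answers an echo request that
    left the protected side within `reply_window` seconds."""

    def __init__(self, rate_per_sec=10, burst=20, reply_window=5.0):
        self.rate, self.burst, self.window = rate_per_sec, burst, reply_window
        self.buckets = defaultdict(lambda: TokenBucket(self.rate, self.burst))
        self.pending = {}   # (src, dst, id, seq) of outbound echo -> send time

    def _prune(self, now):
        # Bound the state table: forget requests older than the reply window.
        stale = [k for k, t in self.pending.items() if now - t > self.window]
        for k in stale:
            del self.pending[k]

    def outbound(self, pkt):
        """Record outbound echo requests so their replies can be matched."""
        self._prune(pkt["ts"])
        if pkt["type"] == ECHO_REQUEST:
            self.pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt["ts"]
        return True

    def inbound(self, pkt):
        """Return (accepted, reason) for an inbound ICMP packet."""
        if pkt["type"] == ECHO_REPLY:
            # Point 2: a reply is valid only if we sent the matching request
            # (addresses swapped, same id/seq), and only once.
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            sent = self.pending.pop(key, None)
            if sent is None:
                return False, "unsolicited echo reply"
            if pkt["ts"] - sent > self.window:
                return False, "stale echo reply"
        elif pkt["type"] not in (ECHO_REQUEST, DEST_UNREACH):
            return False, "type not permitted"
        # Point 1: rate-limit per ICMP type, so a flood of one type cannot
        # starve another (e.g. the unreachables needed for PMTU discovery).
        if not self.buckets[pkt["type"]].allow(pkt["ts"]):
            return False, "rate-limited"
        return True, "accepted"
```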




Re: UUNET Routing issues

2002-10-05 Thread Rafi Sadowsky




## On 2002-10-04 23:50 +0200 Iljitsch van Beijnum typed:

IvB>
IvB> Obviously "some" packet loss and jitter are normal. But how much is
IvB> normal? Even at a few tenths of a percent packet loss hurts TCP
IvB> performance. The only way to keep jitter really low without dropping large
IvB> numbers of packets is to severely overengineer the network. That costs
IvB> money. So how much are customers prepared to pay to avoid jitter?

 There may be better ways to keep "reasonable" jitter but that depends on
what is "really low" jitter - care to define numbers ?

IvB>
IvB> In any case, delays of 1000 ms aren't within any accepted definition of
IvB> "normal".

 Ever used a satellite link ?
Practical RTT("normal" - end to end including the local loops at both
sides) starts at about 600msec

IvB> With these delays, high-bandwidth batch applications will
IvB> monopolize the links and interactive traffic suffers.

 I'm assuming TCP (since you didn't state otherwise) with the TCP
extensions for "fat pipes" (such as window scaling and SACK) disabled
(as both sides of the TCP connection need to have them)

 IIRC the maximum (theoretical) TCP session BW under these conditions
is less than 1Mb/sec (for 600msec RTT)


   For a reality check you may want to have a look at the links under
"Satellite links and performance" on
 
(yes the docs are a bit dated but the principles aren't)

IvB> 20 ms worth of
IvB> buffer space with RED would keep those high-bandwidth applications in
IvB> check and allow a reasonable degree of interactive traffic. Maybe a
IvB> different buffer size would be better, but the 20 ms someone mentioned
IvB> seems as good a starting point as anything else.
IvB>
IvB>


-- 
Rafi
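Added example, not from the thread: the arithmetic behind the "less than 1Mb/sec at 600msec RTT" figure above, carried a step further to the bandwidth-delay product and the RFC 1323 window scale shift a link would need. Function names and the 10 Mbit/s link rate are assumptions.

```python
"""Added example (not from the thread): the TCP throughput ceiling a long
RTT imposes when window scaling is off, and what scaling would need."""

MAX_WINDOW_NO_SCALING = 65535   # 16-bit window field (RFC 793)
MAX_WINDOW_SHIFT = 14           # largest window scale shift (RFC 1323)


def max_throughput_bps(rtt_s, window_bytes=MAX_WINDOW_NO_SCALING):
    """A sender can have at most one receive window in flight per RTT, so
    throughput is bounded by window / RTT regardless of the link speed."""
    if rtt_s <= 0:
        raise ValueError("RTT must be positive")
    return window_bytes * 8 / rtt_s


def window_needed_bytes(link_bps, rtt_s):
    """Bandwidth-delay product: the window needed to keep the link full."""
    return link_bps * rtt_s / 8


def scale_shift_needed(link_bps, rtt_s):
    """Smallest RFC 1323 shift so that 65535 << shift covers the BDP,
    or None if even the maximum shift is too small."""
    bdp = window_needed_bytes(link_bps, rtt_s)
    for shift in range(MAX_WINDOW_SHIFT + 1):
        if (MAX_WINDOW_NO_SCALING << shift) >= bdp:
            return shift
    return None


def compare(rtt_s, link_bps):
    """Summarise the no-scaling ceiling against a given link for one path."""
    ceiling = max_throughput_bps(rtt_s)
    return {
        "ceiling_no_scaling_mbps": round(ceiling / 1e6, 3),
        "link_fraction_usable": round(min(1.0, ceiling / link_bps), 3),
        "bdp_bytes": round(window_needed_bytes(link_bps, rtt_s)),
        "scale_shift_needed": scale_shift_needed(link_bps, rtt_s),
    }


if __name__ == "__main__":
    # The thread's case: 600 ms end-to-end RTT over an assumed 10 Mbit/s link.
    print(compare(0.6, 10_000_000))
    # For contrast, a 50 ms terrestrial path on the same link.
    print(compare(0.05, 10_000_000))
```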




RE: How do you stop outgoing spam?

2002-09-10 Thread Rafi Sadowsky


## On 2002-09-10 13:41 -0700 Tony Hain typed:

TH>
TH> Rafi Sadowsky wrote:
TH> >  How about using a combination of technical and "social"
TH> > measures For example in a Cyber Cafe use passive technical
TH> > measures to count the total number of outbound SMTP sessions
TH> > and charge 1$ per Email over an average rate of 2
TH> > Emails/minute and 10$ per Email exceeding a rate of 10 per minute
TH>
TH> So the person who connects after sitting on a plane for 5 hours gets
TH> charged extra because the laptop bursts 50 messages ...

 Well the numbers may need adjusting but please note that I
suggested measuring the average not burst - so if said person buys 30
minutes online his *average* rate would be (just) under the
2 Emails/minute threshold

 If needed change the first threshold to 4/5 per minute and the second
threshold to 20 per minute

TH> There is no
TH> automated technical approach to a social problem. Public executions
TH> would be much more effective than preventing legitimate customers from
TH> getting their job done.

 True in many cases but the punishment should be reasonable
You could define SPAM as theft in Saudi-Arabia & then a spammer would
probably have his right hand chopped off ...

 A little common sense would probably be useful in matching the punishment
to the "crime"

TH>
TH> Tony
TH>

-- 
Rafi




Re: How do you stop outgoing spam?

2002-09-10 Thread Rafi Sadowsky



## On 2002-09-10 09:45 -0400 [EMAIL PROTECTED] typed:

>
> > Hi Eliot
> >
> >  Maybe I'm missing something obvious but how do you get rate-limiting per
> > TCP *flow* with Cisco IOS ?
>
> It is more trouble than its worth.

 IMHO there are other problems beside SPAM that can use per flow
shaping/rate-limiting


> SPAM is not a technical problem. It is a
> social problem. Using technical methods is not going to solve the problem.
> In the end, every time we come up with another method of detecting and
> blocking spam, another method is bypassing this defense is going to show up.

 How about using a combination of technical and "social" measures
For example in a Cyber Cafe use passive technical measures to count the
total number of outbound SMTP sessions and charge 1$ per Email over an
average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10
per minute


>
> Alex
>
>

-- 
Rafi
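Added example, not from the thread: the cyber cafe surcharge scheme proposed here, computed on the customer's *average* outbound SMTP rate over the whole session (the point made in the reply to Tony Hain above, where the 50-message laptop burst in a 30 minute session stays under 2/minute). The log format, the tiered-fee interpretation and all names are constructed assumptions.

```python
"""Added example (not from the thread): average-rate outbound SMTP
surcharge for a cyber cafe.  Log lines and the tariff interpretation are
constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tariff:
    first_rate: float = 2.0    # emails/minute; above this, extra emails cost first_fee
    first_fee: float = 1.0     # dollars
    second_rate: float = 10.0  # emails/minute; above this, extra emails cost second_fee
    second_fee: float = 10.0   # dollars


def count_smtp_sessions(log_lines, client_ip):
    """Passively count outbound SMTP (TCP/25) sessions opened by one client.
    Constructed log format: '<epoch> <src_ip>:<sport> > <dst_ip>:<dport> <proto>'."""
    sessions = 0
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != ">" or fields[4] != "tcp":
            continue
        src_ip, _, _ = fields[1].rpartition(":")
        _, _, dst_port = fields[3].rpartition(":")
        if src_ip == client_ip and dst_port == "25":
            sessions += 1
    return sessions


def surcharge(sessions, minutes_online, tariff=Tariff()):
    """Dollars owed.  Assumed interpretation of the proposal: the quota at
    each tier is rate * minutes_online (an average, not a burst); emails
    above the first quota cost first_fee, and emails above the second
    quota cost second_fee instead."""
    if minutes_online <= 0:
        raise ValueError("session length must be positive")
    first_quota = tariff.first_rate * minutes_online
    second_quota = tariff.second_rate * minutes_online
    if sessions <= first_quota:
        return 0.0
    if sessions <= second_quota:
        return (sessions - first_quota) * tariff.first_fee
    return ((second_quota - first_quota) * tariff.first_fee
            + (sessions - second_quota) * tariff.second_fee)


# Constructed sample: the "laptop after a five hour flight" case, 50 queued
# messages flushed in the first minute of a 30 minute session, plus some
# unrelated traffic that must not be counted.
SAMPLE_LOG = [f"1031650000 10.1.1.20:{40000 + i} > 198.51.100.25:25 tcp" for i in range(50)]
SAMPLE_LOG += ["1031650010 10.1.1.20:40100 > 198.51.100.80:80 tcp",
               "1031650011 10.1.1.21:40200 > 198.51.100.25:25 tcp",
               "1031650012 10.1.1.20:40300 > 198.51.100.53:53 udp"]


def laptop_burst_charge(minutes_online=30, tariff=Tariff()):
    """Surcharge for the sample client over its whole session."""
    return surcharge(count_smtp_sessions(SAMPLE_LOG, "10.1.1.20"), minutes_online, tariff)
```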




Re: How do you stop outgoing spam?

2002-09-10 Thread Rafi Sadowsky



## On 2002-09-10 10:02 +0300 Petri Helenius typed:

PH> >
PH> If somebody is ignorant enough to implement IP over HTTP, why should
PH> they be accommodated? There are numerous reasons why there are other
PH> port numbers to TCP than 80 and other protocol numbers to IP than 6.

 Why do you think they're ignorant ?
Isn't TCP over HTTP normally used to attempt to bypass firewalls ?

 IMHO Firewall/Security admins are ignorant
if they don't take this into account

AFAIK you can tunnel IP over(at least):

 1) HTTP(not just use port 80 for non HTTP traffic)

 2) ICMP ...

 3) DNS queries(needs an external "custom" cooperating DNS)

-- 
Rafi






Re: How do you stop outgoing spam?

2002-09-09 Thread Rafi Sadowsky


## On 2002-09-09 17:15 -0700 Eliot Lear typed:

EL>
EL> Paul Vixie wrote:
EL> > per-destination host AND port egress rate shaping.  if someone tries to send
EL> > more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single
EL> > IP address, then you can safely RED their overage.  this violates the whole
EL> > peer-to-peer model but there's no help for that in the short term.  if some
EL> > internet cafe has a CuCme camera setup then you can find a way to let that
EL> > traffic off-net without rate shaping.  this will be the exception.
EL>
EL> Please be aware that this could have unintended consequences, and should
EL> be used in very constrained ways.  In particular, there are any number
EL> of applications, including VPN applications that use port 80.  I would
EL> recommend that only specified destinations get such treatment, if you
EL> apply it at all.

Hi Eliot

 Maybe I'm missing something obvious but how do you get rate-limiting per
TCP *flow* with Cisco IOS ?

-- 
Regards,
Rafi





Re: How do you stop outgoing spam?

2002-09-09 Thread Rafi Sadowsky



## On 2002-09-09 17:53 -0400 Marshall Eubanks typed:

ME> >
ME>
ME> When I go to Internet cafe's (I like Global Gossip), I connect my Ti-book
ME> to the local ethernet if at all possible (that's why I like Global Gossip) and
ME> use high bit rates (i.e., file transfers) in both direction.
ME>
ME> If I was limited to 4 kbps outbound, I would want my money back.

 Are you doing your file transfers via HTTP or SMTP ?
What about rate limiting TCP SYN packets ?

 I assume you're not doing more than say 1 file per second ?

ME>
ME> Just one customer viewpoint :)
ME>
ME> Regards
ME> Marshall Eubanks
ME>

P.S. funny thing is I learnt the SYN rate limiting "trick" from Hank ...

-- 
Rafi




Re: Traffic Threshold monitoring?

2002-08-26 Thread Rafi Sadowsky



## On 2002-08-25 23:54 -0700 Rob Mitzel typed:

RM>
RM> Hi everyone,
RM>
RM> Quick question.  We're currently using MRTG to monitor traffic on a
RM> number of cisco switches connected to various customers.  Now, this is
RM> all great and everything, except there's no real way to monitor if a
RM> customer's traffic goes completely out of whack (i.e. they start
RM> hammering 20 mbps instead of 300kbps) without manually checking MRTG
RM> every few minutes (and that'd be kinda time-consuming, you'd think.)  We
RM> also show individual MRTG pages to our customer base via some handy mods
RM> we made.

 Try searching

for "THRESHOLD CHECKING" at which point (hopefully ;-) you can RTFM ..

-- 
Rafi




Re: Eat this RIAA (or, the war has begun?) - Why not all ISPs?

2002-08-22 Thread Rafi Sadowsky




 OOPS - my typo sorry! (standing in the corner with egg on my face ;-)

## On 2002-08-22 11:10 +0300 Rafi Sadowsky typed:

RS>
RS>
RS> ## On 2002-08-22 08:04 +0100 Avleen Vig typed:
RS>
RS> AV>
RS> AV> Start here:
RS> AV> avleen@apple:avleen : host -t MX riaa.org
RS> AV> riaa.org mail is handled (pri=50) by mail3.riaa.com
RS> AV> riaa.org mail is handled (pri=10) by list.sparklist.com
RS> AV> riaa.org mail is handled (pri=10) by mail.riaa.com
RS> AV> riaa.org mail is handled (pri=25) by mail2.riaa.com
RS> AV>
RS> AV>
RS> AV>
RS>
RS>
RS>  Not quite ;-)
RS>
RS> (1021)> whois -h whois.networksolutions.com riia.org
RS>
RS>
RS> Registrant:
RS> Royal Institute of International Affairs (RIIA-DOM)
RS>Chatham House, 10 St James Square
RS>London, SW1Y 4YE
RS>ENGLAND
RS>
RS>Domain Name: RIIA.ORG
RS>
RS>
RS>
RS>
RS>
RS>




Re: Eat this RIAA (or, the war has begun?) - Why not all ISPs?

2002-08-22 Thread Rafi Sadowsky



## On 2002-08-22 08:04 +0100 Avleen Vig typed:

AV>
AV> Start here:
AV> avleen@apple:avleen : host -t MX riaa.org
AV> riaa.org mail is handled (pri=50) by mail3.riaa.com
AV> riaa.org mail is handled (pri=10) by list.sparklist.com
AV> riaa.org mail is handled (pri=10) by mail.riaa.com
AV> riaa.org mail is handled (pri=25) by mail2.riaa.com
AV>
AV>
AV>


 Not quite ;-)

(1021)> whois -h whois.networksolutions.com riia.org


Registrant:
Royal Institute of International Affairs (RIIA-DOM)
   Chatham House, 10 St James Square
   London, SW1Y 4YE
   ENGLAND

   Domain Name: RIIA.ORG








Re: Identifying DoS sources quickly (was: Bogon list or Dshield.orgtype list)

2002-08-01 Thread Rafi Sadowsky


## On 2002-07-31 10:09 +0200 Jesper Skriver typed:

JS> On Wed, Jul 31, 2002 at 12:22:30AM -0700, Randy Bush wrote:
JS> >
JS> > > AFAIK 12.0S only has the "service provider" feature set
JS> >
JS> > i fear that the joke is on us.  at least one other train seems to
JS> > have been merged into the ex-isp train.  not sure how much.  can't
JS> > get a straight answer.  welcome back to 1997, and bye bye what
JS> > stability we had.
JS>
JS> It looks something like
JS>
JS>   12.0(21)S112.0(21)S2 ... only for a limited time
JS>/
JS> ---12.0(x)S-12.0(21)S +---12.0(22)S12.0(23)S ...
JS>  /
JS> ---12.0(x)ST12.0(21)ST--+
JS>
JS> So basicly 12.0(22)S is what would have been 12.0(22)ST if they hadn't
JS> renumbered.
JS>
JS> The "old" S train will be recieving bug fixes as 12.0(21)S1 S2 S3 etc.
JS> for a limited period of time.
JS>
JS> So be carefull when you go from 12.0(x)S, x <= 21 to 12.0(y)S, y > 21

 Thanks for the info

 I thought that the next evolution in the "S" series was supposed to be
a merger of 12.1E and 12.0S into 12.2S ? - anyone know about that ?

-- 
Rafi


JS>
JS> /Jesper
JS>
JS>




Re: Identifying DoS sources quickly (was: Bogon list or Dshield.orgtype list)

2002-07-30 Thread Rafi Sadowsky


## On 2002-07-30 08:23 -0700 Randy Bush typed:

RB>
RB> >> Not a complete solution but a start:
RB> >> IP Source Tracker:
RB> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
RB> > limit/120s/120s21/ipst.htm
RB> >> Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.
RB>
RB> ah yes.  the new enterprise image.  :-(
RB>
RB>

 Am I missing the joke ?
AFAIK 12.0S only has the "service provider" feature set


-- 
Rafi





Re: fractional gigabit ethernet links?

2002-07-15 Thread Rafi Sadowsky




Sush,

 Are you thinking of rate-limiting or traffic shaping ?
I'd expect rate-limiting of bursty traffic to lose some packets
irrespective of the L3 hardware/CPU capacity

-- 
Rafi

## On 2002-07-15 23:57 -0400 Sush Bhattarai typed:

SB>
SB> Might want to query your provider as to where the rate limitting is being
SB> done. In some cases, if rate limit is being done egress from the layer 3
SB> infracture towards the MAN layer 2 equipment, there might be a lack of
SB> processing power on that device, causing the drops. Of course this will
SB> depend on the type of device and whether the rate limiting is being done on
SB> hardware or not too.
SB>
SB> Sush
SB>





Re: The Cidr Report - web site inaccessible ?

2002-07-14 Thread Rafi Sadowsky




 Is it just me ?

-- 
Thanks
Rafi

[rafi@noc ~]$ date
Sun Jul 14 21:30:54 IDT 2002
[rafi@noc ~]$ lynx -dump "http://www.employees.org/~tbates/cidr-report.html"

   Forbidden

   You don't have permission to access /~tbates/cidr-report.html on this
 server.

   Additionally, a 403 Forbidden error was encountered while trying to
   use an ErrorDocument to handle the request.
 _


Apache/2.0.39 Server at www.employees.org Port 8080


[rafi@noc ~]$ lynx -dump "http://www.employees.org/~tbates/cidr-report-region.html"

   Forbidden

   You don't have permission to access /~tbates/cidr-report-region.html
   on this server.

   Additionally, a 403 Forbidden error was encountered while trying to
   use an ErrorDocument to handle the request.
 _


Apache/2.0.39 Server at www.employees.org Port 8080


[rafi@noc ~]$ lynx -dump "http://www.employees.org/~tbates/autnums.html"

   Forbidden

   You don't have permission to access /~tbates/autnums.html on this
   server.

   Additionally, a 403 Forbidden error was encountered while trying to
   use an ErrorDocument to handle the request.
 _


Apache/2.0.39 Server at www.employees.org Port 8080
[rafi@noc ~]$ date
Sun Jul 14 21:31:33 IDT 2002
[rafi@noc ~]$

## On 2002-07-12 23:00 -0700 CIDR Report typed:

CR>
CR>
CR> This is an auto-generated mail on Fri Jul 12 23:00:00 PDT 2002
CR> It is not checked before it leaves my workstation.  However, hopefully
CR> you will find this report interesting and will take the time to look
CR> through this to see if you can improve the amount of aggregation you
CR> perform.
CR>
CR> Check http://www.employees.org/~tbates/cidr-report.html for a daily
CR> update of this report.
CR>
CR> NEW: Check http://www.employees.org/~tbates/cidr-report-region.html for
CR> the regional version of this report.
CR>
CR> NEW: Check http://www.employees.org/~tbates/autnums.html for a complete
CR> list of autonomous system number to name mappings as used by the CIDR-Report.
CR>
CR> The report is split into sections:
CR>
CR>0) General Status
CR>
CR>   List the route table history for the last week, list any possibly
CR>   bogus routes seen and give some status on ASes.
CR>
CR>1) Gains by aggregating at the origin AS level
CR>
CR>   This lists the "Top 30" players who if they decided to aggregate
CR>   their announced classful prefixes at the origin AS level could
CR>   make a significant difference in the reduction of the current
CR>   size of the Internet routing table. This calculation does not
CR>   take into account the inclusion of holes when forming an aggregate
CR>   so it is possible even larger reduction should be possible.
CR>
CR>2) Weekly Delta
CR>
CR>   A summary of the last weeks changes in terms of withdrawn and
CR>   added routes. Please note that this is only a snapshot but does
CR>   give some indication of ASes participating in CIDR. Clearly,
CR>   it is generally a good thing to see a large amount of withdrawls.
CR>
CR>3) Interesting aggregates
CR>
CR>   Interesting here means not an aggregate made as a set of
CR>   classful routes.
CR>
CR> Thanks to GX Networks for giving me access to their routing tables once a
CR> day.
CR>
CR> Please send any comments about this report directly to CIDR Report 
<[EMAIL PROTECTED]>.
CR>
CR>
CR>
CR> --
CR>
CR> CIDR REPORT for 12Jul02
CR>
CR>
CR> 0) General Status
CR>
CR> Table History
CR> -
CR>
CR> DatePrefixes
CR> 050702  110820
CR> 060702  29
CR> 070702  111069
CR> 080702  111088
CR> 090702  111212
CR> 100702  53
CR> 110702  111369
CR> 120702  111339
CR>
CR> Check http://www.employees.org/~tbates/cidr.plot.html for a plot
CR> of the table history.
CR>
CR>
CR> Possible Bogus Routes
CR> -
CR>
CR>
CR> AS Summary
CR> --
CR>
CR> Number of ASes in routing system:  13208
CR>
CR> Number of ASes announcing only one prefix:  8040 (4516 cidr, 3524 classful)
CR>
CR> Largest number of  cidr routes:  615 announced by AS3908
CR> Largest number of classful routes:  1230 announced by  AS701
CR>
CR>
CR>
CR> 1) Gains by aggregating at the origin AS level
CR>
CR>  --- 12Jul02 ---
CR> ASnum    NetsNow  NetsCIDR  NetGain  % Gain   Description
CR>
CR> AS1221  1089  840  249   22.9%   Telstra Pty Ltd
CR> AS701   1230  982  248   20.2%   UUNET Technologies, Inc.
CR> AS17557  304  107  197   64.8%   Pakistan Telecom
CR> AS6595   221   54  167   75.6%   DoD Education A

Re: European packet loss average increasing

2002-07-03 Thread Rafi Sadowsky




## On 2002-07-02 09:12 -0400 German Martinez typed:
GM>
GM> Date: Tue, 2 Jul 2002 09:12:47 -0400 (EDT)
GM> From: German Martinez <[EMAIL PROTECTED]>
GM> To: [EMAIL PROTECTED]
GM> Subject: Ebone Shutdown
GM>
GM>
GM> http://www.nocpeople.org/ebone/broadcast2.html
GM>
GM>
GM>


Broadcast Message
KPNQwest
TO:
CUSTOMER CONTACT:
FROM: [EMAIL PROTECTED]
DATE: 02/JUL/2002 09:00:29
ATTN:

KPNQWEST TT NUMBER:
KPNQWEST CONTACT: Walker
CSC PHONE NUMBER: Any Queries please contact the CSC.

BROADCAST MESSAGE

 To all our customers, despite the efforts of the 40 people at Ebone NOC
these last few months to keep the network up and running our efforts have
been in vain, as finally the banks and other parties concerned have
stopped the proposed sale of Ebone happening. As a result of this we have
now been ordered by the curators to shut down the Network. This will happen
today 2nd July 1, 2002 at 11:00AM CET.

 I wish to thank our entire customers for their support over these last
few months and only wish that things could have turned out differently. If
you need any further information regarding this please feel free to
contact me on the following number +32 486 747140 or email address.
iaintw@brutele.



## On 2002-07-03 03:03 -0400 Sean Donelan typed:

SD>
SD>
SD> My non-scientific measurements (i.e. pings to well known european
SD> sites) show an increase in packet loss to about 6%, the 10 day
SD> average previously was less than 1%.
SD>
SD> Neither ns.ebone.net nor auth1.ebone.net are answering queries.
SD>
SD> BGP data still looks normal
SD> KPNQwest data http://bgp.potaroo.net/as286/
SD>
SD> So far I don't see much change in traffic levels at LINX
SD> http://www.linx.net/tools/stats/index.thtml
SD>
SD> AMS-IX graphs seem to have a glitch, or one heck of a DDOS.
SD> http://www.ams-ix.net/hugegraph.html
SD>
SD>
SD>




Re: Allocated IP blocks

2002-07-01 Thread Rafi Sadowsky



Rob Thomas maintains a nice list:

 http://www.cymru.com/Documents/bogon-list.html

-- 
Rafi

## On 2002-07-01 10:12 -0700 Mike Batchelor typed:

MB>
MB> Is there a list anywhere of allocated IP blocks?
MB>
MB> I need to update my IDS sensor's table of valid blocks.  It's alarming on
MB> some traffic coming from 67, 68 and 219, which I know were not allocated
MB> until fairly recently.
MB>
MB> Is there a simple list somewhere, i.e:
MB>
MB> 4.0.0.0/8
MB> 6.0.0.0/8
MB> 
MB> 219.0.0.0/24
MB> etc... ??
MB>
MB>
MB> ---
MB> "The avalanche has already begun. It is too late for the pebbles to vote."
MB>  -- Kosh
MB>




Re: KPNQWEST cease operation?

2002-06-13 Thread Rafi Sadowsky



## On 2002-06-14 04:08 +0100 Chrisy Luke typed:

CL>
CL> ?$BLpEDIt?(B wrote (on Jun 14):
CL> > I heard that NOC of KPQWEST in Frankfurt would cease operation at 1400
CL> > hour (local time) today.
CL> >
CL> > Is there any additional information about this?
CL>
CL> http://live.ebone.com/ is probably about as much info as you can get unless

 You mean  or  ?

-- 
Rafi






Re: OT: Re: Bogon list

2002-06-05 Thread Rafi Sadowsky



Richard,

 Kindly explain how not knowing procmail (or Unix for that matter)
relates to configuring BGP/OSPF/Cisco IOS/JunOS
(Yes I know JunOS is based on FreeBSD -
 but I doubt anyone runs an MTA or MUA on it ... ;-)

For Example:

 I happen to know a senior technical consultant who went from reading his
Email on VM(IBM Mainframe) to reading it on his laptop with Eudora(POP3)
and couldn't (shouldn't?) care less what OS the MTA and POP3 server
run on

 Said person happens to be a (semi)regular poster on NANOG and I seriously
doubt he's made anyone's kill rule ...

  Also don't even get me started on *security* consultants that are forced
(by corporate policy) to read Email on MS OutLook from an Exchange server :-(

-- 
Rafi




## On 2002-06-05 15:54 -0400 Richard A Steenbergen typed:

RAS>
RAS> On Wed, Jun 05, 2002 at 09:50:17PM +0300, Rafi Sadowsky wrote:
RAS> >
RAS> > ## On 2002-06-05 04:45 -0700 Randy Bush typed:
RAS> >
RAS> > RB> :0 Wh: msgid.lock
RAS> > RB> | formail -D 8192 msgid.cache
RAS> >
RAS> > Randy,
RAS> >
RAS> > Are you sure that:
RAS> >
RAS> >   1) All NANOG subscribers recognize the above as a procmail rule ?
RAS>
RAS> If they don't, they're probably in one.
RAS>
RAS> >   2) That all NANOG subscribers read list E-mail on machines that have
RAS> >  procmail on them ?
RAS>
RAS> This is still (for some definition of still) a technical list, mainly
RAS> composed of network engineers (you know, the people who don't buy clothes
RAS> because their entire wardrobe is paid for by vendors, and who have a
RAS> statistically high chance of being fat, bald, bearded, and/or spotted at a
RAS> NANOG bar), and other people involved in "operating the internet".
RAS>
RAS> As such, the posters are expected to have a certain level of common sense,
RAS> for example:
RAS>   * Knowing what procmail is and how to use it

 What is the logical connection between that and the following ?

RAS>   * Not posting in HTML
RAS>   * Not posting "where can I get a T1 in BF Egypt"

 What is BF ?

RAS>   * Not posting "everyone on the internet is down but me!"
RAS> etc.
RAS>
RAS> Not to be mean to anyone, but if you're expecting something else, you
RAS> should probably look at one of the isp-* lists.
RAS>
RAS>





OT: Re: Bogon list

2002-06-05 Thread Rafi Sadowsky



## On 2002-06-05 04:45 -0700 Randy Bush typed:

RB>
RB> > [[ What's with the huge CC list everyone?  Aren't we all subscribers?  Do
RB> > y'all enjoy getting multiple copies of replies?   I don't!  ;-) ]]
RB>
RB> :0 Wh: msgid.lock
RB> | formail -D 8192 msgid.cache
RB>
RB>

Randy,

Are you sure that:

  1) All NANOG subscribers recognize the above as a procmail rule ?

  2) That all NANOG subscribers read list E-mail on machines that have
 procmail on them ?


-- 

Rafi




Re: Does anyone still offer DVMRP tunnels?

2002-05-17 Thread Rafi Sadowsky


## On 2002-05-17 16:57 -0600 Lyndon Nerenberg typed:

LN>
LN> Is there anyone out there still providing DVMRP multicast tunnels?
LN> Our network provider simply isn't interested in providing native
LN> multicast. If anyone close to Group Telecom (sorry, I don't have
LN> their AS handy at the moment) would be willing to establish a
LN> tunnel with us, please contact me directly. Thanks.
LN>
LN> --lyndon
LN>


Try 

 Or try and find something under



-- 
Rafi




Re: Arbor Networks DoS defense product

2002-05-15 Thread Rafi Sadowsky



Hi Rob

## On 2002-05-15 16:01 -0500 Rob Thomas typed:


RT>  On the other hand, you could wonder why it is that the
RT> non-geek broadband users must be system, network, and firewall
RT> administrators.

 You might prefer to wonder when home users will start using an OS that
doesn't have security holes you can drive a truck through and the default
config would at least be semi-secure ...

 If the home(or at least broadband) users would demand such an OS
they *might* just get it  ... ;-)

RT>
RT> Thanks,
RT> Rob.

Regards,
Rafi

RT> --
RT> Rob Thomas
RT> http://www.cymru.com/~robt
RT> ASSERT(coffee != empty);
RT>
RT>
RT>




limiting # of prefixes from a BGP peer (Was: Re: genuity - any good?)

2002-04-13 Thread Rafi Sadowsky



## On 2002-04-12 17:27 -0700 Mark Kent typed:

MK>
MK> To address Sean's point about mistakes turning one /16 into a zillion
MK> entries, is there any way to allow only some specified maximum number
MK> of routes from a bgp neighbor?  I know that I'ld be happy if my
MK> upstreams gave me a buffer of, say, 10 entries above my typical number
MK> of aggregates.
MK>
MK> -mark
MK>
MK>

 For Cisco IOS just add this under the "router bgp" section

---
neighbor  maximum-prefix 
---

 Exceeding the maximum prefix number will shut down the BGP session until a
manual clear

Enjoy
Rafi
-- 
Rafi Sadowsky   [EMAIL PROTECTED]
Network/System/Security  VoiceMail: +972-3-646-0592   FAX: +972-3-649-8629
   Mangler ( :-)  |  FIRST-REP for ILAN-CERT([EMAIL PROTECTED])
Open University of Israel |  (PGP key -> )  http://telem.openu.ac.il/~rafi