Re: [Nanog-futures] [NANOG-announce] Important Reminders and Announcement
On 3 Sep 2008, at 13:41, Betty Burke wrote: As many of you know, Merit has been working to improve the NANOG.ORG website. We are very pleased to announce the new site will be launched on Thursday morning, Sept. 4, at 7 am EST. Members of the NANOG Steering Committee have been working with Merit, and we hope all issues have been resolved. We believe the community will find the new site to be much more useful.

The new web page looks great. Very nicely done.

Joe

___
Nanog-futures mailing list
Nanog-futures@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-futures
[Nanog-futures] new website
--- [EMAIL PROTECTED] wrote: From: Joe Abley [EMAIL PROTECTED] On 3 Sep 2008, at 13:41, Betty Burke wrote: As many of you know, Merit has been working to improve the NANOG.ORG website. We are very pleased to announce the new site will be launched on Thursday morning, Sept. 4, at 7 am EST. Members of the NANOG Steering Committee have been working with Merit, and we hope all issues have been resolved. We believe the community will find the new site to be much more useful. The new web page looks great. Very nicely done.

I agree. Great job! It even works perfectly fine with Firefox on FreeBSD with javascript not allowed via NoScript. Impressive. (It takes a lot to make me say that! :-)

scott
Re: [Nanog-futures] new website
On Thu, Sep 04, 2008 at 12:43:54PM -0700, Scott Weeks wrote: [snip] I agree. Great job! It even works perfectly fine with Firefox on FreeBSD with javascript not allowed via NoScript. Impressive. (It takes a lot to make me say that! :-)

Brian @merit did a great job taking pains to placate cantankerous SC members with lynx/links tests and accessibility concerns.

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: [Nanog-futures] new website
--- [EMAIL PROTECTED] wrote: From: Joe Provo [EMAIL PROTECTED] On Thu, Sep 04, 2008 at 12:43:54PM -0700, Scott Weeks wrote: [snip] I agree. Great job! It even works perfectly fine with Firefox on FreeBSD with javascript not allowed via NoScript. Impressive. (It takes a lot to make me say that! :-) Brian @merit did a great job taking pains to placate cantankerous SC members with lynx/links tests and accessibility concerns.

Then also: Thanks to the cantankerous SC members for thinking of the cantankerous ops that refuse to follow the sheep-crowd into the Micro$loth pit! :-)

scott
Re: Force10 Gear - Opinions
Paul Wall wrote: On Wed, Sep 3, 2008 at 8:29 PM, Jo Rhett [EMAIL PROTECTED] wrote: On Aug 26, 2008, at 12:26 AM, Paul Wall wrote: Routing n*GE at line rate isn't difficult these days, even with all 64-byte packets and other DoS conditions. Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) Sorry, I thought you were serious. I am. All of these boxes can forward packets at line rate, and list for a fraction of the price of the Force 10 S-Series.

A D-Link dsg-3627g is quite a few benjamins... but given that switch ASICs for said class of products are widely available and cheap, the difference between vendor A and vendor B in that class of switch is further up in the software stack.

I'll be correcting your other posts shortly! Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Wed, Sep 3, 2008 at 8:28 PM, Jo Rhett [EMAIL PROTECTED] wrote: For equivalent redundancy and ports, the Force10 is always cheaper - even just in list price. (on the E-series -- Cisco has some cheaper options than the S-series so I've heard - don't care)

Some food for thought, comparing apples to apples...

FORCE 10
  CH-E300-BNA8-L      $35,000.00  E300 110V AC Terascale Chassis Bundle: 6-slot E300 chassis with 400 Gb backplane, fan subsystem, 3 AC Power Supplies (CC-E300-1200W-AC), 1 Route Processor Module (EF3), 2 Switch Fabric Modules
  LC-EF3-1GE-24P      $30,000.00  E300 Terascale 24-port Gigabit Ethernet line card - SFP optics required (series EF3)
  CC-E300-1200W-AC     $4,000.00  E300 1200W/800W AC Power Supply
  CC-E-SFM3           $12,500.00  E-Series Switch Fabric Module
  LC-EF3-RPM          $30,000.00  E300 Terascale Route processor module (series EF3)
  ** BASIC CONFIG WITH 24 GIG-E (SFP PORTS): $65,000.00 (USD) **

CISCO
  WS-C6503-E           $2,500.00  Catalyst 6500 Enhanced 3-slot chassis, 4RU, no PS, no Fan Tray
  WS-SUP720-3BXL=     $40,000.00  Catalyst 6500/Cisco 7600 Supervisor 720 Fabric MSFC3 PFC3BXL
  WS-X6724-SFP=       $15,000.00  Catalyst 6500 24-port GigE Mod: fabric-enabled (Req. SFPs)
  WS-CAC-3000W=        $3,000.00  Catalyst 6500 3000W AC power supply (spare)
  PWR-950-DC=          $1,245.00  Spare 950W DC P/S for CISCO7603/Cat 6503
  WS-C6503-E-FAN=        $495.00  Catalyst 6503-E Chassis Fan Tray
  ** BASIC CONFIG WITH 24 GIG-E (SFP PORTS) (not counting two bonus ports on Sup :) $62,240.00 (USD) **

Please realize that the above is list vs. list. Cisco 6500 series hardware is extremely popular in the secondary market, with discounts of 80% or greater on linecards, etc common, furthering the argument that Cisco is the cheaper of the two solutions.

As a box designed with the enterprise datacenter in mind, the E-series looks to be missing several key service provider features, including MPLS and advanced control plane filtering/policing. Ah, because Cisco does either of these in hardware? Yes, they do, on the s720-3B and better. No, they don't.
There are *no* *zero* providers doing line-speed uRPF on Cisco for a reason. Stop reading, start testing. Cisco absolutely does MPLS and control-plane policing in hardware on the SUP720 (3B and higher), ditto uRPF. Force 10 doesn't even support the first two last I checked! On the subject of uRPF, it's true, Cisco's implementation is less than ideal, and is not without caveats. Nobody seems to get this right, though Juniper tries the hardest. Practically speaking, it can be made to work just fine. Possible solutions commonplace among larger tier 1/2 providers include having your OSS auto-generate an inbound access-list against a list of networks routed to the customer, or just applying a boilerplate don't allow bad stuff filter on the ingress. uRPF strict as a configuration default, on customers without possible asymmetry (multihoming, one-way tunneling, etc) is not a bad default. But when the customers increase in complexity, the time might come to relax things some. It's certainly not a be-all-end-all. And it's been demonstrated time after time here that anti-spoof/bogon filtering isn't even a factor in most large-scale attacks on the public Internet these days. Think massively sized, well connected, botnets. See also CP attacks (which, again, the F10 can't even help you with). Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Thursday 04 September 2008 15:47:01 Paul Wall wrote: uRPF strict as a configuration default, on customers without possible asymmetry (multihoming, one-way tunneling, etc) is not a bad default. But when the customers increase in complexity, the time might come to relax things some. It's certainly not a be-all-end-all.

Our experience with uRPF has been some unpleasant badness when dealing with a few private peers. Our private peering routers don't hold full routes (naturally), so we had to relax (even) the loose-mode uRPF scheme we had for this because some of our peers were leaking our routes to the Internet.

Customer-facing, strict-mode uRPF is standard practice across the board for all customers single-homed to us. Customers for whom we know have multiple connections get loose-mode uRPF. For good measure, each edge router has outbound ACL's on the core-facing interfaces catching RFC 1918 and RFC 3330 junk.

On border (transit) routers, we employ loose-mode uRPF with no issues, since these carry a full table. In addition, we catch inbound RFC 1918 and RFC 3330 with ACL's; and just to see how crazy things get, we stick our own prefixes in there since we really shouldn't be seeing them as sources from the wild. It's quite interesting how many matches we log, particularly for own addresses, on transit and peering links. Of course, the RFC 1918 and RFC 3330 are not without increment as well.

No filtering in the core.

Cheers, Mark.
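An editor-added worked example, not part of the thread and not anyone's production configuration: the strict/loose uRPF distinction and the edge ACL scheme Mark describes, modelled in Python against a small constructed FIB. Interface names (cust1, cust2a/cust2b, peer0, transit0), the documentation prefixes used for customers, peer and "own" space, and the bogon subset are all assumptions. The `allow_default` flag models the usual router behaviour of not counting the default route toward the check unless told to.

```python
"""Strict- and loose-mode uRPF checks and the accompanying edge ACLs.

Added example (not from the thread). FIB contents, interface names and
prefixes are constructed from documentation address space.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, egress interface)

# Constructed FIB. cust1 is single-homed; cust2a/cust2b are two links to one
# multihomed customer whose prefix we currently prefer via cust2a; peer0 is a
# private peer; transit0 carries only the default route in this toy table.
FIB: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "transit0"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust1"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust2a"),
    (ipaddress.ip_network("192.0.2.0/24"), "peer0"),
]
IFACE_ROLE = {"cust1": "customer", "cust2a": "customer", "cust2b": "customer",
              "peer0": "peer", "transit0": "transit"}
MULTIHOMED = {"cust2a", "cust2b"}           # loose mode instead of strict

# Subset of the RFC 1918 / RFC 3330 special-use space that must never be a source.
BOGON_ACL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
# Our own assignments: legitimate on customer links, never a source from the wild.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]


def lookup(addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the FIB; None if not even the default matches."""
    best: Optional[Route] = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf(src: str, ingress: str, mode: str, allow_default: bool = False) -> Tuple[bool, str]:
    """(passes, reason) for a packet with source `src` arriving on `ingress`.

    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source is enough, whatever interface it points at.
    The default route counts only when allow_default is set; with it counted,
    loose mode passes every source there is, which is the classic caveat.
    """
    hit = lookup(ipaddress.ip_address(src))
    if hit is None:
        return False, "no route to source"
    prefix, egress = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False, "source covered only by the default route"
    if mode == "loose":
        return True, f"route to source exists (via {egress})"
    if mode == "strict":
        if egress == ingress:
            return True, f"best path to source is back out {ingress}"
        return False, f"best path to source is via {egress}, packet arrived on {ingress}"
    raise ValueError(f"unknown mode {mode!r}")


def edge_policy(src: str, ingress: str) -> Tuple[str, str]:
    """Mark's scheme: bogon ACL everywhere, own-prefix ACL on peer/transit ingress,
    strict uRPF on single-homed customers, loose on multihomed customers,
    peers and transit."""
    addr = ipaddress.ip_address(src)
    role = IFACE_ROLE[ingress]
    if any(addr in n for n in BOGON_ACL):
        return "deny", "bogon ACL"
    if role in ("peer", "transit") and any(addr in n for n in OWN_PREFIXES):
        return "deny", "own prefix seen as source from the wild"
    mode = "strict" if role == "customer" and ingress not in MULTIHOMED else "loose"
    ok, why = urpf(src, ingress, mode)
    return ("permit" if ok else "deny"), f"{mode} uRPF: {why}"


if __name__ == "__main__":
    for src, iface in [("203.0.113.7", "cust1"), ("198.51.100.9", "cust1"),
                       ("198.51.100.9", "cust2b"), ("8.8.8.8", "peer0"),
                       ("203.0.113.7", "transit0"), ("10.1.2.3", "cust1")]:
        print(f"{src:>14} on {iface:<8} -> {edge_policy(src, iface)}")
```

The `("8.8.8.8", "peer0")` case is the peering-router problem in the message above: a router that holds only peer and customer routes has nothing but the default for most of the Internet, so loose mode drops any source it has no specific route for, and the only ways out are counting the default (which makes the check meaningless) or relaxing the check on those links.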
Re: ingress SMTP
re: intercepting port 25 calls and routing them to the ISP's own SMTP server.

Consider an employee of chocolate.com working from home. He connects to Chocolate.com's SMTP server to send mail, but his ISP intercepts the connection and routes the email via its own. The email will then be sent by the ISP's SMTP server. In a context where SPF has been implemented, it means that the email will have been sent by an SMTP server that has not been authorized to send emails from chocolate.com and thus rejected by the recipient, and it is not clear how the rejection message would be handled. Also, the ISP might not only intercept the call, but then reject the email because it doesn't have a From from the ISP's domain.

Secondly, and more importantly: if you are dealing with mass market ISPs who have clear "no servers" policies, then no customer would have a legitimate need to run an SMTP server from home. However, there are smaller ISPs who do cater to SOHO/small businesses, and those would have legitimate needs to run their own SMTP servers; if the small ISP ends up using last mile from a large ISP, that large ISP would be negatively impacting the smaller ISP's customers.

One option is to block port 25, but allow unblocking on an individual basis to those who have fixed IPs or make a good justification to their ISP that they need the port unblocked.

In terms of mass-market people using email services from outside of their ISP (hotmail, yahoo, gmail), then I guess port 587 would be the required way to get it done.
Re: Force10 Gear - Opinions
Paul Wall wrote: Please realize that the above is list vs. list. Cisco 6500 series hardware is extremely popular in the secondary market, with discounts of 80% or greater on linecards, etc common, furthering the argument that Cisco is the cheaper of the two solutions.

Secondary market prices aren't a fair measure, unless you include the corresponding cost for software and support. And the fact is, when we put this out for an RFP, we ended up with Force10 having the lowest price by a fair margin; the closest competitor in price was Foundry, with Cisco a distant third. List prices aren't a good measure of actual price; they're a number for salesmen to compare their discount to, to make people feel special.

In short: You can get the Force10 cheap.
Re: ingress SMTP
On Wed, 3 Sep 2008, Jay R. Ashworth wrote: Well, that depends on MUA design, of course, but it's just been pointed out to me that the RFC says MAY, not MUST. Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter says: 3.1. Best Practices for Submission Operation Submission Authentication: MSAs MUST perform authentication on the identity asserted during all mail transactions on the SUBMISSION port, even for a message having a RCPT TO address that would not cause the message to be relayed outside of the local administrative domain. Tony. -- f.anthony.n.finch [EMAIL PROTECTED] http://dotat.at/ FISHER GERMAN BIGHT: SOUTHWESTERLY 5 TO 7, OCCASIONALLY GALE 8 IN GERMAN BIGHT, DECREASING 4 AT TIMES. ROUGH OR VERY ROUGH, BECOMING MODERATE LATER. SQUALLY SHOWERS. MODERATE OR GOOD.
Re: ingress SMTP
On Thu, 4 Sep 2008, Jean-François Mezei wrote: Consider an employee of chocolate.com working from home. he connects to Chocolate.com's SMTP server to send mail, but his ISP intercepts the connection and routes the email via its own. The email will then be sent by the ISP's SMTP server. A user that has this problem has failed to choose the right port number and set up SMTP authentication and TLS properly. Tony. -- f.anthony.n.finch [EMAIL PROTECTED] http://dotat.at/ ROCKALL MALIN: MAINLY NORTHERLY 4 OR 5 INCREASING 5 TO 7, PERHAPS GALE 8 LATER IN ROCKALL. MODERATE OR ROUGH. SHOWERS. GOOD.
Re: ingress SMTP
On Wed, 3 Sep 2008, Keith Medcalf wrote: Why would the requirements for authentication be different depending on the port used to connect to the MTA?

It's easier to configure the MTA if you make a distinction between server-to-server traffic and client-to-server traffic. In fact my systems distinguish three classes of traffic: MX, message submission, and smarthost.

The MX service has lots of anti-spam features. You want to separate it from the others so that techniques like teergrubing don't make message submission painfully slow. You can also avoid interoperability problems with server-to-server TLS. You can limit the number of connections used by the MX service so that when it is being hammered by spammers, you can reserve some capacity so that message submission and outgoing relay still work.

Having a message submission service that always requires TLS and authentication makes it easier for users to check their configuration. A mistake such as not turning on AUTH can be hidden when they test on their home network, only to be discovered later when they are roaming far from tech support.

Separating your smarthost (outgoing relay service) from your MX can avoid some strange problems. Back in the dim and distant past before remote AUTHed message submission and before separate MX and smarthost, our roaming users who failed to change their smarthost setting would have working email when contacting colleagues but not anyone else, with a mysterious "relaying is not permitted" error instead of something clear and helpful. There's also some advantage to making it harder for spammers to work out the name of your smarthost: we once (years ago) had a problem with an open web proxy that spammers used as the first half of a two-stage open relay, the second half of which was the MX of the proxy's parent domain.

We separate these functions by having separate names and IP addresses for each one. They are all just facets of the same MTA, so we don't have to maintain lots of different configurations.

Tony.
-- 
f.anthony.n.finch [EMAIL PROTECTED] http://dotat.at/
LUNDY FASTNET IRISH SEA: WESTERLY OR SOUTHWESTERLY 4 OR 5, BECOMING CYCLONIC OR NORTHEASTERLY 5 TO 7, PERHAPS GALE 8 LATER. ROUGH OR VERY ROUGH. RAIN OR SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
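An editor-added worked example, not Tony's configuration and not from the thread, covering both the RFC 5068 point quoted earlier (MSAs MUST authenticate on the submission port even for local recipients) and the three listener classes described above: a small policy engine in Python that applies a different rule set to the same MTA depending on whether a session came in as MX (port 25), submission (port 587) or smarthost. The local domain, the trusted smarthost network, the password table and the "XBL" set are constructed stand-ins; the reply codes follow common SMTP enhanced-status usage but are this example's choices, not any particular MTA's wording.

```python
"""One MTA, three listener classes: MX, message submission and smarthost.

Added example, not from the thread. Domains, networks, credentials and the
DNSBL stand-in are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_DOMAINS = {"example.org"}                              # constructed: domains we are MX for
SMARTHOST_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # constructed: our own hosts may relay unauthenticated
XBL_LISTED = {ipaddress.ip_address("198.51.100.23")}         # constructed stand-in for a DNSBL hit
VALID_PASSWORDS = {"alice": "correct horse"}                  # constructed; a real MSA uses SASL against a backend


@dataclass
class Session:
    service: str          # "mx", "submission" or "smarthost"
    client_ip: str
    tls: bool = False
    user: str = ""        # non-empty once AUTH succeeded


def smtp(sess: Session, verb: str, arg: str = "") -> str:
    """Apply the per-service policy to one SMTP command; returns the reply line."""
    client = ipaddress.ip_address(sess.client_ip)
    if verb == "STARTTLS":
        sess.tls = True
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        if sess.service == "mx":
            return "503 5.5.1 AUTH not offered on this service"   # server-to-server traffic only
        if not sess.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"  # never take a password in the clear
        user, _, password = arg.partition(":")
        if VALID_PASSWORDS.get(user) == password:
            sess.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"
    if verb == "MAIL":
        if sess.service == "mx" and client in XBL_LISTED:
            return "554 5.7.1 Client host listed in XBL"            # anti-spam checks live on the MX side only
        if sess.service == "submission" and not (sess.tls and sess.user):
            return "530 5.7.0 Authentication required"              # RFC 5068 3.1: MSAs MUST authenticate, even for local RCPTs
        if sess.service == "smarthost" and not (sess.user or any(client in n for n in SMARTHOST_NETS)):
            return "554 5.7.1 Relay access denied"
        return "250 2.1.0 Sender ok"
    if verb == "RCPT":
        domain = arg.rpartition("@")[2].lower()
        if sess.service == "mx" and domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"                  # the MX never relays, whoever is asking
        return "250 2.1.5 Recipient ok"
    return "500 5.5.2 Command not recognized"


def run(service: str, client_ip: str, script: List[Tuple[str, str]]) -> List[str]:
    """Drive one session through (verb, argument) pairs; returns the reply codes."""
    sess = Session(service, client_ip)
    return [smtp(sess, verb, arg)[:3] for verb, arg in script]


if __name__ == "__main__":
    # The roaming user who still points at the MX: colleagues work, outsiders do not.
    print(run("mx", "198.51.100.24", [("MAIL", "alice@example.org"),
                                      ("RCPT", "bob@example.org"),
                                      ("RCPT", "carol@elsewhere.example")]))
    # Same user on the submission service, done properly.
    print(run("submission", "198.51.100.24", [("STARTTLS", ""), ("AUTH", "alice:correct horse"),
                                              ("MAIL", "alice@example.org"),
                                              ("RCPT", "carol@elsewhere.example")]))
```

The first `__main__` case reproduces the "relaying is not permitted" symptom from the message above; the second shows why a submission listener that refuses MAIL without TLS and AUTH surfaces a missing-AUTH misconfiguration on the first test rather than weeks later on the road.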
Re: ingress SMTP
Robert Bonomi wrote: One small data-point -- on a personal vanity domain, approximately 2/3 of all the spam (circa 15k junk emails/month) was 'direct to inbound MX' transmissions. The vast majority of this is coming from end-user machines outside of North America.

This confirms the limited data I have. I configure my edge firewall (pf) to drop anything to/from the Spamhaus DROP list, as well as sendmail to use their XBL. The DROP list seems like it blocks mostly MX lookups (nice to see the blocking of mail start so early in the process!), so it is hard to say how many SMTP connections never happen (remote server/bot does not know where to connect). The XBL list, which is mostly residential IPs around the world, seems to be the single most effective technique in blocking incoming traffic-- on port 25. Obviously, these connections are coming from ISPs that do *not* block egress TCP 25.

Slightly off topic-- I found it quite easy to configure the DROP list to work with pf (or is that the other way around?). I would be happy to share the small Perl script that updates the pf table. When I configured the DROP list on a free public wireless system I maintain, I was amazed at how much egress traffic it blocked-- obviously rogue/bad/evil webservers, IRC hosts, etc. I wonder if anyone else is using it that way?

... alec

-- 
Alec Berry
Senior Partner and Director of Technology
RestonTech, Ltd. http://www.restontech.com/
PGP/GPG key 0xE8E9030F http://alec.restontech.com/#PGP
Phone: (703) 234-2914
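An editor-added worked example of the DROP-list-into-pf-table idea Alec describes; it is not his Perl script and not from the thread. The sample list text is constructed in the drop.txt layout (';' begins a comment, entries are "CIDR ; SBLnnn") with made-up SBL numbers and documentation prefixes; the table name `droplist`, the file path and the pf.conf lines quoted in the comments are assumptions. The `pfctl -t <table> -T replace -f <file>` invocation is the standard way to swap a table's contents in one step.

```python
"""Parse a Spamhaus DROP list, build a pf table file and check addresses against it.

Added example (not Alec's script). DROP_TEXT is a constructed sample; the table
name, file path and pf.conf fragment are assumptions.
"""
import ipaddress
import subprocess
from typing import List, Optional

# Constructed sample in the drop.txt layout. The last line models a partially
# downloaded or corrupted list: it must be skipped, not abort the update.
DROP_TEXT = """\
; Spamhaus DROP List 2008/09/04 - (c) 2008 The Spamhaus Project
; http://www.spamhaus.org/drop/drop.lasso
203.0.113.0/24 ; SBL11111
198.51.100.128/25 ; SBL22222
192.0.2.0/24 ; SBL33333
not-a-prefix ; SBL44444
"""

TABLE = "droplist"                # assumed pf table name
TABLE_FILE = "/etc/pf/droplist"   # assumed path. Matching pf.conf (assumed):
#   table <droplist> persist file "/etc/pf/droplist"
#   block drop quick from <droplist>
#   block drop quick to <droplist>


def parse_drop(text: str) -> List[ipaddress.IPv4Network]:
    """Return the listed networks; comments and unparsable lines are skipped."""
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split(";", 1)[0].strip()     # drops "; SBLnnn" tails and whole-line comments
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            print(f"line {lineno}: skipping unparsable entry {entry!r}")
    return nets


def pf_table_text(nets: List[ipaddress.IPv4Network]) -> str:
    """One CIDR per line, sorted: the format `pfctl -T replace -f` reads."""
    return "".join(f"{n}\n" for n in sorted(nets))


def is_listed(ip: str, nets: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """The DROP entry covering `ip`, or None; handy for checking a log line by hand."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def reload_table(nets: List[ipaddress.IPv4Network], dry_run: bool = True) -> List[str]:
    """Write the table file and replace the live table's contents atomically.

    Refuses an empty list: a failed download must not silently open the firewall.
    Returns the pfctl argv so callers (and tests) can see what would run."""
    if not nets:
        raise RuntimeError("refusing to replace the table with an empty list")
    cmd = ["pfctl", "-t", TABLE, "-T", "replace", "-f", TABLE_FILE]
    if not dry_run:
        with open(TABLE_FILE, "w") as fh:
            fh.write(pf_table_text(nets))
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    listed = parse_drop(DROP_TEXT)
    print(pf_table_text(listed), end="")
    print("198.51.100.200 ->", is_listed("198.51.100.200", listed))
    print(" ".join(reload_table(listed)))   # dry run: prints the command only
```

Because the rule pair blocks traffic in both directions, anything the parser lets through becomes an outright blackhole for that prefix, which is why the parser logs and skips bad lines individually and the reload refuses an empty result rather than treating either as harmless.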
RE: Force10 Gear - Opinions
uRPF strict as a configuration default, on customers without possible asymmetry (multihoming, one-way tunneling, etc) is not a bad default. But when the customers increase in complexity, the time might come to relax things some. It's certainly not a be-all-end-all. And it's been demonstrated time after time here that anti-spoof/bogon filtering isn't even a factor in most large-scale attacks on the public Internet these days. Think massively sized, well connected, botnets. See also CP attacks (which, again, the F10 can't even help you with). Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). james
Re: ingress SMTP
In article [EMAIL PROTECTED] you write: Robert Bonomi wrote: One small data-point -- on a personal vanity domain, approximately 2/3 of all the spam (circa 15k junk emails/month) was 'direct to inbound MX' transmissions. The vast majority of this is coming from end-user machines outside of North America. This confirms the limited data I have. I configure my edge firewall (pf) to drop anything to/from the Spamhaus DROP list, as well as sendmail to use their XBL. The DROP list seems like it blocks mostly MX lookups (nice to see the blocking of mail start so early in the process!), so it is hard to say how many SMTP connections never happen (remote server/bot does not know where to connect). The XBL list, which is mostly residential IPs around the world, seems to be the single most effective technique in blocking incoming traffic-- on port 25. Obviously, these connections are coming from ISPs that do *not* block egress TCP 25.

You do realise that there are mail clients that check MX records *before* submitting email (or before on sending the email) so that typos get detected in the client before any email is sent from the client. But you would never see those false positives. I know they exist because I've experienced them because I work from home and even though I tunnel email out via the office servers I prefer the typos to be caught locally.

I doubt this will change your mind but it might stop someone else from making a bad decision to do what you are doing.

Mark

Slightly off topic-- I found it quite easy to configure the DROP list to work with pf (or is that the other way around?). I would be happy to share the small Perl script that updates the pf table. When I configured the DROP list on a free public wireless system I maintain, I was amazed at how much egress traffic it blocked-- obviously rogue/bad/evil webservers, IRC hosts, etc. I wonder if anyone else is using it that way? ...
Re: ingress SMTP
Well, that depends on MUA design, of course, but it's just been pointed out to me that the RFC says MAY, not MUST. (That was me.) Note that there are TWO relevant RFCs: RFC 4409 and RFC 5068. The latter says: 3.1. Best Practices for Submission Operation

Thanks, Tony. I hadn't taken account of superseding RFCs, and quoted 2476 to Jay. 2476 permits authN without encouraging or requiring it, but 4409 both obsoletes 2476 and makes authN mandatory, so it's more even than a best practice. It's the law, to the extent that two sites involved in a dispute may or may not consider RFC to be law.

But as I noted privately, sendmail for one enables MSP out of the box without authentication -- or did the last few times I set it up -- so there's certainly a significant base of systems that at least are running MSP on 587 without requiring authentication. In such cases, blocking ports is just whacking moles, whether you ticket and fine the moles for violating RFC or not.

-- 
-D. [EMAIL PROTECTED] NSIT, University of Chicago
Re: ingress SMTP
Mark Andrews wrote: You do realise that there are mail clients that check MX records *before* submitting email (or before on sending the email) so that typos get detected in the client before any email is sent from the client.

I think you are not familiar with the difference between the DROP list and the XBL. The DROP list is *not* an RBL! I do not allow any traffic at all to or from the DROP list-- including MX lookups. I can't think of any good reasons why I would. The XBL is used only to block mail transport-- it is configured in sendmail, not at the firewall.

The scenario you lay out will still work:

- end user on a dial up that happens to be on the XBL (common)
- end user queries MX records, either directly or via their name server
- end user submits mail to their SMTP server (not on the XBL)
- SMTP server transports mail to my system

Unless one of those systems mentioned above is a hijacked name server in Kyiv (and thus on the DROP list), everything will work.

... alec

-- 
Alec Berry
Senior Partner and Director of Technology
RestonTech, Ltd. http://www.restontech.com/
PGP/GPG key 0xE8E9030F http://alec.restontech.com/#PGP
Phone: (703) 234-2914
Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?]
On Mon, Sep 01, 2008 at 11:08:20AM -0400, [EMAIL PROTECTED] wrote: What is your price for cocaine? No, seriously.. If, as some estimates have it, 80% of the traffic is P2P, and as other estimates have it, 90% of that is copyright-infringing, then if that traffic disappears, anybody who was selling transit for that traffic is going to take a *big* revenue hit. Not for long. The *problem* is edge customers having to continually increase the size of their pipes to make room for the good stuff amongst the crap. If the crap goes away, there will then be room for the chicken and egg problem with the steady march of IPTV etc to finally take off for real, I should think... I think it's very disingenuous to pretend that there have been *no* providers that haven't said to themselves We're selling to scum, but it pays the bills, and we'd be in bankruptcy court otherwise... Sure. And those are the people we don't *care* if they take it in the wallet, no? Cheers, -- jra -- Jay R. Ashworth Baylink [EMAIL PROTECTED] Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)
Cisco uRPF failures
(changing subject line) On Sep 3, 2008, at 7:06 PM, Rubens Kuhl Jr. wrote: This statement is patently false. The uRPF failures I dealt with were based entirely on the recommended settings, and were confirmed by Cisco. Last I heard (2 months ago) the problems remain. Cisco just isn't being honest with you about them. Would you mind telling us what is the scenario so we can avoid it?

That's the surprising thing -- no scenario. Very basic configuration. Enabling uRPF and then hitting it with a few gig of non-routable packets consistently caused the sup module to stop talking on the console, and various other problems to persist throughout the unit, ie no arp response. We were able to simulate this with two PCs directly connected to a 6500 in a lab. If I remember right, we had to enable CEF to see the problem, but since CEF is a kitchen sink that dozens of other features require you simply couldn't disable it.

We also discovered problems related to uRPF and load balanced links, but those were difficult to reproduce in the lab and we couldn't affect their peering, so we had to disable uRPF and ignore so I don't have much details.

I kept thinking that this was a serious problem that Cisco would address quickly, but that turns out not to be the case. To this day I've never found a network operator using uRPF on Cisco gear. (note: network operator. it's probably fine for several-hundred-meg enterprise sites)

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Sep 3, 2008, at 8:45 PM, Paul Wall wrote: Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) I am. All of these boxes can forward packets at line rate, and list for a fraction of the price of the Force 10 S-Series. You and I (and any real network operator) must have different definitions of forward at line rate. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
uRPF
On Sep 4, 2008, at 1:34 AM, Mark Tinka wrote: catch inbound RFC 1918 and RFC 3330 with ACL's; and just to see how crazy things get, we stick our own prefixes in there since we really shouldn't be seeing them as sources from the wild. So you are talking single site, or single peering location? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
BCP38 dismissal
On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy. On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: BCP38 dismissal
I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Indeed it is important. And we were discussing about the fact that Force10 does not even offer this critical feature. Anyone else want to stand up and join the I am an asshole club? You are falsely claiming that somehow we're dismissing BCP38 or otherwise writing it off as some kind of non-important hassle. You are confused and misinformed as to the concurrent nature of the ongoing discussion and your assumptions are far from what I personally think about BCP38. It appears you are the first member of I am an asshole club by the strict title definition. james
Re: BCP38 dismissal
Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now. On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote: Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy. On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Thu, Sep 4, 2008 at 12:36 PM, Jo Rhett [EMAIL PROTECTED] wrote: Linksys, D-Link, SMC, etc are able to pull it off on the layer 3 switches sold at Fry's for a couple benjamins a pop. :) I am. All of these boxes can forward packets at line rate, and list for a fraction of the price of the Force 10 S-Series. You and I (and any real network operator) must have different definitions of forward at line rate. forwards a gig-e full of 64 byte packets, random src/dst, when you hook a smartbits/ixia up to it is mine. What's yours? Mind you, this is probably one of the more useless metrics for vendor selection these days, and nobody has a major problem with it. Drive Slow, Paul Wall
Re: BCP38 dismissal
On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote: Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now. No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing? (Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.) -- TTFN, patrick On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote: Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy. On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp- policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Thu, Sep 4, 2008 at 12:40 PM, Jo Rhett [EMAIL PROTECTED] wrote: You added a third SFM3 which has no place to go in this chassis. No, I did not. I did, however, list it as a point of reference for a-la-carte analysis. So $52,500 versus $62,240 for the Cisco. No, $65000.00 vs $62240.00. Then you need to add recertify cost, which isn't cheap. And given that you can purchase Force10 stuff *NEW* at 60% discount, you're pitting new against used for similar prices. Yes and no. Level3 might have an aversion to running random refurbs in production (just using them as an example, they also might not :). Smaller hosting or SP shop represented on the list, not so much. And 60 points off Cisco is possible, even for small shops with some negotiating ability. Drive Slow, Paul Wall
Re: Force10 Gear - Opinions
On Sep 4, 2008, at 10:03 AM, Paul Wall wrote: You and I (and any real network operator) must have different definitions of forward at line rate. forwards a gig-e full of 64 byte packets, random src/dst, when you hook a smartbits/ixia up to it is mine. What's yours? Forwards a mixed bag of small and large packets from tens of thousands of streams (not random) 1. at sub-millisecond latency 2. no packet loss at full line rate on multiple ports 3. deals appropriately with multiple ports at full line rate leading to a single port And finally, is responsive to operator control even when full line rate is directed at switch itself. Note the not random comment. People love to use the random feature of ixia/etc but it rarely displays actual performance in a production network. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? OK, I'm an asshole. I'm sure BCP38 can prove to be useful, but I'll never drop my shields. I guess being an asshole is not so bad given that I have plenty of company.
Re: BCP38 dismissal
On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote: I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean? Paul Wall
Re: BCP38 dismissal
Patrick, it would appear that you are insulting me by your choice of quotes but from content one would assume you agree with me. Perhaps next time quote the idiot that said attacks BCP38 would stop don't happen any more? (top posted because the thread is already confused) On Sep 4, 2008, at 10:05 AM, Patrick W. Gilmore wrote: On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote: Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now. No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing? (Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.) -- TTFN, patrick On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote: Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy. On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp- policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Force10 Gear - Opinions
On Sep 4, 2008, at 10:07 AM, Paul Wall wrote: On Thu, Sep 4, 2008 at 12:40 PM, Jo Rhett [EMAIL PROTECTED] wrote: You added a third SFM3 which has no place to go in this chassis. No, I did not. I did, however, list it as a point of reference for a-la-carte analysis. So $52,500 versus $62,240 for the Cisco. No, $65000.00 vs $62240.00. I have a current spreadsheet here, and trust me your math went wrong somewhere. A completely full chassis is only a bit more than what you are quoting (at list) and the chassis itself is practically free. But no, I'm not going to redo the math. I'm not a F10 salesperson and I have much more important things to do right now. (not trying to be rude, just seriously...) -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 10:14 AM, Paul Wall wrote: On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote: I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean? No. Because our F10s aren't susceptible to that, period. I think this whole control panel policing is flat out wrong, but honestly to argue that point I'd have to do some research into what Cisco is doing these days (never had most of the good anti-dos and flood-control stuff F10 has last time I looked) and frankly, it's not within my scope of work so I left that alone. The focus of my comment was on the BCP38 isn't important, because *THAT* is something that causes grief for me (and everyone) in the day job. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 10:14 AM, james wrote: OK, I'm an asshole. I'm sure BCP38 can prove to be useful I guess being an asshole is not so bad given that I have plenty of company. It is unfortunately true that you do have lots of company. If I could get away with dropping all routes from people like you I'd be a lot happier. (and we'd all be a lot safer) -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 1:14 PM, james wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? OK, I'm an asshole. I'm sure BCP38 can prove to be useful, but I'll never drop my shields. I am pretty certain James was not suggesting you drop your shields. My understanding is he thinks anyone who -only- protects their own router CPUs, but lets random packets leave their network with fake source addresses for other networks is an ass hole (shields up or not). Assuming that is what he meant, I agree with him. Now, would you care to reiterate your ass-hole-ness and admit to 10s of 1000s of your closest friends that you let your users attack them (and me!) in undetectable ways, make things like the Kaminsky DNS vulnerability possible, etc.? -- TTFN, patrick
Re: Force10 Gear - Opinions
And 60 points off Cisco is possible, even for small shops with some negotiating ability. That's not our experience; it seems that BUs protecting margins talk louder than the sales guys, so when it reaches discounts like that, even because of lack of adequate product from Cisco (lower gear can't handle it, big gear is too expensive), the competition winning is worse to Cisco but better to the BU numbers, so they leave it to that. Rubens
Re: BCP38 dismissal
On Sep 4, 2008, at 10:14 AM, james wrote: OK, I'm an asshole. I'm sure BCP38 can prove to be useful I guess being an asshole is not so bad given that I have plenty of company. It is unfortunately true that you do have lots of company. If I could get away with dropping all routes from people like you I'd be a lot happier. (and we'd all be a lot safer) Let me put this another way. Calling people names doesn't promote your interests. It starts flame wars.
Re: Force10 Gear - Opinions
I've recently seen Cisco lose an approx ~$1MM deal at an all Cisco shop to Force10. Cisco wouldn't better mid 40's discount. On Thu, Sep 4, 2008 at 2:23 PM, Rubens Kuhl Jr. [EMAIL PROTECTED] wrote: And 60 points off Cisco is possible, even for small shops with some negotiating ability. That's not our experience; it seems that BUs protecting margins talk louder than the sales guys, so when it reaches discounts like that, even because of lack of adequate product from Cisco (lower gear can't handle it, big gear is too expensive), the competition winning is worse to Cisco but better to the BU numbers, so they leave it to that. Rubens
Re: BCP38 dismissal
On Sep 4, 2008, at 1:12 PM, Jo Rhett wrote: Patrick, it would appear that you are insulting me by your choice of quotes but from content one would assume you agree with me. Perhaps next time quote the idiot that said attacks BCP38 would stop don't happen any more? (top posted because the thread is already confused) Sorry for the confusion. Yes, I am a BCP38 evangelist. I apologize if it came across wrong. -- TTFN, patrick On Sep 4, 2008, at 10:05 AM, Patrick W. Gilmore wrote: On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote: Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now. No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing? (Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.) -- TTFN, patrick On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote: Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy. On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp- policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? 
-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, Sep 04, 2008 at 01:14:20PM -0400, Paul Wall wrote: On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote: I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean? Hey Paul, would you be able to demonstrate this problem? I'd like to see it so that we can investigate and fix it. You are correct that the first generation of E-Series hardware (EtherScale) had little control plane protection. The current E-Series hardware (TeraScale) has a completely different architecture that rate limits, queues and filters all packets destined to the control plane. Greg* (* I am currently employed by Force10.) -- Greg Hankins [EMAIL PROTECTED]
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here). Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: BCP38 dismissal
Sorry for the confusion. ^ Yes, I am a BCP38 evangelist. I apologize if it came across wrong. ^^^ OK, Patrick is setting an example. Could we all do likewise and get back to a civil conversation? TTFN, patrick Kudos for a good example. People on this list should not be surprised that other list members do not know everything. This doesn't make them idiots, it just means that there is an opportunity for you to politely educate them and hopefully gain a few converts to whatever cause you are championing. --Michael Dillon
Re: BCP38 dismissal
On Sep 4, 2008, at 3:38 PM, Gadi Evron wrote: On Thu, 4 Sep 2008, Jo Rhett wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here). Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was. Gadi, Do you really want to suggest to people that they not implement BCP38? -- TTFN, patrick
Re: BCP38 dismissal
On Sep 4, 2008, at 12:38 PM, Gadi Evron wrote: Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was. Nice going, Gadi -- let's insult someone who does a good job of protecting your network from his customers. I spend at least 8 hours a week tracking down attacks originating from non-BCP38 networks. This is still a real problem, and the idea that BCP-38 is some fad that is irrelevant now ... I have no words for this kind of idiocy. Everyone should be doing BCP-38. Why don't you apply this to your network, instead of sitting around insulting people for your incorrect assumptions about their job? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Patrick W. Gilmore wrote: On Sep 4, 2008, at 3:38 PM, Gadi Evron wrote: On Thu, 4 Sep 2008, Jo Rhett wrote: On Sep 4, 2008, at 7:24 AM, James Jun wrote: Indeed... In today's internet, protecting your own box (cp-policer/ control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets). I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club? I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here). Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was. Gadi, Do you really want to suggest to people that they not implement BCP38? No. Thank you for calling me on not explaining well. I suggest that the guy is right. People should take care of their security first before going out and shouting at the world. That said, I also state that he is probably not in touch with what's been going on in the past few years. Meaning, botnets *do* use spoofing, and DNS amplification attacks. The threat is not theoretical for a few years now and he may simply not be in on it. As to preaching BCP38, well... it's not an easy leap of thought to make, that your security is tied into the state of security of a box sitting half-way around the world. But that's the case. Gadi. -- TTFN, patrick
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote: On Sep 4, 2008, at 12:38 PM, Gadi Evron wrote: Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was. Nice going, Gadi -- let's insult someone who does a good job of protecting your network from his customers. I spend at least 8 hours a week tracking down attacks originating from non-BCP38 networks. This is still a real problem, and the idea that BCP-38 is some fad that is irrelevant now ... I have no words for this kind of idiocy. Everyone should be doing BCP-38. Why don't you apply this to your network, instead of sitting around insulting people for your incorrect assumptions about their job? I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there. So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 2:56 PM, Gadi Evron wrote: I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there. Yeah, I think the threading was getting confused quite a bit. So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it. On that you'll have to speak for yourself. We have it on every customer port ;-) -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote: On Sep 4, 2008, at 2:56 PM, Gadi Evron wrote: I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there. Yeah, I think the threading was getting confused quite a bit. So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it. On that you'll have to speak for yourself. We have it on every customer port ;-) Now that is interesting. Can you share a bit about your implementation hardships, costs, customer complaints, etc? Gadi. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it. On that you'll have to speak for yourself. We have it on every customer port ;-) I hope you *also* have it on your NOC and everywhere else that it is practical to have it. Every machine can potentially be taken over and used as a launch point. Mark -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: ingress SMTP
On Thu, Sep 04, 2008 at 02:01:48PM +1200, Mark Foster wrote: So in terms of the OP, I don't see why joe-user on a dynamic-IP home connection should need the ability to use port 25 to talk to anywhere but their local ISP SMTP server on a normal basis[1]. What's a normal basis? My Home ISP won't let me send to more than 200 (or so) email addresses per day. If I used my ISP's email system I would constantly be losing my email service due to hitting the limit. I do the field scheduling for my local town soccer league. [Never volunteer! :-) ] So when I send a few announcements out to coaches, referees and administrators, I hit that limit and get my email shut off for two days or so. I eventually switched to MailHop at DynDNS (smtp auth) I would have used port 25 but our ISP has begun blocking outbound port 25 nationwide, due to large amount of outbound spam from their customers. :-) *rest snipped* Is the above described limitation a common occurrence in the world-at-large? I've not heard of ISPs doing number-of-recipients-per-day limitations. I've heard of them doing number-of-recipients-per-email limitations (thus limiting large cc/bcc lists) but not total number of emails. Who's to say that there aren't legitimate reasons to email a large number of people - perhaps your customers?? Certainly if my own ISP did something like that, you're quite right, I'd have to find an alternative. (Or perhaps, an alternative ISP. ) (who set the limit at 200? Can you opt-out of the limit or have it upped?) Mark.
BCP here and there
In my mind, a suite of practices to keep one's garbage contained and not all over the neighbor's lawn is a good thing and covers many bases. RPF/BCP38 seems to be the IP level equivalent of blocking ingress SMTP and forcing delivery through outbound-only servers that check the claimed envelope and/or header senders for sanity relative to the authorized sending networks. If so many people are agreeing on BCP38, what's with the resistance about email, clearly an equally polluted swamp? Why would one not want to view the two issues as much the same problem, at different layers? And yes, I was assuming split-brained mail infrastructure to make port-25 filtering much simpler. To counter someone's counterargument, it could boil down to two ACL lines in *many* places, but clearly not all. Said two lines can come right before the one that says permit ip my-source-only any, couldn't they?? Not in a blanket sense, of course -- these things done *where appropriate* and tuned to known requirements could vastly improve matters, but it seems that even after all these years so many of the appropriate places haven't even been touched let alone fixed. _H*
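The "two ACL lines right before permit ip my-source-only any" idea from the message above, worked through as an added example that is not from the thread: a first-match ACL evaluator in Python that combines the BCP38 egress permit with the two port-25 lines, and shows why the order matters. The customer prefix, the ISP relay address and the sample packets are constructed values, not anything posted to the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (documentation ranges), standing in for the
# customer assignment and the ISP's outbound-only SMTP relay.
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")
ISP_SMTP_RELAY = ipaddress.ip_address("198.51.100.25")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; ignored for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """A /32 match for a single address."""
    return ipaddress.ip_network(f"{addr}/32")


# Rule order as the message describes it: the two SMTP lines sit right
# before the BCP38 line "permit ip my-source-only any". Anything that
# reaches the end hits the implicit deny, which is what drops packets
# leaving the customer port with a source address that is not theirs.
ACL = [
    Rule("permit", "tcp", CUSTOMER_NET, host(ISP_SMTP_RELAY), 25),  # mail via the ISP relay
    Rule("deny",   "tcp", CUSTOMER_NET, ANY, 25),                   # no direct-to-MX port 25
    Rule("permit", "ip",  CUSTOMER_NET, ANY),                       # BCP38: only our own sources
]

# The same three lines with the BCP38 permit first: the port-25 deny can
# never match because every customer-sourced packet already matched above.
MISORDERED_ACL = [ACL[2], ACL[0], ACL[1]]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field the rule constrains."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First-match evaluation with an implicit deny at the end, as on a router."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def classify_samples(acl: list) -> dict:
    """Run a handful of constructed packets through an ACL and return the verdicts."""
    samples = {
        "mail_to_isp_relay": Packet("192.0.2.10", "198.51.100.25", "tcp", 25),
        "mail_direct_to_mx": Packet("192.0.2.10", "203.0.113.7", "tcp", 25),
        "submission_587":    Packet("192.0.2.10", "203.0.113.7", "tcp", 587),
        "https":             Packet("192.0.2.10", "203.0.113.7", "tcp", 443),
        "spoofed_source":    Packet("203.0.113.99", "203.0.113.7", "udp", 53),
    }
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}
```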
BCP IETFs and RFCs
Well at the risk of getting flamed here.. lol I don't believe there is a real clear answer here to this BCP38 debate. Great suggestions, great comments, and great what ifs. From the old days, I always recalled ACLing non-existent scopes within my nets, again not that that is the answer, but it was a recommended practice, and when we saw non-existent spaces trying to leave one of our feeds it was quickly handled internally (i.e. killed the downstream link). As well we always had to do an internal audit of why/who/where the event took place and a remedy to it (HIPAA SOX compliance stuff) While this thread is informative at times, I think the name calling and insults really serve no purpose to it. I recall a funny saying regarding this, opinions are like a..s, everyone has one and everyone else thinks it stinks. Doesn't mean anyone's right. Agree to disagree and let's be on with it. Deja-vu, wasn't there a thread about this same subject a while ago, something regarding RFC2827? Might just be me. Just my 2¢s Regards, -Joe Blanchard I am Joe Blanchard and I approve this message lol