Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Paul Wall [EMAIL PROTECTED] wrote:

Cogent is keeping tabs of the Intercage/Atrivo situation in ticket
HD000789038.  Be sure to e-mail or call them referencing that
number with any information you may have to share.

AboveNet's ticket auto-responder is broken.


I don't have time to pass along intelligence to Cogent, and if I
did feel so inclined, somehow I get the feeling that I would largely
be ignored since I'm not a direct customer.

I'm more inclined to pass along the intelligence to law enforcement,
as many of us have been doing for a couple of years now.

In any event, the badness is still there. Lots of it.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIzz/jq1pz9mNUZTMRAoykAKDT0Z9j7zw8RHpO0fSjBIYdbUCTiACg3koi
F2OWk5qP+5ZsXdBbBcg6cB4=
=Mfgg
-END PGP SIGNATURE-


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/





Re: confusing packet data

2008-09-16 Thread Jim Popovitch
On Tue, Sep 16, 2008 at 00:43, Hank Nussbacher [EMAIL PROTECTED] wrote:
 Are you running Skype?  Have you become a supernode?  There is now a
 registry switch in 3.0 that allows you to disable supernode functionality.

No.  Nothing is running on this host (my laptop) when initiating
etherape.  Also, etherape reports nothing until I initiate some
traffic (i.e. whois www.yahoo.com)

I suspect that Nathan is correct and I have filed a bug report with Debian.

-Jim P.



Re: confusing packet data

2008-09-16 Thread Nathan Ward

On 16/09/2008, at 4:43 PM, Hank Nussbacher wrote:

Are you running Skype?  Have you become a supernode?  There is now a  
registry switch in 3.0 that allows you to disable supernode  
functionality.



This would not cause him to see traffic to and from random addresses.  
Note that traffic is not going to his IP address, but to AND from  
addresses that are not his. That, plus the fact that there 'is'  
traffic on 240/4 and 224/4, and it sounds like a bug.


--
Nathan Ward
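An added example (not from any poster in this thread) of the triage Nathan is doing by eye: classify each source/destination pair a sniffer reports into "plausible", "not-ours" (unicast between two addresses that are neither this host, which a non-promiscuous host on a switched link should never see) or "bogus" (240/4 reserved space, or multicast used as a source, which no real sender produces). The local host address, local subnet and the captured pairs are constructed for the example.

```python
import ipaddress

# Assumed identity of the capturing laptop (constructed, not the poster's real setup).
LOCAL_HOST = ipaddress.ip_address("192.168.1.10")
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed (src, dst) pairs of the kind a sniffer such as etherape would display.
SAMPLE_PAIRS = [
    ("192.168.1.10", "69.147.76.15"),    # this host -> remote: plausible
    ("69.147.76.15", "192.168.1.10"),    # remote -> this host: plausible
    ("192.168.1.1", "224.0.0.1"),        # router -> link-local multicast: normal on a LAN
    ("192.168.1.1", "255.255.255.255"),  # limited broadcast: normal on a LAN
    ("10.0.0.5", "10.0.0.6"),            # neither side is us: only visible if bridged/promiscuous
    ("198.51.100.7", "240.1.2.3"),       # 240/4 destination: bogus
    ("224.1.1.1", "192.168.1.10"),       # multicast as a source: bogus
]

def classify(src, dst, local_host=LOCAL_HOST, local_net=LOCAL_NET):
    """Label one captured pair: 'plausible', 'not-ours' or 'bogus'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Broadcast is checked first because 255.255.255.255 also sits inside 240/4.
    if d == ipaddress.ip_address("255.255.255.255") or d == local_net.broadcast_address:
        return "plausible"
    # 240/4 in either position, or a multicast group as a sender, never occurs legitimately.
    if s.is_reserved or d.is_reserved or s.is_multicast:
        return "bogus"
    # Multicast destinations and anything involving our own address are expected.
    if d.is_multicast or s == local_host or d == local_host:
        return "plausible"
    # Unicast between two other hosts: a non-promiscuous host on a switch should not see it.
    return "not-ours"

def summarize(pairs):
    """Count pairs per label so a capture can be judged at a glance."""
    counts = {}
    for src, dst in pairs:
        label = classify(src, dst)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for src, dst in SAMPLE_PAIRS:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst)}")
    print(summarize(SAMPLE_PAIRS))
```

A capture dominated by "not-ours" pairs points at the link (a bridged modem, a hub, or promiscuous mode) rather than at the host; any "bogus" pair points at the capture or display tool itself, which is the conclusion Nathan draws.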







Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Paul Wall [EMAIL PROTECTED] wrote:

Cogent is keeping tabs of the Intercage/Atrivo situation in ticket
HD000789038.  Be sure to e-mail or call them referencing that
number with any information you may have to share.

AboveNet's ticket auto-responder is broken.


By the way, a lot of folks are watching all domains registered
within Atrivo/Intercage IP address space every day. Here's a few
for you to decide -- and they have been registered only in the past
few days:

undaground.biz
pillshere.net
ukrnic.info (originally registered in Intercage IP space, now
 in UkrTelecom)

This is only a fraction of a percentage of the activities.

We are watching.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIz0ozq1pz9mNUZTMRAnHeAJ4ntfwfiQaQxhTXfs89uo2I3cTJMgCfb41s
M7q+r1sgTSmGL1+vszyHYb0=
=c6jO
-END PGP SIGNATURE-



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Hank Nussbacher

On Tue, 16 Sep 2008, Paul Ferguson wrote:


In any event, the badness is still there. Lots of it.


Not according to this:
http://www.domainnews.com/en/general/estdomains-denies-links-to-malware-distribution.html

The company also has a reliable ally in its battle against malware in a 
face of Intercage, Inc which provides company with the hosting services of 
the highest quality. But the outstanding performance of hosting services 
is not the sole reason why EstDomains, Inc appreciates this partnership so 
greatly. Intercage, Inc generously provides EstDomains, Inc specialists 
with reports regarding discovered malware vehicles. As the main database 
for additional domain name management services is located in Intercage 
Data Center, EstDomains, Inc has the perfect opportunity to get 
notifications of the slightest mark of malware presence in the shortest 
time and take measures in advance.


You really need to read the entire posting and not end up ROTFL.

-Hank



Re: confusing packet data

2008-09-16 Thread Hank Nussbacher

On Mon, 15 Sep 2008, Jim Popovitch wrote:

Are you running Skype?  Have you become a supernode?  There is now a 
registry switch in 3.0 that allows you to disable supernode functionality.


-Hank


This is something that has been bugging me lately. Etherape is a Linux
tool that graphs packets arriving at your host, and shows paths of
connectivity. I captured the graphs, at the URL below, from my Linux
laptop connected to a Linksys wifi router that is hooked to a Comcast
cable modem. Why is it that I can see packet data from IPs all over
the place?

http://picasaweb.google.com/jimpop/Public#

Any insight is much appreciated.

-Jim P.





Anyone know Wiltel's EWAN service

2008-09-16 Thread ChiYoung Joung
I have EWAN circuits from Wiltel (currently the same company as Level3, as you know) as 
my backbone circuit in LA.
About 2 months ago, there was some packet loss on the L2 circuit, but I didn't get 
any clear answer from the Level3 support center.
It became okay without any action, but now the same problem is happening again.  I feel 
bored, I need your help.  
Does anyone know if there are any problems with WilTel's L2 circuit in the LA area?  Or 
could anyone advise me of a contact person who knows the EWAN configuration of 
Wiltel well?
Frankly, I felt the Level3 guys seem to be unfamiliar with Wiltel's EWAN circuit.

Best regards,
Chiyoung
=
 Chi-Young Joung
 SAMSUNG NETWORKS Inc.
 Email: [EMAIL PROTECTED]
 Tel +82 70 7015 0623, Mobile +82 17 520 9193
 Fax +82 70 7016 0031
=

Re: Internet Traffic Begins to Bypass the U.S.

2008-09-16 Thread Max Tulyev

Jean-François Mezei wrote:

Did western europe ever really have a primary route via the USA to reach
asia  ? (I realise that during the cable cuts in middle east last year,
traffic might have been rerouted via USA but this would be a temporary
situation).


Yes.
And the main issue is not technical, but a question of economics and 
disorganisation.


For example, we need Internet connectivity in Kazakhstan. The path 
through TAE (www.taeint.net) or FLAG-Iran-Turkmenistan-Uzbekistan costs 
about $6000 per 1Mbit, and a lot of nerves. The path through China-USA is 
said to be about $100-$400 per 1Mbps and easy to get compared with the first two.


Yes, Europe-Asia satellites are a good way too, and they can give less 
latency than Europe-USA-Asia in some cases. A lot of traffic to Asia and 
the Middle East goes this way. But satellite is expensive, and there is 
even a lack of capacity there. So fiber around the world is cheaper in 
most cases.


--
WBR,
Max Tulyev (MT6561-RIPE, 2:463/[EMAIL PROTECTED])



ATT AS7018 turnup BGP issue

2008-09-16 Thread Erik Sundberg
Can someone from ATT with BGP configuration access please contact me
off list? The provisioning group has been having trouble turning up our
BGP session on our 2xOC3 to AS7018 since 12AM and now it's 4:30AM.

Erik
[EMAIL PROTECTED]



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Patrick W. Gilmore

On Sep 16, 2008, at 1:55 AM, Paul Ferguson wrote:


By the way, a lot of folks are watching all domains registered
within Atrivo/Intercage IP address space every day. Here's a few
for you to decide -- and they have been registered only in the past
few days:

undaground.biz
pillshere.net
ukrnic.info (originally registered in Intercage IP space, now
in UkrTelecom)

This is only a fraction of a percentage of the activities.

We are watching.


Not closely enough.

It seems some people in San Francisco are selling Intercage outbound  
only capacity.  (i.e. letting them send packets and not announcing  
their ASN/prefixes to hide the fact Atrivo is a customer.)


If you find packets from Atrivo coming into your network from a  
network where you do not see a reverse path, please let the rest of us  
know so we can take appropriate action.


--
TTFN,
patrick
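An added example (not Patrick's code) of how to look for what he describes: compare where packets enter against where the routing table would send the reply. It is a strict-uRPF-style check run over flow records rather than on the forwarding path, so it can be run offline against exported flows. The routing table, flow records, prefixes and ASNs are all constructed placeholders, not real Atrivo/Intercage data.

```python
import ipaddress

# Constructed routing table: destination prefix -> neighbor AS our best path uses.
# Documentation prefixes and private-range ASNs stand in for real ones.
ROUTES = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64500,
}

# Constructed flow records: (source address, peer AS the packet arrived from),
# as a flow exporter that tags ingress peer would report them.
FLOWS = [
    ("203.0.113.5", 64500),    # arrives from the peer we route back through
    ("198.51.100.9", 64500),   # we route 198.51.100/24 via AS64501, not AS64500
    ("192.0.2.77", 64500),     # symmetric
    ("100.64.0.3", 64502),     # no route at all: nobody announces this to us
]

def lookup(addr, routes):
    """Longest-prefix match: returns (network, neighbor_asn) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, via in routes.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def find_asymmetric(flows, routes):
    """Flag sources whose reverse path does not go back through the ingress peer.
    'no-reverse-path' means we hold no route for the source at all, which is
    exactly what outbound-only transit with no prefix announcement looks like."""
    findings = []
    for src, ingress_asn in flows:
        hit = lookup(src, routes)
        if hit is None:
            findings.append((src, ingress_asn, "no-reverse-path"))
        elif hit[1] != ingress_asn:
            findings.append((src, ingress_asn, f"reverse-path-via-AS{hit[1]}"))
    return findings

if __name__ == "__main__":
    for src, peer, why in find_asymmetric(FLOWS, ROUTES):
        print(f"{src} in via AS{peer}: {why}")
```

Asymmetric routing is common and legitimate on the Internet, so a "reverse-path-via" hit is only a lead; "no-reverse-path" for a source that keeps sending you traffic is the stronger signal, since a network you hold no route for at all should not be reaching you through a paid transit path.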




Creating a visual Map of a network?

2008-09-16 Thread castellan2004-nsm
I am being tasked to map a network.  In the past I have used nmap to find the 
systems on the local LAN and remote LANs (same enterprise).

This time I want to create a visual map of the LAN.  With cheops, I got reasonably 
good results, but they cannot be documented for managers with certainty. What are 
some good tools now that will create visual maps of the networks?

What is the best way to map a network when ICMP echo has been turned off?

Thank you in advance for any help.

Subba Rao



RE: [SPAM-HEADER] - Today's Point-2Point WAN Options - Email has different SMTP TO: and MIME TO: fields in the email addresses

2008-09-16 Thread Rod Beck
Actually, it is not true that Layer 2 Ethernet is 'best effort'. 

It depends. 

There are Layer 1 Ethernet products that involve no Layer 2 switching or Layer 
2 routing, just an efficient and transparent mapping of Ethernet into 
SDH/SONET. 
And some of those products can be upgraded in 50 meg increments from 100 to 
1,000 megs. 

After you have outgrown your GigE, then you can migrate to a LAN PHY 10 GigE 
link using affordable LAN interfaces and keeping your network 'untainted' by 
SONET/SDH. 

Regards, 

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
13-15, rue Sedaine, 75011 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829. 
French Wireless: 33-6-14-33-48-97.
AOL Messenger: GlobalBandwidth
[EMAIL PROTECTED]
[EMAIL PROTECTED]
``Unthinking respect for authority is the greatest enemy of truth.'' Albert 
Einstein. 



-Original Message-
From: Chris Kleban [mailto:[EMAIL PROTECTED]
Sent: Tue 9/16/2008 12:33 AM
To: nanog@nanog.org
Subject: [SPAM-HEADER] - Today's Point-2Point WAN Options - Email has different 
SMTP TO: and MIME TO: fields in the email addresses
 
Hello Nanog,

I'm currently looking into what are the options for enabling inter-datacenter 
communication.

Our current solution is to use ipsec/gre tunnels traversing over the Internet. 
The specific needs the new solution must meet are:

- The ability to run end-to-end QOS.
- Dedicated bandwidth
- Support 1gbps transfer rates
- Enable communication between 3 locations


The options I have looked into so far are:

- Layer 2 Ethernet (Virtual Private Line): This service seems to be offered by 
a lot of ISPs using various networking techniques. The price point is 
attractive however packets are forwarded only at best effort across the ISP's 
network which means the quality of the service will directly reflect the ISP's 
network performance.
- Traditional Leased Line (dsX/ocX): This service seems to be more expensive 
than wavelength services, however it meets my needs.
- WaveLength Services (oc3-10gig): This service seems to be cheaper than 
traditional leased lines when comparing similar bandwidth. However, 
availability is limited to on-net buildings. This solution meets my needs.
- MPLS based VPN solutions: Seems to be a good point to multipoint technology 
with QOS offerings. However, the price seems to be around the same as 
wavelength services for the amount of bandwidth we require. If the number of 
data centers we were looking to connect was larger, then this option would be 
more attractive. This solution meets my needs.

Based on my needs and what my options are I am leaning towards point to point 
wavelength services connecting my 3 locations in a loop like fashion.


Are there any other options I should consider?

Are my descriptions of today's possible solutions inaccurate?

Are there any thoughts on today's pricing that differ from my findings?


Thanks
Chris Kleban









Re: Creating a visual Map of a network?

2008-09-16 Thread Colin Alston
[EMAIL PROTECTED] wrote:
 I am being tasked to map a network.  In the past I have used nmap to find the 
 systems on the local LAN and remote LANs (same enterprise).
 
 This time I want to create a visual map of the LAN.  With cheops, I got 
 reasonably good results, but they cannot be documented for managers with certainty. 
 What are some good tools now that will create visual maps of the networks?
 
 What is the best way to map a network when ICMP echo has been turned off?
 

I've had success using Scapy (http://www.secdev.org/projects/scapy/) and
tying it into Graphviz. It can do TCP traces too and has all sorts of
built in visualisation options.

And look at the bottom here http://www.secdev.org/projects/scapy/demo.html
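An added example (not Colin's code, and not scapy's own graphing) of the step that turns trace data into a picture: collapse a set of traceroute hop lists into one edge set and emit Graphviz DOT, which `dot -Tpng` renders. The hop lists are constructed; in practice they would come from a TCP-SYN traceroute (scapy's `traceroute()` sends TCP SYN to port 80 by default), which still elicits answers from hosts that drop ICMP echo.

```python
# Constructed traceroute results, one hop list per target; "*" marks a hop
# that did not answer. Addresses are documentation ranges, not a real network.
TRACES = {
    "198.51.100.10": ["192.168.1.1", "203.0.113.1", "203.0.113.9", "198.51.100.10"],
    "198.51.100.20": ["192.168.1.1", "203.0.113.1", "203.0.113.17", "198.51.100.20"],
    "192.0.2.5":     ["192.168.1.1", "203.0.113.2", "*", "192.0.2.5"],
}

def build_edges(traces, origin="me"):
    """Collect (hop, next_hop) edges across all traces. Hops shared between
    traces collapse into one node, which is what turns a pile of traces into a
    map. A silent hop gets a per-trace placeholder so unrelated silent hops do
    not merge into one imaginary router."""
    edges = set()
    for target, hops in traces.items():
        prev = origin
        for i, hop in enumerate(hops):
            node = hop if hop != "*" else f"silent-{target}-{i}"
            edges.add((prev, node))
            prev = node
    return edges

def to_dot(traces, origin="me"):
    """Render the edge set as a Graphviz digraph; silent hops get dashed edges."""
    lines = ["digraph netmap {", "  rankdir=LR;", f'  "{origin}" [shape=box];']
    for target in traces:
        lines.append(f'  "{target}" [shape=doublecircle];')
    for a, b in sorted(build_edges(traces, origin)):
        dashed = " [style=dashed]" if a.startswith("silent-") or b.startswith("silent-") else ""
        lines.append(f'  "{a}" -> "{b}"{dashed};')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(TRACES))
```

The output is something that can go into a report: a manager can see that the two 198.51.100.x hosts sit behind a common 203.0.113.1 hop, and the dashed edge marks exactly where the evidence is weakest.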




ATT BGP turnup issue -- FIXED

2008-09-16 Thread Erik Sundberg
This issue was finally resolved by ATT.. No need to contact me...

Thanks

Erik

RE: confusing packet data

2008-09-16 Thread Darden, Patrick S.

Or his DSL is set to bridging.
--p

-Original Message-
From: Nathan Ward [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2008 12:47 AM
To: nanog list
Subject: Re: confusing packet data


On 16/09/2008, at 4:43 PM, Hank Nussbacher wrote:

 Are you running Skype?  Have you become a supernode?  There is now a  
 registry switch in 3.0 that allows you to disable supernode  
 functionality.


This would not cause him to see traffic to and from random addresses.  
Note that traffic is not going to his IP address, but to AND from  
addresses that are not his. That, plus the fact that there 'is'  
traffic on 240/4 and 224/4, and it sounds like a bug.

--
Nathan Ward








Re: Internet Traffic Begins to Bypass the U.S.

2008-09-16 Thread Mark Prior
Jean-François Mezei wrote:

 For instance, out of Australia we have a single, old cable going West 
 out of Perth to Singapore (SEA-ME-WE3) which allows only low speed 
 circuits, 
 
 Was there any thought about building cables to singapore from darwin now
 that it has had fibre links to the rest of australia for over a decade ?

There are two old cable systems heading out from Western Australia (MMC
forgot JASURAUS).

Darwin is a monopoly zone, only Telstra have capacity into it although
others have thought about it (assuming the government stumps up some
cash). The technical issue with submarine cables out of Darwin is
avoiding the Timor Trench. It makes more sense for a lot of reasons to
head out of Perth if you want to go west.

Mark.



LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Rodriguez, Mauricio
Recently, one of our Transit providers has started requiring a Letter of 
Authorization for addition of any of our own Transit customers' prefixes to 
their filters.  The verbiage of the LoA basically states that the owner of the 
assignment or allocation (not necessarily our customer) allows us to advertise 
their prefixes through our service.

Is this a common practice?  Our past experience indicates that a simple request 
to a NOC or update of a routing registry usually is sufficient.

Regards,
Mauricio Rodriguez
FPL Fibernet, LLC



Re: Anyone know Wiltel's EWAN service

2008-09-16 Thread charles
La as in Los Angeles? Or Louisiana?

There were numerous strange issues last night in Los Angeles with T-Mobile 
that were caused by att losing some oc12 circuits.

That could have affected other carriers I'm sure.  
--Original Message--
From: ChiYoung Joung
To: nanog
ReplyTo: [EMAIL PROTECTED]
Subject: Anyone know Wiltel's EWAN service
Sent: Sep 16, 2008 12:40 AM

I have EWAN circuits from Wiltel (currently the same company as Level3, as you know) as 
my backbone circuit in LA.
About 2 months ago, there was some packet loss on the L2 circuit, but I didn't get 
any clear answer from the Level3 support center.
It became okay without any action, but now the same problem is happening again.  I feel 
bored, I need your help.  
Does anyone know if there are any problems with WilTel's L2 circuit in the LA area?  Or 
could anyone advise me of a contact person who knows the EWAN configuration of 
Wiltel well?
Frankly, I felt the Level3 guys seem to be unfamiliar with Wiltel's EWAN circuit.

Best regards,
Chiyoung
=
 Chi-Young Joung
 SAMSUNG NETWORKS Inc.
 Email: [EMAIL PROTECTED]
 Tel +82 70 7015 0623, Mobile +82 17 520 9193
 Fax +82 70 7016 0031
=

Sent via BlackBerry from T-Mobile

Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Jon Lewis

On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:

Recently, one of our Transit providers has started requiring a Letter of 
Authorization for addition of any of our own Transit customers' prefixes 
to their filters.  The verbiage of the LoA basically states that the 
owner of the assignment or allocation (not necessarily our customer) 
allows us to advertise their prefixes through our service.


Is this a common practice?  Our past experience indicates that a simple 
request to a NOC or update of a routing registry usually is sufficient.


It's not unheard of.  Most providers don't require it, but I have run into 
a few who do.  It's a minor PITA compared to the web interfaces some 
providers make you use to request filter updates.



--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread *Hobbit*
So in cases like this where the community appears to agree that there's
a consistently bad apple, what's preventing everyone from simply
nullrouting the netblocks in question and imposing the death penalty?

Sorry if this seems naive, but if no legitimate purpose is shown it
seems like the obvious thing to do.  Maybe they could still *send*
packets, but nothing would ever get back to them.

_H*



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Christian Koch
I don't mind, I think it is another good step towards 'good filtering',
but... I think the PITA part is downstream 'clueless' customers, who may
need an explanation on prefix hijacking and the state of the internet
today, and that these are all just combined efforts to minimize the risk
of accepting allocations that don't belong to you.


Christian




On Tue, Sep 16, 2008 at 9:56 AM, Jon Lewis [EMAIL PROTECTED] wrote:
 On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:

 Recently, one of our Transit providers has started requiring a Letter of
 Authorization for addition of any of our own Transit customers' prefixes to
 their filters.  The verbiage of the LoA basically states that the owner of
 the assignment or allocation (not necessarily our customer) allows us to
 advertise their prefixes through our service.

 Is this a common practice?  Our past experience indicates that a simple
 request to a NOC or update of a routing registry usually is sufficient.

 It's not unheard of.  Most providers don't require it, but I have run into a
 few who do.  It's a minor PITA compared to the web interfaces some providers
 make you use to request filter updates.


 --
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_





RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Randy Epstein
Is this a common practice?  Our past experience indicates that a simple
request to a NOC or update of a routing registry usually is sufficient.

Regards,
Mauricio Rodriguez
FPL Fibernet, LLC

Cogent AFAIK have been doing this for years.  Not many others require this
unless there is a serious question over the request.

Randy




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Jon Lewis

On Tue, 16 Sep 2008, Christian Koch wrote:


I don't mind, I think it is another good step towards 'good filtering',
but... I think the PITA part is downstream 'clueless' customers, who may
need an explanation on prefix hijacking and the state of the internet
today, and that these are all just combined efforts to minimize the risk
of accepting allocations that don't belong to you.


IMO, it's just an illusion of added security and is really just CYA for 
the provider.  When I fax TWTelecom an LOA that a customer faxed to me, 
how does TWTelecom verify the authenticity of that LOA?  I doubt they try. 
I suspect it's just filed, and will only be pulled out if the 
advertisement is challenged by some 3rd party.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Christian Koch
good point... :)

On Tue, Sep 16, 2008 at 10:24 AM, Jon Lewis [EMAIL PROTECTED] wrote:
 On Tue, 16 Sep 2008, Christian Koch wrote:

 I don't mind, I think it is another good step towards 'good filtering',
 but... I think the PITA part is downstream 'clueless' customers, who may
 need an explanation on prefix hijacking and the state of the internet
 today, and that these are all just combined efforts to minimize the risk
 of accepting allocations that don't belong to you.

 IMO, it's just an illusion of added security and is really just CYA for the
 provider.  When I fax TWTelecom an LOA that a customer faxed to me, how does
 TWTelecom verify the authenticity of that LOA?  I doubt they try. I suspect
 it's just filed, and will only be pulled out if the advertisement is
 challenged by some 3rd party.

 --
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Re: Anyone know Wiltel's EWAN service

2008-09-16 Thread 정치영
Sorry, it is Los Angeles.

I don't know whether our circuit is related to the ATT oc12

=
 Chi-Young Joung
 SAMSUNG NETWORKS Inc.
 Email: [EMAIL PROTECTED]
 Tel +82 70 7015 0623, Mobile +82 17 520 9193
 Fax +82 70 7016 0031
=

--- Original Message ---
Sender : [EMAIL PROTECTED][EMAIL PROTECTED] 
Date   : 2008-09-16 22:44 (GMT+09:00)
Title  : Re: Anyone know Wiltel's EWAN service

La as in Los Angeles? Or Louisiana?

There were numerous strange issues last night in Los Angeles with T-Mobile 
that were caused by att losing some oc12 circuits.

That could have affected other carriers I'm sure.  
--Original Message--
From: ChiYoung Joung
To: nanog
ReplyTo: [EMAIL PROTECTED]
Subject: Anyone know Wiltel's EWAN service
Sent: Sep 16, 2008 12:40 AM

I have EWAN circuits from Wiltel (currently the same company as Level3, as you know) as 
my backbone circuit in LA.
About 2 months ago, there was some packet loss on the L2 circuit, but I didn't get 
any clear answer from the Level3 support center.
It became okay without any action, but now the same problem is happening again.  I feel 
bored, I need your help.  
Does anyone know if there are any problems with WilTel's L2 circuit in the LA area?  Or 
could anyone advise me of a contact person who knows the EWAN configuration of 
Wiltel well?
Frankly, I felt the Level3 guys seem to be unfamiliar with Wiltel's EWAN circuit.

Best regards,
Chiyoung
=
 Chi-Young Joung
 SAMSUNG NETWORKS Inc.
 Email: [EMAIL PROTECTED]
 Tel +82 70 7015 0623, Mobile +82 17 520 9193
 Fax +82 70 7016 0031
=

Sent via BlackBerry from T-Mobile



IPv6 Penetration Survey: Your Participation Requested

2008-09-16 Thread Member Services
The American Registry for Internet Numbers (ARIN), in cooperation with  
the Cooperative Association for Internet Data Analysis (CAIDA), is  
conducting a new survey to gather data regarding current and future use  
of IPv6.


We have expanded the scope of the survey to seek IPv6 penetration data 
from around the world. We cordially invite and encourage all  
organizations in the AfriNIC, APNIC, ARIN, LACNIC, and RIPE NCC regions  
to participate in the survey so we can establish a comprehensive view of 
present IPv6 penetration and future plans for IPv6 deployment. The  
survey opened on 8 September and remains available until 17:00 EDT on 1 
October. The results of the survey will be presented and discussed at  
the ARIN XXII Public Policy and Members Meeting to be held in Los  
Angeles, CA 15-17 October 2008. Additionally, the summary results will  
be shared with all the RIRs for further distribution within their  
respective regions. The survey data will support ongoing research.


The survey is composed of 22 questions that can be answered in a few 
minutes. This is a secure survey and all data will be presented in  
summary form only, and kept confidential between ARIN and CAIDA. When  
you complete the survey you will be entered in a drawing for prizes,  
one raffle per RIR region. You must provide your contact information to  
win.


Please take a few moments to complete the survey located at:

https://www.surveymonkey.com/s.aspx?sm=loMM8qu18yFoKyi0rTUpQg_3d_3d

Regards,

Member Services
American Registry for Internet Numbers (ARIN)



Re: community real-time BGP hijack notification service

2008-09-16 Thread Gadi Evron

On Fri, 12 Sep 2008, Kevin Oberman wrote:

Looks interesting, but it only takes a fairly short list of ASNs for a
prefix. For our big CIDR blocks, we have WAY too many ASNs to enter them
all, so it's pretty useless for me. I need to be able to enter at the very
least a dozen ASes and I suspect many folks have a LOT more than that.



We made many fixes over the last few days, as well as added a few more 
feeds. Any volunteers to give us more feeds? :)


One of the fixes is that you can add many more ASs now, which should 
resolve your previous issues.


Please let us know if you find any other problems or think of 
any suggestions, big and small.


Gadi.



For now, I'll enter some shorter pieces from the block, but I'm most
concerned with the pieces that are not currently assigned, so are
available for hijack. I have added the larger, unassigned blocks. I'll
start adding assigned bits and pieces as well as unassigned pieces, but
being able to put all valid origin ASes in the list for the full blocks
would be a lot nicer.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
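An added example (not the service Gadi describes, nor Kevin's configuration) of the core check behind a hijack notification service, written to handle the case Kevin raises: a monitored block carries a whole set of valid origin ASNs, not one, and the unassigned pieces carry an empty set so that any announcement of them is an alert. Observed announcements, prefixes and ASNs are constructed placeholders.

```python
import ipaddress

# Constructed monitored blocks: prefix -> set of origin ASNs allowed to announce it
# or anything inside it. An empty set marks unassigned space nobody should originate.
MONITORED = {
    "192.0.2.0/24": {64500, 64501, 64502},
    "198.51.100.0/22": {64510},
    "203.0.113.0/24": set(),
}

# Constructed announcements as a route collector would show them: (prefix, origin ASN).
OBSERVED = [
    ("192.0.2.0/24", 64501),        # expected origin, exact prefix
    ("192.0.2.0/25", 64501),        # valid origin, but a more-specific: worth a look
    ("198.51.100.0/22", 64510),     # fine
    ("198.51.100.128/25", 64666),   # more-specific from an unknown origin: hijack signature
    ("203.0.113.0/24", 64777),      # unassigned block being originated: hijack signature
    ("10.9.0.0/16", 64999),         # not monitored: ignored
]

def check(observed, monitored):
    """Return (prefix, origin, reason) for every announcement that needs attention.
    Each announcement is judged against the most specific monitored block covering it."""
    mon = [(ipaddress.ip_network(p), asns) for p, asns in monitored.items()]
    alerts = []
    for prefix, origin in observed:
        net = ipaddress.ip_network(prefix)
        covering = [(m, allowed) for m, allowed in mon if net.subnet_of(m)]
        if not covering:
            continue
        mnet, allowed = max(covering, key=lambda item: item[0].prefixlen)
        if origin not in allowed:
            alerts.append((prefix, origin, "unexpected-origin"))
        elif net != mnet:
            # A more-specific from a valid origin is usually traffic engineering,
            # but it is also how a leaked or mis-typed announcement first appears.
            alerts.append((prefix, origin, "more-specific-by-valid-origin"))
    return alerts

if __name__ == "__main__":
    for prefix, origin, reason in check(OBSERVED, MONITORED):
        print(f"{prefix} originated by AS{origin}: {reason}")
```

Feeding this from several route collectors, as the thread mentions adding feeds, matters because a hijack is often only visible from some vantage points; an alert from a single feed is still worth raising, since the goal is notification rather than proof.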





Re: Creating a visual Map of a network?

2008-09-16 Thread Bill Woodcock
  On Tue, 16 Sep 2008 [EMAIL PROTECTED] wrote:
 This time I want to create a visual map of the LAN.

Intermapper.

http://dartware.com/network_monitoring_products/intermapper/index.html

-Bill




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Joe Greco
 On Tue, 16 Sep 2008, Christian Koch wrote:
  I don't mind, I think it is another good step towards 'good filtering',
  but... I think the PITA part is downstream 'clueless' customers, who may
  need an explanation on prefix hijacking and the state of the internet
  today, and that these are all just combined efforts to minimize the risk
  of accepting allocations that don't belong to you.
 
 IMO, it's just an illusion of added security and is really just CYA for 
 the provider.  When I fax TWTelecom an LOA that a customer faxed to me, 
 how does TWTelecom verify the authenticity of that LOA?  I doubt they try. 
 I suspect it's just filed, and will only be pulled out if the 
 advertisement is challenged by some 3rd party.

How do you verify the authenticity of anything?  This is a common problem
in the Real World, and is hardly limited to LoA's.

How do you prove that what was on Pages 1 to (N-1) of an N page contract
contained the words you think they said?  I knew a guy, back in the early
days, who habitually changed the SLA's in his contracts so that he could
cancel a contract for virtually no reason at all ... the folly of mailing
around contracts as .doc files in e-mail.  But even failing that, it's
pretty trivial to reprint a document, so where do you stop, do you use
special paper, special ink, watermarking of documents, initial each page,
all of the above, etc?

Look at what people are willing to go through with paper checks to
increase the chances of authenticity.  Google Abagnale.

The real world already has ways of dealing with fraud and forgery, and
while the paper is certainly CYA for the provider, it does provide an
actual trail back that can probably be followed to some party.  To refer
to it as an illusion is only vaguely true.  It is an illusion in that
it will not prevent all cases of hijacking.  Of course.  However, it is
another step that makes it significantly more difficult for someone to 
just start announcing random bits of IP space.

It's just like physical security, in many ways.  Given a sufficiently
determined attacker, any door can be broken.  Wood door?  May require
only my boot.  Steel door?  Prybar.  Bank vault?  Explosives.  Etc.
The thing is, as you increase the level of protection, the ease of
countermeasures typically decreases (I wear my boots almost 100% of
the time, I may have a prybar nearby, but I am unlikely to be carrying
explosives at any time.)

So let's not trivialize improvements such as LoA's which reduce the ease
of hijackings, eh.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Creating a visual Map of a network?

2008-09-16 Thread Mr. James W. Laferriere

Hello Subba,

On Tue, 16 Sep 2008, [EMAIL PROTECTED] wrote:


I am being tasked to map a network.  In the past I have used nmap to find the 
systems on the local LAN and remote LANs (same enterprise).
This time I want to create a visual map of the LAN.  With cheops, I got reasonably 
good results, but they cannot be documented for managers with certainty. What are 
some good tools now that will create visual maps of the networks?

nmap can do this now, so I've been told.


What is the best way to map a network when ICMP echo has been turned off?
Thank you in advance for any help.
Subba Rao


Hth,  JimL
--
+--+
| James   W.   Laferriere | SystemTechniques | Give me VMS |
| NetworkSystem Engineer | 2133McCullam Ave |  Give me Linux  |
| [EMAIL PROTECTED] | Fairbanks, AK. 99701 |   only  on  AXP |
+--+



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Paul Vixie
[EMAIL PROTECTED] (*Hobbit*) writes:

 So in cases like this where the community appears to agree that there's
 a consistently bad apple, what's preventing everyone from simply
 nullrouting the netblocks in question and imposing the death penalty?

http://www.spamhaus.org/drop/ seems to have atrivo on it.

 Sorry if this seems naive, but if no legitimate purpose is shown it
 seems like the obvious thing to do.  Maybe they could still *send*
 packets, but nothing would ever get back to them.

legitimacy is in the mind of the beholder of course.
-- 
Paul Vixie
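An added example (not from Paul or *Hobbit*, and not Spamhaus's code) of consuming a list in the DROP file format and turning it into the null routes *Hobbit* asks about: comment lines start with `;` and each entry is a prefix followed by `; SBLnnn`. The prefixes and SBL identifiers below are constructed placeholders, not the real list, and the `ip route ... Null0` syntax is the IOS-style form assumed for illustration.

```python
import ipaddress

# Refuse to blackhole anything broader than this: a /7 from a list is far more
# likely to be a parsing mishap than a real entry, and the blast radius is enormous.
MIN_PREFIXLEN = 8

# Constructed excerpt in the DROP file format; placeholder prefixes and SBL ids.
SAMPLE_DROP = """\
; Constructed sample in the DROP list format, not real data
; Last-Modified: (none)
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

def parse_drop(text, min_prefixlen=MIN_PREFIXLEN):
    """Map each listed network to its SBL reference, skipping comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        prefix, _, ref = line.partition(";")
        net = ipaddress.ip_network(prefix.strip(), strict=True)
        if net.prefixlen < min_prefixlen:
            raise ValueError(f"refusing to blackhole {net}: shorter than /{min_prefixlen}")
        entries[net] = ref.strip()
    return entries

def lookup(addr, entries):
    """Return the SBL reference covering addr, or None if it is not listed."""
    a = ipaddress.ip_address(addr)
    for net, ref in entries.items():
        if a in net:
            return ref
    return None

def null_routes(entries):
    """IOS-style static routes to Null0 (assumed syntax; adapt to your platform).
    Traffic *to* the listed space is discarded, so hosts there can still send
    but never get a reply, which is the 'death penalty' the thread discusses."""
    return [f"ip route {net.network_address} {net.netmask} Null0" for net in sorted(entries)]

if __name__ == "__main__":
    parsed = parse_drop(SAMPLE_DROP)
    print("\n".join(null_routes(parsed)))
    print(lookup("198.51.101.4", parsed))
```

Keeping the SBL reference next to each route is what makes the block defensible later: when a customer asks why a destination is unreachable, the operator can point at the specific listing rather than at "the community".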



Procedure to Change Nameservers

2008-09-16 Thread Crist Clark
This should be easy. But sometimes things that seem like they
should be easy are not.

I want to change the nameservers for a bunch of domains. Really,
all I want to do is change the IP address, but it seems easier
just to change both the name and IP to avoid any possibility of
confusion. However, I am not physically moving the services.
These are the same physical servers, just an additional IP address
assigned to the appropriate interface. I want to do this the
right way.

Here's what I want to do. Am I doing anything wrong? (Am I being
way too careful?) For the example, let's use the names, old-dns1,
new-dns1, old-dns2, and new-dns2. I think you can guess what they
mean.

1) Add new-dns1 and new-dns2 to the NS records for a domain. (Possible
problem: I have NS records in my authoritative DNS for the zone that
are not in the hints at the gTLD server level. But that's not really
a problem, right? They are not lame servers.)

2) Change the NAMESERVER entries at the registrar from old-dns1 to
new-dns1 and old-dns2 to new-dns2.

3) Wait for the change to be reflected in the gTLD servers.

4) Wait for the TTL on the records to expire.

5) Wait a little bit longer just to be safe (maybe do some query
logging to see who still is using the old ones).

6) Remove old-dns1 and old-dns2 NS records from the zone.

7) Wait for the TTL on the records to expire.

8) Wait a bit longer.

9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out
the firewall rules that allow queries to those addresses).

10) ...

11) Profit.

Not really too bad. At least we don't have to send in host
record templates anymore.

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader
of this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that any review, dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this e-mail
in error, please contact [EMAIL PROTECTED] 



Re: Procedure to Change Nameservers

2008-09-16 Thread Mike Lewinski

Crist Clark wrote:


9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out
the firewall rules that allow queries to those addresses).

10) ...


10) Use one of the various sanity checking sites to validate some 
subset of your hosted domain configurations.


We used to like http://www.dnsstuff.com a lot, but they've gone 
commercial. It's still a great service and possibly worth the money (I 
bought a membership but will be comparing it with the other free 
offerings in the coming months before our renewal is up to see if 
there's really enough value add).


Free sites that perform similar DNS configuration checks that I know of 
are:


http://dnssy.com
http://www.intodns.com

Mike
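A small delegation sanity check covering the migration steps in Crist's procedure and the kind of validation Mike mentions in his step 10, written for this thread as an added example (not code from either poster). It assumes `dig` is installed for the live lookup; the classification itself works on plain sets of NS names, so it can also be fed constructed data offline.

```python
"""Delegation sanity check for a nameserver migration (added example).

Given the NS set the parent (gTLD) delegation names, the NS set the zone
itself publishes at its apex, and which of those hosts actually answer
authoritatively, classify where a domain is in the migration above
(zone-side NS added, registrar changed, old NS removed) and flag lame
delegations. fetch_ns() shells out to dig, which is assumed installed.
"""
import subprocess


def fetch_ns(domain, server=None):
    """Live lookup: NS names a server (or the default resolver) reports."""
    cmd = ["dig", "+short", "NS", domain]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return {line.rstrip(".").lower() for line in out.split() if line}


def check_delegation(parent_ns, zone_ns, answering):
    """Return {'state': ..., 'problems': [...]} for one domain.

    parent_ns: NS names in the delegation at the parent (gTLD) servers
    zone_ns:   NS names in the zone's own apex NS RRset
    answering: names that currently answer authoritatively for the zone
    """
    parent, zone, live = (set(map(str.lower, s)) for s in (parent_ns, zone_ns, answering))
    problems = []
    # Any server delegated to or listed in the zone that does not answer is lame.
    for ns in sorted((parent | zone) - live):
        problems.append(f"lame: {ns} is delegated/listed but does not answer")
    # Servers the parent names but the zone does not: resolvers will notice.
    for ns in sorted(parent - zone):
        problems.append(f"parent lists {ns} but the zone apex NS RRset does not")
    if parent == zone:
        state = "consistent"
    elif parent < zone:
        # Zone already carries old+new; parent not yet switched, or switched but
        # old servers not yet removed from the zone (steps 1 through 5 above).
        state = "transition: zone lists extra servers not in the delegation"
    elif parent & zone:
        state = "mismatch: parent and zone disagree on part of the NS set"
    else:
        state = "mismatch: parent and zone share no nameservers"
    return {"state": state, "problems": problems}
```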



Re: Procedure to Change Nameservers

2008-09-16 Thread Joe Maimon



Crist Clark wrote:

This should be easy. But sometimes things that seem like they
should be easy are not.

I want to change the nameservers for a bunch of domains. Really,
all I want to do is change the IP address, but it seems easier
just to change both the name and IP to avoid any possibility of
confusion. However, I am not physically moving the services.
These are the same physical servers, just an additional IP address
assigned to the appropriate interface. I want to do this the
right way.


Use a /32 routed to a host loopback interface. No reason to tie this to 
the network ethernet topology.


Route it here, route it there, route it through the load balancer, route 
it dynamically, route it here AND there.


Everything critical should be done that way. So much easier.

Make a clear distinction between the names in the NS and corresponding 
records and hostnames you use on the network. They should never 
correspond. That way you will never need/want to change them.


Keep the old addresses queryable for at least as long as your TTL was 
before the change. Maybe twice that. What does it cost you?


If you can do that, make the changes all at once or however suits your 
fancy, so long as what you put in works when you put it in.


If you keep the glue record names/A the same as the zone's NS records, there 
will be fewer bogus lint complaints from things like dnsstuff, but you 
don't actually have to, as long as both sets work equally well.





RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Skywing
It is only a good audit trail if the audit log can be trusted, though.  Given 
how secure things like faxes are, well, that's a thing for another day, I 
suppose.

Very few things out there in today's interconnected world really provide hard 
security, instead of security theatre/CYA/minor deterrents/keeping honest 
people honest.

That is not to say that these things have zero inherent value, at least in my 
mind, but they are not IMO to be confused with high security (as in military 
grade versus making a few clever [socially engineered] phone calls).

Even so, much of the modern day business world relies on these things to some 
degree or another.

- S

-Original Message-
From: Joe Greco [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2008 11:15
To: Jon Lewis [EMAIL PROTECTED]
Cc: Rodriguez Mauricio [EMAIL PROTECTED]; nanog@nanog.org nanog@nanog.org
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?


 On Tue, 16 Sep 2008, Christian Koch wrote:
  I dont mind, i think it is another good step towards 'good filtering'
  but...i think the PITA part is
  downstream 'clueless' customers, who may need an explanation on prefix
  hijacking and the state
  of the internet today, and that these are all just combined efforts to
  minimize the risk of accepting allocations
  that don't belong to you.

 IMO, it's just an illusion of added security and is really just CYA for
 the provider.  When I fax TWTelecom an LOA that a customer faxed to me,
 how does TWTelecom verify the authenticity of that LOA?  I doubt they try.
 I suspect it's just filed, and will only be pulled out if the
 advertisement is challenged by some 3rd party.

How do you verify the authenticity of anything?  This is a common problem
in the Real World, and is hardly limited to LoA's.

How do you prove that what was on Pages 1 to (N-1) of an N page contract
contained the words you think they said?  I knew a guy, back in the early
days, who habitually changed the SLA's in his contracts so that he could
cancel a contract for virtually no reason at all ... the folly of mailing
around contracts as .doc files in e-mail.  But even failing that, it's
pretty trivial to reprint a document, so where do you stop, do you use
special paper, special ink, watermarking of documents, initial each page,
all of the above, etc?

Look at what people are willing to go through with paper checks to
increase the chances of authenticity.  Google Abagnale.

The real world already has ways of dealing with fraud and forgery, and
while the paper is certainly CYA for the provider, it does provide an
actual trail back that can probably be followed to some party.  To refer
to it as an illusion is only vaguely true.  It is an illusion in that
it will not prevent all cases of hijacking.  Of course.  However, it is
another step that makes it significantly more difficult for someone to
just start announcing random bits of IP space.

It's just like physical security, in many ways.  Given a sufficiently
determined attacker, any door can be broken.  Wood door?  May require
only my boot.  Steel door?  Prybar.  Bank vault?  Explosives.  Etc.
The thing is, as you increase the level of protection, the ease of
countermeasures typically decreases (I wear my boots almost 100% of
the time, I may have a prybar nearby, but I am unlikely to be carrying
explosives at any time.)

So let's not trivialize improvements such as LoA's which reduce the ease
of hijackings, eh.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Joe Greco
 It is only a good audit trail if the audit log can be trusted, though.  Given 
 how secure things like faxes are, well, that's a thing for another day, I 
 suppose.
 
 Very few things out there in today's interconnected world really provide 
 hard security, instead of security theatre/CYA/minor deterrents/keeping 
 honest people honest.
 
 That is not to say that these things have zero inherent value, at least in my 
 mind, but they are not IMO to be confused with high security (as in military 
 grade versus making a few clever [socially engineered] phone calls).
 
 Even so, much of the modern day business world relies on these things to some 
 degree or another.

As I said, there are already ways to deal with these issues.
Unfortunately, most of them are reactive in nature.  Despite that fact, I
would much prefer to see a LoA, which will have some significant deterrent
value, rather than nothing at all.

The security of faxes has very little to do with it.  If twtelecom finds
that Jon Lewis over at Atlantic.net is sending in LoA's that turn out to
be fraudulent, it is very likely that the level of scrutiny for future
LoA's will suddenly increase, maybe involving calls to ARIN, the contact
information for the organization in question, etc., to try to further
determine the authenticity.  On the flip side, if Jon has sent in a hundred
LoA's, and none have ever been questioned, the level of scrutiny is likely
to be reasonably low.  Risk assessment in this environment isn't *that*
rough, and worrying about whether or not the trail can be audited/
authenticated, security of faxes, etc., may be excessively paranoid.

We do not have an Internet that is designed with hard security in mind,
so worrying about the easily attacked portions is certainly worthwhile, but
let's be thoughtful, rather than obsessive, about it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Valdis . Kletnieks
On Tue, 16 Sep 2008 12:47:26 -, *Hobbit* said:
 So in cases like this where the community appears to agree that there's
 a consistently bad apple, what's preventing everyone from simply

what's preventing everyone?

Geez Hobbit, I *know* you've been around long enough to know better than that :)

We can't get a clear majority of providers to do BCP38, you expect them to
apply a null route?  And then to know to *remove* it once the problem withers
up? ;)





Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread *Hobbit*
   you expect them to apply a null route?

Well, I *have* been talking somewhat idealistically here and
there with this crop of questions, but frankly I thought in the
2 or 3 years I was ignoring the list that the NETWORK OPERATORS
ostensibly in custody of the intertubes would have pulled things
together a little better and grown enough of a pair to firmly
state this crap stops here and now and make it happen.

I do see pockets of good progress and research here and there
and have gotten a lot of good feedback from people, but the big
picture [as I watch my logs roll by] is pretty grim.  Especially
when the big players don't play at all.  I've been around long
enough to have a good idea of what *can* be done, but totally lost
sight of any sensible reason why it *isn't*.  Besides quarterly
revenue, which is pretty short-sighted.

Fortunately, I still have the luxury of being able to have my
mailsystems tell cpe-*.rr.com and pool-*.verizon.net and
c-24-*.comcast.net, along with large swaths of offshore IP
space, to take a powder.  Hundreds of times a day.  But it's
still their trash flying onto my tiny little lawn, and shouldn't
be my job to sweep up.  I mentally extend that picture to the
millions of recipients who possibly aren't able to implement
unusual and/or draconian filtering, and wonder how anybody
ever gets any productive work done.

_H*



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-16 Thread Matthew Moyle-Croft


On 16/09/2008, at 10:17 PM, *Hobbit* wrote:

So in cases like this where the community appears to agree that there's
a consistently bad apple, what's preventing everyone from simply
nullrouting the netblocks in question and imposing the death penalty?


Dunno - but something did occur to me this morning on the drive into work:


Maybe there's another approach to this problem.  Maybe, rather than
having the antispam/virus vendors do non-real world lab tests we could
get them all to donate some kit to whomever is the unlucky transit-provider
du jour and see how well it works providing a nice clean feed
and who's better at it?  ;-)


MMC
--
Matthew Moyle-Croft Internode/Agile Peering and Core Networks