Re: AOL Postmaster

2009-06-02 Thread Dennis Dayman

I sent your email to their team.

-Dennis

On Jun 1, 2009, at 9:04 PM, Aaron Wendel wrote:

Yes.  For the last 2 months I've been getting the nice auto reply/ticket
number but no other contact.

Aaron


-Original Message-
From: Mike Walter [mailto:mwal...@3z.net]
Sent: Monday, June 01, 2009 12:23 PM
To: nanog@nanog.org
Subject: RE: AOL Postmaster

Have you been through http://postmaster.aol.com/?

Mike

-Original Message-
From: Aaron Wendel [mailto:aa...@wholesaleinternet.com]
Sent: Monday, June 01, 2009 12:48 PM
To: nanog@nanog.org
Subject: AOL Postmaster

Is anyone from AOL lurking on the list that could contact me off-list?
I'm having some issues with mail being rejected because AOL believes our
IPs are dynamic.

Aaron

Re: Fiber cut - response in seconds?

2009-06-02 Thread Elmar K. Bins
jcdill.li...@gmail.com (JC Dill) wrote:

 Why do they watch and monitor rather than proactively go 
 out and say watch out, there's an unmarked cable here and keep them 
 from cutting the cable in the first place?

*snicker*

You ever been to a construction site?





RE: In a bit of bind...

2009-06-02 Thread gb10hkzo-nanog

Hi,

I have not been following this thread too closely, but I spotted the last 
poster talking about a database backend to DNS.

There are some interesting thoughts on the matter in a Nominet Blog Post here :

http://blog.nominet.org.uk/tech/2008/06/02/nameservers-and-very-large-zones/



RE: In a bit of bind...

2009-06-02 Thread Graeme Fowler
Once upon a time, whilst working for a fairly well-known UK domain
registration company, I put together a system built on an early version
of the BIND-DLZ patchset against BIND 9.2.5 (If I recall correctly).

It used MySQL as the backend database (because that's what the
registration system used for CRM purposes) and worked very nicely,
thank you, for well in excess of a million zones and a query rate which I
forget but was of the order of several thousand per second, maybe higher
at times.

We had a custom-written web management toolbox, part of which was
exposed to customers through their control panel so they could manage
their zones by themselves.

The frontend nameservers - those actually answering queries - had a
read only one-way replicated copy of the tables being managed by the
CRM system, so all changes were near instantaneous. Copious caching
options and indexing in MySQL gave the DB pretty good performance. The
frontend servers themselves were load balanced and fault-tolerant and in
theory at least a single machine could handle the overall system load.

Unfortunately, after I moved on from that job the system broke in some
spectacular way (I don't know why) and has since been significantly
changed from the original spec, but I couldn't say how...

DLZ worked for us - but the DB and management tools were built in
house; I don't think there's an ideal off-the-shelf solution built
around it (yet).

Graeme




Re: White House net security paper

2009-06-02 Thread Paul Vixie
Randy Bush ra...@psg.com writes:

 ...  a few battalions of B's and C's, if wisely deployed, could bridge
 that gap.

 there is a reason Bs and Cs have spare round-tuits.

 fred brooks was no fool.  os/360 taught some of us some lessons.
 battalions work in the infantry, or so i am told.  this is rocket
 science.

to me wisely means backfilling 80% of what the Good Guys do that isn't
rocket science.  (most A's are not doing only what only A's can do.)
-- 
Paul Vixie
KI6YSY



Re: Huawei cx300

2009-06-02 Thread Pshem Kowalczyk
Hi,

As far as I understand the CX300 does not support VPLS (only
point-to-point PWE3).  I don't think that's even on the road map.

kind regards
Pshem


2009/5/29 Jack Kohn kohn.j...@gmail.com:
 Guys,

 Anybody any experience with VPLS on Huawei cx300?

 Jack




Re: Fiber cut - response in seconds?

2009-06-02 Thread Dave Wilson
Charles Wyble wrote:
 I do feel this might be the last post from Mr Pooser. :)
 
 You're on to them it seems. ;)
 
 A very interesting idea. I imagine it wouldn't be hard for foreign
 actors to get access to the data feed of construction, observe for signs
 of a cut and then splice in a tap.
 
 Though wouldn't that tap be found via the real response team?
 

No. And here's why: If you're a naughty foreign intelligence team, and
you know your stuff, you already know where some of the cables you'd
really like a tap on are buried. When you hear of a construction project
that might damage one, you set up your innocuous white panel truck
somewhere else, near a suitable manhole. When the construction guy with
a backhoe chops the cable (and you may well slip him some money to do
so), *then* you put your tap in, elsewhere, with your actions covered by
the downtime at the construction site. That's why the guys in the SUVs
are in such a hurry, because they want to close the window of time in
which someone can be tapping the cable elsewhere.

At least that's what I heard. I read it somewhere on the internet.
Definitely. Not at all a sneaky person. No sir.



Dave W

At least I'm in Britain. *Slightly* harder for the NSA to make me
disappear ;-)



Re: Fiber cut - response in seconds?

2009-06-02 Thread Martin Hannigan
On Mon, Jun 1, 2009 at 6:40 PM, Charles Wyble char...@thewybles.com wrote:


 http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html

 Not sure if I fully believe the article. Responding to a fiber cut in
 seconds?

 I suppose it's possible if $TLA had people monitoring the construction from
 across the street, and they were in communication with the NOC.


Dig Safe, Miss Utility, etc. notify potentially dig-impacted entities when
activity is occurring around their assets and coordinate the marking of the
utilities and start of construction in proximity to the targeted dig zone.
This is why calling the state utility locator services is the law
(everywhere that I'm aware of). The government isn't exempt from these
notifications FWIW. The programs may have a slight tweak in the national
capital area.

http://www.ncs.gov/

Best,

-M



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Fiber cut - response in seconds?

2009-06-02 Thread Jared Mauch


On Jun 2, 2009, at 9:19 AM, Martin Hannigan wrote:

On Mon, Jun 1, 2009 at 6:40 PM, Charles Wyble  
char...@thewybles.com wrote:




http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html

Not sure if I fully believe the article. Responding to a fiber cut in
seconds?

I suppose it's possible if $TLA had people monitoring the construction from
across the street, and they were in communication with the NOC.


Dig Safe, Miss Utility, etc. notify potentially dig-impacted entities when
activity is occurring around their assets and coordinate the marking of the
utilities and start of construction in proximity to the targeted dig zone.

This is why calling the state utility locator services is the law
(everywhere that I'm aware of). The government isn't exempt from these
notifications FWIW. The programs may have a slight tweak in the national
capital area.

http://www.ncs.gov/


What you're likely interested in is TSP:

http://tsp.ncs.gov/

This is something that is placed on your service when it's ordered and  
alters the design and engineering of the services.


- Jared



Re: Fiber cut - response in seconds?

2009-06-02 Thread JC Dill

Elmar K. Bins wrote:

jcdill.li...@gmail.com (JC Dill) wrote:

  
Why do they watch and monitor rather than proactively go 
out and say watch out, there's an unmarked cable here and keep them 
from cutting the cable in the first place?



*snicker*

You ever been to a construction site?
  
Yes.  We have a number here to call Before You Dig and they send 
people out to mark where underground utilities are.  It would be 
trivially easy for one more set of jump-suited and hard-hat-wearing 
people to show up during this phase of the project and mark one more 
line.  For the most part the construction teams don't know and don't 
care who is marking the lines or who is responsible for each, they just 
want the lines marked (location and type of line - gas, electric, telco) 
so they can avoid cutting them.  In this way the marking team would be 
undercover and the previously unmarked/unmapped line would be No Big 
Deal.  When an unmarked line is cut and black SUVs show up (the opposite 
of undercover), the line becomes A Big Deal which is the opposite of 
what is intended.


jc





Re: Fiber cut - response in seconds?

2009-06-02 Thread Shane Ronan
In my experience they are required not only to mark the line, but to  
identify it with the initials of the owner.



On Jun 2, 2009, at 10:44 AM, JC Dill wrote:


Elmar K. Bins wrote:

jcdill.li...@gmail.com (JC Dill) wrote:


Why do they watch and monitor rather than proactively go out  
and say watch out, there's an unmarked cable here and keep them  
from cutting the cable in the first place?




*snicker*

You ever been to a construction site?

Yes.  We have a number here to call Before You Dig and they send  
people out to mark where underground utilities are.  It would be  
trivially easy for one more set of jump-suited and hard-hat-wearing  
people to show up during this phase of the project and mark one more  
line.  For the most part the construction teams don't know and don't  
care who is marking the lines or who is responsible for each, they  
just want the lines marked (location and type of line - gas,  
electric, telco) so they can avoid cutting them.  In this way the  
marking team would be undercover and the previously unmarked/ 
unmapped line would be No Big Deal.  When an unmarked line is cut  
and black SUVs show up (the opposite of undercover), the line  
becomes A Big Deal which is the opposite of what is intended.


jc


Re: Fiber cut - response in seconds?

2009-06-02 Thread Martin Hannigan
They usually hand out tin foil hats to the dig crew. A clear giveaway
and easy to spot too.
Next?


On 6/2/09, JC Dill jcdill.li...@gmail.com wrote:
 Elmar K. Bins wrote:
 jcdill.li...@gmail.com (JC Dill) wrote:


 Why do they watch and monitor rather than proactively go
 out and say watch out, there's an unmarked cable here and keep them
 from cutting the cable in the first place?


 *snicker*

 You ever been to a construction site?

 Yes.  We have a number here to call Before You Dig and they send
 people out to mark where underground utilities are.  It would be
 trivially easy for one more set of jump-suited and hard-hat-wearing
 people to show up during this phase of the project and mark one more
 line.  For the most part the construction teams don't know and don't
 care who is marking the lines or who is responsible for each, they just
 want the lines marked (location and type of line - gas, electric, telco)
 so they can avoid cutting them.  In this way the marking team would be
 undercover and the previously unmarked/unmapped line would be No Big
 Deal.  When an unmarked line is cut and black SUVs show up (the opposite
 of undercover), the line becomes A Big Deal which is the opposite of
 what is intended.

 jc



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Re: Fiber cut - response in seconds?

2009-06-02 Thread Peter Beckman

On Tue, 2 Jun 2009, JC Dill wrote:

Why do they watch and monitor rather than proactively go out and say 
watch out, there's an unmarked cable here and keep them from cutting the 
cable in the first place?


 Because if they DON'T hit the line, it is still a secret.

 Then again, if they DO hit the line, it's pretty obvious what the line is
 for and at least one place it runs.  I wonder if the Gov't schedules a
 move of the line once its operational security is compromised by an
 accidental cut.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---



Re: Fiber cut - response in seconds?

2009-06-02 Thread Christopher Morrow
On Tue, Jun 2, 2009 at 11:19 AM, Peter Beckman beck...@angryox.com wrote:
 On Tue, 2 Jun 2009, JC Dill wrote:

 Why do they watch and monitor rather than proactively go out and say
 watch out, there's an unmarked cable here and keep them from cutting the
 cable in the first place?

  Because if they DON'T hit the line, it is still a secret.

  Then again, if they DO hit the line, it's pretty obvious what the line is
  for and at least one place it runs.  I wonder if the Gov't schedules a
  move of the line once its operational security is compromised by an
  accidental cut.

putting fiber in the ground isn't a quiet task...



Re: Fiber cut - response in seconds?

2009-06-02 Thread Elmar K. Bins
sro...@fattoc.com (Shane Ronan) wrote:

 In my experience they are required not only to mark the line, but to  
 identify it with the initials of the owner.

Hell yeah - but that's not the point I wanted to make.

For any given construction project, the main goal is to
build something without destroying something else (unless
it's planned to be destroyed).

Unfortunately, this goal has to be broken into easy tasks
for the people executing the work. And what leaks to them
is "dig a hole".

They definitely don't care whether they _will_ hit something.
They do care after they hit something...

(sometimes they'll try to cover up like someone did here;
after cutting a whole bunch of fibre trunks, they decided
to fill the just-dug hole with a ton of concrete...)


RE: Fiber cut - response in seconds?

2009-06-02 Thread Eric Van Tol
 -Original Message-
 From: Charles Wyble [mailto:char...@thewybles.com]
 Sent: Monday, June 01, 2009 7:10 PM
 To: nanog@nanog.org
 Subject: Re: Fiber cut - response in seconds?
 
 
 
 Joel Jaeggli wrote:
  It's pretty trivial if you know where all the construction projects on your
  path are...
 
 How so? Set up OTDR traces and watch them?
 
 
  I've seen this happen on a university campus several times. no black
  helicopters were involved.
 
 Care to expand on the methodology used? A campus network is a lot
 different than a major metro area.

Something like Fiber SenSys (http://www.fibersensys.com/) is probably used.  It
measures minuscule changes in light levels to tell whether or not fiber has
been tampered with.

As for the response in seconds, I would have to say that the suits were 
parked right there watching, assuming the story is true.  Not sure if anyone 
has ever tried to get anywhere in Tysons Corner during roadside construction 
(or during an afternoon drizzle for that matter), but I can guarantee you that 
it would be impossible without someone already being stationed onsite.
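The post above speculates that a sensing system watches the received light level for tiny changes. The following is an added illustration of that kind of monitoring, written for this thread and not taken from Fiber SenSys or any vendor: it learns a baseline from the first few readings, ignores one-sample noise, and reports only deviations that persist for several consecutive samples, classifying each as attenuation (a bend or splice), a power gain (something inserted that re-amplifies the span), or loss of signal (a cut). The readings, thresholds and the -30 dBm loss-of-signal floor are constructed sample values.

```python
"""Flagging tampering from received optical power readings (illustrative
detector, not any vendor's algorithm)."""
import statistics

# Constructed sample: received power in dBm, one reading per second.
READINGS = [
    -3.01, -3.00, -3.02, -3.01,                 # 0-3: quiet baseline
    -3.00, -3.30, -2.99, -3.01,                 # 5: one-sample glitch, ignored
    -3.35, -3.36, -3.34, -3.35, -3.36, -3.35,   # 8-13: sustained 0.35 dB loss
    -40.0, -40.0, -40.0,                        # 14-16: no light at all
]


def classify(deviation_db, power_dbm, los_dbm):
    """Name the kind of anomaly. deviation_db is baseline minus reading,
    so a positive value means light was lost along the span."""
    if power_dbm < los_dbm:
        return "loss_of_signal"
    return "attenuation" if deviation_db > 0 else "power_gain"


def detect_events(readings, baseline_n=4, threshold_db=0.2,
                  min_consecutive=3, los_dbm=-30.0):
    """Return [(start_index, kind)] for each anomaly that lasts at least
    min_consecutive samples. Single-sample noise never raises an alert."""
    baseline = statistics.mean(readings[:baseline_n])
    runs = []          # (start, end_exclusive, kind)
    current = None     # [start, kind] of the run in progress
    for i, power in enumerate(readings):
        deviation = baseline - power
        kind = None
        if abs(deviation) > threshold_db:
            kind = classify(deviation, power, los_dbm)
        if current is not None and kind != current[1]:
            # the run ended or changed character; close it out
            runs.append((current[0], i, current[1]))
            current = None
        if kind is not None and current is None:
            current = [i, kind]
    if current is not None:
        runs.append((current[0], len(readings), current[1]))
    return [(start, kind) for start, end, kind in runs
            if end - start >= min_consecutive]


if __name__ == "__main__":
    for start, kind in detect_events(READINGS):
        print(f"t={start}s: {kind}")
```

The persistence requirement is what keeps a monitor like this usable: a single noisy sample at second 5 is dropped, while the 0.35 dB step at second 8 and the complete loss at second 14 are both reported as separate events.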



RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
 No. And here's why: If you're a naughty foreign intelligence team, and
 you know your stuff, you already know where some of the cables you'd
 really like a tap on are buried. When you hear of a construction
 project
 that might damage one, you set up your innocuous white panel truck
 somewhere else, near a suitable manhole. When the construction guy with
 a backhoe chops the cable (and you may well slip him some money to do
 so), *then* you put your tap in, elsewhere, with your actions covered
 by
 the downtime at the construction site. That's why the guys in the SUVs
 are in such a hurry, because they want to close the window of time in
 which someone can be tapping the cable elsewhere.
 
 At least that's what I heard. I read it somewhere on the internet.
 Definitely. Not at all a sneaky person. No sir.

And if you were a naughty foreign intelligence team installing a tap, or a 
bend, or whatever in the fiber contemporaneously with a known cut, you could 
also reamplify and dispersion compensate for the slight amount of effect your 
work is having so that when it's tested later, the OTDR is blind to your work.

Ah, the fun of Paranoia, Inc.

Deepak Jain
AiNET



Re: Fiber cut - response in seconds?

2009-06-02 Thread Martin Hannigan
It would also be cheaper to add an additional layer of security with
encryption vs. roving teams of gun toting manhole watchers.

YMMV,

Best!

Marty



On 6/2/09, Deepak Jain dee...@ai.net wrote:
 No. And here's why: If you're a naughty foreign intelligence team, and
 you know your stuff, you already know where some of the cables you'd
 really like a tap on are buried. When you hear of a construction
 project
 that might damage one, you set up your innocuous white panel truck
 somewhere else, near a suitable manhole. When the construction guy with
 a backhoe chops the cable (and you may well slip him some money to do
 so), *then* you put your tap in, elsewhere, with your actions covered
 by
 the downtime at the construction site. That's why the guys in the SUVs
 are in such a hurry, because they want to close the window of time in
 which someone can be tapping the cable elsewhere.

 At least that's what I heard. I read it somewhere on the internet.
 Definitely. Not at all a sneaky person. No sir.

 And if you were a naughty foreign intelligence team installing a tap, or a
 bend, or whatever in the fiber contemporaneously with a known cut, you could
 also reamplify and dispersion compensate for the slight amount of effect
 your work is having so that when it's tested later, the OTDR is blind to your
 work.

 Ah, the fun of Paranoia, Inc.

 Deepak Jain
 AiNET




-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants



Re: Fiber cut - response in seconds?

2009-06-02 Thread Charles Wyble

Cheaper?

To quote Sneakers: "We're the United States govt. We don't do that sort
of thing."


Martin Hannigan wrote:

It would also be cheaper to add an additional layer of security with
encryption vs. roving teams of gun toting manhole watchers.

YMMV,

Best!

Marty



On 6/2/09, Deepak Jain dee...@ai.net wrote:

No. And here's why: If you're a naughty foreign intelligence team, and
you know your stuff, you already know where some of the cables you'd
really like a tap on are buried. When you hear of a construction
project
that might damage one, you set up your innocuous white panel truck
somewhere else, near a suitable manhole. When the construction guy with
a backhoe chops the cable (and you may well slip him some money to do
so), *then* you put your tap in, elsewhere, with your actions covered
by
the downtime at the construction site. That's why the guys in the SUVs
are in such a hurry, because they want to close the window of time in
which someone can be tapping the cable elsewhere.

At least that's what I heard. I read it somewhere on the internet.
Definitely. Not at all a sneaky person. No sir.

And if you were a naughty foreign intelligence team installing a tap, or a
bend, or whatever in the fiber contemporaneously with a known cut, you could
also reamplify and dispersion compensate for the slight amount of effect
your work is having so that when it's tested later, the OTDR is blind to your
work.

Ah, the fun of Paranoia, Inc.

Deepak Jain
AiNET


Re: Fiber cut - response in seconds?

2009-06-02 Thread Valdis . Kletnieks
On Tue, 02 Jun 2009 13:54:44 EDT, Martin Hannigan said:
 It would also be cheaper to add an additional layer of security with
 encryption vs. roving teams of gun toting manhole watchers.

Even if encrypted, you can probably do an amazing amount of traffic
analysis to tell when something is afoot.  Ask any pizzeria near State Dept
or Pentagon. ;)

(That, plus it's easier to break an encryption if you have gigabytes of
data to work with, than if you don't have any data to work with...)

Re: Fiber cut - response in seconds?

2009-06-02 Thread David Barak

Encryption is insufficient - if you let someone have physical access for a long 
enough period, they'll eventually crack anything.  Encryption makes the period 
of time longer, but let them try?

As regards roving, we are talking about Tyson's Corner here: that's pretty 
close ( 5km) to major offices of lots of folks who would care deeply about 
such matters.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com


--- On Tue, 6/2/09, Charles Wyble char...@thewybles.com wrote:

 From: Charles Wyble char...@thewybles.com
 Subject: Re: Fiber cut - response in seconds?
 To: nanog@nanog.org nanog@nanog.org
 Date: Tuesday, June 2, 2009, 1:57 PM
 Cheaper?
 
 To quote Sneakers: "We're the United States govt. We don't do that sort
 of thing."
 
 Martin Hannigan wrote:
  It would also be cheaper to add an additional layer of security with
  encryption vs. roving teams of gun toting manhole watchers.
  
  YMMV,
  
  Best!
  
  Marty
  
  On 6/2/09, Deepak Jain dee...@ai.net wrote:
   No. And here's why: If you're a naughty foreign intelligence team, and
   you know your stuff, you already know where some of the cables you'd
   really like a tap on are buried. When you hear of a construction project
   that might damage one, you set up your innocuous white panel truck
   somewhere else, near a suitable manhole. When the construction guy with
   a backhoe chops the cable (and you may well slip him some money to do
   so), *then* you put your tap in, elsewhere, with your actions covered by
   the downtime at the construction site. That's why the guys in the SUVs
   are in such a hurry, because they want to close the window of time in
   which someone can be tapping the cable elsewhere.
  
   At least that's what I heard. I read it somewhere on the internet.
   Definitely. Not at all a sneaky person. No sir.
  
   And if you were a naughty foreign intelligence team installing a tap, or a
   bend, or whatever in the fiber contemporaneously with a known cut, you could
   also reamplify and dispersion compensate for the slight amount of effect
   your work is having so that when it's tested later, the OTDR is blind to your
   work.
  
   Ah, the fun of Paranoia, Inc.
  
   Deepak Jain
   AiNET


Re: Fiber cut - response in seconds?

2009-06-02 Thread Joel Jaeggli
Link-layer encryption for SONET/ATM is quite resistant to traffic
analysis... The pipe is full of PDUs whether you're using them or not.

valdis.kletni...@vt.edu wrote:
 On Tue, 02 Jun 2009 13:54:44 EDT, Martin Hannigan said:
 It would also be cheaper to add an additional layer of security with
 encryption vs. roving teams of gun toting manhole watchers.
 
 Even if encrypted, you can probably do an amazing amount of traffic
 analysis to tell when something is afoot.  Ask any pizzeria near State Dept
 or Pentagon. ;)
 
 (That, plus it's easier to break an encryption if you have gigabytes of
 data to work with, than if you don't have any data to work with...)
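Valdis's point is that encryption hides content but not volume and timing; Joel's reply is that a link-layer encryptor keeps the pipe full of PDUs whether or not anything is being sent. As an added illustration (not code from either poster), the simulation below shows both cases from the tap's side: per-second byte counts are the only thing an observer of encrypted traffic gets, and only the constant-rate link hides when the application actually talked. The traffic sample, frame size, link rate and 40-byte per-packet overhead are constructed values.

```python
"""What a passive tap learns from an encrypted link: end-to-end packet
encryption versus a constant-rate link-layer encryptor."""
from collections import Counter

WINDOW_SECONDS = 12      # length of the observation window
FRAME_SIZE = 1500        # fixed PDU size on the constant-rate link, bytes
FRAMES_PER_SECOND = 100  # link capacity: 150,000 B/s whether busy or idle
CRYPTO_OVERHEAD = 40     # header plus authentication tag per end-to-end packet

# Constructed sample application traffic: (second, plaintext bytes).
# The user is active in seconds 2-4 and 9, idle otherwise.
ACTIVITY = [(2, 900), (2, 1200), (3, 400), (4, 5000), (9, 60)]


def end_to_end_encrypted(activity):
    """Per-packet encryption (TLS/IPsec-style): each ciphertext packet is the
    plaintext length plus a constant overhead, and idle seconds send nothing."""
    return [(t, size + CRYPTO_OVERHEAD) for t, size in activity]


def link_layer_encrypted(activity, window=WINDOW_SECONDS):
    """Constant-rate link encryptor: every slot carries a fixed-size encrypted
    frame. The application's bytes ride inside some slots and random fill
    occupies the rest; the tap cannot tell which is which, so only the slot
    grid is visible. `activity` is accepted for symmetry with the function
    above: it fits within the slots of its second and changes nothing on the wire."""
    return [(t, FRAME_SIZE)
            for t in range(window)
            for _ in range(FRAMES_PER_SECOND)]


def observe(frames, window=WINDOW_SECONDS):
    """Passive tap: bytes seen per second, without reading any of them."""
    per_second = Counter()
    for t, size in frames:
        per_second[t] += size
    return [per_second.get(t, 0) for t in range(window)]


def active_seconds(volume_series):
    """Seconds whose volume departs from the quietest second. Each one tells
    the observer that an application was sending: the traffic-analysis leak."""
    floor = min(volume_series)
    return [t for t, volume in enumerate(volume_series) if volume != floor]


if __name__ == "__main__":
    print("end-to-end :", active_seconds(observe(end_to_end_encrypted(ACTIVITY))))
    print("link-layer :", active_seconds(observe(link_layer_encrypted(ACTIVITY))))
```

With end-to-end encryption the tap recovers exactly the seconds in which the user was active (and the size of each burst); with the constant-rate link every second looks identical, which is what makes the "pipe always full" property a traffic-analysis countermeasure rather than just a framing detail.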



Re: Fiber cut - response in seconds?

2009-06-02 Thread Charles Wyble



David Barak wrote:
Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything. 


Really? I don't think so. I imagine it would be much more dependent on 
the amount of computing power the attacker has access to. More encrypted 
blobs won't help. If that was the case then the various encryption 
schemes in wide use today would be cracked already. Bad guys can set up 
networks and blast data through it and have complete access. I don't see 
them cracking encryption.




Re: Fiber cut - response in seconds?

2009-06-02 Thread David Barak


--- On Tue, 6/2/09, Charles Wyble char...@thewybles.com wrote: 
 David Barak wrote:
  Encryption is insufficient - if you let someone have
 physical access for a long enough period, they'll eventually
 crack anything. 
 
 Really? I don't think so. I imagine it would be much more
 dependent on the amount of computing power the attacker has
 access to. More encrypted blobs won't help. If that was the
 case then the various encryption schemes in wide use today
 would be cracked already. Bad guys can set up networks and
 blast data through it and have complete access. I don't see
 them cracking encryption.

Paranoia 101 teaches us that any given encryption approach will eventually fall 
before a brute-force onslaught of sufficient power and duration[1].  I'm not 
trying to argue that the attacker in this case could necessarily detect a flaw 
in the algorithm; rather, they'll get an effectively infinite number of chances 
to bang against it with no consequences.  Once it's cracked, the attacker will 
*still* have the physical access which is thus compromised, and then has free 
access to all of the transmissions.

Physical security is a prerequisite to all of the other approaches to 
communication security.  Those cases where physical security is presumed to be 
non-existent have to rely on a lot of out-of-band knowledge for any given 
method to be resistant to attack, and it's very hard to make use of a 
connection of that type for regular operations.

Pretty much all security eventually boils down to people with firearms saying 
don't do that.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com 


RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
 
 Really? I don't think so. I imagine it would be much more dependent on
 the amount of computing power the attacker has access to. More
 encrypted
 blobs won't help. If that was the case then the various encryption
 schemes in wide use today would be cracked already. Bad guys can set up
 networks and blast data through it and have complete access. I don't
 see
 them cracking encryption.

Without getting into the math involved, Vlad (and others) are correct. This is 
why there is key migration (regeneration/renegotiation/repudiation) along these 
multi-gigabit/multi-terabit streams. 

Your obfuscation strength (I don't care how many digits you have in your key, 
your cipher, what have you) is computed against the amount of data you are 
obfuscating. If I am obfuscating 1 byte of data, my math functions do not need 
to be as large as obfuscating 2^128 bits. 

There are plenty of non-classified books regarding COMSEC, INFOSEC and all 
their related interworking bits (even COMINT, SIGINT and HUMINT). Plenty of 
NANOG folks have been in these communities and that is why they say things that 
make sense regarding physical and network security. Even if you haven't been in 
these groups, the non-classified books are sufficiently sophisticated as to 
give even a layperson a respect for the layers of security (and the discipline 
behind it) needed to provide even the most minimal level of protection.

The h4x0r kids who think magnets on their doorways, tin foil hats, or 
willy-nilly encryption using their email-exchanged PGP keys are protected are 
welcome to their sandbox too -- let's just keep it away from those of us who 
like things that provably work [most of the time ;)].

DJ
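Deepak's point is that the strength of a cipher has to be judged against the volume of data under one key, which is why high-rate links rotate keys. The following is an added worked example, not code from this thread: for block-cipher modes such as CBC or CTR, the well-known limit is the birthday bound, after roughly 2^(b/2) blocks of a b-bit block cipher two ciphertext blocks are likely to collide, and a collision leaks plaintext information no matter how long the key is. The functions turn that bound into a per-key data budget and a rekey interval; the 10 Gbit/s link rate and the 10^-6 acceptable collision probability are constructed parameters.

```python
"""Per-key data budget and rekey interval from the birthday bound on
block-cipher modes (added illustration)."""
import math


def collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks ciphertext blocks collide,
    using the birthday approximation 1 - exp(-n(n-1) / 2^(b+1))."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n_blocks * (n_blocks - 1.0)) / (2.0 * space))


def blocks_within_budget(block_bits, max_prob):
    """Largest number of blocks whose collision probability stays at or
    below max_prob (the inverse of collision_probability)."""
    space = 2.0 ** block_bits
    return math.sqrt(-2.0 * space * math.log1p(-max_prob))


def data_budget_bytes(block_bits, max_prob):
    """Bytes that may be encrypted under one key before max_prob is reached."""
    return blocks_within_budget(block_bits, max_prob) * block_bits / 8.0


def rekey_interval_seconds(block_bits, max_prob, link_gbps):
    """How often a saturated link running at link_gbps must rotate keys
    to keep every key inside its data budget."""
    bytes_per_second = link_gbps * 1e9 / 8.0
    return data_budget_bytes(block_bits, max_prob) / bytes_per_second


if __name__ == "__main__":
    # 64-bit blocks: 3DES, Blowfish.  128-bit blocks: AES.
    for name, bits in (("64-bit block", 64), ("128-bit block", 128)):
        budget = data_budget_bytes(bits, 1e-6)
        every = rekey_interval_seconds(bits, 1e-6, 10.0)
        print(f"{name}: {budget / 1e6:,.1f} MB per key, "
              f"rekey every {every:,.3g} s on a 10 Gbit/s link")
```

At 10 Gbit/s a 64-bit block cipher exhausts its budget in well under a second, while a 128-bit block cipher can run for years under the same key. The key length never enters the calculation, which is Deepak's point: the amount of data protected, not the number of digits in the key, sets the rekey schedule.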



Re: Fiber cut - response in seconds?

2009-06-02 Thread Charles Wyble



David Barak wrote:


Paranoia 101 teaches us that any given encryption approach will eventually fall before a brute-force onslaught of sufficient power and duration[1]. 


Of course. Hence my comment about the likelihood of success depending on 
how much computing power they have access to. How much easier does my 
job get if I have access to thousands of encrypted e-mails vs 1 
encrypted e-mail? Once I factor your PKI root private key, you're toast. 
It was my impression that the various algorithms were designed to 
prevent traffic analysis attacks, or at least vastly reduce their 
effectiveness, and if some magical corner case is discovered it should 
be further mitigated by key rotation right? I'm an operations guy, not a 
math wizard. :)


 I'm not trying to argue that the attacker in this case could 
necessarily detect a flaw in the algorithm; rather, they'll get an 
effectively infinite number of chances to bang against it with no 
consequences.  Once it's cracked, the attacker will *still* have the 
physical access which is thus compromised, and then has free access to 
all of the transmissions.


Sure. However couldn't they do this in a lab environment? Various 
botnets give them access to massive amounts of computing power on an 
ongoing basis. I presume that the folks with sufficient expertise and 
knowledge to do these attacks use exploits / back doors that ensure 
continued access to this computing power, which won't be 
detected/patched by the little tykes doing spamming/phishing/data 
correlation.


Then there is the ability to buy a whole lot of specialized number 
crunching compute gear as well.


Granted the US govt has their own (classified) encryption algorithms and 
as such that can't be replicated in a lab environment and requires 
access to the physical medium carrying traffic encrypted by said 
algorithms.


Physical security is a prerequisite to all of the other approaches to 
communication security.  Those cases where physical security is presumed to be 
non-existent have to rely on a lot of out-of-band knowledge for any given 
method to be resistant to attack, and it's very hard to make use of a 
connection of that type for regular operations.


Really? The US Military uses a whole lot of wireless (satellite, ground 
based, surface to air) links. Those links can be sniffed (by people with 
sufficient motivation/funding/gear to do so). They rely on encryption to 
protect them.


Re: Fiber cut - response in seconds?

2009-06-02 Thread Marshall Eubanks


On Jun 2, 2009, at 3:41 PM, Charles Wyble wrote:




David Barak wrote:
Paranoia 101 teaches us that any given encryption approach will  
eventually fall before a brute-force onslaught of sufficient power  
and duration[1].


Of course. Hence my comment about the likelihood of success
depending on how much computing power they have access to. How much
easier does my job get if I have access to thousands of encrypted
e-mails vs 1 encrypted e-mail? Once I factor your PKI root private
key, you're toast.


Note that most PKI (such as RSA) may be breakable when and if quantum
computers become practical.

http://en.wikipedia.org/wiki/Shor's_algorithm

Storing large amounts of PKI encrypted data for that day I am sure  
would interest some organizations.


Regards
Marshall


It was my impression that the various algorithms were designed to  
prevent traffic analysis attacks, or at least vastly reduce their  
effectiveness, and if some magical corner case is discovered it  
should be further mitigated by key rotation right? I'm an operations  
guy, not a math wizard. :)


I'm not trying to argue that the attacker in this case could  
necessarily detect a flaw in the algorithm; rather, they'll get an  
effectively infinite number of chances to bang against it with no  
consequences.  Once it's cracked, the attacker will *still* have the  
physical access which is thus compromised, and then has free access  
to all of the transmissions.


Sure. However couldn't they do this in a lab environment? Various  
botnets give them access to massive amounts of computing power on an  
ongoing basis. I presume that the folks with sufficient expertise  
and knowledge to do these attacks use exploits / back doors that  
ensure continued access to this computing power, which won't be  
detected/patched by the little tykes doing spamming/phishing/data 
correlation.


Then there is the ability to buy a whole lot of specialized number  
crunching compute gear as well.


Granted the US govt has their own (classified) encryption algorithms 
and as such that can't be replicated in a lab environment and  
requires access to the physical medium carrying traffic encrypted by  
said algorithms.



Physical security is a prerequisite to all of the other approaches  
to communication security.  Those cases where physical security is  
presumed to be non-existent have to rely on a lot of out-of-band 
knowledge for any given method to be resistant to attack, and it's  
very hard to make use of a connection of that type for regular  
operations.


Really? The US Military uses a whole lot of wireless (satellite,  
ground based, surface to air) links. Those links can be sniffed (by 
people with sufficient motivation/funding/gear to do so). They rely  
on encryption to protect them.




Re: Fiber cut - response in seconds?

2009-06-02 Thread Michael Holstein


Granted the US govt has their own (classified) encryption algorithms 
and as such that can't be replicated in a lab environment and requires 
access to the physical medium carrying traffic encrypted by said 
algorithms.


Which is why they do things like this : 
http://en.wikipedia.org/wiki/Operation_Ivy_Bells


Of course these days, it doesn't require nearly as much effort .. just a 
friendly phone call to AT&T (who, ironically, also built the devices 
used in the above).


Cheers,

Michael Holstein
Cleveland State University



RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
 
 Really? The US Military uses a whole lot of wireless (satellite, ground
 based, surface to air) links. Those links can be sniffed (by people with
 sufficient motivation/funding/gear to do so). They rely on encryption
 to
 protect them.

Which is why, if you have a satellite, you often position DIRECTLY over the 
antenna you are sending to, and using lasers (rather than other RF) to 
communicate with it. Likewise, if you want to maintain this kind of security 
(and reduce the ability to sniff) you do this in space as well. Highly 
collimated photons are your friend.

Encryption helps, but if it was sufficient in all cases, you wouldn't go to 
such extremes.

This (in a much more NANOG related way) has ramifications for those 
selling/operating Wi-Fi, WiMax, P2P and FSO wireless links and trying to do 
*commercially important things* -- like finance.

The idea here is that fiber is FAR more secure than copper because almost 
everything you want to do to fiber, you can do to copper, but from a further, 
less physically-in-contact distance. 

Another idea is that commercially operated networks have lower standards for 
data security (but not necessarily data *integrity*) than intelligence 
*oriented* applications/networks. 

The idea of installing a tap on an encrypted line to do traffic analysis is all 
very interesting, but no one mentioned the idea that at a critical time (such 
as an attack) you could easily DISRUPT vital communications links and prevent 
their function [and their protected paths]. Security cannot exist without a 
level of integrity. Most commercial networks only need to concern themselves 
with integrity and let their customers deal with the security of their own 
applications.

Commercial networks are a great study of highly (in the commercial sense) 
secure data traversing over LSAs (lower sensitivity areas) with lower control 
thresholds [think poles, manholes, etc]. The data is highly secure to any 
particular customer, but in the commercial sense, it's almost always lost in 
the noise. When a business entity crosses that threshold (e.g. the Federal 
Reserve banks or a transaction clearinghouse) where their data is *worth* 
getting at no matter how much sifting has to go on... you see extraordinary 
measures (e.g. properly implemented obfuscation, or what have you) implemented.

Deepak Jain
AiNET




.ORG is signed

2009-06-02 Thread Dave Knight


Colleagues,

On behalf of PIR Technical Support I would like to announce that as of  
today, 2009-06-02, at 16:00 UTC .ORG is DNSSEC signed.


The following KSK is now valid for .ORG

org. IN DNSKEY 257 3 7 (
AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
) ; key id = 21366

Please note that due to the use of NSEC3 this key should not be used  
with BIND versions less than 9.6.0.


Please refer to http://www.pir.org/dnssec for more information.

As always, please report operational concerns with any Afilias-hosted  
zone to n...@afilias-nst.info


dave

--
Dave Knight
Director, Resolution Services
Afilias

PIR Technical Support
URL: http://www.pir.org
E-mail: techsupp...@pir.org
Phone: +1.416.646.3308
Fax: +1.416.646.3305


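As an added example (not PIR's or Afilias's code), the following Python decodes the KSK announced above, recomputes its key tag per RFC 4034 Appendix B to confirm it really is key id 21366, parses the RSA public key per RFC 3110, and flags that algorithm 7 is an NSEC3 alias, which is why the note about BIND versions before 9.6.0 applies. The DNSKEY constants are copied from the announcement; everything else is standard RFC wire-format handling.

```python
import base64
import struct

# DNSKEY RDATA fields of the .ORG KSK exactly as announced in the message above.
ORG_KSK_FLAGS = 257        # 0x0100 ZONE bit + 0x0001 SEP bit: a key-signing key
ORG_KSK_PROTOCOL = 3       # always 3 for DNSSEC
ORG_KSK_ALGORITHM = 7      # RSASHA1-NSEC3-SHA1
ORG_KSK_PUBKEY_B64 = (
    "AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo"
    "dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm"
    "GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A"
    "bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t"
    "XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m"
    "x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj"
    "CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj"
    "DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU="
)
ANNOUNCED_KEY_ID = 21366

# RFC 5155: algorithms 6 and 7 are aliases of 3 and 5 that only signal "this zone
# may use NSEC3"; a validator without NSEC3 support (BIND before 9.6.0, per the
# announcement) must treat such a zone as insecure instead of failing validation.
NSEC3_ALIAS_ALGORITHMS = {6, 7}

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA that
    disambiguates keys in a DS or RRSIG; it is not a cryptographic digest."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rsa_pubkey(pubkey):
    """RFC 3110 section 2: exponent length (1 byte, or 0 + 2 bytes), exponent,
    then modulus, all big-endian."""
    explen, offset = pubkey[0], 1
    if explen == 0:
        explen, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    exponent = int.from_bytes(pubkey[offset:offset + explen], "big")
    modulus = int.from_bytes(pubkey[offset + explen:], "big")
    return exponent, modulus

def describe_dnskey(flags, protocol, algorithm, pubkey_b64):
    """Decode a DNSKEY into the facts checked before it becomes a trust anchor."""
    pubkey = base64.b64decode(pubkey_b64)
    exponent, modulus = parse_rsa_pubkey(pubkey)
    return {
        "key_tag": key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey)),
        "is_zone_key": bool(flags & 0x0100),
        "is_sep": bool(flags & 0x0001),
        "algorithm": algorithm,
        "needs_nsec3_validator": algorithm in NSEC3_ALIAS_ALGORITHMS,
        "exponent": exponent,
        "modulus_bits": modulus.bit_length(),
    }

def verify_org_ksk():
    """Cross-check the announced .ORG KSK against the key id quoted in the message."""
    info = describe_dnskey(ORG_KSK_FLAGS, ORG_KSK_PROTOCOL, ORG_KSK_ALGORITHM,
                           ORG_KSK_PUBKEY_B64)
    info["matches_announced_id"] = info["key_tag"] == ANNOUNCED_KEY_ID
    return info
```

The same functions apply to any DNSKEY copied from a mail or web page: a key tag that does not match the published key id means the key was mangled in transit and must not be installed as a trust anchor.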


Re: .ORG is signed

2009-06-02 Thread Jorge Amodio
about time. congrats

-j

On Tue, Jun 2, 2009 at 3:44 PM, Dave Knight dkni...@ca.afilias.info wrote:

 Colleagues,

 On behalf of PIR Technical Support I would like to announce that as of
 today, 2009-06-02, at 16:00 UTC .ORG is DNSSEC signed.



Re: Fiber cut - response in seconds?

2009-06-02 Thread Chris Adams
Once upon a time, Deepak Jain dee...@ai.net said:
 Which is why, if you have a satellite, you often position DIRECTLY
 over the antenna you are sending to

Unless your target is on the equator, you don't position a satellite
directly over anything.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Fiber cut - response in seconds?

2009-06-02 Thread Paul Wall
On Tue, Jun 2, 2009 at 7:50 AM, Dave Wilson richard.wil...@senokian.com wrote:
 No. And here's why: If you're a naughty foreign intelligence team, and
 you know your stuff, you already know where some of the cables you'd
 really like a tap on are buried. When you hear of a construction project
 that might damage one, you set up your innocuous white panel truck
 somewhere else, near a suitable manhole. When the construction guy with
 a backhoe chops the cable (and you may well slip him some money to do
 so), *then* you put your tap in, elsewhere, with your actions covered by
 the downtime at the construction site. That's why the guys in the SUVs
 are in such a hurry, because they want to close the window of time in
 which someone can be tapping the cable elsewhere.

Sounds like a lot of work to me. Wouldn't it be easier to just find the carrier
neutral colo facilities where all the peering/transit between major networks
happens, and pay them money to put up a fake wall that you can colo your
optical taps behind?

Drive Slow, and remember, don't open any doors that say This Is Not An Exit,

Paul Wall



Re: Fiber cut - response in seconds?

2009-06-02 Thread Charles Wyble




Sounds like a lot of work to me. Wouldn't it be easier to just find the carrier
neutral colo facilities where all the peering/transit between major networks
happens, and pay them money to put up a fake wall that you can colo your
optical taps behind?


Yeah it's not like that's ever gonna happen! :)




Drive Slow, and remember, don't open any doors that say This Is Not An Exit,


ROFL





RE: Fiber cut - response in seconds?

2009-06-02 Thread Deepak Jain
 Once upon a time, Deepak Jain dee...@ai.net said:
  Which is why, if you have a satellite, you often position DIRECTLY
  over the antenna you are sending to
 
 Unless your target is on the equator, you don't position a satellite
 directly over anything.
 

I promise you that that is not the case for all applications. Geosynchronous 
satellites can be anywhere. For the applications you are considering 
(communications mostly), equatorial orbit is the most advantageous. 

There are books documenting other locations and reasons for other locations... 
and we are off topic.

Best,

Deepak Jain
AiNET



Re: Fiber cut - response in seconds?

2009-06-02 Thread Chris Adams
Once upon a time, Deepak Jain dee...@ai.net said:
 I promise you that that is not the case for all applications.
 Geosynchronous satellites can be anywhere. For the applications you
 are considering (communications mostly), equatorial orbit is the most
 advantageous. 

Geosynchronous are only over a particular longitude.  They move up and
down in latitude, so it isn't over a given point except twice per day
(or only once at the extremes).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



RE: Fiber cut - response in seconds?

2009-06-02 Thread John van Oppen
Ok, while this is off-topic, let's just point people to Wikipedia:

Other satellites (which are NOT in the same position at all times from
the perspective of a spot on earth):

http://en.wikipedia.org/wiki/Geosynchronous_orbit 


TV, and other fixed positioned (relative to the earth) are
geostationary:

http://en.wikipedia.org/wiki/Geostationary_orbit 



Perhaps further comments can go to the discussion pages on Wikipedia
since I would wager a very small number of us push any serious number of
bits via satellite.


John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us


-Original Message-
From: Chris Adams [mailto:cmad...@hiwaay.net] 
Sent: Tuesday, June 02, 2009 3:36 PM
To: Deepak Jain
Cc: nanog@nanog.org
Subject: Re: Fiber cut - response in seconds?

Once upon a time, Deepak Jain dee...@ai.net said:
 I promise you that that is not the case for all applications.
 Geosynchronous satellites can be anywhere. For the applications you
 are considering (communications mostly), equatorial orbit is the most
 advantageous. 

Geosynchronous are only over a particular longitude.  They move up and
down in latitude, so it isn't over a given point except twice per day
(or only once at the extremes).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.




Re: Fiber cut - response in seconds?

2009-06-02 Thread Warren Bailey
I do 250 mbits on 21 transponders :)

- Original Message -
From: John van Oppen j...@vanoppen.com
To: Chris Adams cmad...@hiwaay.net; Deepak Jain dee...@ai.net
Cc: nanog@nanog.org nanog@nanog.org
Sent: Tue Jun 02 14:51:59 2009
Subject: RE: Fiber cut - response in seconds?

Ok, while this is off-topic, let's just point people to Wikipedia:

Other satellites (which are NOT in the same position at all times from
the perspective of a spot on earth):

http://en.wikipedia.org/wiki/Geosynchronous_orbit 


TV, and other fixed positioned (relative to the earth) are
geostationary:

http://en.wikipedia.org/wiki/Geostationary_orbit 



Perhaps further comments can go to the discussion pages on Wikipedia
since I would wager a very small number of us push any serious number of
bits via satellite.


John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us


-Original Message-
From: Chris Adams [mailto:cmad...@hiwaay.net] 
Sent: Tuesday, June 02, 2009 3:36 PM
To: Deepak Jain
Cc: nanog@nanog.org
Subject: Re: Fiber cut - response in seconds?

Once upon a time, Deepak Jain dee...@ai.net said:
 I promise you that that is not the case for all applications.
 Geosynchronous satellites can be anywhere. For the applications you
 are considering (communications mostly), equatorial orbit is the most
 advantageous. 

Geosynchronous are only over a particular longitude.  They move up and
down in latitude, so it isn't over a given point except twice per day
(or only once at the extremes).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.




Re: Savvis quality?

2009-06-02 Thread Jo Rhett

On May 27, 2009, at 10:35 AM, David Hubbard wrote:

Just wondering if anyone can tell me their
opinion on Savvis bandwidth/company preferably
from a web host perspective.  Considering a
connection.



I wouldn't touch them with a 10g pole.  They were the first and only  
provider we have dropped for inability to provide reasonable service.


1. They have problems in the bay area (and I've heard other places but  
I can't confirm) coming up with ports to connect to people on.  We had  
long since outgrown 100mb (was 1g or higher with everyone else) but  
they couldn't come up with a 1g port to sell us.  Then when one became  
free, they demanded a 700mb commit to get it.  After I argued that we  
never run ports at that level of congestion they backed down to a  
500mb commit but that was as low as they'd go.  They had no budget to  
deploy more ports in any of the bay area peering facilities.


2. Their national NOC staff was gut-stripped down to 3 people.  24  
hours a day I'd find the same person answering issues we reported.   
Often outages weren't resolved until they could wake the engineer up.   
(this isn't surprising in a small company, it's very surprising in a  
network the size of Savvis)


3. We had repeated issues that needed escalation to our salesperson  
for credit.  We never got calls back on any of these, even when we had  
escalated through phone, email and paper letters to him.


4. One day they changed the implementation of their community strings  
to start putting other providers and international customers in their  
US-Customer-Only community strings.   We escalated this issue through  
management, and the final conclusion was that their community strings  
advertised to us had to be inconsistent to meet their billing needs.   
(ie get peers to send them traffic they shouldn't have gotten)  We  
were forced to drop using their community strings and instead build a  
large complex route-map to determine which traffic should be routed to  
them.   That's nonsense, and was the final straw.


In one of the marathon phone calls with the NOC staff about this, a  
NOC manager frankly told me that Savvis had been stripped and reamed,  
and they were just trying to stay alive long enough to sell the 
low-cost carcass to another provider.


Yeah, I think that pretty much sums it up.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: Savvis quality?

2009-06-02 Thread Seth Mattinen
Jo Rhett wrote:
 On May 27, 2009, at 10:35 AM, David Hubbard wrote:
 Just wondering if anyone can tell me their
 opinion on Savvis bandwidth/company preferably
 from a web host perspective.  Considering a
 connection.
 
 
 I wouldn't touch them with a 10g pole.  They were the first and only
 provider we have dropped for inability to provide reasonable service.
 
 1. They have problems in the bay area (and I've heard other places but I
 can't confirm) coming up with ports to connect to people on.  We had
 long since outgrown 100mb (was 1g or higher with everyone else) but they
 couldn't come up with a 1g port to sell us.  Then when one became free,
 they demanded a 700mb commit to get it.  After I argued that we never
 run ports at that level of congestion they backed down to a 500mb commit
 but that was as low as they'd go.  They had no budget to deploy more
 ports in any of the bay area peering facilities.
 
 2. Their national NOC staff was gut-stripped down to 3 people.  24 hours
 a day I'd find the same person answering issues we reported.  Often
 outages weren't resolved until they could wake the engineer up.  (this
 isn't surprising in a small company, it's very surprising in a network
 the size of Savvis)
 
 3. We had repeated issues that needed escalation to our salesperson for
 credit.  We never got calls back on any of these, even when we had
 escalated through phone, email and paper letters to him.
 
 4. One day they changed the implementation of their community strings to
 start putting other providers and international customers in their
 US-Customer-Only community strings.   We escalated this issue through
 management, and the final conclusion was that their community strings
 advertised to us had to be inconsistent to meet their billing needs. 
 (ie get peers to send them traffic they shouldn't have gotten)  We were
 forced to drop using their community strings and instead build a large
 complex route-map to determine which traffic should be routed to them.  
 That's nonsense, and was the final straw.
 
 In one of the marathon phone calls with the NOC staff about this, a NOC
 manager frankly told me that Savvis had been stripped and reamed, and
 they were just trying to stay alive long enough to sell the low-cost
 carcass to another provider.
 
 Yeah, I think that pretty much sums it up.
 

Out of curiosity, how recent was all this? It doesn't really match my
experience, however mine isn't very recent. I'm going to be
disconnecting my last SAVVIS circuit in a few months so I haven't really
tried to do anything new with them.

~Seth



RE: Savvis quality?

2009-06-02 Thread Blake Dunlap
This is quite similar to experiences we have had with them. Again the only 
carrier we have dropped for technical reasons.

Blake Dunlap

 -Original Message-
 From: Jo Rhett [mailto:jrh...@netconsonance.com]
 Sent: Tuesday, June 02, 2009 9:59 PM
 To: David Hubbard
 Cc: nanog@nanog.org
 Subject: Re: Savvis quality?

 On May 27, 2009, at 10:35 AM, David Hubbard wrote:
  Just wondering if anyone can tell me their
  opinion on Savvis bandwidth/company preferably
  from a web host perspective.  Considering a
  connection.


 I wouldn't touch them with a 10g pole.  They were the first and only
 provider we have dropped for inability to provide reasonable service.

 1. They have problems in the bay area (and I've heard other places but
 I can't confirm) coming up with ports to connect to people on.  We had
 long since outgrown 100mb (was 1g or higher with everyone else) but
 they couldn't come up with a 1g port to sell us.  Then when one became
 free, they demanded a 700mb commit to get it.  After I argued that we
 never run ports at that level of congestion they backed down to a
 500mb commit but that was as low as they'd go.  They had no budget to
 deploy more ports in any of the bay area peering facilities.

 2. Their national NOC staff was gut-stripped down to 3 people.  24
 hours a day I'd find the same person answering issues we reported.
 Often outages weren't resolved until they could wake the engineer up.
 (this isn't surprising in a small company, it's very surprising in a
 network the size of Savvis)

 3. We had repeated issues that needed escalation to our salesperson
 for credit.  We never got calls back on any of these, even when we had
 escalated through phone, email and paper letters to him.

 4. One day they changed the implementation of their community strings
 to start putting other providers and international customers in their
 US-Customer-Only community strings.   We escalated this issue through
 management, and the final conclusion was that their community strings
 advertised to us had to be inconsistent to meet their billing needs.
 (ie get peers to send them traffic they shouldn't have gotten)  We
 were forced to drop using their community strings and instead build a
 large complex route-map to determine which traffic should be routed to
 them.   That's nonsense, and was the final straw.

 In one of the marathon phone calls with the NOC staff about this, a
 NOC manager frankly told me that Savvis had been stripped and reamed,
 and they were just trying to stay alive long enough to sell the
 low-cost carcass to another provider.

 Yeah, I think that pretty much sums it up.

 --
 Jo Rhett
 Net Consonance : consonant endings by net philanthropy, open source
 and other randomness