Re: news from Google

2009-12-04 Thread Warren Bailey
Anyone volunteer to FedEx Scott here a tin foil hat?? If not, I'll be happy to 
provide one... *cue xfiles theme*

Sent from my Blackberry. Please execute spelling errors.

- Original Message -
From: Scott Weeks sur...@mauigateway.com
To: na...@merit.edu na...@merit.edu
Sent: Thu Dec 03 22:14:57 2009
Subject: Re: news from Google



j...@thejof.com

: 6.6.6.6 belongs to the US Army

look at AS 666.  At least they know their position in the universe.
---


andrey.gor...@gmail.com

: IMHO that's where we are heading with google taking over every service 
imaginable

Only if you let them.  DBS (don't be sheep)
---



At the most basic minimum manage your cookies. Just a quick search (not with 
google) gives:
google.com/support/urchin45/bin/answer.py?answer=28710  (you'll see a LOT of 
_utmx type cookies as soon as you start watching them)

There are many other companies out there that know more about you than you 
think possible.  Small example: Do you allow third party cookies unfettered 
access to what you do?

scott



Re: port scanning from spoofed addresses

2009-12-04 Thread Gregory Edigarov
On Thu, 3 Dec 2009 13:03:20 -0500
Matthew Huff mh...@ox.com wrote:

 I'm not at all concerned about door-knob twisting or network
 scanning. What concerns me is that the source addresses are spoofed
 from our address range and that our upstream providers aren't willing
 to even look at the problem. 
 
But that can be easily addressed by yourself.
Just do not allow traffic originating from your range on your
external interfaces.

-- 
With best regards,
Gregory Edigarov



Re: port scanning from spoofed addresses

2009-12-04 Thread Suresh Ramasubramanian
On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff mh...@ox.com wrote:
 We are seeing a large number of tcp connection attempts to ports known to 
 have security issues. The source addresses are spoofed from our address 
 range. They are easy to block at our border router obviously, but the number 
 and volume is a bit worrisome. Our upstream providers appear to be 
 uninterested in tracing or blocking them. Is this the new normal? One of my 
 concerns is that if others are seeing probe attempts, they will see them from 
 these addresses and of course, contact us.

 Any suggestions on what to do next? Or just ignore.

Filter it out and then ignore.   Might as well filter it out - see
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html
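
The border check suggested in the two replies above, as an added example that is not part of the thread: it flags packets that arrive on an external interface with a source address inside your own range and counts which destination ports they probe. The prefix 192.0.2.0/24, the interface name `ext0`, the log line layout and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch: 192.0.2.0/24 stands in for "our address range",
# "ext0" is the upstream-facing interface, and each log line has the layout
# "<interface> <src> <dst> <dport>". All sample lines are constructed.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
EXTERNAL_INTERFACES = {"ext0"}

SAMPLE_LOG = """\
ext0 192.0.2.77 192.0.2.10 445
ext0 203.0.113.5 192.0.2.10 25
int0 192.0.2.10 203.0.113.5 25
ext0 192.0.2.200 192.0.2.11 135
ext0 192.0.2.77 192.0.2.12 445
ext0 not-an-ip 192.0.2.10 80
"""


def parse_line(line):
    """Return (iface, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    iface, src, dst, dport = parts
    try:
        return iface, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def is_own(addr):
    """True when the address falls inside one of our own prefixes."""
    return any(addr in net for net in OWN_PREFIXES)


def should_drop(record):
    """A packet arriving from outside must never carry one of our own sources."""
    iface, src, _dst, _dport = record
    return iface in EXTERNAL_INTERFACES and is_own(src)


def summarize(log_text):
    """Collect the spoofed records, count probed ports, count unparsable lines."""
    dropped, ports, malformed = [], Counter(), 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            malformed += 1
        elif should_drop(record):
            dropped.append(record)
            ports[record[3]] += 1
    return dropped, ports, malformed


if __name__ == "__main__":
    dropped, ports, malformed = summarize(SAMPLE_LOG)
    print(f"{len(dropped)} spoofed packets, {malformed} malformed lines")
    for port, count in ports.most_common():
        print(f"  dport {port}: {count}")
```

The per-port counts are the part worth keeping after the packets are dropped: they show which services the spoofed probes were aimed at.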



Re: news from Google

2009-12-04 Thread Jorge Amodio
 : IMHO that's where we are heading with google taking over every service 
 imaginable

Well nobody is forcing you to use their services ...

For search you can use bing when it is not down, for email you can use outlook when
the windoze botnet is not being used to distribute viruses or malware, or hotmail
if you want plenty of nice ads directed to fulfill your needs and preferences, for
video you can still use YouTube, uuusss you're right, evil Google owns them now,
for maps you can use mapquest if you want to get to a place a mile away from where
you intended to go, ohhh but they are owned by one of the failed-ex-evils, want to
take a quick peek at a book, you can still go to your local library, what else, ohhh yes
wanna blog? use wordpress and wait for the poetry to become hacked.

Yes, all eggs in the same basket for some stuff is not a good approach, but what's
wrong about using services that are relatively nice, regularly available and being
constantly improved, and free?

Well, right, nothing is free, you are part of their monetization and world domination
scheme ... bad boy Eric, bad boy ...

 Only if you let them.  DBS (don't be sheep)

That's 100% right, if you want privacy just don't make yourself public.

I'm more concerned about information that by law is being made public and
available on-line (like property records in the US) out of my control, or not
very easy to opt-out.

Cheers
Jorge



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-04 Thread Jorge Amodio
I guess Cisco's 800's are out of the Consumer Grade price range, but any comments
about v6 support on them and how they compare with other options.

Just looking for feedback about good options for sort remote/branch/home office.

Regards
Jorge



Re: Route Target rewrite

2009-12-04 Thread shake righa
Thanks Shahid.

On 11/30/09, Lala Lander ssh...@gmail.com wrote:
 Please try this URL. If it doesn't work for you, let me know and I'll send
 you a working example.

 http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsrtrw4.html

 Pretty straight forward configuration.

 thanks,
 Shahid

 On Sun, Nov 29, 2009 at 6:34 PM, shake righa ssri...@gmail.com wrote:

 Anyone with material on how to perform route target re-write as well as
 filtering during vpnv4 BGP sessions.

 Have been trying but the rewrite is not occurring.

 Regards,
 Shake Righa





Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-04 Thread Matthew Moyle-Croft
They work pretty well.

They're one of the few that you can buy which supports DSL and they work.   
IPv6 support on the WIFI interfaces is IOS version dependent.

They support DHCPv6 PD etc.   I'm using one right now with v6.

MMC


On 04/12/2009, at 10:41 PM, Jorge Amodio wrote:

 I guess Cisco's 800's are out of the Consumer Grade price range, but
 any comments
 about v6 support on them and how they compare with other options.
 
 Just looking for feedback about good options for sort remote/branch/home 
 office.
 
 Regards
 Jorge
 

-- 
Matthew Moyle-Croft
Peering Manager and Team Lead - Commercial and DSLAMs
Internode /Agile




Re: news from Google

2009-12-04 Thread Jeffrey Ollie
On Fri, Dec 4, 2009 at 5:29 AM, Jorge Amodio jmamo...@gmail.com wrote:

 I'm more concerned about information that by law is being made public
 and available
 on-line (like property records in the US) out of my control, or not very easy 
 to
 opt-out.

Property records have always been public information in the US, and no
one can opt out (well, I suppose you could sell your house).  Having
information like this available to the public is important because the
government uses those records to make decisions like property tax
rates.  If you were allowed to opt out it would be difficult or
impossible for the public to monitor these government actions.  For
example, if you thought that you were being charged more property tax
than you thought you should you could examine the property records for
properties that were comparable to yours and see what they were being
charged.  If all of your neighbors had opted out you wouldn't be able
to do that (at least not without going to court).  Similarly, if you
were looking at buying a house you could check the property records to
see if any liens had been made against the property or if you could
afford to pay the property taxes.

-- 
Jeff Ollie



Re: news from Google

2009-12-04 Thread Bruce Williams
On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm
psrchish...@gmail.com wrote:

 On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase m...@sizone.org wrote:
  We all know that google is leveraging cross-referenceable information
 from all
  of its services for its profit/advantage ...
 
  /kc
  --
  Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
  Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151
 Front St. W.

 Ken, this was addressed in the announcement:

 http://code.google.com/speed/public-dns/privacy.html

 We built Google Public DNS to make the web faster and to retain as
 little information about usage as we could, while still being able to
 detect and fix problems. Google Public DNS does not permanently store
 personally identifiable information.

 http://code.google.com/speed/public-dns/faq.html#account
 http://code.google.com/speed/public-dns/faq.html#shared
 http://code.google.com/speed/public-dns/faq.html#info

 Is any of the information collected stored with my Google account?
 No.
 Does Google share the information it collects from the Google Public
 DNS service with anyone else?
 No.
 Is information about my queries to Google Public DNS shared with other
 Google properties, such as Search, Gmail, ads networks, etc.?
 No.

 Hope this helps.  --PSRC



And this will never change? Not even when you check the box for the latest
update that says it changes some terms and here is the link,,,

Bruce

-- 

“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time.”
-T.S. Eliot


Re: news from Google

2009-12-04 Thread Richard Bennett
   Bruce Williams wrote:

On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm
[1]psrchish...@gmail.com wrote

On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase [2]m...@sizone.org wrote:

We all know that google is leveraging cross-referenceable information

from all

of its services for its profit/advantage ...

/kc
--
Ken Chase - [3]...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151

Front St. W.

Ken, this was addressed in the announcement:

[4]http://code.google.com/speed/public-dns/privacy.html

We built Google Public DNS to make the web faster and to retain as
little information about usage as we could, while still being able to
detect and fix problems. Google Public DNS does not permanently store
personally identifiable information.

[5]http://code.google.com/speed/public-dns/faq.html#account
[6]http://code.google.com/speed/public-dns/faq.html#shared
[7]http://code.google.com/speed/public-dns/faq.html#info

Is any of the information collected stored with my Google account?
No.
Does Google share the information it collects from the Google Public
DNS service with anyone else?
No.
Is information about my queries to Google Public DNS shared with other
Google properties, such as Search, Gmail, ads networks, etc.?
No.

Hope this helps.  --PSRC

And this will never change? Not even when you check the box for the latest
update that says it changes some terms and here is the link,,,

Bruce

   The Adsense tracking cookie was once an opt-in, but after Google
   acquired that company and crushed the competition it became an opt-out,
   unbeknownst to many consumers. This is the way these generally go.
   Google will be all sweetness and light until they've crushed OpenDNS,
   and when the competitor's out of the picture, they'll get down to the
   monetizing.
--
Richard Bennett

References

   1. mailto:psrchish...@gmail.com
   2. mailto:m...@sizone.org
   3. mailto:k...@heavycomputing.ca
   4. http://code.google.com/speed/public-dns/privacy.html
   5. http://code.google.com/speed/public-dns/faq.html#account
   6. http://code.google.com/speed/public-dns/faq.html#shared
   7. http://code.google.com/speed/public-dns/faq.html#info


Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-04 Thread Mohacsi Janos




On Fri, 4 Dec 2009, Jorge Amodio wrote:


I guess Cisco's 800's are out of the Consumer Grade price range, but
any comments
about v6 support on them and how they compare with other options.

Just looking for feedback about good options for sort remote/branch/home office.


Some 800's are supporting IPv6 very well even DHCPv6-PD.  We tested 83x, 
87x, 88x. No IPv6 support however for 80x and 85x series.


We also tested Juniper Netscreen - they are also very capable devices.

Best Regards,
Janos Mohacsi



Re: news from Google

2009-12-04 Thread Andrey Gordon
I agree, one could find this thought paranoid, but even if we don't use
google out of fear that they will take over everything they still seem to be
growing.
What I'm trying to say is that you/we/they can take all the placards
you/we/they want and go and try to convince (or at least educate) the public
that google is becoming an evil empire, but there are enough sheep out there
to make google succeed.
Google makes its services very attractive to use (free, convenient, great
functionality, integration, etc) so we do for the most part. There is a
chance that soon google will be collecting statistics on all aspects of
your digital life and all that government has to do is to pass a law or even
more than that, nationalize google. That's just one paranoid theory I've
got. Send your tin foil hats and emails to PO Box 666, Antarctica, The
World.

Remember? They started as a search engine? Not sure how, but they are
becoming (became) the new Micro$oft, IMHO.

-
Andrey Gordon [andrey.gor...@gmail.com]


On Fri, Dec 4, 2009 at 3:07 AM, Warren Bailey wbai...@gci.com wrote:

 Anyone volunteer to FedEx Scott here a tin foil hat?? If not, I'll be happy
 to provide one... *cue xfiles theme*

 Sent from my Blackberry. Please execute spelling errors.

 - Original Message -
 From: Scott Weeks sur...@mauigateway.com
 To: na...@merit.edu na...@merit.edu
 Sent: Thu Dec 03 22:14:57 2009
 Subject: Re: news from Google



 j...@thejof.com

 : 6.6.6.6 belongs to the US Army

 look at AS 666.  At least they know their position in the universe.
 ---


 andrey.gor...@gmail.com

 : IMHO that's where we are heading with google taking over every service
 imaginable

 Only if you let them.  DBS (don't be sheep)
 ---



 At the most basic minimum manage your cookies. Just a quick search (not
 with google) gives:
 google.com/support/urchin45/bin/answer.py?answer=28710  (you'll see a LOT
 of _utmx type cookies as soon as you start watching them)

 There are many other companies out there that know more about you than you
 think possible.  Small example: Do you allow third party cookies unfettered
 access to what you do?

 scott




Re: news from Google

2009-12-04 Thread Jorge Amodio
 Remember? They started as a search engine? Not sure how, but they are
 becoming (became) the new Micro$oft, IMHO.

Hmnm, I don't agree with your opinion, Micro$oft keeps making money out
of you just repackaging and reselling the same crappy software over and over
and making people pay for a large number of features they will never use,
imposing their OS through hardware distributors and crushing anyone
who they may feel becomes a threat to their biz model.

Remember? They started as a software company, and still don't get it, IMHO.

Regards
Jorge



Re: news from Google

2009-12-04 Thread Andrey Gordon
I didn't say that google is now a software company, i meant they are present
in more and more aspects of your life, but yeah, i guess not the best
example.

Cheers

-
Andrey Gordon [andrey.gor...@gmail.com]


On Fri, Dec 4, 2009 at 9:34 AM, Jorge Amodio jmamo...@gmail.com wrote:

  Remember? They started as a search engine? Not sure how, but they are
  becoming (became) the new Micro$oft, IMHO.

 Hmnm, I don't agree with your opinion, Micro$oft keeps making money out
 of you just repackaging and reselling the same crappy software over and
 over
 and making people pay for a large number of features they will never use,
 imposing their OS through hardware distributors and crushing anyone
 who they may feel becomes a threat to their biz model.

 Remember? They started as a software company, and still don't get it, IMHO.

 Regards
 Jorge



Re: news from Google

2009-12-04 Thread Bruce Williams
We plan to share what we learn from this experimental rollout of Google
Public DNS with the broader web community and other DNS providers, to
improve the browsing experience for Internet users globally.

I wonder how the world managed to function before Google came along

Bruce

On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett rich...@bennett.com wrote:

  Bruce Williams wrote:

 On Thu, Dec 3, 2009 at 2:20 PM, Paul S. R. Chisholm psrchish...@gmail.com wrote

  On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase m...@sizone.org wrote:


  We all know that google is leveraging cross-referenceable information


  from all


  of its services for its profit/advantage ...

 /kc
 --
 Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
 Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151


  Front St. W.

 Ken, this was addressed in the announcement:
 http://code.google.com/speed/public-dns/privacy.html

 We built Google Public DNS to make the web faster and to retain as
 little information about usage as we could, while still being able to
 detect and fix problems. Google Public DNS does not permanently store
 personally identifiable information.
 http://code.google.com/speed/public-dns/faq.html#account
 http://code.google.com/speed/public-dns/faq.html#shared
 http://code.google.com/speed/public-dns/faq.html#info

 Is any of the information collected stored with my Google account?
 No.
 Does Google share the information it collects from the Google Public
 DNS service with anyone else?
 No.
 Is information about my queries to Google Public DNS shared with other
 Google properties, such as Search, Gmail, ads networks, etc.?
 No.

 Hope this helps.  --PSRC


  And this will never change? Not even when you check the box for the latest
 update that says it changes some terms and here is the link,,,

 Bruce


  The Adsense tracking cookie was once an opt-in, but after Google acquired
 that company and crushed the competition it became an opt-out, unbeknownst
 to many consumers. This is the way these generally go. Google will be all
 sweetness and light until they've crushed OpenDNS, and when the competitor's
 out of the picture, they'll get down to the monetizing.

 --
 Richard Bennett




-- 

“Discovering...discovering...we will never cease discovering...
and the end of all our discovering will be
to return to the place where we began
and to know it for the first time.”
-T.S. Eliot


Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-04 Thread Brandon Ewing
On Fri, Dec 04, 2009 at 10:59:49PM +1030, Matthew Moyle-Croft wrote:
 They work pretty well.
 
 They're one of the few that you can buy which supports DSL and they work.   
 IPv6 support on the WIFI interfaces is IOS version dependent.
 
 They support DHCPv6 PD etc.   I'm using one right now with v6.
 
 MMC
 

Can you comment on what version you got it to work on?  I haven't futzed
with it much, but with 12.4(24)T2, you can't put an ipv6 address directly on
the wireless subinterface.  I tried putting it on a BVI interface, but 
didn't have much luck.

-- 
Brandon Ewing(nicot...@warningg.com)




SPF Configurations

2009-12-04 Thread Jeffrey Negro
I'm wondering if a few DNS experts out there could give me some input on
SPF record configuration.  Our company sends out about 50k - 100k emails
a day, and most emails are on behalf of customers to their end users at
various domains (no, we're not spammers, these are email notifications
the end users have requested to receive).  Some customers insist on
making the FROM address use their domain name, but the emails leave our
mail servers on our domain.  SPF seems to be the way we could possibly
avoid more spam filters, and delivery rate is very important to our
company.

 

The server configuration consists of a mail server that sends outbound
only, out of a specific IP with proper MX, A, and PTR records.  This is
a sample of the SPF configuration I believe would be correct:

 

Our company (example.com) records:

              IN   MX   10 mail.example.com
mail          IN   A    ip address
example.com   IN   TXT  v=spf1 mx -all
example.com   IN   SPF  v=spf1 mx -all
mail          IN   TXT  v=spf1 a -all
mail          IN   SPF  v=spf1 a -all

customer.com  IN   TXT  v=spf1 include:example.com -all
customer.com  IN   SPF  v=spf1 include:example.com -all

Our customer's (customer.com) records:

              IN   MX   10 mail.customer.com
mail          IN   A    ip address
customer.com  IN   TXT  v=spf1 mx -all
customer.com  IN   SPF  v=spf1 mx -all
mail          IN   TXT  v=spf1 a -all
mail          IN   SPF  v=spf1 a -all

customer.com  IN   TXT  v=spf1 include:example.com -all
customer.com  IN   SPF  v=spf1 include:example.com -all

 

I derived this from this tutorial:
http://www.zytrax.com/books/dns/ch9/spf.html . 

 

The other part of this that may be of importance would be the NATing.
The FQDN that the world sees for the outside address of the NAT is not
the same as the inside FQDN that Postfix is using internally.  Does this
cause any problems with SPF?

 

Any comments or suggestions would be great.  Thanks in advance!

 

Jeffrey



RE: SPF Configurations

2009-12-04 Thread Jeffrey Negro
Thanks for your input on this.  My main concern is mail filters at the
end users' side thinking that our mail servers are spoofing our
customer's domain.  I'll check into MAAWG as well.

Jeffrey Negro, Network Engineer
Billtrust - Improving Your Billing, Improving Your Business
www.billtrust.com
609.235.1010 x137
jne...@billtrust.com

-Original Message-
From: Joe St Sauver [mailto:j...@oregon.uoregon.edu] 
Sent: Friday, December 04, 2009 11:25 AM
To: Jeffrey Negro
Subject: Re: SPF Configurations

#Some customers insist on
#making the FROM address use their domain name, but the emails leave our
#mail servers on our domain.  

Then your IPs or outbound mail servers should be listed on the
customer's
SPF record... assuming they also send their own mail, they obviously
also
want to list their own mail servers.

#SPF seems to be the way we could possibly avoid more spam filters, 

SPF only provides a way of avoiding spoofing, it does not necessarily
enhance your IP reputation or your domain reputation

#and delivery rate is very important to our company.

Are you involved with MAAWG? (see www.maawg.org)

Regards,

Joe



Re: SPF Configurations

2009-12-04 Thread Bret Clark
If the customer insists on using their domain, then you would have to 
have the customer set up an SPF record within their domain that points to 
your email server IP blocks. I would just tell your customer that if 
they insist on using their FROM domain, to help get past someone's 
spamming system the customer is going to have to add an SPF record to 
their domain similar to the following:


[customer domain].com. IN TXT v=spf1 a mx ip4:[your IP block]

Putting an SPF record in your DNS record will have no effect on spamming 
software. SPF is basically another form of reverse DNS at the mail level.


Bret

Jeffrey Negro wrote:

Thanks for your input on this.  My main concern is mail filters at the
end users side thinking that our mail servers are spoofing our
customer's domain.  I'll check into MAAWG as well

Jeffrey Negro, Network Engineer
Billtrust - Improving Your Billing, Improving Your Business
www.billtrust.com
609.235.1010 x137
jne...@billtrust.com

-Original Message-
From: Joe St Sauver [mailto:j...@oregon.uoregon.edu] 
Sent: Friday, December 04, 2009 11:25 AM

To: Jeffrey Negro
Subject: Re: SPF Configurations

#Some customers insist on
#making the FROM address use their domain name, but the emails leave our
#mail servers on our domain.  


Then your IPs or outbound mail servers should be listed on the
customer's
SPF record... assuming they also send their own mail, they obviously
also
want to list their own mail servers.

#SPF seems to be the way we could possibly avoid more spam filters, 


SPF only provides a way of avoiding spoofing, it does not necessarily
enhance your IP reputation or your domain reputation

#and delivery rate is very important to our company.

Are you involved with MAAWG? (see www.maawg.org)

Regards,

Joe

  





Re: SPF Configurations

2009-12-04 Thread James Bensley
2009/12/4 Bret Clark bcl...@spectraaccess.com

 If the customer insists on using their domain, then you would have to have
 the customer set up an SPF record within their domain that points to your
 email server IP blocks. I would just tell your customer that if they insist
 on using their FROM domain, to help get past someone's spamming system the
 customer is going to have to add an SPF record to their domain similar to
 the following:

 [customer domain].com. IN TXT v=spf1 a mx ip4:[your IP block]

 Putting an SPF record in your DNS record will have no effect on spamming
 software. SPF is basically another form of reverse DNS at the mail level.

 Bret


The problem we face is that some people we work with can't do that, they
can't even grasp what an SPF record is and so as far as our own spam
filtering goes, we have filtered their emails to us sent with the FROM
address being an @mysurname.com domain which doesn't exist and as a result
we have filtered out their mails so we have had to lower our SPF checking
slightly which is so annoying :S

-- 
Regards,
James ;)

Charles de Gaulle (http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html)
- The better I get to know men, the more I find myself loving dogs.


Re: news from Google

2009-12-04 Thread Christopher Morrow
On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett rich...@bennett.com wrote:

   Google will be all sweetness and light until they've crushed OpenDNS,
   and when the competitor's out of the picture, they'll get down to the
   monetizing.

one note: OpenDNS is not the only 'competitor' here just one of
the better obviously known ones.

ie:
4.2.2.2  L(3)
198.6.1.1/2/3/4/5/122/142/146/195 ex-UU
Neustar (can't recall ips, sorry)

-chris



RE: SPF Configurations

2009-12-04 Thread Graeme Fowler
On Fri, 2009-12-04 at 11:45 -0500, Jeffrey Negro wrote:
 Thanks for your input on this.  My main concern is mail filters at the
 end users side thinking that our mail servers are spoofing our
 customer's domain.

If you really feel that SPF is going to help, then keep all the mail in
your domain's control by using VERP addresses as the envelope sender
address (like most decent modern MLM packages do).

That way you can have a From:  header in the customer domain (or of
your choosing), and the envelope sender in your own. The benefit here is
that not only does it make the usage of SPF a lot less complex, but it
also means that all bounces come back to the originating system and can
be handled accordingly.

Have a look at the headers of this message for a well-formed example.

Of course, this does depend upon people believing that SPF is actually
useful...

Graeme
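
The SPF options discussed in this thread (the record layout in the original question, the customer-side record with the provider listed, and the VERP envelope sender), as an added example that is not part of any message: a simplified SPF evaluator run over constructed DNS data. The names `split.customer.com` and `plain.customer.com`, the documentation-range IP addresses and the `bounces+user=domain@` VERP layout are assumptions made for illustration; only the `all`, `ip4`, `a`, `mx` and `include` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (assumption): 192.0.2.25 stands in for the provider's
# outbound server mail.example.com, 198.51.100.25 for the customer's own server.
DNS = {
    "A": {"mail.example.com": ["192.0.2.25"],
          "mail.customer.com": ["198.51.100.25"]},
    "MX": {"example.com": ["mail.example.com"],
           "customer.com": ["mail.customer.com"],
           "split.customer.com": ["mail.customer.com"],
           "plain.customer.com": ["mail.customer.com"]},
    "TXT": {"example.com": ["v=spf1 mx -all"],
            # one record: the customer's own MX plus the provider via include
            "customer.com": ["v=spf1 mx include:example.com -all"],
            # two separate v=spf1 records on one name, as in the question
            "split.customer.com": ["v=spf1 mx -all",
                                   "v=spf1 include:example.com -all"],
            # customer that never listed the provider
            "plain.customer.com": ["v=spf1 mx -all"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_addrs(host):
    return [ipaddress.ip_address(a) for a in DNS["A"].get(host, [])]


def check_host(ip, domain, depth=0):
    """Simplified SPF check of client IP against the policy of `domain`."""
    if depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    records = [t for t in DNS["TXT"].get(domain, [])
               if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        # The SPF specification treats more than one record as a permanent error.
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in host_addrs(arg or domain)
        elif name == "mx":
            matched = any(addr in host_addrs(mx)
                          for mx in DNS["MX"].get(arg or domain, []))
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism not handled in this sketch
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def spf_for_message(client_ip, envelope_from, header_from):
    """SPF looks at the envelope sender domain; the From: header is not consulted."""
    return check_host(client_ip, envelope_from.rsplit("@", 1)[1])


def verp_sender(recipient, bounce_domain="example.com"):
    """Encode the recipient into an envelope sender in the provider's own domain."""
    local, _, rdomain = recipient.partition("@")
    return f"bounces+{local}={rdomain}@{bounce_domain}"


if __name__ == "__main__":
    provider_ip = "192.0.2.25"
    for env in ("billing@customer.com", "billing@split.customer.com",
                "billing@plain.customer.com", verp_sender("alice@enduser.example")):
        print(env, "->", spf_for_message(provider_ip, env, "billing@plain.customer.com"))
```

With the VERP envelope sender the customer's zone needs no change at all, because the only policy evaluated is the provider's own `example.com` record.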




RE: SPF Configurations

2009-12-04 Thread Jeffrey Negro
From talking to a few people so far it seems like it might be better to
have the development team here alter our applications to use a separate
Envelope From and friendly From.  I can display the email address with
the customer's domain, but the mail will be coming from our address as
the Envelope From.  That way the customer is happy their end user is
seeing the email coming from their domain, while the Envelope From shows
an email address that matches our domain.  Seems like a simpler
solution.

Thank you all for your input, as I know this may be a bit off topic for
this list.

Jeffrey


-Original Message-
From: Graeme Fowler [mailto:gra...@graemef.net] 
Sent: Friday, December 04, 2009 1:59 PM
To: NANOG
Subject: RE: SPF Configurations

On Fri, 2009-12-04 at 11:45 -0500, Jeffrey Negro wrote:
 Thanks for your input on this.  My main concern is mail filters at the
 end users side thinking that our mail servers are spoofing our
 customer's domain.

If you really feel that SPF is going to help, then keep all the mail in
your domain's control by using VERP addresses as the envelope sender
address (like most decent modern MLM packages do).

That way you can have a From:  header in the customer domain (or of
your choosing), and the envelope sender in your own. The benefit here is
that not only does it make the usage of SPF a lot less complex, but it
also means that all bounces come back to the originating system and can
be handled accordingly.

Have a look at the headers of this message for a well-formed example.

Of course, this does depend upon people believing that SPF is actually
useful...

Graeme




Re: news from Google

2009-12-04 Thread Jorge Amodio
Put one more down on the evil list ...

http://www.techcrunch.com/2009/12/04/google-acquires-appjet-etherpad/

Cheers
Jorge



Re: news from Google

2009-12-04 Thread Martin Hannigan
On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:

 On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett rich...@bennett.com
 wrote:

Google will be all sweetness and light until they've crushed OpenDNS,
and when the competitor's out of the picture, they'll get down to the
monetizing.

 one note: OpenDNS is not the only 'competitor' here just one of
 the better obviously known ones.

 ie:
 4.2.2.2  L(3)
 198.6.1.1/2/3/4/5/122/142/146/195 ex-UU
 Neustar (can't recall ips, sorry)

 -chris




Why did Google put an infrastructure critical application into PA space?



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Weekly Routing Table Report

2009-12-04 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith p...@cisco.com.

Routing Table Report   04:00 +10GMT Sat 05 Dec, 2009

Report Website: http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  305390
Prefixes after maximum aggregation:  142337
Deaggregation factor:  2.15
Unique aggregates announced to Internet:  150539
Total ASes present in the Internet Routing Table:  32849
Prefixes per ASN:  9.30
Origin-only ASes present in the Internet Routing Table:  28510
Origin ASes announcing only one prefix:  13915
Transit ASes present in the Internet Routing Table:  4339
Transit-only ASes present in the Internet Routing Table:  103
Average AS path length visible in the Internet Routing Table:  3.6
Max AS path length visible:  39
Max AS path prepend of ASN (22394)  36
Prefixes from unregistered ASNs in the Routing Table:  1081
Unregistered ASNs in the Routing Table:  172
Number of 32-bit ASNs allocated by the RIRs:  342
Prefixes from 32-bit ASNs in the Routing Table:  281
Special use prefixes present in the Routing Table:  0
Prefixes being announced from unallocated address space:  174
Number of addresses announced to Internet:  2139389760
Equivalent to 127 /8s, 132 /16s and 127 /24s
Percentage of available address space announced:  57.7
Percentage of allocated address space announced:  65.4
Percentage of available address space allocated:  88.2
Percentage of address space in use by end-sites:  80.2
Total number of prefixes smaller than registry allocations:  146684

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes:  72874
Total APNIC prefixes after maximum aggregation:  25430
APNIC Deaggregation factor:  2.87
Prefixes being announced from the APNIC address blocks:  69560
Unique aggregates announced from the APNIC address blocks:  30973
APNIC Region origin ASes present in the Internet Routing Table:  3883
APNIC Prefixes per ASN:  17.91
APNIC Region origin ASes announcing only one prefix:  1057
APNIC Region transit ASes present in the Internet Routing Table:  601
Average APNIC Region AS path length visible:  3.6
Max APNIC Region AS path length visible:  23
Number of APNIC addresses announced to Internet:  483411744
Equivalent to 28 /8s, 208 /16s and 71 /24s
Percentage of available APNIC address space announced:  80.0

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
                       55296-56319, 131072-132095
APNIC Address Blocks   43/8,  58/8,  59/8,  60/8,  61/8, 110/8, 111/8,
                       112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
                       119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8,
                       126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:  128363
Total ARIN prefixes after maximum aggregation:  67377
ARIN Deaggregation factor:  1.91
Prefixes being announced from the ARIN address blocks:  102877
Unique aggregates announced from the ARIN address blocks:  38831
ARIN Region origin ASes present in the Internet Routing Table:  13385
ARIN Prefixes per ASN:  7.69
ARIN Region origin ASes announcing only one prefix:  5182
ARIN Region transit ASes present in the Internet Routing Table:  1326
Average ARIN Region AS path length visible:  3.3
Max ARIN Region AS path length visible:  39
Number of ARIN addresses announced to Internet:  731875872
Equivalent to 43 /8s, 159 /16s and 138 /24s
Percentage of available ARIN address space announced:

Re: news from Google

2009-12-04 Thread bmanning
On Fri, Dec 04, 2009 at 03:34:10PM -0500, Martin Hannigan wrote:
 On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow
 morrowc.li...@gmail.com wrote:
 
  On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett rich...@bennett.com
  wrote:
 
 Google will be all sweetness and light until they've crushed OpenDNS,
 and when the competitor's out of the picture, they'll get down to the
 monetizing.
 
  one note: OpenDNS is not the only 'competitor' here just one of
  the better obviously known ones.
 
  ie:
  4.2.2.2  L(3)
  198.6.1.1/2/3/4/5/122/142/146/195 ex-UU
  Neustar (can't recall ips, sorry)
 
  -chris
 
 
 
 
 Why did Google put an infrastructure critical application into PA space?
 
 

what's PA space in this context?  clearly 8.0.0.0/8 was allocated
prior to any current group-think about what PA might be.

--bill



BGP Update Report

2009-12-04 Thread cidr-report
BGP Update Report
Interval: 26-Nov-09 -to- 03-Dec-09 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS8151   20301  2.5%      41.4 -- Uninet S.A. de C.V.
 2 - AS23700  13865  1.7%      27.3 -- BM-AS-ID PT. Broadband Multimedia, Tbk
 3 - AS7643   13095  1.6%      97.7 -- VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
 4 - AS9800   11181  1.4%      81.0 -- UNICOM CHINA UNICOM
 5 - AS30890  10047  1.2%      19.8 -- EVOLVA Evolva Telecom s.r.l.
 6 - AS14420  10023  1.2%      30.0 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
 7 - AS28477   9205  1.1%    1022.8 -- Universidad Autonoma del Esstado de Morelos
 8 - AS14187   8753  1.1%     301.8 -- COMSAT COLOMBIA
 9 - AS9829    8676  1.1%      18.2 -- BSNL-NIB National Internet Backbone
10 - AS23216   8432  1.0%      46.1 -- MEGADATOS S.A.
11 - AS35805   7942  1.0%      17.2 -- UTG-AS United Telecom AS
12 - AS9394    7415  0.9%       3.9 -- CRNET CHINA RAILWAY Internet(CRNET)
13 - AS33648   6513  0.8%    3256.5 -- ELEPHANT - ColoFlorida / Elephant Outlook
14 - AS6822    6494  0.8%     282.3 -- SUPERONLINE-AS SuperOnline autonomous system
15 - AS24342   6219  0.8%     144.6 -- BRAC-BDMAIL-AS-BD BRAC BDMail Network Ltd.
16 - AS5800    6071  0.8%      32.1 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
17 - AS4249    6011  0.7%      34.7 -- LILLY-AS - Eli Lilly and Company
18 - AS17974   4891  0.6%      18.1 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
19 - AS9583    4822  0.6%       6.1 -- SIFY-AS-IN Sify Limited
20 - AS7738    4660  0.6%      10.9 -- Telecomunicacoes da Bahia S.A.


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS48754   4398  0.5%    4398.0 -- SOBIS-AS SC SOBIS SOLUTIONS SRL
 2 - AS33648   6513  0.8%    3256.5 -- ELEPHANT - ColoFlorida / Elephant Outlook
 3 - AS36239   3046  0.4%    3046.0 -- EXIGEN-CANADA - Exigen Canada
 4 - AS5691    2390  0.3%    2390.0 -- MITRE-AS-5 - The MITRE Corporation
 5 - AS27667   2239  0.3%    2239.0 -- Universidad Autonoma de la Laguna
 6 - AS14251   1447  0.2%    1447.0 -- MLSLI - Multiple Lising Service of Long Island, Inc.
 7 - AS39384   1205  0.1%    1205.0 -- GUILAN-UNIV-AS University of Guilan AS System
 8 - AS41060   1078  0.1%    1078.0 -- PRIMBANK-AS Joint-Stock Commercial Bank Primorye
 9 - AS47417   1069  0.1%    1069.0 -- CELTRAK-AS Celtrak AS Number
10 - AS28477   9205  1.1%    1022.8 -- Universidad Autonoma del Esstado de Morelos
11 - AS22917   1861  0.2%     930.5 -- INFOCHANNEL ASN-INFOCHAN
12 - AS48481   1850  0.2%     925.0 -- RYBALKA-AS ISP King-Online
13 - AS12732   2671  0.3%     890.3 -- bbTT GmbH
14 - AS37035    805  0.1%     805.0 -- MIC-AS
15 - AS17819   2892  0.4%     723.0 -- ASN-EQUINIX-AP Equinix Asia Pacific
16 - AS24323   2120  0.3%     530.0 -- GLOBAL-ONLINE-AS-AP aamra networks limited,
17 - AS17469   1507  0.2%     502.3 -- ACCESSTEL-AS-AP Access Telecom (BD) Ltd.
18 - AS26381    942  0.1%     471.0 -- HSBC-COM - hsbc.com
19 - AS41343   2543  0.3%     423.8 -- TRIUNFOTEL-ASN TRIUNFOTEL
20 - AS37786    843  0.1%     421.5 -- 


TOP 20 Unstable Prefixes
Rank Prefix              Upds     %   Origin AS -- AS Name
 1 - 200.13.36.0/24      9141  1.0%   AS28477 -- Universidad Autonoma del Esstado de Morelos
 2 - 66.192.106.0/23     6254  0.7%   AS33648 -- ELEPHANT - ColoFlorida / Elephant Outlook
 3 - 212.253.4.0/24      4951  0.6%   AS6822  -- SUPERONLINE-AS SuperOnline autonomous system
 4 - 91.212.23.0/24      4398  0.5%   AS48754 -- SOBIS-AS SC SOBIS SOLUTIONS SRL
 5 - 203.162.118.128/    4184  0.5%   AS7643  -- VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
 6 - 72.28.75.0/24       3046  0.3%   AS36239 -- EXIGEN-CANADA - Exigen Canada
 7 - 89.144.140.0/24     3006  0.3%   AS39308 -- ASK-AS Andishe Sabz Khazar Autonomous System
                                      AS39384 -- GUILAN-UNIV-AS University of Guilan AS System
 8 - 143.138.107.0/24    2699  0.3%   AS747   -- TAEGU-AS - Headquarters, USAISC
 9 - 222.255.186.0/25    2662  0.3%   AS7643  -- VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
10 - 192.12.120.0/24     2390  0.3%   AS5691  -- MITRE-AS-5 - The MITRE Corporation
11 - 148.245.181.0/24    2239  0.2%   AS27667 -- Universidad Autonoma de la Laguna
14 - 212.42.236.0/24     2065  0.2%   AS12732 -- bbTT GmbH
15 - 202.177.223.0/24    1459  0.2%   AS17819 -- ASN-EQUINIX-AP Equinix Asia Pacific
16 - 65.223.235.0/24     1447  0.2%   AS14251 -- MLSLI - Multiple Lising Service of Long Island, Inc.
17 - 

The Cidr Report

2009-12-04 Thread cidr-report
This report has been generated at Fri Dec  4 21:11:26 2009 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
27-11-09    309743    191782
28-11-09    309731    191730
29-11-09    309930    191931
30-11-09    310070    192022
01-12-09    309965    192378
02-12-09    310335    192495
03-12-09    310687    192616
04-12-09    310737    192817


AS Summary
 33047  Number of ASes in routing system
 14059  Number of ASes announcing only one prefix
  4356  Largest number of prefixes announced by an AS
AS4323 : TWTC - tw telecom holdings, inc.
  92613824  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 04Dec09 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     310897   192801   118096    38.0%   All ASes

AS6389      4235      318     3917    92.5%   BELLSOUTH-NET-BLK -
                                              BellSouth.net Inc.
AS4323      4356     1941     2415    55.4%   TWTC - tw telecom holdings,
                                              inc.
AS1785      1783      321     1462    82.0%   AS-PAETEC-NET - PaeTec
                                              Communications, Inc.
AS4766      1865      584     1281    68.7%   KIXS-AS-KR Korea Telecom
AS17488     1458      314     1144    78.5%   HATHWAY-NET-AP Hathway IP Over
                                              Cable Internet
AS22773     1125       71     1054    93.7%   ASN-CXA-ALL-CCI-22773-RDC -
                                              Cox Communications Inc.
AS8151      1586      674      912    57.5%   Uninet S.A. de C.V.
AS4755      1280      402      878    68.6%   TATACOMM-AS TATA
                                              Communications formerly VSNL
                                              is Leading ISP
AS19262     1044      236      808    77.4%   VZGNI-TRANSIT - Verizon
                                              Internet Services Inc.
AS8452       957      282      675    70.5%   TEDATA TEDATA
AS18101      984      328      656    66.7%   RIL-IDC Reliance Infocom Ltd
                                              Internet Data Centre,
AS6478      1179      567      612    51.9%   ATT-INTERNET3 - ATT WorldNet
                                              Services
AS3356      1221      635      586    48.0%   LEVEL3 Level 3 Communications
AS24560      805      223      582    72.3%   AIRTELBROADBAND-AS-AP Bharti
                                              Airtel Ltd., Telemedia
                                              Services
AS10620     1004      431      573    57.1%   TV Cable S.A.
AS4808       764      196      568    74.3%   CHINA169-BJ CNCGROUP IP
                                              network China169 Beijing
                                              Province Network
AS4804       635       72      563    88.7%   MPX-AS Microplex PTY LTD
AS7303       665      103      562    84.5%   Telecom Argentina S.A.
AS4134      1015      455      560    55.2%   CHINANET-BACKBONE
                                              No.31,Jin-rong Street
AS7018      1588     1032      556    35.0%   ATT-INTERNET4 - ATT WorldNet
                                              Services
AS18566     1059      510      549    51.8%   COVAD - Covad Communications
                                              Co.
AS11492     1145      634      511    44.6%   CABLEONE - CABLE ONE, INC.
AS22047      546       49      497    91.0%   VTR BANDA ANCHA S.A.
AS4780       627      147      480    76.6%   SEEDNET Digital United Inc.
AS9443       533       82      451    84.6%   INTERNETPRIMUS-AS-AP Primus
                                              Telecommunications
AS17676      564      129      435    77.1%   GIGAINFRA Softbank BB Corp.
AS5668       786      362      424    53.9%   AS-5668 - CenturyTel Internet
                                              Holdings, Inc.
AS855        614      191      423    68.9%   CANET-ASN-4 - Bell Aliant
                                              Regional Communications, Inc.
AS28573      818      398      420    51.3%   NET Servicos de Comunicao S.A.
AS7011      1033      628      405    39.2%   FRONTIER-AND-CITIZENS -
                                              Frontier Communications of
                                              America, Inc.

Total      37274    12315    24959    67.0%   

Re: news from Google

2009-12-04 Thread Jorge Amodio
 Come on.  Acquiring a company is now considered evil?

It's a sarcasm about the ones crying wolf about Google becoming evil.



Re: news from Google

2009-12-04 Thread Martin Hannigan
On Fri, Dec 4, 2009 at 4:37 PM, bmann...@vacation.karoshi.com wrote:

 On Fri, Dec 04, 2009 at 03:34:10PM -0500, Martin Hannigan wrote:
  On Fri, Dec 4, 2009 at 1:25 PM, Christopher Morrow
  morrowc.li...@gmail.com wrote:
 
   On Fri, Dec 4, 2009 at 5:53 AM, Richard Bennett rich...@bennett.com
   wrote:
  
  Google will be all sweetness and light until they've crushed
 OpenDNS,
  and when the competitor's out of the picture, they'll get down to
 the
  monetizing.
  
   one note: OpenDNS is not the only 'competitor' here just one of
   the better obviously known ones.
  
   ie:
   4.2.2.2  L(3)
   198.6.1.1/2/3/4/5/122/142/146/195 ex-UU
   Neustar (can't recall ips, sorry)
  
   -chris
  
  
 
 
  Why did Google put an infrastructure critical application into PA space?
 
 

 what's PA space in this context?  clearly 8.0.0.0/8 was allocated
prior to any current group-think about what PA might be.

 --bill



Let's call it conceptual PA. I'm simply asking why something that has the
potential to impact all of us is being numbered into address space other
than their own?

And before the thinkpol start in, I'm referring to the v4 addresses and
their status. It's a fair question since it has major impact on the net. If
the store for legacy v4 addresses is open I'd like to know what street it's
on.

Best,

-M

-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


AW: SPF Configurations

2009-12-04 Thread Andre Engel
John,

Nice to meet you :-)

 Right.  The only major mail system that pays attention to SPF is
 Hotmail, but there are enough small poorly run MTAs that use it that
 an SPF record which lists your outbounds and ~all (not -all) can be
 marginally useful to avoid bogus rejections of your mail.

For example :

host -t TXT hotmail.com
hotmail.com TXT v=spf1 include:spf-a.hotmail.com
include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all

host -t TXT google.com :
google.com  TXT v=spf1 include:_netblocks.google.com
ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all

host -t TXT amazon.com :
amazon.com  TXT v=spf1 ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24
ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all
amazon.com  TXT spf2.0/pra ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24
ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all

host -t TXT ebay.de :
ebay.de TXT v=spf1 mx include:s._spf.ebay.com
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com
~all
ebay.de TXT spf2.0/pra mx include:s._sid.ebay.com
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com
~all

host -t TXT 1und1.de :

TXT v=spf1 ip4:82.165.0.0/16 ip4:195.20.224.0/19 ip4:212.227.0.0/16
ip4:87.106.0.0/16 ip4:217.160.0.0/16 ip4:213.165.64.0/19 ip4:217.72.192.0/20
ip4:74.208.0.0/17 ip4:74.208.128.0/18 ip4:66.236.18.66 ip4:67.88.206.40
ip4:67.88.206.48 ~all

host -t TXT gmx.com :
gmx.com TXT v=spf1 ip4:213.165.64.0/23
ip4:74.208.5.64/26 ip4:74.208.122.0/26 -all

host -t TXT enterprisemail.de :
enterprisemail.de   TXT v=spf1 a:mout.enterprisemail.de -all

etc

 As everyone here should already know, the fundamental problem with SPF
 is that although it does an OK job of describing the mail sending
 patterns of dedicated bulk mail systems, it can't model the way that
 normal mail systems with human users work.  But so deep is the faith
 of the SPF cult that they blame the world for not matching SPF rather
 than the other way around, believing that it prevent forgery, having
 redefined forgery as whatever it is that SPF prevents.  As the
 operator of one of the world's more heavily forged domains (abuse.net)
 I can report that if you think it prevents forgery blowback, you are
 mistaken.

You do know that I love the way abuse.net flies:

With the following situation in mind, for instance an infection vector around
millions of bots which are sending millions
of forged mails with evil polymorphic files camouflaged as your customers'
bills, you
will be glad to enforce the directive -all for a while.

Sorry, I'm almost German:
http://www.heise.de/security/meldung/1-1-warnt-Kunden-vor-gefaelschten-Rechnungen-131420.html


I know SPF is not the answer to everything, but sometimes it helps to secure a
little bit of your critical customers' infrastructure, and sometimes it
helps to save your operative resources.



I know there is a problem so far with forwarded emails, but there is also a
solution:


The solution could be to rewrite the envelope from of all forwarded mail so
that the given domain is a local domain with matching SPF records to the
originating mail server (or no SPF records at all). You have to transform
the original envelope from into a localpart and add some special local SRS
domain to it.

See http://spf.pobox.com/srs.html and http://www.libsrs2.org/ for a full
description of SRS.

In practice

andre.en...@fhe3.com could receive an email from mist...@google.com, where
andre.en...@fhe3.com could be forwarded to andre.en...@hotmail.de. Before
forwarding the email to the hotmail server I could rewrite the envelope-from
from mist...@google.com to
google.com=mist...@srs.enterprisemail.de. srs.enterprisemail.de could be a
valid domain for mails originating from our main mail
clusters (enterprisemail), so possible SPF checks at hotmail would not bother.

In case a bounce is generated at hotmail it could be delivered back to the
SRS address, thus to our enterprisemail main mail cluster, where we would
recognise the SRS scheme and un-rewrite it back to mist...@google.com and
deliver the mail onward to the mist...@google.com mail system.

But in the real world the rewriting isn't as simple as stated in the
previous section. In fact you have to add some kind of checksum where the
original mail address is mangled with a secret password, and a time stamp
that makes the SRS address valid for some period of time.

The mail address from above could look more like this:

srs38=ldl23v=tz=google.com=mist...@srs.enterprisemail.de
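
The rewriting described in the message above (a checksum keyed with a secret, plus a time stamp that limits validity), as an added example that is not part of the original post and is not libsrs2's code or wire format. It is a simplified SRS0-style scheme in Python; the secret, hash length, 21-day window and the sample sender address are constructed assumptions, and only srs.enterprisemail.de is taken from the post.

```python
import hashlib
import hmac
import time

# Constructed values for this sketch; only SRS_DOMAIN appears in the post.
SECRET = b"constructed-demo-secret"
SRS_DOMAIN = "srs.enterprisemail.de"
HASH_LEN = 8        # hex characters of the HMAC carried in the address
MAX_AGE_DAYS = 21   # how long a rewritten address keeps accepting bounces
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DAY_MOD = 1024      # two base32 characters hold the day number mod 1024


def _day(now):
    return int(now // 86400) % DAY_MOD


def _mac(ts, domain, local):
    # Lower-casing makes the check survive MTAs that fold the local part.
    msg = f"{ts}={domain}={local}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:HASH_LEN]


def srs_forward(sender, now=None):
    """Rewrite an envelope sender before the message is forwarded."""
    now = time.time() if now is None else now
    local, domain = sender.rsplit("@", 1)
    day = _day(now)
    ts = B32[day >> 5] + B32[day & 31]
    return f"SRS0={_mac(ts, domain, local)}={ts}={domain}={local}@{SRS_DOMAIN}"


def srs_reverse(address, now=None):
    """Return the original sender for a bounce recipient, or raise ValueError."""
    now = time.time() if now is None else now
    local_part, _, domain = address.rpartition("@")
    if domain.lower() != SRS_DOMAIN or not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS address for this forwarder")
    fields = local_part[5:].split("=", 3)  # original local part may contain '='
    if len(fields) != 4:
        raise ValueError("malformed SRS address")
    mac, ts, orig_domain, orig_local = fields
    ts = ts.upper()
    expected = _mac(ts, orig_domain, orig_local)
    if not hmac.compare_digest(mac.lower().encode(), expected.encode()):
        raise ValueError("checksum mismatch: forged or altered address")
    if len(ts) != 2 or ts[0] not in B32 or ts[1] not in B32:
        raise ValueError("bad timestamp")
    stamped = B32.index(ts[0]) * 32 + B32.index(ts[1])
    # Modular age: a stamp from the future wraps to a large age and is refused.
    if (_day(now) - stamped) % DAY_MOD > MAX_AGE_DAYS:
        raise ValueError("timestamp outside the validity window")
    return f"{orig_local}@{orig_domain}"


def is_valid_bounce(address, now=None):
    """Accept/reject decision a forwarder could make at RCPT TO time."""
    try:
        srs_reverse(address, now)
        return True
    except ValueError:
        return False
```

Because the MAC covers the time stamp, the original domain and the original local part, changing any of them invalidates the address, and an address harvested from an old message stops working once the window has passed.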


Re: SPF Configurations

2009-12-04 Thread Suresh Ramasubramanian
On Fri, Dec 4, 2009 at 9:55 PM, Jeffrey Negro jne...@billtrust.com wrote:
 I'm wondering if a few DNS experts out there could give me some input on
 SPF record configuration.  Our company sends out about 50k - 100k emails
 a day, and most emails are on behalf of customers to their end users at

SPF records aren't going to help as much as some list sending and
deliverability best practices (feedback loops etc) are.
Look at the MAAWG senders best practices document - www.maawg.org -
Published Documents

Other than delivery to hotmail, spf is a total waste of time - plus it
plays russian roulette with whatever email you handle



Re: AW: SPF Configurations

2009-12-04 Thread John R. Levine

Right.  The only major mail system that pays attention to SPF is
Hotmail, but there are enough small poorly run MTAs that use it that
an SPF record which lists your outbounds and ~all (not -all) can be
marginally useful to avoid bogus rejections of your mail.


For example :
[ various large ISPs that publish SPF ]


Perhaps this is a language problem.  In English, publishes is not a
synonym for pays attention to.  As I said, you need to publish SPF
to get mail into Hotmail.  That's why people do it.


I know there is a problem so far with forwarded emails but there is  also a
solution :
[ hoary SRS proposal to change every SMTP server in the world to make them
match what SPF does ]


Sigh.


Every time a mail arrives that is an SRS address the password and timestamp
could be checked, and faked or outdated recipients could be rejected.


You might want to look at BATV, which has nothing to do with SPF, but
I have found is quite useful for recognizing spam blowback.

R's,
John

PS:


This message (including any attachments) is the property of FHE3 and may
contain confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please immediately notify the sender
by reply e-mail and destroy all copies of the communication and any
attachments.


Our policy is to send messages with confidentiality notices to all of
your competitors.



Re: SPF Configurations

2009-12-04 Thread Lars Eggert
On 2009-12-4, at 7:25, John Levine wrote:
 The only major mail system that pays attention to SPF is
 Hotmail

FWIW, GMX (pretty popular in Europe) does too.

Lars



Re: SPF Configurations

2009-12-04 Thread Dave CROCKER



Jeffrey Negro wrote:

   SPF seems to be the way we could possibly
avoid more spam filters, and delivery rate is very important to our
company.


You've seen the anti-SPF rants.  At the least, they should make clear to you 
that you should use SPF only and exactly for specific destinations that you 
already know require it.  If you have any doubts about the requirement, you'll 
try to verify it; otherwise assume SPF won't solve your problems.


The other obvious mechanism for validated identification to receiving operators 
is, of course, DKIM.  DKIM is entirely comfortable having a validated 
identifier (the d= parameter in the signature header field) be different than 
whatever is in the author header field (From:).


But either way, that's just identification.

As already noted on the thread, what matters most is the set of content and 
operations practices, to establish a rock solid reputation both of you and of 
your clients.


d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net