RE: Best VPN Appliance
Hello All,

Thank you all for replying and suggesting VPN boxes. I'm in the process of evaluating different boxes, and they are:

SA4500 SSL VPN Appliance
http://www.juniper.net/us/en/products-services/security/sa-series/sa4500/

Barracuda SSL VPN
http://www.barracudanetworks.com/ns/products/sslvpn_overview.php

F5 FirePass SSL VPN
http://www.f5.com/products/firepass/

The problem I'm facing so far is Mac OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on Mac OS 10.5.8.

From your experience with F5, Juniper and Barracuda, which one will be best in terms of:

1) Support
2) Resiliency
3) Security
4) Scalability
5) Manageability

Thanks for all your help.

Regards,
Dawood Iqbal

_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
RE: anti-ddos test solutions ?
On a similar but slightly unrelated note (not to thread-hijack), does anyone have any useful recipes for generating basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445, etc.) via any of the open source NetFlow collectors (flow-tools, nfdump)? I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data.

Thanks,
-Drew

-----Original Message-----
From: kowsik [mailto:kow...@gmail.com]
Sent: Thursday, March 18, 2010 12:33 AM
To: Stefan Fouant
Cc: nanog@nanog.org
Subject: Re: anti-ddos test solutions ?

http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/
http://www.pcapr.net/dos

YMMV, but mudos converts *any* IP packet into a DoS generator (it's free).

K.
---
http://www.pcapr.net
http://labs.mudynamics.com
http://twitter.com/pcapr

On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote:
> -----Original Message-----
> From: Charles N Wyble [mailto:char...@knownelement.com]
> Sent: Wednesday, March 17, 2010 12:16 PM
> To: nanog@nanog.org
> Subject: Re: anti-ddos test solutions ?
>
> bit gossip wrote:
> > Nessus is a vulnerability scanner: http://www.nessus.org/nessus/
> > Ixia provides a full Nessus implementation in one of its platforms.
>
> Well, these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However, that wouldn't be a DDoS, but could certainly lead to DoS.
>
> If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist, which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox.
>
> http://bittwist.sourceforge.net/
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
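A concrete version of the baseline Drew is asking for, as an added example that is not part of the thread: it takes flow records in a CSV layout (assumed here to match an nfdump `-o "fmt:%ts,%pr,%sa,%sp,%da,%dp,%pkt,%byt"` export; the records themselves are constructed, using documentation address ranges) and produces top talkers by bytes plus the sources that open many tiny flows to one port inside a short window, which is the shape of SSH/SMB brute forcing or scanning rather than of a real session.

```python
"""Baseline a small flow export: top talkers and short-flow bursts per source.
Added example for the thread; the records below are constructed, not a real export."""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the column order of an assumed
# nfdump -o "fmt:%ts,%pr,%sa,%sp,%da,%dp,%pkt,%byt" run.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
FLOW_RECORDS = """\
2010-03-18 10:01:02,TCP,192.0.2.10,51234,198.51.100.5,22,4,320
2010-03-18 10:01:03,TCP,192.0.2.10,51235,198.51.100.5,22,4,320
2010-03-18 10:01:03,TCP,192.0.2.10,51236,198.51.100.5,22,5,400
2010-03-18 10:01:04,TCP,192.0.2.10,51237,198.51.100.6,22,4,320
2010-03-18 10:01:05,TCP,192.0.2.10,51238,198.51.100.6,22,4,320
2010-03-18 10:01:06,TCP,192.0.2.10,51239,198.51.100.7,22,4,320
2010-03-18 10:02:00,TCP,192.0.2.44,40000,198.51.100.9,443,1200,1500000
2010-03-18 10:02:30,TCP,192.0.2.45,40001,198.51.100.9,80,300,250000
2010-03-18 10:03:00,TCP,192.0.2.46,52000,198.51.100.5,22,900,610000
2010-03-18 10:04:00,TCP,192.0.2.47,52001,198.51.100.20,445,3,180
2010-03-18 10:04:01,TCP,192.0.2.47,52002,198.51.100.21,445,3,180
2010-03-18 10:04:02,TCP,192.0.2.47,52003,198.51.100.22,445,3,180
2010-03-18 10:04:03,TCP,192.0.2.47,52004,198.51.100.23,445,3,180
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the CSV export into Flow records, skipping blank and comment lines."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, pkts, byts = row
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), proto, src,
                          int(sport), dst, int(dport), int(pkts), int(byts)))
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent, as (src, bytes) pairs."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.bytes
    return totals.most_common(n)


def short_flow_bursts(flows, dport, min_flows=5, max_pkts=10, window_s=60):
    """Sources with at least `min_flows` short flows (<= max_pkts packets) to
    `dport` inside some `window_s`-second window.  A single long flow, such as
    an admin's real SSH session, is deliberately ignored."""
    stamps = defaultdict(list)
    for f in flows:
        if f.dport == dport and f.packets <= max_pkts:
            stamps[f.src].append(f.ts)
    hits = {}
    for src, times in stamps.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted stamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_flows:
            hits[src] = best
    return hits


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    print("top talkers:", top_talkers(flows))
    print("ssh bursts:", short_flow_bursts(flows, 22))
    print("smb bursts:", short_flow_bursts(flows, 445, min_flows=4))
```

The thresholds are deliberately parameters: the right `min_flows` and `window_s` for a campus differ from those for a hosting network, and the same function serves port 22, 25 or 445 by changing `dport`.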
RE: Best VPN Appliance
For the Juniper box, make sure you are running the 6.5R3 version of code to get the Mac to work. They put a fix in for it. It is working well for us here.

http://kb.juniper.net/index?page=content&id=KB16134&actp=search&searchid=1268921120591

I have no experience with either F5 or Barracuda, but we have found the Juniper SSL to be extremely reliable and flexible enough to suit all of our needs. We have several 2500's deployed.

Joe

-----Original Message-----
From: Dawood Iqbal [mailto:dawood_iq...@hotmail.com]
Sent: Thursday, March 18, 2010 6:17 AM
To: nanog@nanog.org
Subject: RE: Best VPN Appliance

Hello All,

Thank you all for replying and suggesting VPN boxes. I'm in the process of evaluating different boxes, and they are:

SA4500 SSL VPN Appliance
http://www.juniper.net/us/en/products-services/security/sa-series/sa4500/

Barracuda SSL VPN
http://www.barracudanetworks.com/ns/products/sslvpn_overview.php

F5 FirePass SSL VPN
http://www.f5.com/products/firepass/

The problem I'm facing so far is Mac OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on Mac OS 10.5.8.

From your experience with F5, Juniper and Barracuda, which one will be best in terms of:

1) Support
2) Resiliency
3) Security
4) Scalability
5) Manageability

Thanks for all your help.

Regards,
Dawood Iqbal
Re: Best VPN Appliance
On Mar 18, 2010, at 5:17 AM, Dawood Iqbal wrote:

> The problem I'm facing so far is Mac OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on Mac OS 10.5.8.

We use an SA700 (lowest-end model) and I use NC regularly from my Mac, but I am running 10.6.2. I did not have trouble running NC when I was on 10.5 however, but that was several months ago. The biggest trick on the Mac is figuring out how to use a client-side certificate properly...

> From your experience with F5, Juniper and Barracuda, which one will be best in terms of:

Speaking only from my experience with the Juniper product:

1) Support

When dealing with configuring and troubleshooting the appliance itself, JTAC has been pretty helpful when I've had to call on them. However, it has been hard getting help when dealing with client issues (Bob's PC won't establish a tunnel properly, Host Checker issues, etc.).

2) Resiliency

We don't do HA as we only have a handful of users, so I can't speak to this.

3) Security

It's good enough for us, and we have lots of rules we have to follow (financial institution). Authentication is hooked into our Active Directory, so passwords are managed from there. We require a client-side certificate issued from a private CA, which works well; it even recognizes and enforces certificate revocation lists.

4) Scalability

See #2. We have a max of maybe five concurrent users, and that's a rare occurrence.

5) Manageability

Set it and forget it. The only thing I have to do is load ESAP updates occasionally (Host Checker engine definitions). There are a couple of useful SNMP OIDs, but they're not documented very well.
Latency question
I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

-Dennis
Re: Latency question
That could be a lot of things. Without a network drawing and access to the devices to dig further, it is difficult to say.

On Thu, Mar 18, 2010 at 10:56 AM, Dennis Dayman dennis-li...@thenose.net wrote:
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis
Re: Latency question
Simplest would be to do a traceroute from different sources or loopback interfaces to the servers/computers in question and see where latency starts spiking. This will at the very least point you to what device or devices are possibly over-utilized.

On Thu, Mar 18, 2010 at 7:56 AM, Dennis Dayman dennis-li...@thenose.net wrote:
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis
Re: Latency question
One of the first things I'd do is check interface statistics on the inter-connecting interfaces for errors. On Cisco switches, the command is fairly straightforward: show interface counters errors. All of the numbers should be low if things are operating well... if you see more than 100 errors on any given port, it is probably worth investigating.

Question: are the floors connected by fiber or by copper?

On Thu, Mar 18, 2010 at 10:56 AM, Dennis Dayman dennis-li...@thenose.net wrote:
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
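The poster's "more than 100 errors on any port" rule of thumb, applied mechanically, as an added example that is not from the thread: the script parses the two column groups that `show interface counters errors` prints on Catalyst IOS switches and reports every port/counter pair over the threshold. The output below is constructed in that layout, not captured from anyone's network; the combination it shows on Gi1/0/7 (FCS errors plus late collisions) is the classic signature of a duplex mismatch on a copper link, which is one reason the poster's fiber-or-copper question matters.

```python
"""Flag ports with high error counters in `show interface counters errors` output.
Added example; the sample output is constructed in the Catalyst IOS two-table
layout, not captured from the thread's network."""

SAMPLE_OUTPUT = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi1/0/1             0          0          0          0          0            0
Gi1/0/3             0          0          0         12          0            0
Gi1/0/7             0       4821          0       4821          0            0
Gi1/0/24            0          0          0          0          0            0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/1            0          0          0           0          0          0          0
Gi1/0/3            0          0          0           0          0         12          0
Gi1/0/7           57         19        233           0          0          0          0
Gi1/0/24           0          0          0           0          0          0          0
"""


def parse_error_counters(text):
    """Return {port: {counter_name: value}}, merging every column group.

    Each 'Port ...' line resets the column names; data lines must carry exactly
    one integer per column, so prompts, banners and blank lines are ignored."""
    counters = {}
    columns = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            columns = fields[1:]
            continue
        if columns is None or len(fields) != len(columns) + 1:
            continue
        try:
            values = [int(v) for v in fields[1:]]
        except ValueError:
            continue
        per_port = counters.setdefault(fields[0], {})
        for name, value in zip(columns, values):
            per_port[name] = value
    return counters


def flag_error_ports(text, threshold=100):
    """(port, counter, value) for every counter above `threshold`, in the order
    the switch printed them."""
    flagged = []
    for port, per_port in parse_error_counters(text).items():
        for name, value in per_port.items():
            if value > threshold:
                flagged.append((port, name, value))
    return flagged


if __name__ == "__main__":
    for port, name, value in flag_error_ports(SAMPLE_OUTPUT):
        print(f"{port}: {name} = {value}")
```

Because the counters are cumulative since the last `clear counters`, a single snapshot only says which ports have ever been noisy; run it twice a few minutes apart and diff the results to find the ports whose errors are still climbing.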
Re: Latency question
Check CPU levels on each switch, pull traffic logs of trunk ports, check syslogs for flapping ports or weird errors. I'd guess someone plugged in something underneath their desk they shouldn't have.

Jason

On Thu, Mar 18, 2010 at 10:06 AM, Edgar Valdes edgargval...@gmail.com wrote:
> Simplest would be to do a traceroute from different sources or loopback interfaces to the servers/computers in question and see where latency starts spiking. This will at the very least point you to what device or devices are possibly over-utilized.
>
> On Thu, Mar 18, 2010 at 7:56 AM, Dennis Dayman dennis-li...@thenose.net wrote:
> > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
> >
> > -Dennis

--
Jason Biel
Re: Latency question
Dennis,

In large installations, I've always found it helpful when diagnosing LAN issues to isolate floors and departments first, using routers or devices that can do transparent bridging. That way, you can walk through each dept/floor testing for the issues, and hopefully find only one location it's still affecting.

It's entirely likely that there's either a loop of some sort or a switch has gone off the deep end.

If you'd like, let him know that if he wants to drop me a mail, I can walk through details about the situation and hopefully help him narrow it down.

--Original Message--
From: Dennis Dayman
To: nanog@nanog.org
Subject: Latency question
Sent: Mar 18, 2010 7:56 AM

I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

-Dennis

--
Brielle Bruns
http://www.sosdg.org / http://www.ahbl.org
Hotmail/MSN email admin
If there are any Hotmail/MSN email admins on this list, could you please contact me offlist at daniel.t.st...@uscg.dhs.gov

Thanks.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
RE: Best VPN Appliance
> Thank you all for replying and suggesting VPN boxes. I'm in the process of evaluating different boxes, and they are:
>
> SA4500 SSL VPN Appliance
> http://www.juniper.net/us/en/products-services/security/sa-series/sa4500/
>
> Barracuda SSL VPN
> http://www.barracudanetworks.com/ns/products/sslvpn_overview.php
>
> F5 FirePass SSL VPN
> http://www.f5.com/products/firepass/
>
> The problem I'm facing so far is Mac OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on Mac OS 10.5.8.

The Juniper SSL VPN works great with Mac 10.6 (and prior versions going back about 5 years). I'm not sure what issue you might be seeing, but Network Connect is very solid in that environment. Secure Meeting also works fine on the Mac. The place where you will have compatibility issues is the end-point security checking, but this is common to all OS X. If you're not doing EPS checking, you don't care. If you are, you already know that Macs have a different set of software vocabulary than Windows platforms.

> From your experience with F5, Juniper and Barracuda, which one will be best in terms of:
>
> 1) Support
> 2) Resiliency
> 3) Security
> 4) Scalability
> 5) Manageability

The Barracuda box is very new and I haven't looked at it, but certainly the Juniper and F5 boxes are top contenders; you should also be looking at SonicWALL (which used to be Aventail).

Your laundry list above is fairly vague, since you don't list YOUR requirements. However, I did a very extensive test of SSL VPN devices a few years ago which is still VERY applicable to the products that were in it. This is considered a fairly mature market, and the F5 box of today is not very different from the one of three years ago.

You might consider figuring out what you want to do with the box, and then measuring the contenders against that, rather than asking which is the most scalable, since in the NANOG context that could mean anything from a two-node active/active cluster to geographic clustering in 40 data centers.

(Nick will at this point chime in with his now-famous string analogy.)

Try reading this: http://www.networkworld.com/reviews/2005/121905-ssl-test-intro.html?rl

It's dated 2005, so you can assume that annoying bugs are fixed, but product feature sets are very similar. There's also some more recent SSL VPN testing I've done in Network World, such as the Netgear box (not designed for the enterprise) and, just last week, the Microsoft one.

Note that Network World writes for enterprises, and NANOG is a service provider mailing list, so depending on why you're asking for this, my results may or may not be applicable. For example, features like delegated and partitioned management, which are SP-critical but often ignored in the enterprise, weren't really part of my evaluation.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One
Phone: +1 520 324 0494
j...@opus1.com
http://www.opus1.com/jms
Re: Latency question
Hi,

On 18.03.10 15:56, Dennis Dayman wrote:
> Call in a company to help identify it?

Yes.

Regards,

Malte

--
Malte von dem Hagen
Team Lead, Network Engineering Operation
Technology Department
---
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - VAT ID: DE187370678
Managing Directors: Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller

(*) 0.14 EUR/min from German landlines; max. 0.42 EUR/min from German mobile networks
Re: Latency question
On 3/18/2010 10:07, Larry Sheldon wrote:
> On 3/18/2010 09:56, Dennis Dayman wrote:
> > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> I'd start with a map of the network and mark the routes (paths) that work.
>
> Then redraw the map without those paths and mark which stations talk to which other stations.
>
> If that exercise discloses which equipment is broken, fix or replace it and start over.
>
> If it does not, and no other you-can-do-it-yourself tests or analyses come to mind, call for expensive help.
>
> (If they are competent, they will use an orderly analysis--that one is my favorite--I call it sectionalization. I'm not bright enough to deal with 21 floors. I have to sectionalize it to a particular horizontal or vertical before I can figure out where to start.)

Have I been banned?

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
RE: Latency question
Dennis,

You have a massive spanning tree issue... just kidding... check for that though.

Please update us more on your situation and whether the other suggestions on the list helped. Or we can communicate privately; I love troubleshooting situations like this.

> To: nanog@nanog.org
> Subject: Re: Latency question
> From: br...@2mbit.com
> Date: Thu, 18 Mar 2010 15:12:59 +0000
>
> Dennis,
>
> In large installations, I've always found it helpful when diagnosing LAN issues to isolate floors and departments first, using routers or devices that can do transparent bridging. That way, you can walk through each dept/floor testing for the issues, and hopefully find only one location it's still affecting.
>
> It's entirely likely that there's either a loop of some sort or a switch has gone off the deep end.
>
> If you'd like, let him know that if he wants to drop me a mail, I can walk through details about the situation and hopefully help him narrow it down.
>
> --Original Message--
> From: Dennis Dayman
> To: nanog@nanog.org
> Subject: Latency question
> Sent: Mar 18, 2010 7:56 AM
>
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis
>
> --
> Brielle Bruns
> http://www.sosdg.org / http://www.ahbl.org
Re: Latency question
Found a MAC address spewing stuff. Looks like we have our culprit.

Thanks EVERYONE!

-Dennis

On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis
Using private APNIC range in US
Hi all,

I have a client here in the US that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably NAT to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc.), but I figure if their sites are up and accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country.

Thanks.

--Jaren
RE: Latency question
That was pretty quick. But what do you mean by "spewing stuff"? It would help the rest of us understand for possible future issues we may run into ourselves.

> Subject: Re: Latency question
> From: dennis-li...@thenose.net
> Date: Thu, 18 Mar 2010 10:50:20 -0500
> To: nanog@nanog.org
>
> Found a MAC address spewing stuff. Looks like we have our culprit.
>
> Thanks EVERYONE!
>
> -Dennis
>
> On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:
> > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
> >
> > -Dennis
Re: Latency question
It's also possible there are STP issues, so check where your roots are for the VLANs and make sure they are deterministically set.

Brian

On Mar 18, 2010, at 11:12 AM, Brielle Bruns wrote:
> Dennis,
>
> In large installations, I've always found it helpful when diagnosing LAN issues to isolate floors and departments first, using routers or devices that can do transparent bridging. That way, you can walk through each dept/floor testing for the issues, and hopefully find only one location it's still affecting.
>
> It's entirely likely that there's either a loop of some sort or a switch has gone off the deep end.
>
> If you'd like, let him know that if he wants to drop me a mail, I can walk through details about the situation and hopefully help him narrow it down.
>
> --Original Message--
> From: Dennis Dayman
> To: nanog@nanog.org
> Subject: Latency question
> Sent: Mar 18, 2010 7:56 AM
>
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> -Dennis
>
> --
> Brielle Bruns
> http://www.sosdg.org / http://www.ahbl.org
Re: Using private APNIC range in US
> I have a client here in the US that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers.

Those aren't private IPs (in the RFC1918 sense); those are public IPs. They just weren't assigned until recently.

> accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country. Thanks.

Since they're already using NAT, it shouldn't be hard to renumber them into the appropriate RFC1918 space.

Cheers,

Michael Holstein
Cleveland State University
Re: Latency question
On 3/18/2010 11:00, Brandon Kim wrote:
> That was pretty quick. But what do you mean by "spewing stuff"? It would help the rest of us understand for possible future issues we may run into ourselves.

Good question. Without thinking about it I saw in my mind's eye a situation we used to see at $EX-EMPLOYER (who was fond of the absolute smallest-dollar-amount-per-immediate-problem solutions), who bought toy 4-port hubs by the pallet-load. These little gems had the endearing habit of spewing random bits onto the wire whenever the wall-wart failed--which they frequently did.

I had MRTG graphs of every switch and router port so I could quickly determine which leg the current culprit was on. Never solved the problem of having two or three go bad, which, believe it or not, complicates the issue. But the graphs did allow me to identify the port and shut it down, saving the rest of the network.

> > Subject: Re: Latency question
> > From: dennis-li...@thenose.net
> > Date: Thu, 18 Mar 2010 10:50:20 -0500
> > To: nanog@nanog.org
> >
> > Found a MAC address spewing stuff. Looks like we have our culprit.
> >
> > Thanks EVERYONE!
> >
> > -Dennis
> >
> > On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:
> > > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
> > >
> > > -Dennis

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Using private APNIC range in US
1.0.0.0/8 is NOT private address space and never was. It was an arbitrary misuse by your customer of space which is now part of the APNIC pool of addresses to issue in response to requests for new globally unique addresses. The result for your customer is that they've gotten away with treating it like RFC-1918 space (10/8, 172.16/12, 192.168/16) so far because there was no legitimate external use of that address.

RFC-1918 in ARIN is the same as everywhere else. There is no region-specific aspect of it.

What will happen if your customer does not renumber out of 1/8 is that there will be a portion of the internet rightfully using 1/8 that will be unreachable from your customer's internal systems, and any requests to those legitimate hosts in 1/8 will be erroneously routed within your customer's premises.

There are other possible issues if your customer leaks DNS entries containing A records pointed towards 1/8 hosts as well.

Hope that helps.

Owen

On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote:
> Hi all,
>
> I have a client here in the US that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably NAT to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc.), but I figure if their sites are up and accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country.
>
> Thanks.
>
> --Jaren
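An added example, not from the thread, that turns Owen's point into a check a practitioner can run over an internal address plan: it expands the `a.b.c.X-Y` shorthand Jaren used (an assumed notation, handled only because it appears in his message) and reports every address that is outside the three RFC 1918 blocks, which is exactly the set that collides with someone's globally unique space once that space is put into use. It also shows why Jaren's "192.0.0.0" intuition fails: only 192.168.0.0/16 is private, and 172.16.0.0/12 stops at 172.31.255.255.

```python
"""Audit an internal address plan against the RFC 1918 blocks.
Added example; the address lists in the test are constructed from the ranges quoted in the thread."""
import ipaddress
import re

# The three RFC 1918 blocks, and nothing else: 1.0.0.0/8 is not among them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def expand_shorthand(spec):
    """Expand 'a.b.c.X-Y' (the shorthand used in the thread; assumed notation)
    into individual addresses.  Anything else passes through unchanged."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.(\d+)-(\d+)", spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}.{i}" for i in range(lo, hi + 1)]


def audit(specs):
    """Addresses from `specs` that are NOT RFC 1918 and therefore cannot be
    safely used as if they were private, even behind NAT."""
    return [a for spec in specs for a in expand_shorthand(spec) if not is_rfc1918(a)]


if __name__ == "__main__":
    plan = ["1.7.154.70", "1.7.154.00-99", "10.5.5.5", "192.0.0.5", "172.31.0.1", "172.32.0.1"]
    for addr in audit(plan):
        print(f"{addr}: not RFC 1918, collides with globally unique space")
```

Running it over a DNS zone export or DHCP scope list is the quick way to find the "we thought it was private" ranges Owen describes before the rightful holder starts announcing them.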
Re: Using private APNIC range in US
On 3/18/2010 11:22, Jaren Angerbauer wrote:
> It sounds like this range was just recently assigned -- is there any document (RFC?) or source I could look through to learn more about this, and/or provide evidence to my client?

See related traffic on this list, for openers.

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
RE: Latency question
Isn't it amazing that one can be so cheap it ends up biting them in the arse? There's a difference between frugal and cheap. Being cheap comes back to you; it's like karma.

> Date: Thu, 18 Mar 2010 11:11:09 -0500
> From: larryshel...@cox.net
> To: nanog@nanog.org
> Subject: Re: Latency question
>
> On 3/18/2010 11:00, Brandon Kim wrote:
> > That was pretty quick. But what do you mean by "spewing stuff"? It would help the rest of us understand for possible future issues we may run into ourselves.
>
> Good question. Without thinking about it I saw in my mind's eye a situation we used to see at $EX-EMPLOYER (who was fond of the absolute smallest-dollar-amount-per-immediate-problem solutions), who bought toy 4-port hubs by the pallet-load. These little gems had the endearing habit of spewing random bits onto the wire whenever the wall-wart failed--which they frequently did.
>
> I had MRTG graphs of every switch and router port so I could quickly determine which leg the current culprit was on. Never solved the problem of having two or three go bad, which, believe it or not, complicates the issue. But the graphs did allow me to identify the port and shut it down, saving the rest of the network.
>
> > > Subject: Re: Latency question
> > > From: dennis-li...@thenose.net
> > > Date: Thu, 18 Mar 2010 10:50:20 -0500
> > > To: nanog@nanog.org
> > >
> > > Found a MAC address spewing stuff. Looks like we have our culprit.
> > >
> > > Thanks EVERYONE!
> > >
> > > -Dennis
> > >
> > > On Mar 18, 2010, at 9:56 AM, Dennis Dayman wrote:
> > > > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
> > > >
> > > > -Dennis
>
> --
> Democracy: Three wolves and a sheep voting on the dinner menu.
> (A republic, using parliamentary law, protects the minority.)
>
> Requiescas in pace o email
> Ex turpi causa non oritur actio
> Eppure si rinfresca
>
> ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Using private APNIC range in US
Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone?

If they are using them internally and NATing to the outside, they're not hurting themselves or anyone else. I would personally let them alone.

If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP.

On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote:
> Hi all,
>
> I have a client here in the US that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably NAT to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc.), but I figure if their sites are up and accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country.
>
> Thanks.
>
> --Jaren
>
> http://www.ipinc.net/IPv4.GIF
Re: Using private APNIC range in US
On Thu, Mar 18, 2010 at 09:34:47AM -0700, Fred Baker wrote:
> Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone?
>
> If they are using them internally and NATing to the outside, they're not hurting themselves or anyone else. I would personally let them alone.

Right up until someone actually starts *using* 1/8, in which case they're hurting both themselves and whoever gets stuck with it.

> If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP.
>
> On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote:
> > Hi all,
> >
> > I have a client here in the US that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably NAT to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc.), but I figure if their sites are up and accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country.
> >
> > Thanks.
> >
> > --Jaren
> >
> > http://www.ipinc.net/IPv4.GIF
Re: Latency question
On 3/18/2010 09:56, Dennis Dayman wrote:
> I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?

I'd start with a map of the network and mark the routes (paths) that work.

Then redraw the map without those paths and mark which stations talk to which other stations.

If that exercise discloses which equipment is broken, fix or replace it and start over.

If it does not, and no other you-can-do-it-yourself tests or analyses come to mind, call for expensive help.

(If they are competent, they will use an orderly analysis--that one is my favorite--I call it sectionalization. I'm not bright enough to deal with 21 floors. I have to sectionalize it to a particular horizontal or vertical before I can figure out where to start.)

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Latency question
On 3/18/2010 10:07, Larry Sheldon wrote:
> On 3/18/2010 09:56, Dennis Dayman wrote:
> > I have a friend who has 21 floors of a building in DFW, multiple switches, etc., and they started to have latency issues this weekend where half if not all packets are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? Call in a company to help identify it?
>
> I'd start with a map of the network and mark the routes (paths) that work.

It would be interesting to know where this message has been for an hour and a half.

--
Democracy: Three wolves and a sheep voting on the dinner menu.
(A republic, using parliamentary law, protects the minority.)

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Using private APNIC range in US
RFC1918 is a good place to start ;) On 3/18/2010 10:22 AM, Jaren Angerbauer wrote: Thanks all for the on / off list responses on this. I acknowledge I'm playing in territory I'm not familiar with, and was a bad idea to jump to the conclusion that this range was private. I made that assumption originally because the entire /8 was owned by APNIC, and just figured since the registrar owned them, it must have been a private range. :S It sounds like this range was just recently assigned -- is there any document (RFC?) or source I could look through to learn more about this, and/or provide evidence to my client? Thanks, Jaren -- Tom Ammon Network Engineer Office: 801.587.0976 Mobile: 801.674.9273 Center for High Performance Computing University of Utah http://www.chpc.utah.edu
Re: Latency quesstion
On Thu, Mar 18, 2010 at 11:48:31AM -0500, Larry Sheldon wrote: It would be interesting to know where this message has been for an hour and a half. Stuck in the NSA's queues? -r
Re: Latency quesstion
On 18/03/10 11:48 -0500, Larry Sheldon wrote: On 3/18/2010 10:07, Larry Sheldon wrote: On 3/18/2010 09:56, Dennis Dayman wrote: have a friend who has 21 floors of a building in DFW, multiple switches, etc and they started to have latency issues this weekend where half if not all packet are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? call in a company to help identify it? I'd start with a map of the network mark the routes (paths) that work. It would be interesting to know where this message has been for an hour and a half. Received: from localhost ([::1] helo=s0.nanog.org) by s0.nanog.org with esmtp (Exim 4.68 (FreeBSD)) (envelope-from nanog-boun...@nanog.org) id 1NsIqy-0007si-VK; Thu, 18 Mar 2010 16:45:49 + Received: from eastrmpop110.cox.net ([68.230.240.52]) by s0.nanog.org with esmtp (Exim 4.68 (FreeBSD)) (envelope-from larryshel...@cox.net) id 1NsIq7-00072X-DV for nanog@nanog.org; Thu, 18 Mar 2010 16:44:56 + Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao107.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP id 20100318150713.fcrz18765.eastrmmtao107.cox@eastrmimpo01.cox.net for nanog@nanog.org; Thu, 18 Mar 2010 11:07:13 -0400 Received: from [192.168.1.202] ([68.229.170.168]) by eastrmimpo01.cox.net with bizsmtp id uf7E1d00F3eLnoL02f7F7u; Thu, 18 Mar 2010 11:07:15 -0400 -- Dan White
Re: Latency quesstion
On 3/18/2010 12:06, Dan White wrote: On 18/03/10 11:48 -0500, Larry Sheldon wrote: On 3/18/2010 10:07, Larry Sheldon wrote: On 3/18/2010 09:56, Dennis Dayman wrote: have a friend who has 21 floors of a building in DFW, multiple switches, etc and they started to have latency issues this weekend where half if not all packet are being dropped to folder shares, printers, etc. Suggestions on how they can troubleshoot that? call in a company to help identify it? I'd start with a map of the network mark the routes (paths) that work. It would be interesting to know where this message has been for an hour and a half. Received: from localhost ([::1] helo=s0.nanog.org) by s0.nanog.org with esmtp (Exim 4.68 (FreeBSD)) (envelope-from nanog-boun...@nanog.org) id 1NsIqy-0007si-VK; Thu, 18 Mar 2010 16:45:49 + Received: from eastrmpop110.cox.net ([68.230.240.52]) by s0.nanog.org with esmtp (Exim 4.68 (FreeBSD)) (envelope-from larryshel...@cox.net) id 1NsIq7-00072X-DV for nanog@nanog.org; Thu, 18 Mar 2010 16:44:56 + Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao107.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP id 20100318150713.fcrz18765.eastrmmtao107.cox@eastrmimpo01.cox.net for nanog@nanog.org; Thu, 18 Mar 2010 11:07:13 -0400 Received: from [192.168.1.202] ([68.229.170.168]) by eastrmimpo01.cox.net with bizsmtp id uf7E1d00F3eLnoL02f7F7u; Thu, 18 Mar 2010 11:07:15 -0400 That _is_ interesting! I wonder if there is a way to get to those headers from Thunderbird. Not much else works and I didn't even think to try. My bad.
Re: Latency quesstion
On 3/18/2010 12:12, Larry Sheldon wrote: On 3/18/2010 12:06, Dan White wrote: [previous comments and header display] That _is_ interesting! I wonder if there is a way to get to those headers from Thunderbird. Not much else works and I didn't even think to try. My bad. It does work (takes a bit of poking to find them, but it does work). My very bad.
Re: Using private APNIC range in US
Excerpts from Jaren Angerbauer's message of Thu Mar 18 09:22:40 -0700 2010: Thanks all for the on / off list responses on this. I acknowledge I'm playing in territory I'm not familiar with, and was a bad idea to jump to the conclusion that this range was private. I made that assumption originally because the entire /8 was owned by APNIC, and just figured since the registrar owned them, it must have been a private range. :S It sounds like this range was just recently assigned -- is there any document (RFC?) or source I could look through to learn more about this, and/or provide evidence to my client? There's a couple of relevant documents you could refer them to: IANA's IPv4 Address Space Registry ( http://www.iana.org/assignments/ipv4-address-space/ ), which will show you a listing of which registries and various entities are assigned /8 chunks of IPv4 space. There's some interesting names and historical registrations in there (including 1.0.0.0/8's recent allocation to APNIC) There's also an RFC, RFC1918 that sets aside some IPv4 space for private, ad-hoc use. http://www.faqs.org/rfcs/rfc1918.html This is also a good lay reference: http://en.wikipedia.org/wiki/Private_network Have fun, jof
Re: Latency quesstion
I wonder if there is a way to get to those headers from Thunderbird. Not much else works and I didn't even think to try. Ctrl + U (or View and then Message source). As an aside .. we see this all the time with some of the cable providers (we have both Cox and TWC here in Cleveland) when investigating wrongly-placed blame for missing or delayed emails. One server at TWC (which still has an *.adelphia.net name) in particular seemed to hold messages for the default retry interval 100% of the time (misconfigured greylisting?). Cheers, Michael Holstein Cleveland State University
Re: IPv6 in Education Question
You're either going to have to sell them on future-proofing or We're sailing off the edge of the world in two years, there be dragons there, train your folks now. Remember that there are two IPv6 transitions - introducing IPv6 and forcing some people onto it - getting rid of IPv4 after IPv6 support is universal. Death of NAT NAT's not going away for a long time - IPv6 doesn't need it for address space conservation, and pretends not to need it very much for renumbering IPv6 to IPv6, but it's widely used as a firewall substitute and administrative convenience. The first IPv6 transition will eliminate some NAT in pure-v6 environments, so there will be applications that are no longer broken and can Just Work, but it'll also introduce several different flavors of IPv4-to-IPv6 NATs/tunnels/etc., so there are other applications that will get broken in new and creative ways. The second IPv6 transition may really finish eliminating NAT, but that won't be for *years*, and you'll need to get all your users deeply involved in IPv6 long before that. Other than networking research and networking-related training, there really aren't education-specific applications of IPv6; there are just sites that you can or can't reach with IPv4 or IPv6. Any big commercial sites will stay reachable with IPv4 for a long time, certainly until IPv6 has been well established for a couple of years, and while there may be new content that's IPv6 only after a while, commercial content sites are more likely to buy IPv4 space if they need it. And most educational sites big enough to be Really Cool already have enough IPv4 space to last a few years, though they may very well start adding IPv6 connectivity just like commercial sites will. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: IPv6 in Education Question
On 18/03/2010 18:16, Bill Stewart wrote: You're either going to have to sell them on future-proofing or We're sailing off the edge of the world in two years, there be dragons there, train your folks now. Most students starting this year will be graduating in 3-4 years time, in a world where IANA depletion will almost certainly have happened and RIR depletion will either have happened or about to happen. If they don't have a working knowledge of ipv6 at that point then they're going to find getting employment a lot tougher. Tony
cisco as pptp client
Hi, I'm searching a working (if possible) configuration for a cisco 1841 as pptp-client. 1841 should do an pptp dialin to another cisco via ethernet-port. Kind regards, Ingo Flaschberger
Re: Using private APNIC range in US
On Mar 18, 2010, at 9:34 AM, Fred Baker wrote: Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone? If they are using them internally and NAT'ing to the outside, they're not hurting themselves or anyone else. I would personally let them alone. Except you're missing a keyword on the not hurting themselves part of that... It's YET. Once 1.0.0.0/8 starts getting used in the wild for legitimate sites, it means that this customer won't be able to reach the legitimate 1.0.0.0/8 sites from within their environment and it won't be immediately intuitive to debug the failures. If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP. The route announcement notwithstanding, they're using space that does not belong to them and will belong to someone else in the near future. If you think that is OK, please let me know what your addresses are so that I can start re-using them. Owen On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote: Hi all, I have a client here in the US, that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably nat to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc) but I figure if their sites are up and accessible it must be working for them. 
I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country. Thanks. --Jaren http://www.ipinc.net/IPv4.GIF
Re: Using private APNIC range in US
On Mar 18, 2010, at 2:25 PM, Owen DeLong wrote: On Mar 18, 2010, at 9:34 AM, Fred Baker wrote: Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone? If they are using them internally and NAT'ing to the outside, they're not hurting themselves or anyone else. I would personally let them alone. Except you're missing a keyword on the not hurting themselves part of that... It's YET. Once 1.0.0.0/8 starts getting used in the wild for legitimate sites, it means that this customer won't be able to reach the legitimate 1.0.0.0/8 sites from within their environment and it won't be immediately intuitive to debug the failures. If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP. The route announcement notwithstanding, they're using space that does not belong to them and will belong to someone else in the near future. If you think that is OK, please let me know what your addresses are so that I can start re-using them. Does anyone know if the University of Michigan or Cisco are going be updating their systems and documentation to no longer use 1.2.3.4 ? http://www.google.com/search?q=1.2.3.4+site%3Acisco.com I know that the University of Michigan utilize 1.2.3.4 for their captive portal login/logout pages as recently as monday when I was on the medical campus. - Jared
Re: Using private APNIC range in US
On Mar 18, 2010, at 2:25 PM, Owen DeLong wrote: On Mar 18, 2010, at 9:34 AM, Fred Baker wrote: Are they using them only within their domain(s), and ARIN addresses outside, or are they advertising them to their upstream(s) to be readvertised into the backbone? If they are using them internally and NAT'ing to the outside, they're not hurting themselves or anyone else. I would personally let them alone. Except you're missing a keyword on the not hurting themselves part of that... It's YET. Once 1.0.0.0/8 starts getting used in the wild for legitimate sites, it means that this customer won't be able to reach the legitimate 1.0.0.0/8 sites from within their environment and it won't be immediately intuitive to debug the failures. While the analysis above is correct, the original poster talked about the 1/8 addressing being used on web server farms with translation of incoming connections. Sounds like load balancers using 1/8 for the addresses behind them and on the servers that are providing the service. As such, prospective users of the web site(s) provided by the outfit will not function for broadband users and such who get allocated addresses from 1/8. Reality of course is that both are true, but in terms of who gets hurt the issue here may well be a large server farm that is inaccessible from consumer networks in places in Asia. As you note, debugging this type of thing is often not intuitive, as everything appears to work from almost everywhere. If they are advertising them outside, it adds a small prefix in the ARIN domain that doesn't get aggregated by the upstream. Among 300K such prefixes it is probably noise, but gently suggesting that they use something aggregatable into their upstream's allocation would help a little bit in that regard. What they are most likely hurting is themselves, really; a datagram sent to the address from an ISP outside themselves probably travels via Australia or an Australian ISP. 
The route announcement notwithstanding, they're using space that does not belong to them and will belong to someone else in the near future. If you think that is OK, please let me know what your addresses are so that I can start re-using them. A scenario repeated many times over the years. In the 1990s, it was common to see leakage of the address blocks of vendors that were used in documentation for routers, workstations, etc., as people would look at examples in the manual, and use the exact IP addresses shown, not understanding the go get your own addresses first part of the process. Owen On Mar 18, 2010, at 8:52 AM, Jaren Angerbauer wrote: Hi all, I have a client here in the US, that I just discovered is using a host of private IPs that (as I understand) belong to APNIC (i.e. 1.7.154.70, 1.7.154.00-99, etc.) for their web servers. I'm assuming that the addresses probably nat to a [US] public IP. I'm not familiar enough with the use of private address space outside of ARIN (i.e. 192.0.0.0, 10.0.0.0, etc) but I figure if their sites are up and accessible it must be working for them. I'm just wondering if there is any recommendation or practice around this -- using private IP ranges from another country. Thanks. --Jaren http://www.ipinc.net/IPv4.GIF
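The check that jof, Owen and Fred are circling in this thread can be automated: take the address inventory and ask, for each entry, whether it is really in RFC 1918 space or in something that belongs to somebody else. The script below is an added example written for this digest, not code from any poster or vendor; the inventory it runs over is constructed to mirror the cases raised above (a web farm and load balancer in APNIC's 1/8, 1.2.3.4 copied from a manual onto a captive portal, a "Class D" Token Ring subnet), and the hostnames are made up.

```python
"""Flag inventory entries that sit in address space the organisation does not hold.

Added example, not from the thread: the audit Owen and Fred describe, run over a
constructed inventory so the classification logic can be read and run offline.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 5737 blocks are what manuals and examples should use instead of 1.2.3.4.
DOCUMENTATION = [ipaddress.ip_network(n) for n in
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed inventory (hostnames invented): hostname, address or CIDR as configured.
INVENTORY = [
    ("web-lb-1", "1.7.154.70"),        # load balancer VIP in APNIC's 1/8
    ("web-farm", "1.7.154.0/25"),      # servers behind it
    ("captive-portal", "1.2.3.4"),     # "example" address copied from a manual
    ("print-3f", "10.3.12.20"),
    ("core-mgmt", "172.31.255.1"),
    ("lab-doc", "192.0.2.10"),
    ("surgery-ring", "224.0.5.0/24"),  # multicast, i.e. Class D
    ("cgn-pool", "100.64.1.0/24"),     # RFC 6598 shared space, not RFC 1918
]


def classify(spec):
    """Name the address family a host or CIDR actually belongs to."""
    net = ipaddress.ip_network(spec, strict=False)   # a bare host becomes a /32
    ends = (net.network_address, net.broadcast_address)
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.version == 4 and any(net.subnet_of(d) for d in DOCUMENTATION):
        return "documentation"
    if all(a.is_loopback for a in ends):
        return "loopback"
    if all(a.is_link_local for a in ends):
        return "link-local"
    if all(a.is_multicast for a in ends):
        return "multicast"
    if all(a.is_global for a in ends):
        # Routable on the public Internet and registered to someone else:
        # hosts inside cannot reach the legitimate holder's services, and the
        # failure only shows up once that block is actually in use.
        return "squatted-global"
    return "other-special"   # e.g. 100.64/10 shared space, 0/8, 240/4


def audit(inventory):
    """Return (host, spec, verdict) for every entry that is not RFC 1918."""
    findings = []
    for host, spec in inventory:
        verdict = classify(spec)
        if verdict != "rfc1918":
            findings.append((host, spec, verdict))
    return findings


if __name__ == "__main__":
    for host, spec, verdict in audit(INVENTORY):
        print(f"{host:16} {spec:18} {verdict}")
```

The "documentation" and "other-special" verdicts are deliberately kept separate from "squatted-global": a lab using 192.0.2.0/24 will not collide with a real site, whereas the 1/8 entries will, exactly as Owen's "YET" warns. Feed it whatever your IPAM or DHCP configuration exports; the RFC 1918 list is the only thing that should come back clean.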
Re: Latency quesstion
X-VR-Score: -70.00 Date: Thu, 18 Mar 2010 11:48:31 -0500 From: Larry Sheldon larryshel...@cox.net To: nanog@nanog.org Subject: Re: Latency quesstion On 3/18/2010 10:07, Larry Sheldon wrote: On 3/18/2010 09:56, Dennis Dayman wrote: have a friend who has 21 floors of a building in DFW, multiple [...] It would be interesting to know where this message has been for an hour and a half. It looks like it was stuck on machine eastrmpop110.cox.net for a while: Received: from eastrmpop110.cox.net ([68.230.240.52]) by s0.nanog.org with esmtp (Exim 4.68 (FreeBSD)) (envelope-from larryshel...@cox.net) id 1NsIq7-00072X-DV for nanog@nanog.org; Thu, 18 Mar 2010 16:44:56 + Received: from eastrmimpo01.cox.net ([68.1.16.119]) by eastrmmtao107.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP id 20100318150713.fcrz18765.eastrmmtao107.cox@eastrmimpo01.cox.net for nanog@nanog.org; Thu, 18 Mar 2010 11:07:13 -0400 It didn't waste any time getting from you to eastrmimpop01.cox.net but took about 45 minutes to get off of eastrmpop110.cox.net. That backlog has most probably been cleared up by now. Regards, Gregory Hicks - Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928 People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell The price of freedom is eternal vigilance. -- Thomas Jefferson The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
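What Gregory did by eye, reading the Received: chain bottom-up and subtracting timestamps, is worth scripting when you have to do it for a mailbox full of complaints. The block below is an added example for this digest, not code from any poster; its input is a constructed header block modelled on the chain quoted above, with one assumption: the bare "+" on the s0.nanog.org stamps is taken to be "+0000", since the page lost the digits. The envelope-from clauses are omitted from the sample.

```python
"""Compute per-hop delivery delay from a message's Received: headers.

Added example (not from the thread): turns a Received: chain into a table of
where the message spent its time, the check Gregory did by hand above.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the Received: lines quoted in the thread.
# Assumption: the bare "+" on the s0.nanog.org stamps was "+0000".
SAMPLE_HEADERS = (
    "Received: from localhost ([::1] helo=s0.nanog.org)\n"
    "\tby s0.nanog.org with esmtp (Exim 4.68 (FreeBSD))\n"
    "\tid 1NsIqy-0007si-VK; Thu, 18 Mar 2010 16:45:49 +0000\n"
    "Received: from eastrmpop110.cox.net ([68.230.240.52])\n"
    "\tby s0.nanog.org with esmtp (Exim 4.68 (FreeBSD))\n"
    "\tid 1NsIq7-00072X-DV for nanog@nanog.org; Thu, 18 Mar 2010 16:44:56 +0000\n"
    "Received: from eastrmimpo01.cox.net ([68.1.16.119])\n"
    "\tby eastrmmtao107.cox.net (InterMail vM.8.00.01.00 201-2244-105-20090324)\n"
    "\twith ESMTP id 20100318150713.fcrz18765.eastrmmtao107.cox@eastrmimpo01.cox.net\n"
    "\tfor nanog@nanog.org; Thu, 18 Mar 2010 11:07:13 -0400\n"
    "Received: from [192.168.1.202] ([68.229.170.168])\n"
    "\tby eastrmimpo01.cox.net with bizsmtp\n"
    "\tid uf7E1d00F3eLnoL02f7F7u; Thu, 18 Mar 2010 11:07:15 -0400\n"
    "\n"
)

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(raw_headers):
    """Return hops in delivery (chronological) order as (from, by, stamp)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold the header
        clause, _, date_part = flat.rpartition(";")
        if not clause:
            continue                              # malformed: no date clause
        stamp = parsedate_to_datetime(date_part.strip())
        from_m = FROM_RE.search(clause)
        by_m = BY_RE.search(clause)
        hops.append((from_m.group(1) if from_m else "?",
                     by_m.group(1) if by_m else "?",
                     stamp))
    hops.reverse()   # each server prepends, so the top of the message is the last hop
    return hops


def hop_delays(raw_headers):
    """List of (handed_off_by, received_from, received_by, seconds) per hop.

    seconds is the gap between consecutive stamps. A negative value means the
    two stamping hosts disagree about the time (clock skew), not that the mail
    travelled backwards; treat it as zero delay and as a warning about accuracy.
    """
    hops = parse_received(raw_headers)
    table = []
    for prev, cur in zip(hops, hops[1:]):
        delta = int((cur[2] - prev[2]).total_seconds())
        table.append((prev[1], cur[0], cur[1], delta))
    return table


def slowest_hop(raw_headers):
    """The hop with the largest gap: the place to start asking questions."""
    return max(hop_delays(raw_headers), key=lambda row: row[3])


if __name__ == "__main__":
    for left, via, right, secs in hop_delays(SAMPLE_HEADERS):
        flag = " (clock skew)" if secs < 0 else ""
        print(f"{left:24} -> {via:24} -> {right:16} {secs:6d}s{flag}")
```

Two things the output makes visible that are easy to miss by eye: the two Cox hosts stamp two seconds apart in the wrong order (clock skew, not delivery), and the big gap sits between the eastrmmtao107 stamp and the s0.nanog.org stamp, which is the segment through eastrmpop110 that never stamped at all. Only trust the Received: lines added by servers you control or know; anything below them in the chain was written by the sender's side and can say whatever it likes.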
Re: Using private APNIC range in US
On 3/18/10 2:35 PM, Jared Mauch wrote: Does anyone know if the University of Michigan or Cisco are going be updating their systems and documentation to no longer use 1.2.3.4 ? http://www.google.com/search?q=1.2.3.4+site%3Acisco.com I know that the University of Michigan utilize 1.2.3.4 for their captive portal login/logout pages as recently as monday when I was on the medical campus. Dunno about cisco. med.umich.edu seems to run their own stuff, separately from umich.edu, and quite badly. I've complained about their setup repeatedly over the past several years. No traction. Should we try again, jointly? ;-)
Re: Using private APNIC range in US
On 3/18/2010 14:30, William Allen Simpson wrote: On 3/18/10 2:35 PM, Jared Mauch wrote: Does anyone know if the University of Michigan or Cisco are going be updating their systems and documentation to no longer use 1.2.3.4 ? http://www.google.com/search?q=1.2.3.4+site%3Acisco.com I know that the University of Michigan utilize 1.2.3.4 for their captive portal login/logout pages as recently as monday when I was on the medical campus. Dunno about cisco. med.umich.edu seems to run their own stuff, separately from umich.edu, and quite badly. I've complained about their setup repeatedly over the past several years. No traction. Is it something about Medical Schools? When we were first putting together the campus network, Surgery was running a Token Ring (I thought Vampire Tap was a fitting item for their inventory) running in Class D space as I recall. Should we try again, jointly? ;-) Towards the end, there were people who insisted I must route their net to the Internets. I declined.
Re: anti-ddos test solutions ?
I use argus, radium, and the ra clients to do this. Works very well www.qosient.com Dave Edelman +1 917 331-0112 cell On Mar 18, 2010, at 8:05 AM, Drew Weaver drew.wea...@thenap.com wrote: On a similar note but slightly unrelated note, Not to thread hijack, but does anyone have any useful recipes for generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc) via any of the open source netflow collectors (Flow-Tools, nfdump)? I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data. Thanks, -Drew -Original Message- From: kowsik [mailto:kow...@gmail.com] Sent: Thursday, March 18, 2010 12:33 AM To: Stefan Fouant Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ? http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: Charles N Wyble [mailto:char...@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS. If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. 
http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
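Drew's three questions (top talkers, SSH brute forcing, port 445 activity) are each one pass over the flow export once it is in a flat format. The script below is an added example for this digest, not code from argus, nfdump, flow-tools or any poster; it runs over a constructed nfdump-style CSV (columns and values invented for the example) so the logic is readable and runs offline. The thresholds are chosen to fit the sample and need tuning against your own baseline.

```python
"""Baseline a flow export: top talkers, SSH brute-force sources, port sweeps.

Added example, not from the thread or from any collector named in it. The
input is a constructed CSV in the shape a flow tool's CSV export takes.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed flow records (not real traffic). One row per unidirectional flow.
SAMPLE = "ts,src,dst,proto,sport,dport,pkts,bytes\n"
SAMPLE += "2010-03-18 10:00:01,192.0.2.20,198.51.100.7,6,49152,445,4200,5000000\n"  # bulk file copy
SAMPLE += "2010-03-18 10:00:05,192.0.2.30,198.51.100.5,6,50200,22,900,120000\n"     # real SSH session
SAMPLE += "2010-03-18 10:01:00,192.0.2.31,198.51.100.9,17,53001,53,1,80\n"          # one DNS query
# twelve short-lived connections to one SSH server from one source
SAMPLE += "".join(f"2010-03-18 10:02:{i:02d},203.0.113.9,198.51.100.5,6,{40000 + i},22,5,400\n"
                  for i in range(12))
# one source touching port 445 on six different hosts with a single packet each
SAMPLE += "".join(f"2010-03-18 10:03:{i:02d},203.0.113.44,198.51.100.{i},6,{41000 + i},445,1,60\n"
                  for i in range(1, 7))


def load_flows(text):
    """Parse the CSV export into dicts, with the numeric fields as ints."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("proto", "sport", "dport", "pkts", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent: the baseline against which spikes are judged."""
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["bytes"]
    return by_src.most_common(n)


def ssh_bruteforce(flows, min_flows=10, max_pkts=8):
    """Sources with many small TCP/22 flows.

    A real session is one long flow; password guessing is many short ones,
    each a handshake, a failed authentication and a teardown.
    """
    short = Counter(f["src"] for f in flows
                    if f["proto"] == 6 and f["dport"] == 22 and f["pkts"] <= max_pkts)
    return {src: n for src, n in short.items() if n >= min_flows}


def port_sweep(flows, port=445, min_hosts=5):
    """Sources that touched `port` on at least min_hosts distinct destinations."""
    hosts = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["dport"] == port:
            hosts[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in hosts.items() if len(d) >= min_hosts}


if __name__ == "__main__":
    flows = load_flows(SAMPLE)
    print("top talkers:", top_talkers(flows))
    print("ssh brute-force candidates:", ssh_bruteforce(flows))
    print("445 sweeps:", port_sweep(flows))
```

The point of keeping the three queries separate is that they answer different questions: the top-talker list is the baseline (the bulk copy to 198.51.100.7 is normal here), the brute-force check keys on flow count and packets-per-flow rather than bytes, and the sweep check keys on distinct destinations. Run them over an hour of real export before trusting the thresholds.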
Re: IPv6 in Education Question
On Thu, 2010-03-18 at 11:16 -0700, Bill Stewart wrote: You're either going to have to sell them on future-proofing or We're sailing off the edge of the world in two years, there be dragons there, train your folks now. Or sell them on the point that IPv6 is where the innovation is. We have literally no idea what our children will be doing with restored end-to-end transparency and abundant addresses. That's where education has to be. It's not an educational feature, but a very important emergent property... Remember that there are two IPv6 transitions - introducing IPv6 and forcing some people onto it - getting rid of IPv4 after IPv6 support is universal. And the third (well, probably the second, between those two) - learning to *really use* IPv6. Death of NAT NAT's not going away for a long time - IPv6 doesn't need it for address space conservation, and pretends not to need it very much for renumbering IPv6 to IPv6, but it's widely used as a firewall substitute and administrative convenience. Both oddities that I confidently predict will not survive long in the face of the enormous advantages that properly-implemented IPv6 can bring. A teensy packet filter substitutes for the security aspect, and PI address space deals with the second. The first IPv6 transition will eliminate some NAT in pure-v6 environments, so there will be applications that are no longer broken and can Just Work, but it'll also introduce several different flavors of IPv4-to-IPv6 NATs/tunnels/etc., Sure, there will be practical reasons why people need this or that half-solution, this or that broken stopgap. But we can keep the Dark Years fewer by trying not to use them. Any big commercial sites will stay reachable with IPv4 for a long time, certainly until IPv6 has been well established for a couple of years, We've all been here before. The same thing will happen globally as happened in thousands of networks with IPX, Appletalk and DECNet. IPv4 remains only on sufferance. 
The alternative rapidly becomes vastly more attractive as the connectedness of the new protocol snowballs. Pressure builds from inside and out, and - way sooner than anyone expected - there is a sort of communal sigh of relief and the old stuff gets quietly dropped. I wonder what landmarks we should designate as IPv4 is done - Google dropping support for IPv4? And I wonder what the landmarks for the beginning of the end would be - Windows 15 coming out with IPv4 disabled by default? Regards, K. -- ~~~ Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156 Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Re: IP4 Space
Ok. Let's get back to some basics to be sure we are talking about the same things. First, do you believe that a residential customer of an ISP will get an IPv6 /56 assigned for use in their home? Do you believe that residential customer will often choose to multihome using that prefix? Do you believe that on an Internet that has its primary layer 3 protocol is IPv6 that a residential customer will still desire to do NAT for reaching IPv6 destinations? I am looking forward to your response. On Mar 18, 2010, at 2:25 PM, William Herrin wrote: On Mar 5, 2010, at 7:24 AM, William Herrin wrote: Joel made a remarkable assertion that non-aggregable assignments to end users, the ones still needed for multihoming, would go down under IPv6. I wondered about his reasoning. Stan then offered the surprising clarification that a reduction in the use of NAT would naturally result in a reduction of multihoming. On Thu, Mar 18, 2010 at 11:07 AM, Stan Barber s...@academ.com wrote: I was not trying to say there would be a reduction in multihoming. I was trying to say that the rate of increase in non-NATed single-homing would increase faster than multihoming. I guess I was not very clear. Hi Stan, Your logic still escapes me. Network-wise there's not a lot of difference between a single-homed IPv4 /32 and a single-homed IPv6 /56. Host-wise there may be a difference but why would you expect that to impact networks? Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: IP4 Space
On Thu, Mar 18, 2010 at 7:36 PM, Stan Barber s...@academ.com wrote: Ok. Let's get back to some basics to be sure we are talking about the same things. First, do you believe that a residential customer of an ISP will get an IPv6 /56 assigned for use in their home? Do you believe that residential customer will often choose to multihome using that prefix? Do you believe that on an Internet that has its primary layer 3 protocol is IPv6 that a residential customer will still desire to do NAT for reaching how are nat and ipv6 and multihoming related here? (also 'that has a primary layer 3 protocol as ipv6' ... that's a LONG ways off) -chris IPv6 destinations? I am looking forward to your response. On Mar 18, 2010, at 2:25 PM, William Herrin wrote: On Mar 5, 2010, at 7:24 AM, William Herrin wrote: Joel made a remarkable assertion that non-aggregable assignments to end users, the ones still needed for multihoming, would go down under IPv6. I wondered about his reasoning. Stan then offered the surprising clarification that a reduction in the use of NAT would naturally result in a reduction of multihoming. On Thu, Mar 18, 2010 at 11:07 AM, Stan Barber s...@academ.com wrote: I was not trying to say there would be a reduction in multihoming. I was trying to say that the rate of increase in non-NATed single-homing would increase faster than multihoming. I guess I was not very clear. Hi Stan, Your logic still escapes me. Network-wise there's not a lot of difference between a single-homed IPv4 /32 and a single-homed IPv6 /56. Host-wise there may be a difference but why would you expect that to impact networks? Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
NSP-SEC
Misses, Misters, I would want to inform you that the security of the Internet, that is discussed in the NSP-SEC mailing-list [0] by a selected group of vendors (Cisco, Juniper Arbor) [1] and operations contacts of the big ISPs [2] : 1) applies the Security through Obscurity paradigm that has been proven inefficient [3]. To quote [4] : Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures. First question : Why was I able to find this mail on the Internet if it should be kept secret ? 2) includes [5] a) Spammers (Rodney Joffe) [6] [7] b) Freelancers (Gadi Evron) [8] [9] Second question : Do you still ask yourself why the Internet is so insecure ? [10] Best Regards, Guillaume FORTAINE [0] http://puck.nether.net/mailman/listinfo/nsp-security [1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders [2] http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf [3] http://en.wikipedia.org/wiki/Security_through_obscurity [4] http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html [5] http://www.google.com/search?hl=ensource=hpq=nsp-sec+site:mailman.nanog.orgaq=faqi=aql=oq=gs_rfai=esrch=FT1 [6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html [7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html [8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html [9] http://il.linkedin.com/in/gadievron [10] http://caislab.kaist.ac.kr/77ddos/
Re: NSP-SEC
Hello, Few people actually care about nsp-sec so what exactly are you getting at? Guillaume FORTAINE gforta...@live.com wrote: Misses, Misters, I would want to inform you that the security of the Internet, that is discussed in the NSP-SEC mailing-list [0] by a selected group of vendors (Cisco, Juniper Arbor) [1] and operations contacts of the big ISPs [2] : 1) applies the Security through Obscurity paradigm that has been proven inefficient [3]. To quote [4] : Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures. First question : Why was I able to find this mail on the Internet if it should be kept secret ? 2) includes [5] a) Spammers (Rodney Joffe) [6] [7] b) Freelancers (Gadi Evron) [8] [9] Second question : Do you still ask yourself why the Internet is so insecure ? [10] Best Regards, Guillaume FORTAINE [0] http://puck.nether.net/mailman/listinfo/nsp-security [1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders [2] http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf [3] http://en.wikipedia.org/wiki/Security_through_obscurity [4] http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html [5] http://www.google.com/search?hl=ensource=hpq=nsp-sec+site:mailman.nanog.orgaq=faqi=aql=oq=gs_rfai=esrch=FT1 [6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html [7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html [8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html [9] http://il.linkedin.com/in/gadievron [10] http://caislab.kaist.ac.kr/77ddos/ -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: NSP-SEC
Why respond to an obvious troll? Regards, -drc On Mar 18, 2010, at 8:46 PM, William Pitcock wrote: Hello, Few people actually care about nsp-sec so what exactly are you getting at? Guillaume FORTAINE gforta...@live.com wrote: ...
Re: NSP-SEC
On Mar 18, 2010, at 11:46 PM, William Pitcock wrote: Few people actually care about nsp-sec so what exactly are you getting at? I might argue the "few" comment, but I think it's better not to reply to Guillaume so people who are smart enough to not see his posts (which would be quite a bit more than a few) will not be forced to see them. Although I have to admit I am impressed at how quickly he has managed to piss off, alienate, and pretty much guarantee lasting animosity from, well, pretty much every significant person on the 'Net. Perhaps we should lump Guillaume in with $HE_WHO_MUST_NOT_BE_NAMED[*]? -- TTFN, patrick [*] Lest you receive a bazillion unicast messages CC'ed to a bazillion other people who don't care.
Re: Using private APNIC range in US
I once had a customer who for some reason had all their printers on public addresses they didn't own. Not advertising them outside, but internally whenever a user browsed to an external site that happened to be one of the addresses used, they would just receive an HP or Konica login page :) They didn't mind though. No idea if they've changed it since. On Fri, Mar 19, 2010 at 6:41 AM, Larry Sheldon larryshel...@cox.net wrote: On 3/18/2010 14:30, William Allen Simpson wrote: On 3/18/10 2:35 PM, Jared Mauch wrote: Does anyone know if the University of Michigan or Cisco are going to be updating their systems and documentation to no longer use 1.2.3.4? http://www.google.com/search?q=1.2.3.4+site%3Acisco.com I know that the University of Michigan utilizes 1.2.3.4 for their captive portal login/logout pages as recently as Monday when I was on the medical campus. Dunno about Cisco. med.umich.edu seems to run their own stuff, separately from umich.edu, and quite badly. I've complained about their setup repeatedly over the past several years. No traction. Is it something about Medical Schools? When we were first putting together the campus network, Surgery was running a Token Ring (I thought Vampire Tap was a fitting item for their inventory) running in Class D space as I recall. Should we try again, jointly? ;-) Towards the end, there were people who insisted I must route their net to the Internets. I declined. -- Democracy: Three wolves and a sheep voting on the dinner menu. (A republic, using parliamentary law, protects the minority.) Requiescas in pace o email (Rest in peace, O email) Ex turpi causa non oritur actio (No action arises from a dishonourable cause) Eppure si rinfresca (And yet it cools down) ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
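The addressing problem running through this thread (printers and a captive portal numbered from public space the organisation does not hold, a Token Ring sitting in Class D space, and 1.2.3.4 used as a placeholder even though 1.0.0.0/8 has been assigned to APNIC since January 2010) lends itself to a simple inventory check. The following is an added example, not code from any of the posters: the inventory entries are constructed, and the allow-list of what counts as legitimately internal space is an assumption (RFC 1918, RFC 6598 shared address space, loopback and link-local, plus IPv6 ULA and link-local).

```python
"""Audit an address inventory for internal use of address space the organisation does not hold.

Added example, not from the NANOG thread. The inventory below is constructed; the allow-list
is an assumption about what this site may legitimately number internal hosts from.
"""
import ipaddress
from typing import List, Tuple

# Assumption: the site is not a CGNAT operator, so 100.64.0.0/10 is treated as usable
# internal space alongside RFC 1918.
ALLOWED_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Documentation ranges: never routed on the Internet, but not yours to number hosts from.
DOCUMENTATION = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32",
)]


def _within(net, pools) -> bool:
    # subnet_of() raises TypeError across address families, so match the version first.
    return any(net.version == p.version and net.subnet_of(p) for p in pools)


def classify_prefix(prefix: str) -> str:
    """Return one of: private, documentation, multicast, reserved, squatted-public."""
    net = ipaddress.ip_network(prefix, strict=False)   # bare host address becomes a /32 or /128
    if _within(net, ALLOWED_INTERNAL):
        return "private"
    if _within(net, DOCUMENTATION):
        return "documentation"
    if net.is_multicast:          # 224.0.0.0/4 (the "Class D" of the anecdote), ff00::/8
        return "multicast"
    if net.is_reserved:           # 240.0.0.0/4 and the IPv6 reserved blocks
        return "reserved"
    # Anything left is unicast space that is, or can be, allocated to someone else.
    # 1.0.0.0/8 went to APNIC in January 2010, so 1.2.3.4 is no longer a safe placeholder.
    return "squatted-public"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, prefix, verdict) for every entry that is not plain private space."""
    findings = []
    for name, prefix in inventory:
        verdict = classify_prefix(prefix)
        if verdict != "private":
            findings.append((name, prefix, verdict))
    return findings


# Constructed inventory modelled on the situations described in the thread.
SAMPLE_INVENTORY = [
    ("core-sw-1", "10.0.0.1"),
    ("printer-hp-2f", "1.2.3.10"),          # printer on space nobody here holds
    ("captive-portal", "1.2.3.4"),          # the 1.2.3.4 placeholder
    ("surgery-tokenring", "224.1.2.0/24"),  # Class D used as unicast
    ("lab-net", "192.0.2.0/24"),            # documentation range in production
    ("cgnat-mgmt", "100.64.1.0/24"),
    ("v6-ula", "fd00:1::/64"),
    ("v6-lab", "2001:db8::/32"),
]

if __name__ == "__main__":
    for name, prefix, verdict in audit(SAMPLE_INVENTORY):
        print(f"{name:20s} {prefix:18s} {verdict}")
```

The check deliberately does not rely on `ipaddress`'s own `is_private`, whose treatment of 100.64.0.0/10 and the documentation ranges differs between Python versions; an explicit allow-list is what you would want to review and sign off on anyway. Feed it the address column of a DHCP or asset database and anything reported as `squatted-public` is a host that will collide with a real Internet destination sooner or later.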
Re: NSP-SEC
On 03/19/2010 04:52 AM, Patrick W. Gilmore wrote: On Mar 18, 2010, at 11:46 PM, William Pitcock wrote: Few people actually care about nsp-sec so what exactly are you getting at? I might argue the "few" comment Could you argue, if possible, please? I look forward to your answer, Best Regards, Guillaume FORTAINE
Re: NSP-SEC
On Thu, 2010-03-18 at 23:52 -0400, Patrick W. Gilmore wrote: On Mar 18, 2010, at 11:46 PM, William Pitcock wrote: Few people actually care about nsp-sec so what exactly are you getting at? I might argue the "few" comment, but I think it's better not to reply to Guillaume so people who are smart enough to not see his posts (which would be quite a bit more than a few) will not be forced to see them. I would say that, in general, more people care about NANOG than nsp-security, although nsp-security is a worthwhile resource for those who are dealing with backbone-level problems (which is a minority of the people on NANOG, who generally are managing single typically-not-multihomed sites for the most part). Although I have to admit I am impressed at how quickly he has managed to piss off, alienate, and pretty much guarantee lasting animosity from, well, pretty much every significant person on the 'Net. Perhaps we should lump Guillaume in with $HE_WHO_MUST_NOT_BE_NAMED[*]? Ugh, that IADL guy. I blackholed his entire IP block at the edge because I got tired of receiving his crap. :D And yeah, I'm surprised Guillaume can actually post here still. William