RE: NAT444 or ?

2011-09-13 Thread Dan Wing
> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Tuesday, September 13, 2011 9:43 PM
> To: Dan Wing
> Cc: 'Leigh Porter'; 'David Israel'; nanog@nanog.org
> Subject: Re: NAT444 or ?
> 
> >>
> >> Good point, but aside from these scaling issues which I expect can
> be
> >> resolved to a point, the more serious issue, I think, is
> applications
> >> that just do not work with double NAT. Now, I have not conducted any
> >> serious research into this, but it seems that draft-donley-nat444-
> >> impacts does appear to have highlight issues that may have been down
> to
> >> implementation.
> >
> > Draft-donley-nat444-impacts conflates bandwidth constraints with CGN
> > with in-home NAT.  Until those are separated and then analyzed
> carefully,
> > it is harmful to draw conclusions such as "NAT444 bad; NAT44 good".
> >
> 
> Continuing to make this claim does not make it any more true.
> 
> Draft-donley took networks and measured their real-world functionality
> without NAT444, then, added NAT444 and repeated the same tests.
> Regardless of the underlying issue(s), the addition of NAT444 to the
> mix resulted in the forms of service degradation enumerated in the
> draft.

I disagree it reached that conclusion.  That may have been its
intent.

> Further, I would not ever say "NAT444 bad; NAT44 good". I would say,
> rather, "NAT44 bad, NAT444 worse". I think that's a pretty safe and
> non-harmful thing to say.

Yes, your statement is completely accurate.  I agree that IPv4 address 
sharing causes additional problems (which encompasses all forms of 
IPv4 address sharing), and CGN causes additional problems.

> >> Other simple tricks such as ensuring that your own internal services
> >> such as DNS are available without traversing NAT also help.
> >
> > Yep.  But some users want to use other DNS servers for performance
> > (e.g., Google's or OpenDNS servers, especially considering they
> > could point the user at a 'better' (closer) CDN based on Client
> > IP), to avoid ISP DNS hijacking, or for content control (e.g.,
> > "parental control" of DNS hostnames).  That traffic will,
> necessarily,
> > traverse the CGN.  To avoid users burning through their UDP port
> > allocation for those DNS queries it is useful for the CGN to
> > have short timeouts for port 53.
> >
> If the user chooses to use a DNS server on the other side of a NAT,
> then,
> they are choosing to inflict whatever damage upon themselves. I'm not
> saying that short UDP/53 timeouts are a bad idea, but, I am saying that
> the more stuff you funnel through an LSN at the carrier, the more stuff
> you will see break. This would lead me to want to avoid funneling
> anything
> through said NAT which I could avoid. Then again, I run my own
> authoritative and recursive nameservers in my home and don't use
> any NAT at all, so, perhaps my perspective is different from others.

Yeah, you are probably of about 1000 or maybe 3000 people in the 
world that do that.  Seems to be a minority.

> >> Certainly some more work can be done in this area, but I fear that
> the
> >> only way a real idea as to how much NAT444 really does break things
> will
> >> be operational experience.
> >
> > Yep.  (Same as everything else.)
> >
> 
> I'm sure that will happen soon enough. I, for one, am not looking
> forward to the experience.

Neither am I.

But if major content providers cannot provide  on their
properties, and if ISPs and CPE vendors do not make IPv6
available and working, and if web browsers don't adopt faster
fallback to IPv4 when IPv6 is borked   We will all be 
behind NATs.

-d





RE: what about the users re: NAT444 or ?

2011-09-13 Thread Dan Wing
> One can do that with or without NAT. This claim that one cannot
> keep a network running without a service provider connected if you
> don't run NAT is a myth of dubious origin.

If the hosts are running DHCP, and the ISP is running the DHCP
server?  I guess they will fall back (after a while) to link-local
and continue on their merry way.

> > can accomplish this pretty easily, because the IPv4 addresses in
> > the home can be any IPv4 address whatsoever -- which allows the
> > in-home CPE ("B4", in Dual Stack-Lite parlance) to assign any address
> > it wants with its built-in DHCP server.)
> >
> 
> There are other ways to accomplish this as well.

-d

> > -d
> >
> >> and less technically but relevant I think is to ask about cost? who
> >> pays?
> 
> In some cases, ISPs will provide new CPE to their end users. In other
> cases,
> end-users will be expected to pay to upgrade their own.
> 
> Owen
> 
> >>
> >>
> >> Christian
> >>
> >> On 8 Sep 2011, at 15:02, Cameron Byrne wrote:
> >>
> >>> On Sep 8, 2011 1:47 AM, "Leigh Porter"
> 
> >> wrote:
> 
> 
> 
> > -Original Message-
> > From: Owen DeLong [mailto:o...@delong.com]
> > Sent: 08 September 2011 01:22
> > To: Leigh Porter
> > Cc: Seth Mos; NANOG
> > Subject: Re: NAT444 or ?
> >
> >> Considering that offices, schools etc regularly have far more
> than
> >> 10
> > users per IP, I think this limit is a little low. I've happily
> had
> > around 300 per public IP address on a large WiFi network, granted
> >> these
> > are all different kinds of users, it is just something that
> >> operational
> > experience will have to demonstrate.
> >>
> > Yes, but, you are counting individual users whereas at the NAT444
> > level, what's really being counted is end-customer sites not
> >> individual
> > users, so the term
> > "users" is a bit misleading in the context. A given end-customer
> >> site
> > may be from 1 to 50 or more individual users.
> 
>  Indeed, my users are using LTE dongles mostly so I expect they
> will
> >> be
> >>> single users. At the moment on the WiMAX network I see around 35
> >> sessions
> >>> from a WiMAX modem on average rising to about 50 at peak times.
> These
> >> are a
> >>> combination of individual users and "home modems".
> 
>  We had some older modems that had integrated NAT that was broken
> and
> >>> locked up the modem at 200 sessions. Then some old base station
> >> software
> >>> died at about 10K sessions. So we monitor these things now..
> 
> 
> >
> >> I would love to avoid NAT444, I do not see a viable way around
> it
> >> at
> > the moment. Unless the Department of Work and Pensions release
> >> their /8
> > that is ;-)
> >>
> >
> > The best mitigation really is to get IPv6 deployed as rapidly and
> > widely as possible. The more stuff can go native IPv6, the less
> >> depends
> > on fragile NAT444.
> 
>  Absolutely. Even things like google maps, if that can be dumped on
> >> v6,
> >>> it'll save a load of sessions from people. The sooner services such
> >> as
> >>> Microsoft Update turn on v6 the better as well. I would also like
> the
> >> CDNs
> >>> to be able to deliver content in v6 (even if the main page is v4)
> >> which
> >>> again will reduce the traffic that has to traverse any NAT.
> 
>  Soon, I think content providers (and providers of other services
> on
> >> the
> >>> 'net) will roll v6 because of the performance increase as v6 will
> not
> >> have
> >>> to traverse all this NAT and be subject to session limits, timeouts
> >> and
> >>> such.
> 
> >>>
> >>> What do you mean by performance increase? If performance equals
> >> latency, v4
> >>> will win for a long while still. Cgn does not add measurable
> latency.
> >>>
> >>> Cb
>  --
>  Leigh
> 
> 
> 
> 
> >
> >




Re: NAT444 or ?

2011-09-13 Thread Owen DeLong
>> 
>> Good point, but aside from these scaling issues which I expect can be
>> resolved to a point, the more serious issue, I think, is applications
>> that just do not work with double NAT. Now, I have not conducted any
>> serious research into this, but it seems that draft-donley-nat444-
>> impacts does appear to have highlight issues that may have been down to
>> implementation.
> 
> Draft-donley-nat444-impacts conflates bandwidth constraints with CGN
> with in-home NAT.  Until those are separated and then analyzed carefully,
> it is harmful to draw conclusions such as "NAT444 bad; NAT44 good".
> 

Continuing to make this claim does not make it any more true.

Draft-donley took networks and measured their real-world functionality
without NAT444, then, added NAT444 and repeated the same tests.
Regardless of the underlying issue(s), the addition of NAT444 to the
mix resulted in the forms of service degradation enumerated in the draft.

Further, I would not ever say "NAT444 bad; NAT44 good". I would say,
rather, "NAT44 bad, NAT444 worse". I think that's a pretty safe and non-
harmful thing to say.

>> Other simple tricks such as ensuring that your own internal services
>> such as DNS are available without traversing NAT also help.
> 
> Yep.  But some users want to use other DNS servers for performance
> (e.g., Google's or OpenDNS servers, especially considering they
> could point the user at a 'better' (closer) CDN based on Client
> IP), to avoid ISP DNS hijacking, or for content control (e.g.,
> "parental control" of DNS hostnames).  That traffic will, necessarily,
> traverse the CGN.  To avoid users burning through their UDP port 
> allocation for those DNS queries it is useful for the CGN to 
> have short timeouts for port 53.
> 
If the user chooses to use a DNS server on the other side of a NAT, then,
they are choosing to inflict whatever damage upon themselves. I'm not
saying that short UDP/53 timeouts are a bad idea, but, I am saying that
the more stuff you funnel through an LSN at the carrier, the more stuff
you will see break. This would lead me to want to avoid funneling anything
through said NAT which I could avoid. Then again, I run my own
authoritative and recursive nameservers in my home and don't use
any NAT at all, so, perhaps my perspective is different from others.

>> Certainly some more work can be done in this area, but I fear that the
>> only way a real idea as to how much NAT444 really does break things will
>> be operational experience.
> 
> Yep.  (Same as everything else.)
> 

I'm sure that will happen soon enough. I, for one, am not looking forward
to the experience.

Owen
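Dan Wing's suggestion quoted above, that a CGN should give UDP/53 mappings a short timeout, worked through as an added toy model that is not from the thread: one subscriber's external port budget, endpoint-independent mapping (one external port per internal source port), and release of mappings only when the idle timer expires. The 1000-port budget, 300 s default UDP timeout, 5 queries/s rate and the SIP flow are constructed illustrative values, not figures from the thread.

```python
"""Toy model of one subscriber's CGN UDP port budget (constructed example)."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SubscriberPortPool:
    """External UDP ports the CGN has budgeted for a single subscriber."""
    max_ports: int
    udp_timeout: float   # idle timeout for ordinary UDP mappings (seconds)
    dns_timeout: float   # idle timeout for mappings whose destination port is 53
    # internal source port -> time at which the mapping expires
    mappings: Dict[int, float] = field(default_factory=dict)
    refused: int = 0
    peak_active: int = 0

    def _expire(self, now: float) -> None:
        # Release every mapping whose idle timer has run out.
        for port in [p for p, exp in self.mappings.items() if exp <= now]:
            del self.mappings[port]

    def packet(self, now: float, src_port: int, dst_port: int) -> bool:
        """Outbound packet from the subscriber. Returns False when the CGN has
        no free external port left for a new mapping (the flow is dropped)."""
        self._expire(now)
        timeout = self.dns_timeout if dst_port == 53 else self.udp_timeout
        if src_port in self.mappings:
            self.mappings[src_port] = now + timeout   # traffic refreshes the timer
            return True
        if len(self.mappings) >= self.max_ports:
            self.refused += 1
            return False
        self.mappings[src_port] = now + timeout
        self.peak_active = max(self.peak_active, len(self.mappings))
        return True


def simulate(dns_timeout: float, udp_timeout: float = 300.0,
             max_ports: int = 1000, queries_per_sec: int = 5,
             seconds: int = 600) -> dict:
    """One home sending DNS queries at a steady rate to a resolver beyond the
    CGN, each query from a fresh source port (as randomising stub resolvers do).
    At t=250 the same home also tries to open one long-lived non-DNS flow."""
    pool = SubscriberPortPool(max_ports, udp_timeout, dns_timeout)
    non_dns_ok: Optional[bool] = None
    next_port = 10000
    for t in range(seconds):
        if t == 250:
            non_dns_ok = pool.packet(t, 40000, 5060)   # constructed SIP flow
        for _ in range(queries_per_sec):
            pool.packet(t, next_port, 53)
            next_port += 1
    return {"refused": pool.refused,
            "peak_active": pool.peak_active,
            "non_dns_flow_admitted": non_dns_ok}


if __name__ == "__main__":
    # With the default 300 s timer applied to DNS, the budget fills in 200 s
    # and the SIP flow is refused; with a 10 s timer the pool never gets near full.
    print("300 s timeout on UDP/53:", simulate(dns_timeout=300.0))
    print(" 10 s timeout on UDP/53:", simulate(dns_timeout=10.0))
```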




Re: what about the users re: NAT444 or ?

2011-09-13 Thread Owen DeLong

On Sep 8, 2011, at 9:52 AM, Dan Wing wrote:

>> -Original Message-
>> From: Christian de Larrinaga [mailto:c...@firsthand.net]
>> Sent: Thursday, September 08, 2011 8:05 AM
>> To: Cameron Byrne
>> Cc: NANOG
>> Subject: what about the users re: NAT444 or ?
>> 
>> I wonder if the discussion as useful as it is isn't forgetting that the
>> edge of Internet has a stake in getting this right too! This is not
>> just an ISP problem but one where content providers and services that
>> is the users need to get from here to there in good order.
>> 
>> So
>> 
>> What can users do to encourage ISPs to deploy v6 to them?

Call up and ask for it? Vote with their $$ and their feet?

>> What can users do to ease the pain in reaching IPv4 only sites once
>> they are on IPv6 tails?

1. Encourage the sites they care about to implement IPv6.
2. Why is being on an IPv6 tail exclusive of being on an IPv4 tail. I would want
to be on a dual-stack tail (which is what I currently have).

>> 
>> Is there not a bit of CPE needed here? What should the CPE do? and not
>> do? should it deprecate NAT/PAT when it receives 1918 allocation from a
>> CGN?
> 
> Careful with that idea -- people like their in-home network to continue
> functioning even when their ISP is down or having an outage.  Consider
> a home NAS holding delivering content to the stereo or the television.
> It is possible to eliminate reliance on the ISP's network and still
> have the in-home network function, but it's more difficult than just
> continuing to run NAT44 in the home like today.  (Dual Stack-Lite

One can do that with or without NAT. This claim that one cannot
keep a network running without a service provider connected if you
don't run NAT is a myth of dubious origin.

> can accomplish this pretty easily, because the IPv4 addresses in
> the home can be any IPv4 address whatsoever -- which allows the
> in-home CPE ("B4", in Dual Stack-Lite parlance) to assign any address
> it wants with its built-in DHCP server.)
> 

There are other ways to accomplish this as well.

> -d
> 
>> and less technically but relevant I think is to ask about cost? who
>> pays?

In some cases, ISPs will provide new CPE to their end users. In other cases,
end-users will be expected to pay to upgrade their own.

Owen

>> 
>> 
>> Christian
>> 
>> On 8 Sep 2011, at 15:02, Cameron Byrne wrote:
>> 
>>> On Sep 8, 2011 1:47 AM, "Leigh Porter" 
>> wrote:
 
 
 
> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: 08 September 2011 01:22
> To: Leigh Porter
> Cc: Seth Mos; NANOG
> Subject: Re: NAT444 or ?
> 
>> Considering that offices, schools etc regularly have far more than
>> 10
> users per IP, I think this limit is a little low. I've happily had
> around 300 per public IP address on a large WiFi network, granted
>> these
> are all different kinds of users, it is just something that
>> operational
> experience will have to demonstrate.
>> 
> Yes, but, you are counting individual users whereas at the NAT444
> level, what's really being counted is end-customer sites not
>> individual
> users, so the term
> "users" is a bit misleading in the context. A given end-customer
>> site
> may be from 1 to 50 or more individual users.
 
 Indeed, my users are using LTE dongles mostly so I expect they will
>> be
>>> single users. At the moment on the WiMAX network I see around 35
>> sessions
>>> from a WiMAX modem on average rising to about 50 at peak times. These
>> are a
>>> combination of individual users and "home modems".
 
 We had some older modems that had integrated NAT that was broken and
>>> locked up the modem at 200 sessions. Then some old base station
>> software
>>> died at about 10K sessions. So we monitor these things now..
 
 
> 
>> I would love to avoid NAT444, I do not see a viable way around it
>> at
> the moment. Unless the Department of Work and Pensions release
>> their /8
> that is ;-)
>> 
> 
> The best mitigation really is to get IPv6 deployed as rapidly and
> widely as possible. The more stuff can go native IPv6, the less
>> depends
> on fragile NAT444.
 
 Absolutely. Even things like google maps, if that can be dumped on
>> v6,
>>> it'll save a load of sessions from people. The sooner services such
>> as
>>> Microsoft Update turn on v6 the better as well. I would also like the
>> CDNs
>>> to be able to deliver content in v6 (even if the main page is v4)
>> which
>>> again will reduce the traffic that has to traverse any NAT.
 
 Soon, I think content providers (and providers of other services on
>> the
>>> 'net) will roll v6 because of the performance increase as v6 will not
>> have
>>> to traverse all this NAT and be subject to session limits, timeouts
>> and
>>> such.
 
>>> 
>>> What do you mean by performance increase? If performance equals
>> latency, v4
>>> will win for 

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Ted Cooper
On 14/09/11 13:44, Christopher Morrow wrote:
> On Tue, Sep 13, 2011 at 11:33 PM, Jima  wrote:
>>  Huh?  I'm a bit lost here, since I had two StartSSL certs issued yesterday
>> afternoon.
> 
> orly? weird, they made a press release ~last-june (I think?) stating
> they were stopping issuance indefinitely. I do hope they are actually
> issuing again :)
> 
> I like my random numbers to be free.

As claimed by the DigiNotar hacker - he compromised their servers but
Eddy was manually approving certs at the time and so no certs were signed.

There was information about it on the site, but it seems to be gone now.
Articles still show a screenshot of the message you're talking about [1],
but the site was back alive in July when I needed a certificate.

"A separate notice on another part of the company's site says that its
services would be unavailable until June 20, " [2]

I've certainly been able to issue certificates for myself since then.

[1]
http://news.netcraft.com/archives/2011/06/22/startssl-suspends-services-after-security-breach.html

[2]
http://threatpost.com/en_us/blogs/ca-startssl-compromised-says-certificates-not-affected-062111







Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:44 PM, Christopher Morrow wrote:
> On Tue, Sep 13, 2011 at 11:33 PM, Jima  wrote:
>> On 2011-09-13 20:26, Christopher Morrow wrote:
>>>
>>> On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver
>>>  wrote:

 No need for (financial) pain, there are free of charge ssl certificates
 available, see for example:

 http://www.startssl.com/?app=1
>>>
>>> eddy stopped issuing
>>
>>  Huh?  I'm a bit lost here, since I had two StartSSL certs issued yesterday
>> afternoon.
>
> orly? weird, they made a press release ~last-june (I think?) stating
> they were stopping issuance indefinitely. I do hope they are actually
> issuing again :)



has a link to the startssl page about this, which doesn't appear to
load for me (now)... maybe they are back in business!

>
> I like my random numbers to be free.
>
> -chris
>



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:33 PM, Jima  wrote:
> On 2011-09-13 20:26, Christopher Morrow wrote:
>>
>> On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver
>>  wrote:
>>>
>>> No need for (financial) pain, there are free of charge ssl certificates
>>> available, see for example:
>>>
>>> http://www.startssl.com/?app=1
>>
>> eddy stopped issuing
>
>  Huh?  I'm a bit lost here, since I had two StartSSL certs issued yesterday
> afternoon.

orly? weird, they made a press release ~last-june (I think?) stating
they were stopping issuance indefinitely. I do hope they are actually
issuing again :)

I like my random numbers to be free.

-chris



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Jima

On 2011-09-13 20:26, Christopher Morrow wrote:
> On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver wrote:
>> No need for (financial) pain, there are free of charge ssl certificates
>> available, see for example:
>>
>> http://www.startssl.com/?app=1
>
> eddy stopped issuing

 Huh?  I'm a bit lost here, since I had two StartSSL certs issued
yesterday afternoon.


 Jima



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Christopher Morrow
On Tue, Sep 13, 2011 at 11:22 AM, Michiel Klaver  wrote:
> At 22-07-28164 20:59, Tei wrote:
>>
>> *a random php programmer shows*
>>
>> He, I just want to self-sign my CERT's and remove the ugly warning that
>> browsers shows. I don't want to pay 1000$ a year, or 1$ a year for that. I
>> just don't want to use cleartext for internet data transfer.  HTTP is like
>> telnet, and HTTPS is like ssh. But with ssh is just can connect, with
>> browsers theres this ugly warning and "fuck you, self-signed certificate"
>> from the browsers.  Please make the pain stop!.
>>
>> --Tei
>>
>
> No need for (financial) pain, there are free of charge ssl certificates
> available, see for example:
>
> http://www.startssl.com/?app=1

eddy stopped issuing

> http://www.cacert.org/

these I hadn't seen... or I had and promptly forgotten about them
since they don't get included in any browser/app/OS :(

AffirmTrust is supposed to start issuing certs 'soon' though, free.

-chris



Re: vyatta for bgp

2011-09-13 Thread Dobbins, Roland
On Sep 14, 2011, at 5:54 AM, Deepak Jain wrote:

> Some enterprises get MPLS L3 VPN service from their providers, and need boxes 
> that can route packets to it and speak BGP to inject their routes.  They are 
> not, per se, connected to the Internet, and thus won't be "zorched", at least 
> in the sense you are using it.

Hence 'public-facing'.

;>

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Transit pricing?

2011-09-13 Thread Jay Ashworth
Anyone mind telling me, off list and not for attribution, what they're
paying for straight or blended transit in a colo datacenter?  Trying to 
evaluate a quote.  /mbps, GigE fiber access.

Cheers,
-- jr 'S, James :-)' a
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: vyatta for bgp

2011-09-13 Thread Deepak Jain
> In a message written on Mon, Sep 12, 2011 at 06:56:26PM +, Dobbins, Roland 
> wrote:
>> The days of public-facing software-based routers were over years ago - you 
>> need an ASIC-based edge router, else you'll end up getting zorched.
> 
> Some enterprises get MPLS L3 VPN service from their providers, and need boxes 
> that can route packets to it and speak BGP to inject their routes.  They are 
> not, per se, connected to the Internet, and thus won't be "zorched", at least 
> in the sense you are using it.
> 
> Also, many enterprises get DS-3, Cable Modem, or 100M Ethernet handoffs, and 
> won't ever get a faster "zorch" due to link speed.

---

Picking up on what Leo wrote:

I think the OP stated he is using less than 10M (or a few T1s or something). 
The term Enterprise covers a lot of ground from SMEs to LBs. 

It's important to clarify that no router is perfect and all of them are 
sufficiently complex beasties to fully understand your problem/solution set. 

Software routers are simpler in that almost all of their complexities lie in 
their CPU/bus/interrupt limitations and provided you haven't hit those limits 
the software can do just about anything you ask of it. 

Hardware-assisted routers are promised to move lots and lots of pps and 
tolerate all kinds of bad behavior -- with all kinds of caveats, like control 
plane policing, understanding the minutiae of their ASIC design/layout and of 
course various oddities in their software configurations and releases (turn 
this on, but not with that, if you want this feature to work). 

Without rehashing 20+ years of collective knowledge & caveats on 
hardware-assisted routers, smaller guys who want to test their approach to 
purchasing need some kind of answer better than "it depends".

Even though "it depends"  (based on total uplink speeds), here are my 
suggestions:

<200 Mb/s: a circa 2010+ software router, even talking to the internet as a 
whole, is probably fine, even to run BGP. You may have some weird edge cases 
where you can be attacked, but your pipe will probably limit you. At this 
level, you can also lean on your ISP to help if you get into a jam.

200 Mb/s to 2 Gb/s: your software router may keep up, and you need to start 
considering hardware-assisted routing; a stiff breeze could make your router 
fall over. More time will be required to tune your software router that could 
be better spent elsewhere. At the higher end of this range, your ISP is less 
able to help you (filter good traffic from bad) and you need to be able to do 
some of this in your router. Pipe speed is less of an issue and you can have 
badly behaved traffic that "zorches" you at far less than link speed.

2 Gb/s+: your software solution is a dead duck or an accident waiting to 
happen. You will be victim to oddities related to inconsistent performance, 
jitter, and of course malicious attacks. You probably want more advanced 
traffic and profiling features a hardware platform allows you (at wire speed) 
too.  Your ISP's hardware router will only do what you ask (nicely) for your 
ISP to do... and even that is limited. You are basically "big enough" to manage 
these connections on your own and should have equipment and staff available to 
do so.

I just took a stab at the ranges and the concepts, only limited to the OP's 
context and directed at "Enterprise" customers. ISP's probably can't use these 
limits for their own router solution/sizing -- and we all know that ISPs vary 
in quality, especially at 4am when you are being DOS'd... so ymmv.

HTH,

Deepak Jain
AiNET




NANOG Nomination Dates

2011-09-13 Thread Patrick W . Gilmore
Everyone,

I would like to remind everyone about some important dates that are coming up:

* September 12, 2011 begins the nomination process for Program 
Committee Candidates.
* September 13, 2011 the nomination process for the Board closes.


As a reminder, the Program Committee is a group of sixteen individuals from the 
NANOG community who together are responsible for the solicitation and selection 
of material for NANOG meeting programs.

Per the NewNOG bylaws, eligible candidates each will serve a two-year term.  To 
be eligible to be appointed as a member of the Program Committee, an individual 
must have attended one NANOG conference within the prior calendar year (12 
months) and be a member in good standing.  Broad technical knowledge of 
Internet operations and familiarity with NANOG meetings are useful attributes.  
Having constructive opinions and ideas about how NANOG meetings might be 
improved is of high value.  A willingness to recruit presentations for each 
meeting is required.  

Please send nominations to nominati...@nanog.org.  If you are nominating 
another person, please provide that person's name and email address.  If you 
are nominating yourself, please provide a Statement of Intent and a Biography, 
each with a suggested limit of 150 words.  For samples, please see the 2010 
candidate lists, .


As always, if you have a questions, please email nominati...@nanog.org.

Thank you for your support, and your participation in the community.

-- 
TTFN,
patrick




Twitter

2011-09-13 Thread Morgan Miskell
Anyone from twitter on the list?  If so, can you drop me an email so
that I can get some assistance with a routing issue?
-- 
Morgan A. Miskell
CaroNet Data Centers
704-643-8330 x206






Re: vyatta for bgp

2011-09-13 Thread Leo Bicknell
In a message written on Mon, Sep 12, 2011 at 06:56:26PM +, Dobbins, Roland 
wrote:
> The days of public-facing software-based routers were over years ago - you 
> need an ASIC-based edge router, else you'll end up getting zorched.

Some enterprises get MPLS L3 VPN service from their providers, and
need boxes that can route packets to it and speak BGP to inject
their routes.  They are not, per se, connected to the Internet, and
thus won't be "zorched", at least in the sense you are using it.

Also, many enterprises get DS-3, Cable Modem, or 100M Ethernet
handoffs, and won't ever get a faster "zorch" due to link speed.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, valdis.kletni...@vt.edu  said:
> If you use SSH to connect, and either ignore the "host key has changed" or
> "authenticity can't be established, continue connecting?" messages, you get
> what you deserve - those are the *exact* same issues that your browser warns
> about self-signed certs.  And if you *don't* ignore them on SSH - why do you
> want to ignore them on SSL?

A big difference between SSH keys and SSL certificates is that SSL certs
have a built-in expiration date (which is a good thing, as nothing is
secure forever).  When that expiration date rolls around, the admin may
create a new key/cert pair, rather than just renewing the previous cert,
which would cause all the visitors that accepted the previous cert to
get a new and nastier warning that the cert has changed.  How do the
visitors know the difference between this case and a hijack/MITM?

Certs are almost guaranteed to change over time as technology changes.
For example, it used to be common to have 512 bit certs with an MD5
signature hash.  Now 1024 bit and SHA1 are the norm, and many are moving
to 2048 bit (and some to stronger hashes).  Having people get used to
periodically accepting a changed cert defeats the purpose of signed
certs (and again, effectively breaks SSL).

-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Michiel Klaver

At 22-07-28164 20:59, Tei wrote:
> *a random php programmer shows*
>
> He, I just want to self-sign my CERT's and remove the ugly warning that
> browsers shows. I don't want to pay 1000$ a year, or 1$ a year for that. I
> just don't want to use cleartext for internet data transfer.  HTTP is like
> telnet, and HTTPS is like ssh. But with ssh is just can connect, with
> browsers theres this ugly warning and "fuck you, self-signed certificate"
> from the browsers.  Please make the pain stop!.
>
> --Tei

No need for (financial) pain, there are free of charge ssl certificates 
available, see for example:

http://www.startssl.com/?app=1
http://www.cacert.org/




Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, Brett Frankenberger  said:
> On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
> > Once upon a time, Tei  said:
> > > He, I just want to self-sign my CERT's and remove the ugly warning that
> > > browsers shows.
> > 
> > SSL without some verification of the far end is useless, as a
> > man-in-the-middle attack can create self-signed certs just as easily.
> 
> It protects against attacks where the attacker merely monitors the
> traffic between the two endpoints.

Someone who can monitor can most likely inject false traffic and thus
MITM.

In any case, a system that is supposed to provide end-to-end security
shouldn't be considered secure if it can be easily bypassed.
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Valdis . Kletnieks
On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
> He, I just want to self-sign my CERT's and remove the ugly warning that
> browsers shows. I don't want to pay 1000$ a year, or 1$ a year for that. I

The warning is there for a *reason* - namely that if you have a self-signed
cert, a first time visitor has *zero* way to verify it's *your* self-signed
cert and not some hijacker's self-signed cert.

> just don't want to use cleartext for internet data transfer.  HTTP is like
> telnet, and HTTPS is like ssh. But with ssh is just can connect, with
> browsers theres this ugly warning and "fuck you, self-signed certificate"
> from the browsers.  Please make the pain stop!.

If you use SSH to connect, and either ignore the "host key has changed" or
"authenticity can't be established, continue connecting?" messages, you get
what you deserve - those are the *exact* same issues that your browser warns
about self-signed certs.  And if you *don't* ignore them on SSH - why do you
want to ignore them on SSL?

Note that there's another big difference between SSH and SSL - the number of
people who are allowed to SSH to a given machine is (a) usually small and (b)
pre-identified up front.  So if Fred gets an "unknown host key" while SSH'ing
to the server you just set up, that's probably not a big issue because you
presumably know who Fred is and just created an account for him, so you can
supply him with the footprint of the SSH host key to double-verify.  That does
*not* scale to Internet-facing web services.

Of course, if you have a *private* *internal* webserver with limited users,
you're free to use a self-signed cert and use your browser's handy "Add
security exemption" dialog and check "Permanent".





Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Brett Frankenberger
On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
> Once upon a time, Tei  said:
> > He, I just want to self-sign my certs and remove the ugly warning that
> > browsers show.
> 
> SSL without some verification of the far end is useless, as a
> man-in-the-middle attack can create self-signed certs just as easily.

It protects against attacks where the attacker merely monitors the
traffic between the two endpoints.

As you suggest, it does not protect against MITM, but that's different
from being useless.  

The value of protecting against the former but not the latter may vary
by situation, but it's not always zero.  Not all attackers/attacks that
can sniff also have the capability and willingness to MITM.

(And even SSL w/ endpoint verification isn't absolute security.  For
example, it doesn't protect against endpoint compromises.  But that
doesn't make endpoint verification useless.)

 -- Brett



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread David Israel

On 9/13/2011 10:29 AM, Tei wrote:

> *a random php programmer shows*
> 
> He, I just want to self-sign my certs and remove the ugly warning that
> browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
> just don't want to use cleartext for internet data transfer.  HTTP is like
> telnet, and HTTPS is like ssh. But with ssh you can just connect, with
> browsers there's this ugly warning and "fuck you, self-signed certificate"
> from the browsers.  Please make the pain stop!



With ssh, you will get a warning if the remote host key is not known, 
with a fingerprint and advice not to accept it if you don't know if it 
is correct.  This is a direct analog to the warning that the remote 
host's certificate cannot be verified.  In both cases, you are given the 
chance to accept the key/certificate and continue going; depending on 
the implementation, you might also be given the option to accept it once 
or forever.  Ssh is actually prone to bigger, uglier, more explicit "you 
probably don't want to trust this" warnings, especially about things 
like key changes.





Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Peter Kristolaitis

Really?  You can "just connect" with SSH?

root@somebox:~# ssh 1.2.3.4
The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
RSA key fingerprint is 03:26:2c:b2:cd:fd:05:fc:87:70:4b:06:58:40:e7:c3.
Are you sure you want to continue connecting (yes/no)?

That's no different than having to permanently accept a self-signed SSL 
cert...


- Pete


On 9/13/2011 10:29 AM, Tei wrote:

> *a random php programmer shows*
> 
> He, I just want to self-sign my certs and remove the ugly warning that
> browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
> just don't want to use cleartext for internet data transfer.  HTTP is like
> telnet, and HTTPS is like ssh. But with ssh you can just connect, with
> browsers there's this ugly warning and "fuck you, self-signed certificate"
> from the browsers.  Please make the pain stop!
> 
> --Tei
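The ssh-style check that Valdis, David and Peter describe in their replies above, written out as an added example (this is not code from any message in this thread): a trust-on-first-use store keyed by host and port, modelled on ssh's known_hosts, that separates the three cases ssh prompts for. The host name `example.invalid`, the JSON store file and the certificate bytes are constructed for the example; in real use the DER bytes would come from the peer's actual certificate, which the stdlib `ssl.get_server_certificate()` and `ssl.PEM_cert_to_DER_cert()` calls in `fetch_cert_der()` retrieve.

```python
"""Trust-on-first-use (TOFU) pinning for TLS certificates, modelled on
ssh's known_hosts.  Added example, not code from any message in this
thread; the certificate bytes and host name below are constructed."""
import hashlib
import json
import os
import ssl
import tempfile


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, colon-separated the way ssh
    prints a host key fingerprint on first connect."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the peer's leaf certificate without CA validation; the pin
    store, not a CA, is what vouches for it.  Needs network access, so
    the offline demo below does not call it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class KnownHosts:
    """Persistent map of "host:port" -> fingerprint seen on first use."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def save(self) -> None:
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh)

    def check(self, host: str, port: int, cert_der: bytes):
        """Classify the presented certificate, mirroring ssh's prompts:
        'unknown'  never seen; a first-time visitor cannot tell whose it is
        'match'    same certificate as the one pinned earlier
        'changed'  different certificate; the "host key has changed" case
        Returns (verdict, fingerprint)."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown", fp
        if pinned == fp:
            return "match", fp
        return "changed", fp

    def accept(self, host: str, port: int, cert_der: bytes) -> None:
        """Pin the certificate.  Only call this after the fingerprint has
        been compared out of band with the operator, as you would for an
        ssh host key."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)
        self.save()


def demo():
    """Walk through the three verdicts with constructed certificate bytes
    standing in for DER, then confirm the pin survives a reload."""
    cert_v1 = b"constructed-cert-for-example.invalid-v1"  # not real DER
    cert_v2 = b"constructed-cert-for-example.invalid-v2"  # a different cert
    with tempfile.TemporaryDirectory() as tmp:
        store = KnownHosts(os.path.join(tmp, "known_hosts.json"))
        verdicts = [store.check("example.invalid", 443, cert_v1)[0]]  # unknown
        store.accept("example.invalid", 443, cert_v1)  # verified out of band
        verdicts.append(store.check("example.invalid", 443, cert_v1)[0])  # match
        verdicts.append(store.check("example.invalid", 443, cert_v2)[0])  # changed
        reloaded = KnownHosts(store.path)  # a later session reads the same file
        verdicts.append(reloaded.check("example.invalid", 443, cert_v1)[0])  # match
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The 'unknown' verdict is the substance of Valdis' point: on a first visit the store is empty and nothing in the protocol tells you whether the fingerprint belongs to the operator or to whoever is in the path, so `accept()` should only follow an out-of-band comparison, which is workable for Fred and a handful of known users but not for an Internet-facing site. 'changed' is the analog of ssh's "host key has changed" prompt and is the case to refuse rather than click through.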






Soliciting your opinions on routing research: A routing policies survey

2011-09-13 Thread Sharon Goldberg
Hi NANOG,

27 ops have already responded to our routing policies survey; we're
hoping to gather more responses before the week is over.  We're
collecting information about how you configure routing policies in
your network to improve the models we use in our research on routing
and security.  We'll also share the aggregated results with the NANOG
list.

The survey is anonymous and should take under 5 minutes to complete.
Feel free to answer all our questions, or just a few:
http://www.cs.toronto.edu/~phillipa/measurement/opsurvey/survey.php

We'd also be grateful if you could forward the survey to ops at other
organizations who may not be reading NANOG. Thanks to all of you who
have responded so far!

Phillipa Gill (U of Toronto), Michael Schapira (Princeton), Sharon
Goldberg (Boston University)



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Chris Adams
Once upon a time, Tei  said:
> He, I just want to self-sign my certs and remove the ugly warning that
> browsers show.

SSL without some verification of the far end is useless, as a
man-in-the-middle attack can create self-signed certs just as easily.

-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-13 Thread Tei
*a random php programmer shows*

He, I just want to self-sign my certs and remove the ugly warning that
browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
just don't want to use cleartext for internet data transfer.  HTTP is like
telnet, and HTTPS is like ssh. But with ssh you can just connect, with
browsers there's this ugly warning and "fuck you, self-signed certificate"
from the browsers.  Please make the pain stop!

--Tei

-- 
--
End of message.


Re: vyatta for bgp

2011-09-13 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 22:38:57 BST, Nick Hilliard said:

> Let's throw some figures around (ridiculously simplified):  a company has a
> choice between a pair of $10k software routers or something like a pair of
> MX80s for $25k each.  So, one solution costs $20k; the other $50k.  $30k
> cost difference works out as $625 per month depreciation (4 year).  I.e.
> not going to affect the bottom line in any meaningful way.
> 
> Now say that this company has a DoS attack for 24h, and the company
> effectively loses one day of revenue.  On the basis that there are 260
> office working days per year, the point at which spending an extra $30k for
> a hardware router would be of net benefit to the company would be 260*30k =
> $7.8m.  I.e. if your annual revenue is higher than that, and if spending
> that cash would mitigate against your DoS problems, then it would be worth
> your while in terms of direct loss mitigation.
> 
> Of course, this analysis is quite simplistic and excludes things like
> damage to reputation, online stores, the likelihood of DoS attacks
> happening in the first place, the cost of transit and many other points of
> reality.

One important thing it overlooks is what percent of DDoS attacks are simple
"flood the pipe" attacks directed at a target behind the router.  If you've got
a 100M or 1G pipe to the outside world and you're getting hammered by multiple G
worth of packets, things are going to suck no matter what the router is.  And
let's face it, kicking that pipe to 10G is gonna cost a bit.





Re: vyatta for bgp

2011-09-13 Thread Valdis . Kletnieks
On Mon, 12 Sep 2011 20:48:31 CDT, Jimmy Hess said:

> One thing..  the OP was asking about anyone using Vyatta for BGP.
> Using Vyatta for BGP doesn't necessarily mean the Vyatta unit is actually
> a device forwarding the packets...  someone could be using it as a route
> server, or for otherwise populating forwarding tables of other devices
> with third-party next hops :-)

I would expect a properly configured Vyatta running as a route server
to be pretty darn near zortch-proof, no?  (Barring BGP packet-o-death
issues of course - but is there a router vendor who *hasn't* had at
least 2 or 3 of those? ;)




BGP Communities for H.E. and Deltacom?

2011-09-13 Thread Graham Wooden
Hi there,

Anyone know what the acceptable BGP communities are for H.E. and
Deltacom?
At one of our POPs we're using an aggregate provider and I need to help them
to fix some prefixes that I am announcing from another POP (i.e. lower the
metric so the backhaul is only used on failure of the other side).

I was hoping that they would be listed on the One Step's bgp community
listing.  Any links to such documents for both HE and Deltacom would be
great and would be much appreciated. Thank you,

-graham




Re: vyatta for bgp

2011-09-13 Thread Alain Hebert

Hi,

In the past, I helped a few small ISPs (sub 1Gbps) with software 
router setups like Vyatta (well, FreeBSD/64 + Quagga really).


Until recently the hardware required to run over 500Mbps could be 
as pricey as a pair of recycled Cisco 7206VXRs, since most MBs were coming 
with only 1 PCI bus, which could kill the BW+PPS depending on the 
number of interfaces you use.


Now-a-days MBs with more than 1 PCI bus have become cheaper and 
shouldn't be a problem.


It's all in the setup anyway:

2 servers ($3k each with 4 interfaces).
Split your uplink on each router.
1 link for "client-reflector" | OSPF | between 
the routers.

VRRP back-end.

PS: Sub 10Gbps, any DDoS will kill the link before killing those 
routers, but there are solutions to this which are hella-easy to deal with 
in this situation.


-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911    http://www.pubnix.net    Fax: 514-990-9443


On 09/12/11 14:42, Ben Albee wrote:

> Does anybody currently use vyatta as a bgp router for their company? If
> so have you run into any problems with using that instead of a cisco or
> juniper router?





Re: vyatta for bgp

2011-09-13 Thread Tom Hill
On Mon, 2011-09-12 at 15:41 -0400, Jared Geiger wrote:
> There was a bug where you couldn't use two IPv4 peers and then add
> IPv6. I haven't tested the newest versions yet to see if it still
> exists. Works great for two IPv4 peers.

Discussion between developers on bugfixes can often be seen in ##vyatta
on Freenode. :)

I find it interesting to idle/chime-in occasionally at least.

Tom