[Nanog-futures] Proposed bylaws amendment: committee simplification

2011-09-27 Thread Steven Feldman
NANOG members and other interested folks,

The NANOG board is considering a bylaws amendment for the ballot to simplify
some of the rules around committees.  We plan to vote later this week on
the final language for this amendment, and would appreciate any comments
or suggestions.

Thanks,
Steve

Rationale:

Substantial portions of the roles of the Event Logistics committee and the
Budget and Finance committee are now being carried out by the Executive
Director and staff, with oversight by the Treasurer and other board members.
This amendment eliminates the permanent status of those committees, and
allows the board discretion to create new ad hoc committees as needs change.

The proposed language below would:

- Eliminate the finance and event committees as standing committees
- Allow the board to create other ad-hoc committees as needed to perform
  specific tasks
- Clarify that all committee chairs are given non-voting ex-officio seats
  on the board, which are not counted towards a quorum
- Fix a few other minor language issues and typos

The actual proposed ballot language is:

--
- In section 8.6, replace the text "at least four members" with "at least
four voting members".

- Replace section 9 introductory text with:

The Board of Directors will create three standing committees to fulfill
the NewNOG mission.  Those committees will be the Program Committee, the
Communication Committee, and the Membership and Development Committee.
The Board may also at its discretion create ad hoc committees to carry out
other functions as needed.  All members of committees must be Members in
Good Standing of NewNOG.  The chairperson of each committee will serve ex
officio in a non-voting role on the Board of Directors, in order to
facilitate communication between the groups.

- In section 9.1.2, replace the word "Council" with "Committee".

- In section 9.2.3, replace the misspelled word "Acceptible" with "Acceptable".

- In section 9.2.5, delete the sentence:

The chairperson of the Communications Committee will serve ex officio in
a non-voting role on the Board of Directors, in order to facilitate
communication between the two groups.

- In section 9.3.1, delete the sentence:

The chairperson of the Membership and Development Committee will serve ex
officio in a non-voting role on the Board of Directors, in order to
facilitate communication between the two groups.

- Replace section 9.4 with:

9.4 Ad Hoc Committees

The Board of Directors may from time to time create ad hoc committees and
appoint members as needed to carry out specific functions.

- Delete section 9.5.

- In section 10.3.2, delete the sentence:

The Chair of the Program Committee will serve ex officio in a non-voting
role on the Board of Directors, in order to facilitate communication between
the two groups.
--

___
Nanog-futures mailing list
Nanog-futures@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-futures


Re: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-27 Thread Jens Link
valdis.kletni...@vt.edu writes:

> Does anybody actually *have* a functional 7 track drive?

Maybe the people running http://www.cray-cyber.org have one.

(If you ever come to Munich, try to visit this museum.) 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Nxdomain redirect revenue

2011-09-27 Thread Christopher Morrow
On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess mysi...@gmail.com wrote:
> On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson
> william.allen.simp...@gmail.com wrote:
> [snip]
> > Certainly, hijacking google.com NS records to JOMAX.NET would be a
> > criminal interference.  After all, that's all DNSsec signed now,
> > isn't it?
>
> I would rather see DNSSEC and TLS/HTTPS get implemented end to end.

how does tls/https help here? if you get sent to the 'wrong host'
whether or not it does https/tls is irrelevant, no? (save the case of
chrome and domain pinning)

> The solution is to spread their name as widely as possible, so
> consumers can make an informed
> choice if they wish to avoid service providers that engage in abusive
> practices,
> and bring it attention to regulators if the service providers are
> acting as an abusive monopoly in regards to their interception
> practices.

sadly, not everyone has a choice in providers  :(



Re: Nxdomain redirect revenue

2011-09-27 Thread Valdis . Kletnieks
On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said:
> On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess mysi...@gmail.com wrote:
>
> > I would rather see DNSSEC and TLS/HTTPS get implemented end to end.
>
> how does tls/https help here? if you get sent to the 'wrong host'
> whether or not it does https/tls is irrelevant, no? (save the case of
> chrome and domain pinning)

Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the
provenance of an SSL cert is the whole reason Jimmy probably wants DNSSEC and
TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended
up at the wrong host...





Re: Nxdomain redirect revenue

2011-09-27 Thread William Allen Simpson

On 9/27/11 7:50 AM, Jimmy Hess wrote:

> On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson
> william.allen.simp...@gmail.com wrote:
> [snip]
> > Certainly, hijacking google.com NS records to JOMAX.NET would be a
> > criminal interference.  After all, that's all DNSsec signed now,
> > isn't it?
>
> I would rather see DNSSEC and TLS/HTTPS get implemented end to end.

They are.

> The last thing we need is a court to step in and say "It's not legal
> for an ISP to
> blacklist, block, or redirect traffic, to any hostname or IP address."

Don't distort my words.  It amuses me when so-called conservative
cyber-libertarians hate the idea of courts stepping in to enforce
laws, except the laws governing their own contracts enforcing
payments regardless of the quality of their goods.

The cable and satellite industry forced through digital protection
acts -- to protect their revenue streams.  Now, it's time to use
those acts against them.

It's not legal for an ISP to modify computer data.  Especially
digitally signed data.  That's a criminal offense.

It's not legal for a vendor to sell or give away equipment that aids
interception and modification of data.  That's a criminal offense.

> Most likely the ISPs' lawyers were smart enough to include a clause
> in the ToS/AUP allowing
> the ISP to intercept, blackhole, or redirect access to any hostname or
> IP address.

It's not legal to insert a clause allowing criminal conduct.  There's
no safe haven for criminal conduct.

> The name for an ISP intercepting traffic from its own users is not
> "interference" or "DoS",
> because they're breaking the operation of (er) only their own network.

No, they're breaking the operation of my network and my computers.  My
network connects to their network.

> The solution is to spread their name as widely as possible, so
> consumers can make an informed
> choice if they wish to avoid service providers that engage in abusive practices,
> and bring it attention to regulators if the service providers are
> acting as an abusive monopoly in regards to their interception
> practices.


There are no choices.  They *are* abusive monopolies.

Why are regulators better than courts?

After all, the regulators will also involve courts.



Re: Environmental monitoring options

2011-09-27 Thread Jason Antman
eric clark wrote:
> I'd like to ask the list what products people are using to monitor their
> environments. By this I'm referring to datacenters, and other equipment.
> Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
> detection, all that sort of thing.
>
> I've used Netbotz in the past. Looking to see what else is out there that
> people like.
>
> Thanks
>
> E
Coming from a University environment... data center has all sorts of
different solutions, including some NetBotz. Leak detection and physical
plant/HVAC stuff is mostly legacy (bell and flashing lights) in the
Ops room. Latest project has been deploying Websensors
(http://www.eesensors.com/WebsensorEM01B.html) distributed around the
room. We also have a few prototype boards, sort of like a netbotz
without the camera, that were done as a senior project for an EE student
a few years back... actually quite stable and useful.

In smaller TCs/ERs, i.e. anything one room with a few racks, we
generally either have a netbot plus whatever addon for the UPS or, if we
have a services machine deployed there (Linux box for dhcp/dns/remote
access) we use a Dallas One-Wire adapter with some sensors, accessed
through OWFS on that box and monitored in Nagios.

-J. Antman

-- 

Jason Antman
System Administrator
Rutgers University
OIT Central Systems & Services / NetOps

Office: 732-445-6363
Cell: 732-983-7256
jant...@oit.rutgers.edu




RE: Environmental monitoring options

2011-09-27 Thread Tony Patti
Hi Eric,

Also take a look at IT Watch Dogs at http://www.itwatchdogs.com/ 

Tony Patti
CIO
S. Walter Packaging Corp.
t...@swalter.com
phone: 215-676-
fax: 215-698-7119
http://www.swalter.com



-Original Message-
From: eric clark [mailto:cabe...@gmail.com] 
Sent: Tuesday, September 27, 2011 10:06 AM
To: NANOG list
Subject: Environmental monitoring options

I'd like to ask the list what products people are using to monitor their
environments. By this I'm referring to datacenters, and other equipment.
Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
detection, all that sort of thing.

I've used Netbotz in the past. Looking to see what else is out there that
people like.

Thanks

E




Re: Nxdomain redirect revenue

2011-09-27 Thread Valdis . Kletnieks
On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said:

> It's not legal for an ISP to modify computer data.  Especially
> digitally signed data.  That's a criminal offense.

Citation?

Hint - a *big* chunk of ISPs have NAT deployed, and that's messing with packet
headers.  Much as many of us would like to see NAT go away, I don't think we
want an environment where deploying NAT gets us a new roommate and best friend
named Bubba.  Oh, and if you're not modifying the TTL field, you're Doing It
Wrong.

> It's not legal for a vendor to sell or give away equipment that aids
> interception and modification of data.  That's a criminal offense.

Again, citation?

Meanwhile, CALEA *requires* you to have a network that aids in at least
the interception of data.  What's a poor ISP to do?




Re: Nxdomain redirect revenue

2011-09-27 Thread Christopher Morrow
On Tue, Sep 27, 2011 at 10:19 AM,  valdis.kletni...@vt.edu wrote:
> On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said:
> > On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess mysi...@gmail.com wrote:
> >
> > > I would rather see DNSSEC and TLS/HTTPS get implemented end to end.
> >
> > how does tls/https help here? if you get sent to the 'wrong host'
> > whether or not it does https/tls is irrelevant, no? (save the case of
> > chrome and domain pinning)
>
> Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the
> provenance of an SSL cert is the whole reason Jimmy probably wants DNSSEC and
> TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended
> up at the wrong host...

to paraphrase mo: this will not scale (you can't possibly pin
everyone that matters (to all users) inside the binary)  It's a cute
intermediate trick until the CA problem is resolved/executed and
DNSSEC arrives in full (on the service AND client side).

-chris



Re: Environmental monitoring options

2011-09-27 Thread bgold
> I'd like to ask the list what products people are using to monitor their
> environments. By this I'm referring to datacenters, and other equipment.
> Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
> detection, all that sort of thing.
>
> I've used Netbotz in the past. Looking to see what else is out there that
> people like.
>
> Thanks
>
> E


We've been using RoomAlert units (http://environmentmonitor.com/)
monitored by nagios via snmp. Multiple temp/humidity probes, power, flood,
etc. All graphed nicely by pnp4nagios.



Re: Environmental monitoring options

2011-09-27 Thread David
We're using Asentria units.  They do temp/humidity monitored via snmp.

David 

Sent from my iPhone

On Sep 27, 2011, at 10:05 AM, eric clark cabe...@gmail.com wrote:

> I'd like to ask the list what products people are using to monitor their
> environments. By this I'm referring to datacenters, and other equipment.
> Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
> detection, all that sort of thing.
>
> I've used Netbotz in the past. Looking to see what else is out there that
> people like.
>
> Thanks
>
> E



Re: Nxdomain redirect revenue

2011-09-27 Thread Rubens Kuhl
On Tue, Sep 27, 2011 at 11:48 AM,  valdis.kletni...@vt.edu wrote:
> On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said:
>
> > It's not legal for an ISP to modify computer data.  Especially
> > digitally signed data.  That's a criminal offense.
>
> Citation?

Could tampering with DNSSEC and/or TLS fall into DMCA grounds ?



Rubens



RE: Nxdomain redirect revenue

2011-09-27 Thread Schiller, Heather A


Paxfire gets sued:
http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html
http://www.courthousenews.com/2011/08/08/38796.htm
http://www.pcmag.com/article2/0,2817,2390529,00.asp

Paxfire files counter suit:
http://www.techdirt.com/articles/20110809/17305215460/paxfire-responds-says-it-doesnt-hijack-searches-will-seek-sanctions-against-lawyers.shtml
http://www.techdirt.com/articles/20110906/03371515808/paxfire-sues-lawyers-individual-who-filed-class-action-lawsuit-over-its-search-redirects.shtml
http://www.prweb.com/releases/2011/9/prweb8765163.htm

-Original Message-
From: William Allen Simpson [mailto:william.allen.simp...@gmail.com] 
Sent: Tuesday, September 27, 2011 4:58 AM
To: nanog@nanog.org
Subject: Re: Nxdomain redirect revenue

On 9/26/11 4:29 AM, Florian Weimer wrote:
> Is this with strict NXDOMAIN rewriting, or were existing names
> redirected as well?  (AFAIK, most platforms do the latter, hijacking
> bfk.de, for example.)

Has anybody tried bringing a criminal complaint for interference with computer 
(network) data?

Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal 
interference.  After all, that's all DNSsec signed now, isn't it?

Arguably, substituting a false reply for NXDOMAIN would be, too.

It's time to find a champion to lead the charge.  Maybe Google?






Re: flow generating tool

2011-09-27 Thread james machado
you might also try D-ITG  http://www.grid.unina.it/software/ITG/index.php

james



Re: Nxdomain redirect revenue

2011-09-27 Thread David Miller

On 9/27/2011 11:41 AM, Rubens Kuhl wrote:

> On Tue, Sep 27, 2011 at 11:48 AM, valdis.kletni...@vt.edu wrote:
> > On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said:
> > > It's not legal for an ISP to modify computer data.  Especially
> > > digitally signed data.  That's a criminal offense.
> >
> > Citation?
>
> Could tampering with DNSSEC and/or TLS fall into DMCA grounds ?


Doubtful.  DMCA (the C is Copyright) protects copyright owners.  I have 
never seen anyone claim copyright over their DNS records.


Interesting thought, but copyright law is a tangled mess that I would 
guess is probably the wrong tactic if someone were planning to legally 
oppose/attack service providers using NXDOMAIN redirection.  Also, only 
the 'owner' of a copyright can bring suit.


-DMM




Re: Nxdomain redirect revenue

2011-09-27 Thread William Allen Simpson

On 9/26/11 4:29 AM, Florian Weimer wrote:
> Is this with strict NXDOMAIN rewriting, or were existing names
> redirected as well?  (AFAIK, most platforms do the latter, hijacking
> bfk.de, for example.)

I responded:

> Has anybody tried bringing a criminal complaint for interference with computer
> (network) data?
>
> Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal
> interference.  After all, that's all DNSsec signed now, isn't it?
>
> Arguably, substituting a false reply for NXDOMAIN would be, too.
>
> It's time to find a champion to lead the charge.  Maybe Google?

On 9/27/11 12:34 PM, Schiller, Heather A top posted:

> Paxfire gets sued:
> http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html
> http://www.courthousenews.com/2011/08/08/38796.htm
> http://www.pcmag.com/article2/0,2817,2390529,00.asp
>
> Paxfire files counter suit:
> http://www.techdirt.com/articles/20110809/17305215460/paxfire-responds-says-it-doesnt-hijack-searches-will-seek-sanctions-against-lawyers.shtml
> http://www.techdirt.com/articles/20110906/03371515808/paxfire-sues-lawyers-individual-who-filed-class-action-lawsuit-over-its-search-redirects.shtml
> http://www.prweb.com/releases/2011/9/prweb8765163.htm


Thanks, Heather, I didn't know/remember about the civil suit.  Good start.

But I'm talking about criminal.  They're different.



Re: Nxdomain redirect revenue

2011-09-27 Thread William Allen Simpson

On 9/27/11 11:41 AM, Rubens Kuhl wrote:

> On Tue, Sep 27, 2011 at 11:48 AM, valdis.kletni...@vt.edu wrote:
> > On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said:
> > > It's not legal for an ISP to modify computer data.  Especially
> > > digitally signed data.  That's a criminal offense.
> >
> > Citation?
>
> Could tampering with DNSSEC and/or TLS fall into DMCA grounds ?


Good thought, but I was thinking more along the lines of UETA and
E-SIGN, along with the usual criminal penalties for forgery and
fraud (and intent to defraud).

I'm pretty sure those are state by state.

On the US Federal level, there's 18 USC 2511 - Interception and
disclosure of wire, oral, or electronic communications prohibited.

In any case, there's plenty of law to choose, we simply need a solid
test case.  Family members are Wide Open West (WOW) subscribers, and
they are listed among the miscreant companies that Heather linked.
I'd happily be a plaintiff based on my use of their network, but we
probably need some actual affected subscribers.



Re: Nxdomain redirect revenue

2011-09-27 Thread John Levine
> It's not legal for an ISP to modify computer data.  Especially
> digitally signed data.  That's a criminal offense.

It is indeed illegal to break into someone else's computer and
tamper with the data therein.

It is frankly ridiculous to try to apply that law to data in your own
equipment.  If you think computer tampering laws apply to the
operation of one's own DNS cache, provide case law.

For case law confirming that similar language in the Stored
Communication Act doesn't apply to data on your own equipment, see the
recently dismissed cases of Holomaxx vs. Microsoft and Holomaxx
vs. Yahoo.

R's,
John

PS: Can we stop playing Junior Lawyer now?




Authoritative DNS server for 12.54.94.0/23 PTR

2011-09-27 Thread Mike Gatti
Hello Nanog Members, 

We have been having some issues doing reverse lookups for IPs in the
12.54.94.0/23 prefix. We know that this block is assigned to AT&T and AT&T has
assigned that block to Siemens Medical (based on whois queries). We are now
trying to find out who would be the authoritative DNS server that would resolve
PTR queries for these IP addresses. Would someone from AT&T (or Siemens) or
someone that has that info please contact me offline to discuss?

Thanks Everyone, 
--
Michael Gatti  
cell.949.735.5612
ekim.it...@gmail.com
(UTC-8)






Re: Authoritative DNS server for 12.54.94.0/23 PTR

2011-09-27 Thread Wilson Abigaba
Hi Michael,

Have you tried reaching the contacts at
http://whois.arin.net/rest/poc/JMO282-ARIN.html directly?

Kind Regards,
Wilson


On Tue, Sep 27, 2011 at 22:21, Mike Gatti ekim.it...@gmail.com wrote:
> Hello Nanog Members,
>
> We have been having some issues doing reverse lookups for IPs in the
> 12.54.94.0/23 prefix. We know that this block is assigned to AT&T and AT&T
> has assigned that block to Siemens Medical (based on whois queries). We are
> now trying to find out who would be the authoritative DNS server that would
> resolve PTR queries for these IP addresses. Would someone from AT&T (or
> Siemens) or someone that has that info please contact me offline to discuss?
>
> Thanks Everyone,
> --
> Michael Gatti
> cell.949.735.5612
> ekim.it...@gmail.com
> (UTC-8)








Re: flow generating tool

2011-09-27 Thread Rafael Rodriguez
If a software based solution is OK, check out IxChariot, endpoints can be 
Windows, Linux, OS X, and Solaris. Used it years ago and was happy with it.
http://www.ixchariot.com/



Sent from my iPhone

On Sep 26, 2011, at 6:07, Naiden Dimitrov naiden.dimit...@maxtelecom.bg wrote:

> Hello,
>
> I need a tool that generates traffic flows from different source IP addresses
> for network tests.
>
> Regards,
>
> Naiden Dimitrov
> Mobile: +359 885 906 155
> naiden.dimit...@maxtelecom.bg <mailto:naiden.dimit...@maxtelecom.bg>
> www.maxtelecom.bg <http://www.maxtelecom.bg>
 



Re: Authoritative DNS server for 12.54.94.0/23 PTR

2011-09-27 Thread Keegan Holley
it looks like AT&T still answers the queries.  I'd assume that any changes
would have to be authorized by the customer though.  Why not just call
Siemens Medical?

; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 12.54.91.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21619
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.91.54.12.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
54.12.in-addr.arpa.	900	IN	SOA	xbru.br.ns.els-gms.att.net. rm-hostmaster.ems.att.com. 1179 86400 1 60 172800



2011/9/27 Mike Gatti ekim.it...@gmail.com

> Hello Nanog Members,
>
> We have been having some issues doing reverse lookups for IPs in the
> 12.54.94.0/23 prefix. We know that this block is assigned to AT&T and AT&T
> has assigned that block to Siemens Medical (based on whois queries). We are
> now trying to find out who would be the authoritative DNS server that would
> resolve PTR queries for these IP addresses. Would someone from AT&T (or
> Siemens) or someone that has that info please contact me offline to discuss?
>
> Thanks Everyone,
> --
> Michael Gatti
> cell.949.735.5612
> ekim.it...@gmail.com
> (UTC-8)








Re: Nxdomain redirect revenue

2011-09-27 Thread Nick Hilliard
On 27/09/2011 19:31, John Levine wrote:
> For case law confirming that similar language in the Stored
> Communication Act doesn't apply to data on your own equipment, see the
> recently dismissed cases of Holomaxx vs. Microsoft and Holomaxx
> vs. Yahoo.

In Europe, things are slightly different.  Traffic snooping is considered
to be a breach of consumer data protection directives and is treated
accordingly.  One of the more interesting cases was BT + Phorm:

 http://en.wikipedia.org/wiki/Phorm#European_Commission_case_against_UK_over_Phorm

While the case never went to court, all parties backed down and there
hasn't been a similar case since then.

There is another aspect to this: european IP service providers can claim
mere conduit status (similar to US common carrier) under the terms of
the Electronic Commerce Directive 2000/31/EC (as transcribed into local
legislation), provided during the process of transmission they do not
select or modify the information contained in the transmission.  It would
seem possible that changing DNS packets in transit could come under the
scope of select or modify, thereby leaving the IP service provider liable
for the information transmitted.  This can act as a deterrent to service
providers who feel that modifying data in-flight is a good idea.

Nick




Re: Nxdomain redirect revenue

2011-09-27 Thread JC Dill

On 27/09/11 7:20 AM, William Allen Simpson wrote:




> > Most likely the ISPs' lawyers were smart enough to include a clause
> > in the ToS/AUP allowing
> > the ISP to intercept, blackhole, or redirect access to any hostname or
> > IP address.
>
> It's not legal to insert a clause allowing criminal conduct.  There's
> no safe haven for criminal conduct.



I'm not sure that it's *illegal to insert a clause* for conduct that is 
forbidden by law.  I'm pretty sure you can claim almost anything in the 
contract.  What is illegal is enforcement of an illegal clause.  Law 
trumps contract terms - that's WHY we have civil laws - to protect 
people from unscrupulous business dealings.  And that's why most 
contracts have a clause that says if a particular clause in the contract 
is found invalid the rest of the contract still stands - because so many 
contracts DO have invalid clauses.  For example, many employment 
contracts have non-compete clauses that forbid the employee from going 
to work for a competitor.  But in many states these clauses violate the 
state's right-to-work laws.  The company lawyers KNOW the clause is 
illegal, but they insert it in the employment contracts anyway, to try 
to fool employees into thinking they will get sued if they go to work 
for a competitor.




> > The name for an ISP intercepting traffic from its own users is not
> > "interference" or "DoS",
> > because they're breaking the operation of (er) only their own network.
>
> No, they're breaking the operation of my network and my computers.  My
> network connects to their network.


But you have no recourse, their network, their rules.  (Right?)  You 
*might* have recourse if they were modifying traffic you sent to their 
customer, but in this case they are modifying traffic that originates 
FROM their customer.  I'm not convinced that redirecting this traffic is 
any different from blocking it (e.g. firewall to prevent employees from 
accessing facebook or torrents).


I believe the only entity who has recourse is the entity who is paying 
them for service - e.g. their (paying) customer.


jc




Re: Nxdomain redirect revenue

2011-09-27 Thread Robert Bonomi
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org  Tue Sep 27 15:54:37 2011
> Date: Tue, 27 Sep 2011 13:54:26 -0700
> From: JC Dill jcdill.li...@gmail.com
> To: NANOG list nanog@nanog.org
> Subject: Re: Nxdomain redirect revenue
>
> On 27/09/11 7:20 AM, William Allen Simpson wrote:
> > > Most likely the ISPs' lawyers were smart enough to include a clause
> > > in the ToS/AUP allowing
> > > the ISP to intercept, blackhole, or redirect access to any hostname or
> > > IP address.
> >
> > It's not legal to insert a clause allowing criminal conduct.  There's
> > no safe haven for criminal conduct.
>
> I'm not sure that it's *illegal to insert a clause* for conduct that is
> forbidden by law.  I'm pretty sure you can claim almost anything in the
> contract.  What is illegal is enforcement of an illegal clause.  Law
> trumps contract terms - that's WHY we have civil laws - to protect
> people from unscrupulous business dealings.  And that's why most
> contracts have a clause that says if a particular clause in the contract
> is found invalid the rest of the contract still stands - because so many
> contracts DO have invalid clauses.  For example, many employment
> contracts have non-compete clauses that forbid the employee from going
> to work for a competitor.  But in many states these clauses violate the
> state's right-to-work laws.  The company lawyers KNOW the clause is
> illegal, but they insert it in the employment contracts anyway, to try
> to fool employees into thinking they will get sued if they go to work
> for a competitor.
>
> > > The name for an ISP intercepting traffic from its own users is not
> > > "interference" or "DoS",
> > > because they're breaking the operation of (er) only their own network.
> >
> > No, they're breaking the operation of my network and my computers.  My
> > network connects to their network.
>
> But you have no recourse, their network, their rules.  (Right?)  You
> *might* have recourse if they were modifying traffic you sent to their
> customer, but in this case they are modifying traffic that originates
> FROM their customer.  I'm not convinced that redirecting this traffic is
> any different from blocking it (e.g. firewall to prevent employees from
> accessing facebook or torrents).
>
> I believe the only entity who has recourse is the entity who is paying
> them for service - e.g. their (paying) customer.

In the specific case of 'falsifying' a DNS return for what would have been
a NXDOMAIN, that is mostly correct.  But consider what happens when
you get into the situation of querying a DNSBL operator -- where an 'error'
result _is_ a desired return value.

Now, when the provider returns 'false and misleading' data for what would
be, under normal conditions, a SUCCESSFUL query -- say, returning a 'bogus'
address for a well-known search-engine, so as to be able to manipulate the
results -- then the party whose traffic is being 'stolen', and sent to the
bogus server, THAT party may well have grounds for a civil suit for 'tortious
interference with a business relationship'.  In this situation, there are
also possible criminal sanctions, under 'wiretapping' prohibitions, among
others.
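The distinction Robert draws above, between a resolver lying about a name that does not exist and lying about one that does, is exactly what a resolver check has to preserve. As an added example (not code from any poster in this thread), the following Python builds queries for random labels under an assumed probe zone, parses the wire-format reply, and flags a resolver that returns a positive answer for a name it should have reported as nonexistent; the `expected_nxdomain` flag is the same knowledge a DNSBL client relies on, for which "not found" is the normal, meaningful answer. PROBE_ZONE, the 198.51.100.7 landing address and the constructed responses are assumptions for the example.

```python
import random
import socket
import string
import struct

PROBE_ZONE = "example.net"   # assumed probe zone; random labels under it never exist
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A = 1


def build_query(name, qid=0x1234, qtype=TYPE_A):
    """Wire-format DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return (rcode, answers) where answers is a list of (name, type, rdata);
    A-record rdata is rendered as a dotted quad, anything else is left as bytes."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rdata))
    return rcode, answers


def classify(response, expected_nxdomain):
    """Label one response: 'nxdomain', 'answer', 'rewritten' (a positive answer
    for a name known not to exist), or 'rcodeN' for any other error."""
    rcode, answers = parse_response(response)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR:
        return "rewritten" if (answers and expected_nxdomain) else "answer"
    return "rcode%d" % rcode


def rewriting_verdict(responses):
    """Across responses for several random nonexistent names, decide whether
    the resolver rewrites NXDOMAIN and collect the landing address(es)."""
    landing = set()
    for resp in responses:
        if classify(resp, expected_nxdomain=True) == "rewritten":
            landing.update(a for _, t, a in parse_response(resp)[1] if t == TYPE_A)
    return bool(landing), sorted(landing)


def make_response(query, rcode, addrs=()):
    """Constructed response to `query` for offline use: echo the question, set
    `rcode`, and add one A record per address via a pointer to the question name."""
    flags = struct.pack("!H", 0x8180 | rcode)          # QR, RD, RA set
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 60, 4)
                   + socket.inet_aton(a) for a in addrs)
    return query[:2] + flags + struct.pack("!HHHH", 1, len(addrs), 0, 0) + query[12:] + rrs


def probe_resolver(resolver_ip, count=3, timeout=2.0):
    """Live probe (needs network, not run offline): query `count` random labels
    under PROBE_ZONE against `resolver_ip` and return the raw responses."""
    responses = []
    for _ in range(count):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        query = build_query("%s.%s" % (label, PROBE_ZONE), qid=random.randrange(65536))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (resolver_ip, 53))
            responses.append(sock.recvfrom(4096)[0])
    return responses
```

Only `probe_resolver()` touches the network; `rewriting_verdict(probe_resolver("<resolver ip>"))` gives the live verdict, while everything else runs against responses built with `make_response()`.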




RSVP-TE and link coloring

2011-09-27 Thread Jack Bates
Question, do vendors/protocol work well with specifying different colors 
on opposite sides of a link?


What I was wondering is if I could make one direction of a ring one 
color and the other direction a different color for ease of path 
selection in RSVP-TE.



Jack



Re: Environmental monitoring options

2011-09-27 Thread Eric Stockwell
We use both the ITWatchDogs MiniGoose and the NTI EnviroMux. Both 
provide similar feature sets,  but the MiniGoose has a nicer web 
interface and is less expensive.


Eric Stockwell
Optic Fusion


On 09/27/2011 07:05 AM, eric clark wrote:

> I'd like to ask the list what products people are using to monitor their
> environments. By this I'm referring to datacenters, and other equipment.
> Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
> detection, all that sort of thing.
>
> I've used Netbotz in the past. Looking to see what else is out there that
> people like.
>
> Thanks
>
> E




Re: Nxdomain redirect revenue

2011-09-27 Thread Owen DeLong

On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote:

> On Tue, Sep 27, 2011 at 5:29 PM, David E. Smith d...@mvn.net wrote:
> > On Tue, Sep 27, 2011 at 17:08, Jimmy Hess mysi...@gmail.com wrote:
> > > That is, HTTPs should become assumed.
> > As much as that would be wonderful from a security standpoint, IMO
> > it's not realistic to expect every mom-and-pop posting a personal Web
> > site to pay extra for a static/dedicated IP address from their hosting
> > company (even if IPv6 were widely deployed, Web hosts probably would
>
> Thanks to TLS SNI (server name indication), a dedicated IP address is
> no longer necessary,
> RFC 3546, 3.1.

Except when it is.

> Yes, it is realistic to expect every mom-and-pop posting a personal
> web site to utilize a provider that implements SNI,  and the sooner
> they do it.

No, it isn't because it requires you to send the domain portion of the URL
in clear text and it may be that you don't necessarily want to disclose even
that much information about your browsing to the public.

> It's also realistic to expect them to buy one of those $15 SSL certificates.
> Heck, 1 year .COM registration used to cost a lot more than that.

Meh... I disagree. I don't think there's any reason to encrypt web sites
that don't use authentication and are not providing personally identifying
information or other secret data. I run several web servers virtual and
real on one of my systems. Some of them have SSL, some of them don't.
Even the ones that have SSL don't encrypt everything. There's no reason
to encrypt that which does not need encryption and it's just an extra cost
in terms of server resources and client resources to do so.

> We're not talking about huge recurring costs here.

That depends. If it's a popular web site that delivers a lot of content,
the additional CPU horsepower just to do the cryptography and the
additional power to drive it could actually be very significant.

For the average mom and pop, no, it's not a huge cost, but, neither is
it necessarily a cost worth bothering with.

Frankly, I don't expect static (or at least static-enough) addresses to
cost extra in IPv6. You can already get a /48 from Hurricane Electric
for free as long as you have IPv4 access. I suspect that eventually
other IPv6 providers will have to at least match that standard.

Owen
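Owen's point that the domain portion crosses the wire in the clear can be checked directly. As an added example (not code from any poster in this thread), the following Python builds a constructed ClientHello carrying a server_name extension and then recovers the hostname from the raw record with no key material at all, which is precisely what a tap or middlebox between the client and the server sees before any handshake secret exists. The cipher-suite values and the record layout details are assumptions made for the example.

```python
import os
import struct


def build_client_hello(server_name, include_sni=True, cipher_suites=(0x1301, 0xC02F)):
    """Constructed ClientHello record: only the fields the parser walks are
    realistic (version, random, session id, cipher suites, compression, extensions)."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list if include_sni else b""
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"               # version, random, empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's server_name extension,
    or None when the bytes are not a ClientHello, are truncated, or lack SNI."""
    try:
        if record[0] != 0x16:                                    # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                        # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                             # skip version + random
        off += 1 + body[off]                                     # session id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]     # cipher suites
        off += 1 + body[off]                                     # compression methods
        if off + 2 > len(body):
            return None                                          # no extensions block at all
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data, off = body[off + 4:off + 4 + elen], off + 4 + elen
            if etype != 0x0000:                                  # only server_name matters here
                continue
            pos, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while pos + 3 <= list_end:
                ntype, nlen = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
                if ntype == 0:
                    return data[pos + 3:pos + 3 + nlen].decode("idna")
                pos += 3 + nlen
        return None
    except (IndexError, struct.error):                           # truncated or malformed input
        return None
```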




Re: Nxdomain redirect revenue

2011-09-27 Thread Rubens Kuhl
On Tue, Sep 27, 2011 at 7:29 PM, David E. Smith d...@mvn.net wrote:
> On Tue, Sep 27, 2011 at 17:08, Jimmy Hess mysi...@gmail.com wrote:
> > That is, HTTPs should become assumed.
>
> As much as that would be wonderful from a security standpoint, IMO
> it's not realistic to expect every mom-and-pop posting a personal Web
> site to pay extra for a static/dedicated IP address from their hosting
> company (even if IPv6 were widely deployed, Web hosts probably would
> charge extra for this just on principle), and to pay extra for an SSL
> certificate, even a weak one that only verifies the domain name.

Self-signed certificates published thru DNSSEC using CAA/DANE can cost nothing.
(And somebody else pointed out SNI to have TLS work without exclusive
IP requirement)

Rubens



Re: Nxdomain redirect revenue

2011-09-27 Thread Jimmy Hess
On Tue, Sep 27, 2011 at 6:09 PM, Owen DeLong o...@delong.com wrote:
> On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote:
>
> No, it isn't because it requires you to send the domain portion of the URL
> in clear text and it may be that you don't necessarily want to disclose even
> that much information about your browsing to the public.

That's OK.  You're kind of mincing security objectives here.
In regards to preventing tactics such as domain hijacking by service providers,
the goal behind this would be integrity, not confidentiality.

The objective of using SSL is not to strongly encrypt data to keep it
secret, it's
to apply whatever is necessary to provide a level of integrity assurance.

The SSL cipher can almost be the null cipher, for all it matters,
but at least RC4 56-bit or so would be needed, because
the null cipher doesn't have message digests in TLS.

--
-JH



Re: Nxdomain redirect revenue

2011-09-27 Thread Jussi Peltola
On Tue, Sep 27, 2011 at 04:09:03PM -0700, Owen DeLong wrote:
> No, it isn't because it requires you to send the domain portion of the URL
> in clear text and it may be that you don't necessarily want to disclose even
> that much information about your browsing to the public.

And speaking https to a per-domain ip address reveals nothing about
browsing habits?



Re: Nxdomain redirect revenue

2011-09-27 Thread Matthew Palmer
On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote:
> On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
> morrowc.li...@gmail.com wrote:
>
> > how does tls/https help here? if you get sent to the 'wrong host'
> > whether or not it does https/tls is irrelevant, no? (save the case of
> > chrome and domain pinning)
>
> Because the operator of the wrong host cannot obtain a SSL
> certificate for the right host's domain from a legitimate CA.

Oh, if only 'twere true... even without control of the DNS for the domain,
there have been plenty of certificates erroneously issued.  With DNS
control, doing the necessary validation steps required for the issuance of a
certificate is child's play.

Then, of course, there's the issues with what constitutes a legitimate CA;
the list of CAs that I'd never want to trust, but which are in my browser by
default, is long and notorious.

- Matt