RE: L2 redundant VPN

2013-01-22 Thread Adam Vitkovsky
 Run MPLS over these four boxes and build L2 pseudowires across

Using link bundling and one router at each end has faster convergence and
it's cheaper; you can do L2TPv3 if you can't have MPLS.

adam






Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Matt Palmer
On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
 This article may be of interest:
 
  http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
 
 Basically, a Montreal student, developing mobile software to interface
 with the school's system, found a bug. Reported it. And when he tested to see
 if the bug had been fixed, got caught and was expelled.
 
 In the context of this thread, they found a vulnerability in the web
 site's architecture that allowed them to access any student's records.
 
 This is the perfect type of incident you can bring to your boss to
 justify proper architecture/security for your web site. How would you
 react if it was your company's name in the headline ?

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site.  There are
so many site vulnerabilities these days that they're not news.  What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

See Also: First State Superannuation.

- Matt




Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Suresh Ramasubramanian
On Tuesday, January 22, 2013, Matt Palmer wrote:

 That article doesn't justify security review, it justifies not being a
 complete knob when someone reports a security hole in your site.  There are
 so many site vulnerabilities these days that they're not news.  What *is*
 news is when the vulnerable organisation goes off the deep end and massively
 overreacts to the situation.


Report - yes.  What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not.   Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him
out.

Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.

--srs


-- 
--srs (iPad)


RE: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-22 Thread Jamie Bowden
 From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
 On Fri, 18 Jan 2013 09:03:31 -0500, William Herrin said:


  On the technical side, enterprises have been doing large-scale NAT for
  more than a decade now without any doomsday consequences. CGN is not
  different.


 Corporate enterprises have been pushing GPO to the desktop for more
 than a decade as well.  Feel free to try to push GPO to Joe Sixpack's PC,
 let me know how that works out for you.

We don't even do NAT here.  Our corporate parent has PI space that they've had 
since the Jurassic period of the internet and we mostly live on that (there are 
spots of 1918 addresses, but not for NAT purposes, think temporary networks in 
lab spaces).  Access to the internet at large is all via proxy, there is no 
direct way out.

Jamie



Re: DNS resolver addresses for Sprint PCS/3G/4G

2013-01-22 Thread Robert Drake


On 1/16/2013 7:13 PM, Jay Ashworth wrote:

 I've noticed, for quite some time, that there seems to be a specific category
 of slow that I see in using apps on my HTC Supersonic/Sprint EVO, on both
 their 3G and 4G networks, and I wonder if it isn't because the defined
 resolvers are 8.8.4.4 and 8.8.8.8, which aren't *on* Sprint's networks.
 
 Does anyone have, in their magic bag of tricks, IP addresses for resolvers
 that *are* native to that network, that they wouldn't mind whispering in my
 ear?
Not directly PCS, but ns[1-3].sprintlink.net are used for their 
recursive DNS for customers.  They're anycasted so you should be able to 
just use the first IP (204.117.214.10).  I don't know what these are 
because I haven't been a customer for years, but it appears they may 
have servers specific to PCS as well:


PING ns1.sprintpcs.net (69.43.160.200) 56(84) bytes of data.
rdrake@terminal:~$ host ns2.sprintpcs.net
ns2.sprintpcs.net has address 69.43.160.200
rdrake@terminal:~$ host ns3.sprintpcs.net
ns3.sprintpcs.net has address 69.43.160.200

well, at least one server.

Except:

69.43.160.200 traces through to an XO customer in California:

Castle Access Inc ARIN-CASTLE-ALLOC (NET-69-43-128-0-1) 69.43.128.0 - 
69.43.207.255


Perhaps they do some special things on the PCS side to make this DNS 
server work.


I would use 204.117.214.10.


 Offlist is fine.  Yes, I owe the list summaries on a couple earlier
 questions; I still have the details to write from.  :-}
 
 Cheers,
 -- jra





Re: Security reporting response handling [was: Suggestions for the future on your web site]

2013-01-22 Thread Alain Hebert
Hi,

(Mind the English, like my French, it's awful)

Going from, what seems to be, a non-service impacting XSS scan to
expulsion is a bit of a trek.  I'm sure there is a big chunk of story
missing.  Besides, a 20yo is rarely aware of the proper etiquette when it
comes to scanning websites and the worst he should have got is a sit
down with security experts to explain to him how to go about it in the
future.

Hopefully, stories like this will provide more incentive to 3rd
party software providers to add this type of scan to their QA.  And
train their developers in the art of internet security when it comes
to XSS/SQL Injection (see OWASP/etc).

PS: Being in Montreal, too bad someone already offered him a job :(
I may have some part-time work for a bright kid soon.

-
Alain Hebert   aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911   http://www.pubnix.net   Fax: 514-990-9443

On 01/22/13 06:27, Suresh Ramasubramanian wrote:
 On Tuesday, January 22, 2013, Matt Palmer wrote:

 That article doesn't justify security review, it justifies not being a
 complete knob when someone reports a security hole in your site.  There are
 so many site vulnerabilities these days that they're not news.  What *is*
 news is when the vulnerable organisation goes off the deep end and massively
 overreacts to the situation.

 Report - yes.  What this kid seems to have done is - reported it, got
 thanked for it. Then went ahead and pentested the site to see for himself
 whether the bug was fixed or not.   Which justifies the company asking him
 to stop I guess - and it definitely justifies the kid's prof chewing him
 out.

 Expulsion, maybe not, though the article I read said 14 out of 15 profs in
 his college voted to boot the kid out.

 --srs






Tw telecom noc/routing contact needed

2013-01-22 Thread Eric J Esslinger
I've been fighting with an issue with a Time Warner Telecom customer whose site 
is unreachable from our ip blocks, as well as a number of other ip blocks 
within my upstream's network according to the call I made to them.  All I'm 
getting through listed arin contacts are apparently unmonitored maildrops and 
customer contact numbers that won't put me through to a live person without a 
valid TW phone or circuit number.
Based on the behavior I suspect a reverse routing issue back to our ip blocks 
but have been unable to get much help from the other end of the problem.
I need to speak to someone, and if someone reading this list has info but 
doesn't want to share it, if they can pass my contact info on I can be 
contacted via this email or the phone number in my signature. Thank you.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

This message may contain confidential and/or proprietary information and is 
intended for the person/entity to whom it was originally addressed. Any use by 
others is strictly prohibited.



RE: Tw telecom noc/routing contact needed

2013-01-22 Thread Eric J Esslinger

Someone from Time warner has gotten in contact with me, thanks.
__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165



 -Original Message-
 From: Eric J Esslinger
 Sent: Tuesday, January 22, 2013 10:49 AM
 To: 'nanog@nanog.org'
 Subject: Tw telecom noc/routing contact needed


 I've been fighting with an issue with a Time Warner Telecom
 customer whose site is unreachable from our ip blocks, as
 well as a number of other ip blocks within my upstream's
 network according to the call I made to them.  All I'm
 getting through listed arin contacts are apparently
 unmonitored maildrops and customer contact numbers that won't
 put me through to a live person without a valid TW phone or
 circuit number. Based on the behavior I suspect a reverse
 routing issue back to our ip blocks but have been unable to
 get much help from the other end of the problem. I need to
 speak to someone, and if someone reading this list has
 info but doesn't want to share it, if they can pass my
 contact info on I can be contacted via this email or the
 phone number in my signature. Thank you.
 __
 Eric Esslinger
 Information Services Manager - Fayetteville Public Utilities
 http://www.fpu-tn.com/
 (931)433-1522 ext 165

 This message may contain confidential and/or proprietary
 information and is intended for the person/entity to whom it
 was originally addressed. Any use by others is strictly prohibited.



This message may contain confidential and/or proprietary information and is 
intended for the person/entity to whom it was originally addressed. Any use by 
others is strictly prohibited.

Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

2013-01-22 Thread Valdis . Kletnieks
On Mon, 21 Jan 2013 23:23:16 -0500, Jean-Francois Mezei said:
 This article may be of interest:

  http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/

 Basically, a Montreal student, developing mobile software to interface
 with the school's system, found a bug. Reported it. And when he tested to see
 if the bug had been fixed, got caught and was expelled.

 In the context of this thread, they found a vulnerability in the web
 site's architecture that allowed them to access any student's records.

 This is the perfect type of incident you can bring to your boss to
 justify proper architecture/security for your web site. How would you
 react if it was your company's name in the headline ?

The interesting part is where the same people who were totally unaware
that they had a major security hole until it was pointed out to them
were also able to issue a very fast blanket denial that any student's
information was in fact compromised.  Sure, you can check your logs for
the footprint of the attack - but apparently this wasn't actually being
done before the student mentioned it to them.





RE: CGN fixed/hashed nat question

2013-01-22 Thread Dan Wing
 -Original Message-
 From: Eric Oosting [mailto:eric.oost...@gmail.com]
 Sent: Monday, January 21, 2013 9:06 AM
 To: NANOG
 Subject: CGN fixed/hashed nat question
 
 Let me start out by saying I'm allergic to CGN, but I got to ask the
 question:
 
 Some of the CGN providers are coming out with fixed nat solutions for
 their IPv6 transition/IPv4 preservation technologies to reduce logging.
 This appears to provide for a static mapping of outside ports/IPs to a
 particular customer such that the service provider doesn't need to log
 literally every session through the box.
 
 At the last nanog, I seem to remember someone stepping up and discussing
 the problems associated with just taking ports 1025 through 1025+X and
 giving it to some customer and had brought up the idea of using a hash
 or salt to map what would appear to be random ports to a customer in
 such a way that you could reverse the port back to the customer later if
 need be.
 For the life of me, I can't find anything on the internets about this
 concept.
 
 I had it in my head it was a lightning talk or something, but reviewing
 the agenda doesn't ring any bells. Anyone know what I'm talking about
 and what it's called?


later, Eric Oosting eric.oost...@gmail.com wrote:

  draft-donley-behave-deterministic-cgn
 
 That's it. Or more specifically, the section of that draft that points
 to https://tools.ietf.org/html/rfc6431#section-2.2

I am also not a fan of CGN or NAT, but I co-chair the IETF's BEHAVE
working group that works on NAT.

draft-donley-behave-deterministic-cgn provides that functionality in
an attempt to help randomize ports (see RFC6056).  However, because
the ports are fixed and there are relatively few ports, an attacker
can determine the ports by causing the victim to open a bunch 
of TCP connections.  This can be done by a bunch of img src tags
in an HTML-encoded email message, among other mechanisms.  If the
hashing causes no logging, it creates a new requirement for a strong
audit trail of the CGN configuration.

The hashing provided by draft-donley-behave-deterministic-cgn is 
not necessary to avoid logging every session.  Rather, the reduction
occurs by generating 1 logging event when creating  mapped
ports.  If using the CGN configuration, then no logging event needs
to be generated.

To date, the BEHAVE working group has not standardized any of
the proposed hashing techniques because several require coordination
between the devices (such as CPE and CGN), or between the log
generator and log consumer, or are functions self-contained within
a device and don't require standards action.

-d
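
A worked illustration of the two points Dan makes above: a fixed per-subscriber port block (sequential or permuted with a key) lets the operator reverse an external port to a subscriber from configuration alone, with no per-session log, and the same fixedness hands an attacker who can make the victim open a handful of connections the small set of ports all later connections will use. This is editor-added example code, not anything from the thread, from draft-donley-behave-deterministic-cgn or from RFC 6431; the single external address, the 100.64.0.0/26 subscriber range, the 1024-port blocks and the HMAC-sorted permutation are assumptions chosen for the example.

```python
"""Deterministic CGN port mapping: operator-side reverse lookup versus
attacker-side port prediction.  Added example; all constants are assumptions."""
import hashlib
import hmac
import ipaddress
import random

EXTERNAL_IP = ipaddress.ip_address("203.0.113.1")         # one shared address (assumption)
INSIDE_NET = ipaddress.ip_network("100.64.0.0/26")          # subscriber pool (assumption)
FIRST_PORT = 1024                                           # ports below this never handed out
PORTS_PER_SUB = 1024                                        # fixed block size (assumption)
NUM_BLOCKS = (65536 - FIRST_PORT) // PORTS_PER_SUB          # 63 blocks behind EXTERNAL_IP


def subscriber_index(inside_ip):
    """Subscriber number 0.. derived from the inside address (host part minus one)."""
    ip = ipaddress.ip_address(inside_ip)
    if ip not in INSIDE_NET or ip == INSIDE_NET.network_address:
        raise ValueError("not a subscriber address")
    return int(ip) - int(INSIDE_NET.network_address) - 1


class DeterministicCGN:
    """Each subscriber owns one fixed block of external ports.  Sequential mode
    gives subscriber i block i; hashed mode assigns blocks through a keyed
    bijection (block numbers sorted by their HMAC tag).  In both modes an
    (external IP, port) pair reverses to the subscriber without any session log."""

    def __init__(self, hashed=False, key=b""):
        if hashed:
            def tag(blk):
                return hmac.new(key, blk.to_bytes(2, "big"), hashlib.sha256).digest()
            order = sorted(range(NUM_BLOCKS), key=tag)      # order[blk] = subscriber owning blk
            self.block_of_sub = {sub: blk for blk, sub in enumerate(order)}
        else:
            self.block_of_sub = {i: i for i in range(NUM_BLOCKS)}
        self.sub_of_block = {blk: sub for sub, blk in self.block_of_sub.items()}

    def port_block(self, inside_ip):
        """The fixed port range this subscriber may use."""
        start = FIRST_PORT + self.block_of_sub[subscriber_index(inside_ip)] * PORTS_PER_SUB
        return range(start, start + PORTS_PER_SUB)

    def translate(self, inside_ip, rng=random):
        """Outbound session: pick a port at random inside the subscriber's own block
        (randomised selection within the block, in the spirit of RFC 6056)."""
        return EXTERNAL_IP, rng.choice(self.port_block(inside_ip))

    def reverse(self, external_port):
        """Operator lookup for an abuse report.  Only the CGN configuration is
        consulted, which is why that configuration itself needs a strong audit trail."""
        if external_port < FIRST_PORT:
            raise ValueError("port not in the CGN pool")
        blk = (external_port - FIRST_PORT) // PORTS_PER_SUB
        return ipaddress.ip_address(int(INSIDE_NET.network_address) + self.sub_of_block[blk] + 1)


def attacker_candidates(observed_ports):
    """What an off-path attacker learns after making the victim open a few
    connections (e.g. img src tags in an HTML mail): every observed port sits in
    one aligned block, so the victim's next port must come from that same block.
    Assumes the attacker knows the block size, a deployment-wide constant."""
    blocks = {(p - FIRST_PORT) // PORTS_PER_SUB for p in observed_ports}
    if len(blocks) != 1:
        return set(range(FIRST_PORT, 65536))                # learnt nothing
    start = FIRST_PORT + blocks.pop() * PORTS_PER_SUB
    return set(range(start, start + PORTS_PER_SUB))


def demo():
    """Five observed connections from a victim, then the attacker's candidate set
    for the sixth: (candidate count, whether the real port is in it, operator reverse)."""
    rng = random.Random(7)                                  # seeded for a reproducible run
    cgn = DeterministicCGN(hashed=True, key=b"operator-secret")
    victim = "100.64.0.17"
    seen = [cgn.translate(victim, rng)[1] for _ in range(5)]
    cand = attacker_candidates(seen)
    nxt = cgn.translate(victim, rng)[1]
    return len(cand), nxt in cand, cgn.reverse(nxt)


if __name__ == "__main__":
    print(demo())
```

The keyed permutation changes which block a subscriber gets, not how many ports the subscriber has, so the attacker's candidate set shrinks from the whole pool to one block either way; the key only protects the inside-address-to-block relation, which the attacker never needed.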





Re: CGN fixed/hashed nat question

2013-01-22 Thread Dobbins, Roland

On Jan 23, 2013, at 4:52 AM, Dan Wing wrote:

 If using the CGN configuration, then no logging event needs to be generated.

Behavioral/statistical telemetry is very important for security, traffic 
engineering/capacity planning, and troubleshooting purposes.  The overwhelming 
need for it is orthogonal to any schemes for hashing NAT source/dest ports.  

What's needed in this regard for CGNs (for any NATs/proxies, really) is 
something analogous to Cisco's NSEL for ASA, hopefully implemented as IPFIX EEs.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton