RE: Outgoing traffic problem on Citrix Netscaler Load Balancer
Hi again,

I continue to work on fixing the problem, but no success so far. Is there any way to use client port number without enabling use source ip??

-Original Message-
From: Anil KARADAG [mailto:akara...@netas.com.tr]
Sent: Monday, March 31, 2014 3:51 PM
To: Pui Edylie; Paul Bertain
Cc: nanog@nanog.org
Subject: RE: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi,

Thanks for solution but I cannot use it, because backend servers must know netscaler snip ip for clients. So I need fixed proxy port to communication with backend servers.

-Original Message-
From: Pui Edylie [mailto:em...@edylie.net]
Sent: Monday, March 31, 2014 3:23 PM
To: Anil KARADAG; Paul Bertain
Cc: nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi Anil,

Take a look at http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-nw-ipaddrssng-enabling-use-src-ip-mode-tsk.html - use the client's port.

We prefer F5 LTM much better than Netscaler :)

Cheers,
Edy

On 3/31/2014 8:17 PM, Anil KARADAG wrote:

Hi Paul,

Thanks for reply, it works :). But I have another problem; source port is altered by the virtual service. However, we need the source port to be the same on the destination servers. Is there a way to ensure this?

Thanks

-Original Message-
From: Paul Bertain [mailto:p...@bertain.net]
Sent: Tuesday, March 25, 2014 10:47 PM
To: Anil KARADAG
Cc: nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi Anil,

Have you setup MBF? I've seen that as an issue before. If you don't have a default route set, then MBF might help you send the response out the interface on which it was received.

Paul

On Mar 24, 2014, at 11:46 PM, Anil KARADAG akara...@netas.com.tr wrote:

Hi,

I setup a netscaler load balancer for sip traffic on Amazon EC2. Clients packets are arrived to the backend servers over to the load balancer but any responses cannot be arrived to clients. I see the responses on the load balancer. I think there is a config problem for that but I don't know and did not find any solution for that. How can I fix the outbound traffic issue.

thanks
RE: [mailop] IPv6 DNSBL
Maybe you did not understand my message. I know what you say. However: I see a message from a list as a message-from-a-list, not as a forwarded-message-from-a-list-user. Because: How can a user authorize someone to send a message on behalf of his/her name (by sending an email). This should not ever happen.

Example: A bank sends me an email which was authorized (in some way). I now forward this message. The message is genuinely not modified. But it still does not authorize me to send this email pretending to be the bank, even if it is the same message.

Conclusion: If an email was sent by me, it should be authorized/authenticated by me. For mailing lists you might want to indicate that the message can be interpreted as being forwarded for a specific user. In that way the user-interface of the email client can reply to a user directly instead of the mailing list. If that is what one wants.

David Hofstee
Deliverability Management
MailPlus B.V. Netherlands (ESP)

-Original Message-
From: John Levine [mailto:jo...@taugh.com]
Sent: Monday, March 31, 2014 4:47 PM
To: mai...@mailop.org
CC: David Hofstee
Subject: Re: [mailop] IPv6 DNSBL

> I don't see how forwarding should break authentication.

This is SPF's famous limitation. It's been debated to death, no need to rerun the argument again.

DKIM survives normal forwarding, which was one of its design goals, but mailing lists typically modify the message by adding subject tags or message footers, stripping attachments, and the like, which breaks the incoming signature. That's been debated to death, too.

It always seemed to me that lists should sign their mail, publish SPF for the list's bounce addresses, and recipients would use the list's reputation to filter. Some people apparently have a security model I don't understand that evaluates the spamminess of list messages by the presence of signatures from the individual contributors.

R's,
John
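An added illustration, not part of either message above, of why a list footer breaks an incoming DKIM signature while plain forwarding does not. It computes only the DKIM body hash (the bh= tag) under the two body canonicalizations of RFC 6376 sections 3.4.3 and 3.4.4; header signing is out of scope. The message bodies, the footer and the function names are constructed for the example.

```python
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/TAB, strip trailing whitespace on
    each line, ignore trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    digest = hashlib.sha256(CANON[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def bh_still_valid(signed_body: bytes, delivered_body: bytes, canon: str) -> bool:
    """True if the body hash computed at signing time still matches on delivery."""
    return body_hash(signed_body, canon) == body_hash(delivered_body, canon)


# Constructed sample bodies (CRLF line endings, as on the wire).
SIGNED = b"Hi all,\r\n\r\nI'm looking for a mail contact.\r\n\r\nThanks,\r\nSender\r\n"
# Relayed unchanged by a forwarder.
FORWARDED = SIGNED
# Same text after a relay changed whitespace and added blank lines at the end.
REWRAPPED = (b"Hi all,  \r\n\r\nI'm looking\tfor a   mail contact.\r\n\r\n"
             b"Thanks,\r\nSender\r\n\r\n\r\n")
# Same text after a mailing list appended its footer (constructed footer).
LIST_COPY = SIGNED + (b"_______________________________\r\n"
                      b"example mailing list\r\n"
                      b"https://lists.example.test/listinfo/example\r\n")


def survey() -> dict:
    """Which delivered variants keep a valid body hash under each canonicalization."""
    variants = {"forwarded": FORWARDED, "rewrapped": REWRAPPED, "list_copy": LIST_COPY}
    return {
        (name, canon): bh_still_valid(SIGNED, body, canon)
        for name, body in variants.items()
        for canon in CANON
    }


if __name__ == "__main__":
    for (name, canon), ok in survey().items():
        print(f"{name:10s} c=?/{canon:8s} bh {'matches' if ok else 'BROKEN'}")
```

A receiver that sees the body hash fail on a list copy has lost the contributor's signature only; a signature added by the list itself over the modified message is unaffected.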
Re: Outgoing traffic problem on Citrix Netscaler Load Balancer
Have you configured RNAT yet? Might tidy up your SIP problem. Do you need the servers to see the client's source port, or is your issue that SIP response traffic is not on the port the client expects?

Give the guide to setting up RNAT here a try - http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-commonprotocols-sip-con.html

tl;dr though -
set rnat server subnet netmask
set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000
RE: Outgoing traffic problem on Citrix Netscaler Load Balancer
My aim is forwarding all sip packages from netscaler snip:client port number to backend server ip: backend server port. I tried the following scenarios;

- use source ip is enabled, use proxy port is set no
  o Result: we see client port as source port but no SNIP for source ip-address
- In additional above configured also RNAT
  o Result: we see SNIP ip address as source ip address but source port again become random.

Checked the citrix support link for rnat, but our sip packages include 'via header' option with SNIP: client port number;

Via: SIP/2.0/UDP netscaler SNIP:5060;received=192.168.184.13;branch=z9hZ4bb1ce74d0f-a161-43af-8f08-2d98cf702742_0efcfc5e_71732184846337
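How a SIP server picks the destination of a UDP response from the top Via header, as an added example that is not part of the thread. It follows RFC 3261 sections 18.2.1 and 18.2.2 and the rport extension of RFC 3581, and shows why a request sent from a random source port is answered on the Via port instead. All addresses, branch values and function names are constructed, apart from the received= value, which is the one in the Via header quoted in the message above; maddr and multicast are not handled.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple


class Via(NamedTuple):
    transport: str
    host: str                         # sent-by host
    port: Optional[int]               # sent-by port, None when omitted
    params: Dict[str, Optional[str]]  # ;name=value parameters (None for flags)


_VIA_RE = re.compile(
    r"^SIP\s*/\s*2\.0\s*/\s*(\w+)\s+"      # protocol / version / transport
    r"(\[[^\]]+\]|[^;:\s]+)(?::(\d+))?"    # sent-by host (or [IPv6]) and port
    r"\s*(.*)$"                            # parameter list
)


def parse_via(value: str) -> Via:
    """Parse one Via header value (the part after 'Via:')."""
    m = _VIA_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a Via header value: {value!r}")
    transport, host, port, rest = m.groups()
    params: Dict[str, Optional[str]] = {}
    for item in rest.split(";"):
        name, sep, val = item.strip().partition("=")
        if name:
            params[name.strip().lower()] = val.strip() if sep else None
    return Via(transport.upper(), host, int(port) if port else None, params)


def stamp_on_receipt(via: Via, src_ip: str, src_port: int) -> Via:
    """What the receiving server adds to the top Via of a request."""
    params = dict(via.params)
    if "rport" in params:
        # RFC 3581: sender asked for symmetric routing; record the real source.
        params["received"] = src_ip
        params["rport"] = str(src_port)
    elif via.host != src_ip:
        # RFC 3261 18.2.1: sent-by differs from the packet source address.
        params["received"] = src_ip
    return via._replace(params=params)


def response_target(via: Via) -> Tuple[str, int]:
    """Where a unicast UDP response is sent, given the stamped top Via."""
    ip = via.params.get("received") or via.host
    rport = via.params.get("rport")
    if rport:                                   # RFC 3581: filled-in rport wins
        return ip, int(rport)
    # RFC 3261 18.2.2: sent-by port, or 5060 when the Via carries none.
    return ip, via.port if via.port is not None else 5060


def reply_returns_to_sender(via_value: str, src_ip: str, src_port: int) -> bool:
    """True if the response goes back to the socket the request came from."""
    stamped = stamp_on_receipt(parse_via(via_value), src_ip, src_port)
    return response_target(stamped) == (src_ip, src_port)


# Constructed capture data: a proxy at 10.0.0.10 advertising port 5060 in Via.
PROXY_IP = "10.0.0.10"
VIA_FIXED = "SIP/2.0/UDP 10.0.0.10:5060;branch=z9hG4bK-constructed-1"
VIA_RPORT = "SIP/2.0/UDP 10.0.0.10:5060;rport;branch=z9hG4bK-constructed-2"

if __name__ == "__main__":
    for label, via, sport in [("random source port, no rport", VIA_FIXED, 41234),
                              ("source port 5060, no rport", VIA_FIXED, 5060),
                              ("random source port, rport", VIA_RPORT, 41234)]:
        target = response_target(stamp_on_receipt(parse_via(via), PROXY_IP, sport))
        print(f"{label:30s} request from {PROXY_IP}:{sport} -> reply to {target}")
```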
Re: Outgoing traffic problem on Citrix Netscaler Load Balancer
Hi Anil,

The command is for the service or servicegroup and it is:

set service name -useproxyport (NO|YES)

Paul
Calculator written in route-map
Hi all,

Do you often find yourself in need of a simple calculator, and all you have available to you is a Brocade or Cisco IOS router? No longer will you experience the horror and dread of mental arithmetics. The route-map calculator is here!

Brocade   : http://instituut.net/~job/calculator-route-map.brocade.txt
Cisco IOS : http://instituut.net/~job/calculator-route-map.ioscisco.txt (file size ~ 12 megabyte)

In general I don't find route-maps useful to accomplish, well, anything. However, this is a striking example of re-usable configuration that has a measurable impact on daily operations!

Calculations can be performed with integers between 1 and 256. The answer will be presented as a rounded positive integer. In case the calculation would result in a negative integer, larger than 2^16 (65536), a helpful error message is generated: 65000:. For divisions and subtractions the order of the BGP communities is relevant, one must always place the operator first!

arithmetic operators:
    'add' operator community: 65000:1
    'multiply' operator community: 65000:2
    'substract' operator community: 65000:3
    'divide' operator community: 65000:4

example output:
    telnet@input-router#show ip bgp routes detail 10.1.1.1 | i COMMUNITIES
    COMMUNITIES: 65000:2 0:63 0:113! calculate 63 * 113
    telnet@input-router#

    telnet@calculator#show ip bgp routes detail 10.1.1.1 | i COMMUNITIES
    COMMUNITIES: 0:7119! result: 7119
    telnet@calculator#

Super convenient right?!

WARNING: due to IOS/Ironware architecture this route-map consumes quite some memory. Always test in a lab before deploying in production!

Kind regards,
Job
Re: Calculator written in route-map
On Tue, 1 Apr 2014, Job Snijders wrote:

> Do you often find yourself in need of a simple calculator, and all you have available to you is a Brocade or Cisco IOS router? No longer will you experience the horror and dread of mental arithmetics. The route-map calculator is here!

Is this meant as a proof that we need better operators for doing stuff based on contents of bgp communities? Because I concur that this is needed! Making it understand that 65000:65003 65000:6500x means take X and prepend your own ASn X times, and not have to do this explicitly.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Microsoft mail contact
Hi all, I'm looking for a Microsoft mail contact, specifically for MTAs in 2a01:111:f400::/48 address space. Please contact me off-list. Thanks, Casey
Re: Microsoft mail contact
Replied Off-list Mehmet On Apr 1, 2014, at 10:53, Casey Deccio ca...@deccio.net wrote: Hi all, I'm looking for a Microsoft mail contact, specifically for MTAs in 2a01:111:f400::/48 address space. Please contact me off-list. Thanks, Casey
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Hi All - The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since. Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :) Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly. Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc Thanks, Clay
RE: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Given that probably 80+% (a guess, but I'd be really surprised at a lower figure) of all internet traffic crosses at least one Cisco device somewhere, I think it would be a huge disservice to discontinue sending these emails. 10 to 15 emails per year isn't much overhead, compared to seemingly never-discussions on mandatory email legal signatures and other fluff.

Chuck
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Tue, 01 Apr 2014 15:24:32 -0400, Chuck Church said:

> Given that probably 80+% (a guess, but I'd be really surprised at a lower figure) of all internet traffic crosses at least one Cisco device somewhere, I think it would be a huge disservice to discontinue sending these emails.

Actually, the *real* value here is for those of us who are *not* Cisco shops, but the box at the other end of the wire *is*, so that we can be aware of what possible problems the other end may encounter
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
--- ckoss...@cisco.com wrote:
From: Clay Kossmeyer ckoss...@cisco.com

> [...] we’re happy to discontinue sending to the NANOG list directly.

Instead of discontinuing them how about one email that contains all the details, rather than one email per detail. Similar to what I sent to the list earlier. For example:

--
The Semiannual Cisco IOS Software Security Advisory has been released. For information please goto this URL:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Advisory titles:
- Session Initiation Protocol Denial of Service Vulnerability
- Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability
- Internet Key Exchange Version 2 Denial of Service Vulnerability
- Network Address Translation Vulnerabilities
- SSL VPN Denial of Service Vulnerability
- Crafted IPv6 Packet Denial of Service Vulnerability
---

scott
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
> The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade

Thank you, much appreciated

> Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we're happy to discontinue sending to the NANOG list directly.

They are lost in the noise of some endless threads

> Cisco maintains a mailing list and RSS feed to which we send our Security Advisories

NANOG having a filtered feed of ISP backbone risk level advisories seems fair

brandon
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Tue, 1 Apr 2014, Brandon Butterworth wrote:

> > The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade
>
> Thank you, much appreciated
>
> > Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly.
>
> They are lost in the noise of some endless threads
>
> > Cisco maintains a mailing list and RSS feed to which we send our Security Advisories
>
> NANOG having a filtered feed of ISP backbone risk level advisories seems fair
>
> brandon

One of the reasons I subscribe to the NANOG list is to get these security advisories. I can always subscribe to another security list if necessary but I would hope that CISCO would continue to send these notices, even if they are in a digest format.

Ted Hatfield
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 04/01/2014 11:44 AM, Clay Kossmeyer wrote:

> Hi All -
>
> The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since.
>
> Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :)
>
> Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly.
>
> Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested:
>
> http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

It's true this information is also available in other forums, but I don't have time to filter thru all of those. I *do* have time for nanog, however, because of the good cross section represented here and because it's worthwhile to be aware of what may be happening in other people's camps, because very frequently problems on one side of the wire can spill over and affect the other side as well. I think the advisories are highly relevant then and absolutely should be included here on nanog.

Thanks.
Re: Calculator written in route-map
Job,

Fun! More generally, BGP has the same computing power as a Turing Machine:

Marco Chiesa, Luca Cittadini, Guiseppe Di Battista, Laurent Vanbever, and Stefano Vissicchio
Using routers to build logic circuits: How powerful is BGP? (ICNP'13)
http://vanbever.eu/pdfs/vanbever_turing_icnp_2013.pdf

-- Jen
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
From: Clay Kossmeyer ckoss...@cisco.com
To: nanog@nanog.org
Cc: Clay Seaman-Kossmeyer (ckossmey) ckoss...@cisco.com
Sent: Tuesday, April 1, 2014 11:44 AM
Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

Hi All -

The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since.

Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :)

Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly.

Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

Thanks,
Clay

Touche'! such is NANOG...a few who post more frequently than most like to umm... Speak-UP.

./Randy
RE: Outgoing traffic problem on Citrix Netscaler Load Balancer
Hi Paul,

I use Netscaler 10.1, and the “use proxy port” option depends on “use source ip”. I don’t understand why I cannot set no for proxy port without enabling source ip. It's a very bad solution for that.

From: Paul Bertain [mailto:p...@bertain.net]
Sent: Tuesday, April 01, 2014 4:58 PM
To: Anil KARADAG
Cc: Alex White-Robinson; Pui Edylie; Paul Bertain; nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi Anil,

The command is for the service or servicegroup and it is:

set service name -useproxyport (NO|YES)

Paul

On Apr 1, 2014, at 1:38, Anil KARADAG akara...@netas.com.tr wrote:

My aim is forwarding all sip packages from netscaler snip:client port number to backend server ip: backend server port. I tried the following scenarios:

- “use source ip” is enabled, “use proxy port” is set to no
  o Result: we see the client port as source port but no SNIP for the source IP address
- In addition to the above, RNAT is also configured
  o Result: we see the SNIP IP address as source IP address but the source port again becomes random.

I checked the citrix support link for rnat, but our sip packages include a ‘via header’ option with SNIP: client port number;

Via: SIP/2.0/UDP netscaler SNIP:5060;received=192.168.184.13;branch=z9hZ4bb1ce74d0f-a161-43af-8f08-2d98cf702742_0efcfc5e_71732184846337

From: Alex White-Robinson [mailto:ale...@gmail.com]
Sent: Tuesday, April 01, 2014 11:00 AM
To: Anil KARADAG
Cc: Pui Edylie; Paul Bertain; nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Have you configured RNAT yet? Might tidy up your SIP problem. Do you need the servers to see the client's source port, or is your issue that SIP response traffic is not on the port the client expects?

Give the guide to setting up RNAT here a try - http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-commonprotocols-sip-con.html

tl;dr though -

set rnat server subnet netmask
set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000

On Tue, Apr 1, 2014 at 7:33 PM, Anil KARADAG akara...@netas.com.tr wrote:

Hi again,

I continue to work on fixing the problem, but no success so far. Is there any way to use client port number without enabling use source ip??

-Original Message-
From: Anil KARADAG [mailto:akara...@netas.com.tr]
Sent: Monday, March 31, 2014 3:51 PM
To: Pui Edylie; Paul Bertain
Cc: nanog@nanog.org
Subject: RE: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi,

Thanks for the solution but I cannot use it, because backend servers must know the netscaler snip ip for clients. So I need a fixed proxy port to communicate with backend servers.

-Original Message-
From: Pui Edylie [mailto:em...@edylie.net]
Sent: Monday, March 31, 2014 3:23 PM
To: Anil KARADAG; Paul Bertain
Cc: nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi Anil,

Take a look at http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-nw-ipaddrssng-enabling-use-src-ip-mode-tsk.html - use the client's port.

We prefer F5 LTM much better than Netscaler :)

Cheers,
Edy

On 3/31/2014 8:17 PM, Anil KARADAG wrote:

Hi Paul,

Thanks for the reply, it works :). But I have another problem; the source port is altered by the virtual service. However, we need the source port to be the same on the destination servers. Is there a way to ensure this?

Thanks

-Original Message-
From: Paul Bertain [mailto:p...@bertain.net]
Sent: Tuesday, March 25, 2014 10:47 PM
To: Anil KARADAG
Cc: nanog@nanog.org
Subject: Re: Outgoing traffic problem on Citrix Netscaler Load Balancer

Hi Anil,

Have you set up MBF? I've seen that as an issue before. If you don't have a default route set, then MBF might help you send the response out the interface on which it was received.

Paul

On Mar 24, 2014, at 11:46 PM, Anil KARADAG akara...@netas.com.tr wrote:

Hi,

I set up a netscaler load balancer for sip traffic on Amazon EC2. Client packets arrive at the backend servers through the load balancer, but no responses arrive at the clients. I see the responses on the load balancer. I think there is a config problem for that but I don't know and did not find any solution for that. How can I fix the outbound traffic issue?

thanks
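Added example, not part of any message in the thread: a check a backend operator could run on a captured request to see whether the packet source agrees with the topmost Via, using the response-routing rules of RFC 3261 section 18.2.2 and RFC 3581 (rport). The SNIP address 10.0.0.10, the random port 31842, the request itself and the function names are constructed assumptions; only the shape of the Via line and the address 192.168.184.13 come from the thread.

```python
import re

# Constructed request. The Via has the shape quoted in the thread; 10.0.0.10 is
# an assumed stand-in for the NetScaler SNIP, which the thread does not give.
SNIP = "10.0.0.10"
REQUEST = (
    "OPTIONS sip:backend.example.test SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {SNIP}:5060;received=192.168.184.13;branch=z9hG4bK-constructed\r\n"
    "Content-Length: 0\r\n\r\n"
)

VIA = re.compile(
    r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/UDP[ \t]+"
    r"(?P<host>\[[^\]]+\]|[^;:,\s]+)(?::(?P<port>\d+))?(?P<params>[^,\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)

def top_via(message):
    """Return (sent-by host, sent-by port or None, parameter dict) of the topmost Via."""
    m = VIA.search(message)
    if m is None:
        raise ValueError("no UDP Via header found")
    params = {}
    for item in filter(None, (p.strip() for p in m.group("params").split(";"))):
        key, _, value = item.partition("=")
        params[key.strip().lower()] = value.strip()
    return m.group("host"), int(m.group("port") or 0) or None, params

def response_target(message, src_ip, src_port):
    """Where a UDP backend sends its response (RFC 3261 18.2.2, RFC 3581); maddr is ignored."""
    _, port, params = top_via(message)
    if "rport" in params:              # RFC 3581: reply to the packet's source port
        return src_ip, src_port
    return src_ip, port or 5060        # received = packet source; port = sent-by port

def check(message, src_ip, src_port):
    """List the ways the packet source disagrees with the topmost Via."""
    host, _, _ = top_via(message)
    findings = []
    if host != src_ip:
        findings.append(f"source IP {src_ip} is not the Via sent-by host {host}")
    _, reply_port = response_target(message, src_ip, src_port)
    if reply_port != src_port:
        findings.append(f"response goes to port {reply_port}, request came from {src_port}")
    return findings

if __name__ == "__main__":
    for label, src in [("USIP on, proxy port NO", ("192.168.184.13", 5060)),
                       ("RNAT", (SNIP, 31842)), ("wanted", (SNIP, 5060))]:
        print(label, check(REQUEST, *src) or "consistent")
```

The three labelled cases correspond to the two scenarios reported in the thread and the behaviour being asked for: the first flags the source address, the second flags the source port, and the third is consistent.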