Re: BCP38 dismissal
On Sep 4, 2008, at 3:22 PM, Gadi Evron wrote:
>> On that you'll have to speak for yourself. We have it on every customer port ;-)
>
> Now that is interesting. Can you share a bit about your implementation hardships, costs, customer complaints, etc?

One customer complaint. Found the customer was looping traffic between two uplinks and helped them fix the problem ;-)

Implementation cost: time/labor to implement automatic management of ACLs on the customer ports. Not all that much cost, since we had already developed infrastructure to do the same thing for customer configurations. Maybe 12 hours of my time coding and testing.

Honestly, I expected a lot more problems than we've had. Especially given the fallout I'd seen on the networks trying to do it with Cisco. But the Force10 gear didn't even notice the effect, and it's been ~2 years since I've even thought much about it.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
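The per-port source filtering and automated ACL upkeep described in the message above can be modelled as follows. This is an added example, not Jo Rhett's code and not part of the thread; the port names, prefixes (documentation ranges), the `INSTALLED` state and every function name are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed inventory: port names and prefixes are illustrative
# (RFC 5737 / RFC 3849 documentation ranges), not taken from the thread.
ASSIGNED = {
    "cust-a": ["192.0.2.0/26", "192.0.2.64/26", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}
# What a hypothetical earlier run left installed on each port.
INSTALLED = {
    "cust-a": ["192.0.2.0/26"],
    "cust-b": ["198.51.100.0/24", "203.0.113.0/24"],  # stale entry
}

def desired_acl(prefixes):
    """Permit list for one customer port; any other source is denied."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))  # merge adjacent blocks
    return out

def acl_diff(installed, desired):
    """Entries to add and to remove so the port matches the inventory."""
    have = set(desired_acl(installed))
    want = set(desired)
    return sorted(want - have, key=str), sorted(have - want, key=str)

def permits(acl, src):
    """True if the packet's source address is inside the port's permit list."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in acl)

def audit(packets, inventory=ASSIGNED):
    """Apply each port's permit list to (port, src, dst) records."""
    acls = {port: desired_acl(p) for port, p in inventory.items()}
    passed, drops = [], Counter()
    for port, src, dst in packets:
        if permits(acls[port], src):
            passed.append((port, src, dst))
        else:
            drops[port] += 1  # a steady drop count on one port is worth a call
    return passed, drops

# Constructed packet records: (ingress port, source, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "198.51.100.7"),   # customer's own address
    ("cust-a", "192.0.2.70", "198.51.100.7"),   # own address, second /26
    ("cust-a", "203.0.113.9", "198.51.100.7"),  # foreign source: spoofed, or
    ("cust-a", "203.0.113.9", "198.51.100.8"),  # transit looped in from another uplink
    ("cust-b", "198.51.100.20", "192.0.2.10"),  # valid source: passes whatever it carries
    ("cust-b", "2001:db8:a::1", "192.0.2.10"),  # v6 source not assigned to cust-b
]

if __name__ == "__main__":
    for port in ASSIGNED:
        add, remove = acl_diff(INSTALLED[port], desired_acl(ASSIGNED[port]))
        print(port, "add:", [str(n) for n in add],
              "remove:", [str(n) for n in remove])
    passed, drops = audit(SAMPLE)
    print("passed:", len(passed), "drops per port:", dict(drops))
```

The `cust-b` record with a valid source is the case raised elsewhere in the thread: source filtering lets it through, so it complements control-plane protection and host hygiene rather than replacing them.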
Re: BCP38 dismissal
On Sep 7, 2008, at 12:18 AM, Randy Bush wrote:
> normally i would have just hit delete. but your ad hominem attack on the messenger needs a response.
>
> the reality of life is that he is correct in that attack traffic comes from legitimate IP sources anyway. therefore, your first duty should be to keep your hosts from joining the massive army of botnets.

Having no hosts, I can't do much about that other than use various good best practices (including BCP38), run ids units looking for compromised hosts, and respond quickly to each abuse report if my IDS doesn't observe it first.

Given that I know of no provider larger than us using BCP38 on every port, and no other provider larger than us that responds to every abuse report, it would appear that we are top of the class in that aspect.

Therefore, when someone says I don't need to do BCP38 because BCP38 doesn't cause problems for them, I consider them a jerk. And yeah, I feel pretty confident looking down my nose at someone like that.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
>> normally i would have just hit delete. but your ad hominem attack on the messenger needs a response.
>>
>> the reality of life is that he is correct in that attack traffic comes from legitimate IP sources anyway. therefore, your first duty should be to keep your hosts from joining the massive army of botnets.
>
> Having no hosts, I can't do much about that other than ...

i suggest you go back to the mail to which you responded obscenely vilifying the poster who was specifically saying he worried about his host before bcp38. that was specifically the subject.

> Given that I know of no provider larger than us using BCP38 on every port

well, that sets an upper bound on the extent of your knowledge, eh. and not a very high one.

randy
RE: BCP38 dismissal
>> i suggest you go back to the mail to which you responded obscenely vilifying the poster who was specifically saying he worried about his host before bcp38. that was specifically the subject.
>
> host in that context was his router, which makes your comment make less sense. (having never seen a big iron router become a client in a botnet, myself) He was talking about big iron control plane policy controls. You must have missed the context.

Actually, Randy is right. We were discussing in context of routers and botnets themselves. Host in my context was about the botnets sending attack from legitimate IP sources that BCP38 will not be able to defeat.

> You want to stop being rude, and start making positive assertions about things you know? I'd love to be wrong, but I've got a whole lot of experience on this topic. If you know better, educate the rest of us.

No, you have demonstrated that the only jerk in this entire forum is no one but you with limited bounds of intelligence. Before you go on and call someone a jerk, idiot and falsely accuse him of ~not wanting to deploy BCP38[1]~, read your own posts and start making positive assertions about things that you know yourself.

[1]: Almost every network that I help manage is operated with BCP38 either with uRPF or even with automatic-scripted SAV (source address verification/filtering)/ACLs.

james
Re: BCP38 dismissal
Jo Rhett wrote:
> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?

normally i would have just hit delete. but your ad hominem attack on the messenger needs a response.

the reality of life is that he is correct in that attack traffic comes from legitimate IP sources anyway. therefore, your first duty should be to keep your hosts from joining the massive army of botnets.

randy
Re: BCP38 dismissal
On Thu, Sep 4, 2008 at 2:12 PM, Greg Hankins [EMAIL PROTECTED] wrote:
> Hey Paul, would you be able to demonstrate this problem? I'd like to see it so that we can investigate and fix it.
>
> You are correct that the first generation of E-Series hardware (EtherScale) had little control plane protection. The current E-Series hardware (TeraScale) has a completely different architecture that rate limits, queues and filters all packets destined to the control plane.

In my current job, I don't have access to this kind of iron. The aforementioned Linksys solution provides more than enough capacity. If you could provide me login/enable access to a current E-series box with no firewalls sitting in front, I can most likely replicate. (Off-list, in the interest of keeping things on-topic, with a follow-up summary sent on-...)

Drive Slow,
Paul Wall
BCP38 dismissal
On Sep 4, 2008, at 7:24 AM, James Jun wrote:
> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).

I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy.

On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:
> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>
> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: BCP38 dismissal
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else.

Indeed it is important. And we were discussing about the fact that Force10 does not even offer this critical feature.

> Anyone else want to stand up and join the I am an asshole club?

You are falsely claiming that somehow we're dismissing BCP38 or otherwise writing it off as some kind of non-important hassle. You are confused and misinformed as to the concurrent nature of the ongoing discussion and your assumptions are far from what I personally think about BCP38. It appears you are the first member of I am an asshole club by the strict title definition.

james
Re: BCP38 dismissal
Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now.

On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:
> Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy.
>
> On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:
>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>
>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>>
>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote:
> Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now.

No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing?

(Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.)

-- TTFN, patrick

> On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:
>> Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy.
>>
>> On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:
>>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>>
>>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>>>
>>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
>
> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?

OK, I'm an asshole. I'm sure BCP38 can prove to be useful, but I'll never drop my shields.

I guess being an asshole is not so bad given that I have plenty of company.
Re: BCP38 dismissal
On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote:
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?

uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean?

Paul Wall
Re: BCP38 dismissal
Patrick, it would appear that you are insulting me by your choice of quotes but from content one would assume you agree with me. Perhaps next time quote the idiot that said attacks BCP38 would stop don't happen any more?

(top posted because the thread is already confused)

On Sep 4, 2008, at 10:05 AM, Patrick W. Gilmore wrote:
> On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote:
>> Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now.
>
> No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing?
>
> (Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.)
>
> -- TTFN, patrick
>
>> On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:
>>> Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy.
>>>
>>> On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:
>>>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>>>
>>>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>>>>
>>>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
>>
>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 10:14 AM, Paul Wall wrote:
> On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote:
>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>
> uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean?

No. Because our F10s aren't susceptible to that, period. I think this whole control panel policing is flat out wrong, but honestly to argue that point I'd have to do some research into what Cisco is doing these days (never had most of the good anti-dos and flood-control stuff F10 has last time I looked) and frankly, it's not within my scope of work so I left that alone.

The focus of my comment was on the BCP38 isn't important, because *THAT* is something that causes grief for me (and everyone) in the day job.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 10:14 AM, james wrote:
> OK, I'm an asshole. I'm sure BCP38 can prove to be useful
>
> I guess being an asshole is not so bad given that I have plenty of company.

It is unfortunately true that you do have lots of company. If I could get away with dropping all routes from people like you I'd be a lot happier. (and we'd all be a lot safer)

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 1:14 PM, james wrote:
>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>
>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>
> OK, I'm an asshole. I'm sure BCP38 can prove to be useful, but I'll never drop my shields.

I am pretty certain James was not suggesting you drop your shields. My understanding is he thinks anyone who -only- protects their own router CPUs, but lets random packets leave their network with fake source addresses for other networks is an ass hole (shields up or not). Assuming that is what he meant, I agree with him.

Now, would you care to reiterate your ass-hole-ness and admit to 10s of 1000s of your closest friends that you let your users attack them (and me!) in undetectable ways, make things like the Kaminsky DNS vulnerability possible, etc.?

-- TTFN, patrick
Re: BCP38 dismissal
> On Sep 4, 2008, at 10:14 AM, james wrote:
>> OK, I'm an asshole. I'm sure BCP38 can prove to be useful
>>
>> I guess being an asshole is not so bad given that I have plenty of company.
>
> It is unfortunately true that you do have lots of company. If I could get away with dropping all routes from people like you I'd be a lot happier. (and we'd all be a lot safer)

Let me put this another way. Calling people names doesn't promote your interests. It starts flame wars.
Re: BCP38 dismissal
On Sep 4, 2008, at 1:12 PM, Jo Rhett wrote:
> Patrick, it would appear that you are insulting me by your choice of quotes but from content one would assume you agree with me. Perhaps next time quote the idiot that said attacks BCP38 would stop don't happen any more?
>
> (top posted because the thread is already confused)

Sorry for the confusion.

Yes, I am a BCP38 evangelist. I apologize if it came across wrong.

-- TTFN, patrick

> On Sep 4, 2008, at 10:05 AM, Patrick W. Gilmore wrote:
>> On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote:
>>> Count you which way? You seem to agree with me. Everyone should be doing both, not discounting BCP38 because they aren't seeing an attack right now.
>>
>> No one sees attacks that BCP38 would stop? Wow, I thought things like the Kaminsky bug were big news. I guess all that was for nothing?
>>
>> (Yes, I am being sarcastic. Anyone who thinks attacks which BCP 38 would stop are not happening in the wild is .. I believe the phrase used was confused and misinformed.)
>>
>> -- TTFN, patrick
>>
>>> On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:
>>>> Count me in. There is no reason to limit our defenses to the one thing that we think is important at one instance in time... attackers change and adapt and multimodal defense is simply good policy.
>>>>
>>>> On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:
>>>>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>>>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>>>>
>>>>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>>>>>
>>>>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
>>>
>>> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
>
> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, Sep 04, 2008 at 01:14:20PM -0400, Paul Wall wrote:
> On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote:
>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>
> uRPF is important. But all the uRPF in the world won't protect you against a little tcp/{22,23,179} SYN aimed at your Force 10 box. Ya know what I mean?

Hey Paul, would you be able to demonstrate this problem? I'd like to see it so that we can investigate and fix it.

You are correct that the first generation of E-Series hardware (EtherScale) had little control plane protection. The current E-Series hardware (TeraScale) has a completely different architecture that rate limits, queues and filters all packets destined to the control plane.

Greg*

(* I am currently employed by Force10.)

-- Greg Hankins [EMAIL PROTECTED]
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote:
> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>
> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?

I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here).

Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was.

> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: BCP38 dismissal
> Sorry for the confusion.
  ^
> Yes, I am a BCP38 evangelist. I apologize if it came across wrong.
  ^^^

OK, Patrick is setting an example. Could we all do likewise and get back to a civil conversation?

> TTFN, patrick

Kudos for a good example. People on this list should not be surprised that other list members do not know everything. This doesn't make them idiots, it just means that there is an opportunity for you to politely educate them and hopefully gain a few converts to whatever cause you are championing.

--Michael Dillon
Re: BCP38 dismissal
On Sep 4, 2008, at 3:38 PM, Gadi Evron wrote:
> On Thu, 4 Sep 2008, Jo Rhett wrote:
>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>
>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>
> I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here).
>
> Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was.

Gadi,

Do you really want to suggest to people that they not implement BCP38?

-- TTFN, patrick
Re: BCP38 dismissal
On Sep 4, 2008, at 12:38 PM, Gadi Evron wrote:
> Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was.

Nice going, Gadi -- let's insult someone who does a good job of protecting your network from his customers.

I spend at least 8 hours a week tracking down attacks originating from non-BCP38 networks. This is still a real problem, and the idea that BCP-38 is some fad that is irrelevant now ... I have no words for this kind of idiocy. Everyone should be doing BCP-38.

Why don't you apply this to your network, instead of sitting around insulting people for your incorrect assumptions about their job?

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Patrick W. Gilmore wrote:
> On Sep 4, 2008, at 3:38 PM, Gadi Evron wrote:
>> On Thu, 4 Sep 2008, Jo Rhett wrote:
>>> On Sep 4, 2008, at 7:24 AM, James Jun wrote:
>>>> Indeed... In today's internet, protecting your own box (cp-policer/control plane filtering) is far more important IMO than implementing BCP38 when much of attack traffic comes from legitimate IP sources anyway (see botnets).
>>>
>>> I'm sorry, but nonsense statements such as these burn the blood. Sure, yes, protecting yourself is so much more important than protecting anyone else. Anyone else want to stand up and join the I am an asshole club?
>>
>> I'm an a??hole! :o) (lotsa folks get corporate bad words filters, here).
>>
>> Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was.
>
> Gadi,
>
> Do you really want to suggest to people that they not implement BCP38?

No. Thank you for calling me on not explaining well.

I suggest that the guy is right. People should take care of their security first before going out and shouting at the world.

That said, I also state that he is probably not in touch with what's been going on in the past few years. Meaning, botnets *do* use spoofing, and DNS amplification attacks. The threat is not theoretical for a few years now and he may simply not be in on it.

As to preaching BCP38, well... it's not an easy leap of thought to make, that your security is tied into the state of security of a box sitting half-way around the world. But that's the case.

Gadi.

> -- TTFN, patrick
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote:
> On Sep 4, 2008, at 12:38 PM, Gadi Evron wrote:
>> Seriously though, everyone should take care of their own end first. The problem is Jo doesn't seem to be in the loop on attacks from recent years, but I am unsure he would change his mind if he was.
>
> Nice going, Gadi -- let's insult someone who does a good job of protecting your network from his customers.
>
> I spend at least 8 hours a week tracking down attacks originating from non-BCP38 networks. This is still a real problem, and the idea that BCP-38 is some fad that is irrelevant now ... I have no words for this kind of idiocy. Everyone should be doing BCP-38.
>
> Why don't you apply this to your network, instead of sitting around insulting people for your incorrect assumptions about their job?

I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there.

So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it.

> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Sep 4, 2008, at 2:56 PM, Gadi Evron wrote:
> I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there.

Yeah, I think the threading was getting confused quite a bit.

> So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it.

On that you'll have to speak for yourself. We have it on every customer port ;-)

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
On Thu, 4 Sep 2008, Jo Rhett wrote:
> On Sep 4, 2008, at 2:56 PM, Gadi Evron wrote:
>> I apologize for making an incorrect assumption and apparently insulting you. My assumption was based on the threading in the email I replied to, as what you write here completely contradicts what was written there.
>
> Yeah, I think the threading was getting confused quite a bit.
>
>> So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it.
>
> On that you'll have to speak for yourself. We have it on every customer port ;-)

Now that is interesting. Can you share a bit about your implementation hardships, costs, customer complaints, etc?

Gadi.

> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: BCP38 dismissal
>> So, we all support BCP38 and nothing really changed from the last time we all had this discussion about why most of us don't use it.
>
> On that you'll have to speak for yourself. We have it on every customer port ;-)

I hope you *also* have it on your NOC and everywhere else that it is practical to have it. Every machine can potentially be taken over and used as a launch point.

Mark

> -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness