Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Joe Shen
Hi, maybe this is an OLD topic, but the problem is "what is security? " or "how to define a secure internet access service ". E.g. should ISP respond for managing application transmitted across its backbone? if so, how to define "standard" application model while keeping internet a flexible platfo

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread bmanning
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote: > I think it's absurd. I expect my water delivery company not to add > pollutants in transit. I expect my water production company to provide > clean water. er.. bad analogy warning... please take a sample of tap water to

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Mark Newton
On Wed, Apr 27, 2005 at 06:06:22AM +, Fergie (Paul Ferguson) wrote: > -- Mark Newton <[EMAIL PROTECTED]> wrote: > > On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote: > > > So much for any sort of journalistic ethic, fact checking, or, unbiased > > > reporting. > > Schneier i

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Fergie (Paul Ferguson)
And you're a network engineer. What's your point? - ferg -- Mark Newton <[EMAIL PROTECTED]> wrote: On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote: > So much for any sort of journalistic ethic, fact checking, or, unbiased > reporting. Schneier isn't a journalist or reporter;

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Mark Newton
On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote: > So much for any sort of journalistic ethic, fact checking, or, unbiased > reporting. Schneier isn't a journalist or reporter; He's a security vendor. - mark -- Mark Newton Email: [EMAIL PROTECTE

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Fergie (Paul Ferguson)
Oh, please. If you think that the Internet should remain an "every man for himself", wild wild west, Ok Corral, situation (not my words, mind you), then you better get with the powers that will steam-roll all of us if we let it -- money and marketing. This ain't no science project anymore. Bru

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Owen DeLong
Why do ISPs owe this to their customers. I expect my ISP to deliver packets sent to me, and, to pass along packets I send out. That is the sum total of what I expect from my ISP, and, it's what my contract says is supposed to happen. Where does this belief that when user A at company Y sends a p

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Fergie (Paul Ferguson)
Oh, come on Jerry, you're beginning to sound like part of the problem. Stop being a knee-jerking curmudgeon for a moment and think about what Schneier is _really_ saying. Being vague, and obfuscating the issue with vague answers doesn't do due diligence. - ferg Jerry Pasker <[EMAIL PROTECTED

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Owen DeLong
I think it's absurd. I expect my water delivery company not to add pollutants in transit. I expect my water production company to provide clean water. This is like asking the phone company to prevent minors from hearing swear-words on telephone calls or prevent people from being able to make prank

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Jerry Pasker
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. It means 10 different things to 10 different people. The article was vague. "Security" could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh)

Re: Schneier: ISPs should bear security burden

2005-04-26 Thread Suresh Ramasubramanian
On 4/27/05, Fergie (Paul Ferguson) <[EMAIL PROTECTED]> wrote: > > I've been there -- I know how I feel about it -- but I'd love > to know how ISP operations folk feel about this. > He's right. ISPs owe it to their users, if not to the rest of the Internet community, to do this. A lot of it is

Schneier: ISPs should bear security burden

2005-04-26 Thread Fergie (Paul Ferguson)
I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this. Links here: http://www.vnunet.com/news/1162720 ...and, of course, here: http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html Off list, if you'd like. Or not.

Re: The "not long discussion" thread....

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Steve Sobol wrote: > Jerry Pasker wrote: > > Steve Sobol replied with: > >> I'm not going to enter into a long discussion with you. :) > >> I'm just curious why you didn't restrict AXFR to certain IPs instead. > > > > And I had router ACLs doing the same thing. Allow to hosts

FCC Chief Wants 911 Service for Internet Phones

2005-04-26 Thread Fergie (Paul Ferguson)
Prepare for the inevitable. http://news.yahoo.com/news?tmpl=story&u=/nm/20050426/wr_nm/telecoms_voip_911_dc - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/

Re: The "not long discussion" thread....

2005-04-26 Thread Steve Sobol
Jerry Pasker wrote: Steve Sobol replied with: I'm not going to enter into a long discussion with you. :) I'm just curious why you didn't restrict AXFR to certain IPs instead. And I'm posting back to NANOG: I did. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for

NPR program: "The Internet as a public utility"

2005-04-26 Thread Frank Coluccio
NPR program: "The Internet as a public utility" Talking heads (audio only) http://www.npr.org/templates/story/story.php?storyId=4618769 A worthy listen, imo, focused primarily on municipal wireless nets. With thanks to Tom Hertz of Fiber utilities of Iowa who posted to the Cook Report discussio

Re: Internet2

2005-04-26 Thread Vicky Rode
since you deviated from my original post... http://www.icir.org/floyd/ccmeasure.html regards, /vicky Daniel Roesen wrote: | On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: | |>Basically I meant to say not congested as the current Internet i

Re: Internet2

2005-04-26 Thread Vicky Rode
Maybe you should check out some performance measurement numbers/papers from ACM (www.acm.org) which should help answer some of your questions. We are doing some interesting measurement research (qos related) and unfortunately I don't have any data to sha

Sheet could shelter Wi-Fi from eavesdroppers

2005-04-26 Thread Fergie (Paul Ferguson)
Well, occasionally something really cool comes along, and you just gotta share it. :-) This is semi-operational, so http://news.com.com/Sheet+could+shelter+Wi-Fi+from+eavesdroppers/2100-1029_3-5685431.html ..there. :-) - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for

Re: Internet2

2005-04-26 Thread Jay Ford
On Tue, 26 Apr 2005, Vicky Rode wrote: > Just wondering how's internet2 community/partners protecting themselves > from lawsuits of illegal use of music/movie downloads. > > In general, how are they protecting themselves from malicious code > infection spreading at internet2 speed? How are the dev

Re: Port 25 - Blacklash

2005-04-26 Thread Dave Rand
[In the message entitled "Re: Port 25 - Blacklash" on Apr 26, 17:50, Daniel Golding writes:] > > Do all of Comcast's markets block port 25? Is there a correlation between > spam volume and the ones that do (or don't)? No. Yes. The ones that don't block port 25 emit more spam than the ones tha

Re: Port 25 - Blacklash

2005-04-26 Thread Daniel Golding
Do all of Comcast's markets block port 25? Is there a correlation between spam volume and the ones that do (or don't)? In any event the malware is already ahead of port 25 blocking and is leveraging ISP smarthosting. SMTP-Auth is the pill to ease this pain/ - Dan On 4/26/05 2:49 PM, "Hank Nus

Re: Port 25 - Blacklash

2005-04-26 Thread Valdis . Kletnieks
On Tue, 26 Apr 2005 14:10:33 PDT, Dave Rand said: > [In the message entitled "Re: Port 25 - Blacklash" on Apr 26, 16:30, Valdis.K [EMAIL PROTECTED] writes:] > > Comcast.net has 31,923 addresses listed at the moment. > They have approximately 40,000 zombies (as measured over all of their > ASNs, fro

Re: Internet2

2005-04-26 Thread Adam McKenna
On Tue, Apr 26, 2005 at 11:18:08PM +0200, Mikael Abrahamsson wrote: > > On Tue, 26 Apr 2005, Vicky Rode wrote: > > >Basically I meant to say not congested as the current Internet is. > > If your ISP has congested links you should complain and switch if not > fixed promptly. WTF.. She asked a

Re: Internet2

2005-04-26 Thread Patrick W. Gilmore
On Apr 26, 2005, at 5:17 PM, Daniel Roesen wrote: On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. It is? Parts. Other parts have better connectivity than I2 nodes. You can't really say anything about the _entire_ Interne

Re: Internet2

2005-04-26 Thread Mikael Abrahamsson
On Tue, 26 Apr 2005, Vicky Rode wrote: Basically I meant to say not congested as the current Internet is. If your ISP has congested links you should complain and switch if not fixed promptly. -- Mikael Abrahamsson email: [EMAIL PROTECTED]

Re: Internet2

2005-04-26 Thread Randy Bush
> Basically I meant to say not congested as the current Internet is. cool. and your measurements of internet congestion are? cites, please. randy

Re: Internet2

2005-04-26 Thread Daniel Roesen
On Tue, Apr 26, 2005 at 02:07:15PM -0700, Vicky Rode wrote: > Basically I meant to say not congested as the current Internet is. It is? Regards, Daniel -- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0

Re: using TCP53 for DNS

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Florian Weimer wrote: > * Christopher L. Morrow: > > > its a both directions thing. Some folks dropped tcp/53 TO their AUTH > > servers to protect against AXFR's from folks not their normal secondaries. > > Ugh. And they didn't think something like "permit tcp any any eq 53

Re: Port 25 - Blacklash

2005-04-26 Thread Dave Rand
[In the message entitled "Re: Port 25 - Blacklash" on Apr 26, 16:30, [EMAIL PROTECTED] writes:] > Comcast.net has 31,923 addresses listed at the moment. > > Do they have 30,000 zombies, or 30,000 customers that post to popular mailing > lists? Quite possibly at least partly the latter, as 24.22

Re: Internet2

2005-04-26 Thread Vicky Rode
I made that up :-) Basically I meant to say not congested as the current Internet is. regards, /vicky Mikael Abrahamsson wrote: | On Tue, 26 Apr 2005, Vicky Rode wrote: | | |>In general, how are they protecting themselves from malicious code |>infectio

Re: Internet2

2005-04-26 Thread Scott Call
On Tue, 26 Apr 2005, Mikael Abrahamsson wrote: What is "internet2 speed"? As far as I can see Internet2 is a 10G based national network. What is so special about that in this day and age? I think the difference is the average connection speeds of the "end users" of the network. It's not at all u

Re: Internet2

2005-04-26 Thread Mikael Abrahamsson
On Tue, 26 Apr 2005, Vicky Rode wrote: In general, how are they protecting themselves from malicious code infection spreading at internet2 speed? How are the devices coping up with filters in place, if any? What is "internet2 speed"? As far as I can see Internet2 is a 10G based national network.

Re: Port 25 - Blacklash

2005-04-26 Thread Valdis . Kletnieks
On Tue, 26 Apr 2005 21:49:24 +0300, Hank Nussbacher said: > > On Tue, 26 Apr 2005, Adam Jacob Muller wrote: > > Doesn't seem to be stemming the tide of emails from Comcast though: > I'm not arguing about Comcast stil

Internet2

2005-04-26 Thread Vicky Rode
Hi there, Just wondering how's internet2 community/partners protecting themselves from lawsuits of illegal use of music/movie downloads. In general, how are they protecting themselves from malicious code infection spreading at internet2 speed? How are t

The "not long discussion" thread....

2005-04-26 Thread Jerry Pasker
I posted to NANOG: Jerry Pasker <[EMAIL PROTECTED]> wrote: fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee vee six stuff compiled in. Because I don't want to start something; No discussion about me blocking port 53, ok? I got tired of gobs of log files of script kiddies t
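
An added example, not code from Jerry's or Steve's posts: Steve's suggestion is to restrict AXFR to the secondaries (BIND's allow-transfer plus the router ACL Jerry mentions) instead of dropping TCP/53 outright, and then to keep an eye on who still tries. The script below audits constructed BIND 9-style log lines against an assumed list of secondaries; the addresses, zone name, log format details and the allow list are all illustrative assumptions.

```python
"""Audit zone-transfer attempts in BIND-style logs against an allow list.

Added example, not from the thread. The log lines are constructed to look
like BIND 9 transfer / security messages; addresses, zone and the secondary
list are illustrative assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumed secondaries allowed to pull the zone (what allow-transfer would list).
ALLOWED_SECONDARIES = [ipaddress.ip_network(n)
                       for n in ("198.51.100.0/29", "203.0.113.7/32")]

# Constructed sample log (BIND 9-style wording; not real traffic).
SAMPLE_LOG = """\
26-Apr-2005 10:01:12.001 client 198.51.100.2#53012: transfer of 'example.net/IN': AXFR started
26-Apr-2005 10:01:12.400 client 198.51.100.2#53012: transfer of 'example.net/IN': AXFR ended
26-Apr-2005 10:03:44.122 client 192.0.2.10#4321: zone transfer 'example.net/IN' denied
26-Apr-2005 10:03:45.900 client 192.0.2.10#4322: zone transfer 'example.net/IN' denied
26-Apr-2005 10:04:01.010 client 192.0.2.10#4323: zone transfer 'example.net/IN' denied
26-Apr-2005 10:07:19.500 client 203.0.113.7#60001: transfer of 'example.net/IN': AXFR started
26-Apr-2005 10:09:02.777 client 192.0.2.77#1025: transfer of 'example.net/IN': AXFR started
"""

# Matches either a transfer that the server started serving, or one it refused.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:transfer of '(?P<zone_ok>[^']+)': AXFR started"
    r"|zone transfer '(?P<zone_denied>[^']+)' denied)"
)


def is_allowed(ip):
    """True if the client address falls inside one of the allowed secondary prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def audit_transfers(log_text):
    """Return (denied_by_client, served_outside_allowlist).

    denied_by_client: Counter of client IP -> number of refused AXFR attempts
    (the script-kiddie noise the thread complains about).
    served_outside_allowlist: list of (ip, zone) for transfers that actually
    started although the client is not an allowed secondary, i.e. the
    server-side restriction or the ACL in front of it is not doing its job.
    """
    denied = Counter()
    leaked = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("zone_denied"):
            denied[ip] += 1
        elif not is_allowed(ip):
            leaked.append((ip, m.group("zone_ok")))
    return denied, leaked


if __name__ == "__main__":
    denied, leaked = audit_transfers(SAMPLE_LOG)
    for ip, n in denied.most_common():
        print(f"{ip}: {n} refused AXFR attempt(s)")
    for ip, zone in leaked:
        print(f"WARNING: AXFR of {zone} served to {ip}, which is not an allowed secondary")
```

The second list is the one worth alarming on: a refused transfer is the restriction working, while a transfer that started from an address outside the secondary list means the zone just walked out the door.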

Re: using TCP53 for DNS

2005-04-26 Thread Florian Weimer
* Christopher L. Morrow: > its a both directions thing. Some folks dropped tcp/53 TO their AUTH > servers to protect against AXFR's from folks not their normal secondaries. Ugh. And they didn't think something like "permit tcp any any eq 53 established" was necessary? >> Hopefully not. Resolv

Re: using TCP53 for DNS

2005-04-26 Thread Patrick W. Gilmore
On Apr 26, 2005, at 2:45 PM, Florian Weimer wrote: * Patrick W. Gilmore: At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the thread (certainly not a scientific sampling)

Re: using TCP53 for DNS

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Florian Weimer wrote: > * Patrick W. Gilmore: > > At least one DoS mitigation box uses TCP53 to "protect" name > > servers. Personally I thought this was a pretty slick trick, but it > > appears to have caused a lot of problems. From the thread (certainly > > not a scientifi

Re: Port 25 - Blacklash

2005-04-26 Thread Hank Nussbacher
On Tue, 26 Apr 2005, Adam Jacob Muller wrote: Doesn't seem to be stemming the tide of emails from Comcast though: -Hank > For example, about 2 months ago, comcast decided to block outgoing > port 25 from my entire n

Re: Port 25 - Blacklash

2005-04-26 Thread Florian Weimer
* Martin Hannigan: > Why would an ISP block port 25 for .edu customers? BelWue does this:

Re: using TCP53 for DNS

2005-04-26 Thread Florian Weimer
* Patrick W. Gilmore: > At least one DoS mitigation box uses TCP53 to "protect" name > servers. Personally I thought this was a pretty slick trick, but it > appears to have caused a lot of problems. From the thread (certainly > not a scientific sampling), many people seem to be filtering

Anyone from Verizon familiar with physical plant in PHL

2005-04-26 Thread alex
If, by a fluke of nature, there is a person from Verizon or someone who knows a person from Verizon that can answer a question "Where does this line go?" in a former Bell Atlantic plant in Philadelphia, I would really appreciate an off-list email. Thanks, Alex

RE: Port 25 - Blacklash

2005-04-26 Thread Hannigan, Martin
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Adam Jacob Muller > Sent: Tuesday, April 26, 2005 2:18 PM > To: Eric Gauthier > Cc: Paul Ryan; Nanog Mailing list > Subject: Re: Port 25 - Blacklash > > > > The fact that most people did not complain i

Re: Port 25 - Blacklash

2005-04-26 Thread Adam Jacob Muller
The fact that most people did not complain is not likely due to the fact that they were not annoyed by the change, but rather it's easier to simply get around it than it is to bother complaining to network admins. For example, about 2 months ago, comcast decided to block outgoing port 25 f

Re: FW: Port 25 - Blacklash

2005-04-26 Thread Eric Gauthier
Paul, > For any educational institutions on this list - what has been the impact on > your mail services once your ISP started blocking port 25 - what if any was > the backlash - and how difficult was it to provide alternatives ...587,465 > etc ... Our ISPs don't filter our traffic. If they con

Re: FW: Port 25 - Blacklash

2005-04-26 Thread Matt Ghali
Our ISPs don't block anything, to my knowledge; but when our users' ISPs began blocking port 25 (especially SBC DSL) we had already been encouraging users to configure their clients to use 587. matto On Tue, 26 Apr 2005, Paul Ryan wrote: For any educational institutions on this list - wha

Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-26 Thread Edward B. Dreger
> Date: Sun, 24 Apr 2005 02:00:48 -0400 > From: [EMAIL PROTECTED] > What you seem to be missing is that the *really* smart people will be prepared > for it when it actually gets here - and will take advantage of its lack of > arrival in the meantime. Na the code in my lab and the work-i

Re: Slashdot: Providers Ignoring DNS TTL?

2005-04-26 Thread Edward B. Dreger
DA> Date: Sat, 23 Apr 2005 16:13:22 -0400 (EDT) DA> From: Dean Anderson DA> And it violates RFC 1546, as previously explained. Who cares? You've railed against SMTP+AUTH because it's not a "standard". Why do you give a rat's rump about 1546? DA> Well, PPLB isn't the end of the world. But PPL

using TCP53 for DNS

2005-04-26 Thread Patrick W. Gilmore
In the thread about ns*.worldnic.com, many people were complaining about DNS responses/queries on TCP port 53. At least one DoS mitigation box uses TCP53 to "protect" name servers. Personally I thought this was a pretty slick trick, but it appears to have caused a lot of problems. From the
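
An added example, not code from Patrick's post or from any mitigation product: what filtering TCP/53 actually breaks. A server that cannot fit its answer in the UDP payload sets the TC bit, and RFC 1035 tells the resolver to retry the query over TCP; if TCP/53 is dropped somewhere on the path, that name simply fails. The code builds a query and a constructed truncated reply, parses the header flags and applies that rule. The query name, transaction ID and the "tcp53_allowed" policy flag are illustrative assumptions.

```python
"""DNS header handling: why a resolver needs TCP/53 when TC is set.

Added example, not from the thread. Builds a DNS query and a constructed
UDP reply with the TC (truncated) bit set, then applies the RFC 1035 rule:
a truncated answer must be retried over TCP. The name, the transaction ID
and the tcp53_allowed policy flag are illustrative assumptions.
"""
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired


def encode_name(name):
    """Dotted name -> DNS labels, e.g. 'example.com' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Standard query with one question (qtype defaults to A, qclass IN)."""
    return (HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_truncated_reply(query):
    """Constructed server reply: echoes the question, sets QR and TC, carries no answers.

    This is what a server sends when the full answer would not fit the UDP
    payload size it is willing to use (512 bytes without EDNS).
    """
    qid, flags, qd, _, _, _ = HEADER.unpack_from(query)
    question = query[HEADER.size:]
    return HEADER.pack(qid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0) + question


def parse_header(msg):
    """Decode the fixed 12-byte header into the fields a resolver looks at."""
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def resolve(query, reply, tcp53_allowed):
    """Resolver decision after the UDP exchange.

    Returns ('udp', header) when the UDP reply is usable, ('tcp', header) when
    the resolver must retry over TCP, and ('fail', header) when TC is set but
    TCP/53 is filtered on the path: the failure mode the thread is about.
    """
    h = parse_header(reply)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        # Mismatched ID or a non-response: discard rather than trust it.
        raise ValueError("reply does not match query")
    if not h["tc"]:
        return "udp", h
    return ("tcp" if tcp53_allowed else "fail"), h


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")   # assumed name and ID
    r = build_truncated_reply(q)
    print(resolve(q, r, tcp53_allowed=True))   # ('tcp', {...})
    print(resolve(q, r, tcp53_allowed=False))  # ('fail', {...})
```

The ID check is there for the same reason the ACL discussion matters: a resolver that accepts any response with QR set, regardless of ID, is trivially spoofable, and a resolver that can never reach TCP/53 is the one that times out on large answers and on the mitigation trick Patrick describes.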

Re: Problems with NS*.worldnic.com

2005-04-26 Thread aljuhani
- Original Message - From: "Randy Bush" <[EMAIL PROTECTED]> To: "Christopher L. Morrow" <[EMAIL PROTECTED]> Cc: Sent: Tuesday, April 26, 2005 16:35 Subject: Re: Problems with NS*.worldnic.com > > lots of folk sent email to me and not the list. most report > worldnic responding with t

RE: Port 25 - Blacklash

2005-04-26 Thread Hannigan, Martin
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Paul Ryan > Sent: Tuesday, April 26, 2005 11:11 AM > To: Nanog Mailing list > Subject: FW: Port 25 - Blacklash > Importance: High > > For any educational institutions on this list - what has been > the

FW: Port 25 - Blacklash

2005-04-26 Thread Paul Ryan
For any educational institutions on this list - what has been the impact on your mail services once your ISP started blocking port 25 - what if any was the backlash - and how difficult was it to provide alternatives ...587,465 etc ... best regards, _ P

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "Christopher L. Morrow" writes: > > >On Tue, 26 Apr 2005, Randy Bush wrote: > >> lots of folk sent email to me and not the list. most report >> worldnic responding with tcp 53 and not udp. would love to >> hear confirmation on list. can think of a number of caus

CircleID, was: Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc

2005-04-26 Thread Daniel Golding
On that note, I suggest that folks from the NANOG community get involved with CircleID. Its a great site with articles on everything from DNS and addressing issues to domain naming and ICANN. It sometimes misses the network operator perspective - a few articles or comments by some of the folks on

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Brett Frankenberger wrote: > On Tue, Apr 26, 2005 at 01:22:41PM +, Christopher L. Morrow wrote: > > > > On Tue, 26 Apr 2005, Simon Waters wrote: > > > > > The worldnic.com and worldnic.net appear to use the MMDDVV convention > > > for > > > SOA serial numbers, and s
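
An added example, not code from Simon's or Christopher's messages: the date-based SOA serial convention quoted above only works if every new serial is still "greater" in the sense secondaries use, which is RFC 1982 serial arithmetic on a 32-bit value, not ordinary integer comparison. The helpers below generate a year/month/day/revision serial, pick the next serial without ever going backwards, and show what a secondary decides when it sees the primary's SOA. The dates and serial values are constructed.

```python
"""Date-based SOA serials and RFC 1982 serial arithmetic.

Added example, not from the thread. Serial values and dates are constructed.
"""
from datetime import date

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """RFC 1982 section 3.2: a > b iff (a < b and b - a > 2^31) or (a > b and a - b < 2^31)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def date_serial(year, month, day, rev=0):
    """YYYYMMDDVV-style serial; rev is the two-digit revision for that day."""
    date(year, month, day)  # raises ValueError on an impossible date
    if not 0 <= rev <= 99:
        raise ValueError("revision must be 0..99")
    return year * 10**6 + month * 10**4 + day * 100 + rev


def next_serial(current, year, month, day):
    """Pick the next serial for a zone change made on the given date.

    If the current serial is below today's base (YYYYMMDD00), start today at 00.
    Otherwise just add one: this covers today's revisions, the case where all
    99 revisions are used up, and a serial that is already ahead of the date
    (clock skew or a typo). Resetting such a serial to today's date would be a
    decrease as seen by secondaries, and they would stop transferring.
    """
    base = date_serial(year, month, day, 0)
    if current < base:
        return base
    return (current + 1) % SERIAL_MOD


def secondary_needs_transfer(secondary_serial, primary_serial):
    """What a secondary decides on seeing the primary's SOA (via NOTIFY or refresh)."""
    return serial_gt(primary_serial, secondary_serial)


if __name__ == "__main__":
    s = next_serial(2005042501, 2005, 4, 26)
    print(s, secondary_needs_transfer(2005042501, s))  # 2005042600 True
```

The practical consequence: if someone "fixes" a serial that was typed with a future date by resetting it to today's date, every secondary will see a smaller serial and silently keep serving the old zone until the primary's serial catches up.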

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Randy Bush wrote: > lots of folk sent email to me and not the list. most report > worldnic responding with tcp 53 and not udp. would love to > hear confirmation on list. can think of a number of causes, > one possible, but just a stab in the dark, would be an > intentiona

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Peter Corlett
Randy Bush <[EMAIL PROTECTED]> wrote: > lots of folk sent email to me and not the list. most report worldnic > responding with tcp 53 and not udp. would love to hear confirmation > on list. can think of a number of causes, one possible, but just a > stab in the dark, would be an intentional hack a

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Edward Lewis
At 21:34 -0700 4/25/05, Rodney Joffe wrote: The culprit is dig. Ahh, dig. What version? You have to be running the latest at all times these days...so many changes... In my experiences with v6 the problems I have come down to are: 1) Broken testing tools. (See change 1610 in the BIND CHANGES

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Randy Bush
lots of folk sent email to me and not the list. most report worldnic responding with tcp 53 and not udp. would love to hear confirmation on list. can think of a number of causes, one possible, but just a stab in the dark, would be an intentional hack as a defense to a spoofed-ip attack. what a

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Christopher L. Morrow
On Tue, 26 Apr 2005, Simon Waters wrote: > Have to say we see no issues here with the worldnic.com nameservers, other > than they appear to be located on the same physical network. > > I think people should post queries that fail, including date/time, and full > "dig" output for that query from

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Kevin Loch
Suresh Ramasubramanian wrote: I'd say fix the resolver to not try to resolve v6 where there exists no v6 connectivity I'd say fix the broken v6 connectivity. - Kevin

Re: Qwest protests SBC-AT&T merger as harmful to competition

2005-04-26 Thread william(at)elan.net
On Tue, 19 Apr 2005, Justin M. Streiner wrote: If Qwest would have won the bid, then it would be up to Verizon to cry foul - and rest assured they would. Funny how that works :-) We may yet see that happening as it appears the bidding war is far from over - latest news article on this issue (al

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Simon Waters
Have to say we see no issues here with the worldnic.com nameservers, other than they appear to be located on the same physical network. I think people should post queries that fail, including date/time, and full "dig" output for that query from the server they used, and the version of recursiv

Re: Problems with NS*.worldnic.com

2005-04-26 Thread Valdis . Kletnieks
On Mon, 25 Apr 2005 22:19:51 PDT, "william(at)elan.net" said: > Perhaps a solution is to specifically enable ipv6 dns resolution as > preferable to ipv4 or the other way around. This could perhaps be > switch in resolv.conf or nsswitch.conf. Something like: > /etc/resolv.conf > search example.co