Re: NANOG 40 agenda posted

2007-06-04 Thread Colm MacCarthaigh
On Mon, Jun 04, 2007 at 02:53:52AM +, Paul Vixie wrote: ipv6 load balancers exist, one's current load balancer is/may probably not be up to the task. my favourite load balancer is OSPF ECMP, since there are no extra boxes, just the routers and switches and hosts i'd have to have

Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread william(at)elan.net
On Sun, 3 Jun 2007, matthew zeier wrote: John Curran wrote: Best of luck with it; load-balancers aren't generally hiding in ISP's backbones and it hasn't been major revenue for the traditional router crowd. Net result is there hasn't been much IPv6 attention in that market... I suppose,

Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread matthew zeier
william(at)elan.net wrote: . I suppose, but certain places like Mozilla, would be dead in the water without load balancers. Citrix got their act together and shipped 8.0 with v6 vips on the front talking to v4 servers on the backend. While I understand that some place may want to put

Providers that carry IPv6

2007-06-04 Thread Krichbaum, Eric
I saw this question a while ago but no (maybe one) answers. Who does have IPv6 in production today. Of the fixedorbit.com top ten for example? 701 (MCI) - ? 7018 (ATT) - ? 1239 (Sprint) - ? 174 (Cogent) - No. 3356 (Level3) - ? 209 (Qwest) - No. 3549 (Global Crossing) - ? 4323 (Time Warner

Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread JORDI PALET MARTINEZ
Understood. One more alternative to just keep the existing load-balancer infrastructure is to setup a NAT-PT box. Again, even if this may not scale for millions of users, it may be a good solution for the few users that can be accessing with IPv6 your contents. Of course, all this may not

Re: IPv6 transition work was RE: NANOG 40 agenda posted

2007-06-04 Thread JORDI PALET MARTINEZ
This is one of the ways some load-balancer vendors do IPv6 today. They still talk IPv4 to the servers, so you don't need to modify anything, just add an managed by the load balancer. It is a kind of combination between NAT-PT and load-balancer. Regards, Jordi De: matthew zeier [EMAIL

Re: Providers that carry IPv6

2007-06-04 Thread Pierfrancesco Caci
:- Krichbaum, == Krichbaum, Eric [EMAIL PROTECTED] writes: I saw this question a while ago but no (maybe one) answers. Who does have IPv6 in production today. Of the fixedorbit.com top ten for example? 701 (MCI) - ? yes, but from 12702 (at least in europe) 7018

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
two replies here. i ([EMAIL PROTECTED]) said: quagga ospf6d works great, and currently lacks only a health check API. Donald Stahl [EMAIL PROTECTED] answered: Health checks are unfortunately the most important aspect of a LB for some people. understood. Can you elaborate on where you

Re: Providers that carry IPv6

2007-06-04 Thread Jeroen Massar
Krichbaum, Eric wrote: I saw this question a while ago but no (maybe one) answers. Who does have IPv6 in production today. Of the fixedorbit.com top ten for example? http://www.sixxs.net/tools/grh/lg/ You can check the routing tables for which ASN's are active or check the DFP list to see

Re: NANOG 40 agenda posted

2007-06-04 Thread Colm MacCarthaigh
On Mon, Jun 04, 2007 at 07:29:03AM +, Paul Vixie wrote: If you're load-balancing N nodes, and 1 node dies, the distribution hash is re-calced and TCP sessions to all N are terminated simultaneously. i could just say that since i'm serving mostly UDP i don't care about this, but then

Re: NAT Multihoming

2007-06-04 Thread Stephane Bortzmeyer
On Sun, Jun 03, 2007 at 07:33:45PM -0700, Stephen Satchell [EMAIL PROTECTED] wrote a message of 29 lines which said: The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. [...] Custom customer zone files hosted elsewhere? Do not

Re: NANOG 40 agenda posted

2007-06-04 Thread Iljitsch van Beijnum
On 2-jun-2007, at 23:07, Donald Stahl wrote: The simplistic answer is that nearly all assigned/allocated blocks will be minimum-sized, which means ISPs will be capable of filtering deaggregates if they wish. Some folks have proposed allowing a few extra bits for routes with short

Re: Providers that carry IPv6

2007-06-04 Thread Jeroen Massar
Antonio Querubin wrote: On Mon, 4 Jun 2007, Jeroen Massar wrote: Please at least honor: ip6.de.easynet.net/ipv6-minimum-peering.txt A typical trans-Pacific path is significantly longer than a typical trans-Atlantic path. The 40 ms policy recommendation in the above is unrealistically

Re: NAT Multihoming

2007-06-04 Thread Iljitsch van Beijnum
On 4-jun-2007, at 4:33, Stephen Satchell wrote: The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. I would clone the new address and monitor traffic to the old address -- and it took up to seven days for the traffic to the

Re: Providers that carry IPv6

2007-06-04 Thread Bernhard Schmidt
Krichbaum, Eric [EMAIL PROTECTED] wrote: I saw this question a while ago but no (maybe one) answers. Who does have IPv6 in production today. Of the fixedorbit.com top ten for example? 701 (MCI) - ? Yes, although I don't know whether tunneled or not. I see 16 prefixes through 701. 12702

Re: NANOG 40 agenda posted

2007-06-04 Thread Bernhard Schmidt
Nathan Ward [EMAIL PROTECTED] wrote: The other mode would be to set up mail.ipv6.yahoo.com and have customers use that for whatever protocol they send/receive mail with, and not point an MX at an for the time being. Actually I would do it the other way around, adding to the MX

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
It depends on the length of those TCP sockets. If you were load-balancing the increasingly common video-over-http, it would be very unacceptable. yes. i believe i said that my preferred approach works really well with UDP and marginally well with current WWW. video over http is an example of

Re: NAT Multihoming

2007-06-04 Thread Donald Stahl
The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. [...] Custom customer zone files hosted elsewhere? Do not forget that applications have their own caches, too, and they typically ignore completely the DNS TTL. A typical Web

Re: Cool IPv6 Stuff

2007-06-04 Thread Joel Jaeggli
Adrian Chadd wrote: On Mon, Jun 04, 2007, Sam Stickland wrote: Personally I hate NAT. But I currently work in a large enterprise environment and NAT is surprisingly popular. I came from a service provider background and some of the attitudes I've discovered towards private addresses in

Re: Cool IPv6 Stuff

2007-06-04 Thread Donald Stahl
Even people I have spoken to that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes Yes, I understand that having a public address does not necessarily mean being publicly reachable. But having a private address means

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Robert Bonomi
From [EMAIL PROTECTED] Mon Jun 4 13:54:55 2007 Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Date: Mon, 4 Jun 2007 14:47:06 -0400 On 4-Jun-2007, at 14:32, Jim Shankland wrote: Shall I do the experiment again where I set up a Linux box at an RFC1918 address, behind a

Re: Security gain from NAT

2007-06-04 Thread Dave Israel
[EMAIL PROTECTED] wrote: On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said: *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site? Nope. Zip.

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Colm MacCarthaigh
On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote: *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site? Correct. There's nothing you

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Valdis . Kletnieks
On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said: I can't pass over Valdis's statement that a good properly configured stateful firewall should be doing [this] already without noting that on today's Internet, the gap between should and is is often large. Let's not forget all the NAT

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Larry Smith
On Monday 04 June 2007 13:54, [EMAIL PROTECTED] wrote: On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said: *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single,

Avaya CNA 336 questions from other users.

2007-06-04 Thread Drew Weaver
I have a hard time finding people who know what an Avaya converged network analyzer is in my social circle, so I turn to you folks to see if anyone has any experience with them. We have had one deployed at our edge for awhile and I wanted to compare notes on performance with other

Re: NANOG 40 agenda posted

2007-06-04 Thread Joe Abley
On 4-Jun-2007, at 02:03, Colm MacCarthaigh wrote: On Mon, Jun 04, 2007 at 02:53:52AM +, Paul Vixie wrote: ipv6 load balancers exist, one's current load balancer is/may probably not be up to the task. my favourite load balancer is OSPF ECMP, since there are no extra boxes, just

RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread David Schwartz
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote: Owen DeLong [EMAIL PROTECTED] writes: There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding. This is one of those assertions that gets repeated so often people

Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Jim Shankland
[EMAIL PROTECTED] writes: Let's not forget all the NAT boxes out there that are *perfectly* willing to let a system make an *outbound* connection. So the user makes a first outbound connection to visit a web page, gets exploited, and the exploit then phones home to download more malware.

Re: NANOG 40 agenda posted

2007-06-04 Thread Paul Vixie
As with all things, the trick is to weigh the risk of disaster against the probability of benefit and do whatever makes sense within your own particular constraints. is nobody using a host based solution to this? that is, are times when HA LB is needed for TCP (like video over http) also

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Edward B. DREGER
JS Date: Mon, 04 Jun 2007 12:20:38 -0700 JS From: Jim Shankland JS If what you meant to say is that NAT provides no security benefits JS that can't also be provided by other means, then I completely What Owen said is that [t]here's no security gain from not having real IPs on machines. That is

Re: Security gain from NAT

2007-06-04 Thread Edward B. DREGER
DI Date: Mon, 04 Jun 2007 15:22:11 -0400 DI From: Dave Israel DI So you make end devices unaddressable by normal means, and while it DI shouldn't give them more security, it turns out it does. No matter DI how much it shouldn't, and how much we wish it didn't, it does. Hey, this so-called

RFC4864 - Local Network Protection for IPv6

2007-06-04 Thread Jeroen Massar
For all you NAT is soo secure I need to NAT folks please take the time and read the following RFC that the IETF has carefully put together to address all those arguments. URL: http://myietf.unfix.org/documents/rfc4864.txt Abstract:

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Owen DeLong
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote: On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote: Owen DeLong [EMAIL PROTECTED] writes: There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding. This is one of those

Re: Security gain from NAT

2007-06-04 Thread Sam Stickland
Matthew Palmer wrote: I can think of one counter-example to this argument, and that's SSL-protected services, where having a proxy, transparent or otherwise, in your data stream just isn't going to work. Not so. Look at: http://muffin.doit.org/docs/rfc/tunneling_ssl.html S

Fwd: NIST Special Publication 800-54 Draft - BGP Security

2007-06-04 Thread ge
- Forwarded message from [EMAIL PROTECTED] - Date: Mon, 4 Jun 2007 18:58:26 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: NIST Special Publication 800-54 Draft - BGP Security I made an announcement today during the ISP Security session (at NANOG40) about the release

Re: Security gain from NAT

2007-06-04 Thread Roger Marquis
Matthew Palmer wrote: While protection from mistakes is a valid reason, it's a pretty weak one. It is indeed a weak reason but, evidently, much stronger as a straw man argument. NAT is A security tool, not THE security tool. I would say that those who rely on NAT for security are the ones

Re: Security gain from NAT

2007-06-04 Thread Donald Stahl
A core but often neglected factor in IT security is KIS. NAT, particularly in the form of PAT, is an order of magnitude simpler to administer than a stateful firewall with one-to-one address mappings. Why would a stateful firewall have one-to-one address mappings? I'm not even sure what you

Re: Security gain from NAT

2007-06-04 Thread brett watson
On Jun 4, 2007, at 9:51 PM, Donald Stahl wrote: A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint firewall (as an example): Src: Internal - Dst: Any - Action: Allow Done. Done indeed! Botnet operators *love* this policy. This type of policy is probably worse