Re: fiber switch for gig

2008-04-01 Thread Pekka Savola
be looking for a larger number of SFP GE ports though. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: mtu mis-match

2008-03-20 Thread Pekka Savola
setting DF bit; no MSS clamping and some DSL clients have MTU=1492 exposed to the user, others have a middlebox router which shows MTU=1500; some others). You may want to check that both ends are receiving ICMP packet too big messages (i.e. a firewall doesn't filter them out). -- Pekka Savola

Re: Operators Penalized? (was Re: Kenyan Route Hijack)

2008-03-17 Thread Pekka Savola
document is found for that, I can add some verbiage to the abovementioned draft. (Currently, however, it is not obvious to me if that draft is going to progress, and if so which IETF WG or similar forum would be the right place to develop it.) -- Pekka Savola You each name

cost of dual-stack vs cost of v6-only [Re: IPv6 on SOHO routers?]

2008-03-13 Thread Pekka Savola
stack is higher than the cost of spending time & money on being on the bleeding edge to do v6-only yet supporting v4 for your existing and future customers still wedded to the older IP protocol? -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: cost of dual-stack vs cost of v6-only [Re: IPv6 on SOHO routers?]

2008-03-13 Thread Pekka Savola
. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: cost of dual-stack vs cost of v6-only [Re: IPv6 on SOHO routers?]

2008-03-13 Thread Pekka Savola
2, for decades. I purport there are strong economic reasons why that is probably not going to be the case. I may interpret your steps differently, but I see at least a decade more of work before we get to step 2) (i.e., before we get to 90% penetration). -- Pekka Savola You

v4 exhaustion and v6 impact [Re: cost of dual-stack vs v6-only]

2008-03-13 Thread Pekka Savola
it to try to market v6 to their end-users. So v6 capabilities in the ISP backbones will improve but the end-users and sites still don't get v6 ubiquitously. This is a significant improvement from v6 perspective but is still not enough to get to 90% global v6 deployment. -- Pekka Savola

Re: v4 exhaustion and v6 impact [Re: cost of dual-stack vs v6-only]

2008-03-13 Thread Pekka Savola
to define a business case for it. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]

2008-02-25 Thread Pekka Savola
a mess, and too long filters, to fix this way.) [1] Joe Abley's explanation on SIDR list on 20 Jun 2007: http://www.ietf.org/mail-archive/web/sidr/current/msg00201.html -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems

Re: BGP prefix filtering, how exactly? [Re: YouTube IP Hijacking]

2008-02-25 Thread Pekka Savola
be applied today (whether or not you want to use IRR and/or autogenerated configs is a matter of taste) but the principle seems sound. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R

Re: 240/4

2007-10-18 Thread Pekka Savola
On Thu, 18 Oct 2007, Stephen Sprunk wrote: Thus spake Pekka Savola [EMAIL PROTECTED] The operators who want to do something private with this space don't need the IETF or IANA approval to do so. So they should just go ahead and do it. If they can manage to get it to work, and live to tell

Re: 240/4

2007-10-16 Thread Pekka Savola
context. Prior to that, there is no need to do anything. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Cisco CRS-1 vs Juniper 1600 vs Huawei NE5000E

2007-08-03 Thread Pekka Savola
protocols (PIM, MSDP, various IPv6 stuff)? The last time we tried running non-C/J as a router was a very Extreme experience and we swore never again to touch similar router underdogs in the future. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: [funsec] Not so fast, broadband providers tell big users (fwd)

2007-03-13 Thread Pekka Savola
.. There are also (proprietary) solutions leveraging cable for symmetric 10/10 or 100/100 Mbit/s. One example I'm aware of is Teleste's ETTH technology: http://www.teleste.fi/index.phtml?page_id=1114navi_id=1114 -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: IPv6 section of ARIN Number Resource Policy (Sec 6.5.1.1.c)

2007-01-17 Thread Pekka Savola
on other, less network-stressful, ways. At least one way to do so to examine what can be done to influence your upstreams' (and recursively if applicable) route preferences (e.g., using communities). -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: RIS [Re: AS41961 not seen in many networks]

2007-01-05 Thread Pekka Savola
On Fri, 5 Jan 2007, Alexander Koch wrote: On Fri, 5 January 2007 08:11:41 +0200, Pekka Savola wrote: Well, the undocumented fact is that RIS does not accept multi-hop BGP peerings, which may somewhat limit its coverage. Why then do I have one? They do such things, they indeed do. Well

RIS [Re: AS41961 not seen in many networks]

2007-01-04 Thread Pekka Savola
, the undocumented fact is that RIS does not accept multi-hop BGP peerings, which may somewhat limit its coverage. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: CWDM equipment (current favorites)

2006-11-15 Thread Pekka Savola
on and reset the system :-( -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: CWDM equipment (current favorites)

2006-10-31 Thread Pekka Savola
are likewise less than ideal.. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

different flavours of uRPF [RE: register.com down sev0?]

2006-10-27 Thread Pekka Savola
still keep wondering why Cisco hasn't implemented something like Juniper's feasible-path strict uRPF. Works quite well with multihomed and asymmetric routing as well -- no need to fiddle with communities, BGP weights etc. to ensure symmetry. -- Pekka Savola You each name

Re: GTSM - Do you use it?

2006-08-17 Thread Pekka Savola
on nanog will :-( -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

backbone threats [Re: key change for TCP-MD5]

2006-06-26 Thread Pekka Savola
of the document is to be able to better convey the real story both between the operator-operator and operator-IETF interfaces :-) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash

Re: shim6 @ NANOG (forwarded note from John Payne)

2006-03-06 Thread Pekka Savola
longer. I'd love to see something like that (even better: charging by what you advertise).. but unfortunately, I don't think it'd happen, and if it did, I guess the main folks benefiting would be lawyers.. :) -- Pekka Savola You each name yourselves king, yet the Netcore Oy

A shim6 summary paper [Re: shim6 @ NANOG (forwarded note from John Payne)]

2006-03-01 Thread Pekka Savola
a moving target, but it should give a hopefully short and relatively concise summary. Unfortunately, it _doesn't_ describe how to solve the problems that Randy was referring to... :-) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom

Re: So -- what did happen to Panix?

2006-01-25 Thread Pekka Savola
. Yes, there's a draft -- draft-ietf-rpsec-bgpsecrec-03.txt -- but it has been woefully lacking on the operator deployment requirements. More people should participate in the effort. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom

Re: So -- what did happen to Panix?

2006-01-25 Thread Pekka Savola
Exactly. If $OTHER_FOLKS don't deploy it, cases like Panix may not really be avoided. I think that's what folks proposing perfect -- but practically undeployable -- security solutions are missing. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: do bogon filters still help?

2006-01-12 Thread Pekka Savola
, packets coming from other native networks, encapsulated by their relays with src=192.88.99.1 coming towards your 6to4-using customers would get blocked. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks

Re: do bogon filters still help?

2006-01-11 Thread Pekka Savola
addresses from that prefix, no matter what the folks at bit.nl think). This is not correct. It's perfectly fine to source packets from 192.88.99.0/24. Please show a citation if you think different. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: the iab simplifies internet architecture!

2005-11-15 Thread Pekka Savola
the protocols are somewhat more limited (though not zero) when the specs and code (those that don't address the needs of a particular set of operators as-is, in any case) have already shipped. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: the iab simplifies internet architecture!

2005-11-13 Thread Pekka Savola
energy fighting that. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: classful routes redux

2005-11-04 Thread Pekka Savola
on cleaning up the AS number mess a bit rather than throwing more technology at the problem. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: What is multihoming was (design of a real routing v. endpoint id seperation)

2005-10-25 Thread Pekka Savola
transit. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: shim6 (was Re: IPv6 news)

2005-10-17 Thread Pekka Savola
to other mechanisms or approaches (e.g., HIP). -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: IPv6 news [global crossing]

2005-10-12 Thread Pekka Savola
this). At least one of these doesn't (IMHO) qualify as native IPv6 [backbone]. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Bittorrent on v6 [Re: IPv6 news]

2005-10-12 Thread Pekka Savola
. My (unverified) recollection is that BT supports v6 off-the-box in most linux distros, but I may be wrong. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Who is a Tier 1?

2005-10-06 Thread Pekka Savola
On Thu, 6 Oct 2005, J. Oquendo wrote: /* tip never write e-mail within the first hour of your waking morning */ if you just would have followed your own advice..

Re: router worms and International Infrastructure

2005-09-22 Thread Pekka Savola
that are in the FIB? Yes. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: router worms and International Infrastructure

2005-09-22 Thread Pekka Savola
it in the contract, and when the packets get dropped, explain the situation ;-) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: router worms and International Infrastructure

2005-09-21 Thread Pekka Savola
on what they accept from downstream.. Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your friend, even on multihomed/asymmetric links. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security

Re: router worms and International Infrastructure

2005-09-21 Thread Pekka Savola
On Wed, 21 Sep 2005, Christopher L. Morrow wrote: On Wed, 21 Sep 2005, Pekka Savola wrote: Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your friend, even on multihomed/asymmetric links. So, say I'm a large consumer broadband ISP, and I made the decision some years ago to use

Re: Openbsd fixes icmp protocol bugs apparently ignored by the IETF

2005-07-13 Thread Pekka Savola
-- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

the problems being solved -- or not

2005-05-24 Thread Pekka Savola
this be? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: the problems being solved -- or not

2005-05-24 Thread Pekka Savola
constraints or ability to decipher the RIR tools to make a functional policy implementation. But see above, as prefix lists would NOT have solved the AS9121 problem, as was pointed out. And managing the certificates, processing them, , would be significantly easier? -- Pekka Savola

draft-savola-mtufrag-network-tunneling-04.txt

2005-05-24 Thread Pekka Savola
avoided. This memo justifies why this is a common, non-trivial problem, and goes on to describe the different solutions and their characteristics at some length. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems

Re: soBGP deployment

2005-05-21 Thread Pekka Savola
for deployability in mind.) Maybe the important operational differences are only observable from 1K feet view ? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: soBGP deployment

2005-05-21 Thread Pekka Savola
the practical deployment issues with the on-the-path signing model seem prohibitive (too much 3rd party deployment required before the solution would be useful). -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks

Re: MD5 for TCP/BGP Sessions

2005-03-31 Thread Pekka Savola
customers. I.e., strict uRPF -like prevention, so that nobody (neither a peer, upstream or customer) is able to spoof the infrastructure IP addresses. That's what we're doing, and I'd hope more people would as well. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: MD5 for TCP/BGP Sessions

2005-03-30 Thread Pekka Savola
the above but indeed is also a pain to set up and maintain. There are other attacks you can make against TCP sessions (protected by MD5 or not) using ICMP, though. (see draft-gont-tcpm-icmp-attacks-03.txt). -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: MD5 for TCP/BGP Sessions

2005-03-30 Thread Pekka Savola
in This is why this helps for eBGP sessions only the peer is also protecting its borders. I.e., if you know the peer's network has spoofing-prevention enabled, nobody is able to spoof the srcip the peer uses. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: Emergency Internet Backbone Provider Maintenance Tonight

2005-01-24 Thread Pekka Savola
really hope it's bigger this time.. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

RE: 16 vs 32 bit ASNs [Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI]

2004-11-30 Thread Pekka Savola
On Tue, 30 Nov 2004, Owen DeLong wrote: --On Tuesday, November 30, 2004 7:44 AM +0200 Pekka Savola [EMAIL PROTECTED] wrote: On Mon, 29 Nov 2004, Chris Burton wrote: It is highly doubtful that the policies in place will become more relaxed with the introduction of 32-bit ASNs, the more

Re: ULA and RIR cost-recovery

2004-11-29 Thread Pekka Savola
, and larger blocks will also need to be provided. Oops, they already have! -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: 16 vs 32 bit ASNs [Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI]

2004-11-29 Thread Pekka Savola
of routes, but also the churn those routes would make.. Oh god. It's better to try to stick to 16 bit ASNs for now, and make stricter policies and reclaim the space if needed. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds

RE: 16 vs 32 bit ASNs [Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI]

2004-11-29 Thread Pekka Savola
ASNs, pretty much anyone could have an ASN if they wanted to unless the policies were very strict, and it would be very difficult to justify why it would have to be strict because there is so vast resource to be used. -- Pekka Savola You each name yourselves king, yet

Re: ULA and RIR cost-recovery

2004-11-29 Thread Pekka Savola
home customers like DSL, and it's going to be a pain because they either must get a new prefix or give their customers a /64 instead of /48. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George

Re: 16 vs 32 bit ASNs [Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI]

2004-11-29 Thread Pekka Savola
or whoever and we're done. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

A6/DNAME not needed for v6 renumbering [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

2004-11-28 Thread Pekka Savola
less protocol complexity? As you note, A6/DNAME wasn't a panacea. A lot additional stuff is needed to achieve the goal. It seems to me that actually the A6/DNAME part is a relatively simple one to achieve using current mechanisms. -- Pekka Savola You each name yourselves king

Re: A6/DNAME not needed for v6 renumbering [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

2004-11-28 Thread Pekka Savola
.). To paraphrase Randy from a couple of years ago: 'Ocean: do not drain.' -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

16 vs 32 bit ASNs [Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI]

2004-11-28 Thread Pekka Savola
at least :) would rather that that the endsites had other means to do multihoming which wouldn't require such global resources. ASN exhaustion is IMHO just a symptom of the real problem. Enlarging the ASN space does not cure the disease, just makes it worse. -- Pekka Savola You each

Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI prefix [Re: who gets a /32)

2004-11-27 Thread Pekka Savola
a few, not tens of thousands as with AS numbers, and the fairness argument doesn't apply. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: BBC does IPv6 ;) (Was: large multi-site enterprises and PI

2004-11-27 Thread Pekka Savola
like the idea myself, but there it is. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

2004-11-22 Thread Pekka Savola
. Care to offer a couple of examples of this empirical evidence ? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

2004-11-22 Thread Pekka Savola
the more specifics to Internet anywhere. How rare is this? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

large multi-site enterprises and PI prefix [Re: who gets a /32 [Re: IPV6 renumbering painless?]]

2004-11-21 Thread Pekka Savola
the more specific multihoming/traffic engineering mess we have with v4, most of those big enterprises don't really seem to need globally routable PI space, provided that they can already use ULAs if they want. -- Pekka Savola You each name yourselves king, yet the Netcore Oy

who gets a /32 [Re: IPV6 renumbering painless?]

2004-11-14 Thread Pekka Savola
space (their employees?), and how ISC would not be an end-site. This is a more generic issue, of course. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-09 Thread Pekka Savola
where the application in question would not have to deal with NAT traversal logic at all if it were to choose v6-only approach. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-08 Thread Pekka Savola
for bigger enterprises is also one area where (at the moment) something like ULAs have some questionable uses. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Important IPv6 Policy Issue -- Your Input Requested

2004-11-08 Thread Pekka Savola
and no global connectivity, so the box will need some automated configuration protocol in any case. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

POLL: SPs' IPv6 (tunnel) deployment requirements

2004-11-02 Thread Pekka Savola
-requirements-01.txt For a lengthier document describing BB ISP IPv6 deployment options, see: http://www.ietf.org/internet-drafts/draft-asadullah-v6ops-bb-deployment-scenarios-01.txt Feedback on these is also welcome, of course! -- Pekka Savola You each name yourselves king, yet

Re: BW Management solutions advice

2004-10-22 Thread Pekka Savola
are available in Gbit/s-grade which do not need you to configure certain kind of rate-limiters a priori, but can automatically react to most kinds of attacks, even simple ones (e.g., TCP SYN floods). -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Re: I-D on operational MTU/fragmentation issues in tunneling

2004-10-14 Thread Pekka Savola
wrote: On 11-okt-04, at 10:12, Pekka Savola wrote: The document is about to be IETF Last Called for Informational RFC, but prior to that, I'd like to solicit comments/feedback/review from the people here because I'm 100% sure a lot of people have been faced with these issues (we certainly

Re: aggregation table entries

2004-10-13 Thread Pekka Savola
adjusting the weight or preference for the advertisement you receive w/ eBGP and the advertisement you send in iBGP (so that only that one router would send its traffic over that link), but that's likely a bit more work and operational complexity. -- Pekka Savola You each name yourselves

I-D on operational MTU/fragmentation issues in tunneling

2004-10-11 Thread Pekka Savola
this is a common, non-trivial problem, and goes on to describe the different solutions and their characteristics at some length. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R

Re: FBI bust DDoS 'Mafia'

2004-08-30 Thread Pekka Savola
On Mon, 30 Aug 2004, Len Sassaman wrote: On Sun, 29 Aug 2004, Pekka Savola wrote: The America is not what it used to be. Welcome to the 21st century. Have those guys rotting at Guantanamo been proven guilty? What was the deal with Sklyarov (http://www.freesklyarov.org/)? Etc

Re: FBI bust DDoS 'Mafia'

2004-08-29 Thread Pekka Savola
this concept called innocent until proven guilty. What country are you from? The America is not what it used to be. Welcome to the 21st century. Have those guys rotting at Guantanamo been proven guilty? What was the deal with Sklyarov (http://www.freesklyarov.org/)? Etc. -- Pekka Savola

Re: SPF again (Re: XO Mail engineers?)

2004-08-04 Thread Pekka Savola
On Wed, 4 Aug 2004, David A.Ulevitch wrote: SPF's use of TXT records doesn't bother me so much. It's more that people are (blindly) clamoring for it. Maybe you should -- draft-ymbk-dns-choices-00.txt -- Pekka Savola You each name yourselves king, yet the Netcore Oy

RE: Real-Time Mitigation of Denial of Service Attacks Now Available With ATT

2004-06-03 Thread Pekka Savola
, or even doesn't support (line-rate) filtering? Change the vendors and filter at your core connecting those crappy boxes then. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin

Re: ntp config tech note

2004-05-21 Thread Pekka Savola
chrooted and setuid'ed with special clock change privileges for 3+ years now. The code has been shipping for about three years in Red Hat Linux, for example. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security

Re: New IPv4 Allocations for APNIC

2004-04-28 Thread Pekka Savola
to provide the IANA web site using HTTPS to mitigate HTTP hijacking, DNS spoofing, or whatever? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: New IPv4 Allocations for APNIC

2004-04-28 Thread Pekka Savola
redundant as anyone should Use the Source in any case :) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)

2004-04-23 Thread Pekka Savola
think those still exist... (TTL should only be decremented when _forwarding_, and I don't think you could argue that you need to _forward_ a packet from your ingress interface to your _loopback_ interface..) -- Pekka Savola You each name yourselves king, yet the Netcore Oy

Alternatives to MD5 [Re: Winstar says there is no TCP/BGP vulnerability]

2004-04-21 Thread Pekka Savola
to be forgetting that for these TCP packets to be processed, they must be spoofed to come from a certain source IP address. If packets spoofed from that address are summarily discarded at appropriate places before reaching the infrastructure, you're pretty much safe. -- Pekka Savola

Re: Winstar says there is no TCP/BGP vulnerability

2004-04-21 Thread Pekka Savola
saying. You don't need to deploy anti-spoofing filters everywhere. It needs to be done by those parties which are the ones setting up MD5 passwords. No more than that. (See my thread Alternatives to MD5 for more.) -- Pekka Savola You each name yourselves king, yet the Netcore Oy

asymmetric/peer RPF [RE: TCP/BGP vulnerability - easier than you think]

2004-04-21 Thread Pekka Savola
something you're filtering, tell to peers not to advertise anything that's not properly in the routing DB's, etc.)? This doesn't seem so bad to me... -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security

Re: TCP Vulnerability makes case for authenticated BGP

2004-04-20 Thread Pekka Savola
). -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Lazy network operators

2004-04-16 Thread Pekka Savola
with that, but will likely be less effective when the attackers get smarter to choose attacks which are indistinguishable from mainstream applications. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security

Re: IOS 12.3(x) Strange service ports open on router

2004-04-09 Thread Pekka Savola
to believe this is a problem, so I'm waiting for v6 deployment to get really started before writing bugtraq. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

RE: BGP TTL check in 12.3(7)T

2004-04-08 Thread Pekka Savola
to this conversation! (tongue in cheek) Maybe you should be listening to the vendors instead, and pick ones which provide the features you need? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R

Re: BGP TTL check in 12.3(7)T

2004-04-08 Thread Pekka Savola
) value of zero. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: Enterprise Multihoming

2004-03-11 Thread Pekka Savola
is such a big thing they'll want to avoid it always. If it happens, for a brief moment, once in five years (for example), for most companies that's an acceptable level of risk. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems

Re: Enterprise Multihoming

2004-03-11 Thread Pekka Savola
. Public AS number is often enough (and even private will do, but that leads to other kind of mess.) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Re: IPv6 reverse lookup - lame delegation?

2004-02-11 Thread Pekka Savola
to experimental, the intent of this document is that use of DNAME RRs in the reverse tree be deprecated. do you have difficulties in parsing? -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R

WG Last Call: draft-ietf-v6ops-isp-scenarios-analysis-01.txt (fwd)

2004-02-09 Thread Pekka Savola
FYI, Feedback is welcome, either to the list ([EMAIL PROTECTED]) or to me and the document editor (in Cc:) directly. -- Forwarded message -- Date: Fri, 6 Feb 2004 07:58:44 +0200 (EET) From: Pekka Savola [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL

Re: Are SW upgrades needed in MPLS core networks?

2004-02-06 Thread Pekka Savola
) is due to the other reason, because some vendors have sold crappy hardware which does not support IPv6, or does not offer sufficiently good IPv6 performance. On Mon, 26 Jan 2004, Pekka Savola wrote: Just taking a quick poll, as we don't use MPLS and I think this is an interesting thing to know

Re: Strange public traceroutes return private RFC1918 addresses

2004-02-02 Thread Pekka Savola
to if you're using a vendor the implementation of which doesn't allow you to do that.. :) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Are SW upgrades needed in MPLS core networks?

2004-01-26 Thread Pekka Savola
for that (fixing bugs (minor upgrade)? providing new features, if so which features? etc.?) Please respond off-list if you feel so. Thanks. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin

good cabling in real environments [Re: Request for submissions: messy cabling and other broken things]

2003-12-17 Thread Pekka Savola
://thrashyour.com/lhr1-wiringdemo.jpg or http://new.onecall.net/timages/cat5patch.jpg How do you do good cabling in dynamic, real environments? :-) -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R

I-D ACTION:draft-savola-bcp38-multihoming-update-01.txt (fwd)

2003-10-27 Thread Pekka Savola
FYI, This document has passed the IETF Last Call for Best Current Practice, and has been significantly revised based on the comments. I'll be on the IESG agenda in a couple of weeks. Feedback and comments are still sought (especially, I'd like to reword the title to be more generic, but

Re: IAB concerns against permanent deployment of edge-based filtering

2003-10-18 Thread Pekka Savola
to upgrade, it just harms itself. Backbone networks harms everyone concerned. It's good to remember who bears the pain for (in)action in whichever case. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security

Re: Extreme BlackDiamond

2003-10-13 Thread Pekka Savola
of doubts about anything more complex than that. We made the mistake of one Extreme here as a router, and that has paid us back with sweat and tears. We'll be switching it to a Juniper freeing up soon, and we'll be dancing with joy afterwards. -- Pekka Savola You each name yourselves
