snip
http://www.nanog.org/meetings/attending/wavingfee/studentreg.php
doesn't indicate that they need to be full time, so I guess they just
have to be a college or university student. Period. Yes?
why only university? wazza matter with the younger set? i have worked
with some bitchin'
On 2011-01-05, at 09:40, Brian Johnson wrote:
snip
http://www.nanog.org/meetings/attending/wavingfee/studentreg.php
doesn't indicate that they need to be full time, so I guess they just
have to be a college or university student. Period. Yes?
why only university? wazza matter with
Based on the proposal sent last month and discussion on this list, the NewNOG
Board has adopted a membership policy.
As in the proposal, there are two components: a Bylaws amendment to establish a
framework, and a board resolution to set the policy. The full text of both
parts are appended
I'm so sick of this conversation. Why are we discussing this as if it
should have any weight. Find me an organization that has a student
membership without any qualifications and I'll show you exponentially
more that have one.
I also don't like being taken out of context. Please read the thread
On 2011-01-05, at 11:10, Brian Johnson wrote:
I also don't like being taken out of context. Please read the thread
before posting on a single post. You'll see that I'm against this whole
thing.
Sure, but I'm not against student discounts (for whatever, membership,
attendance).
I'm just
On 1/5/11 8:07 AM, Joe Abley wrote:
Who gets to verify the veracity of student IDs from the UK, or from France,
or from Egypt, or from Pakistan? How would they do it? Is it really worth the
trouble?
Someone please explain to me how accepting students outside of North
America as members
--- ra...@psg.com wrote:
From: Randy Bush ra...@psg.com
http://www.nanog.org/meetings/attending/wavingfee/studentreg.php
doesn't indicate that they need to be full time, so I guess they just
have to be a college or university student. Period. Yes?
why only university? wazza matter with
Ok, thanks for the clarification.
scott
--- s...@labrats.us wrote:
From: Sean Figgins s...@labrats.us
To: nanog-futures@nanog.org
Subject: Re: [Nanog-futures] an alternate proposal for NewNOG's
membership structure
Date: Wed, 05 Jan 2011 13:12:35 -0700
On 1/5/11 11:21 AM,
Dear Jeff,
In my opinion the real challenges already in IPv6 networks are the
following: SPAM and attacking over IPv6; DoS; track back hosts with
privacy enhanced addresses.
Do you have some methods in your mind to resolve ARP/ND overflow
problem? I think limiting mac address per port on
On Jan 5, 2011, at 1:15 PM, Jeff Wheeler wrote:
I notice that this document, in its nearly 200 pages, makes only casual
mention of ARP/NDP table overflow attacks, which may be among
the first real DoS challenges production IPv6 networks, and equipment vendors,
have to resolve.
They also
On Jan 5, 2011, at 4:39 PM, Dobbins, Roland wrote:
They also only make small mention of DNS- and broadcast-hinted scanning, and
none at all of routing-hinted scanning.
I meant to include, ' . . . and the strain that this hinted scanning will place
on the DNS and routing/switching
On Jan 4, 2011, at 11:07 PM, Christopher Morrow wrote:
On Tue, Jan 4, 2011 at 10:50 PM, Menerick, John jmener...@netsuite.com
wrote:
Every joke has a bit of truth. For instance, until recently (last 10
years?), O'hare's traffic controllers relied upon vacuum tube technology to
perform
On 01/05/2011 10:39 AM, Dobbins, Roland wrote:
The document itself is a good tutorial on IPv6, and it's great that the
authors did indeed touch upon these security concerns, but the security
aspect as a whole is seemingly deliberately understated, which does a
disservice to the lay reader.
TR Shaw ts...@oitc.com writes:
There is a federal directive that has been in place for a number of
years that requires IPV6 support for all new IT contracts/systems
and also a directive to all federal agencies to support IPV6 by 2008
(See
On Wed, Jan 5, 2011 at 5:34 AM, Leen Besselink l...@consolejunkie.net wrote:
He did a new presentation at 27c3 in december 2010:
http://events.ccc.de/congress/2010/Fahrplan/events/3957.en.html
A video and slides should show up on the list soon:
http://media.ccc.de/tags/27c3.html
(because
I highly recommend looking at Crashplan Pro. We use it for some of our
customers and it works great, and the pricing is very reasonable.
On Jan 4, 2011, at 9:02 PM, Richard Zheng wrote:
Hi,
We are looking at providing backup services for our customers. It should
have software running on
The original poster is looking for software that can be hosted locally, which
Crashplan is not as far as I can tell. I am also looking for something that can
be hosted locally. The only one we have been able to find is Vembu StoreGrid.
Our experience with Vembu has ranged from abysmal to
On Wed, Jan 5, 2011 at 3:31 AM, Mohacsi Janos moha...@niif.hu wrote:
Do you have some methods in your mind to resolve ARP/ND overflow
problem? I think limiting mac address per port on switches both efficient on
IPv4 and IPv6. Equivalent of DHCP snooping and Dynamic ARP Inspection should
On Jan 5, 2011, at 7:21 PM, Jeff Wheeler wrote:
please explain why this is in any way better than operating the same LAN with
a subnet similar in size to its existing IPv4 subnets, e.g. a /120.
Using /64s is insane because a) it's unnecessarily wasteful (no lectures on how
large the space
On Wed, Jan 5, 2011 at 1:20 PM, Randy Carpenter rcar...@network1.net wrote:
The original poster is looking for software that can be hosted locally,
which Crashplan is not as far as I can tell. I am also looking for something
that can be hosted locally. The only one we have been able to find is
Asigra?
http://www.asigra.com/
Regards,
Neil
-Original Message-
From: Marco Matarazzo [mailto:marm...@gmail.com]
Sent: 05 January 2011 12:37
To: Randy Carpenter
Cc: nanog@nanog.org
Subject: Re: online backup software vendor
On Wed, Jan 5, 2011 at 1:20 PM, Randy Carpenter
Absolutely it can be hosted locally, we run the server software in our data
center and our customers are clients who connect to it for backup. In fact,
the server software is free to download and install.
Code42, the makers, also run their own hosted version, which you may be
seeing. Make
Note that the NIST IPv6 document Kevin pointed to, in the acknowledgements
section, includes the following individual who assisted:
Trung Nguyen, FAA
Joe
From:
Ryan Finnesey ryan.finne...@harrierinvestments.com
To:
nanog@nanog.org
Date:
01/04/2011 10:25 PM
Subject:
RE: FAA - ASDI servers
On Wed, Jan 05, 2011 at 06:36:25AM -0500, Robert E. Seastrom wrote:
TR Shaw ts...@oitc.com writes:
There is a federal directive that has been in place for a number of
years that requires IPV6 support for all new IT contracts/systems
and also a directive to all federal agencies to
On 5 jan 2011, at 13:21, Jeff Wheeler wrote:
customers may be driven to expect a /64, or
even believe it is necessary for proper functioning.
RFC 3513 says:
For all unicast addresses, except those that start with binary value
000, Interface IDs are required to be 64 bits long and to be
This is what we worry about as well. Right now, when the complaints start
coming in, we can usually trace the problem to a comcast - level3 - qwest
issue. Our big concern is we start seeing over subscription on the nodes (we
have dealt with this in the past) and our problems start all over
On 1/5/2011 6:29 AM, Dobbins, Roland wrote:
Using /64s is insane because a) it's unnecessarily wasteful (no
lectures on how large the space is, I know, and reject that argument
out of hand) and b) it turns the routers/switches into sinkholes.
Except someone was kind enough to develop a
I was curious if anyone has heard of or is playing around with Intelligent
Route Service Control Point?
Looks like there are some trials going on and it has potential to centralize
routing decisions as well
as a DDOS mitigation tool,
thoughts?
harbor235 ;}
borked vmware boot, reset says no opsys found. it's a 4.0 system.
can i do recovery (saving vmfs) using 4.1 cd, or must i use 4.0?
randy
Randy Bush (randy) writes:
borked vmware boot, reset says no opsys found. it's a 4.0 system.
can i do recovery (saving vmfs) using 4.1 cd, or must i use 4.0?
Yes, it will work for accessing the vmfs, at the very least.
Phil
[moved to nanog as it seems a far more appropriate forum than cisco-nsp]
On Wed, 5 Jan 2011, Jose Madrid wrote:
Anyone here use AltDB? It seems their servers have been down for two days.
I have emailed their admin alias but have gotten nothing. Anyone?
whois -h whois.altdb.net 199.48.252.0
Does anyone have any comments on any of these solutions being easily managed
for end users? We need something that is easy for the customers to install and
configure, and is centrally managed. It would also be very nice if it could be
fully branded (the one thing that Vembu does well)
thanks,
On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum iljit...@muada.com wrote:
that a lot of smart people agree is a serious design flaw in any IPv6
network where /64 LANs are used
It's not a design flaw, it's an implementation flaw. The same one that's in
ARP (or maybe RFC 894 wasn't
Asigra is a great product, however branding isn’t possible from what I know of
the solution. We use Asigra through a partner, and when well managed it is a
GREAT solution, however it can easily spin out of control if someone doesn't
keep on top of it. Randy if you are looking for a little
We use Ahsay online backup server
(http://www.ahsay.com/jsp/en/home/index.jsp). I've been very happy with it.
- Original Message -
From: Richard Zheng rzh...@gmail.com
To: nanog@nanog.org
Sent: Tuesday, January 4, 2011 9:02:23 PM
Subject: online backup software vendor
Hi,
We
On 1/5/11 8:49 AM, Jeff Wheeler wrote:
On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum iljit...@muada.com
wrote:
that a lot of smart people agree is a serious design flaw in any IPv6
network where /64 LANs are used
It's not a design flaw, it's an implementation flaw. The same one
On Wed, Jan 5, 2011 at 11:26 AM, Jon Lewis jle...@lewis.org wrote:
Anyone here use AltDB? It seems their servers have been down for two days.
Can anyone from Level3 say how this will impact customer BGP filters. Will
L3 keep working with the last data sync they got from altdb? I'm guessing
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
[snip]
Can anyone from Level3 say how this will impact customer BGP filters. Will L3
keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data mirrored and archived. New
filters are not pushed
On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
Have you tried 611 (from an ATT land-line phone)?
Many people don't have one. I haven't had one for over 12 years now, nor have
any of my employers for the last 8 years.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open
On 05/01/2011 17:09, Craig Pierantozzi wrote:
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
[snip]
Can anyone from Level3 say how this will impact customer BGP filters. Will
L3 keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data
On Wed, Jan 5, 2011 at 12:04 PM, Joel Jaeggli joe...@bogus.com wrote:
no it isn't, if you've ever had your juniper router become unavailable
because the arp policer caused it to start ignoring updates, or seen
systems become unavailable due to an arp storm you'd know that you can
abuse arp on
Jeff Wheeler (jsw) writes:
IPv4)
[...]
Not good, but also does not affect any other interfaces on the router.
You're assuming that all routing devices have per-interface ARP tables.
IPv6)
Typically, this breaks not just on that interface, but on the entire
router.
So has anyone had any contact from ALTDB as to what's going on?
Thanks!
--J
I just got off the phone with Steve Rubin. He restarted it 45 minutes ago
and it's back up.
Regards,
Randy
On 1/5/2011 11:19 AM, Jeff Wheeler wrote:
IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan. If it requires incomplete entries
in its table, I will use them all up, and NDP learning will be broken.
Typically, this breaks not just on that
IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan. If it requires incomplete entries
in its table, I will use them all up, and NDP learning will be broken.
Typically, this breaks not just on that interface, but on the entire
router.
On 2011-01-05, at 12:31, Jared Mauch wrote:
2) If you DEPEND on something for your business, it may just be worth it to:
a) pay RADB who operates professionally
b) use your ISP provided IRR (eg: NTT, level3, savvis, etc)
I generally recommend that people use the RIPE database, regardless
On 01/05/2011 09:11 AM, Jo Rhett wrote:
On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
Have you tried 611 (from an ATT land-line phone)?
Many people don't have one. I haven't had one for over 12 years now, nor
have any of my employers for
On Wed, Jan 5, 2011 at 12:26 PM, Phil Regnauld regna...@nsrc.org wrote:
Jeff Wheeler (jsw) writes:
Not good, but also does not affect any other interfaces on the router.
You're assuming that all routing devices have per-interface ARP tables.
No, Phil, I am assuming that the routing
Jeff Wheeler (jsw) writes:
are badly needed. The largest current routing devices have room for
about 100,000 ARP/NDP entries, which can be used up in a fraction of a
second with a gigabit of malicious traffic flow. What happens after
that is the problem, and we need to tell our vendors what
IPv4) I can scan your v4 subnet, let's say it's a /24, and your router
might send 250 ARP requests and may even add 250 incomplete entries
to its ARP table. This is not a disaster for that LAN, or any others.
No big deal. I can also intentionally send a large amount of traffic
to unused
All the same, beware of the anycast addresses if you want to use a smaller
block for point-to-point and for LANs, you break stateless autoconfig and
very likely terminally confuse DHCPv6 if your prefix length isn't /64.
Breaking stateless autoconfig such that it *cannot* ever work, on my
On Wed, Jan 5, 2011 at 1:02 PM, TJ trej...@gmail.com wrote:
Many would argue that the version of IP is irrelevant, if you are permitting
external hosts the ability to scan your internal network in an unrestricted
fashion (no stateful filtering or rate limiting) you have already lost, you
How
On 1/5/2011 10:02, TJ wrote:
Many would argue that the version of IP is irrelevant, if you are permitting
external hosts the ability to scan your internal network in an unrestricted
fashion (no stateful filtering or rate limiting) you have already lost, you
just might not know it yet.
On Jan 3, 2011, at 1:04 55PM, Ken Chase wrote:
I have two independent mailservers, and two other customers that run their own
servers, all largely unrelated infrastructures and target domains, suddenly
experiencing low levels of spam.
Total emails/day dropping from some 175,000-250,000ish
On 4 Jan 2011, at 3:29, Iljitsch van Beijnum wrote:
[...]
Note that I slightly changed the way addresses are counted: previously, all
the legacy blocks that didn't have an RIR listed were assumed to be used
100%. But with the return of most of the Interop block this is no longer the
case:
Is anyone using Clearwire/Clear's wireless broadband offering for stationary
branch offices/remote equipment monitoring? Looking for results/experiences
off-list. We're looking at it for industrial telemetry, and have spoken to
people using ATT and VZW who are doing the same, but we wanted to look
1) If ARIN doesn't provide the level of authentication you desire, as
an ARIN member you should send a note to ppml each day until it's
available
this is not address policy. this is ops. surely one does not have to
dirty one's self with the ppml list to get an ops fix done in arin. it
is
On Jan 6, 2011, at 1:02 AM, TJ wrote:
if you are permitting external hosts the ability to scan your internal
network in an unrestricted
fashion
DCN aside, how precisely does one define 'internal network' in, say, the
context of the production network of a broadband access SP, or
On Jan 6, 2011, at 1:14 AM, Jeff Wheeler wrote:
A stateful firewall on every router interface has been suggested already on
this thread. It is unrealistic.
It isn't just unrealistic, it's highly undesirable, since it represents a huge
DoS state vector.
Is anyone using Clearwire/Clear's wireless broadband offering for
stationary
branch offices/remote equipment monitoring? Looking for
results/experiences
off-list. Curious as to reliability, link performance, and support
quality.
Me too! I'd love to hear from anyone that's used it
Friends and colleagues,
At NANOG 48 I talked about a community flow-spec service we were
looking at trying to make work. This is the idea of using IETF RFC
5575 to pass around flow-based rules, in this case, primarily for
dropping unwanted packets.
This technology is not as widely deployed as
On Wed, 5 Jan 2011, tico wrote:
Is anyone using Clearwire/Clear's wireless broadband offering for
Me too! I'd love to hear from anyone that's used it extensively.
I haven't in a few years (I worked for someone who thought of themselves
as a clearwire competitor), but we replaced a bunch of
My coworker has a total of 6 hours into calling each and every Clear number
that is publicly facing and has yet to reach a person that even understands
the question. We have boiled it down to the Clear business model is designed
merely to sell you the generic modem and have a nice day. There
There
appears to be zero interest in their business model to accommodate the
enterprise.
In my own personal experience, there appears to be zero interest in their
business model to accommodate the CUSTOMER.
They go on and on about how their frequency-space gives them a competitive
On Wed, Jan 05, 2011 at 04:15:43PM -0600, Brandon Galbraith wrote:
Is anyone using Clearwire/Clear's wireless broadband offering for stationary
branch offices/remote equipment monitoring? Looking for results/experiences
off-list. We're looking at it for industrial telemetry, and have spoken to
On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
Friends and colleagues,
At NANOG 48 I talked about a community flow-spec service we were
looking at trying to make work. This is the idea of using IETF RFC
5575 to pass around flow-based rules, in this case, primarily for
This is a much smaller issue with IPv4 ARP, because routers generally
have very generous hardware ARP tables in comparison to the typical
size of an IPv4 subnet.
no it isn't, if you've ever had your juniper router become unavailable
because the arp policer caused it to start ignoring
On Jan 6, 2011, at 8:57 AM, Joe Greco wrote:
The switch from IPv4 to IPv6 itself is such a change; it renders random
trolling through IP space much less productive.
And renders hinted trolling far more productive/necessary, invariably leading
to increased strain on
I've got a customer that is looking to multihome with upstreams in two
POPs. Currently they multihome in one POP and utilize a single edge
router for some one to one NAT and some PAT for their users.
Before they turn up the BGP peer in the new POP I've advised them to
abolish NAT once and
On Jan 6, 2011, at 9:38 AM, ML wrote:
At least not without some painful rebuilds of critical systems which have
these IPs deeply embedded in their configs.
They shouldn't be using IP addresses in configs, they should be using DNS
names. Time to bite the bullet and get this fixed prior to
On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco jgr...@ns.sol.net wrote:
This is a much smaller issue with IPv4 ARP, because routers generally
have very generous hardware ARP tables in comparison to the typical
size of an IPv4 subnet.
no it isn't, if you've ever had your juniper router become
The devil's in the details (obviously), and someone that reads into the
scenario better than me might have a more direct suggestion, but...
I'd start by moving the NAT at least one hop into the AS so that routing
symmetry can be enforced there. This allows for multi-homing (asymmetric
routing at
You didn't mention, but are you introducing a second border router? Is
the new upstream circuit from a new provider, or is it a second,
redundant circuit to the same provider in a different POP? Does your
customer have their own portable address space, or are they using
provider address space?
The switch from IPv4 to IPv6 itself is such a change; it renders random
trolling through IP space much less productive.
And renders hinted trolling far more productive/necessary, invariably leading
to increased strain on already-brittle/-overloaded DNS, whois, route servers,
et. al.,
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
Packing everything densely is an obvious problem with IPv4; we learned early
on that having a 48-bit (32 address, 16 port) space to scan made
port-scanning easy, attractive, productive, and commonplace.
I don't believe that host-/port-scanning
On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco jgr...@ns.sol.net wrote:
This is a much smaller issue with IPv4 ARP, because routers generally
have very generous hardware ARP tables in comparison to the typical
size of an IPv4 subnet.
no it isn't, if you've ever had your juniper router
From: Dobbins, Roland
Sent: Wednesday, January 05, 2011 7:19 PM
To: Nanog Operators' Group
Subject: Re: NIST IPv6 document
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
I don't believe that host-/port-scanning is as serious a problem as
you
seem to think it is, nor do I think that
On Jan 6, 2011, at 10:42 AM, George Bonser wrote:
It will be a problem if people learn they can DoS routers by doing it by
maxing out the neighbor table.
I understand this - that's a completely separate issue from the supposed
benefits of sparse addressing for endpoint host security.
I
- Original Message -
From: Jo Rhett jrh...@netconsonance.com
On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
Have you tried 611 (from an ATT land-line phone)?
Many people don't have one. I haven't had one for over 12 years now,
nor have any of my employers for the last 8 years.
Sorry for the subject change, it seems now we're talking about
something perhaps more relevant to me (security and routing stuff)
On Wed, Jan 5, 2011 at 5:32 PM, Randy Bush ra...@psg.com wrote:
i have a rumor that arin is delaying and possibly not doing rpki that
seems to have been announced on
On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 6, 2011, at 9:38 AM, ML wrote:
At least not without some painful rebuilds of critical systems which have
these IPs deeply embedded in their configs.
They shouldn't be using IP addresses in configs, they
We need at least these things to exist:
o an accurate mapping of resource (netblock/asn) to
authorized-entity (RIR/NIR/LIR/Customer/...)
o a system to manage this data for our routing equipment
see all the sidr documents in last call to go from i-ds to rfcs. oh,
you co-chair sidr :)
I've understood the problem for years, thanks, and have commented on
it
in other portions of this thread, as well as in may earlier threads
around this general set of issues - and it's completely orthogonal to
this particular discussion.
I suppose what confused me was this:
I don't
On 1/5/2011 10:18 PM, Dobbins, Roland wrote:
This whole focus on sparse addressing is just another way to tout
security-by-obscurity. We already know that security-by-obscurity is a
fundamentally-flawed concept, so it doesn't make sense to try and keep
rationalizing it in various
On Wed, Jan 5, 2011 at 11:16 PM, Randy Bush ra...@psg.com wrote:
We need at least these things to exist:
o an accurate mapping of resource (netblock/asn) to
authorized-entity (RIR/NIR/LIR/Customer/...)
o a system to manage this data for our routing equipment
see all the sidr
On Wed, Jan 5, 2011 at 7:51 PM, Richard A Steenbergen r...@e-gerbil.net wrote:
On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
Friends and colleagues,
At NANOG 48 I talked about a community flow-spec service we were
looking at trying to make work. This is the idea of using
On Jan 6, 2011, at 11:16 AM, George Bonser wrote:
I thought the entire notion of actually getting to a host was orthogonal to
the discussion as that wasn't the point. It wasn't about
exploitation of anything on the host, the discussion was about the act of
scanning a network itself being
On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
actually, the formal rpki-based origin-validation stuff is measured to take
*less* cpu, a lot less, than ACLs
On the platforms which really matter in terms of rPKI, ACLs are handled in
hardware, so this is pretty much a wash.
Concur on all
In message aanlktimkgpyky_aka5px4-ca-3=oufhgbnenrkpmp...@mail.gmail.com,
Cameron Byrne writes:
On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 6, 2011, at 9:38 AM, ML wrote:
At least not without some painful rebuilds of critical systems which have
On Wed, Jan 5, 2011 at 11:30 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
actually, the formal rpki-based origin-validation stuff is measured to take
*less* cpu, a lot less, than ACLs
On the platforms which really matter in terms of rPKI,
Lenny Giuliano of Juniper (IETF MBONED co-chair) has written an article in
Network World that I thought
NANOGers might be interested in :
http://www.networkworld.com/news/tech/2011/010511-tech-update-next-gen-tv.html
He clearly describes the need for multicast in the upcoming video-centric
On Wed, Jan 5, 2011 at 8:31 PM, Mark Andrews ma...@isc.org wrote:
In message aanlktimkgpyky_aka5px4-ca-3=oufhgbnenrkpmp...@mail.gmail.com,
Cameron Byrne writes:
On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 6, 2011, at 9:38 AM, ML wrote:
At least
Still, the idea that nobody will scan a /64 reminds me of the days
when 640K ought to be enough for anybody, ...
We really need to wrap our heads around the orders of magnitude
involved here. If you could scan an address every nanosecond, which I
think is a reasonable upper bound what with the
On 1/5/2011 8:47 PM, Cameron Byrne wrote:
And, you will notice that the list at
http://groups.google.com/group/ipv4literals shows only a few web sites,
because there are only a few that have this design flaw.
And the list looks like it does because the list only shows a *few* web
sites. Other
actually, the formal rpki-based origin-validation stuff is measured
to take *less* cpu, a lot less, than ACLs
On the platforms which really matter in terms of rPKI, ACLs are
handled in hardware, so this is pretty much a wash.
really? it was measured on a GSR. full check on a prefix, 10usec.
It has nothing to do with security by obscurity.
You may wish to re-read what Joe was saying - he was positing sparse
addressing as a positive good because it will supposedly make it more difficult
for attackers to locate endpoints in the first place, i.e., security through
I think ACLs here means prefix-lists ... or I hope that's what Randy
meant?
sorry. yes, irr based prefix lists. and, sad to say, data which have
sucked for 15+ years. i was the poster child for the irr, and it just
never took off.
[ irr data are pretty bad except for some islands where
On Jan 5, 2011, at 10:31 PM, Mark Andrews wrote:
Which is one of the reasons why DS-lite is a better solution for
providing legacy access to the IPv4 Internet than NAT64/DNS64.
DS-lite only breaks what NAT44 breaks. DS-lite doesn't break new
things.
Or just run a dual-stack network,
Is there any reason we really need to care what size other people use for their
Point to Point
links?
Personally, I think /64 works just fine.
I won't criticize anyone for using it. It's what I choose to use.
However, if someone else wants to keep track of /112s, /120s, /124s, /126s, or
even
On Jan 5, 2011, at 7:04 AM, Jack Bates wrote:
On 1/5/2011 6:29 AM, Dobbins, Roland wrote:
Using /64s is insane because a) it's unnecessarily wasteful (no
lectures on how large the space is, I know, and reject that argument
out of hand) and b) it turns the routers/switches into sinkholes.