On Jan 6, 2011, at 10:50 PM, Jima wrote:
On 1/7/2011 12:11 AM, Owen DeLong wrote:
That's a draft, and, it doesn't really eliminate the idea that /48s are
generally
a good thing so much as it recognizes that there might be SOME circumstances
in which they are either not necessary or
On Jan 6, 2011, at 11:49 PM, Benson Schliesser wrote:
On Jan 7, 2011, at 12:39 AM, Matthew Kaufman wrote:
On 1/6/2011 9:28 PM, Dan Wing wrote:
Skype could make it work with direct UDP packets in about 92% of
cases, per Google's published direct-to-direct statistic at
On Thu, 6 Jan 2011 21:13:52 -0500
Jeff Wheeler j...@inconcepts.biz wrote:
On Thu, Jan 6, 2011 at 8:47 PM, Owen DeLong o...@delong.com wrote:
1. Block packets destined for your point-to-point links at your
borders. There's no legitimate reason someone should be
Most networks do
Are there any large transit networks doing /64 on point-to-point
networks to BGP customers? Who are they? What steps have they taken
to eliminate problems, if any?
Our Global Crossing IPv6 transit is on a /64 Ethernet point-to-point.
Steinar Haug, Nethelp consulting, sth...@nethelp.no
On Jan 7, 2011, at 4:14 PM, Mark Smith wrote:
Doesn't this risk already exist in IPv4?
There are various vendor knobs/features to ameliorate ARP-level issues in
switching gear. Those same knobs aren't viable in IPv6 due to the way ND/NS
work, and as you mention, the ND stuff is
On Jan 7, 2011, at 4:02 PM, Owen DeLong wrote:
No, it hasn't always been a Bad Idea.
Yes, it has. There're lots of issues with embedding IP addresses directly into
apps and so forth which have nothing to do with NAT.
Kevin Oberman ober...@es.net writes:
The next ship will be departing in a hundred years or so; advance
registrations for the IPv7 design committee are available over there.
Sorry, but IPv7 has come and gone. It was assigned to the TUBA proposal,
basically replacing IP with CLNP. IPv8 has
On Jan 6, 2011, at 8:01 PM, Paul Scanlon wrote:
NANOG 51 in Miami is rapidly approaching, January 30 - February 2, and we are
looking for topics for the ISP Security BOF. Eric Osterweil and I are going
to be moderating this year with the assistance of Danny McPherson. We would
very much
On 6 Jan 2011, at 17:17, Jack Bates wrote:
A randomly set-up ssh server without DNS will find itself brute-force
attacked. Darknets are set up specifically for detection of scans. One side
effect of v6 is determining how best to deploy darknets, as we can't just
take one or two blocks to
On 6 Jan 2011, at 18:20, Owen DeLong wrote:
On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
Packing everything densely is an obvious problem with IPv4; we learned
early on that having a 48-bit (32 address, 16 port) space to scan made
On 1/6/2011 6:23 PM, Dobbins, Roland wrote:
On Jan 6, 2011, at 9:29 PM, Joe Greco wrote:
Sorry, but I see this as not grasping a fundamental security concept.
I see it as avoiding a common security misconception.
I find that the security Layers advocates tend not to look at the
On Thu, Jan 6, 2011 at 21:13, Jeff Wheeler j...@inconcepts.biz wrote:
On Thu, Jan 6, 2011 at 8:47 PM, Owen DeLong o...@delong.com wrote:
1. Block packets destined for your point-to-point links at your
borders. There's no legitimate reason someone should be
Most networks do not
On 1/7/2011 4:44 AM, Dobbins, Roland wrote:
Yes, it has. There're lots of issues with embedding IP addresses
directly into apps and so forth which have nothing to do with NAT.
Embedding into apps isn't the same as embedding into protocol packets.
While NAT and stateful firewalls do tend to
On 7 Jan 2011, at 06:11, Owen DeLong wrote:
That's a draft, and, it doesn't really eliminate the idea that /48s are
generally
a good thing so much as it recognizes that there might be SOME circumstances
in which they are either not necessary or insufficient.
As a draft, it hasn't been
On 1/7/2011 8:17 AM, Tim Chown wrote:
As RFC6018 suggests, this could be done dynamically on any given active subnet.
Unfortunately, I don't see support for it in major router vendors for
service providers. Currently, flow + arp/ND/routing tables are utilized
to determine a variety of
On Jan 7, 2011, at 9:30 PM, TJ wrote:
Today (IPv4) they may not, but many recommendations for tomorrow (IPv6) are
to use discrete network allocations for your infrastructure (loopbacks and
PtP links, specifically) and to filter traffic destined to those at your
edges ...
Actually, this
On Jan 7, 2011, at 9:23 PM, Tim Chown wrote:
The main operational problem we see is denial of service caused by
unintentional IPv6 RAs from hosts.
Which is a whole other can of IPv6 worms, heh.
Roland Dobbins
On Fri, Jan 7, 2011 at 09:57, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 7, 2011, at 9:23 PM, Tim Chown wrote:
The main operational problem we see is denial of service caused by
unintentional IPv6 RAs from hosts.
Which is a whole other can of IPv6 worms, heh.
But at least we are
On Fri, Jan 7, 2011 at 09:56, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 7, 2011, at 9:30 PM, TJ wrote:
Today (IPv4) they may not, but many recommendations for tomorrow (IPv6)
are to use discrete network allocations for your infrastructure (loopbacks
and
PtP links, specifically)
On 1/6/2011 9:28 PM, Dan Wing wrote:
-Original Message-
From: Matthew Kaufman [mailto:matt...@matthew.at]
Not really. Imagine the case where you're on IPv6 and you can only
reach
IPv4 via a NAT64, and there's no progress made on the detection
problem.
And your family member
On Jan 7, 2011, at 5:44 AM, Dobbins, Roland wrote:
On Jan 7, 2011, at 4:02 PM, Owen DeLong wrote:
No, it hasn't always been a Bad Idea.
Yes, it has. There're lots of issues with embedding IP addresses directly
into apps and so forth which have nothing to do with NAT.
Let me know
On 1/6/2011 9:01 PM, Jeff Wheeler wrote:
Are there any large transit networks doing /64 on point-to-point
networks to BGP customers? Who are they?
Our Qwest and TW Telecom links are /64.
--
Devon
Hello,
we have multiple internet connections, of which one is a research network to which
many medical institutions and universities are also connected throughout the
country. This research network (ORION) also has internet access but is not
meant to be used as a primary path to the internet
-- Original Message ---
From: Jeff Wheeler j...@inconcepts.biz
Sent: Thu, 6 Jan 2011 21:01:12 -0500
Are there any large transit networks doing /64 on point-to-point
networks to BGP customers? Who are they?
Add HE.net to the list.
-Randy
www.fastserv.com
On Fri, 7 Jan 2011 12:40:32 -0500
Greg Whynott greg.whyn...@oicr.on.ca wrote:
we have multiple internet connections, of which one is a research
network to which many medical institutions and universities are also
connected throughout the country. This research network (ORION)
also has internet
Thanks John for your input.
You are correct, ORION is a dedicated high speed research network.
Based on the fact that we access ORION via one of our ISPs (3rd party, we
don't BGP/directly peer with ORION), I'm not sure if I can use this solution
here. I could do that for the routes
On Thu, 6 Jan 2011, Jeff Wheeler wrote:
On Thu, Jan 6, 2011 at 8:47 PM, Owen DeLong o...@delong.com wrote:
1. Block packets destined for your point-to-point links at your
borders. There's no legitimate reason someone should be
Most networks do not do this today. Whether or not
On Fri, Jan 07, 2011 at 01:56:00PM -0500, Greg Whynott said:
Based on the fact that we access ORION via one of our ISPs (3rd party, we
don't BGP/directly peer with ORION), I'm not sure if I can use this solution
here. I could do that for the routes learned from that ISP, but we receive
You can allow asymmetric traffic on the Fortinet, but you lose some
functionality. Firewalls aren't routers, and pretty much all of them
behave in a similar manner.
On Fri, Jan 7, 2011 at 11:40 AM, Greg Whynott greg.whyn...@oicr.on.ca wrote:
Hello,
we have multiple internet connections of
On Jan 7, 2011, at 6:23 AM, Tim Chown wrote:
On 6 Jan 2011, at 18:20, Owen DeLong wrote:
On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
Packing everything densely is an obvious problem with IPv4; we learned
early on that having
On Jan 7, 2011, at 6:32 AM, Jack Bates wrote:
On 1/7/2011 4:44 AM, Dobbins, Roland wrote:
Yes, it has. There're lots of issues with embedding IP addresses
directly into apps and so forth which have nothing to do with NAT.
Embedding into apps isn't the same as embedding into protocol
Thanks Grant, I've already read this. :)
I have no problem with enabling /64s for everyone/everything in the future, as
the equipment capability increases, but right now there are real concerns about
en masse deployment and the vulnerabilities we open our hardware to.
Which is why I was
Thanks Ken,
Some good stuff there, thanks.
Since my original email, I think I've come up with a partial solution not
requiring the far end's involvement. If not, at least it would get us into
a better position to utilize the ORION network when possible. We peer over a
L2 tunnel with
On Fri, Jan 07, 2011 at 03:13:02PM -0500, Greg Whynott said:
Thanks Ken,
Some good stuff there, thanks.
Since my original email, I think I've come up with a partial solution not
requiring the far end's involvement. If not, at least it would get us into
a better position to
On 1/7/2011 1:47 PM, Owen DeLong wrote:
Compatibility addresses don't work on the wire. They're not supposed to. It's a
huge problem if they do.
Sounds like someone should have developed more than 1 compatibility
addressing then.
Jack
http://www.ietf.org/mail-archive/web/v6ops/current/msg06820.html
Jima
Just skimming through the draft:
1) It is no longer recommended that /128s be given out. While there
may be some cases where assigning only a single address may be
justified, a site by
Does anyone have any good contacts for Starbucks network admins?
--
Chris Harvey
Distinguished Engineer
o: 703-939-8479
m: 703-967-4229
On Fri, 7 Jan 2011, Deepak Jain wrote:
least technical user base. (side note, if I were a residential ISP I'd
configure a /64 to my highly-controlled CPE router and issue /128s to
each and every device that plugged in on the customer site, and only one
per MAC and have a remotely configurable
On Fri, Jan 7, 2011 at 3:29 PM, Deepak Jain dee...@ai.net wrote:
Question - Whatever happened to the concept of a customer
coming to their SP for more space? [E]very week we could
widen their subnet without causing any negative
impact on them?
Clever folks figured that making the customer
On Fri, 7 Jan 2011 09:38:32 +
Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 7, 2011, at 4:14 PM, Mark Smith wrote:
Doesn't this risk already exist in IPv4?
There are various vendor knobs/features to ameliorate ARP-level issues in
switching gear. Those same knobs aren't
BGP Update Report
Interval: 30-Dec-10 -to- 06-Jan-11 (7 days)
Observation Point: BGP Peering with AS131072
TOP 20 Unstable Origin AS
Rank  ASN       Upds    %     Upds/Pfx  AS-Name
 1 -  AS18025   31461   3.2%  873.9  -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
 2 -  AS17974
This report has been generated at Fri Jan 7 21:11:48 2011 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date
On Jan 7, 2011, at 10:12 AM, Randy McAnally wrote:
-- Original Message ---
From: Jeff Wheeler j...@inconcepts.biz
Sent: Thu, 6 Jan 2011 21:01:12 -0500
Are there any large transit networks doing /64 on point-to-point
networks to BGP customers? Who are they?
Add HE.net
On Jan 7, 2011, at 7:12 AM, Justin M. Streiner wrote:
On Thu, 6 Jan 2011, Jeff Wheeler wrote:
On Thu, Jan 6, 2011 at 8:47 PM, Owen DeLong o...@delong.com wrote:
1. Block packets destined for your point-to-point links at your
borders. There's no legitimate reason someone should
On Fri, 7 Jan 2011 13:56:00 -0500
Greg Whynott greg.whyn...@oicr.on.ca wrote:
the localpref is something I'll look at, thanks for that. I'm not
a BGP expert by any stretch, and our requirements here are
simple. We are not a transit. I've only attempted to make the
config safe, not
On Jan 7, 2011, at 12:29 PM, Deepak Jain wrote:
http://www.ietf.org/mail-archive/web/v6ops/current/msg06820.html
Jima
Just skimming through the draft:
1) It is no longer recommended that /128s be given out. While there
may be some cases where assigning only a single
On Jan 7, 2011, at 1:28 PM, Mark Smith wrote:
On Fri, 7 Jan 2011 09:38:32 +
Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 7, 2011, at 4:14 PM, Mark Smith wrote:
Doesn't this risk already exist in IPv4?
There are various vendor knobs/features to ameliorate ARP-level issues
I'm having some issues with personal domains that forward to gmail being
blacklist. If anyone from gmail would be available to talk through it with
me offlist I would greatly appreciate it.
Thanks,
Mikeal
On Jan 8, 2011, at 3:29 AM, Deepak Jain wrote:
There are now years of security dogma that says NAT is a good thing,
Actually, this isn't the case. There's some *security theater* dogma which
makes totally unsupported claims about the supposed security benefits of NAT,
but that's not quite
On Jan 8, 2011, at 5:44 AM, Owen DeLong wrote:
You say dogma, I say mythology.
Concur 100%.
Stateful inspection provides security.
To clarify, stateful inspection only provides security in a context where
there's state to inspect - i.e., at the southernmost end of access networks,
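The distinction drawn in this exchange (stateful inspection is what blocks unsolicited inbound traffic; address translation on its own blocks nothing) is easier to see in code. The following is an added example, not code from the thread or from any product mentioned in it. It models a minimal flow-tracking filter on untranslated IPv6 addresses next to a stateless one-to-one address rewrite, using made-up documentation prefixes (2001:db8::/32) and constructed packets; the class names, the flow key and the "inside prefix" rule are all assumptions of the example.

```python
"""Minimal stateful packet filter for IPv6 with no address translation.

Constructed example, not code from the NANOG thread. It tracks flows that
originate inside a prefix and admits only inbound packets that belong to one
of them, so the "only return traffic gets in" property comes from state, not
from rewriting addresses. A stateless 1:1 rewrite is shown for contrast.
"""
import ipaddress
from collections import namedtuple

# Constructed packet model: just the 5-tuple the filter needs.
Packet = namedtuple("Packet", "proto src sport dst dport")


class StatefulFilter:
    """Allow outbound from the inside prefix; allow inbound only as a reply."""

    def __init__(self, inside_prefix):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        # Flow key: (proto, inside addr, inside port, remote addr, remote port)
        self.flows = set()

    def _is_inside(self, addr):
        return ipaddress.IPv6Address(addr) in self.inside

    def process(self, pkt):
        """Returns 'allow' or 'drop' for one packet."""
        if self._is_inside(pkt.src):
            # Outbound: record the flow so its replies can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: admit only if it reverses a recorded flow exactly.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        return "drop"


class StaticOneToOneRewrite:
    """Stateless 1:1 address mapping (NPTv6-style, an assumption of the
    example) with no flow table: anything matching the mapping is rewritten
    and forwarded in either direction."""

    def __init__(self, mapping):
        self.in_to_out = dict(mapping)
        self.out_to_in = {v: k for k, v in mapping.items()}

    def process(self, pkt):
        if pkt.src in self.in_to_out:
            return "allow", pkt._replace(src=self.in_to_out[pkt.src])
        if pkt.dst in self.out_to_in:
            return "allow", pkt._replace(dst=self.out_to_in[pkt.dst])
        return "drop", pkt


def run_stateful_demo():
    """Four constructed packets through the filter; returns their fates."""
    f = StatefulFilter("2001:db8:1::/48")
    host, server, attacker = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:3::bad"
    return [
        f.process(Packet("tcp", host, 51000, server, 443)),   # outbound: allow
        f.process(Packet("tcp", server, 443, host, 51000)),   # reply: allow
        f.process(Packet("tcp", attacker, 4444, host, 22)),   # unsolicited: drop
        f.process(Packet("tcp", server, 443, host, 51001)),   # wrong port: drop
    ]


def run_rewrite_demo():
    """An unsolicited inbound packet to the mapped address is translated and
    forwarded to the inside host: the rewrite by itself filters nothing."""
    nat = StaticOneToOneRewrite({"2001:db8:1::10": "2001:db8:f::10"})
    return nat.process(Packet("tcp", "2001:db8:3::bad", 4444, "2001:db8:f::10", 22))


if __name__ == "__main__":
    print("stateful filter:", run_stateful_demo())
    print("stateless rewrite:", run_rewrite_demo())
```

The flow key is deliberately the full reverse 5-tuple, which is why the fourth packet (right server, wrong client port) is dropped: a looser match would be the kind of state-table shortcut that lets spoofed "replies" through. The rewrite class makes the other half of the point: a dynamic NAPT box blocks unsolicited inbound traffic because it keeps a connection table exactly like `StatefulFilter.flows`, not because it changes addresses.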
On Jan 8, 2011, at 4:28 AM, Mark Smith wrote:
The problem is that somebody on the Internet
could send 1000s of UDP packets (i.e. an offlink traffic source) towards
destinations that don't exist on the target subnet.
I meant to type 'ND-triggering stuff', concur 100%.
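The failure mode in this message (an off-link source sending thousands of packets to non-existent addresses on a /64 point-to-point link) and the two mitigations raised earlier in the thread (filtering packets destined for point-to-point links at the border, and using a /127 so there is nothing to scan) can be modelled in a few dozen lines. What follows is an added example, not code from the thread or from any vendor; the neighbour-cache capacity, the state names, the "from outside" flag standing in for a border ACL, and the use of the documentation prefix 2001:db8:0:1::/64 as the link are all assumptions of the example, and real platforms differ in cache size and eviction behaviour.

```python
"""Model of IPv6 neighbour-cache exhaustion on a point-to-point link.

Constructed example, not code from the NANOG thread. A router with a bounded
neighbour cache (capacity is an assumption) receives an off-link scan of its
point-to-point /64. Three configurations are compared: no protection, an
infrastructure ACL at the border, and a /127 on the link.
"""
import ipaddress
import random

INCOMPLETE = "INCOMPLETE"   # NS sent, no NA received yet
REACHABLE = "REACHABLE"     # neighbour answered the solicitation


class Router:
    def __init__(self, link_prefix, self_addr, peer_addr, cache_capacity,
                 infra_filter=()):
        self.link = ipaddress.IPv6Network(link_prefix)
        self.self_addr = ipaddress.IPv6Address(self_addr)
        self.peer_addr = ipaddress.IPv6Address(peer_addr)
        self.capacity = cache_capacity
        self.cache = {}  # IPv6Address -> entry state
        # Prefixes the border ACL drops when the packet arrives from outside.
        self.infra_filter = [ipaddress.IPv6Network(p) for p in infra_filter]

    def forward(self, dst, from_outside=True):
        """Forward one packet to dst; returns a string naming its fate."""
        dst = ipaddress.IPv6Address(dst)
        if from_outside and any(dst in p for p in self.infra_filter):
            return "dropped-by-acl"
        if dst not in self.link:
            return "routed-elsewhere"        # not this link: no ND triggered
        if dst == self.self_addr:
            return "delivered-local"
        state = self.cache.get(dst)
        if state == REACHABLE:
            return "delivered"
        if state is None:
            if len(self.cache) >= self.capacity:
                return "dropped-cache-full"  # no room even to solicit
            if dst == self.peer_addr:        # the only real neighbour answers
                self.cache[dst] = REACHABLE
                return "delivered"
            self.cache[dst] = INCOMPLETE     # NS unanswered, entry lingers
        return "dropped-unresolved"


def scan(router, prefix, packets, seed=1):
    """Off-link scan: packets to pseudo-random addresses inside prefix."""
    rng = random.Random(seed)
    net = ipaddress.IPv6Network(prefix)
    outcome = {}
    for _ in range(packets):
        dst = net.network_address + rng.randrange(net.num_addresses)
        fate = router.forward(dst, from_outside=True)
        outcome[fate] = outcome.get(fate, 0) + 1
    return outcome


def peer_reachable_after_scan(router, scan_prefix="2001:db8:0:1::/64",
                              packets=5000):
    """Run the scan, then try to reach the real peer from the inside (for
    instance the router's own BGP session) after its cache entry has aged
    out, which is the moment the full cache hurts."""
    scan(router, scan_prefix, packets)
    return router.forward(router.peer_addr, from_outside=False) == "delivered"


def scenarios(capacity=1000):
    """Returns scenario name -> whether the peer is still reachable."""
    unprotected = Router("2001:db8:0:1::/64", "2001:db8:0:1::1",
                         "2001:db8:0:1::2", capacity)
    with_acl = Router("2001:db8:0:1::/64", "2001:db8:0:1::1",
                      "2001:db8:0:1::2", capacity,
                      infra_filter=["2001:db8:0:1::/64"])
    # /127: only ::a and ::b exist on the link, so a scan of the surrounding
    # /64 never creates a neighbour-cache entry here.
    slash127 = Router("2001:db8:0:1::a/127", "2001:db8:0:1::a",
                      "2001:db8:0:1::b", capacity)
    return {
        "/64, no filter": peer_reachable_after_scan(unprotected),
        "/64, infrastructure ACL": peer_reachable_after_scan(with_acl),
        "/127 on the link": peer_reachable_after_scan(slash127),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:25s} peer reachable: {ok}")
```

The unprotected router ends the scan with a cache full of INCOMPLETE entries and cannot even solicit its real neighbour. The ACL variant never lets the scan reach the link, which is the "block packets destined for your point-to-point links at your borders" advice from earlier in the thread; the /127 variant has no address space to exhaust. Both mitigations are independent, and in practice the ACL still matters with /127 because the router's own addresses remain reachable targets for other ND-triggering traffic.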
you have sent a message to me which seems to contain a legal
warning on who can read it, or how it may be distributed, or
whether it may be archived, etc.
i do not accept such email. my mail user agent detected a legal
notice when i was opening your mail, and automatically deleted it.
so do not
On Fri, Jan 7, 2011 at 8:02 PM, Dobbins, Roland rdobb...@arbor.net wrote:
NAT has no inherent security benefits whatsoever.
Hi Roland,
With that statement, you paint with a remarkably broad brush. As you
know, folks use (or perhaps misuse) the term NAT to describe
everything from RFC 1631 to
On Jan 8, 2011, at 8:54 AM, William Herrin wrote:
I presume you don't intend us to conclude that a bastion host firewall
provides no security benefit to the equipment it
protects.
If it's protecting workstations, yes, it has some positive security value - but
not due to NAT.
If it's
On Fri, Jan 7, 2011 at 9:00 PM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 8, 2011, at 8:54 AM, William Herrin wrote:
I presume you don't intend us to conclude that a bastion
host firewall provides no security benefit to the equipment it
protects.
If it's protecting workstations, yes,
I wanted to thank everyone for both their online and offline replies.
At this time the FAA does not support IPv6 to connect to the ASDI
servers.
Cheers
Ryan
-Original Message-
From: Merike Kaeo [mailto:mer...@doubleshotsecurity.com]
Sent: Wednesday, January 05, 2011 12:14 AM
To: Ryan
note that while i am also an ARIN trustee, i am speaking here as what randy
calls just another bozo on this bus. for further background, ISC has done
some rpki work and everybody at ISC including me likes rpki just fine. when
the ARIN board was first considering funding ISC to do some early rpki
[ caveat: i am *one of* the architects of all this, and am paid to work
on it, currently (indirectly) by the usg dhs. ]
for background, the other four rirs have rolled rpki out in the last
weeks, apnic and afrinic with the up/down protocol, ripe web only, and i
am not well informed about
Paul,
On Jan 7, 2011, at 7:33 PM, Paul Vixie wrote:
The definition of what comes under the public policy mailing list
umbrella has always been a bit confusing to me. Too bad something like
the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN
region.
do you have a specific
The issue I see is that there are non-address allocation{, policy}
topics that can deeply affect network operations in which ARIN has a
direct role, yet network operators (outside of the normal ARIN
participants) have no obvious mechanism in which to
comment/discuss/etc. Examples would