Well, sometime yesterday www.centurylink.com removed its record(s).
www.qwest.com still has them.
Frank
-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com]
Sent: Monday, October 24, 2011 1:47 PM
To: 'nanog@nanog.org'
Subject: RE: IPv6 version of
On Nov 29, 2011, at 8:17 PM, compt...@kc.rr.com wrote:
We lost several of our GigE links to ATT for 6 hours on 11/19, anyone else
see this and get a root cause from ATT? All I can get is that they believe a
change caused the issue.
We lost several (but not all) of our Optiman circuits on
Yikes, Owen. That's a lot of responses...
Saying you can mitigate neighbor table exhaustion with a simple ACL
is misleading (and you're not the only one who has tried to make that
claim).
You can mitigate it by:
1. Using a stateful firewall (not an ACL) outside the router
responsible for the
On Wed, Nov 30, 2011 at 8:21 AM, Brad Fleming bdfle...@gmail.com wrote:
On Nov 29, 2011, at 8:17 PM, compt...@kc.rr.com wrote:
We lost several of our GigE links to ATT for 6 hours on 11/19, anyone else
see this and get a root cause from ATT? All I can get is that they believe
a change
Stefan wrote the following on 11/30/2011 8:53 AM:
On Wed, Nov 30, 2011 at 8:21 AM, Brad Fleming bdfle...@gmail.com wrote:
On Nov 29, 2011, at 8:17 PM, compt...@kc.rr.com wrote:
We lost several of our GigE links to ATT for 6 hours on 11/19, anyone else see
this and get a root cause from ATT?
On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy r...@maine.edu wrote:
Saying you can mitigate neighbor table exhaustion with a simple ACL
is misleading (and you're not the only one who has tried to make that
claim).
It's true, though, you can.
But you can also mitigate neighbor table exhaustion by
Hi All,
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20
On Wed, Nov 30, 2011 at 9:48 AM, Ray Soucy r...@maine.edu wrote:
1. Using a stateful firewall (not an ACL) outside the router
responsible for the 64-bit prefix. This doesn't scale, and is not a
design many would find acceptable (it has almost all the problems of
an ISP running NAT)
Owen has
If so, this might be a good time to change passwords, and to review
what other information has transited your phone.
(Note: androidsecuritytest.com appears to be slashdotted at the moment.)
November 16: initial reports of Carrier IQ spyware surface:
CarrierIQ: Most Phones Ship
From a requirements point of view I am not sure I would enforce these sort
of restrictions.
John
On 11/29/11 6:59 AM, Dmitry Cherkasov doctor...@gmail.com wrote:
John,
I am determining technical requirements to IPv6 provisioning system
for DOCSIS networks and I am deciding if it is worth to
-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com]
Sent: Wednesday, November 30, 2011 11:14 AM
To: Ray Soucy
Cc: NANOG
Subject: Re: IPv6 prefixes longer then /64: are they possible in
DOCSIS
networks?
On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy r...@maine.edu wrote:
Technically this is not true. SLAAC is not prohibited, it does come with
side effects that complicate the deployment of IPv6. It is technically
feasible to use SLAAC, it is just not practical in most cases.
Stateful DHCPv6 is the preferred mechanism for address and configuration
assignment.
Hello Leland,
Yes we do see the same behavior!
regards,
Rob Vercouteren
Owen and I have gone back and forth over the year(s) as well.
I think it really comes down to Owen's adamant belief that _every_
network should be a 64-bit prefix, and that SLAAC should be used for
addressing, because it's simple and people will only adopt IPv6 if
it's simple. The whole
There was a new BIND vulnerability announced...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/30/2011 10:59 AM, rob.vercoute...@kpn.com wrote:
Hello Leland,
Yes we do see the same behavior!
regards,
Rob Vercouteren
On Nov 30, 2011, at 9:51 AM, Blake Hudson wrote:
Stefan wrote the following on 11/30/2011 8:53 AM:
On Wed, Nov 30, 2011 at 8:21 AM, Brad Fleming bdfle...@gmail.com wrote:
On Nov 29, 2011, at 8:17 PM, compt...@kc.rr.com wrote:
We lost several of our GigE links to ATT for 6 hours on 11/19,
On Nov 30, 2011, at 9:13 AM, -Hammer- wrote:
There was a new BIND vulnerability announced...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4313
I strongly suspect the BIND vulnerability is unrelated. These attacks appear
to be simple (if large) DDoSes.
Regards,
-drc
On Wed, 30 Nov 2011, Leland Vandervort wrote:
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for
Just offering it up. It's not a 0day or anything but it is recently
published. I am not receiving the DoS so I haven't had a chance to
observe the traffic.
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/30/2011 11:40 AM, David Conrad wrote:
On Nov 30, 2011, at 9:13 AM, -Hammer-
Brad Fleming wrote:
In either case I'm a customer and will likely never be told what went wrong.
I'm OK with that so long as it doesn't happen again!
Does being told what happened somehow prevent it from happening again?
What is the utilitarian value in an RFO?
Joe
In either case I'm a customer and will likely never be told what went wrong.
I'm OK with that so long as it doesn't happen again!
Does being told what happened somehow prevent it from happening again?
Nope. But if this same issue crops up again we'll have to work the system
harder and
No. It doesn't prevent it from happening again. But at least you can
have them check for that same issue when it happens next time.
I guess the RFO gives the customer the feeling that the vendor was able
to isolate the issue and fix it; as opposed to issue was resolved
before isolation.
- Miraaj
Once upon a time, Leland Vandervort lel...@taranta.discpro.org said:
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
Before we see knee-jerk conclusions about who to blame, these attacks could be
carried out by anyone.
Is country even relevant in the cyberscape?
Andrew
From: Leland Vandervort lel...@taranta.discpro.org
To: nanog@nanog.org
Cc: Leland Vandervort
On Wed, 30 Nov 2011 10:24:21 PST, andrew.wallace said:
Before we see knee-jerk conclusions about who to blame, these attacks could
be carried out by anyone. Is country even relevant in the cyberscape?
Reading comprehension, Andrew. Leland never said the Chinese were behind it,
he never even
An attack originating from somewhere indicates the presence of either
an attacker or a compromised host. A particular density of either in
a particular geographical area would seem like an interesting data
point.
--Richard
On Wed, Nov 30, 2011 at 1:24 PM, andrew.wallace
tyler,
some additional soft skills that will help you distinguish yourself
from others:
- learn to write well: take some creative writing classes in addition
to technical writing. being able to efficiently write clear,
concise, and effective documentation is a skill that is necessary,
What I have seen lately with telcos building and operating Metro Ethernet
Forum (MEF) based Ethernet networks is that relatively inexperienced telco
staff are in charge of configuring and operating the networks, where telco
operational staff are unaware of layer 2 Ethernet network nuances,
Except in this case it's a DNS attack, which implies UDP based and easily
spoofed. The source IP may or may not actually be accurate.
Ken
From: Richard Barnes [mailto:richard.bar...@gmail.com]
Sent: Wed 11/30/2011 11:51 AM
To: andrew.wallace
Cc:
On 30 November 2011 17:45, Joe Maimon jmai...@ttec.com wrote:
Brad Fleming wrote:
In either case I'm a customer and will likely never be told what went
wrong. I'm OK with that so long as it doesn't happen again!
Does being told what happened somehow prevent it from happening again?
On Wed, Nov 30, 2011 at 10:39 AM, Jeff Wheeler j...@inconcepts.biz wrote:
On Wed, Nov 30, 2011 at 9:48 AM, Ray Soucy r...@maine.edu wrote:
Owen has suggested stateful firewall as a solution to me in the
past. There is not currently any firewall with the necessary features
to do this. We
In a message written on Wed, Nov 30, 2011 at 01:41:49PM -0600, Jimmy Hess wrote:
What's the overwhelming benefit of forcing in a /126 on your P-t-P
inter-router links if it has risks and complicates matters so much?
Making Owen happy. :)
--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
Yes it is, but the problem is that our servers are attacking the so called
source address. All the answers are going back to the source. It is huge
amplification attacks. (some sort of smurf if you want)
The IP addresses are spoofed (We did a capture and saw all different TTLs so
coming from
-Original Message-
From: rob.vercoute...@kpn.com [mailto:rob.vercoute...@kpn.com]
Sent: Wednesday, November 30, 2011 3:05 PM
To: matlo...@exempla.org; richard.bar...@gmail.com;
andrew.wall...@rocketmail.com
Cc: nanog@nanog.org; lel...@taranta.discpro.org
Subject: RE: Recent DNS attacks
For those who missed it, Linux is adding NAT for IPv6 to netfilter:
http://www.spinics.net/lists/netfilter-devel/msg19979.html
Along with traditional SNAT and DNAT targets most of us are familiar
with, a new NETMAP target is included that implements NPT (network
prefix translation).
I for one am
On Nov 30, 2011, at 9:10 AM, Ray Soucy wrote:
Owen and I have gone back and forth over the year(s) as well.
I think it really comes down to Owen's adamant belief that _every_
network should be a 64-bit prefix, and that SLAAC should be used for
addressing, because it's simple and people
In a message written on Wed, Nov 30, 2011 at 03:14:07PM -0500, Ray Soucy wrote:
I for one am happy to see this; despite not wanting to see people NAT
IPv6 as the norm, having the NETMAP target will largely replace the
use of SNAT and MASQUERADE for many deployments, while keeping those
tools
On Nov 30, 2011, at 2:14 PM, Ray Soucy wrote:
For those who missed it, Linux is adding NAT for IPv6 to netfilter:
http://www.spinics.net/lists/netfilter-devel/msg19979.html
Along with traditional SNAT and DNAT targets most of us are familiar
with, a new NETMAP target is included that
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20 to 30
On Wed, Nov 30, 2011 at 3:13 PM, Owen DeLong o...@delong.com wrote:
As such, I prefer to deploy IPv6 as it is today and resolve the bugs
and the security issues along the way (much like we did with IPv4).
Why is the Hurricane Electric backbone using /126 link-nets, not /64?
You used to
I am wondering if anyone else is seeing a sudden increase in DNS attacks
emanating from Chinese IP addresses? Over the past 24 hours we've seen a
sudden rash of Chinese IPs attacking our DNS servers in the order of 5 to 10
million PPS for periods of 5 to 10 mins, repeated every 20 to 30
On Wed, Nov 30, 2011 at 3:13 PM, Owen DeLong o...@delong.com wrote:
I do believe that there is no benefit to longer prefixes than /64.
Nobody has provided any convincing evidence to the contrary.
There are better ways to mitigate ND than longer prefixes.
Agree to disagree, I guess.
--
Ray
On 30 Nov 2011, at 21:10, Ray Soucy wrote:
On Wed, Nov 30, 2011 at 3:13 PM, Owen DeLong o...@delong.com wrote:
I do believe that there is no benefit to longer prefixes than /64.
Nobody has provided any convincing evidence to the contrary.
There are better ways to mitigate ND than longer
To be honest, I can't work out the point of preferring a /64 in the
first place if
you're not using SLAAC and I'm not sure why SLAAC wanted more than 48
bits.
If you use broad ACLs to lock down to a /126 or /112 equivalent, why
bother with
the /64 in the first place?
However, I'm new
On Tue, Nov 29, 2011 at 3:46 AM, Dmitry Cherkasov doctor...@gmail.com wrote:
Currently I research on IPv6 provisioning systems and I need to decide
whether the ability to use longer than /64 prefixes should be
supported in them or not. If we restrict user to using /64 per network
we need to
On 11/30/2011 14:46, Bill Stewart wrote:
There's a very strong case to be made for "Be conservative in what you
generate and liberal in what you accept" here.
I've been saying for years that your safest bet is to reserve a /64,
regardless of how many bits you use out of it, or why. If you do that
On Wed, Nov 30, 2011 at 1:18 PM, Mark Blackman m...@exonetric.com wrote:
... and I'm not sure why SLAAC wanted more than 48 bits.
One reason IPv6 addresses are 128 bits long instead of 40, 48, 64 or
80 is because converting from IPv4 to IPv6 is really painful and we
don't want to ever have to do
On 30 Nov 2011, at 23:02, Bill Stewart wrote:
On Wed, Nov 30, 2011 at 1:18 PM, Mark Blackman m...@exonetric.com wrote:
... and I'm not sure why SLAAC wanted more than 48 bits.
One reason IPv6 addresses are 128 bits long instead of 40, 48, 64 or
80 is because converting from IPv4 to IPv6 is
Another really useful skill is knowing what it looks like to be a
customer / end user of one of those networks. Sure, it's fun to crank
obscure BGP load-balancing techniques, but you also need to know where
the industry as a whole is going technically and business-wise. Tier
1s sell to Tier 2s,
I agree with pretty much everything Bill, Doug, and Nathan just said.
Just remember "640K ought to be enough for anybody." ;-)
It's usually unwise to make statements about never needing more than
where technology is concerned. IPv6 is still in its "let's get people
to use this" phase; I don't think
On Wed, Nov 30, 2011 at 2:13 PM, Owen DeLong o...@delong.com wrote:
On Nov 30, 2011, at 9:10 AM, Ray Soucy wrote:
I do believe that there is no benefit to longer prefixes than /64.
Nobody has provided any convincing evidence to the contrary.
Yes they have, thoroughly; mitigation of this one
I am in great hopes that a Microsoft Postmaster could get in contact
with me. This is dealing with a delisting of a banned IP
blocked using Blocklist 3, mail from IP banned. My client is e-mailing
a vendor of theirs whose mail goes to mail.messaging.microsoft.com
We have submitted a request
This is great news.
I wonder if this is evidence that they plan to continue to develop the
Procurve line and eventually abandon the 3Com line. Uncertainty of
which line would win out has kept me (and others I'm sure) from
wanting to invest in anything HP.
On Wed, Nov 30, 2011 at 8:40 PM, Jason
On 1 December 2011 00:55, Jimmy Hess mysi...@gmail.com wrote:
Please explain. What are the better ways that you would propose
of mitigating ND table overflows?
If you can show a rational alternative, then it would be persuasive as
a better option.
Link-Local?
For true P-t-P links I guess
I for one get really irritated when my traceroutes and pings are
broken and I need to troubleshoot things. ;-) But I guess something
has to give.
On Wed, Nov 30, 2011 at 9:15 PM, Mike Jones m...@mikejones.in wrote:
On 1 December 2011 00:55, Jimmy Hess mysi...@gmail.com wrote:
Please explain.
On 1 December 2011 02:22, Ray Soucy r...@maine.edu wrote:
I for one get really irritated when my traceroutes and pings are
broken and I need to troubleshoot things. ;-) But I guess something
has to give.
My home connection gets IPv6 connectivity via a tunnelbroker tunnel, I
didn't use the
I was half joking, but you know, you might be on to something there.
I'll have to try it out and see what the implications are.
I know that for our gear, it uses the interface address so we can map
rDNS to something useful. The other thing to look into would be
neighbor configuration for
Comment can be appreciated but please remove the I2 WG address from
responses unless it's something you want to blast to that community, I
don't want them upset at me for filling their inbox with a 40 email
NANOG thread (you know how this list can get).
;-)
On Wed, Nov 30, 2011 at 9:52 PM, Brent
On Wed, 30 Nov 2011 19:19:51 EST, Ray Soucy said:
There is a lot of talk about buggy systems that are unable to handle
prefixes longer than 64; but I've yet to encounter one. I imagine if
I did it would be treated as a bug and fixed.
What year did Cisco first release IOS?
What year did
In a message written on Wed, Nov 30, 2011 at 07:19:51PM -0500, Ray Soucy wrote:
There is a lot of talk about buggy systems that are unable to handle
prefixes longer than 64; but I've yet to encounter one. I imagine if
This has been one of the first things I tested with new router gear
for,
Well, traceroutes and other ICMP functions would break. It is occasionally
useful to be able to address a specific router interface from someplace other
than its connected peer.
-Gabriel
-Original Message-
From: Mike Jones [mailto:m...@mikejones.in]
Sent: Wednesday, November 30, 2011
On Wed, Nov 30, 2011 at 10:33 PM, McCall, Gabriel
gabriel.mcc...@thyssenkrupp.com wrote:
Well, traceroutes and other ICMP functions would break. It is occasionally
useful to be able to address a specific router interface from someplace other
than its connected peer.
Unless your router always