Fwd: RPKI Pilot Participant Notice

2012-09-05 Thread Randy Bush
can you find the fatal flaw? [ hint: how does an isp in phnom penh validate my route? ] randy ---BeginMessage--- Our records indicate that you have requested and received access to ARIN's RPKI Pilot. ARIN is preparing to release our production RPKI hosted solution in mid to late September of

Re: 91.201.64.0/22 hijacked?

2012-09-05 Thread Georgios Theodoridis
I was wondering if there is a repository with references of prefix hijack cases. We would like to use such information for a BGP anomaly detection analysis that we are carrying out in our research centre. Unfortunately, apart from the well known cases (Youtube-Pakistan case in 2008 and the

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the same? Use DKIM. You say that like it's a

Re: Blocking MX query

2012-09-05 Thread David Barak
On Sep 4, 2012, at 11:45 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote: So - now with ipv6 you're going to see hi, my toto highly computerized toilet is trying to make outbound port 25 connections to gmail

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Henry Stryker
On 09/05/12 05:56 , Daniel Taylor wrote: Use DKIM. You say that like it's a lower bar than setting up a fixed SMTP server and using that. Besides, doesn't DKIM break on mailing lists? Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches. This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we supposed to pick you out from spammers that do the

Re: Level 3 BGP Advertisements

2012-09-05 Thread Marc Storck
Just for kicks, I tried using a .0.0/16 and .255.255/16 address for stuff in IOS (configured it as loopback and tried to establish bgp sessions etc), that didn't work so well. I don't remember exactly what the problem was, but I did indeed run into problems. LU-CIX uses .255 and .0 for their

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Greg Ihnen
On Wed, Sep 5, 2012 at 11:11 AM, Izaac iz...@setec.org wrote: On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches. This is why tcp port 25 filtering is totally

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 11:11, Izaac wrote: This is why tcp port 25 filtering is totally effective and will remain so forever. Definitely worth breaking basic function principles of a global communications network over which trillions of dollars of commerce occur. Two things to note: 1.

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 11:46, Greg Ihnen wrote: But as someone pointed out further back on this thread people who want to have their mail servers available to people who are on the other side of port 25 filtering just use the alternate ports. So then what does filtering port 25 accomplish? The

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 07:50 AM, Henry Stryker wrote: Not only that, but a majority of spam I receive lately has a valid DKIM signature. They are adaptive, like cockroaches. The I part of DKIM is Identified. That's all it promises. It's a feature, not a bug, that spammers use it. Mike

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 08:49 AM, Sean Harlow wrote: 2. The reason port 25 blocks remain effective is that there really isn't a bypass. In the Maginot Line sense, manifestly. Mike

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Mark Kosters
On 9/5/12 3:26 AM, Randy Bush ra...@psg.com wrote: can you find the fatal flaw? [ hint: how does an isp in phnom penh validate my route? ] randy Hi Randy Your question is a bit cryptic. Could you be more specific about your concern? Thanks, Mark

Tata Equinix

2012-09-05 Thread Morgan Miskell
Anyone on the list from Tata that can help address a Tata Equinix Ashburn issue? -- Morgan A. Miskell CaroNet Data Centers 704-643-8330 x206 The information contained in this e-mail is confidential and is intended only

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Richard Barnes
I think Randy meant to imply that requiring anyone that wants to actually use the RPKI to make a legal agreement with ARIN might not be the best way to encourage deployment. On Wed, Sep 5, 2012 at 2:56 PM, Mark Kosters ma...@arin.net wrote: On 9/5/12 3:26 AM, Randy Bush ra...@psg.com wrote:

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Henry Stryker
On 09/05/12 09:13 , Michael Thomas wrote: The I part of DKIM is Identified. That's all it promises. It's a feature, not a bug, that spammers use it. Which is why DKIM does not really address any concerns. The spammers have reduced its value. I am retired now, but do run my own mail server

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Christopher Morrow
On Wed, Sep 5, 2012 at 3:05 PM, Richard Barnes richard.bar...@gmail.com wrote: I think Randy meant to imply that requiring anyone that wants to actually use the RPKI to make a legal agreement with ARIN might not be define 'use'... o 'stick their objects into the repo' sure a contract sounds

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Gary Buhrmaster
On Wed, Sep 5, 2012 at 7:24 PM, Christopher Morrow morrowc.li...@gmail.com wrote: . a closer (by me) reading of: In order to access the production RPKI TAL, you will first have to agree to ARIN's Relying Party Agreement before the TAL will be emailed to you. To request the TAL after the

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from essentially random locations, how are we

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Michael Thomas
On 09/05/2012 12:50 PM, Daniel Taylor wrote: On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are sending direct SMTP on behalf of your domain from

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Daniel Taylor
On 09/05/2012 03:01 PM, Michael Thomas wrote: On 09/05/2012 12:50 PM, Daniel Taylor wrote: On 09/05/2012 10:19 AM, Michael Thomas wrote: On 09/05/2012 05:56 AM, Daniel Taylor wrote: On 09/04/2012 03:52 PM, Michael Thomas wrote: On 09/04/2012 09:34 AM, Daniel Taylor wrote: If you are

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Wed, Sep 05, 2012 at 11:46:34AM -0400, Greg Ihnen wrote: On Wed, Sep 5, 2012 at 11:11 AM, Izaac iz...@setec.org wrote: On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote: signature. They are adaptive, like cockroaches. This is why tcp port 25 filtering is totally effective

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Danny McPherson
On Sep 5, 2012, at 3:32 PM, Gary Buhrmaster wrote: My interpretation was what Randy implied, and that ARIN wants an agreement with everyone who gets a (presumably unique to the agreement) TAL to protect ARIN. That would seem like a lot of overhead to maintain to me (since as I recall a

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Joe St Sauver
Izaac iz...@setec.org commented: #I suspect your ISP is also stripping sarcasm tags. Let's try it out #again: # # You can tell that tcp port 25 filtering is a highly effective spam # mitigation technique because spam levels have declined in direct # proportion to their level of deployment.

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Izaac
On Tue, Sep 04, 2012 at 03:45:32PM -0400, William Herrin wrote: That's what firewalls *are for* Jay. They intentionally break end-to-end for communications classified by the network owner as undesirable. Whether a particular firewall employs NAT or not is largely beside the point here. Either

Re: RPKI Pilot Participant Notice

2012-09-05 Thread Randy Bush
[ hint: how does an isp in phnom penh validate my route? ] Your question is a bit cryptic. moi? :) Could you be more specific about your concern? essentially, as the rirs have resisted iana being the root ta, the arin tal is necessary for anyone to validate anything which depends on the

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Cutler James R
On Sep 5, 2012, at 5:12 PM, Izaac iz...@setec.org wrote: Since tcp25 filtering has been so successful, we should deploy filters for everything except tcp80 and tcp443 and maaaybe tcp21 -- but NAT already does so much to enhance the user experience there already. And what with ISP

Akamai Peering Tech

2012-09-05 Thread Kris Amy
Hi All, If there is an Akamai peering tech around could they contact me off-list regarding a BGP session which has been bouncing for a while. Cheers, Kris

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread William Herrin
On Wed, Sep 5, 2012 at 5:12 PM, Izaac iz...@setec.org wrote: I suspect your ISP is also stripping sarcasm tags. Let's try it out again: You can tell that tcp port 25 filtering is a highly effective spam mitigation technique because spam levels have declined in direct proportion to

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread John Levine
In article 5047a2ea.8010...@hup.org you write: On 09/05/12 09:13 , Michael Thomas wrote: The I part of DKIM is Identified. That's all it promises. It's a feature, not a bug, that spammers use it. Which is why DKIM does not really address any concerns. The spammers have reduced its value.

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread John Levine
Well, if you've got proper forward and reverse DNS, and your portable SMTP server identifies itself properly, and you are using networks that don't filter outbound port 25, AND you have DKIM configured correctly and aren't using it for a situation for which it is inappropriate, then you'll get

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread valdis . kletnieks
On 05 Sep 2012 23:07:07 -, John Levine said: Not really. Large mail systems like Gmail and Yahoo have a pretty good map of the IPv4 address space. If you're sending from a residential DSL or cable modem range, they'll likely reject any mail you send directly no matter what you do. Which

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Jimmy Hess
On 9/4/12, Jay Ashworth j...@baylink.com wrote: It is regularly alleged, on this mailing list, that NAT is bad *because it violates the end-to-end principle of the Internet*, where each host is a full-fledged host, able to connect to any other host to perform transactions. Both true. and NAT

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Sean Harlow
On Sep 5, 2012, at 19:07, John Levine wrote: Not really. Large mail systems like Gmail and Yahoo have a pretty good map of the IPv4 address space. If you're sending from a residential DSL or cable modem range, they'll likely reject any mail you send directly no matter what you do. While

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Jimmy Hess
On 9/5/12, Sean Harlow s...@seanharlow.info wrote: While I've clearly been on the side of don't expect this to work, why do you have your laptop set up like that?, and defending the default-blocking behavior on outbound, this is not true at least for Gmail. I have a test Asterisk box which

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
Jimmy Hess wrote: NAT would fall under design flaw, because it breaks end-to-end connectivity, such that there is no longer an administrative choice that can be made to restore it (other than redesign with NAT removed). The end to end transparency can be restored easily, if an administrator

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread valdis . kletnieks
On Thu, 06 Sep 2012 13:08:29 +0900, Masataka Ohta said: The end to end transparency can be restored easily, if an administrator wishes so, with UPnP capable NAT and modified host transport layer. How does the *second* host behind the NAT that wants to use global port 7719 do it?

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
(2012/09/06 13:15), valdis.kletni...@vt.edu wrote: On Thu, 06 Sep 2012 13:08:29 +0900, Masataka Ohta said: The end to end transparency can be restored easily, if an administrator wishes so, with UPnP capable NAT and modified host transport layer. How does the *second* host behind the NAT

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Owen DeLong
On Sep 5, 2012, at 21:08 , Masataka Ohta mo...@necom830.hpcl.titech.ac.jp wrote: Jimmy Hess wrote: NAT would fall under design flaw, because it breaks end-to-end connectivity, such that there is no longer an administrative choice that can be made to restore it (other than redesign with

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Cameron Byrne
On Wed, Sep 5, 2012 at 9:39 PM, Owen DeLong o...@delong.com wrote: On Sep 5, 2012, at 21:08 , Masataka Ohta mo...@necom830.hpcl.titech.ac.jp wrote: Jimmy Hess wrote: NAT would fall under design flaw, because it breaks end-to-end connectivity, such that there is no longer an administrative

Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Masataka Ohta
Owen DeLong wrote: then, if transport layer of the host is modified to perform reverse translation (information for the translation can be obtained through UPnP): (local IP, global port) - (global IP, global port) Now, NAT is transparent to application layer. Never mind the fact