Re: COVID-19 vs. our Networks

2020-03-21 Thread Florian Weimer
* Mike Hammett: > Netflix recommends 25 megs for Ultra HD, while only 5 megs for > HD. That's a 5x difference in something people likely won't notice > and would make a big difference on the additional VPN, VoIP, video > conferencing, etc. 4K isn't supported by all devices and plans. I'm not

Re: power to the internet

2020-01-04 Thread Florian Weimer
* John Levine: > In article <87y2up1vc4@mid.deneb.enyo.de> you write: >>I found the connection rather puzzling (that is, how switching off >>power distribution prevents wildfires or at least reduces their risk). >>I found some explanations here (downed lines, vegetation contact, >>conductor

Re: power to the internet

2020-01-02 Thread Florian Weimer
* Jason Wilson: > This is all in conjunction with the CPUC. I believe it is also a part of a > court order. I’ll need to find that later > > https://www.cpuc.ca.gov/deenergization/ I found the connection rather puzzling (that is, how switching off power distribution prevents wildfires or at

Re: Stupid Question maybe?

2018-12-21 Thread Florian Weimer
* Baldur Norddahl: > Why do we still have network equipment, where half the configuration > requires netmask notation, the other half requires CIDR and to throw you > off, they also included inverse netmasks. Some also drop the prefix length in diagnostic output if it matches that of the address
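One way to deal with the three notations at once, as an added example (this is not code from the thread or from any vendor; the helper names and the "refuse ambiguous input" rule are this example's own): convert between prefix length, dotted netmask and inverse (wildcard) mask, reject non-contiguous masks, and refuse to guess when a value such as 0.0.0.0 is valid in both readings.

```python
import ipaddress
from typing import Tuple

# Added example for the netmask / prefix-length / inverse-mask confusion in the
# thread. All helper names are this example's own, not from any vendor CLI.

ALL_ONES = 0xFFFFFFFF


class AmbiguousMask(ValueError):
    """Raised when a dotted value could be read as either a netmask or a wildcard."""


def _contiguous_low_ones(n: int) -> bool:
    # True when n looks like 0b000...0111...1 (including 0), i.e. n == 2**k - 1.
    return (n & (n + 1)) == 0


def netmask_to_prefixlen(mask: str) -> int:
    """'255.255.255.0' -> 24. Rejects non-contiguous masks such as 255.255.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & ALL_ONES
    if not _contiguous_low_ones(inv):
        raise ValueError(f"non-contiguous netmask {mask}")
    return 32 - inv.bit_length()


def wildcard_to_prefixlen(wildcard: str) -> int:
    """'0.0.0.255' (ACL-style inverse mask) -> 24. Rejects non-contiguous values."""
    w = int(ipaddress.IPv4Address(wildcard))
    if not _contiguous_low_ones(w):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - w.bit_length()


def mask_to_prefixlen(value: str, kind: str = "auto") -> int:
    """Accept a prefix length ('24'), a netmask, or a wildcard.

    kind='auto' guesses from the top bit: a netmask has it set, a wildcard
    has it clear. 0.0.0.0 and 255.255.255.255 are valid in both readings
    (/0 vs /32), so 'auto' refuses them instead of silently picking one;
    pass kind='netmask' or kind='wildcard' when you know which the
    platform means.
    """
    if value.isdigit():
        n = int(value)
        if not 0 <= n <= 32:
            raise ValueError(f"prefix length {n} out of range")
        return n
    raw = int(ipaddress.IPv4Address(value))
    if kind == "auto":
        if raw in (0, ALL_ONES):
            raise AmbiguousMask(f"{value} is both a valid netmask and a valid wildcard")
        kind = "netmask" if raw & 0x80000000 else "wildcard"
    if kind == "netmask":
        return netmask_to_prefixlen(value)
    if kind == "wildcard":
        return wildcard_to_prefixlen(value)
    raise ValueError(f"unknown mask kind {kind!r}")


def prefixlen_to_forms(prefixlen: int) -> Tuple[str, str]:
    """24 -> ('255.255.255.0', '0.0.0.255'), i.e. (netmask, wildcard)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"prefix length {prefixlen} out of range")
    mask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask)), str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def normalise(address: str, mask: str, kind: str = "auto") -> ipaddress.IPv4Interface:
    """Build a CIDR interface object from whatever notation a config line used."""
    return ipaddress.IPv4Interface(f"{address}/{mask_to_prefixlen(mask, kind)}")
```

The non-contiguity check matters more than it looks: a netmask like 255.255.0.255 is accepted by some ACL syntaxes as a wildcard and silently misread by tools that only count set bits.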

Re: It's been 20 years today (Oct 16, UTC). Hard to believe.

2018-10-17 Thread Florian Weimer
* Laszlo Hanyecz: > On 2018-10-17 02:35, Michael Thomas wrote: >> I believe that the IETF party line these days is that Postel was wrong >> on this point. Security is one consideration, but there are others. > > Postel's maxim also allowed extensibility.  If our network code rejects > (or

Re: It's been 20 years today (Oct 16, UTC). Hard to believe.

2018-10-17 Thread Florian Weimer
* Scott Brim: > On Tue, Oct 16, 2018, 22:37 Michael Thomas wrote: > >> I believe that the IETF party line these days is that Postel was wrong >> on this point. Security is one consideration, but there are others. >> >> Mike >> > > I saw just a small swing of the pendulum toward the center, a

Re: Whois vs GDPR, latest news

2018-05-26 Thread Florian Weimer
* Mark Andrews: > Domain whois is absolutely useful. Try contacting a site to report > that their nameservers are hosed without it. A lot of WHOIS servers do not show who's running the name servers, or who maintains the data served by them. Those that do usually provide information which is

Re: Is WHOIS going to go away?

2018-04-18 Thread Florian Weimer
* Filip Hruska: > On 04/14/2018 07:29 PM, Florian Weimer wrote: >> * Filip Hruska: >> >>> EURID (.eu) WHOIS already works on a basis that no information about the >>> registrant is available via standard WHOIS. >>> In order to get any usef

Re: Is WHOIS going to go away?

2018-04-14 Thread Florian Weimer
* Filip Hruska: > EURID (.eu) WHOIS already works on a basis that no information about the > registrant is available via standard WHOIS. > In order to get any useful information you have to go to > https://whois.eurid.eu and make a request there. > > Seems like a reasonable solution. Why? How

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Florian Weimer
* Hank Nussbacher: > Perhaps they are running all this to shake out exactly these type of > issues? I think that is exactly why APNIC research is called for. And return another 2**24 addresses to the global IPv4 pool eventually? That would indeed be a laudable goal.

Re: association between ASN and company name in ARIN region

2017-03-31 Thread Florian Weimer
* Arnold Nipper: > On 30.03.2017 17:50, Martin T wrote: > >> Is it possible to make a similar connection between AS number and >> company name in ARIN region? In other words, how do you find out that >> company is eligible to use AS number? >> > > > This doesn't work for you? > > whois -h

Re: Microsoft O365 labels nanog potential fraud?

2017-03-29 Thread Florian Weimer
* Grant Taylor via NANOG: > On 03/29/2017 04:17 AM, Mel Beckman wrote: >> Thanks for the very clear explanation. I use DKIM and SPF, but didn't >> know about this corner case. I'm surprised the SPF, etc architects >> missed it, or seem to have. In any event, I seem to be getting all >> the

Re: BCP 38 coverage if top x providers ...

2017-03-24 Thread Florian Weimer
* Laurent Dumont: > Wouldn't you want BCP38 policies to be as close as possible to the > traffic sources? Instead of creating more "fake" traffic? Maybe as close as possible, but still without sacrificing source network attribution is sufficient. > And at the same time, partial filtering

Re: BCP 38 coverage if top x providers ...

2017-03-24 Thread Florian Weimer
* Jared Mauch: >> On Nov 19, 2016, at 9:13 PM, Frank Bulk wrote: >> >> My google fu is failing me, but I believe there was a NANOG posting a year >> or two ago that mentioned that if the top x providers would >> implement BCP 38 >> then y% of the traffic (or Internet) would

Re: SHA1 collisions proven possisble

2017-02-24 Thread Florian Weimer
* valdis kletnieks: > We negotiate a contract with terms favorable to you. You sign it (or more > correctly, sign the SHA-1 hash of the document). > > I then take your signed copy, take out the contract, splice in a different > version with terms favorable to me. Since the hash didn't change,
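The contract-splicing scenario in the quoted post, replayed in code as an added example (not from the thread). A real SHA-1 collision pair cannot be computed here, so the example substitutes SHA-256 truncated to 24 bits as the weak hash and finds a birthday collision between a favourable and an unfavourable contract that differ only in an innocuous trailer line; the "signature" is an HMAC over the digest, standing in for RSA/ECDSA, which likewise sign the digest and not the document. The contract texts and the signing key are constructed.

```python
import hashlib
import hmac

# Added example; not from the thread. Truncated SHA-256 stands in for SHA-1 so
# that a birthday search finishes in well under a second; the structure of the
# attack is the same as with a full-width collision pair.
DIGEST_BITS = 24

# Constructed contract texts: the two versions differ only in the terms.
GOOD_TERMS = "Buyer pays EUR 1,000 per unit. Seller delivers within 30 days."
BAD_TERMS = "Buyer pays EUR 9,000 per unit. Seller delivers within 90 days."


def weak_hash(doc: bytes, bits: int = DIGEST_BITS) -> bytes:
    return hashlib.sha256(doc).digest()[: bits // 8]


def variant(body: str, nonce: int) -> bytes:
    # Only an innocuous trailer line changes between variants; the visible
    # terms stay the same, as with the hidden bytes in the SHAttered PDFs.
    return f"{body}\nDocument-ID: {nonce:08x}\n".encode()


def find_collision(good_body: str, bad_body: str, bits: int = DIGEST_BITS,
                   table_size: int = 1 << 13, max_tries: int = 1 << 22):
    """Birthday search: tabulate digests of good variants, then scan bad
    variants until one lands on a tabulated digest (about 2**(bits/2) work)."""
    table = {weak_hash(variant(good_body, i), bits): i for i in range(table_size)}
    for j in range(max_tries):
        h = weak_hash(variant(bad_body, j), bits)
        if h in table:
            return variant(good_body, table[h]), variant(bad_body, j)
    raise RuntimeError("no collision found; raise table_size or lower bits")


def sign(doc: bytes, key: bytes, bits: int = DIGEST_BITS) -> bytes:
    # Stand-in for an RSA/ECDSA signature: it covers the digest, not the
    # document, which is exactly what the splicing scenario exploits.
    return hmac.new(key, weak_hash(doc, bits), "sha256").digest()


def verify(doc: bytes, sig: bytes, key: bytes, bits: int = DIGEST_BITS) -> bool:
    return hmac.compare_digest(sign(doc, key, bits), sig)


def splice_attack(key: bytes = b"constructed signing key") -> dict:
    """Victim signs the favourable contract; the attacker presents the
    unfavourable one together with the same signature, and it verifies."""
    good, bad = find_collision(GOOD_TERMS, BAD_TERMS)
    sig = sign(good, key)
    return {
        "documents_differ": good != bad,
        "digests_equal": weak_hash(good) == weak_hash(bad),
        "signature_verifies_on_swapped_doc": verify(bad, sig, key),
        "good": good,
        "bad": bad,
    }
```

The fix is in the hash, not the signature algorithm: the same code with an untruncated SHA-256 digest has no reachable collision. Note also that this is a chosen-document attack, i.e. the attacker prepared both versions before the victim signed; the 2017 SHA-1 result was an identical-prefix collision, which is enough for exactly this case.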

Re: backbones filtering unsanctioned sites

2017-02-17 Thread Florian Weimer
* > On Friday, 17 February, 2017 08:29, "Florian Weimer" <f...@deneb.enyo.de> said: > >> Of course they do, see the arrest of Augusto Pinochet. > > Universal Jurisdiction is supposed to cover the likes of war crimes, > torture, extrajudicial executions and

Re: backbones filtering unsanctioned sites

2017-02-17 Thread Florian Weimer
* Todd Crane: > I am not familiar with Cogent’s architecture but why couldn’t they > just null route the IP address at their edge routers from within > Spain? I am not a lawyer but from what I understand, since the Spanish > government has zero say on what goes on outside of their borders, Of

Re: backbones filtering unsanctioned sites

2017-02-17 Thread Florian Weimer
* Jared Mauch: > So risk avoidance on the part of the 100k other sites hosted by CF is > now a conspiracy? Conspiracy is perhaps a bit too strong, but I would be annoyed if someone took my business, but then deliberately undermined the service they provide. Of course, if it's all part of the

Re: backbones filtering unsanctioned sites

2017-02-17 Thread Florian Weimer
* Andrew Paolucci: > Can anyone with a Cogent connection in Canada verify that they are > impacted as well? I think it's global. I tried sites in Canada and Germany, and the traces look like deliberate blocking of /32s. I don't have a BGP view for these sites, though. Why wouldn't it be

Re: pay.gov and IPv6

2016-11-18 Thread Florian Weimer
* Mark Andrews: > The DNSSEC testing is also insufficient. 9-11commission.gov shows > green for example but if you use DNS COOKIES (which BIND 9.10.4 and > BIND 9.11.0 do) then servers barf and return BADVERS and validation > fails. QWEST you have been informed of this already. > > Why the hell

Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-11 Thread Florian Weimer
* Mark Tinka: > I've given a talk about this a couple of times since 2008. But our > reasons are to choosing IS-IS are: Has the name been a problem for you? Asking vendors about support must be a bit awkward these days.

Re: Death of the Internet, Film at 11

2016-10-23 Thread Florian Weimer
* Randy Bush: >> What does BCP38 have to do with this? > > nothing technical, as these iot attacks are not spoofed. How do you know? Has anyone disclosed specifics? I can understand that keeping details under wraps is sometimes required for operational security, but if the attacks are clearly

Re: Death of the Internet, Film at 11

2016-10-23 Thread Florian Weimer
* Keith Medcalf: > On: Saturday, 22 October, 2016 17:41, Jean-Francois Mezei > wrote: > >> On 2016-10-22 19:03, Keith Medcalf wrote: > >> > This does not follow and is not a natural consequence of sealing the >> little buggers up so that they cannot affect the

Re: Death of the Internet, Film at 11

2016-10-23 Thread Florian Weimer
* David Conrad: > Maybe (not sure) one way would be to examine your resolver query logs > to look for queries for names that fit domain generation algorithm > patterns, then tracking down the customers/devices that are issuing > those queries and politely suggest they remove the malware on their
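The resolver-log approach suggested in the quoted post, as an added example (not code from the thread): score the registrable label of each queried name on length, entropy, vowel ratio, consonant runs and digit mix, and flag clients that asked for several such names. The log lines are constructed to resemble a BIND-style query log; the thresholds are this example's own and will need tuning against real traffic.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Added example; not from the thread. Log format is constructed to resemble a
# BIND-style query log line ("client IP#port: query: NAME IN TYPE ...").
QUERY_RE = re.compile(r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
VOWELS = "aeiou"

# Constructed resolver log: one client (192.0.2.77) is asking for names that
# look machine-generated; the cloudfront label is a common false-positive trap.
SAMPLE_LOG = """\
client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.10#51235: query: d1f3kwz9q2.cloudfront.net IN A + (192.0.2.1)
client 192.0.2.77#40001: query: xkqzvprtlmwjd.com IN A + (192.0.2.1)
client 192.0.2.77#40002: query: qprtvxzkmnbwl.net IN A + (192.0.2.1)
client 192.0.2.77#40003: query: zzxqwvtrpkmlhg.info IN A + (192.0.2.1)
client 192.0.2.77#40004: query: hjkqzxvbnmtrwp.org IN A + (192.0.2.1)
client 192.0.2.23#33333: query: mail.google.com IN A + (192.0.2.1)
client 192.0.2.23#33334: query: qprtvxzkmnbwl.net IN A + (192.0.2.1)
"""


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def longest_consonant_run(s: str) -> int:
    run = best = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(name: str) -> str:
    """Second-level label, e.g. 'cloudfront' for d1f3kwz9q2.cloudfront.net, so
    random CDN hostnames are judged by their parent. Deliberately naive: a
    public-suffix list is needed for co.uk and similar."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_indicators(label: str) -> Dict[str, bool]:
    n = len(label)
    vowels = sum(c in VOWELS for c in label)
    digits = sum(c.isdigit() for c in label)
    return {
        "long": n >= 12,
        "high_entropy": n >= 8 and shannon_entropy(label) >= 3.3,
        "few_vowels": n >= 8 and vowels / n < 0.2,
        "consonant_run": longest_consonant_run(label) >= 5,
        "digit_mix": 0 < digits < n and digits / n >= 0.3,
    }


def is_suspicious(label: str, min_hits: int = 2) -> bool:
    """Require two independent indicators so a single quirk (one long word,
    one hex-looking hostname) does not trip the detector."""
    return sum(dga_indicators(label).values()) >= min_hits


def flag_clients(log_text: str, min_names: int = 3) -> Dict[str, List[str]]:
    """Client IP -> sorted distinct suspicious names, for clients that asked
    for at least min_names of them. One odd name is noise; a burst of them
    from one host is the DGA beacon pattern worth a phone call."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("name").rstrip(".").lower()
        if is_suspicious(registrable_label(qname)):
            seen[m.group("ip")].add(qname)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_names}
```

The per-client threshold is what makes this usable: a DGA-infected host asks for dozens of unregistered names per cycle, while a single random-looking label from an ordinary host is usually a tracking or CDN hostname. Correlating with NXDOMAIN answers in the resolver's response log, where available, removes most of the remaining false positives.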

Re: Dyn DDoS this AM?

2016-10-22 Thread Florian Weimer
* Randy Bush: > anyone who relies on a single dns provider is just asking for stuff such > as this. Blaming the victim isn't helpful. And without end-user-visible changes, most of the victims would still depend on Verisign as a single provider for a critical part of their DNS service.

Re: IoT security, was Krebs on Security booted off Akamai network

2016-10-09 Thread Florian Weimer
* John R. Levine: > On Sun, 9 Oct 2016, Florian Weimer wrote: > >> If we want to make consumers to make informed decisions, they need to >> learn how things work up to a certain level. And then current >> technology already works. > > I think it's fair to say

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-10-09 Thread Florian Weimer
* Eliot Lear: > Not my end goal. My end goal is that consumers have a means to limit > risk in their home environments, and service providers have a means to > deliver that to them. They already have, with today's technology. It's just not a mass-market business. Consumers either have to

Re: Questions re: VPN protocols globally

2016-10-05 Thread Florian Weimer
* Valdis Kletnieks: > On Wed, 05 Oct 2016 12:06:07 -0400, Eric Germann said: > >> Customers will connect to their respective regional sites separately. >> Any ITAR concerns there? > > If there are serious concerns there, I recommend spending the coin for > an actual ITAR expert. Right. I

Re: nested prefixes in Internet

2016-10-05 Thread Florian Weimer
* Martin T.: > Florian: > >> Are the autonomous systems for the /19 and /24 connected directly? > > Yes they are. Then deaggregation really isn't necessary at all. >> (1) can be better from B's perspective because it prevents certain >> routing table optimizations (due to the lack of the

Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Florian Weimer
* Lyndon Nerenberg: >> In thinking over the last DDos involving IoT devices, I think we >> don't have a good technical solution to the problem. Cutting off >> people with defective devices they they don't understand, and have >> little control over, is an action that makes sense, but hurts the

Re: Request for comment -- BCP38

2016-10-02 Thread Florian Weimer
* Jay R. Ashworth: > - Original Message - >> From: "Florian Weimer" <f...@deneb.enyo.de> > >> * Jason Iannone: > >>> Are urpf and bcp38 interchangeable terms in this discussion? It seems >>> impractical and operationally risky t

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Roland Dobbins: > On 27 Sep 2016, at 12:17, Sam Silvester wrote: > >> or call their electricity retailer/distributer > > This is the problematic case that is, unfortunately, the default. > > People tend to view anything related to 'the Internet' as a utility, > and for consumers and SMBs, they

Re: nested prefixes in Internet

2016-09-27 Thread Florian Weimer
* Martin T.: > let's assume that there is an ISP "A" operating in Europe region who > has /19 IPv4 allocation from RIPE. From this /19 they have leased /24 > to ISP "B" who is multi-homed. This means that ISP "B" would like to > announce this /24 prefix to ISP "A" and also to ISP "C". AFAIK this

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Stephen Satchell: > Given a single local inside network with: > * multiple uplink providers (typical multi-home situation) > * multiple edge routers, each connected to an upstream via a public > routeable /30, and each further connected to the downstream inside > network > * 50 subnets

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Jason Iannone: > I have a question regarding language. We've seen bcp38 described as a > forwarding filter, preventing unallocated sources from leaving the AS. I > understand that unicast reverse path forwarding checks support bcp38, but > urpf is an input check with significant technical

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Eliot Lear: > As some on this thread know, I've been working with the folks who make > light bulbs and switches. They fit a certain class of device that is > not general purpose, but rather are specific in nature. For those > devices it is possible for the manufacturers to inform the network

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Mark Andrews: > Dear customer, >we are seeing traffic coming from your network. > > If you need help isolating the source of the traffic here are a few > companies in your city that can help you. > > > > This is not an exhaustive list. > > Support We already had the problem in

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Baldur Norddahl: > This means we can receive some packet on transit port A and then route out >>> a ICMP response on port B using the interface address from port A. But >>> transit B filters this ICMP packet because it has a source address >>> belonging to transit A. >> Interesting. But this

Re: Request for comment -- BCP38

2016-09-26 Thread Florian Weimer
* Baldur Norddahl: > Den 26. sep. 2016 18.02 skrev "Mike Hammett" : >> >> The only asymmetric routing broken is when the source isn't in public > Internet route-able space. That just leaves those multi-ISP WAN routers > that NAT it. > > Some of our IP transits implement
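The BCP 38 / uRPF distinction raised earlier in this thread, and the asymmetric ICMP case quoted just above, replayed as an added example (not code from the thread and not any vendor's implementation). It models a transit provider's customer-facing router with a small FIB and runs a prefix ACL, strict, feasible-path and loose uRPF over four constructed packets, including an ICMP error that a multi-homed customer router sourced from its transit-A link address but forwarded towards transit B. The addresses, interface names and FIB are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example; not from the thread and not any vendor's implementation.
Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)


def best_routes(fib: List[Route], addr: str) -> List[Route]:
    """Longest-prefix match; returns every route at the winning length (ECMP)."""
    a = ipaddress.ip_address(addr)
    hits = [r for r in fib if a in r[0]]
    if not hits:
        return []
    best = max(r[0].prefixlen for r in hits)
    return [r for r in hits if r[0].prefixlen == best]


def urpf_strict(fib: List[Route], src: str, ingress: str) -> bool:
    """Pass only if the best route back to src points out the ingress interface."""
    return any(iface == ingress for _, iface in best_routes(fib, src))


def urpf_feasible(fib: List[Route], src: str, ingress: str) -> bool:
    """Pass if *any* non-default route to src (not just the best one) uses ingress."""
    a = ipaddress.ip_address(src)
    return any(net.prefixlen > 0 and a in net and iface == ingress for net, iface in fib)


def urpf_loose(fib: List[Route], src: str) -> bool:
    """Pass if src is routable at all, ignoring the default route."""
    return any(net.prefixlen > 0 for net, _ in best_routes(fib, src))


def bcp38_prefix_filter(src: str, allowed: List[ipaddress.IPv4Network]) -> bool:
    """The BCP 38 ingress ACL: accept only sources the customer is known to hold."""
    a = ipaddress.ip_address(src)
    return any(a in net for net in allowed)


def evaluate(fib, allowed, src: str, ingress: str) -> Dict[str, bool]:
    return {
        "prefix_filter": bcp38_prefix_filter(src, allowed),
        "urpf_strict": urpf_strict(fib, src, ingress),
        "urpf_feasible": urpf_feasible(fib, src, ingress),
        "urpf_loose": urpf_loose(fib, src),
    }


# Constructed scenario, seen from transit B's customer-facing router. The
# customer holds 203.0.113.0/24 and is also connected to transit A over the
# link 198.51.100.0/30, which A owns and B reaches through its peering with A.
N = ipaddress.ip_network
FIB_B: List[Route] = [
    (N("203.0.113.0/24"), "cust"),
    (N("198.51.100.0/30"), "peer-A"),
    (N("0.0.0.0/0"), "core"),
]
ALLOWED_FROM_CUST = [N("203.0.113.0/24")]


def scenario() -> Dict[str, Dict[str, bool]]:
    return {
        # ordinary customer traffic
        "customer_host": evaluate(FIB_B, ALLOWED_FROM_CUST, "203.0.113.7", "cust"),
        # ICMP error the customer router sourced from its transit-A link
        # address but forwarded towards transit B (the case in the thread)
        "icmp_from_A_link": evaluate(FIB_B, ALLOWED_FROM_CUST, "198.51.100.2", "cust"),
        # the same ICMP error, sourced from a loopback inside the customer's block
        "icmp_from_loopback": evaluate(FIB_B, ALLOWED_FROM_CUST, "203.0.113.1", "cust"),
        # a genuinely spoofed source
        "spoofed": evaluate(FIB_B, ALLOWED_FROM_CUST, "192.0.2.55", "cust"),
    }
```

Reading the results: the prefix ACL and strict uRPF both drop the ICMP error sourced from the transit-A link, which is the breakage described above, and loose uRPF passes it but also tells you nothing about spoofing within routable space. Feasible-path uRPF only helps if transit B actually has a route to A's link prefix via the customer, which it normally does not. Of the options visible in this model, sourcing ICMP errors from an address inside the customer's own announced space, or getting the upstream to add the link prefix to the customer's filter, are what make the packet pass; which of those a given platform supports is not something this example can tell you.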

Re: CDN Overload?

2016-09-20 Thread Florian Weimer
* Jon Lewis: > This is kind of a funny problem though, because CDNs get paid to > deliver data, and they get compared/graded according to who can > deliver the bits the fastest...and here you are complaining that > they're delivering the bits too fast (or at least faster than you'd > like them

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-19 Thread Florian Weimer
* Rich Kulawiec: > On Sun, Sep 18, 2016 at 03:56:30PM +0200, Florian Weimer wrote: >> * Rich Kulawiec: >> >> > For example: if the average number of outbound SSH connections >> > established per hour per host across all hosts behind CGNAT is 3.2, >> > a

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Simon Lockhart: > On Sun Sep 18, 2016 at 03:58:57PM +0200, Florian Weimer wrote: >> * Tom Beecher: >> > Simon's getting screwed because he's not being given any information to try >> > and solve the problem, and because his customers are likely blaming him >> &g

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Tom Beecher: > An email to a user notifying them they're likely compromised costs > basically nothing. If this increases the probability that the customer contacts customer support, in some markets, there is a risk that the account will never turn profitable during the current contract period.

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Tom Beecher: > Simon's getting screwed because he's not being given any information to try > and solve the problem, and because his customers are likely blaming him > because he's their ISP. We don't know that for sure. Another potential issue is that the ISP just cannot afford to notify its

Re: PlayStationNetwork blocking of CGNAT public addresses

2016-09-18 Thread Florian Weimer
* Rich Kulawiec: > For example: if the average number of outbound SSH connections > established per hour per host across all hosts behind CGNAT is 3.2, > and you see a host making 1100/hour: that's a problem. It might be > someone who botched a Perl script; or it might be a botted host > trying
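The per-host baseline described in the quoted post, as an added example (not code from the thread): count outbound SSH connection starts per inside address from constructed flow records behind a CGNAT, derive a robust baseline with median and MAD rather than a mean that the outlier itself would drag up, and flag the host doing 1100 connections in an hour while leaving a host that is merely busy on port 443 alone. The flow format and the numbers are constructed to match the figures in the post.

```python
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

# Added example; not from the thread. Flow records are constructed:
# "hour,inside_ip,dst_ip,proto,dst_port", one line per connection start,
# roughly what a NetFlow/IPFIX exporter on the inside of the CGNAT yields.


def _constructed_flows() -> str:
    lines = []
    # Ten ordinary hosts: two to four outbound SSH sessions each in the hour.
    for i in range(1, 11):
        for j in range(2 + i % 3):
            lines.append(f"2016-09-18T14,100.64.0.{i},198.51.100.{j + 1},tcp,22")
    # One host making 1100 SSH connections to 1100 distinct destinations.
    for k in range(1100):
        lines.append(f"2016-09-18T14,100.64.0.200,203.0.{k // 256}.{k % 256},tcp,22")
    # One busy but legitimate web client: many HTTPS connections, no SSH.
    for k in range(900):
        lines.append(f"2016-09-18T14,100.64.0.201,192.0.2.{k % 256},tcp,443")
    return "\n".join(lines) + "\n"


FLOWS = _constructed_flows()

Flow = Tuple[str, str, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, src, dst, proto, port = line.split(",")
        out.append((hour, src, dst, proto, int(port)))
    return out


def per_host_counts(flows: List[Flow], proto: str = "tcp", dport: int = 22) -> Dict[Tuple[str, str], int]:
    """(hour, inside_ip) -> connection starts towards the given service.
    The baseline is per service on purpose: 900 HTTPS sessions say nothing
    about SSH brute forcing."""
    c: Counter = Counter()
    for hour, src, _dst, p, port in flows:
        if p == proto and port == dport:
            c[(hour, src)] += 1
    return dict(c)


def robust_outliers(counts: Dict, k: float = 10.0, min_abs: int = 50) -> Dict:
    """Flag counts far above the population's median. Median/MAD instead of
    mean/stddev so the outlier cannot drag the baseline up with it (with a
    plain mean, one host at 1100 pulls the average from about 3 to about 100)."""
    if not counts:
        return {}
    vals = list(counts.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return {key: v for key, v in counts.items() if v >= min_abs and v > med + k * mad}


def find_ssh_outliers(text: str = FLOWS) -> Dict[str, int]:
    counts = per_host_counts(parse_flows(text))
    return {src: v for (_hour, src), v in robust_outliers(counts).items()}


def ssh_baseline(text: str = FLOWS) -> float:
    return median(per_host_counts(parse_flows(text)).values())
```

The min_abs floor is what keeps a botched script on a quiet hour from being reported: a host at 30 connections is twenty times the median but not worth anyone's time. Note that this only works from the ISP's side of the NAT, where the inside address is visible; the party on the other end, in this thread's case PSN, sees only the shared public address, which is the whole problem.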

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Florian Weimer
* Mel Beckman: > If we can't police ourselves, someone we don't like will do it for us. That hasn't happened with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet

Re: Zayo Extortion

2016-08-15 Thread Florian Weimer
* Chris Knipe: > Although a company that can't manage their book keeping properly, is IMHO > enough reason to not use them... :-) There used to be a saying that you could choose between carriers with functional billing and carriers with a functional network.

Re: NIST NTP servers

2016-05-11 Thread Florian Weimer
* Chris Adams: > First, out of the box, if you use the public pool servers (default > config), you'll typically get 4 random (more or less) servers from the > pool. There are a bunch, so Joe Random Hacker isn't going to have a > high chance of guessing the servers your system is using. A

Re: Why the US Government has so many data centers

2016-03-14 Thread Florian Weimer
* Sean Donelan: > When you say "data center" to an ordinary, average person or reporter; > they think of big buildings filled with racks of computers. Not a > lonely server sitting in a test lab or under someone's desk. I suspect part of the initiative is to get rid of that mindset, which leads

Re: Why the US Government has so many data centers

2016-03-12 Thread Florian Weimer
* Mark T. Ganzer: > Note that I am not answering in any sort of "official" capacity, but > I will instead ask this for your consideration: Do servers in "test, > stage, development, or any other environment" really need to have the > same environmental, power and connectivity requirements that

Re: Is it normal for your provider to withhold BGP peering info until the night of the cut?

2016-01-21 Thread Florian Weimer
* William Herrin: > On Thu, Jan 21, 2016 at 4:26 PM, c b wrote: >> We have 4 full-peering providers between two data centers. Our >> accounting people did some shopping and found that there was >> a competitor who came in substantially lower this year and >> leadership

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Florian Weimer
* Lorenzo Colitti: I think what I said is that supporting DHCPv6-only networks will eventually force OS manufacturers to implement IPv6 NAT. This is because there are many features inside a mobile OS that require multiple IP addresses. On many networks, there will be fairly tight limits on

Re: Anyone from Cloudflare ? (IPv6 issue)

2014-12-27 Thread Florian Weimer
* Brandon Applegate: Otherwise - if anyone could share a way to get to clue @Cloudflare I would greatly appreciate it. I put a request in through the web support front door, but I got back about what I expected. Did you receive a reply? I tried to notify security@ about some issue, but

Re: How our young colleagues are being educated....

2014-12-22 Thread Florian Weimer
* Valdis Kletnieks: On Mon, 22 Dec 2014 04:13:42 -0500, Javier J said: student graduates. They are teaching classful routing and skimming over CIDR. Is this indicative of the state of our education system as a whole? Did the standard packaged Cisco curriculum finally drop mention of Class

Re: Marriott wifi blocking

2014-10-05 Thread Florian Weimer
* Jay Ashworth: It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID). What if the ESSID is Free Internet, or if the network is completely open? Does it change things if you have data that shows your

Re: DMARC - CERT?

2014-04-21 Thread Florian Weimer
* Christopher Morrow: I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? But what is the right thing here? Do we really want that *all* mailing lists must not provide a reply-to-sender option to all their users? Will this list make

Re: Requirements for IPv6 Firewalls

2014-04-19 Thread Florian Weimer
* Simon Perreault: Le 2014-04-18 13:25, Mike Hale a écrit : I agree with Bill. You can poopoo NAT all you want, but it's a fact of most networks and will continue to remain so until you can make a compelling case to move away from it. Does that mean all IPv6 firewalls should support NAT?

Re: US to relinquish control of Internet

2014-03-15 Thread Florian Weimer
* John R. Levine: Let's hope you're right, but I note that the ITU isn't an inter-governmental organization, It was able to obtain a delegation for ITU.INT, so it's inter-governmental enough in DNS terms.

Re: best practice for advertising peering fabric routes

2014-01-18 Thread Florian Weimer
* Patrick W. Gilmore: NEVER EVER EVER put an IX prefix into BGP, IGP, or even static route. An IXP LAN should not be reachable from any device not directly attached to that LAN. Period. Doing so endangers your peers and the IX itself. It is on the order of not implementing BCP38, except no one

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread Florian Weimer
* Randy Bush: Clay Kossmeyer here from the Cisco PSIRT. shoveling kitty litter as fast as you can, eh? http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel The article does not discuss or disclose any Cisco product vulnerabilities. this is

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread Florian Weimer
* Randy Bush: There's a limit to what can reasonably be called a *product* vulnerability. right. if the product was wearing a low-cut blouse and a short skirt, it's not. Uh-oh, is this an attempt at an argument based on a blame the victim rape analogy?

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread Florian Weimer
* Warren Bailey: Explaining, not a denial written by their legal department. I find it insanely difficult to believe cisco systems has a backdoor into some of their product lines with no knowledge or participation. As far as I understand it, these are firmware tweaks or implants sitting on a

Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

2013-08-11 Thread Florian Weimer
* Jared Mauch: Number of unique IPs that spoofed a packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded). That's not necessarily proof of spoofing, is it? The system in question might legitimately own IP addresses from very different networks. If the system is a router and

Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

2013-08-11 Thread Florian Weimer
* Jared Mauch: The incidence rate is too high for it to be multihomed hosts. Let me know if you want to look at the raw data. Very interesting stuff. Or just look for 8.8.8.8 in the openresolverproject page. Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP addresses to the

Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

2013-08-11 Thread Florian Weimer
* Christopher Morrow: On Sun, Aug 11, 2013 at 11:40 AM, Florian Weimer f...@deneb.enyo.de wrote: Apparently, they're implementing DNS proxy by destination-NATting, and because they listen also on the WAN interface, they get the source address wrong. This is quite scary. which part

Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)

2013-05-11 Thread Florian Weimer
* Nick Hilliard: ripe policy 2007-01 will help with this problem by ensuring that anyone who has got PI address space will be traceable and will be paying for it (i.e. it will appear on the holder's payment radar). I don't think there are plans to publish this information in the WHOIS

Re: Cloudflare is down

2013-03-03 Thread Florian Weimer
* Constantine A. Murenin: And how exactly do they expect end-users clearing the DNS cache? Do I call ATT, and ask them to clear their cache? Sure, and also tell them to clear their BGP cache (aka route flap dampening). 8-)

Re: Level3 worldwide emergency upgrade?

2013-02-06 Thread Florian Weimer
* Andrew Sullivan: My impression is mostly that people are left feeling uncomfortable by a massive upgrade of this sort with so little communication about why and so on. That's a side effect of Juniper's notification policy. Perhaps someone should take them at their word (Security

Re: GeekTools Whois Proxy and RIPE/RIPE-NCC

2013-01-01 Thread Florian Weimer
* Job Snijders: In the meantime you could consider setting up an irrd[1], redirect queries to that instance instead of whois.ripe.net, and keep it kind of fresh by feeding it ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz on a daily basis. RIPE NCC strips all contact information from the bulk

Internet-wide port scans

2012-10-15 Thread Florian Weimer
Are there somewhat reputable service providers for Internet-wide TCP port scans? What's the typical rate per TCP port? (I'm interested in rather obscure services whose identification may need additional probing, and this data is unlikely to be on file already.) A full scan needs just 0.5 TB of data

Re: DNS caches that support partitioning ?

2012-10-14 Thread Florian Weimer
* John Levine: Are there DNS caches that allow you to partition the cache for subtrees of DNS names? That is, you can say that all entries from say, in-addr.arpa, are limited to 20% of the cache. You can build something like that using forwarders and most DNS caches. But it won't result in

Re: DNSChanger Prefixes are re-allocated and advertised ...

2012-08-11 Thread Florian Weimer
* Barry Greene: FYI - Two prefixes from the DNS Changer/Rover Digital take down have been re-allocated. One of the prefixes - 85.255.112.0/20 - was advertised Friday morning. There is a blog post with some of the details here: Wow, that was fast. So the police order actually made sense and

Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-28 Thread Florian Weimer
[Dnschanger substitute server operations] One thing is clear, Paul is able to tell a great story. PR for ISC is somewhat limited, it's often attributed to the FBI: | The effort, scheduled to begin this afternoon, is designed to let | those people know that their Internet connections will stop

Re: rpki vs. secure dns?

2012-04-30 Thread Florian Weimer
* Alex Band: All in all, for an RPKI-specific court order to be effective in taking a network offline, the RIR would have to tamper with the registry, inject false data and try to make sure it's not detected so nobody applies a local override. Please keep in mind that this is what's

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Paul Vixie: this seems late, compared to the various commitments made to rpki in recent years. is anybody taking it seriously? The idea as such isn't new, this has been floating around for four years or more, including at least one Internet draft,

Re: Operation Ghost Click

2012-04-28 Thread Florian Weimer
* Jeff Kell: And what about the millions of users unknowingly infected with something else ?? You have to start somewhere. I received a warning letter, and four or five very organizations had to cooperate in new ways to make this happen. This is certainly a welcome development, and

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: I don't know if we can get RPKI to deployment because RIPE and RIPE NCC have rather serious issues with it. On the other hand, there doesn't seem to be anything else which keeps RIRs relevant in the post-scarcity world, so we'll see what happens. Could you elaborate on what

Re: rpki vs. secure dns?

2012-04-28 Thread Florian Weimer
* Alex Band: At RIPE 63, six months ago, the RIPE NCC membership got a chance to vote on RPKI at the general meeting. The result was that the RIPE NCC has the green light to continue offering the Resource Certification service, including all BGP Origin Validation related functionality. But

Re: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-29 Thread Florian Weimer
it? Oh yeah.. Because there's a CPE which acts as a mediator, or the host uses some dial-up-type protocol which takes care of the IGP interaction. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D

Re: 128.0.0.0/16 configured as martians in some routers

2011-12-06 Thread Florian Weimer
in a blackhole, or will the entire announcement be suppressed? I suspect the latter, given what we see and what Chris Adams has reported. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133

Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

2011-11-29 Thread Florian Weimer
smaller networks per cable interfaces of CMTS. As far as I understand the IPv6 address architecture, if the network prefix is longer than /64, you're not running Unicast IPv6. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100

Re: Botnets buying up IPv4 address space

2011-10-08 Thread Florian Weimer
* Christopher Morrow: On Fri, Oct 7, 2011 at 3:10 PM, Arturo Servin arturo.ser...@gmail.com wrote: I agree with Benson. In fact, for this problem I find irrelevant that IPv4 is running out. They are just looking for good reputation IP nodes. isn't this a short-lived problem

Re: Nxdomain redirect revenue

2011-09-26 Thread Florian Weimer
% pool, the click through rates are around 1% Is this with strict NXDOMAIN rewriting, or were existing names redirected as well? (AFAIK, most platforms do the latter, hijacking bfk.de, for example.) -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de

Re: Question on 95th percentile and Over-usage transit pricing

2011-09-23 Thread Florian Weimer
, so it doesn't matter how the quantity that comes out of that is priced. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

Re: Disappointing ARIN - A great advertisement for the USA ?

2011-09-16 Thread Florian Weimer
, whois(1) will print useful information | and not just the useless overview. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174497 -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133

Re: iCloud - Is it going to hurt access providers?

2011-09-04 Thread Florian Weimer
* Wayne E. Bouchard: the users will screw themselves by flooding their uplinks in which case they will know what they've done to themselves and will largely accept the problems for the durration With shared media networks (or insufficient backhaul capacities), congestion affects more than

Re: high performance open source DHCP solution?

2011-07-25 Thread Florian Weimer
* PC: If you're just fighting IOPS, another compromise might be using a ramdisk, and then committing that data to storage every x seconds. In this case, it's more straightforward to remove the fsync call from dhcpd. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH

Re: high performance open source DHCP solution?

2011-07-25 Thread Florian Weimer
on, group commits are not that difficult to implement. With them, you should be able to obtain 8 kHz leases on a single spindle (assuming the per-client data is just a few hundred bytes), without violating the RFC requirement. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH

Re: NDP DoS attack

2011-07-17 Thread Florian Weimer
* Jared Mauch: Solving a local attack is something I consider different in scope than the current draft being discussed in 6man, v6ops, ipv6@ etc... That's not going to happen because it's a layering violation between the IETF and IEEE. It has not been solved during thirty years of IPv4 over

Re: OT: Given what you know now, if you were 21 again...

2011-07-17 Thread Florian Weimer
* Larry Stites: Given what you know now, if you were 21 and just starting into networking / communications industry which areas of study or specialty would you prioritize? Law.

Re: NDP DoS attack

2011-07-17 Thread Florian Weimer
* Mikael Abrahamsson: On Sun, 17 Jul 2011, Florian Weimer wrote: In practice, the IPv4 vs IPv6 difference is that some vendors provide DHCP snooping, private VLANs and unicast flood protection in IPv4 land, which seems to provide a scalable way to build Ethernet networks with address

Re: NDP DoS attack

2011-07-17 Thread Florian Weimer
* Mikael Abrahamsson: On Sun, 17 Jul 2011, Florian Weimer wrote: Others use tunnels, PPPoE or lots of scripting, so certainly something can be done about it. To my knowledge, SAVI SEND is still at a similar stage. Pointers to vendor documentation would be appreciated

Re: NDP DoS attack

2011-07-17 Thread Florian Weimer
* Mikael Abrahamsson: On Sun, 17 Jul 2011, Florian Weimer wrote: Interesting, thanks. It's not the vendors I would expect, and it's not based on SEND (which is not surprising at all and actually a good thing). Personally I think SEND is never going to get any traction. Last time, I

Re: How long is reasonable to fix a routing issue in IPv6?

2011-07-10 Thread Florian Weimer
On Fri, Jul 08, 2011 at 10:21:13PM +0200, Florian Weimer wrote: * Jared Mauch: 2) is a mapped-v4 address a valid *source* address on the wire even if it's not a valid dest? By the way, has the analogous issue involving v4 addresses from RFC 1918 space ever been settled? define valid

Re: How long is reasonable to fix a routing issue in IPv6?

2011-07-08 Thread Florian Weimer
* Jared Mauch: 2) is a mapped-v4 address a valid *source* address on the wire even if it's not a valid dest? By the way, has the analogous issue involving v4 addresses from RFC 1918 space ever been settled?

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Florian Weimer
. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

Re: reporting Swiss Money Report?

2011-05-16 Thread Florian Weimer
channel for reporting these people? Thanks! Ask RIPE NCC, they have the RIPE member who requested the PI space on record. -- Florian Weimer fwei...@bfk.de BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe

Re: trouble with .gov dns?

2011-05-03 Thread Florian Weimer
* David Conrad: On May 2, 2011, at 10:19 PM, Florian Weimer wrote: I would go even further---the DO bit is not about DNSSEC at all. Err, yes it is. I know you think it is, but you're wrong if you look at the overall protocol. If DO were about DNSSEC, a new flag would have been introduced

Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* William Herrin: Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512? You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises a smaller buffer size is non-compliant. BIND will send such queries, but this is a

Re: trouble with .gov dns?

2011-05-02 Thread Florian Weimer
* William Herrin: On Mon, May 2, 2011 at 1:13 PM, Florian Weimer f...@deneb.enyo.de wrote: * William Herrin: Anyone else having trouble with .gov DNS failing with edns-udp-size set to 512? You need a UDP size of at least 1220 for DNSSEC, see RFC 3226, section 3. A query that advertises
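The EDNS details behind this thread and the earlier pay.gov / DNS COOKIE thread (BADVERS from servers that choke on the COOKIE option), as one added example (not code from the threads): build a query carrying an OPT RR with a chosen UDP payload size, the DO bit and an RFC 7873 client cookie, parse a reply to recover the full 12-bit extended RCODE, and check the 1220-byte figure cited above. The query name, transaction ID, cookie bytes and the BADVERS reply are constructed; nothing is sent on the wire.

```python
import struct
from typing import Dict, Optional

# Added example; not from the threads. Wire format per RFC 1035 (message),
# RFC 6891 (EDNS0 OPT RR) and RFC 7873 (COOKIE option, code 10).
TYPE_OPT = 41
OPTION_COOKIE = 10
RCODE_BADVERS = 16       # OPT extended-RCODE 1 with header RCODE 0
DNSSEC_MIN_UDP = 1220    # RFC 3226 section 3, the figure cited in the thread


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name in a received message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_opt_rr(udp_size: int, do: bool, client_cookie: Optional[bytes] = None) -> bytes:
    """OPT pseudo-RR: NAME='.', TYPE=41, CLASS=UDP payload size,
    TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDATA = options."""
    rdata = b""
    if client_cookie is not None:
        if len(client_cookie) != 8:
            raise ValueError("client cookie must be exactly 8 bytes")
        rdata += struct.pack("!HH", OPTION_COOKIE, len(client_cookie)) + client_cookie
    ttl = 0x8000 if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata


def build_query(qname: str, qtype: int = 1, udp_size: int = 4096, do: bool = True,
                client_cookie: Optional[bytes] = None, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + build_opt_rr(udp_size, do, client_cookie)


def _parse_options(rdata: bytes) -> Dict[int, bytes]:
    opts, off = {}, 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        opts[code] = rdata[off + 4:off + 4 + length]
        off += 4 + length
    return opts


def parse_message(msg: bytes) -> Dict:
    """Header RCODE plus, when an OPT RR is present, the 12-bit extended RCODE,
    advertised UDP size, DO bit and options. Works on queries and replies."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"txid": txid, "rcode": flags & 0x000F, "edns": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, version=(ttl >> 16) & 0xFF,
                        do=bool(ttl & 0x8000), options=_parse_options(rdata),
                        rcode=((ttl >> 24) << 4) | (flags & 0x000F))
    return info


def dnssec_udp_size_ok(udp_size: int, do: bool) -> bool:
    """A DO=1 query advertising less than 1220 bytes is the non-compliant case
    discussed above."""
    return (not do) or udp_size >= DNSSEC_MIN_UDP


def badvers_response_for(query: bytes) -> bytes:
    """Constructed reply from a server that rejects the OPT it was sent: header
    RCODE 0 plus OPT extended-RCODE 1, which together read as BADVERS (16)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 1)  # QR=1, RD=1, RA=1
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 512, 1 << 24, 0)
    return header + question + opt
```

The thing to notice in parse_message is that the header alone reads a BADVERS reply as RCODE 0 (NOERROR): the upper eight bits live in the OPT TTL, so a parser that stops at the header will mistake the rejection for an empty, successful answer, which is one reason such breakage goes unnoticed until a validating resolver starts sending cookies.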
