Re: fuzzy subnet aggregation

n't that much unless you're suffering from hardware routing table limitations.  In my world the cost of a false positive match would far outweigh the cost of upgrading hardware.  YMMV. Do you have a git repo? On Sun, Oct 27, 2019 at 9:58 PM Joe Maimon <mailto:jmai...@jmaimon.com

Re: fuzzy subnet aggregation

is welcome to it. Joe Joe Maimon wrote: Does anyone have or seen any such tool? I have a script that seems to work, but its terribly slow. Currently I can produce aggregated subnets that can be mising up to a specified number of individual addresses. Which can be fed back in for multiple passes

Re: fuzzy subnet aggregation

> On Sun, Oct 27, 2019 at 3:09 PM Joe Maimon wrote: >> > > your aim is to get to maximum aggregation .. with some overage, like > 90% of a /24 ? > so missing like 25 addresses in a whole /24.. (for instance) I would be happy to get /29's missing 3 /28's missing

Re: fuzzy subnet aggregation

2.0/24 > 203.0.113.0/32 > 203.0.113.2/31 > 203.0.113.4/30 > 203.0.113.8/29 > 203.0.113.16/28 > 203.0.113.32/27 > 203.0.113.64/26 > 203.0.113.128/25 > 203.0.114.0/23 > 203.0.116.0/22 > 203.0.120.0/21 > 203.0.128.0/17 > 203.1.0.0/16 > 203.2.0.0/15 > 203.4.0.0/14

fuzzy subnet aggregation

Does anyone have or seen any such tool? I have a script that seems to work, but its terribly slow. Currently I can produce aggregated subnets that can be mising up to a specified number of individual addresses. Which can be fed back in for multiple passes. Doing RTBH on individual /32 does not sc

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

Ethan O'Toole wrote: If it’s in an interduct by itself, how much would the square footage per month occupied by the average cross connect be worth? These big datacenter companies are REITs. Similar to self-storage units and apartment buildings, they exist to extract as much money as possib

Re: automatic rtbh trigger using flow data

Michel Py wrote: Aaron Gould wrote : Hi, does anyone know how to use flow data to trigger a rtbh (remotely triggered blackhole) route using bgp ? ...I'm thinking we could use quagga or a script of some sort to interact with a router to advertise to bgp the /32 host route of the victim under

improving signal to noise ratio from centralized network syslogs

Hey All, Centralized logging is a good thing. However, what happens is that every repetitive, annoying but not (usually) important thing fills up the log with reams of what you are not looking for. Networks are a noisy place and silencing every logged condition is impractical and sometimes u

Re: Waste will kill ipv6 too

Owen DeLong wrote: 200 might be optimistic, agreed. I think 100 is pretty well assured absent something much more profligate than current policies. Profligacy based on the assumption of exhaustion impossibility needs to be avoided. Agreed. we've run a number conversion / renumbering on

Re: Waste will kill ipv6 too

valdis.kletni...@vt.edu wrote: On Wed, 20 Dec 2017 18:15:44 -0500, Joe Maimon said: There is plenty more to wonder about, for example, will the rest of the unicast space get Class E'd? That's a non-starter, as pretty much all the gear out there has code that says 'Clas

Re: Waste will kill ipv6 too

William Herrin wrote: It's not a problem, exactly, but it cuts the gain vs. IPv4 from ~29 orders of magnitude to just 9 orders of magnitude. Your link which needed at most 2 bits of IPv4 address space now consumes 64 bits of IPv6 address space. Then we do /48s from which the /64s are assigned

Re: Handling of Abuse Complaints

There is a distance to travel between cant and cant effectively. Perhaps they can share how they ever so effectively have solved this conundrum. After all, they are apparently not getting any abuse reports ever. As an operator of several open resolvers (with rate limiting and automatic mitigat

Re: nxdomain rfc2308 type 2, but authority is incorrect

Tony Finch wrote: Joe Maimon wrote: www.kissimmee.org Windows appears to believe the rfc2308 type 2 response, RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doens't

Re: nxdomain rfc2308 type 2, but authority is incorrect

Mark Andrews wrote: Nameresovle.com's servers are returning answers that can be seen as a cache poisioning attempt. They are NOT authorative for ".hosting" but have been configured as if they are. This is a big NO NO. You don't configure youself as authoritative for a zone that has not bee

Re: nxdomain rfc2308 type 2, but authority is incorrect

William Herrin wrote: On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: www.kissimmee.org Windows 2008 dns cannot resolve it. BIND can. Hi Joe, Does Windows 2008 like anything in the "hosting" TLD? I notice that the nameresolve.com servers returning the CNAME to

nxdomain rfc2308 type 2, but authority is incorrect

www.kissimmee.org Windows 2008 dns cannot resolve it. BIND can. Windows appears to believe the rfc2308 type 2 response, even though recursing the CNAME results in a different authority, ns, and A response, which I assuming is why BIND returns the answer. I must be missing a switch somewhere

google routing noc/looking glass/contact

I would appreciate it if anyone could put me in touch or send me any tips to deal with packet loss and problems routing to google, but only along certain paths from certain points in the network (like as in ecmp problems) from as21719 I would like to rule out local issues if possible and that

Re: remote serial console (IP to Serial)

You can use a 2600 or 2800 with the 16 port serial module. Stephen Satchell wrote: On 03/08/2016 07:30 AM, greg whynott wrote: I'd like to purchase a IP to Serial port device I can use for each location in the event I lock myself out. The requirement would be an Ethernet port, a serial por

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

Mark Tinka wrote: You may want to signal failure more quickly than BGP's own timers can handle. I dont want to churn a full table any quicker then BGP timers. And if you choose to run that ebgp loopback multihop on the same router, you can track routes and interfaces in realtime, to th

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

Mark Tinka wrote: On 25/Jan/16 20:13, Joe Maimon wrote: Maybe not for some people, but I have a hard time understanding why one extra ebgp session is such a novel concept for all you networking folk. It's not that novel - I share my view of the Internet with various ind

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

Mark Tinka wrote: On 25/Jan/16 12:15, Joe Maimon wrote: No static routes, dedicated BGP routed loopbacks on each side from an allocated /31, strict definitions on which routes belong to which session. Its gone about very properly. And all of this is simpler than having a native BGP

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

Mark Tinka wrote: On 22/Jan/16 22:28, Joe Maimon wrote: I like that setup. And it never struck me as crazy. In fact, their implementation avoids all multihop setup shortcuts and is quite purist from a routing standpoint. First time I've heard that... Mark. No static r

Re: The IPv6 Travesty that is Cogent's refusal to peer Hurricane Electric - and how to solve it

Owen DeLong wrote: Crazy multihop BGP setups I like that setup. And it never struck me as crazy. In fact, their implementation avoids all multihop setup shortcuts and is quite purist from a routing standpoint. The multihop approach gives you the option of where to slice and dice yo

ridiculous problems getting an ATT circuit port mode changed

Apparently there is still raison d'etre for everyone not a giant telco. We placed the circuit with tagging expected for the service vlan. We got it delivered without. We requested it be changed. Apparently that takes a change order, which when it is finally filed, takes 7-10BD to complete.

Traceroute troubleshooting

So we all know that its much more difficult to diagnose using that tool than just reading its output more often than not. Whats usually more important is correlation, over time and at any specific time. While tools such as mtr provide over time viewpoints, what can be run, user style, that w

Re: Dual stack IPv6 for IPv4 depletion

Owen DeLong wrote: On Jul 16, 2015, at 15:29 , Joe Maimon wrote: All I am advocating is that if ever another draft standard comes along to enable people to try and make something of it, lead follow or get out of the way. Sometimes good leadership is knowing when to say “not just no

Re: Dual stack IPv6 for IPv4 depletion

Baldur Norddahl wrote: On 17 July 2015 at 00:29, Joe Maimon wrote: All I am advocating is that if ever another draft standard comes along to enable people to try and make something of it, lead follow or get out of the way. If I understand correctly you want someone (not you) to write a

Re: Dual stack IPv6 for IPv4 depletion

Lee Howard wrote: > > > On 7/16/15, 4:32 PM, "Joe Maimon" wrote: > >> >> >> Lee Howard wrote: >>> >>> So, you would like to update RFC 1112, which defines and reserves Class >>> E? >>> That¹s easy enough. If

Re: Dual stack IPv6 for IPv4 depletion

John Levine wrote: Just as nobody is preventing you from going ipv6 only right now, I advocate against hindering anybody going ipv4 only for as long as they want/can. But you're asking other people to spend their own time and money to change their equipment to handle class E. For reasons

Re: Dual stack IPv6 for IPv4 depletion

Lee Howard wrote: I don¹t see anybody hindering any efforts; I don¹t see any efforts. There were efforts in the past. I am highlighting our malfeasance as a community in our past behavior. I have little hope of it changing in the future, but I can vent about it every couple years or so.

Re: Dual stack IPv6 for IPv4 depletion

Jacques Latour wrote: Hi, Dual stack is where we need to go 'now', but we need to think about the future where we run an IPv6 only stack and stop thinking how to leverage, extend, expand and create ugly IPv4 solutions. IPv4 is done; it served its purpose well, thank you. We need a date wher

Re: Dual stack IPv6 for IPv4 depletion

Doug Barton wrote: Joe, In this post, and in your many other posts today, you seem to be asserting that this would work if "$THEY" would just get out of the way, and let it work. You've also said explicitly that you believe that this is an example of top-down dictates. I know you may find th

Re: Dual stack IPv6 for IPv4 depletion

Jared Mauch wrote: This isn’t really a giant set of naysayers IMHO, but there is enough embedded logic in devices that it doesn’t make that much sense. Enough to scuttle all previous drafts. linux a little google comes up with this http://www.gossamer-threads.com/lists/linux/kernel/86

Re: Dual stack IPv6 for IPv4 depletion

Owen DeLong wrote: On Jul 15, 2015, at 10:24 , Joe Maimon wrote: I suspect a 16 /8 right about now would be very welcome for everybody other then the ipv6 adherents. But it wouldn’t be right now. It would be after everyone put lots of effort into updating lots of systems so that they

Re: Dual stack IPv6 for IPv4 depletion

John Levine wrote: I suspect a 16 /8 right about now would be very welcome for everybody other then the ipv6 adherents. It would, if the software supported it. But it doesn't. Is there any reason to think the world would update its TCP stacks to handle those extra IPv4 addresses any sooner t

Re: Dual stack IPv6 for IPv4 depletion

Doug Barton wrote: On 7/15/15 10:24 AM, Joe Maimon wrote: I suspect a 16 /8 right about now would be very welcome for everybody other then the ipv6 adherents. Globally we were burning through about a /8 every month or two in "the good old days." So in the best case scenario we

Re: Dual stack IPv6 for IPv4 depletion

Ricky Beam wrote: On Wed, 15 Jul 2015 15:20:08 -0400, Owen DeLong wrote: That's the big difference - IPv6 has been designed to provide abundant address space. There is no amount of fixed address space that can't be consumed with stupid allocation policies. True. However, are you making th

Re: Dual stack IPv6 for IPv4 depletion

joel jaeggli wrote: On 7/15/15 10:24 AM, Joe Maimon wrote: The jury is still out on class E, but the verdict is in for the community who created it. joel@ubuntu:~$ uname -a Linux ubuntu 3.8.0-44-generic #66~precise1-Ubuntu SMP Tue Jul 15 04:01:04 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Re: Dual stack IPv6 for IPv4 depletion

Mark Andrews wrote: In message We don't use Class E because were using up IPv4 space too quickly to make it worthwhile to make it work cleanly for everyone. That is a self fulfilling prophecy. I suspect a 16 /8 right about now would be very welcome for everybody other then the ipv6 adhe

Re: Dual stack IPv6 for IPv4 depletion

Owen DeLong wrote: JimBob’s ISP can apply to ARIN for a /16 Like I said, very possibly not a good thing for the address space.

Re: Dual stack IPv6 for IPv4 depletion

There has been tomes on this topic. There will continue to be many more. That is because many of you continue in trying to defend the following concept. customer subnet bits == isp customers bits So now, the ISP is supposed to put some effort and gain more bits. Why not the customer? Its

Re: random dns queries with random sources

Beeman, Davis wrote: rather the authoritative name server in these domains is the rouge DNS server in use by the bad actor running a botnet. Davis Beeman Network Security Engineer Somebody must be registering these domain names. And I should be able to compile a list of the auth servers

Re: random dns queries with random sources

Dobbins, Roland wrote: On Feb 19, 2014, at 1:07 PM, Joe Maimon wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve. Whatever I am doing appears to

Re: random dns queries with random sources

Owen DeLong wrote: On Feb 18, 2014, at 9:48 PM, Joe Maimon wrote: This assumes several facts not in evidence: 1. It is an attack. 2. It is deliberate 3. There is a target 4. It is more effective than others On what do you base those assumptions? To me this looks to

Re: random dns queries with random sources

Dobbins, Roland wrote: On Feb 19, 2014, at 12:48 PM, Joe Maimon wrote: What I cant figure out is what is the target and how this attack method is any more effective then the others. The target appears to be the authoritative servers for the domain in question, yes? I dont think so

Re: random dns queries with random sources

Dobbins, Roland wrote: On Feb 19, 2014, at 12:44 PM, Joe Maimon wrote: Get back to me when the same cant be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. There are ways to deal with it on resolvers as well, like RRL and IDS and iptables

Re: random dns queries with random sources

George Herbert wrote: Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... It seems to me that the same|similar

Re: random dns queries with random sources

Doug Barton wrote: On 02/18/2014 07:59 PM, Joe Maimon wrote: Are you running open resolvers? Yes If so, please stop doing that, No it's widely known to be a bad idea for over a decade now, At this point, doing anything on the internet is a bad idea. and you are providin

Re: random dns queries with random sources

Dobbins, Roland wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? On anything that is going to stay open, not even close.

Re: random dns queries with random sources

Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousand of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug Thousands of queries _from_ thousands

Re: random dns queries with random sources

Mark Andrews wrote: What is the purpose of this? Indirect attack on the 5kkx.com servers? 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5) I have seen dozens of different second level parts. How is this any more effective then s

random dns queries with random sources

Hey all, DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this. At different times during the previous days and on different resolvers, routers with proxy turned on, etc... Thousand of queries with thousands of

Re: will ISP peer with 2 local WAN routers?

Adam Greene wrote: Hi guys, I have a customer who peers via eBGP with Lightpath aka Cablevision (AS 6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy. I am not optimistic for your odds in having 6128 do anything other than /30 for you. (Though even then you st

Re: Cogent multi-hop BGP

Tim Durack wrote: I was under the impression Cogent no longer did the multi-hop BGP thing, but then I got a copy of their NA user guide, and saw the peer-a/peer-b configuration. Not a fan. Anyone know if this is still required for Cogent IP transit service? (on/off list is fine.) A/B multih

Re: Looking for success stories in Qwest/Centurylink land

Constantine A. Murenin wrote: On 28 January 2013 13:57, david peahi wrote: http://www.nbn.gov.au/2012/12/03/did-you-know-that-our-copper-network-is-being-switched-off/ Do they have any customers object? I recall a few recent stories about Verizon having problems after Sandy with NYC cust

Re: Looking for success stories in Qwest/Centurylink land

. The first nationwide 4G network. Original message From: Brent Jones Date: 01/28/2013 10:07 AM (GMT-08:00) To: Joe Maimon Cc: North American Networking and Offtopic Gripes List Subject: Re: Looking for success stories in Qwest/Centurylink land s/CenturyLink/ATT and I'v

Re: IPV6 in enterprise best practices/white papaers

Eugeniu Patrascu wrote: On Sat, Jan 26, 2013 at 11:26 AM, Pavel Dimow wrote: As being personally involved deploying IPv6 on an enterprise network, here's how I did it (keeping in mind the fact that we have our own ASN): I suggest this be step 0 - get a /48 PI from the local LIR And t

Looking for success stories in Qwest/Centurylink land

Anybody have some happy success stories to share about service in Qwest service area post Centurylink acquisition? Unfortunately the ones I have contain more humor than success. Story #1 Ethernet/Fiber service near Tampa ordered via partner, misordered as MPLS, re-ordered as vpls. Delivered

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Lee Howard wrote: If an ISP is so close to running out of addresses that they need CGN, let's say they have 1 year of addresses remaining. Given how many ports apps use, recommendations are running to 10:1 user:address (but I could well imagine that increasing to 50:1). That means that for e

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Lee Howard wrote: You are welcome to deploy it if you choose to. Part of the reason I'm arguing against it is that if everyone deploys it, then everyone has to deploy it. If it is seen as an alternative to IPv6 by some, then others' deployment of IPv6 is made less useful: network effect. Als

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Owen DeLong wrote: Clearly we have run out of trickery as multiple layers of NAT stumps even the finest of our tricksters. Yes, we can dedicate thousands more developer hours to making yet more extensions to code to work around yet more NAT and maybe make it sort of kind of work almost a

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

Owen DeLong wrote: And this is where you run off the rails… You are assuming that NAT today and CGN provide similar functionality from an end-user perspective. To the extent that CGN functions like the clueless linksys daisy-chain, then yes it does. The reality is that they do not. CGN is

Re: Issues with level3?

valdis.kletni...@vt.edu wrote: On Tue, 15 Jan 2013 14:52:24 -0500, Joe Maimon said: I only ever say class-c sized. And only when trying to communicate with the slash-whats. Your mistake there is trying to communicate with people who have been in networking long enough to understand "

Re: Issues with level3?

joel jaeggli wrote: On 1/15/13 9:31 AM, Bruce H McIntosh wrote: On Tue, 2013-01-15 at 17:23 +, Warren Bailey wrote: I still call a /24 a class c too.. :/ lol More efficient that way - "class c" uses fewer syllables than "slash twenty four" :-) You realize that class-c address space was

Verizon ISP ATM ports

Hey All, Its that time of the year again, and I am looking for verizon ATM/DSL wholesale DSL ports for NY/NJ latas. Off-list replies are welcome. Thanks, Joe

Re: Big day for IPv6 - 1% native penetration

Owen DeLong wrote: less than 60% of the internet will still be IPv4 at that time. Do you mean "IPv4" or "IPv4 Only"? Because unless the remaining percentage of IPv4 is noticeably less usable, it will still not incur any user demand, and IPv6 is still a cost mitigation strategy, and unl

Re: Big day for IPv6 - 1% native penetration

Arturo Servin wrote: It won't. Users do not care about IPv6 or IPv4. They want a fast and reliable Internet connection. Which likely decreases the network effect. Joe

Re: Big day for IPv6 - 1% native penetration

Tony Hain wrote: Tomas Podermanski wrote: Hi, It seems that today is a "big day" for IPv6. It is the very first time when native IPv6 on google statistics (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some might say it is tremendous success after 16 years of deployi

Re: IP tunnel MTU

bmann...@vacation.karoshi.com wrote: you mean its safe to turn off the VPNs? /bill Quite the reverse. Joe so its tunnels all the way down... maybe we should just go back to a circuit oriented network, eh? /bill Its not safe to turn on VPNs. Joe

Re: IP tunnel MTU

Jared Mauch wrote: ICMP is just not the way it is ever going to work. I wish you luck in getting your host IP stacks to work properly without ICMP, especially as you deploy IPv6. - Jared Precisely the state we are in. Looking for luck. Joe

Re: IP tunnel MTU

bmann...@vacation.karoshi.com wrote: On Mon, Oct 29, 2012 at 03:46:57PM -0400, Joe Maimon wrote: Templin, Fred L wrote: Yes; I was aware of this. But, what I want to get to is setting the tunnel MTU to infinity. Essentially, its time the network matured to the point where inter

Re: IP tunnel MTU

Jared Mauch wrote: On Oct 29, 2012, at 3:46 PM, Joe Maimon wrote: Templin, Fred L wrote: Yes; I was aware of this. But, what I want to get to is setting the tunnel MTU to infinity. Essentially, its time the network matured to the point where inter-networking actually works (again

Re: IP tunnel MTU

Templin, Fred L wrote: Yes; I was aware of this. But, what I want to get to is setting the tunnel MTU to infinity. Essentially, its time the network matured to the point where inter-networking actually works (again), seamlessly. I agree. Joe

Re: RFC becomes Visio

Justin M. Streiner wrote: On Fri, 28 Sep 2012, Joe Maimon wrote: Just got told by a Lightpath person that in order to do BGP on a customer gig circuit to them they would need a visio diagram (of what I dont know). Has anybody else seen this brain damage? I can understand wanting to

RFC becomes Visio

Just got told by a Lightpath person that in order to do BGP on a customer gig circuit to them they would need a visio diagram (of what I dont know). Has anybody else seen this brain damage? Joe

Re: The Department of Work and Pensions, UK has an entire /8

TJ wrote: Let us spin this another way. If you cannot even expect mild change such as 240/4 to become prevalent enough to be useful, on what do you base your optimism that the much larger changes IPv6 requires will? Joe Easy - Greater return on the investment; i.e. - instead of getting an I

Re: The Department of Work and Pensions, UK has an entire /8

George Herbert wrote: We could have started it at a more opportune time in the past. We could also have done other things like a straight IPv4-48 or IPv4-64, without the other protocol suite foo that's delayed IPv6 rollout. Operators could have either used larger baseball bats or more par

Re: The Department of Work and Pensions, UK has an entire /8

Leo Vegoda wrote: There was even a dedicated mailing list. But the drafts never made it beyond drafts, which suggests there was not a consensus in favour of an extra 18 months of IPv4 space with dubious utility value because of issues with deploy-and-forget equipment out in the wild. The

Re: The Department of Work and Pensions, UK has an entire /8

valdis.kletni...@vt.edu wrote: On Wed, 19 Sep 2012 18:36:08 -0400, Joe Maimon said: So 6-8 years to try and rehabilitate 240/4 was not even enough to try? 6 years of work What I said is that they knew they would have had at least 6 years or _more_ to rehabilitate it, had they made a

Re: The Department of Work and Pensions, UK has an entire /8

Doug Barton wrote: We were already looking at the IPv4 runout problems when I was at IANA in 2004. We already knew (in large part thanks to folks like Tony Hain and Geoff Huston) that we'd run out in the 2010-2012 time frame, and a lot of us pushed a lot of rocks up a lot of hills to get our

Re: Cisco 7200 PCI Limitations

shthead wrote: Hi all, I have a 7200 series router (7204) here and I am trying to figure out something with it. Currently the router has a NPE-G1 card in it, giving it 3 gig interfaces but I need an extra gig interface on it to make 4. Having a look around the available options are either get

Re: [c-nsp] automatic bgp route refresh

Joe Maimon wrote: Hey All, I would greatly appreciate it if somebody would point me to the release notes for the change I see in 15.1 where BGP neighbor route-map configurations happen in real time, without needing any clearing, soft or otherwise. Much obliged. Best, Joe So I opened the

Re: LinkedIn password database compromised

David Walker wrote: Self signed certificates does sound great and for most purposes, certainly in this case, fulfills all the requirements. There's no need to verify anything about me is correct other than to tie my authentication to my account. If I fail to meet the TOS then the plug is easil

Re: Dear Linkedin,

Michael Thomas wrote: Linkedin has a blog post that ends with this sage advice: * Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months. I have accounts at probably 100's of sites. Am I to understand that I am supposed to remembe

Re: Open DNS Resolver reflection attack Mitigation

Stephane Bortzmeyer wrote: On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon wrote a message of 7 lines which said: Is there any publicly available rate limiting for BIND? Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough. I really hop

Re: Open DNS Resolver reflection attack Mitigation

Dobbins, Roland wrote: On Jun 9, 2012, at 2:09 AM, Joe Maimon wrote: Google and Level3 manage to run open resolvers, why cant I? Because they have probably have opsec resources you don't. If you can't defend it/keep it from being abused, don't do it. ;> I think

Open DNS Resolver reflection attack Mitigation

Is there any publicly available rate limiting for BIND? How about host-based IDS that can be used to trigger rtbh or iptables? Google and Level3 manage to run open resolvers, why cant I? Joe

Re: IPv6 day and tunnels

Owen DeLong wrote: Really, no. The L3 MTU on an interface should be configured to the lowest MTU reachable via that link without crossing a router. It's just that simple. Anything else _IS_ a misconfiguration. Perhaps this should be thought of as a limitation, rather then a feature. Joe

Re: IPv6 day and tunnels

Owen DeLong wrote: > Given the combination of Moore's law and the deployment > lifecycle, designs we do today in this regard can be expected > to last ~12 years or more, so they should be prepared for > at least 16x. At 1,600 Gbps, that puts our target maximum > MTU up around 200M octets. > I

Re: IPv6 day and tunnels

Owen DeLong wrote: But that's a whole lot more packets than working PMTU-D to get there and you're also waiting for all those round trips, not just the 4 timeouts. The round trips add up if you're dealing with a 100ms+ RTT. 22 RTTs at 100ms is 2.2 seconds. That's a long time to go without fi

Re: IPv6 day and tunnels

Jeroen Massar wrote: That indeed matches most of the corporate world quite well. That they are heavily misinformed does not make it the correct answer though. Either you are correct and they are all wrong, or they have a perspective that you dont or wont see. Either way I dont see them

Re: IPv6 day and tunnels

Owen DeLong wrote: Fail. What, exactly are you saying is a failure? The single word here even in context is very ambiguous. The failure is that even now, when tunnels are critical to transition, a proper solution that improves on the IPv4 problems does not exist And if tunnels do be

Re: IPv6 day and tunnels

Jeroen Massar wrote: If people want to use a tunnel for the purpose of a VPN, then they will, be that IPv4 or IPv6 or both inside that tunnel. Instead of having a custom VPN protocol one can do IPSEC properly now as there is no NAT that one has to get around. Microsoft's Direct Access do

Re: IPv6 day and tunnels

Jeroen Massar wrote: Tunnels therefor only should exist at the edge where native IPv6 cannot be made possible without significant investments in hardware and or other resources. Of course every tunnel should at one point in time be replaced by native where possible, thus hopefully the folks p

Re: IPv6 day and tunnels

Owen DeLong wrote: There should be no such thing as packet fragmentation in the current protocol. What is needed is for people to simply configure things correctly and allow PTB messages to pass as designed. Owen You are absolutely correct. Are you talking about IPv4 or IPv6? Joe

Re: IPv6 day and tunnels

Cameron Byrne wrote: #1 don't tunnel unless you really need to. Tunnels are ipv4 only now? #2 see #1 #3 use happy eyeballs, http://tools.ietf.org/html/rfc6555, Chrome has a good implementation, but this does not solve MTU issues. Because the initial connections are made just fine.

Re: IPv6 day and tunnels

Joe Maimon wrote: Looks like a tunnel mtu issue. I have not as of yet traced the definitive culprit, who is (not) sending ICMP too big, who is (not) receiving them, etc. The culprit is the v6 tunnel, which wanders into v4 ipsec/gre tunnels, which means the best fix is ipv6 mtu 1280 on the

IPv6 day and tunnels

Well, IPv6 day isnt here yet, and my first casualty is the browser on the wife's machine, firefox now configured to not query . Now www.facebook.com loads again. Looks like a tunnel mtu issue. I have not as of yet traced the definitive culprit, who is (not) sending ICMP too big, who is (no

Re: Cogent for ISP bandwidth

Michael J McCafferty wrote: Jason, I agree with John. You can't use them as your only provider, but you wouldn't do that with *any* provider. I will add that they answer the phone quickly, and the person who answers usually has a clue, has access to the routers, and can be helpful. It's one of

Re: Squeezing IPs out of ARIN

Owen DeLong wrote: RWHOIS is a perfectly valid alternative to SWIP. Owen I actually got RWHOIS working a while back. But then faced with the prospect of loading it up, I decided that ARIN templates were actually easier to use. And with their restful interface, even more so. Unless

<    1   2   3   >