that.
That way, we get DHCPv6 vs. SLAAC selection when a host connects to
the network without having to manually configure, and we get IPv4
DHCP-like behaviour.
--
Nathan Ward
On 19/02/2009, at 10:07 AM, Leo Bicknell wrote:
In a message written on Thu, Feb 19, 2009 at 10:00:48AM +1300,
Nathan Ward wrote:
The point I am making is that the solution is still the same -
filtering in ethernet devices.
No.
I agree that in some environments DHCPv4/DHCPv6/RA filtering
boxes.
...or, until we have another way of getting resolvers that has
widespread adoption..
--
Nathan Ward
this differently.
--
Nathan Ward
IPv4 servers. NAT-PT allowed for the opposite direction, IPv4
clients connecting to IPv6 servers - NAT64 does not.
The server must have an A record in DNS, and the client must use that
name to connect to - just like NAT-PT.
--
Nathan Ward
for
the edge.
--
Nathan Ward
/16, but I could be wrong.
--
Nathan Ward
[1] Yes I know that this is not allowed under current policy at any RIR.
in
to Iljitsch's mouth.
--
Nathan Ward
/fix SLAAC
because you have a problem with it then again, I encourage you to get
involved in the IETF.
--
Nathan Ward
their external IPv4 address changes.
--
Nathan Ward
customer is
listening to RA messages. The problem may very well exist right now.
--
Nathan Ward
~1million entries because our hardware-based
routers might run out of TCAM and bring the whole network to a
screeching halt.
Or more than 256k routes on a SUP2, or 192k/239K routes on a SUP720.
We are at 285798 as of last CIDR report.
So, I guess you should be worried.. now :-)
--
Nathan
only requires touching the router sending the RA
messages.
--
Nathan Ward
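The two fragments above (DHCPv6 vs. SLAAC selection "without having to manually configure", and the fix that "only requires touching the router sending the RA messages") both come down to the M and O flag bits in the Router Advertisement and the A bit in its Prefix Information option. The decoder below is an added example, not code from the thread or from any vendor; it builds a constructed RA in build_ra(), parses it the way RFC 4861 lays out the header and options, and maps the flags to the host behaviour the router operator is selecting. The checksum is left at zero and nothing touches the wire.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861) and report how a host
would configure itself from it: SLAAC, stateful DHCPv6, both, or DHCPv6
for "other" information only.

Added example, not from the original thread. The RA bytes are constructed
in build_ra() for the demo; nothing is sent on the wire, and the checksum
field is left at zero because it is not what this example is about.
"""
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

RA_FLAG_MANAGED = 0x80      # M: get addresses via stateful DHCPv6
RA_FLAG_OTHER = 0x40        # O: get other config (e.g. resolvers) via DHCPv6
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: prefix may be used for SLAAC

RA_HDR = "!BBHBBHII"   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PIO_HDR = "!BBBBIII"   # type, len, prefix len, flags, valid, preferred, reserved


def build_ra(managed, other, prefix, autonomous, router_lifetime=1800):
    """Constructed input: an RA carrying one Prefix Information option."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    hdr = struct.pack(RA_HDR, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    net = IPv6Network(prefix)
    pio_flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack(PIO_HDR, OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                      pio_flags, 2592000, 604800, 0) + net.network_address.packed
    return hdr + pio


def parse_ra(data):
    """Return (M, O, [(prefix, A flag), ...]); raise ValueError on malformed input."""
    if len(data) < 16:
        raise ValueError("RA shorter than its fixed header")
    typ, code, _csum, _hop, flags, _lt, _reach, _retrans = struct.unpack(RA_HDR, data[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1] * 8
        if olen == 0:
            raise ValueError("option length 0")          # RFC 4861 4.6: must discard
        if off + olen > len(data):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen, pflags = data[off + 2], data[off + 3]
            addr = IPv6Address(data[off + 16:off + 32])
            prefixes.append((IPv6Network((addr, plen), strict=False),
                             bool(pflags & PIO_FLAG_AUTONOMOUS)))
        off += olen  # unknown options are skipped by length, as the RFC requires
    return bool(flags & RA_FLAG_MANAGED), bool(flags & RA_FLAG_OTHER), prefixes


def host_decision(data):
    """Map the flags to the behaviour the router operator is selecting."""
    managed, other, prefixes = parse_ra(data)
    slaac = any(auto for _, auto in prefixes)
    if managed:
        return "dhcpv6+slaac" if slaac else "dhcpv6"
    if slaac:
        return "slaac+dhcpv6-other" if other else "slaac"
    return "dhcpv6-other" if other else "none"


if __name__ == "__main__":
    ra = build_ra(managed=False, other=True, prefix="2001:db8:1::/64", autonomous=True)
    print(host_decision(ra))   # slaac+dhcpv6-other
```

The useful part for an operator is that every one of these outcomes is chosen on the router: clearing A on the prefix and setting M moves the segment to DHCPv6-only without touching a single host, which is exactly why the RA sender is the right place to fix SLAAC behaviour. Note that the parser rejects a zero-length or overrunning option rather than guessing, since a malformed RA is also what a rogue-RA attack looks like on the wire.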
will run out of food.
--
Nathan Ward
differently for multiple hosts on a single
broadcast domain? There are some people that do that, but as Randy
would say, it is something that I would encourage my competitors to do.
--
Nathan Ward
is waiting for hosts to do a DHCPv6 query to get a new
address. That is sub-optimal.
--
Nathan Ward
to the 69,000 other NANOG posts on the topic.
--
Nathan Ward
to each customer - if they need
more they ask for it automatically.
--
Nathan Ward
a trade off between 65k ISP server networks, and 65k link nets.
Let's say 32k for each.
--
Nathan Ward
I am told that Juniper have just released their E series code to do
hitless failover and IPv6CP at the same time.
If you are not running hitless it has been working for some time.
Apologies if this message is brief, it is sent from my cellphone.
On 5/02/2009, at 17:29, Matthew Moyle-Croft
Apologies if this message is brief, it is sent from my cellphone.
Begin forwarded message:
From: Nathan Ward
On 5/02/2009, at 16:58, Chris Adams cmad...@hiwaay.net wrote:
Since NAT == stateful firewall with packet mangling, it would be much
easier to drop the packet mangling and just use
recursive DNS server addresses that the DHCPv6 server
hands out.
If they are so inclined, they might even re-number dynamically if they
get their prefix using PD.
--
Nathan Ward
advertise v4 prefixes in v6 sessions, keep them separate.
If you do, you have to do set next-hops with route maps and things,
it's kind of nasty.
Better to just run a v4 BGP mesh and a v6 BGP mesh.
--
Nathan Ward
On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:
Nathan Ward wrote:
On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
- Currently, (as I write), I'm migrating my entire core from IPv4 to
IPv6. I've got the space, and I love to learn, so I'm just lab-ing
it up
now to see how things will flow
, but I've often used this one as being pretty good.
(whois -h whois.radb.net AS3356)
--
Nathan Ward
could find themselves
facing random black holes.
People are filtering /24s without a 0/0 route?
--
Nathan Ward
On 23/12/2008, at 2:39 PM, Joe Provo wrote:
On Tue, Dec 23, 2008 at 02:34:39PM +1300, Nathan Ward wrote:
[snip]
Let me rephrase; Are there people who are filtering /24s received
from
eBGP peers who do not have a default route?
of course.
Curiously, it was really meant as a rhetorical
+!
--
Nathan Ward
with it.
--
Nathan Ward
[1] I only tried with FreeBSD, I'm told OpenBSD is similar.
. If anyone knows of some software that works well for this
I would appreciate letting me know.
iPerf.
--
Nathan Ward
IN A 68.142.254.15
yf2.yahoo.com. 1800 IN A 68.180.130.15
;; Query time: 15 msec
;; SERVER: 68.180.131.16#53(68.180.131.16)
;; WHEN: Wed Dec 3 15:35:07 2008
;; MSG SIZE rcvd: 105
--
Nathan Ward
/malik_tcpdump_filters.html
You might also consider using netflow instead of tcpdump, there are
lots of tools available for processing netflow data in ways that are
useful to network operators.
--
Nathan Ward
, however when that non-RFC1918 address is
behind NAT, or some sort of packet filter, then it doesn't work so
well, and the client does not have a way to detect that reliably.
--
Nathan Ward
million PCs that aren't going to do their patches.
I still plan to.. hopefully I'll get around to it when I feel a bit
less jaded :-)
--
Nathan Ward
On 20/11/2008, at 11:05 AM, Jack Bates wrote:
Nathan Ward wrote:
The problem here is XPSP2/Vista assuming that non-RFC1918 =
unfiltered/unNATed for the purposes of 6to4.
Well, deeper problem is that they're using 6to4 on an end host I
suppose - it's supposed to be used on routers.
While I
to be globally
reachable. Maybe to stop uRPF breaking ICMP messages if routers on the
exchange respond from their interface address.. though.. I'd prefer to
make my routers respond from loopback or something.
--
Nathan Ward
[1] Maybe I mean allocated, whatever.
--
Nathan Ward
- it is a
core component of how switching works across the platform.
They really seem to have thrown away a whole bunch of conventional
thinking, and the result is, in my opinion, really quite good.
--
Nathan Ward
[1] I believe that it's the same L2 service that you use when creating
On 16/11/2008, at 5:30 PM, Matthew Moyle-Croft wrote:
Is the spam SMTP meant to be originating from the McColo ranges or
is it being used to control other machines elsewhere?
The latter.
--
Nathan Ward
on context, and quality degrades during packet loss
before you get silence.
The i stands for Internet - so no surprise it works great in typical
Internet conditions.
--
Nathan Ward
for many people.
--
Nathan Ward
down it, perhaps talk to your L2
service provider and see if they can provide you with this in parallel
to your L2 service.
--
Nathan Ward
this chicken/egg thing it's not even funny, just do it
already. Well, if you don't it's no problem I suppose, your users are
automatically tunnelling across you already.
If you're only thinking about doing a small IPv6 deployment now,
you're behind the curve.
--
Nathan Ward
network now. That makes it a monetary thing,
something they understand better perhaps..
Yep, this post is going against my best instincts.
--
Nathan Ward
.
--
Nathan Ward
to perform poorly.
--
Nathan Ward
On 13/10/2008, at 7:18 PM, Mikael Abrahamsson wrote:
On Mon, 13 Oct 2008, Nathan Ward wrote:
6to4 is enabled by default in Vista - any Vista machine with a non-
RFC1918 address will use 6to4. It is also available in some linksys
routers, and is enabled by default in Apple Airport Extreme
around this, encourage your ISP to build a 6to4 relay,
which is a couple of commands on a spare Cisco router. For extra
points, get them to build out a Teredo relay as well, which is a few
commands on a spare Linux box.
--
Nathan Ward
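Two of the fragments above describe the same failure mode from opposite ends: a host treats any non-RFC1918 address as meaning 6to4 will work and "does not have a way to detect that reliably" when it is actually behind NAT or a filter, and an ISP is told to stand up a 6to4 relay. The code below is an added example, not from the thread; it does the 2002::/16 mapping from RFC 3056 in both directions, models the host heuristic with the one input the host cannot see (whether IP protocol 41 gets through), and applies the relay-side consistency check that the embedded IPv4 address must match the outer source. Addresses are constructed from documentation ranges; 198.51.100.7 stands in for a public address.

```python
"""6to4 (RFC 3056) address mapping, the host-side "public IPv4 means 6to4
will work" heuristic discussed above, and the consistency check a 6to4
relay should apply before decapsulating.

Added example, not from the original thread. Addresses are constructed
from documentation ranges; 198.51.100.7 stands in for a public address.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

SIXTO4 = IPv6Network("2002::/16")
RFC1918 = (IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16"))


def is_rfc1918(v4):
    return any(IPv4Address(v4) in net for net in RFC1918)


def sixto4_prefix(v4):
    """2002:V4ADDR::/48 for the given IPv4 address."""
    return IPv6Network((IPv6Address((0x2002 << 112) | (int(IPv4Address(v4)) << 80)), 48))


def embedded_ipv4(v6):
    """Recover the IPv4 address a 6to4 address was derived from."""
    v6 = IPv6Address(v6)
    if v6 not in SIXTO4:
        raise ValueError("not a 6to4 address")
    return IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def host_outcome(v4, proto41_reachable):
    """What happens on a host that enables 6to4 whenever its address is not RFC 1918.

    `proto41_reachable` is the part the host cannot observe: whether IP
    protocol 41 actually makes it through the NAT/filter in front of it.
    """
    if is_rfc1918(v4):
        return "6to4-off"
    return "6to4-works" if proto41_reachable else "6to4-on-but-broken"


def relay_accepts(outer_src_v4, inner_src_v6):
    """Relay-side check: embedded IPv4 must equal the outer source and be
    a plausible global address (spoofed or private sources are dropped)."""
    outer = IPv4Address(outer_src_v4)
    try:
        inner = embedded_ipv4(inner_src_v6)
    except ValueError:
        return False
    if inner != outer or is_rfc1918(outer):
        return False
    return not (outer.is_multicast or outer.is_loopback
                or outer.is_link_local or outer.is_unspecified)


if __name__ == "__main__":
    print(sixto4_prefix("198.51.100.7"))                          # 2002:c633:6407::/48
    print(host_outcome("198.51.100.7", proto41_reachable=False))  # 6to4-on-but-broken
    print(relay_accepts("198.51.100.7", "2002:c633:6407::1"))     # True
```

The relay check is the minimum a relay operator wants before forwarding decapsulated traffic: without it a 6to4 relay turns into a reflector for anyone who can spoof the outer IPv4 source. A production relay would also drop the usual bogon ranges in the embedded address, which this example does not attempt.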
gets you best of both
worlds.
--
Nathan Ward
On 13/10/2008, at 3:46 PM, Daniel Senie wrote:
At 06:05 PM 10/12/2008, Nathan Ward wrote:
On 13/10/2008, at 9:53 AM, Stephen Sprunk wrote:
Mikael Abrahamsson wrote:
This brings up an interesting question, should we stop announcing
our 6to4 relays outside of Europe? Is there consensus
is not going to his IP address, but to AND from
addresses that are not his. That, plus the fact that there 'is'
traffic on 240/4 and 224/4, and it sounds like a bug.
--
Nathan Ward
and 240/4 in your pictures.
--
Nathan Ward
collection points in say 10 networks, and the attack becomes
pretty useless.
Unless of course you are announcing a more specific prefix than the
authentic one.
--
Nathan Ward
, and then reference to longer optional text for those that
care about why, people will get a false sense of security.
--
Nathan Ward
this, and I suspect having BGP feeds from many many places is the most
reliable way for it to happen, I just haven't figured out why yet.
This seems like a service that Renesys etc. could/should (or maybe
do?) offer, they seem well placed with all their BGP feeds..
--
Nathan Ward
this trick
for non-malicious day-to-day traffic engineering.
The technique of path stuffing ASes who you do not want to receive an
announcement is called AS PATH poisoning. It's a fairly well known
trick.
--
Nathan Ward
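The AS PATH poisoning trick mentioned above works because of the loop check every BGP speaker already performs: a router that finds its own ASN in the AS_PATH of an incoming update discards it. The simulation below is an added example, not from the thread or from any routing software; the five-AS topology, the private-range ASNs and the "announce everything to every neighbour" policy are constructed for the demo, so it shows the mechanism and nothing about any real network.

```python
"""Simulate BGP AS_PATH loop detection to show why prepending a target's
ASN (AS_PATH poisoning) keeps an announcement out of that network.

Added example, not from the original thread. The topology, ASNs (private
range) and the simplified "announce to every neighbour" policy are
constructed for the demo; real networks add export policy, MEDs and
local preference on top of this.
"""
from collections import deque

# Constructed topology: undirected links, every AS re-announces to all neighbours.
TOPOLOGY = {
    64500: [64501, 64502],
    64501: [64500, 64503],
    64502: [64500, 64503],
    64503: [64501, 64502, 64504],
    64504: [64503],
}


def propagate(topology, origin, poison=()):
    """Flood one prefix from `origin`; return {asn: as_path} for every AS that accepts it.

    AS_PATH is leftmost-first (most recent AS first, origin last). `poison`
    lists ASNs the origin inserts between two copies of itself, so the path
    looks like [origin, poisoned..., origin]; any listed AS sees its own
    number in the path and discards the route (RFC 4271 9.1.2 loop check).
    """
    base = ([origin] + list(poison) + [origin]) if poison else [origin]
    accepted = {origin: base}
    queue = deque([origin])
    while queue:
        sender = queue.popleft()
        # The origin advertises the base path; everyone else prepends itself.
        adv = base if sender == origin else [sender] + accepted[sender]
        for nbr in topology[sender]:
            if nbr in accepted:
                continue  # already holds an equal-or-shorter path (BFS order)
            if nbr in adv:
                continue  # loop detected: the update is dropped, not propagated
            accepted[nbr] = adv
            queue.append(nbr)
    return accepted


def unreachable(topology, origin, poison=()):
    """ASes that never learn the prefix (the poisoned AS and anything behind it)."""
    seen = propagate(topology, origin, poison)
    return sorted(asn for asn in topology if asn not in seen)


if __name__ == "__main__":
    print(propagate(TOPOLOGY, 64500)[64504])                 # [64503, 64501, 64500]
    print(unreachable(TOPOLOGY, 64500, poison=(64503,)))     # [64503, 64504]
```

Two caveats the simulation makes visible: anything behind the poisoned AS loses the route too (here 64504, which only hears about the prefix via 64503), and the poisoned path is longer than the clean one, so it also loses BGP best-path tie-breaks everywhere it is still accepted. Both are why the trick is usable for day-to-day traffic engineering but is not a precise tool.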
On 20/08/2008, at 4:42 PM, Nathan Ward wrote:
Teredo uses 3544/UDP for Client-Server communication. That is
for relay discovery when needed, and the qualification procedure -
not much traffic. Client-Relay communication MAY use 3544/UDP,
Client-Client communication MAY use 3544/UDP
On 19/08/2008, at 6:28 PM, Mikael Abrahamsson wrote:
On Tue, 19 Aug 2008, Nathan Ward wrote:
uTorrent actively enables IPv6 on XP SP2 and Vista machines in the
install process (by default, it can be turned off). IPv6 is turned
on, on lots of PCs.
We looked into this, and IPv6
On 19/08/2008, at 6:34 PM, Nathan Ward wrote:
On 19/08/2008, at 6:28 PM, Mikael Abrahamsson wrote:
On Tue, 19 Aug 2008, Nathan Ward wrote:
uTorrent actively enables IPv6 on XP SP2 and Vista machines in the
install process (by default, it can be turned off). IPv6 is turned
on, on lots
that the first 64 bits is for
routing.
--
Nathan Ward
On 20/08/2008, at 6:39 AM, Jay R. Ashworth wrote:
On Tue, Aug 19, 2008 at 04:56:33PM +1200, Nathan Ward wrote:
Sit up and pay attention, even if you don't now run IPv6, or even if
you don't ever intend to run IPv6. Your off-net bandwidth is going to
increase, unless you put some relays
encapsulated, once when native.
--
Nathan Ward
for example.
I agree that bogon filtering with a Team Cymru BGP feed is good - it
will do the job most of the time. However, it cannot be considered a
complete solution.
--
Nathan Ward
the last wee while. I'll be rambling about this
and pointing at pretty graphs in about a week at APNIC26.
--
Nathan Ward
though, but doesn't work for me in a complex network.
One cool thing about OpenBGPd is bgpctl irrfilter, which pulls in RPSL
and does the business with it, and stuffs it in to your live BGP daemon.
--
Nathan Ward
?
--
Nathan Ward
for download over HTTPS with a key that
was generated by the vendor and signed by well trusted root CAs on a
boxes with OpenSSL versions not released by Debian?
PATCH NOW PATCH NOW seems like a fantastic way to get nefarious code
deployed in really, really interesting places.
:-)
--
Nathan
several 10GE's per
chassis I'd recommend these.
/braindump
--
Nathan Ward
'normal' web hosting providers allow customer created scripts to
create TCP sessions out to arbitrary things?
--
Nathan Ward
left in the rack just in case it attached to some
other host and you fear causing an unplanned outage.
You whack on one of these things when there's still active gear on the
end?
--
Nathan Ward
, networks move less traffic off-net.
.. this is the part where someone bustles off and makes it go.
--
Nathan Ward
files. Spit them out with this option on the
tcpdump commandline.
-w file
--
Nathan Ward
.
--
Nathan Ward
negative caches, but that
might be fixed. YMMV, etc.
Usual common sense warnings apply.
--
Nathan Ward
.
--
Nathan Ward
___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
may find it more economical to become an APNIC member and
apply for a portable allocation using the APNIC IPv4 ISP request form.
/snip
Note that you must be the end user of the space, as it is assigned not
allocated.
--
Nathan Ward
On 17/05/2008, at 5:53 PM, Matthew Moyle-Croft wrote:
Nathan Ward wrote:
If the foreign AS really wants to send you routes that way, they
can do it regardless of how you stop your advertisements being
accepted by/ reaching them. We're hardly talking high security here.
ip route prefix
those prefixes hitting.
Similar, not identical, so may not work for you how you want.
Googling around finds some explanation of it here:
http://ispcolumn.isoc.org/2005-08/as1.html
Nothing really about how it works in a MLPA IXP though.
--
Nathan Ward
it for years
already. It'd be good if the world were all engineers though, huh?
--
Nathan Ward
this service health check stuff and
have done for years, so why are we re-inventing the wheel?
--
Nathan Ward
ps. I'm amused that your message that started with i think the
minutia is good, especially after a long weekend of layer 9 threads.
ended with a paragraph of L9
On 6/05/2008, at 1:19 PM, Steven M. Bellovin wrote:
Steve? I assume you meant Paul
No, Steve Gibbard referred to not having control of routers, Paul
referred to customers.
--
Nathan Ward
On 21/10/2007, at 7:22 PM, Adrian Chadd wrote:
On Sun, Oct 21, 2007, Nathan Ward wrote:
Blocking 25/TCP is acceptable, blocking 587/TCP is not - it is
designed for mail submission to an MSA, so serves little use for
spam, save when a spammer has detected an open mail relay listening
on 587/TCP
place for domains you host, as your
customers do to send mail to domains you don't host).
--
Nathan Ward
that.
Blocking 587/TCP prevents people using someone else's mail service.
I view the latter as no different to preventing you viewing someone
else's website.
--
Nathan Ward
On 12/10/2007, at 9:43 AM, Tony Hain wrote:
Nathan Ward wrote:
On 6/10/2007, at 3:18 AM, Stephen Wilcox wrote:
stuff
Given the above, I think there is no myth.. !
That's because the 'v6 network' is broken enough that putting
records on sites that need to be well reachable is a bad
conflicts with people who NAT their address, etc.)
The difference between the two things above is that the former is
single NAT, the latter is double. The former is much more
complicated, though.
--
Nathan Ward
-day
data?
--
Nathan Ward
consumer router, as far as I'm aware,
and this issue was found and fixed within weeks. I've got no doubt
that other vendors will learn from this mistake.
--
Nathan Ward
(Disclaimer: On reading my post it sounds like advertising - I don't
work for, and am not otherwise affiliated with, Apple.)
). Both do SI, the Airport does it by default (now).
--
Nathan Ward
the pros/cons of NAPT's ability
to provide security for the 500th time, we're essentially debating
the pros/cons of a technology that is going to (hopefully) be
outdated soon. I suggest we move on.
Sam, have you heard any concerns, other than that NAPT provides us
security one?
--
Nathan Ward
if it becomes a problem
(although, you could switch the out for an A), and when you end
up being able to do a proper IPv6 deployment you end up with
customers still caring about this legacy DNS entry. That, in short,
sounds painful.
--
Nathan Ward
at the enterprise which rigorously
firewalls all ingress/egress traffic at the edge.
Yes, I don't know if possible security concerns with Teredo are
applicable to ISPs, unless you offer a firewalled service. Then those
concerns are really the same as an enterprise.
--
Nathan Ward
that, I'm sure.
--
Nathan Ward
it improved reachability/reliability of dual stack or v6-only
content? How do you know?
Any thoughts about how content providers could use Teredo servers/
relays to improve their connectivity?
--
Nathan Ward
Donald)
--
Nathan Ward