so... this thread has a couple of really interesting characteristics.
a couple are worth mentioning more directly (they have been alluded to
elsewhere)...
Who gets to define bad - other than a blacklist operator?
Are there common, consistent definitions of contamination?
On Tue, Sep 15, 2009 at 09:34:14PM -0400, Christopher Morrow wrote:
On Tue, Sep 15, 2009 at 4:46 PM, bmann...@vacation.karoshi.com wrote:
so... this thread has a couple of really interesting characteristics.
a couple are worth mentioning more directly (they have been alluded to
On Thu, Sep 10, 2009 at 04:42:13PM +0200, Benjamin Billon wrote:
Why don't we just blacklist everything and only whitelist those we know
are good?
snip
Note we all could start using IPv6 and avoid this problem altogether.
snip
Yeah. When ISP will start receiving SMTP traffic in IPv6,
On Tue, Sep 08, 2009 at 02:34:10PM -0500, Joe Greco wrote:
there is a fundamental disconnect here. the IP space is neutral.
it has no bias toward or against social behaviours. it's a tool.
the actual/real target here are the people who are using these tools
to be antisocial. blacklisting
sounds like domain tasting to me.
--bill
On Wed, Sep 09, 2009 at 01:04:48AM -0400, Peter Beckman wrote:
How about a trial period from ARIN? You get your IP block, and you get 30
days to determine if it is clean or not. Do some testing, check the
blacklists, do some magic to see if there
On Mon, Aug 10, 2009 at 09:49:51PM +0900, Randy Bush wrote:
http://www.nytimes.com/2009/08/10/business/global/10cable.html
if seacom completes, and it is looking likely (yay!), this will be great.
but
Alan Mauldin, research director at TeleGeography, a telecommunications
market
On Thu, Jul 16, 2009 at 03:56:29PM -0700, Pederson, Krishna wrote:
One of our IP addresses is being probed by up to 8 of the 13 root dns servers
every 15 seconds. I'm looking for input on how to contact the admins for the
servers or perhaps a way to figure out if perhaps someone is spoofing
On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
In message 20090707171251.ga2...@arin.net, Mark Kosters writes:
On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
Are there any high level operational details you could share?
Specifically, are you using any
On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote:
received a lot of good feedback with the conclusion that using a
restful
service would be a useful transport for this type of data transfer.
We certainly need your feedback on future services and encourage you
On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote:
hey, that's what the CADR tool does. fully in-band maintenance
for the child/parent interactions. only needs manual re-keying
if a party loses control of the credential.
-- bill
It would be nice if
used them for years, from when they were just a local ISP
till today. a good addition to your mix... great value for money.
--bill
On Wed, Jun 17, 2009 at 08:41:23PM -0400, Paul Stewart wrote:
Hi folks...
Looking for some feedback on using Hurricane Electric as an upstream?
Thanks,
On Fri, May 29, 2009 at 02:48:33PM +0700, Anton Zimm wrote:
I get this: MOBI servers are not authoritative for push.mobi zone,
ns1.push.mobi is authoritative for it.
But since ns1.push.mobi is inside push.mobi zone, this creates a circular
reference. Afaik to solve this circular dependency,
fine piece of work.
On Fri, May 29, 2009 at 11:37:58AM -0500, jamie rishaw wrote:
The White House just put out a release on net security[1] - at first glance
a mission/vision/values paper, the release page[2] also containing a short
video[3].
At first glance, this looks promising -
On Thu, May 21, 2009 at 12:00:58PM -0400, Joe Abley wrote:
However, you're not necessarily doing anybody any favours in making
statements like faster, more secure and does IPv6. DNS servers
are complicated beasts, and simplistic comparisons are not useful for
much (it'd be trivial to
On Wed, May 06, 2009 at 10:39:23AM +1000, Karl Auer wrote:
On Tue, 2009-05-05 at 15:58 -0400, Ricky Beam wrote:
stateless with constant and consistent. SLAAC doesn't need to
generate the exact same address every time the system is started.
No - but it is *phenomenally useful* if it
On Fri, May 01, 2009 at 02:29:24PM -0400, LEdouard Louis wrote:
Optimum Online business only offer 5 static IP address.
Where can I buy a block of Internet IP address for Business? How much
does it cost?
how much is Optimum Online charging you for each of the five?
On Thu, Apr 23, 2009 at 09:10:31PM -0400, Joe Abley wrote:
On 23 Apr 2009, at 20:55, Jo Rhett wrote:
And it wasn't specific. Nanog shouldn't be everything-Jo-wants-to-
talk-about or everything-Randy-wants-to-talk-about or anything else.
!snork!... rubbing the sleep from
On Thu, Apr 23, 2009 at 08:17:07PM +0800, Adrian Chadd wrote:
On Thu, Apr 23, 2009, William Allen Simpson wrote:
Some wag around here re-christened it the IVTF (V stands for Vendor, not
Victory). ;-) I haven't bothered to go in years
If the people with operational experience stop
On Tue, Apr 21, 2009 at 11:53:02PM -0700, Zhenkai Zhu wrote:
Hello NANOG,
I noticed that more than 3K prefixes are with 2 Origin ASes.
Are they the simplest cases of anycast? Or they are mainly due to
misconfiguration?
---
--Zhenkai
i honestly don't remember the
On Wed, Apr 22, 2009 at 10:17:38AM -0400, Joe Abley wrote:
On 21-Apr-2009, at 21:50, bmann...@vacation.karoshi.com wrote:
On Tue, Apr 21, 2009 at 08:24:38PM -0400, Ricky Beam wrote:
FTP? Who uses FTP these days? Certainly not consumers. Even Cisco
pushes almost everything via a
On Wed, Apr 22, 2009 at 02:27:14PM +, bmann...@vacation.karoshi.com wrote:
On Wed, Apr 22, 2009 at 10:17:38AM -0400, Joe Abley wrote:
On 21-Apr-2009, at 21:50, bmann...@vacation.karoshi.com wrote:
On Tue, Apr 21, 2009 at 08:24:38PM -0400, Ricky Beam wrote:
FTP? Who uses FTP
On Tue, Apr 21, 2009 at 08:24:38PM -0400, Ricky Beam wrote:
On Tue, 21 Apr 2009 18:40:30 -0400, Chris Adams cmad...@hiwaay.net wrote:
SSL and FTP are technical justifications for an IP per site.
No they aren't. SSL will work just fine as a name-based virtual host with
any modern webserver
On Sat, Apr 18, 2009 at 05:30:41AM +, Stephen Stuart wrote:
Not sure how switches handle HOL blocking with QinQ traffic across trunks,
but hey...
what's the fun of running an IXP without testing some limits?
Indeed. Those with longer memories will remember that I used to
regularly
On Sat, Apr 18, 2009 at 04:01:41PM +, Paul Vixie wrote:
Date: Sat, 18 Apr 2009 10:09:00 +
From: bmann...@vacation.karoshi.com
... well... while there is a certain childlike obsession with the
byzantine, rube-goldberg, lots of bells, knobs, whistles type
machines...
On Sat, Apr 18, 2009 at 09:12:24PM +, Paul Vixie wrote:
Date: Sat, 18 Apr 2009 13:17:11 -0400
From: Steven M. Bellovin s...@cs.columbia.edu
On Sat, 18 Apr 2009 16:58:24 +
bmann...@vacation.karoshi.com wrote:
i make the claim that simple, clean design and execution is
On Fri, Apr 17, 2009 at 10:11:30AM -0400, Sharlon R. Carty wrote:
Hello NANOG,
I would like to know what are best practices for an internet exchange. I
have some concerns about the following;
Can the IXP members use RFC 1918 ip addresses for their peering?
Can the IXP members use private
the vlan tagging idea is a virtualization of the PNI construct.
why use an IX when running 10's/100's/1000's of private network
interconnects will do?
granted, if out of the 120 ASN's at an IX, 100 are exchanging on
average - 80KBs - then it's likely safe to dump them all into a single
physical
On Fri, Apr 17, 2009 at 04:52:53PM -0500, Joe Greco wrote:
On Fri, 17 Apr 2009, bmann...@vacation.karoshi.com wrote:
the vlan tagging idea is a virtualization of the PNI construct.
why use an IX when running 10's/100's/1000's of private network
interconnects will do?
granted, if
On Fri, Apr 17, 2009 at 06:50:42PM -0400, Sean Donelan wrote:
Is anyone still doing personal colo on the west coast? I'm looking for a
new home for my personal server on the west coast, and it seems like
the economy has taken out most of the old personal colo offers.
Even the old web page
On Tue, Apr 14, 2009 at 03:41:25AM +0200, Peter Lothberg wrote:
There are three solutions to the problem;
A: Put an armed soldier every 150ft on the fiber path.
B: Make the infrastructure so redundant that cutting things
just makes you tired, but nothing happens.
C:
at least this year it's been changed from Terrorists to Vandals.
(when most likely, it's over-aggressive metals recyclers who have
run out of catalytic converters to steal...)
--bill
On Sun, Apr 05, 2009 at 07:37:15PM +1000, Mark Andrews wrote:
The fault has been rectified. We are still looking into the
underlying cause and what procedural changes need to be made to
prevent a repeat occurrence.
Mark Andrews, ISC
could ISC be a bit more open and transparent on
On Sun, Apr 05, 2009 at 06:19:35AM -1000, David Conrad wrote:
On Apr 5, 2009, at 12:09 AM, bmann...@vacation.karoshi.com wrote:
On Sun, Apr 05, 2009 at 07:37:15PM +1000, Mark Andrews wrote:
The fault has been rectified. We are still looking into the
underlying cause and what procedural
On Sun, Mar 22, 2009 at 10:56:06PM +, Nick Hilliard wrote:
On 21/03/2009 16:36, bmann...@vacation.karoshi.com wrote:
er... 'parm me sir, but aren't -all- ASNs 4 bytes?
i mean, for lo these many years we cheated and only
used the first two bytes... but the spec always
the 20th or 21st century answer?
if you really don't care about the actual node, then you should map the
numbers to topologically significant names - after all, the reverse map
follows topology, not some goofball - layer 9 - ego trip thing.
or - the more modern approach is to let the node
On Sat, Mar 21, 2009 at 08:44:23AM -0700, Randy Bush wrote:
perhaps there is a lesson here. move on to 4-byte asns.
randy
er... 'parm me sir, but aren't -all- ASNs 4 bytes?
i mean, for lo these many years we cheated and only
used the first two bytes... but the
you mean these guys? http://inwap.com/pdp10/td-1b.html
--bill (who is almost certainly experiencing Charles Bonnet Syndrome)
On Wed, Feb 11, 2009 at 10:33:48AM -0600, Sutterfield, Brian wrote:
Does anyone have any experience using the DXM from XKL for DWDM
deployments?
Any feedback
Cisco VNI projections indicate that IP traffic will increase at a combined
annual growth rate (CAGR) of 46 percent from 2007 to 2012, nearly doubling
every two years. This will result in an annual bandwidth demand on the
world's IP networks of approximately 522 exabytes2, or more than half a
Nortel board of directors vote to file bankruptcy
http://www.nortel.com/corporate/restructuring.html
welcome to the joys of anycast... :)
--bill
On Wed, Jan 14, 2009 at 09:50:39AM -0600, Michienne Dixon wrote:
Interesting - So as a cyber criminal - I could setup a router, start
announcing AS 16733, 18872, and maybe 6966 for good measure and their
routers would ignore my announcements and
On Sun, Jan 04, 2009 at 09:55:20PM -0600, Gadi Evron wrote:
A legal botnet is a distributed system you own.
A legal DDoS network doesn't exist. The question is set wrong, no?
kind of depends on what the model is. a botnet for hire
to red-team my network might be just the
On Tue, Dec 23, 2008 at 02:08:25PM +1300, Nathan Ward wrote:
On 23/12/2008, at 1:31 PM, Seth Mattinen wrote:
Anyone running a platform that can't take a full table would apply
such a filter to weed out anyone who likes to announce all of their
space as /24's for traffic engineering. If one
On Fri, Dec 19, 2008 at 02:40:47AM +, l l9l wrote:
However, what I am really wondering is what is the most standard subnet
length that always can be guaranteed through Internet. less than /24 bit ?
while one can get away w/ /24s (if that is all one has) for many places,
On Thu, Oct 16, 2008 at 10:31:21PM -0400, Dean Anderson wrote:
(Manning and Woodcock have so far refused to
accept the certified letters)
and then sometime in the past 5 days, you posted a comment to DoC
here; http://www.ntia.doc.gov/dns/dnssec.html
that states: Bill Manning refused to
On Tue, Nov 25, 2008 at 08:56:43AM -0800, Bill Woodcock wrote:
On Tue, 25 Nov 2008 [EMAIL PROTECTED] wrote:
If I may... I am in possession of your certified letter
-AND- the signed acknowledgement that you received notice
that I have taken
On Mon, Nov 03, 2008 at 10:23:07PM -0800, Paul Ferguson wrote:
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent [EMAIL PROTECTED] wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic
protection method using MD5
NANOG makes a fine archive of discoverable material in a court case
intending to show collusion to drive folks out of business.
One presumes that each ISP here has some form of AUP and rules on
self-preservation roughly along the lines of if there is material
impact to my network or my
On Thu, Sep 25, 2008 at 02:26:28PM -0400, [EMAIL PROTECTED] wrote:
Of course, there's a discount carpet dealer in the area, has a big sign out
front We will not be knowingly undersold. Nice wording, that...
once burned, twice shy.
--bill
On Thu, Sep 25, 2008 at 05:38:26PM -0500, Craig Holland wrote:
Hi,
I recently ran across a situation where a large ISP only accepts IRR
entries generated by RADB to build their path filters. I use the ARIN
Routing Registry. Is this a common practice? Should I convert over to
RADB?
On Mon, Sep 22, 2008 at 10:52:42AM -0400, Jason Frisvold wrote:
On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis [EMAIL PROTECTED] wrote:
nice to see a wholesale DNSSEC rollout underway (I must confess to being a
little surprised at the source, too!). Granted, it's a much more manageable
On Mon, Sep 22, 2008 at 11:11:40AM -0400, Keith Medcalf wrote:
Correct, you need a validating, security-aware stub resolver, or the
ISP needs to validate the records for you.
That would defeat the entire purpose of using DNSSEC. In order for DNSSEC to
actually provide any improvement
On Mon, Sep 22, 2008 at 05:24:00PM +0200, Florian Weimer wrote:
* marcus sachs:
While we wait for applications to become DNSSEC-aware,
Uhm, applications shouldn't be DNSSEC-aware. Down that road lies
madness. What should an end user do when the browser tells him,
Warning: Could not
The end-stage is secure only if at that stage you also set all DNS
infrastructure to refuse to talk to any DNS client/server/resolver that DOES
NOT validate and enforce DNSSEC. Up until that point in time, there is NO
CHANGE in the security posture from what we have today with no DNSSEC
On Mon, Sep 22, 2008 at 12:06:57PM -0400, Edward Lewis wrote:
At 15:30 + 9/22/08, [EMAIL PROTECTED] wrote:
data. We never finished the discussion on fail/open
fail/closed wrt DNSSEC.
And I'd bet a dollar we never will finish that discussion.
--
On Mon, Sep 22, 2008 at 12:14:53PM -0400, Keith Medcalf wrote:
If I cannot authenticate the data myself, then it is simply
untrusted and untrustworthy -- exactly the same as it is now.
so I guess PGP web of trust is right out, then?
[elided]
If there is a piece of data X signed
On Thu, Sep 18, 2008 at 07:31:37PM -0400, Jay R. Ashworth wrote:
- Crist Clark [EMAIL PROTECTED] wrote:
I want to change the nameservers for a bunch of domains. Really,
all I want to do is change the IP address, but it seems easier
just to change both the name and IP to avoid any
On Sun, Sep 07, 2008 at 07:43:41PM +1200, Randy Bush wrote:
http://www.caida.org/workshops/wide/0808/slides/measuring_reverse_paths.pdf
great work on a tough problem
yes, but would it work if we all did BCP38 filtering?
--bill
it was real. (I still have some 3c503's with the problem :)
this is one reason why it is so important to be able to override the MAC.
--bill
On Fri, Sep 05, 2008 at 10:53:28AM -0400, Scott Berkman wrote:
This reminds me of a story I was told a while back that there was a batch
of 3com
well, actually this was the IP address used for l.root-servers.net
from 1998-2008. so i guess you could say it's never been used for anything.
we are not currently routing that prefix and there should currently be nothing
at that IP address.
--bill
On Tue, Sep 02, 2008 at 06:24:21PM
On Wed, Sep 03, 2008 at 10:00:41AM -0400, Christopher Morrow wrote:
On Wed, Sep 3, 2008 at 8:48 AM, [EMAIL PROTECTED] wrote:
On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
On 9/2/08, Todd Underwood [EMAIL PROTECTED] wrote:
checking our current data, that block is
On Mon, Sep 01, 2008 at 05:36:47AM -0400, [EMAIL PROTECTED] wrote:
Serious question, that - how many long-haul providers would be in serious
trouble if all the spam and filesharing suddenly stopped and only legitimate
traffic travelled through their pipes?
define legitimate
--bill
On Sat, Jul 26, 2008 at 03:05:18PM -0500, Joe Greco wrote:
what i do not understand is why people think screaming to the choir will
make any significant difference?
And Paul's absolutely correct, this is not something where we can afford to
let that happen.
Paul is correct if
On Sat, Jul 26, 2008 at 05:47:54PM -0400, Sean Donelan wrote:
On Sat, 26 Jul 2008, [EMAIL PROTECTED] wrote:
there you go. the massive effort to patch would likely have
better been spent to actually -sign- the stupid zones and
work out key distribution. but no... running around
well... hard to tell...
Secure Connection Failed
asahi-net.jp uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
that said, can I get FIOS w/o any other
Verizon crap? I just want the fiber transport
On Mon, Jun 30, 2008 at 07:19:45PM +0100, Tony Finch wrote:
On Sun, 29 Jun 2008, [EMAIL PROTECTED] wrote:
one might legitimately argue that ICANN is in need of
some serious regulation
that can happen at that national level or on the international
level.
Doesn't
On Sun, Jun 29, 2008 at 02:14:58PM -0400, Joe Abley wrote:
The only decision that is required is whether new generic top-level
domains are desired. If not, do nothing. Otherwise, shake as much
energy into the system as possible and sit back and let it find its
own steady state.
Joe
this may actually be the straw that triggers a serious redesign of the
Internet's lookup system(s)... if not this, then IPv6 has a good chance.
Incremental changes are good - are stable (usually), and often can be
compartmentalized. But sometimes - revolutionary changes are needed.
and if
On Fri, Jun 13, 2008 at 03:08:47PM -0400, David Hubbard wrote:
I remember back in the day of old hardware and operating
systems we'd intentionally avoid using .255 IP addresses
for anything even when the netmask on our side would have
made it fine, so I just thought I'd try it out for kicks
On Mon, Jun 02, 2008 at 02:53:26PM -0400, Sean Donelan wrote:
http://www.donelan.com/dnstimeline.html
1 Jun 1990
NIC.DDN.MIL 26.0.0.73 root service ends (last original root server)
it would be much more helpful to have citations for your
dates.
--bill
http://www.nsfnet-legacy.org/webcast
--bill
if you are coming to ABQ and would like to help me out on a
small project, please drop me a line BEFORE you leave.
--bill
one: AS hop count for average e2e packet flow, eg. from origin to destination,
how many ASN's will a packet traverse?
two: number/location of IX that monitor/forbid transit across exchange fabric?
--bill (doing grunt work for a study on Landauer Entropy)
well... i guess i should stop posting then.
--bill
On Tue, May 29, 2007 at 06:14:51PM +0100, Brandon Butterworth wrote:
You get one shot at fixed prefix size filters, miss and you'll pay
forever. Which is more scarce, /32's or routing table entries.
your first lemma is false.
and RTE are more scarce.
brandon
let