Re: de-peering for security sake

2016-01-20 Thread Colin Johnston
cats are nice colin Sent from my iPhone > On 19 Jan 2016, at 15:12, "Michael O'Connor" wrote: > > Why do we believe network administrators can advocate perfectly for > customer access? > I couldn't control my own children's access without making us all > miserable. > > Nation

Re: de-peering for security sake

2016-01-19 Thread Michael O'Connor
Why do we believe network administrators can advocate perfectly for customer access? I couldn't control my own children's access without making us all miserable. Nation state access control in a free country at the network layer is bound to fail, way too many cats to herd. On Mon, Jan 18, 2016

Re: de-peering for security sake

2016-01-19 Thread bzs
On January 19, 2016 at 10:12 m...@es.net (Michael O'Connor) wrote: > Why do we believe network administrators can advocate perfectly for > customer access? Which is why I was advocating for some sort of generally agreed upon standards and process written into contractual agreements. This

Re: de-peering for security sake

2016-01-18 Thread bzs
On January 18, 2016 at 00:21 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) wrote: > On Sun, 17 Jan 2016 19:39:52 -0500, b...@theworld.com said: > > How about if backed by an agreement with the 5 RIRs stating no new > > resource allocations or transfers etc unless a contract is signed and

Re: de-peering for security sake

2016-01-17 Thread Valdis . Kletnieks
On Sun, 17 Jan 2016 19:39:52 -0500, b...@theworld.com said: > How about if backed by an agreement with the 5 RIRs stating no new > resource allocations or transfers etc unless a contract is signed and > enforced? Or similar. Then they'd just resort to hijacking address space. Oh wait, they

Re: de-peering for security sake

2016-01-17 Thread Dan Hollis
On Sun, 17 Jan 2016, Doug Barton wrote: On 1/17/2016 12:44 PM, b...@theworld.com wrote: We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties. Not gonna help. The same people who have no incentive to do the

Re: de-peering for security sake

2016-01-17 Thread Ca By
On Sunday, January 17, 2016, Dan Hollis wrote: > On Sun, 17 Jan 2016, b...@theworld.com wrote: > >> Sure, you have your hands on BGP etc, so what router commands (hammer) >> can effect international policy (nail)? >> >> This is fundamentally a social and political issue

Re: de-peering for security sake

2016-01-17 Thread Doug Barton
On 1/17/2016 12:44 PM, b...@theworld.com wrote: We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties. Not gonna help. The same people who have no incentive to do the right thing now will still have no

Re: de-peering for security sake

2016-01-17 Thread bzs
When all you have is a hammer the whole world looks like a nail. That's what "de-peering for security sake" sounds like to me. Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)? This is fundamentally a social and political issue and

Re: de-peering for security sake

2016-01-17 Thread Dan Hollis
On Sun, 17 Jan 2016, b...@theworld.com wrote: Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)? This is fundamentally a social and political issue and needs to be dealt with on that level, not with changes in router configs. bgp

Re: de-peering for security sake

2016-01-17 Thread bzs
On January 17, 2016 at 13:06 goe...@sasami.anime.net (Dan Hollis) wrote: > On Sun, 17 Jan 2016, b...@theworld.com wrote: > > Sure, you have your hands on BGP etc, so what router commands (hammer) > > can effect international policy (nail)? > > > > This is fundamentally a social and political

Re: de-peering for security sake

2016-01-17 Thread bzs
On January 17, 2016 at 13:09 do...@dougbarton.us (Doug Barton) wrote: > On 1/17/2016 12:44 PM, b...@theworld.com wrote: > > We need an effective forum with effective participation perhaps > > eventually leading to signed contractual obligations agreed to by all > > parties. > > Not gonna

Re: de-peering for security sake

2016-01-16 Thread Rich Kulawiec
On Thu, Dec 24, 2015 at 11:44:10PM +, Colin Johnston wrote: > We really need to ask if China and Russia for that matter will not > take abuse reports seriously why allow them to network to the internet ? One could ask the exact same question about Amazon -- which, as of the moment, is the

Re: de-peering for security sake

2016-01-16 Thread Mike Hammett
wiec" <r...@gsp.org> Cc: nanog@nanog.org Sent: Saturday, January 16, 2016 7:43:56 AM Subject: Re: de-peering for security sake On Saturday, January 16, 2016, Rich Kulawiec <r...@gsp.org> wrote: > On Thu, Dec 24, 2015 at 11:44:10PM +, Colin Johnston wrote: > >

Re: de-peering for security sake

2016-01-16 Thread Valdis . Kletnieks
On Sat, 16 Jan 2016 09:53:40 -0500, Rich Kulawiec said: > I've said this many times: abuse does not magically fall out of the sky. > It comes from hosts, on networks, run by people. It is time -- well > past time -- to hold those people *personally* accountable. And who, *exactly*, are you

Re: de-peering for security sake

2016-01-16 Thread Valdis . Kletnieks
On Sat, 16 Jan 2016 11:09:27 -0800, Owen DeLong said: > > Making the owner of the host responsible for an attack -personally- > > responsible would require every grandma & 6 year old to have insurance > > before > > buying a laptop or Xbox. And would bankrupt your favorite startup no matter > >

Re: de-peering for security sake

2016-01-16 Thread Ca By
On Saturday, January 16, 2016, Rich Kulawiec wrote: > On Thu, Dec 24, 2015 at 11:44:10PM +, Colin Johnston wrote: > > We really need to ask if China and Russia for that matter will not > > take abuse reports seriously why allow them to network to the internet ? > > One could

Re: de-peering for security sake

2016-01-16 Thread Patrick W. Gilmore
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec wrote: > On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote: >> I see a great deal of folks on nanog clamoring to buy ddos gear. Packets >> are starting to become like spam email, where 90% are pure rubbish, and >> us good guys have

Re: de-peering for security sake

2016-01-16 Thread Ca By
On Saturday, January 16, 2016, Patrick W. Gilmore wrote: > On Jan 16, 2016, at 9:53 AM, Rich Kulawiec > > wrote: > > On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote: > > >> I see a great deal of folks on nanog clamoring to buy ddos gear.

Re: de-peering for security sake

2016-01-16 Thread Rich Kulawiec
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote: > I see a great deal of folks on nanog clamoring to buy ddos gear. Packets > are starting to become like spam email, where 90% are pure rubbish, and > us good guys have to spend a lot of money and time sorting signal from > noise. I've said

Re: de-peering for security sake

2016-01-16 Thread Owen DeLong
> The pessimistic side of me believes cloudflare and akamai want the internet > to be choked with bots such that everyone must pay their toll, so the > information on the bots is a trade secret... But please prove me wrong so > we can drive higher accountability on the internet. I am not speaking

Re: de-peering for security sake

2016-01-02 Thread Richard Hesse
Purposefully hosting an "inflammatory" site that the Russians or Chinese object to is a valid way to get your AS null routed inside those countries. Same goes for Turkey, India, Australia... Solves the DDoS and malware problem inside their borders, not yours. On Dec 25, 2015 4:43 AM, "Max Tulyev"

Re: de-peering for security sake

2016-01-02 Thread Randy Bush
> Purposefully hosting an "inflammatory" site that the Russians or > Chinese object to is a valid way to get your AS null routed inside > those countries. Same goes for Turkey, India, Australia... luckily this is not true in the US. oh wait. >> We really need to ask if China and Russia for

Re: de-peering for security sake

2015-12-27 Thread Owen DeLong
> On Dec 26, 2015, at 20:35 , Baldur Norddahl wrote: > > Owen you misunderstood what two factor is about. It is not practical to > brute force the key file. Nor is it practical to brute force a good > passphrase or password. Both have sufficient strength to withstand

Re: de-peering for security sake

2015-12-27 Thread Valdis . Kletnieks
On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said: > SSH password + key file is accepted as two factor by PCI DSS auditors, so > yes it is in fact two factor. They also accept NAT as "security". If anything, PCI DSS is yet another example of a money grab masquerading as security theater

Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"done right the cost shouldn't be super much more." I disagree. Done wrong, it's not super much more. Done right, it's massively more. Like Randy said, compare salaries alone. A good security employee will run you, what, 100k or more in the major job markets? And how many do you need, full

Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale wrote: > "really isn't a whole lot different from 'lock your damned doors and > windows' brick/mortar security." > > Except it's *massively* more expensive. > is it? how much does a datacenter pay for people + locks + card-key

Re: de-peering for security sake

2015-12-27 Thread Randy Bush
> 'cyber security' really isn't a whole lot different from 'lock your > damned doors and windows' brick/mortar security. hellofalot more holes to cover. and the salaries of the guards are a bit higher for the net; so more incentive for pointy heads to skimp. randy

Re: de-peering for security sake

2015-12-27 Thread Owen DeLong
> On Dec 27, 2015, at 11:26 , Christopher Morrow > wrote: > > On Sun, Dec 27, 2015 at 1:59 PM, wrote: >> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said: >> >>> SSH password + key file is accepted as two factor by PCI DSS auditors,

Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale wrote: > "done right the cost shouldn't be super much more." > I disagree. Done wrong, it's not super much more. > > Done right, it's massively more. please cite useful numbers... It's not (I think) really all that much more.

Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 1:59 PM, wrote: > On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said: > >> SSH password + key file is accepted as two factor by PCI DSS auditors, so >> yes it is in fact two factor. > > They also accept NAT as "security". If anything, PCI

Re: de-peering for security sake

2015-12-27 Thread Randy Bush
> The costs add up really fast without a corresponding return. i think there is a corresponding return, just not one that is perceived by the pointy heads. yet. but that is changing as more and more get pwned and the public and legal costs become greater and more apparent. patience. randy

Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"please cite useful numbers" For what? IDS? SIEM? Log aggregation in general? For companies that have none of that, spinning up the best practice systems can easily cost half a mil a year (QRadar is 200k for our sized environment; a good netflow system is like 50 [100k+ for something like

Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"really isn't a whole lot different from 'lock your damned doors and windows' brick/mortar security." Except it's *massively* more expensive. On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow wrote: > On Sun, Dec 27, 2015 at 1:59 PM, wrote:

Re: de-peering for security sake

2015-12-27 Thread James Downs
> On Dec 26, 2015, at 12:34, Owen DeLong wrote: > > Also, note that the only difference between a good long passphrase and a > private key is, > uh, wait, um, come to think of it, really not much. Are you equating a long PSK with PKE? They’re quite different.

Re: de-peering for security sake

2015-12-27 Thread Owen DeLong
> On Dec 27, 2015, at 14:33 , Baldur Norddahl wrote: > > > > On 27 December 2015 at 22:08, Owen DeLong > wrote: > This is a bit of a tangent, really. The discussion was about authentication > factor > counts and Baldur

Re: de-peering for security sake

2015-12-27 Thread Baldur Norddahl
On 27 December 2015 at 22:08, Owen DeLong wrote: > This is a bit of a tangent, really. The discussion was about > authentication factor > counts and Baldur tried to use PCI-DSS acceptance of password-encrypted > private key authentication as two-factor to bolster his claim that

Re: de-peering for security sake

2015-12-27 Thread Mike Hale
Also think of it from the perspective of the authenticating host. That SSH connection relies *only* on the key for authentication. It requires nothing else. How you protect that key is irrelevant. All that matters is that the host is accepting a single form of authentication. It's clearly

Re: de-peering for security sake

2015-12-26 Thread Joe Abley
On Dec 26, 2015, at 10:09, Stephen Satchell wrote: > My gauge is volume of obnoxious traffic. When I get lots of SSH probes from > a /32, I block the /32. ... without any knowledge of how many end systems are going to be affected. A significant campus or provider user base

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> Midwest Internet Exchange > http://www.midwest-ix.com > > > - Original Message - > > From: "Owen DeLong" <o...@delong.com> > To: "Dan Hollis" <goe...@anime.net> > Cc: "Mike Hammett" <na...@ics-il.net>, "

Re: de-peering for security sake

2015-12-26 Thread William Waites
On Sat, 26 Dec 2015 11:14:25 -0500, Joe Abley said: >> My gauge is volume of obnoxious traffic. When I get lots of >> SSH probes from a /32, I block the /32. > ... without any knowledge of how many end systems are going to > be affected. A significant

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 08:14 , Joe Abley wrote: > > On Dec 26, 2015, at 10:09, Stephen Satchell wrote: > >> My gauge is volume of obnoxious traffic. When I get lots of SSH probes from >> a /32, I block the /32. > > ... without any knowledge of how many

Re: de-peering for security sake

2015-12-26 Thread Matthew Petach
On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong wrote: >> On Dec 26, 2015, at 08:14 , Joe Abley wrote: >> On Dec 26, 2015, at 10:09, Stephen Satchell wrote >>> My gauge is volume of obnoxious traffic. When I get lots of SSH probes >>> from

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
On 26 December 2015 at 16:09, Stephen Satchell wrote: > On 12/26/2015 06:19 AM, Mike Hammett wrote: > >> How much is an acceptable standard to the community? Individual /32s >> ( or /64s)? Some tipping point where 50% of a /24 (or whatever its >> IPv6 equivalent would be) has

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Baldur Norddahl" <baldur.nordd...@gmail.com> To: nanog@nanog.org Sent: Saturday, December 26, 2015 9:19:15 AM Subject: Re: de-peering for security sake On 26 Decemb

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
g> Sent: Saturday, December 26, 2015 1:00:35 AM Subject: Re: de-peering for security sake > On Dec 25, 2015, at 22:16 , Dan Hollis <goe...@anime.net> wrote: > > On Fri, 25 Dec 2015, Owen DeLong wrote: >> Merely because people are asleep at the switch does not give those

Re: de-peering for security sake

2015-12-26 Thread Stephen Satchell
On 12/26/2015 06:19 AM, Mike Hammett wrote: How much is an acceptable standard to the community? Individual /32s ( or /64s)? Some tipping point where 50% of a /24 (or whatever its IPv6 equivalent would be) has made your naughty list that you block the whole prefix? My gauge is volume of

Re: de-peering for security sake

2015-12-26 Thread Jared Mauch
> On Dec 25, 2015, at 3:10 PM, Colin Johnston wrote: > > why do the Chinese network folks never reply and action abuse reports, normal > slow speed network abuse is tolerated, but not high speed deliberate abuse > albeit compromised machines Biggest reason I’ve seen is

Re: de-peering for security sake

2015-12-26 Thread Jared Mauch
> On Dec 26, 2015, at 11:14 AM, Joe Abley wrote: > > With respect to ssh scans in particular -- disable all forms of > password authentication and insist upon public key authentication > instead. If the password scan log lines still upset you, stop logging > them. Or if you

Re: de-peering for security sake

2015-12-26 Thread Mike Hammett
et> To: "Joe Abley" <jab...@hopcount.ca> Cc: nanog@nanog.org Sent: Saturday, December 26, 2015 3:21:03 PM Subject: Re: de-peering for security sake > On Dec 26, 2015, at 11:14 AM, Joe Abley <jab...@hopcount.ca> wrote: > > With respect to ssh scans in

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 12:50 , Matthew Petach wrote: > > On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong > wrote: >>> On Dec 26, 2015, at 08:14 , Joe Abley wrote: >>> On Dec 26, 2015, at 10:09, Stephen Satchell

Re: de-peering for security sake

2015-12-26 Thread Valdis . Kletnieks
On Sat, 26 Dec 2015 15:11:13 -0800, Owen DeLong said: > Or contexts where the user is sloppy about securing their private key, e.g. > the real world. I seem to remember that enough people stashed their entire home directory to github, including their keys, that github had to put in special hacks

Re: de-peering for security sake

2015-12-26 Thread Owen DeLong
> On Dec 26, 2015, at 15:54 , Baldur Norddahl wrote: > > On 27 December 2015 at 00:11, Owen DeLong wrote: > >> No… You are missing the point. Guessing a private key is roughly >> equivalent to guessing a really long >> pass phrase. There is no way

Re: de-peering for security sake

2015-12-26 Thread Valdis . Kletnieks
On Sat, 26 Dec 2015 12:50:27 -0800, Matthew Petach said: > No, the difference is that a passphrase works > in conjunction with the private key, which is > the "something you have" vs the "something > you know" in two-factor authentication. > > With password authentication, there's only a > single

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
On 27 December 2015 at 00:11, Owen DeLong wrote: > No… You are missing the point. Guessing a private key is roughly > equivalent to guessing a really long > pass phrase. There is no way that the server side can enforce password > protection of the private key > on the client

Re: de-peering for security sake

2015-12-26 Thread Baldur Norddahl
Owen you misunderstood what two factor is about. It is not practical to brute force the key file. Nor is it practical to brute force a good passphrase or password. Both have sufficient strength to withstand attack. But two factor is about having two things that need to be broken. The key can be

Re: de-peering for security sake

2015-12-26 Thread Damian Menscher via NANOG
On Sat, Dec 26, 2015 at 10:06 PM, Matthew Petach wrote: > Thanks for the reminder to look at it from multiple perspectives. > The key attribute missing from the discussion so far is that the factors be *different*, from the set of: - something you know (password / PIN)

Re: de-peering for security sake

2015-12-26 Thread Colin Johnston
interesting:) but useful to make an attempt at cleaning up traffic from China and Russia colin Sent from my iPhone > On 27 Dec 2015, at 06:32, Hugo Slabbert wrote: > >> On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian >> wrote: >> >> Hmm, has

Re: de-peering for security sake

2015-12-26 Thread Matthew Petach
On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong wrote: >> On Dec 26, 2015, at 15:54 , Baldur Norddahl >> wrote: >> [...] >> The key approach is still better. Even if the password is 123456 the >> attacker is not going to get in, unless he somehow stole

Re: de-peering for security sake

2015-12-26 Thread Hugo Slabbert
On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian wrote: Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year... Not on an ongoing basis, but I was curious as well, so a quick mailbox search for 2015:

Re: de-peering for security sake

2015-12-25 Thread Colin Johnston
> On 25 Dec 2015, at 00:48, valdis.kletni...@vt.edu wrote: > > On Thu, 24 Dec 2015 23:44:10 +, Colin Johnston said: >> We really need to ask if China and Russia for that matter will not take abuse >> reports seriously why allow them to network to the internet ? > > Well, first off, it isn't

Re: de-peering for security sake

2015-12-25 Thread Daniel Corbe
> On Dec 25, 2015, at 7:14 AM, Nick Hilliard wrote: > > Daniel Corbe wrote: >> Let’s just cut off the entirety of the third world instead of having >> a tangible mitigation plan in place. > > You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? > >>

Re: de-peering for security sake

2015-12-25 Thread Stephen Satchell
On 12/25/2015 06:18 AM, Mike Hammett wrote: To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin? The degree of splash damage by blocking this way will vary based

Re: de-peering for security sake

2015-12-25 Thread Max Tulyev
Come on, keep calm and wait a year: Russia and China will de-peer with all the world for their security (AKA censorship) reasons! ;) On 25.12.15 01:44, Colin Johnston wrote: > see > http://map.norsecorp.com > > We really need to ask if China and Russia for that matter will not take abuse >

Re: de-peering for security sake

2015-12-25 Thread Mike Hammett
- Original Message - From: "Daniel Corbe" <dco...@hammerfiber.com> To: "Nick Hilliard" <n...@foobar.org> Cc: "NANOG" <nanog@nanog.org> Sent: Friday, December 25, 2015 8:11:55 AM Subject: Re: de-peering for security sake > On Dec 25, 2015

Re: de-peering for security sake

2015-12-25 Thread Daniel Corbe
ons > http://www.ics-il.com > > > > Midwest Internet Exchange > http://www.midwest-ix.com > > > - Original Message - > > From: "Daniel Corbe" <dco...@hammerfiber.com> > To: "Nick Hilliard" <n...@foobar.org>

Re: de-peering for security sake

2015-12-25 Thread Owen DeLong
> On Dec 25, 2015, at 06:18 , Mike Hammett wrote: > > To the thread, not necessarily Daniel, if blocking countries\continents is a > bad thing (not saying I disagree), how do you deal with the flood of trash? > Just take it on the chin? Allowing hate speech is the price of

Re: de-peering for security sake

2015-12-25 Thread Nick Hilliard
Daniel Corbe wrote: > Let’s just cut off the entirety of the third world instead of having > a tangible mitigation plan in place. You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? > https://en.wikipedia.org/wiki/Third_World What an enormously silly idea. Seasons greetings to

Re: de-peering for security sake

2015-12-25 Thread Daniel Corbe
;> >> >> - Original Message - >> >> From: "Daniel Corbe" <dco...@hammerfiber.com> >> To: "Nick Hilliard" <n...@foobar.org> >> Cc: "NANOG" <nanog@nanog.org> >> Sent: Friday, December 25

Re: de-peering for security sake

2015-12-25 Thread Clayton Zekelman
Just an off the cuff thought but if the format of the abuse messages could be standardized so handling them would be semi-automated somewhat like ACNS notices, it might improve response. Maybe such a format already exists and just isn't widely used. Sent from my iPhone > On Dec 25, 2015, at

Re: de-peering for security sake

2015-12-25 Thread Owen DeLong
> On Dec 25, 2015, at 22:16 , Dan Hollis wrote: > > On Fri, 25 Dec 2015, Owen DeLong wrote: >> Merely because people are asleep at the switch does not give those of us in >> a position to understand the consequences license to abuse our position. > > At what point do you cut

Re: de-peering for security sake

2015-12-25 Thread Baldur Norddahl
On 25 December 2015 at 21:10, Colin Johnston wrote: > why do the Chinese network folks never reply and action abuse reports, > normal slow speed network abuse is tolerated, but not high speed deliberate > abuse albeit compromised machine > They do not speak the same

Re: de-peering for security sake

2015-12-25 Thread Mark Tinka
On 25/Dec/15 14:14, Nick Hilliard wrote: > You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? And watch the transit per-Mbps price go up? Who do we think funds the low bandwidth costs of the "first world"? Mark.

Re: de-peering for security sake

2015-12-25 Thread Colin Johnston
been there, done that 网络滥用 fix your ntp reflection servers :) Sent from my iPhone > On 25 Dec 2015, at 20:29, Baldur Norddahl wrote: > >> On 25 December 2015 at 21:10, Colin Johnston wrote: >> >> why do the Chinese network folks never reply

Re: de-peering for security sake

2015-12-25 Thread Baldur Norddahl
On 25 December 2015 at 20:06, Lee wrote: > Enable IPv6 for your users. 1) it's not going to have any "history" & > 2) ipv6 probably isn't blocked. > I am not aware of just one single government site in this country (Denmark) that is IPv6 enabled. There are zero Danish news

Re: de-peering for security sake

2015-12-25 Thread TR Shaw
ARF (http://www.rfc-editor.org/rfc/rfc5965.txt, https://www.rfc-editor.org/rfc/rfc6650.txt) and X-ARF (http://www.x-arf.org/index.html) are used quite a lot and many, like Yahoo, only accept ARF reports on abusive

Re: de-peering for security sake

2015-12-25 Thread Lee
On 12/24/15, Baldur Norddahl wrote: > I am afraid people are already doing this. Every time I bring a new IP > series into production, my users will complain that they are locked out > from sites including many government sites. This is because people will > load IP

Re: de-peering for security sake

2015-12-25 Thread Colin Johnston
why do the Chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines Sent from my iPhone > On 25 Dec 2015, at 19:43, Baldur Norddahl wrote: > >> On 25

Re: de-peering for security sake

2015-12-25 Thread Mikael Abrahamsson
On Fri, 25 Dec 2015, Colin Johnston wrote: why do the Chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines This is not a Chinese problem, this is a general ISP problem. Most

Re: de-peering for security sake

2015-12-25 Thread Andrew Kirch
Speaking as a former DNSBL operator, NANOG has a poor history of dealing with those who report abuse as well. On Fri, Dec 25, 2015 at 4:52 PM, Mikael Abrahamsson wrote: > On Fri, 25 Dec 2015, Colin Johnston wrote: > >> why do the Chinese network folks never reply and action

Re: de-peering for security sake

2015-12-25 Thread Owen DeLong
I think that even in the US, a provider would want a more specific complaint than “The network abuses”. Owen > On Dec 25, 2015, at 12:40 , Colin Johnston wrote: > > been there, done that > 网络滥用 fix your ntp reflection servers :) > > Sent from my iPhone > >> On 25 Dec

Re: de-peering for security sake

2015-12-25 Thread Hugo Slabbert
Just in case I missed the /s on there: > Maybe such a format already exists and just isn't widely used. It does and it isn't. http://www.x-arf.org/ -- Hugo h...@slabnet.com: email, xmpp/jabber also on Signal From: Clayton Zekelman -- Sent: 2015-12-25 - 14:12 >

Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Well, at least she's here rather than sprinkling eggnog and brandy flavoured pixie dust on our gear over the Christmas break. --srs > On 25-Dec-2015, at 9:08 AM, Owen DeLong wrote: > > Yes… Isn’t it impressive just how persistent the bad idea fairy can be? > > Owen

Re: de-peering for security sake

2015-12-24 Thread Joel Jaeggli
While you have a great deal of control over what prefixes you choose to accept... You have very little control over your advertised prefixes once they exit your ASN. Maybe your transits offer communities to control their peer advertisements. In general assuming you're paying for the Internet

Re: de-peering for security sake

2015-12-24 Thread Valdis . Kletnieks
On Thu, 24 Dec 2015 23:44:10 +, Colin Johnston said: > We really need to ask if China and Russia for that matter will not take abuse > reports seriously why allow them to network to the internet ? Well, first off, it isn't like China or Russia are just one ASN. You'd have to de-peer a bunch

Re: de-peering for security sake

2015-12-24 Thread Stephen Satchell
On 12/24/2015 04:50 PM, Daniel Corbe wrote: Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place. While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries

Re: de-peering for security sake

2015-12-24 Thread Baldur Norddahl
I am afraid people are already doing this. Every time I bring a new IP series into production, my users will complain that they are locked out from sites including many government sites. This is because people will load IP location lists into their firewall and drop packets at the border. Of

Re: de-peering for security sake

2015-12-24 Thread Owen DeLong
> On Dec 24, 2015, at 17:25 , Stephen Satchell wrote: > > On 12/24/2015 04:50 PM, Daniel Corbe wrote: >> Let’s just cut off the entirety of the third world instead of having >> a tangible mitigation plan in place. > > While you think you are making a snarky response, it

Re: de-peering for security sake

2015-12-24 Thread Daniel Corbe
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place. > On Dec 24, 2015, at 6:44 PM, Colin Johnston wrote: > > see > http://map.norsecorp.com > > We really need to ask if China and Russia for that matter will not take

Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year, and how many more times in the past 16 or so years? Mind you, back in say 2004, this discussion would have run to 50 or 60 emails at a bare minimum, in no time at all. --srs On

Re: de-peering for security sake

2015-12-24 Thread Owen DeLong
Yes… Isn’t it impressive just how persistent the bad idea fairy can be? Owen > On Dec 24, 2015, at 19:25 , Suresh Ramasubramanian > wrote: > > Hmm, has anyone at all kept count of the number of times such a discussion > has started up in just the last year, and how many