Re: AWS Elastic IP architecture
On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong o...@delong.com wrote:
> For example, let’s say you have 20 machines for whom you want to allow inbound SSH access. In the IPv4 world, with NAT, you have to configure an individual port mapping for each machine and you have to either configure all of the SSH clients, or, specify the particular port for the machine you want to get to on the command line.

In the original case in question the fact that there's NAT happening isn't material... so all of this discussion of NAT is a red herring, right?

The user of AWS services cares not that 'NAT is happening', because they can simply RESTful up a VM instance and ssh into it in ~30 seconds, no config required.

Let's skip all NAT discussions on this topic from here on out, yes?
Re: Routing Insecurity (Re: BGP in the Washington Post)
On 2015-06-01 22:07, Mark Andrews wrote:
> If you have secure BGP deployed then you could extend the authentication to securely authenticate source addresses you emit and automate BCP38 filter generation and then you wouldn't have to worry about DNS, NTP, CHARGEN etc. reflecting spoofed traffic.

I don't believe this is entirely true, and BGPSEC certainly doesn't solve most of what I'm concerned about from a routing security perspective. See, e.g.:

https://tools.ietf.org/html/draft-ietf-grow-simple-leak-attack-bgpsec-no-help-04

That said, an Internet number resource certification infrastructure, be it RPKI or something with a single root and scalable(!), is certainly necessary, and can be used to bootstrap policy databases (e.g., IRRs) that address both the inter-domain routing (e.g., origin validation) and data plane anti-spoofing security problems, and perhaps not require operators (enterprises and nation states alike) to trade the autonomy and flexibility they have in routing today for what others see as their infrastructure security needs.

After all, stability, resiliency, and availability are ALSO factors in the risk management gumbo that need to be considered by organizations, and the tight coupling of RPKI and BGPSEC as designed are quite possibly not as attractive to some operators as the designers might suggest, particularly in light of new external dependencies, competitive markets, Internet governance, geopolitical climate, etc.

Many that haven't deployed or have lost interest in having the conversation have done so deliberately, and would prefer a routing-by-rumor paradigm that affords autonomy and flexibility to one where new control points and exorbitant costs and complexity simply scare the heck out of them, the primitives of which surely extend to many of the luminaries quoted in those articles.

YMMV,

-danny
Re: AWS Elastic IP architecture
we are starting to waste packets arguing over some private intellectual property

On Wed, Jun 3, 2015 at 3:24 PM, Christopher Morrow morrowc.li...@gmail.com wrote:
> [Christopher Morrow's reply to Owen DeLong, identical to the message above, trimmed]
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Yep, definitely I'll give this a trial run. We are developing a nullroute application internally. I'll try to run this in our lab.

On Wed, Jun 3, 2015 at 3:16 AM, Pavel Odintsov pavel.odint...@gmail.com wrote:
> Hello, Nanog!
>
> I'm very pleased to present my open source DoS/DDoS attack monitoring toolkit here! We have spent about 10 months on the development of FastNetMon and can present a huge feature list now! :)
>
> Stop! What is FastNetMon? It's a really very fast toolkit which can find the attacked host in your network and block it (or redirect it to a filtering appliance). This solution could save your network and your sleep :)
>
> Our site is located here: https://github.com/FastVPSEestiOu/fastnetmon
>
> We support the following engines for traffic capture:
> - Netflow (v5, v9 and IPFIX)
> - sFLOW v5
> - port mirror/SPAN (PF_RING and netmap supported)
>
> Also we have deep integration with ExaBGP (huge thanks to Thomas Mangin) for triggering a blackhole on the core router or upstream.
>
> Since version 1.0 we have added support for the following features:
> - Ability to detect the most popular attack types: syn_flood, icmp_flood, udp_flood, ip_fragmentation_flood
> - Add support for netmap for Linux (we have prepared a special driver for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap) and FreeBSD
> - Add support for PF_RING ZC (very fast but needs a license from the ntop folks)
> - Add ability to collect netflow v9/IPFIX data from multiple devices with different template sets
> - Basic support for IPv6 (we can receive netflow data over IPv6)
> - Add plugin support for capture engines
> - Add support for L2TP decapsulation (important for DDoS attack detection inside tunnels)
> - Add ability to store attack details in Redis
> - Add Graphite/Grafana integration for traffic visualization
> - Add systemd unit file
> - Add ability to unblock a host after some timeout
> - Introduce support of a moving average for all counters
> - Add ExaBGP integration. We can announce the attacked host with BGP to the border router or uplink
> - Add much more detail in the attack report
> - Add ability to store the attack fingerprint in a file
>
> We have complete support for the following platforms:
> - Fedora 21
> - Debian 6, 7, 8
> - CentOS 6, 7
> - FreeBSD 9, 10, 11
> - DragonflyBSD 4
> - MacOS X 10.10
>
> From the network equipment side we have tested the solution with:
> - Cisco ASR
> - Juniper MX
> - Extreme Summit
> - ipt_NETFLOW Linux
>
> We have binary packages for these operating systems:
> - CentOS 6: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
> - CentOS 7: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
> - Fedora 21: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
> - FreeBSD: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port
>
> For any other operating system we recommend the automatic installer script: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md
>
> Please join our mailing list or ask about anything here: https://groups.google.com/forum/#!forum/fastnetmon
>
> Thank you for your attention!
>
> --
> Sincerely yours, Pavel Odintsov
Re: AWS Elastic IP architecture
On Jun 2, 2015, at 4:08 PM, Matthew Kaufman matt...@matthew.at wrote:
> On 6/2/15 2:35 AM, Owen DeLong wrote:
>> On Jun 2, 2015, at 5:49 AM, Matthew Kaufman matt...@matthew.at wrote:
>>> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>>>> In message CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1ffwxrn6k-...@mail.gmail.com, Christopher Morrow writes:
>>>>> On Mon, Jun 1, 2015 at 9:02 PM, Ca By cb.li...@gmail.com wrote:
>>>>>> On Monday, June 1, 2015, Mark Andrews ma...@isc.org wrote:
>>>>>>> In message CAL9jLaYXCdfViHbUPx-=rs4vsx5mfecpfue8b7vq+au2hcx...@mail.gmail.com, Christopher Morrow writes:
>>>>>>>> So... I don't really see any of the above arguments for v6 in a vm setup to really hold water in the short term at least. I think for sure you'll want v6 for public services 'soon' (arguably like 10 yrs ago so you'd get practice and operational experience and ...) but for the rest sure it's 'nice', and 'cute', but really not required for operations (unless you have v6 only customers)
>>>>>>>
>>>>>>> Everyone has effectively IPv6-only customers today. IPv6 native + CGN only works for services. Similarly DS-Lite and 464XLAT.
>>>>>
>>>>> ok, and for the example of 'put my service in the cloud' ... the service is still accessible over ipv4 right?
>>>>
>>>> It depends on what you are trying to do. Having something in the cloud manage something at home. You can't reach the home over IPv4 more and more these days as. IPv6 is the escape path for that but you need both ends to be able to speak IPv6.
>>>
>>> ...and for firewalls to not exist. Since they do, absolutely all the techniques required to reach something at home over IPv4 are required for IPv6. This is on the great myths of the advantages of IPv6 list.
>>
>> IPv4 with NAT, you can open one host at home to remote access, or, in some cases, you can select different hosts by using the port number in lieu of the host name/address.
>
> IPv4 with NAT, standard NAT/firewall traversal techniques are used so that things inside your house are reachable as necessary. Almost nobody configures their firewall to open up anything.

HuH?

How do I SSH into my host behind my home NAT firewall without configuration of the firewall?

You are making no sense here. NAT traversal techniques provide for outbound connections and/or a way that a pseudo-service can create an inbound connection that looks like an outbound connection to the firewall. It does not in any way provide for generic inbound access to ordinary services without configuration.

>> IPv6 — I add a permit statement to the firewall to allow the traffic in to each host/group of hosts that I want and I am done.
>
> IPv6, standard NAT/firewall traversal techniques are used so that things inside your house are reachable as necessary. Still almost nobody configures their firewall to open up anything.

Why would one use NAT with IPv6… You’re making no sense there.

> For those who do, the work needed to open up a few host/port mappings in IPv4 is basically identical to opening up a few hosts and ports for IPv6.

Not really…

For example, let’s say you have 20 machines for whom you want to allow inbound SSH access. In the IPv4 world, with NAT, you have to configure an individual port mapping for each machine and you have to either configure all of the SSH clients, or, specify the particular port for the machine you want to get to on the command line.

On the other hand, with IPv6, let’s say the machines are all on 2001:db8::/64. Further, let’s say that I group machines for which I want to provide SSH access within 2001:db8::22:0:0:0/80. I can add a single firewall entry which covers this /80 and I’m done. I can put many millions of hosts within that range and they all are accessible directly for SSH from the outside world. Takes about 20 seconds to configure my firewall once and then I never really need to worry about it again.

Further, in the IPv4 case, I need special client configuration or client invocation effort every time, while with the IPv6 case, I can simply put the hostname in DNS and then use the name thereafter.

I do not see the above as being equal effort or as yielding equal results.

> For the automatic traversal cases, the end-user effort is identical.

Sure, but automatic traversal is the exception not the rule when considering internet services.

> For the incredibly rare case of manual configuration (which as NANOG participants we often forget, since we're adjusting our routers all the time) there is almost no difference for most use cases.

Not true as noted above.

> Yes, the results are marginally superior in the IPv6 case. Nobody cares.

I would argue that it’s more than marginal.

>> As such, I’d say that your statement gets added to the great myths of Matthew Kauffman rather than there being any myth about this being an IPv6 advantage.
>>
>> I can assure you that it is MUCH easier for me to remote-manage my mother’s machines over their IPv6 addresses than to get to them over IPv4.
>
> Only because you've insisted on doing
Re: Routing Insecurity (Re: BGP in the Washington Post)
On 3 Jun 2015, at 9:04, Ethan Katz-Bassett wrote:
> The same folks also followed up that workshop paper with a longer paper on the topic: https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf

Thanks to you and to Dale Carter - I was unaware of these papers.

Nonetheless, the risk remains of authorities interfering with the BGP as they've interfered with the DNS.

I'm very cognizant of the non-trivial effects of route-hijacking, having been involved in helping get a few of them resolved. Nonetheless, my natural skepticism leads me to wonder whether we aren't better off with the problematic, error-prone system we have (not to mention the enumeration and enhanced DDoS impact of packeting routers doing crypto for their BGP sessions and which aren't protected via iACLs/GTSM).

---
Roland Dobbins rdobb...@arbor.net
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Interesting project, Pavel. I'll most certainly give this a trial run.

On Tue, Jun 2, 2015 at 10:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote:
> [FastNetMon 1.1.2 announcement, quoted in full in the reply above, trimmed]

--
Met vriendelijke groeten / With kind regards,
Johan Kooijman
Re: Password Decryption Methods?
Grab the firmware and run it through BinWalk. You should be able to pull out the firmware and see what it does to the password before storing it.

On 2 Jun 2015 22:03, Landon Stewart landonstew...@gmail.com wrote:
> On Jun 2, 2015, at 9:23 AM, Michael O Holstein michael.holst...@csuohio.edu wrote:
>> If you can share the other details (make, model, firmware revision, processor type, etc.) .. whatever you know and can share) .. it would be more helpful. Also, how'd you get the hash? .. from a config file backup or from another device that used it to access this one? If so, what software, etc.
>
> Serial # too. :-D
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Thank you for your interest! Feel free to ask me about anything! Feature requests are very much appreciated!

On Wed, Jun 3, 2015 at 9:31 AM, Johan Kooijman m...@johankooijman.com wrote:
> Interesting project, Pavel. I'll most certainly give this a trial run.
>
> On Tue, Jun 2, 2015 at 10:16 PM, Pavel Odintsov pavel.odint...@gmail.com wrote:
>> [FastNetMon 1.1.2 announcement, quoted in full earlier in this thread, trimmed]
>
> --
> Met vriendelijke groeten / With kind regards,
> Johan Kooijman

--
Sincerely yours, Pavel Odintsov
Re: WiFi courses/vendors recommendation
+1 for CWNP courses. The CWNA and CWDP cover RF quite well too; you'll pick up most of what's needed.

..imho the only benefit of most of the vendor specific courses is to tell you how to manage their control plane. Which button to click on the interface etc ;)

alan
Re: BGP in the Washngton Post
On (2015-06-02 21:51 -0700), Randy Bush wrote:
> The RPKI is an X.509 based hierarchy [rfc 6481] which is congruent with the internet IP address allocation administration, the IANA,

Hijacking this thread.

I've requested 'loose rpki' from both our main vendors years ago, nothing has happened.

An SP trying to deploy RPKI may have negative business impact: if the far end fat-fingers and fails RPKI, then my connectivity to them is broken, while a competitor who isn't running RPKI still works fine. Essentially suits may view deploying RPKI as spending money to lose money.

A comfortable slow-start would be to have 'loose rpki' which essentially has 3 adj-ribs: verified-rpki, missing-rpki, failed-rpki. Then loc-rib is built from each of these, so that no overlapping routes are installed from inferior ribs. That is, if verified-rpki has 192.0.2.0/24, missing/failed-rpki cannot install it or a more-specific of it.

Net result is, we will always use the verified-rpki route if it exists, but if no other options exist, we're happy to use any available route.

JunOS allows routing-policy to match on verified status, but this obviously cannot override more-specifics.

--
  ++ytti
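The three-RIB merge described in the post above, as an added example that is not part of ytti's message, JunOS, or any vendor's implementation: a small Python model that builds a loc-RIB from verified-rpki, missing-rpki and failed-rpki adj-RIBs so that a route from a lower-ranked RIB is never installed when a higher-ranked RIB already holds the same prefix or a less-specific that contains it. The routes, next-hops and RIB contents are constructed for the example from documentation prefixes; real best-path selection has many more tie-breakers, and this model keeps one next-hop per prefix per adj-RIB.

```python
# Added example (not from ytti's post, JunOS or any vendor): a toy model of
# the 'loose RPKI' loc-RIB construction described above.  Sample routes are
# constructed from documentation prefixes; real best-path selection has many
# more steps, and this keeps a single next-hop per prefix per adj-RIB.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Most to least preferred, using the three adj-RIB names from the post.
RIB_ORDER = ("verified-rpki", "missing-rpki", "failed-rpki")

# Constructed sample input: rib name -> list of (prefix, next-hop).
SAMPLE_ADJ_RIBS: Dict[str, List[Tuple[str, str]]] = {
    "verified-rpki": [("192.0.2.0/24", "198.51.100.1")],
    "missing-rpki": [
        ("192.0.2.128/25", "198.51.100.2"),     # more-specific of a verified route
        ("203.0.113.0/24", "198.51.100.2"),     # nothing better covers it
    ],
    "failed-rpki": [
        ("192.0.2.0/24", "198.51.100.3"),       # same prefix as a verified route
        ("203.0.113.0/25", "198.51.100.3"),     # more-specific of a missing-rpki route
        ("2001:db8::/32", "2001:db8:ffff::1"),  # only route for this space
    ],
}


def _covered(prefix, installed) -> bool:
    """True if prefix equals, or is a more-specific of, an installed prefix."""
    return any(
        prefix.version == inst.version and prefix.subnet_of(inst)
        for inst in installed
    )


def build_loc_rib(adj_ribs: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Tuple[str, str]]:
    """Merge the adj-RIBs into a loc-RIB mapping prefix -> (next-hop, source RIB).

    RIBs are walked in RIB_ORDER.  A route from a lower-ranked RIB is skipped
    when a higher-ranked RIB already installed the same prefix or a
    less-specific containing it, so a missing or failed route can never
    shadow a verified one or carve a more-specific out of it.  Within one
    RIB, less- and more-specifics coexist as they normally would.
    """
    loc_rib: Dict[str, Tuple[str, str]] = {}
    superior = []  # prefixes installed from RIBs ranked above the current one
    for rib in RIB_ORDER:
        installed_now = []
        for prefix_str, next_hop in adj_ribs.get(rib, []):
            prefix = ip_network(prefix_str, strict=True)
            if _covered(prefix, superior):
                continue  # a better-validated route already owns this space
            loc_rib[str(prefix)] = (next_hop, rib)
            installed_now.append(prefix)
        superior.extend(installed_now)
    return loc_rib


def lookup(loc_rib: Dict[str, Tuple[str, str]], address: str) -> Optional[Tuple[str, str, str]]:
    """Longest-prefix match: (prefix, next-hop, source RIB), or None if unrouted."""
    addr = ip_address(address)
    best: Optional[Tuple[str, str, str]] = None
    best_len = -1
    for prefix_str, (next_hop, rib) in loc_rib.items():
        prefix = ip_network(prefix_str)
        if prefix.version == addr.version and addr in prefix and prefix.prefixlen > best_len:
            best, best_len = (prefix_str, next_hop, rib), prefix.prefixlen
    return best


if __name__ == "__main__":
    rib = build_loc_rib(SAMPLE_ADJ_RIBS)
    for prefix, (next_hop, source) in rib.items():
        print(f"{prefix:<18} via {next_hop:<18} [{source}]")
    print("192.0.2.200 ->", lookup(rib, "192.0.2.200"))
```

Read this way, the rule is deliberately one-directional: a failed-rpki less-specific (say 192.0.0.0/16) is still installed next to a verified 192.0.2.0/24, which is what makes the scheme "loose". Traffic for the verified space follows the verified route by longest match and everything else keeps working, while an unvalidated equal or more-specific prefix can never pull traffic away from a verified route.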
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Hello!

Thank you! Please share your experience after tests!

On Wed, Jun 3, 2015 at 5:50 PM, Budiwijaya bbuuddi...@gmail.com wrote:
> Yep, definitely i'll give this a trial run. We are developing nullroute application internally. I'll try to run this in our lab.
>
> On Wed, Jun 3, 2015 at 3:16 AM, Pavel Odintsov pavel.odint...@gmail.com wrote:
>> [FastNetMon 1.1.2 announcement, quoted in full earlier in this thread, trimmed]

--
Sincerely yours, Pavel Odintsov
nanog.org Website down ?
Not sure what's up - however I see what's down this AM. From the hotel nanog.org was not reachable. So, I tunneled out of the hotel to my office, still not reachable at 6:15 AM

nanog.org (50.31.151.73)
www.nanog.org (50.31.151.73)

Bob Evans
CTO
Fiber Internet Center
Re: nanog website down
At this time, we believe all services have been restored.

On Wed, Jun 3, 2015 at 11:16 AM, Eric Oosting eric.oost...@gmail.com wrote:
> This morning we suffered a hardware failure in our production environment. The outage affected nanog mail and web services. While mail services have recovered, web services are still down. We apologize for the inconvenience.
>
> -e
nanog website down
This morning we suffered a hardware failure in our production environment. The outage affected nanog mail and web services. While mail services have recovered, web services are still down. We apologize for the inconvenience.

-e
Re: AWS Elastic IP architecture
On 6/3/2015 4:56 AM, Owen DeLong wrote:
> On Jun 2, 2015, at 4:08 PM, Matthew Kaufman matt...@matthew.at wrote:
>> On 6/2/15 2:35 AM, Owen DeLong wrote:
>>> On Jun 2, 2015, at 5:49 AM, Matthew Kaufman matt...@matthew.at wrote:
>>>> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>>>>> [earlier exchange between Christopher Morrow, Ca By and Mark Andrews, quoted in full in Owen DeLong's message above, trimmed]
>>>>>
>>>>> It depends on what you are trying to do. Having something in the cloud manage something at home. You can't reach the home over IPv4 more and more these days as. IPv6 is the escape path for that but you need both ends to be able to speak IPv6.
>>>>
>>>> ...and for firewalls to not exist. Since they do, absolutely all the techniques required to reach something at home over IPv4 are required for IPv6. This is on the great myths of the advantages of IPv6 list.
>>>
>>> IPv4 with NAT, you can open one host at home to remote access, or, in some cases, you can select different hosts by using the port number in lieu of the host name/address.
>>
>> IPv4 with NAT, standard NAT/firewall traversal techniques are used so that things inside your house are reachable as necessary. Almost nobody configures their firewall to open up anything.
>
> HuH?
>
> How do I SSH into my host behind my home NAT firewall without configuration of the firewall?

Nobody but you and a few hundred other people on this mailing list SSH into hosts at your home. Everyone else in the entire world reaches hosts at their house through their firewall just fine because those hosts are their Nest thermostat, or their Dropcam, or their PC running Skype, or maybe (in rare cases) something like LogMeIn. None of those people ever touch the settings of the device they had delivered by their ISP and/or purchased at Best Buy. Not ever.

> You are making no sense here. NAT Traversal techniques provide for outbound connections and/or a way that a pseudo-service can create an inbound connection that looks like an outbound connection to the firewall. It does not in any way provide for generic inbound access to ordinary services without configuration.

So what? Nobody (to several levels of statistical significance) needs generic inbound access to ordinary services. Heck, the only ordinary services that exist any more are HTTP/HTTPS.

>>> IPv6 — I add a permit statement to the firewall to allow the traffic in to each host/group of hosts that I want and I am done.
>>
>> IPv6, standard NAT/firewall traversal techniques are used so that things inside your house are reachable as necessary. Still almost nobody configures their firewall to open up anything.
>
> Why would one use NAT with IPv6… You’re making no sense there.

I didn't say you would... but you need firewall traversal, and the standard NAT and firewall traversal techniques are how you traverse your IPv6 firewall.

>> For those who do, the work needed to open up a few host/port mappings in IPv4 is basically identical to opening up a few hosts and ports for IPv6.
>
> Not really…
>
> For example, let’s say you have 20 machines for whom you want to allow inbound SSH access. In the IPv4 world, with NAT, you have to configure an individual port mapping for each machine and you have to either configure all of the SSH clients, or, specify the particular port for the machine you want to get to on the command line.

Ok, you go find me 1000 households where nobody in the house is on the NANOG list but where there are 20 machines running SSH already installed.

> On the other hand, with IPv6, let’s say the machines are all on 2001:db8::/64. Further, let’s say that I group machines for which I want to provide SSH access within 2001:db8::22:0:0:0/80. I can add a single firewall entry which covers this /80 and I’m done. I can put many millions of hosts within that range and they all are accessible directly for SSH from the outside world.
Re: nanog.org Website down ?
Yeah, looks like this just made it to the list:

> This morning we suffered a hardware failure in our production environment. The outage affected nanog mail and web services. While mail services have recovered, web services are still down.

On Wed, Jun 3, 2015 at 8:31 AM, Bob Evans b...@fiberinternetcenter.com wrote:
> Not sure what's up - however I see what's down this AM. From the hotel nanog.org was not reachable. So, I tunneled out of the hotel to my office, still not reachable at 6:15 AM
>
> nanog.org (50.31.151.73)
> www.nanog.org (50.31.151.73)
>
> Bob Evans
> CTO
> Fiber Internet Center
Re: AWS Elastic IP architecture
On Wed 2015-Jun-03 13:11:34 -0400, valdis.kletni...@vt.edu wrote:
> On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:
>> Ah, the IPv6 subnets are so big you can't find the hosts myth. Let's see... to find which hosts are active in IPv6 I can:
>> - run a popular web service that people connect to, revealing their addresses
>
> If your vulnerable laser printer or webcam is calling out to Hotmail or Google or whatever, you got *bigger* problems, dude

Not to support Mr. Kaufman's line of reasoning, but:

https://h30495.www3.hp.com/c/46775/US/en/?jumpid=in_R11549%2Feprintcenter
https://www.google.com/cloudprint/#printers

:(
Re: BGP offloading (fixing legacy router BGP scalability issues)
On Mon, May 11, 2015 at 8:38 PM, Chaim Rieger chaim.rie...@gmail.com wrote:
> Freddy, did you get your test up ?

Finally had some time to set up a lab environment and do some basic testing regarding the fully transparent approach mentioned in the initial email.

My biggest concern was that the Cisco wouldn't like packets with its own MAC source address. But luckily it's dumb enough to just forward them.

Hacked together a small scapy program to implement selective proxy ARP/NDP spoofing. It's working perfectly fine in my lab setup.

As it turns out a quick reality check on our peering ports shows that most BGP implementations are correctly setting TTL to 1 for eBGP sessions by default. That of course breaks my initial plan to just route the BGP packets to the server (the Cisco will drop them due to TTL expiration). Using a vlan access-map it might be possible to redirect the packets to another interface to fix that. The worst case solution for that should be an RSPAN session with a corresponding filter.

Essentially all the bricks are there, they just need to be assembled.

Best Regards,
Freddy
Re: AWS Elastic IP architecture
On Mon, 01 Jun 2015 21:25:52 -0700, Tony Hain said:

> Try https://snapchat.com and see if you ever get an IPv6 connection...

Obviously some gremlins got busy when they got called out on NANOG...

% wget https://www.snapchat.com
--2015-06-03 13:13:00--  https://www.snapchat.com/
Resolving www.snapchat.com (www.snapchat.com)... 2607:f8b0:400d:c06::79, 74.125.22.121
Connecting to www.snapchat.com (www.snapchat.com)|2607:f8b0:400d:c06::79|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html          [ = ]   4.35K  --.-KB/s   in 0s

2015-06-03 13:13:03 (33.5 MB/s) - 'index.html' saved [4458]

When I hit it with Firefox, IPFox reports the connection is ipv6 as well (but a bit harder to get a screenshot)...
Re: AWS Elastic IP architecture
On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:

> Ah, the "IPv6 subnets are so big you can't find the hosts" myth. Let's see... to find which hosts are active in IPv6 I can:
> - run a popular web service that people connect to, revealing their addresses

If your vulnerable laser printer or webcam is calling out to Hotmail or Google or whatever, you got *bigger* problems, dude
NANOG 64 recordings
Hi all,

For those that missed them:

https://www.youtube.com/playlist?list=PLO8DR5ZGla8ju3ftZv_S6L12jBkZKEJVZ

-- 
Sadiq Saif (AS393949)
https://staticsafe.ca
Re: BGP in the Washington Post
On 6/2/2015 00:27, Scott Weeks wrote:

> Great article for the WP and they asked good questions from the correct people, but I have to take issue with the lack of network operator's participation comments:
>
> : But getting network operators to participate is proving
> : difficult.
>
> : Many network operators also are cool to taking the further
> : step of adopting a secure new routing protocol called BGPSEC
> : to replace BGP.
>
> : "Unless [network] operators can see that the benefits will
> : generally outweigh the costs, they just won't deploy it."
>
> It's more that the managers who have no idea what is going on are forcing operators to focus their attention elsewhere, rather than the important things until everyone's behind the 8-ball. Then, all of the sudden, the mostly clueless managers are all about it. But, by then it's too late.
>
> Farting in a hurricane and hoping it makes a difference... ;-)

Pardon me, (and please forgive me if I am wrong), but I think that from the viewpoints of the Washington Post, its readers, and probably all of humanity save the view on this list, the MANAGEMENT of the several ISP firms and organizations IS the operators. Folks out on the operating floor don't really exist.

-- 
sed quis custodiet ipsos custodes? (Juvenal)
Re: BGP in the Washington Post
--- larryshel...@cox.net wrote:

> From: Larry Sheldon larryshel...@cox.net
>
> On 6/2/2015 00:27, Scott Weeks wrote:
>
>> Great article for the WP and they asked good questions from the correct people, but I have to take issue with the lack of network operator's participation comments:
>>
>> : But getting network operators to participate is proving
>> : difficult.
>>
>> : Many network operators also are cool to taking the further
>> : step of adopting a secure new routing protocol called BGPSEC
>> : to replace BGP.
>>
>> : "Unless [network] operators can see that the benefits will
>> : generally outweigh the costs, they just won't deploy it."
>>
>> It's more that the managers who have no idea what is going on are forcing operators to focus their attention elsewhere, rather than the important things until everyone's behind the 8-ball. Then, all of the sudden, the mostly clueless managers are all about it. But, by then it's too late.
>>
>> Farting in a hurricane and hoping it makes a difference... ;-)
>
> Pardon me, (and please forgive me if I am wrong), but I think that from the viewpoints of the Washington Post, its readers, and probably all of humanity save the view on this list, the MANAGEMENT of the several ISP firms and organizations IS the operators. Folks out on the operating floor don't really exist.

--

No, looking at it the way you phrase it, you're not wrong. To me, the operators are the folks with the technical know-how and the admin password. I guess I have been out on the raggedy edges (likely soon to change...) too long and I am not used to managers that have any understanding of network operations/engineering. But I do understand what you're saying.

And I'm on the list. ;-)

scott
RE: AWS Elastic IP architecture
IoT says your toaster will be uploading your breakfast to 10 social media accounts and your socks will be connected to the hospital. Your fridge is also a spambot now too!

http://www.businessinsider.com/hackers-use-a-refridgerator-to-attack-businesses-2014-1

IoT means everything gets hacked. Maybe someone can make Cryptolocker to lock you out of your fridge until you pay a ransom. We are entering a whole new era of exciting vulnerabilities.

Steve Mikulasik

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of valdis.kletni...@vt.edu
Sent: Wednesday, June 03, 2015 11:12 AM
To: Matthew Kaufman
Cc: nanog@nanog.org
Subject: Re: AWS Elastic IP architecture

On Tue, 02 Jun 2015 09:35:11 -0700, Matthew Kaufman said:

> Ah, the "IPv6 subnets are so big you can't find the hosts" myth. Let's see... to find which hosts are active in IPv6 I can:
> - run a popular web service that people connect to, revealing their addresses

If your vulnerable laser printer or webcam is calling out to Hotmail or Google or whatever, you got *bigger* problems, dude