RE: IPv6 delivery model to end customers

2009-02-09 Thread Pekka Savola
On Sat, 7 Feb 2009, Mikael Abrahamsson wrote: But I wasn't talking (A)DSL. DSL is last century. I am talking VDSL2/ETTH. Security model there is to only have ethernet and IP, no PPP/ATM, no L2TPv3 or PPPoE. Let's skip the terms BRAS/LNS etc. Anything that terminates tunnels is expensive (apart

Re: Private use of non-RFC1918 IP space

2009-02-09 Thread Bill Stewart
On Sun, Feb 8, 2009 at 11:42 PM, Joel Jaeggli joe...@bogus.com wrote: FD00::/8 ula-l rfc 4139 s/4139/4193/ -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.

RE: IPv6 delivery model to end customers

2009-02-09 Thread Mikael Abrahamsson
On Mon, 9 Feb 2009, Pekka Savola wrote: I may be missing something. only have ethernet and IP. Why is plain-ethernet with each subscriber provisioned in a separate router's vlan subinterface insufficient? There is no security issue because each subscriber only sees its own traffic. It's

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Andy Davidson
On Thu, Feb 05, 2009 at 07:19:37PM -0500, Robert D. Scott wrote: Wii should not even consider developing a cool new protocol for the Wii that is not NAT compliant via V4 or V6. And if they do, we should elect a NANOG regular to go POSTAL and handle the problem. The solution to many of these

Re: Packet Loss between Qwest and Global Crossing

2009-02-09 Thread Andris Kalnozols
This post to the NANOG list in the hope that an interested engineer from either Qwest or GBLX will act on the problem I have observed. I've identified a packet loss problem (10-15%) between Qwest and Global Crossing. Thanks to whomever has fixed the problem. Packet loss is now zero and

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Mohacsi Janos
On Mon, 9 Feb 2009, Andy Davidson wrote: On Thu, Feb 05, 2009 at 07:19:37PM -0500, Robert D. Scott wrote: Wii should not even consider developing a cool new protocol for the Wii that is not NAT compliant via V4 or V6. And if they do, we should elect a NANOG regular to go POSTAL and handle

RE: v6 DSL / Cable modems

2009-02-09 Thread TJ
So far as I am aware, this is default behaviour only on certain versions of Mac OSX, and must be explicitly enabled on all others. Manually, on the console. RA does not dynamically distribute this behaviour; the client has to choose it. Usually it is a sysctl or a registry variable or the like.

RE: IPv6 delivery model to end customers

2009-02-09 Thread Soucy, Ray
It's scenario 2 I'm worried about; all those mechanisms haven't been implemented for IPv6 as far as I know, and if you're only doing 2.2-2.5 then you're open to the IPv6 security issue I described. We've been seeing problems with this for the last year or so (since Vista started showing up).

Re: 97.128.0.0/9 allocation to verizon wireless

2009-02-09 Thread Ben Scott
On Sat, Feb 7, 2009 at 9:24 PM, Jeff S Wheeler j...@inconcepts.biz wrote: Sure, smart phones are becoming more popular. My ancient and crufty Nextel iDEN i530 phone, manufactured circa 2003, with a monochrome 4-line text display, and about as dumb as they get, gets assigned an IP address.

Re: IPv6 delivery model to end customers

2009-02-09 Thread Mark Tinka
On Monday 09 February 2009 10:21:24 pm Soucy, Ray wrote: So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping). For IOS, have you tried the command: int gi0/1 ipv6 nd ra suppress Cheers, Mark.

Re: 97.128.0.0/9 allocation to verizon wireless

2009-02-09 Thread Martin Hannigan
On Sun, Feb 8, 2009 at 7:07 PM, Mark Andrews mark_andr...@isc.org wrote: In message 1234128761.17985.352.ca...@guardian.inconcepts.net, Jeff S Wheeler writes: On Sun, 2009-02-08 at 14:37 -0800, Aaron Glenn wrote: NAT? why isn't Verizon 'It's the Network' Wireless using IPv6?

FW: IPv6 delivery model to end customers

2009-02-09 Thread Soucy, Ray
For IOS, have you tried the command: int gi0/1 ipv6 nd ra suppress I think this only applies to RA originating from the L3 interface in question... not an L2 interface. I could be mistaken. I'll have to poke at it.

Re: FW: IPv6 delivery model to end customers

2009-02-09 Thread Mark Tinka
On Monday 09 February 2009 11:54:41 pm Soucy, Ray wrote: I think this only applies to RA originating from the L3 interface in question... not an L2 interface. Quite right, indeed. Mark.

RE: 97.128.0.0/9 allocation to verizon wireless

2009-02-09 Thread Holmes,David A
We're not a big verizon wireless customer, (we have been allocated a /25 for remote data access devices). We run multi-homed BGP with vw. vw says that they must advertise 48 summarized prefixes to us, instead of just the /25. The 48 prefixes are apparently advertised to all of the de-aggregated

Re: One /22 Two ISP no BGP

2009-02-09 Thread Andy Davidson
On Fri, Feb 06, 2009 at 01:13:14PM -0500, Joe Maimon wrote: Perhaps ebgp-multihop with this ISP's upstream provider might offer you an advantage combined with this approach. This is quite neat, but the ISP may be multihomed and support BGP at one edge (several transits, several peers), but not

Re: Packet Loss between Qwest and Global Crossing

2009-02-09 Thread Dave Temkin
This has been a recurring problem, especially in the Bay Area - and it seems as though neither side really cares all that much. -Dave Andris Kalnozols wrote: This post to the NANOG list in the hope that an interested engineer from either Qwest or GBLX will act on the problem I have observed.

Re: Packet Loss between Qwest and Global Crossing

2009-02-09 Thread Morgan Miskell
Oddly enough, we've got a few customers that are on Qwest network on the east coast and we see packet loss in the same range to them, we've tested origination packets from 6-7 networks. The customer has reported it and the issue has been ongoing for at least a week or two, but so far nothing has

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
A big one is a solution to address the security concerns with IPv6 RA (Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option of using DHCP snooping to suppress unauthorized DHCP servers from handing out address information. With IPv6, any host can announce itself as a router

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping). For IOS, have you tried the command: int gi0/1 ipv6 nd ra suppress That stops your router from sending any RAs. Does nothing to prevent

RE: IPv6 delivery model to end customers

2009-02-09 Thread Soucy, Ray
Indeed, this is a problem. RA Guard is a very straight-forward, hopefully soon-to-be-widely-supported, defense. http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01 Thanks for pointing us to this. It's encouraging to know that it is being worked on. Ray

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Ricky Beam
On Fri, 06 Feb 2009 22:32:10 -0500, Owen DeLong o...@delong.com wrote: IPTables is decent firewall code. Not really. It's quite complicated for a non-engineer type to manage. Think of all the unpatched windows xp/vista users of the world. It's free. ... Further, since more and more CPE

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Ricky Beam
On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk step...@sprunk.org wrote: Non-NAT firewalls do have some appeal, because they don't need to mangle the packets, just passively observe them and open pinholes when appropriate. This is exactly the same with NAT and non-NAT -- making any

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Jack Bates
Ricky Beam wrote: On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk step...@sprunk.org wrote: Non-NAT firewalls do have some appeal, because they don't need to mangle the packets, just passively observe them and open pinholes when appropriate. This is exactly the same with NAT and non-NAT --

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Scott Howard
On Sat, Feb 7, 2009 at 5:56 PM, Matthew Moyle-Croft m...@internode.com.auwrote: My issue is that customers have indicated that they feel statics are a given for IPv6 and this would be a problem if I went from tens of thousands of statics to hundreds of thousands of static routes (ie. from a

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Nathan Ward
On 10/02/2009, at 11:35 AM, Scott Howard wrote: Go and ask those people who feel statics are a given for IPv6 if they would prefer static or dynamic IPv4 addresses, and I suspect most/ all of them will want the static there too. Now ask your average user the same question and see if you

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Owen DeLong
On Feb 9, 2009, at 2:11 PM, Ricky Beam wrote: On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk step...@sprunk.org wrote: Non-NAT firewalls do have some appeal, because they don't need to mangle the packets, just passively observe them and open pinholes when appropriate. This is exactly

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Ricky Beam
On Fri, 06 Feb 2009 09:39:01 -0500, Iljitsch van Beijnum iljit...@muada.com wrote: If you want the machine to always have the same address, either enter it manually or set your DHCP server to always give it the same address. Manual configuration doesn't scale. With IPv4, it's quite hard to

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Michael Thomas
Nathan Ward wrote: On 10/02/2009, at 11:35 AM, Scott Howard wrote: Go and ask those people who feel statics are a given for IPv6 if they would prefer static or dynamic IPv4 addresses, and I suspect most/all of them will want the static there too. Now ask your average user the same question

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Stephen Sprunk
Ricky Beam wrote: On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk step...@sprunk.org wrote: Non-NAT firewalls do have some appeal, because they don't need to mangle the packets, just passively observe them and open pinholes when appropriate. This is exactly the same with NAT and non-NAT

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton
On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote: Yes, an ALG needs to understand the packet format to open pinholes -- but with NAT, it also needs to mangle the packets. A non-NAT firewall just examines the packets and then passes them on unmangled. Sure, but at the end of the day a

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Owen DeLong
On Feb 9, 2009, at 3:33 PM, Mark Newton wrote: On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote: Yes, an ALG needs to understand the packet format to open pinholes -- but with NAT, it also needs to mangle the packets. A non-NAT firewall just examines the packets and then passes them on

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton
On 10/02/2009, at 10:17 AM, Owen DeLong wrote: Sure, but at the end of the day a non-NAT firewall is just a special case of NAT firewall where the inside and outside addresses happen to be the same. Uh, that's a pretty twisted view. I would say that NAT is a special additional capability

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Matthew Kaufman
Owen DeLong wrote: In terms of implementing the code, sure, the result is about the same, but, the key point here is that there really isn't a benefit to having that packet mangling code in IPv6. Unless your SOX auditor requires it in order to give you a non-qualified audit of your

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Andrews
In message 4990c38c.8060...@eeph.com, Matthew Kaufman writes: Owen DeLong wrote: In terms of implementing the code, sure, the result is about the same, but, the key point here is that there really isn't a benefit to having that packet mangling code in IPv6. Unless your SOX auditor

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Jack Bates
Mark Newton wrote: Fine, you don't like rewriting L3 addresses and L4 port numbers. Yep, I get that. Relevance? Just out of what I like and might use, GRE (no port), ESP (no port), AH (no port), SCTP (would probably work fine with NAT, but I haven't seen it supported yet and because every

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton
On 10/02/2009, at 11:03 AM, Jack Bates wrote: There is if you have a dual-stack device, your L4-and-above protocols are the same under v4 and v6, and you don't want to reinvent the ALG wheel. ALG only fixes some problems, and it's not required for as much when address translations are

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Jack Bates
Mark Newton wrote: On a commodity consumer CPE device, the ALG code doubles as a stateful inspection engine. So it _is_ required when address translations are not being performed. H, the code may be there, but I suspect that not all of it will apply to v6 and be used. Is security

Network equipments process utilization

2009-02-09 Thread 정치영
Hi everyone, I wonder what percentage is a good level of CPU and memory utilization for network equipment? In my case, I try to keep under 30% CPU util and 70% memory util. Most of my equipment is Cisco products. I have no technical reference for that; it is just a rule of mine or my predecessor's.

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread TJ
As I read it, you don't want to use DHCP because it's another service to fail. Well, what do you think is broadcasting RAs? My DHCP servers have proven far more stable than my routers. (and one of them is a windows server :-)) Most dhcp clients that keep any state will continue using the

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread TJ
The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ...

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Mark Andrews
In message 00cf01c98b24$efe42680$cfac73...@com, TJ writes: Also, it is not true in every case that hosts need a lot more than an address. In many cases all my machine needs is an address, default gateway and DNS server (cheat off of v4 | RFC5006 | Stateless DHCPv6). address + default

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread John Peach
On Mon, 9 Feb 2009 21:16:49 -0500 TJ trej...@gmail.com wrote: The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ... SOX auditors are incompetent. I've been

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Christopher Morrow
On Mon, Feb 9, 2009 at 6:16 PM, Ricky Beam jfb...@gmail.com wrote: On Fri, 06 Feb 2009 09:39:01 -0500, Iljitsch van Beijnum iljit...@muada.com wrote: If you want the machine to always have the same address, either enter it manually or set your DHCP server to always give it the same address.

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Seth Mattinen
John Peach wrote: On Mon, 9 Feb 2009 21:16:49 -0500 TJ trej...@gmail.com wrote: The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ... SOX auditors are

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread TJ
The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ... SOX auditors are incompetent. I've been asked about anti-virus software on UNIX servers and then asked to

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Jack Bates
TJ wrote: When the compliance explicitly requires something they are required to check for it, they don't have the option of ignoring or waving requirements ... and off the top of my head I don't recall if it is SOX that calls for RFC1918 explicitly but I know there are some that do. I believe

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread TJ
Why would anyone NOT want that?? what replaces that option in current RA deployments? One nit - I like to differentiate between the presence of RAs (which should be every user where IPv6 is present) and the use of SLAAC (RA + prefix). Right now - Cheat off of IPv4's config. (Lack of DHCPv6

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01 Thanks for pointing us to this. It's encouraging to know that it is being worked on. My pleasure, now everyone - feel free to ring up your local sales/support rep and encourage their product to implement this ... please! /TJ

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Frank Bulk - iName.com
Comtrend DSL modems use iptables in their code. I discovered this while trying to understand why small-MTU FTP breaks when issuing the PORT command. Frank -Original Message- From: Ricky Beam [mailto:jfb...@gmail.com] Sent: Monday, February 09, 2009 4:01 PM To: Owen DeLong Cc:

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Andrews
In message 00df01c98b27$3181b7e0$948527...@com, TJ writes: The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ... SOX auditors are incompetent. I've been asked

Re: Automatic Switches?

2009-02-09 Thread Joe Greco
Seth Mattinen wrote: I hate to interrupt the IPv6 and RFC 1918 mega-threads... Does anyone know of a company that makes 208v (3-wire line-line ground, no neutral, 208v loads only, single phase) 30-60 amp automatic transfer switches with sub-30ms switching time? APC used to make the

RE: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread TJ
When the compliance explicitly requires something they are required to check for it, they don't have the option of ignoring or waving requirements ... and off the top of my head I don't recall if it is SOX that calls for RFC1918 explicitly but I know there are some that do. I believe that

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Matthew Kaufman
Mark Andrews wrote: Please cite references. I can find plenty of firewall required references but I'm yet to find a NAT and/or RFC 1918 required. (Skip if you've participated in a SOX audit from the IT department POV) The way it works is that the law doesn't call for

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Christopher Morrow
On Mon, Feb 9, 2009 at 9:47 PM, TJ trej...@gmail.com wrote: Why would anyone NOT want that?? what replaces that option in current RA deployments? One nit - I like to differentiate between the presence of RAs (which should be every user where IPv6 is present) and the use of SLAAC (RA + prefix).

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread John Osmon
On Tue, Feb 10, 2009 at 02:16:10PM +1100, Mark Andrews wrote: In message 00df01c98b27$3181b7e0$948527...@com, TJ writes: [...SOX auditor stuff...] When the compliance explicitly requires something they are required to check for it, they don't have the option of ignoring or waving

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Nuno Vieira - nfsi telecom
security by obscurity is not the way, everyone knows it. those guys will figure it out sooner or later (where later, might take ages). in the meanwhile, a lot have pseudo-secured networks thru triple-nat, quadruple-nat, multiple ipsec'd layered and so, and others live with the hammer in their

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Scott Howard
On Mon, Feb 9, 2009 at 9:54 PM, John Osmon jos...@rigozsaurus.com wrote: It isn't SOX, but sadly enough, PCI DSS Requirement 1.5 says: Implement IP address masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC

RE: IPv6 delivery model to end customers

2009-02-09 Thread Mikael Abrahamsson
On Mon, 9 Feb 2009, TJ wrote: My pleasure, now everyone - feel free to ring up your local sales/support rep and encourage their product to implement this ... please! What about DHCPv6 / DHCPV6-PD sniffing (and using that info to create L3 filter rules in L2 devices), is a standard needed or

Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Matthew Palmer
On Mon, Feb 09, 2009 at 09:27:59PM -0500, TJ wrote: The SOX auditor ought to know better. Any auditor that requires NAT is incompetent. Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ... SOX auditors are incompetent. I've been asked about