Re: IPv6 filtering

2011-01-25 Thread Mohacsi Janos
On Wed, 26 Jan 2011, Franck Martin wrote: • ipv6 41 IPv6 # IPv6 • ipv6-route 43 IPv6-Route # Routing Header for IPv6 • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 • ipv6-auth 51 IPv6-Auth # Authentication Header for

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 25/01/2011 11:29 p.m., Roland Dobbins wrote: > On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote: > >> Also, the claim that "IPv6 address scanning is impossible" is >> generally based on the (incorrect) assumption that host addresses >> are spread (randomly) over the 64-bit IID. -- But they usua

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 24/01/2011 05:53 p.m., Ray Soucy wrote: > Every time I see this question it's usually related to a fundamental > misunderstanding of IPv6 and the attempt to apply v4 logic to v6. > > That said. Any size prefix will likely work and is even permitted by > the RFC. You do run the risk of encounte

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 24/01/2011 07:41 p.m., Michael Loftis wrote: >> Many cite concerns of potential DoS attacks by doing sweeps of IPv6 >> networks. I don't think this will be a common or wide-spread problem. >> The general feeling is that there is simply too much address space >> for it to be done in any reason

Re: IPv6 filtering

2011-01-25 Thread Mikael Abrahamsson
On Wed, 26 Jan 2011, Franck Martin wrote: But what about the others, should they be blocked, restricted? "Recommendations for Filtering ICMPv6 Messages in Firewalls" -- Mikael Abrahamsson email: swm...@swm.pp.se

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mark Smith
On Wed, 26 Jan 2011 12:49:13 +0700 Roland Dobbins wrote: > > On Jan 26, 2011, at 12:33 PM, Mark Smith wrote: > > > The correct assumption is that most people will try and usually succeed at > > following the specifications, as that is what is required to > > successfully participate in a protocol

Re: PPPOE vs DHCP

2011-01-25 Thread Jack Bates
On 1/25/2011 6:34 PM, Paul Stewart wrote: PPPOE Pros -- Allows full authentication of customers (requires username/password) Authentication isn't necessary if you have other methods of turning off a port. Authentication can actually be a Con, as the username/password can be forgott

Re: PPPOE vs DHCP

2011-01-25 Thread Mikael Abrahamsson
On Tue, 25 Jan 2011, Paul Stewart wrote: I'm meeting with a customer tomorrow (service provider, rural telco) and we're pitching they move to a PPPOE platform most likely. But to be fair, I'm looking to draw up a comparison so they are "well informed" of the pros/cons. Has anyone done this?

RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mikael Abrahamsson
On Tue, 25 Jan 2011, Tony Hain wrote: Every organization with a *real* customer base should have significantly shorter than a /32. In particular every organization that says "I can't give my customers prefix length X because I only have a /32" needs to go back to ARIN today and trade that in f

Re: Understanding reverse DNS better

2011-01-25 Thread Hank Nussbacher
On 2011-01-25 17:21, Jethro R Binks wrote: > On Tue, 25 Jan 2011, Larry Smith wrote: > >> I use Squish (www.squish.net/dnscheck) for this purpose. Reasonable web >> interface and gives lots of info about where things are breaking down... >> >> -- >> Larry Smith > > squish.net/dnscheck is great,

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 12:33 PM, Mark Smith wrote: > The correct assumption is that most people will try and usually succeed at > following the specifications, as that is what is required to > successfully participate in a protocol (any protocol, not just networking > ones). IPv4 history has shown th

Re: IPv6 filtering

2011-01-25 Thread Mark D. Nagel
On 1/25/2011 9:25 PM, Owen DeLong wrote: > > DO NOT filter IPv6 ICMP like you filter IPv4. > > If you do, you will break PMTU-Discovery, Neighbor Discovery, > and RA/SLAAC, all of which depend on ICMPv6. > This can bite you in unexpected ways, too. For example, on a Cisco ASA, if you add a system

Re: IPv6 filtering

2011-01-25 Thread Hank Nussbacher
At 18:20 26/01/2011 +1300, Franck Martin wrote: Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already? Ever since Cisco came out with "IPv6 Routing Header Vu

Re: IPv6 filtering

2011-01-25 Thread Paul Graydon
I may be dense, networking isn't my primary field (sysadmin).. but isn't ICMP there for a good reason? I.e. congestion control? I've always argued vehemently with PCI-DSS and similar auditors that I will not filter /all/ ICMP traffic on the border. Paul On 1/25/2011 7:20 PM, Franck Martin w

Re: Understanding reverse DNS better

2011-01-25 Thread Hank Nussbacher
At 08:47 25/01/2011 -0600, Larry Smith wrote: I use Squish (www.squish.net/dnscheck) for this purpose. Reasonable web interface and gives lots of info about where things are breaking down... Seems to be having issues: Finding servers for . from A.ROOT-SERVERS.NET (198.41.0.4) Error:

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mark Smith
On Wed, 26 Jan 2011 11:53:23 +0700 Roland Dobbins wrote: > > On Jan 26, 2011, at 11:37 AM, Adrian Chadd wrote: > > > But simply assuming that the IPv6 address space will forever remain that - > > only unique host identifiers - I think is disingenious at best. :-) > > I think 'disingenuous' is

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
> ... > > What did that just do to your per-site /64? That you have > no hope of ever seeing a user use up? It just turned > that /64 into a /112 (16 bits of port space, 32 bits > of cloud identifier space.) What's the next killer app > that'll chew up more of your IPv6 space? > Dude... You miss

Re: IPv6 filtering

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 9:03 PM, Franck Martin wrote: > >• ipv6 41 IPv6 # IPv6 >• ipv6-route 43 IPv6-Route # Routing Header for IPv6 >• ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 >• ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 >• ipv6-auth 51 IPv6-Auth # Authe

Re: IPv6 filtering

2011-01-25 Thread Seth Mattinen
On 1/25/11 9:13 PM, Roland Dobbins wrote: > > On Jan 26, 2011, at 12:03 PM, Franck Martin wrote: > >> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. > > Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be > filtered, what to filter, and where to filter it is

Re: IPv6 filtering

2011-01-25 Thread Franck Martin
Well we filter icmp due to exploits, if no exploits, then we can let the whole of icmpv6 through. Or is there something terribly dangerous in icmpv6 already? - Original Message - From: "Roland Dobbins" To: "nanog group" Sent: Wednesday, 26 January, 2011 6:13:26 PM Subject: Re: IPv6 filt

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 8:47 PM, George Bonser wrote: > > >> From: Adrian Chadd >> Sent: Tuesday, January 25, 2011 8:37 PM >> To: Owen DeLong >> Cc: nanog@nanog.org >> Subject: Re: Using IPv6 with prefixes shorter than a /64 on a LAN >> >> (Top-posting because the whole message is context. Oh, an

Re: IPv6 filtering

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 12:03 PM, Franck Martin wrote: > Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be filtered, what to filter, and where to filter it is considerably more complex than in IPv4 - which, given

Re: Future of the IPv6 CPE survey on RIPE Labs - Your Input Needed

2011-01-25 Thread Franck Martin
What about an Airport Extreme? It has a wan interface that does PPPOE The IPv6 feature seems working, with 6to4 or static tunnels and a basic IPv6 firewall. - Original Message - From: "Mirjam Kuehne" To: nanog@nanog.org Sent: Tuesday, 25 January, 2011 3:34:14 AM Subject: Future of the I

IPv6 filtering

2011-01-25 Thread Franck Martin
• ipv6 41 IPv6 # IPv6 • ipv6-route 43 IPv6-Route # Routing Header for IPv6 • ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 • ipv6-crypt 50 IPv6-Crypt # Encryption Header for IPv6 • ipv6-auth 51 IPv6-Auth # Authentication Header for IPv6 • ipv6-icmp 58 IPv6-ICMP icm

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 11:37 AM, Adrian Chadd wrote: > But simply assuming that the IPv6 address space will forever remain that - > only unique host identifiers - I think is disingenious at best. :-) I think 'disingenuous' is too strong a word - 'overly optimistic' better reflects the position, I

RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread George Bonser
> From: Adrian Chadd > Sent: Tuesday, January 25, 2011 8:37 PM > To: Owen DeLong > Cc: nanog@nanog.org > Subject: Re: Using IPv6 with prefixes shorter than a /64 on a LAN > > (Top-posting because the whole message is context. Oh, and I'm lazy.) > > I do indeed love it when people break out IPv

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Adrian Chadd
(Top-posting because the whole message is context. Oh, and I'm lazy.) I do indeed love it when people break out IPv6 addressing as "there's so many addresses, we'll never ever go through them!" Sure, if they're only used as end-point identifiers. Say you want to crack out that 64k-port space int

Re: Network Naming

2011-01-25 Thread David Miller
On 1/25/2011 8:15 PM, Gary Steers wrote: James makes a good point... Pick a scheme which: 1. Uses simple memorable names. 2. Makes business sense to you. 3. You know how to manage (database, publication, updates, etc. If I had to weight these criteria, I would weight 3 most heavily. The

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 11:17 AM, Jimmy Hess wrote: > There are other methods of discovery as well, but they are not close in > scale or 'ease of use' to what brute-force address space scanning > could easily accomplish with IPv4. Most botted hosts today are compromised in the first place via laye

Re: IPv6 - real vs theoretical problems

2011-01-25 Thread Joel Jaeggli
On 1/11/11 11:15 AM, Jack Bates wrote: > > > On 1/11/2011 1:05 PM, George Bonser wrote: >> Many of us are looking at things from today's >> perspective. Maybe each room of my house will have its own subnet with >> a low power access point and I can find which room something is in by >> the IP ad

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Jimmy Hess
On Tue, Jan 25, 2011 at 8:29 PM, Roland Dobbins wrote: > On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote: >> Also, the claim that "IPv6 address scanning is impossible" is generally >> based on the (incorrect) assumption that host addresses are spread >> (randomly) over the 64-bit IID. -- But the

Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Charles N Wyble
On 1/24/2011 8:52 PM, Roland Dobbins wrote: On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: thinking of using DNS is tempting The main arguments I see against it are: 2. The generally creaky, fragile, brittle, non-scalable state of the overall DNS infrastructure in general.

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote: > Also, the claim that "IPv6 address scanning is impossible" is generally based > on the (incorrect) assumption that host addresses are spread > (randomly) over the 64-bit IID. -- But they usually aren't. It also doesn't take into account hinted

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 5:33 PM, Nathan Eisenberg wrote: >> Even if every RIR gets to 3 /12s in 50 years, that's still only 15/512ths of >> the >> initial /3 delegated to unicast space by IETF. There are 6+ more /3s >> remaining >> in the IETF pool. > > That's good news - we need to make sure we h

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 24/01/2011 08:42 p.m., Douglas Otis wrote: > It seems efforts related to IP address specific policies are likely > doomed by the sheer size of the address space, and to be pedantic, ARP > has been replaced with multicast neighbor discovery which dramatically > reduces the overall traffic involv

RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Nathan Eisenberg
> Even if every RIR gets to 3 /12s in 50 years, that's still only 15/512ths of > the > initial /3 delegated to unicast space by IETF. There are 6+ more /3s remaining > in the IETF pool. That's good news - we need to make sure we have a /3 for both the Moon and Mars colonies. ;) Nathan

RE: Network Naming

2011-01-25 Thread Gary Steers
James makes a good point... > Pick a scheme which: > 1. Uses simple memorable names. > 2. Makes business sense to you. > 3. You know how to manage (database, publication, updates, etc. > If I had to weight these criteria, I would weight 3 most heavily. The other key thing to bear in mind is c

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 25/01/2011 11:44 a.m., Ray Soucy wrote: > The argument can also be made that using smaller prefixes with > sequential host numbering will lead to making network sweeps and port > scanning viable in IPv6 where it would otherwise be useless. At that > point you just need evidence of one IPv6 add

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Fernando Gont
On 24/01/2011 09:46 p.m., Owen DeLong wrote: >>> Many cite concerns of potential DoS attacks by doing sweeps of >>> IPv6 networks. I don't think this will be a common or >>> wide-spread problem. >> >> Myopia doesn't make the problem go away. The point of such an >> attack is not to "find things

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 4:20 PM, Tony Hain wrote: > Owen DeLong wrote: >> .. >> I suspect that there are probably somewhere between 30,000 >> and 120,000 ISPs world wide that are likely to end up with a /32 >> or shorter prefix. > > A /32 is the value that a start-up ISP would have. Assuming tha

Re: Another v6 question

2011-01-25 Thread Max Pierson
>I think you may still be missing my point... >There are way more /48s available than will ever get used. >There are way more /32s available than will ever get used. No, I think you're missing my point. Your statements above are of your opinion. The same opinion was said about v4 30 years ago whic

PPPOE vs DHCP

2011-01-25 Thread Paul Stewart
Hey folks... I'm meeting with a customer tomorrow (service provider, rural telco) and we're pitching they move to a PPPOE platform most likely. But to be fair, I'm looking to draw up a comparison so they are "well informed" of the pros/cons. Has anyone done this? I came up with the follow

RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Tony Hain
Owen DeLong wrote: > .. > I suspect that there are probably somewhere between 30,000 > and 120,000 ISPs world wide that are likely to end up with a /32 > or shorter prefix. A /32 is the value that a start-up ISP would have. Assuming that there is a constant average rate of startups/failures pe

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 2:32 PM, valdis.kletni...@vt.edu wrote: > On Tue, 25 Jan 2011 14:21:12 PST, Leo Bicknell said: > >> If you were allocating individual /48's, perhaps. But see, I'm a >> cable company, and I want a /48 per customer, and I have a couple >> of hundred thousand per pop, so I need

Re: Network Naming

2011-01-25 Thread David DiGiacomo
Nick, I do not believe there is a written standard for naming gear (or at least I have never seen one). Most naming schemes are usually something arbitrary. RAS gave a pretty good tutorial on traceroutes once, specifically he covered the topic of interpreting DNS in a traceroute. I know we ar

Re: Network Naming

2011-01-25 Thread Cutler James R
On Jan 25, 2011, at 3:50 PM, Nick Olsen wrote: > What's the rule of thumb for naming gear these days > (routers,switches...etc). Or is there one? Pick a scheme which: 1. Uses simple memorable names. 2. Makes business sense to you. 3. You know how to manage (database, publication, updates, etc. I

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Valdis . Kletnieks
On Tue, 25 Jan 2011 14:21:12 PST, Leo Bicknell said: > If you were allocating individual /48's, perhaps. But see, I'm a > cable company, and I want a /48 per customer, and I have a couple > of hundred thousand per pop, so I need a /30 per pop. Oh, and I > have a few hundred pops, and I need to

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 2:21 PM, Leo Bicknell wrote: > In a message written on Tue, Jan 25, 2011 at 05:07:16PM -0500, > valdis.kletni...@vt.edu wrote: >> To burn through all the /48s in 100 years, we'll have to use them up >> at the rate of 89,255 *per second*. >> >> That implies either *really* go

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mark Smith
On Tue, 25 Jan 2011 16:32:59 -0500 "Ricky Beam" wrote: > On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong wrote: > > Seriously? Repetitively sweeping a /64? Let's do the math... > ... > > We've had this discussion before... > > If the site is using SLAAC, then that 64bit target is effectively 4

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Leo Bicknell
In a message written on Tue, Jan 25, 2011 at 05:07:16PM -0500, valdis.kletni...@vt.edu wrote: > To burn through all the /48s in 100 years, we'll have to use them up > at the rate of 89,255 *per second*. > > That implies either *really* good aggregation, or your routers having enough > CPU to hand

Re: Another v6 question

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 1:43 PM, Max Pierson wrote: > Great replies on and off-list so far. > > To hit on a few points ... > > Owen, thank you for catching my terminology blunder there. I understand > smaller is != shorter. Complete mistake :) > > Glad to see most have loosened that policy, as I

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 1:17 PM, Ricky Beam wrote: > On Mon, 24 Jan 2011 19:46:19 -0500, Owen DeLong wrote: >> Dude... In IPv6, there are 18,446,744,073,709,551,616 /64s. > > Those who don't learn from history are doomed to repeat it. > Correct, but... > "Dude, there are 256 /8 in IPv4." > There

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Valdis . Kletnieks
On Tue, 25 Jan 2011 16:17:59 EST, Ricky Beam said: > On Mon, 24 Jan 2011 19:46:19 -0500, Owen DeLong wrote: > > Dude... In IPv6, there are 18,446,744,073,709,551,616 /64s. > > Those who don't learn from history are doomed to repeat it. > > "Dude, there are 256 /8 in IPv4." > > "640k ought to be

Re: Network Naming

2011-01-25 Thread GP Wooden
Punk bands here - Reply message - From: "Christopher" Date: Tue, Jan 25, 2011 3:11 pm Subject: Network Naming To: I usually name them after ex-girlfriends On 01/25/2011 03:50 PM, Nick Olsen wrote: > What's the rule of thumb for naming gear these days > (routers,switches...etc). Or

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mark Andrews
In message , "Ricky Beam" writes: > On Mon, 24 Jan 2011 19:46:19 -0500, Owen DeLong wrote: > > Dude... In IPv6, there are 18,446,744,073,709,551,616 /64s. > > Those who don't learn from history are doomed to repeat it. > > "Dude, there are 256 /8 in IPv4." > > "640k ought to be enough for anyon

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Randy Carpenter
- Original Message - > On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong > wrote: > > Seriously? Repetitively sweeping a /64? Let's do the math... > ... > > We've had this discussion before... > > If the site is using SLAAC, then that 64bit target is effectively > 48bits. > And I can make

Re: Another v6 question

2011-01-25 Thread Max Pierson
Great replies on and off-list so far. To hit on a few points ... Owen, thank you for catching my terminology blunder there. I understand smaller is != shorter. Complete mistake :) Glad to see most have loosened that policy, as I figured it wouldn't hold at the time I originally heard it 2 or so

Re: Another v6 question

2011-01-25 Thread Mark Smith
On Tue, 25 Jan 2011 12:19:34 -0600 Max Pierson wrote: > Hi List, > > Sorry to bring up yet ANOTHER v6 question/topic, but this seems to be one > that I cannot get a solid answer on (and probably won't and in the event > that I do, it will probably change down the road anyways), but here goes. >

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Ricky Beam
On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong wrote: Seriously? Repetitively sweeping a /64? Let's do the math... ... We've had this discussion before... If the site is using SLAAC, then that 64bit target is effectively 48bits. And I can make a reasonable guess at 24 of those bits. (esp.

Re: Another v6 question

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 12:03 PM, bmann...@vacation.karoshi.com wrote: >>> Second, as I was crunching a few numbers to get a rough estimate of what a >>> global table would look like in say 3 or 5 years after v4 is exhausted (I >>> understand that it's completely unpredictable to do this, but curiosi

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Ricky Beam
On Mon, 24 Jan 2011 19:46:19 -0500, Owen DeLong wrote: Dude... In IPv6, there are 18,446,744,073,709,551,616 /64s. Those who don't learn from history are doomed to repeat it. "Dude, there are 256 /8 in IPv4." "640k ought to be enough for anyone." People can mismanage anything into oblivion.

Re: Network Naming

2011-01-25 Thread Christopher
I usually name them after ex-girlfriends On 01/25/2011 03:50 PM, Nick Olsen wrote: What's the rule of thumb for naming gear these days (routers,switches...etc). Or is there one? looks like level3 does something like interface.routertype.location.level3.net Nick Olsen Network Operations (855) F

Re: Another v6 question

2011-01-25 Thread Seth Mattinen
On 1/25/2011 10:19, Max Pierson wrote: > > From the provider perspective, what is the prefix-length that most are > accepting to be injected into your tables?? 2 or so years ago, I read where > someone stated that they were told by ATT that they weren't planning on > accepting anything smaller t

Network Naming

2011-01-25 Thread Nick Olsen
What's the rule of thumb for naming gear these days (routers,switches...etc). Or is there one? looks like level3 does something like interface.routertype.location.level3.net Nick Olsen Network Operations (855) FLSPEED x106

Re: Another v6 question

2011-01-25 Thread bmanning
> > Second, as I was crunching a few numbers to get a rough estimate of what a > > global table would look like in say 3 or 5 years after v4 is exhausted (I > > understand that it's completely unpredictable to do this, but curiosity > > killed the cat I guess), and in a few cases, I stopped due to

Re: Another v6 question

2011-01-25 Thread Justin M. Streiner
On Tue, 25 Jan 2011, Max Pierson wrote: From the provider perspective, what is the prefix-length that most are accepting to be injected into your tables?? 2 or so years ago, I read where someone stated that they were told by ATT that they weren't planning on accepting anything smaller than a /

RE: Another v6 question

2011-01-25 Thread George Bonser
> From: Max Pierson > Sent: Tuesday, January 25, 2011 10:20 AM > To: nanog group > Subject: Another v6 question > > > From the provider perspective, what is the prefix-length that most are > accepting to be injected into your tables?? 2 or so years ago, I read > where > someone stated that th

Re: Another v6 question

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 10:19 AM, Max Pierson wrote: > Hi List, > > Sorry to bring up yet ANOTHER v6 question/topic, but this seems to be one > that I cannot get a solid answer on (and probably won't and in the event > that I do, it will probably change down the road anyways), but here goes. > >> F

Another v6 question

2011-01-25 Thread Max Pierson
Hi List, Sorry to bring up yet ANOTHER v6 question/topic, but this seems to be one that I cannot get a solid answer on (and probably won't and in the event that I do, it will probably change down the road anyways), but here goes. From the provider perspective, what is the prefix-length that most

RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread George Bonser
> > > > So I pretty strongly disagree about your statement. Repetitively > > sweeping an IPv6 network to DoS/DDoS the ND protocol thereby flooding > > the ND cache/LRUs could be extremely effective and if not paid > > serious attention will cause serious issues. > > > > > Yes This is an iss

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Owen DeLong
On Jan 25, 2011, at 8:58 AM, Patrick Sumby wrote: > On 24/01/2011 22:41, Michael Loftis wrote: >> On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy wrote: >> >>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6 >>> networks. I don't think this will be a common or wide-spread proble

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Roland Dobbins
On Jan 26, 2011, at 12:44 AM, Jack Bates wrote: > DDoS mitigation is handled differently. Concur 100%. Also note that firewalls don't provide any sort of useful DDoS protection, marketing claims aside, so reaction tools such as S/RTBH, et. al. are required to protect stateful firewalls in fr

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Jack Bates
On 1/25/2011 10:58 AM, Patrick Sumby wrote: I would assume that in the LAN scenario where you have a /64 for your internal network that you would have some sort of stateful firewall sitting in front of the network to stop any un-initiated sessions. This therefore stops any hammering of ND cache

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Patrick Sumby
On 24/01/2011 22:41, Michael Loftis wrote: On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy wrote: Many cite concerns of potential DoS attacks by doing sweeps of IPv6 networks. I don't think this will be a common or wide-spread problem. The general feeling is that there is simply too much address

Re: Understanding reverse DNS better

2011-01-25 Thread Jeroen Massar
On 2011-01-25 17:21, Jethro R Binks wrote: > On Tue, 25 Jan 2011, Larry Smith wrote: > >> I use Squish (www.squish.net/dnscheck) for this purpose. Reasonable web >> interface and gives lots of info about where things are breaking down... >> >> -- >> Larry Smith > > squish.net/dnscheck is great

Re: Understanding reverse DNS better

2011-01-25 Thread Jethro R Binks
On Tue, 25 Jan 2011, Larry Smith wrote: > I use Squish (www.squish.net/dnscheck) for this purpose. Reasonable web > interface and gives lots of info about where things are breaking down... > > -- > Larry Smith squish.net/dnscheck is great, except when I've had problems with it, or wanted a s

Re: DSL options in NYC for OOB access

2011-01-25 Thread Joly MacFie
AFAIK all DSL providers will end up going through Verizon wires, you are just shifting customer service & billing. Alternatives are the Cable Co, probably Time Warner, or, more expensively, http://www.towerstream.com/ j > -Original Message- > From: Andy Ash

Re: Update Spamhaus DROP list from Cisco CLI (TCL)

2011-01-25 Thread Peter Pauly
I made a version of Mr. Magill's script to read the dshield.org's block list and create null routes for it. He deserves all of the credit, but none of the blame in case it doesn't work for you. I'm not a TCL programmer - use at your own risk. Anyone else have any nifty TCL for Cisco scripts they ca

Re: IPv6: numbering of point-to-point-links

2011-01-25 Thread Tim Durack
On Tue, Jan 25, 2011 at 9:44 AM, Lasse Jarlskov wrote: > Thank you all for your comments - it appears that there is no consensus > on how this should be done. The best piece of advice I received when asking similar questions in the past is to allocate a /64 for every network regardless of its po

Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Roland Dobbins
On Jan 25, 2011, at 9:52 PM, Joe Abley wrote: > If the DNS was as unreliable as those words suggested, nobody would use it. I see evidence of this unreliability every day, so I must respectfully disagree. ;> > The reality is that everybody uses it. The reality is that they don't really have a

Re: [arin-announce] ARIN Resource Certification Update

2011-01-25 Thread Joe Abley
On 2011-01-25, at 01:25, Christopher Morrow wrote: > On Mon, Jan 24, 2011 at 11:52 PM, Roland Dobbins wrote: > >> 2. The generally creaky, fragile, brittle, non-scalable state of the >> overall DNS infrastructure in general. > > this is getting better, no? I mean for the in-addr and larg

Re: Understanding reverse DNS better

2011-01-25 Thread Larry Smith
I use Squish (www.squish.net/dnscheck) for this purpose. Reasonable web interface and gives lots of info about where things are breaking down... -- Larry Smith lesm...@ecsis.net On Tue January 25 2011 08:38, p8x wrote: > +1, also a quick check to make sure your name servers are actually set > c

Re: IPv6: numbering of point-to-point-links

2011-01-25 Thread Lasse Jarlskov
Thank you all for your comments - it appears that there is no consensus on how this should be done. Thank you for the reference to this draft, Marco - and to Ron as well. Both RFC3627 and this draft appear to be stating that these issues are implementation-specific. E.g. whether an implementation

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Ray Soucy
On Mon, Jan 24, 2011 at 7:10 PM, Ricky Beam wrote: > On Mon, 24 Jan 2011 15:53:32 -0500, Ray Soucy wrote: >> >> Every time I see this question it's usually related to a fundamental >> misunderstanding of IPv6 and the attempt to apply v4 logic to v6. > > Not exactly. If it's a point-to-point link,

Re: Understanding reverse DNS better

2011-01-25 Thread Caleb Tennis
Excellent, the +trace option is most helpful, thank you. On Jan 25, 2011, at 9:34 AM, Jared Mauch wrote: > I suggest doing something like: > > dig +trace -x 204.42.254.5 > > You can watch the delegation authority for the in-addr at each stage. > > - Jared > > On Jan 25, 2011, at 9:30 AM, Cale

Re: Understanding reverse DNS better

2011-01-25 Thread p8x
+1, also a quick check to make sure your name servers are actually set can be done with host.. host -t ns 0.168.192.in-addr.arpa On 25/01/2011 10:34 PM, Jared Mauch wrote: I suggest doing something like: dig +trace -x 204.42.254.5 You can watch the delegation authority for the in-addr at e

Re: Understanding reverse DNS better

2011-01-25 Thread Jared Mauch
I suggest doing something like: dig +trace -x 204.42.254.5 You can watch the delegation authority for the in-addr at each stage. - Jared On Jan 25, 2011, at 9:30 AM, Caleb Tennis wrote: > We have a /24 from one of our upstream providers that we handoff to a > customer. The /24 has been SWIPd

Understanding reverse DNS better

2011-01-25 Thread Caleb Tennis
We have a /24 from one of our upstream providers that we handoff to a customer. The /24 has been SWIPd to us, and we have nameservers setup with ARIN against that record. Twice now this information has just "disappeared". That is, if do reverse DNS lookups, they returns nothing, whereas they

RE: DSL options in NYC for OOB access

2011-01-25 Thread Ryan Finnesey
Speakeasy/Covad/Megapath is now all one company. -Original Message- From: Michael Costello [mailto:mc3...@columbia.edu] Sent: Tuesday, January 25, 2011 9:01 AM To: nanog@nanog.org Subject: Re: DSL options in NYC for OOB access On Mon, 24 Jan 2011 22:04:25 + Andy Ashley wrote: > Hi

Re: DSL options in NYC for OOB access

2011-01-25 Thread Michael Costello
On Mon, 24 Jan 2011 22:04:25 + Andy Ashley wrote: > Hi, > > I'm looking for a little advice about DSL circuits in New York, > specifically at 111 8th Ave. > Going to locate a console server there for out-of-band serial > management. The router will need connectivity for remote telnet/ssh > a

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Mark Smith
On Tue, 25 Jan 2011 07:02:30 +0100 (CET) sth...@nethelp.no wrote: > > > IPv6 is classless; routers cannot blindly make that assumption for > > > "performance optimization". > > > > > Blindly, no. However, it's not impractical to implement fast path switching > > that > > handles things on /64s