* Alex Le Heux:
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by
default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline
that this /16 should no longer be reserved as specialised address
space.
Would someone please clarify the impact? Will it result in a
On Tuesday, December 06, 2011 04:50:46 PM Florian Weimer wrote:
Would someone please clarify the impact? Will it result in a blackhole,
or will the entire announcement be suppressed? I suspect the latter,
given what we see and what Chris Adams has reported.
This is what we see on Cisco IOS
I think of RA Guard as a Layer-2 stability feature, rather than a
security feature.
You're correct that it is unable to deal with RA crafted in a
fragmented packet on the majority (if not all) of implementations.
The issue of rogue RA exists on every network, regardless of whether
or not the IT
Beware the office with an Internet connection too:
http://xkcd.com/862/
Don't forget to 'mouseover' the graphic.
Joe
William Herrin b...@herrin.us wrote on 12/05/2011 11:20:04 PM:
3. Beware tracking hours. Try to select work which is goal and
deadline based. Your supervisor won't see you in
Dear colleagues,
Related to the discussion about 128.0/16, we did some measurements. The
details can be found on RIPE Labs:
https://labs.ripe.net/Members/emileaben/the-curious-case-of-128.0-16
Kind regards,
Mirjam Kuehne
RIPE NCC
Once upon a time, Mirjam Kuehne m...@ripe.net said:
Dear colleagues,
Related to the discussion about 128.0/16, we did some measurements. The
details can be found on RIPE Labs:
https://labs.ripe.net/Members/emileaben/the-curious-case-of-128.0-16
Kind regards,
Mirjam Kuehne
RIPE NCC
On 12/6/2011 9:38 AM, Chris Adams wrote:
I believe that Sprint is using Cisco, not Juniper. This is either a
manual filter or there is another (unidentified) issue with some Cisco
configurations.
People are less likely to read an RFC changing the reserved addresses.
Even people who didn't
I'm looking for connectivity options in the Mexico City area. Initial
impressions suggest Mexico has a fairly closed market. That being
said:
Who offers good IP/BGP connectivity in and around Mexico City? Who
offers good Ethernet connectivity in and around Mexico City? Who offers
wave/fiber services
On 12/6/11 00:50 , Florian Weimer wrote:
* Alex Le Heux:
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by
default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline
that this /16 should no longer be reserved as specialised address
space.
Would someone
For a few years now I've been wondering why more networks do not use writable
SNMP. Most automation solutions actually script a login to the various
equipment. This comes with extra code for different vendors, different
prompts and any quirk that the developer is aware of and constant patches
as
On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote:
For a few years now I've been wondering why more networks do not use writable
SNMP. Most automation solutions actually script a login to the various
equipment. This comes with extra code for different vendors, different
prompts and any quirk
On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch ja...@puck.nether.net wrote:
On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote:
For a few years now I've been wondering why more networks do not use writable
SNMP. Most automation solutions actually script a login to the various
equipment. This
On Mon, 05 Dec 2011 22:14:48 PST, andrew.wallace said:
Using fruitful language and acting like a child isn't going to see you taken
seriously.
No, he *does* want fruitful language - one that produces results. I think you
meant some other word instead.
As far as acting like a child, I'm
Not that anyone cares but personally, I'm happy fyodor posted this and I'm
forwarding it to anyone that I think might use download.com. I think it's crap
anyone changes anyone's code like that
-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
Sent:
Maybe it's just me, but I would think that simply getting them listed on
stopbadware.org and other similar sites would probably have much more of an
effect.
The bad publicity can cause them to change tactics, but it takes some time.
I've seen much quicker results from blacklisting on Google and
http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/
Its already getting some press...
He could always send them a Cease and Desist letter like Wireshark had to
do
-Kyle
On Tue, Dec 6, 2011 at 9:00 AM, Eric Tykwinski eric-l...@truenet.com wrote:
Maybe it's just me,
On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote:
long ago, in a network far away (not on the interwebs) we used snmp
write to trigger a tftp config load. It worked nicely... I'm fairly
certain I'd not do this on an internet connected network today though.
Many vendors have poor TFTP
On 12/6/11 12:00 PM, Eric Tykwinski wrote:
Maybe it's just me, but I would think that simply getting them listed on
stopbadware.org and other similar sites would probably have much more of an
effect.
The bad publicity can cause them to change tactics, but it takes some time.
I've seen much
On Tue, 6 Dec 2011, Jared Mauch wrote:
I recall some bay networks gear you could only program with the proper OID
as the cli was basically a SNMP-SET operation on the device.
The mere mention of Bay Networks and Site Manager (read: Site Mangler or
Site Damager) is enough to get my blood
On Tue, Dec 06, 2011 at 12:15:35PM -0500, Mauch, Jared wrote:
Also, who tests snmp WRITE in their code? at scale? for daily
operations tasks? ... (didn't the snmp incident in 2002 teach us
something?)
There's no reason one can't program a device with SNMP, the main issue IMHO
There is
-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
- Forwarded message from Fyodor fyo...@insecure.org
On the other hand, just being Fyodor is sufficient to get him taken seriously.
--- bka...@ford.com wrote:
On Dec 6, 2011, at 12:34 31PM, William Allen Simpson wrote:
On 12/6/11 12:00 PM, Eric Tykwinski wrote:
Maybe it's just me, but I would think that simply getting them listed on
stopbadware.org and other similar sites would probably have much more of an
effect.
The bad publicity can cause
On Tue, Dec 6, 2011 at 4:48 PM, valdis.kletni...@vt.edu wrote:
On the other hand, just being Fyodor is sufficient to get him taken seriously.
It could be argued that Nmap is malware, and such software has already been
called to be made illegal.
If I was Cnet, I would stop distributing his
Yes, Site Mangler. Do not stir that nest. Thar be dragons.
-Blake
On Tue, Dec 6, 2011 at 11:35, Justin M. Streiner strei...@cluebyfour.org wrote:
On Tue, 6 Dec 2011, Jared Mauch wrote:
I recall some bay networks gear you could only program with the proper OID
as the cli was basically a
It could be argued that Nmap is malware, and such software has already
been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
Link: http://nmap.org/book/legal-issues.html
It could. But making such an argument calls the arguer's grasp of reality
On Dec 6, 2011, at 10:30 AM, andrew.wallace wrote:
On Tue, Dec 6, 2011 at 4:48 PM, valdis.kletni...@vt.edu wrote:
On the other hand, just being Fyodor is sufficient to get him taken
seriously.
It could be argued that Nmap is malware, and such software has already been
called to be made
I'm pretty sure nmap is the exact opposite of Malware.
It's an essential information security tool.
Fyodor,
Reach out to the Free Software Foundation and EFF. They may not be
able to help directly, but I'm sure that they could put you in touch
with some pro bono legal experts that could give
Having seen the previous owner of my house's cabinet building skills, and
living with them, I'm all for licensing!
-Original Message-
From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
Sent: Tuesday, December 06, 2011 1:55 PM
To: nanog@nanog.org
Subject: RE: [fyo...@insecure.org:
On Tue, Dec 06, 2011 at 09:38:31AM -0600, Chris Adams wrote:
Using RIPE's traceroute web interface, I can see that Sprint is
filtering 128.0.0.0/16:
I believe that Sprint is using Cisco, not Juniper. This is either a
manual filter or there is another (unidentified) issue with some Cisco
I was wondering if anyone has had experience with the vrf cli upgrade
command that upgrades an existing V4 only VRF to a multi-protocol vrf?
command:
(config)# vrf upgrade-cli multi-af-mode
My issue is that it fails to upgrade the my, one of the pre-requisites is
that the
vrf must
On Tue, Dec 6, 2011 at 11:07 AM, Keegan Holley
keegan.hol...@sungard.com wrote:
For a few years now I've been wondering why more networks do not use writable
SNMP. Most automation solutions actually script a login to the various
I've spent enough time writing code to deal with SNMP (our own
- Original Message -
From: Bob Rasmussen r...@anzio.com
On my OSR5 test system, I see SSH_CLIENT and SSH_CONNECTION set in
the environment upon login. Does that help?
These are set by the SSH daemon, only if you're running an SSH
connection. If you're not, you should be :-)
Well,
Hello NANOG,
Due to unforeseen circumstances we need to consider alternative vendors for our
GPON system, moving away from Motorola. We wanted to throw out a line and find
out what other networks have deployed and what experiences they have had
positive or negative with them. Thanks in
On Tue, 6 Dec 2011, Jeff Wheeler wrote:
On Tue, Dec 6, 2011 at 11:07 AM, Keegan Holley
keegan.hol...@sungard.com wrote:
For a few years now I've been wondering why more networks do not use writable
SNMP. Most automation solutions actually script a login to the various
...
Juniper does not
On Tue, Dec 6, 2011 at 12:15 PM, Jared Mauch ja...@puck.nether.net wrote:
On Dec 6, 2011, at 11:28 AM, Christopher Morrow wrote:
long ago, in a network far away (not on the interwebs) we used snmp
write to trigger a tftp config load. It worked nicely... I'm fairly
certain I'd not do this on
On Tue, Dec 6, 2011 at 11:49 AM, Keegan Holley
keegan.hol...@sungard.com wrote:
2011/12/6 Christopher Morrow morrowc.li...@gmail.com
On Tue, Dec 6, 2011 at 11:16 AM, Jared Mauch ja...@puck.nether.net
wrote:
On Dec 6, 2011, at 11:07 AM, Keegan Holley wrote:
For a few years now I've been
On Tue, Dec 6, 2011 at 12:39 PM, Dorian Kim dor...@blackrose.org wrote:
On Tue, Dec 06, 2011 at 12:15:35PM -0500, Mauch, Jared wrote:
Also, who tests snmp WRITE in their code? at scale? for daily
operations tasks? ... (didn't the snmp incident in 2002 teach us
something?)
There's no
On Tue, Dec 6, 2011 at 2:56 PM, Jethro R Binks
jethro.bi...@strath.ac.uk wrote:
So what are the alternatives these days then for automation or batch
operations?
clogin etc from shrubbery's rancid?
Net::Appliance::Session
netconf!
In a message written on Tue, Dec 06, 2011 at 11:16:02AM -0500, Jared Mauch
wrote:
Anyone that has spent any quantity of time with ASN.1 generally would agree.
SNMP has two fatal flaws for large scale write based configuration.
ASN.1 was basically obsolete before it was written. It was
From: Jeff Wheeler j...@inconcepts.biz
Juniper does not support writing via SNMP. I am glad. Hopefully that
is the first step toward not supporting SNMP at all.
If I recall correctly, wasn't the old FORE CLI implemented via localhost SNMP?
I liked using them, but that's a special case...
What SNMP does have for it is it is lightweight (to some extent) vs XML that
can get quite bulky, and certainly is the case when trying to do many
interfaces at once.
I have seen better precision with snmp vs cli interaction/tcp based
interaction.
snmpbulkwalk has been my cruel mistress for
Any recommendations for CMDB software on the cheap? Building out nodes at
a few commercial co-los and a number of non-commercial (member) spaces.
thanks,
brian
--
Brian Stengel
KINBER Director of Operations
bsten...@kinber.org
M: 412.398.2333
GV: 412.254.3481
Skype: brian_stengel
KINBER -
Did Jeff's suggestion work?
: interface POS0/0/0
: frame-relay intf-type dce
If so, please let the list know, so when someone comes
across this thread while searching for the fix they can
figure it out without having to email the list. If it
didn't help contact me off-line and I will be
Some firewall vendors are proposing to collapse all Internet edge functions
into a single device (border router, firewall, IPS, caching engine, proxy,
etc.). A general Internet edge design principle has been the defense in depth
concept. Is anyone collapsing all Internet edge functions into one
Everyone I know has either paid through the nose or written one from
scratch. No good open source projects that worked out.
Most people couldn't build well from scratch. I have been a couple of
places that did, it was man-year of senior grade guy effort range.
On Tue, Dec 6, 2011 at 1:01 PM,
The mismatch problem of DCE/DTE should definitely indicate that your
PVCs aren't up. But that shouldn't result in the high quantity of CRC
errors in the interface counters. That should just result in your LMI
enquiry count increasing with LMI response sitting at zero.
I have to say I've never
I personally have not seen it done in large environments. Hardware isn't
there yet. I've seen it done in small business environments. Not a fan
of the idea.
-Hammer-
I was a normal American nerd
-Jack Herer
On 12/06/2011 03:16 PM, Holmes,David A wrote:
Some firewall vendors are proposing
I have seen at quite a few of our customers locations, starting out with a
lofty goal of putting everything in a single box (UTM) and turning every single
option on.
In ~ 30% of the firms who do so it works out ok (not great, but it works). In
the majority, the customer winds up turning
They're proposing that so you buy their device, not renew support on
your existing ones :-D
Personally we just went through this w/ Palo Alto Networks. We bought
a handful of their all-in-one firewalls simply for their web-filtering
functionality (replacing Bluecoats). They pitched repetitively
On Tue, Dec 6, 2011 at 1:16 PM, George Herbert george.herb...@gmail.com wrote:
Everyone I know has either paid through the nose or written one from
scratch. No good open source projects that worked out.
Most people couldn't build well from scratch. I have been a couple of
places that did,
I would argue that collapsing all of your policy evaluation and routing for
a size/zone/area/whatever into one box is actually somewhat detrimental to
stability (and consequently, security to a certain extent).
Cramming every little feature under the sun into one appliance makes for
great glossy
On Tue, 06 Dec 2011 10:30:20 PST, andrew.wallace said:
It could be argued that Nmap is malware, and such software has already been
called to be made illegal.
Called by whom, other than yourself?
On Tue, 6 Dec 2011, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge
functions into a single device (border router, firewall, IPS, caching
engine, proxy, etc.). A general Internet edge design principle has been
the defense in depth concept. Is anyone
On Tue, Dec 6, 2011 at 4:45 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 10:30:20 PST, andrew.wallace said:
It could be argued that Nmap is malware, and such software has already been
called to be made illegal.
Called by whom, other than yourself?
Germany?
Here at Blue Ridge InternetWorks we evaluated a few vendors (a couple of years
ago) and are extremely happy with our choice of Calix E7. The engineering is
top-notch, optical components are good quality, boot time is very fast, decent
GUI (not perfect, but improves with each software release),
We have a Calix C7 as well as some E7-2's in a few markets for a little
over a year. We only deal with GPON/AE deployments and the C7 worked to
get us started but the E7 is definitely more purpose built for ethernet
fiber services. Just started several major build-outs which pushed us to
On Tue, 06 Dec 2011 14:18:52 EST, Jeff Wheeler said:
I've spent enough time writing code to deal with SNMP (our own stack,
not using Net-SNMP or friends) to have a more in-depth understanding
of SNMP's pitfalls than most people. It is TERRIBLE and should be
totally gutted and replaced with
On 12/06/2011 11:16 AM, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge functions into a single
device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet
edge design principle has been the defense in depth concept. Is anyone
On 6 Dec 2011, at 22:07, Dan Collins wrote:
On Tue, Dec 6, 2011 at 4:45 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 10:30:20 PST, andrew.wallace said:
It could be argued that Nmap is malware, and such software has already been
called to be made illegal.
Called by whom, other
To echo what James has already said..
I would say it's possible on the low/medium size enterprise network
market. With that stated 70-80% of the time it's not designed
correctly or a vendor issue pops up causing them to disable the
feature.
Careful planning must be done ahead of time. When
On Tue, 6 Dec 2011, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge
functions into a single device (border router, firewall, IPS, caching
engine, proxy, etc.). A general Internet edge design principle has been
the defense in depth concept. Is anyone
On 12/6/2011 13:30, andrew.wallace wrote:
It could be argued that Nmap is malware, and such software has already been
called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
Link: http://nmap.org/book/legal-issues.html
If this is not trolling and you
Another vote for Calix here, but we started with Occam B-series gear (DSL+POTS)
and kept buying their gear into the GPON times. Calix bought them.. so the vote
is for Calix, even though I haven't used their C or E series gear.
I do a fair amount of scripting for various tasks and have been
A trojan can be used for good if in the right hands as a remote access tool for
business use.
Andrew
From: Bryan Fields br...@bryanfields.net
To: nanog@nanog.org nanog@nanog.org
Sent: Tuesday, December 6, 2011 11:24 PM
Subject: Re: [fyo...@insecure.org:
I can't believe this...
Andrew, please check the dictionary second definition of Trojan before
proceeding.
A remote access tool is ssh, VNC and others and these are definitely not
trojans. Get a grip.
Trojan Horse
noun noun Greek Mythology
a hollow wooden statue of a horse in which the Greeks
On Tue, 06 Dec 2011 17:07:47 EST, Dan Collins said:
On Tue, Dec 6, 2011 at 4:45 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 10:30:20 PST, andrew.wallace said:
It could be argued that Nmap is malware, and such software has already
been called to be made illegal.
Called by
On Dec 7, 2011, at 6:20 AM, Robert Brockway wrote:
This is completely separate to whether servers should even have a firewall or
IPS in front of them. That's another (interesting) discussion :)
http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf
Hi,
valdis.kletni...@vt.edu wrote on Mi, 2011-12-07 at 00:59+0100:
On Tue, 06 Dec 2011 17:07:47 EST, Dan Collins said:
On Tue, Dec 6, 2011 at 4:45 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 10:30:20 PST, andrew.wallace said:
It could be argued that Nmap is malware, and such
On Tue, 06 Dec 2011 15:49:29 PST, andrew.wallace said:
A trojan can be used for good if in the right hands as a remote access tool
for business use.
Best troll line since n3td3v got banned from full-disclosure. Well played,
I've been outclassed, I'm outta here.
On 12/06/2011 05:03 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 15:49:29 PST, andrew.wallace said:
A trojan can be used for good if in the right hands as a remote access tool for
business use.
Best troll line since n3td3v got banned from full-disclosure. Well played,
I've been
- Original Message -
From: valdis.kletni...@vt.edu
To: nanog@nanog.org
Sent: Tuesday, December 06, 2011 3:03 PM
Subject: Re: [fyo...@insecure.org: C|Net Download.Com is now bundling Nmap with
malware!]
On Tue, 06 Dec 2011 15:49:29 PST, andrew.wallace said:
A trojan can be used for
Carrier IQ does not qualify as a good use of a Trojan and comes about as close
to your definition as I can think of.
No, a Trojan is malware. Any software which operates without the knowledge or
consent of the user to engage in operations the user would not reasonably
expect is not being used
On Tue, 06 Dec 2011 17:09:54 PST, Michael Thomas said:
On 12/06/2011 05:03 PM, valdis.kletni...@vt.edu wrote:
On Tue, 06 Dec 2011 15:49:29 PST, andrew.wallace said:
A trojan can be used for good if in the right hands as a remote access
tool for business use.
I had assumed that he meant
On Tue, 06 Dec 2011 18:10:14 PST, Owen DeLong said:
No, a Trojan is malware. Any software which operates without the
knowledge or consent of the user to engage in operations the user would
not reasonably expect is not being used for good, no matter how well
intentioned.
Strictly speaking,
On Wednesday, December 07, 2011 03:52:20 AM Josh V. Hoppes
wrote:
Due to unforeseen circumstances we need to consider
alternative vendors for our GPON system, moving away
from Motorola. We wanted to throw out a line and find
out what other networks have deployed and what
experiences they
Well, as a stability feature may work if better understanding of the
internet protocols is given to all the network specialists (almost a
paradox, all those documents are free to be checked for all the people).
Of course, the problem with the rogue IPv6 packets and malformed
packets will exist as
On Wednesday, December 07, 2011 06:18:07 AM Jeff Saxe wrote:
- Currently runs only RSTP, but not MST. So difficult to
load-balance redundant links into our switching core. I
don't remember if MST is on the planned feature list.
We run LACP either to the same or different routers
depending on
We've been fairly against centralizing functions, even
though marketing scripts suggest it is worth doing.
Not security-related per se, but for smaller PoP's, we'll
collapse P/PE functions into a single box. As others have
mentioned, this makes sense when scale is small.
But on a large scale,
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote:
Using fruitful language and acting like a child isn't going to see
you taken seriously.
I'm sorry that my language offended you. But if you ever spend more
than 14 years creating free software as a gift to the community, only
to
Fyodor wrote:
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote:
Using fruitful language and acting like a child isn't going to see
you taken seriously.
I'm sorry that my language offended you. But if you ever spend more
than 14 years creating free software as a gift to the
On Tue, 6 Dec 2011 11:07:44 -0500, Keegan Holley
keegan.hol...@sungard.com said:
KH Admittedly, you will have to deal with proprietary mibs and reformat
KH the data once it's returned.
That's the nail in the coffin of just about every configuration
protocol. Until multiple vendors implement
On Tue, 6 Dec 2011 12:39:34 -0500, Dorian Kim dor...@blackrose.org said:
DK There is one good reason. Every vendor seems to assign a junior intern to
DK maintaining SNMP code, so you are interfacing with your router via a very
DK suspect interface.
The marking folks believed that when X
On Wednesday, December 07, 2011 11:58:59 AM Mark Tinka
wrote:
But on a large scale, we've not been one to buy into
multi- chassis-type arrangements.
s/multi-chassis-type/logical routers.
Mark.
On Dec 6, 2011, at 6:20 PM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu
wrote:
On Tue, 06 Dec 2011 18:10:14 PST, Owen DeLong said:
No, a Trojan is malware. Any software which operates without the
knowledge or consent of the user to engage in operations the user would
not reasonably
In any such vendor choice, I'd say make sure that they have workable
IPv6 before making any major investments. Otherwise, you've got a
dead-end platform that won't serve you very well for very many years.
Owen
On Dec 6, 2011, at 7:25 PM, Mark Tinka wrote:
On Wednesday, December 07, 2011
Amused thought, may have no basis in law
Could he send their hosting company a take-down order for the download.com site?
/Amused thought
On Dec 6, 2011, at 8:53 PM, Michael Painter wrote:
Fyodor wrote:
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote:
Using fruitful language
On Dec 7, 2011, at 2:47 AM, Owen DeLong wrote:
Amused thought, may have no basis in law
Could he send their hosting company a take-down order for the download.com
site?
/Amused thought
Might be feasible to take over the domain if SOPA were passed :)
I am glad that CBS Interactive/CNET