Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Owen DeLong

On Mar 27, 2014, at 1:38 PM, Brandon Ross br...@pobox.com wrote:

 On Thu, 27 Mar 2014, Owen DeLong wrote:
 
 On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote:
 
 Please explain in detail where the fraud potential comes in.
 
 Spammer uses his botnet of zombie machines to send email from each of them to 
 his own domain using the user's legitimate email address as From:. Spammer 
 says it was unsolicited and keeps the full $.10/email that victim users have 
 deposited into this escrow thing.
 
 Sounds a lot more profitable than regular spam.

You say this like having a tax on running a botted computer on the internet 
would be a bad thing.

I agree that it would provide a bit of profit to the spammers for a very short 
period of time, but I bet it would get a lot of bots fixed pretty quick.

Owen




Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Owen DeLong
I, for one, would not want to start having to pay RIPE-level fees.

ARIN fees are a much better deal than RIPE fees.

Owen

On Mar 27, 2014, at 3:10 PM, Cb B cb.li...@gmail.com wrote:

 On Mar 27, 2014 3:03 PM, John Curran jcur...@istaff.org wrote:
 
 And I would welcome discussion of how ARIN (and nanog) can be more like
 RIPE - that is very much up to this community and its participation far
 more than ARIN..
 
 /John
 
 
 How about we fold ARIN into RIPE? Why not? I agree with all of Randy's
 points. I am sure RIPE can easily scale up to take on ARIN services, with
 fees being reduced for all involved due to economies of scale.
 
 CB
 
 On Mar 28, 2014, at 5:27 AM, Randy Bush ra...@psg.com wrote:
 
 john,
 
 i think your attempt to move the discussion to the arin ppml list
 exemplifies one core of the problem.  this is not about address policy,
 but arin thinks of itself as a regulator not a registry.
 
 contrast with the ripe community and the ncc, which is not nirvana but
 is a hell of a lot better.  among other key differences, the ncc is
 engaged with the community through technical and business working
 groups.
 
 e.g. the database working group covers what you think of as whois and
 the routing registry.  the wg developed the darned irr definition and
 continues to evolve it.  consequence?  the irr is actively used in two
 regions in the world, europe and japan (which likes anything ocd:-).
 
 the routing wg works with the ops to develop routing technology such as
 route flap damping.  there is a reason that serious ops attend ripe
 meetings.  yes, a whole lot of folk with enable are engaged.
 
 for years there has been a wg on the global layer nine issues.
 
 the dns wg deals with reverse delegation, root server ops, etc.  and
 guess what, all the dns heavy techs and ops are engaged.
 
 there is a wg for discussing what services the ncc offers.  the recent
 simplification and opening of services to legacy and PI holders happened
 in the ncc services wg, it was about services not addressing policy.
 
 and this is aside from daniel's global measurement empire.  not sure it
 is a registry's job to do this, but it is a serious contribution to the
 internet.
 
 the ncc is engaged with its community on the subjects that actually
 interest operators and affect our daily lives.
 
 there is nothing of interest at an arin meeting, a bunch of junior
 wannabe regulators and vigilantes making an embarrassing mess.  i've
 even taken to skipping nanog, if ras talks i can watch the recording.
 all the cool kids will be in warsaw.  ops vote with our feet.
 
 randy
 
 




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-28 Thread Mark Tinka
On Friday, March 28, 2014 05:48:29 AM Shrdlu wrote:

 Why? Personally, I think it's fine. It only happens (at
 most) every six months (and sometimes more like a year).

I think it's fine too.

As I'm sure you know, if you're a Cisco customer, you can 
subscribe to their internal notification services where 
you'll get this anyway.

That they consolidate the most critical bug information and 
push it out to the typical operational mailing lists a 
couple of times a year is not such a problem, I'd say. For 
some, this could be the only way they find out.

Mark.




Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Owen DeLong

On Mar 27, 2014, at 10:31 PM, Barry Shein b...@world.std.com wrote:

 
 On March 27, 2014 at 12:14 o...@delong.com (Owen DeLong) wrote:
 
 On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote:
 
 
 On March 26, 2014 at 22:25 o...@delong.com (Owen DeLong) wrote:
 
 Actually, a variant on that that might be acceptable… Make e-postage a 
 deposit-based thing. If the recipient has previously white-listed you or 
 marks your particular message as “desired”, then you get your postage 
 back. If not, then your postage is put into the recipients e-postage 
 account to offset the cost of their emails.
 
 Thoughts?
 
 It's a fine idea but too complicated.
 
 Look, the (paper) post office doesn't say oh, you WANTED that mail,
 ok, then we'll return the cost of postage to the sender!
 
 Why? Because if they did that people would game the system, THEY'D
 SPAM!
 
 How would they benefit from that?
 
 From what, being able to send free paper mail? I think that would be
 considered a benefit by most junk mail advertisers. But see next...
 
 SPAM — Pay, say $0.10/message.
 Then Claim you wanted the SPAM, get your $0.10/message back for each SPAM 
 you sent to yourself.
 Or, claim you didn’t want the SPAM and get $0.05/message for each message 
 you received while the
 original provider keeps the other $0.05.
 
 And it would take way too much bookkeeping and fraud identification etc.
 
 Please explain in detail where the fraud potential comes in.
 
 By my interpretation, you’d have to somehow get more back than you deposited 
 (not really possible) in order to profit from sending SPAM this way.
 
 Well, it's advertising, so they do.
 
 Advertising is a valuable commodity.  Free advertising is particularly
 valuable, ROI with I close to zero.

But it’s only free if you send it to yourself and then approve it. Any message 
you send to someone else who doesn’t want it isn’t free.

 So offering to not charge you because you wanted that mail makes no
 sense, right?

But this isn’t a charge for the post office and by the time you’re connected to 
the internet, the cost of receiving the mail and transporting it and the sender 
sending it is pretty much sunk by some arguments.

This is an effort to provide a financial disincentive for spamming.

 
 Let's take a deep breath and re-examine the assumptions:
 
 Full scale spammers send on the order of one billion msgs per day.
 
 Which means if I gave your account 1M free msgs/day and could
 reasonably assure that you can't set up 1,000 such accts then you
 could not operate as a spammer.
 
 Not sure how you enforce these user account requirements or how you avoid 
 duplicative accounts.
 
 If you want to attach e-postage you have to go get some and that can
 be a contract which says you don't do that, if you have multiple
 accounts you split it among your accounts or buy more. And if you do
 what you describe you understand that it is criminal fraud. Click
 Agree [ ] before proceeding, or similar.

Because spammers are all on the up and up and never commit fraud in order to 
send their SPAM, right?

 Who can't operate with 1M msgs/day?
 
 Well, maybe Amazon or similar.
 
 But as I said earlier MAYBE THEY SHOULD PAY ALSO!
 
 I, for one, don’t want my Amazon prices increased by a pseudo-tax on the 
 fact that they do a large volume of email communications with their 
 customers. They have enough problems trying to get IPv6 deployed without 
 adding this to their list of problems.
 
 That assumes that spam is free for them, and you. Including free as
 in “stealing your time”.

No, it assumes that most of the messages I get from Amazon are NOT SPAM.

The vast majority of messages I get from Amazon are order confirmations, 
shipping status reports, etc. Messages related to transactions I have conducted 
with them. Yes, I get a little bit of SPAM from them and I wouldn’t mind seeing 
them forced to pay me for those messages, but I certainly don’t want to see 
them paying for every message they send.

 We really need to get over the moral component of spam content (and
 senders' intentions) and see it for what it is: A free ride anyone
 would take if available.
 
 I disagree. I see it as a form of theft of service that only immoral thieves 
 would take if available.
 
 How can it be a theft of service if we're not charging anything?

I didn’t authorize the spammer to use my computer, systems, disk, network, etc. 
They simply did so without my authorization. If I had a cost effective way to 
identify them, track them down, and hold them accountable for this, I would 
gladly do so.

 Well, if they use others' resources it's a theft of those resources,
 such as botnets, is that what you mean?

Botnets, my mail server, my disk storage, my network, etc. where my mail is 
processed… All of the above.

 But by morality I mean that we tend to define spam in terms of
 generally agreed to be undesirable email content such as questionable
 herbal cures or other apparent fraud or 

Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Daniel Karrenberg




 On 27.03.2014, at 22:27, Randy Bush ra...@psg.com wrote:
 
 ...and this is aside from daniel's global measurement empire.  not sure it
 is a registry's job to do this, but it is a serious contribution to the
 internet. ...

there is the  'measurement analysis and tools' working group 
http://www.ripe.net/ripe/groups/wg/mat guiding this work, and it even has an 
'out-of-area' co-chair to emphasize the *globalness* of our empire ;-) :-) :-) 
:-) :-) :-)

seriously: the ripe ncc was not conceived as a registry but as an association 
of operators where they can organise common activities that require neutrality, 
expertise and common funding. so whether it is a 'registry job' is irrelevant 
in our context as long as the community agrees it is useful and the membership 
of the association agrees to fund it with their fees. the huge overlap between 
community at large and paying membership keeps this consistent. 

daniel 

--
Sent from a hand held device.

Re: Why IPv6 isn't ready for prime time :-)

2014-03-28 Thread Timothy Morizot
On Mar 27, 2014 8:01 PM, Tim Durack tdur...@gmail.com wrote:

 NANOG arguments on IPv6 SMTP spam filtering.

 Deutsche Telecom discusses IPv4-IPv6 migration:

 https://ripe67.ripe.net/presentations/131-ripe2-2.pdf

 Facebook goes public with their IPv4-IPv6 migration:


http://www.internetsociety.org/deploy360/blog/2014/03/facebooks-extremely-impressive-internal-use-of-ipv6/

 If you haven't started, you've got some work to do.

Indeed. Having been deeply involved leading the technical side of our
transition at my organiati


Re: IPv6 isn't SMTP

2014-03-28 Thread Blake Hudson


Barry Shein wrote the following on 3/27/2014 6:32 PM:

On March 27, 2014 at 14:16 bl...@ispn.net (Blake Hudson) wrote:
  
   Barry Shein wrote the following on 3/27/2014 2:06 PM:
   
   
I suppose the obvious question is: What's to stop a spammer from
putting a totally legitimate key into their spam?
   
   It's entirely likely that a spammer would try to get a hold of a key due
   to its value or that someone you've done business with would share keys
   with a business partner. But ideally you'd authorize each sender with
   a unique key (or some sort of pair/combination). So that 1) you can tell
   who the spammer sourced the key from and 2) you can revoke the
   compromised key's authorization to send you subsequent email messages.
  
   There's probably some way to generate authorization such that each
   sender gets a unique key or a generic base is in some way salted or
   combined with information from the individual you're giving your
   authorization to such that the result is both unique and identifiable.

Ok, this is a form of whitelisting with some authentication using
public key technology.

Sure. But is this really the problem you run into much? Someone
impersonating a sender you consider whitelisted?

I'm sure it happens.

But at a systems level I think most of us are talking about the much
more nefarious non-stop fire-hose of pure sewage.

Some white list, but for many that runs too great a risk of rejecting
serendipity, that great job offer from someone who was impressed by a
post you made on NANOG, etc.

So we get Challenge-Response etc as a workaround, which also has
problems.

Well, whatever, SPAM IS A BIG SUBJECT and there are a lot of
perspectives.

P.S. I always figured the problem you describe could be very trivially
solved by just agreeing to stick some word in the header like:

  X-PassCode: swordfish

It's not like anyone but the sender is likely to know that unless they
really are in your mail stream in which case you have other problems.

It would be nice if that were automated but it could be done manually.

I have certain Subject: phrases I use with people, some funny, so they
know it's almost certainly me.


You're on the right track with what I was proposing. While spoofing can 
be addressed, it's not the primary goal. The idea was to verify whether 
an incoming email was authorized or not. Authentication is just a prereq 
to that. It is up to the recipient to choose what to do with 
unauthorized mail: Treat them the same as any other, tag them, put them 
in a separate folder or quarantine, reject them, or send them to the bit 
bucket. This may be a list, but I wouldn't consider a whitelist unless 
implemented as such by the user/client.
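
The per-sender key idea discussed in this message, as an added example that is not part of the original thread or any poster's code: the recipient derives each sender's token with HMAC-SHA256 from one private secret plus the sender's address, so a token is unique, identifies who it was issued to, and can be revoked. The `X-PassCode` header name comes from the thread; the `address;hex-mac` value format, the class and function names, and the sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

HEADER = "X-PassCode"  # header name from the thread; value format is an assumption


class SenderAuthorizer:
    """Recipient-side issuer and verifier of per-sender authorization tokens."""

    def __init__(self, secret: bytes):
        self.secret = secret    # known only to the recipient
        self.revoked = set()    # addresses whose tokens no longer authorize mail

    @staticmethod
    def norm(addr: str) -> str:
        return addr.strip().lower()

    def mac(self, who: str) -> str:
        return hmac.new(self.secret, who.encode(), hashlib.sha256).hexdigest()

    def issue(self, sender: str) -> str:
        """Header value to hand to `sender` out of band."""
        who = self.norm(sender)
        return f"{who};{self.mac(who)}"

    def revoke(self, sender: str) -> None:
        self.revoked.add(self.norm(sender))

    def classify(self, raw_message: str):
        """Return (verdict, issued_to). What to do with each verdict
        (deliver, tag, quarantine, reject) is left to the recipient."""
        msg = message_from_string(raw_message)
        # From: is not authenticated here; that prerequisite (e.g. a DKIM
        # check) is assumed to have happened before this step.
        from_addr = self.norm(parseaddr(msg.get("From", ""))[1])
        value = msg.get(HEADER)
        if not value or ";" not in value:
            return ("unauthorized", None)
        issued_to, _, presented = value.strip().rpartition(";")
        issued_to = self.norm(issued_to)
        expected = self.mac(issued_to)
        # Constant-time comparison so the check does not leak MAC prefixes.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return ("unauthorized", None)
        if issued_to in self.revoked:
            return ("revoked", issued_to)
        if issued_to != from_addr:
            # A valid token used by someone else: issued_to names the
            # sender the token was sourced from.
            return ("leaked", issued_to)
        return ("authorized", issued_to)


def make_message(from_addr: str, passcode=None) -> str:
    """Build a constructed sample message for the demonstration."""
    lines = [f"From: {from_addr}", "To: me@recipient.example", "Subject: hello"]
    if passcode is not None:
        lines.append(f"{HEADER}: {passcode}")
    return "\n".join(lines) + "\n\nbody text\n"


def demo():
    auth = SenderAuthorizer(b"constructed-demo-secret")
    token = auth.issue("alice@example.com")
    results = [
        auth.classify(make_message("Alice <alice@example.com>", token)),
        auth.classify(make_message("bulk@spammer.example", token)),
        auth.classify(make_message("stranger@example.net")),
    ]
    auth.revoke("alice@example.com")
    results.append(auth.classify(make_message("alice@example.com", token)))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
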




Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Sander Steffann
Hi Owen,

 I, for one, would not want to start having to pay RIPE-level fees.
 
 ARIN fees are a much better deal than RIPE fees.

Only up to Small... The RIPE NCC membership fee is €1750 (±$2400 currently) for 
everybody. The ARIN fees are between $500 and $32000, with category Small at 
$2000 and Medium at $4000. I personally am glad about this (although in ARIN I 
would probably be Small) because it doesn't give operators any financial 
incentive to be stingy when giving their customers IPv6 prefixes.

If you want to give a million customers a /48 it is not going to cost you more 
than giving them a /60. IPv6 resources are not such a scarce resource compared 
to IPv4, so differentiating price based on the amount of integers you need 
doesn't make much sense in the current world anymore :)

But: this is all RIPE NCC members/AGM stuff, independent of the RIPE community 
and its working groups. (well the RIPE NCC facilitates the RIPE meetings (note: 
RIPE meeting, not RIPE NCC meeting) and without the help of the NCC the RIPE 
community wouldn't have such well organised meetings. The NCC only facilitates 
though, it doesn't control or influence the RIPE working groups) and the 
structure of the RIPE working groups was what Randy was referring to.

Cheers,
Sander




Re: Why IPv6 isn't ready for prime time :-)

2014-03-28 Thread Timothy Morizot
Hmmm. Phone accidentally sent email before it was finished.

Indeed. Having been deeply involved leading the technical side of our
transition at my organization for the past three years, I think those who
wait until the IPv6/IPv4 divide is roughly 50/50 or later are going to be
in for a world of hurt.


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Owen DeLong

On Mar 28, 2014, at 5:27 AM, Brandon Ross br...@pobox.com wrote:

 On Thu, 27 Mar 2014, Owen DeLong wrote:
 
 On Mar 27, 2014, at 1:38 PM, Brandon Ross br...@pobox.com wrote:
 
 On Thu, 27 Mar 2014, Owen DeLong wrote:
 
 On Mar 27, 2014, at 11:15 AM, Barry Shein b...@world.std.com wrote:
 
 Please explain in detail where the fraud potential comes in.
 
 Spammer uses his botnet of zombie machines to send email from each of them 
 to his own domain using the user's legitimate email address as From:. 
 Spammer says it was unsolicited and keeps the full $.10/email that victim 
 users have deposited into this escrow thing.
 
 Sounds a lot more profitable than regular spam.
 
 You say this like having a tax on running a botted computer on the internet 
 would be a bad thing.
 
 Heh, perhaps not...
 
 I agree that it would provide a bit of profit to the spammers for a very 
 short period of time, but I bet it would get a lot of bots fixed pretty 
 quick.
 
 I don't think so.  The motivations to continue to game the system are much 
 stronger under this scheme because the profits are immediate and direct. A 
 spammer no longer has to just hope that the advertising, phishing or whatever 
 they are up to is acted upon by the user, instead they get a somewhat 
 immediate cash payout that's not dependent on the user.

This assumes a different economic model of SPAM that I have been led to 
believe exists.

My understanding is that the people sending the SPAM get paid immediately and 
that the people paying them to send it are the ones hoping that the 
advertising/phishing/etc. are acted on.

Owen




Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Brandon Ross

On Fri, 28 Mar 2014, Owen DeLong wrote:

This assumes a different economic model of SPAM that I have been led to 
believe exists.


My understanding is that the people sending the SPAM get paid 
immediately and that the people paying them to send it are the ones 
hoping that the advertising/phishing/etc. are acted on.


Fine, then the people paying the people who do the spamming have more of 
an incentive to pay higher rates and more spammers.  It doesn't really 
matter how many layers of abstraction there are, the point is that the main 
motivator has become more attractive.


--
Brandon Ross                     Yahoo  AIM:  BrandonNRoss
+1-404-635-6667                         ICQ:  2269442
                                      Skype:  brandonross
Schedule a meeting:  http://www.doodle.com/bross



Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Owen DeLong

On Mar 28, 2014, at 5:58 AM, Sander Steffann san...@steffann.nl wrote:

 Hi Owen,
 
 I, for one, would not want to start having to pay RIPE-level fees.
 
 ARIN fees are a much better deal than RIPE fees.
 
 Only up to Small... The RIPE NCC membership fee is €1750 (±$2400 currently) 
 for everybody. The ARIN fees are between $500 and $32000, with category Small 
 at $2000 and Medium at $4000. I personally am glad about this (although in 
 ARIN I would probably be Small) because it doesn't give operators any 
 financial incentive to be stingy when giving their customers IPv6 prefixes.
 
 If you want to give a million customers a /48 it is not going to cost you 
 more than giving them a /60. IPv6 resources are not such a scarce resource 
 compared to IPv4, so differentiating price based on the amount of integers 
 you need doesn't make much sense in the current world anymore :)
 
 But: this is all RIPE NCC members/AGM stuff, independent of the RIPE 
 community and its working groups. (well the RIPE NCC facilitates the RIPE 
 meetings (note: RIPE meeting, not RIPE NCC meeting) and without the help of 
 the NCC the RIPE community wouldn't have such well organised meetings. The 
 NCC only facilitates though, it doesn't control or influence the RIPE working 
 groups) and the structure of the RIPE working groups was what Randy was 
 referring to.



Compare and contrast the costs of being a PI holding end-user in the RIPE 
region to those in the ARIN region and the difference becomes much more 
noticeable.

Owen




Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Valdis . Kletnieks
On Fri, 28 Mar 2014 06:22:32 -0700, Owen DeLong said:

 This assumes a different economic model of SPAM that I have been led to
 believe exists.

 My understanding is that the people sending the SPAM get paid immediately and
 that the people paying them to send it are the ones hoping that the 
 advertising/phishing/etc. are acted on.

Only because we haven't given them a way to monetize it immediately.




Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Sander Steffann
Hi Owen,

 Compare and contrast the costs of being a PI holding end-user in the RIPE 
 region to those in the ARIN region and the difference becomes much more 
 noticeable.

Yeah, RIPE NCC is definitely much cheaper for PI: no initial registration fee 
of ≥$500. The maintenance cost is $100/year vs €100/year (±$137) so there is a 
little difference there. The $37 difference will take at least 13.5 years to 
make up for the $500 though. And that is just for up to a /22. The $4000 
initial fee for a /16 PI would take you more than a hundred years :)

So yes: for PI the difference is much more noticeable, in favour of the RIPE 
NCC :)

Cheers,
Sander




Re: ARIN board accountability to network operators

2014-03-28 Thread Nick Hilliard
On 28/03/2014 14:03, Sander Steffann wrote:
 Yeah, RIPE NCC is definitely much cheaper for PI: no initial
 registration fee of ≥$500. The maintenance cost is $100/year vs
 €100/year (±$137) so there is a little difference there. The $37

€50 per PI assignment from the ripe ncc, no?

http://www.ripe.net/ripe/docs/ripe-591

Nick





3356 leaking routes out 3549 lately?

2014-03-28 Thread David Hubbard
Has anyone had issues with Level 3 leaking advertisements out their
Global Crossing AS3356 for customers of 3549, but not accepting the
traffic back?  We've been encountering this more and more recently,
bgpmon always detects it, and all we ever get from them is there's
nothing wrong.  Today it affected CloudFlare's ability to talk to us.
It seems to happen mostly with Europe and Asian peering points.
Typically lasts five to ten minutes which makes me think someone working
on merging the two networks is doing some 'no one will notice this'
changes in the middle of the night.

David



Re: Why IPv6 isn't ready for prime time : -)

2014-03-28 Thread John Levine
Indeed. Having been deeply involved leading the technical side of our
transition at my organiati

Yeah, IPv6 can be like that.

Helpfully,
John






Re: ARIN board accountability to network operators (was: RE: [arin-ppml] [arin-discuss] Term Limit Proposal)

2014-03-28 Thread Lee Howard


On 3/27/14 6:42 PM, Randy Bush ra...@psg.com wrote:

nanog is a separable game.  it is currently very confused between form
and substance, making committees for everything.  like the bcop thing.
two organizations, nanog and isoc, forming organizational structures to
create a document store.  the ops' doc store is ripe's because the ripe
wgs produced work and someone realized they needed a place to stash it.

I like this example, but not sure how it could apply here.  Need a NANOG
document series?  It wouldn't be an ARIN document series, would it?  Or
did I miss the point of your example?




i purposefully phrased it a bit differently, how can arin engage, get
real participation from, and serve its community, the operators.  i was
stealing examples from ripe.

but, for concrete action, how about a half day session at the next nanog
meeting on, for example, arin database services, whois and irr.  not to
try to reach hard conclusions or plans.  but to open a dialog to explore
what the community gets and wants from these services and how they are
provided.

I like this example.
I also appreciate the policy hour, where NANOG attendees get a few minutes
on ARIN proposals. 

In another message you complimented the RIPE Atlas project. I like the
work from APNIC's labs, too.  I also like LACNIC's development projects,
FRIDA, +RAICES, and education efforts. Would these kinds of efforts be in
scope for ARIN?  Does ARIN need a Chief Scientist (a la Karrenberg or
Huston)? Or is that a NANOG role, since it might include things outside of
management of number resources?

I think North American operators are missing some advantages of the
closely coordinated RIR/NOG operations in other regions, and I would like
to see them closer together here.  Unfortunately, it is not clear to me
that the examples above are in charter for either NANOG or ARIN. I'd be
happy to re-charter either, but that's probably a topic for NANOG-futures.



or pick another key service.

DNS?  DNSsec?
Security?





randy

Lee





Re: anti-spam WKBIs, was why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread John Levine
You say this like having a tax on running a botted computer on the internet 
would be a bad thing.

I agree that it would provide a bit of profit to the spammers for a very short 
period of time, but I bet it would get
a lot of bots fixed pretty quick.

What would actually happen is that the users would refuse to pay their
ISPs for their bot mail, the ISPs would refuse to pay the recipients,
and the whole thing would collapse.  Like I said in my decade old
white paper, the problems when real money are involved will be worse
than the ones they purport to solve.

On the other hand, if you plan to go ahead with this WKBI, I'll let
Phil Raymond know.  He'd love to do something with that patent.

R's,
John



Re: WISP or other options

2014-03-28 Thread Nick

Thanks for all the ideas.

Right now, I'm talking with Maxwifi. Go the route of letting them deal 
with everything.


I'm still exploring other cheaper options:
 A) 3G/4G wireless service.  An Orange rep is building a data plan to 
support 160 devices and to find out data usage in the area and available 
bandwidth.
 B) Getting wireless service from the nearby datacenter (~6 miles away 
in South Gyle).


Can anyone recommend a good 3G/4G router? The following link looks good. 
http://www.proroute.co.uk/proroute-4g-routers/proroute-h820-4g-router/


Would it be better to run one 4G router or bond many cheap hotspots?


Thanks,
Nick Poulakos



Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Owen DeLong

On Mar 28, 2014, at 6:30 AM, Brandon Ross br...@pobox.com wrote:

 On Fri, 28 Mar 2014, Owen DeLong wrote:
 
 This assumes a different economic model of SPAM that I have been led to 
 believe exists.
 
 My understanding is that the people sending the SPAM get paid immediately 
 and that the people paying them to send it are the ones hoping that the 
 advertising/phishing/etc. are acted on.
 
 Fine, then the people paying the people who do the spamming have more of an 
 incentive to pay higher rates and more spammers.  It doesn't really matter 
 how many layers of abstraction there are, the point is that the main motivator 
 has become more attractive.

Perhaps… But I’m not convinced.

Today we have more than sufficient motivation to continue to game the system 
and virtually no incentive to make the system less open to gaming.

While I agree this would increase economic incentives to game the system 
slightly, it would also add some rather strong incentives to improve security 
and make the process of gaming much harder.

Perhaps this isn’t a good solution, but it certainly cannot be argued that what 
we are doing so far is working.

Owen




Re: ARIN board accountability to network operators

2014-03-28 Thread Sander Steffann
Oops. /me was confused. €50 indeed!

Kind regards,
Sander Steffann

 On 28 Mar 2014, at 15:20, Nick Hilliard n...@foobar.org wrote:
 
 On 28/03/2014 14:03, Sander Steffann wrote:
 Yeah, RIPE NCC is definitely much cheaper for PI: no initial
 registration fee of ≥$500. The maintenance cost is $100/year vs
 €100/year (±$137) so there is a little difference there. The $37
 
 €50 per PI assignment from the ripe ncc, no?
 
 http://www.ripe.net/ripe/docs/ripe-591
 
 Nick
 
 



Weekly Routing Table Report

2014-03-28 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report   04:00 +10GMT Sat 29 Mar, 2014

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined: 489473
Prefixes after maximum aggregation: 192590
Deaggregation factor: 2.54
Unique aggregates announced to Internet: 241381
Total ASes present in the Internet Routing Table: 46469
Prefixes per ASN: 10.53
Origin-only ASes present in the Internet Routing Table: 35716
Origin ASes announcing only one prefix: 16381
Transit ASes present in the Internet Routing Table: 6035
Transit-only ASes present in the Internet Routing Table: 173
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 53
Max AS path prepend of ASN ( 50404)  51
Prefixes from unregistered ASNs in the Routing Table: 1863
Unregistered ASNs in the Routing Table: 476
Number of 32-bit ASNs allocated by the RIRs: 6256
Number of 32-bit ASNs visible in the Routing Table: 4718
Prefixes from 32-bit ASNs in the Routing Table: 15266
Number of bogon 32-bit ASNs visible in the Routing Table: 50
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 444
Number of addresses announced to Internet: 2662858628
Equivalent to 158 /8s, 183 /16s and 255 /24s
Percentage of available address space announced: 71.9
Percentage of allocated address space announced: 71.9
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 96.0
Total number of prefixes smaller than registry allocations: 170530

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 116226
Total APNIC prefixes after maximum aggregation: 34666
APNIC Deaggregation factor: 3.35
Prefixes being announced from the APNIC address blocks: 118899
Unique aggregates announced from the APNIC address blocks: 49753
APNIC Region origin ASes present in the Internet Routing Table: 4908
APNIC Prefixes per ASN: 24.23
APNIC Region origin ASes announcing only one prefix: 1230
APNIC Region transit ASes present in the Internet Routing Table: 855
Average APNIC Region AS path length visible: 4.7
Max APNIC Region AS path length visible: 25
Number of APNIC region 32-bit ASNs visible in the Routing Table: 879
Number of APNIC addresses announced to Internet: 729984896
Equivalent to 43 /8s, 130 /16s and 175 /24s
Percentage of available APNIC address space announced: 85.3

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
   58368-59391, 63488-63999, 131072-133631
APNIC Address Blocks 1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
   106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
   116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
   123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
   163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
   203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
   222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 166997
Total ARIN prefixes after maximum aggregation: 83020
ARIN Deaggregation factor: 2.01
Prefixes being announced from the ARIN address blocks: 168430
Unique aggregates announced from the ARIN address blocks: 78330
ARIN Region origin ASes present in the Internet Routing Table: 16204
ARIN 

2nd. Call for Papers and Participation - I Workshop pre-IETF (Side Event to CSBC 2014)

2014-03-28 Thread Juliao Braga


Re: Access Lists for Subscriber facing ports?

2014-03-28 Thread Blake Hudson

Shawn L wrote the following on 3/27/2014 7:44 AM:

With all of the new worms / denial of service / exploits, etc. that are
coming out, I'm wondering what others are using for access-lists on
residential subscriber-facing ports.

We've always taken the stance of 'allow unless there is a compelling reason
not to', but with everything that is coming out lately, I'm not sure that's
the correct position any more.

thanks

By default on all devices and customers we enforce BCP 38 as close to 
the subscriber as possible (as well as any other L2/L3 abuse mitigation 
techniques that the equipment supports well), and possibly again at the 
network border.


On residential accounts we only consider blocking TCP/UDP ports < 1024 
and even then that typically means blocking just SMB (135-139, 445). 
With SMB blocking becoming a largely irrelevant need given the move to 
more secure Windows versions, OS firewalls, and firewall enabled CPEs.


In the context of an ISP, I very strongly believe in a policy of 
non-blocking and neutrality. If there's an issue with telco provided CPE 
that is running services accessible via the WAN (DNS, Telnet, etc), 
that's an issue best addressed at the CPE level, although temporary ACLs 
could be applied upstream. If a customer is running their own vulnerable 
equipment, we may try to notify him or her, but if it does not impact 
service to other subscribers then we won't go through too many hoops to 
educate them.


--Blake
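
The policy described in the message above, modelled as an added example (not the poster's configuration or any vendor's ACL syntax): BCP 38 source validation on subscriber-sourced traffic, then the SMB port block, then default allow. The subscriber prefixes, addresses and the Packet/evaluate names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the post: 135-139 and 445, for both TCP and UDP.
BLOCKED_PORTS = set(range(135, 140)) | {445}
BLOCKED_PROTOS = {"tcp", "udp"}


@dataclass(frozen=True)
class Packet:
    direction: str  # "from_subscriber" or "to_subscriber"
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int


def evaluate(pkt, assigned_prefixes):
    """Return (action, reason) for one packet on a subscriber-facing port."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]

    # BCP 38: traffic entering from the subscriber must carry a source
    # address inside a prefix assigned to that subscriber.
    if pkt.direction == "from_subscriber":
        src = ipaddress.ip_address(pkt.src)
        if not any(src.version == n.version and src in n for n in nets):
            return ("drop", "bcp38-spoofed-source")

    # Port block applies in both directions, TCP and UDP only.
    if pkt.proto in BLOCKED_PROTOS and pkt.dport in BLOCKED_PORTS:
        return ("drop", "smb-port")

    # 'Allow unless there is a compelling reason not to'.
    return ("permit", "default-allow")


# Constructed subscriber assignment (documentation address space).
SUBSCRIBER = ["198.51.100.0/29", "2001:db8:100::/56"]

# Constructed sample traffic.
SAMPLES = [
    Packet("from_subscriber", "tcp", "198.51.100.2", "192.0.2.10", 443),
    Packet("from_subscriber", "udp", "203.0.113.9", "192.0.2.53", 53),
    Packet("to_subscriber", "udp", "192.0.2.77", "198.51.100.2", 137),
    Packet("from_subscriber", "tcp", "198.51.100.3", "192.0.2.10", 445),
    Packet("from_subscriber", "tcp", "2001:db8:100:1::5", "2001:db8::1", 25),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, evaluate(p, SUBSCRIBER))
```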





Re: 3356 leaking routes out 3549 lately?

2014-03-28 Thread Chip Marshall
On 2014-03-28, David Hubbard dhubb...@dino.hostasaurus.com sent:
 Has anyone had issues with Level 3 leaking advertisements out their
 Global Crossing AS3356 for customers of 3549, but not accepting the
 traffic back?  We've been encountering this more and more recently,
 bgpmon always detects it, and all we ever get from them is there's
 nothing wrong.  Today it affected CloudFlare's ability to talk to us.
 It seems to happen mostly with Europe and Asian peering points.
 Typically lasts five to ten minutes which makes me think someone working
 on merging the two networks is doing some 'no one will notice this'
 changes in the middle of the night.

I'm not sure if it's the same thing, but I've had a few alerts
from Renesys lately seeing a path to my AS via GLBX 3549 that
shouldn't exist, as we only have connections with Level 3 3356.

For example, Renesys reports x 3549 33517 where it should only
be able to see x 3356 33517 or maybe x 3549 3356 33517.

(Due to Renesys policy, I can't know what x is)

-- 
Chip Marshall c...@2bithacker.net
http://2bithacker.net/




Re: arin representation

2014-03-28 Thread Doug Barton

On 3/24/2014 9:03 PM, Owen DeLong wrote:

[0] As a member of the nominating committee in question, I will disagree with
your claim that our declining to nominate you constitutes rigging the election.
While I can’t disclose the details due to NDA restrictions on the NomCom,
I will say that in my experience having served on the NomCom several times,
they consider each potential nominee and do not take their duties lightly.


There is a simple way to solve this problem and indemnify the nomcom 
against all further such claims. Let anyone volunteer for a spot on the 
ballot. Let the membership decide who should be elected.


Doug




Re: Cisco Security Advisory

2014-03-28 Thread Scott Weeks


On 3/27/2014 7:44 PM, Alexander Neilson wrote:
 I wonder if they should be invited to only post a single message with
 the titles and links to the alerts so that people can follow it up.
--


If a person is on multiple of *NOG mailing lists a lot of these're 
received.  For example, I got well over 30 of them this round.  It'd be 
nice to get something brief like this:


--
The Semiannual Cisco IOS Software Security Advisory has been released.

For information please goto this URL:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Advisory titles:
- Session Initiation Protocol Denial of Service Vulnerability
- Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks 
Denial of Service Vulnerability
- Internet Key Exchange Version 2 Denial of Service Vulnerability
- Network Address Translation Vulnerabilities
- SSL VPN Denial of Service Vulnerability
- Crafted IPv6 Packet Denial of Service Vulnerability
---

Not everyone uses cisco and not everyone needs to see every vulnerability
detail email multiple times.  Imagine if all vendors started doing what
cisco is doing.

:-(

scott



Re: arin representation

2014-03-28 Thread Jared Mauch

On Mar 25, 2014, at 12:53 PM, Bob Evans b...@fiberinternetcenter.com wrote:

 Like every governing body, it's easy to criticize it. However, if it were
 some big monopoly with giant hidden agendas accomplished behind closed
 doors, I wouldn't see networks like Verizon disappointed at an ARIN
 meeting as their perspective was being over ruled by the majority. I have
 seen this at a meeting when Verizon decided to go purchase IPv4 space in
 the marketplace as they could not obtain what they tried to justify. It
 would have been a huge chunk of what remained. The IPv4 marketplace grew
 even more that week.
 
 I like term limits for every governing body - except when it's a company I
 built with my money.  :-)

I've seen term limits significantly harm organizations due to the churn that
can happen as a result.  Folks aren't as invested long-term as a consequence.

This can clearly cut both ways resulting in some positions being protected
longer than they should, or allowing the entire vote the bums out crowd to cause
unstable behavior afterwards.

I believe there are things that ARIN could do better but don't have
the time to invest in the process to correct these.  I do take time
to lobby those who I know that are involved in the process and express
my opinion of the ways that ARIN could do a better service for the community.

- Jared


Re: 3356 leaking routes out 3549 lately?

2014-03-28 Thread Jared Mauch

On Mar 28, 2014, at 3:42 PM, Chip Marshall c...@2bithacker.net wrote:

 On 2014-03-28, David Hubbard dhubb...@dino.hostasaurus.com sent:
 Has anyone had issues with Level 3 leaking advertisements out their
 Global Crossing AS3356 for customers of 3549, but not accepting the
 traffic back?  We've been encountering this more and more recently,
 bgpmon always detects it, and all we ever get from them is there's
 nothing wrong.  Today it affected CloudFlare's ability to talk to us.
 It seems to happen mostly with Europe and Asian peering points.
 Typically lasts five to ten minutes which makes me think someone working
 on merging the two networks is doing some 'no one will notice this'
 changes in the middle of the night.
 
 I'm not sure if it's the same thing, but I've had a few alerts
 from Renesys lately seeing a path to my AS via GLBX 3549 that
 shouldn't exist, as we only have connections with Level 3 3356.
 
 For example, Renesys reports x 3549 33517 where it should only
 be able to see x 3356 33517 or maybe x 3549 3356 33517.
 
 (Due to Renesys policy, I can't know what x is)

It's been a few years I think now since the level-crossing merger
so I'm certainly not surprised to see them doing work on this front.

This often happens during integration work, and networks of that scale
I would imagine tools that detect routing leaks need to account for this
merger activity.

I can see I need to update my tools :)

http://puck.nether.net/bgp/leakinfo.cgi?search=dosearch_prefix=search_aspath=3549_3356search_asn=recent=1000

http://puck.nether.net/bgp/leakinfo.cgi?search=dosearch_prefix=search_aspath=3356_3549search_asn=recent=1000
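
The path check discussed in this thread, as an added example (not code from either poster or from any monitoring service): it flags AS paths that reach origin 33517 through anything other than its one upstream, 3356, and labels the 3549 case separately so merger-related paths can be triaged apart from unrelated leaks. The sibling table and the sample paths are constructed; 64496 and the other 644xx ASNs are documentation ASNs standing in for the unknown vantage point "x".

```python
ORIGIN_AS = 33517            # origin AS named in the thread
EXPECTED_UPSTREAMS = {3356}  # the only upstream the poster says they have
# Assumption: ASNs run by the same operator as an expected upstream
# (3549 alongside 3356, per the merger mentioned in the thread).
SIBLING_ASNS = {3356: {3549}}


def parse_as_path(text):
    """Parse a space-separated AS path, collapsing prepending (repeated ASNs)."""
    path = []
    for token in text.split():
        if not token.isdigit():
            # AS_SETs and placeholders such as "x" are rejected, not guessed at.
            raise ValueError(f"unsupported AS path token: {token!r}")
        asn = int(token)
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def classify(path, origin=ORIGIN_AS, upstreams=EXPECTED_UPSTREAMS,
             siblings=SIBLING_ASNS):
    """Label a parsed path by the AS adjacent to the origin."""
    if not path or path[-1] != origin:
        return "other-origin"
    if len(path) == 1:
        return "expected"  # heard directly from the origin
    upstream = path[-2]
    if upstream in upstreams:
        return "expected"
    for known, sibs in siblings.items():
        if known in upstreams and upstream in sibs:
            return "sibling-upstream"  # adjacency that should not exist, same operator
    return "unexpected-upstream"


def triage(observed):
    """Group raw AS path strings by classification label."""
    result = {}
    for text in observed:
        result.setdefault(classify(parse_as_path(text)), []).append(text)
    return result


# Constructed observations.
OBSERVED = [
    "64496 3549 33517",              # the path reported in the thread
    "64496 3356 33517",              # expected
    "64496 3549 3356 33517",         # expected: 3356 is still adjacent to the origin
    "64496 3356 33517 33517 33517",  # expected, with origin prepending
    "64496 64500 33517",             # unrelated AS adjacent to the origin
    "64496 3356 64501",              # a different origin, out of scope
]

if __name__ == "__main__":
    for label, paths in triage(OBSERVED).items():
        print(label, paths)
```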


Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-28 Thread Barry Shein

On March 28, 2014 at 00:06 o...@delong.com (Owen DeLong) wrote:
   Advertising is a valuable commodity.  Free advertising is particularly
   valuable, ROI with I close to zero.
  
  But it's only free if you send it to yourself and then approve it. Any 
  message you send to someone else who doesn't want it isn't free.

I thought the suggestion was that a recipient (email, or by analogy
postal) could indicate they wanted an email which would cancel the
postage attached, that is, no charge to sender if they wanted it.

So if a spammer or junk mailer could, say, trick you into accepting
mail in those schemes then they get free advertising, no postage
anyhow.

We're getting lost in the metaphors methinks.

  
   So offering to not charge you because you wanted that mail makes no
   sense, right?
  
  But this isn't a charge for the post office and by the time you're connected 
  to the internet, the cost of receiving the mail and transporting it and the 
  sender sending it is pretty much sunk by some arguments.

FIRST: There's a typo/thinko in my sentence!

Should be:

  So offering to not charge THE SENDER because THE RECIPIENT wanted
  that mail makes no sense, right?

SECOND:

In response, someone has to scale resources to match volume.

But maybe my typo/thinko confused this because you know that, sorry.

  
  This is an effort to provide a financial disincentive for spamming.

Did I say that or you? I agree!

Possibly with myself. Which judging by my just previous comments is
not always a given.

   If you want to attach e-postage you have to go get some and that can
   be a contract which says you don't do that, if you have multiple
   accounts you split it among your accounts or buy more. And if you do
   what you describe you understand that it is criminal fraud. Click
   Agree [ ] before proceeding, or similar.
  
  Because spammers are all on the up and up and never commit fraud in order to 
  send their SPAM, right?

I'm trying to create an economics around enforcement.

But it's helpful to convince the relatively honest public that what
you describe is a serious crime tantamount to counterfeiting.

And we don't want to be in a situation like we were in 1996 where we
were debating whether Spam is even a crime.

Enforcement is your usual avoidance, detection, recovery, sort of
affair. But there has to be an economics pushing it or it gets mostly
ignored (except for people complaining about spam.)

Compare and contrast for example spamming vs RIAA style enforcement of
copyright violations.

Spamming? The occasional shutdown of a botnet tho those may be more
motivated by DDoS and phishing.

Copyright? Megaupload, wham, Bit torrents, wham, site takedowns, RIAA
lawsuits, wham wham wham. Lawyers, guns, and money.

What's the difference? Clear monied interests in the latter.

  
   Who can't operate with 1M msgs/day?
   
   Well, maybe Amazon or similar.
   
   But as I said earlier MAYBE THEY SHOULD PAY ALSO!
   
   I, for one, don't want my Amazon prices increased by a pseudo-tax on the 
   fact that they do a large volume of email communications with their 
   customers. They have enough problems trying to get IPv6 deployed without 
   adding this to their list of problems.
   
   That assumes that spam is free for them, and you. Including free as
   in stealing your time?.
  
  No, it assumes that most of the messages I get from Amazon are NOT SPAM.

And I'm arguing we need to change our attitudes on this.

This whole idea that because the recipient wants it it isn't spam is
wearing thin.

Just like my analogy with the post office, they wouldn't deliver mail
for free just because the recipient wanted it.

It's a fundamentally broken idea and spam is its bastard offspring.

  The vast majority of messages I get from Amazon are order confirmations, 
  shipping status reports, etc. Messages related to transactions I have 
  conducted with them. Yes, I get a little bit of SPAM from them and I 
  wouldn't mind seeing them forced to pay me for those messages, but I 
  certainly don't want to see them paying for every message they send.

The vast majority of paper mail I get from my bank accounts is useful
and informative and often legally important.

But every one of them has postage attached.

But maybe there could be some way to reverse charges like you can with
fedex and similar.

When you sign up with Amazon et al you also enter your (free)
e-postage cert (whatever, some cookie) giving them permission to
charge against it for some list of mutually agreeable emailings like
order confirms and maybe even marketing materials.

There are some implementation details involved but it doesn't strike
me as a crazy idea.

  
   We really need to get over the moral component of spam content (and
   senders' intentions) and see it for what it is: A free ride anyone
   would take if available.
   
   I disagree. I see it as a form of theft of service that only immoral 
   thieves would take if available.
   
   

The Cidr Report

2014-03-28 Thread cidr-report
This report has been generated at Fri Mar 28 21:13:59 2014 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/2.0 for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
21-03-14  494294    278866
22-03-14  495055    279654
23-03-14  495459    279808
24-03-14  495254    277341
25-03-14  492381    277631
26-03-14  492485    277939
27-03-14  492416    277972
28-03-14  492834    278168


AS Summary
 46632  Number of ASes in routing system
 19077  Number of ASes announcing only one prefix
  3626  Largest number of prefixes announced by an AS
AS28573: 
  119829504  Largest address span announced by an AS (/32s)
AS4134 : 


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 28Mar14 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description

Table      493014    278159   214855   43.6%  All ASes

AS6389       3008        56     2952   98.1%
AS28573      3626       797     2829   78.0%
AS17974      2777       160     2617   94.2%
AS4766       2972       905     2067   69.5%
AS18881      1917        35     1882   98.2%
AS1785       2194       370     1824   83.1%
AS18566      2048       565     1483   72.4%
AS36998      1637       175     1462   89.3%
AS4323       2943      1520     1423   48.4%
AS10620      2804      1478     1326   47.3%
AS7303       1750       456     1294   73.9%
AS4755       1843       615     1228   66.6%
AS7545       2233      1092     1141   51.1%
AS7552       1229       121     1108   90.2%
AS22561      1304       247     1057   81.1%
AS6983       1328       315     1013   76.3%
AS22773      2413      1449      964   40.0%
AS4808       1359       425      934   68.7%
AS9829       1621       716      905   55.8%
AS24560      1123       297      826   73.6%
AS18101       918       163      755   82.2%
AS7738        912       161      751   82.3%
AS8151       1405       654      751   53.5%
AS701        1484       755      729   49.1%
AS855         759        56      703   92.6%
AS4788       1000       306      694   69.4%
AS6147        784       113      671   85.6%
AS4780       1030       366      664   64.5%
AS9808        967       317      650   67.2%
AS8551        966       321      645   66.8%

Total       52354     15006    37348   71.3%  Top 30 total


Possible Bogus Routes


BGP Update Report

2014-03-28 Thread cidr-report
BGP Update Report
Interval: 20-Mar-14 -to- 27-Mar-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS4837   41011  1.4%      60.8 -- CHINA169-BACKBONE CNCGROUP China169 Backbone
 2 - AS8402   35505  1.2%      18.7 -- CORBINA-AS OJSC Vimpelcom
 3 - AS9829   35504  1.2%      22.6 -- BSNL-NIB National Internet Backbone
 4 - AS29571  31812  1.1%     170.1 -- CITelecom-AS
 5 - AS25184  28844  1.0%     225.3 -- AFRANET AFRANET Co. Tehran, Iran
 6 - AS45169  24876  0.9%    1658.4 -- GLOBAL-DESCON-AS-AP Descon Limited
 7 - AS28573  24765  0.9%       6.7 -- NET Serviços de Comunicação S.A.
 8 - AS13118  22468  0.8%     488.4 -- ASN-YARTELECOM OJSC Rostelecom
 9 - AS41691  20828  0.7%     867.8 -- SUMTEL-AS-RIPE Summa Telecom LLC
10 - AS7552   20276  0.7%      17.6 -- VIETEL-AS-AP Viettel Corporation
11 - AS50710  19542  0.7%      86.9 -- EARTHLINK-AS EarthLink Ltd. CommunicationsInternet Services
12 - AS36998  18568  0.6%      11.3 -- SDN-MOBITEL
13 - AS8151   18305  0.6%      13.0 -- Uninet S.A. de C.V.
14 - AS35819  18279  0.6%      36.0 -- MOBILY-AS Etihad Etisalat Company (Mobily)
15 - AS17974  18025  0.6%       6.5 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
16 - AS48159  16354  0.6%      89.9 -- TIC-AS Telecommunication Infrastructure Company
17 - AS4538   16280  0.6%      30.4 -- ERX-CERNET-BKB China Education and Research Network Center
18 - AS17557  15697  0.5%     130.8 -- PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
19 - AS9808   15203  0.5%      15.7 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
20 - AS45899  14515  0.5%      39.3 -- VNPT-AS-VN VNPT Corp


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS20450  14151  0.5%    7075.5 -- THL16-ASN - Trojan Hosting, LLC.
 2 - AS54465   8022  0.3%    2674.0 -- QPM-AS-1 - QuickPlay Media Inc.
 3 - AS45169  24876  0.9%    1658.4 -- GLOBAL-DESCON-AS-AP Descon Limited
 4 - AS60345    995  0.0%     995.0 -- NBITI-AS Nahjol Balagheh International Research Institution
 5 - AS41691  20828  0.7%     867.8 -- SUMTEL-AS-RIPE Summa Telecom LLC
 6 - AS14340  10962  0.4%     783.0 -- SALESFORCE - Salesforce.com, Inc.
 7 - AS47714    750  0.0%     750.0 -- DRIESSEN-AS Driessen Aerospace Group NV
 8 - AS55746    637  0.0%     637.0 -- WITT-AS-AP Western Institute of Technology at Taranaki,
 9 - AS16561   3008  0.1%     501.3 -- ARIBANETWORK Ariba Inc. Autonomous System
10 - AS13118  22468  0.8%     488.4 -- ASN-YARTELECOM OJSC Rostelecom
11 - AS11054  11226  0.4%     488.1 -- LIVEPERSON LivePerson, Inc
12 - AS57201    481  0.0%     481.0 -- EDF-AS Estonian Defence Forces
13 - AS47918    934  0.0%     467.0 -- GIGABASE Gigabase ltd
14 - AS22688    897  0.0%     448.5 -- DOLGENCORP - Dollar General Corporation
15 - AS3        441  0.0%    1987.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology
16 - AS27828   6947  0.2%     434.2 -- Universidad Mayor de San Andres
17 - AS35463    850  0.0%     425.0 -- PSM-AS Pulawska Spoldzielnia Mieszkaniowa
18 - AS12131   6528  0.2%     408.0 -- IJ-NET - Internet Junction Corporation
19 - AS62431    403  0.0%     403.0 -- NCSC-IE-AS National Cyber Security Centre
20 - AS45703    767  0.0%     383.5 -- BKPM-AS-ID Badan Koordinasi Penanaman Modal (BKPM)


TOP 20 Unstable Prefixes
Rank Prefix              Upds     %  Origin AS -- AS Name
 1 - 109.161.64.0/20    22255  0.7%  AS13118 -- ASN-YARTELECOM OJSC Rostelecom
 2 - 89.221.206.0/24    20666  0.7%  AS41691 -- SUMTEL-AS-RIPE Summa Telecom LLC
 3 - 121.52.144.0/24    15121  0.5%  AS17557 -- PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
                                     AS45773 -- HECPERN-AS-PK PERN AS Content Servie Provider, Islamabad, Pakistan
 4 - 192.58.232.0/24     9987  0.3%  AS6629  -- NOAA-AS - NOAA
 5 - 216.109.107.0/24    9868  0.3%  AS11486 -- COLO-PREM-VZB - Verizon Online LLC
                                     AS16561 -- ARIBANETWORK Ariba Inc. Autonomous System
 6 - 78.109.192.0/20     9246  0.3%  AS25184 -- AFRANET AFRANET Co. Tehran, Iran
 7 - 66.210.60.0/24      8066  0.3%  AS20450 -- THL16-ASN - Trojan Hosting, LLC.
 8 - 206.152.15.0/24     8008  0.3%  AS54465 -- QPM-AS-1 - QuickPlay Media Inc.
 9 - 205.247.12.0/24     7498  0.2%  AS6459  -- TRANSBEAM - I-2000, Inc.
10 - 42.83.48.0/20       7412  0.2%  AS18135 -- BTV BTV Cable television
11 - 199.187.118.0/24    6233  0.2%  AS11054 -- LIVEPERSON LivePerson, Inc
12 - 74.231.237.0/24     6085  0.2%  AS20450 -- THL16-ASN - Trojan Hosting, 

Re: ARIN board accountability to network operators

2014-03-28 Thread Randy Bush
 Yeah, RIPE NCC is definitely much cheaper for PI: no initial
 registration fee of ≥$500. The maintenance cost is $100/year vs
 €100/year (±$137) so there is a little difference there. The $37
 €50 per PI assignment from the ripe ncc, no?
 http://www.ripe.net/ripe/docs/ripe-591

guys, you are following an arin policy weenie's red herring.  this was
not about fees.  it was about arin's board being its own governance
review committee and having no term limits, arin forcing folk to sign
contracts with clauses saying arin can change the TsCs unilaterally and
arbitrarily, ...

randy



Re: why IPv6 isn't ready for prime time

2014-03-28 Thread William Herrin
Apropos nothing, I tried to bring up IPv6 with another service
provider today (this being the fourth I've attempted with only one
success) but all I'm getting is:

%BGP-3-NOTIFICATION: sent to neighbor ::1000:A000::6 2/7
(unsupported/disjoint capability) 0 bytes

:(

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: ARIN board accountability to network operators

2014-03-28 Thread Jay Moran
On Fri, Mar 28, 2014 at 6:13 PM, Randy Bush ra...@psg.com wrote:

 arin forcing folk to sign
 contracts with clauses saying arin can change the TsCs unilaterally and
 arbitrarily, ...


Exactly! -- Jay


Re: Cisco Security Advisory

2014-03-28 Thread Robert Drake


On 3/28/2014 4:11 PM, Scott Weeks wrote:

If a person is on multiple of *NOG mailing lists a lot of these're
received.  For example, I got well over 30 of them this round.  It'd be
nice to get something brief like this:


--
The Semiannual Cisco IOS Software Security Advisory has been released.

For information please goto this URL:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Advisory titles:
- Session Initiation Protocol Denial of Service Vulnerability
- Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks 
Denial of Service Vulnerability
- Internet Key Exchange Version 2 Denial of Service Vulnerability
- Network Address Translation Vulnerabilities
- SSL VPN Denial of Service Vulnerability
- Crafted IPv6 Packet Denial of Service Vulnerability
---

Not everyone uses cisco and not everyone needs to see every vulnerability
detail email multiple times.  Imagine if all vendors started doing what
cisco is doing.

I hate that it's spam for some and relevant for others, but in the NSP 
world you can almost be certain that someone is going to have at least 
some Cisco equipment (even companies who are known to dislike Cisco 
enough to avoid them religiously have bought other companies who might 
have Cisco gear)


Having the vulnerability in the subject draws attention to the problems 
and makes people less likely to ignore it.   When I see keywords of 
technologies I'm using, like IPv6 or 6500 I tend to read through 
carefully to see if I'm vulnerable.  Because it can be difficult and 
time consuming to see if all your gear is vulnerable, if it's a bug in 
obscure card I didn't buy one of or weird technology I haven't had a 
chance to run then I'm not as diligent.  I guess I might be selfish 
because seeing 5 advisories at once is like a giant line break in NANOG 
discussions, so it's harder to tune it out and skip the emails :)


They could Bcc: all the lists they are sending to in one set of emails 
so the message-id is the same, then you could filter duplicates at 
least.  Or they could do the summary email like you guys want, whichever 
makes people happy.  :)




:-(

scott



:-(
Robert



Re: Cisco Security Advisory

2014-03-28 Thread Scott Weeks


--- rdr...@direcpath.com wrote:
From: Robert Drake rdr...@direcpath.com

because seeing 5 advisories at once is like a giant line break in NANOG 
discussions, so it's harder to tune it out and skip the emails :)

They could Bcc: all the lists they are sending to in one set of emails 
so the message-id is the same, then you could filter duplicates at 
least.  Or they could do the summary email like you guys want, whichever 
makes people happy.  :)



You got 5 (actually 6 this time) perhaps because you're only on NANOG.
I got over 30 this time and once when there were 9 vulnerabilities
I got almost 50 emails from cisco.

scott



Re: Cisco Security Advisory

2014-03-28 Thread Mark Tinka
On Saturday, March 29, 2014 02:34:13 AM Scott Weeks wrote:

 You got 5 (actually 6 this time) perhaps because you're
 only on NANOG. I got over 30 this time and once when
 there were 9 vulnerabilities I got almost 50 emails from
 cisco.

I've always known that Cisco will submit their notices to 
multiple lists, including their own. So when I see it on one 
list, I already know to expect it on others. Given how easy 
they are to identify, I immediately delete them from other 
lists which I've decided is not the primary list I want to 
learn them on.

It does help that they stack them up in one batch, so you 
don't even need to think about it much.

But clearly, this is one of those issues where you have a 
good amount of folk on either side of the fence.

Mark.




Re: Cisco Security Advisory

2014-03-28 Thread Larry Sheldon

On 3/29/2014 12:43 AM, Mark Tinka wrote:


But clearly, this is one of those issues where you have a
good amount of folk on either side of the fence.


I wonder what the ratio of "I don't want that info here" (for various 
values of "here") to "Geez!  WHY didn't somebody tell me" is.


--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)