Re: internet governance, rir policy, and the decline of civilization
On (2014-09-20 13:32 +0900), Randy Bush wrote:

> http://mailman.apnic.net/mailing-lists/sig-policy/archive/2014/09/msg00049.html

Interesting quote from the paper. I've sometimes wondered if RIRs do too much, if there is inherent mission creep to justify increasing revenue due to an increasing member base. While it is often useful to the community and at least mostly harmless, it may reduce competition in areas that do not strictly need to be monopolized.

I believe monopolies are good for many things, but the scope of each monopoly should be well defined and no mission creep should be allowed.

I'm not sure, for example, if 11MEUR is needed for number registry personnel costs; that could give you 100 hostmasters with a 5500EUR/month salary. In good likelihood, we'd be able to run a focused number registry with volunteers.

Inside a monopoly, there is always an honest belief that you are operating as leanly as you can, because usually no organization realizes its inefficiencies until it must to survive.

--
++ytti
Saying goodnight to my GSR
Has been running for a while, time to shut ‘er down. She (is a router a she?) used to handle all of my BGP GigE links but over the years has been demoted to OSPF and T1 aggregation. If anyone needs a boat anchor let me know.

gsr8-1#show version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(30)S3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 30-Jun-05 18:29 by pwade
Image text-base: 0x50010E80, data-base: 0x536E8000

ROM: System Bootstrap, Version 11.2(20030108:132517) [jkuzma-112 2.2] RELEASE SOFTWARE

gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
System image file is slot0:gsr-p-mz.120-30.S3.bin

cisco 12008/GRP (R5000) processor (revision 0x05) with 524288K bytes of memory.
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on

2 Route Processor Cards
2 Clock Scheduler Cards
3 Switch Fabric Cards
2 Single Port Gigabit Ethernet/IEEE 802.3z controllers (2 GigabitEthernet).
1 Three Port Gigabit Ethernet/IEEE 802.3z controller (3 GigabitEthernet).
1 Ethernet/IEEE 802.3 interface(s)
5 GigabitEthernet/IEEE 802.3 interface(s)
507K bytes of non-volatile configuration memory.

20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710

E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com
Re: Saying goodnight to my GSR
On 2014-09-20 16:18, Matthew Crocker wrote:
[..]
> IOS (tm) GS Software (GSR-P-M), Version 12.0(30)S3, RELEASE SOFTWARE (fc2)
[..]
> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes

Thank you for finally taking a vulnerable system off the Internet!

Greets,
 Jeroen
Re: Saying goodnight to my GSR
On Sep 20, 2014, at 10:18 AM, Matthew Crocker matt...@corp.crocker.com wrote about his old router:

SNIP/
> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
> Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
> System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
SNIP/

Matt,

Wow. You have amazing power reliability! Want to tell us your secret?

Regards.

James R. Cutler
james.cut...@consultant.com
PGP keys at http://pgp.mit.edu
Re: Saying goodnight to my GSR
-48VDC.

On Sep 20, 2014, at 10:58 AM, James R Cutler james.cut...@consultant.com wrote:

> On Sep 20, 2014, at 10:18 AM, Matthew Crocker matt...@corp.crocker.com wrote about his old router:
>
> SNIP/
>> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
>> Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
>> System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
> SNIP/
>
> Matt,
>
> Wow. You have amazing power reliability! Want to tell us your secret?
>
> Regards.
>
> James R. Cutler
> james.cut...@consultant.com
> PGP keys at http://pgp.mit.edu
Re: Saying goodnight to my GSR
So when was the last time you patched this internet facing device?

On Sep 20, 2014 7:12 PM, Matthew S. Crocker matt...@corp.crocker.com wrote:

> -48VDC.
>
> On Sep 20, 2014, at 10:58 AM, James R Cutler james.cut...@consultant.com wrote:
>
>> On Sep 20, 2014, at 10:18 AM, Matthew Crocker matt...@corp.crocker.com wrote about his old router:
>>
>> SNIP/
>>> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
>>> Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
>>> System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
>> SNIP/
>>
>> Matt,
>>
>> Wow. You have amazing power reliability! Want to tell us your secret?
>>
>> Regards.
>>
>> James R. Cutler
>> james.cut...@consultant.com
>> PGP keys at http://pgp.mit.edu
Re: Saying goodnight to my GSR
OK thank you for decommissioning this.*

* Only if you either had authority to do so for max 1 year or had no authority but were fighting to have it patched or replaced for years.

On Sep 20, 2014 7:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:

> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>> So when was the last time you patched this internet facing device?
>
> Isn't the better response, thank you for decommissioning it?
>
> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?
>
> Thanks,
> Dan
Re: Saying goodnight to my GSR
On Sep 20, 2014, at 10:37, Bacon Zombie baconzom...@gmail.com wrote:

> So when was the last time you patched this internet facing device?

Sunday sept 4 2005? Seems like a good run. If it hasn't been rooted or fallen over since then it's apparently pretty secure...

> On Sep 20, 2014 7:12 PM, Matthew S. Crocker matt...@corp.crocker.com wrote:
>
>> -48VDC.
>>
>> On Sep 20, 2014, at 10:58 AM, James R Cutler james.cut...@consultant.com wrote:
>>
>>> On Sep 20, 2014, at 10:18 AM, Matthew Crocker matt...@corp.crocker.com wrote about his old router:
>>>
>>> SNIP/
>>> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
>>> Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
>>> System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
>>> SNIP/
>>>
>>> Matt,
>>>
>>> Wow. You have amazing power reliability! Want to tell us your secret?
>>>
>>> Regards.
>>>
>>> James R. Cutler
>>> james.cut...@consultant.com
>>> PGP keys at http://pgp.mit.edu
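The reply above works the last patch date out by hand from the uptime in `show version`. The script below is an added example, not code from anyone in this thread: it parses the same fields (release, compile date, chassis and control-processor uptime) from a `show version` capture and reports how long the box has run without a reload and how old its running image is, so the same check can be run over a fleet's saved captures instead of one post at a time. The sample input is the output Matthew posted, re-typed as a constructed string; the one-year thresholds and the use of the thread's date (2014-09-20) as "today" are assumptions, not values from the page.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample input: the lines this script reads, re-typed from the
# `show version` output quoted earlier in the thread.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(30)S3, RELEASE SOFTWARE (fc2)
Compiled Thu 30-Jun-05 18:29 by pwade
ROM: System Bootstrap, Version 11.2(20030108:132517) [jkuzma-112 2.2] RELEASE SOFTWARE
gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
Uptime for this control processor is 9 years, 2 weeks, 2 days, 18 minutes
System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6 2005
System image file is slot0:gsr-p-mz.120-30.S3.bin
"""

# Assumption: the date of the thread is used as "today" so the numbers are reproducible.
THREAD_DATE = date(2014, 9, 20)

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)")
COMPILED_RE = re.compile(r"^Compiled \w{3} (\d{1,2}-\w{3}-\d{2}) ", re.MULTILINE)
UPTIME_RE = re.compile(r"^(\S+) uptime is (.+)$", re.MULTILINE)
CP_UPTIME_RE = re.compile(r"^Uptime for this control processor is (.+)$", re.MULTILINE)
DURATION_RE = re.compile(r"(\d+) (year|week|day|hour|minute)s?")
# IOS counts a year of uptime as 365 days; mirror that so estimates match the box.
UNIT = {"year": timedelta(days=365), "week": timedelta(weeks=1), "day": timedelta(days=1),
        "hour": timedelta(hours=1), "minute": timedelta(minutes=1)}


def parse_version(text):
    """Return (major, minor, maintenance, train, rebuild), e.g. (12, 0, 30, 'S', 3)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no IOS version line found")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild or 0))


def version_string(v):
    major, minor, maint, train, rebuild = v
    return f"{major}.{minor}({maint}){train}{rebuild or ''}"


def compare_versions(a, b):
    """Order two parsed releases of the same train: -1, 0 or 1 (trains are not comparable)."""
    if a[3] != b[3]:
        raise ValueError(f"cannot order releases from different trains: {a[3]!r} vs {b[3]!r}")
    ka, kb = (a[0], a[1], a[2], a[4]), (b[0], b[1], b[2], b[4])
    return (ka > kb) - (ka < kb)


def parse_duration(text):
    """'9 years, 9 weeks, 2 days, 8 hours, 39 minutes' -> timedelta."""
    total = timedelta()
    for qty, unit in DURATION_RE.findall(text):
        total += int(qty) * UNIT[unit]
    return total


def parse_compiled(text):
    m = COMPILED_RE.search(text)
    if m is None:
        raise ValueError("no 'Compiled' line found")
    return datetime.strptime(m.group(1), "%d-%b-%y").date()


def parse_uptime(text):
    """Return (hostname, chassis uptime, control-processor uptime or None)."""
    m = UPTIME_RE.search(text)
    if m is None:
        raise ValueError("no uptime line found")
    cp = CP_UPTIME_RE.search(text)
    return m.group(1), parse_duration(m.group(2)), (parse_duration(cp.group(1)) if cp else None)


def assess(show_version, today, max_uptime_days=365, max_image_age_days=365):
    """Summarise how long a box has run without a reload or a newer image, judged on `today`."""
    hostname, uptime, cp_uptime = parse_uptime(show_version)
    version = parse_version(show_version)
    compiled = parse_compiled(show_version)
    image_age = today - compiled
    findings = []
    if uptime.days > max_uptime_days:
        findings.append(f"no reload for {uptime.days} days, so no new image since about {today - uptime}")
    if image_age.days > max_image_age_days:
        findings.append(f"running image was compiled {image_age.days} days ago ({compiled})")
    return {
        "hostname": hostname,
        "version": version_string(version),
        "compiled": compiled.isoformat(),
        "image_age_days": image_age.days,
        "uptime_days": uptime.days,
        "boot_estimate": (today - uptime).isoformat(),
        "cp_uptime_days": cp_uptime.days if cp_uptime else None,
        "cp_boot_estimate": (today - cp_uptime).isoformat() if cp_uptime else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, THREAD_DATE).items():
        print(f"{key}: {value}")
```

On the sample, the control-processor uptime lands on 2005-09-06, the same day as the Stateful Switchover line, and the chassis uptime on mid-July 2005; the leap days between 2005 and 2014 are why a by-hand count that treats a year as 365 days comes out two days earlier. Releases are only ordered within one train (the `S` in `12.0(30)S3`), because maintenance numbers from different trains say nothing about each other.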
Re: internet governance, rir policy, and the decline of civilization
Quis custodiet ipsos custodes?

-b
Re: Saying goodnight to my GSR
On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:

> So when was the last time you patched this internet facing device?

Isn't the better response, thank you for decommissioning it?

Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?

Thanks,
Dan
Re: Saying goodnight to my GSR
Again, you're focusing resentment towards someone who did the right thing. Negative reinforcement will discourage others from taking action and will discourage them from encouraging others to take action.

Let's focus on who still has vulnerable equipment and how to help them. Let's not shame people who did the right thing.

Thanks,
Dan

On Sat, Sep 20, 2014 at 1:59 PM, Bacon Zombie baconzom...@gmail.com wrote:

> OK thank you for decommissioning this.*
>
> * Only if you either had authority to do so for max 1 year or had no authority but were fighting to have it patches or replaced for years.
>
> On Sep 20, 2014 7:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:
>
>> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>> So when was the last time you patched this internet facing device?
>>
>> Isn't the better response, thank you for decommissioning it?
>>
>> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?
>>
>> Thanks,
>> Dan
Re: Saying goodnight to my GSR
On Sep 20, 2014, at 1:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:

> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>> So when was the last time you patched this internet facing device?
>
> Isn't the better response, thank you for decommissioning it?
>
> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?

OpenSNMPProject has some of this data for devices that respond to the string ‘public’. Lots of old stuff out there.

- Jared
RE: Saying goodnight to my GSR
And what, exactly, is it vulnerable to?

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Daniel Sterling
Sent: Saturday, 20 September, 2014 12:06
To: Bacon Zombie
Cc: nanog@nanog.org
Subject: Re: Saying goodnight to my GSR

> Again, you're focusing resentment towards someone who did the right thing. Negative reinforcement will discourage others from taking action and will discourage them from encouraging others to take action.
>
> Let's focus on who still has vulnerable equipment and how to help them. Let's not shame people who did the right thing.
>
> Thanks,
> Dan
>
> On Sat, Sep 20, 2014 at 1:59 PM, Bacon Zombie baconzom...@gmail.com wrote:
>
>> OK thank you for decommissioning this.*
>>
>> * Only if you either had authority to do so for max 1 year or had no authority but were fighting to have it patches or replaced for years.
>>
>> On Sep 20, 2014 7:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:
>>
>>> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>> So when was the last time you patched this internet facing device?
>>>
>>> Isn't the better response, thank you for decommissioning it?
>>>
>>> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?
>>>
>>> Thanks,
>>> Dan
Re: Saying goodnight to my GSR
> And what, exactly, is it vulnerable to?

Most of these, I'd imagine:
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/release/ntes/120SCAVS.html

On 20 September 2014 14:25, Keith Medcalf kmedc...@dessus.com wrote:

> And what, exactly, is it vulnerable to?
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Daniel Sterling
> Sent: Saturday, 20 September, 2014 12:06
> To: Bacon Zombie
> Cc: nanog@nanog.org
> Subject: Re: Saying goodnight to my GSR
>
>> Again, you're focusing resentment towards someone who did the right thing. Negative reinforcement will discourage others from taking action and will discourage them from encouraging others to take action.
>>
>> Let's focus on who still has vulnerable equipment and how to help them. Let's not shame people who did the right thing.
>>
>> Thanks,
>> Dan
>>
>> On Sat, Sep 20, 2014 at 1:59 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>
>>> OK thank you for decommissioning this.*
>>>
>>> * Only if you either had authority to do so for max 1 year or had no authority but were fighting to have it patches or replaced for years.
>>>
>>> On Sep 20, 2014 7:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:
>>>
>>> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>> So when was the last time you patched this internet facing device?
>>>
>>> Isn't the better response, thank you for decommissioning it?
>>>
>>> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?
>>>
>>> Thanks,
>>> Dan
Re: Saying goodnight to my GSR
On (2014-09-20 14:25 -0600), Keith Medcalf wrote:

> And what, exactly, is it vulnerable to?

Fair question. Felix Lindner has shown some ~0 budget attacks on IOS. But I'm not sure if there actually are known attack vectors for a properly secured system (iACL, rACL in this case). Crash bugs are probably there, but those are likely in every release, and some motivation + lab time might yield a successful DoS attack on the platform; and if you're L2 connected to a router, most are DoSable anyhow, regardless of version.

Personally, I wouldn't be too worried about this. If I were, I wouldn't dare to run any commercially or otherwise available networking operating system; they all have a terrible history in terms of software reliability against attacks.

But there appears to be no actual business case for security: if we look at Fortune 500 companies who have been thoroughly pwned, it has not impacted their market cap. The public sector, including the military, is happy to buy 'audited' network connections from commercial companies running commercial systems, which all certainly are pwnable with an extremely modest budget, regardless of how new a release they are running.

--
++ytti
RE: Saying goodnight to my GSR
I do not see any vulnerabilities listed there. Only documentation of behavioral bugs, caveats, and restrictions.

A vulnerability would be something like the one Microsoft introduced into all versions of the Windows IP stack after Windows 2003 and Windows XP, wherein the Operating System will execute the payload of an IP packet with SYSTEM authority and SYSTEM integrity when a crafted IP packet is received in which a certain combination of invalid and reserved header bits are set.

-Original Message-
From: Ruairi Carroll [mailto:ruairi.carr...@gmail.com]
Sent: Saturday, 20 September, 2014 14:57
To: Keith Medcalf
Cc: Daniel Sterling; Bacon Zombie; nanog@nanog.org
Subject: Re: Saying goodnight to my GSR

>> And what, exactly, is it vulnerable to?
>
> Most of these, I'd imagine:
> http://www.cisco.com/c/en/us/td/docs/ios/12_0s/release/ntes/120SCAVS.html
>
> On 20 September 2014 14:25, Keith Medcalf kmedc...@dessus.com wrote:
>
>> And what, exactly, is it vulnerable to?
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Daniel Sterling
>> Sent: Saturday, 20 September, 2014 12:06
>> To: Bacon Zombie
>> Cc: nanog@nanog.org
>> Subject: Re: Saying goodnight to my GSR
>>
>>> Again, you're focusing resentment towards someone who did the right thing. Negative reinforcement will discourage others from taking action and will discourage them from encouraging others to take action.
>>>
>>> Let's focus on who still has vulnerable equipment and how to help them. Let's not shame people who did the right thing.
>>>
>>> Thanks,
>>> Dan
>>>
>>> On Sat, Sep 20, 2014 at 1:59 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>>
>>> OK thank you for decommissioning this.*
>>>
>>> * Only if you either had authority to do so for max 1 year or had no authority but were fighting to have it patches or replaced for years.
>>>
>>> On Sep 20, 2014 7:54 PM, Daniel Sterling sterling.dan...@gmail.com wrote:
>>>
>>> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie baconzom...@gmail.com wrote:
>>> So when was the last time you patched this internet facing device?
>>>
>>> Isn't the better response, thank you for decommissioning it?
>>>
>>> Can someone from cisco set up a poll or release whatever numbers they have about how many of these old devices are still in service?
>>>
>>> Thanks,
>>> Dan
Re: Saying goodnight to my GSR
- Original Message -
From: Matthew Crocker matt...@corp.crocker.com

> Has been running for a while, time to shut ‘er down. She (is a router a she?) used to handle all of my BGP GigE links but over the years has been demoted to OSPF and T1 aggregation. If anyone needs a boat anchor let me know.

Please tell me her nodename is 'gracie'.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
Re: internet governance, rir policy, and the decline of civilization
On Sat, Sep 20, 2014 at 3:56 AM, Saku Ytti s...@ytti.fi wrote:

> I'm not sure for example, if 11MEUR is needed for number registry personnel costs, that could give you 100 hostmasters with 5500EUR/month salary, in good likelihood, we'd be able to run focused number registry with volunteers.

I think your math is off? 11,000,000 / 100 == 110,000 / 12 == 9,166 month right? Did you mean '200 hostmasters at 5500/month' ?

you'd likely also have to put into the mix the cost of infrastructure, right? I'm not sure what current arin/ripe/apnic folk have deployed, I imagine some servers (100k of gear? replaced every 3yrs?) and routing/switching devices (2M replaced every 3 yrs), and link costs.

-chris
Re: internet governance, rir policy, and the decline of civilization
>> I'm not sure for example, if 11MEUR is needed for number registry personnel costs, that could give you 100 hostmasters with 5500EUR/month salary, in good likelihood, we'd be able to run focused number registry with volunteers.
>
> I think your math is off? 11,000,000 / 100 == 110,000 / 12 == 9,166 month right? Did you mean '200 hostmasters at 5500/month' ?
>
> you'd likely also have to put into the mix the cost of infrastructure, right? I'm not sure what current arin/ripe/apnic folk have deployed, I imagine some servers (100k of gear? replaced every 3yrs?) and routing/switching devices (2M replaced every 3 yrs), and link costs.

we could nit-pick saku's arithmetic to death, but what would we learn? it costs money and clue to run a good registry, news at eleven.

in '92 or whenever, when the nic contract went out to bid, rick said he'd do it for free with some simple scripts. it's a long way from that to where we are today, and i doubt either extreme is where we should be.

i suspect that if we threw out all the micro-management policies, restrictions on transfers, barriers to entry for legacy and newcomers, etc., we might be able to move significantly closer to rick's idealistic position. but it would require a change of paradigm, and that usually requires a lot of folk retiring.

so to repeat/paraphrase what i just said in the apnic forum, someone too shy to post here (yes, virginia, there are such people:) suggested i shill for them. i think their points are worth it.

reasonable public resource governance practice would include at least the following:

- term limits for board and committee positions (maybe 2-4 years?)
- ten year employment caps on executive staff
- members decide bylaws and budgets

and as i suggested to arin, a gov/ops review consultation consisting of folk with some stature in these areas, and not having any members from board or staff.

i would love to see some folk with enable on the board, such as you. but without the paradigm shift, it would just be pain and torture to no real avail. and good folk with enable are too busy enabling the internet as opposed to making careers as wannabe micro-policy wonks.

randy
Re: internet governance, rir policy, and the decline of civilization
On Sat, Sep 20, 2014 at 9:32 PM, Randy Bush ra...@psg.com wrote:

>>> I'm not sure for example, if 11MEUR is needed for number registry personnel costs, that could give you 100 hostmasters with 5500EUR/month salary, in good likelihood, we'd be able to run focused number registry with volunteers.
>>
>> I think your math is off? 11,000,000 / 100 == 110,000 / 12 == 9,166 month right? Did you mean '200 hostmasters at 5500/month' ?
>>
>> you'd likely also have to put into the mix the cost of infrastructure, right? I'm not sure what current arin/ripe/apnic folk have deployed, I imagine some servers (100k of gear? replaced every 3yrs?) and routing/switching devices (2M replaced every 3 yrs), and link costs.
>
> we could nit-pick saku's arithmetic to death, but what would we learn? it costs money and clue to run a good registry, news at eleven.

sure, my point wasn't really that 'math is wrong', so much as 'running a registry likely costs some cake in gear/bw/admin-time' and that i'm not sure that 11m is off as a number close to the scale of the cost/problem.

> i would love to see some folk with enable on the board, such as you.

can't other officer from same company already serving, phew! :) (see bullfighter turn stance)

> but without the paradigm shift, it would just be pain and torture to no real avail. and good folk with enable are too busy enabling the internet as opposed to making careers as wannabe micro-policy wonks.

I also agree that 'lots of policy' hasn't really gotten us anywhere :(
Re: internet governance, rir policy, and the decline of civilization
> I also agree that 'lots of policy' hasn't really gotten us anywhere :(

cheap shot

this is not exactly true. we just don't like where it has gotten us :)

randy
Re: internet governance, rir policy, and the decline of civilization
On Sat, Sep 20, 2014 at 9:47 PM, Randy Bush ra...@psg.com wrote:

>> I also agree that 'lots of policy' hasn't really gotten us anywhere :(
>
> cheap shot
>
> this is not exactly true. we just don't like where it has gotten us :)

that's a fair cheap shot.
Re: internet governance, rir policy, and the decline of civilization
>>> I also agree that 'lots of policy' hasn't really gotten us anywhere :(
>>
>> cheap shot
>>
>> this is not exactly true. we just don't like where it has gotten us :)
>
> that's a fair cheap shot.

https://www.apnic.net/policy/proposals/prop-103

randy