...on the list who might be able to comment on how they/you/BT is
detecting downstream clients that are bot-infected, and how exactly
you are dealing with them?
Unfortunately, the way you phrased that question is
rather journalistic and in BT, as in most large companies,
employees are
We also see this with extranet/supply-chain-type connectivity
between large companies who have overlapping address space,
and I'm afraid it's only going to become more common as more
of these types of relationships are established.
Fortunately, IP addresses are not intended for use on the
The problem is that you can't be sure that if you use RFC1918
today you won't be bitten by its non-uniqueness property in
the future. When you're asked to diagnose a fault with a
device with the IP address 192.168.1.1, and you've got an
unknown number of candidate devices using that
how do you define your schema?
how long does it take to insert/index/whatnot the data?
This is a much bigger deal than most people realize.
Poor schema design will cause your system to choke
badly when you try to scale it. In fact, relational
databases are not the ideal way to store this kind
But to start with, just solving the data storage problem is a good
place to start.
How about something like:
http://www.hdfgroup.org/whatishdf5.html
That certainly has a lot of support in the scientific community
in similar applications such as astronomy and high-energy
physics.
This is where DBMSs designed for data warehouses might come
into play, something like SybaseIQ. It is adapted for long
term storage and retrieval.
If you understand the finer details of schema design for
data warehousing such as star schemas and snowflake schemas
then you will probably
Define legit spammer. Do you mean one who was just advertising a
real product, albeit in an objectionable fashion, as opposed to those
who are trying to spread malware or commit fraud?
If you can read foreign languages, you are probably still receiving SPAM
for legitimate products. Just
Going back to this thread, http://www.kx.com/ deals in
financial transaction databases where they store millions of ticks.
They appear to have a transaction-based language with a solution
that appears to be robust and fail resistant.
Hmm, that is quite interesting. And apparently
An SLA is a contract.
A contract is... a contract.
Does that mean you can take them to small claims court if they don't pay
you the agreed SLA credits?
--Michael Dillon
Absolutely, so long as the amount in controversy
doesn't exceed the small claims limit in your jurisdiction.
If it does, off to regular court.
And the nice thing about small claims court, if you meet the maximum
limit of course, is that large companies often are lazy about dealing
with the
[Perhaps my viewpoint is skewed because channel-delivered TV content
in Canada is horrible; it's almost as bad as American TV. I seem to
think that broadcast TV in the UK is more tolerable, although I haven't
really seen it since I left the UK in the mid 90s so perhaps
I'm just
I know routers today have the ability to prioritize
traffic, but last I heard, these controls are not
often used for user traffic (let's not discuss
net neutrality here).
Are they used for control (e.g., routing) traffic?
They are used for BUSINESS traffic. Also, since these controls make
Subject: Re: Solaris telnet vuln solutions digest and network risks
This post appears to have been written for another mailing
list (where it is
probably on-topic). Why did you repost it to NANOG-L?
Do you know of any network operators who have no Solaris boxes at all
used in the
I agree with Gadi. Everything which affects Internet
stability (e.g. DNS
denial-of-service attacks) deserves attention of network
operators. IMHO
it's time to think about a new NANOG AUP.
Back in the beginning of December, I posted a message:
I've concluded three things (by doing experiments like
that). (a) Where there are Windows boxes, there are zombies.
Securing Microsoft operating systems adequately for use on the
Internet is not a solved problem in computing.
I disagree. Since 1994 I have been in the habit of
Therefore, I assert that securing systems adequately for use on the
Internet is indeed a SOLVED PROBLEM in computing.
A HUNDRED MILLION machines beg to differ.
You misunderstand. The problem of securing machines *IS* solved. It is
possible. It is regularly done with servers connected to
It is regularly done with servers connected to the Internet.
There is no *COMPUTING* problem or technical problem.
I beg to differ. Yes, it is possible for tech-savvy users to secure
their machines pretty effectively. But the level of technical
knowledge required to do so is
But suppose you put such a firewall in place. You'll need to
configure the firewall properly -- paying as much attention to
outbound rules as inbound.
Sounds like a good thing to document in a best practices document that
can be used to certify firewall implementations. When trying to solve
I look forward to your paper on the end to end concept, and
why it doesn't
apply to email ;)
Clearly the answer is that it never has applied to email in the past.
Hosts don't email each other, people do. People have always relied on
Internet postmaster services to enable Internet email.
Now, even those people have shifted to a hierarchical
architecture of
instant-messaging servers.
In what way is IM hierarchical?
Jabber/XMPP has a mesh-of-stars topology
That is hierarchy. One level is a star topology, the next level is a
mesh.
which is the same as email's
modulo
Well Steve, it's like this: There are (a) security experts,
(b) security
experts, and (c) guys that spend their day making things
usable in spite of
what the rest of the net throws in their AS's direction.
You're an example of
one, I'm an example of another, and the advocates of
I think this really goes to the heart of the matter - the inability/
unwillingness to prioritize and allocate resources to properly
implement 'good neighbor' policies which are not perceived as having
any financial benefit to the organization.
So, can this sort of activity somehow be
No, the SP can't be the 'Internet
firewall' for customers,
They can if the SP supplies and manages the CPE device. Nowadays, a lot
of functionality could potentially be provided in a CPE device. Hardware
cost and hardware capabilities are no longer barriers to doing this.
There is still
Disabling their port and punting them to customer support is
NOT a cost
efficient way of dealing with the problems, at least not in
the market I
am in.
It's like the car rental business. If you want to provide cars to people
without a driver's license, then your customer support people
I do admit that I haven't been keeping up on BPL technology lately, as
I am not in [and know only one person living in] an area where power
lines are the only cabled connection to the world. My point was more
that there are areas where it's simply impractical to put out many of
the
I have an east coast and west coast data center connected
with a DS3. I am running into issues with streaming data via
TCP and was wondering besides hardware acceleration, is there
any options at increasing throughput and maximizing the
bandwidth?
Use GigE cards on the servers with a
What you want to see is large packets, as large as your end-to-end
infrastructure can support.
Personally, I would prefer to see more people fixing the infrastructure
rather than accepting it as a limit. Install some Linux servers even if
all they do is run an application layer proxy to turn
The original poster was talking about a streaming application -
increasing the frame size can cause it to take longer for frames
to fill a packet and then hit the wire, increasing actual latency
in your application.
Probably doesn't matter when the stream is text, but as voice and
The only constant is the malicious domain name.
If we are able to take care of all the rest, and DNS becomes
the one facet
which can rewind the wheel, DNS is the problem.
You have just explained how DNS is *NOT* the problem. The only constant
is the domain name. That is handled by
The US Department of Homeland Security (DHS) ...
wants to have the key to sign the DNS root zone
solidly in the hands of the US government.
This ultimate master key would then allow
authorities to track DNS Security Extensions
(DNSSec) all the way back to the servers that
represent the
It is probably time to start looking at alternative naming
systems. For instance, we have a much better understanding of P2P
technology these days and a P2P mesh could serve as the top level
finder in a naming system rather than having a fixed set of roots.
The only serious (?)
Problems I can see with this would be when someone on the P2P begins
injecting false data into a stream. How would the mesh be
structured so
as to avoid this.
There is a lot of literature about P2P networking in its many
variations. The nice thing is that it is mostly freely available on
[unicity of names] does not exist in DNS unless you take an
extremely narrow technical view.
I thought that NANOG was for extremely narrow technical
discussions. For bold We will replace the DNS and IP while we're at
it discussions, there are other forums :-)
Yes, I was surprised when
I think this might be a bit in conflict with efforts
registries have
to reduce the turnaround in zone modification to the order
of tens of
minutes.
Why is this necessary? Other than the cool factor.
I think the question is why should the Internet be constrained to
engineering
You cannot mandate how hard somebody must work. It doesn't work. Make
it
'expensive enough' to be wrong, and *then* they will make the
necessary effort
to be 'right'.
Some people block mail from bad places in an attempt to hurt the bad
place, i.e. in an attempt to make it expensive for
In the end the cure is worse than the disease (by abusing the
anti-abuse system. DMCA abuse anyone? Or the stupid bogons list so
many people forget to update every friggin time IANA allocates a
new /8 to one of the RIRs?)
It's interesting to see how bandaid solutions increase the
Perhaps the message here is that you get what you pay for. For a rock
bottom price, You get rock bottom service. There are registrars that
charge considerably more and provide considerably more service.
There just isn't enough hierarchy in the DNS. Back when I was running my
own ISP, I gave
Again - DNS is the infrastructure for EVERYTHING. It facilitates
EVERYTHING.
Not so. On the public Internet applications like eDonkey and eMule work
fine without it. We run a global IP network that is not connected to the
public Internet and over 90% of our customers' applications don't use
: Soon Internet email will be like IRC, a quaint
: service for Internet enthusiasts and oldtimers,
: but not a useful tool for businesses or ordinary
: individuals.
Hey, you've just described the FUSSP! :-(
Solution!?
Since when is a description of one aspect of the problem,
There is no need for rapidly unannounced updates by the
registries.
That simply isn't true.
You're right. Just like there is a very strong need for an airline that
offers 5 minutes from curb to seat checkin service. The need exists but
it ain't gonna be filled anytime soon because the
If you're going to do any vetting, the time to do it is at
registration,
not at crunch time.
The bulk of the discussion over the past few days was directed at the
practice of rapid updates of BRAND NEW DOMAIN NAMES. Clearly this is
entirely separate from the issue of updating information for
Analogies that compare to a postulated situation which is patently
false are amusing, but non-constructive. You might wish to bone up on
your understanding of US firearms law (preferably from a source other
than CSI or Law & Order [insert standard disparaging comment about the
mass media
I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.
How do you tell when they have actually done due diligence.
Existence of a SWIP record
I have to disagree. SWIP is not meaningless.
In my company some functions related to sending a SWIP are
automated, but my company has people on staff who know that
it is happening and what it means.
And I talk with plenty of other companies that fall into the
same boat.
In
Because I haven't got unlimited WHOIS queries. (Although I
and everyone
else *should* have those. There are no valid reasons to
rate-limit any
form of WHOIS query.)
Yes there are. The current whois returns way more information on a query
than you need for network operations. That's
SWIP is a process used by organizations to submit information about
downstream customer's address space reassignments to ARIN for
inclusion
in the WHOIS database. Its goal is to ensure the effective
and efficient
maintenance of records for IP address space.
Lovely language but it
Maybe ARIN staff should start re-writing policies and
implementing punishments. I guarantee you that if operators were
penalized for not following rules, for allowing filth to leave
their networks, many maladies on the net would be
cut substantially.
Sorry, that's not their job.
As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow?
Because you might be a better writer than those other folks. You might
be able to present the right balance of technical detail and policy
goals to be understood by a larger number
I know from experience this doesn't scale into the hundreds of
thousands of customers and can only imagine the big ass eyeball
network's scalability issues...
Hear hear...
Scaling process and procedures is often as hard or harder than
scaling technical things...
It's true. But
No, I doubt it will change. The CRC algorithm used in Ethernet is
already strained by the 1500-byte-plus payload size. 802.3
won't extend
to any larger size without running a significant risk of the CRC
algorithm failing.
I believe this has already been debunked.
From a
We checked with IANA, ARIN, and the US DoD regarding 7.0.0.0/8. We
were told that this netblock should not see the light of day,
10/8 used to be a DoD address block, but it was also used exclusively in
their blacker networks and similar non-connected infrastructure. The
result is that 10/8
Is it just me or does all of this have the odor of
amateur hour around it? Inconsistencies between
the various databases, IANA can't make
http://www.iana.org/assignments/ipv4-address-space
such that it's unambiguously parsable, ARIN backdates
some of the address space it gives out, RIPE used
10/8 used to be a DoD address block, but it was also used
exclusively in
their blacker networks and similar non-connected infrastructure. The
result is that 10/8 was opened up for others to use as
well. Could we do
similar with 7/8?
What problem would that solve instead of reducing
Why doesn't IANA operate a whois server?
Why should they? What will it produce?
It will produce an authoritative source of information that automated
systems can query and where those systems can reliably parse the output.
In cases where a human needs to check unusual cases, there will be a
Why doesn't IANA and the RIRs collectively get off their butts and
actually make an authoritative IP address allocation
directory one of
their goals?
And why don't they do all this with some 21st century technology?
A new system based on IRIS protocol (XML based using BEEP as
Come on, let's not get carried away.
The problem with the IANA file is that reserved is ambiguous and
there are other things in there that get in the way of easy parsing.
This is easy enough to fix. Geoff Huston wrote a draft
suggesting how
to do it.
Whois, LDAP and other stuff
With whois, I'd need to do 256 lookups, and I'd probably have to
implement the whois protocol myself (ok, trivial, but still) because
I can't just use one of the 3 million HTTP utils/libraries.
Really?
Do you know for a fact that the IANA whois server will not support
lookups for 0.0.0.0
Why don't they publish a more detailed explanation field
in each IANA allocation record so that they can explain the precise
status of each block?
IANA's role in this should be 'Ugh. Here Big Block. Go Talk to RIR.'
I was referring to the cases where they don't say that.
For
And I know a company that has been using 1/8, 2/8, 3/8,
4/8, 5/8, 6/8,
7/8 and 8/8 for many years, also behind NAT or on
non-Internet connected
networks. But that is not what I am talking about here.
...
And what happens if the legitimate owners of those already allocated
start
www.hitachi.co.jp
this one is very interesting! :-)
does anybody know more from Japan, regarding largely known brands?
They developed IPv6 shims for their Windows 95 network drivers to allow
all PCs using their network cards to use IPv6.
--Michael Dillon
As you can see we do indeed own these blocks:
Nope, you do NOT own these blocks:
OrgName:Rogers Cable Communications Inc.
OrgID: RCC-99
Address:One Mount Pleasant
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country:CA
NetRange: 99.224.0.0 - 99.253.159.255
CIDR:
traceroute to 86.0.6.36 (86.0.6.36), 64 hops max, 40 byte packets
1 192.168.32.1 (192.168.32.1 ) 2.607 ms 1.162 ms 1.068 ms
2 netsgo-195-78-19-65.monaco377.com (195.78.19.65) 745.752 ms
608.475 ms 639.013 ms
WTF?
Did you try tcptraceroute?
Why not?
Did you contact
You might try taking a look at the various presentations at
NANOG/RIPE/ARIN/
APNIC/APRICOT about the whole idea. Central point: the
entity that gives
you a suballocation of its own address space signs something
that says you
now hold it.
If the whois directories actually operated
(email string deleted...)
I'm deeply saddened that the very folks who work so hard to
run the Internet
are publicly speculating that DHS wants to take over the
'net.
Please provide some evidence of your assertion. I have seen no evidence
that the very folks who work so hard to run the
How can anybody be sure that the random peering tech they are
talking
to really works for the organisation listed in the whois record? By
visual inspection of the e-mail address?
Do people really talk to random peering techs? I thought that peering
contacts were all set up via
Please provide some evidence of your assertion. I have seen
no evidence
that
the very folks who work so hard to run the Internet are making any
speculations at all about the DHS.
Scroll backwards through the emails to the first one in this
modified thread
(RE: IP Block 99/8 (DHS
but I'm still unclear on
what an MIB actually _is_,
A MIB is the database schema for an object-oriented hierarchical
database. The key words there are schema and hierarchical. Schema means
that it describes how the data is organized and hierarchical means that
it is *NOT* organized in tables
I do hope that when the UK police get tired of waiting, that they shut
down everything in BT's data centre and take it all as evidence. BT
deserves at least that, and frankly a whole lot more.
I've already replied privately to Jo offering my help to escalate this
internally at BT to the
While NANOG is a nice stopgap for getting to the right people, it
seems
to me that we should, collectively, come up with a better system
for
doing this. If only the RIR databases were verified so that all
contacts
listed were reading, willing and able to act on abuse issues...
[..]
Does anyone have ballpark costs on what colo space costs in
England? We are getting a quote for 7500 GBP per month for
19 square meters of space. In the US we pay 3500 a month for
a 10x10 cage at a Qwest facility.
Also if anyone can recommend some British colo companies I
would appreciate
In general it is impossible when deleting a zone to know the
full consequences of that action unless you are that zone's
DNS administrator, and even then you need to ask any
administrators of delegated domains.
Not just deleting.
So those who think deleting zones is a way to fix things,
The directory that was contracted
and 'supposed to' exist as part of the NNSC-to-InterNIC dance
was to be built by old-ATT Labs. As far as I can recall, it
was ever only an ftp repository and not much of a 'directory
and database service' (corrections welcome).
Anyone remember the
It is an unusual
situation...or at least the first of its kind.
Leaving aside the alleged political involvement of some government or
other, this is far from true. Back in the days, when DOS attacks were
delivered to mailboxes and USENET and IRC were the main tool of
coordinating attacks,
In perfect time, this was published yesterday, to answer that very
question:
http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
Unfortunately, he doesn't say much in the way of solutions. For
instance, if a company has internal IPv6 connectivity to their ISP,
When you have a large company, the company is also split over several
administrative sites. In some cases you might have a single
administrative group covering several sites, though; this allows you to
provide them with a single /48, as they are one group and will know
how to
I believe that a separate /48 per site is better regardless
of whether
or not the company has contracted with a single ISP for all
sites, or
not. As far as I am concerned if there is a separate access
circuit,
then it is a site and it deserves its own /48 assignment/allocation.
The magic answer to training setups: one big fat Xen box with
a lot of VMs, virtual interfaces and of course: Quagga.
You said magic. Does this mean that there is a site where you can
download ISOs for this big fat XEN box?
That said of course, who still types directly into their
I posit that a screen door does not provide any security.
Any is too strong a word. For people living in an area with
malaria-carrying mosquitoes, that screen door may be more important for
security than a solid steel door with a deadbolt. It all depends on what
the risks are, what you are
There are no British colonies in North America...are there?
Or are the red coats coming again?
In fact, there are several British colonies now squatting in North
America in that great British squatter tradition. One of them occupies a
corner of the NANOG list which is why the meeting was
Anyway, how does BT's cleanfeed work? How are British 3G
operators doing equivalent blocking? I'd be interested in
learning about the implementation.
Well, first of all Cleanfeed's not perfect. And it's not that secret
either.
http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf
--Michael Dillon
Have you been asked by the Dibble for the squid's server log
yet? It's the obvious next step - if you had a URL request
blocked, obviously you were where you shouldn't have been.
You're either with us...or you're with the terrorists.
If this website blocking is voluntary and if your goal
As the price of petrol fuel supplies slowly moves upward due to
demand from
China and India, I foresee datacenters moving away from diesel
generators as
backup power sources towards fuel cells/generators that can burn
natural gas and hydrogen.
Technically fuel cells don't burn the fuel;
I think certs provide two things.
One, the ability to show that you know what you are doing
(agreed, grey area on that one), but also the commitment for
one to better themselves. Someone I would look at in the
hiring process first. Any/every applicant still goes through
a
Is there any work or research on measuring methods for
subscriber (customer) side feelings of network service?
It seems that e2e ping delay and packet loss may miss some
important factors when we consider subscribers' feelings.
Although zero packet loss is a sign of very low jitter, you
Who knows, maybe a few packets got corrupted on the wire, and
the TCP checksum actually caught it and dropped the offending packets.
Or there could be flags in the bitstream...
--Michael Dillon
Running email abuse desks for about a decade now makes me
tend to agree with you .. and completely unfiltered pipes to
the internet for customer broadband are a pipe dream, most places.
If ISPs were able to standardize consumer Internet access services using
a gateway box, then the
The router is currently configured to use IRB which is a
hybrid process.
The problem is that the IRB process is overloaded and is
dropping traffic faster than it can process it.
Which NPE is in this router?
Basically, the 7200 has underpowered CPUs and if you force it to process
However, what I'm trying to understand is why the motivation
to rapidly go from v4 to v6 only? What are the factors I'm
missing in operating v4/v6 combined for some time?
Growth.
Lack of IPv4 addresses will put the brakes on growth of the Internet
which will have a major impact on revenue
And the stories that the power guy I'm working with tells
about foreign facilities, particularly in middle east war
zones, are really scary...
We fundamentally do not have the facilities problem
completely nailed down to the point that things will never
drop. Level 4
datacenters
Lack of IPv4 addresses will put the brakes on growth of the
Internet
which will have a major impact on revenue growth. Before long stock
market analysts are going to be asking tough questions, and
CEOs are
suddenly going to see the IPv6 light.
What exactly will cease to grow
Does anyone have any thoughts on this? Sorry if this is the
wrong place to ask.
First of all, this strikes me as a legal and policy decision. For the
legal aspects you should ask your lawyer or take it up on a legal blog
like http://www.groklaw.net
For the policy aspects, you really should
I'd suggest:
1) one week latency between registration and entry into the
TLD nameservers.
2) 50% (of 1-year registration fee) 'penalty' for
cancelling the registration
before it hits the TLD servers.
3) $250 'surcharge' (to registrant) for 'immediate'
_irrevocable_
http://www.icann.org/announcements/announcement-2-10aug07.htm
Is this something where a consensus 'vote' from a larger
group would help?
or one of the letter writing campaigns congress loves so much?
My impression is that it will be more useful for many individuals to
make their own
Does anyone know of a tool for network documentation with:
- inventory (cards, serial numbers, manufacturer...)
- documentation (configurations, software version control, etc)
- topology building (L2, L3.. connections, layer control, ...)
We've been using a modelling tool called WANDL which
Thank you for the comments. I know there are economic/contractual
relationships between two networks, and BGP cannot find a
path that the business rules forbid. But in these
cases, how do they recover? Do the network operators just wait for
the link to be physically repaired, or may they manually
I think the real question given the facts around this is
whether South East Asia will look to protect against a future
failure by providing new routes that circumvent single points
of failure such as the Luzon Strait at Taiwan. But that
costs a lot of money .. so the future's not
Section 5.1 of the updated version of 2821 allows A or
when there is no MX. This allowance must become obsolete and
the process ends when there is no MX record.
This idea is fundamentally flawed.
There is an assumption in the Internet that email is a universal
service. In
In many cases, yes. I know of a certain network that ran with
30% loss for a matter of years because the option didn't
exist to increase the bandwidth. When it became reality,
guess what they did.
How many people have noticed that when you replace a circuit with a
higher capacity one, the
The TCPs don't slow down. They use the bandwidth you have
made available instead.
in your words, the traffic on the new circuit is suddenly
greater than 100% of the old one.
Exactly!
To be honest, I first encountered this when Avi Freedman upgraded one of
his upstream connections from
Ok, I could have picked a better title. I'm looking for a
pointer to a box (pref. an embedded platform of some kind)
that will receive/accept SNMP traps and sound a real world
alarm/siren/klaxon. It can do fancy things like logging and
such, but not strictly required.
The Google keyword