Re: IPv6 Pain Experiment

2019-10-08 Thread Owen DeLong
> On Oct 7, 2019, at 20:16 , b...@theworld.com wrote: > > > Well if you all really want your heads to explode I was invited to > give a talk a few years ago in Singapore at the local HackerSpace. > > It called for something creative and different, not really an IETF > sort of crowd. > > So

Re: IPv6 Pain Experiment

2019-10-08 Thread Masataka Ohta
William Herrin wrote: I think TCPng/UDPng with 32/48 bit port numbers combined with NAT/A+P, which is obviously fully operational with existing IPv4 backbone, is better. Not a fan of port numbers. Separation between address and port is vague. If we're going to replace TCP and UDP,

Re: IPv6 Pain Experiment

2019-10-08 Thread Owen DeLong
> On Oct 7, 2019, at 20:00 , Michel Py wrote: > >> Owen DeLong wrote : >> Well… I don’t run into this very often any more, but I guess if you have a >> poorly run DNS environment, it might be more of an issue. > > About half of my devices, including all the VOIP phones, do not have DNS. I

Re: IPv6 Pain Experiment

2019-10-08 Thread Owen DeLong
> On Oct 7, 2019, at 23:59 , Masataka Ohta > wrote: > > William Herrin wrote: > >>> I think TCPng/UDPng with 32/48 bit port numbers combined with NAT/A+P, >>> which is obviously fully operational with existing IPv4 backbone, is >>> better. > >> Not a fan of port numbers. > > Separation

Re: IPv6 Pain Experiment

2019-10-08 Thread Masataka Ohta
Owen DeLong wrote: Separation between address and port is vague. Explain that to ICMP packets. Why do you think ICMP any different? Just as usual IP packets, inner IP packets contained in ICMPv4 error packets contain port numbers just after IP headers. Moreover, unlike stupid ICMPv6,

Re: "Using Cloud Resources to Dramatically Improve Internet Routing"

2019-10-08 Thread J. Hellenthal via NANOG
See RFC 1149 & 2549 ;-) -- J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume. > On Oct 7, 2019, at 11:29, Keith Medcalf wrote: > > >> On Monday, 7 October, 2019 08:55, Rich Kulawiec wrote: >> >> On Mon, Oct

Re: Automated Abuse Reports

2019-10-08 Thread Rich Kulawiec
On Mon, Oct 07, 2019 at 05:28:08PM -0700, Matt Corallo wrote: > Is it time to have ARIN add a "abuse contact available only after > captcha" option? No. Captchas are a worst practice and should never be used. ---rsk

Re: dns cache beyond ttl - viasat / exede

2019-10-08 Thread Tony Finch
William Herrin wrote: > > You may be looking at a web browser "feature" called "DNS pinning." This is > used to defeat the "DNS rebinding" attack on javascript that would allow a > web site to instruct a browser to scan the interior behind its user's > firewall by having an attacker rotate the IP

Re: dns cache beyond ttl - viasat / exede

2019-10-08 Thread William Herrin
On Tue, Oct 8, 2019 at 4:22 AM Tony Finch wrote: > William Herrin wrote: > > Depending on the implementation, DNS pinned browsers may not recognize a > > change to your IP address until the browser is stopped and restarted. > > I thought DNS pinning was only for the lifetime of the web page, so

Re: Update to BCP-38?

2019-10-08 Thread Rich Kulawiec
On Tue, Oct 08, 2019 at 01:35:16PM +0100, Mike Meredith via NANOG wrote: > You've ignored step 1 - identifying critical information that needs > protecting. It makes sense to protect information that needs protecting and > don't lose sleep over information that doesn't need protecting. Not many of

RE: IPv6 Pain Experiment

2019-10-08 Thread Michel Py
> Owen DeLong wrote : > I’m not sure how giving them DNS names makes them less resilient to DNS > failures. How do you resolve the IP address of the PBX ? I hard-code (in the master config). The PBX does not have a DNS name. I want my support staff to know its IP on the top of their head. DNS

Re: Update to BCP-38?

2019-10-08 Thread William Herrin
On Tue, Oct 8, 2019 at 6:51 AM Rich Kulawiec wrote: > On Tue, Oct 08, 2019 at 01:35:16PM +0100, Mike Meredith via NANOG wrote: > > You've ignored step 1 - identifying critical information that needs > > protecting. It makes sense to protect information that needs protecting and > > don't lose

Re: dns cache beyond ttl - viasat / exede

2019-10-08 Thread Brielle
On 10/7/2019 3:23 PM, William Herrin wrote: You don't happen to have some documented examples of this do you? I could use examples of stuff that broke and was hard to diagnose and fix due to unexpected proxying behavior for an argument I'm having elsewhere. I'll see what I can dig up from

RE: Update to BCP-38?

2019-10-08 Thread Keith Medcalf
>Not everyone attacking your systems is going to have the skills or >knowledge to get in though - simple tricks (like hiding what web server >you use) can prevent casual attacks from script kiddies and others who >aren't committed to targeting you, freeing your security teams to focus >on the

RE: Update to BCP-38?

2019-10-08 Thread Mark Collins
Not everyone attacking your systems is going to have the skills or knowledge to get in though - simple tricks (like hiding what web server you use) can prevent casual attacks from script kiddies and others who aren't committed to targeting you, freeing your security teams to focus on the

Re: IPv6 Pain Experiment

2019-10-08 Thread William Herrin
On Mon, Oct 7, 2019 at 11:59 PM Masataka Ohta < mo...@necom830.hpcl.titech.ac.jp> wrote: > William Herrin wrote: > > If we're going to replace TCP and UDP, initiate > > the link with a name (e.g. dns name), > > The point of TCP use IP address for identification is hosts > can confirm IP address is

Re: IPv6 Pain Experiment

2019-10-08 Thread Masataka Ohta
Nicholas Warren wrote: It's not 1990 any more, a TB of RAM now costs a few thousand dollars Maybe. and is dropping rapidly (similar for fancy router RAM), Definitely not. It's not 2010 any more. Masataka Ohta

Re: Update to BCP-38?

2019-10-08 Thread Valdis Klētnieks
On Tue, 08 Oct 2019 11:53:33 -0600, "Keith Medcalf" said: > So while the cost of doing the thing may be near-zero, it is not zero. And in fact, there's more than just the costs of doing it. There's also the costs of having done it. Obfuscating your OpenSSH versions is a *really* good way to

RE: Update to BCP-38?

2019-10-08 Thread Keith Medcalf
On Tuesday, 8 October, 2019 11:03, William Herrin wrote: >Limiting the server banner so it doesn't tell an adversary the exact OS- >specific binary you're using has a near-zero cost and forces an adversary >to expend more effort searching for a vulnerability. It doesn't magically >protect you

Re: IPv6 Pain Experiment

2019-10-08 Thread bzs
On October 7, 2019 at 23:13 o...@delong.com (Owen DeLong) wrote: > > > > On Oct 7, 2019, at 20:16 , b...@theworld.com wrote: > > > > > > Well if you all really want your heads to explode I was invited to > > give a talk a few years ago in Singapore at the local HackerSpace. > > > >

Re: IPv6 Pain Experiment

2019-10-08 Thread Nicholas Warren
Sweet deals, would you kindly share your vendor? It's not 1990 any more, a TB of RAM now costs a few thousand dollars and is dropping rapidly (similar for fancy router RAM), we have processor chips with 64 cores available practically off the shelf for under $10K (32-core literally off the shelf,

Re: Chicago Equinix IX LAN oddity

2019-10-08 Thread Erik Sundberg
Equinix renumbered the IP block from a /24 to a /23 and everyone was supposed to be off the old block I think around a year ago. I am sure some providers did not migrate everything off that IP block. Everyone that was a member at that time was given a new IP address on the /23 subnet, I believe

Chicago Equinix IX LAN oddity

2019-10-08 Thread JASON BOTHE via NANOG
Hi all, I realize this might not be the right list, but I have a request to peer on the Chicago Equinix IX to a 206.223.119 IP but we and many others are on the 208.115.137 network. While I await a response from the peering partner, I'd be curious to know if this is an error, perhaps there was a

Contacts at Three.co.uk

2019-10-08 Thread John Von Essen
I know this is a North America list, but anyone here connected with Three or have a contact there? I am investigating an issue related to the default adult filter settings that are becoming more common (maybe required now?) in the UK on mobile data networks. I work at a large search engine,

Re: IPv6 Pain Experiment

2019-10-08 Thread Masataka Ohta
William Herrin wrote: The point of TCP use IP address for identification is hosts can confirm IP address is true by 3 way handshaking. Yeah, but that touches one of the central flaws of the design of IP, v4 and v6. We are talking about design of TCP, not IP. No part of identifying and

RE: IPv6 Pain Experiment

2019-10-08 Thread bzs
On October 8, 2019 at 03:00 michel...@tsisemi.com (Michel Py) wrote: > > Owen DeLong wrote : > > Well… I don’t run into this very often any more, but I guess if you have a > > poorly run DNS environment, it might be more of an issue. > > About half of my devices, including all the VOIP

Re: IPv6 Pain Experiment

2019-10-08 Thread Valdis Klētnieks
On Tue, 08 Oct 2019 19:12:30 -, Nicholas Warren said: > Sweet deals, would you kindly share your vendor? Well, I just type "128G DIMM" into google, and the very first hit tells me that I can get a 128G DIMM for $1,398, that and 8 DiMM slots gets me to 1T just over $11K. If I have 16 DIMM

RE: Update to BCP-38?

2019-10-08 Thread Keith Medcalf
You would still be better served by forgetting about hiding the webserver vendor name and using that money to buy an IDS/IPS that works properly by detecting the actual exploit attempt rather than looking for "a spike of errors in the log" in order to block the originating address, especially

Re: Contacts at Three.co.uk

2019-10-08 Thread Cynthia Revström
Maybe ask on UKNOF? https://www.uknof.org.uk/ - Cynthia On Tue, 8 Oct 2019, 21:58 John Von Essen, wrote: > I know this is a North America list, but anyone here connected with Three > or have a contact there? > > I am investigating an issue related to the default adult filter settings > that

Re: IPv6 Pain Experiment

2019-10-08 Thread bzs
On October 8, 2019 at 12:04 b...@herrin.us (William Herrin) wrote: > On Tue, Oct 8, 2019 at 12:01 PM wrote: > > My main point is, as I said, Bits is Bits, whether they're human > readable (for some value of "human") like URLs or long hex strings > which perhaps are less human

Re: IPv6 Pain Experiment

2019-10-08 Thread bzs
On October 8, 2019 at 19:12 nwar...@barryelectric.com (Nicholas Warren) wrote: > Sweet deals, would you kindly share your vendor? > > > It's not 1990 any more, a TB of RAM now costs a few thousand dollars > and is dropping rapidly (similar for fancy router RAM), we have > processor chips

Re: Chicago Equinix IX LAN oddity

2019-10-08 Thread JASON BOTHE via NANOG
Got it, thanks for that. I'll have to give the big E a call and see how to sort this one out. J~ > On Oct 8, 2019, at 13:55, James Cornman wrote: > > > There was a subnet expansion/migration there earlier this year (maybe late > last year?) > > We have an old and new address on our

Re: IPv6 Pain Experiment

2019-10-08 Thread William Herrin
On Tue, Oct 8, 2019 at 12:01 PM wrote: > My main point is, as I said, Bits is Bits, whether they're human > readable (for some value of "human") like URLs or long hex strings > which perhaps are less human readable. > Bits aren't just bits. Bits with useful properties (such as aggregability

Re: Update to BCP-38?

2019-10-08 Thread Mike Meredith via NANOG
As an Evil Firewall Administrator™, I have an interest in this area ... On Fri, 4 Oct 2019 15:05:29 -0700, William Herrin may have written: > On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf wrote > > Anyone who says something like that is not a "security geek". They are > > a "security poser",