On Jul 8, 2005, at 9:49 AM, Jay R. Ashworth wrote:
A machine behind a NAT box simply is not visible to the outside world,
except for the protocols you tunnel to it, if any. This *has* to
vastly reduce its attack exposure.
It is true that the exposure is reduced, just as it is with a statef
On Jul 13, 2005, at 2:38 PM, Brad Knowles wrote:
Does anyone know if any of these presentations are available anywhere?
Eric would have to point to his presentation, but you can find the
internet drafts at the following:
http://www.ietf.org/internet-drafts/draft-allman-dkim-base-0
Cisco, are you listening?
Cisco is in fact listening. Cisco, like other companies, generally
does not release security notices until enough information exists to
allow customers to make a reasonable determination as to whether or
not they are at risk and how to mitigate possible risk.
I am told that some of the access providers are starting to deploy in
the US, or at least that's what they tell us. Macs and Linux come
with v6 enabled, and Longhorn will as well. So with any luck we will
squeak through this one.
On Oct 12, 2005, at 12:13 PM, Randy Bush wrote:
four year
is that anything like using, in Cisco terms, a "fast-switching cache"
vs a "FIB"?
On Oct 17, 2005, at 6:47 AM, Mikael Abrahamsson wrote:
Well, let's try to turn the problem on its head and see if that's
clearer; Imagine an internet where only your closest neighbors
know you exist. The rest
its load and convergence properties can be improved on.
I'll let you read there.
On Oct 17, 2005, at 9:20 AM, Per Heldal wrote:
Mon, 17.10.2005 at 07.25 -0700, Fred Baker wrote:
is that anything like using, in Cisco terms, a "fast-switching cache"
vs a "FIB"?
re able to reduce the routing table size by an order of
magnitude, I don't see that we have a requirement to fundamentally
change the routing technology to support it. We may *want* to (and
yes, I would like to, for various reasons), but that is a different
assertion.
On Oct 17, 2005, at
works for me - I did say I'd like to change the routing protocol -
but I think the routing protocol can be changed asynchronously, and
will have to.
On Oct 17, 2005, at 1:51 PM, Tony Li wrote:
Fred,
If we are able to reduce the routing table size by an order of
magnitude, I don't see
we agree that at least initially every prefix allocated should belong
to a different AS (eg, no AS gets more than one); the fly in that is
whether there is an ISP somewhere that is so truly large that it
needs two super-sized blocks. I don't know if such exists, but one
hopes it is very m
On Oct 17, 2005, at 2:24 PM, Tony Li wrote:
To not even *attempt* to avoid future all-systems changes is
nothing short of negligent, IMHO.
On Oct 17, 2005, at 2:17 PM, Randy Bush wrote:
and that is what the other v6 ivory tower crew said a decade ago.
which is why we have the disaster we ha
the principal issue I see with your proposal is that it is DUAL
homing vs MULTI homing. To make it viable, I think you have to say
something like "two or more ISPs must participate in a multilateral
peering arrangement that shares the address pool among them". The
location of the actual p
actually, no, I could compare a /48 to a class A.
On Nov 2, 2005, at 3:51 PM, [EMAIL PROTECTED] wrote:
er.. would this be a poor characterization of the IPv6 addressing
architecture which is encouraged by the IETF and the various RIR
members?
class A == /32
class B == /48
On Nov 2, 2005, at 4:01 PM, Bill Woodcock wrote:
On Wed, 2 Nov 2005, Fred Baker wrote:
actually, no, I could compare a /48 to a class A.
...which makes the /32s-and-shorter that everybody's actually getting
double-plus-As, or what?
A class A gives you 16 bits to enumerate
and, if you're interested,
http://www.ietf.org/rfc/rfc3924.txt
3924 Cisco Architecture for Lawful Intercept in IP Networks. F. Baker,
B. Foster, C. Sharp. October 2004. (Format: TXT=40826 bytes)
(Status: INFORMATIONAL)
On Nov 3, 2005, at 9:17 AM, Vicky Rode wrote:
You might want to
None that I have spoken with. What I hear continually is that people
would like operational viewpoints on what they're doing and are
concerned at the fact that operators don't involve themselves in IETF
discussions.
On Nov 11, 2005, at 6:03 AM, Randy Bush wrote:
that's what a number of
yes, a specific member of the IAB said that. A few moments ago, I was
chatting with the chair of the IAB, who wondered out loud whether he
had noticed everyone else on the IAB edging away from him (something
about lightning strikes emanating from the dagger-eyes of fellow IAB
members I th
I believe that it is attributable to John Hart, Vitalink, late
1980's. If he didn't coin it, he sure quoted it a lot.
Radia would have said something more like "bridge within a campus and
route between them", I suspect.
On Nov 11, 2005, at 1:36 PM, [EMAIL PROTECTED] wrote:
"bridge where
At 11:17 AM 12/09/04 -0500, Richard Irving wrote:
That, or they finally got the nail out of the door, from his last
resignation.
there were two nails in that board... It's a long story... But the
interesting part was that all those toys actually fit into Dr. Bug...
At 09:14 PM 12/18/04 -0500, Sean Donelan wrote:
I wouldn't rely on software firewalls. At the same store you buy your
computer, also buy a hardware firewall. Hopefully soon the motherboard
and NIC manufacturers will start including built-in hardware firewalls.
I guess my question is: why rely o
At 02:01 PM 12/20/04 -0800, william(at)elan.net wrote:
Can somebody also share good definition of "BOT" and "BOTNET" for glossary
and description of 2-4 lines? Should I also list it as synonymous with
Zombie (bot being more hacker-oriented use and zombie being more toward
spammer-oriented use)?
At 09:40 PM 12/20/04 +, Fergie (Paul Ferguson) wrote:
Here's a decent pointer:
http://en.wikipedia.org/wiki/Botnet
- ferg
that is a very good pointer.
At 01:43 PM 12/29/04 -0500, Joe Abley wrote:
Is there an RFC that clearly states: "The internet needs to transit 1500
byte packets without fragmentation."??
Not to my knowledge, and since the hordes of users mentioned above
present a clear, deployed counter-example it seems unlikely that one wil
On May 2, 2005, at 2:34 AM, Jay R. Ashworth wrote:
How about an anycast address implement(ed|able) by every network
provider that would return a zipcode?
That would be fine in the US, and with some extension in Canada and a
few other countries.
No, I think the service would have to be built usin
RFC 2474 permits the DSCP to be over-written on ingress to a network.
RFC 3168 gives rules for over-writing the ECN flags.
US NCS currently has a filing before the FCC (unless FCC has recently
responded) asking for a DSCP value that would be set only by
NCS-authorized users, never over-writt
On May 25, 2005, at 10:39 AM, Sam Stickland wrote:
While it's true that IP is end-to-end, are fields such as TOS and DSCP
meant to be end to end? A case could be argued that they are used by
the actual forwarding devices on route in order to make QoS or even
routing decisions, and that the e
you saw marshall's comment. If you're interested in a moving average,
he's pretty close.
If I understood your question, though, you simply wanted to quantify
the jitter in a set of samples. I should think there are two obvious
definitions there.
A statistician would look, I should think, a
On Jun 30, 2005, at 5:37 PM, Todd Underwood wrote:
where is the service that is available only on IPv6? i can't seem to
find it.
You might ask yourself whether the Kame Turtle is dancing at
http://www.kame.net/. This is a service that is *different* (returns a
different web page) depending o
At 12:58 PM 08/15/04 -0700, Alexei Roudnev wrote:
SuSE Linux can be installed on the first attempt by Windoze-only gurus (I
did such an experiment) and never requires any command line interaction (except
if you decide to run something complicated).
My then-16-year-old son did the same, building a dual
I think you just tripped across the difference between a user and an SP.
SPs don't generally have 28 KBPS dial links between them and their
upstream, and folks that have 28 KBPS dial uplinks don't generally host
Akamai servers. Assuming that just because you have effectively-infinite
bandwidth
At 05:03 PM 08/30/04 -0400, Sean Donelan wrote:
I've always wondered what really makes P2P different from anything else on
the Internet? From the service provider's point of view, users accessing
CNN.COM is a peer-to-peer activity between the user and CNN. From the
service provider's point of
At 06:04 PM 09/02/04 -0700, Joe Rhett wrote:
> Also note due to fraud mitigation, most phones only allow you to call
> within the country you are in or back to the home country, all the while
> charging you an exorbitant price.
Um, sorry but I've never seen this. I used to world-roam on AT&T, and
At 04:29 PM 09/08/04 +, Paul Vixie wrote:
i guess this is progress. the press keeps bleating about stopping spam
from being received -- perhaps if they start paying attention to how it
gets sent and how many supposedly-legitimate businesses profit from the
sending, there could be some flatt
At 08:39 AM 10/12/04 +0530, Suresh Ramasubramanian wrote:
Yes I know that multihoming customers must make sure packets going out to
the internet over a link match the route advertised out that link .. but
stupid multihoming implementations do tend to ensure that lots of people
will yell loudly,
At 12:01 PM 10/13/04 +0200, Iljitsch van Beijnum wrote:
Trusting the source when it says that its packets aren't evil might be
sub-optimal. Evaluation of evilness is best left up to the receiver.
Likely true. Next question is whether the receiver can really determine
that in real time. For some t
At 01:11 PM 10/19/04 +0200, JP Velders wrote:
As it was "in the old days": first clean up your own act and then start
pointing at others that they're doing "it" wrong.
hear hear... But Paul knows and in fact does that. He is pointing out the
difficulty of getting people to do basic things that ar
At 11:31 PM 11/25/04 -0800, Owen DeLong wrote:
I think the policy _SHOULD_ make provisions for end sites and
circumstances like this, but, currently, I believe it _DOES NOT_ make such
a provision.
I understand the policy in the same way. That said, I believe that the
policy is wrong.
IMHO, the
At 10:09 PM 11/26/04 -0800, Fred Baker wrote:
IMHO, the rules that qualify someone for an AS number should qualify them
for a prefix. It need not be a truly long prefix, but larger than a /48.
Reading my own email - that isn't clear.
I think the length of the prefix given to a PI edge ne
At 11:54 PM 11/26/04 -0800, Owen DeLong wrote:
IMHO, the rules that qualify someone for an AS number should qualify them
for a prefix. It need not be a truly long prefix, but larger than a /48.
I agree with the first part, but a /48 is 65,536 64-bit subnets. Do you
really think most organizations
At 08:56 AM 12/01/04 -0800, Greg Albrecht wrote:
are we obligated, as a user of ARIN ip space, or per some BCP, to provide
ad-hoc reverse dns to our customers with-out cost, or without financial
obligation.
As noted, reverse DNS is pretty universally considered a normal operating
practice, "part
Pekka and I have been discussing the impact of ingress filters on
multihomed networks - which may be ISPs or edge networks, and may have an
arbitrary number of upstream ISPs.
We wonder what your thoughts might be regarding
http://www.ietf.org/internet-drafts/draft-savola-bcp38-multihoming-updat
At 12:53 PM 8/13/2003 -0500, Ejay Hire wrote:
I don't care what defective operating system a worm uses.
Yes. Let's recall that the first worm on the net was a sendmail worm, and
attacked UNIX systems. I'm no friend of Windows either, but a little
humility is in order. Windows is attacked because i
At 01:31 PM 8/14/2003 -0700, Aaron D. Britt wrote:
I just lost 80 circuits (Voice and Data), across multiple states on the
East Coast in the last 10 minutes. Is there a Northeast power outage or
fiber cut that anyone knows about?
CNN speaks:
Major power outage hits New York, other large ci
At 04:18 PM 9/15/2003, Jeroen Massar wrote:
Even worse of this is that you can't verify domain names under .net
any more for 'existence' as every .net domain suddenly has a A record
and then can be used for spamming...
so, every spammer in the world spams Verisign. The down side of this is ...
what
At 09:01 AM 10/9/2003, McBurnett, Jim wrote:
Can Broadband ISP's require a Linksys, dlink or other
broadband router without too many problems?
The router vendors would like that to happen :^)
At 03:00 PM 10/9/2003, [EMAIL PROTECTED] wrote:
We seem to be slowly transforming the network into more and more just a
network of port 80 boxes. :( Perhaps the Internet really is going to end
up being just the Web, not through evil intervention, but by our own
well-intentioned efforts.
I imag
At 09:07 AM 10/10/2003, Steven M. Bellovin wrote:
Out of curiosity, has anyone tried turning this over to law
enforcement? It's another form of hacking, but the money trail back
through the spammers might provide enough evidence for prosecution.
From my read, it sounds sufficient in its own right
At 11:13 AM 10/23/2003, Sean Donelan wrote:
How many other ISPs intend to follow AOL's practice and use their
connection support software to fix the defaults on their customer's
Windows computers?
Interesting question from several angles. Here's the flip side. Our
corporate IT department likes t
Are they in .org? If so, I would call PIR. More generally, I would
suggest you contact the registrar, not ICANN.
http://www.icann.org/registrars/accredited-list.html
On Jan 23, 2006, at 2:55 PM, Wil Schultz wrote:
Hey all, probably not the best place to ask this but thought that I
would
The big question there is whether it is helpful for an operator of a
wired network to comment on a routing technology for a network that
is fundamentally dissimilar from his target topology. Not that there
is no valid comment - the security issues are certainly related. But
if you want to
On Feb 15, 2006, at 9:13 AM, Edward B. DREGER wrote:
Of course not. Let SBC and Cox obtain a _joint_ ASN and _joint_ address
space. Each provider announces the aggregate co-op space via the joint
ASN as a downstream.
Interesting. This is what has been called metropolitan addressing.
I'
the
appropriate industry forum to work out IP routing issues etc? What
is the appropriate context for manet if it isn't what I read the
charter to state? Is it really just, for example, autonomous
devices navigating in a sensor network?
Best regards,
Christian
On Feb 15, 2006
On Mar 7, 2006, at 12:13 AM, tom wrote:
I hope you don't mind this commentary from a European...
I certainly don't mind commentary from a European. I just wouldn't
want to hear the same European complaining about the Chinese...
:-)
On May 11, 2006, at 8:42 PM, Jim Popovitch wrote:
Why not just plain ole hostnames like nanog, www.nanog, mail.nanog
For the same reason DNS was created in the first place. You will
recall that we actually HAD a hostname file that we traded around...
On May 11, 2006, at 11:28 PM, Martin Hannigan wrote:
I'm having an offline discussion with a list member and I'll ask,
why does it matter if you have a domain name if a directory can
hold everything you need to know about them via key words and
ip-addrs, NATs and all?
I think there is a p
I'm willing to reply on-list, but obviously any business or legal
contacts have to be off-list. For those, I can point you to the
product manager for the technology, but it would frankly be better
for one to go through one's account team, for scaling reasons.
Yes, the vendors are aware of
On Jun 20, 2006, at 11:44 AM, Eric A. Hall wrote:
This is an interesting approach. For one, it seems to cover a lot more
technology than CALEA requires. I suppose that is an artifact of
trying to serve multiple countries' requirements in a single architecture.
Actually, no.
IANAL
US laws
On Sep 12, 2006, at 2:45 AM, Daniel Golding wrote:
What would establish IP addresses as some sort of ARIN-owned and
licensed community property? Well, winning a court case like this,
or congress passing a law.
Korea also has passed a law that any addresses assign to KRNIC become
the pro
On Aug 15, 2007, at 8:35 AM, Sean Donelan wrote:
Or should IP backbones have methods to predictably control which IP
applications receive the remaining IP bandwidth? Similar to the
telephone network special information tone -- All Circuits are
Busy. Maybe we've found a new use for ICMP
te limit the passage of TCP SYN/SYN-ACK and SCTP INIT in such a way
that the hosed links remain fully utilized but sessions that have
become established get acceptable service (maybe not great service,
but they eventually complete without failing).
On Aug 15, 2007, at 8:59 AM, Sean Donelan
On Aug 15, 2007, at 2:55 PM, Barry Shein wrote:
It seems to me that this should be an issue between the domain
registrars and their customers, but maybe some over-arching policy
is making it difficult to do the right thing?
Charging a "re-stocking fee" sounded perfectly reasonable. I don't
(UDP, ICMP, GRE, TCP ACK/FIN, etc) normal queue
And finally why only do this during extreme congestion? Why not
always do it?
I think I would always do it, and expect it to take effect only under
extreme congestion.
On Aug 15, 2007, at 8:39 PM, Sean Donelan wrote:
On Wed, 15 Aug 2007, Fred
On Aug 15, 2007, at 10:13 PM, Adrian Chadd wrote:
Well, empirically (on multi-megabit customer-facing links) it takes
effect immediately and results in congestion being "avoided" (for
values of avoided.) You don't hit a "hm, this is fine" and "hm,
this is congested"; you actually notice a mu
yes.
On Aug 16, 2007, at 12:29 AM, Randy Bush wrote:
So that's why I keep returning to the need to pushback traffic a
couple of ASNs back. If its going to get dropped anyway, drop it sooner.
ECN
On Aug 16, 2007, at 7:46 AM, <[EMAIL PROTECTED]> wrote:
In many cases, yes. I know of a certain network that ran with 30%
loss for a matter of years because the option didn't exist to
increase the bandwidth. When it became reality, guess what they did.
How many people have noticed that whe
On Sep 3, 2007, at 6:44 PM, Steven M. Bellovin wrote:
More seriously -- the question is whether new services will cause
operator congestion problems that today's mechanisms don't handle.
and, it includes the questions of what operators will be willing to
deploy. One of the questions on the
On Sep 5, 2007, at 8:01 AM, Sean Donelan wrote:
That's the issue with per-flow sharing, 10 institutions may be
sharing a cost equally but if one student in one department at one
institution generates 95% of the flows should he be able to consume
95% of the capacity?
The big problem with
Could someone please tell me what 192.42.172.0/24 is or why it
should be handled as a special prefix?
ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/T-ip-prefix-filter-ingress-strict-check-v18.txt
You might review t
On Jan 24, 2008, at 2:09 AM, Mikael Abrahamsson wrote:
The local antipiracy organization in Sweden needed a permit to
collect/handle IP+timestamp and save it in their database, as this
information was regarded as personal information. Since ISP
On Jan 24, 2008, at 12:50 PM, Roland Perry wrote:
no fundamental contradiction in the proposition that private sector
information can be mandated to be kept for minimum periods, is
confidential, but nevertheless can be acquired by lawful subpoe
in the most recent architecture, rfc 4291, that was deprecated. The
exact statement is
2.5.5.1. IPv4-Compatible IPv6 Address
The "IPv4-Compatible IPv6 address" was defined to assist in the IPv6
transition. The format of the "IPv4-Compatible IPv6 address" is as
follows:
On Apr 7, 2008, at 8:36 AM, Lucy Lynch wrote:
Anyone out there attend this event?
The Future of TCP: Train-wreck or Evolution?
http://yuba.stanford.edu/trainwreck/agenda.html
how did the demos go?
The researchers demonstrated four things that m
That and someone can't tell the difference between a network and an
application that runs in a network.
On Apr 7, 2008, at 10:38 AM, [EMAIL PROTECTED] wrote:
On Mon, 07 Apr 2008 20:21:26 +0530, Glen Kent said:
says the solemn headline of Telegraph.
http://www.telegraph.co.uk/news/main.jht
I know the common wisdom is that putting 192.168 addresses in a
public zonefile is right up there with kicking babies who have just
had their candy stolen, but I'm really struggling to come up with
anything more authoritative than "just because, now eat your
Brussels sprouts".
I think th
no; what OS and what applications are you using? Anything
particularly unusual?
On Sep 25, 2006, at 8:55 AM, [EMAIL PROTECTED] wrote:
On Mon, 25 Sep 2006, Alexander Harrowell wrote:
Well, if anyone wants to add more to it, there are quite a few
prominent 'noggers still to cast.
Can
I agree with many of your thoughts. This is essentially the same
discussion we had upgrading from the 576 byte common MTU of the
ARPANET to the 1500 byte MTU of Ethernet-based networks. Larger MTUs
are a good thing, but are not a panacea. The biggest value in real
practice is IMHO that th
On Jul 12, 2007, at 11:42 AM, Brian Knoll ((TTNET)) wrote:
If the receiver is sending a DUP ACK, then the sender either never
received the first ACK or it didn't receive it within the timeframe it
expected.
or received it out of order.
Yes, a tcpdump trace is the first step.