> What functionality does PVC give you that the ethernet VLAN does not?
>
That's quite easy. Endpoint liveness. An IPv4 host on a VLAN has no idea
if the guy on the "other end" died until the BGP timer expires.
FR has LMI, ATM has OAM. (and ILMI)
Pete
Paul Vixie wrote:
> Adding complexity to a system increases its cost but not nec'ily its value.
> Consider the question: how often do you expect endpoint liveness to matter?
The issue I'm trying to address is to figure out how to extend the robustness
that can be achieved with tuned IGP's with s
Mike Hughes wrote:
> But, how does that work when you may be delivering multiple q-tags on a
> single GigE port (for example)? If only one tag is affected, you don't
> want to drop link, right?
>
> So, we're back to detection at layer 3, can I ping it, do I have
> adjacency, etc.
>
> Some sort
Paul Vixie wrote:
>
> warning: i've had one "high gravity steel reserve" over my quota. hit D now.
>
> > The issue I'm trying to address is to figure out how to extend the robustness
> > that can be achieved with tuned IGP's with subsecond convergence across
> > an exchange point without suffe
Jesper Skriver wrote:
> Your Cisco router (say a GSR) will go foobar if you use 10/30 seconds
timers, an IGP topology change, causing a new next-hop interface for
> 100k routes, will cause processes (probably CEF related) to run for so
long, that you will lose your BGP keepalives, thus lose
Crist Clark wrote:
And the counter point to that argument is that the sparse population
of IPv6 space will make systematic scanning by worms an ineffective
means of propagation.
And by connecting to one of the p2p overlay networks you'll have a few
million in-use addresses momentarily.
Pe
Randy Bush wrote:
Is it a problem keeping 500,000 routes in core routers? Of
course, it is not (it was in 1996, but it is not in 2005
really? we have not seen this so how do you know? and it
will be fine with churn and pushing 300k forwarding entries
into the fibs on a well-known ven
Francesco Usseglio Gaudi wrote:
My little experience is that cell phones are in most cases
nearly congested: a simple crowd of people calling all together can
shut down or delay every call and SMS
GSM networks running TFR or EFR audio codecs have 8 timeslots on a cell.
Usual 900M
Suresh Ramasubramanian wrote:
Not allowing your users to run eggdrop or other irc bots on the shells
you give them, and generally not hosting irc stuff would definitely
help there.
Filtering anything else than port 80 and maybe 53 would allow them to
experience the Internet in safe and co
Buhrmaster, Gary wrote:
The *best* exploit is the one alluded to in the presentation.
Overwrite the nvram/firmware to prevent booting (or, perhaps,
adjust the voltages to damaging levels and do a "smoke test").
If you could do it to all GSR linecards, think of the RMA
costs to Cisco (not to men
Stephen Fulton wrote:
That assumes that the worm must "discover" exploitable hosts. What if
those hosts have already been identified through other means
previously? A nation, terrorist or criminal with the means could
very well compile a relatively accurate database and use such a worm
C. Jon Larsen wrote:
It was supposed to be a complete ground up re-write in an OO language
and it would have the ability to link new modules or shared objects in
at run time, and it would unify the existing router (25xx / 4[57]xx /
75xx) family with the Grand Junction acquisition - the CAT
[EMAIL PROTECTED] wrote:
nice... so one or more of the RIRs should ask the IANA
for a delegation in the 4byte space and let a few
brave souls run such a trap. The IETF has a process
for running such experiments that could be applied here.
should I write it up an
Randy Bush wrote:
very helpful analysis. some questions:
mrai stifle that? could it be used to cascade to a neighbor? i
suppose that diverting just the right 15-30 seconds of traffic
could be profitable.
More recent hardware allows you to take copies of packets and push them
down a
Randy Bush wrote:
You can ping to 126.66.0.30/8.
and how does one ping a /8?
Most trojans for zombie networks provide this functionality. Connect to
your favourite C&C server and issue;
.advscan ping 42 2 64 126.X.X.X
(this will ping the address space with 42 threads, using two sec
Daniel Roesen wrote:
I would guesstimate about 8 Terabyte per day, judging from the traffic
I saw towards a virgin /21 (1 GByte per day).
/18 attracts 19kbps on average, with day averages between 5 and 37
kilobits per second. That would translate to only 50 to 400 megabytes a day.
So
Christopher L. Morrow wrote:
This argument we (mci/uunet) used/use as well: "not enough demand to do
any v6, put at bottom of list"... (until recently at least it still flew as
an answer) How would you know if you had demand? how would you know if
people who had dualstack systems were trying t
[EMAIL PROTECTED] wrote:
Then you'll have to conclude that a lot of managed switches are insecure
since they include some form of packet mirroring capability.
Not to mention most of the routers. They usually can make the copies to
an IP tunnel also.
Pete
Joe Maimon wrote:
This is network self preservation. Otherwise the garbage will
eventually suffocate us all.
It's like cancer initially was treated with drugs and equipment which
did serious damage to the whole body, killing many in the process and
today the methods are much more targete
Daniel Senie wrote:
One of the dangers is more and more stuff is being shoved over a
limited set of ports. There are VPNs being built over SSL and HTTP to
help bypass firewall rule restrictions. At some point we end up with
another protocol demux layer, and a non-standard one at that if we
David Hagel wrote:
This is interesting. This may sound like a naive question. But if
queuing delays are so insignificant in comparison to other fixed delay
components then what does it say about the usefulness of all the
extensive techniques for queue management and congestion control
(includin
Tony Finch wrote:
TCP performs much better if queueing delays are short, because that
means it gets feedback from packet drops more promptly, and its RTT
measurements are more accurate so the retransmission timeout doesn't get
artificially inflated.
Sure, but sending speculative duplicate
[EMAIL PROTECTED] wrote:
It's clearly possible to find telco engineers with 5/10/15 years experience in
running PSTN (might even find somebody with 40-50 years? :). It's possible to
find network engineers with lots of BGP experience. Where do you find a senior
engineer with 5+ years experience
Fergie (Paul Ferguson) wrote:
Overlooking the point that this kind of smells like a pitch for
Staselog, I'd be curious to hear if this is an issue on ISP
bandwidth management radar... or already is...
I've been asked this question repeatedly almost as long as we've had the
traffic engineeri
[EMAIL PROTECTED] wrote:
A similar problem would be created if a web server relied
on DNS that was only hosted on servers in New Orleans.
Do you (or somebody) know of recent numbers of what percentage of
domains have all their DNS servers in;
a) same subnet
b) same AS
c) same geographic
Drew Linsalata wrote:
Richard A Steenbergen wrote:
$10 says someone forgot "ip classless".
Is there a valid argument for making "ip classless" the default in the
IOS? Seems to me that it would only solve problems, but I don't
profess to be a routing guru, especially in comparison to fo
Kim Onnel wrote:
80 deny udp any any eq 1026 (3481591 matches)
This will make one out of 4000 of your udp "sessions" to fail with older
stacks which have high ports from 1024 to ~5000.
Pete
Christopher L. Morrow wrote:
which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from
http over tcp/80... I think Joe's looking for something that knows what
protocols look like below the port number and can spit out numbers for
that... these, it would seem to me, would all req
Joe Shen wrote:
It seems to focus on P2P application. Is there tool to
support applications as more as possible( include p2p,
voip, web, ftp, network game, etc. )
The emphasis on p2p is mainly due to the usual questions focusing on
them. Obviously the more "traditional" protocols like R
Christopher L. Morrow wrote:
So, I think I'm off the crazy-pills recently... Why is it again that folks
want to balkanize the Internet like this? Why would you intentionally put
your customer base into this situation? If you are going to do this, why
not just drop random packets to 'bad' desti
John Dupuy wrote:
If you are talking about strictly http, then you are probably right.
If you are hosting any email, then this isn't the case. A live DNS but
dead mail server will cause your mail to queue up for a later resend
on the originating mail servers. A dead DNS will cause the mail
Per Gregers Bilse wrote:
Life begins with ARP.
I would have to argue that for majority of things connected to IP
networks, life begins with DHCPDISCOVER.
Pete
Chris Owen wrote:
It isn't just that they are wasting my time. They are also wasting their
own time. It's the overall lack of efficiency that bothers me ;-]
Don't worry, it won't take long until google parks their
datacenter-in-a-container outside at the fiber junction and the content
distri
Bob Snyder wrote:
And oddly enough, Sandvine offers a box that does this! :-) They're
jumping on the press coverage of Halo 2 to try and raise awareness of
their product line. Not that what's being said doesn't have merit, but
it's definitely a PR push, and definitely not a "End of the net
predicte
Sean Donelan wrote:
Security vendors are quick to sell new pills, but where are the studies
that show their products' safety and effectiveness in the real world?
It does not make commercial sense to develop cure for something you can
treat for decades. The cure has to come from somewhere funded
Paul Vixie wrote:
of course it will work. it just won't be particularly fast. specifically,
it won't allow tcp to discover the actual end-to-end bandwidth*delay product,
and therefore tcp won't set its window size advantageously, and some or all
of the links along the path won't run at capacity.
Jim Popovitch wrote:
I've often wondered, as I work intimately with NMS software, just how
much cross network traffic is "are you there?" related. Would it have a
positive impact on overall net performance if everyone just turned off
all internetwork status polling?
Since p2p traffic is >50% g
Todd Mitchell - lists wrote:
On 22/01/2005 8:52 PM Darrell Kristof (CE CEN) wrote:
> Has anyone heard about some carriers doing emergency maintenance
tonight
> on Internet routers due to a code vulnerability? I'm trying to find
out
> what vendor it involves and the details behind it. I understa
matthew zeier wrote:
Not directly but two of my links that underwent emergency maintenance
I know are Juniper routers.
It's just the end-of-MPLS day coming. The second coming of "pure IP" is
upon us.
Pete
http://www.kb.cert.org/vuls/id/409555
Pete
Sabri Berisha wrote:
On Wed, Jan 26, 2005 at 11:12:19PM +0200, Petri Helenius wrote:
Hi,
http://www.kb.cert.org/vuls/id/409555
Did anyone hear of any exploits being in the wild?
How would one tell if the actual issue is not published? (without
violating possible NDA's)
Pete
Nils Ketelsen wrote:
Only thing that puzzles me is, why it took spammers so long to go in
this direction.
It didn't. It took the media long to notice.
Pete
Stephen J. Wilcox wrote:
Hi,
you probably didn't think of this but it might not be a good idea to publish a
list of 3000 computers that can be infected/taken over for further nastiness.
Collecting that kind of list on any machine on the public internet takes
only a day or so, so I don't think
Alexei Roudnev wrote:
Hmm, good idea. I add my voice to this question.
But, btw, SNMP implementations are extremely buggy. Last 2 examples from my
experience (with snmpstat system):
- I found Cisco which have packet counters (on interface) _decreased_
instead of _increased_ (but octet counters are
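Telling a 32-bit counter wrap apart from a counter that genuinely runs backwards (the behaviour described in the message above) or from an agent restart is the check a poller needs before it trusts a delta. The following is an added example, not code from the thread or from snmpstat; the sample series, the 100 Mb/s link speed and the 60 s poll interval are constructed, and sysUpTime is assumed to be polled alongside the counter.

```python
# Added example (not from the thread). Classifies successive samples of an
# SNMP Counter32/Counter64 as a normal advance, a wrap, an agent reset or a
# genuine decrease that no wrap can explain.

def counter_delta(prev_value, cur_value, prev_uptime, cur_uptime,
                  width=32, link_bps=None, interval_s=None):
    """Return (delta, status) for two successive samples of one counter.

    status is one of:
      "ok"        counter advanced normally
      "wrap"      counter passed 2**width; delta is the wrapped difference
      "reset"     sysUpTime went backwards, so the agent restarted
      "decrease"  counter went backwards but a wrap cannot explain it
    delta is None when no rate can be derived from the pair.
    """
    # sysUpTime is in hundredths of a second and itself wraps after ~497
    # days; assumption here: polls are frequent enough that a backward
    # jump in sysUpTime means the agent (or the box) restarted.
    if cur_uptime < prev_uptime:
        return None, "reset"
    if cur_value >= prev_value:
        return cur_value - prev_value, "ok"
    wrapped = cur_value + 2 ** width - prev_value
    if link_bps is not None and interval_s is not None:
        # Most octets that could physically cross the link in one interval.
        # A "wrap" that implies more than this is really a backwards counter.
        max_octets = link_bps // 8 * interval_s
        if wrapped > max_octets:
            return None, "decrease"
    return wrapped, "wrap"


def analyze(samples, **kw):
    """Run counter_delta over a list of (sysUpTime, counter) samples."""
    results = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        results.append(counter_delta(v0, v1, t0, t1, **kw))
    return results


# Constructed sample series: ifInOctets on a 100 Mb/s link polled every 60 s,
# sysUpTime in timeticks (hundredths of a second).
SAMPLES = [
    (6000, 4_000_000_000),
    (12000, 4_294_000_000),
    (18000, 500_000),      # legitimate wrap past 2**32
    (24000, 1_000_000),
    (30000, 900_000),      # a "wrap" here would need ~4.29 GB in 60 s: bug
    (2000, 5_000),         # sysUpTime went backwards: device rebooted
]

if __name__ == "__main__":
    for delta, status in analyze(SAMPLES, link_bps=100_000_000, interval_s=60):
        print(f"{status:<9} {delta}")
```

Without the link speed and interval the function has to accept every backwards step as a wrap, which is exactly how a poller ends up graphing a 4 GB spike from a counter that merely went down by a few packets.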
Jim Popovitch wrote:
Was the device restarted? Was the polled interface so overloaded that
UDP was dropped and your tool/application just happened to show a zero
instead?
That would be no on both counts. All packets got replies and while
debugging the polling interval was fairly short. (on ord
Jim Popovitch wrote:
I think this could be relevant. a LOT of devices drop snmp requests
when they get busy or when too many incoming requests occur. Are you
sure that you were the only one polling that device? Perhaps someone
else put it into a "busy" state. Too often with SNMP devices and too
Simon Lyall wrote:
The world has been waiting for a list of Florida IPs for a while so we can
block them for a few years, no such luck however.
ip2location.com would be happy to sell you just such a list.
Pete
On a more practical note one possible solution to a similar I heard was
to ensure that th
Rich Kulawiec wrote:
Oh...and then we get into P2P distribution mechanisms. How is any
ISP supposed to block content which is everywhere and nowhere?
This would only be possible by whitelisting content, which is not what
most would accept. (although there are countries where this is the norm,
Randy Bush wrote:
a bit more coffee made me realize that what might best occur would
be for the rir, some weeks BEFORE assigning from a new block issued
by the iana, put up a pingable for that space and announce it on
the lists so we can all test BEFORE someone uses space from that
block.
Or may
Randy Bush wrote:
i do not understand what you are proposing. ahhh. you mean
o each asn register a pingable address within its normal space,
maybe in their irr route object
o the rirs set up a routing island with only the new prefix in
it
o from a box with that new prefix, the rir pings
I run some summaries about spam-sources by country, AS and containing
BGP route.
These are from a smallish set of servers whole March aggregated.
Percentage indicates incidents out of total.
Conclusion is that blocking 25 inbound from a handful of prefixes would
stop >10% of spam.
+-+-
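The aggregation behind the summary above (map each spam source to its containing BGP route by longest-prefix match, then count per prefix, origin AS and country and rank by share of all incidents) as an added example; this is not the poster's own script. The route table and the spam-source addresses are constructed sample data using documentation prefixes and private-use ASNs, and the country codes are placeholders.

```python
# Added example (not from the thread): rank spam sources by containing
# BGP prefix, origin AS and country, and see how much blocking the top
# entries on inbound port 25 would remove.
import ipaddress
from collections import Counter

# Constructed route table: (prefix, origin ASN, country). Documentation
# ranges and private-use ASNs only.
ROUTES = [
    ("192.0.2.0/24", 64496, "XX"),
    ("198.51.100.0/24", 64497, "YY"),
    ("198.51.100.128/25", 64498, "YY"),   # more-specific inside the /24 above
    ("203.0.113.0/24", 64499, "ZZ"),
]

# Constructed spam-source log: one entry per rejected SMTP connection.
SPAM_SOURCES = (
    ["198.51.100.200"] * 6 + ["192.0.2.7"] * 5 + ["198.51.100.10"] * 4
    + ["203.0.113.9"] * 2 + ["203.0.113.77"] * 2 + ["100.64.0.1"]
)


def build_table(routes):
    """Parse routes and order them longest-prefix first so the first hit wins."""
    table = [(ipaddress.ip_network(p), asn, cc) for p, asn, cc in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def containing_route(table, ip):
    """Longest-prefix match: the BGP route that covers this source address."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc in table:
        if addr in net:
            return net, asn, cc
    return None  # no covering route: unrouted space or missing from our table


def summarize(routes, spam_ips):
    """Count incidents per containing prefix, origin AS and country.

    Percentages are incidents out of the total, including sources that
    could not be mapped to a route, so the three views are comparable.
    """
    table = build_table(routes)
    by_prefix, by_asn, by_cc = Counter(), Counter(), Counter()
    unknown = 0
    for ip in spam_ips:
        hit = containing_route(table, ip)
        if hit is None:
            unknown += 1
            continue
        net, asn, cc = hit
        by_prefix[str(net)] += 1
        by_asn[asn] += 1
        by_cc[cc] += 1
    total = len(spam_ips)

    def ranked(counter):
        return [(key, n, round(100.0 * n / total, 1))
                for key, n in counter.most_common()]

    return {"prefix": ranked(by_prefix), "asn": ranked(by_asn),
            "country": ranked(by_cc), "unknown": unknown, "total": total}


def coverage(ranked, top_n):
    """Share of all incidents stopped by blocking inbound 25 from the top_n entries."""
    return sum(pct for _, _, pct in ranked[:top_n])


if __name__ == "__main__":
    report = summarize(ROUTES, SPAM_SOURCES)
    for view in ("prefix", "asn", "country"):
        print(view)
        for key, n, pct in report[view]:
            print(f"  {key!s:<20} {n:>4} {pct:>6.1f}%")
    print("unmapped sources:", report["unknown"])
    print("blocking the top 2 prefixes stops %.1f%% of incidents"
          % coverage(report["prefix"], 2))
```

The per-prefix view is the one that matters for a filter: blocking on the containing route rather than on individual addresses catches the rest of the same pool, and the more-specific route is counted separately from its covering aggregate so that a filter on the /25 is not mistaken for a filter on the whole /24.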
Stephen J. Wilcox wrote:
On Sun, 3 Apr 2005, Petri Helenius wrote:
I run some summaries about spam-sources by country, AS and containing
BGP route.
These are from a smallish set of servers whole March aggregated.
Percentage indicates incidents out of total.
Conclusion is that blocking 25
Gadi Evron wrote:
Between spam, spyware and worms, not to mention scans ad attacks, I
suppose that a large percentage of the Internet already is pay-for-junk?
No. Most of the Internet is p2p file sharing, which does not fall into
the categories mentioned. (at least mostly it doesn't)
Pete
Peter Corlett wrote:
A side-effect of the greylisting and other mail checks is that I've
got a lovely list of compromised hosts. Is there any way I can
usefully share these with the community?
Set up a website where one can input a route and can see hosts covered
with it?
Pete
Sean Donelan wrote:
Locating bots is relatively easy. If you think that is the hard part, you
don't understand the problem.
It's easy to some extent, databases to a few hundred thousand are easy
to collect but going to the millions is harder.
So how do you encourage people to fix their comput
Florian Weimer wrote:
* Suresh Ramasubramanian:
Find them, isolate them into what some providers call a "walled
garden" - vlan them into their own segment from where all they can
access are antivirus / service pack downloads
Service pack downloads? Do you expect ISPs to pirate Windows (or
Paul Vixie wrote:
no to 1) prolong the pain, 2) beat a horsey.. BUT, why are 1918 ips
'special' to any application? why are non-1918 ips 'special' in a
different way?
i know this is hard to believe, but i was asked to review 1918 before it
went to press, since i'd been vociferous in my comment
Paul Vixie wrote:
IMO, RFC1918 went off the track when both ISP's and registries started
asking their customers if they have "seriously considered using 1918 space
instead of applying for addresses". This caused many kinds of renumbering
nightmares, overlapping addresses, near death of ipv6, etc.
joe mcguckin wrote:
Isn't there already one 'secret handshake' club in existence already?
Yes, but unlike there is a need for multiple instances of different
governments, there is a need for multiple 'closed communities'.
It will allow them to become corrupt in different ways.
Pete
On 4/10/05
Gadi Evron wrote:
Petri Helenius wrote:
joe mcguckin wrote:
Isn't there already one 'secret handshake' club in existence already?
Yes, but unlike there is a need for multiple instances of different
governments, there is a need for multiple 'closed communities'.
It
Daniel Golding wrote:
If you take a look at the dslreports.com forums, there are numerous
complaints about DNS performance from various DSL and cable modem users. I'm
not sure how reasonable these complaints are. The usual solution from other
users is to install a piece of Windows software called "Tr
http://www.convergedigest.com/Bandwidth/newnetworksarticle.asp?ID=14545
Pete
Suresh Ramasubramanian wrote:
>Local telco concerned about voip eating into their revenues, and wants
>to push through legislation or something? :)
>
>
>
Or somebody who would like to provision adequate bandwidth to
accommodate for services on the rise?
Not everybody is installed with the evil
Fergie (Paul Ferguson) wrote:
We owe to our customers, and we owe it to ourselves, so let's
just stop finding excuses to side-step the issue.
So are you saying that managed security services are not available for
paying consumers in USA?
Pete
Daniel Roesen wrote:
I hope to find the time to do some capturing and analysis of this
traffic. If anyone here has experience with that I'd be happy to hear
from them... don't want to waste time doing something others already
did... :-)
Sure, what would you like to know?
Pete
Adi Linden wrote:
It's not up to the ISP to determine outbound malicious traffic, but it's up
to the ISP to respond in a timely manner to complaints. Many (most?) do not.
If they did their support costs would explode. It is block the customer,
educate the customer why they were blocked, extermin
[EMAIL PROTECTED] wrote:
Well... the *original* question was "What's an acceptable speed for DSL?",
and
the only *really* correct answer is "The one that maximizes your profit
margin", balancing how much you need to build out to improve things against
whatever perceived sluggishness ends up making
Suresh Ramasubramanian wrote:
On 5/8/05, aljuhani <[EMAIL PROTECTED]> wrote:
Well I am not a DNS expert but why Google have the primary gmail MX record
without load balancing and all secondaries are sharing the same priority
level.
Has it occurred to you that there are other ways of load bal
Jay R. Ashworth wrote:
The Internet needs a PA system.
There is this sparsely deployed technology called multicast which would
work for this application.
Pete
Jay R. Ashworth wrote:
On Wed, Jun 08, 2005 at 09:22:02PM +0300, Petri Helenius wrote:
Jay R. Ashworth wrote:
The Internet needs a PA system.
There is this sparsely deployed technology called multicast which would
work for this application.
Well, that's fine, a
[EMAIL PROTECTED] wrote:
Today, if Joe Business gets lots of spam, it is not his
ISP's responsibility. He has no-one to take responsibility
for this problem off his hands. But if he only accepts
incoming email through an operator who is part of the
email peering network, he knows that somewher
Rich Kulawiec wrote:
"The best place to stop abuse is as near its source as possible."
Meaning: it's far easier for network X to stop abuse from leaving its
network than it is for 100,000 other networks to defend themselves from it.
Especially since techniques for doing so (for instance, contr
Philip Lavine wrote:
I plan to design a hub and spoke WAN using ATM. The
data traversing the WAN is US equities market data.
Market data can be in two flavors multicast and TCP
client/server. Another facet of market data is it is
bursty in nature and is very sensitive to packet loss
and latency
Fergie (Paul Ferguson) wrote:
Yeah, I saw that...
With all respect to Dave, and not to sound too skeptical,
but we're pretty far along in our current architecture to
"fundamentally" change, don't you think (emphasis on
fundamentally)?
Most of the routing and security issues on today's IP4/I
Stephen Sprunk wrote:
What this really does is change the detection method. Instead of scanning
randomly, you sit and watch what other IP addresses the local host
communicates with (on- and off-subnet), and attack each of them. How many
degrees of separation are there really between any two u
Mikael Abrahamsson wrote:
On Sat, 2 Jul 2005, John L Lee wrote:
With routers you will need to turn buffering off and you will still
have propagation in the double to triple milli-seconds range with
jitter in the multi milli-seconds range.
Please elaborate why a router would have multi-mi
Peter Dambier wrote:
David Conrad wrote:
The good thing with IPv6 is autoconfiguration. There is no need to
renumber.
With the radvd daemon running your box builds its own ip as soon as you
plug it in.
If your box is allowed then give it a global address from the radvd.
Your box does not c
Jay R. Ashworth wrote:
Well, with all due respect, of *course* there isn't any 'killer site'
that is v6 only yet: the only motivation to do so at the moment, given
the proportion of v4 to v6 end-users, is *specifically* to drive v4 to
v6 conversion at the end-user level.
We need either one e
Tim Thorne wrote:
>
> They'd probably end up filing suit for that too. I don't believe that
> will affect them much. The whole music industry seems to be running
> scared of new media. They obviously like the revenue from album sales
> and figure that if people buy only a couple of mp3s tracks t
>
> Treat them sort of like SSL certs now. Charge an annual registrar fee
> per company, not per server. (Something like $100 a year) The more they
> have to go out of their way to get their spam server online, the more
> they would be deterred to do so. They're only going to want to change
>
Kevin Oberman wrote:
> Yes, Windows. Today. Now. But you must explicitly enable it at this
> time.
>
The one that ships with Win XP is quite seriously broken in its
resolver behaviour (you'll not be able to reach many IPv4 WWW
sites after enabling it) and additionally none of the Windows
serv
It would also be interesting to know which backbone/core product requires a reboot to
activate OSPF configuration changes. Sounds like something one should stay away from.
Pete
Frank Scalzo wrote:
>
> Whoops! 2 hours to find routers w/o an IGP tsk tsk.
>
> Dear AT&T IP Services Customer,
>
>
> Yes, it's a gradual trend. We are seeing an increase over time in
> active tunnels and in average traffic per tunnel.
>
Two easy things to drive v6 traffic:
1) switch your NNTP feeds to ipv6
2) put names which resolve to ipv6 addresses in your MXs
Both of these have little or no operatio
>Driver #1 : Sell p00rn via IPv6 only.
>
>Sad but true. Content and use is all there is.
Remember that multicast never happened either.
How much it would take to "sponsor" free content over multicast to
get it deployed. Don't know if this would be approvable for government
subsidies though.
Pe
[EMAIL PROTECTED] wrote:
>
> one area that might be of interest is internet gaming. nowadays,
> all gaming client will connect to the central server, and all traffic
> from client to another client has to go through the central server
This is a feature. It makes cheatin
[EMAIL PROTECTED] wrote:
>
> you can go hybrid, like
> - client connects to server for game playing info (like location on the
> map, inventory and stuff)
> - client will talk with each other directly for video/voice-chat
> even with this, server load/tr
Kurtis Lindqvist wrote:
>
> What might happen is that ISPs start using IPv6 for their (as example) DSL
> services to work around addressing problems. But that is not a userdriven
> demand.
>
I'm already aware of installations where IPv6 gets you globally routable
connectivity and IPv4 gets you
> Interesting points, and although orthogonal to the analysis in "Do
> ATM-based Internet Exchange Points Make Sense Anymore?", I am including
> these in the appendix to show these alternate views of the world. Am I
> missing any of the major (fact-based) views?
>
There is this "small" thing tha
Iljitsch van Beijnum wrote:
> one" and then it levels off again. The question is: where on the S are we
> now? There is something to be said for high (close to leveling off)
> because pretty much anyone who wants/needs IP in North America and Europe
> has it, but maybe we're still quite low, sinc
[EMAIL PROTECTED] wrote:
> With link-state, one interface flap can mean doing SPF on every route.
Only if you learned every one of your routes from a different neighbor.
If you have two exits and 10 routes, you calculate twice and
apply the results to the prefixes.
Note that this does not a
"Stephen J. Wilcox" wrote:
> but.. with SPF you need to run the algorithm on all paths for each flap and then
> see what that does to your routes
>
Only the paths that cross the one you lost. Obviously if this happens
or not, depends on your implementation. Look in the documentation under
headin
Eliot Lear wrote:
>
> Please be aware that this could have unintended consequences, and should
> be used in very constrained ways. In particular, there are any number
> of applications, including VPN applications that use port 80. I would
> recommend that only specified destinations get such t
> Dan Lockwood wrote:
>
> Everyone,
>
> I have a customer that is multihomed, to a public ISP and to another large network
>that uses 10.0.0.0 address space. The private address space also has services
>available via public address space and consequently is running a split DNS service,
>pub
"Christopher J. Wolff" wrote:
> My current thoughts on this are to digitize the satellite video into
> mpeg2 and deliver it over TCP/IP through the in-ground cable. This way,
> integrating the video and data portion are easy, however the resident
> would need to buy a mpeg2 set-top-box to split
> Under the best possible circumstances, most of the extra delay is due to
> the fact that routers do "store and forward" forwarding, so you have to
> wait for the last bit of the packet to come in before you can start
> sending the first bit over the next link. This delay is directly
> proportio
(apologies for the previous email being HTML)
>Yes, but only once. With a layer 3 network (or non-ATM layer 2 network)
>you get this at every hop.
About 40% of all packets are minimum size. Depending on your encapsulation
these are usually less than 53 bytes on a POS link. So you suffer only the f
Stephen Sprunk wrote:
>
> FIBs did not exist (in production routers) at the time MPLS aka tag switching
> was invented. The problem was that the day's cache-based routers could not
> handle the growing number of destinations on the Internet and crumbled under the
> load of creating and aging cac
>
> Rubbish.
>
> There are only two or three types of locks that cannot be picked from the
> outside by a lockpicker within 10-15 minutes. None of those locks is on your
> outside door. Why do you bother to lock your house?
>
But in the case of public WLAN, who is the one that you're trying
to ke
> At 155 Mbps you need 32 MB worth of buffer space to arrive at a delay like
> this. I wouldn't put it past ATM vendors to think of this kind of
> over-enthusiastic buffering as a feature rather than a bug.
>
Vendor C sells packet memory up to 256M each way for a line card. Whether
this makes any