Re: .255 addresses still not usable after all these years?

2008-06-14 Thread Scott Weeks
I don't get it. As I mentioned about a year ago, when we last had this discussion, I have been handing out /23s to DHCP customers for years. No problems. .0 and .255 are not on WAN circuits or anything else, but zero problems for dynamically assigned customers. scott

Re: [NANOG] Introducing latency for testing?

2008-06-14 Thread Jared Mauch
On Sat, Jun 14, 2008 at 01:34:53PM -0500, Frank Bulk - iNAME wrote: > It's not free, but at a recent trade show I did see what appeared to be an > affordable unit from Apposite Technologies (apposite-tech.com). And there's > always PacketStorm. > > Frank > > -Original Message- > From: Mi

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Nathan Ward
On 15/06/2008, at 9:18 AM, Scott McGrath wrote: Yes - we are blocking TCP; too many problems with drone armies, and we started about a year ago when our DNS servers became unresponsive for no apparent reason. Investigation showed TCP flows of hundreds of megabits/sec and connection table ov

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Nathan Ward
On 15/06/2008, at 12:45 PM, Mike Lewinski wrote: 2) The biggest drawback to separation after years of service is that customers have come to expect their DNS changes are propagated instantly when they are on-net. This turns out to be more of an annoyance to us than our customers, since our

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Mike Lewinski
Sean Donelan wrote: 1. Separate your authoritative and recursive name servers 2. Recursive name servers should only get replies to their own DNS queries from the Internet, they can use both UDP and TCP We've just completed a project to separate our authoritative and recursive servers and I h

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Sean Donelan
On Sat, 14 Jun 2008, Scott McGrath wrote: Also recall we have a commitment to openness so we would like to make TCP services available but until we have effective DNS DoS mitigation which can work with 10Gb links It's not going to happen. I feel your pain, but I think there may be a slight mis-

Bandcon Transport Services..

2008-06-14 Thread Christian
Anyone here use Bandcon's transport services? Positive/Negative experiences, any feedback would be helpful.. Thanks ck

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Randy Bush
> Mostly I think that people "approaching this from a security > perspective only" often forget that by fencing in the(ir idea of the) > current status quo, they often prevent beneficial evolution of > protocols as well, contributing to the Internet's "ossification". folk do not always get the imp

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Jeroen Massar
Scott McGrath wrote: There is no call for insults on this list Insults? Where? If you feel insulted by any of the comments made on this list by people, then you probably are indeed on the wrong list. But that is just me. - Rather thought this list was about technical discussions affecting

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Simon Leinen
Jon Kibler writes: > Also, other than "That's what the RFCs call for," why use TCP for > data exchange instead of larger UDP packets? TCP is more robust for large (>Path MTU) data transfers, and less prone to spoofing. A few months ago I sent a message to SwiNOG (like NANOG only less North Americ

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Scott McGrath
There is no call for insults on this list - Rather thought this list was about technical discussions affecting all of us, and keeping DNS alive for the majority of our customers certainly qualifies. We/I am more than aware of the DNS mechanisms and WHY they are there; trouble is NO DNS server

Re: [NANOG] Introducing latency for testing?

2008-06-14 Thread Joel Jaeggli
Chris Marlatt wrote: Frank Bulk - iNAME wrote: It's not free, but at a recent trade show I did see what appeared to be an affordable unit from Apposite Technologies (apposite-tech.com). And there's always PacketStorm. Frank -Original Message- From: Mike Lyon [mailto:[EMAIL PROTECTED

Re: [NANOG] Introducing latency for testing?

2008-06-14 Thread Chris Marlatt
Frank Bulk - iNAME wrote: It's not free, but at a recent trade show I did see what appeared to be an affordable unit from Apposite Technologies (apposite-tech.com). And there's always PacketStorm. Frank -Original Message- From: Mike Lyon [mailto:[EMAIL PROTECTED] Sent: Friday, May 02,

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Jeroen Massar
Scott McGrath wrote: [..] For a long time there has been an effective practice of UDP == resolution requests TCP == zone transfers WRONG. TCP is there as a fallback when the answer of the question is too large. Zone transfer you can limit in your software. If you can't configure your dns serv

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Scott McGrath
Not to toss flammables onto the pyre. BUT there is a large difference from what the RFCs allow and common practice. In our shop TCP is blocked to all but authoritative secondaries as TCP is simply too easy to DoS a DNS server with. We simply don't need a few thousand drones clogging the T

Re: .255 addresses still not usable after all these years?

2008-06-14 Thread Greg VILLAIN
On Jun 14, 2008, at 12:26 AM, Mike Lewinski wrote: David Hubbard wrote: I remember back in the day of old hardware and operating systems we'd intentionally avoid using .255 IP addresses for anything even when the netmask on our side would have made it fine, so I just thought I'd try it out for

RE: [NANOG] Introducing latency for testing?

2008-06-14 Thread Frank Bulk - iNAME
It's not free, but at a recent trade show I did see what appeared to be an affordable unit from Apposite Technologies (apposite-tech.com). And there's always PacketStorm. Frank -Original Message- From: Mike Lyon [mailto:[EMAIL PROTECTED] Sent: Friday, May 02, 2008 3:13 PM To: NANOG Subj

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Robert E. Seastrom
Jon Kibler <[EMAIL PROTECTED]> writes: > Okay, I stand corrected. I was approaching this from a security > perspective only, and apparently based on incorrect information. It always puzzles me when people say things like that - it's as if they've lost sight of the *whole point* of security being

Re: .255 addresses still not usable after all these years?

2008-06-14 Thread Florian Weimer
* Valdis Kletnieks: > RFC1519 is 15 years old now. I *still* heard a trainer (in a Cisco > class no less) mention class A/B/C in the last few months. Some evil > will obviously take generations to fully stamp out. You need to know something about classes when you deal with Cisco gear because IO