On Mon, Feb 09, 2009 at 09:27:59PM -0500, TJ wrote:
> >> > The SOX auditor ought to know better. Any auditor that
> >> > requires NAT is incompetent.
> >>
> >> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
> >> RFC1918 addressing ...
> >
> >SOX auditors are incompetent. I've
On Mon, 9 Feb 2009, TJ wrote:
My pleasure, now everyone - feel free to ring up your local
sales/support rep and "encourage" their product to implement this ...
please!
What about "DHCPv6 / DHCPV6-PD" sniffing (and using that info to create L3
filter rules in L2 devices), is a standard needed
On Mon, Feb 9, 2009 at 9:54 PM, John Osmon wrote:
> It isn't SOX, but sadly enough, PCI DSS Requirement 1.5 says:
> Implement IP address masquerading to prevent internal addresses from
> being translated and revealed on the Internet. Use technologies that
> implement RFC 1918 address space,
security by obscurity is not the way, everyone knows it.
those guys will figure it out sooner or later (where later, might take ages).
in the meanwhile, a lot have pseudo-secured networks thru triple-nat,
quadruple-nat, multiple ipsec'd layered and so, and others live with the hammer
in their s
On Tue, Feb 10, 2009 at 02:16:10PM +1100, Mark Andrews wrote:
>
> In message <00df01c98b27$3181b7e0$948527...@com>, "TJ" writes:
[...SOX auditor stuff...]
> > When the compliance explicitly requires something they are required to check
> > for it, they don't have the option of ignoring or waiving r
On Mon, Feb 9, 2009 at 9:47 PM, TJ wrote:
>>Why would anyone NOT want that?? what replaces that option in current RA
>>deployments?
>
> One nit - I like to differentiate between the presence of RAs (which should
> be every user where IPv6 is present) and the use of SLAAC (RA + prefix).
>
Sure, bu
Mark Andrews wrote:
Please cite references.
I can find plenty of firewall required references but I'm
yet to find a NAT and/or RFC 1918 required.
(Skip if you've participated in a SOX audit from the IT department POV)
The way it works is that the law doesn't call for s
>> When the compliance explicitly requires something they are required to
>> check for it, they don't have the option of ignoring or waiving
>requirements ...
>> and off the top of my head I don't recall if it is SOX that calls for
>> RFC1918 explicitly but I know there are some that do.
>
>I believ
> Seth Mattinen wrote:
> > I hate to interrupt the IPv6 and RFC 1918 mega-threads...
> >
> > Does anyone know of a company that makes 208v (3-wire line-line ground,
> > no neutral, 208v loads only, single phase) 30-60 amp automatic transfer
> > switches with sub-30ms switching time? APC used to ma
In message <00df01c98b27$3181b7e0$948527...@com>, "TJ" writes:
> >> > The SOX auditor ought to know better. Any auditor that
> >> > requires NAT is incompetent.
> >>
> >> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
> >> RFC1918 addressing ...
> >
> >SOX auditors are incom
Comtrend DSL modems use iptables in their code. I discovered this while
trying to understand why small-MTU FTP breaks when issuing the PORT command.
Frank
-Original Message-
From: Ricky Beam [mailto:jfb...@gmail.com]
Sent: Monday, February 09, 2009 4:01 PM
To: Owen DeLong
Cc: nanog@nanog
>> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
>Thanks for pointing us to this. It's encouraging to know that it is being
worked on.
My pleasure, now everyone - feel free to ring up your local sales/support
rep and "encourage" their product to implement this ... please!
/TJ
>Why would anyone NOT want that?? what replaces that option in current RA
>deployments?
One nit - I like to differentiate between the presence of RAs (which should
be every user where IPv6 is present) and the use of SLAAC (RA + prefix).
Right now - Cheat off of IPv4's config.
(Lack of DHCPv6 cli
TJ wrote:
When the compliance explicitly requires something they are required to check
for it, they don't have the option of ignoring or waiving requirements ...
and off the top of my head I don't recall if it is SOX that calls for
RFC1918 explicitly but I know there are some that do.
I believe
>> >The SOX auditor ought to know better. Any auditor that
>> >requires NAT is incompetent.
>>
>> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
>> RFC1918 addressing ...
>
>SOX auditors are incompetent. I've been asked about anti-virus software on
>UNIX servers and the
John Peach wrote:
>
> On Mon, 9 Feb 2009 21:16:49 -0500
> "TJ" wrote:
>
>>> The SOX auditor ought to know better. Any auditor that
>>> requires NAT is incompetent.
>> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
>> RFC1918 addressing ...
>
> SOX auditors are inco
On Mon, Feb 9, 2009 at 6:16 PM, Ricky Beam wrote:
> On Fri, 06 Feb 2009 09:39:01 -0500, Iljitsch van Beijnum
> wrote:
>>>
>>> If you want the machine to always have the same address, either enter it
>>> manually or set your DHCP server to always give it the same address.
>>
>> Manual configuratio
On Mon, 9 Feb 2009 21:16:49 -0500
"TJ" wrote:
> > The SOX auditor ought to know better. Any auditor that
> > requires NAT is incompetent.
>
> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
> RFC1918 addressing ...
SOX auditors are incompetent. I've been asked abo
In message <00cf01c98b24$efe42680$cfac73...@com>, "TJ" writes:
> Also, it is not true in every case that hosts need a "lot more" than an
> address.
> In many cases all my machine needs is an address, default gateway and DNS
> server (cheat off of v4 | RFC5006 | Stateless DHCPv6).
address
> The SOX auditor ought to know better. Any auditor that
> requires NAT is incompetent.
Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918
addressing ...
>As I read it, you don't want to use DHCP because "it's an other service to
>fail." Well, what do you think is broadcasting RA's? My DHCP servers have
>proven far more stable than my routers. (and one of them is a windows
server
>:-)) Most dhcp clients that keep any state will continue using the
Hi everyone,
I wonder what percentage is a good level of CPU and memory utilization for
network equipment?
In my case, I try to keep under 30% CPU utilization and 70% memory utilization.
Most of my equipment is Cisco product.
I have no technical reference for that; it is just a rule of mine or my
predecessor's.
Could
Mark Newton wrote:
On a commodity consumer CPE device, the ALG code doubles as a
stateful inspection engine.
So it _is_ required when address translations are not being performed.
H, the code may be there, but I suspect that not all of it will
apply to v6 and be used.
Is security some
On 10/02/2009, at 11:03 AM, Jack Bates wrote:
There is if you have a dual-stack device, your L4-and-above protocols
are the same under v4 and v6, and you don't want to reinvent the
ALG wheel.
ALG only fixes some problems, and it's not required for as much when
address translations are not
Mark Newton wrote:
Fine, you don't like rewriting L3 addresses and L4 port numbers. Yep,
I get that. Relevance?
Just out of what I like and might use, GRE (no port), ESP (no port), AH
(no port), SCTP (would probably work fine with NAT, but I haven't seen
it supported yet and because every bo
In message <4990c38c.8060...@eeph.com>, Matthew Kaufman writes:
> Owen DeLong wrote:
> > In terms of implementing the code, sure, the result is about the same,
> > but, the key point here is that there really isn't a benefit to having that
> > packet mangling code in IPv6.
>
> Unless your SOX aud
Owen DeLong wrote:
In terms of implementing the code, sure, the result is about the same,
but, the key point here is that there really isn't a benefit to having that
packet mangling code in IPv6.
Unless your SOX auditor requires it in order to give you a non-qualified
audit of your infrastruct
On 10/02/2009, at 10:17 AM, Owen DeLong wrote:
Sure, but at the end of the day a non-NAT firewall is just a
special case
of NAT firewall where the "inside" and "outside" addresses happen to
be the same.
Uh, that's a pretty twisted view. I would say that NAT is a special
additional capabil
On Feb 9, 2009, at 3:33 PM, Mark Newton wrote:
On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:
Yes, an ALG needs to understand the packet format to open pinholes
-- but with NAT, it also needs to mangle the packets. A non-NAT
firewall just examines the packets and then passes them on u
On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:
Yes, an ALG needs to understand the packet format to open pinholes
-- but with NAT, it also needs to mangle the packets. A non-NAT
firewall just examines the packets and then passes them on unmangled.
Sure, but at the end of the day a non-
Ricky Beam wrote:
On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
wrote:
Non-NAT firewalls do have some appeal, because they don't need to
mangle the packets, just passively observe them and open pinholes
when appropriate.
This is exactly the same with NAT and non-NAT -- making any anti-N
Nathan Ward wrote:
On 10/02/2009, at 11:35 AM, Scott Howard wrote:
Go and ask those people who "feel statics are a given for IPv6" if they
would prefer static or dynamic IPv4 addresses, and I suspect most/all of
them will want the static there too. Now ask your average user the same
question a
On Fri, 06 Feb 2009 09:39:01 -0500, Iljitsch van Beijnum
wrote:
If you want the machine to always have the same address, either enter
it manually or set your DHCP server to always give it the same address.
Manual configuration doesn't scale. With IPv4, it's quite hard to make
this work wit
On Feb 9, 2009, at 2:11 PM, Ricky Beam wrote:
On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
wrote:
Non-NAT firewalls do have some appeal, because they don't need to
mangle
the packets, just passively observe them and open pinholes when
appropriate.
This is exactly the same with NAT
On 10/02/2009, at 11:35 AM, Scott Howard wrote:
Go and ask those people who "feel statics are a given for IPv6" if
they
would prefer static or dynamic IPv4 addresses, and I suspect most/
all of
them will want the static there too. Now ask your average user the
same
question and see if you
On Sat, Feb 7, 2009 at 5:56 PM, Matthew Moyle-Croft
wrote:
> My issue is that customers have indicated that they feel statics are a
> given for IPv6 and this would be a problem if I went from tens of thousands
> of statics to hundreds of thousands of static routes (ie. from a minority to
> all).
Ricky Beam wrote:
On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
wrote:
Non-NAT firewalls do have some appeal, because they don't need to mangle
the packets, just passively observe them and open pinholes when
appropriate.
This is exactly the same with NAT and non-NAT -- making any anti-NA
On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
wrote:
Non-NAT firewalls do have some appeal, because they don't need to mangle
the packets, just passively observe them and open pinholes when
appropriate.
This is exactly the same with NAT and non-NAT -- making any anti-NAT
arguments null
On Fri, 06 Feb 2009 22:32:10 -0500, Owen DeLong wrote:
IPTables is decent firewall code.
Not really. It's quite complicated for a non-engineer type to manage.
Think of all the unpatched windows xp/vista users of the world.
It's free.
...
Further, since more and more CPE is being built
> Indeed, this is a problem.
> RA Guard is a very straight-forward, hopefully
soon-to-be-widely-supported,
> defense.
> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
Thanks for pointing us to this. It's encouraging to know that it is
being worked on.
Ray
>> So Cisco (and other vendors) needs to introduce two things for LAN
>> switching. DHCPv6 snooping, and more importantly, RA suppression (or
>> RA snooping).
>
>For IOS, have you tried the command:
>
>int gi0/1
> ipv6 nd ra suppress
>
That stops your router from sending any RAs.
Does nothing to p
>A big one is a solution to address the security concerns with IPv6 RA
>(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the
option
>of using DHCP snooping to suppress unauthorized DHCP servers from handing
>out address information. With IPv6, any host can announce itself as a
rout
Oddly enough, we've got a few customers that are on Qwest network on the
east coast and we see packet loss in the same range to them, we've
tested origination packets from 6-7 networks. The customer has reported
it and the issue has been ongoing for at least a week or two, but so far
nothing has b
This has been a recurring problem, especially in the Bay Area - and it
seems as though neither side really cares all that much.
-Dave
Andris Kalnozols wrote:
This post to the NANOG list in the hope that an interested
engineer from either Qwest or GBLX will act on the problem
I have observed.
On Fri, Feb 06, 2009 at 01:13:14PM -0500, Joe Maimon wrote:
> Perhaps ebgp-multihop with this ISP's upstream provider might offer you
> an advantage combined with this approach.
This is quite neat, but the ISP may be multihomed and support BGP at
one edge (several transits, several peers), but no
We're not a big verizon wireless customer, (we have been allocated a /25
for remote data access devices). We run multi-homed BGP with vw. vw says
that they must advertise 48 summarized prefixes to us, instead of just
the /25. The 48 prefixes are apparently advertised to all of the
de-aggregated use
On Monday 09 February 2009 11:54:41 pm Soucy, Ray wrote:
> I think this only applies to RA originating from the L3
> interface in question... not an L2 interface.
Quite right, indeed.
Mark.
> For IOS, have you tried the command:
>
> int gi0/1
> ipv6 nd ra suppress
I think this only applies to RA originating from the L3 interface in
question... not an L2 interface. I could be mistaken. I'll have to
poke at it.
On Sun, Feb 8, 2009 at 7:07 PM, Mark Andrews wrote:
>
> In message <1234128761.17985.352.ca...@guardian.inconcepts.net>, Jeff S
> Wheeler
> writes:
> > On Sun, 2009-02-08 at 14:37 -0800, Aaron Glenn wrote:
> > > NAT? why isn't Verizon 'It's the Network' Wireless using IPv6?
> > > there should be
On Monday 09 February 2009 10:21:24 pm Soucy, Ray wrote:
> So Cisco (and other vendors) needs to introduce two
> things for LAN switching. DHCPv6 snooping, and more
> importantly, RA suppression (or RA snooping).
For IOS, have you tried the command:
int gi0/1
ipv6 nd ra suppress
Cheers,
Mark.
On Sat, Feb 7, 2009 at 9:24 PM, Jeff S Wheeler wrote:
> Sure, smart phones are becoming more popular.
My ancient and crufty Nextel iDEN i530 phone, manufactured circa
2003, with a monochrome 4-line text display, and about as "dumb" as
they get, gets assigned an IP address. Now, that IP address
> It's scenario 2 I'm worried about, all those mechanisms haven't been
> implemented for IPv6 as far as I know and if you're only doing 2.2-2.5
> then you're open to the IPv6 security issue I described.
We've been seeing problems with this for the last year or so (since
Vista started showing up)
>So far as I am aware, this is default behaviour only on certain versions of
>Mac OSX, and must be explicitly enabled on all others.
>Manually, on the console. RA does not dynamically distribute this
>behaviour; the client has to choose it. Usually it is a sysctl or a
>registry variable or the li
On Mon, 9 Feb 2009, Andy Davidson wrote:
On Thu, Feb 05, 2009 at 07:19:37PM -0500, Robert D. Scott wrote:
Wii should not even consider developing " a cool new protocol for the Wii"
that is not NAT compliant via V4 or V6. And if they do, we should elect a
NANOG regular to go "POSTAL" and hand
> This post to the NANOG list in the hope that an interested
> engineer from either Qwest or GBLX will act on the problem
> I have observed.
>
> I've identified a packet loss problem (10-15%) between Qwest
> and Global Crossing.
Thanks to whomever has fixed the problem. Packet loss is now
zero a
On Thu, Feb 05, 2009 at 07:19:37PM -0500, Robert D. Scott wrote:
> Wii should not even consider developing " a cool new protocol for the Wii"
> that is not NAT compliant via V4 or V6. And if they do, we should elect a
> NANOG regular to go "POSTAL" and handle the problem. The solution to many of
>
On Mon, 9 Feb 2009, Pekka Savola wrote:
I may be missing something. "only have ethernet and IP". Why is
plain-ethernet with each subscriber provisioned in a separate router's
vlan subinterface insufficient? There is no security issue because each
subscriber only sees its own traffic.
It's
On Sun, Feb 8, 2009 at 11:42 PM, Joel Jaeggli wrote:
> FD00::/8
>
> ula-l rfc 4139
s/4139/4193/
--
Thanks; Bill
Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
On Sat, 7 Feb 2009, Mikael Abrahamsson wrote:
But I wasn't talking (A)DSL. DSL is last century. I am talking VDSL2/ETTH.
Security model there is to only have ethernet and IP, no PPP/ATM, no L2TPv3
or PPPoE. Let's skip the terms BRAS/LNS etc. Anything that terminates tunnels
is expensive (apart