It also scales better from the SP point of view. If you have 1000 L3VPN
services on your PE node using OSPF to the customer that would require a lot of
memory for the multiple LSDBs and a lot of CPU for the SPF calculations.
BGP is nicer but the reality is that many enterprises don't have the kno
On Oct 5, 2010, at 1:27 AM, Scott Weeks wrote:
> Why are we required to register to look at the survey?
That's how it's set up by the biz folks who provide the funding and resources
which allow us to conduct the survey, analyze the responses, and then write and
publish the report free of char
> Short term cash supply is important; we have a decent lag between now
> and NANOG 52 where there will be a significant outflow of cash for
> salaries, hotel contracts, etc. without any meeting revenue.
yes, the published data do show that plan. and i guess it is not
outrageous. a choice betwee
>> personally, i am not strongly against it, but am sceptical. it may get
>> a cash infusion now, but what will it do to income down the road when
>> folk don't need to renew? [0]
>
> Furthermore, your opposition will surely depress demand even more,
> because now folks are saying "why would I pa
On 10/04/2010 11:47 AM, Greg Whynott wrote:
>
> A partner had a security audit done on their site. The report said they were
> at risk of a DoS due to the fact they didn't have a SPF record.
We publish a ~all record for our domain. I think it's bad practice to
publish any other result becau
> With regards to the Wired Article, I still have my copy of that issue
> and would consider that article perhaps my favorite magazine article
> of all time.
i too thought that a great article and often point folk to it. sadly,
the copy on the wired web site does not have the figures :(
randy
--On Monday, October 04, 2010 9:54 AM -0700 John Adams
wrote:
Without proper SPF records your mail stands little chance of making it
through some of the larger providers, like gmail, if you are sending
in any high volume. You should be using SPF, DK, and DKIM signing.
I don't really unders
With regards to the Wired Article, I still have my copy of that issue and
would consider that article perhaps my favorite magazine article of all
time.
On Mon, Oct 4, 2010 at 1:41 PM, Patrick Giagnocavo wrote:
> On 10/4/2010 1:24 PM, Heath Jones wrote:
> >> By the way, my recollection is the und
What's that quote again...?
Oh, that's it: "The more you know, the more you know you don't."
It feels very appropriate now :)
Cheers Patrick for that great info & to everyone who contacted me off-list also!
> A halfway-decent description of the physics of how this is done, is
> covered in Neal S
Everyone who registered for a NANOG meeting in 2009 or 2010 is eligible to vote
in this year's combined NANOG/NewNOG election.
If you are eligible and have not already done so, please go to
http://www.nanog.org/governance/elections/2010elections/
to review the election materials and vote.
Note
Here's my notes from the Monday afternoon presentations.
Apologies for the gaps where I nodded off in post-lunch
food coma, as well as for the typos and misspellings
that snuck in.
Notes are posted at
http://kestrel3.netflight.com/2010.10.04-NANOG50-afternoon-notes.txt
Off to Bear and Gear now. ^
On 10/4/10 4:58 PM, "David Conrad" wrote:
> On Oct 4, 2010, at 9:58 AM, John Curran wrote:
>> On Oct 4, 2010, at 1:25 PM, Seth Mattinen wrote:
>>> Or the new whois doesn't scale as well as the old one.
>> New WHOIS scales much better than the old one; it would have been
>> extremely challenging to a
On Mon, 04 Oct 2010 17:05:12 EDT, Suresh Ramasubramanian said:
> dig throwaway1.com NS
> dig throwaway2.com NS
>
> etc etc ... and then check_sender_ns_access in postfix, for example.
Yes, that *is* better than whack-a-mole on the same DNS server, but...
The NANOG lurker in the next cubicle used
> 1) We have not implemented support for this yet. We plan to go live
> with the fully hosted version first and extend it with support for
> non-hosted systems around Q2/Q3 2011.
this is a significant slip from the 1q11 we were told in prague. care
to explain.
> Randy Bush who is cc-ed may be ab
dig throwaway1.com NS
dig throwaway2.com NS
etc etc ... and then check_sender_ns_access in postfix, for example.
Scales much better than whackamoling one domain after the other on the same NS
On Mon, Oct 4, 2010 at 4:59 PM, wrote:
>
> 140 million .coms. Throw-away domains. I do believe that Ma
On Mon, 04 Oct 2010 13:30:55 PDT, Owen DeLong said:
> Removing a few points probably isn't a bad idea so long as you have a list of
> domains for which points should be added.
140 million .coms. Throw-away domains. I do believe that Marcus Ranum had
"trying to enumerate badness" on his list of "S
On Oct 4, 2010, at 9:58 AM, John Curran wrote:
> On Oct 4, 2010, at 1:25 PM, Seth Mattinen wrote:
>> Or the new whois doesn't scale as well as the old one.
> New WHOIS scales much better than the old one; it would have been
> extremely challenging to assemble enough equipment to handle
> the curren
On Oct 4, 2010, at 10:16 AM, Michael Thomas wrote:
> On 10/04/2010 10:05 AM, John Adams wrote:
>> We've seen percentage gains when signing with DK, and we carefully
>> monitor our mail acceptance percentages with ReturnPath. It's around
>> 4-6%. I'd like to stop using it, but some people still ch
Hopefully you are all aware of the NANOG50 VCR, please visit the following
page for additional information:
http://www.nanog.org/meetings/nanog50/vcr.php
We wanted to send you a quick email and provide some additional information
about the VCR. When in or near the VCR feel free to connect any o
Didn't see any spikes here, But from the looks of that graph something sure
happened. It was huge, And only for a short period, Strange.
Nick Olsen
Network Operations
(877) 804-3001 x106
From: "Scott, Robert D."
Sent: Monday, October 04, 2010 3:51 PM
T
On Oct 4, 2010, at 3:50 PM, Scott, Robert D. wrote:
> We were trying to diagnose an issue we had around 1 PM EDST, and were looking
> at net flow data. The data indicated a significant change in our traffic
> patterns, all coming from Akamai address space. The Akamai utilization graphs
> show a
On Oct 4, 2010, at 1:25 PM, Seth Mattinen wrote:
>
>
> Or the new whois doesn't scale as well as the old one.
Seth -
New WHOIS scales much better than the old one; it would have been
extremely challenging to assemble enough equipment to handle
the current query rate. Look at the NANOG pre
--- rdobb...@arbor.net wrote:
From: "Dobbins, Roland"
The 2009 edition of the survey is available here (registration required):
Why are we required to register to look at the survey?
scott
We were trying to diagnose an issue we had around 1 PM EDST, and were looking
at net flow data. The data indicated a significant change in our traffic
patterns, all coming from Akamai address space. The Akamai utilization graphs
show a near doubling of retail traffic in the same time period that
On Mon, 4 Oct 2010, Greg Whynott wrote:
>
> A partner had a security audit done on their site. The report said they
> were at risk of a DoS due to the fact they didn't have a SPF record.
Bullshit.
> I commented to his team that the SPF idea has yet to see anything near
> mass deployment and of t
i think it was an observation they made, and suggestions to make things
better. I don't think the message was "fix this or you'll be off the air one
day.".
if they have a 56k port speed (stuck in the 80's), there is potential there
for a DoS from a large volume of spam back splatter..
On Mon, Oct 4, 2010 at 12:47 PM, Greg Whynott wrote:
> A partner had a security audit done on their site.
> The report said they were at risk of a DoS due to
> the fact they didn't have a SPF record.
>
> how many of you are using SPF records? Do you
> have an opinion on their use/non use of?
I us
On Mon, Oct 4, 2010 at 12:47 PM, Greg Whynott wrote:
>
> A partner had a security audit done on their site. The report said they were
> at risk of a DoS due to the fact they didn't have a SPF record.
This is pure unadulterated BS from someone who doesn't understand
either DDOS mitigation, or SPF
> By the way, my recollection is the undersea regenerators do purely optical
> regeneration.
> There is no O-E conversions undersea, only at the landing stations and
> terrestrial components.
I'm not clever enough to know of some way that you could do optical
regeneration without converting the
On Fri, Oct 01, 2010 at 04:28:30PM +, Tim Franklin wrote:
> Leaf-node BGP config is utterly trivial [...]
>
> The Enterprise guys really need to get out of the blanket "BGP is scary"
> mindset
It's not just "enterprise" mindset. Over the years I've seen a lot of
deployed gear that either di
On 10/4/10 12:47 PM, Greg Whynott wrote:
A partner had a security audit done on their site. The report said they were
at risk of a DoS due to the fact they didn't have a SPF record.
I commented to his team that the SPF idea has yet to see anything near mass
deployment and of the millions of
On Mon, Oct 04, 2010 at 12:47:52PM -0400, Greg Whynott wrote:
> how many of you are using SPF records? Do you have an opinion on their
> use/non use of?
1. Not using them, and don't have any (observed) problems despite years
of closely monitoring mail logs looking for just such issues.
2. Note
On 10/4/2010 1:24 PM, Heath Jones wrote:
>> By the way, my recollection is the undersea regenerators do purely optical
>> regeneration.
>> There is no O-E conversions undersea, only at the landing stations and
>> terrestrial components.
>
> I'm not clever enough to know of some way that you coul
On Mon, Oct 4, 2010 at 10:24 AM, Heath Jones wrote:
>
> I'm not clever enough to know of some way that you could do optical
> regeneration without converting the signal to electrical and
> retransmitting back as optical.. How is that done?
>
> I'm not sure how it's done in practice, but check out
I've found lots of domains with +all which really should be -all since they
were all spam.
Jared Mauch
On Oct 4, 2010, at 1:08 PM, Nathan Eisenberg wrote:
>> If it passes SPF we remove a few points of the spam weight.
>
> I would rethink this practice. Many spammers publish SPF valid record
> By the way, my recollection is the undersea regenerators do purely optical
> regeneration.
> There is no O-E conversions undersea, only at the landing stations and
> terrestrial components.
I'm not clever enough to know of some way that you could do optical
regeneration without converting the
On 10/4/2010 10:05, Nathan Eisenberg wrote:
> http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
>
> "
> Whois traffic has been going through the roof; they
> added more proxies in front to support it.
> Apparently, there's IP management packages that do
> whois queries. It would
On 10/04/2010 10:05 AM, John Adams wrote:
We've seen percentage gains when signing with DK, and we carefully
monitor our mail acceptance percentages with ReturnPath. It's around
4-6%. I'd like to stop using it, but some people still check DK.
Sigh. I was hoping not to hear that. It's been about
> If it passes SPF we remove a few points of the spam weight.
I would rethink this practice. Many spammers publish SPF valid records these
days precisely because of this.
Nathan
Hi Frank,
Yes it does include all the O-E conversions. By the way, my recollection is the
undersea regenerators do purely optical regeneration. There is no O-E
conversions undersea, only at the landing stations and terrestrial components.
Since the system is just in the planning stage, the la
it was the backscatter they were referring to, where spammers forge your domain
as the source of the email.
Thanks John for your comments,
-g
On Oct 4, 2010, at 12:54 PM, John Adams wrote:
> Without proper SPF records your mail stands little chance of making it
> through some of the large
http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
"
Whois traffic has been going through the roof; they
added more proxies in front to support it.
Apparently, there's IP management packages that do
whois queries. It would be good to find out who is
doing it, and talk to ARIN engi
We've seen percentage gains when signing with DK, and we carefully
monitor our mail acceptance percentages with ReturnPath. It's around
4-6%. I'd like to stop using it, but some people still check DK.
-j
On Mon, Oct 4, 2010 at 10:02 AM, Michael Thomas wrote:
> On 10/04/2010 09:54 AM, John Adams
On Mon, Oct 04, 2010 at 12:47:52PM -0400, Greg Whynott wrote:
>
> A partner had a security audit done on their site. The report said they were
> at risk of a DoS due to the fact they didn't have a SPF record.
that does not follow at all.
>
> I commented to his team that the SPF ide
Hi,
Earlier today, Geoff Huston presented the following at NANOG 50 in
Atlanta: Background Radiation in IPv6.
You can read the full story now on RIPE Labs:
https://labs.ripe.net/Members/mirjam/background-radiation-in-ipv6
Kind Regards,
Mirjam Kuehne
RIPE NCC
On 10/04/2010 09:54 AM, John Adams wrote:
Without proper SPF records your mail stands little chance of making it
through some of the larger providers, like gmail, if you are sending
in any high volume. You should be using SPF, DK, and DKIM signing.
There should really be no reason to sign with
We use SPF. Lots of the bigger guys require it. Along with DK/DKIM
signing.
In our spam weight based filtering, if it hardfails it drops it,
softfail(no spf record) we don't add or remove points at all. If it passes
SPF we remove a few points of the spam weight.
Nick Olsen
Network Operations
(8
For those who might care, I've put version 1.0 of
my notes from the morning session up at
http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
and I bounced apache on the box, since it seemed to have gotten
hung--sorry about that, for those who were puzzled at the timing
out URL from
Without proper SPF records your mail stands little chance of making it
through some of the larger providers, like gmail, if you are sending
in any high volume. You should be using SPF, DK, and DKIM signing.
I don't really understand how your security company related SPF to DoS
though. They're unre
> how many of you are using SPF records? Do you have an opinion on their
> use/non use of?
We use SPF on most client domains. On inbound filtering, we add no score for a
lack of SPF record, and we reject mail if the SPF record hardfails. We've seen
it reduce domain-imposter spam. It's not t
A partner had a security audit done on their site. The report said they were
at risk of a DoS due to the fact they didn't have a SPF record.
I commented to his team that the SPF idea has yet to see anything near mass
deployment and of the millions of emails leaving our environment yearly,
Here's my notes from the community meeting from last night;
sorry about being a bit late with them, the meeting ran long,
and we dashed straight out from it to the social, which had
already started by the time we wrapped up. ^_^;;
Apologies for any typos still in the notes, I did a quick
proofread
On Mon, 4 Oct 2010, Curtis Maurand wrote:
On 10/2/2010 7:23 PM, Franck Martin wrote:
How long do you keep a router in production?
What is your cycle for replacement of equipment?
For a PC, you usually depreciate it over 3 years, and can make it last 5
years, but then you are stretching the f
>>
>> No... I'm saying that if ISPs aren't the only entities that hold their
>> private keys, then they aren't the only entities that can sign their
>> resources.
>
> The hosted system that we created uses Hardware Signing Modules (HSM)
> for generating keys and signing operations. By design it i
>
>> I'll go a step further and say that the resource holder should be
>> the ONLY holder of the private key for their resources.
>>
>> Owen
>
> If you're saying that ISPs can only participate in an RPKI scheme if they
> run their own Certificate Authority, then I think that would practically
>
The thread got a bit torn apart due to some cross posting, so here are
Randy and Owen's replies to keep it all together:
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
Do you think there is value in creating a system like this?
yes. though, given issues of errors and deliberate falsifications
On 10/2/2010 7:23 PM, Franck Martin wrote:
How long do you keep a router in production?
What is your cycle for replacement of equipment?
For a PC, you usually depreciate it over 3 years, and can make it last 5 years,
but then you are stretching the functionality, especially if you upgrade the
On Mon, October 4, 2010 04:38, Owen DeLong wrote:
>
> On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
>
>>> Do you think there is value in creating a system like this?
>>
>> yes. though, given issues of errors and deliberate falsifications, i am
>> not entirely comfortable with the whois/bgp combo b
Hi Alex,
We are trying to tackle a similar problem with the RADB. The approach we have
taken is to build into the object management web portal an alerting system that
provides alerts to a user when there is a mismatch between what is in the IRR
and what is observed in BGP. Right next to
And here is my reply to them...
On Mon, October 4, 2010 04:38, Owen DeLong wrote:
On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
Do you think there is value in creating a system like this?
yes. though, given issues of errors and deliberate falsifications, i am
not entirely comfortable wi