On Wed, Jan 5, 2011 at 11:46 PM, Joel Jaeggli wrote:
> On 1/5/11 10:36 PM, Dobbins, Roland wrote:
>>
>> On Jan 6, 2011, at 1:26 PM, Joe Greco wrote:
>>
>>> A bunch of very smart people have worked on IPv6 for a very long
>>> time, and justification f
On Jan 6, 2011, at 1:51 PM, Joe Greco wrote:
> There are numerous parallels between physical and electronic security.
> Let's just concede that for a moment.
I can't, and here's why:
1. In the physical world, attackers run a substantial risk of being
caught, and of tangible, severe penalt
On Jan 6, 2011, at 2:42 PM, Joel Jaeggli wrote:
> icmp6 rate limiting both receipt and origination is not rocket science.
But it's *considerably* more complex and has far more potential implications
than ICMP rate-limiting in IPv4 (which in and of itself is more complex and has
more implicati
On 1/5/11 10:36 PM, Dobbins, Roland wrote:
>
> On Jan 6, 2011, at 1:26 PM, Joe Greco wrote:
>
>> A bunch of very smart people have worked on IPv6 for a very long
>> time, and justification for /64's was hashed out at extended
>> length over the period of years.
>
> Very smart people can and do c
On 1/5/11 11:03 PM, Matthew Petach wrote:
> On Wed, Jan 5, 2011 at 10:51 PM, Joe Greco wrote:
> Hi Joe,
>
> I think what people are trying to say is that it doesn't matter whether
> or not your host is easily findable or not, if I can trivially take out your
> upstream router. With your upstream
On Jan 5, 2011, at 8:43 PM, Christopher Morrow wrote:
> pls express this to your local BoT or AC or ARIN Rep... see the other thread.
As I am not an ARIN member nor do I have any ARIN-delegated resources, it isn't
clear to me who my local BoT/AC/ARIN Rep might be. However, as I'm aware some
of
On Jan 6, 2011, at 2:03 PM, Matthew Petach wrote:
> I think what people are trying to say is that it doesn't matter whether or
> not your host is easily findable or not, if I can trivially take out your
> upstream router.
That's part of it - the other part is that the host will be found, irresp
On Wed, Jan 5, 2011 at 10:51 PM, Joe Greco wrote:
>> On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
...
> To say that "the endpoint *will be found*" is a truism, in the same
> way that a bank *will* be robbed. You're not trying to guarantee that
> it will never happen. You're trying to *deter* th
> On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
>
> > Generally speaking, security professionals prefer for there to be more
> > roadblocks rather than fewer.
>
> The soi-disant security 'professionals' who espouse layering unnecessary
> multiple, inefficient, illogical, and iatrogenic road
On Wed, Jan 5, 2011 at 10:36 PM, Dobbins, Roland wrote:
>
> On Jan 6, 2011, at 1:26 PM, Joe Greco wrote:
>
>> A bunch of very smart people have worked on IPv6 for a very long time,
>> and justification for /64's was hashed out at extended length over
We use it for some of our juice bar operations but we buy the service from
Sprint. We have been very happy with the service.
Cheers
Ryan
-Original Message-
From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com]
Sent: Wednesday, January 05, 2011 5:16 PM
To: nanog@nanog.org
Subjec
> I heard about the delay, but not about ARIN possibly not doing RPKI.
there are arin board members, one in particular i am told, that do not
like the rpki. including side contracts to turn the irr pig's ear into
a silk purse.
randy
On Thu, Jan 6, 2011 at 1:21 AM, David Conrad wrote:
> On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
>> i have a rumor that arin is delaying and possibly not doing rpki that
>> seems to have been announced on the ppml list (to which i do not
>> subscribe).
>
> I heard about the delay, but not abou
On Jan 6, 2011, at 1:26 PM, Joe Greco wrote:
> A bunch of very smart people have worked on IPv6 for a very long time, and
> justification for /64's was hashed out at extended length
> over the period of years.
Very smart people can and do come up with bad ideas, and IPv6 is a textbook
example
> On Thu, Jan 6, 2011 at 12:17 AM, Joe Greco wrote:
> > However, that's not the only potential use! A client that initiates
> > each new outbound connection from a different IP address is doing
> > something Really Good.
>
> No, Joe, it is not doing anything Good. This would require the
> s
On Thu, Jan 6, 2011 at 12:54 AM, Joe Greco wrote:
> I'm starting off with the assumption that knowledge of the host
> address *might* be something of value. If it isn't, no harm done.
> If it is, and the address becomes virtually impossible to find, then
> we've just defeated an attack, and it's
On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe).
I heard about the delay, but not about ARIN possibly not doing RPKI. That would
be ... surprisi
thanks to all who replied, my family really enjoyed it.
- Original Message -
From: "JC Dill"
Cc: "NANOG list"
Sent: Wednesday, December 22, 2010 3:13 AM
Subject: Re: Holiday Songs
>
>
> Network Working Group B. Hancock
> Request for Comments:
On Wed, Jan 5, 2011 at 9:55 PM, Mark Andrews wrote:
>
> In message , Cameron Byrne writes:
>> As long as dual-stack is around, the app vendors don't have to move
>> and network guys have to dream up hacks to support these legacy apps
>> (CGN ).
>
> NAT64 is CGN especially when it is bein
On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
> Generally speaking, security professionals prefer for there to be more
> roadblocks rather than fewer.
The soi-disant security 'professionals' who espouse layering unnecessary
multiple, inefficient, illogical, and iatrogenic roadblocks in pref
> From: Joe Greco
> Date: Wed, 5 Jan 2011 21:27:14 -0600 (CST)
>
> >
> > On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco wrote:
> > >> > This is a much smaller issue with IPv4 ARP, because routers generally
> > >> > have very generous hardware ARP tables in comparison to the typical
> > >> > size of
In message , Cameron Byrne writes:
> As long as dual-stack is around, the app vendors don't have to move
> and network guys have to dream up hacks to support these legacy apps
> (CGN ).
NAT64 is CGN especially when it is being implemented by the cellular
carriers.
> Cameron
>
> >
> > Matth
>
> On Jan 6, 2011, at 12:17 PM, Joe Greco wrote:
>
> > If you don't understand the value of such an increase in magnitude,
>
> I can count as well as you can, I assure you.
>
> > I invite you to switch all your ssh keys to 56 bit.
>
> The difference is that if someone compromises/brute-forces
On Thu, Jan 6, 2011 at 12:17 AM, Joe Greco wrote:
> However, that's not the only potential use! A client that initiates
> each new outbound connection from a different IP address is doing
> something Really Good.
No, Joe, it is not doing anything Good. This would require the
software being writ
On Jan 6, 2011, at 12:17 PM, Joe Greco wrote:
> If you don't understand the value of such an increase in magnitude,
I can count as well as you can, I assure you.
> I invite you to switch all your ssh keys to 56 bit.
The difference is that if someone compromises/brute-forces one of my ssh keys,
On Wed, Jan 5, 2011 at 9:10 PM, Matthew Kaufman wrote:
> On 1/5/2011 8:47 PM, Cameron Byrne wrote:
>>
>> And, you will notice that the list at
>> http://groups.google.com/group/ipv4literals shows only a few web sites,
>> because there are only a few that have this design flaw.
>
> And the list loo
In message , Cameron Byrne writes:
> On Wed, Jan 5, 2011 at 8:31 PM, Mark Andrews wrote:
> >
> > In message , Cameron Byrne writes:
> >> On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland wrote:
> >> >
> >> > On Jan 6, 2011, at 9:38 AM, ML wrote:
> >> >
> >> >> At least not without som
On Jan 5, 2011, at 7:04 AM, Jack Bates wrote:
> On 1/5/2011 6:29 AM, Dobbins, Roland wrote:
>>
>> Using /64s is insane because a) it's unnecessarily wasteful (no
>> lectures on how large the space is, I know, and reject that argument
>> out of hand) and b) it turns the routers/switches into sink
Is there any reason we really need to care what size other people use for their
Point to Point links?
Personally, I think /64 works just fine.
I won't criticize anyone for using it. It's what I choose to use.
However, if someone else wants to keep track of /112s, /120s, /124s, /126s, or
even /
On Jan 5, 2011, at 10:31 PM, Mark Andrews wrote:
>
> Which is one of the reasons why DS-lite is a better solution for
> providing legacy access to the IPv4 Internet than NAT64/DNS64.
> DS-lite only breaks what NAT44 breaks. DS-lite doesn't break new
> things.
>
Or just run a dual-stack network
> I think ACLs here means prefix-lists ... or I hope that's what Randy
> meant?
sorry. yes, irr based prefix lists. and, sad to say, data which have
sucked for 15+ years. i was the poster child for the irr, and it just
never took off.
[ irr data are pretty bad except for some islands where the
> > It has nothing to do with "security by obscurity".
>
> You may wish to re-read what Joe was saying - he was positing sparse
> addressing as a positive good because it will supposedly make it more
> difficult for attackers to locate endpoints in the first place, i.e.,
> security through o
>> actually, the formal rpki-based origin-validation stuff is measured
>> to take *less* cpu, a lot less, than ACLs
> On the platforms which really matter in terms of rPKI, ACLs are
> handled in hardware, so this is pretty much a wash.
really? it was measured on a GSR. full check on a prefix, 10
On 1/5/2011 8:47 PM, Cameron Byrne wrote:
And, you will notice that the list at
http://groups.google.com/group/ipv4literals shows only a few web sites,
because there are only a few that have this design flaw.
And the list looks like it does because the list only shows a *few* web
sites. Other s
>Still, the idea that "nobody will scan a /64" reminds me of the days
>when 640K ought to be enough for anybody, ...
We really need to wrap our heads around the orders of magnitude
involved here. If you could scan an address every nanosecond, which I
think is a reasonable upper bound what with th
On Wed, Jan 5, 2011 at 8:31 PM, Mark Andrews wrote:
>
> In message , Cameron Byrne writes:
>> On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland wrote:
>> >
>> > On Jan 6, 2011, at 9:38 AM, ML wrote:
>> >
>> >> At least not without some painful rebuilds of critical systems which
>> >> have the
Lenny Giuliano of Juniper (IETF MBONED co-chair) has written an article in
Network World that I thought NANOGers might be interested in:
http://www.networkworld.com/news/tech/2011/010511-tech-update-next-gen-tv.html
He clearly describes the need for multicast in the upcoming video-centric
Int
On Wed, Jan 5, 2011 at 11:30 PM, Dobbins, Roland wrote:
>
> On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
>
>> actually, the formal rpki-based origin-validation stuff is measured to take
>> *less* cpu, a lot less, than ACLs
>
> On the platforms which really matter in terms of rPKI, ACLs are hand
In message , Cameron Byrne writes:
> On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland wrote:
> >
> > On Jan 6, 2011, at 9:38 AM, ML wrote:
> >
> >> At least not without some painful rebuilds of critical systems which
> >> have these IPs deeply embedded in their configs.
> >
> > They shouldn't be
On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
> actually, the formal rpki-based origin-validation stuff is measured to take
> *less* cpu, a lot less, than ACLs
On the platforms which really matter in terms of rPKI, ACLs are handled in
hardware, so this is pretty much a wash.
Concur on all t
On Jan 6, 2011, at 11:21 AM, Jeff Kell wrote:
> I hesitate to write anything off to impossibility, having witnessed the 8 to
> 16 to 32 to 64-bit processor progression :)
Indeed; how quickly we forget, eh?
;>
> And the "depth" of infrastructure at which you can decide the traffic is
> bogus i
On Jan 6, 2011, at 11:16 AM, George Bonser wrote:
> I thought the entire notion of actually getting to a host was orthogonal to
> the discussion as that wasn't the point. It wasn't about
> exploitation of anything on the host, the discussion was about the act of
> scanning a network itself bei
On Wed, Jan 5, 2011 at 7:51 PM, Richard A Steenbergen wrote:
> On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
>> Friends and colleagues,
>>
>> At NANOG 48 I talked about a community flow-spec service we were
>> looking at trying to make work. This is the idea of using IETF RFC
>>
On Wed, Jan 5, 2011 at 11:16 PM, Randy Bush wrote:
>> We need at least these things to exist:
>> o an accurate mapping of resource (netblock/asn) to
>> authorized-entity (RIR/NIR/LIR/Customer/...)
>> o a system to manage this data for our routing equipment
>
> see all the sidr documents in
On 1/5/2011 10:18 PM, Dobbins, Roland wrote:
> This whole focus on sparse addressing is just another way to tout
> security-by-obscurity. We already know that security-by-obscurity is a
> fundamentally-flawed concept, so it doesn't make sense to try and keep
> rationalizing it in various domain
>
> I've understood the problem for years, thanks, and have commented on it
> in other portions of this thread, as well as in many earlier threads
> around this general set of issues - and it's completely orthogonal to
> this particular discussion.
I suppose what confused me was this:
"
I don't b
> We need at least these things to exist:
> o an accurate mapping of resource (netblock/asn) to
> authorized-entity (RIR/NIR/LIR/Customer/...)
> o a system to manage this data for our routing equipment
see all the sidr documents in last call to go from i-ds to rfcs. oh,
you co-chair sidr
On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland wrote:
>
> On Jan 6, 2011, at 9:38 AM, ML wrote:
>
>> At least not without some painful rebuilds of critical systems which have
>> these IPs deeply embedded in their configs.
>
> They shouldn't be using IP addresses in configs, they should be using
Sorry for the subject change, it seems now we're talking about
something perhaps more relevant to me (security and routing stuff)
On Wed, Jan 5, 2011 at 5:32 PM, Randy Bush wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml li
- Original Message -
> From: "Jo Rhett"
> On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
> > Have you tried 611 (from an AT&T land-line phone)?
>
> Many people don't have one. I haven't had one for over 12 years now,
> nor have any of my employers for the last 8 years.
For what its w
On Jan 6, 2011, at 10:42 AM, George Bonser wrote:
> It will be a problem if people learn they can DoS routers by doing it by
> maxing out the neighbor table.
I understand this - that's a completely separate issue from the supposed
benefits of sparse addressing for endpoint host security.
> I
> From: Dobbins, Roland
> Sent: Wednesday, January 05, 2011 7:19 PM
> To: Nanog Operators' Group
> Subject: Re: NIST IPv6 document
>
>
> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>
> I don't believe that host-/port-scanning is as serious a problem as you
> seem to think it is, nor do I thin
>
> On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco wrote:
> >> > This is a much smaller issue with IPv4 ARP, because routers generally
> >> > have very generous hardware ARP tables in comparison to the typical
> >> > size of an IPv4 subnet.
> >>
> >> no it isn't, if you've ever had your juniper router
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
> Packing everything densely is an obvious problem with IPv4; we learned early
> on that having a 48-bit (32 address, 16 port) space to scan made
> port-scanning easy, attractive, productive, and commonplace.
I don't believe that host-/port-scanning
> > The switch from IPv4 to IPv6 itself is such a change; it renders random
> > trolling through IP space much less productive.
>
> And renders hinted trolling far more productive/necessary, invariably
> leading to increased strain on already-brittle/-overloaded DNS, whois,
> route servers, et
You didn't mention, but are you introducing a second border router? Is
the new upstream circuit from a new provider, or is it a second,
redundant circuit to the same provider in a different POP? Does your
customer have their own portable address space, or are they using
provider address space?
I'l
The devil's in the details (obviously), and someone that reads into the
scenario better than me might have a more direct suggestion, but...
I'd start by moving the NAT at least one hop into the AS so that routing
symmetry can be enforced there. This allows for multi-homing (asymmetric
routing at
On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco wrote:
>> > This is a much smaller issue with IPv4 ARP, because routers generally
>> > have very generous hardware ARP tables in comparison to the typical
>> > size of an IPv4 subnet.
>>
>> no it isn't, if you've ever had your juniper router become unavail
On Jan 6, 2011, at 9:38 AM, ML wrote:
> At least not without some painful rebuilds of critical systems which have
> these IPs deeply embedded in their configs.
They shouldn't be using IP addresses in configs, they should be using DNS
names. Time to bite the bullet and get this fixed prior to
I've got a customer that is looking to multihome with upstreams in two
POPs. Currently they multihome in one POP and utilize a single edge
router for some one to one NAT and some PAT for their users.
Before they turn up the BGP peer in the new POP I've advised them to
abolish NAT once and for
On Jan 6, 2011, at 8:57 AM, Joe Greco wrote:
> The switch from IPv4 to IPv6 itself is such a change; it renders random
> trolling through IP space much less productive.
And renders hinted trolling far more productive/necessary, invariably leading
to increased strain on already-brittle/-overloa
> > This is a much smaller issue with IPv4 ARP, because routers generally
> > have very generous hardware ARP tables in comparison to the typical
> > size of an IPv4 subnet.
>
> no it isn't, if you've ever had your juniper router become unavailable
> because the arp policer caused it to start igno
On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
> Friends and colleagues,
>
> At NANOG 48 I talked about a community flow-spec service we were
> looking at trying to make work. This is the idea of using IETF RFC
> 5575 to pass around flow-based rules, in this case, primarily for
>
On Wed, Jan 05, 2011 at 04:15:43PM -0600, Brandon Galbraith wrote:
> Is anyone using Clearwire/Clear's wireless broadband offering for stationary
> branch offices/remote equipment monitoring? Looking for results/experiences
> off-list. We're looking at it for industrial telemetry, and have spoken t
> There
> appears to be zero interest in their business model to accommodate the
> enterprise.
In my own personal experience, there appears to be zero interest in their
business model to accommodate the CUSTOMER.
They go on and on about how their frequency-space gives them a competitive
advanta
My coworker has a total of 6 hours into calling each and every Clear number
that is publicly facing and has yet to reach a person that even understands
the question. We have boiled it down to the Clear business model is designed
merely to sell you the generic modem and have a nice day. There a
On Wed, 5 Jan 2011, tico wrote:
Is anyone using Clearwire/Clear's wireless broadband offering for
Me too! I'd love to hear from anyone that's used it extensively.
I haven't in a few years (I worked for someone who thought of themselves
as a clearwire competitor), but we replaced a bunch of
Friends and colleagues,
At NANOG 48 I talked about a community flow-spec service we were
looking at trying to make work. This is the idea of using IETF RFC
5575 to pass around flow-based rules, in this case, primarily for
dropping unwanted packets.
This technology is not as widely deployed as tr
> Is anyone using Clearwire/Clear's wireless broadband offering for
> stationary
> branch offices/remote equipment monitoring? Looking for
> results/experiences
> off-list. Curious as to reliability, link performance, and support
> quality.
Me too! I'd love to hear from anyone that's used it exten
On Jan 6, 2011, at 1:14 AM, Jeff Wheeler wrote:
> A stateful firewall on every router interface has been suggested already on
> this thread. It is unrealistic.
It isn't just unrealistic, it's highly undesirable, since it represents a huge
DoS state vector.
--
On Jan 6, 2011, at 1:02 AM, TJ wrote:
> if you are permitting external hosts the ability to scan your internal
> network in an unrestricted
> fashion
DCN aside, how precisely does one define 'internal network' in, say, the
context of the production network of a broadband access SP, or
hostin
> 1) If ARIN doesn't provide the level of authentication you desire, as
> an ARIN member you should send a note to ppml each day until it's
> available
this is not address policy. this is ops. surely one does not have to
dirty one's self with the ppml list to get an ops fix done in arin. it
is
Is anyone using Clearwire/Clear's wireless broadband offering for stationary
branch offices/remote equipment monitoring? Looking for results/experiences
off-list. We're looking at it for industrial telemetry, and have spoken to
people using ATT and VZW who are doing the same, but we wanted to look
On 4 Jan 2011, at 3:29, Iljitsch van Beijnum wrote:
[...]
> Note that I slightly changed the way addresses are counted: previously, all
> the legacy blocks that didn't have an RIR listed were assumed to be used
> 100%. But with the return of most of the Interop block this is no longer the
> ca
On Jan 3, 2011, at 1:04 55PM, Ken Chase wrote:
> I have two independent mailservers, and two other customers that run their own
> servers, all largely unrelated infrastructures and target domains, suddenly
> experiencing low levels of spam.
>
> Total emails/day dropping from some 175,000-250,000
On 1/5/2011 10:02, TJ wrote:
>
> Many would argue that the version of IP is irrelevant, if you are permitting
> external hosts the ability to scan your internal network in an unrestricted
> fashion (no stateful filtering or rate limiting) you have already lost, you
> just might not know it yet.
>
On Wed, Jan 5, 2011 at 1:02 PM, TJ wrote:
> Many would argue that the version of IP is irrelevant, if you are permitting
> external hosts the ability to scan your internal network in an unrestricted
> fashion (no stateful filtering or rate limiting) you have already lost, you
How do you propose t
> All the same, beware of the anycast addresses if you want to use a smaller
> block for point-to-point and for LANs, you break stateless autoconfig and
> very likely terminally confuse DHCPv6 if your prefix length isn't /64.
Breaking stateless autoconfig such that it *cannot* ever work, on my
r
>
> IPv4) I can scan your v4 subnet, let's say it's a /24, and your router
> might send 250 ARP requests and may even add 250 "incomplete" entries
> to its ARP table. This is not a disaster for that LAN, or any others.
> No big deal. I can also intentionally send a large amount of traffic
> to u
Jeff Wheeler (jsw) writes:
> are badly needed. The largest current routing devices have room for
> about 100,000 ARP/NDP entries, which can be used up in a fraction of a
> second with a gigabit of malicious traffic flow. What happens after
> that is the problem, and we need to tell our vendors wh
On Wed, Jan 5, 2011 at 12:26 PM, Phil Regnauld wrote:
> Jeff Wheeler (jsw) writes:
>> Not good, but also does not affect any other interfaces on the router.
> You're assuming that all routing devices have per-interface ARP tables.
No, Phil, I am assuming that the routing device has a large
On 01/05/2011 09:11 AM, Jo Rhett wrote:
> On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
>> Have you tried 611 (from an AT&T land-line phone)?
>
> Many people don't have one. I haven't had one for over 12 years now, nor
> have any of my employers
On 2011-01-05, at 12:31, Jared Mauch wrote:
> 2) If you DEPEND on something for your business, it may just be "worth it" to:
> a) pay RADB who operates professionally
> b) use your ISP provided IRR (eg: NTT, level3, savvis, etc)
I generally recommend that people use the RIPE database, regardl
> IPv6) I can scan your v6 /64 subnet, and your router will have to send
> out NDP NS for every host I scan. If it requires "incomplete" entries
> in its table, I will use them all up, and NDP learning will be broken.
> Typically, this breaks not just on that interface, but on the entire
> router
On Jan 5, 2011, at 12:15 PM, Jay Coley wrote:
> On 05/01/2011 17:09, Craig Pierantozzi wrote:
>> On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
>>
>> [snip]
>>
>>> Can anyone from Level3 say how this will impact customer BGP filters. Will
>>> L3 keep working with the last data sync they got from
On 1/5/2011 11:19 AM, Jeff Wheeler wrote:
IPv6) I can scan your v6 /64 subnet, and your router will have to send
out NDP NS for every host I scan. If it requires "incomplete" entries
in its table, I will use them all up, and NDP learning will be broken.
Typically, this breaks not just on that
>So has anyone had any contact from ALTDB as to what's going on?
>Thanks!
>--J
I just got off the phone with Steve Rubin. He restarted it 45 minutes ago
and it's back up.
Regards,
Randy
Jeff Wheeler (jsw) writes:
>
> IPv4)
[...]
> Not good, but also does not affect any other interfaces on the router.
You're assuming that all routing devices have per-interface ARP tables.
> IPv6)
> Typically, this breaks not just on that interface, but on the entire
> router
On Wed, Jan 5, 2011 at 12:04 PM, Joel Jaeggli wrote:
> no it isn't, if you've ever had your juniper router become unavailable
> because the arp policer caused it to start ignoring updates, or seen
> systems become unavailable due to an arp storm you'd know that you can
> abuse arp on a rather smal
On 05/01/2011 17:09, Craig Pierantozzi wrote:
> On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
>
> [snip]
>
>> Can anyone from Level3 say how this will impact customer BGP filters. Will
>> L3 keep working with the last data sync they got from altdb?
>
> Yes, Level 3 will continue to use the last
On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
> Have you tried 611 (from an AT&T land-line phone)?
Many people don't have one. I haven't had one for over 12 years now, nor have
any of my employers for the last 8 years.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, ope
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
[snip]
> Can anyone from Level3 say how this will impact customer BGP filters. Will L3
> keep working with the last data sync they got from altdb?
Yes, Level 3 will continue to use the last data mirrored and archived. New
filters are not pushed dail
On Wed, Jan 5, 2011 at 11:26 AM, Jon Lewis wrote:
>> Anyone here use AltDB? It seems their servers have been down for two days.
> Can anyone from Level3 say how this will impact customer BGP filters. Will
> L3 keep working with the last data sync they got from altdb? I'm guessing
Since Level3 up
On 1/5/11 8:49 AM, Jeff Wheeler wrote:
> On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum
> wrote:
>>> that a lot of smart people agree is a serious design flaw in any IPv6
>>> network where /64 LANs are used
>>
>> It's not a design flaw, it's an implementation flaw. The same one that's in
We use Ahsay online backup server
(http://www.ahsay.com/jsp/en/home/index.jsp). I've been very happy with it.
- Original Message -
> From: "Richard Zheng"
> To: nanog@nanog.org
> Sent: Tuesday, January 4, 2011 9:02:23 PM
> Subject: online backup software vendor
> Hi,
>
> We are loo
Asigra is a great product, however branding isn’t possible from what I know of
the solution. We use Asigra through a partner, and when well managed it is a
GREAT solution, however it can easily spin out of control if someone doesn't
keep on top of it. Randy if you are looking for a little more
On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum wrote:
>> that a lot of smart people agree is a serious design flaw in any IPv6
>> network where /64 LANs are used
>
> It's not a design flaw, it's an implementation flaw. The same one that's in
> ARP (or maybe RFC 894 wasn't published on april
Does anyone have any comments on any of these solutions being easily managed
for end users? We need something that is easy for the customers to install and
configure, and is centrally managed. It would also be very nice if it could be
fully branded (the one thing that Vembu does well)
thanks,
[moved to nanog as it seems a far more appropriate forum than cisco-nsp]
On Wed, 5 Jan 2011, Jose Madrid wrote:
Anyone here use AltDB? It seems their servers have been down for two days.
I have emailed their admin alias but have gotten nothing. Anyone?
whois -h whois.altdb.net 199.48.252.0
[Qu
Randy Bush (randy) writes:
> borked vmware boot, reset says no opsys found. it's a 4.0 system.
>
> can i do recovery (saving vmfs) using 4.1 cd, or must i use 4.0?
Yes, it will work for accessing the vmfs, at the very least.
Phil