> Based on this draft the recommended preference order is:
>
> 1) Validation ok
> 2) not found
> 3) Validation nok
>
> Suppose an operator would use local-pref to achieve this.
> This intention (preferring validated routes) will break, when there's a
> more specific announcement that doesn't val
On Sun, 30 Jan 2011, Matthew Petach wrote:
Even without completely overflowing the ND cache, informal lab testing
shows that a single laptop on a well-connected network link can send
sufficient packets at a very-large-scale backbone router's connected /64
subnet to keep the router CPU at 90%,
Carlos,
On Sun, Jan 30, 2011 at 9:22 PM, Carlos Martinez-Cagnazzo
wrote:
> Hi,
>
> this is the second mention I see of RPKI and Egypt in the same
> context. I sincerely fail to see the connection between both
> situations.
>
It is quite simple actually.
1. Governments (eventually) want to take
- Original Message -
> From: "Benson Schliesser"
> To: "andrew.wallace"
> Cc: nanog@nanog.org
> Sent: Saturday, 29 January, 2011 2:47:42 PM
> Subject: Re: Connectivity status for Egypt
> On Jan 28, 2011, at 1:44 PM, andrew.wallace wrote:
>
> > We should be asking the Egyptians to stagg
> From: Alex Band
> Date: Sun, 30 Jan 2011 11:39:36 +0100
>
> I think my question is very pertinent. Of course the number of signed
> prefixes directly influences the number of validators. Do you think
> the RIPE NCC Validator tool would have been downloaded over 100 times
> in the last month if
In message <00bd3d23-12d6-4bb6-882f-3ccae2a67...@delong.com>, Owen DeLong
writes:
> Is it my imagination, or, is the list replaying messages from several
> days ago?
Yes. Yet another person using microsoft's pickup service and
reinjecting the email using the To and Cc headers from the email
r
Is it my imagination, or, is the list replaying messages from several days ago?
Owen
On Jan 28, 2011, at 4:07 PM, John Payne wrote:
>
>
> On Jan 26, 2011, at 4:52 PM, Charles N Wyble wrote:
>
>> Comcast is currently conducting trials:
>> http://comcast6.net/ (anyone participated in this?)
>
> Yes, and other than the fact that their 6rd implementation only gives me a
> /64,
Write the RFPs asking for L3 -- I don't think they're asking for L3.
Frank
-Original Message-
From: Cameron Byrne [mailto:cb.li...@gmail.com]
Sent: Sunday, January 30, 2011 2:55 PM
To: Mikael Abrahamsson
Cc: nanog@nanog.org
Subject: Re: EPC backhaul networks
On Sun, Jan 30, 2011 at 12:5
Hi, Matthew,
On 30/01/2011 08:17 p.m., Matthew Petach wrote:
>>> The problem I see is the opening of a new, simple, DoS/DDoS scenario.
>>> By repetitively sweeping a targets /64 you can cause EVERYTHING in
>>> that /64 to stop working by overflowing the ND/ND cache, depending on
>>> the specific N
Hi,
this is the second mention I see of RPKI and Egypt in the same
context. I sincerely fail to see the connection between both
situations.
Egypt cut their links the old fashioned way: they pulled the plug. I
fail to see how such a situation could be made worse by RPKI. It
simply has nothing to d
.-- My secret spy satellite informs me that at 11-01-30 1:22 PM Randy
Bush wrote:
So, what are people's routing policies on RPKI going to be? Are people
going to drop prefixes with no RPKI record? Or drop prefixes with an
incorrect RPKI record? Or drop prefixes with a revoked status?
draft-
I had an issue on the 28xx with a static NAT that just stopped working. The
router would not publish the MAC for the nat entry. I removed the NAT entry
and reapplied - and magically it worked again.
On Sat, Jan 29, 2011 at 10:05 PM, Jack Bates wrote:
> On 1/29/2011 8:47 PM, ML wrote:
>
>> I just
Can whoever is at NEXTAG.COM please fix the pickup service to
not use the To and Cc lines when re-injecting email.
IT DOES NOT WORK. IT JUST CAUSES MAIL LOOPS.
Received: from mail pickup service by corpmail5.corp.nextag.com with Microsoft
SMTPSVC; Sun, 30 Jan 2011 17:10:55 -0800
--
Mar
On 2011-01-29 00:29, Blake Hudson wrote:
> Does this site have an record? If so, my DNS does not pick it up.
ipv6-test.com itself does not, and that would be 'bad' also as then when
somebody has an IPv6 stack but broken connectivity they would not be
able to reach that site.
From the oh so
On Sun, Jan 30, 2011 at 12:40 PM, Owen DeLong wrote:
> Because they publish data you have signed. They don't have the ability
> to modify the data and then sign that modification as if they were you if
> they aren't holding the private key. If they are holding the private key,
> then, you have, in
PLANNED IN-ADDR.ARPA NAMESERVER CHANGE
This is a courtesy notification of an upcoming change to the
nameserver set for the IN-ADDR.ARPA zone.
There is no expected impact on the functional operation of the DNS
due to this change.
There are no actions required by DNS server operators or end users.
> I would hope the response to the USG pressuring ARIN to diddle the RPKI
> db would be disabling of RPKI queries by most BGP speakers.
no need. break down, take a break from typing, and actually read
draft-ietf-sidr-rpki-origin-ops-04.txt
On 1/30/2011 4:53 PM, Brandon Butterworth wrote:
I think it is too early in the deployment process to start dropping
routes based on RPKI alone. We'll get there at some point, I guess.
Do we really *want* to get to that point?
I thought that was the point and the goal of securing the routing
My hastily-jotted notes from tonight's community meeting
have been posted to
http://kestrel3.netflight.com/2011.01.30-NANOG51-community-meeting.txt
(though it was so fast, and so non-controversial, with no
input from the audience to speak of, i almost felt silly for
taking notes. ^_^;; )
Matt
On Tue, Jan 25, 2011 at 10:26 PM, Fernando Gont wrote:
> On 24/01/2011 07:41 p.m., Michael Loftis wrote:
>
>>> Many cite concerns of potential DoS attacks by doing sweeps of IPv6
>>> networks. I don't think this will be a common or wide-spread problem.
>>> The general feeling is that there is si
On Jan 30, 2011, at 12:55 PM, Cameron Byrne wrote:
> On Sun, Jan 30, 2011 at 12:52 PM, Mikael Abrahamsson wrote:
>> On Sun, 30 Jan 2011, Cameron Byrne wrote:
>>
>>> The only way to reach 2000 cell sites in Chicago with 100megs of Ethernet
>>> handoff is with L2 metroE. There is not a feasible
In message <4d457f0e.7070...@consolejunkie.net>, Leen Besselink writes:
> Hello Carlos,
>
> On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote:
> > What I just don't get if, we as a society, have created institutions
> > we trust with our *money* (AKA banks), why there can't be institutions
>
On Sun, Jan 30, 2011 at 5:08 PM, Jack Bates wrote:
> Just a simple, if route invalidly signed, drop it.
What constitutes an invalidly signed route more exactly?
Would a signed route by a signer (ISP) whose status has been revoked
by an entity in the RPKI-hierarchy-of-trust above (for whatever
rea
I work for a MSO and while we do provide L2 services today for wireless
backhaul, the services are based on requirements from the wireless
providers and I haven't seen an RFP yet in which someone wanted a L3
service. If someone really wanted a L3VPN as a backhaul solution we could
oblige them but m
On 1/30/2011 2:47 PM, Nick Hilliard wrote:
I'm concerned that if we're trying to avoid another Youtube affair,
the RPKI policy acceptability criteria will have to be so strict that
this may have a serious effect on overall reachability via the internet.
Not really. Just a simple, if route inv
On 1/30/11 1:13 PM, Ping Pan wrote:
> On Sun, Jan 30, 2011 at 12:55 PM, Cameron Byrne wrote:
>
>> Yep. I hate L2. It is a total nightmare. But, it is literally the
>> only game in town. I blame the MEF for spreading propaganda that
>> MetroE is the best solution for backhaul ... most people don
Easier to troubleshoot is the main reason but also, you would not put the
MME/S-GW in every segment with the eNodeB anyways, so in the end you'd
really want a L3 routed solution between them. One of the things I've
seen is the L3 interface for the eNodeB terminates locally on an attached
smaller c
> > I think it is too early in the deployment process to start dropping
> > routes based on RPKI alone. We'll get there at some point, I guess.
>
> Do we really *want* to get to that point?
I thought that was the point and the goal of securing the routing
infrastructure is laudable. But the voice
> So, what are people's routing policies on RPKI going to be? Are people
> going to drop prefixes with no RPKI record? Or drop prefixes with an
> incorrect RPKI record? Or drop prefixes with a revoked status?
draft-ietf-sidr-rpki-origin-ops-04.txt
randy
On Sun, 30 Jan 2011 19:06:05 -0200, "Carlos M. Martinez" said:
> I think it is too early in the deployment process to start dropping
> routes based on RPKI alone. We'll get there at some point, I guess.
Do we really *want* to get to that point?
On Sun, Jan 30, 2011 at 12:55 PM, Cameron Byrne wrote:
> Yep. I hate L2. It is a total nightmare. But, it is literally the
> only game in town. I blame the MEF for spreading propaganda that
> MetroE is the best solution for backhaul ... most people don't even
> think of L3 solutions all the
I think we just don't know (yet) how people are going to apply RPKI. If
I were operating a large network today, I would try to run RPKI in a
sort of warning-only mode, i.e. getting some sort of alert if an invalid
route was detected.
While this wouldn't have prevented YouTube's incident, it would
On Sun, Jan 30, 2011 at 12:52 PM, Mikael Abrahamsson wrote:
> On Sun, 30 Jan 2011, Cameron Byrne wrote:
>
>> The only way to reach 2000 cell sites in Chicago with 100megs of Ethernet
>> handoff is with L2 metroE. There is not a feasible L3 service offered
>> today.
>
> Ah.
>
> We either rent fibe
On Sun, 30 Jan 2011, Cameron Byrne wrote:
The only way to reach 2000 cell sites in Chicago with 100megs of
Ethernet handoff is with L2 metroE. There is not a feasible L3 service
offered today.
Ah.
We either rent fiber or put up our own radio links, I guess different
problems in different m
On Sun, 30 Jan 2011, Ping Pan wrote:
Heard a lot about MPLS-TP to apply in this area. What do you think? Is
it for real?
MPLS-TP is great for SDH people, they don't have to learn anything new.
It's the new SDH, just packet based instead of TDM. Everything else pretty
much stays the same.
I
On 30/01/2011 17:39, Carlos Martinez-Cagnazzo wrote:
The solution to this problem (theoretical at least) already exists in
the form of RPKI.
So, what are people's routing policies on RPKI going to be? Are people
going to drop prefixes with no RPKI record? Or drop prefixes with an
incorrect R
Here be dragons,
On Sun, Jan 30, 2011 at 12:39 PM, Carlos Martinez-Cagnazzo
wrote:
> The solution to this problem (theoretical at least) already exists in
> the form of RPKI.
Any top-down RPKI model is intrinsically flawed.
Deploying an overlay of single-point(s) of failure on top of a
well-func
>
> In any case, the fact you can stick a terabyte of RAM into a 4U Dell
> rack mount that sucks a whole lot of power doesn't mean we're anywhere
> near being able to do it for consumer-class hardware. Remember, much
> of the growth is going to be in the embedded and special purpose
> systems - t
On 1/30/2011 11:15 AM, Nick Hilliard wrote:
Depends on which IRR you use. The IRRDBs run by RIPE, APNIC and
AfriNIC implement hierarchical object ownership, which means that if
you're registering their address space, you can only do so if that
address space legitimately belongs to you. This
Heard a lot about MPLS-TP to apply in this area. What do you think? Is it
for real?
Thanks!
Ping
On Sun, Jan 30, 2011 at 11:03 AM, Cameron Byrne wrote:
> On Jan 30, 2011 10:11 AM, "Mikael Abrahamsson" wrote:
> >
> > On Sun, 30 Jan 2011, Cameron Byrne wrote:
> >
> >> There are just more compa
On Jan 30, 2011, at 10:09 AM, Mikael Abrahamsson wrote:
> On Sun, 30 Jan 2011, Glen Kent wrote:
>
>> I would like to understand why there is a preference for L3 VPNs over L2
>> VPNs for the EPC backhaul networks? We can use both layer 2 and layer 3 VPNs
>> for communication between the eNodeB
On Jan 30, 2011 10:11 AM, "Mikael Abrahamsson" wrote:
>
> On Sun, 30 Jan 2011, Cameron Byrne wrote:
>
>> There are just more companies offering L2 metroE than L3 in the backhaul
>> space. I have pushed for L3 but very few offer the speeds and reach
>> required
>
>
> Could you please elaborate on what
On Sun, 30 Jan 2011, Cameron Byrne wrote:
There are just more companies offering L2 metroE than L3 in the backhaul
space. I have pushed for L3 but very few offer the speeds and reach
required
Could you please elaborate on what you mean by "reach" here?
--
Mikael Abrahamsson    email: swm...
On Sun, 30 Jan 2011, Glen Kent wrote:
I would like to understand why there is a preference for L3 VPNs over L2
VPNs for the EPC backhaul networks? We can use both layer 2 and layer 3
VPNs for communication between the eNodeB and the MME or S-GW, so why is
it that most providers prefer L3 over
On Sun, 30 Jan 2011 17:39:45 +0100, Leen Besselink said:
> On 01/25/2011 11:06 PM, Owen DeLong wrote:
> >
> >
> >> "640k ought to be enough for anyone."
Remember that when this apocryphal statement was allegedly made in 1981, IBM
mainframes and Crays and the like were already well into the 64-256
Hey!
>> Steinar Haug, Nethelp consulting, sth...@nethelp.no
> Because they publish data you have signed. They don't have the ability
> to modify the data and then sign that modification as if they were you if
> they aren't holding the private key. If they are holding the private key,
> then, you ha
On Jan 30, 2011 9:03 AM, "Glen Kent" wrote:
>
> Hi,
>
> I would like to understand why there is a preference for L3 VPNs over
> L2 VPNs for the EPC backhaul networks? We can use both layer 2 and
> layer 3 VPNs for communication between the eNodeB and the MME or S-GW,
> so why is it that most provi
On Jan 30, 2011, at 8:39 AM, Leen Besselink wrote:
> On 01/25/2011 11:06 PM, Owen DeLong wrote:
>>
>>
>>> "640k ought to be enough for anyone."
>>>
>> If IPv4 is like 640k, then, IPv6 is like having
>> 47,223,664,828,696,452,136,959
>> terabytes of RAM. I'd argue that while 640k was short sig
On Jan 30, 2011, at 8:28 AM, sth...@nethelp.no wrote:
>>> - Hosted solutions offer a low barrier entry to smaller organizations
>>> who simply cannot develop their own PKI infrastructure. This is the
>>> case where they also lack the organizational skills to properly manage
>>> the keys themselve
The solution to this problem (theoretical at least) already exists in
the form of RPKI.
On Sun, Jan 30, 2011 at 6:23 AM, Andrew Alston wrote:
> Hi All,
>
> I've just noticed that Level 3 is allowing people to register space in its
> IRR database that A.) is not assigned to the people registering
On Sun, 2011-01-30 at 17:39 +0100, Leen Besselink wrote:
> On 01/25/2011 11:06 PM, Owen DeLong wrote:
> > If IPv4 is like 640k, then, IPv6 is like having
> > 47,223,664,828,696,452,136,959
> > terabytes of RAM. I'd argue that while 640k was short sighted, I think it is
> > unlikely we will see mac
On 30/01/2011 09:08, Jeff Wheeler wrote:
This brings me to my point, which is that IRR is very good for
preventing accidents and automating some common tasks. It should be
"secure" to a point, but just because a route: object exists does not
mean that mntner: really has authority over that addre
Hi,
I would like to understand why there is a preference for L3 VPNs over
L2 VPNs for the EPC backhaul networks? We can use both layer 2 and
layer 3 VPNs for communication between the eNodeB and the MME or S-GW,
so why is it that most providers prefer L3 over L2.
Glen
On 01/25/2011 11:06 PM, Owen DeLong wrote:
>
>
>> "640k ought to be enough for anyone."
>>
> If IPv4 is like 640k, then, IPv6 is like having 47,223,664,828,696,452,136,959
> terabytes of RAM. I'd argue that while 640k was short sighted, I think it is
> unlikely we will see machines with much more t
> > - Hosted solutions offer a low barrier entry to smaller organizations
> > who simply cannot develop their own PKI infrastructure. This is the
> > case where they also lack the organizational skills to properly manage
> > the keys themselves, so, in most cases at least, they are *better off*
> >
I see also that many concerns expressed here are extensions of the
perceived failures of the whole CA business. I agree that the whole
model of CAs has largely failed. Not only there are too many of them,
but the fact that they try to operate as for-profits makes them
vulnerable to all the pressure
On Jan 29, 2011, at 10:50 PM, Jeff Wheeler wrote:
> On Thu, Jan 27, 2011 at 10:00 PM, John Curran wrote:
>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
>> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
>> system. ARIN has looked at the in
> > There's a big difference. If a bank screws up and loses $5,000 of my money, I
> > can (at least potentially) sue them and recover $5,000 which is pretty much
> > identical to the $5,000 I lost. If a key escrow company loses my private key,
> > getting back an identical private key is exac
hi alex,
just to be clear
i think your web-based system is a good thing. 97.3% of your members do
not want to go through the effort of installing certifying software and
doing up/down with you. i am not fond of you holding folk's private
keys, but that's what they get for laziness. of course y
On Sun, 30 Jan 2011 11:57:57 -0200, Carlos Martinez-Cagnazzo said:
> What I just don't get if, we as a society, have created institutions
> we trust with our *money* (AKA banks), why there can't be institutions
> we trust with our crypto keys. I know that banks sometimes fail, and
> yes, probably "
On Jan 30, 2011, at 6:11 AM, Carlos Martinez-Cagnazzo wrote:
> Do you really think that a set of keys stored in a random PC in a
> random office is safer than on a periodically backed-up, encrypted
> database? In this future I only see lost keys, keys appearing listed
> in something.ru domains, t
Hello Carlos,
On 01/30/2011 02:57 PM, Carlos Martinez-Cagnazzo wrote:
> What I just don't get if, we as a society, have created institutions
> we trust with our *money* (AKA banks), why there can't be institutions
> we trust with our crypto keys. I know that banks sometimes fail, and
> yes, probab
On Jan 30, 2011, at 5:57 AM, Carlos Martinez-Cagnazzo wrote:
> What I just don't get if, we as a society, have created institutions
> we trust with our *money* (AKA banks), why there can't be institutions
> we trust with our crypto keys. I know that banks sometimes fail, and
> yes, probably "cryp
On 29/01/11 11:36 AM, Roy wrote:
On 1/29/2011 10:00 AM, Mike wrote:
The rub is, that they want to legislate that web based
'speedtest.com' is the ONLY and MOST AUTHORITATIVE metric that trumps
all other considerations
You took the state's money so you are stuck with their dumb rules.
Do you really think that a set of keys stored in a random PC in a
random office is safer than on a periodically backed-up, encrypted
database? In this future I only see lost keys, keys appearing listed
in something.ru domains, tons of support calls to hostmasters, and
ROAs repeatedly becoming inval
What I just don't get if, we as a society, have created institutions
we trust with our *money* (AKA banks), why there can't be institutions
we trust with our crypto keys. I know that banks sometimes fail, and
yes, probably "crypto banks" will sometimes fail as well, but on the
whole, the failure ra
On Thu, 27 Jan 2011 09:20:01 -0600
Max Pierson wrote:
> >I'm not missing your point. I'm saying that in IPv6, we've put enough addresses
> >in to allow for things nobody has thought of in 30, 60, 90, even 100 years and
> >then some.
>
> As Roland said,
> "Possibly, as long as we don't blow t
Paul,
I think my question is very pertinent. Of course the number of signed prefixes
directly influences the number of validators. Do you think the RIPE NCC
Validator tool would have been downloaded over 100 times in the last month if
there were only 5 certified prefixes?
In my opinion, the wi
On Thu, 27 Jan 2011 11:03:41 -0500
Jared Mauch wrote:
>
> On Jan 27, 2011, at 10:04 AM, Owen DeLong wrote:
>
> >
> > On Jan 27, 2011, at 6:49 AM, Jared Mauch wrote:
> >
> >>
> >> On Jan 26, 2011, at 8:33 PM, Owen DeLong wrote:
> >>
> >>> I'd like to see IPv4 go away in ~3 years. Any faster
On Sun, Jan 30, 2011 at 3:23 AM, Andrew Alston wrote:
> I've just noticed that Level 3 is allowing people to register space in its
> IRR database that A.) is not assigned to the people registering it and B.) is
> not assigned via/to Level 3.
This is not unique to Level3 -- it is the industry st
On Sun, Jan 30, 2011 at 3:52 AM, Joseph Prasad wrote:
> A very good interview with John Young on Russia Today.
>
> http://www.youtube.com/watch?v=oMRUiB_8tTc
One thing that Mr Young mentions in this interview is the threat
secret governance poses for any free and democratic society and how
there
Yes depending on the building location in most places we have two
options for access cable plant (TWC, Comcast etc.) or LEC. All via Layer
2.
Cheers
Ryan
-Original Message-
From: Joel Jaeggli [mailto:joe...@bogus.com]
Sent: Sunday, January 30, 2011 2:32 AM
To: Ryan Finnesey
Cc: Andy Ash
Hi All,
I've just noticed that Level 3 is allowing people to register space in its IRR
database that A.) is not assigned to the people registering it and B.) is not
assigned via/to Level 3.
So, I have two queries
A.) Are only customers of Level 3 allowed to use this database
B.) Can someone fr