Re: BCP38 Deployment

2012-03-28 Thread Sean Donelan
The power of defaults. The few successful Internet security "best practice" changes have primarily resulted from changes to default settings, not trying to get ISPs, operators, sysadmins or users to change. Smurf attacks - change default directed-broadcast settings in dominant router vendor

Re: Force10 E Series at the edge?

2012-03-28 Thread Brandon Bianchi
Brent, While the E300 can probably get your job done for more flexibility and growth I would personally steer you towards the E600 (or E600i now). It is slightly outside of your RU requirement coming in at 16 RU but it fits the bill otherwise. The main reasons I make this suggestion is due to

Re: BCP38 Deployment

2012-03-28 Thread Valdis . Kletnieks
On Wed, 28 Mar 2012 13:36:49 -0700, Leo Bicknell said: > I think some engineers need to ask some interesting questions, like > how, in a box doing NAT to an outside IP, does it ever emit a packet > not from that outside IP? The fact that you can spoof packets > through some of the NAT implementat

Re: Muni Fiber (was: Re: last mile, regulatory incentives, etc)

2012-03-28 Thread Jacob Broussard
While I can't provide an average, I can say we generally have anywhere from 2-5 microwaves on most sites (with a few exceptions that only have 1, and a few that have more.) Our MWs go up to 1.6gbps. The sites aren't provisioned a set amount of bandwidth, they can use as much as they want (up to t

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread bmanning
On Wed, Mar 28, 2012 at 11:55:35AM -0700, David Conrad wrote: > On Mar 28, 2012, at 11:47 AM, Carlos Martinez-Cagnazzo wrote: > > I'm not a fan of conspiracy theories, but, c'mon. For a provisioning > > system, an AAAA record is just a fragging string, just like any other > > DNS record. How diffic

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Rodrick Brown
On Mar 28, 2012, at 3:13 PM, Carlos Martinez-Cagnazzo wrote: > I'm not convinced. What you mention is real, but the code they need is > little more than a regular expression that can be found on Google and a > 20-line script for testing lames. And a couple of weeks of testing, and > I think I'm

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Mike Gallagher
Doesn't netsol charge something crazy like $50/year per for domain services? If that is still the case sounds like ipv6 support for 250k is a drop in the bucket :-). Not sure why any clueful DNS admin would still use netsol though. On Mar 28, 2012, at 5:55 PM, Joseph Snyder wrote: > I agree, b

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Cameron Byrne
On Mar 28, 2012 2:25 PM, "Arturo Servin" @ gmail.com > wrote: > > >Another reason to not use them. > >Seriously, if they cannot expend some thousands of dollars (because it shouldn't be more than that) in "touching code, (hopefully) testing that code, deploying it, training customer

Re: BCP38 Deployment

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 02:49:02PM -0700, David Conrad wrote: > On Mar 28, 2012, at 12:03 PM, Leo Bicknell wrote: > > Tier 1 T640 core network with 10GE handoff > > Regional Cisco GSR network with 1GE handoff > > Local1006 to Arris CMTS > > Subscriber Motor

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Arturo Servin
I am not taking about a big imaginary company. I am taking about NSI and this specific case. Regards, as On 29 Mar 2012, at 00:55, Joseph Snyder wrote: > I agree, but in a big company it generally would cost at least 10s of > thousands of dollars just for training alone. The time away

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Joseph Snyder
I agree, but in a big company it generally would cost at least 10s of thousands of dollars just for training alone. The time away from the phones that would have to be covered would exceed that. Let's say you had 8000 phone staff and they were getting $10/be and training took an hour. That is 80

Re: BCP38 Deployment

2012-03-28 Thread David Conrad
On Mar 28, 2012, at 12:03 PM, Leo Bicknell wrote: > Tier 1 T640 core network with 10GE handoff > Regional Cisco GSR network with 1GE handoff > Local1006 to Arris CMTS > Subscriber Motorola Cable Modem to NetGear SOHO Gateway > User Patron with Airport Express sharing a w

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Arturo Servin
Another reason to not use them. Seriously, if they cannot expend some thousands of dollars (because it shouldn't be more than that) in "touching code, (hopefully) testing that code, deploying it, training customer support staff to answer questions, updating documentation, etc."

Re: BCP38 Deployment

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 12:44:04PM -0700, Michael Thomas wrote: > Except for the small problem that getting cheap home router box > manufacturers to do just about anything is a pushing on string exercise. > So if I want to a) protect my network and b) be a good netizen, I'm >

Re: BCP38 Deployment

2012-03-28 Thread Joe Greco
> 1. Given BCP38, the only practical anti-spoofing technique, can an ISP well > protect its customers by implementing BCP38? I don't think so, because I > think BCP38 is accurate near the source but inaccurate near the > destination, i.e. if its customer is the target of spoofing attack, its > capabi

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Brett Frankenberger
On Wed, Mar 28, 2012 at 04:13:53PM -0300, Carlos Martinez-Cagnazzo wrote: > I'm not convinced. What you mention is real, but the code they need is > little more than a regular expression that can be found on Google and a > 20-line script for testing lames. And a couple of weeks of testing, and > I

Re: BCP38 Deployment

2012-03-28 Thread Michael Thomas
On 03/28/2012 12:03 PM, Leo Bicknell wrote: None of the routers are "trusted" if your perspective is right. It's easy to find a path like: "Tier 1 ISP" - Regional ISP - Local Provider - Subscriber - User Technologically it may look like: Tier 1 T640 core network with 10GE handoff Region

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread John T. Yocum
On 3/28/2012 12:13 PM, Carlos Martinez-Cagnazzo wrote: I'm not convinced. What you mention is real, but the code they need is little more than a regular expression that can be found on Google and a 20-line script for testing lames. And a couple of weeks of testing, and I think I'm exaggerating.

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Carlos Martinez-Cagnazzo
I'm not convinced. What you mention is real, but the code they need is little more than a regular expression that can be found on Google and a 20-line script for testing lames. And a couple of weeks of testing, and I think I'm exaggerating. If they don't want to offer support for it, they can just

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 01:51:19PM -0500, Chris Adams wrote: > The same problem exists for DNSSEC; the number of registrars that > support both IPv6 glue and DNSSEC in their standard interfaces is > unfortunately small. joker.com supports both, and has a very nice web interfa

Re: BCP38 Deployment

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 09:52:49AM -0700, Michael Thomas wrote: > Yeahbut, the CPE isn't trusted. It would be _nice_ for customers > to be bcp38 clueful as well, but I don't think it's _required_ for > successful deployment from the ISP's standpoint. Even with a > system like

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Lynda
On 3/28/2012 11:51 AM, Chris Adams wrote: Once upon a time, Lynda said: This really points out one of the biggest impediments to moving to IPv6. I just briefly looked at the list of registrars that are able to create glue records for any domain I might have that I wanted to exist in IPv6, and i

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread David Conrad
On Mar 28, 2012, at 11:47 AM, Carlos Martinez-Cagnazzo wrote: > I'm not a fan of conspiracy theories, but, c'mon. For a provisioning > system, an AAAA record is just a fragging string, just like any other > DNS record. How difficult to support can it be ? Of course it is more than a string. It re

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Chris Adams
Once upon a time, Lynda said: > This really points out one of the biggest impediments to moving to IPv6. > I just briefly looked at the list of registrars that are able to create > glue records for any domain I might have that I wanted to exist in IPv6, > and it's a very limited list. I'm curre

Re: FW: Force10 E Series at the edge?

2012-03-28 Thread Joel jaeggli
On 3/27/12 23:21 , Roberts, Brent wrote: > Is anyone running an E300 Series Chassis at the internet edge with multiple > Full BGP feeds? 95th percent would be about 300 meg of traffic. BGP session > count would be between 2 and 4 Peers. > 6k internal Prefix count as it stands right now. Alternati

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Carlos Martinez-Cagnazzo
I'm not a fan of conspiracy theories, but, c'mon. For a provisioning system, an AAAA record is just a fragging string, just like any other DNS record. How difficult to support can it be ? regards Carlos On 3/28/12 3:40 PM, Lynda wrote: > On 3/28/2012 10:59 AM, JORDI PALET MARTINEZ wrote: >> And

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Lynda
On 3/28/2012 10:59 AM, JORDI PALET MARTINEZ wrote: And they need to do anyway, if they want to keep the contract: http://www.ipv6tf.org/index.php?page=news/newsroom&id=8494 This really points out one of the biggest impediments to moving to IPv6. I just briefly looked at the list of registrars

RE: BCP38 Deployment

2012-03-28 Thread Drew Weaver
Also, don't forget that transit providers currently bill their customers to carry that spoofed/DoS traffic, why would they filter it when it's on their balance sheets? -Drew -----Original Message----- From: Bingyang LIU [mailto:bjorn...@gmail.com] Sent: Wednesday, March 28, 2012 1:15 PM

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread JORDI PALET MARTINEZ
And they need to do it anyway, if they want to keep the contract: http://www.ipv6tf.org/index.php?page=news/newsroom&id=8494 Regards, Jordi -----Original Message----- From: Jeff Fisher Reply-To: Date: Wed, 28 Mar 2012 11:53:35 -0600 To: Subject: Re: Quad-A records in Network Solutions ?

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Carlos Martinez-Cagnazzo
Yup... I was reading the same page myself. Pretty sad. My friend just forwarded me the response from NSI Support. Incredibly lame. I'm tempted to share it here, but my good twin told me not to. I'm recommending they switch registrars. regards, Carlos On 3/28/12 2:57 PM, Alejandro Acosta wrot

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Alejandro Acosta
Hi Carlos, You are right... I just entered with my account and after I clicked "Edit DNS" there is a dialog box which says: "Advanced Users: To specify your IPv6 name server address (IPv6 glue record), e-mail us the domain name, the host name of the name server(s), and their IPv6 address(es)."

Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Jeff Fisher
I just received a heads-up from a friend telling me that Network Solutions is unable/unwilling to configure AAAA's for .com/.net domains. He works for a large media outlet who will be enabling IPv6 on their sites for World IPv6 Launch Day. I hope it's just a misunderstanding. If it's not, I woul

Quad-A records in Network Solutions ?

2012-03-28 Thread Carlos Martinez-Cagnazzo
Hello all, I just received a heads-up from a friend telling me that Network Solutions is unable/unwilling to configure AAAA's for .com/.net domains. He works for a large media outlet who will be enabling IPv6 on their sites for World IPv6 Launch Day. I hope it's just a misunderstanding. If it's

Re: BCP38 Deployment

2012-03-28 Thread Bingyang LIU
Hi Darius, Yes, I agree that feasible RPF solves the problem in a lot of scenarios. However, in some other cases, the asymmetric routing is caused by static routing, traffic engineering, policy routing, etc., where the lengths of forward path and reverse path may differ, so feasible RPF may also

Re: BCP38 Deployment

2012-03-28 Thread goemon
On Wed, 28 Mar 2012, Bingyang LIU wrote: the provider may not be able to protect its customers, because ingress filtering (including uRPF) is inefficient when done near the destination. In other words, an ISP can deploy BCP38 or whatever, but still cannot well protect its customers from spoofing

Re: BCP38 Deployment

2012-03-28 Thread Darius Jahandarie
On Wed, Mar 28, 2012 at 12:50, David Conrad wrote: > I would be surprised if this were true. > > I'd argue that today, the vast majority of devices on the Internet (and > certainly the ones that are used in massive D(D)oS attacks) are found hanging > off singly-homed networks. Yes, but RPF can

Re: BCP38 Deployment

2012-03-28 Thread Bingyang LIU
Yeah, "contractual closures" might be a way to force the providers to deploy BCP38. However, when the customers become the target of a spoofing attack, the provider may not be able to protect its customers, because ingress filtering (including uRPF) is inefficient when done near the destination. I

Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability Advisory ID: cisco-sa-20120328-rsvp Revision 1.0 For Public Release 2012 March 28 16:00 UTC (GMT

Re: BCP38 Deployment

2012-03-28 Thread Eric Brunner-Williams
On 3/28/12 11:45 AM, David Conrad wrote: > Actually, given the uptick in spoofing-based DoS attacks, the ease in which > such attacks can be generated, recent high profile targets of said attacks, > and the full-on money pumping freakout about anything with "cyber-" tacked on > the front, I susp

Re: BCP38 Deployment

2012-03-28 Thread Michael Thomas
On 03/28/2012 09:16 AM, Leo Bicknell wrote: In a message written on Wed, Mar 28, 2012 at 08:45:12AM -0700, David Conrad wrote: An interesting assertion. I haven't looked at how end-user networks are built recently. I had assumed there continue to be customer aggregation points within ISP in

Re: BCP38 Deployment

2012-03-28 Thread Bingyang LIU
Yep, one way is to give an economic penalty. But how about giving the _good_ ISPs an economic reward? Say, some transit ISPs deploy anti-spoofing techniques (e.g. uRPF), but only filter those spoofing packets whose destination is the ASes having purchased their *anti-spoofing service* ? Bingyang On We

Re: BCP38 Deployment

2012-03-28 Thread David Conrad
On Mar 28, 2012, at 9:39 AM, Darius Jahandarie wrote: > I think the concern of RFC3704/BCP84, i.e., multihoming, is the > primary reason we don't see ingress filtering as much as we should. I would be surprised if this were true. I'd argue that today, the vast majority of devices on the Internet

Re: BCP38 Deployment

2012-03-28 Thread goemon
On Wed, 28 Mar 2012, David Conrad wrote: Actually, given the uptick in spoofing-based DoS attacks, the ease in which such attacks can be generated, recent high profile targets of said attacks, and the full-on money pumping freakout about anything with "cyber-" tacked on the front, I suspect a l

Re: BCP38 Deployment

2012-03-28 Thread Darius Jahandarie
On Wed, Mar 28, 2012 at 12:16, Leo Bicknell wrote: > Well, RFC3704 for one has updated the methods and tactics since BCP38 > was written.  Remember BCP38 was before even "unicast RPF" as we know it > existed. I think the concern of RFC3704/BCP84, i.e., multihoming, is the primary reason we don't

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability Advisory ID: cisco-sa-20120328-nat Revision 1.0 For Public Release 2012 March 28 16:00 UTC (GMT

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features Advisory ID: cisco-sa-20120328-mace Revision 1.0 For Public Release 2012 March 28 16:00 UTC (GMT

Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities Advisory ID: cisco-sa-20120328-zbfw Revision 1.0 For Public Release 2012 March 28 16:00 UTC (GMT

Re: BCP38 Deployment

2012-03-28 Thread Ray Soucy
While I'm a big fan of RFP, it does require that operators be "good citizens" for it to be effective. Like most of the Internet, it's built on a "web" of trust. On Wed, Mar 28, 2012 at 12:10 PM, Bingyang LIU wrote: > Hi David, Leo, Patrick and all, > > Considering the reasons you raised, do yo

Re: BCP38 Deployment

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 08:45:12AM -0700, David Conrad wrote: > An interesting assertion. I haven't looked at how end-user networks are > built recently. I had assumed there continue to be customer aggregation > points within ISP infrastructure in which BCP38-type filterin

Re: BCP38 Deployment

2012-03-28 Thread Bingyang LIU
Hi David, Leo, Patrick and all, Considering the reasons you raised, do you think the following two things can happen? 1. Given BCP38, the only practical anti-spoofing technique, can an ISP well protect its customers by implementing BCP38? I don't think so, because I think BCP38 is accurate near the

Re: Force10 E Series at the edge?

2012-03-28 Thread Brant Ian Stevens
Brant Ian Stevens March 28, 2012 11:41 AM The CER is the perfect box for this application, save for the redundant processors. The MLXe will work great if you want a small form factor and redundant processors. -Brant George Bonser

Re: BCP38 Deployment

2012-03-28 Thread David Conrad
Leo, On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote: >> #1) Money. >> #2) Laziness. > While Patrick is spot on, there is a third issue which is related > to money and laziness, but also has some unique aspects. > > BCP38 makes the assumption that the ISP does some "configuration" > to insure on

RE: Force10 E Series at the edge?

2012-03-28 Thread George Bonser
> -----Original Message----- > From: Tom Daly > Sent: Tuesday, March 27, 2012 8:59 PM > To: Brent Roberts > Cc: NANOG > Subject: Re: Force10 E Series at the edge? > > Brent, > Your options include, for smaller boxes: > > - Brocade CER series, but make sure you get the -RT versions due to RAM > (have

Re: Muni Fiber

2012-03-28 Thread Miles Fidelman
Jay Ashworth wrote: - Original Message - From: "Frank Bulk" I don't think a muni can prevent the ILEC from installing fiber in their RoW "Their": pronoun without a referent. The municipality's right of way? I should think they would be able to; the property, or the easement, is th

Re: Muni Fiber

2012-03-28 Thread Jay Ashworth
- Original Message - > From: "Frank Bulk" > I don't think a muni can prevent the ILEC from installing fiber in > their RoW "Their": pronoun without a referent. The municipality's right of way? I should think they would be able to; the property, or the easement, is theirs, not any u

Re: BCP38 Deployment

2012-03-28 Thread Leo Bicknell
In a message written on Wed, Mar 28, 2012 at 11:00:39AM -0400, Patrick W. Gilmore wrote: > #1) Money. > Whenever someone asks "why...?", the answer is usually "money". It costs > money - CapEx if your equipment doesn't support RPF, and OpEx even if it > does. Plus opportunity cost if your cust

Re: Force10 E Series at the edge?

2012-03-28 Thread Owen DeLong
> I can't speak for Force10 which is DELL now. > As Joe mentioned, the biggest problem is "their-support" of 680k prefixes > with the QUAD-CAM linecards. DUAL-CAM line cards do 512K in theory. Regular > ones don't work because they support 320K prefixes and "die" around 300K > If memory serves

Re: BCP38 Deployment

2012-03-28 Thread Patrick W. Gilmore
On Mar 28, 2012, at 10:44 , Bingyang LIU wrote: > I'm Bingyang Liu, a ph.d student in Tsinghua University. My thesis topic is > on "source address validation". > > Although BCP38 was proposed more than ten years ago, IP spoofing still > remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report]

BCP38 Deployment

2012-03-28 Thread Bingyang LIU
Hi all, I'm Bingyang Liu, a ph.d student in Tsinghua University. My thesis topic is on "source address validation". Although BCP38 was proposed more than ten years ago, IP spoofing still remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report] [Presentation on NANOG Meeting] [Discussion in NA

Re: Muni Fiber

2012-03-28 Thread Miles Fidelman
William Herrin wrote: Even if preempted, a state or municipality can make it make it *very* uncomfortable for a communications provider who doesn't want to play ball. Consider, for example, DC's repaving requirements: if you dig up the street, you're required to repave the whole street all the w

Re: Muni Fiber

2012-03-28 Thread William Herrin
On Wed, Mar 28, 2012 at 7:56 AM, Fletcher Kittredge wrote: > Wouldn't Federal and State laws preempt Municipal law in this area? Hi Fletcher, State laws yes. State legislatures tend to narrowly define what laws a municipality is allowed to independently enact. And they tend to be very open to th

Re: Muni Fiber

2012-03-28 Thread Miles Fidelman
Charles Gucker wrote: On Wed, Mar 28, 2012 at 12:45 AM, Frank Bulk wrote: I don't think a muni can prevent the ILEC from installing fiber in their RoW First off, IANAL, Secondly, I've had a reasonable amount of experience with Village and Municipal Law.In short, the statement above is

RPKI support from router vendors

2012-03-28 Thread Carlos Martinez-Cagnazzo
Hello all, I was wondering when we can actually expect RPKI / origin validation support from router vendors. I know where Cisco and Juniper stand, in fact, I have been testing both implementations. So, I would like to know if someone has heard anything from: - Huawei - Alcatel - Others ? regar

Re: Muni Fiber

2012-03-28 Thread Fletcher Kittredge
Charles; Wouldn't Federal and State laws preempt Municipal law in this area? I agree YANAL. regards, Fletcher On Wed, Mar 28, 2012 at 1:06 AM, Charles Gucker wrote: > On Wed, Mar 28, 2012 at 12:45 AM, Frank Bulk wrote: > > I don't think a muni can prevent the ILEC from installing fiber in th

Re: Muni Fiber (was: Re: last mile, regulatory incentives, etc)

2012-03-28 Thread Anurag Bhatia
Hi Nice discussion. Just a small question here - how much backhaul at present 2G, 3G and LTE based towers have? Just curious to hear an average number. I agree it would be a significant difference from busy street in New York to less crowded area say in Michigan but what sort of bandwidth telcos