Re: Configuration Systems

2012-06-07 Thread valdis . kletnieks
On Thu, 07 Jun 2012 13:30:53 -1000, Paul Graydon said: > Your original definition: "cloud" == "you rented a colo, but have no > clue where". I know exactly where my colo is. I know exactly where my > physical servers are. If I run a private cloud on those servers and > provision stuff there, I'

Re: Configuration Systems

2012-06-07 Thread Owen DeLong
By my count, we now have 3 engineers that have chimed in and somewhere between 5 and 6 definitions. Q.E.D. Owen On Jun 7, 2012, at 8:53 PM, Suresh Ramasubramanian wrote: > It is like that supreme court judge who defined porn as "i know it > when I see it" > > On Fri, Jun 8, 2012 at 5:00 AM, Pa

Re: AAAA's for www.netflix.com

2012-06-07 Thread Joly MacFie
> > Netflix may have created its own IPv6-specific domain which is responsible > for almost a third of all IPv6 traffic. If this is the case it might not be > in full compliance with the spirit of World IPv6 Day, as the aim should > have been for Netflix to operate one single domain with both

Re: AAAA's for www.netflix.com

2012-06-07 Thread David Temkin
On 6/7/12 10:23 PM, Daniel Roesen wrote: On Fri, Jun 08, 2012 at 12:11:20PM +1000, Mark Andrews wrote: $ dig @pdns3.ultradns.org www.netflix.com. A +norec +short wwwservice--frontend-313423742.us-east-1.elb.amazonaws.com. $ dig @pdns3.ultradns.org www.netflix.com. +norec +short dualstack.ww

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Karl Auer
On Fri, 2012-06-08 at 03:08 +, Dave Hart wrote: > networks. With IPv4, ARP presents not only a network capacity issue, > but also a host capacity issue as every node expends software > resources processing every broadcast ARP. With ND, only a tiny > fraction of hosts expend any software capac

Re: Configuration Systems

2012-06-07 Thread Suresh Ramasubramanian
It is like that supreme court judge who defined porn as "i know it when I see it" On Fri, Jun 8, 2012 at 5:00 AM, Paul Graydon wrote: > Your original definition: "cloud" == "you rented a colo, but have no clue > where".  I know exactly where my colo is.  I know exactly where my physical > servers

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Dave Hart
On Fri, Jun 8, 2012 at 12:48 AM, Karl Auer wrote: > Yes - whether with ARP or ND, any node has to filter out the packets > that do not apply to it (whether it's done by the NIC or the host CPU is > another question, not relevant here). It is relevant to the question of the scalability of large L2

Re: AAAA's for www.netflix.com

2012-06-07 Thread Daniel Roesen
On Fri, Jun 08, 2012 at 12:11:20PM +1000, Mark Andrews wrote: > > $ dig @pdns3.ultradns.org www.netflix.com. A +norec +short > > wwwservice--frontend-313423742.us-east-1.elb.amazonaws.com. > > $ dig @pdns3.ultradns.org www.netflix.com. +norec +short > > dualstack.wwwservice--frontend-313423742

Re: AAAA's for www.netflix.com

2012-06-07 Thread Mark Andrews
In message <20120608011910.ga16...@srv03.cluenet.de>, Daniel Roesen writes: > On Thu, Jun 07, 2012 at 04:43:41PM -0700, David Temkin wrote: > > What do you mean? www.netflix.com is dual stacked, which represents > > availability of our website (and PC/Mac streaming clients) to 100% of our > > user

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Karl Auer
On Fri, 2012-06-08 at 11:08 +1000, Mark Andrews wrote: > > This is pretty much the *point* of using multicast instead of > broadcast. > > The point of multicast is be able to reject traffic sooner rather > than later. Well - yes - and my description was of how, when properly configured and on the

Re: AAAA's for www.netflix.com

2012-06-07 Thread Daniel Roesen
On Fri, Jun 08, 2012 at 03:19:10AM +0200, Daniel Roesen wrote: > The zero TTL on the CNAME an RRs makes www.netflix.com > zero-stacked at least for some resolvers: Correction... I don't really know whether the zero TTL on the CNAME provokes problems, but not returning any RR on ANY RRtype quer

Re: AAAA's for www.netflix.com

2012-06-07 Thread Daniel Roesen
On Thu, Jun 07, 2012 at 04:43:41PM -0700, David Temkin wrote: > What do you mean? www.netflix.com is dual stacked, which represents > availability of our website (and PC/Mac streaming clients) to 100% of our > users who have IPv6. The zero TTL on the CNAME an RRs makes www.netflix.com zero-st

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Mark Andrews
In message <1339116492.2754.162.camel@karl>, Karl Auer writes: > On Thu, 2012-06-07 at 22:27 +, Dave Hart wrote: > > Karl, you seem to fail to understand how ethernet NICs

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Karl Auer
On Thu, 2012-06-07 at 22:27 +, Dave Hart wrote: > Karl, you seem to fail to understand how ethernet NICs are implemented > in the real world. Ignoring the optional (but common) promiscuous > mode support and various offloading, IPv4 ARP is sent as ethernet > broadcast and the NIC hardware and

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
>> this is a feature, not a bug. you should be explaining to them why >> they should never type passwords on another's keyboard, log on to >> anything from an internet cafe, ... > And this is where you lose the user. actually, not. it's like safe sex, an analogy they understand. you may be temp

Re: LinkedIn password database compromised

2012-06-07 Thread Sean Harlow
On Jun 7, 2012, at 19:24, Randy Bush wrote: > this is a feature, not a bug. you should be explaining to them why they > should never type passwords on another's keyboard, log on to anything > from an internet cafe, ... And this is where you lose the user. It doesn't matter that you're entirely

RE: sporadic IPv6 connectivity to forums.comcast.com

2012-06-07 Thread Brzozowski, John
We are investigating. Original Message From: Casey Deccio Sent: Thu, 07/06/2012 18:47 To: nanog@nanog.org CC: Subject: sporadic IPv6 connectivity to forums.comcast.com I'm seeing sporadic IPv6 connectivity issues to forums.comcast.com: casey@rome$ curl -I6 forums.comcast

Re: AAAA's for www.netflix.com

2012-06-07 Thread David Temkin
Joly, What do you mean? www.netflix.com is dual stacked, which represents availability of our website (and PC/Mac streaming clients) to 100% of our users who have IPv6. -Dave On Thursday, June 7, 2012, Joly MacFie wrote: > well, something appears to be working.. > > http://www.betterbroadbandbl

Re: Configuration Systems

2012-06-07 Thread Paul Graydon
On 06/07/2012 12:59 PM, valdis.kletni...@vt.edu wrote: On Thu, 07 Jun 2012 12:12:09 -1000, Paul Graydon said: what cloud is you've also got to go into the realms of private clouds (using, for example, openstack), on your own infrastructure in your own datacenter. Same definition. The user I've

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
> Plus, now you have the problem of users not being able to login to > their favourite websites when they're using a friend's computer, > internet cafe, etc, unless they've remembered to bring a copy of their > private key with them. this is a feature, not a bug. you should be explaining to them

Re: AAAA's for www.netflix.com

2012-06-07 Thread Joly MacFie
well, something appears to be working.. http://www.betterbroadbandblog.com/2012/06/world-ipv6-daywe-have-liftoff/ Netflix moved up to second in the IPv6 list – as noted above, Netflix has been rolling out IPv6 coverage over the last few weeks. Interestingly, it appears as if Netflix may have cre

Re: LinkedIn password database compromised

2012-06-07 Thread Mark Andrews
In message <4fd0ae52.20...@alter3d.ca>, Peter Kristolaitis writes: > On 6/7/2012 9:22 AM, James Snow wrote: > > On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: > >> Imagine signing up for a site by putting in your email and pasting > >> your public key. > > Yes! Yes! Yes! > > >

Re: Configuration Systems

2012-06-07 Thread valdis . kletnieks
On Thu, 07 Jun 2012 12:12:09 -1000, Paul Graydon said: > what cloud is you've also got to go into the realms of private clouds > (using, for example, openstack), on your own infrastructure in your own > datacenter. Same definition. The user I've provisioned still has no idea where I provisioned

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
>> the 'single sign on' i encourage for the end using human beings i >> support is 1password and its ilk. it provides the user with one >> sign-on yet strongly encourages separation of identities and strong >> passwords for sites. > > Local repository of passwords, aggregation in a way. Right? En

sporadic IPv6 connectivity to forums.comcast.com

2012-06-07 Thread Casey Deccio
I'm seeing sporadic IPv6 connectivity issues to forums.comcast.com: casey@rome$ curl -I6 forums.comcast.com HTTP/1.1 200 OK Date: Thu, 07 Jun 2012 21:48:37 GMT [snip...] casey@rome$ curl -I6 forums.comcast.com curl: (7) couldn't connect to host casey@rome:~$ traceroute6 forums.comcast.com tracer

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Dave Hart
On Thu, Jun 7, 2012 at 10:14 PM, Karl Auer wrote: > On Thu, 2012-06-07 at 21:07 +, Dave Hart wrote: >> Bzzt.  With ARP, every IPv4 node on the link indicates each ARP packet >> to the OS.  With ND, only those nodes sharing the same last 24 bits of >> the IPv6 address indicate the packet up the

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Karl Auer
On Thu, 2012-06-07 at 21:07 +, Dave Hart wrote: > Bzzt. With ARP, every IPv4 node on the link indicates each ARP packet > to the OS. With ND, only those nodes sharing the same last 24 bits of > the IPv6 address indicate the packet up the stack. The rest of the > IPv6 nodes filter the multica

Re: Configuration Systems

2012-06-07 Thread Paul Graydon
On 06/07/2012 11:49 AM, valdis.kletni...@vt.edu wrote: On Thu, 07 Jun 2012 11:51:51 -0700, Owen DeLong said: This is a hard problem to solve. Not the least of the difficulties is the fact that if you ask 50 engineers to define "Cloud", you will get at least 100 definitions many of which are in

Re: LinkedIn password database compromised

2012-06-07 Thread David Walker
On 08/06/2012, Matthew Kaufman wrote: > It also allows them to sign anyone they want as someone pretending to be > you, but with a different key pair. You're exactly correct but in this case I don't think CAs are necessary and probably detrimental so it's moot. Currently I don't care at all if so

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Karl Auer
On Thu, 2012-06-07 at 16:42 -0400, Ricky Beam wrote: > On Wed, 06 Jun 2012 17:17:37 -0400, Karl Auer wrote: > > a) DAD only happens when an IPv6 node is starting up. ARP happens > > whenever a node needs to talk to another node that it hasn't seen in > > while. > > DAD is a special case of ND. It

Re: Configuration Systems

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 2:49 PM, valdis.kletni...@vt.edu wrote: > On Thu, 07 Jun 2012 11:51:51 -0700, Owen DeLong said: > >> This is a hard problem to solve. Not the least of the difficulties is the >> fact that >> if you ask 50 engineers to define "Cloud", you will get at least 100 >> definitions

Re: AAAA's for www.netflix.com

2012-06-07 Thread Mark Andrews
In message <20120607165818.ga30...@srv03.cluenet.de>, Daniel Roesen writes: > On Thu, Jun 07, 2012 at 07:52:29AM -0600, Dave Temkin wrote: > > Just to close the loop on this - UltraDNS has an issue with CNAMEs and > > their Directional DNS service. We (Netflix) have applied a workaround and > >

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
No argument about that at all. Owen On Jun 7, 2012, at 2:26 PM, Matthew Kaufman wrote: > It also allows them to sign anyone they want as someone pretending to be you, > but with a different key pair. > > Just like the DMV could, if it wanted to (or was ordered to) issue a drivers > license wi

Re: LinkedIn password database compromised

2012-06-07 Thread David Walker
On 07/06/2012, Lynda wrote: > Sorry to be the bearer of such bad tidings. I'm a very amateur cryptologist so some of this is new to me: "Any organization using SHA-1 without salting user passwords is running a great risk -- much higher than they should," said Per Thorsheim, chief information secu

Re: Configuration Systems

2012-06-07 Thread valdis . kletnieks
On Thu, 07 Jun 2012 11:51:51 -0700, Owen DeLong said: > This is a hard problem to solve. Not the least of the difficulties is the > fact that > if you ask 50 engineers to define "Cloud", you will get at least 100 > definitions > many of which are incompatible to the point of mutually exclusive.

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 1:27 PM, Ricky Beam wrote: > On Wed, 06 Jun 2012 10:58:05 -0400, Chuck Church > wrote: >> Does anyone know the reason /64 was proposed as the size for all L2 domains? > > There is one, and only one, reason for the ::/64 split: SLAAC. IPv6 is a > classless addressing system

Re: LinkedIn password database compromised

2012-06-07 Thread Michael Hallgren
Hi Randy, On Thursday 07 June 2012 at 10:03 -0700, Randy Bush wrote: > hi etaoin, > > > I still don't want single sign on. Not anywhere. > > i believe that 'single sign on' is a bad deal and dangerous for all, not > just we geeks. essentially it means that the 'identity provider' owns > your id

Re: LinkedIn password database compromised

2012-06-07 Thread Matthew Kaufman
It also allows them to sign anyone they want as someone pretending to be you, but with a different key pair. Just like the DMV could, if it wanted to (or was ordered to) issue a drivers license with my name and DL number but an FBI agent's photo and thumbprint associated. You'd want your login

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Dave Hart
On Thu, Jun 7, 2012 at 8:42 PM, Ricky Beam wrote: > On Wed, 06 Jun 2012 17:17:37 -0400, Karl Auer wrote: >> >> c) Similarly, ND (the direct equivalent of ARP) goes only to solicited >> node multicast addresses, ARP goes to every node on the link. > > Effectively the same as broadcast in the IPv6

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Ricky Beam
On Wed, 06 Jun 2012 17:17:37 -0400, Karl Auer wrote: a) DAD only happens when an IPv6 node is starting up. ARP happens whenever a node needs to talk to another node that it hasn't seen in while. DAD is a special case of ND. It happens every time the system selects an address. (i.e. startup

Re: LinkedIn password database compromised

2012-06-07 Thread -Hammer-
Thank you for educating without insulting. Always professional Owen. It's appreciated. -Hammer- "I was a normal American nerd" -Jack Herer On 6/7/2012 3:18 PM, Owen DeLong wrote: A proper CA does not have your business or personal keys, they merely sign them and attest to the fact that they

Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

2012-06-07 Thread Ricky Beam
On Wed, 06 Jun 2012 10:58:05 -0400, Chuck Church wrote: Does anyone know the reason /64 was proposed as the size for all L2 domains? There is one, and only one, reason for the ::/64 split: SLAAC. IPv6 is a classless addressing system. You can make your LAN ::/117 if you want to; SLAAC

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
A proper CA does not have your business or personal keys, they merely sign them and attest to the fact that they actually represent you. You are free to seek and obtain such validation from any and as many parties as you see fit. At no point should any CA be given your private key data. They merel

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 12:37 PM, Aaron C. de Bruyn wrote: > On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong wrote: >>> Heck no to X.509. We'd run into the same issue we have right now--a >>> select group of companies charging users to prove their identity. >> >> Not if enough of us get behind CACERT.

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 10:03 AM, Randy Bush wrote: > hi etaoin, > >> I still don't want single sign on. Not anywhere. > > i believe that 'single sign on' is a bad deal and dangerous for all, not > just we geeks. essentially it means that the 'identity provider' owns > your identity. i love that

Re: LinkedIn password database compromised

2012-06-07 Thread -Hammer-
I gotta agree with Aaron here. What would be my motivation to "trust" an open and public infrastructure? With my business or personal keys? -Hammer- "I was a normal American nerd" -Jack Herer On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote: On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong wrote:

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 9:29 AM, Bruch, Mark wrote: > I rarely reply to threads. However the point of interest that is missed is > "Not supported anymore because Microsoft says so". So Microsoft starts > putting out systems at one per year and not supporting old ones because they > "Have you over a

Re: LinkedIn password database compromised

2012-06-07 Thread Aaron C. de Bruyn
On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong wrote: >> Heck no to X.509.  We'd run into the same issue we have right now--a >> select group of companies charging users to prove their identity. > > Not if enough of us get behind CACERT. Yet again, another org (free or not) that is holding my ident

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
On Jun 7, 2012, at 6:36 AM, Peter Kristolaitis wrote: > On 6/7/2012 9:22 AM, James Snow wrote: >> On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: >>> Imagine signing up for a site by putting in your email and pasting >>> your public key. >> Yes! Yes! Yes! >> >> I've been makin

Re: LinkedIn password database compromised

2012-06-07 Thread Owen DeLong
On Jun 6, 2012, at 11:14 PM, Aaron C. de Bruyn wrote: > On Wed, Jun 6, 2012 at 8:34 PM, Jimmy Hess wrote: >> Which digital id architecture should web sites implement, and what's >> going to make them all agree on one SSO system and move from the >> current state to one of the possible solutio

Re: Configuration Systems

2012-06-07 Thread Owen DeLong
On Jun 6, 2012, at 7:58 PM, Andrew Latham wrote: > Jonathan > > That is the exact question I have asked myself many times. All of the > major players in Configuration management have a "client" program that > must run and at times requires some libraries that are newer than the > platforms a co

Re: LinkedIn password database compromised

2012-06-07 Thread valdis . kletnieks
On Thu, 07 Jun 2012 13:33:59 -0400, Marshall Eubanks said: > Maybe so, but anonymous entries on linkedin seems like a zen koan, > beyond the powers of my simple mind. There's a distinction between anonymous and pseudonymous. I'm certainly not the former, but to all but maybe a dozen or two NANOG

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
>>> so... now that this can is open, has anyone looked at: >>>   >> >> yep.  yet another bucket of identity slime wanting to resell my >> identity. > > maybe? they don't seem to want to be the 'identity provider' directly > though, or rather they point out that your corpora

AT&T Bucks IPv6 Trend

2012-06-07 Thread Henry Linneweh
Since AT&T has not said much about ipv6, here is their position on it and how they intend to deploy http://www.lightreading.com/blog.asp?blog_sectionid=847&doc_id=221739&f_src=lrdailynewsletter -Henry

Re: LinkedIn password database compromised

2012-06-07 Thread Marshall Eubanks
On Thu, Jun 7, 2012 at 1:30 PM, Tei wrote: > The problem: > - Modern internet users must have lots of different login/passwords around > the internet.  Most of them in easy-to-break poorly-patched poorly-managed > servers,  like linkedin. > > The solution: > -  Reduce the number of authentication.

Re: LinkedIn password database compromised

2012-06-07 Thread Christopher Morrow
On Thu, Jun 7, 2012 at 1:14 PM, Randy Bush wrote: >> so... now that this can is open, has anyone looked at: >>   > > yep.  yet another bucket of identity slime wanting to resell my > identity. maybe? they don't seem to want to be the 'identity provider' directly though, or

Re: LinkedIn password database compromised

2012-06-07 Thread Tei
The problem: - Modern internet users must have lots of different login/passwords around the internet. Most of them in easy-to-break poorly-patched poorly-managed servers, like linkedin. The solution: - Reduce the number of authentication. Allow anonymous posting in more sites. Imagine this.

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
> so... now that this can is open, has anyone looked at: > yep. yet another bucket of identity slime wanting to resell my identity. randy

Re: LinkedIn password database compromised

2012-06-07 Thread Christopher Morrow
On Thu, Jun 7, 2012 at 1:03 PM, Randy Bush wrote: > hi etaoin, > >> I still don't want single sign on.  Not anywhere. > > i believe that 'single sign on' is a bad deal and dangerous for all, not > just we geeks.  essentially it means that the 'identity provider' owns > your identity.  i love that

Re: LinkedIn password database compromised

2012-06-07 Thread Randy Bush
hi etaoin, > I still don't want single sign on. Not anywhere. i believe that 'single sign on' is a bad deal and dangerous for all, not just we geeks. essentially it means that the 'identity provider' owns your identity. i love that they call themselves 'identity providers' when it is MY fracki

Re: AAAA's for www.netflix.com

2012-06-07 Thread Daniel Roesen
On Thu, Jun 07, 2012 at 07:52:29AM -0600, Dave Temkin wrote: > Just to close the loop on this - UltraDNS has an issue with CNAMEs and > their Directional DNS service. We (Netflix) have applied a workaround and > it appears stable. Hm, looking at http://v6launch.ripe.net/, whatever you changed d

Re: LinkedIn password database compromised

2012-06-07 Thread Lynda
On 6/7/2012 8:58 AM, Jared Mauch wrote: On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote: Imagine signing up for a site by putting in your email and pasting your public key. I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in th

RE: LinkedIn password database compromised

2012-06-07 Thread Bruch, Mark
I rarely reply to threads. However the point of interest that is missed is "Not supported anymore because Microsoft says so". So Microsoft starts putting out systems at one per year and not supporting old ones because they "Have you over a barrel"? Tell your daughter she can't get married? You

Re: LinkedIn password database compromised

2012-06-07 Thread Marshall Eubanks
On Thu, Jun 7, 2012 at 11:58 AM, Jared Mauch wrote: > > On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote: > >> Imagine signing up for a site by putting in your email and pasting >> your public key. >> > > I'm imagining my mother trying this, or trying to help her change it after > the hard dri

Re: LinkedIn password database compromised

2012-06-07 Thread Aaron C. de Bruyn
On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch wrote: > I'm imagining my mother trying this, or trying to help her change it after > the hard drive dies and the media in the safe deposit box doesn't read > anymore. I would think it's fairly simple. What if she forgot her existing password? Most s

RE: IPv6 day and tunnels

2012-06-07 Thread Templin, Fred L
Here is Matt's full table and descriptive text: "Note that there is no specific reason to require any particular MTU at any particular rate. As a general principle, we prefer declining packet times (and declining worst case jitter) as you go to higher rates. Actual Visio

Re: LinkedIn password database compromised

2012-06-07 Thread Jared Mauch
On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote: > Imagine signing up for a site by putting in your email and pasting > your public key. > I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in the safe deposit box doesn't read anymo

RE: LinkedIn password database compromised

2012-06-07 Thread Matthew Huff
True, Back in 1998-1999 timeline, there was an ongoing project to have the US Postal service issue X.509 certificates at a nominal fee. The fact that even the most rural areas have access to a post office made a lot of sense. After the 2000 election, the project was cancelled because "private busi

Re: LinkedIn password database compromised

2012-06-07 Thread Aaron C. de Bruyn
On Thu, Jun 7, 2012 at 6:36 AM, Peter Kristolaitis wrote: > On 6/7/2012 9:22 AM, James Snow wrote: >> On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: >>> > "Imagine if the website has a lock on it, and you tell them what key you > want to use by giving them a copy." > "But if th

Re: LinkedIn password database compromised

2012-06-07 Thread JC Dill
On 07/06/12 6:36 AM, Peter Kristolaitis wrote: Plus, now you have the problem of users not being able to login to their favourite websites when they're using a friend's computer, internet cafe, etc, unless they've remembered to bring a copy of their private key with them. I've run into this p

Re: LinkedIn password database compromised

2012-06-07 Thread jeff murphy
On Jun 7, 2012, at 9:58 AM, Leo Bicknell wrote: > In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de > Bruyn wrote: >> Heck no to X.509. We'd run into the same issue we have right now--a >> select group of companies charging users to prove their identity. > ...

Re: LinkedIn password database compromised

2012-06-07 Thread Leo Bicknell
In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: > Heck no to X.509. We'd run into the same issue we have right now--a > select group of companies charging users to prove their identity. Why? A user providing the public half of a self-signed certificate is

Re: AAAA's for www.netflix.com

2012-06-07 Thread Dave Temkin
Just to close the loop on this - UltraDNS has an issue with CNAMEs and their Directional DNS service. We (Netflix) have applied a workaround and it appears stable. -Dave On 6/6/12 8:05 AM, Frank Bulk wrote: I started monitoring IPv6 access to www.netflix.com after seeing this posting (http://

Re: LinkedIn password database compromised

2012-06-07 Thread Peter Kristolaitis
On 6/7/2012 9:22 AM, James Snow wrote: On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: Imagine signing up for a site by putting in your email and pasting your public key. Yes! Yes! Yes! I've been making this exact argument for about a year. It even retains the same "email a

Re: LinkedIn password database compromised

2012-06-07 Thread James Snow
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote: > > Imagine signing up for a site by putting in your email and pasting > your public key. Yes! Yes! Yes! I've been making this exact argument for about a year. It even retains the same "email a link" reset mechanism when someone