essage-
> From: George Herbert [mailto:george.herb...@gmail.com]
> Sent: Friday, September 28, 2012 11:17 PM
> To: John R. Levine; George Herbert
> Cc: Tomas L. Byrnes; nanog@nanog.org
> Subject: Re: IPv6 Ignorance
>
> My customer the Dark Matter local galaxy group beg to disag
You won't have enough addresses for Dark Matter, Neutrinos, etc. Atoms
wind up using up about 63 bits (2^10^82) based on the current SWAG. The
missing mass is 84% of the universe.
> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com]
> Sent: Monday, September 17, 2012 8:30 PM
> To
For anyone who wants to find any hosts behind their firewall that are
still infected, you can post a firewall log into our public site, and
we'll call out all attempts to contact the sinkhole servers (with the
internal IPs), assuming you log outbound DNS or all connections.
http://www.threatstop.c
id:
> > So instead of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of
> > response
>
> Not all DNS lookups are for HTTP.
[Tomas L. Byrnes]
It's still better to do this than simply turn off all resolution.
I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.
> -Original Message-
> From: Andrew Fried [mailto:andrew.fr...@gmail.com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog@nanog.org
> Subject:
Because no-one who could do it for less can afford to respond to government
contracts, and make sure they comply with all the applicable laws and
regulations, and keep the sort of records, and be prepared for the audits of
said records, required.
As soon as you do business with the govt, the ov
While the DISA STIGs are probably the archetype, you have to start with
whatever the sponsoring or certifying authority uses, if you need to
pass some audit later.
Those almost always reference NIST docs:
http://www.nist.gov/itl/publications.cfm?defaultSearch=false&authorlist=&keywords=&topics=3
orld population of 7 billion, you certainly can't
> >have "Internet [...] for everyone" with only 4 billion IP addresses,
> >unless you put a *lot* of NAT in place.
>
> What's the average household size, especially in developing countries.
> And does "everyo
There's more to it than just that Facebook themselves occasionally fit
the profile of a spammer, and so some of the more stringent networks may
filter mail from them.
Facebook is a major source of drive-by malware, and some of the apps on
Facebook tread close to the spyware/adware/parasite line an
ou should not randomly respond to packets at arbitrary rates. If you
> do, you are being a bad Netizen for exactly this reason. See things
> like amplification attacks for why.
>
> Of course, if you can get proper responses, say TCP sequence numbers,
> proving the other side really is
a bad
> actor can originate packets with a forged source address and I
> wouldn't want to abuse your network with unwanted echo-replies,
> syn-acks and rejs.
>
> Regards,
> Bill Herrin
[Tomas L. Byrnes]
Maybe he should avoid any traffic on any non Point to Point only link with
Right, because GCHQ doesn't/hasn't/never would do such a thing...
At least the US has a written constitution and the concept of the people being
sovereign.
I'll take that over trusting "Her Majesty's..." whatever.
But then again, I'm Irish, so I have a bit more direct personal and familial
exp
n Feb 17, 2010, at 3:51 PM, Tomas L. Byrnes wrote:
>
> >> In summary, could someone educate me on the benefits of having RNSes
> >> outside your network?
> >>
> > [Tomas L. Byrnes] We were a small regional ISP with only one main POP at
> > the time.
> -Original Message-
> From: Nick Hilliard [mailto:n...@foobar.org]
> Sent: Wednesday, February 17, 2010 12:56 PM
> To: Tomas L. Byrnes
> Cc: NANOG list
> Subject: Re: History of 4.2.2.2. What's the story?
>
> On 17/02/2010 20:51, Tomas L. Byrnes wrote:
>
> In summary, could someone educate me on the benefits of having RNSes
> outside your network?
>
[Tomas L. Byrnes] We were a small regional ISP with only one main POP at
the time.
We actively sought reciprocal secondaries, and offered and received
reciprocal query hosts, from other regional ISPs when I was CTO @ ADN.
We saw it as "strengthening the regional Internet".
So our users used CTSnet as their tertiary NS, and CTSNet used ours, FE.
Of course, not CTS/CARI and ADN
issues of pathological
traffic in the bearer channel interrupting your control traffic (as with ISDN
subscriber trunks).
> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com]
> Sent: Tuesday, February 16, 2010 7:56 PM
> To: Tomas L. Byrnes
> Cc: Nick Hilliard; NANOG li
As in SS7, which has successfully managed the phone system for decades,
where the control and data plane are explicitly separated?
There's significant theoretical work, backed up with lots of practical
experience connecting a lot more nodes in real time in a lot more places
than the Internet curre
The MEF has a set of specs for this.
http://metroethernetforum.org/
In general, it's built as a "dumb pipe" virtual circuit, IE your client
BPDUs and other IEEE 802.* signaling are ignored, as they are
encapsulated, and forwarded explicitly to a given port. What you do on
the switch that gets th
He's also assuming that US on-shore law applies, which it doesn't when
any one party is a non-US person, at which point it passes to the realm
of National Security.
-Original Message-
From: Paul Ferguson [mailto:fergdawgs...@gmail.com]
Sent: Wednesday, December 30, 2009 8:12 PM
To: Keith
I actually proposed this (bounced it off Paul Mockapetris and Dave
Roberts at the time), and we did it for our internal routing in the
co-lo/hosted apps, when I was CTO at American Digital Network
(1996-1998). Basically, SNMP and our IGPs as well as IBGP rode a totally
private RFC 1918 network that
>-Original Message-
>From: Bradley Freeman [mailto:bradley.free...@csirt.ja.net]
>Sent: Tuesday, August 11, 2009 6:37 AM
>To: 'NANOG'
>Subject: RE: Botnet hunting resources
>
>I'm surprised that nobody has mentioned the work of shadowserver.org, they
>are able to send reports of malware in
>Why do you think this might be? Fear of (extralegal) retaliation by
>botnet owners? or fear of getting sued by listed network owners?
[TLB:] No more than any anti-spam RBL
>or is the idea (shunning packets from ISPs that host botnets) fundamentally
>unsound?
>
[TLB:] That's an ongoing ragi
That host is not on any ThreatSTOP lists. (DShield, Cyber-TA,
Shadowserver, and several others).
>-Original Message-
>From: jamie [mailto:j...@arpa.com]
>Sent: Sunday, July 26, 2009 7:48 PM
>To: nanog@nanog.org
>Subject: Re: AT&T. Layer 6-8 needed.
>
>img.4chan.org is the biggest site
Give Vyatta on a decent x86 server a try.
http://www.vyatta.com/downloads/appbrief/Vyatta_app_BGP.pdf
-Original Message-
From: Mark Radabaugh [mailto:m...@amplex.net]
Sent: Friday, July 10, 2009 9:42 AM
To: nanog list
Subject: BGP Growth projections
I'm looking for new core routers for
>People bitch and whine about free services more than when they actually
>pay for something. Sad.
That's the nature of people who want something for nothing. When you charge,
even a little bit, you select the bottom part of the gene pool out of your
client base.
Overhead shmoverhead.
Seriously, we're fighting over the non-issue. It's not the "wasted"
0.02% of bandwidth (@ 1Gbps) that's the issue. It's the utility of a
"come as you are" "plug and play" network that "Ethernet" (which really
loosely means all IEEE 802 protocols) provides, which the current
The fundamental disconnect here is that a bunch of Layer 3 guys are
trying to define Layer 2.
History shows us that Layer 2 winds up being IEEE, and Layer 3 IETF.
ITU-T and others write long "standards" that wind up not being so, due
to too many "options", while spending lots of money and keeping
>-Original Message-
>From: Frank Bulk [mailto:frnk...@iname.com]
>Sent: Saturday, July 04, 2009 4:51 PM
>To: 'JC Dill'
>Cc: na...@merit.edu
>Subject: RE: Using twitter as an outage notification
>
>So does twitter address the mass public,
[TLB:]
The whole point of Twitter is that it wor
>
>Earth is a single point of failure, where is your backup site?
[TLB:] Given that all my customers are on Earth, I don't need one if my
customers also are "down".
This begs the question of what basic parameters should be for a "carrier
hotel" or co-lo.
Given that we're getting designated "Critical Infrastructure", we'd
better start coming up with some, or we'll have them defined for us.
The old NEBS standards were too much of a straightjacket, but the
curr
Even more off-topic: What he said.
I've brought WINE back into the US as checked luggage from wine tasting
trips abroad, but I had printed out all the applicable regulations,
declared it, and had a cashier's check ready for the tariff, and I STILL
had to deal with a supervisor.
The guy at the air
I've found Avocents to be a nightmare, and the company to be horrible to
deal with.
They work fine as a local console switch, but they are absurdly
expensive for that use. The rest of their features are byzantine in
implementation and usage, and their support and licensing policies
exorbitant.
Ol
Disclaimer: I have a dog in this fight, since ThreatSTOP is dependent on
DNS/TCP.
>-Original Message-
>From: Mark Andrews [mailto:mark_andr...@isc.org]
>Sent: Thursday, May 14, 2009 4:59 PM
>To: John Levine
>Cc: nanog@nanog.org; r...@seastrom.com
>Subject: Re: you're not interesting,was Re
All well from Cox in San Diego:
PING googlemail.l.google.com (74.125.19.18) 56(84) bytes of data.
64 bytes from cf-in-f18.google.com (74.125.19.18): icmp_seq=0 ttl=246 time=32.9 ms
64 bytes from cf-in-f18.google.com (74.125.19.18): icmp_seq=1 ttl=246 time=33.7 ms
64 bytes from cf-in-f18.google.com
ilto:k...@theangryangel.co.uk]
>Sent: Thursday, May 14, 2009 1:10 AM
>To: Tomas L. Byrnes
>Cc: na...@merit.edu
>Subject: Re: questions about DVFS in saving energy
>
>Tomas L. Byrnes wrote:
>> Basically the CPU scaling on the host makes the guest OS fall apart.
>>
>Apologi
o:neno...@systeminplace.net]
>Sent: Wednesday, May 13, 2009 3:20 PM
>To: Tomas L. Byrnes; Kai Chen; na...@merit.edu
>Subject: Re: questions about DVFS in saving energy
>
>Xen handles the AMD HE CPUs just fine here. What sort of breakage are
>you experiencing?
>
>William
>------Original Mes
-Original Message-
From: Kai Chen [mailto:kch...@eecs.northwestern.edu]
Sent: Wednesday, May 13, 2009 12:25 PM
To: na...@merit.edu
Subject: questions about DVFS in saving energy
Hi, could anyone here have some idea of the following questions about
Dynamic Voltage/Frequency Scaling techni
Anyone who reads their description of it would be:
http://www.uceprotect.net/en/index.php?m=3&s=5
Are you one of the ASes they blacklist on that list?
>-Original Message-
>From: Seth Mattinen [mailto:se...@rollernet.us]
>Sent: Thursday, May 07, 2009 11:44 AM
>To: nanog@nanog.org
>Subje
7 170 ms 163 ms 167 ms cr2-pos-0-3-0-2.sanfrancisco.savvis.net [204.70.95.25]
8 * 208 ms * cr1-tengig-0-15-0-0.NewYork.savvis.net [204.70.16.117]
9 170 ms * * kar1-ge-0-0-0.newyork.savvis.net [204.70.193.1]
10 *** Request timed o
[mailto:mar...@airwire.ie]
>Sent: Wednesday, December 24, 2008 11:06 AM
>To: Tomas L. Byrnes
>Cc: nanog@nanog.org
>Subject: Re: What to do when your ISP off-shores tech support
>
>Tomas L. Byrnes wrote:
>> Sounds like a business opportunity to me.
>>
>> Given any thou
Sounds like a business opportunity to me.
Given any thought to Sprint EV-DO?
>-Original Message-
>From: Matthew Black [mailto:bl...@csulb.edu]
>Sent: Wednesday, December 24, 2008 10:02 AM
>To: Tomas L. Byrnes; chaim.rie...@gmail.com; Jay Hennigan
>Cc: nanog@nanog.org
>
Cox Communications has fully on-shore support. Here in SD they are
actually LOCAL.
Their TS staff are responsive and courteous. I only wish their network
were more reliable. (They're better than SBC in my experience, however.)
>-Original Message-
>From: chaim.rie...@gmail.com [mailto:ch
What I was describing is filtering the announcements of /24s that are
part of larger allocations. Not filtering the announcements of "The
Swamp".
>-Original Message-
>From: Skywing [mailto:skyw...@valhallalegends.com]
>Sent: Monday, December 22, 2008 7:08 PM
>To: valdis.kletni...@vt.edu;
BGP Hijacking.
Fully peered network A accepts routes from its peers based on prefix
allocation to AS maps.
Network B, which is either pathological (criminal, or bent on
censorship) or lacking clue, propagates /24 subnet of Network C's CIDR
(Pakistan/YouTube anyone).
If network A accepts Network
Because anyone with half a brain blocks proxies from their e-commerce
site.
>-Original Message-
>From: Owen DeLong [mailto:o...@delong.com]
>Sent: Friday, December 12, 2008 3:49 PM
>To: Nathan Stratton
>Cc: nanog@nanog.org
>Subject: Re: Netblock reassigned from Chile to US ISP...
>
>
>On D
We probably should move this to funsec, but I'll bite.
The basic problem is the lack of security and non-repudiation in credit
cards in general, and the US in particular. Non-clonable, card-present,
technologies have existed for a long time, and card readers are cheap.
AMEX tried to make this fre
If they had made any decent investment in plant, or had not run the DSL
CLECs out of business, they could make money on DSL and Video services,
or by leasing the unused copper.
There's no sympathy for companies that have been nothing more than
obstacles to progress.
>-Original Message-
>
A Marine VHF works under almost any circumstances, and anywhere coastal
in the world. You can almost always reach the Coast Guard.
>-Original Message-
>From: Marshall Eubanks [mailto:[EMAIL PROTECTED]
>Sent: Thursday, December 04, 2008 4:56 AM
>To: Russell J. Lahti
>Cc: nanog@nanog.org;
>
>Fault free datacenters include neither people, nor computers, nor
>connectivity, nor HVAC, nor electricity. If you can eliminate those
>things you will have a 100% uptime datacenter.
>
>Andrew
Is this the network equivalent of Yin and Yang, or Darkness and Light
being the same?
Perhaps it is
This sort of thing is usually done with some sort of multi-port outbound
NAT device that chooses the source interface to NAT from based on some
"quality" metric it generates for the destination, and a state table it
keeps for all the outside IPs.
Products that do this include FatPipe, Radware Link
-Original Message-
From: Tomas L. Byrnes
Sent: Tuesday, November 04, 2008 4:08 PM
To: 'Niels Bakker'
Subject: RE: Sprint v. Cogent, some clarity & facts
There was nothing in my post advocating free transit or peering. I
merely pointed out that peering only with
The concept of "Transit Free" is a political failure, not a technical
one.
The protocols are designed, and the original concept behind the Internet
is, to propagate all reachability via all paths. IE to use Transit if
peering fails.
Not doing so is a policy decision that breaks the redundancy in
Well put. The etymology of the whole mindset around peering is a legacy
from the academic/socialist roots of the Internet. There are still a
great number of people who think this is some kind of social engineering
experiment, as opposed to a communications infrastructure run by, and
for the benefit
As with all things, this isn't so cut and dried as everyone makes it
seem. The OP was asking for an easy answer to a complex question, which
usually shows a lack of understanding of the issues, or is an attempt to
provoke controversy.
So far, most of the discussion has focused on peering as a subs
Not using that prepended route is exactly what the point of the prepend
is, so that's not "punishment".
It may, in fact, be exactly what they're trying to get you to do.
>-Original Message-
>From: Jon Lewis [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, October 22, 2008 8:17 PM
>To: Mike Le
If P2P became IPV6, and therefore universally endpoint addressable, and
therefore seeded by every download, as opposed to solely seeded by those
who have enough clue to configure the inbound ports through their IPV4
NAT, then the bandwidth problem should solve itself, at least for the
widely popula
http://www.ipitek.com/products/broadband/ethernet.htm
used by Cox and others.
http://www.ipitek.com/products/subsystems/transceivers.htm
Certified to 120Km, you may be able to run it further.
>-Original Message-
>From: Tim Durack [mailto:[EMAIL PROTECTED]
>Sent: Friday, October 10, 20
People, and manage them appropriately.
>-Original Message-
>From: Sean Donelan [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 07, 2008 11:07 AM
>To: [EMAIL PROTECTED]
>Cc: nanog@nanog.org
>Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber
>counterattack system (Einstein 3.0)
>
>
To some extent, you're both right. I actually have some background in
this, so bear with me.
The telecom business is, fundamentally, about wringing as much marginal
additional cash flow out of your fixed infrastructure and operations
costs as possible. There are variances around the margins, such
Am I the only one who read that as intending to be "Veneer", a thin
covering to make it look like, even if the subsurface reality is the raw
randomness of particle board?
I would note that; while it seems like the OP wanted to say that we were
to make the process of running outlaws out of town (wh
Or the highly likely scenario that the primary gateway accessible to the
survey tool is some load balanced SPAM filtering cluster, and not the
MTA in use as final delivery.
> -Original Message-
> From: William Pitcock [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 25, 2008 1:28
Welcome to the Internet version of "Too big to fail".
I like the corollary: If it's too big to fail, it's too big, and needs
to be broken up.
Otherwise, we get an oligarchy,
> -Original Message-
> From: Seth Mattinen [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 17, 2008 11:27 AM
You're missing one of the basic issues with bogon sources: they are
often advertised bogons, IE the bad guy DOES care about getting the
packets back, and has, in fact, created a way to do so.
This is usually VERY BAD traffic, and EVEN WORSE if a user goes TO a
site hosted in such IP space.
So, Bo
If all you're using is BGP null routes, that's true. I would posit that
BCP include Prefix filtering and ACLs as well, with dynamic updates.
YMMV.
> -Original Message-
> From: Chris Adams [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is
ACLs
> -Original Message-
> From: Pete Templin [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 17, 2008 5:57 PM
> To: Tomas L. Byrnes
> Cc: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> Tomas L. Byrnes wrote:
> > Since there
In the case of routers and firewalls, managing your block lists
dynamically is akin to checking the oil. Which is something too few car
owners do as well.
It's also relatively easy to do:
For firewalls, I came up with ThreatSTOP to make this simple for
everyone.
Team Cymru has been doing this
Since there are ways to dynamically filter the bogons, using BGP or DNS,
I don't really see the need to stop doing so. If you're managing your
routing and firewall filters manually, you have bigger problems than the
release of Bogon space.
It's not just the number of attacks that is the issue, bu
Unix machines set up by anyone with half a brain run a local caching
server, and use forwarders. IE, the nameserver process can establish a
persistent TCP connection to its trusted forwarders, if we just let it.
That old sneer we used to use against Windows users of not having a
"full featured hos
-Original Message-
From: Tomas L. Byrnes
Sent: Saturday, August 09, 2008 9:01 PM
To: 'Chris Paul'
Subject: RE: maybe a dumb idea on how to fix the dns problems i don't
know
Actually, the RFCs (RFC-1034 3.7, RFC-1035 4.2, ref RFC-793;
Implementation spec in RFC-1035
There's a big difference between the airlines hiking fares for future
flights, which you can see when searching, and choose the competition;
and companies adding "surcharges" to pre-existing contracts, some with
terms and penalties for termination; all of which have a relatively high
switching cost
Between a potential problem with privacy, and an actual problem with
having my sessions redirected to the RBN, I'll take the privacy risk.
YMMV.
> -Original Message-
> From: Martin Hannigan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2008 9:13 PM
> To: Suresh Ramasubramanian
If you do invert, don't forget the cooling budget. Inverters run HOT!
> -Original Message-
> From: Tim Jackson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2008 5:36 PM
> To: Andreas Ott; [EMAIL PROTECTED]
> Subject: Re: big DC -48V to AC inverters
>
> Unipower out of florida.
As you pointed out, the protocol, if properly implemented, addresses
this.
There should always be Glue (A records for the NS) in a delegation. RFC
1034 even specifies this:
4.2.2
As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should
> >> On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> >>
> >>> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
> >>>
> >>>> The problem is, once the ICANNt root is self-signed, the hope of
> >>>> ever revoking that dysfunctional mess as authority is gone.
> >>>>
> >>>
>
The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.
Perhaps the IETF or DoC should sign the root, that way we have a prayer
of wresting control from ICANN, as opposed to paying a tax, in
perpetuity, for registration services
PROTECTED]; [EMAIL PROTECTED]; Tomas
L. Byrnes
Subject: Re: Independent Testing for Network Hardware
Isocore is good, but there are many others to choose from:
Network Test, ExtremeLabs, Miercom, Core Competence, Opus One, in no
particular order. I can personally
For independent testing, Kevin Tolly's been at it a long time, and has
shown himself to be fair.
http://www.tolly.com/
> -Original Message-
> From: Sean Hafeez [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 18, 2008 2:07 PM
> To: Frank P. Troy
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED
Please contact me off-list.
Tomas L. Byrnes
ByrneIT
Phone (it will find me): 760.444.4727
Text Message: [EMAIL PROTECTED]
e-mail: [EMAIL PROTECTED]
IM: MSN Messenger [EMAIL PROTECTED]
The real solution to the scorched earth problem is for aging from
blacklists to be dynamic.
If a given IP hasn't spammed or otherwise been naughty in some period of
time, and the RP contact information for that netblock exists and
responds, then the benefit of the doubt should go to the netblock
Shouldn't we take all the ICANNt and DNS Related stuff to
dns-operations?
-Original Message-
From: Jay R. Ashworth [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2008 11:48 AM
To: nanog@nanog.org
Subject: Re: what problem are we solving? (was Re: ICANN opens
up Pandora's Box of
On T
ginal Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 27, 2008 8:33 PM
> To: Tomas L. Byrnes
> Cc: Christopher Morrow; Roger Marquis; nanog@nanog.org
> Subject: RE: ICANN opens up Pandora's Box of new TLDs
>
> On Fri, 27 Jun 2008, Tomas L. Byrnes w
These issues are not separate and distinct, but rather related.
A graduated level of analysis of membership in any of the sets of:
1: Recently registered domain.
2: Short TTL
3: Appearance in DShield, Shadowserver, Cyber-TA and other sensor lists.
4: Invalid/Non-responsive RP info in Whois
Cr
If they assign .local, they will break the default for AD, especially
SBS, Apple Rendezvous, anything using mDNS/Zeroconf, and a lot of other
"local significance only" uses of DNS, or, which is more likely, the
domains in .local will find themselves unresolvable from a very large
portion of the Int
Followed by .bites
And .rules and .rules
And so the DNS descends into anarchy, and search engines become more
empowered.
Cacophony merely empowers those who control the amp.
> -Original Message-
> From: Marshall Eubanks [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 26, 2008 5:20 P
You can easily make IP reputation scale to IPV6 using the APL RRTYPE.
See RFC3123
> -Original Message-
> From: Colin Alston [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 8:18 AM
> To: Paul Vixie
> Cc: [EMAIL PROTECTED]
> Subject: Re: EC2 and GAE means end of ip address reput
Barracuda, or you could build the exact same thing using OSS.
Procmail, SpamAssassin, ClamAV, and your choice of RBLs (or use
Karmasphere to custom roll a hybrid one).
> -Original Message-
> From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 7:16 AM
>
Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is
And there is also no black market in credit card, social security, and
PIN numbers.
"See no evil, hear no evil, fear no evil"
> -Original Message-
> From: Randy Bush [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 17, 2008 10:56 PM
> To: Suresh Ramasubramanian
> Cc: nanog@nanog.org
> S
First: if you don't allow TCP queries, then you're going to break lots
of recent applications for DNS.
Second: unless your server and resolver support EDNS0, there is no way
to increase the size of a UDP response, and even then, it's not large
enough for many applications (ENUM, TXT, APL, etc.).
Perhaps the NYPD are not worried about Geeks bearing Gifs?
> -Original Message-
> From: Steve Feldman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 03, 2008 7:14 PM
> To: [EMAIL PROTECTED]
> Cc: nanog@nanog.org; Fisher, Shawn
> Subject: Re: NANOG NYC Event
>
>
> On Jun 3, 2008, at 8
before the endless September back?
> -Original Message-
> From: Iljitsch van Beijnum [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 07, 2008 2:40 PM
> To: Tomas L. Byrnes
> Cc: [EMAIL PROTECTED]
> Subject: Re: [NANOG] Microsoft.com PMTUD black hole?
>
> On 7 m
nal Message-
> From: Nathan Anderson/FSR [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 07, 2008 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [NANOG] Microsoft.com PMTUD black hole?
>
> Tomas L. Byrnes wrote:
>
> > The remedy you have below is NOT the only on
Some Edumacation on the topic is here:
http://www.netheaven.com/pmtu.html
> -Original Message-
> From: Iljitsch van Beijnum [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 07, 2008 1:35 PM
> To: Michael Sinatra
> Cc: [EMAIL PROTECTED]
> Subject: Re: [NANOG] Microsoft.com PMTUD black h
The remedy you have below is NOT the only one, and is, in fact, a
non-sequitur in this case.
PMTUD uses the DF (for Don't_Fragment) bit, and works by getting an ICMP
Fragmentation needed response from the hop on the path where the packet
is too large, not a fragmentation and forward, so the union
I'm not sure what the issue is here.
Just about every modern firewall I've used has an option to enable PMTU
on interfaces, while blocking all other ICMP.
Is MS not running something manufactured in the last 10 years at their
perimeter?
> -Original Message-
> From: Nathan Anderson/FSR
Interestingly, Windows XP, Sp3, released today, describes changes in
PMTUD behavior.
Black Hole Router detection is now on by default:
http://download.microsoft.com/download/6/8/7/687484ed-8174-496d-8db9-f02b40c12982/Overview%20of%20Windows%20XP%20Service%20Pack%203.pdf
> -Original Messag
I'm not sure that I would tar everyone who does NXDOMAIN remapping with
the same brush as SPAM and DDOS. Handled the way OpenDNS does, on an
opt-in basis, it's a "good thing" IMO.
I would also say that disaggregating and remarketing dark address space,
assuming it's handled above board and in a wa
In my experience, ATT(SBC at that time) hit over its effective capacity
(over 50% average utilization, and therefore no redundancy) around 2001.
At least for clients I was working with, it was always evident that they
didn't have enough capacity in any node to carry the traffic if they had
a probl