Re: [c-nsp] DNS amplification

2013-03-18 Thread Sander Steffann
Hi, > First of all, multihomed sites with its own global routing > table entries bloats the global routing table, which is the > major cause of global routing table bloat and is not acceptable. Sorry, but that is false. Looking at the CIDR report (http://www.cidr-report.org/as2.0/#Gains) the rou

Re: Verizon FIOS filtering?

2013-03-18 Thread joseph . snyder
Did you ever resolve this? Harry Hoffman wrote: >Hi All, > >Does anyone know if Verizon automatically performs network filtering in >response to scanning behavior? > >I'm having some weird connectivity issues to a host and trying to >figure >out why. > >Cheers, >Harry -- Sent from my Android p

Re: [c-nsp] DNS amplification

2013-03-18 Thread Arturo Servin
I think BCP is a solution. Perhaps not complete but hardly any single solution would be suitable for a complex problem as this one. If you are the end-user organization with a multihomed topology you apply BCP38 within your own scope. This will help to have less spoofed

Re: Verizon FIOS filtering?

2013-03-18 Thread Harry Hoffman
Hi All, Sorry, got pulled away on other projects. No, still trying to figure out what's going on. This is traffic originating from FIOS's network. I have a host located in a .edu that is configured to send back icmp host prohibited replies for connections that aren't specifically allowed in the h

Re: [c-nsp] DNS amplification

2013-03-18 Thread Jared Mauch
On Mar 17, 2013, at 8:55 PM, Christopher Morrow wrote: > On Sun, Mar 17, 2013 at 6:36 PM, Arturo Servin > wrote: >> >>They should publish the spoofable AS. Not for public shame but at >> least >> to show the netadmins that they are doing something wrong, or if they >> are trying to d

Re: [c-nsp] DNS amplification

2013-03-18 Thread Masataka Ohta
Dobbins, Roland wrote: >> See draft-ohta-e2e-multihoming-05 for details. > > See for an actual solution > to the problem of routing-table bloat, It is, by no means, a solution. > which has nothing to do with BCP38/84. Locator ID separation has nothing to

Re: [c-nsp] DNS amplification

2013-03-18 Thread Joe Abley
On 2013-03-18, at 08:53, Arturo Servin wrote: > And about the routing table size, it is not multihomed sites the > offenders, it is large ISPs fragmenting because of traffic engineering > or because lack of BGP knowledge. The usual concern with multi-homed end sites is that end sites with

Re: [c-nsp] DNS amplification

2013-03-18 Thread Masataka Ohta
Sander Steffann wrote: > Sorry, but that is false. Looking at the CIDR report > (http://www.cidr-report.org/as2.0/#Gains) the routing table > could shrink from 449k to 258k just by aggregating > announcements. What if, NLIs are aggregated? > That's a reduction of 42.5%. I can't see how multihome

Re: [c-nsp] DNS amplification

2013-03-18 Thread Arturo Servin
Masataka, Do you have data to support your claim? I would say that poor BCP38 deployment is because of a lack of economical incentive. I have only empirical data to support my claim though (which is private conversations with ISPs not doing it and saying that they do not see a co

Re: [c-nsp] DNS amplification

2013-03-18 Thread Masataka Ohta
Arturo Servin wrote: > If you are the end-user organization with a multihomed topology you > apply BCP38 within your own scope. This will help to have less spoofed > traffic. Not solving all the problems but it would help not seeing your > spoofed packets all over the Internet. It does not

Re: Verizon FIOS filtering?

2013-03-18 Thread joseph . snyder
Are you sure the edu isn't triggering any sort of filtering on hosts that do scanning? Harry Hoffman wrote: >Hi All, > >Sorry, got pulled away on other projects. No, still trying to figure >out >what's going on. This is traffic originating from FIOS's network. > >I have a host located in a .edu

Re: [c-nsp] DNS amplification

2013-03-18 Thread Arturo Servin
It does if I am not the sender. .as On 3/18/13 12:10 PM, Masataka Ohta wrote: > Arturo Servin wrote: > >> >If you are the end-user organization with a multihomed topology you >> > apply BCP38 within your own scope. This will help to have less spoofed >> > traffic. Not solving all th

Cisco Security Response: Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

2013-03-18 Thread Cisco Systems Product Security Incident Response Team
ityResponse/cisco-sr-20130318-type4

Re: WW: Bruce Schneier on why security can't work

2013-03-18 Thread Jay Ashworth
- Original Message - > From: "." > This is a problem for the future to solve. Not us. Seriously? > In bioweapons, I think we are still on the "happy hackers era", where > people in a biochemical laboratory in Liverpool have access to some > fungus that can wipe half the city, but don't

Re: [c-nsp] DNS amplification

2013-03-18 Thread Dobbins, Roland
On Mar 18, 2013, at 9:45 PM, Masataka Ohta wrote: > Locator ID separation has nothing to do with routing table bloat. You obviously haven't read through the materials. I'm done feeding trolls for the day. --- Roland Dobbins

using ARIN IP space outside of ARIN region

2013-03-18 Thread Andy Litzinger
We're looking at building into a DC in Europe this year and I wanted to run a few questions by the community and make sure I'm not too far off course. We currently have v4 space from ARIN and operate a multihomed datacenter in the US. This thread from September 2012, though the reverse of my si

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread Bill Woodcock
On Mar 18, 2013, at 3:41 PM, Andy Litzinger wrote: > We're looking at building into a DC in Europe this year and I wanted to run a > few questions by the community and make sure I'm not too far off course. > We currently have v4 space from ARIN and operate a multihomed datacenter in > the US.

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread Jared Mauch
On Mar 18, 2013, at 6:41 PM, Andy Litzinger wrote: > We're looking at building into a DC in Europe this year and I wanted to run a > few questions by the community and make sure I'm not too far off course. > > We currently have v4 space from ARIN and operate a multihomed datacenter in > the

Re: WW: Bruce Schneier on why security can't work

2013-03-18 Thread Jimmy Hess
On 3/18/13, Jay Ashworth wrote: [snip] > In the next 3 years, it will become possible to build an autonomously > navigating aircraft that can a) cross the Atlantic and b) carry a > nuclear weapon. Not only is it already possible to build a human manually navigated aircraft that can do both (a), a

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread Wayne E Bouchard
On Mon, Mar 18, 2013 at 06:50:25PM -0400, Jared Mauch wrote: > > On Mar 18, 2013, at 6:41 PM, Andy Litzinger > wrote> > * Should I use a single AS for both North America and European data > centers? It will be the same small team managing them today but it's not > like the sites are linked to

Re: WW: Bruce Schneier on why security can't work

2013-03-18 Thread Jay Ashworth
- Original Message - > From: "Jimmy Hess" > On 3/18/13, Jay Ashworth wrote: > [snip] > > In the next 3 years, it will become possible to build an > > autonomously > > navigating aircraft that can a) cross the Atlantic and b) carry a > > nuclear weapon. > > Not only is it already possibl

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread Jean-Francois Mezei
This is not authoritative, but a friend in Australia used to routinely be given IP addresses by his residential ISP which geolocated in the USA and a whois revealed they were owned by a US network. Turns out that US network owned the ISP operating in Australia. I do not recall if the AS was speci

Re: WW: Bruce Schneier on why security can't work

2013-03-18 Thread David Walker
In history, people get taken unawares, by their neighbours. We don't implement systems to protect against that - no matter how much betrayal stares us in the face. The price of peace is eternal diligence and no-one writes that cheque. From Troy to Chamberlain - it's not an issue of finding new reg

Re: [c-nsp] DNS amplification

2013-03-18 Thread Masataka Ohta
Dobbins, Roland wrote: >> Locator ID separation has nothing to do with routing table bloat. > > You obviously haven't read through the materials. LISP merely attempts to replace BGP routing table bloat with something a lot worse than that, that is, a lot more serious routing table bloat of its m

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread Matt Palmer
On Mon, Mar 18, 2013 at 03:49:37PM -0700, Bill Woodcock wrote: > HOWEVER, we've been told in the past that space received from ARIN and > used outside the ARIN region did not qualify as "utilization" for the > purposes of justifying new allocations, nor were locations outside the > ARIN region enti

Re: using ARIN IP space outside of ARIN region

2013-03-18 Thread David Conrad
On Mar 18, 2013, at 9:41 PM, Matt Palmer wrote: > Which is ironic, because when we recently applied to ARIN for number > resources to support our US operations, we were told to use our APNIC space > instead. That's just the RIRs protecting you from yourself -- after all, everyone knows IP addre