Re: OpenNTPProject.org

2014-01-16 Thread Pierre Lamy
BCP38 will only ever get implemented if governments and ruling 'net bodies force deployment. There's otherwise very little benefit seen by the access network providers, since the targets are other orgs and the attacks are happening in a different backyard. On 14/01/2014 10:36 AM, Paul Ferguson

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread Blake Hudson
Eric Krichbaum wrote the following on 1/15/2014 5:30 PM: I 100% agree with Nick. But, in dealing with Level3, you need Level3 Members Remarks in your objects to deal with multiple registries etc. They have an ok system that is a nightmare to pull from different datasources with them and they

Re: OpenNTPProject.org

2014-01-16 Thread Dobbins, Roland
On Jan 15, 2014, at 12:05 AM, Saku Ytti wrote: > (We do BCP38 on all ports and verify programmatically, but I know it's not at > all practical solution globally for access). Anti-spoofing is eminently practical for most types of access network topologies using even slightly modern equipment;

Re: OpenNTPProject.org

2014-01-16 Thread Saku Ytti
On (2014-01-16 14:30 +), Dobbins, Roland wrote: > In point of fact, anti-spoofing is most useful and most practical at the > access-network edge, or as close to it as possible. We must disagree on definition of practical. Maybe if I'd reword it realistic we might be closer. It is not going

Re: OpenNTPProject.org

2014-01-16 Thread Dobbins, Roland
On Jan 16, 2014, at 9:56 PM, Saku Ytti wrote: > It is not going to happen, the most suspect places are places where it's > going to be most difficult to get, either fully on autopilot with no technical > personnel capable or having the power to make the change or ghetto gear with > no capabili

"trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Andrew Sullivan
On Tue, Jan 14, 2014 at 09:18:30AM +0200, Saku Ytti wrote: > > mid term, transport area in IETF. DNS, NTP, SNMP, chargen et al. could > trivially change to QUIC/MinimaLT Oh, yes, it'd obviously be trivial to change DNS to use a different transport. This is shown by the massive success of getting

Re: Proxy ARP detection

2014-01-16 Thread Niels Bakker
* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 01:25 CET]: On Jan 15, 2014, at 4:03 PM, Niels Bakker wrote: * c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]: This is where theory diverges nicely from practice. In some cases the offender broadcast his reply, and guess wha

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Rubens Kuhl
On Thu, Jan 16, 2014 at 2:27 PM, Andrew Sullivan wrote: > On Tue, Jan 14, 2014 at 09:18:30AM +0200, Saku Ytti wrote: > > > > mid term, transport area in IETF. DNS, NTP, SNMP, chargen et al. could > > trivially change to QUIC/MinimaLT > > Oh, yes, it'd obviously be trivial to change DNS to use a d

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Christopher Morrow
On Thu, Jan 16, 2014 at 11:27 AM, Andrew Sullivan wrote: > On Tue, Jan 14, 2014 at 09:18:30AM +0200, Saku Ytti wrote: >> >> mid term, transport area in IETF. DNS, NTP, SNMP, chargen et al. could >> trivially change to QUIC/MinimaLT > > Oh, yes, it'd obviously be trivial to change DNS to use a diff

Re: Proxy ARP detection

2014-01-16 Thread Vlade Ristevski
Cisco ASAs still have proxy ARP enabled by default when certain NAT types are configured. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html "Default Settings (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Andrew Sullivan
On Thu, Jan 16, 2014 at 11:32:05AM -0500, Christopher Morrow wrote: > pretty easy to believe that quic would be helpful right? Yes. It's also pretty easy to believe that ditching DNS completely in favour of something without 8 billion warts would be helpful. > seems totally feasible. Certai

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Christopher Morrow
On Thu, Jan 16, 2014 at 11:39 AM, Andrew Sullivan wrote: > On Thu, Jan 16, 2014 at 11:32:05AM -0500, Christopher Morrow wrote: > >> pretty easy to believe that quic would be helpful right? > > Yes. It's also pretty easy to believe that ditching DNS completely in > favour of something without 8 bi

Re: Proxy ARP detection

2014-01-16 Thread Niels Bakker
* vrist...@ramapo.edu (Vlade Ristevski) [Thu 16 Jan 2014, 17:46 CET]: Cisco ASAs still have proxy ARP enabled by default when certain NAT types are configured. That wasn't the question. The question was what equipment would send proxy ARP replies as broadcasts, possibly causing poisoning in

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Andrew Sullivan
On Thu, Jan 16, 2014 at 11:48:56AM -0500, Christopher Morrow wrote: > > I totally agree... I was actually joking in my last note :( sorry for > not adding the ":)" as requisite in email. I'm sorry my humour is now so impaired from reading 1net and other such things that I didn't figure it out! >

Re: Proxy ARP detection

2014-01-16 Thread Warren Bailey
I seem to recall some video encoders doing that, but I can't remember the vendor. Sent from my Mobile Device. Original message From: Niels Bakker Date: 01/16/2014 8:54 AM (GMT-08:00) To: nanog@nanog.org Subject: Re: Proxy ARP detection * vrist...@ramapo.edu (Vlade Ristevsk

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Cb B
On Jan 16, 2014 9:08 AM, "Andrew Sullivan" wrote: > > On Thu, Jan 16, 2014 at 11:48:56AM -0500, Christopher Morrow wrote: > > > > I totally agree... I was actually joking in my last note :( sorry for > > not adding the ":)" as requisite in email. > > I'm sorry my humour is now so impaired from rea

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread Nick Hilliard
On 16/01/2014 14:32, Blake Hudson wrote: > Thanks for the responses, these objects are all older. However, none of > them are stale or from previous owners, allocations, etc. Each of these > objects were posted to their respective IRR's after the IP space was > allocated to us. This leads me to bel

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Andrew Sullivan
On Thu, Jan 16, 2014 at 09:19:44AM -0800, Cb B wrote: > I hate to throw the baby out with the bathwater, but in my network, IPv4 > UDP is overstaying its welcome. Just like IPv4 ICMP in 2001 - 2003, its > fate is nearly certain. I won't speak about the other protocols, but I encourage you to tur

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Cb B
On Jan 16, 2014 9:31 AM, "Andrew Sullivan" wrote: > > On Thu, Jan 16, 2014 at 09:19:44AM -0800, Cb B wrote: > > I hate to throw the baby out with the bathwater, but in my network, IPv4 > > UDP is overstaying its welcome. Just like IPv4 ICMP in 2001 - 2003, its > > fate is nearly certain. > > I w

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Jared Mauch
On Thu, Jan 16, 2014 at 11:39:46AM -0500, Andrew Sullivan wrote: > On Thu, Jan 16, 2014 at 11:32:05AM -0500, Christopher Morrow wrote: > > > pretty easy to believe that quic would be helpful right? > > Yes. It's also pretty easy to believe that ditching DNS completely in > favour of something w

Re: Experiences with Spamhaus BGP DROP, EDROP and BGPCC BGP feeds

2014-01-16 Thread Richard Hesse
Probably not a bug, but par for their technical prowess. The SpamTeq website includes your account number and password in every URI. I'm not sure I'd trust a company that does something as terrible as that to practice good coding elsewhere and not cause major damage with their data feeds. -richard

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Bjoern A. Zeeb
On 16 Jan 2014, at 17:30 , Andrew Sullivan wrote: > On Thu, Jan 16, 2014 at 09:19:44AM -0800, Cb B wrote: >> I hate to throw the baby out with the bathwater, but in my network, IPv4 >> UDP is overstaying its welcome. Just like IPv4 ICMP in 2001 - 2003, its >> fate is nearly certain. > > I won

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Saku Ytti
On (2014-01-16 09:19 -0800), Cb B wrote: > I hope QUIC does not stay on UDP, as it may find itself cut off at the > legs. Any new L4 would need to support both flavours, over UDP and native. Over UDP is needed to be deployable right now and be working for the vast majority of the end users. Native-onl

[NANOG-announce] NANOG Reminders

2014-01-16 Thread Betty Burke
Colleagues: A few reminders regarding the Education Series, Routing Fundamentals, class Sunday, February 9, 2014 and NANOG 60, February 10-12, 2014 in Atlanta, GA. In addition to

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Cb B
On Jan 16, 2014 10:16 AM, "Saku Ytti" wrote: > > On (2014-01-16 09:19 -0800), Cb B wrote: > > > I hope QUIC does not stay on UDP, as it may find itself cut off at the > > legs. > > Any new L4 would need to support both flavours, over UDP and native. Over UDP > is needed to be deployable right now

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread courtneysmith
On 16/01/2014 14:32, Blake Hudson wrote: > Thanks for the responses, these objects are all older. However, none of > them are stale or from previous owners, allocations, etc. Each of these > objects were posted to their respective IRR's after the IP space was > allocated to us. This leads me t

Re: Experiences with Spamhaus BGP DROP, EDROP and BGPCC BGP feeds

2014-01-16 Thread John Levine
In article <030101cf0e0e$71088af0$5319a0d0$@truenet.com> you write: >Looks like a bug, if you stick a 1 in total email users: >Per Year: $504.00 No, that's right. If you're a tiny little network, you can use the public DNS servers for the BL lookups, and you can FTP the text version of DROP

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Andrew Sullivan
On Thu, Jan 16, 2014 at 12:55:18PM -0500, Jared Mauch wrote: > I can point anyone interested to the place in the > bind source to force it to reply to all UDP queries with TC=1 > to force TCP. should be safe on any authority servers, as a recursive > server should be able to do outbound TCP.

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Jimmy Hess
On Thu, Jan 16, 2014 at 10:48 AM, Christopher Morrow < morrowc.li...@gmail.com> wrote: > On Thu, Jan 16, 2014 at 11:39 AM, Andrew Sullivan > wrote: > > On Thu, Jan 16, 2014 at 11:32:05AM -0500, Christopher Morrow wrote: > So... what other options are there to solve the larger problem of: > "So

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Valdis . Kletnieks
On Thu, 16 Jan 2014 13:35:00 -0600, Jimmy Hess said: > Then the client's UDP stack must construct and send a Hashcash proof > of work, of sufficient difficulty based on the estimated query plus > response size, > up to the first full round trip; > containing a message digest of the first

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread Blake Hudson
courtneysm...@comcast.net wrote the following on 1/16/2014 12:26 PM: On 16/01/2014 14:32, Blake Hudson wrote: Thanks for the responses, these objects are all older. However, none of them are stale or from previous owners, allocations, etc. Each of these objects were posted to their respective I

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Mark Andrews
We don't need to change transport, we don't need to port knock. We just need to implement a slightly modified dns cookies which reminds me that I need to review Donald Eastlake's new draft to be. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742

Re: Experiences with Spamhaus BGP DROP, EDROP and BGPCC BGP feeds

2014-01-16 Thread Curtis Doty
On Thu, Jan 16, 2014 at 11:04 AM, John Levine wrote: > If you're a tiny little network, you can > use the public DNS servers for the BL lookups, and you can > FTP the text version of DROP and turn it into firewall > rules or whatever. That's what I do (hack perl scripts > available on request.)

RE: Internet Routing Registries - RADb, etc

2014-01-16 Thread Jon Lewis
On Wed, 15 Jan 2014, Eric Krichbaum wrote: I 100% agree with Nick. But, in dealing with Level3, you need Level3 Members Remarks in your objects to deal with multiple registries etc. They have an ok system that is a nightmare to pull from different datasources with them and they've churned the

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread Nick Hilliard
On 16/01/2014 21:22, Jon Lewis wrote: > Also, at least of the ones I've dealt with, there is no verification of > records as they're entered. on the RIPE IRRDB, there is validation, so you can't just go in and register route: objects for someone else's allocations or assignments. Not sure about t

Re: OpenNTPProject.org

2014-01-16 Thread Mark Andrews
In message <52d7e98b.4040...@userid.org>, Pierre Lamy writes: > BCP38 will only ever get implemented if governments and ruling 'net > bodies force deployment. There's otherwise very little benefit seen by > the access network providers, since the targets are other orgs and the > attacks are hap

Re: Internet Routing Registries - RADb, etc

2014-01-16 Thread Jeroen Massar
On 2014-01-16 23:11, Nick Hilliard wrote: > On 16/01/2014 21:22, Jon Lewis wrote: >> Also, at least of the ones I've dealt with, there is no verification of >> records as they're entered. > > on the RIPE IRRDB, there is validation, so you can't just go in and > register route: objects for someone

Re: OpenNTPProject.org

2014-01-16 Thread Scott Weeks
--- ma...@isc.org wrote: In message <52d7e98b.4040...@userid.org>, Pierre Lamy writes: > BCP38 will only ever get implemented if governments and ruling 'net > bodies force deployment. There's otherwise very little benefit seen by > the access network providers, since the targets are other orgs an

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Jimmy Hess
On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews wrote: > We don't need to change transport, we don't need to port knock. We > just need to implement a slightly modified dns cookies which > reminds me that I need to review Donald Eastlake's new draft to be. > But a change to DNS doesn't solve t

Re: OpenNTPProject.org

2014-01-16 Thread Doug Barton
On 01/16/2014 03:45 PM, Scott Weeks wrote: Many/most CEOs would not have an understanding of what a BCP is and their first response likely would be to ask, "What's the business case?" What I've tried to explain to people is that not being used as a botnet will reduce their outbound traffic. I

Re: OpenNTPProject.org

2014-01-16 Thread Scott Weeks
--- do...@dougbarton.us wrote: From: Doug Barton On 01/16/2014 03:45 PM, Scott Weeks wrote: > Many/most CEOs would not have an understanding of what a BCP is and > their first response likely would be to ask, "What's the business > case?" What I've tried to explain to people is that not being us

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Mark Andrews
In message , Jimmy Hess writes: > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews wrote: > > > We don't need to change transport, we don't need to port knock. We > > just need to implement a slightly modified dns cookies which > > reminds me that I need to review Donald Eastlake's new draft t

Re: Proxy ARP detection

2014-01-16 Thread Jimmy Hess
On Thu, Jan 16, 2014 at 10:51 AM, Niels Bakker wrote: > That wasn't the question. The question was what equipment would send > proxy ARP replies as broadcasts, possibly causing poisoning in other > routers (which still sounds far-fetched to me). > Which current routers will actually _listen_ to

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Cb B
On Jan 16, 2014 5:10 PM, "Mark Andrews" wrote: > > > In message < caaawwbvjkeok-ydweqd4cowj9qaatbc8mkqwnxrsud55+h9...@mail.gmail.com> > , Jimmy Hess writes: > > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews wrote: > > > > > We don't need to change transport, we don't need to port knock. We > > >

Re: "trivial" changes to DNS (was: OpenNTPProject.org)

2014-01-16 Thread Mark Andrews
In message , Cb B writes: > > On Jan 16, 2014 5:10 PM, "Mark Andrews" wrote: > > > > > > In message < > caaawwbvjkeok-ydweqd4cowj9qaatbc8mkqwnxrsud55+h9...@mail.gmail.com> > > , Jimmy Hess writes: > > > On Thu, Jan 16, 2014 at 3:05 PM, Mark Andrews wrote: > > > > > > > We don't need to change

BCP38.info (was: Re: OpenNTPProject.org)

2014-01-16 Thread Jay Ashworth
- Original Message - > From: "Scott Weeks" > And it doesn't require governments, it just requires CEOs with the > gumption to say we are not going to accept routes from you, via > transit or direct, until you publicly state that you are > implementing > BCP38 within your network and th

Windows Update subnets

2014-01-16 Thread shawn wilson
Does anyone have a list of all of the ranges Microsoft uses for Windows Update? I've found domains but not a full list of subnets.

Re: Windows Update subnets

2014-01-16 Thread joel jaeggli
I think you'll find that windows update heavily leverages 3rd party CDN providers as well as their own... http://technet.microsoft.com/en-us/library/cc627316.aspx On 1/16/14, 11:04 PM, shawn wilson wrote: > Does anyone have a list of all of the ranges Microsoft uses for > Windows Update? I've fou