u control of the packets on the wire
like a private network does, so that theory doesn't work.
--
Nathan Ward
esn't rely on context, and quality degrades during packet loss
before you get silence.
The i stands for Internet - so no surprise it works great in typical
Internet conditions.
--
Nathan Ward
On 16/11/2008, at 5:30 PM, Matthew Moyle-Croft wrote:
Is the spam SMTP meant to be originating from the McColo ranges or
is it being used to control other machines elsewhere?
The latter.
--
Nathan Ward
. I'm not sure that needs to be globally
reachable. Maybe to stop uRPF breaking ICMP messages if routers on the
exchange respond from their interface address.. though.. I'd prefer to
make my routers respond from loopback or something.
--
Nathan Ward
[1] Maybe I mean a
- L2VPNs
Because of this, VLAN tag re-write is not an extra feature - it is a
core component of how switching works across the platform.
They really seem to have thrown away a whole bunch of conventional
thinking, and the result is, in my opinion, really quite good.
--
Nathan Ward
[1] I beli
time, however when that non-RFC1918 address is
behind NAT, or some sort of packet filter, then it doesn't work so
well, and the client does not have a way to detect that reliably.
--
Nathan Ward
here on umpteen
million PCs that aren't going to do their patches.
I still plan to.. hopefully I'll get around to it when I feel a bit
less jaded :-)
--
Nathan Ward
On 20/11/2008, at 11:05 AM, Jack Bates wrote:
Nathan Ward wrote:
The problem here is XPSP2/Vista assuming that non-RFC1918 =
unfiltered/unNATed for the purposes of 6to4.
Well, deeper problem is that they're using 6to4 on an end host I
suppose - it's supposed to be used on routers.
tcpdump_filters/malik_tcpdump_filters.html
You might also consider using netflow instead of tcpdump, there are
lots of tools available for processing netflow data in ways that are
useful to network operators.
--
Nathan Ward
om.300 IN NS yf2.yahoo.com.
;; ADDITIONAL SECTION:
yf1.yahoo.com. 1800 IN A 68.142.254.15
yf2.yahoo.com. 1800 IN A 68.180.130.15
;; Query time: 15 msec
;; SERVER: 68.180.131.16#53(68.180.131.16)
;; WHEN: Wed Dec 3 15:35:07 2008
;; MSG SIZE rcvd: 105
--
Nathan Ward
. If anyone knows of some software that works well for this
I would appreciate letting me know.
iPerf.
--
Nathan Ward
other possibilities.
Sad but true, we have had to turn off signups outside the US because of
that very problem. Yes, I am sure we lose some sales, but in general it is
not worth the fraud costs.
Nathan Stratton, CTO, BlinkMind, Inc.
nathan at r
cted so I stuck with it.
--
Nathan Ward
[1] I only tried with FreeBSD, I'm told OpenBSD is similar.
ter than regular Linux forwarding a few years ago,
and I imagine would still do so.
The XORP routing suite supports various different FIBs, including Click.
http://read.cs.ucla.edu/click/
--
Nathan Ward
s_&_events/press_release_080429_snort.php
Not sure if anyone has them in products at the moment though.
--
Nathan Ward
Hi Marc,
> We are a software development firm that currently delivers our install ISOs
> via Sourceforge. We need to start serving them ourselves for marketing
> reasons and are therefore increasing our bandwidth and getting a 2nd ISP in
> our datacenter. Both ISPs will be delivering 100mbit/
IUS or
TACACS+!
--
Nathan Ward
#x27;s might
have better examples, but I've often used this one as being pretty good.
(whois -h whois.radb.net AS3356)
--
Nathan Ward
he aggregate as well, one could find themselves
facing random black holes.
People are filtering /24s without a 0/0 route?
--
Nathan Ward
On 23/12/2008, at 2:24 PM, Seth Mattinen wrote:
Nathan Ward wrote:
On 23/12/2008, at 1:31 PM, Seth Mattinen wrote:
Anyone running a platform that can't take a full table would apply
such a filter to weed out anyone who likes to announce all of
their space as /24's for "traf
On 23/12/2008, at 2:39 PM, Joe Provo wrote:
On Tue, Dec 23, 2008 at 02:34:39PM +1300, Nathan Ward wrote:
[snip]
Let me rephrase; Are there people who are filtering /24s received
from
eBGP peers who do not have a default route?
of course.
Curiously, it was really meant as a rhetorical
ready do that internally as an
optimisation when installing routes in to the forwarding hardware?
You would have to still have the routes in your RIB but RIB RAM is
cheap(er).
--
Nathan Ward
l process.
--
Naveen Nathan
To understand the human mind, understand self-deception. - Anon
Thanks to everyone who took the time to respond with their ideas.
To those who asked, the client didn't provide details on the application.
However they were insistent that it wasn't possible to have it run in an
active/active configuration, so load balancing at either the application
or BGP level
Hammertime.
On Mon, Jan 12, 2009 at 1:11 AM, Aaron Imbrock wrote:
> Stop
>
>
>
>
nt is required to all the intermediary ASNs because of uRPF.
--
Nathan Ward
[1]
http://www.apricot.net/apricot2007/presentation/conference/plenary3-randy-bogon.pdf
You're not the only one. I'm not getting anything from my home Verizon
access, either.
On Tue, Jan 13, 2009 at 3:42 PM, S. Ryan wrote:
> Anyone else having trouble reaching plaxo.com? Nothing urgent. I can't
> seem to get there via Level 3 or via 360 Networks.
>
> Both die around here:
>
> 10
Here's a question that's been bugging me the whole thread, and it's a
bit of a newbie one. How is this different than someone faking SMTP
headers to make it seem like an email came from my domain when it
didn't? I'm talking in terms of morals, obviously; I understand the
technique is different.
On
e is a new initiative
for another technology to secure BGP.
--
Naveen Nathan
> policy was consistent with their Do No Harm motto?
Google's motto is Do No Evil, not Do No Harm.
ld will follow suit and the bad guys win! yay! :)
Short of getting the rest of the world to properly implement ingress
filtering (ha, ha), I think dropping the specific packets that
generate the reflected traffic is good enough for now. The load on the
reflectors is minimal.
Nathan.
Not only that, but the gMail logo is missing from my gMail for Domains page.
On Sat, Jan 31, 2009 at 10:06 AM, Frank wrote:
> confirmed. same here manila, philippines.
>
> On Sat, Jan 31, 2009 at 10:57 PM, Adam Young > wrote:
>
>> Peter Beckman wrote:
>> > This morning whilest Googling, I got a b
Google's back on my connection on Verizon in the Northeast US.
On Sat, Jan 31, 2009 at 10:25 AM, Murtaza wrote:
> fine in Pakistan.
>
> On Sat, Jan 31, 2009 at 8:15 PM, S, Somasundaram (Somasundaram) <
> somasundara...@alcatel-lucent.com> wrote:
>
>> confirmed..here in India too...
>>
>> ---
hink you will find that "most ISPs, if not all" in the DFZ "null
route" 0.0.0.0/0.
If they don't have a route covering 1.0.0.0/8, of course packets
destined to that prefix will be dropped.
--
Nathan Ward
that it
just gives you 2^96 more addresses to repeat all the old mistakes
with.
Not quite..
2^96 = 79228162514264337593543950336
2^128-2^32 = 340282366920938463463374607427473244160
--
Nathan Ward
e internal recursive DNS server addresses that the DHCPv6 server
hands out.
If they are so inclined, they might even re-number dynamically if they
get their prefix using PD.
--
Nathan Ward
er v6.
Don't advertise v4 prefixes in v6 sessions, keep them separate.
If you do, you have to do set next-hops with route maps and things,
it's kind of nasty.
Better to just run a v4 BGP mesh and a v6 BGP mesh.
--
Nathan Ward
On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:
Nathan Ward wrote:
On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
- Currently, (as I write), I'm migrating my entire core from IPv4 to
IPv6. I've got the space, and I love to learn, so I'm just lab-ing
it up
now to see how t
recated until it
expires.
The alternative is waiting for hosts to do a DHCPv6 query to get a new
address. That is sub-optimal.
--
Nathan Ward
refer to the 69,000 other NANOG posts on the topic.
--
Nathan Ward
how much address space to give to each customer - if they need
more they ask for it automatically.
--
Nathan Ward
now
have a trade off between 65k ISP server networks, and 65k link nets.
Let's say 32k for each.
--
Nathan Ward
I am told that juniper have just released their E series code to do
hitless failover and ipv6cp at the same time.
If you are not running hitless it has been working for some time.
Apologies if this message is brief, it is sent from my cellphone.
On 5/02/2009, at 17:29, Matthew Moyle-Croft
Apologies if this message is brief, it is sent from my cellphone.
Begin forwarded message:
From: Nathan Ward
On 5/02/2009, at 16:58, Chris Adams wrote:
Since NAT == stateful firewall with packet mangling, it would be much
easier to drop the packet mangling and just use a stateful firewall
than ~1million entries because our hardware-based
routers might run out of TCAM and bring the whole network to a
screeching halt.
Or more than 256k routes on a SUP2, or 192k/239K routes on a SUP720.
We are at 285798 as of last CIDR report.
So, I guess you should be worried.. now :-)
--
N
ing from SLAAC to DHCPv6 based
address assignment only requires touching the router sending the RA
messages.
--
Nathan Ward
will run out of food.
--
Nathan Ward
set network policy differently for multiple hosts on a single
broadcast domain? There are some people that do that, but as Randy
would say, it is something that I would encourage my competitors to do.
--
Nathan Ward
oblem as soon as one customer is
listening to RA messages. The problem may very well exist right now.
--
Nathan Ward
interfaces when their external IPv4 address changes.
--
Nathan Ward
could be wrong though - I don't want to be putting words in
to Iljitsch's mouth.
--
Nathan Ward
u would like to deprecate/fix SLAAC
because you have a problem with it then again, I encourage you to get
involved in the IETF.
--
Nathan Ward
Question about 2k38: Aren't most Unixoid systems using 64-bit clocks now?
On Fri, Feb 13, 2009 at 8:03 PM, Chris Adams wrote:
> Once upon a time, Ravi Pina said:
>> Yes... that is more like the y2k38 problem on 03:14:07 UTC
>> 2038-01-19...
>
> Oddly enough, the end of the current Unix epoch is
XP and older OS
X boxes.
...or, until we have another way of getting resolvers that has
widespread adoption..
--
Nathan Ward
tatement.
Anyway, comments taken on board, I'll have a think about how to do
this differently.
--
Nathan Ward
t to named
IPv4 "servers". NAT-PT allowed for the opposite direction, IPv4
"clients" connecting to IPv6 "servers" - NAT64 does not.
The server must have an A record in DNS, and the client must use that
name to connect to - just like NAT-PT.
--
Nathan Ward
ources for
the edge.
--
Nathan Ward
l around
about $1M per /16, but I could be wrong.
--
Nathan Ward
[1] Yes I know that this is not allowed under current policy at any RIR.
getting "VRRP" without RA as
well for those of you wanting to use DHCPv6 for addressing - RA is not
giving out addressing information, and is only giving out "Use DHCPv6"
bits and a router address.
--
Nathan Ward
solution
to a number of problems.
--
Nathan Ward
.
--
Nathan Ward
seems there are lots of people who want auto configuration in IPv6
but who clearly do not do this in IPv4. That seems strange, to me.
--
Nathan Ward
wever practical
implementation of DHCPv6 for address assignment does.
Better? :-)
--
Nathan Ward
On 19/02/2009, at 9:53 AM, Leo Bicknell wrote:
In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300,
Nathan Ward wrote:
I guess you don't use DHCP in IPv4 then.
No, you seem to think the failure mode is the same, and it is not.
Let's walk through this:
1) 400 people
ing your DHCPv6 lease" to allow
transition from DHCPv6 to SLAAC if the network wants to do that.
That way, we get DHCPv6 vs. SLAAC selection when a host connects to
the network without having to manually configure, and we get "IPv4
DHCP"-like behaviour.
--
Nathan Ward
On 19/02/2009, at 10:07 AM, Leo Bicknell wrote:
In a message written on Thu, Feb 19, 2009 at 10:00:48AM +1300,
Nathan Ward wrote:
The point I am making is that the solution is still the same -
filtering in ethernet devices.
No.
I agree that in some environments DHCPv4/DHCPv6/RA filtering
On 19/02/2009, at 11:20 AM, Adrian Chadd wrote:
On Thu, Feb 19, 2009, Nathan Ward wrote:
So, those people don't use DHCP in IPv4 if this is a concern, so I'm
guessing they are not hoping to use DHCPv6 either.
Static configuration of IP addressing information and other
configuration
vendors - even if they do not have as immediate
requirements as you do, they will want to have the problems removed so
when they *do* have immediate requirements they can go ahead and get
it working.
--
Nathan Ward
it in to a PATA hole with a
very simple adapter.
There are plenty of "network appliance" boxes that are designed for
this sort of thing with lots of network holes mounted on the front and
so on. Lots of them have CF card slots on the front as well, just like
many router vendors
P communities to put prefixes in
to PF tables, and then shaped and accounted based on that. (Here in NZ
we have a few thousand domestic prefixes, which transit to/from is
often cheaper than transit off-shore).
--
Nathan Ward
s
resources, right?
In fact, perhaps some bus architectures know about how multicast
works, and it consumes *less* resources than doing the same thing with
many unicast streams. If the bus does not know about multicast, then
the bus would treat it as 24 unicast streams, surely.
--
Nathan Ward
dress 2001:4860:b003::be
mt.l.google.com has IPv6 address 2001:4860:b003::5b
mt.l.google.com has IPv6 address 2001:4860:b003::5d
etc. etc.
(mt[0-3].google.com are the same)
--
Nathan Ward
erything out to the public network?
If a host is a desktop PC controlled by an end user, should it be able
to send and receive anything it wants?
IMO, host based filtering and ACLs (either firewalls or router ACLs or
whatever) in the network should both be used. They fulfil different
needs.
--
Nathan Ward
cheap live broadcast from an outdoor event for a radio
station.
--
Nathan Ward
tored
house alarms would probably be useful here.
Whack a $5 12v horn on it, and my bet is that it'd become a deterrent
pretty quickly.
--
Nathan Ward
port. If you want to build a "VLAN" that operates like it does on a
Cisco switch or something, you set up a tag on each port, and join the
tags together with a L2 switching service. The tag IDs can be
different on each port, or the same... it has no impact.
--
Nathan Ward
ction could be used to write a URL in to
the database, and then wait for that entry to be called, and voila,
you can execute php code, or whatever.
Obviously that is relevant to the first part of your reply - it would
not work with static content.
--
Nathan Ward
On 22/04/2009, at 3:57 PM, Joe Greco wrote:
It may not be wise to wait until ARIN allocates 256.0.0.0/8 to someone
and everyone chimes in to note that their routers are barfing on that.
:-/
Now that *would* be amusing.
--
Nathan Ward
by two providers as the customer wants redundancy with
their own IP space, but does not have a public ASN. I.e. the customer
has a circuit and possibly a BGP feed to two different providers.
--
Nathan Ward
t are
announced by more than 3 ASes..
I never said that was the only reason, I'm sure plenty of people are
doing anycast with different originating ASes.
For example, check the 192.88.99.0/24 prefix.
--
Nathan Ward
Es that support the outcome of this work are
far behind the RFC being published (or even a late draft).
--
Nathan Ward
to use tools like
curl, and I don't see why HTTP is more difficult than FTP as a
protocol in that case. Perhaps I'm missing something.
It looks like curl can upload stuff (-d @file) but you have to have
something on the server to accept it. FTP sounds easier.
--
Nathan Ward
ng done without going to meetings.
Just participating in mailing lists is good for keeping up to date,
but not so good for getting things changed.
That's what I've found, anyway. Might not always be true.
--
Nathan Ward
On 24/04/2009, at 12:14 AM, Pekka Savola wrote:
On Thu, 23 Apr 2009, Nathan Ward wrote:
After trying to participate on mailing lists for about 2 or 3
years, it's pretty hard to get anything done without going to
meetings.
Just participating in mailing lists is good for keeping up to
touch because they were written by that coder who left a few years
ago and work just fine.
--
Nathan Ward
ls http://nms.lcs.mit.edu/software/bgp/bgptools/
- tools that can deal with SQL and MRT dump files.
--
Nathan Ward
fixes, get/use a 0/0 route.
--
Nathan Ward
here are
several living servers, open to the world. They should all work just
fine for you, unless someone is blocking the Teredo port.
Unluckily, there's no content there. "Yet" - it's been "yet" for
about a year now.
--
Nathan Ward
or present-day
data?
--
Nathan Ward
caches that as the best relay to use to
talk to that host. So, you get close-to-IPv4-path for both forward
and reverse.
So, content providers should run Teredo relays also - their over-
Teredo performance will be almost the same as their over-IPv4
performance.
There should be no reason that 6to4 can't do the same thing, I suppose.
--
Nathan Ward
RFC1918 address. To avoid address
conflicts with people who NAT their address, etc.)
The difference between the two things above is that the former is
single NAT, the latter is double. The former is much more
complicated, though.
--
Nathan Ward
nelling stuff (based on
researching a random sample of users), I'd lose about 4% of visitors
to my web-sites if I were to turn on records.
For a transit provider, having an unreachable (or seemingly
unreachable) web-site is a really bad idea.
--
Nathan Ward
On 12/10/2007, at 9:43 AM, Tony Hain wrote:
Nathan Ward wrote:
On 6/10/2007, at 3:18 AM, Stephen Wilcox wrote:
Given the above, I think there is no myth.. !
That's because the 'v6 network' is broken enough that putting
records on sites that need to be well reachabl
the same is true of MTA and MX servers. (ie. MX
record points at the same place for domains you host, as your
customers do to send mail to domains you don't host).
--
Nathan Ward
ny T&C's don't allow that.
Blocking 587/TCP prevents people using someone else's mail service.
I view the latter as no different to preventing you viewing someone
else's website.
--
Nathan Ward
On 21/10/2007, at 7:22 PM, Adrian Chadd wrote:
On Sun, Oct 21, 2007, Nathan Ward wrote:
Blocking 25/TCP is acceptable, blocking 587/TCP is not - it is
designed for mail submission to an MSA, so serves little use for
spam, save when a spammer has detected an open mail relay listening
on 587/TCP
to those with little-utilised /8s is a fairly small
percentage.
--
Nathan Ward
___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
ith
marketing people, etc. unless someone has been doing it for years
already. It'd be good if the world were all engineers though, huh?
--
Nathan Ward
load
balancing switches already do all this service health check stuff and
have done for years, so why are we re-inventing the wheel?
--
Nathan Ward
ps. I'm amused that your message that started with "i think the
minutia is good, especially after a long weekend of la
On 6/05/2008, at 1:19 PM, Steven M. Bellovin wrote:
> "Steve"? I assume you meant "Paul"
No, Steve Gibbard referred to not having control of routers, Paul
referred to customers.
--
Nathan Ward