On 6/05/2008, at 1:21 PM, Joe Abley wrote:
> On 5 May 2008, at 20:50, Nathan Ward wrote:
>
>> Perhaps what would make more sense here is Foundry (F5, etc.)
>> building
>> an anycast feature - anycast prefixes are withdrawn when a cluster
>> relying on that anycast
ent things to what you're used to - mostly as a function of that
paradigm change.
Ask for a v6 roadmap. Last time I looked (~ a year ago) there were
some strange limitations, for example, a surprisingly small max v6
routing table.
--
Nathan Ward
[1] Admittedly, my experience with othe
d opex) is worth it, I imagine.
RE. your original question (2) - yes a single router in each AS and a
link between them is the simplest. Add more routers and more links as
required to meet capacity and resiliency requirements, where cost
permits.
--
Nathan Ward
e ASes you don't want
those prefixes hitting.
Similar, not identical, so may not work for you how you want.
Googling around finds some explanation of it here:
http://ispcolumn.isoc.org/2005-08/as1.html
Nothing really about how it works in a MLPA IXP th
f the foreign AS really wants to send you routes that way, they can
do it regardless of how you stop your advertisements being accepted by/
reaching them. We're hardly talking high security here.
ip route 1.1.1.1 works a treat.
--
Nathan Ward
___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
On 17/05/2008, at 5:53 PM, Matthew Moyle-Croft wrote:
> Nathan Ward wrote:
>> If the foreign AS really wants to send you routes that way, they
>> can do it regardless of how you stop your advertisements being
>> accepted by/ reaching them. We're hardly talking hi
igured I'd give
> this a shot, only to be greeted with:
>
> The application VLC quit unexpectedly
>
> Mac OS X and other applications are not affected.
Works fine on VLC/OS X for me - but not with flip4mac - flip4mac does
IPv4 only it seems.
--
Nathan Ward
allocation size (/
21), you may find it more economical to become an APNIC member and
apply for a portable allocation using the APNIC IPv4 ISP request form.
Note that you must be the end user of the space, as it is assigned not
allocated.
--
Nathan Ward
flush negative caches, but that
might be fixed. YMMV, etc.
Usual common sense warnings apply.
--
Nathan Ward
ack and figure out how to filter it more
precisely if possible, instead of simply dropping all TCP.
Obviously, you'd want to make sure TCP from your other name servers
always goes to the UDP one, etc. etc.
--
Nathan Ward
ickly.
--
Nathan Ward
ssing?
Wireshark reads pcap files. Spit them out with this option on the
tcpdump commandline.
-w file
--
Nathan Ward
etworks move less traffic off-net.
.. this is the part where someone bustles off and makes it go.
--
Nathan Ward
left in the rack just in case it attached to some
other host and you fear causing an unplanned outage.
You whack on one of these things when there's still active gear on the
end?
--
Nathan Ward
rvice for, but these seem to be the obvious ones that are easy to
limit without big disruptions.
Do 'normal' web hosting providers allow customer created scripts to
create TCP sessions out to arbitrary things?
--
Nathan Ward
hosting customer (i.e.
$10/mo php+mysql service) open outgoing TCP sessions to ports other
than 80 and 443. I'm sure there are exceptions to the rule, and they
should be exactly that - exceptions.
--
Nathan Ward
modity GE
cards. They can do 10GE monitoring, so if you need several 10GE's per
chassis I'd recommend these.
--
Nathan Ward
> The Endace DAG cards claim they can move 7 gbps over a PCI-X bus from
> the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
I wonder, has anyone heard of this used for IDS? I've been looking at
building a commodity SNORT solution, and wondering if a powerful network
card will help, or
download over HTTPS with a key that
was generated by the vendor and signed by well trusted root CAs on a
boxes with OpenSSL versions not released by Debian?
PATCH NOW PATCH NOW seems like a fantastic way to get nefarious code
deployed in really, really interesting places.
:-)
--
Nathan
would be useful?
--
Nathan Ward
nfig image.
Not really wanting to give it away publicly as I don't want to have to
deal with supporting it, but if anyone wants it as a basis for your
own thing drop me an email ([EMAIL PROTECTED] please).
ps. before someone accuses me of trying to sell stuff, I mean free as
in beer.
Cheers,
--
Nathan Ward
n a border router or something
though, but doesn't work for me in a complex network.
One cool thing about OpenBGPd is bgpctl irrfilter, which pulls in RPSL
and does the business with it, and stuffs it into your live BGP daemon.
--
Nathan Ward
the guilty party,
in the case of a hacked router for example.
I agree that bogon filtering with a Team Cymru BGP feed is good - it
will do the job most of the time. However, it cannot be considered a
complete solution.
--
Nathan Ward
at packet dumps of things right now, captured from
torrent clients from the last wee while. I'll be rambling about this
and pointing at pretty graphs in about a week at APNIC26.
--
Nathan Ward
On 19/08/2008, at 6:28 PM, Mikael Abrahamsson wrote:
On Tue, 19 Aug 2008, Nathan Ward wrote:
uTorrent actively enables IPv6 on XP SP2 and Vista machines in the
install process (by default, it can be turned off). IPv6 is turned
on, on lots of PCs.
We looked into this, and IPv6 is not
On 19/08/2008, at 6:34 PM, Nathan Ward wrote:
On 19/08/2008, at 6:28 PM, Mikael Abrahamsson wrote:
On Tue, 19 Aug 2008, Nathan Ward wrote:
uTorrent actively enables IPv6 on XP SP2 and Vista machines in the
install process (by default, it can be turned off). IPv6 is turned
on, on lots of
f files - 1 kernel,
1 filesystem image. Filesystem images are good.
That way, you can mount your CF card somewhere, and 'reflash' from a
live system. Just like, for example, a Cisco router. Upgrades are
easy, just copy a new root FS+kernel on there.
--
Nathan Ward
here is nothing, anywhere, that says that the first 64 bits is for
routing.
--
Nathan Ward
On 20/08/2008, at 6:39 AM, Jay R. Ashworth wrote:
On Tue, Aug 19, 2008 at 04:56:33PM +1200, Nathan Ward wrote:
Sit up and pay attention, even if you don't now run IPv6, or even if
you don't ever intend to run IPv6. Your off-net bandwidth is going to
increase, unless you put some relay
counted twice - once when encapsulated, once when native.
--
Nathan Ward
On 20/08/2008, at 4:42 PM, Nathan Ward wrote:
Teredo uses 3544/UDP for Client<->Server communication. That is
for relay discovery when needed, and the qualification procedure -
not much traffic. Client<->Relay communication MAY use 3544/UDP,
Client<->Client communicatio
o use this trick
for non-malicious day-to-day traffic engineering.
The technique of path stuffing ASes who you do not want to receive an
announcement is called AS PATH poisoning. It's a fairly well known
trick.
--
Nathan Ward
now - anyone have anything more
recent. Anyway, enjoy:
http://www.apricot2016.info/apricot2007/presentation/apia-future-routing/apia-future-routing-vince-fuller.pdf
--
Nathan Ward
network though. I'm sure there's a way to do
this, and I suspect having BGP feeds from many many places is the most
reliable way for it to happen, I just haven't figured out why yet.
This seems like a service that Renesys etc. could/should (or maybe
do?) offer, they seem well placed with all their BGP feeds..
--
Nathan Ward
though.
--
Nathan Ward
ewer networks.
Put collection points in say 10 networks, and the attack becomes
pretty useless.
Unless of course you are announcing a more specific prefix than the
authentic one.
--
Nathan Ward
then reference to longer optional text for those that
care about why, people will get a false sense of security.
--
Nathan Ward
240/4 in your pictures.
--
Nathan Ward
not going to his IP address, but to AND from
addresses that are not his. That, plus the fact that there 'is'
traffic on 240/4 and 224/4, and it sounds like a bug.
--
Nathan Ward
wireshark's Lua
extension system to write a plugin to do this for you right within
wireshark.
The wireshark/Lua stuff is quite powerful (though not super super
fast), it's a really useful tool to have on hand.
--
Nathan Ward
on the outside?
He is confused, and means 6to4.
Also the airport extreme does not do DHCPv6-PD or anything (as far as
I know, they certainly did not last time I tried), so I don't know
that we'd really call them an IPv6 CPE in the way that I suspect Wade
means.
--
Nathan Ward
's nice to have.)
Yes it will break auto MDI/MDI-X.
--
Nathan Ward
uting table explosion religious war here, with snipes from
people saying that we need a new routing system, etc. etc.
So with that in mind, do your concerns from your original post still
make sense?
--
Nathan Ward
/48
portable assignment. In APNIC world anyway, I'm not sure of the terms
and policies used in other regions.
--
Nathan Ward
lse though.
This happens all the time with IPv4 space and AS #'s today, why
would it be any different with v6?
It's not.
--
Nathan Ward
the way, the default username/password for the LightningEdge
47 and other WWP CPEs is su/pureethernet. Hopefully that will save someone
else some pain. :-)
Best Regards,
Nathan Eisenberg
> One should think the fact that there are default passwords at all
> should be a cause for alarm, in and of itself.
I must not have been very clear. I'm resetting these switches to factory
defaults using the hardware reset button, and attempting to log in using
whatever the factory default pas
change this prior to deployment!
Best Regards,
Nathan Eisenberg
be I'm missing something?
Best Regards,
Nathan Eisenberg
the WWP gear is still manufactured.
Thank you all again for helping me sort out what the factory default WWP
passwords are so that I can now have a secure and documented deployment out
here! I've received a couple offers of technical assistance from WWP veterans
that I may well take up moving forward.
Best Regards,
Nathan Eisenberg
o I'm not sure there's a huge difference.
Best Regards,
Nathan Eisenberg
Not if you change the default password like any sane admin does...
-Original Message-
From: Steven Bellovin [mailto:s...@cs.columbia.edu]
Sent: Wednesday, January 13, 2010 11:26 AM
To: Barry Shein
Cc: nanog@nanog.org; nonobvi...@gmail.com
Subject: Re: Default Passwords for World Wide Pack
> From: Graeme Fowler [mailto:gra...@graemef.net]
> And somewhere in the dim and distant past (Jan 6th), Nathan announced
> that he'd sorted out his original problem and now had the defaults.
>
> What a peculiar bunch we are. And this from the group lauded as
> anonym
that far less questionable means are being utilized.
Perhaps there are a sufficient number of pro-free-speech'ers at Google.cn
(which is presumably largely composed of Chinese nationals) that are privy to
such information. It only takes one guy going "hey! I know some of these
email addresses!"...
Nathan
osed
> to someone else's)
> prefix be added to SORBS? e.g.
>
> whois 192.0.2.0
Slightly confused - it sounds like you're asking if you can list yourself on a
blacklist? Is that a self-immolating form of protest, or did I misread?
Best Regards,
Nathan Eisenberg
Isn't there a US destroyer taskforce off the coast now? One would think they'd
have a supply of diesel available.
Best Regards,
Nathan Eisenberg
From: Eric Brunner-Williams [brun...@nic-naa.net]
Sent: Sunday, January 17, 2010 3:02 PM
To: nanog
I have used Ixia, Spirent AX/4000, Spirent Testcenter and Spirent Smartbits for
1-10GE testing, they've all been able to do the things you ask for - they are
quite basic features and any 10GE "router tester" unit will do what you want.
In addition, you should demand much higher than 10Kpps, you
still required on ethernet links, so that the MAC address can be
discovered for use in the ethernet frame header. /31 does not change the
behavior of ARP at all.
--
Nathan Ward
to worry about problems coming from re-use. A single /64 full of /112s
gives you 281 trillion.
For links to customers and other networks, I like /64s, because they are right
now the standard so you're not going to run into compatibility problems. If
you've got links to customers you should have a /32, so setting aside a /48 or
a /44 or something for those customer links is no huge drama.
--
Nathan Ward
translate between the
two, rather than burn networks in order to fudge some kind of human readability
out of it and sacrificing your address space to get it.
% printf "%04x\n" 4095
0fff
% printf "%d\n" 0x0fff
4095
--
Nathan Ward
ace is
/56s?
Then we have 675,000 networks per person.
If we botch that up then we've done amazingly badly.
Then we'll move on to 4000::/3.
--
Nathan Ward
I'm actually writing some IP management code. Web based, it knows about the
difference between IPv4 and IPv6 in maybe 3 or 4 places.
Intention is to release it publicly when it's good to go.
On 3/02/2010, at 10:14 AM, Scott Berkman wrote:
> I was about to suggest IPPlan, but it is lacking the V6
> is likely contained on many internal networks for now because a corresponding
> route doesn't show up in the global routing table at the moment. Once that
> changes
1.1.1/24 and 1.2.3/24 are assigned to APNIC. Unless they release them, the
general public will not get addresses in these.
--
Nathan Ward
, puede hacerla al correo electronico
wh...@nic.ve
... etc.
I get a proper response, anyway.
There is no A record in the DNS for ve.whois-servers.net, which is what my
client tries first. Perhaps this is where the confusion lies.
--
Nathan Ward
no experience with it yet.
XORP is also interesting, it's a more JunOS like interface. It's also some
quite heavy C++, so running it on the tiny Soekris boxes that I had meant it
wouldn't work for me. If you can spare the CPU and RAM then give XORP a go.
--
Nathan Ward
too, but my uptime is less. Are
> you using increased hold times?
Never mind BGP timers, do you normally do well holding TCP connections open for
weeks on end across the Internet?
--
Nathan Ward
d something with the pmtud stuff in the next week or so, and I'll also
push the code to github.
You'll probably want to make your own changes based on what you're interested
in, also.
--
Nathan Ward
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote:
> On Tue, 16 Feb 2010, Nathan Ward wrote:
>
>> You are very unlikely to get traffic from Teredo, because:
>> 1) Windows only asks for if it has non-Teredo IPv6 connectivity
>
> Please don't just say "win
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote:
> On Tue, 16 Feb 2010, Nathan Ward wrote:
>
>> XP won't ask for unless it has non-Teredo connectivity though I don't
>> think.
>
> That doesn't compute considering all the XP machines with Teredo a
me other reason thought you wanted them to be
authoritative for some zone you control.
--
Nathan Ward
It's much more lightweight on
your data storage, and probably doesn't involve you putting in a new server -
but a bit heavier on your network kit.
--
Nathan Ward
ernet, and would require significant implementation complexity.
Since this mechanism has never been in use in the public internet, it is
proposed to reclassify it to Historic.
--
Nathan Ward
is common.
Juniper boxes have re0-hostname.domain and re1-hostname.domain, and also
re-hostname.domain if I've got a moving master IP address configured.
That's about all I can think of to write, I hope it's useful to someone, YMMV,
etc.
--
Nathan Ward
If only there were other security experts on this list with a proven ability to
make this thread even more absurd.
On 16/03/2010, at 4:47 PM, Guillaume FORTAINE wrote:
> Misters,
>
> Thank you for your reply.
>
> 1) First of all, I am absolutely not related to the Obeseus project. From my
> p
localpref 100, valid, external
% whois -a AS36561 | grep -i name
OrgName:YouTube, Inc.
:-)
--
Nathan Ward
was a bit masochistic. Then we got a router tester and did exactly
the same thing, but in a whole lot less space with a whole lot less effort.
Both worked great, naturally I recommend a router tester.
--
Nathan Ward
u all know anyway. :)
Cheers.
--
Nathan Hickson
AS36561 - YouTube
AS15169 - Google
r the purposes
prohibited above. I also don't appreciate 7136k of attachment spam.
Sincerely, Mister Pissed.
P.S. Nanog consists of females too. Stop calling us all Mister, please.
On Wed, Mar 17, 2010 at 4:17 PM, Guillaume FORTAINE
wrote:
> Dear Nathan,
>
> Let me introduce m
Dig up.
On 18/03/2010, at 2:32 PM, Guillaume FORTAINE wrote:
> Misses, Misters,
>
> I have read with interest what everybody told in this thread and it seems
> that they consider everything new as spam.
>
> My conclusion is that they fear what it is new.
>
> Best Regards,
>
> Guillaume FORTA
erminating a PPPoATM connection, not a bridge or anything.
--
Nathan Ward
o the floor to ceiling glass about 2 feet from the bottom of the ladder
you're at the top of a 50RU rack with. Plus the swaying building.
You get over your vertigo pretty quickly, or you just don't go up the tower
more than once.
--
Nathan Ward
Hello List,
I'm looking for recommendations for switches between 5 and 10 ports that meet
the following specifications:
1) Sub-$150 USD
2) Can untag vlans
3) Multicast capable
a. Capable of 30+ multicast groups
Best Regards,
Nathan Eisenberg
.
>
> I'd put 'janitor' on my business card for all I really care.
I'm pretty sure Jonny Martin was Chief Internet Janitor in his previous role.
He cleaned the tubes so the sewage could flow.
--
Nathan Ward
> Still, that is a considerable number of bits we'll have left when the dust
> settles and the RIR allocation rate drastically slows.
Like it did for IPv4? ;)
-Nathan
> Sure. Bet you ten bucks that no hotel in North America offers IPv6 this year
> in the wifi they provide to customers. (Conference networks don't
> count.)
John -
I happen to know with absolute certainty that the above statement is false.
But I'd be happy to take your money! :-)
Nathan
s; it's far more compelling
to send them to the destination PBX directly over UDP/IP. Sadly, the best
mechanism anyone has come up with is manual number publishing in an rDNS style
database, and the results are less than stellar...
Nathan
he next couple years as very small ISPs struggle to implement
native IPv6 over those aging DSLAMs and GPON systems that don't and won't
support it.
Nathan
> Most IPv4 space is unused anyway, but it's not being reclaimed much despite
> that. (How many IP addresses does the US federal government need? Few
> people would think ~ 10 /8s. Especially since many of them aren't even lit
> up.)
What do you mean, lit up? You mean they're not in the routing t
omes that
actually use them - mostly homes that have webcams on them. But most homes go
the overloaded NAT route and just translate different ports to different
RFC1918 addresses...
But at least in theory, what you're saying you haven't seen, is done up to some
limit already at some ISPs.
Nathan
> The problem with this is that both ARES and RACES hams have gotten there
> first (orange lights and strobes flashing) and are now engaged in small-arms
> fire over who gets to set their repeater up. You're now hiding under your
> vehicle. What is your next move?
Larger-arms fire?
Does anyone know who to ping at Microsoft about their teredo platform? Their
relay(s) doesn't/don't seem to have reachability to some bits of IPv6 space.
Nathan
Some provider woes:
FAX over VOIP is a PITA. I've not yet seen an ATA or softswitch that handled
it reliably.
E911 for mobile devices sucks. Regulations, and the E911 system, do not seem
to have the flexibility for handling this in a seamless way.
Call routing (on a more global scale) sucks.
n ALG agent installed
that's trying to proxy the SIP traffic?
(Yes, I hate ALGs. They are evil.)
Nathan
> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Monday, February 28, 2011 11:26 AM
> To: Bret Palsson
> Cc: nanog@nanog.org
> Subjec
are still relevant, and
certainly the number of users can be said to count. The number of hops doesn't
matter one iota. Is it not email if you're only 1 hop away from your SMTP
server?
Nathan
> And I fully expect that to be done at some point or another. Country
> takes the entire 32bit address space for itself. You want to serve
> that
> country? Fine, apply for an allocation out of their /0 and route to it
> over v6.
What happens when countries are formed from secession? Does one
uit, there has to be some
long term ROI because that work probably takes the margin out of the service
for months.
Nathan
As always, these are my own views, and not that of my employer.
fix this, and I missed it, then I
apologize for the useless post!)
Nathan
> Why is native IPv6 needed? I'd have thought a tunnel would be fine, too.
I believe the concern is that the higher latency of a tunnel would impact SEO
rankings.
e not to index v6.bobdole.com. Use
an .htaccess rule to rewrite requests for robots.txt based on the host header,
so v4 requests get the v4.robots.txt, and v6 requests get the v6.robots.txt,
which tells Google not to index things.
Nathan
Could someone from the IT department for the City of Panama City Beach, Florida
please contact me off-list?
Best Regards,
Nathan Eisenberg