Re: DHS and NSA getting married?

2010-10-22 Thread Steven Bellovin
On Oct 22, 2010, at 11:04 37AM, Christopher Morrow wrote: > On Fri, Oct 22, 2010 at 1:46 AM, George Bonser wrote: >> An agreement signed this month with the Department of Homeland Security >> and an earlier initiative to protect companies in the defense industrial >> base make it likely that the

Re: Current trends in capacity planning and oversubscription

2010-11-10 Thread Steven Bellovin
On Nov 10, 2010, at 12:40 56PM, George Bonser wrote: >> From: Steve Meuse > Sent: Wednesday, November 10, 2010 9:31 AM >> To: Michael Loftis >> Cc: nanog >> Subject: Re: Current trends in capacity planning and oversubscription >> >> Michael Loftis expunged (mlof...@wgops.com): >>> >>> Actually.

Re: non operational question related to IP

2010-11-22 Thread Steven Bellovin
On Nov 22, 2010, at 2:52 52PM, Greg Whynott wrote: > > i was pinging a host from a windows machine and made a typo which seemed > harmless. the end result was it interpreted my input differently than what I > had intended. thinking this was a m$ issue I quickly took the opportunity > to po

Re: Blocking International DNS

2010-12-01 Thread Steven Bellovin
On Dec 1, 2010, at 8:18 42PM, David Conrad wrote: > On Dec 1, 2010, at 11:41 AM, Randy Bush wrote: >> the more i think about this, the more i am inclined to consider a second >> trusted root not (easily) attackable by the usg, who owns the root now, >> or the acta vigilantes. as dissent becomes

Re: Want to move to all 208V for server racks

2010-12-02 Thread Steven Bellovin
On Dec 2, 2010, at 3:54 15PM, Jay Ashworth wrote: > - Original Message - >> From: "Ingo Flaschberger" >> >> in europe GFIs are always needed for protection and by law. >> to avoid the cascading effects the GFCIs are better. >> break current ranges from 10mA (bath) up to 300mA; for servers

Re: ARIN space not accepted

2010-12-07 Thread Steven Bellovin
On Dec 4, 2010, at 1:43 09AM, Kevin Oberman wrote: >> From: valdis.kletni...@vt.edu >>> From: valdis.kletni...@vt.edu >> Date: Fri, 03 Dec 2010 20:00:15 -0500 >> >> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said: >> >>> It is speculated that no later than Q1, two more /8's will be allocate

A fascinating piece of spam

2010-12-07 Thread Steven Bellovin
Well -- spammers are following the NANOG list in real-time, it seems. A few hours after my post this afternoon, I received some spam with a correct Subject: line for that post. I'll be happy to forward the email to anyone who wants to analyze it or find the offender and permanently blacklist "

Re: A fascinating piece of spam

2010-12-07 Thread Steven Bellovin
Yup, same purported sender... On Dec 7, 2010, at 6:46 40PM, Joe Greco wrote: >> Well -- spammers are following the NANOG list in real-time, it seems. A >> few hours after my post this afternoon, I received some spam with a >> correct Subject: line for that post. I'll be happy to forward th

Re: Some truth about Comcast - WikiLeaks style

2010-12-20 Thread Steven Bellovin
On Dec 20, 2010, at 8:51 01PM, JC Dill wrote: > On 20/12/10 2:15 PM, David Sparro wrote: >> >> >> There is no monopoly. They've already experimented with that and >> (apparently) decided that it wasn't worth it. >> >> http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/DN-verizon_1

Re: The tale of a single MAC

2011-01-02 Thread Steven Bellovin
On Jan 1, 2011, at 11:33 24PM, Mark Smith wrote: > On Sat, 01 Jan 2011 20:59:16 -0700 > Brielle Bruns wrote: > >> On 1/1/11 8:33 PM, Graham Wooden wrote: >>> So here is the interesting part... Both servers are HP Proliant DL380 G4s, >>> and both of their NIC1 and NIC2 MACs addresses are exactl

Re: The tale of a single MAC

2011-01-02 Thread Steven Bellovin
I should note -- this isn't that surprising. The IPv6 stateless autoconfig RFCs have always assumed that this could happen, which is why duplicate address detection is mandatory.

Re: The tale of a single MAC

2011-01-02 Thread Steven Bellovin
On Jan 2, 2011, at 5:15 54PM, Mark Smith wrote: > Hi, > > On Sun, 2 Jan 2011 08:50:42 -0500 > Steven Bellovin wrote: > >> >> On Jan 1, 2011, at 11:33 24PM, Mark Smith wrote: >> >>> On Sat, 01 Jan 2011 20:59:16 -0700 >>> Brielle Bruns wrot

Re: sudden low spam levels?

2011-01-05 Thread Steven Bellovin
On Jan 3, 2011, at 1:04 55PM, Ken Chase wrote: > I have two independent mailservers, and two other customers that run their own > servers, all largely unrelated infrastructures and target domains, suddenly > experiencing low levels of spam. > > Total emails/day dropping from some 175,000-250,000

The FCC on IPv6

2011-01-06 Thread Steven Bellovin
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-303870A1.pdf --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Problems with removing NAT from a network

2011-01-06 Thread Steven Bellovin
On Jan 6, 2011, at 8:48 12PM, Owen DeLong wrote: > Doesn't all of this become moot if Skype just develops a dual-stack capable > client > and servers? Skype is an interesting case because of its peer-to-peer nature. Given the state of v6 deployment and operational experience[1], and especially

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Steven Bellovin
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote: > On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley wrote: >> >> On 2011-01-24, at 20:24, Danny McPherson wrote: >> >>> >>> Beginning to wonder why, with work like DANE and certificates in DNS >>> in the IETF, we need an RPKI and new hierarc

Re: Found: Who is responsible for no more IP addresses

2011-01-27 Thread Steven Bellovin
On Jan 27, 2011, at 4:53 22PM, mikea wrote: > On Thu, Jan 27, 2011 at 12:26:58PM -0800, Mark Keymer wrote: >> What I don't understand is I can only guess they must have an IT team. >> And Maybe even 1 or more people that view this list. Why don't they just >> talk to their own staff about the issu

Re: IPv6 and DNS

2011-06-12 Thread Steven Bellovin
On Jun 12, 2011, at 1:46 20PM, Jeff Kell wrote: > On 6/12/2011 11:44 AM, Matthew Palmer wrote: >> I don't believe we were talking about DHCPv6, we were talking about SLAAC. >> And I *still* think it's a better idea for the client to be registering >> itself in DNS; the host knows what domain(s) i

Re: Address Assignment Question

2011-06-20 Thread Steven Bellovin
On Jun 20, 2011, at 5:52 27PM, John Levine wrote: >> They have inquired about IPv6 already, but it's only gone so far as >> that. I would gladly give them a /64 and be done with it, but my >> concern is that they are going to want several /64 subnets for the >> same reason and I don't really *th

Re: Address Assignment Question

2011-06-20 Thread Steven Bellovin
On Jun 20, 2011, at 10:22 45PM, John R. Levine wrote: >> All they need -- or, I suspect, need to assert -- is to have >> multiple physical networks. They can claim a production net, a DMZ, >> a management net, a back-end net for their databases, a developer >> net, and no one would question an a

Re: Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-29 Thread Steven Bellovin
On Jun 29, 2011, at 8:59 49AM, Ryan Malayter wrote: > > > On Jun 28, 3:35 pm, Cameron Byrne wrote: > >> >> AFAIK, Verizon and all the other 4 largest mobile networks in the USA >> have transparent TCP proxies in place. > > Do you have a reference for that information? Neither AT&T nor Spri

Re: Comcast Business Class and GRE Tunnels

2011-07-26 Thread Steven Bellovin
On Jul 26, 2011, at 11:07 37AM, Nate Burke wrote: > Hello, I'm hoping that someone here might have run into a similar issue and > might be able to offer me some pointers. > > I have a customer that I am providing redundant paths to, one link over a > microwave connection, and a backup link ove

Re: NANOGers home data centers - What's in your closet?

2011-08-12 Thread Steven Bellovin
> The holy grail I'm searching for now? A GigE switch with POE, > unmanaged is ok, and probably preferred from a price perspective; > but with NO FAN. I can't help with the POE part. I have a 16-port D-Link DGS-1016D -- GigE, no fan, unmanaged. --Steve Bellovin, http://www.cs.c

Re: NANOGers home data centers - What's in your closet?

2011-08-12 Thread Steven Bellovin
On Aug 12, 2011, at 10:17 39PM, Joe Greco wrote: >> What nobody wired their abode with fiber ? >> >> Am i the only one here > > I ran a bunch of fiber from the telco rack to the server rack to reduce > the risk of damage to expensive servers ... it's likely to be > meaningless but it is just a

Re: How long is your rack?

2011-08-15 Thread Steven Bellovin
On Aug 15, 2011, at 10:12 21AM, Randy Bush wrote: >> I've always wondered if the next cisco/juniper 0 day will be delivered >> via a set of exploits delivered via a link posted to NANOG. :) Maybe >> I'll do a talk at DEFCON next year about that. > > more likely a 'shortened' url. how anyone can

Re: East Coast Earthquake 8-23-2011

2011-08-24 Thread Steven Bellovin
On Aug 24, 2011, at 9:44 20AM, Patrick W. Gilmore wrote: > On Aug 24, 2011, at 8:55 AM, JC Dill wrote: >> On 23/08/11 3:13 PM, William Herrin wrote: >>> A. Our structures aren't built to seismic zone standards. Our >>> construction workers aren't familiar with *how* to build to seismic >>> zone

Re: 13 years ago today - October 16, 1998...

2011-10-16 Thread Steven Bellovin
On Oct 15, 2011, at 11:20 58PM, Jay Ashworth wrote: > - Original Message - >> From: "Rodney Joffe" > >> Subject: 13 years ago today - October 16, 1998... >> we lost Jon. >> >> It feels like just yesterday. >> >> http://www.apps.ietf.org/rfc/rfc2468.html > > My path didn't cross Jon's

Re: using IPv6 address block across multiple locations

2011-10-31 Thread Steven Bellovin
On Oct 31, 2011, at 12:30 49PM, Joel jaeggli wrote: > On 10/31/11 03:43 , Jeroen Massar wrote: >> On 2011-10-31 08:56 , Dmitry Cherkasov wrote: >>> Hello, >>> >>> Please advise what is the best practice to use IPv6 address block >>> across distributed locations. >> >> You go to multiple RIRs an

Re: airgap / negligent homicide charge

2011-11-14 Thread Steven Bellovin
Here's a quote from a famous court case (T.J. Hooper) on liability and industry standards: Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It

Re: First real-world SCADA attack in US

2011-11-21 Thread Steven Bellovin
On Nov 21, 2011, at 4:30 PM, Mark Radabaugh wrote: >> >> > Probably nowhere near that sophisticated. More like somebody owned the PC > running Windows 98 being used as an operator interface to the control system. > Then they started poking buttons on the pretty screen. > > Somewhere there

Re: First real-world SCADA attack in US

2011-11-22 Thread Steven Bellovin
On Nov 22, 2011, at 7:51 59PM, valdis.kletni...@vt.edu wrote: > On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said: > >>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html > >> And "In addition, DHS and FBI have concluded that there was no malicious >> traffic

Re: First real-world SCADA attack in US

2011-11-22 Thread Steven Bellovin
On Nov 22, 2011, at 8:08 58PM, Steven Bellovin wrote: > > On Nov 22, 2011, at 7:51 59PM, valdis.kletni...@vt.edu wrote: > >> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said: >> >>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alle

Re: IPv6 prefixes longer than /64: are they possible in DOCSIS networks?

2011-11-28 Thread Steven Bellovin
On Nov 28, 2011, at 4:51 52PM, Owen DeLong wrote: > > On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote: > >> It's a good practice to reserve a 64-bit prefix for each network. >> That's a good general rule. For point to point or link networks you >> can use something as small as a 126-bit prefix (w

Re: [fyo...@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]

2011-12-05 Thread Steven Bellovin
> > > F*ck them! If anyone knows a great copyright attorney in the U.S., > please send me the details or ask them to get in touch with me. Hmm -- did you say "copyright"? I wonder what would happen if you sent them a DMCA takedown notice. To quote Salvor Hardin, "It's a poor atom blaster th

Re: [fyo...@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]

2011-12-06 Thread Steven Bellovin
On Dec 6, 2011, at 12:34 31PM, William Allen Simpson wrote: > On 12/6/11 12:00 PM, Eric Tykwinski wrote: >> Maybe it's just me, but I would think that simply getting them listed on >> stopbadware.org and other similar sites would probably have much more of an >> effect. >> The bad publicity can c

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:53 AM, valdis.kletni...@vt.edu wrote: > On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said: > >> I would say those claiming certificates from a public CA provide no >> assurance of authentication of server identity greater than that of a >> self-signed one would have the bu

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:15 PM, Randy Bush wrote: >> Do you run Cert Patrol (a Firefox extension) in your browser? > > yes, but my main browser is chrome (ff does poorly with nine windows and > 60+ tabs). there is some sort of pinning, or at least discussion of it. > but it is not clear what is ac

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 8:25 PM, Seth David Schoen wrote: > Steven Bellovin writes: > >> The only Chrome browser I have lying around right now is on a Nexus 7 tablet; >> I don't see any way to list the pinned certs from the browser. There is a >> list at http://ww

Re: Gmail and SSL

2013-01-03 Thread Steven Bellovin
On Jan 3, 2013, at 3:52 PM, Matthias Leisi wrote: > On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher wrote: > > >> While I'm writing, I'll also point out that the Diginotar hack which came >> up in this discussion as an example of why CAs can't be trusted was >> discovered due to a feature of

Re: OOB core router connectivity wish list

2013-01-31 Thread Steven Bellovin
On Jan 9, 2013, at 1:18 PM, Leo Bicknell wrote: > In a message written on Wed, Jan 09, 2013 at 06:39:28PM +0100, Mikael > Abrahamsson wrote: >> IPMI is exactly what we're going for. > > For Vendors that use a "PC" motherboard, IPMI would probably not be > difficult at all! :) > > I think IPMI

Re: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Steven Bellovin
On Feb 20, 2013, at 3:20 PM, Jack Bates wrote: > On 2/20/2013 1:05 PM, Jon Lewis wrote: >> >> See thread: nanog impossible circuit >> >> Even your leased lines can have packets copied off or injected into them, >> apparently so easily it can be done by accident. >> > > This is especially tr

Re: NYT covers China cyberthreat

2013-02-20 Thread Steven Bellovin
On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote: > On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said: >> boys and girls, all the cyber-capable countries are cyber-culpable. you >> can bet that they are all snooping and attacking each other, the united >> states no less than the rest.

Re: NYT covers China cyberthreat

2013-02-21 Thread Steven Bellovin
On Feb 20, 2013, at 9:07 PM, Steven Bellovin wrote: > > On Feb 20, 2013, at 1:33 PM, valdis.kletni...@vt.edu wrote: > >> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said: >>> boys and girls, all the cyber-capable countries are cyber-culpable. you >>> can b

Re: internet in the box

2013-03-11 Thread Steven Bellovin
On Mar 8, 2013, at 2:30 PM, Philip Lavine wrote: > Has anybody set up a Cellular front end (LTE or 3G) access to the Internet > and a WiFi backend supporting 150 devices. > I need to provide temporary Internet access (7 days) to a convention center > room that is about 2000 square feet. > Stoo

Re: What are y'all doing for CALEA compliance?

2013-03-16 Thread Steven Bellovin
On Mar 15, 2013, at 9:38 AM, Ben Bartsch wrote: > Is there actually any teeth to the law? Find a real lawyer and show her/him http://www.law.cornell.edu/uscode/text/18/2522 --Steve Bellovin, https://www.cs.columbia.edu/~smb

Re: Line cut in Mediterranean?

2013-03-27 Thread Steven Bellovin
The BBC has a similar story: http://www.bbc.co.uk/news/world-middle-east-21963100 On Mar 27, 2013, at 6:41 PM, Neil J. McRae wrote: > Via renesys > > http://www.washingtonpost.com/world/middle_east/egypt-naval-forces-capture-3-scuba-divers-trying-to-sabotage-undersea-internet-cable/2013/03/27/

Re: RFC 1149

2013-04-02 Thread Steven Bellovin
DLT? I first heard it as a station wagon full of (9-track, 1600 bpi, that having been the state of the art) mag tapes on the Taconic Parkway, circa 1970. I suspect, though, that Herman Hollerith expressed the idea about a stage coach full of punchcards, back in the 1880s. On Apr 2, 2013, at 3:

Re: RFC 1149

2013-04-03 Thread Steven Bellovin
On Apr 2, 2013, at 9:16 PM, Jay Ashworth wrote: > - Original Message - >> From: "Steven Bellovin" > >> DLT? I first heard it as a station wagon full of (9-track, 1600 bpi, >> that having been the state of the art) mag tapes on the Taconic Parkway

Re: skype shoots self in foot

2013-04-26 Thread Steven Bellovin
On Apr 26, 2013, at 3:24 AM, Randy Bush wrote: >>> until widespread availability of webrtc, a bunch of us are using >>> jitsi for video, https://jitsi.org/ >> And last I tried it, it kept segfaulting on something dumb ;) > > try the nightlies > I'm trying the latest two nightlies -- two annoy

Re: Traceroute explanation

2011-12-08 Thread Steven Bellovin
On Dec 7, 2011, at 2:51 08PM, Meftah Tayeb wrote: > big thank for that > but, i am testing that for one day :) Can you do an AStraceroute or manually translate those addresses into AS#s? That is, might level3 and tinet be using multiple AS#s, in which case this isn't unreasonable? > >

Re: Traceroute explanation

2011-12-08 Thread Steven Bellovin
using Windows, I have no idea what's available. On Dec 7, 2011, at 2:56 16PM, Meftah Tayeb wrote: > please tell me how to ? > i don't know astraceroute:) > > - Original Message - From: "Steven Bellovin" > To: "Meftah Tayeb" > Cc: "Fr

Re: what if...?

2011-12-22 Thread Steven Bellovin
On Dec 22, 2011, at 7:04 PM, Jeroen van Aart wrote: > Marshall Eubanks wrote: >> Does your Mom call you up every time she gets a dialog box complaining >> about an invalid certificate ? >> If she has been conditioned just to click "OK" when that happens, then >> she probably can't. > > Everyone

Re: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-26 Thread Steven Bellovin
On Dec 26, 2011, at 1:23 46PM, Mark Radabaugh wrote: > On 12/26/11 12:56 PM, valdis.kletni...@vt.edu wrote: >> On Mon, 26 Dec 2011 12:32:46 EST, Ray Soucy said: >>> 2011/12/26 Masataka Ohta: And, if RA is obsoleted, which is a point of discussion, there is no reason to keep so bloated N

Re: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?

2011-12-29 Thread Steven Bellovin
On Dec 29, 2011, at 5:30 16PM, Masataka Ohta wrote: > valdis.kletni...@vt.edu wrote: > >>> IGP snooping is not necessary if the host have only one next >>> hop router. > >> You don't need an IGP either at that point, no matter what some paper from >> years ago tries to assert. :) > > IGP is th

Re: Does anybody out there use Authentication Header (AH)?

2012-01-01 Thread Steven Bellovin
On Jan 1, 2012, at 8:34 PM, TR Shaw wrote: > John, > > Unlike AH, ESP in transport mode does not provide integrity and > authentication for the entire IP packet. However, in Tunnel Mode, where the > entire original IP packet is encapsulated with a new packet header added, > ESP protection

Re: Does anybody out there use Authentication Header (AH)?

2012-01-01 Thread Steven Bellovin
ons to deal with. This time there is some > support for it .. > > Jack > > On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote: >> >> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote: >> >>> John, >>> >>> Unlike AH, ESP in transport mode does no

Re: AD and enforced password policies

2012-01-02 Thread Steven Bellovin
On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote: > On Mon, Jan 2, 2012 at 22:32, Jimmy Hess wrote: > >> The sole root cause for "easily guessable passwords" is not lack of >> technical restrictions. It's also: lazy or limited memory humans who need >> passwords that they can remember.

Re: AD and enforced password policies

2012-01-02 Thread Steven Bellovin
On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote: >> I just went through some calculations for a (government) site that has the >> following rules: > [...] >> Under the plausible assumption that very many people will start with a string >> of digits, continue with a string of lower-case letters

Re: AD and enforced password policies

2012-01-03 Thread Steven Bellovin
On Jan 3, 2012, at 8:09 19AM, Greg Ihnen wrote: > > On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote: > >> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at >> 11:15:08PM + Quoting Blake T. Pfankuch (bl...@pfankuch.me): >> >>> However I would say 365 day expiration i

Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-05 Thread Steven Bellovin
On Jan 5, 2012, at 2:16 PM, Fred Baker wrote: > > On Jan 5, 2012, at 10:42 AM, William Herrin wrote: > >> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger >> wrote: >>> His response was there is legislation being pushed in both >>> House and Senate that would require journalling for 2 or 5 >

Re: question regarding US requirements for journaling public email (possible legislation?)

2012-01-06 Thread Steven Bellovin
On Jan 5, 2012, at 11:05 37PM, Suresh Ramasubramanian wrote: > There's no shortage of stuff that reaches you 80..90 days after the fact > > The UK voluntary retention rules make a lot more sense, compared to "a > few days", which is entirely impractical > > On Fri, Jan 6, 2012 at 9:30 AM, wro

Re: DNS Attacks

2012-01-18 Thread Steven Bellovin
On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote: > On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote: >> On 18/01/2012 14:18, Leigh Porter wrote: >>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long >>> as it is not *my* firewalls I really don't care what they

Re: Megaupload.com seized

2012-01-19 Thread Steven Bellovin
On Jan 19, 2012, at 6:44 PM, ja...@smithwaysecurity.com wrote: > You guys serious, when did the order come in to seize the domain? http://arstechnica.com/tech-policy/news/2012/01/why-the-feds-smashed-megaupload.ars has a good analysis; also see http://online.wsj.com/article_email/SB100014240529

Re: Megaupload.com seized

2012-01-19 Thread Steven Bellovin
On Jan 19, 2012, at 10:07 PM, Suresh Ramasubramanian wrote: > I would agree. They've dotted every i and crossed every t here. > > This will inevitably be followed by a prosecution of some sort and/or > there's also scope for Megaupload to sue the USG for restitution. > > It'll be interesting t

Re: Megaupload.com seized

2012-01-19 Thread Steven Bellovin
> If megaupload's corporate email was siezed to provide due diligence in > such a prosecution - it would quite probably not constitute private > mail > > On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin wrote: >> >> >>The Megaupload case is unusual, sa

Re: Megaupload.com seized

2012-01-21 Thread Steven Bellovin
On Jan 21, 2012, at 8:00 PM, Jay Ashworth wrote: > - Original Message - >> From: "Lyle Giese" > >> Not that I would not be a bit miffed if personal files disappeared, but >> that's one of the risks associated with using a cloud service for file >> storage. It could have been a fire, a v

Re: LAw Enforcement Contact

2012-01-23 Thread Steven Bellovin
On Jan 23, 2012, at 2:46 AM, Chris wrote: > The appropriately named SS mainly deals with counterfeit currency, > widespread ID theft (See also: Ryan1918) and threats to the President. Actually, they have statutory authority to deal with computer crime, too; see http://www.secretservice.gov/crimi

Dear RIPE: Please don't encourage phishing

2012-02-10 Thread Steven Bellovin
I received the enclosed note, apparently from RIPE (and the headers check out). Why are you sending messages with clickable objects that I'm supposed to use to change my password? --- From: ripe_dbannou...@ripe.net Subject: Advisory notice on passwords in the RIPE Database Date: February 9, 2

Re: Dear RIPE: Please don't encourage phishing

2012-02-10 Thread Steven Bellovin
If they're intended as a path to log in with a typed password, that's correct. Sad, but correct. On Feb 10, 2012, at 12:18 PM, Richard Barnes wrote: > So because of phishing, nobody should send messages with URLs in them? > > > > On Fri, Feb 10, 2012 at 8:56 AM, Ste

Re: Dear RIPE: Please don't encourage phishing

2012-02-10 Thread Steven Bellovin
On Feb 10, 2012, at 12:29 30PM, Randy Bush wrote: >> So because of phishing, nobody should send messages with URLs in them? > > more and more these days, i have taken to not clicking the update messages, > but going to the web site manually to get it. Yup -- I wrote about that a while back (

Re: Dear RIPE: Please don't encourage phishing

2012-02-10 Thread Steven Bellovin
On Feb 10, 2012, at 12:37 01PM, Leo Bicknell wrote: > In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush > wrote: >> more and more these days, i have taken to not clicking the update messages, >> but going to the web site manually to get it. >> >> wy to much phishin

Re: Dear RIPE: Please don't encourage phishing

2012-02-12 Thread Steven Bellovin
> > > Oh, and 'i' and 'l' need to be banned as well, because a san-serif uppercase I > looks a lot like a san-serif lowercase l. (In fact, in the font I'm currently > using, > the two are pixel-identical). > > I don't see anybody calling for the banning of 'i' and 'l' in domain names > due to

Re: public scalable vpn?

2012-02-19 Thread Steven Bellovin
On Feb 18, 2012, at 6:51 PM, George Bonser wrote: >> academics in ontario are gonna need a scalable vpn service until they >> find jobs elsewhere. >> >> http://www.cautbulletin.ca/en_article.asp?SectionID=1386&SectionName=Ne >> ws&VolID=336&VolumeName=No%202&VolumeStartDate=2/10/2012&EditionID=3

Re: Common operational misconceptions

2012-02-20 Thread Steven Bellovin
> > >> The timer for Linux is 5 minute by default but you can change it. > > Timer timeouts do not affect TCP MSS. > RFC 2923: TCP should notice that the connection is timing out. After several timeouts, TCP should attempt to send smaller packets, perhaps turning off the DF

Re: Common operational misconceptions

2012-02-20 Thread Steven Bellovin
On Feb 20, 2012, at 10:27 PM, Masataka Ohta wrote: > Steven Bellovin wrote: > >>> Timer timeouts do not affect TCP MSS. > >> RFC 2923: >> TCP should notice that the connection is timing out. After >> several timeouts, TCP should attempt to se

Re: do not filter your customers

2012-02-24 Thread Steven Bellovin
On Feb 24, 2012, at 7:46 40AM, Danny McPherson wrote: > > On Feb 23, 2012, at 10:42 PM, Randy Bush wrote: > >> the problem is that you have yet to rigorously define it and how to >> unambiguously and rigorously detect it. lack of that will prevent >> anyone from helping you prevent it. > > Yo

Re: do not filter your customers

2012-02-24 Thread Steven Bellovin
On Feb 24, 2012, at 2:26 14PM, Danny McPherson wrote: > > On Feb 24, 2012, at 1:10 PM, Steven Bellovin wrote: > >> But just because we can't solve the whole problem, does that >> mean we shouldn't solve any of it? > > Nope, we most certainly should deco

Re: BBC reports Kenya fiber break

2012-03-01 Thread Steven Bellovin
On Feb 29, 2012, at 11:17 17AM, Marshall Eubanks wrote: > On Wed, Feb 29, 2012 at 10:08 AM, Justin M. Streiner > wrote: >> On Wed, 29 Feb 2012, Rodrick Brown wrote: >> >>> There's about 1/2 a dozen or so known private and government research >>> facilities on Antarctica and I'm surprised to see

Re: Most energy efficient (home) setup

2012-04-18 Thread Steven Bellovin
On Apr 18, 2012, at 5:55 32PM, Douglas Otis wrote: > On 4/18/12 12:35 PM, Jeroen van Aart wrote: >> Laurent GUERBY wrote: >> > Do you have reference to recent papers with experimental data about >> > non ECC memory errors? It should be fairly easy to do >> Maybe this provides some information: >>

Re: Most energy efficient (home) setup

2012-04-19 Thread Steven Bellovin
On Apr 19, 2012, at 6:31 43PM, Douglas Otis wrote: > On 4/18/12 8:09 PM, Steven Bellovin wrote: >> >> On Apr 18, 2012, at 5:55 32PM, Douglas Otis wrote: >> > Dear Jeroen, >> > >> > In the work that led up to RFC3309, many of the errors found on the &

Re: Host scanning in IPv6 Networks

2012-04-20 Thread Steven Bellovin
Also see https://www.cs.columbia.edu/~smb/papers/v6worms.pdf (Worm propagation strategies in an IPv6 Internet. ;login:, pages 70-76, February 2006.) On Apr 20, 2012, at 3:08 50AM, Fernando Gont wrote: > FYI > > Original Message > Subject: IPv6 host scanning in IPv6 > Date: Fri

Re: Protocols for Testing Intrusion Detection?

2012-05-15 Thread Steven Bellovin
On May 14, 2012, at 7:52 PM, Bill Stewart wrote: > > - Is there any application that can actually set the RFC3514 Evil Bit? Code was added to FreeBSD to set it (though I think the commit was later reverted); see the change logs at https://www.cs.columbia.edu/~smb/3514.html --St

Re: F-ckin Leap Seconds, how do they work?

2012-07-02 Thread Steven Bellovin
On Jul 2, 2012, at 11:47 AM, AP NANOG wrote: > Do you happen to know all the kernels and versions affected by this? > > See http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html --Steve Bellovin, https://www.cs.columbia.edu/~smb

Re: FYI Netflix is down

2012-07-02 Thread Steven Bellovin
On Jul 2, 2012, at 3:43 PM, Greg D. Moore wrote: > At 03:08 PM 7/2/2012, George Herbert wrote: > > If folks have not read it, I would suggest reading Normal Accidents by > Charles Perrow. Strong second to that suggestion. --Steve Bellovin, https://www.cs.columbia.edu/~smb

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Steven Bellovin
On Jul 3, 2012, at 5:06 PM, Peter Lothberg wrote: > > > On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no > "-" No, but they're allowed; see Figure 9 of RFC 5905: LI Leap Indicator (leap): 2-bit integer warning of an impending leap second to be inserted or deleted i

Re: F-ckin Leap Seconds, how do they work?

2012-07-05 Thread Steven Bellovin
On Jul 5, 2012, at 10:49 48AM, Peter Lothberg wrote: >>> On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no >>> "-" >> No, but they're allowed; see Figure 9 of RFC 5905: > > Steve, > > I commented that it was stated that we were doing both positive and > negative correction

Fw: new message

2015-10-25 Thread Steven Bellovin
Hey! New message, please read <http://baldrfilm.nl/mind.php?5f3> Steven Bellovin

Fw: new message

2015-10-25 Thread Steven Bellovin
Hey! New message, please read <http://bambooco.ru/ladies.php?5al> Steven Bellovin

Fw: new message

2015-10-25 Thread Steven Bellovin
Hey! New message, please read <http://maaike.info/could.php?b> Steven Bellovin

Fw: new message

2015-10-26 Thread Steven Bellovin
Hey! New message, please read <http://wbank.info/company.php?bc> Steven Bellovin

IPMI vulnerabilities

2013-07-02 Thread Steven Bellovin
http://www.wired.com/threatlevel/2013/07/ipmi/ Capsule summary: watch out! --Steve Bellovin, https://www.cs.columbia.edu/~smb

Practical effects of DNSSEC deployment

2013-08-16 Thread Steven Bellovin
There was an interesting paper at Usenix Security on the effects of deploying DNSSEC; see https://www.usenix.org/conference/usenixsecurity13/measuring-practical-impact-dnssec-deployment . The difference in geographical impact was quite striking. --Steve Bellovin, https://www.cs

Re: Filter-based routing table management (was: Re: minimum IPv6 announcement size)

2013-09-28 Thread Steven Bellovin
On Sep 26, 2013, at 11:07 AM, John Curran wrote: > On Sep 26, 2013, at 4:52 AM, bmann...@vacation.karoshi.com wrote: > >> sounds just like folks in 1985, talking about IPv4... > > If there ever were a need for a market/settlement model, it is with > respect > to routing table slots. h

Re: Hubs on a NIC (was:Re: what about 48 bits?)

2010-04-07 Thread Steven Bellovin
On Apr 7, 2010, at 11:03 16AM, Joe Greco wrote: >> On Wednesday 07 April 2010 07:18:57 am Joe Greco wrote: >>> To me, this is a Dilbert-class engineering failure. I would imagine that >>> if you could implement a hub on the network card, the same chip(s) would >>> work in an external tin can wit

Re: Finding content in your job title

2010-04-07 Thread Steven Bellovin
On Apr 7, 2010, at 4:28 32PM, Martin Hannigan wrote: > On Tue, Mar 30, 2010 at 11:14 PM, Steve Bertrand wrote: > > [ snip ] > > >> >> For instance, I like to present myself as a 'network engineer'. I have >> never taken formal education, don't hold any certifications (well, since >> 2001), a

Re: Cheers to the Communication Committee [was: Likely /8 Scenario - Carriers will TAKE what they want ?]

2010-04-08 Thread Steven Bellovin
On Apr 8, 2010, at 6:39 45PM, Michael Dillon wrote: >> I guarantee you the Communications Committee is on the job. What's more, >> they are doing a GREAT job - for no money and apparently no gratitude. It >> is worse than thankless, no matter what they do they will be derided. >> Filter som

Re: Rate of growth on IPv6 not fast enough?

2010-04-19 Thread Steven Bellovin
On Apr 19, 2010, at 1:22 31PM, Bryan Fields wrote: > On 4/19/2010 10:14, Patrick Giagnocavo wrote: >> The eyeball ISPs will find it trivial to NAT should they ever need to do >> so however, something servers cannot do - you are looking at numbers, >> not operational considerations. > > LSN is no

Re: any "bring your own bandwidth" IPv4 over IPv4 tunnel merchants?

2010-05-03 Thread Steven Bellovin
> > > - many ISPs, especially cable modem, have annoying policies that say > you can't run a server at home. But many don't. Right. Often, this is due to a combination of technology limitations -- with DSL, upstream and downstream bandwidths are tradeoffs; with cable modems, limited upstream

BGP (in)security makes the AP wire

2010-05-09 Thread Steven Bellovin
http://www.nytimes.com/aponline/2010/05/08/business/AP-US-TEC-Fragile-Internet.html It's a pretty reasonable article, too, though I don't know that I agree about the "simplicity of the routing system" --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: BGP (in)security makes the AP wire

2010-05-09 Thread Steven Bellovin
On May 9, 2010, at 12:30 47PM, Eugen Leitl wrote: > On Sun, May 09, 2010 at 10:54:46AM -0500, Larry Sheldon wrote: > >> And when I drive someplace, I do indeed go by the signs I see, which are >> not erected by a central authority, as I move along. (I don't have a >> route from here to Fairbank
