Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Re:Linux
You seem to be indicating that this plan is for University owned Staff/Faculty/lab machines only. If this is the case, it's no different than standard business policy, and it's just good sense (why would it need to be mandated from on high?).
I did no such thing. The policy is for all devices connecting to the University network. As others have noted, students are free to not use the network if the policy bothers them. Naturally it does not need to be "mandated from on high", yet it is. Data exposures are a big deal in the public sector so we've been given a strict mandate.
GP thinks the plan you're implementing at your superior's request is for student-owned computers that they're using on campus. If that's true, then you'd be a wimp for not quitting when the Trustees planned a "let's roger the students" policy. You furthermore would be a fool for thinking "it's really not that big of a deal."
It's funny, but I've always considered myself as the one to stand up when I feel someone is being wronged or a policy violates someone's rights, but this argument is almost comical. You think it's a significant issue for a network to require a virus scan for access?? Students are not required to use the network and not required to have their own computers. If they want access, they are required to abide by very minimal policies and rules. No one is scanning their traffic, monitoring their e-mails, watching their every move. If they want to download porn or music or software that is their business. The mandate is to do the absolute least that is required to protect the University and the other network users. Would I chose NAC or CleanAccess necessarily if it were my decision? Probably not, but that doesn't make it a poor solution.
I don't know what industry (if any) you work in, but who the hell quits over something as insignificant as forcing a virus scan? If you aren't familiar with NAC, have a read.
-
Re:These look cool - but not for RAM
I work for Cisco, so this post is biased.
If you want to know more about Intel Nehalem 55xx architecture.
It explains that a server manufacturer using the Intel Nehalem 55xx processor can support up to 3, 6 or 9 DIMMs/socket. This corresponds with a memory bus speed of 1333, 1066 or 800MHz. The latter is not often implemented and would give you (9x2x8GB) 144GB in a dual socket system.
What Cisco did is develop a patented "memory switch" which presents up to 4 DIMMs as 1 to the processor, MULTIPLYING THE ALLOWED RAM TIMES FOUR. If the memory is running at 1066MHz this gives you 48 DIMMs. If the memory is running at 800MHz this would allow up to 72 DIMMs in one server. The latter one has not been implemented.
Where would you ever need this kind of memory?
* Running VMware ESX, XenServer,... and assuming 3-4GB per VM -> imagine 96 VMs per physical box
* imagine running a 300GB MySQL database out of RAM without the need of a high end machine
Also the price per GB is not linear for memory. 8GB costs currently way more than 4x 2GB. So if you still don't need the 384GB memory, you can fill the 48 DIMMs with 2GB and have a 96GB RAM server for a lower price.
There are also a lot of other features which are really different and better than the competition, such as centralized management per 320 servers. In more enterprise environments customers can also consolidate their SAN and their LAN network by using open standard FCoE.
Please check it out at Cisco - Unified Computing System
-
Sorry Virtualization.
Where Cisco is going to shine is in virtualization unification or, to put it another way, better management of virtualized resources, e.g. storage, network, server. Right now admins are experiencing an explosion in their workload with all these technologies and of course staffing shortages. But there's little standardization in that space.
-
Re:Take that, HP!
When a company has over 30 billion dollars in liquid assets (Excel warning), entering a market that's closely related to the one it's currently in does not classify as ballsy, even if said market has competitors.
-
Re:Cell phone
B. Will this conflict with school policy? Ideally, the phone will be in silent mode during the school day, and my son will have enough discipline to not get himself in trouble with it, and have it confiscated as a result.
Good luck
Most school policies ban all cellphones. You're supposed to keep them in your locker, which I wouldn't do. I had a smartphone as a part of my internship from High School, I wasn't going to risk losing or getting it stolen. I kept it in my pocket at all times on silent, not even vibrate. I never had any problems. I would only take it out to check the time, nothing more.
I ended up having more trouble with a stupid teacher taking away my laptop because she thought that Packet Tracer was a game.
-
Re:Lots of flowcharts!
Good question on what best practices means and who defines it. I will define best practices as "Those practices that industry has determined by consensus as being the right way to do something". Sometimes vendors describe their own best practices, but what they describe is not always the consensus in the field. I worked as a consultant for one of the major vendors for a while, and we ran into this in the field where the vendor's best practice did not match the consensus in the field.
One of the things I have done to describe things in the past where a consensus had not been reached is tell clients something was a "common practice". I think any practice has to spend time in the common practice area before it can become a best practice, and I would be explicit with my clients if something did not match best practices. I have also many times told clients that there is more than one "school of thought" when it came to something with contradictory common practices.
Sources of best practices that I have used beyond my personal experience:
- Companies such as Cisco, Altiris and Microsoft typically produce whitepapers and publish other work that describe best practices.
- Any number of forum sites also produce best practices.
- I read books that cover best practices, and study for new skills (presently getting ready to take my CISSP which is all about best practices)
- I read trade journals, attend user groups and hear what the vendor has to say
- I spend time on forum sites
- I continue my education taking classes at night.
- The best resource of all, without question, has been the people that were senior to me that were willing to let me ask 101 questions on "why" they did something. Learning to listen when someone describes why something was or wasn't done a certain way, and to look past the immediate technical solution I thought was best, was the most important thing I ever developed.
-
Need a backup person or vendor as well
Read a lot of good posts and ideas so far here. From my perspective, the most cost effective solution for you and the business is, you need a backup engineer for in case you do get hit by that bus. Having a person knowledgeable enough about your network to keep it running in the event you are incapacitated for a length of time is by far the most beneficial, if for no other reason, because of the quick turnaround time they can come in and take over vs. the company looking for another engineer, and the time it takes to learn the network and scrounge through docs you created.
Very few documents are actually that meaningful if the engineer is halfway competent so as others have mentioned, no need to go documentation crazy. There are key docs I feel though that should be created and maintained and have been mentioned above.
1) Passwords, I cannot stress this enough, get all accounts privileged accounts and service accounts documented with passwords and secured somewhere (preferably off the network, such as a USB key with the data on it in a safe) as without this, it can be a very ugly scene.
2) Next, overall, logical and physical network diagrams are paramount. If done correctly can make troubleshooting a breeze, and a nightmare if not done correctly. One link that I like is a reference to a best practice guide about the Cisco 4000, 5000, and 6000 series equipment found here ( http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#management_cfg ). Go to the network diagrams section and review the overall, physical, and logical section. Create your docs with this as a guide and any engineer who may have to troubleshoot the network will love you for it.
3) The answer to what 'other' documents should I create? Comes from you. Knowing what you know about your network, pretend you are coming into the network for the first time, and ask yourself, what I would wish I knew about this network? Make a list of your business critical functions where people would be screaming if the service was inaccessible. Document what would be useful info in a DR scenario of recovering the service. This leads me to the last doc I would recommend as useful only as an insurance policy for the business.
4) A procedural document of how to recover various business critical services. Again, key focus is on business critical, business users or clients will care less about non business critical services or be a lot more forgiving. This can assist greatly an engineer if good recovery procedures are documented, especially in area where customizations have been done (i.e. scripts and what not)
The other biggest important thing you should do is manage the businesses expectations. Talk with the business to get feedback as to What are the business critical services and document them. Next, get your Service Level Agreements ( SLAs ) agreed upon between you and them. And make sure you can meet them. If not, get a projects/tasks list together of what needs to be done so that either A) the business will fork over cash to meet agreed upon SLAs or B) they will accept the current SLAs.
The SLAs are important because it will force you to take a hard look at the network to see if you are meeting their expectations. That is really what it all comes down to. When I.T. does not meet expectations is when the business gets all bent outta shape. Manage the expectations and get your SLAs agreed upon for restoration of services and you will be ok.
One more link that can help in ensuring you can meet SLAs is getting your RTO and RPO defined for your business critical services. Here is a nice easy link that talks about this that should help you.
( http://findarticles.com/p/articles/mi_m0BRZ/is_3_24/ai_n6017376/ )
Good Luck!
-
Re:could someone explain what the issue is here?
Every corporate VPN I have ever used has, as part of its function, disabled all network interfaces other than the one it was using once a connection was established. In addition it would prevent any traffic from going through the "normal" connection. The idea was that a machine should never have connectivity to both the internal network and the outside world simultaneously.
And, of course, the simplest away around this from a user perspective is to isolate the corporate VPN session inside of a VM. I have to connect to many customers' VPNs simultaneously from my work laptop as part of my job (and still be able to access my office network, too), and doing otherwise would be terribly inconvenient. Using VMs, however, each session is isolated from the other, and my host session remains connected to my office from home through a Cisco 871W which has a dedicated VPN tunnel/VLANs for that. Now, all I have to do is convince my boss that I really need a Cisco Unified Wireless IP Phone 7921G *grin*
-
Re:WPA2 Enterprise is pretty darn secure.
We have a Cisco Aironet 1130AG IEEE 802.11 A/B/G Access Point.
I think ours is not even being used at this point. I think the only way someone could get into that when setup properly is for them to steal the laptop and drive into range. It's old (I think ours is only a and g, no b), has good range and is fast, at least 50mbs when tested, but damn did it cost a lot more than the consumer stuff.
I would think wireless would be pretty safe when connecting computers but other stuff like printers and everything having a bluetooth device on it somewhere has me a little worried.
When we get more money and we have to upgrade, I'm thinking mostly laptops that most of which would stay here. The CAD would still need old fashion boxes though.
-
Re:I want IPv6 support, but ...
Not sure about this but my friend has a RVS4000 and it seems to have it, LAN does anyway.
-
Re:101mbps impossible.
The cable modem they're using has a gigabit port.
-
Re:Blah Blah Blah
If the Cisco Video Surveillance Media Server is anything to go by the statement "They suck at everything else." is 100% correct.
We bought one of these at work and spent WAY too much money on it. I can't even begin to tell you how much this system sucks ass and was a HUGE waste of money.
-
yeah, but will it be 32bit only?
it's 2009, years after we were supposed to have flying cars, most new computers are 64bit, and Cisco refuses to release a 64bit IPSec client: "For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client." So umm...we're supposed to think they have any clue what's going on above layer 4 these days? What are they going to be installing on these servers, Windows2000?
-
Re:If you really like CLI and have decent knowledg
GUI in routers do provide a quick glance as to what is going on. High end Cisco routers do NOT have a nice web-gui as it is entirely CLI based except for some home versions of the PIX.
Well, the PIX isn't really a *router*. But as long as you mentioned the Cisco firewall product line (which includes the ASA), have you tried ASDM? It's maturing into a pretty useful way to admin a Cisco firewall through a GUI.
http://www.cisco.com/en/US/products/ps6121/index.html
When you said "home version of the PIX", I assume that you are referring to the PIX 501 and possibly the 506. Those devices can run the PDM GUI interface which is kinda clunky.
-
Re:whats it give us?
I've had the opposite experience. The (WDS) deployment process makes a lot more sense to me than RIS, the network stack improvements will be worthwhile once Vista/7 gets broad client deployment (see http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/extmsftw2k8vistacisco.pdf for Cisco's take). Shoot, the TS Gateway alone is worth the cost of admission if you're a Windows shop and have users who need to access their desktops. Multi-site clustering is interesting too, although we're not using clustering now.
I like Server 2008 so much I run it on my laptop. (MSDN subscription makes the licensing cost irrelevant for me.)
It's probably not worth it to upgrade all your boxes from 2003 to 2008, but for new server deployments in a Windows shop, I'd recommend it.
-
Re:Vendor B ancient IOS
I believe this has been shown incorrect; from the article:
As it turns out, the reason for all those routing resets and general instability was due to a previously unknown Cisco bug involving AS paths close to 255 in length.
(emphasis mine). More info:
http://blog.ioshints.info/2009/02/oversized-as-paths-cisco-ios-bug.html
And the Cisco description (the bug ID, CSCsx73770, is linked in there, but you need a login to access it):
http://tools.cisco.com/security/center/viewAlert.x?alertId=17670
-
Mod parent up
Mod the parent up - this is the real cause of the problem.
would stop this on most routers.
-
Re:Spanning Tree
:) I'm pretty sure that's what I do. I was lazy to log in and look though, and since I don't use it all the time, I don't know it off the top of my head....Ok, here's one of my desktop switch ports (we all have Catalyst switches on our desks, don't we?)
  interface FastEthernet0/9
   duplex full
   speed 100
   spanning-tree portfast
There's a nice big warning on the Cisco site about it, which describes what they had...
Caution: Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers. These connections can cause physical loops, and spanning tree must go through the full initialization procedure in these situations. A spanning tree loop can bring your network down. If you turn on PortFast for a port that is part of a physical loop, there can be a window of time when packets are continuously forwarded (and can even multiply) in such a way that the network cannot recover.
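One way to catch the misuse the Cisco caution above warns about is to audit the running configuration for PortFast ports that sit on trunks or that lack BPDU Guard (the IOS interface command `spanning-tree bpduguard enable`, which err-disables an edge port the moment a BPDU arrives on it). The following is an added example, not code from the comment or from Cisco; the running-config text it parses is constructed, and the interface names, descriptions and one-space indent are assumptions about a generic IOS-style config dump rather than output from any real device.

```python
"""Audit an IOS-style running-config for risky PortFast usage.

Added example, not from the original comment or from Cisco. The config text
below is constructed for the demo; interface names and settings are made up.
"""

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description second uplink
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS-style
    config. Interface stanzas start with 'interface ...' and end at '!'."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_portfast(config):
    """Return (interface, finding) tuples for PortFast ports that need a look.

    'portfast-on-trunk': PortFast on a trunk/uplink, the exact case the
        Cisco caution says never to configure.
    'portfast-without-bpduguard': PortFast with no BPDU Guard, so a switch
        plugged into the port can forward traffic before STP converges.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        has_portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        if not has_portfast:
            continue
        if "switchport mode trunk" in lines:
            findings.append((name, "portfast-on-trunk"))
        if "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "portfast-without-bpduguard"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_portfast(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against a real `show running-config` dump, the script points at two kinds of port: uplinks where PortFast should simply be removed, and access ports where adding BPDU Guard turns the loop window the caution describes into an err-disabled port and a log line instead of a network-wide outage.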
-
Padmasree Warrior was at Cisco less than a year.
You can read about Padmasree Warrior on the Cisco web site. There is a link to a biography of her. (PDF)
Quoting from that biography: "Warrior joined Cisco in 2007." She is not the source of Cisco's problems; those problems were huge long before 2007. Ms. Warrior left Motorola on December 4, 2007. It is not correct to imply that she had a strong connection with Cisco. She was there less than a year.
Another quote: "Prior to that, she was the CTO at Motorola, where she led a team of 26,000 engineers and directed Motorola Labs, with an annual R&D budget of $3.7 billion."
Quote from another source: "Did Motorola do the right thing and retire the head of Thoughtbeam when they shuttered the operation? Nope, in a Dilbert moment they promoted Thoughtbeam's leader Padmasree Warrior to Chief Technology Officer of the entire Motorola company"
Maybe Ms. Warrior helped create Motorola's problems. Motorola has been on a loooong, slow downward slide.
When Intel's 8600 was released the vice-president of technology at the company where I worked was very unhappy. The architecture is poor, as anyone who has programmed in assembly language knows. For a time there was a hope that the 68000 would take over the market. But Motorola's management wasn't able to take advantage of that temporary superiority.
Motorola's Semiconductor Products Sector is now Freescale Semiconductor.
Other people also think Motorola's management is amazingly weak. For example, Carl Icahn said this: "It is essential to the future of Motorola that its directors realize that the BOARD, especially at this precarious time, is NOT A COUNTRY CLUB OR A FRATERNITY, and that truly "qualified" people whose interests are truly aligned with Stockholders, are needed..."
You said, "I personally think the best person for the role would be a non-partisan, non-corporate figure." That's what I think, also.
-
not sure if that's better or worse
As with much procurement, one of the big problems with IT in government is that it's more geared towards the profit needs of the contractors than towards the actual IT needs of the government---it buys what companies want to sell it.
It seems like a Cisco guy is pretty unlikely to put an end to that, since Cisco has a nice gravy train. Though I guess it's better than an Oracle guy.
-
Hiding IPv6 internal network behind NAT
So you want to hide your internal IPv6 network behind a NATv6 facade?
It's currently under discussion/development.
- IETF Draft: IPv6-to-IPv6 Network Address Translation (NAT66) (Nov 2008).
- 6net.org: IPv6 Network Architecture Protection (Jan 2005) - see 4.4 Privacy and topology hiding using IPv6 section.
- Cisco white paper: IPv6 Local Network Protection with Cisco IOS Routers and Switches - see Topology Hiding section.
-
D-Link and Cisco routers support IPv6
> The only router claiming IPv6 support in their specifications is the Apple Airport. Linksys and D-Link apparently have plans, yet nothing in the user documentation.
D-Link and Cisco support IPv6. The D-Link-supported routers (a firmware update may be needed) are: DI-784 abg, DI-524 bg, DI-624 bg, WBR-1310 g, WBR-2310 g rangebooster, DIR-615 n. See p. 16 of Ref: http://www.ipv6.org.tw/summit2008/doc/1-4-4.pdf
On p. 15, they say: "Not only [does D-Link] meet IPv6 Ready logo requirements, but also upper layer IPv6 connection mechanisms: Static IP, DHCPv6 (Stateful), DHCPv6 (Stateless), PPPoE, IPv6/IPv4 Tunneling, 6to4 Tunneling, Autoconfiguration, Link-Local connection."
Personally, I use a free IPv6 tunnel service from http://www.tunnelbroker.net/ provided by Hurricane Electric.
I don't use Cisco at home, but IPv6 information is at http://www.cisco.com/ipv6/
-
Re:If they do
Linksys/Cisco 500 series. Retail $595, you can get them around the 380-450 price range. http://www.cisco.com/cisco/web/solutions/small_business/products/routers_switches/500_series_secure_routers/index.html
-
Re:If they intend to waste a lot of addresses...
what percentage is going to be wasted?
Surely most of each assigned range. It is intended that each local LAN segment will have 2^64 usable addresses, half of which are intended to be globally unique and half which aren't. However there is nothing to stop someone from subnetting smaller networks than a /64; it will just break the stateless autoconfiguration ability so you need to assign static addresses or use DHCP6.
Heck, I have a /48--2^16 networks of 2^64 useable addresses--through a tunnel broker and I'm using less than a dozen addresses.
> And why is it a good idea to make routing tables simple? IPv4 routing tables must be hideous if we're running out of IPv4 addresses.
They are. For each packet a router has to compare the destination to a list of routes to determine where to send the packet. If all the addresses starting with 2001:0db8: by design are accessible by the same border router then your routing tables can be much simpler. That is not the case with IPv4, and the routable address space is about to increase by many orders of magnitude.
Simplified routing makes a huge difference on backbone routers.
-
The subject should read Cisco to RE-launch...
Cisco used to be in the blade business. Some of us got to be guinea pigs with the ICS 7750. Then they abandoned us. How will this be different?
-
Re:Great, more Cisco garbage...
Their higher-end ASA firewalls and Call Manager systems are just HP servers with a different paint job.
The ASA5580 is just a HP DL580. http://www.cisco.com/en/US/products/ps6120/index.html
Probably twice as expensive too.
-
Re:To this whole chain of comments, I would like
dunno, but cisco have this: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/Data_Sheet_C78-437757.html 32 ports of 10Gb with 80Gb fabric.
-
Cisco already makes a product to do this - WAAS
It is like Rsync on steroids. Cisco's WAN optimization and Application Acceleration product allows you to "seed" your remote locations with files. It also utilizes some advanced technology called Dynamic Redundancy Elimination that replaces large data segments that would be sent over your WAN with small signatures.
What this means in a functional sense is that you would push that 4 Gig file over the WAN one time. Any subsequent pushes you would only sync the bit level changes. Effectively transferring only the 10 megabytes that actually changed.
While it is nice to get the propeller spinning, there is no sense reinventing the wheel.
Cisco WAAS - http://www.cisco.com/en/US/products/ps5680/Products_Sub_Category_Home.html
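The post above describes the idea in prose: send a large file once, then send only small signatures for the segments the far side already holds. The following is an added example, not code from the comment or from Cisco WAAS; it shows the rsync-style mechanism in miniature with fixed-size chunks and SHA-256 signatures (a real product uses its own chunking and signature scheme), and the chunk size, file contents and edit position are constructed for the demo.

```python
"""Signature-based redundancy elimination over a WAN link, in miniature.

Added example, not code from the original comment or from Cisco WAAS.
Fixed-size chunking and SHA-256 signatures are a constructed, simplified
stand-in for whatever a real product does.
"""
import hashlib

CHUNK_SIZE = 4096   # bytes per chunk; constructed choice
SIG_SIZE = 32       # SHA-256 digest length: the cost of sending one reference


def chunk(data, size=CHUNK_SIZE):
    """Split data into fixed-size chunks (the last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def encode(data, peer_cache):
    """Sender side. Returns wire tokens: ('ref', sig) when the receiver
    already holds the chunk, ('raw', chunk_bytes) otherwise. peer_cache is
    the sender's record of which signatures the receiver has stored."""
    tokens = []
    for c in chunk(data):
        sig = hashlib.sha256(c).digest()
        if sig in peer_cache:
            tokens.append(("ref", sig))
        else:
            tokens.append(("raw", c))
            peer_cache.add(sig)
    return tokens


def decode(tokens, store):
    """Receiver side. store maps signature -> chunk bytes; every raw chunk
    is stored so that later references resolve. Returns the rebuilt data.
    A reference to a signature the receiver never got raises KeyError,
    which is the correct failure: never guess at missing content."""
    parts = []
    for kind, payload in tokens:
        if kind == "raw":
            store[hashlib.sha256(payload).digest()] = payload
            parts.append(payload)
        else:
            parts.append(store[payload])
    return b"".join(parts)


def wire_bytes(tokens):
    """Bytes that actually cross the WAN for a token list."""
    return sum(SIG_SIZE if kind == "ref" else len(p) for kind, p in tokens)


def make_data(n_bytes):
    """Deterministic pseudo-random file content (constructed input)."""
    blocks = (n_bytes + 31) // 32
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n_bytes]


def run_demo():
    """Push a 1 MiB file, then push it again after a 10-byte edit."""
    sender_view = set()     # sender's model of what the receiver holds
    receiver_store = {}
    first = make_data(1 << 20)
    edited = bytearray(first)
    edited[5000:5010] = b"X" * 10   # the edit lands inside chunk index 1
    edited = bytes(edited)

    t1 = encode(first, sender_view)
    r1 = decode(t1, receiver_store)
    t2 = encode(edited, sender_view)
    r2 = decode(t2, receiver_store)
    return {
        "roundtrip_ok": r1 == first and r2 == edited,
        "first_wire": wire_bytes(t1),
        "second_wire": wire_bytes(t2),
        "raw_chunks_second": sum(1 for k, _ in t2 if k == "raw"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The first transfer sends every chunk raw; the second sends one raw chunk plus 255 32-byte references, so a 1 MiB push costs about 12 KB on the wire. The design point worth noticing is that the receiver substitutes stored content for a signature without seeing the original, so the signature must come from a collision-resistant hash: with a weak one, two different segments sharing a signature would silently corrupt the reconstructed file.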
-
Re:5 years to bulk email links to archives?
What like this:
- Go to
- Click on "Downloads"
- Select your product category (e.g. wireless router)
- Select your product (e.g. WRT54G)
- Select your product version (e.g. 2.0)
- Click on "Click here to view GPL Code" link
This brings you to the following page (for the US): WRT54G GPL Code Web Page. That page also lists the following FTP site: Cisco/LinkSys Open Source FTP site
So what are they missing that the FSF thinks they need to sue over?
-
Re:Libraries
You're right in the first part. But...
>> Nowadays people are fast at work in patches that make IPv6 compatible in the sense of (ii).
That a lot of systems are capable of IPv6 doesn't mean the Internet has been migrated, or will be in the short term.
For example, there is a nice (and a bit depressing) article available at http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-3/113_ipv4.html
... extract follows:
"From this observation it appears highly likely that the demand for IPv4 addresses will continue at rates comparable to current rates across the IPv4 unallocated address pool and after it is exhausted. The exhaustion of the current framework of supply of IPv4 addresses will not trigger an abrupt cessation of demand for IPv4 addresses, and this event will not cause the deployment of IPv6-only networks, at least in the short term of the initial years following IPv4 address pool exhaustion. It is therefore possible to indicate that immediately following this exhaustion event there will be a continuing market need for IPv4 addresses for deployment in new networks"
-
Re:A little extreme there, don't you think?
exactly. the argument espoused in this article is fundamentally flawed. in fact, it reads like it was written by an industry mouthpiece for the sole purpose of demonizing P2P users with absolutely no regard to logic or reality.
first off, as you said, it's impossible for the "download fiends" to actually use more than their share of bandwidth. if i have a 56K dial-up connection, there's no way for me to just decide, "hrmmm, this isn't fast enough for me. i think i'll be a dick and download at 9 Mbps by stealing bandwidth from my neighbors."
secondly, the author seems to be suggesting that everyone should use, or have access to, the exact same amount of bandwidth regardless of what they paid for, and that this level of bandwidth is decided by how much he personally uses/needs. well, that's very convenient for him and the ISPs. most of us are paying for 3+ Mbps connections, some people are paying for much more than that, but i guess we should all only be allowed to use 1~3% of the bandwidth we paid for because that's how much the author needs for his daily web surfing, e-mail, and posting of shitty articles on the web.
but why stop there? why not divide up internet bandwidth evenly between all 6.6 billion people around the globe. total global broadband internet bandwidth was estimated by Cisco to be 5,372 petabytes per month in 2008. divided up between 6.6 billion people means we all get a 0.00265869476 Mbps connection--that's each person's 'fair share' of internet bandwidth. of course, we would all have faster internet connections if it weren't for those darn greedy business/enterprise internet subscribers.
internet bandwidth isn't a fixed commodity, or a limited natural resource. technology has always been driven by consumer demand, and broadband internet is no different. it's bandwidth-intensive applications like P2P, streaming-video/audio, enterprise applications, etc. that create the push for infrastructure upgrades and ever-increasing connection speeds/network capacities. it's idiotic to accuse "power users" or "downloaders" of destroying the internet or stealing other people's bandwidth. it's even more idiotic to think that everyone should use as little bandwidth as you do, as there's always going to be a someone who uses even less bandwidth. artificially manipulating internet usage while overselling more and more is what's going to cause broadband connection quality to continue to decrease. meanwhile, there are ISPs in Japan and Korea who are doing the exact opposite by increasing network capacity and connection speeds to meet the growing demand. perhaps if ISPs in the U.S. and Canada focused on making technological progress rather than opposing it, we'd be rolling out 1 Gbps symmetric broadband connections too, rather than fussing over people actually using their 3-4 Mbps connections.
-
Re:WPA2 is NOT broken
Part of the clue is with WEP...but not much less either
I disagree. WEP was a marketing phrase -- "See? Our wireless networking gear is just as secure as traditional wired networks!" Unfortunately, it wasn't. WEP was flawed from the start because of some mistakes made in the implementation of encryption (I don't recall exactly what was wrong and I'm too lazy to Google it, but IIRC, they implemented RC4 incorrectly). A more telling clue about the security (or lack thereof) of WEP was in a quote I found while researching wireless networking for a college presentation: "Installing a wireless LAN may seem like putting Ethernet ports everywhere, including in your parking lot." (Cisco Systems document, "Wireless LAN Security"). You are correct that if you are on the inside, getting access to a wire is not terribly difficult. However, if you don't have access to my facilities, getting access to my wired network just got orders of magnitude harder. It might still be possible, but it's certainly not as easy as simply plugging into an empty network jack. For that matter, where I work, we turn off unused network jacks, so even if you get inside the building, you still won't have physical access to my network unless you unplug someone else's connection -- which will probably be noticed, even if it's only for a few seconds while you connect a switch. But it's worse than that, because on my switch, I can filter ports by MAC address, so unless you find an active port *and* clone a valid MAC address for that port you still won't have access.
If all you want to do is passively sniff traffic that is flowing through a wire, then it's certainly much easier for you -- all you have to do, as you state above, is insert a sniffer between a valid network host and the network jack and you're golden...but that's once you are inside my building. Fortunately, I work in a small enough company that if someone unknown starts mucking around with our network cables, someone is going to get suspicious, so even passively sniffing isn't as easy as you suggest.
With WEP -- and now WPA, as well -- all you have to do is sit in your car on the street outside my building, take ten to fifteen minutes (according to the summary above, anyway) and you can sniff to your heart's content. Sounds much easier than gaining access to my wired network, IMHO.
-
Re:what am I missing with this article?
Very informative, thanks!
I found some additional documentation on Cisco's web site about this too. For reference..
-
Re:what am I missing with this article?
Collisions still occur when multiple computers try to talk to a single computer at once.
Collisions occur when there is more than one sender on a collision domain; they don't have to be sending to the same host. Imagine you have four computers on a hub. Computer A sends a message to B while C simultaneously sends a message to D -- this is a collision.
When a packet is sent to a hub the hub immediately sends it out all ports -- it's like a set of spliced together wires. A switch switches, it tries to figure out what port it should send it to based on the destination MAC address, then sends it just to that port. This way multiple packets could be sent to different hosts on the same switch at the same time without causing a collision.
And yes, switches do have outbound buffers for each port so that if two sources try to send to the same host they can be done in sequence rather than causing an outbound collision on the destination port's collision domain. I am not sure what happens if this buffer becomes full; I had always assumed the switch would just begin dropping the packets (as indicated by this Cisco document). I'd be interested to read any sources you might have that talk about generating collision messages though. -
Here are the demos on YouTube.
-
Re:iChat
if you don't mind proprietary solutions, might i suggest cisco meetingplace. it works very well, even with "express", which we've recently shown off to the C-level parade at my workplace
being a rather medium sized organization (muni level government organization with approx. 3880 employees), we paid a bit more than a smaller company would for the product, but let me brag about it for a moment:
- screencasting
- integrated chat
- runs as a browser plugin
- integrated conference calling
- scheduled or ad-hoc meetings
- high quality streaming video
- LDAP integration
- integrated presence
the list can go on for quite a bit. cisco is premium, but i can honestly say you get what you pay for. scott adams seemed to like it, anyways... http://newsroom.cisco.com/dlls/partners/news/2006/pr_prod_06-12.html
-
Re:SSL, anyone?
Yep the spam form was what I was getting at.
I do, it's just that SSL covers both. The difference is that the "where" in this case is not an IP address, but a private key, which is considerably more secure.
As I mentioned before adding security to the location increases the difficulty in pulling off a hack / redirect. I think that using SSL for location security is the wrong approach (application layer) - it should be at the network layer.
So, in other words, anywhere between here and the root servers, someone could pull an effective MITM.
No, since each recursive lookup also involves pulling down a signed record indicating where the next level of lookup should go. That next level pull is for the next level key, signed/hashed using the root level key ad infinitum.
Say I'm looking for www.blah.com (grossly simplified, but gets the idea across)
Now I will have root (level 0) key locally, so my machine goes to level 0 server, asks for where the server for level 1 of blah.com is and gets a signed hash of level 1 key.
It replies with where level 1 server for blah lives signed using level 0 key.
Now I contact level 1 server and ask it for its key info for blah.com.
It replies with the level 1 key that can be used to verify responses from the level 1 server, and I check the hash matches that retrieved in first contact.
Now I ask level 1 server for where www.blah.com can be found, it replies with the IP address signed using its key from level 1.
The chain of trust above is the hierarchical nature of the key signing (search for "secured pointers" and/or DS DNS record), or look here
From a technical standpoint, there is no man in the middle - you must do something equivalent to certificate forging/stealing or some kind of social engineering hack.
I know this isn't a "spam" killer, it's one of the tools we will need to begin to fight back. Verifiable sources are vital.
So since you went to the effort of filling the form in, here we go:
* technical approach
As I mentioned, I was not advocating it as being _the_ solution, just one of the tools that will come in handy for various reasons
* It will stop spam for two weeks / open relays in foreign countries / armies of worm riddled broadband windows boxes
Of course all of these things will not go away just from securing domain name lookups - things get a lot easier to check when we "know" the source of the connection. It helps in tracking down where the spam is coming from - the "stopping it" bit has to follow the existing model (police action / court etc), until a more workable situation can be found. But to look at the situation with telephones, caller ID makes a huge difference to tracking down criminals.
* Countermeasures must work if phased in gradually
Let's imagine we have location security, we can begin to build a web of trust for mail servers now. DNSSEC is a pre-requisite to beginning to clean up the dirty parts of the web.
* Ideas similar to yours are easy to come up with, yet none have ever been shown practical / Feel-good measures do nothing to solve the problem
Fair enough, I've tried to show you it does have some benefits, and I will leave it at that.
Have a good day.
Mr Thinly Sliced.
-
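The level 0 / level 1 walk described in the comment above, as an added example that is not part of the original post: a Python simulation of the DNSSEC chain of trust in which the parent publishes a hash (DS) of the child's key and signs it, and the child signs the final answer. Real DNSSEC uses RSA/ECDSA; this demo substitutes Lamport one-time signatures so it runs on the standard library alone, and the zone names, keys and addresses are constructed.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Lamport one-time signatures: stdlib stand-in for DNSSEC's RSA/ECDSA keys.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk
def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def sign(sk, msg):                # reveal one preimage per digest bit
    return [sk[i][b] for i, b in enumerate(_bits(msg))]
def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def ds_digest(pk):                # the parent's DS record: a hash of the child's key
    return H(b"".join(h for pair in pk for h in pair))
def signed_record(sk, name, value):   # an RR plus its RRSIG
    return {"name": name, "value": value, "sig": sign(sk, f"{name}={value}".encode())}
def check(pk, rec):
    return verify(pk, f"{rec['name']}={rec['value']}".encode(), rec["sig"])

def resolve(root_pk, ds_record, child_pk, answer):
    """Walk the hops the comment describes; None means a broken link."""
    if not check(root_pk, ds_record):
        return None                   # level 0 signature on the DS invalid
    if ds_record["value"] != ds_digest(child_pk).hex():
        return None                   # child key is not the one root vouched for
    if not check(child_pk, answer):
        return None                   # level 1 signature on the answer invalid
    return answer["value"]

# Constructed demo: root (level 0) delegates blah.com (level 1). ROOT_PK plays
# the trust anchor a resolver has configured locally.
root_sk, ROOT_PK = keygen()
blah_sk, BLAH_PK = keygen()
DS_BLAH = signed_record(root_sk, "DS:blah.com", ds_digest(BLAH_PK).hex())
ANSWER = signed_record(blah_sk, "www.blah.com", "192.0.2.10")
# An on-path impostor with its own key cannot stand in for blah.com: its key's
# digest is not the one root signed, so the chain breaks at the DS check.
evil_sk, EVIL_PK = keygen()
FORGED = signed_record(evil_sk, "www.blah.com", "198.51.100.66")
```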
Re:encapsulation and abstraction
You apparently missed the announcement from Cisco that they've released their own virtual switch with enterprise features to replace the limited capabilities in VMware's. And, yes, vmware will fully support it and it will be plug and play compatible. Furthermore, on a cluster of ESX hosts, you can have multiple Cisco supervisor appliances running for HA/management, while a Cisco switch configuration/etc is shared across all nodes and ports being logically linked to each vm, regardless of where vm is located and even during vmotion.
Cisco details at: http://www.cisco.com/en/US/products/ps9902/index.html
-
Re:The story keeps changing.
They could always do something crazy like track the MAC to a port and go trace the cable to find the device, I guess that wouldn't make such a good story though.
If they're using Cisco switches and it's linked via copper then they could probably work out where it is without leaving their seats, use the inbuilt tdr to find out how long the cable is, then use the location of the switch and a bit of common sense to work out where the device is likely to be.
If it's a terminal server then it's not likely to be hanging off a 3km long fibre somewhere in a duct under the city. It'll be within serial cable distance of all the other kit, more than likely in their main computer room with some bloody great octal cables hanging out the back. I suspect it'd take someone clued up approx 5 minutes to identify it as it will look rather different to any of their other routers purely due to the cabling run to/from it.
The more I read about this "ebil admin" story the less I believe any of it.
-
Re:Curious to see where this one goes...
I had a Cisco 400 with a lifetime warranty. It died a while back. It was out of warranty. Apparently Lifetime for Cisco means 5 years.
While lifetime sounds like it should be your life time, it actually refers to the product life time. In other words, some time after they stop manufacturing the product, its lifetime is considered over (you're expected to upgrade at that point). "Some time" is usually something like one to three years. Your warranty probably defines "some time" in the pages of legalese.
Yep, here's the Cisco warranty: http://www.cisco.com/en/US/docs/general/warranty/English/LH2DEN__.html which says, "In the event of discontinuance of product manufacture, Cisco warranty support is limited to five (5) years from the announcement of discontinuance."
I used to be able to find internet documentation of this relatively easily, but today it was harder. I did still find http://www.directron.com/warranty-policy.html which says, "Lifetime is defined as the lifetime of the product on the market. Outdated technology is not covered by lifetime warranty if the item is no longer available on the common market as a new product."
-
Re:Hmmm
And then you realize that routing wires in false-ceiling environments actually IS more expensive than setting up AP from ceiling mounts. You essentially reduce the total amount of cables by a factor of 10.
Ever heard of Cisco's Unified Wireless Architecture?
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_brochure09186a0080184925_ns337_Networking_Solution_Solution_Overview.html
Let's remind ourselves here for a moment: large networks are not easy to set up. You run into a number of problems including backend, connectivity, and end user access. The CUWN makes it easier by allowing you to control the AP (Lightweight AP's really - they only work in conjunction with a controller) from a central hook, and you can set the entire scope's settings. It also has guest access features which the article mentions.
Sometimes Wired networks aren't the most straightforward to get a building network access.
An additional feature is being able to seamlessly migrate from AP to AP based on radio signal to noise ratios. This allows the network to authenticate the most appropriate AP to the clients based on load. -
I am a network engineer, this exploit is nonsense
This exploit doesn't alter the behavior of BGP in any way. What this exploits is that there is no existing capability in the BGP protocol to sanity check a prefix and its announcer against an authoritative list of prefixes and owners on the fly. This can however be accomplished manually via prefix filters on BGP peerings.
http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdbgp.html#wp1175412
Some attempts have been made to create authoritative route registries from which filters could be updated via scripts, but they are not necessarily used everywhere. Note the email discussion in the faq below is eight years old.
http://www.irr.net/
http://www.irr.net/docs/faq.html
In conclusion, handwaving and drama queening aside, this is nothing new and solutions to the problem exist.
-
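The sanity check the comment above says BGP lacks, as an added example that is not part of the original post: a Python model of what a prefix filter built from an authoritative registry does, checking each announcement for a covering registered prefix, a length bound (the `le` of a prefix-list entry) and the registered origin AS. The registry entries, AS numbers and prefixes are constructed from documentation ranges.

```python
import ipaddress

# Constructed stand-in for an authoritative registry (an IRR route object or
# the prefix-list you would build from it): prefix, owning origin AS, and the
# longest sub-prefix still acceptable (the 'le' bound of a prefix-list entry).
REGISTRY = [
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 24),
]

def build_filter(registry):
    return [(ipaddress.ip_network(p), asn, maxlen) for p, asn, maxlen in registry]

def check_announcement(filt, prefix, origin_as):
    """Return ('permit'|'deny', reason) for one BGP UPDATE: does an
    authoritative entry cover the prefix, is it no more specific than allowed,
    and does the announcing origin match the registered owner?"""
    net = ipaddress.ip_network(prefix)
    reasons = []
    for reg, asn, maxlen in filt:
        if net.version != reg.version or not net.subnet_of(reg):
            continue
        if net.prefixlen > maxlen:
            reasons.append(f"more specific than /{maxlen} allowed under {reg}")
        elif asn != origin_as:
            reasons.append(f"AS{origin_as} is not the registered origin AS{asn} for {reg}")
        else:
            return "permit", f"covered by {reg} from AS{asn}"
    return "deny", "; ".join(reasons) or "no covering registered prefix"

def filter_updates(filt, updates):
    """Apply the check to a batch and keep only what would be accepted."""
    return [(p, a) for p, a in updates if check_announcement(filt, p, a)[0] == "permit"]

FILT = build_filter(REGISTRY)
# Constructed updates as they might arrive on a peering session.
UPDATES = [
    ("192.0.2.0/24", 64500),      # registered prefix, registered origin
    ("192.0.2.0/25", 64500),      # more specific than the registry allows
    ("192.0.2.0/24", 64666),      # right prefix, wrong origin AS
    ("198.51.100.0/24", 64501),   # allowed sub-prefix of a registered /22
    ("203.0.113.0/24", 64500),    # not registered at all
]
```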
Cisco Telepresence?
Do it the right way: Cisco Telepresence. Buy yourself a 20 Mbps circuit from the local telco, do the same with the grandparents. Each system is only 300,000 - but I bet you can get a discount if you do a press release. http://www.cisco.com/en/US/products/ps8333/index.html You didn't specify cost as a problem. Do it right!
-
Re:Before everyone posts the 'so obvious' facts...
An embedded appliance between you and the internet *can* have a valid cert signed by an existing CA. Cisco gets an intermediate cert that's valid for signing *.homerouters.cisco.com certs, and your router gets one of those. You bookmark https://1bf5a32a.homerouters.cisco.com/ while connected with a physical ethernet cable. From then on, you know you're connecting to your own router rather than someone else's, and yet you never had to deal with a certificate warning.
There might be more to it, since expiry might make this more complicated. But I'm pretty sure one of the big router vendors is starting to do something like this.
-
Re:Unix scheduling model for bandwidth?
Yes, this has been integrated into Cisco routers for quite some time. It's called Weighted Fair Queueing. WFQ schedules high-bandwidth streams in a round-robin fashion, yielding bandwidth to low-bandwidth streams so applications that speak infrequently don't get starved out. i.e., the more you talk on the pipe, the lower your overall priority becomes.
Cisco also extends this concept with class-based Weighted Fair Queueing. CBWFQ allows you to put traffic into buckets and each bucket can have different queuing strategies. This is commonly used with an LLQ with VoIP RTP traffic to guarantee clear voice communications, put some business critical applications second in line (Citrix, Terminal Server, Exchange, etc.), and put all the traffic in the default WFQ bucket.
-
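The scheduling behaviour the comment above describes, as an added example that is not part of the original post: a small Python weighted fair queueing scheduler driven by virtual finish times, showing that a flow which keeps the pipe full accumulates late finish tags while a flow that speaks rarely is served almost immediately, and that a higher weight (as a voice class would get) moves a flow ahead. Flow names, weights and packet sizes are constructed; this is a textbook WFQ model, not Cisco's implementation.

```python
import heapq
from dataclasses import dataclass, field

@dataclass(order=True)
class Packet:
    finish: float                      # virtual finish time, the sort key
    seq: int                           # tie-breaker: earlier arrival first
    flow: str = field(compare=False)
    size: int = field(compare=False)

class WFQ:
    """Weighted fair queueing by virtual finish time. A flow's next packet
    finishes at max(flow's previous finish, current virtual time) + size/weight,
    so a flow that keeps filling the pipe accumulates ever-later tags while a
    flow that speaks rarely gets a tag near 'now' and is served promptly."""
    def __init__(self, weights):
        self.weights = weights
        self.last_finish = {f: 0.0 for f in weights}
        self.heap, self.seq, self.vtime = [], 0, 0.0

    def enqueue(self, flow, size):
        start = max(self.last_finish[flow], self.vtime)
        finish = start + size / self.weights[flow]
        self.last_finish[flow] = finish
        self.seq += 1
        heapq.heappush(self.heap, Packet(finish, self.seq, flow, size))

    def dequeue(self):
        pkt = heapq.heappop(self.heap)
        self.vtime = pkt.finish        # simplified virtual clock advance
        return pkt

def service_order(weights, arrivals):
    """arrivals: (flow, size) pairs queued in that order before the link drains.
    Returns the order in which flows are served."""
    q = WFQ(weights)
    for flow, size in arrivals:
        q.enqueue(flow, size)
    order = []
    while q.heap:
        order.append(q.dequeue().flow)
    return order

# Constructed scenario: a bulk transfer has 10 packets queued, then one packet
# from an interactive flow arrives. FIFO would serve it 11th; WFQ serves it 2nd.
BULK_THEN_SPARSE = [("bulk", 1)] * 10 + [("sparse", 1)]
```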
Cisco and IPv6
For those of you interested, Cisco has documented which pieces of their hardware are IPv6 ready: Cisco IPv6 Solutions
-
Re:Who cares?
What did people do with early websites in the beginning?
At first, they were just boring static pages that were either a horrible marketing attempt. How far has the internet come now that there are things like collaborative Encyclopedia building (Wiki), Google docs, YouTube, Ebay etc.
It is impossible to tell what this medium will make possible in 5 years.
Also, I wouldn't exactly call IBM a furry or weirdo. Nor would I say that Cisco is either. There are also a growing number of universities and colleges using the space.
The thing I try to hint at for most is, look at all the different news articles about 3D virtual worlds in general. How many different categories do they fall into? Economics, scams, porn, politics, social, collaboration, business, marketing, play, serious, military, health care... and more. Something that is looked at in so many different ways has huge potential as a medium. And the more open the server side, the more likely it will be adopted by a larger group and customized for even more possibilities. -
Re:So what's the problem?
No, because we all read the part about where he disabled the ability to do exactly what you suggested he do.