AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?
So I gather JMS has an issue with SFX magazine. What's that about?
This is the best I've found via google:
http://groups-beta.google.com/group/rec.arts.sf.tv.babylon5.moderated/msg/88b1ea53e7879c63
Velcro ties.
NAT-T is made to handle points 2 - 4. The native IPSec ESP packet is encapsulated with UDP on port 4500. Obviously this needs to be supported by both the VPN client & server, however the intermediate network shouldn't need to care.
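The post above says only that NAT-T wraps ESP in UDP/4500. What a packet filter, IDS or troubleshooting script actually sees on that port is three different things sharing one socket: one-byte keepalives, IKE messages prefixed with a four-zero-byte "non-ESP marker", and ESP whose first eight bytes (SPI and sequence number) are the only cleartext. The classifier below is an added illustration, not code from the original post; the sample datagrams, SPI values and function names are constructed, and the layout follows RFC 3948 (UDP-encapsulated ESP, keepalive) and the IKE header format.

```python
"""Classify the UDP payload of a NAT-T (UDP port 4500) datagram.

Added illustration; sample datagrams are constructed, not captures.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE messages carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-octet keepalive (RFC 3948 section 2.3)
ESP_HEADER_LEN = 8                     # SPI (4 bytes) + sequence number (4 bytes)
IKE_HEADER_LEN = 28                    # fixed ISAKMP / IKEv2 header


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries: keepalive, IKE, ESP or malformed.

    A middlebox or IDS needs this split because the IKE header is cleartext
    (SPIs, exchange type, message id are inspectable) while ESP beyond its
    8-byte header is ciphertext that cannot be inspected in transit.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        if length != len(ike):
            # Length field must cover the whole IKE message; mismatch is a parsing red flag.
            return {"kind": "malformed", "reason": "IKE length field does not match datagram"}
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "next_payload": next_payload,
            "major_version": version >> 4,
            "minor_version": version & 0x0F,
            "exchange_type": exch_type,
            "flags": flags,
            "message_id": msg_id,
            "length": length,
        }

    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    # Everything after SPI and sequence number is ciphertext + trailer + ICV.
    return {"kind": "esp", "spi": spi, "seq": seq, "ciphertext_len": len(payload) - ESP_HEADER_LEN}


def build_ike_sa_init() -> bytes:
    """Constructed IKEv2 IKE_SA_INIT header with no payloads (length == 28).

    Next payload 33 = SA, version 0x20 = IKEv2, exchange 34 = IKE_SA_INIT,
    flags 0x08 = Initiator. The SPI value is made up for the example.
    """
    header = struct.pack("!QQBBBBII",
                         0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
    return NON_ESP_MARKER + header


# Constructed ESP datagram: SPI 0x0A1B2C3D, sequence 7, then 16 bytes of filler
# standing in for ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x0A1B2C3D, 7) + bytes(range(16))


if __name__ == "__main__":
    for name, pkt in [("keepalive", NAT_KEEPALIVE),
                      ("ike", build_ike_sa_init()),
                      ("esp", SAMPLE_ESP),
                      ("short", b"\x01\x02")]:
        print(name, classify_nat_t_payload(pkt))
```

The check order matters: the keepalive is tested first because a single 0xFF byte would otherwise fall through to the "too short" branch, and the non-ESP marker is tested before the ESP branch because an ESP SPI of zero is never sent on the wire, so four leading zero bytes can only mean IKE.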
Fine, fine machines those Packard Bells were. And by 'fine' I mean 'train wreck'.
Ignorance is always a recipe for unintended consequences.
http://www.networkworld.com/news/2002/1125bethisrael.html?page=1
http://www.enterpriseleadership.org/read/halamka
"On Wednesday, November 13, 2002, the network experienced a major slowdown for three days. The CISCO technical support team found the Layer 2 structure of the network to be unstable and out of specification with 802.1d standards. The management VLAN in some locations had 10 Layer 2 hops from root. The Spanning Tree Protocol (STP) imposes a maximum network diameter default of seven. Thus, two distinct bridges in the network should not be more than seven hops away from one to the other.
A major contributor to this STP issue was the network and Picture Archive Communication System (PACS) network, for sharing high-bandwidth visual files and other clinical data; this was 10 hops away from the closest core network switch, three too many for the spanning tree to handle."
I evaluated the Canopy system about a year ago for a project at work. Motorola is a great RF company but they don't know IP networking very well. Some of the things I noticed were:
-administration via telnet & http, no ssh or https
-no way to filter administrative connections based on source IP address
-administrative access is based on a locally defined username & password on each access point and subscriber module. They can't authenticate admin sessions from a RADIUS or TACACS server
-the encryption suite is proprietary. While they do use AES as the encryption algorithm, the overall protocol is not based on IPSec, WPA, WEP, or any other standard
-subscriber modules use a manufacturer's default encryption key to authenticate to the access point. A key management server must be implemented to use a different key.
I don't know if any of that has been fixed in the past year or not. I have no clue how they got this device FIPS 140-2 certified. Unsurprisingly, the security-through-obscurity-worshipping government agencies I deal with are completely ga-ga over the Canopy. They are in love with the idea that the Canopy runs on a non-802.11 a/b/g frequency (because obviously no bad hackers will ever find it).
Crafted IPv6 packet vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
http://www.eweek.com/article2/0,1759,1841669,00.asp
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
That may be true, but their article doesn't acknowledge the Supreme Court case at all. I can't give CNN any credit for the nuanced point that you are making.
"The study suggests that students embrace First Amendment freedoms if they are taught about them and given a chance to practice them, but schools don't make the matter a priority.
Students who take part in school media activities, such as student newspapers or TV production, are much more likely to support expression of unpopular views, for example.
About nine in 10 principals said it is important for all students to learn some journalism skills, but most administrators say a lack of money limits their media offerings."
This is either uninformed or disingenuous. High school newspapers have been excluded from First Amendment protections by the Supreme Court.
http://www.fair.org/extra/9403/teaching-censors
1. I can't really tell if the graphics are any good or not because I CAN'T SEE SHIT!
2. I seem to recall playing this game four years ago when it was called 'System Shock 2'
Actually, aren't mortising kits for drilling square holes?
The idea of what is probably the most highly trafficked website in the world running on IIS due to a Microsoft takeover has endless comedy potential. Check out the lower right corner of the front page currently.
I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.
"...companies as a whole can't put their trust into Linux. Microsoft is a face. It has an address and everyone knows that address. There are phone numbers to call and people to threaten should things break. You cannot call a kid in a garage and threaten him."
I've seen companies exhibit that same mentality, and I've never been able to understand it. The license scheme attached to windows gives you no recourse when (not if) it blows up. No matter how much you swear and bluster at Microsoft they have no obligation to support you in any way, shape, or form. So what exactly is it the tiny little minds of management are convinced Microsoft is providing for them?
I remember when Usenet didn't suck.
I remember when instant messaging was a combination of finger and ytalk.
internet dork since fall 93 here.
I seem to recall that the alleged offending code was present only in the IA-64 kernel. Even if SCO wins on all points (which seems unlikely) wouldn't it be a pretty narrow win? I can't see IA-32 or AMD Opteron 64 users getting hosed with SCO fees over this. Do I have my facts wrong or is SCO just criminally insane?
Abiword.
What do I win?
>When I was responsible for hiring people, a cert was a big strike against you. (insert sweeping dismissal of certs here)
I think more than anything this illustrates that the hiring process is just a great big ego reinforcement act for the hiring manager. They all want to hire whoever mirrors their own worldview to prove its correctness.
When are P2P apps going to start wrapping themselves in SSL or IPSEC to defend against being sniffed in transit?
>Elementary. The more people use their connections, the more bandwidth you have to buy from your upstream.
I don't buy into that explanation. Comcast is large enough that they should be peering with ISPs directly instead of purchasing bandwidth. Generally, under a peering agreement there is no cost to either party if the traffic load between them is symmetrical. Furthermore, they own their own infrastructure from the physical layer on up, so they aren't getting hosed with loop costs from the local Bell. Not to mention they have money coming in from CATV subscriptions and CATV advertising. The broadband side of their business doesn't exist in a vacuum. This entire thing stinks of a false dilemma.
Expect that IP to get null routed by the backbone carriers real fast.
Well-written articles are to be expected from pros like Dave Plonka; he's all about network traffic analysis. He gave a presentation on FlowScan at a previous USENIX LISA event.
>...you can fairly easily cut down on the damage being done by blocking all incoming ICMP traffic at your packet filtering bridge/router.
>Sure, traceroute is nice, but things like this mean it's just not worth the ICMP overhead.
Dropping all ICMP traffic is a bad habit to get into. ICMP is necessary for IP fragmentation and path maximum transmission unit discovery to work properly. You will break things if you drop it.
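The failure mode the reply describes is a PMTU black hole: a router on the path drops a DF-set packet that is too big and answers with ICMP type 3 code 4 ("Fragmentation Needed"), and if the sender's filter eats that message the sender just keeps retransmitting the same size forever. The simulation below is an added illustration, not code from the original thread; the path, its MTUs, and the two policy functions are constructed for the example, and the minimal allow-list in `pmtud_safe_policy` is my own suggestion rather than anything the post specifies.

```python
"""Simulate Path MTU Discovery (RFC 1191) under two inbound ICMP policies.

Added illustration; the path, MTUs and policy names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List

ICMP_DEST_UNREACHABLE = 3
ICMP_CODE_FRAG_NEEDED = 4     # type 3 / code 4: "Fragmentation Needed and DF was set"
ICMP_TIME_EXCEEDED = 11       # type 11: what traceroute relies on


@dataclass
class Hop:
    name: str
    mtu: int


def drop_all_icmp(icmp_type: int, icmp_code: int) -> bool:
    """The policy from the quoted post: every inbound ICMP message is dropped."""
    return False


def pmtud_safe_policy(icmp_type: int, icmp_code: int) -> bool:
    """Constructed minimal allow-list: pass only what PMTUD and traceroute need.

    Everything else (echo, redirects, timestamp, ...) is still dropped, so the
    noise-reduction goal of the quoted post is mostly kept.
    """
    if icmp_type == ICMP_DEST_UNREACHABLE and icmp_code == ICMP_CODE_FRAG_NEEDED:
        return True
    if icmp_type == ICMP_TIME_EXCEEDED:
        return True
    return False


def send_with_pmtud(size: int, path: List[Hop],
                    icmp_filter: Callable[[int, int], bool],
                    max_rounds: int = 8) -> dict:
    """Send DF-set packets of `size` bytes across `path`.

    Each round, the first hop whose MTU is too small drops the packet and emits
    ICMP type 3 code 4 carrying its own MTU. If the sender's inbound filter
    passes that message, the sender shrinks to the advertised MTU; if the
    filter drops it, the sender learns nothing and retransmits the same size.
    """
    current = size
    for round_no in range(1, max_rounds + 1):
        bottleneck = next((hop for hop in path if current > hop.mtu), None)
        if bottleneck is None:
            return {"delivered": True, "size": current, "rounds": round_no,
                    "blackhole": False}
        if icmp_filter(ICMP_DEST_UNREACHABLE, ICMP_CODE_FRAG_NEEDED):
            current = bottleneck.mtu      # next-hop MTU from the ICMP message
        # else: "Fragmentation Needed" was filtered; nothing changes this round
    return {"delivered": False, "size": current, "rounds": max_rounds,
            "blackhole": True}


# Constructed path: a PPPoE link (1492) followed by a GRE tunnel (1476), so
# discovery takes two ICMP messages before the packet gets through.
SAMPLE_PATH = [
    Hop("edge-router", 1500),
    Hop("pppoe-link", 1492),
    Hop("gre-tunnel", 1476),
    Hop("server-lan", 1500),
]


if __name__ == "__main__":
    print("allow-list:", send_with_pmtud(1500, SAMPLE_PATH, pmtud_safe_policy))
    print("drop-all:  ", send_with_pmtud(1500, SAMPLE_PATH, drop_all_icmp))
```

Note what the drop-all run does not show: small packets (anything at or below 1476 bytes here) still get through, which is exactly why a blanket ICMP block looks harmless in testing and only breaks large transfers, the classic "SSH works but SCP hangs" symptom.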
Has any thought been given to how IPv6 is going to affect route summarization? Under IP4 user IPs are suballocated by ISPs to users, and the ISPs themselves are supposed to announce one aggregate route for all their users. If everyone gets an IPv6 block assigned directly from the numbering authority, the internet routing table is going to be staggeringly enormous. Check out the CIDR Report, which details current aggregation efficiency losses under IPv4.