[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: SUNY-Albany and AFIT
- Subject: RE: SUNY-Albany and AFIT
- Date: Mon, 11 Mar 2002 08:35:15 -0700 (MST)
Hi Jeff,
traceroute is an executable performed from a UNIX machine.
In this case your LDM machine..
At the prompt type:
traceroute "domain name"
i.e.
traceroute redwood.atmos.albany.edu
and the output to screen or to a file if you append a
| filename.txt to the traceroute command.
This will give you the time and route your packets are taking to the
domain indicated...I think you will find it quite useful..
Thanks,
-Jeff
____________________________ _____________________
Jeff Weber address@hidden
Unidata Support PH:303-497-8676
NWS-COMET Case Study Library FX:303-497-8690
University Corp for Atmospheric Research 3300 Mitchell Ln
http://www.unidata.ucar.edu/staff/jweber Boulder,Co 80307-3000
________________________________________ ______________________
On Mon, 11 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:
> Sorry Jeff
> I was gone from Wed at 1300 hours til this morning.
> I am unsure of traceroutes, that is a foreign term to me as
> far as computers go, munitions I understand, I am sure
> it is the same principle.
> Just don't know how to do it.
> I will get with somebody here and find out.
> Thanks for the support.
> Jeff
>
> -----Original Message-----
> From: Jeff Weber [mailto:address@hidden]
> Sent: Wednesday, March 06, 2002 1:00 PM
> To: Sitler Jeffrey L Civ AFIT/ENP
> Subject: RE: SUNY-Albany and AFIT
>
>
> I would not suggest navier...
>
> They have been rather unstable of late.
>
> Do a traceroute, proximity geographically does not always translate
> electronically.
>
> Either you or I can contact the site admin and request a feed, just cc me
> on any correspondence if you take the lead. Other wise I will do the
> same..let me know how the traceroutes come back..
>
> -Jeff
> ____________________________ _____________________
> Jeff Weber address@hidden
> Unidata Support PH:303-497-8676
> NWS-COMET Case Study Library FX:303-497-8690
> University Corp for Atmospheric Research 3300 Mitchell Ln
> http://www.unidata.ucar.edu/staff/jweber Boulder,Co 80307-3000
> ________________________________________ ______________________
>
> On Wed, 6 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:
>
> > Jeff
> > How about navierldm at Penn State?
> > They are probably the closest at 6 hours away.
> > Do I need to contact them and request or do you do that?
> > Thanks
> > Jeff
> >
> > -----Original Message-----
> > From: Jeff Weber [mailto:address@hidden]
> > Sent: Wednesday, March 06, 2002 12:47 PM
> > To: Sitler Jeffrey L Civ AFIT/ENP
> > Cc: address@hidden
> > Subject: RE: SUNY-Albany and AFIT
> >
> >
> > Hi Jeff,
> >
> > Anyone from the second level on this URL:
> > http://www.unidata.ucar.edu/projects/idd/nexradFeed.html
> >
> > with you being in Ohio, I would suggest either stokes, profhorn, or
> > flood..
> >
> >
> > traceroutes to each will shed some light as to how well you are connected
> > to these machines..
> >
> > Yes, I do not forsee any security issues either but David is in the
> > position of holding propriatary data, so I certainly understand his
> > concerns. He is providing a valuable service distributing the NLDN feed.
> >
> >
> > Let me know what you find and who you will be feeding NNEXRAD from so I
> > can update our records here at the UPC.
> >
> >
> > Thanks,
> >
> > -Jeff
> > ____________________________ _____________________
> > Jeff Weber address@hidden
> > Unidata Support PH:303-497-8676
> > NWS-COMET Case Study Library FX:303-497-8690
> > University Corp for Atmospheric Research 3300 Mitchell Ln
> > http://www.unidata.ucar.edu/staff/jweber Boulder,Co 80307-3000
> > ________________________________________ ______________________
> >
> > On Wed, 6 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:
> >
> > > Jeff,
> > > Who can we get NNEXRAD from? I will place the request.
> > > I understand David's concern, but I will bet we are much
> > > more secure than almost any .edu site out there.
> > > We also don't do any operational weather, it is used
> > > strictly for research and synoptic lab. While we are on
> > > a military base, and we are the Air Force Institute of Technology
> > > we have all the same credentials as every other .edu site out there
> > > except the cirriculum is tailored to meet the Air Forces needs as
> > > far as research goes. Which in David's case, we just had 3 students
> > > each do a different thesis on lightning for Cape Canaveral.
> > > Have a good day.
> > > Jeff
> > >
> > >
> > > -----Original Message-----
> > > From: Jeff Weber [mailto:address@hidden]
> > > Sent: Tuesday, March 05, 2002 3:12 PM
> > > To: Sitler Jeffrey L Civ AFIT/ENP
> > > Cc: 'Anne Wilson'; David Knight; address@hidden;
> > > address@hidden
> > > Subject: RE: SUNY-Albany and AFIT
> > >
> > >
> > > Hi Jeff,
> > >
> > > I understand your security issues.
> > >
> > > However, if you want NNEXRAD data, you will need to allow another IP for
> > > that feed source. Redwood only carries a brief subset of NNEXRAD..only
> one
> > > site. So if you desire NNEXRAD we need to evaluate that issue. Also,
> > > regarding the NLDN data, we need to be certain David feels comfortable
> > > feeding an IP, and then you would need to allow the IP for striker as
> > > well, so now we are up to 3 IP (holes) in your firewall not to mention
> > > allowing at least imogene from unidata access to your machine...
> > >
> > >
> > > Keep us posted we will do all we can from here,
> > >
> > > -Jeff
> > > ____________________________ _____________________
> > > Jeff Weber address@hidden
> > > Unidata Support PH:303-497-8676
> > > NWS-COMET Case Study Library FX:303-497-8690
> > > University Corp for Atmospheric Research 3300 Mitchell Ln
> > > http://www.unidata.ucar.edu/staff/jweber Boulder,Co 80307-3000
> > > ________________________________________ ______________________
> > >
> > > On Tue, 5 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:
> > >
> > > > Hello all,
> > > > Just to keep you updated on where we stand. I have found out that as
> far
> > > as
> > > > incoming data.
> > > > Our SC people want to know the specific IP address and the port, and
> who
> > > > they are.
> > > > They allow by IP only outside of "fujita", basically once our request
> > > leaves
> > > > fujita for Albany, it will only allow back in from the IP of redwood,
> > but
> > > > not the name redwood.
> > > > I think they forget we are an .edu site inside of a .mil site, so you
> > can
> > > > see our
> > > > firewall nightmare. Anything we open up has to clear the military side
> > of
> > > > things, then the education side of things
> > > > before we can even get the clearance. I am sure you can imagine the
> > > > paperwork and the explanations I had to go
> > > > through to get the data coming in from Unidata, then I was told, "OK,
> > this
> > > > is the only site you want, correct?".
> > > > They don't even like that I have a failover site, they want one site
> and
> > > one
> > > > site only.
> > > > I really appreciate all the help I am getting from outside the base
> > > believe
> > > > me, as well as the understanding.
> > > > I hope I am explaining all this so you understand, please remember I
> am
> > a
> > > > weather person in a computer position, with a whole 1 year of UNIX now
> > > under
> > > > my belt.
> > > > Thanks
> > > > Jeff
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Anne Wilson [mailto:address@hidden]
> > > > Sent: Tuesday, March 05, 2002 1:27 PM
> > > > To: David Knight
> > > > Cc: address@hidden; address@hidden;
> > > > address@hidden; address@hidden
> > > > Subject: Re: SUNY-Albany and AFIT
> > > >
> > > >
> > > > David Knight wrote:
> > > > >
> > > > > Hi Anne,
> > > > >
> > > > > Jeff Sitler at afit tells me the machine is/will
> > > > > be known as fujita.afit.edu (not that it really matters
> > > > > since the name seems to be irelavant...).
> > > > > We have an allow for both the machine name and the IP
> > > > > number. It appears that when they they connect the request
> > > > > comes from the ip#
> > > > >
> > > > > Mar 04 19:30:34 redwood rpc.ldmd[6793]: gethostbyaddr: failed for
> > > > > 129.92.9.62
> > > > > Mar 04 19:30:34 redwood 129.92.9.62[6827]: Connection from
> 129.92.9.62
> > > > > Mar 04 19:30:34 redwood 129.92.9.62(feed)[6827]: Starting Up:
> > > > > 20020304190240.510
> > > > > TS_ENDT {{NNEXRAD|UNIDATA, ".*"}}
> > > > > Mar 04 19:30:34 redwood 129.92.9.62(feed)[6827]: topo: 129.92.9.62
> > > > > NNEXRAD|UNIDATA
> > > > >
> > > > > Even though the gethostbyaddr fails we apparently accept their
> > > > > connection (I'm not sure if this is because we have an explicit
> > > > > allow for the IP address, or if it is a change we made to our ldm
> > > > > configuration some time ago that I simply forget right now).
> > > > > There is no entry for fujita in /etc/hosts or our NIS+ tables.
> > > > > I really don't like feeding an IP number - it doesn't bother
> > > > > me with the NOAAPORT feed, but, given the restrictions we face
> > > > > with the NLDN feed I'd really much rather be able to document
> > > > > we are feeding an .edu site.
> > > > >
> > > > > Hope this helps...
> > > > > David
> > > > >
> > > > > p.s. I understand that afit has security concerns, but, they are
> > > > > not alone in this regard. In fact I am becoming less and less
> > > > > comfortable feeding an essentially anonymous host at what appears
> > > > > to be a military site. For example, what if despite our best
> > > > > efforts either redwood or striker get hacked, and the hacker
> > > > > uses these machines to send nasty stuff over the IDD to
> > > > > the afit site - should we even be taking that risk, or, be
> > > > > exposing ourselves to that responsibility? Also IP numbers
> > > > > can be easily spoofed, and a military machine might be a likely
> > > > > target for this. If I had any hair left I'd probably have to
> > > > > say I must be having a "bad hair day" ;-)
> > > > >
> > > >
> > > > Hi David,
> > > >
> > > > Thanks for the information. You raise very good points regarding both
> > > > proprietary feeds and security. I will raise these issues here for
> > > > discussion, this time in the context of .mil sites. (LDM security is
> a
> > > > perennial topic.) Although, Jeff Stitler assures us that fujita is a
> > > > .edu site. This morning I was able to confirm that on the AFIT
> network
> > > > fujita is known as fujita.afit.edu.
> > > >
> > > > Regarding the hacking potential, one significant safeguard is that the
> > > > LDM uses its own protocol. Thus, there are only a few messages to
> which
> > > > the ldm will respond (HEREIS, COMINGSOON, BLKDATA, etc.), and it will
> > > > respond in well understood, predictable ways. It would be very hard
> to
> > > > write some nefarious executable, wrap it properly, send it properly,
> and
> > > > get the remote ldm to do something beyond just stuffing it in the
> queue.
> > > >
> > > > And, due to your message I learned something about the LDM this
> > > > morning. When the IP addresses is used in ldmd.conf, the server will
> > > > try only once to do a reverse lookup. And, that lookup doesn't need
> to
> > > > succeed, just as we saw in your logs above.
> > > >
> > > > This means that some machine could spoof being AFIT by providing that
> IP
> > > > address to you and get you to feed them data. This could be an issue
> > > > for your proprietary data. I can understand your wanting to verify
> that
> > > > you're feeding a .edu. With AFIT's restrictions that currently can't
> be
> > > > done. We'll have to leave it to you to decide whether or not to feed
> > > > such sites.
> > > >
> > > > Regarding security on AFIT's side, AFIT is using names in their
> > > > ldmd.conf file instead of IP addresses, which forces the forward and
> > > > reverse lookup requirement. So, it would be harder for some machine
> to
> > > > spoof being redwood.atmos.albany.edu.
> > > >
> > > > I don't mean to dismiss your concerns, only to allay them. We must
> > > > always be thinking about security.
> > > >
> > > > Anne
> > > > ***************************************************
> > > > Anne Wilson UCAR Unidata Program
> > > > address@hidden P.O. Box 3000
> > > > Boulder, CO 80307
> > > > ----------------------------------------------------
> > > > Unidata WWW server http://www.unidata.ucar.edu/
> > > > ****************************************************
> > > >
> > >
> >
>