From brokenflea at gmail.com Wed Dec 1 00:22:41 2010
From: brokenflea at gmail.com (Khurram Khan)
Date: Tue, 30 Nov 2010 23:22:41 -0700
Subject: Level3 issues from Denver to San Jose?

I'm seeing some packet loss out of one of my routers in San Diego, we peer with L3.

ping 4.69.132.57 so gi3/8 repeat 1000 size 5000

Type escape sequence to abort.
Sending 1000, 5000-byte ICMP Echos to 4.69.132.57, timeout is 2 seconds:
Packet sent with a source address of x.y.d.z
!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!
!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!
!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!
!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!
!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!
!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!
!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!
!!!!!!!!!!!.!
Success rate is 93 percent (534/573), round-trip min/avg/max = 20/27/204 ms

On Tue, Nov 30, 2010 at 10:00 PM, Jared Geiger wrote:
> I'm seeing packet loss starting at
> ae-1-100.ebr1.Denver1.Level3.net(4.69.132.37) destined down to San
> Jose (4.69.132.57).
>
> > 10. ae-1-100.ebr1.Denver1.Level3.net 1.5%
> > 11. ae-3-3.ebr2.SanJose1.Level3.net 3.6%
> > 12. ae-92-92.csw4.SanJose1.Level3.net 3.9%
> > 13. ae-4-99.edge2.SanJose1.Level3.net 3.9%
>
> Is anyone else seeing the same thing? I know it's not much, but at times it
> spikes up, this was just part of a small snapshot taken.
>
> ~Jared

From dr at cluenet.de Wed Dec 1 03:57:13 2010
From: dr at cluenet.de (Daniel Roesen)
Date: Wed, 1 Dec 2010 10:57:13 +0100
Subject: Level3 issues from Denver to San Jose?
Message-ID: <20101201095713.GA31685@srv03.cluenet.de>

On Tue, Nov 30, 2010 at 11:22:41PM -0700, Khurram Khan wrote:
> I'm seeing some packet loss out of one of my routers in San Diego, we peer
> with L3.
>
> ping 4.69.132.57 so gi3/8 repeat 1000 size 5000
>
> Type escape sequence to abort.
> Sending 1000, 5000-byte ICMP Echos to 4.69.132.57, timeout is 2 seconds:
> Packet sent with a source address of x.y.d.z
> !!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!
> !.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!
> !!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!
> !!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!
> !!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!
> !!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!
> !!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!
> !!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!
> !!!!!!!!!!!.!
> Success rate is 93 percent (534/573), round-trip min/avg/max = 20/27/204 ms

That's most probably ICMP rate-limiting by Level3 - notice the regular pattern. Judging from the reverse DNS of your ping target, this is a Juniper router interface that you are pinging.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From jsw at inconcepts.biz Wed Dec 1 05:14:44 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Wed, 1 Dec 2010 06:14:44 -0500
Subject: TWT - Comcast congestion
References: <20101130194553.CBADA1CC3C@ptavv.es.net> <20101201021223.GE38726@gerbil.cluepon.net>

On Tue, Nov 30, 2010 at 9:12 PM, Richard A Steenbergen wrote:
> uncongested access. This is the kind of action that virtually BEGS for
> government involvement, which will probably end badly for all networks.

This depends on the eventual regulatory mechanism and the goals it intends to promote.
Everyone in our industry has been aware that security mechanisms related to BGP are needed, but after major incidents making it into the news regularly for ten years, little progress has been made. A regulator putting the hammer down might be a driving force to solve some of our basically solvable problems that no one is willing to spend any time or money on.

Additionally, it is easy to make the argument that reduced interconnection cost for end-user ISPs would never motivate any innovation. If any network with 1000 DSL users could connect to the closest PAIX (in every NFL city, of course) and gain access to all the big players for nothing but the cost of transport, it would not significantly reduce their cost to serve their customers. The DSLAMs, tech support monkeys, transport, idiotic implementation choices, etc. cost an order of magnitude more than transit. No regulator is going to believe that eliminating the cost of transit will encourage more broadband deployment, higher broadband speeds, or new inventions that tax the network more heavily.

On the other hand, it is very easy for regulators to imagine that, if Youtube had to bear the whole cost of moving bits from them to the end-user, and broadband access was free for anyone with a house and mailbox, developing new applications would be much more expensive and happen less frequently.

I think eyeball networks had better start demonstrating how they are innovating new things that benefit the public, and working hard to run their networks and businesses efficiently, before the regulation gauntlet is thrown down. Otherwise, they will be on the losing end.

In either case, I don't think it automatically must be bad for all networks, and everyone except those eyeball networks should hope it turns out to be good for the public, increasing consumer choice and bringing new forms of information and entertainment into their homes.

--
Jeff S Wheeler
Sr Network Operator /
Innovative Network Concepts

From andrea at ripe.net Wed Dec 1 05:36:13 2010
From: andrea at ripe.net (Andrea Cima)
Date: Wed, 01 Dec 2010 12:36:13 +0100
Subject: New IPv4 blocks allocated to RIPE NCC
Message-ID: <4CF6332D.3070407@ripe.net>

[Apologies for duplicate mails]

Dear Colleagues,

The RIPE NCC received the IPv4 address ranges 5/8 and 37/8 from the IANA in November 2010. We will begin allocating from these ranges in the near future.

The minimum allocation size for these two /8s has been set at /21. You may wish to adjust any filters you have in place accordingly.

More information on the IP space administered by the RIPE NCC can be found on our web site at:

Additionally, please note that three "pilot" prefixes will be announced from each /8. The prefixes are:

5.0.0.0/16
5.1.0.0/21
5.1.24.0/24
37.0.0.0/16
37.1.0.0/21
37.1.24.0/24

They all originate in AS12654.

More information on this "pilot" activity is available in the draft document "De-Bogonising New Address Blocks" which can be found at:

Kind regards,

Andrea Cima
Registration Services Manager
RIPE NCC

From young at jsyoung.net Wed Dec 1 06:10:33 2010
From: young at jsyoung.net (Jeff Young)
Date: Wed, 1 Dec 2010 23:10:33 +1100
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <4CF5027A.3060603@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <02b701cb9017$be2cdd90$3a8698b0$@net> <4CF43316.9000009@brightok.net> <96CA80CDCD822B4F9B41FB3A109C9359A3E664A254@E2K7MAILBOX1.corp.cableone.net> <02d401cb901f$71682e30$54388a90$@net> <4CF4AEC5.202@gmail.com> <4CF5027A.3060603@gmail.com>
Message-ID:
<06D9F200-7C94-419C-B987-1A180E03C052@jsyoung.net>

Well, I don't work for the NBN, but I do live here and follow the politics with interest. So far the 'experiment' is on track. The political parties who support the NBN are the majority by a slim margin (2 or 3 seats) and the project seems to be going forward. Most recently legislation passed that creates the NBN as a corporation among other things.

If you're truly interested:

http://australianpolitics.com/downloads/10-11-24_nbn-co-business-case-summary.pdf

jy

On 01/12/2010, at 12:56 AM, William Allen Simpson wrote:
> I've read through the entire thread thus far, and there are several very
> interesting points. I'd like to know more about the Australian experiment?
>
> But there were a couple of disparate comments that seem highly related, so
> I'll reply to them jointly here:
>
>
> On 11/30/10 2:59 AM, JC Dill wrote:
>> What is happening now between L3 and Comcast also reminds me of the dial-tone settlement deals in the 1990s. The big telcos thought they could push small telcos out by making it more expensive to place calls (paying a fee to the telco that "terminates" the
>> call) and less expensive to receive calls (receiving the termination fee). They mistakenly thought the startup telcos would go after consumers (who typically place more calls than they receive) and they didn't think about startup telcos going after ISP
>> dial-up services (which receive more calls than they place) and then being forced to pay those startups settlement fees for all the calls their consumer customers made into the startup telco's ISP customer's modem banks.
>>
> But I remember what happened next. BellSouth refused to pay their settlements.
> The CLECs sued and went bankrupt. BellSouth had deeper pockets and more lawyers.
>
>> We don't have an interstate telephone settlement system or PUC to "decide" what the rules will be for settlements between content providers and eyeball providers.
>> I believe that in the end it will come down to market forces and which group can better
>> marshal customer angst to their side when packets don't flow freely between these two types of networks.
>>
> Maybe. But I'm hoping the consumer angst gives us a better FCC. The "market"
> hasn't worked before, and isn't working in this case. So, maybe there isn't a
> "market" after all....
>
>
> On 11/30/10 2:47 AM, Kevin Blackham wrote:
> > I'm not convinced. Either I'm calculating something wrong, or greed is at work.
>
> Greed.
>
> Reminder: Comcast drastically raised their rates a few years back, saying to
> local cable commissions that they needed to "invest" in digital infrastructure.
> Instead, they took the massive profits and invested in NBC/Universal.
>
> When a cable "node" is an entire neighborhood of 500+ homes, because Comcast
> never bothered to split the nodes down to a reasonable networking size (as
> opposed to CATV-sized), then it's a Comcast greed problem....
>
> A half year ago or so, talking with a Google manager about a certain fiber
> project, we ended up arguing about the size of cable nodes. He seemed to
> think everywhere was like Mountain View. I was trying not to embarrass him;
> just let it stand at -- as you drive, you don't look overhead at the cable
> infrastructure much, do you? (He admitted he doesn't.)
>
>
> On 11/29/10 11:27 PM, Jared Mauch wrote:
> > The issue here is cost of infrastructure. The last mile generally is more valuable than the long-distance part. Everyone can build a nationwide network for a nominal amount of money. All the carriers can provide circuits at the same IXPs where you can public/private peer. The question does become, who is in those smaller and mid-markets. Not everyone is going to build fiber in Akron, Eugene, nor Madison. It gets even more interesting if you look at what happened with Fairpoint in the northeast IMHO. Verizon realized they would not make money there and sold it off.
> > The promises and costs consumed them and forced bankruptcy.
> >
> > I'm not saying that will happen to Comcast, but it may cause them to divest the unprofitable parts as well, leaving some parts of the country worse-off than we would be today.
>
> Or in this case, invest in something else more profitable, NBC/Universal; and
> then try to leverage their customer base to gouge their CDN competitors.
>
> I'd like to see Level 3 pull a Disney/ABC or a Murdoch/Fox, and publicly
> announce that they expect Comcast to share *their* revenue. And be willing to
> pull the plug!
>
> (Admittedly, I thought Disney/ABC and Murdoch/Fox are evil, too. That model
> was only reasonable as the CATV channels had no advertising. All we have
> left now is Turner Classic Movies. A pox on *all* their houses!)
>
> It's really time for some anti-trust legislation/regulation. The last mile
> market has failed.
>

From bicknell at ufp.org Wed Dec 1 08:31:39 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Wed, 1 Dec 2010 06:31:39 -0800
Subject: TWT - Comcast congestion
In-Reply-To: <20101201045925.GJ38726@gerbil.cluepon.net>
References: <20101130194553.CBADA1CC3C@ptavv.es.net> <20101201021223.GE38726@gerbil.cluepon.net> <20101201024557.GA54276@ussenterprise.ufp.org> <20101201032447.GG38726@gerbil.cluepon.net> <20101201035325.GA56584@ussenterprise.ufp.org> <20101201045925.GJ38726@gerbil.cluepon.net>
Message-ID: <20101201143139.GA69051@ussenterprise.ufp.org>

In a message written on Tue, Nov 30, 2010 at 10:59:25PM -0600, Richard A Steenbergen wrote:
> I believe that's what I said.
> To be perfectly clear, what I'm saying is:
>
> * Comcast acted first by demanding fees
> * Level 3 went public first by whining about it after they agreed to pay
> * Comcast was well prepared to win the PR war, and had a large pile of
> content that sounds good to the uninformed layperson ready to go.

I think I can make this very simple. What I am saying is that you're missing a step before your 3 bullet points. Before any of the three things you describe, Level 3 demanded fees from Comcast. Level 3 is doing a great job of getting folks to ignore that fact.

Comcast is a customer of L3, and pays them for service. Bringing on Netflix will cause Comcast to pay L3 more. More interestingly, in this case it's likely Level 3 went to Comcast and said we don't think your existing customer ports will handle the additional traffic....so...um...you should buy more customer ports.

Does network neutrality work both ways? If it is bad for Comcast to hold the users hostage to extort more money from Level 3, is it also bad for Level 3 to hold the content hostage to extort more money from Comcast?

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From jcdill.lists at gmail.com Wed Dec 1 08:43:25 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Wed, 01 Dec 2010 06:43:25 -0800
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <20101130133239.GI30640@0x1.net>
References: <20101130133239.GI30640@0x1.net>
Message-ID: <4CF65F0D.5060502@gmail.com>

On 30/11/10 5:32 AM, Christopher J. Pilkington wrote:
> Anyone know where I can buy cage nuts and rack screws locally
> near SAVVIS DC3 in Sterling, VA? They don't seem to have a
> local supply here, and somehow the racks we bought came with
> a 2:1 screw:nuts ratio.
I really don't understand why someone hasn't put vending machines in every major colo around the world. We have vending machines that sell ipods at the mall, we can certainly have a vending machine that sells rack nuts and screws, patch cables, tools, etc. at colos.

jc

From bicknell at ufp.org Wed Dec 1 08:48:18 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Wed, 1 Dec 2010 06:48:18 -0800
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <4CF65F0D.5060502@gmail.com>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com>
Message-ID: <20101201144818.GB70857@ussenterprise.ufp.org>

In a message written on Wed, Dec 01, 2010 at 06:43:25AM -0800, JC Dill wrote:
> I really don't understand why someone hasn't put vending machines in
> every major colo around the world. We have vending machines that sell
> ipods at the mall, we can certainly have a vending machine that sells
> rack nuts and screws, patch cables, tools, etc. at colos.

Every meeting I have with a colo provider I suggest this exact idea. Patch cables (cat5, single mode, multi-mode), fiber couplers, maybe even SFP's, velcro ties, a 10-in-1 screwdriver, etc.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From dmm at 1-4-5.net Wed Dec 1 09:09:44 2010
From: dmm at 1-4-5.net (David Meyer)
Date: Wed, 1 Dec 2010 07:09:44 -0800
Subject: [NANOG-announce] Reminder: Today is the last day to register for NANOG 51 at the early bird rate

Jon,

Sorry about that; not sure what's up. I'll look into it.

Thanks,

Dave

On Tue, Nov 30, 2010 at 7:57 PM, Jon Lewis wrote:
> On Tue, 30 Nov 2010, David Meyer wrote:
>
>> Register today to get the early bird rate.
>>
>> Looking forward to seeing you in Miami.
>>
>
> I just tried (to take advantage of the early-bird rate) and it looks like
> the registration code is busted.
>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> Please contact the server administrator, www at merit.edu and inform them of
> the time the error occurred, and anything you might have done that may have
> caused the error.
>
> [17270]ERR: 32: Warning in Perl code: DBD::Oracle::db do failed: ORA-00001:
> unique constraint (NANOG.SYS_C00319811) violated (DBD ERROR: OCIStmtExecute)
> [for Statement "
> insert into attendee (
> attendee_id,
> attendee_username,
> attendee_password,
> attendee_email
> ) values (
> attendee_seq.nextval,
> ?, ?, ?
> )
> "] at /afs/
> merit.net/infotech/www/nanog/secdocs/registration/username.epl line 54.
> [17270]ERR: 24: Error in Perl code: DBD::Oracle::db do failed: ORA-00001:
> unique constraint (NANOG.SYS_C00319811) violated (DBD ERROR: OCIStmtExecute)
> [for Statement "
> insert into attendee (
> attendee_id,
> attendee_username,
> attendee_password,
> attendee_email
> ) values (
> attendee_seq.nextval,
> ?, ?, ?
> )
> "] at /afs/
> merit.net/infotech/www/nanog/secdocs/registration/username.epl line 54.
>
> Apache/2.2.14 (Unix) Embperl/2.3.0 mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5
> PHP/5.2.12 mod_perl/2.0.4 Perl/v5.10.0 [Tue Nov 30 22:51:44 2010]
>
> I tried several variations of username and email address just in case
> either was already in the database from when I last attended a NANOG in
> Miami. It made no difference. Can we extend the early-bird rate until the
> web site is fixed such that people can actually create a username in order
> to sign up?
>
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

From cat at reptiles.org Wed Dec 1 09:24:55 2010
From: cat at reptiles.org (Cat Okita)
Date: Wed, 1 Dec 2010 10:24:55 -0500 (EST)
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <20101201144818.GB70857@ussenterprise.ufp.org>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org>

On Wed, 1 Dec 2010, Leo Bicknell wrote:
> Every meeting I have with a colo provider I suggest this exact idea.
> Patch cables (cat5, single mode, multi-mode), fiber couplers, maybe
> even SFP's, velcro ties, a 10-in-1 screwdriver, etc.

I'd say skip the colo provider, and look for vending machine companies.

The colo provider's unlikely to go to the bother of digging up somebody to provide the vending machines and contents, but seems likely to be quite interested if the thing's provided to them as a package...

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."

From tme at americafree.tv Wed Dec 1 09:54:37 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Wed, 1 Dec 2010 10:54:37 -0500
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <4CF65F0D.5060502@gmail.com>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com>
Message-ID: <807752DD-09B4-4D80-9FEC-D1F612489937@americafree.tv>

On Dec 1, 2010, at 9:43 AM, JC Dill wrote:
> On 30/11/10 5:32 AM, Christopher J. Pilkington wrote:
>> Anyone know where I can buy cage nuts and rack screws locally
>> near SAVVIS DC3 in Sterling, VA? They don't seem to have a
>> local supply here, and somehow the racks we bought came with
>> a 2:1 screw:nuts ratio.
>
> I really don't understand why someone hasn't put vending machines in every major colo around the world. We have vending machines that sell ipods at the mall, we can certainly have a vending machine that sells rack nuts and screws, patch cables, tools, etc. at colos.
>

I had that idea back in 2003, after getting very frustrated late one Saturday evening because I didn't have something like cage nuts, and actually tried to interest the management of Switch and Data into doing it, but it went nowhere. I am sure I was not the first here...
Regards
Marshall

> jc
>
>

From jabley at hopcount.ca Wed Dec 1 09:56:59 2010
From: jabley at hopcount.ca (Joe Abley)
Date: Wed, 1 Dec 2010 10:56:59 -0500
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <20101201144818.GB70857@ussenterprise.ufp.org>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org>
Message-ID: <0A7AC3FE-975D-4807-A1B8-CA6B2EFB606C@hopcount.ca>

On 2010-12-01, at 09:48, Leo Bicknell wrote:
> In a message written on Wed, Dec 01, 2010 at 06:43:25AM -0800, JC Dill wrote:
>> I really don't understand why someone hasn't put vending machines in
>> every major colo around the world. We have vending machines that sell
>> ipods at the mall, we can certainly have a vending machine that sells
>> rack nuts and screws, patch cables, tools, etc. at colos.
>
> Every meeting I have with a colo provider I suggest this exact idea.
> Patch cables (cat5, single mode, multi-mode), fiber couplers, maybe
> even SFP's, velcro ties, a 10-in-1 screwdriver, etc.

Two notable places I've done site work where the colo vendor was happy to sell me such things were Terremark/NOTA in Miami and Global Switch in Amsterdam. But even in those cases there were times where I needed something outside normal office hours and couldn't find anybody to sell it to me. Vending machines have the advantage that they don't sleep.

Joe

From morrowc.lists at gmail.com Wed Dec 1 10:26:09 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 1 Dec 2010 11:26:09 -0500
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org>

On Wed, Dec 1, 2010 at 10:24 AM, Cat Okita wrote:
> On Wed, 1 Dec 2010, Leo Bicknell wrote:
>>
>> Every meeting I have with a colo provider I suggest this exact idea.
>> Patch cables (cat5, single mode, multi-mode), fiber couplers, maybe
>> even SFP's, velcro ties, a 10-in-1 screwdriver, etc.
>
> I'd say skip the colo provider, and look for vending machine companies.
>
> The colo provider's unlikely to go to the bother of digging up somebody
> to provide the vending machines and contents, but seems likely to be
> quite interested if the thing's provided to them as a package...

the colo provider may not want to 'waste' electricity/cooling on a vending machine...

-chris

From cmadams at hiwaay.net Wed Dec 1 10:43:29 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 1 Dec 2010 10:43:29 -0600
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org>
Message-ID: <20101201164329.GE7959@hiwaay.net>

Once upon a time, Christopher Morrow said:
> the colo provider may not want to 'waste' electricity/cooling on a
> vending machine...

A plain (non-drink) machine draws a few watts. I don't think rack screws and patch cables need to be refrigerated; if they can't spare a few watts for a vending machine, then you probably can't install anything new there anyway.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
From woody at pch.net Wed Dec 1 10:48:36 2010
From: woody at pch.net (Bill Woodcock)
Date: Wed, 1 Dec 2010 08:48:36 -0800
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <20101201164329.GE7959@hiwaay.net>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org> <20101201164329.GE7959@hiwaay.net>
Message-ID: <18B4B87C-F683-4D0A-8907-BCA32BC22610@pch.net>

On Dec 1, 2010, at 8:43 AM, Chris Adams wrote:
> Once upon a time, Christopher Morrow said:
>> the colo provider may not want to 'waste' electricity/cooling on a
>> vending machine...
>
> A plain (non-drink) machine draws a few watts. I don't think rack
> screws and patch cables need to be refrigerated; if they can't spare a
> few watts for a vending machine, then you probably can't install
> anything new there anyway.

You know, I don't think the reason this doesn't happen is a technological one. There are a bunch of us who've been pushing this idea to DC and colo providers for well upwards of fifteen years now, and I don't know of anyone who's actually done it. The problem is supply, not demand. Combining someone who's willing to service vending machines for a living with someone who knows what we need the vending machines stocked with is the sticking point, since the market is too small to separate those roles, I think. At least to bootstrap.

Of course, if the economy continues downward, maybe there will be more clueful people who figure stocking vending machines is better than no work at all.

-Bill
From kompella at cs.purdue.edu Wed Dec 1 10:51:13 2010
From: kompella at cs.purdue.edu (Ramana Kompella)
Date: Wed, 1 Dec 2010 11:51:13 -0500
Subject: COMSNETS 2011 (Call for Participation)
Message-ID: <20101201165113.GA511@tirupati>

COMSNETS 2011
The THIRD International Conference on COMmunication Systems and NETworks
January 4-8, 2011, Bangalore, India
http://www.comsnets.org
Email: comsnets2011 at ece.iisc.ernet.in

(In Co-operation with ACM SIGMOBILE)
(Technically Co-Sponsored by IEEE COMSOC)

The Third International Conference on COMmunication Systems and NETworkS (COMSNETS) will be held in Bangalore, India, from 4 January 2011 to 8 January 2011.

COMSNETS is a premier international conference dedicated to addressing advances in Networking and Communications Systems, and Telecommunications services. The goal of the conference is to create a world-class gathering of researchers from academia and industry, practitioners, business leaders, intellectual property experts, and venture capitalists, providing a forum for discussing cutting edge research, and directions for new innovative business and technology.

The conference will include a highly selective technical program consisting of parallel tracks of submitted papers, a small set of invited papers on important and timely topics from well-known leaders in the field, and poster sessions of work in progress. Focused workshops and panel discussions will be held on emerging topics to allow for a lively exchange of ideas. International business and government leaders will be invited to share their perspectives, thus complementing the technical program.

Registration site: http://www.comsnets.org/registration.html. Heavy student discounts available.

We look forward to your participation.

Conference Scope
----------------
Internet Architecture and Protocols
Network-based Applications
Video Distribution (IPTV, Mobile Video, Video on Demand)
Network Operations and Management
Broadband and Cellular Networks (3G/4G, WiMAX/LTE)
Mesh, Sensor and PAN Networks
Communication Software (Cognitive Radios, DSA, SDR)
Wireless Operating Systems and Mobile Platforms
Peer-to-peer Networking
Cognitive Radio and White Space Networking
Optical Networks
Network Security & Cyber Security Technologies
Cloud and Utility computing
Storage Area Networks
Next Generation Web Architectures
Vehicular Networking
Energy-Efficient Networking
Network Science and Emergent Behavior in Socio-Technical Networks
Social Networking Analysis, Middleware and Applications
Networking Technologies for Smart Energy Grids
Disruption/Delay Tolerant Networking

Conference Highlights
---------------------
Conference Inaugural Speaker:
Prof. Raj Jain, Washington U., St. Louis, USA

Banquet speakers:
Dr. Rajeev Rastogi, Yahoo Research, India
Mr. Venkat Rajendran, Billonways Holdings Pvt. Ltd, India

Keynote Speakers:
Prof. Don Towsley, U. Mass Amherst, USA
Dr. Partho Mishra, Cisco, India
Mr. Subu Goparaju, Infosys, India
Dr. Pravin Bhagwat, AirTight Networks, India
Dr. Jean Bolot, Sprint, USA
Mr. Michael Eisler, NetApp Inc, USA

Workshops:
WISARD (4, 5 Jan)
NetHealth (4 Jan)
IAMCOM (5 Jan)
Mobile India 2011 (7 Jan)

Technical Paper and Poster Sessions
Ph.D Forum
Panel Discussions
Demos & Exhibits

General Co-Chairs
-----------------
David B. Johnson, Rice University, USA
Anurag Kumar, IISc Bangalore, India

Technical Program Co-Chairs
---------------------------
Jon Crowcroft, U. of Cambridge, UK
D. Manjunath, IIT Bombay, India
Archan Misra, Telcordia Tech., USA

Steering Committee Co-Chairs
----------------------------
Uday Desai, IIT Hyderabad, India
Giridhar Mandyam, Qualcomm, USA
Sanjoy Paul, Infosys, India
Rajeev Shorey, NIIT University, India
G. Venkatesh, SASKEN, India

Panel Co-Chairs
---------------
Aditya Akella, U. of Wisconsin, USA
Venkat Padmanabhan, MSR, India

Ph.D Forum Chair
----------------
Bhaskaran Raman, IIT Bombay, India

Publications Chair
------------------
Varsha Apte, IIT Bombay, India

Demos and Exhibits Co-Chairs
----------------------------
Aaditeshwar Seth, IIT Delhi, India
Ajay Bakre, Netapps, India

Sponsorship Chair
-----------------
Sudipta Maitra, Delhi, India

Workshop Chairs
---------------
Sharad Jaiswal, Alcatel-Lucent, India
Ravindran Kaliappa, CUNY, USA
Neelesh Mehta, IISc Bangalore, India

Mobile India 2011 Co-Chairs
---------------------------
Gene Landy, Ruperto-Israel & Weiner, USA
Rajaraghavan Setlur, SASKEN, India
Sridhar Varadharajan, SASKEN, India

Publicity Co-Chair
------------------
Augustin Chaintreau, TTL, France
Kameswari Chebrolu, IIT Bombay, India
Song Chong, KAIST, Korea
Ramana Kompella, Purdue Univ, USA
Nishanth Sastry, U. of Cambridge, UK

Web Co-Chairs
-------------
Santhana Krishnan, IIT Bombay, India
Vinay Veerappa, SASKEN, India

International Advisory Committee
--------------------------------
K. K. Ramakrishnan, AT&T, USA
Victor Bahl, Microsoft Research, USA
Sunghyun Choi, Seoul National U., Korea
Sajal Das, U. Texas at Arlington, USA
B. N. Jain, IIT Delhi, India
P. R. Kumar, UIUC, USA
Anurag Kumar, IISc, Bangalore, India
L. M. Patnaik, IISc, Bangalore, India
Krithi Ramamritham, IIT Bombay, India
Parmesh Ramanathan, U. Wisconsin, USA
Krishan Sabnani, Alcatel-Lucent, USA
Kang Shin, U. Michigan, USA
Nitin Vaidya, U. Illinois, USA

University Partners:
--------------------
IIT Bombay, IIT Delhi, IISc Bangalore, IIT Hyderabad, NIIT University, BITS Pilani

Patrons:
--------
CISCO, Infosys, Alcatel Lucent, Intel, Microsoft Research, IBM Research, Sasken, Datacipher, Mobile Monday Bangalore

From bruns at 2mbit.com Wed Dec 1 10:57:43 2010
From: bruns at 2mbit.com (Brielle Bruns)
Date: Wed, 01 Dec 2010 09:57:43 -0700
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To: <20101201164329.GE7959@hiwaay.net>
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org> <20101201164329.GE7959@hiwaay.net>
Message-ID: <4CF67E87.80903@2mbit.com>

On 12/1/10 9:43 AM, Chris Adams wrote:
> A plain (non-drink) machine draws a few watts. I don't think rack
> screws and patch cables need to be refrigerated; if they can't spare a
> few watts for a vending machine, then you probably can't install
> anything new there anyway.

It's def not a bad idea, and if you really wanted to, not like it would be hard to put nuts, screws, etc in a can, put a piece of electrical tape over the top, and completely repurpose an existing soda machine or even use one or two spaces in a machine already in the lobby or NOC. It may not look pretty, but it's actually a great way to recycle and do something creative.

Or, you could do what our co-loc does, have a large coffee can with screws, nuts, etc and a few shared screwdrivers in another. On your way in, grab the nuts/screws and a screwdriver, on your way out put unused and extras back in the can.

Little things like that if people cooperate can be an excellent bullet point on why to be in a specific facility.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org From ryan.finnesey at HarrierInvestments.com Wed Dec 1 11:13:59 2010 From: ryan.finnesey at HarrierInvestments.com (Ryan Finnesey) Date: Wed, 1 Dec 2010 09:13:59 -0800 Subject: regional ASN's Message-ID: <6EFFEFBAC68377459A2E972105C759EC032BF922@EXVBE005-2.exch005intermedia.net> I see various people are recommending networks setup regional ASN's. I am in the process of setting up a new network which will serve as a transit network for all our operating units. I was planning on using one ASN for North America, Asia and Europe. Is this not recommended? Cheers Ryan From ras at e-gerbil.net Wed Dec 1 11:22:24 2010 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Wed, 1 Dec 2010 11:22:24 -0600 Subject: TWT - Comcast congestion In-Reply-To: <20101201143139.GA69051@ussenterprise.ufp.org> References: <20101130194553.CBADA1CC3C@ptavv.es.net> <20101201021223.GE38726@gerbil.cluepon.net> <20101201024557.GA54276@ussenterprise.ufp.org> <20101201032447.GG38726@gerbil.cluepon.net> <20101201035325.GA56584@ussenterprise.ufp.org> <20101201045925.GJ38726@gerbil.cluepon.net> <20101201143139.GA69051@ussenterprise.ufp.org> Message-ID: <20101201172224.GQ38726@gerbil.cluepon.net> On Wed, Dec 01, 2010 at 06:31:39AM -0800, Leo Bicknell wrote: > In a message written on Tue, Nov 30, 2010 at 10:59:25PM -0600, Richard A Steenbergen wrote: > > I believe that's what I said. To be perfectly clear, what I'm saying is: > > > > * Comcast acted first by demanding fees > > * Level 3 went public first by whining about it after they agreed to pay > > * Comcast was well prepared to win the PR war, and had a large pile of > > content that sounds good to the uninformed layperson ready to go. > > I think I can make this very simple. What I am saying is that > you're missing a step before your 3 bullet points. Before any of > the three things you describe, Level 3 demanded fees from Comcast. 
> Level 3 is doing a great job of getting folks to ignore that fact. Do you have any basis for this claim, or are you just making it up as a possible scenario that would explain Comcast's actions? I have it on good authority that Level 3 did not attempt to raise their prices or ask for additional fees beyond their existing contract, nor was their contract coming to term where they could "renegotiate" for more favorable terms. Comcast simply said, we've decided we don't want to pay you, you should pay us instead, and you're going to bend over and like it if you want to be able to reach our customers. Obviously the version I've heard and the version you're pitching can't co-exist, so either you have some REALLY interesting inside info that I don't (which I honestly find hard to believe given your knowledge of the facts so far), or you're stating a theory with no possible basis that I can find as a fact. If it's just a theory, please say so, then we don't keep having to argue these positions that can clearly never converge. > Comcast is a customer of L3, and pays them for service. Bringing > on Netflix will cause Comcast to pay L3 more. More interestingly, > in this case it's likely Level 3 went to Comcast and said we don't > think your existing customer ports will handle the additional > traffic....so...um...you should buy more customer ports. Comcast is the customer, they have complete and total control of the traffic being exchanged over their transit ports. If they wanted less traffic, they could announce fewer routes, or add more no-export communities. They also have complete control of traffic being sent outbound, and since Level3 is more than capable of handling 300Gbps (the capacity comcast claims they have), if Comcast actually had 300Gbps of outbound traffic to send they could easily have had a 1:1 ratio. Framing this as a peering ratio debate is absurd, because these two networks were NEVER peers. 
Any customer could have sent additional bits to Level3 at any time, and Comcast should be prepared to deal with the TE as a result. That's life on the Internet. > Does network neutrality work both ways? If it is bad for Comcast > to hold the users hostage to extort more money from Level 3, is it > also bad for Level 3 to hold the content hostage to extort more > money from Comcast? You know, most people manage to buy sufficient transit capacity to support the volume of traffic that their customers pay them to deliver. Only Comcast seems to feel that it is proper to hold their captive customer base hostage to extort content networks into paying for uncongested access. Level 3 is free to sell full transit or CDN to whomever they like, just as Comcast is free to not buy transit from Level 3 when their contract is up. The net neutrality part starts when Level 3 is NOT free to turn off their customer for non-payment just like what would happen to anyone else who suddenly decided they didn't think they should keep paying their bills, because Comcast maintains so little transit capacity that to shut them off would cause massive disruptions to large portions of the Internet. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From deleskie at gmail.com Wed Dec 1 11:31:59 2010 From: deleskie at gmail.com (deleskie at gmail.com) Date: Wed, 1 Dec 2010 17:31:59 +0000 Subject: regional ASN's Message-ID: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> You can use one AS and communities to separate your traffic/policies. -jim ------Original Message------ From: Ryan Finnesey To: NANOG list Subject: regional ASN's Sent: Dec 1, 2010 1:13 PM I see various people are recommending networks setup regional ASN's. I am in the process of setting up a new network which will serve as a transit network for all our operating units. 
I was planning on using one ASN for North America, Asia and Europe. Is this not recommended? Cheers Ryan Sent from my BlackBerry device on the Rogers Wireless Network From bicknell at ufp.org Wed Dec 1 11:34:05 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 1 Dec 2010 09:34:05 -0800 Subject: TWT - Comcast congestion In-Reply-To: <20101201172224.GQ38726@gerbil.cluepon.net> References: <20101130194553.CBADA1CC3C@ptavv.es.net> <20101201021223.GE38726@gerbil.cluepon.net> <20101201024557.GA54276@ussenterprise.ufp.org> <20101201032447.GG38726@gerbil.cluepon.net> <20101201035325.GA56584@ussenterprise.ufp.org> <20101201045925.GJ38726@gerbil.cluepon.net> <20101201143139.GA69051@ussenterprise.ufp.org> <20101201172224.GQ38726@gerbil.cluepon.net> Message-ID: <20101201173405.GB5551@ussenterprise.ufp.org> Comcast has released additional details publicly. Of course, this is their side of the story, so I wouldn't believe it hook line and sinker but it helps fill in the gaps. http://blog.comcast.com/2010/11/comcasts-letter-to-fcc-on-level-3.html -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From jakari at bithose.com Wed Dec 1 11:47:09 2010 From: jakari at bithose.com (Jameel Akari) Date: Wed, 1 Dec 2010 12:47:09 -0500 (EST) Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA) In-Reply-To: <4CF67E87.80903@2mbit.com> References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org> <20101201164329.GE7959@hiwaay.net> <4CF67E87.80903@2mbit.com> Message-ID: > Or, you could do what our co-loc does, have a large coffee can with screws, > nuts, etc and a few shared screwdrivers in another. On your way in, grab the > nuts/screws and a screwdriver, on your way out put unused and extras back in > the can. 
I like this idea better - which is what one of our DCs does for snacks and food. Box of Pop-Tarts, with an honor system can for payment. Partially for the staff, but they put it out in the customer area along with free coffee. Coke machine costs $0.50. There is at least one operator on duty 24/7; if I really needed to I could go knock on the door and have them scrounge up tools and screws. There is a Home Depot a half mile away failing that. This all sounds a little silly compared to the normal datacenter facility issues like power, security, telecomm... but indeed these touches go a long way towards customer satisfaction when you're there for an entire weekend for some big install. Next time we look for new facilities, I know I'll have these in mind. An aside: There is a special place in hell reserved for those who throw out "unneeded" rack hardware. ;) -- Jameel Akari From nanog at jima.tk Wed Dec 1 12:02:23 2010 From: nanog at jima.tk (Jima) Date: Wed, 01 Dec 2010 12:02:23 -0600 Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions References: 4CF524D4.7090304@2mbit.com Message-ID: <4CF68DAF.3080704@jima.tk> On 2010-11-30 @ 1122, William Herrin wrote: > I checked it out when I updated my credit card number online recently. > The billing page has a place to describe a cap and overage charges. > It's listed as unlimited. Not saying you're wrong. Just saying that > the billing documentation disagrees. As does the usage tracking system: http://jima.tk/201012/unlimited.png Grandfathered-in account, now on a MiFi device. 
Jima From joly at punkcast.com Wed Dec 1 13:35:44 2010 From: joly at punkcast.com (Joly MacFie) Date: Wed, 1 Dec 2010 14:35:44 -0500 Subject: TWT - Comcast congestion In-Reply-To: <20101201173405.GB5551@ussenterprise.ufp.org> References: <20101130194553.CBADA1CC3C@ptavv.es.net> <20101201021223.GE38726@gerbil.cluepon.net> <20101201024557.GA54276@ussenterprise.ufp.org> <20101201032447.GG38726@gerbil.cluepon.net> <20101201035325.GA56584@ussenterprise.ufp.org> <20101201045925.GJ38726@gerbil.cluepon.net> <20101201143139.GA69051@ussenterprise.ufp.org> <20101201172224.GQ38726@gerbil.cluepon.net> <20101201173405.GB5551@ussenterprise.ufp.org> Message-ID: I've collected my fav links (inc. nanog posts) on this topic on http://www.isoc-ny.org/p2/?p=1504. If there are issues with my brief explanation please let me know. j On Wed, Dec 1, 2010 at 12:34 PM, Leo Bicknell wrote: > > Comcast has released additional details publically. Of course, this is > their side of the story, so I wouldn't believe it hook line and sinker > but it helps fill in the gaps. 
> > http://blog.comcast.com/2010/11/comcasts-letter-to-fcc-on-level-3.html > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ > -- --------------------------------------------------------------- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com Secretary - ISOC-NY - http://isoc-ny.org --------------------------------------------------------------- From randy at psg.com Wed Dec 1 14:28:52 2010 From: randy at psg.com (Randy Bush) Date: Thu, 02 Dec 2010 05:28:52 +0900 Subject: FUD: 15% of world's internet traffic hijacked In-Reply-To: <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org> References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org> Message-ID: > At the very least you might want to review: > http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml > Renesys provides one data point but there are others that clearly show > traffic routed *through* China (meaning they did indeed > originate/hijack, and then pass data on to the original destination). as usual i see no traffic measurements in the renesys note. i see inference of traffic based on some control plane measurements. and, has been shown, such inferences are highly suspect. randy From dredd at megacity.org Wed Dec 1 14:31:41 2010 From: dredd at megacity.org (Derek J. 
Balling) Date: Wed, 1 Dec 2010 15:31:41 -0500 Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions In-Reply-To: <15615ED6-CEB2-4416-A91A-0B4CF9B82824@delong.com> References: <3F3C0336-9C56-4618-9B33-6578517AAAEF@americafree.tv> <3A5A79C7-0261-4E6E-86E5-95A5DB5C6E4C@americafree.tv> <4CF50E99.2010901@emmanuelcomputerconsulting.com> <4CF524D4.7090304@2mbit.com> <15615ED6-CEB2-4416-A91A-0B4CF9B82824@delong.com> Message-ID: <7DA9C046-8E75-4CC1-AFAB-E9C2CF28CF89@megacity.org> Sprint also offers unlimited 3G/4G data, and they were *really* specific in a mailing to their customers a couple days ago actually that "unlimited means unlimited, not like some of our competitors are doing to their customers". D On Nov 30, 2010, at 11:29 AM, Owen DeLong wrote: > MetroPCS also offers unlimited EVDO. > > Owen > > On Nov 30, 2010, at 8:22 AM, Brielle Bruns wrote: > >> On 11/30/10 9:07 AM, William Herrin wrote: >>> My Verizon Blackberry plan says unlimited data. Including the tether. >>> >> >> It's 5GB, trust me on that one. Former roommate worked for Verizon Wireless as a high level blackberry tech in the local call center - they quietly added the cap to all plans over the past year after adding all these little disclaimers to sales docs, websites, etc. >> >> She came home and warned us one day that our EVDO modem on the business account was now capped, even though it was originally 'unlimited'. IIRC, they'll start billing you per megabyte or gigabyte after 5GB. I've not had an opportunity to test this, so I'm only going by what I was told. >> >>> IIRC, Clear's 4G service has no monthly cap. >> >> It does, 5GB as well, but I believe they throttle you down majorly once you hit the cap. I'll keep my eyes on the fine print next time I see a Clear commercial here. 
>> >> -- >> Brielle Bruns >> The Summit Open Source Development Group >> http://www.sosdg.org / http://www.ahbl.org > > From dredd at megacity.org Wed Dec 1 14:38:41 2010 From: dredd at megacity.org (Derek J. Balling) Date: Wed, 1 Dec 2010 15:38:41 -0500 Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions In-Reply-To: References: Message-ID: On Nov 29, 2010, at 10:25 PM, William Herrin wrote: > There are a couple forms of shared billing. There's a third kind you failed to mention that doesn't require equal footing of the parties. The broker. I might pay an apartment broker $X to help find me an apartment. In turn the apartment broker might match me up with an apartment, and charge the landlord $Y for a successful tenancy. $Y is frequently much higher than $X, because the value to the landlord is much higher than the value to the tenant. There's a lot of similarities to the ISP model here. It's not worth "beaucoup cash" to the end-user to pay for all the overhead of the bandwidth costs. Their whole "benefit" is getting to watch a movie. Netflix and L3, on the other hand, stand to make quite a bit of money on the transaction, and could pay the "broker-ISP" a heftier sum to handle all their transactions with their end-users for them. They do that because it's not cost-effective for them to try and do direct transactions with their end-users, just as it's often not convenient for landlords to go around trying to actively find tenants. On Nov 29, 2010, at 11:20 PM, Leo Bicknell wrote: > Broadband in the US is not in that boat. Too many consumers have > a "choice" of a single provider. The vast majority of the rest > have the "choice" of two providers. I dunno. I've lived in areas where I had two dozen local providers vying for my last-mile residential connectivity business. Perhaps this is something for you to bring up with your local municipality, tell them to stop strangling the businesses that want to offer service to their residents. 
But just because your elected officials aren't doing right by you doesn't mean that it justifies telling Comcast that they have to run their network, paid for with their money, according to yours or anyone else's rules. D From tme at americafree.tv Wed Dec 1 14:42:55 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Wed, 1 Dec 2010 15:42:55 -0500 Subject: FUD: 15% of world's internet traffic hijacked In-Reply-To: References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org> Message-ID: Dear Randy; On Dec 1, 2010, at 3:28 PM, Randy Bush wrote: >> At the very least you might want to review: >> http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml >> Renesys provides one data point but there are others that clearly show >> traffic routed *through* China (meaning they did indeed >> originate/hijack, and then pass data on to the original destination). > > as usual i see no traffic measurements in the renesys note. i see > inference of traffic based on some control plane measurements. and, has > been shown, such inferences are highly suspect. > Doesn't this traceroute (from the above) seem fairly convincing of transit ? (Not of the _amount_ of transit, just of its _existence_ ?) ...here's one of the typical traceroutes we saw during the incident, between the London Internet Exchange and a host in the USA, passing through China Telecom. This trace was collected at 16:03 UTC, about 13 minutes into the event. Total time in transit is 525ms (this trace typically takes no more than 110ms under normal conditions).

 1.                 0.785ms   # London
 2. 195.66.248.229  1.752ms   # London
 3. 195.66.225.54   1.371ms   # London
 4. 202.97.52.101   399.707ms # China Telecom
 5. 202.97.60.6     408.006ms # China Telecom
 6. 202.97.53.121   432.204ms # China Telecom
 7. 4.71.114.101    323.690ms # Level3
 8. 4.68.18.254     357.566ms # Level3
 9. 4.69.134.221    481.273ms # Level3
10. 4.69.132.14     506.159ms # Level3
11. 4.69.132.78     463.024ms # Level3
12. 4.71.170.78     449.416ms # Level3
13. 66.174.98.66    456.970ms # Verizon
14. 66.174.105.24   459.652ms # Verizon
[.. four more Verizon hops ..]
19. 69.83.32.3      508.757ms # Verizon
20.                 516.006ms # Verizon

And doesn't the graph in Craig Labovitz's blog seem consistent with a modest (not overwhelming, or even unusual) amount of excess traffic during the event ? http://asert.arbornetworks.com/2010/11/china-hijacks-15-of-internet-traffic/ So, putting this, and everything else, together, wouldn't it be reasonable to conclude, that - some traffic was diverted but - nowhere near 15% of the Internet, by orders of magnitude ? Regards Marshall > randy > > From morrowc.lists at gmail.com Wed Dec 1 14:43:26 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 1 Dec 2010 15:43:26 -0500 Subject: FUD: 15% of world's internet traffic hijacked In-Reply-To: References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org> Message-ID: On Wed, Dec 1, 2010 at 3:28 PM, Randy Bush wrote: > as usual i see no traffic measurements in the renesys note. i see > inference of traffic based on some control plane measurements. and, has > been shown, such inferences are highly suspect. it's fairly clear though that you won't get traffic information without looking at the interconnects between the offending parties, eh? I think the Arbor notes about this try to address this from a traffic perspective, though they have anonymized stats at best. 
also, you won't get the traffic stats from the offending parties -chris From randy at psg.com Wed Dec 1 14:52:08 2010 From: randy at psg.com (Randy Bush) Date: Thu, 02 Dec 2010 05:52:08 +0900 Subject: FUD: 15% of world's internet traffic hijacked In-Reply-To: References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org> Message-ID: > it's fairly clear though that you won't get traffic information > without looking at the interconnects between the offending parties yep > also, you won't get the traffic stats from the > offending parties and how much traffic data does google publish? or iij or ntt? oops! cho, fukuda, esaki, & kato [0] did show real traffic data from japan's largest isps. no accusations meant. just trying to keep the discussion near sea level. randy --- [0] - http://www.iijlab.net/~kjc/papers/rbb-sigcomm2006.pdf and follow-on from 2010 http://www.iij.ad.jp/en/development/iir/pdf/iir_vol08_report_EN.pdf From tme at americafree.tv Wed Dec 1 15:27:10 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Wed, 1 Dec 2010 16:27:10 -0500 Subject: wikileaks unreachable In-Reply-To: References: Message-ID: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> On Nov 30, 2010, at 11:07 AM, Marshall Eubanks wrote: > > On Nov 28, 2010, at 4:34 PM, Randy Bush wrote: > >> anyone know why https://www.wikileaks.org/ is not reachable? nations >> state level censors trying to close the barn door after the horse has >> left? >> >> randy >> >> > > That was two days ago - as of this morning, there is apparently another > > From @wikileaks on twitter > > wikileaks WikiLeaks > DDOS attack now exceeding 10 Gigabits a second. > 1 hour ago > > wikileaks WikiLeaks > We are currently under another DDOS attack. 
More routing news: Wikileaks has been booted off Amazon EC2 http://arstechnica.com/security/news/2010/12/wikileaks-kicked-out-of-amazons-cloud.ars "Senator Joe Lieberman (I-CT), chairman of the Homeland Security and Governmental Affairs Committee, was among the congressmen who pressured Amazon to stop hosting Wikileaks... The site was down briefly after being ejected from Amazon, but is back up and once again running on the servers of Bahnhof, its previous Swedish hosting provider." regards Marshall > > Marshall > > > From m.hallgren at free.fr Wed Dec 1 15:30:25 2010 From: m.hallgren at free.fr (Michael Hallgren) Date: Wed, 01 Dec 2010 22:30:25 +0100 Subject: regional ASN's In-Reply-To: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> Message-ID: <1291239025.26073.12.camel@home> On Wednesday, 1 December 2010 at 17:31 +0000, deleskie at gmail.com wrote: > You can use one AS and communities to separate your traffic/policies. Or other iBGP means of internal separation, like BGP confederations (in order to avoid iBGP session hacks). mh > > -jim > ------Original Message------ > From: Ryan Finnesey > To: NANOG list > Subject: regional ASN's > Sent: Dec 1, 2010 1:13 PM > > I see various people are recommending networks setup regional ASN's. I > am in the process of setting up a new network which will serve as a > transit network for all our operating units. I was planning on using > one ASN for North America, Asia and Europe. Is this not recommended? > > Cheers > Ryan > > > > > Sent from my BlackBerry device on the Rogers Wireless Network > 
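A small model of the single-ASN design discussed in the regional ASN thread above (one ASN reused by every regional island, communities carrying the per-region policy). This is an added example, not code from the thread or from any router vendor: it implements the standard BGP AS_PATH loop check (RFC 4271), the allowas-in style relaxation that lets islands on the same ASN learn each other's prefixes through transit, and a community-based inbound policy that refuses a route tagged by the receiving island itself, since accepting it would be a loop. The ASNs (64500, 64496, 64497), prefixes, community values and region names are all made up for the illustration, and the model assumes the transit provider propagates the communities.

```python
"""Added example (not from the NANOG thread or any vendor): one ASN shared by
regional islands, BGP loop detection, allowas-in, and community-based policy.
Every ASN, prefix and community value here is hypothetical."""

from dataclasses import dataclass, field

OUR_ASN = 64500              # hypothetical: the single ASN shared by all islands
TRANSIT_ASN = 64496          # hypothetical upstream sitting between the islands

# Hypothetical regional tags, written as (asn, value) pairs for "64500:100" etc.
REGION_TAG = {"na": (OUR_ASN, 100), "eu": (OUR_ASN, 200), "asia": (OUR_ASN, 300)}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                        # leftmost entry is the most recent AS
    communities: frozenset = field(default_factory=frozenset)
    local_pref: int = 100


def originate(prefix, region):
    """A route as an island announces it: our ASN in the path, regional tag set."""
    return Route(prefix, (OUR_ASN,), frozenset({REGION_TAG[region]}))


def via_transit(route):
    """The same route as it comes back from the upstream (upstream ASN prepended).
    Assumption: the upstream passes our communities through unchanged."""
    return Route(route.prefix, (TRANSIT_ASN,) + route.as_path, route.communities)


def passes_loop_check(route, local_asn=OUR_ASN, allowas_in=0):
    """RFC 4271 loop detection: a path that already contains the local ASN is
    rejected.  allowas_in=N (the usual vendor knob) tolerates up to N
    occurrences, which is what lets two islands on one ASN see each other's
    prefixes through a transit provider at all."""
    return route.as_path.count(local_asn) <= allowas_in


def inbound_policy(route, my_region, allowas_in=0):
    """What an island in my_region accepts from its upstream.  Returns the route
    with local_pref applied, or None if it is dropped."""
    if not passes_loop_check(route, allowas_in=allowas_in):
        return None
    tags = route.communities
    if REGION_TAG[my_region] in tags:
        # allowas-in let it past the path check, but the tag says this very
        # island originated it: accepting it would be a routing loop
        return None
    pref = 100
    if any(tag in tags for tag in REGION_TAG.values()):
        pref = 200                        # a sibling island, reached via transit
    return Route(route.prefix, route.as_path, tags, pref)


def demo():
    """Outcome of the interesting cases as seen from the NA island."""
    from_eu = via_transit(originate("192.0.2.0/24", "eu"))
    own = via_transit(originate("198.51.100.0/24", "na"))
    third = Route("203.0.113.0/24", (TRANSIT_ASN, 64497))   # unrelated network
    return {
        "eu_default": inbound_policy(from_eu, "na"),                   # dropped
        "eu_allowas_in": inbound_policy(from_eu, "na", allowas_in=1),  # accepted, pref 200
        "own_reflected": inbound_policy(own, "na", allowas_in=1),      # dropped: loop
        "third_party": inbound_policy(third, "na"),                    # accepted, pref 100
    }


if __name__ == "__main__":
    for name, result in demo().items():
        status = "dropped" if result is None else f"accepted, local_pref {result.local_pref}"
        print(f"{name:15s} -> {status}")
```

The first case is the complaint raised in the thread: with plain loop detection an island never sees a sibling island's prefix. Relaxing the check is what makes the second case work, and the third case is the care that relaxation demands: once your own ASN is tolerated in the path, something other than the path (here the regional tag) has to stop your own prefixes from being re-imported. If the upstream strips communities the tag-based guard has nothing to work with, which is the point at which separate ASNs or an iBGP session over a tunnel, as the thread mentions, become the cleaner option.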
From jared at puck.nether.net Wed Dec 1 15:32:47 2010 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 1 Dec 2010 16:32:47 -0500 Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions In-Reply-To: References: Message-ID: <01EE48F2-6615-4426-809A-0C9013747A9B@puck.nether.net> On Dec 1, 2010, at 3:38 PM, Derek J. Balling wrote: > On Nov 29, 2010, at 11:20 PM, Leo Bicknell wrote: >> Broadband in the US is not in that boat. Too many consumers have >> a "choice" of a single provider. The vast majority of the rest >> have the "choice" of two providers. > > I dunno. I've lived in areas where I had two dozen local providers vying for my last-mile residential connectivity business. Perhaps this is something for you to bring up with your local municipality, tell them to stop strangling the businesses that want to offer service to their residents. I live in an area without two dozen local providers that offer services to my address. Neither T nor CMCSA offer service at my address nor will they even return calls about price quotes to build. The local municipalities were uninterested as well, including putting pressure on the local utilities (T/CMCSA) that have major offices/callcenters located in the township. Ultimately I managed to work something out and get service, but for those on the "edge" areas, its much harder than you would think to gain access. I suspect there will be ongoing property devaluation as a consequence of lack of these utilities.. - Jared From patrick at ianai.net Wed Dec 1 15:37:01 2010 From: patrick at ianai.net (Patrick W. 
Gilmore) Date: Wed, 1 Dec 2010 16:37:01 -0500 Subject: regional ASN's In-Reply-To: <1291239025.26073.12.camel@home> References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> <1291239025.26073.12.camel@home> Message-ID: <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> On Dec 1, 2010, at 4:30 PM, Michael Hallgren wrote: > On Wednesday, 1 December 2010 at 17:31 +0000, deleskie at gmail.com wrote: >> You can use one AS and communities to separate your traffic/policies. > > Or other iBGP means of internal separation, like BGP confederations (in > order to avoid iBGP session hacks). Or just have disparate networks using the same ASN. Works fine. Why waste ASNs and try to explain to others how asX,Y,Z, etc., are all the same company? -- TTFN, patrick >> ------Original Message------ >> From: Ryan Finnesey >> To: NANOG list >> Subject: regional ASN's >> Sent: Dec 1, 2010 1:13 PM >> >> I see various people are recommending networks setup regional ASN's. I >> am in the process of setting up a new network which will serve as a >> transit network for all our operating units. I was planning on using >> one ASN for North America, Asia and Europe. Is this not recommended? >> >> Cheers >> Ryan >> >> >> >> >> Sent from my BlackBerry device on the Rogers Wireless Network >> > From mike-nanog at tiedyenetworks.com Wed Dec 1 15:38:58 2010 From: mike-nanog at tiedyenetworks.com (Mike) Date: Wed, 01 Dec 2010 13:38:58 -0800 Subject: wikileaks unreachable In-Reply-To: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> Message-ID: <4CF6C072.4020402@tiedyenetworks.com> Just on an operational front, does anyone know the nature of the DDoS against wikileaks? eg: spoofed source garbage, http get, synfloods, or ? 
Mike- From randy at psg.com Wed Dec 1 15:41:06 2010 From: randy at psg.com (Randy Bush) Date: Thu, 02 Dec 2010 06:41:06 +0900 Subject: Blocking International DNS In-Reply-To: <20101130055744.GN16087@sizone.org> References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> Message-ID: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. randy From Valdis.Kletnieks at vt.edu Wed Dec 1 15:42:30 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 01 Dec 2010 16:42:30 -0500 Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions In-Reply-To: Your message of "Wed, 01 Dec 2010 16:32:47 EST." <01EE48F2-6615-4426-809A-0C9013747A9B@puck.nether.net> References: <01EE48F2-6615-4426-809A-0C9013747A9B@puck.nether.net> Message-ID: <15823.1291239750@localhost> On Wed, 01 Dec 2010 16:32:47 EST, Jared Mauch said: > Ultimately I managed to work something out and get service, but for > those on the "edge" areas, its much harder than you would think to gain > access. I suspect there will be ongoing property devaluation as a > consequence of lack of these utilities.. Has already started. I was looking for an apartment/house recently, and looked at one place towards the outskirts of town that was rather nicer than the rent price would indicate. The guy admitted the rent had been dropped $150/mo because the location had neither DSL nor cable service. Unfortunately, that was a show-stopper for me as well... 
From jbates at brightok.net Wed Dec 1 15:43:48 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 01 Dec 2010 15:43:48 -0600 Subject: regional ASN's In-Reply-To: <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> <1291239025.26073.12.camel@home> <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> Message-ID: <4CF6C194.4060906@brightok.net> On 12/1/2010 3:37 PM, Patrick W. Gilmore wrote: > > Or just have disparate networks using the same ASN. Works fine. > > Why waste ASNs and try to explain to others how asX,Y,Z, etc., are all the same company? > I dislike the problem of routes not being accepted with my ASN in it. There's workarounds, but they are all ugly. Jack From patrick at ianai.net Wed Dec 1 15:56:49 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Wed, 1 Dec 2010 16:56:49 -0500 Subject: regional ASN's In-Reply-To: <4CF6C194.4060906@brightok.net> References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> <1291239025.26073.12.camel@home> <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> <4CF6C194.4060906@brightok.net> Message-ID: On Dec 1, 2010, at 4:43 PM, Jack Bates wrote: > On 12/1/2010 3:37 PM, Patrick W. Gilmore wrote: >> >> Or just have disparate networks using the same ASN. Works fine. >> >> Why waste ASNs and try to explain to others how asX,Y,Z, etc., are all the same company? > > I dislike the problem of routes not being accepted with my ASN in it. There's workarounds, but they are all ugly. Having islands which point default is not ugly. They are probably pointing default anyway. If not, typing "nei $FOO allowas-in" is also not ugly, IMHO. But your network, your decision. Mine runs fine like that. 
--
TTFN,
patrick

From jbates at brightok.net Wed Dec 1 16:05:58 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 01 Dec 2010 16:05:58 -0600
Subject: regional ASN's
In-Reply-To:
References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> <1291239025.26073.12.camel@home> <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> <4CF6C194.4060906@brightok.net>
Message-ID: <4CF6C6C6.7090601@brightok.net>

On 12/1/2010 3:56 PM, Patrick W. Gilmore wrote:
> Having islands which point default is not ugly. They are probably pointing default anyway.
>

If all sites strictly do default, fine. However, one could say static routing would work fine there too; and then you don't need an ASN. If each site is multihomed (the usual reason to run BGP), you might want to see the routes to apply appropriate traffic policies to them.

> If not, typing "nei $FOO allowas-in" is also not ugly, IMHO.

Works, but you usually need to be careful when utilizing that method to prevent loops.

>
> But your network, your decision. Mine runs fine like that.
>

I'm surprised that you left out the obvious workaround and, depending on the traffic, the most appropriate model (leaving workaround status): create an encrypted channel between the networks and run iBGP over it.

Jack

From pete at altadena.net Wed Dec 1 16:18:01 2010
From: pete at altadena.net (Pete Carah)
Date: Wed, 01 Dec 2010 17:18:01 -0500
Subject: Cage nuts/rack hw near SAVVIS DC3 (Sterling VA)
In-Reply-To:
References: <20101130133239.GI30640@0x1.net> <4CF65F0D.5060502@gmail.com> <20101201144818.GB70857@ussenterprise.ufp.org> <20101201164329.GE7959@hiwaay.net> <4CF67E87.80903@2mbit.com>
Message-ID: <4CF6C999.8020804@altadena.net>

On 12/01/2010 12:47 PM, Jameel Akari wrote:
>
>> Or, you could do what our co-loc does, have a large coffee can with
>> screws, nuts, etc and a few shared screwdrivers in another.
>> On your way in, grab the nuts/screws and a screwdriver, on your way out put
>> unused and extras back in the can.
>
> I like this idea better - which is what one of our DCs does for snacks
> and food. Box of Pop-Tarts, with an honor system can for payment.
> Partially for the staff, but they put it out in the customer area
> along with free coffee. Coke machine costs $0.50. There is at least
> one operator on duty 24/7; if I really needed to I could go knock on
> the door and have them scrounge up tools and screws. There is a Home
> Depot a half mile away failing that.

Unfortunately rack nuts (really the clips) aren't at HD, and they miss the thread pitch for several rack screw types. They do have cat5 and cat6 jumpers and bulk cable, tho.

>
> This all sounds a little silly compared to the normal datacenter
> facility issues like power, security, telecomm... but indeed these
> touches go a long way towards customer satisfaction when you're there
> for an entire weekend for some big install. Next time we look for new
> facilities, I know I'll have these in mind.

There was always Tribeca Ace Hardware... I see it burned out last May, so no longer... Where else could you get retail fiber jumpers on Sunday?

-- Pete

From patrick at ianai.net Wed Dec 1 16:47:54 2010
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Wed, 1 Dec 2010 17:47:54 -0500
Subject: regional ASN's
In-Reply-To: <4CF6C6C6.7090601@brightok.net>
References: <1727880630-1291224719-cardhu_decombobulator_blackberry.rim.net-154390616-@bda483.bisx.prod.on.blackberry> <1291239025.26073.12.camel@home> <82E46A34-0B5E-4AB0-AFC7-AA6080C9F1E0@ianai.net> <4CF6C194.4060906@brightok.net> <4CF6C6C6.7090601@brightok.net>
Message-ID: <9EAD1CE1-7142-43EB-8F2F-253A54AE79B1@ianai.net>

On Dec 1, 2010, at 5:05 PM, Jack Bates wrote:
> On 12/1/2010 3:56 PM, Patrick W. Gilmore wrote:
>> Having islands which point default is not ugly. They are probably pointing default anyway.
>
> If all sites strictly do default, fine.
> However, one could say static routing would work fine there too; and then you don't need an ASN. If each site is multihomed (the usual reason to run BGP), you might want to see the routes to apply appropriate traffic policies to them.

Just because you have one transit doesn't mean you shouldn't do BGP. Consider the router at an exchange point with 100+ peers and one transit, for instance.

>> If not, typing "nei $FOO allowas-in" is also not ugly, IMHO.
>
> Works, but you usually need to be careful when utilizing that method to prevent loops.

There is always a "you usually need to be careful" with any implementation, including a network without islands. If this is, for instance, a bunch of remote offices with a single router & two upstreams each, there is zero risk of routing loops. Otherwise, there are always considerations, whatever your topology choice.

>> But your network, your decision. Mine runs fine like that.
>
> I'm surprised that you left out the obvious workaround and depending on the traffic, the most appropriate model (leaving workaround status), create an encrypted channel between the networks and run iBGP over it.

If you think you need to be careful with allowas-in, you need to be an order of magnitude more careful with tunnels. Plus I don't like GRE. :)

--
TTFN,
patrick

From morrowc.lists at gmail.com Wed Dec 1 17:17:26 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 1 Dec 2010 18:17:26 -0500
Subject: FUD: 15% of world's internet traffic hijacked
In-Reply-To:
References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org>
Message-ID:

On Wed, Dec 1, 2010 at 3:52 PM, Randy Bush wrote:
>> also, you won't get the traffic stats from the
>> offending parties
>
> and how much traffic data does google publish?
>
> or iij or ntt? oops! cho, fukuda, esaki, & kato [0] did show real
> traffic data from japan's largest isps.
>
> no accusations meant.
> just trying to keep the discussion near sea
> level.

sometimes I love to pull your chain... :) I agree though that folks won't publish this data (in general) directly, for whatever reason. Also, right '15% of traffic' really should have been '15% of routes*'

-chris

(*) routes as seen in one set of perspectives... not valid in tennessee, wyoming, parts of Alabama, Albania, Germany, The ex-UK-protectorates or...

From brett at the-watsons.org Wed Dec 1 17:42:27 2010
From: brett at the-watsons.org (Brett Watson)
Date: Wed, 1 Dec 2010 16:42:27 -0700
Subject: FUD: 15% of world's internet traffic hijacked
In-Reply-To:
References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org>
Message-ID:

On Dec 1, 2010, at 4:17 PM, Christopher Morrow wrote:
> sometimes I love to pull your chain... :) I agree though that folks
> won't publish this data (in general) directly, for whatever reason.
> Also, right '15% of traffic' really should have been '15% of routes*'

Agreed, I should have been more clear. I wasn't implying that much traffic either, but rather "15% of global prefixes." I was more focused on, "Seems clear enough that traffic *transited* China ASNs, as opposed to being blackholed as we've seen in many hijacks."

Further, in hopes of generating discussion... I've seen a lot of comments along the lines of "this was likely an accident, misconfiguration, or fat-finger..." I'm having a really hard time figuring how, if traffic not only diverted to China but *transited* China, this could be any kind of mistake. I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination. I can't seem to work all of that out into any kind of "accident."

Anyone?
-b

From leen at consolejunkie.net Wed Dec 1 18:26:51 2010
From: leen at consolejunkie.net (Leen Besselink)
Date: Thu, 02 Dec 2010 01:26:51 +0100
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org>
Message-ID: <4CF6E7CB.7030208@consolejunkie.net>

On 12/01/2010 10:41 PM, Randy Bush wrote:
> the more i think about this, the more i am inclined to consider a second
> trusted root not (easily) attackable by the usg, who owns the root now,
> or the acta vigilantes. as dissent becomes less tolerated, let alone
> supported, we may want to attempt to ensure it in our deployments.
>
> randy
>

Before we do this, I do have some other questions:

Wasn't this exactly why people suggested ICANN should just move to Switzerland and become an independent international organization? Would this still be a possibility?

Another question: how much does ICANN really have to say about the content of the root? Isn't there a long process to get something in/out of the root, and isn't it the root operators that decide to actually deploy the zone?

From tvhawaii at shaka.com Wed Dec 1 18:53:41 2010
From: tvhawaii at shaka.com (Michael Painter)
Date: Wed, 1 Dec 2010 14:53:41 -1000
Subject: Blocking International DNS
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org>
Message-ID:

Randy Bush wrote:
> the more i think about this, the more i am inclined to consider a second
> trusted root not (easily) attackable by the usg, who owns the root now,
> or the acta vigilantes. as dissent becomes less tolerated, let alone
> supported, we may want to attempt to ensure it in our deployments.
>
> randy

Might be of interest:
http://digitizor.com/2010/12/01/the-pirate-bay-co-founder-starting-a-p2p-based-dns-to-take-on-icann/

From drc at virtualized.org Wed Dec 1 19:18:42 2010
From: drc at virtualized.org (David Conrad)
Date: Wed, 1 Dec 2010 15:18:42 -1000
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org>
Message-ID: <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org>

On Dec 1, 2010, at 11:41 AM, Randy Bush wrote:
> the more i think about this, the more i am inclined to consider a second
> trusted root not (easily) attackable by the usg, who owns the root now,
> or the acta vigilantes. as dissent becomes less tolerated, let alone
> supported, we may want to attempt to ensure it in our deployments.

Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
Regards,
-drc

From smb at cs.columbia.edu Wed Dec 1 19:35:12 2010
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Wed, 1 Dec 2010 20:35:12 -0500
Subject: Blocking International DNS
In-Reply-To: <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org>
Message-ID: <03976E4A-6D24-48B5-8A98-B6B9160342C2@cs.columbia.edu>

On Dec 1, 2010, at 8:18:42 PM, David Conrad wrote:
> On Dec 1, 2010, at 11:41 AM, Randy Bush wrote:
>> the more i think about this, the more i am inclined to consider a second
>> trusted root not (easily) attackable by the usg, who owns the root now,
>> or the acta vigilantes. as dissent becomes less tolerated, let alone
>> supported, we may want to attempt to ensure it in our deployments.
>
> Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
>

I think that the Pirate Bay announcement was triggered by http://www.npr.org/templates/story/story.php?storyId=131678432 plus the COICA bill (http://www.eff.org/coica) -- though it, at least, appears to be dead for this session and who knows what the new Congress will do.

That said, I think the problem is primarily political, not technical.
--Steve Bellovin, http://www.cs.columbia.edu/~smb

From bill at herrin.us Wed Dec 1 19:47:42 2010
From: bill at herrin.us (William Herrin)
Date: Wed, 1 Dec 2010 20:47:42 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast'sActions
In-Reply-To:
References:
Message-ID:

On Wed, Dec 1, 2010 at 3:38 PM, Derek J. Balling wrote:
> On Nov 29, 2010, at 10:25 PM, William Herrin wrote:
>> There are a couple forms of shared billing.
>
> There's a third kind you failed to mention that doesn't require equal footing of the parties. The broker.
>
> I might pay an apartment broker $X to help find me an apartment.
> In turn the apartment broker might match me up with an apartment,
> and charge the landlord $Y for a successful tenancy.

Hi Derek,

For the most part the apartment broker process doesn't work quite the way you think. Generally he either gets a fee from you to find you the best apartment or a fee from the landlord to find him a tenant (a "no fee" listing). But not both. Read http://www.nakedapartments.com/blog/broker-fees-explained/. Sometimes the landlord will agree to cover part of the broker's fee but the legal fiction is that the landlord is paying the renter who is paying the broker.

Also bear in mind that apartment brokers tend to be a New York City phenomenon where regulated rent stabilization laws and related heavy regulation apply. They exist elsewhere but all top 20 Google hits for "apartment broker fees" were NYC.

Let's consider a related example that's more ubiquitous than New York City apartment brokers: the real estate agent.

The seller's agent collects a commission. So does the buyer's agent. If they're the same person, they get both commissions. Right?

http://homebuying.about.com/od/glossaryd/g/DualAgency.htm
"Dual agency is not legal in all 50 states."

http://homebuying.about.com/od/realestateagents/qt/92807_DualAgncy.htm
"Dual agency must be agreed to in writing between [all three] parties."
The problem with dual agency is it's a classic conflict of interest. That's why both buyer and seller have to agree to it and go in eyes-wide-open, even where it's legal. What's more, in the highly competitive real estate market, savvy buyers know it's time to apply the screws -- the agent will earn more money even if he takes a big hit on the buyer's commission. Kinda the opposite of the monopoly/duopoly ISP who doesn't seek your permission in dealing with anyone else.

Finally, realize that in both cases (real estate agent and apartment broker) you're dealing with a competitive negotiated process. The law allows -many- things in negotiated contracts that are flat illegal in the contracts of adhesion typically offered to the residential Internet buyer.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From labovit at arbor.net Wed Dec 1 19:50:28 2010
From: labovit at arbor.net (Craig Labovitz)
Date: Wed, 1 Dec 2010 20:50:28 -0500
Subject: wikileaks unreachable
In-Reply-To: <4CF6C072.4020402@tiedyenetworks.com>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com>
Message-ID: <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net>

http://asert.arbornetworks.com/2010/11/wikileaks-cablegate-attack/

and

http://asert.arbornetworks.com/2010/11/round2-ddos-versus-wikileaks/

- Craig

On Dec 1, 2010, at 4:38 PM, Mike wrote:
> Just on an operational front, does anyone know the nature of the DDoS against wikileaks? eg: spoofed source garbage, http get, synfloods, or ?
>
> Mike-

From randy at psg.com Wed Dec 1 19:53:10 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 02 Dec 2010 10:53:10 +0900
Subject: Blocking International DNS
In-Reply-To: <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org>
Message-ID:

>> the more i think about this, the more i am inclined to consider a
>> second trusted root not (easily) attackable by the usg, who owns the
>> root now, or the acta vigilantes. as dissent becomes less tolerated,
>> let alone supported, we may want to attempt to ensure it in our
>> deployments.
> Wouldn't this simply change the focus of who can attack from the USG
> (which, as far as I am aware, has not attacked the root)

see smb's url re rightsholders having alleged bad sites blocked.

randy

From tme at americafree.tv Wed Dec 1 20:54:56 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Wed, 1 Dec 2010 21:54:56 -0500
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org>
Message-ID: <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>

On Dec 1, 2010, at 4:41 PM, Randy Bush wrote:
> the more i think about this, the more i am inclined to consider a second
> trusted root not (easily) attackable by the usg, who owns the root now,
> or the acta vigilantes. as dissent becomes less tolerated, let alone
> supported, we may want to attempt to ensure it in our deployments.
>

Dear Randy;

I am beginning to get the same impression, but I see difficulties moving forward.
International agencies come to mind (the ITU or WIPO), as they are not subject to government warrants, but I think that the existing ones have their own issues. And I have too many bad memories of Alternic to feel comfortable about Peter Sunde's P2P ideas.

Balancing all of that, internationalizing ICANN may be the best solution.

Regards
Marshall

> randy
>
>

From jmamodio at gmail.com Wed Dec 1 21:08:24 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 1 Dec 2010 21:08:24 -0600
Subject: Blocking International DNS
In-Reply-To: <4CF6E7CB.7030208@consolejunkie.net>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <4CF6E7CB.7030208@consolejunkie.net>
Message-ID:

> Wasn't this exactly why people suggested ICANN should just move to
> Switzerland and become an independent international organization? Would
> this still be a possibility?

You can move ICANN to Mars but unless you move the "root", IANA is and will still be under USG control as it is today.

Also ICANN didn't touch any operational knobs related to the latest domain names seized by DHS-ICE.

- J

From randy at psg.com Wed Dec 1 21:10:34 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 02 Dec 2010 12:10:34 +0900
Subject: Blocking International DNS
In-Reply-To: <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID:

> internationalizing ICANN may be the best solution.

for sure! if it is truly removed from the states and not put in genf.

gedanken experiment: who would i trust more to not interfere with **other people's** data, the usg, icann, the itu, or the pirate bay party?
my conclusion makes me very sad.

but playing with the current dns is a short term solution.

in the long run, centralization/rootification of control is equivalent to monopoly. and we have seen time and again that this leads to despotism, often cloaked in false protectionism and false "we represent the community.".

we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception.

randy

From randy at psg.com Wed Dec 1 21:16:46 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 02 Dec 2010 12:16:46 +0900
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID:

> but playing with the current dns is a short term solution.
>
> in the long run, centralization/rootification of control is equivalent
> to monopoly. and we have seen time and again that this leads to
> despotism, often cloaked in false protectionism and false "we represent
> the community.".
>
> we have a significant failure by the security community in that they
> keep giving us hierarchic models, pgp being a notable exception.
http://lauren.vortex.com/archive/000787.html

hmmmm

From rdobbins at arbor.net Wed Dec 1 21:16:33 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 2 Dec 2010 03:16:33 +0000
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID: <0A884BA7-178D-4B9C-B288-A3F6D03DBCDB@arbor.net>

On Dec 2, 2010, at 10:10 AM, Randy Bush wrote:
> we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception.

-----------------------------------------------------------------------
Roland Dobbins // 

Sell your computer and buy a guitar.

From jmamodio at gmail.com Wed Dec 1 21:37:47 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 1 Dec 2010 21:37:47 -0600
Subject: Blocking International DNS
In-Reply-To: <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID:

> And I have too many bad memories of Alternic
> to feel comfortable about Peter Sunde's P2P ideas.

IMHO, there is a basic and fundamental flaw on many of the "alternate" schemes. The current "DNS ecosystem" has been feeding the pockets of many for many years and became what, a ~$7B? industry - many folks are making a living out of it, so any alternate solution that doesn't take seriously in account the economic side will encounter high resistance to change.

Also, who you will really trust to run it ?

> Balancing all of that, internationalizing ICANN may be the best solution.

ICANN is not the problem.
It is itself a problem because over the years, instead of being a technical coordinator for names and numbers, it became the playground and clearinghouse for IP (Intellectual Property) groups, all sorts of colors, sizes and shapes of attorneys milking from the "DNS ecosystem" and Internet Governance wanna-be politiks.

Also, while different segments may have some level of participation (including folks that claim they represent the users, which they do not), by design ICANN is a membership-less organization, so the multi-stakeholder model is a lie, and the bottom-up process, when the bottom does not have the same level of resources to participate as some of the big corp/lobby groups, ends up being a fiasco.

With the current architecture what you need to internationalize is IANA, but who you will trust with that ? ITU ?

As I commented in other forums, I believe that what we need is a novel and well thought resource directory and location service/protocol where central authority and uniqueness are not fundamental requirements, and as said before something that on the long run can be monetized in a way that creates an economic incentive for people to use it.

Meanwhile, as Randy said, our only option is to keep dealing with the current system.

Regards
Jorge

From lyndon at orthanc.ca Wed Dec 1 21:42:10 2010
From: lyndon at orthanc.ca (Lyndon Nerenberg (VE6BBM/VE7TFX))
Date: Wed, 1 Dec 2010 19:42:10 -0800
Subject: Blocking International DNS
In-Reply-To:
Message-ID:

> Also, who you will really trust to run it ?

The UUCP network chugged along quite nicely for many years without any central authority. (Pathalias and the maps weren't an authority, just a hint.)
--lyndon

From jmamodio at gmail.com Wed Dec 1 21:42:35 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 1 Dec 2010 21:42:35 -0600
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID:

> http://lauren.vortex.com/archive/000787.html

I see no drafts, no white or any color papers, no research, no background, good intentions and a napkin list of specs/requirements, no substance.

-J

From jjohnstone at diamondtech.ca Wed Dec 1 21:46:57 2010
From: jjohnstone at diamondtech.ca (Jeff Johnstone)
Date: Wed, 1 Dec 2010 19:46:57 -0800
Subject: Blocking International DNS
In-Reply-To:
References:
Message-ID:

*wonders where his fidonet archives are..... dusty.

Any system needs to be designed to be open to anyone at any level of the economic chart and a minimum of technical knowledge to implement. This does not necessarily need to encompass the identification requirements for commerce, that may well become a separate system.

cheers
Jeff

On Wed, Dec 1, 2010 at 7:42 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) <lyndon at orthanc.ca> wrote:
> > Also, who you will really trust to run it ?
>
> The UUCP network chugged along quite nicely for many years without any
> central authority. (Pathalias and the maps weren't an authority, just
> a hint.)
>
> --lyndon
>
>

From marka at isc.org Wed Dec 1 21:57:40 2010
From: marka at isc.org (Mark Andrews)
Date: Thu, 02 Dec 2010 14:57:40 +1100
Subject: Blocking International DNS
In-Reply-To: Your message of "Wed, 01 Dec 2010 19:42:10 -0800."
References:
Message-ID: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org>

In message , "Lyndon Nerenberg (VE6BBM/VE7TFX)" writes:
> > Also, who you will really trust to run it ?
>
> The UUCP network chugged along quite nicely for many years without any
> central authority. (Pathalias and the maps weren't an authority, just
> a hint.)

And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS.

> --lyndon

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From drc at virtualized.org Wed Dec 1 22:19:45 2010
From: drc at virtualized.org (David Conrad)
Date: Wed, 1 Dec 2010 18:19:45 -1000
Subject: Blocking International DNS
In-Reply-To: <03976E4A-6D24-48B5-8A98-B6B9160342C2@cs.columbia.edu>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <772A6AAF-DA7B-4A98-94F5-AA62222DB4AB@virtualized.org> <03976E4A-6D24-48B5-8A98-B6B9160342C2@cs.columbia.edu>
Message-ID:

Steve,

On Dec 1, 2010, at 3:35 PM, Steven Bellovin wrote:
>> Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
>>
> I think that the Pirate Bay announcement was triggered by
> http://www.npr.org/templates/story/story.php?storyId=131678432

Which is, of course, unrelated to ICANN (see http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/) and is a result of VeriSign following US law in the management of two of the top-level domains they operate.

> plus the COICA bill (http://www.eff.org/coica)

Yeah, COICA is a barrel of fun. As is LOPPSI-2 in France and the equivalent regulations in places like Sweden, Germany, etc.
However, my impression (but will admit not having looked into this very much) is that the guy from Pirate Bay is merely pissed off because he lost a UDRP complaint when he obtained the IFPI.COM domain after the International Federation of the Phonograph Industry let it expire, misunderstood (perhaps purposefully) what happened at VeriSign, and decided to capitalize on it.

> That said, I think the problem is primarily political, not technical.

Right, but that wasn't what I was questioning. I suspect that no matter what legal venue you put something as tasty as the "control of the DNS", there will be folks who will attempt to exercise that control for their own political purposes. Even internationalizing it doesn't seem to be a good idea to me (based on my impression of how politics get involved in places like the ITU). I'd love to see a non-hierarchical naming system that didn't suck more than the DNS, but as I said, it seems that's a very hard problem...

Regards,
-drc

From johnl at iecc.com Wed Dec 1 22:26:14 2010
From: johnl at iecc.com (John Levine)
Date: 2 Dec 2010 04:26:14 -0000
Subject: Blocking International DNS
In-Reply-To:
Message-ID: <20101202042614.58159.qmail@joyce.lan>

>the more i think about this, the more i am inclined to consider a second
>trusted root not (easily) attackable by the usg, who owns the root now,

This particular domain grab had nothing to do with the root or ICANN. If you look at the name servers and WHOIS of the domains that were seized, you can easily see that the USG served papers on Verisign, who did what the papers told them to, because they're the .COM registry. Anyone who registers a .COM really shouldn't be surprised to find out that Verisign is headquartered in California, and is 100% subject to US law, not to mention still having a side agreement with DoC about .COM due to its history.
For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. If you want a USG-proof domain, use a ccTLD.

I am somewhat more concerned about the possibility that the government would have a mandatory do-not-resolve list for networks in the US. That would be unlikely to stand up in court, viz. the quick failure of the Pennsylvania child porn IP blacklist, but the process would be painful while it unfolded.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

From randy at psg.com Wed Dec 1 22:53:00 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 02 Dec 2010 13:53:00 +0900
Subject: Blocking International DNS
In-Reply-To: <20101202042614.58159.qmail@joyce.lan>
References: <20101202042614.58159.qmail@joyce.lan>
Message-ID:

> For several decades the USG has made it crystal clear that they do
> not mess with ccTLDs, not even ones for countries they don't like
> such as .CU and .IR.

possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds.

randy

From jeffrey.lyon at blacklotus.net Wed Dec 1 22:58:59 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Wed, 1 Dec 2010 23:58:59 -0500
Subject: Blocking International DNS
In-Reply-To:
References: <20101202042614.58159.qmail@joyce.lan>
Message-ID:

Randy,

Can you cite specific examples of USG interfering with ccTLDs?

Jeff

On Wed, Dec 1, 2010 at 11:53 PM, Randy Bush wrote:
>> For several decades the USG has made it crystal clear that they do
>> not mess with ccTLDs, not even ones for countries they don't like
>> such as .CU and .IR.
>
> possibly clear to you. the factual experience is that this statement is
> patently false to those dealing with those particular cctlds.
>
> randy
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From randy at psg.com Wed Dec 1 23:01:33 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 02 Dec 2010 14:01:33 +0900
Subject: Blocking International DNS
In-Reply-To:
References: <20101202042614.58159.qmail@joyce.lan>
Message-ID:

> Can you cite specific examples of USG interfering with ccTLDs?
>>> For several decades the USG has made it crystal clear that they do
>>> not mess with ccTLDs, not even ones for countries they don't like
>>> such as .CU and .IR.
>> possibly clear to you. the factual experience is that this statement is
>> patently false to those dealing with those particular cctlds.

i am not at liberty to do so. but, for a clue

    % dig +short cu. ns
    ns.ceniai.net.cu.
    ns-cu.ripe.net.
    ns.dns.br.
    rip.psg.com.        <<--
    ns2.gip.net.
    ns1.gip.net.
    ns2.ceniai.net.cu.

randy

---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?

From fergdawgster at gmail.com Wed Dec 1 23:40:01 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Wed, 1 Dec 2010 21:40:01 -0800
Subject: Trying to Make Sense of the Comcast/Level 3 Dispute
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Interesting article:

http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3
- -dispute

Considering the fact that I received an e-mail survey request today from Netflix (I am a subscriber) which, among other questions, asked if I ever did streaming of their services on the Internet, Wii, Live TV, etc. (I don't), as well as asked if I am a Comcast subscriber (I am), among other last-mile service provider options -- I just found the timing of all of this very "interesting".

FYI,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM9zEnq1pz9mNUZTMRAkZjAJ9hbP54xMUAuXKBM8XFbPlE1in2+gCgiW5m
K5IDw1Qo+Su6L0ySdb+kbLE=
=H1rb
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From frnkblk at iname.com Wed Dec 1 23:49:26 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 1 Dec 2010 23:49:26 -0600
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net>
Message-ID:

Makes me wonder if Level3's contract with Netflix has certain performance requirements that would preclude Level3 sending Netflix traffic to Comcast the long way around.

http://seekingalpha.com/article/235645-akamai-to-lose-netflix-as-a-customer-level-3-and-limelight-pick-up-the-business

If there is one thing Netflix is good at, probably the best in the industry, it's measuring the quality of their streaming. They constantly send out emails asking customers to rank the quality of the video they just watched and they have so much data on what works and what doesn't. So when they choose one provider over another, they really have the data to back it up.

George Ou touches on a similar point at the end of his article:
http://www.digitalsociety.org/2010/11/level-3-outbid-akamai-on-netflix-by-reselling-stolen-bandwidth/

Frank

-----Original Message-----
From: Ryan Finnesey [mailto:ryan.finnesey at HarrierInvestments.com]
Sent: Tuesday, November 30, 2010 5:54 AM
To: Thomas Donnelly; Rettke, Brian; Patrick W.
Gilmore; NANOG list; Guerra, Ruben
Subject: RE: Level 3 Communications Issues Statement Concerning Comcast's Actions

It may have something to do with that Level3 is now hosting all the streaming content for Netflix.

Cheers
Ryan

-----Original Message-----
From: Thomas Donnelly [mailto:tad1214 at gmail.com]
Sent: Monday, November 29, 2010 5:52 PM
To: Rettke, Brian; Patrick W. Gilmore; NANOG list; Guerra, Ruben
Subject: Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

"On November 19, 2010, Comcast informed Level 3 that, for the first time, it will demand a recurring fee from Level 3 to transmit Internet online movies and other content to Comcast's customers who request such content."

If the issue is bandwidth, then why not charge for bandwidth? Picking a specific service says we are trying to squash the competition.

On Mon, 29 Nov 2010 16:48:06 -0600, Guerra, Ruben wrote:

> I'd have to agree with Brian. There is no simple answer to this one...
> If the ultimate cause is the abuse of bandwidth, I can understand
> this... BUT if the underlying motive is to squash competition then
> shame on you!
>
>
>
> -----Original Message-----
> From: Rettke, Brian [mailto:Brian.Rettke at cableone.biz]
> Sent: Monday, November 29, 2010 4:41 PM
> To: Patrick W. Gilmore; NANOG list
> Subject: RE: Level 3 Communications Issues Statement Concerning
> Comcast's Actions
>
> Essentially, the question is who has to pay for the infrastructure to
> support the bandwidth requirements of all of these new and booming
> streaming ventures. I can understand both the side taken by Comcast, and
> the side of the content provider, but I don't think it's as simple as
> the slogans spewed out regarding "Net Neutrality", which has become so
> misused and abused as a term that I don't think it has any credulous
> value remaining.
>
> I'm hoping that there is an eventual meeting of the minds wherein some
> sort of collaboration takes place. If this gets additional government
> regulations I fear no one will like the result.
>
> Sincerely,
>
> Brian A. Rettke
> RHCT, CCDP, CCNP, CCIP
> Network Engineer, CableONE Internet Services
>
> -----Original Message-----
> From: Patrick W. Gilmore [mailto:patrick at ianai.net]
> Sent: Monday, November 29, 2010 3:28 PM
> To: NANOG list
> Subject: Level 3 Communications Issues Statement Concerning Comcast's
> Actions
>
>
>
> I understand that politics is off-topic, but this policy affects
> operational aspects of the 'Net.
>
> Just to be clear, L3 is saying content providers should not have to pay
> to deliver content to broadband providers who have their own product
> which has content as well. I am certain all the content providers on
> this list are happy to hear L3's change of heart and will be applying
> for settlement free peering tomorrow. (L3 wouldn't want other providers
> to claim the Vyvx or CDN or other content services provided by L3 are
> competing and L3 is putting up a "toll booth" on the Internet, would
> they?)
>
> --
> TTFN,
> patrick
>
>
>

--
Using Opera's revolutionary email client: http://www.opera.com/mail/

From morrowc.lists at gmail.com Thu Dec 2 00:15:51 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 2 Dec 2010 01:15:51 -0500
Subject: Trying to Make Sense of the Comcast/Level 3 Dispute
In-Reply-To:
References:
Message-ID:

On Thu, Dec 2, 2010 at 12:40 AM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Interesting article:
>
> http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3
> - -dispute
>
> Considering the fact that I received an e-mail survey request today from
> Netflix (I am a subscriber) which, among other questions, asked if I ever
> did streaming of their services on the Internet, Wii, Live TV, etc.
> (I
> don't), as well as asked if I am a Comcast subscriber (I am), among other
> last-mile service provider options -- I just found the timing of all of
> this very "interesting".

I suppose this is all just a smoke screen to force one/both sides to upgrade inter-links before the l3/flix cdn contract goes whole hog. A stalling tactic and one to push buttons (political/PR buttons) raising the stakes/pushing timing up on installs... is interesting though.

-chris

From mysidia at gmail.com Thu Dec 2 04:15:04 2010
From: mysidia at gmail.com (James Hess)
Date: Thu, 2 Dec 2010 04:15:04 -0600
Subject: FUD: 15% of world's internet traffic hijacked
In-Reply-To:
References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org>
Message-ID:

On Wed, Dec 1, 2010 at 5:42 PM, Brett Watson wrote:
> I'm not able to get my fingers or thumbs to randomly (seemingly)
> select approximately 15% of all prefixes, originate those, modify
> filters so I can do so, and also somehow divert it to another router
> that doesn't have the hijacked prefixes I'm announcing but rather
> forwards the source traffic on to its intended destination.

"What filters?" "We don't need any stinkin' filters"

Sometimes disasters such as an accidental hijacking might be the result of multiple different mistakes or errors that occurred at different times; separated by months or years, it can include design mistakes that were present all along, and the earlier mistakes might never have been detected until they catalyzed later mistakes. A device missing filters, a missing config entry to actually apply any filters, or a big hole in a filter set are some possibilities, where an operator would not need to make the same typo twice at a later date.

The redirection of packets to the eventual proper destination is not necessarily indicating anything intentional; perhaps packets reached a Chinese router that did not have the error, or that had the right filter set active.

So far, I saw nothing reported of sufficient detail to infer with high confidence either that it was by accident or that hijacking was not an accident; it seems you can proceed using either assumption without arriving at probable inconsistency or logical contradiction. "We don't know for sure if the hijacking was accidental or not" seems a valid answer.

--
-JH

From harris.hui at hk1.ibm.com Thu Dec 2 04:33:10 2010
From: harris.hui at hk1.ibm.com (Harris Hui)
Date: Thu, 2 Dec 2010 18:33:10 +0800
Subject: AT&T to Level 3 routing issue?
Message-ID:

Hi,

Is anyone using AT&T seeing the routing issue to Level3? We saw some issues with end users using AT&T as a service provider having issues reaching our upstream provider.

Thanks

Tracing route to 74.220.121.100 over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  9.126.177.132
  2     5 ms     5 ms     3 ms  9.182.248.14
  3     4 ms     3 ms     4 ms  9.182.229.20
  4     6 ms     3 ms     3 ms  9.64.194.210
  5     9 ms    11 ms    14 ms  9.64.194.253
  6    38 ms    34 ms    40 ms  9.64.193.214
  7    40 ms    35 ms    32 ms  9.64.193.179
  8    32 ms    32 ms    32 ms  9.182.211.22
  9    34 ms    33 ms    35 ms  9.124.118.4
 10    33 ms    32 ms    33 ms  122.248.182.2
 11   241 ms   169 ms   252 ms  122.248.176.50
 12  32.114.248.9  reports: Destination host unreachable.

NetRange:       32.0.0.0 - 32.255.255.255
CIDR:           32.0.0.0/8
OriginAS:
NetName:        ATT-32-0-0-0-A
NetHandle:      NET-32-0-0-0-1
Parent:
NetType:        Direct Allocation
NameServer:     NS.DE.PRSERV.NET
NameServer:     NS.UK.PRSERV.NET
NameServer:     NS.NL.PRSERV.NET
RegDate:        1990-05-30
Updated:        2009-06-19
Ref:            http://whois.arin.net/rest/net/NET-32-0-0-0-1

OrgName:        AT&T Global Network Services, LLC
OrgId:          ATGS
Address:        3200 Lake Emma Road
City:           Lake Mary
StateProv:      FL
PostalCode:     32746
Country:        US
RegDate:
Updated:        2009-05-04
Ref:            http://whois.arin.net/rest/org/ATGS

From brunner at nic-naa.net Thu Dec 2 06:30:47 2010
From: brunner at nic-naa.net (Eric Brunner-Williams)
Date: Thu, 02 Dec 2010 07:30:47 -0500
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID: <4CF79177.1060505@nic-naa.net>

> ICANN is not the problem. It is itself a problem because over the
> years instead of being a technical coordinator for names and numbers
> became the playground and clearinghouse for IP (Intellectual Property)
> groups, all sorts of color, sizes and shapes of attorneys milking from
> the "DNS ecosystem" and Internet Governance wanna be politiks.

there were two other proposals for the structure of the new entity. ira's left verisign with a great deal of control over outcomes, a situation that continues to the present day. we've no data on how either of the other forms would have functioned, or would function now.
-e

From brunner at nic-naa.net Thu Dec 2 06:53:49 2010
From: brunner at nic-naa.net (Eric Brunner-Williams)
Date: Thu, 02 Dec 2010 07:53:49 -0500
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv>
Message-ID: <4CF796DD.5060909@nic-naa.net>

> Also while different segments may have some level of participation
> (including folks that claim they represent the users which they do
> not) by design ICANN is a membership less organization so the multi
> stake holder model is a lie and the bottom up process when the bottom
> does not have the same level of resources to participate as some of
> the big corp/lobby groups, ends being a fiasco.

the dissolution of the protocol supporting organization in december 2002 removed it as an entity contributing voting seats to the icann board. the advisory role survived in the technical liaison group, now the target of a proposal that could eliminate it too as an entity contributing non-voting seats to the icann board [1].

and as i've pointed out previously, no later than icann-10, in montevideo, no isp, nsp, asp, ... operational interests were present in the "internet service provider constituency", only the trademark interests of the participating operators, e.g., verizon.

some responsibility for the non-effectiveness, even of the public-private-multi-stakeholder-bottom-up-consensus-driven model chosen for the new entity, goes to the industry actors which either withdrew their participation, or limited their participation to non-operational, non-technical participation.

btw, i spent quite a bit of my time with the berkman center researchers working on accountability and transparency on just the issue of how users can be represented and i think it a hard problem.

-e

[1] http://icann.org/en/public-comment/#tlg-review-2010

From carlosm3011 at gmail.com Thu Dec 2 07:46:17 2010
From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo)
Date: Thu, 2 Dec 2010 11:46:17 -0200
Subject: [NANOG-announce] Reminder: Today is the last day to register for NANOG 51 at the early bird rate
In-Reply-To:
References:
Message-ID:

Thou shall not spit your DB structure to the wolves...

On Wed, Dec 1, 2010 at 1:57 AM, Jon Lewis wrote:
> On Tue, 30 Nov 2010, David Meyer wrote:
>
>> Register today to get the early bird rate.
>>
>> Looking forward to seeing you in Miami.
>
> I just tried (to take advantage of the early-bird rate) and it looks like
> the registration code is busted.
>
> Internal Server Error
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> Please contact the server administrator, www at merit.edu and inform them of
> the time the error occurred, and anything you might have done that may have
> caused the error.
>
> [17270]ERR: 32: Warning in Perl code: DBD::Oracle::db do failed: ORA-00001:
> unique constraint (NANOG.SYS_C00319811) violated (DBD ERROR: OCIStmtExecute)
> [for Statement "
>     insert into attendee (
>     attendee_id,
>     attendee_username,
>     attendee_password,
>     attendee_email
>     ) values (
>     attendee_seq.nextval,
>     ?, ?, ?
>     )
>     "] at
> /afs/merit.net/infotech/www/nanog/secdocs/registration/username.epl line 54.
> [17270]ERR: 24: Error in Perl code: DBD::Oracle::db do failed: ORA-00001:
> unique constraint (NANOG.SYS_C00319811) violated (DBD ERROR: OCIStmtExecute)
> [for Statement "
>     insert into attendee (
>     attendee_id,
>     attendee_username,
>     attendee_password,
>     attendee_email
>     ) values (
>     attendee_seq.nextval,
>     ?, ?, ?
>     )
>     "] at
> /afs/merit.net/infotech/www/nanog/secdocs/registration/username.epl line 54.
>
> Apache/2.2.14 (Unix) Embperl/2.3.0 mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5
> PHP/5.2.12 mod_perl/2.0.4 Perl/v5.10.0 [Tue Nov 30 22:51:44 2010]
>
> I tried several variations of username and email address just in case either
> was already in the database from when I last attended a NANOG in Miami. It
> made no difference. Can we extend the early-bird rate until the web site is
> fixed such that people can actually create a username in order to sign up?
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>

--
--
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.name
=========================

From william.allen.simpson at gmail.com Thu Dec 2 08:04:47 2010
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Thu, 02 Dec 2010 09:04:47 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To:
References:
Message-ID: <4CF7A77F.30507@gmail.com>

On 12/1/10 8:47 PM, William Herrin wrote:
> "Dual agency is not legal in all 50 states."
>
> Kinda the opposite of the monopoly/duopoly ISP who doesn't seek your
> permission in dealing with anyone else.
>
> Finally, realize that in both cases (real estate agent and apartment
> broker) you're dealing with a competitive negotiated process. The law
> allows -many- things in negotiated contracts that are flat illegal in
> the contracts of adhesion typically offered to the residential
> Internet buyer.
>
I was going to reply to Derek, but William beat me to it. Excellent post.
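The registration error Jon Lewis quoted in the NANOG 51 thread above handed the browser the full INSERT statement, the name of the violated constraint and the server-side path of the Embperl page, which is the point of Carlos's "spit your DB structure to the wolves" remark. As an added example (mine, not Merit's registration code or anything posted in that thread), here is the same duplicate-username case handled two ways: the leaky pattern that echoes the driver's exception to the client, and a handler that treats the unique-constraint violation as an expected business-rule failure and logs everything else server-side under a reference id. sqlite3 stands in for the Oracle database, the table and column names follow the quoted statement, and every other name (the functions, the reference id, the password hashing) is constructed for this example:

```python
"""
Added example, not code from the NANOG thread or Merit's site: handling a
duplicate-username INSERT without exposing schema or paths to the client.

sqlite3 stands in for Oracle; table and column names follow the statement
quoted in the thread (attendee_seq.nextval becomes AUTOINCREMENT here).
"""
import hashlib
import logging
import os
import sqlite3
import uuid

log = logging.getLogger("registration")

SCHEMA = """
CREATE TABLE attendee (
    attendee_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    attendee_username TEXT NOT NULL UNIQUE,   -- the constraint the thread tripped
    attendee_password TEXT NOT NULL,          -- a PBKDF2 hash, never the password
    attendee_email    TEXT NOT NULL
);
"""

INSERT = """
INSERT INTO attendee (attendee_username, attendee_password, attendee_email)
VALUES (?, ?, ?)
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with the constructed attendee table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def register_leaky(db, username, password, email):
    """The pattern behind the quoted page: the driver's message and the
    statement go straight back to the user. Returns (status, body)."""
    try:
        db.execute(INSERT, (username, hash_password(password), email))
        db.commit()
        return 200, "Account created"
    except sqlite3.Error as exc:
        return 500, f"Internal Server Error: {exc} [for Statement {INSERT.strip()!r}]"


def register_safe(db, username, password, email):
    """Same insert; a duplicate username is an expected outcome with its own
    message, any other database failure is logged and referenced by id."""
    try:
        db.execute(INSERT, (username, hash_password(password), email))
        db.commit()
        return 200, "Account created"
    except sqlite3.IntegrityError:
        # Expected business-rule failure: say nothing about the schema.
        return 409, "That username is not available; please choose another."
    except sqlite3.Error as exc:
        # Unexpected failure: full detail stays in the server log, keyed by a
        # reference id the user can quote to the administrator.
        ref = uuid.uuid4().hex[:8]
        log.error("registration failed ref=%s error=%r statement=%r", ref, exc, INSERT)
        return 500, f"Registration failed (reference {ref}); please contact the administrator."


def leaks_schema(body: str) -> bool:
    """Crude check for the kinds of detail the quoted error exposed."""
    markers = ("attendee", "constraint", "insert into", ".epl")
    lowered = body.lower()
    return any(marker in lowered for marker in markers)


if __name__ == "__main__":
    conn = open_db()
    print(register_safe(conn, "jlewis", "correct horse", "jlewis@example.net"))
    print(register_safe(conn, "jlewis", "correct horse", "jlewis@example.net"))
    print(register_leaky(conn, "jlewis", "correct horse", "jlewis@example.net"))
```

Run stand-alone it prints a 200, then a 409 with no schema detail, then the 500 that names the table, the constraint and the statement. The reference-id pattern is what lets the "please contact the server administrator" boilerplate in the quoted page actually work without the page having to carry the stack trace itself.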
From william.allen.simpson at gmail.com Thu Dec 2 08:28:18 2010
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Thu, 02 Dec 2010 09:28:18 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net>
Message-ID: <4CF7AD02.4030106@gmail.com>

[Changed long CC list to BCC]

On 12/2/10 12:49 AM, Frank Bulk wrote:
> George Ou touches on a similar point at the end of his article:
> http://www.digitalsociety.org/2010/11/level-3-outbid-akamai-on-netflix-by-re
> selling-stolen-bandwidth/
>
The Ou article makes no sense at all! It's based on the premise that Level 3 and Comcast are peering, and that traffic should be symmetric. Everywhere else, the articles and pundits indicate that Comcast is a transit customer of Level 3. All actual network operators know that traffic isn't symmetric!

Ou's hit piece reads more like a pseudo-libertarian rant. In fact, other Ou posts listed there have titles that read like an ultra-conservative cum social-conservative rant:

* Wrong On The Internet - Another Net Neutrality "violation" debunked
* Why Viacom and others justified in blocking Google TV
* Wrong On The Internet - Genachowski pushing ahead with Net Neutrality during lame duck
* Google hypocrisy on content blocking
* Hijacking the Internet is trivial today

You have to consider the source. If Ou doesn't understand contracts, peering, and/or transit, just take his posts with a grain of salt.

From andyring at inebraska.com Thu Dec 2 09:50:57 2010
From: andyring at inebraska.com (Andy Ringsmuth)
Date: Thu, 2 Dec 2010 09:50:57 -0600
Subject: Anyone here from CSX Transportation?
Message-ID: <786584D4-5473-4714-A1C6-801FE18D8D67@inebraska.com>

Having an issue with our mail being rejected on account of Microsoft Exchange security policies that I'd like to get resolved.

---
Andy Ringsmuth
andyring at inebraska.com

From zeusdadog at gmail.com Thu Dec 2 09:58:52 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Thu, 2 Dec 2010 10:58:52 -0500
Subject: Want to move to all 208V for server racks
Message-ID:

I really want to move all newly installed internal and customer racks over to all 208v power instead of 120v. As far as I can remember, I can't remember any server/switch/router or any other equipment that didn't run on 208v AC. (Other than you may need a different cable) Anyone have any experience where some oddball equipment that couldn't do 208v and regret going 208v? We won't have any TDM or SONET equipment, all Ethernet switches, routers and servers. I have control over internal equipment but sometimes customers surprise you.

From lowen at pari.edu Thu Dec 2 10:02:35 2010
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 2 Dec 2010 11:02:35 -0500
Subject: Blocking International DNS
In-Reply-To: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org>
References:
Message-ID: <201012021102.35556.lowen@pari.edu>

On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote:
> And there would have been total confusion if there had been multiple
> uunet's and a few other well known nodes. UUCP had anchor points.
> Just different ones to the DNS.

Yeah, and with virtually everyone's bangpaths starting with uunet or one of those other anchors (I seem to remember bangpaths starting at kremvax, but perhaps I'm senile...), it's still a hierarchy. I had a site in the maps years ago, and even had 'registered' a pseudo '.uucp' domain.... remember those?

That said, it did work pretty well. SMTP and direct MX was supposed to make all that go away, and now we're talking about it again. Do I need to go back to using smail 2.5 to do mail routing? :-)

Web browsing using uucico was rather, uh, interesting (but doable, thanks to the virtually text-only web at the time, and that assumed the target node/server was online at that time). Not really scalable to broadband, as part of the blockability issue is IP and IP routing hijackability (to coin a contrived phrase).

It was a different world, especially on the user side. If you had multiple dialin accounts under the uucp system you could very easily bypass many blocks simply using dialup; but dialup is just too slow for today's content.

From bill at herrin.us Thu Dec 2 10:18:56 2010
From: bill at herrin.us (William Herrin)
Date: Thu, 2 Dec 2010 11:18:56 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

On Thu, Dec 2, 2010 at 10:58 AM, Jay Nakamura wrote:
> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v. As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.

Hi Jay,

Pretty much any little oddball piece of equipment with an external power brick is at risk. The hundred buck ethernet-based USB extender was my particular lesson.

If you're talking about paying customers who bring in their own equipment, you'll run in to this a *lot*.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ......................
Web:
Falls Church, VA 22042-3004

From randy at psg.com Thu Dec 2 10:19:33 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 03 Dec 2010 01:19:33 +0900
Subject: Blocking International DNS
In-Reply-To: <201012021102.35556.lowen@pari.edu>
References: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org> <201012021102.35556.lowen@pari.edu>
Message-ID:

> On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote:
>> And there would have been total confusion if there had been multiple
>> uunet's and a few other well known nodes. UUCP had anchor points.
>> Just different ones to the DNS.
> Yeah, and with virtually everyone's bangpaths starting with uunet or
> one of those other anchors (I seem to remember bangpaths starting at
> kremvax, but perhaps I'm senile...), it's still a hierarchy.

boy, you folk sure remember a different uucp network than i do.

randy

From if at xip.at Thu Dec 2 10:22:32 2010
From: if at xip.at (Ingo Flaschberger)
Date: Thu, 2 Dec 2010 17:22:32 +0100 (CET)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

Dear Jay,

> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v. As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.

you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz)

you will need to check each device if it supports 240V, commonly the specified power ratings are printed at a sticker on the device itself.

Kind regards,
Ingo Flaschberger

From bicknell at ufp.org Thu Dec 2 10:25:37 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 2 Dec 2010 08:25:37 -0800
Subject: Trying to Make Sense of the Comcast/Level 3 Dispute
In-Reply-To:
References:
Message-ID: <20101202162537.GA15817@ussenterprise.ufp.org>

In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote:
> Considering the fact that I received an e-mail survey request today from
> Netflix (I am a subscriber) which, among other questions, asked if I ever
> did streaming of their services on the Internet, Wii, Live TV, etc. (I
> don't), as well as asked if I am a Comcast subscriber (I am), among other
> last-mile service provider options -- I just found the timing of all of
> this very "interesting".

Unfortunately Netflix's state of mind, if you will, is something we can't derive from the routing tables. They might have gone into this hand in hand with Level 3, wanting to make a point to Comcast/The FCC/The Public about something. On the other hand, Level 3 might have told them things were just peachy with Comcast and they could easily handle this traffic and Netflix got sold a pig in a poke. If so, they could be rather unhappy that their new CDN partner is dragging them into this mess before they even turn up.

But I have to wonder, why ask if you are on Comcast? It's not hard to identify all of Comcast's IP space from the routing table, and they know the endpoint of every stream they serve. They have perfect data from their servers, why use error prone data from a survey?

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From harris.hui at hk1.ibm.com Thu Dec 2 10:28:00 2010
From: harris.hui at hk1.ibm.com (Harris Hui)
Date: Fri, 3 Dec 2010 00:28:00 +0800
Subject: AT&T routing issues at 32.114.248.9 in Middletown US
Message-ID:

Hi,

Can anyone from AT&T contact me off the list? We experienced a routing issue from 09:07 GMT to 10:18 GMT. The traffic to our subnet was stopped at one of the AT&T routers, 32.114.248.9 in Middletown, US.

Tracing route to 74.220.121.100 over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  9.126.177.132
  2     5 ms     5 ms     3 ms  9.182.248.14
  3     4 ms     3 ms     4 ms  9.182.229.20
  4     6 ms     3 ms     3 ms  9.64.194.210
  5     9 ms    11 ms    14 ms  9.64.194.253
  6    38 ms    34 ms    40 ms  9.64.193.214
  7    40 ms    35 ms    32 ms  9.64.193.179
  8    32 ms    32 ms    32 ms  9.182.211.22
  9    34 ms    33 ms    35 ms  9.124.118.4
 10    33 ms    32 ms    33 ms  122.248.182.2
 11   241 ms   169 ms   252 ms  122.248.176.50
 12  32.114.248.9  reports: Destination host unreachable.

From dhubbard at dino.hostasaurus.com Thu Dec 2 10:29:08 2010
From: dhubbard at dino.hostasaurus.com (David Hubbard)
Date: Thu, 2 Dec 2010 11:29:08 -0500
Subject: Want to move to all 208V for server racks
Message-ID:

We have run into some reasonably recent flat panel LCDs not running on 208v; we began having our colo build the new cages we order with 208v a few years ago and then found we couldn't use one of our crash carts in the newer cages until we replaced the monitor. If you're doing colo, some customers may have rack mounted LCD panels that could be an issue. And this was not a power brick monitor, straight plug.

David

> -----Original Message-----
> From: Jay Nakamura [mailto:zeusdadog at gmail.com]
> Sent: Thursday, December 02, 2010 10:59 AM
> To: NANOG
> Subject: Want to move to all 208V for server racks
>
> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v.
> As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.
>
>
>

From zeusdadog at gmail.com Thu Dec 2 10:30:45 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Thu, 2 Dec 2010 11:30:45 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz)

In US, I think everything is 60Hz. But I mean 208v single phase. (Which is what you get when you combine two 120v single phase legs out of three phase, I believe. I am not an expert on AC...)

> you will need to check each device if it supports 240V, commonly the
> specified power ratings are printed at a sticker on the device itself.

I have even been looking at USB HD AC adapters and all other odd ball equipment and I always see the label say "100~240v AC". Dell's old rack mount monitor/KB from 5 years ago even supports 208v (Just wrong connector.)

From jra at baylink.com Thu Dec 2 10:32:16 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 11:32:16 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
Message-ID: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com>

No, I'm pretty sure he means "across the 2 high legs of a 120/208 3ph Wye service", and I'd never heard that idea suggested before. I can see why it reduces the amount of copper you need to run, but it seems as if it would have compensating disadvantages, though I can't think precisely what they might be at the moment.

-- jra

----- Original Message -----
> From: "Ingo Flaschberger"
> To: "Jay Nakamura"
> Cc: "NANOG"
> Sent: Thursday, December 2, 2010 11:22:32 AM
> Subject: Re: Want to move to all 208V for server racks

> Dear Jay,
>
> > I really want to move all newly installed internal and customer
> > racks
> > over to all 208v power instead of 120v. As far as I can remember, I
> > can't remember any server/switch/router or any other equipment that
> > didn't run on 208v AC. (Other than you may need a different cable)
> > Anyone have any experience where some oddball equipment that
> > couldn't
> > do 208v and regret going 208v? We won't have any TDM or SONET
> > equipment, all Ethernet switches, routers and servers. I have
> > control
> > over internal equipment but sometimes customers surprise you.
>
> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz)
>
> you will need to check each device if it supports 240V, commonly the
> specified power ratings are printed at a sticker on the device
> itself.
>
> Kind regards,
> Ingo Flaschberger

From jakari at bithose.com Thu Dec 2 10:35:34 2010
From: jakari at bithose.com (Jameel Akari)
Date: Thu, 2 Dec 2010 11:35:34 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

On Thu, 2 Dec 2010, Ingo Flaschberger wrote:

>> I really want to move all newly installed internal and customer racks
>> over to all 208v power instead of 120v. As far as I can remember, I
>> can't remember any server/switch/router or any other equipment that
>> didn't run on 208v AC. (Other than you may need a different cable)
>> Anyone have any experience where some oddball equipment that couldn't
>> do 208v and regret going 208v? We won't have any TDM or SONET
>> equipment, all Ethernet switches, routers and servers. I have control
>> over internal equipment but sometimes customers surprise you.
>
> you mean 240V AC 50HZ and move from 120V 60Hz?
(or also 50Hz) Probably not; 208V AC here in the US comes from 3-phase distribution systems and is relatively common in datacenters, as well as other commercial and industrial settings. What we've done is to install one 120V, 15A circuit per rack along with the 2x or 4x 208V 30A circuits. There are too many oddball and/or just plain old devices out there to go totally without. Like another commenter mentioned, the prime offenders these days are devices with external power bricks or wall-warts; oftentimes they only have NEMA 5-15 plugs so at least there won't be temptation to stick them in 208V receptacles. Assuming you go with IEC C-13 or C-19 receptacles for those 208V circuits, that is. Just be careful on older non-autosensing power supplies where you have to flip a switch to go from 100-120V to 200-240V input, in that you make sure to flip them to begin with, and that you flip them back should you ever move them back to a 120V circuit. -- Jameel Akari From jmamodio at gmail.com Thu Dec 2 10:37:01 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Thu, 2 Dec 2010 10:37:01 -0600 Subject: Blocking International DNS In-Reply-To: References: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org> <201012021102.35556.lowen@pari.edu> Message-ID: > boy, you folk sure remember a different uucp network than i do.
Backbone Map from 1984 /-----------------------------\ | | | mcvax------------philabs | | / / | | tektronix-----------------decvax------------linus | | | \ | | | | | uw-beaver | | | | | | | | | | | ubc-vision seismo--harpo---ulysses | | | | | | | | | | | | alberta-------(-----ihnp4 hou3c | | | | | | | | | | | | we13----burl utzoo | | | | | | | | hplabs-------------hao clyde----watmath | | | | | | sdcrdcf---sdcsvax-----------------akgua----------mcnc-----/ pre uunet, we connected to seismo Jorge From sethm at rollernet.us Thu Dec 2 10:38:22 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 02 Dec 2010 08:38:22 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <4CF7CB7E.2010708@rollernet.us> On 12/2/10 8:30 AM, Jay Nakamura wrote: >> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz) > > In US, I think everything is 60Hz. But I mean 208v single phase. > (Which is what you get when you combine two 120v single phase legs out > of three phase, I believe. I am not an expert on AC...) Correct, a L-N connection will get you 120V, a L-L connection will get you 208V. Everything in the US is 60Hz. >> you will need to check each device if it supports 240V, commonly the >> specified power ratings are printed at a stricker on the device itself. > > I have even been looking at USB HD AC adapter and all other odd ball > equipment and I always see the label say "100~240v AC". Dell's old > rack mount monitor/KB from 5 years ago even supports 208v (Just wrong > connector.) > The vast majority of power adapters are switching these days and will run up to 240, it's when they have built in NEMA 1-15 or 5-15 prongs that you have to overcome. 
~Seth From owen at delong.com Thu Dec 2 10:38:35 2010 From: owen at delong.com (Owen DeLong) Date: Thu, 2 Dec 2010 08:38:35 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <84613374-5CD7-42C0-9326-35DD2FA7BA79@delong.com> On Dec 2, 2010, at 7:58 AM, Jay Nakamura wrote: > I really want to move all newly installed internal and customer racks > over to all 208v power instead of 120v. As far as I can remember, I > can't remember any server/switch/router or any other equipment that > didn't run on 208v AC. (Other than you may need a different cable) > Anyone have any experience where some oddball equipment that couldn't > do 208v and regret going 208v? We won't have any TDM or SONET > equipment, all Ethernet switches, routers and servers. I have control > over internal equipment but sometimes customers surprises you. I once had a cage that was all 220v. Wasn't an issue at all. Had two devices that required some effort to work around... 1. A small media converter. This was powered by a wall-wart style power supply that fed it 12v DC, but, the wall wart that shipped with it did not handle 220v. No regret, but, a quick trip to Fry's to buy a suitable universal wall-wart with 220v capability and problem solved. 2. Our cordless screwdriver charger would not accept 220v. Initially, we just plugged it into an outlet in the customer work area whenever we were at the datacenter. Long term solution, we bought one of those international transformers and hooked it up that way. I think we might have built some of our own adapter cables to deal with plug issues, but, it's pretty easy to build 3-wire pigtail converters and Home Despot has all the necessary supplies. 
Owen From bill at herrin.us Thu Dec 2 10:40:39 2010 From: bill at herrin.us (William Herrin) Date: Thu, 2 Dec 2010 11:40:39 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: On Thu, Dec 2, 2010 at 11:22 AM, Ingo Flaschberger wrote: >> I really want to move all newly installed internal and customer racks >> over to all 208v power instead of 120v. As far as I can remember, I >> can't remember any server/switch/router or any other equipment that >> didn't run on 208v AC. (Other than you may need a different cable) >> Anyone have any experience where some oddball equipment that couldn't >> do 208v and regret going 208v? We won't have any TDM or SONET >> equipment, all Ethernet switches, routers and servers. I have control >> over internal equipment but sometimes customers surprise you. > > you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz) > > you will need to check each device if it supports 240V, commonly the > specified power ratings are printed at a sticker on the device itself. Hi Ingo, 208 and 480, both at 60 Hz, are common three-phase voltages available in commercial buildings in North America. 208 is three hot conductors 120 degrees out of phase with each other, each 120 volts to common. 480 is the same but with 277 volts to common. 208 is often used with higher-wattage computing equipment while 480 is usually used for distribution on the input side of a large UPS and for lighting. Another thought for you Jay - if you deliver L21 series receptacles to the cabinet (5 wires) the customer can employ it as 120vac, 208vac or a mix as they choose, though you will have to facilitate plug converters for their PDUs. Also mixing on the same circuit complicates amperage estimating something fierce unless the use at one of the voltages is trivial. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ......................
Web: Falls Church, VA 22042-3004 From zeusdadog at gmail.com Thu Dec 2 10:43:17 2010 From: zeusdadog at gmail.com (Jay Nakamura) Date: Thu, 2 Dec 2010 11:43:17 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: To clarify, I was going to have 120v in the cage for temporary stuff like laptops, crash cart, etc. On Thu, Dec 2, 2010 at 11:29 AM, David Hubbard wrote: > We have run into some reasonably recent flat panel LCD's > not running on 208v; we began having our colo build the > new cages we order with 208v a few years ago and then > found we couldn't use one of our crash carts in the newer > cages until we replaced the monitor. If you're doing > colo, some customers may have rack mounted LCD panels > that could be an issue. And this was not a power brick > monitor, straight plug. > > David > >> -----Original Message----- >> From: Jay Nakamura [mailto:zeusdadog at gmail.com] >> Sent: Thursday, December 02, 2010 10:59 AM >> To: NANOG >> Subject: Want to move to all 208V for server racks >> >> I really want to move all newly installed internal and customer racks >> over to all 208v power instead of 120v. As far as I can remember, I >> can't remember any server/switch/router or any other equipment that >> didn't run on 208v AC. (Other than you may need a different cable) >> Anyone have any experience where some oddball equipment that couldn't >> do 208v and regret going 208v? We won't have any TDM or SONET >> equipment, all Ethernet switches, routers and servers. I have control >> over internal equipment but sometimes customers surprise you.
>> >> >> > > From bicknell at ufp.org Thu Dec 2 10:46:28 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 2 Dec 2010 08:46:28 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> Message-ID: <20101202164628.GA20227@ussenterprise.ufp.org> In a message written on Thu, Dec 02, 2010 at 11:32:16AM -0500, Jay Ashworth wrote: > No, I'm pretty sure he means "across the 2 high legs of a 120/208 3ph > Wye service", and I'd never heard that idea suggested before. I can see > why it reduces the amount of copper you need to run, but it seems as if > it would have compensating disadvantages, though I can't think precisely > what they might be at the moment. In most residential / small business construction in the US you will find "240V single phase with neutral". There are two hot wires and a neutral from the provider. Hot to hot is 240, hot to neutral is 120. Most colos run their back end plant (e.g. UPS's, Gensets, etc) on 480v 3-phase power. The typical way they get 120v power is to transform that to a 3-phase Y wired output, also known as 3-phase 4 wire. Each hot leg is 120v to the neutral (the fourth wire). You can run hot to hot here as well, where the voltage is 208v. The trick with 208v loads in this situation is you want to keep the load across each pair of phases roughly balanced. What can be particularly confusing here is the panels look exactly the same. The same physical panel layout your house gets with 2 phases in plus a neutral is now two of the three phases from the three phase power go in, plus a neutral. Same breakers are used, with hot to hot being 208 volt. The difference is, in the colo there are three of them:

A N B    B N C    C N A
| | |    | | |    | | |
Panel 1  Panel 2  Panel 3

With A, B, and C being the 3 phases, and N being the neutral.
You may also find this arrangement in larger multi-tenant buildings where they are fed with 3-phase power. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From stahr at mailbag.com Thu Dec 2 10:50:55 2010 From: stahr at mailbag.com (James Stahr) Date: Thu, 02 Dec 2010 10:50:55 -0600 Subject: AT&T to Level 3 routing issue? In-Reply-To: References: Message-ID: <20101202165103.A59A4A011@h-mailbag-msp-1.msp-coloc.binc.net> At 04:33 AM 12/2/2010, Harris Hui wrote: >Hi, > >Does anyone using AT&T seeing the routing issue to Level3? We saw some >issue with the end users using AT&T as a service provider having issue to >our upstream provider. Thanks > We saw issues with at&t last night as well. We called into Level3, but they "weren't aware of any issues". Not accepting that explanation for things, we eventually looked at Internet Health Report and saw a latency of 115ms and packet loss at 33% between at&t Chicago and Level 3 Detroit. So if anyone has more information, I'd appreciate it. thanks, -James From if at xip.at Thu Dec 2 10:52:30 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 2 Dec 2010 17:52:30 +0100 (CET) Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: Dear Jay, >> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz) > > In US, I think everything is 60Hz. But I mean 208v single phase. > (Which is what you get when you combine two 120v single phase legs out > of three phase, I believe. I am not an expert on AC...) I got the point. 120 * sqrt(3), phase to phase, three-phase current in European terms; >> you will need to check each device if it supports 240V, commonly the >> specified power ratings are printed at a sticker on the device itself.
> > I have even been looking at USB HD AC adapter and all other odd ball > equipment and I always see the label say "100~240v AC". Dell's old > rack mount monitor/KB from 5 years ago even supports 208v (Just wrong > connector.) What's the idea behind doing this? You will also need circuit breakers so that both phases are switched off simultaneously? Kind regards, Ingo Flaschberger From lowen at pari.edu Thu Dec 2 11:02:58 2010 From: lowen at pari.edu (Lamar Owen) Date: Thu, 2 Dec 2010 12:02:58 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <201012021202.58301.lowen@pari.edu> On Thursday, December 02, 2010 10:58:52 am Jay Nakamura wrote: > Anyone have any experience where some oddball equipment that couldn't > do 208v and regret going 208v? Wall wart supplies will need changing, more than likely. I have a few racks with 208V distribution (EMC 40U racks are built this way), and haven't run into many issues. But you do need to watch carefully, and whatever you do do not wire a 5-15R or 5-20R (or any other '5-' receptacle or 'L5-' receptacle) to 208; use the proper '6-' receptacles or IEC receptacles (as mentioned) for all 208 power. This is typically mandated by NEC in new installations, and the electrician doing the distribution should be familiar with the NEMA connector chart. See https://secure.wikimedia.org/wikipedia/en/wiki/NEMA_connector for more information on those connectors. Also, if your customers provide their own UPS equipment that could be an issue, as very few UPS I'm aware of are multi-voltage input (APC SmartUPS 3000 is what I use typically, and that by default needs an L5-30R). But if you provide a neutral with your 208 (using an L14 connector) you then can have mixed distribution with 120V available on 5-15R's but 208 receptacles for major power consumers in the rack.
That's what I've done in most of my racks that need 208 (like for 7609's and Cisco 12K), other than the EMC's, which use L6-30's for the rack input, and IEC receptacles for the devices in the rack. From randy at psg.com Thu Dec 2 11:07:49 2010 From: randy at psg.com (Randy Bush) Date: Fri, 03 Dec 2010 02:07:49 +0900 Subject: Blocking International DNS In-Reply-To: References: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org> <201012021102.35556.lowen@pari.edu> Message-ID: > /-----------------------------\ > | | > | mcvax------------philabs | > | / / | | > tektronix-----------------decvax------------linus | | > | \ | | | | > | uw-beaver | | | | > | | | | | | > | ubc-vision seismo--harpo---ulysses | | | > | | | | | | | | > | alberta-------(-----ihnp4 hou3c | | | > | | | | | | | > | | we13----burl utzoo | | > | | | | | | > hplabs-------------hao clyde----watmath | | > | | | | > sdcrdcf---sdcsvax-----------------akgua----------mcnc-----/ > > pre uunet, we connected to seismo [ why did jaap call this europe 1984 in his preso? ] and seismo kinda became uunet and oresoft was off tektronix. and m2xenix was off oresoft. and ... and unido was ... so, what's the point? the uucp network was pretty ad hoc and anarchic, aside from horrific phone bills. and anyone who thinks that the fidonet was not hierarchic is not taking their meds. 
randy From owen at delong.com Thu Dec 2 11:06:19 2010 From: owen at delong.com (Owen DeLong) Date: Thu, 2 Dec 2010 09:06:19 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <20101202164628.GA20227@ussenterprise.ufp.org> References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> Message-ID: <1411250A-38F8-4099-89D4-616D6633F218@delong.com> On Dec 2, 2010, at 8:46 AM, Leo Bicknell wrote: > In a message written on Thu, Dec 02, 2010 at 11:32:16AM -0500, Jay Ashworth wrote: >> No, I'm pretty sure he means "across the 2 high legs of a 120/208 3ph >> Wye service", and I'd never heard that idea suggested before. I can see >> why it reduces the amount of copper you need to run, but it seems as if >> it would have compensating disadvantages, though I can't think precisely >> what they might be at the moment. > > In most residential / small business construction in the US you > will find "240V single phase with neutral". There are two hot wires > and a neutral from the provider. Hot to hot is 240, hot to neutral > is 120. > > Most colos run their back end plant (e.g. UPS's, Gensets, etc) on > 480v 3-phase power. The typical way they get 120v power is to > transform that to a 3-phase Y wired output, also known as 3-phase > 4 wire. Each hot leg is 120v to the neutral (the fourth wire). > > You can run hot to hot here as well, where the voltage is 208v. > The trick with 208v loads in this situation is you want to keep the > load across each pair of phases roughly balanced. > > What can be particularly confusiong here is the panels look exactly > the same. The same physical panel layout your house gets with 2 > phases in plus a neutral is now two of the three phases from the > three phase power go in, plus a neutral. Same breakers are used, > with hot to hot being 208 volt. 
The difference is, in the colo > there are three of them: > > A N B B N C C N A > | | | | | | | | | > Panel 1 Panel 2 Panel 3 > > With A, B, and C being the 3 phases, and N being the neutral. > It is not uncommon for three-phase panels to be different and have all three phases in the panel each phase feeding every third breaker slot. Owen From brez at brezworks.com Thu Dec 2 11:09:35 2010 From: brez at brezworks.com (Jeremy Bresley) Date: Thu, 02 Dec 2010 11:09:35 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <4CF7D2CF.1030707@brezworks.com> On 12/2/2010 9:58 AM, Jay Nakamura wrote: > I really want to move all newly installed internal and customer racks > over to all 208v power instead of 120v. As far as I can remember, I > can't remember any server/switch/router or any other equipment that > didn't run on 208v AC. (Other than you may need a different cable) > Anyone have any experience where some oddball equipment that couldn't > do 208v and regret going 208v? We won't have any TDM or SONET > equipment, all Ethernet switches, routers and servers. I have control > over internal equipment but sometimes customers surprises you. > Biggest issue we see with people still needing 120V outlets is external modems for out of band access. Most of the time these modems are attached to the console of carrier managed routers. Or as others in the thread have mentioned, wall-warts for things like USB hard drives, low-end KVMs, etc often are NEMA 5-15P plugs hardwired to them. ASA5505s have this problem with the cable as well, but their power supplies will work on 208V with the necessary adapter. 
Jeremy From mark at noc.mainstreet.net Thu Dec 2 11:20:40 2010 From: mark at noc.mainstreet.net (Mark Kent) Date: Thu, 2 Dec 2010 09:20:40 -0800 (PST) Subject: Want to move to all 208V for server racks In-Reply-To: (nanog-request@nanog.org) References: Message-ID: <201012021720.oB2HKeiL017903@mainstreet.net> "Why do we install 120v instead of 208v?" was asked over a year ago either here or on cisco-nsp. It generated a long discussion, but it should have been cut short as early in the thread someone said all that had to be said: "because we are idiots." -mark From if at xip.at Thu Dec 2 11:26:46 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 2 Dec 2010 18:26:46 +0100 (CET) Subject: Blocking International DNS In-Reply-To: References: <20101202035740.7CE9C73F7AE@drugs.dv.isc.org> <201012021102.35556.lowen@pari.edu> Message-ID: > and anyone who thinks that the fidonet was not hierarchic is not taking > their meds. yes, the bad bad node ops :) bye, Ingo From streiner at cluebyfour.org Thu Dec 2 11:27:14 2010 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 2 Dec 2010 12:27:14 -0500 (EST) Subject: Want to move to all 208V for server racks In-Reply-To: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, 2 Dec 2010, Jay Ashworth wrote: > No, I'm pretty sure he means "across the 2 high legs of a 120/208 3ph > Wye service", and I'd never heard that idea suggested before. I can see > why it reduces the amount of copper you need to run, but it seems as if > it would have compensating disadvantages, though I can't think precisely > what they might be at the moment. The only ones I can think of are relatively modest, such as needing 2-pole breakers or a pair of ganged single-pole breakers for each circuit, so a panelboard would only be able to support half as many 208V circuits as 120V circuits. 
That could translate into needing more panelboards, more/larger switchgear to feed those panelboards, etc, but you can plan for this up-front easily enough if this is new construction or a re-fit of an existing space. The panelboards we put in our DR site last year are quite large, so we have some room to grow, and since we also used 3-phase PDUs with both 120V and 208V receptacles, there are fewer individual circuits going out to each cabinet. jms > ----- Original Message ----- >> From: "Ingo Flaschberger" >> To: "Jay Nakamura" >> Cc: "NANOG" >> Sent: Thursday, December 2, 2010 11:22:32 AM >> Subject: Re: Want to move to all 208V for server racks >> Dear Jay, >> >> >>> I really want to move all newly installed internal and customer >>> racks >>> over to all 208v power instead of 120v. As far as I can remember, I >>> can't remember any server/switch/router or any other equipment that >>> didn't run on 208v AC. (Other than you may need a different cable) >>> Anyone have any experience where some oddball equipment that >>> couldn't >>> do 208v and regret going 208v? We won't have any TDM or SONET >>> equipment, all Ethernet switches, routers and servers. I have >>> control >>> over internal equipment but sometimes customers surprise you. >> >> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz) >> >> you will need to check each device if it supports 240V, commonly the >> specified power ratings are printed at a sticker on the device >> itself. >> >> Kind regards, >> Ingo Flaschberger > > From if at xip.at Thu Dec 2 11:28:11 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 2 Dec 2010 18:28:11 +0100 (CET) Subject: Want to move to all 208V for server racks In-Reply-To: <201012021720.oB2HKeiL017903@mainstreet.net> References: <201012021720.oB2HKeiL017903@mainstreet.net> Message-ID: > "Why do we install 120v instead of 208v?" was asked over a year ago > either here or on cisco-nsp.
It generated a long discussion, but it > should have been cut short as early in the thread someone said > all that had to be said: "because we are idiots." *GG* good old Europe From sethm at rollernet.us Thu Dec 2 11:36:28 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 02 Dec 2010 09:36:28 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <201012021720.oB2HKeiL017903@mainstreet.net> References: <201012021720.oB2HKeiL017903@mainstreet.net> Message-ID: <4CF7D91C.2000100@rollernet.us> On 12/2/10 9:20 AM, Mark Kent wrote: > "Why do we install 120v instead of 208v?" was asked over a year ago > either here or on cisco-nsp. It generated a long discussion, but it > should have been cut short as early in the thread someone said > all that had to be said: "because we are idiots." > This one? http://www.merit.edu/mail.archives/nanog/2009-05/msg00649.html ~Seth From sethm at rollernet.us Thu Dec 2 11:43:36 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 02 Dec 2010 09:43:36 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <4CF7DAC8.7010905@rollernet.us> On 12/2/10 8:35 AM, Jameel Akari wrote: > > Just be careful on older non-autosensing power supplies where you have > to flip a switch to go from 100-120V to 200-240V input, in that you make > sure to flip them to begin with, and that you flip them back should you > ever move them back to a 120V circuit. > Been there, done that with my nagios box when I had to replace a fan years ago. The build table was 120V so I flipped the switch and forgot to flip it back. It actually booted for about 5 seconds before things inside the PSU started exploding and spewing magic smoke. Scared the daylights out of me. No damage other than requiring a new PSU.
~Seth From toasty at dragondata.com Thu Dec 2 11:51:42 2010 From: toasty at dragondata.com (Kevin Day) Date: Thu, 2 Dec 2010 11:51:42 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: <1411250A-38F8-4099-89D4-616D6633F218@delong.com> References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> Message-ID: On Dec 2, 2010, at 11:06 AM, Owen DeLong wrote: > It is not uncommon for three-phase panels to be different and have > all three phases in the panel each phase feeding every third breaker > slot. I was just recently trying to explain this to a European friend who thought I was hallucinating this system, so I took a picture. http://dl.dropbox.com/u/230717/temp/208YPanel.jpg That's a picture of one of the breaker boxes in our office, showing what you described. There are 3 phases coming into the panel, each a different coil off a Y transformer, as well as a "neutral". Those are the 4 black wires you see at the bottom. You can see how the three hot phases are staggered as they go up the breaker rails. For standard 110V service, you use a single-wide breaker and send one hot phase + neutral and you get 110V. The difference between two phases is 208 volts though, so you use a double wide breaker and can send it to the device without using a neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't need legacy 110V service anywhere) you skip the ground wire going into the panel entirely.
-- Kevin From lowen at pari.edu Thu Dec 2 11:58:56 2010 From: lowen at pari.edu (Lamar Owen) Date: Thu, 2 Dec 2010 12:58:56 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: <20101202164628.GA20227@ussenterprise.ufp.org> References: Message-ID: <201012021258.57229.lowen@pari.edu> On Thursday, December 02, 2010 11:46:28 am Leo Bicknell wrote: > You may also find this arrangement in larger multi-tennent buildings > where they are fed with 3-phase power. There are two other 3 phase setups that are somewhat common. 120/240V delta (has the third leg 'wild' at 208V to neutral, with the neutral (grounded conductor in NEC parlance) connected to a centertap on one transformer of the three required). This one has special labeling requirements and a prohibition on single-phase loads being connected to the 208V leg. This one is sometimes provided in a two-transformer 'open delta' arrangement (instead of the correct three-transformer 'closed delta') and is, you might say, 'three phase lite' in practice. 480V delta corner ground. This one is 480V three phase on three wires; one phase is grounded at the service entrance, and the other two phases are 480V to ground. This one also has special labeling requirements and no 'neutral' in the conventional sense. From jra at baylink.com Thu Dec 2 12:02:06 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 2 Dec 2010 13:02:06 -0500 (EST) Subject: Want to move to all 208V for server racks In-Reply-To: Message-ID: <2093625.214.1291312926780.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Kevin Day" > > On Dec 2, 2010, at 11:06 AM, Owen DeLong wrote: > > It is not uncommon for three-phase panels to be different and have > > all three phases in the panel each phase feeding every third breaker > > slot. > > I was just recently trying to explain this to a European friend who > thought I was hallucinating this system, so I took a picture. 
> > http://dl.dropbox.com/u/230717/temp/208YPanel.jpg Precisely the same panel layout I had in my last facility, though we didn't use any 208V branch circuits; thanks for the pic, Kevin. Cheers, -- jra From if at xip.at Thu Dec 2 12:08:21 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 2 Dec 2010 19:08:21 +0100 (CET) Subject: Want to move to all 208V for server racks In-Reply-To: References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> Message-ID: > I was just recently trying to explain this to a European friend who thought I was hallucinating this system, so I took a picture. > > http://dl.dropbox.com/u/230717/temp/208YPanel.jpg > > That's a picture of one of the breaker boxes in our office, showing what you described. There are 3 phases coming into the panel, each a different coil off a Y transformer, as well as a "neutral". Those are the 4 black wires you see at the bottom. You can see how the three hot phases are staggered as they go up the breaker rails. > > For standard 110V service, you use a single-wide breaker and send one hot phase + neutral and you get 110V. The difference between two phases is 208 volts though, so you use a double wide breaker and can send it to the device without using a neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't need legacy 110V service anywhere) you skip the ground wire going into the panel entirely. That one looks dangerous. In Europe: http://img406.imageshack.us/i/verteilerkasten.jpg/ 64A 240V 3-phase input. Out to servers single phase, output to air conditioners with 3 phase (not in this picture).
Kind regards, Ingo Flaschberger From if at xip.at Thu Dec 2 12:10:12 2010 From: if at xip.at (Ingo Flaschberger) Date: Thu, 2 Dec 2010 19:10:12 +0100 (CET) Subject: Want to move to all 208V for server racks In-Reply-To: <2093625.214.1291312926780.JavaMail.root@benjamin.baylink.com> References: <2093625.214.1291312926780.JavaMail.root@benjamin.baylink.com> Message-ID: > Precisely the same panel layout I had in my last facility, though we didn't > use any 208V branch circuits; thanks for the pic, Kevin. Good thing is, if you have no neutral you can't break it - who knows what happens :) Kind regards, Ingo Flaschberger From toasty at dragondata.com Thu Dec 2 12:13:09 2010 From: toasty at dragondata.com (Kevin Day) Date: Thu, 2 Dec 2010 12:13:09 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> Message-ID: <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> On Dec 2, 2010, at 12:08 PM, Ingo Flaschberger wrote: >> >> For standard 110V service, you use a single-wide breaker and send one hot phase + neutral and you get 110V. The difference between two phases is 208 volts though, so you use a double wide breaker and can send it to the device without using a neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't need legacy 110V service anywhere) you skip the ground wire going into the panel entirely. > > That one looks dangerous. Err, I meant "skip the neutral wire". It's still grounded. And there are normally significantly more covers over the panel than this, there were a dozen screws I had to remove to expose all of this. :) This is a much smaller scale panel though, not far up from a typical home system. The more current you start talking about, the more isolated everything becomes until you wouldn't even be able to see the bus bars like in this one.
-- Kevin From lowen at pari.edu Thu Dec 2 12:14:26 2010 From: lowen at pari.edu (Lamar Owen) Date: Thu, 2 Dec 2010 13:14:26 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID: <201012021314.26452.lowen@pari.edu> On Thursday, December 02, 2010 12:51:42 pm Kevin Day wrote: > For standard 110V service, you use a single-wide breaker and send one hot phase + neutral and you get 110V. The difference between two phases is 208 volts though, so you use a double wide breaker and can send it to the device without using a neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't need legacy 110V service anywhere) you skip the ground wire going into the panel entirely. The photo of the Square-D QO plugin breaker panel was nice; thanks. Our Liebert 'precision power' PDU's have what appear to be GE panelboards on the 120/208 side, 42 position, two panelboards per PDU. They are wired like the Square-D in your picture. However, there is one thing in your reply that needs clarification. A wye connected branch circuit panelboard must always be equipped with a grounded conductor (neutral) AND a grounding conductor (ground) to meet code. That is unless the panel is listed for delta use in a 'neutral-less' arrangement and no single-pole breakers are present in the panel. The grounding conductor must never be used as the grounded conductor; the ground is only for fault currents, never for load currents, and the grounded conductor must be bonded to the grounding conductor only at the service disconnect. That's in a simple single grounding conductor system; many datacenters are wired with separate safety and signal grounding conductors (ours is) that require special precautions to be taken. The signal ground is often called the technical ground in the industry, and is, per NEC, always bonded to the safety (or NEC) ground at the service disconnect. That makes it real fun.
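A worked model of the 120/208 V wye service described in the thread above (Leo's three panels fed from phase pairs, Seth's L-N 120 V / L-L 208 V, Bill's 120-degree phase spacing with 277 V legs giving 480 V, and Ingo's 120 * sqrt(3)), including the per-phase balance check Leo mentions for 208 V loads. This is an added example, not code from any poster; it assumes purely resistive loads and uses constructed load figures.

```python
import cmath
import math

# Hot legs of the wye service, 120 degrees apart; "N" is the neutral.
PHASES = ("A", "B", "C")


def phase_voltages(v_ln):
    """Phasor voltage of each hot leg relative to neutral, given the leg-to-neutral magnitude."""
    return {p: cmath.rect(v_ln, math.radians(-120 * k)) for k, p in enumerate(PHASES)}


def line_to_line(v_ln):
    """Hot-to-hot magnitude: 120 V legs give ~208 V, 277 V legs give ~480 V."""
    v = phase_voltages(v_ln)
    return abs(v["A"] - v["B"])


def phase_currents(v_ln, two_pole_loads, single_pole_loads):
    """Current phasor on each hot leg and on the neutral.

    two_pole_loads:    {("A", "B"): watts, ...}  hot-to-hot (208 V) loads
    single_pole_loads: {"A": watts, ...}         hot-to-neutral (120 V) loads
    Loads are modelled as resistive (assumption of this example), so each
    current is in phase with the voltage driving it.
    """
    v = phase_voltages(v_ln)
    i = {p: 0j for p in PHASES}
    for (x, y), watts in two_pole_loads.items():
        v_xy = v[x] - v[y]
        i_xy = (watts / abs(v_xy)) * (v_xy / abs(v_xy))  # I = P/V along V_xy
        i[x] += i_xy  # current leaves on leg x ...
        i[y] -= i_xy  # ... and returns on leg y; the neutral is not involved
    for p, watts in single_pole_loads.items():
        i[p] += (watts / abs(v[p])) * (v[p] / abs(v[p]))
    i["N"] = -(i["A"] + i["B"] + i["C"])  # the neutral carries only the imbalance
    return i


def amps(currents):
    """Magnitudes in amperes, rounded for display."""
    return {k: round(abs(c), 2) for k, c in currents.items()}


def overloaded_legs(currents, breaker_amps, continuous_fraction=0.8):
    """Hot legs whose current exceeds the continuous-load fraction of the breaker rating."""
    limit = breaker_amps * continuous_fraction
    return sorted(p for p in PHASES if abs(currents[p]) > limit)


if __name__ == "__main__":
    print("120 V wye hot-to-hot: %.1f V" % line_to_line(120))
    print("277 V wye hot-to-hot: %.1f V" % line_to_line(277))
    # Constructed loads: three 2 kW 208 V loads spread across the three pairs ...
    balanced = phase_currents(120, {("A", "B"): 2000, ("B", "C"): 2000, ("C", "A"): 2000}, {})
    print("balanced:", amps(balanced))
    # ... versus the same 6 kW hung on one pair plus a 1.2 kW 120 V load on leg C.
    lopsided = phase_currents(120, {("A", "B"): 6000}, {"C": 1200})
    print("lopsided:", amps(lopsided), "over a 30 A breaker:", overloaded_legs(lopsided, 30))
```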
From lowen at pari.edu Thu Dec 2 12:31:48 2010
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 2 Dec 2010 13:31:48 -0500
Subject: Blocking International DNS
In-Reply-To:
References:
Message-ID: <201012021331.48695.lowen@pari.edu>

On Thursday, December 02, 2010 11:19:33 am Randy Bush wrote:
> boy, you folk sure remember a different uucp network than i do.

Well, I got into the uucp thing rather late, hooking up in 1991 or so. By then, to get e-mail through uucico it was common practice to bangpath off uunet, or some other 'known' host that pathalias/smail could find in the maps. Or worse, to use a bangpath/FQDN frankenaddress.

For news over uucp, at least with C-News, which I ran for a while, not so much a big deal as long as you properly passed the post upstream. Usenet is still the standard for decentralized information sharing, IMHO, for better or for worse.

To get files, you needed to know the path to the file; while you could bangpath all the way to the archive and uucp the file directly, it was more common to start at a known node (like uunet or decvax) and path from there, unless you had a full pathalias-aware uucp (I forget if HoneyDanBer did that or not, too many years since doing that). Web browsing through uucico was just a special case of getting a file, at least in the implementation I used.

But would pathalias scale to billions of hosts? I don't know the answer; I know on the minuscule Apollo DN3500s I used at the time the pathalias part of the processing frequently took longer than the actual transfer. And even in those days of mostly text web pages, NCSA Mosaic took longer to render the pages into the pads than the other two parts.
From toasty at dragondata.com Thu Dec 2 12:39:16 2010
From: toasty at dragondata.com (Kevin Day)
Date: Thu, 2 Dec 2010 12:39:16 -0600
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Dec 2, 2010, at 12:20 PM, Ingo Flaschberger wrote:

>> Err, I meant "skip the neutral wire". It's still grounded. And there are normally significantly more covers over the panel than this; there were a dozen screws I had to remove to expose all of this. :)
>>
>> This is a much smaller-scale panel though, not far up from a typical home system. The more current you start talking about, the more isolated everything becomes, until you wouldn't even be able to see the bus bars like in this one.
>
> Are "Residual-current devices" (Fi in German) common in the US?
> For servers I use a "Residual-current device" and circuit breaker integrated in one device; but I try to use the more expensive pulse-tolerant ones.

They're called "Ground Fault Interrupters" here, or GFI/GFCI.

They're extremely common built into wall power outlets, and GFI outlets are required in wet areas (kitchens, bathrooms, hot tubs, outdoors, etc). Most wall outlets with GFIs built into them have a "daisy chain" system where one outlet in the kitchen has the circuitry and the Test/Reset buttons, and it protects all non-GFI outlets downstream from it. Downstream outlets usually have a sticker on them saying "GFI Protected", which is a hint that if the outlet stops working, check other outlets in the room to see if one of them tripped. Newer versions have a light that comes on to indicate when they've been tripped, which is handy for non-technical people to figure out what happened more easily.
You can get breakers with GFIs built into them (called GFCIs), but they're favored less than putting them at the outlet. I haven't seen any datacenters using them, but I haven't looked that closely. An electrician I talked to once about it felt that the panel-mounted variety were designed to be less sensitive/slower reacting due to much longer wire lengths, but I'm not sure if that's just urban legend, experience with a single product, or fact.

-- Kevin

From alex at corp.nac.net Thu Dec 2 12:59:33 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Thu, 2 Dec 2010 13:59:33 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

> I really want to move all newly installed internal and customer racks over to
> all 208v power instead of 120v. As far as I can remember, I can't remember
> any server/switch/router or any other equipment that didn't run on 208v AC.
> (Other than you may need a different cable) Anyone have any experience
> where some oddball equipment that couldn't do 208v and regret going 208v?

I can tell you that, from a colocation operator perspective, we want you to do 208v. I'd love to require it in our facilities, but sales people won't let me go that far.

Why? A couple of reasons... Neutral current, more power delivered using less copper, etc.

Personally, I like delivering two L21-30's per rack and calling it a day - allows for a comfortable 8kw per rack in 2N+1 redundancy. And, it still has a neutral if it's needed, which we hope it isn't.

We rarely run into things that require 120v, but it's usually older equipment. Or, most notably, the 'call home' modems that EMC uses on their SANs.

From alex at corp.nac.net Thu Dec 2 13:00:38 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Thu, 2 Dec 2010 14:00:38 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID:

> > you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz)
>
> In US, I think everything is 60Hz.
But I mean 208v single phase.

> (Which is what you get when you combine two 120v single phase legs out of
> three phase, I believe. I am not an expert on AC...)

That would be considered a 2-pole, 208v receptacle, most commonly an L6-20 or L6-30.

From alex at corp.nac.net Thu Dec 2 13:12:47 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Thu, 2 Dec 2010 14:12:47 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To: <4CF7D91C.2000100@rollernet.us>
References: <201012021720.oB2HKeiL017903@mainstreet.net> <4CF7D91C.2000100@rollernet.us>
Message-ID:

> On 12/2/10 9:20 AM, Mark Kent wrote:
> > "Why do we install 120v instead of 208v?" was asked over a year ago
> > either here or on cisco-nsp. It generated a long discussion, but it
> > should have been cut short as early in the thread someone said all
> > that had to be said: "because we are idiots."
> >
>
> This one?
>
> http://www.merit.edu/mail.archives/nanog/2009-05/msg00649.html
>
> ~Seth

No, this one. I knew it sounded familiar, it was me.

http://www.merit.edu/mail.archives/nanog/2009-05/msg00650.html

From jvanoppen at spectrumnet.us Thu Dec 2 13:20:39 2010
From: jvanoppen at spectrumnet.us (John van Oppen)
Date: Thu, 2 Dec 2010 19:20:39 +0000
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com>
Message-ID:

It is probably worth noting that a 3-phase input in Europe is actually 240/415 volt Y (for every panel I have seen in Germany at least; even the places I have lived there had 240/415 three phase). The normal 240v single phase outlet circuits were the phase-to-neutral voltage. Obviously Europe also runs at 50 Hz vs 60 in the US, but the three phase still works the same way. A European 64 amp 240/415 circuit is pretty close to equivalent to a 277/480 Y configured 60 amp circuit in the US.
The biggest notable difference is in equipment that runs on two different service voltage ranges, where Europe has far less need for in-building step-down transformers, since even small loads work on the phase-to-neutral voltage of the big services. I always find it interesting in the US to note how many 480v to 120/208Y step-down transformers one can find in a big building or datacenter.

John

-----Original Message-----
From: Ingo Flaschberger [mailto:if at xip.at]
Sent: Thursday, December 02, 2010 10:08 AM
To: Kevin Day
Cc: NANOG list
Subject: Re: Want to move to all 208V for server racks

> I was just recently trying to explain this to a European friend who thought I was hallucinating this system, so I took a picture.
>
> http://dl.dropbox.com/u/230717/temp/208YPanel.jpg
>
> That's a picture of one of the breaker boxes in our office, showing what you described. There are 3 phases coming into the panel, each a different coil off a Y transformer, as well as a "neutral". Those are the 4 black wires you see at the bottom. You can see how the three hot phases are staggered as they go up the breaker rails.
>
> For standard 110V service, you use a single-wide breaker and send one hot phase + neutral and you get 110V. The difference between two phases is 208 volts though, so you use a double-wide breaker and can send to the device without using a neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't need legacy 110V service anywhere) you skip the ground wire going into the panel entirely.

That one looks dangerous.

In Europe:
http://img406.imageshack.us/i/verteilerkasten.jpg/
64A 240V 3-phase input. Out to servers single-phase, output to air conditioners 3-phase (not in this picture).
Kind regards,
Ingo Flaschberger

From jeffrey.lyon at blacklotus.net Thu Dec 2 13:23:41 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Thu, 2 Dec 2010 14:23:41 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <4CF7AD02.4030106@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>
Message-ID:

I took some time to actually read Comcast's response to the FCC. In hindsight it does not appear to me that Comcast is trying to capitalize on L3's Netflix deal; rather, it wants to be compensated for an emergency installation of 270 Gbps of peering that now has them looking more like a transit customer than a settlement-free peer.

Jeff

On Thu, Dec 2, 2010 at 9:28 AM, William Allen Simpson wrote:
> [Changed long CC list to BCC]
>
> On 12/2/10 12:49 AM, Frank Bulk wrote:
>>
>> George Ou touches on a similar point at the end of his article:
>>
>> http://www.digitalsociety.org/2010/11/level-3-outbid-akamai-on-netflix-by-reselling-stolen-bandwidth/
>>
> The Ou article makes no sense at all! It's based on the premise that Level 3
> and Comcast are peering, and that traffic should be symmetric. Everywhere
> else, the articles and pundits indicate that Comcast is a transit customer of
> Level 3.
>
> All actual network operators know that traffic isn't symmetric!
>
> Ou's hit piece reads more like a pseudo-libertarian rant. In fact, other Ou
> posts listed there have titles that read like an ultra-conservative cum
> social-conservative rant:
>
> * Wrong On The Internet - Another Net Neutrality 'violation' debunked
> * Why Viacom and others justified in blocking Google TV
> * Wrong On The Internet -
> Genachowski pushing ahead with Net Neutrality during lame duck
> * Google hypocrisy on content blocking
> * Hijacking the Internet is trivial today
>
> You have to consider the source. If Ou doesn't understand contracts, peering,
> and/or transit, just take his posts with a grain of salt.
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From frnkblk at iname.com Thu Dec 2 13:44:47 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 2 Dec 2010 13:44:47 -0600
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <4CF7AD02.4030106@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>
Message-ID:

Then ignore Ou's post and focus on the point I tried to make: that Level3 has a vested interest in making sure the Comcast users have a good Netflix experience. =)

Frank

-----Original Message-----
From: William Allen Simpson [mailto:william.allen.simpson at gmail.com]
Sent: Thursday, December 02, 2010 8:28 AM
To: NANOG list
Subject: Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

[Changed long CC list to BCC]

On 12/2/10 12:49 AM, Frank Bulk wrote:
> George Ou touches on a similar point at the end of his article:
> http://www.digitalsociety.org/2010/11/level-3-outbid-akamai-on-netflix-by-reselling-stolen-bandwidth/
>

The Ou article makes no sense at all! It's based on the premise that Level 3 and Comcast are peering, and that traffic should be symmetric. Everywhere else, the articles and pundits indicate that Comcast is a transit customer of Level 3.

All actual network operators know that traffic isn't symmetric!
Ou's hit piece reads more like a pseudo-libertarian rant. In fact, other Ou posts listed there have titles that read like an ultra-conservative cum social-conservative rant:

* Wrong On The Internet - Another Net Neutrality 'violation' debunked
* Why Viacom and others justified in blocking Google TV
* Wrong On The Internet - Genachowski pushing ahead with Net Neutrality during lame duck
* Google hypocrisy on content blocking
* Hijacking the Internet is trivial today

You have to consider the source. If Ou doesn't understand contracts, peering, and/or transit, just take his posts with a grain of salt.

From kevin at steadfast.net Thu Dec 2 14:01:35 2010
From: kevin at steadfast.net (Kevin Stange)
Date: Thu, 02 Dec 2010 14:01:35 -0600
Subject: Want to move to all 208V for server racks
In-Reply-To:
References:
Message-ID: <4CF7FB1F.4060404@steadfast.net>

On 12/02/2010 09:58 AM, Jay Nakamura wrote:
> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v. As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.
>

We run our datacenters with mostly 208V power because it lets us get more power-hungry equipment in a single cabinet. With the exception of very old servers, pretty much all standard power supplies are auto-sensing across the 110 - 240 voltage range and will work fine as long as you use an IEC C13 to C14 cable. Most of the older power supplies have a manual switch you must flip if you don't want to blow the power supply.
All network equipment that uses a standard IEC C13 cable that I've seen is auto-sensing, but you should certainly check the documentation. I've seen recent and old Dell, Cisco, HP and Netgear switches that work fine with 208V.

For anything with an AC adapter, we check the transformers and find most of those are auto-sensing too. The trick is either the customer has to know in advance and pick up an AC adapter with a C14 connector (which is fairly rare since they all use different polarization, voltage and connector sizes), or to stock some NEMA 5-15 to C14 converters.

For a Cisco ASA, which we see a lot, you need a C5 cable. The standard cable is a C5 to NEMA 5-15. We picked up some adapters from C5 to C14 standard pretty cheap to make these work.

It is very good practice to check EVERYTHING before plugging it in, because if it can't handle 208V, you will hear a pop and it will be dead before you can realize your error. Pretty much anything that uses power has a label on it somewhere describing its supported input voltage.

--
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867

From if at xip.at Thu Dec 2 12:20:44 2010
From: if at xip.at (Ingo Flaschberger)
Date: Thu, 2 Dec 2010 19:20:44 +0100 (CET)
Subject: Want to move to all 208V for server racks
In-Reply-To: <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

> Err, I meant "skip the neutral wire". It's still grounded.
> And there are normally significantly more covers over the panel than this; there were a dozen screws I had to remove to expose all of this. :)
>
> This is a much smaller-scale panel though, not far up from a typical home system. The more current you start talking about, the more isolated everything becomes, until you wouldn't even be able to see the bus bars like in this one.

Are "Residual-current devices" (Fi in German) common in the US?
For servers I use a "Residual-current device" and circuit breaker integrated in one device; but I try to use the more expensive pulse-tolerant ones.

Kind regards,
Ingo Flaschberger

From bicknell at ufp.org Thu Dec 2 14:21:51 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 2 Dec 2010 12:21:51 -0800
Subject: The scale of streaming video on the Internet.
Message-ID: <20101202202151.GA65475@ussenterprise.ufp.org>

Hidden in the Comcast and Level 3 press release war are some fascinating details about the scale of streaming video.

In http://blog.comcast.com/2010/11/comcasts-letter-to-fcc-on-level-3.html, Comcast suggests that Level 3 "demanded 27 to 30 new interconnection ports".

I have to make a few assumptions, all of which I think are quite reasonable, but I want to lay them out:

- "ports" means 10 Gigabit ports. 1GEs seem too small, 100GEs seem too large. I suppose there is a small chance they were thinking OC-48 (2.5Gbps) ports, but those seem to be falling out of favor for cost.
- They were provisioning for double the anticipated traffic. That is, if there was 10G of traffic total they would ask for 20G of ports. This both provides room for growth, and allows for the fact that you can't perfectly balance traffic over that many ports.
- That substantially all of that new traffic was for Netflix, or more accurately "streaming video" from their CDN.

Thus in round numbers they were asking for 300Gbps of additional capacity across the US, to move around 150Gbps of actual traffic.

But how many video streams is 150Gbps?
Google found me this article:
http://blog.streamingmedia.com/the_business_of_online_vi/2009/03/estimates-on-what-it-costs-netflixs-to-stream-movies.html

It suggests that low-def is 2000Kbps, and high-def is 3200Kbps. If we do the math, that suggests the 150Gbps could support 75,000 low-def streams, or 46,875 high-def streams. Let me round to 50,000 users, for some mix of streams.

Comcast has around ~15 million high speed Internet subscribers (based on year-old data, I'm sure it is higher), which means at peak usage around 0.3% of all Comcast high speed users would be watching.

That's an interesting number, but let's run back the other way. Consider what happens if folks cut the cord, and watch Internet-only TV. I went and found some TV ratings:

http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784

Sunday Night Football at the top last week, with 7.1% of US homes watching. That's over 23 times as many folks watching as the 0.3% in our previous math! Ok, 23 times 150Gbps.

3.45Tb/s.

Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.

But that's 7.1% of homes, so scale up to 100% of homes and you get 48Tb/sec, that's right, 4830 simultaneous 10GEs if all of Comcast's existing high speed subs dropped cable and watched the same shows over the Internet.

I think we all know that streaming video is large. Putting the real numbers to it shows the real engineering challenges on both sides, generating and sinking the content, and why companies are fighting so much over it.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
From owen at delong.com Thu Dec 2 14:28:47 2010
From: owen at delong.com (Owen DeLong)
Date: Thu, 2 Dec 2010 12:28:47 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20101202202151.GA65475@ussenterprise.ufp.org>
References: <20101202202151.GA65475@ussenterprise.ufp.org>
Message-ID:

You are assuming the absence of any of the following optimizations:

1. Multicast
2. Overlay networks using P2P services (get parts of your stream from some of your neighbors).

These are not entirely safe assumptions.

Owen

On Dec 2, 2010, at 12:21 PM, Leo Bicknell wrote:

>
> Hidden in the Comcast and Level 3 press release war are some
> fascinating details about the scale of streaming video.
>
> In http://blog.comcast.com/2010/11/comcasts-letter-to-fcc-on-level-3.html,
> Comcast suggests that Level 3 "demanded 27 to 30 new interconnection ports".
>
> I have to make a few assumptions, all of which I think are quite
> reasonable, but I want to lay them out:
>
> - "ports" means 10 Gigabit ports. 1GEs seem too small, 100GEs seem
> too large. I suppose there is a small chance they were thinking OC-48
> (2.5Gbps) ports, but those seem to be falling out of favor for cost.
> - They were provisioning for double the anticipated traffic. That is,
> if there was 10G of traffic total they would ask for 20G of ports.
> This both provides room for growth, and allows for the fact that you can't
> perfectly balance traffic over that many ports.
> - That substantially all of that new traffic was for Netflix, or more
> accurately "streaming video" from their CDN.
>
> Thus in round numbers they were asking for 300Gbps of additional
> capacity across the US, to move around 150Gbps of actual traffic.
>
> But how many video streams is 150Gbps?
> Google found me this article:
> http://blog.streamingmedia.com/the_business_of_online_vi/2009/03/estimates-on-what-it-costs-netflixs-to-stream-movies.html
>
> It suggests that low-def is 2000Kbps, and high-def is 3200Kbps. If
> we do the math, that suggests the 150Gbps could support 75,000 low-def
> streams, or 46,875 high-def streams. Let me round to 50,000 users,
> for some mix of streams.
>
> Comcast has around ~15 million high speed Internet subscribers (based on
> year-old data, I'm sure it is higher), which means at peak usage around
> 0.3% of all Comcast high speed users would be watching.
>
> That's an interesting number, but let's run back the other way.
> Consider what happens if folks cut the cord, and watch Internet-only
> TV. I went and found some TV ratings:
>
> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784
>
> Sunday Night Football at the top last week, with 7.1% of US homes
> watching. That's over 23 times as many folks watching as the 0.3% in
> our previous math! Ok, 23 times 150Gbps.
>
> 3.45Tb/s.
>
> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.
>
> But that's 7.1% of homes, so scale up to 100% of homes and you get
> 48Tb/sec, that's right, 4830 simultaneous 10GEs if all of Comcast's
> existing high speed subs dropped cable and watched the same shows over
> the Internet.
>
> I think we all know that streaming video is large. Putting the real
> numbers to it shows the real engineering challenges on both sides,
> generating and sinking the content, and why companies are fighting so
> much over it.
>
> --
> Leo Bicknell - bicknell at ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/

From if at xip.at Thu Dec 2 12:47:38 2010
From: if at xip.at (Ingo Flaschberger)
Date: Thu, 2 Dec 2010 19:47:38 +0100 (CET)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

>>> Err, I meant "skip the neutral wire". It's still grounded. And there are normally significantly more covers over the panel than this; there were a dozen screws I had to remove to expose all of this. :)
>>>
>>> This is a much smaller-scale panel though, not far up from a typical home system. The more current you start talking about, the more isolated everything becomes, until you wouldn't even be able to see the bus bars like in this one.
>>
>> Are "Residual-current devices" (Fi in German) common in the US?
>> For servers I use a "Residual-current device" and circuit breaker integrated in one device; but I try to use the more expensive pulse-tolerant ones.
>
> They're called "Ground Fault Interrupters" here, or GFI/GFCI.
>
> They're extremely common built into wall power outlets, and GFI outlets are required in wet areas (kitchens, bathrooms, hot tubs, outdoors, etc). Most wall outlets with GFIs built into them have a "daisy chain" system where one outlet in the kitchen has the circuitry and the Test/Reset buttons, and it protects all non-GFI outlets downstream from it. Downstream outlets usually have a sticker on them saying "GFI Protected", which is a hint that if the outlet stops working, check other outlets in the room to see if one of them tripped. Newer versions have a light that comes on to indicate when they've been tripped, which is handy for non-technical people to figure out what happened more easily.
>
> You can get breakers with GFIs built into them (called GFCIs), but they're favored less than putting them at the outlet. I haven't seen any datacenters using them, but I haven't looked that closely. An electrician I talked to once about it felt that the panel-mounted variety were designed to be less sensitive/slower reacting due to much longer wire lengths, but I'm not sure if that's just urban legend, experience with a single product, or fact.

In Europe GFIs are always needed for protection, and by law.
To avoid the cascading effects the GFCIs are better.
Break current ranges from 10mA (bath) up to 300mA; for servers I use the 30mA with pulse protection (internal delay), so that the server power supply capacitors charging does not make the GFCIs "flip".

Kind regards,
Ingo Flaschberger

From khelms at ispalliance.net Thu Dec 2 14:36:04 2010
From: khelms at ispalliance.net (Scott Helms)
Date: Thu, 02 Dec 2010 15:36:04 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20101202202151.GA65475@ussenterprise.ufp.org>
References: <20101202202151.GA65475@ussenterprise.ufp.org>
Message-ID: <4CF80334.8080003@ispalliance.net>

> Sunday Night Football at the top last week, with 7.1% of US homes
> watching. That's over 23 times as many folks watching as the 0.3% in
> our previous math! Ok, 23 times 150Gbps.
>
> 3.45Tb/s.
>
> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.
>
> But that's 7.1% of homes, so scale up to 100% of homes and you get
> 48Tb/sec, that's right, 4830 simultaneous 10GEs if all of Comcast's
> existing high speed subs dropped cable and watched the same shows over
> the Internet.
>
> I think we all know that streaming video is large. Putting the real
> numbers to it shows the real engineering challenges on both sides,
> generating and sinking the content, and why companies are fighting so
> much over it.
>

Anything that is "live" and likely to be watched by lots of people at the same time, like sports, can be handled via multicast.
The IPTV guys have had a number of years to get that to work fairly well in telco environments. The content that can't be handled with multicast, like on-demand programming, is where you lose your economy of scale.

--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
--------------------------------
Looking for hand-selected news, views and tips for independent broadband providers?
Follow us on Twitter! http://twitter.com/ZCorum
--------------------------------

From sethm at rollernet.us Thu Dec 2 14:38:11 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 02 Dec 2010 12:38:11 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <20101202202151.GA65475@ussenterprise.ufp.org>
Message-ID: <4CF803B3.3050202@rollernet.us>

On 12/2/10 12:28 PM, Owen DeLong wrote:
> You are assuming the absence of any of the following optimizations:
>
> 1. Multicast

Multicast is great for simulating old-school broadcasting, but I don't see how it can apply to Netflix/Amazon style on-demand streaming, where everyone can potentially watch a different stream at different points in time with different bitrates.

~Seth

From adriankok2000 at yahoo.com.hk Thu Dec 2 14:41:25 2010
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Thu, 2 Dec 2010 12:41:25 -0800 (PST)
Subject: suggestion network devices
Message-ID: <533452.97057.qm@web33304.mail.mud.yahoo.com>

Hi all

I need high latency network device products. eg: router/switch/firewall

Can you share with me? And how can I test it also?

Thank you so much

From jra at baylink.com Thu Dec 2 14:48:29 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 15:48:29 -0500 (EST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20101202202151.GA65475@ussenterprise.ufp.org>
Message-ID: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Leo Bicknell"
> [...]
> That's an interesting number, but let's run back the other way.
> Consider what happens if folks cut the cord, and watch Internet-only
> TV. I went and found some TV ratings:
>
> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784
>
> Sunday Night Football at the top last week, with 7.1% of US homes
> watching. That's over 23 times as many folks watching as the 0.3% in
> our previous math! Ok, 23 times 150Gbps.
>
> 3.45Tb/s.
>
> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.
>
> But that's 7.1% of homes, so scale up to 100% of homes and you get
> 48Tb/sec, that's right, 4830 simultaneous 10GEs if all of Comcast's
> existing high speed subs dropped cable and watched the same shows over
> the Internet.
>
> I think we all know that streaming video is large. Putting the real
> numbers to it shows the real engineering challenges on both sides,
> generating and sinking the content, and why companies are fighting so
> much over it.

It also proves, though I doubt anyone important is listening, *why the network broadcast architecture is shaped the way it is*, and it implies, *to* anyone important who is listening, just how bad a fit that is for a point- or even multi-point server-to-viewers environment.

Oh: and all the extra servers and switches necessary to set that up? *Way* more power than the equivalent transmitters and TV sets. Even if you add in the cable headends, I suspect.

In other news: viewers will tolerate Buffering... to watch last night's Daily Show. They will *not* tolerate it while they're waiting to see if the winning hit in Game 7 is fair or foul -- which means that it will not be possible to replace that architecture until you can do it at technical parity...
and that's not to mention the emergency communications uses of "real" broadcasting, which will become untenable if enough critical mass is drained off of said "real broadcasting" by other services which are only Good Enough.

The Law of Unexpected Consequences is a *bitch*. Just ask the NCS people; I'm sure they have some interesting 40,000ft stories to tell about the changes in the telco networks since 1983.

Cheers,
-- jra

From jra at baylink.com Thu Dec 2 14:54:15 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 15:54:15 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
Message-ID: <29638373.226.1291323255039.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Ingo Flaschberger"
>
> In Europe GFIs are always needed for protection, and by law.
> To avoid the cascading effects the GFCIs are better.
> Break current ranges from 10mA (bath) up to 300mA; for servers I use
> the 30mA with pulse protection (internal delay), so that the server
> power supply capacitors charging does not make the GFCIs "flip".

And that, indeed, is one of the circumstances in which Chris Lewis and Steve Bellovin's Wiring FAQ suggests that you should *not* use a GFCI: in places where the inevitable "nuisance trip" is troublesome, like powering servers. That FAQ is a bit dated, of course.

And indeed, I never liked GFCI breakers for the usages for which they're mandated in the US, 'cause the milliamp currents they're supposed to trip on are no match for all that copper resistance...

Cheers,
-- jra

From alex at corp.nac.net Thu Dec 2 14:57:29 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Thu, 2 Dec 2010 15:57:29 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
Message-ID:

> *Way* more power than the equivalent transmitters and TV sets.
> Even if you add in the cable headends, I suspect.

Yeah, but...

This is really not comparable. Transmitters and TV sets require that everyone watch what is being transmitted. People (myself included) don't like, or don't want this method anymore. I want to watch what I want, when I want to.

This is the new age of media. Out with the old.

From owen at delong.com Thu Dec 2 15:02:37 2010
From: owen at delong.com (Owen DeLong)
Date: Thu, 2 Dec 2010 13:02:37 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
Message-ID: <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com>

On Dec 2, 2010, at 12:48 PM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Leo Bicknell"
>> [...]
>> That's an interesting number, but let's run back the other way.
>> Consider what happens if folks cut the cord, and watch Internet
>> only TV. I went and found some TV ratings:
>>
>> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784
>>
>> Sunday Night Football at the top last week, with 7.1% of US homes
>> watching. That's over 23 times as many folks watching as the 0.3% in
>> our previous math! Ok, 23 times 150Gbps.
>>
>> 3.45Tb/s.
>>
>> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.
>>
>> But that's 7.1% of homes, so scale up to 100% of homes and you get
>> 48Tb/sec, that's right 4830 simultaneous 10GE's if all of Comcast's
>> existing high speed subs dropped cable and watched the same shows over
>> the Internet.
>>
>> I think we all know that streaming video is large. Putting the real
>> numbers to it shows the real engineering challenges on both sides,
>> generating and sinking the content, and why companies are fighting so
>> much over it.
>
> It also proves, though I doubt anyone important is listening, *why the
> network broadcast architecture is shaped the way it is*, and it implies,
> *to* anyone important who is listening, just how bad a fit that is for
> a point- or even multi-point server to viewers environment.
>
Yes and no... The existing system is a multi-point (transmission towers) to viewers (multicast) environment. No reason that isn't feasible on the internet as well.

> Oh: and all the extra servers and switches necessary to set that up?
>
For equivalent service (linear programming), no need. For VOD, turns out to be basically identical anyway.

> *Way* more power than the equivalent transmitters and TV sets. Even if
> you add in the cable headends, I suspect.
>
Not if you allow for multicast.

> In other news: viewers will tolerate Buffering... to watch last night's
> daily show. They will *not* tolerate it while they're waiting to see if
> the winning hit in Game 7 is fair or foul -- which means that it will
> not be possible to replace that architecture until you can do it at
> technical parity... and that's not to mention the emergency communications
> uses of "real" broadcasting, which will become untenable if enough
> critical mass is drained off of said "real broadcasting" by other
> services which are only Good Enough.
>
Viewers already tolerate a fair amount of buffering for exactly that. The bleepability delay and other technical requirements, the bouncing of things off satellites, etc. all create delays in the current system. If you keep the delay under 5s, most viewers won't actually know the difference.

As to the emergency broadcast system, yeah, that's going to lose. However, the reality is that things are changing and people are tending to move towards wanting VOD based services more than linear programming.
Owen

From jsw at inconcepts.biz Thu Dec 2 15:05:32 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Thu, 2 Dec 2010 16:05:32 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF803B3.3050202@rollernet.us>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us>

On Thu, Dec 2, 2010 at 3:38 PM, Seth Mattinen wrote:
> On 12/2/10 12:28 PM, Owen DeLong wrote:
>> You are assuming the absence of any of the following optimizations:
>>
>> 1. Multicast
>
> Multicast is great for simulating old school broadcasting, but I don't
> see how it can apply to Netflix/Amazon style demand streaming where

I do. Let's assume that there is a multicast future where it's being legitimately used for live television, and whatever else. The same mcast infrastructure will be utilized by Amazon.com to stream popular titles (can you say New Releases) onto users' devices. You may be unicast for the first few minutes of the movie (if you really want to start watching immediately) and change over to a multicast-distributed stream once you have "caught up" to an in-progress stream.

If Netflix had licensing agreements which made it possible for their users to store movies on their local device, this would work even better for Netflix, because of the "queue and watch later" nature of their site and users. I have a couple dozen movies in my instant queue. It may be weeks before I watch them all. The most popular movies can be multicast, and my DVR can listen to the stream when it comes on, store it, and wait for me to watch it.

I am sure Amazon and Netflix have both thought of this already (if not, they need to hire new people who still remember how pay-per-view worked on C-band satellite) and are hoping multicast will one day come along and massively reduce their bandwidth consumption on the most popular titles.
I am also certain the cable companies have thought of it, and added it to the long list of reasons they will never offer Internet multicast, or at least, not until a competitor pops up and does it in such a way that customers understand it's a feature they aren't getting.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From ken at sizone.org Thu Dec 2 15:07:40 2010
From: ken at sizone.org (Ken Chase)
Date: Thu, 2 Dec 2010 16:07:40 -0500
Subject: The scale of streaming video on the Internet.
References: <20101202202151.GA65475@ussenterprise.ufp.org> <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
Message-ID: <20101202210740.GH24752@sizone.org>

On Thu, Dec 02, 2010 at 03:57:29PM -0500, Alex Rubenstein said:
> Transmitters and TV sets require that everyone watch what is being transmitted. People (myself included) don't like, or don't want this method anymore. I want to watch what I want, when I want to.
>
> This is the new age of media. Out with the old.

Want? You going to pay for it? Then go ahead!

So what's the cost then - if people paid for their bandwidth instead of freeloading off the asymmetric usage patterns? i.e. when that 0.3% becomes 80%. Anyone analysed this out yet?

I think the cost metrics will indicate that any network with video is going to have to set up their own distribution and caching POP mesh (i.e. a CDN!) to do it anywhere near economically.

Additionally, while you may think you want to watch what you want to watch and that's it, it seems likely there'll be a limited amount of material available or the caching metrics go out the window, i.e. if everyone is watching something different at any one time.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
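As an added illustration, not from any poster in this thread, here is a small Python model of the scaling in Leo Bicknell's quoted numbers (0.3% of subs = 150 Gbps, the 7.1% Sunday Night Football share, 10GE ports) and of Ken's "when that 0.3% becomes 80%" question, with a multicast case that keeps Jack Bates' point that some viewers will still fall back to unicast. The subscriber count, edge-POP count and fallback fraction are assumed placeholders, and the model uses the exact 7.1/0.3 ratio, so it gives 3.55 Tb/s where the quoted text rounds the ratio to 23 and gets 3.45.

```python
"""Back-of-the-envelope model of the streaming bandwidth math in this thread.

Constructed example: the only figures taken from the thread are the anchor
"0.3% of subs -> 150 Gbps", the 7.1% audience share, and the 10GE port size.
The subscriber count, edge-POP count and unicast-fallback fraction are
assumed placeholders, not figures anyone in the thread supplied.
"""
import math

BASE_SHARE_PCT = 0.3      # from the thread: 0.3% of subscribers ...
BASE_GBPS = 150.0         # ... produced 150 Gbps of unicast video
SUBSCRIBERS = 10_000_000  # ASSUMED placeholder, not a real subscriber count
PORT_GBPS = 10            # one 10GE port


def viewers(share_pct: float) -> int:
    """Concurrent viewers for a given share (in percent) of the subscriber base."""
    return round(SUBSCRIBERS * share_pct / 100)


# Per-stream rate implied by the thread's anchor figure (bits per second).
PER_VIEWER_BPS = BASE_GBPS * 1e9 / viewers(BASE_SHARE_PCT)


def unicast_gbps(share_pct: float) -> float:
    """Aggregate load when every viewer receives their own copy of the stream."""
    return viewers(share_pct) * PER_VIEWER_BPS / 1e9


def multicast_gbps(share_pct: float, channels: int, edge_pops: int,
                   fallback_fraction: float) -> float:
    """Aggregate backbone load with multicast delivery.

    Each edge POP pulls one copy of each channel no matter how many viewers
    sit behind it; viewers whose path has no working multicast fall back to
    unicast and cost a full copy each (multicast saves some bandwidth, not all).
    """
    replicated = channels * edge_pops
    fallback = round(viewers(share_pct) * fallback_fraction)
    return (replicated + fallback) * PER_VIEWER_BPS / 1e9


def ten_ge_ports(gbps: float) -> int:
    """10GE ports needed to carry a load, rounded up to whole ports."""
    return math.ceil(gbps / PORT_GBPS)


def scenario(share_pct: float, channels: int = 1, edge_pops: int = 40,
             fallback_fraction: float = 0.1) -> dict:
    """Compare both delivery models for one audience share.

    edge_pops=40 and fallback_fraction=0.1 are assumed placeholders.
    """
    uni = unicast_gbps(share_pct)
    mc = multicast_gbps(share_pct, channels, edge_pops, fallback_fraction)
    return {
        "share_pct": share_pct,
        "unicast_gbps": uni,
        "unicast_ports": ten_ge_ports(uni),
        "multicast_gbps": mc,
        "multicast_ports": ten_ge_ports(mc),
        "saving": 1 - mc / uni if uni else 0.0,
    }


if __name__ == "__main__":
    print(f"implied per-viewer rate: {PER_VIEWER_BPS / 1e6:.1f} Mb/s")
    for share in (0.3, 7.1, 80.0, 100.0):
        s = scenario(share)
        print(f"{share:5.1f}% of subs: unicast {s['unicast_gbps']:8.1f} Gbps "
              f"({s['unicast_ports']:5d} x 10GE) | multicast+fallback "
              f"{s['multicast_gbps']:7.1f} Gbps ({s['multicast_ports']:4d} x 10GE), "
              f"saving {s['saving']:.0%}")
```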
From jbates at brightok.net Thu Dec 2 15:13:34 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 02 Dec 2010 15:13:34 -0600
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF803B3.3050202@rollernet.us>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us>
Message-ID: <4CF80BFE.1090801@brightok.net>

On 12/2/2010 2:38 PM, Seth Mattinen wrote:
> On 12/2/10 12:28 PM, Owen DeLong wrote:
>> You are assuming the absence of any of the following optimizations:
>>
>> 1. Multicast
>
> Multicast is great for simulating old school broadcasting, but I don't
> see how it can apply to Netflix/Amazon style demand streaming where
> everyone can potentially watch a different stream at different points in
> time with different bitrates.

This isn't a take it or leave it deal. To start out and branch out, most streaming is VOD, which even within a cable network eats up huge amounts of bandwidth. In the end, it's expected that there will be a mix of multicast and VOD. Watch the game live multicast. Missed the game? Watch it on demand. As things progress, we'll probably see more edge content delivery systems (like Akamai) to cache/store huge amounts of video for the local populace. It won't be every movie, but it will be the ones which have a high repeat rate to ease traffic off critical infrastructure, saving everyone money, making everyone happy.

What would be really awesome (unless I've missed it) is Internet access to the emergency broadcast system and local weather services; all easily handled with multicast.
Jack

From smb at cs.columbia.edu Thu Dec 2 15:22:17 2010
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 2 Dec 2010 16:22:17 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To: <29638373.226.1291323255039.JavaMail.root@benjamin.baylink.com>
References: <29638373.226.1291323255039.JavaMail.root@benjamin.baylink.com>
Message-ID: <17AA7C0E-5BE9-400F-8C23-3596A5772B44@cs.columbia.edu>

On Dec 2, 2010, at 3:54:15 PM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Ingo Flaschberger"
>>
>> in Europe GFIs are always needed for protection and by law.
>> to avoid the cascading effects the GFCIs are better.
>> break current ranges from 10mA (bath) up to 300mA; for servers I use
>> the 30mA with pulse protection (internal delay) to avoid the server
>> power supply capacitor loading GFCIs "flip".
>
> And that, indeed, is one of the circumstances in which Chris Lewis and
> Steve Bellovin's Wiring FAQ suggests that you should *not* use a GFCI:
> in places where the inevitable "nuisance trip" is troublesome, like
> powering servers.
>
> That FAQ is a bit dated, of course.

Indeed; it's been unmaintained for quite a number of years at this point.

The major place I personally have trouble with GFCIs is on things with big motors, and in particular my basement dehumidifier -- a place I really want a GFCI because we've occasionally had water problems...

>
> And indeed, I never liked GFCI breakers for the usages for which they're
> mandated in the US, 'cause the milliamp currents they're supposed to trip
> on are no match for all that copper resistance...
>
Wire resistance shouldn't matter. A GFCI is measuring the current in the hot wire compared to the current in the neutral wire; if they differ by more than about 5 milliamps, the device trips. That's why motors cause problems: the inductance of the windings can cause a brief current imbalance.
Anyway -- in response to the original question: the US electrical code requires GFCI protection for outlets in kitchens, bathrooms, or unfinished basements, for outdoor outlets, and for any other outlet near water. Canada has slightly different rules, or at least it did when we last updated the FAQ (Chris Lewis is Canadian): their code requires that every duplex kitchen outlet be served by two separate circuits, which generally share a common neutral. A simple outlet GFCI can't handle that setup, since the actual current flowing through the neutral will vary depending on the loads on the two hot wires. You'd need a specialized outlet or breaker GFCI that summed the current across all three wires; such devices may exist but I've never seen them. (Btw -- the usual reason for using outlet GFCIs is that they're much cheaper than breaker versions.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb

From drais at icantclick.org Thu Dec 2 15:23:42 2010
From: drais at icantclick.org (david raistrick)
Date: Thu, 2 Dec 2010 16:23:42 -0500 (EST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF80BFE.1090801@brightok.net>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>

On Thu, 2 Dec 2010, Jack Bates wrote:

> Watch the game live multicast. Missed the game? Watch it on demand. As things
> progress, we'll probably see more edge content delivery systems (like Akamai)

Have you ever actually been involved with really large scale multicast implementations? I take it that's a no.

The -only- way that would work internet wide, and it defeats the purpose, is if your client side created a tunnel back to your multicast source network. Which would mean you're carrying your multicast data over anycast.

If you, the multicast broadcaster, don't have extensive control of the -entire- end to end IP network, it will be significantly broken significant amounts of the time.
...david (former member of a team of engineers who built and maintained a 220,000 seat multicast video network)

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org http://www.expita.com/nomime.html

From scg at gibbard.org Thu Dec 2 15:28:00 2010
From: scg at gibbard.org (Steve Gibbard)
Date: Thu, 2 Dec 2010 13:28:00 -0800
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
Message-ID: <927EC1B9-426B-43C3-A908-A1D46B30F326@gibbard.org>

On Dec 1, 2010, at 5:47 PM, William Herrin wrote:

> On Wed, Dec 1, 2010 at 3:38 PM, Derek J. Balling wrote:
>> On Nov 29, 2010, at 10:25 PM, William Herrin wrote:
>>> There are a couple forms of shared billing.
>>
>> There's a third kind you failed to mention that doesn't require equal footing of the parties. The broker.
>>
>> I might pay an apartment broker $X to help find me an apartment.
>> In turn the apartment broker might match me up with an apartment,
>> and charge the landlord $Y for a successful tenancy.
>
> Hi Derek,
>
> For the most part the apartment broker process doesn't work quite the
> way you think. Generally he either gets a fee from you to find you the

Regardless of whether the apartment broker comparison holds up, there are many examples of what economists call two-sided markets:

http://en.wikipedia.org/wiki/Two-sided_market

They don't all have the same fee-splitting systems, and you can find an example to cite as precedent for just about any system you could reasonably advocate.

An example raised in a talk I heard a few years ago was of scholarly journals that collect money from both their subscribers and their authors. The authors need to be published in order to get tenure, and the readers pay because they want to know what the authors are saying.
Another example is the Golden Gate Bridge, which was funded in the 1930s by the rural counties north of the bridge (including one ~300 miles north), who wanted connectivity to San Francisco.

It's probably reasonable to generalize a bit and say that in the systems not imposed by regulators, the distribution of costs has something to do with how much each party cares, within the limits of each party's resources. Whether the response produced by the market is at all fair is another -- far more subjective -- question, and that's where regulators come in.

-Steve

From jbates at brightok.net Thu Dec 2 15:31:21 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 02 Dec 2010 15:31:21 -0600
Subject: The scale of streaming video on the Internet.
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>
Message-ID: <4CF81029.2010402@brightok.net>

On 12/2/2010 3:23 PM, david raistrick wrote:
> Have you ever actually been involved with really large scale multicast
> implementations? I take it that's a no.
>
Nope. I prefer small scale. :)

> The -only- way that would work internet wide, and it defeats the
> purpose, is if your client side created a tunnel back to your multicast
> source network. Which would mean you're carrying your multicast data
> over anycast.
>
So we don't use multicast, fall back to unicast deployments on the Internet today for various events/streams?

> If you, the multicast broadcaster, don't have extensive control of the
> -entire- end to end IP network, it will be significantly broken
> significant amounts of the time.

Clients can't fall back to unicast when multicast isn't functional? I'd expect multicast to save some bandwidth, not all of it.

>
> ...david (former member of a team of engineers who built and maintained
> a 220,000 seat multicast video network)

Cool.
I did a 3 seat multicast video network, and honestly am largely ignorant of multicast over the Internet (on my list!) but do listen to people discuss it. :P

Jack

From tony at lava.net Thu Dec 2 15:38:40 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 11:38:40 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>

On Thu, 2 Dec 2010, Jay Ashworth wrote:

> Oh: and all the extra servers and switches necessary to set that up?
> *Way* more power than the equivalent transmitters and TV sets. Even if
> you add in the cable headends, I suspect.

Have you heard of multicast? :)

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From jra at baylink.com Thu Dec 2 15:42:05 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 16:42:05 -0500 (EST)
Subject: CAP / WARN / iPAWS
In-Reply-To: <4CF80BFE.1090801@brightok.net>
Message-ID: <18994398.232.1291326125283.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Jack Bates"
>
> What would be really awesome (unless I've missed it) is Internet
> access to the emergency broadcast system and local weather services; all
> easily handled with multicast.

Ah, something I know something about for a change. :-)

In fact, there's some work in progress on this topic, Jack; FEMA is working on replacing the EAS -- which itself replaced EBS, and earlier, Conelrad -- with a new system called iPAWS: The Integrated Public Alert and Warning System.

At the moment, they're working on the "replace the EAS backbone" part of it, which work is about a year behind schedule, and everyone wants an extension, but there are other useful places to apply some effort. I'm a designer, not a coder, so I've been piddling around in the part I'm good at; thinking about design.
Some of the results are here:

http://www.incident.com/cookbook/index.php/Rough_consensus_and_running_code

and

http://www.incident.com/cookbook/index.php/Alerting_And_Readiness_Framework

and I invite off-list email from anyone who has suggestions to toss in the pot.

Cheers,
-- jra

(I would like to subject-unthread this, but my mailer is too stupid. Sorry)

From darren at bolding.org Thu Dec 2 15:42:45 2010
From: darren at bolding.org (Darren Bolding)
Date: Thu, 2 Dec 2010 13:42:45 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: <17AA7C0E-5BE9-400F-8C23-3596A5772B44@cs.columbia.edu>
References: <29638373.226.1291323255039.JavaMail.root@benjamin.baylink.com> <17AA7C0E-5BE9-400F-8C23-3596A5772B44@cs.columbia.edu>

One thing to be aware of- if you are going to be connecting gear with bigger current draws- Cisco 6509's, most blade enclosures etc. come to mind- then many of them effectively require 208V C19 connectors.

There are not as many power strips out there that provide sufficient numbers of C19 connectors as would be desired, particularly if you want remote switched power.

In that case 3 Phase power becomes more attractive. Since many datacenters are moving towards consolidation on Blades with SAN backend storage, it is worth keeping in mind.

In the current DC's we support, we find the only need for 120V is for laptops and such, which is solved by "convenience outlets" that are not on the UPS plant. We always get at least two 120V circuits just in case they are needed, but haven't had any requirements for them recently.

--D

On Thu, Dec 2, 2010 at 1:22 PM, Steven Bellovin wrote:

>
> On Dec 2, 2010, at 3:54:15 PM, Jay Ashworth wrote:
>
> > ----- Original Message -----
> >> From: "Ingo Flaschberger"
> >>
> >> in Europe GFIs are always needed for protection and by law.
> >> to avoid the cascading effects the GFCIs are better.
> >> break current ranges from 10mA (bath) up to 300mA; for servers I use
> >> the 30mA with pulse protection (internal delay) to avoid the server
> >> power supply capacitor loading GFCIs "flip".
> >
> > And that, indeed, is one of the circumstances in which Chris Lewis and
> > Steve Bellovin's Wiring FAQ suggests that you should *not* use a GFCI:
> > in places where the inevitable "nuisance trip" is troublesome, like
> > powering servers.
> >
> > That FAQ is a bit dated, of course.
>
> Indeed; it's been unmaintained for quite a number of years at this point.
>
> The major place I personally have trouble with GFCIs is on things with
> big motors, and in particular my basement dehumidifier -- a place I really
> want a GFCI because we've occasionally had water problems...
>
> >
> > And indeed, I never liked GFCI breakers for the usages for which they're
> > mandated in the US, 'cause the milliamp currents they're supposed to trip
> > on are no match for all that copper resistance...
> >
> Wire resistance shouldn't matter. A GFCI is measuring the current in the
> hot wire compared to the current in the neutral wire; if they differ by
> more than about 5 milliamps, the device trips. That's why motors cause
> problems: the inductance of the windings can cause a brief current imbalance.
>
> Anyway -- in response to the original question: the US electrical code
> requires GFCI protection for outlets in kitchens, bathrooms, or unfinished
> basements, for outdoor outlets, and for any other outlet near water.
> Canada has slightly different rules, or at least it did when we last updated
> the FAQ (Chris Lewis is Canadian): their code requires that every duplex
> kitchen outlet be served by two separate circuits, which generally share a
> common neutral. A simple outlet GFCI can't handle that setup, since the
> actual current flowing through the neutral will vary depending on the loads
> on the two hot wires.
> You'd need a specialized outlet or breaker GFCI that
> summed the current across all three wires; such devices may exist but I've
> never seen them. (Btw -- the usual reason for using outlet GFCIs is that
> they're much cheaper than breaker versions.)
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>

--
-- Darren Bolding --
-- darren at bolding.org --

From tony at lava.net Thu Dec 2 15:44:27 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 11:44:27 -1000 (HST)
Subject: The scale of streaming video on the Internet.
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>

On Thu, 2 Dec 2010, david raistrick wrote:

> If you, the multicast broadcaster, don't have extensive control of the
> -entire- end to end IP network, it will be significantly broken significant
> amounts of the time.
>
>
> ...david (former member of a team of engineers who built and maintained a
> 220,000 seat multicast video network)

Which points to the need for service providers to deploy robust multicast routing.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From if at xip.at Thu Dec 2 15:46:19 2010
From: if at xip.at (Ingo Flaschberger)
Date: Thu, 2 Dec 2010 22:46:19 +0100 (CET)
Subject: Want to move to all 208V for server racks
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com>

> It is probably worth noting that a 3-phase input in Europe is actually
> 240/415 volt Y (for every panel I have seen in Germany at least, even
> the places I have lived there had 240/415 three phase). The normal 240v
> single phase outlet circuits were the phase to neutral voltage.
> Obviously Europe also runs at 50 hz vs 60 in the US as well but the
> three phase still works the same way.
>
> A Europe 64 amp 240/415 circuit is pretty close to equivalent to a
> 277/480 Y configured 60 amp circuit in the US. The biggest notable
> difference is that equipment that runs on two different service voltage
> ranges where Europe has far less need for in-building step-down
> transformers since even small loads work on the phase-to-neutral voltage
> of the big services. I always find it interesting in the US to note how
> many 480v to 120/208Y step-down transformers one can find in a big
> building or datacenter.
>

aeh.. 230V / 400V is the right voltage in technical terms in most European countries. (years ago it was 220V / 380V, before it was decided to go up with the voltage)

and in bigger datacenters there are also step down transformers from 10kV down.

Kind regards,
Ingo Flaschberger

From tony at lava.net Thu Dec 2 15:50:32 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 11:50:32 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF80BFE.1090801@brightok.net>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>

On Thu, 2 Dec 2010, Jack Bates wrote:

> What would be really awesome (unless I've missed it) is Internet access to
> the emergency broadcast system and local weather services; all easily handled
> with multicast.

NWS transmits their NOAAPORT data as a multicast stream from geostationary satellites. All someone has to do (actually it would make more sense if NOAA/NWS did this themselves and bypass the satellites) is to gateway that stuff onto the Internet MBONE. NOAAPORT already has globally-assigned multicast addresses and port numbers reserved for it.
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From sethm at rollernet.us Thu Dec 2 15:57:37 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 02 Dec 2010 13:57:37 -0800
Subject: Want to move to all 208V for server racks
References: <29638373.226.1291323255039.JavaMail.root@benjamin.baylink.com> <17AA7C0E-5BE9-400F-8C23-3596A5772B44@cs.columbia.edu>
Message-ID: <4CF81651.3090402@rollernet.us>

On 12/2/2010 13:42, Darren Bolding wrote:
> One thing to be aware of- if you are going to be connecting gear with bigger
> current draws- Cisco 6509's, most blade enclosures etc. come to mind- then
> many of them effectively require 208V C19 connectors.

Even smaller stuff like a 2U server will have multiple ratings on the PSU these days: you will only get full capacity out of it at high voltage. Plus, almost any modern PSU will run at higher efficiency compared to 120V.

> There are not as many power strips out there that provide sufficient numbers
> of C19 connectors as would be desired, particularly if you want remote
> switched power.
>
> In that case 3 Phase power becomes more attractive. Since many datacenters
> are moving towards consolidation on Blades with SAN backend storage, it is
> worth keeping in mind.
>

Most blade enclosures can be found with three-phase power supply options as well, making it even more convenient. When they take three-phase directly it's usually a pair of 20A circuits and you're good for full capacity.

~Seth

From drais at icantclick.org Thu Dec 2 16:01:27 2010
From: drais at icantclick.org (david raistrick)
Date: Thu, 2 Dec 2010 17:01:27 -0500 (EST)
Subject: The scale of streaming video on the Internet.
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>

On Thu, 2 Dec 2010, Antonio Querubin wrote:

>> -entire- end to end IP network, it will be significantly broken significant
>> amounts of the time.
>
> Which points to the need for service providers to deploy robust multicast
> routing.

No doubt - it also points to multicast itself needing a bit more sanity and flexibility for implementation. When you have to tune -every- l3 device along the path for each stream, well....

As Owen pointed out, perhaps carriers will eventually be motivated to make this happen in order to reduce their own bandwidth costs. Eventually.

In the meantime, speaking with my content hat on, we stick with unicast. :)

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org http://www.expita.com/nomime.html

From jfbeam at gmail.com Thu Dec 2 16:07:08 2010
From: jfbeam at gmail.com (Ricky Beam)
Date: Thu, 02 Dec 2010 17:07:08 -0500
Subject: Want to move to all 208V for server racks
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>

On Thu, 02 Dec 2010 13:39:16 -0500, Kevin Day wrote:
> You can get breakers with GFIs built into them (called GFCIs), but
> they're favored less than putting them at the outlet. ...

I think they are now a violation of the NEC. And they were delisted by UL years ago. They pose a hazard as they will not react fast enough to prevent a fatal shock. (and the only ones I've ever seen were outlawed as the breaker itself was a fire hazard.)

--Ricky

From jra at baylink.com Thu Dec 2 16:08:39 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 17:08:39 -0500 (EST)
Subject: The scale of streaming video on the Internet.
Message-ID: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Antonio Querubin"
>
> On Thu, 2 Dec 2010, Jay Ashworth wrote:
> > Oh: and all the extra servers and switches necessary to set that up?
> > *Way* more power than the equivalent transmitters and TV sets. Even
> > if you add in the cable headends, I suspect.
>
> Have you heard of multicast? :)

Yes, Tony, but they can't *count the connected users that way*, you see.

For my part, as someone who used to run a small edge network, what I wonder is this: is there a multicast repeater daemon of some sort, where I can put it on my edge, and have it catch any source requested by an inside user and re-multicast it to my LAN, so that my uplink isn't loaded by multiple connections?

Or do I need to take the Multicast class again? :-)

Cheers,
-- jra

From mpetach at netflight.com Thu Dec 2 16:10:29 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Thu, 2 Dec 2010 14:10:29 -0800
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <4CF7AD02.4030106@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>

On Thu, Dec 2, 2010 at 6:28 AM, William Allen Simpson wrote:
> [Changed long CC list to BCC]
...
> The Ou article makes no sense at all! It's based on the premise that Level 3
> and Comcast are peering, and that traffic should be symmetric. Everywhere else,
> the articles and pundits indicate that Comcast is a transit customer of
> Level 3.

So, one wonders why Level3 didn't just say "look, I'm the vendor, you're the customer; the customer pays the vendor for service, period. If you don't like the current contract, you can request a renegotiation, or you can submit your notice to terminate, based on the termination clauses listed in the contract (including whatever penalties are included for early termination)."

I've never seen another case of a customer trying to bill their upstream provider, without being summarily laughed at.
I hope this doesn't set a precedent, where customers of transit providers can turn around and decide that "transit" only means "outbound bit transit", and "inbound bits" are fair game for reverse billing. If it does, it's going to completely eliminate "transit" as a commercial offering; instead, we'll all be stuck doing settlements in every direction for traffic...and that's just *way* too much paperwork. ^_^;

Matt
(speaking only for the small pile of lint that accumulated under my head after falling asleep under my desk while trying to write this message many hours ago, and certainly not for any employer, ever)

From tony at lava.net Thu Dec 2 16:17:37 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 12:17:37 -1000 (HST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Thu, 2 Dec 2010, Ricky Beam wrote:
> I think they are now a violation of the NEC. And they were delisted by UL years ago. They pose a hazard as they will not react fast enough to prevent a fatal shock. (and the only ones I've ever seen were outlawed as the breaker itself was a fire hazard.)

You sure about that? GFCI breakers as well as their close cousins AFCIs are still being sold and bought at hardware stores.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From jbates at brightok.net Thu Dec 2 16:22:24 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 02 Dec 2010 16:22:24 -0600
Subject: The scale of streaming video on the Internet.
In-Reply-To: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
Message-ID: <4CF81C20.6000001@brightok.net>

On 12/2/2010 4:08 PM, Jay Ashworth wrote:
> Yes, Tony, but they can't *count the connected users that way*, you see.

Actually, given content protection, I highly expect any device receiving multicast video to also have a session open to handle various things, possibly even getting keys for decrypting streams. I doubt they want anyone hijacking a video stream.

I also expect to see video shifting to region specific commercials. After all, why charge just one person for a commercial timeslot, when you can charge hundreds or thousands, each for their own local audience; more if they want national.

> For my part, as someone who used to run a small edge network, what I wonder is this: is there a multicast repeater daemon of some sort, where I can put it on my edge, and have it catch any source requested by an inside user and re-multicast it to my LAN, so that my uplink isn't loaded by multiple connections?

If it's actual multicast, it should be there already. I've seen a few interesting daemons for taking unicast and splitting it out, though. Buddy had a little perl script setup with replay-tv which allowed a master connection who could control the replay-tv, and then all other connections were view only. Was simple and cute.

> Or do I need to take the Multicast class again? :-)

I sure as hell need to read up again. I keep getting sidetracked with other things. Perhaps after I wrap up the IPv6 rollout, I can get back to Multicast support. I believe most of my NSPs support it, I just never have time to iron out the details to a level I'm comfortable enough to risk my production routers.
Jack

From nathan at robotics.net Thu Dec 2 16:26:51 2010
From: nathan at robotics.net (Nathan Stratton)
Date: Thu, 2 Dec 2010 16:26:51 -0600 (CST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Thu, 2 Dec 2010, Ricky Beam wrote:
> On Thu, 02 Dec 2010 13:39:16 -0500, Kevin Day wrote:
> > You can get breakers with GFIs built into them (called GFCIs), but they're favored less than putting them at the outlet. ...
>
> I think they are now a violation of the NEC. And they were delisted by UL years ago. They pose a hazard as they will not react fast enough to prevent a fatal shock. (and the only ones I've ever seen were outlawed as the breaker itself was a fire hazard.)

They are????

Bought some at Grainger the other day.
http://www.grainger.com/Grainger/wwg/search.shtml?searchQuery=GFCI+breaker&op=search&Ntt=GFCI+breaker&N=0&sst=subset

Home Depot also must have missed this:
http://www.homedepot.com/webapp/wcs/stores/servlet/Search?keyword=gfci+breaker&langId=-1&storeId=10051&catalogId=10053

><>
Nathan Stratton
CTO, BlinkMind, Inc.
nathan at robotics.net nathan at blinkmind.com
http://www.robotics.net http://www.blinkmind.com

From tony at lava.net Thu Dec 2 16:31:54 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 12:31:54 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Thu, 2 Dec 2010, Jay Ashworth wrote:
> Yes, Tony, but they can't *count the connected users that way*, you see.

There are various ways to do that. E.g. Windows Media Server can log multicast Windows Media Clients.
> For my part, as someone who used to run a small edge network, what I wonder is this: is there a multicast repeater daemon of some sort, where I can put it on my edge, and have it catch any source requested by an inside user and re-multicast it to my LAN, so that my uplink isn't loaded by multiple connections?

You might want to take a look at AMT:

http://tools.ietf.org/html/draft-ietf-mboned-auto-multicast-10

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From mikea at mikea.ath.cx Thu Dec 2 16:32:17 2010
From: mikea at mikea.ath.cx (mikea)
Date: Thu, 2 Dec 2010 16:32:17 -0600
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID: <20101202223217.GA28464@mikea.ath.cx>

On Thu, Dec 02, 2010 at 12:17:37PM -1000, Antonio Querubin wrote:
> On Thu, 2 Dec 2010, Ricky Beam wrote:
>
> > I think they are now a violation of the NEC. And they were delisted by UL years ago. They pose a hazard as they will not react fast enough to prevent a fatal shock. (and the only ones I've ever seen were outlawed as the breaker itself was a fire hazard.)
>
> You sure about that? GFCI breakers as well as their close cousins AFCIs are still being sold and bought at hardware stores.

A quick browse of www.homedepot.com and www.lowes.com shows that both of them sell GFCI breakers online and in the stores local to me. Moreover, the UL website (www.ul.com) doesn't say anything about GFCI breakers being delisted, and _does_ mention GFCI breakers as one of three types of GFCI devices.
--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From gary.buhrmaster at gmail.com Thu Dec 2 16:40:36 2010
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Thu, 2 Dec 2010 22:40:36 +0000
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Thu, Dec 2, 2010 at 22:07, Ricky Beam wrote:
...
> I think they are now a violation of the NEC. And they were delisted by UL years ago. They pose a hazard as they will not react fast enough to prevent a fatal shock. (and the only ones I've ever seen were outlawed as the breaker itself was a fire hazard.)

While I do not have a copy of NFPA 70-2011 (the latest, released a few months ago), my reading of NFPA 70-2008 still allows GFCI breakers (NFPA 70 is the official name for NEC). Personally, I prefer to specify and use GFCI outlets (and I tend to not daisy chain) so that the fault is next to the use (and no collateral outages occur). Of course, specific breakers may not meet the newest requirements.

From tony at lava.net Thu Dec 2 16:41:32 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 12:41:32 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF81C20.6000001@brightok.net>
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com> <4CF81C20.6000001@brightok.net>
Message-ID:

On Thu, 2 Dec 2010, Jack Bates wrote:
> I sure as hell need to read up again. I keep getting sidetracked with other things. Perhaps after I wrap up the IPv6 rollout, I can get back to Multicast support. I believe most of my NSPs support it, I just never have time to iron out the details to a level I'm comfortable enough to risk my production routers.
With the pending large scale IPv6 deployment across the Internet, service providers have a unique opportunity to deploy IPv6 multicast alongside IPv6 unicast instead of trying to shim it in afterwards. The various IPv6 wikis could use a good sprinkling of multicast howtos.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From tony at lava.net Thu Dec 2 16:44:31 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 12:44:31 -1000 (HST)
Subject: Want to move to all 208V for server racks
In-Reply-To: <20101202223217.GA28464@mikea.ath.cx>
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101202223217.GA28464@mikea.ath.cx>
Message-ID:

On Thu, 2 Dec 2010, mikea wrote:
> A quick browse of www.homedepot.com and www.lowes.com shows that both of them sell GFCI breakers online and in the stores local to me. Moreover, the UL website (www.ul.com) doesn't say anything about GFCI breakers being delisted, and _does_ mention GFCI breakers as one of three types of GFCI devices.

Yep I just did the same check. I think the delisting may have applied to specific models from specific manufacturers. I just don't see UL delisting all GFCI breakers.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From gary.buhrmaster at gmail.com Thu Dec 2 16:48:11 2010
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Thu, 2 Dec 2010 22:48:11 +0000
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Thu, Dec 2, 2010 at 22:17, Antonio Querubin wrote:
...
> You sure about that?
> GFCI breakers as well as their close cousins AFCIs are still being sold and bought at hardware stores.

I am not sure I would call AFCIs a close cousin to the GFCI (except that they are both more expensive than a non-xFCI breaker). They serve different purposes. The (arc) faults that AFCIs are designed to interrupt would commonly be passed through the GFCI without notice. GFCIs are designed to protect people from shock, and AFCIs are designed to protect against fire from the arc (which also tends to protect people, but less directly).

From morrowc.lists at gmail.com Thu Dec 2 16:49:53 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 2 Dec 2010 17:49:53 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>
Message-ID:

On Thu, Dec 2, 2010 at 5:10 PM, Matthew Petach wrote:
> fair game for reverse billing. If it does, it's going to completely eliminate "transit" as a commercial offering; instead, we'll all be stuck doing settlements in every direction for traffic...and that's just *way* too much paperwork. ^_^;

oh! that's the LD network.. that worked out so darned well, can we do it again? and can we have the ITU manage it for us? please? please? please?
:)

-chris

From jfbeam at gmail.com Thu Dec 2 17:02:08 2010
From: jfbeam at gmail.com (Ricky Beam)
Date: Thu, 02 Dec 2010 18:02:08 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <17354757.202.1291307536655.JavaMail.root@benjamin.baylink.com> <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID:

On Thu, 02 Dec 2010 17:26:51 -0500, Nathan Stratton wrote:
> They are????
>
> Bought some at Grainger the other day.

Just because someone is selling them doesn't mean they meet building codes. (esp. for residential use.) None of the dozen or so licensed electricians I've ever talked to will use them. None of my local Lowes stock anything you'd use in a home. (60A breakers?) [of course, their website does lie.] And some of those available online are not UL listed.

I know the ones I've seen installed (circa 1980) were delisted -- GE sent notice to the electricians that installed them.

--Ricky

From owen at delong.com Thu Dec 2 17:18:22 2010
From: owen at delong.com (Owen DeLong)
Date: Thu, 2 Dec 2010 15:18:22 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
Message-ID: <6D9813A7-5A18-4F8F-8B6B-82D65CF69CEB@delong.com>

On Dec 2, 2010, at 2:08 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Antonio Querubin"
>>
>> On Thu, 2 Dec 2010, Jay Ashworth wrote:
>>> Oh: and all the extra servers and switches necessary to set that up?
>>>
>>> *Way* more power than the equivalent transmitters and TV sets. Even if you add in the cable headends, I suspect.
>>
>> Have you heard of multicast? :)
>
> Yes, Tony, but they can't *count the connected users that way*, you see.

Sure you can.
> For my part, as someone who used to run a small edge network, what I wonder is this: is there a multicast repeater daemon of some sort, where I can put it on my edge, and have it catch any source requested by an inside user and re-multicast it to my LAN, so that my uplink isn't loaded by multiple connections?

Sounds like you are describing a rendezvous point, but, perhaps I am misunderstanding your intent.

Owen

From owen at delong.com Thu Dec 2 17:15:57 2010
From: owen at delong.com (Owen DeLong)
Date: Thu, 2 Dec 2010 15:15:57 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>
Message-ID: <3D4A684A-1977-4367-864D-CBA3F3D4796C@delong.com>

On Dec 2, 2010, at 2:01 PM, david raistrick wrote:
> On Thu, 2 Dec 2010, Antonio Querubin wrote:
>
>>> -entire- end to end IP network, it will be significantly broken significant amounts of the time.
>>
>> Which points to the need for service providers to deploy robust multicast routing.
>
> No doubt - it also points to multicast itself needing a bit more sanity and flexibility for implementation. When you have to tune -every- l3 device along the path for each stream, well....

It's not quite that bad. I've done multiple multicast implementations where this was utterly unnecessary, but, it does take some configuration on most L3 devices to make it work reasonably well.

> As Owen pointed out, perhaps carriers will eventually be motivated to make this happen in order to reduce their own bandwidth costs. Eventually.
>
> In the meantime, speaking with my content hat on, we stick with unicast. :)

Wrong answer, IMHO. Where it makes sense, use multicast with a fast fallback to unicast if multicast isn't working. In this way, it helps build the case that deploying multicast will save $$$.
Without it, the mantra will be "Multicast doesn't matter, even if we implement it, none of the content will use it."

Owen

From horms at verge.net.au Thu Dec 2 17:21:01 2010
From: horms at verge.net.au (Simon Horman)
Date: Fri, 3 Dec 2010 08:21:01 +0900
Subject: RINA - scott whaps at the nanog hornets nest :-)
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14C7F2@RWC-EX1.corp.seven.com>
References: <5A6D953473350C4B9995546AFE9939EE0B14C7E6@RWC-EX1.corp.seven.com> <20101107033158.GA3640@burnout.tpb.net> <5A6D953473350C4B9995546AFE9939EE0B14C7E8@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE0B14C7E9@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE0B14C7EC@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE0B14C7EF@RWC-EX1.corp.seven.com> <5A6D953473350C4B9995546AFE9939EE0B14C7F2@RWC-EX1.corp.seven.com>
Message-ID: <20101202232101.GA14193@verge.net.au>

On Sun, Nov 07, 2010 at 01:42:33AM -0700, George Bonser wrote:
> > > I guess you didn't read the links earlier. It has nothing to do with stack tweaks. The moment you lose a single packet, you are toast. And
> >
> > TCP SACK.
>
> Certainly helps but still has limitations. If you have too many packets in flight, it can take too long to locate the SACKed packet in some implementations, this can cause a TCP timeout and resetting the window to 1. It varies from one implementation to another. The above was for some implementations of Linux. The larger the window (high speed, high latency paths) the worse this problem is. In other words, sure, you can get great performance but when you hit a lost packet, depending on which packet is lost, you can also take a huge performance hit depending on who is doing the talking or what they are talking to.
>
> Common advice on stack tuning "for very large BDP paths where the TCP window is > 20 MB, you are likely to hit the Linux SACK implementation problem.
> If Linux has too many packets in flight when it gets a SACK event, it takes too long to locate the SACKed packet, and you get a TCP timeout and CWND goes back to 1 packet. Restricting the TCP buffer size to about 12 MB seems to avoid this problem, but clearly limits your total throughput. Another solution is to disable SACK." Even if you don't have such a system, you might be talking to one.

Do you know if any work is being done on resolving this problem? It seems that work in that area might be more fruitful than banging your head against increasing the MTU.

> But anyway, I still think 1500 is a really dumb MTU value for modern interfaces and unnecessarily retards performance over long distances.

From deepak at ai.net Thu Dec 2 17:50:46 2010
From: deepak at ai.net (Deepak Jain)
Date: Thu, 2 Dec 2010 18:50:46 -0500
Subject: Domain shut downs by Registrar?
Message-ID:

Has this process matured or is it still a wild-west kind of thing?

Last time I saw this, it was with a LARGE registrar and we had to threaten them with a TRO before they'd even put their lawyers on the phone. It was a few years ago.

This time the issue is with DOTSTER and they never even bothered to contact our support desk about the issue with the customer domain (and we're listed as the support contact, etc).

So if anyone has any advice, or anyone from DOTSTER wants to contact me offline, that'd be great.

Thanks in advance,

DJ

From ryan.finnesey at HarrierInvestments.com Thu Dec 2 17:59:05 2010
From: ryan.finnesey at HarrierInvestments.com (Ryan Finnesey)
Date: Thu, 2 Dec 2010 15:59:05 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <20101202202151.GA65475@ussenterprise.ufp.org> <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com>
Message-ID: <6EFFEFBAC68377459A2E972105C759EC032BFABD@EXVBE005-2.exch005intermedia.net>

I have TWC in NYC. I see now I can restart most of the shows I watch. How is this done?
Cheers
Ryan

-----Original Message-----
From: Alex Rubenstein [mailto:alex at corp.nac.net]
Sent: Thursday, December 02, 2010 3:57 PM
To: Jay Ashworth; NANOG
Subject: RE: The scale of streaming video on the Internet.

> *Way* more power than the equivalent transmitters and TV sets. Even if you add in the cable headends, I suspect.

Yeah, but...

This is really not comparable. Transmitters and TV sets require that everyone watch what is being transmitted. People (myself included) don't like, or don't want this method anymore. I want to watch what I want, when I want to.

This is the new age of media. Out with the old.

From jra at baylink.com Thu Dec 2 18:02:40 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 19:02:40 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
Message-ID: <30038744.246.1291334560477.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Antonio Querubin"
>
> Yep I just did the same check. I think the delisting may have applied to specific models from specific manufacturers. I just don't see UL delisting all GFCI breakers.

Clearly, some intermediate gateway set the evil bit on Steven's message.

Cheers,
-- jra

From bross at pobox.com Thu Dec 2 18:19:51 2010
From: bross at pobox.com (Brandon Ross)
Date: Thu, 2 Dec 2010 19:19:51 -0500 (EST)
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>
Message-ID:

On Thu, 2 Dec 2010, Matthew Petach wrote:
> So, one wonders why Level3 didn't just say "look, I'm the vendor, you're the customer; the customer pays the vendor for service, period.

There's no wonder here at all.
It's not at all hard to imagine the conversation:

Level3: I'm the vendor, you're the customer; the customer pays the vendor for service, period.

Comcast: Okay vendor, we aren't going to pay you any more. Go ahead and shut down our circuits. We'll go ahead and pay you the early termination penalties or whatever, but keep in mind that the Level3 network has no way to reach Comcast through any other path thanks to our clever routing tricks, so your customers, including Netflix, won't be able to reach our customers.

Level3: But, but, but, you are the customer!

Comcast: Go ahead, shut us down, we dare you. Perhaps you'll want to find someone to buy transit from that CAN reach us?

I have to say, it's not that hard to imagine because it's exactly what I would have done in their position. If I were them, I would then proceed to do the exact same thing to every other "vendor" that they have until they are a transit free network. Then I might even start demanding payments from my peers. Why not? Comcast has all the power. It's exactly what the government has incentivized them to do by allowing them to have all of those cable monopolies around the country. That's right, government is the real problem here, Comcast is simply acting in their own best interest.

Now where did I put that CMCS stock...

--
Brandon Ross
AIM: BrandonNRoss
ICQ: 2269442
Skype: brandonross
Yahoo: BrandonNRoss

From jra at baylink.com Thu Dec 2 18:21:57 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 19:21:57 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
Message-ID: <6525309.254.1291335717065.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Ricky Beam"
>
> Just because someone is selling them doesn't mean they meet building codes. (esp. for residential use.) None of the dozen or so licensed electricians I've ever talked to will use them.

The breakers, I assume you mean.

> None of my local Lowes stock anything you'd use in a home.
> (60A breakers?) [of course, their website does lie.] And some of those available online are not UL listed.
>
> I know the ones I've seen installed (circa 1980) were delisted -- GE sent notice to the electricians that installed them.

This page:

http://www.hilo-electric.com/blank?pageid=63

suggests that 2008 code still *permits* them, but neither it nor the concurring Wikipedia article mentions the category having been delisted or manufacture-discontinued. And indeed, I had little luck with Google trying to find evidence of mass delistings of GFCI breakers.

Cheers,
-- jr 'are we off-topic enough, now? :-)' a

From bill at herrin.us Thu Dec 2 18:25:27 2010
From: bill at herrin.us (William Herrin)
Date: Thu, 2 Dec 2010 19:25:27 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: <927EC1B9-426B-43C3-A908-A1D46B30F326@gibbard.org>
References: <927EC1B9-426B-43C3-A908-A1D46B30F326@gibbard.org>
Message-ID:

On Thu, Dec 2, 2010 at 4:28 PM, Steve Gibbard wrote:
> Regardless of whether the apartment broker comparison holds up, there are many examples of what economists call two-sided markets:
>
> http://en.wikipedia.org/wiki/Two-sided_market
>
> They don't all have the same fee-splitting systems, and you can find an example to cite as precedent for just about any system you could reasonably advocate. An example raised in a talk I heard a few years ago was of scholarly journals that collect money from both their subscribers and their authors. The authors need to be published in order to get tenure, and the readers pay because they want to know what the authors are saying.

Hi Steve,

You've picked a poor example. I had some exposure to that earlier in my career. The rags you're talking about tend to have very poor reputations in academia, and while they do have an official cover price, they have virtually no paid readership.
Like unaccredited correspondence classes, they exist primarily to help young and second-tier scientists flesh out their CVs.

In fact, if you go through the list in the first paragraph on your referenced Wikipedia article you'll find that most of them have a well defined paying customer on one side and what you might refer to as an "entity of importance to the customer" on the other. The yellow pages for example - the advertisers are the customer. The recipients are important to the customer (hence important to the publisher) but they are not the customer and they don't pay for the phone book.

As an eyeball network, the content providers are certainly entities of importance to your customer. But if the yellow pages is your reference, that's all the more reason the content providers shouldn't have to pay you.

That having been said, there are some examples of your two-sided markets that are relevant. Here are three:

1. The newspaper. You pay for a copy. The advertisers pay to put ads in it.

2. The telephone. You pay for a phone. Anyone who wants to call you also pays.

3. The credit card. You pay annual fees, interest charges and late fees. The merchant also pays a transaction fee.

So, let's scrutinize these examples for insight into how they could apply to an ISP wanting to bill both Joe Blow and Netflix.

1. The newspaper. Yep, they certainly burn both ends of the candle. And in a -strongly competitive market- they're dying for it in the face of TV news and web sites which don't. But dig a little closer... the majority of their revenue on the recipient side is folks buying the paper for the articles. The ads are merely along for the ride. Indeed, the consumer rarely buys a publication primarily for its paid advertising -- examples exist but are fleeting. The publications which do consist of solely paid advertising tend to arrive in the consumer's mailbox without charge.
Lesson: you can bill the content provider if the consumer doesn't care about receiving his content AND is receiving enough content you buy for him that he's willing to keep paying you. Helpful for the ISP situation? Yeah - it says if you can get one side of the market to give you, for free, what the other side is willing to pay for, you're ahead of the game. Don't get greedy!

2. The phone. This has been around the regulatory block a few times, usually to the phone company's detriment. The ILECs were compelled to set an interconnect tariff that allowed all comers with exactly the same terms. So they said, "well, we don't want little competitors cherry picking office buildings so we'll set the tariff as originator-pays per minute." And then ISPs came along with massive receive-only call banks and lo and behold some of the little competitors figured out they could make enough money requiring the telco to pay them minute charges to give the phone lines to the ISPs for free.

Lesson: Trying to get money from both ends while a monopoly can be a long and tortuous road to regulatory hell.

3. The credit card. Wait a minute, what do you mean the merchant pays the bank a percentage of each transaction? The merchant doesn't pay the bank anything! The consumer (the customer) pays the bank, the bank keeps part of it and then the bank pays the rest of it to the merchant. And you better keep them both happy -- you face stiff competition from cash.

Lesson: In a competitive environment, being the billing agent for the supplier can be a value add. But that doesn't exactly help you when you think you want the supplier to pay you too....

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ......................
Web:
Falls Church, VA 22042-3004

From jra at baylink.com Thu Dec 2 18:26:05 2010
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 2 Dec 2010 19:26:05 -0500 (EST)
Subject: OT: how smart cable TV works
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC032BFABD@EXVBE005-2.exch005intermedia.net>
Message-ID: <2066459.256.1291335965634.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Ryan Finnesey"
>
> I have TWC in NYC. I see now I can restart most of the shows I watch. How is this done?

On digital cable systems, it's because your cable box is now really a GoogleTV/Rokubox like thing that only looks like a "cable converter". You tell it to pause, it allocates a channel for you, and -- courtesy of a Supreme Court decision last year -- turns into a remote node for a massive DVR in the headend.

Same way they do all the on-demand stuff.

Is it the same MPEG encoding that came out of the station/network's MPEG encoder? Almost certainly not. Is it the same bitrate? Hell^no.

Cheers,
-- jra

From mpetach at netflight.com Thu Dec 2 18:56:47 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Thu, 2 Dec 2010 16:56:47 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com>
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com>
Message-ID:

On Thu, Dec 2, 2010 at 1:02 PM, Owen DeLong wrote:
...
> As to the emergency broadcast system, yeah, that's going to lose.

Didn't we already replace that with twitter?

Matt

From jeremy at evilrouters.net Thu Dec 2 20:12:57 2010
From: jeremy at evilrouters.net (Jeremy L. Gaddis)
Date: Thu, 2 Dec 2010 21:12:57 -0500
Subject: FUD: 15% of world's internet traffic hijacked
In-Reply-To:
References: <20101117164514.GA2251@tico.tsc.com> <7CA63A8B-3687-4417-A586-46A7EB658AD6@the-watsons.org>
Message-ID:

Hanlon's razor?
On Dec 1, 2010 6:43 PM, "Brett Watson" wrote:
>
> On Dec 1, 2010, at 4:17 PM, Christopher Morrow wrote:
>
>> sometimes I love to pull your chain... :) I agree though that folks won't publish this data (in general) directly, for whatever reason. Also, right '15% of traffic' really should have been '15% of routes*'
>
> Agreed, I should have been more clear. I wasn't implying that much traffic either, but rather "15% of global prefixes."
>
> I was more focused on, "Seems clear enough that traffic *transited* China ASNs, as opposed to being blackholed as we've seen in many hijacks.
>
> Further, in hopes of generating discussion... I've seen a lot of comments along the lines of "this was likely an accident, misconfiguration, or fat-finger..."
>
> I'm having a really hard time figuring how, if traffic not only diverted to China but *transited* China, this could be any kind of mistake. I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination.
>
> I can't seem to work all of that out into any kind of "accident."
>
> Anyone?
>
> -b

From tme at americafree.tv Thu Dec 2 21:05:40 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Thu, 2 Dec 2010 22:05:40 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com>
Message-ID: <92F8B6C9-AA17-4848-9B85-6726BA8EC111@americafree.tv>

On Dec 2, 2010, at 5:31 PM, Antonio Querubin wrote:
> On Thu, 2 Dec 2010, Jay Ashworth wrote:
>
>> Yes, Tony, but they can't *count the connected users that way*, you see.
>
> There are various ways to do that. E.g. Windows Media Server can log multicast Windows Media Clients.
>
>> For my part, as someone who used to run a small edge network, what I wonder
>> is this: is there a multicast repeater daemon of some sort, where I can put
>> it on my edge, and have it catch any source requested by an inside user and
>> re-multicast it to my LAN, so that my uplink isn't loaded by multiple
>> connections?
>
> You might want to take a look at AMT:
>
> http://tools.ietf.org/html/draft-ietf-mboned-auto-multicast-10

Correct. That is exactly the problem AMT is intended to solve.

Regards
Marshall

>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp: tony at lava.net
>
>

From tme at americafree.tv Thu Dec 2 21:18:13 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Thu, 2 Dec 2010 22:18:13 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com> <4CF81C20.6000001@brightok.net>
Message-ID:

On Dec 2, 2010, at 5:41 PM, Antonio Querubin wrote:

> On Thu, 2 Dec 2010, Jack Bates wrote:
>
>> I sure as hell need to read up again. I keep getting sidetracked with other things. Perhaps after I wrap up the IPv6 rollout, I can get back to Multicast support. I believe most of my NSPs support it, I just never have time to iron out the details to a level I'm comfortable enough to risk my production routers.
>
> With the pending large scale IPv6 deployment across the Internet, service providers have a unique opportunity to deploy IPv6 multicast alongside IPv6 unicast instead of trying to shim it in afterwards.

Note that IPv6 multicast doesn't really solve multicast problems, except that embedded RPs may make ASM easier to deploy.

> The various IPv6 wikis could use a good sprinkling of multicast howtos.
>

True. Want to help with that?
Regards
Marshall

>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp: tony at lava.net
>
>

From richard.barnes at gmail.com Thu Dec 2 21:34:37 2010
From: richard.barnes at gmail.com (Richard Barnes)
Date: Thu, 2 Dec 2010 22:34:37 -0500
Subject: CAP / WARN / iPAWS
In-Reply-To: <18994398.232.1291326125283.JavaMail.root@benjamin.baylink.com>
References: <4CF80BFE.1090801@brightok.net> <18994398.232.1291326125283.JavaMail.root@benjamin.baylink.com>
Message-ID:

There is also some work in the IETF on the more general problem of distributing early warning messages:

Right now, they're taking a pretty layer-7 approach (distributing CAP in SIP messages), but part of their charter is figuring out how this application relates to things like iPAWS, CMAS, 3GPP PWS, etc. So they will likely end up looking at some layer-2/3 aspects of the problem as well.

--Richard

On Thu, Dec 2, 2010 at 4:42 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Jack Bates"
>>
>> What would be really awesome (unless I've missed it) is Internet
>> access to the emergency broadcast system and local weather services; all
>> easily handled with multicast.
>
> Ah, something I know something about for a change. :-)
>
> In fact, there's some work in progress on this topic, Jack; FEMA is working
> on replacing the EAS -- which itself replaced EBS, and earlier, Conelrad --
> with a new system called iPAWS: The Integrated Public Alert and Warning
> System.
>
> At the moment, they're working on the "replace the EAS backbone" part of it,
> which work is about a year behind schedule, and everyone wants an extension,
> but there are other useful places to apply some effort. I'm a designer, not
> a coder, so I've been piddling around in the part I'm good at; thinking about
> design.
>
> Some of the results are here:
>
> http://www.incident.com/cookbook/index.php/Rough_consensus_and_running_code
>
> and
>
> http://www.incident.com/cookbook/index.php/Alerting_And_Readiness_Framework
>
> and I invite off-list email from anyone who has suggestions to toss in the
> pot.
>
> Cheers,
> -- jra
> (I would like to subject-unthread this, but my mailer is too stupid. Sorry)
>
>

From cmadams at hiwaay.net Thu Dec 2 21:38:04 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 2 Dec 2010 21:38:04 -0600
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com>
Message-ID: <20101203033804.GB5521@hiwaay.net>

Once upon a time, Ricky Beam said:
> Just because someone is selling them doesn't mean they meet building
> codes. (esp. for residential use.) None of the dozen or so licensed
> electricians I've ever talked to will use them.

I saw GFCI breakers installed in a new house this year, and it passed inspection. I think you experienced a recall of a specific device and are confusing that with a general removal. When Toyota recalled a model of car, that didn't mean all cars were banned.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From rdobbins at arbor.net Thu Dec 2 21:41:33 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Fri, 3 Dec 2010 03:41:33 +0000
Subject: CAP / WARN / iPAWS
In-Reply-To:
References: <4CF80BFE.1090801@brightok.net> <18994398.232.1291326125283.JavaMail.root@benjamin.baylink.com>
Message-ID: <21667373-846D-4506-A4D1-F0BE9A25B87C@arbor.net>

On Dec 3, 2010, at 10:34 AM, Richard Barnes wrote:

> So they will likely end up looking at some layer-2/3 aspects of the problem as well.
-----------------------------------------------------------------------
Roland Dobbins // 

Sell your computer and buy a guitar.

From joelja at bogus.com Thu Dec 2 21:53:06 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Thu, 02 Dec 2010 19:53:06 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com>
Message-ID: <4CF869A2.1070108@bogus.com>

On 12/2/10 4:56 PM, Matthew Petach wrote:
> On Thu, Dec 2, 2010 at 1:02 PM, Owen DeLong wrote:
> ...
>> As to the emergency broadcast system, yeah, that's going to lose.
>
> Didn't we already replace that with twitter?

quake/tsunami warnings flow via email rather quickly.

> Matt
>

From fergdawgster at gmail.com Thu Dec 2 21:59:22 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Thu, 2 Dec 2010 19:59:22 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CF869A2.1070108@bogus.com>
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com> <4CF869A2.1070108@bogus.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 2, 2010 at 7:53 PM, Joel Jaeggli wrote:

> On 12/2/10 4:56 PM, Matthew Petach wrote:
>> On Thu, Dec 2, 2010 at 1:02 PM, Owen DeLong wrote:
>> ...
>>> As to the emergency broadcast system, yeah, that's going to lose.
>>
>> Didn't we already replace that with twitter?
>
> quake/tsunami warnings flow via email rather quickly.
>

Old skool.

Twitter is much faster:

http://www.thejakartaglobe.com/home/government-disaster-advisors-twitter-hacked-used-to-send-tsunami-warning/408447

Sorry for the PGP line-wrap foo.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+GsSq1pz9mNUZTMRAtuAAKCp/MEXyQ3BgzdyCIbHsXjL5GjIpACfcxDi
n8Q7jHq2XzANIvodHr1Ml3M=
=Ts6E
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a.
Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From jmamodio at gmail.com Thu Dec 2 22:02:41 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Thu, 2 Dec 2010 22:02:41 -0600
Subject: Blocking International DNS
In-Reply-To: <4CF796DD.5060909@nic-naa.net>
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv> <4CF796DD.5060909@nic-naa.net>
Message-ID:

> btw, i spent quite a bit of my time with the berkman center researchers
> working on accountability and transparency on just the issue of how users
> can be represented and i think it a hard problem.

I bet it is not a trivial enterprise to put together and give shape to an organization like ICANN. My biggest concern is that somewhere in the painful process of building this organization something got completely derailed from its original intents.

I'll not deny that there are positives and some accomplishments, not trying to do a substantial balance check, but on a 50Kfeet quick snapshot, I see ICANN as a non-profit org with a ~$60+M annual budget, and I always raise this question in my mind: what does it actually produce at that cost for the "common good" of the Internet community? (let's make clear that the domain registrants are the ones mostly paying for all this).

Yes, it has the contract (by now) from DoC to provide the IANA services, it has some DNS operational and coordination role, the folks involved with the DNSSEC implementation did a great job, but the bulk of the budget is not going there, most of it goes to finance the smoke and mirrors processes and the traveling circus.
No wonder why in the letter sent today by DoC/NTIA to ICANN, on the very first line Assistant Secretary Strickling says "I am writing to express my concern regarding the apparent failure of ICANN to carry out its obligations as specified in the Affirmation of Commitments" ...

http://forum.icann.org/lists/5gtld-guide/pdf4SSmb5oOd5.pdf

I believe that there is a lot of people very concerned with what ICANN is doing and what it is supposed to do, and trying to fix it from within is not an easy task either, getting involved in ICANN's processes and ecosystem is very demanding, and unless you have a big chunk of dough in the bank or are being paid (which brings on front line the interests of who pays you) there is not an easy way to make free volunteer work effective.

I guess we are sliding OT for this list ...sigh

Best Regards
Jorge

From jvanoppen at spectrumnet.us Thu Dec 2 22:02:49 2010
From: jvanoppen at spectrumnet.us (John van Oppen)
Date: Fri, 3 Dec 2010 04:02:49 +0000
Subject: Want to move to all 208V for server racks
In-Reply-To: <20101203033804.GB5521@hiwaay.net>
References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net>
Message-ID:

GFCI breakers are very common, the slightly less common version are arc fault breakers which are starting to show up more as well.

GFCI breakers are often required on large services, most large (new) 480v services I have seen (1000A and larger) have ground fault breakers, in fact I have seen some bad outages on entire datacenters where the main breakers had a lower ground-fault current setting (for tripping) than a branch circuit that had a phase-to-ground fault resulting in the main breakers tripping instead of the branch circuit. I don't know if the ground-fault breakers are required just in Washington (I am in Seattle) or if it is a NEC requirement.
John

-----Original Message-----
From: Chris Adams [mailto:cmadams at hiwaay.net]
Sent: Thursday, December 02, 2010 7:38 PM
To: NANOG list
Subject: Re: Want to move to all 208V for server racks

Once upon a time, Ricky Beam said:
> Just because someone is selling them doesn't mean they meet building
> codes. (esp. for residential use.) None of the dozen or so licensed
> electricians I've ever talked to will use them.

I saw GFCI breakers installed in a new house this year, and it passed inspection. I think you experienced a recall of a specific device and are confusing that with a general removal. When Toyota recalled a model of car, that didn't mean all cars were banned.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From ken at sizone.org Thu Dec 2 22:05:11 2010
From: ken at sizone.org (Ken Chase)
Date: Thu, 2 Dec 2010 23:05:11 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <201012021331.48695.lowen@pari.edu>
References: <201012021331.48695.lowen@pari.edu>
Message-ID: <20101203040510.GA8484@sizone.org>

All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)

http://www.everydns.com/

right hand side.

(sorry to shift the discussion off of uucp... long live sizone.uucp...)

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From jmamodio at gmail.com Thu Dec 2 22:16:23 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Thu, 2 Dec 2010 22:16:23 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203040510.GA8484@sizone.org>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org>
Message-ID:

On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase wrote:
> All our topics of discussion are merging... (soon: "does
> Wikileaks run on 208V?"
:)

If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave.

Cheers
Jorge

From ken at sizone.org Thu Dec 2 22:19:24 2010
From: ken at sizone.org (Ken Chase)
Date: Thu, 2 Dec 2010 23:19:24 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To:
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org>
Message-ID: <20101203041923.GA30565@sizone.org>

On Thu, Dec 02, 2010 at 10:16:23PM -0600, Jorge Amodio said:
>On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase wrote:
>> All our topics of discussion are merging... (soon: "does
>> Wikileaks run on 208V?" :)
>
>If they keep going that way, soon they will be running on nuclear
>power from the hidden centrifuges in some cave.

or p2p or tor or torrents of *.tbz's

the other day bloomberg was having issues in their db only for stories about wikileaks and assange as per my quick testing, quite annoying. are major news mediae seeing ddos attempts at censorship (or just leaking-at-the-seams infrastructure issues with the big hits on the topic)?

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From tony at lava.net Thu Dec 2 22:29:54 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 18:29:54 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com> <4CF869A2.1070108@bogus.com>
Message-ID:

On Thu, 2 Dec 2010, Paul Ferguson wrote:

> Old skool.
>
> Twitter is much faster:
>
> http://www.thejakartaglobe.com/home/government-disaster-advisors-twitter-hacked-used-to-send-tsunami-warning/408447

But morse code is still faster :)

http://www.google.com/search?q=morse+code+beats+texting&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From drc at virtualized.org Thu Dec 2 22:31:28 2010
From: drc at virtualized.org (David Conrad)
Date: Thu, 2 Dec 2010 18:31:28 -1000
Subject: Blocking International DNS
In-Reply-To:
References: <4CE9F389.7040505@kenweb.org> <889E2C96-FA4A-425F-B243-EAB8860CEAE3@jsyoung.net> <20101122051118.GF20665@sizone.org> <20101130045616.GM16087@sizone.org> <20101130055744.GN16087@sizone.org> <5D303059-133D-4B91-BAD6-AAFAB5C5340B@americafree.tv> <4CF796DD.5060909@nic-naa.net>
Message-ID: <95041454-A47D-4B9F-A2B6-B663FAC72437@virtualized.org>

Jorge,

On Dec 2, 2010, at 6:02 PM, Jorge Amodio wrote:
> I bet it is not a trivial enterprise to put together and give shape to
> an organization like ICANN. My biggest concern is that somewhere in
> the painful process of building this organization something got
> completely derailed from its original intents.

I suppose it depends on your view of "its original intents" (and what you mean by "ICANN").

> I believe that there is a lot of people very concerned with what ICANN
> is doing and what it is supposed to do, and trying to fix it from
> within is not an easy task either, getting involved in ICANN's
> processes and ecosystem is very demanding, and unless you have a big
> chunk of dough in the bank or are being paid (which brings on front
> line the interests of who pays you) there is not an easy way to make
> free volunteer work effective.

My view (having been on both sides now) is that despite numerous missteps, particularly early in its life, ICANN really is trying to do "the right thing".
There are lots of challenges, not least of which is that given ICANN's structure, the definition of "the right thing" depends on who participates most actively in the myriad ICANN processes.

> I guess we are sliding OT for this list ...sigh

Yep, and that's unfortunate as folks who participate in NANOG generally have opinions that could counterbalance the folks who usually show up at ICANN meetings.

Regards,
-drc

From tony at lava.net Thu Dec 2 22:38:27 2010
From: tony at lava.net (Antonio Querubin)
Date: Thu, 2 Dec 2010 18:38:27 -1000 (HST)
Subject: The scale of streaming video on the Internet.
In-Reply-To:
References: <18800441.240.1291327719307.JavaMail.root@benjamin.baylink.com> <4CF81C20.6000001@brightok.net>
Message-ID:

On Thu, 2 Dec 2010, Marshall Eubanks wrote:

> On Dec 2, 2010, at 5:41 PM, Antonio Querubin wrote:
>> The various IPv6 wikis could use a good sprinkling of multicast howtos.
>>
>
> True. Want to help with that ?

Working on it...

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From tme at americafree.tv Thu Dec 2 22:51:16 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Thu, 2 Dec 2010 23:51:16 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203040510.GA8484@sizone.org>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org>
Message-ID: <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>

On Dec 2, 2010, at 11:05 PM, Ken Chase wrote:

> All our topics of discussion are merging... (soon: "does
> Wikileaks run on 208V?" :)
>
> http://www.everydns.com/
>
> right hand side.
>
> (sorry to shift the discussion off of uucp... long live
> sizone.uucp...)

Seems to be down here

http://www.everydns.com/

EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free.
The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy.

[TME-MBP-2010:~] tme% dig wikileaks.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;wikileaks.org.                 IN      A

;; Query time: 13 msec
;; SERVER: 63.105.122.34#53(63.105.122.34)
;; WHEN: Thu Dec  2 23:47:19 2010
;; MSG SIZE  rcvd: 31

Regards
Marshall

>
> /kc
> --
> Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
>
>

From jeffrey.lyon at blacklotus.net Thu Dec 2 22:55:46 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Thu, 2 Dec 2010 23:55:46 -0500
Subject: Domain shut downs by Registrar?
In-Reply-To:
References:
Message-ID:

We use OpenSRS and never have these issues. Many of the other major registrars will freeze domains for whatever reason they choose. OpenSRS basically fulfills their duties to ICANN and leaves it alone at that. The only domain I have ever seen them get involved with was a long time ago when someone stole a domain from Network Solutions using fraudulent paperwork and then managed to transfer it out.

Jeff

On Thu, Dec 2, 2010 at 6:50 PM, Deepak Jain wrote:
>
> Has this process matured or is it still a wild-west kind of thing? Last time I saw this, it was with a LARGE registrar and we had to threaten them with a TRO before they'd even put their lawyers on the phone. It was a few years ago.
>
> This time the issue is with DOTSTER and they never even bothered to contact our support desk about the issue with the customer domain (and we're listed as the support contact, etc).
>
> So if anyone has any advice, or anyone from DOTSTER wants to contact me offline, that'd be great.
>
> Thanks in advance,
>
> DJ
>
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From alex at corp.nac.net Thu Dec 2 22:58:37 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Thu, 2 Dec 2010 23:58:37 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net>
Message-ID:

> GFCI breakers are very common, the slightly less common version are arc
> fault breakers which are starting to show up more as well.

Partly because of a code requirement. Houses burning down, etc. Somehow, we all survived for a long time without them, but now there is a huge requirement. Perhaps Sq-D or Eaton paid the NFPA/NEC to put this in the code to sell pricier breakers. Yes, I believe in conspiracies.

> GFCI breakers are often required on large services, most large (new)
> 480v services I have seen (1000A and larger) a have Ground fault
> breakers, in fact I have seen some bad outages on entire datacenters
> where the main breakers had a lower ground-fault current setting (for
> tripping) than a branch circuit that had a phase-to-ground fault
> resulting in the main breakers tripping instead of the branch circuit.
> I don't know if the ground-fault breakers are required just in
> Washington (I am in seattle) or if it is a NEC requirement.

I believe it to be any service 1200 amps or larger. And, you don't have to have GFI trip, you can have a GFI alarm, especially if you are under "engineering supervision." In fact, it is quite normal to have GFI Alarm on the generator mains, so as to prevent you from having a nuisance trip when you transfer to emergency power.
As to the second part of your paragraph, that would be discovered (hopefully) in the commissioning process, where you have your coordination studies done.

Anyway, back to topic: Vendors, please a) get all your gear to cool front-to-back, and b) let it take 480 polyphase and not require a neutral. I, for one, will be happier. The datacenter of tomorrow (hell, today) requires this.

From jmamodio at gmail.com Thu Dec 2 22:59:36 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Thu, 2 Dec 2010 22:59:36 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID:

> [TME-MBP-2010:~] tme% dig wikileaks.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;wikileaks.org.                 IN      A
>
> ;; Query time: 13 msec
> ;; SERVER: 63.105.122.34#53(63.105.122.34)
> ;; WHEN: Thu Dec  2 23:47:19 2010
> ;; MSG SIZE  rcvd: 31

shows gone for me too.

btw, excuse the bluntness, but for an organization like this, isn't it kind of extremely stupid to have all the secondaries with the same provider?
-J

From jmamodio at gmail.com Thu Dec 2 23:20:37 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Thu, 2 Dec 2010 23:20:37 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID:

Everydns says on their page:

"EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free. The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy. More specifically, the services were terminated for violation of the provision which states that "Member shall not interfere with another Member's use and enjoyment of the Service or another entity's use and enjoyment of similar services." The interference at issues arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. Thus, last night, at approximately 10PM EST, December 1, 2010 a 24 hour termination notification email was sent to the email address associated with the wikileaks.org account. In addition to this email, notices were sent to Wikileaks via Twitter and the chat function available through the wikileaks.org website. Any downtime of the wikileaks.org website has resulted from its failure to use another hosted DNS service provider."
-J

From randy at psg.com Thu Dec 2 23:26:35 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 03 Dec 2010 14:26:35 +0900
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To:
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID:

so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.

if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee.

randy

From jmamodio at gmail.com Thu Dec 2 23:51:47 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Thu, 2 Dec 2010 23:51:47 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To:
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID:

Sort of weird theory, but it sounds really strange that, knowing the kind of reactions that one could expect due to the content being published in the site, they have such a naive dns setup for that given domain.

Unless what you are looking for is actually getting booted so you can cry loud (which they already did via twitter a few mins ago), "hey the US killed our domain".

BTW, the domain still shows in the PIR WHOIS.

-J

From ken at sizone.org Thu Dec 2 23:52:29 2010
From: ken at sizone.org (Ken Chase)
Date: Fri, 3 Dec 2010 00:52:29 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To:
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID: <20101203055229.GB30565@sizone.org>

On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said:
>so, if the site to which a dns entry points suffers a ddos, everydns
>will no longer serve the domain.
>i hope they apply this policy even
>handedly to all sufferers of ddos.
>
>if not, as a registrar, i guess i can no longer accept registrations
>where everydns is the ns delegatee.

Let us know if they deviate from this isometric application of policy. I'll be happy to encourage people not to use them.

Anyone have records of what wikileaks (RR, i assume) A record was? I should have queried my favourite open rDNS servers before they expired, assuming that the TTL was long enough (or modified to be long by a local cache policy).

Quick, someone power up their hibernated laptop with the network unplugged and ping wikileaks (assuming you looked at it recently before hibernation, before it was pulled... :) Not sure that works in any windows (or other OS's for that matter) however.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From strizhov at netsec.colostate.edu Fri Dec 3 00:07:07 2010
From: strizhov at netsec.colostate.edu (Mikhail Strizhov)
Date: Thu, 02 Dec 2010 23:07:07 -0700
Subject: wikileaks unreachable
In-Reply-To: <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net>
Message-ID: <4CF8890B.2060005@netsec.colostate.edu>

Message from twitter @wikileaks:
WikiLeaks,org domain killed by US everydns.net after claimed mass attacks.

So, is this the end of the wikileaks? :)

--
Sincerely,
Mikhail Strizhov

On 12/01/2010 06:50 PM, Craig Labovitz wrote:
> http://asert.arbornetworks.com/2010/11/wikileaks-cablegate-attack/
> and http://asert.arbornetworks.com/2010/11/round2-ddos-versus-wikileaks/
>
> - Craig
>
>
> On Dec 1, 2010, at 4:38 PM, Mike wrote:
>> Just on an operational front, does anyone know the nature of the DDoS against wikileaks? eg: spoofed source garbage, http get, synfloods, or ?
>>
>> Mike-

From jmamodio at gmail.com Fri Dec 3 00:11:02 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Fri, 3 Dec 2010 00:11:02 -0600
Subject: wikileaks unreachable
In-Reply-To: <4CF8890B.2060005@netsec.colostate.edu>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID:

> So, is this the end of the wikileaks? :)

Hardly, IMHO it is a gambit to ask for money.

Craig, don't you guys at Arbor have the IP addresses that you were tracking for the DDOS attacks?

-J

From randy at psg.com Fri Dec 3 00:15:33 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 03 Dec 2010 15:15:33 +0900
Subject: wikileaks unreachable
In-Reply-To: <4CF8890B.2060005@netsec.colostate.edu>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID:

> Message from twitter @wikileaks:
> WikiLeaks,org domain killed by US everydns.net after claimed mass
> attacks.

as someone who has done a lot of tunneling, uucping, funny routing relays, ... for democratic movements in lots of countries, i am not pleased at seeing the need arise in the so-called democratic states.

randy

From randy at psg.com Fri Dec 3 00:17:07 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 03 Dec 2010 15:17:07 +0900
Subject: wikileaks unreachable
In-Reply-To:
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID:

> IMHO it is a gambit to ask for money.

and this is based on what facts? when this kind of stuff goes down, we need to pay a bit of attention to actual authenticable fact and not indulge in too much conjecturbation.
randy

From jmamodio at gmail.com Fri Dec 3 00:19:13 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Fri, 3 Dec 2010 00:19:13 -0600
Subject: wikileaks unreachable
In-Reply-To:
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID:

> and this is based on what facts?

Instead of tweeting about how to reach their content, or their IP addresses to bypass DNS, they are sending repeatedly via twitter the following URL http://collateralmurder.com/en/support.html

-J

From randy at psg.com Fri Dec 3 00:20:42 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 03 Dec 2010 15:20:42 +0900
Subject: wikileaks unreachable
In-Reply-To:
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID:

>> and this is based on what facts?
> Instead of tweeting about how to reach their content, or their IP
> addresses to bypass DNS, they are sending repeatedly via twitter the
> following URL http://collateralmurder.com/en/support.html

coincidence != causality

From patrick at ianai.net Fri Dec 3 00:30:01 2010
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Fri, 3 Dec 2010 01:30:01 -0500
Subject: wikileaks unreachable
In-Reply-To:
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID: <1034C152-7A9B-44CE-8CC7-D984FFEE291C@ianai.net>

On Dec 3, 2010, at 1:20 AM, Randy Bush wrote:

>>> and this is based on what facts?
>> Instead of tweeting about how to reach their content, or their IP
>> addresses to bypass DNS, they are sending repeatedly via twitter the
>> following URL http://collateralmurder.com/en/support.html
>
> coincidence != causality

Neither does correlation. :)

But Jorge has a point. If they wanted to help users get past their DNS problems, they could tweet for assistance, tweet their IP addy and ask to be re-tweeted, ask owners of authorities to set up wikileaks.$FOO.com to 'crowd source' their name, etc.

So at the very least, they are guilty of not being imaginative.

BTW: I personally doubt they are doing this for money. But I don't have any proof of that either.

-- 
TTFN,
patrick

From jmamodio at gmail.com Fri Dec 3 00:36:58 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Fri, 3 Dec 2010 00:36:58 -0600
Subject: wikileaks unreachable
In-Reply-To: <1034C152-7A9B-44CE-8CC7-D984FFEE291C@ianai.net>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu> <1034C152-7A9B-44CE-8CC7-D984FFEE291C@ianai.net>
Message-ID: 

> But Jorge has a point. If they wanted to help users get past their DNS problems, they could tweet for assistance, tweet their IP addy and ask to be re-tweeted, ask owners of authorities to set up wikileaks.$FOO.com to 'crowd source' their name, etc.

I'll just point to an article I found very interesting about this matter:

http://www.techdirt.com/articles/20101202/02243512089/how-response-to-wikileaks-is-exactly-what-assange-wants.shtml

Aren't we being part of some kind of action-reaction game to produce systematic changes as side effects ?
-J

From sethm at rollernet.us Fri Dec 3 00:39:09 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 02 Dec 2010 22:39:09 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: 
References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net>
Message-ID: <4CF8908D.9040501@rollernet.us>

On 12/2/10 8:02 PM, John van Oppen wrote:
> GFCI breakers are very common, the slightly less common version are arc fault breakers which are starting to show up more as well.
>

Arc fault breakers are a very new code requirement which I believe is primarily targeted at sleeping areas. My place has them (built about 4 years ago) on the bedroom outlet circuits. If I spin the socket switch on one of the table lamps too fast it'll trip.

~Seth

From fergdawgster at gmail.com Fri Dec 3 00:39:47 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Thu, 2 Dec 2010 22:39:47 -0800
Subject: wikileaks unreachable
In-Reply-To: 
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu> <1034C152-7A9B-44CE-8CC7-D984FFEE291C@ianai.net>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 2, 2010 at 10:36 PM, Jorge Amodio wrote:

>> But Jorge has a point. If they wanted to help users get past their DNS
>> problems, they could tweet for assistance, tweet their IP addy and ask
>> to be re-tweeted, ask owners of authorities to set up wikileaks.$FOO.com
>> to 'crowd source' their name, etc.
>
> I'll just point to an article I found very interesting about this matter:
> http://www.techdirt.com/articles/20101202/02243512089/how-response-to-wikileaks-is-exactly-what-assange-wants.shtml
>
> Aren't we being part of some kind of action-reaction game to produce
> systematic changes as side effects ?

Yes.
- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+JCrq1pz9mNUZTMRAje8AKCSOUdPNKMKhomYOavcAQWeLU9gLwCfTc7W
fvFnKA/JRZAOXZ9VMO2zM+k=
=3+y3
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From blake at lindenlab.com Fri Dec 3 01:08:04 2010
From: blake at lindenlab.com (Christopher Phillips)
Date: Thu, 2 Dec 2010 23:08:04 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: 
References: 
Message-ID: 

On Thu, Dec 2, 2010 at 7:58 AM, Jay Nakamura wrote:

> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v. As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.
>
>

I got burned when I tried to install a DSL modem for OOB access, in our 208v network racks. The modem only accepted 120v. My choices were to either run a power cable across the cage to a 120v rack or install a 120v circuit in the network rack.

Chris.

From nenolod at systeminplace.net Fri Dec 3 01:23:21 2010
From: nenolod at systeminplace.net (William Pitcock)
Date: Fri, 03 Dec 2010 01:23:21 -0600
Subject: Want to move to all 208V for server racks
In-Reply-To: 
References: 
Message-ID: <1291361001.9824.1.camel@petrie.dereferenced.org>

Hi,

On Thu, 2010-12-02 at 10:58 -0500, Jay Nakamura wrote:
> I really want to move all newly installed internal and customer racks
> over to all 208v power instead of 120v.
> As far as I can remember, I
> can't remember any server/switch/router or any other equipment that
> didn't run on 208v AC. (Other than you may need a different cable)
> Anyone have any experience where some oddball equipment that couldn't
> do 208v and regret going 208v? We won't have any TDM or SONET
> equipment, all Ethernet switches, routers and servers. I have control
> over internal equipment but sometimes customers surprise you.
>

In one colo I helped manage, we had some crappy netgear switches which couldn't handle 208v. Provided you have proper equipment, you should be fine though. This was a non-profit though, so we were trying to get by with whatever was the most cost-efficient option.

William

From jbates at brightok.net Fri Dec 3 01:29:26 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 03 Dec 2010 01:29:26 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: 
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID: <4CF89C56.4090607@brightok.net>

On 12/2/2010 11:26 PM, Randy Bush wrote:
> so, if the site to which a dns entry points suffers a ddos, everydns
> will no longer serve the domain. i hope they apply this policy even
> handedly to all sufferers of ddos.
>

Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain.

I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop.
Jack

From ben at adversary.org Fri Dec 3 01:36:21 2010
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 03 Dec 2010 18:36:21 +1100
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203040510.GA8484@sizone.org>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org>
Message-ID: <4CF89DF5.8080501@adversary.org>

On 3/12/10 3:05 PM, Ken Chase wrote:
> All our topics of discussion are merging... (soon: "does
> Wikileaks run on 208V?" :)
>
> http://www.everydns.com/
>
> right hand side.
>
> (sorry to shift the discussion off of uucp... long live
> sizone.uucp...)

There is a list of mirror sites here:

http://wikileaks.info/

There are three IPv4 addresses listed for the cablegate site: 91.194.60.90, 91.194.60.112 and 204.236.131.131. Of these, the first one is not responding (from Australia), the third is an Amazon IP and won't host the site now. The second one is responding, but is not up to date with the full release so far (it has 294 cables, up to November 30).

I'm surprised they don't have a proper mirror using a .se, .ch or .is domain.

Regards,
Ben

From fergdawgster at gmail.com Fri Dec 3 01:39:10 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Thu, 2 Dec 2010 23:39:10 -0800
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <4CF89C56.4090607@brightok.net>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates wrote:

> On 12/2/2010 11:26 PM, Randy Bush wrote:
>>
>> so, if the site to which a dns entry points suffers a ddos, everydns
>> will no longer serve the domain.
>> i hope they apply this policy even
>> handedly to all sufferers of ddos.
>>
>
> Given "These attacks have, and future attacks would, threaten the
> stability of the EveryDNS.net infrastructure, which enables access to
> almost 500,000 other websites." I'd say they had DOS issues with their
> nameservers. They can't be expected to let their other domains go down in
> efforts to protect a single domain.
>
> I'm guessing they weathered the problem somewhat, as they actually gave
> 24h notice. However, excessive loads and constant monitoring and
> protective
> measures on a free service would definitely be something a company would
> want to stop.
>

FYI:

http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+J6Vq1pz9mNUZTMRAocNAKCxe3rX9bz1L7tliKdCJfPOvZZybACgrrRF
w3whP9J/zHlrWa/yJDMeRQs=
=ZT0w
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From tme at americafree.tv Fri Dec 3 01:42:19 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Fri, 3 Dec 2010 02:42:19 -0500
Subject: wikileaks unreachable
In-Reply-To: 
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu>
Message-ID: <5621B21E-E0A9-4BE5-BE23-6719926AD2D1@americafree.tv>

On Dec 3, 2010, at 1:11 AM, Jorge Amodio wrote:

>> So, is this the end of the wikileaks? :)
>
> Hardly, IMHO it is a gambit to ask for money.
>
> Craig, don't you guys at Arbor have the IP addresses that were
> tracking for the DDOS attacks ?
>

http://46.59.1.2 seems to work.
Regards
Marshall

> -J
>
>

From cra at WPI.EDU Fri Dec 3 01:54:37 2010
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 3 Dec 2010 02:54:37 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To: 
References: 
Message-ID: <20101203075436.GX1583@angus.ind.WPI.EDU>

On Thu, Dec 02, 2010 at 01:59:33PM -0500, Alex Rubenstein wrote:
> A couple of reasons.. Neutral current, more power delivered using
> less copper, etc. Personally, I like delivering two L21-30's per
> rack and call it day - allows for a comfortable 8kw per rack in 2N+1
> redundancy. And, it still has a neutral if it's needed, which we
> hope it isn't.

Here's a question for you. How do you calculate the total current & power capacity of a L21-20 or L21-30, and how do you do the calculations in order to balance the load between the phase legs? This seems like it would be a trivial thing to do, but given that the three legs are 120 degrees out of phase with each other, I don't think you can just do normal addition.

For example, I have APC AP7961 3-phase PDUs with L21-20 plugs. The management interface claims a maximum load per phase of 16A (which I believe is the 80% derating of 20A required by NEC). Does this mean I can draw 16A * 3, or 48A total if I have a perfectly equal balance? Also, how does this relate to power, i.e. how many kVA or kW does this provide? 16A * 208V * 3 phases ~= 10 kVA?

On another note, how do you calculate N+1 power feeds in your racks? If you have 2 PDUs fed from two different branch circuits/UPSes/etc. do you just set your PDU load alarm thresholds at 50% of the max rating of each PDU and never load them beyond that point, so that if you lose one PDU/branch circuit/UPS and the dual-power servers transfer their load over to the other side, it doesn't get overloaded? That would be 8A on each phase in the case of my AP7961's.
Of course, things get complicated when you have a mix of single- and dual-power servers, especially if you have server admins who don't keep you apprised as to the types of equipment that are installed there as things change over time...

From joakim at aronius.com Fri Dec 3 02:35:05 2010
From: joakim at aronius.com (Joakim Aronius)
Date: Fri, 3 Dec 2010 09:35:05 +0100
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <4CF89C56.4090607@brightok.net>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net>
Message-ID: <20101203083505.GA9454@maya.aronius.com>

* Jack Bates (jbates at brightok.net) wrote:
> Given "These attacks have, and future attacks would, threaten the
> stability of the EveryDNS.net infrastructure, which enables access
> to almost 500,000 other websites." I'd say they had DOS issues with
> their nameservers. They can't be expected to let their other domains
> go down in efforts to protect a single domain.

This is then important information that should be spelled out in their terms of service. 'If your domain generates too much traffic we will terminate your service'.. It might very well be reasonable for a free service to have these restrictions but as a customer it could be an important differentiator when choosing service provider.

..assuming that the DOS actually took place.. (tinfoil hat on..:)

/Joakim

>
> I'm guessing they weathered the problem somewhat, as they actually
> gave 24h notice. However, excessive loads and constant monitoring
> and protective measures on a free service would definitely be
> something a company would want to stop.
>
>
> Jack

From bortzmeyer at nic.fr Fri Dec 3 02:45:57 2010
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 3 Dec 2010 09:45:57 +0100
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203055229.GB30565@sizone.org>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <20101203055229.GB30565@sizone.org>
Message-ID: <20101203084557.GA26742@nic.fr>

On Fri, Dec 03, 2010 at 12:52:29AM -0500,
 Ken Chase wrote
 a message of 24 lines which said:

> Anyone have records of what wikileaks (RR, i assume) A record was?

91.121.133.41
46.59.1.2

Translated into an URL, the first one does not work (virtual hosting, maybe) but the second does.

I've found also, thanks to a new name resolution protocol, TDNS (Tweeter DNS), 213.251.145.96, which works.

> I should have queried my favourite open rDNS servers before they
> expired,

dig A wikileaks.org > backup.txt

(from cron)

is a useful method. Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?

From nanog at deman.com Fri Dec 3 03:08:15 2010
From: nanog at deman.com (Michael DeMan)
Date: Fri, 3 Dec 2010 01:08:15 -0800
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203084557.GA26742@nic.fr>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <20101203055229.GB30565@sizone.org> <20101203084557.GA26742@nic.fr>
Message-ID: 

wikileaks.no and wikleaks.se seem to accept requests on port 80 but appear to be having troubles generating responses, perhaps just overloaded.

On Dec 3, 2010, at 12:45 AM, Stephane Bortzmeyer wrote:

> On Fri, Dec 03, 2010 at 12:52:29AM -0500,
> Ken Chase wrote
> a message of 24 lines which said:
>
>> Anyone have records of what wikileaks (RR, i assume) A record was?
>
> 91.121.133.41
> 46.59.1.2
>
> Translated into an URL, the first one does not work (virtual hosting,
> maybe) but the second does.
>
> I've found also, thanks to a new name resolution protocol, TDNS
> (Tweeter DNS), 213.251.145.96, which works.
>
>> I should have queried my favourite open rDNS servers before they
>> expired,
>
> dig A wikileaks.org > backup.txt
>
> (from cron)
>
> is a useful method. Other possible solution would be a DNSarchive, in
> the same way there is a WebArchive. Any volunteer?
>
>
>
>

From brunner at nic-naa.net Fri Dec 3 04:04:09 2010
From: brunner at nic-naa.net (Eric Brunner-Williams)
Date: Fri, 03 Dec 2010 05:04:09 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv>
Message-ID: <4CF8C099.3080601@nic-naa.net>

...
>
> ... The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy.

the claim is that being ddos'd is an aup violation. go figure.

From rsk at gsp.org Fri Dec 3 06:12:46 2010
From: rsk at gsp.org (Rich Kulawiec)
Date: Fri, 3 Dec 2010 07:12:46 -0500
Subject: wikileaks unreachable
In-Reply-To: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv>
References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv>
Message-ID: <20101203121246.GA19224@gsp.org>

On Wed, Dec 01, 2010 at 04:27:10PM -0500, Marshall Eubanks wrote:
> Wikileaks has been booted off Amazon EC2
>
> http://arstechnica.com/security/news/2010/12/wikileaks-kicked-out-of-amazons-cloud.ars
>
> "Senator Joe Lieberman (I-CT), chairman of the Homeland Security and Governmental Affairs Committee, was among the congressmen who pressured Amazon to stop hosting Wikileaks...

Typo there: that's Joe McCarthy.
---rsk

From bill at herrin.us Fri Dec 3 06:20:14 2010
From: bill at herrin.us (William Herrin)
Date: Fri, 3 Dec 2010 07:20:14 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: 
References: <927EC1B9-426B-43C3-A908-A1D46B30F326@gibbard.org>
Message-ID: 

On Thu, Dec 2, 2010 at 7:25 PM, William Herrin wrote:
> On Thu, Dec 2, 2010 at 4:28 PM, Steve Gibbard wrote:
>> http://en.wikipedia.org/wiki/Two-sided_market
>>
>> They don't all have the same fee-splitting systems, and you can find an
>> example to cite as precedent for just about any system you could reasonably
>> advocate. An example raised in a talk I heard a few years ago was of
>> scholarly journals that collect money from both their subscribers and their
>> authors. The authors need to be published in order to get tenure, and the
>> readers pay because they want to know what the authors are saying.

I received an interesting comment off list to the effect that there's been a rise in journals in which the author pays while the reader has open (free) access via the web citing this example:

http://openwetware.org/wiki/Publication_fees

Modern newspapers have gravitated towards a comparable model in which the advertisers bear the cost of the content and the readers have free access via the web. I, for example, read washingtonpost.com most days.

In the abstract, the model looks like this:

1. Pick which side of the two sided market you expect to always pay you. For example, the advertisers in the newspapers' case.

2. Offer _fully functional_ free access to the other side of the market, where "fully functional" is largely defined by that side's nature. For example washingtonpost.com

3. Ask a convenience fee for access which does not impact functionality but is in some way more desirable to one or another segment of the otherwise unpaid side of the market. For example, paying a subscription to have the hardcopy version of the newspaper delivered.
The jury is still out on whether this model is economically sustainable. Still, I think it could offer useful insight to folks like Comcast.

I think it likely that the recipient side of the market is going to be the always-payer for ISP service on an eyeball network. That means giving the content side basic fully functional access for free and convenience enhancements for a fee. That's why I suggested:

"Maybe you'll openly peer with all comers but only at 100 mbps in any single location. You'll open as many locations deep in the network as they want, but it's the peer's problem to connect there. Naturally you'll sell a convenience service to backhaul all those connection points to a convenient location for the peers... or they can make their own arrangements but either way they don't get to massively consume your backbone for free. There's probably enough separation there between what you sell customer B and what you sell customer C to eke over to the "good" side of the ethics line. And by the way an open peering policy with those parameters would make you the Chamber of Commerce's new best friend, enabling small business to vend innovative products directly to your customers (and then pay you for the convenience of aggregation once they build up a customer base)."

The key pitfall with this model is function versus convenience. Your paid enhancements to the second side of the market can offer greater convenience but you cross the line if they offer greater functionality. Connecting where I want (instead of where you offer) is convenient. Connecting with enough bandwidth for my service to be usable is functional.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ......................
Web:
Falls Church, VA 22042-3004

From nanog-post at rsuc.gweep.net Fri Dec 3 06:38:34 2010
From: nanog-post at rsuc.gweep.net (Joe Provo)
Date: Fri, 3 Dec 2010 07:38:34 -0500
Subject: Level 3 Communications Issues Statement Concerning Comcast's Actions
In-Reply-To: 
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E664A22B@E2K7MAILBOX1.corp.cableone.net> <8BC9AA1D1BA4494F83F8205415225CE826161A00D3@CHIEXMAIL1.ARRS.ARRISI.COM> <6EFFEFBAC68377459A2E972105C759EC032BF7CB@EXVBE005-2.exch005intermedia.net> <4CF7AD02.4030106@gmail.com>
Message-ID: <20101203123833.GA72584@gweep.net>

On Thu, Dec 02, 2010 at 05:49:53PM -0500, Christopher Morrow wrote:
> On Thu, Dec 2, 2010 at 5:10 PM, Matthew Petach wrote:
>
>> fair game for reverse billing. If it does, it's going to completely
>> eliminate "transit" as a commercial offering; instead, we'll
>> all be stuck doing settlements in every direction for
>> traffic...and that's just *way* too much paperwork. ^_^;
>
> oh! that's the LD network.. that worked out so darned well, can we do
> it again? and can we have the ITU manage it for us? please? please?
> please? :)

Obviously, that's what (3) and GLBX want back. Perhaps they are feeling nostalgic.

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From jared at puck.nether.net Fri Dec 3 07:04:41 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 3 Dec 2010 08:04:41 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To: 
References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF803B3.3050202@rollernet.us> <4CF80BFE.1090801@brightok.net>
Message-ID: 

Unless there is robust support for it in home nat/CPE it is dead. Same for these ipv6 challenges at the edge.

I am also not aware of any major networks that currently have multicast on their backbone also deploying v6mcast. Corrections to that here or privately welcome.
Sent from my iThing

On Dec 2, 2010, at 4:44 PM, Antonio Querubin wrote:

> On Thu, 2 Dec 2010, david raistrick wrote:
>
>> If you, the multicast broadcaster, don't have extensive control of the -entire- end to end IP network, it will be significantly broken significant amounts of the time.
>>
>>
>> ...david (former member of a team of engineers who built and maintained a 220,000 seat multicast video network)
>
> Which points to the need for service providers to deploy robust multicast routing.
>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp: tony at lava.net

From frnkblk at iname.com Fri Dec 3 07:22:19 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Fri, 3 Dec 2010 07:22:19 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: 
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net>
Message-ID: 

I guess the USG's cyberwar program does work (very dryly said).

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster at gmail.com]
Sent: Friday, December 03, 2010 1:39 AM
To: Jack Bates
Cc: North American Network Operators Group
Subject: Re: wikileaks dns (was Re: Blocking International DNS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates wrote:

> On 12/2/2010 11:26 PM, Randy Bush wrote:
>>
>> so, if the site to which a dns entry points suffers a ddos, everydns
>> will no longer serve the domain. i hope they apply this policy even
>> handedly to all sufferers of ddos.
>>
>
> Given "These attacks have, and future attacks would, threaten the
> stability of the EveryDNS.net infrastructure, which enables access to
> almost 500,000 other websites." I'd say they had DOS issues with their
> nameservers. They can't be expected to let their other domains go down in
> efforts to protect a single domain.
>
> I'm guessing they weathered the problem somewhat, as they actually gave
> 24h notice. However, excessive loads and constant monitoring and
> protective
> measures on a free service would definitely be something a company would
> want to stop.
>

FYI:

http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+J6Vq1pz9mNUZTMRAocNAKCxe3rX9bz1L7tliKdCJfPOvZZybACgrrRF
w3whP9J/zHlrWa/yJDMeRQs=
=ZT0w
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From mikea at mikea.ath.cx Fri Dec 3 07:35:58 2010
From: mikea at mikea.ath.cx (mikea)
Date: Fri, 3 Dec 2010 07:35:58 -0600
Subject: The scale of streaming video on the Internet.
In-Reply-To: 
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com> <4CF869A2.1070108@bogus.com>
Message-ID: <20101203133558.GA50682@mikea.ath.cx>

On Thu, Dec 02, 2010 at 06:29:54PM -1000, Antonio Querubin wrote:
> On Thu, 2 Dec 2010, Paul Ferguson wrote:
>
>> Old skool.
>>
>> Twitter is much faster:
>>
>> http://www.thejakartaglobe.com/home/government-disaster-advisors-twitter-hacked-used-to-send-tsunami-warning/408447
>
> But morse code is still faster :)
>
> http://www.google.com/search?q=morse+code+beats+texting&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Faster and doesn't require infrastructure (other than possibly electrical power). Those hams were throttled _way_ back, too, to about 21 words per minute; I frequently hear Morse at speeds up to about 50 wpm in the ham bands.
-- 
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From simonw at zynet.net Fri Dec 3 08:13:05 2010
From: simonw at zynet.net (Simon Waters)
Date: Fri, 3 Dec 2010 14:13:05 +0000
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: 
References: 
Message-ID: <201012031413.05619.simonw@zynet.net>

On Friday 03 December 2010 13:22:19 Frank Bulk wrote:
> I guess the USG's cyberwar program does work (very dryly said).

They missed ;)

http://wikileaks.ch

http://twitter.com/wikileaks

From jmamodio at gmail.com Fri Dec 3 08:15:00 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Fri, 3 Dec 2010 08:15:00 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: 
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net>
Message-ID: 

On Fri, Dec 3, 2010 at 7:22 AM, Frank Bulk wrote:
> I guess the USG's cyberwar program does work (very dryly said).

Perhaps the PRC's works too.

-J

From neil at tonal.clara.co.uk Fri Dec 3 08:16:17 2010
From: neil at tonal.clara.co.uk (Neil Harris)
Date: Fri, 03 Dec 2010 14:16:17 +0000
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20101202202151.GA65475@ussenterprise.ufp.org>
References: <20101202202151.GA65475@ussenterprise.ufp.org>
Message-ID: <4CF8FBB1.4040708@tonal.clara.co.uk>

On 02/12/10 20:21, Leo Bicknell wrote:
> Comcast has around ~15 million high speed Internet subscribers (based on
> year old data, I'm sure it is higher), which means at peak usage around
> 0.3% of all Comcast high speed users would be watching.
>
> That's an interesting number, but let's run back the other way.
> Consider what happens if folks cut the cord, and watch Internet
> only TV.
> I went and found some TV ratings:
>
> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784
>
> Sunday Night Football at the top last week, with 7.1% of US homes
> watching. That's over 23 times as many folks watching as the 0.3% in
> our previous math! Ok, 23 times 150Gbps.
>
> 3.45Tb/s.
>
> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show.
>
> But that's 7.1% of homes, so scale up to 100% of homes and you get
> 48Tb/sec, that's right 4830 simultaneous 10GE's if all of Comcast's
> existing high speed subs dropped cable and watched the same shows over
> the Internet.
>
> I think we all know that streaming video is large. Putting the real
> numbers to it shows the real engineering challenges on both sides,
> generating and sinking the content, and why companies are fighting so
> much over it.
>
>

You might be interested in the EU-funded P2P-NEXT research initiative, which is creating a P2P system capable of handling P2P broadcasting at massive scale:

http://www.p2p-next.org/

-- Neil

(full disclosure: I'm associated with one of the participants in the project)

From dwhite at olp.net Fri Dec 3 08:27:57 2010
From: dwhite at olp.net (Dan White)
Date: Fri, 3 Dec 2010 08:27:57 -0600
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203055229.GB30565@sizone.org>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <20101203055229.GB30565@sizone.org>
Message-ID: <20101203142757.GA4189@dan.olp.net>

On 03/12/10 00:52 -0500, Ken Chase wrote:
> On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said:
>> so, if the site to which a dns entry points suffers a ddos, everydns
>> will no longer serve the domain. i hope they apply this policy even
>> handedly to all sufferers of ddos.
>>
>> if not, as a registrar, i guess i can no longer accept registrations
>> where everydns is the ns delegatee.
>
> Let us know if they deviate from this isometric application of policy. I'll be
> happy to encourage people not to use them.
>
> Anyone have records of what wikileaks (RR, i assume) A record was? I should
> have queried my favourite open rDNS servers before they expired, assuming that
> the TTL was long enough (or modified to be long by a local cache policy).
>
> Quick, someone power up their hibernated laptop with the network unplugged and
> ping wikileaks (assuming you looked at it recently before hibernation, before
> it was pulled... :) Not sure that works in any windows (or other OS's for that
> matter) however.

Their A records on Sunday were:

#46.51.186.222 wikileaks.org
#46.151.171.90 wikileaks.org

-- 
Dan White

From jra at baylink.com Fri Dec 3 08:44:56 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 3 Dec 2010 09:44:56 -0500 (EST)
Subject: The scale of streaming video on the Internet.
In-Reply-To: 
Message-ID: <25445232.274.1291387496599.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Paul Ferguson"
>
>>>> As to the emergency broadcast system, yeah, that's going to lose.
>>>
>>> Didn't we already replace that with twitter?
>>
>> quake/tsunami warnings flow via email rather quickly.
>
> Old skool.
>
> Twitter is much faster:
>
> http://www.thejakartaglobe.com/home/government-disaster-advisors-twitter-hacked-used-to-send-tsunami-warning/408447

Ok, let's go here.

The problem, as a few seconds thought would reveal, is one of *provenance*.

You could call it authentication if you wanted to, but to the *end-user*, what the authentication *authenticates* is the provenance.

And anti-spoofing is pretty important, when the message might be "run for the hills; the bombers is comin'!"
Well, ok, more to the point: "This is the Pinellas County Emergency Manager; I'm declaring an official Level 3 evacuation ahead of Hurricane Guillermo." You can put it on Twitter... but you can't *only* put it on Twitter. Cheers, -- jra From ka at pacific.net Fri Dec 3 08:46:49 2010 From: ka at pacific.net (Ken A) Date: Fri, 03 Dec 2010 08:46:49 -0600 Subject: The scale of streaming video on the Internet. In-Reply-To: <4CF8FBB1.4040708@tonal.clara.co.uk> References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF8FBB1.4040708@tonal.clara.co.uk> Message-ID: <4CF902D9.4070708@pacific.net> On 12/3/2010 8:16 AM, Neil Harris wrote: > On 02/12/10 20:21, Leo Bicknell wrote: >> Comcast has around ~15 million high speed Internet subscribers (based on >> year old data, I'm sure it is higher), which means at peak usage around >> 0.3% of all Comcast high speed users would be watching. >> >> That's an interesting number, but let's run back the other way. >> Consider what happens if folks cut the cord, and watch Internet >> only TV. I went and found some TV ratings: >> >> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784 >> >> >> Sunday Night Football at the top last week, with 7.1% of US homes >> watching. That's over 23 times as many folks watching as the 0.3% in >> our previous math! Ok, 23 times 150Gbps. >> >> 3.45Tb/s. >> >> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show. >> >> But that's 7.1% of homes, so scale up to 100% of homes and you get >> 48Tb/sec, that's right 4830 simultaneous 10GE's if all of Comcast's >> existing high speed subs dropped cable and watched the same shows over >> the Internet. >> >> I think we all know that streaming video is large. 
Putting the real >> numbers to it shows the real engineering challenges on both sides, >> generating and sinking the content, and why companies are fighting so >> much over it. >> > > You might be interested in the EU-funded P2P-NEXT research initiative, > which is creating a P2P system capable of handling P2P broadcasting at > massive scale: > > http://www.p2p-next.org/

Veetle uses p2p too. Its stream isn't quite 'light speed'; perhaps 30 seconds delayed.

Ken

> > -- Neil > > (full disclosure: I'm associated with one of the participants in the > project) > > >

-- Ken Anderson Pacific Internet - http://www.pacific.net

From bortzmeyer at nic.fr Fri Dec 3 08:49:22 2010
From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Fri, 3 Dec 2010 15:49:22 +0100 Subject: wikileaks dns (was Re: Blocking International DNS) In-Reply-To: <20101203142757.GA4189@dan.olp.net> References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <20101203055229.GB30565@sizone.org> <20101203142757.GA4189@dan.olp.net> Message-ID: <20101203144922.GA29352@nic.fr>

On Fri, Dec 03, 2010 at 08:27:57AM -0600, Dan White wrote a message of 28 lines which said: > Their A records on Sunday were:

(No longer working.)

Several people are keeping track of working IP addresses and advertise them in the DNS (wikileaks.something.example). Others have full mirrors. A current list: http://etherpad.mozilla.org:9000/wikileaks copy it, so you can access the DNS mirrors even if mozilla.org is taken down...

It's a very interesting exercise in resiliency.
From bicknell at ufp.org Fri Dec 3 08:49:34 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 3 Dec 2010 06:49:34 -0800 Subject: Trying to Make Sense of the Comcast/Level 3 Dispute In-Reply-To: References: Message-ID: <20101203144934.GB71451@ussenterprise.ufp.org> In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote: > Interesting article: > > http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3 > - -dispute Here's an excellent summary, complete with some pictures: http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-you -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: From dmburgess at linktechs.net Fri Dec 3 09:01:37 2010 From: dmburgess at linktechs.net (Dennis Burgess) Date: Fri, 3 Dec 2010 09:01:37 -0600 Subject: Trying to Make Sense of the Comcast/Level 3 Dispute References: <20101203144934.GB71451@ussenterprise.ufp.org> Message-ID: <91522911795E174F97E7EF8B792A1031315988@ltiserver.LTI.local> Agreed there, very nice. Thanks. 
----------------------------------------------------------- Dennis Burgess, Mikrotik Certified Trainer Link Technologies, Inc -- Mikrotik & WISP Support Services Office: 314-735-0270 Website: http://www.linktechs.net LIVE On-Line Mikrotik Training - Author of "Learn RouterOS" -----Original Message----- From: Leo Bicknell [mailto:bicknell at ufp.org] Sent: December 03, 2010 8:50 AM To: nanog at nanog.org Subject: Re: Trying to Make Sense of the Comcast/Level 3 Dispute In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote: > Interesting article: > > http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-leve l-3 > - -dispute Here's an excellent summary, complete with some pictures: http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-y ou -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From morrowc.lists at gmail.com Fri Dec 3 09:08:24 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 10:08:24 -0500 Subject: wikileaks unreachable In-Reply-To: References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu> Message-ID: On Fri, Dec 3, 2010 at 1:19 AM, Jorge Amodio wrote: >> and this is based on what facts? > > Instead of tweeting about how to reach their content, or their IP 'they' is a multicast address ... dyn/everydns or wikileaks? which is the 'they' that is doing the twittering? 
From nick at foobar.org Fri Dec 3 09:12:28 2010
From: nick at foobar.org (Nick Hilliard) Date: Fri, 03 Dec 2010 15:12:28 +0000 Subject: Google buys 111 8th Message-ID: <4CF908DC.90404@foobar.org>

http://www.datacenterknowledge.com/archives/2010/12/03/wsj-google-has-bought-111-8th-avenue/

Nick

From johnl at iecc.com Fri Dec 3 09:17:17 2010
From: johnl at iecc.com (John Levine) Date: 3 Dec 2010 15:17:17 -0000 Subject: Domain shut downs by Registrar? In-Reply-To: Message-ID: <20101203151717.82424.qmail@joyce.lan>

>We use OpenSRS and never have these issues. Many of the other major >registrars will freeze domains for whatever reason they choose. >OpenSRS basically fulfills their duties to ICANN and leaves it alone >at that. The only domain I have ever seen them get involved with was >a long time ago when someone stole a domain from Network Solutions >using fraudulent paperwork and then managed to transfer it out.

I am also happy with OpenSRS, but I think it is fair to assume that since they are incorporated in Pennsylvania, they would comply with orders from a US court.

We do remember, don't we, that the domain that started this discussion were shut down by Verisign, the registry, not a registrar?

R's, John

From jeffrey.lyon at blacklotus.net Fri Dec 3 09:22:23 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Fri, 3 Dec 2010 10:22:23 -0500 Subject: Domain shut downs by Registrar? In-Reply-To: <20101203151717.82424.qmail@joyce.lan> References: <20101203151717.82424.qmail@joyce.lan> Message-ID:

I'm not asking them to evade court orders, but rather keep their face out of my business unless absolutely required. Other major registrars seem to have a major issue with this.

Jeff

On Fri, Dec 3, 2010 at 10:17 AM, John Levine wrote: >>We use OpenSRS and never have these issues. Many of the other major >>registrars will freeze domains for whatever reason they choose. >>OpenSRS basically fulfills their duties to ICANN and leaves it alone >>at that.
The only domain I have ever seen them get involved with was >>along time ago when someone stole a domain from Network Solutions >>using fraudulent paperwork and then managed to transfer it out. > > I am also happy with OpenSRS, but I think it is fair to assume that > since they are incorporated in Pennsylvania, they would comply with > orders from a US court. > > We do remember, don't we, that the domain that started this discussion > were shut down by Verisign, the registry, not a registrar? > > R's, > John > -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From gary.buhrmaster at gmail.com Fri Dec 3 09:24:21 2010 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Fri, 3 Dec 2010 07:24:21 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <4CF8908D.9040501@rollernet.us> References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <4CF8908D.9040501@rollernet.us> Message-ID: On Thu, Dec 2, 2010 at 22:39, Seth Mattinen wrote: ... > Arc fault breakers are a very new code requirement which I believe is > primarily targeted at sleeping areas. My place has them (built about 4 > years ago) on the bedroom outlet circuits. If I spin the socket switch > on one of the table lamps too fast it'll trip. The NFPA priority is to protect life (property/equipment are there too, but lower in priority). (Note that while NFPA 70 is not required, most jurisdictions eventually turn it into their law/codes. But exceptions exist, and your specific requirements may vary, and not all jurisdictions adopt the new rules immediately. Some still (only) require NFPA 70-2005, and not NFPA 70-2008. 
There is no known case where applying more recent practices has resulted in liability, so some contractors may build to 2008 when only 2005 is being enforced by the inspector). Now that most outlets are grounded, and GFCIs are in locations where people are likely to be the source to ground ("wet" areas), one of the bigger remaining issues for loss of life in the home due to electricity was in the bedroom with arcing between the hot/neutral when people were asleep (and could be overwhelmed by the smoke before they could get out of the house). Another addition to the code a few years ago was what I call "child proofing" the outlets(*). You will see all new (but not existing old stock) outlets having a (usually) mechanical cover for the slots which requires a plug to be pushed in (only the pressure from both prongs will open the cover) to protect against the inquisitive fork or finger problem. NFPA 70 does take into account industry recommendations (for the conspiracy theorists), and the perceived return on the costs (something that saves 1 life over 10 years but costs billions is not likely to make it into "code"). Gary (*) Technically, I think these are called Tamper-Resistant Receptacles, and are required in all new work as of NFPA 70-2008. From linux.yahoo at gmail.com Fri Dec 3 09:26:32 2010 From: linux.yahoo at gmail.com (Manu Chao) Date: Fri, 3 Dec 2010 16:26:32 +0100 Subject: MPLS forwarding for L3VPN only (IOS) Message-ID: I have only GRT and L3VPN traffic and would like to use MPLS forwarding only for L3VPN. Is it possible? 
Thanks & Best Regards, Manu

From jmamodio at gmail.com Fri Dec 3 09:37:37 2010
From: jmamodio at gmail.com (Jorge Amodio) Date: Fri, 3 Dec 2010 09:37:37 -0600 Subject: wikileaks unreachable In-Reply-To: References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu> Message-ID:

> 'they' is a multicast address ... dyn/everydns or wikileaks? which is > the 'they' that is doing the twittering?

wikileaks. seems that they (wikileaks) got the message, following tweets included their IP address and the new .ch domain.

The current IP address for the cablegate stuff is 213.251.145.96 which is RIPE block assigned to wikileaks, the RIPE WHOIS entry shows 213.251.128.0/18 with AS16276 as origin; whois AS16276 (OVH in Paris France), mtr from here (SATX) seems to go through Dallas and enter Global Crossing network or hosting services, currently <2% packet loss. Server seems to be configured to return IP address based URLs.

-J

From morrowc.lists at gmail.com Fri Dec 3 09:43:01 2010
From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 10:43:01 -0500 Subject: Domain shut downs by Registrar? In-Reply-To: <20101203151717.82424.qmail@joyce.lan> References: <20101203151717.82424.qmail@joyce.lan> Message-ID:

On Fri, Dec 3, 2010 at 10:17 AM, John Levine wrote: > We do remember, don't we, that the domain that started this discussion > were shut down by Verisign, the registry, not a registrar?

what's super fun here is that often in conversations with registries about domains used for malware/spam/etc there's a conversation about: "but we can't just shutdown a domain, we need the registrar to do that... legal/contractual restraints prohibit us..." interesting that in THIS case the registry just took the action, was the domain registered through their registrar arm?
-chris

From johnl at iecc.com Fri Dec 3 09:45:35 2010
From: johnl at iecc.com (John R. Levine) Date: 3 Dec 2010 10:45:35 -0500 Subject: Domain shut downs by Registrar? In-Reply-To: References: <20101203151717.82424.qmail@joyce.lan> Message-ID:

>> We do remember, don't we, that the domain that started this discussion >> were shut down by Verisign, the registry, not a registrar? > interesting that in THIS case the registry just took the action, was > the domain registered through their registrar arm?

They haven't had a registrar arm since they spun off Network Solutions in 2002.

Regards, John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly

From bill at herrin.us Fri Dec 3 09:47:44 2010
From: bill at herrin.us (William Herrin) Date: Fri, 3 Dec 2010 10:47:44 -0500 Subject: The scale of streaming video on the Internet. In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> Message-ID:

On Thu, Dec 2, 2010 at 3:28 PM, Owen DeLong wrote: > On Dec 2, 2010, at 12:21 PM, Leo Bicknell wrote: >> Sunday Night Football at the top last week, with 7.1% of US homes >> watching. That's over 23 times as many folks watching as the 0.3% in >> our previous math! Ok, 23 times 150Gbps. >> >> 3.45Tb/s. >> >> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show. > > You are assuming the absence of any of the following optimizations: > > 1. Multicast > 2. Overlay networks using P2P services (get parts of your stream > from some of your neighbors).

Leo and Owen: Thank you for reminding us to look at the other side of the problem. If the instant problem is that the character of eyeball-level Internet service has shifted to include a major component of data which is more or less broadcast in nature (some with time shifting, some without). There's a purely technical approach that can resolve it: deeply deployed content caches.
Multicasting presents some difficult issues even with live broadcasts and it doesn't work at all for timeshifted delivery (someone else starts watching the same movie 5 minutes later). As for P2P... seriously? I know a couple companies have tinkered with the idea but even if you could get good algorithms for identifying the least consumptive source, it still seems like granting random strangers the use of your computer as a condition of service would get real old real fast. But there's a third mechanism worth considering as well: the caching proxy. Perhaps the eyeball networks should build, standardize and deploy a content caching system so that the popular Netflix streams (and the live broadcast streams) can usually get their traffic from a local source. Deploy a cache to the neighborhood box and a bigger one to the local backend. Then organize your peering so that it's _less convenient_ to request large bandwidths than to write your software so it employs the content caches. Maybe even make that a type of open peering: we'll give all comers any sized port they want, but address-constrained so it can only talk to our content caches. Technology like web proxies has some obvious deficiencies. Implemented transparently they reduce the reliability of your web access. Implemented by configuration, finding the best proxy is a hassle. Either way no real thought has been put in to how to determine that a proxy is misbehaving and bypass it in a timely manner. It just isn't as resilient as a bare Internet connection to the remote server. But with a content cache designed to implement a near-real-time caching protocol from the ground up, these are all solvable problems. Use anycast to find the nearest cache and unicast to talk to it. Use UDP to communicate and escalate lost, delayed or corrupted packets to a higher level cache or even the remote server. Trade auth and decryption keys with the remote server before fetching from the local cache. And so on. 
So, build a content caching system that gives you a multiplier effect reducing bandwidth aggregates to a reasonable level. And then organize your peering process so when technically possible, it's always more convenient to use your caching system than request a bigger pipe.

You'll still have to eventually address the fairness issues associated with Network Neutrality. But having provided a reasonable technical solution you can do it without the bugaboo of network video breathing down your neck. And oh by the way you can deny your competitors Netflix's business since they'll no longer need quite such huge bandwidths after employing your technology.

Here's hoping nobody offers me a refund on my two cents...

Regards, Bill Herrin

-- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004

From morrowc.lists at gmail.com Fri Dec 3 09:49:47 2010
From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 10:49:47 -0500 Subject: Domain shut downs by Registrar? In-Reply-To: References: <20101203151717.82424.qmail@joyce.lan> Message-ID:

On Fri, Dec 3, 2010 at 10:45 AM, John R. Levine wrote: >>> We do remember, don't we, that the domain that started this discussion >>> were shut down by Verisign, the registry, not a registrar? > >> interesting that in THIS case the registry just took the action, was >> the domain registered through their registrar arm? > > They haven't had a registrar arm since they spun off Network Solutions in > 2002. >

thanks... so, in this case, why did they take this action? why didn't they push the action to the registrar? or did they and the registrar refused to comply? (potentially because the domains weren't violating a TOS?)

I suppose though, on the good side, we can expect the Verisign folks to now shutdown other domains we bring to their attention as malware/spamware/etc without protest?
-chris From mikea at mikea.ath.cx Fri Dec 3 09:57:55 2010 From: mikea at mikea.ath.cx (mikea) Date: Fri, 3 Dec 2010 09:57:55 -0600 Subject: Domain shut downs by Registrar? In-Reply-To: References: <20101203151717.82424.qmail@joyce.lan> Message-ID: <20101203155755.GA51069@mikea.ath.cx> On Fri, Dec 03, 2010 at 10:49:47AM -0500, Christopher Morrow wrote: > On Fri, Dec 3, 2010 at 10:45 AM, John R. Levine wrote: > >>> We do remember, don't we, that the domain that started this discussion > >>> were shut down by Verisign, the registry, not a registrar? > >> interesting that in THIS case the registry just took the action, was > >> the domain registered through their registrar arm? > > They haven't had a registrar arm since they spun off Network Solutions in > > 2002. > thanks... so, in this case, why did they take this action? why didn't > they push the action to the registrar? or did they and the registrar > refused to comply? (potentially because the domains weren't violating > a TOS?) > I suppose though, on the good side, we can expect the Verisign folks > to now shutdown other domains we bring to their attention as > malware/spamware/etc without protest? Without a doubt. And all the pigs have been fueled and serviced, and are in all respects ready for flight. -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From morrowc.lists at gmail.com Fri Dec 3 10:08:21 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 11:08:21 -0500 Subject: The scale of streaming video on the Internet. In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> Message-ID: On Fri, Dec 3, 2010 at 10:47 AM, William Herrin wrote: > If the instant problem is that the character of eyeball-level Internet > service has shifted to include a major component of data which is more > or less broadcast in nature (some with time shifting, some without). > There's a purely technical approach that can resolve it: deeply > deployed content caches. 
the above is essentially what Akamai (and likely other CDN products) built/build... from what I understand (purely from the threads here) Akamai lost out on the traffic-sales for NetFlix to L3's CDN. Comcast (for this example) lost the localized in-network caching when that happened. Maybe L3 will choose to deploy some of their caches into Comcast (or other like-minded networks) to make this all work out better/faster/stronger for the whole set of participants?

> But there's a third mechanism worth considering as well: the caching proxy.

I think that's essentially what Akamai/LLNW are (not quite squid, patrick will get all uppity about me calling the akamai boxies 'souped up squid proxies' :) it's a simple model to keep in mind though) Apparently Google-Global-Cache is somewhat like this as well, no?

Admittedly these are 'owner specific' solutions, but they do what you propose at the cost of a few gig links in the provider's network (or 10g links depending on the deployment) - all "local" and "cheap" interfaces, not long-haul, and close to the consumer of the data.

> Perhaps the eyeball networks should build, standardize and deploy a > content caching system so that the popular Netflix streams (and the > live broadcast streams) can usually get their traffic from a local > source. Deploy a cache to the neighborhood box and a bigger one to the > local backend. Then organize your peering so that it's _less > convenient_ to request large bandwidths than to write your software so > it employs the content caches.

This brings with it an unsaid complication, the content-owner (netflix in this example) now depends upon some 'service' in the network (comcast in this example) to be up/operational/provisioned-properly for a service to the end-user (comcast customer in this example), even though NetFlix/Comcast may have no actual relationship.
Expand this to PornTube/JustinTV/etc or something similar, how do these content owners assure (and measure and metric and route-around in the case of deviation from acceptable numbers?) that the SLA their customer expects is being respected by the intermediate network(s)? How does this play if Comcast (in this example) ends up being just a transit network for another downstream ISP?

The owner-specific solutions today probably include some form of SLA measurement/monitoring and problem avoidance, or I think they probably do, Akamai I believe does at least. That sort of thing would have to be open/available as well in the 'content owner neutral' solutions.

Oh, how do you deconflict situations where two content owners are using the 'service' in Comcast, but one is "abusing" the service? Should the content owners expect 'equal share'? or how does that work? resources on the cache system are obviously at a premium, if Netflix overruns (due to their customers demanding a more wide spread of higher resource required content - HD 1080p streams say with a 'less optimal' codec in use...) their share how does JustinTV deal with this? Do they then shift their streams to more direct-to-customer and not via the cache system? that increases their transit costs (potentially) and the costs on Comcast at the peering locations?

-Chris

From bicknell at ufp.org Fri Dec 3 10:18:23 2010
From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 3 Dec 2010 08:18:23 -0800 Subject: The scale of streaming video on the Internet. In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> Message-ID: <20101203161823.GB77297@ussenterprise.ufp.org>

In a message written on Fri, Dec 03, 2010 at 11:08:21AM -0500, Christopher Morrow wrote: > the above is essentially what Akamai (and likely other CDN products) > built/build... from what I understand (purely from the threads here) > Akamai lost out on the traffic-sales for NetFlix to L3's CDN.
> Comcast > (for this example) lost the localized in-network caching when that > happened.

Playing devil's advocate here....

I think the issue here is that the Akamai model saves the end user providers like Comcast a boatload of money. By putting a cluster in Fargo to serve those local users Comcast doesn't have to build a network to say, Chicago Equinix to get the traffic from peers.

However, the conventional wisdom is that the Akamai's of the world pay Comcast for this privilege; Comcast charges them for space, power, and port fees in Fargo.

The irony here is that Comcast's insistence to charge Akamai customer rates for these ports in Fargo make Akamai's price to Netflix too high, and drove them to Level 3 who wants to drop off the traffic in places like Equinix Chicago. Now they get to build backbone to those locations to support it. In many ways I feel they are reaping what they sowed.

I think the OP was actually thinking that /Comcast/ should run the caching boxes in each local market, exporting the 50-100 /32 routes to "content peers" at Equinix's and the like, but NOT the end user blocks. This becomes more symbiotic though as the content providers then need to know how to direct the end users to the Comcast caching boxes, so it's not so simple.

-- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL:

From gary.buhrmaster at gmail.com Fri Dec 3 10:30:38 2010
From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Fri, 3 Dec 2010 16:30:38 +0000 Subject: Want to move to all 208V for server racks In-Reply-To: <20101203075436.GX1583@angus.ind.WPI.EDU> References: <20101203075436.GX1583@angus.ind.WPI.EDU> Message-ID:

On Fri, Dec 3, 2010 at 07:54, Chuck Anderson wrote: .... > On another note, how do you calculate N+1 power feeds in your racks?
> If you have 2 PDUs fed from two different branch circuits/UPSes/etc. > do you just set your PDU load alarm thresholds at 50% of the max > rating of each PDU and never load them beyond that point, so that if > you lose one PDU/branch circuit/UPS and the dual-power servers > transfer their load over to the other side, it doesn't get overloaded? That would be around 40%, not 50% (80% of 50%). Note that there are some caveats. Some power supplies are more or less efficient at different (low vs. high) utilizations, and depending on the design, you are running (with 2 power supplies) either each at (around) 50% of load, or 1 at 100% and the other at 0%. It is *possible* to be able to run near 60% on two UPS circuits if the power supplies are inefficient at 50%. But this requires a lot more design and evaluation work than the (easy to calculate) 40% target. Also note that *your* electrical engineer may de-rate the circuits capacity due to the fact that switching power supplies generate numerous artifacts on the lines. These are all advanced (electrical) engineering topics. Gary From tme at americafree.tv Fri Dec 3 10:31:27 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Fri, 3 Dec 2010 11:31:27 -0500 Subject: The scale of streaming video on the Internet. In-Reply-To: <4CF8FBB1.4040708@tonal.clara.co.uk> References: <20101202202151.GA65475@ussenterprise.ufp.org> <4CF8FBB1.4040708@tonal.clara.co.uk> Message-ID: On Dec 3, 2010, at 9:16 AM, Neil Harris wrote: > On 02/12/10 20:21, Leo Bicknell wrote: >> Comcast has around ~15 million high speed Internet subscribers (based on >> year old data, I'm sure it is higher), which means at peak usage around >> 0.3% of all Comcast high speed users would be watching. >> >> That's an interesting number, but let's run back the other way. >> Consider what happens if folks cut the cord, and watch Internet >> only TV. 
I went and found some TV ratings: >> >> http://tvbythenumbers.zap2it.com/2010/11/30/tv-ratings-broadcast-top-25-sunday-night-football-dancing-with-the-stars-finale-two-and-a-half-men-ncis-top-week-10-viewing/73784 >> >> Sunday Night Football at the top last week, with 7.1% of US homes >> watching. That's over 23 times as many folks watching as the 0.3% in >> our previous math! Ok, 23 times 150Gbps. >> >> 3.45Tb/s. >> >> Yowzer. That's a lot of data. 345 10GE ports for a SINGLE TV show. >> >> But that's 7.1% of homes, so scale up to 100% of homes and you get >> 48Tb/sec, that's right 4830 simultaneous 10GE's if all of Comcast's >> existing high speed subs dropped cable and watched the same shows over >> the Internet. >> >> I think we all know that streaming video is large. Putting the real >> numbers to it shows the real engineering challenges on both sides, >> generating and sinking the content, and why comapnies are fighting so >> much over it. >> >> > > You might be interested in the EU-funded P2P-NEXT research initiative, which is creating a P2P system capable of handling P2P broadcasting at massive scale: > > http://www.p2p-next.org/ This already exists in China. http://www.ietf.org/proceedings/77/slides/P2PRG-3.pdf Regards Marshall > > -- Neil > > (full disclosure: I'm associated with one of the participants in the project) > > > From bill at herrin.us Fri Dec 3 10:38:07 2010 From: bill at herrin.us (William Herrin) Date: Fri, 3 Dec 2010 11:38:07 -0500 Subject: The scale of streaming video on the Internet. In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> Message-ID: On Fri, Dec 3, 2010 at 11:08 AM, Christopher Morrow wrote: > On Fri, Dec 3, 2010 at 10:47 AM, William Herrin wrote: >> Perhaps the eyeball networks should build, standardize and deploy a >> content caching system so that the popular Netflix streams (and the >> live broadcast streams) can usually get their traffic from a local >> source. 
Deploy a cache to the neighborhood box and a bigger one to the >> local backend. Then organize your peering so that it's _less >> convenient_ to request large bandwidths than to write your software so >> it employs the content caches. > > This brings with it an unsaid complication, the content-owner (netflix > in this example) now depends upon some 'service' in the network > (comcast in this example) to be up/operational/provisioned-properly > for a service to the end-user (comcast customer in this example), even > though NetFlix/Comcast may have no actual relationship. Actually, there was nothing particularly "unsaid" about the complication: >> Technology like web proxies has some obvious deficiencies. [...] >> Either way no real thought has been put in to how to determine that a >> proxy is misbehaving and bypass it in a timely manner. It just isn't >> as resilient as a bare Internet connection to the remote server. >> >> [...] these are all solvable problems. >> Use anycast to find the nearest cache and unicast to talk to it. Use >> UDP to communicate and escalate lost, delayed or corrupted packets to >> a higher level cache or even the remote server. Trade auth and >> decryption keys with the remote server before fetching from the local >> cache. And so on. You put some basic intelligence in the app: if local cache != working, try regional cache. If regional cache != working, go direct to main server. There's no SLA issue... if the ISP doesn't maintain the caching proxy (or doesn't deploy one at all) then they take the bandwidth hit instead with the same protocol served by a CDN or the originating company. > Oh, how do you deconflict situations where two content owners are > using the 'service' in Comcast, but one is "abusing" the service? > Should the content owners expect 'equal share'? or how does that work? What conflict? If the cache isn't working to the app's standard, the app simply requests past it, straight to Netflix's servers if need be. 
The point is to produce a protocol and system for video and other broadcast delivery that can -opportunistically- reduce the long haul bandwidth consumption (and therefore cost) borne by the eyeball network. What would be the point in building something that critfails because one guy doesn't want to play and another has a minor broken component in the middle? Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004

From ravi-lists at g8o.net Fri Dec 3 10:38:31 2010 From: ravi-lists at g8o.net (// ravi) Date: Fri, 3 Dec 2010 11:38:31 -0500 Subject: wikileaks unreachable In-Reply-To: References: <7182D9D0-572B-402A-A922-29220AA8F28E@americafree.tv> <4CF6C072.4020402@tiedyenetworks.com> <790B3709-C100-4E82-A539-D952ADAD599C@arbor.net> <4CF8890B.2060005@netsec.colostate.edu> Message-ID: <2F53C050-F40E-4CA1-863B-64E8440C6CAF@g8o.net>

On Dec 3, 2010, at 1:19 AM, Jorge Amodio wrote: >> and this is based on what facts? > > Instead of tweeting about how to reach their content, or their IP > addresses to bypass DNS [snip happens] http://twitter.com/#!/wikileaks/status/10621245489938433 7 hours ago (Randy, I plan/hope to requote your earlier message -- non-commercial use -- with attribution) --ravi

From morrowc.lists at gmail.com Fri Dec 3 10:39:32 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 11:39:32 -0500 Subject: The scale of streaming video on the Internet. In-Reply-To: <20101203161823.GB77297@ussenterprise.ufp.org> References: <20101202202151.GA65475@ussenterprise.ufp.org> <20101203161823.GB77297@ussenterprise.ufp.org> Message-ID:

On Fri, Dec 3, 2010 at 11:18 AM, Leo Bicknell wrote: > In a message written on Fri, Dec 03, 2010 at 11:08:21AM -0500, Christopher Morrow wrote: >> the above is essentially what Akamai (and likely other CDN products) >> built/build...
from what I understand (purely from the threads here) >> Akamai lost out on the traffic-sales for NetFlix to L3's CDN. Comcast >> (for this example) lost the localized in-network caching when that >> happened. > > Playing devil's advocate here.... > > I think the issue here is that the Akamai model saves the end user > providers like Comcast a boatload of money. By putting a cluster > in Fargo to serve those local users Comcast doesn't have to build > a network to say, Chicago Equinix to get the traffic from peers. right. > However, the conventional wisdom is that the Akamai's of the world > pay Comcast for this privilege; Comcast charges them for space, > power, and port fees in Fargo. > > The irony here is that Comcast's insistence to charge Akamai customer > rates for these ports in Fargo makes Akamai's price to Netflix too > high, and drove them to Level 3 who wants to drop off the traffic > in places like Equinix Chicago. Now they get to build backbone to > those locations to support it. In many ways I feel they are reaping > what they sowed. right. > I think the OP was actually thinking that /Comcast/ should run the > caching boxes in each local market, exporting the 50-100 /32 routes sure... which was what I was addressing. If comcast runs these boxes, how does flix aim their customer 'through' them? how does flix assure their SLA with their customer is being met? how do they then avoid (and assure the traffic is properly handled) these boxes when problems arise? I get that the network operator (comcast here) has the best idea of their internal pain points and costs, I just don't see that them running a set of boxes is going to actually happen/help. Also, do they charge the content owners (or their customers?) for data that passes through these boxes? how do they do cost-recovery operations for this new infra that they must maintain? > to "content peers" at Equinix's and the like, but NOT the end user > blocks.
> This becomes more symbiotic though as the content providers > then need to know how to direct the end users to the Comcast caching > boxes, so it's not so simple. right, that was the point(s) I was trying to make... sadly I didn't make them I guess. -chris > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ >

From jgreco at ns.sol.net Fri Dec 3 10:50:19 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Fri, 3 Dec 2010 10:50:19 -0600 (CST) Subject: Wikileaks moved to cave bunker in Iran, Mr. Assange reportedly offered asylum by North Korea... In-Reply-To: Message-ID: <201012031650.oB3GoJnP098702@aurora.sol.net>

> On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase wrote: > > All our topics of discussion are merging... (soon: "does > > Wikileaks run on 208V?" :) > > If they keep going that way, soon they will be running on nuclear > power from the hidden centrifuges in some cave. And just announced via Twitter ... no, just kidding. However, the events here are troublesome. On one hand, it's kind of predictable. You have some things in the real world, like the arrest alert and being placed on Interpol's "most wanted" for what appears to be not even a case of rape [*1], getting booted from EC2 for "intellectual property" reasons (when the materials in question are not and cannot be copyrighted), having their DNS service disrupted, etc. Assange has irritated a large beast: the US Government. On the other hand, this is the same government that has repeatedly fought to reduce and minimize privacy laws, seen recently in cases such as the GPS tracking fun out in the western states [*2]. None of that might seem relevant to netops, of course, but at some point, we're going to see, and maybe already are seeing, deliberate interference with the network in an effort to make the Internet work the way that the US Government would prefer.
We've already seen some examples of this in seizures of domain names [*3], an activity that would doubtlessly explode under COICA, etc., which at the moment is probably the most vulnerable aspect of the Internet, but will this move on to more insidious things, such as redirection of or null routing of Wikileaks IP space "in response to a congressman's request", while simultaneously waving a patriotic flag? And at what point does that stop? Just for "big bad" things like Wikileaks? We seem to be sailing into an interesting new set of challenges. I'm not sure that it'll be healthy for the net for the government to be providing lists of IP addresses that have to be blocked; our routing tables are already quite challenged.

[*1] http://www.aolnews.com/world/article/sex-by-surprise-at-heart-of-julian-assange-criminal-probe/19741444
[*2] http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/
[*3] http://www.eff.org/deeplinks/2010/11/us-government-seizes-82-websites-draconian-future

... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.

From gary.buhrmaster at gmail.com Fri Dec 3 10:57:03 2010 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Fri, 3 Dec 2010 16:57:03 +0000 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> Message-ID:

On Fri, Dec 3, 2010 at 04:02, John van Oppen wrote: ...
> GFCI breakers are often required on large services, most large (new) 480v services I have seen (1000A and larger) have Ground fault breakers, Actually, my recollection is that large new services include arc suppression rather than ground fault (480V service may be floating in any case, since it would depend on delta-wye distribution). There have been strong efforts to protect the low voltage electricians (in common power distribution speak, 12K+ voltage is high voltage, less is considered low voltage; yes, this is a different point of view). Even with a 100Cal suit on, you really want arc suppression at those high joule ratings to protect a life (every master electrician has a story about arc flashes, and some stories include the outline of the ex-individual on the opposite wall). It is now common when doing work on downstream devices to reduce the arc limits so that one's life has increased protection. A protective trip is better than the alternative. > in fact I have seen some bad outages on entire datacenters where the main breakers had a lower ground-fault current setting (for tripping) than a branch circuit that had a phase-to-ground fault resulting in the main breakers tripping instead of the branch circuit. *Proper* engineering is more than just putting in a breaker with a high enough rating. The days of nice resistive (think incandescent light bulbs) or inductive (motor/transformer) loads are long gone. Switching power supplies (or large pulse rectifiers) require a more careful analysis. I have seen too many upstream breakers being set at the wrong trip values (the larger breakers have internal adjustments), and trip first. Gary

From M.Hotze at hotze.com Fri Dec 3 11:06:46 2010 From: M.Hotze at hotze.com (Martin Hotze) Date: Fri, 3 Dec 2010 17:06:46 +0000 Subject: The scale of streaming video on the Internet.
In-Reply-To: References: Message-ID: <2EAA64100D553F448A3BC8EAEB3D0FDA1AB2D2@EXSRV.hotzecom.local>

> Date: Fri, 3 Dec 2010 10:47:44 -0500 > From: William Herrin > Subject: Re: The scale of streaming video on the Internet. > To: Owen DeLong > Cc: nanog at nanog.org (...) > But there's a third mechanism worth considering as well: the caching > proxy. IMHO it is a waste of bandwidth to use IP/network-based infrastructure for stuff like unidirectional data - like distributing a movie (on demand or scheduled). In this case nothing beats a satellite transponder and a dish, also cost-wise. #m

From gary.buhrmaster at gmail.com Fri Dec 3 11:09:04 2010 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Fri, 3 Dec 2010 17:09:04 +0000 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID:

btw, one thing I do not recall seeing on this thread is that 208v avoids one of the common problems with 120v, which is the third harmonic issue. With the cheaper switching power supplies, one will often see significant 3rd harmonics in the waveforms(*). The 3rd harmonics, across a 3 phase circuit, are additive on the neutral. In worst case, your (common) neutral current may exceed the line currents. Proper engineering for significant 120v distribution in new DC construction often requires double sized neutrals to mitigate against this. Using 208v mitigates this particular issue. Gary (*) There are also other harmonics, but for this discussion, 3rd is what matters.

From jmamodio at gmail.com Fri Dec 3 11:16:18 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Fri, 3 Dec 2010 11:16:18 -0600 Subject: Wikileaks moved to cave bunker in Iran, Mr. Assange reportedly offered asylum by North Korea... In-Reply-To: <201012031650.oB3GoJnP098702@aurora.sol.net> References: <201012031650.oB3GoJnP098702@aurora.sol.net> Message-ID:

> Assange has irritated a large beast: the US Government.
s/a large beast/a couple of large beasts/ I believe that he is pissing off not only the USG, some other Govts dealing with the USG behind the veil of secrecy are probably getting very pissed with him too. -J

From sth at nas.com Fri Dec 3 11:16:29 2010 From: sth at nas.com (sth) Date: Fri, 3 Dec 2010 09:16:29 -0800 Subject: Domain shut downs by Registrar? In-Reply-To: References: Message-ID: <1C0346CC-3409-48E1-AE4A-FCE0FEE55417@nas.com>

Does anyone have any experience with eNom in this regard -- compliance and operating under 'pressure' from outside authorities? --sth On Dec 2, 2010, at 8:55 PM, Jeffrey Lyon wrote: > We use OpenSRS and never have these issues. Many of the other major > registrars will freeze domains for whatever reason they choose. > OpenSRS basically fulfills their duties to ICANN and leaves it alone > at that. The only domain I have ever seen them get involved with was > a long time ago when someone stole a domain from Network Solutions > using fraudulent paperwork and then managed to transfer it out. > > Jeff

From jra at baylink.com Fri Dec 3 11:17:26 2010 From: jra at baylink.com (Jay Ashworth) Date: Fri, 3 Dec 2010 12:17:26 -0500 (EST) Subject: Want to move to all 208V for server racks In-Reply-To: Message-ID: <19317299.342.1291396646566.JavaMail.root@benjamin.baylink.com>

---- Original Message ----- > From: "Gary Buhrmaster" > > A protective trip is better than the alternative. This depends on what you're optimising for; google "battle short" for more on that.
Cheers, -- jra

From mpetach at netflight.com Fri Dec 3 11:30:20 2010 From: mpetach at netflight.com (Matthew Petach) Date: Fri, 3 Dec 2010 09:30:20 -0800 Subject: Trying to Make Sense of the Comcast/Level 3 Dispute In-Reply-To: <20101203144934.GB71451@ussenterprise.ufp.org> References: <20101203144934.GB71451@ussenterprise.ufp.org> Message-ID:

On Fri, Dec 3, 2010 at 6:49 AM, Leo Bicknell wrote: > In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote: >> Interesting article: >> >> http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3 >> - -dispute > > Here's an excellent summary, complete with some pictures: > > http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-you > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ > Unfortunately, they got at least part of the diagram wrong; Yahoo uses Global Crossing to reach Comcast, not TATA. Matt

From bicknell at ufp.org Fri Dec 3 11:35:02 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 3 Dec 2010 09:35:02 -0800 Subject: The scale of streaming video on the Internet. In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> <20101203161823.GB77297@ussenterprise.ufp.org> Message-ID: <20101203173502.GA82989@ussenterprise.ufp.org>

In a message written on Fri, Dec 03, 2010 at 11:39:32AM -0500, Christopher Morrow wrote: > right, that was the point(s) I was trying to make... sadly I didn't > make them I guess. Well, I wasn't 100% sure, so best to confirm. But it all goes to the heart of Network Neutrality. It's easy to set up the extreme straw men on both sides: - If Netflix had a single data center in Seattle it is unreasonable for them to expect Comcast to settlement free peer with them and then haul the traffic to every local market.
- If Netflix pays Akamai (or similar) to place the content in all local markets saving Comcast all of the backbone costs it is unreasonable for Comcast to then charge them. The question is, what in the middle of those two is fair? That seems to be what the FCC is trying to figure out. It's an extremely hard question, I've pondered many business and technical ideas proposed by a lot of great thinkers, and all of them have significant problems. At a high level, I think peering needs to evolve in two very important ways: - Ratio needs to be dropped from all peering policies. It made sense back when the traffic was two people e-mailing each other. It was a measure of "equal value". However the net has evolved. In the face of streaming audio and video, or rich multimedia web sites Content->User will always be wildly out of ratio. It has moved from a useful measure, to an excuse to make Content pay in all circumstances. - Peering policies need to look closer at where traffic is being dropped off. Hot potato was never a good idea, it placed the burden on the receiver and "propped up" ratio as a valid excuse. We need more cold potato routing, more peering only with regional ASN's/routes. Those connecting to the eyeball networks have a responsibility to get the content at least in the same general areas as the end user, and not drop it off across the country. If large ISP's really wanted to get the FCC off their back they would look at writing 21st century peering policies, rather than trying to keep shoehorning 20th century ones into working with a 21st century traffic profile. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/

From gbonser at seven.com Fri Dec 3 11:38:07 2010 From: gbonser at seven.com (George Bonser) Date: Fri, 3 Dec 2010 09:38:07 -0800 Subject: wikileaks dns (was Re: Blocking International DNS) In-Reply-To: References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>

> > I guess the USG's cyberwar program does work (very dryly said). It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it. As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of. But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to "pressure" the publishing entity to stop it. To expect someone not to "pressure" someone to remove potentially damaging material is probably naïve.

From zaid at zaidali.com Fri Dec 3 11:41:26 2010 From: zaid at zaidali.com (Zaid Ali) Date: Fri, 03 Dec 2010 09:41:26 -0800 Subject: wikileaks unreachable In-Reply-To: <2F53C050-F40E-4CA1-863B-64E8440C6CAF@g8o.net> Message-ID:

I see a new T-Shirt "Free speech has an IP address" Zaid On 12/3/10 8:38 AM, "// ravi" wrote: > On Dec 3, 2010, at 1:19 AM, Jorge Amodio wrote: >>> and this is based on what facts?
>> >> Instead of tweeting about how to reach their content, or their IP >> addresses to bypass DNS [snip happens] > > > http://twitter.com/#!/wikileaks/status/10621245489938433 > 7 hours ago > > (Randy, I plan/hope to requote your earlier message -- non-commercial use -- > with attribution) > > --ravi >

From bicknell at ufp.org Fri Dec 3 11:42:10 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 3 Dec 2010 09:42:10 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> Message-ID: <20101203174210.GB82989@ussenterprise.ufp.org>

In a message written on Fri, Dec 03, 2010 at 04:57:03PM +0000, Gary Buhrmaster wrote: > limits so that one's life has increased protection. A protective trip > is better than > the alternative. Not always. I worked in a data center with something I thought was very, very cool. http://www.hilkar.com/highresistance.htm The concept, at a high level, is rather than tie the (service, not signal) ground back to grounding rods directly you run it through a large resistor. Now when a phase is "grounded" it runs through the resistor, allowing a small but safe current to flow. Why is this cool? Well, say you have a power strip running at 10A with a bunch of servers on it. If you took a paperclip and inserted it in an empty plug connecting hot to ground with a normal system (simulating a faulty bit of gear) the breaker would trip, all your servers would go off. If you did this with a high resistance setup the paperclip would conduct about 0.5A, maybe less. An alarm, detecting current, at the resistor would go off to say there was a fault. Your circuit would draw 10.5 amps and everything would stay up and running. That faulty bit of gear didn't take down your entire power strip. This totally eliminates arc faults, and there isn't enough current to ground to arc.
I think GFCI's are also unnecessary, as the fault can't conduct enough current to be harmful. Note there are a TON of other details to building such a system. Cost is a factor why more folks don't do it, and it takes a lot of pencil scratching by your EE types. Still, one of the coolest things I've ever seen, and I wish more data centers were built this way. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/

From jmamodio at gmail.com Fri Dec 3 11:47:09 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Fri, 3 Dec 2010 11:47:09 -0600 Subject: wikileaks unreachable In-Reply-To: References: <2F53C050-F40E-4CA1-863B-64E8440C6CAF@g8o.net> Message-ID:

> I see a new T-Shirt "Free speech has an IP address" on the front, and on the back "DDOS me Senator if you can" -J

From brunner at nic-naa.net Fri Dec 3 12:01:37 2010 From: brunner at nic-naa.net (Eric Brunner-Williams) Date: Fri, 03 Dec 2010 13:01:37 -0500 Subject: wikileaks unreachable In-Reply-To: References: Message-ID: <4CF93081.2040703@nic-naa.net>

there exists a free speech application for fast flux hosting networks, and it's in connecticut, not china. (during the icann gnso pdp on fast flux hosting the above assertion was generally dismissed) -e On 12/3/10 12:41 PM, Zaid Ali wrote: > I see a new T-Shirt "Free speech has an IP address" > > Zaid > > > On 12/3/10 8:38 AM, "// ravi" wrote: > >> On Dec 3, 2010, at 1:19 AM, Jorge Amodio wrote: >>>> and this is based on what facts? >>> >>> Instead of tweeting about how to reach their content, or their IP >>> addresses to bypass DNS [snip happens] >> >> >> http://twitter.com/#!/wikileaks/status/10621245489938433 >> 7 hours ago >> >> (Randy, I plan/hope to requote your earlier message -- non-commercial use --
>> with attribution) >> >> --ravi >> > > > > > >

From morrowc.lists at gmail.com Fri Dec 3 12:05:32 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 13:05:32 -0500 Subject: wikileaks unreachable In-Reply-To: <4CF93081.2040703@nic-naa.net> References: <4CF93081.2040703@nic-naa.net> Message-ID:

On Fri, Dec 3, 2010 at 1:01 PM, Eric Brunner-Williams wrote: > there exists a free speech application for fast flux hosting networks, and > it's in connecticut, not china. > > (during the icann gnso pdp on fast flux hosting the above assertion was > generally dismissed) 'fast flux hosting' == akamai, no? -chris

From alex at corp.nac.net Fri Dec 3 12:05:49 2010 From: alex at corp.nac.net (Alex Rubenstein) Date: Fri, 3 Dec 2010 13:05:49 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101203075436.GX1583@angus.ind.WPI.EDU> Message-ID:

> Also note that *your* electrical engineer may de-rate the circuit's capacity > due to the fact that switching power supplies generate numerous artifacts on > the lines. These are all advanced (electrical) engineering topics. From a practical, real-world standpoint, these are not concerns today.

From if at xip.at Fri Dec 3 12:08:09 2010 From: if at xip.at (Ingo Flaschberger) Date: Fri, 3 Dec 2010 19:08:09 +0100 (CET) Subject: Wikileaks moved to cave bunker in Iran, Mr. Assange reportedly offered asylum by North Korea... In-Reply-To: <201012031650.oB3GoJnP098702@aurora.sol.net> References: <201012031650.oB3GoJnP098702@aurora.sol.net> Message-ID:

> We seem to be sailing into an interesting new set of challenges. I'm not > sure that it'll be healthy for the net for the government to be providing > lists of IP addresses that have to be blocked; our routing tables are > already quite challenged. if - then welcome to china, we are also there.
Kind regards, Ingo Flaschberger

From drc at virtualized.org Fri Dec 3 12:10:31 2010 From: drc at virtualized.org (David Conrad) Date: Fri, 3 Dec 2010 08:10:31 -1000 Subject: Domain shut downs by Registrar? In-Reply-To: References: <20101203151717.82424.qmail@joyce.lan> Message-ID: <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org>

On Dec 3, 2010, at 5:49 AM, Christopher Morrow wrote: > thanks... so, in this case, why did they take this action? When folks with guns and little sense of humor show up at your door with a sealed court ordered warrant relating to resources you have direct authority over, would you tell them to talk to a retailer for that resource? Oh, and don't forget VeriSign has a contract (cooperative agreement? whatever) involving the USG for the administration of COM/NET. > why didn't they push the action to the registrar? or did they and the registrar > refused to comply? (potentially because the domains weren't violating > a TOS?) The registrar in question (GoDaddy) claims no one came to them and they had no idea what was going on (although that didn't stop them from blaming ICANN). > I suppose though, on the good side, we can expect the Verisign folks > to now shutdown other domains we bring to their attention as > malware/spamware/etc without protest? "Got Warrant?" Regards, -drc

From fweimer at bfk.de Fri Dec 3 12:11:42 2010 From: fweimer at bfk.de (Florian Weimer) Date: Fri, 03 Dec 2010 18:11:42 +0000 Subject: Domain shut downs by Registrar? In-Reply-To: (John R. Levine's message of "3 Dec 2010 10:45:35 -0500") References: <20101203151717.82424.qmail@joyce.lan> Message-ID: <82y686pvz5.fsf@mid.bfk.de>

* John R. Levine: >>> We do remember, don't we, that the domains that started this discussion >>> were shut down by Verisign, the registry, not a registrar? > >> interesting that in THIS case the registry just took the action, was >> the domain registered through their registrar arm?
> > They haven't had a registrar arm since they spun off Network Solutions > in 2002. I think Verisign DBMS acts as a registrar for ccTLDs. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

From brunner at nic-naa.net Fri Dec 3 12:14:09 2010 From: brunner at nic-naa.net (Eric Brunner-Williams) Date: Fri, 03 Dec 2010 13:14:09 -0500 Subject: wikileaks unreachable In-Reply-To: References: <4CF93081.2040703@nic-naa.net> Message-ID: <4CF93371.8020306@nic-naa.net>

On 12/3/10 1:05 PM, Christopher Morrow wrote: > On Fri, Dec 3, 2010 at 1:01 PM, Eric Brunner-Williams > wrote: >> there exists a free speech application for fast flux hosting networks, and >> it's in connecticut, not china. >> >> (during the icann gnso pdp on fast flux hosting the above assertion was >> generally dismissed) > > 'fast flux hosting' == akamai, no? of course that use case was considered. it was offered as the rationale for default (unconditional) rapid update, though it does fall into the stupid-dns-tricks bucket. -e

From morrowc.lists at gmail.com Fri Dec 3 12:16:52 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Fri, 3 Dec 2010 13:16:52 -0500 Subject: Domain shut downs by Registrar? In-Reply-To: <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org> References: <20101203151717.82424.qmail@joyce.lan> <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org> Message-ID:

On Fri, Dec 3, 2010 at 1:10 PM, David Conrad wrote: > On Dec 3, 2010, at 5:49 AM, Christopher Morrow wrote: >> thanks... so, in this case, why did they take this action? > > When folks with guns and little sense of humor show up at your door with a sealed court ordered warrant relating to resources you have direct authority over, would you tell them to talk to a retailer for that resource? Oh, and don't forget VeriSign has a contract (cooperative agreement? whatever) involving the USG for the administration of COM/NET.
> yup, convenient. >> why didn't they push the action to the registrar? or did they and the registrar >> refused to comply? (potentially because the domains weren't violating >> a TOS?) > > The registrar in question (GoDaddy) claims no one came to them and they had no idea what was going on (although that didn't stop them from blaming ICANN). > ha, why does the USG insist on making things difficult? and making the com/net/icann look like a kangaroo-court? (or that's my perception at times...) >> I suppose though, on the good side, we can expect the Verisign folks >> to now shutdown other domains we bring to their attention as >> malware/spamware/etc without protest? > > "Got Warrant?" yea... so I wonder if the NCFTA folks would pony up warrants for things like the content highlighted by www.abuse.ch ? -chris

From alex at corp.nac.net Fri Dec 3 12:22:47 2010 From: alex at corp.nac.net (Alex Rubenstein) Date: Fri, 3 Dec 2010 13:22:47 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> Message-ID:

> > GFCI breakers are often required on large services, most large (new) > > 480v services I have seen (1000A and larger) have Ground fault > > breakers, > > Actually, my recollection is that large new services include arc suppression > rather than ground fault (480V service may be floating in any case, since it > would depend on delta-wye distribution). There have been strong efforts to > protect the low voltage electricians (in common power distribution speak, > 12K+ voltage is high voltage, less is considered low voltage; yes, this is a > different point of view).
Even with a 100Cal suit on, you really want arc > suppression at those high joule ratings to protect a life (every master > electrician has a story about arc flashes, and some stories include the outline > of the ex-individual on the opposite wall). It is now common when doing > work on downstream devices to reduce the arc limits so that one's life has > increased protection. A protective trip is better than the alternative. Don't confuse arc-flash protection with arc-flash circuit breakers. Doesn't sound like you did, but I said it anyway. As far as ground fault protection, in the 2008 NEC Code, it is required on any service 600 volts or less, 1000 amps or more, per 230.95. As an aside, generally it is accepted that 600v and less is 'low voltage' (not to be confused with telecom/datacomm low voltage); 1kv to about 35kv or so is medium voltage, and above that is high voltage. I think IEEE or ANSI or someone defines this. Google around. Arc flash is a whole new requirement, generally for the life safety aspect of the operators of the electrical equipment. I love putting on an arc flash suit to close an 800 amp breaker, when in the old days we'd do it barefooted on a damp floor. Maybe it wasn't smart, but some of the new arc flash stuff is a bit ridiculous.

From if at xip.at Fri Dec 3 12:23:44 2010 From: if at xip.at (Ingo Flaschberger) Date: Fri, 3 Dec 2010 19:23:44 +0100 (CET) Subject: Want to move to all 208V for server racks In-Reply-To: <20101203174210.GB82989@ussenterprise.ufp.org> References: <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <20101203174210.GB82989@ussenterprise.ufp.org> Message-ID:

Dear Leo, > I worked in a data center with something I thought was very, very cool. > > http://www.hilkar.com/highresistance.htm > > The concept, at a high level, is rather than tie the (service, not > signal) ground back to grounding rods directly you run it through a > large resistor.
> Now when a phase is "grounded" it runs through the > resistor, allowing a small but safe current to flow. currents above 1mA and 50V are dangerous. also the net-frequency of 50hz/60hz causes trouble for the heart (Ventricular fibrillation). If a really fail-tolerant system is needed, then the only solution is to have a ground-free system. the incoming power is transformed (1:1 for example) and not earthed. a special device monitors the voltage between earth and power and raises an alarm if one of the power-lines connects to earth - but does not shut down. the fault can then be repaired without shutdowns. only when 2 faults occur do the breakers trip. usually hospitals use such a configuration. probably the hilkar system is similar to this one. Kind regards, Ingo Flaschberger

From alex at corp.nac.net Fri Dec 3 12:23:49 2010 From: alex at corp.nac.net (Alex Rubenstein) Date: Fri, 3 Dec 2010 13:23:49 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: References: Message-ID:

> btw, one thing I do not recall seeing on this thread is that 208v avoids one of > the common problems with 120v, which is the third harmonic issue. > > With the cheaper switching power supplies, one will often see significant 3rd > harmonics in the waveforms(*). The 3rd harmonics, across a 3 phase circuit, > are additive on the neutral. In worst case, your (common) neutral current > may exceed the line currents. Proper engineering for significant 120v > distribution in new DC construction often requires double sized neutrals to > mitigate against this. > Using 208v mitigates this particular issue. I should have been clearer, when I originally said, "it lessens neutral currents." I meant that to mean, as well, less harmonics.
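Gary's third-harmonic point and Alex's reply above can be checked numerically. The following is an added worked example, written for this archive and not code from either poster: it assumes a balanced three-phase wye load (phases 120 degrees apart) in which each phase draws a fundamental plus one harmonic given as a fraction of the fundamental, samples one cycle, and compares the RMS current on a line conductor with the RMS current on the shared neutral. It goes a little beyond the thread by taking the harmonic order as a parameter, so the same code shows that a 5th harmonic, unlike the 3rd, cancels on the neutral of a balanced load. The peak currents and the breakeven fraction are constructed values for illustration.

```python
"""Neutral current from harmonics on a balanced three-phase circuit.

Added illustration (not from the NANOG thread): each phase draws a
fundamental plus one harmonic; the three phases are displaced by 120
degrees.  One cycle is sampled numerically, the neutral current is the
instantaneous sum of the three phase currents, and RMS values are compared.
"""
import math

TWO_PI = 2.0 * math.pi
# Phase displacement of A, B and C in radians (0, -120, -240 degrees).
PHASE_OFFSETS = (0.0, -TWO_PI / 3.0, -2.0 * TWO_PI / 3.0)


def phase_current(t, i1, ih, order, offset):
    """Instantaneous current of one phase at time t, in cycles of the fundamental.

    i1 is the peak fundamental current, ih the peak harmonic current,
    order the harmonic number (3 for the third harmonic) and offset the
    phase displacement.  Constructed amplitudes; no real load is modelled.
    """
    angle = TWO_PI * t + offset
    return i1 * math.sin(angle) + ih * math.sin(order * angle)


def rms(samples):
    """Root-mean-square of a list of instantaneous samples."""
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def line_and_neutral_rms(i1, ih, order=3, samples=3600):
    """Return (line RMS, neutral RMS) for a balanced load over one cycle.

    3600 samples per cycle is far above Nyquist for the harmonics used here,
    so the discrete RMS matches the analytic value to floating-point error.
    """
    line, neutral = [], []
    for k in range(samples):
        t = k / samples
        ia, ib, ic = (phase_current(t, i1, ih, order, o) for o in PHASE_OFFSETS)
        line.append(ia)            # every phase carries the same RMS when balanced
        neutral.append(ia + ib + ic)  # the neutral carries the vector sum
    return rms(line), rms(neutral)


def third_harmonic_breakeven():
    """Third-harmonic fraction of the fundamental at which neutral RMS equals line RMS.

    Fundamentals cancel on the neutral; third harmonics of the three phases
    are in phase and add to 3*ih.  Neutral RMS = 3*ih/sqrt(2) and line RMS =
    sqrt((i1^2 + ih^2)/2), which are equal when 9*ih^2 = i1^2 + ih^2,
    i.e. when ih/i1 = 1/sqrt(8) (about 35% third-harmonic content).
    """
    return 1.0 / math.sqrt(8.0)


if __name__ == "__main__":
    for order in (3, 5):
        for frac in (0.0, 0.2, 0.4, 0.6):
            line, neutral = line_and_neutral_rms(1.0, frac, order)
            print(f"harmonic {order}, {frac:.0%} of fundamental: "
                  f"line {line:.3f} A, neutral {neutral:.3f} A")
    print(f"third harmonic above {third_harmonic_breakeven():.1%} of the "
          f"fundamental pushes neutral current past line current")
```

With a third harmonic at 40% of the fundamental the neutral already carries more RMS current than any line conductor, which is the condition Gary describes and the reason for the double-sized neutrals he mentions; the same 40% as a 5th harmonic leaves the neutral idle on a balanced load, because only triplen harmonics are zero-sequence.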
From ck at sandcastl.es Fri Dec 3 12:34:06 2010
From: ck at sandcastl.es (christian koch)
Date: Fri, 3 Dec 2010 10:34:06 -0800
Subject: Trying to Make Sense of the Comcast/Level 3 Dispute
In-Reply-To:
References: <20101203144934.GB71451@ussenterprise.ufp.org>
Message-ID:

my guess is the info for that was pulled off comcast's route server, where only tata is seen

BGP routing table entry for 98.137.128.0/19, version 681406320
Paths: (8 available, best #8, table Default-IP-Routing-Table)
  Not advertised to any peer
  6453 10310 36752 36752, (received & used)
    68.86.1.43 (metric 72251) from 68.86.80.5 (68.86.1.5)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:43 7922:3050 7922:3120
      Originator: 68.86.1.43, Cluster list: 68.86.1.5
  6453 10310 36752 36752, (received & used)
    68.86.1.40 (metric 78885) from 68.86.80.15 (68.86.1.15)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:40 7922:3050 7922:3120
      Originator: 68.86.1.40, Cluster list: 68.86.1.15
  6453 10310 36752 36752, (received & used)
    68.86.1.41 (metric 85042) from 68.86.80.7 (68.86.1.7)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:41 7922:3050 7922:3120
      Originator: 68.86.1.41, Cluster list: 68.86.1.7, 68.86.1.13
  6453 10310 36752 36752, (received & used)
    68.86.1.44 (metric 101555) from 68.86.80.10 (68.86.1.10)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:44 7922:3050 7922:3120
      Originator: 68.86.1.44, Cluster list: 68.86.1.10
  6453 10310 36752 36752, (received & used)
    68.86.1.42 (metric 70822) from 68.86.80.0 (68.86.1.0)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:42 7922:3050 7922:3120
      Originator: 68.86.1.42, Cluster list: 68.86.1.0
  6453 10310 36752 36752, (received & used)
    68.86.1.41 (metric 85042) from 68.86.80.13 (68.86.1.13)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:41 7922:3050 7922:3120
      Originator: 68.86.1.41, Cluster list: 68.86.1.13
  6453 10310 36752 36752, (received & used)
    68.86.80.11 (metric 92374) from 68.86.80.11 (68.86.1.11)
      Origin IGP, metric 0, localpref 250, valid, internal
      Community: 7922:11 7922:3050 7922:3120
  6453 10310 36752 36752, (received & used)
    68.86.1.46 (metric 65585) from 68.86.80.2 (68.86.1.2)
      Origin IGP, metric 0, localpref 250, valid, internal, best
      Community: 7922:46 7922:3050 7922:3120
      Originator: 68.86.1.46, Cluster list: 68.86.1.2

On Fri, Dec 3, 2010 at 9:30 AM, Matthew Petach wrote:
> On Fri, Dec 3, 2010 at 6:49 AM, Leo Bicknell wrote:
>> In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote:
>>> Interesting article:
>>>
>>> http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3-dispute
>>
>> Here's an excellent summary, complete with some pictures:
>>
>> http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-you
>>
>> --
>> Leo Bicknell - bicknell at ufp.org - CCIE 3440
>> PGP keys at http://www.ufp.org/~bicknell/
>
> Unfortunately, they got at least part of the diagram wrong;
> Yahoo uses Global Crossing to reach Comcast, not TATA.
>
> Matt

From johnl at iecc.com Fri Dec 3 12:39:15 2010
From: johnl at iecc.com (John R. Levine)
Date: 3 Dec 2010 13:39:15 -0500
Subject: Domain shut downs by Registrar?
In-Reply-To: <82y686pvz5.fsf@mid.bfk.de>
References: <20101203151717.82424.qmail@joyce.lan> <82y686pvz5.fsf@mid.bfk.de>
Message-ID:

> I think Verisign DBMS acts as a registrar for ccTLDs.

No, they're a registry. Not the same thing. The registry holds the definitive database and manages the DNS zone. Registrars face the public and use some sort of API to pass the changes to the registry.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

From johnl at iecc.com Fri Dec 3 12:40:40 2010
From: johnl at iecc.com (John R. Levine)
Date: 3 Dec 2010 13:40:40 -0500
Subject: Domain shut downs by Registrar?
In-Reply-To:
References: <20101203151717.82424.qmail@joyce.lan> <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org>
Message-ID:

> yea... so I wonder if the NCFTA folks would pony up warrants for things like the content highlighted by www.abuse.ch ?

They do all sorts of stuff, but for obvious reasons they don't gossip about it in public.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

From patrick at ianai.net Fri Dec 3 12:43:06 2010
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Fri, 3 Dec 2010 13:43:06 -0500
Subject: Trying to Make Sense of the Comcast/Level 3 Dispute
In-Reply-To:
References: <20101203144934.GB71451@ussenterprise.ufp.org>
Message-ID:

On Dec 3, 2010, at 1:34 PM, christian koch wrote:

> my guess is the info for that was pulled off comcast's route server, where only tata is seen

Asymmetric routing on the Internet? What will they think of next?!

That said, does changing the name of the middle network change the substance of the post?

--
TTFN,
patrick

P.S. And does Y! have a route-server to figure this stuff out? :)

> On Fri, Dec 3, 2010 at 9:30 AM, Matthew Petach wrote:
>> On Fri, Dec 3, 2010 at 6:49 AM, Leo Bicknell wrote:
>>> In a message written on Wed, Dec 01, 2010 at 09:40:01PM -0800, Paul Ferguson wrote:
>>>> Interesting article:
>>>>
>>>> http://www.freedom-to-tinker.com/blog/sjs/trying-make-sense-comcast-level-3-dispute
>>>
>>> Here's an excellent summary, complete with some pictures:
>>>
>>> http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-you
>>>
>>> --
>>> Leo Bicknell - bicknell at ufp.org - CCIE 3440
>>> PGP keys at http://www.ufp.org/~bicknell/
>>
>> Unfortunately, they got at least part of the diagram wrong;
>> Yahoo uses Global Crossing to reach Comcast, not TATA.
>>
>> Matt
>

From ahodgson at simkin.ca Fri Dec 3 12:50:21 2010
From: ahodgson at simkin.ca (Alan Hodgson)
Date: Fri, 3 Dec 2010 10:50:21 -0800
Subject: Domain shut downs by Registrar?
In-Reply-To: <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org>
References: <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org>
Message-ID: <201012031050.22126@hal.medialogik.com>

On December 3, 2010, David Conrad wrote:
> When folks with guns and little sense of humor show up at your door with a sealed court ordered warrant relating to resources you have direct authority over, would you tell them to talk to a retailer for that resource? Oh, and don't forget VeriSign has a contract (cooperative agreement? whatever) involving the USG for the administration of COM/NET.

It doesn't take guns. Verisign will steal domains from any registrar if they receive a US court order. I've seen them do it based on a Nevada default judgement where the client didn't even know there was a legal action under way.

If you want to keep your domains, don't use .com or .net.

From nanog-post at rsuc.gweep.net Fri Dec 3 12:50:42 2010
From: nanog-post at rsuc.gweep.net (Joe Provo)
Date: Fri, 3 Dec 2010 13:50:42 -0500
Subject: IAB "Evolution of the IP Model" Document
Message-ID: <20101203185042.GA27433@gweep.net>

Recent IETF announce message (http://www.ietf.org/mail-archive/web/ietf-announce/current/msg08209.html) indicates comments should get in by the 19th. IMO a decent "update your expectations" document with a refreshingly healthy nod to network realities.
I'm sure they'd love more operator input, if relevant:
http://tools.ietf.org/id/draft-iab-ip-model-evolution-02.txt

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From jeffrey.lyon at blacklotus.net Fri Dec 3 13:05:50 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Fri, 3 Dec 2010 14:05:50 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
Message-ID:

For the record, I would never remove a customer because a congressman or senator asked for it; however, I would deny service to persons with outstanding felony warrant(s).

Jeff

On Fri, Dec 3, 2010 at 12:38 PM, George Bonser wrote:
>
>>> I guess the USG's cyberwar program does work (very dryly said).
>
> It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it.
>
> As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of.
>
> But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to "pressure" the publishing entity to stop it.
>
> To expect someone not to "pressure" someone to remove potentially damaging material is probably naïve.
>
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From jmamodio at gmail.com Fri Dec 3 14:00:19 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Fri, 3 Dec 2010 14:00:19 -0600
Subject: Domain shut downs by Registrar?
In-Reply-To: <201012031050.22126@hal.medialogik.com>
References: <1180AA2A-3D91-4B58-9D15-54D37F55DC92@virtualized.org> <201012031050.22126@hal.medialogik.com>
Message-ID:

> If you want to keep your domains, don't use .com or .net.

or .jobs, .names, .edu.

-J

From cscora at apnic.net Fri Dec 3 14:06:38 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 4 Dec 2010 06:06:38 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201012032006.oB3K6c8e009170@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .
Routing Table Report   04:00 +10GMT Sat 04 Dec, 2010

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              337120
    Prefixes after maximum aggregation:                          152448
    Deaggregation factor:                                          2.21
    Unique aggregates announced to Internet:                     166104
Total ASes present in the Internet Routing Table:                 35395
    Prefixes per ASN:                                              9.52
Origin-only ASes present in the Internet Routing Table:           30484
Origin ASes announcing only one prefix:                           14904
Transit ASes present in the Internet Routing Table:                4911
Transit-only ASes present in the Internet Routing Table:            119
Average AS path length visible in the Internet Routing Table:       4.3
Max AS path length visible:                                          31
Max AS path prepend of ASN (36992)                                   29
Prefixes from unregistered ASNs in the Routing Table:               599
Unregistered ASNs in the Routing Table:                             272
Number of 32-bit ASNs allocated by the RIRs:                        931
Prefixes from 32-bit ASNs in the Routing Table:                       4
Special use prefixes present in the Routing Table:                    0
Prefixes being announced from unallocated address space:            189
Number of addresses announced to Internet:                   2314105824
    Equivalent to 137 /8s, 238 /16s and 115 /24s
Percentage of available address space announced:                   62.4
Percentage of allocated address space announced:                   64.5
Percentage of available address space allocated:                   96.8
Percentage of address space in use by end-sites:                   86.4
Total number of prefixes smaller than registry allocations:      138390

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    83266
    Total APNIC prefixes after maximum aggregation:               28276
    APNIC Deaggregation factor:                                    2.94
Prefixes being announced from the APNIC address blocks:           80189
Unique aggregates announced from the APNIC address blocks:        35123
APNIC Region origin ASes present in the Internet Routing Table:    4255
    APNIC Prefixes per ASN:                                       18.85
APNIC Region origin ASes announcing only one prefix:               1199
APNIC Region transit ASes present in the Internet Routing Table:    686
Average APNIC Region AS path length visible:                        4.5
Max APNIC Region AS path length visible:                             20
Number of APNIC addresses announced to Internet:              571205152
    Equivalent to 34 /8s, 11 /16s and 230 /24s
Percentage of available APNIC address space announced:             77.4

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
                       55296-56319, 131072-132095
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  42/8,  43/8,  49/8,  58/8,
                        59/8,  60/8,  61/8, 101/8, 110/8, 111/8, 112/8, 113/8,
                       114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8,
                       122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8,
                       182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8,
                       220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    136457
    Total ARIN prefixes after maximum aggregation:                69829
    ARIN Deaggregation factor:                                     1.95
Prefixes being announced from the ARIN address blocks:           107499
Unique aggregates announced from the ARIN address blocks:         43811
ARIN Region origin ASes present in the Internet Routing Table:    14051
    ARIN Prefixes per ASN:                                         7.65
ARIN Region origin ASes announcing only one prefix:                5385
ARIN Region transit ASes present in the Internet Routing Table:    1496
Average ARIN Region AS path length visible:                         4.0
Max ARIN Region AS path length visible:                              23
Number of ARIN addresses announced to Internet:               741381376
    Equivalent to 44 /8s, 48 /16s and 149 /24s
Percentage of available ARIN address space announced:              62.2

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks      3/8,   4/8,   6/8,   7/8,   8/8,   9/8,  11/8,  12/8,
                        13/8,  15/8,  16/8,  17/8,  18/8,  19/8,  20/8,  21/8,
                        22/8,  23/8,  24/8,  26/8,  28/8,  29/8,  30/8,  32/8,
                        33/8,  34/8,  35/8,  38/8,  40/8,  44/8,  47/8,  48/8,
                        50/8,  52/8,  54/8,  55/8,  56/8,  63/8,  64/8,  65/8,
                        66/8,  67/8,  68/8,  69/8,  70/8,  71/8,  72/8,  73/8,
                        74/8,  75/8,  76/8,  96/8,  97/8,  98/8,  99/8, 100/8,
                       107/8, 108/8, 173/8, 174/8, 184/8, 199/8, 204/8, 205/8,
                       206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     78636
    Total RIPE prefixes after maximum aggregation:                45198
    RIPE Deaggregation factor:                                     1.74
Prefixes being announced from the RIPE address blocks:            72182
Unique aggregates announced from the RIPE address blocks:         46814
RIPE Region origin ASes present in the Internet Routing Table:    15076
    RIPE Prefixes per ASN:                                         4.79
RIPE Region origin ASes announcing only one prefix:                7740
RIPE Region transit ASes present in the Internet Routing Table:    2341
Average RIPE Region AS path length visible:                         4.6
Max RIPE Region AS path length visible:                              30
Number of RIPE addresses announced to Internet:               448559424
    Equivalent to 26 /8s, 188 /16s and 121 /24s
Percentage of available RIPE address space announced:              74.3

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 196608-197631
RIPE Address Blocks      2/8,   5/8,  25/8,  31/8,  37/8,  46/8,  51/8,  62/8,
                        77/8,  78/8,  79/8,  80/8,  81/8,  82/8,  83/8,  84/8,
                        85/8,  86/8,  87/8,  88/8,  89/8,  90/8,  91/8,  92/8,
                        93/8,  94/8,  95/8, 109/8, 176/8, 178/8, 193/8, 194/8,
                       195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   30812
    Total LACNIC prefixes after maximum aggregation:               7123
    LACNIC Deaggregation factor:                                   4.33
Prefixes being announced from the LACNIC address blocks:          29537
Unique aggregates announced from the LACNIC address blocks:       15338
LACNIC Region origin ASes present in the Internet Routing Table:   1406
    LACNIC Prefixes per ASN:                                      21.01
LACNIC Region origin ASes announcing only one prefix:               446
LACNIC Region transit ASes present in the Internet Routing Table:   244
Average LACNIC Region AS path length visible:                       4.4
Max LACNIC Region AS path length visible:                            18
Number of LACNIC addresses announced to Internet:              78293760
    Equivalent to 4 /8s, 170 /16s and 171 /24s
Percentage of available LACNIC address space announced:            58.3

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   7707
    Total AfriNIC prefixes after maximum aggregation:              1901
    AfriNIC Deaggregation factor:                                  4.05
Prefixes being announced from the AfriNIC address blocks:          5966
Unique aggregates announced from the AfriNIC address blocks:       1755
AfriNIC Region origin ASes present in the Internet Routing Table:   423
    AfriNIC Prefixes per ASN:                                     14.10
AfriNIC Region origin ASes announcing only one prefix:              134
AfriNIC Region transit ASes present in the Internet Routing Table:   92
Average AfriNIC Region AS path length visible:                      5.2
Max AfriNIC Region AS path length visible:                           31
Number of AfriNIC addresses announced to Internet:             21737728
    Equivalent to 1 /8s, 75 /16s and 177 /24s
Percentage of available AfriNIC address space announced:           43.2

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766         1862       9449     512  Korea Telecom (KIX)
7545         1467        299      80  TPG Internet Pty Ltd
4755         1391        639     157  TATA Communications formerly
17488        1371        157     121  Hathway IP Over Cable Interne
17974        1318        459      27  PT TELEKOMUNIKASI INDONESIA
9583         1036         75     487  Sify Limited
24560
             1030        309     166  Bharti Airtel Ltd., Telemedia
4808          985       1715     268  CNCGROUP IP network: China169
18101         908        116     139  Reliance Infocom Ltd Internet
9829          835        696      31  BSNL National Internet Backbo

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3736       3887     270  bellsouth.net, inc.
4323         2650       1088     402  Time Warner Telecom
19262        1833       4861     281  Verizon Global Networks
1785         1791        697     132  PaeTec Communications, Inc.
20115        1508       1530     636  Charter Communications
6478         1414        285     102  AT&T Worldnet Services
7018         1386       5671     884  AT&T WorldNet Services
2386         1308        572     926  AT&T Data Communications Serv
22773        1256       2864      72  Cox Communications, Inc.
11492        1239        233      73  Cable One

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6830          457       1757     271  UPC Distribution Services
3292          443       2010     385  TDC Tele Danmark
8866          430        133      23  Bulgarian Telecommunication C
34984         419         92     191  BILISIM TELEKOM
9198          413        202      13  Kazakhtelecom Data Network Ad
8551          402        353      46  Bezeq International
702           396       1864     310  UUNET - Commercial IP service
12479         391        577       6  Uni2 Autonomous System
3301          381       1696     336  TeliaNet Sweden
3320          381       7317     334  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
10620        1344        250     156  TVCABLE BOGOTA
8151         1341       2627     365  UniNet S.A. de C.V.
28573        1197        932      78  NET Servicos de Comunicao S.A
6503         1170        355      80  AVANTEL, S.A.
7303          831        441     106  Telecom Argentina Stet-France
14420         579         49      87  CORPORACION NACIONAL DE TELEC
22047         563        310      15  VTR PUNTO NET S.A.
3816          493        214      97  Empresa Nacional de Telecomun
7738          478        922      30  Telecomunicacoes da Bahia S.A
14117         452         32      30  Telefonica del Sur S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452         1108        445      10  TEDATA
24863         744        147      39  LINKdotNET AS number
36992         658        278     159  Etisalat MISR
3741          263        986     225  The Internet Solution
6713          203        199      12  Itissalat Al-MAGHRIB
24835         198         78      10  RAYA Telecom - Egypt
29571         197         19      11  Ci Telecom Autonomous system
2018          196        277      64  Tertiary Education Network
33776         195         12      14  Starcomms Nigeria Limited
16637         162        440      89  MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3736       3887     270  bellsouth.net, inc.
4323         2650       1088     402  Time Warner Telecom
4766         1862       9449     512  Korea Telecom (KIX)
19262        1833       4861     281  Verizon Global Networks
1785         1791        697     132  PaeTec Communications, Inc.
20115        1508       1530     636  Charter Communications
7545         1467        299      80  TPG Internet Pty Ltd
6478         1414        285     102  AT&T Worldnet Services
4755         1391        639     157  TATA Communications formerly
7018         1386       5671     884  AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
4323         2650         2248  Time Warner Telecom
1785         1791         1659  PaeTec Communications, Inc.
19262        1833         1552  Verizon Global Networks
7545         1467         1387  TPG Internet Pty Ltd
4766         1862         1350  Korea Telecom (KIX)
6478         1414         1312  AT&T Worldnet Services
17974        1318         1291  PT TELEKOMUNIKASI INDONESIA
17488        1371         1250  Hathway IP Over Cable Interne
4755         1391         1234  TATA Communications formerly
10620        1344         1188  TVCABLE BOGOTA

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network         Transit AS  Description
46164   UNALLOCATED  4.23.88.0/24          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.23.89.0/24          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.23.92.0/23          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.23.94.0/23          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.38.0.0/21           7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.38.8.0/21           7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.43.50.0/24          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.43.51.0/24          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.67.96.0/21          7018  AT&T WorldNet Servic
46164   UNALLOCATED  4.67.104.0/21         7018  AT&T WorldNet Servic

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network          Origin AS  Description
5.0.0.0/16           12654  RIPE NCC RIS Project
5.1.0.0/21           12654  RIPE NCC RIS Project
5.1.24.0/24          12654  RIPE NCC RIS Project
37.0.0.0/16          12654  RIPE NCC RIS Project
37.1.0.0/21          12654  RIPE NCC RIS Project
37.1.24.0/24         12654  RIPE NCC RIS Project
41.222.79.0/24       36938  >>UNKNOWN<<
41.223.92.0/22       36936  >>UNKNOWN<<
46.183.72.0/21       51941  >>UNKNOWN<<
62.61.220.0/24       24974  Tachyon Europe BV - Wireless

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0        /2:0        /3:0        /4:0        /5:0        /6:0
 /7:0        /8:19       /9:10      /10:25      /11:70      /12:210
/13:428     /14:749     /15:1336    /16:11346   /17:5491    /18:9149
/19:18581   /20:23839   /21:24131   /22:31737   /23:30519   /24:176659
/25:981     /26:1076    /27:587     /28:155     /29:12      /30:2
/31:0       /32:8

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
6389         2306        3736  bellsouth.net, inc.
4323         1431        2650  Time Warner Telecom
6478         1372        1414  AT&T Worldnet Services
10620        1236        1344  TVCABLE BOGOTA
11492        1197        1239  Cable One
18566        1070        1089  Covad Communications
7011         1069        1171  Citizens Utilities
1785         1065        1791  PaeTec Communications, Inc.
8452          973        1108  TEDATA
6503          955        1170  AVANTEL, S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

1:105       2:24        4:13        5:1         8:316       12:2024
13:6        14:83       15:17       16:3        17:8        20:10
24:1415     27:466      32:61       33:7        34:2        36:1
37:1        38:712      40:101      41:2642     42:1        44:3
46:306      47:10       49:34       50:16       52:12       55:7
56:2        57:29       58:857      59:501      60:482      61:1108
62:1020     63:1943     64:3708     65:2320     66:4089     67:1755
68:999      69:2819     70:717      71:389      72:1923     74:2282
75:287      76:319      77:865      78:691      79:435      80:1056
81:799      82:508      83:445      84:631      85:1030     86:490
87:703      88:395      89:1582     90:128      91:3272     92:455
93:1014     94:1097     95:686      96:405      97:244      98:695
99:33       101:3       107:2       108:69      109:771     110:426
111:667     112:310     113:318     114:479     115:646     116:1133
117:658     118:582     119:1013    120:182     121:713     122:1543
123:972     124:1227    125:1282    128:228     129:152     130:171
131:565     132:234     133:20      134:208     135:46      136:213
137:146     138:288     139:109     140:480     141:195     142:348
143:524     144:485     145:54      146:426     147:178     148:641
149:328     150:149     151:231     152:294     153:173     154:3
155:367     156:167     157:339     158:126     159:366     160:308
161:199     162:276     163:166     164:433     165:332     166:466
167:422     168:709     169:151     170:724     171:67      172:2
173:1124    174:431     175:256     176:1       178:652     180:713
182:523     183:242     184:185     186:886     187:749     188:875
189:1017    190:4229    192:5777    193:4801    194:3470    195:2888
196:1222    197:1       198:3533    199:3660    200:5485    201:1575
202:8254    203:8356    204:4046    205:2337    206:2518    207:2979
208:3857    209:3458    210:2535    211:1307    212:1801
213:1721    214:704     215:62      216:4748    217:1606    218:518
219:399     220:1184    221:436     222:342     223:76

End of report

From randy.fischer at gmail.com Fri Dec 3 14:10:20 2010
From: randy.fischer at gmail.com (Randy Fischer)
Date: Fri, 3 Dec 2010 15:10:20 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
Message-ID:

On Fri, Dec 3, 2010 at 12:38 PM, George Bonser wrote:
> As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of.

It may be naive, but I expect due process from the USG.

Just sayin'

-Randy Fischer

From richard.barnes at gmail.com Fri Dec 3 14:36:07 2010
From: richard.barnes at gmail.com (Richard Barnes)
Date: Fri, 3 Dec 2010 15:36:07 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <20101203084557.GA26742@nic.fr>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <20101203055229.GB30565@sizone.org> <20101203084557.GA26742@nic.fr>
Message-ID:

> Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?

The RIPE REX tool provides something like this, at least for the reverse tree. Of course, it appears that none of the three cablegate IP addresses you cite have reverse records provisioned that point to wikileaks (just bahnhof.se and ovh.net).

--Richard

From cmaurand at xyonet.com Fri Dec 3 14:45:13 2010
From: cmaurand at xyonet.com (Curtis Maurand)
Date: Fri, 03 Dec 2010 15:45:13 -0500
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To:
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
Message-ID: <4CF956D9.6000603@xyonet.com>

The patriot act did away with due process.

On 12/3/2010 3:10 PM, Randy Fischer wrote:
> On Fri, Dec 3, 2010 at 12:38 PM, George Bonser wrote:
>> As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of.
> It may be naive, but I expect due process from the USG.
>
> Just sayin'
>
> -Randy Fischer
>

From mpetach at netflight.com Fri Dec 3 15:21:07 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Fri, 3 Dec 2010 13:21:07 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net>
Message-ID:

On Thu, Dec 2, 2010 at 8:58 PM, Alex Rubenstein wrote:
...
> Anyway, back to topic: Vendors, please a) get all your gear to cool front-to-back, and b) let it take 480 polyphase and not require a neutral. I, for one, will be happier. The datacenter of tomorrow (hell, today) require this.
>

People are still feeding their gear with AC? Save on PS inefficiency, and feed direct 12/5vDC to the servers. Save space, save power, save cooling.
Matt
*quietly exits, singing "every watt is sacred, every watt is great..." under his breath*

From cidr-report at potaroo.net Fri Dec 3 16:00:01 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 3 Dec 2010 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201012032200.oB3M018F096740@wattle.apnic.net>

BGP Update Report
Interval: 25-Nov-10 -to- 02-Dec-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds     %  Upds/Pfx  AS-Name
 1 -  AS23966   33798  2.1%     103.0  -- LDN-AS-PK LINKdotNET Telecom Limited
 2 -  AS17908   29867  1.9%      39.9  -- TCISL Tata Communications
 3 -  AS22767   26306  1.6%   13153.0  -- NASA-ESDIS-NET - National Aeronautics and Space Administration
 4 -  AS17974   26125  1.6%      24.0  -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
 5 -  AS32528   23264  1.5%    7754.7  -- ABBOTT Abbot Labs
 6 -  AS36992   22718  1.4%      35.2  -- ETISALAT-MISR
 7 -  AS10094   22515  1.4%    1023.4  -- BRUNET-AS BruNet ISP, Telekom Brunei Berhad
 8 -  AS37204   21737  1.4%    1976.1  -- TELONE
 9 -  AS7018    14498  0.9%      37.8  -- ATT-INTERNET4 - AT&T Services, Inc.
10 -  AS9498    13732  0.9%      66.3  -- BBIL-AP BHARTI Airtel Ltd.
11 -  AS35931   13582  0.8%    4527.3  -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
12 -  AS8452    13408  0.8%      13.1  -- TE-AS TE-AS
13 -  AS1785    13197  0.8%      10.3  -- AS-PAETEC-NET - PaeTec Communications, Inc.
14 -  AS31148   11625  0.7%      34.6  -- FREENET-AS FreeNet ISP
15 -  AS14522   11105  0.7%      27.4  -- Satnet
16 -  AS8151    10716  0.7%       8.5  -- Uninet S.A. de C.V.
17 -  AS18566   10465  0.7%       9.8  -- COVAD - Covad Communications Co.
18 -  AS7552     9650  0.6%      15.8  -- VIETEL-AS-AP Vietel Corporation
19 -  AS9829     9585  0.6%      23.6  -- BSNL-NIB National Internet Backbone
20 -  AS6316     8724  0.6%     103.9  -- AS-PAETEC-NET - PaeTec Communications, Inc.

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds     %  Upds/Pfx  AS-Name
 1 -  AS22767   26306  1.6%   13153.0  -- NASA-ESDIS-NET - National Aeronautics and Space Administration
 2 -  AS32528   23264  1.5%    7754.7  -- ABBOTT Abbot Labs
 3 -  AS35931   13582  0.8%    4527.3  -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 4 -  AS43534    4077  0.3%    4077.0  -- CREDITCALL CreditCall Ltd
 5 -  AS49600    2419  0.1%    2419.0  -- LASEDA La Seda de Barcelona, S.A
 6 -  AS28175    2370  0.1%    2370.0  --
 7 -  AS15984    2334  0.1%    2334.0  -- The Joint-Stock Commercial Bank CentroCredit.
 8 -  AS37204   21737  1.4%    1976.1  -- TELONE
 9 -  AS34239    1771  0.1%    1771.0  -- INTERAMERICAN General Insurance Company
10 -  AS17904    1479  0.1%    1479.0  -- SLTASUL-LK Sri Lankan Airlines
11 -  AS48561    1260  0.1%    1260.0  -- AUTOMIR-AS NP Automir CJSC
12 -  AS46928    1204  0.1%    1204.0  -- ACADEMY-SPORTS-OUTDOORS - Academy Sports & Outdoors
13 -  AS10094   22515  1.4%    1023.4  -- BRUNET-AS BruNet ISP, Telekom Brunei Berhad
14 -  AS15978    3009  0.2%    1003.0  -- BOBST Group autonomous system
15 -  AS31011     965  0.1%     965.0  -- UCTM-AS University of Chemical Technology And Metallurgy
16 -  AS28666    5789  0.4%     827.0  -- HOSTLOCATION LTDA
17 -  AS21252     777  0.1%     777.0  -- NIKOIL-AS NIKOil Autonomous System
18 -  AS26746     757  0.1%     757.0  -- HARVARD-PILGRIM-HEALTH-CARE - Harvard Community Health Plan
19 -  AS24063    2753  0.2%     688.2  -- DOCOMOINTERTOUCH-IN DOCOMO interTouch - India Operation
20 -  AS39200     640  0.0%     640.0  -- IRNICANYCAST-AS .ir ccTLD of Iran

TOP 20 Unstable Prefixes
Rank  Prefix              Upds     %  Origin AS  -- AS Name
 3 -  202.92.235.0/24    12922  0.8%  AS9498     -- BBIL-AP BHARTI Airtel Ltd.
 4 -  130.36.35.0/24     11633  0.7%  AS32528    -- ABBOTT Abbot Labs
 5 -  130.36.34.0/24     11630  0.7%  AS32528    -- ABBOTT Abbot Labs
 6 -  63.211.68.0/22      8334  0.5%  AS35931    -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 7 -  216.126.136.0/22    7828  0.5%  AS6316     -- AS-PAETEC-NET - PaeTec Communications, Inc.
 8 -  190.65.228.0/22     6131  0.4%  AS3816     -- COLOMBIA TELECOMUNICACIONES S.A.
ESP 9 - 189.1.173.0/24 5696 0.3% AS28666 -- HOSTLOCATION LTDA 10 - 198.140.43.0/24 4964 0.3% AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC 11 - 91.197.95.0/24 4077 0.2% AS43534 -- CREDITCALL CreditCall Ltd 12 - 196.29.32.0/21 3926 0.2% AS37204 -- TELONE 13 - 206.184.16.0/24 3556 0.2% AS174 -- COGENT Cogent/PSI 14 - 196.4.80.0/24 3274 0.2% AS37204 -- TELONE 15 - 68.65.152.0/22 3154 0.2% AS11915 -- TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC 16 - 208.54.82.0/24 2918 0.2% AS701 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 17 - 41.220.16.0/20 2896 0.2% AS37204 -- TELONE 18 - 194.133.159.0/24 2891 0.2% AS37204 -- TELONE 19 - 209.88.88.0/21 2890 0.2% AS37204 -- TELONE 20 - 194.133.122.0/24 2888 0.2% AS37204 -- TELONE Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From cidr-report at potaroo.net Fri Dec 3 16:00:00 2010 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 3 Dec 2010 22:00:00 GMT Subject: The Cidr Report Message-ID: <201012032200.oB3M00oH096733@wattle.apnic.net> This report has been generated at Fri Dec 3 21:11:39 2010 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date Prefixes CIDR Agg 26-11-10 340092 208386 27-11-10 340054 208608 28-11-10 340155 208519 29-11-10 339970 208715 30-11-10 340313 206594 01-12-10 336710 206612 02-12-10 336683 206893 03-12-10 336784 207358 AS Summary 36128 Number of ASes in routing system 15416 Number of ASes announcing only one prefix 3735 Largest number of prefixes announced by an AS AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. 
105846528 Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 03Dec10 ---
ASnum NetsNow NetsAggr NetGain % Gain Description
Table 337375 207411 129964 38.5% All ASes
AS6389 3735 525 3210 85.9% BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323 2640 643 1997 75.6% TWTC - tw telecom holdings, inc.
AS19262 1832 414 1418 77.4% VZGNI-TRANSIT - Verizon Online LLC
AS4766 1738 602 1136 65.4% KIXS-AS-KR Korea Telecom
AS17488 1371 296 1075 78.4% HATHWAY-NET-AP Hathway IP Over Cable Internet
AS18566 1089 157 932 85.6% COVAD - Covad Communications Co.
AS22773 1255 361 894 71.2% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS6503 1169 290 879 75.2% Axtel, S.A.B. de C.V.
AS10620 1344 472 872 64.9% Telmex Colombia S.A.
AS28573 1186 341 845 71.2% NET Servicos de Comunicao S.A.
AS4755 1392 589 803 57.7% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS24560 1030 233 797 77.4% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS18101 904 148 756 83.6% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS7545 1468 715 753 51.3% TPG-INTERNET-AP TPG Internet Pty Ltd
AS8151 1349 702 647 48.0% Uninet S.A. de C.V.
AS8452 1108 468 640 57.8% TE-AS TE-AS
AS4808 930 300 630 67.7% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS17676 641 67 574 89.5% GIGAINFRA Softbank BB Corp.
AS7303 830 264 566 68.2% Telecom Argentina S.A.
AS6478 1414 875 539 38.1% ATT-INTERNET3 - AT&T Services, Inc.
AS22047 563 31 532 94.5% VTR BANDA ANCHA S.A.
AS7552 631 123 508 80.5% VIETEL-AS-AP Vietel Corporation
AS9443 571 75 496 86.9% INTERNETPRIMUS-AS-AP Primus Telecommunications
AS14420 579 90 489 84.5% CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
AS1785 1795 1317 478 26.6% AS-PAETEC-NET - PaeTec Communications, Inc.
AS11492 1239 770 469 37.9% CABLEONE - CABLE ONE, INC.
AS45595 561 92 469 83.6% PKTELECOM-AS-PK Pakistan Telecom Company Limited
AS4804 544 76 468 86.0% MPX-AS Microplex PTY LTD
AS36992 658 190 468 71.1% ETISALAT-MISR
AS4780 718 251 467 65.0% SEEDNET Digital United Inc.
Total 36284 11477 24807 68.4% Top 30 total

Possible Bogus Routes
5.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
5.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
5.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
37.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
37.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
37.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
41.222.79.0/24 AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
41.223.92.0/22 AS36936 CELTEL-GABON Celtel Gabon Internet Service
46.183.72.0/21 AS51941
62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV
62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV
64.21.192.0/20 AS11610 INETNEBR-1 - Internet Nebraska Corporation
64.21.212.0/22 AS11610 INETNEBR-1 - Internet Nebraska Corporation
64.21.216.0/21 AS11610 INETNEBR-1 - Internet Nebraska Corporation
66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION
66.206.32.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board
66.206.33.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board
66.206.34.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board
66.206.35.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board
66.206.47.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
66.207.32.0/20 AS23011
66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
69.6.80.0/24 AS13442
69.6.81.0/24 AS13442
71.19.134.0/23 AS3313 INET-AS I.NET S.p.A.
72.22.32.0/19 AS33150
72.22.61.0/24 AS33150
72.22.62.0/24 AS33150
76.77.32.0/19 AS2828 XO-AS15 - XO Communications
80.88.10.0/24 AS33774 DJAWEB
80.88.12.0/24 AS33779 wataniya-telecom-as
96.45.161.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.162.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.163.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.164.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.165.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.166.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.167.0/24 AS3257 TINET-BACKBONE Tinet SpA
96.45.168.0/21 AS3257 TINET-BACKBONE Tinet SpA
110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas
110.173.64.0/19 AS37963 CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd.
115.42.0.0/24 AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
115.42.5.0/24 AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
115.42.6.0/24 AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
115.42.11.0/24 AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
115.42.20.0/24 AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
115.42.28.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.29.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.30.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.31.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.40.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.42.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.43.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.44.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.47.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.48.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.49.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.50.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.51.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.52.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.53.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.54.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.55.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.56.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.57.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.58.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.59.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.61.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.62.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
115.42.63.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
116.68.136.0/21 AS28045 Pantel Communications
117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
121.50.168.0/21 AS9931 CAT-AP The Communication Authoity of Thailand, CAT
142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc.
158.222.70.0/23 AS6137 SISNA - SISNA, Inc.
158.222.72.0/23 AS6137 SISNA - SISNA, Inc.
158.222.224.0/20 AS19864 O1COMM - O1 COMMUNICATIONS
158.222.224.0/22 AS19864 O1COMM - O1 COMMUNICATIONS
158.222.229.0/24 AS19864 O1COMM - O1 COMMUNICATIONS
176.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
176.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
176.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
180.210.128.0/18 AS23893
190.102.32.0/20 AS30058 FDCSERVERS - FDCservers.net
192.9.0.0/16 AS11479 BRM-SUN-AS - Sun Microsystems, Inc
192.64.85.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network
192.69.108.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network
192.101.46.0/24 AS6503 Axtel, S.A.B. de C.V.
192.101.64.0/21 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe
192.101.70.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
192.101.71.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
192.101.72.0/24 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe
192.101.74.0/24 AS1239 SPRINTLINK - Sprint
192.124.252.0/22 AS680 DFN-IP service G-WiN
192.131.233.0/24 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc.
192.154.32.0/19 AS81 NCREN - MCNC
192.154.64.0/19 AS81 NCREN - MCNC
192.188.208.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
196.2.224.0/22 AS24863 LINKdotNET-AS
196.6.108.0/24 AS5713 SAIX-NET
196.13.201.0/24 AS2018 TENET-1
196.13.202.0/24 AS2018 TENET-1
196.13.203.0/24 AS2018 TENET-1
196.13.204.0/24 AS2018 TENET-1
196.110.105.0/24 AS8513 SKYVISION SkyVision Network Services
196.202.224.0/21 AS8818 TELE Greenland Autonomous System
198.1.2.0/24 AS4761 INDOSAT-INP-AP INDOSAT Internet Network Provider
198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc.
198.73.210.0/24 AS21570 ACI-1 - Accelerated Connections Inc.
198.74.38.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services
198.74.39.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services
198.74.40.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services
198.97.72.0/21 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.97.96.0/19 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.97.240.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
198.99.241.0/24 AS11797 AC-NIELSEN-AS AC NIELSEN
198.161.87.0/24 AS6539 GT-BELL - Bell Canada
198.163.214.0/24 AS21804 ACCESS-SK - Access Communications Co-operative Limited
198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc.
198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
198.169.0.0/16 AS803 SASKTEL - Saskatchewan Telecommunications
198.180.198.0/24 AS23715 SEOUL-INTGW-GXS-AP Global Exchange Services
198.182.235.0/24 AS3356 LEVEL3 Level 3 Communications
199.16.32.0/19 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc.
199.59.204.0/22 AS46786 IPTRANSIT - IP Transit Inc.
199.121.0.0/16 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
199.123.16.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center
199.185.130.0/23 AS19662 UNISERVE-ONLINE - Uniserve On Line
199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
199.202.216.0/21 AS577 BACOM - Bell Canada
199.233.92.0/24 AS26896 D102-ITC - Data 102, LLC
199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business
200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC.
200.24.73.0/24 AS26061 Equant Colombia
200.24.78.0/26 AS3549 GBLX Global Crossing Ltd.
200.24.78.64/26 AS3549 GBLX Global Crossing Ltd.
202.9.55.0/24 AS2764 AAPT AAPT Limited
202.9.57.0/24 AS2764 AAPT AAPT Limited
202.38.63.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.58.113.0/24 AS19161
202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company
202.66.128.0/18 AS9584 GENESIS-AP Diyixian.com Limited
202.66.160.0/19 AS9584 GENESIS-AP Diyixian.com Limited
202.66.160.0/20 AS9584 GENESIS-AP Diyixian.com Limited
202.66.176.0/20 AS9584 GENESIS-AP Diyixian.com Limited
202.66.184.0/24 AS9584 GENESIS-AP Diyixian.com Limited
202.66.188.0/24 AS9584 GENESIS-AP Diyixian.com Limited
202.66.189.0/24 AS9584 GENESIS-AP Diyixian.com Limited
202.66.190.0/24 AS9584 GENESIS-AP Diyixian.com Limited
202.73.144.0/20 AS4788 TMNET-AS-AP TM Net, Internet Service Provider
202.86.252.0/22 AS4748 RESOLINK-AS-AP Resources Link Network Limited
202.86.252.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications
202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications
202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications
202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications
202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.133.37.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
202.133.73.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.150.227.0/24 AS17727 NAPINFO-AS-AP PT. NAP Info Lintas Nusa
202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia
202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited
202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd
203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet)
203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company
203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.114.0/24 AS4802 ASN-IINET iiNet Limited
203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd.
203.142.219.0/24 AS45149
203.175.107.0/24 AS45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited
204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc.
204.10.232.0/21 AS33150
204.19.14.0/23 AS577 BACOM - Bell Canada
204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc.
205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
205.189.134.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD.
205.210.145.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD.
206.72.192.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc.
206.72.194.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc.
206.123.129.0/24 AS10790 INREACH-AS - InReach Internet
206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings
206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
207.174.131.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.132.0/23 AS26116 INDRA - Indra's Net Inc.
207.174.152.0/23 AS26116 INDRA - Indra's Net Inc.
207.174.154.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.155.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.188.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.189.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.190.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.191.0/24 AS26116 INDRA - Indra's Net Inc.
207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc.
207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC
207.231.96.0/19 AS11194 NUNETPA - NuNet Inc.
208.64.200.0/22 AS11730 CIL-ASN - Circle Internet LTD
208.64.240.0/21 AS13871 TELEBYTE-NW - Telebyte NW
208.73.160.0/24 AS32767
208.78.165.0/24 AS16565
208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC
208.83.54.0/24 AS23485 SEI-LLC-AS-NUM - SEI LLC
208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc.
208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc.
209.54.123.0/24 AS6062 NETPLEX - NETPLEX
209.105.224.0/19 AS20074
209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC
209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network
209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC
209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS
209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS
210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
210.247.224.0/19 AS7496 WEBCENTRAL-AS WebCentral
216.10.235.0/24 AS13780 NTNCOMMUNICATIONS - NTN
216.10.236.0/24 AS13780 NTNCOMMUNICATIONS - NTN
216.21.196.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.201.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.202.0/24 AS12251 INVISION - Invision.com, Inc.
216.21.206.0/23 AS12251 INVISION - Invision.com, Inc.
216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc.
216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc.
216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc.
216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc.

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog at merit.edu
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From dustinnanog at gmail.com Fri Dec 3 16:09:26 2010
From: dustinnanog at gmail.com (Dustin Swinford)
Date: Fri, 3 Dec 2010 16:09:26 -0600
Subject: ARIN space not accepted
Message-ID: 

We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible.
Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?

Dustin Swinford | Sr. IP/Ethernet Engineer
Deltacom | Integrated Communications and Technology Solutions

From tvhawaii at shaka.com Fri Dec 3 16:11:27 2010
From: tvhawaii at shaka.com (Michael Painter)
Date: Fri, 3 Dec 2010 12:11:27 -1000
Subject: The scale of streaming video on the Internet.
References: <20952354.220.1291322909654.JavaMail.root@benjamin.baylink.com> <59D15CA3-4ACC-4A8A-B66F-73041E722256@delong.com> <4CF869A2.1070108@bogus.com> <20101203133558.GA50682@mikea.ath.cx>
Message-ID: <625A839E191C4FC8897CA8FF4EA135EB@DELL16>

mikea wrote:
> Faster and doesn't require infrastructure (other than possibly electrical
> power). Those hams were throttled _way_ back, too, to about 21 words per
> minute; I frequently hear Morse at speeds up to about 50 wpm in the ham
> bands.

In '56 ( I was 13 yrs old...got my General at 11), I handled traffic on PAN (Pacific Area Net) at around 30 wpm with a bug and a stick, stick being a pencil.
Bug here: http://www.youtube.com/watch?v=yHz2rEiFnfw&feature=related

--Michael (ex K6IYC)

From joelja at bogus.com Fri Dec 3 16:14:03 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Fri, 03 Dec 2010 14:14:03 -0800
Subject: ARIN space not accepted
In-Reply-To: 
References: 
Message-ID: <4CF96BAB.8010300@bogus.com>

Got an address we can ping?

On 12/3/10 2:09 PM, Dustin Swinford wrote:
> We have run into an issue with the 107.7.0.0/16 assigned to us several
> months ago. It appears that many sites have not yet accepted this space. I
> understand this is not a normal type post to NANOG, but hoped to get the
> word out to as many operators as possible. Does anyone know of a better way
> to get the word out to ask people to update their BOGONs/filters?
>
>
>
> Dustin Swinford | Sr.
> IP/Ethernet Engineer
>
> Deltacom | Integrated Communications and
> Technology Solutions
>
>
>
>

From jbates at brightok.net Fri Dec 3 16:13:58 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 03 Dec 2010 16:13:58 -0600
Subject: ARIN space not accepted
In-Reply-To: 
References: 
Message-ID: <4CF96BA6.2070804@brightok.net>

On 12/3/2010 4:09 PM, Dustin Swinford wrote:
> We have run into an issue with the 107.7.0.0/16 assigned to us several
> months ago. It appears that many sites have not yet accepted this space. I
> understand this is not a normal type post to NANOG, but hoped to get the
> word out to as many operators as possible. Does anyone know of a better way
> to get the word out to ask people to update their BOGONs/filters?
>

The first takers in a space are hit the hardest. Re-mentioning here is important. Do a google search and find any pages still mentioning blocking the range. Contact them and ask them to update. Then you have to start the long list with others. It's recommended you set up a server with 2 IP addresses, one in the range, one outside the range, so that people can check against them both to verify that the problem is with the range itself. I've seen some networks that run automatic probes from both ranges and compare the results, automatically sending emails to whois contacts concerning the problem.

Jack

From sethm at rollernet.us Fri Dec 3 16:14:40 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 03 Dec 2010 14:14:40 -0800
Subject: ARIN space not accepted
In-Reply-To: 
References: 
Message-ID: <4CF96BD0.6040905@rollernet.us>

On 12/3/2010 14:09, Dustin Swinford wrote:
> We have run into an issue with the 107.7.0.0/16 assigned to us several
> months ago. It appears that many sites have not yet accepted this space. I
> understand this is not a normal type post to NANOG, but hoped to get the
> word out to as many operators as possible.
> Does anyone know of a better way
> to get the word out to ask people to update their BOGONs/filters?
>

Can you provide a pingable test address within that space?

~Seth

From mike at mtcc.com Fri Dec 3 16:21:56 2010
From: mike at mtcc.com (Michael Thomas)
Date: Fri, 03 Dec 2010 14:21:56 -0800
Subject: ARIN space not accepted
In-Reply-To: <4CF96BA6.2070804@brightok.net>
References: <4CF96BA6.2070804@brightok.net>
Message-ID: <4CF96D84.6030408@mtcc.com>

On 12/03/2010 02:13 PM, Jack Bates wrote:
> On 12/3/2010 4:09 PM, Dustin Swinford wrote:
>> We have run into an issue with the 107.7.0.0/16 assigned to us several
>> months ago. It appears that many sites have not yet accepted this
>> space. I
>> understand this is not a normal type post to NANOG, but hoped to get the
>> word out to as many operators as possible. Does anyone know of a
>> better way
>> to get the word out to ask people to update their BOGONs/filters?
>>
>
> The first takers in a space are hit the hardest. Rementioning here is
> important. Do a google search and find any pages still mentioning
> blocking the range. Contact them and ask them to update. Then you have
> to start the long list with others. it's recommended you setup a server
> with 2 IP addresses, one in the range, one outside the range, so that
> people can check against them both to verify that the problem is with
> the range itself. I've seen some networks that run automatic probes from
> both ranges and compare the results, automatically sending emails to
> whois contacts concerning the problem.

Is there much point to bogon filtering now?
:)

Mike, likely ignorant

From bicknell at ufp.org Fri Dec 3 16:24:16 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 3 Dec 2010 14:24:16 -0800
Subject: ARIN space not accepted
In-Reply-To: <4CF96BA6.2070804@brightok.net>
References: <4CF96BA6.2070804@brightok.net>
Message-ID: <20101203222416.GA4683@ussenterprise.ufp.org>

In a message written on Fri, Dec 03, 2010 at 04:13:58PM -0600, Jack Bates wrote:
> The first takers in a space are hit the hardest. Rementioning here is
> important. Do a google search and find any pages still mentioning
> blocking the range. Contact them and ask them to update. Then you have
> to start the long list with others. it's recommended you setup a server
> with 2 IP addresses, one in the range, one outside the range, so that
> people can check against them both to verify that the problem is with
> the range itself. I've seen some networks that run automatic probes from
> both ranges and compare the results, automatically sending emails to
> whois contacts concerning the problem.

For those not paying attention, the current bogon list should be:

0/8 10/8 39/8 102/8 103/8 104/8 106/8 127/8 172.16/12 179/8 185/8 192.168/16 224/3

It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:

0/8 10/8 127/8 172.16/12 192.168/16 224/3

I'd suggest it would be good if folks updated to that now, to prevent these sorts of problems. I promise, this time it is the last update you'll need to do. :)

-- 
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
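An added example, written by the editor and not code from Jack Bates, Leo Bicknell or anyone else on the list, that turns the two suggestions in this thread into something an operator could run: Leo's current and post-Q1 bogon lists as data, a check of whether a prefix such as Dustin's 107.7.0.0/16 falls inside a given list (and which entries of an older list have gone stale), and Jack's two-address test host as a differential probe whose results are classified so that only "reachable from outside the new range but not from inside it" counts as evidence of a stale filter. The host addresses 107.7.0.10 and 192.0.2.1, the stale list containing 107/8, and the probe results are constructed for illustration; the TCP connect probe is one possible implementation and needs both source addresses configured on the probing host.

```python
"""Stale bogon filter checks for a newly allocated prefix.

Editor-added example, not code from NANOG or from any poster. It combines
two suggestions from this thread: Leo Bicknell's bogon lists (what should
still be filtered) and Jack Bates' test host with one address inside the
new range and one outside it (probe both, compare the results).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Bogon lists exactly as Leo Bicknell posted them (shorthand, expanded by expand()).
BOGONS_CURRENT = ["0/8", "10/8", "39/8", "102/8", "103/8", "104/8", "106/8",
                  "127/8", "172.16/12", "179/8", "185/8", "192.168/16", "224/3"]
BOGONS_AFTER_Q1 = ["0/8", "10/8", "127/8", "172.16/12", "192.168/16", "224/3"]
# Constructed: an out-of-date list of the kind that would still drop 107/8.
BOGONS_STALE_EXAMPLE = BOGONS_CURRENT + ["107/8"]

# Constructed test-host addresses: one inside Dustin's 107.7.0.0/16, one outside
# (192.0.2.0/24 is documentation space, used here only as a placeholder).
INSIDE_IP = "107.7.0.10"
OUTSIDE_IP = "192.0.2.1"


def expand(shorthand: str) -> ipaddress.IPv4Network:
    """Expand "39/8" or "172.16/12" to a full network ("39.0.0.0/8")."""
    addr, plen = shorthand.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen)


def covering_bogons(prefix: str, bogons: Iterable[str]) -> List[str]:
    """Entries of `bogons` that contain `prefix`; a non-empty result means a
    filter built from that list would drop the prefix."""
    net = ipaddress.IPv4Network(prefix)
    return [b for b in bogons if net.subnet_of(expand(b))]


def stale_entries(old: Iterable[str], current: Iterable[str]) -> List[str]:
    """Entries in an operator's list that the current list no longer covers
    and that therefore need to be removed from the filter."""
    cur = [expand(b) for b in current]
    return [b for b in old if not any(expand(b).subnet_of(c) for c in cur)]


Probe = Callable[[str, str], bool]  # (source_ip, target) -> reachable?


def tcp_probe(source_ip: str, target: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Live probe: TCP connect to target:port with the socket bound to
    source_ip. Both addresses must be configured on the probing host."""
    try:
        with socket.create_connection((target, port), timeout=timeout,
                                      source_address=(source_ip, 0)):
            return True
    except OSError:
        return False


def classify(targets: Iterable[str], inside_ip: str, outside_ip: str,
             probe: Probe) -> Dict[str, str]:
    """Differential reachability. Only "outside yes, inside no" is evidence
    that the far side filters the new range; "down" says nothing about it."""
    verdicts: Dict[str, str] = {}
    for target in targets:
        inside, outside = probe(inside_ip, target), probe(outside_ip, target)
        if inside and outside:
            verdicts[target] = "ok"
        elif outside and not inside:
            verdicts[target] = "filters-new-range"
        elif inside and not outside:
            verdicts[target] = "inside-only"  # our own routing/policy, not theirs
        else:
            verdicts[target] = "down"
    return verdicts


# Constructed probe results so the example runs offline: target -> (from inside, from outside).
SAMPLE_RESULTS = {
    "198.51.100.10": (False, True),   # reachable only from outside: stale filter
    "203.0.113.7": (True, True),
    "192.0.2.99": (False, False),
}


def sample_probe(source_ip: str, target: str) -> bool:
    """Offline stand-in for tcp_probe() that replays SAMPLE_RESULTS."""
    inside, outside = SAMPLE_RESULTS[target]
    return inside if source_ip == INSIDE_IP else outside


if __name__ == "__main__":
    print("blocked by stale list:", covering_bogons("107.7.0.0/16", BOGONS_STALE_EXAMPLE))
    print("blocked by current list:", covering_bogons("107.7.0.0/16", BOGONS_CURRENT))
    print("entries to drop after Q1:", stale_entries(BOGONS_CURRENT, BOGONS_AFTER_Q1))
    print(classify(SAMPLE_RESULTS, INSIDE_IP, OUTSIDE_IP, sample_probe))
```

To use the live probe, pass `tcp_probe` to `classify()` in place of `sample_probe`; the targets can be the MX or web hosts of the networks you suspect, and only the "filters-new-range" verdicts are worth a mail to the whois contact, since a host that is down from both addresses tells you nothing about its bogon filter.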
From randy at psg.com Fri Dec 3 16:34:00 2010
From: randy at psg.com (Randy Bush)
Date: Sat, 04 Dec 2010 07:34:00 +0900
Subject: wikileaks dns (was Re: Blocking International DNS)
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com>
Message-ID: 

> To expect someone not to "pressure" someone to remove potentially
> damaging material is probably naïve.

i believe that the material was not stored on amazon, only torrent pointers. and to cave to that pressure absent of actual legal requirement cost amazon my business.

randy

From jra at baylink.com Fri Dec 3 17:05:18 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 3 Dec 2010 18:05:18 -0500 (EST)
Subject: "Unlimited" wireless data...
In-Reply-To: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com>
Message-ID: <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com>

This came up in another thread yesterday or today, and I just got the solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they call "4G", though the ITU disagrees.

The AUP is here: http://www.clear.com/legal/aup

and while it really doesn't have any hidden limits (which is good, because as someone pointed out on Slashdot today, you can use up a 5GB limit in about an hour and a half at 21MB/s), it *does* have several limits on content beyond "must not be illegal" and "must not harm our network"... which limits I thought were verboten to a "common carrier".

Do the high-speed wireless services *not* claim to be common carriers, as that term is understood in telecommunications law?

In other news, the words "voice" and "VoIP" do not appear in the Clear AUP.
So, presumably, it would be acceptable to throw their portable access point in your backpack, and carry around a WiFi VoIP phone with you...

I don't seem to be able to locate the AUP that Sprint imposes on 4G customers, so I can't tell if it differs. I can't locate the VZW LTE700 AUP either.

==

In other news (cause it's thread-crossing-weekend on NANOG); Comcast announces 250GB residential cablemodem caps -- 2 years ago:
http://gizmodo.com/5043253/comcasts-250gb-data-caps-now-official-starting-in-october

Cheers,
-- jra

From jra at baylink.com Fri Dec 3 17:22:18 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 3 Dec 2010 18:22:18 -0500 (EST)
Subject: Earthlink MX from *Earthlink* dynamic IPs blocked?
Message-ID: <4401558.370.1291418538615.JavaMail.root@benjamin.baylink.com>

I'm trying to get my sister's MythTV DVR to send her a daily email with its recording schedule. Earthlink is apparently blocking the email because it's coming from a dynamic address -- even though that address *is an Earthlink cablemodem*.

Is there anyone from Earthlink email ops around who can confirm that's actually the proper interpretation of your policy?

Cheers,
-- jra

From mike at mtcc.com Fri Dec 3 17:29:32 2010
From: mike at mtcc.com (Michael Thomas)
Date: Fri, 03 Dec 2010 15:29:32 -0800
Subject: Earthlink MX from *Earthlink* dynamic IPs blocked?
In-Reply-To: <4401558.370.1291418538615.JavaMail.root@benjamin.baylink.com>
References: <4401558.370.1291418538615.JavaMail.root@benjamin.baylink.com>
Message-ID: <4CF97D5C.9020507@mtcc.com>

On 12/03/2010 03:22 PM, Jay Ashworth wrote:
> I'm trying to get my sister's MythTV DVR to send her a daily email with its
> recording schedule. Earthlink is apparently blocking the email because it's
> coming from a dynamic address -- even though that address *is an Earthlink
> cablemodem*.
>
> Is there anyone from Earthlink email ops around who can confirm that's
> actually the proper interpretation of your policy?
I don't know why this should be especially surprising. They probably use RBL's, etc, just like everybody else and I doubt the RBL cares whether the source is earthlink vs. earthlink's address space.

Wouldn't it be easier to just set your linux box to use submission and one of earthlink's mail servers, just like any other client ought to be doing these days?

Mike

From ikiris at gmail.com Fri Dec 3 17:38:37 2010
From: ikiris at gmail.com (Blake Dunlap)
Date: Fri, 3 Dec 2010 17:38:37 -0600
Subject: Earthlink MX from *Earthlink* dynamic IPs blocked?
In-Reply-To: <4CF97D5C.9020507@mtcc.com>
References: <4401558.370.1291418538615.JavaMail.root@benjamin.baylink.com> <4CF97D5C.9020507@mtcc.com>
Message-ID: 

On Fri, Dec 3, 2010 at 17:29, Michael Thomas wrote:
> On 12/03/2010 03:22 PM, Jay Ashworth wrote:
>
>> I'm trying to get my sister's MythTV DVR to send her a daily email with
>> its
>> recording schedule. Earthlink is apparently blocking the email because
>> it's
>> coming from a dynamic address -- even though that address *is an Earthlink
>> cablemodem*.
>>
>> Is there anyone from Earthlink email ops around who can confirm that's
>> actually the proper interpretation of your policy?
>>
>
> I don't know why this should be especially surprising. They probably
> use RBL's, etc, just like everybody else and I doubt the RBL cares
> whether the source is earthlink vs. earthlink's address space.
>
> Wouldn't it be easier to just set your linux box to use submission
> and one of earthlink's mail servers, just like any other client
> ought to be doing these days?
>
> Mike
>

We do the same thing, if you aren't an authenticated client, you're just another unknown mail server on the internet, so the same deliverability rules apply with DNS etc. You do not get special treatment just because you are on one of our ip blocks as far as inbound MX submission via SMTP.
-Blake From jra at baylink.com Fri Dec 3 17:40:28 2010 From: jra at baylink.com (Jay Ashworth) Date: Fri, 3 Dec 2010 18:40:28 -0500 (EST) Subject: Earthlink MX from *Earthlink* dynamic IPs blocked? In-Reply-To: Message-ID: <5584660.376.1291419628148.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Blake Dunlap" > > > I don't know why this should be especially surprising. They probably > > use RBL's, etc, just like everybody else and I doubt the RBL cares > > whether the source is earthlink vs. earthlink's address space. > > > > Wouldn't it be easier to just set your linux box to use submission > > and one of earthlink's mail servers, just like any other client > > ought to be doing these days? > > We do the same thing, if you aren't an authenticated client, you're > just another unknown mail server on the internet, so the same > deliverability rules apply with DNS etc. You do not get special treatment just > because you are on one of our ip blocks as far as inbound MX submission via SMTP. Got it; yeah, maybe that shouldn't have been a surprise. I guess I'll have to smart host her to their internal outbound server; that workaround works for me with RoadRunner, it ought to work on EL as well. Nothing to see here; move along. Thanks, -- jra From nathan at atlasnetworks.us Fri Dec 3 17:47:27 2010 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Fri, 3 Dec 2010 23:47:27 +0000 Subject: "Unlimited" wireless data... In-Reply-To: <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> References: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com> <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> > This came up in another thread yesterday or today, and I just got the > solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they > call "4G", though the ITU disagrees. 
> > The AUP is here: http://www.clear.com/legal/aup I cannot strongly enough discourage you from using their service. My experience with them has been consistently awful - and given that they're headquartered in my area, that's unacceptable. I'm informed that my experience is not at all unique - either to the Seattle area or to their service at large. Their Wikipedia article tells you pretty much everything you need to know. http://en.wikipedia.org/wiki/Clearwire Their definition of unlimited tends to be "barely acceptable throughput levels, until you start streaming youtube/netflix or doing a long-running download or using bittorrent to seed files to your work PC and laptop or using your VPN to retrieve a document, in which case, we won't turn you off, we'll just silently jail you into a 32-128kbps bandwidth profile. Also, have some poorly implemented NAT on our ludicrously underpowered CPEs!" I also understand that they've been having financial difficulties, so they're unlikely to address the issues their customers are faced with. If I were you, I would keep your backpack offline until another option is available. You're not going to be able to use VOIP on their service, anyways. Nathan (Speaking as an individual - not as the company I work for.) From williamsjj at digitar.com Fri Dec 3 18:01:41 2010 From: williamsjj at digitar.com (Jason J. W. Williams) Date: Fri, 3 Dec 2010 19:01:41 -0500 Subject: "Unlimited" wireless data... In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> References: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com> <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> Message-ID: I would second Nathan's experience. Tried to use them for our corporate office as a life boat when our T1 provider was sold to an outfit that didn't answer the support lines. 
Clear's NAT is atrocious and can't be turned off, so you can't drop a real firewall behind it on a single static. -J -------- Jason J. W. Williams, COO/CTO DigiTar williamsjj at digitar.com V: 208.343.8520 F: 208.322.8522 M: 208.863.0727 www.digitar.com On Dec 3, 2010, at 4:47 PM, Nathan Eisenberg wrote: > >> This came up in another thread yesterday or today, and I just got the >> solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they >> call "4G", though the ITU disagrees. >> >> The AUP is here: http://www.clear.com/legal/aup > > I cannot strongly enough discourage you from using their service. My experience with them has been consistently awful - and given that they're headquartered in my area, that's unacceptable. I'm informed that my experience is not at all unique - either to the Seattle area or to their service at large. Their Wikipedia article tells you pretty much everything you need to know. > > http://en.wikipedia.org/wiki/Clearwire > > Their definition of unlimited tends to be "barely acceptable throughput levels, until you start streaming youtube/netflix or doing a long-running download or using bittorrent to seed files to your work PC and laptop or using your VPN to retrieve a document, in which case, we won't turn you off, we'll just silently jail you into a 32-128kbps bandwidth profile. Also, have some poorly implemented NAT on our ludicrously underpowered CPEs!" > > I also understand that they've been having financial difficulties, so they're unlikely to address the issues their customers are faced with. > > If I were you, I would keep your backpack offline until another option is available. You're not going to be able to use VOIP on their service, anyways. > > Nathan > (Speaking as an individual - not as the company I work for.) >
> From hescominsoon at emmanuelcomputerconsulting.com Fri Dec 3 18:11:24 2010 From: hescominsoon at emmanuelcomputerconsulting.com (William Warren) Date: Fri, 03 Dec 2010 19:11:24 -0500 Subject: "Unlimited" wireless data... In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> References: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com> <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> Message-ID: <4CF9872C.2060402@emmanuelcomputerconsulting.com> On 12/3/2010 6:47 PM, Nathan Eisenberg wrote: >> This came up in another thread yesterday or today, and I just got the >> solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they >> call "4G", though the ITU disagrees. >> >> The AUP is here: http://www.clear.com/legal/aup > I cannot strongly enough discourage you from using their service. My experience with them has been consistently awful - and given that they're headquartered in my area, that's unacceptable. I'm informed that my experience is not at all unique - either to the Seattle area or to their service at large. Their Wikipedia article tells you pretty much everything you need to know. > > http://en.wikipedia.org/wiki/Clearwire > > Their definition of unlimited tends to be "barely acceptable throughput levels, until you start streaming youtube/netflix or doing a long-running download or using bittorrent to seed files to your work PC and laptop or using your VPN to retrieve a document, in which case, we won't turn you off, we'll just silently jail you into a 32-128kbps bandwidth profile. Also, have some poorly implemented NAT on our ludicrously underpowered CPEs!" > > I also understand that they've been having financial difficulties, so they're unlikely to address the issues their customers are faced with. > > If I were you, I would keep your backpack offline until another option is available. 
You're not going to be able to use VOIP on their service, anyways. > > Nathan > (Speaking as an individual - not as the company I work for.) My wife's employer (a multinational grocery conglomerate) tried Clear for their internet access as well. It spent more time offline than on. They have since switched that location to 3G cards in the individual machines and VPN back to the home office..:) From jared at puck.nether.net Fri Dec 3 18:32:52 2010 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 3 Dec 2010 19:32:52 -0500 Subject: "Unlimited" wireless data... In-Reply-To: References: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com> <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> Message-ID: <4B4DC6A9-85BB-4F63-BC8A-BC211E87BE20@puck.nether.net> I must once again give props to UBNT if you want awesome wireless gear for CLOS. For $160 or so, you can get a 60Mb/s link up (mine is a ~3mi/~5km link using two Nanobridge M5's). They also have 3.65GHz gear as well, but it is a bit more per unit. This per-unit cost starts to put them in the 'nearly disposable' category. (Oh, and it includes the dish and can do MCS-15 if your range is enough). Look up your local/private towers or buildings where you might be able to get space/colo cheap. It may be easier than you think to get a reliable connection... - Jared On Dec 3, 2010, at 7:01 PM, Jason J. W. Williams wrote: > I would second Nathan's experience. Tried to use them for our corporate office as a life boat when our T1 provider was sold to an outfit that didn't answer the support lines. Clear's NAT is atrocious and can't be turned off, so you can't drop a real firewall behind it on a single static. > > -J > -------- > Jason J. W.
Williams, COO/CTO > DigiTar > williamsjj at digitar.com > > V: 208.343.8520 > F: 208.322.8522 > M: 208.863.0727 > > www.digitar.com > > On Dec 3, 2010, at 4:47 PM, Nathan Eisenberg wrote: > >> >>> This came up in another thread yesterday or today, and I just got the >>> solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they >>> call "4G", though the ITU disagrees. >>> >>> The AUP is here: http://www.clear.com/legal/aup >> >> I cannot strongly enough discourage you from using their service. My experience with them has been consistently awful - and given that they're headquartered in my area, that's unacceptable. I'm informed that my experience is not at all unique - either to the Seattle area or to their service at large. Their Wikipedia article tells you pretty much everything you need to know. >> >> http://en.wikipedia.org/wiki/Clearwire >> >> Their definition of unlimited tends to be "barely acceptable throughput levels, until you start streaming youtube/netflix or doing a long-running download or using bittorrent to seed files to your work PC and laptop or using your VPN to retrieve a document, in which case, we won't turn you off, we'll just silently jail you into a 32-128kbps bandwidth profile. Also, have some poorly implemented NAT on our ludicrously underpowered CPEs!" >> >> I also understand that they've been having financial difficulties, so they're unlikely to address the issues their customers are faced with. >> >> If I were you, I would keep your backpack offline until another option is available. You're not going to be able to use VOIP on their service, anyways. >> >> Nathan >> (Speaking as an individual - not as the company I work for.) >>
>> > > From kevin at steadfast.net Fri Dec 3 18:34:04 2010 From: kevin at steadfast.net (Kevin Stange) Date: Fri, 03 Dec 2010 18:34:04 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> Message-ID: <4CF98C7C.2000207@steadfast.net> On 12/03/2010 03:21 PM, Matthew Petach wrote: > On Thu, Dec 2, 2010 at 8:58 PM, Alex Rubenstein wrote: > ... >> Anyway, back to topic: Vendors, please a) get all your gear to cool front-to-back, and b) let it take 480 polyphase and not require a neutral. I, for one, will be happier. The datacenter of tomorrow (hell, today) requires this. >> > > People are still feeding their gear with AC? Save on PS inefficiency, > and feed direct 12/5vDC to the servers. Save space, save power, > save cooling. If you're already in a datacenter, getting 208V AC from an existing AC infrastructure is a lot easier, cheaper, and sometimes more plausible than building a DC plant. If you have your own facility, it's a different story, but if you do colo, you probably have more customers expecting AC than DC, so you'll at least need to maintain both infrastructures. -- Kevin Stange Chief Technology Officer Steadfast Networks http://steadfast.net Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
From jra at baylink.com Fri Dec 3 18:38:35 2010 From: jra at baylink.com (Jay Ashworth) Date: Fri, 3 Dec 2010 19:38:35 -0500 (EST) Subject: Want to move to all 208V for server racks In-Reply-To: <4CF98C7C.2000207@steadfast.net> Message-ID: <1211893.396.1291423115851.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Kevin Stange" > > > People are still feeding their gear with AC? Save on PS inefficiency, > > and feed direct 12/5vDC to the servers. Save space, save power, > > save cooling. > > If you're already in a datacenter, getting 208V AC from an existing AC > infrastructure is a lot easier, cheaper, and sometimes more plausible > than building a DC plant. If you have your own facility, it's a > different story, but if you do colo, you probably have more customers > expecting AC than DC, so you'll at least need to maintain both > infrastructures. It *is* Friday night, Kevin. :-) He said 12/5VDC, not -48. Cheers, -- jra From Valdis.Kletnieks at vt.edu Fri Dec 3 18:58:50 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 03 Dec 2010 19:58:50 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: Your message of "Fri, 03 Dec 2010 13:21:07 PST." References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> Message-ID: <91470.1291424330@localhost> On Fri, 03 Dec 2010 13:21:07 PST, Matthew Petach said: > People are still feeding their gear with AC? Save on PS inefficiency, > and feed direct 12/5vDC to the servers. Save space, save power, > save cooling. What does that do to customer equipment choices?
I've got a quarter acre of boxes that I know want 12/5vDC inside the case, but that's not an easily available option from the vendor - most of the time the only option is autoswitching 120-240DC with your choice of power cables. (If anybody has a good TCO analysis for doing this with Dell/Sun/IBM/Apple servers, I'm willing to listen...) From Valdis.Kletnieks at vt.edu Fri Dec 3 19:00:15 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 03 Dec 2010 20:00:15 -0500 Subject: ARIN space not accepted In-Reply-To: Your message of "Fri, 03 Dec 2010 14:24:16 PST." <20101203222416.GA4683@ussenterprise.ufp.org> References: <4CF96BA6.2070804@brightok.net> <20101203222416.GA4683@ussenterprise.ufp.org> Message-ID: <91524.1291424415@localhost> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said: > It is speculated that no later than Q1, two more /8's will be allocated, > triggering a policy that will give the remaining 5 /8's out to the > RIR's. That means, prior to end of Q1, the bogon list will be:
>
> 0/8
> 10/8
> 127/8
> 172.16/12
> 192.168/16
> 224/3

Oh. And don't forget to do *bidirectional* filtering of these addresses. ;) From brent at servuhome.net Fri Dec 3 19:30:38 2010 From: brent at servuhome.net (Brent Jones) Date: Fri, 3 Dec 2010 17:30:38 -0800 Subject: Google mail admin contact needed (STARTTLS capabilities issue) Message-ID: There appears to be a widespread issue with Google inbound MX's yesterday/today and I am unable to reach sufficient levels of support from Google tickets or forums.
The problem seems to be that many, if not all, inbound Google MX records for Gmail.com and Google Apps hosted domains are no longer reliably advertising TLS as being supported over port 25 via STARTTLS. It also appears TLS on connect over port 465 is spotty at best, with some servers responding, and some not. Previously 465 was recommended by Google for mail clients to use, but it seems to be experiencing issues the last day or so intermittently. This has been preventing opportunistic TLS from working over the last couple of days for my personal Google Apps domain, and verified with several other Google Apps hosted domains. However, Postini inbound MX'es still show STARTTLS in the capabilities list after EHLO, so this seems to be only Google MX'es, not impacting those who use Postini. For example, below shows the same MX at Google responding with and without TLS. I attempted about a dozen times over a few minutes to the same MX until I got STARTTLS listed in the capabilities list, but the next attempt to the same MX would no longer show STARTTLS. Any assistance on or off list would be appreciated.

(08:17 PM Fri Dec 03)-(~)
$ telnet alt1.gmail-smtp-in.l.google.com 25
Trying 209.85.229.27...
Connected to alt1.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y73si4442013weq.155
ehlo domain.com
250-mx.google.com at your service, [64.124.180.7]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES

(08:20 PM Fri Dec 03)-(~)
$ telnet alt1.gmail-smtp-in.l.google.com 25
Trying 209.85.229.27...
Connected to alt1.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP j3si4484656wbc.99
ehlo domain.com
250-mx.google.com at your service, [64.124.180.7]
250-SIZE 35651584
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES

(08:22 PM Fri Dec 03)-(~)
# telnet alt4.gmail-smtp-in.l.google.com 25
Trying 74.125.67.27...
Connected to alt4.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g16si6002830ibb.2
ehlo domain.com
250-mx.google.com at your service, [64.124.180.7]
250-SIZE 35651584
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 PIPELINING

(08:26 PM Fri Dec 03)-(~)
# telnet alt4.gmail-smtp-in.l.google.com 25
Trying 74.125.67.27...
Connected to alt4.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP e7si5973534ibb.84
ehlo domain.com
250-mx.google.com at your service, [64.124.180.7]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING

(08:28 PM Fri Dec 03)-(~)
$ telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.91.27...
Connected to ASPMX.L.GOOGLE.COM.
Escape character is '^]'.
220 mx.google.com ESMTP n7si5304773qcu.37
ehlo domain.com
250-mx.google.com at your service, [64.124.180.7]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES
STARTTLS
502 5.5.1 Unrecognized command. n7si5304773qcu.37

-- Brent Jones brent at servuhome.net From bruns at 2mbit.com Fri Dec 3 20:03:49 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Fri, 03 Dec 2010 19:03:49 -0700 Subject: "Unlimited" wireless data... In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> References: <33510504.354.1291416165692.JavaMail.root@benjamin.baylink.com> <9295702.364.1291417517993.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B271368@ex-mb-1.corp.atlasnetworks.us> Message-ID: <4CF9A185.9030206@2mbit.com> On 12/3/10 4:47 PM, Nathan Eisenberg wrote: > Their definition of unlimited tends to be "barely acceptable > throughput levels, until you start streaming youtube/netflix or doing > a long-running download or using bittorrent to seed files to your > work PC and laptop or using your VPN to retrieve a document, in which > case, we won't turn you off, we'll just silently jail you into a > 32-128kbps bandwidth profile. Also, have some poorly implemented > NAT on our ludicrously underpowered CPEs!"
The biggest problem with the home base station Clear modems from Motorola is that you can't turn off the NAT and just use it as a pass-through. I believe with the 'normal' non-Clear firmware, it's not locked like that. The other fun I noticed with those same modems is that some have come wide open, public-facing web UI unprotected with a default password. Yay for 'customer experience'. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org From nanog at jima.tk Fri Dec 3 20:25:47 2010 From: nanog at jima.tk (Jima) Date: Fri, 03 Dec 2010 20:25:47 -0600 Subject: Earthlink MX from *Earthlink* dynamic IPs blocked? In-Reply-To: <5584660.376.1291419628148.JavaMail.root@benjamin.baylink.com> References: <5584660.376.1291419628148.JavaMail.root@benjamin.baylink.com> Message-ID: <4CF9A6AB.60009@jima.tk> On 12/3/2010 5:40 PM, Jay Ashworth wrote: > Got it; yeah, maybe that shouldn't have been a surprise. I guess I'll have > to smart host her to their internal outbound server; that workaround works > for me with RoadRunner, it ought to work on EL as well. In my experience ssmtp (the software) has done a good job of smarthost-ing mail away from solitary instances with minimal pain; any reason you couldn't use that? Jima From Valdis.Kletnieks at vt.edu Fri Dec 3 20:48:04 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 03 Dec 2010 21:48:04 -0500 Subject: Google mail admin contact needed (STARTTLS capabilities issue) In-Reply-To: Your message of "Fri, 03 Dec 2010 17:30:38 PST." References: Message-ID: <95183.1291430884@localhost> On Fri, 03 Dec 2010 17:30:38 PST, Brent Jones said: > For example, below shows the same MX at Google responding with and > without TLS.
I attempted about a dozen times over a few minutes to the > same MX until I got STARTTLS listed in the capabilities list, but the > next attempt to the same MX would no longer show STARTTLS. Equally troubling is the similarly random nature of PIPELINING, which doesn't even match the STARTTLS appearing or not. Definitely bad juju. From joelja at bogus.com Fri Dec 3 21:18:55 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Fri, 3 Dec 2010 19:18:55 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <91470.1291424330@localhost> References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> Message-ID: On Dec 3, 2010, at 16:58, Valdis.Kletnieks at vt.edu wrote: > On Fri, 03 Dec 2010 13:21:07 PST, Matthew Petach said: >> People are still feeding their gear with AC? Save on PS inefficiency, >> and feed direct 12/5vDC to the servers. Save space, save power, >> save cooling. > > What does that do to customer equipment choices? I've got a quarter acre of > boxes that I know want 12/5vDC inside the case, but that's not an easily > available option from the vendor - most of the time the only option is > autoswitching 120-240DC with your choice of power cables. > The 10,000amp bus for the 12v feed for a row of server racks would be a thing to behold. I don't think anyone but Paul Wall has seriously considered this. > (If anybody has a good TCO analysis for doing this with Dell/Sun/IBM/Apple > servers, I'm willing to listen...)
> From mpetach at netflight.com Fri Dec 3 21:18:08 2010 From: mpetach at netflight.com (Matthew Petach) Date: Fri, 3 Dec 2010 19:18:08 -0800 Subject: Trying to Make Sense of the Comcast/Level 3 Dispute In-Reply-To: References: <20101203144934.GB71451@ussenterprise.ufp.org> Message-ID: On Fri, Dec 3, 2010 at 10:43 AM, Patrick W. Gilmore wrote: > On Dec 3, 2010, at 1:34 PM, christian koch wrote: > >> my guess is the info for that was pulled off comcast's route server, where >> only tata is seen > > Asymmetric routing on the Internet? What will they think of next?! > > That said, does changing the name of the middle network change the substance of the post? > Nope--just pointing out that Yahoo content is not stuck on the congested pathway in the direction in which the congestion exists, at least until Comcast decides to start sending sufficient outbound traffic to cause congestion in both directions. Just didn't like the portrayal of our connectivity as being stuck behind a traffic jam of other data, potentially causing Comcast users to subconsciously avoid going to Yahoo sites for fear they might be somehow affected by that line of cars. > -- > TTFN, > patrick > > P.S. And does Y! have a route-server to figure this stuff out? :) Not one that the security team would allow me to open up to outside queries, I'm afraid.
:( Matt From mpetach at netflight.com Fri Dec 3 21:25:15 2010 From: mpetach at netflight.com (Matthew Petach) Date: Fri, 3 Dec 2010 19:25:15 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> Message-ID: On Fri, Dec 3, 2010 at 7:18 PM, Joel Jaeggli wrote: > On Dec 3, 2010, at 16:58, Valdis.Kletnieks at vt.edu wrote: > > On Fri, 03 Dec 2010 13:21:07 PST, Matthew Petach said: > > People are still feeding their gear with AC? Save on PS inefficiency, > > and feed direct 12/5vDC to the servers. Save space, save power, > > save cooling. > > What does that do to customer equipment choices? I've got a quarter acre of > > boxes that I know want 12/5vDC inside the case, but that's not an easily > > available option from the vendor - most of the time the only option is > > autoswitching 120-240DC with your choice of power cables. > > The 10,000amp bus for the 12v feed for a row of server racks would be a > thing to behold. I don't think anyone but Paul Wall has seriously considered > this. Some day I'd love to meet that guy--he sure has come up with some revolutionary ideas here! (OK, so it's not as practical when you have other customers to worry about... but it might not be so crazy when you're looking at the efficiency numbers for 100,000 small 1u power supplies vs a set of much larger ones.)
Matt From joelja at bogus.com Fri Dec 3 22:01:48 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Fri, 3 Dec 2010 20:01:48 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> Message-ID: On Dec 3, 2010, at 19:25, Matthew Petach wrote: > On Fri, Dec 3, 2010 at 7:18 PM, Joel Jaeggli wrote: >> On Dec 3, 2010, at 16:58, Valdis.Kletnieks at vt.edu wrote: >> >> On Fri, 03 Dec 2010 13:21:07 PST, Matthew Petach said: >> >> People are still feeding their gear with AC? Save on PS inefficiency, >> >> and feed direct 12/5vDC to the servers. Save space, save power, >> >> save cooling. >> >> What does that do to customer equipment choices? I've got a quarter acre of >> >> boxes that I know want 12/5vDC inside the case, but that's not an easily >> >> available option from the vendor - most of the time the only option is >> >> autoswitching 120-240DC with your choice of power cables. >> >> The 10,000amp bus for the 12v feed for a row of server racks would be a >> thing to behold. I don't think anyone but Paul Wall has seriously considered >> this. > > Some day I'd love to meet that guy--he sure has come up with some > revolutionary ideas here! > > (OK, so it's not as practical when you have other customers to worry > about... but it might not be so crazy when you're looking at the > efficiency numbers for 100,000 small 1u power supplies vs a set > of much larger ones.) Ohm's law is a bitch. 10kamp -48v DC plants are bad enough as far as the amount of copper required; running 12v for significant distance is comical, which is the reason small boats, airplanes and diesel trucks adopt 24v systems. There's probably some model where top-of-rack rectifiers make sense, but that's really pretty much what a blade server is.
When you look at a motherboard in a server, a big chunk of real estate is devoted to taking 12v and switching it down to 1.2-1.8 for distribution to the CPU/memory; a 4-socket server might have to carry 400amp around in a space of around 300cm^2 on a layer of the PCB. The justification for running 208 or 480 all the way to a cabinet is all about smaller conductors. Joel > > Matt > > From nanog at jima.tk Fri Dec 3 22:02:12 2010 From: nanog at jima.tk (Jima) Date: Fri, 03 Dec 2010 22:02:12 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> Message-ID: <4CF9BD44.6090803@jima.tk> On 12/3/2010 9:25 PM, Matthew Petach wrote: > (OK, so it's not as practical when you have other customers to worry > about... but it might not be so crazy when you're looking at the > efficiency numbers for 100,000 small 1u power supplies vs a set > of much larger ones.) Particularly if you're running your AC power through UPSes -- especially online ones (where there's a constant AC-DC-AC conversion happening). Go to DC for the batteries, never come back. It's a tempting notion. Jima From brent at servuhome.net Fri Dec 3 22:06:25 2010 From: brent at servuhome.net (Brent Jones) Date: Fri, 3 Dec 2010 20:06:25 -0800 Subject: Google mail admin contact needed (STARTTLS capabilities issue) In-Reply-To: <95183.1291430884@localhost> References: <95183.1291430884@localhost> Message-ID: On Fri, Dec 3, 2010 at 6:48 PM, wrote: > On Fri, 03 Dec 2010 17:30:38 PST, Brent Jones said: > >> For example, below shows the same MX at Google responding with and >> without TLS.
I attempted about a dozen times over a few minutes to the >> same MX until I got STARTTLS listed in the capabilities list, but the >> next attempt to the same MX would no longer show STARTTLS > > Equally troubling is the similarly random nature of PIPELINING, which doesn't > even match the STARTTLS appearing or not. Definitely bad juju. > > Yah, I've been trying to find a method to this madness, yet I cannot. Haven't heard from their support escalation, or from NST. I'll randomly get a host that advertises TLS, or pipelining, or both ;) Certainly not the behavior I would expect from Google, now that they're doing government/education e-mail hosting. -- Brent Jones brent at servuhome.net From joelja at bogus.com Fri Dec 3 22:10:38 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Fri, 3 Dec 2010 20:10:38 -0800 Subject: Want to move to all 208V for server racks In-Reply-To: <4CF9BD44.6090803@jima.tk> References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> <4CF9BD44.6090803@jima.tk> Message-ID: Your battery stack isn't like 12v either, unless it's one battery. Joel's widget number 2 On Dec 3, 2010, at 20:02, Jima wrote: > On 12/3/2010 9:25 PM, Matthew Petach wrote: >> (OK, so it's not as practical when you have other customers to worry >> about... but it might not be so crazy when you're looking at the >> efficiency numbers for 100,000 small 1u power supplies vs a set >> of much larger ones.) > > Particularly if you're running your AC power through UPSes -- especially online ones (where there's a constant AC-DC-AC conversion happening). Go to DC for the batteries, never come back. It's a tempting notion. 
> > Jima > From nanog at jima.tk Fri Dec 3 22:19:26 2010 From: nanog at jima.tk (Jima) Date: Fri, 03 Dec 2010 22:19:26 -0600 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101202164628.GA20227@ussenterprise.ufp.org> <1411250A-38F8-4099-89D4-616D6633F218@delong.com> <7F47C485-4AF0-4C37-B7EB-D89A7E084E30@dragondata.com> <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> <4CF9BD44.6090803@jima.tk> Message-ID: <4CF9C14E.1080809@jima.tk> On 12/3/2010 10:10 PM, Joel Jaeggli wrote: > Your battery stack isn't like 12v either, unless it's one battery. Try connecting the batteries in parallel rather than in series, then. ;-) Regarding your other message: > The justification for running 208 or 480 all the way to a cabinet is > all about smaller conductors. So 208/480 to each cabinet's UPS, and DC from there? I'm not sure how feasible that is. Jima From gem at rellim.com Fri Dec 3 14:57:21 2010 From: gem at rellim.com (Gary E. Miller) Date: Fri, 3 Dec 2010 12:57:21 -0800 (PST) Subject: wikileaks dns (was Re: Blocking International DNS) In-Reply-To: <4CF956D9.6000603@xyonet.com> References: <201012021331.48695.lowen@pari.edu> <20101203040510.GA8484@sizone.org> <24D81CB7-2178-45B3-B93B-F9B26A4F0B75@americafree.tv> <4CF89C56.4090607@brightok.net> <5A6D953473350C4B9995546AFE9939EE0B14CCDB@RWC-EX1.corp.seven.com> <4CF956D9.6000603@xyonet.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yo Curtis! On Fri, 3 Dec 2010, Curtis Maurand wrote: > The patriot act did away with due process. Yep. More on that today: http://www.wired.com/threatlevel/2010/12/realtime/ RGDS GARY - --------------------------------------------------------------------------- Gary E. 
Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFM+Vm0BmnRqz71OvMRAsPlAJ9erzScO4+Lsixa3Rk33OS9+X0tPQCeJvqh TASxqIjnaNm+CDVLpS+UEcs= =uFTG -----END PGP SIGNATURE----- From adrian at creative.net.au Fri Dec 3 23:17:24 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Sat, 4 Dec 2010 13:17:24 +0800 Subject: Want to move to all 208V for server racks In-Reply-To: References: <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> Message-ID: <20101204051724.GA11783@skywalker.creative.net.au> On Fri, Dec 03, 2010, Joel Jaeggli wrote: > > (OK, so it's not as practical when you have other customers to worry > > about... but it might not be so crazy when you're looking at the > > efficiency numbers for 100,000 small 1u power supplies vs a set > > of much larger ones.) > > Ohm's law is a bitch. 10kamp -48v DC plants are bad enough as far as the amount of copper required, running 12v for significant distance is comical, this is the reason small boats airplanes and diesel trucks adopt 24v systems. There's probably some model where top of rack rectifiers makes sense but that's really pretty much what a blade server is. When you look at a motherboard in a server a big chunk of of real-estate is devoted to taking 12v and switching it down to 1.2-1.8 for distribution to the CPU/memory, a 4 socket server might have to carry 400amp around in a space of around 300cm^2 on a layer of the pcb. > > The justification for running 208 or 480 all the way to a cabinet is all about smaller conductors. Isn't this one area where Google have already (re-)pioneered recently? Besides, there's a reason why AC won over DC for carrying 0 < x < few hundred (or thousand? Amps) over a reasonable distance. IANA-PowerEngineer, but ISTR the behaviour/efficiency of voltage/current over distance for both AC and DC is well understood. (And no, ISTR it isn't "AC wins." 
:-) If you're at all serious about discussing this, I bet spending 15 minutes doing some research and then an hour or so crafting some simultaneous equations to solve/graph would be very very eye-opening. Come on guys/girls, you're a bright bunch, post some models and discuss those rather than un-substantiated datapoints! :-) 2c, Adrian From jra at baylink.com Fri Dec 3 23:33:46 2010 From: jra at baylink.com (Jay Ashworth) Date: Sat, 4 Dec 2010 00:33:46 -0500 (EST) Subject: Want to move to all 208V for server racks In-Reply-To: <4CF9BD44.6090803@jima.tk> Message-ID: <10206355.410.1291440826150.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Jima" > > On 12/3/2010 9:25 PM, Matthew Petach wrote: > > (OK, so it's not as practical when you have other customers to worry > > about... but it might not be so crazy when you're looking at the > > efficiency numbers for 100,000 small 1u power supplies vs a set > > of much larger ones.) > > Particularly if you're running your AC power through UPSes -- > especially online ones (where there's a constant AC-DC-AC conversion > happening). Go to DC for the batteries, never come back. It's a > tempting notion. And in fact, much carrier class equipment can be had with -48V power, there are ATX and similar power supplies for PCs that are -48, and I *think* I've commercial small UPSs (<3kVa) that give with -48 as well... using 48V battery strings, obviously. 
Cheers,
-- jra

From owen at delong.com Sat Dec 4 00:28:55 2010
From: owen at delong.com (Owen DeLong)
Date: Fri, 3 Dec 2010 22:28:55 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: <20101204051724.GA11783@skywalker.creative.net.au>
References: <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> <20101204051724.GA11783@skywalker.creative.net.au>
Message-ID: <121C9CDD-FD69-41D6-B0A0-EEAC1C7F50FC@delong.com>

On Dec 3, 2010, at 9:17 PM, Adrian Chadd wrote:

> On Fri, Dec 03, 2010, Joel Jaeggli wrote:
>
>>> (OK, so it's not as practical when you have other customers to worry
>>> about... but it might not be so crazy when you're looking at the
>>> efficiency numbers for 100,000 small 1u power supplies vs a set
>>> of much larger ones.)
>>
>> Ohm's law is a bitch. 10kamp -48v DC plants are bad enough as far as the amount of copper required, running 12v for significant distance is comical, this is the reason small boats airplanes and diesel trucks adopt 24v systems. There's probably some model where top of rack rectifiers makes sense but that's really pretty much what a blade server is. When you look at a motherboard in a server a big chunk of real-estate is devoted to taking 12v and switching it down to 1.2-1.8 for distribution to the CPU/memory, a 4 socket server might have to carry 400 amp around in a space of around 300cm^2 on a layer of the pcb.
>>
>> The justification for running 208 or 480 all the way to a cabinet is all about smaller conductors.
>
> Isn't this one area where Google have already (re-)pioneered recently?
>
> Besides, there's a reason why AC won over DC for carrying 0 < x < few hundred
> (or thousand? Amps) over a reasonable distance. IANA-PowerEngineer, but
> ISTR the behaviour/efficiency of voltage/current over distance for both
> AC and DC is well understood. (And no, ISTR it isn't "AC wins." :-)
>
> If you're at all serious about discussing this, I bet spending 15 minutes
> doing some research and then an hour or so crafting some simultaneous equations
> to solve/graph would be very very eye-opening.
>
> Come on guys/girls, you're a bright bunch, post some models and discuss
> those rather than un-substantiated datapoints! :-)
>
> 2c,
>
>
> Adrian
>

This isn't rocket science and doesn't require much math...

1. For long distances, you need higher voltages to overcome line loss.
2. For larger loads, you want to use higher voltages to have lower amperages so that you can use reasonable wire sizes.
3. It's a whole lot easier to change AC voltages than DC.

The system that won is a system of very very very high voltages for the core distribution with transformers converting that to intermediate distribution voltages which are then further transformed down to even lower voltages for service delivery. This is easily done with AC and would be quite complex and inefficient (especially with the technology available at the time this decision was made) with DC.

It would probably be more efficient to run the entire country on 200,000 VDC, but, the dangers of exposing the general public to that kind of voltage are, well, probably just one of the reasons we use 110 VAC instead.

Owen

From oberman at es.net Sat Dec 4 00:43:09 2010
From: oberman at es.net (Kevin Oberman)
Date: Fri, 03 Dec 2010 22:43:09 -0800
Subject: ARIN space not accepted
In-Reply-To: Your message of "Fri, 03 Dec 2010 20:00:15 EST." <91524.1291424415@localhost>
Message-ID: <20101204064309.2775B1CC0C@ptavv.es.net>

> From: Valdis.Kletnieks at vt.edu
>
> From: Valdis.Kletnieks at vt.edu
> Date: Fri, 03 Dec 2010 20:00:15 -0500
>
> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
>
> > It is speculated that no later than Q1, two more /8's will be allocated,
> > triggering a policy that will give the remaining 5 /8's out to the
> > RIR's. That means, prior to end of Q1, the bogon list will be:
> >
> > 0/8
> > 10/8
> > 127/8
> > 172.16/12
> > 192.168/16
> > 224/3
>
> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)

Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From fergdawgster at gmail.com Sat Dec 4 00:49:25 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Fri, 3 Dec 2010 22:49:25 -0800
Subject: Google acquires Netflix, Vudu, and Blockbuster's streaming video DRM provider Widevine
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not for nothing, but I figured this has direct relevance to the current dialog regarding Netflix, Comcast, et al.

http://www.betanews.com/article/Google-acquires-Netflix-Vudu-and-Blockbusters-streaming-video-DRM-provider-Widevine/1291420252

FYI,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+eRqq1pz9mNUZTMRAsm7AJ0Ub6UeMyhjmu8iNZUX9shm+s3r0QCg24b7
YCqeHLPeaNIq+h1zrED4cU4=
=Wi/L
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From andrew.wallace at rocketmail.com Sat Dec 4 09:45:04 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Sat, 4 Dec 2010 07:45:04 -0800 (PST)
Subject: U.S. officials deny technical takedown of WikiLeaks
Message-ID: <807332.56924.qm@web59605.mail.ac4.yahoo.com>

Washington (CNN) -- U.S. officials at the Pentagon and State Department denied Friday knowing of any efforts to take down the WikiLeaks website or asking companies to do so.

http://edition.cnn.com/2010/POLITICS/12/03/wikileaks.takedown/index.html

Andrew

From gary.buhrmaster at gmail.com Sat Dec 4 09:51:52 2010
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Sat, 4 Dec 2010 07:51:52 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: <121C9CDD-FD69-41D6-B0A0-EEAC1C7F50FC@delong.com>
References: <20101203033804.GB5521@hiwaay.net> <91470.1291424330@localhost> <20101204051724.GA11783@skywalker.creative.net.au> <121C9CDD-FD69-41D6-B0A0-EEAC1C7F50FC@delong.com>
Message-ID:

On Fri, Dec 3, 2010 at 22:28, Owen DeLong wrote:
> ... This is easily done with AC and would be quite complex
> and inefficient (especially with the technology available at the time this
> decision was made) with DC.

Correct. Now, of course, with switched mode conversion and power FET technology DC-to-DC converter efficiency can be greater than 95% in optimized designs, but back when Edison and Tesla were arguing the merits, DC conversion was very inefficient compared to AC.

From lowen at pari.edu Sat Dec 4 10:05:56 2010
From: lowen at pari.edu (Lamar Owen)
Date: Sat, 4 Dec 2010 11:05:56 -0500
Subject: Want to move to all 208V for server racks
In-Reply-To: <20101203075436.GX1583@angus.ind.WPI.EDU>
References:
Message-ID: <201012041105.56388.lowen@pari.edu>

On Friday, December 03, 2010 02:54:37 am Chuck Anderson wrote:
> Here's a question for you. How do you calculate the total current &
> power capacity of a L21-20 or L21-30, and how do you do the
> calculations in order to balance the load between the phase legs?
> This seems like it would be a trivial thing to do, but given that the
> three legs are 120 degrees out of phase with each other, I don't think
> you can just do normal addition.

You would be correct. A pretty good three-phase calculation reference can be found at http://www.3phasepower.org/3phasepowercalculation.htm

It is vector addition, and with the angles involved you end up multiplying and dividing by the square root of 3 a lot.

Also see the wikipedia article, and here's a few others:
http://www.gavinelectrical.com/content/threephase.htm
http://www.servertech.com/uploads/documents/0000/0236/3-Phase_Power_in_the_Data_Center.pdf

That last PDF is directly related to this discussion, and a good read.

From tme at americafree.tv Sat Dec 4 11:27:17 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Sat, 4 Dec 2010 12:27:17 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <807332.56924.qm@web59605.mail.ac4.yahoo.com>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com>
Message-ID:

On Dec 4, 2010, at 10:45 AM, andrew.wallace wrote:

> Washington (CNN) -- U.S. officials at the Pentagon and State Department denied Friday knowing of any efforts to take down the WikiLeaks website or asking companies to do so.
>
> http://edition.cnn.com/2010/POLITICS/12/03/wikileaks.takedown/index.html
>

Yes, that is what both spokesmen literally did

"I am not aware of any conversations by the United States government" - said State Department spokesman P.J. Crowley.

"I am not aware that the Department of Defense is behind any of the problems that WikiLeaks is experiencing," Col. Dave Lapan, Pentagon spokesman.

Not the Department, not the Secretary, not the Joint Chiefs, just the lowly old spokesman, all by himself, who is "not aware." A weaker and less convincing denial can scarcely be imagined this side of the divorce court.

And the CNN headline, while technically true:

U.S. officials deny they are urging technical takedown of WikiLeaks

would be more accurate as

Minor U.S. officials deny they are personally urging technical takedown of WikiLeaks

which would not have had nearly the same punch.

Regards
Marshall

> Andrew
>
>
>
>

From mloftis at wgops.com Sat Dec 4 13:03:34 2010
From: mloftis at wgops.com (Michael Loftis)
Date: Sat, 4 Dec 2010 12:03:34 -0700
Subject: Want to move to all 208V for server racks
In-Reply-To: <10206355.410.1291440826150.JavaMail.root@benjamin.baylink.com>
References: <4CF9BD44.6090803@jima.tk> <10206355.410.1291440826150.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Fri, Dec 3, 2010 at 10:33 PM, Jay Ashworth wrote:
> And in fact, much carrier class equipment can be had with -48V power, there
> are ATX and similar power supplies for PCs that are -48, and I *think* I've
> commercial small UPSs (<3kVa) that give with -48 as well... using 48V
> battery strings, obviously.
>

Take a look at the Solar/Renewable energy systems, Xantrex (Schneider actually) makes the XW series inverter/chargers which use 48V battery strings and can be paralleled up to a rated total of about 18kW at 120/240. This is done by paralleling 3x 6kW inverter/chargers. They've an integrated transfer switch, load shaving/sharing (IE if you've got say 6kW of generator, but 12kW of Inverter, the system capacity is up to 12kW, with battery assist).

And that's just one option, Magnasine makes parallel inverter/charger and inverter systems up to around 12kW, also using 48VDC (or 24VDC) strings.

Both of these are sinewave inverters.

There's also a telco oriented 48V inverter rack system that's escaping my mind at the moment. It can be setup with A/B 48V strings, and you plug in inverter modules up to IIRC around 8kW. Not parallel capable between racks AFAIK.
From jra at baylink.com Sat Dec 4 13:45:08 2010
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 4 Dec 2010 14:45:08 -0500 (EST)
Subject: Want to move to all 208V for server racks
In-Reply-To:
Message-ID: <28885761.444.1291491908522.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Michael Loftis"
>
> On Fri, Dec 3, 2010 at 10:33 PM, Jay Ashworth wrote:
> > And in fact, much carrier class equipment can be had with -48V
> > power, there are ATX and similar power supplies for PCs that are -48, and I
> > *think* I've seen commercial small UPSs (<3kVa) that give with -48
> > as well... using 48V battery strings, obviously.
>
> Take a look at the Solar/Renewable energy systems, Xantrex (Schneider
> actually) makes the XW series inverter/chargers which use 48V battery
> strings and can be paralleled up to a rated total of about
> 18kW at 120/240. This is done by paralleling 3x 6kW inverter/chargers.
> They've an integrated transfer switch, load shaving/sharing (IE if
> you've got say 6kW of generator, but 12kW of Inverter, the system
> capacity is up to 12kW, with battery assist).
>
> And that's just one option, Magnasine makes parallel inverter/charger
> and inverter systems up to around 12kW, also using 48VDC (or 24VDC)
> strings.
>
> Both of these are sinewave inverters.
>
> There's also a telco oriented 48V inverter rack system that's escaping
> my mind at the moment. It can be setup with A/B 48V strings, and you
> plug in inverter modules up to IIRC around 8kW. Not parallel capable
> between racks AFAIK.

I phrased my comment poorly, which misled you. I was suggesting a UPS which took 208VAC on the charge side, and charged 48VDC batteries with it, providing -48 to a rack full of equipment which took that.

People actually call those "48VDC UPSs", though in fact they're just Little Teeny Battery Plants. :-)

Cheers,
-- jra

From jmamodio at gmail.com Sat Dec 4 13:51:27 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Sat, 4 Dec 2010 13:51:27 -0600
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com>
Message-ID:

> Not the Department, not the Secretary, not the Joint Chiefs, just the lowly old spokesman, all by himself, who is "not aware." A weaker and less convincing denial can scarcely be imagined this side of the divorce court.
>
> And the CNN headline, while technically true:
>
> U.S. officials deny they are urging technical takedown of WikiLeaks
>
> would be more accurate as
>
> Minor U.S. officials deny they are personally urging technical takedown of WikiLeaks
>
> which would not have had nearly the same punch.

Who cares? We'll know what they actually said/did in the next batch of stolen documents.

-J

From mloftis at wgops.com Sat Dec 4 14:28:10 2010
From: mloftis at wgops.com (Michael Loftis)
Date: Sat, 4 Dec 2010 13:28:10 -0700
Subject: Want to move to all 208V for server racks
In-Reply-To: <28885761.444.1291491908522.JavaMail.root@benjamin.baylink.com>
References: <28885761.444.1291491908522.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Sat, Dec 4, 2010 at 12:45 PM, Jay Ashworth wrote:
>
> I phrased my comment poorly, which misled you. I was suggesting a UPS which
> took 208VAC on the charge side, and charged 48VDC batteries with it,
> providing -48 to a rack full of equipment which took that.
>
> People actually call those "48VDC UPSs", though in fact they're just
> Little Teeny Battery Plants. :-)

Ah, well, the XW (6048's) *do* have a 100A charger each (so up to 300A @ ~48VDC) so they could be used for that too :D -- but that same industry segment, solar/renewable, makes 48VDC charger only/rectifier only systems as well. So my answer still sort of stands :D

>
> Cheers,
> -- jra
>
>

From if at xip.at Sat Dec 4 16:26:46 2010
From: if at xip.at (Ingo Flaschberger)
Date: Sat, 4 Dec 2010 23:26:46 +0100 (CET)
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <4CF9BD44.6090803@jima.tk> <10206355.410.1291440826150.JavaMail.root@benjamin.baylink.com>
Message-ID:

> There's also a telco oriented 48V inverter rack system that's escaping
> my mind at the moment. It can be setup with A/B 48V strings, and you
> plug in inverter modules up to IIRC around 8kW. Not parallel capable
> between racks AFAIK.

48V (and some more when batteries are full) are slightly below the limit of non harmful voltage.

Thus you have a voltage with less power loss at short transports and a secure voltage. (creating a short is still not a great idea).

Kind regards,
Ingo Flaschberger

From nonobvious at gmail.com Sat Dec 4 16:28:46 2010
From: nonobvious at gmail.com (Bill Stewart)
Date: Sat, 4 Dec 2010 14:28:46 -0800
Subject: The scale of streaming video on the Internet.
In-Reply-To: <20101203173502.GA82989@ussenterprise.ufp.org>
References: <20101202202151.GA65475@ussenterprise.ufp.org> <20101203161823.GB77297@ussenterprise.ufp.org> <20101203173502.GA82989@ussenterprise.ufp.org>
Message-ID:

On Fri, Dec 3, 2010 at 9:35 AM, Leo Bicknell wrote:
> - Ratio needs to be dropped from all peering policies.  It made sense
>   back when the traffic was two people e-mailing each other.  It was
>   a measure of "equal value".  However the net has evolved.  In the
>   face of streaming audio and video, or rich multimedia web sites
>   Content->User will always be wildly out of ratio.  It has moved from
>   a useful measure, to an excuse to make Content pay in all
>   circumstances.

I think that's the key point here - ratios make sense when similar types of carriers are peering with each other, whether that's traditional Tier 1s or small carriers or whatever; they don't make sense when an eyeball network is connecting to a content-provider network. The eyeball network can argue that it's doing all the work, because the content provider is handing it 99% of the bits, but the content provider can argue that the eyeball network makes its money delivering bits asymmetrically to its end users, and they'll be really annoyed if they can't get the content they want.

There are still balance-of-power issues - Comcast won't get much complaint if it drops traffic from Podunk Obscure Hosting Services, so they can bully Podunk into paying them, while Podunk Rural Wireless Services will get lots of complaint from its users if it drops traffic from YouTube.

Level 3 is functioning not only as a transport provider for smaller content providers, but also as an aggregated negotiation service, though in this case the content provider, Netflix, is big enough to matter. (Some years ago, when they were DVDs by mail only, it was estimated that they had a bandwidth about 1/3 that of the total (US?) internet, just with slightly higher latency) (or significantly lower latency, if you were still on modems.)

--
----             Thanks;     Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.

From oberman at es.net Sat Dec 4 16:52:09 2010
From: oberman at es.net (Kevin Oberman)
Date: Sat, 04 Dec 2010 14:52:09 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To: Your message of "Sat, 04 Dec 2010 23:26:46 +0100."
Message-ID: <20101204225209.CF9251CC12@ptavv.es.net>

> Date: Sat, 4 Dec 2010 23:26:46 +0100 (CET)
> From: Ingo Flaschberger
>
> > There's also a telco oriented 48V inverter rack system that's escaping
> > my mind at the moment. It can be setup with A/B 48V strings, and you
> > plug in inverter modules up to IIRC around 8kW. Not parallel capable
> > between racks AFAIK.
>
> 48V (and some more when batteries are full) are slightly below the limit
> of non harmful voltage.
>
> Thus you have a voltage with less power loss at short transports and a
> secure voltage. (creating a short is still not a great idea).

Saying that 48V is not a harmful voltage is a very dangerous statement. It is unlikely to be a threat of electrocution (though even that has exceptions), but people have lost fingers to 12V systems.

Lead-acid batteries can deliver way over 100 amps of current and a conductor across "safe" voltage will get hot and, if not heavy enough, will vaporize. The temperatures attained can cause major burns and, should the metal vaporize, can damage tissue so severely that fingers have been lost when the blood vessels were cauterized.

While safety rules often list voltages under 50 as being safe, it is still important to exercise caution like removing rings, bracelets and the like.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From jra at baylink.com Sat Dec 4 16:56:45 2010
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 4 Dec 2010 17:56:45 -0500 (EST)
Subject: The scale of streaming video on the Internet.
In-Reply-To:
Message-ID: <30298270.510.1291503405458.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> Level 3 is functioning not only as a transport provider for smaller
> content providers, but also as an aggregated negotiation service,
> though in this case the content provider, Netflix, is big enough to
> matter. (Some years ago, when they were DVDs by mail only, it was
> estimated that they had a bandwidth about 1/3 that of the total (US?)
> internet, just with slightly higher latency) (or significantly lower
> latency, if you were still on modems.)

A station wagon full of magtape, yes. Henry Spencer?

I recently calculated the capacity of a 747F full of LTO-4 tapes; it's about 8.7 exabytes. I *think* it's within weight and balance for the airframe.

Cheers,
-- jra

From ken.gilmour at gmail.com Sat Dec 4 17:03:19 2010
From: ken.gilmour at gmail.com (Ken Gilmour)
Date: Sun, 5 Dec 2010 00:03:19 +0100
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com>
Message-ID:

Now Sarah Palin is suggesting Wikileaks are terrorists and should be taken offline with technical capabilities
http://www.golem.de/1012/79848.html

or for anyone who can't speak German:

http://translate.google.ie/translate?u=http%3A%2F%2Fwww.golem.de%2F1012%2F79848.html&sl=de&tl=en&hl=&ie=UTF-8
(The translation is about as coherent as Sarah Palin herself).

From bonomi at mail.r-bonomi.com Sat Dec 4 17:47:29 2010
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Sat, 4 Dec 2010 17:47:29 -0600 (CST)
Subject: Want to move to all 208V for server racks
Message-ID: <201012042347.oB4NlTAu022048@mail.r-bonomi.com>

> Date: Fri, 3 Dec 2010 09:42:10 -0800
> From: Leo Bicknell
> Subject: Re: Want to move to all 208V for server racks
>
> In a message written on Fri, Dec 03, 2010 at 04:57:03PM +0000, Gary Buhrmaster wrote:
> > limits so that ones life has increased protection. A protective trip
> > is better than
> > the alternative.
>
> Not always.
>
> I worked in a data center with something I thought was very, very cool.
>
> http://www.hilkar.com/highresistance.htm
>
> The concept, at a high level, is rather than tie the (service, not
> signal) ground back to grounding rods directly you run it through a
> large resistor. Now when a phase is "grounded" it runs through the
> resistor, allowing a small but safe current to flow.
>
> Why is this cool? Well, say you have a power strip running at 10A
> with a bunch of servers on it. If you took a paperclip and inserted it
> in an empty plug connecting hot to ground with a normal system
> (simulating a faulty bit of gear) the breaker would trip, all your
> servers would go off.
>
> If you did this with a high resistance setup the paperclip would conduct
> about 0.5A, maybe less. An alarm, detecting current, at the resistor
> would go off to say there was a fault. Your circuit would draw 10.5
> amps and everything would stay up and running. That faulty bit of gear
> didn't take down your entire power strip.
>
> This totally eliminates arc faults, and there isn't enough current to
> ground to arc. I think GFCI's are also unnecessary, as the fault can't
> conduct enough current to be harmful.

All is "well and good", *UNTIL* "something happens" that introduces _another_ path to 'ground' that bypasses the 'high resistance' links.

(Reminiscent of the old "Branch on C.E. grounded" programming joke.)

From barb at ibgames.com Sat Dec 4 17:53:51 2010
From: barb at ibgames.com (Barb Byro)
Date: Sat, 04 Dec 2010 23:53:51 +0000
Subject: Google acquires Netflix, Vudu, and Blockbuster's streaming video DRM provider Widevine
In-Reply-To:
References:
Message-ID: <4CFAD48F.8030000@ibgames.com>

They must be starting their Christmas shopping; they also just bought 111 8th Avenue.

Google Signs Deal to Buy Manhattan Office Building
http://www.nytimes.com/2010/12/03/nyregion/03building.html?_r=2

The newspapers keep describing it as "one of New York's largest office buildings", but I remember it somewhat differently from when I worked there at AboveNet's data center.

http://www.datacenterknowledge.com/archives/2010/09/14/111-8th-avenue-carrier-hotel-is-for-sale/

Barb

On 04/12/2010 06:49 AM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Not for nothing, but I figured this has direct relevance to the current
> dialog regarding Netflix, Comcast, et al.
>
> http://www.betanews.com/article/Google-acquires-Netflix-Vudu-and-Blockbusters-streaming-video-DRM-provider-Widevine/1291420252
>
> FYI,
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFM+eRqq1pz9mNUZTMRAsm7AJ0Ub6UeMyhjmu8iNZUX9shm+s3r0QCg24b7
> YCqeHLPeaNIq+h1zrED4cU4=
> =Wi/L
> -----END PGP SIGNATURE-----
>
>
>

From bclark at spectraaccess.com Sat Dec 4 18:24:46 2010
From: bclark at spectraaccess.com (Bret Clark)
Date: Sat, 04 Dec 2010 19:24:46 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com>
Message-ID: <4CFADBCE.5060807@spectraaccess.com>

On 12/04/2010 06:03 PM, Ken Gilmour wrote:
> Now Sarah Palin is suggesting Wikileaks are terrorists and should be taken
> offline with technical capabilities
> http://www.golem.de/1012/79848.html
>
> or for anyone who can't speak German:
>
> http://translate.google.ie/translate?u=http%3A%2F%2Fwww.golem.de%2F1012%2F79848.html&sl=de&tl=en&hl=&ie=UTF-8
> (The
> translation is about as coherent as Sarah Palin herself).
>

Enough already...this is not a political list!

From deleskie at gmail.com Sat Dec 4 18:26:59 2010
From: deleskie at gmail.com (jim deleskie)
Date: Sat, 4 Dec 2010 20:26:59 -0400
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <4CFADBCE.5060807@spectraaccess.com>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com>
Message-ID:

+1

On Sat, Dec 4, 2010 at 8:24 PM, Bret Clark wrote:
> On 12/04/2010 06:03 PM, Ken Gilmour wrote:
>>
>> Now Sarah Palin is suggesting Wikileaks are terrorists and should be taken
>> offline with technical capabilities
>>  http://www.golem.de/1012/79848.html
>>
>> or for anyone who can't speak German:
>>
>>
>> http://translate.google.ie/translate?u=http%3A%2F%2Fwww.golem.de%2F1012%2F79848.html&sl=de&tl=en&hl=&ie=UTF-8
>> (The
>> translation is about as coherent as Sarah Palin herself).
>>
>
> Enough already...this is not a political list!
>

From pfunix at gmail.com Sat Dec 4 18:36:27 2010
From: pfunix at gmail.com (Beavis)
Date: Sat, 4 Dec 2010 18:36:27 -0600
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <4CFADBCE.5060807@spectraaccess.com>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com>
Message-ID:

++ Enough already...this is not a political list

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/

From jmamodio at gmail.com Sat Dec 4 19:42:36 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Sat, 4 Dec 2010 19:42:36 -0600
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com>
Message-ID:

> ++

<< (ie *2)

-J

From Valdis.Kletnieks at vt.edu Sat Dec 4 19:54:24 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 04 Dec 2010 20:54:24 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: Your message of "Sat, 04 Dec 2010 19:24:46 EST." <4CFADBCE.5060807@spectraaccess.com>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com>
Message-ID: <154052.1291514064@localhost>

On Sat, 04 Dec 2010 19:24:46 EST, Bret Clark said:
> On 12/04/2010 06:03 PM, Ken Gilmour wrote:
> > Now Sarah Palin is suggesting Wikileaks are terrorists and should be taken
> > offline with technical capabilities

> Enough already...this is not a political list!

However, given the political climate and general network cluelessness in the government sector, it probably wouldn't be a bad idea to spend an hour or so thinking what you'd do if the humorless guys in dark suits and sunglasses showed up with a court order to cut off your customer's access to WikiLeaks, even if you aren't their upstream.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From jmamodio at gmail.com Sat Dec 4 20:17:30 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Sat, 4 Dec 2010 20:17:30 -0600
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <154052.1291514064@localhost>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com> <154052.1291514064@localhost>
Message-ID:

> However, given the political climate and general network cluelessness in the
> government sector, it probably wouldn't be a bad idea to spend an hour or so
> thinking what you'd do if the humorless guys in dark suits and sunglasses
> showed up with a court order to cut off your customer's access to WikiLeaks,
> even if you aren't their upstream.

If you get a court order I guess you have two choices, one is to comply with it and the other get used to wear a nice pair of matching bracelets until your attorney shows up.

-J

From tvhawaii at shaka.com Sat Dec 4 20:24:34 2010
From: tvhawaii at shaka.com (Michael Painter)
Date: Sat, 4 Dec 2010 16:24:34 -1000
Subject: Want to move to all 208V for server racks
References: <20101204225209.CF9251CC12@ptavv.es.net>
Message-ID: <48820FFD6A564F1BA9F3083608DA14CC@DELL16>

Kevin Oberman wrote:
> Lead-acid batteries can deliver way over 100 amps of current and a
> conductor across "safe" voltage will get hot and, if not heavy enough,
> will vaporize. The temperatures attained can cause major burns and,
> should the metal vaporize, can damage tissue so severely that fingers
> have been lost when the blood vessels were cauterized.
>
> While safety rules often list voltages under 50 as being safe, it is
> still important to exercise caution like removing rings, bracelets and
> the like.

I can't remember what I was trying to accomplish, but when we were building a telco office, and after making sure I was completely "demetalicized", I had to climb up the ladder and sit on one of the 48V 1/4"x4" (2-sandwiched) copper buss-bars and lay out across the others, everything being already 'hot'. Unnerving to be sure.

I can also recall one morning at the S.P. Railroad when they called all us 'Diesel Electricians' together and showed us a wrench from graveyard shift. Most of one end was burned off, and the other end was welded to the thick, gold, wedding-band which had been cut off the guy's finger on the way to the hospital. They reiterated the mantra, 'when working with batteries, always disconnect the grounded/carbody side first'.

At IBM, we had a ritual before working on -anything-. Take off rings, watches/bracelet, tie-clasp and put into pocket. Tuck tie into top opening of shirt (white) so your neck doesn't get broken when tie catches on all the spinning crap. Even after the 360/370 came along you could always tell the old hands...the guys with their tie tucked in.
From jra at baylink.com Sat Dec 4 20:41:38 2010
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 4 Dec 2010 21:41:38 -0500 (EST)
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <154052.1291514064@localhost>
Message-ID: <2270881.572.1291516898287.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Valdis Kletnieks"
>
> On Sat, 04 Dec 2010 19:24:46 EST, Bret Clark said:
> > On 12/04/2010 06:03 PM, Ken Gilmour wrote:
> > > Now Sarah Palin is suggesting Wikileaks are terrorists and should
> > > be taken offline with technical capabilities
>
> > Enough already...this is not a political list!
>
> However, given the political climate and general network cluelessness
> in the government sector, it probably wouldn't be a bad idea to spend an hour
> or so thinking what you'd do if the humorless guys in dark suits and
> sunglasses showed up with a court order to cut off your customer's access to
> Wikileaks, even if you aren't their upstream.

And enumerating some of those thoughts is Lauren Weinstein of Privacy Forum:

http://lauren.vortex.com/archive/000788.html

I don't always agree with everything Lauren says, but it seems to me he
has this one taped pretty well.

Cheers,
-- jra

From swm at emanon.com Sat Dec 4 20:42:55 2010
From: swm at emanon.com (Scott Morris)
Date: Sat, 04 Dec 2010 21:42:55 -0500
Subject: The scale of streaming video on the Internet.
In-Reply-To: <30298270.510.1291503405458.JavaMail.root@benjamin.baylink.com>
References: <30298270.510.1291503405458.JavaMail.root@benjamin.baylink.com>
Message-ID: <4CFAFC2F.9010009@emanon.com>

On 12/4/10 5:56 PM, Jay Ashworth wrote:
> I recently calculated the capacity of a 747F full of LTO-4 tapes; it's
> about 8.7 exabytes. I *think* it's within weight and balance for the
> airframe.
>
> Cheers,
> -- jra
>

Just how much free time do you have? :)

Scott

From msokolov at ivan.Harhan.ORG Sat Dec 4 20:53:22 2010
From: msokolov at ivan.Harhan.ORG (Michael Sokolov)
Date: Sun, 5 Dec 2010 02:53:22 GMT
Subject: U.S. officials deny technical takedown of WikiLeaks
Message-ID: <1012050253.AA27731@ivan.Harhan.ORG>

Jorge Amodio wrote:
> If you get a court order I guess you have two choices, one is to
> comply with it and the other get used to wear a nice pair of matching
> bracelets until your attorney shows up.

Option 3: unleash your full firepower against the miscreants who have dared to invade your soil despite the sign at the gate which reads in plain English:

THIS FACILITY IS EXTRATERRITORIAL AND IS NOT PART OF ANY COUNTRY
NO MAKERS OR ENFORCERS OF ANY FORM OF MAN-MADE LAW ARE ALLOWED ON THE PREMISES
DEADLY FORCE WILL BE USED AGAINST ANY NATIONAL AUTHORITIES TRESPASSING PAST THIS BOUNDARY!

Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us were to go out and shoot a pig, we would still outnumber them 10 to 1! We *CAN* win -- wake up, people!

American People vs. USA -- let's see who is stronger.

MS

Hold the Heathen Hammer High! With a battle cry! For the pagan past I live and one day will die.
http://www.youtube.com/watch?v=fu2bgwcv43o

From jrd at gerdesas.com Sat Dec 4 20:59:46 2010
From: jrd at gerdesas.com (John R. Dennison)
Date: Sat, 4 Dec 2010 20:59:46 -0600
Subject: [NANOG] Re: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <1012050253.AA27731@ivan.Harhan.ORG>
References: <1012050253.AA27731@ivan.Harhan.ORG>
Message-ID: <20101205025946.GO18675@frodo.gerdesas.com>

On Sun, Dec 05, 2010 at 02:53:22AM +0000, Michael Sokolov wrote:
>
> Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us were
> to go out and shoot a pig, we would still outnumber them 10 to 1! We
> *CAN* win -- wake up, people!

Is there really any need for this nonsense on this list? Can
all the rhetoric and politics be kept off and return the list
to technical issues?

There are venues much better suited for those discussions.

John
--
We cannot do everything at once, but we can do something at once.
-- Calvin Coolidge (1872-1933), 30th president of the United States

From john-nanog at johnpeach.com Sat Dec 4 21:06:56 2010
From: john-nanog at johnpeach.com (John Peach)
Date: Sat, 04 Dec 2010 22:06:56 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com> <154052.1291514064@localhost>
Message-ID: <20101204220656.627022a2@milhouse>

On Sat, 4 Dec 2010 20:17:30 -0600
Jorge Amodio wrote:

> > However, given the political climate and general network cluelessness in the
> > government sector, it probably wouldn't be a bad idea to spend an hour or so
> > thinking what you'd do if the humorless guys in dark suits and sunglasses
> > showed up with a court order to cut off your customer's access to Wikileaks,
> > even if you aren't their upstream.
>
> If you get a court order I guess you have two choices, one is to
> comply with it and the other get used to wear a nice pair of matching
> bracelets until your attorney shows up.

The land of the free; or so you keep telling everyone.

>
> -J
>

--
John

From lou at metron.com Sat Dec 4 21:17:17 2010
From: lou at metron.com (Lou Katz)
Date: Sat, 4 Dec 2010 19:17:17 -0800
Subject: Wikileaks takedown in US
Message-ID: <20101205031717.GA91852@metron.com>

Sadly, no report that I have seen has indicated that any legal process or court order
was in action.

--
-=[L]=-

Reassembled from random thought waves ... the puckish comment of Gertrude Stein:
"There ain't no answer. There ain't going to be any answer. There never has been an answer. That's the answer."
Stein G. Quoted in: Gertrude Stein: In Words and Pictures.
Renate Stendhal, ed. New York, NY: Algonquin Books; 1994: 262.

From jared at puck.nether.net Sat Dec 4 21:21:29 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Sat, 4 Dec 2010 22:21:29 -0500
Subject: Wikileaks takedown in US
In-Reply-To: <20101205031717.GA91852@metron.com>
References: <20101205031717.GA91852@metron.com>
Message-ID: <5164EB72-7441-420A-8AEB-79C18BF9F1AF@puck.nether.net>

On Dec 4, 2010, at 10:17 PM, Lou Katz wrote:

> Sadly, no report that I have seen has indicated that any legal process or court order
> was in action.

If you violate my AUP, we can take action. That could be sending spam, it could be illegal activity. Everything I've seen regarding this seems to fall within that discretion.

There is also nothing compelling me to take anyone's money, so one can also say "No".

I had a previous employer that took a "no-pornography hosting" stance. This was before the days of ddos, etc...

Nothing to see here, move along.

- Jared

From randy at psg.com Sat Dec 4 21:32:59 2010
From: randy at psg.com (Randy Bush)
Date: Sun, 05 Dec 2010 12:32:59 +0900
Subject: Wikileaks takedown in US
In-Reply-To: <5164EB72-7441-420A-8AEB-79C18BF9F1AF@puck.nether.net>
References: <20101205031717.GA91852@metron.com> <5164EB72-7441-420A-8AEB-79C18BF9F1AF@puck.nether.net>
Message-ID:

> Nothing to see here

except the chill of repression. thanks for helping the silence.

catch where state dept agent told columbia and georgetown to tell
students not to talk about wikileaks if they ever wanted usg jobs?

randy, ex-amazon user, ex-paypal user

From bmanning at vacation.karoshi.com Sat Dec 4 21:31:27 2010
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Sun, 5 Dec 2010 03:31:27 +0000
Subject: The scale of streaming video on the Internet.
In-Reply-To: <4CFAFC2F.9010009@emanon.com>
References: <30298270.510.1291503405458.JavaMail.root@benjamin.baylink.com> <4CFAFC2F.9010009@emanon.com>
Message-ID: <20101205033127.GA15576@vacation.karoshi.com.>

On Sat, Dec 04, 2010 at 09:42:55PM -0500, Scott Morris wrote:
> On 12/4/10 5:56 PM, Jay Ashworth wrote:
> > I recently calculated the capacity of a 747F full of LTO-4 tapes; it's
> > about 8.7 exabytes. I *think* it's within weight and balance for the
> > airframe.
> >
> > Cheers,
> > -- jra
> >
>
> Just how much free time do you have? :)
>
> Scott
>
>

A well... here are the numbers (using LTO-5's) you can do the math.

747-8 -- 308647 lb / 8130 km
747-8 -- 600 cubic meters

lto-5 -- 3.0 Tb
lto-5 -- 0.6 lb
lto-5 -- 11.3 x 2.79 x 11.1 cm

and although it's not generally available, the LCF has 4x the load of the 747-4f
http://en.wikipedia.org/wiki/File:747_400LCF_DREAM_LIFTER.jpg

the killer is going to be the 280m/s write off the tapes. :)

--bill

From mark at amplex.net Sat Dec 4 21:40:50 2010
From: mark at amplex.net (Mark Radabaugh)
Date: Sat, 04 Dec 2010 22:40:50 -0500
Subject: Pointer for documentation on actually delivering IPv6
Message-ID: <4CFB09C2.5090905@amplex.net>

Probably a case of something being blindingly obvious but...

I have seen plenty of information on IPv6 from an internal network
standpoint. I have seen very little with respect to how an ISP is
supposed to handle routing to residential consumer networks. I have seen
suggestions of running RIPng. The thought of letting Belkin routers (if
you can call them that) into the routing table scares me no end.

Is this way easier than I think it is? Did somebody already write the
book that I can't find?

--
Mark Radabaugh
Amplex

mark at amplex.net 419.837.5015

From mike-nanog at tiedyenetworks.com Sat Dec 4 21:44:58 2010
From: mike-nanog at tiedyenetworks.com (Mike)
Date: Sat, 04 Dec 2010 19:44:58 -0800
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <4CFB09C2.5090905@amplex.net>
References: <4CFB09C2.5090905@amplex.net>
Message-ID: <4CFB0ABA.2060007@tiedyenetworks.com>

On 12/04/2010 07:40 PM, Mark Radabaugh wrote:
> Probably a case of something being blindingly obvious but...
>
> I have seen plenty of information on IPv6 from an internal network
> standpoint. I have seen very little with respect to how an ISP is
> supposed to handle routing to residential consumer networks. I have seen
> suggestions of running RIPng. The thought of letting Belkin routers (if
> you can call them that) into the routing table scares me no end.
>

Hear, hear! This cheap consumer junk is KILLING the internet, you can't trust any of this garbage for 5 damn seconds, let alone actually configure any moderately advanced setup and expect them to keep operating for any length of time.

> Is this way easier than I think it is? Did somebody already write the
> book that I can't find?

I'd love to see it too. We're a small ISP and just keeping the business going is hard enough without having to learn the entire v6 protocol suite, we need more help otherwise we're likely to just keep putting it off.

Mike

From ben at bjencks.net Sat Dec 4 21:52:18 2010
From: ben at bjencks.net (Ben Jencks)
Date: Sat, 4 Dec 2010 22:52:18 -0500
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <4CFB09C2.5090905@amplex.net>
References: <4CFB09C2.5090905@amplex.net>
Message-ID:

On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh wrote:
> Probably a case of something being blindingly obvious but...
>
> I have seen plenty of information on IPv6 from an internal network
> standpoint. I have seen very little with respect to how an ISP is supposed
> to handle routing to residential consumer networks. I have seen suggestions
> of running RIPng. The thought of letting Belkin routers (if you can call
> them that) into the routing table scares me no end.
>
> Is this way easier than I think it is? Did somebody already write the book
> that I can't find?

DHCPv6-PD (prefix delegation) with the relay installing static routes
is probably the most straightforward way. Letting home CPE participate
in routing does indeed seem like a bad idea; I haven't heard that
seriously suggested before.

-Ben

From mark at amplex.net Sat Dec 4 21:59:01 2010
From: mark at amplex.net (Mark Radabaugh)
Date: Sat, 04 Dec 2010 22:59:01 -0500
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To:
References: <4CFB09C2.5090905@amplex.net>
Message-ID: <4CFB0E05.5090509@amplex.net>

On 12/4/10 10:52 PM, Ben Jencks wrote:
> On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh wrote:
>> Probably a case of something being blindingly obvious but...
>>
>> I have seen plenty of information on IPv6 from an internal network
>> standpoint. I have seen very little with respect to how an ISP is supposed
>> to handle routing to residential consumer networks. I have seen suggestions
>> of running RIPng. The thought of letting Belkin routers (if you can call
>> them that) into the routing table scares me no end.
>>
>> Is this way easier than I think it is? Did somebody already write the book
>> that I can't find?
> DHCPv6-PD (prefix delegation) with the relay installing static routes
> is probably the most straightforward way. Letting home CPE participate
> in routing does indeed seem like a bad idea; I haven't heard that
> seriously suggested before.
>
> -Ben

I had found the documentation on DHCPv6-PD but didn't see the mechanism
for getting the assigned prefixes into the router.

Mark

From Valdis.Kletnieks at vt.edu Sat Dec 4 22:01:01 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 04 Dec 2010 23:01:01 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: Your message of "Sun, 05 Dec 2010 02:53:22 GMT." <1012050253.AA27731@ivan.Harhan.ORG>
References: <1012050253.AA27731@ivan.Harhan.ORG>
Message-ID: <158056.1291521661@localhost>

On Sun, 05 Dec 2010 02:53:22 GMT, Michael Sokolov said:
> Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us were
> to go out and shoot a pig, we would still outnumber them 10 to 1! We
> *CAN* win -- wake up, people!

Yes, but shooting down an RFC1925-compliant porker may require larger caliber munitions than most of us have handy. And you may want to check your insurance coverage for liability when it comes back down if you manage to hit it.

From jmamodio at gmail.com Sat Dec 4 22:05:23 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Sat, 4 Dec 2010 22:05:23 -0600
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <158056.1291521661@localhost>
References: <1012050253.AA27731@ivan.Harhan.ORG> <158056.1291521661@localhost>
Message-ID:

BTW, at this time only the server at NL seems to be responding

-J

From mmc at internode.com.au Sat Dec 4 22:18:47 2010
From: mmc at internode.com.au (Matthew Moyle-Croft)
Date: Sun, 5 Dec 2010 14:48:47 +1030
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <4CFB0E05.5090509@amplex.net>
References: <4CFB09C2.5090905@amplex.net> <4CFB0E05.5090509@amplex.net>
Message-ID: <2A5A9868-FE17-4CBA-982C-4173FEFDA2BF@internode.com.au>

On 05/12/2010, at 2:29 PM, Mark Radabaugh wrote:

> On 12/4/10 10:52 PM, Ben Jencks wrote:
>> On Sat, Dec 4, 2010 at 22:40, Mark Radabaugh wrote:
>>> Probably a case of something being blindingly obvious but...
>>>
>>> I have seen plenty of information on IPv6 from an internal network
>>> standpoint. I have seen very little with respect to how an ISP is supposed
>>> to handle routing to residential consumer networks. I have seen suggestions
>>> of running RIPng. The thought of letting Belkin routers (if you can call
>>> them that) into the routing table scares me no end.
>>>
>>> Is this way easier than I think it is? Did somebody already write the book
>>> that I can't find?
>> DHCPv6-PD (prefix delegation) with the relay installing static routes
>> is probably the most straightforward way. Letting home CPE participate
>> in routing does indeed seem like a bad idea; I haven't heard that
>> seriously suggested before.
>>
>> -Ben
> I had found the documentation on DHCPv6-PD but didn't see the mechanism
> for getting the assigned prefixes into the router.

RADIUS.

When your session comes up you get, in our trial (http://ipv6.internode.on.net) a /64 assigned to your PPP interface. You can choose to send an RA and assign your router an IP in this or not.

Otherwise your router sends a DHCPv6 PD request to our BRAS.
Our BRAS knows who you are and does a RADIUS request. Our RADIUS server sends back either a pool name or a static /60 (for the trial) which then gets routed to your interface. You then assign internally as required.

MMC

From avg at kotovnik.com Sat Dec 4 22:45:16 2010
From: avg at kotovnik.com (Vadim Antonov)
Date: Sat, 04 Dec 2010 20:45:16 -0800
Subject: [NANOG] Re: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <20101205025946.GO18675@frodo.gerdesas.com>
References: <1012050253.AA27731@ivan.Harhan.ORG> <20101205025946.GO18675@frodo.gerdesas.com>
Message-ID: <4CFB18DC.1080005@kotovnik.com>

This nonsense is only non-operational until you suddenly find yourself in a dire need to evade military patrols on a street while you're dragging a bag full of equipment to your "backup" NOC. Been there, done that.

What are your contingency plans for the event of a government order (illegal, of course, but that'd be your least worry) to shut the network down? Putting your head into sand saying "it can't happen here?" Yes, it can.

In the Soviet Union just emptying datacenters and phone exchanges from any personnel other than security guards - with all technical people making themselves unreachable was sufficient to keep the networks running. The goons, apparently, had no clue which switches to turn. (There also was a capacity problem caused by the surge in the traffic; but this isn't likely to be a problem in the modern networks, but arranging local caches for highly demanded videos and "alternative" news sites - all mainstream outlets will be playing the equivalent of Swan Lake - may be necessary in order to keep service running).

--vadim

John R. Dennison wrote:
> On Sun, Dec 05, 2010 at 02:53:22AM +0000, Michael Sokolov wrote:
>
>> Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us were
>> to go out and shoot a pig, we would still outnumber them 10 to 1! We
>> *CAN* win -- wake up, people!
>>
>
> Is there really any need for this nonsense on this list? Can
> all the rhetoric and politics be kept off and return the list
> to technical issues?
>
> There are venues much better suited for those discussions.
>
>
>
>
> John
>

From ken at sizone.org Sat Dec 4 22:56:48 2010
From: ken at sizone.org (Ken Chase)
Date: Sat, 4 Dec 2010 23:56:48 -0500
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To:
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com> <154052.1291514064@localhost>
Message-ID: <20101205045648.GI30565@sizone.org>

On Sat, Dec 04, 2010 at 08:17:30PM -0600, Jorge Amodio said:
>> However, given the political climate and general network cluelessness in the
>> government sector, it probably wouldn't be a bad idea to spend an hour or so
>> thinking what you'd do if the humorless guys in dark suits and sunglasses
>> showed up with a court order to cut off your customer's access to Wikileaks,
>> even if you aren't their upstream.
>
>If you get a court order I guess you have two choices, one is to
>comply with it and the other get used to wear a nice pair of matching
>bracelets until your attorney shows up.

And if they come and ask the same but without a court order is a bit trickier
and more confusing, and this list is a good place to track the frequency of and
response to that kind of request.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From adrian at creative.net.au Sat Dec 4 23:02:39 2010
From: adrian at creative.net.au (Adrian Chadd)
Date: Sun, 5 Dec 2010 13:02:39 +0800
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <20101205045648.GI30565@sizone.org>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com> <154052.1291514064@localhost> <20101205045648.GI30565@sizone.org>
Message-ID: <20101205050238.GA32187@skywalker.creative.net.au>

On Sat, Dec 04, 2010, Ken Chase wrote:
> And if they come and ask the same but without a court order is a bit trickier
> and more confusing, and this list is a good place to track the frequency of and
> response to that kind of request.

Except of course when you're "asked" not to share what has occurred with anyone. I hear that kind of thing happens today.

Adrian

From jra at baylink.com Sat Dec 4 23:06:28 2010
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 5 Dec 2010 00:06:28 -0500 (EST)
Subject: Avoiding problems with National Security Letters and such...
In-Reply-To: <20101205050238.GA32187@skywalker.creative.net.au>
Message-ID: <25995632.600.1291525588303.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Adrian Chadd"
>
> On Sat, Dec 04, 2010, Ken Chase wrote:
> > And if they come and ask the same but without a court order is a bit
> > trickier and more confusing, and this list is a good place to track the
> > frequency of and response to that kind of request.
>
> Except of course when you're "asked" not to share what has occurred
> with anyone. I hear that kind of thing happens today.

It does.
Hence, the Warrant Canary:

http://blog.kozubik.com/john_kozubik/2010/08/the-warrant-canary-in-2010-and-beyond.html

Cheers,
-- jra

From gary.buhrmaster at gmail.com Sat Dec 4 23:08:59 2010
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Sat, 4 Dec 2010 21:08:59 -0800
Subject: Want to move to all 208V for server racks
In-Reply-To:
References: <4CF9BD44.6090803@jima.tk> <10206355.410.1291440826150.JavaMail.root@benjamin.baylink.com>
Message-ID:

> 48V (and some more when batteries are full) are slightly below the limit of
> non-harmful voltage.

I suspect you have never seen the pictures of a wrench that "exploded"/"splattered" all over someone's body. 50V may not (usually, but your mileage will vary) be able to produce enough current in a body to kill via fibrillation, but as usually deployed it has enough joules to kill in other ways.

50V is the number in the regs below which certain controls are not required. In some jurisdictions, it also allows those that are not "electricians" to perform work.

Anyone regularly working around that many joules, no matter the voltage, has either been properly trained in a safety regimen, or is extremely lucky. It is no different than people who work around high pressure compressed air/steam. There is a lot of stored energy there, and you need to treat it with respect (same with heavy weights suspended above your head, or lots of other examples).

Gary

From fergdawgster at gmail.com Sat Dec 4 23:09:43 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Sat, 4 Dec 2010 21:09:43 -0800
Subject: U.S. officials deny technical takedown of WikiLeaks
In-Reply-To: <20101205050238.GA32187@skywalker.creative.net.au>
References: <807332.56924.qm@web59605.mail.ac4.yahoo.com> <4CFADBCE.5060807@spectraaccess.com> <154052.1291514064@localhost> <20101205045648.GI30565@sizone.org> <20101205050238.GA32187@skywalker.creative.net.au>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Dec 4, 2010 at 9:02 PM, Adrian Chadd wrote:

> On Sat, Dec 04, 2010, Ken Chase wrote:
>
>> And if they come and ask the same but without a court order is a bit
>> trickier and more confusing, and this list is a good place to track the
>> frequency of and response to that kind of request.
>
> Except of course when you're "asked" not to share what has occurred with
> anyone. I hear that kind of thing happens today.
>

No -- in the U.S., if you even reveal that you have been served with a National Security Letter [1], you are in violation of the FISA [2] court under the Patriot Act.

"Ask" is not the word I would use.

Fun stuff, eh?

- - ferg

[1] https://secure.wikimedia.org/wikipedia/en/wiki/National_Security_Letter
[2] https://secure.wikimedia.org/wikipedia/en/wiki/Foreign_Intelligence_Surveillance_Act

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFM+x6Tq1pz9mNUZTMRArexAJ0QKJZQFSe/ujsUrCqh8nIcBs4rjQCfdJ9U
wjHFgjDtIQdJ6exnFkOAyzQ=
=Ej/J
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org Sat Dec 4 23:39:53 2010
From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith)
Date: Sun, 5 Dec 2010 16:09:53 +1030
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <4CFB09C2.5090905@amplex.net>
References: <4CFB09C2.5090905@amplex.net>
Message-ID: <20101205160953.2297afd4@opy.nosense.org>

On Sat, 04 Dec 2010 22:40:50 -0500
Mark Radabaugh wrote:

> Probably a case of something being blindingly obvious but...
>
> I have seen plenty of information on IPv6 from an internal network
> standpoint. I have seen very little with respect to how an ISP is
> supposed to handle routing to residential consumer networks. I have seen
> suggestions of running RIPng. The thought of letting Belkin routers (if
> you can call them that) into the routing table scares me no end.
>
> Is this way easier than I think it is? Did somebody already write the
> book that I can't find?
>

"Deploying IPv6"

> --
> Mark Radabaugh
> Amplex
>
> mark at amplex.net 419.837.5015
>
>

From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org Sat Dec 4 23:40:45 2010
From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith)
Date: Sun, 5 Dec 2010 16:10:45 +1030
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <4CFB09C2.5090905@amplex.net>
References: <4CFB09C2.5090905@amplex.net>
Message-ID: <20101205161045.6708938d@opy.nosense.org>

On Sat, 04 Dec 2010 22:40:50 -0500
Mark Radabaugh wrote:

> Probably a case of something being blindingly obvious but...
>
> I have seen plenty of information on IPv6 from an internal network
> standpoint. I have seen very little with respect to how an ISP is
> supposed to handle routing to residential consumer networks. I have seen
> suggestions of running RIPng.
The thought of letting Belkin routers (if > you can call them that) into the routing table scares me no end. > > Is this way easier than I think it is? Did somebody already write the > book that I can't find? > Make that "Deploying IPv6 Networks" http://www.ciscopress.com/bookstore/product.asp?isbn=1587052105 > -- > Mark Radabaugh > Amplex > > mark at amplex.net 419.837.5015 > > From patrick at ianai.net Sun Dec 5 00:19:56 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Sun, 5 Dec 2010 01:19:56 -0500 Subject: Wikileaks takedown in US In-Reply-To: References: <20101205031717.GA91852@metron.com> <5164EB72-7441-420A-8AEB-79C18BF9F1AF@puck.nether.net> Message-ID: On Dec 4, 2010, at 10:32 PM, Randy Bush wrote: >> Nothing to see here > > except the chill of repression. thanks for helping the silence. While I can see your PoV, and even agree with it (especially the ridiculously egregious abuses you list below), Jared posted to an _operational_ list. Operationally, there is nothing to see here. Operationally, a network may do as it pleases with its own resources, including selling them - or not - to a customer. However screwed up the situation is, however much you may agree with the political statements being made, there is no operational significance here. So could we please bring "operational" back into NANOG? -- TTFN, patrick P.S. Yeah, yeah, I know ... Fat Chance! > catch where state dept agent told columbia and georgetown to tell > students not to talk about wikileaks if they ever wanted usg jobs? > > randy, ex-amazon user, ex-paypal user > From nathan at atlasnetworks.us Sun Dec 5 03:51:27 2010 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Sun, 5 Dec 2010 09:51:27 +0000 Subject: U.S. 
officials deny technical takedown of WikiLeaks In-Reply-To: <1012050253.AA27731@ivan.Harhan.ORG> References: <1012050253.AA27731@ivan.Harhan.ORG> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B28F81A@ex-mb-1.corp.atlasnetworks.us> > Factoid: we outnumber the pigs by 1000 to 1. Even if only 1% of us > were > to go out and shoot a pig, we would still outnumber them 10 to 1! We > *CAN* win -- wake up, people! Dude. As someone who was personally connected to this (http://www.komonews.com/news/local/78088192.html), and this, http://www.komonews.com/news/local/68320537.html I feel pretty justified in telling you to keep this 'shoot a pig' crap off the list. Unbelievable. From randy at psg.com Sun Dec 5 04:20:07 2010 From: randy at psg.com (Randy Bush) Date: Sun, 05 Dec 2010 19:20:07 +0900 Subject: list archive Message-ID: how do i find archives of this list from the '90s and early '00s? randy From tvhawaii at shaka.com Sun Dec 5 04:42:49 2010 From: tvhawaii at shaka.com (Michael Painter) Date: Sun, 5 Dec 2010 00:42:49 -1000 Subject: list archive References: Message-ID: <245A1A97AEEF43D28EADD8C615228D47@DELL16> Randy Bush wrote: > how do i find archives of this list from the '90s and early '00s? > > randy Partial list here: http://www.merit.edu/mail.archives/nanog/historical.html From nanog at deman.com Sun Dec 5 06:20:00 2010 From: nanog at deman.com (Michael DeMan) Date: Sun, 5 Dec 2010 04:20:00 -0800 Subject: Warrant Canaries In-Reply-To: <25995632.600.1291525588303.JavaMail.root@benjamin.baylink.com> References: <25995632.600.1291525588303.JavaMail.root@benjamin.baylink.com> Message-ID: On Dec 4, 2010, at 9:06 PM, Jay Ashworth wrote: > ---- Original Message ----- >> From: "Adrian Chadd" >> >> On Sat, Dec 04, 2010, Ken Chase wrote: >>> And if they come and ask the same but without a court order is a bit >>> trickier and more confusing, and this list is a good place to track the >>> frequency of and responce to that kind of request. 
>> >> Except of course when you're "asked" not to share what has occurred >> with anyone. I hear that kind of thing happens today. > > It does. Hence, the Warrant Canary: > > http://blog.kozubik.com/john_kozubik/2010/08/the-warrant-canary-in-2010-and-beyond.html > > Cheers, > -- jra > Actually, my intuition is that warrant canaries are not a workable solution either. I would presume that a violation of a 'secret' court order or national security letter where you are expressly ordered not to divulge the fact that you have received it could be violated either by any 'action' or 'inaction'. So the 'inaction' of not updating the warrant canary would be a violation. The interesting thing of course is that to avoid the 'inaction', and your regular process is to say update the warrant canary daily, you would be placed in the position where the government was asking you to lie to the public at large? I have wondered about this for quite a while - has anybody on the list ever talked with an attorney with specific expertise in this area of law about this? I am not expecting formal legal advice by any means, just curious if anybody has done any research on this topic and could share what they discovered. - Mike P.S. - Intent here is not to drag out the wikileaks thread, but rather start a new thread on the more general topic of legal/policies and warrant canaries, which although not a purely technical discussion seems more on-topic for the nanog list. My apologies in advance if it is OT. From mark at noc.mainstreet.net Sun Dec 5 09:44:48 2010 From: mark at noc.mainstreet.net (Mark Kent) Date: Sun, 5 Dec 2010 07:44:48 -0800 (PST) Subject: list archive Message-ID: <201012051544.oB5FimSA081252@mainstreet.net> Randy Bush wrote: > how do i find archives of this list from the '90s and early '00s?
> > randy Nicely organized here: http://seclists.org/nanog/ -mark From ge at linuxbox.org Sun Dec 5 09:50:32 2010 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 05 Dec 2010 17:50:32 +0200 Subject: (wikileaks) Fwd: [funsec] And Google becomes a DNS.. Message-ID: <4CFBB4C8.6090101@linuxbox.org> I withhold comment... "discuss amongst yourselves". Best, Gadi. -------- Original Message -------- Subject: [funsec] And Google becomes a DNS.. Date: Sun, 5 Dec 2010 17:34:50 +0200 From: Imri Goldberg To: funsec Found on reddit: http://i.imgur.com/Q5SVu.png -- Imri Goldberg -------------------------------------- http://plnnr.com/ - automatic trip planning http://www.algorithm.co.il/blogs/ -------------------------------------- -- insert signature here ---- From ge at linuxbox.org Sun Dec 5 10:06:12 2010 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 05 Dec 2010 18:06:12 +0200 Subject: (wikileaks) Fwd: [funsec] And Google becomes a DNS.. In-Reply-To: <4CFBB4C8.6090101@linuxbox.org> References: <4CFBB4C8.6090101@linuxbox.org> Message-ID: <4CFBB874.1030305@linuxbox.org> On 12/5/10 5:50 PM, Gadi Evron wrote: > I withhold comment... "discuss amongst yourselves". >> Found on reddit: >> http:/ Not sure why the URL didn't go through... http://i.imgur.com/Q5SVu.png Enjoy. Gadi. From msokolov at ivan.Harhan.ORG Sun Dec 5 13:32:25 2010 From: msokolov at ivan.Harhan.ORG (Michael Sokolov) Date: Sun, 5 Dec 2010 19:32:25 GMT Subject: U.S. officials deny technical takedown of WikiLeaks Message-ID: <1012051932.AA29195@ivan.Harhan.ORG> Nathan Eisenberg wrote: > As someone who was personally connected to this (http://www.komonews.com/news/local/78088192.html), and this, http://www.komonews.com/news/local/68320537.html I feel pretty justified in telling you to keep this 'shoot a pig' crap off the list.
To all uniformed dudes reading this: if you don't want the people you serve to feel like shooting you, perhaps you should consider going on strike, immediately stopping enforcing any and all man-made laws that go against the natural law of Universe, against common sense and against basic humanity; immediately stopping following any and all orders telling you to do things that are morally wrong, and finally, switching over to our side, helping defend America and the American People against USA. In the timeless words of The Internationale: No more deluded by reaction, On tyrants only we'll make war; The soldiers too will take strike action, They'll break ranks and fight no more! And if those cannibals keep trying To sacrifice us to their pride, They soon will hear the bullets flying: We'll shoot the generals on our own side! MS Hold the Heathen Hammer High! With a battle cry! For the pagan past I live and one day will die. From shrdlu at deaddrop.org Sun Dec 5 13:38:49 2010 From: shrdlu at deaddrop.org (Lynda) Date: Sun, 05 Dec 2010 11:38:49 -0800 Subject: U.S. officials deny technical takedown of WikiLeaks In-Reply-To: <1012051932.AA29195@ivan.Harhan.ORG> References: <1012051932.AA29195@ivan.Harhan.ORG> Message-ID: <4CFBEA49.7040400@deaddrop.org> On 12/5/2010 11:32 AM, Michael Sokolov wrote: Pretty much, I no longer care what you wrote. Go away. Seriously. Just GO AWAY. Alt.politics is -->> thataway. *plonk* -- Die gedanken sind frei. From mysidia at gmail.com Sun Dec 5 13:57:58 2010 From: mysidia at gmail.com (James Hess) Date: Sun, 5 Dec 2010 13:57:58 -0600 Subject: U.S. officials deny technical takedown of WikiLeaks In-Reply-To: <158056.1291521661@localhost> References: <1012050253.AA27731@ivan.Harhan.ORG> <158056.1291521661@localhost> Message-ID: > On Sun, 05 Dec 2010 02:53:22 GMT, Michael Sokolov said: >> Factoid: we outnumber the pigs by 1000 to 1. ?Even if only 1% of us were >> to go out and shoot a pig, we would still outnumber them 10 to 1! 
We >> *CAN* win -- wake up, people! > Yes, but shooting down an RFC1925-compliant porker may require larger caliber If you mean shooting people in order to protest a law, that proposition is obscene, and attempting to dehumanize flesh and blood, while hiding the nature of the act through name-calling does not make the act more civilized, sane, or less deserving of rebuke. If "pig" is defined as person(s) conducting network abuse, violating the AUP of services they use in manners, such as sending spam, transmitting illegally obtained documents, or posting large numbers of off-topic political rants to a technical discussion listserv contrary to its AUP. And by "shoot" you mean turning off their network service, being used in the abusive manner contrary to the terms agreed or as required by the law. Then this is done every day, and I would applaud those such as Amazon who have done a service to the network community by doing so. -- -JH From lists at billfehring.com Sun Dec 5 14:24:39 2010 From: lists at billfehring.com (Bill Fehring) Date: Sun, 5 Dec 2010 12:24:39 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> Message-ID: On Sat, Dec 4, 2010 at 19:52, Ben Jencks wrote: > DHCPv6-PD (prefix delegation) with the relay installing static routes > is probably the most straightforward way. Apparently that has its own problems right now actually: http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html > Letting home CPE participate > in routing does indeed seem like bad idea; I haven't heard that > seriously suggested before. I guess "Comcast Business Class" cable service isn't necessarily considered home service, but I wouldn't call it a dedicated bandwidth contract either.
The CPE that they use (SMCD3G or similar) actually does this for v4, that is if you purchase a "Static IP Block" from them, they actually use RIPv2 to send your prefix (usually a /27 or longer) to the headend. Obviously authentication is used and the CPE firmware prevents the end user from tampering with any part of the RIP configuration, but the point is that RIP actually is used at a large scale for this purpose. -Bill From mikevs at xs4all.net Sun Dec 5 15:11:25 2010 From: mikevs at xs4all.net (Miquel van Smoorenburg) Date: Sun, 5 Dec 2010 22:11:25 +0100 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> Message-ID: <201012052111.oB5LBPY7016991@xs8.xs4all.nl> In article you write: >On Sat, Dec 4, 2010 at 19:52, Ben Jencks wrote: >> DHCPv6-PD (prefix delegation) with the relay installing static routes >> is probably the most straightforward way. > >Apparently that has its own problems right now actually: >http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html Well, the problem described there is exactly the same problem that already exists with plain IPv4 DHCP (a pity that FORCERENEW (rfc3203) or something like it never took off). If you use PPPoA/PPPoE/PPPoX with DHCPv6 PD, the problem described there doesn't exist if your CPE is at least halfway intelligent .. it should of course do a new lease request (at least a renewal) after a PPP reconnect. Mike. From mysidia at gmail.com Sun Dec 5 15:32:18 2010 From: mysidia at gmail.com (James Hess) Date: Sun, 5 Dec 2010 15:32:18 -0600 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <4CFB09C2.5090905@amplex.net> References: <4CFB09C2.5090905@amplex.net> Message-ID: On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh wrote: > of running RIPng. The thought of letting Belkin routers (if you can call > them that) into the routing table scares me no end. I think that indeed looks scary.
I wouldn't be too concerned about the Belkin routers. How many SP routers are really designed to deal with mass numbers of RIP adjacencies? RIPng sounds like a plan to deploy 2 or 3 IPv6 end networks, not really better than static manual configuration, and with significant disadvantages. So I would suggest static manual configuration of the port on routers facing the CPE, no RIPng. If there are routes to be exchanged with a downstream user, use a proper EGP as one would the IPv4. Use a CPE of a type that scripts can be written to configure, for large scale deployments. If there is an inexpensive CPE with an implementation of DHCPv6 PD that works without issues, I would love to hear about who makes it, and what the device is... > Is this way easier than I think it is? Did somebody already write the book > that I can't find? -- -JH From naitluzar at gmail.com Sun Dec 5 15:43:59 2010 From: naitluzar at gmail.com (Vasile Borcan) Date: Sun, 5 Dec 2010 23:43:59 +0200 Subject: Network management software with high detailed traffic report In-Reply-To: References: Message-ID: On Mon, Nov 22, 2010 at 11:35 AM, Sergey Voropaev wrote: > Does anyone know the NMS (network management software) which can do the > following: > > 1. Monitor on Cisco Routers/Switches interface utilization every 5-10 > seconds and send e-mail alarm when utilization low or high of predefined > thresholds. > 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10- > seconds. > > The main idea is to have detailed monitoring of the external links and to be > able to know why (by what traffic type) and when link was highly utilized. > > Existing flow-collector can store netflow reports only with 1 minute > granularity but we need 5-10 second. > > As about e-mail alarms - now I do it by embedded event manager on the > router. But I think it would be better to use external SNMP software for > that. > As about detailed to 5-10 second netflow statistics there are 2 ways.
> 1st - Use port mirror and use some software which can analyze captured > traffic and make good reports. Do you know such software? > 2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10 > seconds and catch netflow counters. Do you know such software? > > thanks in advance for your help. > Take a look at WANGuard Flow. It builds traffic graphs with a configured granularity of 5 seconds and emails alarms when traffic thresholds are reached. It only needs Netflow. From newton at internode.com.au Sun Dec 5 15:58:20 2010 From: newton at internode.com.au (Mark Newton) Date: Mon, 6 Dec 2010 08:28:20 +1030 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> Message-ID: On 06/12/2010, at 6:54 AM, Bill Fehring wrote: > Apparently that has its own problems right now actually: > http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html In our deployment mode, the CEs are running PPP sessions to the BRAS, so they know when it reboots and can respond accordingly. Layer 3 access networks could conceivably have an issue here, though. It's almost as if everyone ought to have been working on this a decade ago so that we'd have a workable solution by now! :-) - mark -- Mark Newton Email: newton at internode.com.au (W) Network Engineer Email: newton at atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223 From johnl at iecc.com Sun Dec 5 16:13:59 2010 From: johnl at iecc.com (John Levine) Date: 5 Dec 2010 22:13:59 -0000 Subject: How do you do rDNS for IPv6 ? Message-ID: <20101205221359.90053.qmail@joyce.lan> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS is supposed to work. It's clear enough how you look up any particular address, but it's not at all clear to me what you put into an rDNS zone and how you put it there.
In IPv4 land, it is standard to assign matching forward and reverse DNS for every live IP, and a fair number of services treat requests from hosts without rDNS with added scepticism. For consumer networks, it's often something like 12-34-56-78.adsl.incompetent.net, with the numbers being the IP address forward or backwards. So if every customer gets a /64, what do you do? You can use a wildcard to give the same rDNS to all 2^64 addresses, but you can't do matching forward DNS, since a DNS response with 2^64 AAAA records would be, ah, a little unwieldy. When hosts self-configure their low 64 bits, do you install a suitable PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it install the DNS? Do you do something else? Signed, Confused From patrick at ianai.net Sun Dec 5 16:15:00 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Sun, 5 Dec 2010 17:15:00 -0500 Subject: Ratios & peering [was: The scale of streaming video on the Internet.] In-Reply-To: References: <20101202202151.GA65475@ussenterprise.ufp.org> <20101203161823.GB77297@ussenterprise.ufp.org> <20101203173502.GA82989@ussenterprise.ufp.org> Message-ID: <0CDD15B6-D00A-4519-89D7-70532E0F9056@ianai.net> On Dec 4, 2010, at 5:28 PM, Bill Stewart wrote: > On Fri, Dec 3, 2010 at 9:35 AM, Leo Bicknell wrote: >> - Ratio needs to be dropped from all peering policies. It made sense >> back when the traffic was two people e-mailing each other. It was >> a measure of "equal value". However the net has evolved. In the >> face of streaming audio and video, or rich multimedia web sites >> Content->User will always be wildly out of ratio. It has moved from >> a useful measure, to an excuse to make Content pay in all >> circumstances. 
> > I think that's the key point here - ratios make sense when similar > types of carriers are peering with each other, whether that's > traditional Tier 1s or small carriers or whatever; they don't make > sense when an eyeball network is connecting to a content-provider > network. Ratios either make sense, or they don't. I don't see how "type of network" fits into it. If you are a restaurant, you do not decide whether or not to charge customers for food based on whether or not they work at another restaurant. If you are eyeball and content wants to peer with you, make a decision based on your costs and profits. Ratios are a proxy for real cost / benefit. As Leo mentioned (and Bill snipped), if $LARGE_CONTENT has a single location and $LARGE_EYEBALL has to carry it all over the country, the ratio "matters" supposedly because large eyeball has to carry those bits everywhere. The implicit statement here is that large content gives a rat's ass about large eyeball's costs. Repeat after me: I DO NOT CARE ABOUT YOUR COSTS. What's more, you don't care about mine. If cisco says "well, I know the Juniper has the same features and is cheaper, but my costs are higher!", do you then buy the cisco? HELL NO. The other person's costs are irrelevant to your decision. If large eyeball finds it cheaper to pay $LARGE_TRANSIT for those bits, perhaps because eyeball can make transit carry the bits to a local hub, then eyeball should not peer. If eyeball would actually pay more to transit than carrying the bits from content's single location, yet still does not peer, then eyeball's peering manager should be fired. You cost my company money to boost your ego, you're out on your ass. Of course, I am glossing over the idea that eyeball could pay transit a short while to see if he can get a concession out of content. Maybe eyeball assumes content has transit costs as well, so eyeball thinks he can force content to pay something.
This is probably where the idea of "similar value" popped into the peering lexicon. But that is standard business negotiations, and honestly has nothing to do with similar value. In reality, content & eyeball have no idea of the other's true costs (probably not even the $/Mbps they pay for transit), so the idea of coming to a "similar value" agreement is ludicrous. Make the decisions that are best for your company. Not best for your ego. Remember people, the Internet is a business. Peering is a business tool, not some playground where teacher is enforcing some notion of fairness. -- TTFN, patrick P.S. I'm ignoring the idea of "if we give it away free to one, everyone will want it free". Trust me, they all want it "free" anyway. And saying "you gave it to him for free!" sounds more like that schoolyard than a business negotiation. Besides, if you come to me and say "this other network got $FOO", I will tell you I couldn't possibly talk about that under NDA, their deal is irrelevant to our deal, and each deal is far too unique to be compared. Then bitch at the other network for breaking our NDA. Breaking NDAs is bad, mmmmm-KAY? From mikevs at xs4all.net Sun Dec 5 16:19:33 2010 From: mikevs at xs4all.net (Miquel van Smoorenburg) Date: Sun, 5 Dec 2010 23:19:33 +0100 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> Message-ID: <201012052219.oB5MJXHr018691@xs8.xs4all.nl> In article you write: >If there is an inexpensive CPE with an implementation of DHCPv6 PD >that works without issues, >I would love to hear about who makes it, and what the device is... AVM Fritzbox 7270/7340/7390 Draytek Vigor 2130/2750 Those are the ones I tested, there are lots more, but according to http://www.getipv6.info/index.php/Broadband_CPE: "To date, there is not one complete implementation of IPv6 on a residential consumer-grade xDSL modem available in North America." 
Mike (using native IPv6 over PPPoA + DHCPv6 PD over ADSL). From felipe at starbyte.net Sun Dec 5 16:25:03 2010 From: felipe at starbyte.net (Felipe Zanchet Grazziotin) Date: Sun, 5 Dec 2010 20:25:03 -0200 Subject: How do you do rDNS for IPv6 ? In-Reply-To: <20101205221359.90053.qmail@joyce.lan> References: <20101205221359.90053.qmail@joyce.lan> Message-ID: Hi John, On Sun, Dec 5, 2010 at 8:13 PM, John Levine wrote: > I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS > is supposed to work. It's clear enough how you look up any particular > address, but it's not at all clear to me what you put into an rDNS > zone and how you put it there. > We've already discussed this in April, and answers came to a line of "use dynamic updates" to "not necessary". Problems lay around table sizes, unnecessary PTR records created, and large end-user blocks. There are other useful tips too, including ideas for PowerDNS and Bind. Thread starts here: http://www.mail-archive.com/nanog at nanog.org/msg22908.html > > > Signed, > Confused > > Kindly, Felipe From owen at delong.com Sun Dec 5 16:38:32 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 5 Dec 2010 14:38:32 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> Message-ID: On Dec 5, 2010, at 1:32 PM, James Hess wrote: > On Sat, Dec 4, 2010 at 9:40 PM, Mark Radabaugh wrote: >> of running RIPng. The thought of letting Belkin routers (if you can call >> them that) into the routing table scares me no end. > > I think that indeed looks scary. I wouldn't be too concerned about the > Belkin routers. > How many SP routers are really designed to deal with mass numbers of > RIP adjacencies? > RIP doesn't have adjacencies, per se. It's basically a stateless broadcast based protocol. As such, the number of routers really has no major impact other than the traffic level generated by all those broadcasts. 
Owen From mysidia at gmail.com Sun Dec 5 16:45:59 2010 From: mysidia at gmail.com (James Hess) Date: Sun, 5 Dec 2010 16:45:59 -0600 Subject: Network management software with high detailed traffic report In-Reply-To: References: <20101122.104658.41721102.sthaug@nethelp.no> <4CEA491D.1040101@foobar.org> Message-ID: On Mon, Nov 22, 2010 at 8:02 AM, Brandon Ross wrote: > On Mon, 22 Nov 2010, Nick Hilliard wrote: > least once a second. Perhaps you are thinking about the rate counters that > are often _configured_ to use the last 30 seconds of data to compute the > average but also update much more often than every 30 seconds (and default > to a 5 minute average). Show interface rate counters, are not even truly average computed using the last 30 seconds of data. It is indicated as an exponential time-weighted (moving), where data is gathered every 5 seconds. Meaning every update time, a new value is calculated, by using three datapoints, the previous value of the average, and a calculation based on the change over the past 5 seconds (Current - Previous value). Avg(N) = exp(1/W) * (CurrentOctets - PreviousOctets) + (1 - exp(1/W) * Avg(N-1)) Where 'W' is computed based on the "time interval" averaged over Routers or sniffers can aggregate that data, but a NMS that gathered every 5s using SNMP would not scale very well, and TELNET/CLI would not work for that either; for that, you would need to use a different protocol, probably would need to be a new one designed for 5 second accurate timestamped readings. SNMP ifMib readings are not accurately timestamped, and you would encounter measurement errors. Asking a device about one particular statistic about one interface every 5 seconds isn't much trouble. If you have a router with 100 interfaces, and your NMS needs to query each interface every 5 seconds, you have 100 / 5 = 20 interfaces to query per second.
Imagine how many packets you have to send if you have 100 devices with 5 interfaces, and you want to track 4 statistics for every interface 12 times per minute. 2000 queries every 5 seconds. You need some serious hardware to handle that on your routers and your NMS, which has 400 values to save per second, assuming your NMS perfectly distributes query load, and responses are never delayed (not likely). -- -JH From owen at delong.com Sun Dec 5 16:54:43 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 5 Dec 2010 14:54:43 -0800 Subject: How do you do rDNS for IPv6 ? In-Reply-To: <20101205221359.90053.qmail@joyce.lan> References: <20101205221359.90053.qmail@joyce.lan> Message-ID: On Dec 5, 2010, at 2:13 PM, John Levine wrote: > I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS > is supposed to work. It's clear enough how you look up any particular > address, but it's not at all clear to me what you put into an rDNS > zone and how you put it there. > Pretty much the same thing you put into an IPv4 zone... PTR records. For example: owen.delong.com. IN AAAA 2620:0:930::200:2 2.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. IN PTR owen.delong.com. > In IPv4 land, it is standard to assign matching forward and reverse > DNS for every live IP, and a fair number of services treat requests > from hosts without rDNS with added scepticism. For consumer networks, > it's often something like 12-34-56-78.adsl.incompetent.net, with the > numbers being the IP address forward or backwards. > Ah, so you're not talking about assigning to live hosts, you're talking about the unfortunate habit of assigning to every possible host. Yeah, that trick doesn't work in IPv6. > So if every customer gets a /64, what do you do? You can use a > wildcard to give the same rDNS to all 2^64 addresses, but you can't do > matching forward DNS, since a DNS response with 2^64 AAAA records > would be, ah, a little unwieldy.
> First, customers should be getting more than a /64. A /64 should be a single subnet and customers should, ideally, be getting a /48 for each end site. In general, for the most part, the services that treat missing rDNS with additional skepticism also treat rDNS entries like 12-34-56-78.adsl.incompetent.net with that same or greater skepticism, so, I wouldn't worry too much about it. For hosts where it does matter, you've got to create an AAAA record somehow (just like you needed to create an A record somehow), so, you should be able to use that same process to generate the AAAA and PTR records. > When hosts self-configure their low 64 bits, do you install a suitable > PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it > install the DNS? Do you do something else? > If you care, you probably need to use DHCPv6 for this and it should be able to build both the AAAA and PTR records. Owen From ggm at apnic.net Sun Dec 5 16:56:15 2010 From: ggm at apnic.net (George Michaelson) Date: Mon, 6 Dec 2010 08:56:15 +1000 Subject: How do you do rDNS for IPv6 ? In-Reply-To: References: <20101205221359.90053.qmail@joyce.lan> Message-ID: On 06/12/2010, at 8:25 AM, Felipe Zanchet Grazziotin wrote: > Hi John, > > On Sun, Dec 5, 2010 at 8:13 PM, John Levine wrote: > >> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS >> is supposed to work. It's clear enough how you look up any particular >> address, but it's not at all clear to me what you put into an rDNS >> zone and how you put it there. >> There was a session at RIPE61 Rome on this very topic. the summary is: wildcard, more specific for all RR when you break out. 
http://ripe61.ripe.net/archives/#Thursday http://ripe61.ripe.net/programme/meeting-plan/dns-agenda/ -George From randy at psg.com Sun Dec 5 16:56:30 2010 From: randy at psg.com (Randy Bush) Date: Mon, 06 Dec 2010 07:56:30 +0900 Subject: list archive In-Reply-To: <245A1A97AEEF43D28EADD8C615228D47@DELL16> References: <245A1A97AEEF43D28EADD8C615228D47@DELL16> Message-ID: >> how do i find archives of this list from the '90s and early '00s? > http://www.merit.edu/mail.archives/nanog/historical.html how did you find that? the link labeled "Historical NANOG List Archive" on the page http://nanog.org/mailinglist/mailarchives/ got me to this month's archive. randy From lyndon at orthanc.ca Sun Dec 5 16:59:05 2010 From: lyndon at orthanc.ca (Lyndon Nerenberg (VE6BBM/VE7TFX)) Date: Sun, 5 Dec 2010 14:59:05 -0800 Subject: The scale of streaming video on the Internet. In-Reply-To: <4CFAFC2F.9010009@emanon.com> Message-ID: <9dce1997f609e5543b3c5663fa52c7db@gandalf.orthanc.ca> > Just how much free time do you have? :) 1 minute to google the capacity of a 747-400F. 1 minute to google the dimensions and weight of an lto-4 cartridge. 1 minute to punch the numbers into bc(1). --lyndon From mch-nanog at xs4all.nl Sun Dec 5 17:25:31 2010 From: mch-nanog at xs4all.nl (MarcoH - lists) Date: Mon, 6 Dec 2010 00:25:31 +0100 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <201012052219.oB5MJXHr018691@xs8.xs4all.nl> References: <4CFB09C2.5090905@amplex.net> <201012052219.oB5MJXHr018691@xs8.xs4all.nl> Message-ID: <20A08E3E-7A42-46E8-88C5-B9C69D97DF89@xs4all.nl> On 5 dec 2010, at 23:19, Miquel van Smoorenburg wrote: > In article you write: >> If there is an inexpensive CPE with an implementation of DHCPv6 PD >> that works without issues, >> I would love to hear about who makes it, and what the device is... 
> > AVM Fritzbox 7270/7340/7390 > Draytek Vigor 2130/2750 > > Those are the ones I tested, there are lots more, but according to > http://www.getipv6.info/index.php/Broadband_CPE: > "To date, there is not one complete implementation of IPv6 on a > residential consumer-grade xDSL modem available in North America." Another list of pointers can be found at http://labs.ripe.net/Members/mirjam/ipv6-cpe-surveys/. Feedback on how these boxes do in a real environment is welcome as there is still a lot of beta, unfinished implementations, bugs and vapourware around these days. Marco From gbonser at seven.com Sun Dec 5 17:59:33 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 5 Dec 2010 15:59:33 -0800 Subject: list archive In-Reply-To: References: <245A1A97AEEF43D28EADD8C615228D47@DELL16> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CD34@RWC-EX1.corp.seven.com> > -----Original Message----- > From: Randy Bush [mailto:randy at psg.com] > Sent: Sunday, December 05, 2010 2:57 PM > To: Michael Painter > Cc: North American Network Operators Group > Subject: Re: list archive > > >> how do i find archives of this list from the '90s and early '00s? > > http://www.merit.edu/mail.archives/nanog/historical.html > > how did you find that? the link labeled "Historical NANOG List > Archive" > on the page http://nanog.org/mailinglist/mailarchives/ got me to this > month's archive. > > randy This one goes back to April 1994: http://www.irbs.net/internet/nanog/ I can't seem to locate anything earlier. Found with a Google search. From mc3401 at columbia.edu Sun Dec 5 18:19:11 2010 From: mc3401 at columbia.edu (Michael Costello) Date: Sun, 5 Dec 2010 19:19:11 -0500 Subject: list archive In-Reply-To: References: <245A1A97AEEF43D28EADD8C615228D47@DELL16> Message-ID: <20101205191911.22fe7c01@mead.decaying.org> On Mon, 06 Dec 2010 07:56:30 +0900 Randy Bush wrote: > >> how do i find archives of this list from the '90s and early '00s?
> > http://www.merit.edu/mail.archives/nanog/historical.html > > how did you find that? the link labeled "Historical NANOG List > Archive" on the page http://nanog.org/mailinglist/mailarchives/ got > me to this month's archive. After following the "Historical NANOG List Archive" link, there is a box on the right-hand side of the page labeled "Archive Views"; click "Historical". From glen.kent at gmail.com Sun Dec 5 18:53:31 2010 From: glen.kent at gmail.com (Glen Kent) Date: Mon, 6 Dec 2010 06:23:31 +0530 Subject: Impact of Attacks and Outages Message-ID: Hi, Is there any paper/link that discusses the financial repercussions when an ISP's network goes down because of an attack/outage? What I am looking at is something that I can explain to a lay person, about why the networks need to remain secure so that they can't be hacked into, as once it comes down, not only does it impact the ISP but also the enterprises inside that service provider's domain. I tried googling but couldn't really come up with something. Any help in this regard would be really appreciated. Glen From randy at psg.com Sun Dec 5 19:12:11 2010 From: randy at psg.com (Randy Bush) Date: Mon, 06 Dec 2010 10:12:11 +0900 Subject: list archive In-Reply-To: <20101205191911.22fe7c01@mead.decaying.org> References: <245A1A97AEEF43D28EADD8C615228D47@DELL16> <20101205191911.22fe7c01@mead.decaying.org> Message-ID: >>> http://www.merit.edu/mail.archives/nanog/historical.html >> how did you find that? the link labeled "Historical NANOG List >> Archive" on the page http://nanog.org/mailinglist/mailarchives/ got >> me to this month's archive. > After following the "Historical NANOG List Archive" link, there is > a box on the right-hand side of the page labeled "Archive Views"; click > "Historical". thanks. randy From franck at genius.com Sun Dec 5 19:28:39 2010 From: franck at genius.com (Franck Martin) Date: Sun, 5 Dec 2010 17:28:39 -0800 (PST) Subject: How do you do rDNS for IPv6 ?
In-Reply-To: Message-ID: <29247251.37.1291598916527.JavaMail.franck@franck-martins-macbook-pro.local> ----- Original Message ----- > From: "Owen DeLong" > To: "John Levine" > Cc: nanog at nanog.org > Sent: Sunday, 5 December, 2010 2:54:43 PM > Subject: Re: How do you do rDNS for IPv6 ? > On Dec 5, 2010, at 2:13 PM, John Levine wrote: > > > When hosts self-configure their low 64 bits, do you install a > > suitable > > PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have > > it > > install the DNS? Do you do something else? > > > If you care, you probably need to use DHCPv6 for this and it should be > able > to build both the AAAA and PTR records. > Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the IP address is built based on your network and the MAC address of the interface, so it is not a random number changed at every connection.... I guess when you provision the machine, you can install the AAAA and PTR record and then also put the MAC address in your access lists... From rdobbins at arbor.net Sun Dec 5 19:36:12 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 6 Dec 2010 01:36:12 +0000 Subject: Impact of Attacks and Outages In-Reply-To: References: Message-ID: <0A0D719C-5A23-4A88-A1FF-92BFC5AEF68B@arbor.net> On Dec 6, 2010, at 7:53 AM, Glen Kent wrote: > Any help in this regard would be really appreciated. This 2009 report (and reports from previous years) may be of interest: The 2010 report is in process right now, FYI. Here're some additional presentations which may help: ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From nanog at jima.tk Sun Dec 5 20:41:24 2010 From: nanog at jima.tk (Jima) Date: Sun, 05 Dec 2010 20:41:24 -0600 Subject: How do you do rDNS for IPv6 ? 
In-Reply-To: <20101205221359.90053.qmail@joyce.lan> References: <20101205221359.90053.qmail@joyce.lan> Message-ID: <4CFC4D54.7060501@jima.tk> On 12/5/2010 4:13 PM, John Levine wrote: > In IPv4 land, it is standard to assign matching forward and reverse > DNS for every live IP, and a fair number of services treat requests > from hosts without rDNS with added scepticism. For consumer networks, > it's often something like 12-34-56-78.adsl.incompetent.net, with the > numbers being the IP address forward or backwards. > > So if every customer gets a /64, what do you do? You can use a > wildcard to give the same rDNS to all 2^64 addresses, but you can't do > matching forward DNS, since a DNS response with 2^64 AAAA records > would be, ah, a little unwieldy. I thought the same thing, actually, which is why I made my own solution. I ended up writing a DNS server in perl (using Net::DNS::Nameserver) that replies to reverse queries with a reproducible PTR -- generated by encoding the IP in base32. (Or the second half of the IP, in the case of a few "known" networks.) Forward queries for the matching name decode the base32. The host-specific part of the DNS is kind of long (26 characters, or 13 for known networks), but it's marginally shorter than the full IP (which would be 32/16 characters, without separators). I'm pretty happy with the results, but I'd love to hear if anyone's come up with more elegant solutions. 
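Worked example, added here and not code from Jima's or Franck's posts: the EUI-64 derivation Franck describes (the /64 plus the MAC with the universal/local bit flipped) and a reproducible base32 forward/reverse naming scheme in the spirit of the one Jima describes, in Python. The /64, the MAC and the v6.example.net zone are constructed placeholders, and the label layout (26 characters for the full address, 13 when the /64 is a "known" network) is an assumption about Jima's scheme, which his post does not detail.

```python
"""
Added example (not code from Jima's or Franck's posts): EUI-64 SLAAC
addressing as Franck describes it, plus a reproducible base32
forward/reverse naming scheme in the spirit of Jima's, so that the PTR
for any address in a /64 and the AAAA for that name agree without a
per-host record. Prefix, MAC and the v6.example.net zone are constructed
placeholders; the label layout is an assumption.
"""
import base64
import ipaddress

# base32 (RFC 4648) lowercased: every character is legal in a hostname
B32_HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz234567")


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and
    flip the universal/local bit of the first octet (RFC 4291, App. A)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """The address a host picks for itself from a /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def reverse_name(addr):
    """Nibble-reversed owner name under ip6.arpa (what a PTR query asks for)."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def encode_host(addr, known_prefix=None, domain="v6.example.net"):
    """Hostname whose label is the base32 of the full 128 bits (26 chars), or
    of only the low 64 bits (13 chars) when addr lies in a 'known' /64."""
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if known_prefix is not None and a in ipaddress.IPv6Network(known_prefix, strict=False):
        raw = raw[8:]
    label = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return "%s.%s" % (label, domain)


def decode_host(name, known_prefix=None, domain="v6.example.net"):
    """Inverse of encode_host; the AAAA answer for such a name is just this."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("name is not under %s" % domain)
    label = name[: -len(suffix)]
    if not label or not set(label) <= B32_HOSTNAME_CHARS:
        raise ValueError("label is not base32")
    raw = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    if len(raw) == 8:
        if known_prefix is None:
            raise ValueError("13-character label needs the known /64")
        net = ipaddress.IPv6Network(known_prefix, strict=False)
        raw = net.network_address.packed[:8] + raw
    elif len(raw) != 16:
        raise ValueError("label decodes to %d bytes, not 8 or 16" % len(raw))
    return ipaddress.IPv6Address(raw)


if __name__ == "__main__":
    pfx, mac = "2001:db8:1234:5678::/64", "00:1b:21:3c:4d:5e"  # constructed
    a = slaac_address(pfx, mac)
    print(a)  # 2001:db8:1234:5678:21b:21ff:fe3c:4d5e
    print(reverse_name(a))
    full, short = encode_host(a), encode_host(a, known_prefix=pfx)
    print(full, decode_host(full) == a)
    print(short, decode_host(short, known_prefix=pfx) == a)
```

Two things worth noticing. The scheme is agnostic about how the interface identifier was chosen: a privacy-extension address is just another 128 bits and round-trips through the same two functions, which is what makes the forward and reverse records match for the whole /64 without the DHCPv6 provisioning Owen mentions. And the label uses only [a-z2-7], so it is a valid hostname label, which is not true of a raw hex encoding with colons.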
Jima From randy at psg.com Sun Dec 5 23:20:13 2010 From: randy at psg.com (Randy Bush) Date: Mon, 06 Dec 2010 14:20:13 +0900 Subject: list archive In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CD34@RWC-EX1.corp.seven.com> References: <245A1A97AEEF43D28EADD8C615228D47@DELL16> <5A6D953473350C4B9995546AFE9939EE0B14CD34@RWC-EX1.corp.seven.com> Message-ID: > This one goes back to April 1994: before then, the opsish list was com-priv randy From sean at donelan.com Mon Dec 6 01:50:18 2010 From: sean at donelan.com (Sean Donelan) Date: Mon, 6 Dec 2010 02:50:18 -0500 (EST) Subject: Over a decade of DDOS--any progress yet? Message-ID: February 2000 weren't the first DDOS attacks, but the attacks on multiple well-known sites did raise DDOS' visibility. What progress has been made during the last decade at stopping DDOS attacks? SMURF attacks creating a DDOS from directed broadcast replies seems to have been mostly mitigated by changing defaults in major router OS's. TCP SYN attacks creating a DDOS from leaving many half-open connections seems to have been mostly mitigated with SYN Cookies or similar OS changes. Other than buying lots of bandwidth and scrubber boxes, have any other DDOS attack vectors been stopped or rendered useless during the last decade? Spoofing? Bots? Protocol quirks? From ikiris at gmail.com Mon Dec 6 02:05:04 2010 From: ikiris at gmail.com (Blake Dunlap) Date: Mon, 6 Dec 2010 02:05:04 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: On Mon, Dec 6, 2010 at 01:50, Sean Donelan wrote: > > February 2000 weren't the first DDOS attacks, but the attacks on multiple > well-known sites did raise DDOS' visibility. > > What progress has been made during the last decade at stopping DDOS > attacks? > > SMURF attacks creating a DDOS from directed broadcast replies seems to have > been mostly mitigated by changing defaults in major router OS's. 
> > TCP SYN attacks creating a DDOS from leaving many half-open connections > seems to have been mostly mitigated with SYN Cookies or similar OS changes. > > Other than buying lots of bandwidth and scrubber boxes, have any other DDOS > attack vectors been stopped or rendered useless during the last decade? > > Spoofing? > > Bots? > > Protocol quirks? > > If anything, the potential is worse now than it ever has been unless you have just ridiculous amounts of bandwidth, as the ratios between leaf user connectivity and data center drops have continued to close. The finger of packety death may be rare, but it is more powerful than ever, just ask Wikileaks, I believe that they were subject to 10Gbit+ at times. At least the frequency has dropped in recent years, if not the amplitude, and I am thankful for that, due in no small part to what you list above, as it mostly requires compromised bots to perform major attacks now, instead of having many available unwitting non-compromised assets spread across the internet like previously. From jna at retina.net Mon Dec 6 02:08:38 2010 From: jna at retina.net (John Adams) Date: Mon, 6 Dec 2010 00:08:38 -0800 Subject: Looking for security/abuse contact at EGIHosting Message-ID: Contact me off list please. Thanks, -john From jf at probe-networks.de Mon Dec 6 03:07:55 2010 From: jf at probe-networks.de (Jonas Frey (Probe Networks)) Date: Mon, 06 Dec 2010 10:07:55 +0100 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: <1291626475.30568.1618.camel@wks02> Besides having *a lot* of bandwidth there's not really much you can do to mitigate. Once you have the bandwidth you can filter (w/good hardware). Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes. Spoofed attacks have reduced significantly, probably because of the use of RPF. However we still see these from time to time. TCP SYN attacks are still quite frequent...these can push a lot of pps at times. 
The attack vectors have changed. Years ago people used hacked *nix boxes with big pipes to start their attacks as only these had enough bandwidth. Nowadays the consumers have a lot more bandwidth and it's easier than ever to set up your own botnet by infecting users with malware and the like. Even though end users usually have less than 2 Mbps upstream the sheer number of infected users makes it worse than ever. Most of the time (depending on the attack) it's also hard to differentiate which IP addresses are attacking and which are legitimate users. I do not see a real solution to this problem right now...there's not much you can do about the unwillingness of users to keep their software/OS up to date and deploy anti-virus/anti-malware software (and keep it up to date). Some approaches have been made like cutting off internet access for users which have been identified by ISPs for being a member of some botnet/being infected. This might be the only long-term solution to this probably. There is just no patch for human stupidity. On Monday, 06.12.2010, 02:50 -0500, Sean Donelan wrote: > February 2000 weren't the first DDOS attacks, but the attacks on multiple > well-known sites did raise DDOS' visibility. > > What progress has been made during the last decade at stopping DDOS > attacks? > > SMURF attacks creating a DDOS from directed broadcast replies seems to > have been mostly mitigated by changing defaults in major router OS's. > > TCP SYN attacks creating a DDOS from leaving many half-open connections > seems to have been mostly mitigated with SYN Cookies or similar OS > changes. > > Other than buying lots of bandwidth and scrubber boxes, have any other > DDOS attack vectors been stopped or rendered useless during the last > decade? > > Spoofing? > > Bots? > > Protocol quirks? > -------------- next part -------------- A non-text attachment was scrubbed... 
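Worked example, added here and not part of Sean's or Jonas's posts: the stateless SYN-cookie mechanism Sean refers to, in Python. A server under SYN flood stores nothing per half-open connection; it folds a short timestamp, the client's MSS and a keyed hash of the 4-tuple into the SYN-ACK's initial sequence number, and only an ACK that carries that value back (which a host behind a spoofed source never sees) makes it allocate state. The bit layout, MSS table, two-minute window, key, addresses and ports below are all constructed for this demonstration; Linux and the BSDs use their own layouts and hash functions.

```python
"""
Added example (not from Sean's or Jonas's posts): a minimal SYN-cookie
scheme. The server keeps no state for a half-open connection; the ISN
it sends in the SYN-ACK is a verifiable cookie, and the third-handshake
ACK is checked by recomputing it. Layout, key, addresses and clock
values are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

# Assumed cookie layout (constructed for this example, not the Linux one):
#   bits 31..27  five-bit minute counter
#   bits 26..2   25-bit keyed hash of (src, dst, sport, dport, counter)
#   bits  1..0   index into MSS_TABLE, so the server can recover the
#                client's MSS without having stored the SYN
MSS_TABLE = (536, 1220, 1440, 1460)
MAX_AGE_MINUTES = 2          # how long an issued cookie stays acceptable
COUNTER_MASK = 0x1F
HASH_MASK = (1 << 25) - 1


def _keyed_hash(key, src, dst, sport, dport, counter):
    """25-bit truncation of an HMAC over the 4-tuple and the counter.
    Without the key an attacker cannot compute it, so a spoofed SYN never
    yields an ACK number the server will accept."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, counter)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & HASH_MASK


def make_syn_cookie(key, src, dst, sport, dport, client_mss, minute):
    """Build the ISN for the SYN-ACK. No per-connection state is stored."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry <= client MSS
        if mss <= client_mss:
            idx = i
    counter = minute & COUNTER_MASK
    h = _keyed_hash(key, src, dst, sport, dport, counter)
    return (counter << 27) | (h << 2) | idx


def check_syn_cookie(key, src, dst, sport, dport, ack, minute):
    """Validate the third-handshake ACK. Returns the recovered MSS, or None
    when the cookie is forged, belongs to another 4-tuple, or is older
    than MAX_AGE_MINUTES."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    counter = cookie >> 27
    age = (minute - counter) & COUNTER_MASK  # modular, so wrap-around is fine
    if age > MAX_AGE_MINUTES:
        return None
    if (cookie >> 2) & HASH_MASK != _keyed_hash(key, src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[cookie & 0x3]


if __name__ == "__main__":
    key = b"constructed-per-boot-secret"
    src = b"\xc0\x00\x02\x0a"    # 192.0.2.10, constructed client
    dst = b"\xc6\x33\x64\x50"    # 198.51.100.80, constructed server
    isn = make_syn_cookie(key, src, dst, 40000, 80, 1460, minute=1000)
    print("SYN-ACK seq ", isn)
    print("valid ACK  ->", check_syn_cookie(key, src, dst, 40000, 80, isn + 1, 1000))
    print("forged ACK ->", check_syn_cookie(key, src, dst, 40000, 80, isn + 2, 1000))
    print("stale ACK  ->", check_syn_cookie(key, src, dst, 40000, 80, isn + 1, 1005))
```

Note what the cookie does not buy you, which is the point Jonas and Blake make above: bots that complete the handshake from their real addresses still cost a full connection each, and the cookie only stops the backlog from filling with spoofed half-open entries. Squeezing the MSS into two bits is also why classic cookies forget the other SYN options unless they are carried somewhere else.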
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From fweimer at bfk.de Mon Dec 6 03:08:41 2010 From: fweimer at bfk.de (Florian Weimer) Date: Mon, 06 Dec 2010 09:08:41 +0000 Subject: ARIN recognizes Interop for return of more than 99% of 45/8 address block In-Reply-To: (John Curran's message of "Wed\, 20 Oct 2010 11\:33\:01 -0400") References: <6FBCF35F-50E6-4EC4-97ED-424E5C09E767@arin.net> <4CBEFFFA.1030002@foobar.org> Message-ID: <82aakji7za.fsf@mid.bfk.de> * John Curran: > I agree with Chris; this (and any other returns) won't change the IPv4 > depletion/IPv6 deployment timeline substantially, I guess there are a lot of unused assignments within provider-dependent address space. In my experience with a couple of LIRs, none of them was very eager to reclaim address space after the contractual requirement to provide it disappeared, and only some of them reclaimed it after I asked them to. All that unused address space adds up, too. On the other hand, it's probably more efficient to switch to an addressing architecture which will not require proper resource management for the foreseeable future. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 From rdobbins at arbor.net Mon Dec 6 03:19:38 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 6 Dec 2010 09:19:38 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: <1EF3BF14-B4A4-4FC1-AD9C-55F3AB572403@arbor.net> On Dec 6, 2010, at 2:50 PM, Sean Donelan wrote: > Other than buying lots of bandwidth and scrubber boxes, have any other DDOS attack vectors been stopped or rendered useless during the last > decade? 
These .pdf presos pretty much express my view of the situation, though I do need to rev the first one: The bottom line is that there are BCPs that help, but which many folks don't seem to deploy, and then there's little or no thought at all given to maintaining availability when it comes to server/service/app architecture and operations, except by the major players who'd been through the wringer and invest the time and resources to increase their resilience to attack. Of course, the fundamental flaws in the quarter-century old protocol stack we're running, with all the same problems plus new ones carried over into IPv6, are still there. Couple that with the brittleness, fragility, and insecurity of the DNS & BGP, and the fact that the miscreants have near-infinite resources at their disposal, and the picture isn't pretty. And nowadays, the attackers are even more organized and highly motivated (OC, financial/ideological) and therefore more highly incentivized to innovate, the tools are easy enough for most anyone to make use of them, and the services/apps they attack are now of real importance to ordinary people. So, while the state of the art in defense has improved, the state of the art and resources available to the attackers have also dramatically improved, and the overall level of indifference to the importance of maintaining availability is unchanged - so the overall situation itself is considerably worse, IMHO. The only saving grace is that the bad guys often make so much money via identity theft, click-fraud, spam, and corporate/arm's-length governmental espionage that they'd rather keep the networks/services/servers/apps/endpoints up and running so that they can continue to monetize them in other ways. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. 
From simonw at zynet.net Mon Dec 6 03:27:31 2010 From: simonw at zynet.net (Simon Waters) Date: Mon, 6 Dec 2010 09:27:31 +0000 Subject: (wikileaks) Fwd: [funsec] And Google becomes a DNS.. In-Reply-To: <4CFBB4C8.6090101@linuxbox.org> References: <4CFBB4C8.6090101@linuxbox.org> Message-ID: <201012060927.34360.simonw@zynet.net> On Sunday 05 December 2010 15:50:32 Gadi Evron wrote: > > I withhold comment... "discuss amongst yourselves". Since it is an uncommon but occasional complaint that someone's site is indexed in Google by IP address not domain name, I assume simply that since wikileaks were redirecting to URLs with IP addresses in, Google assumed this is what they wanted indexed. I share their pain, we had a disk and a botnet issue with one of our sites, and Google's contribution was to drop our ranking (presumably speed penalty because it was now slower and less reliable than normal). Frustrating but Google now reflects the reality of the web experience. They are "lucky" not to have a speed penalty, or perhaps they do but they are still ranked 1 for the term "wikileaks" even with the relevant penalties. I dare say in a few iterations Google will spot DDoS attacks, and other forms of abuse, and bump up your ranking on the basis you are clearly notable enough to attract that sort of attention. From peter at peter-dambier.de Mon Dec 6 03:38:13 2010 From: peter at peter-dambier.de (Peter Dambier) Date: Mon, 06 Dec 2010 10:38:13 +0100 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <4CF93371.8020306@nic-naa.net> References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> Message-ID: <4CFCAF05.4030709@peter-dambier.de> Hi, there has been a lot of ethics and religion, ... but what is really important for operation: The cloud is a failure. Too easy to get it down. I guess wikileaks returning to dedicated hosting proves that. 
Next time the board wants to convince me of cloud computing, I'll propose a botnet is cheaper and more reliable. Besides - outsourcing the directors might be a good idea. GM proves that :) Cheers Peter -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter at peter-dambier.de http://www.peter-dambier.de/ http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ ULA= fd80:4ce1:c66a::/48 From jay at miscreant.org Mon Dec 6 03:47:43 2010 From: jay at miscreant.org (Jay Mitchell) Date: Mon, 6 Dec 2010 20:47:43 +1100 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <4CFCAF05.4030709@peter-dambier.de> References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> Message-ID: <003d01cb952a$a43198f0$ec94cad0$@miscreant.org> "The Cloud" went down? I think not. Having one's account terminated as opposed to an outage caused by DDoS are two very different things. I'm certainly not an advocate of public cloud computing (I love it inside my own private network though :) ), but in this case asserting that the cloud is a failure is just plain wrong. --jm -----Original Message----- From: Peter Dambier [mailto:peter at peter-dambier.de] Sent: Monday, 6 December 2010 8:38 PM To: nanog at nanog.org Subject: Cloud proof of failure - was:: wikileaks unreachable Hi, there has been a lot of ethics and religion, ... but what is really important for operation: The cloud is a failure. Too easy to get it down. I guess wikileaks returning to dedicated hosting proves that. Next time the board wants to convince me of cloud computing, I'll propose a botnet is cheaper and more reliable. Besides - outsourcing the directors might be a good idea. 
GM proves that :) Cheers Peter -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter at peter-dambier.de http://www.peter-dambier.de/ http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ ULA= fd80:4ce1:c66a::/48 From nathan at atlasnetworks.us Mon Dec 6 03:49:17 2010 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Mon, 6 Dec 2010 09:49:17 +0000 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <4CFCAF05.4030709@peter-dambier.de> References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us> > The cloud is a failure. Too easy to get it down. > I guess wikileaks returning to dedicated hosting proves that. No, it just proves that organizational decisions are made by human beings that have values. Whether or not those values are 'right' isn't the point - the point is that the technology isn't what failed here. There are plenty of dedicated server hosts that would have shut off wikileaks under political pressure - and there are plenty of 'cloud' hosts who would have kept them up. I don't think we can draw any pass/fail conclusions WRT cloud computing (defined here as virtualization-as-a-service) from the removal of Wikileaks from S3. Nathan From simonw at zynet.net Mon Dec 6 03:57:14 2010 From: simonw at zynet.net (Simon Waters) Date: Mon, 6 Dec 2010 09:57:14 +0000 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <003d01cb952a$a43198f0$ec94cad0$@miscreant.org> References: <4CFCAF05.4030709@peter-dambier.de> <003d01cb952a$a43198f0$ec94cad0$@miscreant.org> Message-ID: <201012060957.15013.simonw@zynet.net> On Monday 06 December 2010 09:47:43 Jay Mitchell wrote: > > "The Cloud" went down? I think not. It did for at least one customer. 
> Having one's account terminated as opposed to an outage caused by DDoS are > two very different things. Although not for all DNS providers. There are operational lessons here. But do they boil down to this: technical issues may not be the limiting factor on your uptime? As commented already by someone, perhaps time to review plans for responses to non-technical threats to availability. From ops.lists at gmail.com Mon Dec 6 04:03:13 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 6 Dec 2010 15:33:13 +0530 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <4CFCAF05.4030709@peter-dambier.de> References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> Message-ID: On Mon, Dec 6, 2010 at 3:08 PM, Peter Dambier wrote: > The cloud is a failure. Too easy to get it down. > I guess wikileaks returning to dedicated hosting proves that. I haven't used this sign in nearly a decade. And certainly not on nanog. Anyway .. I'll end this thread now. And folks .. .:\:/:. +-------------------+ .:\:\:/:/:. | PLEASE DO NOT | :.:\:\:/:/:.: | FEED THE TROLLS | :=.' - - '.=: | | '=(\ 9 9 /)=' | Thank you, | ( (_) ) | Management | /`-vvv-'\ +-------------------+ / \ | | @@@ / /|,,,,,|\ \ | | @@@ /_// /^\ \\_\ @x@@x@ | | |/ WW( ( ) )WW \||||/ | | \| __\,,\ /,,/__ \||/ | | | jgs (______Y______) /\/\/\/\/\/\/\/\//\/\\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ -- Suresh Ramasubramanian (ops.lists at gmail.com) From chris at timico.net Mon Dec 6 05:43:06 2010 From: chris at timico.net (Chris Nicholls) Date: Mon, 6 Dec 2010 11:43:06 +0000 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <4CFB09C2.5090905@amplex.net> References: <4CFB09C2.5090905@amplex.net> Message-ID: <20101206114306.GA68751@atsuko> On Saturday, 4 December 2010 at K:40:50 -0500, Mark Radabaugh wrote: > Probably a case of something being blindingly obvious but... 
> > I have seen plenty of information on IPv6 from a internal network > standpoint. I have seen very little with respect to how an ISP is > supposed to handle routing to residential consumer networks. I have seen > suggestions of running RIPng. The thought of letting Belkin routers (if > you can call them that) into the routing table scares me no end. > > Is this way easier than I think it is? Did somebody already write the > book that I can't find? > > -- > Mark Radabaugh > Amplex > > mark at amplex.net 419.837.5015 > > ---end quoted text--- I found the following very helpful, Hardest thing for me was nailing DHCPv6-PD without a DHCP server :) Deploying IPv6 in Broadband Access Networks By: Adeel Ahmed; Salman Asadullah Publisher: John Wiley & Sons Pub. Date: August 17, 2009 Print ISBN: 978-0-470-19338-9 Web ISBN: 0-470193-38-7 Deploying IPv6 Networks By: Ciprian Popoviciu; Eric Levy-Abegnoli; Patrick Grossetete Publisher: Cisco Press Pub. Date: February 10, 2006 Print ISBN-10: 1-58705-210-5 Print ISBN-13: 978-1-58705-210-1 -- Chris Nicholls Timico Network Operations chris at timico.net From owen at delong.com Mon Dec 6 05:52:14 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 6 Dec 2010 03:52:14 -0800 Subject: How do you do rDNS for IPv6 ? In-Reply-To: <29247251.37.1291598916527.JavaMail.franck@franck-martins-macbook-pro.local> References: <29247251.37.1291598916527.JavaMail.franck@franck-martins-macbook-pro.local> Message-ID: On Dec 5, 2010, at 5:28 PM, Franck Martin wrote: > > > ----- Original Message ----- >> From: "Owen DeLong" >> To: "John Levine" >> Cc: nanog at nanog.org >> Sent: Sunday, 5 December, 2010 2:54:43 PM >> Subject: Re: How do you do rDNS for IPv6 ? >> On Dec 5, 2010, at 2:13 PM, John Levine wrote: >> > >>> When hosts self-configure their low 64 bits, do you install a >>> suitable >>> PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have >>> it >>> install the DNS? Do you do something else? 
>>> >> If you care, you probably need to use DHCPv6 for this and it should be >> able >> to build both the AAAA and PTR records. >> > Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the IP address is built based on your network and the MAC address of the interface, so it is not a random number changed at every connection.... > > I guess when you provision the machine, you can install the AAAA and PTR record and then also put the MAC address in your access lists... That answer presumes an enterprise environment. The question was from the perspective of a residential ISP. I don't think most residential ISPs would regard provisioning individual customer machines as a scalable solution. Owen From maw at dont.beevil.org Mon Dec 6 05:58:02 2010 From: maw at dont.beevil.org (Michael Wildpaner) Date: Mon, 6 Dec 2010 12:58:02 +0100 (CET) Subject: Google mail admin contact needed (STARTTLS capabilities issue) In-Reply-To: <95183.1291430884@localhost> References: <95183.1291430884@localhost> Message-ID: On Fri, 3 Dec 2010, Valdis.Kletnieks at vt.edu wrote: > On Fri, 03 Dec 2010 17:30:38 PST, Brent Jones said: > > For example, below shows the same MX at Google responding with and > > without TLS. I attempted about a dozen times over a few minutes to the > > same MX until I got STARTTLS listed in the capabilities list, but the > > next attempt to the same MX would no longer show STARTTLS > > Equally troubling is the similarly random nature of PIPELINING, which doesn't > > even match the STARTTLS appearing or not. Definitely bad juju. PIPELINING and STARTTLS are unrelated issues, and both are currently working as intended. - STARTTLS on MX is in the process of being rolled out and not visible from all client locations at this point. - PIPELINING is not offered under all circumstances. Hope this helps, maw -- maw@{dont.,}beevil.org From rs at seastrom.com Mon Dec 6 06:30:12 2010 From: rs at seastrom.com (Robert E. 
Seastrom) Date: Mon, 06 Dec 2010 07:30:12 -0500 Subject: ARIN space not accepted In-Reply-To: <20101204064309.2775B1CC0C@ptavv.es.net> (Kevin Oberman's message of "Fri, 03 Dec 2010 22:43:09 -0800") References: <20101204064309.2775B1CC0C@ptavv.es.net> Message-ID: <861v5vf5ij.fsf@seastrom.com> "Kevin Oberman" writes: >> From: Valdis.Kletnieks at vt.edu >> > From: Valdis.Kletnieks at vt.edu >> Date: Fri, 03 Dec 2010 20:00:15 -0500 >> >> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said: >> >> > It is speculated that no later than Q1, two more /8's will be allocated, >> > triggering a policy that will give the remaining 5 /8's out to the >> > RIR's. That means, prior to end of Q1, the bogon list will be: >> > >> > 0/8 >> > 10/8 >> > 127/8 >> > 172.16/12 >> > 192.168/16 >> > 224/3 >> >> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;) > > Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues > if you accept multicast traffic from anyone. You mean like other routers that are speaking OSPF? :-) (people should understand the side effects of filtering before they conf t). -r From rdobbins at arbor.net Mon Dec 6 07:27:07 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 6 Dec 2010 13:27:07 +0000 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <20101206114306.GA68751@atsuko> References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> Message-ID: <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote: > I found the following very helpful, Hardest thing for me was nailing DHCPv6-PD without an DHCP server :) This is the best/most complete work on IPv6 security to date, IMHO: ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. 
From jjohnstone at diamondtech.ca Mon Dec 6 07:35:53 2010 From: jjohnstone at diamondtech.ca (Jeff Johnstone) Date: Mon, 6 Dec 2010 05:35:53 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> Message-ID: On Mon, Dec 6, 2010 at 5:27 AM, Dobbins, Roland wrote: > > On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote: > > > I found the following very helpful, Hardest thing for me was nailing > DHCPv6-PD without an DHCP server :) > > > This is the best/most complete work on IPv6 security to date, IMHO: > > > > ----------------------------------------------------------------------- > Roland Dobbins // > > Sell your computer and buy a guitar. > > Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business? Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases. Any info would be helpful. cheers Jeff From william.allen.simpson at gmail.com Mon Dec 6 07:36:39 2010 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Mon, 06 Dec 2010 08:36:39 -0500 Subject: Google mail admin contact needed (STARTTLS capabilities issue) In-Reply-To: References: <95183.1291430884@localhost> Message-ID: <4CFCE6E7.3030804@gmail.com> On 12/6/10 6:58 AM, Michael Wildpaner wrote: > PIPELINING and STARTTLS are unrelated issues, and both are currently > working as intended. > > - STARTTLS on MX is in the process of being rolled out and not visible > from all client locations at this point. > > - PIPELINING is not offered under all circumstances. > > Hope this helps, maw > Much appreciated. Could you let operators know where to look for the status as it's rolled out? Or keep us updated here? 
Since the client TLS (port 995) has been working for a long time, and the https is becoming the default (we used to have to specify it ourselves), getting MX transport secured is a good idea. From jgreco at ns.sol.net Mon Dec 6 07:47:10 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Mon, 6 Dec 2010 07:47:10 -0600 (CST) Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us> Message-ID: <201012061347.oB6DlAbc045367@aurora.sol.net> [peter's theory] > > The cloud is a failure. Too easy to get it down. > > I guess wikileaks returning to dedicated hosting proves that. > No, it just proves that organizational decisions are made by human beings that have values. Whether or not those values are 'right' isn't the point - the point is that the technology isn't what failed here. > > There are plenty of dedicated server hosts that would have shut off wikileaks under political pressure - and there are plenty of 'cloud' hosts who would have kept them up. I don't think we can draw any pass/fail conclusions WRT cloud computing (defined here as virtualization-as-a-service) from the removal of Wikileaks from S3. The question would appear to be whether attacks outside the technical space should be considered a failure. It should be obvious that if I can attack your site with a blast of IP traffic and deny others access to it, that's an effective takedown. I believe that someone DDoS'ed EveryDNS hosting of Wikileaks DNS. On the other hand, EveryDNS appears to have *chosen* to stop supplying service to Wikileaks, so this was not a purely technological takedown. The neat thing about cloud computing is that it is, to borrow Amazon's term, "elastic." 
I'm not sure we've seen scalable computing that can be scaled rapidly in this manner for largely arbitrary purposes in the past, and a cloud the size of Amazon's is probably able to cope with a DDoS of virtually any size, assuming a willingness to throw sufficient resources at it. From that perspective, I cannot see cloud computing as a failure, but instead a massive success. However, I can see outsourcing as a potential failure. When you allow a third party (Amazon, EveryDNS, whoever) to become involved in your operation, you are essentially allowing them a veto over your continued technical operations. This makes the outsourcing provider an attractive target for interference of the legal/political type. How tolerant would your webhosting provider be of continuous DMCA complaints being submitted about your web site, for example, even if they were without merit? From that point of view, cloud computing may be inherently a bit more vulnerable, because clouds tend to be resources being rented to third parties. With dedicated servers and/or your own IP space/servers, you have increasing amounts of control over the response to certain threats outside the technical realm. A risk analysis of these factors is, therefore, suggested when deploying services. On average, the benefits of being able to rapidly provision and scale resources in the cloud probably vastly outweigh the risks to the average operation of political/legal pressures on the cloud hosting provider; that computation necessarily changes for something like Wikileaks. Of course, if one views the Internet itself as a sort of meta-cloud, it should be obvious that meta-cloud computing is proving to be very resilient. But that brings us to a Tron-like mentality about the whole Internet... how apropos. :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." 
- Direct Marketing Ass'n position on e-mail spam (CNN) With 24 million small businesses in the US alone, that's way too many apples. From patrick at ianai.net Mon Dec 6 08:10:21 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Mon, 6 Dec 2010 09:10:21 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <1291626475.30568.1618.camel@wks02> References: <1291626475.30568.1618.camel@wks02> Message-ID: On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote: > Besides having *a lot* of bandwidth there's not really much you can do to > mitigate. Once you have the bandwidth you can filter (w/good hardware). > Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes. There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong. > Spoofed attacks have reduced significantly, probably because of the use of > RPF. However we still see these from time to time. I disagree. Spoofed attacks have reduced because the botnets do not need to spoof to succeed in some attacks. RPF is woefully inadequately applied. For attacks which require spoofing, it is still trivial to generate 10s of Gbps of spoofed packets. > I do not see a real solution to this problem right now...there's not much > you can do about the unwillingness of users to keep their software/OS > up to date and deploy anti-virus/anti-malware software (and keep it > up to date). > Some approaches have been made like cutting off internet access for users > which have been identified by ISPs for being a member of some > botnet/being infected. > This might be the only long-term solution to this probably. There is > just no patch for human stupidity. 
Quarantining end users sounds like a good idea to me. But I Am Not An ISP. :)

The idea of auto-updates at the OS level like in iOS (as opposed to big-I "IOS") may be a solution for many people. Supposedly OSX is going that route. But there will be those who do not want to get their software -only- through a walled garden like iTunes.

Fortunately, the motivations do have some alignment. The users who do not need full access to their machines are the ones who are more likely to get confused & infected, and the ones who want someone to "protect" them more, which makes OS-level auto-update more appealing. So that may help, even if it is not a panacea.

Wish us luck!

--
TTFN,
patrick

From tme at americafree.tv Mon Dec 6 08:16:24 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Mon, 6 Dec 2010 09:16:24 -0500
Subject: Cloud proof of failure - was:: wikileaks unreachable
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us>
References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <658958CE-BDD8-42F7-8E7F-3D921A0DA883@americafree.tv>

On Dec 6, 2010, at 4:49 AM, Nathan Eisenberg wrote:

>> The cloud is a failure. Too easy to get it down.
>> I guess wikileaks returning to dedicated hosting proves that.
>
> No, it just proves that organizational decisions are made by human beings that have values. Whether or not those values are 'right' isn't the point - the point is that the technology isn't what failed here.
>
> There are plenty of dedicated server hosts that would have shut off wikileaks under political pressure - and there are plenty of 'cloud' hosts who would have kept them up. I don't think we can draw any pass/fail conclusions WRT cloud computing (defined here as virtualization-as-a-service) from the removal of Wikileaks from S3.

I do, but not because of Amazon specifically.
(As far as I know, Amazon's decision depended not at all on where its servers were located or that they were decentralized.) In a cloud hosting environment, you typically don't know where your data and servers are, and thus you don't know what legal and political pressures they may be subject to. If that means that in practice you are subject to the combination of any pressure that can be applied to any one of the hosting centers maintained by your hosting provider, then "the cloud" indeed would seem pretty unattractive to anyone with politically or socially controversial content. Regards Marshall > > Nathan > > > From jared at puck.nether.net Mon Dec 6 08:55:07 2010 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 6 Dec 2010 09:55:07 -0500 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> Message-ID: <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote: > Speaking of IPV6 security, is there any movement towards any open source > IPV6 firewall solutions for the consumer / small business? > > Almost all the info I've managed to find to date indicates no support, nor > any planned support in upcoming releases. > > Any info would be helpful. Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise. I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion. 
- Jared From owen at delong.com Mon Dec 6 09:07:11 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 6 Dec 2010 07:07:11 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> Message-ID: <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com> On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote: > > On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote: > >> Speaking of IPV6 security, is there any movement towards any open source >> IPV6 firewall solutions for the consumer / small business? >> >> Almost all the info I've managed to find to date indicates no support, nor >> any planned support in upcoming releases. >> >> Any info would be helpful. > > Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise. > Yes... Those of us who would like to see sanity return to the internet would prefer to have you lynched for such heresy. ;-) Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with. > I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion. > There are multiple easy ways to solve this problem that don't require the use of NAT or the damage that comes with it. First, let's clarify things a bit. 
I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection. It's trivial to implement an IPv6 default-deny-inbound stateful inspection policy that provides exactly the same security model as is afforded by the current NAT box in IPv4 without mangling the packet headers.

The rest is superstition. Admittedly, superstition is powerful among IT professionals, especially in the enterprise world. So strong that people on this very list who I generally respect and consider to be good competent professionals tell me that I'm flat out wrong about it. However, not one of them has been able to produce an argument that actually stands up to scrutiny. The closest they can come is what happens when someone misconfigures something. However, I've always been able to show that it's equally easy to make fatal misconfigurations on the NAT box with just as dire consequences.

Owen

From nathan at atlasnetworks.us Mon Dec 6 09:29:51 2010
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Mon, 6 Dec 2010 15:29:51 +0000
Subject: Cloud proof of failure - was:: wikileaks unreachable
In-Reply-To: <658958CE-BDD8-42F7-8E7F-3D921A0DA883@americafree.tv>
References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us> <658958CE-BDD8-42F7-8E7F-3D921A0DA883@americafree.tv>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B298022@ex-mb-1.corp.atlasnetworks.us>

> In a cloud hosting environment, you typically don't know where your
> data and servers are, and thus you don't know what legal and political
> pressures they may be subject to.
> If that means that in practice you
> are subject to the combination of any pressure that can be applied to
> any one of the hosting centers maintained by your hosting provider,
> then "the cloud" indeed would seem pretty unattractive to anyone with
> politically or socially controversial content.

How is it more or less unattractive than having one's own servers in one's own office? Lieberman and Co would simply have leaned on Mom's Best BGP (r) and Pop's Fastest Packets (r) instead of on Amazon, and the result would have been the same.

That's the catch with this here series of tubes - you don't control all of the tubes, even if you're Amazon, or Giant National ISP Co, or Massive National Fiber Plant Co. The server infrastructure is the least interesting part of what happened to WikiLeaks.

Nathan

From david at ulevitch.com Mon Dec 6 09:34:13 2010
From: david at ulevitch.com (David Ulevitch)
Date: Mon, 6 Dec 2010 07:34:13 -0800
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <1291626475.30568.1618.camel@wks02>
Message-ID:

On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore wrote:
> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>
>> Besides having *a lot* of bandwidth there's not really much you can do to
>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>
> There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.

I think this is only true if you run your BGP session on a different path (or have your provider pin down a static route).
If you are using BGP and run it on the same path, the 100Gbps will cause massive packet loss and likely cause your BGP session to drop which will just move the attack to another site, rinse / repeat.

I don't think very many people run BGP over a separate circuit, but for some folks, it might be appropriate.

I also recommend folks anycast with a /22 or /23 and then use BGP for the /23 or /24 announcements and have their provider pin down the /22 at a few sites so that if all hell breaks loose and the /23 or /24 is flapping and being dampened then you still have reachability with the covering prefix. It also lets you harden and strengthen a few smaller sites that have the /22 statically pinned down. I'm not sure if people think the "cost" of doing this is worth it, jury still out for us.

But as you and others have pointed out, not a lot of defense against DDoS these days besides horsepower and anycast. :-)

-David

From patrick at ianai.net Mon Dec 6 09:40:20 2010
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Mon, 6 Dec 2010 10:40:20 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <1291626475.30568.1618.camel@wks02>
Message-ID:

On Dec 6, 2010, at 10:34 AM, David Ulevitch wrote:
> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to
>>> mitigate. Once you have the bandwidth you can filter (w/good hardware).
>>> Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different
> path (or have your provider pin down a static route).

You are assuming many things - such as the fact bgp is used at all. But yes, of course you have to ensure the attack traffic does not move when you get attacked or you end up with a domino effect that takes out your entire infrastructure.

> But as you and others have pointed out, not a lot of defense against
> DDoS these days besides horsepower and anycast. :-)

Not just anycast. I said distributed architecture. There are more ways to distribute than anycast. Not everything is limited to 13 IP addresses at the GTLDs, David. :-)

--
TTFN,
patrick

From jbates at brightok.net Mon Dec 6 09:49:25 2010
From: jbates at brightok.net (Jack Bates)
Date: Mon, 06 Dec 2010 09:49:25 -0600
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
Message-ID: <4CFD0605.20604@brightok.net>

On 12/6/2010 9:07 AM, Owen DeLong wrote:
> Seriously, though, you're welcome to use fd00::/8 for exactly that
> purpose. The problem is that you (and hopefully it stays this way)
> won't have much luck finding a vendor that will provide the NAT for
> you to do it with.
>

Corporate IT community *expects* a broken Internet. They aren't doing their jobs if they haven't broken everything and its dog. Vendors will provide what their customers demand, so there will be NAT on the corporate firewalls. What I don't want to see is NAT on home routers.

> There are multiple easy ways to solve this problem that don't require
> the use of NAT or the damage that comes with it.
>

Corporations thrive on damaging traffic, and many prefer NAT.
Every instinct in their body screams that removing NAT is bad, and you won't win that argument.

> First, let's clarify things a bit. I don't think unintended routing
> is what concerns your IT guys. After all, even with the NAT box today,
> there's routing from the outside to the inside. It's just controlled
> by stateful inspection.

1918 space generally isn't routed to their firewall from the outside, so some mistakes that leave the inside vulnerable are actually somewhat protected by using 1918 space which isn't routed. It's a limited scenario, but what every corp IT guy I know points to.

> So strong that people on this very list who I generally respect and
> consider to be good competent professionals tell me that I'm flat
> out wrong about it.

It's not superstition that the IP addresses assigned to the inside aren't routed from the upstream to the outside interface of the firewall. i.e., when NAT/SPI is broken, the traffic itself breaks, not a sudden "We are wide open!" event. This is not about *proper* security. It is about the extra gain when someone screws up and kills the firewall ruleset. In a 1 to 1 NAT environment, losing your SPI would be bad. In a 1 to N NAT environment, a majority of the machines can never be reached if the SPI/NAT engine dies (unless the upstream suddenly adds a 1918 route to reach them).

>
> However, not one of them has been able to produce an argument that
> actually stands up to scrutiny. The closest they can come is what
> happens when someone misconfigures something. However, I've always
> been able to show that it's equally easy to make fatal
> misconfigurations on the NAT box with just as dire consequences.

It is possible, yes. However, in the case of an overloaded NAT without port forwarding, there is no way to reach the backend hosts unless the upstream adds a route to the 1918 space behind the firewall. This is what people object to. A single route. That's it. If NAT doesn't work, the route is required.
Without NAT, if your SPI doesn't work, the route is already there and you may have defaulted open.

So does NAT add to security? Yes; just not very much. It covers one condition; that is all. For that condition, you have a huge amount of service breakage. For a corporate network, this may be perfectly fine and acceptable.

Jack

From jgreco at ns.sol.net Mon Dec 6 10:08:16 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Mon, 6 Dec 2010 10:08:16 -0600 (CST)
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
Message-ID: <201012061608.oB6G8Gg7046886@aurora.sol.net>

> First, let's clarify things a bit. I don't think unintended routing is
> what concerns your IT guys. After all, even with the NAT
> box today, there's routing from the outside to the inside. It's just
> controlled by stateful inspection.

It might be better stated differently. With NAT, routing from the outside to the inside is controlled by stateful inspection and also by internal policy. In what we usually mean as IPv4 NAT in today's usage, there is not supposed to be a way for an outside attacker to target a particular inside destination, even if its address were known. 1918 space isn't globally routed and the "real" external IP address is the only thing your firewall has to go on; internal policy controls what happens to unsolicited traffic.

With IPv6 and a stateful firewall, an outside attacker gains the ability to address devices within your network, even if he is unable to actually cause packets to arrive at that target thanks to your firewall.

There's a fundamental difference here that scares some people. They fear an inadvertent dropping of their stateful firewall ruleset, for example, or maybe even bypassing of the firewall through misconfig or other perils at the network level.

You won't make much progress on these fears because there's genuinely something to them.
What we really need are killer IPv6 apps that can't easily be NAT'd. :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From jbates at brightok.net Mon Dec 6 10:12:35 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 06 Dec 2010 10:12:35 -0600 Subject: How do you do rDNS for IPv6 ? In-Reply-To: References: <20101205221359.90053.qmail@joyce.lan> Message-ID: <4CFD0B73.3020600@brightok.net> On 12/5/2010 4:25 PM, Felipe Zanchet Grazziotin wrote: > > There are other useful tips too, including ideas for PowerDNS and Bind. > Yeah, PowerDNS already supports generating AAAA/PTR on the fly. I'm more of the opinion that generic hosts shouldn't have rDNS, but that will depend on banks and other institutions who sometimes make it a requirement. Jack From rdobbins at arbor.net Mon Dec 6 10:23:20 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 6 Dec 2010 16:23:20 +0000 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <4CFD0605.20604@brightok.net> References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com> <4CFD0605.20604@brightok.net> Message-ID: <4E427520-5B06-4ECB-9096-00807F88ABB6@arbor.net> On Dec 6, 2010, at 10:49 PM, Jack Bates wrote: > So does NAT add to security? Yes; just not very much. It adds nothing which can't be added in another, better way, and it subtracts a great deal in terms of instantiating unnecessary DoSable stateful chokepoints in the network, not to mention breaking traceback. NAT <> security. NAT is a net security negative. 
----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From lowen at pari.edu Mon Dec 6 10:23:38 2010 From: lowen at pari.edu (Lamar Owen) Date: Mon, 6 Dec 2010 11:23:38 -0500 Subject: Want to move to all 208V for server racks In-Reply-To: <20101204225209.CF9251CC12@ptavv.es.net> References: <20101204225209.CF9251CC12@ptavv.es.net> Message-ID: <201012061123.38869.lowen@pari.edu> On Saturday, December 04, 2010 05:52:09 pm Kevin Oberman wrote: > Lead-acid batteries can deliver way over 100 amps of current and a > conductor across "safe" voltage will get hot and, if not heavy enough, > will vaporize. Our smallish 540Ah -48VDC plant has a 35,000A short circuit rating; important to know when sizing the disconnect breaker, as 50,000AIC breakers are required for that. The A and B side rectifiers are Lorrain 200A three phase units, built like tanks. We have a secondary 12V plant at one solar location that is using six 2,320Ah cells which required two disconnects in series to meet AIC ratings, since the nearly 100,000A short circuit current makes it difficult to get small (<100A) breakers with 100,000+AIC ratings. We're doing the solar thing for our optical telescopes, using Xantrex inverter/chargers and Outback solar charge controllers, 24VDC nominal strings. Works great; DC input switches make it even nicer, although you then need low voltage cutoffs to prevent battery damage when there have been several days in a row of dark skies. At the 5ESS in Buckhead/Brookhaven I recall seeing an operating A buss current of >20KA years ago; the AIC on that plant has to be huge (of course, that's been 25+ years, and that's my memory, which could be mistaken as to the exact current value). A technician there told me he had seen an 18 inch adjustable wrench totally vaporized when it bridged from B- to ground. Yeah, not something to play with. 
From ka at pacific.net Mon Dec 6 10:27:39 2010 From: ka at pacific.net (Ken A) Date: Mon, 06 Dec 2010 10:27:39 -0600 Subject: (wikileaks) Fwd: [funsec] And Google becomes a DNS.. In-Reply-To: <4CFBB4C8.6090101@linuxbox.org> References: <4CFBB4C8.6090101@linuxbox.org> Message-ID: <4CFD0EFB.4070700@pacific.net> On 12/5/2010 9:50 AM, Gadi Evron wrote: > I withhold comment... "discuss amongst yourselves". > > Best, > > Gadi. > > > -------- Original Message -------- > Subject: [funsec] And Google becomes a DNS.. > Date: Sun, 5 Dec 2010 17:34:50 +0200 > From: Imri Goldberg > To: funsec > > > Found on reddit: > http://i.imgur.com/Q5SVu.png Google has access to historical DNS, and end users, so they could assist end users in also reaching VHosted web sites that did not have current or reachable DNS, if that is the goal. Something as simple as a browser addon that modified the http host header. There are manual ways of doing this now, using the Modify Headers Add-on for Firefox, for example. Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From jbates at brightok.net Mon Dec 6 10:36:17 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 06 Dec 2010 10:36:17 -0600 Subject: Cloud proof of failure - was:: wikileaks unreachable In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B298022@ex-mb-1.corp.atlasnetworks.us> References: <4CF93081.2040703@nic-naa.net> <4CF93371.8020306@nic-naa.net> <4CFCAF05.4030709@peter-dambier.de> <8C26A4FDAE599041A13EB499117D3C286B296B78@ex-mb-1.corp.atlasnetworks.us> <658958CE-BDD8-42F7-8E7F-3D921A0DA883@americafree.tv> <8C26A4FDAE599041A13EB499117D3C286B298022@ex-mb-1.corp.atlasnetworks.us> Message-ID: <4CFD1101.5060303@brightok.net> On 12/6/2010 9:29 AM, Nathan Eisenberg wrote: > > How is it more or less unattractive than having one's own servers in > one's own office? Lieberman and Co would simply have leaned on Mom's > Best BGP (r) and Pop's Fastest Packets (r) instead of on Amazon, and > the result would have been the same. 
>

That is a possibility, though it also depends on the business mentality and AUP. The problem is, it didn't necessarily require any *leaning* and the AUP may have been enforced anyways.

> That's the catch with this here series of tubes - you don't control
> all of the tubes, even if you're Amazon, or Giant National ISP Co, or
> Massive National Fiber Plant Co. The server infrastructure is the
> least interesting part of what happened to WikiLeaks.
>

Anytime you are dealing with something highly controversial, you open yourself up for technical and social attack. Your business dependencies may be inclined to disassociate themselves with you on any grounds possible; not that they disagree with you, but perhaps they don't want to be that closely associated.

It does not require any leaning, notification, or even noticeable service effect for me to decide to shut down a site/location which is controversial in nature and causing a DOS. If I sold a 'bulletproof' service, I'd have a different thought process, but that's because I'd be selling such a service. I don't sell 'bulletproof', and so I'm quickly inclined to request/takedown anything which causes technical/social issues for the network per the AUP.

What the Senators did was wrong, but what Amazon did may have not been due to the pressure, but strictly based on "oh, we didn't notice that, and it's violating our AUP." I'm not saying it's the case, but it does happen. I've had to have others tell me of AUP violations from time to time.

Jack

From francois at menards.ca Mon Dec 6 10:42:20 2010
From: francois at menards.ca (Francois Menard)
Date: Mon, 6 Dec 2010 11:42:20 -0500
Subject: Multipoint VPLS mapping to MEF E-TREE
In-Reply-To:
References:
Message-ID:

Is there anyone out there who has a position on whether it is worth the effort to map Multi-root EVPL (E-TREE) atop VPLS or to wait for PBB-TE and MEF to come up with some kind of a common roadmap?

F.
On 2010-12-03, at 10:26 AM, Manu Chao wrote: > I have only GRT and L3VPN traffic and would like to use MPLS forwarding only > for L3VPN. > > Is it possible? > > Thanks & Best Regards, > Manu From jared at puck.nether.net Mon Dec 6 11:41:19 2010 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 6 Dec 2010 12:41:19 -0500 Subject: How do you do rDNS for IPv6 ? In-Reply-To: <4CFC4D54.7060501@jima.tk> References: <20101205221359.90053.qmail@joyce.lan> <4CFC4D54.7060501@jima.tk> Message-ID: On Dec 5, 2010, at 9:41 PM, Jima wrote: > On 12/5/2010 4:13 PM, John Levine wrote: >> In IPv4 land, it is standard to assign matching forward and reverse >> DNS for every live IP, and a fair number of services treat requests >> from hosts without rDNS with added scepticism. For consumer networks, >> it's often something like 12-34-56-78.adsl.incompetent.net, with the >> numbers being the IP address forward or backwards. >> >> So if every customer gets a /64, what do you do? You can use a >> wildcard to give the same rDNS to all 2^64 addresses, but you can't do >> matching forward DNS, since a DNS response with 2^64 AAAA records >> would be, ah, a little unwieldy. > > I thought the same thing, actually, which is why I made my own solution. I ended up writing a DNS server in perl (using Net::DNS::Nameserver) that replies to reverse queries with a reproducible PTR -- generated by encoding the IP in base32. (Or the second half of the IP, in the case of a few "known" networks.) Forward queries for the matching name decode the base32. > The host-specific part of the DNS is kind of long (26 characters, or 13 for known networks), but it's marginally shorter than the full IP (which would be 32/16 characters, without separators). I'm pretty happy with the results, but I'd love to hear if anyone's come up with more elegant solutions. Anyone done this dynamic synthesis w/ bind? dnssec thoughts as well? 
i know this isn't namedroppers, but perhaps someone can post some code or examples, or a link to a webpage with them? - Jared From jra at baylink.com Mon Dec 6 12:01:47 2010 From: jra at baylink.com (Jay Ashworth) Date: Mon, 6 Dec 2010 13:01:47 -0500 (EST) Subject: How do you do rDNS for IPv6 ? In-Reply-To: Message-ID: <3837346.1030.1291658507611.JavaMail.root@benjamin.baylink.com> ---- Original Message ----- > From: "Jared Mauch" > Anyone done this dynamic synthesis w/ bind? dnssec thoughts as well? i > know this isn't namedroppers, but perhaps someone can post some code > or examples, or a link to a webpage with them? Earthlink, I believe; DENTS has a module for doing this for reverse DNS. I think it was called DENTS; there's a white paper on it, but it's pretty rough to Google, as you might expect. So far as I can see, they still use it; my sis is an EL cablemodem customer, and her rDNS is algorithmically generated. Cheers, -- jra From straterra at fuhell.com Mon Dec 6 13:15:10 2010 From: straterra at fuhell.com (Thomas York) Date: Mon, 6 Dec 2010 14:15:10 -0500 Subject: ipfix/netflow/sflow generator for Linux Message-ID: At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces). I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. 
I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.

Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

From jack at crepinc.com Mon Dec 6 13:25:33 2010
From: jack at crepinc.com (Jack Carrozzo)
Date: Mon, 6 Dec 2010 14:25:33 -0500
Subject: ipfix/netflow/sflow generator for Linux

IPtraf can be set up to look at flows per-block, per interface, per vlan, etc. and export the data every minute / 5 minutes. Back in the day I had it scripted to dump data into rrdtool and give pretty graphs. See the man page; it's well written.

Cheers,

-Jack Carrozzo

On Mon, Dec 6, 2010 at 2:15 PM, Thomas York wrote:
> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>
> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

From mpalmer at hezmatt.org Mon Dec 6 13:31:41 2010
From: mpalmer at hezmatt.org (Matthew Palmer)
Date: Tue, 7 Dec 2010 06:31:41 +1100
Subject: ipfix/netflow/sflow generator for Linux
Message-ID: <20101206193141.GZ4783@hezmatt.org>

On Mon, Dec 06, 2010 at 02:15:10PM -0500, Thomas York wrote:
> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

Fix ipcad to send the interface number.

- Matt

--
Just because we work at a University doesn't mean we're surrounded by smart people.
-- Brian Kantor, in the monastery

From sp446 at georgetown.edu Mon Dec 6 14:37:36 2010
From: sp446 at georgetown.edu (Samuel Petreski)
Date: Mon, 6 Dec 2010 15:37:36 -0500
Subject: ipfix/netflow/sflow generator for Linux
Message-ID: <020c01cb9585$6b186160$41492420$@georgetown.edu>

I've used fprobe with great success. You can run multiple instances of fprobe for the different interfaces.

--Samuel

fprobe: a NetFlow probe - libpcap-based tool that collects network traffic data and emits it as NetFlow flows towards the specified collector.

WWW: http://sourceforge.net/projects/fprobe

--
Samuel Petreski
Sr. Security Analyst
Georgetown University

> -----Original Message-----
> From: Thomas York [mailto:straterra at fuhell.com]
> Sent: Monday, December 06, 2010 2:15 PM
> To: nanog at nanog.org
> Subject: ipfix/netflow/sflow generator for Linux
>
> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>
> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

From straterra at fuhell.com Mon Dec 6 14:44:57 2010
From: straterra at fuhell.com (Thomas York)
Date: Mon, 6 Dec 2010 15:44:57 -0500
Subject: ipfix/netflow/sflow generator for Linux
In-Reply-To: <020c01cb9585$6b186160$41492420$@georgetown.edu>
References: <020c01cb9585$6b186160$41492420$@georgetown.edu>

fprobe doesn't work properly because it has the input and output interface IDs as both 0. In Scrutinizer, this makes the flow look like all the data came in the interface and immediately left via the same interface. Also, this causes problems when running multiple instances of fprobe.

This seems to be the issue with most of the flow software I've tried.

-----Original Message-----
From: Samuel Petreski [mailto:sp446 at georgetown.edu]
Sent: Monday, December 06, 2010 3:38 PM
To: 'Thomas York'; nanog at nanog.org
Subject: RE: ipfix/netflow/sflow generator for Linux

I've used fprobe with great success. You can run multiple instances of fprobe for the different interfaces.

--Samuel

fprobe: a NetFlow probe - libpcap-based tool that collects network traffic data and emits it as NetFlow flows towards the specified collector.

WWW: http://sourceforge.net/projects/fprobe

--
Samuel Petreski
Sr. Security Analyst
Georgetown University

> -----Original Message-----
> From: Thomas York [mailto:straterra at fuhell.com]
> Sent: Monday, December 06, 2010 2:15 PM
> To: nanog at nanog.org
> Subject: ipfix/netflow/sflow generator for Linux
>
> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>
> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

From ka at pacific.net Mon Dec 6 15:04:14 2010
From: ka at pacific.net (Ken A)
Date: Mon, 06 Dec 2010 15:04:14 -0600
Subject: ipfix/netflow/sflow generator for Linux
References: <020c01cb9585$6b186160$41492420$@georgetown.edu>
Message-ID: <4CFD4FCE.2020304@pacific.net>

Have you considered argus? It can deliver "argus flows" from multiple interfaces.

From http://www.qosient.com/argus/ :
> Argus can be considered an implementation of the architecture described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and the project has actively contributed to the IPFIX effort, however, Argus technology should be considered a superset of the IPFIX architecture, providing "proof of concept" implementations for most aspects of the IPFIX applicability statement. Argus technology can read and process Cisco Netflow data, and many sites develop audits using a mixture of Argus and Netflow records.

Ken

On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output interface IDs as both 0. In Scrutinizer, this makes the flow look like all the data came in the interface and immediately left via the same interface. Also, this causes problems when running multiple instances of fprobe.
>
> This seems to be the issue with most of the flow software I've tried.
>
> -----Original Message-----
> From: Samuel Petreski [mailto:sp446 at georgetown.edu]
> Sent: Monday, December 06, 2010 3:38 PM
> To: 'Thomas York'; nanog at nanog.org
> Subject: RE: ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances of fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network traffic data and emits it as NetFlow flows towards the specified collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> --
> Samuel Petreski
> Sr. Security Analyst
> Georgetown University
>
>> -----Original Message-----
>> From: Thomas York [mailto:straterra at fuhell.com]
>> Sent: Monday, December 06, 2010 2:15 PM
>> To: nanog at nanog.org
>> Subject: ipfix/netflow/sflow generator for Linux
>>
>> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>>
>> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>>
>> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From straterra at fuhell.com Mon Dec 6 15:15:59 2010
From: straterra at fuhell.com (Thomas York)
Date: Mon, 6 Dec 2010 16:15:59 -0500
Subject: ipfix/netflow/sflow generator for Linux
In-Reply-To: <4CFD4FCE.2020304@pacific.net>
References: <020c01cb9585$6b186160$41492420$@georgetown.edu> <4CFD4FCE.2020304@pacific.net>

Never heard of it. I'll give it a shot. Another project that uses argus also looks interesting.. http://nautilus.oshean.org/wiki/Periscope

-----Original Message-----
From: Ken A [mailto:ka at pacific.net]
Sent: Monday, December 06, 2010 4:04 PM
To: nanog at nanog.org
Subject: Re: ipfix/netflow/sflow generator for Linux

Have you considered argus? It can deliver "argus flows" from multiple interfaces.

From http://www.qosient.com/argus/ :
> Argus can be considered an implementation of the architecture described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and the project has actively contributed to the IPFIX effort, however, Argus technology should be considered a superset of the IPFIX architecture, providing "proof of concept" implementations for most aspects of the IPFIX applicability statement. Argus technology can read and process Cisco Netflow data, and many sites develop audits using a mixture of Argus and Netflow records.

Ken

On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output interface IDs as both 0. In Scrutinizer, this makes the flow look like all the data came in the interface and immediately left via the same interface. Also, this causes problems when running multiple instances of fprobe.
>
> This seems to be the issue with most of the flow software I've tried.
>
> -----Original Message-----
> From: Samuel Petreski [mailto:sp446 at georgetown.edu]
> Sent: Monday, December 06, 2010 3:38 PM
> To: 'Thomas York'; nanog at nanog.org
> Subject: RE: ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances of fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network traffic data and emits it as NetFlow flows towards the specified collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> --
> Samuel Petreski
> Sr. Security Analyst
> Georgetown University
>
>> -----Original Message-----
>> From: Thomas York [mailto:straterra at fuhell.com]
>> Sent: Monday, December 06, 2010 2:15 PM
>> To: nanog at nanog.org
>> Subject: ipfix/netflow/sflow generator for Linux
>>
>> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>>
>> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>>
>> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From rdobbins at arbor.net Mon Dec 6 15:20:18 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Mon, 6 Dec 2010 21:20:18 +0000
Subject: ipfix/netflow/sflow generator for Linux
References: <020c01cb9585$6b186160$41492420$@georgetown.edu>
Message-ID: <8757E96F-186E-465A-886E-BEA755D1B056@arbor.net>

On Dec 7, 2010, at 3:44 AM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output interface IDs as both 0.

IIRC, this can be altered via a config change.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From straterra at fuhell.com Mon Dec 6 15:24:30 2010
From: straterra at fuhell.com (Thomas York)
Date: Mon, 6 Dec 2010 16:24:30 -0500
Subject: ipfix/netflow/sflow generator for Linux
In-Reply-To: <8757E96F-186E-465A-886E-BEA755D1B056@arbor.net>
References: <020c01cb9585$6b186160$41492420$@georgetown.edu> <8757E96F-186E-465A-886E-BEA755D1B056@arbor.net>

It can, but then you are setting the input/output IDs statically. That would work fine if your router only had 2 interfaces. We currently have routers with a single (or few) WAN interfaces and multiple internal interfaces and there isn't any way to statically categorize the data.

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins at arbor.net]
Sent: Monday, December 06, 2010 4:20 PM
To: North American Network Operators Group
Subject: Re: ipfix/netflow/sflow generator for Linux

On Dec 7, 2010, at 3:44 AM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output interface IDs as both 0.

IIRC, this can be altered via a config change.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.
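The interface-index problem discussed in this thread (fprobe exporting input/output as 0/0, ipcad exporting 65535), checked on the collector side as an added example that is not code from the thread or from any of the tools named in it: a NetFlow v5 parser that classifies each record by whether its SNMP ifIndex fields can support per-interface accounting. The datagram, addresses and ifIndex values are constructed.

```python
"""NetFlow v5 collector-side check for usable interface indices.

Added example, not code from this thread or from fprobe, ipcad, nprobe or
Scrutinizer. It parses a NetFlow v5 datagram and classifies each record by
whether its input/output SNMP ifIndex fields can support per-interface
accounting: 0/0 (as reported above for fprobe) and 65535/65535 (as reported
for ipcad) are flagged. The datagram, addresses and ifIndex values below are
constructed for the example.
"""
import socket
import struct
from collections import Counter

# Cisco NetFlow v5 wire format: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# ifIndex values that carry no interface information at all.
UNKNOWN_IFINDEX = {0, 65535}


def parse_v5(datagram):
    """Return (header, records) for one NetFlow v5 datagram, or raise ValueError."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _unix_secs, _unix_nsecs,
     sequence, _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version field is %d" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError("truncated datagram: %d bytes, header implies %d"
                         % (len(datagram), expected))
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "input": f[3],      # SNMP ifIndex of the input interface
            "output": f[4],     # SNMP ifIndex of the output interface
            "packets": f[5],
            "octets": f[6],
            "sport": f[9],
            "dport": f[10],
            "proto": f[13],
        })
    header = {"count": count, "sequence": sequence,
              "engine_id": engine_id, "sampling": sampling}
    return header, records


def classify_ifindex(record):
    """Label a record by how usable its interface indices are."""
    if record["input"] in UNKNOWN_IFINDEX and record["output"] in UNKNOWN_IFINDEX:
        return "no-interface"   # 0/0 or 65535/65535: cannot be attributed to a port
    if record["input"] == record["output"]:
        return "hairpin"        # same ifIndex both ways: reads as in-and-straight-out
    return "ok"


def audit(datagram):
    """Count records per class; a probe exporting real ifIndexes yields mostly 'ok'."""
    _header, records = parse_v5(datagram)
    return dict(Counter(classify_ifindex(r) for r in records))


def _record(src, dst, ifin, ifout, octets, sport, dport, proto):
    """Build one constructed v5 record (next hop, AS and timing fields are dummies)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"), ifin, ifout, 1, octets,
                          1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed datagram: a version-5 header announcing 3 records, then the records.
SAMPLE = V5_HEADER.pack(5, 3, 123456, 1291670000, 0, 42, 0, 1, 0) + b"".join([
    _record("192.0.2.10", "198.51.100.5", 2, 3, 1500, 54321, 443, 6),          # usable
    _record("192.0.2.11", "198.51.100.6", 0, 0, 900, 40000, 80, 6),            # fprobe-style 0/0
    _record("192.0.2.12", "198.51.100.7", 65535, 65535, 120, 5353, 5353, 17),  # ipcad-style
])

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'ok': 1, 'no-interface': 2}
```

Pointing the same check at a live export (one UDP datagram per call) shows at a glance whether a probe is worth feeding to a per-interface accounting tool before any graphs are built on it.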
From rdobbins at arbor.net Mon Dec 6 15:41:41 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Mon, 6 Dec 2010 21:41:41 +0000
Subject: ipfix/netflow/sflow generator for Linux
References: <020c01cb9585$6b186160$41492420$@georgetown.edu> <8757E96F-186E-465A-886E-BEA755D1B056@arbor.net>
Message-ID: <73DDF05C-C52D-41EC-92C4-165A3AA09E12@arbor.net>

On Dec 7, 2010, at 4:24 AM, Thomas York wrote:
> It can, but then you are setting the input/output IDs statically. That would work fine if your router only had 2 interfaces.

With a probe of this type, northbound/southbound tagging is generally sufficient, in my experience (i.e., let's not make the perfect the enemy of the merely good). ;>

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From yiming.gong at xo.com Mon Dec 6 15:45:33 2010
From: yiming.gong at xo.com (Yiming Gong)
Date: Mon, 06 Dec 2010 15:45:33 -0600
Subject: ipfix/netflow/sflow generator for Linux
Message-ID: <4CFD597D.4030100@xo.com>

Try PMACCT, it is pretty handy.

Yiming

On 12/06/2010 01:15 PM, Thomas York wrote:
> At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).
>
> I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

From esj at cs.fiu.edu Mon Dec 6 16:34:47 2010
From: esj at cs.fiu.edu (Eric S. Johnson)
Date: Mon, 06 Dec 2010 17:34:47 -0500
Subject: ipfix/netflow/sflow generator for Linux
In-Reply-To: Your message of "Mon, 06 Dec 2010 15:44:57 EST."
Message-ID: <20101206223447.DB600B88180@cheetah.cs.fiu.edu>

> fprobe doesn't work properly because it has the input and output interface IDs as both 0.

fprobe-ulog fixes this. From the http://fprobe.sourceforge.net/ front page:

fprobe-ulog - libipulog-based fork of fprobe. It obtains packets through linux netfilter code (iptables ULOG target). The main advantages of this version are native input/output interface SNMP-index support and significant performance benefit. Of course, this version works on linux only.

We have used it here for a few years and have been quite happy with it.

E

From jeroen at mompl.net Mon Dec 6 19:02:40 2010
From: jeroen at mompl.net (Jeroen van Aart)
Date: Mon, 06 Dec 2010 17:02:40 -0800
Subject: ARIN space not accepted
In-Reply-To: <861v5vf5ij.fsf@seastrom.com>
References: <20101204064309.2775B1CC0C@ptavv.es.net> <861v5vf5ij.fsf@seastrom.com>
Message-ID: <4CFD87B0.9000703@mompl.net>

>>> From: Valdis.Kletnieks at vt.edu
>>>> From: Valdis.Kletnieks at vt.edu
>>> Date: Fri, 03 Dec 2010 20:00:15 -0500
>>>> 224/3
>>> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
>> Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.

240/4 appears to be reserved for "Future use"...

"[15] Reserved for future use (formerly "Class E") [RFC1112]"

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html

From truman at suspicious.org Tue Dec 7 00:25:35 2010
From: truman at suspicious.org (Truman Boyes)
Date: Tue, 7 Dec 2010 14:25:35 +0800
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>

On 6 Dec 2010, at 11:07 PM, Owen DeLong wrote:
> On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote:
>> On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
>>> Speaking of IPV6 security, is there any movement towards any open source IPV6 firewall solutions for the consumer / small business?
>>>
>>> Almost all the info I've managed to find to date indicates no support, nor any planned support in upcoming releases.
>>>
>>> Any info would be helpful.
>>
>> Honestly (and I'm sure some IPv6 folks will want me injured as a result) there should be some '1918-like' space allocated for the corporate guys who "don't get it", so they can nat everyone through a single /128. It would make life easier for them and quite possibly be a large item in pushing ipv6 deployment in the enterprise.
>
> Yes... Those of us who would like to see sanity return to the internet would prefer to have you lynched for such heresy. ;-)
>
> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.

You can of course use Unique Local IPv6 Unicast Addresses internally (RFC 4193). And if you wanted you could NAT66. But, this is not an ideal way to design a network. The benefit of RFC1918 addresses is that you can easily know the perimeter of your global reachability. You can achieve the same with public IPv6 by *knowing* your security policy. Public addresses on internal infrastructure are quite normal.

>> I don't see our corporate IT guys that number stuff in 1918 space wanting to put hosts on 'real' ips. The chances for unintended routing are enough to make them say that v6 is actually a security risk vs security enabler is my suspicion.
>
> There are multiple easy ways to solve this problem that don't require the use of NAT or the damage that comes with it.
>
> First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
>
> It's trivial to implement an IPv6 default-deny-inbound stateful inspection policy that provides exactly the same security model as is afforded by the current NAT box in IPv4 without mangling the packet headers. The rest is superstition. Admittedly, superstition is powerful among IT professionals, especially in the enterprise world. So strong that people on this very list who I generally respect and consider to be good competent professionals tell me that I'm flat out wrong about it.
>
> However, not one of them has been able to produce an argument that actually stands up to scrutiny. The closest they can come is what happens when someone misconfigures something. However, I've always been able to show that it's equally easy to make fatal misconfigurations on the NAT box with just as dire consequences.
>
> Owen

I agree with Owen. You could NAT66, but seriously, why bother with all that headache in implementing v6 on your hosts and then putting all sessions through NAT. IPv6 security policy would be more explicit security than a NAT perimeter.
Truman

From drais at icantclick.org Tue Dec 7 07:18:31 2010
From: drais at icantclick.org (david raistrick)
Date: Tue, 7 Dec 2010 08:18:31 -0500 (EST)
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>

On Mon, 6 Dec 2010, Owen DeLong wrote:
> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.

[with my flame-retardant hat installed firmly]

So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules... but it's life or death for a lot of folks.

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org http://www.expita.com/nomime.html

From straterra at fuhell.com Tue Dec 7 07:27:19 2010
From: straterra at fuhell.com (Thomas York)
Date: Tue, 7 Dec 2010 08:27:19 -0500
Subject: ipfix/netflow/sflow generator for Linux

I just retested nprobe and it has the same issue as most of the other tools. It doesn't specify the InputInt and OutputInt properly. Yes, you can statically set it but that will drastically skew the data in this environment. I'm not against running multiple processes, I've just not found a product that runs using multiple processes that does what I need to.

I just noticed the ntop version in EPEL is fairly old, so I'll try to compile the latest myself and see if it's more stable.

Also, FYI to anyone who is interested in this, I've opened a support ticket with ipcad to fix the interface numbering issue. http://tinyurl.com/32pjyfa

From: packetmonger at gmail.com [mailto:packetmonger at gmail.com] On Behalf Of Darren Bolding
Sent: Monday, December 06, 2010 8:57 PM
To: Thomas York
Subject: Re: ipfix/netflow/sflow generator for Linux

We've used nprobe with good success, passing the flows to ntop, nfsen etc.

nProbe supports specifying the interface- so yes, you would have to run multiple processes, but I believe it would work.

We went ahead and purchased the PF_RING driver as it significantly improved the capture performance of our systems.

I'm assuming since you tried it, you really don't want to fire up a separate process for each interface?

I'd love to hear what you thought about the various tools and what you end up deciding on. For us, we collect the data using nprobe and have had no problem getting ntop to stably analyze those flows when pointed to it.

NFSEN is pretty damn cool also. We point various nprobe, netflow, sflow data at it with good effect.

--D

On Mon, Dec 6, 2010 at 11:15 AM, Thomas York wrote:

At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms. My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).

I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.

Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version. So... any ideas on what I can do to get good flow information from our Linux routers?

--
-- Darren Bolding --
-- darren at bolding.org --

From cra at WPI.EDU Tue Dec 7 08:05:25 2010
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 7 Dec 2010 09:05:25 -0500
Subject: Pointer for documentation on actually delivering IPv6
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
Message-ID: <20101207140524.GF22479@angus.ind.WPI.EDU>

On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
> On Mon, 6 Dec 2010, Owen DeLong wrote:
>> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
>
> [with my flame-retardant hat installed firmly]
>
> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules... but it's life or death for a lot of folks.

Simple. Use RFC1918 IPv4 alongside global IPv6 addresses. Done :-)

From joelja at bogus.com Tue Dec 7 08:23:07 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Tue, 07 Dec 2010 06:23:07 -0800
Subject: Pointer for documentation on actually delivering IPv6
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com>
Message-ID: <4CFE434B.7030509@bogus.com>

On 12/7/10 5:18 AM, david raistrick wrote:
> On Mon, 6 Dec 2010, Owen DeLong wrote:
>> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
>
> [with my flame-retardant hat installed firmly]
>
> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules... but it's life or death for a lot of folks.

Document a compensating control... That particular case is trivial to demonstrate that the in scope addresses are not exposed to the internet.

> --
> david raistrick http://www.netmeister.org/news/learn2quote.html
> drais at icantclick.org http://www.expita.com/nomime.html

From owen at delong.com Tue Dec 7 08:27:00 2010
From: owen at delong.com (Owen DeLong)
Date: Tue, 7 Dec 2010 06:27:00 -0800
Subject: Pointer for documentation on actually delivering IPv6
In-Reply-To: <20101207140524.GF22479@angus.ind.WPI.EDU>
References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> <561818C9-A251-4AAA-B6D5-F5B2DAD5FD9D@delong.com> <20101207140524.GF22479@angus.ind.WPI.EDU>
Message-ID: <9AEC0112-2246-402A-916F-BBCCB5B298A9@delong.com>

On Dec 7, 2010, at 6:05 AM, Chuck Anderson wrote:
> On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
>> On Mon, 6 Dec 2010, Owen DeLong wrote:
>>> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
>>
>> [with my flame-retardant hat installed firmly]
>>
>> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules... but it's life or death for a lot of folks.
>
> Simple. Use RFC1918 IPv4 alongside global IPv6 addresses. Done :-)

1. PCI allows for equivalent effective security. IPv6 privacy addresses actually meet that test, among other possible solutions.

2. I believe there is work underway to correct some of the specious requirements in PCI DSS, among which this is one.

Owen

From Gavin.Pearce at 3seven9.com Tue Dec 7 10:39:54 2010
From: Gavin.Pearce at 3seven9.com (Gavin Pearce)
Date: Tue, 7 Dec 2010 16:39:54 -0000
Subject: Abuse@ contacts

Hello,

After a weekend of heavy spam last month, we decided to fire some reports over to the abuse contacts for each relevant IP or domain - some US/Europe based, others from more "obscure" locations.

We've not had a reply from any of the reports sent over, other than some automated bounces. Each report from us contained detailed information about IP, date, headers, spam content, relevant ranges etc ...

How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?

Apologies in advance if this has been around before - I'm new here. (:

Gav

From tme at americafree.tv Tue Dec 7 10:53:28 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Tue, 7 Dec 2010 11:53:28 -0500
Subject: Darwin becomes home to first multicast mesh network
Message-ID: <7C4D0E68-4EED-4BF7-A123-905960BB6D88@americafree.tv>

Does anyone know if this is actually an IP multicast mesh network, and, if so, anything about its protocols and deployment experience?

Regards
Marshall

http://www.computerworld.com.au/article/370450/darwin_becomes_home_first_multicast_mesh_network/

Darwin has become home to the first multicast mesh network in Australia after the installation of an $8 million 109 camera CCTV self-healing wireless network.

The project, set up to manage six square kilometres of Darwin's CBD, began after the NT Police, Fire and Emergency Services Department awarded the contract to Darwin-based security company, Security and Technology Services (STS).

Managing 109 closed circuit TV cameras initially proved troublesome for the NT Police, which often experienced power outages resulting from lightning strikes as well as the transmission of high definition video streams from cameras to three police stations and a fourth remote storage facility.

Adelaide based network company MIMP was chosen by STS to deliver a highly redundant, high performance 128-bit data encrypted wireless network to integrate Darwin's central camera system.

From simonw at zynet.net Tue Dec 7 10:53:36 2010
From: simonw at zynet.net (Simon Waters)
Date: Tue, 7 Dec 2010 16:53:36 +0000
Subject: Abuse@ contacts
Message-ID: <201012071653.36880.simonw@zynet.net>

> Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?

http://www.rfc-ignorant.org/tools/submit_form.php?table=abuse

From dseagrav at humancapitaldev.com Tue Dec 7 11:14:40 2010
From: dseagrav at humancapitaldev.com (Daniel Seagraves)
Date: Tue, 7 Dec 2010 11:14:40 -0600
Subject: Abuse@ contacts
Message-ID: <33FE687F-9967-4C80-AF6A-3846D8B1787B@humancapitaldev.com>

On Dec 7, 2010, at 10:39 AM, Gavin Pearce wrote:
> After a weekend of heavy spam last month, we decided to fire some reports over to the abuse contacts for each relevant IP or domain - some US/Europe based, others from more "obscure" locations.
>
> We've not had a reply from any of the reports sent over, other than some automated bounces. Each report from us contained detailed information about IP, date, headers, spam content, relevant ranges etc ...
>
> How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?

I answer ours, and I've sent a few abuse complaints (sometimes in error...) I haven't kept count, but I'd say I get an answer at least 50% of the time.
From linkconnect at googlemail.com Tue Dec 7 11:26:48 2010
From: linkconnect at googlemail.com (Wayne Lee)
Date: Tue, 7 Dec 2010 17:26:48 +0000
Subject: Abuse@ contacts
In-Reply-To: <33FE687F-9967-4C80-AF6A-3846D8B1787B@humancapitaldev.com>
References: <33FE687F-9967-4C80-AF6A-3846D8B1787B@humancapitaldev.com>

>> How many of you (honestly) actively manage and respond to abuse@ contact
>> details listed in WHOIS? Or have had any luck with abuse@ contacts in
>> the past? Who's good and who isn't?
>
> I answer ours, and I've sent a few abuse complaints (sometimes in error...)
> I haven't kept count, but I'd say I get an answer at least 50% of the time.

My support team and I always answer ours. The only mail auto deleted is when the person contacting us actually tried to send us a copy of the virus they received. Damn they got all pissed when the mail was auto dropped.

Wayne

From jason at i6ix.com Tue Dec 7 11:32:30 2010
From: jason at i6ix.com (Jason Bertoch)
Date: Tue, 07 Dec 2010 12:32:30 -0500
Subject: Abuse@ contacts
Message-ID: <4CFE6FAE.9050309@i6ix.com>

On 2010/12/07 11:39 AM, Gavin Pearce wrote:
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

I answer our abuse@ address and file reports daily. I get automated responses from the free providers, but have little faith they care enough to fix the problem. RIPE regions seem to process reports with an attitude that they care, while LACNIC, AFRINIC, and Asian providers seem to ignore all reports if you can even find a working abuse@ contact. Smaller providers in the ARIN region also seem to do a good job.

--
/Jason
From joe.abley at icann.org Tue Dec 7 12:41:37 2010
From: joe.abley at icann.org (Joe Abley)
Date: Tue, 07 Dec 2010 18:41:37 +0000
Subject: IP6.ARPA Nameserver Change Completed

IP6.ARPA NAMESERVER CHANGE COMPLETED

This is a courtesy notification of a change to the nameserver set for the IP6.ARPA zone. There is no expected impact on the functional operation of the DNS due to this change. There are no actions required by DNS server operators or end users.

DETAIL

The IP6.ARPA zone is used to provide reverse mapping (number to name) for IPv6, as described in RFC 3596.

The servers which previously provided authoritative DNS service for the IP6.ARPA zone were as follows:

  TINNIE.ARIN.NET
  NS-SEC.RIPE.NET
  NS2.LACNIC.NET
  SEC1.APNIC.NET
  NS.ICANN.ORG

As previously advised, processing began on Wednesday 2010-12-01 to change the nameserver set to the following, as described in RFC 5855:

  A.IP6-SERVERS.ARPA (operated by ARIN)
  B.IP6-SERVERS.ARPA (operated by ICANN)
  C.IP6-SERVERS.ARPA (operated by AfriNIC)
  D.IP6-SERVERS.ARPA (operated by LACNIC)
  E.IP6-SERVERS.ARPA (operated by APNIC)
  F.IP6-SERVERS.ARPA (operated by RIPE NCC)

This change is now complete.

Regards,

Joe Abley
Director DNS Operations
ICANN

From rsk at gsp.org Tue Dec 7 13:10:45 2010
From: rsk at gsp.org (Rich Kulawiec)
Date: Tue, 7 Dec 2010 14:10:45 -0500
Subject: Abuse@ contacts
Message-ID: <20101207191045.GA20782@gsp.org>

On Tue, Dec 07, 2010 at 04:39:54PM -0000, Gavin Pearce wrote:
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?
Inbound: wherever I am, I try to make it a point of emphasis that incoming mail to abuse very likely represents someone trying to help us by doing the job that we failed to do, and as such, it deserves very high priority, and -- if correct -- our gratitude.

Outbound: mixed. I've had excellent response from academic institutions (most recently Indiana University) and from some commercial operations (e.g., mail.com). I've had responses somewhere between "non-existent", "miserable", and "random" from major freemail providers.

---rsk

From smb at cs.columbia.edu Tue Dec 7 13:19:15 2010
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Tue, 7 Dec 2010 14:19:15 -0500
Subject: ARIN space not accepted
In-Reply-To: <20101204064309.2775B1CC0C@ptavv.es.net>
References: <20101204064309.2775B1CC0C@ptavv.es.net>
Message-ID: <3A9A1D53-C95E-42C0-8607-AEAB410C0B6F@cs.columbia.edu>

On Dec 4, 2010, at 1:43:09 AM, Kevin Oberman wrote:

>> From: Valdis.Kletnieks at vt.edu
>>> From: Valdis.Kletnieks at vt.edu
>> Date: Fri, 03 Dec 2010 20:00:15 -0500
>>
>> On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
>>
>>> It is speculated that no later than Q1, two more /8's will be allocated,
>>> triggering a policy that will give the remaining 5 /8's out to the
>>> RIR's. That means, prior to end of Q1, the bogon list will be:
>>>
>>> 0/8
>>> 10/8
>>> 127/8
>>> 172.16/12
>>> 192.168/16
>>> 224/3
>>
>> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
>
> Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues
> if you accept multicast traffic from anyone.

Bidirectional blocking of traffic with source addresses in 224/3 -- that should never happen unless I badly misunderstand multicast.
--Steve Bellovin, http://www.cs.columbia.edu/~smb

From tom at dyn.com Tue Dec 7 13:20:46 2010
From: tom at dyn.com (Tom Daly)
Date: Tue, 7 Dec 2010 14:20:46 -0500 (EST)
Subject: Lightning Debates at NANOG 51
In-Reply-To: <405924977.6641291734110580.JavaMail.tom@dhcp-251.office.mht.dyndns.com>
Message-ID: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>

Folks,
I've been tempted by the NANOG PC into trying to run some "Lightning Debates" at NANOG 51 in Miami. The idea, similar to lightning talks, is a 30 minute session, covering 3 debate topics, 10 minutes each. Each person would get 5 minutes to argue their side of the issue.

Some ideas so far:

UPS Systems: Battery vs. Flywheel
Cooling: Raised floor vs. Underfloor
Power: AC vs. DC
Ethernet: 40GE vs. 100GE
Optics: XFP vs. SFP+
Address Families: IPv4 vs. IPv6

I'm soliciting panelists, and ideas. Please let me know if you're interested in participating in what will hopefully be a unique and exciting session.

Best,
Tom

--
Tom Daly
http://dyn.com/

From jgreco at ns.sol.net Tue Dec 7 13:25:55 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Tue, 7 Dec 2010 13:25:55 -0600 (CST)
Subject: Abuse@ contacts
In-Reply-To: <20101207191045.GA20782@gsp.org>
Message-ID: <201012071925.oB7JPt96065811@aurora.sol.net>

> On Tue, Dec 07, 2010 at 04:39:54PM -0000, Gavin Pearce wrote:
> > How many of you (honestly) actively manage and respond to abuse@ contact
> > details listed in WHOIS? Or have had any luck with abuse@ contacts in
> > the past? Who's good and who isn't?
>
> Inbound: wherever I am, I try to make it a point of emphasis that
> incoming mail to abuse very likely represents someone trying to help
> us by doing the job that we failed to do, and as such, it deserves
> very high priority, and -- if correct -- our gratitude.
>
> Outbound: mixed. I've had excellent response from academic institutions
> (most recently Indiana University) and from some commercial operations
> (e.g., mail.com).
> I've had responses somewhere between "non-existent",
> "miserable", and "random" from major freemail providers.

Having watched this issue for years, I'll say that there's a large body of good abuse desks you'll never need to talk to, because the very qualities that cause a network to host a responsive abuse desk are in many cases the same things that drive engineering and other processes that minimize the chances for abuse in the first place.

For the best networks, the abuse desk exists entirely as a fire alarm, never meant to receive any volume of meaningful complaints, because there should be no abusive traffic originating. This includes many corporate networks.

Middle ground are many schools, where policy is to run a clean network, but practical realities of students and faculty result in some problems. They truly appreciate abuse reports, because so few people bother to send them in this era, and doing so helps make the Internet a nicer place to be. On the other hand, other schools have clearly given the issue no thought, or don't wish to deal with the problems...

Commercial service providers are more of a mixed bag. Many are very clueful and want to run a clean network. Others look at the abuse desk as a money-losing black hole that serves mainly to cause customer churn. Cheap webhosts and the like are typically under pressure to keep costs low. You may end up with an abuse desk that overreacts, or that doesn't care until the volume of complaints becomes deafening.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From owen at delong.com Tue Dec 7 13:49:49 2010
From: owen at delong.com (Owen DeLong)
Date: Tue, 7 Dec 2010 11:49:49 -0800
Subject: Lightning Debates at NANOG 51
In-Reply-To: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <6DB8A115-6DB5-41BE-BC39-26A54857BA41@delong.com>

On Dec 7, 2010, at 11:20 AM, Tom Daly wrote:

> Folks,
> I've been tempted by the NANOG PC into trying to run some "Lightning Debates" at NANOG 51 in Miami. The idea, similar to lightning talks, is a 30 minute session, covering 3 debate topics, 10 minutes each. Each person would get 5 minutes to argue their side of the issue.
>
> Some ideas so far:
>
> UPS Systems: Battery vs. Flywheel
>
Which side will be represented by the folks from 365 Main?

> Cooling: Raised floor vs. Underfloor
>
What about overhead (which is the usual opposite to underfloor which is the same as raised floor in most cases)

> Power: AC vs. DC
>
I think this is more context sensitive and that a one-size fits all argument on either side wouldn't make much sense.

> Ethernet: 40GE vs. 100GE
>
ROFL

> Optics: XFP vs. SFP+
>
This is a debate topic? Really?

> Address Families: IPv4 vs. IPv6
>
Ooh... This one might be interesting.

Owen

From Greg.Whynott at oicr.on.ca Tue Dec 7 14:14:04 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Tue, 7 Dec 2010 15:14:04 -0500
Subject: Lightning Debates at NANOG 51
In-Reply-To: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <26D4C9FD-18E5-411C-AE40-179E02CD5941@oicr.on.ca>

> Cooling: Raised floor vs. Underfloor

forgive me, but what is the difference between raised floor and underfloor?

> Ethernet: 40GE vs. 100GE

people are debating which is better? really?

> Optics: XFP vs. SFP+

?

some interesting choices of things to debate..
are these serious debate sessions or more for fun?

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.

From bicknell at ufp.org Tue Dec 7 14:17:57 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Tue, 7 Dec 2010 12:17:57 -0800
Subject: Lightning Debates at NANOG 51
In-Reply-To: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <405924977.6641291734110580.JavaMail.tom@dhcp-251.office.mht.dyndns.com> <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <20101207201757.GA26837@ussenterprise.ufp.org>

I have a suggestion...

Nanog Mailing List: Critical Operational Content vs. Break time Amusement

*ducks*

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From tom at dyn.com Tue Dec 7 14:24:16 2010
From: tom at dyn.com (Tom Daly)
Date: Tue, 7 Dec 2010 15:24:16 -0500 (EST)
Subject: Lightning Debates at NANOG 51
In-Reply-To: <26D4C9FD-18E5-411C-AE40-179E02CD5941@oicr.on.ca>
Message-ID: <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>

Greg,

> forgive me, but what is the difference between raised floor and
> underfloor?

Excuse me. Raised floor vs. overhead.

> > Ethernet: 40GE vs. 100GE
>
> people are debating which is better? really?

I'm sure someone has an opinion...

> > Optics: XFP vs. SFP+
>
> ?
>
> some interesting choices of things to debate..
> are these serious
> debate sessions or more for fun?

They are meant to be informative. Maybe you have no idea on what XFP or SFP+ is because you've been running a Gigabit based network and haven't made the jump to 10GE yet - the debate might give you the top 3-5 points on why each might be the right option for you. And then, of course, there is a fun factor.

Tom

From gbonser at seven.com Tue Dec 7 14:29:54 2010
From: gbonser at seven.com (George Bonser)
Date: Tue, 7 Dec 2010 12:29:54 -0800
Subject: Lightning Debates at NANOG 51
In-Reply-To: <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <26D4C9FD-18E5-411C-AE40-179E02CD5941@oicr.on.ca> <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDAA@RWC-EX1.corp.seven.com>

> They are meant to be informative. Maybe you have no idea on what XFP or
> SFP+ is because you've been running a Gigabit based network and haven't
> made the jump to 10GE yet - the debate might give you the top 3-5
> points on why each might be the right option for you. And then, of
> course, there is a fun factor.
>
> Tom
>

In most cases it isn't an option, you use what the hardware uses. I can't decide to use an SFP+ in a unit with XFP form factor. I select the hardware according to the features I need and then buy the optics it requires, I don't select the hardware based on the optics modules it uses. The only drawback I have seen so far is finding ER optics in SFP+ form factor but they might be available now (I couldn't find them a year or so ago).
A good topic might be ipv6 migration strategies: dual stack or native v6 with nat64/dns64

From Greg.Whynott at oicr.on.ca Tue Dec 7 14:37:03 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Tue, 7 Dec 2010 15:37:03 -0500
Subject: Lightning Debates at NANOG 51
In-Reply-To: <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <86446A2E-36A3-4EC3-A3F8-AA2E5D491BF2@oicr.on.ca>

>
> Excuse me. Raised floor vs. overhead.

ahh that makes much more sense, thanks Tom.

>
> I'm sure someone has an opinion...

i suspect you are correct, not sure who would elect for the slower standard, considering they hit the streets fairly close to each other and I can't see there being a huge difference in cost, but i could be wrong. (the isp i'm connected to is running 100G now)

>
>>> Optics: XFP vs. SFP+
>> Maybe you have no idea on what XFP or SFP+ is because you've been running a Gigabit based network and haven't made the jump to 10GE yet -

i've more 10G ports than you can shake a stick at actually... my '?' was again, people debate this? as the bit rates are verbatim, the major difference which one would choose the other over from my understanding was distance to endpoint.. but again i could be wrong... wishing now i didn't send anything. 8)

-g
From tom at dyn.com Tue Dec 7 14:40:48 2010
From: tom at dyn.com (Tom Daly)
Date: Tue, 7 Dec 2010 15:40:48 -0500 (EST)
Subject: Lightning Debates at NANOG 51
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CDAA@RWC-EX1.corp.seven.com>
Message-ID: <1527262477.691291754442737.JavaMail.tom@dhcp-252.public.mht.dyndns.com>

> In most cases it isn't an option, you use what the hardware uses. I
> can't decide to use an SFP+ in a unit with XFP form factor. I select
> the hardware according to the features I need and then buy the optics
> it requires, I don't select the hardware based on the optics modules
> it uses. The only drawback I have seen so far is finding ER optics in
> SFP+ form factor but they might be available now (I couldn't find them
> a year or so ago).

George,
Good point. Perhaps the context should be more nebulous? Given a choice in an ideal world, not limited by the selection of hardware manufacturers, which do you prefer? ras did a good talk on optics in the past, I'm sure there's some points to discuss.

> A good topic might be ipv6 migration strategies: dual stack or native
> v6 with nat64/dns64

Alright, added. Are you volunteering to speak to one point or the other?

Thanks,
Tom

From morrowc.lists at gmail.com Tue Dec 7 14:44:39 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 7 Dec 2010 15:44:39 -0500
Subject: Abuse@ contacts

On Tue, Dec 7, 2010 at 11:39 AM, Gavin Pearce wrote:
> Hello,
>
>
>
> After a weekend of heavy spam last month, we decided to fire some
> reports over to the abuse contacts for each relevant IP or domain - some
> US/Europe based, others from more "obscure" locations.
>
>
>
> We've not had a reply from any of the reports sent over, other than some
> automated bounces. Each report from us contained detailed information
> about IP, date, headers, spam content, relevant ranges etc ...
>
>
>
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

lack of reply to abuse@ does not mean the box is unmonitored... just that they don't feel it's helpful to reply to inbound mail with .. more mail, especially when much of the inbound mail is automated.

> Apologies in advance if this has been around before - I'm new here. (:

sure.

-chris

From tom at dyn.com Tue Dec 7 14:45:15 2010
From: tom at dyn.com (Tom Daly)
Date: Tue, 7 Dec 2010 15:45:15 -0500 (EST)
Subject: Lightning Debates at NANOG 51
In-Reply-To: <86446A2E-36A3-4EC3-A3F8-AA2E5D491BF2@oicr.on.ca>
Message-ID: <1745314852.731291754707814.JavaMail.tom@dhcp-252.public.mht.dyndns.com>

Greg,

> i suspect you are correct, not sure who would elect for the slower
> standard, considering they hit the streets fairly close to each other
> and I can't see there being a huge difference in cost, but i could be
> wrong. (the isp i'm connected to is running 100G now)

Regarding 40G/100G, I'm sure some in the NANOG community have some feeling towards 40G as it was intended to be a server platform standard. With architectures such as 1aq, TRILL, VL2, etc, there may be some grounds here. What's the good of 100G if you can't push the PPS, for example. Just a thought...

> i've more 10G ports than you can shake a stick at actually... my '?'
> was again, people debate this? as the bit rates are verbatim, the
> major difference which one would choose the other over from my
> understanding was distance to endpoint.. but again i could be wrong...
> wishing now i didn't send anything. 8)

Nah, send away. What debate were you volunteering to take a position on again?
:)
Tom

From jtk at cymru.com Tue Dec 7 14:59:07 2010
From: jtk at cymru.com (John Kristoff)
Date: Tue, 7 Dec 2010 14:59:07 -0600
Subject: Lightning Debates at NANOG 51
In-Reply-To: <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <26D4C9FD-18E5-411C-AE40-179E02CD5941@oicr.on.ca> <451771740.671291753452499.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <20101207145907.11cd2860@t61p>

On Tue, 7 Dec 2010 15:24:16 -0500 (EST)
Tom Daly wrote:

> They are meant to be informative. Maybe you have no idea on what XFP
> or SFP+ is because you've been running a Gigabit based network and
> haven't made the jump to 10GE yet - the debate might give you the top
> 3-5 points on why each might be the right option for you. And then,
> of course, there is a fun factor.

Hi Tom,

I think this could work. However, instead of in terms of X versus Y, I'd suggest coming up with some proposition, such as "You need to be deploying IPv6 right now" and let people sign up for the affirmative or negative.

John

From surfer at mauigateway.com Tue Dec 7 15:19:00 2010
From: surfer at mauigateway.com (Scott Weeks)
Date: Tue, 7 Dec 2010 13:19:00 -0800
Subject: Lightning Debates at NANOG 51
Message-ID: <20101207131900.7A2B34C3@resin13.mta.everyone.net>

--- tom at dyn.com wrote:
From: Tom Daly

> > Ethernet: 40GE vs. 100GE
> people are debating which is better? really?

I'm sure someone has an opinion...
----------------------------------------------------

On NANOG? Naahhhhhhh.... >;-)

scott

From Jac.Kloots at SURFnet.nl Tue Dec 7 15:39:27 2010
From: Jac.Kloots at SURFnet.nl (Jac Kloots)
Date: Tue, 7 Dec 2010 22:39:27 +0100 (CET)
Subject: Lightning Debates at NANOG 51
In-Reply-To: <6DB8A115-6DB5-41BE-BC39-26A54857BA41@delong.com>
References: <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com> <6DB8A115-6DB5-41BE-BC39-26A54857BA41@delong.com>

On Tue, 7 Dec 2010, Owen DeLong wrote:

>> Ethernet: 40GE vs.
>> 100GE
>>
> ROFL

Even more interesting is the 100GE Optics debate. Standardized (expensive and very scarce) 100GBASE-LR4 vs non-standard but cheaper and easier to manufacture LR10 (based on 10x 10Gbit/s on a very narrow DWDM-grid)..

Jac

--
Jac Kloots
Network Services
SURFnet bv

From s.ewing at aussiehq.com.au Tue Dec 7 16:00:06 2010
From: s.ewing at aussiehq.com.au (Shaun Ewing)
Date: Wed, 8 Dec 2010 09:00:06 +1100
Subject: Abuse@ contacts

From: Gavin Pearce
>How many of you (honestly) actively manage and respond to abuse@ contact
>details listed in WHOIS? Or have had any luck with abuse@ contacts in
>the past? Who's good and who isn't?
>

We monitor our abuse queues, but when the email is just a stock standard incident (eg: spam or phishing) we don't actually reply to the emails unless more information is required.

As mentioned previously, a lot of the traffic in abuse queues is automated and you might have anywhere up to 100 emails for a single incident. In these cases, we merge the messages into one ticket, handle the case and close it off.

The nature of our business (hosting) means that we do get a decent amount of abuse traffic - ranging from compromised out of date CMSs used to send spam or host phishing sites right through to fraudulent accounts again used to send spam. Rather than hire additional staff to respond to each abuse email individually we prefer to invest in systems to stop the abuse in the first place. For example, all outbound email from our shared hosting network is checked for spam/viruses and any unusual traffic (such as a spike from a customer who typically only sends a few messages a day) is flagged.
-Shaun

From cpena at ststelecom.com Tue Dec 7 16:12:53 2010
From: cpena at ststelecom.com (Christian Pena)
Date: Tue, 07 Dec 2010 17:12:53 -0500
Subject: Lightning Debates at NANOG 51
In-Reply-To: <20101207201757.GA26837@ussenterprise.ufp.org>
References: <405924977.6641291734110580.JavaMail.tom@dhcp-251.office.mht.dyndns.com> <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com> <20101207201757.GA26837@ussenterprise.ufp.org>

I agree, I just joined the list today and was about to unsubscribe because of all the relatively useless posts

"Leo Bicknell" wrote:

>
>I have a suggestion...
>
>Nanog Mailing List: Critical Operational Content vs. Break time
>Amusement
>
>*ducks*
>
>--
> Leo Bicknell - bicknell at ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From kris.foster at gmail.com Tue Dec 7 16:17:27 2010
From: kris.foster at gmail.com (kris foster)
Date: Tue, 7 Dec 2010 14:17:27 -0800
Subject: Lightning Debates at NANOG 51
References: <405924977.6641291734110580.JavaMail.tom@dhcp-251.office.mht.dyndns.com> <599568926.521291749641213.JavaMail.tom@dhcp-252.public.mht.dyndns.com> <20101207201757.GA26837@ussenterprise.ufp.org>

This is nanog-futures stuff and/or community meeting stuff.

Kris

On Dec 7, 2010, at 2:12 PM, Christian Pena wrote:

> I agree, I just joined the list today and was about to unsubscribe because of all the relatively useless posts
>
> "Leo Bicknell" wrote:
>
>>
>> I have a suggestion...
>>
>> Nanog Mailing List: Critical Operational Content vs. Break time
>> Amusement
>>
>> *ducks*
>>
>> --
>> Leo Bicknell - bicknell at ufp.org - CCIE 3440
>> PGP keys at http://www.ufp.org/~bicknell/
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>

From gbonser at seven.com Tue Dec 7 16:18:40 2010
From: gbonser at seven.com (George Bonser)
Date: Tue, 7 Dec 2010 14:18:40 -0800
Subject: Lightning Debates at NANOG 51
In-Reply-To: <1527262477.691291754442737.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
References: <5A6D953473350C4B9995546AFE9939EE0B14CDAA@RWC-EX1.corp.seven.com> <1527262477.691291754442737.JavaMail.tom@dhcp-252.public.mht.dyndns.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDB3@RWC-EX1.corp.seven.com>

> From: Tom Daly
> Sent: Tuesday, December 07, 2010 12:41 PM
> To: George Bonser
> Cc: nanog at nanog.org; Greg Whynott
> Subject: Re: Lightning Debates at NANOG 51
>
> > A good topic might be ipv6 migration strategies: dual stack or
> native
> > v6 with nat64/dns64
>
> Alright, added. Are you volunteering to speak to one point or the
> other?

I might be happy to submit something written but won't be able to get there in person. Being a sole full-time parent causes some adjustment in priorities. I would certainly be interested in the opinions of others, too.

From leslien at arin.net Tue Dec 7 16:48:11 2010
From: leslien at arin.net (Leslie Nobile)
Date: Tue, 7 Dec 2010 22:48:11 +0000
Subject: ARIN receives 2 new /8 blocks

Hello-

ARIN received the IPv4 address blocks 23.0.0.0/8 and 100.0.0.0/8 from the IANA on November 30, 2010. We will begin making allocations of /22 and shorter prefixes from these blocks in the near future in accordance with ARIN's minimum allocation policy. Network operators may wish to adjust any filters in place accordingly.
For informational purposes, a list of ARIN's currently administered IP address blocks can be found at:

https://www.arin.net/knowledge/ip_blocks.html

Regards,

Leslie Nobile
Director, Registration Services
American Registry for Internet Numbers (ARIN)

From jared at puck.nether.net Tue Dec 7 17:27:51 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 7 Dec 2010 18:27:51 -0500
Subject: BGP attribute 128 activity
Message-ID: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net>

Has anyone else been observing this? This appears to be ATTR_SET and is appearing at route-views. Was curious if anyone else was tracking this (or the origin ;)). It's been going on for some time now and it's not seemed to cause any troubles (part of the reason i monitor for these attributes, early telemetry of attribute noise that has caused vendors trouble..).

- Jared

-- snip --

00 00 FD 88 40 01 01 02 40 02 00 40 05 04 00 00 00 64

From Valdis.Kletnieks at vt.edu Tue Dec 7 17:40:20 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 07 Dec 2010 18:40:20 -0500
Subject: ARIN space not accepted
In-Reply-To: Your message of "Mon, 06 Dec 2010 17:02:40 PST." <4CFD87B0.9000703@mompl.net>
References: <20101204064309.2775B1CC0C@ptavv.es.net> <861v5vf5ij.fsf@seastrom.com> <4CFD87B0.9000703@mompl.net>
Message-ID: <15878.1291765220@localhost>

On Mon, 06 Dec 2010 17:02:40 PST, somebody said:
> >>> From: Valdis.Kletnieks at vt.edu
> >>>> From: Valdis.Kletnieks at vt.edu
> >>> Date: Fri, 03 Dec 2010 20:00:15 -0500
>
> >>>> 224/3
> >>> Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
> >> Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues
> >> if you accept multicast traffic from anyone.

If you're smart enough to actually do multicast, you're smart enough to remove the filter for 224/3.
If you're not smart enough to remove the filter, or you're smart enough but you're one of the 95% that doesn't do multicast, your site should be doing bidirectional filtering of 224/3. ;)

(Do you really want your users emitting outbound packets to/from 224/3 if you don't actually do multicast? Probably not...)

From smb at cs.columbia.edu Tue Dec 7 17:42:33 2010
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Tue, 7 Dec 2010 18:42:33 -0500
Subject: A fascinating piece of spam
Message-ID: <4092047F-EB2A-47DE-BE1A-B8F0F65D4822@cs.columbia.edu>

Well -- spammers are following the NANOG list in real-time, it seems. A few hours after my post this afternoon, I received some spam with a correct Subject: line for that post. I'll be happy to forward the email to anyone who wants to analyze it or find the offender and permanently blacklist "her" from NANOG...

--Steve Bellovin, http://www.cs.columbia.edu/~smb

From jgreco at ns.sol.net Tue Dec 7 17:46:40 2010
From: jgreco at ns.sol.net (Joe Greco)
Date: Tue, 7 Dec 2010 17:46:40 -0600 (CST)
Subject: A fascinating piece of spam
In-Reply-To: <4092047F-EB2A-47DE-BE1A-B8F0F65D4822@cs.columbia.edu>
Message-ID: <201012072346.oB7Nke9n068626@aurora.sol.net>

> Well -- spammers are following the NANOG list in real-time, it seems. A
> few hours after my post this afternoon, I received some spam with a
> correct Subject: line for that post. I'll be happy to forward the email
> to anyone who wants to analyze it or find the offender and permanently
> blacklist "her" from NANOG...

Funny you should mention that. About two seconds before your message, I got such a bit of spam.
> From carlafletcher24 at yahoo.com Tue Dec 7 17:43:02 2010
> Return-Path:
> Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78])
> 	by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716
> 	for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST)
> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 9187.54043.bm at omp1001.mail.ne1.yahoo.com
> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0=
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
> 	s=s1024; d=yahoo.com;
> 	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
> 	b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=;
> Message-ID: <828073.58184.qm at web120306.mail.ne1.yahoo.com>
> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk
>  8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg
>  oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23
>  rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N
>  _j50f7Uf_DOQ-
> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; Tue, 07 Dec 2010 15:42:49 PST
> X-Mailer:
YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259 > Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST) > From: Carla Fletcher > Reply-To: carlafletcher24 at yahoo.com > Subject: Re: Re: Abuse@ contacts > To: jgreco at ns.sol.net I didn't know that anybody was still keying on subject lines; our spam filter tossed it anyways. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From smb at cs.columbia.edu Tue Dec 7 17:47:46 2010 From: smb at cs.columbia.edu (Steven Bellovin) Date: Tue, 7 Dec 2010 18:47:46 -0500 Subject: A fascinating piece of spam In-Reply-To: <201012072346.oB7Nke9n068626@aurora.sol.net> References: <201012072346.oB7Nke9n068626@aurora.sol.net> Message-ID: <306E1EE0-CC3E-4A8C-B0CB-E8B46C9F00D9@cs.columbia.edu> Yup, same purported sender... On Dec 7, 2010, at 6:46 40PM, Joe Greco wrote: >> Well -- spammers are following the NANOG list in real-time, it seems. A >> few hours after my post this afternoon, I received some spam with a >> correct Subject: line for that post. I'll be happy to forward the email >> to anyone who wants to analyze it or find the offender and permanently >> blacklist "her" from NANOG... > > Funny you should mention that. About two seconds before your message, > I got such a bit of spam.
> >> From carlafletcher24 at yahoo.com Tue Dec 7 17:43:02 2010 >> Return-Path: >> Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78]) >> by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716 >> for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST) >> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> X-Yahoo-Newman-Property: ymail-3 >> X-Yahoo-Newman-Id: 9187.54043.bm at omp1001.mail.ne1.yahoo.com >> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -0000 >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0= >> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; >> b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=; >> Message-ID: <828073.58184.qm at web120306.mail.ne1.yahoo.com> >> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk >> 8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg >> oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23 >> rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N >> _j50f7Uf_DOQ- >> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; Tue, 07 Dec 2010 15:42:49 
PST >> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259 >> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST) >> From: Carla Fletcher >> Reply-To: carlafletcher24 at yahoo.com >> Subject: Re: Re: Abuse@ contacts >> To: jgreco at ns.sol.net > > I didn't know that anybody was still keying on subject lines; our spam > filter tossed it anyways. > > ... JG > -- > Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net > "We call it the 'one bite at the apple' rule. Give me one chance [and] then I > won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) > With 24 million small businesses in the US alone, that's way too many apples. > --Steve Bellovin, http://www.cs.columbia.edu/~smb From surfer at mauigateway.com Tue Dec 7 19:46:34 2010 From: surfer at mauigateway.com (Scott Weeks) Date: Tue, 7 Dec 2010 17:46:34 -0800 Subject: A fascinating piece of spam Message-ID: <20101207174634.7A2B0765@resin13.mta.everyone.net> --- smb at cs.columbia.edu wrote: From: Steven Bellovin Yup, same purported sender... ------------------------------------ From what company? So we don't make the mistake of buying from them. scott From surfer at mauigateway.com Tue Dec 7 19:51:59 2010 From: surfer at mauigateway.com (Scott Weeks) Date: Tue, 7 Dec 2010 17:51:59 -0800 Subject: A fascinating piece of spam Message-ID: <20101207175159.7A2B0631@resin13.mta.everyone.net> From: "Scott Weeks" From: Steven Bellovin Yup, same purported sender... ------------------------------------ From what company? So we don't make the mistake of buying from them. ---------------------------------- Never mind, I got one too. www.bradleydentaloffice.com 8 ae1d0.mcr1.saltlake2-ut.us.xo.net (216.156.1.2) 9 ip65-46-63-46.z63-46-65.customer.algx.net (65.46.63.46) 10 206.130.126.61.west-datacenter.net (206.130.126.61) 11 68.169.38.135.static.westdc.net (68.169.38.135) Someone from Westhost here? them please!
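The Received chain Joe Greco quoted earlier in this thread can be read mechanically instead of by eye: walk the hops from the bottom (earliest) up, trust only the hop your own MX stamped, and treat the lowest hop as the claimed origin; the DKIM d= value then tells you which provider's abuse desk the report belongs to. The following is an added Python example, not code from anyone in the thread; the header text is a constructed copy of the quoted headers trimmed to the fields used, and treating mx1.sol.net as the trusted MX is an assumption taken from that first Received line.

```python
"""Walk a Received: chain and check DKIM/From alignment on a spam sample.

Added example, not from the NANOG thread. RAW_HEADERS is a constructed,
trimmed copy of the headers Joe Greco quoted; "mx1.sol.net" being the
receiving site's own MX is an assumption based on that Received line.
"""
import re
from email import message_from_string

RAW_HEADERS = """\
Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78])
\tby mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716;
\tTue, 7 Dec 2010 17:43:00 -0600 (CST)
Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000
Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; Tue, 07 Dec 2010 15:42:49 PST
From: Carla Fletcher <carlafletcher24@yahoo.com>
Subject: Re: Re: Abuse@ contacts

"""

# "from <claimed> (<verified>) by <host>"; the parenthesised part is what the
# receiving MTA itself observed, the bare "from" token is only what the
# sender claimed in HELO/EHLO.
HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)(?:\s+\((?P<verified>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw, trusted_hosts):
    """Return hops ordered from claimed origin to final delivery as
    (from_ip, by_host, trusted); trusted means the 'by' MTA is one we run.
    Local injection lines without 'from ... by ...' (qmail) are skipped."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ipm = IP_RE.search(m.group("verified") or "") or IP_RE.search(m.group("claimed"))
        hops.append((ipm.group(1) if ipm else None, m.group("by"), m.group("by") in trusted_hosts))
    return hops


def handoff_and_origin(raw, trusted_hosts):
    """handoff_ip: the peer that connected to our own MX (the only IP we
    verified ourselves); claimed_origin_ip: the lowest hop, i.e. what the
    sender's provider says the submitting client was."""
    hops = received_chain(raw, trusted_hosts)
    first_trusted = next((h for h in hops if h[2]), None)
    return {
        "handoff_ip": first_trusted[0] if first_trusted else None,
        "claimed_origin_ip": hops[0][0] if hops else None,
        "hops": len(hops),
    }


def dkim_domain_matches_from(raw):
    """True when the DKIM d= domain equals the From: domain. A match here
    says the sending provider really signed it (so the report goes to that
    provider's abuse desk); it says nothing about the message being wanted."""
    msg = message_from_string(raw)
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    f = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return bool(d and f and d.group(1).lower() == f.group(1).lower())


if __name__ == "__main__":
    print(handoff_and_origin(RAW_HEADERS, {"mx1.sol.net"}))
    print("dkim aligned:", dkim_domain_matches_from(RAW_HEADERS))
```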
scott From rdobbins at arbor.net Tue Dec 7 20:11:19 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 02:11:19 +0000 Subject: ipfix/netflow/sflow generator for Linux In-Reply-To: References: Message-ID: On Dec 7, 2010, at 8:27 PM, Thomas York wrote: > Yes, you can statically set it but that will drastically skew the data in this environment. What are you attempting to do that northbound/southbound isn't Good Enough? ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From morrowc.lists at gmail.com Tue Dec 7 20:19:34 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 7 Dec 2010 21:19:34 -0500 Subject: A fascinating piece of spam In-Reply-To: <20101207174634.7A2B0765@resin13.mta.everyone.net> References: <20101207174634.7A2B0765@resin13.mta.everyone.net> Message-ID: same, sent via yahoomail webmail (I think): srcaddr: 173.208.103.211 On Tue, Dec 7, 2010 at 8:46 PM, Scott Weeks wrote: > > > --- smb at cs.columbia.edu wrote: > From: Steven Bellovin > > Yup, same purported sender... > ------------------------------------ > > > From what company? So we don't make the mistake of buying from them. > > scott > > From kris.foster at gmail.com Tue Dec 7 20:41:10 2010 From: kris.foster at gmail.com (kris foster) Date: Tue, 7 Dec 2010 18:41:10 -0800 Subject: A fascinating piece of spam In-Reply-To: References: <20101207174634.7A2B0765@resin13.mta.everyone.net> Message-ID: All Taken care of (at least for the @yahoo address I received the spam from). Chris and Steven, mind fwd'ing the problem emails to admins at nanog.org? Kris On Dec 7, 2010, at 6:19 PM, Christopher Morrow wrote: > same, sent via yahoomail webmail (I think): > srcaddr: 173.208.103.211 > > On Tue, Dec 7, 2010 at 8:46 PM, Scott Weeks wrote: >> >> >> --- smb at cs.columbia.edu wrote: >> From: Steven Bellovin >> >> Yup, same purported sender...
>> ------------------------------------ >> >> >> From what company? So we don't make the mistake of buying from them. >> >> scott >> >> > From tme at americafree.tv Tue Dec 7 21:08:03 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Tue, 7 Dec 2010 22:08:03 -0500 Subject: A fascinating piece of spam In-Reply-To: <201012072346.oB7Nke9n068626@aurora.sol.net> References: <201012072346.oB7Nke9n068626@aurora.sol.net> Message-ID: I have been seeing "targeted" spam for a while now - typically from someone with my last name and a random first name, and a familiar subject line. Just wait until they start using the _text_ from open mail lists as well. Regards Marshall On Dec 7, 2010, at 6:46 PM, Joe Greco wrote: >> Well -- spammers are following the NANOG list in real-time, it seems. A >> few hours after my post this afternoon, I received some spam with a >> correct Subject: line for that post. I'll be happy to forward the email >> to anyone who wants to analyze it or find the offender and permanently >> blacklist "her" from NANOG... > > Funny you should mention that. About two seconds before your message, > I got such a bit of spam.
> >> From carlafletcher24 at yahoo.com Tue Dec 7 17:43:02 2010 >> Return-Path: >> Received: from nm15.bullet.mail.ne1.yahoo.com (nm15.bullet.mail.ne1.yahoo.com [98.138.90.78]) >> by mx1.sol.net (8.14.4/8.14.4/SNNS-1.04) with SMTP id oB7Ngtf7002716 >> for ; Tue, 7 Dec 2010 17:43:00 -0600 (CST) >> Received: from [98.138.90.51] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> Received: from [98.138.87.1] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> Received: from [127.0.0.1] by omp1001.mail.ne1.yahoo.com with NNFMP; 07 Dec 2010 23:42:50 -0000 >> X-Yahoo-Newman-Property: ymail-3 >> X-Yahoo-Newman-Id: 9187.54043.bm at omp1001.mail.ne1.yahoo.com >> Received: (qmail 17052 invoked by uid 60001); 7 Dec 2010 23:42:49 -0000 >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1291765369; bh=Nwik8gyzMPW2hSR2Fc+0a6ZUu1s5oHBhOjv0Shs9wCE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=4Yw5bYZ0DJq7pbortuz7YK0J5opr+dQ0vk3FJ3V5uTF/jVuFRcu9hJxBZ/8u4xakvycmSMYOFDMR3oFL6t2JmSt3x4JZmCnDjlS79cL3arFsW/a0aBm9pubfPCYqijis3iCY6uNhji6JxYe0OWsMlHU3qTNohvs+dwMUl/gQ8R0= >> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; >> s=s1024; d=yahoo.com; >> h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; >> b=a+L6kibArtNLl3qtSuIHEDxKt2dZfrXLRiUE91IWnNsW6NZ11W6RG51LRXFK288erRYh7k9t2evvpBxbkAH7XKQ/B/+lIBaZqgZ5ON3MC3ziMmhrjn3UIX1o1obMDz0vO7R94K4iapDIpVlD9xXPOSgc1ENMoW8GA6eoKKRDUbs=; >> Message-ID: <828073.58184.qm at web120306.mail.ne1.yahoo.com> >> X-YMail-OSG: tTFoZPoVM1lORXP10bFDAvyxx.jFIQDoUGJ6hUxCf6q8Tbk >> 8RkTR2Q6BakFB1l6t1W5BdZ4fPFVQEWRX_TSB16hGCUxPmFhrTru8ItaSrSg >> oF9x5JBC6GwAHAwzXaeCohqEqZsyOLa9vBCXu_kKyxJv_zCea2QtIZ_PFH23 >> rGr_j.u85nfOQA_6VJ3uLvtpJ75N0.ufEudhqcR6ZhL4bPb8LTxKYxAtZQ2N >> _j50f7Uf_DOQ- >> Received: from [173.208.43.151] by web120306.mail.ne1.yahoo.com via HTTP; Tue, 07 Dec 2010 15:42:49 
PST >> X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259 >> Date: Tue, 7 Dec 2010 15:42:49 -0800 (PST) >> From: Carla Fletcher >> Reply-To: carlafletcher24 at yahoo.com >> Subject: Re: Re: Abuse@ contacts >> To: jgreco at ns.sol.net > > I didn't know that anybody was still keying on subject lines; our spam > filter tossed it anyways. > > ... JG > -- > Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net > "We call it the 'one bite at the apple' rule. Give me one chance [and] then I > won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) > With 24 million small businesses in the US alone, that's way too many apples. > > From sean at donelan.com Tue Dec 7 22:26:18 2010 From: sean at donelan.com (Sean Donelan) Date: Tue, 7 Dec 2010 23:26:18 -0500 (EST) Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <1291626475.30568.1618.camel@wks02> Message-ID: On Mon, 6 Dec 2010, Patrick W. Gilmore wrote: >> But as you and others have pointed out, not a lot of defense against >> DDoS these days besides horsepower and anycast. :-) > > Not just anycast. I said distributed architecture. There are more > ways to distribute than anycast. The content-side can be duplicated, replicated, distributed. On the eyeball-side it's not as easy to replicate things. DDOS against user networks doesn't generate as much publicity, outside of the gamer world, but is also a problem. Other than trying to hide your real address, what can be done to prevent DDOS in the first place? From patrick at ianai.net Tue Dec 7 22:32:16 2010 From: patrick at ianai.net (Patrick W. Gilmore) Date: Tue, 7 Dec 2010 23:32:16 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <1291626475.30568.1618.camel@wks02> Message-ID: <1ACB4FD0-7F8F-4BE5-B623-ECA9C6D85C79@ianai.net> On Dec 7, 2010, at 11:26 PM, Sean Donelan wrote: > On Mon, 6 Dec 2010, Patrick W.
Gilmore wrote: >>> But as you and others have pointed out, not a lot of defense against >>> DDoS these days besides horsepower and anycast. :-) >> >> Not just anycast. I said distributed architecture. There are more ways to distribute than anycast. > > The content-side can be duplicated, replicated, distributed. On the > eyeball-side it's not as easy to replicate things. DDOS against user > networks doesn't generate as much publicity, outside of the gamer world, but is also a problem. > > Other than trying to hide your real address, what can be done to prevent > DDOS in the first place? Don't piss people off on IRC? :) -- TTFN, patrick From ops.lists at gmail.com Tue Dec 7 22:33:31 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 8 Dec 2010 10:03:31 +0530 Subject: Abuse@ contacts In-Reply-To: References: Message-ID: On Wed, Dec 8, 2010 at 3:30 AM, Shaun Ewing wrote: > As mentioned previously, a lot of the traffic in abuse queues is automated > and you might have anywhere up to 100 emails for a single incident. In > these cases, we merge the messages into one ticket, handle the case and > close it off. Speaking as someone who's been running abuse desks since the mid 90s [still late to the party compared to other posters in this thread like say, Joe Greco, but what the heck, hi joe, hope you agree] Add to it the fact that you get far less "actual email" coming into abuse desks these days. Far more email that's scripted / at least semi automated by smaller trap operators / some small ISPs / spamcop.net ARF'd feedback loops from the large providers (which are mutually provided to each other - each large provider offers one, and subscribes to those provided by other SPs) are usually sent to a separate address and auto processed.
-- Suresh Ramasubramanian (ops.lists at gmail.com) From fergdawgster at gmail.com Tue Dec 7 22:38:03 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Tue, 7 Dec 2010 20:38:03 -0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <1ACB4FD0-7F8F-4BE5-B623-ECA9C6D85C79@ianai.net> References: <1291626475.30568.1618.camel@wks02> <1ACB4FD0-7F8F-4BE5-B623-ECA9C6D85C79@ianai.net> Message-ID: On Tue, Dec 7, 2010 at 8:32 PM, Patrick W. Gilmore wrote: > On Dec 7, 2010, at 11:26 PM, Sean Donelan wrote: >> Other than trying to hide your real address, what can be done to prevent >> DDOS in the first place? > > Don't piss people off on IRC? :) > After I laughed for a minute or two, you're exactly right -- although the social & political issues involved go far beyond IRC. Witness the back-and-forth DoS attacks involving Wikileaks and Anti-Wikileaks proponents going on right now. But this is not a new phenomenon -- every time there is a perceived insult or slight against Chinese pride/culture, it always spurs some sort of DoS attack scenario with grassroots support. These sorts of attacks have been going on for years, and will escalate far into the future, methinks. $.02, -- ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From rdobbins at arbor.net Tue Dec 7 22:46:13 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 04:46:13 +0000 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: References: <1291626475.30568.1618.camel@wks02> Message-ID: On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote: > Other than trying to hide your real address, what can be done to prevent DDOS in the first place. DDoS is just a symptom. The problem is botnets. Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From adrian at creative.net.au Tue Dec 7 22:52:16 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Wed, 8 Dec 2010 12:52:16 +0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <1291626475.30568.1618.camel@wks02> Message-ID: <20101208045215.GA8713@skywalker.creative.net.au> Botnets are the symptom. The real problem is people. Adrian On Wed, Dec 08, 2010, Dobbins, Roland wrote: > > On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote: > > > Other than trying to hide your real address, what can be done to prevent DDOS in the first place. > > > DDoS is just a symptom. The problem is botnets. > > Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Sell your computer and buy a guitar. > > > > -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA - From rdobbins at arbor.net Tue Dec 7 23:03:11 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 05:03:11 +0000 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: <20101208045215.GA8713@skywalker.creative.net.au> References: <1291626475.30568.1618.camel@wks02> <20101208045215.GA8713@skywalker.creative.net.au> Message-ID: <1C39BCE5-C446-4967-95D6-2D9FE8996A6A@arbor.net> On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote: > The real problem is people. Well, yes - but short of mass bombardment, eliminating people doesn't scale very well, and is generally frowned upon. ;> ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From adrian at creative.net.au Tue Dec 7 23:09:24 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Wed, 8 Dec 2010 13:09:24 +0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <1C39BCE5-C446-4967-95D6-2D9FE8996A6A@arbor.net> References: <1291626475.30568.1618.camel@wks02> <20101208045215.GA8713@skywalker.creative.net.au> <1C39BCE5-C446-4967-95D6-2D9FE8996A6A@arbor.net> Message-ID: <20101208050924.GC8713@skywalker.creative.net.au> On Wed, Dec 08, 2010, Dobbins, Roland wrote: > > On Dec 8, 2010, at 11:52 AM, Adrian Chadd wrote: > > > The real problem is people. > > Well, yes - but short of mass bombardment, eliminating people doesn't scale very well, and is generally frowned upon. > > ;> I think history can conclusively state we're much, much better at eliminating people than we are at hacked boxes; that politicians seem much happier somehow about the former than the latter; and our collective "clue" at being able to do so is growing much faster than our electronic toolkits. :-) (Oh god. :-) Adrian From mysidia at gmail.com Wed Dec 8 00:21:11 2010 From: mysidia at gmail.com (James Hess) Date: Wed, 8 Dec 2010 00:21:11 -0600 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: References: Message-ID: On Mon, Dec 6, 2010 at 1:50 AM, Sean Donelan wrote: > February 2000 weren't the first DDOS attacks, but the attacks on multiple > Other than buying lots of bandwidth and scrubber boxes, have any other DDOS > attack vectors been stopped or rendered useless during the last decade? Very little, no, and no. Not counting occasional application bugs that are quickly fixed. Even TCP weaknesses that can facilitate attack are still present in the protocol. New vectors and variations of those old vectors emerged since the 1990s. So there is an increase in the number of attack vectors to be concerned about, not a reduction. SYN and Smurf are Swords and spears after someone came up with atomic weaponry. The atomic weaponry named "bot net". Which is why there is less concern about the former types of single-real-origin-spoofed-source attacks. Botnet-based DDoS is just "Smurf" where amplification nodes are obtained by system compromise, instead of router misconfiguration, and a minor variation on the theme where the chain reaction is not started by sending spoofed ICMP ECHOs. Since 2005 there are new beasts such as "Slowloris" and "DNS Reflection". DNS Reflection attacks are a more direct successor to smurf; true smurf broadcast amplification points are rare today, diminishing returns for the attacker, trying to find the 5 or 6 misconfigured gateways out there, but that doesn't diminish the vector of spoofed small request large response attacks. Open DNS servers are everywhere. SYN attacks traditionally come from a small number of sources and rely on spoofing to attack limitations on available number of connection slots for success. New vectors that became most well-known in the late 90s utilize botnets, and an attacker can make full connections therefore requiring zero spoofing, negating the benefit of SYN cookies. In other words, SYN floods got supplanted by TCP_Connect floods. 
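James Hess's point that DNS reflection is smurf with open resolvers standing in for broadcast amplifiers says what to look for in flow data from either vantage point: at the victim, many distinct UDP/53 sources delivering large responses to one destination; at the resolver, responses far larger than the queries that triggered them. The following is an added Python example, not code from the post; the flow records are constructed (RFC 5737 documentation addresses) and the thresholds are assumptions to be tuned per network.

```python
"""Flag DNS reflection (spoofed small query, large response) in flow records.

Added example, not from the NANOG thread. SAMPLE_FLOWS is constructed and the
thresholds in find_reflection_victims are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int


# Constructed: three open resolvers answer 100 spoofed queries each (about
# 60 bytes per query) with about 3000-byte responses aimed at 192.0.2.10,
# alongside one client's ordinary lookup and some unrelated web traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", "udp", 40000, 53, 100, 6000),
    Flow("192.0.2.10", "198.51.100.2", "udp", 40001, 53, 100, 6000),
    Flow("192.0.2.10", "198.51.100.3", "udp", 40002, 53, 100, 6000),
    Flow("198.51.100.1", "192.0.2.10", "udp", 53, 40000, 100, 300000),
    Flow("198.51.100.2", "192.0.2.10", "udp", 53, 40001, 100, 300000),
    Flow("198.51.100.3", "192.0.2.10", "udp", 53, 40002, 100, 300000),
    Flow("192.0.2.77", "198.51.100.1", "udp", 51000, 53, 2, 140),
    Flow("198.51.100.1", "192.0.2.77", "udp", 53, 51000, 2, 320),
    Flow("192.0.2.77", "203.0.113.5", "tcp", 52000, 443, 30, 9000),
]


def response_amplification(flows):
    """Resolver-side view: pair each UDP/53 response flow with the query flow
    it answers and return {(resolver, client): response_bytes / query_bytes}.
    Unpaired responses are ignored; a ratio in the tens is the reflection
    signature (a normal lookup is typically 2x-3x)."""
    queries = {}
    for f in flows:
        if f.proto == "udp" and f.dport == 53:
            queries[(f.dst, f.src, f.sport)] = f        # (resolver, client, client port)
    ratios = {}
    for f in flows:
        if f.proto == "udp" and f.sport == 53:
            q = queries.get((f.src, f.dst, f.dport))
            if q and q.octets:
                ratios[(f.src, f.dst)] = f.octets / q.octets
    return ratios


def find_reflection_victims(flows, min_reflectors=3, min_bytes_per_packet=400.0):
    """Victim-side view: destinations receiving large UDP/53 responses from
    several distinct resolvers at once. Returns {victim: details}."""
    per_dst = defaultdict(lambda: {"srcs": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto == "udp" and f.sport == 53:
            d = per_dst[f.dst]
            d["srcs"].add(f.src)
            d["packets"] += f.packets
            d["octets"] += f.octets
    victims = {}
    for dst, d in per_dst.items():
        bpp = d["octets"] / d["packets"]
        if len(d["srcs"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            victims[dst] = {"reflectors": sorted(d["srcs"]), "bytes_per_packet": bpp}
    return victims


if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
    for pair, ratio in response_amplification(SAMPLE_FLOWS).items():
        print(pair, "amplification %.1fx" % ratio)
```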
-- -JH From joly at punkcast.com Wed Dec 8 00:33:29 2010 From: joly at punkcast.com (Joly MacFie) Date: Wed, 8 Dec 2010 01:33:29 -0500 Subject: A fascinating piece of spam In-Reply-To: References: <201012072346.oB7Nke9n068626@aurora.sol.net> Message-ID: Nanog is available via at least two archives on the public web - try googling any line of text - even this one. j On Tue, Dec 7, 2010 at 10:08 PM, Marshall Eubanks wrote: > I have been seeing "targeted" spam for a while now - typically from someone > with my last name and a random first name, > and a familiar subject line. > > Just wait until they start using the _text_ from open mail lists as well. > > Regards > Marshall > > > -- --------------------------------------------------------------- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com Secretary - ISOC-NY - http://isoc-ny.org --------------------------------------------------------------- From bmanning at vacation.karoshi.com Wed Dec 8 04:58:38 2010 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 8 Dec 2010 10:58:38 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <1291626475.30568.1618.camel@wks02> Message-ID: <20101208105838.GD5841@vacation.karoshi.com.> actually, botnets are an artifact. claiming that the tool is the problem might be a bit short sighted. with the evolution of Internet technologies (IoT) i suspect botnet-like structures to become much more prevalent and useful for things other than coordinated attacks. just another PoV.
--bill On Wed, Dec 08, 2010 at 04:46:13AM +0000, Dobbins, Roland wrote: > > On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote: > > > Other than trying to hide your real address, what can be done to prevent DDOS in the first place? > > > DDoS is just a symptom. The problem is botnets. > > Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Sell your computer and buy a guitar. > > > > > From rdobbins at arbor.net Wed Dec 8 05:13:39 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 11:13:39 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <20101208105838.GD5841@vacation.karoshi.com.> References: <1291626475.30568.1618.camel@wks02> <20101208105838.GD5841@vacation.karoshi.com.> Message-ID: On Dec 8, 2010, at 5:58 PM, wrote: > actually, botnets are an artifact. claiming that the tool is the problem might be a bit short sighted. with the evolution of Internet technologies > (IoT) i suspect botnet-like structures to become much more prevalent and useful for things other than coordinated attacks. I'm a big advocate of distributed/agile computing models with swarming/flocking behaviors - see slide 32 of this preso for an example: When these things are harnessed together in order to launch DDoS attacks and steal financial information and intellectual property and so forth, we call them 'botnets'. They're a force-multiplier which allow the attacker to avoid the von Clausewitzian friction of conflict, and which give him a comfortable degree of anonymity, not to mention highly asymmetrical force projection capabilities and global presence. 'Botnet-like structures' = botnets, for purposes of this discussion. Semantic hair-splitting.
----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From arturo.servin at gmail.com Wed Dec 8 06:28:34 2010 From: arturo.servin at gmail.com (Arturo Servin) Date: Wed, 8 Dec 2010 10:28:34 -0200 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> One big problem (IMHO) of DDoS is that the sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close to the source as possible? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past. Regards. -as On 8 Dec 2010, at 10:00, nanog-request at nanog.org wrote: > Date: Wed, 8 Dec 2010 10:58:38 +0000 > From: bmanning at vacation.karoshi.com > Subject: Re: Over a decade of DDOS--any progress yet? > To: "Dobbins, Roland" > Cc: North American Operators' Group > Message-ID: <20101208105838.GD5841 at vacation.karoshi.com.> > Content-Type: text/plain; charset=us-ascii > > > actually, botnets are an artifact. claiming that the tool is the problem > might be a bit short sighted. with the evolution of Internet technologies > (IoT) i suspect botnet-like structures to become much more prevalent and > useful for things other than coordinated attacks. > > just another PoV.
> > --bill > > On Wed, Dec 08, 2010 at 04:46:13AM +0000, Dobbins, Roland wrote: >> >> On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote: >> >>> Other than trying to hide your real address, what can be done to prevent DDOS in the first place? >> >> >> DDoS is just a symptom. The problem is botnets. >> >> Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks. >> >> ----------------------------------------------------------------------- >> Roland Dobbins // >> >> Sell your computer and buy a guitar. >> >> >> >> >> > From rdobbins at arbor.net Wed Dec 8 06:53:51 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 12:53:51 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> Message-ID: On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: > One big problem (IMHO) of DDoS is that the sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. The technology exists to detect and classify this attack traffic, and is deployed in production networks today. And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes. > On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. Actually, there're lots of things they can do. > I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close to the source as possible?
Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past. It already exists. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From alvaro.sanchez at adinet.com.uy Wed Dec 8 07:46:10 2010 From: alvaro.sanchez at adinet.com.uy (alvaro.sanchez at adinet.com.uy) Date: Wed, 8 Dec 2010 10:46:10 -0300 (UYT) Subject: Over a decade of DDOS--any progress yet? Message-ID: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> A very common action is to blackhole ddos traffic upstream by sending a bgp route to the next AS with a preestablished community indicating the traffic must be sent to Null0. The route may be very specific, in order to have as little impact as possible. This needs previous coordination between providers. Regards. >----Original message---- >From: rdobbins at arbor.net >Date: 08/12/2010 10:53 >To: "North American Operators' Group" >Subject: Re: Over a decade of DDOS--any progress yet? > > >On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: > >> One big problem (IMHO) of DDoS is that the sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. > >The technology exists to detect and classify this attack traffic, and is deployed in production networks today. > >And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes. > >> On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. > >Actually, there're lots of things they can do.
> >> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past. > >It already exists. > >----------------------------------------------------------------------- >Roland Dobbins // > > Sell your computer and buy a guitar. > > > > > > From drew.weaver at thenap.com Wed Dec 8 08:30:24 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 8 Dec 2010 09:30:24 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> Message-ID: Yes, but this obviously completes the 'DDoS attack' and sends the signal that the bully will win. -Drew -----Original Message----- From: alvaro.sanchez at adinet.com.uy [mailto:alvaro.sanchez at adinet.com.uy] Sent: Wednesday, December 08, 2010 8:46 AM To: rdobbins at arbor.net; North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet? A very common action is to blackhole ddos traffic upstream by sending a bgp route to the next AS with a preestablished community indicating the traffic must be sent to Null0. The route may be very specific, in order to impact as less as possible. This needs previous coordination between providers. Regards. >----Mensaje original---- >De: rdobbins at arbor.net >Fecha: 08/12/2010 10:53 >Para: "North American Operators' Group" >Asunto: Re: Over a decade of DDOS--any progress yet? > > >On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: > >> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. 
> >The technology exists to detect and classify this attack traffic, and is deployed in production networks today. > >And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes. > >> In the other hand the target of a DDoS cannot do anything to stop to attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. > >Actually, there're lots of things they can do. > >> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past. > >It already exists. > >----------------------------------------------------------------------- >Roland Dobbins // > > Sell your computer and buy a guitar. > > > > > > From deleskie at gmail.com Wed Dec 8 08:31:51 2010 From: deleskie at gmail.com (jim deleskie) Date: Wed, 8 Dec 2010 10:31:51 -0400 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> Message-ID: +1 On Wed, Dec 8, 2010 at 10:30 AM, Drew Weaver wrote: > Yes, but this obviously completes the 'DDoS attack' and sends the signal that the bully will win. > > -Drew > > > -----Original Message----- > From: alvaro.sanchez at adinet.com.uy [mailto:alvaro.sanchez at adinet.com.uy] > Sent: Wednesday, December 08, 2010 8:46 AM > To: rdobbins at arbor.net; North American Operators' Group > Subject: Re: Over a decade of DDOS--any progress yet? > > A very common action is to blackhole ddos traffic upstream by sending a > bgp route to the next AS with a preestablished community indicating the > traffic must be sent to Null0. The route may be very specific, in order > to impact as less as possible. 
> This needs previous coordination between providers.
> Regards.
>
>>----Original message----
>>From: rdobbins at arbor.net
>>Date: 08/12/2010 10:53
>>To: "North American Operators' Group"
>>Subject: Re: Over a decade of DDOS--any progress yet?
>>
>>
>>On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>>
>>The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>>
>>And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>>
>>> On the other hand the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>>
>>Actually, there're lots of things they can do.
>>
>>> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course this is more complex than these three or two lines, but I wonder if this has been considered in the past.
>>
>>It already exists.
>>
>>-----------------------------------------------------------------------
>>Roland Dobbins //
>>
>> Sell your computer and buy a guitar.
>>
>>
>

From thomas.mangin at exa-networks.co.uk Wed Dec 8 09:04:28 2010
From: thomas.mangin at exa-networks.co.uk (Thomas Mangin)
Date: Wed, 8 Dec 2010 15:04:28 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <1291626475.30568.1618.camel@wks02>
Message-ID:

On 6 Dec 2010, at 15:34, David Ulevitch wrote:

> On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore wrote:
>> On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
>>
>>> Besides having *a lot* of bandwidth there's not really much you can do to mitigate. Once you have the bandwidth you can filter (w/good hardware). Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
>>
>> There is a variation on that theme. Using a distributed architecture (anycast, CDN, whatever), you can limit the attack to certain nodes. If you have 20 nodes and get attacked from a botnet in China, only the users on the same node as the Chinese users will be down. The other 95% of your users will be fine. This is true even if you have 1 Gbps per node, and the attack is 100 Gbps strong.
>
> I think this is only true if you run your BGP session on a different path (or have your provider pin down a static route). If you are using BGP and run it on the same path, the 100Gbps will cause massive packet loss and likely cause your BGP session to drop which will just move the attack to another site, rinse / repeat. I don't think very many people run BGP over a separate circuit, but for some folks, it might be appropriate.

Running BGP over a different circuit will cause some blackholing of the traffic if the real link is down but not the BGP path. So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.

Thomas

From rdobbins at arbor.net Wed Dec 8 09:08:06 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 8 Dec 2010 15:08:06 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <1291626475.30568.1618.camel@wks02>
Message-ID: <2FAA3617-FF49-46D1-A61B-8D682FA96D9C@arbor.net>

On Dec 8, 2010, at 10:04 PM, Thomas Mangin wrote:

> So IMHO the best way is still a good router with some basic QoS to protect BGP on the link.

iACLs and GTSM are your friends. ;>

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.
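Roland's "iACLs and GTSM" and Thomas's "basic QoS to protect BGP" above, modelled in Python as an added example (not code from the thread or from any vendor): an infrastructure-ACL stage, a GTSM TTL check per RFC 5082, and a token-bucket budget that keeps a ping flood from starving the BGP session. Peer addresses, hop counts and rates are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BGP_PORT = 179
MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    """The handful of header fields the checks below look at."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # 0 where the protocol has no port
    ttl: int


@dataclass
class Peer:
    """One configured BGP neighbour (values constructed for the demo)."""
    local_addr: str  # our address this peer is allowed to talk to
    hops: int = 1    # GTSM hop count; 1 for a directly connected eBGP peer


@dataclass
class TokenBucket:
    """Packets-per-second limiter: refills `rate` tokens/s up to `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: Optional[float] = field(default=None, init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ControlPlaneFilter:
    """Decides whether a packet addressed to the router itself is accepted."""

    def __init__(self, peers: Dict[str, Peer], bgp_pps: float, other_pps: float) -> None:
        self.peers = peers
        self.bgp_bucket = TokenBucket(rate=bgp_pps, burst=bgp_pps)
        self.other_bucket = TokenBucket(rate=other_pps, burst=other_pps)

    def check(self, pkt: Packet, now: float) -> Tuple[str, str]:
        """Return ("accept" | "drop", reason) for one packet seen at time `now`."""
        if pkt.proto == "tcp" and pkt.dport == BGP_PORT:
            peer = self.peers.get(pkt.src)
            # iACL: only a configured neighbour may reach TCP/179, and only on
            # the local address it is configured against. Stray or spoofed
            # BGP packets from anywhere else never touch the session's budget.
            if peer is None or peer.local_addr != pkt.dst:
                return ("drop", "iacl: unconfigured bgp source/destination")
            # GTSM (RFC 5082): the peer sends with TTL 255, so a packet from a
            # neighbour `hops` away arrives with TTL 255 - (hops - 1). A lower
            # TTL crossed more routers than that neighbour's traffic ever does.
            if pkt.ttl < MAX_TTL - peer.hops + 1:
                return ("drop", "gtsm: ttl below expected minimum")
            if not self.bgp_bucket.allow(now):
                return ("drop", "qos: bgp rate limit")
            return ("accept", "bgp from configured peer")
        # Everything else aimed at the control plane (ping, traceroute, ...)
        # shares one small budget, so a flood of it cannot starve BGP.
        if not self.other_bucket.allow(now):
            return ("drop", "qos: control-plane rate limit")
        return ("accept", "other control-plane traffic")


def demo() -> Dict[str, Tuple[str, str]]:
    """Push a constructed packet mix through the filter (RFC 5737 addresses)."""
    cpf = ControlPlaneFilter(
        peers={"192.0.2.1": Peer(local_addr="192.0.2.2", hops=1)},
        bgp_pps=100, other_pps=2,
    )
    peer_hello = Packet("192.0.2.1", "192.0.2.2", "tcp", BGP_PORT, 255)
    results = {}
    # Genuine neighbour: directly connected, so the TTL is still 255.
    results["peer"] = cpf.check(peer_hello, 0.0)
    # Spoofed peer address sent from several hops away: the iACL passes it,
    # GTSM does not, because the TTL was decremented in transit.
    results["spoofed"] = cpf.check(Packet("192.0.2.1", "192.0.2.2", "tcp", BGP_PORT, 250), 0.0)
    # Unknown host probing TCP/179.
    results["stranger"] = cpf.check(Packet("198.51.100.7", "192.0.2.2", "tcp", BGP_PORT, 255), 0.0)
    # ICMP flood in the same instant: the third packet exhausts the 2-token budget.
    for _ in range(2):
        cpf.check(Packet("203.0.113.9", "192.0.2.2", "icmp", 0, 60), 0.0)
    results["icmp_flood"] = cpf.check(Packet("203.0.113.9", "192.0.2.2", "icmp", 0, 60), 0.0)
    # BGP is untouched by that flood: its own budget still has tokens.
    results["peer_during_flood"] = cpf.check(peer_hello, 0.0)
    return results
```

Calling demo() returns the verdict and reason for each constructed packet; the GTSM stage is the one that tells the spoofed packet apart from the genuine neighbour, since both carry the same source address.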
From thomas.mangin at exa-networks.co.uk Wed Dec 8 09:10:37 2010
From: thomas.mangin at exa-networks.co.uk (Thomas Mangin)
Date: Wed, 8 Dec 2010 15:10:37 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <23035485.1291815970840.JavaMail.tomcat@fe-ps03>
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03>
Message-ID: <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk>

A less common action is to use flowspec (if you have some Juniper gear) to drop only the attack and hopefully not any legitimate traffic.

What is really missing atm is a way to filter flowspec announcements (limit the number and make sure they are for routes the peer is announcing). Until this is sorted I believe flowspec will be a marginal solution.

Thomas

PLUG: http://code.google.com/p/exabgp/

On 8 Dec 2010, at 13:46, alvaro.sanchez at adinet.com.uy wrote:

> A very common action is to blackhole ddos traffic upstream by sending a bgp route to the next AS with a preestablished community indicating the traffic must be sent to Null0. The route may be very specific, in order to impact as little as possible. This needs previous coordination between providers.
> Regards.
>
>> ----Original message----
>> From: rdobbins at arbor.net
>> Date: 08/12/2010 10:53
>> To: "North American Operators' Group"
>> Subject: Re: Over a decade of DDOS--any progress yet?
>>
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>>
>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>>
>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>> >>> In the other hand the target of a DDoS cannot do anything to stop > to attack besides adding more BW or contacting one by one the whole > path of providers to try to minimize the effect. >> >> Actually, there're lots of things they can do. >> >>> I know that this has many security concerns, but would it be good > a signalling protocol between ISPs to inform the sources of a DDoS > attack in order to take semiautomatic actions to rate-limit the traffic > as close as the source? Of course that this is more complex that these > three or two lines, but I wonder if this has been considerer in the > past. >> >> It already exists. >> >> ----------------------------------------------------------------------- >> Roland Dobbins // >> >> Sell your computer and buy a guitar. >> >> >> >> >> >> > > > From rdobbins at arbor.net Wed Dec 8 09:12:13 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 15:12:13 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> Message-ID: <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> On Dec 8, 2010, at 10:10 PM, Thomas Mangin wrote: > Until this is sorted I believe flowspec will be a marginal solution. We're seeing a significant uptick in flowspec interest, actually, and S/RTBH has been around for ages. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From arturo.servin at gmail.com Wed Dec 8 09:33:01 2010 From: arturo.servin at gmail.com (Arturo Servin) Date: Wed, 8 Dec 2010 13:33:01 -0200 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: On 8 Dec 2010, at 13:12, nanog-request at nanog.org wrote: > Date: Wed, 8 Dec 2010 12:53:51 +0000 > From: "Dobbins, Roland" > Subject: Re: Over a decade of DDOS--any progress yet? 
> To: North American Operators' Group
> Message-ID:
> Content-Type: text/plain; charset="us-ascii"
>
>
> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>
>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>
> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.

Yes, they do exist. But are people really filtering out attacks or just watching the attacks going out?

>
> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>
>> On the other hand the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>
> Actually, there're lots of things they can do.

Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps there is not much that you can do.

>
>> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course this is more complex than these three or two lines, but I wonder if this has been considered in the past.
>
> It already exists.

If you have a URL it would be good. I only found a few research papers on the topic and RSVP documents but nothing really concrete.

Regards,
-as

From thomas.mangin at exa-networks.co.uk Wed Dec 8 09:36:42 2010
From: thomas.mangin at exa-networks.co.uk (Thomas Mangin)
Date: Wed, 8 Dec 2010 15:36:42 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net>
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net>
Message-ID:

On 8 Dec 2010, at 15:12, Dobbins, Roland wrote:

>
> On Dec 8, 2010, at 10:10 PM, Thomas Mangin wrote:
>
>> Until this is sorted I believe flowspec will be a marginal solution.
>
> We're seeing a significant uptick in flowspec interest, actually, and S/RTBH has been around for ages.

Great to hear :) But my point is still valid. Flowspec is great if you are a backbone and are performing the filtering, or if you want to filter outgoing traffic. If you are a smaller network, you need the filtering to be performed by your transit provider, as your uplink will otherwise be congested.

So I will stand by my comment that flowspec would see a bigger uptake if T1 could accept the flowspec routes, which they will only do once they can filter them (to ensure correctness and resource protection).

Thomas

PS : Someone needs to add IPv6 support to the RFC :p

From rdobbins at arbor.net Wed Dec 8 09:39:08 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 8 Dec 2010 15:39:08 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References:
Message-ID: <84B30811-8E60-493E-8040-C09D3F0102FF@arbor.net>

On Dec 8, 2010, at 10:33 PM, Arturo Servin wrote:

> If you have a URL it would be good.

You may wish to do a bit more research on the topic of DDoS in general, as the state of the art in detection/classification/traceback/mitigation is considerably advanced beyond what you've described.

//

Sell your computer and buy a guitar.

From jeffrey.lyon at blacklotus.net Wed Dec 8 09:39:26 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Wed, 8 Dec 2010 10:39:26 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References:
Message-ID:

We have seen a recent trend of attackers "legitimately" purchasing servers to use for attacks. They'll set up a front company, attempt to make the traffic look legitimate, and then launch attacks from their "legitimate" botnet.

Jeff

On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin wrote:
>
> On 8 Dec 2010, at 13:12, nanog-request at nanog.org wrote:
>
>> Date: Wed, 8 Dec 2010 12:53:51 +0000
>> From: "Dobbins, Roland"
>> Subject: Re: Over a decade of DDOS--any progress yet?
>> To: North American Operators' Group
>> Message-ID:
>> Content-Type: text/plain; charset="us-ascii"
>>
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>>
>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>
> Yes, they do exist. But are people really filtering out attacks or just watching the attacks going out?
>
>
>>
>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>>
>>> On the other hand the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>>
>> Actually, there're lots of things they can do.
>
> Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps there is not much that you can do.
>
>>
>>> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source?
Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past. >> >> It already exists. > > ? ? ? ?If you have an URL would be good. I only found a few research papers on the topic and RSVP documents but nothing really concrete. > > Regards, > -as -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From rdobbins at arbor.net Wed Dec 8 09:40:52 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 15:40:52 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> Message-ID: <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> On Dec 8, 2010, at 10:36 PM, Thomas Mangin wrote: > If you are a smaller network, you need the filtering to be performed by your transit provider, as your uplink will otherwise be congested. Actually, most DDoS attacks aren't link-flooding attacks - this hasn't been true for the last ~7 years or so. I'm not saying it doesn't happen, because it does, and sometimes quite spectacularly - but in most cases, the attackers don't have to flood the link to achieve their desired goal. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From jcdill.lists at gmail.com Wed Dec 8 09:43:52 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Wed, 08 Dec 2010 07:43:52 -0800 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> Message-ID: <4CFFA7B8.8000306@gmail.com> On 08/12/10 4:28 AM, Arturo Servin wrote: > One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet. Why isn't ANYONE going after Microsoft over this? If Microsoft were held accountable for the spam and DDOSs that spew from their crappy software, they would find a way to stop the problem. I've raised this issue before, IMHO Windows OSs are "attractive nuisances" and that legal argument can be used to hold Microsoft responsible for not putting an adequate "fence" around their "attractive nuisance". If all the big ISPs banded together to file suit against Microsoft, they could share the cost (and pain) of the lawsuit. Instead, you each individually keep trying to implement in-house solutions to filter/block spam and DDOSs. How's that working for ya? jc From arturo.servin at gmail.com Wed Dec 8 09:47:50 2010 From: arturo.servin at gmail.com (Arturo Servin) Date: Wed, 8 Dec 2010 13:47:50 -0200 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP. But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exists require a complex coordination with upstreams. Cheers, .as On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote: > We have seen a recent trend of attackers "legitimately" purchasing > servers to use for attacks. 
They'll setup a front company, attempt to > make the traffic look legitimate, and then launch attacks from their > "legitimate" botnet. > > Jeff > > On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin wrote: >> >> On 8 Dec 2010, at 13:12, nanog-request at nanog.org wrote: >> >>> Date: Wed, 8 Dec 2010 12:53:51 +0000 >>> From: "Dobbins, Roland" >>> Subject: Re: Over a decade of DDOS--any progress yet? >>> To: North American Operators' Group >>> Message-ID: >>> Content-Type: text/plain; charset="us-ascii" >>> >>> >>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: >>> >>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. >>> >>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today. >> >> Yes, they do exist. But, is people really filtering out attacks or just watching the attacks going out? >> >> >>> >>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes. >>> >>>> In the other hand the target of a DDoS cannot do anything to stop to attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. >>> >>> Actually, there're lots of things they can do. >> >> Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do. >> >>> >>>> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past. >>> >>> It already exists. >> >> If you have an URL would be good. 
>> I only found a few research papers on the topic and RSVP documents but nothing really concrete.
>>
>> Regards,
>> -as
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions

From rdobbins at arbor.net Wed Dec 8 09:52:14 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 8 Dec 2010 15:52:14 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com>
References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com>
Message-ID: <391BD2CF-A8FD-42D1-8C1F-A98789867425@arbor.net>

On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:

> But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.

This is demonstrably incorrect.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From jbates at brightok.net Wed Dec 8 10:06:27 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 08 Dec 2010 10:06:27 -0600
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4CFFA7B8.8000306@gmail.com>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com>
Message-ID: <4CFFAD03.3050703@brightok.net>

On 12/8/2010 9:43 AM, JC Dill wrote:
> Why isn't ANYONE going after Microsoft over this? If Microsoft were held accountable for the spam and DDOSs that spew from their crappy software, they would find a way to stop the problem. I've raised this issue before, IMHO Windows OSs are "attractive nuisances" and that legal argument can be used to hold Microsoft responsible for not putting an adequate "fence" around their "attractive nuisance".
>

I call BS. Windows has its problems, but it is the most commonly exploited as it holds the largest market share.
Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can. I've seen plenty of webmail/php/cgi hacks to not blame M$ for having market share. Jack From drew.weaver at thenap.com Wed Dec 8 10:13:01 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 8 Dec 2010 11:13:01 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> Message-ID: The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share have been easily detectable by the source network. It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..) What valid application actually uses UDP 80? You could literally wipe out a large amount of these attacks by simply filtering this. -Drew -----Original Message----- From: Arturo Servin [mailto:arturo.servin at gmail.com] Sent: Wednesday, December 08, 2010 10:48 AM To: Jeffrey Lyon Cc: nanog at nanog.org Subject: Re: Over a decade of DDOS--any progress yet? And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP. But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exists require a complex coordination with upstreams. Cheers, .as On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote: > We have seen a recent trend of attackers "legitimately" purchasing > servers to use for attacks. They'll setup a front company, attempt to > make the traffic look legitimate, and then launch attacks from their > "legitimate" botnet. > > Jeff > > On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin wrote: >> >> On 8 Dec 2010, at 13:12, nanog-request at nanog.org wrote: >> >>> Date: Wed, 8 Dec 2010 12:53:51 +0000 >>> From: "Dobbins, Roland" >>> Subject: Re: Over a decade of DDOS--any progress yet? 
>>> To: North American Operators' Group >>> Message-ID: >>> Content-Type: text/plain; charset="us-ascii" >>> >>> >>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: >>> >>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. >>> >>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today. >> >> Yes, they do exist. But, is people really filtering out attacks or just watching the attacks going out? >> >> >>> >>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes. >>> >>>> In the other hand the target of a DDoS cannot do anything to stop to attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. >>> >>> Actually, there're lots of things they can do. >> >> Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do. >> >>> >>>> I know that this has many security concerns, but would it be good a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as the source? Of course that this is more complex that these three or two lines, but I wonder if this has been considerer in the past. >>> >>> It already exists. >> >> If you have an URL would be good. I only found a few research papers on the topic and RSVP documents but nothing really concrete. 
>>
>> Regards,
>> -as
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions

From jbates at brightok.net Wed Dec 8 10:13:44 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 08 Dec 2010 10:13:44 -0600
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <391BD2CF-A8FD-42D1-8C1F-A98789867425@arbor.net>
References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> <391BD2CF-A8FD-42D1-8C1F-A98789867425@arbor.net>
Message-ID: <4CFFAEB8.6030708@brightok.net>

On 12/8/2010 9:52 AM, Dobbins, Roland wrote:
>
> On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
>
>> But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.
>
>
> This is demonstrably incorrect.
>

+1

For IPs that don't matter, automated /32 blackholes are usually supported by most providers. For critical infrastructure, I've not had a problem with the security/abuse/noc departments working with me to resolve the issue.

The first step to DOS mitigation is being able to shut down the attack vector. If they hit an IP, shut it down, let the 50 other distributed systems take care of it. It's all a matter of perspective, and it has to be handled on a case by case basis.

I had a dialup modem bank IP get DOS'd due to a customer off it. Well, the modem bank itself doesn't need to talk to the outside world (outside of traceroutes), so a quick blackhole of it stopped the DDOS (which was a small 300 Mb/s).

I've talked with several providers who will gladly redirect a subset of IPs through their high end filters, so in event of DOS, I can drop that /24 down to 1 transit peer, have them redirect it through their filter servers, and get clean traffic back to my network.
Jack From drew.weaver at thenap.com Wed Dec 8 10:14:52 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 8 Dec 2010 11:14:52 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> Message-ID: I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack. thanks, -Drew -----Original Message----- From: Dobbins, Roland [mailto:rdobbins at arbor.net] Sent: Wednesday, December 08, 2010 10:41 AM To: North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet? On Dec 8, 2010, at 10:36 PM, Thomas Mangin wrote: > If you are a smaller network, you need the filtering to be performed by your transit provider, as your uplink will otherwise be congested. Actually, most DDoS attacks aren't link-flooding attacks - this hasn't been true for the last ~7 years or so. I'm not saying it doesn't happen, because it does, and sometimes quite spectacularly - but in most cases, the attackers don't have to flood the link to achieve their desired goal. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From jbates at brightok.net Wed Dec 8 10:17:44 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 08 Dec 2010 10:17:44 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> Message-ID: <4CFFAFA8.7010209@brightok.net> On 12/8/2010 10:13 AM, Drew Weaver wrote: > The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share have been easily detectable by the source network. 
> > It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..) > > What valid application actually uses UDP 80? > > You could literally wipe out a large amount of these attacks by simply filtering this. > > -Drew

You mean silly things like:

Warning, it is an 87160 line flow capture.

http://www.brightok.net/~abuse/ddos/flows.txt

Jack

From alvaro.sanchez at adinet.com.uy Wed Dec 8 10:18:39 2010 From: alvaro.sanchez at adinet.com.uy (alvaro.sanchez at adinet.com.uy) Date: Wed, 8 Dec 2010 13:18:39 -0300 (UYT) Subject: Over a decade of DDOS--any progress yet? Message-ID: <10624077.1291825119668.JavaMail.tomcat@fe-ps03>

May be. Anyway, under ddos attack, your links may be congested, and you need to recover them. You have small margin to move. The farther upstream the attack is repelled, the better chances you have for restoring connectivity.

>----Original message---- >From: deleskie at gmail.com >Date: 08/12/2010 12:31 >To: "Drew Weaver" >CC: "alvaro.sanchez at adinet.com.uy", "rdobbins at arbor.net", "North American Operators' Group" >Subject: Re: Over a decade of DDOS--any progress yet? > >+1 >
>On Wed, Dec 8, 2010 at 10:30 AM, Drew Weaver wrote: >> Yes, but this obviously completes the 'DDoS attack' and sends the signal that the bully will win. >> >> -Drew >> >> >> -----Original Message----- >> From: alvaro.sanchez at adinet.com.uy [mailto:alvaro.sanchez at adinet. com.uy] >> Sent: Wednesday, December 08, 2010 8:46 AM >> To: rdobbins at arbor.net; North American Operators' Group >> Subject: Re: Over a decade of DDOS--any progress yet? >> >> A very common action is to blackhole ddos traffic upstream by sending a >> bgp route to the next AS with a preestablished community indicating the >> traffic must be sent to Null0. The route may be very specific, in order >> to impact as little as possible. This needs previous coordination between >> providers. >> Regards.
>> >>>----Original message---- >>>From: rdobbins at arbor.net >>>Date: 08/12/2010 10:53 >>>To: "North American Operators' Group" >>>Subject: Re: Over a decade of DDOS--any progress yet? >>> >>> >>>On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: >>> >>>> One big problem (IMHO) of DDoS is that sources (the host of >> botnets) may be completely unaware that they are part of a DDoS. I do >> not mean the bot machine, I mean the ISP connecting those. >>> >>>The technology exists to detect and classify this attack traffic, and >> is deployed in production networks today. >>> >>>And of course, the legitimate owners of the botted hosts are >> generally unaware that their machine is being used for nefarious >> purposes. >>> >>>> On the other hand the target of a DDoS cannot do anything to stop >> the attack besides adding more BW or contacting one by one the whole >> path of providers to try to minimize the effect. >>> >>>Actually, there're lots of things they can do. >>> >>>> I know that this has many security concerns, but would it be good >> a signalling protocol between ISPs to inform the sources of a DDoS >> attack in order to take semiautomatic actions to rate-limit the traffic >> as close as the source? Of course that this is more complex than these >> three or two lines, but I wonder if this has been considered in the >> past. >>> >>>It already exists. >>> >>>----------------------------------------------------------------------- >>>Roland Dobbins // >>> >>> Sell your computer and buy a guitar. >>>

From rdobbins at arbor.net Wed Dec 8 10:28:46 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 16:28:46 +0000 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> Message-ID:

On Dec 8, 2010, at 11:14 PM, Drew Weaver wrote: > I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.

Application-layer attacks aside, most packet-flooding attacks these days don't completely fill links, as there's no need for the attacker to do so.

----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar.

From jed at jedsmith.org Wed Dec 8 10:29:17 2010 From: jed at jedsmith.org (Jed Smith) Date: Wed, 8 Dec 2010 11:29:17 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID:

On Mon, Dec 6, 2010 at 2:50 AM, Sean Donelan wrote: > What progress has been made during the last decade at stopping DDOS > attacks? >

Observing Mastercard today, apparently none. Can't blame stupid users or Microsoft for this one, either. The 'attackers' are using a .NET tool which I'm sure all of us are familiar with, LOIC. It voluntarily (with user's consent!) adds their machine to a botnet controlled by somebody from 4chan over IRC. Because that can end well.

Blaming Microsoft for DoS attacks and spam is so passé. These mouthbreathers are the bigger threat, I think.

J

From jeffrey.lyon at blacklotus.net Wed Dec 8 10:30:15 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Wed, 8 Dec 2010 11:30:15 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4CFFAFA8.7010209@brightok.net> References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> <4CFFAFA8.7010209@brightok.net> Message-ID:

We see a lot of the UDP dest 0.
Depending on what you're hosting/protecting you can ACL a lot of the unneeded ports and protocols (easy) then focus on using appliances (commercially available or home grown if you're so inclined) to identify and scrub out the ambiguous traffic (a lot more difficult).

Jeff

On Wed, Dec 8, 2010 at 11:17 AM, Jack Bates wrote: > > > On 12/8/2010 10:13 AM, Drew Weaver wrote: >> >> The most common attacks that I have seen over the last 12 months, and >> let's say I have seen a fair share have been easily detectable by the source >> network. >> >> It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..) >> >> What valid application actually uses UDP 80? >> >> You could literally wipe out a large amount of these attacks by simply >> filtering this. >> >> -Drew > > You mean silly things like: > > Warning, it is an 87160 line flow capture. > > http://www.brightok.net/~abuse/ddos/flows.txt > > > Jack >

-- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions

From aaron_peterson at harvard.edu Wed Dec 8 10:30:37 2010 From: aaron_peterson at harvard.edu (Aaron Peterson) Date: Wed, 08 Dec 2010 11:30:37 -0500 Subject: [nanog] Re: Over a decade of DDOS--any progress yet? In-Reply-To: <4CFFA7B8.8000306@gmail.com> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> Message-ID: <4CFFB2AD.9090003@harvard.edu>

Hello:

On 12/8/10 10:43 AM, JC Dill wrote: > On 08/12/10 4:28 AM, Arturo Servin wrote: >> One big problem (IMHO) of DDoS is that sources (the host of >> botnets) may be completely unaware that they are part of a DDoS. I do >> not mean the bot machine, I mean the ISP connecting those. > > ISPs are not the source. The source is Microsoft. The source is > their buggy OS that is easily compromised to enable the computers to > be taken over as part of the botnet.
Many third party vendors like Adobe, Sun and others are just as culpable in this sense, if not more. A large majority of the vulnerabilities leveraged to deploy modern malware / botnets come from these client-side applications (e.g. flash, reader, java, etc) and not the OS specifically. It's beyond the point that we can blame just Microsoft. Yes, they can get better, but they've actually made great strides in software security in the last few years. Now that the other vendors are starting to feel the pain, hopefully they'll start to follow suit.

Aaron

From jbates at brightok.net Wed Dec 8 10:38:27 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 08 Dec 2010 10:38:27 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> Message-ID: <4CFFB483.8010304@brightok.net>

On 12/8/2010 10:28 AM, Dobbins, Roland wrote: > > Application-layer attacks aside, most packet-flooding attacks these > days don't completely fill links, as there's no need for the attacker > to do so. >

I think the difference here is scale. Packet-flooding attacks often do fill links; if the links drop to 155mb/s or below. I've seen some gig+ DOS, but that is less common. The DOS I posted a flow capture link for wasn't that large, but enough to flood out the little DS3 going to the small town where the target DSL customer was.

Jack

From jeffrey.lyon at blacklotus.net Wed Dec 8 10:41:31 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Wed, 8 Dec 2010 11:41:31 -0500 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4CFFB483.8010304@brightok.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> Message-ID:

< 1 Gbps attacks used to be standard issue but as of the past 90 days we have been seeing 2 - 8 Gbps a lot more frequently.

Jeff

On Wed, Dec 8, 2010 at 11:38 AM, Jack Bates wrote: > On 12/8/2010 10:28 AM, Dobbins, Roland wrote: >> >> Application-layer attacks aside, most packet-flooding attacks these >> days don't completely fill links, as there's no need for the attacker >> to do so. >> > > I think the difference here is scale. packet-flooding attacks often do > fill links; if the links drop to 155mb/s or below. I've seen some gig+ DOS, > but that is less common. The DOS I posted a flow capture link for wasn't > that large, but enough to flood out the little DS3 going to the small town > where the target DSL customers was. > > > Jack >

-- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions

From jay at prolexic.com Wed Dec 8 10:47:09 2010 From: jay at prolexic.com (Jay Coley) Date: Wed, 08 Dec 2010 16:47:09 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> Message-ID: <4CFFB68D.4080405@prolexic.com>

On 08/12/2010 16:14, Drew Weaver wrote: > I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack. > > thanks, > -Drew

This has been our recent experience as well. There are some pure app attacks, to be sure, but we see many blended attacks also.
Bandwidth (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH floods) attempting to run underneath the radar. We regularly see SYN floods these days > 20 Gb/s.

The thing to bear in mind is that app attacks *are* difficult to detect as they are low bandwidth and make a full TCP connection. As a result many IDS/Firewalls etc regularly miss these attacks.

Lastly there is usually always someone at the other end of these attacks watching what is working and what is not. If the attack doesn't work they will simply round up more bots to increase the attack bandwidth or change the attack vector.

Best, --J --- Jay Coley Prolexic Technologies

From jbates at brightok.net Wed Dec 8 10:49:11 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 08 Dec 2010 10:49:11 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> Message-ID: <4CFFB707.3090804@brightok.net>

On 12/8/2010 10:41 AM, Jeffrey Lyon wrote: > < 1 Gbps attacks used to be standard issue but as of the past 90 days > we have been seeing 2 - 8 Gbps a lot more frequently. >

That may well be true. I'm an eyeball network and I can usually point at a user pissing someone off on IRC/Forums for DOS instigating. I probably deal with 1 large scale attack per year at most, though most likely my attacks are from smaller botnet owners.

Jack

From rdobbins at arbor.net Wed Dec 8 10:49:28 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 16:49:28 +0000 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4CFFB483.8010304@brightok.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> Message-ID: <01750CED-ECA8-4A6A-9F53-F29EED505160@arbor.net>

On Dec 8, 2010, at 11:38 PM, Jack Bates wrote: > I think the difference here is scale. packet-flooding attacks often do > fill links; if the links drop to 155mb/s or below.

I'm not saying that link-flooding attacks don't happen; they certainly do, and on very big links, sometimes. But in the scheme of things, they don't happen nearly as often as they used to, as the attackers simply don't need to fill the links in order to accomplish their goals, in most cases.

It's also important to note that a lot of DDoS isn't directly perpetrated by those who wish the DDoS performed, but rather is hired out to botmasters who're paid to execute the attacks. Even if the person who is the motivating force behind the attack is paying in stolen credit cards or whatever, he doesn't want to pay for more than is needed to accomplish his goal.

----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar.

From drew.weaver at thenap.com Wed Dec 8 10:53:20 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 8 Dec 2010 11:53:20 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> Message-ID:

You can get a dedicated server for $80 with a 1Gbps connection to the Internet without looking that hard. It is pretty easy/cheap to kill a 1Gbps connection nowadays.
Soon several providers will begin offering dedicated servers with a 10Gbps connection to a single machine.

-Drew

-----Original Message----- From: Jeffrey Lyon [mailto:jeffrey.lyon at blacklotus.net] Sent: Wednesday, December 08, 2010 11:42 AM To: Jack Bates Cc: North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet?

< 1 Gbps attacks used to be standard issue but as of the past 90 days we have been seeing 2 - 8 Gbps a lot more frequently.

Jeff

On Wed, Dec 8, 2010 at 11:38 AM, Jack Bates wrote: > On 12/8/2010 10:28 AM, Dobbins, Roland wrote: >> >> Application-layer attacks aside, most packet-flooding attacks these >> days don't completely fill links, as there's no need for the attacker >> to do so. >> > > I think the difference here is scale. packet-flooding attacks often do > fill links; if the links drop to 155mb/s or below. I've seen some gig+ DOS, > but that is less common. The DOS I posted a flow capture link for wasn't > that large, but enough to flood out the little DS3 going to the small town > where the target DSL customers was. > > > Jack >

-- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions

From rdobbins at arbor.net Wed Dec 8 10:53:34 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 16:53:34 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4CFFB68D.4080405@prolexic.com> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> Message-ID:

On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: > This has been our recent experience as well.
I see link-filling attacks with some regularity; but again, what I'm saying is simply that they aren't as prevalent as they used to be, because the attackers don't *need* to fill links in order to achieve their goals, in many cases.

That being said, high-bandwidth DNS reflection/amplification attacks tip the scales, every time.

> Lastly there is usually always someone at the other end of these attacks watching what is working and what is not

This is a very important point - determined attackers will observe and react in order to try and defeat successful countermeasures, so the defenders must watch for shifting attack vectors.

----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar.

From mc3401 at columbia.edu Wed Dec 8 10:58:46 2010 From: mc3401 at columbia.edu (Michael Costello) Date: Wed, 8 Dec 2010 11:58:46 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> Message-ID: <20101208115846.4b43ff25@mead.decaying.org>

On Wed, 8 Dec 2010 11:13:01 -0500 Drew Weaver wrote: > The most common attacks that I have seen over the last 12 months, and > let's say I have seen a fair share have been easily detectable by the > source network. > > It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port > 0..) > > What valid application actually uses UDP 80?

The Cisco NAC client for Macs, for the purpose of "VLAN change detection", sends UDP/80 packets to the host's reversed default gateway (i.e., if the actual gateway is 1.2.3.4, it sends the packets to 4.3.2.1) once every five seconds.

mc

From rsm at fast-serv.com Wed Dec 8 10:59:09 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Wed, 8 Dec 2010 11:59:09 -0500 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> Message-ID: <20101208165833.M7988@fast-serv.com>

> Soon several providers will begin offering dedicated servers with a > 10Gbps connection to a single machine. > > -Drew >

Several already do.

-Randy

From andrew.wallace at rocketmail.com Wed Dec 8 11:00:25 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Wed, 8 Dec 2010 09:00:25 -0800 (PST) Subject: Mastercard problems Message-ID: <995192.18569.qm@web59601.mail.ac4.yahoo.com>

It appears the site is under a sustained attack, CNET reports.

http://news.cnet.com/8301-13578_3-20024966-38.html

Andrew

From hescominsoon at emmanuelcomputerconsulting.com Wed Dec 8 11:14:15 2010 From: hescominsoon at emmanuelcomputerconsulting.com (William Warren) Date: Wed, 08 Dec 2010 12:14:15 -0500 Subject: Mastercard problems In-Reply-To: <995192.18569.qm@web59601.mail.ac4.yahoo.com> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> Message-ID: <4CFFBCE7.8050706@emmanuelcomputerconsulting.com>

On 12/8/2010 12:00 PM, andrew.wallace wrote: > It appears the site is under a sustained attack, CNET reports. > > > http://news.cnet.com/8301-13578_3-20024966-38.html > > > Andrew >

It's only their main website; it has not affected their ability to process payments as of yet.
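Picking up the "Over a decade of DDOS" thread above (Drew Weaver's UDP/80 and UDP-fragment observation, Jack Bates's flow capture and per-host /32 blackholes, and Michael Costello's Cisco NAC caveat about legitimate low-rate UDP/80), here is an added example of the triage a defender would run over flow records before deciding what to blackhole. It is not code from any poster, provider or appliance; the record format and the addresses are constructed for this example and are not the format of the linked flows.txt, and the thresholds are assumptions to tune per network.

```python
"""Flow-record triage for the UDP/80 and UDP-fragment flood pattern discussed
in the thread.  Added example, not code from any poster or vendor appliance.
The line format below is constructed for this example and is NOT the format
of the flows.txt capture linked in the thread."""
from collections import defaultdict
from dataclasses import dataclass, field

UDP = 17

# Constructed sample records: "src_ip dst_ip proto src_port dst_port packets bytes".
# 198.51.100.7 is the constructed target; 198.51.100.9 sees one low-rate UDP/80
# talker, the kind of legitimate traffic the NAC-client remark describes.
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.7 17 53211 80 4000 2048000
203.0.113.11 198.51.100.7 17 41002 80 3900 1996800
203.0.113.12 198.51.100.7 17 60001 80 4100 2099200
203.0.113.13 198.51.100.7 17 0 0 5000 7000000
203.0.113.14 198.51.100.7 17 0 0 5200 7280000
203.0.113.15 198.51.100.7 17 0 0 4800 6720000
192.0.2.5 198.51.100.9 17 49152 80 12 720
192.0.2.50 198.51.100.20 6 51000 80 300 150000
192.0.2.60 198.51.100.7 17 40000 53 40 4000
"""


@dataclass
class DstStats:
    """Per-destination counters for the two signatures named in the thread."""
    udp80_sources: set = field(default_factory=set)
    udp80_packets: int = 0
    frag_sources: set = field(default_factory=set)
    frag_packets: int = 0


def parse_flows(text):
    """Yield (src, dst, proto, sport, dport, packets, bytes); blank and '#' lines skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, nbytes = line.split()
        yield src, dst, int(proto), int(sport), int(dport), int(pkts), int(nbytes)


def aggregate(flows):
    """Bucket UDP flows by destination: dst port 80, and port 0/0, which is how
    flow exporters typically record non-initial fragments (no UDP header)."""
    stats = defaultdict(DstStats)
    for src, dst, proto, sport, dport, pkts, _ in flows:
        if proto != UDP:
            continue
        if dport == 80:
            stats[dst].udp80_sources.add(src)
            stats[dst].udp80_packets += pkts
        elif dport == 0 and sport == 0:
            stats[dst].frag_sources.add(src)
            stats[dst].frag_packets += pkts
    return stats


def flag_targets(stats, min_sources=3, min_packets=1000):
    """Return {dst: [reasons]} for destinations hit from several sources at volume.
    Requiring distinct sources AND volume keeps a single periodic UDP/80 sender
    from being mistaken for an attack; the thresholds are assumptions to tune."""
    flagged = {}
    for dst, s in stats.items():
        reasons = []
        if len(s.udp80_sources) >= min_sources and s.udp80_packets >= min_packets:
            reasons.append(f"udp/80 flood: {len(s.udp80_sources)} sources, {s.udp80_packets} packets")
        if len(s.frag_sources) >= min_sources and s.frag_packets >= min_packets:
            reasons.append(f"udp fragment flood: {len(s.frag_sources)} sources, {s.frag_packets} packets")
        if reasons:
            flagged[dst] = reasons
    return flagged


def classify(text, **thresholds):
    """Parse, aggregate and flag in one call; returns the flag_targets() dict."""
    return flag_targets(aggregate(parse_flows(text)), **thresholds)


if __name__ == "__main__":
    for dst, reasons in classify(SAMPLE_FLOWS).items():
        # A flagged /32 is a candidate for the per-host blackhole described in the
        # thread, after a human confirms it is not infrastructure that must stay reachable.
        print(f"{dst}/32: " + "; ".join(reasons))
```

The point of the two-part threshold is the caveat raised in the thread: a single host sending a UDP/80 packet every five seconds never reaches the distinct-source count, so a blanket "drop UDP/80" rule is not what this produces; it produces a short list of destinations for a human to review against the "does this IP need to be reachable" question before any /32 blackhole is announced.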
From john-nanog at johnpeach.com Wed Dec 8 11:14:15 2010 From: john-nanog at johnpeach.com (John Peach) Date: Wed, 8 Dec 2010 12:14:15 -0500 Subject: Mastercard problems In-Reply-To: <4CFFBCE7.8050706@emmanuelcomputerconsulting.com> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBCE7.8050706@emmanuelcomputerconsulting.com> Message-ID: <20101208121415.26a50fde@jpeach-desktop.anbg.mssm.edu>

On Wed, 08 Dec 2010 12:14:15 -0500 William Warren wrote: > On 12/8/2010 12:00 PM, andrew.wallace wrote: > > It appears the site is under a sustained attack, CNET reports. > > > > http://news.cnet.com/8301-13578_3-20024966-38.html > > > > Andrew > > > It's only their main website it has not affected their ability to > process payments as of yet.

Yes it has: http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/

> -- John

From joseph.prasad at gmail.com Wed Dec 8 11:18:40 2010 From: joseph.prasad at gmail.com (Joseph Prasad) Date: Wed, 8 Dec 2010 09:18:40 -0800 Subject: Mastercard problems In-Reply-To: <995192.18569.qm@web59601.mail.ac4.yahoo.com> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> Message-ID:

google = "Operation: Payback"

On Wed, Dec 8, 2010 at 9:00 AM, andrew.wallace < andrew.wallace at rocketmail.com> wrote: > It appears the site is under a sustained attack, CNET reports. > > > http://news.cnet.com/8301-13578_3-20024966-38.html > > > Andrew >

From jbates at brightok.net Wed Dec 8 11:24:00 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 08 Dec 2010 11:24:00 -0600 Subject: Mastercard problems In-Reply-To: References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> Message-ID: <4CFFBF30.3070100@brightok.net>

On 12/8/2010 11:18 AM, Joseph Prasad wrote: > google = "Operation: Payback" >

Sadly, our ineffective government probably won't bring these perpetrators to justice. I have no real opinion concerning wikileaks, but DOS attacks cannot be justified.
Jack

From william.mccall at gmail.com Wed Dec 8 11:28:58 2010 From: william.mccall at gmail.com (William McCall) Date: Wed, 8 Dec 2010 11:28:58 -0600 Subject: Mastercard problems In-Reply-To: <4CFFBF30.3070100@brightok.net> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> Message-ID:

On Wed, Dec 8, 2010 at 11:24 AM, Jack Bates wrote: > On 12/8/2010 11:18 AM, Joseph Prasad wrote: >> >> google = "Operation: Payback" >> > > Sadly, our ineffective government probably won't bring these perpetrators to > justice. I have no real opinion concerning wikileaks, but DOS attacks cannot > be justified. > > > Jack >

Are you prepared for "information terrorism" laws?

-- William McCall, CCIE #25044

From jbates at brightok.net Wed Dec 8 11:34:23 2010 From: jbates at brightok.net (Jack Bates) Date: Wed, 08 Dec 2010 11:34:23 -0600 Subject: Mastercard problems In-Reply-To: References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> Message-ID: <4CFFC19F.2070001@brightok.net>

On 12/8/2010 11:28 AM, William McCall wrote: > > Are you prepared for "information terrorism" laws? >

DOS attacks are already illegal. I question the ability to track responsible parties down and have appropriate proof to actually prosecute. Let's be honest. Even in the 20th century, more people had been caught by bragging in public than by backtracking.

Jack

From thomas.mangin at exa-networks.co.uk Wed Dec 8 11:51:31 2010 From: thomas.mangin at exa-networks.co.uk (Thomas Mangin) Date: Wed, 8 Dec 2010 17:51:31 +0000 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> Message-ID:

On 8 Dec 2010, at 15:40, Dobbins, Roland wrote: > On Dec 8, 2010, at 10:36 PM, Thomas Mangin wrote: > >> If you are a smaller network, you need the filtering to be performed by your transit provider, as your uplink will otherwise be congested. > > Actually, most DDoS attacks aren't link-flooding attacks - this hasn't been true for the last ~7 years or so. > > I'm not saying it doesn't happen, because it does, and sometimes quite spectacularly - but in most cases, the attackers don't have to flood the link to achieve their desired goal.

Fair point. I never had to face any intelligent type of DDOS ... lucky me :)

Thomas

From eugen at leitl.org Wed Dec 8 12:13:03 2010 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 8 Dec 2010 19:13:03 +0100 Subject: NWW: Fix to Chinese Internet traffic hijack due in January Message-ID: <20101208181303.GY9434@leitl.org>

http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n

Fix to Chinese Internet traffic hijack due in January

Registries to issue digital certificates for verifying IP addresses, routing prefixes

By Carolyn Duffy Marsan, Network World December 07, 2010 11:39 AM ET

Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol.
Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way.

Beginning Jan. 1, Internet registries will add a layer of encryption to their operations so that ISPs and other network operators can verify that they have the authority to route traffic for a block of IP addresses or routing prefixes known as Autonomous System Numbers.

The fix, known as Resource Public Key Infrastructure (RPKI), is not perfect. It will require adoption by all of the Internet registries as well as major ISPs before it can provide a significant amount of protection against incidents such as when China Telecom hijacked 15% of the world's Internet traffic in April.

Proponents of RPKI say it is a much-needed first step in improving the security of the Border Gateway Protocol (BGP), which is the core routing protocol of the Internet. Not everyone believes it will work.

At a minimum, RPKI, if widely adopted, should prevent ISPs from accidentally disrupting the flow of Internet traffic with erroneous routing information.

Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC), says RPKI will eliminate many routing incidents including the China Telecom hijacking when it is coupled with follow-on work aimed at securing BGP routes.
"The intent of the overall work, which involves the RPKI as the underlying security platform and secure BGP as a way of introducing signed credentials into the routing system, is to make lies in the routing system automatically detectable and, therefore, automatically removable," Huston says. "It will eliminate a large class of problems ... Such a system would directly address the [China Telecom] incident."

The RPKI development effort was funded in part by the U.S. Department of Homeland Security, which has made bolstering the security of the Internet's routing system a key cybersecurity initiative. How quickly RPKI will be adopted is unknown. Among the companies that have helped design RPKI are Cisco, Google, Deutsche Telecom, NTT, Sprint and Equinix.

"RPKI will solve the vast majority of routing problems that crop up, but it's not the final solution," says Stephen Kent, chief scientist for information security at Raytheon BBN Technologies and a contributor to the RPKI standards effort.

Kent says RPKI must be followed by adding security for route paths to BGP, which is under development. This BGP update will take longer and be more expensive to deploy than RPKI because it will require network operators to upgrade their routers.

"If it turns out that RPKI solves 80% or 90% of the issues, then there is a tremendous benefit from that," Kent says. "RPKI is the basis for doing the fancier stuff later."

Routing attacks multiply

The China Telecom incident is the latest in a string of high-profile Internet routing attacks, such as when Pakistan Telecom brought down YouTube's Web site for two hours in February 2008 or when Malaysian ISP DataOne hijacked traffic to Yahoo's Santa Clara data center in May 2004.

RPKI was created by the Internet Engineering Task Force's Secure Inter-Domain Routing (SIDR) working group, which has been working on routing security since 2005.
RPKI allows ISPs and other network operators to generate digital signatures that verify that they have the authority to make changes to Internet resources such as IP addresses or routing prefixes. Most of the standards documents that describe how RPKI works are in the final stages of approval at the IETF.

"There's been a push to get these documents out and approved," Kent says. "I think they will be popping out through the ... first quarter of next year."

One factor driving the release of the RPKI standards is that the regional Internet registries have already committed to start issuing production-quality certificates to their members. The registries have been working for several years to get the processes, procedures and software in place to support RPKI. They've also been improving the accuracy of their databases that list which IP addresses and routing prefixes are allocated to particular network operators.

APNIC already has a resource certification system in production mode. Several other registries, including Europe's RIPE NCC, plan to go live with their implementations of RPKI on Jan. 1, 2011. The American Registry for Internet Numbers (ARIN), which provides IP addresses and routing prefixes to ISPs in North America, said it will support RPKI in the second quarter of 2011.

"ARIN plans to release a production-grade Resource Certification service early in the second quarter of 2011," says Mark Kosters, CTO of ARIN. "There is a pilot program as an interim measure that has been in place since June 2009."

Network operators must verify their IP addresses and routing prefixes with their registries through the new RPKI system, and they will need to check the authoritative database created by the registries to construct their routing filters. Various organizations including Raytheon BBN have created open source software to handle this extra network management function.

"For the really small ISPs, the Web portal design by [registries] makes this trivial.
They have to do it once, and set it and forget it," Kent says. "If you're a big ISP, then it will take more effort to integrate [RPKI] into your overall system."

Enterprises that multi-home their networks, or split their network traffic between multiple carriers, can take advantage of RPKI if they want the extra protection it provides. Huston says enterprise network managers should support the RPKI effort because it bolsters the security of the Internet's routing infrastructure and protects against snooping, traffic redirection, distributed denial of service and man-in-the-middle attacks.

"Everyone ultimately relies on the public network," Huston says. "Enterprise folk use it for VPNs, they use it for public facing services, they use it for business-to-business communication. If you can subvert the integrity of the routing system and send packets to the wrong places, all kinds of risks ensue."

Doubts about RPKI

Not everyone thinks RPKI is going to work.

"I'm not wildly optimistic about it," says Bill Woodcock, research director for the Packet Clearing House, which offers open source software called the Prefix Sanity Checker that's used by ISPs to check BGP routing filters for errors.

"The theory behind RPKI is that you would do a cryptographic signing of your routing announcements and that other people would build filters to not allow routes that didn't include that cryptographic signature," Woodcock explains. "It's more complicated than our software, and it only works if the person on the other end has done this crypto operation."

Woodcock says network operators are notoriously bad at maintaining current information about their IP addresses and routing prefixes in databases operated by the regional registries. And they're also lax about using software such as Prefix Sanity Checker to avoid typographical errors. That's why he thinks it's unlikely that enough ISPs will deploy something as complex as RPKI.
"There's no user demand for this, which is going to make it hard to cram down the throats of network operators," Woodcock adds. Woodcock says network operators misconfigure routers regularly, and that there's no reason to believe the China Telecom incident is anything other than another mistake. "This was an embarrassment for the entire world to see," he says. "If it had been malicious, it's very likely it would have taken a very different form. ? The things to look for in a real attack would be specific individual targets whose traffic was being diverted and a cover-up of that. This was so obvious and blatant." Craig Labovitz, chief scientist at Arbor Networks, says he can't tell if the China Telecom incident was accidental or malicious. Labovitz studied errors in routing prefixes for his PhD research 15 years ago. "I just don't know" if China Telecom was being malicious, Labovitz says. "We've seen many errors in the past: errors and fat fingers and incompetence. But at the same time, we've seen malicious use of BGP by spammers." Labovitz says network operators can take steps such as filtering router announcements to avoid these kinds of traffic hijacking incidents between now and when RPKI is widely deployed. "There are things that can be done today without any additional spending, without upgrading routers, but they are just not being done," Labovitz says. "A best common practice for ISPs is that you should filter routing announcements from your customers. It's a little bit depressing that after 15 years, we have large sections of the Internet that are not following best common engineering packages." Labovitz says it may take a more significant routing incident than China Telecom's to prompt deployment of RPKI and BGP security. He points to the example of the Kaminsky threat, which is propelling domain name registries to support new security measures. DNS security "took an event that was so scary to force action," Labovitz says. 
"Maybe the growing number of BGP incidents will be enough to drive industry and government consensus to act?I think this is something that we need to fix, and we are on borrowed time." From woody at pch.net Wed Dec 8 12:23:46 2010 From: woody at pch.net (Bill Woodcock) Date: Wed, 8 Dec 2010 10:23:46 -0800 Subject: NWW: Fix to Chinese Internet traffic hijack due in January In-Reply-To: <20101208181303.GY9434@leitl.org> References: <20101208181303.GY9434@leitl.org> Message-ID: On Dec 8, 2010, at 10:13 AM, Eugen Leitl wrote: > http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n > Fix to Chinese Internet traffic hijack due in January FWIW, I was fairly unhappy with how PCH was portrayed in the article... That was the product of a very long interview, and we certainly didn't suggest that the Prefix Sanity Checker was an _alternative_ to RPKI. I very much think routing security is a critical issue, the Prefix Sanity Checker was a baby-step in that direction, which will help some people some of the time; tools that perform a cryptographic verification of RADb-style origin and transitive-path assertions are the obvious next step, and I'd very much like to see them developed. It does seem to me, and a lot of people who've talked with me about it, however, that using existing cryptographic methods on top of existing routing-policy methods, would get us further, faster, than trying to cook up some whole new single-purpose protocol from scratch. That was the essence of the interview I gave, and I don't think that message made it through into the finished article very obviously. -Bill -------------- next part -------------- A non-text attachment was scrubbed... 
From mirotrem at gmail.com Wed Dec 8 12:25:59 2010 From: mirotrem at gmail.com (Chadwick Sorrell) Date: Wed, 8 Dec 2010 13:25:59 -0500 Subject: ALT-DB Question Message-ID:

Hello,

I'm sending a new MAINT-AS object to the db-admin at altdb.net, but it doesn't appear to be in the database after a few weeks. Are there any requirements that I may be missing on my new request, or some sort of way I can help get it processed? Basically wondering if I'm just not waiting long enough, or if I've done something wrong.

Thanks,
-chad

From iljitsch at muada.com Wed Dec 8 12:30:52 2010 From: iljitsch at muada.com (Iljitsch van Beijnum) Date: Wed, 8 Dec 2010 19:30:52 +0100 Subject: Start accepting longer prefixes as IPv4 depletes? Message-ID: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>

(My apologies if this has been discussed before, I haven't been keeping up with NANOG as well as I should lately.)

As the IPv4 address space depletes, various types of use that requires IPv4 addresses will get harder. In some cases, this is unavoidable: if you want to connect a million broadband users you need a million addresses. But for hosting activities you don't need that much space. In fact, often people have to be very creative to qualify for a /24 (/20 even in ARIN-land?) just so they have a large enough assignment that they can announce it in BGP and expect it to be reachable. But you really don't need a /20 or even a /24 to host websites or the like.

Why not move away from that /24 requirement and start allowing /28s or a prefix length like that in the global routing table? This will allow content people to stay on IPv4 longer with fewer compromises, so we don't have to start thinking about NAT46 solutions in the near future. (NAT46 is really best avoided.)

There are two issues:

1. Growth of the routing table.
My answer to this is: although a smaller table would be good, we've been living with 16% or so growth for a decade before the IPv4 crunch, if going to < /28 instead of < /24 allows this growth to continue some more years there is no additional harm. And there is no evidence that /28s will create more growth than unconstrained /24s like we had before the IPv4 crunch.

2. People who think it's neat to deaggregate their /16 into 256 /24 will now go for 4096 /28s. To avoid this, the new /28s should come from separate ranges to be identified by the RIRs. So /28 would only be allowed for this new space that is given out as /28, not for anything that already exists and was thus given out as much bigger blocks.

Thoughts?

I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.

From mpetach at netflight.com Wed Dec 8 12:34:31 2010 From: mpetach at netflight.com (Matthew Petach) Date: Wed, 8 Dec 2010 10:34:31 -0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4CFFB68D.4080405@prolexic.com> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> Message-ID:

On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley wrote:
> On 08/12/2010 16:14, Drew Weaver wrote:
>> I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.
>>
>> thanks,
>> -Drew
>
> This has been our recent experience as well. There are some pure app attacks, to be sure, but we see many blended attacks also. Bandwidth (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH floods) attempting to run underneath the radar. We regularly see SYN floods these days > 20 Gb/s.

Another thing to be aware of--when you get hit with what seems to be a "simple" flooding attack aimed at one point of your infrastructure...
start checking your logs at _other_ places in your network very, VERY carefully. There seems to be a trend of using larger-scale flooding, or other simple types of attacks to get all the network people at an organization rushing over to throw resources and energy at it...while the real target of the attack is something completely different, on a different subnet, in a different part of the company; and that attack is small, carefully focused at its target, and is designed to be relatively quiet. The "big" attack is used simply to ensure all the human energy is focused on the wrong place, increasing the chance that what otherwise might have caused raised eyebrows and double-checking of logs/IDS alerts, etc. gets missed while everyone is focusing on the "big" attack.

> The thing to bear in mind is that app attacks *are* difficult to detect as they are low bandwidth and make a full TCP connection. As a result many IDS/Firewalls etc regularly miss these attacks.
>
> Lastly there is usually always someone at the other end of these attacks watching what is working and what is not. If the attack doesn't work they will simply round up more bots to increase the attack bandwidth or change the attack vector.

And, in what seems to be an increasing trend, what they are watching for is *not* necessarily the result of the large botnet attack; they're checking on the results of their targeted probes elsewhere in the network, or on the outbound set of connections from a compromised machine within an organization; after all, during a huge DDoS attack, with everyone focusing on a set of uplinks being flooded with _inbound_ traffic, who is going to notice the (relatively smaller) outbound spike of traffic as the compromised machine sends out a copy of your internal intellectual property to the miscreant recipients?
Matt
(speaking purely hypothetically, of course, and definitely not on behalf of any institution or entity other than myself)

From rdobbins at arbor.net Wed Dec 8 12:41:35 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 18:41:35 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> Message-ID: <7C83A04E-54FE-4B35-B08B-4CED85AF840E@arbor.net>

On Dec 9, 2010, at 1:34 AM, Matthew Petach wrote:
> There seems to be a trend of using larger-scale flooding, or other simple types of attacks to get all the network people at an organization rushing over to throw resources and energy at it.

Concur, the more serious attackers use diversionary attacks or 'demonstrations' like this from time to time, absolutely.

-----------------------------------------------------------------------
Roland Dobbins // Sell your computer and buy a guitar.

From morrowc.lists at gmail.com Wed Dec 8 12:47:49 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 8 Dec 2010 13:47:49 -0500 Subject: Mastercard problems In-Reply-To: <4CFFC19F.2070001@brightok.net> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> Message-ID:

On Wed, Dec 8, 2010 at 12:34 PM, Jack Bates wrote:
> On 12/8/2010 11:28 AM, William McCall wrote:
>> Are you prepared for "information terrorism" laws?
>
> DOS attacks are already illegal. I question the ability to track responsible parties down and have appropriate proof to actually prosecute.
>
> Let's be honest. Even in the 20th century, more people had been caught by bragging in public than by backtracking.

so...
the loic tool uses the host's local address, the attacks are all HTTP based, or tcp/80 with malformed HTTP... someone with server logs could certainly get a list of the ips involved and hand that over to the FBI for proper action. I know that the folks involved on the MC side already have this data, and that the fbi is interested in it.

-chris

From mpetach at netflight.com Wed Dec 8 12:59:16 2010 From: mpetach at netflight.com (Matthew Petach) Date: Wed, 8 Dec 2010 10:59:16 -0800 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID:

On Wed, Dec 8, 2010 at 10:30 AM, Iljitsch van Beijnum wrote:
> (My apologies if this has been discussed before, I haven't been keeping up with NANOG as well as I should lately.)
>
> As the IPv4 address space depletes, various types of use that requires IPv4 addresses will get harder. In some cases, this is unavoidable: if you want to connect a million broadband users you need a million addresses. But for hosting activities you don't need that much space. In fact, often people have to be very creative to qualify for a /24 (/20 even in ARIN-land?) just so they have a large enough assignment that they can announce it in BGP and expect it to be reachable. But you really don't need a /20 or even a /24 to host websites or the like.
>
> Why not move away from that /24 requirement and start allowing /28s or a prefix length like that in the global routing table? This will allow content people to stay on IPv4 longer with fewer compromises, so we don't have to start thinking about NAT46 solutions in the near future. (NAT46 is really best avoided.)
>
> There are two issues:
>
> 1. Growth of the routing table.
> My answer to this is: although a smaller table would be good, we've been living with 16% or so growth for a decade before the IPv4 crunch, if going to < /28 instead of < /24 allows this growth to continue some more years there is no additional harm. And there is no evidence that /28s will create more growth than unconstrained /24s like we had before the IPv4 crunch.

Just because we've been treading water as fast as possible to try to stay above the drowning point in small prefix ranges does *not* mean we have extra headroom to waste on even smaller ranges. I've started contemplating filtering out blocks smaller than /22, and trusting that somewhere, someone will be sending out a supernet that covers the smaller bits.

As has been said elsewhere, previously; just because you have been allocated IP space does *not* in any way, shape, or form guarantee routability and reachability. The smaller your chunk of space, the less likely it is that other people will choose to listen to it as something discrete from the supernets that may cover it (up to, and including default).

You are free to announce whatever small prefix size you would like already, today. However, it is unlikely anyone thinks so poorly of their routers as to blindly accept any and all such small prefixes from the internet at large. It is unlikely you will get much traction in getting those filters updated, due to the increasing stress today's routers are under.

> 2. People who think it's neat to deaggregate their /16 into 256 /24 will now go for 4096 /28s. To avoid this, the new /28s should come from separate ranges to be identified by the RIRs. So /28 would only be allowed for this new space that is given out as /28, not for anything that already exists and was thus given out as much bigger blocks.
>
> Thoughts?

Just move to v6, already. v4 is done. trying to keep it on life support is going to cost everyone time, money, and reduced life span due to increased stress.
If you have not informed your senior executives that the IPv4 space you have today is likely to be all that you will ever have, as a techie, you are doing your company a disservice. If you have not informed them that in order to expand their business at all in the future, they will need to be prepared to do so using IPv6, and not IPv4, you are doing them a disservice.

For new entrants into the market, who want to dip their toe into content hosting, but do not have IPv4 addresses of their own--work with an upstream provider, and get a rent-a-block of v4 from them. Get your primary infrastructure on IPv6, and use a rent-a-block of v4 space from an upstream to host a 4-to-6 proxy box to allow legacy v4 users to reach your content. I'm partial to http://trafficserver.apache.org/ myself as a v4/v6 proxy platform, but you can pick any platform you like. Configure your DNS to return quad-As that point to your real v6-based infrastructure, and configure the A record to point to your v4/v6 proxy box. All done. No need for anyone else to have to accept little tiny chunks of v4 space.

> I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.

Sorry...can't help you on that front. :(

Matt

From gbonser at seven.com Wed Dec 8 13:01:43 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 8 Dec 2010 11:01:43 -0800 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDD8@RWC-EX1.corp.seven.com>

> There are two issues:
>
> 1. Growth of the routing table. My answer to this is: although a smaller table would be good, we've been living with 16% or so growth for a decade before the IPv4 crunch, if going to < /28 instead of < /24 allows this growth to continue some more years there is no additional harm.
> And there is no evidence that /28s will create more growth than unconstrained /24s like we had before the IPv4 crunch.
>
> 2. People who think it's neat to deaggregate their /16 into 256 /24 will now go for 4096 /28s. To avoid this, the new /28s should come from separate ranges to be identified by the RIRs. So /28 would only be allowed for this new space that is given out as /28, not for anything that already exists and was thus given out as much bigger blocks.
>
> Thoughts?

Growth of the routing table will be a much larger issue once the stampede to v6 occurs. A v6 route takes 4x the resources of a v4 route. Assuming everyone multihomed in v4 space will also be multihomed in v6 space and assuming that people are going to operate in both v4 and v6 space at the same time, not only will the v4 table explode in size as it fragments, so will the v6 table explode in size at the same time. Granted there will be some consolidation through aggregation with v6 and entities who have multiple discontiguous v4 nets might consolidate into a larger v6 bloc but nevertheless, they are going to have announcements in both spaces.

People dual-stacking that have routers capable of <1 million v4 routes are going to have to rethink their strategy if they are currently collecting full routes in both v4 and v6. If compromise must be made, where is one to make it? I believe that will happen with v4 because v6 will be seen as where the growth is and where the future lies and v4 seen as "legacy" and if one must compromise, compromise where you see future decline, not where there will be future growth.

So, imagine a multihomed end site announcing a chunk out of one of their provider's PA space where they have that provider de-aggregate that route because the more specific is also being announced by one or more other providers.
I believe the first place where compromises might be made in such cases is "I am not going to accept more specifics from PA space but I will accept small blocks from PI space". Some do that today in v6 space but I have a hunch that will begin to happen more in v4 as it begins to fragment and people become resource constrained. The result will be that some sites might find that their multihoming using v4 PA space isn't working as well as it used to, which will provide yet greater incentive to move to v6.

To summarize: I believe it is going to be more difficult to get people to accept route announcements for smaller v4 blocks as the v6 table ramps up if they are dual-stacking v4 and v6 on the same gear. Put another way, I don't believe there is going to be a lot of support in bending over backwards to support yet more v4 brokenness or if the support is there in theory, there may not be as much support in practice once the herd begins to move to v6 and v4 starts to shatter into little tiny fragments.

From gbonser at seven.com Wed Dec 8 13:07:56 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 8 Dec 2010 11:07:56 -0800 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDDA@RWC-EX1.corp.seven.com>

> Just move to v6, already. v4 is done. trying to keep it on life support is going to cost everyone time, money, and reduced life span due to increased stress.

Exactly. People need to adopt the "v4 is done" mindset and work going forward on that premise.

From mohacsi at niif.hu Wed Dec 8 13:10:46 2010 From: mohacsi at niif.hu (Mohacsi Janos) Date: Wed, 8 Dec 2010 20:10:46 +0100 (CET) Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID:

Dear Iljitsh,

Do you plan to put /28 into the DFZ routing table? You thought about routing table capacity of today's routers... I think prefix length around /22 is accepted, but blindly accepting any /24 prefix is not a reality today. What about the stability of the routing table without aggregation? Do you consider BGP churning? Do you think adopting LISP or similar architectures to reduce the problems mentioned above?

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Deputy Director of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Wed, 8 Dec 2010, Iljitsch van Beijnum wrote:
> (My apologies if this has been discussed before, I haven't been keeping up with NANOG as well as I should lately.)
>
> As the IPv4 address space depletes, various types of use that requires IPv4 addresses will get harder. In some cases, this is unavoidable: if you want to connect a million broadband users you need a million addresses. But for hosting activities you don't need that much space. In fact, often people have to be very creative to qualify for a /24 (/20 even in ARIN-land?) just so they have a large enough assignment that they can announce it in BGP and expect it to be reachable. But you really don't need a /20 or even a /24 to host websites or the like.
>
> Why not move away from that /24 requirement and start allowing /28s or a prefix length like that in the global routing table? This will allow content people to stay on IPv4 longer with fewer compromises, so we don't have to start thinking about NAT46 solutions in the near future. (NAT46 is really best avoided.)
>
> There are two issues:
>
> 1. Growth of the routing table.
> My answer to this is: although a smaller table would be good, we've been living with 16% or so growth for a decade before the IPv4 crunch, if going to < /28 instead of < /24 allows this growth to continue some more years there is no additional harm. And there is no evidence that /28s will create more growth than unconstrained /24s like we had before the IPv4 crunch.
>
> 2. People who think it's neat to deaggregate their /16 into 256 /24 will now go for 4096 /28s. To avoid this, the new /28s should come from separate ranges to be identified by the RIRs. So /28 would only be allowed for this new space that is given out as /28, not for anything that already exists and was thus given out as much bigger blocks.
>
> Thoughts?
>
> I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.

From graham at apolix.co.za Wed Dec 8 13:12:45 2010 From: graham at apolix.co.za (Graham Beneke) Date: Wed, 08 Dec 2010 21:12:45 +0200 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <4CFFD8AD.5040505@apolix.co.za>

On 08/12/2010 20:30, Iljitsch van Beijnum wrote:
> Why not move away from that /24 requirement and start allowing /28s or a prefix length like that in the global routing table? This will allow content people to stay on IPv4 longer with fewer compromises, so we don't have to start thinking about NAT46 solutions in the near future. (NAT46 is really best avoided.)

This was discussed at length during the policy discussions at the recent AfriNIC conference. The soft landing policy was passed with a provision to allocate blocks as small as /27. Warning labels were pasted all over this but were ultimately overlooked in favour of getting the policy adopted ASAP.

> 1. Growth of the routing table.
> My answer to this is: although a smaller table would be good, we've been living with 16% or so growth for a decade before the IPv4 crunch, if going to < /28 instead of < /24 allows this growth to continue some more years there is no additional harm. And there is no evidence that /28s will create more growth than unconstrained /24s like we had before the IPv4 crunch.

For one thing the /24 limit places a barrier to entry on de-aggregation. I don't think that there will be a shortage of prefixes post exhaustion. /24s will be easy to carve out of larger allocations for trading/redistribution.

On the operational side I have come across people who carry partial tables on their networks to avoid spending money on upgrades. One way that they seem to be pruning their tables is to drop long prefixes (just dropping /24 makes a big difference). I suspect that this will happen more as people focus their effort and CPU cycles on making IPv6 work.

> 2. People who think it's neat to deaggregate their /16 into 256 /24 will now go for 4096 /28s. To avoid this, the new /28s should come from separate ranges to be identified by the RIRs. So /28 would only be allowed for this new space that is given out as /28, not for anything that already exists and was thus given out as much bigger blocks.

It's too late to really be thinking along the lines of this kind of structured address allocation IMO. If we ever were to get to /28 allocations they would most likely be from many recovered fragments of address space.

> I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.

I suspect that the operational community would not stand behind this :-)

--
Graham Beneke

From bicknell at ufp.org Wed Dec 8 13:17:09 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 8 Dec 2010 11:17:09 -0800 Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <20101208191709.GA74639@ussenterprise.ufp.org>

In a message written on Wed, Dec 08, 2010 at 07:30:52PM +0100, Iljitsch van Beijnum wrote:
> I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.

There is no RIR policy here. There is no authority which can tell you what length prefixes are accepted. Each backbone network makes their own decision on how to filter their customers and peers.

If backbones find it commercially worthwhile to accept /28's from customers and route them, they will do just that. Some will do it relatively quickly, others will hold out and filter them for years. This is not something RIRs, IETF, NANOG, or anyone else can fix, and in fact they should not try to fix. It will sort itself out, in due time.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From cboyd at gizmopartners.com Wed Dec 8 13:19:22 2010 From: cboyd at gizmopartners.com (Chris Boyd) Date: Wed, 8 Dec 2010 13:19:22 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID:

On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:
> Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do.

Hmm. What would be really cool is if you could use Snort, NetFlow/NBAR, or some other sort of DPI tech to find specifically the IP addresses of the DDoS bots, and then pass that information back upstream via BGP communities that tell your peer router to drop traffic from those addresses.
That way the target of the traffic can continue to function if the DDoS traffic doesn't closely mimic the normal traffic. Your BGP peer router would need to have lots of memory for /32 or /64 routes though.

Anyone heard of such a beast? Or is this how the stuff from places like Arbor Networks do their thing?

--Chris

From cb.list6 at gmail.com Wed Dec 8 13:23:03 2010 From: cb.list6 at gmail.com (Cameron Byrne) Date: Wed, 8 Dec 2010 11:23:03 -0800 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CDDA@RWC-EX1.corp.seven.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDDA@RWC-EX1.corp.seven.com> Message-ID:

On Wed, Dec 8, 2010 at 11:07 AM, George Bonser wrote:
>> Just move to v6, already. v4 is done. trying to keep it on life support is going to cost everyone time, money, and reduced life span due to increased stress.
>
> Exactly. People need to adopt the "v4 is done" mindset and work going forward on that premise.

+1

Good luck with that /27 of 1.0.0.0/8 space

At the edge, with the down economy, i bet there are plenty of folks that are only accepting /21s and shorter from their upstream ISP so they can get some more mileage out of their older gear.

Cameron

From bruns at 2mbit.com Wed Dec 8 13:26:56 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Wed, 08 Dec 2010 12:26:56 -0700 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <4CFFDC00.3080303@2mbit.com>

On 12/8/10 11:59 AM, Matthew Petach wrote:
> Just because we've been treading water as fast as possible to try to stay above the drowning point in small prefix ranges does *not* mean we have extra headroom to waste on even smaller ranges.
> I've started contemplating filtering out blocks smaller than /22, and trusting that somewhere, someone will be sending out a supernet that covers the smaller bits.

Except that when you have legacy resources (such as /24 end user allocations), there is no supernet announcement since these blocks could technically be anywhere in their respective regions.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From Valdis.Kletnieks at vt.edu Wed Dec 8 13:28:16 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 08 Dec 2010 14:28:16 -0500 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: Your message of "Wed, 08 Dec 2010 20:10:46 +0100." References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> Message-ID: <22094.1291836496@localhost>

On Wed, 08 Dec 2010 20:10:46 +0100, Mohacsi Janos said:
> Do you think adopting LISP or similar architectures to reduce the problems mentioned above?

You're better off taking the mindset that it's time to stick a fork in IPv4, it's done. Focus your attention on getting LISP or similar adopted for IPv6 before *that* routing table explodes.

From rdobbins at arbor.net Wed Dec 8 13:30:14 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 8 Dec 2010 19:30:14 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: Message-ID: <851A3DA2-F026-4ACC-A8E0-9F53484920E5@arbor.net>

On Dec 9, 2010, at 2:19 AM, Chris Boyd wrote:
> Your BGP peer router would need to have lots of memory for /32 or /64 routes though.

Any modern router can handle this.

> Anyone heard of such a beast? Or is this how the stuff from places like Arbor Networks do their thing?

This can be done with open-source tools or with some commercial tools.
[Full disclosure - I work for a vendor which produces commercial tools in this category.]

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From rdobbins at arbor.net Wed Dec 8 13:31:58 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 8 Dec 2010 19:31:58 +0000
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>
Message-ID: <04F8F711-098B-4886-B32C-97E05902C318@arbor.net>

On Dec 9, 2010, at 2:10 AM, Mohacsi Janos wrote:
> Do you think adopting LISP or similar architectures to reduce the problems mentioned above?

Yes.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From owen at delong.com Wed Dec 8 13:29:49 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 8 Dec 2010 11:29:49 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CDD8@RWC-EX1.corp.seven.com>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDD8@RWC-EX1.corp.seven.com>
Message-ID: <1C4E7E48-70C5-4FA4-B724-16AB156704A1@delong.com>

On Dec 8, 2010, at 11:01 AM, George Bonser wrote:
>> There are two issues:
>>
>> 1. Growth of the routing table. My answer to this is: although a
>> smaller table would be good, we've been living with 16% or so growth
>> for a decade before the IPv4 crunch, if going to < /28 instead of < /24
>> allows this growth to continue some more years there is no additional
>> harm. And there is no evidence that /28s will create more growth than
>> unconstrained /24s like we had before the IPv4 crunch.
>>
>> 2. People who think it's neat to deaggregate their /16 into 256 /24
>> will now go for 4096 /28s. To avoid this, the new /28s should come from
>> separate ranges to be identified by the RIRs.
>> So /28 would only be
>> allowed for this new space that is given out as /28, not for anything
>> that already exists and was thus given out as much bigger blocks.
>>
>> Thoughts?
>
> Growth of the routing table will be a much larger issue once the
> stampede to v6 occurs. A v6 route takes 4x the resources of a v4 route.
> Assuming everyone multihomed in v4 space will also be multihomed in v6
> space and assuming that people are going to operate in both v4 and v6
> space at the same time, not only will the v4 table explode in size as it
> fragments, so will the v6 table explode in size at the same time.
> Granted there will be some consolidation through aggregation with v6 and
> entities who have multiple discontiguous v4 nets might consolidate into
> a larger v6 bloc but nevertheless, they are going to have announcements
> in both spaces.
>

Actually, in most implementations, due to optimizations with IPv6 that aren't possible with IPv4, a v6 route only takes about 2x the resources of an IPv4 route. Additionally, IPv6 should go from a ~10:1 ratio of prefixes to ASNs to a ratio closer to 1.5-2:1. As such, I only expect the IPv6 table to be about 10-20x its current size at full deployment. Significant, but, hardly what I would call an explosion.

> People dual-stacking that have routers capable of <1 million v4 routes
> are going to have to rethink their strategy if they are currently
> collecting full routes in both v4 and v6. If compromise must be made,
> where is one to make it? I believe that will happen with v4 because v6
> will be seen as where the growth is and where the future lies and v4
> seen as "legacy" and if one must compromise, compromise where you see
> future decline, not where there will be future growth.
>

People running routers with less than 1MM IPv4 prefix capability probably can use defaults to cover for discarding some of the longer prefixes. Generally speaking, those are not major transit backbones where this would be harmful.
(Major transit backbones have been out of room in such routers for some time now). Compromising in IPv6 won't buy much, so, I suspect the compromises will have to be made in IPv4. (Let's face it, there's just not much there in a <60k route table to reduce).

> So, imagine a multihomed end site announcing a chunk out of one of their
> provider's PA space where they have that provider de-aggregate that
> route because the more specific is also being announced by one or more
> other providers. I believe the first place where compromises might be
> made in such cases is "I am not going to accept more specifics from PA
> space but I will accept small blocks from PI space". Some do that today
> in v6 space but I have a hunch that will begin to happen more in v4 as
> it begins to fragment and people become resource constrained. The
> result will be that some sites might find that their multihoming using
> v4 PA space isn't working as well as it used to, which will provide yet
> greater incentive to move to v6.
>

People are doing this in IPv6? Really? What's the point? There simply aren't enough savings to make it significant.

> To summarize: I believe it is going to be more difficult to get people
> to accept route announcements for smaller v4 blocks as the v6 table
> ramps up if they are dual-stacking v4 and v6 on the same gear. Put
> another way, I don't believe there is going to be a lot of support in
> bending over backwards to support yet more v4 brokenness or if the
> support is there in theory, there may not be as much support in practice
> once the herd begins to move to v6 and v4 starts to shatter into little
> tiny fragments.
>

Let's hope that's how it goes. The alternatives are significantly bad.

Owen

From drc at virtualized.org Wed Dec 8 13:35:37 2010
From: drc at virtualized.org (David Conrad)
Date: Wed, 8 Dec 2010 11:35:37 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <20101208191709.GA74639@ussenterprise.ufp.org>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <20101208191709.GA74639@ussenterprise.ufp.org>
Message-ID:

On Dec 8, 2010, at 11:17 AM, Leo Bicknell wrote:
> In a message written on Wed, Dec 08, 2010 at 07:30:52PM +0100, Iljitsch van Beijnum wrote:
>> I'm hoping to get some modest support here before jumping into the RIR policy shark tanks.
> There is no RIR policy here.

Minimum PI allocation size.

Regards,
-drc

From sethm at rollernet.us Wed Dec 8 13:37:47 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 08 Dec 2010 11:37:47 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDDA@RWC-EX1.corp.seven.com>
Message-ID: <4CFFDE8B.2000903@rollernet.us>

On 12/8/2010 11:23, Cameron Byrne wrote:
>
> At the edge, with the down economy, I bet there are plenty of folks
> that are only accepting /21s and shorter from their upstream ISP so they
> can get some more mileage out of their older gear.
>

Hopefully they have a default route; ARIN now has PI /24 assignments, and none of those would have a large aggregate announcement.

~Seth

From cb.list6 at gmail.com Wed Dec 8 13:38:04 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Wed, 8 Dec 2010 11:38:04 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <04F8F711-098B-4886-B32C-97E05902C318@arbor.net>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net>
Message-ID:

On Wed, Dec 8, 2010 at 11:31 AM, Dobbins, Roland wrote:
>
> On Dec 9, 2010, at 2:10 AM, Mohacsi Janos wrote:
>
>> Do you think adopting LISP or similar architectures to reduce the problems mentioned above?
>
> Yes.
>

No. I still fail to see the value of LISP in a mature and sane IPv6 world. LISP may have value in an immature and insane IPv4 and IPv6 world.
Cameron

From rdobbins at arbor.net Wed Dec 8 13:41:08 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 8 Dec 2010 19:41:08 +0000
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net>
Message-ID: <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net>

On Dec 9, 2010, at 2:38 AM, Cameron Byrne wrote:
> I still fail to see the value of LISP in a mature and sane IPv6 world.

Abstraction of the global routing table away from direct dependence upon the underlying transport in use at a given endpoint network alone offers huge benefits for futureproofing; there are lots of other benefits as well, for mobility, CDNs, and so forth.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From cb.list6 at gmail.com Wed Dec 8 13:47:04 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Wed, 8 Dec 2010 11:47:04 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <4CFFDE8B.2000903@rollernet.us>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDDA@RWC-EX1.corp.seven.com> <4CFFDE8B.2000903@rollernet.us>
Message-ID:

On Wed, Dec 8, 2010 at 11:37 AM, Seth Mattinen wrote:
> On 12/8/2010 11:23, Cameron Byrne wrote:
>>
>> At the edge, with the down economy, I bet there are plenty of folks
>> that are only accepting /21s and shorter from their upstream ISP so they
>> can get some more mileage out of their older gear.
>>
>
> Hopefully they have a default route; ARIN now has PI /24 assignments,
> and none of those would have a large aggregate announcement.
>

Sorry, getting a default route from the provider was assumed in my mind and not in the email. It goes back to routers that can take only 256k routes ... they can't take full tables these days, so they just ditch the smaller blocks.
The default route still works for reachability .... but not route optimization at the edge.

Cameron

> ~Seth
>

From cb.list6 at gmail.com Wed Dec 8 14:01:29 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Wed, 8 Dec 2010 12:01:29 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net>
Message-ID:

On Wed, Dec 8, 2010 at 11:41 AM, Dobbins, Roland wrote:
>
> On Dec 9, 2010, at 2:38 AM, Cameron Byrne wrote:
>
>> I still fail to see the value of LISP in a mature and sane IPv6 world.
>
> Abstraction of the global routing table away from direct dependence upon the underlying transport in use at a given endpoint network alone offers huge benefits for futureproofing; there are lots of other benefits as well, for mobility, CDNs, and so forth.
>

I believe a lot of folks think the routing paths should be tightly coupled with the physical topology. If not, there is MPLS. If underlying transport is IPv6, I don't see the incremental value (hence mature IPv6 world comment, most major ISPs are pretty well along the way). IP Mobility as in Mobile IP already exists .... not terribly popular. There is already abstraction within most ISPs with MPLS. Yet another layer of abstraction is just not something I would consider lightly with Internet scale. Just my humble opinion.

Today, IPv6 provides real value with larger address space. MPLS provides real value with FRR and network virtualization (MPLS L3 VPNs). In a mature IPv6 world, that is sane, I am not sure what the real value of LISP is. But, IMHO, I do think there is something to the long term value of ILNP. I am just very biased against additional tunnels, encapsulation/overhead, complexity, and that is what LISP is, edge to edge tunnels.
Then there is the question of who benefits from LISP and who pays. The edge pays and the DFZ guys benefit (they defer router upgrades).... I already pay the DFZ guys enough today.

Cameron

> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Sell your computer and buy a guitar.
>

From gbonser at seven.com Wed Dec 8 14:01:12 2010
From: gbonser at seven.com (George Bonser)
Date: Wed, 8 Dec 2010 12:01:12 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <1C4E7E48-70C5-4FA4-B724-16AB156704A1@delong.com>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDD8@RWC-EX1.corp.seven.com> <1C4E7E48-70C5-4FA4-B724-16AB156704A1@delong.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDDE@RWC-EX1.corp.seven.com>

> Actually, in most implementations, due to optimizations with IPv6 that
> aren't possible with IPv4, a v6 route only takes about 2x the resources
> of an IPv4 route.

I considered that before I wrote the 4x but I couldn't be sure that my implementation was typical so I stuck with the worst case. It also depends on where you are talking about, RIB, FIB, or cache.

> Additionally, IPv6 should go from a ~10:1 ratio of
> prefixes to ASNs to a ratio closer to 1.5-2:1. As such, I only expect
> the IPv6 table to be about 10-20x its current size at full deployment.
> Significant, but, hardly what I would call an explosion.

Maybe. There are currently 36178 ASes announcing routes in v4. There are 2882 ASes announcing v6 routes. Assuming that every AS currently in v4 will eventually appear in v6 and also making an assumption that each AS in v4 will announce at least one route in v6, that would indicate at minimum a 12x growth above today. Once you get into deaggregation of PA space to accommodate multihoming or disconnected PI sites, all bets are off but 20x seems a reasonable start.
> People running routers with less than 1MM IPv4 prefix capability
> probably can use defaults to cover for discarding some of the
> longer prefixes.

Yup. And that is where I was going with "their multihoming in PA space might not work as well as it used to" when that sort of thing happens on a broader scale.

> Generally speaking, those are not major transit
> backbones where this would be harmful. (Major transit backbones
> have been out of room in such routers for some time now).

Yeah, I was considering networks like mine where I am trying to talk to a multihomed site that I am not directly peered with and one transit provider has some peering issue and loses a route to that destination. I need to be able to "see" that route via the other transit provider(s) in a hurry so a default probably isn't going to work well for me though I will be tempted to move in that direction once I come under resource pressure.

> Compromising in IPv6 won't buy much, so, I suspect the compromises
> will have to be made in IPv4. (let's face it, there's just not much
> there in a <60k route table to reduce).

And I don't think anyone is going to *want* to compromise in v6, v4 is where they are going to begin to trim back as that is a dead-end path anyway. Compromising on the v6 side is going to generate an increase in problems going forward. Compromising on the v4 path will produce a decreasing amount of problems over time. The downhill path is the easiest to follow.

> People are doing this in IPv6? Really? What's the point? There simply
> aren't enough savings to make it significant.

There was some chatter on this list of Verizon, for example, not taking smaller than a /32 out of PA space (but accepting down to a /48 in PI space). I don't have access to their routes so I can't say with any authority, I am repeating what was posted here by others.
G

From jsw at inconcepts.biz Wed Dec 8 14:01:43 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Wed, 8 Dec 2010 15:01:43 -0500
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>
Message-ID:

How many networks already leak numerous unnecessary /24s to their transit providers, who accept them (not having been asked to do anything else), and contribute to table bloat? Quite a lot of networks do this.

Imagine if there are many possible inter-domain routes that are being filtered by transit networks, because their customers accidentally announce some number of /25-/32 networks to them. These do not affect us today; but I would hate to see all those accidental announcements suddenly appear in my routing table; or for my transit providers to have to bear the expense of dealing with them.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From sethm at rollernet.us Wed Dec 8 14:04:50 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 08 Dec 2010 12:04:50 -0800
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4CFFAD03.3050703@brightok.net>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <4CFFAD03.3050703@brightok.net>
Message-ID: <4CFFE4E2.6000802@rollernet.us>

On 12/8/2010 08:06, Jack Bates wrote:
> I call BS. Windows has its problems, but it is the most common
> exploited as it holds the largest market share. Many Windows infections
> I've seen occur not due to the OS, but due to lack of patching of
> applications on the OS. The system does as much as it can.
>

And end users clicking/running every shiny thing they come across, consequences be damned.
~Seth

From tagno25 at gmail.com Wed Dec 8 14:06:06 2010
From: tagno25 at gmail.com (Philip Dorr)
Date: Wed, 8 Dec 2010 14:06:06 -0600
Subject: Mastercard problems
In-Reply-To:
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net>
Message-ID:

The problem is that they were also slashdotted. The logs would also have a large number of unrelated.

On Dec 8, 2010 12:49 PM, "Christopher Morrow" wrote:
> On Wed, Dec 8, 2010 at 12:34 PM, Jack Bates wrote:
>>
>> On 12/8/2010 11:28 AM, William McCall wrote:
>>
>>> Are you prepared for "information terrorism" laws?
>>>
>>
>> DOS attacks are already illegal. I question the ability to track responsible
>> parties down and have appropriate proof to actually prosecute.
>>
>> Let's be honest. Even in the 20th century, more people had been caught by
>> bragging in public than by backtracking.
>
> so... the loic tool uses the host's local address, the attacks are all
> HTTP based, or tcp/80 with malformed HTTP... someone with server logs
> could certainly get a list of the ips involved and hand that over to
> the FBI for proper action.
>
> I know that the folks involved on the MC side already have this data,
> and that the fbi is interested in it.
>
> -chris
>

From vader at fuse.net Wed Dec 8 14:13:57 2010
From: vader at fuse.net (Chadwick Sorrell)
Date: Wed, 8 Dec 2010 15:13:57 -0500
Subject: ALT-DB Question
Message-ID: <000501cb9714$721e4e80$565aeb80$@net>

Hello,

I'm sending a new MAINT-AS object to the db-admin at altdb.net, but it doesn't appear to be in the database after a few weeks. Are there any requirements that I may be missing on my new request, or some sort of way I can help get it processed? Basically wondering if I'm just not waiting long enough, or if I've done something wrong.
Thanks,
-chad

From gbonser at seven.com Wed Dec 8 14:18:32 2010
From: gbonser at seven.com (George Bonser)
Date: Wed, 8 Dec 2010 12:18:32 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CDE0@RWC-EX1.corp.seven.com>

> How many networks already leak numerous unnecessary /24s to their
> transit providers, who accept them (not having been asked to do
> anything else), and contribute to table bloat? Quite a lot of
> networks do this.

Sure. Even as a prophylactic measure against route hijacking if they aren't using the space for internet routed purposes (company uses a prefix internally, say for VPNs, addresses in the prefixes aren't reachable over the Internet but they announce it anyway to discourage the block being used by someone else or to ensure that wayward traffic finds a home and can be logged for correcting misconfigured VPNs).

> I would hate to see all those accidental announcements
> suddenly appear in my routing table; or for my transit providers to
> have to bear the expense of dealing with them.

The probability of service-impacting accidents would definitely increase.

From andrew.wallace at rocketmail.com Wed Dec 8 14:30:17 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Wed, 8 Dec 2010 12:30:17 -0800 (PST)
Subject: Mastercard problems
Message-ID: <590810.26399.qm@web59603.mail.ac4.yahoo.com>

I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system.

"Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States."
--- secretservice.gov

Andrew

----- Original Message -----
From: Christopher Morrow
To: Jack Bates
Cc: "nanog at nanog.org"
Sent: Wednesday, 8 December 2010, 18:47:49
Subject: Re: Mastercard problems

I know that the folks involved on the MC side already have this data, and that the fbi is interested in it.

-chris

From zeusdadog at gmail.com Wed Dec 8 14:33:00 2010
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Wed, 8 Dec 2010 15:33:00 -0500
Subject: SONET and MAC address
Message-ID:

We have a Gigabit Ethernet transport between cities by a vendor. We found that when there are identical MAC addresses that are on different VLANs on different sides of the circuit, one of the VLANs loses packets. This situation came up because two different networks that travel over the Ethernet were using HSRP with the same virtual MAC address.

The vendor says both sides are directly connected to Fujitsu SONET gear and the equipment doesn't even look at the MAC address so it's not their circuit. All I know is, I can't recreate the problem if this circuit is not in the path.

I haven't worked with Fujitsu SONET gear so I don't know if their claim is true or not. I vaguely remember someone talking about some equipment actually having a builtin switch on the SONET port and that was messing up the forwarding.

Also, on one side of the circuit, there is a copper to fiber media converter. I am going to find out what model this is and see if that could be the cause.

Anyone have any thoughts on what I should look into or have the vendor look into? Anyone run into this situation?

Thanks!
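The symptom Jay describes (one MAC shared by two VLANs, one VLAN losing frames, and a suspected "builtin switch" somewhere in the path) is exactly what a MAC-learning bridge that ignores VLAN tags produces. The following toy model is an added illustration, not the poster's configuration or the vendor's equipment: it runs the same traffic pattern through a bridge using shared VLAN learning (table keyed on MAC only) and one using independent VLAN learning (table keyed on VLAN plus MAC). The HSRP-style virtual MAC, the port layout, and the client addresses are all constructed.

```python
"""VLAN-unaware vs VLAN-aware MAC learning with a duplicated MAC.

Constructed toy bridge model (not a real switch implementation).  Two
routers on different VLANs share one MAC.  A bridge that learns MACs
without regard to VLAN keeps flapping the entry between its ports and
sends one VLAN's frames to the wrong port; a bridge keyed on
(vlan, mac) forwards both VLANs correctly.
"""
from dataclasses import dataclass

# Constructed HSRP-style virtual MAC shared by both sides (group 1).
HSRP_MAC = "00:00:0c:07:ac:01"
CLIENT_V10 = "aa:aa:aa:aa:aa:aa"
CLIENT_V20 = "bb:bb:bb:bb:bb:bb"

# Ground truth for the toy topology: (vlan, mac) -> bridge port.
# Port 1 carries the VLAN 10 router, port 2 the VLAN 20 router,
# port 3 the trunk where both VLANs' client stations live.
LOCATION = {
    (10, HSRP_MAC): 1,
    (20, HSRP_MAC): 2,
    (10, CLIENT_V10): 3,
    (20, CLIENT_V20): 3,
}
PORTS = {1, 2, 3}


@dataclass(frozen=True)
class Frame:
    vlan: int
    src: str
    dst: str


class Bridge:
    """Transparent bridge with a learning table."""

    def __init__(self, vlan_aware: bool):
        self.vlan_aware = vlan_aware
        self.table = {}  # key -> port the MAC was last seen on

    def _key(self, vlan: int, mac: str):
        # Shared VLAN learning ignores the tag for both learning and lookup.
        return (vlan, mac) if self.vlan_aware else mac

    def forward(self, frame: Frame, in_port: int) -> set:
        """Learn the source, then return the set of egress ports."""
        self.table[self._key(frame.vlan, frame.src)] = in_port
        out = self.table.get(self._key(frame.vlan, frame.dst))
        if out is None:
            return PORTS - {in_port}  # unknown unicast: flood
        if out == in_port:
            return set()              # filtered: destination "already here"
        return {out}


def simulate(vlan_aware: bool, rounds: int = 4):
    """Run a repeating traffic pattern; return (lost_frames, total_frames).

    Each round: both routers source a frame from the shared MAC (as HSRP
    hellos would), then one client on each VLAN sends a frame to that MAC.
    A frame counts as lost when the real destination port is not reached.
    """
    bridge = Bridge(vlan_aware)
    pattern = [
        (Frame(10, HSRP_MAC, CLIENT_V10), 1),
        (Frame(20, HSRP_MAC, CLIENT_V20), 2),
        (Frame(10, CLIENT_V10, HSRP_MAC), 3),
        (Frame(20, CLIENT_V20, HSRP_MAC), 3),
    ]
    lost = total = 0
    for _ in range(rounds):
        for frame, in_port in pattern:
            egress = bridge.forward(frame, in_port)
            total += 1
            if LOCATION[(frame.vlan, frame.dst)] not in egress:
                lost += 1
    return lost, total


if __name__ == "__main__":
    for aware in (False, True):
        lost, total = simulate(aware)
        mode = "independent (per-VLAN)" if aware else "shared (VLAN-blind)"
        print(f"{mode} learning: {lost}/{total} frames lost")
```

With VLAN-blind learning the shared MAC is always "last seen" on whichever router spoke most recently, so every client frame on one of the two VLANs is steered to the other VLAN's router and never arrives; the per-VLAN table has no such collision. That pattern (loss confined to one VLAN, disappearing when the circuit is out of path) is what to look for when deciding whether a media converter or transport device is bridging rather than passing frames transparently.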
From olof at ethup.se Wed Dec 8 14:37:00 2010
From: olof at ethup.se (Olof Johansson)
Date: Wed, 8 Dec 2010 20:37:00 +0000
Subject: Mastercard problems
In-Reply-To:
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net>
Message-ID: <20101208203700.GB25753@brutus.ethup.se>

On 2010-12-08 14:06 -0600, Philip Dorr wrote:
> The problem is that they were also slashdotted. The logs would also have a
> large number of unrelated.

"so... the loic tool uses the host's local address, the attacks are all HTTP based, or tcp/80 with malformed HTTP..."

That should be easy to grep by...?

--
- Olof Johansson
- www: http://www.stdlib.se/
- {mail,xmpp}: olof at ethup.se
- irc: zibri on Freenode/OFTC/...

From jbates at brightok.net Wed Dec 8 14:42:22 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 08 Dec 2010 14:42:22 -0600
Subject: Mastercard problems
In-Reply-To: <20101208203700.GB25753@brutus.ethup.se>
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se>
Message-ID: <4CFFEDAE.1020407@brightok.net>

On 12/8/2010 2:37 PM, Olof Johansson wrote:
> On 2010-12-08 14:06 -0600, Philip Dorr wrote:
>> The problem is that they were also slashdotted. The logs would also have a
>> large number of unrelated.
>
> "so... the loic tool uses the host's local address, the attacks are all
> HTTP based, or tcp/80 with malformed HTTP..."
>
> That should be easy to grep by...?
>

Of course, it's debatable if use of LOIC is enough to convict. You'd have to first prove the person installed it themselves, and then you'd have to prove that they knew it would be used for illegal purposes.
The hive controller, and the actual operator(s) are who they want, and that's a little more work. This has been an issue in the past, even when we knew exactly where botnet controllers were, concerning the legality of taking control to shut it down.

Jack

From mlarson at verisign.com Wed Dec 8 14:50:50 2010
From: mlarson at verisign.com (Matt Larson)
Date: Wed, 8 Dec 2010 15:50:50 -0500
Subject: .com/.net DNSSEC operational message
Message-ID: <20101208205037.GA18943@DUL1MLARSON-M1.vcorp.ad.vrsn.com>

VeriSign is in the process of deploying DNSSEC in the .net and .com zones. This message contains operational information related to the .net DNSSEC deployment that might be of interest to the Internet operational community.

The .net DNSSEC deployment is underway. On September 25, 2010, the .net registry system was upgraded to allow ICANN-accredited registrars to submit DS records for domains under .net. On October 29, 2010, a deliberately unvalidatable .net zone began to be published. (This zone was a signed version of the .net zone with the key material deliberately obscured so that it could not be used for validation.)

VeriSign recently began incrementally "unblinding" the .net zone: one at a time, each authoritative server for .net was changed from serving the unvalidatable .net zone to the signed .net zone with the official keys unobscured. As of approximately 2100 UTC on December 7, all authoritative servers for .net were serving the signed .net zone with the actual, unobscured production keys.

The final step in DNSSEC deployment in .net will be publishing its DS record in the root zone, which is currently scheduled for December 9, 2010.

If you have any questions or comments, please send email to info at verisign-grs.com or reply to this message.
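Two of the steps above turn on DS records: registrars submitting DS for .net domains, and the .net DS going into the root. The check an operator wants at that point is that the DS handed to the parent really covers the DNSKEY published in the child zone, because a mismatch leaves the child bogus once validators see the DS. The following is an added example, not VeriSign's tooling: it derives the RFC 4034 key tag and a SHA-256 DS digest (digest type 2, RFC 4509) over the canonical owner name plus the DNSKEY RDATA, and compares the result with a DS as the parent would publish it. The DNSKEY used is constructed; its 4-byte "public key" is a placeholder for exercising the arithmetic, not a usable key.

```python
"""Check that a DS record matches the DNSKEY it is meant to cover.

Added example (not registry or registrar code).  Given a DNSKEY in
presentation format, compute the RFC 4034 key tag and the SHA-256 DS
digest (RFC 4509) over owner-name-wire || DNSKEY RDATA, and verify a DS
against it.  SAMPLE_DNSKEY is constructed: a 4-byte placeholder public
key, usable only for exercising the DS arithmetic.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, as in zone-file presentation

    def __str__(self):
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def dnskey_rdata(presentation: str) -> bytes:
    """'257 3 8 <base64>' -> wire-format DNSKEY RDATA (flags, proto, alg, key)."""
    flags, protocol, algorithm, *key = presentation.split()
    pubkey = base64.b64decode("".join(key))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercased, absolute) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """Build the DS the parent should publish for this DNSKEY."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashers[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]  # DNSKEY RDATA byte 3 is the algorithm number
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds: DS) -> bool:
    """True if the DS (as seen at the parent) covers this DNSKEY."""
    expected = make_ds(owner, rdata, ds.digest_type)
    return (expected.key_tag == ds.key_tag
            and expected.algorithm == ds.algorithm
            and expected.digest == ds.digest.upper())


# Constructed KSK for 'net.': flags 257 (SEP), protocol 3, algorithm 8,
# placeholder key bytes 01 02 03 04.
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="

if __name__ == "__main__":
    rd = dnskey_rdata(SAMPLE_DNSKEY)
    ds = make_ds("net.", rd)
    print("DS to hand to the parent:", ds)
    other = dnskey_rdata("257 3 8 AQIDBQ==")  # a different (constructed) key
    print("matches the published key:", ds_matches("net.", rd, ds))
    print("matches a different key:  ", ds_matches("net.", other, ds))
```

Run against a real zone, `rd` would come from the DNSKEY RRset served by the child's authoritative servers and `ds` from the parent's DS RRset; the owner-name comparison is case-insensitive because DS digests are computed over the canonical (lowercased) name.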
From morrowc.lists at gmail.com Wed Dec 8 15:04:23 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 8 Dec 2010 16:04:23 -0500
Subject: Mastercard problems
In-Reply-To:
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net>
Message-ID:

On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote:
> The problem is that they were also slashdotted. The logs would also have a
> large number of unrelated.

pro-tip: the tool has a pretty easy to spot signature.

-chris

From drc at virtualized.org Wed Dec 8 15:12:32 2010
From: drc at virtualized.org (David Conrad)
Date: Wed, 8 Dec 2010 13:12:32 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net>
Message-ID: <1BC76202-2A4E-483F-999F-076DCF746AF9@virtualized.org>

Cameron,

On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote:
> I believe a lot of folks think the routing paths should be tightly
> coupled with the physical topology.

The downside, of course, being that if you change your location within the physical topology, you have to renumber. Enterprises have already voted with their feet that this isn't acceptable with IPv4 and they'll no doubt do the same with IPv6.

> In a mature IPv6 world, that is sane, i am not sure what the
> real value of LISP is.

Sanity is in the eye of the beholder. The advantage a LISP(-like) scheme provides is a way of separating location from identity, allowing for arbitrary topology change (and complexity in the form of multi-homing) without affecting the identities of the systems on the network. Changing providers or multi-homing would thus not result in a renumbering event or pushing yet another prefix into the DFZ.

> Then there is the question of who benefits from LISP
> and who pays.
> The edge pays and the DFZ guys benefit (they defer
> router upgrades).... i already pay the DFZ guys enough today.

Increased size/flux in the DFZ as a result of PI allocations, more specifics announced for traffic engineering, and multi-homing _will_ increase the cost to the "DFZ guys" as they have to upgrade their routers to deal with growth. It is unlikely they'll not pass that cost on to their customers.

Regards,
-drc

From egon at egon.cc Wed Dec 8 15:30:20 2010
From: egon at egon.cc (James Downs)
Date: Wed, 8 Dec 2010 13:30:20 -0800
Subject: Mastercard problems
In-Reply-To: <590810.26399.qm@web59603.mail.ac4.yahoo.com>
References: <590810.26399.qm@web59603.mail.ac4.yahoo.com>
Message-ID: <5E8C4234-12F9-44BF-BB00-580EC081F1ED@egon.cc>

On Dec 8, 2010, at 12:30 PM, andrew.wallace wrote:
> I would say the attack falls under the jurisdiction of the US secret
> service since this is an attack on the financial system.
>
> "Today the agency's primary investigative mission is to safeguard
> the payment and financial systems of the United States." ---
> secretservice.gov

Yikes.. you consider a private company's business to be the financial and payment system of the United States?

-j

From jmenerick at netsuite.com Wed Dec 8 15:33:09 2010
From: jmenerick at netsuite.com (John Menerick)
Date: Wed, 8 Dec 2010 13:33:09 -0800
Subject: Mastercard problems
In-Reply-To: <5E8C4234-12F9-44BF-BB00-580EC081F1ED@egon.cc>
References: <590810.26399.qm@web59603.mail.ac4.yahoo.com> <5E8C4234-12F9-44BF-BB00-580EC081F1ED@egon.cc>
Message-ID: <4CFFF995.7020405@netsuite.com>

On 12/8/2010 1:30 PM, James Downs wrote:
> On Dec 8, 2010, at 12:30 PM, andrew.wallace wrote:
>
>> I would say the attack falls under the jurisdiction of the US secret
>> service since this is an attack on the financial system.
>>
>> "Today the agency's primary investigative mission is to safeguard
>> the payment and financial systems of the United States." ---
>> secretservice.gov
> Yikes..
> you consider a private company's business to be the financial
> and payment system of the United States?
>
> -j
>

Look at ADP and their finance payment system statistics. VERY large. Understandable for some financial systems to be possibly considered a financial and payment system of the US.

Cheers,
John Menerick

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service.

From jbates at brightok.net Wed Dec 8 15:34:47 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 08 Dec 2010 15:34:47 -0600
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <1BC76202-2A4E-483F-999F-076DCF746AF9@virtualized.org>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <1BC76202-2A4E-483F-999F-076DCF746AF9@virtualized.org>
Message-ID: <4CFFF9F7.3080003@brightok.net>

On 12/8/2010 3:12 PM, David Conrad wrote:
> Cameron,
>
> On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote:
>> I believe a lot of folks think the routing paths should be tightly
>> coupled with the physical topology.
>
> The downside, of course, being that if you change your location
> within the physical topology, you have to renumber. Enterprises have
> already voted with their feet that this isn't acceptable with IPv4
> and they'll no doubt do the same with IPv6.
>
>> In a mature IPv6 world, that is sane, I am not sure what the real
>> value of LISP is.
>
> Sanity is in the eye of the beholder. The advantage a LISP(-like)
> scheme provides is a way of separating location from identity,
> allowing for arbitrary topology change (and complexity in the form of
> multi-homing) without affecting the identities of the systems on the
> network. Changing providers or multi-homing would thus not result in
> a renumbering event or pushing yet another prefix into the DFZ.
>

I think the issue, and correct me if I'm wrong, is that LISP does not address issues of traffic engineering? A lot of the additional routes in DFZ are there specifically to handle traffic engineering. The flow of traffic is usually based on ASN from a human standpoint, but dividing networks up and changing priorities on a per network basis is the mechanism BGP allows for determining that flow of traffic.

Another large increase in DFZ was due to constraints. Even with engineering, I might divide a /16 into 4 /18 networks and be able to obtain the metrics I need. ARIN, over the years, gave me a lot of /20 networks. It has been hopeful (and policy is still evolving with ARIN to accomplish this for our region) that IPv6 would not suffer from having to receive multiple small allocations which do not align with our traffic engineering needs but just add additional routes. The policy currently being discussed on PPML supports assigning networks larger than the currently utilized one if necessary and not requiring a renumber (which effectively triples your allocated space or more but only adds a single additional route to DFZ).

Jack

From Valdis.Kletnieks at vt.edu Wed Dec 8 15:38:14 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 08 Dec 2010 16:38:14 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: Your message of "Wed, 08 Dec 2010 07:43:52 PST."
<4CFFA7B8.8000306@gmail.com>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com>
Message-ID: <28793.1291844294@localhost>

On Wed, 08 Dec 2010 07:43:52 PST, JC Dill said:
> Why isn't ANYONE going after Microsoft over this? If Microsoft were
> held accountable for the spam and DDOSs that spew from their crappy
> software, they would find a way to stop the problem. I've raised this
> issue before, IMHO Windows OSs are "attractive nuisances" and that legal
> argument can be used to hold Microsoft responsible for not putting an
> adequate "fence" around their "attractive nuisance".

Unfortunately, this is one you really don't want to do. Microsoft's current offerings are about as hardened as the competition (Apple and Linux, mostly) right out of the box. And it's not clear that you can *make* a system much harder and still sell it to consumers (try using a Linux box with SELinux turned on in full MLS/MCS mode - quite secure, but *not* the easiest thing in the world to admin, especially if you ever add a third-party program that doesn't have a suitable MLS security policy description already).

> If all the big ISPs banded together to file suit against Microsoft, they
> could share the cost (and pain) of the lawsuit.

And if you win the lawsuit, what does that get you? Microsoft goes broke, quits shipping security updates to everybody - and things are even worse than before, because now *everybody* is unpatched.

The second issue is that if you *do* establish a legal precedent that software vendors are liable for faults no matter what the contract/EULA says, you're going to see pretty much all the open-source projects pack up and go home unless they find a way to protect themselves. Quite likely some commercial software vendors will bail as well, or charge a *lot* more for their stuff.

Be careful what you ask for, for you may surely get it.
From scott at sberkman.net Wed Dec 8 15:57:05 2010
From: scott at sberkman.net (Scott Berkman)
Date: Wed, 8 Dec 2010 16:57:05 -0500
Subject: SONET and MAC address
In-Reply-To:
References:
Message-ID: <0b4501cb9722$daf40ae0$90dc20a0$@sberkman.net>

Don't know the FlashWave gear well, but in the Cisco ONS/Cerent world GigE ports can be configured in different modes, some of which do in fact learn MAC addresses. Others emulate a single layer-2 link and as the vendor stated, would not look at the MAC address at all.

-Scott

-----Original Message-----
From: Jay Nakamura [mailto:zeusdadog at gmail.com]
Sent: Wednesday, December 08, 2010 3:33 PM
To: NANOG
Subject: SONET and MAC address

We have a Gigabit Ethernet transport between cities by a vendor. We found that when there are identical MAC addresses that are on different VLANs on different sides of the circuit, one of the VLANs loses packets. This situation came up because two different networks that travel over the Ethernet were using HSRP with the same virtual MAC address.

The vendor says both sides are directly connected to Fujitsu SONET gear and the equipment doesn't even look at the MAC address so it's not their circuit. All I know is, I can't recreate the problem if this circuit is not in the path.

I haven't worked with Fujitsu SONET gear so I don't know if their claim is true or not. I vaguely remember someone talking about some equipment actually having a built-in switch on the SONET port and that was messing up the forwarding.

Also, on one side of the circuit, there is a copper to fiber media converter. I am going to find out what model this is and see if that could be the cause.

Anyone have any thoughts on what I should look into or have the vendor look into? Anyone run into this situation?

Thanks!
From oberman at es.net Wed Dec 8 16:01:38 2010
From: oberman at es.net (Kevin Oberman)
Date: Wed, 08 Dec 2010 14:01:38 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: Your message of "Wed, 08 Dec 2010 15:34:47 CST." <4CFFF9F7.3080003@brightok.net>
Message-ID: <20101208220138.C01331CC0C@ptavv.es.net>

> Date: Wed, 08 Dec 2010 15:34:47 -0600
> From: Jack Bates
>
> On 12/8/2010 3:12 PM, David Conrad wrote:
> > Cameron,
> >
> > On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote:
> >> I believe a lot of folks think the routing paths should be tightly
> >> coupled with the physical topology.
> >
> > The downside, of course, being that if you change your location
> > within the physical topology, you have to renumber. Enterprises have
> > already voted with their feet that this isn't acceptable with IPv4
> > and they'll no doubt do the same with IPv6.
> >
> >> In a mature IPv6 world, that is sane, I am not sure what the real
> >> value of LISP is.
> >
> > Sanity is in the eye of the beholder. The advantage a LISP(-like)
> > scheme provides is a way of separating location from identity,
> > allowing for arbitrary topology change (and complexity in the form of
> > multi-homing) without affecting the identities of the systems on the
> > network. Changing providers or multi-homing would thus not result in
> > a renumbering event or pushing yet another prefix into the DFZ.
> >
>
> I think the issue, and correct me if I'm wrong, is that LISP does not
> address issues of traffic engineering? A lot of the additional routes in
> DFZ are there specifically to handle traffic engineering.

Yes. Locator-ID separation means that you would no longer have to add prefixes to the DFZ for traffic engineering. That would be in the province of the locator part of the operation. I see nothing preventing this from being done in LISP and being done in a much more manageable manner.
This does, of course, increase the number of locators in the FIB, but the number of locators would be tiny compared to the current FIB, so I don't see an issue.

> The flow of traffic is usually based on ASN from a human standpoint, but
> dividing networks up and changing priorities on a per network basis is
> the mechanism BGP allows for determining that flow of traffic.
> Another large increase in DFZ was due to constraints. Even with
> engineering, I might divide a /16 into 4 /18 networks and be able to
> obtain the metrics I need. ARIN, over the years gave me a lot of /20
> networks. It has been hopeful (and policy is still evolving with ARIN to
> accomplish this for our region) that IPv6 would not suffer from having
> to receive multiple small allocations which do not align with our
> traffic engineering needs but just add additional routes.

So use locator to do the job right instead of twisting things with machinations in routing that the protocols were not designed for.

I am simply amazed that, in this day and age, people still seem to not understand the value of locator-ID separation! Almost all early network protocols other than IP did this. IP, for good reason, became dominant and, in the process, the concept was largely forgotten. There was a contingent of folks who tried to get it into IPv6 as a base part of the standard, but they lost. (Yes, I understand the prevailing arguments, but it was still a HUGE mistake, IMHO.)

It certainly would have been much better if locator-ID separation was built into the protocol (IPv6) rather than being shoe-horned in after the fact, but I really think we still need it.

Note, LISP has some real corner case issues and may not be implementable on a general basis. I want locator-ID separation, but that does not necessarily mean LISP.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O.
Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

From jmamodio at gmail.com Wed Dec 8 16:05:32 2010
From: jmamodio at gmail.com (Jorge Amodio)
Date: Wed, 8 Dec 2010 16:05:32 -0600
Subject: Mastercard problems
In-Reply-To: <20101208121415.26a50fde@jpeach-desktop.anbg.mssm.edu>
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBCE7.8050706@emmanuelcomputerconsulting.com> <20101208121415.26a50fde@jpeach-desktop.anbg.mssm.edu>
Message-ID:

> Yes it has:
>
> http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/

I've been processing cards all day for my wife's biz without any problems.

-J

From iljitsch at muada.com Wed Dec 8 16:06:59 2010
From: iljitsch at muada.com (Iljitsch van Beijnum)
Date: Wed, 8 Dec 2010 23:06:59 +0100
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>
Message-ID: <368B8598-7682-40DC-ACB6-5741A7636ED8@muada.com>

On 8 dec 2010, at 19:59, Matthew Petach wrote:

> Just because we've been treading water as fast as possible to try to stay
> above the drowning point in small prefix ranges does *not* mean we have
> extra headroom to waste on even smaller ranges.

It's not the size of the prefixes that's the problem, but their number. I'm working under the assumption that the new /28s (or whatever) will appear where /24s would have appeared in earlier years. We can think of several measures to limit the numbers of these small blocks, like only allowing one per AS number, or even limiting the number that the RIRs get to give out each year. Remember there's about 10 times as many prefixes as ASes; having one prefix for each of the 5000 new ASes that are given out each year is NOT the problem. It's the fact that existing ASes increase their prefix load year over year.

> Just move to v6, already. v4 is done.
> trying to keep it on life support
> is going to cost everyone time, money, and reduced life span due to
> increased stress.

There won't be addresses to number new ISP customers in IPv4 anymore pretty soon. But content doesn't need many addresses, especially if we get rid of artificial barriers like "you need 256 addresses to play". Eyeballs on v6 and content on v4 is workable, the other way around isn't.

> and use a rent-a-block of v4 space from an
> upstream to host a 4-to-6 proxy box to allow legacy v4 users to reach
> your content.

You can't do this in a protocol agnostic way. You need to go in at layer 7 to make this work. 6 clients to 4 servers can be done with something that isn't much worse than regular NAT.

From iljitsch at muada.com Wed Dec 8 16:08:43 2010
From: iljitsch at muada.com (Iljitsch van Beijnum)
Date: Wed, 8 Dec 2010 23:08:43 +0100
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com>
Message-ID: <18B3F386-AE8D-4B78-8620-823B66AB44D8@muada.com>

On 8 dec 2010, at 20:10, Mohacsi Janos wrote:

> Do you think adopting LISP or similar architectures to reduce the problems mentioned above?

Did the LISP guys solve failover after a locator goes away? And what about the MTU issue? Do you lose initial packets when there is no mapping state yet? (It's been a couple of years since I was current on the RRG stuff and LISP.)
From fergdawgster at gmail.com Wed Dec 8 16:09:25 2010
From: fergdawgster at gmail.com (Paul Ferguson)
Date: Wed, 8 Dec 2010 14:09:25 -0800
Subject: Mastercard problems
In-Reply-To:
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBCE7.8050706@emmanuelcomputerconsulting.com> <20101208121415.26a50fde@jpeach-desktop.anbg.mssm.edu>
Message-ID:

On Wed, Dec 8, 2010 at 2:05 PM, Jorge Amodio wrote:

>> Yes it has:
>>
>> http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/
>
> I've been processing cards all day for my wife's biz without any
> problems.
>

At least some processing ops are experiencing problems:

http://heartbeat.skype.com/2010/12/problems_with_mastercard_payme.html

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

From ken at sizone.org Wed Dec 8 16:10:02 2010
From: ken at sizone.org (Ken Chase)
Date: Wed, 8 Dec 2010 17:10:02 -0500
Subject: Mastercard problems
In-Reply-To:
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBCE7.8050706@emmanuelcomputerconsulting.com> <20101208121415.26a50fde@jpeach-desktop.anbg.mssm.edu>
Message-ID: <20101208221002.GK14239@sizone.org>

On Wed, Dec 08, 2010 at 04:05:32PM -0600, Jorge Amodio said:
>> Yes it has:
>>
>> http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/
>
> I've been processing cards all day for my wife's biz without any problems.

There are other payment processors out there for Mastercard and Visa, I'm sure. In Canada I don't bother clearing the charges I put through with a single master server in the US; they're probably also distributed for various reasons (fibre cuts, speed of transaction, etc).
When I hit the bigger grocery stores, the approval is almost instantaneous. Not sure what they're using for backhaul to where, but it ain't DSL or a phone line.

Taking out that kinda distributed architecture would require attacking the protocol with a self propagating attack (~Stuxnet), not the individual sites that do the processing. I'm sure Mastercard has some skills on how to run an internal 'cloud'.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From owen at delong.com Wed Dec 8 16:12:37 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 8 Dec 2010 14:12:37 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To:
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net>
Message-ID: <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com>

On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote:

> On Wed, Dec 8, 2010 at 11:41 AM, Dobbins, Roland wrote:
>>
>> On Dec 9, 2010, at 2:38 AM, Cameron Byrne wrote:
>>
>>> I still fail to see the value of LISP in a mature and sane IPv6 world.
>>
>> Abstraction of the global routing table away from direct dependence upon the underlying transport in use at a given endpoint network alone offers huge benefits for futureproofing; there are lots of other benefits as well, for mobility, CDNs, and so forth.
>>
>
> I believe a lot of folks think the routing paths should be tightly
> coupled with the physical topology. If not, there is MPLS.
>

LISP doesn't separate the routing paths from the physical topology. It abstracts the end system identifiers so that they are not tied to the physical topology.

> If underlying transport is IPv6, I don't see the incremental value
> (hence mature IPv6 world comment, most major ISPs are pretty well
> along the way). IP Mobility as in Mobile IP already exists ....
> not
> terribly popular.
>

It's barely had a chance to see even small deployments, so, judging its popularity is extremely premature.

The value of LISP is the ability to have a strictly hierarchical routing table with good aggregation where the Locator (routing field) in the packet header is not directly tied to the Identifier (end-system globally unique value).

IMHO, a more ideal way to do this would be to add 32 bits to the packet header for "destination ASN" and do IDR based on that, but, changing the packet header at this time is hard and would require a new IP version number.

> There is already abstraction within most ISPs with MPLS. Yet another
> layer of abstraction is just not something I would consider lightly
> with Internet scale. Just my humble opinion.
>

MPLS doesn't accomplish IDR abstraction which is the value here.

> Today, IPv6 provides real value with larger address space. MPLS
> provides real value with FRR and network virtualization (MPLS L3
> VPNs). In a mature IPv6 world, that is sane, I am not sure what the
> real value of LISP is.
>
> But, IMHO, I do think there is something to the long term value of
> ILNP. I am just very biased against additional tunnels,
> encapsulation/overhead, complexity, and that is what LISP is, edge to
> edge tunnels. Then there is the question of who benefits from LISP
> and who pays. The edge pays and the DFZ guys benefit (they defer
> router upgrades).... I already pay the DFZ guys enough today.
>

I agree that tunnels and encapsulation are not ideal. Hence my thinking it would be better to rev. IP again and build the destination ASN into the packet header with a defined value for "not yet known".

Owen

From andrew.wallace at rocketmail.com Wed Dec 8 16:23:43 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Wed, 8 Dec 2010 14:23:43 -0800 (PST)
Subject: Mastercard problems
Message-ID: <231198.95738.qm@web59603.mail.ac4.yahoo.com>

"MasterCard works closely with the U.S.
Secret Service, the FBI, the Postal Inspection Service, Interpol, Europol and counterpart organizations throughout the world to facilitate investigation and prosecution."

http://www.mastercard.com/us/merchant/security/collaborating_experts.html

Andrew

----- Original Message -----
From: James Downs
To: andrew.wallace
Cc: Christopher Morrow ; "nanog at nanog.org"
Sent: Wednesday, 8 December 2010, 21:30:20
Subject: Re: Mastercard problems

On Dec 8, 2010, at 12:30 PM, andrew.wallace wrote:

> I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system.
>
> "Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States." --- secretservice.gov

Yikes.. you consider a private company's business to be the financial and payment system of the United States?

-j

From owen at delong.com Wed Dec 8 16:23:17 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 8 Dec 2010 14:23:17 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CDDE@RWC-EX1.corp.seven.com>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <5A6D953473350C4B9995546AFE9939EE0B14CDD8@RWC-EX1.corp.seven.com> <1C4E7E48-70C5-4FA4-B724-16AB156704A1@delong.com> <5A6D953473350C4B9995546AFE9939EE0B14CDDE@RWC-EX1.corp.seven.com>
Message-ID:

On Dec 8, 2010, at 12:01 PM, George Bonser wrote:

>> Actually, in most implementations, due to optimizations with IPv6 that
>> aren't possible with IPv4, a v6 route only takes about 2x the
>> resources
>> of an IPv4 route.
>
> I considered that before I wrote the 4x but I couldn't be sure that my
> implementation was typical so I stuck with the worst case. It also
> depends on where you are talking about, RIB, FIB, or cache.
>

FIB being the only place where there are meaningful resource constraints, I'm willing to treat it as the bottleneck.
Most routers can handle several million paths in the RIB and cache overflows shouldn't be fatal if you have sufficient FIB resources.

>> Additionally, IPv6 should go from a ~10:1 ratio of
>> prefixes to ASNs to a ratio closer to 1.5-2:1. As such, I only expect
>> the IPv6 table to be about 10-20x its current size at full
>> deployment.
>> Significant, but, hardly what I would call an explosion.
>
> Maybe. There are currently 36178 ASes announcing routes in v4. There
> are 2882 ASes announcing v6 routes. Assuming that every AS currently in
> v4 will eventually appear in v6 and also making an assumption that each
> AS in v4 will announce at least one route in v6, that would indicate at
> minimum a 12x growth above today. Once you get into deaggregation of PA
> space to accommodate multihoming or disconnected PI sites, all bets are
> off but 20x seems a reasonable start.
>

Even at 20x (I think 15x is a more reasonable guesstimate), I still wouldn't call it an explosion. 20x 3843 = 76,860 total IPv6 routes. Even at 4x resources, that's less than the current IPv4 table (~340k routes). At the more realistic 2x, it's dramatically less.

>> People running routers with less than 1MM IPv4 prefix capability
>> probably can use defaults to cover for discarding some of the
>> longer prefixes.
>
> Yup. And that is where I was going with "their multihoming in PA space
> might not work as well as it used to" when that sort of thing happens on
> a broader scale.
>

Actually, the people with the smaller routers are probably far enough away that it won't matter. This will only have negative impact on remote hosts that are on the same side of the closest common major transit provider.

>> Generally speaking, those are not major transit
>> backbones where this would be harmful. (Major transit backbones
>> have been out of room in such routers for some time now).
>
> Yeah, I was considering networks like mine where I am trying to talk to
> a multihomed site that I am not directly peered with and one transit
> provider has some peering issue and loses a route to that destination.
> I need to be able to "see" that route via the other transit provider(s)
> in a hurry so a default probably isn't going to work well for me though
> I will be tempted to move in that direction once I come under resource
> pressure.
>

If both of your transit providers are default-free, then, likely the default will still work fine. It may not be optimal, but, it'll probably be functional in the vast majority of cases.

>> Compromising in IPv6 won't buy much, so, I suspect the compromises
>> will have to be made in IPv4. (let's face it, there's just not much
>> there
>> in a <60k route table to reduce).
>
> And I don't think anyone is going to *want* to compromise in v6, v4 is
> where they are going to begin to trim back as that is a dead-end path
> anyway. Compromising on the v6 side is going to generate an increase in
> problems going forward. Compromising on the v4 path will produce a
> decreasing amount of problems over time. The downhill path is the
> easiest to follow.
>

Compromising in v6 temporarily to preserve v4 functionality may be necessary in some cases. I'm not willing to rule anything out at this point.

>> People are doing this in IPv6? Really? What's the point? There simply
>> aren't enough savings to make it significant.
>
> There was some chatter on this list of Verizon, for example, not taking
> smaller than a /32 out of PA space (but accepting down to a /48 in PI
> space). I don't have access to their routes so I can't say with any
> authority, I am repeating what was posted here by others.
>

Oh, yeah, that's JUST Verizon, and, I think they've started to get over that religion as well.
However, now you're talking about the only provider on the planet with >1MM route capable routers that are actually overflowing due to the utter mess that is their intra-AS routing topology.

Owen

From theghost101 at gmail.com Wed Dec 8 16:46:16 2010
From: theghost101 at gmail.com (Danijel)
Date: Wed, 8 Dec 2010 23:46:16 +0100
Subject: SONET and MAC address
In-Reply-To: <0b4501cb9722$daf40ae0$90dc20a0$@sberkman.net>
References: <0b4501cb9722$daf40ae0$90dc20a0$@sberkman.net>
Message-ID:

Same thing with Siemens and Huawei gear, there are "transparent" cards that don't learn anything and L2 cards that do.

--
*blap*

On Wed, Dec 8, 2010 at 22:57, Scott Berkman wrote:

> Don't know the FlashWave gear well, but in the Cisco ONS/Cerent world GigE
> ports can be configured in different modes, some of which do in fact learn
> MAC addresses. Others emulate a single layer-2 link and as the vendor
> stated, would not look at the MAC address at all.
>
> -Scott
>
> -----Original Message-----
> From: Jay Nakamura [mailto:zeusdadog at gmail.com]
> Sent: Wednesday, December 08, 2010 3:33 PM
> To: NANOG
> Subject: SONET and MAC address
>
> We have a Gigabit Ethernet transport between cities by a vendor. We found
> that when there are identical MAC addresses that are on different VLANs on
> different sides of the circuit, one of the VLANs loses packets. This
> situation came up because two different networks that travel over the
> Ethernet were using HSRP with the same virtual MAC address.
>
> The vendor says both sides are directly connected to Fujitsu SONET gear and
> the equipment doesn't even look at the MAC address so it's not their
> circuit. All I know is, I can't recreate the problem if this circuit is
> not
> in the path.
>
> I haven't worked with Fujitsu SONET gear so I don't know if their claim is
> true or not. I vaguely remember someone talking about some equipment
> actually having a built-in switch on the SONET port and that was messing up
> the forwarding.
>
> Also, on one side of the circuit, there is a copper to fiber media
> converter. I am going to find out what model this is and see if that could
> be the cause.
>
> Anyone have any thoughts on what I should look into or have the vendor look
> into? Anyone run into this situation?
>
> Thanks!
>

From jbates at brightok.net Wed Dec 8 16:48:02 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 08 Dec 2010 16:48:02 -0600
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com>
Message-ID: <4D000B22.9050509@brightok.net>

On 12/8/2010 4:12 PM, Owen DeLong wrote:
> IMHO, a more ideal way to do this would be to add 32 bits to the
> packet header for "destination ASN" and do IDR based on that,
> but, changing the packet header at this time is hard and would
> require a new IP version number.

My only problem with this is how to get certain percentages of traffic to come through different transits. I realize I could specify a separate ASN, and balance traffic based on ASN instead of network, but I'm not sure what is saved. ie, 4 ASNs vs 4 networks? The other issue is that networks are not all equal. Though I presume you could shift networks around to different ASNs to accomplish this.

My hope is that the nature of v6 will actually reduce the routing table naturally (even though we are storing larger prefixes). Handing out address space on a 3-6 month curve is what has made it a nightmare. I'm going to go out on a limb (and not read the last BGP summary reports) and say that ISPs being assigned fragmented space has caused more routing table bloat than deaggregation for traffic engineering.
Jack

From m.hallgren at free.fr Wed Dec 8 17:04:12 2010
From: m.hallgren at free.fr (Michael Hallgren)
Date: Thu, 09 Dec 2010 00:04:12 +0100
Subject: Mastercard problems
In-Reply-To: <231198.95738.qm@web59603.mail.ac4.yahoo.com>
References: <231198.95738.qm@web59603.mail.ac4.yahoo.com>
Message-ID: <1291849452.2774.3.camel@home>

On Wednesday, 08 December 2010 at 14:23 -0800, andrew.wallace wrote:
> "MasterCard works closely with the
> U.S. Secret Service, the FBI, the Postal Inspection Service, Interpol,
> Europol and counterpart organizations throughout the world to facilitate investigation and prosecution."
>
> http://www.mastercard.com/us/merchant/security/collaborating_experts.html

Sure, and fortunately,... but that's about fraud prevention...

mh

>
> Andrew
>
> ----- Original Message -----
> From: James Downs
> To: andrew.wallace
> Cc: Christopher Morrow ; "nanog at nanog.org"
> Sent: Wednesday, 8 December 2010, 21:30:20
> Subject: Re: Mastercard problems
>
> On Dec 8, 2010, at 12:30 PM, andrew.wallace wrote:
>
> > I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system.
> >
> > "Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States." --- secretservice.gov
>
> Yikes.. you consider a private company's business to be the financial and payment system of the United States?
>
> -j
>

From iljitsch at muada.com Wed Dec 8 17:08:20 2010
From: iljitsch at muada.com (Iljitsch van Beijnum)
Date: Thu, 9 Dec 2010 00:08:20 +0100
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <4D000B22.9050509@brightok.net>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com> <4D000B22.9050509@brightok.net>
Message-ID: <7F68D58A-BB7C-4485-B640-0CFE8A568EFA@muada.com>

On 8 dec 2010, at 23:48, Jack Bates wrote:

> I'm going to go out on a limb (and not read the last BGP summary reports) and say that ISPs being assigned fragmented space has caused more routing table bloat than deaggregation for traffic engineering.

Why would ISPs get fragmented space? The RIRs are still getting /8s from IANA at the moment.

And most deaggregation is not for traffic engineering because the attributes are all the same.

From owen at delong.com Wed Dec 8 17:07:09 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 8 Dec 2010 15:07:09 -0800
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <4D000B22.9050509@brightok.net>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com> <4D000B22.9050509@brightok.net>
Message-ID: <9E7683D3-FC88-4135-83BA-4A17A1EDC9A3@delong.com>

On Dec 8, 2010, at 2:48 PM, Jack Bates wrote:

>
>
> On 12/8/2010 4:12 PM, Owen DeLong wrote:
>> IMHO, a more ideal way to do this would be to add 32 bits to the
>> packet header for "destination ASN" and do IDR based on that,
>> but, changing the packet header at this time is hard and would
>> require a new IP version number.
>
> My only problem with this is how to get certain percentages of traffic to come through different transits. I realize I could specify a separate ASN, and balance traffic based on ASN instead of network, but I'm not sure what is saved.
>

If you have 200 prefixes and 3 routing policies, you need 3 ASNs in the global routing table instead of 200 prefixes in the global routing table.

> ie, 4 ASNs vs 4 networks? The other issue is that networks are not all equal. Though I presume you could shift networks around to different ASNs to accomplish this.
>

This assumes a 1:1 ratio between prefixes and routing policies. This is unrealistic in all but the most trivial of networks.

> My hope is that the nature of v6 will actually reduce the routing table naturally (even though we are storing larger prefixes). Handing out address space on a 3-6 month curve is what has made it a nightmare. I'm going to go out on a limb (and not read the last BGP summary reports) and say that ISPs being assigned fragmented space has caused more routing table bloat than deaggregation for traffic engineering.
>

Yes... It should. However, even with the reduced IPv6 routing table, there will be circumstances where multiple prefixes can efficiently be coalesced into common routing policies. Unfortunately, the current designs of IPv4 and IPv6 do not allow us to actually do so. What I am proposing would.

Owen

From black at csulb.edu Wed Dec 8 17:19:52 2010
From: black at csulb.edu (Matthew Black)
Date: Wed, 08 Dec 2010 15:19:52 -0800
Subject: Mastercard problems
In-Reply-To: <231198.95738.qm@web59603.mail.ac4.yahoo.com>
References: <231198.95738.qm@web59603.mail.ac4.yahoo.com>
Message-ID:

> ----- Original Message -----
> From: James Downs
> To: andrew.wallace
> Cc: Christopher Morrow ; "nanog at nanog.org"
>
> Sent: Wednesday, 8 December 2010, 21:30:20
> Subject: Re: Mastercard problems

[snip]

> Yikes.. you consider a private company's business to be the financial and
> payment system of the United States?

Yes, I do. Especially when government agencies accept payments through MasterCard, et al.

matthew black
comments reflect my opinions and may not represent those of my employer.
From owen at delong.com Wed Dec 8 17:36:15 2010 From: owen at delong.com (Owen DeLong) Date: Wed, 8 Dec 2010 15:36:15 -0800 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <7F68D58A-BB7C-4485-B640-0CFE8A568EFA@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com> <4D000B22.9050509@brightok.net> <7F68D58A-BB7C-4485-B640-0CFE8A568EFA@muada.com> Message-ID: <7E85174A-9742-43E9-9281-F13E718F3632@delong.com> On Dec 8, 2010, at 3:08 PM, Iljitsch van Beijnum wrote: > On 8 dec 2010, at 23:48, Jack Bates wrote: > >> I'm going to go out on a limb (and not read the last BGP summary reports) and say that ISPs being assigned fragmented space has caused more routing table bloat than deaggregation for traffic engineering. > > Why would ISPs get fragmented space? The RIRs are still getting /8s from IANA at the moment. > Because ISPs get multiple blocks over years from RIRs and don't return their old small block and renumber into a new large one. > And most deaggregation is not for traffic engineering because the attributes are all the same. Which would support the above statement. Owen From zeusdadog at gmail.com Wed Dec 8 18:33:11 2010 From: zeusdadog at gmail.com (Jay Nakamura) Date: Wed, 8 Dec 2010 19:33:11 -0500 Subject: SONET and MAC address In-Reply-To: References: <0b4501cb9722$daf40ae0$90dc20a0$@sberkman.net> Message-ID: I think we narrowed it down to a cheap media converter they supplied. It's a 10/100/1000 copper to gig fiber converter, which makes me think it's got a low grade switch inside that doesn't have a per-VLAN FDB. On Wed, Dec 8, 2010 at 5:46 PM, Danijel wrote: > Same thing with Siemens and Huawei gear, there are "transparent" cards that > don't learn anything and L2 cards that do. 
> > -- > *blap* > > > On Wed, Dec 8, 2010 at 22:57, Scott Berkman wrote: > >> Don't know the FlashWave gear well, but in the Cisco ONS/Cerent world GigE >> ports can be configured in different modes, some of which do in fact learn >> MAC addresses. Others emulate a single layer-2 link and as the vendor >> stated, would not look at the MAC address at all. >> >> -Scott >> >> -----Original Message----- >> From: Jay Nakamura [mailto:zeusdadog at gmail.com] >> Sent: Wednesday, December 08, 2010 3:33 PM >> To: NANOG >> Subject: SONET and MAC address >> >> We have a Gigabit Ethernet transport between cities by a vendor. We found >> that when there are identical MAC addresses that are on different VLANs on >> different sides of the circuit, one of the VLANs loses packets. This >> situation came up because two different networks that travel over the >> Ethernet were using HSRP with the same virtual MAC address. >> >> The vendor says both sides are directly connected to Fujitsu SONET gear and >> the equipment doesn't even look at the MAC address so it's not their >> circuit. All I know is, I can't recreate the problem if this circuit is >> not >> in the path. >> >> I haven't worked with Fujitsu SONET gear so I don't know if their claim is >> true or not. I vaguely remember someone talking about some equipment >> actually having a builtin switch on the SONET port and that was messing up >> the forwarding. >> >> Also, on one side of the circuit, there is a copper to fiber media >> converter. I am going to find out what model this is and see if that could >> be the cause. >> >> Anyone have any thoughts on what I should look into or have the vendor look >> into? Anyone run into this situation? >> >> Thanks!
>> >> >> >> > From kiriki at streamguys.com Wed Dec 8 20:16:24 2010 From: kiriki at streamguys.com (Kiriki Delany) Date: Wed, 8 Dec 2010 18:16:24 -0800 Subject: MasterCard problems In-Reply-To: <006201cb9746$1cf7d520$56e77f60$@com> References: <231198.95738.qm@web59603.mail.ac4.yahoo.com> <006201cb9746$1cf7d520$56e77f60$@com> Message-ID: <006a01cb9747$2699ffd0$73cdff70$@com> It's a national security issue that the federal and state governments cannot temporarily accept payment from visa/mc? Really? Is this because cash or checks are not viable solutions? This is the result of privatization of government. Pay close attention to what privatization means. It's a loss of critical accountability. Demand government not rely on a private payment provider. It's a gross neglect of national security for payment processing to be beholden to visa/mc. They have no responsibility to the citizens of the US. I don't think this is actually the case, as mc/visa take fees on all transactions they process. Most vendors prefer cash or a check, I would assume the feds do as well. Of course if you have no actual cash anymore, and can only finance your debts on credit, well..... yet more evidence the lack of regulation of credit card companies is a national security risk. -Kiriki -----Original Message----- From: Matthew Black [mailto:black at csulb.edu] Sent: Wednesday, December 08, 2010 3:20 PM To: nanog at nanog.org Subject: Re: Mastercard problems > ----- Original Message ----- >From:James Downs > To:andrew.wallace > Cc:Christopher Morrow ; "nanog at nanog.org" > > Sent:Wednesday, 8 December 2010, 21:30:20 > Subject:Re: Mastercard problems [snip] > Yikes.. you consider a private company's business to be the financial and >payment system of the United States? Yes, I do. Especially when government agencies accept payments through MasterCard, et al. matthew black comments reflect my opinions and may not represent those of my employer.
From randy at psg.com Wed Dec 8 20:42:11 2010 From: randy at psg.com (Randy Bush) Date: Wed, 08 Dec 2010 18:42:11 -0800 Subject: who dis Message-ID: whois don't work * i2.78.64.0/18 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i * i2.78.128.0/17 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i * i2.79.0.0/16 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i so who is announcing this space that i can not find in ripe (or arin) whois? randy From randy at psg.com Wed Dec 8 20:53:57 2010 From: randy at psg.com (Randy Bush) Date: Wed, 08 Dec 2010 18:53:57 -0800 Subject: who dis In-Reply-To: <00e701cb974b$93ca2130$bb5e6390$@telic.us> References: <00e701cb974b$93ca2130$bb5e6390$@telic.us> Message-ID: > I got both the as and the block from ripe's whois. now i do, before i did not. my apologies. 
randy From ulf at Alameda.net Wed Dec 8 20:54:14 2010 From: ulf at Alameda.net (Ulf Zimmermann) Date: Wed, 8 Dec 2010 18:54:14 -0800 Subject: who dis In-Reply-To: References: Message-ID: <20101209025414.GL62987@evil.alameda.net> On Wed, Dec 08, 2010 at 06:42:11PM -0800, Randy Bush wrote: > whois don't work > > * i2.78.64.0/18 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > * i2.78.128.0/17 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > * i2.79.0.0/16 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > *> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > * 129.250.11.41 379 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i > > so who is announcing this space that i can not find in ripe (or arin) whois? > > randy My whois says: whois -a 2.78.64.0 [Querying whois.arin.net] [Redirected to whois.ripe.net] [Querying whois.ripe.net] [whois.ripe.net] % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: This output has been filtered. 
% To receive output for a database update, use the "-B" flag. % Information related to '2.78.64.0 - 2.78.127.255' inetnum: 2.78.64.0 - 2.78.127.255 netname: KCELL-GPRS-SUBSCRIBERS descr: GSM Kazakhstan OJSC Kazakhtelecom LLP (Company) remarks: LLP "GSM Kazakhstan OJSC "Kazakhtelecom" remarks: GPRS/EDGE/3G/WiMAX Subscribers remarks: Atyrau org: ORG-GKOK1-RIPE country: KZ admin-c: VH640-RIPE admin-c: DK1918-RIPE tech-c: VH640-RIPE tech-c: DK1918-RIPE status: ASSIGNED PA mnt-by: KCELL-MNT source: RIPE # Filtered organisation: ORG-GKOK1-RIPE org-name: GSM Kazakhstan OJSC Kazakhtelecom LLP (Company) org-type: LIR address: GSM Kazakhstan OJSC Kazakhtelecom LLP (Company) address: 2g Temiryzev st address: 050013 Almaty address: KZ e-mail: admin at kcell.kz mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT mnt-ref: KCELL-MNT source: RIPE # Filtered person: Vasiliy Hill address: 2g Temiryazev st.; 050013 address: Almaty, Republic of Kazakhstan e-mail: regmaster at kcell.kz phone: +7 727 2582755 1606 fax-no: +7 727 2582755 1616 nic-hdl: VH640-RIPE source: RIPE # Filtered person: Dmitriy Korovin address: 2g Temiryazev st.; 050013 address: Almaty, Republic of Kazakhstan e-mail: regmaster at kcell.kz phone: +7 727 2582755 1656 nic-hdl: DK1918-RIPE source: RIPE # Filtered % Information related to '2.72.0.0/13AS29355' route: 2.72.0.0/13 descr: GSM Kazakhstan OJSC Kazakhtelecom LLP (Company) descr: KCELL-GPRS-SUBSCRIBERS origin: AS29355 mnt-by: KCELL-MNT source: RIPE # Filtered % Information related to '2.78.64.0/18AS29355' route: 2.78.64.0/18 descr: GSM Kazakhstan OJSC Kazakhtelecom LLP (Company) descr: KCELL-GPRS-SUBSCRIBERS descr: Atyrau origin: AS29355 mnt-by: KCELL-MNT source: RIPE # Filtered -- Regards, Ulf. From mysidia at gmail.com Wed Dec 8 21:23:40 2010 From: mysidia at gmail.com (James Hess) Date: Wed, 8 Dec 2010 21:23:40 -0600 Subject: Start accepting longer prefixes as IPv4 depletes? 
In-Reply-To: <7F68D58A-BB7C-4485-B640-0CFE8A568EFA@muada.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com> <4D000B22.9050509@brightok.net> <7F68D58A-BB7C-4485-B640-0CFE8A568EFA@muada.com> Message-ID: On Wed, Dec 8, 2010 at 5:08 PM, Iljitsch van Beijnum wrote: > On 8 dec 2010, at 23:48, Jack Bates wrote: >> I'm going to go out on a limb (and not read the last BGP summary reports) and say that ISPs being assigned fragmented space has caused more routing table bloat than deaggregation for traffic engineering. > > Why would ISPs get fragmented space? The RIRs are still getting /8s from IANA at the moment. > And most deaggregation is not for traffic engineering because the attributes are all the same. Because ISP networks are not fixed sized entities that never add more infrastructure (or more customers), like some end users might be. ISPs get contiguous assignments, but when they later require more IP address space, they apply for more space, and wind up with a new assignment that is not aggregable with the previous assignment(s). The RIRs do not predict their members' future requirements, and maintain enough unallocated buffer space around allocations to provide a contiguous extension when more address space is requested. -- -JH From cgucker at onesc.net Wed Dec 8 21:38:06 2010 From: cgucker at onesc.net (Charles Gucker) Date: Wed, 8 Dec 2010 22:38:06 -0500 Subject: ALT-DB Question In-Reply-To: References: Message-ID: On Wed, Dec 8, 2010 at 1:25 PM, Chadwick Sorrell wrote: > Hello, > > I'm sending a new MAINT-AS object to the db-admin at altdb.net, but it > doesn't appear to be in the database after a few weeks. ?Are there any > requirements that I may be missing on my new request, or some sort of > way I can help get it processed? I submitted one over a year ago. Still not sure who's running it these days. 
charles From ck at sandcastl.es Wed Dec 8 21:45:54 2010 From: ck at sandcastl.es (christian koch) Date: Wed, 8 Dec 2010 19:45:54 -0800 Subject: ALT-DB Question In-Reply-To: References: Message-ID: http://markmail.org/message/7vm3wk6kcnkqvonj On Wed, Dec 8, 2010 at 7:38 PM, Charles Gucker wrote: > On Wed, Dec 8, 2010 at 1:25 PM, Chadwick Sorrell > wrote: > > Hello, > > > > I'm sending a new MAINT-AS object to the db-admin at altdb.net, but it > > doesn't appear to be in the database after a few weeks. Are there any > > requirements that I may be missing on my new request, or some sort of > > way I can help get it processed? > > I submitted one over a year ago. Still not sure who's running it these > days. > > charles > > From jared at puck.nether.net Wed Dec 8 21:56:08 2010 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 8 Dec 2010 22:56:08 -0500 Subject: Are you ready for RPKI in your BGP? Message-ID: <15FF52BA-388A-48E8-BDDE-A151E694E9AC@puck.nether.net> Are you ready for RPKI in your network? While there's some dubious hyperbole in the article, the work that has been undertaken in SIDR wg re: RPKI is moving along. http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n For those of you preparing to assign 2011 goals to your employees, or something to self-assign, this should be in the top-5 or top-10 if you configure routers for BGP. - Jared From jcdill.lists at gmail.com Wed Dec 8 22:02:21 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Wed, 08 Dec 2010 20:02:21 -0800 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: <28793.1291844294@localhost> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <28793.1291844294@localhost> Message-ID: <4D0054CD.60009@gmail.com> On 08/12/10 1:38 PM, Valdis.Kletnieks at vt.edu wrote: > > The second issue is that if you *do* establish a legal precedent that > software vendors are liable for faults no matter what the contract/EULA > says, It doesn't matter what contract an auto maker makes with someone who purchases the car, if the brakes fail and the car hits ME, I can sue the auto maker due to the defective brakes. If they design the car in a way that a 3rd party can easily tamper with the brakes, and then the car hits me, I can also sue the auto maker. They are legally required to take due care in how they design the car to ensure that innocent bystanders aren't injured or killed by a design defect. IMHO, there's no difference in the core responsibility that software makers should be held to, to ensure that their software isn't easily compromised and used to attack and injure 3rd parties. The EULA is a red herring, as it only applies to the purchaser (who agrees to the EULA when they purchase the computer or software), not to 3rd parties who are injured. If the software doesn't work as designed and the purchaser is unhappy, that's between them and the company they bought the software from. But when it injures a 3rd party, that's a whole different ball game. I truly don't understand why ISPs (who bear the brunt of the burden of the fall-out from the compromised software, as they fight spam and have to provide customer support to users who complain that the "internet is slow" etc.) haven't said ENOUGH.
jc From ben at adversary.org Thu Dec 9 01:34:09 2010 From: ben at adversary.org (Ben McGinnes) Date: Thu, 09 Dec 2010 18:34:09 +1100 Subject: Mastercard problems In-Reply-To: References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> Message-ID: <4D008671.6090801@adversary.org> On 9/12/10 8:04 AM, Christopher Morrow wrote: > On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote: >> The problem is that they were also slashdotted. The logs would also have a >> large number of unrelated. > > pro-tip: the tool has a pretty easy to spot signature. What is that signature? Regards, Ben From frnkblk at iname.com Thu Dec 9 01:54:48 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Thu, 9 Dec 2010 01:54:48 -0600 Subject: SONET and MAC address In-Reply-To: References: Message-ID: Fuji 4500 gear, depending on the card, software release, and configuration, can support or not support tagged traffic, which might also be a distinguishing aspect that your vendor may not be aware of. Let me know if you need a bit more details, and I can ask our consultant who works with these boxes on a regular basis. Frank -----Original Message----- From: Jay Nakamura [mailto:zeusdadog at gmail.com] Sent: Wednesday, December 08, 2010 2:33 PM To: NANOG Subject: SONET and MAC address We have a Gigabit Ethernet transport between cities by a vendor. We found that when there are identical MAC addresses that are on different VLANs on different sides of the circuit, one of the VLANs loses packets. This situation came up because two different networks that travel over the Ethernet were using HSRP with the same virtual MAC address.
The vendor says both sides are directly connected to Fujitsu SONET gear and the equipment doesn't even look at the MAC address so it's not their circuit. All I know is, I can't recreate the problem if this circuit is not in the path. I haven't worked with Fujitsu SONET gear so I don't know if their claim is true or not. I vaguely remember someone talking about some equipment actually having a builtin switch on the SONET port and that was messing up the forwarding. Also, on one side of the circuit, there is a copper to fiber media converter. I am going to find out what model this is and see if that could be the cause. Anyone have any thoughts on what I should look into or have the vendor look into? Anyone run into this situation? Thanks! From swmike at swm.pp.se Thu Dec 9 01:55:22 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 9 Dec 2010 08:55:22 +0100 (CET) Subject: Are you ready for RPKI in your BGP? In-Reply-To: <15FF52BA-388A-48E8-BDDE-A151E694E9AC@puck.nether.net> References: <15FF52BA-388A-48E8-BDDE-A151E694E9AC@puck.nether.net> Message-ID: On Wed, 8 Dec 2010, Jared Mauch wrote: > For those of you preparing to assign 2011 goals to your employees, or > something to self-assign, this should be in the top-5 or top-10 if you > configure routers for BGP. It would be nice to have an operational write-up on how to get this to work in real life. I've been to presentations about it, but there was a serious lack of HOWTOs and requirements in them. I guess router vendors need to start supporting and I'd imagine that'll take 6-12 months after it's even feature commit, so seeing deployment of this in 2011 seems highly doubtful? It's one of those features I doubt would ever be implemented in 12.0S for GSR, but perhaps enough large ISPs have stopped using IOS GSRs at their edge so this is not a problem anymore.
-- Mikael Abrahamsson email: swmike at swm.pp.se From sthaug at nethelp.no Thu Dec 9 02:24:17 2010 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Thu, 09 Dec 2010 09:24:17 +0100 (CET) Subject: Are you ready for RPKI in your BGP? In-Reply-To: References: <15FF52BA-388A-48E8-BDDE-A151E694E9AC@puck.nether.net> Message-ID: <20101209.092417.74729314.sthaug@nethelp.no> > I guess router vendors need to start supporting > and I'd > imagine that'll take 6-12 months after it's even feature commit, so seeing > deployment of this in 2011 seems highly doubtful? > > It's one of those features I doubt would ever be implemented in 12.0S for > GSR, but perhaps enough large ISPs have stopped using IOS GSRs at their > edge so this is not a problem anymore. For some ISPs an upgrade to IOS XR on the GSR is an alternative. But probably not for all... Steinar Haug, Nethelp consulting, sthaug at nethelp.no From mpetach at netflight.com Thu Dec 9 02:37:28 2010 From: mpetach at netflight.com (Matthew Petach) Date: Thu, 9 Dec 2010 00:37:28 -0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4D0054CD.60009@gmail.com> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <28793.1291844294@localhost> <4D0054CD.60009@gmail.com> Message-ID: On Wed, Dec 8, 2010 at 8:02 PM, JC Dill wrote: > On 08/12/10 1:38 PM, Valdis.Kletnieks at vt.edu wrote: >> >> The second issue is that if you *do* establish a legal precedent that >> software vendors are liable for faults no matter what the contract/EULA >> says, > > It doesn't matter what contract an auto maker makes with someone who > purchases the car, if the brakes fail and the car hits ME, I can sue the > auto maker due to the defective brakes. If they design the car in a way > that a 3rd party can easily tamper with the brakes, and then the car hits > me, I can also sue the auto maker.
They are legally required to take due > care in how they design the car to ensure that innocent bystanders aren't > injured or killed by a design defect. IMHO, there's no difference in the > core responsibility that software makers should be held to, to ensure that > their software isn't easily compromised and used to attack and injure 3rd > parties. The EULA is a red herring, as it only applies to the purchaser > (who agrees to the EULA when they purchase the computer or software), not to > 3rd parties who are injured. > > If the software doesn't work as designed and the purchaser is unhappy, > that's between them and the company they bought the software from. But when > it injures a 3rd party, that's a whole different ball game. I truly don't > understand why ISPs (who bear the brunt of the burden of the fall-out from > the compromised software, as they fight spam and have to provide customer > support to users who complain that the "internet is slow" etc.) haven't said > ENOUGH. > > jc If you look at the national vulnerability database listings, though, it's really not clear who you'd need to go after: http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx Granted, that was two years ago; but it sure seems that just vilifying Microsoft, satisfying though it might be, would be to ignore the breadth of the problem. Matt From gbonser at seven.com Thu Dec 9 02:37:33 2010 From: gbonser at seven.com (George Bonser) Date: Thu, 9 Dec 2010 00:37:33 -0800 Subject: Are you ready for RPKI in your BGP? In-Reply-To: <20101209.092417.74729314.sthaug@nethelp.no> References: <15FF52BA-388A-48E8-BDDE-A151E694E9AC@puck.nether.net> <20101209.092417.74729314.sthaug@nethelp.no> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE11@RWC-EX1.corp.seven.com> > > For some ISPs an upgrade to IOS XR on the GSR is an alternative. But > probably not for all... Yeah, particularly the ones who don't run IOS.
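Jared's RPKI thread and Randy's "who dis" post are two halves of the same problem: a router sees a path ending in AS29355 for 2.78.64.0/18 and has to decide whether that origin is authorised. What RPKI adds is a signed ROA (prefix, maxLength, origin AS) that the RTR protocol pushes to the router, and the router's job is then the comparison below, which yields one of the three RFC 6483 states: Valid, Invalid (a ROA covers the prefix but the origin or prefix length does not match) or NotFound (no ROA covers it). The following is an added example, not code from the thread, from SIDR or from any vendor. It parses BGP table lines in the layout Randy pasted (constructed sample below), strips the prepends, and validates each origin against a constructed ROA set. The ROA for 2.72.0.0/13 with maxLength 18 is an assumption that mirrors the RIPE route object in Ulf's reply; no real ROA is implied, and the AS64496 hijack case is invented for illustration.

```python
# Added example (not from the thread): RPKI route-origin validation with the
# Valid / Invalid / NotFound outcomes of RFC 6483, applied to 'show ip bgp'
# lines in the layout from the 'who dis' post. The ROA is an assumption for
# illustration (it mirrors the RIPE route object 2.72.0.0/13 origin AS29355
# from Ulf's reply); the AS64496 case is a constructed hijack.
import re
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int   # longest announcement the holder authorised
    asn: int          # authorised origin AS


# Constructed ROA set: one /13 ROA allowing announcements down to /18.
ROAS = [ROA(ip_network("2.72.0.0/13"), 18, 29355)]

# Constructed sample in the 'show ip bgp' layout; the second line is an
# additional path to the first prefix, as the router prints it.
SAMPLE_BGP = """\
* i2.78.64.0/18 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i
*> 199.238.113.9 374 0 2914 9002 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i
* i2.79.0.0/16 144.232.9.61 1555 100 0 1239 3216 6854 35104 35104 35104 35104 29355 29355 29355 29355 29355 29355 29355 29355 29355 29355 i
"""

_PREFIX_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_bgp_table(text: str) -> List[Tuple[str, int, int]]:
    """Return (prefix, origin_asn, extra_prepends) per path line. Lines with
    no prefix column are additional paths to the previous prefix."""
    rows, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _PREFIX_RE.search(line)
        if m:
            current = m.group(1)
        if current is None:
            raise ValueError("path line before any prefix: %r" % line)
        tokens = line.split()
        if tokens[-1] in ("i", "e", "?"):     # origin-code column
            tokens = tokens[:-1]
        # The AS path is the trailing run of integers and its right-most entry
        # is the origin; metric/local-pref columns earlier in the line do not
        # matter because only the tail is examined.
        numbers = [int(t) for t in tokens if t.isdigit()]
        origin = numbers[-1]
        copies = 0
        for asn in reversed(numbers):
            if asn != origin:
                break
            copies += 1
        rows.append((current, origin, copies - 1))
    return rows


def validate_origin(prefix: str, origin: int, roas: List[ROA] = ROAS) -> str:
    """RFC 6483 outcome for one announcement against a set of ROAs."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers the prefix: cannot judge
    for r in covering:
        if r.asn == origin and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def validate_table(text: str, roas: List[ROA] = ROAS) -> List[Tuple[str, int, str]]:
    return [(p, o, validate_origin(p, o, roas)) for p, o, _ in parse_bgp_table(text)]


if __name__ == "__main__":
    for prefix, origin, state in validate_table(SAMPLE_BGP):
        print(prefix, "AS%d" % origin, state)
    print("2.78.64.0/18 from AS64496:", validate_origin("2.78.64.0/18", 64496))
    print("2.78.64.0/20 from AS29355:", validate_origin("2.78.64.0/20", 29355))
```

Two things worth noticing when you apply this to a real feed: a more-specific beyond maxLength is Invalid even from the right origin, which is what stops a leaked /24 out of a /18, and the prepend count is irrelevant to validation (only the origin AS is checked), so the nine extra copies of 29355 in Randy's paths neither help nor hurt.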
From gbonser at seven.com Thu Dec 9 02:43:11 2010 From: gbonser at seven.com (George Bonser) Date: Thu, 9 Dec 2010 00:43:11 -0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com><4CFFA7B8.8000306@gmail.com> <28793.1291844294@localhost><4D0054CD.60009@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE12@RWC-EX1.corp.seven.com> > If you look at the national vulnerability database listings, though, > it's really not clear who you'd need to go after: > > http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client- > os-vulnerability-scorecard.aspx > > Granted, that was two years ago; but it sure seems that just > vilifying Microsoft, satisfying though it might be, would be to > ignore the breadth of the problem. > > Matt Is anyone actually using Ubuntu 6.06LTS anymore? That was published for Q1 2008, that was almost three years ago which in "internet years" is a long time. One also has to wonder (since the link to the original paper seems to be dead) if that was "out of the box" 6.06LTS or 6.06LTS kept updated with the security releases. From nenolod at systeminplace.net Thu Dec 9 02:49:42 2010 From: nenolod at systeminplace.net (William Pitcock) Date: Thu, 09 Dec 2010 02:49:42 -0600 Subject: Mastercard problems In-Reply-To: <4D008671.6090801@adversary.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> Message-ID: <1291884582.9824.5.camel@petrie.dereferenced.org> On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote: > On 9/12/10 8:04 AM, Christopher Morrow wrote: > > On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote: > >> The problem is that they were also slashdotted. The logs would also have a > >> large number of unrelated. > > > > pro-tip: the tool has a pretty easy to spot signature. > > What is that signature? 
> The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. William From prt at prt.org Thu Dec 9 03:37:55 2010 From: prt at prt.org (Paul Thornton) Date: Thu, 09 Dec 2010 09:37:55 +0000 Subject: Mastercard problems In-Reply-To: <4CFFEDAE.1020407@brightok.net> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> Message-ID: <4D00A373.3010806@prt.org> On 08/12/2010 20:42, Jack Bates wrote: > Of course, it's debatable if use of LOIC is enough to convict. You'd > have to first prove the person installed it themselves, and then you'd > have to prove that they knew it would be used for illegal purposes. Earlier this morning there were two people interviewed on the BBC radio 4 Today program (this is considered the BBC's flagship morning news/current affairs show on their serious nationwide talk radio station) about this - one was a security consultant and another was a member of/spokesman for the 'operation payback' group. One wonders why the Met Police didn't have someone waiting to have a quiet chat with the latter when he left the studio. Both of them said that people had been voluntarily downloading and installing botnet clients on their PCs in order to take part in these DDoS attacks. Ignoring, for a moment, the stupidity of such action it is hard to see how you'd be able to argue that this was *not* going to be used for illegal purposes. The other amusing part of the interview was when the security consultant started off very well explaining a DDoS in layman's terms, but then veered off using the terms HTTP, UDP and IP in one sentence causing the presenter to intervene as it "was getting a tad too technical there". Paul. 
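William's answer above is that the tool announces itself by sending HTTP/1.0 requests where browsers send HTTP/1.1. The following is an added example, not code from the thread, that turns that signature into something you can run over an Apache or nginx "combined" access log: it tallies per source IP the share of HTTP/1.0 requests, the request rate over the observed interval, and how many distinct paths and user agents the client used. The protocol version alone is not enough, because forward proxies such as Squid have historically spoken HTTP/1.0 too, so the flagging rule also requires volume and a sustained rate. The log lines are constructed; the IPs, thresholds and helper names are assumptions.

```python
# Added example (not from the thread): the HTTP/1.0 signature checked per
# source IP over access-log lines in Apache/nginx "combined" format. The log
# lines below are constructed. A forward proxy such as Squid has historically
# also sent HTTP/1.0, so request volume and rate are required on top of the
# protocol version before an IP is flagged.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-IP counters: volume, HTTP/1.0 share, spread of paths and user
    agents, and request rate over the interval the IP was seen."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "requests": 0, "http10": 0, "paths": set(), "uas": set(),
        "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["proto"] == "HTTP/1.0":
            s["http10"] += 1
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    for s in stats.values():
        span = (s["last"] - s["first"]).total_seconds() + 1   # at least one second
        s["rate"] = s["requests"] / span
        s["http10_ratio"] = s["http10"] / s["requests"]
    return dict(stats)


def flag_floods(lines: List[str], min_requests: int = 20,
                min_http10_ratio: float = 0.9, min_rate: float = 1.0) -> List[str]:
    """IPs whose traffic is almost all HTTP/1.0 AND sustained enough to be a
    flood rather than a proxy or an old client. Thresholds are assumptions."""
    stats = summarize(lines)
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["http10_ratio"] >= min_http10_ratio
                  and s["rate"] >= min_rate)


def _line(ip: str, seconds: int, path: str, proto: str, ua: str) -> str:
    # Builds one constructed combined-format line, offset from a fixed base time.
    base = datetime(2010, 12, 8, 21, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=seconds)).strftime(TS_FMT)
    return '%s - - [%s] "GET %s %s" 200 512 "-" "%s"' % (ip, ts, path, proto, ua)


# Constructed sample: a flood of identical HTTP/1.0 GETs, a normal HTTP/1.1
# browser session, and a proxy-like client that also speaks HTTP/1.0 but at a
# low rate across many paths and user agents.
SAMPLE_LOG = (
    [_line("192.0.2.10", i // 3, "/", "HTTP/1.0", "Mozilla/4.0") for i in range(30)]
    + [_line("198.51.100.7", i, p, "HTTP/1.1", "Mozilla/5.0 (Windows NT 6.1)")
       for i, p in enumerate(["/", "/css/site.css", "/img/logo.png"])]
    + [_line("203.0.113.5", i * 10, "/page%d" % i, "HTTP/1.0", "Browser-%d" % (i % 4))
       for i in range(25)]
)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "req", "%.2f" % s["http10_ratio"], "HTTP/1.0",
              "%.2f req/s" % s["rate"], len(s["paths"]), "paths", len(s["uas"]), "UAs")
    print("flagged:", flag_floods(SAMPLE_LOG))
```

Only 192.0.2.10 is flagged: it is all HTTP/1.0, hits one path, and sustains three requests per second. The proxy-like 203.0.113.5 is also all HTTP/1.0 but spreads 25 distinct paths and several user agents over four minutes, which is the shape a shared cache produces rather than a flood; blocking on the version alone would have taken it out too.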
From ben at adversary.org Thu Dec 9 04:08:20 2010 From: ben at adversary.org (Ben McGinnes) Date: Thu, 09 Dec 2010 21:08:20 +1100 Subject: Mastercard problems In-Reply-To: <1291884582.9824.5.camel@petrie.dereferenced.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> Message-ID: <4D00AA94.9080500@adversary.org> On 9/12/10 7:49 PM, William Pitcock wrote: > On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote: >> On 9/12/10 8:04 AM, Christopher Morrow wrote: >>> On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote: >>>> The problem is that they were also slashdotted. The logs would also have a >>>> large number of unrelated. >>> >>> pro-tip: the tool has a pretty easy to spot signature. >> >> What is that signature? >> > > The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. Is there anything else to it, or just the protocol version? Regards, Ben From adrian at creative.net.au Thu Dec 9 04:12:12 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Thu, 9 Dec 2010 18:12:12 +0800 Subject: Mastercard problems In-Reply-To: <4D00AA94.9080500@adversary.org> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> <4D00AA94.9080500@adversary.org> Message-ID: <20101209101212.GD11037@skywalker.creative.net.au> On Thu, Dec 09, 2010, Ben McGinnes wrote: > On 9/12/10 7:49 PM, William Pitcock wrote: > > On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote: > >> On 9/12/10 8:04 AM, Christopher Morrow wrote: > >>> On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote: > >>>> The problem is that they were also slashdotted.
The logs would also have a > >>>> large number of unrelated. > >>> > >>> pro-tip: the tool has a pretty easy to spot signature. > >> > >> What is that signature? > >> > > > > The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. > > Is there anything else to it, or just the protocol version? Be careful - plenty of Squids make HTTP/1.0 version. ProTip: be careful. :-) Adrian -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA - From adrian at creative.net.au Thu Dec 9 04:16:10 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Thu, 9 Dec 2010 18:16:10 +0800 Subject: Mastercard problems In-Reply-To: <20101209101212.GD11037@skywalker.creative.net.au> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> <4D00AA94.9080500@adversary.org> <20101209101212.GD11037@skywalker.creative.net.au> Message-ID: <20101209101610.GE11037@skywalker.creative.net.au> On Thu, Dec 09, 2010, Adrian Chadd wrote: > Be careful - plenty of Squids make HTTP/1.0 version. make HTTP/1.0 requests, not "version". Tsk. (And here I am, studying linguistics. Pshaw.)
Adrian From lists at internetpolicyagency.com Thu Dec 9 05:11:59 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 9 Dec 2010 11:11:59 +0000 Subject: Mastercard problems In-Reply-To: <4D00A373.3010806@prt.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> Message-ID: <$r10OAV$lLANFAqV@perry.co.uk> In article <4D00A373.3010806 at prt.org>, Paul Thornton writes >Earlier this morning there were two people interviewed on the BBC radio >4 Today program (this is considered the BBC's flagship morning >news/current affairs show on their serious nationwide talk radio >station) about this - one was a security consultant and another was a >member of/spokesman for the 'operation payback' group. One wonders why >the Met Police didn't have someone waiting to have a quiet chat with >the latter when he left the studio. In this case the chap was in their central studio, but the earlier technical expert wasn't (you can tell by the way he's introduced and other verbal clues). I've done several such live interviews, in the studio and both attended and unattended remote - they all work a bit differently. The police would have to act fast to get round there before he left the building, but if the interview was from a regional studio he'd be long gone. On the other hand, if the BBC got hold of him, they must have some contact details to trace him. ps I was surprised the expert claimed that Visa's service had been taken down by DDOS, despite being Akamaised. -- Roland Perry From arturo.servin at gmail.com Thu Dec 9 05:16:18 2010 From: arturo.servin at gmail.com (Arturo Servin) Date: Thu, 9 Dec 2010 09:16:18 -0200 Subject: Are you ready for RPKI in your BGP? In-Reply-To: References: Message-ID: <41D087EB-6E3B-44D3-84DF-DB5FEDB9EEEA@gmail.com> There are some pieces in the RPKI puzzle. 
One is the definition of protocols; that one is very advanced in the SIDR WG in the IETF. Not RFCs yet, but I am sure we will see some soon. Another piece is the repositories of CAs and ROAs and Trust Anchors. RIRs have their implementations, or you could create your own if you want to keep your private keys. IMHO one piece missing (not the only one, but one important at this stage) is RTR (RPKI/Router Protocol) working in routers. Maybe it is too soon to see it in production routers, but I am only aware of one big vendor with testing code. Also, open-source implementations (Quagga, Xorp, Bird, etc.) are not actively (or at all) working on RPKI; I would imagine that one first step for many operators is to test RPKI with these implementations. Regards, -as On 9 Dec 2010, at 06:37, nanog-request at nanog.org wrote: > Date: Wed, 8 Dec 2010 22:56:08 -0500 > From: Jared Mauch > Subject: Are you ready for RPKI in your BGP? > To: North American Network Operators Group > Message-ID: <15FF52BA-388A-48E8-BDDE-A151E694E9AC at puck.nether.net> > Content-Type: text/plain; charset=us-ascii > > Are you ready for RPKI in your network? > > While there's some dubious hyperbole in the article, the work that has been undertaken in SIDR wg re: RPKI is moving along. > > http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2010/120710-chinese-internet-traffic-fix.html&pagename=/news/2010/120710-chinese-internet-traffic-fix.html&pageurl=http://www.networkworld.com/news/2010/120710-chinese-internet-traffic-fix.html&site=printpage&nsdr=n > > For those of you preparing to assign 2011 goals to your employees, or something to self-assign, this should be in the top-5 or top-10 if you configure routers for BGP. > > - Jared

From b2 at playtime.bg Thu Dec 9 05:32:26 2010 From: b2 at playtime.bg (b2) Date: Thu, 09 Dec 2010 13:32:26 +0200 Subject: BGP multihoming question.
In-Reply-To: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> Message-ID: <1291894346.2820.9.camel@valio> Hi, first sorry for the lame question but I'm new to BGP. In my ISP I have two full BGP sessions with my two transit providers (X and Y), and for every provider I have assigned PA (Provider Aggregatable) networks. Is it possible (if there are no filters on the other side) to advertise X networks to Y and Y to accept them? My confusion comes from the PA status; I know if it is PI there is no problem to route it to any AS. Thanks.

From rsk at gsp.org Thu Dec 9 05:45:45 2010 From: rsk at gsp.org (Rich Kulawiec) Date: Thu, 9 Dec 2010 06:45:45 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4CFFA7B8.8000306@gmail.com> References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> Message-ID: <20101209114545.GA23199@gsp.org> On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote: > ISPs are not the source. The source is Microsoft. The source is > their buggy OS that is easily compromised to enable the computers to > be taken over as part of the botnet. I often disagree vehemently with JC, but not this time. I've been studying bot-generated spam for most of the last decade, and to about 6 nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.) The botnet problem is a Microsoft problem. Now...whether the botnet problem will still be a Microsoft problem in 2015: can't say. Clearly attackers have plenty of reasons to attack other systems and in some cases, they'll be successful.
But it appears that to date, the advantages they might accrue from owning a box running one of the superior operating systems are outweighed by the costs of the effort to do so. (With a few rare exceptions, of course.) But you don't have to take my word for this. Turn on passive OS fingerprinting on your MXes and start recording data, including DNS and rDNS, putative sender, recipient, etc. Accumulate a couple years' worth and analyze. This is why some rather effective defensive techniques (not just for spam) can be constructed by differentiating traffic based on the operating system of the host originating that traffic. ---rsk

From randy at psg.com Thu Dec 9 06:54:36 2010 From: randy at psg.com (Randy Bush) Date: Thu, 09 Dec 2010 04:54:36 -0800 Subject: Are you ready for RPKI in your BGP? In-Reply-To: <41D087EB-6E3B-44D3-84DF-DB5FEDB9EEEA@gmail.com> References: <41D087EB-6E3B-44D3-84DF-DB5FEDB9EEEA@gmail.com> Message-ID: > IMHO one piece missing (not the only one, but one important at this > stage) is RTR (RPKI/Router Protocol) working in routers. i have been running test versions on ios xr on a gsr and ios classic on a 7200 for a while now. > I am only aware of one big vendor with testing code. see your sales team > Also open-source implementations (Quagga, Xorp, Bird, etc.) are not > actively (or at all) working on RPKI first a nit. i would like to differentiate the RPKI, a certificate and routing infrastructure, from route origin validation. this is needed because there may be other uses of the RPKI. secondly, i believe NIST has a quagga hacked to do origin validation based on rpki-rtr protocol. randy

From graham at g-rock.net Thu Dec 9 07:05:00 2010 From: graham at g-rock.net (Graham Wooden) Date: Thu, 09 Dec 2010 07:05:00 -0600 Subject: West coast collos - ones that are VoIP friendly Message-ID: Hi there, I am not familiar with the west coast collocation facilities that are VoIP friendly (either by QoS or good upstreams/peering).
Something in the Los Angeles area; been looking at IX2 on Wilshire. Right now looking to collocate a few boxes, switch and a router... Any recommendations? Quality over cost, at this moment. Thanks, -graham

From greg at bestnet.kharkov.ua Thu Dec 9 07:11:47 2010 From: greg at bestnet.kharkov.ua (Gregory Edigarov) Date: Thu, 9 Dec 2010 15:11:47 +0200 Subject: BGP multihoming question. In-Reply-To: <1291894346.2820.9.camel@valio> References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> Message-ID: <20101209151147.4911343d@greg.bestnet.kharkov.ua> On Thu, 09 Dec 2010 13:32:26 +0200 b2 wrote: > Hi, first sorry for the lame question but I'm new to BGP. > In my ISP I have two full BGP sessions with my two transit providers > (X and Y), and for every provider I have assigned PA (Provider > Aggregatable) networks. Is it possible (if there are no filters on > the other side) to advertise X networks to Y and Y to accept them? My > confusion comes from the PA status; I know if it is PI there is no > problem to route it to any AS. Basically I think you need to check with your providers whether they will accept each other's PAs. -- With best regards, Gregory Edigarov

From joseph.prasad at gmail.com Thu Dec 9 07:14:02 2010 From: joseph.prasad at gmail.com (Joseph Prasad) Date: Thu, 9 Dec 2010 05:14:02 -0800 Subject: Mastercard problems In-Reply-To: <4D00A373.3010806@prt.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> Message-ID: here is the audio from BBC Radio 4.
http://www.bbc.co.uk/news/technology-11935539 On Thu, Dec 9, 2010 at 1:37 AM, Paul Thornton wrote: > On 08/12/2010 20:42, Jack Bates wrote: > >> Of course, it's debatable if use of LOIC is enough to convict. You'd >> have to first prove the person installed it themselves, and then you'd >> have to prove that they knew it would be used for illegal purposes. >> > > Earlier this morning there were two people interviewed on the BBC radio 4 > Today program (this is considered the BBC's flagship morning news/current > affairs show on their serious nationwide talk radio station) about this - > one was a security consultant and another was a member of/spokesman for the > 'operation payback' group. One wonders why the Met Police didn't have > someone waiting to have a quiet chat with the latter when he left the > studio. > > Both of them said that people had been voluntarily downloading and > installing botnet clients on their PCs in order to take part in these DDoS > attacks. Ignoring, for a moment, the stupidity of such action it is hard to > see how you'd be able to argue that this was *not* going to be used for > illegal purposes. > > The other amusing part of the interview was when the security consultant > started off very well explaining a DDoS in layman's terms, but then veered > off using the terms HTTP, UDP and IP in one sentence causing the presenter > to intervene as it "was getting a tad too technical there". > > Paul. > >

From bill at herrin.us Thu Dec 9 08:23:16 2010 From: bill at herrin.us (William Herrin) Date: Thu, 9 Dec 2010 09:23:16 -0500 Subject: BGP multihoming question. In-Reply-To: <1291894346.2820.9.camel@valio> References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> Message-ID: 2010/12/9 b2: > Hi, first sorry for the lame question but I'm new to BGP. > In my ISP I have two full BGP sessions with my two transit providers (X > and Y), and for every provider I have assigned PA (Provider > Aggregatable) networks. Is it possible (if there are no filters on the other > side) to advertise X networks to Y and Y to accept them? My confusion > comes from the PA status; I know if it is PI there is no problem to > route it to any AS. Generally speaking, you need at least a /24 from one or the other of them, you need a letter of authorization (LOA) from the one that provided the /24 permitting you to announce it to other ISP(s) and you'll need to test to make sure the ISP who assigned the /24 has set up their filters properly so that you can communicate with them over the Internet even when your line to them is down. For your first foray into BGP, I strongly advise you to contract an expert for help both programming your router and interacting with your ISPs. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004

From gourmetcisco at hotmail.com Thu Dec 9 09:02:59 2010 From: gourmetcisco at hotmail.com (Matt Disuko) Date: Thu, 9 Dec 2010 10:02:59 -0500 Subject: Global Crossing/GBLX tech needed - AS3549 Message-ID: Can a Global Crossing IP engineer please contact me off-list? Thanks, Matt

From vasil at ludost.net Thu Dec 9 09:09:42 2010 From: vasil at ludost.net (Vasil Kolev) Date: Thu, 09 Dec 2010 17:09:42 +0200 Subject: TCP congestion control and large router buffers Message-ID: <1291907382.19262.212.camel@shrike> https://gettys.wordpress.com/2010/12/06/whose-house-is-of-glasse-must-not-throw-stones-at-another/ I wonder why this hasn't made the rounds here. From what I see, a change in this part (e.g.
lower buffers in customer routers, or a change (yet another) to the congestion control algorithms) would do miracles for end-user perceived performance and should help in some way with the net neutrality dispute. I also understand that a lot of the people here operate routers which are a bit far from the end-users and don't have a lot to do with this issue, but the rest should have something to do with choosing/configuring these end-user devices, so this should be relevant. -- Regards, Vasil Kolev

From jbates at brightok.net Thu Dec 9 09:13:43 2010 From: jbates at brightok.net (Jack Bates) Date: Thu, 09 Dec 2010 09:13:43 -0600 Subject: BGP multihoming question. In-Reply-To: <1291894346.2820.9.camel@valio> References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> Message-ID: <4D00F227.2040109@brightok.net> On 12/9/2010 5:32 AM, b2 wrote: > Hi, first sorry for the lame question but I'm new to BGP. > In my ISP I have two full BGP sessions with my two transit providers (X > and Y), and for every provider I have assigned PA (Provider > Aggregatable) networks. Is it possible (if there are no filters on the other > side) to advertise X networks to Y and Y to accept them? My confusion > comes from the PA status; I know if it is PI there is no problem to > route it to any AS. > Thanks. If it's SWIP'd to you by your provider, it is yours to use, and most providers will accept it. The difference between them is paperwork; that's all.
Jack From morrowc.lists at gmail.com Thu Dec 9 09:15:33 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 9 Dec 2010 10:15:33 -0500 Subject: Mastercard problems In-Reply-To: <1291884582.9824.5.camel@petrie.dereferenced.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> Message-ID: On Thu, Dec 9, 2010 at 3:49 AM, William Pitcock wrote: > On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote: >> On 9/12/10 8:04 AM, Christopher Morrow wrote: >> > pro-tip: the tool has a pretty easy to spot signature. >> >> What is that signature? >> > > The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. and spews nothing but the 'message' over HTTP, never an actual request. From swmike at swm.pp.se Thu Dec 9 09:20:10 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 9 Dec 2010 16:20:10 +0100 (CET) Subject: TCP congestion control and large router buffers In-Reply-To: <1291907382.19262.212.camel@shrike> References: <1291907382.19262.212.camel@shrike> Message-ID: On Thu, 9 Dec 2010, Vasil Kolev wrote: > I wonder why this hasn't made the rounds here. From what I see, a change > in this part (e.g. lower buffers in customer routers, or a change (yet > another) to the congestion control algorithms) would do miracles for > end-user perceived performance and should help in some way with the net > neutrality dispute. I'd say this is common knowledge and has been for a long time. In the world of CPEs, lowest price and simplicity is what counts, so nobody cares about buffer depth and AQM, that's why you get ADSL CPEs with 200+ ms of upstream FIFO buffer (no AQM) in most devices. Personally I have MQC configured on my interface which has assured bw for small packets and ssh packets, and I also run fair-queue to make tcp sessions get a fair share. 
I don't know any non-cisco devices that do this. -- Mikael Abrahamsson email: swmike at swm.pp.se

From jbates at brightok.net Thu Dec 9 09:21:23 2010 From: jbates at brightok.net (Jack Bates) Date: Thu, 09 Dec 2010 09:21:23 -0600 Subject: Start accepting longer prefixes as IPv4 depletes? In-Reply-To: <9E7683D3-FC88-4135-83BA-4A17A1EDC9A3@delong.com> References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <04F8F711-098B-4886-B32C-97E05902C318@arbor.net> <334490AF-CB02-4BA0-BBFF-438818C8A2E4@arbor.net> <5AC169DC-901C-4156-B1BD-1CC7E12E9AA7@delong.com> <4D000B22.9050509@brightok.net> <9E7683D3-FC88-4135-83BA-4A17A1EDC9A3@delong.com> Message-ID: <4D00F3F3.70603@brightok.net> On 12/8/2010 5:07 PM, Owen DeLong wrote: > This assumes a 1:1 ratio between prefixes and routing policies. This is unrealistic in all but the most > trivial of networks. > Yet we can achieve much closer to this with IPv6 due to looser allocation policies. > Yes... It should. However, even with the reduced IPv6 routing table, there will be circumstances > where multiple prefixes can efficiently be coalesced into common routing policies. Unfortunately, > the current designs of IPv4 and IPv6 do not allow us to actually do so. What I am proposing > would. I agree it would be good, and every new person to BGP always asks why we don't route packets by the AS (seems like common sense). However, I think we'll have to wait and see on how well v6 manages with the new allocation policies and if the routing table for it drops to a reasonable level. This would be more acceptable than trying to shim on the v6 protocol. The problem is, once a protocol is standardized and implemented by the masses, changing is very difficult. It's going to be a bumpy road as we complete v6 transition, and I doubt anyone is looking forward to another change of that magnitude.
Jack

From lowen at pari.edu Thu Dec 9 09:39:54 2010 From: lowen at pari.edu (Lamar Owen) Date: Thu, 9 Dec 2010 10:39:54 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE12@RWC-EX1.corp.seven.com> References: Message-ID: <201012091039.54526.lowen@pari.edu> On Thursday, December 09, 2010 03:43:11 am George Bonser wrote: > Is anyone actually using Ubuntu 6.06LTS anymore? That was published for > Q1 2008, that was almost three years ago which in "internet years" is a > long time. Yes. I have some desktop users still on 6.06LTS, and they are kept updated. Plans to migrate to CentOS 6 are in the works, with very careful application mapping for the least user retraining, and we should be able to do the migration shortly after CentOS 6 is out, which could be a little while (I would guess February or March timeframes for final C6 release, personally, press reports notwithstanding). So we're taking our time doing that. Further, I know of RH9 and RH8.0 systems still in production, and have a Red Hat Linux 5.2 box still in (not connected to the Internet) production, where it's run for the last 12 years, with a few hardware repairs and upgrades over the years. It wouldn't be wise to run that box on an open Internet connection; but for the application it serves it works, and retooling the app to run on something later isn't currently an option (the app uses libc5, and the version in Red Hat Linux 6 doesn't get along with the app very well). It will soon be time to virtualize it, and, like COBOL and FORTRAN apps of yesteryear, it will live on and on and on and on...
From tme at americafree.tv Thu Dec 9 10:11:49 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Thu, 9 Dec 2010 11:11:49 -0500 Subject: Mastercard problems In-Reply-To: <4D00A373.3010806@prt.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> Message-ID: On Dec 9, 2010, at 4:37 AM, Paul Thornton wrote: > On 08/12/2010 20:42, Jack Bates wrote: >> Of course, it's debatable if use of LOIC is enough to convict. You'd >> have to first prove the person installed it themselves, and then you'd >> have to prove that they knew it would be used for illegal purposes. > > Earlier this morning there were two people interviewed on the BBC radio 4 Today program (this is considered the BBC's flagship morning news/current affairs show on their serious nationwide talk radio station) about this - one was a security consultant and another was a member of/spokesman for the 'operation payback' group. One wonders why the Met Police didn't have someone waiting to have a quiet chat with the latter when he left the studio. > > Both of them said that people had been voluntarily downloading and installing botnet clients on their PCs in order to take part in these DDoS attacks. Ignoring, for a moment, the stupidity of such action it is hard to see how you'd be able to argue that this was *not* going to be used for illegal purposes. > > The other amusing part of the interview was when the security consultant started off very well explaining a DDoS in layman's terms, but then veered off using the terms HTTP, UDP and IP in one sentence causing the presenter to intervene as it "was getting a tad too technical there". 
There is an interesting analysis in today's New York Times http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 about the attacks on Mastercard, Visa and Ebay, how they were coordinated over Twitter and Facebook, and the free speech issues that that raises for the latter two organizations. My guess is that we will shortly see security folks searching through Facebook and Twitter along with IRC for signs of attack coordination. It does seem like these social attacks would lend themselves to obfuscation and steganography (i.e., you don't have to say "let's bombard Ebay with packets using X", you can say "Let's send Elisa lots of poetry using X," or something more clever), so I don't think it will remain as easy as in this case. By the way, I was amused that a Twitter spokesman boasted that "The company is not overly concerned about hackers' attacking Twitter's site, he said, explaining that it faces security issues all the time and has technology to deal with the situation." I hope he had his fingers crossed when he said that, as Twitter can barely keep the service functioning on a good day, with frequent outages. Regards Marshall > Paul. > >

From jim at reptiles.org Thu Dec 9 10:29:36 2010 From: jim at reptiles.org (Jim Mercer) Date: Thu, 9 Dec 2010 11:29:36 -0500 Subject: Mastercard problems In-Reply-To: References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> Message-ID: <20101209162936.GA9891@reptiles.org> On Thu, Dec 09, 2010 at 11:11:49AM -0500, Marshall Eubanks wrote: > There is an interesting analysis in today's New York Times > > http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 > > about the attacks on Mastercard, Visa and Ebay, how they were coordinated > over Twitter and Facebook, and the free speech issues that that raises > for the latter two organizations.
paypal has relaxed its restrictions on Wikileaks funds: https://www.thepaypalblog.com/2010/12/updated-statement-about-wikileaks-from-paypal-general-counsel-john-muller/ amazon is selling a Kindle version of the Wikileaks released cables: http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ this is all becoming quite surreal. -- Jim Mercer jim at reptiles.org +1 416 410-5633 You are more likely to be arrested as a terrorist than you are to be blown up by one. -- Dianora

From joseph.prasad at gmail.com Thu Dec 9 10:55:49 2010 From: joseph.prasad at gmail.com (Joseph Prasad) Date: Thu, 9 Dec 2010 08:55:49 -0800 Subject: Mastercard problems In-Reply-To: <20101209162936.GA9891@reptiles.org> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> Message-ID: so now they are making a profit from Wikileaks. true Capitalism. -------------------------------- http://www.dailypaul.com/ http://www.thenewamerican.com/ -------------------------------- On Thu, Dec 9, 2010 at 8:29 AM, Jim Mercer wrote: > On Thu, Dec 09, 2010 at 11:11:49AM -0500, Marshall Eubanks wrote: > > There is an interesting analysis in today's New York Times > > > > http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 > > > > about the attacks on Mastercard, Visa and Ebay, how they were coordinated > > over Twitter and Facebook, and the free speech issues that that raises > > for the latter two organizations. > > paypal has relaxed its restrictions on Wikileaks funds: > > > https://www.thepaypalblog.com/2010/12/updated-statement-about-wikileaks-from-paypal-general-counsel-john-muller/ > > amazon is selling a Kindle version of the Wikileaks released cables: > > > http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ > > this is all becoming quite surreal.
> > -- > Jim Mercer jim at reptiles.org +1 416 410-5633 > You are more likely to be arrested as a terrorist than you are to be > blown up by one. -- Dianora > >

From thomas.mangin at exa-networks.co.uk Thu Dec 9 11:06:01 2010 From: thomas.mangin at exa-networks.co.uk (Thomas Mangin) Date: Thu, 9 Dec 2010 17:06:01 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> Message-ID: >> On Dec 8, 2010, at 10:10 PM, Thomas Mangin wrote: >> >>> Until this is sorted I believe flowspec will be a marginal solution. >> >> We're seeing a significant uptick in flowspec interest, actually, and S/RTBH has been around for ages. > > Great to hear :) > > But my point is still valid [...] After some offline discussion with Pedro Marques, I now realise that I misunderstood the flow rule validation process, which means that my "complaint" is really irrelevant, which is good news as it means that inter-ISP flow route exchange really has no technical obstacle that I can now think of. Thomas

From lists at internetpolicyagency.com Thu Dec 9 11:18:39 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 9 Dec 2010 17:18:39 +0000 Subject: Mastercard problems In-Reply-To: <20101209162936.GA9891@reptiles.org> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> Message-ID: In article <20101209162936.GA9891 at reptiles.org>, Jim Mercer writes >amazon is selling a Kindle version of the Wikileaks released cables: > >http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ > >this is all becoming quite surreal.
"Please note: This book contains commentary and analysis regarding recent WikiLeaks disclosures, not the original material disclosed via the WikiLeaks website." -- Roland Perry From scott.brim at gmail.com Thu Dec 9 11:22:04 2010 From: scott.brim at gmail.com (Scott Brim) Date: Thu, 09 Dec 2010 12:22:04 -0500 Subject: Mastercard problems In-Reply-To: <20101209162936.GA9891@reptiles.org> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> Message-ID: <4D01103C.4040402@gmail.com> On 12/09/2010 11:29 EST, Jim Mercer wrote: > amazon is selling a Kindle version of the Wikileaks released cables: > > http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ "This book contains commentary and analysis regarding recent WikiLeaks disclosures, not the original material disclosed via the WikiLeaks website." From tme at americafree.tv Thu Dec 9 11:25:54 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Thu, 9 Dec 2010 12:25:54 -0500 Subject: Mastercard problems In-Reply-To: <20101209162936.GA9891@reptiles.org> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> Message-ID: <7B407278-22F6-4A33-B0A0-FCC68B5E88FB@americafree.tv> On Dec 9, 2010, at 11:29 AM, Jim Mercer wrote: > On Thu, Dec 09, 2010 at 11:11:49AM -0500, Marshall Eubanks wrote: >> There is an interesting analysis in today's New York Times >> >> http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 >> >> about the attacks on Mastercard, Visa and Ebay, how they were coordinated >> over Twitter and Facebook, and the free speech issues that that raises >> for the latter two organizations. 
> > paypal has relaxed its restrictions on Wikileaks funds: > > https://www.thepaypalblog.com/2010/12/updated-statement-about-wikileaks-from-paypal-general-counsel-john-muller/ > > amazon is selling a Kindle version of the Wikileaks released cables: > > http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ Not really : Please note: This book contains commentary and analysis regarding recent WikiLeaks disclosures, not the original material disclosed via the WikiLeaks website. Marshall > > this is all becoming quite surreal. > > -- > Jim Mercer jim at reptiles.org +1 416 410-5633 > You are more likely to be arrested as a terrorist than you are to be > blown up by one. -- Dianora > From tme at americafree.tv Thu Dec 9 11:29:54 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Thu, 9 Dec 2010 12:29:54 -0500 Subject: Mastercard problems In-Reply-To: <7B407278-22F6-4A33-B0A0-FCC68B5E88FB@americafree.tv> References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> <7B407278-22F6-4A33-B0A0-FCC68B5E88FB@americafree.tv> Message-ID: <9979F819-45F3-434E-A323-46BD16E1C1E1@americafree.tv> On Dec 9, 2010, at 12:25 PM, Marshall Eubanks wrote: > > On Dec 9, 2010, at 11:29 AM, Jim Mercer wrote: > >> On Thu, Dec 09, 2010 at 11:11:49AM -0500, Marshall Eubanks wrote: >>> There is an interesting analysis in today's New York Times >>> >>> http://www.nytimes.com/2010/12/09/technology/09net.html?_r=1 >>> >>> about the attacks on Mastercard, Visa and Ebay, how they were coordinated >>> over Twitter and Facebook, and the free speech issues that that raises >>> for the latter two organizations. 
>> >> paypal has relaxed its restrictions on Wikileaks funds: >> >> https://www.thepaypalblog.com/2010/12/updated-statement-about-wikileaks-from-paypal-general-counsel-john-muller/ >> >> amazon is selling a Kindle version of the Wikileaks released cables: >> >> http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ > > Not really : > > Please note: > This book contains commentary and analysis regarding recent WikiLeaks disclosures, not the original material disclosed via the WikiLeaks website. > Oh, and there is a blog claiming that the attacks will now expand to include Amazon. http://www.bryanhealey.com/html/home/?entry=111 (This is in retaliation for booting Wikileaks off of EC2, not apparently the Kindle editorial choices.) Regards Marshall > Marshall > >> >> this is all becoming quite surreal. >> >> -- >> Jim Mercer jim at reptiles.org +1 416 410-5633 >> You are more likely to be arrested as a terrorist than you are to be >> blown up by one. -- Dianora >> > > > From jim at reptiles.org Thu Dec 9 12:06:19 2010 From: jim at reptiles.org (Jim Mercer) Date: Thu, 9 Dec 2010 13:06:19 -0500 Subject: Mastercard problems In-Reply-To: References: <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> Message-ID: <20101209180619.GA12061@reptiles.org> On Thu, Dec 09, 2010 at 05:18:39PM +0000, Roland Perry wrote: > In article <20101209162936.GA9891 at reptiles.org>, Jim Mercer > writes > >amazon is selling a Kindle version of the Wikileaks released cables: > > > >http://www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU/ > > > >this is all becoming quite surreal. > > "Please note: This book contains commentary and analysis regarding > recent WikiLeaks disclosures, not the original material disclosed via > the WikiLeaks website." 
i don't have a cache, but i'm pretty sure those comments were added after i posted. fortunately, google's cache has a better memory: http://webcache.googleusercontent.com/search?q=cache:GGCo9vYxnHUJ:www.amazon.co.uk/WikiLeaks-documents-expose-foreign-conspiracies/dp/B004EEOLIU+WikiLeaks+documents+expose+US+foreign+policy+conspiracies.+All+cables+with+tags+from+1-+5000+www.amazon.co.uk&cd=1&hl=en&ct=clnk&gl=ca -- Jim Mercer jim at reptiles.org +1 416 410-5633 You are more likely to be arrested as a terrorist than you are to be blown up by one. -- Dianora From michael.holstein at csuohio.edu Thu Dec 9 12:08:12 2010 From: michael.holstein at csuohio.edu (Michael Holstein) Date: Thu, 09 Dec 2010 13:08:12 -0500 Subject: Mastercard problems In-Reply-To: <1291884582.9824.5.camel@petrie.dereferenced.org> References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> Message-ID: <4D011B0C.4000405@csuohio.edu> > The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests. > Realistically, if the folks from Anonymous wanted to really cause trouble, they'd be doing (legitimate looking) SSL requests against the actual payment gateways. The force-multiplier there is the computational effort it takes to negotiate a DH key exchange. For bonus points, call the voice auth service simultaneously and just sit on hold. Cheers, Michael Holstein Cleveland State University From cmaurand at xyonet.com Thu Dec 9 12:13:05 2010 From: cmaurand at xyonet.com (Curtis Maurand) Date: Thu, 09 Dec 2010 13:13:05 -0500 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: <4CFFE4E2.6000802@rollernet.us>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <4CFFAD03.3050703@brightok.net> <4CFFE4E2.6000802@rollernet.us>
Message-ID: <4D011C31.5020903@xyonet.com>

On 12/8/2010 3:04 PM, Seth Mattinen wrote:
> On 12/8/2010 08:06, Jack Bates wrote:
>> I call BS. Windows has its problems, but it is the most common
>> exploited as it holds the largest market share. Many Windows infections
>> I've seen occur not due to the OS, but due to lack of patching of
>> applications on the OS. The system does as much as it can.
> And end users clicking/running every shiny thing they come across,
> consequences be damned.
>

ActiveX is the problem. It's got about as much security as a piece of swiss cheese.

From jna at retina.net Thu Dec 9 12:16:23 2010
From: jna at retina.net (John Adams)
Date: Thu, 9 Dec 2010 10:16:23 -0800
Subject: Mastercard problems
In-Reply-To: <1291884582.9824.5.camel@petrie.dereferenced.org>
References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org>
Message-ID:

Uh, no. Source code from LOIC:

byte[] buf;
if (random == true)
{
    // request line is HTTP/1.1, then a Host header and three line endings
    buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0}{1} HTTP/1.1{2}Host: {3}{2}{2}{2}", Subsite, new Functions().RandomString(), Environment.NewLine, Host));
}
else
{
    buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.1{1}Host: {2}{1}{1}{1}", Subsite, Environment.NewLine, Host));
}

On Thu, Dec 9, 2010 at 12:49 AM, William Pitcock wrote:
> On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote:
>> On 9/12/10 8:04 AM, Christopher Morrow wrote:
>> > On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr wrote:
>> >> The problem is that they were also slashdotted. The logs would also have a
>> >> large number of unrelated.
>> >
>> > pro-tip: the tool has a pretty easy to spot signature.
>>
>> What is that signature?
>>
>
> The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests.
>
> William
>
>
>

From tifoso.michael at gmail.com Thu Dec 9 12:19:04 2010
From: tifoso.michael at gmail.com (Michael Smith)
Date: Thu, 9 Dec 2010 13:19:04 -0500
Subject: [Operational] Internet Police
Message-ID:

My question is what architectural recommendations will you make to your employer if/when the US Govt compels our employers to accept our role as the "front lines of this "cyberwar"?

I figure once someone with a relevant degree of influence in the govts realizes that the "cyberwar" is between content/service controllers and eyeballs. With involuntary and voluntary botnets as the weapons of "the eyeballs", relying exclusively on a line of defense near to the content (services) leaves a great expanse of "battlefield". I would expect the content/service controllers to look for means to move the battleline as close to the eyeballs as possible (this community) So... if/when our employers are unable to resist the US Govt's demand that we "join in the national defense", wouldn't this community be the ones asked to guard the border?

Assuming the govt won't send federal agents into each of our NOCs, won't our employers ask us "what can we do?"

If inspecting and correlating every single packet/flow for attack signatures is not feasible (on scale), are there name/address registration/resolution measures that could effectively lock-down the edge? ...will we look toward China/Saudi Arabia/etc for lessons learned in their 'great firewalls' to develop a distributed version where central control pushes policy out to the edge (into the private networks that currently provide the dreaded "low barrier for entry")?

Obviously the environment is created by layers 8/9, but I'm interested in the layer 1-7 solutions that the community would consider/recommend.
-Michael

From Greg.Whynott at oicr.on.ca Thu Dec 9 12:23:19 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Thu, 9 Dec 2010 13:23:19 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4D011C31.5020903@xyonet.com>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <4CFFAD03.3050703@brightok.net> <4CFFE4E2.6000802@rollernet.us> <4D011C31.5020903@xyonet.com>
Message-ID:

i found it funny how M$ started giving away virus/security software for its OS. it can't fix the leaky roof, so it includes a roof patch kit. (and puts about 10 companies out of business at the same time)

>>> Many Windows infections
>>> I've seen occur not due to the OS, but due to lack of patching of
>>> applications on the OS. The system does as much as it can.

which applications are home users using which are exploited more than RPC and friends?

-g

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
From lists at internetpolicyagency.com Thu Dec 9 12:23:43 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 9 Dec 2010 18:23:43 +0000
Subject: Mastercard problems
In-Reply-To: <20101209180619.GA12061@reptiles.org>
References: <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> <20101209180619.GA12061@reptiles.org>
Message-ID: <7+xlLtov6RANFAr6@perry.co.uk>

In article <20101209180619.GA12061 at reptiles.org>, Jim Mercer writes
>> "Please note: This book contains commentary and analysis regarding
>> recent WikiLeaks disclosures, not the original material disclosed via
>> the WikiLeaks website."
>
>i don't have a cache, but i'm pretty sure those comments were added after i
>posted.

I'm not trying to criticise the chronology; however if this book doesn't have the text of the cables, then it's worth people knowing that.
--
Roland Perry

From jbates at brightok.net Thu Dec 9 12:25:24 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 09 Dec 2010 12:25:24 -0600
Subject: [Operational] Internet Police
In-Reply-To:
References:
Message-ID: <4D011F14.80002@brightok.net>

On 12/9/2010 12:19 PM, Michael Smith wrote:
> So... if/when our
> employers are unable to resist the US Govt's demand that we "join in the
> national defense", wouldn't this community be the ones asked to guard the
> border?
CALEA

done

From ken at sizone.org Thu Dec 9 12:25:48 2010
From: ken at sizone.org (Ken)
Date: Thu, 9 Dec 2010 13:25:48 -0500
Subject: Mastercard problems
In-Reply-To: <4D011B0C.4000405@csuohio.edu>
References: <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <4D008671.6090801@adversary.org> <1291884582.9824.5.camel@petrie.dereferenced.org> <4D011B0C.4000405@csuohio.edu>
Message-ID: <20101209182548.GL17898@sizone.org>

On Thu, Dec 09, 2010 at 01:08:12PM -0500, Michael Holstein said:
>
>> The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests.
>>
>
>Realistically, if the folks from Anonymous wanted to really cause
>trouble, they'd be doing (legitimate looking) SSL requests against the
>actual payment gateways. The force-multiplier there is the computational
>effort it takes to negotiate a DH key exchange.
>
>For bonus points, call the voice auth service simultaneously and just
>sit on hold.

Did you just aid & abet?

Guess we're all about full disclosure here..? Except when it's not easy to fix, like DDOS's aren't.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From rdobbins at arbor.net Thu Dec 9 12:26:30 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 9 Dec 2010 18:26:30 +0000
Subject: [Operational] Internet Police
In-Reply-To:
References:
Message-ID: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net>

On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:

> "front lines of this "cyberwar"?

Warfare isn't the correct metaphor.

Espionage/covert action is the correct metaphor.

-----------------------------------------------------------------------
Roland Dobbins // 

Sell your computer and buy a guitar.
From michael at hmsjr.com Thu Dec 9 12:31:03 2010
From: michael at hmsjr.com (Michael Smith)
Date: Thu, 9 Dec 2010 13:31:03 -0500
Subject: [Operational] Internet Police
In-Reply-To: <4D011F14.80002@brightok.net>
References: <4D011F14.80002@brightok.net>
Message-ID:

How is "what to block" identified? ...by content key words? ..traffic profiles / signatures? Deny all, unless flow (addresses/protocol/port) is pre-approved / registered?

What does the technical solution look like?

Any solutions to maintain some semblance of freedom?

On Thu, Dec 9, 2010 at 1:25 PM, Jack Bates wrote:
>
>
> On 12/9/2010 12:19 PM, Michael Smith wrote:
>
>> So... if/when our
>> employers are unable to resist the US Govt's demand that we "join in the
>> national defense", wouldn't this community be the ones asked to guard the
>> border?
>>
>
> CALEA
>
> done
>

From ljakab at ac.upc.edu Thu Dec 9 12:31:43 2010
From: ljakab at ac.upc.edu (Loránd Jakab)
Date: Thu, 09 Dec 2010 19:31:43 +0100
Subject: Start accepting longer prefixes as IPv4 depletes?
In-Reply-To: <18B3F386-AE8D-4B78-8620-823B66AB44D8@muada.com>
References: <820DA442-E75E-4128-80B6-F09FF7DA84ED@muada.com> <18B3F386-AE8D-4B78-8620-823B66AB44D8@muada.com>
Message-ID: <4D01208F.3020606@ac.upc.edu>

On 12/08/2010 11:08 PM, Iljitsch van Beijnum wrote:
> On 8 dec 2010, at 20:10, Mohacsi Janos wrote:
>
>> Do you think adopting LISP or similar architectures to reduce the problems mentioned above?
[...]
> Do you lose initial packets when there is no mapping state yet?

Yes. But there are proposals to minimize the chances of that occurring, by pro-actively refreshing mappings in the local cache before their TTL expires, and warming up the cache with all entries of an upstream resolver (with a bulk cache transfer) at router boot time.
-Lorand Jakab

From michael at hmsjr.com Thu Dec 9 12:34:32 2010
From: michael at hmsjr.com (Michael Smith)
Date: Thu, 9 Dec 2010 13:34:32 -0500
Subject: Mastercard problems
In-Reply-To: <7+xlLtov6RANFAr6@perry.co.uk>
References: <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> <20101209180619.GA12061@reptiles.org> <7+xlLtov6RANFAr6@perry.co.uk>
Message-ID:

On Thu, Dec 9, 2010 at 1:23 PM, Roland Perry wrote:

> In article <20101209180619.GA12061 at reptiles.org>, Jim Mercer <
> jim at reptiles.org> writes
>
> "Please note: This book contains commentary and analysis regarding
>>> recent WikiLeaks disclosures, not the original material disclosed via
>>> the WikiLeaks website."
>>>
>>
>> i don't have a cache, but i'm pretty sure those comments were added after
>> i
>> posted.
>>
>
> I'm not trying to criticise the chronology; however if this book doesn't
> have the text of the cables, then it's worth people knowing that.
> --
> Roland Perry
>
>

I'm not as sure about that. Julian's writings imply that the specific data isn't as important as disrupting "conspiracies" ability to communicate privately. I want to see it all... the philosophy / objective, as well as the specific information... personally, I'm avoiding too many big conclusions and trying to take it all in...

From jbates at brightok.net Thu Dec 9 12:44:38 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 09 Dec 2010 12:44:38 -0600
Subject: [Operational] Internet Police
In-Reply-To:
References: <4D011F14.80002@brightok.net>
Message-ID: <4D012396.8040201@brightok.net>

On 12/9/2010 12:31 PM, Michael Smith wrote:
> How is "what to block" identified? ...by content key words? ..traffic
> profiles / signatures? Deny all, unless flow (addresses/protocol/port)
> is pre-approved / registered?
>

CALEA doesn't provide block. It provides full data dumps to the authorities.
It's up to them to analyze, prove illegality, and seek warrants. A single CALEA tap on a bot, for example, could provide the government with a bot controller, or with details of what a specific bot is doing. A tap on the controller itself could show the large number of bots and their location, or provide the next step in backtracking the connection to the person using the controller. On and On.

Is it ideal? No. Is it possible to do within current law, until it crosses international boundaries, but even then there is some amount of recourse.

The law is designed to track down and prosecute people, not stop malicious activity. In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security.

Jack

From ops.lists at gmail.com Thu Dec 9 12:49:36 2010
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 10 Dec 2010 00:19:36 +0530
Subject: [Operational] Internet Police
In-Reply-To:
References: <4D011F14.80002@brightok.net>
Message-ID:

Let's put it this way.

1. If you host government agencies, provide connectivity to say a nuclear power plant or an army base, or a bank or .. .. - you'd certainly work with your customers to meet their security requirements.

2. If you are a service provider serving up DSL - why then, there are some governments (say Australia) that have blacklists of child porn sites - and I think Interpol came up with something similar too. And yes there's CALEA and a few other such things .. not much more that's new.

Separating rhetoric and military metaphors will help you see this a lot more clearly. As will not dismissing the entire idea with contempt.

As a service provider for anything at all, you'll see your share of attacks.

Whether coordinated by 4chan or by comrade joe chan shouldn't really matter, except at the level where you work with law enforcement etc to coordinate a response that goes beyond the technical.
[And ALL responses to these are not going to restrict themselves to being solvable by technical means].

--srs

On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith wrote:
> How is "what to block" identified? ...by content key words? ..traffic
> profiles / signatures? Deny all, unless flow (addresses/protocol/port) is
> pre-approved / registered?
>
> What does the technical solution look like?
>
> Any solutions to maintain some semblance of freedom?
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From ops.lists at gmail.com Thu Dec 9 12:52:04 2010
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 10 Dec 2010 00:22:04 +0530
Subject: [Operational] Internet Police
In-Reply-To:
References: <4D011F14.80002@brightok.net>
Message-ID:

And if I ever find the genius who came up with the "we are not the internet police" meme ...

On Fri, Dec 10, 2010 at 12:19 AM, Suresh Ramasubramanian wrote:
> Let's put it this way.
>
> 1. If you host government agencies, provide connectivity to say a
> nuclear power plant or an army base, or a bank or .. .. - you'd
> certainly work with your customers to meet their security
> requirements.
>
> 2. If you are a service provider serving up DSL - why then, there are
> some governments (say Australia) that have blacklists of child porn
> sites - and I think Interpol came up with something similar too. And
> yes there's CALEA and a few other such things .. not much more that's
> new.
>
> Separating rhetoric and military metaphors will help you see this a
> lot more clearly. As will not dismissing the entire idea with
> contempt.
>
> As a service provider for anything at all, you'll see your share of attacks.
>
> Whether coordinated by 4chan or by comrade joe chan shouldn't really
> matter, except at the level where you work with law enforcement etc to
> coordinate a response that goes beyond the technical. [And ALL
> responses to these are not going to restrict themselves to being
> solvable by technical means].
>
> --srs
>
> On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith wrote:
>> How is "what to block" identified? ...by content key words? ..traffic
>> profiles / signatures? Deny all, unless flow (addresses/protocol/port) is
>> pre-approved / registered?
>>
>> What does the technical solution look like?
>>
>> Any solutions to maintain some semblance of freedom?
>>
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From mpetach at netflight.com Thu Dec 9 12:53:48 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Thu, 9 Dec 2010 10:53:48 -0800
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <20101209114545.GA23199@gsp.org>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <20101209114545.GA23199@gsp.org>
Message-ID:

On Thu, Dec 9, 2010 at 3:45 AM, Rich Kulawiec wrote:
> On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
>> ISPs are not the source. The source is Microsoft. The source is
>> their buggy OS that is easily compromised to enable the computers to
>> be taken over as part of the botnet.
>
> I often disagree vehemently with JC, but not this time.
>
> I've been studying bot-generated spam for most of the last decade, and to
> about 6 nine's, it's all been from Windows boxes. (The rest? A smattering
> of "indeterminate" and various 'nix systems including MacOS.)
>
> The botnet problem is a Microsoft problem.

OK. People took exception to my last message, as the data from it was 2 years old.
Here's data from 2010, which shows that the problem isn't the MSFT OS itself; it's the third-party apps that people happily double click on and install willy-nilly:

http://blogs.computerworld.com/16575/security_firm_says_apple_has_more_security_holes_than_anyone

(yes, you have to read past some apple bashing at the beginning; get past that, and you hit the real aspect, which is that the major security vulnerabilities exist in third party applications, rather than the OS itself.)

So, as much as I love Microsoft bashing as much as the next person (and the folks here know there's definite reasons why I'll usually be one of the first in line to bash them, when the situation calls for it), in this case, putting the thumbscrews to Microsoft isn't going to fix buggy Acrobat Reader software, and all those other third party apps that people use to exploit the platform.

> Now...whether the botnet problem will still be a Microsoft problem in 2015:
> can't say. Clearly attackers have plenty of reasons to attack other systems
> and in some cases, they'll be successful. But it appears that to date,
> the advantages they might accrue from owning a box running one of the
> superior operating systems are outweighed by the costs of the effort
> to do so. (With a few rare exceptions, of course.)

The sheer volume of bots may still be Windows boxes, yes; but that doesn't mean the initial vulnerability and exploit happened anywhere in the Microsoft code base. Look at how many vulnerabilities have been listed for Adobe Acrobat Reader, for example:

https://secunia.com/advisories/product/19237/

159 vulnerabilities in Adobe Reader, vs 69 in Windows 7:

https://secunia.com/advisories/product/27467/

> But you don't have to take my word for this. Turn on passive OS
> fingerprinting on your MX's and start recording data, including DNS
> and rDNS, putative sender, recipient, etc. Accumulate a couple
> years' worth and analyze.
>
> This is why some rather effective defensive techniques (not just for
> spam) can be constructed by differentiating traffic based on the
> operating system of the host originating that traffic.

Sure, there's more windows boxes out there than any other OS. But that doesn't mean the weakness and vulnerabilities being exploited are *part of the native OS*. If the OS is 100% bulletproof, but users are still installing insecure third party apps that are riddled with holes, you're still going to see more botnet machines with that OS fingerprint than any other, simply based on their overall percentage representation out of the total count of computers; but hammering on the OS vendor isn't going to do *anything* to slow down the rate of infection--there isn't anything more they can do.

So--as much as I dislike Microsoft, beating on them isn't the answer here. Tell people to stop installing buggy software like Adobe Acrobat Reader, and you'll get closer to stemming the tide of infections.

Matt

From michael.holstein at csuohio.edu Thu Dec 9 13:03:19 2010
From: michael.holstein at csuohio.edu (Michael Holstein)
Date: Thu, 09 Dec 2010 14:03:19 -0500
Subject: [Operational] Internet Police
In-Reply-To:
References:
Message-ID: <4D0127F7.70600@csuohio.edu>

> Obviously the environment is created by layers 8/9, but I'm interested in
> the layer 1-7 solutions that the community would consider/recommend.
>
>

BGP blackhole communities is a good way to push the problem upstream, assuming your provider will agree to it. In theory, that could also work on a larger scale, but it becomes a matter of trust (as has been discussed many times before .. "just because *you* say it's bad, doesn't make it so").
Cheers,

Michael Holstein
Cleveland State University

From randy at psg.com Thu Dec 9 13:12:41 2010
From: randy at psg.com (Randy Bush)
Date: Thu, 09 Dec 2010 11:12:41 -0800
Subject: [Operational] Internet Police
In-Reply-To:
References: <4D011F14.80002@brightok.net>
Message-ID:

> And if I ever find the genius who came up with the "we are not the
> internet police" meme ...

he died over a decade ago

From msmith at internap.com Thu Dec 9 13:13:04 2010
From: msmith at internap.com (Michael Smith)
Date: Thu, 9 Dec 2010 14:13:04 -0500
Subject: [Operational] Internet Police
Message-ID: <65C5927BEED3C2428307863DB5C6C6FB02810169@cx49.800onemail.com>

Was it the original IANA?

----- Original Message -----
From: Randy Bush
To: Suresh Ramasubramanian
Cc: North American Network Operators Group
Sent: Thu Dec 09 14:12:41 2010
Subject: Re: [Operational] Internet Police

> And if I ever find the genius who came up with the "we are not the
> internet police" meme ...

he died over a decade ago

From fred at cisco.com Thu Dec 9 13:22:31 2010
From: fred at cisco.com (Fred Baker)
Date: Thu, 9 Dec 2010 11:22:31 -0800
Subject: [Operational] Internet Police
In-Reply-To:
References:
Message-ID: <91509ED3-72F5-4AD6-8140-FCE3324C3FBD@cisco.com>

On Dec 9, 2010, at 10:19 AM, Michael Smith wrote:

> My question is what architectural recommendations will you make to your employer if/when the US Govt compels our employers to accept our role as the "front lines of this "cyberwar"?
>
> I figure once someone with a relevant degree of influence in the govts realizes that the "cyberwar" is between content/service controllers and eyeballs. With involuntary and voluntary botnets as the weapons of "the eyeballs", relying exclusively on a line of defense near to the content (services) leaves a great expanse of "battlefield". I would expect the content/service controllers to look for means to move the battleline as close to the eyeballs as possible (this community) So...
if/when our employers are unable to resist the US Govt's demand that we "join in the national defense", wouldn't this community be the ones asked to guard the border?
>
> Assuming the govt won't send federal agents into each of our NOCs, won't our employers ask us "what can we do?"
>
> If inspecting and correlating every single packet/flow for attack signatures is not feasible (on scale), are there name/address registration/resolution measures that could effectively lock-down the edge? ...will we look toward China/Saudi Arabia/etc for lessons learned in their 'great firewalls' to develop a distributed version where central control pushes policy out to the edge (into the private networks that currently provide the dreaded "low barrier for entry")?
>
> Obviously the environment is created by layers 8/9, but I'm interested in the layer 1-7 solutions that the community would consider/recommend.
>
> -Michael

In my ever-so-humble opinion, this is not primarily about copyrighted material; it is primarily about content control. Go to any country in the world; they have something they wish wasn't available on the net. It might be child pornography, pornography in general by some definition of that term or lack thereof, journalist reports regarding their country or certain events in their country, paparazzi photos of their leaders or their consorts, or comments or comics featuring important religious figures or violating local social norms (did you know that DSLRs are illegal in Kuwait unless one is a registered journalist?). The UN Al Qua'da Task Force would like to block all files that originate from Al Qua'da. During the US 2004 presidential elections, one of the candidates suggested using CleanFeed to suppress information about dog racing. It might be COICA, HADOPI, or some municipal court judge who has no idea what he is asking but makes a decree that should go away.
They are all, at the end of the day, talking about the same thing: "we don't care what other countries or other people think; in our country, should not be available on the Internet." Which is to say that they think that they should be in control of some bit of content. Content control, which they might well decry when others do it and respond very poorly when you point out their own actions.

I would note that in many cases similar laws already exist in the various countries' legal systems. For some reason, rather than enforcing the existing law of the land, they feel compelled to make a new law that is specific to the Internet. I asked a lawyer advocating yet another such a law about this once, trying to find out why she thought that was necessary. Her response was that the existing law of the land had been found in court after court and jurisdiction over jurisdiction to be unimplementable and unenforceable; a certain famous statement about the definition of obscenity comes to mind, and very appropriately. "If I have the law, it gives me one more chance to argue the case in court". A case she freely admitted that she would very likely lose.

If your boss comes to you and asks you to be part of it, my suggestion (I am not a lawyer, and this is not legal advice) would be to first ask him whether he has a court order. If you are obligated to comply, you are obligated to comply. But in any event, I would suggest that he read http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804038.html. I suspect we will be reading similar articles about some 70 sites that have been taken down recently, and in some cases they may take whoever-did-it to court and win a judgement. The Internet routes around failure, and people who think they can control content are notorious for failing. That's not a political viewpoint; some of those things that folks would like to go away probably should.
From a very pragmatic and practical perspective, any technical mechanism that has been proposed is trivially defeated. The first implementers of DKIM were the spammers. What does CleanFeed do with https or encrypted BitTorrent? DNS Blocking is very interesting in a DNSSEC world, and is trivially overcome by purchasing a name in another TLD - or a thousand of them. Null routes block access to specific addresses; move the content, and the null route is a waste of bits. Look at how successful we have been in erasing botnets from our memory, or viruses, or spam.

The way to address these things is not to childishly wish there was a magic silver bullet that would make the problem go away. If it's against the law, and in most cases the content that folks want to control is, go arrest the guy. That's not to say that you couldn't use technologies like CleanFeed or Lawful Intercept, if you use them lawfully, to gather forensic evidence. But that's a far cry from pretending to make the content go away.

From mikea at mikea.ath.cx Thu Dec 9 13:23:32 2010
From: mikea at mikea.ath.cx (mikea)
Date: Thu, 9 Dec 2010 13:23:32 -0600
Subject: [Operational] Internet Police
In-Reply-To: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net>
Message-ID: <20101209192332.GB80848@mikea.ath.cx>

On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote:
> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
> > "front lines of this "cyberwar"?
> Warfare isn't the correct metaphor.
> Espionage/covert action is the correct metaphor.

"Low intensity conflict" may be more correct.

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From Valdis.Kletnieks at vt.edu Thu Dec 9 13:24:42 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 09 Dec 2010 14:24:42 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: Your message of "Thu, 09 Dec 2010 06:45:45 EST."
<20101209114545.GA23199@gsp.org>
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <20101209114545.GA23199@gsp.org>
Message-ID: <12779.1291922682@localhost>

On Thu, 09 Dec 2010 06:45:45 EST, Rich Kulawiec said:
> I've been studying bot-generated spam for most of the last decade, and to
> about 6 nine's, it's all been from Windows boxes. (The rest? A smattering
> of "indeterminate" and various 'nix systems including MacOS.)
>
> The botnet problem is a Microsoft problem.

If it's a Flash exploit, and the miscreants only do a Windows version because that gets them 85% of the targets and they feel the effort of creating a Mac/Linux version isn't worth the incremental 15%, then you'll only see hits from Windows boxes. But how does that make it a Microsoft problem?

You don't see spam from many Linux boxes because there aren't enough Linux boxes to make it cost-effective to develop malware for. If you need 5,000 bots, it's easier to find 5,000 Windows targets than finding 5,000 Linux targets. And the reason you don't see worms that target Z/OS or VMS or Irix isn't because of their inherent security.

The only way you'll get it to be a non-Microsoft problem is by changing the playing field enough so that OSX and Linux and others have enough market share that targeting just Windows is a losing strategy. Good luck with that.

Meanwhile, ponder what I mentioned in a previous mail - Windows is *already* close to "as secure as you can sell to an end user". Consider these Google results for SELinux:

SELinux howto - about 96,900 results
SELInux disable - about 178,000 results
SELinux turn off - about 199,000 results

It's pretty obvious that there is a point where most users won't put up with the inconvenience of security, and SELinux is already on the far side of it, even for the probably-more-technical users of Linux.
How are you going to sell similar hardening to Joe Sixpack, given that most of the hardening will result in either additional "are you sure?" pop-ups or breakage of things they bought the computer to do? The first time a user gets fragged in WoW or other game because the security threw up a pop-up at an inopportune time, that user *will* look for a way to turn the security off.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From dhubbard at dino.hostasaurus.com Thu Dec 9 13:27:13 2010
From: dhubbard at dino.hostasaurus.com (David Hubbard)
Date: Thu, 9 Dec 2010 14:27:13 -0500
Subject: Level3/Comcast routing question (not related to the peering dispute)
Message-ID:

Customers of ours on Comcast are experiencing poor throughput to us when whatever location they're at takes a route to us via Level 3; Level 3 being one of our upstreams. I've set a community of 65004:7922 which is supposed to tell Level 3 to prepend four times to Comcast for our AS but the only route server I know of in comcast land (route-server.newyork.ny.ibone.comcast.net) is not showing the prepend. Is there another way for me to determine if Level 3 is really doing the prepend other than opening a ticket and asking them? I did try http://www.level3.com/LookingGlass/ and plugged in one of our IP's and see "Prepend_4_to_AS7922" so could they be prepending and comcast overriding or ignoring it? We have peering with another provider that's directly connected with comcast so I'd like to have traffic from them use that one instead.
Thanks, David From cmadams at hiwaay.net Thu Dec 9 13:59:16 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 9 Dec 2010 13:59:16 -0600 Subject: [Operational] Internet Police In-Reply-To: <91509ED3-72F5-4AD6-8140-FCE3324C3FBD@cisco.com> References: <91509ED3-72F5-4AD6-8140-FCE3324C3FBD@cisco.com> Message-ID: <20101209195916.GE29478@hiwaay.net> Once upon a time, Fred Baker said: > did you know that DSLRs are illegal in Kuwait unless one is a registered journalist? Did you know that they are not? http://thenextweb.com/me/2010/11/30/kuwait-dslr-ban-does-not-exist-after-all/ This is like the people attacking EasyDNS because they took wikileaks.org down. Oops, except it wasn't, it was EveryDNS. I read it on the Internet so it must be true! -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From drc at virtualized.org Thu Dec 9 14:03:26 2010 From: drc at virtualized.org (David Conrad) Date: Thu, 9 Dec 2010 12:03:26 -0800 Subject: [Operational] Internet Police In-Reply-To: <4D012396.8040201@brightok.net> References: <4D011F14.80002@brightok.net> <4D012396.8040201@brightok.net> Message-ID: On Dec 9, 2010, at 10:44 AM, Jack Bates wrote: > [CALEA] is designed to track down and prosecute people, not stop malicious activity. Right. > In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security. Or, more relevant to NANOG, see COICA (http://www.gpo.gov/fdsys/pkg/BILLS-111s3804rs/pdf/BILLS-111s3804rs.pdf). 
Regards, -drc From fm-lists at st-kilda.org Thu Dec 9 15:28:04 2010 From: fm-lists at st-kilda.org (Fearghas McKay) Date: Thu, 9 Dec 2010 21:28:04 +0000 Subject: Mastercard problems In-Reply-To: <20101209180619.GA12061@reptiles.org> References: <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> <20101209162936.GA9891@reptiles.org> <20101209180619.GA12061@reptiles.org> Message-ID: <08D86EEF-CF8E-47B2-B78D-942358CEABE4@st-kilda.org> On 9 Dec 2010, at 18:06, Jim Mercer wrote: > i don't have a cache, but i'm pretty sure those comments were added after i > posted. The new words are: -=--=- Looking for something? We're sorry. The Web address you entered is not a functioning page on our site Go to Amazon.com's Home Page -=-=- f From andrew.wallace at rocketmail.com Thu Dec 9 15:43:42 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Thu, 9 Dec 2010 13:43:42 -0800 (PST) Subject: Mastercard problems Message-ID: <427762.87638.qm@web59607.mail.ac4.yahoo.com> Dutch authorities have arrested a 16-year old "hacker" in connection with Mastercard. http://news.cnet.com/8301-31921_3-20025215-281.html Andrew From peter at peter-dambier.de Thu Dec 9 16:30:38 2010 From: peter at peter-dambier.de (Peter Dambier) Date: Thu, 09 Dec 2010 23:30:38 +0100 Subject: non operational question related to IP In-Reply-To: <0A3857A2-B215-4592-A288-A534D460CEE7@oicr.on.ca> References: <0A3857A2-B215-4592-A288-A534D460CEE7@oicr.on.ca> Message-ID: <4D01588E.2090907@peter-dambier.de> Mostly the input is done by a library implementing the Posix version of fprintf or fscanf.

10   = 10, 0xa, 012
010  = 8, 0x8, 010
0x10 = 16, 0x10, 020

and there are others.
google( fscanf ) Mostly everything understands fscanf syntax. Cheers Peter

Greg Whynott wrote:
> i was pinging a host from a windows machine and made a typo which seemed harmless. the end result was it interpreted my input differently than what I had intended. thinking this was a m$ issue I quickly took the opportunity to poke fun at windows as the senior m$ admin was near by.
>
> "look at how brain dead this os is, it can't even do simple math!"
>
> He is now looking at my screen scratching his head...
>
> "watch, i'll open a shell on os x and show you how it can add 0 +10"
>
> I open a shell on os x, same behavior as windows.
>
> " ok so apple is brain dead too, watch, it'll work on linux!"
>
> same deal?
>
> long story short, it does work as expected on all our hardware routing gear. still not sure what is happening here?
>
> osx-gwhynott:~ gwhynott$ ping 10.010.10.1
> PING 10.010.10.1 (10.8.10.1): 56 data bytes
>
> gwhynott at ops:~$ ping 10.010.10.1
> PING 10.010.10.1 (10.8.10.1) 56(84) bytes of data.
>
> CORE1>ping 10.010.10.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> !!!!!
>
> anyone happen to know how the OS's are interpreting the 010? doesn't appear work out in base[2-10] (1010,101,22,20,14,13,12,11,10,A)
>
> thanks!
>
> greg
>
> --
>
> This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
> -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter at peter-dambier.de http://www.peter-dambier.de/ http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ ULA= fd80:4ce1:c66a::/48 From andrew.wallace at rocketmail.com Thu Dec 9 17:14:16 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Thu, 9 Dec 2010 15:14:16 -0800 (PST) Subject: Mastercard problems Message-ID: <476364.37472.qm@web59605.mail.ac4.yahoo.com> It was a quick arrest wasn't it? ----- Original Message ----- From:Michael Smith To:andrew.wallace Cc: Sent:Thursday, 9 December 2010, 21:49:16 Subject:RE: Mastercard problems 1 down, 3896 to go... :) -----Original Message----- From: andrew.wallace [mailto:andrew.wallace at rocketmail.com] Sent: Thursday, December 09, 2010 4:44 PM To: nanog at nanog.org Subject: Re: Mastercard problems Dutch authorities have arrested a 16-year old "hacker" in connection with Mastercard. http://news.cnet.com/8301-31921_3-20025215-281.html Andrew From msmith at internap.com Thu Dec 9 17:16:22 2010 From: msmith at internap.com (Michael Smith) Date: Thu, 9 Dec 2010 18:16:22 -0500 Subject: Mastercard problems Message-ID: <65C5927BEED3C2428307863DB5C6C6FB0281016E@cx49.800onemail.com> Exactly... Rounding up script kiddies one at a time is a pretty serious deterrent ;). I'm sure the bot-masters are quaking in their boots... :) ----- Original Message ----- From: andrew.wallace To: Michael Smith Cc: nanog at nanog.org Sent: Thu Dec 09 18:14:16 2010 Subject: Re: Mastercard problems It was a quick arrest wasn't it? ----- Original Message ----- From:Michael Smith To:andrew.wallace Cc: Sent:Thursday, 9 December 2010, 21:49:16 Subject:RE: Mastercard problems 1 down, 3896 to go... 
:) -----Original Message----- From: andrew.wallace [mailto:andrew.wallace at rocketmail.com] Sent: Thursday, December 09, 2010 4:44 PM To: nanog at nanog.org Subject: Re: Mastercard problems Dutch authorities have arrested a 16-year old "hacker" in connection with Mastercard. http://news.cnet.com/8301-31921_3-20025215-281.html Andrew From brandon.kim at brandontek.com Thu Dec 9 18:24:03 2010 From: brandon.kim at brandontek.com (Brandon Kim) Date: Thu, 9 Dec 2010 19:24:03 -0500 Subject: Windows Encryption Software Message-ID: Hey guys: This is most definitely OT so please contact me off list. (don't want to annoy anyone) I come to you all because of all your wisdom. =) I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files on the harddrive. I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party apps seem to do a better job than what Microsoft gives you. Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data... Thoughts?? Brandon From jmenerick at netsuite.com Thu Dec 9 18:27:05 2010 From: jmenerick at netsuite.com (John Menerick) Date: Thu, 9 Dec 2010 16:27:05 -0800 Subject: Windows Encryption Software In-Reply-To: References: Message-ID: <4D0173D9.80706@netsuite.com> Truecrypt John Menerick On 12/9/2010 4:24 PM, Brandon Kim wrote: > Hey guys: > > This is most definitely OT so please contact me off list. (don't want to annoy anyone) > > I come to you all because of all your wisdom. =) > > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone > decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files > on the harddrive. 
> > I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party > apps seem to do a better job than what Microsoft gives you. > > Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data... > > > Thoughts?? > > Brandon > NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service. From brandon.kim at brandontek.com Thu Dec 9 18:55:32 2010 From: brandon.kim at brandontek.com (Brandon Kim) Date: Thu, 9 Dec 2010 19:55:32 -0500 Subject: Windows Encryption Software In-Reply-To: <4D0173D9.80706@netsuite.com> References: , <4D0173D9.80706@netsuite.com> Message-ID: Wow, sounds like TrueCrypt it is.....not a single other app was suggested!!! Thank you gentlemen! > Date: Thu, 9 Dec 2010 16:27:05 -0800 > From: jmenerick at netsuite.com > To: nanog at nanog.org > Subject: Re: Windows Encryption Software > > Truecrypt > > John Menerick > > On 12/9/2010 4:24 PM, Brandon Kim wrote: > > Hey guys: > > > > This is most definitely OT so please contact me off list. (don't want to annoy anyone) > > > > I come to you all because of all your wisdom. =) > > > > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone > > decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files > > on the harddrive. 
> > > > I know windows has bitlocker, but I don't know if that is available for Win2003? And it always seems like 3rd party > > apps seem to do a better job than what Microsoft gives you. > > > > Encryption needs to be done on the fly so if at anytime the harddrive is stolen, there's no way to read the data... > > > > > > Thoughts?? > > > > Brandon > > > > > NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose. Any improper use or distribution is prohibited. If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information. Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service. > From ops.lists at gmail.com Thu Dec 9 18:59:27 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 10 Dec 2010 06:29:27 +0530 Subject: [Operational] Internet Police In-Reply-To: References: <4D011F14.80002@brightok.net> Message-ID: On Fri, Dec 10, 2010 at 12:42 AM, Randy Bush wrote: >> And if I ever find the genius who came up with the "we are not the >> internet police" meme ... > > he died over a decade ago All due respect to him, but I didnt want to kick his teeth in or anything, merely ask if he'd like to reconsider it, given the new security threats we all face that have outdated that meme. 
-- Suresh Ramasubramanian (ops.lists at gmail.com) From bill at herrin.us Thu Dec 9 19:20:40 2010 From: bill at herrin.us (William Herrin) Date: Thu, 9 Dec 2010 20:20:40 -0500 Subject: Windows Encryption Software In-Reply-To: References: Message-ID: On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim wrote: > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone > decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files > on the harddrive. Save yourself some grief and buy a self-encrypting disk (SED) instead. OS transparent so you won't have the endemic problems with oops it no longer boots and I can't just boot a live cd and access my business critical data. -Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From ops.lists at gmail.com Thu Dec 9 19:28:50 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 10 Dec 2010 06:58:50 +0530 Subject: Windows Encryption Software In-Reply-To: References: <4D0173D9.80706@netsuite.com> Message-ID: On Fri, Dec 10, 2010 at 6:25 AM, Brandon Kim wrote: > > Wow, sounds like TrueCrypt it is.....not a single other app was suggested!!! > > Thank you gentlemen! > There's also PGP WDE (Whole Disk Encryption) -- Suresh Ramasubramanian (ops.lists at gmail.com) From rs at seastrom.com Thu Dec 9 21:01:37 2010 From: rs at seastrom.com (Robert E.
Seastrom) Date: Thu, 09 Dec 2010 22:01:37 -0500 Subject: [Operational] Internet Police In-Reply-To: <20101209192332.GB80848@mikea.ath.cx> (mikea@mikea.ath.cx's message of "Thu, 9 Dec 2010 13:23:32 -0600") References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <20101209192332.GB80848@mikea.ath.cx> Message-ID: <86y67ymium.fsf@seastrom.com> mikea writes: > On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote: > >> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote: > >> > "front lines of this "cyberwar"? > >> Warfare isn't the correct metaphor. > >> Espionage/covert action is the correct metaphor. > > "Low intensity conflict" may be more correct. For the past several years I've felt that "cyber-intifada" was the proper trope, but so far it has failed to grow legs. -r From joelja at bogus.com Thu Dec 9 23:26:55 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Thu, 09 Dec 2010 21:26:55 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> Message-ID: <4D01BA1F.8090007@bogus.com> On 12/6/10 5:35 AM, Jeff Johnstone wrote: > > Speaking of IPV6 security, is there any movement towards any open source > IPV6 firewall solutions for the consumer / small business? > > Almost all the info I've managed to find to date indicates no support, nor > any planned support in upcoming releases. > > Any info would be helpful. monowall and openwrt (both for embedded routers) support v6 without drama.
> cheers > Jeff > From gbonser at seven.com Thu Dec 9 23:39:23 2010 From: gbonser at seven.com (George Bonser) Date: Thu, 9 Dec 2010 21:39:23 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <4D01BA1F.8090007@bogus.com> References: <4CFB09C2.5090905@amplex.net><20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <4D01BA1F.8090007@bogus.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE41@RWC-EX1.corp.seven.com> > > Speaking of IPV6 security, is there any movement towards any open > source > > IPV6 firewall solutions for the consumer / small business? > > > > Almost all the info I've managed to find to date indicates no > support, nor > > any planned support in upcoming releases. > > > > Any info would be helpful. > > monowall and openwrt (both for embedded routers support v6 without > drama. I believe Shorewall does too, now. From wschultz at bsdboy.com Thu Dec 9 23:52:41 2010 From: wschultz at bsdboy.com (Wil Schultz) Date: Thu, 9 Dec 2010 21:52:41 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE41@RWC-EX1.corp.seven.com> References: <4CFB09C2.5090905@amplex.net><20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <4D01BA1F.8090007@bogus.com> <5A6D953473350C4B9995546AFE9939EE0B14CE41@RWC-EX1.corp.seven.com> Message-ID: <0908B861-9D71-4AE6-B727-D4C5DFA5F209@bsdboy.com> On Dec 9, 2010, at 9:39 PM, George Bonser wrote: > > >>> Speaking of IPV6 security, is there any movement towards any open >> source >>> IPV6 firewall solutions for the consumer / small business? >>> >>> Almost all the info I've managed to find to date indicates no >> support, nor >>> any planned support in upcoming releases. >>> >>> Any info would be helpful. >> >> monowall and openwrt (both for embedded routers support v6 without >> drama. > > I believe Shorewall does too, now. > > > FreeBSD w/ PF seems to work great as well. 
:-) -wil From rdobbins at arbor.net Fri Dec 10 00:07:47 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Fri, 10 Dec 2010 06:07:47 +0000 Subject: [Operational] Internet Police In-Reply-To: <86y67ymium.fsf@seastrom.com> References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <20101209192332.GB80848@mikea.ath.cx> <86y67ymium.fsf@seastrom.com> Message-ID: On Dec 10, 2010, at 10:01 AM, Robert E. Seastrom wrote: > "cyber-intifada" was the proper trope, but so far it has failed to grow legs. The problem is that non-ironic use of the appellation 'cyber-' is generally inversely proportional to actual clue, so it should be avoided at all costs. ;> ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From woody at pch.net Fri Dec 10 00:13:15 2010 From: woody at pch.net (Bill Woodcock) Date: Thu, 9 Dec 2010 22:13:15 -0800 Subject: [Operational] Internet Police In-Reply-To: <86y67ymium.fsf@seastrom.com> References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <20101209192332.GB80848@mikea.ath.cx> <86y67ymium.fsf@seastrom.com> Message-ID: Butlerian Jihad. -Bill On Dec 9, 2010, at 19:02, "Robert E. Seastrom" wrote: > > mikea writes: > >> On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote: >> >>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote: >> >>>> "front lines of this "cyberwar"? >> >>> Warfare isn't the correct metaphor. >> >>> Espionage/covert action is the correct metaphor. >> >> "Low intensity conflict" may be more correct. > > For the past several years I've felt that "cyber-intifada" was the > proper trope, but so far it has failed to grow legs. 
> > -r > > From pete at altadena.net Fri Dec 10 00:28:55 2010 From: pete at altadena.net (Pete Carah) Date: Fri, 10 Dec 2010 01:28:55 -0500 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <0908B861-9D71-4AE6-B727-D4C5DFA5F209@bsdboy.com> References: <4CFB09C2.5090905@amplex.net><20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <4D01BA1F.8090007@bogus.com> <5A6D953473350C4B9995546AFE9939EE0B14CE41@RWC-EX1.corp.seven.com> <0908B861-9D71-4AE6-B727-D4C5DFA5F209@bsdboy.com> Message-ID: <4D01C8A7.7040909@altadena.net> On 12/10/2010 12:52 AM, Wil Schultz wrote: > On Dec 9, 2010, at 9:39 PM, George Bonser wrote: > >> >>>> Speaking of IPV6 security, is there any movement towards any open >>> source >>>> IPV6 firewall solutions for the consumer / small business? >>>> >>>> Almost all the info I've managed to find to date indicates no >>> support, nor >>>> any planned support in upcoming releases. >>>> >>>> Any info would be helpful. >>> monowall and openwrt (both for embedded routers support v6 without >>> drama. >> I believe Shorewall does too, now. >> >> >> > FreeBSD w/ PF seems to work great as well. :-) I'll second that; for 8-12 mbit with no vlans it even runs fine on a Soekris 4801 (I have 2 4801's and a 5500 (which has a fairly complicated internal vlan-based network and a 20meg external connection) doing normal nat + HE tunnel to native v6 internally. Since my boss got win7 going there is plenty of exercise for the v6 path. I suspect the OP wants a consumer-level gui though, which plain fbsd doesn't do, and there are some tricky parts to v6 pf configuration to handle ra and ndp (which I hope will get documented someday - 2 extra pass rules that you wouldn't expect to need). 
One of these days we will get native v6 coming in (hint, comcast :-) -- Pete > -wil From progamler-nanog at free.de Fri Dec 10 02:04:00 2010 From: progamler-nanog at free.de (Jan-Philipp Warmers) Date: Fri, 10 Dec 2010 09:04:00 +0100 Subject: Windows Encryption Software In-Reply-To: References: Message-ID: <20101210080400.GA22585@progamler@free.de> Brandon Kim wrote on 2010-12-09T19:24-0500: > > Hey guys: [snip] > > I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone > decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files > on the harddrive. We are using Sophos; it's encryption for business with central keyserver etc. Jan From thomas at habets.pp.se Fri Dec 10 02:15:32 2010 From: thomas at habets.pp.se (Thomas Habets) Date: Fri, 10 Dec 2010 09:15:32 +0100 (CET) Subject: non operational question related to IP In-Reply-To: <0A3857A2-B215-4592-A288-A534D460CEE7@oicr.on.ca> References: <0A3857A2-B215-4592-A288-A534D460CEE7@oicr.on.ca> Message-ID: On Mon, 22 Nov 2010, Greg Whynott wrote: > osx-gwhynott:~ gwhynott$ ping 10.010.10.1 > PING 10.010.10.1 (10.8.10.1): 56 data bytes You're entering land of weird, misdocumentation and bugs. http://seclists.org/nanog/2010/Feb/285 --------- typedef struct me_s { char name[] = { "Thomas Habets" }; char email[] = { "thomas at habets.pp.se" }; char kernel[] = { "Linux" }; char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" }; char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" }; char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" }; } me_t; From bonomi at mail.r-bonomi.com Fri Dec 10 05:30:46 2010 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Fri, 10 Dec 2010 05:30:46 -0600 (CST) Subject: Start accepting longer prefixes as IPv4 depletes?
Message-ID: <201012101130.oBABUkcp008409@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Wed Dec 8 15:36:44 2010 > Date: Wed, 08 Dec 2010 15:34:47 -0600 > From: Jack Bates > To: David Conrad > Subject: Re: Start accepting longer prefixes as IPv4 depletes? > Cc: NANOG list > > On 12/8/2010 3:12 PM, David Conrad wrote: > > Cameron, > > > > On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote: > >> I believe a lot of folks think the routing paths should be tightly > >> coupled with the physical topology. > > > > The downside, of course, being that if you change your location > > within the physical topology, you have to renumber. Enterprises have > > already voted with their feet that this isn't acceptable with IPv4 > > and they'll no doubt do the same with IPv6. > > > >> In a mature IPv6 world, that is sane, i am not sure what the real > >> value of LISP is. > > > > Sanity is in the eye of the beholder. The advantage a LISP(-like) > > scheme provides is a way of separating location from identity, > > allowing for arbitrary topology change (and complexity in the form of > > multi-homing) without affecting the identities of the systems on the > > network. Changing providers or multi-homing would thus not result in > > a renumbering event or pushing yet another prefix into the DFZ. > > > > I think the issue, and correct me if I'm wrong, is that LISP does not > address issues of traffic engineering? A lot of the additional routes in > DFZ are there specifically to handle traffic engineering. The primary thing that a LISP-like approach accomplishes is the 'de-coupling" of infrastructure and leaf networks. You can mess with either one, w/o having any effect on the other. 
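An added example for the "non operational question related to IP" thread earlier in this digest (Greg Whynott's `ping 10.010.10.1`, Peter Dambier's octal/hex table and Thomas Habets' reply). This is my code, not anything posted by those participants. It emulates the classic BSD `inet_aton(3)` component rules that Peter's table describes (a leading `0` means octal, `0x` means hex, and a string with fewer than four components fills the remaining low-order bits from the last one) and puts that parser next to two others: a plain-decimal one that reads `010` as ten, which is the behaviour the CORE1 router output in the thread shows, and a strict one that refuses leading zeros outright. The router's parser is only known from that single observation and nothing more is claimed about it. The security point is the disagreement itself: a host allow-list that validates a string with one parser and then hands it to a library using another can end up connecting to an address it never checked.

```python
"""Three ways to read a dotted IPv4 string, and where they disagree.

Added example, not code from the thread. parse_bsd() emulates the
inet_aton(3) rules of 4.2BSD/glibc; parse_decimal() reads every
component as base 10 (the behaviour the router in the thread showed);
parse_strict() is the hardened form that refuses anything but four
plain decimal octets.
"""
from typing import Dict, Optional

_DIGITS = {8: "01234567", 10: "0123456789", 16: "0123456789abcdefABCDEF"}


def _bsd_component(tok: str) -> Optional[int]:
    """One component under inet_aton rules: 0x => hex, leading 0 => octal."""
    if tok[:2].lower() == "0x":
        digits, base = tok[2:], 16
    elif len(tok) > 1 and tok[0] == "0":
        digits, base = tok[1:], 8
    else:
        digits, base = tok, 10
    if not digits:
        return 0 if base == 16 else None  # glibc reads a bare "0x" as 0
    if any(c not in _DIGITS[base] for c in digits):
        return None  # e.g. "08": '8' is not an octal digit, inet_aton fails
    return int(digits, base)


def _to_dotted(addr: int) -> str:
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_bsd(text: str) -> Optional[str]:
    """Emulate inet_aton(3): one to four components; the last one absorbs
    the remaining bits, so "10.1" and "167772161" are both 10.0.0.1."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_bsd_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    last_bits = 32 - 8 * len(head)
    if last >= 1 << last_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return _to_dotted((addr << last_bits) | last)


def parse_decimal(text: str) -> Optional[str]:
    """Four components, each read as base 10 whatever its leading zeros."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    values = []
    for p in parts:
        if not p or any(c not in _DIGITS[10] for c in p):
            return None
        values.append(int(p))
    if any(v > 0xFF for v in values):
        return None
    return ".".join(str(v) for v in values)


def parse_strict(text: str) -> Optional[str]:
    """Hardened form: four plain decimal octets, no leading zeros, no hex."""
    result = parse_decimal(text)
    if result is None:
        return None
    if any(len(p) > 1 and p[0] == "0" for p in text.split(".")):
        return None
    return result


def differential(text: str) -> Dict[str, Optional[str]]:
    """Run all three parsers so a disagreement is visible at a glance."""
    return {"bsd": parse_bsd(text), "decimal": parse_decimal(text), "strict": parse_strict(text)}


if __name__ == "__main__":
    for sample in ("10.010.10.1", "0xa.012.010.1", "10.10.10", "167772161", "10.10.10.1"):
        print(f"{sample:>14}  {differential(sample)}")
```

Running it shows the thread's own case: `10.010.10.1` is `10.8.10.1` to the BSD rules, `10.10.10.1` to the decimal reader, and rejected by the strict one. Recent versions of Python's `ipaddress` module reject leading zeros for exactly this reason; if an address has to cross a trust boundary, canonicalise it to the dotted-quad string first (the `_to_dotted` output here) and pass only that along.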
From lists at internetpolicyagency.com Fri Dec 10 05:53:11 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 10 Dec 2010 11:53:11 +0000 Subject: Mastercard problems In-Reply-To: <476364.37472.qm@web59605.mail.ac4.yahoo.com> References: <476364.37472.qm@web59605.mail.ac4.yahoo.com> Message-ID: In article <476364.37472.qm at web59605.mail.ac4.yahoo.com>, andrew.wallace writes >>Dutch authorities have arrested a 16-year old "hacker" in connection >>with Mastercard. >> >>http://news.cnet.com/8301-31921_3-20025215-281.html >It was a quick arrest wasn't it? Dutch authorities have a slight advantage because ISPs have to send them subscriber details every night. So (within the limitations of specific anonymising techniques by users) they 'know where everyone lives'. -- Roland Perry From jco at direwolf.com Fri Dec 10 07:12:20 2010 From: jco at direwolf.com (John Orthoefer) Date: Fri, 10 Dec 2010 08:12:20 -0500 Subject: Windows Encryption Software In-Reply-To: References: Message-ID: I've been using these and they work great as long as you are using BIOS boot, they don't work with out additional software, with the Mac EFI boot. Johno On Dec 9, 2010, at 20:20, William Herrin wrote: > On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim wrote: >> I want to know if there's software out there that will encrypt files on win2k3, winxp, win7, so that if someone >> decides to steal the computer and plug the harddrive into a USB external case, they won't be able to read the files >> on the harddrive. > > Save yourself some grief and buy a self-encrypting disk (SED) instead. > OS transparent so you won't have the endemic problems with oops it no > longer boots and I can't just boot a live cd and access my business > critical data. > > -Bill > > > -- > William D. Herrin ................ herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. ...................... 
Web: > Falls Church, VA 22042-3004 > From fw at deneb.enyo.de Fri Dec 10 07:21:19 2010 From: fw at deneb.enyo.de (Florian Weimer) Date: Fri, 10 Dec 2010 14:21:19 +0100 Subject: Windows Encryption Software In-Reply-To: (Brandon Kim's message of "Thu, 9 Dec 2010 19:24:03 -0500") References: Message-ID: <87zksdbw6o.fsf@mid.deneb.enyo.de> * Brandon Kim: > I know windows has bitlocker, but I don't know if that is available > for Win2003? I believe EFS is available in Windows XP and Windows 2003 Server, too. Software-based solutions have the advantage that they are somewhat more testable and reviewable. If it's all in the disk, you can't really be sure that the data is encrypted with a static key, and the passphrase is used for access control only. The latter approach seems to be somewhat common with encrypting storage devices, unfortunately. From cmaurand at xyonet.com Fri Dec 10 07:29:20 2010 From: cmaurand at xyonet.com (Curtis Maurand) Date: Fri, 10 Dec 2010 08:29:20 -0500 Subject: Windows Encryption Software In-Reply-To: <87zksdbw6o.fsf@mid.deneb.enyo.de> References: <87zksdbw6o.fsf@mid.deneb.enyo.de> Message-ID: <4D022B30.5020709@xyonet.com> On 12/10/2010 8:21 AM, Florian Weimer wrote: > I believe EFS is available in Windows XP and Windows 2003 Server, too. > > Software-based solutions have the advantage that they are somewhat > more testable and reviewable. If it's all in the disk, you can't > really be sure that the data is encrypted with a static key, and the > passphrase is used for access control only. The latter approach seems > to be somewhat common with encrypting storage devices, unfortunately. > After some research, I find that recovery of EFS (available for Win 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be problematic. It has to do with keys, file ownerships, etc., etc., etc. Plan for disaster and know how to recover before you encrypt with EFS. 
--Curtis From jmamodio at gmail.com Fri Dec 10 07:50:40 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Fri, 10 Dec 2010 07:50:40 -0600 Subject: [Operational] Internet Police In-Reply-To: References: <4D011F14.80002@brightok.net> Message-ID: On Thu, Dec 9, 2010 at 1:12 PM, Randy Bush wrote: >> And if I ever find the genius who came up with the "we are not the >> internet police" meme ... > > he died over a decade ago He also said "The Internet works because a lot of people cooperate to do things together" Remove the "together" and there is no Internet. -J From michael.holstein at csuohio.edu Fri Dec 10 08:33:24 2010 From: michael.holstein at csuohio.edu (Michael Holstein) Date: Fri, 10 Dec 2010 09:33:24 -0500 Subject: Windows Encryption Software In-Reply-To: <4D022B30.5020709@xyonet.com> References: <87zksdbw6o.fsf@mid.deneb.enyo.de> <4D022B30.5020709@xyonet.com> Message-ID: <4D023A34.1050708@csuohio.edu> > After some research, I find that recovery of EFS (available for Win > 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be > problematic. It has to do with keys, file ownerships, etc., etc., > etc. Plan for disaster and know how to recover before you encrypt > with EFS. This is an interesting point .. it depends on what the "disaster" is that you plan for. In many cases, the "disaster" is the seizure or loss of the device, it which case it's appropriate NOT to have any method of key recovery. In a corporate context, it's debatable if key escrow and multikey methods mitigate the risk or compound it. Regards, Michael Holstein Cleveland State University From luigi at net.t-labs.tu-berlin.de Fri Dec 10 08:56:46 2010 From: luigi at net.t-labs.tu-berlin.de (Luigi Iannone) Date: Fri, 10 Dec 2010 15:56:46 +0100 Subject: Start accepting longer prefixes as IPv4 depletes? 
In-Reply-To: <201012101130.oBABUkcp008409@mail.r-bonomi.com> References: <201012101130.oBABUkcp008409@mail.r-bonomi.com> Message-ID: On Dec 10, 2010, at 12:30 , Robert Bonomi wrote: >> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Wed Dec 8 15:36:44 2010 >> Date: Wed, 08 Dec 2010 15:34:47 -0600 >> From: Jack Bates >> To: David Conrad >> Subject: Re: Start accepting longer prefixes as IPv4 depletes? >> Cc: NANOG list >> >> On 12/8/2010 3:12 PM, David Conrad wrote: >>> Cameron, >>> >>> On Dec 8, 2010, at 12:01 PM, Cameron Byrne wrote: >>>> I believe a lot of folks think the routing paths should be tightly >>>> coupled with the physical topology. >>> >>> The downside, of course, being that if you change your location >>> within the physical topology, you have to renumber. Enterprises have >>> already voted with their feet that this isn't acceptable with IPv4 >>> and they'll no doubt do the same with IPv6. >>> >>>> In a mature IPv6 world, that is sane, i am not sure what the real >>>> value of LISP is. >>> >>> Sanity is in the eye of the beholder. The advantage a LISP(-like) >>> scheme provides is a way of separating location from identity, >>> allowing for arbitrary topology change (and complexity in the form of >>> multi-homing) without affecting the identities of the systems on the >>> network. Changing providers or multi-homing would thus not result in >>> a renumbering event or pushing yet another prefix into the DFZ. >>> >> >> I think the issue, and correct me if I'm wrong, is that LISP does not >> address issues of traffic engineering? A lot of the additional routes in >> DFZ are there specifically to handle traffic engineering. > LISP has TE properties based on priority of the locators and weight (for load balancing). You can read: http://inl.info.ucl.ac.be/system/files/inm08.pdf Luigi > The primary thing that a LISP-like approach accomplishes is the 'de-coupling" > of infrastructure and leaf networks. 
> You can mess with either one, w/o
> having any effect on the other.
>

From dylan.ebner at crlmed.com Fri Dec 10 09:01:37 2010
From: dylan.ebner at crlmed.com (Dylan Ebner)
Date: Fri, 10 Dec 2010 15:01:37 +0000
Subject: BGP multihoming question.
In-Reply-To: <1291894346.2820.9.camel@valio>
References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio>
Message-ID: <017265BF3B9640499754DD48777C3D206A1241C16B@MBX9.EXCHPROD.USA.NET>

Our organization does exactly this. The requirements we have run into are:

1. The block needs to be at least a /24 and registered with SWIP.
2. You will need LOAs from the owner of the block. This used to take months to get; now it seems the ISPs have streamlined this operation.
3. You cannot trust the second ISP to advertise the SWIP block correctly if they are not a tier 1. Even though they may advertise it for you to their upstream, they don't always have the appropriate procedures in place to get the LOAs to the upstream, so your block just gets filtered out.

Dylan Ebner

-----Original Message-----
From: b2 [mailto:b2 at playtime.bg]
Sent: Thursday, December 09, 2010 5:32 AM
To: North American Network Operators Group
Subject: BGP multihoming question.

Hi, first sorry for the lame question but I'm new to BGP.

In my ISP I have two full BGP sessions with my two transit providers (X and Y), and for every provider I have assigned PA (Provider Aggregatable) networks. Is it possible (if there are no filters on the other side) to advertise X networks to Y and Y to accept them? My confusion comes from the PA status; I know if it is PI there is no problem to route it to any AS.

Thanks.
From cmaurand at xyonet.com Fri Dec 10 09:06:09 2010
From: cmaurand at xyonet.com (Curtis Maurand)
Date: Fri, 10 Dec 2010 10:06:09 -0500
Subject: Windows Encryption Software
In-Reply-To: <4D023A34.1050708@csuohio.edu>
References: <87zksdbw6o.fsf@mid.deneb.enyo.de> <4D022B30.5020709@xyonet.com> <4D023A34.1050708@csuohio.edu>
Message-ID: <4D0241E1.10109@xyonet.com>

On 12/10/2010 9:33 AM, Michael Holstein wrote:
>> After some research, I find that recovery of EFS (available for Win
>> 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be
>> problematic. It has to do with keys, file ownerships, etc., etc.,
>> etc. Plan for disaster and know how to recover before you encrypt
>> with EFS.
> This is an interesting point .. it depends on what the "disaster" is
> that you plan for.
>
> In many cases, the "disaster" is the seizure or loss of the device, in
> which case it's appropriate NOT to have any method of key recovery. In a
> corporate context, it's debatable if key escrow and multikey methods
> mitigate the risk or compound it.

Good point, but I'm thinking in terms of failure of the machine that physically houses the files. You and I both know that you're not going to be able to replace server hardware with identical hardware and even if you do, the Windows SID will change. Restoring the system state is going to be a useless exercise. Therefore you will need the keys to decrypt/re-encrypt the files on a new device after you restore from backup.

If the disk is lost or stolen, then hell no, I don't want the thief to be able to restore the data.

All of this is moot if you're running in a virtual environment and you have good snapshots/backups of your VM.

--Curtis

From bclark at spectraaccess.com Fri Dec 10 09:08:14 2010
From: bclark at spectraaccess.com (Bret Clark)
Date: Fri, 10 Dec 2010 10:08:14 -0500
Subject: BGP multihoming question.
In-Reply-To: <017265BF3B9640499754DD48777C3D206A1241C16B@MBX9.EXCHPROD.USA.NET>
References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> <017265BF3B9640499754DD48777C3D206A1241C16B@MBX9.EXCHPROD.USA.NET>
Message-ID: <4D02425E.1090907@spectraaccess.com>

On 12/10/2010 10:01 AM, Dylan Ebner wrote:
> 3. You cannot trust the second isp to advertise the SWIP block correctly if they are not a tier 1. Even though they may advertise it for you to their upstream, they don't always have the appropriate procedures in place to get the LOAs to the upstream so your block just gets filtered out.
>
>

Just got done battling this exact issue with one of our upstream peers...caused a lot of headaches for us.

From jsw at inconcepts.biz Fri Dec 10 09:34:58 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Fri, 10 Dec 2010 10:34:58 -0500
Subject: Videotron contact
Message-ID:

Could someone from Videotron contact me off-list?

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From bill at herrin.us Fri Dec 10 09:58:48 2010
From: bill at herrin.us (William Herrin)
Date: Fri, 10 Dec 2010 10:58:48 -0500
Subject: Windows Encryption Software
In-Reply-To: <87zksdbw6o.fsf@mid.deneb.enyo.de>
References: <87zksdbw6o.fsf@mid.deneb.enyo.de>
Message-ID:

On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer wrote:
> Software-based solutions have the advantage that they are somewhat
> more testable and reviewable. If it's all in the disk, you can't
> really be sure that the data is encrypted with a static key, and the
> passphrase is used for access control only. The latter approach seems
> to be somewhat common with encrypting storage devices, unfortunately.

It's not just common; it's the official standard. The API doesn't let you set the key or read the bare data. It lets you input a password to unlock both drive and encryption key and it lets you tell the drive to generate a new encryption key ("cryptographic erase").
So yes, you have to trust that the manufacturer is doing what they claim.

This caused me some concern when I first got it, but at the end of the day I'm not trying to protect my files from someone with the resources to reconfigure hard drives in a way that allows them to go after the raw data without entering the password. I'm trying to protect them from the casual roadside thief.

-Bill

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From lowen at pari.edu Fri Dec 10 10:08:00 2010
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 10 Dec 2010 11:08:00 -0500
Subject: [Operational] Internet Police
In-Reply-To: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net>
References:
Message-ID: <201012101108.01089.lowen@pari.edu>

On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
> > "front lines of this "cyberwar"?
> Warfare isn't the correct metaphor.
> Espionage/covert action is the correct metaphor.

In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.

From sil at infiltrated.net Fri Dec 10 10:13:15 2010
From: sil at infiltrated.net (J. Oquendo)
Date: Fri, 10 Dec 2010 11:13:15 -0500
Subject: [Operational] Internet Police
In-Reply-To: <201012101108.01089.lowen@pari.edu>
References: <201012101108.01089.lowen@pari.edu>
Message-ID: <4D02519B.5090104@infiltrated.net>

On 12/10/2010 11:08 AM, Lamar Owen wrote:
>
> In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.

I thought "e-*" was so yesterday, wouldn't this be "i-*" or to be more complete "i-* 2.0"

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J.
Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

From william.mccall at gmail.com Fri Dec 10 10:44:53 2010
From: william.mccall at gmail.com (William McCall)
Date: Fri, 10 Dec 2010 10:44:53 -0600
Subject: [Operational] Internet Police
In-Reply-To: <201012101108.01089.lowen@pari.edu>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu>
Message-ID:

On Fri, Dec 10, 2010 at 10:08 AM, Lamar Owen wrote:
> On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>> > "front lines of this "cyberwar"?
>> Warfare isn't the correct metaphor.
>
>> Espionage/covert action is the correct metaphor.
>
> In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.
>
>

Terrorism? Hell, I guess you're right since the definition of "terrorism" seems to extend to anything remotely criminal and scary. Especially if more than one person is involved. I bet the old school terrorists who believed terrorism required massive panic are quite disturbed by this lowered bar for success.

I think that's a lot of undue credit given to basic criminal behavior and watching the boogieman come out because the perpetrators either can't be stopped or the reality that SPs apparently don't care to stop it.

To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap?
Furthermore, what is the actual incentive to do something about it?

--
William McCall

From jcdill.lists at gmail.com Fri Dec 10 10:46:43 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Fri, 10 Dec 2010 08:46:43 -0800
Subject: [Operational] Internet Police
In-Reply-To: <201012101108.01089.lowen@pari.edu>
References: <201012101108.01089.lowen@pari.edu>
Message-ID: <4D025973.4030709@gmail.com>

On 10/12/10 8:08 AM, Lamar Owen wrote:
> On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>>> "front lines of this "cyberwar"?
>> Warfare isn't the correct metaphor.
>> Espionage/covert action is the correct metaphor.
> In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism.

No one was "terrorized" because they couldn't reach MasterCard or because MasterCard's website was defaced. Vandalism doesn't even begin to equate to terrorism. You demean everyone who has been impacted by true terrorism by trying to equate these relatively trivial events with the real events of terrorism.

We *really* don't need Homeland Security and TSA deciding that cyber-vandalism falls into the realm of terrorism and thus comes under their purview to "protect us against". Their security theater at the airport is too much already, I can't begin to imagine how badly they could screw it up if they had a mandate to implement similar "protective" processes on the internet.
jc

From jbates at brightok.net Fri Dec 10 10:49:14 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 10 Dec 2010 10:49:14 -0600
Subject: [Operational] Internet Police
In-Reply-To:
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu>
Message-ID: <4D025A0A.4090108@brightok.net>

On 12/10/2010 10:44 AM, William McCall wrote:
> To the folks out there that presently work for an SP, if someone
> called you (or the relevant department) and gave you a list of
> end-user IPs that were DDoSing this person/entity, how long would you
> take to verify and stop the end user's stream of crap? Furthermore,
> what is the actual incentive to do something about it?
>

It falls under standard abuse role, though if the destination just wants a filter or their IP nullrouted, that is usually accommodated immediately.

Jack

From michael at hmsjr.com Fri Dec 10 10:54:16 2010
From: michael at hmsjr.com (Michael Smith)
Date: Fri, 10 Dec 2010 11:54:16 -0500
Subject: [Operational] Internet Police
In-Reply-To: <4D025973.4030709@gmail.com>
References: <201012101108.01089.lowen@pari.edu> <4D025973.4030709@gmail.com>
Message-ID:

On Fri, Dec 10, 2010 at 11:46 AM, JC Dill
> We *really* don't need Homeland Security and TSA deciding that
> cyber-vandalism falls into the realm of terrorism and thus comes under their
> purview to "protect us against". Their security theater at the airport is
> too much already, I can't begin to imagine how badly they could screw it up
> if they had a mandate to implement similar "protective" processes on the
> internet.
>
> jc
>
>

Now, we're getting to the original question. If the Federal Govt decides that state secrets and ability to conduct commerce raise this to the level of a "global guerrilla war", we can all laugh it off for its absurdity, but I'm curious what architectural and operational decisions will be if we are *ordered* to consider what options are available...

..or...
would it simply be a NSA/DoD appliance that we're all required to place in-line....?...

From Valdis.Kletnieks at vt.edu Fri Dec 10 11:06:59 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 10 Dec 2010 12:06:59 -0500
Subject: [Operational] Internet Police
In-Reply-To: Your message of "Fri, 10 Dec 2010 11:08:00 EST." <201012101108.01089.lowen@pari.edu>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu>
Message-ID: <12764.1292000819@localhost>

On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
> In reality DoS threats/execution of those threats/ 'pwning' / website
> vandalism are all forms of terrorism.

Let's not dilute the meaning of terrorism to the point where graffiti, cyber or otherwise, is classified as terrorism.

The USA Patriot act says: "activities that (A) involve acts dangerous to human life that are a violation of the criminal laws of the U.S. or of any state, that (B) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of a government by intimidation or coercion, or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping, and (C) occur primarily within the territorial jurisdiction of the U.S."

I don't think Joe Sixpack felt intimidated or coerced by a few DDoS attacks, nor did it seem to do much to change official US policy (mostly because the guys in DC are running around like the Headless Horsechicken trying to figure out what our policy *IS*). And it's the rare DDoS that becomes an act "dangerous to human life".

I believe the word you wanted was "hooliganism". And we have a legal system that has about 3,000 years of experience in dealing with *that*, thank you very much.
From lowen at pari.edu Fri Dec 10 11:14:20 2010
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 10 Dec 2010 12:14:20 -0500
Subject: [Operational] Internet Police
In-Reply-To: <4D025973.4030709@gmail.com>
References:
Message-ID: <201012101214.21119.lowen@pari.edu>

On Friday, December 10, 2010 11:46:43 am JC Dill wrote:
> On 10/12/10 8:08 AM, Lamar Owen wrote:
> > In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism.
> No one was "terrorized" because they couldn't reach MasterCard or
> because MasterCard's website was defaced. Vandalism doesn't even begin
> to equate to terrorism. You demean everyone who has been impacted by
> true terrorism by trying to equate these relatively trivial events with
> the real events of terrorism.

As I sat deciding on the words to use before hitting send, that, even though the word terrorism is emotionally and politically charged, that it is an accurate, if vague, term, especially in the age of identity theft. And I say that having family members that have been impacted directly by terrorism, so I certainly am not intending to demean anyone, and I did carefully consider that some might consider it a demeaning statement.

But the fact of the matter is that website defacement and DDoS can cause loss of income or even worse, depending upon the exact content of the defacement and the exact nature of the DDoS. Identity theft can cause loss of life due to the stress of mopping up afterwards. If your employer's bottom line is negatively impacted by a website defacement or by DoS, your job itself could be negatively impacted. Just because it's on the web or in e-mail or whatnot (I'm really resisting the c*space metaphor here) doesn't mean dire real-world consequences can't be felt.
From gbonser at seven.com Fri Dec 10 11:24:24 2010
From: gbonser at seven.com (George Bonser)
Date: Fri, 10 Dec 2010 09:24:24 -0800
Subject: BGP multihoming question.
In-Reply-To: <4D02425E.1090907@spectraaccess.com>
References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> <017265BF3B9640499754DD48777C3D206A1241C16B@MBX9.EXCHPROD.USA.NET> <4D02425E.1090907@spectraaccess.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE50@RWC-EX1.corp.seven.com>

> -----Original Message-----
> From: Bret Clark
> Sent: Friday, December 10, 2010 7:08 AM
> To: nanog at nanog.org
> Subject: Re: BGP multihoming question.
>
> On 12/10/2010 10:01 AM, Dylan Ebner wrote:
> > 3. You cannot trust the second isp to advertise the SWIP block
> correctly if they are not a tier 1. Even though they may advertise it
> for you to their upstream, they don't always have the appropriate
> procedures in place to get the LOAs to the upstream so your block just
> gets filtered out.
> >
> >
> >
> Just got done battling this exact issue with one of our upstream
> peers...caused a lot of headaches for us.

Proper registration in a routing registry helps, too.

From jbates at brightok.net Fri Dec 10 11:37:15 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 10 Dec 2010 11:37:15 -0600
Subject: [Operational] Internet Police
In-Reply-To: <12764.1292000819@localhost>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <12764.1292000819@localhost>
Message-ID: <4D02654B.5050306@brightok.net>

On 12/10/2010 11:06 AM, Valdis.Kletnieks at vt.edu wrote:
> The USA Patriot act says: "activities that (A) involve acts dangerous to human
> life that are a violation of the criminal laws of the U.S.
> or of any state,
> that (B) appear to be intended (i) to intimidate or coerce a civilian
> population, (ii) to influence the policy of a government by intimidation or
> coercion, or (iii) to affect the conduct of a government by mass destruction,
> assassination, or kidnapping, and (C) occur primarily within the territorial
> jurisdiction of the U.S."

At most, B ii applies, but if I'm not mistaken, A, B, and C must all occur by that statute (the giveaway is C, as it doesn't make sense as a single condition). The Patriot act seems to discount foreign terrorism (unsurprising), but even going by A and B, the DDOS would have to be dangerous to human life and be illegal by US/state law, in addition to intimidating (which purposefully being dangerous to human life definitely falls under intimidation).

So attacking infrastructure (affecting traffic lights, power, air traffic control systems, etc) would fall under terrorism (regardless of attack mechanism). I don't think one could constitute the inability to sell a product or process a payment as life threatening. Those acts fall under other legal definitions.

Jack

From jbates at brightok.net Fri Dec 10 11:40:21 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 10 Dec 2010 11:40:21 -0600
Subject: [Operational] Internet Police
In-Reply-To: <4D02654B.5050306@brightok.net>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <12764.1292000819@localhost> <4D02654B.5050306@brightok.net>
Message-ID: <4D026605.2090109@brightok.net>

On 12/10/2010 11:37 AM, Jack Bates wrote:
>> assassination, or kidnapping, and (C) occur primarily within the
> At most, B ii applies, but if I'm not mistaken, A, B, and C must all
> occur by that statute (the giveaway is C, as it doesn't make sense as a
> single condition).

err, or one could just go by the use of "and". head. desk.
Jack

From Valdis.Kletnieks at vt.edu Fri Dec 10 11:40:44 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 10 Dec 2010 12:40:44 -0500
Subject: [Operational] Internet Police
In-Reply-To: Your message of "Fri, 10 Dec 2010 12:14:20 EST." <201012101214.21119.lowen@pari.edu>
References: <201012101108.01089.lowen@pari.edu> <4D025973.4030709@gmail.com> <201012101214.21119.lowen@pari.edu>
Message-ID: <14244.1292002844@localhost>

On Fri, 10 Dec 2010 12:14:20 EST, Lamar Owen said:
> Identity theft can cause loss of life due to the stress of mopping up afterwards.

Oh, give me a *break*. This is well off the end of the slippery slope. My car got totaled in a rear-end collision a few weeks ago. If I get so stressed dealing with my insurance company that I die of a heart attack, does that mean the guy who ran into me is guilty of murder? And for bonus points, is he guilty of *attempted* murder if I *don't* have a heart attack?

No - in most jurisdictions, if I expire of a heart attack as an unforeseen and unpredictable *direct* result of somebody's actions, that would maybe be manslaughter, not murder. And death during "mopping up afterwards" is *so* convoluted I don't think you could even get a win in a civil trial, where the standards of evidence are a lot lower than in criminal cases.

Similarly, identity theft isn't committed with the *intent* that people will keel over - that's an unforeseeable and unpredictable result. On the other hand, *real* terrorism usually involved the *intent* that you're going to have some very messy corpses and/or fragments thereof.

Let me know when you have a documented case of a DDoS launched with the *intent* of causing dead bodies in the street for the 6PM news crews, so that the populace is in fact terrified.
From gbonser at seven.com Fri Dec 10 11:45:46 2010
From: gbonser at seven.com (George Bonser)
Date: Fri, 10 Dec 2010 09:45:46 -0800
Subject: [Operational] Internet Police
In-Reply-To:
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com>

> From: William McCall
> Sent: Friday, December 10, 2010 8:45 AM
> To: Lamar Owen
> Cc: nanog at nanog.org
> Subject: Re: [Operational] Internet Police

> To the folks out there that presently work for an SP, if someone
> called you (or the relevant department) and gave you a list of
> end-user IPs that were DDoSing this person/entity, how long would you
> take to verify and stop the end user's stream of crap? Furthermore,
> what is the actual incentive to do something about it?

The behavior is no different than a street gang who would attempt to influence the behavior of a local merchant by threatening damage to the store. In the case of internet operations, we seem to tolerate the behavior or simply assume little can be done so many don't even try. If an ISP were to actively disconnect clients who were infected with a bot (intentionally infected or not), the end users themselves might be a little more vigilant at keeping their systems free of them. *But* any ISP doing that would also have to be prepared to invest some effort in trying to help absolutely clueless people (in many cases) remove these bots from their systems. It can quickly become a huge time swamp.
From jbates at brightok.net Fri Dec 10 11:48:18 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 10 Dec 2010 11:48:18 -0600
Subject: [Operational] Internet Police
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com>
Message-ID: <4D0267E2.50600@brightok.net>

On 12/10/2010 11:45 AM, George Bonser wrote:
> If
> an ISP were to actively disconnect clients who were infected with a bot
> (intentionally infected or not), the end users themselves might be a
> little more vigilant at keeping their systems free of them. *But* any
> ISP doing that would also have to be prepared to invest some effort in
> trying to help absolutely clueless people (in many cases) remove these
> bots from their systems.

Works well for the most part, and if they are clueless, they can seek professional help from a computer tech.

Jack

From paul at paulgraydon.co.uk Fri Dec 10 11:50:41 2010
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Fri, 10 Dec 2010 07:50:41 -1000
Subject: [Operational] Internet Police
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com>
Message-ID: <4D026871.60906@paulgraydon.co.uk>

On 12/10/2010 07:45 AM, George Bonser wrote:
>> From: William McCall
>> Sent: Friday, December 10, 2010 8:45 AM
>> To: Lamar Owen
>> Cc: nanog at nanog.org
>> Subject: Re: [Operational] Internet Police
>
>> To the folks out there that presently work for an SP, if someone
>> called you (or the relevant department) and gave you a list of
>> end-user IPs that were DDoSing this person/entity, how long would you
>> take to verify and stop the end user's stream of crap?
>> Furthermore,
>> what is the actual incentive to do something about it?
> The behavior is no different than a street gang who would attempt to
> influence the behavior of a local merchant by threatening damage to the
> store. In the case of internet operations, we seem to tolerate the
> behavior or simply assume little can be done so many don't even try. If
> an ISP were to actively disconnect clients who were infected with a bot
> (intentionally infected or not), the end users themselves might be a
> little more vigilant at keeping their systems free of them. *But* any
> ISP doing that would also have to be prepared to invest some effort in
> trying to help absolutely clueless people (in many cases) remove these
> bots from their systems. It can quickly become a huge time swamp.
>
>

Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines.

Paul

From gbonser at seven.com Fri Dec 10 11:59:56 2010
From: gbonser at seven.com (George Bonser)
Date: Fri, 10 Dec 2010 09:59:56 -0800
Subject: [Operational] Internet Police
In-Reply-To: <4D026871.60906@paulgraydon.co.uk>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com> <4D026871.60906@paulgraydon.co.uk>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CE58@RWC-EX1.corp.seven.com>

> Not to mention the risk of lost business for customers that just can't
> be bothered to fix broken machines.
>
> Paul

That supposes that another ISP would accept their bot-infected machine. It would require some cooperation among the providers. And should some ISP get the reputation of being a bot-haven, then maybe their customers might notice connectivity issues.
From paul at paulgraydon.co.uk Fri Dec 10 12:07:36 2010
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Fri, 10 Dec 2010 08:07:36 -1000
Subject: [Operational] Internet Police
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE58@RWC-EX1.corp.seven.com>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com> <4D026871.60906@paulgraydon.co.uk> <5A6D953473350C4B9995546AFE9939EE0B14CE58@RWC-EX1.corp.seven.com>
Message-ID: <4D026C68.3090405@paulgraydon.co.uk>

On 12/10/2010 07:59 AM, George Bonser wrote:
>> Not to mention the risk of lost business for customers that just can't
>> be bothered to fix broken machines.
>>
>> Paul
>
> That supposes that another ISP would accept their bot-infected machine.
> It would require some cooperation among the providers. And should some
> ISP get the reputation of being a bot-haven, then maybe their customers
> might notice connectivity issues.
>

Unless you can get every company to sign up to an agreement it will never work. Even then you'll still find unscrupulous companies that are far more interested in revenue than reputation. There are a number of hosting companies I'm sure most network professionals are aware of that are regular bases for C'n'C servers.

From nanog at thedaileyplanet.com Fri Dec 10 12:16:46 2010
From: nanog at thedaileyplanet.com (Chad Dailey)
Date: Fri, 10 Dec 2010 12:16:46 -0600
Subject: Windows Encryption Software
In-Reply-To:
References: <87zksdbw6o.fsf@mid.deneb.enyo.de>
Message-ID:

http://xkcd.com/538/

On Fri, Dec 10, 2010 at 9:58 AM, William Herrin wrote:
> On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer wrote:
> > Software-based solutions have the advantage that they are somewhat
> > more testable and reviewable. If it's all in the disk, you can't
> > really be sure that the data is encrypted with a static key, and the
> > passphrase is used for access control only.
> > The latter approach seems
> > to be somewhat common with encrypting storage devices, unfortunately.
>
> It's not just common; it's the official standard. The API doesn't let
> you set the key or read the bare data. It lets you input a password
> to unlock both drive and encryption key and it lets you tell the
> drive to generate a new encryption key ("cryptographic erase"). So
> yes, you have to trust that the manufacturer is doing what they claim.
>
> This caused me some concern when I first got it, but at the end of the
> day I'm not trying to protect my files from someone with the resources
> to reconfigure hard drives in a way that allows them to go after the
> raw data without entering the password. I'm trying to protect them
> from the casual roadside thief.
>
> -Bill
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web:
> Falls Church, VA 22042-3004
>
>

From jbates at brightok.net Fri Dec 10 12:27:03 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 10 Dec 2010 12:27:03 -0600
Subject: [Operational] Internet Police
In-Reply-To: <4D026C68.3090405@paulgraydon.co.uk>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <5A6D953473350C4B9995546AFE9939EE0B14CE55@RWC-EX1.corp.seven.com> <4D026871.60906@paulgraydon.co.uk> <5A6D953473350C4B9995546AFE9939EE0B14CE58@RWC-EX1.corp.seven.com> <4D026C68.3090405@paulgraydon.co.uk>
Message-ID: <4D0270F7.2070207@brightok.net>

On 12/10/2010 12:07 PM, Paul Graydon wrote:
> Unless you can get every company to sign up to an agreement it will
> never work. Even then you'll still find unscrupulous companies that are
> far more interested in revenue than reputation. There are a number of
> hosting companies I'm sure most network professionals are aware of that
> are regular bases for C'n'C servers.

Why does it matter?
If a customer isn't going to run a clean system, why would you want them on your network? Commodity customers are quick shutoffs, while businesses often have valid contacts to work with to resolve the issue without a full cutoff. If they go to the competition, it's one less problem for me to deal with in the future (as repeat offenses are not uncommon).

MOST of the customers I suspend service due to bots/spam/etc are happy with the service (once they realize the pretty locks on their web browser don't secure their communications from infections).

Jack

From andrew.wallace at rocketmail.com Fri Dec 10 12:34:03 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Fri, 10 Dec 2010 10:34:03 -0800 (PST)
Subject: Mastercard problems
Message-ID: <882110.74795.qm@web59606.mail.ac4.yahoo.com>

"Just a day after Dutch police arrested a 16-year-old boy in connection with Wikileaks-related denial-of-service attacks, websites belonging to the Netherlands computer crime cops and prosecutors have been struck with a similar assault."

http://nakedsecurity.sophos.com/2010/12/10/dutch-police-website-attacked-after-arrests-of-suspected-hacker/

Andrew

----- Original Message -----
From: Michael Smith
To: andrew.wallace at rocketmail.com
Cc: nanog at nanog.org
Sent: Thursday, 9 December 2010, 23:16:22
Subject: Re: Mastercard problems

Exactly... Rounding up script kiddies one at a time is a pretty serious deterrent ;). I'm sure the bot-masters are quaking in their boots... :)

----- Original Message -----
From: andrew.wallace
To: Michael Smith
Cc: nanog at nanog.org
Sent: Thu Dec 09 18:14:16 2010
Subject: Re: Mastercard problems

It was a quick arrest wasn't it?

----- Original Message -----
From: Michael Smith
To: andrew.wallace
Cc:
Sent: Thursday, 9 December 2010, 21:49:16
Subject: RE: Mastercard problems

1 down, 3896 to go...
:)

-----Original Message-----
From: andrew.wallace [mailto:andrew.wallace at rocketmail.com]
Sent: Thursday, December 09, 2010 4:44 PM
To: nanog at nanog.org
Subject: Re: Mastercard problems

Dutch authorities have arrested a 16-year old "hacker" in connection with
Mastercard.

http://news.cnet.com/8301-31921_3-20025215-281.html

Andrew

From joelja at bogus.com Fri Dec 10 12:48:41 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Fri, 10 Dec 2010 10:48:41 -0800
Subject: [Operational] Internet Police
In-Reply-To: <12764.1292000819@localhost>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <12764.1292000819@localhost>
Message-ID: <4D027609.6000006@bogus.com>

On 12/10/10 9:06 AM, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
>
> I believe the word you wanted was "hooliganism". And we have a legal system
> that has about 3,000 years of experience in dealing with *that*, thank you very
> much.

The code of Hammurabi or Ur-Nammu would probably cut off your hand or
require the payment of several minas of silver.

The failure isn't one of the legal system not having the tools to
prosecute this sort of activity, it's the failure to effectively police
it. Other attractive nuisances that cause economic damage such as
graffiti and antisocial behavior (of which much of this DoS activity
clearly is) have been around longer than the code of Ur-Nammu and we
haven't solved them yet either.

From cconn at b2b2c.ca Fri Dec 10 13:40:02 2010
From: cconn at b2b2c.ca (Chris Conn)
Date: Fri, 10 Dec 2010 14:40:02 -0500
Subject: Cogeco MX/SMTP administrator?
Message-ID: <4D028212.5080107@b2b2c.ca>

Hello,

Could a Cogeco MX/SMTP admin contact me off list please, we seem to be
suffering from the same fate as these individuals;

http://www.dslreports.com/forum/r24888256-Email-sent-to-AOL-is-timing-out

Thanks,

Chris Conn
B2B2C.ca

From drew.weaver at thenap.com Fri Dec 10 14:23:30 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 10 Dec 2010 15:23:30 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References:
Message-ID:

Upstream providers generally have a hard time allowing you to write routes
that you don't own into their table(s).

thanks,
-Drew

-----Original Message-----
From: Chris Boyd [mailto:cboyd at gizmopartners.com]
Sent: Wednesday, December 08, 2010 2:19 PM
To: NANOG
Subject: Re: Over a decade of DDOS--any progress yet?

On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:

> Yes, but all of them rely on your upstreams or in mirroring your content.
> If 100 Mbps are reaching your input interface of 10Mbps there is not much
> that you can do.

Hmm. What would be really cool is if you could use Snort, NetFlow/NBAR, or
some other sort of DPI tech to find specifically the IP addresses of the
DDoS bots, and then pass that information back upstream via BGP communities
that tell your peer router to drop traffic from those addresses. That way
the target of the traffic can continue to function if the DDoS traffic
doesn't closely mimic the normal traffic. Your BGP peer router would need
to have lots of memory for /32 or /64 routes though.

Anyone heard of such a beast? Or is this how the stuff from places like
Arbor Networks do their thing?

--Chris

From drew.weaver at thenap.com Fri Dec 10 14:30:28 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 10 Dec 2010 15:30:28 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com>
Message-ID:

Ah,

Honestly we can usually point to the exact cause of the attacks once we
have time to triage the situation. Recently it has been stuff like:

-Made someone in Asia angry.
-Running a runescape server and made someone angry.
-Made someone on IRC angry.

It has been pretty rare to see an attack that wasn't just the end result
of a pissing contest. And like I said, most of the ones I have seen
recently are either UDP 80 floods, which is probably the result of one of
the UDP.PL variants, or fragments (UDP DST 0) attacks, which kind of
indicates at least in part that the 'attacker' simply downloaded the first
thing they could find that said 'DDoS' on it and didn't spend too much
time worrying about it.

This is probably mainly because of how easy it is now to acquire dedicated
servers (that aren't properly monitored) and have 1Gbps (and now) 10Gbps
connections to the Internet.

How many organizations are using 10G connections to the Internet these
days?

-Drew

-----Original Message-----
From: Matthew Petach [mailto:mpetach at netflight.com]
Sent: Wednesday, December 08, 2010 1:35 PM
To: jay at prolexic.com
Cc: nanog at nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley wrote:
> On 08/12/2010 16:14, Drew Weaver wrote:
>> I would say that > 99% of the attacks that we see are 'link fillers'
>> with < 1% being an application attack.
>>
>> thanks,
>> -Drew
>
> This has been our recent experience as well. There are some pure app
> attacks, to be sure, but we see many blended attacks also. Bandwidth
> (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH
> floods) attempting to run underneath the radar. We regularly see SYN
> floods these days > 20 Gb/s.
Another thing to be aware of--when you get hit with what seems to be a
"simple" flooding attack aimed at one point of your infrastructure...
start checking your logs at _other_ places in your network very, VERY
carefully. There seems to be a trend of using larger-scale flooding, or
other simple types of attacks to get all the network people at an
organization rushing over to throw resources and energy at it...while the
real target of the attack is something completely different, on a
different subnet, in a different part of the company; and that attack is
small, carefully focused at its target, and is designed to be relatively
quiet. The "big" attack is used simply to ensure all the human energy is
focused on the wrong place, increasing the chance that what otherwise
might have caused raised eyebrows and double-checking of logs/IDS alerts,
etc. gets missed while everyone is focusing on the "big" attack.

> The thing to bear in mind is that app attacks *are* difficult to detect
> as they are low bandwidth and make a full TCP connection. As a result
> many IDS/Firewalls etc regularly miss these attacks.
>
> Lastly there is usually always someone at the other end of these attacks
> watching what is working and what is not. If the attack doesn't work
> they will simply round up more bots to increase the attack bandwidth or
> change the attack vector.

And, in what seems to be an increasing trend, what they are watching for
is *not* necessarily the result of the large botnet attack; they're
checking on the results of their targeted probes elsewhere in the network,
or on the outbound set of connections from a compromised machine within an
organization; after all, during a huge DDoS attack, with everyone focusing
on a set of uplinks being flooded with _inbound_ traffic, who is going to
notice the (relatively smaller) outbound spike of traffic as the
compromised machine sends out a copy of your internal intellectual
property to the miscreant recipients?
Matt
(speaking purely hypothetically, of course, and definitely not on behalf
of any institution or entity other than myself)

From drew.weaver at thenap.com Fri Dec 10 14:32:10 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 10 Dec 2010 15:32:10 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <20101208115846.4b43ff25@mead.decaying.org>
References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> <20101208115846.4b43ff25@mead.decaying.org>
Message-ID:

I should've "qualified" my question by saying "What valid application
which traverses the Internet and could be seen at the edge of a network
actually uses UDP 80?"

I can't imagine there is too much Cisco NAC client for Macs carrying on
over the Internet, although I have been wrong in the past.

-Drew

-----Original Message-----
From: Michael Costello [mailto:mc3401 at columbia.edu]
Sent: Wednesday, December 08, 2010 11:59 AM
To: nanog at nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, 8 Dec 2010 11:13:01 -0500
Drew Weaver wrote:

> The most common attacks that I have seen over the last 12 months, and
> let's say I have seen a fair share have been easily detectable by the
> source network.
>
> It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port
> 0..)
>
> What valid application actually uses UDP 80?

The Cisco NAC client for Macs, for the purpose of "VLAN change detection",
sends UDP/80 packets to the host's reversed default gateway (i.e., if the
actual gateway is 1.2.3.4, it sends the packets to 4.3.2.1) once every
five seconds.

mc

From drew.weaver at thenap.com Fri Dec 10 14:33:46 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 10 Dec 2010 15:33:46 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com>
Message-ID:

Nobody has really driven the point home that yes you can purchase a system
from Arbor, RioRey, make your own mitigation system, what-have-you, but you
still have to pay for the transit to digest the attack, which is probably
the main cost right now.

-Drew

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins at arbor.net]
Sent: Wednesday, December 08, 2010 11:54 AM
To: North American Operators' Group
Subject: Re: Over a decade of DDOS--any progress yet?

On Dec 8, 2010, at 11:47 PM, Jay Coley wrote:

> This has been our recent experience as well.

I see link-filling attacks with some regularity; but again, what I'm
saying is simply that they aren't as prevalent as they used to be, because
the attackers don't *need* to fill links in order to achieve their goals,
in many cases.

That being said, high-bandwidth DNS reflection/amplification attacks tip
the scales, every time.

> Lastly there is usually always someone at the other end of these attacks
> watching what is working and what is not

This is a very important point - determined attackers will observe and
react in order to try and defeat successful countermeasures, so the
defenders must watch for shifting attack vectors.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From cscora at apnic.net Fri Dec 10 14:35:53 2010
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 11 Dec 2010 06:35:53 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201012102035.oBAKZrVM029510@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
LacNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.

Routing Table Report   04:00 +10GMT Sat 11 Dec, 2010

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              338487
    Prefixes after maximum aggregation:                          152765
    Deaggregation factor:                                          2.22
    Unique aggregates announced to Internet:                     166476
Total ASes present in the Internet Routing Table:                 35460
    Prefixes per ASN:                                              9.55
Origin-only ASes present in the Internet Routing Table:           30540
Origin ASes announcing only one prefix:                           14921
Transit ASes present in the Internet Routing Table:                4920
Transit-only ASes present in the Internet Routing Table:            118
Average AS path length visible in the Internet Routing Table:       4.3
Max AS path length visible:                                          31
Max AS path prepend of ASN (36992)                                   29
Prefixes from unregistered ASNs in the Routing Table:               684
Unregistered ASNs in the Routing Table:                             323
Number of 32-bit ASNs allocated by the RIRs:                        939
Prefixes from 32-bit ASNs in the Routing Table:                       4
Special use prefixes present in the Routing Table:                    0
Prefixes being announced from unallocated address space:            193
Number of addresses announced to Internet:                   2317458720
    Equivalent to 138 /8s, 33 /16s and 157 /24s
Percentage of available address space announced:                   62.5
Percentage of allocated address space announced:                   64.6
Percentage of available address space allocated:                   96.8
Percentage of address space in use by end-sites:                   86.6
Total number of prefixes smaller than registry allocations:      139176

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    83574
    Total APNIC prefixes after maximum aggregation:               28342
    APNIC Deaggregation factor:                                    2.95
Prefixes being announced from the APNIC address blocks:           80522
Unique aggregates announced from the APNIC address blocks:        34882
APNIC Region origin ASes present in the Internet Routing Table:    4270
    APNIC Prefixes per ASN:                                       18.86
APNIC Region origin ASes announcing only one prefix:               1209
APNIC Region transit ASes present in the Internet Routing Table:    691
Average APNIC Region AS path length visible:                        4.5
Max APNIC Region AS path length visible:                             20
Number of APNIC addresses announced to Internet:              571740448
    Equivalent to 34 /8s, 20 /16s and 17 /24s
Percentage of available APNIC address space announced:             77.5

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    136853
    Total ARIN prefixes after maximum aggregation:                69866
    ARIN Deaggregation factor:                                     1.96
Prefixes being announced from the ARIN address blocks:           107840
Unique aggregates announced from the ARIN address blocks:         43908
ARIN Region origin ASes present in the Internet Routing Table:    14068
    ARIN Prefixes per ASN:                                         7.67
ARIN Region origin ASes announcing only one prefix:                5390
ARIN Region transit ASes present in the Internet Routing Table:    1494
Average ARIN Region AS path length visible:                         4.0
Max ARIN Region AS path length visible:                              23
Number of ARIN addresses announced to Internet:               741824128
    Equivalent to 44 /8s, 55 /16s and 86 /24s
Percentage of available ARIN address space announced:              62.3

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     79084
    Total RIPE prefixes after maximum aggregation:                45393
    RIPE Deaggregation factor:                                     1.74
Prefixes being announced from the RIPE address blocks:            72578
Unique aggregates announced from the RIPE address blocks:         47126
RIPE Region origin ASes present in the Internet Routing Table:    15108
    RIPE Prefixes per ASN:                                         4.80
RIPE Region origin ASes announcing only one prefix:                7748
RIPE Region transit ASes present in the Internet Routing Table:    2336
Average RIPE Region AS path length visible:                         4.6
Max RIPE Region AS path length visible:                              30
Number of RIPE addresses announced to Internet:               450700800
    Equivalent to 26 /8s, 221 /16s and 38 /24s
Percentage of available RIPE address space announced:              74.6

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   31053
    Total LACNIC prefixes after maximum aggregation:               7139
    LACNIC Deaggregation factor:                                   4.35
Prefixes being announced from the LACNIC address blocks:          29788
Unique aggregates announced from the LACNIC address blocks:       15473
LACNIC Region origin ASes present in the Internet Routing Table:   1408
    LACNIC Prefixes per ASN:                                      21.16
LACNIC Region origin ASes announcing only one prefix:               439
LACNIC Region transit ASes present in the Internet Routing Table:   253
Average LACNIC Region AS path length visible:                       4.4
Max LACNIC Region AS path length visible:                            18
Number of LACNIC addresses announced to Internet:              78606336
    Equivalent to 4 /8s, 175 /16s and 112 /24s
Percentage of available LACNIC address space announced:            58.6

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   7683
    Total AfriNIC prefixes after maximum aggregation:              1907
    AfriNIC Deaggregation factor:                                  4.03
Prefixes being announced from the AfriNIC address blocks:          5972
Unique aggregates announced from the AfriNIC address blocks:       1792
AfriNIC Region origin ASes present in the Internet Routing Table:   426
    AfriNIC Prefixes per ASN:                                     14.02
AfriNIC Region origin ASes announcing only one prefix:              135
AfriNIC Region transit ASes present in the Internet Routing Table:   92
Average AfriNIC Region AS path length visible:                      5.3
Max AfriNIC Region AS path length visible:                           31
Number of AfriNIC addresses announced to Internet:             21769216
    Equivalent to 1 /8s, 76 /16s and 44 /24s
Percentage of available AfriNIC address space announced:           43.3

APNIC Region per AS prefix count summary
----------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3736       3887     269  bellsouth.net, inc.
4323         2641       1077     400  Time Warner Telecom
4766         1874       9453     520  Korea Telecom (KIX)
19262        1834       4869     282  Verizon Global Networks
1785         1795        697     132  PaeTec Communications, Inc.
7545         1573        299      79  TPG Internet Pty Ltd
20115        1512       1531     640  Charter Communications
6478         1427        289      75  AT&T Worldnet Services
4755         1422        648     141  TATA Communications formerly
7018         1360       5652     873  AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0
 /8:19     /9:10    /10:25    /11:70    /12:210   /13:429   /14:751
/15:1338  /16:11355 /17:5518  /18:9199  /19:18627 /20:23904 /21:24216
/22:31803 /23:30778 /24:177411 /25:997  /26:1075  /27:572   /28:158
/29:12    /30:2     /31:0     /32:8

Advertised prefixes smaller than registry allocations
-----------------------------------------------------
Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------
End of report

From drew.weaver at thenap.com Fri Dec 10 14:36:34 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 10 Dec 2010 15:36:34 -0500
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <20101208165833.M7988@fast-serv.com>
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB483.8010304@brightok.net> <20101208165833.M7988@fast-serv.com>
Message-ID:

Yes, and I have no problem with this in theory, I just wish that some of
the larger ones could proactively monitor their networks to avoid crushing
the smaller ones but maybe this is intentional.

I have seen a huge increase in the number of attacks originating from other
"hosting" companies recently. Previously it had mainly been cable modems,
etc. It must be much easier to just target IaaS providers to build botnets
because each machine there has 1Gbps than to worry about collecting 100
10Mbps cable modem customers.

-Drew

-----Original Message-----
From: Randy McAnally [mailto:rsm at fast-serv.com]
Sent: Wednesday, December 08, 2010 11:59 AM
To: Drew Weaver; 'Jeffrey Lyon'; Jack Bates
Cc: North American Operators' Group
Subject: RE: Over a decade of DDOS--any progress yet?

> Soon several providers will begin offering dedicated servers with a
> 10Gbps connection to a single machine.
>
> -Drew
>

Several already do.
-Randy

From ben at 708x.com Fri Dec 10 14:39:24 2010
From: ben at 708x.com (Ben Carleton)
Date: Fri, 10 Dec 2010 15:39:24 -0500
Subject: Windows Encryption Software
In-Reply-To:
References:
Message-ID: <4D028FFC.40901@708x.com>

On 12/9/2010 8:20 PM, William Herrin wrote:
> On Thu, Dec 9, 2010 at 7:24 PM, Brandon Kim wrote:
>> I want to know if there's software out there that will encrypt files on
>> win2k3, winxp, win7, so that if someone decides to steal the computer
>> and plug the harddrive into a USB external case, they won't be able to
>> read the files on the harddrive.
> Save yourself some grief and buy a self-encrypting disk (SED) instead.
> OS transparent so you won't have the endemic problems with oops it no
> longer boots and I can't just boot a live cd and access my business
> critical data.
>
> -Bill
>
>

+1 - You mentioned Windows 2003 - with truecrypt, you need to type in the
password to boot the computer. For desktops and laptops, that's fine, but
if your DC loses power or something, you don't want to be the one to have
to go around and type in the password for all those servers...

Ben

From cidr-report at potaroo.net Fri Dec 10 16:00:01 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 10 Dec 2010 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201012102200.oBAM01I8075686@wattle.apnic.net>

BGP Update Report
Interval: 02-Dec-10 -to- 09-Dec-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
TOP 20 Unstable Origin AS (Updates per announced prefix)

TOP 20 Unstable Prefixes
d/b/a Verizon Business 14 - 174.46.23.0/24 3692 0.2% AS46928 -- ACADEMY-SPORTS-OUTDOORS - Academy Sports & Outdoors 15 - 68.65.152.0/22 3577 0.2% AS11915 -- TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC 16 - 206.184.16.0/24 3561 0.2% AS174 -- COGENT Cogent/PSI 17 - 118.96.88.0/22 3448 0.2% AS17974 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia 18 - 110.139.172.0/22 3441 0.2% AS17974 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia 19 - 61.94.132.0/23 3382 0.2% AS17974 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia 20 - 196.4.80.0/24 3139 0.2% AS37204 -- TELONE Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From cidr-report at potaroo.net Fri Dec 10 16:00:00 2010 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 10 Dec 2010 22:00:00 GMT Subject: The Cidr Report Message-ID: <201012102200.oBAM00sY075681@wattle.apnic.net> This report has been generated at Fri Dec 10 21:11:47 2010 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date Prefixes CIDR Agg 03-12-10 336784 207326 04-12-10 337283 207378 05-12-10 337487 207471 06-12-10 337640 207636 07-12-10 337991 207777 08-12-10 338201 208061 09-12-10 338515 208138 10-12-10 338660 208312 AS Summary 36205 Number of ASes in routing system 15433 Number of ASes announcing only one prefix 3735 Largest number of prefixes announced by an AS AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. 105846528 Largest address span announced by an AS (/32s) AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. 
Aggregation is also proposed across non-advertised address space ('holes'). --- 10Dec10 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 338835 208209 130626 38.6% All ASes AS6389 3735 536 3199 85.6% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS4323 2631 652 1979 75.2% TWTC - tw telecom holdings, inc. AS19262 1833 417 1416 77.3% VZGNI-TRANSIT - Verizon Online LLC AS4766 1741 617 1124 64.6% KIXS-AS-KR Korea Telecom AS18566 1089 157 932 85.6% COVAD - Covad Communications Co. AS6503 1175 290 885 75.3% Axtel, S.A.B. de C.V. AS28573 1207 344 863 71.5% NET Servicos de Comunicao S.A. AS7545 1574 735 839 53.3% TPG-INTERNET-AP TPG Internet Pty Ltd AS10620 1344 505 839 62.4% Telmex Colombia S.A. AS22773 1258 449 809 64.3% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS4755 1385 585 800 57.8% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS17488 1102 315 787 71.4% HATHWAY-NET-AP Hathway IP Over Cable Internet AS18101 905 147 758 83.8% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS24560 1035 300 735 71.0% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS8151 1357 685 672 49.5% Uninet S.A. de C.V. AS8452 1109 475 634 57.2% TE-AS TE-AS AS4808 947 321 626 66.1% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS6478 1427 806 621 43.5% ATT-INTERNET3 - AT&T Services, Inc. AS17676 642 67 575 89.6% GIGAINFRA Softbank BB Corp. AS7303 829 261 568 68.5% Telecom Argentina S.A. AS22047 563 31 532 94.5% VTR BANDA ANCHA S.A. AS11492 1256 728 528 42.0% CABLEONE - CABLE ONE, INC. AS7552 632 111 521 82.4% VIETEL-AS-AP Vietel Corporation AS9443 571 75 496 86.9% INTERNETPRIMUS-AS-AP Primus Telecommunications AS14420 584 91 493 84.4% CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP AS1785 1798 1322 476 26.5% AS-PAETEC-NET - PaeTec Communications, Inc. 
AS36992      658      189      469    71.3%   ETISALAT-MISR
AS4804       545       77      468    85.9%   MPX-AS Microplex PTY LTD
AS45595      547      102      445    81.4%   PKTELECOM-AS-PK Pakistan Telecom Company Limited
AS4780       716      281      435    60.8%   SEEDNET Digital United Inc.

Total      36195    11671    24524    67.8%   Top 30 total

Possible Bogus Routes

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From joelja at bogus.com Fri Dec 10 16:51:48 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Fri, 10 Dec 2010 14:51:48 -0800
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com>
Message-ID: <4D02AF04.1040608@bogus.com>

On 12/10/10 12:33 PM, Drew Weaver wrote:
> Nobody has really driven the point home that yes you can purchase a
> system from Arbor, RioRey, make your own mitigation system; what-have
> you, but you still have to pay for the transit to digest the attack,
> which is probably the main cost right now.

Or you outsource it and it's still costlier.

Paying for DOS mitigation you rarely if ever use is quite expensive. If you use it a lot it's even more expensive, but can at least be rationalized on the basis of known costs, e.g. an NPV calculation on the number and duration of outages...

> -Drew
>
>
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins at arbor.net]
> Sent: Wednesday, December 08, 2010 11:54 AM
> To: North American Operators' Group
> Subject: Re: Over a decade of DDOS--any progress yet?
>
>
> On Dec 8, 2010, at 11:47 PM, Jay Coley wrote:
>
>> This has been our recent experience as well.
>
> I see link-filling attacks with some regularity; but again, what
> I'm saying is simply that they aren't as prevalent as they used to
> be, because the attackers don't *need* to fill links in order to
> achieve their goals, in many cases.
>
> That being said, high-bandwidth DNS reflection/amplification attacks
> tip the scales, every time.
>
>> Lastly there is usually always someone at the other end of these
>> attacks watching what is working and what is not
>
>
> This is a very important point - determined attackers will observe
> and react in order to try and defeat successful countermeasures, so
> the defenders must watch for shifting attack vectors.
>
> -----------------------------------------------------------------------
>
> Roland Dobbins //
>
> Sell your computer and buy a guitar.
>

From rdobbins at arbor.net Fri Dec 10 18:30:18 2010
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Sat, 11 Dec 2010 00:30:18 +0000
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: <4D02AF04.1040608@bogus.com>
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com>
Message-ID:

On Dec 11, 2010, at 5:51 AM, Joel Jaeggli wrote:

> Paying for DOS mitigation you rarely if ever use is quite expensive.

Some operators offer 'Clean Pipes' commercial DDoS mitigation services; they have various fee models, and they charge their end-customers for it.

It's positioned as a form of insurance, for the end-customer.

-----------------------------------------------------------------------
Roland Dobbins //

Sell your computer and buy a guitar.

From simon.leinen at switch.ch Sat Dec 11 05:09:35 2010
From: simon.leinen at switch.ch (Simon Leinen)
Date: Sat, 11 Dec 2010 12:09:35 +0100
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: (Greg Whynott's message of "Thu, 9 Dec 2010 13:23:19 -0500")
References: <01811070-0EE1-44C2-A79A-FB9E68215D9A@gmail.com> <4CFFA7B8.8000306@gmail.com> <4CFFAD03.3050703@brightok.net> <4CFFE4E2.6000802@rollernet.us> <4D011C31.5020903@xyonet.com>
Message-ID:

Greg Whynott writes:
> i found it funny how M$ started giving away virus/security software
> for its OS. it can't fix the leaky roof, so it includes a roof patch
> kit. (and puts about 10 companies out of business at the same time)

I actually like the new arrangement better, where Microsoft provides the security software to its OS customers "for free".
The previous setup had third parties (anti-virus vendors) profiting from the weaknesses in Microsoft's software. The new arrangement provides better incentives for fixing the security weaknesses at the source, at least as far as Microsoft is concerned. Even for third-party providers of buggy software, Microsoft probably has better leverage towards them than the numerous anti-virus vendors.

But then maybe my armchair economics are totally wrong.
--
Simon.

From rs at seastrom.com Sat Dec 11 06:54:03 2010
From: rs at seastrom.com (Robert E. Seastrom)
Date: Sat, 11 Dec 2010 07:54:03 -0500
Subject: BGP multihoming question.
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CE50@RWC-EX1.corp.seven.com> (George Bonser's message of "Fri, 10 Dec 2010 09:24:24 -0800")
References: <050E06A1-5E7B-413C-B8DE-CEF3F72176BE@puck.nether.net> <1291894346.2820.9.camel@valio> <017265BF3B9640499754DD48777C3D206A1241C16B@MBX9.EXCHPROD.USA.NET> <4D02425E.1090907@spectraaccess.com> <5A6D953473350C4B9995546AFE9939EE0B14CE50@RWC-EX1.corp.seven.com>
Message-ID: <86d3p8o4gk.fsf@seastrom.com>

"George Bonser" writes:

>> -----Original Message-----
>> From: Bret Clark
>> Sent: Friday, December 10, 2010 7:08 AM
>> To: nanog at nanog.org
>> Subject: Re: BGP multihoming question.
>>
>> On 12/10/2010 10:01 AM, Dylan Ebner wrote:
>> > 3. You cannot trust the second isp to advertise the SWIP block
>> > correctly if they are not a tier 1. Even though they may advertise it
>> > for you to their upstream, they don't always have the appropriate
>> > procedures in place to get the LOAs to the upstream so your block just
>> > gets filtered out.
>> >
>> Just got done battling this exact issue with one of our upstream
>> peers...caused a lot of headaches for us.
>
> Proper registration in a routing registry helps, too.

As does, frankly, having an ISP with a clue... and purported "tier" has little to do with it.
-r

From tme at multicasttech.com Sat Dec 11 09:19:32 2010
From: tme at multicasttech.com (Marshall Eubanks)
Date: Sat, 11 Dec 2010 10:19:32 -0500
Subject: LOIC tool used in the "Anonymous" attacks
Message-ID: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>

Interesting analysis of the 3 "LOIC" tool variants used in the "Anonymous" Operation Payback attacks on Mastercard, Paypal, etc.

http://www.simpleweb.org/reports/loic-report.pdf

LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers.

Regards
Marshall

From pfunix at gmail.com Sat Dec 11 10:12:55 2010
From: pfunix at gmail.com (Beavis)
Date: Sat, 11 Dec 2010 10:12:55 -0600
Subject: LOIC tool used in the "Anonymous" attacks
In-Reply-To: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
References: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
Message-ID:

Interesting.. there's an ED about LOIC

http://encyclopediadramatica.com/LOIC

It even gives an instruction on how to deny the use of the tool: (funny)

    What if I get caught and V&d?

    You probably won't. It's recommended that you attack with over 9000 other
    anons, while attacking alone pretty much means doing nothing. If you are a
    complete idiot and LOIC a small server alone, there is a chance of getting
    V&. No one will bother, let alone have the resources, to deal with DDoS
    attacks that happen every minute around the world. Then there's always the
    botnet excuse. Just say your pc was infected by a botnet and you have since
    run antivirus programs and what not to try to get rid of it. Or just say
    you have NFI what a DDoS is at all.

    PROTIP: If you do get V&: ALWAYS deny it, Explain it was botnet, Say you
    have dynamic IP and that they have the wrong guy. Also, epic lolz will be
    achieved because you are a fag.
    DDOS ONLY IN GROUPS

On Sat, Dec 11, 2010 at 9:19 AM, Marshall Eubanks wrote:
> Interesting analysis of the 3 "LOIC" tool variants used in the "Anonymous" Operation Payback attacks on Mastercard, Paypal, etc.
>
> http://www.simpleweb.org/reports/loic-report.pdf
>
> LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers.
>
> Regards
> Marshall
>

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/

From sfouant at shortestpathfirst.net Sat Dec 11 11:34:20 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Sat, 11 Dec 2010 12:34:20 -0500
Subject: LOIC tool used in the "Anonymous" attacks
In-Reply-To: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
References: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
Message-ID: <001e01cb9959$a5f5f590$f1e1e0b0$@net>

> -----Original Message-----
> From: Marshall Eubanks [mailto:tme at multicasttech.com]
> Sent: Saturday, December 11, 2010 10:20 AM
> To: North American Network Operators Group
> Subject: LOIC tool used in the "Anonymous" attacks
>
> Interesting analysis of the 3 "LOIC" tool variants used in the
> "Anonymous" Operation Payback attacks on Mastercard, Paypal, etc.
>
> http://www.simpleweb.org/reports/loic-report.pdf
>
> LOIC makes no attempt to hide the IP addresses of the attackers, making
> it easy to trace them if they are using their own computers.

IMO, LOIC is a very unsophisticated tool. There are methods the attackers could have used to obfuscate their IP (while still employing a complete TCP 3-way handshake) if they were a bit more knowledgeable. Although it's equivalent to a sophomore year CS project, it has the benefit of being "easy to use" and so lowers the barrier to entry for would-be script kiddies looking for a fun afternoon.
There is also evidence of its use in the wild outside of "the hive".

I think the skill level of these guys is clearly evidenced by one of the members who forgot to remove the metadata from their most recent "press release".

Stefan

From andrew.wallace at rocketmail.com Sat Dec 11 13:59:07 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Sat, 11 Dec 2010 11:59:07 -0800 (PST)
Subject: LOIC tool used in the "Anonymous" attacks
Message-ID: <472093.18468.qm@web59608.mail.ac4.yahoo.com>

I was reading about this - yeah, really "anonymous".

http://praetorianprefect.com/archives/2010/12/anonymous-releases-very-unanonymous-press-release/

Also:

http://www.boingboing.net/2010/12/11/anonymous-isnt-loic.html

Andrew

From: Stefan Fouant
To: 'Marshall Eubanks'; 'North American Network Operators Group'
Cc:
Sent: Saturday, 11 December 2010, 17:34:20
Subject: RE: LOIC tool used in the "Anonymous" attacks

I think the skill level of these guys is clearly evidenced by one of the members who forgot to remove the metadata from their most recent "press release".

Stefan

From isabeldias1 at yahoo.com Sat Dec 11 14:36:25 2010
From: isabeldias1 at yahoo.com (isabel dias)
Date: Sat, 11 Dec 2010 12:36:25 -0800 (PST)
Subject: [Operational] Internet Police
In-Reply-To: <4D027609.6000006@bogus.com>
References: <39CC48EA-9C95-4666-B1CA-15B3F9E19E1A@arbor.net> <201012101108.01089.lowen@pari.edu> <12764.1292000819@localhost> <4D027609.6000006@bogus.com>
Message-ID: <500755.56255.qm@web52606.mail.re2.yahoo.com>

Check the agreed maintenance windows as defined in the (SLA) section? Maintenance Plans, etc.?

----- Original Message ----
From: Joel Jaeggli
To: Valdis.Kletnieks at vt.edu
Cc: nanog at nanog.org
Sent: Fri, December 10, 2010 6:48:41 PM
Subject: Re: [Operational] Internet Police

On 12/10/10 9:06 AM, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
>
> I believe the word you wanted was "hooliganism".
> And we have a legal system
> that has about 3,000 years of experience in dealing with *that*, thank you very
> much.

The code of Hammurabi or Ur-Nammu would probably cut off your hand or require the payment of several minas of silver.

The failure isn't one of the legal system not having the tools to prosecute this sort of activity, it's the failure to effectively police it. Other attractive nuisances that cause economic damage, such as graffiti and antisocial behavior (of which much of this DoS activity clearly is), have been around longer than the code of Ur-Nammu and we haven't solved them yet either.

From isabeldias1 at yahoo.com Sat Dec 11 14:37:47 2010
From: isabeldias1 at yahoo.com (isabel dias)
Date: Sat, 11 Dec 2010 12:37:47 -0800 (PST)
Subject: Global Crossing/GBLX tech needed - AS3549
In-Reply-To:
References:
Message-ID: <300548.56665.qm@web52606.mail.re2.yahoo.com>

Location?

----- Original Message ----
From: Matt Disuko
To: NANOG
Sent: Thu, December 9, 2010 3:02:59 PM
Subject: Global Crossing/GBLX tech needed - AS3549

Can a Global Crossing IP engineer please contact me off-list?

Thanks,
Matt

From jna at retina.net Sat Dec 11 14:52:41 2010
From: jna at retina.net (John Adams)
Date: Sat, 11 Dec 2010 12:52:41 -0800
Subject: LOIC tool used in the "Anonymous" attacks
In-Reply-To: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
References: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com>
Message-ID:

It's hard to believe that it took eight people to run wireshark and write this simplistic paper about LOIC.
The analysis is weak at best (it seems they only had a few days to study the problem), and never analyzes the source code, which has been widely available at https://github.com/NewEraCracker/LOIC A cursory analysis of HTTPFlooder.cs would give you all you need to know to understand the attack and block the tool. If you find your network attacked by this tool, you'll immediately discover a large volume of HTTP requests with no User-Agent or Accept: headers. Drop those requests at the border. You can also compile requests of that nature to analyze the size of the swarm that is attacking you. In analysis, I've found this to be on the order of 2000-3000 hosts. It's a decently sized ACL to place on your ingress routers, but these attacks can be thwarted. -j On Sat, Dec 11, 2010 at 7:19 AM, Marshall Eubanks wrote: > Interesting analysis of the 3 "LOIC" tool variants used in the "Anonymous" Operation Payback attacks on Mastercard, Paypal, etc. > > http://www.simpleweb.org/reports/loic-report.pdf > > LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. > > Regards > Marshall > > > From bicknell at ufp.org Sat Dec 11 15:21:29 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Sat, 11 Dec 2010 13:21:29 -0800 Subject: LOIC tool used in the "Anonymous" attacks In-Reply-To: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com> References: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com> Message-ID: <20101211212129.GA42207@ussenterprise.ufp.org> In a message written on Sat, Dec 11, 2010 at 10:19:32AM -0500, Marshall Eubanks wrote: > LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. Perhaps the authors of the tool would rather keep the finite law enforcement busy rounding up clueless high school kids who install this tool. In that sense it's both a network packet DDOS, and a law enforcement attacker DDOS.
Brilliant in a way. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From mc3401 at columbia.edu Sat Dec 11 15:27:44 2010 From: mc3401 at columbia.edu (Michael Costello) Date: Sat, 11 Dec 2010 16:27:44 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com> <20101208115846.4b43ff25@mead.decaying.org> Message-ID: <20101211162744.5967891e@mead.decaying.org> On Fri, 10 Dec 2010 15:32:10 -0500 Drew Weaver wrote: > I should've "qualified" my question by saying "What valid application > which traverses the Internet and could be seen at the edge of a > network actually uses UDP 80?" I'll grant that my response was a bit pedantic: there is no legitimate reason for such traffic to leave a network. > I can't imagine there is too much Cisco NAC client for macs carrying > on over the Internet, although I have been wrong in the past. I imagine you're right, and that any network that detects any significant amount would be one whose first octet is a common fourth-octet-of-a-gateway (1, 65, 129, etc). mc From tme at americafree.tv Sat Dec 11 15:39:55 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Sat, 11 Dec 2010 16:39:55 -0500 Subject: LOIC tool used in the "Anonymous" attacks In-Reply-To: <20101211212129.GA42207@ussenterprise.ufp.org> References: <552A8A0C-1F5B-44EB-A75E-A028D5D31C26@multicasttech.com> <20101211212129.GA42207@ussenterprise.ufp.org> Message-ID: <5A99F7D4-07CC-4DCB-8245-ABB6CC05F7B4@americafree.tv> On Dec 11, 2010, at 4:21 PM, Leo Bicknell wrote: > In a message written on Sat, Dec 11, 2010 at 10:19:32AM -0500, Marshall Eubanks wrote: >> LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers.
> > Perhaps the authors of the tool would rather keep the finite law > enforcement busy rounding up clueless highschool kids who install > this tool. > > In that sense it's both a network packet DDOS, and a law enforcement > attacker DDOS. Brilliant in a way. Or maybe that's a feature, not a bug. False flag operations to ensnare the clueless have a long history of running code. Regards Marshall > > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ From andrew.wallace at rocketmail.com Sat Dec 11 15:41:48 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Sat, 11 Dec 2010 13:41:48 -0800 (PST) Subject: LOIC tool used in the "Anonymous" attacks Message-ID: <364428.13105.qm@web59605.mail.ac4.yahoo.com> Like I said the other day on Cnet comments section, December 10, 2010 3:31 PM PST. "It is extremely easy to find out who everyone is, because the "anonymous" is decentralised and easy to infiltrate and manipulate." Andrew From: Leo Bicknell To: North American Network Operators Group Cc: Sent: Saturday, 11 December 2010, 21:21:29 Subject: Re: LOIC tool used in the "Anonymous" attacks Perhaps the authors of the tool would rather keep the finite law enforcement busy rounding up clueless highschool kids who install this tool. In that sense it's both a network packet DDOS, and a law enforcement attacker DDOS. Brilliant in a way. From jeffrey.lyon at blacklotus.net Sat Dec 11 19:16:20 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Sat, 11 Dec 2010 20:16:20 -0500 Subject: Mastercard problems In-Reply-To: <590810.26399.qm@web59603.mail.ac4.yahoo.com> References: <590810.26399.qm@web59603.mail.ac4.yahoo.com> Message-ID: The USSS has jurisdiction over all DDoS (threats to critical infrastructure). Jeff On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace wrote: > I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. 
> > "Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States." --- secretservice.gov > > > Andrew > > > ----- Original Message ----- > From:Christopher Morrow > To:Jack Bates > Cc:"nanog at nanog.org" > Sent:Wednesday, 8 December 2010, 18:47:49 > Subject:Re: Mastercard problems > > > I know that the folks involved on the MC side already have this data, > and that the fbi is interested in it. > > -chris > > > > > -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From tshaw at oitc.com Sat Dec 11 19:42:05 2010 From: tshaw at oitc.com (TR Shaw) Date: Sat, 11 Dec 2010 20:42:05 -0500 Subject: Mastercard problems In-Reply-To: References: <590810.26399.qm@web59603.mail.ac4.yahoo.com> Message-ID: So then why is there a cyber command and a cyber group part of homeland security charged with protection of critical infrastructure if critical infrastructure is the responsibility of USSS? Looks like we have too many keystone cops (the AF advertises an operational Cyber Command with nothing really there) who might fall over one another not to mention get in the way of the owners of the infrastructure who probably know it better than the feds. On Dec 11, 2010, at 8:16 PM, Jeffrey Lyon wrote: > The USSS has jurisdiction over all DDoS (threats to critical infrastructure). > > Jeff > > On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace > wrote: >> I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. >> >> "Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States." 
--- secretservice.gov >> >> >> Andrew >> >> >> ----- Original Message ----- >> From:Christopher Morrow >> To:Jack Bates >> Cc:"nanog at nanog.org" >> Sent:Wednesday, 8 December 2010, 18:47:49 >> Subject:Re: Mastercard problems >> >> >> I know that the folks involved on the MC side already have this data, >> and that the fbi is interested in it. >> >> -chris >> >> >> >> >> > > > > -- > Jeffrey Lyon, Leadership Team > jeffrey.lyon at blacklotus.net | http://www.blacklotus.net > Black Lotus Communications - AS32421 > First and Leading in DDoS Protection Solutions > From jeffrey.lyon at blacklotus.net Sat Dec 11 19:49:58 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Sat, 11 Dec 2010 20:49:58 -0500 Subject: Mastercard problems In-Reply-To: References: <590810.26399.qm@web59603.mail.ac4.yahoo.com> Message-ID: http://www.secretservice.gov/ectf_newyork.shtml Each field office has their own page. Jeff On Sat, Dec 11, 2010 at 8:42 PM, TR Shaw wrote: > So then why is there a cyber command and a cyber group part of homeland security charged with protection of critical infrastructure if critical infrastructure is the responsibility of USSS? Looks like we have too many keystone cops (the AF advertises an operational Cyber Command with nothing really there) who might fall over one another not to mention get in the way of the owners of the infrastructure who probably know it better than the feds. > > > On Dec 11, 2010, at 8:16 PM, Jeffrey Lyon wrote: > >> The USSS has jurisdiction over all DDoS (threats to critical infrastructure). >> >> Jeff >> >> On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace >> wrote: >>> I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. >>> >>> "Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States."
--- secretservice.gov >>> >>> >>> Andrew >>> >>> >>> ----- Original Message ----- >>> From:Christopher Morrow >>> To:Jack Bates >>> Cc:"nanog at nanog.org" >>> Sent:Wednesday, 8 December 2010, 18:47:49 >>> Subject:Re: Mastercard problems >>> >>> >>> I know that the folks involved on the MC side already have this data, >>> and that the fbi is interested in it. >>> >>> -chris >>> >>> >>> >>> >>> >> >> >> >> -- >> Jeffrey Lyon, Leadership Team >> jeffrey.lyon at blacklotus.net | http://www.blacklotus.net >> Black Lotus Communications - AS32421 >> First and Leading in DDoS Protection Solutions >> > > > -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From morrowc.lists at gmail.com Sat Dec 11 23:05:11 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Sun, 12 Dec 2010 00:05:11 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4D02AF04.1040608@bogus.com> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli wrote: > On 12/10/10 12:33 PM, Drew Weaver wrote: >> Nobody has really driven the point home that yes you can purchase a >> system from Arbor, RioRey, make your own mitigation system; what-have >> you, but you still have to pay for the transit to digest the attack, >> which is probably the main cost right now. > > or you outsource it and it's still costlier. > > Paying for DOS mitigation you rarely if ever use is quite expensive. If > you use it a lot it's even more expensive, but can at least be > rationalized on the basis of known costs e.g. npv calculation on the > number and duration of outages... 
> verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or thereabouts) -chris >> -Drew >> >> >> -----Original Message----- From: Dobbins, Roland >> [mailto:rdobbins at arbor.net] Sent: Wednesday, December 08, 2010 11:54 >> AM To: North American Operators' Group Subject: Re: Over a decade of >> DDOS--any progress yet? >> >> >> On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: >> >>> This has been our recent experience as well. >> >> I see a link-filling attacks with some regularity; but again, what >> I'm saying is simply that they aren't as prevalent as they used to >> be, because the attackers don't *need* to fill links in order to >> achieve their goals, in many cases. >> >> That being said, high-bandwidth DNS reflection/amplification attacks >> tip the scales, every time. >> >>> Lastly there is usually always someone at the other end of these >>> attacks watching what is working and what is not >> >> >> This is a very important point - determined attackers will observe >> and react in order to try and defeat successful countermeasures, so >> the defenders must watch for shifting attack vectors. >> >> ----------------------------------------------------------------------- >> >> > Roland Dobbins // >> >> Sell your computer and buy a guitar. >> >> >> >> >> >> >> > > > From jeffrey.lyon at blacklotus.net Sat Dec 11 23:20:39 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Sun, 12 Dec 2010 00:20:39 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: I'm certain there are thresholds to that.
Carrier grade mitigation solutions will start low and ramp up to 5, 6, 7, etc. figures depending on the attack and amount of bandwidth to be filtered among other variables. Jeff On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow wrote: > On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli wrote: >> On 12/10/10 12:33 PM, Drew Weaver wrote: >>> Nobody has really driven the point home that yes you can purchase a >>> system from Arbor, RioRey, make your own mitigation system; what-have >>> you, but you still have to pay for the transit to digest the attack, >>> which is probably the main cost right now. >> >> or you outsource it and it's still costlier. >> >> Paying for DOS mitigation you rarely if ever use is quite expensive. If >> you use it a lot it's even more expensive, but can at least be >> rationalized on the basis of known costs e.g. npv calculation on the >> number and duration of outages... >> > > verizon's ddos service was/is 3250/month flat... not extra if there > was some sort of incident, and completely self-service for the > customer(s). Is 3250/month a reasonable insurance against loss? > (40k/yr or there abouts) > > -chris > >>> -Drew >>> >>> >>> -----Original Message----- From: Dobbins, Roland >>> [mailto:rdobbins at arbor.net] Sent: Wednesday, December 08, 2010 11:54 >>> AM To: North American Operators' Group Subject: Re: Over a decade of >>> DDOS--any progress yet? >>> >>> >>> On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: >>> >>>> This has been our recent experience as well. >>> >>> I see a link-filling attacks with some regularity; but again, what >>> I'm saying is simply that they aren't as prevalent as they used to >>> be, because the attackers don't *need* to fill links in order to >>> achieve their goals, in many cases. >>> >>> That being said, high-bandwidth DNS reflection/amplification attacks >>> tip the scales, every time. 
>>> >>>> Lastly there is usually always someone at the other end of these >>>> attacks watching what is working and what is not >>> >>> >>> This is a very important point - determined attackers will observe >>> and react in order to try and defeat successful countermeasures, so >>> the defenders must watch for shifting attack vectors. >>> >>> ----------------------------------------------------------------------- >>> >>> >> Roland Dobbins // >>> >>> Sell your computer and buy a guitar. >>> >>> >>> >>> >>> >>> >>> >> >> >> > > -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From morrowc.lists at gmail.com Sat Dec 11 23:41:32 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Sun, 12 Dec 2010 00:41:32 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Sun, Dec 12, 2010 at 12:20 AM, Jeffrey Lyon wrote: > I'm certain there are thresholds to that. Carrier grade mitigation > solutions will start low and ramp up to 5, 6, 7, etc. figures > depending on the attack and amount of bandwidth to be filtered among > other variables. > nope, the pricing (when I was there, and I don't think it's changed much) is 3250/month for 500mbps of mitigation, though there was ~12gbps available easily before any work had to be done by the ISP... If the plan I/sfouant put in place was followed you could have scaled the capacity to much higher than that. If a customer continuously abused the 'limit' they may have been boosted to the next tier, but... I'd not ever seen that done. 3250/month... easy, peasy.
-chris > Jeff > > > On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow > wrote: >> On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli wrote: >>> On 12/10/10 12:33 PM, Drew Weaver wrote: >>>> Nobody has really driven the point home that yes you can purchase a >>>> system from Arbor, RioRey, make your own mitigation system; what-have >>>> you, but you still have to pay for the transit to digest the attack, >>>> which is probably the main cost right now. >>> >>> or you outsource it and it's still costlier. >>> >>> Paying for DOS mitigation you rarely if ever use is quite expensive. If >>> you use it a lot it's even more expensive, but can at least be >>> rationalized on the basis of known costs e.g. npv calculation on the >>> number and duration of outages... >>> >> >> verizon's ddos service was/is 3250/month flat... not extra if there >> was some sort of incident, and completely self-service for the >> customer(s). Is 3250/month a reasonable insurance against loss? >> (40k/yr or there abouts) >> >> -chris >> >>>> -Drew >>>> >>>> >>>> -----Original Message----- From: Dobbins, Roland >>>> [mailto:rdobbins at arbor.net] Sent: Wednesday, December 08, 2010 11:54 >>>> AM To: North American Operators' Group Subject: Re: Over a decade of >>>> DDOS--any progress yet? >>>> >>>> >>>> On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: >>>> >>>>> This has been our recent experience as well. >>>> >>>> I see a link-filling attacks with some regularity; but again, what >>>> I'm saying is simply that they aren't as prevalent as they used to >>>> be, because the attackers don't *need* to fill links in order to >>>> achieve their goals, in many cases. >>>> >>>> That being said, high-bandwidth DNS reflection/amplification attacks >>>> tip the scales, every time. 
>>>> >>>>> Lastly there is usually always someone at the other end of these >>>>> attacks watching what is working and what is not >>>> >>>> >>>> This is a very important point - determined attackers will observe >>>> and react in order to try and defeat successful countermeasures, so >>>> the defenders must watch for shifting attack vectors. >>>> >>>> ----------------------------------------------------------------------- >>>> >>>> >>> Roland Dobbins // >>>> >>>> Sell your computer and buy a guitar. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >>> >> >> > > > > -- > Jeffrey Lyon, Leadership Team > jeffrey.lyon at blacklotus.net | http://www.blacklotus.net > Black Lotus Communications - AS32421 > First and Leading in DDoS Protection Solutions > From aaron.glenn at gmail.com Sat Dec 11 23:42:07 2010 From: aaron.glenn at gmail.com (Aaron Glenn) Date: Sun, 12 Dec 2010 00:42:07 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow wrote: > > verizon's ddos service was/is 3250/month flat... not extra if there > was some sort of incident, and completely self-service for the > customer(s). Is 3250/month a reasonable insurance against loss? > (40k/yr or there abouts) reasonable, but 'completely self-service' ? how much to have an engineer pump my gas for me (full service)? does that include a windshield wipe down, tire pressure and oil check (old timey full service extras)? From morrowc.lists at gmail.com Sun Dec 12 01:58:10 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Sun, 12 Dec 2010 02:58:10 -0500 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Sun, Dec 12, 2010 at 12:42 AM, Aaron Glenn wrote: > On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow > wrote: >> >> verizon's ddos service was/is 3250/month flat... not extra if there >> was some sort of incident, and completely self-service for the >> customer(s). Is 3250/month a reasonable insurance against loss? >> (40k/yr or there abouts) > > reasonable, but 'completely self-service' ? > how much to have an engineer pump my gas for me (full service)? does > that include a windshield wipe down, tire pressure and oil check (old > timey full service extras)? end customer sends the right community and mitigation happens... remove the community it stops. no need to call someone and make it happen, just have the NOC/etc at your network follow a simple procedure. you are funny though :) (and I think you can call for free, 1-800 number, and get an engineer to make things happen for you as well...) -Chris From hank at efes.iucc.ac.il Sun Dec 12 02:13:58 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Sun, 12 Dec 2010 10:13:58 +0200 Subject: Prepare for Openleaks and other copycats Message-ID: <5.1.0.14.2.20101212101228.00c0bd58@efes.iucc.ac.il> http://www.independent.co.uk/news/world/politics/wikileaks-splits-as-volunteers-quit-to-set-up-rival-website-2157420.html -Hank From bc-list at beztech.net Sun Dec 12 07:55:29 2010 From: bc-list at beztech.net (Ben C.) Date: Sun, 12 Dec 2010 08:55:29 -0500 Subject: cablevision? Message-ID: Hi all, Does anybody know anything about a large cablevision outage this morning? Their support phone lines are busy signals... 
Thanks Ben From frnkblk at iname.com Sun Dec 12 11:09:09 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Sun, 12 Dec 2010 11:09:09 -0600 Subject: cablevision? In-Reply-To: References: Message-ID: Yes: http://www.dslreports.com/forum/r25190780-Optonline-outage-12-12-2010 Frank -----Original Message----- From: Ben C. [mailto:bc-list at beztech.net] Sent: Sunday, December 12, 2010 7:55 AM To: nanog at nanog.org Subject: cablevision? Hi all, Does anybody know anything about a large cablevision outage this morning? Their support phone lines are busy signals... Thanks Ben From jsw at inconcepts.biz Sun Dec 12 12:36:08 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Sun, 12 Dec 2010 13:36:08 -0500 Subject: peering, derivatives, and big brother Message-ID: A read through this New York Times article on derivatives clearing, and the exclusivity that big banks seek to maintain, would look very much like an article on large-scale peering, to someone who is not expert in both topics. The transit-free club and the "derivatives dealers club" may have other similarities in the future, and it's worth watching how further government regulation develops in this area. It may lead to insight into how government might eventually regulate ISPs seeking to become settlement-free. "'It appears that the membership criteria were set so that a certain group of market participants could meet that, and everyone else would have to jump through hoops,' Mr. Katz said." http://www.nytimes.com/2010/12/12/business/12advantage.html?pagewanted=1&_r=1&src=busln -- Jeff S Wheeler Sr Network Operator /
Innovative Network Concepts From ken at sizone.org Sun Dec 12 12:39:28 2010 From: ken at sizone.org (Ken) Date: Sun, 12 Dec 2010 13:39:28 -0500 Subject: peering, derivatives, and big brother In-Reply-To: References: Message-ID: <20101212183928.GB3704@sizone.org> On Sun, Dec 12, 2010 at 01:36:08PM -0500, Jeff Wheeler said: >A read through this New York Times article on derivatives clearing, >and the exclusivity that big banks seek to maintain, would look very >much like an article on large-scale peering, to someone who is not >expert in both topics. The transit-free club and the "derivatives >dealers club" may have other similarities in the future, and it's >worth watching how further government regulation develops in this >area. It may lead to insight into how government might eventually >regulate ISPs seeking to become settlement-free. >http://www.nytimes.com/2010/12/12/business/12advantage.html?pagewanted=1&_r=1&src=busln Don't think so. 'cyber' is a panic word, results in way different regulations. Also, the top players' influences through backchannels on the regulation process would be vastly different in those two industries. /kc -- Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W. From wschultz at bsdboy.com Sun Dec 12 15:33:29 2010 From: wschultz at bsdboy.com (Wil Schultz) Date: Sun, 12 Dec 2010 13:33:29 -0800 Subject: Amazon.co.uk, and most of Amazon Europe, appears to be down. Message-ID: <6213EB4F-5C86-4D0E-861F-0B5FD5964D70@bsdboy.com> Unknown if this is due to the recent doings of late, but it appears as if Amazon Europe appears to be down. The anons are definitely trying to cause disruptions, but I find it difficult to believe that they are the actual cause. Time will tell.
-wil From frnkblk at iname.com Sun Dec 12 15:39:10 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Sun, 12 Dec 2010 15:39:10 -0600 Subject: Amazon.co.uk, and most of Amazon Europe, appears to be down. In-Reply-To: <6213EB4F-5C86-4D0E-861F-0B5FD5964D70@bsdboy.com> References: <6213EB4F-5C86-4D0E-861F-0B5FD5964D70@bsdboy.com> Message-ID: This is not Amazon per se, but if you look at http://status.aws.amazon.com/, and choose the Europe tab, Amazon Elastic Compute Cloud (Ireland), Amazon Simple Notification Service (Ireland), and Amazon Simple Queue Service (Ireland) are having performance issues. Frank -----Original Message----- From: Wil Schultz [mailto:wschultz at bsdboy.com] Sent: Sunday, December 12, 2010 3:33 PM To: North American Network Operators Group Subject: Amazon.co.uk, and most of Amazon Europe, appears to be down. Unknown if this is due to the recent doings of late, but it appears as if Amazon Europe appears to be down. The anon's are definitely trying to cause disruptions, I find it difficult to believe that they are the actual cause. Time will tell. -wil From andrew.wallace at rocketmail.com Sun Dec 12 15:46:23 2010 From: andrew.wallace at rocketmail.com (andrew.wallace) Date: Sun, 12 Dec 2010 13:46:23 -0800 (PST) Subject: Amazon.co.uk, and most of Amazon Europe, appears to be down. Message-ID: <955462.38607.qm@web59611.mail.ac4.yahoo.com> Thenextweb have been quick to push out speculation - http://thenextweb.com/uk/2010/12/12/amazon-co-uk-and-de-are-down-is-anonymous-to-blame/ Andrew ----- Original Message ----- From:Wil Schultz To:North American Network Operators Group Cc: Sent:Sunday, 12 December 2010, 21:33:29 Subject:Amazon.co.uk, and most of Amazon Europe, appears to be down. Unknown if this is due to the recent doings of late, but it appears as if Amazon Europe appears to be down. The anon's are definitely trying to cause disruptions, I find it difficult to believe that they are the actual cause. Time will tell.
-wil From joelja at bogus.com Sun Dec 12 20:02:54 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Sun, 12 Dec 2010 18:02:54 -0800 Subject: Pointer for documentation on actually delivering IPv6 In-Reply-To: <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> References: <4CFB09C2.5090905@amplex.net> <20101206114306.GA68751@atsuko> <498B56C5-9811-440C-88DE-67C0DFF1A0DB@arbor.net> <7347880A-24A7-4E67-B5CB-93AE90A3CB84@puck.nether.net> Message-ID: <4D057ECE.9030902@bogus.com> On 12/6/10 6:55 AM, Jared Mauch wrote: > > On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote: > >> Speaking of IPV6 security, is there any movement towards any open >> source IPV6 firewall solutions for the consumer / small business? >> >> Almost all the info I've managed to find to date indicates no >> support, nor any planned support in upcoming releases. >> >> Any info would be helpful. > > Honestly (and I'm sure some IPv6 folks will want me injured as a > result) there should be some '1918-like' space allocated for the > corporate guys who "don't get it", so they can nat everyone through a > single /128. It would make life easier for them and quite possibly > be a large item in pushing ipv6 deployment in the enterprise. There's literally nothing to prevent them from doing that today. There's a /8 of ULA-L, and NAT66 implementations exist. > I don't see our corporate IT guys that number stuff in 1918 space > wanting to put hosts on 'real' ips. The chances for unintended > routing are enough to make them say that v6 is actually a security > risk vs security enabler is my suspicion. The chances of unintended routing with overlapping RFC 1918 domains and a bit of 2547 VPN in the mix are non-trivial... Using GUA IPv6 space there's at least some chance that I'll actually see the leak and interpret it as such rather than wondering why my packets are going into a black hole or being discarded as out of state because they come back on a different VRF than they go out on.
> - Jared > From gbonser at seven.com Sun Dec 12 21:36:06 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 12 Dec 2010 19:36:06 -0800 Subject: peering, derivatives, and big brother In-Reply-To: References: Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> > -----Original Message----- > From: Jeff Wheeler > Sent: Sunday, December 12, 2010 10:36 AM > To: nanog at nanog.org > Subject: peering, derivatives, and big brother > > A read through this New York Times article on derivatives clearing, > and the exclusivity that big banks seek to maintain, would look very > much like an article on large-scale peering, to someone who is not > expert in both topics. The transit-free club and the "derivatives > dealers club" may have other similarities in the future, and it's > worth watching how further government regulation develops in this > area. It may lead to insight into how government might eventually > regulate ISPs seeking to become settlement-free. I don't see how this can happen with the number of wide open exchanges that exist these days. Take the several Equinix IX exchange points as an example. They aren't controlled by any cartel of participants who dictate who can and who cannot play. Each network sets their own peering policy. As most of the traffic is from content heavy networks to eyeball heavy networks, direct peering between them makes sense. The financial derivatives market isn't, in my opinion, a good analogy of the peering market. A data packet is "perishable" and must be moved quickly. The destination network wants the packet in order to keep their customer happy and the originating network wants to get it to that customer as quickly and cheaply as possible. The proliferation of these peering points means that today there is more traffic going directly from content network to eyeball network. 
To use a different analogy, it is almost like the market is going to a series of farmer's markets rather than supermarkets in the distribution channel. Sure, there are still the "supermarkets" out there, but increasingly they are selling their "store brand" by becoming content hosting networks themselves. I would expect with the current direction of interconnectivity, third party transit traffic would become a decreasing percentage of the aggregate total bandwidth a network moves. Or at least the third party transit traffic becomes smaller amounts of traffic from a larger number of sources with the big sources of traffic connecting to the big sinks of traffic directly and third party transit collecting the crumbs (albeit probably a large amount of crumbs). From ljakab at ac.upc.edu Mon Dec 13 05:35:00 2010 From: ljakab at ac.upc.edu (=?ISO-8859-1?Q?Lor=E1nd_Jakab?=) Date: Mon, 13 Dec 2010 12:35:00 +0100 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: <4D0604E4.8070209@ac.upc.edu> The thread made it to both NetworkWorld: http://www.networkworld.com/news/2010/120910-wikileaks-ddos-attacks.html and Slashdot: http://tech.slashdot.org/story/10/12/12/2120254/Has-Progress-Been-Made-In-Fighting-DDoS-Attacks with the usual set of comments :) -Lorand Jakab On 12/12/2010 08:58 AM, Christopher Morrow wrote: > On Sun, Dec 12, 2010 at 12:42 AM, Aaron Glenn wrote: >> On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow >> wrote: >>> verizon's ddos service was/is 3250/month flat... not extra if there >>> was some sort of incident, and completely self-service for the >>> customer(s). Is 3250/month a reasonable insurance against loss? 
>>> (40k/yr or there abouts) >> reasonable, but 'completely self-service' ? >> how much to have an engineer pump my gas for me (full service)? does >> that include a windshield wipe down, tire pressure and oil check (old >> timey full service extras)? > end customer sends the right community and mitigation happens... > remove the community it stops. no need to call someone and make it > happen, just have the NOC/etc at your network follow a simple > procedure. > > you are funny though :) (and I think you can call for free, 1-800 > number, and get an engineer to make things happen for you as well...) > > -Chris > From drew.weaver at thenap.com Mon Dec 13 07:49:56 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Mon, 13 Dec 2010 08:49:56 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or there abouts) -chris >>> That doesn't sound too unreasonable as long as you are in a market Verizon services and you can find the right Verizon rep who isn't trying to sell transit at $25/mbps. thanks, -Drew From drew.weaver at thenap.com Mon Dec 13 07:52:43 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Mon, 13 Dec 2010 08:52:43 -0500 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: I'm certain there are thresholds to that. Carrier grade mitigation solutions will start low and ramp up to 5, 6, 7, etc. figures depending on the attack and amount of bandwidth to be filtered among other variables. >>> My point was, if you "mitigate" the attack vs. null routing the target you have to pay for the transit that the attack consumes between your network and the upstream network(s). thanks, -Drew From jared at puck.nether.net Mon Dec 13 08:32:03 2010 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 13 Dec 2010 09:32:03 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> On Dec 12, 2010, at 12:05 AM, Christopher Morrow wrote: > verizon's ddos service was/is 3250/month flat... not extra if there > was some sort of incident, and completely self-service for the > customer(s). Is 3250/month a reasonable insurance against loss? > (40k/yr or there abouts) Or just buy a gig-e from cogent at 3$/meg/mo (or is it $4 this month?) to burn for ddos. The problem I've found is that some of the vendors of ddos gear still have significant problems they are working to address. The Cisco (riverhead) guard would have a 1 second delay (for example) for each configuration line one would add. If you dealt with a wildcard rule, it would be 1 second per underlying rule to make the configuration change. 
The ability to 'paste' something in to a device and have a predictable output seemed to be too high of a bar for them to solve, this could be one of the reasons the product went to the wayside. I'm also not sure that anyone else is much better in this regard. Of course everyone is willing to sell you a seven-figure "solution" for your problems, but once you actually start talking about the usability, ease of provisioning, and the customer education about the caveats most people start to glaze quickly. Even with the right gear, technology, etc.. the vendors don't make it easy to deliver these solutions. - Jared From mikea at mikea.ath.cx Mon Dec 13 08:49:03 2010 From: mikea at mikea.ath.cx (mikea) Date: Mon, 13 Dec 2010 08:49:03 -0600 Subject: LOIC tool used in the "Anonymous" attacks In-Reply-To: <472093.18468.qm@web59608.mail.ac4.yahoo.com> References: <472093.18468.qm@web59608.mail.ac4.yahoo.com> Message-ID: <20101213144903.GA25883@mikea.ath.cx> On Sat, Dec 11, 2010 at 11:59:07AM -0800, andrew.wallace wrote: > I was reading about this- yeah really "anonymous". > > http://praetorianprefect.com/archives/2010/12/anonymous-releases-very-unanonymous-press-release/ > > Also: > > http://www.boingboing.net/2010/12/11/anonymous-isnt-loic.html All we know with certainty is that there is *a* name in the metadata. Why would anyone conclude that it is definitely the name of the author? -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From morrowc.lists at gmail.com Mon Dec 13 09:09:16 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 13 Dec 2010 10:09:16 -0500 Subject: Over a decade of DDOS--any progress yet? 
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Mon, Dec 13, 2010 at 8:49 AM, Drew Weaver wrote: > > verizon's ddos service was/is 3250/month flat... not extra if there > was some sort of incident, and completely self-service for the > customer(s). Is 3250/month a reasonable insurance against loss? > (40k/yr or there abouts) > > -chris >>>> > > That doesn't sound too unreasonable as long as you are in a market Verizon services and you can find the right Verizon rep who isn't trying to sell transit at $25/mbps. > if you find that guy, maybe they'll also be the mythical unicorn of a sales person who will sell you ipv6 transit too? -chris From thepacketmaster at hotmail.com Mon Dec 13 09:10:39 2010 From: thepacketmaster at hotmail.com (James Smith) Date: Mon, 13 Dec 2010 10:10:39 -0500 Subject: Wholesale DSL implementation in Canada Message-ID: We're looking at implementing a DSL private network in various provinces in Canada. There seems to be two main ways to do this: build the network yourself by creating relationships with the local DSL providers (Bell, Telus, MTS, etc) ; or build the network using a third-party that already has a DSL infrastructure in place. The third-party DSL infrastructure is a sure thing, since they've been doing it for a while. However, we're looking at a large number of locations so the cost of implementing the DSL internally seems to be more compelling. Not having implemented a DSL infrastructure before, I'm wondering if anyone on NANOG has any advice on this? What technical or political issues might we run into? What is the best choice of hardware? (Juniper or Cisco)? Feel free to contact me off-list if you'd prefer. 
James From morrowc.lists at gmail.com Mon Dec 13 09:11:13 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 13 Dec 2010 10:11:13 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> Message-ID: On Mon, Dec 13, 2010 at 8:52 AM, Drew Weaver wrote: > I'm certain there are thresholds to that. Carrier grade mitigation > solutions will start low and ramp up to 5, 6, 7, etc. figures > depending on the attack and amount of bandwidth to be filtered among > other variables. > >>>> > > My point was, if you "mitigate" the attack vs. null routing the target you have to pay for the transit that the attack consumes between your network and the upstream network(s). > so... with a carrier managed solution (or the one ATT/Sprint/VZB sold) the transit of the attack happens inside their networks and isn't charged to the end-customer (the destination, obviously contributing customers get charged :) ) -chris From tshaw at oitc.com Mon Dec 13 09:20:00 2010 From: tshaw at oitc.com (TR Shaw) Date: Mon, 13 Dec 2010 10:20:00 -0500 Subject: Wholesale DSL implementation in Canada In-Reply-To: References: Message-ID: <1F667AAF-2B33-49D0-B17E-317818EED5FA@oitc.com> On Dec 13, 2010, at 10:10 AM, James Smith wrote: > > We're looking at implementing a DSL private network in various provinces in Canada. There seems to be two main ways to do this: build the network yourself by creating relationships with the local DSL providers (Bell, Telus, MTS, etc) ; or build the network using a third-party that already has a DSL infrastructure in place. The third-party DSL infrastructure is a sure thing, since they've been doing it for a while. 
However, we're looking at a large number of locations so the cost of implementing the DSL internally seems to be more compelling. > > Not having implemented a DSL infrastructure before, I'm wondering if anyone on NANOG has any advice on this? What technical or political issues might we run into? What is the best choice of hardware? (Juniper or Cisco)? Feel free to contact me off-list if you'd prefer. > > James James, You need to be sure that there is DSL coverage everywhere you are looking at. Just as in rural and non metropolitan US there are lots of places in Canada not yet serviced by DSL because they are too far from a POP and/or the infrastructure is not up to snuff. Tom From erik.soosalu at calyxinc.com Mon Dec 13 09:22:25 2010 From: erik.soosalu at calyxinc.com (Erik Soosalu) Date: Mon, 13 Dec 2010 10:22:25 -0500 Subject: Wholesale DSL implementation in Canada In-Reply-To: References: Message-ID: <0B224A2FE01CC54C860290D42474BF600483E228@exchange.nff.local> I'm using a third party for about 15 sites of Private DSL across Canada. Others may have different issues, but mine so far have been: - SaskTel apparently doesn't connect with anybody (or so I have been told) so I'm stuck with VPN. - My connections in Telus country have only been ADSL PVC (not PPPoE Private). Apparently, PPPoE private is coming in the new year. I'm looking forward to this to bring my costs down. I'm running Cisco 800s of various levels with no real issues. I like the one neck to choke thing of the third party (but then again I'm an enterprise guy) Thanks, Erik Soosalu -----Original Message----- From: James Smith [mailto:thepacketmaster at hotmail.com] Sent: Monday, December 13, 2010 10:11 AM To: nanog at nanog.org Subject: Wholesale DSL implementation in Canada We're looking at implementing a DSL private network in various provinces in Canada. 
There seems to be two main ways to do this: build the network yourself by creating relationships with the local DSL providers (Bell, Telus, MTS, etc) ; or build the network using a third-party that already has a DSL infrastructure in place. The third-party DSL infrastructure is a sure thing, since they've been doing it for a while. However, we're looking at a large number of locations so the cost of implementing the DSL internally seems to be more compelling. Not having implemented a DSL infrastructure before, I'm wondering if anyone on NANOG has any advice on this? What technical or political issues might we run into? What is the best choice of hardware? (Juniper or Cisco)? Feel free to contact me off-list if you'd prefer. James From mike at sentex.net Mon Dec 13 09:31:39 2010 From: mike at sentex.net (Mike Tancsa) Date: Mon, 13 Dec 2010 10:31:39 -0500 Subject: Wholesale DSL implementation in Canada In-Reply-To: References: Message-ID: <4D063C5B.7060408@sentex.net> On 12/13/2010 10:10 AM, James Smith wrote: > > We're looking at implementing a DSL private network in various provinces in Canada. There seems to be two main ways to do this: build the network yourself by creating relationships with the local DSL providers (Bell, Telus, MTS, etc) ; or build the network using a third-party that already has a DSL infrastructure in place. The third-party DSL infrastructure is a sure thing, since they've been doing it for a while. However, we're looking at a large number of locations so the cost of implementing the DSL internally seems to be more compelling. > > Not having implemented a DSL infrastructure before, I'm wondering if anyone on NANOG has any advice on this? What technical or political issues might we run into? What is the best choice of hardware? (Juniper or Cisco)? Feel free to contact me off-list if you'd prefer. 
For regulations, start with http://www.crtc.gc.ca/ How you can lease copper loops, how you can colo in CO etc are all laid out in various tariffs ---Mike From berry at gadsdenst.org Mon Dec 13 10:08:14 2010 From: berry at gadsdenst.org (Berry Mobley) Date: Mon, 13 Dec 2010 11:08:14 -0500 Subject: Wake on LAN in the enterprise Message-ID: Hello... I'm trying to get a handle on implementation of wake-on-lan in an enterprise environment. Cisco gear, lots of subnets. I've made it work with directed broadcasts, but I'd really rather not have 40 or 50 'ip helper-address x.x.x.bcastaddr' statements on the vlans with the SMS servers. Are there any enterprises that are doing this for large (100+) numbers of subnets? I can't find a single example anywhere with more than 2 networks. I've searched the Cisco-NSP archives as well with no luck, but maybe I didn't go back far enough. Thanks for any help you can provide. Berry Mobley From jbates at brightok.net Mon Dec 13 10:15:00 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 13 Dec 2010 10:15:00 -0600 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> Message-ID: <4D064684.7080801@brightok.net> On 12/13/2010 8:32 AM, Jared Mauch wrote: > Or just buy a gig-e from cogent at 3$/meg/mo (or is it $4 this > month?) to burn for ddos. > *cough* 10G burstable with 1-2G commit. Still cheaper than anything else I have or can get, and more likely to handle those large DDOS cases, where you can just reroute the affected network through the 10G and mitigate with whatever hardware you have.
> Of course everyone is willing to sell you a seven-figure "solution" > for your problems, but once you actually start talking about the > usability, ease of provisioning, and the customer education about the > caveats most people start to glaze quickly. > > Even with the right gear, technology, etc.. the vendors don't make it > easy to deliver these solutions. True, but they often will dedicate some time and effort during an attack to make things work. There are many in-house custom solutions you can use, and we've seen public blacklists use many of them over the years. If you want the extra support during the crisis, you pay the 3rd party for their product to get it. Jack From ospfisisis at gmail.com Mon Dec 13 10:23:50 2010 From: ospfisisis at gmail.com (Mark Wall) Date: Mon, 13 Dec 2010 11:23:50 -0500 Subject: Internap FCP Message-ID: Greetings Nanog, Looking for some off-list reviews/insight on the FCP, We are looking into the device for purchase over the next few months, We are in the 10G range of products. Thank you From owen at delong.com Mon Dec 13 10:20:20 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 13 Dec 2010 08:20:20 -0800 Subject: Wake on LAN in the enterprise In-Reply-To: References: Message-ID: WOL is unfortunately terribly deficient in that the spec. never envisioned the possibility of a need for wake on WAN. Bottom line, it's a non-routeable layer 2 protocol. Your choices boil down to the helper address nightmare you describe or proxy servers on every subnet. Owen On Dec 13, 2010, at 8:08 AM, Berry Mobley wrote: > Hello... > > I'm trying to get a handle on implementation of wake-on-lan in an enterprise environment. Cisco gear, lots of subnets. I've made it work with directed broadcasts, but I'd really rather not have 40 or 50 'ip helper-address x.x.x.bcastaddr' statements on the vlans with the SMS servers. > > Are there any enterprises that are doing this for large (100+) numbers of subnets? 
I can't find a single example anywhere with more than 2 networks. > > I've searched the Cisco-NSP archives as well with no luck, but maybe I didn't go back far enough. > > Thanks for any help you can provide. > > Berry Mobley > From jbates at brightok.net Mon Dec 13 10:32:52 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 13 Dec 2010 10:32:52 -0600 Subject: Wake on LAN in the enterprise In-Reply-To: References: Message-ID: <4D064AB4.5080706@brightok.net> On 12/13/2010 10:20 AM, Owen DeLong wrote: > WOL is unfortunately terribly deficient in that the spec. never envisioned the possibility > of a need for wake on WAN. > > Bottom line, it's a non-routeable layer 2 protocol. Your choices boil down to the > helper address nightmare you describe or proxy servers on every subnet. > I would suspect that proxy servers being the better deal, though my experience with Cisco is that you may have to use ASR type gear to get a nicer layout (similar to service providers) where you can backend everything to a radius server (I'm still waiting to test this myself, but IOS is really weak on DHCP support). Jack From lowen at pari.edu Mon Dec 13 10:39:04 2010 From: lowen at pari.edu (Lamar Owen) Date: Mon, 13 Dec 2010 11:39:04 -0500 Subject: Wake on LAN in the enterprise In-Reply-To: References: Message-ID: <201012131139.04379.lowen@pari.edu> On Monday, December 13, 2010 11:20:20 am Owen DeLong wrote: > WOL is unfortunately terribly deficient in that the spec. never envisioned the possibility > of a need for wake on WAN. Use case I can think of: 'green' data center running VMware VI3 or vSphere with DRS and dynamically bringing blades online through WoL to handle load peaks and still stay green (when a host is empty, using the VMware API you can take it to maintenance mode and shut it down; use WoL to boot it back up when you need it). > Bottom line, it's a non-routeable layer 2 protocol. 
Your choices boil down to the > helper address nightmare you describe or proxy servers on every subnet. In the use case I mention it wouldn't be a problem, since under VMware DRS (which relies on VMotion) you have to have layer 2 transparency anyway. Would this not be a use case also for something like VPLS or EoMPLS? From jared at puck.nether.net Mon Dec 13 10:40:20 2010 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 13 Dec 2010 11:40:20 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <4D064684.7080801@brightok.net> References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> <4D064684.7080801@brightok.net> Message-ID: On Dec 13, 2010, at 11:15 AM, Jack Bates wrote: > On 12/13/2010 8:32 AM, Jared Mauch wrote: >> Or just buy a gig-e from cogent at 3$/meg/mo (or is it $4 this >> month?) to burn for ddos. >> > *cough* 10G burstable with 1-2G commit. Still cheaper than anything else > I have or can get, and more likely to handle those large DDOS cases, > where you can just reroute the affected network through the 10G and > mitigate with whatever hardware you have. My point is, there is this 'middle' space where it's hard to justify spending money on something that isn't used. Of course it's easy to view as "insurance" and easier to justify *after* an attack (or loss). It is hard to proactively justify this type of expense. If for every 10G of capacity you had a 40k/year "security" surcharge, at what point do you factor this in as part of your regular bandwidth costs vs the current "down and to the right" pricing trend? Delivering these services is something that, I have observed, is difficult to ask someone to pay for unless they have experience with it.
Most are willing to start off with the "self-insure" premise until it is too much to bear, then immediately they are willing to pay 'something' to allow capital cost recovery. >> Of course everyone is willing to sell you a seven-figure "solution" >> for your problems, but once you actually start talking about the >> usability, ease of provisioning, and the customer education about the >> caveats most people start to glaze quickly. >> >> Even with the right gear, technology, etc.. the vendors don't make it >> easy to deliver these solutions. > > True, but they often will dedicate some time and effort during an attack to make things work. There are many in-house custom solutions you can use, and we've seen public blacklists use many of them over the years. If you want the extra support during the crisis, you pay the 3rd party for their product to get it. I am talking about those purporting to offer ddos solution hardware either past, present or future. If it's 2010 or 2011 and you experience flow-control like issues with your CLI interface, either slow interactive response or garbled processing (over telnet/ssh) there is something not quite right IMHO. Then again, I'm known for being a bit of an odd character. - Jared From patrick at zill.net Mon Dec 13 10:50:49 2010 From: patrick at zill.net (Patrick Giagnocavo) Date: Mon, 13 Dec 2010 11:50:49 -0500 Subject: Wake on LAN in the enterprise In-Reply-To: References: Message-ID: <4D064EE9.7090804@zill.net> On 12/13/2010 11:08 AM, Berry Mobley wrote: > Hello... > > I'm trying to get a handle on implementation of wake-on-lan in an > enterprise environment. Cisco gear, lots of subnets. I've made it work > with directed broadcasts, but I'd really rather not have 40 or 50 'ip > helper-address x.x.x.bcastaddr' statements on the vlans with the SMS > servers. > Assuming you are talking servers and not desktops, you will probably end up doing this with IPMI, which most servers have on-motherboard these days. 
Cordially Patrick From jbates at brightok.net Mon Dec 13 10:55:20 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 13 Dec 2010 10:55:20 -0600 Subject: Wake on LAN in the enterprise In-Reply-To: References: <4D064AB4.5080706@brightok.net> Message-ID: <4D064FF8.3000408@brightok.net> On 12/13/2010 10:43 AM, Christopher.Marget at usc-bt.com wrote: > Jack Bates: >> I would suspect that proxy servers being the better deal, though >> my experience with Cisco is that you may have to use ASR type gear >> to get a nicer layout (similar to service providers) where you can >> backend everything to a radius server (I'm still waiting to test >> this myself, but IOS is really weak on DHCP support). > > I hope someone will please clarify the problem statement? > My problem is lack of WOL experience and associating dhcp-helper address with DHCP; ie, speaking without knowledge. I'm bad about that. :) > The only router/switch configuration required was to permit directed > broadcasts from the systems doing the waking. On by default, I > believe, but locked down in my environment. > IOS specific, I believe. Some have it on; some have it off. Jack From grobe0ba at gmail.com Mon Dec 13 11:02:59 2010 From: grobe0ba at gmail.com (Atticus) Date: Mon, 13 Dec 2010 12:02:59 -0500 Subject: No subject Message-ID: Cc From a.harrowell at gmail.com Mon Dec 13 11:07:50 2010 From: a.harrowell at gmail.com (Alexander Harrowell) Date: Mon, 13 Dec 2010 17:07:50 +0000 Subject: In-Reply-To: References: Message-ID: <201012131707.51458.a.harrowell@gmail.com> On Monday 13 December 2010 17:02:59 Atticus wrote: > Cc I presume this is some sort of spam-test? -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. 
URL: From jbates at brightok.net Mon Dec 13 11:12:09 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 13 Dec 2010 11:12:09 -0600 Subject: In-Reply-To: <201012131707.51458.a.harrowell@gmail.com> References: <201012131707.51458.a.harrowell@gmail.com> Message-ID: <4D0653E9.5050003@brightok.net> On 12/13/2010 11:07 AM, Alexander Harrowell wrote: > On Monday 13 December 2010 17:02:59 Atticus wrote: >> Cc > > I presume this is some sort of spam-test? > I got 3 emails from Atticus. One quoting data only, one saying just Z, and another carboned to x at gamil.com with just "zzsxezzzzxzzzzz On Dec 13, 2010 11:34 AM, "Jack Bates" wrote:" in the body and none of the other quotes. So I'm thinking the same thing. From bruns at 2mbit.com Mon Dec 13 11:17:56 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Mon, 13 Dec 2010 10:17:56 -0700 Subject: In-Reply-To: <4D0653E9.5050003@brightok.net> References: <201012131707.51458.a.harrowell@gmail.com> <4D0653E9.5050003@brightok.net> Message-ID: <4D065544.8010806@2mbit.com> On 12/13/10 10:12 AM, Jack Bates wrote: > On 12/13/2010 11:07 AM, Alexander Harrowell wrote: >> On Monday 13 December 2010 17:02:59 Atticus wrote: >>> Cc >> >> I presume this is some sort of spam-test? >> > > I got 3 emails from Atticus. one quoting data only, one saying just Z, > and another carboned to x at gamil.com with just > > "zzsxezzzzxzzzzz > On Dec 13, 2010 11:34 AM, "Jack Bates" wrote:" > > > In the body and none of the other quotes. > > So I'm thinking the same thing. > I can has training wheels? -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org From grobe0ba at gmail.com Mon Dec 13 11:24:19 2010 From: grobe0ba at gmail.com (Atticus) Date: Mon, 13 Dec 2010 12:24:19 -0500 Subject: Wake on LAN in the enterprise In-Reply-To: <4D0652B8.7020704@brightok.net> References: <4D064AB4.5080706@brightok.net> <4D0652B8.7020704@brightok.net> Message-ID: Apologies to all that got a quote email from me.
My phone decided to pocket-reply to you. From hag at linnaean.org Mon Dec 13 11:47:17 2010 From: hag at linnaean.org (Daniel Hagerty) Date: 13 Dec 2010 12:47:17 -0500 Subject: Wake on LAN in the enterprise In-Reply-To: Owen DeLong's message of "Mon, 13 Dec 2010 08:20:20 -0800" References: Message-ID: Owen DeLong writes: > WOL is unfortunately terribly deficient in that the spec. never envisioned the possibility of a need for wake on WAN. > > Bottom line, it's a non-routeable layer 2 protocol. Your choices boil down to the helper address nightmare you describe or proxy servers on every subnet. WoL works just fine over routed networks; the magic packet format doesn't preclude it. I send WoL over routed networks several times a day. The only gotcha is that you need some kind of arrangement for either directed broadcast, or hardcode ndp/arp entries. Perl code snippet below:

    use strict;
    use warnings;

    my $wolhost = "wolhost.example.com";
    my $wolhost_mac = "de:ad:be:ef:ca:fe";
    my $mac = $wolhost_mac;
    $mac =~ s/[: ]//g;    # strip separators so the MAC is 12 hex digits

    # Use socat to build a wakeonlan packet inside a udp6 datagram.
    # Magic packet: six 0xff bytes followed by the target MAC repeated 16 times.
    my $packed_bcast = pack("H12", "f" x 12);
    my $packed_mac = pack("H12", $mac);
    my $dgram = $packed_bcast . ( $packed_mac x 16);

    # 9 is the discard port. For whatever reason, the wrong thing
    # happens when the port is referenced by name, despite having the
    # name in /etc/services.
    open(SOCAT, "|-", (qw(socat -u STDIN), "UDP6-DATAGRAM:$wolhost:9")) || die "popen: $!";
    # Low-precedence 'or' here: with '||' the die would bind to $dgram and never fire.
    print SOCAT $dgram or die "print: $!";
    close(SOCAT) or die "socat exited with status $?";

From woody at pch.net Mon Dec 13 11:58:44 2010 From: woody at pch.net (Bill Woodcock) Date: Mon, 13 Dec 2010 09:58:44 -0800 Subject: That thing the USG keeps sending people to OECD meetings to try to obfuscate: Message-ID: http://tech.slashdot.org/submission/1416250/68-of-US-broadband-connections-arent-broadband -Bill -------------- next part -------------- A non-text attachment was scrubbed...
Name: PGP.sig Type: application/pgp-signature Size: 194 bytes Desc: This is a digitally signed message part URL: From sasmekoll at gmail.com Sun Dec 12 20:33:52 2010 From: sasmekoll at gmail.com (Vovan) Date: Mon, 13 Dec 2010 05:33:52 +0300 Subject: New message Message-ID: <4d065171.960acc0a.2ff4.1aa6@mx.google.com> http://samec.org.ua/ From bogstad at pobox.com Mon Dec 13 13:04:31 2010 From: bogstad at pobox.com (Bill Bogstad) Date: Mon, 13 Dec 2010 14:04:31 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> <4D064684.7080801@brightok.net> Message-ID: FYI, A single data point on current DDOS traffic levels. An Akamai press release says they handled DDOS attacks peaking at 14Gbps in the Nov. 30 to Dec 2nd time frame. http://finance.yahoo.com/news/Akamai-Shields-Leading-prnews-2768453391.html "The majority of attack traffic against the five retailers initiated from distributed IP addresses out of Thailand, Mexico, Philippines, and Brazil and reached peaks of up to 14 Gbps, with some websites experiencing up to 10,000 times above normal daily traffic." Bill Bogstad From rdobbins at arbor.net Mon Dec 13 13:11:42 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 13 Dec 2010 19:11:42 +0000 Subject: Over a decade of DDOS--any progress yet?
In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> <4D064684.7080801@brightok.net> Message-ID: On Dec 14, 2010, at 2:04 AM, Bill Bogstad wrote: > A single data point on current DDOS traffic levels. In the 2009 Arbor WWISR, the largest attack reported was 49gb/sec. We're currently wrapping up the 2010 WWISR, and the largest attack report was considerably larger. ----------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From berry at gadsdenst.org Mon Dec 13 13:38:23 2010 From: berry at gadsdenst.org (Berry Mobley) Date: Mon, 13 Dec 2010 14:38:23 -0500 Subject: Wake on LAN in the enterprise In-Reply-To: References: Message-ID: Thanks, everyone, for the replies - looks like I need to get my server team interested in knowing broadcast addresses for hosts, and making SMS send to those addresses. I do have the 'ip directed-broadcast ' in place, but the servers are currently sending the magic packets to the all-1's address. Maybe I can get that changed. Berry From jeffrey.lyon at blacklotus.net Mon Dec 13 13:40:50 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Mon, 13 Dec 2010 14:40:50 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> <4D064684.7080801@brightok.net> Message-ID: The largest attacks we have solid proof on are 20+ Gbps. 
The only larger ones that I've seen were in companies' marketing collateral vs.
real life.

Jeff

On Mon, Dec 13, 2010 at 2:11 PM, Dobbins, Roland wrote:
>
> On Dec 14, 2010, at 2:04 AM, Bill Bogstad wrote:
>
>> A single data point on current DDOS traffic levels.
>
> In the 2009 Arbor WWISR, the largest attack reported was 49gb/sec. We're currently wrapping up the 2010 WWISR, and the largest attack report was considerably larger.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
>               Sell your computer and buy a guitar.
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From laurent at guerby.net Mon Dec 13 14:07:26 2010
From: laurent at guerby.net (Laurent GUERBY)
Date: Mon, 13 Dec 2010 21:07:26 +0100
Subject: peering, derivatives, and big brother
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com>
References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com>
Message-ID: <1292270846.13327.234.camel@pc2.unassigned-domain>

On Sun, 2010-12-12 at 19:36 -0800, George Bonser wrote:
> (...)
> The financial derivatives market isn't, in my opinion, a good analogy of
> the peering market. A data packet is "perishable" and must be moved
> quickly. The destination network wants the packet in order to keep
> their customer happy and the originating network wants to get it to that
> customer as quickly and cheaply as possible. The proliferation of these
> peering points means that today there is more traffic going directly
> from content network to eyeball network. To use a different analogy, it
> is almost like the market is going to a series of farmer's markets
> rather than supermarkets in the distribution channel.
Sure, there are > still the "supermarkets" out there, but increasingly they are selling > their "store brand" by becoming content hosting networks themselves. (...) Hi, The electricity spot market is close to your definition of "perishable": http://en.wikipedia.org/wiki/Electricity_market It has a derivative market, google for "electricity derivatives" will give you some papers and models. I'm pretty sure electricity and bandwidth share some patterns. Now who wants to be the Enron of the bandwidth market? :) Sincerely, Laurent http://guerby.org/blog From gbonser at seven.com Mon Dec 13 14:28:45 2010 From: gbonser at seven.com (George Bonser) Date: Mon, 13 Dec 2010 12:28:45 -0800 Subject: peering, derivatives, and big brother In-Reply-To: <1292270846.13327.234.camel@pc2.unassigned-domain> References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> <1292270846.13327.234.camel@pc2.unassigned-domain> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CEDB@RWC-EX1.corp.seven.com> > The electricity spot market is close to your definition of > "perishable": > > http://en.wikipedia.org/wiki/Electricity_market > > It has a derivative market, google for "electricity derivatives" will > give you some papers and models. > > I'm pretty sure electricity and bandwidth share some patterns. > > Now who wants to be the Enron of the bandwidth market? :) Enron actually WAS dealing in bandwidth at one point: http://www.internetnews.com/xSP/article.php/253861/Enron-Opens-Bandwidth -Commodity-Trading-Service.htm From oberman at es.net Mon Dec 13 14:29:35 2010 From: oberman at es.net (Kevin Oberman) Date: Mon, 13 Dec 2010 12:29:35 -0800 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: Your message of "Mon, 13 Dec 2010 10:09:16 EST." 
Message-ID: <20101213202935.C482E1CC12@ptavv.es.net> > Date: Mon, 13 Dec 2010 10:09:16 -0500 > From: Christopher Morrow > > On Mon, Dec 13, 2010 at 8:49 AM, Drew Weaver wrote: > > > > verizon's ddos service was/is 3250/month flat... not extra if there > > was some sort of incident, and completely self-service for the > > customer(s). Is 3250/month a reasonable insurance against loss? > > (40k/yr or there abouts) > > > > -chris > >>>> > > > > That doesn't sound too unreasonable as long as you are in a market Verizon services and you can find the right Verizon rep who isn't trying to sell transit at $25/mbps. > > > > if you find that guy, maybe they'll also be the mythical unicorn of a > sales person who will sell you ipv6 transit too? Unless VZB has started accepting prefixes longer than /32, they really don't have real IPv6 transit to sell. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From morrowc.lists at gmail.com Mon Dec 13 14:42:20 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 13 Dec 2010 15:42:20 -0500 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: <20101213202935.C482E1CC12@ptavv.es.net> References: <20101213202935.C482E1CC12@ptavv.es.net> Message-ID: On Mon, Dec 13, 2010 at 3:29 PM, Kevin Oberman wrote: >> Date: Mon, 13 Dec 2010 10:09:16 -0500 >> From: Christopher Morrow >> if you find that guy, maybe they'll also be the mythical unicorn of a >> sales person who will sell you ipv6 transit too? > > Unless VZB has started accepting prefixes longer than /32, they really > don't have real IPv6 transit to sell. I did say 'mythical unicorn of a sales person' didn't I? 
:) -chris From rdobbins at arbor.net Mon Dec 13 15:11:17 2010 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 13 Dec 2010 21:11:17 +0000 Subject: Over a decade of DDOS--any progress yet? In-Reply-To: References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03> <2C4B4ECC-F61E-4059-A8DE-165DD8F85A96@exa-networks.co.uk> <5220B68C-9C8C-460E-B64E-2646BDE2A398@arbor.net> <63CF5704-B49D-43D5-BC8E-F76336CD0005@arbor.net> <4CFFB68D.4080405@prolexic.com> <4D02AF04.1040608@bogus.com> <76E52273-83D7-40CE-9380-8FB0ED5565C2@puck.nether.net> <4D064684.7080801@brightok.net> Message-ID: <1505D1D1-50E5-4F90-A2E2-F7461028C7C3@arbor.net> On Dec 14, 2010, at 2:40 AM, "Jeffrey Lyon" wrote: > The only larger ones that i've seen were in company's marketing collateral vs. > real life. Here's a link to last year's Report (previous editions may be downloaded, as well): The WWISR is the result of a survey we perform every year of network operators; survey participants fill in their own answers, & we collect the data, collate it, analyze it, & publish it. We've observed packet-flooding attacks which are considerably larger than what's reported in the WWISR via ATLAS; but as the WWISR is about what operators see and share, we vet, relay & comment upon the observations of survey respondents. --------------------------------------------------------------------- Roland Dobbins // Sell your computer and buy a guitar. From dhetzel at gmail.com Mon Dec 13 15:28:13 2010 From: dhetzel at gmail.com (Dorn Hetzel) Date: Mon, 13 Dec 2010 16:28:13 -0500 Subject: peering, derivatives, and big brother In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CEDB@RWC-EX1.corp.seven.com> References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> <1292270846.13327.234.camel@pc2.unassigned-domain> <5A6D953473350C4B9995546AFE9939EE0B14CEDB@RWC-EX1.corp.seven.com> Message-ID: Yeah, well, sorta. 
sorta not so much :)

On Mon, Dec 13, 2010 at 3:28 PM, George Bonser wrote:
> > The electricity spot market is close to your definition of
> > "perishable":
> >
> > http://en.wikipedia.org/wiki/Electricity_market
> >
> > It has a derivative market, google for "electricity derivatives" will
> > give you some papers and models.
> >
> > I'm pretty sure electricity and bandwidth share some patterns.
> >
> > Now who wants to be the Enron of the bandwidth market? :)
>
> Enron actually WAS dealing in bandwidth at one point:
>
> http://www.internetnews.com/xSP/article.php/253861/Enron-Opens-Bandwidth
> -Commodity-Trading-Service.htm
>

From Gavin.Pearce at 3seven9.com Mon Dec 13 16:45:18 2010
From: Gavin.Pearce at 3seven9.com (Gavin Pearce)
Date: Mon, 13 Dec 2010 22:45:18 -0000
Subject:
In-Reply-To: <4D065544.8010806@2mbit.com>
References: <201012131707.51458.a.harrowell@gmail.com> <4D0653E9.5050003@brightok.net> <4D065544.8010806@2mbit.com>
Message-ID:

-----Original Message-----
From: Atticus [mailto:grobe0ba at gmail.com]
Sent: 13 December 2010 17:24
To: nanog at nanog.org
Subject: Re: Wake on LAN in the enterprise

Apologies to all that got a quote email from me. My phone decided to
pocket-reply to you.

-----Original Message-----
From: Brielle Bruns [mailto:bruns at 2mbit.com]
Sent: 13 December 2010 17:18
To: nanog at nanog.org
Subject: Re:

On 12/13/10 10:12 AM, Jack Bates wrote:
> On 12/13/2010 11:07 AM, Alexander Harrowell wrote:
>> On Monday 13 December 2010 17:02:59 Atticus wrote:
>>> Cc
>>
>> I presume this is some sort of spam-test?
>>
>
> I got 3 emails from Atticus. one quoting data only, one saying just Z,
> and another carboned to x at gamil.com with just
>
> "zzsxezzzzxzzzzz
> On Dec 13, 2010 11:34 AM, "Jack Bates" wrote:"
>
>
> In the body and none of the other quotes.
>
> So I'm thinking the same thing.
>

I can has training wheels?
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org

From backdoorsanta1 at hotmail.com Mon Dec 13 23:07:34 2010
From: backdoorsanta1 at hotmail.com (Backdoor Santa)
Date: Mon, 13 Dec 2010 21:07:34 -0800
Subject: Some truth about Comcast - WikiLeaks style
Message-ID:

Ever wonder what Comcast's connections to the Internet look like? In the tradition of WikiLeaks, someone stumbled upon these graphs of their TATA links. For reference, TATA is the only other IP transit provider to Comcast after Level (3). Comcast is a customer of TATA and pays them to provide them with access to the Internet.

1 day graphs:

Image #1: http://img149.imageshack.us/img149/78/ntoday.gif
Image #1 (Alternate Site): http://www.glowfoto.com/viewimage.php?img=13-224638L&rand=6673&t=gif&m=12&y=2010&srv=img4

Image #2: http://img707.imageshack.us/img707/749/sqnday.gif
Image #2 (Alternate Site): http://www.glowfoto.com/static_image/13-205526L/4331/gif/12/2010/img6/glowfoto

Notice how those graphs flat-line at the top? That's because they're completely full for most of the day. If you were a Comcast customer attempting to stream Netflix via this connection, the movie would be completely unwatchable.

This is how Comcast operates: They intentionally run their IP transit links so full that Content Providers have no other choice but to pay them (Comcast) for access. If you don't pay Comcast, your bits won't make it to their destination. Though they won't openly say that to anyone, the content providers who attempt to push bits towards their customers know it. Comcast customers however have no idea that they're being held hostage in order to extort money from content.

Another thing to notice is the ratio of inbound versus outbound. Since Comcast is primarily a broadband access network provider, they're going to have millions of eyeballs (users) downloading content.
Comcast claims that a good network maintains a 1:1 with them, but that's simply not possible unless you had Comcast and another broadband access network talking to each other. In the attached graphs you can see the ratio is more along the lines of 5:1, which Comcast was complaining about with Level (3).

The reality is that the ratio argument is bogus. Broadband access networks are naturally pull-heavy and it's being used as an excuse to call foul of Level (3) and other content heavy networks. But this shouldn't surprise anyone, the ratio argument has been used for over a decade by many of the large telephone companies as an excuse to deny peering requests. Guess where most of Comcast's senior network executive people came from? Sprint and AT&T. Welcome to the new monopoly of the 21st century.

If you think the above graph is just a bad day or maybe a one off? Let us look at a 30 day graph...

Image #3: http://img823.imageshack.us/img823/8917/ntomonth.gif
Image #3 (Alternate Site): http://www.glowfoto.com/static_image/13-205958L/4767/gif/12/2010/img6/glowfoto

Comcast needs to be truthful with its customers, regulators and the public in general. The Level (3) incident only highlights the fact that Comcast is pinching content and backbone providers to force them to pay for uncongested access to Comcast customers. Otherwise, there's no way to send traffic to Comcast customers via the other paths on the Internet without hitting congested links.

Remember that this is not TATA's fault, Comcast is a CUSTOMER of TATA. TATA cannot force Comcast to upgrade its links, Comcast elects to simply not purchase enough capacity and lets them run full. When Comcast demanded that Level (3) pay them, the only choice Level (3) had was to give in or have its traffic (such as Netflix) routed via the congested TATA links.
If Level (3) didn't agree to pay, that means Netflix and large portions of the Internet to browse would be simply unusable for the majority of the day for Comcast subscribers. Love, Backdoor Santa From jbates at brightok.net Tue Dec 14 00:22:54 2010 From: jbates at brightok.net (Jack Bates) Date: Tue, 14 Dec 2010 00:22:54 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: <4D070D3E.9060404@brightok.net> On 12/13/2010 11:07 PM, Backdoor Santa wrote: > Ever wonder what Comcast's connections to the Internet look like? In the tradition of WikiLeaks, someone stumbled upon these graphs of their TATA links. Forgive me for being the skeptic, but I presume there is at least a traceroute with rDNS mentioning one of the 3 10G interfaces on gin-nto-icore1 from comcast? It's not like the image lists the customer name on it; disregarding photoshop concerns. At least wikileaks documents look like they came from the government and have lots of details. :) Jack From streiner at cluebyfour.org Tue Dec 14 00:39:25 2010 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 14 Dec 2010 01:39:25 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D070D3E.9060404@brightok.net> References: <4D070D3E.9060404@brightok.net> Message-ID: On Tue, 14 Dec 2010, Jack Bates wrote: > On 12/13/2010 11:07 PM, Backdoor Santa wrote: >> Ever wonder what Comcast's connections to the Internet look like? In the >> tradition of WikiLeaks, someone stumbled upon these graphs of their TATA >> links. > > Forgive me for being the skeptic, but I presume there is at least a > traceroute with rDNS mentioning one of the 3 10G interfaces on > gin-nto-icore1 from comcast? > > It's not like the image lists the customer name on it; disregarding photoshop > concerns. At least wikileaks documents look like they came from the > government and have lots of details. :) Agreed. 
There's no independently verifiable detail to lend any credence to the source(s) of the data. It just shows some 10G links flat-topping due to saturation. There's not enough here to get particularly excited.

jms

From swmike at swm.pp.se Tue Dec 14 00:40:20 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 14 Dec 2010 07:40:20 +0100 (CET)
Subject: TCP congestion control and large router buffers
In-Reply-To:
References: <1291907382.19262.212.camel@shrike>
Message-ID:

On Mon, 13 Dec 2010, Sam Stickland wrote:

> Ironically though, wouldn't smaller buffers cost less thus making the CPEs

1 megabyte of buffer (regular RAM) isn't really expensive.

> cheaper still? I believe the argument made in the blog post is that
> cheaper RAM been causing the CPE manufacturers to mistakenly provision
> too much buffer space, which in turn apparently means that TCP can't
> stabilize at a rate less than available bandwidth (I.e. It's the old
> 1980's congestion collapse problem all over again). Of course, you'll
> only see this if a single TCP stream is actually capable of saturating
> the link.
>
> Sam

I would guess they're running standard OSes and haven't tuned the buffers at all. Implementing WRED or fair-queue (even if it just means turning it on) requires validation which the CPE manufacturers want to minimize.

Also it's our fault as a business, how many ISPs have included AQM in their RFPs for CPEs and actually would pay USD5 more per device for this feature?

I'm not very surprised at the lack of this though, it's hard to explain to the end customer with some kind of marketing, both for the ISP and the CPE vendor if they're selling to end customers. It's one of those "in the black box" things that should just work, but there is little upside in having it because it's hard to charge for.
-- Mikael Abrahamsson email: swmike at swm.pp.se From swmike at swm.pp.se Tue Dec 14 00:45:22 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 14 Dec 2010 07:45:22 +0100 (CET) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: On Mon, 13 Dec 2010, Backdoor Santa wrote: > Another thing to notice is the ratio of inbound versus outbound. Since > Comcast is primarily a broadband access network provider, they're going > to have millions of eyeballs (users) downloading content. Actually, there are plenty of access providers with 2:1 ratio (more ul than dl). It's not a matter if you're access provider or not, it's a matter if you offer decent upstream speed or not. In my experience, someone with 10/10 megabit/s ETTH compared to someone with 24/1 ADSL will download the same amount of data on average, but the 10/10 will have four (4) times more upload usage, bringing the ratio from 2:1 (Dl:Ul) on ADSL to 1:2 (Dl:Ul) on ETTH. So because Comcast is offering low upload speeds, they'll have low outgoing amount of traffic compared to incoming. With more and more ISPs offering more symmetric dl/ul speeds, we'll approach 1:1 ratio more and more... -- Mikael Abrahamsson email: swmike at swm.pp.se From Brian.Rettke at cableone.biz Tue Dec 14 00:53:50 2010 From: Brian.Rettke at cableone.biz (Rettke, Brian) Date: Mon, 13 Dec 2010 23:53:50 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> I don't see anything listed that indicates operation that is at all different from any other service provider network. The "capacity" issue listed is not an issue at all. It's simply inciting anger and the same rhetoric that pollutes the legitimate discussion of backbone network constraints. 
When you shout "conspiracy" without offering verifiable facts, and not accounting for the cost (and time) it takes to upgrade networks (much less the fact that it requires capacity upgrades on both sides, in this case between TATA and Comcast), it makes the whole argument invalid in my opinion. That and the "backdoor santa" thing makes me believe the whole thread is designed to flame rather than promote the discourse that is the hallmark of NANOG. I really hope that there are moderators about to verify this: With these kinds of people about I'm less likely to post anything of substance. Sincerely, Brian -----Original Message----- From: Mikael Abrahamsson [mailto:swmike at swm.pp.se] Sent: Monday, December 13, 2010 11:45 PM To: nanog at nanog.org Subject: Re: Some truth about Comcast - WikiLeaks style On Mon, 13 Dec 2010, Backdoor Santa wrote: > Another thing to notice is the ratio of inbound versus outbound. Since > Comcast is primarily a broadband access network provider, they're going > to have millions of eyeballs (users) downloading content. Actually, there are plenty of access providers with 2:1 ratio (more ul than dl). It's not a matter if you're access provider or not, it's a matter if you offer decent upstream speed or not. In my experience, someone with 10/10 megabit/s ETTH compared to someone with 24/1 ADSL will download the same amount of data on average, but the 10/10 will have four (4) times more upload usage, bringing the ratio from 2:1 (Dl:Ul) on ADSL to 1:2 (Dl:Ul) on ETTH. So because Comcast is offering low upload speeds, they'll have low outgoing amount of traffic compared to incoming. With more and more ISPs offering more symmetric dl/ul speeds, we'll approach 1:1 ratio more and more... 
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From jeffrey.lyon at blacklotus.net Tue Dec 14 01:54:13 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Tue, 14 Dec 2010 02:54:13 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <4D070D3E.9060404@brightok.net>
Message-ID:

gin-nto-icore1 is a Tata router at Equinix in NY. Whether or not that
port belongs to Comcast is anyone's guess.

Jeff

On Tue, Dec 14, 2010 at 1:39 AM, Justin M. Streiner wrote:
> On Tue, 14 Dec 2010, Jack Bates wrote:
>
>> On 12/13/2010 11:07 PM, Backdoor Santa wrote:
>>>
>>> Ever wonder what Comcast's connections to the Internet look like? In the
>>> tradition of WikiLeaks, someone stumbled upon these graphs of their TATA
>>> links.
>>
>> Forgive me for being the skeptic, but I presume there is at least a
>> traceroute with rDNS mentioning one of the 3 10G interfaces on
>> gin-nto-icore1 from comcast?
>>
>> It's not like the image lists the customer name on it; disregarding
>> photoshop concerns. At least wikileaks documents look like they came from
>> the government and have lots of details. :)
>
> Agreed. There's no independently verifiable detail to lend any credence to
> the source(s) of the data. It just shows some 10G links flat-topping due to
> saturation. There's not enough here to get particularly excited.
>
> jms
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From ras at e-gerbil.net Tue Dec 14 02:11:56 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 14 Dec 2010 02:11:56 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <4D070D3E.9060404@brightok.net>
Message-ID: <20101214081156.GE38726@gerbil.cluepon.net>

On Tue, Dec 14, 2010 at 02:54:13AM -0500, Jeffrey Lyon wrote:
> gin-nto-icore1 is a Tata router at Equinix in NY.
> Whether or not that
> port belongs to Comcast is anyone's guess.

From Tata's looking glass:

  3  Vlan550.icore1.NTO-NewYork.as6453.net (209.58.26.78) 4 msec
     Vlan551.icore1.NTO-NewYork.as6453.net (209.58.26.82) 4 msec 0 msec
  4  pos-1-9-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.86.41) [AS 7922] 4 msec 4 msec 4 msec

As far as I can tell their DNS doesn't expose Tata's router port names at all:

77.26.58.209.in-addr.arpa domain name pointer Vlan550.icore1.NTO-NewYork.as6453.net.
78.26.58.209.in-addr.arpa domain name pointer Vlan550.icore1.NTO-NewYork.as6453.net.
81.26.58.209.in-addr.arpa domain name pointer Vlan551.icore1.NTO-NewYork.as6453.net.
82.26.58.209.in-addr.arpa domain name pointer Vlan551.icore1.NTO-NewYork.as6453.net.
41.86.86.68.in-addr.arpa domain name pointer pos-1-9-0-0-cr01.newyork.ny.ibone.comcast.net.
42.86.86.68.in-addr.arpa domain name pointer pos-1-0-0-0-pe01.111eighthave.ny.ibone.comcast.net.

Though I suppose if someone was photoshopping it, it would be pretty obvious for them to stick something that does show up in DNS into the graphs, so that doesn't exactly prove much. I'm also assuming Comcast wouldn't be very happy to have these out in public, so there is pretty much no way you're going to see a leaked graph that ISN'T from an anonymous source.

FWIW these graphs pretty much reflect the massive congestion that I've been observing between Tata and Comcast. I've also seen some third party Smokeping graphs which visually show the rate of loss, and the pattern looks very very similar, but I'll let someone who actually maintains them be the one to post them.
-- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From tore.anderson at redpill-linpro.com Tue Dec 14 02:51:41 2010 From: tore.anderson at redpill-linpro.com (Tore Anderson) Date: Tue, 14 Dec 2010 09:51:41 +0100 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101214081156.GE38726@gerbil.cluepon.net> References: <4D070D3E.9060404@brightok.net> <20101214081156.GE38726@gerbil.cluepon.net> Message-ID: <4D07301D.9090505@redpill-linpro.com> * Richard A Steenbergen > FWIW these graphs pretty much reflect the massive congestion that I've > been observing between Tata and Comcast. I've also seen some third party > Smokeping graphs which visually show the rate of loss, and the pattern > looks very very similar, but I'll let someone who actually maintains > them be the one to post them. Voxel have also reported seeing congestion to Comcast via Tata: http://www.voxel.net/blog/2010/12/peering-disputes-comcast-level-3-and-you Best regards, -- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com Tel: +47 21 54 41 27 From swmike at swm.pp.se Tue Dec 14 07:00:20 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 14 Dec 2010 14:00:20 +0100 (CET) Subject: TCP congestion control and large router buffers In-Reply-To: References: <1291907382.19262.212.camel@shrike> Message-ID: On Tue, 14 Dec 2010, Sam Stickland wrote: > But there's no need for AQM, just smaller buffers would make a huge > difference. Well, yes, buffering packets more than let's say 30-50ms on a 1 meg link doesn't make much sense. But doing some basic AQM would make things even better (some packets would see 0 buffering instead of 30ms). > Surely buffers that can store seconds worth of data are simply too big? FIFO with seconds worth of data is just silly, yes. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From dseagrav at humancapitaldev.com Tue Dec 14 07:26:57 2010 From: dseagrav at humancapitaldev.com (Daniel Seagraves) Date: Tue, 14 Dec 2010 07:26:57 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <4D070D3E.9060404@brightok.net> Message-ID: <9E7AE50E-67C5-44D0-8D05-7984B00F5E70@humancapitaldev.com> On Dec 14, 2010, at 12:39 AM, Justin M. Streiner wrote: > On Tue, 14 Dec 2010, Jack Bates wrote: > >> On 12/13/2010 11:07 PM, Backdoor Santa wrote: >>> Ever wonder what Comcast's connections to the Internet look like? In the >>> tradition of WikiLeaks, someone stumbled upon these graphs of their TATA >>> links. >> >> Forgive me for being the skeptic, but I presume there is at least a traceroute with rDNS mentioning one of the 3 10G interfaces on gin-nto-icore1 from comcast? >> >> It's not like the image lists the customer name on it; disregarding photoshop concerns. At least wikileaks documents look like they came from the government and have lots of details. :) > > Agreed. There's no independently verifiable detail to lend any credence to the source(s) of the data. It just shows some 10G links flat-topping due to saturation. There's not enough here to get particularly excited. On the 30-day graph, there's a flat spot in the data that corresponds with the Comcast outage on the 28th, but that's not a sure thing. From rubensk at gmail.com Tue Dec 14 08:28:52 2010 From: rubensk at gmail.com (Rubens Kuhl) Date: Tue, 14 Dec 2010 12:28:52 -0200 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: On Tue, Dec 14, 2010 at 3:07 AM, Backdoor Santa wrote: > > Ever wonder what Comcast's connections to the Internet look like? In the tradition of WikiLeaks, someone stumbled upon these graphs of their TATA links. For reference, TATA is the only other IP transit provider to Comcast after Level (3). 
Comcast is a customer of TATA and pays them to provide them with access to the Internet. Isn't saturating their TATA links part of their strategy to make people pay to peer with them ? Rubens From patrick at zill.net Tue Dec 14 08:31:33 2010 From: patrick at zill.net (Patrick Giagnocavo) Date: Tue, 14 Dec 2010 09:31:33 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: <4D077FC5.8040606@zill.net> Thanks for this, I think, as a residential customer of Comcast, the FCC and FTC will both be receiving a letter from me. Clearly Comcast is not making an effort to deliver their advertised service, and instead are actually degrading my service. Cordially Patrick From cluebringer at gmail.com Tue Dec 14 10:24:45 2010 From: cluebringer at gmail.com (Craig L Uebringer) Date: Tue, 14 Dec 2010 11:24:45 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> Message-ID: On Tue, Dec 14, 2010 at 1:53 AM, Rettke, Brian wrote: > I don't see anything listed that indicates operation that is at all > different from any other service provider network. > Yeah, the 30 day looks like a classic uptick in traffic toward the holidays. Some bellhead beancounter maybe took out capacity in the summer lull and ignored the engineers. Or they just have stupidly-slow install intervals. Same crap I've seen on loads of provider networks. > The "capacity" issue listed is not an issue at all. It's simply inciting > anger and the same rhetoric that pollutes the legitimate discussion of > backbone network constraints. 
>
> When you shout "conspiracy" without offering verifiable facts, and not
> accounting for the cost (and time) it takes to upgrade networks (much less
> the fact that it requires capacity upgrades on both sides, in this case
> between TATA and Comcast), it makes the whole argument invalid in my
> opinion.
>

If they wanted to be true to the claim of "wikileaks style" in the subject line, they'd have an actual memo from some executive stating the policy of purposefully starving traffic.

Never attribute to malice that which is adequately explained by stupidity.

> That and the "backdoor santa" thing makes me believe the whole thread is
> designed to flame rather than promote the discourse that is the hallmark of
> NANOG. I really hope that there are moderators about to verify this: With
> these kinds of people about I'm less likely to post anything of substance.
>
> Sincerely,
>
> Brian
>
> -----Original Message-----
> From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
> Sent: Monday, December 13, 2010 11:45 PM
> To: nanog at nanog.org
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> On Mon, 13 Dec 2010, Backdoor Santa wrote:
>
> > Another thing to notice is the ratio of inbound versus outbound. Since
> > Comcast is primarily a broadband access network provider, they're going
> > to have millions of eyeballs (users) downloading content.
>
> Actually, there are plenty of access providers with 2:1 ratio (more ul
> than dl). It's not a matter if you're access provider or not, it's a
> matter if you offer decent upstream speed or not.
>
> In my experience, someone with 10/10 megabit/s ETTH compared to someone
> with 24/1 ADSL will download the same amount of data on average, but the
> 10/10 will have four (4) times more upload usage, bringing the ratio from
> 2:1 (Dl:Ul) on ADSL to 1:2 (Dl:Ul) on ETTH.
>
> So because Comcast is offering low upload speeds, they'll have low
> outgoing amount of traffic compared to incoming.
> With more and more ISPs
> offering more symmetric dl/ul speeds, we'll approach 1:1 ratio more and
> more...
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

From gbonser at seven.com Tue Dec 14 11:28:25 2010
From: gbonser at seven.com (George Bonser)
Date: Tue, 14 Dec 2010 09:28:25 -0800
Subject: TCP congestion control and large router buffers
In-Reply-To:
References: <1291907382.19262.212.camel@shrike>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF14@RWC-EX1.corp.seven.com>

> On Tue, 14 Dec 2010, Sam Stickland wrote:
>
> > But there's no need for AQM, just smaller buffers would make a huge
> > difference.
>
> Well, yes, buffering packets more than let's say 30-50ms on a 1 meg
> link doesn't make much sense. But doing some basic AQM would make things
> even better (some packets would see 0 buffering instead of 30ms).
>
> > Surely buffers that can store seconds worth of data are simply too
> > big?
>
> FIFO with seconds worth of data is just silly, yes.
>
> --
> Mikael Abrahamsson

Well, Jim Gettys was reporting seeing "tens of seconds" of buffering (comments in the original LWN link to his first posting) which is just ludicrous. No TCP stack is going to respond properly to congestion with that sort of delay. Some form of AQM is probably a good thing as would be the wider use of ECN. Finding out that a buffer filled and a packet (or many packets) was dropped five seconds after the fact, isn't going to help anyone and you just end up whipsawing the window size (Lawrence Welk effect http://www.oeta.onenet.net/welk/PM/images/Lawrence.jpg ?).

I would favor seeing more use of ECN so that a sender can be notified to back off when a buffer is approaching capacity but there is apparently still a lot of hardware out there that has problems with it.

You need enough buffering to satisfy packets "in flight" for a connection on the other side of the planet but man, what he has been reporting is just insane and it would be no wonder performance can be crap.
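George's point above, that a buffer holding seconds of data delays the loss signal until long after the window should have been cut, while a small buffer or ECN marking delivers the signal within a few RTTs, can be checked with a small simulation. The following is an added example written for this archive, not code from the thread or from any of the posters: one slow-start/AIMD sender crosses a single 1 Mbit/s bottleneck with a 20 ms base RTT, and the same run is repeated with a 5 s tail-drop FIFO, a 50 ms tail-drop FIFO, and the 5 s FIFO with a delay-based AQM that ECN-marks once the standing queue exceeds 30 ms. Every rate, size and threshold is a constructed value for illustration, and the "timeout" in step 4 is a simplified stand-in for a real retransmission timer.

```python
"""Toy model of one TCP-like sender (slow start, then AIMD) crossing a single
bottleneck FIFO, to compare a multi-second tail-drop buffer, a ~50 ms
tail-drop buffer, and the large buffer with a delay-based AQM that marks ECN
instead of dropping.  Every rate, size and threshold is a constructed value."""
from collections import deque
from dataclasses import dataclass

PKT = 1500  # bytes per packet


@dataclass
class Result:
    max_delay_ms: int    # worst queueing delay seen by any delivered packet
    utilization: float   # delivered bytes / link capacity over the whole run
    drops: int           # packets tail-dropped at the queue
    ce_marks: int        # packets marked Congestion Experienced by the AQM
    loss_detect_ms: int  # time from the first drop until the sender learns of it


def bdp_bytes(rate_bps, rtt_ms):
    """Bandwidth-delay product: the in-flight data a path needs to stay full."""
    return rate_bps / 8 * rtt_ms / 1000


def simulate(rate_bps=1_000_000, base_rtt_ms=20, buffer_ms=5000,
             ecn=False, aqm_target_ms=30, sim_ms=20_000):
    rate = rate_bps / 8 / 1000          # bytes per 1 ms tick
    max_queue = buffer_ms * rate        # buffer depth in bytes
    queue, queued, credit = deque(), 0.0, 0.0   # (seq, enqueue_tick, ce), bytes
    acks = {}                           # arrival_tick -> [(seq, ce)]
    cwnd, ssthresh = 1.0, float("inf")
    next_seq = in_flight = 0
    dropped = deque()                   # dropped seqs, oldest first
    recover_seq = 0                     # react to congestion once per RTT
    first_drop = detected = None
    delivered = 0.0
    res = Result(0, 0.0, 0, 0, 0)

    for now in range(sim_ms):
        # 1. ACKs arriving this tick drive the window.
        for seq, ce in acks.pop(now, []):
            in_flight -= 1
            lost = 0                    # drops older than this ACK are now known
            while dropped and dropped[0] < seq:
                dropped.popleft()
                lost += 1
            in_flight -= lost
            if lost and detected is None:
                detected = now
            if seq < recover_seq:       # still inside the recovery window
                continue
            if lost or ce:              # multiplicative decrease
                ssthresh = cwnd = max(cwnd / 2, 1.0)
                recover_seq = next_seq
            elif cwnd < ssthresh:
                cwnd += 1.0             # slow start
            else:
                cwnd += 1.0 / cwnd      # congestion avoidance
        # 2. Sender fills its window; the queue tail-drops or ECN-marks.
        while in_flight < cwnd:
            seq, next_seq, in_flight = next_seq, next_seq + 1, in_flight + 1
            if queued + PKT > max_queue:
                dropped.append(seq)
                res.drops += 1
                first_drop = now if first_drop is None else first_drop
                continue
            mark = bool(ecn and queued / rate > aqm_target_ms)
            res.ce_marks += mark
            queue.append((seq, now, mark))
            queued += PKT
        # 3. Link drains at line rate; each ACK returns one base RTT later.
        credit += rate
        while queue and credit >= PKT:
            seq, t_in, mark = queue.popleft()
            queued, credit, delivered = queued - PKT, credit - PKT, delivered + PKT
            res.max_delay_ms = max(res.max_delay_ms, now - t_in)
            acks.setdefault(now + base_rtt_ms, []).append((seq, mark))
        if not queue:
            credit = min(credit, PKT)   # an idle link cannot bank capacity
        # 4. Timeout analogue: pipe empty but the sender still thinks data is out.
        if in_flight and not queue and not acks:
            in_flight, dropped = 0, deque()
            ssthresh, cwnd = max(cwnd / 2, 1.0), 1.0
    res.utilization = delivered / (rate * sim_ms)
    if first_drop is not None and detected is not None:
        res.loss_detect_ms = detected - first_drop
    return res


def compare():
    """The three configurations the thread contrasts, keyed by name."""
    return {"5s_fifo_taildrop": simulate(buffer_ms=5000),
            "50ms_fifo_taildrop": simulate(buffer_ms=50),
            "5s_fifo_ecn_aqm": simulate(buffer_ms=5000, ecn=True)}


if __name__ == "__main__":
    print("BDP at 1 Mbit/s and 20 ms RTT: %d bytes" % bdp_bytes(1_000_000, 20))
    for name, r in compare().items():
        print(name, r)
```

Running it shows the 5 s tail-drop case reporting multi-second queueing delay and a loss the sender only notices seconds after it happened (the whipsaw George describes), while the 50 ms buffer and the ECN run both keep the worst delay well under a second with the link still close to fully utilised. The `bdp_bytes` helper gives the 2500 bytes this path actually needs in flight to stay busy, which is what "enough buffering for packets in flight" amounts to; everything above that only adds latency.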
From swmike at swm.pp.se Tue Dec 14 11:50:36 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 14 Dec 2010 18:50:36 +0100 (CET)
Subject: TCP congestion control and large router buffers
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF14@RWC-EX1.corp.seven.com>
References: <1291907382.19262.212.camel@shrike> <5A6D953473350C4B9995546AFE9939EE0B14CF14@RWC-EX1.corp.seven.com>
Message-ID:

On Tue, 14 Dec 2010, George Bonser wrote:

> that sort of delay. Some form of AQM is probably a good thing as would
> be the wider use of ECN. Finding out that a buffer filled and a packet
> (or many packets) was dropped five seconds after the fact, isn't going

ECN pretty much needs WRED, and then people need to implement that first. The only routing platform I know to support it is 7200 and the other types of cpu routers from Cisco running fairly recent IOS (seems to have been introduced in 12.2T).

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftwrdecn.html

> You need enough buffering to satisfy packets "in flight" for a
> connection on the other side of the planet but man, what he has been
> reporting is just insane and it would be no wonder performance can be
> crap.

Yeah, 30-60ms of buffering is what I have favoured so far. With L2 switches you don't get anywhere near that, but on the other side a few ms of buffering+tail drop has much less impact on interactive applications compared to seconds of buffering.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From leland at taranta.discpro.org Tue Dec 14 13:22:00 2010
From: leland at taranta.discpro.org (Leland Vandervort)
Date: Tue, 14 Dec 2010 20:22:00 +0100
Subject: DNS "Fake" Authority for hidden forwarders?
Message-ID:

Hi All,

Apologies if off topic, but hoping that one of you gurus out there might have some tips on this.

I have a rather "unusual" application for DNS which I need to figure out a way to make it work, but running into authority issues.
Basically, I have a "fake" server running on a private network which can respond to PTR and A requests dynamically, with their details extracted from a database. In front of that in the public network, I have two servers (load-balanced) which can handle the queries from the "world" for these zones.

The problem is that the backend "dummy" server doesn't actually generate a zone as such, and does not set the AA bit (it's a python script, actually...).

I'm trying to find a way for the front-end servers to declare themselves as authority for the zones in question, but obtaining the details of the records via forwarder to the dummy server behind, then of course caching the response for the stated TTL in the response.

I have looked at various configuration options of BIND and nothing really works, be it a forward, split-horizon, hidden-master, hidden-slave, etc.

Is there another daemon somewhere out there that can do something along lines of this pseudo configuration:

zone "1.168.192.in-addr.arpa" {
        type master;
        // actually a "fake" master to pretend to be the authority

        allow-query { any; };
        recursion no;

        file "/etc/bind/zones/1.168.192.in-addr.fake-master.zone";

        // file contains an SOA and NS record of the zone
        // pointing to the "public" visible servers (i.e. myself)

        // actual records (PTR, A, AAAA, etc.) are dynamically retrieved
        // from a "record-forwarder", but works the same way as
        // a standard forward type zone:

        record-forwarders {
                10.1.1.2;
        };
};

When an external query arrives for the zone, the front-end server declares itself to be authoritative for the zone, but obtains the actual A/PTR/AAAA record via the back-end forwarder, and stuffs it into the response as if it was locally configured. It then keeps it in cache.

For the moment, I have it setup simply as a forwarder, and it does indeed respond to queries for the dynamically generated queries, but only if queried DIRECTLY (dig -x 1.1.1.1 @frontend-server), but it responds without authority.
As such, this configuration cannot be used for "live" deployment. (the front-end servers are of course fully delegated for the zones in question, so they need to be authoritative).

Is there anything out there that can do such authority masquerading/proxying?

Thanks in advance

Leland

From angelarifb at gmail.com Tue Dec 14 13:40:59 2010
From: angelarifb at gmail.com (Eugene Zola)
Date: Tue, 14 Dec 2010 21:40:59 +0200
Subject: Post positive reviews
Message-ID:

Google's Huge Change and How it affects you.

* Anyone can now post bad reviews and kill your rank.
* We post good reviews and improve your rank.
* We post good reviews to keep others from killing your rank.

Google: Judge, Jury and Online Shopping Executioner

Google rank is based on reviews of your business?

Google Statement: "...in the last few days we developed an algorithmic solution which detects the merchant from the Times article along with hundreds of other merchants that, in our opinion, provide an extremely poor user experience. The algorithm we incorporated into our search rankings represents an initial solution to this issue, and Google users are now getting a better experience as a result."

This means that anyone can write bad reviews about your business and lower your ranking. We knew that getting good reviews and not getting bad reviews was always important. Now it is a must to have good reviews for your business to keep the rank safe or to improve rank with Google.

We post positive reviews for your company. We have the experience and ability to post hundreds of positive reviews that are all unique content and posted on unique IP addresses.

wwwpostgoodreviews.com

From josmon at rigozsaurus.com Tue Dec 14 15:00:09 2010
From: josmon at rigozsaurus.com (John Osmon)
Date: Tue, 14 Dec 2010 14:00:09 -0700
Subject: DNS "Fake" Authority for hidden forwarders?
In-Reply-To:
References:
Message-ID: <20101214210009.GA13744@jeeves.rigozsaurus.com>

On Tue, Dec 14, 2010 at 08:22:00PM +0100, Leland Vandervort wrote:
>
> Hi All,
>
> Apologies if off topic, but hoping that one of you gurus out there might have some tips on this.
>
> I have a rather "unusual" application for DNS which I need to figure
> out a way to make it work, but running into authority issues.
[...]
> Is there anything out there that can do such authority masquerading/proxying?

You might look to see if dnsmasq does what you need. It has some interesting modes.

I use it on my home network as a local resolver. It serves as a local proxy, and I can override the global DNS view with local entries in /etc/hosts. There are other cool hooks as well.

From jeroen at mompl.net Tue Dec 14 15:11:54 2010
From: jeroen at mompl.net (Jeroen van Aart)
Date: Tue, 14 Dec 2010 13:11:54 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID: <4D07DD9A.3050408@mompl.net>

Backdoor Santa wrote:
> Ever wonder what Comcast's connections to the Internet look like? In the tradition of WikiLeaks, someone stumbled upon these graphs of their TATA links. For reference, TATA is the only other IP transit provider to Comcast after Level (3). Comcast is a customer of TATA and pays them to provide them with access to the Internet.
>
> 1 day graphs:
>
> Image #1: http://img149.imageshack.us/img149/78/ntoday.gif
>
> Another thing to notice is the ratio of inbound versus outbound. Since Comcast is primarily a broadband access network provider, they're going to have millions of eyeballs (users) downloading content. Comcast claims that a good network maintains a 1:1 with them, but that's simply not possible unless you had Comcast and another broadband access network talking to each other. In the attached graphs you can see the ratio is more along the lines of 5:1, which Comcast was complaining about with Level (3). The reality is that the ratio argument is bogus.
> Broadband access networks are naturally pull-heavy and it's being used as an excuse to call foul of Level (3) and other content heavy networks. But this shouldn't surprise anyone, the ratio argument has been used for over a decade by many of the large telephone companies as an excuse to deny peering requests. Guess where most of Comcast's senior network executive people came from? Sprint and AT&T. Welcome to the new monopoly of the 21st century.
>
> If you think the above graph is just a bad day or maybe a one off? Let us look at a 30 day graph...
>
> Image #3: http://img823.imageshack.us/img823/8917/ntomonth.gif

This tells me two things:

1 - Don't use comcast as your ISP. Personally I prefer to use a local ISP, maybe even "ma and pa store" style, if available.

2 - If for some reason you just can't live without comcast, then plan ahead do all your leeching between 7 AM and 5 PM. Then watch your previously saved videos at your leisure without interruptions in the evening. And plan on finding a better ISP :-)

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html

From jfbeam at gmail.com Tue Dec 14 15:20:11 2010
From: jfbeam at gmail.com (Ricky Beam)
Date: Tue, 14 Dec 2010 16:20:11 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net>
Message-ID:

On Tue, 14 Dec 2010 11:24:45 -0500, Craig L Uebringer wrote:
> Same crap I've seen on loads of provider networks.

No ISP I've ever worked for or with has ever willingly run their transit (or peering) links at capacity. (Granted, I've been responsible for saturating links, but I moved user traffic off of them first.)

--Ricky

PS: TATA confirmed Comcast's behavior before anyone found any traffic graphs. We already knew they were gaming their own customer base.
From ras at e-gerbil.net Tue Dec 14 15:29:49 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 14 Dec 2010 15:29:49 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net>
Message-ID: <20101214212949.GH38726@gerbil.cluepon.net>

On Tue, Dec 14, 2010 at 11:24:45AM -0500, Craig L Uebringer wrote:
>
> Yeah, the 30 day looks like a classic uptick in traffic toward the
> holidays. Some bellhead beancounter maybe took out capacity in the
> summer lull and ignored the engineers. Or they just have stupidly-slow
> install intervals. Same crap I've seen on loads of provider networks.

Except that they seem to be busy actively turning down other capacity, and forcing extra traffic through their Tata ports by blocking other paths with BGP no-export communities. For example, we've been observing Comcast turning down some of their Global Crossing capacity in recent days, causing new congestion during peak traffic times. I've even seen people contact the various NOCs involved, and they've been told explicitly and by multiple parties that Comcast is intentionally turning down extra capacity and running their existing ports hot.

Everybody who deals with interconnection capacity in this industry knows what's going on, but the graphs and interconnection details are all under NDA, so it takes an inside source secretly leaking graphs to the public to expose this kind of activity. Even then you'll still have people who claim that it proves nothing because the graphs can't be positively associated to a specific customer port, but realistically these kinds of leaks are probably the best public info you'll ever see.
--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From aaron at wholesaleinternet.net Tue Dec 14 15:39:07 2010
From: aaron at wholesaleinternet.net (Aaron Wendel)
Date: Tue, 14 Dec 2010 15:39:07 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101214212949.GH38726@gerbil.cluepon.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net>
Message-ID: <11b801cb9bd7$571774a0$05465de0$@net>

To what end? And who's calling the shots there these days? Comcast has been nothing but shady for the last couple years. Spoofing resets, the L3 issue, etc. What's the speculation on the end game?

From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
Sent: Tuesday, December 14, 2010 3:30 PM
To: Craig L Uebringer
Cc: nanog at nanog.org; Rettke, Brian
Subject: Re: Some truth about Comcast - WikiLeaks style

On Tue, Dec 14, 2010 at 11:24:45AM -0500, Craig L Uebringer wrote:
>
> Yeah, the 30 day looks like a classic uptick in traffic toward the
> holidays. Some bellhead beancounter maybe took out capacity in the
> summer lull and ignored the engineers. Or they just have stupidly-slow
> install intervals. Same crap I've seen on loads of provider networks.

Except that they seem to be busy actively turning down other capacity, and forcing extra traffic through their Tata ports by blocking other paths with BGP no-export communities. For example, we've been observing Comcast turning down some of their Global Crossing capacity in recent days, causing new congestion during peak traffic times. I've even seen people contact the various NOCs involved, and they've been told explicitly and by multiple parties that Comcast is intentionally turning down extra capacity and running their existing ports hot.
Everybody who deals with interconnection capacity in this industry knows what's going on, but the graphs and interconnection details are all under NDA, so it takes an inside source secretly leaking graphs to the public to expose this kind of activity. Even then you'll still have people who claim that it proves nothing because the graphs can't be positively associated to a specific customer port, but realistically these kinds of leaks are probably the best public info you'll ever see.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From mksmith at adhost.com Tue Dec 14 15:47:43 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue, 14 Dec 2010 21:47:43 +0000
Subject: NANOG Server Maintenance
Message-ID:

Hello All:

This Friday morning, December 17, at 5:00 a.m. EST, Merit staff will relocate the server that operates the NANOG mailing lists and website. This will result in a list outage that should last not more than two hours.

If you have any questions, please send them to admins at nanog.org.

Regards,

Mike
On behalf of the Communications Committee

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From ras at e-gerbil.net Tue Dec 14 16:38:27 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Tue, 14 Dec 2010 16:38:27 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <11b801cb9bd7$571774a0$05465de0$@net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net>
Message-ID: <20101214223827.GK38726@gerbil.cluepon.net>

On Tue, Dec 14, 2010 at 03:39:07PM -0600, Aaron Wendel wrote:
> To what end? And who's calling the shots there these days? Comcast
> has been nothing but shady for the last couple years. Spoofing
> resets, the L3 issue, etc. What's the speculation on the end game?

I believe Comcast has made clear their position that they feel content providers should be paying them for access to their customers. I've seen them repeatedly state that they feel networks who send them too much traffic are "abusing their network". It isn't a ratios argument in the classic sense, between two peers trying to maintain a fair balance of costs and benefits, it's that they object to ANY content provider being able to deliver to their customers without paying them for access. They do this by trying to enforce ratios which are well beyond what their actual end users are routing, and as in the case of Level 3, they leverage that position to claim that other networks should be paying them under threat of blocking uncongested access to their customers.

I would say their short term goal is to make people who currently won't peer with them do so, so they can become transit free. This has been seen time and time again, as they move networks who they want to peer with but who will not peer with them into "congested transit" bucket.
A while back it was SAVVIS, now it is Tata, but the pattern is clear and repetitive. Note that this only extends to a certain point though, as in the case of Global Crossing, who they claim is a settlement free peer, but who they have recently started pressuring and intentionally congesting because of ratio imbalances.

Their long term goal seems to be to force content networks to pay them for direct transit or on-net connectivity, by removing the available capacity from other paths. If you are a content network, and you can't reach them in a reliable fashion via "The Internet", your only choice may be to buy from Comcast directly. This is obviously not the first time that networks have used this strategy, there are several prominent examples in recent history of others using this exact same technique. But this is definitely one of the worst examples in the US of a major eyeball network using access to their customers (who may have little or no choice in their broadband access) to force other networks to pay them, and IMHO it needs to be called out publicly whenever possible.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From khelms at ispalliance.net Tue Dec 14 16:50:19 2010
From: khelms at ispalliance.net (Scott Helms)
Date: Tue, 14 Dec 2010 17:50:19 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101214223827.GK38726@gerbil.cluepon.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net>
Message-ID: <4D07F4AB.6090008@ispalliance.net>

Can you share any references on this? Everything I've seen has been typical lawyer double speak, i.e. the opposite of clear.
On 12/14/2010 5:38 PM, Richard A Steenbergen wrote:
> I believe Comcast has made clear their position that they feel content
> providers should be paying them for access to their customers. I've seen
> them repeatedly state that they feel networks who send them too much
> traffic are "abusing their network".

--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
--------------------------------
Looking for hand-selected news, views and tips for independent broadband providers?
Follow us on Twitter! http://twitter.com/ZCorum
--------------------------------

From dotis at mail-abuse.org Tue Dec 14 17:23:08 2010
From: dotis at mail-abuse.org (Douglas Otis)
Date: Tue, 14 Dec 2010 15:23:08 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101214223827.GK38726@gerbil.cluepon.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net>
Message-ID: <4D07FC5C.3090206@mail-abuse.org>

On 12/14/10 2:38 PM, Richard A Steenbergen wrote:
> On Tue, Dec 14, 2010 at 03:39:07PM -0600, Aaron Wendel wrote:
>> To what end? And who's calling the shots there these days? Comcast
>> has been nothing but shady for the last couple years. Spoofing
>> resets, the L3 issue, etc. What's the speculation on the end game?
> I believe Comcast has made clear their position that they feel content
> providers should be paying them for access to their customers.

The Internet would offer lesser value by allowing access providers to hold their customers hostage. Clearly, such providers are not acting in their customer's interests when inhibiting access to desired and legitimate content. What is net neutrality expected to mean?

Providers should charge a fair price for bandwidth offered, not over sell the bandwidth, and not constrain bandwidth below advertised rates.
Congestion pricing rewards bad practices that lead to the congestion.

-Doug

From sethm at rollernet.us Tue Dec 14 17:59:04 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 14 Dec 2010 15:59:04 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D07FC5C.3090206@mail-abuse.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <4D07FC5C.3090206@mail-abuse.org>
Message-ID: <4D0804C8.60508@rollernet.us>

On 12/14/2010 15:23, Douglas Otis wrote:
> On 12/14/10 2:38 PM, Richard A Steenbergen wrote:
>> On Tue, Dec 14, 2010 at 03:39:07PM -0600, Aaron Wendel wrote:
>>> To what end? And who's calling the shots there these days? Comcast
>>> has been nothing but shady for the last couple years. Spoofing
>>> resets, the L3 issue, etc. What's the speculation on the end game?
>> I believe Comcast has made clear their position that they feel content
>> providers should be paying them for access to their customers.
> The Internet would offer lesser value by allowing access providers to
> hold their customers hostage. Clearly, such providers are not acting in
> their customer's interests when inhibiting access to desired and
> legitimate content. What is net neutrality expected to mean?
>
> Providers should charge a fair price for bandwidth offered, not over
> sell the bandwidth, and not constrain bandwidth below advertised rates.
> Congestion pricing rewards bad practices that lead to the congestion.

I just see this as a natural progression of what happens of a single player with a captive audience due to mergers and attrition. They know their customers aren't going anywhere. The only way to "fix" it would be to go back to the days when there were a bunch of competing local providers.
~Seth

From marka at isc.org Tue Dec 14 18:01:52 2010
From: marka at isc.org (Mark Andrews)
Date: Wed, 15 Dec 2010 11:01:52 +1100
Subject: DNS "Fake" Authority for hidden forwarders?
In-Reply-To: Your message of "Tue, 14 Dec 2010 20:22:00 BST."
References:
Message-ID: <20101215000152.B61587E0FFC@drugs.dv.isc.org>

In message , Leland Vandervort writes:
>
> Hi All,
>
> Apologies if off topic, but hoping that one of you gurus out there might
> have some tips on this.
>
> I have a rather "unusual" application for DNS which I need to figure out
> a way to make it work, but running into authority issues.
>
> Basically, I have a "fake" server running on a private network which can
> respond to PTR and A requests dynamically, with their details extracted
> from a database. In front of that in the public network, I have two
> servers (load-balanced) which can handle the queries from the "world"
> for these zones.
>
> The problem is that the backend "dummy" server doesn't actually
> generate a zone as such, and does not set the AA bit (it's a python
> script, actually...).

Well, set the AA bit. It's a python script which you can fix with a text editor. If it's acting as an authoritative DNS server, even in part, then it should be doing what an authoritative DNS server does.

> I'm trying to find a way for the front-end servers to declare themselves as
> authority for the zones in question, but obtaining the details of the
> records via forwarder to the dummy server behind, then of course caching
> the response for the stated TTL in the response.

So you want the cache to lie about being a cache.

> I have looked at various configuration options of BIND and nothing
> really works, be it a forward, split-horizon, hidden-master,
> hidden-slave, etc.
>
> Is there another daemon somewhere out there that can do something along
> lines of this pseudo configuration:
>
> zone "1.168.192.in-addr.arpa" {
>         type master;
>         // actually a "fake" master to pretend to be the authority
>
>         allow-query { any; };
>         recursion no;
>
>         file "/etc/bind/zones/1.168.192.in-addr.fake-master.zone";
>
>         // file contains an SOA and NS record of the zone
>         // pointing to the "public" visible servers (i.e. myself)
>
>         // actual records (PTR, A, AAAA, etc.) are dynamically retrieved
>         // from a "record-forwarder", but works the same way as
>         // a standard forward type zone:
>
>         record-forwarders {
>                 10.1.1.2;
>         };
> };
>
> When an external query arrives for the zone, the front-end server
> declares itself to be authoritative for the zone, but obtains the actual
> A/PTR/AAAA record via the back-end forwarder, and stuffs it into the
> response as if it was locally configured. It then keeps it in cache.
>
> For the moment, I have it setup simply as a forwarder, and it does
> indeed respond to queries for the dynamically generated queries, but
> only if queried DIRECTLY (dig -x 1.1.1.1 @frontend-server), but it
> responds without authority. As such, this configuration cannot be used
> for "live" deployment. (the front-end servers are of course fully
> delegated for the zones in question, so they need to be authoritative).
>
> Is there anything out there that can do such authority
> masquerading/proxying?
>
> Thanks in advance
>
> Leland
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From Brian.Rettke at cableone.biz Tue Dec 14 18:49:41 2010
From: Brian.Rettke at cableone.biz (Rettke, Brian)
Date: Tue, 14 Dec 2010 17:49:41 -0700
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D07FC5C.3090206@mail-abuse.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net>, <4D07FC5C.3090206@mail-abuse.org>
Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E5542B83@E2K7MAILBOX1.corp.cableone.net>

I'm surprised that no one seems to think that "bandwidth" is really just a series of interconnects. If indeed their links are saturated, they are probably either near an upgrade point (if their forecasting was correct) or trying to negotiate one (if their forecasting is bad or there is a sudden new leech on bandwidth, like streaming video). It's not free, it's never quick and easy. The best thing that can happen is that they are either adding additional links to TATA (which requires TATA, any carrier facilities, and any LECs) to reach an agreement to complete the interconnect, or they are looking at sending traffic to another link. Usually, the balance is between the most direct link to a source, or the most efficient use of resources on the network. There is a balance to be found.

No matter what the agenda, no service provider actively tries to make their customers angry - Their job is to be transparent. The problems arise naturally, if I move your bandwidth to provider B where I have free bandwidth, your "ping" increases by 20 ms, the path is not as direct, and complaints roll in. There is no single provider that ever has or ever will be completely ahead of the curve all of the time.
It's a constant infrastructure build.

As for the Comcast take on content, it's not a new one, not unique to Comcast, but completely foreign to the American consumer. I think both require re-education and a new plan.

________________________________________
From: Douglas Otis [dotis at mail-abuse.org]
Sent: Tuesday, December 14, 2010 4:23 PM
To: nanog at nanog.org
Subject: Re: Some truth about Comcast - WikiLeaks style

On 12/14/10 2:38 PM, Richard A Steenbergen wrote:
> On Tue, Dec 14, 2010 at 03:39:07PM -0600, Aaron Wendel wrote:
>> To what end? And who's calling the shots there these days? Comcast
>> has been nothing but shady for the last couple years. Spoofing
>> resets, the L3 issue, etc. What's the speculation on the end game?
> I believe Comcast has made clear their position that they feel content
> providers should be paying them for access to their customers.

The Internet would offer lesser value by allowing access providers to hold their customers hostage. Clearly, such providers are not acting in their customer's interests when inhibiting access to desired and legitimate content. What is net neutrality expected to mean?

Providers should charge a fair price for bandwidth offered, not over sell the bandwidth, and not constrain bandwidth below advertised rates. Congestion pricing rewards bad practices that lead to the congestion.

-Doug

From joelja at bogus.com Tue Dec 14 19:34:24 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Tue, 14 Dec 2010 17:34:24 -0800
Subject: Over a decade of DDOS--any progress yet?
In-Reply-To:
References: <23035485.1291815970840.JavaMail.tomcat@fe-ps03>
Message-ID: <4D081B20.3080408@bogus.com>

On 12/8/10 6:30 AM, Drew Weaver wrote:
> Yes, but this obviously completes the 'DDoS attack' and sends the signal that the bully will win.

it's part of a valid mitigation strategy. shifting the target out from underneath the blackholed address is also part of the activity. that's easier in some cases than others.
the bots will move and you play whack a rat with your upstreams.

joel

> -Drew
> From: alvaro.sanchez at adinet.com.uy [mailto:alvaro.sanchez at adinet.com.uy]
> Sent: Wednesday, December 08, 2010 8:46 AM
> To: rdobbins at arbor.net; North American Operators' Group
> Subject: Re: Over a decade of DDOS--any progress yet?
>
> A very common action is to blackhole ddos traffic upstream by sending a
> bgp route to the next AS with a preestablished community indicating the
> traffic must be sent to Null0. The route may be very specific, in order
> to impact as less as possible. This needs previous coordination between
> providers.
> Regards.

From jg at freedesktop.org Tue Dec 14 19:43:25 2010
From: jg at freedesktop.org (Jim Gettys)
Date: Tue, 14 Dec 2010 20:43:25 -0500
Subject: TCP congestion control and large router buffers
Message-ID: <4D081D3D.1060600@freedesktop.org>

As I'm attempting to lay out in my posts, there are a plethora of problems, end-to-end in the network. Would that there was only one problem.

Excessive, unmanaged buffers afflict the user's OS's (Windows, Mac and Linux alike), particularly on recent hardware. Home routers and the broadband connections (as shown by netalyzr) all have problems. The bottleneck may be anywhere in the path; with the (sometimes) exception of Windows XP, all edge equipment now routinely congests the edge. Multiple seconds of latencies, in both directions, are dismayingly commonplace.

Retail operators have had a hidden major support problem: how many of the "bad service" calls have been due to the problem? It tends to be transient in behavior, and I've chased the problem personally at least 5 times in the last 3 years. I've placed service calls I now believe likely due to bufferbloat. I've caught problems with crash dumps being uploaded to the net; backup and downloads can all cause trouble.
Courtesy of the Netalyzr team, I've been able to post color versions of their results on http://gettys.wordpress.com/2010/12/06/whose-house-is-of-glasse-must-not-throw-stones-at-another/; they first reported results at the NANOG meeting last summer.

Disentangling broadband data from home router and operating system bufferbloat is difficult; I've found bufferbloat is present in all of them. The power-of-two bufferbloat sizes are almost certainly all broadband gear (since the OS buffer sizes are quantised in packets, not bytes). In the downstream direction, one of the possible causes is failure to run any AQM in the broadband head-ends; this is certainly also the case in home routers. Also, as outlined in:

Characterizing Residential Broadband Networks
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.65.6825&rep=rep1&type=pdf

we have good reason to believe this is taking place.

Since I became aware that bufferbloat might have become a generic problem last summer from anecdotal data and personal experiments, I've probed networks wherever I've travelled. Some of what I've seen was clearly broadband bufferbloat; but more disturbingly, I've also seen other evidence further into several of the networks I've probed (from hotels *not* using broadband for their service), further confirming the initial anecdotal data I was given that queue management is far from universal (and essentially unheard of in the home).

If the idea that the buffers have destroyed congestion avoidance doesn't scare you, I don't know what will. It's a major problem.
Best Regards,
- Jim Gettys

From alex at corp.nac.net Tue Dec 14 20:08:10 2010
From: alex at corp.nac.net (Alex Rubenstein)
Date: Tue, 14 Dec 2010 21:08:10 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0804C8.60508@rollernet.us>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <4D07FC5C.3090206@mail-abuse.org> <4D0804C8.60508@rollernet.us>
Message-ID:

> I just see this as a natural progression of what happens of a single
> player with a captive audience due to mergers and attrition. They know
> their customers aren't going anywhere. The only way to "fix" it would be
> to go back to the days when there were a bunch of competing local
> providers.

Wait -- you mean competition that is healthy and fair?! The FCC would not hear of this.

--
Alex, remembering the days of 8000 ISP's with substantially better customer service than is available today

From jared at puck.nether.net Tue Dec 14 20:24:23 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 14 Dec 2010 21:24:23 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0804C8.60508@rollernet.us>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <4D07FC5C.3090206@mail-abuse.org> <4D0804C8.60508@rollernet.us>
Message-ID:

On Dec 14, 2010, at 6:59 PM, Seth Mattinen wrote:
> I just see this as a natural progression of what happens of a single
> player with a captive audience due to mergers and attrition. They know
> their customers aren't going anywhere. The only way to "fix" it would be
> to go back to the days when there were a bunch of competing local providers.
This requires one or more of the following:

o regulatory action
o last mile regulation or competitive access
o subsidies for new players
o massive capital outlays
o state laws changed in various markets
o reformation of USF
o changes at NTIA
o changes at USDA (RUS)

I'll once again use my example of the verizon assets going to fairpoint. it shows that the costs are significant.

I can get a 10G across an ocean for cheaper than I can get one delivered over a 1 mile distance in a neighborhood.

I do believe that FTTH will eventually become the solution to all the edge network ills, but at the same time, replacing that costs a lot of money.

Take a look at this article from 2008 - http://bits.blogs.nytimes.com/2008/08/19/a-bear-speaks-why-verizons-pricey-fios-bet-wont-pay-off/

"Here is how Mr. Moffett looks at the costs of the plan that Verizon has announced for FiOS. Through 2010 the company will pay an average of $817 to run the fiber past the 19 million homes, on poles or under the ground. It will also incur $172 per home passed in other costs related to the video infrastructure. He assumes that 40 percent of the customers passed will buy at least one FiOS service. If you allocate the cost of running the fiber past the homes that don't buy FiOS to those that do, that makes the cost of building the network $2,473 per home. (That cost would be less if more than 40 percent of the potential customers sign up. Or it could be higher, if sales don't achieve the 40 percent level.)"

If you are willing to pay $2500 to have service installed, I'm sure the incumbents would be jumping at you. Instead, these are often regulated, last I recall in Michigan it was $42/line, even if they had to trench a quarter mile to reach you.. or if they just tested the existing copper to your home. This masks the actual costs.
- Jared

From gbonser at seven.com Tue Dec 14 21:25:14 2010
From: gbonser at seven.com (George Bonser)
Date: Tue, 14 Dec 2010 19:25:14 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <4D07FC5C.3090206@mail-abuse.org> <4D0804C8.60508@rollernet.us>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF4B@RWC-EX1.corp.seven.com>

> From: Jared Mauch
> Sent: Tuesday, December 14, 2010 6:24 PM
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> This requires one or more of the following:
>
> o regulatory action
> o last mile regulation or competitive access
> o subsidies for new players
> o massive capital outlays
> o state laws changed in various markets
> o reformation of USF
> o changes at NTIA
> o changes at USDA (RUS)

Well I don't believe it requires any of the above. For example, Comcast had the cable TV monopoly where I live. About 2 years ago, AT&T began rolling out their U-verse service and from the looks of things, has taken a serious bite out of Comcast's monopoly here. Comcast has closed many offices including the one in my town. In other areas, Verizon is rolling out their similar FiOS product. Over a growing part of the country, Comcast doesn't have the "captive" audience they once had. Don't get me wrong, they are still in the market. My oldest is a Comcast subscriber but he now has choices he didn't have as little as a year ago.

My personal opinion is that increased regulatory action is self-defeating. It ends up causing more problems than it solves. What we need is competition in the marketplace. Deregulation in most cases would actually improve the situation where current regulations grant operating monopolies to certain companies in local regions.
These local regulations often do not view things in the global scope. A thousand local cable monopolies granted to any company results in a global aggregate of a lot of "captive" users that can be leveraged in a marketplace outside the jurisdiction granting the monopoly. In the sense that elimination of monopolies is "state laws changed in various markets" then yeah, maybe one of those points makes sense.

Competitors are ramping up. I haven't seen any recent numbers but in April, AT&T crossed 2.3 million U-verse users and was available in over 20 million housing units in the US. Verizon FiOS is at about 4 million subscribers. As of September, Comcast is reported to have 16.7 million broadband internet customers.

If monopolies are needed in order to get service to an area, make them "last mile" wire monopolies that provide no content of their own and allow the content providers (Comcast, Verizon, AT&T, etc.) to provide service over the infrastructure on a competitive basis. Content monopolies tied to the infrastructure are bad for everyone and as existing monopoly agreements expire, more competition is entering the market. I would possibly compromise by saying a company willing to install the infrastructure could get a one-time monopoly for some period of time, after which the infrastructure is spun off as a separate company and opened up to competitive access.

Better not to meddle, in my opinion, as the meddling ends up causing unintended consequences. Open up the markets to competition and give people choices, then let the networks establish what policies they think best for their networks rather than attempting to dictate policy from a central authority. The one with the policy that best fits the user's needs will get their reward.

> I can get a 10G across an ocean for cheaper than I can get one
> delivered over a 1 mile distance in a neighborhood.
Heh, I can get a 10G metroE across town cheaper than I can get a 10G port and local cross connect inside some colo providers operations.

> I do believe that FTTH will eventually become the solution to all the
> edge network ills, but at the same time, replacing that costs a lot of
> money.

I believe AT&T is taking a hybrid approach. Fiber to local distribution boxes within a block or two of the home and using the existing copper but replacing the drops to the home in most cases with something newer.

> Take a look at this article from 2008 -
> http://bits.blogs.nytimes.com/2008/08/19/a-bear-speaks-why-verizons-
> pricey-fios-bet-wont-pay-off/

FiOS seems to be gaining customers at a slightly faster rate than U-Verse but both seem to be gaining users. The Wiki says:

"As of June 30, 2009, FiOS Internet had 3.1 million customers (up 31% in last year), and FiOS TV had 2.5 million customers (up 46% in prior year) with FiOS services offered to over 11 million premises nationwide. Verizon announced in March 2010 that they were winding down their FiOS expansion, concentrating on completing their network in areas that already had FiOS franchises but were not deploying to any new areas, which included the cities of Baltimore and Boston, who had not yet secured municipal franchise agreements."

So it is those franchise agreements that need to go away and open the markets up to competition and let everyone, including Comcast, compete on an equal basis without "captive" customers. IMHO.
From jra at baylink.com Tue Dec 14 21:32:54 2010
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 14 Dec 2010 22:32:54 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF4B@RWC-EX1.corp.seven.com>
Message-ID: <1952332.70.1292383974826.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "George Bonser"

> If monopolies are needed in order to get service to an area, make them
> "last mile" wire monopolies that provide no content of their own and
> allow the content providers (Comcast, Verizon, AT&T, etc.) provide
> service over the infrastructure on a competitive basis. Content
> monopolies tied to the infrastructure are bad for everyone and as
> existing monopoly agreements expire, more competition is entering the
> market. I would possibly compromise by saying a company willing to
> install the infrastructure could get a one-time monopoly for some
> period of time, after which the infrastructure is spun off as a separate
> company and opened up to competitive access.

That's the magic answer, right there, yes: fiber last-mile is a natural monopoly, for a whole host of practicality reasons.

So, if we could repeal all the laws Verizon's FiOS division has gotten passed forbidding municipalities from building last mile fiber, and renting it to all comers on non-discriminatory terms, as you suggest, and encourage them to do so -- as I strongly suspect is Google's planned end-game -- then we might see some more sanity in the IAP business.

I'd like to see a Jesus-load and a half more geographic locality of reference on the backbone too -- my RoadRunner Tampa packets to FiOS Tampa really ought not to have to go via *Dallas* on a regular basis -- but I guess that part's a lost cause.
Cheers,
-- jra

From jra at baylink.com Tue Dec 14 21:36:10 2010
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 14 Dec 2010 22:36:10 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
Message-ID: <2888953.72.1292384170339.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Alex Rubenstein"

> -- Alex, remembering the days of 8000 ISP's with substantially better
> customer service than is available today

In 1995, when I was the chief engineer for a teeny little ISP called Centurion Technologies, in Largo FL (we had 40 modems here and 20 in Tampa on a 256kb/s frame relay backhaul to the home office in Texas, which itself only uplinked to its backbone provider via a T-1)... and I *went to several customers' houses* to get their connections up and running for them.

These were the Win3/Trumpet days, of course; it was a bunch harder then than it is today...

Cheers,
-- jra

From pfunix at gmail.com Tue Dec 14 22:20:17 2010
From: pfunix at gmail.com (Beavis)
Date: Tue, 14 Dec 2010 22:20:17 -0600
Subject: Net-Neutrality or Net-Neutered?
Message-ID:

I came across this interesting link.

http://blogs.techrepublic.com.com/security/?p=4828&tag=nl.e036

Is ICANN really that susceptible to govt. pressure?

I only see chaos ahead especially with ipv6 coming into the scene.

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/

From ken at sizone.org Tue Dec 14 22:50:56 2010
From: ken at sizone.org (Ken)
Date: Tue, 14 Dec 2010 23:50:56 -0500
Subject: Net-Neutrality or Net-Neutered?
In-Reply-To:
References:
Message-ID: <20101215045056.GB12881@sizone.org>

On Tue, Dec 14, 2010 at 10:20:17PM -0600, Beavis said:
>I came across this interesting link.
>
>http://blogs.techrepublic.com.com/security/?p=4828&tag=nl.e036
>
>Is ICANN really that susceptible to govt. pressure?
Funny, tho - being susceptible to govt pressure CREATES an alt root DNS structure. You'd think the smart thinkers in the govt woulda figured that out. Apply pressure and it splinters. Sometimes easier to supervise if it's in one pile, no?

Also, "new DNS = whole new internet"? lol.

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From drc at virtualized.org Tue Dec 14 23:00:08 2010
From: drc at virtualized.org (David Conrad)
Date: Tue, 14 Dec 2010 19:00:08 -1000
Subject: Net-Neutrality or Net-Neutered?
In-Reply-To:
References:
Message-ID: <744C3A4F-E222-42FE-9DB3-050EC5FBDC9E@virtualized.org>

On Dec 14, 2010, at 6:20 PM, Beavis wrote:
> I came across this interesting link.
>
> http://blogs.techrepublic.com.com/security/?p=4828&tag=nl.e036

http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/

> Is ICANN really that susceptible to govt. pressure?

Ignoring the fact that ICANN wasn't involved in the takedowns, ICANN is incorporated in California as a 501c(3) non-profit. As such, it is subject to US law, even laws that have impacts on ICANN's attempt to be an international organization. If folks show up at ICANN's door with a warrant or court order, ICANN, like any other company incorporated in the US, must abide.

In addition, ICANN performs the IANA functions under contract to the US Dept. of Commerce and in theory, pressure could be brought to bear on ICANN via (at least) threats of refusing to renew that contract. However, to date, I'm unaware of Commerce applying any sort of direct pressure this way (in fact, if Commerce did apply pressure to ICANN to further US gov't interests and it came out, it would likely be quite detrimental to US Gov't efforts in places like the ITU).

Looking outside the US, ICANN has an advisory committee called the "Government Advisory Committee".
ICANN, in theory, doesn't have to listen to the GAC (they're an "advisory" committee after all), but to paraphrase George Orwell, some advisory committees are more equal than others.

> I only see chaos ahead especially with ipv6 coming into the scene.

Well, yes, I expect there to be a bit of chaos, but not really related to the P2P DNS stuff (if coming up with a non-hierarchical replacement for the DNS was easy, it'd have been done ages ago): IPv4 free pool exhaustion, IPv6 deployment, new generic TLDs, internationalized TLDs, etc... interesting times ahead.

Regards,
-drc

From pfunix at gmail.com Tue Dec 14 23:01:19 2010
From: pfunix at gmail.com (Beavis)
Date: Tue, 14 Dec 2010 23:01:19 -0600
Subject: Net-Neutrality or Net-Neutered?
In-Reply-To: <20101215045056.GB12881@sizone.org>
References: <20101215045056.GB12881@sizone.org>
Message-ID:

well if ICANN't .. maybe HECANN (*trying out humor*).

this idea of second internet doesn't make sense. icann alone is already a handful.

On Tue, Dec 14, 2010 at 10:50 PM, Ken wrote:
> On Tue, Dec 14, 2010 at 10:20:17PM -0600, Beavis said:
> >I came across this interesting link.
> >
> >http://blogs.techrepublic.com.com/security/?p=4828&tag=nl.e036
> >
> >Is ICANN really that susceptible to govt. pressure?
>
> Funny, tho - being susceptible to govt pressure CREATES an alt root DNS
> structure. You'd think the smart thinkers in the govt woulda figured
> that out. Apply pressure and it splinters. Sometimes easier to supervise
> if it's in one pile, no?
>
> Also, "new DNS = whole new internet"? lol.
>
> /kc
> --
> Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
>
>

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org
    - against proprietary attachments

Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/

From wschultz at bsdboy.com Tue Dec 14 23:17:22 2010
From: wschultz at bsdboy.com (Wil Schultz)
Date: Tue, 14 Dec 2010 21:17:22 -0800
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
Message-ID: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com>

http://thread.gmane.org/gmane.os.openbsd.tech/22557

This appears to be some serious FUD, but if true could have some serious implications for IPSEC stacks in all kinds of equipment.

-wil

From mysidia at gmail.com Tue Dec 14 23:38:36 2010
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 14 Dec 2010 23:38:36 -0600
Subject: Net-Neutrality or Net-Neutered?
In-Reply-To:
References:
Message-ID:

On Tue, Dec 14, 2010 at 10:20 PM, Beavis wrote:
> I came across this interesting link.
> http://blogs.techrepublic.com.com/security/?p=4828&tag=nl.e036
> Is ICANN really that susceptible to govt. pressure?
> I only see chaos ahead especially with ipv6 coming into the scene.

ICANN is subject to government pressure, but not in the way suggested; it should be obvious fairly quickly if the ICANN board creates new policies requiring registrars to provide a technical means to censor domains governments object to on request. It is possible that ICANN could create something like a UDRP for government censorship, but I don't see a public draft for that yet anyways.

ICANN is not the registrar of any domains or the registrar operator of the gTLDs, so ICANN lacks direct operational technical capability to "turn off" domains or implement government censorship; even if ICANN staff wished to do so.

Registrars and Registrar operators may be subject to government pressure, in the form of law enforcement requests or court orders that they change contact records and DNS records for a registered domain in the database that they are publishing on their set of servers that have the special status of globally recognized TLD server.
Just in the same way a court could issue an order to a RBL service to add (or remove) IP addresses from their community-recognized blacklist, against an RBL operator's will.

For most gTLD domains, the registrar would be the weakest link in the chain. Many registrars have a clause in the registration agreement that states something such as "You agree that we may, in our sole discretion, delete or transfer your domain name at any time." So the registrar not only could be pressured; many already opened the gate for them to respond in the manner they like.

In the current state of affairs; Network operators concerned about governmental interference with respect to their domains, should register multiple domains under different TLDs with registrar and registry operator in different jurisdictions. Or understand that (yes); DNS can be affected by governments, particularly where content is offensive to the local government and might be subject to censorship efforts.

--
-JH

From chaim.rieger at gmail.com Tue Dec 14 23:39:02 2010
From: chaim.rieger at gmail.com (Chaim Rieger)
Date: Tue, 14 Dec 2010 21:39:02 -0800
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com>
Message-ID:

On Tue, Dec 14, 2010 at 9:17 PM, Wil Schultz wrote:
> http://thread.gmane.org/gmane.os.openbsd.tech/22557
>
> This appears to be some serious FUD, but if true could have some serious implications for IPSEC stacks in all kinds of equipment.
>
> -wil
>

Does anyone remember the last time a law enforcement agency had someone sign a 10 year NDA on a backdoor?

"Oh, time's up, I can post it on Facebook now. Cool."

From ken at sizone.org Tue Dec 14 23:56:09 2010
From: ken at sizone.org (Ken Chase)
Date: Wed, 15 Dec 2010 00:56:09 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To:
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com>
Message-ID: <20101215055609.GH12881@sizone.org>

On Tue, Dec 14, 2010 at 09:39:02PM -0800, Chaim Rieger said:
>Does anyone remember the last time a law enforcement agency had
>someone sign a 10 year NDA on a backdoor?
>
>"Oh, time's up, I can post it on Facebook now. Cool."

22:42 <@smartboy> curious what the guy's motives really are. pretty sure the
                  NDA expiration on putting a backdoor into software for the
                  FBI would be "when you're dead"
22:42 <@smartboy> or "when you'd like to be dead"

/kc
--
Ken Chase - ken at heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

From joly at punkcast.com Wed Dec 15 00:14:45 2010
From: joly at punkcast.com (Joly MacFie)
Date: Wed, 15 Dec 2010 01:14:45 -0500
Subject: Net-Neutrality or Net-Neutered?
In-Reply-To:
References:
Message-ID:

Earlier this evening ISOC-NY hosted a talk "Nations and Networks" by Milton Mueller

http://www.livestream.com/isocny/video?clipId=pla_3df8a3b8-e2ee-489d-82d2-d5fb7fc432ef

At one point, he said that he'd had conversations with government insiders about their cracking of the whip on ICANN on matters like .xxx etc. Their response had been that the USA's main worry is that, unless they compromise with other governments on dns issues, the rest of the world may decide to jettison the USA root altogether..

of course, any messing with DNS smacks of hypocrisy after Hillary's rant about freedom and openness in the wake of the Google-China frisson a little while back.. I guess the argument would be that the freedom only applies to "legal" sites.. she also suggested in the same speech that anonymity was maybe a luxury that couldn't be afforded in a responsible internet..
http://themorningsidepost.com/2010/01/live-from-dc-21st-century-statecraft/

However it seems increasingly difficult to find a government that doesn't favor its sovereign right to maintain some kind of national blacklist, whether based on dns or ip. To illustrate the occasional foot in bucket effect of the latter he quoted the example of the virgin killer wikimedia incident http://www.dcs.warwick.ac.uk/~rlmw/iwf/Virgin_Killer.html - as noted there the proxy-based blocking system employed had the effect of rendering the entire UK unable to edit wikipedia.

The Internet Society has issued a statement criticizing technical efforts to suppress Wikileaks: http://www.isoc-ny.org/p2/?p=1597

j
--
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------

From nick.boyce at gmail.com Wed Dec 15 00:32:11 2010
From: nick.boyce at gmail.com (Nick Boyce)
Date: Wed, 15 Dec 2010 06:32:11 +0000
Subject: Windows Encryption Software
In-Reply-To:
References:
Message-ID:

On Fri, Dec 10, 2010 at 12:24 AM, Brandon Kim wrote:
> I want to know if there's software out there that will encrypt files on
> win2k3, winxp, win7, so that if someone decides to steal the computer
> and plug the harddrive into a USB external case, they won't be able
> to read the files on the harddrive.
>
> I know windows has bitlocker, but I don't know if that is available
> for Win2003? And it always seems like 3rd party apps seem to
> do a better job than what Microsoft gives you.

+1 Truecrypt

It's a very good solution, which lacks some of the complications of using BitLocker that others here have described, but is arguably just as secure in terms of cipher usage, and is very well written.
Please note that you do *not* have to use Truecrypt in whole-disk-encryption mode (the comment "*with Truecrypt, you need to type in the password to boot the computer*" is not necessarily true - it depends how you set it up). TC has a second usage mode in which you use it to create an encrypted container (in a conventional file or a dedicated disk partition) which appears as a Windows drive when "mounted" (by the TC driver software). I'd bet that far more people use it in this mode than those who use it for WDE ... many folks use it to keep data on memory sticks (and other portable storage media) safe.

Icing on the cake: TC also has Mac and Linux versions, and the container files are portable between all 3 environments.

Cheers
Nick

From mjwise at kapu.net Wed Dec 15 01:51:24 2010
From: mjwise at kapu.net (Michael J Wise)
Date: Tue, 14 Dec 2010 23:51:24 -0800
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <20101215055609.GH12881@sizone.org>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org>
Message-ID:

On Dec 14, 2010, at 9:56 PM, Ken Chase wrote:
> On Tue, Dec 14, 2010 at 09:39:02PM -0800, Chaim Rieger said:
>> Does anyone remember the last time a law enforcement agency had
>> someone sign a 10 year NDA on a backdoor?
>>
>> "Oh, time's up, I can post it on Facebook now. Cool."
>
> 22:42 <@smartboy> curious what the guy's motives really are. pretty sure the
>                   NDA expiration on putting a backdoor into software for the
>                   FBI would be "when you're dead"
> 22:42 <@smartboy> or "when you'd like to be dead"

Someone is confusing FBI with NSA, methinks. And yes, if this is the kind of thing not talked about, "NDA"s expire when you do. But seriously ... this would seem to be the kind of code that Smart People should be doing security audits on Just Because.

So rustle up a couple of PostDocs, and give them an idea for a Thesis, and yer set.

Aloha,
Michael.
--
"Please have your Internet License             http://kapu.net/~mjwise/
 and Usenet Registration handy..."

From laurent at guerby.net Wed Dec 15 04:23:54 2010
From: laurent at guerby.net (Laurent GUERBY)
Date: Wed, 15 Dec 2010 11:23:54 +0100
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net>
Message-ID: <1292408634.13327.383.camel@pc2.unassigned-domain>

On Tue, 2010-12-14 at 16:20 -0500, Ricky Beam wrote:
> On Tue, 14 Dec 2010 11:24:45 -0500, Craig L Uebringer
> wrote:
> > Same crap I've seen on loads of provider networks.
>
> No ISP I've ever worked for or with has ever willingly ran their transit
> (or peering) links at capacity.
>
> (Granted, I've been responsible for saturating links, but I moved user
> traffic off of them first.)
>
> --Ricky
>
> PS: TATA confirmed Comcast's behavior before anyone found any traffic
> graphs. We already knew they were gaming their own customer base.

According to:
http://en.wikipedia.org/wiki/Comcast
"Comcast has 15.930 million high-speed internet customers"

If a 10G port for transit is paid by comcast $30/Mbit/s monthly that's 0.19 cent/internet customer/month for a new 10G port to properly desaturate this particular link.

Did I compute something wrong?

Laurent

From nanog at hostleasing.net Wed Dec 15 04:31:19 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Wed, 15 Dec 2010 05:31:19 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <1292408634.13327.383.camel@pc2.unassigned-domain>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain>
Message-ID: <00f401cb9c43$36c9ae40$a45d0ac0$@net>

Laurent,

>If a 10G port for transit is paid by comcast $30/Mbit/s monthly
>that's 0.19 cent/internet customer/month for a new 10G port
>to properly desaturate this particular link.

>Did I compute something wrong?
>Laurent

Yes, now you need to multiply that by the numerous other ports that have the same conditions and need upgrades.

Randy

From laurent at guerby.net Wed Dec 15 04:44:46 2010
From: laurent at guerby.net (Laurent GUERBY)
Date: Wed, 15 Dec 2010 11:44:46 +0100
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <00f401cb9c43$36c9ae40$a45d0ac0$@net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <00f401cb9c43$36c9ae40$a45d0ac0$@net>
Message-ID: <1292409886.13327.393.camel@pc2.unassigned-domain>

On Wed, 2010-12-15 at 05:31 -0500, Randy Epstein wrote:
> Laurent,
>
> >If a 10G port for transit is paid by comcast $30/Mbit/s monthly
> >that's 0.19 cent/internet customer/month for a new 10G port
> >to properly desaturate this particular link.
>
> >Did I compute something wrong?
>
> >Laurent
>
> Yes, now you need to multiply that by the numerous other ports that have the
> same conditions and need upgrades.

If I look at:
http://www.ams-ix.net/statistics/

That's 1.2 Tbit/s peak for European biggest IX so 120 10G ports so about 22 cent/customer/month assuming Comcast alone generates this kind of bandwidth and pays what mom & pop AS pay for transit.

It still doesn't compute to me...

Laurent

From mikea at mikea.ath.cx Wed Dec 15 07:28:09 2010
From: mikea at mikea.ath.cx (mikea)
Date: Wed, 15 Dec 2010 07:28:09 -0600
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To:
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org>
Message-ID: <20101215132809.GA96801@mikea.ath.cx>

On Tue, Dec 14, 2010 at 11:51:24PM -0800, Michael J Wise wrote:
> On Dec 14, 2010, at 9:56 PM, Ken Chase wrote:
> > On Tue, Dec 14, 2010 at 09:39:02PM -0800, Chaim Rieger said:
> >> Does anyone remember the last time a law enforcement agency had
> >> someone sign a 10 year NDA on a backdoor?
> >>
> >> "Oh, time's up, I can post it on Facebook now. Cool."
> >
> > 22:42 <@smartboy> curious what the guy's motives really are. pretty sure the
> >                   NDA expiration on putting a backdoor into software for the
> >                   FBI would be "when you're dead"
> > 22:42 <@smartboy> or "when you'd like to be dead"
>
> Someone is confusing FBI with NSA, methinks. And yes, if this is
> the kind of thing not talked about, "NDA"s expire when you do. But
> seriously ... this would seem to be the kind of code that Smart People
> should be doing security audits on Just Because.
>
> So rustle up a couple of PostDocs, and give them an idea for a Thesis,
> and yer set.

More to the point, I think it wouldn't be an NDA, but a security classification on the knowledge of the backdoors, and probably one not subject to automatic downgrading.

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From ml at kenweb.org Wed Dec 15 09:09:05 2010
From: ml at kenweb.org (ML)
Date: Wed, 15 Dec 2010 10:09:05 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <1292408634.13327.383.camel@pc2.unassigned-domain>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain>
Message-ID: <4D08DA11.3010504@kenweb.org>

> According to:
> http://en.wikipedia.org/wiki/Comcast
> "Comcast has 15.930 million high-speed internet customers"
>
> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
> that's 0.19 cent/internet customer/month for a new 10G port
> to properly desaturate this particular link.
>
> Did I compute something wrong?
>
> Laurent

Assuming that I did my math right.

It's actually 1.9 cents/month/per customer.

Assuming they pay $30/meg...
From jared at puck.nether.net Wed Dec 15 09:22:58 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 15 Dec 2010 10:22:58 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D08DA11.3010504@kenweb.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org>
Message-ID:

On Dec 15, 2010, at 10:09 AM, ML wrote:

>
>> According to:
>> http://en.wikipedia.org/wiki/Comcast
>> "Comcast has 15.930 million high-speed internet customers"
>>
>> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
>> that's 0.19 cent/internet customer/month for a new 10G port
>> to properly desaturate this particular link.
>>
>> Did I compute something wrong?
>>
>> Laurent
>
> Assuming that I did my math right.
>
> It's actually 1.9 cents/month/per customer.
>
> Assuming they pay $30/meg...
>

Assuming you understand some networks' end-to-end costs without access to their data may result in suboptimal outcomes.

- Jared

From jlewis at lewis.org Wed Dec 15 10:46:13 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 15 Dec 2010 11:46:13 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <1292408634.13327.383.camel@pc2.unassigned-domain>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain>
Message-ID:

On Wed, 15 Dec 2010, Laurent GUERBY wrote:

> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
> that's 0.19 cent/internet customer/month for a new 10G port
> to properly desaturate this particular link.
>
> Did I compute something wrong?

At that bandwidth level, isn't $30/mbit roughly an order of magnitude higher than people are actually paying?
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From lists at mtin.net Wed Dec 15 10:49:59 2010
From: lists at mtin.net (Justin Wilson)
Date: Wed, 15 Dec 2010 11:49:59 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
Message-ID:

At 10 Gig levels bandwidth should be much much cheaper than $30 /Mbit.

--
Justin Wilson
Aol & Yahoo IM: j2sw
http://www.mtin.net/blog - xISP News
http://www.twitter.com/j2sw - Follow me on Twitter
Wisp Consulting - Tower Climbing - Network Support

From: Jon Lewis
Date: Wed, 15 Dec 2010 11:46:13 -0500 (EST)
To:
Subject: Re: Some truth about Comcast - WikiLeaks style

On Wed, 15 Dec 2010, Laurent GUERBY wrote:

> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
> that's 0.19 cent/internet customer/month for a new 10G port
> to properly desaturate this particular link.
>
> Did I compute something wrong?

At that bandwidth level, isn't $30/mbit roughly an order of magnitude higher than people are actually paying?

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sfouant at shortestpathfirst.net Wed Dec 15 11:00:56 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Wed, 15 Dec 2010 12:00:56 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <20101215132809.GA96801@mikea.ath.cx>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx>
Message-ID: <025d01cb9c79$a4fe82b0$eefb8810$@net>

> -----Original Message-----
> From: mikea [mailto:mikea at mikea.ath.cx]
> Sent: Wednesday, December 15, 2010 8:28 AM
> To: nanog at nanog.org
> Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
>
>
>
> > Someone is confusing FBI with NSA, methinks. And yes, if this is
> > the kind of thing not talked about, "NDA"s expire when you do. But
> > seriously ... this would seem to be the kind of code that Smart
> People
> > should be doing security audits on Just Because.
> >
> > So rustle up a couple of PostDocs, and give them an idea for a
> Thesis,
> > and yer set.
>
> More to the point, I think it wouldn't be an NDA, but a security
> classification on the knowledge of the backdoors, and probably one not
> subject to automatic downgrading.

Please pardon my ignorance on the matter as I am not involved in any way with Open Source development, but it stands to reason that anything of this sort would have been scrutinized by the many developers involved with OpenBSD and surely would have been discovered at some point. And to further that point, is this not something that can be verified now if this code is still in the public domain? Or is writing a crypto stack such an esoteric task that only a relegated few can possibly decipher the inner workings?

Not that I don't love a good government conspiracy theory, and yes I do believe there are a fair amount of backdoors in most code (including that of many private and publicly held corporations)... but open source? Just seems unlikely to me based on my limited understanding...

Stefan

From mikea at mikea.ath.cx Wed Dec 15 11:07:48 2010
From: mikea at mikea.ath.cx ('mikea')
Date: Wed, 15 Dec 2010 11:07:48 -0600
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <025d01cb9c79$a4fe82b0$eefb8810$@net>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net>
Message-ID: <20101215170748.GA953@mikea.ath.cx>

On Wed, Dec 15, 2010 at 12:00:56PM -0500, Stefan Fouant wrote:
> > -----Original Message-----
> > From: mikea [mailto:mikea at mikea.ath.cx]
> > Sent: Wednesday, December 15, 2010 8:28 AM
> > To: nanog at nanog.org
> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
> >
> >
> >
> > > Someone is confusing FBI with NSA, methinks. And yes, if this is
> > > the kind of thing not talked about, "NDA"s expire when you do. But
> > > seriously ... this would seem to be the kind of code that Smart
> > People
> > > should be doing security audits on Just Because.
> > >
> > > So rustle up a couple of PostDocs, and give them an idea for a
> > Thesis,
> > > and yer set.
> >
> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point. And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?
>
> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...
In sober honesty, I doubt that there are any backdoors in any *BSD crypto stack that is really open source -- modulo the issues set out in "On trusting trust". But while I doubt it, that doesn't mean that I'm certain there are none.

At this point, a real Conspiracy Theorist (TM) would ramble on about how all the *BSD crypto stack folks either were co-opted by the NSA or were under threat of death or worse if they talked.

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From Greg.Whynott at oicr.on.ca Wed Dec 15 11:12:12 2010
From: Greg.Whynott at oicr.on.ca (Greg Whynott)
Date: Wed, 15 Dec 2010 12:12:12 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <20101215132809.GA96801@mikea.ath.cx>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx>
Message-ID: <87BCAF4F-EAFA-4BD6-A25E-9D86DA5F5358@oicr.on.ca>

update.. hoax it appears.

http://www.itworld.com/open-source/130820/openbsdfbi-allegations-denied-named-participant

--
This message and any attachments may contain confidential and/or privileged information for the sole use of the intended recipient. Any review or distribution by anyone other than the person for whom it was originally intended is strictly prohibited. If you have received this message in error, please contact the sender and delete all copies. Opinions, conclusions or other information contained in this message may not be that of the organization.
From kevin at safelink.net Wed Dec 15 11:15:47 2010
From: kevin at safelink.net (Kevin Neal)
Date: Wed, 15 Dec 2010 10:15:47 -0700
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D08DA11.3010504@kenweb.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org>
Message-ID:

Also assuming the backbone and distribution upgrades required between their data centers and their customers cost nothing. It's not free to get bandwidth from Point A (port with TATA) to Point B (Customer).

-Kevin Neal

On Wed, Dec 15, 2010 at 8:09 AM, ML wrote:

>
>> According to:
>> http://en.wikipedia.org/wiki/Comcast
>> "Comcast has 15.930 million high-speed internet customers"
>>
>> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
>> that's 0.19 cent/internet customer/month for a new 10G port
>> to properly desaturate this particular link.
>>
>> Did I compute something wrong?
>>
>> Laurent
>
> Assuming that I did my math right.
>
> It's actually 1.9 cents/month/per customer.
>
> Assuming they pay $30/meg...
>

From sixtwelveohtwo at gmail.com Wed Dec 15 11:17:50 2010
From: sixtwelveohtwo at gmail.com (Ben)
Date: Wed, 15 Dec 2010 09:17:50 -0800
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <025d01cb9c79$a4fe82b0$eefb8810$@net>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net>
Message-ID:

On Wed, Dec 15, 2010 at 9:00 AM, Stefan Fouant <
sfouant at shortestpathfirst.net> wrote:

> > -----Original Message-----
> > From: mikea [mailto:mikea at mikea.ath.cx]
> > Sent: Wednesday, December 15, 2010 8:28 AM
> > To: nanog at nanog.org
> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
> >
> >
> >
> > > Someone is confusing FBI with NSA, methinks.
> > > And yes, if this is
> > > the kind of thing not talked about, "NDA"s expire when you do. But
> > > seriously ... this would seem to be the kind of code that Smart
> > People
> > > should be doing security audits on Just Because.
> > >
> > > So rustle up a couple of PostDocs, and give them an idea for a
> > Thesis,
> > > and yer set.
> >
> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point. And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?
>
> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...
>
> Stefan
>

Stefan,

I wouldn't want to debate whether or not this specific theoretical "back door" exists (since it seems to be less than marginally credible at this point,) but it is more plausible than you might think. I believe that most of us have a fairly static situation that we think of when we hear "back door" as it pertains to technology and software. This, however, is an alleged "back door" (though perhaps describing it as a weakness is less likely to elicit tin-foil-hat-type predictions) in the crypto.
There are tons of brilliant developers in the open source *and* commercial community that could spot a back door in the *code* in a heartbeat. The alleged weakness here, however, is far more likely to be a mathematical weakness in the actual crypto algorithms which wouldn't stand out to most developers - even the top-end folks. Ultimately, it will probably come down to crypto-nerds and mathematicians to verify the algorithms that were used rather than just putting great programming eyes on the code.

Such things have happened before, though with much less fanfare to the general community. For example:

http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

// Ben S.

From the.lists at mgm51.com Wed Dec 15 12:20:55 2010
From: the.lists at mgm51.com (Mike.)
Date: Wed, 15 Dec 2010 13:20:55 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To:
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net>
Message-ID: <201012151320550382.0090FCD7@sentry.24cl.com>

On 12/15/2010 at 9:17 AM Ben wrote:

|On Wed, Dec 15, 2010 at 9:00 AM, Stefan Fouant <
|sfouant at shortestpathfirst.net> wrote:
|
|> > -----Original Message-----
|> > From: mikea [mailto:mikea at mikea.ath.cx]
|> > Sent: Wednesday, December 15, 2010 8:28 AM
|> > To: nanog at nanog.org
|> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
[snip]
=============

Another relevant comment from the OpenBSD tech mailing list:

http://www.marc.info/?l=openbsd-tech&m=129237675106730&w=2

From sparctacus at gmail.com Wed Dec 15 12:25:53 2010
From: sparctacus at gmail.com (Bryan Irvine)
Date: Wed, 15 Dec 2010 10:25:53 -0800
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <201012151320550382.0090FCD7@sentry.24cl.com>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net> <201012151320550382.0090FCD7@sentry.24cl.com>
Message-ID:

On Wed, Dec 15, 2010 at 10:20 AM, Mike. wrote:
>
> On 12/15/2010 at 9:17 AM Ben wrote:
>
> |On Wed, Dec 15, 2010 at 9:00 AM, Stefan Fouant <
> |sfouant at shortestpathfirst.net> wrote:
> |
> |> > -----Original Message-----
> |> > From: mikea [mailto:mikea at mikea.ath.cx]
> |> > Sent: Wednesday, December 15, 2010 8:28 AM
> |> > To: nanog at nanog.org
> |> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
> [snip]
> =============
>
>
> Another relevant comment from the OpenBSD tech mailing list:
>
>
> http://www.marc.info/?l=openbsd-tech&m=129237675106730&w=2

Also, the original sender of the email confirms he sent it. Also mentions PF as a target in the follow-up.

http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd

Anyone know the trustworthy-ness of 'csoonline'?

-Bryan

From paul at paulgraydon.co.uk Wed Dec 15 12:28:23 2010
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Wed, 15 Dec 2010 08:28:23 -1000
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D08DA11.3010504@kenweb.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org>
Message-ID: <4D0908C7.6000100@paulgraydon.co.uk>

On 12/15/2010 05:09 AM, ML wrote:
>
>> According to:
>> http://en.wikipedia.org/wiki/Comcast
>> "Comcast has 15.930 million high-speed internet customers"
>>
>> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
>> that's 0.19 cent/internet customer/month for a new 10G port
>> to properly desaturate this particular link.
>>
>> Did I compute something wrong?
>>
>> Laurent
>
> Assuming that I did my math right.
>
> It's actually 1.9 cents/month/per customer.
>
> Assuming they pay $30/meg...
>

Probably preaching to the choir here, but there are a lot more costs than that involved. It's all right having the bandwidth at transit points, but you've got to be able to get the bandwidth to the customers' locations. With no idea of what Comcast's distribution is like, for all we know the graph could be one transit point in one area of the country and indicative of poor localised behaviour rather than centralised.

Virgin Media were notorious in various cities in the UK for over-saturating the local network. Out in the towns and smaller cities you'd be okay and have no problem saturating a 20Mb line, but often whole areas of London, Manchester and the like would suffer high latency, packet loss and so on during 'peak' hours because they would oversell their infrastructure (12am-10am fine, then steadily worse until unusable come the evening). They only seemed to add more capacity to the areas when enough people complained.

IMO two network graphs are next to useless out of context.

Paul

From sthaug at nethelp.no Wed Dec 15 13:02:15 2010
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 15 Dec 2010 20:02:15 +0100 (CET)
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <025d01cb9c79$a4fe82b0$eefb8810$@net>
References: <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net>
Message-ID: <20101215.200215.74680419.sthaug@nethelp.no>

> > More to the point, I think it wouldn't be an NDA, but a security
> > classification on the knowledge of the backdoors, and probably one not
> > subject to automatic downgrading.
>
> Please pardon my ignorance on the matter as I am not involved in any way
> with Open Source development, but it stands to reason that anything of this
> sort would have been scrutinized by the many developers involved with
> OpenBSD and surely would have been discovered at some point.
> And to further
> that point, is this not something that can be verified now if this code is
> still in the public domain? Or is writing a crypto stack such an esoteric
> task that only a relegated few can possibly decipher the inner workings?

See Ken Thompson's classic paper "Reflections on trusting trust",

http://en.wikipedia.org/wiki/Backdoor_(computing)#Reflections_on_Trusting_Trust
http://cm.bell-labs.com/who/ken/trust.html

> Not that I don't love a good government conspiracy theory, and yes I do
> believe there are a fair amount of backdoors in most code (including that of
> many private and publicly held corporations)... but open source? Just seems
> unlikely to me based on my limited understanding...

The world is not that simple.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jeffrey.lyon at blacklotus.net Wed Dec 15 13:13:37 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Wed, 15 Dec 2010 14:13:37 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID:

They can't be paying more than a couple of dollars per Mbps.

Jeff

On Wed, Dec 15, 2010 at 11:49 AM, Justin Wilson wrote:
>    At 10 Gig levels bandwidth should be much much cheaper than $30 /Mbit.
> --
> Justin Wilson
> Aol & Yahoo IM: j2sw
> http://www.mtin.net/blog - xISP News
> http://www.twitter.com/j2sw - Follow me on Twitter
> Wisp Consulting - Tower Climbing - Network Support
>
>
>
>
> From: Jon Lewis
> Date: Wed, 15 Dec 2010 11:46:13 -0500 (EST)
> To:
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> On Wed, 15 Dec 2010, Laurent GUERBY wrote:
>
>> If a 10G port for transit is paid by comcast $30/Mbit/s monthly
>> that's 0.19 cent/internet customer/month for a new 10G port
>> to properly desaturate this particular link.
>>
>> Did I compute something wrong?
>
> At that bandwidth level, isn't $30/mbit roughly an order of magnitude
> higher than people are actually paying?
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From jbates at brightok.net Wed Dec 15 13:17:19 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 15 Dec 2010 13:17:19 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID: <4D09143F.3000308@brightok.net>

On 12/15/2010 1:13 PM, Jeffrey Lyon wrote:
> They can't be paying more than a couple of dollars per Mbps.
>

$10 tops for any provider that can hand off a 10GE pipe; and at full-rate multiple 10GE, you can expect it to be less than $5.

Jack

From jeffrey.lyon at blacklotus.net Wed Dec 15 13:25:53 2010
From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon)
Date: Wed, 15 Dec 2010 14:25:53 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D09143F.3000308@brightok.net>
References: <4D09143F.3000308@brightok.net>
Message-ID:

From Tata? I'd eat my own hand if they were paying more than $1-2 across the board.

Jeff

On Wed, Dec 15, 2010 at 2:17 PM, Jack Bates wrote:
> On 12/15/2010 1:13 PM, Jeffrey Lyon wrote:
>>
>> They can't be paying more than a couple of dollars per Mbps.
>>
>
> $10 tops for any provider that can hand off a 10GE pipe; and at full-rate
> multiple 10GE, you can expect it to be less than $5.
>
>
> Jack
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

From lists at eitanadler.com Wed Dec 15 13:33:23 2010
From: lists at eitanadler.com (Eitan Adler)
Date: Wed, 15 Dec 2010 14:33:23 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <20101215.200215.74680419.sthaug@nethelp.no>
References: <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net> <20101215.200215.74680419.sthaug@nethelp.no>
Message-ID:

> See Ken Thompson's classic paper "Reflections on trusting trust",

Also see David A Wheeler's "Countering Trusting Trust through Diverse Double-Compiling"

--
Eitan Adler

From justin.horstman at gorillanation.com Wed Dec 15 13:41:01 2010
From: justin.horstman at gorillanation.com (Justin Horstman)
Date: Wed, 15 Dec 2010 11:41:01 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <4D09143F.3000308@brightok.net>
Message-ID: <8C164D3BAF7C7F41B9B286385037B13111BECC5059@lax-exch-fe-01.gorillanation.local>

You mean it is not a settlement free peering agreement?

(sorry top post, following trend)

~J

> -----Original Message-----
> From: Jeffrey Lyon [mailto:jeffrey.lyon at blacklotus.net]
> Sent: Wednesday, December 15, 2010 11:26 AM
> To: Jack Bates
> Cc: nanog at nanog.org
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> From Tata? I'd eat my own hand if they were paying more than $1-2
> across the board.
>
> Jeff
>
> On Wed, Dec 15, 2010 at 2:17 PM, Jack Bates
> wrote:
> > On 12/15/2010 1:13 PM, Jeffrey Lyon wrote:
> >>
> >> They can't be paying more than a couple of dollars per Mbps.
> >>
> >
> > $10 tops for any provider that can hand off a 10GE pipe; and at full-
> rate
> > multiple 10GE, you can expect it to be less than $5.
> >
> >
> > Jack
> >
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions

From ryan.finnesey at HarrierInvestments.com Wed Dec 15 13:52:37 2010
From: ryan.finnesey at HarrierInvestments.com (Ryan Finnesey)
Date: Wed, 15 Dec 2010 11:52:37 -0800
Subject: peering, derivatives, and big brother
In-Reply-To: <1292270846.13327.234.camel@pc2.unassigned-domain>
References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> <1292270846.13327.234.camel@pc2.unassigned-domain>
Message-ID: <6EFFEFBAC68377459A2E972105C759EC032C02D5@EXVBE005-2.exch005intermedia.net>

I remember 5 years ago a company called Invisible Hand Networks that tried something like that.

Cheers
Ryan

-----Original Message-----
From: Laurent GUERBY [mailto:laurent at guerby.net]
Sent: Monday, December 13, 2010 3:07 PM
To: George Bonser
Cc: nanog at nanog.org
Subject: Re: peering, derivatives, and big brother

On Sun, 2010-12-12 at 19:36 -0800, George Bonser wrote:
> (...) The financial derivatives market isn't, in my opinion, a good
> analogy of the peering market. A data packet is "perishable" and must
> be moved quickly. The destination network wants the packet in order
> to keep their customer happy and the originating network wants to get
> it to that customer as quickly and cheaply as possible. The
> proliferation of these peering points means that today there is more
> traffic going directly from content network to eyeball network. To
> use a different analogy, it is almost like the market is going to a
> series of farmer's markets rather than supermarkets in the
> distribution channel. Sure, there are still the "supermarkets" out
> there, but increasingly they are selling their "store brand" by
> becoming content hosting networks themselves. (...)
Hi,

The electricity spot market is close to your definition of "perishable":

http://en.wikipedia.org/wiki/Electricity_market

It has a derivative market; googling for "electricity derivatives" will give you some papers and models. I'm pretty sure electricity and bandwidth share some patterns.

Now who wants to be the Enron of the bandwidth market? :)

Sincerely,

Laurent
http://guerby.org/blog

From ras at e-gerbil.net Wed Dec 15 14:01:39 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 15 Dec 2010 14:01:39 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <4D09143F.3000308@brightok.net>
Message-ID: <20101215200139.GQ38726@gerbil.cluepon.net>

On Wed, Dec 15, 2010 at 02:25:53PM -0500, Jeffrey Lyon wrote:
> From Tata? I'd eat my own hand if they were paying more than $1-2
> across the board.

I know people who have offered them hundreds of gigs of settlement free transit (including myself), but clearly they aren't interested. FYI a large number of their wholesale transit/paid peering customer agreements include clauses which prohibit the resale of services to other parties too. They don't want one person being able to buy capacity into their network, then provide it to others.

Remember their goal isn't to save money on transit, it's to make the transit paths minimally functional so they can force content networks to buy from them directly (at above market rates, from what people tell me :P), so they don't WANT to add capacity or transit paths.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From the.lists at mgm51.com Wed Dec 15 14:29:28 2010
From: the.lists at mgm51.com (Mike.)
Date: Wed, 15 Dec 2010 15:29:28 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To:
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net> <201012151320550382.0090FCD7@sentry.24cl.com>
Message-ID: <201012151529280238.0106AD25@sentry.24cl.com>

On 12/15/2010 at 10:25 AM Bryan Irvine wrote:

|On Wed, Dec 15, 2010 at 10:20 AM, Mike. wrote:
|>
|> On 12/15/2010 at 9:17 AM Ben wrote:
|>
|> |On Wed, Dec 15, 2010 at 9:00 AM, Stefan Fouant <
|> |sfouant at shortestpathfirst.net> wrote:
|> |
|> |> > -----Original Message-----
|> |> > From: mikea [mailto:mikea at mikea.ath.cx]
|> |> > Sent: Wednesday, December 15, 2010 8:28 AM
|> |> > To: nanog at nanog.org
|> |> > Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
|> [snip]
|> =============
|>
|>
|> Another relevant comment from the OpenBSD tech mailing list:
|>
|>
|> http://www.marc.info/?l=openbsd-tech&m=129237675106730&w=2
|
|Also, the original sender of the email confirms he sent it. Also
|mentions PF as a target in the follow-up.
|
|http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd
|
|Anyone know the trustworthy-ness of 'csoonline'?
=============

Someone's putting up a bounty ...

http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

From dooser at gmail.com Wed Dec 15 14:51:05 2010
From: dooser at gmail.com (Mikel Waxler)
Date: Wed, 15 Dec 2010 15:51:05 -0500
Subject: Some truth about Comcast - WikiLeaks style
Message-ID:

It seems you are making some false assertions.

1) "If you were a Comcast customer attempting to stream Netflix via this connection, the movie would be completely unwatchable."

This is a false conclusion. Bandwidth is not allocated in static blocks on a first come first serve basis. It is shared across all users. So adding a single user only slows the speed of all connections proportionally.
In a pool of roughly 16 million customers (across all regions) a single new connection would not noticeably affect others.

2) "Comcast claims that a good network maintains a 1:1 "

I have never heard them assert that. I have heard them assert that they have peering agreements with other providers. Those agreements assert that if the bandwidth ratio remains the same, or close, then neither party will charge the other. For an end user network like comcast, that will never be 1:1. For a larger network connecting to Level3 or TaTa, that might be 1:1. Having a peering agreement does not in any way imply a ratio.

3) You assert that the bandwidth is capped and if Comcast purchased more bandwidth it would not hit the cap.

With 16 million customers and ~20mbit connections average they would need a 320 terabit connection to ensure that they never hit the cap. The reality is that most customers do not make uncapped connections. File servers cap bandwidth per user and certain services, like gaming or streaming media, have a maximum rate. As long as the average data rate allocated per customer is close to the usage then customers will not notice the difference. Does it matter if it takes 10 seconds or 15 seconds to download a 5 minute youtube clip?

Could Comcast purchase more bandwidth and speed up a percentage of their users? Probably yes. Would it drive up the cost of monthly internet? Yes. Is your Comcast internet connection too slow to perform reasonable tasks at a decent rate? Mine is not.

I am not asserting that Comcast has enough bandwidth, just that some of your assertions are not valid.

From sfouant at shortestpathfirst.net Wed Dec 15 14:58:43 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Wed, 15 Dec 2010 15:58:43 -0500
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <201012151529280238.0106AD25@sentry.24cl.com>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx> <025d01cb9c79$a4fe82b0$eefb8810$@net> <201012151320550382.0090FCD7@sentry.24cl.com> <201012151529280238.0106AD25@sentry.24cl.com>
Message-ID: <02ce01cb9c9a$dcc38990$964a9cb0$@net>

> -----Original Message-----
> From: Mike. [mailto:the.lists at mgm51.com]
> Sent: Wednesday, December 15, 2010 3:29 PM
> To: nanog at nanog.org
> Subject: Re: Alleged backdoor in OpenBSD's IPSEC implementation.
>
> On 12/15/2010 at 10:25 AM Bryan Irvine wrote:
> |
> |Anyone know the trustworthy-ness of 'csoonline'?
> =============
>
> Someone's putting up a bounty ...
>
> http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

It might just be me, but a few hundred bucks just doesn't seem like enough to warrant potentially receiving a visit from the men in black...

Stefan

From jlewis at lewis.org Wed Dec 15 15:51:19 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 15 Dec 2010 16:51:19 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID:

On Wed, 15 Dec 2010, Mikel Waxler wrote:

> 1) "If you were a Comcast customer attempting to stream Netflix via this
> connection, the movie would be completely unwatchable."
>
> This is a false conclusion. Bandwidth is not allocated in static blocks on a
> first come first serve basis. It is shared across all users. So adding a
> single user only slows the speed of all connections proportionally. In a
> pool roughly 16 million customers (across all regions) a single new
> connection would not noticeably affect others.

When the pipes are full, and the latency is up closer to 1s vs a more reasonable 20-100ms, and you have a few percent packet loss, do movies continue to stream? Where are they streaming from?
Over the TATA transit, a non-congested Level3 pipe, or on-net CDN servers?

> 2) "Comcast claims that a good network maintains a 1:1 "
>
> I have never heard them assert that. I have heard them assert that they have
> peering agreements with other providers. Those agreements assert that if the
> bandwidth ratio remains the same, or close, that neither party will charge
> the other. For an end user network like comcast, that will never be 1:1. For
> a larger network connecting to Level3 or TaTa, that might be 1:1.

Ratios only make sense between peers. When you're buying transit, you don't get to enforce ratios and tell your transit providers you're not going to pay (or they're going to pay you) because they're sending you too much traffic. Back when I ran a dialup network, and our traffic profile was maybe 5:1 input vs output, UUnet would have laughed at me and shut us off if I told them "you're sending us traffic at a 5:1 ratio...because you're sending us so much more traffic than we send you, you're going to have to pay us to deliver that traffic." Comcast can only get away with that because of their monopoly (captive userbase) and size.

> 3) You assert that the bandwidth is capped and if Comcast purchased more
> bandwidth it would not hit the cap.
>
> With 16 million customers and ~20mbit connections average they would need a
> 320 terabit connection to ensure that they never hit the cap.

That depends on your definition of 'never'. You can oversell your network capacity...everyone does...and not run with the pipes full 99% or better of the time. A responsible network keeps track of bandwidth trends and plans capacity upgrades as needed. Comcast is allegedly intentionally running their transit at or beyond capacity (and removing bandwidth capacity instead of adding it, to keep their transit full) and then bullying content providers into buying access to the Comcast network to avoid the congested transit links.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jbates at brightok.net Wed Dec 15 16:09:11 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 15 Dec 2010 16:09:11 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID: <4D093C87.1020204@brightok.net>

On 12/15/2010 3:51 PM, Jon Lewis wrote:
>
> That depends on your definition of 'never'. You can oversell your
> network capacity...everyone does...and not run with the pipes full 99%
> or better of the time.

At max capacity, we'd run roughly double our total transit capacity, yet we rarely exceed 70% of N+1 bandwidth before upgrading. Perhaps my model doesn't scale when people utilize multiple 10G, though, as I know I have several burstable 10G available for special events and such as a just in case option. The price of 100G interfaces currently is still too high for someone to actually want a burstable 100G circuit with only a 30 or 50 gig commit.

Jack

From Valdis.Kletnieks at vt.edu Wed Dec 15 16:13:02 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 15 Dec 2010 17:13:02 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: Your message of "Wed, 15 Dec 2010 15:51:05 EST."
References:
Message-ID: <22800.1292451182@localhost>

On Wed, 15 Dec 2010 15:51:05 EST, Mikel Waxler said:
> The reality is that most customers do not make uncapped connections. File
> servers cap bandwidth per user and certain services, like gaming or
> streaming media have a maximum rate. As long as the average data rate
> allocated per customer is close to the usage then customers will not notice
> the difference. Does it matter if it takes 10 seconds or 15 seconds to
> download a 5 minute youtube clip?
The problem starts when the choke point is congested enough that the question isn't "10 seconds or 15", it's "4 mins 30 or 5 mins 30 for that 5 minute clip". Buffer underruns are incredibly annoying.

From nangel at tetrasec.net Wed Dec 15 16:34:50 2010
From: nangel at tetrasec.net (Nathan Angelacos)
Date: Wed, 15 Dec 2010 14:34:50 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <22800.1292451182@localhost>
References: <22800.1292451182@localhost>
Message-ID: <4D09428A.7010302@tetrasec.net>

On 12/15/10 14:13, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 15 Dec 2010 15:51:05 EST, Mikel Waxler said:
>
>> The reality is that most customers do not make uncapped connections. File
>> servers cap bandwidth per user and certain services, like gaming or
>> streaming media have a maximum rate. As long as the average data rate
>> allocated per customer is close to the usage then customers will not notice
>> the difference. Does it matter if it takes 10 seconds or 15 seconds to
>> download a 5 minute youtube clip?
>
> The problem starts when the choke point is congested enough that the
> question isn't "10 seconds or 15", it's "4 mins 30 or 5 mins 30 for that 5
> minute clip". Buffer underruns are incredibly annoying.
>

Or, from personal experience: The movie stops because the buffer was exhausted, Netflix informs you "Your network connection has changed", shows a progress bar while it buffers /at a lower bitrate/. Then you get to watch the rest of the movie like it was 1995.
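The buffer underrun and "rebuffer at a lower bitrate" behaviour described in the two messages above, as an added example that is not code from the thread: a one-second-tick model of a streaming client. Clip length, bitrates and throughput values are constructed, and the rebuffering policy (refill 5 s, then optionally drop to a fallback rendition) is an assumption, not any real client's logic.

```python
"""Playback-buffer model: a clip that is fetched slower than it plays stalls,
rebuffers, and (optionally) continues at a lower bitrate.  Added example; all
numbers below are constructed, not measured from any network."""

EPS = 1e-9  # tolerance for float comparisons on buffered seconds


def download_time_s(clip_s, bitrate_kbps, throughput_kbps):
    """Wall-clock seconds to fetch the whole clip at a constant throughput
    (the "4 mins 30 or 5 mins 30 for a 5 minute clip" framing)."""
    return clip_s * bitrate_kbps / throughput_kbps


def simulate_playback(throughput_kbps, clip_s, bitrate_kbps,
                      startup_buffer_s=5, rebuffer_s=5,
                      fallback_bitrate_kbps=None):
    """Discrete-time (1 s ticks) model of a streaming client.

    throughput_kbps: list of per-second download rates on the path; the last
                     value repeats once the list is exhausted.
    clip_s:          clip length in seconds of content.
    bitrate_kbps:    encoded bitrate of the rendition played first.
    fallback_bitrate_kbps: if set, the client fetches the remaining content at
                     this bitrate after its first stall (assumed policy).
    Returns (wall_clock_s, stall_count, stalled_s).
    """
    buffered_s = 0.0    # seconds of content sitting in the client buffer
    downloaded_s = 0.0  # seconds of content fetched so far
    played_s = 0
    stalls = 0
    stalled_s = 0
    playing = False
    started = False
    target = startup_buffer_s
    bitrate = bitrate_kbps

    for t in range(10 * clip_s + 100):  # hard upper bound on the run
        if t < len(throughput_kbps):
            rate = throughput_kbps[t]
        else:
            rate = throughput_kbps[-1]
        # 1. fetch: one wall second buys rate/bitrate seconds of content
        if downloaded_s + EPS < clip_s:
            chunk = min(rate / bitrate, clip_s - downloaded_s)
            downloaded_s += chunk
            buffered_s += chunk
        # 2. (re)start once the buffer target is met or the clip is complete
        if not playing and (buffered_s + EPS >= target
                            or downloaded_s + EPS >= clip_s):
            playing = True
        if not playing:
            if started:
                stalled_s += 1  # viewer is watching the progress bar
            continue
        started = True
        # 3. play one second if it is in hand, otherwise stall and rebuffer
        if buffered_s + EPS >= 1.0:
            buffered_s -= 1.0
            played_s += 1
            if played_s >= clip_s:
                return t + 1, stalls, stalled_s
        else:
            playing = False
            stalls += 1
            stalled_s += 1
            target = rebuffer_s
            if fallback_bitrate_kbps is not None:
                bitrate = fallback_bitrate_kbps  # "like it was 1995"
    raise RuntimeError("playback did not finish within the tick bound")


if __name__ == "__main__":
    CLIP, BITRATE = 300, 4000  # constructed: 5 minute clip at 4 Mbps
    print("uncongested 8 Mbps:", simulate_playback([8000], CLIP, BITRATE))
    print("congested 2 Mbps:  ", simulate_playback([2000], CLIP, BITRATE))
    print("2 Mbps + fallback: ", simulate_playback([2000], CLIP, BITRATE,
                                                   fallback_bitrate_kbps=2000))
    print("download time at 2 Mbps:", download_time_s(CLIP, BITRATE, 2000), "s")
```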
From nanog at hostleasing.net Wed Dec 15 16:37:23 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Wed, 15 Dec 2010 17:37:23 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID: <01bb01cb9ca8$a4dc4950$ee94dbf0$@net>

Jon,

>Ratios only make sense between peers. When you're buying transit, you
>don't get to enforce ratios and tell your transit providers you're not
>going to pay (or they're going to pay you) because they're sending you too
>much traffic. Back when I ran a dialup network, and our traffic profile
>was maybe 5:1 input vs output, UUnet would have laughed at me and shut us
>off if I told them "you're sending us traffic at a 5:1 ratio...because
>you're sending us so much more traffic than we send you, you're going to
>have to pay us to deliver that traffic." Comcast can only get away with
>that because of their monopoly (captive userbase) and size.

I agree with most of your reply. In regards to ratios, I firmly believe they don't make sense between peers as well. When you operate an eyeball network, you need to expect that your users are pulling the data from the content providers. Your ratios will always be unbalanced with most of your peers.

If ratios are really a concern and you really need to maximize your port capacity, there are ways to balance this; balance your customer base. Start hosting content. Now, this might not help on private peering interconnects, but if you peer publicly, this will help you balance (and take advantage of) your public peering capacity.

Either way, ratios are very 1990s. As has been mentioned before, it was more of an excuse not to peer by the monopolistic entities that made up a big portion of the Internet in the 90s and isn't very relevant today.
Randy

From dooser at gmail.com Wed Dec 15 16:44:58 2010
From: dooser at gmail.com (dooser at gmail.com)
Date: Wed, 15 Dec 2010 22:44:58 +0000
Subject: Some truth about Comcast - WikiLeaks style
Message-ID: <718955553-1292453101-cardhu_decombobulator_blackberry.rim.net-1375263354-@bda2841.bisx.prod.on.blackberry>

Again, I was not commenting on the state of comcast's pipe. God knows I want it bigger. I was saying that some of the assumptions upon which he based his points were false.

------Original Message------
From: Nathan Angelacos
To: nanog at nanog.org
Subject: Re: Some truth about Comcast - WikiLeaks style
Sent: Dec 15, 2010 5:34 PM

On 12/15/10 14:13, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 15 Dec 2010 15:51:05 EST, Mikel Waxler said:
>
>> The reality is that most customers do not make uncapped connections. File
>> servers cap bandwidth per user and certain services, like gaming or
>> streaming media have a maximum rate. As long as the average data rate
>> allocated per customer is close to the usage then customers will not notice
>> the difference. Does it matter if it takes 10 seconds or 15 seconds to
>> download a 5 minute youtube clip?
>
> The problem starts when the choke point is congested enough that the
> question isn't "10 seconds or 15", it's "4 mins 30 or 5 mins 30 for that 5
> minute clip". Buffer underruns are incredibly annoying.
>

Or, from personal experience: The movie stops because the buffer was exhausted, Netflix informs you "Your network connection has changed", shows a progress bar while it buffers /at a lower bitrate/. Then you get to watch the rest of the movie like it was 1995.
Sent via BlackBerry by AT&T

From asr+nanog at latency.net Wed Dec 15 16:47:09 2010
From: asr+nanog at latency.net (Adam Rothschild)
Date: Wed, 15 Dec 2010 17:47:09 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org>
Message-ID: <20101215224708.GB82574@latency.net>

On 2010-12-15-12:15:47, Kevin Neal wrote:
> Also assuming the backbone and distribution upgrades required between
> their data centers and their customers costs nothing. It's not free
> to get bandwidth from Point A (port with TATA) to Point B (Customer).

I don't see how this point, however valid, should factor into the discussion. Missing from this thread is that Comcast's topology and economics for hauling bits between a neutral collocation facility and broadband subscriber are the _same_ whether they ingest traffic by way of a settlement-free peer, customer, or paid transit connection.

Speaking to Richard's earlier observations, we too have run into issues attempting to deliver content by way of Comcast's Tata transit, dating back to July of this year. (It's possible the issues might have begun sooner, however this is as far back as our analytics go. I've actually been spending some time documenting how we've been measuring this loss, and how folk might measure it on their production infrastructure utilizing policy routing, routing-instances, and the like -- any interested content folk are welcome to contact me off-list. Suffice it to say, configs are the easy part, the hard part is building a statistically valid sample set without degrading connectivity for paying customers...)

Whatever the cause, five months should be ample time to turn up some additional transit capacity or otherwise work around the issues; we're talking commodity transit ports in neutral facilities, such as Equinix sites, after all.
What we have here is Comcast holding its users captive, plain and simple. They have established an ecosystem where, to reach them, one must pay to play, otherwise there's a good chance that packets are discarded. Alternate paths simply aren't there, given the no-export communities deployed. As it stands, I could multi-home to NTT, Telia, Tata, and XO, and still get stuck with no good paths to Comcast.

While this has happened before (see: DTAG, FT, ...), this is probably the first we've seen it occur in the United States, at scale. Folk in content/hosting should find this all more than a little bit scary.

-a

From jfbeam at gmail.com Wed Dec 15 16:50:25 2010
From: jfbeam at gmail.com (Ricky Beam)
Date: Wed, 15 Dec 2010 17:50:25 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID:

On Wed, 15 Dec 2010 15:51:05 -0500, Mikel Waxler wrote:
> Bandwidth is not allocated in static blocks on a
> first come first serve basis. It is shared across all users. ...
> a single new connection would not noticeably affect others.

I love how people demonstrate how they've failed most of the math classes in their life.

Let's start with a 10G link (10,000M). If a live (real-time) video stream needs a minimum of 5Mbps, then the link can support a maximum of 2000 streams. Add one more stream and you will not have the bandwidth to support the required rate for all of them. In a perfectly fair system, everyone's experience begins to be degraded; *every* additional user robs an incremental amount from all the others. With Comcast's 16mil users, it's a safe bet that tens of thousands of them are streaming at any given point. Why do you think Level3 asked for ~30 10G ports?

(I know netflix streams are less than 5M.)

> 2) "Comcast claims that a good network maintains a 1:1 "
>
> I have never heard them assert that.

Read their blog posts. Read the peering agreement.

> Would it drive up the cost of monthly internet? Yes.

Of course it would.
But not because comcast would go broke doing it. They make plenty already. They aren't interested in doing anything that doesn't immediately *increase* their profits. (which is making content sources pay them to get to their millions of customers.)

--Ricky

From joelja at bogus.com Wed Dec 15 16:54:10 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Wed, 15 Dec 2010 14:54:10 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <01bb01cb9ca8$a4dc4950$ee94dbf0$@net>
References: <01bb01cb9ca8$a4dc4950$ee94dbf0$@net>
Message-ID: <4D094712.4090905@bogus.com>

On 12/15/10 2:37 PM, Randy Epstein wrote:
> Jon,
> If ratios are really a concern and you really need to maximize your port
> capacity, there are ways to balance this; balance your customer base. Start
> hosting content. Now, this might not help on private peering interconnects,
> but if you peer publicly, this will help you balance (and take advantage of)
> your public peering capacity.

To that point, comcast does sell wholesale ip transit and they have quite a few unused timeslots for packets in the egress direction...

Ratios shouldn't matter in the sense that unbalanced ratios do not imply that mutual benefit is not being derived from the interconnection. If for example, I get access to your customers and you no longer have to pay a transit provider for my transit then we both win even if the flow is virtually all inbound.

> Either way, ratios are very 1990s. As has been mentioned before, it was
> more of an excuse not to peer by the monopolistic entities that made up a
> big portion of the Internet in the 90s and isn't very relevant today.
>
> Randy
>

From dooser at gmail.com Wed Dec 15 17:34:53 2010
From: dooser at gmail.com (Mikel Waxler)
Date: Wed, 15 Dec 2010 18:34:53 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID:

1) Sure, if those streams are only video streams and they can only exist at 5mbps.
In reality, a network of 16 million users has lots of types of streams and some, like file downloads, UDP data for game players, video with user buffers, etc, are capable of getting squeezed a little. It seemed that the OP was stating that once the network was at capacity, all further users got zero bandwidth. Also, adding 1 user to 16 million is very different than adding 1 user to a pool of 10, 20, or 2000. It is a LOT harder to measure the impact.

2) Fair enough, I have not read either of those. Again, I was not arguing the point, simply pointing out that you can't imply that all relationships are 1:1 without some backup or proof.

3) That describes every for profit business on the planet. We pay comcast more than we should for a service, just like buying a burger.

On Wed, Dec 15, 2010 at 5:50 PM, Ricky Beam wrote:
> On Wed, 15 Dec 2010 15:51:05 -0500, Mikel Waxler wrote:
>
>> Bandwidth is not allocated in static blocks on a
>> first come first serve basis. It is shared across all users. ...
>>
>> a single new connection would not noticeably affect others.
>>
>
> I love how people demonstrate how they've failed most of the math classes
> in their life.
>
> Let's start with a 10G link (10,000M). If a live (real-time) video stream
> needs a minimum of 5Mbps, then the link can support a maximum of 2000
> streams. Add one more stream and you will not have the bandwidth to support
> the required rate for all of them. In a perfectly fair system, everyone's
> experience begins to be degraded; *every* additional user robs an
> incremental amount from all the others. With Comcast's 16mil users, it's a
> safe bet that tens of thousands of them are streaming at any given point.
> Why do you think Level3 asked for ~30 10G ports?
>
> (I know netflix streams are less than 5M.)
>
>
>> 2) "Comcast claims that a good network maintains a 1:1 "
>>
>> I have never heard them assert that.
>>
>
> Read their blog posts. Read the peering agreement.
>
>
>> Would it drive up the cost of monthly internet? Yes.
>>
>
> Of course it would. But not because comcast would go broke doing it. They
> make plenty already. They aren't interested in doing anything that doesn't
> immediately *increase* their profits. (which is making content sources pay
> them to get to their millions of customers.)
>
> --Ricky
>

From rsk at gsp.org Wed Dec 15 17:36:39 2010
From: rsk at gsp.org (Rich Kulawiec)
Date: Wed, 15 Dec 2010 18:36:39 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101214223827.GK38726@gerbil.cluepon.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net>
Message-ID: <20101215233639.GA11457@gsp.org>

On Tue, Dec 14, 2010 at 04:38:27PM -0600, Richard A Steenbergen wrote:
> I believe Comcast has made clear their position that they feel content
> providers should be paying them for access to their customers. I've seen
> them repeatedly state that they feel networks who send them too much
> traffic are "abusing their network".

That's rich, given the enormous quantity of spam sourced from Comcast's network over the last decade. (And yes, it's ongoing: 162 unique sources in the last hour noted at one small observation point.)

Now I realize that SMTP abuse isn't exactly the most bandwidth-chewing problem. However, it's a surface indicator of underlying security issues, which in this particular case can be summarized as "one heck of a lot of zombies". Given that those systems are known-hostile and under the control of adversaries, it's certain that they're doing all kinds of other things that chew up a lot more bandwidth than the spam does.
So maybe instead of engaging in brinkmanship with other network providers or spending engineering time trying to monetize DNS queries, Comcast should try solving this seven-year-old problem and *then* reassess whether or not the pipes are fat enough.

---rsk

From jlewis at lewis.org Wed Dec 15 18:14:01 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 15 Dec 2010 19:14:01 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101215233639.GA11457@gsp.org>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <20101215233639.GA11457@gsp.org>
Message-ID:

On Wed, 15 Dec 2010, Rich Kulawiec wrote:
> On Tue, Dec 14, 2010 at 04:38:27PM -0600, Richard A Steenbergen wrote:
>> I believe Comcast has made clear their position that they feel content
>> providers should be paying them for access to their customers. I've seen
>> them repeatedly state that they feel networks who send them too much
>> traffic are "abusing their network".
>
> That's rich, given the enormous quantity of spam sourced from Comcast's
> network over the last decade. (And yes, it's ongoing: 162 unique sources
> in the last hour noted at one small observation point.)

Spam is irrelevant. In this context, abuse = sending large amounts of data to Comcast customers (at their request) without paying at the Comcast toll booth.

> Now I realize that SMTP abuse isn't exactly the most bandwidth-chewing
> problem. However, it's a surface indicator of underlying security issues,
> which in this particular case can be summarized as "one heck of a lot
> of zombies". Given that those systems are known-hostile and under the
> control of adversaries, it's certain that they're doing all kinds of
> other things that chew up a lot more bandwidth than the spam does.
It might even "improve" their ratios if they stopped those zombies from sending spam, participating in DDoS's, etc. After all, that's outgoing traffic, and the less they send, the worse the ratio gets for networks sending data to Comcast.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From nanog at hostleasing.net Wed Dec 15 18:19:32 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Wed, 15 Dec 2010 19:19:32 -0500
Subject: FCC filings against Comcast
Message-ID: <01d701cb9cb6$e9994cb0$bccbe610$@net>

FCC petitions are piling in against Comcast:

http://fjallfoss.fcc.gov/ecfs/comment/view?id=6016064165
http://fjallfoss.fcc.gov/ecfs/document/view?id=7020923751

Full disclosure: I've signed one as well that should be filed tomorrow.

Also:

WASHINGTON, Dec. 14 -- The office of Sen. Bernie Sanders, I-Vt., issued the following news release:

Warning that a huge media monopoly would drive up cable television prices and stifle the free flow of information, Sen. Bernie Sanders (I-Vt.) today urged the Department of Justice to block Comcast's planned takeover of NBC Universal.

Regards,
Randy

From mysidia at gmail.com Wed Dec 15 18:53:20 2010
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 15 Dec 2010 18:53:20 -0600
Subject: Alleged backdoor in OpenBSD's IPSEC implementation.
In-Reply-To: <20101215132809.GA96801@mikea.ath.cx>
References: <15DC968C-64A6-4485-9529-25003AD684BF@bsdboy.com> <20101215055609.GH12881@sizone.org> <20101215132809.GA96801@mikea.ath.cx>
Message-ID:

On Wed, Dec 15, 2010 at 7:28 AM, mikea wrote:
> More to the point, I think it wouldn't be an NDA, but a security
> classification on the knowledge of the backdoors, and probably one not
> subject to automatic downgrading.
Someone working on a classified project or having access to classified info would be signing a lot more than an NDA. Which leads me to the conclusion Perry probably did not have access to classified info; a gov't backdoor planted in OpenBSD would probably be classified, so Perry was more likely than not either in error or exaggerating.

If Perry really is risking making authorities frustrated for revealing that they have a backdoor, then it does not help the community much for him to withhold the minimal amount of info required to verify the claims. For now it smells of FUD, because the claims are too vague, unsupported, and the extent of what Perry claims to have witnessed has not been explained.

An example of Perry being in error would be if the company was paid to merely develop a backdoor or side channel, but not actually to plant it in their contributed code. The FBI might have wanted proof of concepts, or backdoored versions of code as "drop in piece" to use for other projects.. for example, insider penetration testing, or surreptitious monitoring by planting the backdoored version on specific targeted systems. Proof of concept code might have gone nowhere.

In that case, it would be impossible to find the backdoor by analyzing the OpenBSD source code. Or a backdoor or coding error made by someone else entirely might be discovered instead. Rewriting instead of merely auditing, of course, presents a risk that new backdoors could be introduced by whoever rewrites.

Even if a backdoor were developed, Perry posted very little info about exactly what he knows and how he knows it, what was his role in the project. Such as the question of: 'Did he personally check the contributed code and see the backdoor present?'
--
-JH

From jbates at brightok.net Wed Dec 15 19:05:26 2010
From: jbates at brightok.net (Jack Bates)
Date: Wed, 15 Dec 2010 19:05:26 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101215224708.GB82574@latency.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net>
Message-ID: <4D0965D6.3090907@brightok.net>

On 12/15/2010 4:47 PM, Adam Rothschild wrote:
> Folk in
> content/hosting should find this all more than a little bit scary.

So you don't think the money content providers will pay Comcast won't reflect on other eyeball networks who aren't important/large enough to request financing? ie, Comcast could run lower rates and offer better service by charging the content provider, while competitive eyeball networks won't get the option to receive compensation from content providers and have to charge appropriate rates to their customers.

Jack

From Brian.Rettke at cableone.biz Wed Dec 15 19:15:52 2010
From: Brian.Rettke at cableone.biz (Rettke, Brian)
Date: Wed, 15 Dec 2010 18:15:52 -0700
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0965D6.3090907@brightok.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0965D6.3090907@brightok.net>
Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E57@E2K7MAILBOX1.corp.cableone.net>

This should also be a wake-up call that for whatever reason (who cares what for this discussion), if our bandwidth demands exceed our bandwidth supply, we must become more efficient at using our bandwidth.
I'm hoping that we not only discuss peering and bandwidth, management and implementation, but look at the Content providers with the same level of scrutiny that we hold the Backbone transit providers to. We should look at video compression and codecs with the same level of urgency that we do bandwidth, because there will never be enough if both sides are not looked at.

Sincerely,

Brian A. Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services

-----Original Message-----
From: Jack Bates [mailto:jbates at brightok.net]
Sent: Wednesday, December 15, 2010 6:05 PM
To: Adam Rothschild
Cc: Kevin Neal; nanog at nanog.org
Subject: Re: Some truth about Comcast - WikiLeaks style

On 12/15/2010 4:47 PM, Adam Rothschild wrote:
> Folk in
> content/hosting should find this all more than a little bit scary.

So you don't think the money content providers will pay Comcast won't reflect on other eyeball networks who aren't important/large enough to request financing? ie, Comcast could run lower rates and offer better service by charging the content provider, while competitive eyeball networks won't get the option to receive compensation from content providers and have to charge appropriate rates to their customers.

Jack

From ras at e-gerbil.net Wed Dec 15 20:45:19 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 15 Dec 2010 20:45:19 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0965D6.3090907@brightok.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0965D6.3090907@brightok.net>
Message-ID: <20101216024519.GW38726@gerbil.cluepon.net>

On Wed, Dec 15, 2010 at 07:05:26PM -0600, Jack Bates wrote:
> On 12/15/2010 4:47 PM, Adam Rothschild wrote:
> > Folk in
> > content/hosting should find this all more than a little bit scary.
>
> So you don't think the money content providers will pay Comcast won't
> reflect on other eyeball networks who aren't important/large enough to
> request financing? ie, Comcast could run lower rates and offer better
> service by charging the content provider, while competitive eyeball
> networks won't get the option to receive compensation from content
> providers and have to charge appropriate rates to their customers.

And if you saw someone getting mugged on the street, you could argue that you're now less likely to be robbed because the guy already has someone else's money...

If Comcast wanted to grow its revenue by offering a better, faster, cheaper, etc, wholesale transit service to content networks, I don't think anyone here would object in the slightest. The problem is that rather than compete on any kind of financial or technical merit, they've decided to hold their cable customers hostage and FORCE content networks to buy from them. Rest assured nobody WANTS to buy transit from a network with a 109ms rtt between New York and San Jose (it boggles the mind how one could even manage to assemble that fiber path, let alone try to charge money for it :P), congestion on every port, etc. If Comcast gets away with this, what's to stop every other monopoly/duopoly eyeball network from doing the same thing?

And yes maybe if Comcast forces Netflix to pay them to reach you (either directly or indirectly via Level 3), your cable modem bill might go down, but all that means is that your Netflix bill is going to go up. At the end of the day you're probably better off betting on lower costs from the technical innovation of the networks who DON'T pay $50k for a 10GE port.
:)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From jsw at inconcepts.biz Wed Dec 15 21:24:25 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Wed, 15 Dec 2010 22:24:25 -0500
Subject: peering, derivatives, and big brother
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC032C02D5@EXVBE005-2.exch005intermedia.net>
References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> <1292270846.13327.234.camel@pc2.unassigned-domain> <6EFFEFBAC68377459A2E972105C759EC032C02D5@EXVBE005-2.exch005intermedia.net>
Message-ID:

Invisible Hand Networks was really meant to be a spot market. The same problem exists with bandwidth spot markets that always has existed, the cost of ports to maintain sufficient capacity to the exchange, and the lack of critical mass, meaning that the spot bandwidth is either pretty expensive, or there is not enough capacity for any serious application. Certainly, no spot bandwidth market currently in existence can compete with even mid-sized CDNs; and I do not believe that will ever change.

The IHN folks were also disadvantaged because they seemed to know a lot about economics, but basically nothing about networks. So their technology was neat from a reporting perspective, but the actual functioning of their exchange fabric was/is a disaster. I do not know if they are still in business or if they are still constrained by the flawed design they had in place several years ago.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

On Wed, Dec 15, 2010 at 2:52 PM, Ryan Finnesey wrote:
> I remember 5 years ago a company called Invisible Hand Networks that
> tried something like that.
>
> Cheers
> Ryan
>
>
> -----Original Message-----
> From: Laurent GUERBY [mailto:laurent at guerby.net]
> Sent: Monday, December 13, 2010 3:07 PM
> To: George Bonser
> Cc: nanog at nanog.org
> Subject: Re: peering, derivatives, and big brother
>
> On Sun, 2010-12-12 at 19:36 -0800, George Bonser wrote:
>> (...) The financial derivatives market isn't, in my opinion, a good
>> analogy of the peering market. A data packet is "perishable" and must
>
>> be moved quickly. The destination network wants the packet in order
>> to keep their customer happy and the originating network wants to get
>> it to that customer as quickly and cheaply as possible. The
>> proliferation of these peering points means that today there is more
>> traffic going directly from content network to eyeball network. To
>> use a different analogy, it is almost like the market is going to a
>> series of farmer's markets rather than supermarkets in the
>> distribution channel. Sure, there are still the "supermarkets" out
>> there, but increasingly they are selling their "store brand" by
>> becoming content hosting networks themselves. (...)
>
> Hi,
>
> The electricity spot market is close to your definition of "perishable":
>
> http://en.wikipedia.org/wiki/Electricity_market
>
> It has a derivative market, google for "electricity derivatives" will
> give you some papers and models.
>
> I'm pretty sure electricity and bandwidth share some patterns.
>
> Now who wants to be the Enron of the bandwidth market?
:) > > Sincerely, > > Laurent > http://guerby.org/blog > From gbonser at seven.com Wed Dec 15 22:02:46 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 15 Dec 2010 20:02:46 -0800 Subject: peering, derivatives, and big brother In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com><1292270846.13327.234.camel@pc2.unassigned-domain><6EFFEFBAC68377459A2E972105C759EC032C02D5@EXVBE005-2.exch005intermedia.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF89@RWC-EX1.corp.seven.com> > From: Jeff Wheeler > Sent: Wednesday, December 15, 2010 7:24 PM > To: nanog at nanog.org > Subject: Re: peering, derivatives, and big brother > > Invisible Hand Networks was really meant to be a spot market. The > same problem exists with bandwidth spot markets that always has > existed, the cost of ports to maintain sufficient capacity to the > exchange, and the lack of critical mass, meaning that the spot > bandwidth is either pretty expensive, or there is not enough capacity > for any serious application. Certainly, no spot bandwidth market > currently in existence can compete with even mid-sized CDNs; and I do > not believe that will ever change. The only way I could imagine it working is something like Equinix does with their Equinix Direct product http://www.equinix.com/data-center-services/network-connectivity/ip-connectivity/ What I really miss is the old Telseon model. If I had a Telseon connection, I could configure a "logical wire" to any other Telseon customer (basically provision a vlan through their fabric between us) with a web interface. I could call the other end, we agree to create the path, I configure it on the web page, they accept it, the next day there is a path between us. It was a beautiful system. If I wanted to adjust my bandwidth cap on any of the "logical wires", that was done with a web interface, too. I could raise it for a week and drop it back down and pay only for what I used. 
It was billed daily at the configured bandwidth cap. Problem was that many of the colo providers hated it as it allowed people basically unencumbered access to any other Telseon customer within 24 hours. Some absolutely refused to allow Telseon into their data centers, others insisted on placing their sales force in the path destroying the value of the product. It was wonderful, I miss it. From jsw at inconcepts.biz Wed Dec 15 22:14:46 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Wed, 15 Dec 2010 23:14:46 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101215224708.GB82574@latency.net> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> Message-ID: On Wed, Dec 15, 2010 at 5:47 PM, Adam Rothschild wrote: > I don't see how this point, however valid, should factor into the > discussion. Missing from this thread is that Comcast's topology and > economics for hauling bits between a neutral collocation facility and > broadband subscriber are the _same_ whether they ingest traffic by way > of a settlement-free peer, customer, or paid transit connection. Given that transit must be an incredibly small portion of Comcast's cost to provide IP service to its customers, I think there are only three possible reasons why Comcast would focus so much energy on congesting transit to force content networks to purchase connectivity for them, rather than upgrade transit or engage in more peering: 1) Comcast believes they can exact a great deal of revenue from content networks. For this to be comparable to their captive customers, per-megabit rates must be reminiscent of pre-Level3 days, when $30/Mb was a bargain. This would spell bad news for Netflix. 
Of course, since cable companies typically must pay network affiliates and media companies great sums for television programming packages, it is in direct opposition to the TV content/delivery model. It would be hard to argue both sides if both businesses were faced with like-minded regulators. 2) Comcast is making its engineering decisions in an ego-driven manner, with little or no practical basis for their peering or transit purchasing strategy. 3) Comcast is hoping the phrase "net neutrality" becomes a thing of the past, and that, at some point in the future, they will be free to block or QoS down anyone they please, including content networks, search engines, or MP3 stores that compete with their own offerings. I bet Comcast would love to have a few cents off every iTunes purchase through their network, a handling charge for every amazon.com transaction, or to coerce a million Netflix subscribers into a Comcast-owned service. This is as good a way as any for Comcast to argue their side to potential regulators. In any case, the "net neutrality" side gains credibility anytime a media company can be made to look like they are constraining users' choices by exacting a price from content providers. There has been talk of regulating Internet peering on this list since DIGEX disconnected from ANS, if not before. Reasons in favor of doing it continue to become easier for a lay-person to understand. In my state, there is a law against walking down the street with an ice cream cone in your pocket. I don't know the origin of that law, but I strongly suspect some person did it enough times, for a dumb enough reason, to attract legislative interest. Comcast should keep that in mind before engaging in further peering brinkmanship. -- Jeff S Wheeler Sr Network Operator / 
Innovative Network Concepts From jcdill.lists at gmail.com Wed Dec 15 23:12:57 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Wed, 15 Dec 2010 21:12:57 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101215224708.GB82574@latency.net> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> Message-ID: <4D099FD9.2000808@gmail.com> On 15/12/10 2:47 PM, Adam Rothschild wrote: > On 2010-12-15-12:15:47, Kevin Neal wrote: >> Also assuming the backbone and distribution upgrades required between >> their data centers and their customers costs nothing. It's not free >> to get bandwidth from Point A (port with TATA) to Point B (Customer). > I don't see how this point, however valid, should factor into the > discussion. Missing from this thread is that Comcast's topology and > economics for hauling bits between a neutral collocation facility and > broadband subscriber are the _same_ whether they ingest traffic by way > of a settlement-free peer, customer, or paid transit connection. If I drive from SF to LA for business or for personal purposes, my costs for the drive are the same. But the economy of doing it for business depends on what the client is willing to pay me. If they want me to drive to LA but only pay $10, it's not economical (from a business perspective) for me to do it. Right now, Comcast is carrying content to their customers "for free" and they want to be paid by the content providers (thru paid transit connections) to cover the cost of carrying that content traffic across their network to the end customer. Sure, Comcast's customers are also paying Comcast. But Comcast wants to get paid from the content provider. 
I think they are betting that in the long run it's easier to make money from content providers (and have the content providers charge customers or advertisers as necessary to make a profit) than to make money from the end consumer. And I think they are right about this "easier" part. I think that they will succeed at pressuring big content providers to play by Comcast's rules and shift the cost of running Comcast's network from consumers to content providers. jc From jra at baylink.com Wed Dec 15 23:29:10 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 16 Dec 2010 00:29:10 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D099FD9.2000808@gmail.com> Message-ID: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "JC Dill" > If I drive from SF to LA for business or for personal purposes, my costs > for the drive are the same. But the economy of doing it for business > depends on what the client is willing to pay me. If they want me to > drive to LA but only pay $10, it's not economical (from a business > perspective) for me to do it. Right now, Comcast is carrying content > to their customers "for free" and they want to be paid by the content > providers (thru paid transit connections) to cover the cost of > carrying that content traffic across their network to the end customer. Comcast is acting, collectively, as the agent of their customers, who I'm sure would tell you if you asked them that they believe the contract is "I pay you, and you carry my packets back and forth as I direct, as long as I follow your TOS" -- which pulling movies from Netflix does not presently violate, AFAICT. > Sure, Comcast's customers are also paying Comcast. But Comcast wants > to get paid from the content provider. 
I think they are betting that in > the long run it's easier to make money from content providers (and > have the content providers charge customers or advertisers as necessary to > make a profit) than to make money from the end consumer. And I think > they are right about this "easier" part. I think that they will succeed > at pressuring big content providers to play by Comcast's rules and > shift the cost of running Comcast's network from consumers to content > providers. I'm sure that Comcast does think it's easier. But that doesn't mean it's a valid legal interpretation of their contracts with their direct customers, and I smell a class-action lawsuit brewing in the mind of some tort-king on just that point. The underlying problem, of course, is lack of usable last-mile competition; see also my running rant about Verizon-inspired state laws *forbidding* municipalities to charter monopoly transport-only fiber providers, renting to all comers on non-discriminatory terms, which is the only practical way I can see to fix any of this. Cheers, -- jra From gbonser at seven.com Thu Dec 16 00:05:39 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 15 Dec 2010 22:05:39 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D099FD9.2000808@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> > From: JC Dill > Sent: Wednesday, December 15, 2010 9:13 PM > Cc: nanog at nanog.org > Subject: Re: Some truth about Comcast - WikiLeaks style > > Sure, Comcast's customers are also paying Comcast. But Comcast wants > to > get paid from the content provider. 
I think they are betting that in > the long run it's easier to make money from content providers (and have > the content providers charge customers or advertisers as necessary to > make a profit) than to make money from the end consumer. And I think > they are right about this "easier" part. I think that they will > succeed > at pressuring big content providers to play by Comcast's rules and > shift > the cost of running Comcast's network from consumers to content > providers. > > jc > There are two different innovation paths according to who is paying. If the customer is paying, innovation is driven by the interest of the customer. If the provider is paying, innovation is driven by the interest of the provider. If the customer pays the cost of the transport, a provider with better transport efficiency / quality ratio wins. It spurs innovation where we get better quality product with a better transport efficiency. If there are three competing content services in the market offering basically the same quality product, the one with the better transport efficiency is going to win customers. Or in some cases the customer might choose to sacrifice some quality for transport efficiency. The market eventually settles on what the customers in the aggregate decide is their willingness to trade price for performance. If the provider pays the cost of the transport, a provider might effectively subsidize the transport cost of a bloated content distribution mechanism. It won't make any difference to the last mile delivery network either way. Either way they get the same amount of money. If provider pays the freight, there might be some company with an absolutely killer technology that can stream much higher quality stuff with less bandwidth usage but if the customer doesn't see the benefit, that in and of itself isn't enough to drive eyeballs to that content. If that content transport method did save the customer money, the eyeballs would move in that direction. 
Having the provider pay the cost stifles technological advancement. It facilitates a "deep pocket" established company creating a barrier of adoption to a startup who might have a more efficient product but the user doesn't get any direct benefit so they don't adopt it. Having the user pay gives an incentive to develop technologies that reduce the network burden. Having the provider pay distorts innovation. In the end, having the end user pay the cost for the product they are consuming results in better, faster, cheaper (yes, you can have all three). Externalizing those costs through subsidies by outside parties throws things out of balance and drives innovation in a way that benefits the provider, not the consumer. From jcdill.lists at gmail.com Thu Dec 16 00:16:58 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Wed, 15 Dec 2010 22:16:58 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> Message-ID: <4D09AEDA.4030202@gmail.com> On 15/12/10 9:29 PM, Jay Ashworth wrote: > > The underlying problem, of course, is lack of usable last-mile competition; I agree. > see also my running rant about Verizon-inspired state laws *forbidding* > municipalities to charter monopoly transport-only fiber providers, renting > to all comers on non-discriminatory terms, which is the only practical > way I can see to fix any of this. The problem is that this should have been addressed 5-10 years ago, when there *were* alternative ISPs who could have provided competition. Now that Comcast has a monopoly on cable, and fiber is so bleeping expensive to install, at best we might get *one* alternative to Comcast, and a duopoly is really no better (for consumers, for the marketplace) than a monopoly. 
jc From jcdill.lists at gmail.com Thu Dec 16 00:20:14 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Wed, 15 Dec 2010 22:20:14 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> Message-ID: <4D09AF9E.8090200@gmail.com> On 15/12/10 10:05 PM, George Bonser wrote: > > If the customer pays the cost of the transport, a provider with better > transport efficiency / quality ratio wins. This (and everything that followed) assumes the customer has a choice of providers. For most customers who already have Comcast, they don't have any choice for similar broadband services (speeds). So open market principles don't come into play, and Comcast knows it. jc From gbonser at seven.com Thu Dec 16 00:35:22 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 15 Dec 2010 22:35:22 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D09AF9E.8090200@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net><4D099FD9.2000808@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF95@RWC-EX1.corp.seven.com> > From: JC Dill > Sent: Wednesday, December 15, 2010 10:20 PM > To: NANOG list > Subject: Re: Some truth about Comcast - WikiLeaks style > > > On 15/12/10 10:05 PM, George Bonser wrote: > > > > If the customer pays the cost of the transport, a provider with > better > > transport efficiency / quality ratio wins. 
> > > This (and everything that followed) assumes the customer has a choice > of > providers. For most customers who already have Comcast, they don't > have > any choice for similar broadband services (speeds). So open market > principles don't come into play, and Comcast knows it. > > > jc While that is true, it was less true today than it was yesterday and will be even less true tomorrow. The "captive" audience the cable providers have had is shrinking. Even in markets where Comcast might have a monopoly on TV they don't necessarily have a monopoly on a broadband path to the residence for other services. While they might be able to keep out other "cable" companies, it is going to be hard for them to keep the phone company out. They already have a path to the home. I found U-verse and FiOS coverage map here: http://www.dslreports.com/gmaps/uverse but I can't vouch for the accuracy except in my local area. I believe that as these cable agreements expire, it is going to be more difficult to get a monopoly. Where there is already separate television and telephone infrastructure, you will see the "cable" company and the telephone companies competing for triple-play services. From jra at baylink.com Thu Dec 16 00:41:23 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 16 Dec 2010 01:41:23 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D09AEDA.4030202@gmail.com> Message-ID: <11842747.264.1292481683883.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "JC Dill" > > see also my running rant about Verizon-inspired state laws > > *forbidding* > > municipalities to charter monopoly transport-only fiber providers, > > renting > > to all comers on non-discriminatory terms, which is the only > > practical > > way I can see to fix any of this. > > The problem is that this should have been addressed 5-10 years ago, > when > there *were* alternative ISPs who could have provided competition. 
Now > that Comcast has a monopoly on cable, and fiber is so bleeping > expensive > to install, at best we might get *one* alternative to Comcast, and a > duopoly is really no better (for consumers, for the marketplace) than > a monopoly. I believe you misunderstood my assertion. Many local municipalities are doing the trenching themselves (well, generally, subbing it out to a contractor), and then offering the customers out to all IAP comers -- you meet-me in my fibernoc, and we'll cross connect every customer you sell to you. Lots of *other* municipalities would dearly love to do this, but state laws (lobbied for, in many places, by Verizontal) make this *illegal*. Wonder why Verizon would want to do *that*... See http://money.cnn.com/video/technology/2010/03/15/tech_tt_fiber_fios.cnnmoney/ and also http://www.freepress.net/files/mb_telco_lies.pdf And ORA's Mike Loukides: http://radar.oreilly.com/2010/03/google-fiber-and-the-fcc-natio.html and a whole lot more here: http://www.ftthcouncil.org/en Those links from the consumer-level piece I wrote on this earlier this year: http://baylink.pitas.com/#LASTMILE Cheers, -- jra From gbonser at seven.com Thu Dec 16 00:40:58 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 15 Dec 2010 22:40:58 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D09AF9E.8090200@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net><4D099FD9.2000808@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> > From: JC Dill > Sent: Wednesday, December 15, 2010 10:20 PM > To: NANOG list > Subject: Re: Some truth about Comcast - WikiLeaks style > > > On 15/12/10 10:05 PM, George Bonser wrote: > > > > If the customer pays the cost of 
the transport, a provider with > better > > transport efficiency / quality ratio wins. > > > This (and everything that followed) assumes the customer has a choice > of > providers. For most customers who already have Comcast, they don't > have > any choice for similar broadband services (speeds). So open market > principles don't come into play, and Comcast knows it. No, you misunderstood. It doesn't matter if you have only one internet service provider. If the end customer foots the bill, the incentive for innovation is for the *content* provider to strike a balance between quality and cost that the customers want. If the *content* provider foots the bill, innovation is driven in a way that the content providers want. Let's say I have foo.com and bar.com that offer video services and I am on Comcast. If Comcast meters my bandwidth usage and foo.com has good quality with a lower bandwidth use, I use foo. In the other model, if the content providers subsidize the bill, bar.com might be completely bloated but they have deep pockets and can pay the subsidy, they drive foo.com out of business and Comcast still has a congested network. From Brian.Rettke at cableone.biz Thu Dec 16 00:49:53 2010 From: Brian.Rettke at cableone.biz (Rettke, Brian) Date: Wed, 15 Dec 2010 23:49:53 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net><4D099FD9.2000808@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> Interesting point. 
I'd also like to point out that putting the cost on the content providers rather than the network may raise the cost of the content service, but only to those that want that service. In effect, if the transport provider is paying for the bandwidth generated by a content provider, in effect we have another service bundled to all services offered, which increases the cost to people using Internet service but not necessarily accessing that content. Kind of the same reason TV channels aren't a la carte. Sincerely, Brian A. Rettke RHCT, CCDP, CCNP, CCIP Network Engineer, CableONE Internet Services -----Original Message----- From: George Bonser [mailto:gbonser at seven.com] Sent: Wednesday, December 15, 2010 11:41 PM To: JC Dill; NANOG list Subject: RE: Some truth about Comcast - WikiLeaks style > From: JC Dill > Sent: Wednesday, December 15, 2010 10:20 PM > To: NANOG list > Subject: Re: Some truth about Comcast - WikiLeaks style > > > On 15/12/10 10:05 PM, George Bonser wrote: > > > > If the customer pays the cost of the transport, a provider with > better > > transport efficiency / quality ratio wins. > > > This (and everything that followed) assumes the customer has a choice > of > providers. For most customers who already have Comcast, they don't > have > any choice for similar broadband services (speeds). So open market > principles don't come into play, and Comcast knows it. No, you misunderstood. It doesn't matter if you have only one internet service provider. If the end customer foots the bill, the incentive for innovation is for the *content* provider to strike a balance between quality and cost that the customers want. If the *content* provider foots the bill, innovation is driven in a way that the content providers want. Let's say I have foo.com and bar.com that offer video services and I am on Comcast. If Comcast meters my bandwidth usage and foo.com has good quality with a lower bandwidth use, I use foo. 
In the other model, if the content providers subsidize the bill, bar.com might be completely bloated but they have deep pockets and can pay the subsidy, they drive foo.com out of business and Comcast still has a congested network. From gbonser at seven.com Thu Dec 16 01:16:55 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 15 Dec 2010 23:16:55 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net><1292408634.13327.383.camel@pc2.unassigned-domain><4D08DA11.3010504@kenweb.org><20101215224708.GB82574@latency.net><4D099FD9.2000808@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com><4D09AF9E.8090200@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CF98@RWC-EX1.corp.seven.com> > -----Original Message----- > From: Rettke, Brian > Sent: Wednesday, December 15, 2010 10:50 PM > To: George Bonser; JC Dill; NANOG list > Subject: RE: Some truth about Comcast - WikiLeaks style > > Interesting point. I'd also like to point out that putting the cost on > the content providers rather than the network may raise the cost of the > content service, but only to those that want that service. In effect, > if the transport provider is paying for the bandwidth generated by a > content provider, in effect we have another service bundled to all > services offered, which increases the cost to people using Internet > service but not necessarily accessing that content. Kind of the same > reason TV channels aren't a la carte. > > Sincerely, > > Brian A . Rettke > RHCT, CCDP, CCNP, CCIP > Network Engineer, CableONE Internet Services There is also another issue. 
If the content provider (say it is Netflix in this case) is charged extra to reach Comcast's customers, Netflix might raise prices. Now *all* Netflix users no matter what their ISP are, in effect, subsidizing Comcast users. In that case Comcast is "taxing" every other ISPs customers that use that service in addition to their own. It is just a bad idea. It is like an apartment complex that also has its own pizza joint charging Dominoes for access to their tenants because the parking lot is full. From jcdill.lists at gmail.com Thu Dec 16 03:47:32 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Thu, 16 Dec 2010 01:47:32 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net><4D099FD9.2000808@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com> Message-ID: <4D09E034.1010104@gmail.com> On 15/12/10 10:40 PM, George Bonser wrote: >> From: JC Dill >> Sent: Wednesday, December 15, 2010 10:20 PM >> To: NANOG list >> Subject: Re: Some truth about Comcast - WikiLeaks style >> >> >> On 15/12/10 10:05 PM, George Bonser wrote: >>> If the customer pays the cost of the transport, a provider with >> better >>> transport efficiency / quality ratio wins. >> >> This (and everything that followed) assumes the customer has a choice >> of >> providers. For most customers who already have Comcast, they don't >> have >> any choice for similar broadband services (speeds). So open market >> principles don't come into play, and Comcast knows it. > No, you misunderstood. It doesn't matter if you have only one internet > service provider. 
If the end customer foots the bill, the incentive for > innovation is for the *content* provider to strike a balance between > quality and cost that the customers want. If the *content* provider > foots the bill, innovation is driven in a way that the content providers > want. The customer *always* foots the bill in the end. It's just a matter of how many intermediaries there are between the bill-paying customer and the underlying service they are paying for. Customers clearly prefer to have the true costs of services hidden and obfuscated. Take a look at the byzantine way we pay for health care in the US today, versus how we paid for health care 50 years ago. Then take a look at the industry that has sprung up to wring ever more dollars out of consumers by insulating them from the true costs of health care. Repeat for the cost of body work on your car (paid for with insurance, with the "quality" (and thus cost) of repair being ever escalated because the consumer doesn't see the direct cost of the increased repair), the quality of food production (massive poultry houses where birds are routinely fed antibiotics and infected eggs lead to nationwide recalls) etc. Consumers are too insulated from the production and true costs, and don't realize how the market consolidation is taking away their choices AND producing ever lower quality of goods and services. Why should internet access be any different? There was a story on NPR the other day where the talking head spoke about how "consumers overwhelmingly want a do-not-track system". Hello?! Consumers also don't want spam. Can you point to a SINGLE case where CAN-SPAM actually stopped a significant amount of spam? The reason consumers have functioning email mailboxes isn't because of legislation stopping spam, it's because of ISPs implementing ever increasingly effective anti-spam techniques. 
Anyone who thinks a "do not track" legislation can have any possible measurable effect on how websites track users is simply ignorant about the magnitude of the problem, and how companies will simply outsource (ultimately to overseas companies) their "customer tracking" services to avoid needing to comply with any US laws. And how can the consumer know if their "do not track" request is being honored anyway? It's not like they get a popup every time a website tracks their activities. What customers *really* want, and what they gladly accept as long as it saves them a few pennies, are miles apart. (Which is why so many people blindly give their data to Facebook etc.) This is why I think the direction Comcast is going is ultimately going to win in the marketplace. Do I *want* to see Comcast win? No! But I think it's an inevitable trend. Customers are lazy. Customers are cheap. They will - en masse - support the lowest cost solution that *appears* to give them something of value, even when it's really not in their best interest. jc From jared at puck.nether.net Thu Dec 16 07:02:02 2010 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 16 Dec 2010 08:02:02 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D09AEDA.4030202@gmail.com> References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> <4D09AEDA.4030202@gmail.com> Message-ID: <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net> On Dec 16, 2010, at 1:16 AM, JC Dill wrote: > On 15/12/10 9:29 PM, Jay Ashworth wrote: >> >> The underlying problem, of course, is lack of usable last-mile competition; > > I agree. > >> see also my running rant about Verizon-inspired state laws *forbidding* >> municipalities to charter monopoly transport-only fiber providers, renting >> to all comers on non-discriminatory terms, which is the only practical >> way I can see to fix any of this. 
>
> The problem is that this should have been addressed 5-10 years ago, when there *were* alternative ISPs who could have provided competition. Now that Comcast has a monopoly on cable, and fiber is so bleeping expensive to install, at best we might get *one* alternative to Comcast, and a duopoly is really no better (for consumers, for the marketplace) than a monopoly.

This is why I suggested it might take regulatory action, or changes in state laws.

If I want to start up a coop, or convince my local county/state they should be a neutral provider of conduits/dark fiber as roads are rebuilt, etc. there are various barriers. Even if the cost would be nominal. I scaled up some quotes to be an area-wide effort for fiber down every public road ROW, and came back with $100mil. (you private road types need to shell out your own cash for that leg).

The barriers to doing this as a project are well known. Even if you don't like ars, they have decent articles on these topics:

http://arstechnica.com/tech-policy/news/2010/01/municipal-fiber-needs-more-fdr-localism-fewer-state-bans.ars
http://arstechnica.com/tech-policy/news/2009/06/monticello-appeals-court-win.ars
http://arstechnica.com/old/content/2008/07/telco-wont-install-fiber-sues-to-keep-city-from-doing-it.ars

Similar to the above, I could not even get Comcast to give me a quote to build to my area. AT&T ... good luck getting any data from them. I can tell they are filling in the gaps based on the trenching/boring going on, but there's no good way to motivate them. And even if I decided to drop $10k to install a bunch of POTS service for 1 month to force a build, who knows if that build would bring the right level of service. (As the POTS is regulated with a low install fee).

The incentives are clearly skewed here, but without that $100mil, reaching the 125k properties (111k residences) in my local area may be tough.
(Note: there may be actual cost savings by not running down *every* public road, but using public road mileage and property counts seemed like a good method without actually designing the final fiber plant).

My notes are here:

http://puck.nether.net/~jared/blog/?p=84

The reply I received from my elected reps:

"Additionally, offering a millage to build a network for the general public may violate recent provisions within the Michigan Telecommunication Act."

- Jared

From Valdis.Kletnieks at vt.edu Thu Dec 16 07:47:15 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 16 Dec 2010 08:47:15 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: Your message of "Wed, 15 Dec 2010 19:05:26 CST." <4D0965D6.3090907@brightok.net>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0965D6.3090907@brightok.net>
Message-ID: <34671.1292507235@localhost>

On Wed, 15 Dec 2010 19:05:26 CST, Jack Bates said:

> request financing? ie, Comcast could run lower rates and offer better
> service by charging the content provider, while competitive eyeball
> networks won't get the option to receive compensation from content
> providers and have to charge appropriate rates to their customers.

Yes, Comcast *could* do that. But let's stick to plausible scenarios, OK?

From cluebringer at gmail.com Thu Dec 16 08:51:28 2010
From: cluebringer at gmail.com (Craig L Uebringer)
Date: Thu, 16 Dec 2010 09:51:28 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net>
References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> <4D09AEDA.4030202@gmail.com> <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net>
Message-ID:

On Thu, Dec 16, 2010 at 8:02 AM, Jared Mauch wrote:

>
> On Dec 16, 2010, at 1:16 AM, JC Dill wrote:
>
> > On 15/12/10 9:29 PM, Jay Ashworth wrote:
> >>
> >> The underlying problem, of course, is lack of usable last-mile competition;
> >
> > I agree.
>

It exists where there is an ROI on investment. Capital markets haven't been friendly to network build since the dot-bomb, and for some reason localities are more willing to give tax-incentive financing to malls and stadiums rather than incenting over-builders.

> >> see also my running rant about Verizon-inspired state laws *forbidding*
> >> municipalities to charter monopoly transport-only fiber providers, renting
> >> to all comers on non-discriminatory terms, which is the only practical
> >> way I can see to fix any of this.
> >
> > The problem is that this should have been addressed 5-10 years ago, when
> > there *were* alternative ISPs who could have provided competition. Now that
> > Comcast has a monopoly on cable, and fiber is so bleeping expensive to install,
> > at best we might get *one* alternative to Comcast, and a duopoly is really no
> > better (for consumers, for the marketplace) than a monopoly.
>

Funny thing about competition is that there are losers as well as winners. DSL competition didn't lose by regulation, it lost (nationally) by cheaper, more elastic bandwidth available on other media and JC's previously-noted fickle and lazy consumers.
Where there is competition, the little guy gets an easy low percentage (10-25%) of penetration based solely on not being the incumbent, but churn is high as soon as sign-up incentives expire and they get on a downward spiral of catering to complainers. Magic phrases are traded on dslreports and any retention-packages get spread across the entire customer base. Where there isn't market-sustainable competition, there is no actual legislated monopoly but rather ignorant local boards.

> This is why I suggested it might take regulatory action, or changes in
> state laws.
>

Also engage locality first, as Jared indicates. The problem in going to the fed is that power will be skewed to the larger entities. Competitive providers breathed a sigh of relief when Verizontal lost their attempts to get statewide television franchising and had to deal locality-by-locality, just like the small guys did. Would be worse if there was a single federal entity to buy off now that corporate campaign funding is both anonymous and unlimited.

>
> If I want to start up a coop, or convince my local county/state they should
> be a neutral provider of conduits/dark fiber as roads are rebuilt, etc.
> there are various barriers. Even if the cost would be nominal. I scaled up
> some quotes to be an area-wide effort for fiber down every public road ROW,
> and came back with $100mil. (you private road types need to shell out your
> own cash for that leg).
>
> The barriers to doing this as a project are well known. Even if you don't
> like ars, they have decent articles on these topics:
>
> http://arstechnica.com/tech-policy/news/2010/01/municipal-fiber-needs-more-fdr-localism-fewer-state-bans.ars
>
> http://arstechnica.com/tech-policy/news/2009/06/monticello-appeals-court-win.ars
>
> http://arstechnica.com/old/content/2008/07/telco-wont-install-fiber-sues-to-keep-city-from-doing-it.ars
>
> Similar to the above, I could not even get Comcast to give me a quote to
> build to my area. AT&T ...
> good luck getting any data from them. I can
> tell they are filling in the gaps based on the trenching/boring going on,
> but there's no good way to motivate them. And even if I decided to drop
> $10k to install a bunch of POTS service for 1 month to force a build, who
> knows if that build would bring the right level of service. (As the POTS is
> regulated with a low install fee).
>
> The incentives are clearly skewed here, but without that $100mil, reaching
> the 125k properties (111k residences) in my local area may be tough. (Note:
> there may be actual cost savings by not running down *every* public road,
> but using public road mileage and property counts seemed like a good method
> without actually designing the final fiber plant).
>
> My notes are here:
>
> http://puck.nether.net/~jared/blog/?p=84
>
> The reply I received from my elected reps:
>
> "Additionally, offering a millage to build a network for the general public
> may violate recent provisions within the Michigan Telecommunication Act."
>
> - Jared
>

In a country where government-supplied healthcare is viewed as evil, how can people honestly expect the less-important telecommunications to be allowed to be "government run" as neutral municipal networks? Any unbundling of local HFC or FTTP loops will be slow and problematic.

From jared at puck.nether.net Thu Dec 16 08:57:47 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 16 Dec 2010 09:57:47 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> <4D09AEDA.4030202@gmail.com> <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net>
Message-ID: <55A844B1-D1D8-4627-B284-9C3AB4F59334@puck.nether.net>

On Dec 16, 2010, at 9:51 AM, Craig L Uebringer wrote:

> > This is why I suggested it might take regulatory action, or changes in state laws.
>
> Also engage locality first, as Jared indicates.
> The problem in going to the fed is that power
> will be skewed to the larger entities. Competitive providers breathed a sigh of relief when
> Verizontal lost their attempts to get statewide television franchising and had to deal
> locality-by-locality, just like the small guys did. Would be worse if there was a single
> federal entity to buy off now that corporate campaign funding is both anonymous and
> unlimited.
>

Maybe in your state. Here, one company can get a statewide license. This report may be of interest to those in this space:

http://www.hhh.umn.edu/centers/stpp/pdf/VideoFranchisingReport.pdf

- Jared

From dooser at gmail.com Thu Dec 16 09:17:04 2010
From: dooser at gmail.com (Mikel Waxler)
Date: Thu, 16 Dec 2010 10:17:04 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com>
Message-ID:

I disagree with this theory.

If customers pay comcast for bytes then eventually the upstream (L3) will want some of that revenue. That revenue will be passed onto the provider as a lower bill. This encourages Netflix to send more bytes, because if they do Comcast and L3 get paid more and Netflix's bill goes down. The income stream is now completely dependent on how much money the customer can pay. Sure other services (Hulu, Youtube, etc) could step in and offer lower usage but customers are MUCH more likely to pick based on available content than an abstract "we use N bytes per month fewer than that guy". Also, if income is dependent on sending more bytes, provider usage will creep up as far as they can push it while still keeping customers.
In comparison, does the average person pick their mobile provider based on how many minutes they get or if they get coverage at their house? Keep in mind that all providers are within ~10% of each other on pricing. Where do we see costs in mobile going? How much is a text message these days? That is what happens when the user pays for bytes.

If the provider pays for transport then the amount of data going over wires is dependent on that provider's customer base. The cost of transport now scales directly with size of business. Netflix or Hulu are now directly responsible for their costs which motivates them to be efficient. Comcast can now charge its customers only for upkeep of its network and use the income they get as an "end point delivery network" to offset customer cost. Comcast's costs, which are upkeep and expansion of its physical network, now scale proportionally with its customer base.

So in this model, customers pay for the laying of the wire to their house and the upkeep of that wire, which is a 1:1 ratio for the consumer/comcast. Providers (Netflix) pay per byte to the transport providers. Transport providers make their money off providing transport. Income and cost of doing business for Netflix is directly tied to their subscriber base so it is easy for them to balance their income.

Of course, I am not an economist and could be entirely wrong. There are certainly other HUGE political factors, but I think in theory we would all be happier if the system worked by someone paying for a postage stamp than COD.

On Thu, Dec 16, 2010 at 1:05 AM, George Bonser wrote:

>
>
> > From: JC Dill
> > Sent: Wednesday, December 15, 2010 9:13 PM
> > Cc: nanog at nanog.org
> > Subject: Re: Some truth about Comcast - WikiLeaks style
> >
> > Sure, Comcast's customers are also paying Comcast. But Comcast wants
> > to
> > get paid from the content provider.
> > I think they are betting that in
> > the long run it's easier to make money from content providers (and have
> > the content providers charge customers or advertisers as necessary to
> > make a profit) than to make money from the end consumer. And I think
> > they are right about this "easier" part. I think that they will succeed
> > at pressuring big content providers to play by Comcast's rules and shift
> > the cost of running Comcast's network from consumers to content
> > providers.
> >
> > jc
> >
>
> There are two different innovation paths according to who is paying. If
> the customer is paying, innovation is driven by the interest of the
> customer. If the provider is paying, innovation is driven by the
> interest of the provider.
>
> If the customer pays the cost of the transport, a provider with better
> transport efficiency / quality ratio wins. It spurs innovation where we
> get better quality product with a better transport efficiency. If there
> are three competing content services in the market offering basically
> the same quality product, the one with the better transport efficiency
> is going to win customers. Or in some cases the customer might choose
> to sacrifice some quality for transport efficiency. The market
> eventually settles on what the customers in the aggregate decide is
> their willingness to trade price for performance.
>
> If the provider pays the cost of the transport, a provider might
> effectively subsidize the transport cost of a bloated content
> distribution mechanism. It won't make any difference to the last mile
> delivery network either way. Either way they get the same amount of
> money. If provider pays the freight, there might be some company with
> an absolutely killer technology that can stream much higher quality
> stuff with less bandwidth usage but if the customer doesn't see the
> benefit, that in and of itself isn't enough to drive eyeballs to that
> content.
> If that content transport method did save the customer money,
> the eyeballs would move in that direction.
>
> Having the provider pay the cost stifles technological advancement. It
> facilitates a "deep pocket" established company creating a barrier of
> adoption to a startup who might have a more efficient product but the
> user doesn't get any direct benefit so they don't adopt it. Having the
> user pay gives an incentive to develop technologies that reduce the
> network burden. Having the provider pay distorts innovation.
>
> In the end, having the end user pay the cost for the product they are
> consuming results in better, faster, cheaper (yes, you can have all
> three). Externalizing those costs through subsidies by outside parties
> throws things out of balance and drives innovation in a way that
> benefits the provider, not the consumer.
>
>

From jcdill.lists at gmail.com Thu Dec 16 09:41:24 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Thu, 16 Dec 2010 07:41:24 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com>
Message-ID: <4D0A3324.6040108@gmail.com>

On 16/12/10 7:17 AM, Mikel Waxler wrote:
> I disagree with this theory.
>
> If customers pay comcast for bytes then eventually the upstream (L3)
> will want some of that revenue.

And I want a pony.

What the upstream "wants" and what market forces will decide could be very different. And as customers "want" lower internet access costs, if Comcast can collect more money from upstreams then they can lower the rates for customers, gain more customers, and be in an even better position to squeeze money out of upstreams.
jc

From lowen at pari.edu Thu Dec 16 09:50:32 2010
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 16 Dec 2010 10:50:32 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101215224708.GB82574@latency.net>
References:
Message-ID: <201012161050.32896.lowen@pari.edu>

On Wednesday, December 15, 2010 05:47:09 pm Adam Rothschild wrote:
> What we have here is Comcast holding its users captive, plain and
> simple. They have established an ecosystem where, to reach them, one
> must pay to play, otherwise there's a good chance that packets are
> discarded.
[snip]
> Folk in
> content/hosting should find this all more than a little bit scary.

I'm surprised no one here has thought of the obvious thing content providers can do to communicate to the customers of the providers who artificially throttle traffic from 'freeloading' content providers.

In the web server configuration, detect what network is accessing the page. If it's a provider who is trying to coerce content provider payment, tell the eyeball up front that that's the case, and give a pointer to the place on the FCC website (or the FCC phone number) where they can lodge a complaint. If it gets ugly, simply don't serve content to those eyeballs.

In other words, a content provider boycott of eyeball networks that want to try to play hardball. If you get enough content providers to band together to do this, the customers of those eyeball networks will make a difference.

Hrmph, all you really have to do is get google or facebook to boycott an eyeball network.

IOW, if there's no content to see, there's no need for an 'Internet' connection.
From dooser at gmail.com Thu Dec 16 09:54:46 2010
From: dooser at gmail.com (Mikel Waxler)
Date: Thu, 16 Dec 2010 10:54:46 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <201012161050.32896.lowen@pari.edu>
References: <20101215224708.GB82574@latency.net> <201012161050.32896.lowen@pari.edu>
Message-ID:

But in that scheme, Comcast loses in the long run, when the FCC gets around to them, but Netflix loses customers immediately.

"I pay Netflix 10$ a month and they won't let me use their service cause I am on Comcast? I am taking my money to Hulu!"

Sure netflix is "right" but by the time it matters they are out of business.

On Thu, Dec 16, 2010 at 10:50 AM, Lamar Owen wrote:

> On Wednesday, December 15, 2010 05:47:09 pm Adam Rothschild wrote:
> > What we have here is Comcast holding its users captive, plain and
> > simple. They have established an ecosystem where, to reach them, one
> > must pay to play, otherwise there's a good chance that packets are
> > discarded.
> [snip]
> > Folk in
> > content/hosting should find this all more than a little bit scary.
>
> I'm surprised no one here has thought of the obvious thing content
> providers can do to communicate to the customers of the providers who
> artificially throttle traffic from 'freeloading' content providers.
>
> In the web server configuration, detect what network is accessing the page.
> If it's a provider who is trying to coerce content provider payment, tell
> the eyeball up front that that's the case, and give a pointer to the place
> on the FCC website (or the FCC phone number) where they can lodge a
> complaint. If it gets ugly, simply don't serve content to those eyeballs.
>
> In other words, a content provider boycott of eyeball networks that want to
> try to play hardball. If you get enough content providers to band together
> to do this, the customers of those eyeball networks will make a difference.
> Hrmph, all you really have to do is get google or facebook to boycott an
> eyeball network.
>
> IOW, if there's no content to see, there's no need for an 'Internet'
> connection.
>
>

From dooser at gmail.com Thu Dec 16 09:55:08 2010
From: dooser at gmail.com (Mikel Waxler)
Date: Thu, 16 Dec 2010 10:55:08 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A3324.6040108@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D0A3324.6040108@gmail.com>
Message-ID:

If ponies are being handed out, count me in.

Sure, market forces can do lots of strange things, for example, see our current position.

Pretty much any scheme breaks terribly when there is a monopoly, since the only company involved gets to remove the relationship between cost and profit.

On Thu, Dec 16, 2010 at 10:41 AM, JC Dill wrote:

> On 16/12/10 7:17 AM, Mikel Waxler wrote:
>
>> I disagree with this theory.
>>
>> If customers pay comcast for bytes then eventually the upstream (L3) will
>> want some of that revenue.
>>
>
> And I want a pony.
>
> What the upstream "wants" and what market forces will decide could be very
> different. And as customers "want" lower internet access costs, if Comcast
> can collect more money from upstreams then they can lower the rates for
> customers, gain more customers, and be in an even better position to squeeze
> money out of upstreams.
>
> jc
>
>

From jcdill.lists at gmail.com Thu Dec 16 10:02:04 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Thu, 16 Dec 2010 08:02:04 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D0A3324.6040108@gmail.com>
Message-ID: <4D0A37FC.3010301@gmail.com>

On 16/12/10 7:55 AM, Mikel Waxler wrote:
> If ponies are being handed out, count me in.
>
> Sure, market forces can do lots of strange things, for example, see
> our current position.
>
> Pretty much any scheme breaks terribly when there is a monopoly,

How well did the lawsuits against Microsoft's monopoly work to reduce their ability to use their monopoly to manipulate the market?

jc

From patrick at zill.net Thu Dec 16 10:05:02 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Thu, 16 Dec 2010 11:05:02 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <20101215224708.GB82574@latency.net> <201012161050.32896.lowen@pari.edu>
Message-ID: <4D0A38AE.9000502@zill.net>

On 12/16/2010 10:54 AM, Mikel Waxler wrote:
> But in that scheme, Comcast loses in the long run, when the FCC gets around
> to them, but Netflix loses customers immediately.
>
> "I pay Netflix 10$ a month and they won't let me use their service cause I
> am on Comcast? I am taking my money to Hulu!"
>
> Sure netflix is "right" but by the time it matters they are out of business.
>

Surely serving a "bumper" video at the beginning - "Comcast is trying to charge you more for Netflix - see http://www.netflix.com/comcastripoff/" - would be enough?
--Patrick

From nanog at hostleasing.net Thu Dec 16 10:09:37 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Thu, 16 Dec 2010 11:09:37 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A37FC.3010301@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D0A3324.6040108@gmail.com> <4D0A37FC.3010301@gmail.com>
Message-ID: <02d501cb9d3b$a30bc540$e9234fc0$@net>

> How well did the lawsuits against Microsoft's monopoly work to reduce
> their ability to use their monopoly to manipulate the market?
>
> jc

Why don't you ask the folks over at The Technical Committee (http://www.thetc.org), since they monitor Microsoft compliance for the DOJ.

Randy

From lowen at pari.edu Thu Dec 16 10:14:16 2010
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 16 Dec 2010 11:14:16 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A38AE.9000502@zill.net>
References:
Message-ID: <201012161114.16972.lowen@pari.edu>

On Thursday, December 16, 2010 11:05:02 am Patrick Giagnocavo wrote:
> Surely serving a "bumper" video at the beginning - "Comcast is trying to
> charge you more for Netflix - see http://www.netflix.com/comcastripoff/"
> - would be enough?

Yeah, that's the sort of thing I had in mind. Could be on the web page or in a notification area of the client, etc. Video channels routinely do this on satellite and cable networks.
From william.allen.simpson at gmail.com Thu Dec 16 10:17:23 2010
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Thu, 16 Dec 2010 11:17:23 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> <4D09AEDA.4030202@gmail.com> <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net>
Message-ID: <4D0A3B93.9070907@gmail.com>

On 12/16/10 9:51 AM, Craig L Uebringer wrote:
> Funny thing about competition is that there are losers as well as winners.
> DSL competition didn't lose by regulation, it lost (nationally) by cheaper, more elastic
> bandwidth available on other media and JC's previously-noted fickle and lazy consumers.

Apparently, you've never owned or run an ISP in the past dozen years....

Pacific Bell Telephone v. LinkLine, 07-512

It lost *precisely* by regulation: Google "Tauzin-Dingell".

We used to offer up to 7 Mbps bidirectional DSL long before cable or the Bells offered anything in that range. We had our own DSLAMs.

How exactly do you compete when the Incumbent charges us $80 per month wholesale for UNE lines that they sell $10 per month retail?

http://www.techdirt.com/articles/20061228/181255.shtml
http://www.dslreports.com/shownews/ATT-10-DSL-Today-84904

Note that's only $10 for "new" customers (that is, *our* customers).

And that's just the tip of the iceberg:

http://www.cybertelecom.org/broadband/dslnaked.htm
org.law.rutgers.edu/publications/lawjournal/issues/38_1/Sholinsky.pdf
...

From streiner at cluebyfour.org Thu Dec 16 10:20:23 2010
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 16 Dec 2010 11:20:23 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D099FD9.2000808@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com>
Message-ID:

On Wed, 15 Dec 2010, JC Dill wrote:

> Sure, Comcast's customers are also paying Comcast. But Comcast wants to get
> paid from the content provider. I think they are betting that in the long
> run it's easier to make money from content providers (and have the content
> providers charge customers or advertisers as necessary to make a profit) than
> to make money from the end consumer. And I think they are right about this
> "easier" part. I think that they will succeed at pressuring big content
> providers to play by Comcast's rules and shift the cost of running Comcast's
> network from consumers to content providers.

Personally, I'd like to see any provider (content or otherwise) tell Comcast (as things stand today) to pound sand when asked to enter into such a 'paid peering' arrangement with them.

As others have said, the fact that Comcast is holding their customers hostage to squeeze money out of providers who often have no direct connectivity to Comcast is particularly troubling.

I don't use Comcast for Internet access, but I've been considering kicking their overpriced cable TV service to the curb for some time now...
jms

From jcdill.lists at gmail.com Thu Dec 16 10:28:58 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Thu, 16 Dec 2010 08:28:58 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A3B93.9070907@gmail.com>
References: <31642562.256.1292477350923.JavaMail.root@benjamin.baylink.com> <4D09AEDA.4030202@gmail.com> <150DB0EC-9B32-4D9E-AD2E-9E4CCE5A26FB@puck.nether.net> <4D0A3B93.9070907@gmail.com>
Message-ID: <4D0A3E4A.6080106@gmail.com>

On 16/12/10 8:17 AM, William Allen Simpson wrote:
> On 12/16/10 9:51 AM, Craig L Uebringer wrote:
>> Funny thing about competition is that there are losers as well as
>> winners. DSL competition
>> didn't lose by regulation, it lost (nationally) by cheaper, more elastic
>> bandwidth available
>> on other media and JC's previously-noted fickle and lazy consumers.
>
> Apparently, you've never owned or run an ISP in the past dozen years....
>
> Pacific Bell Telephone v. LinkLine, 07-512
>
> It lost *precisely* by regulation: Google "Tauzin-Dingell".

When you hear some congresscritter talking about legislating net neutrality, point out that they wouldn't need to do anything regarding "net neutrality" if they would simply legislate to provide for fair and open access to existing infrastructure (copper, cable, fiber) instead of passing incumbent-friendly legislation that limits competition.

jc

From lowen at pari.edu Thu Dec 16 10:47:54 2010
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 16 Dec 2010 11:47:54 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References:
Message-ID: <201012161147.54711.lowen@pari.edu>

On Thursday, December 16, 2010 11:20:23 am Justin M. Streiner wrote:
> Personally, I'd like to see any provider (content or otherwise) tell
> Comcast (as things stand today) to pound sand when asked to enter into
> such a 'paid peering' arrangement with them.
It comes down to the business decision of the cost of doing business for those eyeballs versus the loss due to not serving (or underserving) those eyeballs. Hmmm, roughly 16 million eyeballs versus how many million eyeballs in the world? (found a statistic; roughly 300 million broadband eyeballs in the world; 84 million or so in the US alone. So we're talking about only 5% of the world eyeballs and about 20% of the US?) So they could deal with the other 80% of just the US eyeballs and probably survive just fine. After all, if they put up a disclaimer 'you're currently using an Internet Service Provider who is known to provide inferior service to our customers; if your video does not play properly, or does not play at all, please contact your provider.'

You could even detect it during subscription set up. There's nothing that says I have to accept subscriptions from any given netblock, right? If it costs me more to serve that netblock than that netblock is worth, then I would be remiss in my fiduciary duty if I accepted those customers. In fact, if a particular netblock had known performance issues, I would be remiss in my duty to my potential and present customers if I didn't let them know the issue involved (kind of like a pizza delivery place not delivering over 30 minutes away for product quality reasons; I could pop up a notice to let my customer know that they can come to a WiFi hotspot or use a different ISP, and give them pointers to such, if they want to get full service).

And, of course, this shoe can be worn on the other foot, and any eyeball network would be free to place as many bottlenecks as meets their business model...

Simple economics.
From jbates at brightok.net Thu Dec 16 10:52:38 2010 From: jbates at brightok.net (Jack Bates) Date: Thu, 16 Dec 2010 10:52:38 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> Message-ID: <4D0A43D6.80009@brightok.net> On 12/16/2010 9:17 AM, Mikel Waxler wrote: > Comcast can now charge its customers only for upkeep of its network and use > the income they get as an "end point delivery network" to offset customer > cost. Comcast's cost, which are upkeep and expansion of its physical > network, now scale proportionally with its customer base. The problem with your layout is that, as a netflix user, I pay more to netflix so that you can have their service over comcast, and my provider doesn't get income from the netflix streams as it is sub 100k users (so I still have to pay for my provider's upgrades to handle the netflix which percentage wise will be higher than comcast due to less ideal bandwidth discounts and the locality which may even drive up the overall percentage of netflix streams per customer base). Jack From dooser at gmail.com Thu Dec 16 11:02:02 2010 From: dooser at gmail.com (dooser at gmail.com) Date: Thu, 16 Dec 2010 17:02:02 +0000 Subject: Some truth about Comcast - WikiLeaks style Message-ID: <1912159179-1292518924-cardhu_decombobulator_blackberry.rim.net-1324937023-@bda2841.bisx.prod.on.blackberry> It would certainly serve to make customers angry. They have a choice of video provider netflix vs hulu, but only one isp. In this case the customer drops netflix in an angry huff and goes to hulu. That customer is gone forever. 
------Original Message------ From: Patrick Giagnocavo To: nanog at nanog.org Subject: Re: Some truth about Comcast - WikiLeaks style Sent: Dec 16, 2010 11:05 AM On 12/16/2010 10:54 AM, Mikel Waxler wrote: > But in that scheme, Comcast loses in the long run, when the FCC gets around > to them, but Netflix loses customers immediately. > > " I pay Netflix $10 a month and they won't let me use their service cause I > am on Comcast? I am taking my money to Hulu!" > > Sure netflix is "right" but by the time it matters they are out of business. > Surely serving a "bumper" video at the beginning - "Comcast is trying to charge you more for Netflix - see http://www.netflix.com/comcastripoff/" - would be enough? --Patrick Sent via BlackBerry by AT&T From jbates at brightok.net Thu Dec 16 11:12:11 2010 From: jbates at brightok.net (Jack Bates) Date: Thu, 16 Dec 2010 11:12:11 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <34671.1292507235@localhost> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0965D6.3090907@brightok.net> <34671.1292507235@localhost> Message-ID: <4D0A486B.20606@brightok.net> On 12/16/2010 7:47 AM, Valdis.Kletnieks at vt.edu wrote: > On Wed, 15 Dec 2010 19:05:26 CST, Jack Bates said: > >> request financing? ie, Comcast could run lower rates and offer better >> service by charging the content provider, while competitive eyeball >> networks won't get the option to receive compensation from content >> providers and have to charge appropriate rates to their customers. > > Yes, Comcast *could* do that. But let's stick to plausible scenarios, OK? How is it not plausible for Comcast to undercut competition to take an even larger market share (and in doing so, extract more money from content providers)?
If the competition isn't large enough to force subsidization from content providers in the same manner, they will slowly lose to the unfair competition. Add to this, that if every large provider charges content providers, the rates will be pushed higher to access that content, yet the benefits will not be felt by smaller providers who can't extort the extra income and will be forced to run higher rates to their customers. Smaller ISPs will be more expensive, even without competition, and if they are in a competing market with a larger ISP, they will be that much harder pressed to justify their higher costs (you can only push better service so far) Jack From davet1 at gmail.com Thu Dec 16 11:15:51 2010 From: davet1 at gmail.com (Dave Temkin) Date: Thu, 16 Dec 2010 09:15:51 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> Message-ID: <4D0A4947.2060004@gmail.com> Jeff Wheeler wrote: > > 1) Comcast believes they can exact a great deal of revenue from > content networks. For this to be comparable to their captive > customers, per-megabit rates must be reminiscent of pre-Level3 days, > when $30/Mb was a bargain. This would spell bad news for Netflix. Of > course, since cable companies typically must pay network affiliates > and media companies great sums for television programming packages, it > is in direct opposition to the TV content/delivery model. It would be > hard to argue both sides if both businesses were faced with > like-minded regulators. > I disagree. Even at $1/Mbit and 6Tbit of traffic (they do more), that's still $72M/year in revenue that they weren't recognizing before. 
Given that that traffic was actually *costing* them money to absorb before, turning the balance and making that kind of money would be very favorably looked upon in a unit where a customer's margin for 6+ months can be eaten up in 1 service call. -Dave From jcdill.lists at gmail.com Thu Dec 16 11:22:23 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Thu, 16 Dec 2010 09:22:23 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0A43D6.80009@brightok.net> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D0A43D6.80009@brightok.net> Message-ID: <4D0A4ACF.2070001@gmail.com> On 16/12/10 8:52 AM, Jack Bates wrote: > On 12/16/2010 9:17 AM, Mikel Waxler wrote: >> Comcast can now charge its customers only for upkeep of its network >> and use >> the income they get as an "end point delivery network" to offset >> customer >> cost. Comcast's cost, which are upkeep and expansion of its physical >> network, now scale proportionally with its customer base. > > The problem with your layout is that, as a netflix user, I pay more to > netflix so that you can have their service over comcast, and my > provider doesn't get income from the netflix streams as it is sub 100k > users (so I still have to pay for my provider's upgrades to handle the > netflix which percentage wise will be higher than comcast due to less > ideal bandwidth discounts and the locality which may even drive up the > overall percentage of netflix streams per customer base). Problem? For Comcast, none of this is a problem. (Do you see the problem now?) Again, I predict that things ARE heading in this direction, and that market forces and the current regulatory climate encourages it. Dire news for small providers.
Saying you "want" it to be different[1] won't change anything. I don't know what the solution is (if there is a solution) but so far all I see are people complaining "but if that happens, it's bad for me and for others". Yes, it's bad. What are you going to do to stop it? If Comcast can continue to force other networks to pay it to carry data to Comcast's users, it will create a tidal wave of momentum in their favor for lowering rates and pushing other eyeball networks aside, buying them up or just taking over their territory and customers. jc [1] I want a pony, etc. From dooser at gmail.com Thu Dec 16 11:50:00 2010 From: dooser at gmail.com (Mikel Waxler) Date: Thu, 16 Dec 2010 12:50:00 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0A4ACF.2070001@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D0A43D6.80009@brightok.net> <4D0A4ACF.2070001@gmail.com> Message-ID: If Comcast is charging providers to carry bits, how long until Verizon does the same? It becomes an "everyone else is getting paid" situation. I think it is better for the content providers to be financially responsible for efficiency of transmission, which only happens when they (not the consumer) pay per byte. The consumer is already paying on a sliding scale to (Netflix). You want 1 DVD a month, that is X dollars, you want Blu-ray as well, that is X+Y dollars. I cannot imagine that it will be too long before Netflix has an SD package and an HD package. Consumers are most interested in paying for unlimited access, unless it is overly expensive. I would rather pay comcast and netflix a set fee each month instead of getting charged $.00001 each time I check my email.
On Thu, Dec 16, 2010 at 12:22 PM, JC Dill wrote: > On 16/12/10 8:52 AM, Jack Bates wrote: > >> On 12/16/2010 9:17 AM, Mikel Waxler wrote: >> >>> Comcast can now charge its customers only for upkeep of its network and >>> use >>> the income they get as an "end point delivery network" to offset customer >>> cost. Comcast's cost, which are upkeep and expansion of its physical >>> network, now scale proportionally with its customer base. >>> >> >> The problem with your layout is that, as a netflix user, I pay more to >> netflix so that you can have their service over comcast, and my provider >> doesn't get income from the netflix streams as it is sub 100k users (so I >> still have to pay for my provider's upgrades to handle the netflix which >> percentage wise will be higher than comcast due to less ideal bandwidth >> discounts and the locality which may even drive up the overall percentage of >> netflix streams per customer base). >> > > Problem? For Comcast, none of this is a problem. (Do you see the problem > now?) > > Again, I predict that things ARE heading in this direction, and that market > forces and the current regulatory climate encourages it. Dire news for > small providers. Saying you "want" it to be different[1] won't change > anything. I don't know what the solution is (if there is a solution) but so > far all I see are people complaining "but if that happens, it's bad for me > and for others". Yes, it's bad. What are you going to do to stop it? If > Comcast can continue to force other networks to pay it to carry data to > Comcast's users, it will create a tidal wave of momentum in their favor for > lowering rates and pushing other eyeball networks aside, buying them up or > just taking over their territory and customers. > > jc > > [1] I want a pony, etc. 
> > From backdoorparrot at hotmail.com Thu Dec 16 11:53:28 2010 From: backdoorparrot at hotmail.com (Backdoor Parrot) Date: Thu, 16 Dec 2010 17:53:28 +0000 Subject: Some truth about Comcast - WikiLeaks style Message-ID: Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: my management is pretty disgusted with the badmouthing and accusation slinging on nanog.org btw the demands to disclose confidential data on the blog aren't helping either the budget for hosting will be impacted I guarantee because it came out of folks who are being hassled's budget there is a meeting today to discuss the value of supporting the NANOG community Apparently Comcast's support and sponsorship of NANOG has actually been a ploy to buy our silence, and if we keep talking poorly of them they're going to cut off the funding. Shhhhh don't tell anyone. From jsw at inconcepts.biz Thu Dec 16 12:20:36 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Thu, 16 Dec 2010 13:20:36 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0A4947.2060004@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> Message-ID: On Thu, Dec 16, 2010 at 12:15 PM, Dave Temkin wrote: > I disagree. Even at $1/Mbit and 6Tbit of traffic (they do more), that's > still $72M/year in revenue that they weren't recognizing before. Given that > that traffic was actually *costing* them money to absorb before, turning the > balance and making that kind of money would be very favorably looked upon in Yeah, because it makes a lot of sense to fuck with a billion dollar a month revenue stream so you can extract a few million dollars more per month from IP carriers.
This definitely makes more sense than, say, running the billion dollar a month side a little more efficiently. You need to understand the scale of comcast's expenses and revenue on the access and transport side of their business, in order to have a remotely intelligent opinion about whether or not they are doing anything smart with the peering/transit side, in these conditions. If you really think it's a good idea to attract the attention of government regulators, newspapers, customers, and every major ISP by making a lot of noise over something that might allow you to make 0.5% more money off a product where you could probably save an order of magnitude more money through any number of ignored efficiencies within the organization, I would love for you to post that. I suspect that most folks who are of the opinion that Comcast is motivated by anything but the three things I mentioned have not clearly considered the proportionately small benefit they could gain from selling access to their network at anything approaching a nominal fee. It must be either 1) very high per-Mb price; 2) ego and stupidity; 3) greed of such magnitude that it would make Gordon Gekko proud. -- Jeff S Wheeler Sr Network Operator /
Innovative Network Concepts From brent at servuhome.net Thu Dec 16 12:22:10 2010 From: brent at servuhome.net (Brent Jones) Date: Thu, 16 Dec 2010 10:22:10 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: On Thu, Dec 16, 2010 at 9:53 AM, Backdoor Parrot wrote: > > > Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: > > my management is pretty disgusted with the badmouthing and accusation slinging on nanog.org btw > the demands to disclose confidential data on the blog aren't helping either > the budget for hosting will be impacted I guarantee because it came out of folks who are being hassled's budget > there is a meeting today to discuss the value of supporting the NANOG community > > Apparently Comcast's support and sponsorship of NANOG has actually been a ploy to buy our silence, and if we keep talking poorly of them they're going to cut off the funding. Shhhhh don't tell anyone. > > > Any more details to those logs? Timestamps, channel names, nicknames? -- Brent Jones brent at servuhome.net From jgreco at ns.sol.net Thu Dec 16 12:39:57 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Thu, 16 Dec 2010 12:39:57 -0600 (CST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: Message-ID: <201012161839.oBGIdwQI014858@aurora.sol.net> > the demands to disclose confidential data on the blog aren't helping either It's always interesting how things like bandwidth displays are considered "confidential data" particularly when they show something bad. The best service providers will actually provide the statistics without being asked, even to the public, for example: https://noc.iphouse.com/?skin=print Comcast may need a reminder that an Internet Service Provider's job is to provide internet service to its customers. 
If you cannot do the job, open up your infrastructure to sharing and let someone else have a go at it. This leveraging-captive-customers-to-get-money-from- others game is fundamentally dirty, at least if the rumors about your transit connections are true. Which probably brings us around to the reasons that it'd be interesting to have Comcast volunteer the information. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From paul at paulstewart.org Thu Dec 16 12:37:57 2010 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 16 Dec 2010 13:37:57 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: <008301cb9d50$6b0b0560$41211020$@org> Pardon my ignorance here but what does Comcast do for the NANOG community? I know they attend many conferences and share their experiences with a lot of us which is very much appreciated... 
Just asking ;) -----Original Message----- From: Backdoor Parrot [mailto:backdoorparrot at hotmail.com] Sent: December-16-10 12:53 PM To: nanog at nanog.org Subject: Re: Some truth about Comcast - WikiLeaks style Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: my management is pretty disgusted with the badmouthing and accusation slinging on nanog.org btw the demands to disclose confidential data on the blog aren't helping either the budget for hosting will be impacted I guarantee because it came out of folks who are being hassled's budget there is a meeting today to discuss the value of supporting the NANOG community Apparently Comcast's support and sponsorship of NANOG has actually been a ploy to buy our silence, and if we keep talking poorly of them they're going to cut off the funding. Shhhhh don't tell anyone. From davet1 at gmail.com Thu Dec 16 12:53:53 2010 From: davet1 at gmail.com (Dave Temkin) Date: Thu, 16 Dec 2010 10:53:53 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> Message-ID: <4D0A6041.7070506@gmail.com> Jeff Wheeler wrote: > On Thu, Dec 16, 2010 at 12:15 PM, Dave Temkin wrote: > >> I disagree. Even at $1/Mbit and 6Tbit of traffic (they do more), that's >> still $72M/year in revenue that they weren't recognizing before. Given that >> that traffic was actually *costing* them money to absorb before, turning the >> balance and making that kind of money would be very favorably looked upon in >> > > Yeah, because it makes a lot of sense to fuck with a billion dollar a > month revenue stream so you can extract a few million dollars more per > month from IP carriers. 
This definitely makes more sense than, say, > running the billion dollar a month side a little more efficiently. > > You need to understand the scale of comcast's expenses and revenue on > the access and transport side of their business, in order to have a > remotely intelligent opinion about whether or not they are doing > anything smart with the peering/transit side, in these conditions. > I do. And yes, they are happy to "fuck with a billion dollar a month revenue stream" (that happens to be low margin) in order to set a precedent so that when traffic is 60Tbit instead of 6Tbit, across the *same* customer base they have today that's insisting on getting that $19.99/month promo deal for life they make up the infrastructure investment on the backs of the content providers and not their customers. $1B/month from your customers + $1B/month from your content providers is what they'd ideally like to see and this is just laying the groundwork for it. They have a captive audience. What percentage of their customers who they're offering 10Mbit+ connections to do you think have a 10Mbit+ alternative? It's not very many. -Dave From jared at puck.nether.net Thu Dec 16 12:58:08 2010 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 16 Dec 2010 13:58:08 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <008301cb9d50$6b0b0560$41211020$@org> References: <008301cb9d50$6b0b0560$41211020$@org> Message-ID: <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> On Dec 16, 2010, at 1:37 PM, Paul Stewart wrote: > Pardon my ignorance here but what does Comcast do for the NANOG community? > I know they attend many conferences and share their experiences with a lot > of us which is very much appreciated... I'm sure the concern is that Comcast signed up to return NANOG (newNOG?) to philly. I think they may be overly sensitive to some of the comments, just as if people were posting similar comments about my employer, I would likely be sensitive. 
(Also there are a lot of people who post stuff but don't actually attend NANOG meetings. There is this overlap but disjoint as well between the two in my experience. Hope everyone is wearing their teflon pants). Aside from the 'public comments', the leaked graphics (which I personally would believe are accurate, but the motives of the leakers not obvious), I don't directly have a role here. I understand comcast has a lot of infrastructure and costs. Likely more fiber than the incumbent telcos, and they are constrained by a variety of local business conditions from doing what may be a more optimal solution for themselves. All that said, the whole issue of 'local content' is going to continue to rage on for years to come. Getting the content closer to the end user is going to be a key to reducing costs for the long-tail providers to homes and businesses. Should it be incumbent on the CDNs to pay for colo at the headend? That's a business decision that will entirely be driven by these ongoing disputes. It surely feels like we are slowly going down the road of telco-style settlement based on call direction. I've observed some trends that point at this happening when someone has a fortress they wish to defend, monetize or subsidize further. Will it win out? I'm not entirely sure. - Jared From tme at americafree.tv Thu Dec 16 13:03:27 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Thu, 16 Dec 2010 14:03:27 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> References: <008301cb9d50$6b0b0560$41211020$@org> <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> Message-ID: <3521D2CA-446A-4A17-9C4E-92F5C9B71611@americafree.tv> On Dec 16, 2010, at 1:58 PM, Jared Mauch wrote: > > On Dec 16, 2010, at 1:37 PM, Paul Stewart wrote: > >> Pardon my ignorance here but what does Comcast do for the NANOG community? 
>> I know they attend many conferences and share their experiences with a lot >> of us which is very much appreciated... > > I'm sure the concern is that Comcast signed up to return NANOG (newNOG?) to philly. They also were the sponsor for IETF-71 in Philly in 2008. Regards Marshall > > I think they may be overly sensitive to some of the comments, just as if people were posting similar comments about my employer, I would likely be sensitive. (Also there are a lot of people who post stuff but don't actually attend NANOG meetings. There is this overlap but disjoint as well between the two in my experience. Hope everyone is wearing their teflon pants). > > Aside from the 'public comments', the leaked graphics (which I personally would believe are accurate, but the motives of the leakers not obvious), I don't directly have a role here. I understand comcast has a lot of infrastructure and costs. Likely more fiber than the incumbent telcos, and they are constrained by a variety of local business conditions from doing what may be a more optimal solution for themselves. > > All that said, the whole issue of 'local content' is going to continue to rage on for years to come. Getting the content closer to the end user is going to be a key to reducing costs for the long-tail providers to homes and businesses. Should it be incumbent on the CDNs to pay for colo at the headend? That's a business decision that will entirely be driven by these ongoing disputes. > > It surely feels like we are slowly going down the road of telco-style settlement based on call direction. I've observed some trends that point at this happening when someone has a fortress they wish to defend, monetize or subsidize further. Will it win out? I'm not entirely sure. 
> > - Jared > From nathan at atlasnetworks.us Thu Dec 16 13:24:34 2010 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Thu, 16 Dec 2010 19:24:34 +0000 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> References: <008301cb9d50$6b0b0560$41211020$@org> <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B2B3123@ex-mb-1.corp.atlasnetworks.us> > All that said, the whole issue of 'local content' is going to continue to rage on > for years to come. Getting the content closer to the end user is going to be a > key to reducing costs for the long-tail providers to homes and businesses. > Should it be incumbent on the CDNs to pay for colo at the headend? That's a > business decision that will entirely be driven by these ongoing disputes. What I still don't understand is this (and please pardon my ignorance): If the issue is the costs that long-tail providers must bear to transit content across their own network, and the solution is to move the content closer to the providers' customers, (why) is the content provider obligated to subsidize that? If collocating equipment to the headend is truly the correct response (if it truly reduces the ISP's costs to provide access to that content, and truly results in a better customer experience), then surely the savings would cover the ISP's cost of collocating equipment at that ISP's own headends? It seems reasonable to expect that a content provider come up with the equipment to be collocated, as well as bear the cost-burden of supporting that equipment, so there can't be a significant capex for the ISP... The idea of buying colocation from a last-mile ISP to reduce that last-mile ISP's costs seems (at first glance) to be a hysterically unfair proposition - though it seems that incumbent ISPs may have great enough leverage to extract this revenue if they really want to. Or am I off my rocker? 
What is in the best interests of the customer? Nathan From james.cutler at consultant.com Thu Dec 16 13:35:27 2010 From: james.cutler at consultant.com (Cutler James R) Date: Thu, 16 Dec 2010 14:35:27 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B2B3123@ex-mb-1.corp.atlasnetworks.us> References: <008301cb9d50$6b0b0560$41211020$@org> <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> <8C26A4FDAE599041A13EB499117D3C286B2B3123@ex-mb-1.corp.atlasnetworks.us> Message-ID: That seems to be "Off Topic". The operational implications for most of us are, most likely, much more technical bookkeeping and data storage. On Dec 16, 2010, at 2:24 PM, Nathan Eisenberg wrote: > > What is in the best interests of the customer? > > Nathan James R. Cutler james.cutler at consultant.com From dseagrav at humancapitaldev.com Thu Dec 16 13:38:45 2010 From: dseagrav at humancapitaldev.com (Daniel Seagraves) Date: Thu, 16 Dec 2010 13:38:45 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: Message-ID: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> On Dec 16, 2010, at 11:53 AM, Backdoor Parrot wrote: > Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: (snip) With all due respect, logs or GTFO. I can find no mention of this outside of your email. I would expect there to be quite a few mentions of such a statement made in "a public IRC channel with many witnesses".
From owen at delong.com Thu Dec 16 13:39:01 2010 From: owen at delong.com (Owen DeLong) Date: Thu, 16 Dec 2010 11:39:01 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0A6041.7070506@gmail.com> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> <4D0A6041.7070506@gmail.com> Message-ID: <8C1D5EB7-4570-4E91-A7EC-FB0C55B2AD63@delong.com> On Dec 16, 2010, at 10:53 AM, Dave Temkin wrote: > Jeff Wheeler wrote: >> On Thu, Dec 16, 2010 at 12:15 PM, Dave Temkin wrote: >> >>> I disagree. Even at $1/Mbit and 6Tbit of traffic (they do more), that's >>> still $72M/year in revenue that they weren't recognizing before. Given that >>> that traffic was actually *costing* them money to absorb before, turning the >>> balance and making that kind of money would be very favorably looked upon in >>> >> >> Yeah, because it makes a lot of sense to fuck with a billion dollar a >> month revenue stream so you can extract a few million dollars more per >> month from IP carriers. This definitely makes more sense than, say, >> running the billion dollar a month side a little more efficiently. >> >> You need to understand the scale of comcast's expenses and revenue on >> the access and transport side of their business, in order to have a >> remotely intelligent opinion about whether or not they are doing >> anything smart with the peering/transit side, in these conditions. >> > > I do. And yes, they are happy to "fuck with a billion dollar a month revenue stream" (that happens to be low margin) in order to set a precedent so that when traffic is 60Tbit instead of 6Tbit, across the *same* customer base they have today that's insisting on getting that $19.99/month promo deal for life they make up the infrastructure investment on the backs of the content providers and not their customers. 
$1B/month from your customers + $1B/month from your content providers is what they'd ideally like to see and this is just laying the groundwork for it. > > They have a captive audience. What percentage of their customers who they're offering 10Mbit+ connections to do you think have a 10Mbit+ alternative? It's not very many. > > > -Dave Well said, Dave... I've been mostly ignoring this thread in recent days because I had pretty much said my piece. However, if people still aren't understanding that Comcast is attempting to leverage a monopoly here for anti-competitive ends, it boggles the mind. Level3 is no angel, either. IMHO, both organizations are poster children for burdensome regulation (no, I'm not a fan of burdensome regulation). The world needs more open peering policies and denser connection between networks. Recouping access costs on the backs of content providers is absurd. So is trying to recoup the costs of content delivery on the backs of access networks (Level3's traditional model). I suspect that is what will happen in the long run. The question now is whether it will happen through cooperative competition as is the tradition of the internet, or, whether these bozos will force the government into turning it into a system like the telco settlements that made telephony so expensive for so long. Owen From chip at 2bithacker.net Thu Dec 16 13:43:48 2010 From: chip at 2bithacker.net (Chip Marshall) Date: Thu, 16 Dec 2010 14:43:48 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <008301cb9d50$6b0b0560$41211020$@org> References: <008301cb9d50$6b0b0560$41211020$@org> Message-ID: <20101216194348.GD66938@2bithacker.net> On 16-Dec-2010, Paul Stewart sent: > Pardon my ignorance here but what does Comcast do for the NANOG > community? I know they attend many conferences and share their > experiences with a lot of us which is very much appreciated...
>
> Just asking ;)

http://nanog.org/meetings/nanog46/

--
Chip Marshall http://weblog.2bithacker.net/ KB1QYW PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM

From paul at paulgraydon.co.uk Thu Dec 16 13:47:16 2010
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Thu, 16 Dec 2010 09:47:16 -1000
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com>
References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com>
Message-ID: <4D0A6CC4.2090208@paulgraydon.co.uk>

On 12/16/2010 09:38 AM, Daniel Seagraves wrote:
> On Dec 16, 2010, at 11:53 AM, Backdoor Parrot wrote:
>
>> Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses:
> (snip)
>
> With all due respect, logs or GTFO. I can find no mention of this outside of your email.
> I would expect there to be quite a few mentions of such a statement made in "a public IRC channel with many witnesses".
>

So far this whole thing disturbs me. We've gone from "Backdoor Santa" dropping graphs that we can't specifically attribute to Comcast, through to "Backdoor Parrot" now adding IRC communication that yet again we can't attribute to Comcast. In the former case we've gone from disbelief through to academic "what if", swiftly moving on to damning accusation without there being /any/ supporting evidence, as far as I can see, that the graphs are anything to do with Comcast. I fear we're likely to see the same results from these IRC logs. All we're ending up with is what is mostly hearsay being treated as facts.
Paul From nanog at hostleasing.net Thu Dec 16 13:48:56 2010 From: nanog at hostleasing.net (Randy Epstein) Date: Thu, 16 Dec 2010 14:48:56 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> Message-ID: <032901cb9d5a$46f79800$d4e6c800$@net> >> Earlier this morning a Comcast peering manager had the following things to say about the recent NANOG thread, in a public IRC channel with many witnesses: (snip) >With all due respect, logs or GTFO. I can find no mention of this outside of your email. >I would expect there to be quite a few mentions of such a statement made in "a public IRC channel with many witnesses". I was in the IRC channel at the time and saw it. It's real. I don't support the posting of IRC logs, but can't control that either. Randy From jared at puck.nether.net Thu Dec 16 13:58:37 2010 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 16 Dec 2010 14:58:37 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B2B3123@ex-mb-1.corp.atlasnetworks.us> References: <008301cb9d50$6b0b0560$41211020$@org> <8224CA72-D111-4EF6-AD94-F52B0A7EFA4B@puck.nether.net> <8C26A4FDAE599041A13EB499117D3C286B2B3123@ex-mb-1.corp.atlasnetworks.us> Message-ID: <046A8ABD-8778-42F4-98E1-29B5ED4A3471@puck.nether.net> On Dec 16, 2010, at 2:24 PM, Nathan Eisenberg wrote: > The idea of buying colocation from a last-mile ISP to reduce that last-mile ISP's costs seems (at first glance) to be a hysterically unfair proposition - though it seems that incumbent ISPs may have great enough leverage to extract this revenue if they really want to. Or am I off my rocker? > > What is in the best interests of the customer? 
I think the balance here is: If you can buy wholesale IP for $X/meg from a generic provider that delivers the bits to all destinations vs Buying local IP for $Y (where Y>X) in the local network access, you will pay the $X rate. If there were some price advantage for the CDNs, I doubt the discussion would be happening at all. Some people call this "dumping", others call it market forces. I'm not sure debating the business merits here make sense, as I'm neither comcast nor a CDN, and all my data is based on similar 'backdoor' or 'whisper' comments over many years. I seriously doubt the CDNs care about much other than the price:quality ratio. Clearly what happened here was a business decision that has been dragged out too long in public. If you can't figure that out from this thread yet, you may not "get it" even if you saw an xls telling you the same thing. Most of the companies involved are publicly traded, read their 10-K's and extrapolate the costs and pressures. Either the costs involved here represent enough to be material and something to be noted in a filing at edgar, or they are people fighting over loose change. 
- Jared

From mpetach at netflight.com Thu Dec 16 14:13:21 2010
From: mpetach at netflight.com (Matthew Petach)
Date: Thu, 16 Dec 2010 12:13:21 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com>
Message-ID:

On Wed, Dec 15, 2010 at 10:40 PM, George Bonser wrote:
>> From: JC Dill
>> Sent: Wednesday, December 15, 2010 10:20 PM
>> To: NANOG list
>> Subject: Re: Some truth about Comcast - WikiLeaks style
>>
>> On 15/12/10 10:05 PM, George Bonser wrote:
>> >
>> > If the customer pays the cost of the transport, a provider with
>> better
>> > transport efficiency / quality ratio wins.
>>
>> This (and everything that followed) assumes the customer has a choice
>> of
>> providers. For most customers who already have Comcast, they don't
>> have
>> any choice for similar broadband services (speeds). So open market
>> principles don't come into play, and Comcast knows it.
>
> No, you misunderstood. It doesn't matter if you have only one internet
> service provider. If the end customer foots the bill, the incentive for
> innovation is for the *content* provider to strike a balance between
> quality and cost that the customers want. If the *content* provider
> foots the bill, innovation is driven in a way that the content providers
> want.
>
> Let's say I have foo.com and bar.com that offer video services and I am
> on Comcast. If Comcast meters my bandwidth usage and foo.com has good
> quality with a lower bandwidth use, I use foo. In the other model, if
> the content providers subsidize the bill, bar.com might be completely
> bloated but they have deep pockets and can pay the subsidy, they drive
> foo.com out of business and Comcast still has a congested network.
>

http://techcrunch.com/2010/12/15/yahoo-video-no-longer-accepts-video-uploads/

You may find that simply fewer content providers decide it's worth it to play in that space, under those conditions, which results in fewer choices for the consumer, and something closer to a monopoly on the available content to be consumed.

People *were* happy with only having three national TV networks to choose from for their major content in the US, right?

bar.com doesn't have to drive foo.com out of business; they just have to outlast them in the war of attrition driven by the monopoly holder, until bar.com decides it's no longer worth providing that content anymore.

end game--one monopoly access provider, and one giant content source--and a huge barrier to entry keeping anyone else from providing an alternative view of the world.

Matt
(speaking only for myself, and definitely not for any companies named foo, bar, or any other combination of letters. Or punctuation marks of any sort.)

From ras at e-gerbil.net Thu Dec 16 14:13:47 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Thu, 16 Dec 2010 14:13:47 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <032901cb9d5a$46f79800$d4e6c800$@net>
References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> <032901cb9d5a$46f79800$d4e6c800$@net>
Message-ID: <20101216201347.GH38726@gerbil.cluepon.net>

On Thu, Dec 16, 2010 at 02:48:56PM -0500, Randy Epstein wrote:
>
> I was in the IRC channel at the time and saw it. It's real.
>
> I don't support the posting of IRC logs, but can't control that either.

I saw it too.
I don't support posting of IRC logs trying to get people "in trouble" (though lord knows it wouldn't be the first time that has happened :P), but I also completely disagree with Comcast's position on this (big shocker, I know).

As one of the people who has spoken out against Comcast's actions the most vocally, I suppose the original sentiment might very well be targeted at me. Personally I really don't think that people on the NANOG list posting about their network issues or actions has ANYTHING to do with their sponsorship of the NANOG conferences or community, and I suppose I should be shocked and appalled that it might come down to these types of threats to silence people who have something negative to say. I'm a Comcast customer too (50M/10M or 6M/768K DSL at home, gee, decisions decisions :P), what are they going to do next, shut off my cable modem for TOS violations? :)

Seriously guys, this is an operator forum and you're running a congested network, to expect that people are not going to comment on those facts just because you've put money into NANOG sponsorship is absurd.

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From steve at ipv6canada.com Tue Dec 14 08:29:46 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Tue, 14 Dec 2010 09:29:46 -0500
Subject: peering, derivatives, and big brother
In-Reply-To:
References: <5A6D953473350C4B9995546AFE9939EE0B14CEA4@RWC-EX1.corp.seven.com> <1292270846.13327.234.camel@pc2.unassigned-domain> <5A6D953473350C4B9995546AFE9939EE0B14CEDB@RWC-EX1.corp.seven.com>
Message-ID: <4D077F5A.9010104@ipv6canada.com>

On 2010.12.13 16:28, Dorn Hetzel wrote:
> Yeah, well, sorta. sorta not so much :)

LOL. Mark-to-market... facilitating the booking of revenue to make it *appear* as though a business unit has a successful product.
Steve

From laurent at guerby.net Thu Dec 16 14:17:54 2010
From: laurent at guerby.net (Laurent GUERBY)
Date: Thu, 16 Dec 2010 21:17:54 +0100
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A6CC4.2090208@paulgraydon.co.uk>
References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> <4D0A6CC4.2090208@paulgraydon.co.uk>
Message-ID: <1292530674.13327.506.camel@pc2.unassigned-domain>

On Thu, 2010-12-16 at 09:47 -1000, Paul Graydon wrote:
> (...) All we're ending up with is what is mostly hearsay being treated as facts.

One consumer organization in France, during the ongoing debate with regulators on network neutrality, called for network operators to publish some verifiable information on their bandwidth issues:

http://www.arcep.fr/index.php?id=10387
http://www.alain-bazot.fr/index.php/neutralite-du-net-n-oublions-pas-l-interet-du-consommateur/
http://www.pcinpact.com/actu/news/55827-alain-bazot-neutralite-ufc-arcep.htm

Alain Bazot, president of "UFC - Que Choisir", a well-known French consumer organization, wrote on his blog:

<< (...) Before any intervention, the operator should prove that there is a real problem on its network, such as congestion. Given that accounts of how saturated the networks really are diverge, this condition seems essential to me. (...) >>

My poor translation:

<< (...) Before any change the network operator must prove he has a real congestion issue. Since information on the reality of network saturation is divergent, this condition seems essential to me. (...) >>

Regulators and the public need data for proper regulation and future changes in regulation, and the issue is the same everywhere :).
Sincerely,

Laurent

PS: sorry for my miscalculation. AMSIX 1.2Tbit/s cost is $2.25 per month per Comcast subscriber assuming 16 million customers and $30/Mbit/s/month transit, but as pointed out by participants of this list, for a 10G port at Comcast cost is likely to be closer to $3 Mbit/s so it all cancels out to my original erroneous $0.225 :).

From ras at e-gerbil.net Thu Dec 16 14:20:24 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Thu, 16 Dec 2010 14:20:24 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101216201347.GH38726@gerbil.cluepon.net>
References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> <032901cb9d5a$46f79800$d4e6c800$@net> <20101216201347.GH38726@gerbil.cluepon.net>
Message-ID: <20101216202024.GI38726@gerbil.cluepon.net>

On Thu, Dec 16, 2010 at 02:13:47PM -0600, Richard A Steenbergen wrote:
> Seriously guys, this is an operator forum and you're running a congested
> network, to expect that people are not going to comment on those facts
> just because you've put money into NANOG sponsorship is absurd.

Forgot to attach a giant disclaimer on the previous post: I'm speaking solely for myself, and not in any way, shape, or form, for the NANOG, NewNOG, or any other organization.
--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From jbates at brightok.net Thu Dec 16 14:56:44 2010
From: jbates at brightok.net (Jack Bates)
Date: Thu, 16 Dec 2010 14:56:44 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101216201347.GH38726@gerbil.cluepon.net>
References: <829014DC-BA98-470E-B87F-E1803319BC38@humancapitaldev.com> <032901cb9d5a$46f79800$d4e6c800$@net> <20101216201347.GH38726@gerbil.cluepon.net>
Message-ID: <4D0A7D0C.30906@brightok.net>

On 12/16/2010 2:13 PM, Richard A Steenbergen wrote:
> On Thu, Dec 16, 2010 at 02:48:56PM -0500, Randy Epstein wrote:
>>
>> I was in the IRC channel at the time and saw it. It's real.
>>
>> I don't support the posting of IRC logs, but can't control that either.
>
> I saw it too. I don't support posting of IRC logs trying to get people
> "in trouble" (though lord knows it wouldn't be the first time that has
> happened :P), but I also completely disagree with Comcast's position on
> this (big shocker, I know).
>

I think the "post the logs" comment was due to no one speaking up as to having seen the quote. Anonymous posting without corroborating evidence is useless. I may not agree with Comcast, but I also can't agree with people quoting them without any evidence; and multiple people having seen it is acceptable evidence.

Jack

From jsw at inconcepts.biz Thu Dec 16 15:22:15 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Thu, 16 Dec 2010 16:22:15 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0A6041.7070506@gmail.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> <4D0A6041.7070506@gmail.com>
Message-ID:

On Thu, Dec 16, 2010 at 1:53 PM, Dave Temkin wrote:
> I do.
> And yes, they are happy to "fuck with a billion dollar a month
> revenue stream" (that happens to be low margin) in order to set a precedent
> so that when traffic is 60Tbit instead of 6Tbit, across the *same* customer

We disagree on this point. I do not think anyone knowledgeable at Comcast realistically believes they will be able to charge a business-relevant amount of money for access to their customers. I think regulators would first put the brakes on our whole industry.

Cable Internet is far from low-margin; in fact, the cable company in my area, an order of magnitude smaller than Comcast, generates an order of magnitude more profit from IP than from television.

What I do think, and what people on this list who engage in peering discussions with Comcast cannot say for fear of reprisal, is that the peering folks at Comcast are driven entirely by ego, and they lack the big picture decision-making capacity of business people making strategy decisions. They have upper management convinced that becoming settlement-free is a golden goose.

The peering folks would be wise to reconsider their positions before upper management realizes that their ego-driven staff are risking the golden goose they already have, their captive audience, for little gain. After all, if they can't manage to run their IP and transport network more cost-effectively than they do today, they will never be able to compete as a transit network, and the golden goose they are chasing will never lay any eggs.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From andrew.wallace at rocketmail.com Thu Dec 16 15:34:38 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Thu, 16 Dec 2010 13:34:38 -0800 (PST)
Subject: Facebook issue
Message-ID: <226002.727.qm@web59611.mail.ac4.yahoo.com>

Anyone having issue with Facebook?
Andrew From mike at mtcc.com Thu Dec 16 15:38:20 2010 From: mike at mtcc.com (Michael Thomas) Date: Thu, 16 Dec 2010 13:38:20 -0800 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: <4D0A86CC.500@mtcc.com> On 12/16/2010 01:34 PM, andrew.wallace wrote: > Anyone having issue with Facebook? > > Andrew > Yep. Mike From andre at operations.net Thu Dec 16 15:39:24 2010 From: andre at operations.net (Andre Gironda) Date: Thu, 16 Dec 2010 14:39:24 -0700 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: On Thu, Dec 16, 2010 at 2:34 PM, andrew.wallace wrote: > Anyone having issue with Facebook? It's returning an empty set of html tags From robertg at garlic.com Thu Dec 16 15:39:29 2010 From: robertg at garlic.com (Robert Glover) Date: Thu, 16 Dec 2010 13:39:29 -0800 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: <4D0A8711.8000801@garlic.com> Facebook Goes Down Amid Rollout of New Brand Pages - http://on.mash.to/f36qqA Sincerely, Bobby Glover Director of Information Services South Valley Internet On 12/16/2010 1:34 PM, andrew.wallace wrote: > Anyone having issue with Facebook? > > Andrew > > > > > From jvanoppen at spectrumnet.us Thu Dec 16 15:39:33 2010 From: jvanoppen at spectrumnet.us (John van Oppen) Date: Thu, 16 Dec 2010 21:39:33 +0000 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: Yep... Seeing serious issues from our office here at AS11404, we are peered directly and all looks good at the IP layer but all of us who wanted to procrastinate here at the office are having trouble getting page loads to complete. Oddly, no noc tickets yet. 
John -----Original Message----- From: andrew.wallace [mailto:andrew.wallace at rocketmail.com] Sent: Thursday, December 16, 2010 1:35 PM To: nanog at nanog.org Subject: Facebook issue Anyone having issue with Facebook? Andrew From andyzweb at gmail.com Thu Dec 16 15:39:48 2010 From: andyzweb at gmail.com (Andrew Euell) Date: Thu, 16 Dec 2010 16:39:48 -0500 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: Yup. Productivity just shot up I can feel it On Thu, Dec 16, 2010 at 4:34 PM, andrew.wallace wrote: > Anyone having issue with Facebook? > > Andrew > > > > > > -- Andrew Euell andyzweb [at] gmail [dot] com From ck at sandcastl.es Thu Dec 16 15:40:25 2010 From: ck at sandcastl.es (christian koch) Date: Thu, 16 Dec 2010 13:40:25 -0800 Subject: Facebook issue In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: stop On Thu, Dec 16, 2010 at 1:34 PM, andrew.wallace < andrew.wallace at rocketmail.com> wrote: > Anyone having issue with Facebook? > > Andrew > > > > > > From maxsec at gmail.com Thu Dec 16 15:40:33 2010 From: maxsec at gmail.com (Martin Hepworth) Date: Thu, 16 Dec 2010 21:40:33 +0000 Subject: Facebook issue In-Reply-To: <4D0A86CC.500@mtcc.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> Message-ID: +1 from the uk On Thursday, 16 December 2010, Michael Thomas wrote: > On 12/16/2010 01:34 PM, andrew.wallace wrote: > > Anyone having issue with Facebook? > > Andrew > > > > Yep. 
> > Mike > > -- -- Martin Hepworth Oxford, UK From ned at mysterymachine.info Thu Dec 16 15:47:59 2010 From: ned at mysterymachine.info (Ned Moran) Date: Thu, 16 Dec 2010 16:47:59 -0500 Subject: Facebook issue In-Reply-To: <4D0A86CC.500@mtcc.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> Message-ID: <4D0A890F.8060700@mysterymachine.info> up for me ... On 12/16/10 4:38 PM, Michael Thomas wrote: > On 12/16/2010 01:34 PM, andrew.wallace wrote: >> Anyone having issue with Facebook? >> >> Andrew > > Yep. > > Mike > From brokenflea at gmail.com Thu Dec 16 15:42:06 2010 From: brokenflea at gmail.com (Khurram Khan) Date: Thu, 16 Dec 2010 14:42:06 -0700 Subject: Facebook issue In-Reply-To: <4D0A86CC.500@mtcc.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> Message-ID: Ditto On Dec 16, 2010 2:39 PM, "Michael Thomas" wrote: On 12/16/2010 01:34 PM, andrew.wallace wrote: > > Anyone having issue with Facebook? > > Andrew > ... Yep. Mike From daodennis at gmail.com Thu Dec 16 15:42:41 2010 From: daodennis at gmail.com (daodennis at gmail.com) Date: Thu, 16 Dec 2010 21:42:41 +0000 Subject: Facebook issue Message-ID: <519089327-1292535764-cardhu_decombobulator_blackberry.rim.net-1387851223-@bda371.bisx.prod.on.blackberry> Can we just stop this till it comes back up or move to outages? ------Original Message------ From: Andre Gironda To: nanog at nanog.org Subject: Re: Facebook issue Sent: Dec 16, 2010 13:39 On Thu, Dec 16, 2010 at 2:34 PM, andrew.wallace wrote: > Anyone having issue with Facebook? It's returning an empty set of html tags Sent from my Verizon Wireless BlackBerry From ben at 708x.com Thu Dec 16 15:42:08 2010 From: ben at 708x.com (Ben Carleton) Date: Thu, 16 Dec 2010 16:42:08 -0500 Subject: Facebook issue Message-ID: <36f2f7d1$4714b486$7619940b$@com> I am seeing the same thing here. Empty HTML tags... 
(sorry for the top quote)

Regards
Ben

----------------------------------------
From: "Andre Gironda"
Sent: Thursday, December 16, 2010 4:39 PM
To: "nanog at nanog.org"
Subject: Re: Facebook issue

On Thu, Dec 16, 2010 at 2:34 PM, andrew.wallace wrote:
> Anyone having issue with Facebook?

It's returning an empty set of html tags

From andrew.wallace at rocketmail.com Thu Dec 16 15:46:15 2010
From: andrew.wallace at rocketmail.com (andrew.wallace)
Date: Thu, 16 Dec 2010 13:46:15 -0800 (PST)
Subject: Facebook issue
Message-ID: <157378.72517.qm@web59615.mail.ac4.yahoo.com>

This is what I was seeing too.

----- Original Message -----
From: Andre Gironda
To: "nanog at nanog.org"
Cc: andrew.wallace
Sent: Thursday, 16 December 2010, 21:39:24
Subject: Re: Facebook issue

It's returning an empty set of html tags

From steve at ipv6canada.com Thu Dec 16 15:47:32 2010
From: steve at ipv6canada.com (Steve Bertrand)
Date: Thu, 16 Dec 2010 16:47:32 -0500
Subject: Facebook issue
In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com>
References: <226002.727.qm@web59611.mail.ac4.yahoo.com>
Message-ID: <4D0A88F4.4060002@ipv6canada.com>

On 2010.12.16 16:34, andrew.wallace wrote:
> Anyone having issue with Facebook?

Back up now from Toronto.

Steve

From tme at americafree.tv Thu Dec 16 15:48:20 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Thu, 16 Dec 2010 16:48:20 -0500
Subject: Facebook issue
In-Reply-To:
References: <226002.727.qm@web59611.mail.ac4.yahoo.com>
Message-ID:

On Dec 16, 2010, at 4:39 PM, Andre Gironda wrote:
> On Thu, Dec 16, 2010 at 2:34 PM, andrew.wallace
> wrote:
>> Anyone having issue with Facebook?
>
> It's returning an empty set of html tags
>

Working fine in Northern Virginia on Cox and Cogent.
Regards Marshall From mike at mtcc.com Thu Dec 16 15:50:12 2010 From: mike at mtcc.com (Michael Thomas) Date: Thu, 16 Dec 2010 13:50:12 -0800 Subject: Facebook issue In-Reply-To: References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: <4D0A8994.9020202@mtcc.com> Somebody obviously backed out the change because it's back up again. Mashable has a blurb on it. Mike On 12/16/2010 01:39 PM, John van Oppen wrote: > Yep... Seeing serious issues from our office here at AS11404, we are peered directly and all looks good at the IP layer but all of us who wanted to procrastinate here at the office are having trouble getting page loads to complete. Oddly, no noc tickets yet. > > John > > -----Original Message----- > From: andrew.wallace [mailto:andrew.wallace at rocketmail.com] > Sent: Thursday, December 16, 2010 1:35 PM > To: nanog at nanog.org > Subject: Facebook issue > > Anyone having issue with Facebook? > > Andrew > > > > > > From drais at icantclick.org Thu Dec 16 15:52:15 2010 From: drais at icantclick.org (david raistrick) Date: Thu, 16 Dec 2010 16:52:15 -0500 (EST) Subject: Facebook issue In-Reply-To: References: <226002.727.qm@web59611.mail.ac4.yahoo.com> Message-ID: We detected it about 3:40 eastern, and they just announced it on the status page. "We are currently investigating sitewide issues that will affect Facebook Platform. We apologize for any inconvenience and will post here with updates." 
this should maybe be moved to outages@ though (depending on who you ask, of course) -- david raistrick http://www.netmeister.org/news/learn2quote.html drais at icantclick.org http://www.expita.com/nomime.html From ken at stox.org Thu Dec 16 15:52:23 2010 From: ken at stox.org (Ken Stox) Date: Thu, 16 Dec 2010 15:52:23 -0600 Subject: Facebook issue In-Reply-To: <4D0A86CC.500@mtcc.com> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> Message-ID: <1292536343.30779.1.camel@daedelus.stox.org> On Thu, 2010-12-16 at 13:38 -0800, Michael Thomas wrote: > On 12/16/2010 01:34 PM, andrew.wallace wrote: > > Anyone having issue with Facebook? In related news, employers around the country enjoyed a peak of productivity this afternoon..... From brokenflea at gmail.com Thu Dec 16 16:22:00 2010 From: brokenflea at gmail.com (Khurram Khan) Date: Thu, 16 Dec 2010 15:22:00 -0700 Subject: Facebook issue In-Reply-To: <1292536343.30779.1.camel@daedelus.stox.org> References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> <1292536343.30779.1.camel@daedelus.stox.org> Message-ID: Our NOC just got off the phone with L3 and they report a "IP issue" out of Philadelphia. No other details though. On Thu, Dec 16, 2010 at 2:52 PM, Ken Stox wrote: > On Thu, 2010-12-16 at 13:38 -0800, Michael Thomas wrote: > > On 12/16/2010 01:34 PM, andrew.wallace wrote: > > > Anyone having issue with Facebook? > > In related news, employers around the country enjoyed a peak of > productivity this afternoon..... 
>
>

From caldcv at gmail.com Thu Dec 16 16:45:01 2010
From: caldcv at gmail.com (Christopher)
Date: Thu, 16 Dec 2010 17:45:01 -0500
Subject: Facebook issue - SOLVED
In-Reply-To:
References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A86CC.500@mtcc.com> <1292536343.30779.1.camel@daedelus.stox.org>
Message-ID: <4D0A966D.2080008@gmail.com>

http://downforeveryoneorjustme.com/
http://www.internettrafficreport.com/

These will solve your issue quickly

From khomyakov.andrey at gmail.com Thu Dec 16 16:45:23 2010
From: khomyakov.andrey at gmail.com (Andrey Khomyakov)
Date: Thu, 16 Dec 2010 17:45:23 -0500
Subject: Facebook issue
In-Reply-To: <4D0A8994.9020202@mtcc.com>
References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <4D0A8994.9020202@mtcc.com>
Message-ID:

It must be too busy now running face recognition software on all the faces on all the pictures they have. :)

--
Andrey Khomyakov [khomyakov.andrey at gmail.com]

From jared at puck.nether.net Thu Dec 16 16:57:18 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 16 Dec 2010 17:57:18 -0500
Subject: BGP Attribute 92 ?
Message-ID: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net>

Someone seems to have leaked this out, with the following data within the bgp update:

Unknown BGP attribute 92 (flags: 234)
Hexdump start---
DD 78 FF 71
Hexdump end ----

Not sure what prefix this was related to yet, but if you saw your BGP drop, it could be related to improper handling of this.

Seemed to go out around 2200 UTC

- Jared

From darcy at druid.net Thu Dec 16 17:07:20 2010
From: darcy at druid.net (D'Arcy J.M. Cain)
Date: Thu, 16 Dec 2010 18:07:20 -0500
Subject: Facebook issue
In-Reply-To: <226002.727.qm@web59611.mail.ac4.yahoo.com>
References: <226002.727.qm@web59611.mail.ac4.yahoo.com>
Message-ID: <20101216180720.da8300e5.darcy@druid.net>

On Thu, 16 Dec 2010 13:34:38 -0800 (PST)
"andrew.wallace" wrote:
> Anyone having issue with Facebook?

Always have but that's just me.

--
D'Arcy J.M.
Cain | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.

From bclark at spectraaccess.com Thu Dec 16 17:11:08 2010
From: bclark at spectraaccess.com (Bret Clark)
Date: Thu, 16 Dec 2010 18:11:08 -0500
Subject: Facebook issue
In-Reply-To: <20101216180720.da8300e5.darcy@druid.net>
References: <226002.727.qm@web59611.mail.ac4.yahoo.com> <20101216180720.da8300e5.darcy@druid.net>
Message-ID: <4D0A9C8C.2090302@spectraaccess.com>

On 12/16/2010 06:07 PM, D'Arcy J.M. Cain wrote:
> On Thu, 16 Dec 2010 13:34:38 -0800 (PST)
> "andrew.wallace" wrote:
>
>> Anyone having issue with Facebook?
>>
> Always have but that's just me.
>

Comcast must have planned this so that we would flood the list with useless Facebook messages rather than harass them about their lousy traffic management issues ;)!

From mikea at mikea.ath.cx Thu Dec 16 17:14:51 2010
From: mikea at mikea.ath.cx (mikea)
Date: Thu, 16 Dec 2010 17:14:51 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D099FD9.2000808@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF92@RWC-EX1.corp.seven.com> <4D09AF9E.8090200@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CF96@RWC-EX1.corp.seven.com>
Message-ID: <20101216231451.GA49359@mikea.ath.cx>

On Thu, Dec 16, 2010 at 12:13:21PM -0800, Matthew Petach wrote:
> You may find that simply fewer content providers decide it's worth it to play
> in that space, under those conditions, which results in fewer choices for the
> consumer, and something closer to a monopoly on the available content
> to be consumed.
>
> People *were* happy with only having three national TV networks to choose
> from for their major content in the US, right?
> > bar.com doesn't have to drive foo.com out of business; they just have to > outlast them in the war of attrition driven by the monopoly holder, until > bar.com decides it's no longer worth providing that content anymore. > > end game--one monopoly access provider, and one giant content source--and > a huge barrier to entry keeping anyone else from providing an alternative view > of the world. Sometimes expressed as "It is not enough that you win; all others must fail." Treating this as a zero-sum game is not good for the end users, however good it may be for the winning enterprise. -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From rhys at rhavenindustrys.com Thu Dec 16 17:57:57 2010 From: rhys at rhavenindustrys.com (Rhys Rhaven) Date: Thu, 16 Dec 2010 17:57:57 -0600 Subject: BGP Attribute 92 ? In-Reply-To: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> References: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> Message-ID: <4D0AA785.3050602@rhavenindustrys.com> Getting back to networks... Saw our two BGP listening ports drop (Verizon and Qwest) at 2150UTC. Nortel SR1004. Isn't that nice. On 12/16/2010 04:57 PM, Jared Mauch wrote: > Someone seems to have leaked this out, with the following data within the bgp update: > > Unknown BGP attribute 92 (flags: 234) > Hexdump start--- > DD 78 FF 71 > Hexdump end ---- > > Not sure what prefix this was related to yet, but if you saw your BGP drop, it could be related to improper handling of this. 
>
> Seemed to go out around 2200 UTC
>
> - Jared
>
>

From gbonser at seven.com  Thu Dec 16 18:01:42 2010
From: gbonser at seven.com (George Bonser)
Date: Thu, 16 Dec 2010 16:01:42 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> <4D0A6041.7070506@gmail.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CFD1@RWC-EX1.corp.seven.com>

> -----Original Message-----
> From: Jeff Wheeler [mailto:jsw at inconcepts.biz]
> Sent: Thursday, December 16, 2010 1:22 PM
> To: nanog at nanog.org
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> On Thu, Dec 16, 2010 at 1:53 PM, Dave Temkin wrote:
> > I do.  And yes, they are happy to "fuck with a billion dollar a month
> > revenue stream" (that happens to be low margin) in order to set a
> precedent
> > so that when traffic is 60Tbit instead of 6Tbit, across the *same*
> customer

Turn the question around. What would any provider think if a city said "sure, you can have access to our residents' eyeballs. It will cost you $5 per subscriber per month". Would Comcast or anyone go for that? That is a real question, by the way. For all I know some municipality might already do that. But say one with something between 100,000 and 1,000,000 potential subscribers did that. Would any of the providers think that is "fair"? Particularly *after* the provider is already providing services to those subscribers and then has the rules changed on them after they already have contracts in place with the subscribers?

It just seems to me to be an evil Pandora's box that once opened, there is no potential end to. What if several cities ganged up and together decided to charge a last mile provider access to eyeballs?

Better in my opinion to let the end user pay for what they use.
It doesn't have to be strictly metered per meg but can be put into tiers (as most providers already do anyway). Sort of like "smart meters" they are doing with electricity. People will modify their usage according to what they can afford. Pricing bandwidth according to basic principles of supply and demand would probably work better. Those that use more would pay more, those that use less would pay less.

From davet1 at gmail.com  Thu Dec 16 18:13:23 2010
From: davet1 at gmail.com (Dave Temkin)
Date: Thu, 16 Dec 2010 16:13:23 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFD1@RWC-EX1.corp.seven.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <1292408634.13327.383.camel@pc2.unassigned-domain> <4D08DA11.3010504@kenweb.org> <20101215224708.GB82574@latency.net> <4D0A4947.2060004@gmail.com> <4D0A6041.7070506@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFD1@RWC-EX1.corp.seven.com>
Message-ID: <4D0AAB23.6020006@gmail.com>

George Bonser wrote:
>
>> -----Original Message-----
>> From: Jeff Wheeler [mailto:jsw at inconcepts.biz]
>> Sent: Thursday, December 16, 2010 1:22 PM
>> To: nanog at nanog.org
>> Subject: Re: Some truth about Comcast - WikiLeaks style
>>
>> On Thu, Dec 16, 2010 at 1:53 PM, Dave Temkin wrote:
>>
>>> I do. And yes, they are happy to "fuck with a billion dollar a month
>>> revenue stream" (that happens to be low margin) in order to set a
>>>
>> precedent
>>
>>> so that when traffic is 60Tbit instead of 6Tbit, across the *same*
>>>
>> customer
>>
>
>
> Turn the question around. What would any provider think if a city said "sure, you can have access to our residents' eyeballs. It will cost you $5 per subscriber per month". Would Comcast or anyone go for that? That is a real question, by the way. For all I know some municipality might already do that. But say one with something between 100,000 and 1,000,000 potential subscribers did that.
> Would any of the providers think that is "fair"? Particularly *after* the provider is already providing services to those subscribers and then has the rules changed on them after they already have contracts in place with the subscribers?
>
> It just seems to me to be an evil Pandora's box that once opened, there is no potential end to. What if several cities ganged up and together decided to charge a last mile provider access to eyeballs?
>
> Better in my opinion to let the end user pay for what they use. It doesn't have to be strictly metered per meg but can be put into tiers (as most providers already do anyway). Sort of like "smart meters" they are doing with electricity. People will modify their usage according to what they can afford. Pricing bandwidth according to basic principles of supply and demand would probably work better. Those that use more would pay more, those that use less would pay less.
>
>
>

These are exactly what Franchise Agreements are for. Yes, cities charge MSOs and LECs for access all the time.

-Dave

From patrick at zill.net  Thu Dec 16 21:38:58 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Thu, 16 Dec 2010 22:38:58 -0500
Subject: BGP Attribute 92 ?
In-Reply-To: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net>
References: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net>
Message-ID: <4D0ADB52.1040106@zill.net>

On 12/16/2010 5:57 PM, Jared Mauch wrote:
> Someone seems to have leaked this out, with the following data within the bgp update:
>
> Unknown BGP attribute 92 (flags: 234)
> Hexdump start---
> DD 78 FF 71
> Hexdump end ----
>

This appeared to bite my Level3-connected bandwidth as well.

Time period was about 2151 UTC with things being restored at 2207 UTC.

Do typical BGP sessions end up being reconnected after 15 minutes?

Cordially

Patrick

From randy at psg.com  Thu Dec 16 21:41:24 2010
From: randy at psg.com (Randy Bush)
Date: Fri, 17 Dec 2010 12:41:24 +0900
Subject: BGP Attribute 92 ?
In-Reply-To: <4D0ADB52.1040106@zill.net>
References: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> <4D0ADB52.1040106@zill.net>
Message-ID:

>> Unknown BGP attribute 92 (flags: 234)
>> Hexdump start---
>> DD 78 FF 71
>> Hexdump end ----
> This appeared to bite my Level3-connected bandwidth as well.

sigh. is this an attack by a black hat, or by an rir and researchers who do not know how to say "oops, sorreee!?"

randy

From patrick at zill.net  Thu Dec 16 22:53:28 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Thu, 16 Dec 2010 23:53:28 -0500
Subject: BGP Attribute 92 ?
In-Reply-To:
References: <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> <4D0ADB52.1040106@zill.net>
Message-ID: <4D0AECC8.50807@zill.net>

On 12/16/2010 10:41 PM, Randy Bush wrote:
>>> Unknown BGP attribute 92 (flags: 234)
>>> Hexdump start---
>>> DD 78 FF 71
>>> Hexdump end ----
>> This appeared to bite my Level3-connected bandwidth as well.
>
> sigh. is this an attack by a black hat, or by an rir and researchers
> who do not know how to say "oops, sorreee!?"
>
> randy
>

Even weirder, a remote server running SmokePing showed an 11ms increase in latency from 24ms to 35ms, which started after service was restored, then a drop at precisely 11:00PM Eastern back to original, lower levels of latency.

That is,

4:45PM             24ms on Level3
4:50PM to 5:07PM - Level3 outage
5:08PM to 10:59:   35ms on Level3
11:00PM and after: 24ms on Level3

Very odd.

--Patrick

From jbfixurpc at gmail.com  Thu Dec 16 23:22:42 2010
From: jbfixurpc at gmail.com (Joe Blanchard)
Date: Thu, 16 Dec 2010 23:22:42 -0600
Subject: OT - NO (Non-Operational) Question
Message-ID:

Happy holidays to all.

Quick question with regard to "Text/SMS" messaging. I know this is not really the place to ask, so forgive me for bending your eyes.
It appears there's really no easy way to determine the origin of a text sent to a cell, at least as far as I can see without involving the provider (611). Any quick links/ideas as to where to research this? Perhaps something obvious I'm missing?

And yes, I tried lmgtfy.com (:

Thanks in advance, and happy holidays/Xmas/New Year's to all,

-Joe Blanchard

From jra at baylink.com  Thu Dec 16 23:26:40 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 17 Dec 2010 00:26:40 -0500 (EST)
Subject: Alacarte Cable and Geeks
In-Reply-To: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net>
Message-ID: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Brian Rettke"

> Interesting point. I'd also like to point out that putting the cost on
> the content providers rather than the network may raise the cost of
> the content service, but only to those that want that service. In
> effect, if the transport provider is paying for the bandwidth
> generated by a content provider, in effect we have another service
> bundled to all services offered, which increases the cost to people
> using Internet service but not necessarily accessing that content.
> Kind of the same reason TV channels aren't a la carte.

Having worked for a small cable TV network in the 90s, I have some insights into why cable systems don't sell most channels alacarte.

1) The accounting goes pear-shaped pretty quickly, or at least, it did in the 80s when that practice got started -- having to account for each individual subscriber pushed the complexity up, in much the same way that flat rate telecom services are popular equally because customers prefer them, and because the *cost of keeping track* becomes >delta.
2) New networks prefer it, and the fact that it happens makes the creation of new cable networks practical -- you don't have to go around and sell your idea to people retail; you sell it to CATV systems (well, really, multi-system operators) *once* -- generally at something like the Western Show -- and they buy it and give it to *all* of their subs as part of a tier. Makes it much easier to achieve critical mass.

And finally,

3) the increased complexity of having *everything* alacarte increases the cognitive load on new subscribers to the point where they probably will consider other alternatives -- it's just too many decisions to make when you're trying to sign up. Additionally, it makes marketing harder: there isn't a real "base price, nicely equipped" to point to.

In the current tiered approach, a very small group of people inside the cable system is charged with picking the channels, and putting them in the tiers, and they're the only ones who ought to have to care about that, in my mostly humble opinion.

The percentage of people who want channel by channel control over their cable service, I think, is roughly akin to the percentage of people who root their Android phone so they can play with the apps and the controls that you can't get without doing that; ie: minuscule. (I actually mistyped "minusclue", but that's what those people are *not*; our only real blindspot as geeks is realizing that we're exceptional -- that most people really couldn't give a damn.)

Cheers,
-- jra

From jra at baylink.com  Thu Dec 16 23:29:58 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 17 Dec 2010 00:29:58 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D09E034.1010104@gmail.com>
Message-ID: <19270456.472.1292563798864.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "JC Dill"

> What customers *really* want, and what they gladly accept as long as
> it saves them a few pennies, are miles apart.
> (Which is why so many
> people blindly give their data to Facebook etc.) This is why I think the
> direction Comcast is going is ultimately going to win in the
> marketplace. Do I *want* to see Comcast win? No! But I think it's an
> inevitable trend. Customers are lazy. Customers are cheap. They will
> - en masse - support the lowest cost solution that *appears* to give
> them something of value, even when it's really not in their best
> interest.

Unless smart people like us *illustrate for them* why in the long run, it's not really in their best interest.

That is our job, at layers 8 and 9, right?

Cheers,
-- jra

From frnkblk at iname.com  Thu Dec 16 23:47:17 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 16 Dec 2010 23:47:17 -0600
Subject: Alacarte Cable and Geeks
In-Reply-To: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
Message-ID:

The primary reason for the lack of a la carte is that the content providers tie groups of channels together, sometimes for prices less than one of those channels on a stand-alone basis.

The secondary reason is the one you list as your first, and that's keeping track of what customer has what channel and making sure it's billed appropriately. With digital simulcast, and the right backend system, this could become manageable.

Frank

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Thursday, December 16, 2010 11:27 PM
To: NANOG
Subject: Alacarte Cable and Geeks

----- Original Message -----
> From: "Brian Rettke"

> Interesting point. I'd also like to point out that putting the cost on
> the content providers rather than the network may raise the cost of
> the content service, but only to those that want that service.
> In
> effect, if the transport provider is paying for the bandwidth
> generated by a content provider, in effect we have another service
> bundled to all services offered, which increases the cost to people
> using Internet service but not necessarily accessing that content.
> Kind of the same reason TV channels aren't a la carte.

Having worked for a small cable TV network in the 90s, I have some insights into why cable systems don't sell most channels alacarte.

1) The accounting goes pear-shaped pretty quickly, or at least, it did in the 80s when that practice got started -- having to account for each individual subscriber pushed the complexity up, in much the same way that flat rate telecom services are popular equally because customers prefer them, and because the *cost of keeping track* becomes >delta.

2) New networks prefer it, and the fact that it happens makes the creation of new cable networks practical -- you don't have to go around and sell your idea to people retail; you sell it to CATV systems (well, really, multi-system operators) *once* -- generally at something like the Western Show -- and they buy it and give it to *all* of their subs as part of a tier. Makes it much easier to achieve critical mass.

And finally,

3) the increased complexity of having *everything* alacarte increases the cognitive load on new subscribers to the point where they probably will consider other alternatives -- it's just too many decisions to make when you're trying to sign up. Additionally, it makes marketing harder: there isn't a real "base price, nicely equipped" to point to.

In the current tiered approach, a very small group of people inside the cable system is charged with picking the channels, and putting them in the tiers, and they're the only ones who ought to have to care about that, in my mostly humble opinion.
The percentage of people who want channel by channel control over their cable service, I think, is roughly akin to the percentage of people who root their Android phone so they can play with the apps and the controls that you can't get without doing that; ie: minuscule. (I actually mistyped "minusclue", but that's what those people are *not*; our only real blindspot as geeks is realizing that we're exceptional -- that most people really couldn't give a damn.)

Cheers,
-- jra

From jra at baylink.com  Fri Dec 17 00:09:50 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 17 Dec 2010 01:09:50 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFD1@RWC-EX1.corp.seven.com>
Message-ID: <17055632.508.1292566190453.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "George Bonser"

> Turn the question around. What would any provider think if a city said
> "sure, you can have access to our residents' eyeballs. It will cost
> you $5 per subscriber per month". Would Comcast or anyone go for that?
> That is a real question, by the way. For all I know some municipality
> might already do that. But say one with something between 100,000 and
> 1,000,000 potential subscribers did that. Would any of the providers
> think that is "fair"? Particularly *after* the provider is already
> providing services to those subscribers and then has the rules changed
> on them after they already have contracts in place with the
> subscribers?

I believe you're looking for Rose.net/CNS in Thomasville GA:

http://www.cns-internet.com/aboutcns.shtml

Why not go *ask* competing providers what they think?

> It just seems to me to be an evil Pandora's box that once opened,
> there is no potential end to. What if several cities ganged up and
> together decided to charge a last mile provider access to eyeballs?

What about it?

> Better in my opinion to let the end user pay for what they use.
> It

That's orthogonal to who should be providing it, so the rest of your graf:

> doesn't have to be strictly metered per meg but can be put into tiers
> (as most providers already do anyway). Sort of like "smart meters"
> they are doing with electricity. People will modify their usage
> according to what they can afford. Pricing bandwidth according to
> basic principles of supply and demand would probably work better.
> Those that use more would pay more, those that use less would pay
> less.

is a strawman.

And note that I don't *care* whether commercial entities think a given approach is "fair" or not: they sure don't care whether *we* think their practices are "fair". No one is entitled to continue to make a living in any particular way, by law or any other facility.

I thought that was attributable to Judge Learned Hand, but as it turns out, I stole it from Robert Heinlein, who used it in a speech from a judge in his very first published story, Lifeline. Perhaps Bill Patterson, his biographer, knows where he stole it from. It's still an excellent thing to remember.

Lots of companies have sprung up to fulfill a niche -- full motion NTSC video processing in PCs, frex -- and then had to find something else to do when the pendulum swung from hardware back to software.

Cheers,
-- jra

From ahaning at mindspring.com  Fri Dec 17 00:28:47 2010
From: ahaning at mindspring.com (Andrew Haninger)
Date: Fri, 17 Dec 2010 01:28:47 -0500
Subject: OT - NO (Non-Operational) Question
In-Reply-To:
References:
Message-ID:

On Fri, Dec 17, 2010 at 12:22 AM, Joe Blanchard wrote:
> It appears there's really no easy way to determine the origin of a text
> sent to a cell...
>

For shortcodes, Neustar provided a list:

https://www.usshortcodes.com/csc/directory/directoryList.do?method=showDirectory&group=all

For regular cellular numbers, the Wireless Amber Alert site is popular amongst MVNO (e.g.
prepaid) users to find out so they can use the email-to-text gateways:

http://www.wirelessamberalerts.com/

(You don't actually sign up, just enter the number and then it will tell you the carrier.)

For landlines/VoIP/etc. Google should be able to tell you at least the city/state. Though it's rare that you will get a text from a landline, it is possible.

Andy

From jra at baylink.com  Fri Dec 17 01:14:07 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 17 Dec 2010 02:14:07 -0500 (EST)
Subject: OT - NO (Non-Operational) Question
In-Reply-To:
Message-ID: <3577943.522.1292570047831.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Andrew Haninger"
> To: "Joe Blanchard"
> Cc: nanog at nanog.org
> Sent: Friday, December 17, 2010 1:28:47 AM
> Subject: Re: OT - NO (Non-Operational) Question

> On Fri, Dec 17, 2010 at 12:22 AM, Joe Blanchard
> wrote:
>
> > It appears there's really no easy way to determine the origin of a
> > text sent to a cell...
> >
> For shortcodes, Neustar provided a list:
>
> https://www.usshortcodes.com/csc/directory/directoryList.do?method=showDirectory&group=all
>
> For regular cellular numbers, the Wireless Amber Alert site is popular
> amongst MVNO (e.g. prepaid) users to find out so they can use the
> email-to-text gateways:
>
> http://www.wirelessamberalerts.com/
>
> (You don't actually sign up, just enter the number and then it will
> tell you
> the carrier.)
>
> For landlines/VoIP/etc. Google should be able to tell you at least the
> city/state. Though it's rare that you will get a text from a landline,
> it is possible.

I could be wrong, but I think the actual question was "is it realistic to assume a text to a cellphone came from the number it *says* it came from?" and I think the answer is "no, there are a few ways to spoof it".
Received SMS messages are probably not evidentiary, absent a report from the receiving carrier of the message traffic log involved, which would itself be hearsay unless someone testified about it.

Cheers,
-- jra

From jbfixurpc at gmail.com  Fri Dec 17 01:37:06 2010
From: jbfixurpc at gmail.com (Joe Blanchard)
Date: Fri, 17 Dec 2010 01:37:06 -0600
Subject: OT - NO (Non-Operational) Question
In-Reply-To: <3577943.522.1292570047831.JavaMail.root@benjamin.baylink.com>
References: <3577943.522.1292570047831.JavaMail.root@benjamin.baylink.com>
Message-ID:

Sorry to all,

Yes, that in a nutshell would be my question, along with tracking it.

Thanks Jay
- Joe

On Fri, Dec 17, 2010 at 1:14 AM, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Andrew Haninger"
> > To: "Joe Blanchard"
> > Cc: nanog at nanog.org
> > Sent: Friday, December 17, 2010 1:28:47 AM
> > Subject: Re: OT - NO (Non-Operational) Question
>
> > On Fri, Dec 17, 2010 at 12:22 AM, Joe Blanchard
> > wrote:
> >
> > > It appears there's really no easy way to determine the origin of a
> > > text sent to a cell...
> > >
> > For shortcodes, Neustar provided a list:
> >
> >
> https://www.usshortcodes.com/csc/directory/directoryList.do?method=showDirectory&group=all
> >
> > For regular cellular numbers, the Wireless Amber Alert site is popular
> > amongst MVNO (e.g. prepaid) users to find out so they can use the
> > email-to-text gateways:
> >
> > http://www.wirelessamberalerts.com/
> >
> > (You don't actually sign up, just enter the number and then it will
> > tell you
> > the carrier.)
> >
> > For landlines/VoIP/etc. Google should be able to tell you at least the
> > city/state. Though it's rare that you will get a text from a landline,
> > it is possible.
>
> I could be wrong, but I think the actual question was "is it realistic
> to assume a text to a cellphone came from the number it *says* it came
> from?" and I think the answer is "no, there are a few ways to spoof it".
>
> Received SMS messages are probably not evidentiary, absent a report from
> the receiving carrier of the message traffic log involved, which would
> itself be hearsay unless someone testified about it.
>
> Cheers,
> -- jra
>
>

From jbfixurpc at gmail.com  Fri Dec 17 01:51:41 2010
From: jbfixurpc at gmail.com (Joe Blanchard)
Date: Fri, 17 Dec 2010 01:51:41 -0600
Subject: OT - NO (Non-Operational) Question
In-Reply-To: <3577943.522.1292570047831.JavaMail.root@benjamin.baylink.com>
References: <3577943.522.1292570047831.JavaMail.root@benjamin.baylink.com>
Message-ID:

Thanks Jay

To add to this, sleepy here but a quick script (linux for you windows guys):

[root at sumless3 jgb]# cat send_text.sh
#!/bin/sh
echo "go"
# Server's IP address
# IP_ADDRESS='some_smtp_relay.com'
mf="mail from:"
rp="rcpt to:"
echo $mf
(sleep 2 ;\
echo "HELO guess.net";\
sleep 2;\
echo $mf " " ;\
echo $rp " <44421211 at tmomail.net>" ;\
# Bogus return addy
sleep 4;\
echo "data";\
sleep 3;\
echo "Subject: Merry Christmas!.. ";\
echo "From: Spammerr";\
echo "To: YOU";\
echo " SPAM SPAM blah blah... - ";\
sleep 2;\
echo ".";\
sleep 1;\
echo "quit";\
sleep 2) | telnet $IP_ADDRESS 25
#| telnet $IP_ADDRESS 25
exit

Seems to put them through, and unless you're the provider's Tier 3-4 support there's nothing you can do... Only a matter of time till something does a count(n) in C or else...

Cheers,
Thanks Andrew!

-Joe

On Fri, Dec 17, 2010 at 1:14 AM, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Andrew Haninger"
> > To: "Joe Blanchard"
> > Cc: nanog at nanog.org
> > Sent: Friday, December 17, 2010 1:28:47 AM
> > Subject: Re: OT - NO (Non-Operational) Question
>
> > On Fri, Dec 17, 2010 at 12:22 AM, Joe Blanchard
> > wrote:
> >
> > > It appears there's really no easy way to determine the origin of a
> > > text sent to a cell...
> > >
> > For shortcodes, Neustar provided a list:
> >
> >
> https://www.usshortcodes.com/csc/directory/directoryList.do?method=showDirectory&group=all
> >
> > For regular cellular numbers, the Wireless Amber Alert site is popular
> > amongst MVNO (e.g. prepaid) users to find out so they can use the
> > email-to-text gateways:
> >
> > http://www.wirelessamberalerts.com/
> >
> > (You don't actually sign up, just enter the number and then it will
> > tell you
> > the carrier.)
> >
> > For landlines/VoIP/etc. Google should be able to tell you at least the
> > city/state. Though it's rare that you will get a text from a landline,
> > it is possible.
>
> I could be wrong, but I think the actual question was "is it realistic
> to assume a text to a cellphone came from the number it *says* it came
> from?" and I think the answer is "no, there are a few ways to spoof it".
>
> Received SMS messages are probably not evidentiary, absent a report from
> the receiving carrier of the message traffic log involved, which would
> itself be hearsay unless someone testified about it.
>
> Cheers,
> -- jra
>
>

From jsw at inconcepts.biz  Fri Dec 17 01:58:40 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Fri, 17 Dec 2010 02:58:40 -0500
Subject: Alacarte Cable and Geeks
In-Reply-To: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Fri, Dec 17, 2010 at 12:26 AM, Jay Ashworth wrote:
> the 80s when that practice got started -- having to account for each
> individual subscriber pushed the complexity up, in much the same way
> that flat rate telecom services are popular equally because customers
> prefer them, and because the *cost of keeping track* becomes >delta.
Having personally and solely designed and written a toll billing system from scratch that directly exchanged billing and settlement data (and end-user data) with hundreds of ILECs, I can tell you a number of things I learned:

1) billing is only as hard as you (or your vendor) make it
2) if your company can't figure out how to bill for a new product or service, blame the billing people, not the product
3) keeping up with taxes and fees consumes a lot more resources than calculating the net bills themselves; so adding products is really trivial compared to dealing with every pissant local government that decides to apply a different taxing method to your HBO (or your telephone calls)

This is not to say the folks that handle billing at cable companies are equally capable, but if they had legitimate competitors, they would figure out how to run many parts of their businesses more efficiently. Imagine if Wal-Mart was the only game in town that had bar code readers at the cash registers, and every other grocery chain had to look up every item and punch in the price to check you out. Other stores would quickly improve their technology or find themselves out of business.

> 2) New networks prefer it, and the fact that it happens makes the
> creation of new cable networks practical -- you don't have to go around
> and sell your idea to people retail; you sell it to CATV systems (well,

My understanding is that networks/media giants like it because they can force cable companies to carry 11 irrelevant channels to get the Disney Channel that your kids want. Would enough people really ask for G4TV to make producing and syndicating shows for that channel cost-effective? I don't know the answer, but my suspicion is that people who really just want CSN, E!, or the Golf Channel are subsidizing G4 viewers. I wanted BBCA a few years ago, but my cable provider required that I buy 30 other channels I did not want or had never even heard of to get BBCA, so I didn't subscribe to it.
I do not know if a la carte channel selection would be good for me, as a consumer, or not. I do think the reasons the industry does not want to offer that to end-users are disingenuous.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From sjs at Princeton.EDU  Fri Dec 17 02:51:21 2010
From: sjs at Princeton.EDU (Steve Schultze)
Date: Fri, 17 Dec 2010 03:51:21 -0500
Subject: Some truth about Comcast - WikiLeaks style
Message-ID: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU>

George Bonser wrote:
> What would any provider think if a city said "sure, you can have access
> to our residents' eyeballs. It will cost you $5 per subscriber per month".
> Would Comcast or anyone go for that?

Dave Temkin wrote:
> These are exactly what Franchise Agreements are for. Yes, cities charge
> MSOs and LECs for access all the time.

I've been lurking on this thread for awhile, but I feel a need to weigh in here. There are some critical distinctions between a city imposing conditions on access to its property and a telecommunications company imposing conditions on access to its network. There are also some important limitations to the cases in which cities can indeed impose any access restrictions, which prompt the question of why parallel policy limitations do not necessarily apply to last-mile companies.

First, the justification for cities requiring things of companies in order to gain access to the local market is grounded in practical and policy considerations. On a very concrete level, putting wires in the ground requires permission from the city for rights-of-way (and such activities have genuine costs for the city). This permission comes in the form of the "Franchise Agreements" that Dave refers to. From a policy perspective, the city has an interest in ensuring that it gets the greatest value for its citizens out of the valuable last-mile concessions it grants to private parties.
Historically, this meant that last-mile rights-of-way were a hook for enforcing customer service requirements, disciplining pricing, ensuring universal service, and supporting diversity of programming and "public access." Negotiating these terms with each municipality was the price that companies had to pay for monopoly access to local markets.

What I think George's comment does not completely appreciate is that (ideally) cities are imposing such requirements at the behest of and for the benefit of the (local) public, whereas private constraints on local access are (by design) motivated by profit.

Now, all of these requirements apply to providers of cable video content under the terms of the Cable Act of 1984 (which created a new Title in the Communications Act). None of them applied to LECs, which traditionally had a blanket permission to build out for their telecommunications services. The exception is for LECs that have started to offer video services. In that case, the same requirements kick in (for the video portion of those services). The exception to THAT is for states in which the LECs have successfully lobbied the state government to give them a blanket license to deploy video services statewide without negotiating locally (Michigan, for example, as opposed to Massachusetts). Whether or not you think such statewide agreements are a good thing tends to be a function of who you represent. In any event, the FCC has also further weakened localities' ability to impose requirements on even the video portion of these services (22 FCC Rcd. 5101 and 22 FCC Rcd. 19633).

Importantly, for the NANOG crowd, none of these local controls applies to the broadband portion of such services. This all goes back to our artificially siloed Communications Act and some decisions made by the FCC almost a decade ago. The 2002 Cable Modem Order said that localities had no power to exercise authority over the broadband portion of such services.
That means that they cannot demand payment for access to rights-of-way for broadband services, but it also means that they cannot impose public interest requirements on the provision of that service... for example that such service be provided universally to all citizens or that access to different types of content be provided on a non-discriminatory basis. The reasoning was that these services were not the video services envisioned in the Cable Act of 1984, but rather broadband services that the FCC was newly classifying as "deregulated." The 2002 Cable Modem Order was in fact the event that precipitated the 2005 "Brand X" Supreme Court decision that cemented the FCC's authority to reclassify last-mile broadband services not as common carriers but rather in a vaguely deregulated service. This helped lead to our modern debate about net neutrality. These jurisdictional turf wars are also at the heart of fights to allow cities to create municipally owned broadband networks that may then be leased on equal terms to all comers. It is also the reason that cities do not have the legal authority to compel "open access" or "non-discrimination" requirements on private networks within their boundaries. Broadband providers have understandably sought to gain near-exclusive control over their customers, and the legal framework helps them to avoid municipal networks and other requirements. Whether or not you believe that the local franchising regime that emerged in the 1980s makes sense for internet access today (not that it applies to broadband anyway), you must at least admit a fundamentally different incentive model compared to that of private companies. Whereas localities must now provide equal access to all companies that wish to do a physical buildout, those companies do not have any locally imposed requirement to provide equal access of use of their networks. 
Regards, Steve From carlosm3011 at gmail.com Fri Dec 17 06:54:40 2010 From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo) Date: Fri, 17 Dec 2010 10:54:40 -0200 Subject: Alacarte Cable and Geeks In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com> Message-ID: I have been trying to get NASA TV in Uruguay for a long time, obviously to no avail. Even though it's probably free / very cheap. I do believe that video over the Internet is about to change the cable business in a very deep and possibly traumatic way. Even though I only have 4 megs DSL at home and almost 250 msec delay to get to Terremark in Miami, my Apple TV plays YouTube reasonably well and I am probably near to the point where I would probably pay for premium content from YouTube or other providers to get over my crappy cable service. Cheers, Carlos On Fri, Dec 17, 2010 at 5:58 AM, Jeff Wheeler wrote: > On Fri, Dec 17, 2010 at 12:26 AM, Jay Ashworth wrote: >> the 80s when that practice got started -- having to account for each >> individual subscriber pushed the complexity up, in much the same way >> that flat rate telecom services are popular equally because customers >> prefer them, and because the *cost of keeping track* becomes >delta.
> > Having personally and solely designed and written a toll billing > system from scratch that directly exchanged billing and settlement > data (and end-user data) with hundreds of ILECs, I can tell you a > number of things I learned: > 1) billing is only as hard as you (or your vendor) make it > 2) if your company can't figure out how to bill for a new product or > service, blame the billing people, not the product > 3) keeping up with taxes and fees consume a lot more resources than > calculating the net bills themselves; so adding products is really > trivial compared to dealing with every pissant local government that > decides to apply a different taxing method to your HBO (or your > telephone calls) > > This is not to say the folks that handle billing at cable companies > are equally capable, but if they had legitimate competitors, they > would figure out how to run many parts of their businesses more > efficiently. Imagine if Wal-Mart was the only game in town that had > bar code readers at the cash registers, and every other grocery chain > had to look up every item and punch in the price to check you out. > Other stores would quickly improve their technology or find themselves > out of business. > >> 2) New networks prefer it, and the fact that it happens makes the >> creation of new cable networks practical -- you don't have to go around >> and sell your idea to people retail; you sell it to CATV systems (well, > > My understanding is that networks/media giants like it because they > can force cable companies to carry 11 irrelevant channels to get the > Disney Channel that your kids want. Would enough people really ask > for G4TV to make producing and syndicating shows for that channel > cost-effective? I don't know the answer, but my suspicion is that > people who really just want CSN, E!, or the Golf Channel are > subsidizing G4 viewers.
I wanted BBCA a few years ago, but my cable > provider required that I buy 30 other channels I did not want or had > never even heard of to get BBCA, so I didn't subscribe to it. > > I do not know if a la carte channel selection would be good for me, as > a consumer, or not. I do think the reasons the industry does not want > to offer that to end-users are disingenuous. > > -- > Jeff S Wheeler > Sr Network Operator / Innovative Network Concepts > > -- -- ========================= Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net ========================= From carlosm3011 at gmail.com Fri Dec 17 07:11:32 2010 From: carlosm3011 at gmail.com (Carlos Martinez-Cagnazzo) Date: Fri, 17 Dec 2010 11:11:32 -0200 Subject: Fwd: Your email message was blocked In-Reply-To: References: Message-ID: I just contributed to the thread called "Cable and Geeks", and (I now realize) included the word "crappy". Then, just like that, my Friday Moment of Fun just happened, like a brilliant ball of light in the sky. I received a bounce from something called rms at bellaliant.ca who rejected my email due to "mild profanity" (sorry, I didn't know people could be so sensitive). Man, I had not had an on-the-job-laugh-out-loud in a long time. I am very tempted to probe the system. Many a question comes to mind, like for example: Does it only worry about profanity in English? I have a dictionary of "bad words" in Spanish, I am resisting the urge to craft a python script and send it word by word to rms at bellaliant.ca. Also mesmerizing is the fact that they will keep my mildly profane email in some storage for five days. Why? If it's blocked, so be it, why keep it? Ahhh don't worry, I won't do it anyways. Notwithstanding the laugh and the fun, these are the times when I lose a bit of faith in mankind. Why are there always people out there pretending to know "what's best for you"? Well, I am clicking "send", I will probably receive another "mild profanity" warning. There it comes...
cheers Carlos ---------- Forwarded message ---------- From: Date: Fri, Dec 17, 2010 at 10:55 AM Subject: Your email message was blocked To: carlosm3011 at gmail.com The following email message was blocked by Bell Aliant Content Filtering Device: From: carlosm3011 at gmail.com To: jeff.gallagher at bellaliant.ca Subject: Re: Alacarte Cable and Geeks Message: B4d0b5da70002.000000000001.0003.mml Because it may contain unacceptable language, or inappropriate material. Please remove any unacceptable or inappropriate language and resend the message. The blocked email will be automatically deleted after 5 days. Content Rule: Policy Management (Inbound) : Block Common & Mild Profanity RMS at BellAliant.ca -------------- next part -------------- From rsk at gsp.org Fri Dec 17 07:26:46 2010 From: rsk at gsp.org (Rich Kulawiec) Date: Fri, 17 Dec 2010 08:26:46 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832836@E2K7MAILBOX1.corp.cableone.net> <20101214212949.GH38726@gerbil.cluepon.net> <11b801cb9bd7$571774a0$05465de0$@net> <20101214223827.GK38726@gerbil.cluepon.net> <20101215233639.GA11457@gsp.org> Message-ID: <20101217132646.GA30568@gsp.org> On Wed, Dec 15, 2010 at 07:14:01PM -0500, Jon Lewis wrote: > On Wed, 15 Dec 2010, Rich Kulawiec wrote: > >That's rich, given the enormous quantity of spam sourced from Comcast's > >network over the last decade. (And yes, it's ongoing: 162 unique sources > >in the last hour noted at one small observation point.) > > Spam is irrelevant. In this context, abuse = sending large amounts > of data to Comcast customers (at their request) without paying at > the Comcast toll booth. Yes, I know; I did read that in context and understand the point the original author was making. I probably should have made that clear. > >Now I realize that SMTP abuse isn't exactly the most bandwidth-chewing > >problem. However, it's a surface indicator of underlying security issues, > >which in this particular case can be summarized as "one heck of a lot > >of zombies". Given that those systems are known-hostile and under the > >control of adversaries, it's certain that they're doing all kinds of > >other things that chew up a lot more bandwidth than the spam does. > > It might even "improve" their ratios if they stopped those zombies > from sending spam, participating in DDoS's, etc.
After all, that's > outgoing traffic, and the less they send, the worse the ratio gets > for networks sending data to Comcast. True enough. But its continued presence, *seven years* after it was well-known to be a serious problem, tells us that Comcast either (a) can't or (b) won't run its network properly. So given this prima facie evidence of either (a) systemic, chronic incompetence or (b) systemic, chronic negligence, I think it's reasonable to wonder how many other aspects of their operation are just as horribly broken, and what the impact of that on their ability to carry steadily-increasing traffic might be. ---rsk From rganascim at gmail.com Fri Dec 17 07:33:41 2010 From: rganascim at gmail.com (Rafael Ganascim) Date: Fri, 17 Dec 2010 11:33:41 -0200 Subject: OSPF convergence - WAN links Message-ID: Hi all, I have a network with a lot of FastEthernet WAN connections (some metro-ethernet), and I am using OSPF as the IGP. Today, the OSPF timers are the defaults (hello 10s, dead 40s, SPF initial timer 5s, etc). When a link comes down, the convergence time takes ~45s (ok, it's right). There are a lot of documents explaining how to tune OSPF convergence time, but on LAN environments. I didn't find any references about this OSPF tuning on WAN ethernet links (just serial, frame-relay, etc) and things related to it (such as packet loss, rtt, 'never loss of carrier', etc). I think that, if the timers are aggressive, any flap on the ISP network can cause a re-convergence... if the timers are high, the convergence time on down links is high too. What factors are you considering when tuning these OSPF timers on this type of link? What 'technologies' are you using (such as Fast Hellos, incremental SPF, etc)?
Thanks, Rafael From jsaxe at briworks.com Fri Dec 17 07:59:26 2010 From: jsaxe at briworks.com (Jeff Saxe) Date: Fri, 17 Dec 2010 05:59:26 -0800 Subject: OSPF convergence - WAN links In-Reply-To: References: Message-ID: If your routers support Bidirectional Forwarding Detection (BFD), then I would suggest using that. It doesn't actually modify the hello timers or any other timers of any protocol; it merely acts as a supplementary protocol running under (or alongside, I guess) the main routing protocol, and its specialty is detecting failure along MAN circuits, virtual circuits, Ethernet VLANs, and other kinds of circuits in which you don't actually see a Link Down when the circuit is interrupted. http://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html The nice thing about BFD is that it's optional on a per-interface and per-peer basis, so you don't have to tune the hellos aggressively for the other 10 peers who are on simple, local, or serial links just to get quicker failure detection for that one guy who's off on a virtual circuit. So in your case, on a Cisco for example, it might be as simple as

interface Gig0/0/2
 bfd interval 800 min_rx 50 multiplier 7
 ip ospf bfd

(You'd have to do this on both sides of the link.) Now when the OSPF neighbor is established, it will also try to establish a back-and-forth-packet BFD session to the same OSPF neighbor, and if it does successfully establish it, then it will keep sending packets every 800 milliseconds. If the BFD packets then stop coming for 800ms*7=5.6 seconds, BFD will inform OSPF that the neighbor is down, even if OSPF hasn't "naturally" discovered that yet. Use "show bfd neighbors" to see whether it's working. You can tune BFD very aggressively if you want... 50ms intervals and multiplier of maybe 5 or 3 I think, so you can make a failure occur in 250ms or less, if the application is that sensitive.
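A worked version of the detection-time arithmetic in Jeff's reply, added here as an example and not code from his post or from any vendor: it applies the RFC 5880 negotiation rule (each side declares the peer down after the peer's multiplier times the negotiated transmit interval, so mismatched timer sets give asymmetric detection) and compares the result with the OSPF defaults Rafael quoted. The router names and the asymmetric timer sets are constructed for illustration.

```python
"""BFD failure-detection time as negotiated under RFC 5880, worked for the
timers discussed in this thread.  Added example, not code from the posts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdPeer:
    """Timer parameters one router advertises, in milliseconds.

    On IOS these map to 'bfd interval <tx> min_rx <rx> multiplier <n>'.
    """
    name: str
    desired_min_tx: int   # Desired Min TX Interval  ('interval')
    required_min_rx: int  # Required Min RX Interval ('min_rx')
    detect_mult: int      # Detection Multiplier     ('multiplier')


def negotiated_tx_interval(sender: BfdPeer, receiver: BfdPeer) -> int:
    """Interval at which `sender` actually transmits control packets to `receiver`.

    RFC 5880 6.8.7: a system sends no faster than its own Desired Min TX and no
    faster than the peer's Required Min RX, so the larger of the two wins.
    """
    return max(sender.desired_min_tx, receiver.required_min_rx)


def detection_time(local: BfdPeer, remote: BfdPeer) -> int:
    """Milliseconds of silence after which `local` declares `remote` down.

    RFC 5880 6.8.4: the remote's Detect Mult times the interval at which the
    remote has agreed to send towards us.  Note the asymmetry: each side's
    detection time depends on the *other* side's multiplier and TX interval.
    """
    return remote.detect_mult * negotiated_tx_interval(remote, local)


def failover_estimate(local: BfdPeer, remote: BfdPeer,
                      ospf_dead_ms: int = 40_000,
                      spf_delay_ms: int = 5_000) -> dict:
    """Compare BFD detection against the OSPF dead timer on a link where no
    carrier loss is ever seen (metro Ethernet, VLAN, virtual circuit).

    Defaults are the IOS OSPF defaults quoted in the thread: dead 40 s, SPF
    initial delay 5 s.  Without BFD, loss of the neighbour is only noticed by
    the dead timer, so reconvergence is roughly dead + SPF delay (~45 s).
    """
    bfd_ms = detection_time(local, remote)
    effective_ms = min(bfd_ms, ospf_dead_ms)
    return {
        "bfd_detect_ms": bfd_ms,
        "effective_detect_ms": effective_ms,
        "reconverge_ms": effective_ms + spf_delay_ms,
        "without_bfd_ms": ospf_dead_ms + spf_delay_ms,
        # A BFD detection time at or above the dead interval buys nothing.
        "bfd_faster_than_ospf": bfd_ms < ospf_dead_ms,
    }


if __name__ == "__main__":
    # Both ends configured as in the thread: interval 800 min_rx 50 multiplier 7
    a = BfdPeer("rtr-a", 800, 50, 7)
    b = BfdPeer("rtr-b", 800, 50, 7)
    print(failover_estimate(a, b))          # bfd_detect_ms 5600, reconverge 10600
    # One end tuned aggressively, the other left alone: detection is asymmetric.
    fast = BfdPeer("rtr-fast", 50, 50, 3)
    print(detection_time(fast, b), detection_time(b, fast))   # 5600 150
```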
In my experience it works great and does exactly what it's designed for. I use it for BGP peers within my AS and with some customers. -- Jeff Saxe Blue Ridge InternetWorks Charlottesville, VA ________________________________________ From: Rafael Ganascim [rganascim at gmail.com] Sent: Friday, December 17, 2010 8:33 AM To: nanog at nanog.org Subject: OSPF convergence - WAN links Hi all, I have a network with a lot of FastEthernet WAN connections (some metro-ethernet), and I am using OSPF as the IGP. Today, the OSPF timers are the defaults (hello 10s, dead 40s, SPF initial timer 5s, etc). When a link comes down, the convergence time takes ~45s (ok, it's right). There are a lot of documents explaining how to tune OSPF convergence time, but on LAN environments. I didn't find any references about this OSPF tuning on WAN ethernet links (just serial, frame-relay, etc) and things related to it (such as packet loss, rtt, 'never loss of carrier', etc). I think that, if the timers are aggressive, any flap on the ISP network can cause a re-convergence... if the timers are high, the convergence time on down links is high too. What factors are you considering when tuning these OSPF timers on this type of link? What 'technologies' are you using (such as Fast Hellos, incremental SPF, etc)? Thanks, Rafael From bill at kruchas.com Fri Dec 17 07:46:35 2010 From: bill at kruchas.com (bill at kruchas.com) Date: Fri, 17 Dec 2010 06:46:35 -0700 Subject: off topic "Help" Message-ID: <20101217064635.5f1e402cf2b8f2f1e57b153880067f5a.71e1d984fd.wbe@email10.secureserver.net> Hello, I have a misconfigured postfix installation that I inherited. Does anybody know of anyone who would consider reconfiguring/fixing it. It seems that all mail presented to it appears to be from "localhost"; when I reject unauthorized destinations, it rejects all mail. Thanks in advance.
Bill Kruchas From ops.lists at gmail.com Fri Dec 17 08:34:34 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 17 Dec 2010 20:04:34 +0530 Subject: off topic "Help" In-Reply-To: <20101217064635.5f1e402cf2b8f2f1e57b153880067f5a.71e1d984fd.wbe@email10.secureserver.net> References: <20101217064635.5f1e402cf2b8f2f1e57b153880067f5a.71e1d984fd.wbe@email10.secureserver.net> Message-ID: That's not postfix as such - you probably have a proxy of some sort (or a non-transparent hardware NAT / port forwarder) in front. The postfix FAQ should fix that for you. On Fri, Dec 17, 2010 at 7:16 PM, wrote: > Hello, > > I have a misconfigured postfix installation that I inherited. Does > anybody know of anyone who would consider reconfiguring/fixing it. > > It seems that all mail presented to it appears to be from > "localhost"; when I reject unauthorized destinations, it rejects all > mail. > > Thanks in advance. > > Bill Kruchas > -- Suresh Ramasubramanian (ops.lists at gmail.com) From jcdill.lists at gmail.com Fri Dec 17 09:12:30 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Fri, 17 Dec 2010 07:12:30 -0800 Subject: Alacarte Cable and Geeks In-Reply-To: References: <96CA80CDCD822B4F9B41FB3A109C9359A3E6832E6C@E2K7MAILBOX1.corp.cableone.net> <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com> Message-ID: <4D0B7DDE.8090207@gmail.com> On 17/12/10 4:54 AM, Carlos Martinez-Cagnazzo wrote: > I do believe that video over the Internet is about to change the cable > business in a very deep and possibly traumatic way. +1 It's clear that this is a major driving factor in the Comcast/L3/Netflix peering/transit issue. Comcast is obviously looking for ways to fill the looming hole in their revenue chart as consumers turn off Cable and get their TV/video entertainment delivered via the internet.
jc From jbates at brightok.net Fri Dec 17 09:36:31 2010 From: jbates at brightok.net (Jack Bates) Date: Fri, 17 Dec 2010 09:36:31 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <4D0B837F.8070408@brightok.net> On 12/17/2010 2:51 AM, Steve Schultze wrote: > Negotiating > these terms with each municipality was the price that companies had to > pay for monopoly access to local markets. I've seen it apply to CLEC access into a market as well; running as a true CLEC and not just borrowing LEC lines. Deals can include anything, including profit sharing, free service to the municipality, etc (and can be very bad if your negotiator is poor). Jack From jbates at brightok.net Fri Dec 17 09:41:25 2010 From: jbates at brightok.net (Jack Bates) Date: Fri, 17 Dec 2010 09:41:25 -0600 Subject: Fwd: Your email message was blocked In-Reply-To: References: Message-ID: <4D0B84A5.4050905@brightok.net> On 12/17/2010 7:11 AM, Carlos Martinez-Cagnazzo wrote: > Notwithstanding the laugh and the fun, these are the times when I lose > a bit of faith in mankind. Why are there always people out there > pretending to know "what's best for you"? The keep for 5 days often means that they have a quarantine release for the recipient. It is also very possible that they have rule selection options on a recipient basis, which is not "what is best for you" but "you chose this". I'm not saying it is the case here, but there is a high probability, as their customers would scream otherwise. Exceptions are if it's corporate mail, but I'm not sure that is the corp mail server.
Jack From ljakab at ac.upc.edu Fri Dec 17 09:57:58 2010 From: ljakab at ac.upc.edu (Loránd Jakab) Date: Fri, 17 Dec 2010 16:57:58 +0100 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute Message-ID: <4D0B8886.5030809@ac.upc.edu> Since it is Friday, maybe some of the peering experts have some time to speculate what this new approach proposed by Comcast might be, as they assert it would represent "a significant shift of Internet infrastructure." http://www.lightreading.com/document.asp?doc_id=202121 http://blog.comcast.com/2010/12/comcast-continues-discussions-with-level-3----offers-to-trial-new-solutions.html Well, their previous proposal was already representing quite a significant shift, and not in a good way, but I wonder what the new offer could be so that they figured it would be more acceptable to Level 3. I hope due to the speculative nature of the question it will not be considered off-topic. -Lorand Jakab From gbonser at seven.com Fri Dec 17 10:40:44 2010 From: gbonser at seven.com (George Bonser) Date: Fri, 17 Dec 2010 08:40:44 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> > What I think George's > comment > does not completely appreciate is that (ideally) cities are imposing > such requirements at the behest of and for the benefit of the (local) > public, whereas private constraints on local access are (by design) > motivated by profit. I wasn't really talking about franchise agreements as those are different and in many cases stipulate things like there can be no monopoly, etc. What I was talking about was what if a city simply decided to charge an Internet provider an "access fee" to the city's people. An "eyeball fee".
The city says, "hey, you are making millions selling ads that these people view and the more eyeballs you have the more money you make, so we are going to charge you for those eyeballs". Which is basically what Comcast is doing ... charging content networks for access to eyeballs. What if they themselves got charged for the same thing. Would they think that is "fair"? And what if the city had its own community high speed internet that paid no such charge? > > Regards, > Steve Thanks, Steve. From davet1 at gmail.com Fri Dec 17 10:46:22 2010 From: davet1 at gmail.com (Dave Temkin) Date: Fri, 17 Dec 2010 08:46:22 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> Message-ID: <4D0B93DE.7020201@gmail.com> George Bonser wrote: >> What I think George's >> comment >> does not completely appreciate is that (ideally) cities are imposing >> such requirements at the behest of and for the benefit of the (local) >> public, whereas private constraints on local access are (by design) >> motivated by profit. >> > > I wasn't really talking about franchise agreements as those are > different and in many cases stipulate things like there can be no > monopoly, etc. > > What I was talking about was what if a city simply decided to charge an > Internet provider an "access fee" to the city's people. An "eyeball > fee". The city says, "hey, you are making millions selling ads that > these people view and the more eyeballs you have the more money you > make, so we are going to charge you for those eyeballs". Which is > basically what Comcast is doing ... charging content networks for access > to eyeballs. What if they themselves got charged for the same thing. > Would they think that is "fair"? 
And what if the city had its own > community high speed internet that paid no such charge? > > > > They do already. It's called HBO, Showtime, HDNet Sports, etc. - they get charged per eyeball for those networks, and so they pass the charge on per eyeball to the customer. Nothing is new here. From gbonser at seven.com Fri Dec 17 10:56:19 2010 From: gbonser at seven.com (George Bonser) Date: Fri, 17 Dec 2010 08:56:19 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0B93DE.7020201@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> > They do already. It's called HBO, Showtime, HDNet Sports, etc. - they > get charged per eyeball for those networks, and so they pass the charge > on per eyeball to the customer. > > Nothing is new here. The municipality charges the cable company per HBO subscriber? From sjs at Princeton.EDU Fri Dec 17 11:07:13 2010 From: sjs at Princeton.EDU (Steve Schultze) Date: Fri, 17 Dec 2010 12:07:13 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0B93DE.7020201@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> Message-ID: On Dec 17, 2010, at 11:46 AM, Dave Temkin wrote: > George Bonser wrote: >>> What I think George's >>> comment >>> does not completely appreciate is that (ideally) cities are imposing >>> such requirements at the behest of and for the benefit of the (local) >>> public, whereas private constraints on local access are (by design) >>> motivated by profit. >>> >> >> I wasn't really talking about franchise agreements as those are >> different and in many cases stipulate things like there can be no >> monopoly, etc. 
>> >> What I was talking about was what if a city simply decided to charge an >> Internet provider an "access fee" to the city's people. An "eyeball >> fee". The city says, "hey, you are making millions selling ads that >> these people view and the more eyeballs you have the more money you >> make, so we are going to charge you for those eyeballs". Which is >> basically what Comcast is doing ... charging content networks for access >> to eyeballs. What if they themselves got charged for the same thing. >> Would they think that is "fair"? And what if the city had its own >> community high speed internet that paid no such charge? >> > > They do already. It's called HBO, Showtime, HDNet Sports, etc. - they get charged per eyeball for those networks, and so they pass the charge on per eyeball to the customer. > > Nothing is new here. Sure, the content providers charge Comcast per eyeball, but localities do not. Part of nearly every franchise agreement is a percentage of gross revenue from video services that is paid to the city. In recent years the FCC has capped this at 5% and subsequently introduced further constraints on what counts and how it is collected. Cities typically use these funds to support public resources related to video (public, educational, and governmental video channels, equipment, and networks). However, I think they have the freedom to use it to fill potholes if they so choose. None of this implicates the revenues from broadband service, because the 2002 Cable Modem Order removed those from the purview of localities. What about bundled "triple-play" style services? This is a mess, and I believe someone has to arbitrate what the percentages are. What about people playing video over their internet connection? Not included. As you can see, if the regulatory dichotomy between video and broadband services ever made sense, it clearly doesn't today. 
George's concern about a last-mile provider competing with municipal broadband parallels the most common argument made against such efforts: Although private companies do not have to pay any local fees that municipal broadband does not have to pay, the companies argue that municipal efforts have the unfair advantage of being built on taxpayer support and existing outside of the competitive marketplace. Of course if the "competitive marketplace" is a natural near-monopoly, these arguments are less compelling. From davet1 at gmail.com Fri Dec 17 11:08:36 2010 From: davet1 at gmail.com (Dave Temkin) Date: Fri, 17 Dec 2010 09:08:36 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> Message-ID: <4D0B9914.5080705@gmail.com> George Bonser wrote: >> They do already. It's called HBO, Showtime, HDNet Sports, etc. - >> > they > >> get charged per eyeball for those networks, and so they pass the >> > charge > >> on per eyeball to the customer. >> >> Nothing is new here. >> > > The municipality charges the cable company per HBO subscriber? > > > The municipality gets a cut of that in a profit sharing agreement. The point was, everyone gets their tax or toll along the way. 
-Dave From sjs at Princeton.EDU Fri Dec 17 11:08:51 2010 From: sjs at Princeton.EDU (Steve Schultze) Date: Fri, 17 Dec 2010 12:08:51 -0500 Subject: Level 3 petitions FCC for conditions on Comcast/NBCU merger Message-ID: <3D916F85-3862-417E-AE38-B153277452E5@Princeton.EDU> http://fjallfoss.fcc.gov/ecfs/comment/view?id=6016064625 From bensons at queuefull.net Fri Dec 17 11:15:14 2010 From: bensons at queuefull.net (Benson Schliesser) Date: Fri, 17 Dec 2010 11:15:14 -0600 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: <4D0B8886.5030809@ac.upc.edu> References: <4D0B8886.5030809@ac.upc.edu> Message-ID: On Dec 17, 2010, at 9:57 AM, Loránd Jakab wrote: > Since it is Friday, maybe some of peering experts have some time to > speculate what this new approach proposed by Comcast might be, as they > assert it would represent "a significant shift of Internet infrastructure." > > http://www.lightreading.com/document.asp?doc_id=202121 > http://blog.comcast.com/2010/12/comcast-continues-discussions-with-level-3----offers-to-trial-new-solutions.html I have no direct knowledge of the situation, but my guess: I suspect the proposal was along the lines of longest-path / best-exit routing by Level(3). In other words, if L(3) carries the traffic (most of the way) to the customer, then Comcast has no complaint--the costs can be more fairly distributed. The "modest investment" is probably in tools to evaluate traffic and routing metrics, to make this work. This isn't really *new* to the peering community, but it isn't normal either. If anybody knows for sure, I'd be interested to hear. 
Cheers, -Benson From jgreco at ns.sol.net Fri Dec 17 11:23:55 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Fri, 17 Dec 2010 11:23:55 -0600 (CST) Subject: "potential new and different architectural approach" to solve the In-Reply-To: Message-ID: <201012171723.oBHHNt0l034446@aurora.sol.net> > On Dec 17, 2010, at 9:57 AM, Loránd Jakab wrote: > > Since it is Friday, maybe some of peering experts have some time to > > speculate what this new approach proposed by Comcast might be, as they > > assert it would represent "a significant shift of Internet infrastructure." > > > > http://www.lightreading.com/document.asp?doc_id=202121 > > http://blog.comcast.com/2010/12/comcast-continues-discussions-with-level-3----offers-to-trial-new-solutions.html > > I have no direct knowledge of the situation, but my guess: I suspect the proposal was along the lines of longest-path / best-exit routing by Level(3). In other words, if L(3) carries the traffic (most of the way) to the customer, then Comcast has no complaint--the costs can be more fairly distributed. The "modest investment" is probably in tools to evaluate traffic and routing metrics, to make this work. This isn't really *new* to the peering community, but it isn't normal either. > > If anybody knows for sure, I'd be interested to hear. How effective have variations on hot potato routing been, historically? I seem to recall Cogent made lots of noises early on about how they could do hot potato routing to encourage peering, but over the years that didn't seem to pan out that way. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. 
From bensons at queuefull.net Fri Dec 17 11:28:09 2010 From: bensons at queuefull.net (Benson Schliesser) Date: Fri, 17 Dec 2010 11:28:09 -0600 Subject: "potential new and different architectural approach" to solve the In-Reply-To: <201012171723.oBHHNt0l034446@aurora.sol.net> References: <201012171723.oBHHNt0l034446@aurora.sol.net> Message-ID: <678C170D-C506-4361-9EFC-D3137D73C342@queuefull.net> On Dec 17, 2010, at 11:23 AM, Joe Greco wrote: > How effective have variations on hot potato routing been, historically? > I seem to recall Cogent made lots of noises early on about how they > could do hot potato routing to encourage peering, but over the years > that didn't seem to pan out that way. I can't comment on Cogent... But, in general: hot-potato reduces network costs but doesn't eliminate them--more capacity is still required to carry more traffic. The goal is to balance out the cost, assuming the traffic is of adequate value (or equal value, ideally) to both networks. Cheers, -Benson From jsw at inconcepts.biz Fri Dec 17 11:35:07 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Fri, 17 Dec 2010 12:35:07 -0500 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: References: <4D0B8886.5030809@ac.upc.edu> Message-ID: On Fri, Dec 17, 2010 at 12:15 PM, Benson Schliesser wrote: > I have no direct knowledge of the situation, but my guess: I suspect the proposal was along the lines of longest-path / best-exit routing by Level(3). In other words, if L(3) carries the traffic (most of the way) to the customer, then Comcast has no complaint--the costs can be more fairly distributed. The "modest investment" is probably in tools to evaluate traffic and routing metrics, to make this work. This isn't really *new* to the peering community, but it isn't normal either. 
That is a reasonable guess, but Level3's FCC filing yesterday spells out with certainty that Level3 did offer to "cold potato" traffic onto Comcast (it does not mention the technical means e.g. MED honoring, CDN smarts, or otherwise) and that Comcast refused. I agree that the proposed Comcast solution may not be truly "new" but instead unusual, but unless "Backdoor Santa" tells us what they really have in mind, I suppose we won't know. If I were Comcast, I would want to move the significant cost of detailed netflow collection and analysis infrastructure onto backbone providers by wrapping that accounting mechanism up into my settlement agreements with peers, as well as the expense of a cost-ineffective network, and demand that Level3 and Comcast really calculate how much each network spends on each bit, and share in that cost. In theory, this is what happens when an ILEC opens a rate case with its state regulator; and it is how settlements for POTS calls work (at a very basic level.) Actually, if I were Comcast, I would focus on running my business more efficiently, as Level3 has thrown down the gauntlet with the FCC and requested that the FCC dictate to Comcast specifically, and explicitly all other broadband access providers, how they will interconnect with peers and transit suppliers. Level3 must think that their business would be better off with regulatory oversight of peering, or they would not have taken this action. Comcast should realize that, of the three potential motives for their recent actions I have previously outlined, #1 and #3 are not just highly unlikely, but would be practically impossible in a regulated environment. As such, they should further realize that their peering committee is driven by motive #2, ego, and find the best way to change their position without losing too much credibility. -- Jeff S Wheeler Sr Network Operator / 
Innovative Network Concepts From ras at e-gerbil.net Fri Dec 17 11:48:25 2010 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Fri, 17 Dec 2010 11:48:25 -0600 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: References: <4D0B8886.5030809@ac.upc.edu> Message-ID: <20101217174824.GL38726@gerbil.cluepon.net> On Fri, Dec 17, 2010 at 11:15:14AM -0600, Benson Schliesser wrote: > > I have no direct knowledge of the situation, but my guess: I suspect > the proposal was along the lines of longest-path / best-exit routing > by Level(3). In other words, if L(3) carries the traffic (most of the > way) to the customer, then Comcast has no complaint--the costs can be > more fairly distributed. The "modest investment" is probably in tools > to evaluate traffic and routing metrics, to make this work. This > isn't really *new* to the peering community, but it isn't normal > either. Nah, you're still thinking about this like it was a classic peering dispute over ratios, when nothing could be further from the truth. First off, by the very nature of a CDN, all of the Netflix/etc traffic is going to be delivered to the best exit on the long-haul network already. Second, Comcast is a FULL TRANSIT CUSTOMER of Level 3. Typically the customer gets to dictate the handoff point to the provider, by either advertising MEDs, or by sending inconsistent routes. The fact that the existing Level3/Comcast routing DOESN'T make Level 3 haul all of the bits to the best exit mean it's highly likely that Comcast agreeing to haul the bits was part of their commercial transit agreement, probably in exchange for lower transit prices. 
-- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From gbonser at seven.com Fri Dec 17 11:51:02 2010 From: gbonser at seven.com (George Bonser) Date: Fri, 17 Dec 2010 09:51:02 -0800 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: References: <4D0B8886.5030809@ac.upc.edu> Message-ID: <5A6D953473350C4B9995546AFE9939EE0B14CFF3@RWC-EX1.corp.seven.com> > Level3 must think that their business > would be better off with regulatory oversight of peering, or they > would not have taken this action. Comcast should realize that, of the > three potential motives for their recent actions I have previously > outlined, #1 and #3 are not just highly unlikely, but would be > practically impossible in a regulated environment. As such, they > should further realize that their peering committee is driven by > motive #2, ego, and find the best way to change their position without > losing too much credibility. > > -- > Jeff S Wheeler > Sr Network Operator / Innovative Network Concepts Or maybe Level(3) thinks the entire game could potentially change and are attempting to head that off at the pass. What if instead of the end users paying for Internet service, the content providers did. Sort of like broadcast TV where the broadcasters pay the freight and the user simply turns on their device and they get content. In that model, the providers of the traffic pay the delivery costs of the content. So you would have "consumer" access that is mainly paid for by the content providers and "business" access which would be paid by the end users but would have less "consumer" traffic such as Netflix, Hulu, Facebook, Twitter, etc. If you look at the revenues being reported by some of these content providers, someone might be looking at those numbers saying "why *shouldn't* they pay? 
They are making money from the end users via ad sales just like broadcasters do, why shouldn't the model be the same?". I am not making any statement of my opinion, simply looking at a possibility. If there were such a sea change, Level3 now being a major content provider might find its long range plans have had a wrench thrown in them. From bensons at queuefull.net Fri Dec 17 12:11:26 2010 From: bensons at queuefull.net (Benson Schliesser) Date: Fri, 17 Dec 2010 12:11:26 -0600 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: References: <4D0B8886.5030809@ac.upc.edu> Message-ID: On Dec 17, 2010, at 11:35 AM, Jeff Wheeler wrote: > ... Level3 must think that their business > would be better off with regulatory oversight of peering, or they > would not have taken this action. And they might be correct in thinking that, if we assume the peering ecosystem is changing i.e. such that traditional "backbones" are being bypassed. Regulatory oversight might have the effect of locking-in today's interconnect regime, which would be ideal for Level(3). Cheers, -Benson From jra at baylink.com Fri Dec 17 12:17:16 2010 From: jra at baylink.com (Jay Ashworth) Date: Fri, 17 Dec 2010 13:17:16 -0500 (EST) Subject: Alacarte Cable and Geeks In-Reply-To: <4D0B7DDE.8090207@gmail.com> Message-ID: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com> ---- Original Message ----- > From: "JC Dill" > On 17/12/10 4:54 AM, Carlos Martinez-Cagnazzo wrote: > > I do believe that video over the Internet is about to change the > > cable business in a very deep and possibly traumatic way. > > +1 > > It's clear that this is a major driving factor in the Comcast/L3/Netflix > peering/transit issue. Comcast is obviously looking for ways to fill > the looming hole in their revenue chart as consumers turn off Cable > and get their TV/video entertainment delivered via the internet. 
The more I look at this, the more it looks like "pharmaceuticals bought from Canada are cheaper than ones purchased in America -- and they will be *just as long* as only a minority of Americans buy them there. As soon as *everyone* in America is buying their drugs cross-border, the prices will go right back up to what they were paying here." This is what's gonna happen with Comcast, too; if their customers drop CATV, then they're going to have to raise their prices -- and the cable networks themselves will have *no* way to collect revenue; the cable systems being their collection agent network. This Can't End Well. Cheers, -- jra From cscora at apnic.net Fri Dec 17 12:26:08 2010 From: cscora at apnic.net (Routing Analysis Role Account) Date: Sat, 18 Dec 2010 04:26:08 +1000 (EST) Subject: Weekly Routing Table Report Message-ID: <201012171826.oBHIQ8lB004071@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.
Routing Table Report 04:00 +10GMT Sat 18 Dec, 2010 Report Website: http://thyme.rand.apnic.net Detailed Analysis: http://thyme.rand.apnic.net/current/ Analysis Summary ---------------- BGP routing table entries examined: 338766 Prefixes after maximum aggregation: 153020 Deaggregation factor: 2.21 Unique aggregates announced to Internet: 166625 Total ASes present in the Internet Routing Table: 35498 Prefixes per ASN: 9.54 Origin-only ASes present in the Internet Routing Table: 30573 Origin ASes announcing only one prefix: 14921 Transit ASes present in the Internet Routing Table: 4925 Transit-only ASes present in the Internet Routing Table: 119 Average AS path length visible in the Internet Routing Table: 4.3 Max AS path length visible: 31 Max AS path prepend of ASN (36992) 29 Prefixes from unregistered ASNs in the Routing Table: 325 Unregistered ASNs in the Routing Table: 127 Number of 32-bit ASNs allocated by the RIRs: 960 Prefixes from 32-bit ASNs in the Routing Table: 4 Special use prefixes present in the Routing Table: 0 Prefixes being announced from unallocated address space: 191 Number of addresses announced to Internet: 2341188448 Equivalent to 139 /8s, 139 /16s and 179 /24s Percentage of available address space announced: 63.2 Percentage of allocated address space announced: 65.2 Percentage of available address space allocated: 96.8 Percentage of address space in use by end-sites: 86.7 Total number of prefixes smaller than registry allocations: 139416 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 83366 Total APNIC prefixes after maximum aggregation: 28387 APNIC Deaggregation factor: 2.94 Prefixes being announced from the APNIC address blocks: 80309 Unique aggregates announced from the APNIC address blocks: 34993 APNIC Region origin ASes present in the Internet Routing Table: 4272 APNIC Prefixes per ASN: 18.80 APNIC Region origin ASes announcing only one prefix: 1204 APNIC Region transit ASes 
present in the Internet Routing Table: 693 Average APNIC Region AS path length visible: 4.4 Max APNIC Region AS path length visible: 20 Number of APNIC addresses announced to Internet: 575398688 Equivalent to 34 /8s, 75 /16s and 227 /24s Percentage of available APNIC address space announced: 77.9 APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079 55296-56319, 131072-132095 APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8, ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 136919 Total ARIN prefixes after maximum aggregation: 69999 ARIN Deaggregation factor: 1.96 Prefixes being announced from the ARIN address blocks: 108053 Unique aggregates announced from the ARIN address blocks: 43916 ARIN Region origin ASes present in the Internet Routing Table: 14079 ARIN Prefixes per ASN: 7.67 ARIN Region origin ASes announcing only one prefix: 5392 ARIN Region transit ASes present in the Internet Routing Table: 1489 Average ARIN Region AS path length visible: 4.0 Max ARIN Region AS path length visible: 23 Number of ARIN addresses announced to Internet: 743817600 Equivalent to 44 /8s, 85 /16s and 193 /24s Percentage of available ARIN address space announced: 62.4 ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959, 46080-47103 53248-55295, 393216-394239 ARIN Address Blocks 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 
18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 47/8, 48/8, 50/8, 52/8, 54/8, 55/8, 56/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 107/8, 108/8, 173/8, 174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8, RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 79524 Total RIPE prefixes after maximum aggregation: 45494 RIPE Deaggregation factor: 1.75 Prefixes being announced from the RIPE address blocks: 73010 Unique aggregates announced from the RIPE address blocks: 47168 RIPE Region origin ASes present in the Internet Routing Table: 15132 RIPE Prefixes per ASN: 4.82 RIPE Region origin ASes announcing only one prefix: 7752 RIPE Region transit ASes present in the Internet Routing Table: 2342 Average RIPE Region AS path length visible: 4.5 Max RIPE Region AS path length visible: 30 Number of RIPE addresses announced to Internet: 451844992 Equivalent to 26 /8s, 238 /16s and 155 /24s Percentage of available RIPE address space announced: 74.8 RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-45055, 47104-52223, 196608-197631 RIPE Address Blocks 2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 176/8, 178/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8, LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 30995 Total LACNIC prefixes after maximum aggregation: 7106 LACNIC Deaggregation factor: 4.36 Prefixes being announced from the LACNIC address blocks: 29743 Unique aggregates announced from the 
LACNIC address blocks: 15445 LACNIC Region origin ASes present in the Internet Routing Table: 1404 LACNIC Prefixes per ASN: 21.18 LACNIC Region origin ASes announcing only one prefix: 436 LACNIC Region transit ASes present in the Internet Routing Table: 252 Average LACNIC Region AS path length visible: 4.4 Max LACNIC Region AS path length visible: 19 Number of LACNIC addresses announced to Internet: 78639552 Equivalent to 4 /8s, 175 /16s and 241 /24s Percentage of available LACNIC address space announced: 58.6 LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers LACNIC Address Blocks 177/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8, AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 7724 Total AfriNIC prefixes after maximum aggregation: 1916 AfriNIC Deaggregation factor: 4.03 Prefixes being announced from the AfriNIC address blocks: 6024 Unique aggregates announced from the AfriNIC address blocks: 1777 AfriNIC Region origin ASes present in the Internet Routing Table: 430 AfriNIC Prefixes per ASN: 14.01 AfriNIC Region origin ASes announcing only one prefix: 137 AfriNIC Region transit ASes present in the Internet Routing Table: 93 Average AfriNIC Region AS path length visible: 5.3 Max AfriNIC Region AS path length visible: 31 Number of AfriNIC addresses announced to Internet: 21619712 Equivalent to 1 /8s, 73 /16s and 228 /24s Percentage of available AfriNIC address space announced: 43.0 AfriNIC AS Blocks 36864-37887, 327680-328703 & ERX transfers AfriNIC Address Blocks 41/8, 105/8, 197/8, APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4766 1867 9453 519 Korea Telecom (KIX) 7545 1558 299 76 TPG Internet Pty Ltd 4755 1406 651 138 TATA Communications formerly 17974 1342 459 28 PT TELEKOMUNIKASI INDONESIA 24560 1042 312 175 Bharti Airtel Ltd., Telemedia 9583 1041 76 488 Sify Limited 4808 996 
1717 273 CNCGROUP IP network: China169 17488 954 157 111 Hathway IP Over Cable Interne 18101 909 116 139 Reliance Infocom Ltd Internet 9829 823 696 31 BSNL National Internet Backbo Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3734 3872 270 bellsouth.net, inc. 4323 2641 1077 399 Time Warner Telecom 19262 1836 4873 283 Verizon Global Networks 1785 1788 697 132 PaeTec Communications, Inc. 20115 1514 1531 640 Charter Communications 6478 1437 290 52 AT&T Worldnet Services 7018 1361 5652 872 AT&T WorldNet Services 2386 1313 570 933 AT&T Data Communications Serv 11492 1271 233 75 Cable One 22773 1257 2864 74 Cox Communications, Inc. Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 6830 503 1763 310 UPC Distribution Services 3292 443 2010 386 TDC Tele Danmark 34984 440 96 133 BILISIM TELEKOM 8866 439 133 23 Bulgarian Telecommunication C 9121 435 1690 29 TTnet Autonomous System 9198 417 202 13 Kazakhtelecom Data Network Ad 8551 402 353 46 Bezeq International 702 397 1864 311 UUNET - Commercial IP service 12479 393 577 6 Uni2 Autonomous System 3320 392 7609 344 Deutsche Telekom AG Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 1347 2617 363 UniNet S.A. de C.V. 10620 1343 250 154 TVCABLE BOGOTA 28573 1225 933 79 NET Servicos de Comunicao S.A 6503 1187 355 80 AVANTEL, S.A. 7303 832 441 109 Telecom Argentina Stet-France 14420 584 49 88 CORPORACION NACIONAL DE TELEC 22047 565 310 15 VTR PUNTO NET S.A. 
3816 494 216 101 Empresa Nacional de Telecomun 7738 478 922 30 Telecomunicacoes da Bahia S.A 14117 452 32 30 Telefonica del Sur S.A. Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 8452 1125 445 10 TEDATA 24863 746 147 39 LINKdotNET AS number 36992 658 276 158 Etisalat MISR 3741 263 986 225 The Internet Solution 24835 217 78 10 RAYA Telecom - Egypt 6713 203 199 12 Itissalat Al-MAGHRIB 29571 199 19 11 Ci Telecom Autonomous system 2018 196 277 64 Tertiary Education Network 33776 184 12 14 Starcomms Nigeria Limited 16637 161 440 88 MTN Network Solutions Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC Global Per AS prefix count summary ---------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3734 3872 270 bellsouth.net, inc. 4323 2641 1077 399 Time Warner Telecom 4766 1867 9453 519 Korea Telecom (KIX) 19262 1836 4873 283 Verizon Global Networks 1785 1788 697 132 PaeTec Communications, Inc. 7545 1558 299 76 TPG Internet Pty Ltd 20115 1514 1531 640 Charter Communications 6478 1437 290 52 AT&T Worldnet Services 4755 1406 651 138 TATA Communications formerly 7018 1361 5652 872 AT&T WorldNet Services Complete listing at http://thyme.rand.apnic.net/current/data-ASnet Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 4323 2641 2242 Time Warner Telecom 1785 1788 1656 PaeTec Communications, Inc. 
19262 1836 1553 Verizon Global Networks 7545 1558 1482 TPG Internet Pty Ltd 6478 1437 1385 AT&T Worldnet Services 4766 1867 1348 Korea Telecom (KIX) 17974 1342 1314 PT TELEKOMUNIKASI INDONESIA 4755 1406 1268 TATA Communications formerly 11492 1271 1196 Cable One 10620 1343 1189 TVCABLE BOGOTA Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 16927 UNALLOCATED 12.0.252.0/23 7018 AT&T WorldNet Servic 15132 UNALLOCATED 12.9.150.0/24 7018 AT&T WorldNet Servic 32567 UNALLOCATED 12.14.170.0/24 4323 Time Warner Telecom 13746 UNALLOCATED 12.24.56.0/24 7018 AT&T WorldNet Servic 32567 UNALLOCATED 12.25.107.0/24 4323 Time Warner Telecom 26973 UNALLOCATED 12.39.152.0/24 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.154.0/23 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.155.0/24 7018 AT&T WorldNet Servic 26973 UNALLOCATED 12.39.159.0/24 7018 AT&T WorldNet Servic 25639 UNALLOCATED 12.41.169.0/24 7018 AT&T WorldNet Servic Complete listing at http://thyme.rand.apnic.net/current/data-badAS Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 5.0.0.0/16 12654 RIPE NCC RIS Project 5.1.0.0/21 12654 RIPE NCC RIS Project 5.1.24.0/24 12654 RIPE NCC RIS Project 24.129.192.0/19 7922 Continental Cablevision 37.0.0.0/16 12654 RIPE NCC RIS Project 37.1.0.0/21 12654 RIPE NCC RIS Project 37.1.24.0/24 12654 RIPE NCC RIS Project 41.222.79.0/24 36938 >>UNKNOWN<< 41.223.92.0/22 36936 >>UNKNOWN<< 46.211.0.0/16 15895 Kyivstar GSM Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:20 /9:10 /10:25 /11:70 /12:212 /13:431 /14:753 /15:1346 /16:11410 /17:5526 /18:9208 /19:18676 /20:23969 /21:24284 /22:31827 /23:30881 /24:177306 /25:991 
/26:1065  /27:579   /28:155   /29:12    /30:2     /31:0     /32:8

Advertised prefixes smaller than registry allocations
-----------------------------------------------------
ASN     No of nets  Total ann.  Description
 6389   2306        3734        bellsouth.net, inc.
 4323   1429        2641        Time Warner Telecom
 6478   1394        1437        AT&T Worldnet Services
10620   1235        1343        TVCABLE BOGOTA
11492   1226        1271        Cable One
18566   1076        1095        Covad Communications
 7011   1071        1174        Citizens Utilities
 1785   1062        1788        PaeTec Communications, Inc.
 8452   1021        1125        TEDATA
 6503    972        1187        AVANTEL, S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------
1:140 2:11 4:13 5:1 8:317 12:2034 13:6 14:94 15:17 16:3
17:8 20:9 24:1447 27:491 32:61 33:5 34:2 36:1 37:1 38:714
40:102 41:2716 42:1 44:3 46:387 47:4 49:73 50:27 52:12 55:3
56:2 57:29 58:858 59:502 60:393 61:1105 62:1047 63:1941 64:3718 65:2322
66:4082 67:1757 68:991 69:2815 70:714 71:389 72:1946 73:1 74:2283 75:289
76:319 77:852 78:746 79:434 80:1042 81:786 82:516 83:444 84:631 85:1053
86:514 87:708 88:406 89:1586 90:143 91:3342 92:473 93:1010 94:1129 95:698
96:409 97:247 98:709 99:33 101:3 107:2 108:77 109:813 110:474 111:671
112:309 113:321 114:478 115:639 116:890 117:655 118:608 119:1014 120:199 121:725
122:1570 123:1025 124:1232 125:1211 128:230 129:153 130:170 131:564 132:234 133:20
134:206 135:50 136:212 137:148 138:290 139:109 140:481 141:197 142:352 143:358
144:480 145:52 146:424 147:190 148:629 149:327 150:150 151:230 152:297 153:172
154:3 155:372 156:166 157:338 158:126 159:369 160:315 161:198 162:276 163:164
164:434 165:334 166:470 167:417 168:738 169:151 170:726 171:67 172:2 173:1142
174:475 175:264 176:1 177:2 178:654 180:726 182:467 183:241 184:190 186:839
187:773 188:889 189:1041 190:4225 192:5781 193:4795 194:3474 195:2888 196:1191 197:1
198:3535 199:3682 200:5543 201:1581 202:8252 203:8380 204:4048 205:2331 206:2522 207:2971
208:3857 209:3486 210:2559 211:1314 212:1887
213:1705 214:744 215:62 216:4791 217:1622 218:524 219:386 220:1175 221:443 222:342
223:81

End of report

From jlewis at lewis.org Fri Dec 17 12:27:44 2010
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 17 Dec 2010 13:27:44 -0500 (EST)
Subject: Alacarte Cable and Geeks
In-Reply-To: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
References: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Fri, 17 Dec 2010, Jay Ashworth wrote:

> The more I look at this, the more it looks like "pharmaceuticals bought
> from Canada are cheaper than ones purchased in America -- and they will be
> *just as long* as only a minority of Americans buy them there. As soon as
> *everyone* in America is buying their drugs cross-border, the prices will
> go right back up to what they were paying here."
>
> This is what's gonna happen with Comcast, too; if their customers drop
> CATV, then they're going to have to raise their prices -- and the cable
> networks themselves will have *no* way to collect revenue; the cable
> systems being their collection agent network.
>
> This Can't End Well.

Why not? As people shift from watching broadcast channels to streaming content and look to shut off their cable TV service, but keep internet, the cable co's are just going to have to raise internet prices to compensate. I can see a future where you buy internet from the cable co and they give you the basic cable TV channel lineup at "no charge" but in reality, you're paying for the cable internet what you used to pay for both cable internet and TV.

The people I see this being a problem for are HBO/Showtime/Stars etc. unless they can hop on with the streaming providers or make that move themselves.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From lowen at pari.edu Fri Dec 17 12:45:52 2010
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 17 Dec 2010 13:45:52 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFF3@RWC-EX1.corp.seven.com>
References: <4D0B8886.5030809@ac.upc.edu>
Message-ID: <201012171345.52854.lowen@pari.edu>

On Friday, December 17, 2010 12:51:02 pm George Bonser wrote:
> What if instead of the end users paying for Internet service, the content providers did.

I've been following these threads with some interest, and even replying in a couple of places, but now it hits me that a sea change has already occurred, and it's the whole content provider / end user *thing* versus the original 'a host is a host is a host' IP *thing*.

But content providers already pay more for their 'service' than the typical asymmetric-towards-the-customer bandwidth user does.

From lowen at pari.edu Fri Dec 17 12:54:58 2010
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 17 Dec 2010 13:54:58 -0500
Subject: Alacarte Cable and Geeks
In-Reply-To:
References: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
Message-ID: <201012171354.58769.lowen@pari.edu>

On Friday, December 17, 2010 01:27:44 pm Jon Lewis wrote:
> On Fri, 17 Dec 2010, Jay Ashworth wrote:
> > and the cable
> > networks themselves will have *no* way to collect revenue;

> The people I see this being a problem for are
> HBO/Showtime/Stars etc.

HBO, et al == the cable networks themselves.
From drais at icantclick.org Fri Dec 17 12:59:03 2010
From: drais at icantclick.org (david raistrick)
Date: Fri, 17 Dec 2010 13:59:03 -0500 (EST)
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0B14CFF3@RWC-EX1.corp.seven.com>
References: <4D0B8886.5030809@ac.upc.edu> <5A6D953473350C4B9995546AFE9939EE0B14CFF3@RWC-EX1.corp.seven.com>
Message-ID:

On Fri, 17 Dec 2010, George Bonser wrote:

> What if instead of the end users paying for Internet service, the
> content providers did. Sort of like broadcast TV where the broadcasters

Um.

I'm a content provider.

I pay a -lot- for internet service already. That's how my bits and bytes arrive in the tubes for those end users to receive...

--
david raistrick            http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org        http://www.expita.com/nomime.html

From jeroen at mompl.net Fri Dec 17 13:18:08 2010
From: jeroen at mompl.net (Jeroen van Aart)
Date: Fri, 17 Dec 2010 11:18:08 -0800
Subject: Alacarte Cable and Geeks
In-Reply-To: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
References: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com>
Message-ID: <4D0BB770.2010602@mompl.net>

Jay Ashworth wrote:
> individual subscriber pushed the complexity up, in much the same way
> that flat rate telecom services are popular equally because customers
> prefer them, and because the *cost of keeping track* becomes >delta.

Can someone then please explain to me why the hell in many other countries flatrate telecom service (I refer to flatrate local calls) does not exist or has been phased out. In the Netherlands they phased it out in the mid to late 80s. I am sure the then government owned telecom rats saw increased revenue coming real soon now due to increased modem usage. (still pissed at ridiculously and unnecessarily high phonebills...)
It seems to me that at least in that case the cost of keeping track was far less than the increased revenue that metered (if that's the right word) local calls would provide.

Regards,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html

From jsw at inconcepts.biz Fri Dec 17 13:19:14 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Fri, 17 Dec 2010 14:19:14 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <20101217174824.GL38726@gerbil.cluepon.net>
References: <4D0B8886.5030809@ac.upc.edu> <20101217174824.GL38726@gerbil.cluepon.net>
Message-ID:

On Fri, Dec 17, 2010 at 12:48 PM, Richard A Steenbergen wrote:
> advertising MEDs, or by sending inconsistent routes. The fact that the
> existing Level3/Comcast routing DOESN'T make Level 3 haul all of the
> bits to the best exit mean it's highly likely that Comcast agreeing to
> haul the bits was part of their commercial transit agreement, probably
> in exchange for lower transit prices.

It's worth asking why Comcast did not accept Level3's suggestion that they use MED as a face-saving maneuver, which would have allowed both sides to declare victory.

A) Comcast may already have the contractual right to use MED but chooses not to. I agree with you that this is unlikely, not for pure reasons of economics, but because Comcast has some of the same set of motives not to send MED to their transit provider as every other network: prefix aggregation, quality control, and ego. I'll discount geography, marketing, and inability to calculate useful MED values. For argument's sake, let's say they currently can start sending MEDs to Level3 whenever they want.
This being the case, Level3's "offer" would have amounted to Level3 telling Comcast upper management that Comcast's engineering people are leaving a huge amount of money on the table, that Level3 is far more cost-effective at running its long-haul network than Comcast, and that they should leave the big networking to the big boys. Comcast management could either react badly to this, or go back to their network folks and ask why they can't be as cost-effective as Level3.

B) Comcast may not be able to use MED today. In this case, management may be asking themselves why. An essentially similar scenario can play out; they can either react badly to Level3, or ask their own staff why they are wasting money.

C) Comcast doesn't care about MED or the actual cost of doing business. They are boldly moving towards a future that is opposite the one "net neutrality" folks advocate, one that looks like my "Comcast Motive #3."

D) Comcast does not think that beginning to use MED (whether currently enabled or not) is enough to satisfy the federal regulators and legislators who are now taking interest in this game of interconnection brinkmanship, involving 17 million households, between a major IP carrier delivering traffic from everyone including a household name like Netflix, and a major cable company that is waiting for government approval to purchase NBC. They feel they must demand something very concrete to demonstrate that they are looking out for consumers' best interest, which means they must make Level3 and/or Netflix look like the bad guy.

E) Comcast thinks that a system of accounting for the cost of bearing traffic and dividing it among the involved parties will actually be good for their business, because they can over-build their infrastructure as much as they like, perhaps even improving quality for end-users, and only have to pay for about half of it. The cost of being inefficient, stupid, or committing purchasing or forecasting errors drops by half.
This looks very much like my "Comcast Motive #1."

E1) Comcast may also know a thing or two about Hollywood Accounting. If you do not understand this reference, simply look it up on Wikipedia. It suffices to say that cost/revenue sharing agreements of this nature can be manipulated in gross ways to the advantage of the party doing the bulk of the book-keeping.

F) Management has the same case of ego-driven decision-making that their technical staff have demonstrated. I find this unlikely but still possible. We all know this has been the case at the CEO level in some major interconnection disputes of the past.

I believe this outlines the reasonable scenarios for Comcast avoiding a face-saving maneuver with Level3.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From tme at americafree.tv Fri Dec 17 13:20:20 2010
From: tme at americafree.tv (Marshall Eubanks)
Date: Fri, 17 Dec 2010 14:20:20 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To:
References: <4D0B8886.5030809@ac.upc.edu> <5A6D953473350C4B9995546AFE9939EE0B14CFF3@RWC-EX1.corp.seven.com>
Message-ID:

On Dec 17, 2010, at 1:59 PM, david raistrick wrote:

> On Fri, 17 Dec 2010, George Bonser wrote:
>
>> What if instead of the end users paying for Internet service, the content providers did. Sort of like broadcast TV where the broadcasters
>
> Um.
>
> I'm a content provider.
>
> I pay a -lot- for internet service already. That's how my bits and bytes arrive in the tubes for those end users to recieve...
>
>

+1 from here.
Regards
Marshall Eubanks
AmericaFree.TV

>
> --
> david raistrick            http://www.netmeister.org/news/learn2quote.html
> drais at icantclick.org        http://www.expita.com/nomime.html
>
>
>

From tim.h at bendtel.com Fri Dec 17 14:07:00 2010
From: tim.h at bendtel.com (Tim Howe)
Date: Fri, 17 Dec 2010 12:07:00 -0800
Subject: Comcast routes seen from the cheap seats
Message-ID: <20101217120700.03ebfbaa@spook.bendtel.com>

I apologize in advance if this information is uninteresting. Since there was talk about Comcast I thought I might share what I have been looking at for the last couple weeks with how I see Comcast route announcements from my network.

On November 22nd (early morning US/Pacific time) we noticed a significant increase in traffic over our backup transit connection.

Looking at the traffic, I found it was mostly to Comcast. The announced prefixes from Comcast on our backup were more specific (smaller prefix length) than those from our main link. So x.x/16 from our main link might be x.x/16 but also x.x.m/17 and x.x.z/17 from our backup.

This probably isn't too strange. It's a pretty effective way to control inbound traffic. What I don't recall ever seeing is using different source AS numbers for the more specific prefixes.

The routes kind of all end up looking like this for a given network:

x.x/16    from source-as foo on main    AS path ends with foo

x.x/16    from source-as foo on backup  AS path ends with foo

x.x.m/17  from source-as bar on backup  AS path ends with foo bar
x.x.z/17  from source-as bar on backup  AS path ends with foo bar

foo is AS7922 in every case. bar is any one of at least 24 AS numbers assigned to Comcast, many of which are in sequential blocks (they don't look like customer reassignments to me, in other words) and combine to advertise all of Comcast in smaller prefixes (or so it seems).

I didn't see any advertisements from the "bar" AS numbers on our main link (well VERY few, and they were redundant).
That single point of data would be pretty easy to filter (by design?) which would leave you with the more equitable distribution comprised of something like the first two routes above.

Maybe this isn't that weird; I don't usually look this closely at it. The built-in, single data point is handy... Well, single point per network; I tested a single filter rule with all 24 AS #'s I found.

--
TimH

From ttauber at 1-4-5.net Fri Dec 17 14:40:56 2010
From: ttauber at 1-4-5.net (Tony Tauber)
Date: Fri, 17 Dec 2010 15:40:56 -0500
Subject: Comcast routes seen from the cheap seats
In-Reply-To: <20101217120700.03ebfbaa@spook.bendtel.com>
References: <20101217120700.03ebfbaa@spook.bendtel.com>
Message-ID:

This is part of normal cleaning up of more-specifics (lessening our routing table footprint).

Apologies for any downstream effects.

Please feel free to contact me if there's a problem you're seeing and need help with.

Thanks,

Tony (speaking on behalf of AS7922)

On Fri, Dec 17, 2010 at 3:07 PM, Tim Howe wrote:

> I apologize in advance if this information is uninteresting. Since
> there was talk about Comcast I thought I might share what I have been
> looking at for the last couple weeks with how I see Comcast route
> announcements from my network.
>
> On November 22nd (early morning US/Pacific time) we noticed a
> significant increase in traffic over our backup transit connection.
>
> Looking at the traffic, I found it was mostly to Comcast. The announced
> prefixes from Comcast on our backup were more specific (smaller prefix
> length) than those from our main link. So x.x/16 from our main link
> might be x.x/16 but also x.x.m/17 and x.x.z/17 from our backup.
>
> This probably isn't too strange. It's a pretty effective way to
> control inbound traffic. What I don't recall ever seeing is using
> different source AS numbers for the more specific prefixes.
>
> The routes kind of all end up looking like this for a given network:
>
> x.x/16    from source-as foo on main    AS path ends with foo
>
> x.x/16    from source-as foo on backup  AS path ends with foo
>
> x.x.m/17  from source-as bar on backup  AS path ends with foo bar
> x.x.z/17  from source-as bar on backup  AS path ends with foo bar
>
> foo is AS7922 in every case. bar is any one of at least 24 AS
> numbers assigned to Comcast, many of which are in sequential blocks
> (they don't look like customer reassignments to me, in other words) and
> combine to advertise all of Comcast in smaller prefixes (or so it
> seems).
>
> I didn't see any advertisements from the "bar" AS numbers on
> our main link (well VERY few, and they were redundant). That single
> point of data would be pretty easy to filter (by design?) which would
> leave you with the more equitable distribution comprised of something
> like the first two routes above.
>
> Maybe this isn't that weird; I don't usually look this closely
> at it. The built-in, single data point is handy... Well, single point
> per network; I tested a single filter rule with all 24 AS #'s I found.
>
> --
> TimH
>
>

From sjs at princeton.edu Fri Dec 17 14:42:06 2010
From: sjs at princeton.edu (Steve Schultze)
Date: Fri, 17 Dec 2010 15:42:06 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To:
References: <4D0B8886.5030809@ac.upc.edu>
Message-ID: <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu>

On Dec 17, 2010, at 12:35 PM, Jeff Wheeler wrote:

> On Fri, Dec 17, 2010 at 12:15 PM, Benson Schliesser wrote:
>> I have no direct knowledge of the situation, but my guess: I suspect the proposal was along the lines of longest-path / best-exit routing by Level(3). In other words, if L(3) carries the traffic (most of the way) to the customer, then Comcast has no complaint--the costs can be more fairly distributed.
>> The "modest investment" is probably in tools to evaluate traffic and routing metrics, to make this work. This isn't really *new* to the peering community, but it isn't normal either.
>
> That is a reasonable guess, but Level3's FCC filing yesterday spells
> out with certainty that Level3 did offer to "cold potato" traffic onto
> Comcast (it does not mention the technical means e.g. MED honoring,
> CDN smarts, or otherwise) and that Comcast refused.
> [...]

Comcast's latest:
http://fjallfoss.fcc.gov/ecfs/comment/view?id=6016064677

From john at sackheads.org Fri Dec 17 15:06:45 2010
From: john at sackheads.org (John Payne)
Date: Fri, 17 Dec 2010 16:06:45 -0500
Subject: Bogons
Message-ID:

With the holiday freezes approaching, it might be worth making sure that the recently allocated /8s are not in your bogon list....

23/8
100/8
5/8
37/8

Just sayin'

From cidr-report at potaroo.net Fri Dec 17 16:00:02 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 17 Dec 2010 22:00:02 GMT
Subject: BGP Update Report
Message-ID: <201012172200.oBHM02DU030041@wattle.apnic.net>

BGP Update Report
Interval: 09-Dec-10 -to- 16-Dec-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds    %    Upds/Pfx  AS-Name
 1 -  AS17974   48255  2.9%      54.5 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
 2 -  AS8452    33167  2.0%      20.2 -- TE-AS TE-AS
 3 -  AS24863   30418  1.8%      30.0 -- LINKdotNET-AS
 4 -  AS4538    24132  1.4%       4.6 -- ERX-CERNET-BKB China Education and Research Network Center
 5 -  AS32528   22609  1.3%    3768.2 -- ROSS-LABS - ROSS PRODUCTS DIVISION
 6 -  AS1916    15731  0.9%     253.7 -- Rede Nacional de Ensino e Pesquisa
 7 -  AS27064   13996  0.8%      37.8 -- DNIC-ASBLK-27032-27159 - DoD Network Information Center
 8 -  AS35931   13793  0.8%    4597.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 9 -  AS28573   11635  0.7%      16.4 -- NET Servicos de Comunicao S.A.
10 -  AS1785    11074  0.7%       9.3 -- AS-PAETEC-NET - PaeTec Communications, Inc.
11 -  AS9829    10826  0.6%      18.7 -- BSNL-NIB National Internet Backbone
12 -  AS9498    10304  0.6%      29.2 -- BBIL-AP BHARTI Airtel Ltd.
13 -  AS31148   10015  0.6%      30.3 -- FREENET-AS FreeNet ISP
14 -  AS10113    9931  0.6%     115.5 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
15 -  AS7552     9349  0.6%      16.1 -- VIETEL-AS-AP Vietel Corporation
16 -  AS3816     9334  0.6%      23.3 -- COLOMBIA TELECOMUNICACIONES S.A. ESP
17 -  AS7011     8784  0.5%       7.5 -- FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
18 -  AS27947    8626  0.5%      36.6 -- Telconet S.A
19 -  AS17488    8562  0.5%       7.7 -- HATHWAY-NET-AP Hathway IP Over Cable Internet
20 -  AS6316     8511  0.5%      95.6 -- AS-PAETEC-NET - PaeTec Communications, Inc.

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds    %    Upds/Pfx  AS-Name
 1 -  AS35931   13793  0.8%    4597.7 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 2 -  AS32528   22609  1.3%    3768.2 -- ROSS-LABS - ROSS PRODUCTS DIVISION
 3 -  AS49600    2264  0.1%    2264.0 --
 4 -  AS28175    2644  0.2%    1322.0 --
 5 -  AS34239    1106  0.1%    1106.0 -- INTERAMERICAN General Insurance Company
 6 -  AS15984     989  0.1%     989.0 -- The Joint-Stock Commercial Bank CentroCredit.
 7 -  AS19347     960  0.1%     960.0 -- INDYMACBANK - IndyMacBank
 8 -  AS43534    2333  0.1%     777.7 --
 9 -  AS3         713  0.0%     134.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology
10 -  AS17874     680  0.0%     680.0 -- NPC-AS-KR National Pension Corporation
11 -  AS12190    6142  0.4%     511.8 -- OOCL-NET - OOCL (USA), Inc.
12 -  AS190      3069  0.2%     511.5 -- NSYPTSMH-POE-AS - Navy Network Information Center (NNIC)
13 -  AS44025     455  0.0%     455.0 --
14 -  AS46167     445  0.0%     445.0 -- LANDSERVICESUSA - Land Services USA, Inc
15 -  AS37025     421  0.0%     421.0 -- BANKPHB
16 -  AS21017    4125  0.2%     412.5 -- VSI-AS VSI AS
17 -  AS31966    1513  0.1%     378.2 -- CSAA - CSAA
18 -  AS13168     364  0.0%     364.0 --
19 -  AS39200     358  0.0%     358.0 --
20 -  AS49571    4124  0.2%     343.7 --

TOP 20 Unstable Prefixes
Rank  Prefix            Upds    %    Origin AS -- AS Name
 1 -  130.36.35.0/24    11300  0.6%  AS32528 -- ROSS-LABS - ROSS PRODUCTS DIVISION
 2 -  130.36.34.0/24    11299  0.6%  AS32528 -- ROSS-LABS - ROSS PRODUCTS DIVISION
 3 -  202.182.78.0/23    9676  0.5%  AS10113 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
 4 -  202.92.235.0/24    8889  0.5%  AS9498  -- BBIL-AP BHARTI Airtel Ltd.
 5 -  63.211.68.0/22     8670  0.5%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 6 -  216.126.136.0/22   7975  0.4%  AS6316  -- AS-PAETEC-NET - PaeTec Communications, Inc.
 7 -  190.65.228.0/22    6066  0.3%  AS3816  -- COLOMBIA TELECOMUNICACIONES S.A. ESP
 8 -  198.140.43.0/24    5092  0.3%  AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 9 -  189.1.173.0/24     4853  0.3%  AS28666 -- HOSTLOCATION LTDA
10 -  208.54.82.0/24     4510  0.2%  AS701   -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
11 -  68.65.152.0/22     3507  0.2%  AS11915 -- TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC
12 -  206.184.16.0/24    3467  0.2%  AS174   -- COGENT Cogent/PSI
13 -  189.85.51.0/24     2642  0.1%  AS28175 --
14 -  212.215.128.0/18   2550  0.1%  AS25019 -- SAUDINETSTC-AS Autonomus System Number for SaudiNet
                                     AS8866  -- BTC-AS Bulgarian Telecommunication Company Plc.
15 -  192.122.247.0/24   2474  0.1%  AS2828  -- XO-AS15 - XO Communications
16 -  192.122.246.0/24   2470  0.1%  AS2828  -- XO-AS15 - XO Communications
17 -  144.243.215.0/24   2274  0.1%  AS22773 -- ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
                                     AS4323  -- TWTC - tw telecom holdings, inc.
18 -  213.170.59.0/24    2264  0.1%  AS49600 --
19 -  91.197.95.0/24     2262  0.1%  AS43534 --
20 -  95.32.128.0/18     1982  0.1%  AS21017 -- VSI-AS VSI AS

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Dec 17 16:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 17 Dec 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201012172200.oBHM005q029983@wattle.apnic.net>

This report has been generated at Fri Dec 17 21:11:44 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        10-12-10    338660      208206
        11-12-10    338800      207920
        12-12-10    338619      207908
        13-12-10    338585      207984
        14-12-10    338814      207984
        15-12-10    338758      207506
        16-12-10    339240      208029
        17-12-10    339290      208204

AS Summary
         36270  Number of ASes in routing system
         15444  Number of ASes announcing only one prefix
          3733  Largest number of prefixes announced by an AS
                AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
     105846528  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 17Dec10 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     339436   208249   131187    38.6%   All ASes

AS6389      3733      589     3144    84.2%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323      2629      673     1956    74.4%   TWTC - tw telecom holdings, inc.
AS19262     1835      418     1417    77.2%   VZGNI-TRANSIT - Verizon Online LLC
AS4766      1744      641     1103    63.2%   KIXS-AS-KR Korea Telecom
AS6503      1187      290      897    75.6%   Axtel, S.A.B. de C.V.
AS28573     1221      327      894    73.2%   NET Servicos de Comunicao S.A.
AS10620     1319      452      867    65.7%   Telmex Colombia S.A.
AS4755      1406      554      852    60.6%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7545      1559      722      837    53.7%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS18101      907      149      758    83.6%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS8151      1356      680      676    49.9%   Uninet S.A. de C.V.
AS8452      1105      430      675    61.1%   TE-AS TE-AS
AS24560     1042      380      662    63.5%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS17488      954      301      653    68.4%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS4808       951      325      626    65.8%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS6478      1437      815      622    43.3%   ATT-INTERNET3 - AT&T Services, Inc.
AS17676      642       67      575    89.6%   GIGAINFRA Softbank BB Corp.
AS855        628       55      573    91.2%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS7303       833      264      569    68.3%   Telecom Argentina S.A.
AS11492     1271      713      558    43.9%   CABLEONE - CABLE ONE, INC.
AS22773     1257      703      554    44.1%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS22047      565       31      534    94.5%   VTR BANDA ANCHA S.A.
AS7552       625      117      508    81.3%   VIETEL-AS-AP Vietel Corporation
AS9443       571       75      496    86.9%   INTERNETPRIMUS-AS-AP Primus Telecommunications
AS4804       571       77      494    86.5%   MPX-AS Microplex PTY LTD
AS14420      584       91      493    84.4%   CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
AS7011      1174      683      491    41.8%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS36992      658      190      468    71.1%   ETISALAT-MISR
AS1785      1791     1325      466    26.0%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS7738       478       39      439    91.8%   Telecomunicacoes da Bahia S.A.
Total      36033    12176    23857    66.2%   Top 30 total

Possible Bogus Routes

        5.0.0.0/16          AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        5.1.0.0/21          AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        5.1.24.0/24         AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        24.129.192.0/19     AS7922  COMCAST-7922 - Comcast Cable Communications, Inc.
        37.0.0.0/16         AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        37.1.0.0/21         AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        37.1.24.0/24        AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project
        41.222.79.0/24      AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
        41.223.92.0/22      AS36936 CELTEL-GABON Celtel Gabon Internet Service
        46.211.0.0/16       AS15895 KSNET-AS Kyivstar GSM
        46.248.32.0/19      AS30783 RSD Rased Maral Ava Jonoob JSC
        62.61.220.0/24      AS24974 TACHYON-EU Tachyon Europe BV
        62.61.221.0/24      AS24974 TACHYON-EU Tachyon Europe BV
        64.21.192.0/20      AS11610 INETNEBR-1 - Internet Nebraska Corporation
        64.21.212.0/22      AS11610 INETNEBR-1 - Internet Nebraska Corporation
        64.21.216.0/21      AS11610 INETNEBR-1 - Internet Nebraska Corporation
        66.180.239.0/24     AS35888 VIGNETTE - VIGNETTE CORPORATION
        66.206.32.0/24      AS17787 PSEB-AS-PK Pakistan Software Export Board
        66.206.33.0/24      AS17787 PSEB-AS-PK Pakistan Software Export Board
        66.206.34.0/24      AS17787 PSEB-AS-PK Pakistan Software Export Board
        66.206.35.0/24      AS17787 PSEB-AS-PK Pakistan Software Export Board
        66.206.47.0/24      AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited
        66.207.32.0/20      AS23011
        66.245.176.0/20     AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
        69.6.80.0/24        AS13442
        69.6.81.0/24        AS13442
        71.19.134.0/23      AS3313  INET-AS I.NET S.p.A.
        72.22.32.0/19       AS33150
        72.22.61.0/24       AS33150
        72.22.62.0/24       AS33150
        76.77.32.0/19       AS2828  XO-AS15 - XO Communications
        80.88.10.0/24       AS33774 DJAWEB
        80.88.12.0/24       AS33779 wataniya-telecom-as
        96.45.161.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.162.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.163.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.164.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.165.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.166.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.167.0/24      AS3257  TINET-BACKBONE Tinet SpA
        96.45.168.0/21      AS3257  TINET-BACKBONE Tinet SpA
        105.0.0.0/8         AS237   MERIT-AS-14 - Merit Network Inc.
        110.34.44.0/22      AS12653 COMTONET KB Impuls Hellas
        110.173.64.0/19     AS37963 CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd.
        115.42.0.0/24       AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
        115.42.5.0/24       AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
        115.42.6.0/24       AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
        115.42.11.0/24      AS24541 FORTYFIVERU-AS-AU 45RU Pty Ltd. Internet Service Provider, Perth, Western Australia.
        115.42.28.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.30.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.31.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.40.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.42.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.43.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.44.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.47.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.48.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.49.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.50.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.51.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.52.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.53.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.54.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.55.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.56.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.57.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.58.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.59.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.61.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.62.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        115.42.63.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        116.68.136.0/21     AS28045 Pantel Communications
        117.120.56.0/21     AS4755  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
        121.46.0.0/16       AS4134  CHINANET-BACKBONE No.31,Jin-rong Street
        121.50.168.0/21     AS9931  CAT-AP The Communication Authoity of Thailand, CAT
        121.200.192.0/24    AS17767
        122.200.32.0/20     AS7018  ATT-INTERNET4 - AT&T Services, Inc.
        122.200.40.0/21     AS38272
        142.54.0.0/19       AS23498 CDSI - Cogeco Data Services Inc.
        158.222.70.0/23     AS6137  SISNA - SISNA, Inc.
        158.222.72.0/23     AS6137  SISNA - SISNA, Inc.
        158.222.224.0/20    AS19864 O1COMM - O1 COMMUNICATIONS
        158.222.224.0/22    AS19864 O1COMM - O1 COMMUNICATIONS
        158.222.229.0/24    AS19864 O1COMM - O1 COMMUNICATIONS
        172.12.0.0/18       AS28665 PredialNet Provedor de Internet Ltda.
176.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 190.102.32.0/20 AS30058 FDCSERVERS - FDCservers.net 192.9.0.0/16 AS11479 BRM-SUN-AS - Sun Microsystems, Inc 192.64.85.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.69.108.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.101.46.0/24 AS6503 Axtel, S.A.B. de C.V. 192.101.64.0/21 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.70.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.71.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.72.0/24 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.74.0/24 AS1239 SPRINTLINK - Sprint 192.124.252.0/22 AS680 DFN-IP service G-WiN 192.131.233.0/24 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 192.154.32.0/19 AS81 NCREN - MCNC 192.154.64.0/19 AS81 NCREN - MCNC 192.188.208.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 196.2.224.0/22 AS24863 LINKdotNET-AS 196.6.108.0/24 AS5713 SAIX-NET 196.13.201.0/24 AS2018 TENET-1 196.13.202.0/24 AS2018 TENET-1 196.13.203.0/24 AS2018 TENET-1 196.13.204.0/24 AS2018 TENET-1 196.110.105.0/24 AS8513 SKYVISION SkyVision Network Services 196.202.224.0/21 AS8818 TELE Greenland Autonomous System 198.1.2.0/24 AS4761 INDOSAT-INP-AP INDOSAT Internet Network Provider 198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc. 198.73.210.0/24 AS21570 ACI-1 - Accelerated Connections Inc. 
198.74.38.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.39.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.40.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.97.72.0/21 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 198.97.96.0/19 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 198.97.240.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 198.99.241.0/24 AS11797 AC-NIELSEN-AS AC NIELSEN 198.161.87.0/24 AS6539 GT-BELL - Bell Canada 198.163.214.0/24 AS21804 ACCESS-SK - Access Communications Co-operative Limited 198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc. 198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 198.169.0.0/16 AS803 SASKTEL - Saskatchewan Telecommunications 198.180.198.0/24 AS23715 SEOUL-INTGW-GXS-AP Global Exchange Services 198.182.235.0/24 AS3356 LEVEL3 Level 3 Communications 199.16.32.0/19 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 199.121.0.0/16 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 199.123.16.0/20 AS27064 DNIC-ASBLK-27032-27159 - DoD Network Information Center 199.185.130.0/23 AS19662 UNISERVE-ONLINE - Uniserve On Line 199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 199.202.216.0/21 AS577 BACOM - Bell Canada 199.233.92.0/24 AS26896 D102-ITC - Data 102, LLC 199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business 200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC. 200.24.73.0/24 AS26061 Equant Colombia 200.24.78.0/26 AS3549 GBLX Global Crossing Ltd. 200.24.78.64/26 AS3549 GBLX Global Crossing Ltd. 
202.9.55.0/24 AS2764 AAPT AAPT Limited 202.9.57.0/24 AS2764 AAPT AAPT Limited 202.38.63.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.58.113.0/24 AS19161 202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company 202.66.128.0/18 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/19 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.176.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.184.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.186.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.188.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.189.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.190.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.73.144.0/20 AS4788 TMNET-AS-AP TM Net, Internet Service Provider 202.86.252.0/22 AS4748 RESOLINK-AS-AP Resources Link Network Limited 202.86.252.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.133.37.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.133.73.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.150.227.0/24 AS17727 NAPINFO-AS-AP PT. NAP Info Lintas Nusa 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd. 
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.76.161.0/24 AS45465 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.114.0/24 AS4802 ASN-IINET iiNet Limited 203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd. 203.142.219.0/24 AS45149 203.175.107.0/24 AS45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 204.10.232.0/21 AS33150 204.19.14.0/23 AS577 BACOM - Bell Canada 204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc. 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. 
d/b/a Verizon Business 205.189.134.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 205.207.148.0/23 AS812 ROGERS-CABLE - Rogers Cable Communications Inc. 205.210.145.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 206.72.192.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.72.194.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.123.129.0/24 AS10790 INREACH-AS - InReach Internet 206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.188.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.189.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.190.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.191.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 208.64.200.0/22 AS11730 CIL-ASN - Circle Internet LTD 208.64.240.0/21 AS13871 TELEBYTE-NW - Telebyte NW 208.73.160.0/24 AS32767 208.78.165.0/24 AS16565 208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC 208.83.54.0/24 AS23485 SEI-LLC-AS-NUM - SEI LLC 208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc. 208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc. 
209.54.123.0/24 AS6062 NETPLEX - NETPLEX 209.105.224.0/19 AS20074 209.141.0.0/20 AS12124 THORN - Thorn Communications 209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED 216.10.235.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.10.236.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.21.196.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.201.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.202.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.206.0/23 AS12251 INVISION - Invision.com, Inc. 216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc. 216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc. Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From shacolby at bluejeansnet.com Fri Dec 17 16:10:28 2010 From: shacolby at bluejeansnet.com (Shacolby Jackson) Date: Fri, 17 Dec 2010 14:10:28 -0800 Subject: OT: used / refurb voip phones? Message-ID: A little off topic but anyone have any recommendations for vendors selling used voip handsets, especially Polycom? Looking for some IP335 or better. There are only a couple used gear resellers I trust and none seem to carry Polycom, only Cisco and even those only seem to have low end handsets. 
-shac

From tim.h at bendtel.com Fri Dec 17 16:30:15 2010
From: tim.h at bendtel.com (Tim Howe)
Date: Fri, 17 Dec 2010 14:30:15 -0800
Subject: Comcast routes seen from the cheap seats
In-Reply-To:
References: <20101217120700.03ebfbaa@spook.bendtel.com>
Message-ID: <20101217143015.2f975e77@spook.bendtel.com>

On Fri, 17 Dec 2010 15:40:56 -0500
Tony Tauber wrote:

> This is part of normal cleaning up of more-specifics (lessening our routing
> table footprint).
>
> Apologies for any downstream effects.
>
> Please feel free to contact me if there's a problem you're seeing and need
> help with.
>
> Thanks,
> Tony
>
> (speaking on behalf of AS7922)

Thanks for responding, Tony. I will do that.

--
Tim Howe tim.h at bendtel.com
Data Processing 541-389-8252
BendTel GPG pubkey id: 302D210B

From mkarir at merit.edu Fri Dec 17 16:51:31 2010
From: mkarir at merit.edu (mkarir)
Date: Fri, 17 Dec 2010 17:51:31 -0500
Subject: Bogons
In-Reply-To:
References:
Message-ID:

Also the 105/8 which was recently allocated to AfriNIC.

-manish

On Dec 17, 2010, at 5:01 PM, nanog-request at nanog.org wrote:

>
> Message: 1
> Date: Fri, 17 Dec 2010 16:06:45 -0500
> From: John Payne
> Subject: Bogons
> To: NANOG list
> Message-ID:
> Content-Type: text/plain; charset=us-ascii
>
> With the holiday freezes approaching, it might be worth making sure
> that the recently allocated /8s are not in your bogon list....
>
> 23/8
> 100/8
> 5/8
> 37/8
>
> Just sayin'
>

From nick at foobar.org Fri Dec 17 17:14:39 2010
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 17 Dec 2010 23:14:39 +0000
Subject: Bogons
In-Reply-To:
References:
Message-ID: <4D0BEEDF.8060503@foobar.org>

On 17/12/2010 22:51, mkarir wrote:
> Also the 105/8 which was recently allocated to AfriNIC.

All things considered, it's almost time to declare the bogons list dead. Unless there are active updates installed, any new filtering should take place on the basis of the smaller martians list.

Nick

From jra at baylink.com Fri Dec 17 17:23:24 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 17 Dec 2010 18:23:24 -0500 (EST)
Subject: Google/Deja backup
In-Reply-To: <26654139.780.1292628200116.JavaMail.root@benjamin.baylink.com>
Message-ID: <30340462.782.1292628204304.JavaMail.root@benjamin.baylink.com>

This is entirely off topic, except that this is the audience who will know off hand.

Now that 2TB costs $100, has anyone solicited Google for a copy of the Historical Usenet Archives that were assembled by them and Dejanews, such that this history lives in someplace... less commercial? Like the IA, perhaps?

I'm pretty certain that entire archive fits on one drive now.

I would set reply-to to me, but Zimbra is even less manageable than GGroups' interface.

Cheers,
-- jra

From jbates at brightok.net Fri Dec 17 17:32:21 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 17 Dec 2010 17:32:21 -0600
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <201012171345.52854.lowen@pari.edu>
References: <4D0B8886.5030809@ac.upc.edu> <201012171345.52854.lowen@pari.edu>
Message-ID: <4D0BF305.9030202@brightok.net>

On 12/17/2010 12:45 PM, Lamar Owen wrote:
> But content providers already pay more for their 'service' than the typical asymmetric-towards-the-customer bandwidth user does.
>
>

Agreed, though I think they pay less than most eyeball networks pay (the ISP, not the user), depending on where they host it (we have a lot of hauling we have to do).

I'd also note that the Internet is continuing to push more towards blurring the lines of content provider/eyeball, as p2p continues to be deployed with more technologies and for more uses. As households are constantly on, there is benefit in the household hosting content which can be reached directly by those you are sharing it to.

As the market shifts to containing a larger market share of households with symmetric bandwidth, we can expect to see this improve (asymmetric last miles have hindered many innovations).

Jack

From ras at e-gerbil.net Fri Dec 17 18:38:20 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 17 Dec 2010 18:38:20 -0600
Subject: Comcast vs Level 3 - This time with video
Message-ID: <20101218003820.GV38726@gerbil.cluepon.net>

A simplified explanation of the situation between Level 3 and Comcast, from the perspective of a Comcast customer who is asking for the same thing Comcast is asking for. :)

http://www.xtranormal.com/watch/8124137/

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From jbates at brightok.net Fri Dec 17 18:48:38 2010
From: jbates at brightok.net (Jack Bates)
Date: Fri, 17 Dec 2010 18:48:38 -0600
Subject: Comcast vs Level 3 - This time with video
In-Reply-To: <20101218003820.GV38726@gerbil.cluepon.net>
References: <20101218003820.GV38726@gerbil.cluepon.net>
Message-ID: <4D0C04E6.7070507@brightok.net>

On 12/17/2010 6:38 PM, Richard A Steenbergen wrote:
> A simplified explanation of the situation between Level 3 and Comcast,
> from the perspective of a Comcast customer who is asking for the same
> thing Comcast is asking for. :)
>
> http://www.xtranormal.com/watch/8124137/
>

lol, now that's the way to start a weekend off.

:)

Jack

From joly at punkcast.com Fri Dec 17 21:25:14 2010
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 17 Dec 2010 22:25:14 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu>
References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu>
Message-ID:

http://fcc.gov/

NOTICE: The FCC website and related electronic filing systems and documents (except for NORS) will be unavailable beginning 6:00 p.m. (EST) Friday, December 17 through 6:00 a.m. (EST) Monday, December 20 for scheduled maintenance.

:(

On Fri, Dec 17, 2010 at 3:42 PM, Steve Schultze wrote:
>
> > That is a reasonable guess, but Level3's FCC filing yesterday spells
> > out with certainty that Level3 did offer to "cold potato" traffic onto
> > Comcast (it does not mention the technical means e.g. MED honoring,
> > CDN smarts, or otherwise) and that Comcast refused.
> > [...]
>
> Comcast's latest:
> http://fjallfoss.fcc.gov/ecfs/comment/view?id=6016064677
>

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------

From young at jsyoung.net Fri Dec 17 23:01:04 2010
From: young at jsyoung.net (Jeffrey S.
Young)
Date: Sat, 18 Dec 2010 00:01:04 -0500
Subject: Alacarte Cable and Geeks
In-Reply-To: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
References: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
Message-ID: <9F0E00DF-C5C8-4B42-A09A-7D6C2C32B684@jsyoung.net>

On 17/12/2010, at 1:17 PM, Jay Ashworth wrote:

> ---- Original Message -----
>> From: "JC Dill"
>
>> On 17/12/10 4:54 AM, Carlos Martinez-Cagnazzo wrote:
>>> I do believe that video over the Internet is about to change the
>>> cable business in a very deep and possibly traumatic way.
>>
>> +1
>>
>> It's clear that this is a major driving factor in the Comcast/L3/Netflix
>> peering/transit issue. Comcast is obviously looking for ways to fill
>> the looming hole in their revenue chart as consumers turn off Cable
>> and get their TV/video entertainment delivered via the internet.
>
> The more I look at this, the more it looks like "pharmaceuticals bought
> from Canada are cheaper than ones purchased in America -- and they will be
> *just as long* as only a minority of Americans buy them there. As soon as
> *everyone* in America is buying their drugs cross-border, the prices will
> go right back up to what they were paying here."
>
> This is what's gonna happen with Comcast, too; if their customers drop
> CATV, then they're going to have to raise their prices -- and the cable
> networks themselves will have *no* way to collect revenue; the cable
> systems being their collection agent network.
>
> This Can't End Well.
>
> Cheers,
> -- jra
>
>

If the retail price of the content is inflated to support the distribution mechanism (e.g. cable, dsl, fios) and the provider doesn't own the content, the result is inevitable. Content owners could care less about how the content reaches eyeballs as long as it does so reliably. Comcast/NBC merger in the face of the Comcast/L3-Netflix fight gets interesting.

jy

From sjs at Princeton.EDU Fri Dec 17 23:38:19 2010
From: sjs at Princeton.EDU (Steve Schultze)
Date: Sat, 18 Dec 2010 00:38:19 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To:
References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu>
Message-ID: <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU>

http://blog.comcast.com/2010/12/comcasts-responds-to-level-3s-fcc-filing.html

On Dec 17, 2010, at 10:25 PM, Joly MacFie wrote:

> http://fcc.gov/
>
> NOTICE: The FCC website and related electronic filing systems and documents (except for NORS) will be unavailable beginning 6:00 p.m. (EST) Friday, December 17 through 6:00 a.m. (EST) Monday, December 20 for scheduled maintenance.
>
>
> :(
>
>
> On Fri, Dec 17, 2010 at 3:42 PM, Steve Schultze wrote:
>
> > That is a reasonable guess, but Level3's FCC filing yesterday spells
> > out with certainty that Level3 did offer to "cold potato" traffic onto
> > Comcast (it does not mention the technical means e.g. MED honoring,
> > CDN smarts, or otherwise) and that Comcast refused.
> > [...]
>
> Comcast's latest:
> http://fjallfoss.fcc.gov/ecfs/comment/view?id=6016064677
>
>
>
> --
> ---------------------------------------------------------------
> Joly MacFie 218 565 9365 Skype:punkcast
> WWWhatsup NYC - http://wwwhatsup.com
> http://pinstand.com - http://punkcast.com
> VP (Admin) - ISOC-NY - http://isoc-ny.org
> ---------------------------------------------------------------

From patrick at zill.net Sat Dec 18 00:07:15 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Sat, 18 Dec 2010 01:07:15 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU>
References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu> <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU>
Message-ID: <4D0C4F93.6020605@zill.net>

On 12/18/2010 12:38 AM, Steve Schultze wrote:
> http://blog.comcast.com/2010/12/comcasts-responds-to-level-3s-fcc-filing.html
>

I very much doubt whether my comment on the blog will survive their moderation process, so here it is:

===
I am a Comcast residential HSI customer, and have many clients who are business HSI Comcast customers. At the same time, I do maintain servers in my own racks at a datacenter.

What is not mentioned in this letter is that Comcast is already being paid - by me, and by every other customer - for access to the content.

Note that Comcast has never said that the Level3/Netflix issue is about users exceeding their allotted bandwidth (currently at about 250GB/month for residential); presumably, were a Comcast user to use 249GB of bandwidth downloading cute pictures of cats, Comcast would have no objection.

It appears to be the specific issue that Netflix is a possible competitor to Comcast's TV business that somehow causes Comcast to decide that there is a problem.
Understand this: every Netflix video to be streamed is specifically requested by a Comcast user, operating under the Comcast-advertised "High Speed Internet" service and presumably within the bandwidth caps that Comcast's own contract allows.

That Comcast presumes to have the right to limit, modify, or decide for me which pieces of the Internet I can have access to removes Comcast's common carrier protections, calls into question the truth of your advertisements for the HSI service, and raises the issue of whether Comcast is dealing in bad faith with each and every Comcast HSI subscriber.
====

--Patrick

From ras at e-gerbil.net Sat Dec 18 00:28:43 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sat, 18 Dec 2010 00:28:43 -0600
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <4D0C4F93.6020605@zill.net>
References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu> <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU> <4D0C4F93.6020605@zill.net>
Message-ID: <20101218062843.GA38726@gerbil.cluepon.net>

On Sat, Dec 18, 2010 at 01:07:15AM -0500, Patrick Giagnocavo wrote:
>
> Note that Comcast has never said that the Level3/Netflix issue is
> about users exceeding their allotted bandwidth (currently at about
> 250GB/month for residential); presumably, were a Comcast user to use
> 249GB of bandwidth downloading cute pictures of cats, Comcast would
> have no objection.

I believe they want the cat people to pay too, it's just easier to go after Netflix first.

Let's say for a moment that Comcast's overall ratio with its customers is approximately the same as their ratio in the leaked Tata graphs (yes I know that this proves nothing, but let's just assume it for a moment), i.e. 5:1. They then ask that every network who sends them traffic, even their transit providers (in the case of Level 3), be under 2:1.

What is the point of insisting on a ratio that is not supported by the traffic their customers actually request? Because it gives them a convenient excuse to demand payment from nearly everyone on the Internet for being out of ratio, and to restrict capacity to those who do not pay. With so many transit ports running hot, and even peering ports running hot as in the recent example where they intentionally turned down Global Crossing capacity (which they claim is settlement free) and CAUSED congestion, the ISP who hosts the cute cat pictures may have little choice but to pay Comcast for access, or risk losing their cute cat hosting business to someone else who is willing to do so.

I've also seen Comcast ignore several offers to honor MEDs or accept more-specifics from networks who DO meet their published peering requirements in every way except ratios, so I don't think they're interested in technical solutions to a potential transport cost imbalance either. If it was about anything other than trying to extract a toll from content providers, one of these technical solutions would clearly have been better for them than continuing to force the traffic into their congested transit ports, which they not only pay for, but then also do the backhaul for across their own network.

BTW, they rejected my very nice comment on their blog asking if they would be willing to share the graphs of their transit provider interfaces (which are NOT peering relationships, and not under NDA) to back up their claims that the published graphs are false, so I'm positive yours isn't going to get through.

:)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From joly at punkcast.com Sat Dec 18 05:38:17 2010
From: joly at punkcast.com (Joly MacFie)
Date: Sat, 18 Dec 2010 06:38:17 -0500
Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute
In-Reply-To: <20101218062843.GA38726@gerbil.cluepon.net>
References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu> <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU> <4D0C4F93.6020605@zill.net> <20101218062843.GA38726@gerbil.cluepon.net>
Message-ID:

If I was Comcast and I got this deal I'd set up scripts to continuously spoof requests to Netflix, I mean hey, I get paid for the traffic..

j

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------

From rs at seastrom.com Sat Dec 18 05:51:17 2010
From: rs at seastrom.com (Robert E. Seastrom)
Date: Sat, 18 Dec 2010 06:51:17 -0500
Subject: Alacarte Cable and Geeks
In-Reply-To: (Jon Lewis's message of "Fri, 17 Dec 2010 13:27:44 -0500 (EST)")
References: <29672845.662.1292609836880.JavaMail.root@benjamin.baylink.com>
Message-ID: <86d3ozqoy2.fsf@seastrom.com>

Jon Lewis writes:

>> This Can't End Well.
>
> Why not? As people shift from watching broadcast channels to
> streaming content and look to shut off their cable TV service, but
> keep internet, the cable co's are just going to have to raise internet
> prices to compensate. I can see a future where you buy internet from
> the cable co and they give you the basic cable TV channel lineup at
> "no charge" but in reality, you're paying for the cable internet what
> you used to pay for both cable internet and TV.
Here in NoVA (Comcast former Adelphia territory), the future is now. I used to have internet-only service (there is little on TV that I care about). A bit over a year and a half ago, we added basic cable to the service. Total additional cost per month to go from Internet-only to Internet-plus-TV-bundle (same speed) was about $4.

-r

From linford at spamhaus.org Sat Dec 18 06:58:27 2010
From: linford at spamhaus.org (Steve Linford)
Date: Sat, 18 Dec 2010 12:58:27 +0000
Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info)
Message-ID:

As many of you know, both Trend Micro and Spamhaus have published warnings about a Wikileaks mirror site 'wikileaks.info' which is run by the person or persons behind 'AnonOps' from an IP address of a Russian dedicated cybercrime host (Heihachi) on which there is nothing but malware and other cybercrime. Innocent people seeking to read or download Wikileaks documents are being directed to the rogue wikileaks.info server and into the hands of the crime gangs located there.

For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under DDoS by AnonOps. The criminals there do not like our free speech at all.

As our site can't be reached now, you cannot read our article on this, and we cannot continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out to Wikileaks users, please forward this message (entire) to them.

The anonymous folks at AnonOps did not like our article update; here's what we said and what brought the DDoS on us:

----
In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people to contact Spamhaus and "voice your opinion".

Consequently Spamhaus has now received a number of emails, some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies". None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about.

The site data, disks, connections and visitor traffic are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks"; we're saying "Use the wikileaks.ch server instead".
----

Steve Linford
The Spamhaus Project
http://www.spamhaus.org

From odlyzko at umn.edu Sat Dec 18 08:07:01 2010
From: odlyzko at umn.edu (Andrew Odlyzko)
Date: Sat, 18 Dec 2010 08:07:01 -0600 (CST)
Subject: Alacarte Cable and Geeks
In-Reply-To: <4D0BB770.2010602@mompl.net>
References: <4630279.470.1292563600867.JavaMail.root@benjamin.baylink.com> <4D0BB770.2010602@mompl.net>
Message-ID:

It's an interesting question. Even leaving aside the question of billing costs, there are conflicting incentives. Service providers want to extract maximal revenues, but that requires not just fine-scaled pricing, but very overt and fine-scaled price discrimination (which may often be illegal). On the other hand, even aside from general customer preferences for flat-rate simplicity (and the empirically demonstrated willingness to pay more for flat rates), even in the conventional economic model in which Homo economicus customers are trying to maximize well-defined utilities, flat rates can be seen as a form of bundling, which allows the sellers to benefit from the uneven valuations of buyers. A simple argument demonstrating this is on p. 19 of the preprint of my paper "Internet pricing and the history of communications," http://www.dtc.umn.edu/~odlyzko/doc/history.communications1b.pdf (which appeared in Computer Networks 36 (2001), pp. 493-517). This is something that most people in the telecom industry appear to be blissfully unaware of. Just as they are unaware of the fact that for almost a century, the US, which was an outlier on the world telecom scene in having (predominantly, although not universally) flat rate residential service, had higher telecom spending (as fraction of GDP, say) than countries that switched to metered rates.

One cannot say a priori whether flat or metered rates will be better for either sellers or buyers; it all depends.
But it is amusing to see the cable companies, in particular, fighting tooth and nail against moves to make them unbundle video channels while at the same time arguing they have to charge by volume (which is a form of bundling). Andrew On Fri, 17 Dec 2010, Jeroen van Aart wrote: > Jay Ashworth wrote: >> individual subscriber pushed the complexity up, in much the same way >> that flat rate telecom services are popular equally because customers >> prefer them, and because the *cost of keeping track* becomes >delta. > > Can someone then please explain to me why the hell in many other countries > flatrate telecom service (I refer to flatrate local calls) does not exist or > has been phased out. In the Netherlands they phased it out in the mid to late > 80s. I am sure the then government owned telecom rats saw increased revenue > coming real soon now due to increased modem usage. > > (still pissed at ridiculously and unnecessarily high phone bills...) > > It seems to me that at least in that case the cost of keeping track was far > less than the increased revenue that metered (if that's the right word) local > calls would provide. > > Regards, > Jeroen > > -- > http://goldmark.org/jeff/stupid-disclaimers/ > http://linuxmafia.com/~rick/faq/plural-of-virus.html > From owen at delong.com Sat Dec 18 10:35:42 2010 From: owen at delong.com (Owen DeLong) Date: Sat, 18 Dec 2010 08:35:42 -0800 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: <4D0C4F93.6020605@zill.net> References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu> <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU> <4D0C4F93.6020605@zill.net> Message-ID: <73C4F633-2115-4A73-B04A-FCF47382B1FE@delong.com> +1 In fact, I feel that at home, I need fast, reliable internet access. I wish I could get that from one provider.
Unfortunately, instead, I get fast internet service from Comcast (most of the time) and I get reliable internet service from Raw Bandwidth (DSL, 1.5mbps/768k). Owen (Comcast Business HSI customer) On Dec 17, 2010, at 10:07 PM, Patrick Giagnocavo wrote: > On 12/18/2010 12:38 AM, Steve Schultze wrote: >> http://blog.comcast.com/2010/12/comcasts-responds-to-level-3s-fcc-filing.html >> > > I very much doubt whether my comment on the blog will survive their > moderation process, so here it is: > > === > I am a Comcast residential HSI customer, and have many clients who are > business HSI Comcast customers. At the same time, I do maintain servers > in my own racks at a datacenter. > > What is not mentioned in this letter is that Comcast is already being > paid - by me, and by every other customer, for access to the content. > > Note that Comcast has never said that the Level3/Netflix issue is about > users exceeding their allotted bandwidth (currently at about 250GB/month > for residential); presumably, were a Comcast user to use 249GB of > bandwidth downloading cute pictures of cats, Comcast would have no > objection. > > It appears to be the specific issue that Netflix is a possible > competitor to Comcast's TV business, that somehow causes Comcast to > decide that there is a problem. > > Understand this: every Netflix video to be streamed is specifically > requested by a Comcast user, operating under the Comcast-advertised > "High Speed Internet" service and presumably within the bandwidth caps > that Comcast's own contract allows. > > That Comcast presumes to have the right to limit, modify, or decide for > me which pieces of the Internet I can have access to, removes Comcast's > common carrier protections, calls into question the truth of your > advertisements for the HSI service, and raises the issue of whether > Comcast is dealing in bad faith with each and every Comcast HSI subscriber.
> > ==== > > --Patrick From jbates at brightok.net Sat Dec 18 15:00:28 2010 From: jbates at brightok.net (Jack Bates) Date: Sat, 18 Dec 2010 15:00:28 -0600 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: Message-ID: <4D0D20EC.1050706@brightok.net> On 12/18/2010 6:58 AM, Steve Linford wrote: > For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all. > It appears that wikileaks.org is operational again and redirecting to mirros.wikileaks.info, which draws concern of who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors. Jack From mike-nanog at tiedyenetworks.com Sat Dec 18 15:50:15 2010 From: mike-nanog at tiedyenetworks.com (Mike) Date: Sat, 18 Dec 2010 13:50:15 -0800 Subject: Charter abuse contacts? Message-ID: <4D0D2C97.4090905@tiedyenetworks.com> Greetings, I am having trouble getting network abuse reports to charter. Forwarded spam reports, as well as 'message headers only', are being rejected as spam themselves for no other reason given. Would like to get this out as we've identified an abuser on the charter network who needs to re-read their ToS agreement.... 
Mike- From davet1 at gmail.com Sat Dec 18 17:05:28 2010 From: davet1 at gmail.com (Dave Temkin) Date: Sat, 18 Dec 2010 18:05:28 -0500 Subject: "potential new and different architectural approach" to solve the Comcast - L3 dispute In-Reply-To: <20101218062843.GA38726@gerbil.cluepon.net> References: <4D0B8886.5030809@ac.upc.edu> <86CBDA23-B8A4-4D1E-BBE4-4404A848AABC@princeton.edu> <1C75966C-4E64-49C0-9AAA-D66D7E577B4C@Princeton.EDU> <4D0C4F93.6020605@zill.net> <20101218062843.GA38726@gerbil.cluepon.net> Message-ID: <4D0D3E38.9080609@gmail.com> Richard A Steenbergen wrote: > > BTW, they rejected my very nice comment on their blog asking if they > would be willing to share the graphs of their transit provider > interfaces (which are NOT peering relationships, and not under NDA) to > back up their claims that the published graphs are false, so I'm > positive yours isn't going to get through. :) > > Seems as though, in both this case and Steve's case, Comcast is going out of their way to spin as much FUD as they can against those who dare speak out and are making a concerted effort to censor their "blog" (ie, press release machine). It's not going unnoticed and I hope they realize that instead of commenting on their blog, "we" will turn to the official FCC comment process. -Dave From tme at americafree.tv Sat Dec 18 17:15:07 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Sat, 18 Dec 2010 18:15:07 -0500 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <4D0D20EC.1050706@brightok.net> References: <4D0D20EC.1050706@brightok.net> Message-ID: <61B1E7C7-ED24-4CC2-B9E6-11CCBA1AFC6E@americafree.tv> On Dec 18, 2010, at 4:00 PM, Jack Bates wrote: > On 12/18/2010 6:58 AM, Steve Linford wrote: >> For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all. 
>> > > It appears that wikileaks.org is operational again and redirecting to mirros.wikileaks.info, which draws concern of who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors. > > I get nothing from wikileaks.org, although the DNS is active:

dig wikileaks.org

;; ANSWER SECTION:
wikileaks.org. 4774 IN A 64.64.12.170

;; AUTHORITY SECTION:
wikileaks.org. 61470 IN NS ns100.dynadot.com.
wikileaks.org. 61470 IN NS ns101.dynadot.com.

64.64.12.170 is

NetRange: 64.64.0.0 - 64.64.31.255
CIDR: 64.64.0.0/19
OriginAS: AS25847
NetName: SERVINT

and, at least here, a traceroute disappears into servint

 8 64.125.195.222.t00883-02.above.net (64.125.195.222) 15.905 ms 12.172 ms 12.072 ms
 9 sc-smv1766.servint.net (216.22.61.86) 15.879 ms 11.974 ms 13.761 ms
10 * * *

According to this http://nanozen.info/2010/12/spamhaus-under-ddos-from-anonops-wikileaks-info/ wikileaks.info is being hosted by bad guys: "The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." However, at least for me here in Virginia, wikileaks.org is not aliasing to anywhere, but instead simply times out. Regards Marshall > Jack > > From oberman at es.net Sat Dec 18 18:27:22 2010 From: oberman at es.net (Kevin Oberman) Date: Sat, 18 Dec 2010 16:27:22 -0800 Subject: Alacarte Cable and Geeks In-Reply-To: Your message of "Sat, 18 Dec 2010 06:51:17 EST." <86d3ozqoy2.fsf@seastrom.com> Message-ID: <20101219002722.E12271CC26@ptavv.es.net> > From: "Robert E. Seastrom" > Date: Sat, 18 Dec 2010 06:51:17 -0500 > > > Jon Lewis writes: > > >> This Can't End Well. > > > > Why not?
As people shift from watching broadcast channels to > > streaming content and look to shut off their cable TV service, but > > keep internet, the cable co's are just going to have to raise internet > > prices to compensate. I can see a future where you buy internet from > > the cable co and they give you the basic cable TV channel lineup at > > "no charge" but in reality, you're paying for the cable internet what > > you used to pay for both cable internet and TV. > > Here in NoVA (Comcast former Adelphia territory), the future is now. > > I used to have internet-only service (there is little on TV that I > care about). A bit over a year and a half ago, we added basic cable > to the service. Total additional cost per month to go from > Internet-only to Internet-plus-TV-bundle (same speed) was about $4. Hmmm. Better than the situation in my Comcast area. Internet w/o any cable costs MORE than basic cable (i.e. over the air + PEG). I'm sure that this pricing is to discourage customers from switching to a satellite provider for TV since I'm going to get most of it, anyway, and it's not THAT much more to go to the standard package with the popular cable channels. Of course, you may want digital, HD, ... and discover the cable bill hits $200/mo. (Mine doesn't, but I have friends paying that.) -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O.
Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From jbates at brightok.net Sat Dec 18 22:58:48 2010 From: jbates at brightok.net (Jack Bates) Date: Sat, 18 Dec 2010 22:58:48 -0600 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <61B1E7C7-ED24-4CC2-B9E6-11CCBA1AFC6E@americafree.tv> References: <4D0D20EC.1050706@brightok.net> <61B1E7C7-ED24-4CC2-B9E6-11CCBA1AFC6E@americafree.tv> Message-ID: <4D0D9108.3000307@brightok.net> On 12/18/2010 5:15 PM, Marshall Eubanks wrote: > > I get nothing from wikileaks.org, although the DNS is active : >

$ host wikileaks.org
wikileaks.org has address 64.64.12.170

$ telnet 64.64.12.170 80
Trying 64.64.12.170...
Connected to 64.64.12.170.
Escape character is '^]'.
GET / HTTP/1.1
Host: wikileaks.org

HTTP/1.1 302 Found
Date: Sun, 19 Dec 2010 04:56:23 GMT
Server: Apache
Location: http://mirror.wikileaks.info/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

302 Found

Found

The document has moved here.

Connection to 64.64.12.170 closed by foreign host.

> and, at least here, a traceroute disappears into servint
>
> 8 64.125.195.222.t00883-02.above.net (64.125.195.222) 15.905 ms 12.172 ms 12.072 ms
> 9 sc-smv1766.servint.net (216.22.61.86) 15.879 ms 11.974 ms 13.761 ms
> 10 * * *
>
I see same timeouts, but tcp/80 is going through. Filtering, I suspect. Jack From joseph.prasad at gmail.com Sat Dec 18 23:52:41 2010 From: joseph.prasad at gmail.com (Joseph Prasad) Date: Sat, 18 Dec 2010 21:52:41 -0800 Subject: UN mulls internet regulation options Message-ID: http://www.itnews.com.au/News/242051,un-mulls-internet-regulation-options.aspx DISSENT = set interface null *1984* * * -------------------------------- *The only power people exert over us, is the power we allow them to exert.* * * *http://www.dailypaul.com/* * * *http://www.thenewamerican.com/* *--------------------------------* * * From hank at efes.iucc.ac.il Sat Dec 18 23:59:51 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Sun, 19 Dec 2010 07:59:51 +0200 Subject: BGP Attribute 92 ? In-Reply-To: References: <4D0ADB52.1040106@zill.net> <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> <4D0ADB52.1040106@zill.net> Message-ID: <5.1.0.14.2.20101219075820.00c5f5b0@efes.iucc.ac.il> At 12:41 17/12/2010 +0900, Randy Bush wrote: > >> Unknown BGP attribute 92 (flags: 234) > >> Hexdump start--- > >> DD 78 FF 71 > >> Hexdump end ---- > > This appeared to bite my Level3-connected bandwidth as well. > >sigh. is this an attack by a black hat, or by an rir and researchers >who do not know how to say "oops, sorreee!?" Or who do not know how to warn us in advance: http://www.merit.edu/mail.archives/nanog/2009-01/msg00306.html http://www.merit.edu/mail.archives/nanog/2009-01/msg00320.html http://www.merit.edu/mail.archives/nanog/2009-01/msg00334.html -Hank From randy at psg.com Sun Dec 19 00:16:55 2010 From: randy at psg.com (Randy Bush) Date: Sun, 19 Dec 2010 15:16:55 +0900 Subject: BGP Attribute 92 ?
In-Reply-To: <5.1.0.14.2.20101219075820.00c5f5b0@efes.iucc.ac.il> References: <4D0ADB52.1040106@zill.net> <828F4953-84B5-4FBA-AA1A-532B27079B8B@puck.nether.net> <5.1.0.14.2.20101219075820.00c5f5b0@efes.iucc.ac.il> Message-ID: >> sigh. is this an attack by a black hat, or by an rir and researchers >> who do not know how to say "oops, sorreee!?" > Or who do not know how to warn us in advance: i really enjoy that that experiment pissed you off big-time. like you have the technical incompetence to think it was at all dangerous or a problem. if i took it personally, as you seem to, i would remove my zones from being secondaried on rip.psg.com. and i might do something about the many year storm of recursive dns requests to rip.psg.com (which does not recurse) from your friends. after all, who would want to [ab]use the services of someone you like to excoriate for doing no harm? what bullshit! randy From grobe0ba at gmail.com Sun Dec 19 00:28:40 2010 From: grobe0ba at gmail.com (Atticus) Date: Sun, 19 Dec 2010 01:28:40 -0500 Subject: BGP Attribute 92 ? Message-ID: I'm not a network engineer, I merely subscribe to NANOG for interesting things that come across for me to learn about. That being said, I find it hard to take someone seriously who doesn't know how to write using proper English with words capitalized and punctuation, etc. I also saw no one taking the BGP attribute 92 stuff personally. Not to mention, anything that can disturb service uptime warrants at least a "Sorry guys, my bad." Without a forewarning, it's not exactly a wild assumption to think it could have been an attack. I believe I remember a thread from a while back about the same attribute messing a lot of Cisco products up. I also don't see anyone else resorting to foul language to get their point across. Mayhaps I'm out of line for sending this, and just needed to vent. If I've offended anyone, I apologize. Sent from my Motorola Droid.
On Dec 19, 2010 1:17 AM, "Randy Bush" wrote: From ops.lists at gmail.com Sun Dec 19 05:40:48 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sun, 19 Dec 2010 17:10:48 +0530 Subject: UN mulls internet regulation options In-Reply-To: References: Message-ID: This hat is sufficiently old enough to predate wikileaks by several years. And it is way too nuanced to be easily dismissed by code is law truisms like the one below. On Sun, Dec 19, 2010 at 11:22 AM, Joseph Prasad wrote: > http://www.itnews.com.au/News/242051,un-mulls-internet-regulation-options.aspx > > > DISSENT = set interface null *1984* > * -- Suresh Ramasubramanian (ops.lists at gmail.com) From jgreco at ns.sol.net Sun Dec 19 07:06:14 2010 From: jgreco at ns.sol.net (Joe Greco) Date: Sun, 19 Dec 2010 07:06:14 -0600 (CST) Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <4D0D9108.3000307@brightok.net> Message-ID: <201012191306.oBJD6EDM064647@aurora.sol.net> > On 12/18/2010 5:15 PM, Marshall Eubanks wrote: > > > > I get nothing from wikileaks.org, although the DNS is active : > > > > $ host wikileaks.org > wikileaks.org has address 64.64.12.170 Doesn't it seem vaguely suspicious that whois was just updated? Domain ID:D130035267-LROR Domain Name:WIKILEAKS.ORG Created On:04-Oct-2006 05:54:19 UTC Last Updated On:17-Dec-2010 01:57:59 UTC Expiration Date:04-Oct-2018 05:54:19 UTC It seems like it'd be reasonable to be cautious. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. 
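The two manual checks made above, Jack's GET against wikileaks.org and Joe's look at the whois record, as a small added script (not code from any poster): it parses a captured redirect response and a whois excerpt, and flags a redirect to a host outside a trusted-domain list and a recently changed registration record. The trusted domain (wikileaks.ch, where Steve says the official mirror list lives), the seven-day window and the observation time are assumptions.

```python
"""Automates the two manual checks made in this thread: does a hostname's web
server redirect outside the domains we trust (the telnet GET), and was the
domain's registration record changed suspiciously recently (the whois look)?
Added example, not code from any poster; inputs are constructed from the
outputs quoted in the thread."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Status line and headers only, constructed from the telnet session above.
CAPTURED_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sun, 19 Dec 2010 04:56:23 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://mirror.wikileaks.info/\r\n"
    "Content-Length: 213\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed from the whois excerpt above.
CAPTURED_WHOIS = """\
Domain ID:D130035267-LROR
Domain Name:WIKILEAKS.ORG
Created On:04-Oct-2006 05:54:19 UTC
Last Updated On:17-Dec-2010 01:57:59 UTC
Expiration Date:04-Oct-2018 05:54:19 UTC
"""

# Assumptions: wikileaks.ch (home of the official mirror list per the thread)
# is the only trusted domain; the observation time is the date of the mail.
TRUSTED_DOMAINS = ("wikileaks.ch",)
OBSERVED_AT = datetime(2010, 12, 19, 13, 6, tzinfo=timezone.utc)
RECENT_DAYS = 7


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status code, {lowercased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, *_reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status), headers


def redirect_host(raw):
    """Hostname a redirect response sends the client to, or None if not a redirect."""
    status, headers = parse_http_response(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    return urlsplit(headers["location"]).hostname


def is_trusted_host(host, trusted_domains):
    """True if host equals or is a subdomain of a trusted domain (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def parse_whois(text):
    """Turn 'Key:Value' registry lines into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def updated_within(record, now, days):
    """True if the record's 'Last Updated On' timestamp is less than `days` old."""
    stamp = record["Last Updated On"].replace(" UTC", "")
    updated = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return (now - updated).days < days


def assess(raw_http, whois_text, trusted_domains, now, recent_days):
    """Return the findings a reader should weigh before trusting the site."""
    findings = []
    host = redirect_host(raw_http)
    if host and not is_trusted_host(host, trusted_domains):
        findings.append(f"redirects to untrusted host {host}")
    record = parse_whois(whois_text)
    if updated_within(record, now, recent_days):
        findings.append(f"registration record changed on {record['Last Updated On']}")
    return findings


def run_check():
    """Run both checks against the captured inputs above."""
    return assess(CAPTURED_302, CAPTURED_WHOIS, TRUSTED_DOMAINS, OBSERVED_AT, RECENT_DAYS)


if __name__ == "__main__":
    for finding in run_check():
        print("WARNING:", finding)
```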
From frnkblk at iname.com Sun Dec 19 12:46:33 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Sun, 19 Dec 2010 12:46:33 -0600 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <4D0D20EC.1050706@brightok.net> References: <4D0D20EC.1050706@brightok.net> Message-ID: The wikileaks.info press release points to Google's Safe Browsing page for wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), which comes up clean. While I tend to trust Steve and Spamhaus because of their built up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any chance that will be done, so wikileaks.info's claims can be publicly refuted? Kind regards, Frank -----Original Message----- From: Jack Bates [mailto:jbates at brightok.net] Sent: Saturday, December 18, 2010 3:00 PM To: nanog at nanog.org Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info) On 12/18/2010 6:58 AM, Steve Linford wrote: > For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all. > It appears that wikileaks.org is operational again and redirecting to mirros.wikileaks.info, which draws concern of who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors. 
Jack From fergdawgster at gmail.com Sun Dec 19 12:51:45 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Sun, 19 Dec 2010 10:51:45 -0800 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: <4D0D20EC.1050706@brightok.net> Message-ID: Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi: http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/ FYI, -- ferg On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com wrote: > The wikileaks.info press release points to Google's Safe Browsing page > for wikileaks.info > (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), > which comes up clean. > > While I tend to trust Steve and Spamhaus because of their built up > reputation, it would be helpful if some concrete facts were published > about the "more than 40 criminal-run sites operating on the same IP > address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, > elite-crew.net, and bank phishes paypal-securitycenter.com and > postbank-kontodirekt.com." Any chance that will be done, so > wikileaks.info's claims can be publicly > refuted? > > Kind regards, > > Frank > > -----Original Message----- > From: Jack Bates [mailto:jbates at brightok.net] > Sent: Saturday, December 18, 2010 3:00 PM > To: nanog at nanog.org > Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info) > > On 12/18/2010 6:58 AM, Steve Linford wrote: >> For trying to warn about the crime gangs located at the wikileaks.info > mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do > not like our free speech at all. >> > > It appears that wikileaks.org is operational again and redirecting to > mirros.wikileaks.info, which draws concern of who now controls > wikileaks.org. .info definitely isn't the same layout as all the mirrors.
> > > Jack > > > > -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From tme at americafree.tv Sun Dec 19 13:02:00 2010 From: tme at americafree.tv (Marshall Eubanks) Date: Sun, 19 Dec 2010 14:02:00 -0500 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <201012191306.oBJD6EDM064647@aurora.sol.net> References: <201012191306.oBJD6EDM064647@aurora.sol.net> Message-ID: <089CCD3C-BAF4-4042-8CD1-37DB6F305646@americafree.tv> On Dec 19, 2010, at 8:06 AM, Joe Greco wrote: >> On 12/18/2010 5:15 PM, Marshall Eubanks wrote: >>> >>> I get nothing from wikileaks.org, although the DNS is active : >>> >> >> $ host wikileaks.org >> wikileaks.org has address 64.64.12.170 > > Doesn't it seem vaguely suspicious that whois was just updated? > > Domain ID:D130035267-LROR > Domain Name:WIKILEAKS.ORG > Created On:04-Oct-2006 05:54:19 UTC > Last Updated On:17-Dec-2010 01:57:59 UTC > Expiration Date:04-Oct-2018 05:54:19 UTC > > It seems like it'd be reasonable to be cautious. Yes. Now, for me, wikileaks.org does alias to wikileaks.info

wget -r wikileaks.org
--13:49:00-- http://wikileaks.org/
=> `wikileaks.org/index.html'
Resolving wikileaks.org... done.
Connecting to wikileaks.org[64.64.12.170]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://mirror.wikileaks.info/ [following]
--13:49:00-- http://mirror.wikileaks.info/
=> `mirror.wikileaks.info/index.html'
Resolving mirror.wikileaks.info... done.
Connecting to mirror.wikileaks.info[92.241.190.202]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90,059 [text/html]

Which, according to RIPE, is assigned to Russia, but with a contact in Panama

% Information related to '92.241.190.0 - 92.241.190.255'
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse at gigalinknetwork.com
remarks: Technical and sales info: support at gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse at gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered

neither of which would give me confidence. Regards Marshall > > ... JG > -- > Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net > "We call it the 'one bite at the apple' rule. Give me one chance [and] then I > won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) > With 24 million small businesses in the US alone, that's way too many apples. > From joelja at bogus.com Sun Dec 19 13:16:12 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Sun, 19 Dec 2010 11:16:12 -0800 Subject: TCP congestion control and large router buffers In-Reply-To: References: <1291907382.19262.212.camel@shrike> Message-ID: <4D0E59FC.2080706@bogus.com> On 12/9/10 7:20 AM, Mikael Abrahamsson wrote: > On Thu, 9 Dec 2010, Vasil Kolev wrote: > >> I wonder why this hasn't made the rounds here. From what I see, a >> change in this part (e.g. lower buffers in customer routers, or a >> change (yet another) to the congestion control algorithms) would do >> miracles for end-user perceived performance and should help in some >> way with the net neutrality dispute.
> > I'd say this is common knowledge and has been for a long time. > > In the world of CPEs, lowest price and simplicity is what counts, so > nobody cares about buffer depth and AQM, that's why you get ADSL CPEs > with 200+ ms of upstream FIFO buffer (no AQM) in most devices. you're going to see more of it, at a minimum cpe are going to have to be able to drain a gig-e into a port that may be only 100Mb/s. The QOS options available in a ~$100 cpe router are adequate for the basic purpose. d-link dir-825 or 665 are examples of such devices > Personally I have MQC configured on my interface which has assured bw > for small packets and ssh packets, and I also run fair-queue to make tcp > sessions get a fair share. I don't know any non-cisco devices that do > this. the consumer cpe that care seem to be mostly oriented along keeping gaming and voip from being interfered with by p2p and file transfers. From joelja at bogus.com Sun Dec 19 13:18:56 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Sun, 19 Dec 2010 11:18:56 -0800 Subject: Mastercard problems In-Reply-To: References: <995192.18569.qm@web59601.mail.ac4.yahoo.com> <4CFFBF30.3070100@brightok.net> <4CFFC19F.2070001@brightok.net> <20101208203700.GB25753@brutus.ethup.se> <4CFFEDAE.1020407@brightok.net> <4D00A373.3010806@prt.org> Message-ID: <4D0E5AA0.7090903@bogus.com> On 12/9/10 8:11 AM, Marshall Eubanks wrote: > By the way, I was amused that a Twitter spokesman boasted that > > "The company is not overly concerned about hackers' attacking > Twitter's site, he said, explaining that it faces security issues all > the time and has technology to deal with the situation." > > I hope he had his fingers crossed when he said that, as Twitter can > barely keep the service functioning on a good day, with frequent > outages. Justin Bieber is as effective a ddos on twitter as anyone needs. > Regards Marshall > > >> Paul.
>> >> > > > From rsk at gsp.org Sun Dec 19 13:25:09 2010 From: rsk at gsp.org (Rich Kulawiec) Date: Sun, 19 Dec 2010 14:25:09 -0500 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: <4D0D20EC.1050706@brightok.net> Message-ID: <20101219192509.GA16700@gsp.org> On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote: > While I tend to trust Steve and Spamhaus because of their built up > reputation, it would be helpful if some concrete facts were published about > the "more than 40 criminal-run sites operating on the same IP address as > wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and > bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." I found this: http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru (as well as the SBL records those reference) quite interesting. ---rsk From ned at mysterymachine.info Sun Dec 19 13:33:33 2010 From: ned at mysterymachine.info (Ned Moran) Date: Sun, 19 Dec 2010 14:33:33 -0500 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <20101219192509.GA16700@gsp.org> References: <4D0D20EC.1050706@brightok.net> <20101219192509.GA16700@gsp.org> Message-ID: additional evidence http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec wrote: > On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote: > > While I tend to trust Steve and Spamhaus because of their built up > > reputation, it would be helpful if some concrete facts were published > about > > the "more than 40 criminal-run sites operating on the same IP address as > > wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, > and > > bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." > > I found this: > > http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru > > (as well as the SBL records those reference) quite interesting. 
> > ---rsk > > From simonw at zynet.net Sun Dec 19 14:29:18 2010 From: simonw at zynet.net (Simon Waters) Date: Sun, 19 Dec 2010 20:29:18 +0000 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: <4D0D20EC.1050706@brightok.net> Message-ID: <4D0E6B1E.4070308@zynet.net> On 19/12/10 18:51, Paul Ferguson wrote: > Not for nothing, but Spamhaus wasn't the only organization to warn about > Heihachi: > > http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/ All the domains listed by Trend Micro as neighbours appear to be down. Have to say as someone whose employer will buy and host a domain name if you fill in the credit card details and the credit card company accepts them, if you listed only the sites we've cancelled first thing on a Monday morning (or as soon as we are notified) we'd look pretty poor. From the many adverse comments about the hosting services in use they look as bad as they come, but on the other hand this weakens the usefulness of the Trend statement (well to people who check what they are told). Were the sites up when the announcement was made? From fergdawgster at gmail.com Sun Dec 19 15:01:42 2010 From: fergdawgster at gmail.com (Paul Ferguson) Date: Sun, 19 Dec 2010 13:01:42 -0800 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: <4D0E6B1E.4070308@zynet.net> References: <4D0D20EC.1050706@brightok.net> <4D0E6B1E.4070308@zynet.net> Message-ID: On Sun, Dec 19, 2010 at 12:29 PM, Simon Waters wrote: > On 19/12/10 18:51, Paul Ferguson wrote: >> Not for nothing, but Spamhaus wasn't the only organization to warn about >> Heihachi: >> >> http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhoo >> d/ > > All the domains listed by Trend Micro as neighbours appear to be down.
> > Have to say as someone whose employer will buy and host a domain name if > you fill in the credit card details and the credit card company accepts > them, if you listed only the sites we've cancelled first thing on a > Monday morning (or as soon as we are notified) we'd look pretty poor. > > From the many adverse comments about the hosting services in use they > look as bad as they come, but on the other hand this weakens the > usefulness of the Trend statement (well to people who check what they > are told). > > Were the sites up when the announcement was made? > > The sites that were listed are just a few examples of the hundreds of domains located there that are engaged in criminal activity. The fact that they are down now really doesn't factor into the equation -- the history of criminal activity within that prefix speaks for itself. -- ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From dhc2 at dcrocker.net Sun Dec 19 15:30:22 2010 From: dhc2 at dcrocker.net (Dave CROCKER) Date: Sun, 19 Dec 2010 13:30:22 -0800 Subject: UN mulls internet regulation options In-Reply-To: References: Message-ID: <4D0E796E.2040603@dcrocker.net> On 12/18/2010 9:52 PM, Joseph Prasad wrote: > http://www.itnews.com.au/News/242051,un-mulls-internet-regulation-options.aspx Given the season, their efforts appear to be a form of mulled whine.
d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From william.allen.simpson at gmail.com Sun Dec 19 15:36:49 2010 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Sun, 19 Dec 2010 16:36:49 -0500 Subject: Alacarte Cable and Geeks In-Reply-To: <20101219002722.E12271CC26@ptavv.es.net> References: <20101219002722.E12271CC26@ptavv.es.net> Message-ID: <4D0E7AF1.9060705@gmail.com> On 12/18/10 7:27 PM, Kevin Oberman wrote: >> From: "Robert E. Seastrom" >> ... I can see a future where you buy internet from >>> the cable co and they give you the basic cable TV channel lineup at >>> "no charge" but in reality, you're paying for the cable internet what >>> you used to pay for both cable internet and TV. >> >> Here in NoVA (Comcast former Adelphia territory), the future is now. >> >> I used to have internet-only service (there is little on TV that I >> care about). A bit over a year and a half ago, we added basic cable >> to the service. Total additional cost per month to go from >> Internet-only to Internet-plus-TV-bundle (same speed) was about $4. > > Hmmm. Better than the situation in my Comcast area. Internet w/o any > cable costs MORE than basic cable (i.e. over the air + PEG). ... Likewise, here in Michigan I helped a brother set up Comcast, and discovered that the charge for Internet + Basic Cable was about $2 per month *cheaper* than Internet-only. From fred at cisco.com Sun Dec 19 15:48:45 2010 From: fred at cisco.com (Fred Baker) Date: Sun, 19 Dec 2010 13:48:45 -0800 Subject: UN mulls internet regulation options In-Reply-To: <4D0E796E.2040603@dcrocker.net> References: <4D0E796E.2040603@dcrocker.net> Message-ID: <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> On Dec 19, 2010, at 1:30 PM, Dave CROCKER wrote: > > > On 12/18/2010 9:52 PM, Joseph Prasad wrote: >> http://www.itnews.com.au/News/242051,un-mulls-internet-regulation-options.aspx > > > Given the season, their efforts appear to be a form of mulled whine.
Well, if you have followed the news, it comes down to the fact that some of our old friends from WSIS/WGIG/IGF+ICANN/GAC "we're the government and we like the idea of being in charge" friends are at it again. In one corner, Brazil, China, South Africa, and Saudi Arabia; in the other, US, Austria, and so on. The current state of play is that the folk in the first corner would like an exclusive club, and a combination of parties including the folks in the second corner and a variety of civil society, industry, and etc parties and rocked the boat back in the direction of multi-stakeholder discussions. My prediction: the boat will keep rocking, and the "givmint" folks will try again. And again. From lists at foks.se Sun Dec 19 15:19:31 2010 From: lists at foks.se (foks) Date: Sun, 19 Dec 2010 22:19:31 +0100 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: <4D0D20EC.1050706@brightok.net> <20101219192509.GA16700@gsp.org> Message-ID: <4D0E76E3.7030809@foks.se> On 12/19/2010 08:33 PM, Ned Moran wrote: > additional evidence > > http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on > > On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec wrote: > >> On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote: >>> While I tend to trust Steve and Spamhaus because of their built up >>> reputation, it would be helpful if some concrete facts were published >> about >>> the "more than 40 criminal-run sites operating on the same IP address as >>> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, >> and >>> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." >> I found this: >> >> http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru >> >> (as well as the SBL records those reference) quite interesting. >> >> ---rsk >> >> The evidence is for Webalta, which hosts Heihachi (which hosts wikileaks.info). I spent some minutes checking Heihachi's IP block 92.241.190.0 - 
92.241.190.255. I found 255 .com/.net domains which use this IP block and Heihachi's DNS servers. Google reports that none of them is used to serve malware. Two of them, dhl24-servicecenter.com and pixel-banner.com, are reported as phishing sites. Both are down at the moment. http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports 4 addresses on this IP block, all seem to be up. http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50 reports 3 addresses on underground-infosource.info. This site is not online at the moment. If Heihachi hasn't cleaned up very well over the last few days, I would say that they behave much better than Webalta's customers in general. From william.allen.simpson at gmail.com Sun Dec 19 16:16:27 2010 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Sun, 19 Dec 2010 17:16:27 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0B9914.5080705@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> Message-ID: <4D0E843B.4010109@gmail.com> On 12/17/10 12:08 PM, Dave Temkin wrote: > George Bonser wrote: >> The municipality charges the cable company per HBO subscriber? >> >> > The municipality gets a cut of that in a profit sharing agreement. The point was, everyone gets their tax or toll along the way. > Dave, perhaps you would be kind enough to tell us where you operate a network and what municipality is able to charge "the cable company" based on a "profit sharing agreement". That would be against the law in Michigan. And I've never heard of any cable company revealing its profits on a per municipality basis.... 
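A scripted version of the prefix check foks describes in the Spamhaus thread above (enumerate the domains that resolve into 92.241.190.0/24 and use the hoster's nameservers, then cross-reference each against blocklist feeds), added here as an example and not code from anyone in the thread. The record and feed layouts, the nameserver names and every domain below are constructed placeholders; a real run would substitute passive-DNS output and actual feed exports.

```python
import ipaddress
from collections import defaultdict

# The prefix discussed in the thread; everything else in this block is constructed.
PREFIX = ipaddress.ip_network("92.241.190.0/24")
HOSTER_NS = {"ns1.hoster.example", "ns2.hoster.example"}  # placeholder nameservers

# Constructed passive-DNS style observations: (domain, A record, authoritative NS).
PDNS_RECORDS = [
    ("shop-one.example", "92.241.190.10", "ns1.hoster.example"),
    ("shop-one.example", "92.241.190.10", "ns2.hoster.example"),
    ("phish-a.example", "92.241.190.55", "ns1.hoster.example"),
    ("phish-a.example", "92.241.190.55", "ns2.hoster.example"),
    ("mw-b.example", "92.241.190.55", "ns1.hoster.example"),
    ("unrelated.example", "92.241.190.77", "ns1.other.example"),  # on prefix, other DNS
    ("elsewhere.example", "203.0.113.9", "ns1.hoster.example"),   # hoster DNS, off prefix
]

# Constructed blocklist export, one "<feed>\t<domain>\t<verdict>\t<site status>" per line.
FEED_LINES = """\
safebrowsing\tshop-one.example\tclean\tup
phishfeed\tphish-a.example\tphishing\tdown
malwarefeed\tmw-b.example\tmalware\tup
phishfeed\tnot-ours.example\tphishing\tup
broken line without enough fields
"""


def hosted_domains(records, prefix, ns_set):
    """Domains with an A record inside `prefix` that are also served by at
    least one nameserver in `ns_set`. Returns {domain: {ip, ...}}."""
    ips = defaultdict(set)
    nameservers = defaultdict(set)
    for domain, addr, ns in records:
        domain = domain.lower().rstrip(".")
        if ipaddress.ip_address(addr) in prefix:
            ips[domain].add(addr)
        nameservers[domain].add(ns.lower().rstrip("."))
    return {d: ips[d] for d in ips if nameservers[d] & ns_set}


def parse_feed(text):
    """Parse feed lines into {domain: [(feed, verdict, status), ...]}.
    Malformed lines and explicit 'clean' verdicts are dropped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        feed, domain, verdict, status = parts
        if verdict == "clean":
            continue
        hits[domain.lower()].append((feed, verdict, status))
    return hits


def triage(records, feed_text, prefix, ns_set):
    """Cross-reference the hoster's domains against the feeds and summarise:
    what is hosted, what is flagged, what is flagged and still up, and how
    many flagged domains share each address (shared IPs being the point
    the Spamhaus listing is argued over)."""
    hosted = hosted_domains(records, prefix, ns_set)
    hits = parse_feed(feed_text)
    flagged = {d: hits[d] for d in hosted if d in hits}
    live = sorted(d for d, h in flagged.items() if any(s == "up" for _, _, s in h))
    per_ip = defaultdict(int)
    for d in flagged:
        for ip in hosted[d]:
            per_ip[ip] += 1
    return {
        "hosted": sorted(hosted),
        "flagged": flagged,
        "flagged_live": live,
        "per_ip": dict(per_ip),
    }


if __name__ == "__main__":
    report = triage(PDNS_RECORDS, FEED_LINES, PREFIX, HOSTER_NS)
    print(f"{len(report['hosted'])} domains on {PREFIX} using the hoster's DNS")
    for d, h in sorted(report["flagged"].items()):
        print(f"  flagged: {d} -> {h}")
    print("flagged and still up:", report["flagged_live"])
    print("flagged domains per IP:", report["per_ip"])
```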
From frnkblk at iname.com Sun Dec 19 17:26:13 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Sun, 19 Dec 2010 17:26:13 -0600 Subject: Spamhaus under DDOS from AnonOps (Wikileaks.info) In-Reply-To: References: <4D0D20EC.1050706@brightok.net> Message-ID: Thanks for your note and the many others. I think it could have been stated more clearly that wikileaks.info, while in a bad neighborhood, and set up to suggest it is Wikileaks or part of the Wikileaks organization, does not (at this time) host or facilitate distribution of malware. The Spamhaus announcement was not so clear. Frank -----Original Message----- From: Paul Ferguson [mailto:fergdawgster at gmail.com] Sent: Sunday, December 19, 2010 12:52 PM To: frnkblk at iname.com Cc: Jack Bates; nanog at nanog.org Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info) Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi: http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/ FYI, - - ferg On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com wrote: > The wikileaks.info press release points to Google's Safe Browsing page > for wikileaks.info > (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), > which comes up clean. > > While I tend to trust Steve and Spamhaus because of their built up > reputation, it would be helpful if some concrete facts were published > about the "more than 40 criminal-run sites operating on the same IP > address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, > elite-crew.net, and bank phishes paypal-securitycenter.com and > postbank-kontodirekt.com." Any chance that will be done, so > wikileaks.info's claims can be publicly > refuted? 
> > Kind regards, > > Frank > > -----Original Message----- > From: Jack Bates [mailto:jbates at brightok.net] > Sent: Saturday, December 18, 2010 3:00 PM > To: nanog at nanog.org > Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info) > > On 12/18/2010 6:58 AM, Steve Linford wrote: >> For trying to warn about the crime gangs located at the wikileaks.info > mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do > not like our free speech at all. >> > > It appears that wikileaks.org is operational again and redirecting to > mirros.wikileaks.info, which draws concern of who now controls > wikileaks.org. .info definitely isn't the same layout as all the mirrors. > > > Jack > > > > -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ From rekordmeister at gmail.com Sun Dec 19 17:38:56 2010 From: rekordmeister at gmail.com (MKS) Date: Sun, 19 Dec 2010 23:38:56 +0000 Subject: DWDM on a single strand Message-ID: Hi there I was wondering about DWDM equipment on a single strand fiber. What are the capabilities of "mainstream" DWDM equipment operating on a single strand of fiber in terms of number of channels and reach? By mainstream I mean equipment somewhere in the middle of the price range for DWDM, like a standard offer from a reputable manufacturer. Are the same optical amplifiers used on single strand DWDM and DWDM on a pair? 
Regards MKS From randy at psg.com Sun Dec 19 18:09:44 2010 From: randy at psg.com (Randy Bush) Date: Mon, 20 Dec 2010 09:09:44 +0900 Subject: UN mulls internet regulation options In-Reply-To: <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: > Well, if you have followed the news, it comes down to the fact that > some of our old friends from WSIS/WGIG/IGF+ICANN/GAC "we're the > government and we like the idea of being in charge" friends are at it > again. In one corner, Brazil, China, South Africa, and Saudi Arabia; > in the other, US, Austria, and so on. The current state of play is > that the folk in the first corner would like an exclusive club, and a > combination of parties including the folks in the second corner and a > variety of civil society, industry, ad etc parties and rocked the boat > back in the direction of multi-stakeholder discussions. > > My prediction: the boat will keep rocking, and the "givmint" folks > will try again. And again. s/again/still/ randy From bedard.phil at gmail.com Sun Dec 19 18:35:09 2010 From: bedard.phil at gmail.com (Phil Bedard) Date: Sun, 19 Dec 2010 19:35:09 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0E843B.4010109@gmail.com> Message-ID: The franchise fees in many markets are based on gross revenue. 5% is a fairly standard percentage charged by municipalities to cable companies for right of way access, etc. Not sure if I would call this a profit sharing plan, but it's not too much of a stretch. Today with local agreements somewhat going by the wayside for statewide franchising, I'm not sure how the fees are charged. Phil On 12/19/10 5:16 PM, "William Allen Simpson" wrote: >On 12/17/10 12:08 PM, Dave Temkin wrote: >> George Bonser wrote: >>> The municipality charges the cable company per HBO subscriber? >>> >>> >> The municipality gets a cut of that in a profit sharing agreement. 
The >>point was, everyone gets their tax or toll along the way. >> >Dave, perhaps you would be kind enough to tell us where you operate a >network and what municipality is able to charge "the cable company" >based on a "profit sharing agreement". > >That would be against the law in Michigan. And I've never heard of any >cable company revealing its profits on a per municipality basis.... > From brunner at nic-naa.net Sun Dec 19 18:43:26 2010 From: brunner at nic-naa.net (Eric Brunner-Williams) Date: Sun, 19 Dec 2010 19:43:26 -0500 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: <4D0EA6AE.8020609@nic-naa.net> fred, and others with (misspent) wsis++ / ig++ travel nickels, it would _really_ help me if you provided more context, off-line if necessary, as i spent the week before last more involved with the gac than at any prior point in my decade of icann involvement. i don't mind the 'tude, as we all have 'tude, and it is operational shorthand for broad views on the contending actors and their issues. what would help me most is names of persons and specific positions and any additional decoding you care to offer. i have to rely upon second hand, and usually wsis++ / ig++ favorably inclined second hand data, as my nickel hasn't covered that traveling circus. so clue please. off-line is fine. 
eric From bicknell at ufp.org Sun Dec 19 19:09:24 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Sun, 19 Dec 2010 17:09:24 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0E843B.4010109@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> Message-ID: <20101220010924.GA73595@ussenterprise.ufp.org> In a message written on Sun, Dec 19, 2010 at 05:16:27PM -0500, William Allen Simpson wrote: > That would be against the law in Michigan. And I've never heard of any > cable company revealing its profits on a per municipality basis.... Google finds some: http://www.cityofpaloalto.org/civica/filebank/blobdload.asp?BlobID=7364 "The Franchise Agreement requires AT&T to pay the City $0.88 per residential subscriber per month to maintain and enhance PEG access services provided by MPAC. AT&T has chosen to pass this $0.88 fee on to subscribers, which it is not prohibited to do under Federal law." http://www.montgomerycountymd.gov/mcgtmpl.asp?url=/content/cableoffice/june98franchise.asp#8.%20FRANCHISE%20FEE "Payment to County. Each year during the Franchise term, as compensation for use of Public Rights-of-Way, the Franchisee shall pay to the County, on a quarterly basis, a Franchise fee of five percent (5%) of Gross Revenues, including any Franchise fee owed to the Participating Municipalities." http://www.cityofsouthfield.com/Government/CityDepartments/AC/Cable15/FranchiseFees/tabid/499/Default.aspx "Franchise fees are calculated as a percentage of your bill. Southfield's fee is eight percent of gross revenues." Googling "Franchise Fee" turns up thousands of other documents. 
This is also why, when speaking to folks at the cable and iLEC companies, I remind them that when it comes to network neutrality I do regard them as different from CLEC's and independent companies. They have been granted a monopoly by the local government for wireline services, and in exchange for that monopoly need to act in the public's interest. In the TV world this is things like running the local community interest channel, and paying a franchise fee. In the IP world we're still developing the criteria, but it's not unreasonable to think they might have some government imposed requirements there as well. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From fred at cisco.com Sun Dec 19 19:12:33 2010 From: fred at cisco.com (Fred Baker) Date: Sun, 19 Dec 2010 17:12:33 -0800 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: On Dec 19, 2010, at 4:09 PM, Randy Bush wrote: >> Well, if you have followed the news, it comes down to the fact that >> some of our old friends from WSIS/WGIG/IGF+ICANN/GAC "we're the >> government and we like the idea of being in charge" friends are at it >> again. In one corner, Brazil, China, South Africa, and Saudi Arabia; >> in the other, US, Austria, and so on. The current state of play is >> that the folk in the first corner would like an exclusive club, and a >> combination of parties including the folks in the second corner and a >> variety of civil society, industry, and etc parties and rocked the boat >> back in the direction of multi-stakeholder discussions. >> >> My prediction: the boat will keep rocking, and the "givmint" folks >> will try again. And again. > > s/again/still/ That too... 
> randy From Bryan at bryanfields.net Sun Dec 19 19:20:49 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Sun, 19 Dec 2010 20:20:49 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220010924.GA73595@ussenterprise.ufp.org> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> Message-ID: <4D0EAF71.5090108@bryanfields.net> On 12/19/2010 20:09, Leo Bicknell wrote: > They have been granted a monopoly by the local government for > wireline services, and in exchange for that monopoly need to act > in the public's interest. In the TV world this is things like > running the local community interest channel, and paying a franchise > fee. In the IP world we're still developing the criteria, but it's > not unreasonable to think they might have some government imposed > requirements there as well. The government granting a monopoly is the problem, and more lame government regulation is not the solution. Let everyone compete on a level playing field, not by allowing one company to buy a monopoly enforced by men with guns. 
-- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From jcurran at arin.net Sun Dec 19 19:28:51 2010 From: jcurran at arin.net (John Curran) Date: Mon, 20 Dec 2010 01:28:51 +0000 Subject: UN mulls internet regulation options In-Reply-To: <4D0EA6AE.8020609@nic-naa.net> References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> <4D0EA6AE.8020609@nic-naa.net> Message-ID: On Dec 19, 2010, at 7:43 PM, Eric Brunner-Williams wrote: > fred, and others with (misspent) wsis++ / ig++ travel nickles, > > it would _really_ help me if you provided more context, off-line if necessary, as i spent the week before last more involved with the gac than at any prior point in my decade of icann involvement. Eric (et al) - On Tuesday, December 14th, I spoke in NYC on behalf of the Number Resource Organization (NRO) at the "Open Consultations on the process towards Enhanced Cooperation on International Public Policy Issues pertaining to the Internet" held by the United Nations Department of Economic and Social Affairs (UN DESA). This consultation was being held to get multistakeholder inputs regarding the "process towards the implementation of enhanced cooperation in order to enable governments, on an equal footing to carry out their roles and responsibilities in international public policy issues pertaining to the Internet". This was specifically not about the Internet Governance Forum, but a second initiative for a more decisional body regarding the Internet that some governments assert was already agreed to by means of the UN World Summit on the Information Society (WSIS) Tunis Agenda in 2005[1]. 
I presented an NRO prepared statement[2] which outlined the considerable progress that had been made in enhanced cooperation between governments, business, and Internet technical organizations in dealing with Internet policy issues, emphasized the increasingly complex nature of the Internet, and asked that these factors be kept in mind when considering next steps. I also intervened twice to request clarification of exactly how a government-only decision body for Internet policy would fulfill the "consultation with all stakeholders" paragraph specified in the Tunis agenda. The answer from several countries was not encouraging, suggesting the consultation could be done in the UN manner through their Member State delegations. This government-only view is being asserted by several countries, but India, Brazil, South Africa and Saudi Arabia are carrying it most strongly, and it is likely to result in a recommendation in this matter from the Under Sec General to the UN General Assembly sometime next May. While we had many interventions speaking in favor of a more multistakeholder approach (including the US and UK, the Internet Society on behalf of itself and the IETF, and ICANN), several other presenters did not stay on the topic of enhanced cooperation and fulfilling the Tunis Agenda, but instead explored a wide range of topical Internet concerns (those interested in detailed positions of presenters are recommended to review the filed positions, statements as presented or listen/view the UN archives, all of which are available online [3]). Overall, I believe that the Internet community did well in presenting its points, and am hopeful that if a more decisional intergovernmental body is formed for addressing these matters, some functional mechanism for consultation with non-governmental parties will receive some consideration. I do not believe that there is much more that can be done until we see the draft recommendation that emerges from this process early next year. 
I hope this helps provide some context as you requested. Happy Holidays, /John John Curran President and CEO ARIN === REFERENCES [1] WSIS Tunis Agenda: http://www.itu.int/wsis/docs2/tunis/off/6rev1.html [2] NRO statement: http://www.nro.net/documents/pdf/StatementbyJohnCurran.pdf [3] DESA / WSIS Followup website: http://www.unpan.org/dpadm/wsisfollowup From gbonser at seven.com Sun Dec 19 19:37:12 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 19 Dec 2010 17:37:12 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220010924.GA73595@ussenterprise.ufp.org> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D1@RWC-EX1.corp.seven.com> > Google finds some: > > http://www.cityofpaloalto.org/civica/filebank/blobdload.asp?BlobID=7364 > > "The Franchise Agreement requires AT&T to pay the City $0.88 per > residential subscriber per month to maintain and enhance PEG access > services provided by MPAC. AT&T has chosen to pass this $0.88 fee on to > subscribers, which it is not prohibited to do under Federal law." ... If you look at that agreement, you will see that it specifically does not apply to Internet services, and it specifically prohibits any monopolies. This is simply a charge for access to "public right of way" or a payment to the city for stuff the city has to maintain to support AT&T's infrastructure. For example, if AT&T undergrounds cables under a street, this increases the maintenance cost of that street because they must now be sure to avoid AT&T's cables when they dig and must take those cables into consideration for any civil engineering work they do. 
I don't see that as an "access fee for subscribers". What I am concerned with happening is a cash-strapped city seeing Comcast (or any provider, really) trying to charge for access to subscribers and then the city saying "wait a minute, who are you to sell access to our people to a third party? If you are going to charge third parties for access to those eyeballs, then you can pay us, in turn for that access." And from there it all goes down hill. Comcast charges for access to eyeballs and then the cities turn around and charge Comcast an "access" fee and then it becomes ubiquitous and cities start charging all ISPs for "eyeball" access as a revenue source. It is the opening of a box that is better left closed, in my opinion. From ras at e-gerbil.net Sun Dec 19 19:48:04 2010 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sun, 19 Dec 2010 19:48:04 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EAF71.5090108@bryanfields.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> Message-ID: <20101220014804.GD38726@gerbil.cluepon.net> On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote: > > The government granting a monopoly is the problem, and more lame > government regulation is not the solution. Let everyone compete on a > level playing field, not by allowing one company to buy a monopoly > enforced by men with guns. Running a wire to everyone's house is a natural monopoly. It just doesn't make sense, financially or technically, to try and manage 50 different companies all trying to install 50 different wires into every house just to have competition at the IP layer. 
It also wouldn't make sense to have 5 different competing water companies trying to service your house, etc. This is where government regulation of the entities who ARE granted the monopoly status comes into play, to protect consumers against abuses like we're seeing Comcast commit today. Personally I think the right answer is to enforce a legal separation between the layer 1 and layer 3 infrastructure providers, and require that the layer 1 network provide non-discriminatory access to any company who wishes to provide IP to the end user. But that would take a lot of work to implement, and there are billions of dollars at work lobbying against it, so I don't expect it to happen any time soon. :) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From gbonser at seven.com Sun Dec 19 19:50:17 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 19 Dec 2010 17:50:17 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D2@RWC-EX1.corp.seven.com> > Personally I think the right answer is to enforce a legal separation > between the layer 1 and layer 3 infrastructure providers, and require > that the layer 1 network provide non-discriminatory access to any > company who wishes to provide IP to the end user. But that would take a > lot of work to implement, and there are billions of dollars at work > lobbying against it, so I don't expect it to happen any time soon. 
:) > > -- > Richard A Steenbergen http://www.e- > gerbil.net/ras > GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 > 2CBC) I agree. The "highway" model of commerce is better than the "railroad" model of commerce. From bicknell at ufp.org Sun Dec 19 19:58:26 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Sun, 19 Dec 2010 17:58:26 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EAF71.5090108@bryanfields.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> Message-ID: <20101220015826.GA75503@ussenterprise.ufp.org> In a message written on Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote: > The government granting a monopoly is the problem, and more lame government > regulation is not the solution. Let everyone compete on a level playing > field, not by allowing one company to buy a monopoly enforced by men with guns. While I like the concept, reality doesn't allow it. When speaking about the folks who actually run fiber/copper/coax to the home there are a number of physical, real world issues. Rights of way, specifically easements, pole space and similar, are limited quantities. There is both a finite number of folks who can put in resources in any reasonable way, and an exponentially increasing chance of them damaging each other as they pack in closer and closer. There is also the problem that most residents get really upset if the road between home and the grocery store is torn up this week by AT&T, next week by Comcast, the following week by Level 3, the next week by Cogent and is then a rutted potholed mess. 
Many cities are requiring carriers to do joint physical duct builds to keep from digging up streets repeatedly, due to the inconvenience factor but also because it reduces the lifespan of the streets, and thus raises costs to residents. After looking at many models I think Australia might be on to something. The model is that a quasi-government monopoly provides the last mile physical wire, but is unable to sell services on it. Basically they only provide UNE's. Then, at the switching center any ISP can pick up those UNE's and provide services. Competition to the end user, while the last mile is always a single provider, limiting the issues above. Many cities are trying the same with electric service: one company provides the transport infrastructure and you select a generation provider. Simply put, physical real world issues mean there will never be individual residences in most places where there are 6-10 wired infrastructures coming in, so the user can select one and 5-9 can go unused. Huge waste, lots of problems running it that add cost and create conditions users don't like. I dream of a day where we have municipal fiber to the home, leased to any ISP who wants to show up at the local central office for a dollar or two a month so there can be true competition in end-user services. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ 
From jcdill.lists at gmail.com Sun Dec 19 20:12:02 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Sun, 19 Dec 2010 18:12:02 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: <4D0EBB72.50106@gmail.com> On 19/12/10 5:48 PM, Richard A Steenbergen wrote: > On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote: >> The government granting a monopoly is the problem, and more lame >> government regulation is not the solution. Let everyone compete on a >> level playing field, not by allowing one company to buy a monopoly >> enforced by men with guns. > Running a wire to everyone's house is a natural monopoly. It just > doesn't make sense, financially or technically, to try and manage 50 > different companies all trying to install 50 different wires into every > house just to have competition at the IP layer. It also wouldn't make > sense to have 5 different competing water companies trying to service > your house, etc. This is the argument the government uses to keep first class mail service as an exclusive monopoly service for the USPS, claiming you wouldn't want 50 different mail carriers marching up and down your walk every day. Yet we aren't seeing a big problem with package delivery. Currently you have 3 choices, USPS, UPS, and FedEx. The market can't support more than 3 or 4 package delivery services (e.g. we had 4 with DHL, which didn't survive the financial meltdown). 
Why not open up the market for telco wiring and just see what happens? There might be 5 or perhaps even 10 players who try to enter the market, but there won't be 50 - it simply won't make financial sense for additional players to try to enter the market after a certain number of players are already in. And there certainly won't be 50 all trying to service the same neighborhood. And if a competing water service thought they could do better than the incumbent, why not let them put in a competing water project? If they think they can make money after the cost of the infrastructure, then they may be onto something. We don't have to worry that too many would join in, the laws of diminishing returns would make it unprofitable for the nth company to build out the infrastructure to enter the market. jc From randy at psg.com Sun Dec 19 20:12:51 2010 From: randy at psg.com (Randy Bush) Date: Mon, 20 Dec 2010 11:12:51 +0900 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: > Personally I think the right answer is to enforce a legal separation > between the layer 1 and layer 3 infrastructure providers, and require > that the layer 1 network provide non-discriminatory access to any > company who wishes to provide IP to the end user. 
SE From drc at virtualized.org Sun Dec 19 20:19:12 2010 From: drc at virtualized.org (David Conrad) Date: Sun, 19 Dec 2010 16:19:12 -1000 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EBB72.50106@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> Message-ID: On Dec 19, 2010, at 4:12 PM, JC Dill wrote: > And if a competing water service thought they could do better than the incumbent, why not let them put in a competing water project? Because they'd have to dig up the streets, people's yards, etc. to do it. There really are some natural monopolies. Regards, -drc From ras at e-gerbil.net Sun Dec 19 20:21:13 2010 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Sun, 19 Dec 2010 20:21:13 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220015826.GA75503@ussenterprise.ufp.org> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220015826.GA75503@ussenterprise.ufp.org> Message-ID: <20101220022113.GE38726@gerbil.cluepon.net> On Sun, Dec 19, 2010 at 05:58:26PM -0800, Leo Bicknell wrote: > > I dream of a day where we have municipal fiber to the home, leased to > any ISP who wants to show up at the local central office for a dollar > a two a month so there can be true competition in end-user services. 
Take a second and think about what THAT would do to the ratio wars. Imagine if any hosting/content provider, with potentially hundreds or thousands of gigabits of unused inbound capacity on their networks, could easily get into providing IP service to eyeballs. Even ignoring the existing 95th percentile silliness like "free inbound transit", which would no doubt rapidly evaporate under this kind of model, the difference in efficiencies between the highly competitive hosting world and the highly non-competitive last mile world are simply staggering.

For many content networks, it would be an opportunity to start making money on their bits instead of paying for them, and networks without content expertise would be in serious trouble.

I personally can't think of a single thing with more potential for massive disruption to the business models of incumbent providers. There are so many billions of dollars at stake protecting the status quo that it's not even funny, which IMHO is why you'll never see any of this happen in the US, in any kind of scale at any rate. :)

-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From ras at e-gerbil.net Sun Dec 19 20:25:54 2010
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 19 Dec 2010 20:25:54 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EBB72.50106@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com>
Message-ID: <20101220022554.GF38726@gerbil.cluepon.net>

On Sun, Dec 19, 2010 at 06:12:02PM -0800, JC Dill wrote:
>
> And if a competing water service thought they could do better than the
> incumbent, why not let them put in a competing water project? If they
> think they can make money after the cost of the infrastructure, then
> they may be onto something. We don't have to worry that too many
> would join in, the laws of diminishing returns would make it
> unprofitable for the nth company to build out the infrastructure to
> enter the market.

The laws of diminishing returns have already set the bar for the point at which it's not profitable for a new company to enter the market and try to compete. Right now the number is roughly 2, cable and dsl, give or take a few outliers. I do believe the point would be to encourage a little more competition than that. :)

-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From sethm at rollernet.us Sun Dec 19 20:41:09 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 19 Dec 2010 18:41:09 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EBB72.50106@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com>
Message-ID: <4D0EC245.5030103@rollernet.us>

On 12/19/10 6:12 PM, JC Dill wrote:
> On 19/12/10 5:48 PM, Richard A Steenbergen wrote:
>> On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote:
>>> The government granting a monopoly is the problem, and more lame
>>> government regulation is not the solution. Let everyone compete on a
>>> level playing field, not by allowing one company to buy a monopoly
>>> enforced by men with guns.
>> Running a wire to everyone's house is a natural monopoly. It just
>> doesn't make sense, financially or technically, to try and manage 50
>> different companies all trying to install 50 different wires into every
>> house just to have competition at the IP layer. It also wouldn't make
>> sense to have 5 different competing water companies trying to service
>> your house, etc.
>
> This is the argument the government uses to keep first class mail
> service as an exclusive monopoly service for the USPS, claiming you
> wouldn't want 50 different mail carriers marching up and down your walk
> every day. Yet we aren't seeing a big problem with package delivery.
> Currently you have 3 choices, USPS, UPS, and FedEx.
> The market can't
> support more than 3 or 4 package delivery services (e.g. we had 4 with
> DHL, which didn't survive the financial meltdown). Why not open up the
> market for telco wiring and just see what happens? There might be 5 or
> perhaps even 10 players who try to enter the market, but there won't be
> 50 - it simply won't make financial sense for additional players to try
> to enter the market after a certain number of players are already in.
> And there certainly won't be 50 all trying to service the same
> neighborhood.
>
> And if a competing water service thought they could do better than the
> incumbent, why not let them put in a competing water project? If they
> think they can make money after the cost of the infrastructure, then
> they may be onto something. We don't have to worry that too many would
> join in, the laws of diminishing returns would make it unprofitable for
> the nth company to build out the infrastructure to enter the market.
>

Contrary to popular belief, the average person tends to severely dislike all forms of road construction or having their yard repeatedly torn up. I know it's all happy fun times to say "let's have 10 water/electrical providers and you can select which molecules/electrons you want!", but there's a practical limit as to how much stuff one can pack under a street's limited right of way. If you look at what's under there right now it's actually quite crowded. We just don't see it because it's buried.

~Seth

From young at jsyoung.net Sun Dec 19 21:31:37 2010
From: young at jsyoung.net (Jeffrey S. Young)
Date: Sun, 19 Dec 2010 22:31:37 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net>
Message-ID:

one of the most interesting things about coming to Australia (after working in the USA telecom industry for 20 years) was the opportunity to see such a proposal (the NBN) put into practice. who knows if the NBN will be quite what everyone hopes, but the premise is sound, the last mile is a natural monopoly.

I believe that 'competition' in the last mile is a red herring that simply maintains the status quo (which for many broadband consumers is woefully inadequate). I agree with you that the USA has too many lobbyists to ever put such a proposal in place, the telecoms in a large number of states have even limited or prevented municipalities from creating their own solutions, consumers have no hope. one has to wonder how different the telecom world might have been in the USA if a layer 1 - layer 2/3 separation was proposed instead of the at&t breakup and modified judgement

jy

On 19/12/2010, at 8:48 PM, Richard A Steenbergen wrote:
> On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote:
>>
>> The government granting a monopoly is the problem, and more lame
>> government regulation is not the solution. Let everyone compete on a
>> level playing field, not by allowing one company to buy a monopoly
>> enforced by men with guns.
>
> Running a wire to everyone's house is a natural monopoly. It just
> doesn't make sense, financially or technically, to try and manage 50
> different companies all trying to install 50 different wires into every
> house just to have competition at the IP layer. It also wouldn't make
> sense to have 5 different competing water companies trying to service
> your house, etc. This is where government regulation of the entities who
> ARE granted the monopoly status comes into play, to protect consumers
> against abuses like we're seeing Comcast commit today.
>
> Personally I think the right answer is to enforce a legal separation
> between the layer 1 and layer 3 infrastructure providers, and require
> that the layer 1 network provide non-discriminatory access to any
> company who wishes to provide IP to the end user. But that would take a
> lot of work to implement, and there are billions of dollars at work
> lobbying against it, so I don't expect it to happen any time soon. :)
>
> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
>

From cmadams at hiwaay.net Sun Dec 19 22:31:53 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Sun, 19 Dec 2010 22:31:53 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EBB72.50106@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com>
Message-ID: <20101220043153.GC11644@hiwaay.net>

Once upon a time, JC Dill said:
> Why not open up the
> market for telco wiring and just see what happens? There might be 5 or
> perhaps even 10 players who try to enter the market, but there won't be
> 50 - it simply won't make financial sense for additional players to try
> to enter the market after a certain number of players are already in.

Look up pictures of New York City in the early days of electricity. There were streets where you could hardly see the sky because of all the wires on the poles.

> And there certainly won't be 50 all trying to service the same neighborhood.

And there's the other half of the problem. Without franchise agreements that require (mostly) universal service, you'd get 50 companies trying to serve the richest neighborhoods in town, and none, or maybe one high-priced vendor, serving the poorer areas.

> And if a competing water service thought they could do better than the
> incumbent, why not let them put in a competing water project?

There is limited space, and most people don't want the road and their yard being dug up because their neighbor wants different water service. Also, the more people digging, the more breaks you'll have in existing services (and if there are fibers from 10 different companies cut, they'll be pointing fingers for blame and all trying to get in the hole at the same time to fix theirs first).

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
From gbonser at seven.com Sun Dec 19 22:37:24 2010
From: gbonser at seven.com (George Bonser)
Date: Sun, 19 Dec 2010 20:37:24 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D4@RWC-EX1.corp.seven.com>

>
> I believe that 'competition' in the last mile is a red herring that
> simply maintains the status quo (which for many broadband consumers is
> woefully inadequate). I agree with you that the USA has too many
> lobbyists to ever put such a proposal in place, the telecoms in a large
> number of states have even limited or prevented municipalities from
> creating their own solutions, consumers have no hope. one has to
> wonder how different the telecom world might have been in the USA if a
> layer 1 - layer 2/3 separation was proposed instead of the at&t breakup
> and modified judgement
>
> jy

I like the *idea* of having the infrastructure separate but I am not sure how well that could work unless there was a national infrastructure company that could spread costs over the entire customer base. If you look at what AT&T did in Fairbanks after the 1964 EQ, it was amazing what they were able to do in such a short time. They could draw on resources nationally and spread those costs over the entire operation. A local infrastructure company couldn't do that. I think it would have to be a national layer1 company. Maintaining infrastructure is costly and charges for services help subsidize infrastructure expansion/repair. Then you get to the finger pointing problem where the service provider points at the wire company and vice versa.

Then you have to ask yourself ... is the current system really all that broken? The *only* problem I see with the current system is a lack of competition for broadband in many areas. Address that problem and I think the other problems work themselves out. Even if there are only two choices, that is much better than one provider only.

From mike-nanog at tiedyenetworks.com Sun Dec 19 22:34:31 2010
From: mike-nanog at tiedyenetworks.com (Mike)
Date: Sun, 19 Dec 2010 20:34:31 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EBB72.50106@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com>
Message-ID: <4D0EDCD7.9040105@tiedyenetworks.com>

On 12/19/2010 06:12 PM, JC Dill wrote:
>
>
> And if a competing water service thought they could do better than the
> incumbent, why not let them put in a competing water project? If they
> think they can make money after the cost of the infrastructure, then
> they may be onto something. We don't have to worry that too many would
> join in, the laws of diminishing returns would make it unprofitable for
> the nth company to build out the infrastructure to enter the market.

On this point I would like to add some anecdotal information that may or may not be relevant: Where I used to live, a rural community in northern California, the township was the exclusive provider of water service to the community. The cost of water service was obscene compared to urban water service, and in fact we had to put up with drought conditions due to insufficient water storage in the system and no connections to other water systems. They went ahead and passed laws that made it illegal for you to have your own water storage tanks on your own property (which is something the local population has easy access to and would be considered normal for the area). Furthermore, the lack of available 'water permits' severely restricted the ability of land owners to build the properties they bought, and drove down property values since you couldn't find a buyer for land you can't develop (in that area). A second water / sewer provider would have set the township govt on its ear, to the benefit of the residents and property owners....

From owen at delong.com Sun Dec 19 22:38:32 2010
From: owen at delong.com (Owen DeLong)
Date: Sun, 19 Dec 2010 20:38:32 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC130D2@RWC-EX1.corp.seven.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <5A6D953473350C4B9995546AFE9939EE0BC130D2@RWC-EX1.corp.seven.com>
Message-ID: <2482A525-6FB1-4D5E-BB88-95D013AD010A@delong.com>

On Dec 19, 2010, at 5:50 PM, George Bonser wrote:
>> Personally I think the right answer is to enforce a legal separation
>> between the layer 1 and layer 3 infrastructure providers, and require
>> that the layer 1 network provide non-discriminatory access to any
>> company who wishes to provide IP to the end user. But that would take a
>> lot of work to implement, and there are billions of dollars at work
>> lobbying against it, so I don't expect it to happen any time soon. :)
>>
>> --
>> Richard A Steenbergen http://www.e-gerbil.net/ras
>> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
>
> I agree. The "highway" model of commerce is better than the "railroad"
> model of commerce.
>

Australia is actually experimenting with something like that as we speak.

Owen

From owen at delong.com Sun Dec 19 22:44:21 2010
From: owen at delong.com (Owen DeLong)
Date: Sun, 19 Dec 2010 20:44:21 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EBB72.50106@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com>
Message-ID: <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com>

On Dec 19, 2010, at 6:12 PM, JC Dill wrote:
> On 19/12/10 5:48 PM, Richard A Steenbergen wrote:
>> On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote:
>>> The government granting a monopoly is the problem, and more lame
>>> government regulation is not the solution. Let everyone compete on a
>>> level playing field, not by allowing one company to buy a monopoly
>>> enforced by men with guns.
>> Running a wire to everyone's house is a natural monopoly. It just
>> doesn't make sense, financially or technically, to try and manage 50
>> different companies all trying to install 50 different wires into every
>> house just to have competition at the IP layer. It also wouldn't make
>> sense to have 5 different competing water companies trying to service
>> your house, etc.
>
> This is the argument the government uses to keep first class mail service as an exclusive monopoly service for the USPS, claiming you wouldn't want 50 different mail carriers marching up and down your walk every day. Yet we aren't seeing a big problem with package delivery. Currently you have 3 choices, USPS, UPS, and FedEx. The market can't support more than 3 or 4 package delivery services (e.g. we had 4 with DHL, which didn't survive the financial meltdown). Why not open up the market for telco wiring and just see what happens? There might be 5 or perhaps even 10 players who try to enter the market, but there won't be 50 - it simply won't make financial sense for additional players to try to enter the market after a certain number of players are already in. And there certainly won't be 50 all trying to service the same neighborhood.
>

You can send letters just as well as packages via the other carriers.

The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, et al. could offer a $0.44 letter product if they wanted to. They could not call it mail. They could call it "first class document delivery."

However, the reality is that they probably couldn't sustain their business at that price point.

The USPS doesn't have an actual monopoly so much as ownership of the term Mail almost like a trademark. What they do have is an infrastructure built at taxpayer expense that creates a very high barrier to entry for competition at their price points.

> And if a competing water service thought they could do better than the incumbent, why not let them put in a competing water project? If they think they can make money after the cost of the infrastructure, then they may be onto something. We don't have to worry that too many would join in, the laws of diminishing returns would make it unprofitable for the nth company to build out the infrastructure to enter the market.
>

The point is that the cost of the infrastructure usually exceeds what you can recoup if you only have part of the population in a given area as your customers, thus, creating natural monopolies.

Owen

From owen at delong.com Sun Dec 19 22:47:40 2010
From: owen at delong.com (Owen DeLong)
Date: Sun, 19 Dec 2010 20:47:40 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101220022113.GE38726@gerbil.cluepon.net>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220015826.GA75503@ussenterprise.ufp.org> <20101220022113.GE38726@gerbil.cluepon.net>
Message-ID:

On Dec 19, 2010, at 6:21 PM, Richard A Steenbergen wrote:
> On Sun, Dec 19, 2010 at 05:58:26PM -0800, Leo Bicknell wrote:
>>
>> I dream of a day where we have municipal fiber to the home, leased to
>> any ISP who wants to show up at the local central office for a dollar
>> or two a month so there can be true competition in end-user services.
>
> Take a second and think about what THAT would do to the ratio wars.
> Imagine if any hosting/content provider, with potentially hundreds or
> thousands of gigabits of unused inbound capacity on their networks,
> could easily get into providing IP service to eyeballs. Even ignoring
> the existing 95th percentile silliness like "free inbound transit",
> which would no doubt rapidly evaporate under this kind of model, the
> difference in efficiencies between the highly competitive hosting world
> and the highly non-competitive last mile world are simply staggering.

You say this as if having such a disruption would be a bad thing.

> For many content networks, it would be an opportunity to start making
> money on their bits instead of paying for them, and networks without
> content expertise would be in serious trouble.
>

I'm not seeing the problem here. Like any business in a changing climate, they would have to either develop expertise or perish.

> I personally can't think of a single thing with more potential for
> massive disruption to the business models of incumbent providers. There
> are so many billions of dollars at stake protecting the status quo that
> it's not even funny, which IMHO is why you'll never see any of this
> happen in the US, in any kind of scale at any rate. :)
>

Yes... This is where the "market makes it best" philosophy fails. When the market has become entrenched in one way of doing things, a better way can face serious opposition because of this very fact.

Personally, I don't see such a disruption as a down-side. I think it would be the introduction of a relatively level playing field in an area where the playing field has long been very uneven.

Owen

From jcdill.lists at gmail.com Sun Dec 19 23:05:12 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Sun, 19 Dec 2010 21:05:12 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101220022554.GF38726@gerbil.cluepon.net>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net>
Message-ID: <4D0EE408.7010306@gmail.com>

On 19/12/10 6:25 PM, Richard A Steenbergen wrote:
> On Sun, Dec 19, 2010 at 06:12:02PM -0800, JC Dill wrote:
>> And if a competing water service thought they could do better than the
>> incumbent, why not let them put in a competing water project? If they
>> think they can make money after the cost of the infrastructure, then
>> they may be onto something. We don't have to worry that too many
>> would join in, the laws of diminishing returns would make it
>> unprofitable for the nth company to build out the infrastructure to
>> enter the market.
> The laws of diminishing returns have already set the bar for the point
> at which it's not profitable for a new company to enter the market and
> try to compete. Right now the number is roughly 2, cable and dsl, give
> or take a few outliers. I do believe the point would be to encourage a
> little more competition than that. :)

This is true but ONLY in the current climate where the incumbents have a monopoly on the ability to put in cabling for the last mile to homes. I live in an area where there are 2 ILECs (AT&T, Verizon) in nearby proximity. Both are putting in fiber to some homes in their respective areas.
Imagine what would happen if they could both put in fiber in the other areas. Then they would be *competitors* for those customers. Right now, they don't compete - they each have a territory and in their territory they are the predominant telco player (competing with the cable incumbent - usually Comcast). jc From jcdill.lists at gmail.com Sun Dec 19 23:25:01 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Sun, 19 Dec 2010 21:25:01 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220043153.GC11644@hiwaay.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> Message-ID: <4D0EE8AD.7030706@gmail.com> On 19/12/10 8:31 PM, Chris Adams wrote: > Once upon a time, JC Dill said: >> Why not open up the >> market for telco wiring and just see what happens? There might be 5 or >> perhaps even 10 players who try to enter the market, but there won't be >> 50 - it simply won't make financial sense for additional players to try >> to enter the market after a certain number of players are already in. > Look up pictures of New York City in the early days of electricty. > There were streets where you couldn't hardly see the sky because of all > the wires on the poles. > Can you provide a link to a photo of this situation? >> And there certainly won't be 50 all trying to service the same neighborhood. > And there's the other half of the problem. Without franchise agreements > that require (mostly) universal service, you'd get 50 companies trying > to serve the richest neighborhoods in town, No you wouldn't. 
Remember those diminishing returns. At most you would likely have 4 or 5. If you are player 6 you aren't going to spend the money to build out in an area where there are 5 other players already - you will build out in a different neighborhood where there are only 2 or 3 players. Then, later, you might buy out the weakest of the 5 players in the rich neighborhood to gain access to that neighborhood when player 5 is on the verge of going BK. It's also silly to think that being player 6 to build out in a "richer neighborhood" would be a good move. The rich like to get a good deal just like everyone else. (They didn't *get* rich by spending their money unwisely.) As an example, I will point people to the neighborhood between Page Mill Road and Stanford University, an area originally built out as housing for Stanford professors. They have absolutely awful broadband options in that area. They have been *begging* for someone to come in with a better option. This is a very wealthy community (by US national standards) with median family incomes in the 6 figures according to the 2000 census data. Right now they can only get slow and expensive DSL or slightly faster and also expensive cable service. The city of Palo Alto has sonet fiber running right along the edges of this neighborhood. (see, http://poulton.net/ftth/slides.ps.pdf slide 18.) It's a perfect place for an ISP to put in a junction box and build a local fiber network to connect these homes with fiber to the Palo Alto fiber. But apparently the regulatory obstacles make it too complicated. THAT is what I'm talking about above. Since the incumbents don't want to provide improved services, get rid of those obstacles, let new players move in and put in service without so many obstacles. 
jc From jcdill.lists at gmail.com Sun Dec 19 23:30:45 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Sun, 19 Dec 2010 21:30:45 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> Message-ID: <4D0EEA05.6060500@gmail.com> On 19/12/10 8:44 PM, Owen DeLong wrote: > You can send letters Technically, this is illegal. You can send "documents" via FedEx and UPS. > just as well as packages via the other carriers. > > The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, > et. al could offer a $0.44 letter product if they wanted to. No, they can't. http://en.wikipedia.org/wiki/Private_Express_Statutes > They could not call it mail. They could call it "first class document delivery." > > However, the reality is that they probably couldn't sustain their business > at that price point. > > The USPS doesn't have an actual monopoly so much as ownership of > the term Mail almost like a trademark. It's not just a trademark, it's the class of service. Just try starting up a regular mail service, and see how far you get before they SHUT YOU DOWN. > What they do have is an infrastructure > built at taxpayer expense that creates a very high barrier to entry for > competition at their price points. FedEx entered the package delivery market even though there was a very high barrier to entry, and they succeeded. 
jc From gbonser at seven.com Mon Dec 20 00:09:46 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 19 Dec 2010 22:09:46 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com><4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net><4D0EBB72.50106@gmail.com> <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D7@RWC-EX1.corp.seven.com> > > > You can send letters just as well as packages via the other carriers. > > The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, > et. al could offer a $0.44 letter product if they wanted to. There are certain legalities involved with first class mail that are not the same with other forms of transit of written material. Intercept requirements are different, for one thing, as are other privacy requirements. For example, it is a federal crime to tamper with a US mail box or with US mail, not so sure if that is so for a FedEx box. First class mail enjoys certain "expectations of privacy" that other forms of letter transport may not enjoy. 
From gbonser at seven.com Mon Dec 20 00:11:42 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 19 Dec 2010 22:11:42 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220015826.GA75503@ussenterprise.ufp.org><20101220022113.GE38726@gerbil.cluepon.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D8@RWC-EX1.corp.seven.com> > Yes... This is where the "market makes it best" philosophy fails. When > the > market has become entrenched in one way of doing things, a better way > can face serious opposition because of this very fact. The problem is that we don't *have* a market in many places. We have a monopoly provider and the people have no alternative in too many places, what we need in those places is a market. One provider does not a "market" make. It is a "company store" at that point. 
From randy at psg.com Mon Dec 20 00:15:25 2010 From: randy at psg.com (Randy Bush) Date: Mon, 20 Dec 2010 15:15:25 +0900 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EE8AD.7030706@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> Message-ID: >> There were streets where you couldn't hardly see the sky because of all >> the wires on the poles. > Can you provide a link to a photo of this situation? come to tokyo. or hcmc. or ... it's an art form. From gbonser at seven.com Mon Dec 20 00:55:18 2010 From: gbonser at seven.com (George Bonser) Date: Sun, 19 Dec 2010 22:55:18 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net><4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net><4D0EE8AD.7030706@gmail.com> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> > > >> There were streets where you couldn't hardly see the sky because of > all > >> the wires on the poles. > > Can you provide a link to a photo of this situation? > > come to tokyo. or hcmc. or ... it's an art form. 
c. 1925 when each subscriber (or party line) had their own pair: http://www.sfgate.com/blogs/images/sfgate/beltran/2009/07/24/Tina_modotti_wires447x625.jpg Vietnam: http://constructionknowledge.files.wordpress.com/2009/05/tangled_power_wires_vietnam.jpg Nepal: http://constructionknowledge.files.wordpress.com/2009/05/tangled_power_wires_nepal.jpg Location unknown: http://constructionknowledge.files.wordpress.com/2009/05/tangled_wires_toilet.jpg India: http://pinkbunnyears.com/wp-content/uploads/2008/05/telephone-pole.jpg From sysoleg at yandex.ru Mon Dec 20 01:36:28 2010 From: sysoleg at yandex.ru (Oleg A. Arkhangelsky) Date: Mon, 20 Dec 2010 10:36:28 +0300 Subject: blackhole-1.iana.org and blackhole-1.iana.org servers are down? Message-ID: <132161292830588@web62.yandex.ru> Hello, It seems that 192.175.48.6 and 192.175.48.42 are not replying to reverse DNS lookups for RFC1918 addresses. Has anybody noticed this? -- wbr, Oleg. From randy at psg.com Mon Dec 20 01:41:27 2010 From: randy at psg.com (Randy Bush) Date: Mon, 20 Dec 2010 16:41:27 +0900 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> Message-ID: > http://pinkbunnyears.com/wp-content/uploads/2008/05/telephone-pole.jpg true beauty that only a perl code maintainer could fully appreciate From marka at isc.org Mon Dec 20 01:45:42 2010 From: marka at isc.org (Mark Andrews) Date: 
Mon, 20 Dec 2010 18:45:42 +1100 Subject: blackhole-1.iana.org and blackhole-1.iana.org servers are down? In-Reply-To: Your message of "Mon, 20 Dec 2010 10:36:28 +0300." <132161292830588@web62.yandex.ru> References: <132161292830588@web62.yandex.ru> Message-ID: <20101220074542.A854C8107E9@drugs.dv.isc.org> In message <132161292830588 at web62.yandex.ru>, "Oleg A. Arkhangelsky" writes : > Hello, > > It seems that 192.175.48.6 and 192.175.48.42 are not replying to reverse > DNS lookups for RFC1918 addresses. > > Has anybody noticed this? These machines are anycast and run by multiple operators. You will need to traceroute to them and contact the last operator. See as112.net. > -- > wbr, Oleg. > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From jeroen at unfix.org Mon Dec 20 01:47:42 2010 From: jeroen at unfix.org (Jeroen Massar) Date: Mon, 20 Dec 2010 08:47:42 +0100 Subject: blackhole-1.iana.org and blackhole-1.iana.org servers are down? In-Reply-To: <132161292830588@web62.yandex.ru> References: <132161292830588@web62.yandex.ru> Message-ID: <4D0F0A1E.9030302@unfix.org> On 2010-12-20 08:36, "Oleg A. Arkhangelsky" wrote: > Hello, > > It seems that 192.175.48.6 and 192.175.48.42 are not replying to reverse > DNS lookups for RFC1918 addresses. > > Has anybody noticed this? As those addresses are generally hosted by AS112 instances (see http://www.as112.net) it depends to which one you are trying to talk. Traceroutes are such magical things, and as this is NANOG you most likely should be able to check your local BGP feed. 
Also a nice related question of course is why you are hitting those nodes in the first place, as the whole point is that you should not be doing that ;) Greets, Jeroen From mpetach at netflight.com Mon Dec 20 01:48:52 2010 From: mpetach at netflight.com (Matthew Petach) Date: Sun, 19 Dec 2010 23:48:52 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220022113.GE38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220015826.GA75503@ussenterprise.ufp.org> <20101220022113.GE38726@gerbil.cluepon.net> Message-ID: On Sun, Dec 19, 2010 at 6:21 PM, Richard A Steenbergen wrote: > On Sun, Dec 19, 2010 at 05:58:26PM -0800, Leo Bicknell wrote: >> >> I dream of a day where we have municipal fiber to the home, leased to >> any ISP who wants to show up at the local central office for a dollar >> a two a month so there can be true competition in end-user services. > > Take a second and think about what THAT would do to the ratio wars. > Imagine if any hosting/content provider, with potentially hundreds or > thousands of gigabits of unused inbound capacity on their networks, > could easily get into providing IP service to eyeballs. Even ignoring > the existing 95th percentile silliness like "free inbound transit", > which would no doubt rapidly evaporate under this kind of model, the > difference in efficiencies between the highly competitive hosting world > and the highly non-competitive last mile world are simply staggering. > For many content networks, it would be an opportunity to start making > money on their bits instead of paying for them, and networks without > content expertise would be in serious trouble. 
http://www.google.com/appserve/fiberrfi Uh...yeah, I think they've already been thinking about that for a while now. > I personally can't think of a single thing with more potential for > massive disruption to the business models of incumbent providers. There > are so many billions of dollars at stake protecting the status quo that > it's not even funny, which IMHO is why you'll never see any of this > happen in the US, in any kind of scale at any rate. :) Unless of course, it's a content company with even more billions of dollars that decides it might just be worth it to be able to balance out some of their ratios, and make use of all the idle inbound capacity... Matt From jcdill.lists at gmail.com Mon Dec 20 02:45:09 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 00:45:09 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net><4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net><4D0EE8AD.7030706@gmail.com> <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> Message-ID: <4D0F1795.1020902@gmail.com> On 19/12/10 10:55 PM, George Bonser wrote: >>>> There were streets where you couldn't hardly see the sky because of >> all >>>> the wires on the poles. >>> Can you provide a link to a photo of this situation? >> come to tokyo. or hcmc. or ... it's an art form. 
http://www.sfgate.com/blogs/images/sfgate/beltran/2009/07/24/Tina_modotti_wires447x625.jpg This is not the result of many different providers, it's the result of one provider stringing many lines to supply service. I'm guessing this was before they figured out how to run trunk lines and then split out the calls from the trunk into individual lines closer to the end user's location - or how to bundle lines together, etc. So each wire we see in that photo is a *single* wire running from the central office to one subscriber (or party line). > India: > > http://pinkbunnyears.com/wp-content/uploads/2008/05/telephone-pole.jpg Department of Telecommunications (DoT) is the monopoly operator in India. That photo isn't due to a situation where there were numerous different providers, it's due to ONE provider with a monopoly, doing a half-assed job. I checked the first and last links you posted, and neither of them had anything to do with the topic of "50 providers stringing lines to every house". I'm not going to waste my time checking the rest of the links - especially since you can't even bother to properly format them so they don't break and they have to be pieced together to work. jc From choprboy at dakotacom.net Mon Dec 20 05:22:06 2010 From: choprboy at dakotacom.net (Choprboy) Date: Mon, 20 Dec 2010 04:22:06 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EE8AD.7030706@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> Message-ID: <201012200422.07315.choprboy@dakotacom.net> On Sunday 19 December 2010 22:25, JC Dill wrote: > On 19/12/10 8:31 PM, Chris Adams wrote: > > Look up pictures of New York City in the early days of electricty. > > There were streets where you couldn't hardly see the sky because of all > > the wires on the poles. > > Can you provide a link to a photo of this situation? 
> It wasn't the earlier days of electricity per se, it was the early days of the telegraph (late 1800s and early 1900s). Dozens, if not hundreds, of different telegraph companies raced to put up different wires and poles to claim the market (and sometimes cut down each other's wires). Fraught with fear of completely losing any view of the sky and the dangers of so much shoddy work over citizens' heads (wires would frequently fall in storms and such), New York and many other cities began restricting the number of providers that could service a given area. The "classic" New York telegraph wiring nightmare image: http://www.vny.cuny.edu/Search/search_res_image.php?id=363 Other images: http://www.nlm.nih.gov/onceandfutureweb/database/seca/case3-artifacts/photoslg/photo1.jpg http://www.maggieblanck.com/NewYork/SU.html http://ephemeralnewyork.wordpress.com/2009/12/12/when-the-city-was-criss-crossed-by-wires/ http://www.islandnet.com/~see/weather/graphics/photos0708/blizzard_1888h.jpg Adrian From jsw at inconcepts.biz Mon Dec 20 05:55:22 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Mon, 20 Dec 2010 06:55:22 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: On Sun, Dec 19, 2010 at 8:48 PM, Richard A Steenbergen wrote: > Running a wire to everyone's house is a natural monopoly. It just > doesn't make sense, financially or technically, to try and manage 50 > different companies all trying to install 50 different wires into every > house just to have competition at the IP layer. 
> It also wouldn't make

What no one has mentioned thus far is that CLECs really are able to install their own facilities to homes and businesses if they decide that is a good way to invest their finite resources. This is why we see several options for local loops in the "business district" of every sizable city, as well as in many newly-developed areas such as industrial parks. These infrastructure builds are expensive, the CLECs had limited logistical capabilities and could only manage so many projects at once, and obviously, they focused their efforts on the parts of town where return-on-investment was likely to be highest. Businesses often do have several good choices for voice, data, Internet, and so on. Cogent is an example of an essentially Internet-only service having some degree of success at this without even offering voice, or initially even transport, products. The reason we will not see competitive facility builds to residences is they have a very long ROI scale. Everything in the traditional telecommunications world did. Many POTS customers still pay a fee for DTMF or "touch tone dialing", because when their phone company invested in new cards and software to support DTMF signalling, they passed those expenses on to consumers. These upgrades cost on the order of a thousand dollars per phone line, but consumers could get the benefit of DTMF by paying a couple dollars per month. See also: call waiting, caller ID, and so on. I don't know about you, but I was still using an "ATDP" dialing string until cable and DSL became available to me at home (in about 2002) because I did not want to pay the extra fee for touch tone dialing or other features I didn't need on a dedicated modem line. ;) We see examples of more choice available to business consumers than residences, due to economies of scale, every day. A business, apartment community, or neighborhood association can choose from multiple dumpster-tip services for trash collection. 
Most residents do not have enough trash volume to justify a bulky dumpster, so their only practical choice is whatever curb-side trash collection company has an agreement with their local government. -- Jeff S Wheeler Sr Network Operator / Innovative Network Concepts From bmanning at isi.edu Mon Dec 20 06:43:05 2010 From: bmanning at isi.edu (bill manning) Date: Mon, 20 Dec 2010 04:43:05 -0800 Subject: AS Numbers from a common 32-bit pool. References: <4D0F3B1A.2050900@afrinic.net> Message-ID: are y'all ready for this gift? --bill Begin forwarded message: > From: "Ernest - (AfriNIC)" > Date: December 20, 2010 3:16:42 PST > To: announce at afrinic.net > Subject: [AfriNIC-announce] AfriNIC to assign AS Numbers from a common 32-bit pool. > > Dear Colleagues, > > According to the "IANA Policy for Allocation of ASN Blocks to the > Regional Internet Registries (RIRs)" - > http://www.afrinic.net/docs/policies/AFPUB-2008-ASN-001.htm , IANA > will cease to make any distinction between 16 and 32-bit only > ASN blocks on 31 December 2010 when making allocations to RIRs. > > After this date, the RIRs will assign AS Numbers from an > undifferentiated 32-bit ASN allocation pool. > > Consequently, for any entity requesting an ASN, AfriNIC will cease > to present the ability to opt for a 16- or 32-bit ASN, and will > start issuing ASNs from a common 32-bit pool. > > We therefore urge all IP network operators to ensure that their > routing infrastructure is 32-bit ASN compatible. > > Kind regards, > > Ernest Byaruhanga. > > > > > _______________________________________________ > announce mailing list > announce at afrinic.net > https://lists.afrinic.net/mailman/listinfo.cgi/announce From nanog at hstrauss.co.za Mon Dec 20 06:49:49 2010 From: nanog at hstrauss.co.za (Heinrich Strauss) Date: Mon, 20 Dec 2010 14:49:49 +0200 Subject: AS Numbers from a common 32-bit pool. 
In-Reply-To: References: <4D0F3B1A.2050900@afrinic.net> Message-ID: <4D0F50ED.1010001@hstrauss.co.za> I'm kinda fearing this in South Africa, as we have a few large incumbents who aren't really driving -NG versions of protocols. They also have a "prove to us it's broken, and we may look at it in a few months' time"-attitude towards it. :O So 32-bit ASNs and IPv6 equally aren't really being driven, apart from by a few key Academic players. Just my ZAR 0.02 -H. On 2010/12/20 14:43, bill manning wrote: > are y'all ready for this gift? > > --bill > > Begin forwarded message: > >> From: "Ernest - (AfriNIC)" >> Date: December 20, 2010 3:16:42 PST >> To: announce at afrinic.net >> Subject: [AfriNIC-announce] AfriNIC to assign AS Numbers from a common 32-bit pool. >> >> Dear Colleagues, >> >> According to the "IANA Policy for Allocation of ASN Blocks to the >> Regional Internet Registries (RIRs)" - >> http://www.afrinic.net/docs/policies/AFPUB-2008-ASN-001.htm , IANA >> will cease to make any distinction between 16 and 32-bit only >> ASN blocks on 31 December 2010 when making allocations to RIRs. >> >> After this date, the RIRs will assign AS Numbers from an >> undifferentiated 32-bit ASN allocation pool. >> >> Consequently, for any entity requesting an ASN, AfriNIC will cease >> to present the ability to opt for a 16- or 32-bit ASN, and will >> start issuing ASNs from a common 32-bit pool. >> >> We therefore urge all IP network operators to ensure that their >> routing infrastructure is 32-bit ASN compatible. >> >> Kind regards, >> >> Ernest Byaruhanga. >> >> >> >> >> _______________________________________________ >> announce mailing list >> announce at afrinic.net >> https://lists.afrinic.net/mailman/listinfo.cgi/announce > From anthony at handynetworks.com Mon Dec 20 07:10:47 2010 From: anthony at handynetworks.com (Anthony Francis - Handy Networks LLC) Date: Mon, 20 Dec 2010 13:10:47 +0000 Subject: used / refurb voip phones? 
In-Reply-To: References: Message-ID: <0B3B139B67263843A5D72FD2BF3EBA694662E0@OfficeExch2k7A.exchange.handynetworks.com> Aastra http://www.aastra.com/products-desk-phones.htm Thank you and have a nice day, Anthony Francis -----Original Message----- From: Shacolby Jackson [mailto:shacolby at bluejeansnet.com] Sent: Friday, December 17, 2010 3:10 PM To: nanog at merit.edu Subject: OT: used / refurb voip phones? A little off topic but anyone have any recommendations for vendors selling used voip handsets, especially Polycom? Looking for some IP335 or better. There are only a couple used gear resellers I trust and none seem to carry Polycom, only Cisco and even those only seem to have low end handsets. -shac From jmamodio at gmail.com Mon Dec 20 07:10:51 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Mon, 20 Dec 2010 07:10:51 -0600 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: It is amusing to see how with the passing of time we went through the cycles of government research, open collaboration, widespread cooperation, global ubiquity, international coordination, trademark protection, commitments affirmation, content regulation, and we seem to be now in the government masturbation phase, it will pass. and IP packets keep flowing ... and will keep flowing. 
-J From randy at psg.com Mon Dec 20 07:27:32 2010 From: randy at psg.com (Randy Bush) Date: Mon, 20 Dec 2010 22:27:32 +0900 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: > It is amusing to see how with the passing of time we went through the > cycles of government research, open collaboration, widespread > cooperation, global ubiquity, international coordination, trademark > protection, commitments affirmation, content regulation, and we seem > to be now in the government masturbation phase, it will pass. > > and IP packets keep flowing ... and will keep flowing. you may want to look at how television and radio were captured and turned into 500 channels of crap. randy From jmamodio at gmail.com Mon Dec 20 07:31:49 2010 From: jmamodio at gmail.com (Jorge Amodio) Date: Mon, 20 Dec 2010 07:31:49 -0600 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> Message-ID: > you may want to look at how television and radio were captured and > turned into 500 channels of crap. 
but now it is digital and HD crap, wired and wireless :-) perhaps we have to develop the Content Removal Admin Protocol, aka CRAP -J From ops.lists at gmail.com Mon Dec 20 07:34:07 2010 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 20 Dec 2010 19:04:07 +0530 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0F1795.1020902@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> <4D0F1795.1020902@gmail.com> Message-ID: On Mon, Dec 20, 2010 at 2:15 PM, JC Dill wrote: > Department of Telecommunications (DoT), is the monopoly operator in India. > That photo isn't due to a situation where there were numerous different > providers, it's due to ONE provider with a monopoly, doing a half-assed job. DoT is the regulator - kind of like the FCC The monopoly provider (still a very large one) was called BSNL [Bharat Sanchar Nigam Ltd - India Telecom Company, Ltd] as opposed to VSNL / Videsh ... (Videsh = Foreign) VSNL was privatized some years back as you all know .. and as for local phone service you can buy that from at least 4 or 5 nationwide landline providers, besides several cellphone providers. "Monopoly" is what there was like a decade back. 
-- Suresh Ramasubramanian (ops.lists at gmail.com) From bclark at spectraaccess.com Mon Dec 20 08:11:46 2010 From: bclark at spectraaccess.com (Bret Clark) Date: Mon, 20 Dec 2010 09:11:46 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: <4D0F6422.9080408@spectraaccess.com> On 12/20/2010 06:55 AM, Jeff Wheeler wrote: > What no one has mentioned thus far is that CLECs really are able to > install their own facilities to homes and businesses if they decide > that is a good way to invest their finite resources. Yes and no, we tried that way back when but found out that there were rules in place allowing only 3 lines on a pole (Elec, tele, cable), basically the rules are there to stop poles from having a gazillion lines on them; a throwback from the early 1900's. Back then there were numerous Telephone companies competing for the same customer and poles became a nightmare with wires. It was common for competitors to cut other competitors' lines back then. Sure CLEC's could go underground, but outside of the expense, the permit process would be a nightmare. Where there was conduit available we'd go that route, but Verizon would give us a hard time about it. From nenolod at systeminplace.net Mon Dec 20 08:41:31 2010 From: nenolod at systeminplace.net (William Pitcock) Date: Mon, 20 Dec 2010 08:41:31 -0600 Subject: Why do ISPs still not do packet source verification in 2010? Message-ID: <20101220084131.1c3ae53c@petrie.gateway.2wire.net> Hi, I am wondering why it seems that many ISPs still do not do packet source verification in 2010? 
Just last night I had to deal with a DoS attack that would have been impossible if more ISPs did packet source verification. I mean, it's 2010. We can do IP-level ACLs in hardware on most of the current routing platforms on the market. I know it can be done on Cisco, Brocade, etc. Not sure on the new NX-OS stuff, but the 6500 series chassis can do IP-level ACL in hardware. The ACLs aren't hard either, you set an ACL forbidding traffic from anything other than an access-list containing their allocated IP ranges... Grumble. (on the other hand, it's not like spoofing does any good anyway... if you're willing to work the netflow data and call your upstreams to get at their netflow data you can easily trace each bot in the botnet to its origination network which can then look at their traffic flow data and shut it down...) William From brunner at nic-naa.net Mon Dec 20 08:52:19 2010 From: brunner at nic-naa.net (Eric Brunner-Williams) Date: Mon, 20 Dec 2010 09:52:19 -0500 Subject: UN mulls internet regulation options In-Reply-To: References: <4D0E796E.2040603@dcrocker.net> <9942191A-3096-4648-A92F-C0BB1AE2EA59@cisco.com> <4D0EA6AE.8020609@nic-naa.net> Message-ID: <4D0F6DA3.6070008@nic-naa.net> On 12/19/10 8:28 PM, John Curran wrote: > ... I also intervened twice requested clarification of exactly how a government-only decision body for Internet policy would fulfill the "consultation with all stakeholders" paragraph specified in the Tunis agenda. The answer from several countries was not encouraging, suggesting the consultation could be done in the UN manner through their Member State delegations. This government-only view is being asserted by several countries, but India, Brazil, South Africa and Saudi Arabia are carrying it most strongly ... 
john (et al), not that my year as a regional officer within the at-large advisory committee of icann is a pedestal much grander than an acronym to laborious declaim, but the fundamental claim for the at large is to provide an institutional means for public interests not necessarily addressed by national governments, nor necessarily addressed by other supporting organizations or advisory committees, in the curious public-private multi-stakeholder model ira magaziner stuck us with. india abandoned public control of the .in name space, providing the operational franchise to afilias, a for-profit registry services provider whose facilities are located in north america. south africa is currently in the process of re-organizing the .za name space, having issued a tender for consulting, won by ausreg, a for-profit registry services provider whose facilities are located in australia. while this is not a complete retreat from public control of a public resource, as in the case of india, the rfp proposed a subsequent rfp which would similarly transfer operational control to a for-profit registry services provider. brazil's public name space operator is, to the best of my knowledge, reasonably well-informed of the outstanding issues in the icann experience in a public-private multi-stakeholder model, and reasonably content with the icann instance of this model. fix yes, break no. saudi arabia presents a more nuanced case, at icann. the state is aware that the ratio of arabic language content "on the net" is not proportional to the ratio of arabic language speakers. this is the focus of a government initiated program. the state, through the league of arab states, has published an rfi for contractors to operate a pair of name spaces, "arabi" in arabic script, and "arab" in latin script. 
the adoption of the country code name spaces by the aggregate members of the league of arab states, all of which have significant administrative costs to would-be registrants, is less than the adoption of the .ir name space, which has a healthy and competitive (though consolidation is taking place for market economic reasons) registrar regime, and vastly less effective "statist" administrative cost to would-be registrants. in sum, the state is aware that "statist" approaches to arabic language uptake and operational investment in infrastructure compare poorly to alternatives. in other areas, from wireline to wireless voice, to petroleum, that state uses non-state resources to promote public policy goals. as the gac is working more closely with the alac than at any prior point in the past, and the gac has vigorously and overtly represented private interests (primarily trademark holders), the "governments only" model advanced elsewhere seems ... largely uninformed by the operational practice of a working policy body with significant government participation as governments. > I hope this helps provide some context as you requested. it provides some specific questions to pursue. note that there will be an intersessional meeting arising from the gac's formal notice to the board that it considered its advice on two subject areas to have been rejected by the board, triggering the icann bylaws. are the respective wsis++ folks not in sync with the respective icann++ folks? granted, almost all of this is on the names side of the {addr,asn,dns} triple that icann is self-or-other-tasked to administer, so the v6 and rir bits are mostly not addressed. thanks for the pointers, i'll catch up on the wsis bits i've ignored for most of a decade, but it will be in my spare time, and there are so many people in wsis i find less pleasant company than a room full of trademark lawyers. eric p.s. 
the acronym to laborious declaim comes with no other benefits, so someone with travel nickles will have to cover the june wsis in geneva. as i don't work for core any longer i can't wrangle a trip to check on the fondue supplies or the secretariat operations or ... From bonomi at mail.r-bonomi.com Mon Dec 20 09:02:20 2010 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Mon, 20 Dec 2010 09:02:20 -0600 (CST) Subject: Some truth about Comcast - WikiLeaks style Message-ID: <201012201502.oBKF2Ka9029196@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Dec 19 23:31:25 2010 > Date: Sun, 19 Dec 2010 21:30:45 -0800 > From: JC Dill > To: NANOG list > Subject: Re: Some truth about Comcast - WikiLeaks style > > On 19/12/10 8:44 PM, Owen DeLong wrote: > > You can send letters > > Technically, this is illegal. You can send "documents" via FedEx and UPS. > > > just as well as packages via the other carriers. > > > > The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, > > et. al could offer a $0.44 letter product if they wanted to. > > No, they can't. > > http://en.wikipedia.org/wiki/Private_Express_Statutes > > > They could not call it mail. They could call it "first class document delivery." > > > > However, the reality is that they probably couldn't sustain their business > > at that price point. > > > > The USPS doesn't have an actual monopoly so much as ownership of > > the term Mail almost like a trademark. > > > It's not just a trademark, it's the class of service. Just try starting > up a regular mail service, and see how far you get before they SHUT YOU > DOWN. Actually, the gov't -won't- shut you down in that situation. They *WILL*, however make you pay -them- the statutory "first-class" postage rate for each such piece you carry. 
Aside: put a 'personal' sealed envelope communication inside a FedEx/UPS/ whatever shipment, and you are _supposed_ to (a) 'declare' it on the outside of the package, and (b) put the appropriate postage stamps on the package. The FedEx 'overnight letter' (and other carrier equivalents) is a really cute case of threading the needle between what does and does not require first-class postage. It makes _interesting_ reading to review the actual tariffs and express service 'rules' on what you can send via that service. From sjs at princeton.edu Mon Dec 20 10:26:11 2010 From: sjs at princeton.edu (Steve Schultze) Date: Mon, 20 Dec 2010 11:26:11 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0F1795.1020902@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <5A6D953473350C4B9995546AFE9939EE0BC130D9@RWC-EX1.corp.seven.com> <4D0F1795.1020902@gmail.com> Message-ID: On Dec 20, 2010, at 3:45 AM, JC Dill wrote: > On 19/12/10 10:55 PM, George Bonser wrote: >> http://www.sfgate.com/blogs/images/sfgate/beltran/2009/07/24/Tina_modotti_wires447x625.jpg > > This is not the result of many different providers, it's the result of one provider stringing many lines to supply service. I'm guessing this was before they figured out how to run trunk lines and then split out the calls from the trunk into individual lines closer to the end user's location - or how to bundle lines together, etc. So each wire we see in that photo is a *single* wire running from the central office to one subscriber (or party line). 
> >> http://pinkbunnyears.com/wp-content/uploads/2008/05/telephone-pole.jpg > > That photo isn't due to a situation where there were numerous different providers, it's due to ONE provider with a monopoly, doing a half-assed job. It should be noted that running an individual line from the central office to the subscriber can be a good thing when done in a sensible fashion. Amsterdam's Fiber-to-the-Home project called Citynet is an excellent example of this. The city ran a fiber line to each subscriber, which facilitates competitive open access to each line (and makes for maximum long-term bandwidth per subscriber). http://opticalreflection.com/2009/02/amsterdam-citynet-scores-a-home-run-for-fibre/ "However, the first decision the Citynet project made was more fundamental: should it deploy a passive optical network (PON) architecture or what Wagter calls 'home run' fibre, which is a point-to-point topology. PONs share fibre and equipment near the head-end of the network, which does result in some cost savings. But infrastructure sharing does not allow unbundling (allowing other service providers to put their equipment into the local exchange). PONs have a 1:32 splitter in the street cabinet, which means that those 32 customers get locked into the same service provider, and that didn't fit with the city's plan to have an open-access network. 
(Regulators have proposed bitstream access as a solution to this problem, but it's more complicated to implement.)" See also: http://arstechnica.com/tech-policy/news/2010/03/how-amsterdam-was-wired-for-open-access-fiber.ars From nanog at hostleasing.net Mon Dec 20 10:59:31 2010 From: nanog at hostleasing.net (Randy Epstein) Date: Mon, 20 Dec 2010 11:59:31 -0500 Subject: Comcast vs Level 3 - This time with video In-Reply-To: <20101218003820.GV38726@gerbil.cluepon.net> References: <20101218003820.GV38726@gerbil.cluepon.net> Message-ID: <025d01cba067$45d76210$d1862630$@net> > A simplified explanation of the situation between Level 3 and Comcast, from the perspective of a Comcast customer who is asking for the same thing Comcast is asking for. :) > http://www.xtranormal.com/watch/8124137/ I have to question Richard on this interaction though. There is no way in hell a Comcast customer service rep would respond like that. Not at least without putting you on hold 5 times and then still, wouldn't know what in the hell you're talking about. In the end, the service rep would tell you they need to dispatch someone to your house. Randy From ras at e-gerbil.net Mon Dec 20 11:06:10 2010 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Mon, 20 Dec 2010 11:06:10 -0600 Subject: Comcast vs Level 3 - This time with video In-Reply-To: <025d01cba067$45d76210$d1862630$@net> References: <20101218003820.GV38726@gerbil.cluepon.net> <025d01cba067$45d76210$d1862630$@net> Message-ID: <20101220170610.GI38726@gerbil.cluepon.net> On Mon, Dec 20, 2010 at 11:59:31AM -0500, Randy Epstein wrote: > > A simplified explanation of the situation between Level 3 and Comcast, > from the perspective of a Comcast customer who is asking for the same thing > Comcast is asking for. :) > > > http://www.xtranormal.com/watch/8124137/ > > I have to question Richard on this interaction though. There is no way > in hell a Comcast customer service rep would respond like that. 
Not at > least without putting you on hold 5 times and then still, wouldn't > know what in the hell you're talking about. In the end, the service > rep would tell you they need to dispatch someone to your house. Hah, yes they did seem to skip over the usual "bad ratios? have you tried rebooting your cable modem?" part didn't they. I suppose I should have added the phrase "highly fictionalized", but Xtranormal has something against allowing punctuation in their descriptions, and the existing one was confusing enough. FYI a bunch of people complained that the voices were hard to distinguish, so I did a modified version which is a little more intelligible. It's also linked to from the original, as part of the same series. http://www.xtranormal.com/watch/8134089/ -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From young at jsyoung.net Mon Dec 20 11:19:50 2010 From: young at jsyoung.net (Jeffrey S. Young) Date: Mon, 20 Dec 2010 12:19:50 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EE8AD.7030706@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> Message-ID: <0C3702E6-72FC-413D-B429-EDD78DCCFAB3@jsyoung.net> On 20/12/2010, at 12:25 AM, JC Dill wrote: > On 19/12/10 8:31 PM, Chris Adams wrote: >> Once upon a time, JC Dill said: >>> Why not open up the >>> market for telco wiring and just see what happens? 
There might be 5 or >>> perhaps even 10 players who try to enter the market, but there won't be >>> 50 - it simply won't make financial sense for additional players to try >>> to enter the market after a certain number of players are already in. >> Look up pictures of New York City in the early days of electricty. >> There were streets where you couldn't hardly see the sky because of all >> the wires on the poles. >> > Can you provide a link to a photo of this situation? >>> And there certainly won't be 50 all trying to service the same neighborhood. >> And there's the other half of the problem. Without franchise agreements >> that require (mostly) universal service, you'd get 50 companies trying >> to serve the richest neighborhoods in town, > > No you wouldn't. Remember those diminishing returns. At most you would likely have 4 or 5. If you are player 6 you aren't going to spend the money to build out in an area where there are 5 other players already - you will build out in a different neighborhood where there are only 2 or 3 players. Then, later, you might buy out the weakest of the 5 players in the rich neighborhood to gain access to that neighborhood when player 5 is on the verge of going BK. > > It's also silly to think that being player 6 to build out in a "richer neighborhood" would be a good move. The rich like to get a good deal just like everyone else. (They didn't *get* rich by spending their money unwisely.) > > As an example, I will point people to the neighborhood between Page Mill Road and Stanford University, an area originally built out as housing for Stanford professors. They have absolutely awful broadband options in that area. They have been *begging* for someone to come in with a better option. This is a very wealthy community (by US national standards) with median family incomes in the 6 figures according to the 2000 census data. > > Right now they can only get slow and expensive DSL or slightly faster and also expensive cable service. 
> > The city of Palo Alto has sonet fiber running right along the edges of this neighborhood. (see, http://poulton.net/ftth/slides.ps.pdf slide 18.) > > It's a perfect place for an ISP to put in a junction box and build a local fiber network to connect these homes with fiber to the Palo Alto fiber. But apparently the regulatory obstacles make it too complicated. THAT is what I'm talking about above. Since the incumbents don't want to provide improved services, get rid of those obstacles, let new players move in and put in service without so many obstacles. > > jc > > > Having lived through the telecom bubble (as many of us did) what makes you believe that player 6 is going to know about the financial conditions of players 1-5? What if player two has a high-profile chief scientist who, on a speaking circuit, starts telling the market that his bandwidth demands are growing at the rate of 300% per year and players 6-10 jump into the market with strong financial backing? While I believe in free-market economics and I will agree with you that the situation will eventually sort itself out; thousands of ditch-diggers and pole-climbers will lose their jobs, but this is "the way of things." I do not agree that the end-consumer should be put through this fiasco and I am confident that the money spent digging more ditches and stringing more ugly overhead cables would be better spent on layers 3 and more importantly on services at layers 4-7. My perception of the current situation in the USA? We have just gone through an era in which the FCC and administration defined "competition" as having more than one provider able to provide service (200 kb/s or better) within a zip code. A zip code can cover quite a large area. 
This left the major players to their own devices and we saw them overbuild TV and broadband services into the more lucrative areas (because as established providers they actually do have a pretty good idea of the financial condition of their competitors within an area). Quite often 'lucrative' did not equal affluent, lucrative is more a measure of consumption (think VoD) than median household income. The point is that the free-market evolution of broadband has produced a patchwork of services that is hard to decipher and even harder to influence. The utopian solution (pun intended) would be to develop a local, state, federal system of broadband similar to the highway system of roads. Let those broadband providers who can compete by creating layer 3 backbones and services at layers 4-7 (and layer 1-2 with wireless) survive. Let the innovation continue at layers 4-7 without constant saber-rattling from the layer 1-2 providers. And as a byproduct we can stop the ridiculous debate on Net Neutrality which is molded daily by telecom lobbyists. From sjs at princeton.edu Mon Dec 20 11:20:37 2010 From: sjs at princeton.edu (Steve Schultze) Date: Mon, 20 Dec 2010 12:20:37 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EBB72.50106@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> Message-ID: <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> Evidently this list is interested in telecommunications law. I was worried it would be considered OT, but since people are talking about it, here are some clarifications... 
On Dec 19, 2010, at 8:20 PM, Bryan Fields wrote: > On 12/19/2010 20:09, Leo Bicknell wrote: >> They have been granted a monopoly by the local government for >> wireline services, and in exchange for that monopoly need to act >> in the public's interest. In the TV world this is things like >> running the local community interest channel, and paying a franchise >> fee. In the IP world we're still developing the criteria, but it's >> not unreasonable to think they might have some government imposed >> requirements there as well. > > The government granting a monopoly is the problem, and more lame government > regulation is not the solution. Let everyone compete on a level playing > field, not by allowing one company to buy a monopoly enforced by men with guns. On Dec 19, 2010, at 9:12 PM, JC Dill wrote: > Why not open up the market for telco wiring and just see what happens? There are no government-enforced monopoly rights on cable or copper/fiber these days. The exclusivity for the telcos went away in the Bell breakup and the Telecommunications Act of 1996. See, for example, the section of the Act codified at 47 USC 253: http://www.law.cornell.edu/uscode/html/uscode47/usc_sec_47_00000253----000-.html Congress went so far as to force ILECs (the incumbents) to lease their lines to competitors for awhile, with the idea that it would lead the competitors to build out their own "facilities-based" lines. Even with those incentives, line-based competition failed to materialize to any substantial degree. 
The exclusivity for cable providers went away with the Cable Television Consumer Protection and Competition Act of 1992, which you can read about in the Background section of the FCC's 2007 Order Implementation of Section 621(a)(1) (the first of two orders that sought to further remove local control over many aspects of the franchising process): http://www.federalregister.gov/articles/2007/03/21/E7-5119/implementation-of-section-621a1-of-the-cable-communications-policy-act-of-1984-as-amended-by-the#p-21 On Dec 19, 2010, at 8:37 PM, George Bonser wrote: > What I am concerned with happening is a cash-strapped city seeing > Comcast (or any provider, really) trying to charge for access to > subscribers and then the city saying "wait a minute, who are you to sell > access to our people to a third party? If you are going to charge third > parties for access to those eyeballs, then you can pay us, in turn for > that access." And from there it all goes down hill. Cities currently do not recoup anything from telephone and internet services. 
Cities are capped at 5% of gross revenue from video services, and the definition of what they can recoup has been consistently narrowed by the FCC, as I noted here (in response to the first message in which you raised this concern): http://mailman.nanog.org/pipermail/nanog/2010-December/029444.html From owen at delong.com Mon Dec 20 11:58:29 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 09:58:29 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <201012201502.oBKF2Ka9029196@mail.r-bonomi.com> References: <201012201502.oBKF2Ka9029196@mail.r-bonomi.com> Message-ID: <7F73ABA8-891D-4115-87F2-211E9F6161C7@delong.com> On Dec 20, 2010, at 7:02 AM, Robert Bonomi wrote: >> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Dec 19 23:31:25 2010 >> Date: Sun, 19 Dec 2010 21:30:45 -0800 >> From: JC Dill >> To: NANOG list >> Subject: Re: Some truth about Comcast - WikiLeaks style >> >> On 19/12/10 8:44 PM, Owen DeLong wrote: >>> You can send letters >> >> Technically, this is illegal. You can send "documents" via FedEx and UPS. >> >>> just as well as packages via the other carriers. >>> >>> The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, >>> et. al could offer a $0.44 letter product if they wanted to. >> >> No, they can't. >> >> http://en.wikipedia.org/wiki/Private_Express_Statutes >> >>> They could not call it mail. They could call it "first class document delivery." >>> >>> However, the reality is that they probably couldn't sustain their business >>> at that price point. >>> >>> The USPS doesn't have an actual monopoly so much as ownership of >>> the term Mail almost like a trademark. >> >> >> It's not just a trademark, it's the class of service. Just try starting >> up a regular mail service, and see how far you get before they SHUT YOU >> DOWN. > > Actually, the gov't -won't- shut you down in that situation. 
They *WILL*, > however make you pay -them- the statutory "first-class" postage rate for > each such piece you carry. > > Aside: put a 'personal' sealed envelope communication inside a FedEx/UPS/ > whatever shipment, and you are _supposed_ to (a) 'declare' it on the > outside of the package, and (b) put the appropriate postage stamps on > the package. > > The FedEx 'overnight letter' (and other carrier equivalents) is a really > cute case of threading the needle between what does and does not require > first-class postage. It makes _interesting_ reading to review the actual > tariffs and express service 'rules' on what you can send via that service. > > Like I said... Once you untangle all the regulations, the net effect is not a monopoly so much as a byzantine set of laws and regulations designed to make it look like you have to pay USPS no matter what when in reality that's not the case. For all practical purposes, the post office faces what competition is practical. Owen From nanog at deman.com Mon Dec 20 12:10:22 2010 From: nanog at deman.com (Michael DeMan) Date: Mon, 20 Dec 2010 10:10:22 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220014804.GD38726@gerbil.cluepon.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> Message-ID: <5641E80D-8BEC-4E69-B704-982FCA4A8F07@deman.com> On Dec 19, 2010, at 5:48 PM, Richard A Steenbergen wrote: > > Personally I think the right answer is to enforce a legal separation > between the layer 1 and layer 3 infrastructure providers, and require > that the layer 1 network provide non-discriminatory access to any > company who wishes to 
provide IP to the end user. But that would take a > lot of work to implement, and there are billions of dollars at work > lobbying against it, so I don't expect it to happen any time soon. :) +1 on this - it is the source of a huge number of problems in the industry. From nick at foobar.org Mon Dec 20 12:11:53 2010 From: nick at foobar.org (Nick Hilliard) Date: Mon, 20 Dec 2010 18:11:53 +0000 Subject: Why do ISPs still not do packet source verification in 2010? In-Reply-To: <20101220084131.1c3ae53c@petrie.gateway.2wire.net> References: <20101220084131.1c3ae53c@petrie.gateway.2wire.net> Message-ID: <4D0F9C69.8070304@foobar.org> On 20/12/2010 14:41, William Pitcock wrote: > [...] but the 6500 > series chassis can do IP-level ACL in hardware. as regards urpf on the sup720 / rsp720: ipv4, yes; ipv6, no. BTW, it's worth asking this question when purchasing new equipment: "does the equipment support both loose and strict ipv6 urpf in hardware right now. if not, what is the timescale for implementation of each?". The results are currently not very good. Vendors: please note that support for ipv6 urpf (both strict and loose) is a basic networking requirement these days. 
Nick From owen at delong.com Mon Dec 20 12:09:39 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 10:09:39 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> Message-ID: <822ED2E3-9D98-4ED7-AD18-F07976FC868A@delong.com> > > Cities currently do not recoup anything from telephone and internet services. Cities are capped at 5% of gross revenue from video services, and the definition of what they can recoup has been consistently narrowed by the FCC, as I noted here (in response to the first message in which you raised this concern): > > http://mailman.nanog.org/pipermail/nanog/2010-December/029444.html As someone who has a "City Telephone Tax" on both my cellular and wireline bills, I beg to differ. 
Owen From jcdill.lists at gmail.com Mon Dec 20 12:22:17 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 10:22:17 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <0C3702E6-72FC-413D-B429-EDD78DCCFAB3@jsyoung.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <0C3702E6-72FC-413D-B429-EDD78DCCFAB3@jsyoung.net> Message-ID: <4D0F9ED9.4080002@gmail.com> On 20/12/10 9:19 AM, Jeffrey S. Young wrote: > > Having lived through the telecom bubble (as many of us did) what makes you believe that player 6 is going to know about the financial conditions of players 1-5? What if player two has a high-profile chief scientist who, on a speaking circuit, starts telling the market that his bandwidth demands are growing at the rate of 300% per year and players 6-10 jump into the market with strong financial backing? While I believe in free-market economics and I will agree with you that the situation will eventually sort itself out; thousands of ditch-diggers and pole-climbers will lose their jobs, but this is "the way of things." Apples and oranges. The telecom bubble didn't involve building out *to the home*. The cost to build a data center and put in modems or lease dry copper for DSL is dramatically lower than the cost to build out to the home. 
It was financially feasible (even if not the best decision, especially if you based the decision on a provably false assumption on market growth) to be player 6 in the early days of the Internet, it's not financially feasible to be player 6 to build out fiber to the home. > I do not agree that the end-consumer should be put through this fiasco and I am confident that the money spent digging more ditches and stringing more ugly overhead cables would be better spent on layers 3 and more importantly on services at layers 4-7. The problem is getting fair access to layer 1 for all players. If it takes breaking the monopoly rules for putting in layer 1 facilities to get past this log jam, then that may be the solution. > The utopian solution (pun intended) would be to develop a local, state, federal system of broadband similar to the highway system of roads. Let those broadband providers who can compete by creating layer 3 backbones and services at layers 4-7 (and layer 1-2 with wireless) survive. Let the innovation continue at layers 4-7 without constant saber-rattling from the layer 1-2 providers. But how do we GET there? I don't see a good path, as the ILECs who own the layer 1 infrastructure have already successfully lobbied for laws and policies that allow them to maintain their monopoly use of the layer 1 facilities to the customer's location. > And as a byproduct we can stop the ridiculous debate on Net Neutrality which is molded daily by telecom lobbyists. Yes, that would be nice. But where's a feasible path to this ultimate goal? 
jc From sjs at Princeton.EDU Mon Dec 20 12:37:40 2010 From: sjs at Princeton.EDU (Steve Schultze) Date: Mon, 20 Dec 2010 13:37:40 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <822ED2E3-9D98-4ED7-AD18-F07976FC868A@delong.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <822ED2E3-9D98-4ED7-AD18-F07976FC868A@delong.com> Message-ID: On Dec 20, 2010, at 1:09 PM, Owen DeLong wrote: >> Cities currently do not recoup anything from telephone and internet services. Cities are capped at 5% of gross revenue from video services, and the definition of what they can recoup has been consistently narrowed by the FCC, as I noted here (in response to the first message in which you raised this concern): >> >> http://mailman.nanog.org/pipermail/nanog/2010-December/029444.html > > As someone who has a "City Telephone Tax" on both my cellular and wireline > bills, I beg to differ. Fascinating. You appear to be right. For some reason I thought this was standardized at the federal level by the FCC, but it seems to vary depending on the state. 
For example, it seems that such taxes are prohibited in Oregon: https://www.oregonlaws.org/ors/305.823 But permitted in New York: http://www.dps.state.ny.us/TelecomTaxesSurcharges.html ("Not to exceed 1% except in Buffalo, Rochester and Yonkers, where the rate may not exceed 3%.") From lowen at pari.edu Mon Dec 20 12:43:41 2010 From: lowen at pari.edu (Lamar Owen) Date: Mon, 20 Dec 2010 13:43:41 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <201012201343.42035.lowen@pari.edu> On Monday, December 20, 2010 12:20:37 pm Steve Schultze wrote: > There are no government-enforced monopoly rights on cable or copper/fiber these days. Unless you qualify as a 47USC153(37) 'Rural Telephone Company' and then there are. Example being 253(f). Until recently I was served by such an ILEC. Recently being November 2010. From lowen at pari.edu Mon Dec 20 12:46:00 2010 From: lowen at pari.edu (Lamar Owen) Date: Mon, 20 Dec 2010 13:46:00 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0F9ED9.4080002@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <201012201346.00696.lowen@pari.edu> On Monday, December 20, 2010 01:22:17 pm JC Dill wrote: > But how do we GET there? I don't see a good path, as the ILECs who own > the layer 1 infrastructure have already successfully lobbied for laws > and policies that allow them to maintain their monopoly use of the layer > 1 facilities to the customer's location. The 'last mile' is the key, and is where 'net neutrality' and natural monopoly interests collide. He who owns the last mile owns what the user can and can not do. 
From bicknell at ufp.org Mon Dec 20 13:16:30 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Mon, 20 Dec 2010 11:16:30 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> Message-ID: <20101220191630.GA44701@ussenterprise.ufp.org> In a message written on Mon, Dec 20, 2010 at 12:20:37PM -0500, Steve Schultze wrote: > Congress went so far as to force ILECs (the incumbents) to lease their lines to competitors for awhile, with the idea that it would lead the competitors to build out their own "facilities-based" lines. Even with those incentives, line-based competition failed to materialize to any substantial degree. They did, I had my $300 T1 for a while years ago, and Covad/Megapath et al. did a very good business buying the local lines (as UNEs) and selling DSL services over them. While I don't think the model was the success I had hoped for, I think it was a success. However through a series of steps the ILECs have effectively shut these folks out of the market. They lobbied, and won, that Fiber is not part of the requirements. Want to buy UNE "FIOS" fiber? Verizon won't sell it, the government won't make them. The AT&T's of the world went and installed "FTTN" (Fiber to the Node), where a node serves a small neighborhood. This allows them to be less than 1m from the house and offer up to 24Mbps DSL. The other providers sued saying they need space in the nodes, and lost. 
So Covad gets to be in the CO, with 20kft of copper, while AT&T gets to be in the node with 3kft of copper to the user. So from about 1996 to 2000 we had competition. They then figured out how to rig the system so there is no effective competition, and so far the government has been A-Ok with that. > The exclusivity for cable providers went away with the Cable Television Consumer Protection and Competition Act of 1992, which you can read about in the Background section of the FCC's 2007 Order Implementation of Section 621(a)(1) (the first of two orders that sought to further remove local control over many aspects of the franchising process): > > http://www.federalregister.gov/articles/2007/03/21/E7-5119/implementation-of-section-621a1-of-the-cable-communications-policy-act-of-1984-as-amended-by-the#p-21 And yet, I don't know of any location in the US with two cable operators. You see, these rules weren't changed to provide for a second cable TV plant to be put in the ground, even in the FCC knew that cost too much. Rather, if you read carefully the problem was that Verizon, AT&T, and Bell South (all mentioned by name in the article) wanted to deliver video over FIOS/DSL. Most areas had coverage rules, to be a cable provider you had to pass 95%+ of the houses or such, and these folks didn't meet many of the local rules and went to the government for help. So the government did the minimum to get folks who already had infrastructure in the ground the rules to use it to provide this service. The result is not competition, but a government sponsored duopoly. This didn't bring more players to the table, it just let those already at the table offer a full set of overlapping services. Likely a good step, but not the same as getting new entrants into the market. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
From nanog-post at rsuc.gweep.net Mon Dec 20 13:31:09 2010 From: nanog-post at rsuc.gweep.net (Joe Provo) Date: Mon, 20 Dec 2010 14:31:09 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220191630.GA44701@ussenterprise.ufp.org> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: <20101220193109.GA46970@gweep.net> On Mon, Dec 20, 2010 at 11:16:30AM -0800, Leo Bicknell wrote: [snip] > So from about 1996 to 2000 we had competition. They then figured out > how to rig the system so there is no effective competition, and so far > the government has been A-Ok with that. You also miss the part about the capital markets being effectively closed after the bubble burst closing that window. [snip] > And yet, I don't know of any location in the US with two cable > operators. [snip] Everywhere that had enough paying-humans-per fiber-mile, so primarily the Northeast corridor (Metro DC through Metro Boston). Parts of the SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder" (RCN, WOW and several others). Nontrivial capital is required for the build-and-maintain of physical plant, so most all have shrunk since the bubble popping.
Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE From owen at delong.com Mon Dec 20 13:30:08 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 11:30:08 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220191630.GA44701@ussenterprise.ufp.org> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: On Dec 20, 2010, at 11:16 AM, Leo Bicknell wrote: > In a message written on Mon, Dec 20, 2010 at 12:20:37PM -0500, Steve Schultze wrote: >> Congress went so far as to force ILECs (the incumbents) to lease their lines to competitors for awhile, with the idea that it would lead the competitors to build out their own "facilities-based" lines. Even with those incentives, line-based competition failed to materialize to any substantial degree. > > They did, I had my $300 T1 for a while years ago, and Covad/Megapath > et all did a very good business buying the local lines (as UNE)'s > and selling DSL services over them. While I don't think the model > was the success I had hoped for, I think it was a success. > > However through a series of steps the iLEC's have effectively shut > these folks out of the market. They lobbied, and won, that Fiber > is not part of the requirements. Want to buy UNE "FIOS" fiber? > Verizon won't sell it, the government won't make them. The AT&T's > of the world went and installed "FTTN" (Fiber to the Node), where > a node serves a small neighborhood. This allows them to be less > than 1m from the house and offer up to 24Mbps DSL. 
The other > providers sued saying they need space in the nodes, and lost. So > Covad gets to be in the CO, with 20kft of copper, while AT&T gets > to be in the node with 3kft of copper to the user. > The argument being made is that the CLECs could run their own copper from their own COs to the residences. I don't buy that argument, but, that is the argument being made. Personally, I think that enforced UNE is the right model. If you sell higher level services, you should not be allowed to operate the physical plant. The physical plant operating companies should sell access to the physical plant to higher level service providers on an equal footing. Unfortunately, the market forces have way too much invested in the status quo and the lobbyists will block this at every turn. A grass roots consumer movement could probably change that, but, it would require an impractical level of consumer education on the subject. >> >> The exclusivity for cable providers went away with the Cable Television Consumer Protection and Competition Act of 1992, which you can read about in the Background section of the FCC's 2007 Order Implementation of Section 621(a)(1) (the first of two orders that sought to further remove local control over many aspects of the franchising process): >> >> http://www.federalregister.gov/articles/2007/03/21/E7-5119/implementation-of-section-621a1-of-the-cable-communications-policy-act-of-1984-as-amended-by-the#p-21 > > And yet, I don't know of any location in the US with two cable > operators. You see, these rules weren't changed to provide for a > second cable TV plant to be put in the ground, even in the FCC knew > that cost too much. Rather, if you read carefully the problem was > that Verizon, AT&T, and Bell South (all mentioned by name in the > article) wanted to deliver video over FIOS/DSL. 
Most areas had > coverage rules, to be a cable provider you had to pass 95%+ of the > houses or such, and these folks didn't meet many of the local rules > and went to the government for help. > I think that I recall encountering one or two such places in the past, but, I cannot recall them to make a specific citation. Certainly it is the exception and not the rule. Owen From gbonser at seven.com Mon Dec 20 13:37:21 2010 From: gbonser at seven.com (George Bonser) Date: Mon, 20 Dec 2010 11:37:21 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130DD@RWC-EX1.corp.seven.com> > -----Original Message----- > From: Jeff Wheeler [mailto:jsw at inconcepts.biz] > Sent: Monday, December 20, 2010 3:55 AM > To: nanog at nanog.org > Subject: Re: Some truth about Comcast - WikiLeaks style > > On Sun, Dec 19, 2010 at 8:48 PM, Richard A Steenbergen gerbil.net> wrote: > > Running a wire to everyone's house is a natural monopoly. It just > > doesn't make sense, financially or technically, to try and manage 50 > > different companies all trying to install 50 different wires into > every > > house just to have competition at the IP layer. It also wouldn't make > > What no one has mentioned thus far is that CLECs really are able to > install their own facilities to homes and businesses if they decide > that is a good way to invest their finite resources. 
This is why we > see several options for local loops in the "business district" of > every sizable city, as well as in many newly-developed areas such as > industrial parks. These infrastructure builds are expensive, the > CLECs had limited logistical capabilities and could only manage so > many projects at once, and obviously, they focused their efforts on > the parts of town where return-on-investment was likely to be highest. > Businesses often do have several good choices for voice, data, > Internet, and so on. Cogent is an example of an essentially > Internet-only service having some degree of success at this without > even offering voice, or initially even transport, products. Also, there are two ways into most urban and suburban homes. There is the telco and there is the "cable" company. There is no reason those two paths should not compete for the same services, and they do across an increasing area of the US. The rural areas, though, are a completely different story. From jcdill.lists at gmail.com Mon Dec 20 13:44:40 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 11:44:40 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220193109.GA46970@gweep.net> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> Message-ID: <4D0FB228.5050305@gmail.com> On 20/12/10 11:31 AM, Joe Provo wrote: > On Mon, Dec 20, 2010 at 11:16:30AM -0800, Leo Bicknell wrote: > [snip] >> And yet, I don't know of any location in the US with two cable >> operators.
> [snip] > > Everywhere that had enough paying-humans-per fiber-mile, so primarily > the Northeast corridor (Metro DC through Metro Boston). Parts of the > SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder" > (RCN, WOW and several others). Can you name/locate the part of the SF Bay Area where this has happened? jc From bicknell at ufp.org Mon Dec 20 13:46:10 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Mon, 20 Dec 2010 11:46:10 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220193109.GA46970@gweep.net> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> Message-ID: <20101220194610.GA46791@ussenterprise.ufp.org> In a message written on Mon, Dec 20, 2010 at 02:31:09PM -0500, Joe Provo wrote: > Everywhere that had enough paying-humans-per fiber-mile, so primarily > the Northeast corridor (Metro DC through Metro Boston). Parts of the > SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder" > (RCN, WOW and several others). Nontrivial capital is required for the > build-and-maintain of physical plant, so most all have shrunk since the > bubble popping. Interesting, I figured a few major cities would have a second provider, being able to high a large high rise or apartment complex might make the economics make sense. From the first google result for "cable overbuilder" (http://www.satelliteguys.us/live-industry-news-feeds/62015-cable-overbuilders-stage-comeback-near-death.html) cuz "I'm feeling lucky". 
:) As the biggest cable overbuilder and the 12th largest MSO in the U.S., RCN now boasts about 409,000 overall customers in its large urban markets, which include Boston, New York City, Philadelphia, Washington, D.C., Chicago, San Francisco and Los Angeles. So if you cherry pick for where an overbuild makes sense, you get 409k subscribers. To compare, Comcast has 23 million subscribers (video only, see http://www.cmcsk.com/releasedetail.cfm?ReleaseID=523403) and in fact lost 275,000 _in the third quarter_ alone (http://broadcastengineering.com/news/comcast-loses-subscribers-internet-takes-toll-20101101/). Which brings us back to the argument at hand, the problem is a combination of factors, regulatory (franchise issues), physical (plant in ground, and cost) and money (no one will finance it), but the net result is that even just adding one provider makes sense in only the smallest fraction of the country. Allowing more folks to put plant in the ground is simply not useful to getting real competition to the vast majority of American homes. We need to share the plant that is already there.... -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
From sethm at rollernet.us Mon Dec 20 13:48:36 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 20 Dec 2010 11:48:36 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FB228.5050305@gmail.com> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <4D0FB228.5050305@gmail.com> Message-ID: <4D0FB314.7010606@rollernet.us> On 12/20/2010 11:44, JC Dill wrote: > On 20/12/10 11:31 AM, Joe Provo wrote: >> On Mon, Dec 20, 2010 at 11:16:30AM -0800, Leo Bicknell wrote: >> [snip] >>> And yet, I don't know of any location in the US with two cable >>> operators. >> [snip] >> >> Everywhere that had enough paying-humans-per fiber-mile, so primarily >> the Northeast corridor (Metro DC through Metro Boston). Parts of the >> SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder" >> (RCN, WOW and several others). > > Can you name/locate the part of the SF Bay Area where this has happened?
> http://lmgtfy.com/?q=cable+overbuilder+san+fransisco From brez at brezworks.com Mon Dec 20 13:52:11 2010 From: brez at brezworks.com (Jeremy Bresley) Date: Mon, 20 Dec 2010 13:52:11 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: <4D0FB3EB.5030302@brezworks.com> On 12/20/2010 1:30 PM, Owen DeLong wrote: > On Dec 20, 2010, at 11:16 AM, Leo Bicknell wrote: >> And yet, I don't know of any location in the US with two cable >> operators. You see, these rules weren't changed to provide for a >> second cable TV plant to be put in the ground, even in the FCC knew >> that cost too much. Rather, if you read carefully the problem was >> that Verizon, AT&T, and Bell South (all mentioned by name in the >> article) wanted to deliver video over FIOS/DSL. Most areas had >> coverage rules, to be a cable provider you had to pass 95%+ of the >> houses or such, and these folks didn't meet many of the local rules >> and went to the government for help. >> > I think that I recall encountering one or two such places in the past, > but, I cannot recall them to make a specific citation. Certainly it is the > exception and not the rule. > > Owen > Cedar Rapids, IA is served by both Mediacom (incumbent/original cable company) and Imon (spinoff from McLeodUSA where they used to be called McLeodUSA ATS). As well as having Qwest for telco service. ATS started as an overbuild to compete at the local level in MCLD's hometown. 
They were started circa 1997, and are still in business today, so they survived the last 2 bubbles. And they caused Mediacom to keep prices down, and compete to offer additional services in Cedar Rapids long before they were available in other cities in their footprint. So examples of competitive overbuilds being successful do exist. Maybe Google's fiber build will inspire some other companies to try to compete in this fashion. Full disclosure: I worked for MCLD from 98-05, and in the ATS division from 00-05. Jeremy From young at jsyoung.net Mon Dec 20 14:00:54 2010 From: young at jsyoung.net (Jeffrey S. Young) Date: Mon, 20 Dec 2010 15:00:54 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0F9ED9.4080002@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <0C3702E6-72FC-413D-B429-EDD78DCCFAB3@jsyoung.net> <4D0F9ED9.4080002@gmail.com> Message-ID: <8FBABDC2-D213-4232-9331-A4203A15707A@jsyoung.net> On 20/12/2010, at 1:22 PM, JC Dill wrote: > On 20/12/10 9:19 AM, Jeffrey S. Young wrote: >> >> Having lived through the telecom bubble (as many of us did) what makes you believe that player 6 is going to know about the financial conditions of players 1-5? What if player two has a high-profile chief scientist who, on a speaking circuit, starts telling the market that his bandwidth demands are growing at the rate of 300% per year and players 6-10 jump into the market with strong financial backing? 
While I believe in free-market economics and I will agree with you that the situation will eventually sort itself out; thousands of ditch-diggers and pole-climbers will lose their jobs, but this is "the way of things." > > Apples and oranges. The telecom bubble didn't involve building out *to the home*. The cost to build a data center and put in modems or lease dry copper for DSL is dramatically lower than the cost to build out to the home. It was financially feasible (even if not the best decision, especially if you based the decision on a provably false assumption on market growth) to be player 6 in the early days of the Internet, it's not financially feasible to be player 6 to build out fiber to the home. >> I do not agree that the end-consumer should be put through this fiasco and I am confident that the money spent digging more ditches and stringing more ugly overhead cables would be better spent on layers 3 and more importantly on services at layers 4-7. > > The problem is getting fair access to layer 1 for all players. If it takes breaking the monopoly rules for putting in layer 1 facilities to get past this log jam, then that may be the solution. > >> The utopian solution (pun intended) would be to develop a local, state, federal system of broadband similar to the highway system of roads. Let those broadband providers who can compete by creating layer 3 backbones and services at layers 4-7 (and layer 1-2 with wireless) survive. Let the innovation continue at layers 4-7 without constant saber-rattling from the layer 1-2 providers. > > But how do we GET there? I don't see a good path, as the ILECs who own the layer 1 infrastructure have already successfully lobbied for laws and policies that allow them to maintain their monopoly use of the layer 1 facilities to the customer's location. >> And as a byproduct we can stop the ridiculous debate on Net Neutrality which is molded daily by telecom lobbyists. > > Yes, that would be nice.
But where's a feasible path to this ultimate goal? > > jc > > the point of the bubble analogy had more to do with poor speculation driving poor investments than it had to do with the nature of the build outs. I don't really think it would be far-fetched to see it happen again in broadband (perhaps in a better economy), but then it's only my opinion, everyone has them. the deeper point I was trying to make: all of this (the market evolution) has a detrimental effect on the Internet-consuming public and while the rest of world leads the USA in broadband deployment (pick any category) we debate, lag, and are currently driving policies that only further the patchwork of deployment and ineffective service we already have. jy From nanog-post at rsuc.gweep.net Mon Dec 20 14:02:05 2010 From: nanog-post at rsuc.gweep.net (Joe Provo) Date: Mon, 20 Dec 2010 15:02:05 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220194610.GA46791@ussenterprise.ufp.org> References: <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <20101220194610.GA46791@ussenterprise.ufp.org> Message-ID: <20101220200205.GA76296@gweep.net> On Mon, Dec 20, 2010 at 11:46:10AM -0800, Leo Bicknell wrote: > In a message written on Mon, Dec 20, 2010 at 02:31:09PM -0500, Joe Provo wrote: > > Everywhere that had enough paying-humans-per fiber-mile, so primarily > > the Northeast corridor (Metro DC through Metro Boston). Parts of the > > SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder" > > (RCN, WOW and several others). Nontrivial capital is required for the > > build-and-maintain of physical plant, so most all have shrunk since the > > bubble popping. 
> > Interesting, I figured a few major cities would have a second > provider, being able to high a large high rise or apartment complex > might make the economics make sense. Different problems; the property management adds another administrative layer to the sequence (locality/district/ward; city/town; state; federal) which has varying powers for exclusivity. Which of course vary by (locality/etc; city; state). [snip] > Which brings us back to the argument at hand, the problem is a > combination of factors, regulatority (franchise issues), physical [snip] An assertion which was false; you can discuss the 'practicality' or whatever the experience has taught us as a nation, but to say "there are no" or "this datum generalizes for all" in most all of this and sister threads is a major error. There is no national scope, and the jury is still out if statewide scope [for video] is a good or bad thing. Sorry to muddy with facts, please resume pontificating. -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE From Brian.Rettke at cableone.biz Mon Dec 20 14:16:31 2010 From: Brian.Rettke at cableone.biz (Rettke, Brian) Date: Mon, 20 Dec 2010 13:16:31 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FB3EB.5030302@brezworks.com> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <4D0FB3EB.5030302@brezworks.com> Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E683357E@E2K7MAILBOX1.corp.cableone.net> So, we seem to circle the same points: 1. Who pays for the infrastructure to support the increased bandwidth requirements?
Comcast and most ISPs want the content provider to do so, since they are collecting fees for the service and they are not, but still have to pay for the bandwidth (maintenance and upgrades). The customer is being billed twice: First to get access to the Internet to reach services, and then for the service offered by the content provider. The concern is that all customers, regardless of the services they select, will end up paying for the upgrades if the ISP has to/does raise rates. This makes the customer using the bandwidth-intensive application happy, and the other customers not using it unhappy. The content provider pays for Internet access, and in some cases puts in proxies to cache closer to the source. They do not pay the end customer ISP for service (assuming different providers in play). The content provider receives revenue for its services. The problem is still that someone has to support and build infrastructure. Some believe that Internet streaming video is the direction we are headed in, and that does appear to be true. But there are still a lot of customers that are not using this service, effectively subsidizing the customers using this service. This can be irksome, because most customers are unwilling to go back to a "pay for what you use plan" after having unlimited access. I think that would really put the pressure on both customers and content providers alike to be more efficient. I understand that the goal is for the customer to get what they want on demand, but that will never be a reality, for anyone, anywhere. I'd love to see content providers continue the push towards more efficient technologies and architecture, but there is no impetus for them to do so unless they have a financial reason. The same is true for the ISP and the customer. Bottom line: Customers need to think about the purchase of content (considering each one as a transaction that has value) more. 
Not as a worrisome, "bill will be enormous" way, but assigning value to it nonetheless. Content Providers need to continue upgrading methodologies, compression, and technologies in order to make their service a smooth, efficient "essential object." This will help keep any one service from overwhelming the rest, which is the bane of every service provider/transit provider. Service/Transit Providers need to re-evaluate their bandwidth offerings to customers, their relationships with content providers, and with each other. The model is very inefficient and political. The only way to be competitive seems to be, as someone said, to provide a solid Layer 1-3 platform that will drive innovation at layers 4-7. At least, that's my perspective on it. Sincerely, Brian A. Rettke RHCT, CCDP, CCNP, CCIP Network Engineer, CableONE Internet Services -----Original Message----- From: Jeremy Bresley [mailto:brez at brezworks.com] Sent: Monday, December 20, 2010 12:52 PM To: nanog at nanog.org Subject: Re: Some truth about Comcast - WikiLeaks style On 12/20/2010 1:30 PM, Owen DeLong wrote: > On Dec 20, 2010, at 11:16 AM, Leo Bicknell wrote: >> And yet, I don't know of any location in the US with two cable >> operators. You see, these rules weren't changed to provide for a >> second cable TV plant to be put in the ground, even in the FCC knew >> that cost too much. Rather, if you read carefully the problem was >> that Verizon, AT&T, and Bell South (all mentioned by name in the >> article) wanted to deliver video over FIOS/DSL. Most areas had >> coverage rules, to be a cable provider you had to pass 95%+ of the >> houses or such, and these folks didn't meet many of the local rules >> and went to the government for help. >> > I think that I recall encountering one or two such places in the past, > but, I cannot recall them to make a specific citation. Certainly it is the > exception and not the rule.
> > Owen > Cedar Rapids, IA is served by both Mediacom (incumbent/original cable company) and Imon (spinoff from McLeodUSA where they used to be called McLeodUSA ATS). As well as having Qwest for telco service. ATS started as an overbuild to compete at the local level in MCLD's hometown. They were started circa 1997, and are still in business today, so they survived the last 2 bubbles. And they caused Mediacom to keep prices down, and compete to offer additional services in Cedar Rapids long before they were available in other cities in their footprint. So examples of competitive overbuilds being successful do exist. Maybe Google's fiber build will inspire some other companies to try to compete in this fashion. Full disclosure: I worked for MCLD from 98-05, and in the ATS division from 00-05. Jeremy From cmadams at hiwaay.net Mon Dec 20 14:19:09 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 20 Dec 2010 14:19:09 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220191630.GA44701@ussenterprise.ufp.org> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: <20101220201908.GC26101@hiwaay.net> Once upon a time, Leo Bicknell said: > And yet, I don't know of any location in the US with two cable > operators. Huntsville, AL has Comcast and Knology (originally CableAlabama) cable available at virtually every address (except for some apartment complexes, which tend to only be wired for one cable plant and negotiate a deal with one company or the other). I believe some of the surrounding areas have overlap between Knology and Mediacom. 
A number of years ago (15 or so?), CableAlabama wanted to sell out to Comcast, and the city refused to allow it under the franchise agreement. CA sued and eventually won a settlement, but didn't end up merging (and became or was bought out by Knology). IIRC the settlement was 50% off of the franchise fee for 20 years or so. For a long time, we had the lowest cable prices in the country because of the competition, but I don't think that's the case anymore (Comcast, being the big corporate entity, doesn't care about competition with Knology, and Knology just raises their prices to keep up). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From sethm at rollernet.us Mon Dec 20 14:23:10 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 20 Dec 2010 12:23:10 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <4D0FB228.5050305@gmail.com> <4D0FB314.7010606@rollernet.us> Message-ID: <4D0FBB2E.8080704@rollernet.us> On 12/20/2010 12:20, Alex Rubenstein wrote: > Amazing how that worked, even spelling "fransisco" (sic) wrong. 
> One letter off: http://lmgtfy.com/?q=cable+overbuilder+san+francisco From gbonser at seven.com Mon Dec 20 14:28:38 2010 From: gbonser at seven.com (George Bonser) Date: Mon, 20 Dec 2010 12:28:38 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220191630.GA44701@ussenterprise.ufp.org> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net><4D0EBB72.50106@gmail.com><37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130DF@RWC-EX1.corp.seven.com> > The result is not competition, but a government sponsored duopoliy. > This didn't bring more players to the table, it just let those already > at the table offer a full set of overlapping services. Likely a good > step, but not the same as getting new entrants into the market. > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ "Back in the day" people used to get their email, usenet, maybe even hosting their web page, from their ISP. When DSL came about, many of these services migrated to the portals and the ISP became less of a "services provider" and more of a "transport provider". The "problem" with operations like the cable providers is that they seem to want to fight tooth and nail not to allow the video services a person consumes becoming an a la carte service where the end user picks and chooses from what amounts to "video portal" sites. An analogy from the old days might be an ISP trying very hard to prevent users from getting Yahoo! or Google mail or outside web hosting. 
The cable providers apparently aren't keen on simply being an ISP and allowing end users to get their video content from wherever they choose. In other words, they see themselves as a video content provider that also provides internet service while the market is trying to move them to an internet provider that also offers video content. This is made worse when the content distributor is also the content producer. The migration toward the "siloing" of entertainment content means this problem will just get worse. What's next? AT&T buying Disney and Verizon buying National Amusements? So now you have the company that produces the product also owns the railroad that delivers the product and charges fees for competitors shipping their goods on that railroad that makes the others less competitive. So the competing railroads simply buy up their own freight producers and do the same thing. Or do we create a "highway" that allows any number of freight shippers to operate to ship goods from any number of buyers to any number of sellers. I suppose what it boils down to is making the companies decide what they are. Are they an "internet service provider" or are they an "entertainment content provider" because being both at the same time seems to be a built-in conflict of interest from the consumer's point of view. 
From jcdill.lists at gmail.com Mon Dec 20 14:37:21 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 12:37:21 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <8FBABDC2-D213-4232-9331-A4203A15707A@jsyoung.net> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220043153.GC11644@hiwaay.net> <4D0EE8AD.7030706@gmail.com> <0C3702E6-72FC-413D-B429-EDD78DCCFAB3@jsyoung.net> <4D0F9ED9.4080002@gmail.com> <8FBABDC2-D213-4232-9331-A4203A15707A@jsyoung.net> Message-ID: <4D0FBE81.6030506@gmail.com> On 20/12/10 12:00 PM, Jeffrey S. Young wrote: > > the point of the bubble analogy had more to do with poor speculation driving poor investments than it had to do with the nature of the build outs. I don't really think it would be far-fetched to see it happen again in broadband (perhaps in a better economy), A "bad economy" is the RIGHT time to build out. Labor is much cheaper and more readily found, and money is harder to come by which means your business plan gets more thorough review before you get funding. The booming economy is when money is spent unwisely and labor costs skyrocket. 
jc From jcdill.lists at gmail.com Mon Dec 20 14:46:39 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 12:46:39 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FBB2E.8080704@rollernet.us> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <4D0FB228.5050305@gmail.com> <4D0FB314.7010606@rollernet.us> <4D0FBB2E.8080704@rollernet.us> Message-ID: <4D0FC0AF.7040907@gmail.com> On 20/12/10 12:23 PM, Seth Mattinen wrote: > On 12/20/2010 12:20, Alex Rubenstein wrote: >> Amazing how that worked, or didn't >> even spelling "fransisco" (sic) wrong. >> > One letter off: > > http://lmgtfy.com/?q=cable+overbuilder+san+francisco Did either of you actually *look* at the search results? Let's take a quote from the first result: www.broadbandmarkets.com/articles/fiberDeep2.htm > With franchises in two communities and others pending, it has begun > building an HFC network that will eventually deliver bundled services > to roughly 280,000 residents and businesses in Contra Costa County in > the East Bay area of San Francisco. OK, let's google for THAT. http://www.google.com/search?q=overbuild+network+contra+costa+county No data, just references back to the initial press releases. I can't find any data that the overbuild *actually took place*. Your lmgtfy link's search finds 5 year old press releases about discussions to PLAN overbuilding in various locations. What I want are the Names of Specific Locations (in the SF Bay Area) where such overbuilds are currently in place and serving customers.
jc From owen at delong.com Mon Dec 20 14:44:33 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 12:44:33 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC130DD@RWC-EX1.corp.seven.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU><5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com><4D0B93DE.7020201@gmail.com><5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com><4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com><20101220010924.GA73595@ussenterprise.ufp.org><4D0EAF71.5090108@bryanfields.net><20101220014804.GD38726@gerbil.cluepon.net> <5A6D953473350C4B9995546AFE9939EE0BC130DD@RWC-EX1.corp.seven.com> Message-ID: <22BDE012-784F-47C8-8664-67564115B18C@delong.com> On Dec 20, 2010, at 11:37 AM, George Bonser wrote: > > >> -----Original Message----- >> From: Jeff Wheeler [mailto:jsw at inconcepts.biz] >> Sent: Monday, December 20, 2010 3:55 AM >> To: nanog at nanog.org >> Subject: Re: Some truth about Comcast - WikiLeaks style >> >> On Sun, Dec 19, 2010 at 8:48 PM, Richard A Steenbergen > gerbil.net> wrote: >>> Running a wire to everyone's house is a natural monopoly. It just >>> doesn't make sense, financially or technically, to try and manage 50 >>> different companies all trying to install 50 different wires into >> every >>> house just to have competition at the IP layer. It also wouldn't > make >> >> What no one has mentioned thus far is that CLECs really are able to >> install their own facilities to homes and businesses if they decide >> that is a good way to invest their finite resources. This is why we >> see several options for local loops in the "business district" of >> every sizable city, as well as in many newly-developed areas such as >> industrial parks. 
These infrastructure builds are expensive, the >> CLECs had limited logistical capabilities and could only manage so >> many projects at once, and obviously, they focused their efforts on >> the parts of town where return-on-investment was likely to be highest. >> Businesses often do have several good choices for voice, data, >> Internet, and so on. Cogent is an example of an essentially >> Internet-only service having some degree of success at this without >> even offering voice, or initially even transport, products. > > Also, there are two ways in to most urban and suburban homes. There is > the telco and there is the "cable" company. There is no reason those > two paths should not compete for the same services, and they do across > an increasing area of the US. The rural areas, though, are a completely > different story. > > In the vast majority of cases, these are not equal competitors. The vast majority of residences are more than 5,000 and a good majority are more than 10,000 cable feet from the CO. This means that average DSL speeds are sub-T1. Most cable systems can deliver at least 10 Mbps/3 Mbps. That's not competition unless your internet needs are extremely modest and you are willing to accept some rather severe limitations. I remember when I was on top of the world because I had T1 service to my home and I used an average of 200kbps. Those days are long gone. Today I get more than 200kbps in SPAM traffic.
Owen From bicknell at ufp.org Mon Dec 20 15:00:22 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Mon, 20 Dec 2010 13:00:22 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220200205.GA76296@gweep.net> References: <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <20101220194610.GA46791@ussenterprise.ufp.org> <20101220200205.GA76296@gweep.net> Message-ID: <20101220210022.GA51460@ussenterprise.ufp.org> In a message written on Mon, Dec 20, 2010 at 03:02:05PM -0500, Joe Provo wrote: > An assertion which was false; you can discuss the 'practicality' or > whatever the experience has taught us as a nation, but to say "there > are no" are "this datum generalizes for all" in most all of this > and sister threads is a major error. There is no national scope, > and the jury is still out if statewide scope [for video] is a good > or bad thing. > > Sorry to muddy with facts, please resume pontificating. Facts are good. It appears there are more areas with two or more cable TV providers than I thought, and that knowledge is useful. I still maintain that the current set of regulation, laws, and economic realities have led to insignificant competition in that area, but that's purely an opinion. You are also correct that there is a lack of context in these threads. There is a federal role (FCC, congressional), a state role (state PUC's), and a local role (county/city/town PUC's). Looking from the perspective of a town it's clear some have cable competition, for example. Look at it nationally, and it's a really small percentage (on the order of under 2%, best I can tell so far). One man's everyone is another's no one.
I guess the question is, if these overbuilds work out so well in the cities where they do exist, why don't they exist in more places? -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From nanog-post at rsuc.gweep.net Mon Dec 20 15:00:28 2010 From: nanog-post at rsuc.gweep.net (Joe Provo) Date: Mon, 20 Dec 2010 16:00:28 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FC0AF.7040907@gmail.com> References: <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <4D0FB228.5050305@gmail.com> <4D0FB314.7010606@rollernet.us> <4D0FBB2E.8080704@rollernet.us> <4D0FC0AF.7040907@gmail.com> Message-ID: <20101220210027.GA30443@gweep.net> On Mon, Dec 20, 2010 at 12:46:39PM -0800, JC Dill wrote: [snip] > Your lmgtfy link's search finds 5 year old press releases about > discussions to PLAN overbuilding in various locations. What I want are > the Names of Specific Locations (in the SF Bay Area) where such > overbuilds are currently in place and serving customers. The original question "was", and I know at least RCN. Astound bought out their SF operation when I was leaving, but a trivial search shows they still service where we did and have added.
-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE From sethm at rollernet.us Mon Dec 20 15:04:38 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 20 Dec 2010 13:04:38 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FC0AF.7040907@gmail.com> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <20101220193109.GA46970@gweep.net> <4D0FB228.5050305@gmail.com> <4D0FB314.7010606@rollernet.us> <4D0FBB2E.8080704@rollernet.us> <4D0FC0AF.7040907@gmail.com> Message-ID: <4D0FC4E6.3060204@rollernet.us> On 12/20/2010 12:46, JC Dill wrote: > > Your lmgtfy link's search finds 5 year old press releases about > discussions to PLAN overbuilding in various locations. What I want are > the Names of Specific Locations (in the SF Bay Area) where such > overbuilds are currently in place and serving customers. > Or conversely, they tried and failed. I found Astound Broadband through the lmgtfy link (yes, I did look and read, thanks) and they appear to be alive. But I don't live in California to verify that personally. 
~Seth From owen at delong.com Mon Dec 20 15:07:53 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 13:07:53 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <96CA80CDCD822B4F9B41FB3A109C9359A3E683357E@E2K7MAILBOX1.corp.cableone.net> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <37D0927A-0BD4-430C-9552-70D90808B81D@princeton.edu> <20101220191630.GA44701@ussenterprise.ufp.org> <4D0FB3EB.5030302@brezworks.com> <96CA80CDCD822B4F9B41FB3A109C9359A3E683357E@E2K7MAILBOX1.corp.cableone.net> Message-ID: On Dec 20, 2010, at 12:16 PM, Rettke, Brian wrote: > So, we seem to circle the same points: > > 1. Who pays for the infrastructure to support the increased bandwidth requirements? > > Comcast and most ISPs want the content provider to do so, since they are collecting fees for the service and they are not, but still have to pay for the bandwidth (maintenance and upgrades). > What do you mean they are not? I'm paying Comcast $100/month to deliver the internet content I want to my home. They damn well are getting paid to do so. > The customer is being billed twice: First to get access to the Internet to reach services, and then for the service offered by the content provider. The concern is that all customers, regardless of the services they select, will end up paying for the upgrades if the ISP has to/does raise rates. This makes the customer using the bandwidth-intensive application happy, and the other customers not using it unhappy. > I don't use particularly bandwidth-intensive applications. 
However, I do think that access networks should cover the costs of delivering the content I request from the fees I pay. All that happens if you let them bill the content provider and double-dip is that the content provider has to pass those fees on to the service I'm using (at a markup, of course) who then passes the cost on to me (again at a markup). I'd much rather pay the cost directly to my access provider without the double (or more) markups, thank you. > The content provider pays for Internet access, and in some cases puts in proxies to cache closer to the source. They do not pay the end customer ISP for service (assuming different providers in play). The content provider receives revenue for its services. > IMHO, this is as it should be. > The problem is still that someone has to support and build infrastructure. Some believe that Internet streaming video is the direction we are headed in, and that does appear to be true. But there are still a lot of customers that are not using this service, effectively subsidizing the customers using this service. This can be irksome, because most customers are unwilling to go back to a "pay for what you use plan" after having unlimited access. I think that would really put the pressure on both customers and content providers alike to be more efficient. > If you don't need broadband, subscribe to narrow-band services. They are still available in most areas for less than broadband. > I understand that the goal is for the customer to get what they want on demand, but that will never be a reality, for anyone, anywhere. I'd love to see content providers continue the push towards more efficient technologies and architecture, but there is no impetus for them to do so unless they have a financial reason. The same is true for the ISP and the customer. > There are already good incentives for the content provider. It's called "user experience". If the content is close, I get a good user experience.
If it is far away, I get a poor user experience and I move on to a different content provider. If there were meaningful competition in the access market, I could do the same thing. Unfortunately, there is not where I live and not in most locations. > Bottom line: > > Customers need to think about the purchase of content (considering each one as a transaction that has value) more. Not as a worrisome, "bill will be enormous" way, but assigning value to it nonetheless. > I think I do this already. > Content Providers need to continue upgrading methodologies, compression, and technologies in order to make their service a smooth, efficient "essential object." This will help keep any one service from overwhelming the rest, which is the bane of every service provider/transit provider. > I think that is already happening and will continue to happen. > Service/Transit Providers need to re-evaluate their bandwidth offerings to customers, their relationships with content providers, and with each other. The model is very inefficient and political. The only way to be competitive seems to be, as someone said, to provide a solid Layer 1-3 platform that will drive innovation at layers 4-7. > I think you need to separate Transit Providers from Access Providers here. The reality is that there are four classes of players present without clear delineation: Content Providers (including Content Provider Hosting Networks) Content Delivery Networks Transit Networks Access Networks If there are any pure players in any one space above left, I would be surprised, but, each of these four spaces comes with a different set of tradeoffs and desires. Traditionally, Level3 has been a Transit Network with some Access and some Content Provider aspects. Now they are adding Content Delivery. Traditionally, Comcast has been a pure Access Network with some Transit. Now they are adding more Transit and also doing Content Provider things. 
As the lines blur, it's going to become increasingly more difficult to define non-peers among these networks. Frankly, IMHO, the right answer is to stop doing so. Recoup your costs from your customers and recognize that whatever packets {enter/exit} your network {to/from} a customer, most likely the other {entry/exit} is NOT a customer, but, a peer. I know that perspective is probably very unpopular, especially among Access Networks, but, I think it is the right approach overall. I also think that it is where the market would drive things if we had actual competition for access services. Owen From jim at reptiles.org Mon Dec 20 15:29:34 2010 From: jim at reptiles.org (Jim Mercer) Date: Mon, 20 Dec 2010 16:29:34 -0500 Subject: SDSL circuits in UK? Message-ID: <20101220212934.GM97456@reptiles.org> in the spirit of globalization, i've now added the UK to north america. 8^) now, can anyone suggest a source for SDSL links, for private networks in the UK? -- Jim Mercer jim at reptiles.org +1 416 410-5633 You are more likely to be arrested as a terrorist than you are to be blown up by one. -- Dianora From Valdis.Kletnieks at vt.edu Mon Dec 20 15:46:19 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 20 Dec 2010 16:46:19 -0500 Subject: SDSL circuits in UK? In-Reply-To: Your message of "Mon, 20 Dec 2010 16:29:34 EST." <20101220212934.GM97456@reptiles.org> References: <20101220212934.GM97456@reptiles.org> Message-ID: <48330.1292881579@localhost> On Mon, 20 Dec 2010 16:29:34 EST, Jim Mercer said: > > in the spirit of globalization, i've now added the UK to north america. Don't DSL links drop in maximum throughput based on cable-feet from the CO? At 21,495,394 cable feet, your up/down speeds are probably going to be somewhere south of 4bits/sec. :)
From lowen at pari.edu Mon Dec 20 15:47:22 2010 From: lowen at pari.edu (Lamar Owen) Date: Mon, 20 Dec 2010 16:47:22 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <22BDE012-784F-47C8-8664-67564115B18C@delong.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <201012201647.22870.lowen@pari.edu> On Monday, December 20, 2010 03:44:33 pm Owen DeLong wrote: > The vast majority of residences are more than 5,000 and a good majority > are more than 10,000 cable feet from the CO. > This means that average DSL speeds are sub-T1. FWIW, I'm at 14-15 kilofeet from the CO, and am getting a solid 7Mb/s down and 512kb/s up. The ISP has three tiers of DSL, and I'm at the lowest (which is probably the one that will work at my distance). They also provide a 9M down / 768k up, and an 11M down / 1M up for slightly higher rates. I'm told that the 11 down/1 up will work up to 12 kilofeet by their engineering. I'm running a secondary administrative DSL at my employer's location at the full 7/.5 rate at a distance of nearly 18 kilofeet, the last 2 kilofeet being our inside plant of CAT3 CALPETH. That is on a Cisco ADSL WIC in a 2651; show dsl interface atm0/0 shows a downstream rate of 6.8Mb/s and an upstream of 640kb/s. Not bad for the distance. Margins are good on both directions, being 12dB upstream and 8.5dB downstream. My experience is that the downstream is mildly oversubscribed, and the upstream less so. Their copper in my area is nearly new, they have spent the last five years or so refreshing and updating their copper outside plant. From paul at cupis.co.uk Mon Dec 20 15:51:49 2010 From: paul at cupis.co.uk (Paul Cupis) Date: Mon, 20 Dec 2010 21:51:49 +0000 Subject: SDSL circuits in UK?
In-Reply-To: <20101220212934.GM97456@reptiles.org> References: <20101220212934.GM97456@reptiles.org> Message-ID: On 20/12/10 21:29, Jim Mercer wrote: > now, can anyone suggest a source for SDSL links, for private networks in the > UK? There are a number of network operators capable of supplying SDSL (Annex B) in the UK depending on the location. There is a choice of operators with their own DSLAMs at the telephone exchanges (COs), as well as a number of wholesalers and retailers who can offer layer 2 or layer 3 access. I'm sure there are a number of UK operators on the list (who may also contact you off-list) - can you be any more specific with your requirements? Regards, From dsparro at gmail.com Mon Dec 20 16:15:46 2010 From: dsparro at gmail.com (David Sparro) Date: Mon, 20 Dec 2010 17:15:46 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0EE408.7010306@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> Message-ID: <4D0FD592.4020908@gmail.com> On 12/20/2010 12:05 AM, JC Dill wrote: > On 19/12/10 6:25 PM, Richard A Steenbergen wrote: >> The laws of diminishing returns have already set the bar for the point >> at which it's not profitable for a new company to enter the market and >> try to compete. Right now the number is roughly 2, cable and dsl, give >> or take a few outliers. I do believe the point would be to encourage a >> little more competition than that. :) In other words, it's an economic problem, not a technical or regulatory one.
> > This is true but ONLY in the current climate where the incumbents have a > monopoly on the ability to put in cabling for the last mile to homes. > > I live in an area where there are 2 ILECs (AT&T, Verizon) in nearby > proximity. Both are putting in fiber to some homes in their respective > areas. Imagine what would happen if they could both put in fiber in the > other areas. Then they would be *competitors* for those customers. Right > now, they don't compete - they each have a territory and in their > territory they are the predominant telco player (competing with the > cable incumbent - usually Comcast). There is no monopoly. They've already experimented with that and (apparently) decided that it wasn't worth it. http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/DN-verizon_17bus.State.Edition1.f7543b.html My theory is that everybody is just waiting around for things like 'network neutrality', 'broadband stimulus', and 'USF reform' to finally get decided before the Big Guys start to spend any money on upgrades. -- Dave From jbates at brightok.net Mon Dec 20 16:24:40 2010 From: jbates at brightok.net (Jack Bates) Date: Mon, 20 Dec 2010 16:24:40 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <201012201647.22870.lowen@pari.edu> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <201012201647.22870.lowen@pari.edu> Message-ID: <4D0FD7A8.7040007@brightok.net> On 12/20/2010 3:47 PM, Lamar Owen wrote: > Their copper in my area is nearly new, they have spent the last five > years or so refreshing and updating their copper outside plant. This makes a huge difference. At a little over 18,000 feet, I had to drop to 3m down .5 up to stabilize my DSL connection long term; especially during storms. It could push up to 6 down, .75 up but wouldn't hold stable when I needed it to. Of course, since then, we dropped a system roughly 200 feet from my house and 100 symmetric is possible. 
Jack From rcarpen at network1.net Mon Dec 20 17:06:20 2010 From: rcarpen at network1.net (Randy Carpenter) Date: Mon, 20 Dec 2010 18:06:20 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220191630.GA44701@ussenterprise.ufp.org> Message-ID: <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net> > > And yet, I don't know of any location in the US with two cable > operators. We have 2 separate cable providers in our town. One of them is a division of the local telephone company, but it is still CATV plant. The telco also operates a FTTH service with IPTV video as well. The result is that the big national CATV provider had incredibly good rates for a long time, and even after they were more than doubled, are still really good. -Randy From dhetzel at gmail.com Mon Dec 20 17:14:30 2010 From: dhetzel at gmail.com (Dorn Hetzel) Date: Mon, 20 Dec 2010 18:14:30 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net> References: <20101220191630.GA44701@ussenterprise.ufp.org> <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net> Message-ID: Where I live, about 50 miles south of Atlanta down I-85, there is no consumer broadband at all. Satellite, Cellular, and T-1, those are my options. A mile away, there are choices, but not here. I am sure we aren't the only neighborhood in this situation, even today. On Mon, Dec 20, 2010 at 6:06 PM, Randy Carpenter wrote: > > > > > And yet, I don't know of any location in the US with two cable > > operators. > > We have 2 separate cable providers in our town. One of them is a division > of the local telephone company, but it is still CATV plant. The telco also > operates a FTTH service with IPTV video as well. > > The result is that the big national CATV provider had incredibly good rates > for a long time, and even after they were more than doubled, are still > really good. 
> > -Randy > > From jg at freedesktop.org Mon Dec 20 17:20:01 2010 From: jg at freedesktop.org (Jim Gettys) Date: Mon, 20 Dec 2010 18:20:01 -0500 Subject: TCP congestion control and large router buffers In-Reply-To: <4D0E59FC.2080706@bogus.com> References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> Message-ID: <4D0FE4A1.7070103@freedesktop.org> On 12/19/2010 02:16 PM, Joel Jaeggli wrote: > On 12/9/10 7:20 AM, Mikael Abrahamsson wrote: >> On Thu, 9 Dec 2010, Vasil Kolev wrote: >> >>> I wonder why this hasn't made the rounds here. From what I see, a >>> change in this part (e.g. lower buffers in customer routers, or a >>> change (yet another) to the congestion control algorithms) would do >>> miracles for end-user perceived performance and should help in some >>> way with the net neutrality dispute. It's really hard to replace all the home user's hardware. Trying to "fix" the problem by fixing all of that is much more painful (and expensive) than fixing the network to not have the buffers. >> >> I'd say this is common knowledge and has been for a long time. Common knowledge among whom? I'm hardly a naive Internet user. And the statement is wrong: the large router buffers have effectively destroyed TCP's congestion avoidance altogether. >> >> In the world of CPEs, lowest price and simplicity is what counts, so >> nobody cares about buffer depth and AQM, that's why you get ADSL CPEs >> with 200+ ms of upstream FIFO buffer (no AQM) in most devices. > 200ms is good; but it is often up to multiple *seconds*. Resulting latencies on broadband gears are often horrific: see the netalyzr plots that I posted in my blog. See: http://gettys.wordpress.com/2010/12/06/whose-house-is-of-glasse-must-not-throw-stones-at-another/ Dave Clark first discovered bufferbloat on his DSLAM: he used the 6 second latency he saw to DDOS his son's excessive WOW playing. 
All broadband technologies are affected, as are, it turns out, all operating systems and likely all home routers as well (see other posts I've made recently). DSL, cable and FIOS all have problems. How many of retail ISP's service calls have been due to this terrible performance? I know I was harassing Comcast with multiple service calls over a year ago over what I now think was bufferbloat. And periodically for a number of years before that (roughly since DOCSIS 2 deployed, I would guess). "The Internet is slow today, Daddy" was usually Daddy saturating the home link, and bufferbloat the cause. Every time they would complain, I'd stop what I was doing, and the problem would vanish. A really nice willow the wisp... > you're going to see more of it, at a minimum cpe are going to have to be > able to drain a gig-e into a port that may be only 100Mb/s. The QOS > options available in a ~$100 cpe router are adequate for the basic purpose. But the port may only be 1 Mb/second; 802.11g is 20Mbps tops; but drops to 1Mbps in extremis. So the real dynamic range is at least a factor of 1000 to 1. > > d-link dir-825 or 665 are examples of such devices Yes, and E3000's and others. Some are half measures, and have a single knob for both shaping uplinks and downlink bandwidth. The QOS features in home routers can help, but does not solve all problems. In part, because as broadband bandwidth increases, the bottleneck link may shift/often shifts to the home router to edge device links, and there are similar (or even worse) bufferbloat problems in both the home routers and operating systems. > >> Personally I have MQC configured on my interface which has assured bw >> for small packets and ssh packets, and I also run fair-queue to make tcp >> sessions get a fair share. I don't know any non-cisco devices that does >> this. > > the consumer cpe that care seem to be mostly oriented along keeping > gaming and voip from being interfereed with by p2p and file transfers. 
> An unappreciated issue is that these buffers have destroyed TCP (and all other congestion avoiding protocols) congestion avoidance. Secondly, any modern operating system (anything other than Windows XP), implements window scaling, and will, within about 10 seconds, *fill* the buffers with a single TCP connection, and they stay full until traffic drops enough to allow them to empty (which may take seconds). Since congestion avoidance has been defeated, you get nasty behaviour out of TCP. Congestion avoidance depends on *timely* notification to the end points of congestion: these buffers have destroyed the *timely* requirement of a fundamental presumption of internet protocol design. If you think that simultaneously: 1) destroying congestion avoidance 2) destroying slow-start, as many major web sites are by increasing their initial window 3) browsers are now using many TCP connections simultaneously 4) while the TCP traffic shifts to window scaling, enabling even a single TCP connection to fill these buffers. 5) increasing numbers of large uploads/downloads (not just bittorrent, HD movie delivery to disk, backup, crash dump uploads, etc) is a good idea, you aren't old enough to have experienced the NSFnet collapse during the 1980's (as I did). I have post-traumatic stress disorder from that experience; I'm worried about the confluence of these changes, folks. And there are network neutrality aspects to bufferbloat: since carriers have been provisioning their telephony service separate from their internet service, *and* there are these bloated buffers, *and* there is no classification that end users can perform over their broadband connections, you can't do as well as a carrier even with fancy home routers for any low latency service such as voip. See: http://gettys.wordpress.com/2010/12/07/bufferbloat-and-network-neutrality-back-to-the-past/ Personally, I don't think this was by malice of forethought, but it's not a good situation. 
The best you can do is what Ooma has done; bandwidth shaping along with being closest to the broadband connection (or by fancy home routers with classification and bandwidth shaping). That won't help the downstream direction where a single other user (or yourself), can inject large packet bursts routinely by browsing web sites like YouTube or Google images (unless some miracle occurs, and the broadband head ends are classifying traffic in the downstream direction over those links). - Jim From tron at acm.org Mon Dec 20 17:24:08 2010 From: tron at acm.org (Carlos G Mendioroz) Date: Mon, 20 Dec 2010 20:24:08 -0300 Subject: Help with GC/Level3 route issue Message-ID: <4D0FE598.1080106@acm.org> Hi, I'm facing a problem that is becoming a nightmare. Some of our prefixes (ASN 10277) are being redistributed by Level 3 as being learned from/originated by Global Crossing. Thing is, we have no contact with GC nor Level3. I'd appreciate any kind advice as to who to contact regarding this. Sorry if this is not the right channel too. -- Carlos G Mendioroz From nanog at hostleasing.net Mon Dec 20 17:32:57 2010 From: nanog at hostleasing.net (Randy Epstein) Date: Mon, 20 Dec 2010 18:32:57 -0500 Subject: Help with GC/Level3 route issue In-Reply-To: <4D0FE598.1080106@acm.org> References: <4D0FE598.1080106@acm.org> Message-ID: <032d01cba09e$3bf96c70$b3ec4550$@net> Carlos, >Hi, >I'm facing a problem that is becoming a nightmare. >Some of our prefixes (ASN 10277) are being redistributed by Level 3 as >being learned from/originated by Global Crossing. Care to provide some of the prefixes? 
From owen at delong.com Mon Dec 20 17:36:03 2010 From: owen at delong.com (Owen DeLong) Date: Mon, 20 Dec 2010 15:36:03 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <201012201647.22870.lowen@pari.edu> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <201012201647.22870.lowen@pari.edu> Message-ID: On Dec 20, 2010, at 1:47 PM, Lamar Owen wrote: > On Monday, December 20, 2010 03:44:33 pm Owen DeLong wrote: >> The vast majority of residences are more than 5,000 and a good majority >> are more than 10,000 cable feet from the CO. > >> This means that average DSL speeds are sub-T1. > > FWIW, I'm at 14-15 kilofeet from the CO, and am getting a solid 7Mb/s down and 512kb/s up. The ISP has three tiers of DSL, and I'm at the lowest (which is probably the one that will work at my distance). They also provide a 9M down / 768k up, and a 11M down / 1M up for slightly higher rates. I'm told that the 11 down/1 up will work up to 12 kilofeet by their engineering. > Those are all still sub-T1 on the uplink and well below normal CMTS service speeds. Low-end CMTS is around 15Mbps/7Mbps. > I'm running a secondary administrative DSL at my employer's location at the full 7/.5 rate at a distance of nearly 18 kilofeet, the last 2 kilofeet being our inside plant of CAT3 CALPETH. That is on a Cisco ADSL WIC in a 2651; show dsl interface atm0/0 shows a downstream rate of 6.8Mb/s and an upstream of 640kb/s. Not bad for the distance. Margins are good on both directions, being 12dB upstream and 8.5dB downstream. > I'm happy for you. The AT&T cable plant in my neighborhood is unable to sustain any better than 1.5mbps/384k on ADSL. > My experience is that the downstream is mildy oversubscribed, and the upstream less so. > > Their copper in my area is nearly new, they have spent the last five years or so refreshing and updating their copper outside plant. That helps a lot. It still doesn't compete with CMTS which was my point. 
Owen From tron at acm.org Mon Dec 20 17:40:29 2010 From: tron at acm.org (Carlos G Mendioroz) Date: Mon, 20 Dec 2010 20:40:29 -0300 Subject: Help with GC/Level3 route issue In-Reply-To: <032d01cba09e$3bf96c70$b3ec4550$@net> References: <4D0FE598.1080106@acm.org> <032d01cba09e$3bf96c70$b3ec4550$@net> Message-ID: <4D0FE96D.4030900@acm.org> Sure, I just was unsure that the post was ok in this forum. We are advertising 168.83.20.0/23, 168.83.60.0/22, 168.83.68.0/22, 168.83.72.0/21 & 168.83.80.0/20. (Now we are injecting /24 as a quick hack to patch the situation). GC is advertising various 168.83.0.0/16 subnets too, which is ok, but e.g. the 168.83.20.0/23 is there w/o reason. -Carlos Randy Epstein wrote: > Carlos, > >> Hi, >> I'm facing a problem that is becoming a nightmare. >> Some of our prefixes (ASN 10277) are being redistributed by Level 3 as >> being learned from/originated by Global Crossing. > > Care to provide some of the prefixes? > > -- Carlos G Mendioroz From jcdill.lists at gmail.com Mon Dec 20 19:51:01 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 20 Dec 2010 17:51:01 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D0FD592.4020908@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> <4D0FD592.4020908@gmail.com> Message-ID: <4D100805.4090602@gmail.com> On 20/12/10 2:15 PM, David Sparro wrote: > > > There is no monopoly. They've already experimented with that and > (apparently) decided that it wasn't worth it. 
> > http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/DN-verizon_17bus.State.Edition1.f7543b.html > * Tuesday, June 17, 2008 Do you have any cites saying that this was actually rolled out? Or did the project get cut during the financial crisis, and never actually rolled out? The issue I have with all these "cites" is that none of them are for services that are up and running. They are all press releases about something that will supposedly get built, maybe. http://en.wikipedia.org/wiki/Duke_Nukem_Forever jc * From smb at cs.columbia.edu Mon Dec 20 20:07:14 2010 From: smb at cs.columbia.edu (Steven Bellovin) Date: Mon, 20 Dec 2010 21:07:14 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D100805.4090602@gmail.com> References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> <4D0FD592.4020908@gmail.com> <4D100805.4090602@gmail.com> Message-ID: <12DA9844-F298-4274-9805-579E3BA136F9@cs.columbia.edu> On Dec 20, 2010, at 8:51 01PM, JC Dill wrote: > On 20/12/10 2:15 PM, David Sparro wrote: >> >> >> There is no monopoly. They've already experimented with that and (apparently) decided that it wasn't worth it. >> >> http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/DN-verizon_17bus.State.Edition1.f7543b.html > > * > > > Tuesday, June 17, 2008 > > > Do you have any cites saying that this was actually rolled out? Or did the project get cut during the financial crisis, and never actually rolled out? 
> > The issue I have with all these "cites" is that none of them are for services that are up and running. They are all press releases about something that will supposedly get built, maybe. > > http://en.wikipedia.org/wiki/Duke_Nukem_Forever > Maybe I've lost the thread context, but if you're talking about FIOS it most certainly is running, in many places (http://www22.verizon.com/Residential/aboutFiOS/Overview.htm?CMP=DMC-CVS_ZZ_ZZ_E_TV_N_X001). My town has it; Comcast's responsiveness improved dramatically after FIOS was rolled out.... Speeds are good, prices less so, and if memory serves they charge something like $40/mo extra for static IP addresses. --Steve Bellovin, http://www.cs.columbia.edu/~smb From aaron at heyaaron.com Mon Dec 20 20:10:05 2010 From: aaron at heyaaron.com (Aaron C. de Bruyn) Date: Mon, 20 Dec 2010 18:10:05 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> Message-ID: <20101221021005.GB2007@chrysalis> On 2010-12-19 at 20:44:21 -0800, Owen DeLong wrote: > On Dec 19, 2010, at 6:12 PM, JC Dill wrote: > The "USPS monopoly" on first class mail is absurd. In fact, FedEx, UPS, > et. al could offer a $0.44 letter product if they wanted to. Like JC said, the Private Express statutes prevent you from being a common mail carrier. The government created USPS and brought us slow bureaucratic mail delivery. The private sector (FedEx/UPS, etc...) brought us overnight delivery where USPS couldn't... 
...and next-day air ...and freight delivery ...and package tracking that reports more than just "We don't know where it is/It's at the post office" When was the last time USPS delivered you a 100 pound UPS unit over night from across the country while letting you track it's progress? -A From adrian at creative.net.au Mon Dec 20 20:18:25 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Tue, 21 Dec 2010 10:18:25 +0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101221021005.GB2007@chrysalis> References: <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> <20101221021005.GB2007@chrysalis> Message-ID: <20101221021825.GB7019@skywalker.creative.net.au> On Mon, Dec 20, 2010, Aaron C. de Bruyn wrote: > The private sector (FedEx/UPS, etc...) brought us overnight delivery > where USPS couldn't... > > ...and next-day air > ...and freight delivery > ...and package tracking that reports more than just "We don't know where it is/It's at the post office" > > When was the last time USPS delivered you a 100 pound UPS unit over night from across the country while letting you track it's progress? Trouble is, now they can't. Why? Because they'd be threatening the jobs of hard working Fedex/UPS/etc. employees. :-) Adrian (only half tongue in cheek here.) 
From bicknell at ufp.org Mon Dec 20 20:28:06 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Mon, 20 Dec 2010 18:28:06 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <20101221021825.GB7019@skywalker.creative.net.au>
References: <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <720DAAE1-C033-495B-ABCD-286F200B7BD1@delong.com> <20101221021005.GB2007@chrysalis> <20101221021825.GB7019@skywalker.creative.net.au>
Message-ID: <20101221022806.GA68588@ussenterprise.ufp.org>

In a message written on Tue, Dec 21, 2010 at 10:18:25AM +0800, Adrian Chadd wrote:
> On Mon, Dec 20, 2010, Aaron C. de Bruyn wrote:
> > When was the last time USPS delivered you a 100 pound UPS unit over night from across the country while letting you track its progress?
>
> Trouble is, now they can't. Why? Because they'd be threatening the jobs of
> hard working Fedex/UPS/etc. employees.

It's crazier than you think.

http://www.usps.com/news/2001/press/pr01_015.htm

Express, Priority, and First Class mail flies FedEx, and has since 2001. It's part of a larger deal which is also why you now see a FedEx drop box at every post office.

I guess it's coopertition. I think I just made up a word. :)

So if it's illegal for you to put a letter inside a FedEx box, what's the penalty for moving all the first class mail in a FedEx airplane. :D

Oh yeah, FedEx can now deliver to APO and P.O. Boxes as well.

http://fedex.com/us/smartpost/

-- 
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From bonomi at mail.r-bonomi.com Mon Dec 20 23:41:52 2010
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Mon, 20 Dec 2010 23:41:52 -0600 (CST)
Subject: Some truth about Comcast - WikiLeaks style
Message-ID: <201012210541.oBL5fqSQ003384@mail.r-bonomi.com>

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Mon Dec 20 15:01:07 2010
> Date: Mon, 20 Dec 2010 13:00:22 -0800
> From: Leo Bicknell
> To: NANOG list
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> In a message written on Mon, Dec 20, 2010 at 03:02:05PM -0500, Joe Provo wrote:
> > An assertion which was false; you can discuss the 'practicality' or
> > whatever the experience has taught us as a nation, but to say "there
> > are no" or "this datum generalizes for all" in most all of this
> > and sister threads is a major error. There is no national scope,
> > and the jury is still out if statewide scope [for video] is a good
> > or bad thing.
> >
> > Sorry to muddy with facts, please resume pontificating.
>
> Facts are good. It appears there are more areas with two or more
> cable TV providers than I thought, and that knowledge is useful.
> I still maintain that the current set of regulation, laws, and
> economic realities have led to insignificant competition in that
> area, but that's purely an opinion.
>
> You are also correct that there is a lack of context in these
> threads. There is a federal role (FCC, congressional), a state
> role (state PUC's), and a local role (county/city/town PUC's).
> Looking from the perspective of a town it's clear some have cable
> competition, for example. Look at it nationally, and it's a really
> small percentage (on the order of under 2%, best I can tell so far).
> One man's everyone is another's no one.
>
> I guess the question is, if these overbuilds work out so well in the
> cities where they do exist, why don't they exist more places?
>

As a character in a Robert Heinlein book says: "The answer to _any_ question that starts off 'why don't they..' is always 'money'."

For a cable built-out to be 'profitable', you have to get some particular percentage of the 'covered' households to sign up for service. To support multiple providers the total 'penetration' in that area has to be at least:

   #providers * break-even_subscriber_percentage

I have no idea what the current break-even percentage is, but (picking numbers out of thin air for the sake of argument) if it is, say 30% of the households within the service area, then there are simply "not enough customers to go around", even at complete market saturation (where 100% of the households have cable service) to support _four_ "profitable" cable providers.

"Overbuild" is practical *ONLY* where: (a) the population density is high, lowering 'per customer' costs, and (b) service 'penetration' is high enough that the active subscriber base (as distinct from 'potential' subscribers) is sufficient to support the 'overhead' of two complete, parallel, physical plants. This tends to be 'self-limiting', to up-scale, high-density housing, neighborhoods.

The 'raw economics' of the situation may well be distorted by local government 'interference' -- e.g., requiring a provider serve _all_ households within arbitrary boundaries, rather than just 'low hanging fruit' areas.

From mpalmer at hezmatt.org Tue Dec 21 00:15:17 2010
From: mpalmer at hezmatt.org (Matthew Palmer)
Date: Tue, 21 Dec 2010 17:15:17 +1100
Subject: AS Numbers from a common 32-bit pool.
In-Reply-To: <4D0F50ED.1010001@hstrauss.co.za>
References: <4D0F3B1A.2050900@afrinic.net> <4D0F50ED.1010001@hstrauss.co.za>
Message-ID: <20101221061517.GI5595@hezmatt.org>

On Mon, Dec 20, 2010 at 02:49:49PM +0200, Heinrich Strauss wrote:
> I'm kinda fearing this in South Africa, as we have a few large
> incumbents who aren't really driving -NG versions of protocols.
>
> They also have a "prove to us it's broken, and we may look at it in a
> few months' time"-attitude towards it. :O

That would be why 32-bit ASNs have been "requestable" for the last couple of years(?); you could have been prodding providers with "it doesn't work, fix it" for a while now.

- Matt

-- 
"For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
-- your data's the seagull." -- Chris Adams

From bonomi at mail.r-bonomi.com Tue Dec 21 00:42:09 2010
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Tue, 21 Dec 2010 00:42:09 -0600 (CST)
Subject: Some truth about Comcast - WikiLeaks style
Message-ID: <201012210642.oBL6g94Z003903@mail.r-bonomi.com>

> Date: Mon, 20 Dec 2010 18:28:06 -0800
> From: Leo Bicknell
> Subject: Re: Some truth about Comcast - WikiLeaks style
>
> In a message written on Tue, Dec 21, 2010 at 10:18:25AM +0800, Adrian Chadd wrote:
> > On Mon, Dec 20, 2010, Aaron C. de Bruyn wrote:
> > > When was the last time USPS delivered you a 100 pound UPS unit over night from across the country while letting you track its progress?
> >
> > Trouble is, now they can't. Why? Because they'd be threatening the jobs of
> > hard working Fedex/UPS/etc. employees.
>
> It's crazier than you think.
>
> http://www.usps.com/news/2001/press/pr01_015.htm
>
> Express, Priority, and First Class mail flies FedEx, and has since
> 2001. It's part of a larger deal which is also why you now see a
> FedEx drop box at every post office.
>
> I guess it's coopertition. I think I just made up a word. :)
>
> So if it's illegal for you to put a letter inside a FedEx box,

Bzzt!

It's -not- illegal to put a letter inside a FedEx box. It just has to have the appropriate (USPS) postage on it, _as_well_ as paying the FedEx service/delivery fee. This is true if it is just the letter you're sending, or if it is a sealed letter -inside- a box/package being shipped.

Now _live_scorpions_, on the other hand, are something that the USPS _will_ deliver, but AFAIK no 'express' service will handle.

(One discovers some of the strangest things when one actually sits down and *reads* the _complete_ rules/regulation on a subject. In this case, it's the "Domestic Mail Manual". Scorpions are 'addressed' in 601.9.3.10)

From owen at delong.com Tue Dec 21 01:01:40 2010
From: owen at delong.com (Owen DeLong)
Date: Mon, 20 Dec 2010 23:01:40 -0800
Subject: AS Numbers from a common 32-bit pool.
In-Reply-To: <20101221061517.GI5595@hezmatt.org>
References: <4D0F3B1A.2050900@afrinic.net> <4D0F50ED.1010001@hstrauss.co.za> <20101221061517.GI5595@hezmatt.org>
Message-ID: <4C4D3074-424A-4D67-8441-964CCCBB6831@delong.com>

On Dec 20, 2010, at 10:15 PM, Matthew Palmer wrote:
> On Mon, Dec 20, 2010 at 02:49:49PM +0200, Heinrich Strauss wrote:
>> I'm kinda fearing this in South Africa, as we have a few large
>> incumbents who aren't really driving -NG versions of protocols.
>>
>> They also have a "prove to us it's broken, and we may look at it in a
>> few months' time"-attitude towards it. :O
>
> That would be why 32-bit ASNs have been "requestable" for the last couple of
> years(?); you could have been prodding providers with "it doesn't work, fix
> it" for a while now.
>
> - Matt
>
> --
> "For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
> -- your data's the seagull." -- Chris Adams

I'll point out that there really isn't any alternative at this point. This approach will issue 16-bit compatible ASNs as long as they last. Once they're gone, it's not like there was some new 16-bit compatible alternative.
Owen From swmike at swm.pp.se Tue Dec 21 01:18:44 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 21 Dec 2010 08:18:44 +0100 (CET) Subject: TCP congestion control and large router buffers In-Reply-To: <4D0FE4A1.7070103@freedesktop.org> References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org> Message-ID: On Mon, 20 Dec 2010, Jim Gettys wrote: > Common knowledge among whom? I'm hardly a naive Internet user. Anyone actually looking into the matter. The Cisco "fair-queue" command was introduced in IOS 11.0 according to to somewhat handle the problem. I have no idea when this was in time, but I guess early 90:ties? > And the statement is wrong: the large router buffers have effectively > destroyed TCP's congestion avoidance altogether. Routers have had large buffers since way before residential broadband even came around, the basic premise of TCP is that routers have buffers and quite a lot of it. > 200ms is good; but it is often up to multiple *seconds*. Resulting latencies > on broadband gears are often horrific: see the netalyzr plots that I posted > in my blog. See: I know of the problem, it's no news to me. You don't have to convince me. I've been using Cisco routers as a CPE because of this for a long time. > Dave Clark first discovered bufferbloat on his DSLAM: he used the 6 > second latency he saw to DDOS his son's excessive WOW playing. When I procured a DSLAM around 2003 or so it had 40ms of buffering at 24meg ADSL2+ speed, when the speed went down, the buffers length in bytes was constant so buffering time also went up. It didn't do any AQM either, but at least it did .1p prioritization and had 4 buffers so there was a little possibility of doing things upstream of it. > All broadband technologies are affected, as are, it turns out, all operating > systems and likely all home routers as well (see other posts I've made > recently). DSL, cable and FIOS all have problems. Yes. 
> How many of retail ISP's service calls have been due to this terrible > performance? A lot, I'm sure. > Secondly, any modern operating system (anything other than Windows XP), > implements window scaling, and will, within about 10 seconds, *fill* the > buffers with a single TCP connection, and they stay full until traffic > drops enough to allow them to empty (which may take seconds). Since > congestion avoidance has been defeated, you get nasty behaviour out of > TCP. That is exactly what TCP was designed to do, use as much bandwidth as it can. Congestion is detected by two means, latency goes up and/or there is packet loss. TCP was designed with router buffers in mind. Anyhow, one thing that might help would be ECN in conjunction with WRED, but already there you're way over most CPE manufacturers head. > is a good idea, you aren't old enough to have experienced the NSFnet collapse > during the 1980's (as I did). I have post-traumatic stress disorder from > that experience; I'm worried about the confluence of these changes, folks. I'm happy you were there, I was under the impression that routers had large buffers back then as well? > The best you can do is what Ooma has done; bandwidth shaping along with being > closest to the broadband connection (or by fancy home routers with > classification and bandwidth shaping). That won't help the downstream > direction where a single other user (or yourself), can inject large packet > bursts routinely by browsing web sites like YouTube or Google images (unless > some miracle occurs, and the broadband head ends are classifying traffic in > the downstream direction over those links). There is definitely a lot of improvement to be had. For FTTH, if you use an L2 switch with a few ms of buffering as the ISP handoff device, you don't get this problem. 
There are even TCP algorithms to handle this case where you have little buffers and just tail-drop But yes, I agree that we'd all be much helped if manufacturers of both ends of all links had the common decency of introducing a WRED (with ECN marking) AQM that had 0% drop probability at 40ms and 100% drop probability at 200ms (and linear increase between). -- Mikael Abrahamsson email: swmike at swm.pp.se From tim at pelican.org Tue Dec 21 04:42:32 2010 From: tim at pelican.org (Tim Franklin) Date: Tue, 21 Dec 2010 10:42:32 +0000 (GMT) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <12488210.61292927260333.JavaMail.root@jennyfur.pelican.org> Message-ID: <32850415.81292928152372.JavaMail.root@jennyfur.pelican.org> ----- "Owen DeLong" wrote: > Personally, I think that enforced UNE is the right model. If you sell > higher level services, you should not be allowed to operate the physical > plant. The physical plant operating companies should sell access to the > physical plant to higher level service providers on an equal footing. To all intents and purposes what we have in the UK. BT, the old, formally government-owned, then privatised, effective last-mile monopoly, was split up. (I believe in return for some more government cash to build infrastructure, but I could be wrong on the order of events). BT OpenReach is now responsible for wires on poles / in the ground, CO space etc, and has to sell access to these to other divisions of BT (Wholesale, Residential) in the same arms-length way they sell them to other ISPs. It doesn't always work *quite* like that, especially in respect of actually getting space and power in COs, but the framework is there... Regards, Tim. From nanog at hstrauss.co.za Tue Dec 21 04:57:42 2010 From: nanog at hstrauss.co.za (Heinrich Strauss) Date: Tue, 21 Dec 2010 12:57:42 +0200 Subject: AS Numbers from a common 32-bit pool. 
In-Reply-To: <20101221061517.GI5595@hezmatt.org> References: <4D0F3B1A.2050900@afrinic.net> <4D0F50ED.1010001@hstrauss.co.za> <20101221061517.GI5595@hezmatt.org> Message-ID: <4D108826.6090803@hstrauss.co.za> On 2010/12/21 08:15, Matthew Palmer wrote: > That would be why 32-bit ASNs have been "requestable" for the last > couple of > years(?); you could have been prodding providers with "it doesn't work, fix > it" for a while now. > > - Matt Although I realise that, the problem in South Africa is that we essentially still have a Telecoms Monopoly: The local loop belongs to Telkom SA who also competes with ISPs in providing Internet access to clients, so growth in the ISP sector is stunted. There are only really a handful of other NSPs who service ISPs and those ISPs still have no access to the networking segment from Datacenter to DSLAM. The major hope in .ZA is the unbundling of the local loop around 2012. Until then, there's no real end in sight (apart from mobile access, which is being stunted in many senses by the Communications Authority). ISPs just don't have that kind of prodding power in this country yet :( And the bad news is that I hear our incumbent Telecoms operator is expanding further up the continent, so that their legacy of incompetence may remain for a while. But we will continue pushing for these (legacy-)new technologies. :) One day we will prevail! :P -H. From lowen at pari.edu Tue Dec 21 07:08:52 2010 From: lowen at pari.edu (Lamar Owen) Date: Tue, 21 Dec 2010 08:08:52 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> Message-ID: <201012210808.52662.lowen@pari.edu> On Monday, December 20, 2010 06:36:03 pm you wrote: > Those are all still sub-T1 on the uplink and well below normal CMTS service > speeds. Low-end CMTS is around 15Mbps/7Mbps. Yeah, at least with the T-1 you aren't oversubscribed. 
One company for whom I consult was going to go from their T-1 to an 11/1 DSL, but they do streaming audio and video, and I was able to talk them out of it. I've been asking the provider to sell that place a matched pair; give me an 11/1 DSL, and then give me a 1/11 reverse ADSL on a different pair, and I'd be a happy camper.

> The AT&T cable plant in my neighborhood is unable to
> sustain any better than 1.5mbps/384k on ADSL.
>
> Their copper in my area is nearly new, they have spent the last five years or so refreshing and updating their copper outside plant.
> That helps a lot. It still doesn't compete with CMTS which was my point.

Interestingly enough, we've tried to do H.323 with some folks on a CMTS connection, and have yet to succeed in smooth video. My testing on my home DSL, back when it was 1.5M/.5M (we got two free upgrades; the first one was to 5/.5 and the second to 7/.5) and our main link was an OC3 to a different provider, went well. Never really figured out what was causing the problems with the CMTS users; the effect was that the H.323 session would start up and negotiate at 384Kb/s, and a few seconds of video would traverse fine, and then the link would start dropping more and more frames until it died entirely; my testing on my slower DSL didn't have this problem, and traceroute showed an equivalent number of hops between. The CMTS connection in use was an 8M down 1M up link.

And I don't have cable available to me at all. So it's DSL or nothing at home; even Verizon's 3G, which works fairly well at work, doesn't work at all at home, 1,200 feet away (terrain issues). And I don't have visibility to the most common data satellites on the Clarke Belt.
From jared at puck.nether.net Tue Dec 21 07:57:28 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 21 Dec 2010 08:57:28 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <20101220191630.GA44701@ussenterprise.ufp.org> <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net>
Message-ID:

I faced a similar challenge. If you have line of sight to something, you can do fixed wireless for maybe 200-400 depending on the gear and frequencies involved. Check out the ubnt 365 or m5 gear. Cheap as in disposable. Works quite well.

Then order a Comcast business connection there and call it a day. 16/2 or 50/10 for less than a t1 loop as long as your facility fees on the other side colo aren't too high.

Sent from my iThing

On Dec 20, 2010, at 6:14 PM, Dorn Hetzel wrote:

> Where I live, about 50 miles south of Atlanta down I-85, there is no
> consumer broadband at all.
>
> Satellite, Cellular, and T-1, those are my options.
>
> A mile away, there are choices, but not here. I am sure we aren't the only
> neighborhood in this situation, even today.
>
> On Mon, Dec 20, 2010 at 6:06 PM, Randy Carpenter wrote:
>
>>>> And yet, I don't know of any location in the US with two cable
>>>> operators.
>>
>> We have 2 separate cable providers in our town. One of them is a division
>> of the local telephone company, but it is still CATV plant. The telco also
>> operates a FTTH service with IPTV video as well.
>>
>> The result is that the big national CATV provider had incredibly good rates
>> for a long time, and even after they were more than doubled, are still
>> really good.
>>
>> -Randy
>>

From sreed at nwwnet.net Tue Dec 21 08:18:00 2010
From: sreed at nwwnet.net (Scott Reed)
Date: Tue, 21 Dec 2010 09:18:00 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
References: <20101220191630.GA44701@ussenterprise.ufp.org> <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net>
Message-ID: <4D10B718.8060207@nwwnet.net>

Check out http://www.wispdirectory.com
Go to Contact Us and fill out the form. If you are only a mile away from a WISP, there is a chance they will build out to you.

On 12/20/2010 6:14 PM, Dorn Hetzel wrote:
> Where I live, about 50 miles south of Atlanta down I-85, there is no
> consumer broadband at all.
>
> Satellite, Cellular, and T-1, those are my options.
>
> A mile away, there are choices, but not here. I am sure we aren't the only
> neighborhood in this situation, even today.
>
> On Mon, Dec 20, 2010 at 6:06 PM, Randy Carpenter wrote:
>
>>>> And yet, I don't know of any location in the US with two cable
>>>> operators.
>> We have 2 separate cable providers in our town. One of them is a division
>> of the local telephone company, but it is still CATV plant. The telco also
>> operates a FTTH service with IPTV video as well.
>>
>> The result is that the big national CATV provider had incredibly good rates
>> for a long time, and even after they were more than doubled, are still
>> really good.
>>
>> -Randy
>>

--
Scott Reed
Owner
NewWays Networking, LLC
Wireless Networking
Network Design, Installation and Administration
Mikrotik Advanced Certified
www.nwwnet.net
(765) 855-1060

From jbates at brightok.net Tue Dec 21 09:01:00 2010
From: jbates at brightok.net (Jack Bates)
Date: Tue, 21 Dec 2010 09:01:00 -0600
Subject: AS Numbers from a common 32-bit pool.
In-Reply-To: <4D108826.6090803@hstrauss.co.za>
References: <4D0F3B1A.2050900@afrinic.net> <4D0F50ED.1010001@hstrauss.co.za> <20101221061517.GI5595@hezmatt.org> <4D108826.6090803@hstrauss.co.za>
Message-ID: <4D10C12C.2070809@brightok.net>

On 12/21/2010 4:57 AM, Heinrich Strauss wrote:
> Although I realise that, the problem in South Africa is that we
> essentially still have a Telecoms Monopoly: The local loop belongs to
> Telkom SA who also competes with ISPs in providing Internet access to
> clients, so growth in the ISP sector is stunted. There are only really a
> handful of other NSPs who service ISPs and those ISPs still have no
> access to the networking segment from Datacenter to DSLAM.

There were always similar issues in .ZW as well (when it was marginally more stable).

Jack

From william.allen.simpson at gmail.com Tue Dec 21 09:19:46 2010
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Tue, 21 Dec 2010 10:19:46 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <201012210642.oBL6g94Z003903@mail.r-bonomi.com>
References: <201012210642.oBL6g94Z003903@mail.r-bonomi.com>
Message-ID: <4D10C592.2090101@gmail.com>

On 12/21/10 1:42 AM, Robert Bonomi wrote:
> Bzzt! It's -not- illegal to put a letter inside a FedEx box. It just has
> to have the appropriate (USPS) postage on it, _as_well_ as paying the FedEx
> service/delivery fee. This is true if it is just the letter you're sending,
> or if it is a sealed letter -inside- a box/package being shipped..
>
> Now _live_scorpions_, on the other hand, are something that the USPS _will_
> deliver, but AFAIK no 'express' service will handle. (One discovers some
> of the strangest things when one actually sits down and *reads* the _complete_
> rules/regulation on a subject. In this case, it's the "Domestic Mail Manual".
> Scorpions are 'addressed' in 601.9.3.10)
>
Kudos to you! It's been 20+ years since I've had a copy of the DMM!
To bring this back to the topic at hand, the USPS has worked pretty well and fairly efficiently for 200+ years. It provides universal service to every (US) destination at uniform rates for all content, with some variation by size.

Its competitors provide cherry-picked service only to specific areas, and even then at variable rates, by distance *and* by volume. As noted, FedEx simply doesn't deliver some types of content.

The lesson here is that we need to decide what it is we are offering. As an ISP, we never offered different rates by distance or for different types of traffic. We did offer different rates for different sized pipes (aka volume). That is, we offered more USPS-like than FedEx-like service.

And we certainly never expected to make more money from wealthier deliveries, because their content is possibly more valuable! AFAIK, FedEx doesn't either.

The Comcast proposed business model is simply wrong, and unsustainable without essentially being a protection racket. Pay us more money or your service will be kneecapped....

We have laws against extortion.

From owen at delong.com Tue Dec 21 09:49:34 2010
From: owen at delong.com (Owen DeLong)
Date: Tue, 21 Dec 2010 07:49:34 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <32850415.81292928152372.JavaMail.root@jennyfur.pelican.org>
References: <32850415.81292928152372.JavaMail.root@jennyfur.pelican.org>
Message-ID: <928D2C2B-0F1F-47AE-87DB-87DF48F6A532@delong.com>

On Dec 21, 2010, at 2:42 AM, Tim Franklin wrote:

>
> ----- "Owen DeLong" wrote:
>
>> Personally, I think that enforced UNE is the right model. If you sell
>> higher level services, you should not be allowed to operate the physical
>> plant. The physical plant operating companies should sell access to the
>> physical plant to higher level service providers on an equal footing.
>
> To all intents and purposes what we have in the UK. BT, the old, formerly government-owned, then privatised, effective last-mile monopoly, was split up.
> (I believe in return for some more government cash to build infrastructure, but I could be wrong on the order of events).
>
> BT OpenReach is now responsible for wires on poles / in the ground, CO space etc, and has to sell access to these to other divisions of BT (Wholesale, Residential) in the same arms-length way they sell them to other ISPs. It doesn't always work *quite* like that, especially in respect of actually getting space and power in COs, but the framework is there...
>
> Regards,
> Tim.

Yeah... I'd rather see it done in such a way that there is a prohibition of common ownership or management. Essentially, require that the stock be split and each current owner receives one share in each company, with any shareholders who own more than 3% of the companies having 180 days to divest from one company or the other, or reduce their total investment in both below 3%, with a requirement that the infrastructure provider not retain any portion of the name of the original company and no relationship other than supplier to the service provider company.

Obviously, this probably won't happen. The Telcos in the US have far too powerful a lobbying force, but I think that would be the best thing for the consumers.

Owen

From owen at delong.com Tue Dec 21 10:07:17 2010
From: owen at delong.com (Owen DeLong)
Date: Tue, 21 Dec 2010 08:07:17 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D10C592.2090101@gmail.com>
References: <201012210642.oBL6g94Z003903@mail.r-bonomi.com> <4D10C592.2090101@gmail.com>
Message-ID: <06E04F0D-E76D-4A68-BAF0-232DFA0A6E8E@delong.com>

>
>
> The Comcast proposed business model is simply wrong, and unsustainable without
> essentially being a protection racket. Pay us more money or your service will
> be kneecapped....
>
> We have laws against extortion.

We also have laws against warrantless wiretaps. Comcast seeks retroactive immunity like what was granted to their Telco brethren.
Owen

From william.allen.simpson at gmail.com Tue Dec 21 10:13:27 2010
From: william.allen.simpson at gmail.com (William Allen Simpson)
Date: Tue, 21 Dec 2010 11:13:27 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <12DA9844-F298-4274-9805-579E3BA136F9@cs.columbia.edu>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> <4D0FD592.4020908@gmail.com> <4D100805.4090602@gmail.com> <12DA9844-F298-4274-9805-579E3BA136F9@cs.columbia.edu>
Message-ID: <4D10D227.3050600@gmail.com>

On 12/20/10 9:07 PM, Steven Bellovin wrote:
>
> On Dec 20, 2010, at 8:51 01PM, JC Dill wrote:
>> Do you have any cites saying that this was actually rolled out? Or did the project get cut during the financial crisis, and never actually rolled out?
>>
>> The issue I have with all these "cites" is that none of them are for services that are up and running. They are all press releases about something that will supposedly get built, maybe.
>>
> Maybe I've lost the thread context, but if you're talking about FIOS it most certainly is running, in many places (http://www22.verizon.com/Residential/aboutFiOS/Overview.htm?CMP=DMC-CVS_ZZ_ZZ_E_TV_N_X001). My town has it; Comcast's responsiveness improved dramatically after FIOS was rolled out.... Speeds are good, prices less so, and if memory serves they charge something like $40/mo extra for static IP addresses.
>
Heck, we've also had earlier pointers in the thread to competing cable providers!
Where I founded an ISP, we used to have 2 competing cable providers, until one bought out the other over a decade ago.

In Oakland County, Michigan, various pockets have WOW and Comcast and ATT. My family members there have WOW, having switched from Comcast or ATT. (IMnsHO, the only thing worse than Comcast is Ameritech/SBC/AT&T.)

Once upon a time, I compared pricing with Ann Arbor (Washtenaw County), where Comcast (previously Media One) had no broadband competition. In Oakland County, Comcast prices were 20% or so less.

Eventually, WOW raised prices to be just a little bit less than competitors -- just as Chrysler and GM used to raise prices following Ford -- and Comcast has gradually reduced the price difference between Oakland and Washtenaw.

JC's supposition that competition functions at this level over the long term is egregiously fallacious. Fundamentally an oligopoly.

As to "responsiveness", in my experience WOW (and Vonage) have *much* better customer service departments than Comcast or AT&T. Faster, friendlier, and more technically savvy.

Comcast call centers apparently don't bother to check for multiple service outages in the same node, resulting in 5 (or more) truck rolls last week before they were finally fixed. Apparently, dispatchers don't have access to the NOC status information from modems, and only respond to actual repair calls from customers. If the customers cannot call because their VoIP is down, then there's nothing wrong?!?!

But that's another gripe for another time. :-(

From Brian.Rettke at cableone.biz Tue Dec 21 10:26:48 2010
From: Brian.Rettke at cableone.biz (Rettke, Brian)
Date: Tue, 21 Dec 2010 09:26:48 -0700
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <201012210808.52662.lowen@pari.edu>
References: <201012210808.52662.lowen@pari.edu>
Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E68336E1@E2K7MAILBOX1.corp.cableone.net>

Sincerely,

Brian A.
Rettke RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services

"-----Original Message-----
From: Lamar Owen [mailto:lowen at pari.edu]

Interestingly enough, we've tried to do H.323 with some folks on a CMTS connection, and have yet to succeed in smooth video. My testing on my home DSL, back when it was 1.5M/.5M (we got two free upgrades; the first one was to 5/.5 and the second to 7/.5) and our main link was an OC3 to a different provider, went well. Never really figured out what was causing the problems with the CMTS users; the effect was that the H.323 session would start up and negotiate at 384Kb/s, and a few seconds of video would traverse fine, and then the link would start dropping more and more frames until it died entirely; my testing on my slower DSL didn't have this problem, and traceroute showed an equivalent number of hops between. The CMTS connection in use was an 8M down 1M up link."

The problem is probably not the connection speed, but congestion on the CMTS. If the downstream is saturated (too many people watching Netflix on a node), the available shared bandwidth may not be enough to support your real-time traffic. Which is a pretty good archetype for the discussion anyhow.

From tim at pelican.org Tue Dec 21 10:28:50 2010
From: tim at pelican.org (Tim Franklin)
Date: Tue, 21 Dec 2010 16:28:50 +0000 (GMT)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <928D2C2B-0F1F-47AE-87DB-87DF48F6A532@delong.com>
Message-ID: <25540387.111292948930296.JavaMail.root@jennyfur.pelican.org>

----- "Owen DeLong" wrote:

> Yeah... I'd rather see it done in such a way that there is a
> prohibition of common ownership or management.
> Essentially,
> require that the stock be split and each current owner receives
> one share in each company with any shareholders who own more than 3%
> of the companies having 180 days to divest from one company or the
> other, or, reduce their total investment in both below 3% with a
> requirement that the infrastructure provider not retain any portion
> of the name of the original company and no relationship other than
> supplier to the service provider company.
>
> Obviously, this probably won't happen. The Telcos in the US have far
> too powerful a lobbying force, but, I think that would be the best
> thing for the consumers.

Presumably for both the consumers *and* every company involved in network services who doesn't have the luck of a historical last-mile monopoly.

Regards,
Tim.

From frnkblk at iname.com Tue Dec 21 10:32:17 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 21 Dec 2010 10:32:17 -0600
Subject: IPv6 BGP table size comparisons
Message-ID:

A week or more ago someone posted in NANOG or elsewhere a site that had made a comparison of the IPv6 BGP table sizes of different operators (i.e. HE, Cogent, Sprint, etc), making the point that a full view might take multiple feeds. I think that website also had text files with the comparisons.

But I can't find that e-mail or website anywhere!

Does anyone know where that listserv posting or website is?

Frank

From jared at puck.nether.net Tue Dec 21 10:38:51 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 21 Dec 2010 11:38:51 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To:
References:
Message-ID: <2920734B-D115-42D6-AB87-AD05496A0299@puck.nether.net>

Maybe this is a good place to start..

http://www.sixxs.net/tools/grh/compare/

- Jared

On Dec 21, 2010, at 11:32 AM, Frank Bulk wrote:

> A week or more ago someone posted in NANOG or elsewhere a site that had made
> a comparison of the IPv6 BGP table sizes of different operators (i.e.
> HE, Cogent, Sprint, etc), making the point that a full view might take multiple
> feeds. I think that website also had text files with the comparisons.
>
> But I can't find that e-mail or website anywhere!
>
> Does anyone know where that listserv posting or website is?
>
> Frank
>
>
>
>

From kloch at kl.net Tue Dec 21 10:51:15 2010
From: kloch at kl.net (Kevin Loch)
Date: Tue, 21 Dec 2010 11:51:15 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To: <2920734B-D115-42D6-AB87-AD05496A0299@puck.nether.net>
References: <2920734B-D115-42D6-AB87-AD05496A0299@puck.nether.net>
Message-ID: <4D10DB03.5080204@kl.net>

Jared Mauch wrote:
> Maybe this is a good place to start..
>
> http://www.sixxs.net/tools/grh/compare/
>
> - Jared
>
> On Dec 21, 2010, at 11:32 AM, Frank Bulk wrote:
>
>> A week or more ago someone posted in NANOG or elsewhere a site that had made
>> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
>> Cogent, Sprint, etc), making the point that a full view might take multiple
>> feeds. I think that website also had text files with the comparisons.
>>
>> But I can't find that e-mail or website anywhere!
>>
>> Does anyone know where that listserv posting or website is?
>>

Also route-views6.routeviews.org has several feeds.

- Kevin

From mksmith at adhost.com Tue Dec 21 11:18:33 2010
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue, 21 Dec 2010 17:18:33 +0000
Subject: NANOG Server Maintenance - 1700 EST
Message-ID:

Hello Everyone:

Merit will be performing maintenance on the server providing for the NANOG mailing list at 5:00 PM EST today. The anticipated downtime is less than 5 minutes. If you have any questions please let us know at admins at nanog.org.

Regards,

Mike
On behalf of the NANOG Communications Committee

--
Michael K.
Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From frnkblk at iname.com Tue Dec 21 11:33:16 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 21 Dec 2010 11:33:16 -0600
Subject: IPv6 BGP table size comparisons
In-Reply-To: <2920734B-D115-42D6-AB87-AD05496A0299@puck.nether.net>
References: <2920734B-D115-42D6-AB87-AD05496A0299@puck.nether.net>
Message-ID:

Thanks. I think the DFP might be a better fit, but right now it's timing out.

Frank

-----Original Message-----
From: Jared Mauch [mailto:jared at puck.nether.net]
Sent: Tuesday, December 21, 2010 10:39 AM
To: frnkblk at iname.com
Cc: NANOG list
Subject: Re: IPv6 BGP table size comparisons

Maybe this is a good place to start..

http://www.sixxs.net/tools/grh/compare/

- Jared

On Dec 21, 2010, at 11:32 AM, Frank Bulk wrote:

> A week or more ago someone posted in NANOG or elsewhere a site that had made
> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
> Cogent, Sprint, etc), making the point that a full view might take multiple
> feeds. I think that website also had text files with the comparisons.
>
> But I can't find that e-mail or website anywhere!
>
> Does anyone know where that listserv posting or website is?
>
> Frank
>
>
>
>

From dsparro at gmail.com Tue Dec 21 11:47:45 2010
From: dsparro at gmail.com (David Sparro)
Date: Tue, 21 Dec 2010 12:47:45 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D100805.4090602@gmail.com>
References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> <4D0FD592.4020908@gmail.com> <4D100805.4090602@gmail.com>
Message-ID: <4D10E841.3030605@gmail.com>

On 12/20/2010 8:51 PM, JC Dill wrote:
> On 20/12/10 2:15 PM, David Sparro wrote:
>>
>>
>> There is no monopoly. They've already experimented with that and
>> (apparently) decided that it wasn't worth it.
>>
>> http://www.dallasnews.com/sharedcontent/dws/bus/ptech/stories/DN-verizon_17bus.State.Edition1.f7543b.html
>>
>
> Tuesday, June 17, 2008
>
> Do you have any cites saying that this was actually rolled out? Or did
> the project get cut during the financial crisis, and never actually
> rolled out?
>
> The issue I have with all these "cites" is that none of them are for
> services that are up and running. They are all press releases about
> something that will supposedly get built, maybe.

I still think that the link shows that the factors are more economic than regulatory. As you point out, even where the regulatory obstacles have been overcome, it is not clear that Verizon ever actually did their overbuild to become a third triple-play provider.
--
Dave

From bicknell at ufp.org Tue Dec 21 12:01:13 2010
From: bicknell at ufp.org (Leo Bicknell)
Date: Tue, 21 Dec 2010 10:01:13 -0800
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D10E841.3030605@gmail.com>
References: <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <20101220022554.GF38726@gerbil.cluepon.net> <4D0EE408.7010306@gmail.com> <4D0FD592.4020908@gmail.com> <4D100805.4090602@gmail.com> <4D10E841.3030605@gmail.com>
Message-ID: <20101221180113.GA37232@ussenterprise.ufp.org>

In a message written on Tue, Dec 21, 2010 at 12:47:45PM -0500, David Sparro wrote:
> I still think that the link shows that the factors are more economic
> than regulatory. As you point out, even where the regulatory obstacles
> have been overcome, it is not clear that Verizon ever actually did their
> overbuild to become a third triple-play provider.

It's not so simple. There are pure regulatory issues, like getting a franchise license to provide video services. There are pure economic issues, like being able to afford the fiber and optics and such. Then there is a mess in the middle.

For instance in the early 2000's DC changed its rules for permitting duct installation. Previously if you wanted to dig up a street you applied for a permit and did just that. However too many streets were being dug up too many times in a row, and residents screamed. The city changed it so to dig up a street you had to post what you were going to dig up like 90 or 180 days in advance, and if someone else wanted the same route you were required to install conduit for them in the same trench at cost when you did it. [My understanding is the rules have since been altered again, so I'm likely not up to date.]

Is that a regulatory obstacle, since it's government rules? Is that an economic obstacle, since it just raises costs?
--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From lowen at pari.edu Tue Dec 21 12:33:47 2010
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 21 Dec 2010 13:33:47 -0500
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <96CA80CDCD822B4F9B41FB3A109C9359A3E68336E1@E2K7MAILBOX1.corp.cableone.net>
References:
Message-ID: <201012211333.47912.lowen@pari.edu>

On Tuesday, December 21, 2010 11:26:48 am Rettke, Brian wrote:
> The problem is probably not the connection speed, but congestion on the CMTS. If the downstream is saturated (too many people watching Netflix on a node) the available shared bandwidth may not be enough to support your real-time traffic. Which is a pretty good archetype for the discussion anyhow.

Well, at the time we did this test NetFlix was still just a DVD by mail outfit; this has been a couple or three years ago.

Congestion == oversubscribed. I would love to see a public posting or notice or something on my ISP's website showing current flows and congestion (the Cacti driven Network Weathermap is one such tool I've seen networks use; one of my providers used to have one publicly available, and it was very useful). Would make it much easier to make informed decisions on my part.

But this CMTS subscriber wanting to do medium-low bandwidth H.323 never had trouble seeing our stream to him; that was the funny thing. It was always the return stream from him to us that broke up. And it didn't act like congestion; it acted like some sort of filter in place that would only allow the full upstream briefly, and then would die for some period of time, and then would allow another burst of traffic. (I've received one private reply mentioning a possible technology to do this....)
Many if not virtually all residential broadband subscribers are under the impression that they really get the full use of the advertised bandwidth; it is a shock to most when they learn about oversubscription practices and QoS congestion management.

From lrosas at wavebroadband.com Tue Dec 21 12:40:22 2010
From: lrosas at wavebroadband.com (Luiz Rosas)
Date: Tue, 21 Dec 2010 10:40:22 -0800
Subject: COX NOC Contact Number
Message-ID: <8AD79EB3513FB847BCC01FAE8DE6B2900EFA53C0@wdsmtp102.headquarters.wavebroadband.gbl>

Does anyone have COX NOC contact number??

Thx

Luiz Rosas
IP Network Engineer
Astound/Wave Broadband
San Francisco, CA 94124
415-349-2940 Office
650-642-4638 Mobile

From Bryan at bryanfields.net Tue Dec 21 12:56:27 2010
From: Bryan at bryanfields.net (Bryan Fields)
Date: Tue, 21 Dec 2010 13:56:27 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To:
References:
Message-ID: <4D10F85B.2050800@bryanfields.net>

On 12/21/2010 11:32, Frank Bulk wrote:
> A week or more ago someone posted in NANOG or elsewhere a site that had made
> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
> Cogent, Sprint, etc), making the point that a full view might take multiple
> feeds. I think that website also had text files with the comparisons.

Whip yours out and let's have an on-list comparison of table sizes :-D

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From swm at emanon.com Tue Dec 21 13:01:26 2010
From: swm at emanon.com (Scott Morris)
Date: Tue, 21 Dec 2010 14:01:26 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To: <4D10F85B.2050800@bryanfields.net>
References: <4D10F85B.2050800@bryanfields.net>
Message-ID: <4D10F986.9030107@emanon.com>

Size doesn't matter. It's how well you use it.

Route it, baby...
;)

On 12/21/10 1:56 PM, Bryan Fields wrote:
> On 12/21/2010 11:32, Frank Bulk wrote:
>> A week or more ago someone posted in NANOG or elsewhere a site that had made
>> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
>> Cogent, Sprint, etc), making the point that a full view might take multiple
>> feeds. I think that website also had text files with the comparisons.
>
> Whip yours out and let's have an on-list comparison of table sizes :-D

From rbf+nanog at panix.com Tue Dec 21 13:18:54 2010
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Tue, 21 Dec 2010 13:18:54 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <201012210642.oBL6g94Z003903@mail.r-bonomi.com>
References: <201012210642.oBL6g94Z003903@mail.r-bonomi.com>
Message-ID: <20101221191854.GA29455@panix.com>

On Tue, Dec 21, 2010 at 12:42:09AM -0600, Robert Bonomi wrote:
>> From: Leo Bicknell
>>
>> So if it's illegal for you to put a letter inside a FedEx box,
>
> Bzzt! It's -not- illegal to put a letter inside a FedEx box. It just has
> to have the appropriate (USPS) postage on it, _as_well_ as paying the FedEx
> service/delivery fee.

Bzzt! It is, in general, as a practical matter, completely legal to send letters overnight via FedEx, without paying any US postage. Under the "Extremely Urgent" exception, any shipment for which the shipper pays more than the greater of $3 and twice what the USPS would charge to send it first class is deemed extremely urgent (whether or not it really is) and is exempt from the requirement to use the USPS or pay USPS postage. Except in some pretty rare cases, any shipment of letters sent via FedEx is going to cost more than $3 and more than double what the USPS would have charged to send it first class.

> This is true if it is just the letter you're sending,
> or if it is a sealed letter -inside- a box/package being shipped..
Actually, if the sealed letter relates to the cargo in the box/package, it's legal to include it, under an exception separate from the "Extremely Urgent" exception listed above.

-- Brett

From sam_mailinglists at spacething.org Tue Dec 21 13:21:58 2010
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 21 Dec 2010 19:21:58 +0000
Subject: TCP congestion control and large router buffers
In-Reply-To:
References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org>
Message-ID:

On 21 Dec 2010, at 07:18, Mikael Abrahamsson wrote:
> On Mon, 20 Dec 2010, Jim Gettys wrote:
>> Common knowledge among whom? I'm hardly a naive Internet user.
>
> Anyone actually looking into the matter. The Cisco "fair-queue" command was introduced in IOS 11.0 according to <http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd1.html#wp1098249> to somewhat handle the problem. I have no idea when this was in time, but I guess early '90s?
>
>> 200ms is good; but it is often up to multiple *seconds*. Resulting latencies on broadband gears are often horrific: see the netalyzr plots that I posted in my blog. See:
>
> I know of the problem, it's no news to me. You don't have to convince me. I've been using Cisco routers as a CPE because of this for a long time.

Interestingly I've just tried to enable WRED on a Cisco 877 (advsecurity 15.1) and the random-detect commands are missing. Cisco's feature navigator says it's supported though. Weird.

Also, there doesn't appear to be a way to enable fair-queue on the wireless interface. Is fair-queue seen as a bad strategy for wireless and its varying throughput/goodput rates?

And finally it doesn't support inbound shaping so I can't experiment with trying to build the queues on it rather than the DSLAM.

I'm a little nonplussed to be honest.

However, I did notice the output queue on the dialler interface defaults to 1000 packets.
(Perhaps that's a hangover from when it had to queue packets whilst dialling? I've come too late to networking to know). Reducing that number to 10 (~60ms @ 1500 bytes @ 8Mbps) has noticeably increased the latency response and fairness of the connection under load. Sam From Brian.Rettke at cableone.biz Tue Dec 21 13:31:27 2010 From: Brian.Rettke at cableone.biz (Rettke, Brian) Date: Tue, 21 Dec 2010 12:31:27 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <201012211333.47912.lowen@pari.edu> References: <96CA80CDCD822B4F9B41FB3A109C9359A3E68336E1@E2K7MAILBOX1.corp.cableone.net> <201012211333.47912.lowen@pari.edu> Message-ID: <96CA80CDCD822B4F9B41FB3A109C9359A3E683379F@E2K7MAILBOX1.corp.cableone.net> --"Congestion == oversubscribed. I would love to see a public posting or notice or something on my ISP's website showing current flows and congestion (the Cacti driven Network Weathermap is one such tool I've seen networks use; one of my providers used to have one publicly available, and it was very useful). Would make it much easier to make informed decisions on my part. But this CMTS subscriber wanting to do medium-low bandwidth H.323 never had trouble seeing our stream to him; that was the funny thing. It was always the return stream from him to us that broke up. And it didn't act like congestion; it acted like some sort of filter in place that would only allow the full upstream briefly, and then would die for some period of time, and then would allow another burst of traffic. (I've received one private reply mentioning a possible technology to do this....) 
Many if not virtually all residential broadband subscribers are under the impression that they really get the full use of the advertised bandwidth; it is a shock to most when they learn about oversubscription practices and QoS congestion management."--- I'm not sure you can speak for the majority of all subscribers, but it's fair to assume that people who are not used to "checking under the hood" before making a purchase are of that mind. And congestion does mean oversubscribed, but that's a rather narrow argument. You are buying a shared service, which never guarantees full use of anything. The reason that you pay ~$100 instead of 5-10 times that amount is that you are buying a time share. You do not own or lease any part of your connection. It is the advertising and marketing of such things that generally leaves the consumer clueless unless they do their own research. Being that this is NANOG, and the expectation is that this community is the cognoscenti, I'd say we can dispense with the marketing. If you use a cable modem or DSL service, your expected use is entertainment. Depending upon your neighborhood, and the amount of people that latch onto a trend, you will see oversubscription, because no one ever builds supply that will far exceed demand in an instantaneous manner. If you expect your service to not be oversubscribed, you need to drop your modem for a leased line service. The SLA guarantees you get what you pay for. If the contrary argument is that you pay enough for your service, we need to define the costs of implementing your end-to-end service, and the difference between that and what you pay. 
From gbonser at seven.com Tue Dec 21 13:28:55 2010 From: gbonser at seven.com (George Bonser) Date: Tue, 21 Dec 2010 11:28:55 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <25540387.111292948930296.JavaMail.root@jennyfur.pelican.org> References: <928D2C2B-0F1F-47AE-87DB-87DF48F6A532@delong.com> <25540387.111292948930296.JavaMail.root@jennyfur.pelican.org> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC130FF@RWC-EX1.corp.seven.com> > > > > Obviously, this probably won't happen. The Telcos in the US have far > > too powerful a lobbying force, but, I think that would be the best > > thing for the consumers. > > Presumably for both the consumers *and* every company involved in > network services who doesn't have the luck of a historical last-mile > monopoly. > > Regards, > Tim. Well, I really don't see this whole thing as about Comcast, per se. It is bigger than that. Generally, I have no problems with a network doing whatever it wants to do when there is competition for the end users. The problem in my mind comes in when the buyer has no realistic alternative. So I believe the regulations should be at the local level where the actual users are because what is true in Omaha might not be true in Wichita. Attempting to make "one size fits all" regulations at the federal level generally doesn't turn out well, even if done with the best of intentions, because there are just too many one-off situations. Places that, for example, have competition for high-speed triple-play services where the users can "vote with their feet" if a provider's policies don't serve their needs probably need a lot less regulation than a place with only one provider of that sort of service. This shouldn't devolve into a "bash Comcast" session so much as it should address how "single player" markets are handled regardless of the provider involved. 
From pete at altadena.net Tue Dec 21 13:59:57 2010 From: pete at altadena.net (Pete Carah) Date: Tue, 21 Dec 2010 14:59:57 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <598C4A03-6932-4E1B-A518-B8F15BAE651F@Princeton.EDU> <201012201647.22870.lowen@pari.edu> Message-ID: <4D11073D.3040005@altadena.net> On 12/20/2010 06:36 PM, Owen DeLong wrote: > > I'm happy for you. The AT&T cable plant in my neighborhood is unable to > sustain any better than 1.5mbps/384k on ADSL. And mine (older Baltimore-area, ex-bell atlantic, now verizon) won't sustain 384x384 at 15k ft, it works with about 10% packet loss when dry and dies altogether when wet (actually, often even POTS won't work when wet in the last year or so; wires are getting worse). VZ won't do anything about it (well, they *did* finally (5 yrs later) get around to wiring for fios.) VZ *tells* you that 1.5x384 will work. Little do they know about older outside plant... -- Pete From fred at cisco.com Tue Dec 21 15:24:38 2010 From: fred at cisco.com (Fred Baker) Date: Tue, 21 Dec 2010 13:24:38 -0800 Subject: TCP congestion control and large router buffers In-Reply-To: References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org> Message-ID: <607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com> On Dec 20, 2010, at 11:18 PM, Mikael Abrahamsson wrote: > On Mon, 20 Dec 2010, Jim Gettys wrote: > >> Common knowledge among whom? I'm hardly a naive Internet user. > > Anyone actually looking into the matter. The Cisco "fair-queue" command was introduced in IOS 11.0 according to to somewhat handle the problem. I have no idea when this was in time, but I guess early 90:ties? 1995. I know the guy that wrote the code. Meet me in a bar and we can share war stories. The technology actually helps with problems like RFC 6057 addresses pretty effectively. 
>> is a good idea, you aren't old enough to have experienced the NSFnet collapse during the 1980's (as I did). I have post-traumatic stress disorder from that experience; I'm worried about the confluence of these changes, folks.
>
> I'm happy you were there, I was under the impression that routers had large buffers back then as well?

Not really. Yup, several of us were there. The common routers on the NSFNET and related networks were fuzzballs, which had 8 (count them, 8) 576 byte buffers, Cisco AGS/AGS+, and Proteon routers. The Cisco routers of the day generally had 40 buffers on each interface by default, and might have had configuration changes; I can't comment on the Proteon routers. For a 56 KBPS line, given 1504 bytes per message (1500 bytes IP+data, and four bytes of HDLC overhead), that's theoretically 8.5 seconds. But given that messages were in fact usually 576 bytes of IP data (cf "fuzzballs" and unix behavior for off-LAN communications) and interspersed with TCP control messages (Acks, SYNs, FINs, RST), real queue depths were more like two seconds at a bottleneck router. The question would be the impact of a sequence of routers all acting as bottlenecks.

IMHO, AQM (RED or whatever) is your friend. The question is what to set min-threshold to. Kathy Nichols (Van's wife) did a lot of simulations. I don't know that the paper was ever published, but as I recall she wound up recommending something like this:

  line rate    ms queue depth
  (MBPS)       RED min-threshold
  2            32
  10           16
  155          8
  622          4
  2,500        2
  10,000       1

> But yes, I agree that we'd all be much helped if manufacturers of both ends of all links had the common decency of introducing a WRED (with ECN marking) AQM that had 0% drop probability at 40ms and 100% drop probability at 200ms (and linear increase between).

so, min-threshold=40 ms and max-threshold=200 ms. That's good on low speed links; it will actually control queue depths to an average of O(min-threshold) at whatever value you set it to.
The problem with 40 ms is that it interacts poorly with some applications, notably voice and video. It also doesn't match well to published studies like http://www.pittsburgh.intel-research.net/~kpapagia/papers/p2pdelay-analysis.pdf. In that study, a min-threshold of 40 ms would have cut in only on six a-few-second events in the course of a five hour sample. If 40 ms is on the order of magnitude of a typical RTT, it suggests that you could still have multiple retransmissions from the same session in the same queue.

A good photo of buffer bloat is at
ftp://ftpeng.cisco.com/fred/RTT/Pages/4.html
ftp://ftpeng.cisco.com/fred/RTT/Pages/5.html

The first is a trace I took overnight in a hotel I stayed in. Never mind the name of the hotel, it's not important. The second is the delay distribution, which is highly unusual - you expect to see delay distributions more like ftp://ftpeng.cisco.com/fred/RTT/Pages/8.html (which actually shows two distributions - the blue one is fairly normal, and the green one is a link that spends much of the day chock-a-block).

My conjecture re 5.html is that the link *never* drops, and at times has as many as nine retransmissions of the same packet in it. The spikes in the graph are about a TCP RTO timeout apart. That's a truly worst case. For N-1 of the N retransmissions, it's a waste of storage space and a waste of bandwidth.

AQM is your friend. Your buffer should be able to temporarily buffer as much as an RTT of traffic, which is to say that it should be large enough to ensure that if you get a big burst followed by a silent period you should be able to use the entire capacity of the link to ride it out. Your min-threshold should be at a value that makes your median queue depth relatively shallow. The numbers above are a reasonable guide, but as in all things, YMMV.
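As an added example (not code from any poster in this thread), the queue-depth arithmetic above and a small simulation of the 1000-packet output queue at 8 Mbps mentioned earlier in the thread, run under tail drop and under RED with min-threshold 40 ms and max-threshold 200 ms; the constant 1.5x overload, the EWMA weight and the random seed are constructed assumptions.

```python
"""Tail-drop FIFO versus RED-style AQM, measured in milliseconds of queueing delay.

Added illustration for the buffer-bloat discussion; not code from any poster.
Line rate, buffer size and RED thresholds come from the thread; the offered
load pattern, EWMA weight and seed are constructed for this example.
"""
import random


def queue_delay_ms(packets, bytes_per_packet, line_rate_bps):
    """Worst-case queueing delay of a FIFO holding `packets` frames."""
    return packets * bytes_per_packet * 8 * 1000.0 / line_rate_bps


def red_drop_probability(avg_queue_ms, min_th_ms, max_th_ms):
    """Drop (or ECN-mark) probability: 0 below min-threshold, 1 at or above
    max-threshold, rising linearly in between."""
    if avg_queue_ms < min_th_ms:
        return 0.0
    if avg_queue_ms >= max_th_ms:
        return 1.0
    return (avg_queue_ms - min_th_ms) / (max_th_ms - min_th_ms)


def simulate(line_rate_bps, buffer_packets, arrivals_per_ms, duration_ms,
             red=None, pkt_bytes=1500, ewma_weight=0.1, seed=1):
    """Drive one bottleneck queue with a constant offered load of fixed-size
    packets for `duration_ms` milliseconds.

    red is (min_th_ms, max_th_ms) for RED, or None for plain tail drop.
    Returns (max_delay_ms, mean_delay_ms, dropped_packets).
    """
    rng = random.Random(seed)            # seeded so runs are repeatable
    service_ms = queue_delay_ms(1, pkt_bytes, line_rate_bps)
    queue = 0                            # packets currently waiting
    drain_credit = 0.0                   # fractional packets the link may drain
    avg_ms = 0.0                         # RED's EWMA of the queue depth
    dropped = 0
    samples = []
    for _ in range(duration_ms):
        for _ in range(arrivals_per_ms):
            avg_ms += ewma_weight * (queue * service_ms - avg_ms)
            if queue >= buffer_packets:
                dropped += 1             # tail drop: the buffer is physically full
                continue
            if red is not None and rng.random() < red_drop_probability(avg_ms, *red):
                dropped += 1             # early drop/mark long before the buffer fills
                continue
            queue += 1
        drain_credit += 1.0 / service_ms  # one millisecond of link time
        drained = min(queue, int(drain_credit))
        drain_credit -= int(drain_credit)
        queue -= drained
        samples.append(queue * service_ms)
    return max(samples), sum(samples) / len(samples), dropped


def compare(line_rate_bps=8_000_000, buffer_packets=1000):
    """The 1000-packet queue at 8 Mbps, offered 1.5x its capacity, with and
    without RED(40 ms, 200 ms)."""
    tail = simulate(line_rate_bps, buffer_packets, 1, 6000)
    red = simulate(line_rate_bps, buffer_packets, 1, 6000, red=(40.0, 200.0))
    return {"tail_drop": tail, "red": red}


if __name__ == "__main__":
    print("56 kbps, 40 x 1504-byte buffers: %.1f s"
          % (queue_delay_ms(40, 1504, 56_000) / 1000))
    for name, (mx, mean, drops) in compare().items():
        print("%-9s max %.0f ms  mean %.0f ms  dropped %d" % (name, mx, mean, drops))
```

Under the same overload the tail-drop queue fills to its full 1.5 s while the RED queue settles near the thresholds, which is the O(min-threshold) behaviour described above.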
From frnkblk at iname.com Tue Dec 21 16:18:18 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 21 Dec 2010 16:18:18 -0600
Subject: IPv6 BGP table size comparisons
In-Reply-To: <4D10F85B.2050800@bryanfields.net>
References: <4D10F85B.2050800@bryanfields.net>
Message-ID:

There are 4,035 routes in the global IPv6 routing table. This is what one provider passed on to me for routes (/48 or larger prefixes), extracted from public route-view servers.

AT&T AS7018: 2,851 (70.7%)
Cogent AS174: 2,864 (71.0%)
GLBX AS3549: 3,706 (91.8%)
Hurricane Electric AS6939: 3,790 (93.9%)
Qwest AS209: 3,918 (97.1%)
TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
Verizon AS701: 3,938 (97.6%)

Frank

-----Original Message-----
From: Bryan Fields [mailto:Bryan at bryanfields.net]
Sent: Tuesday, December 21, 2010 12:56 PM
To: NANOG list
Subject: Re: IPv6 BGP table size comparisons

On 12/21/2010 11:32, Frank Bulk wrote:
> A week or more ago someone posted in NANOG or elsewhere a site that had made
> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
> Cogent, Sprint, etc), making the point that a full view might take multiple
> feeds. I think that website also had text files with the comparisons.

Whip yours out and lets have an on list comparison of table sizes

:-D
--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From jared at puck.nether.net Tue Dec 21 16:51:02 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 21 Dec 2010 17:51:02 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To:
References: <4D10F85B.2050800@bryanfields.net>
Message-ID:

Not sure what route-server you are speaking of, but a quick peek at what we send on a customer session I see:

NTT (2914) sends 3868 prefixes.

If the route server contacts me in private, we can likely set up a view from 2914 or 2914-customer perspective.

- Jared

On Dec 21, 2010, at 5:18 PM, Frank Bulk wrote:
> There are 4,035 routes in the global IPv6 routing table.
This is what one > provider passed on to me for routes (/48 or larger prefixes), extracted from > public route-view servers. > AT&T AS7018: 2,851 (70.7%) > Cogent AS174: 2,864 (71.0%) > GLBX AS3549: 3,706 (91.8%) > Hurricane Electric AS6939: 3,790 (93.9%) > Qwest AS209: 3,918 (97.1%) > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > Verizon AS701: 3,938 (97.6%) > > Frank > > -----Original Message----- > From: Bryan Fields [mailto:Bryan at bryanfields.net] > Sent: Tuesday, December 21, 2010 12:56 PM > To: NANOG list > Subject: Re: IPv6 BGP table size comparisons > > On 12/21/2010 11:32, Frank Bulk wrote: >> A week or more ago someone posted in NANOG or elsewhere a site that had > made >> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE, >> Cogent, Sprint, etc), making the point that a full view might take > multiple >> feeds. I think that website also had text files with the comparisons. > > Whip yours out and lets have an on list comparison of table sizes > > :-D > -- > Bryan Fields > > 727-409-1194 - Voice > 727-214-2508 - Fax > http://bryanfields.net > > > From frnkblk at iname.com Tue Dec 21 17:07:54 2010 From: frnkblk at iname.com (Frank Bulk) Date: Tue, 21 Dec 2010 17:07:54 -0600 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> Message-ID: The provider who gave me the information didn't tell me what public route server they used. They didn't analyze all ASNs, just the handful I listed. It would be interesting if someone set up a daily report that documented all the IPv6 routes an ASN carried, and then tracked both the absolute numbers and percentages over time. 
Frank -----Original Message----- From: Jared Mauch [mailto:jared at puck.nether.net] Sent: Tuesday, December 21, 2010 4:51 PM To: frnkblk at iname.com Cc: NANOG list Subject: Re: IPv6 BGP table size comparisons Not sure what route-server you are speaking of, but a quick peek at what we send on a customer session I see: NTT (2914) sends 3868 prefixes. If the route server contacts me in private, we can likely set up a view from 2914 or 2914-customer perspective. - Jared On Dec 21, 2010, at 5:18 PM, Frank Bulk wrote: > There are 4,035 routes in the global IPv6 routing table. This is what one > provider passed on to me for routes (/48 or larger prefixes), extracted from > public route-view servers. > AT&T AS7018: 2,851 (70.7%) > Cogent AS174: 2,864 (71.0%) > GLBX AS3549: 3,706 (91.8%) > Hurricane Electric AS6939: 3,790 (93.9%) > Qwest AS209: 3,918 (97.1%) > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > Verizon AS701: 3,938 (97.6%) > > Frank > > -----Original Message----- > From: Bryan Fields [mailto:Bryan at bryanfields.net] > Sent: Tuesday, December 21, 2010 12:56 PM > To: NANOG list > Subject: Re: IPv6 BGP table size comparisons > > On 12/21/2010 11:32, Frank Bulk wrote: >> A week or more ago someone posted in NANOG or elsewhere a site that had > made >> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE, >> Cogent, Sprint, etc), making the point that a full view might take > multiple >> feeds. I think that website also had text files with the comparisons. > > Whip yours out and lets have an on list comparison of table sizes > > :-D > -- > Bryan Fields > > 727-409-1194 - Voice > 727-214-2508 - Fax > http://bryanfields.net > > > From mksmith at adhost.com Tue Dec 21 17:12:41 2010 From: mksmith at adhost.com (Michael K. 
Smith - Adhost) Date: Tue, 21 Dec 2010 23:12:41 +0000 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> Message-ID: Here's what I see: Level 3: 2949 HE: 3775 NTT: 3867 Init7: 3665 Mike -- Michael K. Smith - CISSP, GSEC, GISP Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com w: +1 (206) 404-9500 f: +1 (206) 404-9050 PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D) > -----Original Message----- > From: Frank Bulk [mailto:frnkblk at iname.com] > Sent: Tuesday, December 21, 2010 3:08 PM > To: 'Jared Mauch' > Cc: NANOG list > Subject: RE: IPv6 BGP table size comparisons > > The provider who gave me the information didn't tell me what public route > server they used. They didn't analyze all ASNs, just the handful I listed. > > It would be interesting if someone set up a daily report that documented all > the IPv6 routes an ASN carried, and then tracked both the absolute numbers > and percentages over time. > > Frank > > -----Original Message----- > From: Jared Mauch [mailto:jared at puck.nether.net] > Sent: Tuesday, December 21, 2010 4:51 PM > To: frnkblk at iname.com > Cc: NANOG list > Subject: Re: IPv6 BGP table size comparisons > > Not sure what route-server you are speaking of, but a quick peek at what we > send on a customer session I see: > > NTT (2914) sends 3868 prefixes. > > If the route server contacts me in private, we can likely set up a view from > 2914 or 2914-customer perspective. > > - Jared > > On Dec 21, 2010, at 5:18 PM, Frank Bulk wrote: > > > There are 4,035 routes in the global IPv6 routing table. This is what one > > provider passed on to me for routes (/48 or larger prefixes), extracted > from > > public route-view servers. 
> > AT&T AS7018: 2,851 (70.7%) > > Cogent AS174: 2,864 (71.0%) > > GLBX AS3549: 3,706 (91.8%) > > Hurricane Electric AS6939: 3,790 (93.9%) > > Qwest AS209: 3,918 (97.1%) > > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > > Verizon AS701: 3,938 (97.6%) > > > > Frank > > > > -----Original Message----- > > From: Bryan Fields [mailto:Bryan at bryanfields.net] > > Sent: Tuesday, December 21, 2010 12:56 PM > > To: NANOG list > > Subject: Re: IPv6 BGP table size comparisons > > > > On 12/21/2010 11:32, Frank Bulk wrote: > >> A week or more ago someone posted in NANOG or elsewhere a site that > had > > made > >> a comparison of the IPv6 BGP table sizes of different operators (i.e. HE, > >> Cogent, Sprint, etc), making the point that a full view might take > > multiple > >> feeds. I think that website also had text files with the comparisons. > > > > Whip yours out and lets have an on list comparison of table sizes > > > > :-D > > -- > > Bryan Fields > > > > 727-409-1194 - Voice > > 727-214-2508 - Fax > > http://bryanfields.net > > > > > > > > From mike at sentex.net Tue Dec 21 18:10:39 2010 From: mike at sentex.net (Mike Tancsa) Date: Tue, 21 Dec 2010 19:10:39 -0500 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> Message-ID: <4D1141FF.6000005@sentex.net> On 12/21/2010 5:18 PM, Frank Bulk wrote: > There are 4,035 routes in the global IPv6 routing table. This is what one > provider passed on to me for routes (/48 or larger prefixes), extracted from > public route-view servers. > AT&T AS7018: 2,851 (70.7%) > Cogent AS174: 2,864 (71.0%) > GLBX AS3549: 3,706 (91.8%) > Hurricane Electric AS6939: 3,790 (93.9%) > Qwest AS209: 3,918 (97.1%) > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > Verizon AS701: 3,938 (97.6%) TATA (AS6453) out of Toronto, Canada 3,747. For my v4 transit, I only see 0.3% difference from my largest and smallest view. Where as with ipv6, the difference is almost 25%. 
For /48 and shorter, I see 757 paths missing from AS174 that I see on my other 2 v6 transit providers. ---Mike From mike at sentex.net Tue Dec 21 18:19:25 2010 From: mike at sentex.net (Mike Tancsa) Date: Tue, 21 Dec 2010 19:19:25 -0500 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D1141FF.6000005@sentex.net> References: <4D10F85B.2050800@bryanfields.net> <4D1141FF.6000005@sentex.net> Message-ID: <4D11440D.9040709@sentex.net> On 12/21/2010 7:10 PM, Mike Tancsa wrote: > On 12/21/2010 5:18 PM, Frank Bulk wrote: >> There are 4,035 routes in the global IPv6 routing table. This is what one >> provider passed on to me for routes (/48 or larger prefixes), extracted from >> public route-view servers. >> AT&T AS7018: 2,851 (70.7%) >> Cogent AS174: 2,864 (71.0%) >> GLBX AS3549: 3,706 (91.8%) >> Hurricane Electric AS6939: 3,790 (93.9%) >> Qwest AS209: 3,918 (97.1%) >> TINET (formerly Tiscali) AS3257: 3,825 (94.8%) >> Verizon AS701: 3,938 (97.6%) > > TATA (AS6453) out of Toronto, Canada 3,747. > > For my v4 transit, I only see 0.3% difference from my largest and > smallest view. Where as with ipv6, the difference is almost 25%. For > /48 and shorter, I see 757 paths missing from AS174 that I see on my > other 2 v6 transit providers. While looking at whats missing, I found this interesting /48. +2607:fed0::/32 +2607:fed8::/32 +2607:ff08:cafe::/48 +2607:ff20::/32 The 2607:ff08::/32 is visible on Cogent. But I guess they are not serving coffee there, only on TATA and HE. ---Mike From sethm at rollernet.us Tue Dec 21 18:20:33 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 21 Dec 2010 16:20:33 -0800 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> Message-ID: <4D114451.9020805@rollernet.us> On 12/21/2010 14:18, Frank Bulk wrote: > There are 4,035 routes in the global IPv6 routing table. 
This is what one > provider passed on to me for routes (/48 or larger prefixes), extracted from > public route-view servers. > AT&T AS7018: 2,851 (70.7%) > Cogent AS174: 2,864 (71.0%) > GLBX AS3549: 3,706 (91.8%) > Hurricane Electric AS6939: 3,790 (93.9%) > Qwest AS209: 3,918 (97.1%) > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > Verizon AS701: 3,938 (97.6%) > Does this mean Verizon is carrying PI /48s now? ~Seth From adrian at creative.net.au Tue Dec 21 19:08:23 2010 From: adrian at creative.net.au (Adrian Chadd) Date: Wed, 22 Dec 2010 09:08:23 +0800 Subject: [OT]: WCCPv2 and >gige? Message-ID: <20101222010823.GB406@skywalker.creative.net.au> Hi all, I have a customer who is looking for examples of WCCPv2 deployments for traffic levels > 3 gige (and above, up to 10ge.) Now I know that theoretically there's no reason why this shouldn't be the case, but as I don't have a lab of 10GE capable Cisco L3 devices, I'm unable to verify that level of behaviour. So, is anyone using WCCPv2 redirection on gige and 10ge interfaces, and mind sharing with me the equipment/configuration/IOS version? Thanks, Adrian From ml at kenweb.org Tue Dec 21 19:10:05 2010 From: ml at kenweb.org (ML) Date: Tue, 21 Dec 2010 20:10:05 -0500 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D1141FF.6000005@sentex.net> References: <4D10F85B.2050800@bryanfields.net> <4D1141FF.6000005@sentex.net> Message-ID: <4D114FED.9070008@kenweb.org> On 12/21/2010 7:10 PM, Mike Tancsa wrote: > On 12/21/2010 5:18 PM, Frank Bulk wrote: >> There are 4,035 routes in the global IPv6 routing table. This is what one >> provider passed on to me for routes (/48 or larger prefixes), extracted from >> public route-view servers. 
>> AT&T AS7018: 2,851 (70.7%) >> Cogent AS174: 2,864 (71.0%) >> GLBX AS3549: 3,706 (91.8%) >> Hurricane Electric AS6939: 3,790 (93.9%) >> Qwest AS209: 3,918 (97.1%) >> TINET (formerly Tiscali) AS3257: 3,825 (94.8%) >> Verizon AS701: 3,938 (97.6%) > > TATA (AS6453) out of Toronto, Canada 3,747. > > For my v4 transit, I only see 0.3% difference from my largest and > smallest view. Where as with ipv6, the difference is almost 25%. For > /48 and shorter, I see 757 paths missing from AS174 that I see on my > other 2 v6 transit providers. > > ---Mike > HE routes missing on Cogents side? From ml at kenweb.org Tue Dec 21 19:20:45 2010 From: ml at kenweb.org (ML) Date: Tue, 21 Dec 2010 20:20:45 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <928D2C2B-0F1F-47AE-87DB-87DF48F6A532@delong.com> References: <32850415.81292928152372.JavaMail.root@jennyfur.pelican.org> <928D2C2B-0F1F-47AE-87DB-87DF48F6A532@delong.com> Message-ID: <4D11526D.2050908@kenweb.org> On 12/21/2010 10:49 AM, Owen DeLong wrote: > > Obviously, this probably won't happen. The Telcos in the US have far too powerful a > lobbying force > > Owen > > Sad that we can admit this fact so freely. From mksmith at adhost.com Tue Dec 21 19:25:31 2010 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Wed, 22 Dec 2010 01:25:31 +0000 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D114451.9020805@rollernet.us> References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us> Message-ID: On Dec 21, 2010, at 4:20 PM, Seth Mattinen wrote: > On 12/21/2010 14:18, Frank Bulk wrote: >> There are 4,035 routes in the global IPv6 routing table. This is what one >> provider passed on to me for routes (/48 or larger prefixes), extracted from >> public route-view servers. 
>> AT&T AS7018: 2,851 (70.7%) >> Cogent AS174: 2,864 (71.0%) >> GLBX AS3549: 3,706 (91.8%) >> Hurricane Electric AS6939: 3,790 (93.9%) >> Qwest AS209: 3,918 (97.1%) >> TINET (formerly Tiscali) AS3257: 3,825 (94.8%) >> Verizon AS701: 3,938 (97.6%) >> > > > Does this mean Verizon is carrying PI /48s now? > > ~Seth > Yes they are. Mike From Bryan at bryanfields.net Tue Dec 21 19:33:39 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Tue, 21 Dec 2010 20:33:39 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D10C592.2090101@gmail.com> References: <201012210642.oBL6g94Z003903@mail.r-bonomi.com> <4D10C592.2090101@gmail.com> Message-ID: <4D115573.90103@bryanfields.net> On 12/21/2010 10:19, William Allen Simpson wrote: > The lesson here is that we need to decided what it is we are offering. As an > ISP, we never offered different rates by distance or for different types of > traffic. We did offer different rates for different sized pipes (aka volume). > That is, we offered more USPS-like than FedEx-like service. This gives me an awesome idea for an IP to V&H coordinates look-up with volume recorded. Interface it to the billing system, and we've just created a new revenue source. This if effin genius. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From frnkblk at iname.com Tue Dec 21 21:06:40 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Tue, 21 Dec 2010 21:06:40 -0600 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D11440D.9040709@sentex.net> References: <4D10F85B.2050800@bryanfields.net> <4D1141FF.6000005@sentex.net> <4D11440D.9040709@sentex.net> Message-ID: Looks like AS13722 (Default Route, Inc), is advertising both 2607:ff08:cafe::/48 and 2607:ff08::/32. 
Frank -----Original Message----- From: Mike Tancsa [mailto:mike at sentex.net] Sent: Tuesday, December 21, 2010 6:19 PM To: NANOG list Subject: Re: IPv6 BGP table size comparisons On 12/21/2010 7:10 PM, Mike Tancsa wrote: > On 12/21/2010 5:18 PM, Frank Bulk wrote: >> There are 4,035 routes in the global IPv6 routing table. This is what one >> provider passed on to me for routes (/48 or larger prefixes), extracted from >> public route-view servers. >> AT&T AS7018: 2,851 (70.7%) >> Cogent AS174: 2,864 (71.0%) >> GLBX AS3549: 3,706 (91.8%) >> Hurricane Electric AS6939: 3,790 (93.9%) >> Qwest AS209: 3,918 (97.1%) >> TINET (formerly Tiscali) AS3257: 3,825 (94.8%) >> Verizon AS701: 3,938 (97.6%) > > TATA (AS6453) out of Toronto, Canada 3,747. > > For my v4 transit, I only see 0.3% difference from my largest and > smallest view. Where as with ipv6, the difference is almost 25%. For > /48 and shorter, I see 757 paths missing from AS174 that I see on my > other 2 v6 transit providers. While looking at whats missing, I found this interesting /48. +2607:fed0::/32 +2607:fed8::/32 +2607:ff08:cafe::/48 +2607:ff20::/32 The 2607:ff08::/32 is visible on Cogent. But I guess they are not serving coffee there, only on TATA and HE. ---Mike From jsw at inconcepts.biz Tue Dec 21 21:08:43 2010 From: jsw at inconcepts.biz (Jeff Wheeler) Date: Tue, 21 Dec 2010 22:08:43 -0500 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D114451.9020805@rollernet.us> References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us> Message-ID: I could not find this information on any Wikis, but this is the sort of thing that would be nice to be able to find out without posting on the list or asking around (obviously.) I have quickly made a couple of entries with simple enough formatting that anyone can go onto Wikipedia, click Edit, and add what they know. 
This is sure to become a frequently asked question before the answer is always "yes" given that some major transit-free networks have no functional IPv6 capability of any kind.

http://en.wikipedia.org/wiki/Comparison_of_IPv6_support_by_major_transit_providers

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From mikea at mikea.ath.cx Tue Dec 21 22:27:17 2010
From: mikea at mikea.ath.cx (mikea)
Date: Tue, 21 Dec 2010 22:27:17 -0600
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To: <4D0EC245.5030103@rollernet.us>
References: <5A6D953473350C4B9995546AFE9939EE0B14CFE3@RWC-EX1.corp.seven.com> <4D0B93DE.7020201@gmail.com> <5A6D953473350C4B9995546AFE9939EE0B14CFE6@RWC-EX1.corp.seven.com> <4D0B9914.5080705@gmail.com> <4D0E843B.4010109@gmail.com> <20101220010924.GA73595@ussenterprise.ufp.org> <4D0EAF71.5090108@bryanfields.net> <20101220014804.GD38726@gerbil.cluepon.net> <4D0EBB72.50106@gmail.com> <4D0EC245.5030103@rollernet.us>
Message-ID: <20101222042717.GA27585@mikea.ath.cx>

On Sun, Dec 19, 2010 at 06:41:09PM -0800, Seth Mattinen wrote:
> Contrary to popular belief the average person tend to severely dislike
> all forms of road construction or having their yard repeatedly torn up.
>
> I know it's all happy fun times to say "let's have 10 water/electrical
> providers and you can select which molecules/electrons you want!", but
> there's a practical limit as to how much stuff one can pack under a
> street's limited right of way. If you look at what's under there right
> now it's actually quite crowded. We just don't see it because it's buried.

True indeed. My employer, the Oklahoma Dept. of Transportation, is a major owner, but not the only one, of right-of-way in the state. We have severe problems with trying to wedge into our rights-of-way all the things that people want to wedge in around our structures and drainage: pipelines, fiber, etc.
It is beginning to look as though we will have to increase the ROW width in the future, just to make it possible to run everything necessary. The lawmakers were not particularly happy about this, but I understand that they were shown some cross-section maps of places where things are quite dense, and most of them came around.

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From nanog at hostleasing.net Tue Dec 21 22:39:54 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Tue, 21 Dec 2010 23:39:54 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To: <4D114FED.9070008@kenweb.org>
References: <4D10F85B.2050800@bryanfields.net> <4D1141FF.6000005@sentex.net> <4D114FED.9070008@kenweb.org>
Message-ID: <00b801cba192$474e44c0$d5eace40$@net>

> HE routes missing on Cogents side?

I would guess HE routes missing at Cogent and Cogent routes missing at HE. Remember the cake?

http://www.datacenterknowledge.com/wp-content/uploads/2009/10/Hurricane-Cake.jpg

Or was that rectified? Mahtan?

Randy

From hank at efes.iucc.ac.il Tue Dec 21 23:29:20 2010
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Wed, 22 Dec 2010 07:29:20 +0200
Subject: IPv6 BGP table size comparisons
In-Reply-To: <4D10F986.9030107@emanon.com>
References: <4D10F85B.2050800@bryanfields.net> <4D10F85B.2050800@bryanfields.net>
Message-ID: <5.1.0.14.2.20101222072819.0365a230@efes.iucc.ac.il>

At 14:01 21/12/2010 -0500, Scott Morris wrote:

Actually it depends on the # of route injects and withdrawals. Sorry, couldn't help myself.

-Hank

> Size doesn't matter. It's how well you use it.
> Route it, baby...
> ;)
>
> On 12/21/10 1:56 PM, Bryan Fields wrote:
>
>On 12/21/2010 11:32, Frank Bulk wrote:
>
>A week or more ago someone posted in NANOG or elsewhere a site that had made
>a comparison of the IPv6 BGP table sizes of different operators (i.e. HE,
>Cogent, Sprint, etc), making the point that a full view might take multiple
>feeds.
>>> I think that website also had text files with the comparisons.
>>
>> Whip yours out and lets have an on list comparison of table sizes
>> :-D

From pauldotwall at gmail.com Tue Dec 21 23:53:18 2010
From: pauldotwall at gmail.com (Paul WALL)
Date: Wed, 22 Dec 2010 05:53:18 +0000
Subject: Holiday Songs

An old classic, but maybe it will help put everyone in the holiday spirit.

The Twelve Days of NYIIX
------------------------

On the first day of Christmas, NYIIX gave to me,
A BPDU from someone's spanning tree.

On the second day of Christmas, NYIIX gave to me,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the third day of Christmas, NYIIX gave to me,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the fourth day of Christmas, NYIIX gave to me,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the fifth day of Christmas, NYIIX gave to me,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the sixth day of Christmas, NYIIX gave to me,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the seventh day of Christmas, NYIIX gave to me,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the eighth day of Christmas, NYIIX gave to me,
Eight defaulting peers,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.
On the ninth day of Christmas, NYIIX gave to me,
Nine CDP neighbors,
Eight defaulting peers,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the tenth day of Christmas, NYIIX gave to me,
Ten proxy ARPs,
Nine CDP neighbors,
Eight defaulting peers,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the eleventh day of Christmas, NYIIX gave to me,
Eleven OSPF hellos,
Ten proxy ARPs,
Nine CDP neighbors,
Eight defaulting peers,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

On the twelfth day of Christmas, NYIIX gave to me,
Twelve peers in half-duplex,
Eleven OSPF hellos,
Ten proxy ARPs,
Nine CDP neighbors,
Eight defaulting peers,
Seven broadcast floods,
Six maintenance notices,
Five flapping sessions,
Four Foundry crashes,
Three routing leaks,
Two forwarding loops,
And a BPDU from someone's spanning tree.

From pekkas at netcore.fi Wed Dec 22 01:24:12 2010
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 22 Dec 2010 09:24:12 +0200 (EET)
Subject: IPv6 BGP table size comparisons
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us>

On Tue, 21 Dec 2010, Jeff Wheeler wrote:
> http://en.wikipedia.org/wiki/Comparison_of_IPv6_support_by_major_transit_providers

'Maximum Prefix Length' may be an over-simplifying metric. FWIW, we're certainly not a major transit provider, but we do allow /48 in the designated PI ranges but not in the PA ranges. So the question is not necessarily just about the prefix length used because it might vary by the prefix.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From jsw at inconcepts.biz Wed Dec 22 02:13:14 2010
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Wed, 22 Dec 2010 03:13:14 -0500
Subject: IPv6 BGP table size comparisons
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us>

On Wed, Dec 22, 2010 at 2:24 AM, Pekka Savola wrote:
> 'Maximum Prefix Length' may be an over-simplifying metric. FWIW, we're certainly not a major transit provider, but we do allow /48 in the designated PI ranges but not in the PA ranges. So the question is not necessarily just about the prefix length used because it might vary by the prefix.

I know it is an over-simplification. If someone wishes to edit the page to provide more specific details about the route filtering policy for a given transit network, Wikipedia is pretty easy to edit. Hopefully they would provide a citation/link to the policy page for the NSP as well.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts

From jcdill.lists at gmail.com Wed Dec 22 02:13:35 2010
From: jcdill.lists at gmail.com (JC Dill)
Date: Wed, 22 Dec 2010 00:13:35 -0800
Subject: Holiday Songs
Message-ID: <4D11B32F.7010202@gmail.com>

Network Working Group                                        B. Hancock
Request for Comments: 1882        Network-1 Software and Technology, Inc.
Category: Informational                                   December 1995

The 12-Days of Technology Before Christmas

Status of this Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Discussion

On the first day of Christmas, technology gave to me:
A database with a broken b-tree (what the hell is a b-tree anyway?)

On the second day of Christmas, technology gave to me:
Two transceiver failures (CRC errors? Collisions? What is going on?)
And a database with a broken b-tree (Rebuild WHAT? It's a 10GB database!)
On the third day of Christmas, technology gave to me:
Three French users (who, of course, think they know everything)
Two transceiver failures (which are now spewing packets all over the net)
And a database with a broken b-tree (Backup? What backup?)

On the fourth day of Christmas, technology gave to me:
Four calls for support (playing the same Christmas song over and over)
Three French users (Why do they like to argue so much over trivial things?)
Two transceiver failures (How the hell do I know which ones they are?)
And a database with a broken b-tree (Pointer error? What's a pointer error?)

On the fifth day of Christmas, technology gave to me:
Five golden SCSI contacts (Of course they're better than silver!)
Four support calls (Ever notice how time stands still when on hold?)
Three French users (No, we don't have footpedals on PC's. Why do you ask?)
Two transceiver failures (If I knew which ones were bad, I would know which ones to fix!)
And a database with a broken b-tree (Not till next week? Are you nuts?!?!)

On the sixth day of Christmas, technology gave to me:
Six games a-playing (On the production network, of course!)
Five golden SCSI contacts (What do you mean "not terminated!")
Four support calls (No, don't transfer me again - do you HEAR? Damn!)
Three French users (No, you cannot scan in by putting the page to the screen...)
Two transceiver failures (I can't look at the LEDs - they're in the ceiling!)
And a database with a broken b-tree (Norway? That's where this was written?)

On the seventh day of Christmas, technology gave to me:
Seven license failures (Expired? When?)
Six games a-playing (Please stop tying up the PBX to talk to each other!)
Five golden SCSI contacts (What do you mean I need "wide" SCSI?)
Four support calls (At least the Muzak is different this time...)
Three French Users (Well, monsieur, there really isn't an "any" key, but...)
Two transceiver failures (SQE? What is that? If I knew I would set it myself!)
And a database with a broken b-tree (No, I really need to talk to Lars - NOW!)

On the eighth day of Christmas, technology gave to me:
Eight MODEMs dialing (Who bought these? They're a security violation!)
Seven license failures (How many WEEKS to get a license?)
Six games a-playing (What do you mean one pixel per packet on updates?!?)
Five golden SCSI contacts (Fast SCSI? It's supposed to be fast, isn't it?)
Four support calls (I already told them that! Don't transfer me back - DAMN!)
Three French users (No, CTL-ALT-DEL is not the proper way to end a program)
Two transceiver failures (What do you mean "babbling transceiver"?)
And a database with a broken b-tree (Does anyone speak English in Oslo?)

On the ninth day of Christmas, technology gave to me:
Nine lady executives with attitude (She said do WHAT with the servers?)
Eight MODEMs dialing (You've been downloading WHAT?)
Seven license failures (We sent the P.O. two months ago!)
Six games a-playing (HOW many people are doing this to the network?)
Five golden SCSI contacts (What do you mean two have the same ID?)
Four support calls (No, I am not at the console - I tried that already.)
Three French users (No, only one floppy fits at a time? Why do you ask?)
Two transceiver failures (Spare? What spare?)
And a database with a broken b-tree (No, I am trying to find Lars! L-A-R-S!)

On the tenth day of Christmas, technology gave to me:
Ten SNMP alerts flashing (What is that Godawful beeping?)
Nine lady executives with attitude (No, it used to be a mens room? Why?)
Eight MODEMs dialing (What Internet provider? We don't allow Internet here!)
Seven license failures (SPA? Why are they calling us?)
Six games a-playing (No, you don't need a graphics accelerator for Lotus!)
Five golden SCSI contacts (You mean I need ANOTHER cable?)
Four support calls (No, I never needed an account number before...)
Three French users (When the PC sounds like a cat, it's a head crash!)
Two transceiver failures (Power connection? What power connection?)
And a database with a broken b-tree (Restore what index pointers?)

On the eleventh day of Christmas, technology gave to me:
Eleven boards a-frying (What is that terrible smell?)
Ten SNMP alerts flashing (What's a MIB, anyway? What's an extension?)
Nine lady executives with attitude (Mauve? Our computer room tiles in mauve?)
Eight MODEMs dialing (What do you mean you let your roommate dial-in?)
Seven license failures (How many other illegal copies do we have?!?!)
Six games a-playing (I told you - AFTER HOURS!)
Five golden SCSI contacts (If I knew what was wrong, I wouldn't be calling!)
Four support calls (Put me on hold again and I will slash your credit rating!)
Three French users (Don't hang your floppies with a magnet again!)
Two transceiver failures (How should I know if the connector is bad?)
And a database with a broken b-tree (I already did all of that!)

On the twelfth day of Christmas, technology gave to me:
Twelve virtual pipe connections (There's only supposed to be two!)
Eleven boards a-frying (What's a surge suppressor supposed to do, anyway?)
Ten SNMP alerts flashing (From a distance, it does kinda look like XMas lights.)
Nine lady executives with attitude (What do you mean aerobics before backups?)
Eight MODEMs dialing (No, we never use them to connect during business hours.)
Seven license failures (We're all going to jail, I just know it.)
Six games a-playing (No, no - my turn, my turn!)
Five golden SCSI contacts (Great, just great! Now it won't even boot!)
Four support calls (I don't have that package! How did I end up with you!)
Three French users (I don't care if it is sexy, no more nude screen backgrounds!)
Two transceiver failures (Maybe we should switch to token ring...)
And a database with a broken b-tree (No, operator - Oslo, Norway. We were just talking and were cut off...)

Security Considerations

Security issues are not discussed in this memo.

Author's Address

Bill Hancock, Ph.D.
Network-1 Software & Technology, Inc.
DFW Research Center
878 Greenview Dr.
Grand Prairie, TX 75050

EMail: hancock at network-1.com
Phone: (214) 606-8200
Fax: (214) 606-8220

From: http://www.faqs.org/rfcs/rfc1882.html

From nanog at hostleasing.net Wed Dec 22 02:36:21 2010
From: nanog at hostleasing.net (Randy Epstein)
Date: Wed, 22 Dec 2010 03:36:21 -0500
Subject: FCC petition filed by some members of NANOG in regards to Comcast and ratios as a peering criteria
In-Reply-To: <01d701cb9cb6$e9994cb0$bccbe610$@net>
References: <01d701cb9cb6$e9994cb0$bccbe610$@net>
Message-ID: <00ef01cba1b3$4fee5b30$efcb1190$@net>

As previously mentioned, the following FCC petition has been filed in regards to Comcast's peering practices (one issue being ratios as a peering criteria) by a group of NANOG members:

http://fjallfoss.fcc.gov/ecfs/document/view?id=7021024373

Regards,
Randy

From sstack at citco.com Wed Dec 22 03:00:44 2010
From: sstack at citco.com (Stack, Stephen (Citco))
Date: Wed, 22 Dec 2010 09:00:44 +0000
Subject: Holiday Songs
Message-ID: <1691673F105F974E97B60CC2263A6A2F468AAD93B3@CRK2MSEXM01.ad.ent.citco.com>

Excellent :)

Stephen Stack
Systems Administrator - Network

-----Original Message-----
From: Paul WALL [mailto:pauldotwall at gmail.com]
Sent: 22 December 2010 05:53
To: NANOG list
Subject: Holiday Songs
From rluethje at gmail.com Wed Dec 22 03:06:56 2010
From: rluethje at gmail.com (Robert Luethje)
Date: Wed, 22 Dec 2010 04:06:56 -0500
Subject: Holiday Songs
References: <4D11B32F.7010202@gmail.com>
Message-ID: <000e01cba1b7$96491490$6401a8c0@knightmareserv>

(must delurk to say)

Very nice! May I show this to family?

Robert

----- Original Message -----
From: "JC Dill"
Cc: "NANOG list"
Sent: Wednesday, December 22, 2010 3:13 AM
Subject: Re: Holiday Songs
From bzeeb-lists at lists.zabbadoz.net Wed Dec 22 03:46:54 2010
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed, 22 Dec 2010 09:46:54 +0000 (UTC)
Subject: IPv6 BGP table size comparisons
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us>
Message-ID: <20101222093958.J6126@maildrop.int.zabbadoz.net>

Hi,

I love that people compare absolute numbers but have you also checked how much noise is in there?

Back in the times when I was handling a /32 for someone, I created really strict filters and was shocked. The last version (really outdated these days, so don't use it, Cisco style) was here:
http://sources.zabbadoz.net/ipv6/v6-prefix-filter-20080703-public.cfg

People might say that it would not be helpful at all as we want IPv6 deployed but on the other hand people apply their doings of the last 10 years 1:1 to IPv6 and continue on the same mistakes which will not be helpful either.

I would really love to see weekly Routing Reports for IPv6 as we have them for legacy IP rather sooner than later.

/bz

--
Bjoern A. Zeeb                                 Welcome a new stage of life.
Going to jail sucks -- All my daemons like it!
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

From s-kuboki at dti.ad.jp Wed Dec 22 04:53:40 2010
From: s-kuboki at dti.ad.jp (Shinichi Kuboki)
Date: Wed, 22 Dec 2010 19:53:40 +0900
Subject: I can't access this page. (http://www.xbox.com)
Message-ID: <20101222195340.B29A.61B57386@dti.ad.jp>

Hi Everybody

We are an ISP in Japan to which IP 49/8 is allocated from JPNIC.
It seems that IP addresses starting from 49/8 are refused on your website (http://www.xbox.com).

As APNIC has permitted us to allocate the customer IP 49/8 (Aug 2010), please remove IP 49/8 from the filtering No. list of your website.

Please refer to the following for detailed information on 49/8:
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

From pekkas at netcore.fi Wed Dec 22 05:59:22 2010
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 22 Dec 2010 13:59:22 +0200 (EET)
Subject: IPv6 BGP table size comparisons
In-Reply-To: <20101222093958.J6126@maildrop.int.zabbadoz.net>
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us> <20101222093958.J6126@maildrop.int.zabbadoz.net>

On Wed, 22 Dec 2010, Bjoern A. Zeeb wrote:
> People might say that it would not be helpful at all as we want IPv6 deployed but on the other hand people apply their doings of the last 10 years 1:1 to IPv6 and continue on the same mistakes which will not be helpful either.

Indeed...

> I would really love to see weekly Routing Reports for IPv6 as we have them for legacy IP rather sooner than later.

This would provide statistics and might be useful from historical POV, but I fear the operational impact of published IPv4 Routing Table reports is close to zero. (E.g. 'does it help in making people stop advertising unnecessary more-specific routes?'.) I don't expect that to change.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From jared at puck.nether.net Wed Dec 22 06:38:34 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 22 Dec 2010 07:38:34 -0500
Subject: IPv6 BGP table size comparisons
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us> <20101222093958.J6126@maildrop.int.zabbadoz.net>

On Dec 22, 2010, at 6:59 AM, Pekka Savola wrote:
> This would provide statistics and might be useful from historical POV, but I fear the operational impact of published IPv4 Routing Table reports is close to zero. (E.g. 'does it help in making people stop advertising unnecessary more-specific routes?'.) I don't expect that to change.

Actually, at the last NANOG meeting there was some value in calling out one ISP. They didn't respond publicly but several folks came over and said they were going to take corrective action.

- Jared

From drew.weaver at thenap.com Wed Dec 22 08:14:42 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 22 Dec 2010 09:14:42 -0500
Subject: C/D[WDM]

Anyone have any opinion on a user friendly and low-to-mid-priced CWDM or DWDM system?

We need to take one pair of dark fiber and get about 5-6 10G ports on both sides.

This is the info that the DF provider has given us on the route:

Operating Wavelength: 1310/1550nm
Maximum Attenuation: 0.35 dB/km for 1310 wavelength
                     0.25 dB/km for 1550 wavelength

Any suggestions would be tremendously helpful.

thanks,
-Drew

From theghost101 at gmail.com Wed Dec 22 08:31:32 2010
From: theghost101 at gmail.com (Danijel)
Date: Wed, 22 Dec 2010 15:31:32 +0100
Subject: C/D[WDM]

This should fit the pricerange:
http://www.cubeoptics.com/passive_components.php

Haven't used them yet but know of one local operator that is using them and is very satisfied...

--
*blap*

On Wed, Dec 22, 2010 at 15:14, Drew Weaver wrote:
> Anyone have any opinion on a user friendly and low-to-mid-priced CWDM or DWDM system?
>
> We need to take one pair of dark fiber and get about 5-6 10G ports on both sides.
>
> This is the info that the DF provider has given us on the route:
>
> Operating Wavelength: 1310/1550nm
> Maximum Attenuation: 0.35 dB/km for 1310 wavelength
>                      0.25 dB/km for 1550 wavelength
>
> Any suggestions would be tremendously helpful.
>
> thanks,
> -Drew

From owen at delong.com Wed Dec 22 10:11:01 2010
From: owen at delong.com (Owen DeLong)
Date: Wed, 22 Dec 2010 08:11:01 -0800
Subject: IPv6 BGP table size comparisons
References: <4D10F85B.2050800@bryanfields.net> <4D114451.9020805@rollernet.us> <20101222093958.J6126@maildrop.int.zabbadoz.net>
Message-ID: <95392DE7-BEB6-4A3D-BC54-BD36A1514095@delong.com>

>> I would really love to see weekly Routing Reports for IPv6 as we have them for legacy IP rather sooner than later.
>
> This would provide statistics and might be useful from historical POV, but I fear the operational impact of published IPv4 Routing Table reports is close to zero. (E.g. 'does it help in making people stop advertising unnecessary more-specific routes?'.) I don't expect that to change.

Today, probably not much. In the past when it started, yes, a great deal.

Owen

From jg at freedesktop.org Wed Dec 22 10:48:22 2010
From: jg at freedesktop.org (Jim Gettys)
Date: Wed, 22 Dec 2010 11:48:22 -0500
Subject: TCP congestion control and large router buffers
In-Reply-To: <607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com>
References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org> <607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com>
Message-ID: <4D122BD6.5070503@freedesktop.org>

On 12/21/2010 04:24 PM, Fred Baker wrote:
>
> On Dec 20, 2010, at 11:18 PM, Mikael Abrahamsson wrote:
>
>> On Mon, 20 Dec 2010, Jim Gettys wrote:
>>
>>> Common knowledge among whom? I'm hardly a naive Internet user.
>>
>> Anyone actually looking into the matter.
The Cisco "fair-queue" command was introduced in IOS 11.0 according to to somewhat handle the problem. I have no idea when this was in time, but I guess early 90:ties? > > 1995. I know the guy that wrote the code. Meet me in a bar and we can share war stories. The technology actually helps with problems like RFC 6057 addresses pretty effectively. > >>> is a good idea, you aren't old enough to have experienced the NSFnet collapse during the 1980's (as I did). I have post-traumatic stress disorder from that experience; I'm worried about the confluence of these changes, folks. >> >> I'm happy you were there, I was under the impression that routers had large buffers back then as well? > > Not really. Yup, several of us were there. The common routers on the NSFNET and related networks were fuzzballs, which had 8 (count them, 8) 576 byte buffers, Cisco AGS/AGS+, and Proteon routers. The Cisco routers of the day generally had 40 buffers on each interface by default, and might have had configuration changes; I can't comment on the Proteon routers. For a 56 KBPS line, given 1504 bytes per message (1500 bytes IP+data, and four bytes of HDLC overhead), that's theoretically 8.5 seconds. But given that messages were in fact usually 576 bytes of IP data (cf "fuzzballs" and unix behavior for off-LAN communications) and interspersed with TCP control messages (Acks, SYNs, FINs, RST), real queue depths were more like two seconds at a bottleneck router. The question would be the impact of a sequence of routers all acting as bottlenecks. > > IMHO, AQM (RED or whatever) is your friend. The question is what to set min-threshold to. Kathy Nichols (Van's wife) did a lot of simulations. 
I don't know that the paper was ever published, but as I recall she wound up recommending something like this:
>
> line rate   ms queue depth
> (MBPS)      RED min-threshold
>      2        32
>     10        16
>    155         8
>    622         4
>  2,500         2
> 10,000         1
>

I don't know if you are referring to the "RED in a different light" paper: that was never published, though an early draft escaped and can be found on the net. "RED in a different light" identifies two bugs in the RED algorithm, and proposes a better algorithm that only depends on the link output bandwidth. That draft still has a bug. The (almost completed) version of the paper that never got published; Van has retrieved it from back up, and I'm trying to pry it out of Van's hands to get it converted to something we can read today (it's in FrameMaker). In the meanwhile, turn on (W)RED! For routers run by most people on this list, it's always way better than nothing, even if Van doesn't think classic RED will solve the home router bufferbloat problem. (where we have 2 orders of magnitude variation of wireless bandwidth along with highly variable workload). That's not true in the internet core. >> But yes, I agree that we'd all be much helped if manufacturers of both ends of all links had the common decency of introducing a WRED (with ECN marking) AQM that had 0% drop probability at 40ms and 100% drop probability at 200ms (and linear increase between). > > so, min-threshold=40 ms and max-threshold=200 ms. That's good on low speed links; it will actually control queue depths to an average of O(min-threshold) at whatever value you set it to. The problem with 40 ms is that it interacts poorly with some applications, notably voice and video. > > It also doesn't match well to published studies like http://www.pittsburgh.intel-research.net/~kpapagia/papers/p2pdelay-analysis.pdf. In that study, a min-threshold of 40 ms would have cut in only on six a-few-second events in the course of a five hour sample.
If 40 ms is on the order of magnitude of a typical RTT, it suggests that you could still have multiple retransmissions from the same session in the same queue. > > A good photo of buffer bloat is at > ftp://ftpeng.cisco.com/fred/RTT/Pages/4.html > ftp://ftpeng.cisco.com/fred/RTT/Pages/5.html > > The first is a trace I took overnight in a hotel I stayed in. Never mind the name of the hotel, it's not important. The second is the delay distribution, which is highly unusual - you expect to see delay distributions more like > > ftp://ftpeng.cisco.com/fred/RTT/Pages/8.html Thanks, Fred! Can I use these in the general bufferbloat talk I'm working on with attribution? It's a far better example/presentation in a graphic form than I currently have for the internet core case (where I don't even have anything other than memory of probing the hotel's ISP's network). > > (which actually shows two distributions - the blue one is fairly normal, and the green one is a link that spends much of the day chock-a-block). > > My conjecture re 5.html is that the link *never* drops, and at times has as many as nine retransmissions of the same packet in it. The spikes in the graph are about a TCP RTO timeout apart. That's a truly worst case. For N-1 of the N retransmissions, it's a waste of storage space and a waste of bandwidth. > > AQM is your friend. Your buffer should be able to temporarily buffer as much as an RTT of traffic, which is to say that it should be large enough to ensure that if you get a big burst followed by a silent period you should be able to use the entire capacity of the link to ride it out. Your min-threshold should be at a value that makes your median queue depth relatively shallow. The numbers above are a reasonable guide, but as in all things, YMMV. Yup. AQM is our friend. And we need it in many places we hadn't realised we did (like our OS's). 
- Jim From fred at cisco.com Wed Dec 22 11:14:33 2010 From: fred at cisco.com (Fred Baker) Date: Wed, 22 Dec 2010 09:14:33 -0800 Subject: TCP congestion control and large router buffers In-Reply-To: <4D122BD6.5070503@freedesktop.org> References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org> <607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com> <4D122BD6.5070503@freedesktop.org> Message-ID: <7218A65E-D0CB-417B-A5F2-9E2337707340@cisco.com> On Dec 22, 2010, at 8:48 AM, Jim Gettys wrote: > I don't know if you are referring to the "RED in a different light" paper: that was never published, though an early draft escaped and can be found on the net. Precisely. > "RED in a different light" identifies two bugs in the RED algorithm, and proposes a better algorithm that only depends on the link output bandwidth. That draft still has a bug. > > The (almost completed) version of the paper that never got published; Van has retrieved it from back up, and I'm trying to pry it out of Van's hands to get it converted to something we can read today (it's in FrameMaker). > > In the meanwhile, turn on (W)RED! For routers run by most people on this list, it's always way better than nothing, even if Van doesn't think classic RED will solve the home router bufferbloat problem. (where we have 2 orders of magnitude variation of wireless bandwidth along with highly variable workload). That's not true in the internet core. > >>> But yes, I agree that we'd all be much helped if manufacturers of both ends of all links had the common decency of introducing a WRED (with ECN marking) AQM that had 0% drop probability at 40ms and 100% drop probability at 200ms (and linear increase between). >> >> so, min-threshold=40 ms and max-threshold=200 ms. That's good on low speed links; it will actually control queue depths to an average of O(min-threshold) at whatever value you set it to. 
The problem with 40 ms is that it interacts poorly with some applications, notably voice and video. >> >> It also doesn't match well to published studies like http://www.pittsburgh.intel-research.net/~kpapagia/papers/p2pdelay-analysis.pdf. In that study, a min-threshold of 40 ms would have cut in only on six a-few-second events in the course of a five hour sample. If 40 ms is on the order of magnitude of a typical RTT, it suggests that you could still have multiple retransmissions from the same session in the same queue. >> >> A good photo of buffer bloat is at >> ftp://ftpeng.cisco.com/fred/RTT/Pages/4.html >> ftp://ftpeng.cisco.com/fred/RTT/Pages/5.html >> >> The first is a trace I took overnight in a hotel I stayed in. Never mind the name of the hotel, it's not important. The second is the delay distribution, which is highly unusual - you expect to see delay distributions more like >> >> ftp://ftpeng.cisco.com/fred/RTT/Pages/8.html > > Thanks, Fred! Can I use these in the general bufferbloat talk I'm working on with attribution? It's a far better example/presentation in a graphic form than I currently have for the internet core case (where I don't even have anything other than memory of probing the hotel's ISP's network). Yes. Do me a favor and remove the name of the hotel. They don't need the bad press. >> >> (which actually shows two distributions - the blue one is fairly normal, and the green one is a link that spends much of the day chock-a-block). >> >> My conjecture re 5.html is that the link *never* drops, and at times has as many as nine retransmissions of the same packet in it. The spikes in the graph are about a TCP RTO timeout apart. That's a truly worst case. For N-1 of the N retransmissions, it's a waste of storage space and a waste of bandwidth. >> >> AQM is your friend. 
Your buffer should be able to temporarily buffer as much as an RTT of traffic, which is to say that it should be large enough to ensure that if you get a big burst followed by a silent period you should be able to use the entire capacity of the link to ride it out. Your min-threshold should be at a value that makes your median queue depth relatively shallow. The numbers above are a reasonable guide, but as in all things, YMMV. > > Yup. AQM is our friend. > > And we need it in many places we hadn't realised we did (like our OS's). > - Jim > From kompella at cs.purdue.edu Wed Dec 22 12:39:48 2010 From: kompella at cs.purdue.edu (Ramana Kompella) Date: Wed, 22 Dec 2010 13:39:48 -0500 Subject: COMSNETS 2011 (Call for Participation) Message-ID: <20101222183948.GA17976@tirupati> ** Apologies if you received multiple copies of this call for participation ** ** Conference less than 2 weeks away ** COMSNETS 2011 The THIRD International Conference on COMmunication Systems and NETworks January 4-8, 2011, Bangalore, India http://www.comsnets.org Email: comsnets2011 at ece.iisc.ernet.in (In Co-operation with ACM SIGMOBILE) (Technically Co-Sponsored by IEEE COMSOC) The Third International Conference on COMmunication Systems and NETworkS (COMSNETS) will be held in Bangalore, India, from 4 January 2011 to 8 January 2011. COMSNETS is a premier international conference dedicated to addressing advances in Networking and Communications Systems, and Telecommunications services. The goal of the conference is to create a world-class gathering of researchers from academia and industry, practitioners, business leaders, intellectual property experts, and venture capitalists, providing a forum for discussing cutting edge research, and directions for new innovative business and technology. 
The conference will include a highly selective technical program consisting of parallel tracks of submitted papers, a small set of invited papers on important and timely topics from well-known leaders in the field, and poster sessions of work in progress. Focused workshops and panel discussions will be held on emerging topics to allow for a lively exchange of ideas. International business and government leaders will be invited to share their perspectives, thus complementing the technical program. Registration site: http://www.comsnets.org/registration.html. Heavy student discounts available. We look forward to your participation. Conference Scope ---------------- Internet Architecture and Protocols Network-based Applications Video Distribution (IPTV, Mobile Video, Video on Demand) Network Operations and Management Broadband and Cellular Networks (3G/4G, WiMAX/LTE) Mesh, Sensor and PAN Networks Communication Software (Cognitive Radios, DSA, SDR) Wireless Operating Systems and Mobile Platforms Peer-to-peer Networking Cognitive Radio and White Space Networking Optical Networks Network Security & Cyber Security Technologies Cloud and Utility computing Storage Area Networks Next Generation Web Architectures Vehicular Networking Energy-Efficient Networking Network Science and Emergent Behavior in Socio-Technical Networks Social Networking Analysis, Middleware and Applications Networking Technologies for Smart Energy Grids Disruption/Delay Tolerant Networking Conference Highlights --------------------- Conference Inaugural Speaker: Prof. Raj Jain, Washington U. , St. Louis, USA Banquet speakers: Dr. Rajeev Rastogi, Yahoo Research, India Mr. Venkat Rajendran, Billonways Holdings Pvt. Ltd, India Keynote Speakers: Prof. Don Towsley, U. Mass Amherst, USA Dr. Partho Mishra, Cisco, India Mr. Subu Goparaju, Infosys, India Dr. Pravin Bhagwat, AirTight Networks, India Dr. Jean Bolot, Sprint, USA Mr. 
Michael Eisler, NetApp Inc, USA Workshops: WISARD (4, 5 Jan) NetHealth (4 Jan) IAMCOM (5 Jan) Mobile India 2011 (7 Jan) Technical Paper and Poster Sessions Ph.D Forum Panel Discussions Demos & Exhibits General Co-Chairs ----------------- David B. Johnson, Rice University, USA Anurag Kumar, IISc Bangalore, India Technical Program Co-Chairs --------------------------- Jon Crowcroft, U. of Cambridge, UK D. Manjunath, IIT Bombay, India Archan Misra, Telcordia Tech., USA Steering Committee Co-Chairs ---------------------------- Uday Desai, IIT Hyderabad, India Giridhar Mandyam, Qualcomm, USA Sanjoy Paul, Infosys, India Rajeev Shorey, NIIT University, India G. Venkatesh, SASKEN, India Panel Co-Chairs --------------- Aditya Akella, U. of Wisconsin, USA Venkat Padmanabhan, MSR, India Ph.D Forum Chair ---------------- Bhaskaran Raman, IIT Bombay, India Publications Chair ------------------ Varsha Apte, IIT Bombay, India Demos and Exhibits Co-Chairs ---------------------------- Aaditeshwar Seth, IIT Delhi, India Ajay Bakre, Netapps, India Sponsorship Chair ----------------- Sudipta Maitra, Delhi, India Workshop Chairs --------------- Sharad Jaiswal, Alcatel-Lucent, India Ravindran Kaliappa, CUNY, USA Neelesh Mehta, IISc Bangalore, India Mobile India 2011 Co-Chairs --------------------------- Gene Landy, Ruperto-Israel & Weiner, USA Rajaraghavan Setlur, SASKEN, India Sridhar Varadharajan, SASKEN, India Publicity Co-Chair ------------------ Augustin Chaintreau, TTL, France Kameswari Chebrolu, IIT Bombay, India Song Chong, KAIST, Korea Ramana Kompella, Purdue Univ, USA Nishanth Sastry, U. of Cambridge, UK Web Co-Chairs ------------- Santhana Krishnan, IIT Bombay, India Vinay Veerappa, SASKEN, India International Advisory Committee -------------------------------- K. K. Ramakrishnan, AT&T, USA Victor Bahl, Microsoft Research, USA Sunghyun Choi, Seoul National U., Korea Sajal Das, U. Texas at Arlington, USA B. N. Jain, IIT Delhi, India P. R.
Kumar, UIUC, USA Anurag Kumar, IISc, Bangalore, India L. M. Patnaik, IISc, Bangalore, India Krithi Ramamritham, IIT Bombay, India Parmesh Ramanathan, U. Wisconsin, USA Krishan Sabnani, Alcatel-Lucent, USA Kang Shin, U. Michigan, USA Nitin Vaidya, U. Illinois, USA University Partners: -------------------- IIT Bombay, IIT Delhi, IISc Bangalore, IIT Hyderabad, NIIT University, BITS Pilani Patrons: -------- CISCO, Infosys, Alcatel Lucent, Intel, Microsoft Research, IBM Research, Sasken, Datacipher, Mobile Monday Bangalore From gbonser at seven.com Wed Dec 22 13:03:29 2010 From: gbonser at seven.com (George Bonser) Date: Wed, 22 Dec 2010 11:03:29 -0800 Subject: TCP congestion control and large router buffers In-Reply-To: <4D122BD6.5070503@freedesktop.org> References: <1291907382.19262.212.camel@shrike><4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org><607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com> <4D122BD6.5070503@freedesktop.org> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC1311A@RWC-EX1.corp.seven.com> > I don't know if you are referring to the "RED in a different light" > paper: that was never published, though an early draft escaped and can > be found on the net. > > "RED in a different light" identifies two bugs in the RED algorithm, > and > proposes a better algorithm that only depends on the link output > bandwidth. That draft still has a bug. I also noticed another paper published later that references "RED in a different light": http://www.icir.org/floyd/adaptivered/ Adaptive RED: An Algorithm for Increasing the Robustness of RED's Active Queue Management (postscript, PDF). Sally Floyd, Ramakrishna Gummadi, and Scott Shenker. August 1, 2001. 
And this one: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.98.1556&rep=rep1&type=pdf July 15, 2002 Active Queue Management using Adaptive RED Rahul Verma, Aravind Iyer and Abhay Karandikar But it doesn't look like aRED went anywhere From tmagill at providecommerce.com Wed Dec 22 14:07:59 2010 From: tmagill at providecommerce.com (Thomas Magill) Date: Wed, 22 Dec 2010 20:07:59 +0000 Subject: DDoS Detection with netflow? Message-ID: Has anyone run across any DDoS/anomaly detection applications that are based on netflow, preferably v9? I ran across a really old application called Panoptis, but it does not appear to have any recent development. Does anyone have any experience with this product or anything similar? Thomas Magill Network Engineer Office: (858) 909-3777 Cell: (858) 869-9685 tmagill at providecommerce.com provide-commerce 4840 Eastgate Mall San Diego, CA 92121 ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries From tim.connolly at farecompare.com Wed Dec 22 14:24:59 2010 From: tim.connolly at farecompare.com (Tim Connolly) Date: Wed, 22 Dec 2010 14:24:59 -0600 Subject: Skype info Message-ID: Any word as to the root cause of the skype outage(s)? Tim Connolly Director of IT FareCompare 18111 Preston Rd Suite 800 Dallas, TX 75252 Email: tim.does.not.want.spam.connolly at farecompare.com Phone: +1 (972) 588-xxx Cell: +1 (214) 882-xxxx Web: www.farecompare.com Find deals from your airport | Connect with FareCompare on Facebook From paul at paulgraydon.co.uk Wed Dec 22 14:29:41 2010 From: paul at paulgraydon.co.uk (Paul Graydon) Date: Wed, 22 Dec 2010 10:29:41 -1000 Subject: Skype info In-Reply-To: References: Message-ID: <4D125FB5.4090107@paulgraydon.co.uk> On 12/22/2010 10:24 AM, Tim Connolly wrote: > Any word as to the root cause of the skype outage(s)?
> > Tim Connolly > Director of IT > Details are on their blog: http://bit.ly/edtjxB Essentially the supernodes clients connected to started dying, so they're setting up temporary mega-supernodes whilst the supernodes are fixed. Paul From morrowc.lists at gmail.com Wed Dec 22 14:44:14 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 22 Dec 2010 15:44:14 -0500 Subject: DDoS Detection with netflow? In-Reply-To: References: Message-ID: On Wed, Dec 22, 2010 at 3:07 PM, Thomas Magill wrote: > Has anyone run across any DDoS/anomaly detection applications that are based on netflow, preferably v9? I ran across a really old application called Panoptis, but it does not appear to have any recent development. Does anyone have any experience with this product or anything similar? > From jack at crepinc.com Wed Dec 22 14:46:11 2010 From: jack at crepinc.com (Jack Carrozzo) Date: Wed, 22 Dec 2010 15:46:11 -0500 Subject: Skype info In-Reply-To: <4D125FB5.4090107@paulgraydon.co.uk> References: <4D125FB5.4090107@paulgraydon.co.uk> Message-ID: On Wed, Dec 22, 2010 at 3:29 PM, Paul Graydon wrote: > > >> Details are on their blog: http://bit.ly/edtjxB %wget http://blogs.skype.com/ -O/dev/null --2010-12-22 20:45:36-- http://blogs.skype.com/ Resolving blogs.skype.com... 204.9.163.155 Connecting to blogs.skype.com|204.9.163.155|:80... failed: Operation timed out. ... -Jack From jeremyparr at gmail.com Wed Dec 22 14:52:11 2010 From: jeremyparr at gmail.com (Jeremy Parr) Date: Wed, 22 Dec 2010 15:52:11 -0500 Subject: Skype info In-Reply-To: References: <4D125FB5.4090107@paulgraydon.co.uk> Message-ID: Skype downtime today Earlier today, we noticed that the number of people online on Skype was falling, which wasn't typical or expected, so we began to investigate. Skype isn't a network like a conventional phone or IM network - instead, it relies on millions of individual connections between computers and phones to keep things up and running.
Some of these computers are what we call "supernodes" - they act a bit like phone directories for Skype. If you want to talk to someone, and your Skype app can't find them immediately (for example, because they're connecting from a different location or from a different device) your computer or phone will first try to find a supernode to figure out how to reach them. Under normal circumstances, there are a large number of supernodes available. Unfortunately, today, many of them were taken offline by a problem affecting some versions of Skype. As Skype relies on being able to maintain contact with supernodes, it may appear offline for some of you. What are we doing to help? Our engineers are creating new "mega-supernodes" as fast as they can, which should gradually return things to normal. This may take a few hours, and we sincerely apologise for the disruption to your conversations. Some features, like group video calling, may take longer to return to normal. Stay tuned to @skype on Twitter for the latest updates on the situation - and many thanks for your continued patience in the meantime. On 22 December 2010 15:46, Jack Carrozzo wrote: > > On Wed, Dec 22, 2010 at 3:29 PM, Paul Graydon wrote: > > > > > >> Details are on their blog: http://bit.ly/edtjxB > > > %wget http://blogs.skype.com/ -O/dev/null > --2010-12-22 20:45:36-- http://blogs.skype.com/ > Resolving blogs.skype.com... 204.9.163.155 > Connecting to blogs.skype.com|204.9.163.155|:80... failed: Operation timed > out. > > ... > > -Jack From arnold at nipper.de Wed Dec 22 15:03:00 2010 From: arnold at nipper.de (Arnold Nipper) Date: Wed, 22 Dec 2010 22:03:00 +0100 Subject: C/D[WDM] In-Reply-To: References: Message-ID: <4D126784.3060002@nipper.de> On 22.12.2010 15:31 Danijel wrote > This should fit the pricerange: > http://www.cubeoptics.com/passive_components.php > Haven't used them yet but know of one local operator that is using them and > is very satisfied...
> We are using a couple of CUBO's passive DWDM muxes @ DE-CIX. Work like a charm. Arnold -- Arnold Nipper / nIPper consulting, Sandhausen, Germany email: arnold at nipper.de phone: +49 6224 9259 299 mobile: +49 152 53717690 fax: +49 6224 9259 333 From jack at crepinc.com Wed Dec 22 15:04:47 2010 From: jack at crepinc.com (Jack Carrozzo) Date: Wed, 22 Dec 2010 16:04:47 -0500 Subject: Skype info In-Reply-To: References: <4D125FB5.4090107@paulgraydon.co.uk> Message-ID: "Creating new mega-supernodes as fast as they can!" Definitely using that in a meeting tomorrow. Cheers, -Jack On Wed, Dec 22, 2010 at 3:52 PM, Jeremy Parr wrote: > Skype downtime today > > Earlier today, we noticed that the number of people online on Skype > was falling, which wasn't typical or expected, so we began to > investigate. > > Skype isn't a network like a conventional phone or IM network - > instead, it relies on millions of individual connections between > computers and phones to keep things up and running. Some of these > computers are what we call "supernodes" - they act a bit like phone > directories for Skype. If you want to talk to someone, and your Skype > app can't find them immediately (for example, because they're > connecting from a different location or from a different device) your > computer or phone will first try to find a supernode to figure out how > to reach them. > > Under normal circumstances, there are a large number of supernodes > available. Unfortunately, today, many of them were taken offline by a > problem affecting some versions of Skype. As Skype relies on being > able to maintain contact with supernodes, it may appear offline for > some of you. > > What are we doing to help? Our engineers are creating new > "mega-supernodes"
as fast as they can, which should gradually return > things to normal. This may take a few hours, and we sincerely > apologise for the disruption to your conversations. Some features, > like group video calling, may take longer to return to normal. > > Stay tuned to @skype on Twitter for the latest updates on the > situation - and many thanks for your continued patience in the > meantime. > > On 22 December 2010 15:46, Jack Carrozzo wrote: > > > > On Wed, Dec 22, 2010 at 3:29 PM, Paul Graydon >wrote: > > > > > > > > >> Details are on their blog: http://bit.ly/edtjxB > > > > > > %wget http://blogs.skype.com/ -O/dev/null > > --2010-12-22 20:45:36-- http://blogs.skype.com/ > > Resolving blogs.skype.com... 204.9.163.155 > > Connecting to blogs.skype.com|204.9.163.155|:80... failed: Operation > timed > > out. > > > > ... > > > > -Jack > From jeffrey.lyon at blacklotus.net Wed Dec 22 15:08:31 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Wed, 22 Dec 2010 16:08:31 -0500 Subject: Skype info In-Reply-To: References: <4D125FB5.4090107@paulgraydon.co.uk> Message-ID: I was actually going to say, you might as well have said it needs a new flux capacitor. Jeff On Wed, Dec 22, 2010 at 4:04 PM, Jack Carrozzo wrote: > "Creating new mega-supernodes as fast as they can!" > > Definitely using that in a meeting tomorrow. > > Cheers, > > -Jack > > On Wed, Dec 22, 2010 at 3:52 PM, Jeremy Parr wrote: > >> Skype downtime today >> >> Earlier today, we noticed that the number of people online on Skype >> was falling, which wasn't typical or expected, so we began to >> investigate. >> >> Skype isn't a network like a conventional phone or IM network - >> instead, it relies on millions of individual connections between >> computers and phones to keep things up and running. Some of these >> computers are what we call "supernodes" - they act a bit like phone >> directories for Skype.
If you want to talk to someone, and your Skype >> app can't find them immediately (for example, because they're >> connecting from a different location or from a different device) your >> computer or phone will first try to find a supernode to figure out how >> to reach them. >> >> Under normal circumstances, there are a large number of supernodes >> available. Unfortunately, today, many of them were taken offline by a >> problem affecting some versions of Skype. As Skype relies on being >> able to maintain contact with supernodes, it may appear offline for >> some of you. >> >> What are we doing to help? Our engineers are creating new >> "mega-supernodes" as fast as they can, which should gradually return >> things to normal. This may take a few hours, and we sincerely >> apologise for the disruption to your conversations. Some features, >> like group video calling, may take longer to return to normal. >> >> Stay tuned to @skype on Twitter for the latest updates on the >> situation - and many thanks for your continued patience in the >> meantime. >> >> On 22 December 2010 15:46, Jack Carrozzo wrote: >> > >> > On Wed, Dec 22, 2010 at 3:29 PM, Paul Graydon > >wrote: >> > > >> > > >> > >> Details are on their blog: http://bit.ly/edtjxB >> > >> > >> > %wget http://blogs.skype.com/ -O/dev/null >> > --2010-12-22 20:45:36-- http://blogs.skype.com/ >> > Resolving blogs.skype.com... 204.9.163.155 >> > Connecting to blogs.skype.com|204.9.163.155|:80... failed: Operation >> timed >> > out. >> > >> > ...
>> > >> > -Jack >> > -- Jeffrey Lyon, Leadership Team jeffrey.lyon at blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions From mlarson at verisign.com Wed Dec 22 15:15:00 2010 From: mlarson at verisign.com (Matt Larson) Date: Wed, 22 Dec 2010 16:15:00 -0500 Subject: .gov DNSSEC operational message Message-ID: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com> A KSK roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov. It is important that you prepare for this key change NOW. DO NOT WAIT until late January, 2011, to take action: the changes described below should be made as soon as possible. Because .gov was signed prior to the signing of the root zone, it is reasonable to believe that many DNSSEC validators (usually part of recursive name servers) have the .gov zone's KSK statically configured as a trust anchor. Further, because automated trust anchor rollover software implementing the protocol described in RFC 5011 has not been widely available until recently, it is reasonable to believe that few validators with a statically configured .gov trust anchor would be able to understand a KSK roll using RFC 5011 semantics and update their trust anchor store automatically. VeriSign is sending this message to announce the impending .gov KSK roll so that the DNSSEC operational community will be informed of the change and has the opportunity to take the necessary steps to prepare for it. The .gov KSK roll will occur between 27 January 2011 and 31 January 2011. The rollover will not use RFC 5011 semantics because of issues surrounding the registry operator transition.
The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone. Because the root zone has had DS records corresponding to the current .gov KSK since 27 October 2010, static configuration of a trust anchor for .gov is currently no longer strictly necessary. Because there will be no non-DNS-based mechanism to authenticate subsequent .gov KSKs, configuration of the .gov KSK as a trust anchor is NOT RECOMMENDED. Take these steps NOW to prepare for the .gov KSK roll in late January 2011: 1. If your DNSSEC validators DO NOT HAVE a trust anchor for the root zone configured, CONFIGURE the root zone's KSK as a trust anchor. An authenticated version of the root zone's KSK is available at http://data.iana.org/root-anchors/. 2. If your DNSSEC validators have a trust anchor for the .gov zone configured, REMOVE the .gov zone's KSK as a trust anchor from your validator's configuration. If you follow both steps above, your DNSSEC validators should continue to validate names in .gov, but the .gov KSK will be authenticated via the signed root's KSK rather than a locally configured trust anchor. DO NOT WAIT until late January, 2011, to take these actions: the trust anchor changes described above should be made as soon as possible. If you have any questions or comments, please send email to registrar at dotgov.gov or reply to this message. 
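A defender-side check for the two steps in the notice above, added here as an example that is not part of the message and not VeriSign's or ISC's tooling: it parses the `trusted-keys` / `managed-keys` blocks of a BIND-style named.conf (the syntax is an assumption) and reports whether a root-zone anchor is present and whether a .gov anchor is still configured. The two sample configurations and their key strings are constructed placeholders, not real DNSKEY material.

```python
"""Audit a BIND named.conf-style resolver config for the two changes the
.gov KSK-roll notice asks for: (1) a root-zone trust anchor must exist and
(2) any configured .gov trust anchor must be removed.

Added example, not VeriSign's, ISC's or BIND's own code.  Assumes BIND's
`trusted-keys { ... };` and `managed-keys { ... };` block syntax (and
`dnssec-validation auto;`, which newer BIND releases accept as a built-in
root anchor).  Sample configs and key strings below are placeholders.
"""
import re
from typing import Dict, List, NamedTuple


class TrustAnchor(NamedTuple):
    zone: str   # owner name, lower-cased, with one trailing dot ("." is the root)
    block: str  # "trusted-keys" (static) or "managed-keys" (RFC 5011 managed)
    flags: int  # DNSKEY flags field; 257 marks a key-signing key (KSK)


# One anchor entry:  "zone" [initial-key] flags protocol algorithm "base64";
# The quoted key may span several lines, which [^"]* tolerates.
_ENTRY_RE = re.compile(
    r'"(?P<zone>[^"]+)"\s+(?:initial-key\s+)?(?P<flags>\d+)\s+\d+\s+\d+\s+'
    r'"[^"]*"\s*;'
)
_BLOCK_RE = re.compile(
    r"(?P<kind>trusted-keys|managed-keys)\s*\{(?P<body>.*?)\}\s*;", re.S
)
_AUTO_RE = re.compile(r"dnssec-validation\s+auto\s*;")


def strip_comments(text: str) -> str:
    """Drop the three comment styles named.conf allows: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def normalise_zone(zone: str) -> str:
    """Canonical owner name: lower case, exactly one trailing dot."""
    zone = zone.strip().lower()
    return "." if zone in ("", ".") else zone.rstrip(".") + "."


def parse_trust_anchors(config_text: str) -> List[TrustAnchor]:
    """Return every trust anchor declared in the configuration, in order."""
    anchors: List[TrustAnchor] = []
    for block in _BLOCK_RE.finditer(strip_comments(config_text)):
        for entry in _ENTRY_RE.finditer(block.group("body")):
            anchors.append(TrustAnchor(normalise_zone(entry.group("zone")),
                                       block.group("kind"),
                                       int(entry.group("flags"))))
    return anchors


def audit_trust_anchors(config_text: str) -> Dict[str, object]:
    """Apply the notice's two steps; 'ok' is True only when nothing needs changing."""
    anchors = parse_trust_anchors(config_text)
    findings: List[str] = []
    has_root = any(a.zone == "." for a in anchors) or bool(
        _AUTO_RE.search(strip_comments(config_text)))
    if not has_root:                                          # step 1
        findings.append("MISSING root trust anchor: configure the root KSK "
                        "(authenticated copy at http://data.iana.org/root-anchors/)")
    for a in anchors:                                         # step 2
        if a.zone == "gov.":
            # A managed-keys entry would not help either: the roll does not
            # use RFC 5011, so the validator could not follow it automatically.
            findings.append(f"REMOVE .gov trust anchor from the {a.block} block; "
                            ".gov is validated through the root zone's DS records")
    return {"anchors": anchors, "findings": findings, "ok": not findings}


# Constructed "before" config: the situation the notice warns about, a .gov
# KSK pinned statically from before the root was signed, and no root anchor.
WEAK_CONFIG = """
options { dnssec-enable yes; dnssec-validation yes; };
trusted-keys {
    // .gov KSK pinned statically (placeholder key, not the real DNSKEY)
    "gov." 257 3 7 "PLACEHOLDER-NOT-A-REAL-KEY
                    SECOND-LINE-OF-PLACEHOLDER";
};
"""

# Constructed "after" config: the root KSK is the only anchor, .gov removed.
FIXED_CONFIG = """
options { dnssec-enable yes; dnssec-validation yes; };
managed-keys {
    // root KSK from http://data.iana.org/root-anchors/ (placeholder key here)
    "." initial-key 257 3 8 "PLACEHOLDER-NOT-A-REAL-KEY";
};
"""

if __name__ == "__main__":
    for name, cfg in (("before", WEAK_CONFIG), ("after", FIXED_CONFIG)):
        result = audit_trust_anchors(cfg)
        print(f"{name}: ok={result['ok']}")
        for finding in result["findings"]:
            print("  -", finding)
```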
From rmaunier at neotelecoms.com Wed Dec 22 15:53:24 2010 From: rmaunier at neotelecoms.com (Raphael Maunier) Date: Wed, 22 Dec 2010 22:53:24 +0100 Subject: C/D[WDM] In-Reply-To: <4D126784.3060002@nipper.de> References: <4D126784.3060002@nipper.de> Message-ID: +1 All our dwdm backbone is CubeOptics powered. We have about 30 pairs of DWDM band-splitters and muxes. The attenuation is the lowest we have seen on all the wdm muxes we have tested. The tech guys @Cube optics are really smart. You can also ask for a specific mux if you have a want THE MUX. You can buy CubeOptics muxes your eyes closed -- Raphaël Maunier NEO TELECOMS CTO / Responsable Ingénierie AS8218 On Dec 22, 2010, at 10:03 PM, Arnold Nipper wrote: > On 22.12.2010 15:31 Danijel wrote > >> This should fit the pricerange: >> http://www.cubeoptics.com/passive_components.php >> Haven't used them yet but know of one local operator that is using them and >> is very satisfied... >> > > We are using a couple of CUBO's passive DWDM muxes @ DE-CIX. Work like a > charm. > > > > > Arnold > -- > Arnold Nipper / nIPper consulting, Sandhausen, Germany > email: arnold at nipper.de phone: +49 6224 9259 299 > mobile: +49 152 53717690 fax: +49 6224 9259 333 > From asr+nanog at latency.net Wed Dec 22 17:12:44 2010 From: asr+nanog at latency.net (Adam Rothschild) Date: Wed, 22 Dec 2010 18:12:44 -0500 Subject: C/D[WDM] In-Reply-To: References: <4D126784.3060002@nipper.de> Message-ID: <20101222231244.GB67182@latency.net> +1 on the CUBO recommendation.
In addition to muxes, we've worked with them as a supplier of (Finisar) colored optics; our dealings have been extremely favorable on all fronts. -a From randy at psg.com Wed Dec 22 17:34:40 2010 From: randy at psg.com (Randy Bush) Date: Thu, 23 Dec 2010 08:34:40 +0900 Subject: C/D[WDM] In-Reply-To: References: Message-ID: > Anyone have any opinion on a user friendly and low-to-mid-priced CWDM > or DWDM system? > > We need to take one pair of dark fiber and get about 5-6 10G ports on > both sides. what kind of 10G ports? 10gige? if so, i do not see how the cubo stuff helps. will http://xkl.com/ do it for you (if short range)? randy From joshua at itsecureadmin.com Wed Dec 22 17:56:10 2010 From: joshua at itsecureadmin.com (Josh Miller) Date: Wed, 22 Dec 2010 15:56:10 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <20101220191630.GA44701@ussenterprise.ufp.org> <1733661803.26536.1292886380498.JavaMail.root@zimbra.network1.net> Message-ID: <4D12901A.5020603@itsecureadmin.com> On 12/20/2010 3:14 PM, Dorn Hetzel wrote: > Where I live, about 50 miles south of Atlanta down I-85, there is no > consumer broadband at all. > > Satellite, Cellular, and T-1, those are my options. > > A mile away, there are choices, but not here. I am sure we aren't the only > neighborhood in this situation, even today. I live 27 miles out of Seattle, WA and have those same limitations. - josh From drew.weaver at thenap.com Wed Dec 22 18:44:31 2010 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 22 Dec 2010 19:44:31 -0500 Subject: C/D[WDM] In-Reply-To: References: Message-ID: Yes, sorry I should've specified 10Gig-E and I would like to avoid using CWDM/DWDM optics if possible I would just like to use regular LR optics. 
thanks, -Drew -----Original Message----- From: Randy Bush [mailto:randy at psg.com] Sent: Wednesday, December 22, 2010 6:35 PM To: Drew Weaver Cc: 'nanog at nanog.org' Subject: Re: C/D[WDM] > Anyone have any opinion on a user friendly and low-to-mid-priced CWDM > or DWDM system? > > We need to take one pair of dark fiber and get about 5-6 10G ports on > both sides. what kind of 10G ports? 10gige? if so, i do not see how the cubo stuff helps. will http://xkl.com/ do it for you (if short range)? randy From asr+nanog at latency.net Wed Dec 22 19:52:08 2010 From: asr+nanog at latency.net (Adam Rothschild) Date: Wed, 22 Dec 2010 20:52:08 -0500 Subject: C/D[WDM] In-Reply-To: References: Message-ID: <20101223015208.GC67182@latency.net> On 2010-12-22-19:44:31, Drew Weaver wrote: > Yes, sorry I should've specified 10Gig-E and I would like to avoid > using CWDM/DWDM optics if possible I would just like to use regular LR > optics. The common misconception is that, just because you're not installing colored optics directly in your router, something similar doesn't live elsewhere in your system, mingled with a number of OEO conversions. Neat packaging and pretty GUI is orthogonal to cheap, and you stated both as initial requirements, so you're probably best choosing one or the other. We may differ on levels of frugality, however I can't think of any active system I'd classify as "cheap"; at the base, you're looking at a 2x multiplier from something assembled with cubes, however you slice it... If you find yourself stuck with SFP+ interfaces, or partners who don't grok this stuff and require a "conventional" LR hand-off, perhaps a 2xXFP transponder is really what you're after -- feed your mux with the colored optics, and the other end with some LR (or SR, CX4, ...). MRV has some good products in this space. 
HTH, -a From chungjinwha at gmail.com Wed Dec 22 20:45:54 2010 From: chungjinwha at gmail.com (Jinwha Chung) Date: Thu, 23 Dec 2010 11:45:54 +0900 Subject: inquiry on using POS Message-ID: <000401cba24b$8793d310$96bb7930$@com> Hi, there; First of all, thank you all for the unintended and unnoticed help that I've got from nanog. I'm looking for a reference case of a point-to-point POS link. My potential customer asked me to configure their nodes using 40G POS interface cards. The distance between their nodes is between 10 km and 50 km. They are considering Cisco CRS for their core router. I've found that CRS has 2 kinds of POS card. One supports only up to 2km, so this one is out. From the datasheet, the other one can support a point-to-point connection up to 80km using this DCU (dispersion compensating unit). I've talked about this configuration with people and no one would recommend those kinds of things. Personally, I prefer 10G Ethernet with XENPAK ZR optics. Here is what I want to know. Is there anyone who is using POS with DCUs (without DWDM or something like that) between nodes less than 80km apart? If so, would you recommend it to others? Jinwha Chung CCIE#11776 u-Eng'g Team | u-Telecom Global Business Unit | SK Engineering & Construction Co. Ltd South Korea TEL 82-2-3700-8822 FAX 82-2-3700-8999 From swmike at swm.pp.se Thu Dec 23 00:00:24 2010 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 23 Dec 2010 07:00:24 +0100 (CET) Subject: inquiry on using POS In-Reply-To: <000401cba24b$8793d310$96bb7930$@com> References: <000401cba24b$8793d310$96bb7930$@com> Message-ID: On Thu, 23 Dec 2010, Jinwha Chung wrote: > From the datasheet, the other one can support a point-to-point connection up > to 80km using this DCU (dispersion compensating unit). > > I've talked about this configuration with people and no one would > recommend those kinds of things. There is nothing saying this won't work.
I'd gladly implement this (if you by this mean the DPSK or duobinary cards with g.709). The advantage of this is that you get FEC and can see what margin you have until the link starts to give post-FEC errors. > Personally, I prefer 10G Ethernet with XENPAK ZR optics. If dark fiber is available, this is much much cheaper, but then you have to load balance and the customer traffic might not be possible to load balance properly on 4x10GE, but if it is, this is definitely a viable option. Middle ground would be the 4 port 10GE g.709 card with FEC if you really feel you need indications of error rate constantly. It's cheaper than the 40G card, but most likely more expensive than a 4 port 10GE card with ZR optics. -- Mikael Abrahamsson email: swmike at swm.pp.se From steve at pirk.com Thu Dec 23 00:28:29 2010 From: steve at pirk.com (steve pirk [egrep]) Date: Wed, 22 Dec 2010 22:28:29 -0800 Subject: Post positive reviews In-Reply-To: References: Message-ID: Is this spam? ;-] I have been doing a lot of playing with Google Places and the new HotPot user ranking/review product, and for once, you get an honest list of reviews by local people. Only Google account holders can post reviews in the "by Google users" section. I believe they also have to have a public profile. So, trashing is possible, but you have to be able to back it up or you might find the local community shouting you down ;-] It really is a fairly neat twist on building a new kind of Yellow Pages... --steve On Tue, Dec 14, 2010 at 11:40, Eugene Zola wrote: > Google's Huge Change and How it affects you. > > - Anyone can now post bad reviews and kill your rank. > - We post good reviews and improve your rank. > - We post good reviews to keep others from killing your rank. > > Google: Judge, Jury and Online Shopping Executioner > > Google rank is based on reviews of your business?
> > Google Statement: > "...in the last few days we developed an algorithmic solution which detects > the merchant from the Times article along with hundreds of other merchants > that, in our opinion, provide an extremely poor user experience. The > algorithm we incorporated into our search rankings represents an initial > solution to this issue, and Google users are now getting a better > experience > as a result." > > This means that anyone can write bad reviews about your business and lower > your ranking. > We knew that getting good reviews and not getting bad reviews was always > important. Now it is a must to have good reviews for your business to keep > the rank safe or to improve rank with Google. > > We post positive reviews for your company. > > We have the experience and ability to post hundreds of positive reviews > that > are all unique content and posted on unique IP addresses. > > > wwwpostgoodreviews.com > -- steve pirk refiamerica.org "father... the sleeper has awakened..." paul atreides - dune kexp.org member august '09 From jra at baylink.com Thu Dec 23 09:53:32 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 10:53:32 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101220015826.GA75503@ussenterprise.ufp.org> Message-ID: <18644515.1938.1293119612139.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Leo Bicknell" > After looking at many models I think Australia might be on to > something. The model is that a quasi-government monopoly provides > the last mile physical wire, but is unable to sell services on it. > Basically they only provide UNE's. Then, at the switching center > any ISP can pick up those UNE's and provide services. Competition > to the end user, while the last mile is always a single provider > limiting the issues above.
Many cities are trying the same with > electric service, one company provides the transport infrastructure > and when you select a generation provider. That's what I've been advocating, what Verizon *really* *REALLY* doesn't want to happen (to the point that they've been agitating -- successfully in some cases -- for state laws to forbid it), and what I think, based on not a lot of evidence, Google is quietly encouraging with their Big Secret Project. Last mile fiber *really is* a Natural Monopoly. And yeah, that's roughly how power competition was handled as well. Cheers, -- jra From jra at baylink.com Thu Dec 23 10:03:52 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 11:03:52 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <22999010.1940.1293120219038.JavaMail.root@benjamin.baylink.com> Message-ID: <21261063.1942.1293120232956.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "JC Dill" > On 19/12/10 8:31 PM, Chris Adams wrote: > > Look up pictures of New York City in the early days of electricity. > > There were streets where you couldn't hardly see the sky because of > > all > > the wires on the poles. > > > Can you provide a link to a photo of this situation?
Sure, though they're a bit harder to find on the web than you'd think; it took me almost 20 minutes to find this one when I wrote the piece: http://baylink.pitas.com/#LASTMILE Cheers, -- jra From andrew.koch at gawul.net Thu Dec 23 10:14:32 2010 From: andrew.koch at gawul.net (Andrew Koch) Date: Thu, 23 Dec 2010 10:14:32 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <21261063.1942.1293120232956.JavaMail.root@benjamin.baylink.com> References: <22999010.1940.1293120219038.JavaMail.root@benjamin.baylink.com> <21261063.1942.1293120232956.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Dec 23, 2010 at 10:03, Jay Ashworth wrote: > ----- Original Message ----- >> From: "JC Dill" > >> On 19/12/10 8:31 PM, Chris Adams wrote: >> > Look up pictures of New York City in the early days of electricity. >> > There were streets where you couldn't hardly see the sky because of >> > all >> > the wires on the poles. >> > >> Can you provide a link to a photo of this situation? > > Sure, though they're a bit harder to find on the web than you'd > think; it took me almost 20 minutes to find this one when I > wrote the piece: > > http://baylink.pitas.com/#LASTMILE > Those look more like power lines, with a substation in the background.
Try this: http://www.copper.org/publications/newsletters/innovations/1998/05/images/historical001.jpg from http://www.copper.org/publications/newsletters/innovations/1998/05/evolution.html or a drawing: http://blog.silive.com/sinotebook/2008/12/Broadway-1885.jpg Andrew From andrew.koch at gawul.net Thu Dec 23 10:20:29 2010 From: andrew.koch at gawul.net (Andrew Koch) Date: Thu, 23 Dec 2010 10:20:29 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: References: <22999010.1940.1293120219038.JavaMail.root@benjamin.baylink.com> <21261063.1942.1293120232956.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Dec 23, 2010 at 10:14, Andrew Koch wrote: > Those look more like power lines, with a substation in the background. Helps to read the whole thing; you were talking about power lines. I missed a few messages when this took a turn off from last mile communications access. Anyway, found one more from Bangkok, which shows what you might be asking for with competing last mile technologies. http://www.vibrant.com/images/cables/bangkok-wires-nurmi.jpg Andrew From jra at baylink.com Thu Dec 23 11:19:38 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 12:19:38 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <201012210541.oBL5fqSQ003384@mail.r-bonomi.com> Message-ID: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Robert Bonomi" > "Overbuild" is practical *ONLY* where: (a) the population density is > high, lowering 'per customer' costs, and (b) service 'penetration' is high > enough that the active subscriber base (as distinct from 'potential' > subscribers) is sufficient to support the 'overhead' of two complete, parallel, > physical plants. This tends to be 'self-limiting', to up-scale, high-density > housing, neighborhoods.
The 'raw economics' of the situation may well be > distorted by local government 'interference' -- e.g., requiring a provider serve > _all_ households within arbitrary boundaries, rather than just 'low hanging > fruit' areas. Yup. And that's just another argument in favor of muni fiber -- since it's municipal, it will by definition serve every address, and since it's monopoly, it will enable competition by making it practical for competitors to start up, since they'll have trivial access to all comers. And since D-CATV is pretty much delivered over IP these days *anyway*, it won't even be technically difficult for cable providers to hook up customers over such a backbone. Gee... I wonder if the teeny little town I live in wants to be the first in our county to do that. :-) Cheers, -- jra From jra at baylink.com Thu Dec 23 11:27:58 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 12:27:58 -0500 (EST) Subject: Muni Fiber Last Mile - a contrary opinion Message-ID: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> I was poking around to see what the current received wisdom was as to average install cost per building for suburban municipal home-run fiber, and ran across this article, which discusses the topic, and itemizes several large such deployments that "failed" or had to be sold private. I'd be interested to see what comments nanogers have on this piece. I'm not well enough read to critically evaluate the guy's assertions.
http://www.digitalsociety.org/2010/03/why-municipal-fiber-has-not-succeeded/ Cheers, -- jra From cabo at tzi.org Thu Dec 23 12:00:52 2010 From: cabo at tzi.org (Carsten Bormann) Date: Thu, 23 Dec 2010 19:00:52 +0100 Subject: TCP congestion control and large router buffers In-Reply-To: <4D122BD6.5070503@freedesktop.org> References: <1291907382.19262.212.camel@shrike> <4D0E59FC.2080706@bogus.com> <4D0FE4A1.7070103@freedesktop.org> <607EDCE9-F6BD-4111-B0BD-2C1A535CFBE8@cisco.com> <4D122BD6.5070503@freedesktop.org> Message-ID: <8AF529D3-9B29-4BE4-9989-F6F9EA821BF0@tzi.org> Some more historical pointers: If you want to look at the early history of the latency discussion, look at Stuart Cheshire's famous rant "It's the Latency, Stupid" (http://rescomp.stanford.edu/~cheshire/rants/Latency.html). Then look at Matt Mathis's 1997 TCP equation (and the 1998 Padhye-Firoiu version of that): The throughput is proportional to the inverse square root of the packet loss and the inverse RTT -- so as the RTT starts growing due to increasing buffers, the packet loss must grow to keep equilibrium! We started to understand that you have to drop packets in order to limit queueing pretty well in the late 1990s. E.g., RFC 3819 contains an explicit warning against keeping packets for too long (section 13). But, as you notice, for faster networks, the bufferbloat effect can be limited in effect by intelligent window size management, but the dominating Windows XP was not intelligent, just limited in its widely used default configuration. So the first ones to fully see the effect were the ones with many TCP connections, i.e. Bittorrent. The modern window size "tuning" schemes in Windows 7 and Linux break a lot of things -- you are just describing the tip of the iceberg here. The IETF working group LEDBAT (motivated by the Bittorrent observations) has been working on a scheme to run large transfers without triggering humungous buffer growth. 
Regards, Carsten From tariq198487 at hotmail.com Thu Dec 23 12:18:57 2010 From: tariq198487 at hotmail.com (Tarig Yassin) Date: Thu, 23 Dec 2010 21:18:57 +0300 Subject: Router only speaks IGP in BGP network Message-ID: Dear all In my network, I have a router in the middle that only speaks OSPF. Is there any solution (without redistributing BGP into OSPF) for this kind of problem? thanks -- Tarig Y. Adam CTO - SUIN www.suin.edu.sd From joelja at bogus.com Thu Dec 23 12:17:46 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Thu, 23 Dec 2010 10:17:46 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> References: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> Message-ID: <4D13924A.9000509@bogus.com> On 12/23/10 9:19 AM, Jay Ashworth wrote: > And that's just another argument in favor of muni fiber -- since it's municipal, > it will by definition serve every address, and since it's monopoly, it will > enable competition by making it practical for competitors to start up, since > they'll have trivial access to all comers. Muni-fiber builds do not "by definition serve every address." Municipalities have their own priorities which tend to involve police/fire, water treatment/waste handling. Having worked on fiber-builds/swaps with a couple of municipalities, and the corporations that they set up to manage their facilities, it's one thing when it runs down the street in front of your building and quite another when you want to extend a spur to some far flung location on the edge of town. The fact that I can get a wavelength to the county dump in Eugene OR or the composting facility in Palo Alto doesn't really do anything for the residential access market.
From jra at baylink.com Thu Dec 23 12:37:13 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 13:37:13 -0500 (EST) Subject: .gov DNSSEC operational message In-Reply-To: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com> Message-ID: <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Matt Larson" > The new KSK will not be published in an authenticated manner outside > DNS (e.g., on an SSL-protected web page). Rather, the intended > mechanism for trusting the new KSK is via the signed root zone: DS > records corresponding to the new KSK are already present in the root > zone. That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell. Why was that decision taken, Matt? Cheers, -- jra From nathan at atlasnetworks.us Thu Dec 23 12:47:09 2010 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Thu, 23 Dec 2010 18:47:09 +0000 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> Message-ID: <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> > I'd be interested to see what comments nanogers have on this piece. I'm not > well enough read to critically evaluate the guy's assertions. I'm not familiar with a GPON system that provides gigabit to every subscriber under 'high congestion'. I do know of FTTN systems that can provide a lot more than 10/50 service to the end user (VDSL2 or ethernet over coax). What I really want to know is why 'Active Ethernet' didn't even make the chart... 
I got a chuckle out of this: "Provo County's iProvo was hoping for 10,000 subscribers by July 2006 with the assumption that 75% of those customers would subscribe to lucrative triple play services, but the reality was 10,000 customers in late 2007 with only 17% of those customers subscribing to triple play" A 75% upsell rate to triple play packages seems ludicrous. I can't think of any industry that sees an upsell rate of 75% - can you (hell, I sold running shoes in high school, and the -target- upsell rate on shoestrings/socks/whatever-else was 15%). Nathan From tariq198487 at hotmail.com Thu Dec 23 12:48:17 2010 From: tariq198487 at hotmail.com (Tarig Yassin) Date: Thu, 23 Dec 2010 21:48:17 +0300 Subject: Router only speaks IGP in BGP network In-Reply-To: References: , Message-ID: Hi Andre That's actually what I had done. I thought there might be another solution. many thanks -- Tarig Y. Adam SUIN Network Date: Thu, 23 Dec 2010 13:41:12 -0500 Subject: Re: Router only speaks IGP in BGP network From: anfoju at gmail.com To: tariq198487 at hotmail.com how about sending only a default into your OSPF domain from BGP? of course this can be a "conditional" type of redistribution; if you want no redistribution at all, then consider generating the default at your ASBR, which also can be conditional. without much more details on your topology, this is as vague an answer as i can provide. cheers On Thu, Dec 23, 2010 at 1:18 PM, Tarig Yassin wrote: Dear all In my network, I have a router in a middle only speaks OSPF. is there any solution (without redistribute BGP into OSPF) for this kind of problem? thanks -- Tarig Y.
Adam CTO - SUIN www.suin.edu.sd From gbonser at seven.com Thu Dec 23 13:09:50 2010 From: gbonser at seven.com (George Bonser) Date: Thu, 23 Dec 2010 11:09:50 -0800 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> > > A 75% upsell rate to triple play packages seems ludicrous. I can't > think of any industry that sees an upsell rate of 75% - can you (hell, > I sold running shoes in high school, and the -target- upsell rate on > shoestrings/socks/whatever-else was 15%). > > Nathan Well, I won't get rid of my "wired" phone for VOIP. The power where I live is subject to outage during storms but the phones work. I want a phone that works when the power is out for an extended period of time. At most, they would get "double play" from me (TV and Internet) and that's it. And based on discussions with others, many feel the same way about having their telephone depend on their cable box having power. From josmon at rigozsaurus.com Thu Dec 23 13:11:39 2010 From: josmon at rigozsaurus.com (John Osmon) Date: Thu, 23 Dec 2010 12:11:39 -0700 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D13924A.9000509@bogus.com> References: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> <4D13924A.9000509@bogus.com> Message-ID: <20101223191139.GA32500@jeeves.rigozsaurus.com> On Thu, Dec 23, 2010 at 10:17:46AM -0800, Joel Jaeggli wrote: [...] > The fact that I can get a wavelength to county dump in Eugene OR the > composting facility in Palo Alto doesn't really do anything for the > residential access market. Why not? You have to start with connectivity *somewhere*.
If the economics work out, *someone* will build the residential access market from those access points. The first phone in a community was a boon to everyone. Later, the local communications were built out to encompass others. The last mile ended up getting regulated to ensure everyone had access to the new technology. Unfortunately, the regulatory regime got based on the service (voice) rather than the infrastructure -- because no one ever guessed that the two would be separable. Some places could have local infrastructure monopolies run by municipalities, others might be run by local co-ops, the state, county, or even the feds. And they all might start with municipal fiber to the city dump that allows others access to lambdas... From jra at baylink.com Thu Dec 23 13:17:29 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 14:17:29 -0500 (EST) Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <20101223191139.GA32500@jeeves.rigozsaurus.com> Message-ID: <18549381.2064.1293131849716.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "John Osmon" > On Thu, Dec 23, 2010 at 10:17:46AM -0800, Joel Jaeggli wrote: > [...] > > The fact that I can get a wavelength to county dump in Eugene OR the > > composting facility in Palo Alto doesn't really do anything for the > > residential access market. > > Why not? > > You have to start with connectivity *somewhere*. If the economics work > out, *someone* will build the residential access market from those > access points. Well, I think Joel's real point was that it's not necessarily a given that just because fiber's being installed by (or under contract to) a city or other municipality, that it will necessarily be run to *every single premise* in that municipality.
And of course he's right, but there are lots of good reasons to do it that way; buildings often change occupancy and purpose, and the dump, of course, is *run* by the municipality very often, and you want all your official facilities connected up anyway. And doing it all as one build probably makes it easier to finance. My personal favorite reason to do this is that it *increases the property values in the municipality*, an assertion for which I have no documentary evidence or studies. :-) (To clarify there, by "this" I mean muni fiber in general, not necessarily passing every premise, though Metcalfe's Law probably applies here as well...) Cheers, -- jra From jra at baylink.com Thu Dec 23 13:19:50 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 23 Dec 2010 14:19:50 -0500 (EST) Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> Message-ID: <11104913.2066.1293131990011.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Nathan Eisenberg" > I got a chuckle out of this: > "Provo County?s iProvo was hoping for 10,000 subscribers by July 2006 > with the assumption that 75% of those customers would subscribe to > lucrative triple play services, but the reality was 10,000 customers > in late 2007 with only 17% of those customers subscribing to triple > play" > > A 75% upsell rate to triple play packages seems ludicrous. I can't > think of any industry that sees an upsell rate of 75% - can you (hell, > I sold running shoes in high school, and the -target- upsell rate on > shoestrings/socks/whatever-else was 15%). Indeed. And it seems worth noting that, unless I'm missing something, iProvo specifically violated the condition we all seem to agree is most important in such a build: they were not only the fiber op, but the content transport provider (ie, cable company/IAP). 
Cheers, -- jra From bicknell at ufp.org Thu Dec 23 14:25:37 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 23 Dec 2010 12:25:37 -0800 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> Message-ID: <20101223202537.GA41054@ussenterprise.ufp.org> There is a large difference between muni-fiber that attempts to compete for some of the best customers (e.g. following the traditional overbuild method) and muni-fiber whose goal is universal service of fiber to the home. Basically it is the difference between a small entity (the town) going up against a large one (iLEC, CableCo) compared to the small entity trying to be a supplier to those folks... -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From bicknell at ufp.org Thu Dec 23 14:26:19 2010 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 23 Dec 2010 12:26:19 -0800 Subject: Router only speaks IGP in BGP network In-Reply-To: References: Message-ID: <20101223202619.GB41054@ussenterprise.ufp.org> In a message written on Thu, Dec 23, 2010 at 09:18:57PM +0300, Tarig Yassin wrote: > In my network, I have a router in a middle only speaks OSPF. > is there any solution (without redistribute BGP into OSPF) for this kind of problem? Sounds like the textbook case of how folks use MPLS. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
From wp at null0.nl Thu Dec 23 14:51:29 2010 From: wp at null0.nl (Wouter Prins) Date: Thu, 23 Dec 2010 21:51:29 +0100 Subject: Router only speaks IGP in BGP network In-Reply-To: References: Message-ID: Hello Tarig, Set up a gre tunnel between the two bgp speakers and do ibgp over the gre tunnel? (not clean but it works) or mpls.. If you implement the other solution mentioned you're creating routing loops. On 23 December 2010 19:18, Tarig Yassin wrote: > > Dear all > > In my network, I have a router in a middle only speaks OSPF. > is there any solution (without redistribute BGP into OSPF) for this kind of problem? > > thanks > > -- > Tarig Y. Adam > CTO - SUIN > www.suin.edu.sd > > > > -- Wouter Prins wp at null0.nl From bjohnson at drtel.com Thu Dec 23 14:52:15 2010 From: bjohnson at drtel.com (Brian Johnson) Date: Thu, 23 Dec 2010 14:52:15 -0600 Subject: Router only speaks IGP in BGP network In-Reply-To: References: Message-ID: <29A54911243620478FF59F00EBB12F470231F6B4@ex01.drtel.lan> You could use a GRE tunnel to get traffic from one edge BGP router to the other edge BGP router. Then run BGP over this link. - Brian J. >-----Original Message----- >From: Tarig Yassin [mailto:tariq198487 at hotmail.com] >Sent: Thursday, December 23, 2010 12:19 PM >To: nanog; afnog at afnog.org >Subject: Router only speaks IGP in BGP network > > >Dear all > >In my network, I have a router in a middle only speaks OSPF. >is there any solution (without redistribute BGP into OSPF) for this kind of >problem? > >thanks > >-- >Tarig Y. Adam >CTO - SUIN >www.suin.edu.sd > > > > CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copying, use, disclosure, or distribution is prohibited.
If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you. From mhelmest at uvic.ca Thu Dec 23 16:49:22 2010 From: mhelmest at uvic.ca (Michael Helmeste) Date: Thu, 23 Dec 2010 14:49:22 -0800 (PST) Subject: Good MPLS/VPLS book? Message-ID: Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et al.)? I understand the basics of what MPLS is and how you create a circuit from A to B but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast capable VPN with 5 edge points. Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there. Regards, Michael H. From jason at lixfeld.ca Thu Dec 23 16:59:49 2010 From: jason at lixfeld.ca (Jason Lixfeld) Date: Thu, 23 Dec 2010 17:59:49 -0500 Subject: Good MPLS/VPLS book? In-Reply-To: References: Message-ID: <247B57A7-468B-486A-BFD1-730EC813284F@lixfeld.ca> While on an MPLS related TAC case recently, I was speaking to an engineer who helped vet portions of Cisco Press' MPLS Fundamentals (http://www.ciscopress.com/bookstore/product.asp?isbn=1587051974). He said it's one of the best he's come across, but there may perhaps be some bias there ;) Not knowing any better, I picked it up and I'm learning quite a bit. It also seems to be a great reference manual to keep around. The Kindle version is handy for quick reference from mobile devices too. On 2010-12-23, at 5:49 PM, Michael Helmeste wrote: > Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et al.)?
> > I understand the basics of what MPLS is and how you create a circuit from > A to B but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast capable VPN with 5 edge points. > > Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there. > > Regards, > Michael H. > > From sfouant at shortestpathfirst.net Thu Dec 23 17:06:03 2010 From: sfouant at shortestpathfirst.net (Stefan Fouant) Date: Thu, 23 Dec 2010 18:06:03 -0500 Subject: Good MPLS/VPLS book? In-Reply-To: References: Message-ID: <018c01cba2f5$f9698340$ec3c89c0$@net> IMO the best book on the market is 'MPLS-Enabled Applications' by Ina Minei and Julian Lucek. It has the best coverage of all the things you mentioned plus VPLS, P2MP LSP, draft-rosen and NG-VPN multicast architectures, and the explanations are clear and concise. I wrote a review of this book a while back: http://www.shortestpathfirst.net/2009/11/30/book-review-mpls-aplications/ This book is awesome. You won't regret buying it. Stefan Fouant > -----Original Message----- > From: Michael Helmeste [mailto:mhelmest at uvic.ca] > Sent: Thursday, December 23, 2010 5:49 PM > To: nanog at nanog.org > Subject: Good MPLS/VPLS book? > > Does anyone have a favorite book or resource discussing MPLS and all > associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et al.)? > > I understand the basics of what MPLS is and how you create a circuit > from > A to B but I'm afraid it still escapes me when trying to figure out how > someone would, say, create a multicast capable VPN with 5 edge points. > > Any pointers to a good way to reduce my level of ignorance on this > subject would be appreciated. Vendor literature doesn't bother me as > long > as the concepts are there. > > Regards, > Michael H.
> 

From aharrison at gmail.com Thu Dec 23 17:12:17 2010 From: aharrison at gmail.com (Andy Harrison) Date: Thu, 23 Dec 2010 18:12:17 -0500 Subject: .gov registrar problem Message-ID:

In case anyone else notices spotty problems resolving .gov names, I just sent the following message to registrar at dotgov.gov:

----

I started investigating a dns issue after we received a few customer complaints regarding intermittent problems resolving hostnames under noaa.gov. After some in-depth investigation, I believe I've identified the issue.

First, the query to see the list of authoritative name servers for .gov:

# dig NS gov @c.root-servers.net

; <<>> DiG 9.6.1-P3 <<>> NS gov @c.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53495
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gov.                           IN      NS

;; AUTHORITY SECTION:
gov.                    172800  IN      NS      f.usadotgov.net.
gov.                    172800  IN      NS      a.usadotgov.net.
gov.                    172800  IN      NS      g.usadotgov.net.
gov.                    172800  IN      NS      b.usadotgov.net.
gov.                    172800  IN      NS      d.usadotgov.net.
gov.                    172800  IN      NS      e.usadotgov.net.
gov.                    172800  IN      NS      c.usadotgov.net.

;; ADDITIONAL SECTION:
a.usadotgov.net.        172800  IN      A       74.208.172.129
b.usadotgov.net.        172800  IN      A       206.204.217.151
c.usadotgov.net.        172800  IN      A       69.72.142.35
d.usadotgov.net.        172800  IN      A       204.168.112.71
e.usadotgov.net.        172800  IN      A       213.165.80.240
f.usadotgov.net.        172800  IN      A       66.207.175.172
g.usadotgov.net.        172800  IN      A       
64.62.200.134

;; Query time: 9 msec
;; SERVER: 192.33.4.12#53(192.33.4.12)
;; WHEN: Thu Dec 23 17:37:59 2010
;; MSG SIZE  rcvd: 258

The glue records show a.usadotgov.net with an ip of 74.208.172.129.

Next, using one of the authoritative name servers for usadotgov.net, we resolve the a.usadotgov.net name:

# dig a.usadotgov.net @DNSSEC7.DATAMTN.COM

; <<>> DiG 9.6.1-P3 <<>> a.usadotgov.net @DNSSEC7.DATAMTN.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61276
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a.usadotgov.net.               IN      A

;; ANSWER SECTION:
a.usadotgov.net.        86400   IN      A       76.73.18.236

You can see that the ip address is incorrect for that hostname. This is going to cause an issue where some responses for .gov addresses will come from a non-authoritative source and should be taken care of as soon as possible as this could potentially affect all .gov domains.

-- 
Andy Harrison
Lead Systems Engineer
Metrocast Cablevision

From randy at psg.com Thu Dec 23 17:26:43 2010 From: randy at psg.com (Randy Bush) Date: Fri, 24 Dec 2010 08:26:43 +0900 Subject: Router only speaks IGP in BGP network In-Reply-To: References: Message-ID:

> In my network, I have a router in a middle only speaks OSPF.
> is there any solution (without redistribute BGP into OSPF) for this
> kind of problem?

uh, what exactly is the problem? i.e. what do you want to accomplish?

and do NOT redistribute bgp into ospf.

randy

From johnc at hush.ai Thu Dec 23 17:32:33 2010 From: johnc at hush.ai (johnc at hush.ai) Date: Thu, 23 Dec 2010 18:32:33 -0500 Subject: Throttle traffic for a single local IP on a Linux router?
Message-ID: <20101223233234.0DAD0FEBF@smtp.hushmail.com>

Hi,

I know this might not be 100% on-topic and might be better suited for a Linux-distro mailing list, but I hope to get more diverse methods from you networking experts.

Basically, I have a small residential connection, 5 Mbit down, 0.5 Mbit up. A user on my local network, who we will call 192.168.1.105, is using too much bandwidth. I have tried social engineering to get him to stop, he claims to, but iftop says otherwise.

My network is set up like this: Cable modem goes to eth0 on router running Ubuntu server, eth1 on the Ubuntu box goes to a wrt54gl (behaving purely as a bridge), and all clients are connected wirelessly. The Ubuntu box handles everything.

So I have tried this script, and it does not work -- download speed gets limited just fine, but upload remains unlimited for some reason:

TC=/sbin/tc
OUTIF=eth0 # Interface for WAN (internet)
INIF=eth1 # Interface for LAN (internal network)
DNLD=0.5mbit # DOWNLOAD Limit
UPLD=0.1mbit # UPLOAD Limit
IP=192.168.1.105
U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"
$TC qdisc del dev $INIF root
$TC qdisc del dev $OUTIF root
$TC qdisc add dev $INIF root handle 1: htb default 30
$TC qdisc add dev $OUTIF root handle 1: htb default 30
$TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil $DNLD
$TC class add dev $OUTIF parent 1: classid 1:1 htb rate $UPLD ceil $UPLD
$TC filter add dev $INIF parent 1:0 ip pref 1 u32 match ip src $IP/32 0xFFFFFFFF flowid 1:1
$TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst $IP/32 0xFFFFFFFF flowid 1:1

Anyone see any problems in my setup, this script, or have any idea how I can limit the speeds of Mr. 192.168.1.105 without social engineering?

Thank you for your time.

From marka at isc.org Thu Dec 23 17:39:46 2010 From: marka at isc.org (Mark Andrews) Date: Fri, 24 Dec 2010 10:39:46 +1100 Subject: .gov registrar problem In-Reply-To: Your message of "Thu, 23 Dec 2010 18:12:17 CDT."
References: Message-ID: <20101223233946.A62A384F3BC@drugs.dv.isc.org>

In message , Andy Harrison writes:
> In case anyone else notices spotty problems resolving .gov names, I
> just sent the following message to registrar at dotgov.gov:
> 
> ----
> 
> I started investigating a dns issue after we received a few customer
> complaints regarding intermittent problems resolving hostnames under
> noaa.gov. After some in-depth investigation, I believe I've
> identified the issue.
> 
> First, the query to see the list of authoritative name servers for .gov:
> 
> # dig NS gov @c.root-servers.net
> 
> ; <<>> DiG 9.6.1-P3 <<>> NS gov @c.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53495
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;gov. IN NS
> 
> ;; AUTHORITY SECTION:
> gov. 172800 IN NS f.usadotgov.net.
> gov. 172800 IN NS a.usadotgov.net.
> gov. 172800 IN NS g.usadotgov.net.
> gov. 172800 IN NS b.usadotgov.net.
> gov. 172800 IN NS d.usadotgov.net.
> gov. 172800 IN NS e.usadotgov.net.
> gov. 172800 IN NS c.usadotgov.net.
> 
> ;; ADDITIONAL SECTION:
> a.usadotgov.net. 172800 IN A 74.208.172.129
> b.usadotgov.net. 172800 IN A 206.204.217.151
> c.usadotgov.net. 172800 IN A 69.72.142.35
> d.usadotgov.net. 172800 IN A 204.168.112.71
> e.usadotgov.net. 172800 IN A 213.165.80.240
> f.usadotgov.net. 172800 IN A 66.207.175.172
> g.usadotgov.net. 172800 IN A 64.62.200.134
> 
> ;; Query time: 9 msec
> ;; SERVER: 192.33.4.12#53(192.33.4.12)
> ;; WHEN: Thu Dec 23 17:37:59 2010
> ;; MSG SIZE rcvd: 258
> 
> The glue records show a.usadotgov.net with an ip of 74.208.172.129.
> 
> Next, using one of the authoritative name servers for usadotgov.net,
> we resolve the a.usadotgov.net name:
> 
> # dig a.usadotgov.net @DNSSEC7.DATAMTN.COM
> 
> ; <<>> DiG 9.6.1-P3 <<>> a.usadotgov.net @DNSSEC7.DATAMTN.COM
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61276
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 10
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;a.usadotgov.net. IN A
> 
> ;; ANSWER SECTION:
> a.usadotgov.net. 86400 IN A 76.73.18.236
> 
> You can see that the ip address is incorrect for that hostname. This
> is going to cause an issue where some responses for .gov addresses
> will come from a non-authoritative source and should be taken care of
> as soon as possible as this could potentially affect all .gov domains.

No, 76.73.18.236 is authoritative for gov as is 74.208.172.129. It would appear that a.usadotgov.net is being moved / re-hosted. Discrepancies such as this are normal when this is happening.

; <<>> DiG 9.6.0-APPLE-P2 <<>> soa gov +norec @76.73.18.236
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1312
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;gov. IN SOA

;; ANSWER SECTION:
gov. 259200 IN SOA A.USADOTGOV.NET. support.datamtn.com. 1293146225 3600 900 1814400 86400

;; AUTHORITY SECTION:
gov. 259200 IN NS F.USADOTGOV.NET.
gov. 259200 IN NS E.USADOTGOV.NET.
gov. 259200 IN NS A.USADOTGOV.NET.
gov. 259200 IN NS D.USADOTGOV.NET.
gov. 259200 IN NS G.USADOTGOV.NET.
gov. 259200 IN NS B.USADOTGOV.NET.
gov. 259200 IN NS C.USADOTGOV.NET.
;; Query time: 231 msec ;; SERVER: 76.73.18.236#53(76.73.18.236) ;; WHEN: Fri Dec 24 10:38:24 2010 ;; MSG SIZE rcvd: 201 Mark > -- > Andy Harrison > Lead Systems Engineer > Metrocast Cablevision > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From steve at grommit.com Thu Dec 23 17:47:10 2010 From: steve at grommit.com (Stephen Lau) Date: Thu, 23 Dec 2010 15:47:10 -0800 Subject: Sprint data network contact? Message-ID: <4D13DF7E.807@grommit.com> I'm trying to find a contact for someone who might know something about the proxies running on Sprint's data network. Basically our Android app uses a local http server to serve content to the Android media player, i.e. listening via 127.0.0.1. Unfortunately, a system update that Sprint pushed last week seems to enforce a Sprint proxy (pd.vog.sprintpcs.com:8085) on all HTTP & RTSP traffic... including traffic to 127.0.0.1, which as you can imagine, predictably fails. The EVO is our most popular Android device amongst our subscribers, and we're rapidly losing subscribers because of this problem. This breaks streaming for many Android apps that have to use a local content server (for a variety of reasons, some for playing encrypted content like ourselves, others who need to maintain backwards compatibility with <2.2 Android which lacked RTSP streaming). I'm running into brick walls so far and hoping that someone in NANOG might know a responsible network engineer at Sprint who could help resolve the issue quickly? cheers, steve -- stephen lau | steve at grommit.com | http://whacked.net | @stevel From sliplever at gmail.com Thu Dec 23 17:49:46 2010 From: sliplever at gmail.com (Dan Snyder) Date: Thu, 23 Dec 2010 18:49:46 -0500 Subject: Good MPLS/VPLS book? 
In-Reply-To: References: Message-ID: <1BC07AB7-A9F0-40C4-A897-6954355FEADE@gmail.com> On Dec 23, 2010, at 5:49 PM, Michael Helmeste wrote: > Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > > I understand the basics of what MPLS is and how you create a circuit from > A to B but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast capable VPN with 5 edge points. > > Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there. > > Regards, > Michael H. > > Designing and Implementing IP/MPLS-Based Ethernet Layer 2 VPN Services: An Advanced Guide for VPLS and VLL (Paperback) Zhuo Xu I thought was pretty good. From tshaw at oitc.com Thu Dec 23 18:15:14 2010 From: tshaw at oitc.com (TR Shaw) Date: Thu, 23 Dec 2010 19:15:14 -0500 Subject: Anyone have a contact for CANTV.NET In-Reply-To: <1BC07AB7-A9F0-40C4-A897-6954355FEADE@gmail.com> References: <1BC07AB7-A9F0-40C4-A897-6954355FEADE@gmail.com> Message-ID: <04559C88-6F44-4574-9F0D-7F9AFFF91F56@oitc.com> Anyone have a contact for CANTV.NET without using CANTV.NET mailserver which is hosed, at least for abuse, support, and ipadmin which all fail? TIA, Tom From brandon.kim at brandontek.com Thu Dec 23 19:15:40 2010 From: brandon.kim at brandontek.com (Brandon Kim) Date: Thu, 23 Dec 2010 20:15:40 -0500 Subject: Good MPLS/VPLS book? In-Reply-To: <018c01cba2f5$f9698340$ec3c89c0$@net> References: , <018c01cba2f5$f9698340$ec3c89c0$@net> Message-ID: Looks like a good book to add to my bookshelf. Cisco's MPLS fundamentals is also a good book although I'm only halfway through it.... > From: sfouant at shortestpathfirst.net > To: mhelmest at uvic.ca; nanog at nanog.org > Subject: RE: Good MPLS/VPLS book? 
> Date: Thu, 23 Dec 2010 18:06:03 -0500 > > IMO the best book on the market is 'MPLS-Enabled Applications' by Ina Minei, > Julian Lucek. It has the best coverage all the things you mentioned plus > VPLS, P2MP LSP, draft-rosen and NG-VPN multicast architectures and the > explanations are clear and concise. > > I wrote a review of this book a while back: > > http://www.shortestpathfirst.net/2009/11/30/book-review-mpls-aplications/ > > This book is awesome. You won't regret buying it. > > Stefan Fouant > > > -----Original Message----- > > From: Michael Helmeste [mailto:mhelmest at uvic.ca] > > Sent: Thursday, December 23, 2010 5:49 PM > > To: nanog at nanog.org > > Subject: Good MPLS/VPLS book? > > > > Does anyone have a favorite book or resource discussing MPLS and all > > associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > > > > I understand the basics of what MPLS is and how you create a circuit > > from > > A to B but I'm afraid it still escapes me when trying to figure out how > > someone would, say, create a multicast capable VPN with 5 edge points. > > > > Any pointers to a good way to reduce my level of ignorance on this > > subject would be appreciated. Vendor literature doesn't bother me as > > long > > as the concepts are there. > > > > Regards, > > Michael H. > > > > > From sethm at rollernet.us Thu Dec 23 19:37:28 2010 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 23 Dec 2010 17:37:28 -0800 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> Message-ID: <4D13F958.9000806@rollernet.us> On 12/21/10 2:18 PM, Frank Bulk wrote: > There are 4,035 routes in the global IPv6 routing table. This is what one > provider passed on to me for routes (/48 or larger prefixes), extracted from > public route-view servers. 
> AT&T AS7018: 2,851 (70.7%) > Cogent AS174: 2,864 (71.0%) > GLBX AS3549: 3,706 (91.8%) > Hurricane Electric AS6939: 3,790 (93.9%) > Qwest AS209: 3,918 (97.1%) > TINET (formerly Tiscali) AS3257: 3,825 (94.8%) > Verizon AS701: 3,938 (97.6%) Sprint (AS1239) is sending 3,779 routes. ~Seth From mhelmest at uvic.ca Thu Dec 23 19:51:55 2010 From: mhelmest at uvic.ca (Michael Helmeste) Date: Thu, 23 Dec 2010 17:51:55 -0800 Subject: Good MPLS/VPLS book? In-Reply-To: <1BC07AB7-A9F0-40C4-A897-6954355FEADE@gmail.com> References: <1BC07AB7-A9F0-40C4-A897-6954355FEADE@gmail.com> Message-ID: <20101223175155.a29c483f.mhelmest@uvic.ca> Thanks for the suggestions, all! Looks like I have some reading to do. On Thu, 23 Dec 2010 18:49:46 -0500 Dan Snyder wrote: > > > On Dec 23, 2010, at 5:49 PM, Michael Helmeste wrote: > > > Does anyone have a favorite book or resource discussing MPLS and all associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > > > > I understand the basics of what MPLS is and how you create a circuit from > > A to B but I'm afraid it still escapes me when trying to figure out how someone would, say, create a multicast capable VPN with 5 edge points. > > > > Any pointers to a good way to reduce my level of ignorance on this subject would be appreciated. Vendor literature doesn't bother me as long as the concepts are there. > > > > Regards, > > Michael H. > > > > > > Designing and Implementing IP/MPLS-Based Ethernet Layer 2 VPN Services: An Advanced Guide for VPLS and VLL (Paperback) > Zhuo Xu > > I thought was pretty good. 
From visitorlnx at gmail.com Thu Dec 23 20:02:02 2010 From: visitorlnx at gmail.com (Scott Taylor) Date: Thu, 23 Dec 2010 21:02:02 -0500 Subject: IPv6 BGP table size comparisons In-Reply-To: <4D13F958.9000806@rollernet.us> References: <4D10F85B.2050800@bryanfields.net> <4D13F958.9000806@rollernet.us> Message-ID:

On Thu, Dec 23, 2010 at 20:37, Seth Mattinen wrote:
> On 12/21/10 2:18 PM, Frank Bulk wrote:
>> There are 4,035 routes in the global IPv6 routing table. This is what one
>> provider passed on to me for routes (/48 or larger prefixes), extracted from
>> public route-view servers.
>>       AT&T AS7018: 2,851 (70.7%)
>>       Cogent AS174: 2,864 (71.0%)
>>       GLBX AS3549: 3,706 (91.8%)
>>       Hurricane Electric AS6939: 3,790 (93.9%)
>>       Qwest AS209: 3,918 (97.1%)
>>       TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
>>       Verizon AS701: 3,938 (97.6%)
>
> Sprint (AS1239) is sending 3,779 routes.

I'm seeing the following that haven't been mentioned yet:
Internet 2 is sending - 4037
QWest AS209 is sending - 3974

From joelja at bogus.com Thu Dec 23 20:36:17 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Thu, 23 Dec 2010 18:36:17 -0800 Subject: IPv6 BGP table size comparisons In-Reply-To: References: <4D10F85B.2050800@bryanfields.net> <4D13F958.9000806@rollernet.us> Message-ID: <4D140721.8020807@bogus.com>

On 12/23/10 6:02 PM, Scott Taylor wrote:
> On Thu, Dec 23, 2010 at 20:37, Seth Mattinen wrote:
>> On 12/21/10 2:18 PM, Frank Bulk wrote:
>>> There are 4,035 routes in the global IPv6 routing table. This is what one
>>> provider passed on to me for routes (/48 or larger prefixes), extracted from
>>> public route-view servers.
>>> AT&T AS7018: 2,851 (70.7%)
>>> Cogent AS174: 2,864 (71.0%)
>>> GLBX AS3549: 3,706 (91.8%)
>>> Hurricane Electric AS6939: 3,790 (93.9%)
>>> Qwest AS209: 3,918 (97.1%)
>>> TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
>>> Verizon AS701: 3,938 (97.6%)
>>
>> Sprint (AS1239) is sending 3,779 routes.
> 
> I'm seeing the following that haven't been mentioned yet:
> Internet 2 is sending - 4037
> QWest AS209 is sending - 3974

internap 14745 is sending 3985

Nokia backbone 1248 has 3967 in it.

14803's fib has 4007 active external routes in it.

> 

From joelja at bogus.com Thu Dec 23 22:41:06 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Thu, 23 Dec 2010 20:41:06 -0800 Subject: Wake on LAN in the enterprise In-Reply-To: <4D064AB4.5080706@brightok.net> References: <4D064AB4.5080706@brightok.net> Message-ID: <4D142462.3090101@bogus.com>

On 12/13/10 8:32 AM, Jack Bates wrote:
> On 12/13/2010 10:20 AM, Owen DeLong wrote:
>> WOL is unfortunately terribly deficient in that the spec. never
>> envisioned the possibility
>> of a need for wake on WAN.
>>
>> Bottom line, it's a non-routeable layer 2 protocol. Your choices boil
>> down to the
>> helper address nightmare you describe or proxy servers on every subnet.
>>
> 
> I would suspect that proxy servers being the better deal, though my
> experience with Cisco is that you may have to use ASR type gear to get a
> nicer layout (similar to service providers) where you can backend
> everything to a radius server (I'm still waiting to test this myself,
> but IOS is really weak on DHCP support).

assuming you don't mind burning an ip address per subnet you can do this with a static arp entry for an ethernet multicast address even if your l3 platform doesn't allow subnet directed multicast.

on a firewall platform based on linux I specifically worked around the deliberate lack of subnet directed broadcast by natting from the broadcast address of the target subnet to an rfc 1918 address on the subnet with a static arp entry pointing at a multicast address. it worked fine, exploited the fact that rewrite occurs before forwarding on linux and allowed the use of a pre-existing management tool that used subnet directed broadcasts.
> 
> Jack
> 

From frnkblk at iname.com Thu Dec 23 23:02:58 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Thu, 23 Dec 2010 23:02:58 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> References: <201012210541.oBL5fqSQ003384@mail.r-bonomi.com> <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> Message-ID:

Uhm, D-CATV is not IP just quite yet. Sometimes I wish that's the case, but it's still very much RF.

There are several vendors that sell GPON solutions that support RF over fiber, and there's always IP TV.

Frank

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Thursday, December 23, 2010 11:20 AM
To: NANOG
Subject: Re: Some truth about Comcast - WikiLeaks style

And since D-CATV is pretty much delivered over IP these days *anyway*, it won't even be technically difficult for cable providers to hook up customers over such a backbone.

From william.allen.simpson at gmail.com Fri Dec 24 03:22:35 2010 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Fri, 24 Dec 2010 04:22:35 -0500 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D13924A.9000509@bogus.com> References: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> <4D13924A.9000509@bogus.com> Message-ID: <4D14665B.3040204@gmail.com>

On 12/23/10 1:17 PM, Joel Jaeggli wrote:
> On 12/23/10 9:19 AM, Jay Ashworth wrote:
>> And that's just another argument in favor of muni fiber -- since it's municipal,
>> it will by definition serve every address, and since it's monopoly, it will
>> enable competition by making it practical for competitors to start up, since
>> they'll have trivial access to all comers.
> 
> Muni-fiber builds do not "by definition serve every address."
> But to keep this on topic, Comcast doesn't serve every address either!
In Ann Arbor, Michigan (home of NANOG), I spent many hours attending the local cable board meetings. Comcast refused to build toward various *downtown* buildings, because the underground facilities would never pay back the cost ("never" being upwards of 30 years). This is not just an ex-urban issue. When the board explored non-renewal of Comcast's franchise for failing to comply with its contract, they learned that's almost impossible. Court cases around the country side with the industry over municipalities. In an unrelated Michigan case, where a large business signed a written contract (to expand) in exchange for tax abatement (but didn't expand), the Michigan Supreme Court ruled that the contract was mere "fluff and hyperbole" required to obtain tax breaks and government favors. http://www.michiganliberal.com/diary/7723/ It's a "right" to make taxpayers pick up the cost of subsidizing private industry.... From william.allen.simpson at gmail.com Fri Dec 24 03:39:35 2010 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Fri, 24 Dec 2010 04:39:35 -0500 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> Message-ID: <4D146A57.9040305@gmail.com> On 12/23/10 12:27 PM, Jay Ashworth wrote: > I was poking around to see what the current received wisdom was as to > average install cost per building for suburban municipal home-run fiber, > and ran across this article, which discusses the topic, and itemizes > several large such deployments that "failed" or had to be sold private. > > I'd be interested to see what comments nanogers have on this piece. I'm > not well enough read to critically evaluate the guy's assertions. > > http://www.digitalsociety.org/2010/03/why-municipal-fiber-has-not-succeeded/ > Always consider the source. Didn't we just have a George Ou cite that was debunked on this list? 
Subject: RE: Level 3 Communications Issues Statement Concerning Comcast's Actions Reminder: ITIF is an ultra-conservative, anti-government outfit: http://mailman.nanog.org/pipermail/nanog/2009-November/015552.html ITIF doesn't give out information about its funding, which usually means it's industry lobbyist funded. Apparently in this case, big cable and probably big telco. From jcdill.lists at gmail.com Fri Dec 24 03:46:26 2010 From: jcdill.lists at gmail.com (JC Dill) Date: Fri, 24 Dec 2010 01:46:26 -0800 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <4D14665B.3040204@gmail.com> References: <28631642.2014.1293124778689.JavaMail.root@benjamin.baylink.com> <4D13924A.9000509@bogus.com> <4D14665B.3040204@gmail.com> Message-ID: <4D146BF2.8020802@gmail.com> On 24/12/10 1:22 AM, William Allen Simpson wrote: > > In an unrelated Michigan case, where a large business signed a written > contract (to expand) in exchange for tax abatement (but didn't expand), > the Michigan Supreme Court ruled that the contract was mere "fluff and > hyperbole" required to obtain tax breaks and government favors. Moral of the story, municipalities need to write the contract so that they get their tax abatement only AFTER they have completed the agreed-upon expansion. No tax abatement now, promised expansion later "fluff and hyperbole". But even better, they need to stop writing monopoly contracts. It was a good idea 100/40 years ago, to get the first company to put in the first telephone/cable network. It is no longer working to serve citizen needs to keep giving monopoly contracts. jc From gordslater at ieee.org Fri Dec 24 04:29:41 2010 From: gordslater at ieee.org (gordon b slater) Date: Fri, 24 Dec 2010 10:29:41 +0000 Subject: Throttle traffic for a single local IP on a Linux router? 
In-Reply-To: <20101223233234.0DAD0FEBF@smtp.hushmail.com> References: <20101223233234.0DAD0FEBF@smtp.hushmail.com> Message-ID: <1293186581.10528.11.camel@ub-g-d2>

On Thu, 2010-12-23 at 18:32 -0500, johnc at hush.ai wrote:
> $TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil
> $DNLD
> $TC class add dev $OUTIF parent 1: classid 1:1 htb rate $UPLD ceil
> $UPLD
> $TC filter add dev $INIF parent 1:0 ip pref 1 u32 match ip src
> $IP/32 0xFFFFFFFF flowid 1:1
> $TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst
> $IP/32 0xFFFFFFFF flowid 1:1
> 
> Anyone see any problems in my setup

yes, I think you have the same IDs in the last 4 lines.

classid's should be 1:1 and 1:2
flowid's should be 1:1 and 1:2

yours are 1:1 in both cases of each

try :-

$TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil $DNLD
$TC class add dev $OUTIF parent 1: classid 1:2 htb rate $UPLD ceil $UPLD
#                                          ^^^
$TC filter add dev $INIF parent 1:0 ip pref 1 u32 match ip src $IP/32 0xFFFFFFFF flowid 1:1
$TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst $IP/32 0xFFFFFFFF flowid 1:2
#                                                                                        ^^^

(line breaks may be affected by email formatting etc )

Gord

-- 
# ~ TC , the undisputable leader of the gang ~ #

From jeffrey.lyon at blacklotus.net Fri Dec 24 04:52:35 2010 From: jeffrey.lyon at blacklotus.net (Jeffrey Lyon) Date: Fri, 24 Dec 2010 05:52:35 -0500 Subject: Throttle traffic for a single local IP on a Linux router? In-Reply-To: References: <20101223233234.0DAD0FEBF@smtp.hushmail.com> <1293186581.10528.11.camel@ub-g-d2> Message-ID:

Try a Linksys RV016, it has some decent traffic shaping tools for larger home and small business networks.
Jeff

On Dec 24, 2010 5:31 AM, "gordon b slater" wrote:

On Thu, 2010-12-23 at 18:32 -0500, johnc at hush.ai wrote:
> $TC class add dev $INIF parent 1: classid ...

yes, I think you have the same IDs in the last 4 lines.

classid's should be 1:1 and 1:2
flowid's should be 1:1 and 1:2

yours are 1:1 in both cases of each

try :-

$TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil $DNLD
$TC class add dev $OUTIF parent 1: classid 1:2 htb rate $UPLD ceil $UPLD
#                                          ^^^
$TC filter add dev $INIF parent 1:0 ip pref 1 ...
$IP/32 0xFFFFFFFF flowid 1:2
#                        ^^^

(line breaks may be affected by email formatting etc )

Gord

-- 
# ~ TC , the undisputable leader of the gang ~ #

From gordslater at ieee.org Fri Dec 24 05:44:27 2010 From: gordslater at ieee.org (gordon b slater) Date: Fri, 24 Dec 2010 11:44:27 +0000 Subject: Throttle traffic for a single local IP on a Linux router? In-Reply-To: References: <20101223233234.0DAD0FEBF@smtp.hushmail.com> <1293186581.10528.11.camel@ub-g-d2> Message-ID: <1293191067.10528.21.camel@ub-g-d2>

On Fri, 2010-12-24 at 05:52 -0500, Jeffrey Lyon wrote:
> Try a Linksys RV016, it has some decent traffic shaping tools for
> larger home and small business networks.
> 

Yes indeed it does. Ironically that device runs a linux-y kernel so is probably also using iptools/tc to achieve the shaping/policing, with a GUI wrapped around it.

The GPL parts of it are at ftp://ftp-eng.cisco.com/pub/opensource/linksys/RVxxxToolchain/

I was also planning to have a look at the hardware in it but that device is now out of my control :(

Gord

From mounir.mohamed at gmail.com Fri Dec 24 06:47:47 2010 From: mounir.mohamed at gmail.com (Mounir Mohamed) Date: Fri, 24 Dec 2010 14:47:47 +0200 Subject: Good MPLS/VPLS book?
In-Reply-To: References: Message-ID: The most comprehensive text is MPLS Enabled Applications by Ina Minei http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8&qid=1293194786&sr=8-1 On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste wrote: > Does anyone have a favorite book or resource discussing MPLS and all > associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > > I understand the basics of what MPLS is and how you create a circuit from > A to B but I'm afraid it still escapes me when trying to figure out how > someone would, say, create a multicast capable VPN with 5 edge points. > > Any pointers to a good way to reduce my level of ignorance on this subject > would be appreciated. Vendor literature doesn't bother me as long as the > concepts are there. > > Regards, > Michael H. > > > -- Best Regards, Mounir Mohamed, CCIE#19573 (R&S/SP) Senior Network Engineer, Core Team. NOOR Data Networks, SAE Mobile# +2-010-2345-956 http://mounirmohamed.wordpress.com http://www.linkedin.com/in/mounirmohamed From pfunix at gmail.com Fri Dec 24 08:03:01 2010 From: pfunix at gmail.com (pfunix) Date: Fri, 24 Dec 2010 08:03:01 -0600 Subject: Throttle traffic for a single local IP on a Linux router? In-Reply-To: <20101223233234.0DAD0FEBF@smtp.hushmail.com> References: <20101223233234.0DAD0FEBF@smtp.hushmail.com> Message-ID: take a read on this link http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html -beavis Sent from Space On Dec 23, 2010, at 5:32 PM, johnc at hush.ai wrote: > Hi, > > I know this might not be 100% on-topic and might be better suited > for a Linux-distro mailinglist, but I hope to get more diverse > methods from you networking experts. > > Basically, I have a small residential connection, 5 Mbit down, 0.5 > Mbit up. A user on my local network, who we will call > 192.168.1.105, is using too much bandwidth. 
I have tried social > engineering to get him to stop, he claims to, but iftop says > otherwise. > > My network is setup like this: Cable modem goes to eth0 on router > running Ubuntu server, eth1 on the Ubuntu box goes to a wrt54gl > (behaving purely as a bridge), and all clients are connected > wirelessly. The Ubuntu box handles everything. > > So I have tried this script, and it does not work -- download speed > gets limited just fine, but upload remains unlimited for some > reason: > > TC=/sbin/tc > OUTIF=eth0 # Interface for WAN (internet) > INIF=eth1 # Interface for LAN (internal network) > DNLD=0.5mbit # DOWNLOAD Limit > UPLD=0.1mbit # UPLOAD Limit > IP=192.168.1.105 > U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32" > $TC qdisc del dev $INIF root > $TC qdisc del dev $OUTIF root > $TC qdisc add dev $INIF root handle 1: htb default 30 > $TC qdisc add dev $OUTIF root handle 1: htb default 30 > $TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil > $DNLD > $TC class add dev $OUTIF parent 1: classid 1:1 htb rate $UPLD ceil > $UPLD > $TC filter add dev $INIF parent 1:0 ip pref 1 u32 match ip src > $IP/32 0xFFFFFFFF flowid 1:1 > $TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst > $IP/32 0xFFFFFFFF flowid 1:1 > > Anyone see any problems in my setup, this script, or have any idea > how I can limit the speeds of Mr. 192.168.1.105 without social > engineering? > > Thank you for your time. > > From rsm at fast-serv.com Fri Dec 24 08:27:24 2010 From: rsm at fast-serv.com (Randy McAnally) Date: Fri, 24 Dec 2010 09:27:24 -0500 Subject: Throttle traffic for a single local IP on a Linux router? 
In-Reply-To:
References: <20101223233234.0DAD0FEBF@smtp.hushmail.com>
Message-ID: <20101224142703.M15874@fast-serv.com>

> take a read on this link
>
> http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html
>
> -beavis
>

Another:

http://djlab.com/2009/10/limiting-bandwidth-in-linux/

--
Randy

From jra at baylink.com Fri Dec 24 10:25:00 2010
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 24 Dec 2010 11:25:00 -0500 (EST)
Subject: Some truth about Comcast - WikiLeaks style
In-Reply-To:
Message-ID: <5111798.2342.1293207900312.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Frank Bulk - iName.com"

> Uhm, D-CATV is not IP just quite yet. Sometimes I wish that's the
> case, but it's still very much RF.
>
> There are several vendors that sell GPON solutions that support RF
> over fiber, and there's always IP TV.

Hmm. I had acquired the idea, from looking at the setup screens on the
latest gen SciAt converters that it was, at very least, FDM IP multicast;
that is, MPEG2 over IP multicast, and then multiplexed 4:1 or so into
multiple broadband carriers, but sent as IP multicast streams and decoded
that way.

No?

Cheers,
-- jra

From AElliott at xo.com Fri Dec 24 11:55:12 2010
From: AElliott at xo.com (Elliott, Andrew)
Date: Fri, 24 Dec 2010 12:55:12 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To: <4D13F958.9000806@rollernet.us>
References: <4D10F85B.2050800@bryanfields.net> <4D13F958.9000806@rollernet.us>
Message-ID: <6C615B75952DAB4DBBE65F473DDBC82B2169B1A1@vahernexch01.corp.inthosts.net>

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: Thursday, December 23, 2010 8:37 PM
To: nanog at nanog.org
Subject: Re: IPv6 BGP table size comparisons

On 12/21/10 2:18 PM, Frank Bulk wrote:
> There are 4,035 routes in the global IPv6 routing table. This is what one
> provider passed on to me for routes (/48 or larger prefixes), extracted from
> public route-view servers.
> AT&T AS7018: 2,851 (70.7%)
> Cogent AS174: 2,864 (71.0%)
> GLBX AS3549: 3,706 (91.8%)
> Hurricane Electric AS6939: 3,790 (93.9%)
> Qwest AS209: 3,918 (97.1%)
> TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
> Verizon AS701: 3,938 (97.6%)

Sprint (AS1239) is sending 3,779 routes.

XO Communications (AS2828) is sending 3973 prefixes.

From cidr-report at potaroo.net Fri Dec 24 16:00:18 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 24 Dec 2010 22:00:18 GMT
Subject: BGP Update Report
Message-ID: <201012242200.oBOM0Iar028892@wattle.apnic.net>

BGP Update Report
Interval: 16-Dec-10 -to- 23-Dec-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN                Upds %  Upds/Pfx    AS-Name
 1 - AS17974           22015  1.3%      16.4 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
 2 - AS32528           21046  1.2%    2630.8 -- ABBOTT Abbot Labs
 3 - AS7633            19074  1.1%     112.2 -- SOFTNET-AS-AP Software Technology Parks of India - Bangalore
 4 - AS8452            18545  1.1%      11.0 -- TE-AS TE-AS
 5 - AS35931           13721  0.8%    2286.8 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 6 - AS18025           12235  0.7%     330.7 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
 7 - AS27968           11972  0.7%     137.6 -- CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
 8 - AS9498            10247  0.6%      14.0 -- BBIL-AP BHARTI Airtel Ltd.
 9 - AS10113            9919  0.6%     121.0 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
10 - AS4323             9594  0.6%       3.6 -- TWTC - tw telecom holdings, inc.
11 - AS7552             9093  0.5%      14.3 -- VIETEL-AS-AP Vietel Corporation
12 - AS5800             9009  0.5%      40.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
13 - AS9829             8890  0.5%      13.1 -- BSNL-NIB National Internet Backbone
14 - AS2828             8047  0.5%     167.6 -- XO-AS15 - XO Communications
15 - AS6316             7918  0.5%      58.2 -- AS-PAETEC-NET - PaeTec Communications, Inc.
16 - AS33475            7796  0.5%      36.3 -- RSN-1 - RockSolid Network, Inc.
17 - AS4755             7737  0.5%       7.0 -- TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
18 - AS6389             7710  0.5%       2.1 -- BELLSOUTH-NET-BLK - BellSouth.net Inc.
19 - AS45595            7658  0.5%      14.3 -- PKTELECOM-AS-PK Pakistan Telecom Company Limited
20 - AS9198             7589  0.4%      18.0 -- KAZTELECOM-AS JSC Kazakhtelecom

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN                Upds %  Upds/Pfx    AS-Name
 1 - AS32528           21046  1.2%    2630.8 -- ABBOTT Abbot Labs
 2 - AS35931           13721  0.8%    2286.8 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 3 - AS17874            2244  0.1%    2244.0 -- NPC-AS-KR National Pension Corporation
 4 - AS49600            2081  0.1%    2081.0 -- LASEDA La Seda de Barcelona, S.A
 5 - AS34239            1632  0.1%    1632.0 -- INTERAMERICAN General Insurance Company
 6 - AS3                1331  0.1%     134.0 -- AII-NET applied international informatics GmbH
 7 - AS22575            2434  0.1%     811.3 -- MASSMUTUAL2 - MassMutual Financial Services
 8 - AS27771            1388  0.1%     694.0 -- Instituto Venezolano de Investigaciones Cientificas
 9 - AS12190             682  0.0%     682.0 -- OOCL-NET - OOCL (USA), Inc.
10 - AS43534            2431  0.1%     607.8 -- CREDITCALL CreditCall Ltd
11 - AS46302             467  0.0%     467.0 -- CINQUIX - Cinquix Networks
12 - AS46167             444  0.0%     444.0 -- LANDSERVICESUSA - Land Services USA, Inc
13 - AS26772             438  0.0%     438.0 -- TIE-SOLUTIONS - Tie Solutions Inc.
14 - AS39200             424  0.0%     424.0 -- IRNICANYCAST-AS .ir ccTLD of Iran
15 - AS21017            4089  0.2%     408.9 -- VSI-AS VSI AS
16 - AS37228             377  0.0%     377.0 -- RDB
17 - AS16934            2153  0.1%     358.8 -- LEACO-INTERNET - Leaco Rural Telephone
18 - AS40576            2086  0.1%     347.7 -- SHAWNEELINK - ShawneeLink Corporation
19 - AS18025           12235  0.7%     330.7 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
20 - AS26999             317  0.0%     317.0 -- ATLANTA-COMMUNITY-FOOD-BANK - Atlanta Community Food Bank, Inc.

TOP 20 Unstable Prefixes
Rank Prefix              Upds %     Origin AS -- AS Name
 1 - 130.36.34.0/24     10510  0.6%   AS32528 -- ABBOTT Abbot Labs
 2 - 130.36.35.0/24     10509  0.6%   AS32528 -- ABBOTT Abbot Labs
 3 - 202.182.78.0/23     9511  0.5%   AS10113 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
 4 - 63.211.68.0/22      8516  0.5%   AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 5 - 216.126.136.0/22    7616  0.4%   AS6316  -- AS-PAETEC-NET - PaeTec Communications, Inc.
 6 - 144.243.215.0/24    7294  0.4%   AS22773 -- ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
                                      AS4323  -- TWTC - tw telecom holdings, inc.
 7 - 198.140.43.0/24     5158  0.3%   AS35931 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC
 8 - 202.92.235.0/24     4932  0.3%   AS9498  -- BBIL-AP BHARTI Airtel Ltd.
 9 - 182.54.148.0/22     4913  0.3%   AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
10 - 189.1.173.0/24      4603  0.3%   AS28666 -- HOSTLOCATION LTDA
11 - 190.65.228.0/22     4083  0.2%   AS3816  -- COLOMBIA TELECOMUNICACIONES S.A. ESP
12 - 192.122.247.0/24    3913  0.2%   AS2828  -- XO-AS15 - XO Communications
13 - 192.122.246.0/24    3912  0.2%   AS2828  -- XO-AS15 - XO Communications
14 - 206.184.16.0/24     3424  0.2%   AS174   -- COGENT Cogent/PSI
15 - 68.65.152.0/22      3277  0.2%   AS11915 -- TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC
16 - 91.197.95.0/24      2413  0.1%   AS43534 -- CREDITCALL CreditCall Ltd
17 - 189.85.51.0/24      2403  0.1%   AS28175 --
18 - 101.78.24.0/22      2345  0.1%   AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
19 - 101.78.20.0/22      2344  0.1%   AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network
20 - 208.54.82.0/24      2277  0.1%   AS701   -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at merit.edu
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Dec 24 16:00:00 2010
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 24 Dec 2010 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201012242200.oBOM00KD028862@wattle.apnic.net>

This report has been generated at Fri Dec 24 21:12:03 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.
Recent Table History Date Prefixes CIDR Agg 17-12-10 339290 208265 18-12-10 339408 208272 19-12-10 339482 208025 20-12-10 339239 208281 21-12-10 339598 199087 22-12-10 340439 199389 23-12-10 340769 199635 24-12-10 340958 199890 AS Summary 36356 Number of ASes in routing system 15481 Number of ASes announcing only one prefix 3726 Largest number of prefixes announced by an AS AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. 106110208 Largest address span announced by an AS (/32s) AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 24Dec10 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 340875 199881 140994 41.4% All ASes AS6389 3726 272 3454 92.7% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS4323 2633 406 2227 84.6% TWTC - tw telecom holdings, inc. AS19262 1839 286 1553 84.4% VZGNI-TRANSIT - Verizon Online LLC AS4766 1892 541 1351 71.4% KIXS-AS-KR Korea Telecom AS22773 1259 83 1176 93.4% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS6478 1440 266 1174 81.5% ATT-INTERNET3 - AT&T Services, Inc. AS4755 1412 345 1067 75.6% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS1785 1791 765 1026 57.3% AS-PAETEC-NET - PaeTec Communications, Inc. AS10620 1344 375 969 72.1% Telmex Colombia S.A. AS28573 1213 342 871 71.8% NET Servicos de Comunicao S.A. AS7545 1554 711 843 54.2% TPG-INTERNET-AP TPG Internet Pty Ltd AS6503 1194 362 832 69.7% Axtel, S.A.B. de C.V. AS18101 908 149 759 83.6% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS7303 838 121 717 85.6% Telecom Argentina S.A. AS4808 1007 305 702 69.7% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS3356 1186 490 696 58.7% LEVEL3 Level 3 Communications AS8151 1353 665 688 50.8% Uninet S.A. de C.V. 
AS24560 1045 375 670 64.1% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS17488 955 300 655 68.6% HATHWAY-NET-AP Hathway IP Over Cable Internet AS18566 1066 446 620 58.2% COVAD - Covad Communications Co. AS9498 729 111 618 84.8% BBIL-AP BHARTI Airtel Ltd. AS11492 1289 678 611 47.4% CABLEONE - CABLE ONE, INC. AS17676 644 68 576 89.4% GIGAINFRA Softbank BB Corp. AS855 630 55 575 91.3% CANET-ASN-4 - Bell Aliant Regional Communications, Inc. AS17908 629 64 565 89.8% TCISL Tata Communications AS22047 560 31 529 94.5% VTR BANDA ANCHA S.A. AS7552 633 120 513 81.0% VIETEL-AS-AP Vietel Corporation AS14420 588 91 497 84.5% CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP AS9443 571 75 496 86.9% INTERNETPRIMUS-AS-AP Primus Telecommunications AS3549 854 360 494 57.8% GBLX Global Crossing Ltd. Total 36782 9258 27524 74.8% Top 30 total Possible Bogus Routes 5.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 5.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 5.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 23.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 24.129.192.0/19 AS7922 COMCAST-7922 - Comcast Cable Communications, Inc. 37.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 
37.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 37.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 37.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 41.222.79.0/24 AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited 41.223.92.0/22 AS36936 CELTEL-GABON Celtel Gabon Internet Service 46.242.0.0/17 AS42610 NCNET-AS National Cable Networks 62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV 62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV 64.21.192.0/20 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.212.0/22 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.216.0/21 AS11610 INETNEBR-1 - Internet Nebraska Corporation 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION 66.206.32.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.33.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.34.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.35.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.47.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 66.207.32.0/20 AS23011 66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC 69.6.80.0/24 AS13442 69.6.81.0/24 AS13442 71.19.134.0/23 AS3313 INET-AS I.NET S.p.A. 72.22.32.0/19 AS33150 72.22.61.0/24 AS33150 72.22.62.0/24 AS33150 76.77.32.0/19 AS2828 XO-AS15 - XO Communications 80.88.10.0/24 AS33774 DJAWEB 80.88.12.0/24 AS33779 wataniya-telecom-as 96.45.161.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.162.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.163.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.164.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.165.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.166.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.167.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.168.0/21 AS3257 TINET-BACKBONE Tinet SpA 100.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 
110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas 110.173.64.0/19 AS37963 CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd. 115.42.28.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.30.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.31.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.40.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.42.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.43.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.44.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.47.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.48.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.49.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.50.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.51.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.52.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.53.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.54.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.55.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.56.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.57.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.58.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.59.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.61.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.62.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.63.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 116.68.136.0/21 AS28045 Pantel Communications 117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP 121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 121.50.168.0/21 AS9931 CAT-AP The Communication Authoity of Thailand, CAT 121.200.192.0/24 AS17767 122.200.32.0/20 AS7018 ATT-INTERNET4 - AT&T Services, Inc. 122.200.40.0/21 AS38272 142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc. 158.222.70.0/23 AS6137 SISNA - SISNA, Inc. 158.222.72.0/23 AS6137 SISNA - SISNA, Inc. 
158.222.224.0/20 AS19864 O1COMM - O1 COMMUNICATIONS 158.222.224.0/22 AS19864 O1COMM - O1 COMMUNICATIONS 158.222.229.0/24 AS19864 O1COMM - O1 COMMUNICATIONS 172.12.0.0/18 AS28665 PredialNet Provedor de Internet Ltda. 176.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 190.102.32.0/20 AS30058 FDCSERVERS - FDCservers.net 192.9.0.0/16 AS11479 BRM-SUN-AS - Sun Microsystems, Inc 192.64.85.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.69.108.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.101.46.0/24 AS6503 Axtel, S.A.B. de C.V. 192.101.64.0/21 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.70.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.71.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.72.0/24 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.74.0/24 AS1239 SPRINTLINK - Sprint 192.124.252.0/22 AS680 DFN-IP service G-WiN 192.131.233.0/24 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 192.154.32.0/19 AS81 NCREN - MCNC 192.154.64.0/19 AS81 NCREN - MCNC 192.188.208.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 196.2.224.0/22 AS24863 LINKdotNET-AS 196.6.108.0/24 AS5713 SAIX-NET 196.13.201.0/24 AS2018 TENET-1 196.13.202.0/24 AS2018 TENET-1 196.13.203.0/24 AS2018 TENET-1 196.13.204.0/24 AS2018 TENET-1 196.110.105.0/24 AS8513 SKYVISION SkyVision Network Services 196.202.224.0/21 AS8818 TELE Greenland Autonomous System 198.1.2.0/24 AS4761 INDOSAT-INP-AP INDOSAT Internet Network Provider 198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc. 198.73.210.0/24 AS21570 ACI-1 - Accelerated Connections Inc. 
198.74.38.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.39.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.40.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.97.72.0/21 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.97.96.0/19 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.97.240.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.99.241.0/24 AS11797 AC-NIELSEN-AS AC NIELSEN 198.161.87.0/24 AS6539 GT-BELL - Bell Canada 198.163.214.0/24 AS21804 ACCESS-SK - Access Communications Co-operative Limited 198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc. 198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 198.169.0.0/16 AS803 SASKTEL - Saskatchewan Telecommunications 198.180.198.0/24 AS23715 SEOUL-INTGW-GXS-AP Global Exchange Services 198.182.235.0/24 AS3356 LEVEL3 Level 3 Communications 199.16.32.0/19 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 199.121.0.0/16 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 199.123.16.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 199.185.130.0/23 AS19662 UNISERVE-ONLINE - Uniserve On Line 199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 199.202.216.0/21 AS577 BACOM - Bell Canada 199.233.92.0/24 AS26896 D102-ITC - Data 102, LLC 199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business 200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC. 200.24.73.0/24 AS26061 Equant Colombia 200.24.78.0/26 AS3549 GBLX Global Crossing Ltd. 200.24.78.64/26 AS3549 GBLX Global Crossing Ltd. 
202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000 202.9.55.0/24 AS2764 AAPT AAPT Limited 202.9.57.0/24 AS2764 AAPT AAPT Limited 202.38.63.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.58.113.0/24 AS19161 202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company 202.73.144.0/20 AS4788 TMNET-AS-AP TM Net, Internet Service Provider 202.86.252.0/22 AS4748 RESOLINK-AS-AP Resources Link Network Limited 202.86.252.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.133.37.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.133.73.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.150.227.0/24 AS17727 NAPINFO-AS-AP PT. NAP Info Lintas Nusa 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd. 
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd 203.18.156.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.27.123.0/24 AS4739 CIX-ADELAIDE-AS Internode Systems Pty Ltd 203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.76.161.0/24 AS45465 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.114.0/24 AS4802 ASN-IINET iiNet Limited 203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU 
SingTel Optus Pty Ltd 203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd. 203.142.219.0/24 AS45149 203.175.107.0/24 AS45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 204.10.232.0/21 AS33150 204.19.14.0/23 AS577 BACOM - Bell Canada 204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc. 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 205.189.134.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 205.207.148.0/23 AS812 ROGERS-CABLE - Rogers Cable Communications Inc. 205.210.145.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 206.72.192.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.72.194.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.123.129.0/24 AS10790 INREACH-AS - InReach Internet 206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.188.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.189.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.190.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.191.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 208.64.200.0/22 AS11730 CIL-ASN - Circle Internet LTD 208.64.240.0/21 AS13871 TELEBYTE-NW - Telebyte NW 208.73.160.0/24 AS32767 208.78.165.0/24 AS16565 208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC 208.83.54.0/24 AS23485 SEI-LLC-AS-NUM - SEI LLC 208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc. 
208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc. 209.54.123.0/24 AS6062 NETPLEX - NETPLEX 209.105.224.0/19 AS20074 209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED 216.10.235.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.10.236.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.21.196.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.201.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.202.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.206.0/23 AS12251 INVISION - Invision.com, Inc. 216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc. 216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc. Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From frnkblk at iname.com Fri Dec 24 22:17:37 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Fri, 24 Dec 2010 22:17:37 -0600 Subject: Some truth about Comcast - WikiLeaks style In-Reply-To: <5111798.2342.1293207900312.JavaMail.root@benjamin.baylink.com> References: <5111798.2342.1293207900312.JavaMail.root@benjamin.baylink.com> Message-ID: That's not my understanding. 
Frank

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Friday, December 24, 2010 10:25 AM
To: NANOG
Subject: Re: Some truth about Comcast - WikiLeaks style

----- Original Message -----
> From: "Frank Bulk - iName.com"

> Uhm, D-CATV is not IP just quite yet. Sometimes I wish that's the
> case, but it's still very much RF.
>
> There are several vendors that sell GPON solutions that support RF
> over fiber, and there's always IP TV.

Hmm. I had acquired the idea, from looking at the setup screens on the
latest gen SciAt converters that it was, at very least, FDM IP multicast;
that is, MPEG2 over IP multicast, and then multiplexed 4:1 or so into
multiple broadband carriers, but sent as IP multicast streams and decoded
that way.

No?

Cheers,
-- jra

From ryan.finnesey at HarrierInvestments.com Sat Dec 25 01:35:47 2010
From: ryan.finnesey at HarrierInvestments.com (Ryan Finnesey)
Date: Fri, 24 Dec 2010 23:35:47 -0800
Subject: Hotel Internet?
Message-ID: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net>

Is anyone within the group providing Internet access to Hotels? It
seems most of this market is controlled by Lodge Net.

Cheers
Ryan

From nathan at atlasnetworks.us Sat Dec 25 01:53:07 2010
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Sat, 25 Dec 2010 07:53:07 +0000
Subject: Hotel Internet?
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net>
References: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B2C2433@ex-mb-1.corp.atlasnetworks.us>

> -----Original Message-----
> From: Ryan Finnesey [mailto:ryan.finnesey at HarrierInvestments.com]
> Sent: Friday, December 24, 2010 11:36 PM
> To: nanog at nanog.org
> Subject: Hotel Internet?
>
> Is anyone within the group providing Internet access to Hotels? It
> seems most of this market is controlled by Lodge Net.

Yep, my employer does. And yes, yes it is.
Which is too bad. Because their product is... crap. (My personal
opinion, and not that of my employer, who probably completely disagrees).

From mtinka at globaltransit.net Sat Dec 25 02:36:31 2010
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 25 Dec 2010 16:36:31 +0800
Subject: Router only speaks IGP in BGP network
In-Reply-To:
References:
Message-ID: <201012251636.32869.mtinka@globaltransit.net>

On Friday, December 24, 2010 07:26:43 am Randy Bush wrote:

> and do NOT redistribute bgp into ospf.

This is good truth. Don't redistribute your BGP into the IGP
(or vice versa). I'm not even sure OSPF would handle it in
this day - but you don't want to find out.

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL:

From ml at kenweb.org Sat Dec 25 07:52:42 2010
From: ml at kenweb.org (ML)
Date: Sat, 25 Dec 2010 08:52:42 -0500
Subject: Router only speaks IGP in BGP network
In-Reply-To: <201012251636.32869.mtinka@globaltransit.net>
References: <201012251636.32869.mtinka@globaltransit.net>
Message-ID: <4D15F72A.4060401@kenweb.org>

On 12/25/2010 3:36 AM, Mark Tinka wrote:
> On Friday, December 24, 2010 07:26:43 am Randy Bush wrote:
>
>> and do NOT redistribute bgp into ospf.
>
> This is good truth. Don't redistribute your BGP into the IGP
> (or vice versa). I'm not even sure OSPF would handle it in
> this day - but you don't want to find out.
>
> Mark.

If you're only redistributing 10 prefixes into OSPF? Problem?
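[Editor's added example, not posted by anyone in this thread.] The advice above is not to redistribute BGP into OSPF at all. Where a handful of prefixes must be leaked anyway, the two failure modes to guard against are an unfiltered redistribution that drags the whole BGP table (or a leaked or hijacked prefix) into the IGP, and a redistribution loop in which a prefix goes BGP -> OSPF -> BGP and comes back looking as if the IGP had originated it. The configuration below, in Cisco IOS-style syntax, leaks only an explicit allow-list of prefixes, stamps each one with an OSPF external route tag, and refuses anything carrying that tag on the return path, so the route-maps fail closed. The prefixes (documentation ranges), OSPF process 1, AS 64500, the tag value 65000 and the prefix-list and route-map names are all assumptions made for the example.

```text
! Added example, IOS-style syntax; not from any message in this thread.
! Assumptions: OSPF process 1, local BGP AS 64500, tag 65000 marks
! "this route came from BGP", and only the prefixes listed below may
! ever be redistributed.

! Allow-list of the BGP prefixes that are permitted into OSPF.
ip prefix-list BGP-TO-OSPF seq 10 permit 192.0.2.0/24
ip prefix-list BGP-TO-OSPF seq 20 permit 198.51.100.0/24

! Prefixes that genuinely originate in OSPF and may be exported to BGP.
ip prefix-list OSPF-ORIGINATED seq 10 permit 203.0.113.0/24

! BGP -> OSPF: permit only the allow-listed prefixes and tag them.
! A route-map with no matching permit clause drops the route, so
! everything not on the list is silently refused.
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list BGP-TO-OSPF
 set tag 65000

! OSPF -> BGP: refuse anything carrying the tag (it came from BGP in
! the first place), then permit only the prefixes OSPF really owns.
route-map OSPF-TO-BGP deny 10
 match tag 65000
route-map OSPF-TO-BGP permit 20
 match ip address prefix-list OSPF-ORIGINATED

router ospf 1
 ! "subnets" is required on IOS or only classful networks are redistributed.
 redistribute bgp 64500 subnets route-map BGP-TO-OSPF

router bgp 64500
 ! Needed if the prefixes to be leaked were learned over iBGP: IOS
 ! redistributes only eBGP-learned routes into an IGP by default.
 bgp redistribute-internal
 redistribute ospf 1 route-map OSPF-TO-BGP
```

To verify, `show ip ospf database external 192.0.2.0` should show the type-5 LSA with External Route Tag: 65000, and a redistributed prefix appearing in `show ip bgp` will carry origin incomplete (`?`); if a tagged prefix ever shows up in BGP with OSPF as its source, the deny clause is not being hit. Mark Smith's approach later in this thread (tags on the OSPF side, communities on the BGP side) is the same idea applied in both directions; the point is that every redistributed route carries a mark saying where it came from, and the opposite direction refuses routes bearing that mark.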
From mike at sentex.net Sat Dec 25 08:32:26 2010
From: mike at sentex.net (Mike Tancsa)
Date: Sat, 25 Dec 2010 09:32:26 -0500
Subject: IPv6 BGP table size comparisons
In-Reply-To: <6C615B75952DAB4DBBE65F473DDBC82B2169B1A1@vahernexch01.corp.inthosts.net>
References: <4D10F85B.2050800@bryanfields.net> <4D13F958.9000806@rollernet.us> <6C615B75952DAB4DBBE65F473DDBC82B2169B1A1@vahernexch01.corp.inthosts.net>
Message-ID: <4D16007A.5060405@sentex.net>

On 12/24/2010 12:55 PM, Elliott, Andrew wrote:
> -----Original Message-----
> From: Seth Mattinen [mailto:sethm at rollernet.us]
> Sent: Thursday, December 23, 2010 8:37 PM
> To: nanog at nanog.org
> Subject: Re: IPv6 BGP table size comparisons
>
> On 12/21/10 2:18 PM, Frank Bulk wrote:
>> There are 4,035 routes in the global IPv6 routing table. This is what one
>> provider passed on to me for routes (/48 or larger prefixes), extracted from
>> public route-view servers.
>> AT&T AS7018: 2,851 (70.7%)
>> Cogent AS174: 2,864 (71.0%)
>> GLBX AS3549: 3,706 (91.8%)
>> Hurricane Electric AS6939: 3,790 (93.9%)
>> Qwest AS209: 3,918 (97.1%)
>> TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
>> Verizon AS701: 3,938 (97.6%)
>
>
> Sprint (AS1239) is sending 3,779 routes.
>
> XO Communications (AS2828) is sending 3973 prefixes.

I had a quick look at the diff between routes given to me by AS174 and
6453 and other v6 peers and here is what I found based on missing /32s.
(I excluded /48s for now)

There are some 490 /32s missing from Cogent from my network in Toronto,
Canada. The majority are paths via just 6939. Of those that are not just
6939, I see them via the following AS paths.
11647 6453 293
11647 6453 701 668
11647 6453 30071 13645
11647 13030 15716
11647 6453 5511
11647 6453 6830
11647 6453 25137
11647 6453 30071 2549
11647 6453 30071 10318
11647 6453 6762 7303
11647 6453 30071
11647 6453 6762 8280
11647 6453 13030
11647 13030
11647 6453 701
11647 6453 6762
11647 6453 5511 8346
11647 6453 30071
11647 6453 13030 8271
11647 13030 8271
11647 6453 13030 33845
11647 6453 701 18061 9555
11647 6453 6762 7642
11647 6453 30071 6536
11647 6453 701 18750
11647 6453 30071 19151
11647 6453 701 26773
11647 6453 30071 10326
11647 6453 30071 19151 16842
11647 6453 30071 19151 31877
11647 6453 30071 19151 22911
11647 6453 30071 13911
11647 6453 30071 7786
11647 6453 30071 13911 14595
11647 6453 6762 7303 4270
11647 6453 6762 7303 4270 27770
11647 6453 6762 7303 4270 5692
11647 6453 13030 48218
11647 13030 48218
11647 6453 13030 20634
11647 13030 20634
11647 6453 701 12702 24807
11647 6453 6830
11647 6453 5511 8697
11647 6453 6762 31463
11647 13030 9191
11647 6453 13030 25164
11647 13030 25164
11647 6453 13030 16242
11647 13030 16242
11647 6453 13030 28717
11647 6453 13030 25563
11647 13030 25563
11647 6453 5511 3215
11647 6453 5511 3215
11647 6453 5511 3215
11647 6453 5511 12493
11647 6453 13030 44573
11647 6453 13030 35366
11647 6453 13030 29430
11647 13030 29430
11647 6453 13030 21232
11647 13030 21232
11647 6453 13030 47617
11647 13030 47617
11647 6453 6830 20825
11647 6453 6762 8953
11647 6453 13030 15216
11647 13030 15216
11647 6453 13030
11647 13030

e.g.

2607:f078::/32
11647 6453 701 18750
11647 6939 18750

and

2a01:c910::/32
11647 6453 5511 3215
11647 6939 5511 3215

From skurylo+nanog at gmail.com Sat Dec 25 14:54:14 2010
From: skurylo+nanog at gmail.com (Steven Kurylo)
Date: Sat, 25 Dec 2010 12:54:14 -0800
Subject: Hotel Internet?
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net>
References: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net>
Message-ID:

On Fri, Dec 24, 2010 at 11:35 PM, Ryan Finnesey wrote:
> Is anyone within the group providing Internet access to Hotels? It
> seems most of this market is controlled by Lodge Net.
>

We're running the wifi at our hotels on our own. We use wifidog for the software (with radius hooked into our reservation system for auth). Some are using DSL to get APs into the rooms, newer properties have cat5 run throughout.

From jeremy at evilrouters.net Sat Dec 25 15:08:05 2010
From: jeremy at evilrouters.net (Jeremy L. Gaddis)
Date: Sat, 25 Dec 2010 16:08:05 -0500
Subject: Router only speaks IGP in BGP network
In-Reply-To: <201012251636.32869.mtinka@globaltransit.net>
References: <201012251636.32869.mtinka@globaltransit.net>
Message-ID: <4D165D35.8040704@evilrouters.net>

On 12/25/2010 3:36 AM, Mark Tinka wrote:
> On Friday, December 24, 2010 07:26:43 am Randy Bush wrote:
>> and do NOT redistribute bgp into ospf.
>
> This is good truth. Don't redistribute your BGP into the IGP
> (or vice versa). I'm not even sure OSPF would handle it in
> this day - but you don't want to find out.

Oh please. OSPF loves it when you shove a few 100k routes into it.

-- Jeremy L.
Gaddis From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org Sat Dec 25 15:30:21 2010 From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith) Date: Sun, 26 Dec 2010 08:00:21 +1030 Subject: Router only speaks IGP in BGP network In-Reply-To: <4D15F72A.4060401@kenweb.org> References: <201012251636.32869.mtinka@globaltransit.net> <4D15F72A.4060401@kenweb.org> Message-ID: <20101226080021.5a21338c@opy.nosense.org> On Sat, 25 Dec 2010 08:52:42 -0500 ML wrote: > On 12/25/2010 3:36 AM, Mark Tinka wrote: > > On Friday, December 24, 2010 07:26:43 am Randy Bush wrote: > > > >> and do NOT redistribute bgp into ospf. > > > > This is good truth. Don't redistribute your BGP into the IGP > > (or vice versa). I'm not even sure OSPF would handle it in > > this day - but you don't want to find out. > > > > Mark. > > > If you're only redistributing 10 prefixes into OSPF? Problem? > > > I've had to do it when transitioning between a legacy ISP routing domain and a "BGP for everything" model. The old routing domain had customer routes in both OSPF and BGP, while the new one used BGP for customer routes only. As I had to make the new network customer routes visible in the old network, and the legacy network didn't have a complete BGP mesh or RR setup (i.e. a broken BGP model), pushing routes from new BGP into old OSPF was the only choice. I liberally used the OSPF external route tag and BGP communities to classify routes and to control redistribution and avoid redistribution loops. So you can do it, as long as you're very careful, and make sure you keep reminding yourself that you're playing with a loaded gun with the safety off. Something definitely worth avoiding if you can. Regards, Mark. From frnkblk at iname.com Sat Dec 25 17:52:01 2010 From: frnkblk at iname.com (Frank Bulk - iName.com) Date: Sat, 25 Dec 2010 17:52:01 -0600 Subject: Hotel Internet? 
In-Reply-To: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net> References: <6EFFEFBAC68377459A2E972105C759EC0342B072@EXVBE005-2.exch005intermedia.net> Message-ID: Ethostream seems to have a good market share. That's what three hotels in our area are using for control. Frank -----Original Message----- From: Ryan Finnesey [mailto:ryan.finnesey at HarrierInvestments.com] Sent: Saturday, December 25, 2010 1:36 AM To: nanog at nanog.org Subject: Hotel Internet? Is anyone within the group providing Internet access to Hotels? It seems most of this market is controlled by Lodge Net. Cheers Ryan From francois at menards.ca Sat Dec 25 19:42:24 2010 From: francois at menards.ca (Francois Menard) Date: Sat, 25 Dec 2010 20:42:24 -0500 Subject: Good MPLS/VPLS book? In-Reply-To: References: Message-ID: Looks like a third edition is on the way slated for March 2011 http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459/ref=ntt_at_ep_dpt_2 I would expect it to cover MPLS-TP and the struggling evolution of PBB-TE ... anybody has any idea if this is in ? F. On 2010-12-24, at 7:47 AM, Mounir Mohamed wrote: > The most comprehensive text is MPLS Enabled Applications by Ina Minei > > http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8&qid=1293194786&sr=8-1 > > > On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste wrote: > >> Does anyone have a favorite book or resource discussing MPLS and all >> associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? >> >> I understand the basics of what MPLS is and how you create a circuit from >> A to B but I'm afraid it still escapes me when trying to figure out how >> someone would, say, create a multicast capable VPN with 5 edge points. >> >> Any pointers to a good way to reduce my level of ignorance on this subject >> would be appreciated. 
Vendor literature doesn't bother me as long as the >> concepts are there. >> >> Regards, >> Michael H. >> >> >> > > > -- > Best Regards, > Mounir Mohamed, CCIE#19573 (R&S/SP) > Senior Network Engineer, Core Team. > NOOR Data Networks, SAE > Mobile# +2-010-2345-956 > http://mounirmohamed.wordpress.com > http://www.linkedin.com/in/mounirmohamed From sshafi at gmail.com Sat Dec 25 20:42:17 2010 From: sshafi at gmail.com (Shahid Shafi) Date: Sat, 25 Dec 2010 18:42:17 -0800 Subject: Good MPLS/VPLS book? In-Reply-To: References: Message-ID: Amazon has detailed TOC and couple of chapters online so you should get all the info. MPLS-TP gets a decent coverage in this book. thanks, Shahid On Sat, Dec 25, 2010 at 5:42 PM, Francois Menard wrote: > Looks like a third edition is on the way slated for March 2011 > > > http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459/ref=ntt_at_ep_dpt_2 > > I would expect it to cover MPLS-TP and the struggling evolution of PBB-TE > ... anybody has any idea if this is in ? > > F. > > On 2010-12-24, at 7:47 AM, Mounir Mohamed wrote: > > > The most comprehensive text is MPLS Enabled Applications by Ina Minei > > > > > http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8&qid=1293194786&sr=8-1 > > > > > > On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste > wrote: > > > >> Does anyone have a favorite book or resource discussing MPLS and all > >> associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > >> > >> I understand the basics of what MPLS is and how you create a circuit > from > >> A to B but I'm afraid it still escapes me when trying to figure out how > >> someone would, say, create a multicast capable VPN with 5 edge points. > >> > >> Any pointers to a good way to reduce my level of ignorance on this > subject > >> would be appreciated. Vendor literature doesn't bother me as long as the > >> concepts are there. 
> >> > >> Regards, > >> Michael H. > >> > >> > >> > > > > > > -- > > Best Regards, > > Mounir Mohamed, CCIE#19573 (R&S/SP) > > Senior Network Engineer, Core Team. > > NOOR Data Networks, SAE > > Mobile# +2-010-2345-956 > > http://mounirmohamed.wordpress.com > > http://www.linkedin.com/in/mounirmohamed > > > From randy at psg.com Sun Dec 26 02:59:01 2010 From: randy at psg.com (Randy Bush) Date: Sun, 26 Dec 2010 17:59:01 +0900 Subject: afnog.org and afnog mailing list Message-ID: the host afnog.org blew a power supply at 12-23-2010 22:26. it is hosted by afrinic folk. they are in the process of finding a power supply. no etr. randy From brandon.kim at brandontek.com Sun Dec 26 09:29:39 2010 From: brandon.kim at brandontek.com (Brandon Kim) Date: Sun, 26 Dec 2010 10:29:39 -0500 Subject: Good MPLS/VPLS book? In-Reply-To: References: , , Message-ID: Decisions decisions, I do have other MPLS books I have not finished. I suppose I can finish them before picking this up and then getting the 3rd edition.....might be good timing. Good thing I didn't order the 2nd edition the other day! > Subject: Re: Good MPLS/VPLS book? > From: francois at menards.ca > Date: Sat, 25 Dec 2010 20:42:24 -0500 > To: mounir.mohamed at gmail.com > CC: nanog at nanog.org > > Looks like a third edition is on the way slated for March 2011 > > http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470665459/ref=ntt_at_ep_dpt_2 > > I would expect it to cover MPLS-TP and the struggling evolution of PBB-TE ... anybody has any idea if this is in ? > > F. 
> > On 2010-12-24, at 7:47 AM, Mounir Mohamed wrote: > > > The most comprehensive text is MPLS Enabled Applications by Ina Minei > > > > http://www.amazon.com/MPLS-Enabled-Applications-Developments-Technologies-Communications/dp/0470986441/ref=sr_1_1?ie=UTF8&qid=1293194786&sr=8-1 > > > > > > On Fri, Dec 24, 2010 at 12:49 AM, Michael Helmeste wrote: > > > >> Does anyone have a favorite book or resource discussing MPLS and all > >> associated Lego blocks (e.g. LDP, TE, VPLS, martini, mBGP et. al.)? > >> > >> I understand the basics of what MPLS is and how you create a circuit from > >> A to B but I'm afraid it still escapes me when trying to figure out how > >> someone would, say, create a multicast capable VPN with 5 edge points. > >> > >> Any pointers to a good way to reduce my level of ignorance on this subject > >> would be appreciated. Vendor literature doesn't bother me as long as the > >> concepts are there. > >> > >> Regards, > >> Michael H. > >> > >> > >> > > > > > > -- > > Best Regards, > > Mounir Mohamed, CCIE#19573 (R&S/SP) > > Senior Network Engineer, Core Team. > > NOOR Data Networks, SAE > > Mobile# +2-010-2345-956 > > http://mounirmohamed.wordpress.com > > http://www.linkedin.com/in/mounirmohamed > > From mlarson at verisign.com Sun Dec 26 11:07:03 2010 From: mlarson at verisign.com (Matt Larson) Date: Sun, 26 Dec 2010 12:07:03 -0500 Subject: .gov DNSSEC operational message In-Reply-To: <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com> <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> Message-ID: <20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com> On Thu, 23 Dec 2010, Jay Ashworth wrote: > > From: "Matt Larson" > > > The new KSK will not be published in an authenticated manner outside > > DNS (e.g., on an SSL-protected web page). 
> > Rather, the intended
> > mechanism for trusting the new KSK is via the signed root zone: DS
> > records corresponding to the new KSK are already present in the root
> > zone.
>
> That sounds like a policy decision... and I'm not sure I think it sounds
> like a *good* policy decision, but since no reasons were provided, it's
> difficult to tell.
>
> Why was that decision taken, Matt?

Having a zone's KSK statically configured on validators as a trust anchor can lead to a world of hurt: when rolling the KSK, the zone owner has to get everyone to update their trust anchor configuration. In theory, the protocol described in RFC 5011 allows an operator to signal a roll and validators will do the right thing. In practice, in these early days, you can't count on much 5011 deployment because implementations haven't been available for that long. This situation puts the operator of a popular signed zone, such as a TLD, in a difficult position and makes KSK rolls difficult--but only if the KSK is statically configured. Meanwhile, we now have a perfectly good signed root zone that can vouch for any TLD's KSK.

As a result, as the impending registry operator for .gov, VeriSign doesn't want to encourage static configuration of the .gov KSK as a trust anchor. Such static configuration would be made easier and implicitly condoned if the .gov KSK were published and authenticatable outside of DNS.

Note that the situation is the same today with the signed .net zone (and will be the same for the .com zone when it is signed in Q1 of 2011): the .net KSK is intentionally not published outside DNS. The path to trusting that key is via the signed DS record corresponding to it in the root zone.
Matt

From fw at deneb.enyo.de Sun Dec 26 11:23:01 2010
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sun, 26 Dec 2010 18:23:01 +0100
Subject: .gov DNSSEC operational message
In-Reply-To: <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> (Jay Ashworth's message of "Thu, 23 Dec 2010 13:37:13 -0500 (EST)")
References: <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com>
Message-ID: <87bp48mosq.fsf@mid.deneb.enyo.de>

* Jay Ashworth:

> ----- Original Message -----
>> From: "Matt Larson"
>
>> The new KSK will not be published in an authenticated manner outside
>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>> mechanism for trusting the new KSK is via the signed root zone: DS
>> records corresponding to the new KSK are already present in the root
>> zone.
>
> That sounds like a policy decision... and I'm not sure I think it sounds
> like a *good* policy decision, but since no reasons were provided, it's
> difficult to tell.

I don't know if it influenced the policy decision, but as it is currently specified, the protocol ensures that configuring an additional trust anchor never decreases availability when you've also got the root trust anchor configured; it can only increase it. This means that there is little reason to configure such a trust anchor, especially in the present scenario.
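Worked example of the trust path Matt and Florian describe above. This is added here and is not code from the thread, from VeriSign or from any validator: it computes a DNSKEY's key tag (RFC 4034, Appendix B) and its SHA-256 DS digest (RFC 4509) the way a validator does, then checks a child zone's KSK against the DS set its parent publishes. It shows why a KSK roll only needs the parent's DS record to change when validators trust the parent, while a statically configured trust anchor stays stale until every validator is edited by hand. The TLD name `example.`, the public-key bytes and the rolled key are constructed placeholders, not the .gov or .net keys.

```python
"""Trusting a TLD KSK through the parent's DS record instead of a static trust anchor.

Added example, not from the NANOG thread or VeriSign. Key bytes and the
TLD name are constructed placeholders.
"""
import hashlib
import struct

DIGEST_SHA256 = 2      # DS digest type 2 = SHA-256 (RFC 4509)
FLAG_SEP = 0x0001      # DNSKEY Secure Entry Point bit, set on a KSK


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): 16-bit sum with the carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(owner name in wire form || DNSKEY RDATA), as hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes, algorithm: int) -> dict:
    """The DS record a parent zone publishes (and signs) for a child's KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": ds_digest(owner, rdata)}


def dnskey_matches_parent_ds(owner: str, rdata: bytes, algorithm: int, parent_ds: list) -> bool:
    """Validator-side check: does a DS in the already-validated parent zone vouch for this key?
    Only SEP (KSK) keys are candidates; the DS must match on tag, algorithm, type and digest."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & FLAG_SEP:
        return False
    tag, digest = key_tag(rdata), ds_digest(owner, rdata)
    return any(ds["key_tag"] == tag and ds["algorithm"] == algorithm
               and ds["digest_type"] == DIGEST_SHA256 and ds["digest"] == digest
               for ds in parent_ds)


def ksk_roll_walkthrough() -> dict:
    """Follow the chain root trust anchor -> DS in the root zone -> TLD KSK, then roll the KSK.
    Returns the intermediate results. 'example.' and the key bytes are constructed placeholders."""
    tld, algorithm = "example.", 8                                  # algorithm 8 = RSASHA256
    old_ksk = dnskey_rdata(257, algorithm, b"\x01\x02\x03\x04")   # flags 257 = ZONE|SEP
    new_ksk = dnskey_rdata(257, algorithm, b"\x01\x02\x03\x05")   # the post-roll key
    root_ds = [make_ds(tld, old_ksk, algorithm)]                   # what the signed root carries today
    static_anchor = old_ksk                                        # a validator that pinned the KSK by hand
    return {
        "old_key_tag": key_tag(old_ksk),
        "old_ksk_trusted_via_root": dnskey_matches_parent_ds(tld, old_ksk, algorithm, root_ds),
        # Before the parent updates its DS, nobody trusts the new key; that is the correct outcome.
        "new_ksk_trusted_before_ds_update": dnskey_matches_parent_ds(tld, new_ksk, algorithm, root_ds),
        # Once the zone owner publishes the new DS in the root, root-anchored validators follow.
        "new_ksk_trusted_after_ds_update": dnskey_matches_parent_ds(
            tld, new_ksk, algorithm, root_ds + [make_ds(tld, new_ksk, algorithm)]),
        # A statically configured anchor still holds the old key: stale until changed by hand.
        "static_anchor_still_matches_new_ksk": static_anchor == new_ksk,
    }


if __name__ == "__main__":
    for name, value in ksk_roll_walkthrough().items():
        print(f"{name}: {value}")
```

The comparison in `dnskey_matches_parent_ds` is the whole of what a root-anchored validator needs from the TLD: the DS in the root zone is signed by the root ZSK, which chains to the root trust anchor, so no out-of-band copy of the TLD KSK is involved, and a KSK roll is a change to one record set in the parent rather than a change on every validator.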
From tglassey at earthlink.net Sun Dec 26 16:23:00 2010 From: tglassey at earthlink.net (todd glassey) Date: Sun, 26 Dec 2010 14:23:00 -0800 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <4D146A57.9040305@gmail.com> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <4D146A57.9040305@gmail.com> Message-ID: <4D17C044.9030006@earthlink.net> On 12/24/2010 1:39 AM, William Allen Simpson wrote: > On 12/23/10 12:27 PM, Jay Ashworth wrote: >> I was poking around to see what the current received wisdom was as to >> average install cost per building for suburban municipal home-run fiber, >> and ran across this article, which discusses the topic, and itemizes >> several large such deployments that "failed" or had to be sold private. >> >> I'd be interested to see what comments nanogers have on this piece. I'm >> not well enough read to critically evaluate the guy's assertions. >> >> http://www.digitalsociety.org/2010/03/why-municipal-fiber-has-not-succeeded/ >> >> > Always consider the source. > > Didn't we just have a George Ou cite that was debunked on this list? > Subject: RE: Level 3 Communications Issues Statement Concerning > Comcast's Actions > > Reminder: ITIF is an ultra-conservative, anti-government outfit: > http://mailman.nanog.org/pipermail/nanog/2009-November/015552.html http://www.itif.org/content/about-us They are a wonk tank in DC. They have totally transparent funding and if you want to see it check their SEC and public filings. Todd > > ITIF doesn't give out information about its funding, which usually means > it's industry lobbyist funded. Apparently in this case, big cable and > probably big telco. 
>
>

From jared at puck.nether.net Sun Dec 26 18:37:15 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Sun, 26 Dec 2010 18:37:15 -0600
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com>
Message-ID:

You are likely already at the mercy of some local hut for your dialtone. Very few things home run to the co these days. It's unlikely any hut has more than 24 hours of battery.

I have talked to local techs that make the same trip each shift to fuel the generator during regular or minor power outages. Anything major, expect the service to die.

Best bets: your state emergency operations center, hospitals, airports, grocery stores and possibly hotels.

During the northeast power outage the biggest local problem was inability to pump gas out of underground tanks. The margin at the stations is low enough it's not worth it to have generators. Best off having the pipeline next to you and to use natural gas/propane if your needs can be easily met by it.

Jared Mauch

On Dec 23, 2010, at 1:09 PM, "George Bonser" wrote:

>>
>> A 75% upsell rate to triple play packages seems ludicrous. I can't
>> think of any industry that sees an upsell rate of 75% - can you (hell,
>> I sold running shoes in high school, and the -target- upsell rate on
>> shoestrings/socks/whatever-else was 15%).
>>
>> Nathan
>
> Well, I won't get rid of my "wired" phone for VOIP. The power where I live is subject to outage during storms but the phones work. I want a phone that works when the power is out for an extended period of time.
>
> At most, they would get "double play" from me (TV and Internet) and that's it.
> And based on discussions with others, many feel the same way about having their telephone depend on their cable box having power.
>
>

From sethm at rollernet.us Sun Dec 26 19:00:53 2010
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 26 Dec 2010 17:00:53 -0800
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To:
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com>
Message-ID: <4D17E545.6030308@rollernet.us>

On 12/26/10 4:37 PM, Jared Mauch wrote:
> You are likely already at the mercy of some local hut for your dialtone. Very few things home run to the co these days. It's unlikely any hut has more than 24 hours of battery.
>
> I have talked to local techs that make the same trip each shift to fuel the generator during regular or minor power outages. Anything major, expect the service to die.
>
> Best bets: your state emergency operations center, hospitals, airports, grocery stores and possibly hotels.
>
> During the northeast power outage the biggest local problem was inability to pump gas out of underground tanks. The margin at the stations is low enough it's not worth it to have generators. Best off having the pipeline next to you and to use natural gas/propane if your needs can be easily met by it.
>

During the last multi-hour power outage in my neighborhood I drove around to tour the area; sure enough there was a truck backed up to many (but not all) of them with a cable plugged in to the meter kiosk. I feel dirty using a facebook link, but:

http://www.facebook.com/photo.php?pid=1265926&l=999da42e39&id=1327652570

However, residential internet access as a whole (DSL, cable) tends to have lower reliability than POTS or T1, so they still have a leg to stand on if it matters to you. Power-wise though they're all on equal footing.
~Seth

From gbonser at seven.com Sun Dec 26 20:55:44 2010
From: gbonser at seven.com (George Bonser)
Date: Sun, 26 Dec 2010 18:55:44 -0800
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To:
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com>
Message-ID: <5A6D953473350C4B9995546AFE9939EE0BC13161@RWC-EX1.corp.seven.com>

> From: Jared Mauch
> Sent: Sunday, December 26, 2010 4:37 PM
> To: George Bonser
> Cc: Nathan Eisenberg; NANOG
> Subject: Re: Muni Fiber Last Mile - a contrary opinion
>
> You are likely already at the mercy of some local hut for your
> dialtone. Very few things home run to the co these days. It's unlikely
> any hut has more than 24 hours of battery.
>
> I have talked to local techs that make the same trip each shift to fuel
> the generator during regular or minor power outages. Anything major,
> expect the service to die.
>
> Best bets: your state emergency operations center, hospitals, airports,
> grocery stores and possibly hotels.
>
> During the northeast power outage the biggest local problem was
> inability to pump gas out of underground tanks. The margin at the
> stations is low enough it's not worth it to have generators. Best off
> having the pipeline next to you and to use natural gas/propane if your
> needs can be easily met by it.
>
> Jared Mauch

I am pretty lucky, the CO is about 4 blocks from the house and as far as I can tell I'm wired directly (and the wiring was installed around 1960 and is all above ground from a box next to the CO). The local loop does go to a box about a half block from the CO but it has no generator. It is just jumper blocks from the looks of it when I have seen it open.

+1 on the natural gas generator, or if you heat with oil, a diesel that feeds off the heating oil tank. Even agricultural diesel will be fine or WVO bio-diesel.
No need to pay road tax on diesel used in a generator. Gasoline would be my last choice for a generator. From owen at delong.com Sun Dec 26 21:10:49 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 26 Dec 2010 19:10:49 -0800 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> Message-ID: <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com> On Dec 26, 2010, at 4:37 PM, Jared Mauch wrote: > You are likely already at the mercy of some local hut for your dialtone. Very few things home run to the co these days. It's unlikely any hut has more than 24 hours of battery. > I know this is true where FTTN overlays have been built. However, in the majority of California, at least, that is still more the exception than the rule and there is usually a Cat-3 Copper home-run for local dialtone. > I have talked to local techs that make the same trip each shift to fuel the generator during regular or minor power outages. Anything major, expect the service to die. > If nothing else, I expect various other components in the system (trunk overload, switch dialtone exhaustion, etc.) in anything major anyway. However, 24 hours of dialtone after something happens still exceeds the average cablemodem duration after the power flickers. 
Owen

From frnkblk at iname.com Sun Dec 26 21:35:19 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Sun, 26 Dec 2010 21:35:19 -0600
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com>
Message-ID:

> -----Original Message-----
> From: Owen DeLong [mailto:owen at delong.com]
> Sent: Sunday, December 26, 2010 9:11 PM
> To: Jared Mauch
> Cc: NANOG
> Subject: Re: Muni Fiber Last Mile - a contrary opinion
>
> On Dec 26, 2010, at 4:37 PM, Jared Mauch wrote:
>
> > You are likely already at the mercy of some local hut for your dialtone.
> Very few things home run to the co these days. It's unlikely any hut has
> more than 24 hours of battery.
> >
> I know this is true where FTTN overlays have been built. However, in the
> majority of California, at least, that is still more the exception than
> the
> rule and there is usually a Cat-3 Copper home-run for local dialtone.

[Frank Bulk]
Here in the midwest each and every one of the telcos that I've talked to or worked with feeds dialtone for their DSL customers from the same equipment that serves the DSL. To do otherwise would require a splitter shelf in each node.

> >
> > I have talked to local techs that make the same trip each shift to fuel
> the generator during regular or minor power outages. Anything major,
> expect the service to die.
> >
> If nothing else, I expect various other components in the system (trunk
> overload, switch dialtone exhaustion, etc.)
> in anything major anyway.
>
> However, 24 hours of dialtone after something happens still exceeds the
> average cablemodem duration after the
> power flickers.

[Frank Bulk]
Some MSOs (including ourselves) have power systems (e.g.
Alpha) in place throughout the plant to provide backup power for at least some time. From cmadams at hiwaay.net Sun Dec 26 22:07:20 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Sun, 26 Dec 2010 22:07:20 -0600 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> Message-ID: <20101227040720.GA18820@hiwaay.net> Once upon a time, Jared Mauch said: > You are likely already at the mercy of some local hut for your > dialtone. Very few things home run to the co these days. It's unlikely > any hut has more than 24 hours of battery. The AT&T (formerly BellSouth) cabinets around here mostly have natural gas generators included, so they almost never go out. The cable companies, on the other hand, might have enough battery to last through a brownout. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From don at bowenvale.co.nz Sun Dec 26 22:22:38 2010 From: don at bowenvale.co.nz (Don Gould) Date: Mon, 27 Dec 2010 17:22:38 +1300 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <20101227040720.GA18820@hiwaay.net> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <20101227040720.GA18820@hiwaay.net> Message-ID: <4D18148E.3080207@bowenvale.co.nz> This thread is really interesting to see what's happening in .us with power. I've been following what's going on in .au with their ftth project (doing the whole country and pulling out the legacy copper systems, both tp and hfc) and there's been a bit of talk about issues in power cuts. 
I'm in Christchurch.nz where we've been having earthquakes every day; it's interesting to see the mobile networks go to half service (2G, no 3G on one network yesterday) when the quakes take out the suburban line transformers.

D

On 27/12/2010 5:07 p.m., Chris Adams wrote:
> Once upon a time, Jared Mauch said:
>> You are likely already at the mercy of some local hut for your
>> dialtone. Very few things home run to the co these days. It's unlikely
>> any hut has more than 24 hours of battery.
> The AT&T (formerly BellSouth) cabinets around here mostly have natural
> gas generators included, so they almost never go out. The cable
> companies, on the other hand, might have enough battery to last through
> a brownout.
>

-- Don Gould
31 Acheson Ave, Mairehau, Christchurch, NZ
Ph +64 3 348 7235 or + 64 21 114 0699
www.bowenvale.co.nz/ipv6 - Taking on the IPv6 Challenge!

From nanog at deman.com Sun Dec 26 23:21:58 2010
From: nanog at deman.com (Michael DeMan)
Date: Sun, 26 Dec 2010 21:21:58 -0800
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <20101227040720.GA18820@hiwaay.net>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <20101227040720.GA18820@hiwaay.net>
Message-ID: <0211E4B4-C717-4315-8FFF-15A09971680D@deman.com>

On Dec 26, 2010, at 8:07 PM, Chris Adams wrote:
> The AT&T (formerly BellSouth) cabinets around here mostly have natural
> gas generators included, so they almost never go out. The cable
> companies, on the other hand, might have enough battery to last through
> a brownout.

Interesting - out of curiosity, how big are these cabinets/pedestals? Or would you by chance know details on the natgas power system they are using?

Natgas is not ideal in a full-on disaster scenario like an earthquake, but probably could add another '9' onto service levels?
I have never heard of or seen such a thing, but it is a really good idea. - Michael DeMan From cmadams at hiwaay.net Sun Dec 26 23:34:37 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Sun, 26 Dec 2010 23:34:37 -0600 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: <0211E4B4-C717-4315-8FFF-15A09971680D@deman.com> References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <20101227040720.GA18820@hiwaay.net> <0211E4B4-C717-4315-8FFF-15A09971680D@deman.com> Message-ID: <20101227053437.GB18820@hiwaay.net> Once upon a time, Michael DeMan said: > On Dec 26, 2010, at 8:07 PM, Chris Adams wrote: > > The AT&T (formerly BellSouth) cabinets around here mostly have natural > > gas generators included, so they almost never go out. The cable > > companies, on the other hand, might have enough battery to last through > > a brownout. > > Interesting - out of curiosity, how big are these cabinets/pedestals? Or would you by chance know details on the natgas power system they are using? I don't know; I've just seen them driving by (since other cabinets don't have a gas meter, they stand out). It looks like they set up two cabinets about 6-8 feet wide, 3 feet deep, and 4-5 feet high (just guestimating). Maybe one cabinet for power/batteries/generator and one for the telco gear? > Natgas is not ideal in a full-on disaster scenario like an earthquake, > but probably could add another '9' onto service levels? I have never > heard of or seen such a thing, but it is a really good idea. I'm in north Alabama; earthquakes aren't a significant problem here. The biggest I can remember was something like a 3.2, just enough to hear and feel. We're far enough from New Madrid that it shouldn't be an issue. 
Our main problem is severe storms (thunderstorms and tornados), the once-every-few-decades ice storm, and the random exploding transformer. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From owen at delong.com Mon Dec 27 00:04:33 2010 From: owen at delong.com (Owen DeLong) Date: Sun, 26 Dec 2010 22:04:33 -0800 Subject: Muni Fiber Last Mile - a contrary opinion In-Reply-To: References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com> Message-ID: <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com> On Dec 26, 2010, at 7:35 PM, Frank Bulk - iName.com wrote: > >> -----Original Message----- >> From: Owen DeLong [mailto:owen at delong.com] >> Sent: Sunday, December 26, 2010 9:11 PM >> To: Jared Mauch >> Cc: NANOG >> Subject: Re: Muni Fiber Last Mile - a contrary opinion >> >> On Dec 26, 2010, at 4:37 PM, Jared Mauch wrote: >> >>> You are likely already at the mercy of some local hut for your dialtone. >> Very few things home run to the co these days. It's unlikely any hut has >> more than 24 hours of battery. >>> >> I know this is true where FTTN overlays have been built. However, in the >> majority of California, at least, that is still more the exception than >> the >> rule and there is usually a Cat-3 Copper home-run for local dialtone. > > [Frank Bulk] > Here in the midwest each and every of the telcos that I've talked to or > worked with feeds dialtone for their DSL customers from the same equipment > that serves the DSL. To do otherwise would require a splitter shelf in each > node. > In California, that is, by and large, the CO. >> >>> I have talked to local techs that make the same trip each shift to fuel >> the generator during regular or minor power outages. 
>> Anything major,
>> expect the service to die.
>>>
>> If nothing else, I expect various other components in the system (trunk
>> overload, switch dialtone exhaustion, etc.)
>> in anything major anyway.
>>
>> However, 24 hours of dialtone after something happens still exceeds the
>> average cablemodem duration after the
>> power flickers.
>
> [Frank Bulk]
> Some MSOs (including ourselves) have power systems (e.g. Alpha) in place
> throughout the plant to provide backup power for at least some time.
>
Does that back up the cablemodem in the residence? If not, game over.

Owen

From joelja at bogus.com Mon Dec 27 00:16:39 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Sun, 26 Dec 2010 22:16:39 -0800
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com> <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
Message-ID: <4D182F47.3010309@bogus.com>

On 12/26/10 10:04 PM, Owen DeLong wrote:
>
> On Dec 26, 2010, at 7:35 PM, Frank Bulk - iName.com wrote:
>> [Frank Bulk]
>> Some MSOs (including ourselves) have power systems (e.g. Alpha) in place
>> throughout the plant to provide backup power for at least some time.
>>
>
> Does that back up the cablemodem in the residence? If not, game over.

This is a not-uncommon example of cable modem + voice CPE installed to ensure that VoIP continues when the power is out; there are others...
http://www.amazon.com/Motorola-SURFboard-SBV5220-Digital-Integrated/dp/B000TKHW5M

> Owen
>
>
>

From adrian at creative.net.au Mon Dec 27 03:21:00 2010
From: adrian at creative.net.au (Adrian Chadd)
Date: Mon, 27 Dec 2010 17:21:00 +0800
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com> <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
Message-ID: <20101227092059.GJ7793@skywalker.creative.net.au>

On Sun, Dec 26, 2010, Owen DeLong wrote:
> > [Frank Bulk]
> > Some MSOs (including ourselves) have power systems (e.g. Alpha) in place
> > throughout the plant to provide backup power for at least some time.
> >
> Does that back up the cablemodem in the residence? If not, game over.

Thing is, not enough noise was made about that in the Australian National Broadband Plan until late in the game.

I'm patiently waiting for a time when a major power outage incident occurs and the cellular network system locally fails.

Adrian

From peter.hicks at poggs.co.uk Mon Dec 27 05:18:33 2010
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Mon, 27 Dec 2010 11:18:33 +0000
Subject: SDSL circuits in UK?
In-Reply-To:
References: <20101220212934.GM97456@reptiles.org>
Message-ID: <1293448713.23095.22.camel@angel>

On Mon, 2010-12-20 at 21:51 +0000, Paul Cupis wrote:
> There are a number of network operators capable of supplying SDSL (Annex
> B) in the UK depending on the location.

Really? I heard BT were phasing out SDSL due to the low take-up, and the likes of TalkTalk are providing Annex M services with 2Mbps upstream, capped to 2Mbps downstream, to provide SDSL-like speeds.
21CN Ethernet Access Direct circuits are probably a better choice than SDSL, and bonding two Annex M circuits, a la Be/O2, is probably a better choice than SDSL.

Peter

From braaen at zcorum.com Mon Dec 27 06:30:16 2010
From: braaen at zcorum.com (Brian Christopher Raaen)
Date: Mon, 27 Dec 2010 07:30:16 -0500
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
Message-ID: <201012270730.16650.braaen@zcorum.com>

On Monday, December 27, 2010 01:04:33 am Owen DeLong wrote:
> On Dec 26, 2010, at 7:35 PM, Frank Bulk - iName.com wrote:
> Does that back up the cablemodem in the residence? If not, game over.
>
> Owen

All of the Arris eMTA models have a version with built-in battery backup, and as I recall drop net access and continue to provide phone power for some time. I know in our lab one of the first things we make sure of is that the batteries are not in them so we can do powercycle testing.

---
Brian Raaen
Network Architect
Zcorum

From mike-nanog at tiedyenetworks.com Mon Dec 27 09:10:15 2010
From: mike-nanog at tiedyenetworks.com (Mike)
Date: Mon, 27 Dec 2010 07:10:15 -0800
Subject: Cheap home CPE troubles
Message-ID: <4D18AC57.50505@tiedyenetworks.com>

Hi,

Well as is customary in our part of the country (Northern California), with the stormy weather comes brownouts and blackouts comes a massive influx of end users with locked up and malfunctioning home networking equipment. Every single time the power sneezes, massive waves of customers just 'go down' and then I get to pick the pieces all up by talking to each individual and instructing them how to pull the power and then plug it back in, or worse, their CPE needs to have its settings restored since the internal flash memories got cleared or corrupted.

We see this in the cheap home gear all the time.
Makes me mad since Linksys/Netgear/Motorola got away with the customers' money and incur ZERO support costs or any apparent liability for their product, where we in turn get to deal with upset subscribers who have been 'down for days...' while all the time the solution - powercycling - was within reach.

Is there anyone who has a script or process or policy concerning unreliable customer equipment and how to effectively deal with unsophisticated home users? I mean, users with business oriented gear (eg: Cisco 26xx, 8xx, PIX, and the like), and doubly especially those with working standby UPS, we never ever hear from and they have extreme uptimes, but home users aren't willing to hear $500 - $800 in gear is required to 'make it work all the time'. They interpret that to mean that there's just something wrong with us since WE 'require' such expensive and exotic equipment in order to work right, and they would be better off somewhere else.

Any comments?

Mike-

From blewis at hottopic.com Mon Dec 27 12:15:55 2010
From: blewis at hottopic.com (Bill Lewis)
Date: Mon, 27 Dec 2010 12:15:55 -0600
Subject: Public Wireless access (ticket / token / schedule based)
Message-ID: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com>

What is everyone using for enterprise grade wireless authentication for simple public access (i.e. users that are non-employee that need internet access (non-PCI) while in your building). Obviously I will hang this off a DMZ switch outside of my private LAN. Looking for something vendor driven, don't have time for anything home grown or unsupported / community based.
Thanks,

Bill Lewis
Hot Topic

From peter.phaal at gmail.com Mon Dec 27 12:21:43 2010
From: peter.phaal at gmail.com (Peter Phaal)
Date: Mon, 27 Dec 2010 10:21:43 -0800
Subject: ipfix/netflow/sflow generator for Linux
Message-ID:

The latest version of Host sFlow adds support for ULOG traffic monitoring (with ingress/egress ifIndex numbers):

http://host-sflow.sourceforge.net/

Cheers,
Peter

> My only issue is that I can't seem to find any good software for Linux that
> works with multiple interfaces to generate the flow information. I've tried
> ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of
> the software only works on one interface (which is useless as I need to do
> accounting for numerous interfaces).

From owen at delong.com Mon Dec 27 13:53:29 2010
From: owen at delong.com (Owen DeLong)
Date: Mon, 27 Dec 2010 11:53:29 -0800
Subject: Cheap home CPE troubles
In-Reply-To: <4D18AC57.50505@tiedyenetworks.com>
References: <4D18AC57.50505@tiedyenetworks.com>
Message-ID: <49AE117E-328B-4E48-A932-BC82E1E5BB52@delong.com>

On Dec 27, 2010, at 7:10 AM, Mike wrote:

> Hi,
>
> Well as is customary in our part of the country (Northern California), with the stormy weather comes brownouts and blackouts comes a massive influx of end users with locked up and malfunctioning home networking equipment. Every single time the power sneezes, massive waves of customers just 'go down' and then I get to pick the pieces all up by talking to each individual and instructing them how to pull the power and then plug it back in, or worse, their CPE needs to have its settings restored since the internal flash memories got cleared or corrupted.
>
Yep...

> We see this in the cheap home gear all the time. Makes me mad since Linksys/Netgear/Motorola got away with the customers' money and incur ZERO support costs or any apparent liability for their product, where we in turn get to deal with upset subscribers who have been 'down for days...'
> while all the time the solution - powercycling - was within reach.
>
I think your only potentially effective option would be to engage the great American tradition of legal reparations. (IOW, sue them for causing you harm by unleashing a product with a known defect and foreseeable harmful consequences).

> Is there anyone who has a script or process or policy concerning unreliable customer equipment and how to effectively deal with unsophisticated home users? I mean, users with business oriented gear (eg: Cisco 26xx, 8xx, PIX, and the like), and doubly especially those with working standby UPS, we never ever hear from and they have extreme uptimes, but home users aren't willing to hear $500 - $800 in gear is required to 'make it work all the time'. They interpret that to mean that there's just something wrong with us since WE 'require' such expensive and exotic equipment in order to work right, and they would be better off somewhere else.
>
Amusingly, I could turn this around in my situation... My gear comes from the providers in both cases. In one case, I purchased the cheap DSL modem from the provider (which, admittedly, has been rock solid through many power outages). In the other case, I'm renting the CMTS box from Comcast which doesn't even require a power failure to lose its mind periodically. (Apparently there is a known problem where every time Comcast does a firmware update to the boxes, N% of them lose their minds). Arguably, at $5/month, over the life of my service I will likely pay quite a bit more for the CMTS box than I did for the DSL modem ($40). In fact, being a little more than a year since I got Comcast Business Class, I have already done so.

Indeed, the running joke is "I need fast reliable internet service, so, I get fast service from Comcast and Reliable service from Raw Bandwidth." Unfortunately, as amusing as the quip may be, it's also an absolutely true statement about my network.
Owen

From trelane at trelane.net Mon Dec 27 10:36:37 2010
From: trelane at trelane.net (Andrew Kirch)
Date: Mon, 27 Dec 2010 11:36:37 -0500
Subject: Cheap home CPE troubles
In-Reply-To: <4D18AC57.50505@tiedyenetworks.com>
References: <4D18AC57.50505@tiedyenetworks.com>
Message-ID: <4D18C095.6070900@trelane.net>

Send each customer out to buy this:

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=BE350G

problem solved.

Andrew

On 12/27/2010 10:10 AM, Mike wrote:
> Hi,
>
> Well as is customary in our part of the country (Northern
> California), with the stormy weather comes brownouts and blackouts
> comes a massive influx of end users with locked up and malfunctioning
> home networking equipment. Every single time the power sneezes,
> massive waves of customers just 'go down' and then I get to pick the
> pieces all up by talking to each individual and instructing them how
> to pull the power and then plug it back in, or worse, their CPE needs
> to have its settings restored since the internal flash memories got
> cleared or corrupted.
>
> We see this in the cheap home gear all the time. Makes me mad
> since Linksys/Netgear/Motorola got away with the customers' money and
> incur ZERO support costs or any apparent liability for their product,
> where we in turn get to deal with upset subscribers who have been
> 'down for days...' while all the time the solution - powercycling -
> was within reach.
>
> Is there anyone who has a script or process or policy concerning
> unreliable customer equipment and how to effectively deal with
> unsophisticated home users? I mean, users with business oriented gear
> (eg: Cisco 26xx, 8xx, PIX, and the like), and doubly especially those
> with working standby UPS, we never ever hear from and they have
> extreme uptimes, but home users aren't willing to hear $500 - $800 in
> gear is required to 'make it work all the time'.
> They interpret that
> to mean that there's just something wrong with us since WE 'require'
> such expensive and exotic equipment in order to work right, and they
> would be better off somewhere else.
>
> Any comments?
>
> Mike-
>

From patrick at zill.net Mon Dec 27 14:43:35 2010
From: patrick at zill.net (Patrick Giagnocavo)
Date: Mon, 27 Dec 2010 15:43:35 -0500
Subject: Cheap home CPE troubles
In-Reply-To: <4D18AC57.50505@tiedyenetworks.com>
References: <4D18AC57.50505@tiedyenetworks.com>
Message-ID: <4D18FA77.7000609@zill.net>

On 12/27/2010 10:10 AM, Mike wrote:
> Is there anyone who has a script or process or policy concerning
> unreliable customer equipment and how to effectively deal with
> unsophisticated home users? I mean, users with business oriented gear

If power glitches are the problem, doing a bulk buy of UPS units and offering them cheap/at your cost to your customers as a bonus of them doing business with you, may solve the problem.

--Patrick

From tglassey at earthlink.net Mon Dec 27 14:52:53 2010
From: tglassey at earthlink.net (todd glassey)
Date: Mon, 27 Dec 2010 12:52:53 -0800
Subject: Cheap home CPE troubles
In-Reply-To: <4D18AC57.50505@tiedyenetworks.com>
References: <4D18AC57.50505@tiedyenetworks.com>
Message-ID: <4D18FCA5.9090304@earthlink.net>

On 12/27/2010 7:10 AM, Mike wrote:
> Hi,
>
> Well as is customary in our part of the country (Northern
> California), with the stormy weather comes brownouts and blackouts
> comes a massive influx of end users with locked up and malfunctioning
> home networking equipment. Every single time the power sneezes,
> massive waves of customers just 'go down' and then I get to pick the
> pieces all up by talking to each individual and instructing them how
> to pull the power and then plug it back in, or worse, their CPE needs
> to have its settings restored since the internal flash memories got
> cleared or corrupted.
>
> We see this in the cheap home gear all the time.
> Makes me mad
> since Linksys/Netgear/Motorola got away with the customers' money and
> incur ZERO support costs or any apparent liability for their product,
> where we in turn get to deal with upset subscribers who have been
> 'down for days...' while all the time the solution - powercycling -
> was within reach.
>
> Is there anyone who has a script or process or policy concerning
> unreliable customer equipment and how to effectively deal with
> unsophisticated home users? I mean, users with business oriented gear
> (eg: Cisco 26xx, 8xx, PIX, and the like), and doubly especially those
> with working standby UPS, we never ever hear from and they have
> extreme uptimes, but home users aren't willing to hear $500 - $800 in
> gear is required to 'make it work all the time'. They interpret that
> to mean that there's just something wrong with us since WE 'require'
> such expensive and exotic equipment in order to work right, and they
> would be better off somewhere else.
>
> Any comments?
>
> Mike-
>
>
Yes - you need to have a basic troubleshooting guide for the victims of the manufacturers' bad documentation. The most important thing is to tell the client how to reboot whatever device is providing their DHCP leases so that they can restore their service.

The other thing which is of value, we find, is to close that sheet out with a request that the customers contact the manufacturer directly to tell them what they think of their product, and you give them the proper email/web links to make that happen. Trust me, if at Netgear Patrick Lo gets 500 emails from upset customers they will change that process immediately.
Todd

From tglassey at earthlink.net Mon Dec 27 14:54:39 2010
From: tglassey at earthlink.net (todd glassey)
Date: Mon, 27 Dec 2010 12:54:39 -0800
Subject: Cheap home CPE troubles
In-Reply-To: <49AE117E-328B-4E48-A932-BC82E1E5BB52@delong.com>
References: <4D18AC57.50505@tiedyenetworks.com> <49AE117E-328B-4E48-A932-BC82E1E5BB52@delong.com>
Message-ID: <4D18FD0F.9040906@earthlink.net>

On 12/27/2010 11:53 AM, Owen DeLong wrote:
> On Dec 27, 2010, at 7:10 AM, Mike wrote:
>
>> Hi,
>>
>> Well as is customary in our part of the country (Northern California), with the stormy weather comes brownouts and blackouts comes a massive influx of end users with locked up and malfunctioning home networking equipment. Every single time the power sneezes, massive waves of customers just 'go down' and then I get to pick the pieces all up by talking to each individual and instructing them how to pull the power and then plug it back in, or worse, their CPE needs to have its settings restored since the internal flash memories got cleared or corrupted.
>>
> Yep...
>
>> We see this in the cheap home gear all the time. Makes me mad since Linksys/Netgear/Motorola got away with the customers' money and incur ZERO support costs or any apparent liability for their product, where we in turn get to deal with upset subscribers who have been 'down for days...' while all the time the solution - powercycling - was within reach.
>>
> I think your only potentially effective option would be to engage the great American tradition of legal reparations. (IOW, sue them for causing you harm by unleashing a product with a known defect and foreseeable harmful consequences).
>
>> Is there anyone who has a script or process or policy concerning unreliable customer equipment and how to effectively deal with unsophisticated home users?
>> I mean, users with business oriented gear (eg: Cisco 26xx, 8xx, PIX, and the like), and doubly especially those with working standby UPS, we never ever hear from and they have extreme uptimes, but home users aren't willing to hear $500 - $800 in gear is required to 'make it work all the time'. They interpret that to mean that there's just something wrong with us since WE 'require' such expensive and exotic equipment in order to work right, and they would be better off somewhere else.
>>
> Amusingly, I could turn this around in my situation... My gear comes from the providers in both cases. In one case, I purchased the cheap DSL modem from
> the provider (which, admittedly, has been rock solid through many power outages). In the other case, I'm renting the CMTS box from Comcast which doesn't
> even require a power failure to lose its mind periodically. (Apparently there is a known problem where every time Comcast does a firmware update to the
> boxes, N% of them lose their minds). Arguably, at $5/month, over the life of my service I will likely pay quite a bit more for the CMTS box than I did for the DSL modem ($40). In fact, being a little more than a year since I got Comcast Business Class, I have already done so.
>
> Indeed, the running joke is "I need fast reliable internet service, so, I get fast service from Comcast and Reliable service from Raw Bandwidth."
> Unfortunately, as amusing as the quip may be, it's also an absolutely true statement about my network.
>
> Owen

yep!

>
>

From simon at darkmere.gen.nz Mon Dec 27 15:18:00 2010
From: simon at darkmere.gen.nz (Simon Lyall)
Date: Tue, 28 Dec 2010 10:18:00 +1300 (NZDT)
Subject: Cheap home CPE troubles
In-Reply-To: <4D18FD0F.9040906@earthlink.net>
References: <4D18AC57.50505@tiedyenetworks.com> <49AE117E-328B-4E48-A932-BC82E1E5BB52@delong.com> <4D18FD0F.9040906@earthlink.net>
Message-ID:

Happened a few years back to one ISP I know.
The common ADSL modem given away free with the accounts (Dynalink DSL302G is the one I'm using right now, might be a few other models) had a problem that if authentication failed (due to the account being locked, say) and logins failed continuously for several minutes in a row, the box would lock up and could only be fixed via a power cycle (NOT a restart from the menu options).

So the ISP had a few little problems and the authentication servers were unhappy for a few hours, and 10-20% of the not-trivial customer base ended up in this mode. Took the helpdesk about a week to get everybody working again; they had to talk people through resetting the right piece of equipment (not rebooting their computer etc.) and obviously some had changed their passwords or settings to try and make it work, so those had to be fixed.

Dynalink put out a firmware fix for that bug and the ISP pushed it to customers after that and made sure the newer equipment didn't have it.

--
Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.

From frnkblk at iname.com Mon Dec 27 16:10:51 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 27 Dec 2010 16:10:51 -0600
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To: <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
References: <26612496.2020.1293125278405.JavaMail.root@benjamin.baylink.com> <8C26A4FDAE599041A13EB499117D3C286B2BFC6B@ex-mb-1.corp.atlasnetworks.us> <5A6D953473350C4B9995546AFE9939EE0BC1313E@RWC-EX1.corp.seven.com> <958B75D2-3FD6-40E0-9454-0830467BCAAE@delong.com> <27362167-FDAC-45D7-BD67-EEBCC1BA13B6@delong.com>
Message-ID:

Cable modem is no different than a DSL modem, right? ;)

If it's an eMTA, it may have battery backup, though the operational default is to disable the Ethernet port after a few minutes to provide the maximum amount of dial-tone.
Frank

-----Original Message-----
From: Owen DeLong [mailto:owen at delong.com]
Sent: Monday, December 27, 2010 12:05 AM
To: frnkblk at iname.com
Cc: NANOG; Jared Mauch
Subject: Re: Muni Fiber Last Mile - a contrary opinion

On Dec 26, 2010, at 7:35 PM, Frank Bulk - iName.com wrote:

>>> You are likely already at the mercy of some local hut for your dialtone.
>> Very few things home run to the co these days. It's unlikely any hut has
>> more than 24 hours of battery.
>>>
>> I know this is true where FTTN overlays have been built. However, in the
>> majority of California, at least, that is still more the exception than
>> the
>> rule and there is usually a Cat-3 Copper home-run for local dialtone.
>
> [Frank Bulk]
> Here in the midwest each and every of the telcos that I've talked to or
> worked with feeds dialtone for their DSL customers from the same equipment
> that serves the DSL. To do otherwise would require a splitter shelf in each
> node.
>
In California, that is, by and large, the CO.

>> However, 24 hours of dialtone after something happens still exceeds the
>> average cablemodem duration after the
>> power flickers.
>
> [Frank Bulk]
> Some MSOs (including ourselves) have power systems (e.g. Alpha) in place
> throughout the plant to provide backup power for at least some time.
>
Does that back up the cablemodem in the residence? If not, game over.

Owen

From j at arpa.com Mon Dec 27 19:31:52 2010
From: j at arpa.com (jamie rishaw)
Date: Mon, 27 Dec 2010 19:31:52 -0600
Subject: .gov DNSSEC operational message
In-Reply-To: <87bp48mosq.fsf@mid.deneb.enyo.de>
References: <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> <87bp48mosq.fsf@mid.deneb.enyo.de>
Message-ID:

Clearly this will require 3 years of subcommittee conferences in order to prove.
.j

On Sun, Dec 26, 2010 at 11:23, Florian Weimer wrote:
> * Jay Ashworth:
>
>> ----- Original Message -----
>>> From: "Matt Larson"
>>
>>> The new KSK will not be published in an authenticated manner outside
>>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>>> mechanism for trusting the new KSK is via the signed root zone: DS
>>> records corresponding to the new KSK are already present in the root
>>> zone.
>>
>> That sounds like a policy decision... and I'm not sure I think it sounds
>> like a *good* policy decision, but since no reasons were provided, it's
>> difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it. This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.
>
>

From rs at seastrom.com Mon Dec 27 22:50:50 2010
From: rs at seastrom.com (Robert E. Seastrom)
Date: Mon, 27 Dec 2010 23:50:50 -0500
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com> (Bill Lewis's message of "Mon, 27 Dec 2010 12:15:55 -0600")
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com>
Message-ID: <861v525wlx.fsf@seastrom.com>

"Bill Lewis" writes:

> What is everyone using for enterprise grade wireless authentication for
> simple public access (i.e. users that are non-employee that need
> internet access (non-PCI) while in your building). Obviously I will hang
> this off a DMZ switch outside of my private LAN. Looking for something
> vendor driven, don't have time for anything home grown or unsupported /
> community based.

Assuming that this is for your offices not your retail outlets...
Is there some reason you can't run it wide open without even so much as a captive-portal-check-the-box thing? All of the commercial boxes I've seen for doing what you say you want to do have been Deeply Unsatisfactory in some way (Nomadix is at the top of the list here).

If you lose the authentication altogether and just make sure that there is a bandwidth lid on per host overall usage plus more conservative limits for things like the usual torrent ports and of course blocking certain other ports entirely... you've just eliminated the administrative overhead of issuing credentials to your visitors and streamlined your entire process.

Doable?

-r

From morrowc.lists at gmail.com Mon Dec 27 23:30:30 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 28 Dec 2010 00:30:30 -0500
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <861v525wlx.fsf@seastrom.com>
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com> <861v525wlx.fsf@seastrom.com>
Message-ID:

On Mon, Dec 27, 2010 at 11:50 PM, Robert E. Seastrom wrote:
> Assuming that this is for your offices not your retail outlets...
>
> Is there some reason you can't run it wide open without even so much
> as a captive-portal-check-the-box thing? All of the commercial boxes
> I've seen for doing what you say you want to do have been Deeply
> Unsatisfactory in some way (Nomadix is at the top of the list here).

yea, just buy a dsl line from your local telco, plug in a dlink and ... call it done.

From cb.list6 at gmail.com Tue Dec 28 09:58:10 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Tue, 28 Dec 2010 07:58:10 -0800
Subject: Wireless IPv6
Message-ID:

Folks,

I googled around and could not find anything on this. Can anyone share their experience with IPv6 on the Verizon's LTE network?
It is my understanding that it would be a dual-stack service, but i have not seen any screenshots or reviews that mention anything about IPv6 at all from a users perspective.

Cameron

ps. T-Mobile USA has an IPv6 beta with nokia device http://bit.ly/9s0Ed3

pps. 22 pages of reviews and such focused on the N900 operating with IPv6 here http://goo.gl/cUUga

From rgraves at ColumbusAirports.com Tue Dec 28 10:15:02 2010
From: rgraves at ColumbusAirports.com (Richard Graves (RHT))
Date: Tue, 28 Dec 2010 16:15:02 +0000
Subject: Intelsat
Message-ID: <8578763A31E3DC43BE4A1409B145D9D81E6101AD@CMH-MAIL2.caa.local>

Is there a contact on the list for Intelsat Corporation? If so, please contact me off-line.

Thanks,
Richard
rgraves at vysystems.net

From sfouant at shortestpathfirst.net Tue Dec 28 10:18:45 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Tue, 28 Dec 2010 11:18:45 -0500
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <861v525wlx.fsf@seastrom.com>
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com> <861v525wlx.fsf@seastrom.com>
Message-ID: <011301cba6aa$e750bb70$b5f23250$@net>

> -----Original Message-----
> From: Robert E. Seastrom [mailto:rs at seastrom.com]
> Sent: Monday, December 27, 2010 11:51 PM
> To: Bill Lewis
> Cc: nanog at nanog.org
> Subject: Re: Public Wireless access (ticket / token / schedule based)
>
> Is there some reason you can't run it wide open without even so much
> as a captive-portal-check-the-box thing? All of the commercial boxes
> I've seen for doing what you say you want to do have been Deeply
> Unsatisfactory in some way (Nomadix is at the top of the list here).
>
> If you lose the authentication altogether and just make sure that
> there is a bandwidth lid on per host overall usage plus more
> conservative limits for things like the usual torrent ports and of
> course blocking certain other ports entirely...
> you've just
> eliminated the administrative overhead of issuing credentials to your
> visitors and streamlined your entire process.

As Robert mentioned, all the current solutions are deeply unsatisfactory and full of holes. Most of the authentication based solutions simply whitelist the user based on their MAC address which is altogether easy to spoof (simply clone the MAC of an authenticated user and you are clear for takeoff)... Why incur the overhead of managing credentials with something that can so easily be circumvented. Leaving things wide open on a sandboxed subnet with the usual protections (rate limits, blocked ports) is, IMO, the easiest approach...

Stefan Fouant

From jeff-kell at utc.edu Tue Dec 28 10:37:32 2010
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 28 Dec 2010 11:37:32 -0500
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <011301cba6aa$e750bb70$b5f23250$@net>
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com> <861v525wlx.fsf@seastrom.com> <011301cba6aa$e750bb70$b5f23250$@net>
Message-ID: <4D1A124C.7040808@utc.edu>

On 12/28/2010 11:18 AM, Stefan Fouant wrote:
> Leave things wide open on a sandboxed subnet with the usual protections
> (rate limits, blocked ports), IMO is the easiest approach...

One concern in higher ed that was amplified by CALEA was the notion that an "open" network precluded you from the private network exemption. So "free open unauthenticated WiFi" carries some excess baggage with it.
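The "wide open but sandboxed" approach Robert and Stefan describe above comes down to two controls on the guest subnet: a per-host bandwidth lid and a short list of blocked ports. The following is an added model of that policy, not code from any poster, from Nomadix or from any other vendor; the addresses, the 1 Mbit/s lid, the blocked-port list and the packet capture it runs over are all constructed for illustration. It shows why the lid is a per-host token bucket rather than a shared one: the flooding host spends its burst and is clamped, while the host browsing normally next to it is never throttled.

```python
"""Model of an open-but-sandboxed guest Wi-Fi policy: no credentials, but a
per-host bandwidth lid plus a blocked-port list.

Added example for the guest-wireless thread; not code from any poster or
vendor. Limits, addresses and the packet records are constructed."""

from collections import Counter
from dataclasses import dataclass

# Constructed policy: ports closed outright on the guest subnet (outbound
# SMTP relay and Windows file sharing) plus a common BitTorrent port range.
BLOCKED_TCP_PORTS = {25, 135, 139, 445}
BLOCKED_PORT_RANGES = [(6881, 6889)]        # applies to both TCP and UDP


@dataclass
class Packet:
    ts: float    # seconds since the start of the (constructed) capture
    src: str     # client address on the guest subnet
    proto: str   # "tcp" or "udp"
    dport: int
    size: int    # bytes on the wire


class TokenBucket:
    """Per-host bandwidth lid: `rate` bytes/s refill, `burst` bytes capacity.
    A host under the rate is never throttled; one that floods spends its
    burst and is then clamped to the refill rate."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0    # bucket is full when first seen

    def allow(self, now: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                            # dropped packets spend nothing


def port_blocked(proto: str, dport: int) -> bool:
    if proto == "tcp" and dport in BLOCKED_TCP_PORTS:
        return True
    return any(lo <= dport <= hi for lo, hi in BLOCKED_PORT_RANGES)


class GuestPolicy:
    """Per-packet verdict: 'accept', 'drop:port' or 'drop:rate'. Every source
    address gets its own bucket, so one greedy host cannot starve the rest."""

    def __init__(self, rate_bps: float, burst_bytes: float):
        self.rate, self.burst, self.buckets = rate_bps, burst_bytes, {}

    def decide(self, pkt: Packet) -> str:
        if port_blocked(pkt.proto, pkt.dport):
            return "drop:port"
        bucket = self.buckets.get(pkt.src)
        if bucket is None:
            bucket = self.buckets[pkt.src] = TokenBucket(self.rate, self.burst)
        return "accept" if bucket.allow(pkt.ts, pkt.size) else "drop:rate"


def sample_packets() -> list:
    """Constructed capture: host .11 floods 200 full-size frames at t=0 and
    sends one more a second later; host .12 browses normally and also tries
    SMB and a torrent port."""
    flood = [Packet(0.0, "10.20.0.11", "tcp", 443, 1500) for _ in range(200)]
    normal = [Packet(0.0, "10.20.0.12", "tcp", 443, 1500) for _ in range(10)]
    blocked = [Packet(0.0, "10.20.0.12", "tcp", 445, 200),
               Packet(0.0, "10.20.0.12", "udp", 6882, 200)]
    later = [Packet(1.0, "10.20.0.11", "tcp", 443, 1500)]
    return flood + normal + blocked + later


def run_policy(packets, rate_bps=125_000, burst_bytes=250_000) -> dict:
    """Apply the lid (default 1 Mbit/s with a 250 kB burst) and count the
    verdicts per (source, verdict)."""
    policy = GuestPolicy(rate_bps, burst_bytes)
    return dict(Counter((p.src, policy.decide(p)) for p in packets))


if __name__ == "__main__":
    for (src, verdict), n in sorted(run_policy(sample_packets()).items()):
        print(f"{src:<12} {verdict:<10} {n}")
```

With the constructed capture the flooding host gets 166 of its 200 frames through before its 250 kB burst is exhausted, has the remaining 34 dropped, and is allowed again once the bucket has refilled a second later; the second host sees only its two blocked-port drops. In a real deployment the same two controls map onto the access router's per-host policer and its outbound filter; the model only makes the accounting visible.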
Jeff

From james at jamesstewartsmith.com Tue Dec 28 10:55:26 2010
From: james at jamesstewartsmith.com (james at jamesstewartsmith.com)
Date: Tue, 28 Dec 2010 16:55:26 +0000
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com>
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com>
Message-ID: <927692545-1293555329-cardhu_decombobulator_blackberry.rim.net-683802757-@bda343.bisx.prod.on.blackberry>

We've had some good success with the Cisco wireless LAN controllers in our office. The reception staff are given "Lobby Admin" access that lets them create users with a default expiry of a day (but can go up to 90 days I think). The wireless is technically open, but they can't do anything until they authenticate through the controller's web GUI. Then we have access lists to control what they can do while on the wireless.

Sent from my "contract free" BlackBerry smartphone on the WIND network.

-----Original Message-----
From: "Bill Lewis"
Date: Mon, 27 Dec 2010 12:15:55
To:
Subject: Public Wireless access (ticket / token / schedule based)

What is everyone using for enterprise grade wireless authentication for simple public access (i.e. users that are non-employee that need internet access (non-PCI) while in your building). Obviously I will hang this off a DMZ switch outside of my private LAN. Looking for something vendor driven, don't have time for anything home grown or unsupported / community based.
Thanks,
Bill Lewis
Hot Topic

From sfouant at shortestpathfirst.net  Tue Dec 28 10:58:26 2010
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Tue, 28 Dec 2010 11:58:26 -0500
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To: <927692545-1293555329-cardhu_decombobulator_blackberry.rim.net-683802757-@bda343.bisx.prod.on.blackberry>
References: <26CF6BC367161D4BAFC39B6ED6F885F30289ECB6@TNEXPRD.hottopic.com>
	<927692545-1293555329-cardhu_decombobulator_blackberry.rim.net-683802757-@bda343.bisx.prod.on.blackberry>
Message-ID: <011c01cba6b0$733e0390$59ba0ab0$@net>

> -----Original Message-----
> From: james at jamesstewartsmith.com [mailto:james at jamesstewartsmith.com]
> Sent: Tuesday, December 28, 2010 11:55 AM
> To: Bill Lewis; nanog at nanog.org
> Subject: Re: Public Wireless access (ticket / token / schedule based)
>
> We've had some good success with the Cisco wireless LAN controllers in
> our office. The reception staff are given "Lobby Admin" access that
> lets them create users with a default expiry of a day (but can go up
> to 90 days I think). The wireless is technically open, but they can't
> do anything until they authenticate through the controller's web GUI.
> Then we have access lists to control what they can do while on the
> wireless.

James,

Just out of curiosity, how does this solution prevent unauthorized users
from gaining access to the system by the aforementioned MAC spoofing
technique?

Stefan Fouant

From morrowc.lists at gmail.com  Tue Dec 28 11:49:37 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 28 Dec 2010 12:49:37 -0500
Subject: Wireless IPv6
In-Reply-To:
References:
Message-ID:

On Tue, Dec 28, 2010 at 10:58 AM, Cameron Byrne wrote:
> Folks,
>
> I googled around and could not find anything on this. Can anyone
> share their experience with IPv6 on the Verizon's LTE network?
> It is

I had thought the capable devices weren't hitting the market for ~2-3
weeks still?[0]

> my understanding that it would be a dual-stack service, but i have not

The hype and the reality... maybe not the same thing :( I suspect,
reading the wording of the press releases and such, the devices and
network gear are supposed to be v6 capable, that doesn't mean they'll be
deploying v6 on day-0 :( I'm personally taking a 'show me' stance on
this, I HOPE vzw does the right thing and launches with v4/v6 dualstack
on the devices in all regions where deployment happens. I don't have much
hope that this will actually happen though :(

> seen any screenshots or reviews that mention anything about IPv6 at
> all from a users perspective.

I suspect you'll see something like a private-ipv4 and maybe
public-ipv6, but that's just a guess on my part.

-chris

0: - CES[1] stated timeframe for 'smartphones' to launch on LTE
1: - Jan 6-9 - so ~2wks till launch of LTE smartphones on vzw.

From nanog at jima.tk  Tue Dec 28 12:12:53 2010
From: nanog at jima.tk (Jima)
Date: Tue, 28 Dec 2010 12:12:53 -0600
Subject: Wireless IPv6
In-Reply-To:
References:
Message-ID: <4D1A28A5.9070600@jima.tk>

On 12/28/2010 09:58 AM, Cameron Byrne wrote:
> I googled around and could not find anything on this. Can anyone
> share their experience with IPv6 on the Verizon's LTE network? It is
> my understanding that it would be a dual-stack service, but i have not
> seen any screenshots or reviews that mention anything about IPv6 at
> all from a users perspective.

I briefly chatted with someone on IRC (freenode, #ipv6) last week who
recently discovered that the connection software for their Verizon
aircard is now picking up an IPv6 address and -- since that change -- a
NATted IPv4 address. Unfortunately I don't have contact info for this
person, but they were kind enough to share the IPv6 address they were
assigned (under 2600:1007:*, not sure if the remainder is
user-identifiable).
Not terribly helpful, I'm aware, but it at least implies that there's
still IPv4, albeit with NAT.

Jima

From Valdis.Kletnieks at vt.edu  Tue Dec 28 12:15:40 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 28 Dec 2010 13:15:40 -0500
Subject: Wireless IPv6
In-Reply-To: Your message of "Tue, 28 Dec 2010 12:49:37 EST."
References:
Message-ID: <5786.1293560140@localhost>

On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
> on this, I HOPE vzw does the right thing and launches with v4/v6
> dualstack on the devices in all regions where deployment happens. I
> don't have much hope that this will actually happen though :(

Personally, I hope they roll it out a region at a time (even a "new time
zone each day" would probably be good enough), so they can shake the bugs
out of each region and lower the amount of stress on the network
engineers having to get *everything* staged at the same time.. Rolling a
totally new thing out to 100% of the user base on the same day will
rarely end well.

From cb.list6 at gmail.com  Tue Dec 28 12:25:31 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Tue, 28 Dec 2010 10:25:31 -0800
Subject: Wireless IPv6
In-Reply-To: <5786.1293560140@localhost>
References: <5786.1293560140@localhost>
Message-ID:

On Tue, Dec 28, 2010 at 10:15 AM, wrote:
> On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
>
>> on this, I HOPE vzw does the right thing and launches with v4/v6
>> dualstack on the devices in all regions where deployment happens.
>> I
>> don't have much hope that this will actually happen though :(
>
> Personally, I hope they roll it out a region at a time (even a "new time zone
> each day" would probably be good enough), so they can shake the bugs out of
> each region and lower the amount of stress on the network engineers having to
> get *everything* staged at the same time.. Rolling a totally new thing out to
> 100% of the user base on the same day will rarely end well.
>

Just to update the group, a helpful person sent me a screenshot of the
VZW LTE connection manager, and it does indeed have a public IPv6 address
and a 10.x.x.x IPv4 address. So, true to claim, the new LTE service
available today on USB sticks is production dual-stack. Bravo!

Cameron
======
http://groups.google.com/group/tmoipv6beta
======

From swmike at swm.pp.se  Tue Dec 28 12:28:09 2010
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 28 Dec 2010 19:28:09 +0100 (CET)
Subject: Wireless IPv6
In-Reply-To: <5786.1293560140@localhost>
References: <5786.1293560140@localhost>
Message-ID:

On Tue, 28 Dec 2010, Valdis.Kletnieks at vt.edu wrote:

> Rolling a totally new thing out to 100% of the user base on the same day
> will rarely end well.

If this is LTE only then it's a "totally new thing" anyway and I doubt
some extra IPv6 troubles will hurt that much more :P

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From richard.barnes at gmail.com  Tue Dec 28 12:35:31 2010
From: richard.barnes at gmail.com (Richard Barnes)
Date: Tue, 28 Dec 2010 13:35:31 -0500
Subject: Wireless IPv6
In-Reply-To:
References: <5786.1293560140@localhost>
Message-ID:

FWIW, the same does not appear to be true of the Verizon 3G network. (Not
that anyone expected it to be.) My VZW device has a NATted v4 address and
only link-local v6.

On Dec 28, 2010 1:26 PM, "Cameron Byrne" wrote:

On Tue, Dec 28, 2010 at 10:15 AM, wrote:
> On Tue, 28 Dec 2010 12:49:37 E...
Just to update the group, a helpful person sent me a screenshot of the
VZW LTE connection manager, and it does indeed have a public IPv6 address
and a 10.x.x.x IPv4 address. So, true to claim, the new LTE service
available today on USB sticks is production dual-stack. Bravo!

Cameron
======
http://groups.google.com/group/tmoipv6beta
======

From morrowc.lists at gmail.com  Tue Dec 28 12:54:38 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 28 Dec 2010 13:54:38 -0500
Subject: Wireless IPv6
In-Reply-To: <5786.1293560140@localhost>
References: <5786.1293560140@localhost>
Message-ID:

On Tue, Dec 28, 2010 at 1:15 PM, wrote:
> On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
>
>> on this, I HOPE vzw does the right thing and launches with v4/v6
>> dualstack on the devices in all regions where deployment happens. I
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^
(note critical caveat)

>> don't have much hope that this will actually happen though :(
>
> Personally, I hope they roll it out a region at a time (even a "new time zone
> each day" would probably be good enough), so they can shake the bugs out of
> each region and lower the amount of stress on the network engineers having to
> get *everything* staged at the same time.. Rolling a totally new thing out to
> 100% of the user base on the same day will rarely end well.

see note.

From M.Hotze at hotze.com  Tue Dec 28 13:03:20 2010
From: M.Hotze at hotze.com (Martin Hotze)
Date: Tue, 28 Dec 2010 19:03:20 +0000
Subject: Public Wireless access (ticket / token / schedule based)
In-Reply-To:
References:
Message-ID: <2EAA64100D553F448A3BC8EAEB3D0FDA1F1C35@EXSRV.hotzecom.local>

> -----Original Message-----
> From: "Bill Lewis"
> Date: Mon, 27 Dec 2010 12:15:55
> To:
> Subject: Public Wireless access (ticket / token / schedule based)
>
> What is everyone using for enterprise grade wireless authentication for
> simple public access (i.e.
> users that are non-employee that need
> internet access (non-PCI) while in your building). Obviously I will hang
> this off a DMZ switch outside of my private LAN. Looking for something
> vendor driven, don't have time for anything home grown or unsupported /
> community based.

either more or less out of the box:

ZyXEL Hotspot
http://shorl.com/vesakyfremaho

or a Mikrotik Routerboard (w/IPv6)
http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot.php

#m

From joelja at bogus.com  Tue Dec 28 13:04:40 2010
From: joelja at bogus.com (Joel Jaeggli)
Date: Tue, 28 Dec 2010 11:04:40 -0800
Subject: Wireless IPv6
In-Reply-To:
References: <5786.1293560140@localhost>
Message-ID: <4D1A34C8.50803@bogus.com>

On 12/28/10 10:35 AM, Richard Barnes wrote:
> FWIW, the same does not appear to be true of the Verizon 3G network. (Not
> that anyone expected it to be.) My VZW device has a NATted v4 address and
> only link-local v6.

lack of chipset support is a notable problem there....

joel

> On Dec 28, 2010 1:26 PM, "Cameron Byrne" wrote:
>
> On Tue, Dec 28, 2010 at 10:15 AM, wrote:
>> On Tue, 28 Dec 2010 12:49:37 E...
> Just to update the group, a helpful person sent me a screenshot of the
> VZW LTE connection manager, and it does indeed have a public IPv6
> address and a 10.x.x.x IPv4 address. So, true to claim, the new LTE
> service available today on USB sticks is production dual-stack.
> Bravo!
>
> Cameron
> ======
> http://groups.google.com/group/tmoipv6beta
> ======
>

From cb.list6 at gmail.com  Tue Dec 28 13:16:49 2010
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Tue, 28 Dec 2010 11:16:49 -0800
Subject: Wireless IPv6
In-Reply-To: <4D1A34C8.50803@bogus.com>
References: <5786.1293560140@localhost> <4D1A34C8.50803@bogus.com>
Message-ID:

On Tue, Dec 28, 2010 at 11:04 AM, Joel Jaeggli wrote:
> On 12/28/10 10:35 AM, Richard Barnes wrote:
>> FWIW, the same does not appear to be true of the Verizon 3G network. (Not
>> that anyone expected it to be.)
>> My VZW device has a NATted v4 address and
>> only link-local v6.
>
> lack of chipset support is a notable problem there....

My guess is that VZW 3G will never have IPv6 support. But, it appears
that anything they label as 4G or LTE will be IPv6 enabled on day 0 for
all devices designed to operate on that network. This is a very very good
thing, if i understand it correctly.

I also assume that the 4G devices that have fallen back to 3G network
will not have IPv6 while attached to 3G, only 4G. The reason i say this
is that VZW is doing all the device management in 4G via IMS, which is
IPv6-only in their implementation..... so 4G attached devices must be v6
to receive management functions, like over the air updates.

The next functional question is, are the services on the Google whitelist
so that it starts to move some real IPv6 traffic? The T-Mobile beta is on
the Google whitelist and it makes a big difference WRT real IPv6 traffic
in a meaningful volume being sent on the network.

Cameron

>
> joel
>
>> On Dec 28, 2010 1:26 PM, "Cameron Byrne" wrote:
>>
>> On Tue, Dec 28, 2010 at 10:15 AM, wrote:
>>> On Tue, 28 Dec 2010 12:49:37 E...
>> Just to update the group, a helpful person sent me a screenshot of the
>> VZW LTE connection manager, and it does indeed have a public IPv6
>> address and a 10.x.x.x IPv4 address. So, true to claim, the new LTE
>> service available today on USB sticks is production dual-stack.
>> Bravo!
>>
>> Cameron
>> ======
>> http://groups.google.com/group/tmoipv6beta
>> ======
>>
>
>

From dougb at dougbarton.us  Tue Dec 28 13:41:18 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 28 Dec 2010 11:41:18 -0800
Subject: .gov DNSSEC operational message
In-Reply-To: <20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
	<11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com>
	<20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
Message-ID: <4D1A3D5E.2020003@dougbarton.us>

On 12/26/2010 09:07, Matt Larson wrote:
| On Thu, 23 Dec 2010, Jay Ashworth wrote:
|>> From: "Matt Larson"
|>
|>> The new KSK will not be published in an authenticated manner outside
|>> DNS (e.g., on an SSL-protected web page). Rather, the intended
|>> mechanism for trusting the new KSK is via the signed root zone: DS
|>> records corresponding to the new KSK are already present in the root
|>> zone.
|>
|> That sounds like a policy decision... and I'm not sure I think it sounds
|> like a *good* policy decision, but since no reasons were provided, it's
|> difficult to tell.

Actually I thought Matt went to great lengths in his original post to
explain both the current landscape and the reasons why you'd want to
make a change.

|> Why was that decision taken, Matt?
|
| Having a zone's KSK statically configured on validators as a trust
| anchor can lead to a world of hurt: when rolling the KSK, the zone
| owner has to get everyone to update their trust anchor configuration.
| In theory, the protocol described in RFC 5011 allows an operator to
| signal a roll and validators will do the right thing. In practice, in
| these early days, you can't count on much 5011 deployment because
| implementations haven't been available for that long.
|
| This situation puts the operator of a popular signed zone, such as a
| TLD, in a difficult position and makes KSK rolls difficult--but only
| if the KSK is statically configured. Meanwhile, we now have a
| perfectly good signed root zone that can vouch for any TLD's KSK. As
| a result, as the impending registry operator for .gov, VeriSign
| doesn't want to encourage static configuration of the .gov KSK as a
| trust anchor. Such static configuration would be made easier and
| implicitly condoned if the .gov KSK were published and authenticatable
| outside of DNS.

To the extent my opinion counts for anything, this all sounds perfectly
reasonable to me.

Now OTOH if someone wants to demonstrate the value in having a
publication channel for TLD DNSKEYs outside of the root zone, I'm
certainly willing to listen. Just be forewarned that you will have an
uphill battle in trying to prove your case. :)

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for
the right price. :) http://SupersetSolutions.com/

From Valdis.Kletnieks at vt.edu  Tue Dec 28 14:20:02 2010
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 28 Dec 2010 15:20:02 -0500
Subject: Wireless IPv6
In-Reply-To: Your message of "Tue, 28 Dec 2010 13:54:38 EST."
References: <5786.1293560140@localhost>
Message-ID: <9862.1293567602@localhost>

On Tue, 28 Dec 2010 13:54:38 EST, Christopher Morrow said:
> On Tue, Dec 28, 2010 at 1:15 PM, wrote:
> > On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
> >
> >> on this, I HOPE vzw does the right thing and launches with v4/v6
> >> dualstack on the devices in all regions where deployment happens. I
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
> (note critical caveat)

Sorry, I read the original note as "it's all launching that day", not
"starting on"....

From morrowc.lists at gmail.com  Tue Dec 28 14:32:53 2010
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 28 Dec 2010 15:32:53 -0500
Subject: Wireless IPv6
In-Reply-To: <9862.1293567602@localhost>
References: <5786.1293560140@localhost> <9862.1293567602@localhost>
Message-ID:

On Tue, Dec 28, 2010 at 3:20 PM, wrote:
> On Tue, 28 Dec 2010 13:54:38 EST, Christopher Morrow said:
>> On Tue, Dec 28, 2010 at 1:15 PM, wrote:
>> > On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
>> >
>> >> on this, I HOPE vzw does the right thing and launches with v4/v6
>> >> dualstack on the devices in all regions where deployment happens. I
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^
>> (note critical caveat)
>
> Sorry, I read the original note as "it's all launching that day", not "starting on"....

no biggie, I get that they'll be launching 'cities' at a time, I'm just
hoping they'll be doing dualstack on each as they roll them out. it'd be
super nice if the only devices they permitted on were dualstack as well
(more incentive for OS and HW vendors to play ball).
-chris

From ryan at u13.net  Tue Dec 28 14:38:24 2010
From: ryan at u13.net (Ryan Rawdon)
Date: Tue, 28 Dec 2010 15:38:24 -0500
Subject: Wireless IPv6
In-Reply-To:
References: <5786.1293560140@localhost> <9862.1293567602@localhost>
Message-ID: <146CF1A1-50DC-4E87-9324-D71FED848903@u13.net>

I believe Verizon's specs for 4G devices required v6 support from the
start:
http://www.personal.psu.edu/dvm105/blogs/ipv6/2009/06/verizon-mandates-ipv6-support.html

I seem to recall IPv6 support being a requirement for smartphones on
their 3G network as well, but I can't find a reference for that.

On Dec 28, 2010, at 3:32 PM, Christopher Morrow wrote:

> On Tue, Dec 28, 2010 at 3:20 PM, wrote:
>> On Tue, 28 Dec 2010 13:54:38 EST, Christopher Morrow said:
>>> On Tue, Dec 28, 2010 at 1:15 PM, wrote:
>>>> On Tue, 28 Dec 2010 12:49:37 EST, Christopher Morrow said:
>>>>
>>>>> on this, I HOPE vzw does the right thing and launches with v4/v6
>>>>> dualstack on the devices in all regions where deployment happens. I
>>>
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> (note critical caveat)
>>
>> Sorry, I read the original note as "it's all launching that day", not "starting on"....
>
> no biggie, I get that they'll be launching 'cities' at a time, I'm
> just hoping they'll be doing dualstack on each as they roll them out.
> it'd be super nice if the only devices they permitted on were
> dualstack as well (more incentive for OS and HW vendors to play ball).
>
> -chris
>

From ekim.ittag at gmail.com  Tue Dec 28 15:32:07 2010
From: ekim.ittag at gmail.com (Mike Gatti)
Date: Tue, 28 Dec 2010 16:32:07 -0500
Subject: off topic - purchase Cisco GLC-LH-SM in ashburn, VA area
Message-ID: <04A235F3-8231-43D1-B2BA-71B4E8AAB7EC@gmail.com>

Would anyone know where I could purchase a Cisco GLC-LH-SM Gbic in the
ashburn, sterling, VA area ?
=+=+=+=+=+=+=+=+=+=+=+=+=
Michael Gatti
cell.703.347.4412
ekim.ittag at gmail.com
=+=+=+=+=+=+=+=+=+=+=+=+=

From bmanning at vacation.karoshi.com  Tue Dec 28 16:46:51 2010
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Tue, 28 Dec 2010 22:46:51 +0000
Subject: .gov DNSSEC operational message - picking a fight
In-Reply-To: <4D1A3D5E.2020003@dougbarton.us>
References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
	<11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com>
	<20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
	<4D1A3D5E.2020003@dougbarton.us>
Message-ID: <20101228224651.GC28346@vacation.karoshi.com.>

On Tue, Dec 28, 2010 at 11:41:18AM -0800, Doug Barton wrote:
>
> Now OTOH if someone wants to demonstrate the value in having a
> publication channel for TLD DNSKEYs outside of the root zone, I'm
> certainly willing to listen. Just be forewarned that you will have an
> uphill battle in trying to prove your case. :)
>
>
> Doug

well, not to pick on you, or the choices made by VSGN, but I -will-
point out that there are many good reasons to support an out of band
method for moving critical data. (lots of refs on the tradeoffs btwn OOB
and IB channels are to be found by your fav search engine).

the Internet of last century relied in most cases on in-band
communications. and what we have seen is the creation of overlays or
outright independent "control plane" or C&C networks to manage data flow
with independent prioritization over other traffic as the Internet has
evolved. In this case i think this DNSSEC model is about 15 years behind
the curve.

IMHO, key management should be able to use an OOB channel when the
in-band is corrupted or overloaded. Reliance on strictly the IB channel
presumes there will be no problems with that channel. EVER. For me, I
don't want to take that risk. YMMV of course.

I can't presume that you (or anyone else) share my values regarding
system resilience.
For me, the choice made by VSGN in regards to this zone presupposes
bullet-proof and DDOS proof communications between servers. No packet
overloads, no out of memory conditions, no link saturation, etc. I
appreciate that some might think they live in such a world. I hope that
you and VSGN are lucky. As for myself, I'm making plans to have more
control over my DNS verification destiny.

If this "proves" my case to you, wonderful! If not, no sweat, we'll
agree to disagree.

--bill

From dougb at dougbarton.us  Tue Dec 28 18:06:40 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 28 Dec 2010 16:06:40 -0800
Subject: .gov DNSSEC operational message - picking a fight
In-Reply-To: <20101228224651.GC28346@vacation.karoshi.com.>
References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
	<11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com>
	<20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
	<4D1A3D5E.2020003@dougbarton.us>
	<20101228224651.GC28346@vacation.karoshi.com.>
Message-ID: <4D1A7B90.80400@dougbarton.us>

On 12/28/2010 14:46, bmanning at vacation.karoshi.com wrote:
> On Tue, Dec 28, 2010 at 11:41:18AM -0800, Doug Barton wrote:
>>
>> Now OTOH if someone wants to demonstrate the value in having a
>> publication channel for TLD DNSKEYs outside of the root zone, I'm
>> certainly willing to listen. Just be forewarned that you will have an
>> uphill battle in trying to prove your case. :)
>>
>>
>> Doug
>
> well, not to pick on you, or the choices made by VSGN,
> but I -will- point out that there are many good reasons
> to support an out of band method for moving critical data.
> (lots of refs on the tradeoffs btwn OOB and IB channels are
> to be found by your fav search engine).

... and while as a general principle I tend to agree with you, I was
pretty specific in what I asked for.

> the Internet of last century relied in most cases on in-band
> communications.
Actually I think I can make a pretty convincing argument that the
Internet of last century relied almost entirely on certain individuals
meeting face to face at IETF, RIR, and other meetings. But with respect
to the season I will attempt to be charitable.

> and what we have seen is the creation of
> overlays or outright independent "control plane" or C&C
> networks to manage data flow with independent prioritization
> over other traffic as the Internet has evolved. In this case
> i think this DNSSEC model is about 15 years behind the curve.
>
> IMHO, key management should be able to use an OOB channel
> when the in-band is corrupted or overloaded. Reliance on
> strictly the IB channel presumes there will be no problems
> with that channel. EVER. For me, I don't want to take
> that risk. YMMV of course.

I'm not sure I agree that an OOB channel would be useful here, even
given your premise. Yes, to some extent DNS is distributed, but I think
the degree of fate-sharing that is inherent in the system makes the OOB
validation scheme _for TLD DNSKEYs_ (which, again, is what I asked
about) at best useless, and at worst a giant waste of everyone's time to
try and do well.

> I can't presume that you (or anyone else) share my values

You could have just stopped here. :)

> regarding system resilience. For me, the choice made by
> VSGN in regards to this zone presupposes bullet-proof and DDOS
> proof communications between servers. No packet overloads,
> no out of memory conditions, no link saturation, etc. I
> appreciate that some might think they live in such a world.
> I hope that you and VSGN are lucky. As for myself, I'm
> making plans to have more control over my DNS verification
> destiny.
>
> If this "proves" my case to you, wonderful! If not, no sweat,
> we'll agree to disagree.

Good plan.

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for
the right price.
:) http://SupersetSolutions.com/

From rlaager at wiktel.com  Tue Dec 28 18:39:21 2010
From: rlaager at wiktel.com (Richard Laager)
Date: Tue, 28 Dec 2010 18:39:21 -0600
Subject: medicare.gov / cms.gov DNSSEC Validation Failures
Message-ID: <1293583161.2745.21.camel@watermelon.coderich.net>

I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
failing DNSSEC validation.

Emails to hostmaster, webmaster, and postmaster bounce, as does
dnsadmin at rdcms.eds.com (from their SOA) and dnsadmin at eds.com (from
eds.com's WHOIS). WHOIS for .gov is essentially empty.

HHS_ITIO_Service_Desk at hhs.gov was suggested to me, but a person at that
address said medicare.gov was not their responsibility and did not
provide any further contact information.

Thanks,
Richard

From jared at puck.nether.net  Tue Dec 28 19:18:40 2010
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 28 Dec 2010 20:18:40 -0500
Subject: medicare.gov / cms.gov DNSSEC Validation Failures
In-Reply-To: <1293583161.2745.21.camel@watermelon.coderich.net>
References: <1293583161.2745.21.camel@watermelon.coderich.net>
Message-ID: <82E6D8F7-66BD-4C77-B545-5BD1EFD28CA1@puck.nether.net>

You should contact the us-cert. They will have contacts to help you
resolve the issue.

Sent from my iThing

On Dec 28, 2010, at 7:39 PM, Richard Laager wrote:

> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
> failing DNSSEC validation.
>
> Emails to hostmaster, webmaster, and postmaster bounce, as does
> dnsadmin at rdcms.eds.com (from their SOA) and dnsadmin at eds.com (from
> eds.com's WHOIS). WHOIS for .gov is essentially empty.
>
> HHS_ITIO_Service_Desk at hhs.gov was suggested to me, but a person at that
> address said medicare.gov was not their responsibility and did not
> provide any further contact information.
>
> Thanks,
> Richard

From nanog at konadogs.net  Tue Dec 28 19:43:02 2010
From: nanog at konadogs.net (Nate Itkin)
Date: Tue, 28 Dec 2010 15:43:02 -1000
Subject: medicare.gov / cms.gov DNSSEC Validation Failures
In-Reply-To: <1293583161.2745.21.camel@watermelon.coderich.net>
References: <1293583161.2745.21.camel@watermelon.coderich.net>
Message-ID: <20101229014302.GA32655@li92-81.konadogs.net>

On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
> failing DNSSEC validation.

Ditto. Similar to uspto.gov not too long ago.

Try posting to dns-operations.
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Almost certainly some *.gov dns admins lurking there.

Cheers,
Nate Itkin

From jra at baylink.com  Tue Dec 28 20:07:47 2010
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 28 Dec 2010 21:07:47 -0500 (EST)
Subject: .gov DNSSEC operational message
In-Reply-To: <20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
Message-ID: <14790044.3040.1293588467819.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Matt Larson"
> On Thu, 23 Dec 2010, Jay Ashworth wrote:
> > > From: "Matt Larson"
> > >
> > > The new KSK will not be published in an authenticated manner
> > > outside DNS (e.g., on an SSL-protected web page). Rather, the intended
> > > mechanism for trusting the new KSK is via the signed root zone: DS
> > > records corresponding to the new KSK are already present in the
> > > root zone.
> >
> > That sounds like a policy decision... and I'm not sure I think it
> > sounds like a *good* policy decision, but since no reasons were provided,
> > it's difficult to tell.
> >
> > Why was that decision taken, Matt?
>
> Having a zone's KSK statically configured on validators as a trust
> anchor can lead to a world of hurt: when rolling the KSK, the zone
> owner has to get everyone to update their trust anchor configuration.
> In theory, the protocol described in RFC 5011 allows an operator to
> signal a roll and validators will do the right thing. In practice, in
> these early days, you can't count on much 5011 deployment because
> implementations haven't been available for that long.

Yes, I'd gathered that.

> This situation puts the operator of a popular signed zone, such as a
> TLD, in a difficult position and makes KSK rolls difficult--but only
> if the KSK is statically configured. Meanwhile, we now have a
> perfectly good signed root zone that can vouch for any TLD's KSK. As
> a result, as the impending registry operator for .gov, VeriSign
> doesn't want to encourage static configuration of the .gov KSK as a
> trust anchor. Such static configuration would be made easier and
> implicitly condoned if the .gov KSK were published and authenticatable
> outside of DNS.

Ok, having re-read this a third time, now on a full sized screen, I
guess I see what you're driving at: you don't *want* an out-of-band auth
channel, *because people will use it*.

> Note that the situation is the same today with the signed .net zone
> (and will be the same for the .com zone when it is signed in Q1 of
> 2011): the .net KSK is intentionally not published outside DNS. The
> path to trusting that key is via the signed DS record corresponding to
> it in the root zone.

Just remember what Lazarus Long said: "put all your eggs in one basket,
certainly. But make sure it's a *very good* basket."

Cheers,
-- jr 'where am I going? And why am I in this handbasket?'
a

From jra at baylink.com  Tue Dec 28 20:17:57 2010
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 28 Dec 2010 21:17:57 -0500 (EST)
Subject: .gov DNSSEC operational message
In-Reply-To: <87bp48mosq.fsf@mid.deneb.enyo.de>
Message-ID: <11723331.3042.1293589077547.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Florian Weimer"
> > That sounds like a policy decision... and I'm not sure I think it sounds
> > like a *good* policy decision, but since no reasons were provided, it's
> > difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it. This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.

Not being a DNSSEC maven, the idea that there was no out-of-band way to
confirm what the in-band method was telling you seemed bad to me; Matt's
explanation, OTOH, seems sensible.

Cheers,
-- jra

From jra at baylink.com  Tue Dec 28 20:21:25 2010
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 28 Dec 2010 21:21:25 -0500 (EST)
Subject: Muni Fiber Last Mile - a contrary opinion
In-Reply-To:
Message-ID: <16467161.3046.1293589285434.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Jared Mauch"
> During the northeast power outage the biggest local problem was
> inability to pump gas out of underground tanks. The margin at the
> stations is low enough it's not worth it to have generators. Best off
> having the pipeline next to you and to use natural gas/propane if your
> needs can be easily met by it.

Note that the state of Florida has mandated gensets for petroleum sellers.
Cheers, -- jra From oberman at es.net Tue Dec 28 21:24:54 2010 From: oberman at es.net (Kevin Oberman) Date: Tue, 28 Dec 2010 19:24:54 -0800 Subject: .gov DNSSEC operational message In-Reply-To: Your message of "Tue, 28 Dec 2010 21:17:57 EST." <11723331.3042.1293589077547.JavaMail.root@benjamin.baylink.com> Message-ID: <20101229032454.591AD1CC16@ptavv.es.net> > Date: Tue, 28 Dec 2010 21:17:57 -0500 (EST) > From: Jay Ashworth > > ----- Original Message ----- > > From: "Florian Weimer" > > > That sounds like a policy decision... and I'm not sure I think it sounds > > > like a *good* policy decision, but since no reasons were provided, it's > > > difficult to tell. > > > > I don't know if it influenced the policy decision, but as it is > > currently specified, the protocol ensures that configuring an > > additional trust anchor never decreases availability when you've also > > got the root trust anchor configured, it can only increase it. This > > means that there is little reason to configure such a trust anchor, > > especially in the present scenario. > > Not being a DNSSEC maven, the idea that there was no out-of-band way to > confirm what the in-band method was telling you seemed bad to me; Matt's > explanation, OTOH, seems sensible. There is no reason that you could not do OOB transfers of keys, but it would be so cumbersome: the need to maintain keys for every TLD (and, for that matter, every zone under them) and deal with key rolls at random intervals and confirm that the new keys you were getting were, in fact, legitimate would be more than overwhelming. It just does not scale. DNSSEC(bis) was designed to deal with this by being able to cryptographically confirm that all data is valid and all keys are legitimate as long as you have the root key. I am not about to go into how all of this is accomplished, but it does. Some parts of it are still a bit fragile, but the basic DNSSEC spec is now very solid and the implementations of it are getting to be pretty good. 
(Can hardly wait for BIND 10!) I think the DNSSEC spec is a very good basket and I hope that the current implementations are, as well. At least I am very confident that they will fail-safe. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From jra at baylink.com Tue Dec 28 21:27:48 2010 From: jra at baylink.com (Jay Ashworth) Date: Tue, 28 Dec 2010 22:27:48 -0500 (EST) Subject: .gov DNSSEC operational message In-Reply-To: <4D1A3D5E.2020003@dougbarton.us> Message-ID: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Doug Barton" > Now OTOH if someone wants to demonstrate the value in having a > publication channel for TLD DNSKEYs outside of the root zone, I'm > certainly willing to listen. Just be forewarned that you will have an > uphill battle in trying to prove your case. :) If you do not, then your clients have little hope of spotting insider malfeasance changes, no? Or aren't such changes practical for other reasons which I don't understand, not being a DNSSEC maven? Cheers, -- jra From jra at baylink.com Tue Dec 28 21:34:20 2010 From: jra at baylink.com (Jay Ashworth) Date: Tue, 28 Dec 2010 22:34:20 -0500 (EST) Subject: .gov DNSSEC operational message In-Reply-To: <20101229032454.591AD1CC16@ptavv.es.net> Message-ID: <18464870.3164.1293593660041.JavaMail.root@benjamin.baylink.com> ---- Original Message ----- > From: "Kevin Oberman" > There is no reason that you could not do OOB transfers of keys, but it > would be so cumbersome with the need to maintain keys for every TLD > (and, for that matter, every zone under them) and deal with key rolls > at random intervals and confirm that the new keys you were getting were, > in fact legitimate would be more than overwhelming. It just does not > scale. 
I apologize; I was not clear. I was not suggesting OOB *production transfer of keying information*. I was rather suggesting that an additional publication of the keys, in an authenticatable manner, which could be used by anyone who believed that Something Hincky might be going on to confirm or deny, might be useful. Cheers, -- jra From oberman at es.net Tue Dec 28 22:07:22 2010 From: oberman at es.net (Kevin Oberman) Date: Tue, 28 Dec 2010 20:07:22 -0800 Subject: .gov DNSSEC operational message In-Reply-To: Your message of "Tue, 28 Dec 2010 22:34:20 EST." <18464870.3164.1293593660041.JavaMail.root@benjamin.baylink.com> Message-ID: <20101229040722.76F271CC26@ptavv.es.net> > Date: Tue, 28 Dec 2010 22:34:20 -0500 (EST) > From: Jay Ashworth > > ---- Original Message ----- > > From: "Kevin Oberman" > > > There is no reason that you could not do OOB transfers of keys, but it > > would be so cumbersome with the need to maintain keys for every TLD > > (and, for that matter, every zone under them) and deal with key rolls > > at random intervals and confirm that the new keys you were getting were, > > in fact legitimate would be more than overwhelming. It just does not > > scale. > > I apologize; I was not clear. > > I was not suggesting OOB *production transfer of keying information*. > > I was rather suggesting that an additional publication of the keys, in > an authenticatable manner, which could be used by anyone who believed > that Something Hincky might be going on to confirm or deny, might be > useful. Ahh. I did miss your point and I suspect others (other than Bill) might have, as well. Yes, having a verifiable source of keys OOB might have a small bit of value, but, assuming we get general adoption of RFC 5011, I think it's pretty limited value. Of course, this begs the question, how do we do a better job of verifying the keys received out of band than the root zone does of verifying the keys? Sort of a chicken and egg problem. -- R. 
Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman at es.net Phone: +1 510 486-8634 Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 From bmanning at vacation.karoshi.com Tue Dec 28 22:25:27 2010 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 29 Dec 2010 04:25:27 +0000 Subject: .gov DNSSEC operational message In-Reply-To: <20101229040722.76F271CC26@ptavv.es.net> References: <18464870.3164.1293593660041.JavaMail.root@benjamin.baylink.com> <20101229040722.76F271CC26@ptavv.es.net> Message-ID: <20101229042527.GE28346@vacation.karoshi.com.> On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote: > > Yes, having a verifiable source of keys OOB might have a small bit of > value, but, assuming we get general adoption of RFC 5011, I think it's > pretty limited value. Of course, this begs the question, how do we do a > better job of verifying the keys received out of band than the root zone > does of verifying the keys? Sort of a chicken and egg problem. > -- > R. Kevin Oberman, Network Engineer presumes RFC 5011 is viable. fall outside the 30-day window and you're screwed. :) that said, what folks came up w/ for the root key roll might be a useful template, e.g. the use of TCRs and use an M/N assurance check - in those rare cases where you're just foobarr'ed and you can't take your servers into the SCIF to rekey. and/or an alternative to the strict timing constraints in RFC 5011 with a protocol that gives more leeway for a node being offline over a keyroll interval. There -should- be a functional equivalent of OTAR for DNSSEC keys that is not constrained to a tight window... IMHO of course. 
--bill From hescominsoon at emmanuelcomputerconsulting.com Tue Dec 28 22:39:25 2010 From: hescominsoon at emmanuelcomputerconsulting.com (William Warren) Date: Tue, 28 Dec 2010 23:39:25 -0500 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: <20101229014302.GA32655@li92-81.konadogs.net> References: <1293583161.2745.21.camel@watermelon.coderich.net> <20101229014302.GA32655@li92-81.konadogs.net> Message-ID: <4D1ABB7D.4070504@emmanuelcomputerconsulting.com> On 12/28/2010 8:43 PM, Nate Itkin wrote: > On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: >> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are >> failing DNSSEC validation. > Ditto. Similar to uspto.gov not too long ago. > > Try posting to dns-operations. > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > Almost certainly some *.gov dns admins lurking there. > > Cheers, > Nate Itkin > There's a thread going on about .gov DNSSEC changes. This could be the source of your issues. From semi.anonymoususer at gmail.com Tue Dec 28 22:48:13 2010 From: semi.anonymoususer at gmail.com (Anonymous List User) Date: Tue, 28 Dec 2010 20:48:13 -0800 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance Message-ID: For architectural and building management reasons we cannot mount our antennas in a rooftop or outdoor location at either end. The distance between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas need to be located indoors at both ends and will be placed on small speaker stand tripod pointing at windows. This has been done successfully before with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a nearby apartment building, but I am unsure of what effect glass will have on 5 GHz. Has anyone tried this? The goal of this link is to achieve a 10 Mbps+ full duplex bridge to a building which is only serviced by ADSL2+ Telus service in a Western Canadian city. 
Telus' upstream speed offerings do not exceed 1 Mbps. Equipment. These have been used successfully for MCS13/MCS14 50 Mbps+ bridges at 11 km distance between towers. http://ubnt.com/nanobridge http://www.ubnt.com/downloads/nb5_datasheet.pdf From streiner at cluebyfour.org Tue Dec 28 22:56:45 2010 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 28 Dec 2010 23:56:45 -0500 (EST) Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: Message-ID: On Tue, 28 Dec 2010, Anonymous List User wrote: > For architectural and building management reasons we cannot mount our > antennas in a rooftop or outdoor location at either end. The distance > between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas > need to be located indoors at both ends and will be placed on small speaker > stand tripod pointing at windows. This has been done successfully before > with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a > nearby apartment building, but I am unsure of what effect glass will have on > 5 GHz. Has anyone tried this? A lot depends on the windows themselves. Windows in some modern buildings have a thin metallic coating that can have a big impact on the ability to pass an RF signal. jms From tvhawaii at shaka.com Tue Dec 28 23:32:16 2010 From: tvhawaii at shaka.com (Michael Painter) Date: Tue, 28 Dec 2010 19:32:16 -1000 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance References: Message-ID: <9298ED1531904B1DAB5003E547E1281E@DELL16> Anonymous List User wrote: > For architectural and building management reasons we cannot mount our > antennas in a rooftop or outdoor location at either end. The distance > between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas > need to be located indoors at both ends and will be placed on small speaker > stand tripod pointing at windows. 
This has been done successfully before > with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a > nearby apartment building, but I am unsure of what effect glass will have on > 5 GHz. Has anyone tried this? > > The goal of this link is to achieve a 10 Mbps+ full duplex bridge to a > building which is only serviced by ADSL2+ Telus service in a Western > Canadian city. Telus' upstream speed offerings do not exceed 1 Mbps. > > Equipment. These have been used successfully for MCS13/MCS14 50 Mbps+ > bridges at 11 km distance between towers. > > http://ubnt.com/nanobridge > > http://www.ubnt.com/downloads/nb5_datasheet.pdf Imo, Ubiquiti stuff is so cheap ($95 for the 25dBi version), it's probably more cost effective to just buy it and try it rather than spending the time analyzing the glass (on both ends). From joelja at bogus.com Tue Dec 28 23:51:48 2010 From: joelja at bogus.com (Joel Jaeggli) Date: Tue, 28 Dec 2010 21:51:48 -0800 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: Message-ID: <4D1ACC74.2020901@bogus.com> On 12/28/10 8:48 PM, Anonymous List User wrote: > For architectural and building management reasons we cannot mount our > antennas in a rooftop or outdoor location at either end. The distance > between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas > need to be located indoors at both ends and will be placed on small speaker > stand tripod pointing at windows. This has been done successfully before > with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a > nearby apartment building, but I am unsure of what effect glass will have on > 5 GHz. Has anyone tried this? glazed windows (which is tin in general) are a problem... when most of your radiation is being thrown right back at you that is a challenge. 
> The goal of this link is to achieve a 10 Mbps+ full duplex bridge to a > building which is only serviced by ADSL2+ Telus service in a Western > Canadian city. Telus' upstream speed offerings do not exceed 1 Mbps. > > Equipment. These have been used successfully for MCS13/MCS14 50 Mbps+ > bridges at 11 km distance between towers. > > http://ubnt.com/nanobridge > > http://www.ubnt.com/downloads/nb5_datasheet.pdf > From web at typo.org Wed Dec 29 00:07:44 2010 From: web at typo.org (Wayne E. Bouchard) Date: Tue, 28 Dec 2010 23:07:44 -0700 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: <4D1ACC74.2020901@bogus.com> References: <4D1ACC74.2020901@bogus.com> Message-ID: <20101229060744.GA28982@typo.org> Codes are usually defined in one of two ways... Either "cannot be above the building parapet" or "cannot be visible from the street below" (which allows you to position a stand at the center of the roof so you can clear the parapet) but when talking to building management, it can very easily be, "can't put anything on the roof" So to be certain we're not missing an opportunity, do you know that you don't actually have the second of those definitions as an option? In my area, neighboring jurisdictions adopt either the first or the second with building management usually adopting the first and making my life difficult. (I.e., can do it in one place but not on the companion building.) On Tue, Dec 28, 2010 at 09:51:48PM -0800, Joel Jaeggli wrote: > On 12/28/10 8:48 PM, Anonymous List User wrote: > > For architectural and building management reasons we cannot mount our > > antennas in a rooftop or outdoor location at either end. The distance > > between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas > > need to be located indoors at both ends and will be placed on small speaker > > stand tripod pointing at windows. 
This has been done successfully before > > with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a > > nearby apartment building, but I am unsure of what effect glass will have on > > 5 GHz. Has anyone tried this? > > glazed windows (which is tin in general) are a problem... when most of > your radiation is being thrown right back at you that is a challenge. > > > The goal of this link is to achieve a 10 Mbps+ full duplex bridge to a > > building which is only serviced by ADSL2+ Telus service in a Western > > Canadian city. Telus' upstream speed offerings do not exceed 1 Mbps. > > > > Equipment. These have been used successfully for MCS13/MCS14 50 Mbps+ > > bridges at 11 km distance between towers. > > > > http://ubnt.com/nanobridge > > > > http://www.ubnt.com/downloads/nb5_datasheet.pdf > > > --- Wayne Bouchard web at typo.org Network Dude http://www.typo.org/~web/ From rs at seastrom.com Wed Dec 29 07:00:43 2010 From: rs at seastrom.com (Robert E. Seastrom) Date: Wed, 29 Dec 2010 08:00:43 -0500 Subject: .gov DNSSEC operational message In-Reply-To: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> (Jay Ashworth's message of "Tue, 28 Dec 2010 22:27:48 -0500 (EST)") References: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> Message-ID: <86tyhwg2dg.fsf@seastrom.com> Jay Ashworth writes: > ----- Original Message ----- >> From: "Doug Barton" > >> Now OTOH if someone wants to demonstrate the value in having a >> publication channel for TLD DNSKEYs outside of the root zone, I'm >> certainly willing to listen. Just be forewarned that you will have an >> uphill battle in trying to prove your case. :) > > If you do not, then your clients have little hope of spotting insider > malfeasance changes, no? > > Or aren't such changes practical for other reasons which I don't > understand, not being a DNSSEC maven? Can you provide us a scenario? -r From rs at seastrom.com Wed Dec 29 07:19:08 2010 From: rs at seastrom.com (Robert E. 
Seastrom) Date: Wed, 29 Dec 2010 08:19:08 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: <20101229060744.GA28982@typo.org> (Wayne E. Bouchard's message of "Tue, 28 Dec 2010 23:07:44 -0700") References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> Message-ID: <86pqskg1ir.fsf@seastrom.com> "Wayne E. Bouchard" writes: > Codes are usually defined in one of two ways... Either "cannot be > above the building parapet" or "cannot be visible from the street > below" (which allows you to position a stand at the center of the roof > so you can clear the parapet) but when talking to building management, > it can very easily be, "can't put anything on the roof" > > So to be certain we're not missing an opportunity, do you know that > you don't actually have the second of those definitions as an option? > In my area, neighboring jurisdictions adopt either the first or the > second with building management usually adopting the first and making > my life difficult. (I.e., can do it in one place but not on the > companion building.) The third consideration is "someone notices and cares". The Nanostation Loco (again from Ubiquiti) is easily capable of the distances that you're talking about and is an all-in-one unit (antenna plus radio, fed with POE) about twice the size of a pack of cigarettes (does anyone use that as a point of reference anymore or have enough of us quit smoking that it's irrelevant?). It has a built-in mount on the back and is intended to be zip tied to an existing vent pipe or mast. They even include a zip tie in the packaging. As someone else noted, it is cheaper to buy Ubiquiti equipment and see if it works than it is to do the engineering. In this case, it may well be worth the investment to buy the Ubiquiti equipment and bring it to a meeting with the building management folks to do some *social engineering*. 
Most of these regulations are centered on the concern that your building not look like a tower site. An antenna that is sufficiently small that it can not be seen from the ground without resorting to optics may be on their "oh, that's fine" list once they see one sitting on the table in front of them. -r From sgodmere at mtu.edu Wed Dec 29 07:27:25 2010 From: sgodmere at mtu.edu (Shane Godmere) Date: Wed, 29 Dec 2010 08:27:25 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: Message-ID: <4D1B373D.6080805@mtu.edu> On 12/28/2010 11:48 PM, Anonymous List User wrote: > For architectural and building management reasons we cannot mount our > antennas in a rooftop or outdoor location at either end. The distance > between two buildings is 1.5 km, and the Fresnel zone is clear. Antennas > need to be located indoors at both ends and will be placed on small speaker > stand tripod pointing at windows. This has been done successfully before > with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a > nearby apartment building, but I am unsure of what effect glass will have on > 5 GHz. Has anyone tried this? > Low-E glass is brutal on radio waves. If the windows are tinted, multi-layer, or have metallic particles, success may be difficult. You may want to test with some 802.11a network cards in ad-hoc mode to see if you can actually communicate over the 1500 m path. We have had to deal with a condo association to get approval to mount some panels outside at one site. It can usually be discussed when presented with the facts and some photo-shop edits to show what visual impact it will have. However, be prepared for a significant delay in some cases and success is never a sure thing. Another item of concern is you are looking at IC/FCC unlicensed bands. Ten years ago 5.8 was fairly clean, but more recently we have found a lot more consumer devices invading the spectrum. 
We had a 1km path with a $15K microwave system knocked out by a consumer $50 cordless phone that was 1/2 block away. (We purchased a DECT6 phone for them and 'solved' the immediate issue... until we could obtain a license/path and the equipment to install something that wouldn't be interfered with.) -- Shane Allan Godmere Senior Telecommunications Engineer II Michigan Technological University 1400 Townsend Dr. EERC-B31 Houghton, MI 49931 From cmaurand at xyonet.com Wed Dec 29 07:34:37 2010 From: cmaurand at xyonet.com (Curtis Maurand) Date: Wed, 29 Dec 2010 08:34:37 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: <86pqskg1ir.fsf@seastrom.com> References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> Message-ID: <4D1B38ED.3080704@xyonet.com> On 12/29/2010 8:19 AM, Robert E. Seastrom wrote: > The third consideration is "someone notices and cares". > The Nanostation Loco (again from Ubiquiti) is easily capable of the > distances that you're talking about and is an all-in-out unit (antenna > plus radio, fed with POE) about twice the size of a pack of cigarettes > (does anyone use that as a point of reference anymore or have enough > of us quit smoking that it's irrelevant?). Deck of cards, maybe? --Curtis From joel.esler at me.com Wed Dec 29 08:00:04 2010 From: joel.esler at me.com (Joel Esler) Date: Wed, 29 Dec 2010 09:00:04 -0500 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: <4D1ABB7D.4070504@emmanuelcomputerconsulting.com> References: <1293583161.2745.21.camel@watermelon.coderich.net> <20101229014302.GA32655@li92-81.konadogs.net> <4D1ABB7D.4070504@emmanuelcomputerconsulting.com> Message-ID: On Dec 28, 2010, at 11:39 PM, William Warren wrote: > On 12/28/2010 8:43 PM, Nate Itkin wrote: >> On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: >>> I'm looking for a DNS contact for medicare.gov (and cms.gov). 
They are >>> failing DNSSEC validation. >> Ditto. Similar to uspto.gov not too long ago. >> >> Try posting to dns-operations. >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations >> Almost certainly some *.gov dns admins lurking there. >> >> Cheers, >> Nate Itkin >> > There's a thread going on about .gov dnssec changes going on. This could be the source of your issues. > Did you get a contact? If not, I know someone over there. J From sil at infiltrated.net Wed Dec 29 08:01:46 2010 From: sil at infiltrated.net (J. Oquendo) Date: Wed, 29 Dec 2010 09:01:46 -0500 Subject: Specific Network Querying Message-ID: <4D1B3F4A.1040802@infiltrated.net> Good morning and happy holidays all. I'm in the process of creating an automated filtering application and would like to know if anyone can point me to the right place. I'd like to be able to query a site/db/etc., and pull out specific netblocks to create fw rules. Since IP space is always changing, it would be helpful if my queries can be tailored to something like: wget site | Parse IP space | grep Company | create rule Or: wget site | Parse IP space | grep {EDU_IP_SPACE,MIL_SPACE,GOV_SPACE} | create rule Follow? Right now I am using potaroo with something like : wget -qO - http://bgp.potaroo.net/ipv4-stats/allocated-{apnic.html,ripe.html, etc} But this just gives me entire blocks, not who is behind them. Is there any site I could use to query specifics? E.g., for a gov client: wget -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}' Thanks in advance and Happy New Year to everyone. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." 
- Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E From dot at dotat.at Wed Dec 29 08:56:35 2010 From: dot at dotat.at (Tony Finch) Date: Wed, 29 Dec 2010 14:56:35 +0000 Subject: .gov DNSSEC operational message - picking a fight In-Reply-To: <20101228224651.GC28346@vacation.karoshi.com.> References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com> <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> <20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com> <4D1A3D5E.2020003@dougbarton.us> <20101228224651.GC28346@vacation.karoshi.com.> Message-ID: On 28 Dec 2010, at 22:46, bmanning at vacation.karoshi.com wrote: > > IMHO, key management should be able to use an OOB channel > when the in-band is corrupted or overloaded. Reliance on > strictly the IB channel presumes there will be no problems > with that channel. EVER. For me, I don't want to take > that risk. YMMV of course. If normal DNS resolution fails to work then there's no point in getting the keys from another source since there's no data for them to validate. Tony. -- f.anthony.n.finch http://dotat.at/ From dot at dotat.at Wed Dec 29 09:01:41 2010 From: dot at dotat.at (Tony Finch) Date: Wed, 29 Dec 2010 15:01:41 +0000 Subject: .gov DNSSEC operational message In-Reply-To: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> References: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> Message-ID: On 29 Dec 2010, at 03:27, Jay Ashworth wrote: > > If you do not, then your clients have little hope of spotting insider malfeasance changes, no? No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a corrupt procedure. Tony. 
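The in-band path Matt described earlier in the thread (trust a TLD KSK only via the DS record for it in the signed root zone) comes down to one digest comparison, shown here as an added Python example that is not code from anyone on the list. It derives a DS from a DNSKEY the way RFC 4034/4509 specify and checks candidate keys against it; the key bytes are constructed dummies, not any real .gov or .net key, and as Tony's point implies the check says nothing about whether the parent published that DS through a proper or a corrupt procedure.

```python
"""DS-to-DNSKEY check: the one link a validator follows from the signed
root down to a TLD KSK (RFC 4034 s5.1.4, RFC 4509).  Added example, not
code from anyone on the list.  Key bytes below are constructed dummies."""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the empty root label (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += (octet << 8) if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Digest type 1 is SHA-1 (RFC 4034), type 2 is SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """What the parent publishes: the DS RR fields for a child's DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type)}


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey, ds) -> bool:
    """What the validator does: a child DNSKEY becomes a usable trust point
    only if a DS in the already-validated parent zone names its key tag and
    algorithm and its digest matches.  A DS published by a corrupt procedure
    passes this check exactly as well as one published properly."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if ds["algorithm"] != algorithm or ds["key_tag"] != key_tag(rdata):
        return False
    want = ds["digest"].upper()
    got = ds_digest(owner, rdata, ds["digest_type"])
    return hmac.compare_digest(got, want)


# Constructed dummy key material (not a real KSK). Flags 257 = ZONE + SEP,
# protocol 3, algorithm 8 = RSA/SHA-256.
CONSTRUCTED_KSK = bytes(range(1, 65))
SWAPPED_KSK = bytes(64)

if __name__ == "__main__":
    ds = make_ds("gov.", 257, 3, 8, CONSTRUCTED_KSK)
    print("gov. IN DS %d %d %d %s" % (ds["key_tag"], ds["algorithm"],
                                      ds["digest_type"], ds["digest"]))
    print("delegated KSK:", dnskey_matches_ds("gov.", 257, 3, 8, CONSTRUCTED_KSK, ds))
    print("swapped KSK  :", dnskey_matches_ds("gov.", 257, 3, 8, SWAPPED_KSK, ds))
    print("wrong owner  :", dnskey_matches_ds("net.", 257, 3, 8, CONSTRUCTED_KSK, ds))
```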
-- f.anthony.n.finch http://dotat.at/ From Bryan at bryanfields.net Wed Dec 29 09:30:13 2010 From: Bryan at bryanfields.net (Bryan Fields) Date: Wed, 29 Dec 2010 10:30:13 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: <86pqskg1ir.fsf@seastrom.com> References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> Message-ID: <4D1B5405.20701@bryanfields.net> On 12/29/2010 08:19, Robert E. Seastrom wrote: > > Most of these regulations are centered on the concern that your > building not look like a tower site. An antenna that is sufficiently > small that it can not be seen from the ground without resorting to > optics may be on their "oh, that's fine" list once they see one > sitting on the table in front of them. Don't forget about OTARD, where so long as you control the space in your lease, no local government regulations can prevent installation of an internet reception radio. Also, the Ubiquiti is crap from a build/reliability standpoint. If you're doing anything serious, it would be worth it to buy a better product. I'm partial to the Alvarion and Motorola PtP links. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From graham at g-rock.net Wed Dec 29 09:43:00 2010 From: graham at g-rock.net (GP Wooden) Date: Wed, 29 Dec 2010 09:43:00 -0600 Subject: Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance Message-ID: <20101229154310.E0ED2FF80EB@sociald.mobis.leasedminds.com> +1 on Alvarion. ----- Reply message ----- From: "Bryan Fields" Date: Wed, Dec 29, 2010 9:30 am Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance To: On 12/29/2010 08:19, Robert E. Seastrom wrote: > > Most of these regulations are centered on the concern that your > building not look like a tower site. 
An antenna that is sufficiently > small that it can not be seen from the ground without resorting to > optics may be on their "oh, that's fine" list once they see one > sitting on the table in front of them. Don't forget about OTARD, where so long as you control the space in your lease, no local government regulations can prevent installation of an internet reception radio. Also, the Ubiquiti is crap from a build/reliability standpoint. If you're doing anything serious, it would be worth it to buy a better product. I'm partial to the Alvarion and Motorola PtP links. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From Valdis.Kletnieks at vt.edu Wed Dec 29 10:15:02 2010 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 29 Dec 2010 11:15:02 -0500 Subject: .gov DNSSEC operational message In-Reply-To: Your message of "Wed, 29 Dec 2010 15:01:41 GMT." References: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> Message-ID: <37561.1293639302@localhost> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said: > No cryptography can expose the difference between data that is correctly > signed by the proper procedures and data that is correctly signed by a corrupt > procedure. Amen... Well, it *would* help detect an intruder that's smart enough to subvert the signing of the zones on the DNS server, but unable to also subvert the copy stored on some FTP site. Rather esoteric threat model, fast approaching the "Did you remember to take your meds?" level. Plus, if you're worried about foobar.com's zone being maliciously signed, do you *really* want to follow a pointer to www.foobar.com to fetch another copy? :) 
From ryanshea at google.com Wed Dec 29 10:23:21 2010 From: ryanshea at google.com (Ryan Shea) Date: Wed, 29 Dec 2010 11:23:21 -0500 Subject: Specific Network Querying In-Reply-To: <4D1B3F4A.1040802@infiltrated.net> References: <4D1B3F4A.1040802@infiltrated.net> Message-ID: You may want to look at Capirca (http://code.google.com/p/capirca/) for creating policy files from which to generate your firewall rulesets. I am not aware of a simple categorization of netblocks. My first thought is that an agreement with every RIR for bulk whois data and writing code to parse / categorize would be quite difficult and may not get you a reasonable result after all that work - maybe there is something commercially available. -Ryan On Wed, Dec 29, 2010 at 9:01 AM, J. Oquendo wrote: > > Good morning and happy holidays all. I'm in the process of creating an > automated filtering application and would like to know if anyone can > point me to the right place. I'd like to be able to query a > site/db/etc., and pull out specific netblocks to create fw rules. Since > IP space is always changing, it would be helpful if my queries can be > tailored to something like: > > wget site | Parse IP space | grep Company | create rule > > Or: > > wget site | Parse IP space | grep {EDU_IP_SPACE,MIL_SPACE,GOV_SPACE} | > create rule > > Follow? > > Right now I am using potaroo with something like : > > wget -qO - > http://bgp.potaroo.net/ipv4-stats/allocated-{apnic.html,ripe.html, etc} > > But this just gives me entire blocks, not who is behind them. Is there > any site I could use to query specifics? E.g., for a gov client: wget > -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}' > > Thanks in advance and Happy New Year to everyone. > > > -- > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > J. 
Oquendo > SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT > > "It takes 20 years to build a reputation and five minutes to > ruin it. If you think about that, you'll do things > differently." - Warren Buffett > > 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E > > > From juicewvu at gmail.com Wed Dec 29 10:24:15 2010 From: juicewvu at gmail.com (Josh Smith) Date: Wed, 29 Dec 2010 11:24:15 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: <4D1B5405.20701@bryanfields.net> References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> <4D1B5405.20701@bryanfields.net> Message-ID: On Wed, Dec 29, 2010 at 10:30 AM, Bryan Fields wrote: > On 12/29/2010 08:19, Robert E. Seastrom wrote: >> >> Most of these regulations are centered on the concern that your >> building not look like a tower site. An antenna that is sufficiently >> small that it can not be seen from the ground without resorting to >> optics may be on their "oh, that's fine" list once they see one >> sitting on the table in front of them. > > Don't forget about OTARD, where so long as you control the space in your > lease, no local government regulations can prevent installation of an internet > reception radio. > > Also, the Ubiquiti is crap from a build/reliability standpoint. If you're > doing anything serious, it would be worth it to buy a better product. I'm > partial to the Alvarion and Motorola PtP links. > > > -- > Bryan Fields > > 727-409-1194 - Voice > 727-214-2508 - Fax > http://bryanfields.net > > While certainly not the best stuff made I've found the ubiquiti equipment to be very nice for the price and have a few of their AP's which have been in service 24x7 for a couple of years now. Thanks, -- Josh Smith KD8HRX email/jabber: juicewvu at gmail.com phone:
304.237.9369(c) From bmanning at vacation.karoshi.com Wed Dec 29 10:36:30 2010 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 29 Dec 2010 16:36:30 +0000 Subject: .gov DNSSEC operational message - picking a fight In-Reply-To: References: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com> <11421501.2054.1293129433092.JavaMail.root@benjamin.baylink.com> <20101226170702.GA26276@DUL1MLARSON-M1.vcorp.ad.vrsn.com> <4D1A3D5E.2020003@dougbarton.us> <20101228224651.GC28346@vacation.karoshi.com.> Message-ID: <20101229163630.GA2294@vacation.karoshi.com.> On Wed, Dec 29, 2010 at 02:56:35PM +0000, Tony Finch wrote: > On 28 Dec 2010, at 22:46, bmanning at vacation.karoshi.com wrote: > > > > IMHO, key management should be able to use an OOB channel > > when the in-band is corrupted or overlaoded. Reliance on > > strictly the IB channel presumes there will be no problems > > with that channel. EVER. For me, I don't want to take > > that risk. YMMV of course. > > If normal DNS resolution fails to work then there's no point in getting the keys from another source since there's no data for them to validate. oh resoultion works a treat. its the validation that gets hosed. :) --bill From bmanning at vacation.karoshi.com Wed Dec 29 10:56:52 2010 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 29 Dec 2010 16:56:52 +0000 Subject: .gov DNSSEC operational message In-Reply-To: <37561.1293639302@localhost> References: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> <37561.1293639302@localhost> Message-ID: <20101229165652.GB2294@vacation.karoshi.com.> On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks at vt.edu wrote: > On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said: > > No cryptography can expose the difference between data that is correctly > > signed by the proper procedures and data that is correctly signed by a corrupt > > procedure. > > Amen... 
> > Well, it *would* help detect an intruder that's smart enough to subvert the > signing of the zones on the DNS server, but unable to also subvert the copy > stored on some FTP site. Rather esoteric threat model, fast approaching > the "Did you remember to take your meds?" level. presuposes the attack was server directed. the DNS-sniper will take out your locally configured root KSK &/or replace it w/ their own. no need to "carpet-bomb" all users of the vt.edu caches - right? > Plus, if you're worried about foobar.com's zone being maliciously signed, do > you *really* want to follow a pointer to www.foobar.com to fetch another copy? :) who intimated that the OOB channel would be http? since that is based on the DNS, i'd like to think it was suspect as well. :) --bill From cjp at 0x1.net Wed Dec 29 11:32:28 2010 From: cjp at 0x1.net (Christopher J. Pilkington) Date: Wed, 29 Dec 2010 12:32:28 -0500 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: <1293583161.2745.21.camel@watermelon.coderich.net> References: <1293583161.2745.21.camel@watermelon.coderich.net> Message-ID: <20101229173228.GA15617@0x1.net> On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: > I'm looking for a DNS contact for medicare.gov (and cms.gov). They are > failing DNSSEC validation. Seeing it still broken, I contacted someone over at Lockheed who works over at CMS. They're escalating to "the appropriate support vendor." -cjp From joel.esler at me.com Wed Dec 29 11:40:43 2010 From: joel.esler at me.com (Joel Esler) Date: Wed, 29 Dec 2010 12:40:43 -0500 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: <20101229173228.GA15617@0x1.net> References: <1293583161.2745.21.camel@watermelon.coderich.net> <20101229173228.GA15617@0x1.net> Message-ID: Ditto. On Dec 29, 2010, at 12:32 PM, Christopher J. Pilkington wrote: > On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: >> I'm looking for a DNS contact for medicare.gov (and cms.gov). 
They are >> failing DNSSEC validation. > > Seeing it still broken, I contacted someone over at Lockheed who > works over at CMS. They're escalating to "the appropriate > support vendor." > > -cjp > From jna at retina.net Wed Dec 29 13:01:15 2010 From: jna at retina.net (John Adams) Date: Wed, 29 Dec 2010 11:01:15 -0800 Subject: Specific Network Querying In-Reply-To: <4D1B3F4A.1040802@infiltrated.net> References: <4D1B3F4A.1040802@infiltrated.net> Message-ID: On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo wrote: > > Good morning and happy holidays all. I'm in the process of creating an > automated filtering application and would like to know if anyone can > point me to the right place. I'd like to be able to query a > site/db/etc., and pull out specific netblocks to create fw rules. [...] > But this just gives me entire blocks, not who is behind them. Is there > any site I could use to query specifics? E.g., for a gov client: wget > -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}' > Given the current IPv4 climate, this sounds like a terrible idea. The landscape has changed dramatically from what it once was. Large volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out there routing traffic, and we'll soon see a time in which entire countries are transiting over small chunks of IPv4 space. Never mind the fact that applications on services like Google App Engine have a different IP nearly every time they connect because of outbound proxy pools. I think you're going to have a very difficult time resolving an IP to the appropriate owner. Coarse calculation of who might be in charge of a block is possible but fine-grained discovery and classification of an owner is a difficult task.
That being said, the tools that I'm using on a daily basis to figure out who actually owns an IP block (or is sending traffic over it) are: - Senderbase (Cisco) - cymru whois (whois.cymru.com - good for fast bgp lookups and geo) - http://multirbl.valli.org/dnsbl-lookup (multi-rbl lookup , good for finding abusers and other issues) - SmartViper (Website ownership) http://www.markosweb.com/ -John From mruiz at lstfinancial.com Wed Dec 29 14:11:55 2010 From: mruiz at lstfinancial.com (Michael Ruiz) Date: Wed, 29 Dec 2010 14:11:55 -0600 Subject: Message-ID: <16E58A1FE7C64A46BAD0FE1558C43D92012A03CE@es1.ic-sa.com> Hello folks, I would like to the OID number for displaying the number of routers that your EBGP peer has received. Thank you in advanced. Michael Ruiz From surfer at mauigateway.com Wed Dec 29 14:22:43 2010 From: surfer at mauigateway.com (Scott Weeks) Date: Wed, 29 Dec 2010 12:22:43 -0800 Subject: Message-ID: <20101229122243.2F88EFDB@resin11.mta.everyone.net> --- mruiz at lstfinancial.com wrote: From: "Michael Ruiz" I would like to the OID number for displaying the number of routers that your EBGP peer has received. Thank you in advanced. --------------------------------------------- http://www.oidview.com/mibs/detail.html scott From rlaager at wiktel.com Wed Dec 29 15:37:39 2010 From: rlaager at wiktel.com (Richard Laager) Date: Wed, 29 Dec 2010 15:37:39 -0600 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: <20101229173228.GA15617@0x1.net> References: <1293583161.2745.21.camel@watermelon.coderich.net> <20101229173228.GA15617@0x1.net> Message-ID: <1293658659.2817.17.camel@watermelon.coderich.net> On Wed, 2010-12-29 at 12:32 -0500, Christopher J. Pilkington wrote: > On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: > > I'm looking for a DNS contact for medicare.gov (and cms.gov). They are > > failing DNSSEC validation. > > Seeing it still broken, I contacted someone over at Lockheed who > works over at CMS. 
They're escalating to "the appropriate > support vendor." Thank you both for forwarding this. Some progress has been made: I received a response saying they believed they had it fixed. From my testing, medicare.gov is fixed, but cms.gov is still broken (though in a different way, I think). I replied as such and also requested corrected SOA records. Thanks again, Richard -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From jared at puck.nether.net Wed Dec 29 19:47:44 2010 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 29 Dec 2010 20:47:44 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> <4D1B5405.20701@bryanfields.net> Message-ID: On Dec 29, 2010, at 11:24 AM, Josh Smith wrote: > While certainly not the best stuff made I've found the ubiquiti > equipment to be very nice for the price and have a few of their AP's > which have been in service 24x7 for a couple of years now. Same here. The price performance is hard (impossible?) to beat. Combine that with the Linux/SDK stuff and you can do some interesting things with it that you can't do with other devices. 
- Jared From r.engehausen at gmail.com Wed Dec 29 19:57:39 2010 From: r.engehausen at gmail.com (Roy) Date: Wed, 29 Dec 2010 17:57:39 -0800 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> <4D1B5405.20701@bryanfields.net> Message-ID: <4D1BE713.9060607@gmail.com> On 12/29/2010 5:47 PM, Jared Mauch wrote: > On Dec 29, 2010, at 11:24 AM, Josh Smith wrote: > >> While certainly not the best stuff made I've found the ubiquiti >> equipment to be very nice for the price and have a few of their AP's >> which have been in service 24x7 for a couple of years now. > Same here. > > The price performance is hard (impossible?) to beat. > > Combine that with the Linux/SDK stuff and you can do some interesting things with it that you can't do with other devices. > > - Jared > With prices so low, you can even afford redundant links :-) From juicewvu at gmail.com Wed Dec 29 20:02:05 2010 From: juicewvu at gmail.com (Josh Smith) Date: Wed, 29 Dec 2010 21:02:05 -0500 Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance In-Reply-To: References: <4D1ACC74.2020901@bogus.com> <20101229060744.GA28982@typo.org> <86pqskg1ir.fsf@seastrom.com> <4D1B5405.20701@bryanfields.net> Message-ID: > Combine that with the Linux/SDK stuff and you can do some interesting things with it that you can't do with other devices. > > - Jared Jared, I don't really have any experience with the Linux/SDK stuff care to share what you're using it for? Thanks, -- Josh Smith KD8HRX email/jabber:? juicewvu at gmail.com phone:? 
304.237.9369(c) From morrowc.lists at gmail.com Wed Dec 29 20:16:07 2010 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 29 Dec 2010 21:16:07 -0500 Subject: Specific Network Querying In-Reply-To: References: <4D1B3F4A.1040802@infiltrated.net> Message-ID: On Wed, Dec 29, 2010 at 2:01 PM, John Adams wrote: > On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo wrote: >> >> Good morning and happy holidays all. I'm in the process of creating an >> automated filtering application and would like to know if anyone can >> point me to the right place. I'd like to be able to query a >> site/db/etc., and pull out specific netblocks to create fw rules. > [...] >> But this just gives me entire blocks, not who is behind them. Is there >> any site I could use to query specifics? E.g., for a gov client: wget >> -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}' >> given an ASN you can query their announcements from RouteViews DNS no? (or rsync that and do the lookup locally in whatever form you feel is helpful) That probably has some whois data easily tied to it as well... > > Given the current IPv4 climate, this sounds like a terrible idea. The > landscape has changed dramatically from what it once was. Large if you are updating filters 'quickly' it shouldn't matter, right? you'll catch things (presuming whois is updated and/or BGP is and you can tie things back through asn/netblock relationships, oh... RPKI...) pretty quickly as they move. > volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out > there routing traffic, and we'll soon see a time in which entire > countries are transiting over small chunks of IPv4 space. Never mind I don't recall the OP saying 'ipv4' only? > the fact that applications on services like Google App Engine have a > different IP nearly every time they connect because of outbound proxy > pools.
it's probably not 'every time they connect' there's probably some sensible reasoning behind the decision process.. like your query that triggers it comes into "METRO-X" and thus outbound queries come from a netblock for NAT things inside "METRO-X", my query goes to "METRO-Y" so ... diff netblock. Inside a set of queries (10-100?) you'll see a repeated set of ips, I suspect. -chris From mmzinyi at yahoo.com Thu Dec 30 00:31:28 2010 From: mmzinyi at yahoo.com (jacob miller) Date: Wed, 29 Dec 2010 22:31:28 -0800 (PST) Subject: Best Customer Support Practices Message-ID: <326753.1288.qm@web39503.mail.mud.yahoo.com> Hi, Am looking towards formulating a document that will encompass best customer support practices. Am looking to formulate the document based on well known best practices and experience from different individuals. Any help will be greatly appreciated. Thanks. Regards, Jacob From marka at isc.org Thu Dec 30 07:17:02 2010 From: marka at isc.org (Mark Andrews) Date: Fri, 31 Dec 2010 00:17:02 +1100 Subject: medicare.gov / cms.gov DNSSEC Validation Failures In-Reply-To: Your message of "Wed, 29 Dec 2010 15:37:39 MDT." <1293658659.2817.17.camel@watermelon.coderich.net> References: <1293583161.2745.21.camel@watermelon.coderich.net> <20101229173228.GA15617@0x1.net><1293658659.2817.17.camel@watermelon.coderich.net> Message-ID: <20101230131702.90B0A85EA39@drugs.dv.isc.org> In message <1293658659.2817.17.camel at watermelon.coderich.net>, Richard Laager w > On Wed, 2010-12-29 at 12:32 -0500, Christopher J. Pilkington wrote: > > On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote: > > > I'm looking for a DNS contact for medicare.gov (and cms.gov). They are > > > failing DNSSEC validation. > >=20 > > Seeing it still broken, I contacted someone over at Lockheed who > > works over at CMS. They're escalating to "the appropriate > > support vendor." > > Thank you both for forwarding this. 
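For the pipeline J. Oquendo sketches in the Specific Network Querying thread above (fetch a netblock listing, pick out the organisations of interest, emit firewall rules) and Chris Morrow's suggestion of keying on origin ASN rather than on names, the following is an added example, not code posted by anyone in the thread. It assumes the column layout of Team Cymru's bulk whois service that John Adams lists (whois.cymru.com, verbose mode); the sample rows are constructed from documentation prefixes and RFC 5398 example ASNs, and all function names are the example's own.

```python
"""Turn netblock/origin-AS data into firewall rules.

Added example, not from any message in this thread. It assumes input in the
column layout of Team Cymru's bulk whois service (whois.cymru.com, "begin
verbose"): AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name.
The sample rows below are constructed (documentation prefixes, RFC 5398
example ASNs), not real lookups, and the function names are this example's own.
"""
import ipaddress
import re

# Constructed sample in the Cymru verbose layout (not real lookups).
SAMPLE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-04-02 | EXAMPLE-GOV - Example Agency, US
64496   | 192.0.2.200      | 192.0.2.128/25      | US | arin     | 2001-04-02 | EXAMPLE-GOV - Example Agency, US
64497   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2005-09-19 | EXAMPLE-EDU - Example University, US
64498   | 203.0.113.9      | 203.0.113.0/24      | NL | ripencc  | 2008-01-11 | EXAMPLE-NET Example Hosting, NL
64496   | 2001:db8::1      | 2001:db8::/32       | US | arin     | 2010-06-30 | EXAMPLE-GOV - Example Agency, US
NA      | 10.1.2.3         | NA                  |    |          |            | NA
"""


def parse_cymru(text):
    """Return [(origin ASN, ipaddress network, AS name)] from Cymru verbose output.

    The header row and rows with no origin ("NA": unrouted or bogon space) are
    skipped, since there is no prefix to put in a rule.
    """
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or not fields[0].isdigit() or fields[2] == "NA":
            continue
        rows.append((int(fields[0]), ipaddress.ip_network(fields[2], strict=False), fields[6]))
    return rows


def select_prefixes(rows, asns=(), name_pattern=None):
    """Pick prefixes originated by `asns` or whose AS name matches `name_pattern`.

    Returns (v4 networks, v6 networks). Each family is collapsed so that a
    more-specific announcement already covered by a larger block does not
    become a second, redundant rule.
    """
    pat = re.compile(name_pattern) if name_pattern else None
    chosen = [net for asn, net, name in rows
              if asn in asns or (pat is not None and pat.search(name))]
    v4 = list(ipaddress.collapse_addresses(n for n in chosen if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in chosen if n.version == 6))
    return v4, v6


def iptables_rules(v4, v6, chain="INPUT", target="ACCEPT"):
    """Render one iptables/ip6tables rule per prefix (as strings; nothing is executed)."""
    rules = [f"iptables -A {chain} -s {net} -j {target}" for net in v4]
    rules += [f"ip6tables -A {chain} -s {net} -j {target}" for net in v6]
    return rules


if __name__ == "__main__":
    rows = parse_cymru(SAMPLE)
    v4, v6 = select_prefixes(rows, name_pattern=r"-GOV\b")
    print("\n".join(iptables_rules(v4, v6)))
```

Two details carry the thread's caveats: prefixes are collapsed, so a more-specific that the (coarse, per John Adams) origin data attributes to the same ASN does not produce a duplicate rule, and IPv4 and IPv6 are kept apart and emitted to iptables and ip6tables respectively, since nothing in the original question limited it to IPv4.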
Some progress has been made: > > I received a response saying they believed they had it fixed. From my > testing, medicare.gov is fixed, but cms.gov is still broken (though in a > different way, I think). I replied as such and also requested corrected > SOA records. > > Thanks again, > Richard

Correct, cms.gov is still broken: the DS records don't match any of the DNSKEY records. 10672 != 12456 or 27229

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> ds cms.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cms.gov.                       IN      DS

;; ANSWER SECTION:
cms.gov.                30410   IN      DS      10672 5 1 F11F940C51B90CEB818350F1C7049DD8D54050D8
cms.gov.                30410   IN      DS      10672 5 2 A99B67A100FD5EFD0E393FD0C87A6B00424B6A4A032637BC7A11D732 E05AD5BB

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 31 00:12:23 2010
;; MSG SIZE  rcvd: 109

; <<>> DiG 9.6.0-APPLE-P2 <<>> +cd dnskey +multi cms.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62756
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cms.gov.                       IN      DNSKEY

;; ANSWER SECTION:
cms.gov.                349199  IN      DNSKEY  256 3 5 (
                                AwEAAaSsgUpPtXC4xOHnX//jDm4d4xegc9zupcXwICfm
                                4jeBD+ZNHJeTSrxPnILqDb310Jxy6UDi6ye0ipOWG8z6
                                b1oOwmF8LRnpWs+bi9X+AivagVXP2xQQe/pev8KrmMFs
                                UcLZ1PX4w+GxNgsoUGre235fv9IM/EfdD33zSNxeA463
                                ) ; key id = 12456
cms.gov.                349199  IN      DNSKEY  257 3 5 (
                                AwEAAbZbZW7J+O5/tSwDVrGsv5KDDB7HvItDVeQLvdpr
                                GdyJPVlUvs+u87hsCDU96SwmicXTDGdWZFDmj3x22O4p
                                dERsrKoKYpOAoNR3VLgXMToRZmUnaLZf/MqO+H/54PE7
                                Ij7oorWmPJpIZrYzn28MMIiOkH1xOS7eDL2NZ4q06oDN
                                vSDefX3HA5i2sUcOureEFUo6gUkLFkY/uPJ3y35A8uz1
                                KvGd4851UAEfq76sawDl+3uKzETDS5grwmK58NbKKB2O
                                5SAcAS3OxBMriKLUHjsPpwoxKoG5Mc+jA0egIn7tUAQU
                                zzI0HHnspZvZUEbW18uMTFAQX2du2eyGcMwvGEs=
                                ) ; key id = 27229

;; Query time: 304 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 31 00:12:47 2010
;; MSG SIZE  rcvd: 449

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From bruns at 2mbit.com Thu Dec 30 13:47:27 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Thu, 30 Dec 2010 12:47:27 -0700 Subject: Looking for a Cisco network/server admin Message-ID: <4D1CE1CF.7070803@2mbit.com> Hello all, I was wondering if someone could direct me offlist to a Cisco network/admin that could fix a mail server on their network that is out of sync time wise. Not a big deal, but I figured I'd ask. :) -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org

From dot at dotat.at Thu Dec 30 14:11:19 2010 From: dot at dotat.at (Tony Finch) Date: Thu, 30 Dec 2010 20:11:19 +0000 Subject: .gov DNSSEC operational message In-Reply-To: <20101229165652.GB2294@vacation.karoshi.com.> References: <13710334.3140.1293593268622.JavaMail.root@benjamin.baylink.com> <37561.1293639302@localhost> <20101229165652.GB2294@vacation.karoshi.com.> Message-ID: On 29 Dec 2010, at 16:56, bmanning at vacation.karoshi.com wrote: > > presupposes the attack was server directed. the DNS-sniper will take > out your locally configured root KSK &/or replace it w/ their own. If they can do that then you have MUCH bigger problems than authenticity of DNS replies. Tony.
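Mark's dig output above shows the parent-side DS records for cms.gov carrying key tag 10672 while the child's DNSKEY RRset has key ids 12456 and 27229, so no DS can ever authenticate a DNSKEY and every validating resolver treats the zone as bogus. The script below is an added example, not code from anyone in this thread, that reproduces that check offline from the data in the dig output: it computes the RFC 4034 Appendix B key tag of each DNSKEY and the DS digest (SHA-1 / SHA-256 over owner name plus DNSKEY RDATA), and reports whether any DS links to any key. The function names and the small constructed key used alongside the page's data are this example's own.

```python
"""Check a zone's DS records against its DNSKEY RRset.

Added example, not from any message in this thread. The DNSKEY and DS data
are copied from the dig output above; the function names and the flow are
this example's own. Key tag per RFC 4034 Appendix B; DS digest per
RFC 4034 section 5.1.4 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
"""
import base64
import hashlib
import struct

# cms.gov DNSKEY RRset as shown in the dig +multi output above:
# (flags, protocol, algorithm, base64 public key).
CMS_GOV_DNSKEYS = [
    (256, 3, 5,
     "AwEAAaSsgUpPtXC4xOHnX//jDm4d4xegc9zupcXwICfm"
     "4jeBD+ZNHJeTSrxPnILqDb310Jxy6UDi6ye0ipOWG8z6"
     "b1oOwmF8LRnpWs+bi9X+AivagVXP2xQQe/pev8KrmMFs"
     "UcLZ1PX4w+GxNgsoUGre235fv9IM/EfdD33zSNxeA463"),
    (257, 3, 5,
     "AwEAAbZbZW7J+O5/tSwDVrGsv5KDDB7HvItDVeQLvdpr"
     "GdyJPVlUvs+u87hsCDU96SwmicXTDGdWZFDmj3x22O4p"
     "dERsrKoKYpOAoNR3VLgXMToRZmUnaLZf/MqO+H/54PE7"
     "Ij7oorWmPJpIZrYzn28MMIiOkH1xOS7eDL2NZ4q06oDN"
     "vSDefX3HA5i2sUcOureEFUo6gUkLFkY/uPJ3y35A8uz1"
     "KvGd4851UAEfq76sawDl+3uKzETDS5grwmK58NbKKB2O"
     "5SAcAS3OxBMriKLUHjsPpwoxKoG5Mc+jA0egIn7tUAQU"
     "zzI0HHnspZvZUEbW18uMTFAQX2du2eyGcMwvGEs="),
]
# DS records for cms.gov served by the parent, as shown above:
# (key tag, algorithm, digest type, hex digest).
CMS_GOV_DS = [
    (10672, 5, 1, "F11F940C51B90CEB818350F1C7049DD8D54050D8"),
    (10672, 5, 2, "A99B67A100FD5EFD0E393FD0C87A6B00424B6A4A032637BC7A11D732E05AD5BB"),
]

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name, ending in the root label."""
    labels = [part for part in name.lower().split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name wire || DNSKEY RDATA), as upper-case hex."""
    return DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def check_ds(owner, dnskeys, ds_records):
    """Return (set of DNSKEY key tags, [(tag, digest_type, matched) per DS record]).

    A DS matches only if some DNSKEY has the same key tag and algorithm AND the
    digest recomputed over that key equals the DS digest. Key tags are a 16-bit
    checksum and can collide, so every candidate key is tried, not just the first.
    """
    rdatas = [dnskey_rdata(*k) for k in dnskeys]
    tags = {key_tag(rd) for rd in rdatas}
    report = []
    for tag, alg, dtype, digest in ds_records:
        candidates = [rd for rd in rdatas if key_tag(rd) == tag and rd[3] == alg]
        matched = any(ds_digest(owner, rd, dtype) == digest.upper() for rd in candidates)
        report.append((tag, dtype, matched))
    return tags, report


def chain_is_linked(owner, dnskeys, ds_records):
    """True if at least one DS in the parent points at a DNSKEY in the child."""
    _, report = check_ds(owner, dnskeys, ds_records)
    return any(matched for _, _, matched in report)


if __name__ == "__main__":
    tags, report = check_ds("cms.gov.", CMS_GOV_DNSKEYS, CMS_GOV_DS)
    print("DNSKEY key tags in child:", sorted(tags))
    for tag, dtype, matched in report:
        print(f"DS tag {tag} digest type {dtype}: {'OK' if matched else 'no matching DNSKEY'}")
    print("chain linked:", chain_is_linked("cms.gov.", CMS_GOV_DNSKEYS, CMS_GOV_DS))
```

Run as-is it prints the child's key tags and one line per DS record. The practical point is that a matching key tag alone is not enough: the digest is recomputed over owner name plus RDATA exactly as a validator does, so pasting in the output of a fresh `dig ds` and `dig +cd dnskey +multi` pair is how you confirm a fix like the one Richard reports for medicare.gov.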
-- f.anthony.n.finch http://dotat.at/ From dmm at 1-4-5.net Thu Dec 30 17:19:52 2010 From: dmm at 1-4-5.net (David Meyer) Date: Thu, 30 Dec 2010 15:19:52 -0800 Subject: [NANOG-announce] NANOG 51 in coming up at the end of January....submit your talks now! Message-ID: Folks, NANOG 51 is coming up a the end of January. If you like to submit a talk or tutorial, please create an account on https://pc.nanog.org (if you don't have one) and submit your materials. Thanks, and everyone have a safe and happy new year. Dave (for the NANOG PC) -------------- next part -------------- _______________________________________________ NANOG-announce mailing list NANOG-announce at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-announce From bruns at 2mbit.com Thu Dec 30 18:38:26 2010 From: bruns at 2mbit.com (Brielle Bruns) Date: Thu, 30 Dec 2010 17:38:26 -0700 Subject: Looking for a Cisco network/server admin In-Reply-To: <4D1CE1CF.7070803@2mbit.com> References: <4D1CE1CF.7070803@2mbit.com> Message-ID: <4D1D2602.5010901@2mbit.com> On 12/30/10 12:47 PM, Brielle Bruns wrote: > Hello all, > > I was wondering if someone could direct me offlist to a Cisco > network/admin that could fix a mail server on their network that is out > of sync time wise. Not a big deal, but I figured I'd ask. :) > I believe I may have been a bit unclear with what I'm looking for. :) I meant, theres a cisco.com mail server that is out of sync time wise, was wondering if one of their network admins or server admins lurks on the list that could fix their server that is having issues if I provide them with the details. Sorry, been a busy day at the shop and I'm trying to multitask and its not working as well as I'd have hoped. 
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org From jra at baylink.com Thu Dec 30 21:57:58 2010 From: jra at baylink.com (Jay Ashworth) Date: Thu, 30 Dec 2010 22:57:58 -0500 (EST) Subject: .gov DNSSEC operational message In-Reply-To: <20101229165652.GB2294@vacation.karoshi.com.> Message-ID: <16259115.3570.1293767878943.JavaMail.root@benjamin.baylink.com> Bill Manning saith: > who intimated that the OOB channel would be http? since that is based > on the DNS, i'd like to think it was suspect as well. :) No it's not, Bill, not *necessarily*; you know better than that. :-) Cheers, -- jra From tariq198487 at hotmail.com Fri Dec 31 08:34:07 2010 From: tariq198487 at hotmail.com (Tarig Ahmed) Date: Fri, 31 Dec 2010 06:34:07 -0800 Subject: Modify BGP AS Path Message-ID: Dear all Hi Is there any way to change AS Path "no prepend". I am in a situation needs some Prifixes to look like it comes from my ASN ( not private ASN). Thanks From rs at seastrom.com Fri Dec 31 09:00:40 2010 From: rs at seastrom.com (Robert E. Seastrom) Date: Fri, 31 Dec 2010 10:00:40 -0500 Subject: POE bump-in-the-wire conversion Message-ID: Perhaps someone from this august list can offer a clue here. Have: Cisco 3524-PWR (paleo-POE, pre-802.3af Cisco standard). It runs the 7960Gs great. Have: Wireless AP stuff that wants 12v on the unused pairs for passive POE. 48v will let the magic smoke out. Might buy: phone that does 802.3af Want to run these with the 3524-PWR. I can't imagine that nobody makes a bump-in-the-wire converter for this application, but haven't been able to find anything other than 802.3af to the passive POE use case. Anyone got a pointer for me? 
Thanks, -r From swm at emanon.com Fri Dec 31 09:14:00 2010 From: swm at emanon.com (Scott Morris) Date: Fri, 31 Dec 2010 10:14:00 -0500 Subject: Modify BGP AS Path In-Reply-To: References: Message-ID: <4D1DF338.5040502@emanon.com> Well, you could always aggregate them (even same prefix) in your own ASN and that would generate a fresh version of the route... Scott On 12/31/10 9:34 AM, Tarig Ahmed wrote: Dear all Hi Is there any way to change AS Path "no prepend". I am in a situation needs some Prefixes to look like it comes from my ASN ( not private ASN). Thanks From tagno25 at gmail.com Fri Dec 31 09:26:19 2010 From: tagno25 at gmail.com (Philip Dorr) Date: Fri, 31 Dec 2010 09:26:19 -0600 Subject: POE bump-in-the-wire conversion In-Reply-To: References: Message-ID: The Ubiquiti Instant 802.3af seems to do what you want (as long as the equipment can handle 16v) http://ubnt.com/8023af http://ubnt.com/downloads/instant8023af.pdf On Fri, Dec 31, 2010 at 9:00 AM, Robert E. Seastrom wrote: > > Perhaps someone from this august list can offer a clue here. > > Have: Cisco 3524-PWR (paleo-POE, pre-802.3af Cisco standard). > > It runs the 7960Gs great. > > Have: Wireless AP stuff that wants 12v on the unused pairs for > passive POE. 48v will let the magic smoke out. > > Might buy: phone that does 802.3af > > Want to run these with the 3524-PWR. > > I can't imagine that nobody makes a bump-in-the-wire converter for > this application, but haven't been able to find anything other than > 802.3af to the passive POE use case. > > Anyone got a pointer for me? > > Thanks, > > -r > > > From tad1214 at gmail.com Fri Dec 31 11:42:21 2010 From: tad1214 at gmail.com (Thomas Donnelly) Date: Fri, 31 Dec 2010 11:42:21 -0600 Subject: POE bump-in-the-wire conversion In-Reply-To: References: Message-ID: We have some Aastra 9480i phones that are 802.3 af running off of a cisco 3550 that are Pre-Standard power.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps646/prod_qas09186a00800913d3.html "Q. Does the Cisco Catalyst 3550-24 PWR Switch support the 802.3af inline power standard? A. No, this switch supports Cisco Pre-Standard Power over Ethernet. The Catalyst 3750 Series and Catalyst 3560 Series support the Cisco Pre-Standard Power over Ethernet and IEEE 802.3af Power over Ethernet." I used the command power inline delay shutdown 20 initial 100 on the ports connected to the phones and it seems to be working just fine. It may just be a lucky break for us but something worth trying? -=Tom On Fri, 31 Dec 2010 09:00:40 -0600, Robert E. Seastrom wrote: > > Perhaps someone from this august list can offer a clue here. > > Have: Cisco 3524-PWR (paleo-POE, pre-802.3af Cisco standard). > > It runs the 7960Gs great. > > Have: Wireless AP stuff that wants 12v on the unused pairs for > passive POE. 48v will let the magic smoke out. > > Might buy: phone that does 802.3af > > Want to run these with the 3524-PWR. > > I can't imagine that nobody makes a bump-in-the-wire converter for > this application, but haven't been able to find anything other than > 802.3af to the passive POE use case. > > Anyone got a pointer for me? > > Thanks, > > -r > > -- Using Opera's revolutionary email client: http://www.opera.com/mail/ From rs at seastrom.com Fri Dec 31 11:49:19 2010 From: rs at seastrom.com (Robert E. Seastrom) Date: Fri, 31 Dec 2010 12:49:19 -0500 Subject: POE bump-in-the-wire conversion In-Reply-To: (Philip Dorr's message of "Fri, 31 Dec 2010 09:26:19 -0600") References: Message-ID: <86k4ipsuhs.fsf@seastrom.com> I was aware of this device (being a big Ubiquiti fan), but have yet to find anyone who has direct experience with using them on a 3524-PWR. Have you actually tried this (on a 3524-PWR, not a 3550 or anything later-but-pre-standard)? The equipment will be quite happy with 16v... 
-r Philip Dorr writes: > The Ubiquiti Instant 802.3af seems to do what you want (as long as the > equipment can handle 16v) > > http://ubnt.com/8023af > http://ubnt.com/downloads/instant8023af.pdf > > On Fri, Dec 31, 2010 at 9:00 AM, Robert E. Seastrom wrote: >> >> Perhaps someone from this august list can offer a clue here. >> >> Have: Cisco 3524-PWR (paleo-POE, pre-802.3af Cisco standard). >> >> It runs the 7960Gs great. >> >> Have: Wireless AP stuff that wants 12v on the unused pairs for >> passive POE. 48v will let the magic smoke out. >> >> Might buy: phone that does 802.3af >> >> Want to run these with the 3524-PWR. >> >> I can't imagine that nobody makes a bump-in-the-wire converter for >> this application, but haven't been able to find anything other than >> 802.3af to the passive POE use case. >> >> Anyone got a pointer for me? >> >> Thanks, >> >> -r >> >> >> From tariq198487 at hotmail.com Fri Dec 31 12:27:31 2010 From: tariq198487 at hotmail.com (Tarig Ahmed) Date: Fri, 31 Dec 2010 10:27:31 -0800 Subject: Modify BGP AS Path In-Reply-To: <4D1DF338.5040502@emanon.com> References: <4D1DF338.5040502@emanon.com> Message-ID: Hi all Thanks Scott, aggregate with suppress-map. I managed to solve my problem. In fact, I have customers get to my POPs via MPLS VPN L3, through another ISP, this is why I have got to remove this ISP ASN from my customers AS path. Thanks Tarig Yassin Ahmed On Dec 31, 2010, at 7:14 AM, Scott Morris wrote: > Well, you could always aggregate them (even same prefix) in your own > ASN and that would generate a fresh version of the route... > > Scott > On 12/31/10 9:34 AM, Tarig Ahmed wrote: > > Dear all > Hi > Is there any way to change AS Path "no prepend". > I am in a situation needs some Prefixes to look like it comes from > my ASN ( not private ASN).
> Thanks > From mloftis at wgops.com Fri Dec 31 13:08:04 2010 From: mloftis at wgops.com (Michael Loftis) Date: Fri, 31 Dec 2010 12:08:04 -0700 Subject: POE bump-in-the-wire conversion In-Reply-To: <86k4ipsuhs.fsf@seastrom.com> References: <86k4ipsuhs.fsf@seastrom.com> Message-ID: On Fri, Dec 31, 2010 at 10:49 AM, Robert E. Seastrom wrote: > > I was aware of this device (being a big Ubiquiti fan), but have yet to > find anyone who has direct experience with using them on a 3524-PWR. > > Have you actually tried this (on a 3524-PWR, not a 3550 or anything > later-but-pre-standard)? ?The equipment will be quite happy with > 16v... I've actually used them in other applications. They're a standard 802.3af device, and they just step-down to 16V @ 0.8A (max) though they seemed to get a bit warm at 0.8A but worked fine, haven't had one die yet. To the switch they are a 100% 802.3af device so may not work with the 3524-PWR. I've not tried any 802.3af devices with the 3524-PWR, I have gone the other way (802.3af injector/switch with pre-standard devices that accepted 48V) -- You might be better off upgrading to an 802.3af switch or using a seperate 802.3af power injector device/devices, enterasys for example makes a 20 port injector (last I checked) among others. Most almost all 802.3af units will also do a Cisco compatible 'pre standard' mode for the older 7900 series phones that aren't 802.3af. Pre standard cisco POE is limited to about 10W, as IIRC, it uses only one pair (pins 1,2) for DC power, the device has a low pass filter to get rid of the DC component for the ethernet receiver hardware. 802.3af doesn't define which wires/pins to use but generally will use the unused pairs, 4,5 and 7,8 for DC+ and DC-, unless it's gig-e, then it uses 1,2 and 3,6 (again this is just my experience with some Netgear and HP gear and doesn't necessarily represent anything else). 
The use of pins 1,2 for power is possibly also why you don't see pre-standard to 802.3af because there's far less available power, AND, you'd have to build a low pass filter and possibly regenerate the Ethernet signal to make it work too. Combine that with cheap 802.3af injectors (either rack/multiport units, or single units) there's not a lot of incentive for hardware manufacturers to build such devices either. > > -r > > Philip Dorr writes: > >> The Ubuquti Instant 802.3af seems to do what you want (as long as the >> equipment can handle 16v) >> >> http://ubnt.com/8023af >> http://ubnt.com/downloads/instant8023af.pdf >> >> On Fri, Dec 31, 2010 at 9:00 AM, Robert E. Seastrom wrote: >>> >>> Perhaps someone from this august list can offer a clue here. >>> >>> Have: ?Cisco 3524-PWR ?(paleo-POE, pre-802.3af Cisco standard). >>> >>> It runs the 7960Gs great. >>> >>> Have: ?Wireless AP stuff that wants 12v on the unused pairs for >>> passive POE. ?48v will let the magic smoke out. >>> >>> Might buy: ?phone that does 802.3af >>> >>> Want to run these with the 3524-PWR. >>> >>> I can't imagine that nobody makes a bump-in-the-wire converter for >>> this application, but haven't been able to find anything other than >>> 802.3af to the passive POE use case. >>> >>> Anyone got a pointer for me? >>> >>> Thanks, >>> >>> -r >>> >>> >>> > > From swm at emanon.com Fri Dec 31 14:17:57 2010 From: swm at emanon.com (Scott Morris) Date: Fri, 31 Dec 2010 15:17:57 -0500 Subject: Modify BGP AS Path In-Reply-To: References: <4D1DF338.5040502@emanon.com> Message-ID: <4D1E3A75.5020405@emanon.com> No worries. Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713, CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al. CCSI #21903, JNCI-M, JNCI-ER [1]swm at emanon.com Knowledge is power. Power corrupts. Study hard and be Eeeeviiiil...... On 12/31/10 1:27 PM, Tarig Ahmed wrote: Hi all Thanks Scott, aggregate with suppress-map. I managed to solve my problem. 
In fact, I have customers who get to my POPs via MPLS VPN L3 through another ISP; this is why I have to remove this ISP's ASN from my customers' AS path. Thanks Tarig Yassin Ahmed On Dec 31, 2010, at 7:14 AM, Scott Morris wrote: Well, you could always aggregate them (even same prefix) in your own ASN and that would generate a fresh version of the route... Scott On 12/31/10 9:34 AM, Tarig Ahmed wrote: Dear all Hi Is there any way to change the AS path ("no prepend")? I am in a situation that needs some prefixes to look like they come from my ASN (not a private ASN). Thanks From cidr-report at potaroo.net Fri Dec 31 16:00:04 2010 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 31 Dec 2010 22:00:04 GMT Subject: BGP Update Report Message-ID: <201012312200.oBVM04va057076@wattle.apnic.net> BGP Update Report Interval: 23-Dec-10 -to- 30-Dec-10 (7 days) Observation Point: BGP Peering with AS131072 TOP 20 Unstable Origin AS Rank ASN Upds % Upds/Pfx AS-Name 1 - AS17974 23183 2.2% 22.0 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia 2 - AS7633 21038 2.0% 146.1 -- SOFTNET-AS-AP Software Technology Parks of India - Bangalore 3 - AS18025 18863 1.8% 509.8 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network 4 - AS32528 18622 1.8% 4655.5 -- ABBOTT Abbot Labs 5 - AS25617 16279 1.6% 2325.6 -- SMITHNEPHEW - Smith and Nephew, Inc. 6 - AS33475 15760 1.5% 90.1 -- RSN-1 - RockSolid Network, Inc. 7 - AS9829 10889 1.0% 21.6 -- BSNL-NIB National Internet Backbone 8 - AS10113 9437 0.9% 555.1 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD 9 - AS9498 8759 0.8% 36.2 -- BBIL-AP BHARTI Airtel Ltd. 
10 - AS5800 8690 0.8% 40.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center 11 - AS6714 8128 0.8% 95.6 -- ATOMNET ATOM SA 12 - AS27968 7422 0.7% 103.1 -- CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP 13 - AS25019 6813 0.7% 46.0 -- SAUDINETSTC-AS Autonomus System Number for SaudiNet 14 - AS24554 6155 0.6% 54.0 -- FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet 15 - AS9198 6145 0.6% 23.2 -- KAZTELECOM-AS JSC Kazakhtelecom 16 - AS2828 5964 0.6% 497.0 -- XO-AS15 - XO Communications 17 - AS8402 5840 0.6% 10.4 -- CORBINA-AS Corbina Telecom 18 - AS36992 5693 0.6% 30.8 -- ETISALAT-MISR 19 - AS3475 5587 0.5% 242.9 -- LANT-AFLOAT - Navy Network Information Center (NNIC) 20 - AS21826 5292 0.5% 20.2 -- Internet Cable Plus C. A. TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASN Upds % Upds/Pfx AS-Name 1 - AS32528 18622 1.8% 4655.5 -- ABBOTT Abbot Labs 2 - AS17408 3090 0.3% 3090.0 -- ABOVE-AS-AP AboveNet Communications Taiwan 3 - AS4454 2951 0.3% 2951.0 -- TNET-AS - State of Tennessee 4 - AS17874 2843 0.3% 2843.0 -- NPC-AS-KR National Pension Corporation 5 - AS43534 2641 0.2% 2641.0 -- CREDITCALL CreditCall Ltd 6 - AS28666 4967 0.5% 2483.5 -- HOSTLOCATION LTDA 7 - AS25617 16279 1.6% 2325.6 -- SMITHNEPHEW - Smith and Nephew, Inc. 8 - AS35931 3130 0.3% 1565.0 -- ARCHIPELAGO - ARCHIPELAGO HOLDINGS INC 9 - AS49600 1562 0.1% 1562.0 -- LASEDA La Seda de Barcelona, S.A 10 - AS34239 1494 0.1% 1494.0 -- INTERAMERICAN General Insurance Company 11 - AS24923 5212 0.5% 1042.4 -- SETTC South-East Transtelecom Joint Stock Co. 12 - AS23493 1016 0.1% 1016.0 -- ACUITY - Acuity, A Mutual Insurance Company 13 - AS22575 2775 0.3% 925.0 -- MASSMUTUAL2 - MassMutual Financial Services 14 - AS27771 1772 0.2% 886.0 -- Instituto Venezolano de Investigaciones Cientificas 15 - AS52252 835 0.1% 835.0 -- Entel PCS Telecomunicaciones S.A. 
(Sis) 16 - AS1959 2483 0.2% 827.7 -- DMSLABNET - DoD Network Information Center 17 - AS16800 758 0.1% 758.0 -- NBS90 18 - AS2685 1425 0.1% 712.5 -- ASATTCA AT&T Global Network Services - CA 19 - AS45550 689 0.1% 689.0 -- NGT-AS-VN New Generations Telecommunications Corporation 20 - AS14251 589 0.1% 589.0 -- MLSLI - Multiple Lising Service of Long Island, Inc. TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 202.182.78.0/23 9405 0.8% AS10113 -- DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD 2 - 130.36.34.0/24 9309 0.8% AS32528 -- ABBOTT Abbot Labs 3 - 130.36.35.0/24 9309 0.8% AS32528 -- ABBOTT Abbot Labs 4 - 202.92.235.0/24 7731 0.7% AS9498 -- BBIL-AP BHARTI Airtel Ltd. 5 - 144.243.215.0/24 5993 0.5% AS11228 -- ARINC - ARINC, Inc. AS22773 -- ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS4323 -- TWTC - tw telecom holdings, inc. 6 - 182.54.148.0/22 5504 0.5% AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network 7 - 213.129.96.0/19 5193 0.5% AS24923 -- SETTC South-East Transtelecom Joint Stock Co. 8 - 189.1.173.0/24 4962 0.4% AS28666 -- HOSTLOCATION LTDA 9 - 216.126.136.0/22 4912 0.4% AS6316 -- AS-PAETEC-NET - PaeTec Communications, Inc. 
10 - 68.65.152.0/22 3776 0.3% AS11915 -- TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC 11 - 206.184.16.0/24 3529 0.3% AS174 -- COGENT Cogent/PSI 12 - 101.78.20.0/22 3386 0.3% AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network 13 - 101.78.24.0/22 3382 0.3% AS18025 -- ACE-1-WIFI-AS-AP Ace-1 Wifi Network 14 - 202.153.174.0/24 3090 0.3% AS17408 -- ABOVE-AS-AP AboveNet Communications Taiwan 15 - 192.122.247.0/24 2962 0.3% AS2828 -- XO-AS15 - XO Communications 16 - 192.122.246.0/24 2961 0.3% AS2828 -- XO-AS15 - XO Communications 17 - 170.141.231.0/24 2951 0.3% AS4454 -- TNET-AS - State of Tennessee 18 - 211.173.99.0/24 2843 0.2% AS17874 -- NPC-AS-KR National Pension Corporation 19 - 91.197.95.0/24 2641 0.2% AS43534 -- CREDITCALL CreditCall Ltd 20 - 189.85.51.0/24 2599 0.2% AS28175 -- Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From cidr-report at potaroo.net Fri Dec 31 16:00:00 2010 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 31 Dec 2010 22:00:00 GMT Subject: The Cidr Report Message-ID: <201012312200.oBVM007l057068@wattle.apnic.net> This report has been generated at Fri Dec 31 21:12:12 2010 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date Prefixes CIDR Agg 24-12-10 340958 199907 25-12-10 341085 199874 26-12-10 341319 199908 27-12-10 341263 200181 28-12-10 341394 200262 29-12-10 340871 200480 30-12-10 341173 200707 31-12-10 341294 200724 AS Summary 36379 Number of ASes in routing system 15472 Number of ASes announcing only one prefix 3726 Largest number of prefixes announced by an AS AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. 
106110208 Largest address span announced by an AS (/32s) AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 31Dec10 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 341532 200736 140796 41.2% All ASes AS6389 3726 272 3454 92.7% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS4323 2638 406 2232 84.6% TWTC - tw telecom holdings, inc. AS19262 1840 286 1554 84.5% VZGNI-TRANSIT - Verizon Online LLC AS4766 1902 539 1363 71.7% KIXS-AS-KR Korea Telecom AS6478 1443 246 1197 83.0% ATT-INTERNET3 - AT&T Services, Inc. AS22773 1261 83 1178 93.4% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS4755 1391 335 1056 75.9% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS1785 1792 764 1028 57.4% AS-PAETEC-NET - PaeTec Communications, Inc. AS28573 1219 352 867 71.1% NET Servicos de Comunicao S.A. AS7545 1554 711 843 54.2% TPG-INTERNET-AP TPG Internet Pty Ltd AS6503 1194 361 833 69.8% Axtel, S.A.B. de C.V. AS10620 1344 550 794 59.1% Telmex Colombia S.A. AS18101 912 150 762 83.6% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS7303 839 122 717 85.5% Telecom Argentina S.A. AS4808 1019 315 704 69.1% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS24560 1056 352 704 66.7% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS3356 1185 489 696 58.7% LEVEL3 Level 3 Communications AS8151 1350 661 689 51.0% Uninet S.A. de C.V. AS17488 939 299 640 68.2% HATHWAY-NET-AP Hathway IP Over Cable Internet AS9498 734 111 623 84.9% BBIL-AP BHARTI Airtel Ltd. AS18566 1095 475 620 56.6% COVAD - Covad Communications Co. AS11492 1289 678 611 47.4% CABLEONE - CABLE ONE, INC. AS17676 645 68 577 89.5% GIGAINFRA Softbank BB Corp. 
AS855 630 55 575 91.3% CANET-ASN-4 - Bell Aliant Regional Communications, Inc. AS22047 560 31 529 94.5% VTR BANDA ANCHA S.A. AS14420 590 86 504 85.4% CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP AS3549 854 357 497 58.2% GBLX Global Crossing Ltd. AS9443 571 75 496 86.9% INTERNETPRIMUS-AS-AP Primus Telecommunications AS4804 571 77 494 86.5% MPX-AS Microplex PTY LTD AS7011 1174 683 491 41.8% FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc. Total 37317 9989 27328 73.2% Top 30 total Possible Bogus Routes 5.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 5.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 5.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 23.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 24.129.192.0/19 AS7922 COMCAST-7922 - Comcast Cable Communications, Inc. 37.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 37.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 37.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 37.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 41.222.79.0/24 AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited 41.223.92.0/22 AS36936 CELTEL-GABON Celtel Gabon Internet Service 46.245.0.0/17 AS47262 HAMARA-AS Hamara System Tabriz Engineering Company 62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV 62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV 64.21.192.0/20 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.212.0/22 AS11610 INETNEBR-1 - Internet Nebraska Corporation 64.21.216.0/21 AS11610 INETNEBR-1 - Internet Nebraska Corporation 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION 66.206.32.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.33.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.34.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.35.0/24 AS17787 PSEB-AS-PK Pakistan Software Export Board 66.206.47.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 66.207.32.0/20 AS23011 66.245.176.0/20 AS19318 
NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC 69.6.80.0/24 AS13442 69.6.81.0/24 AS13442 71.19.134.0/23 AS3313 INET-AS I.NET S.p.A. 72.22.32.0/19 AS33150 72.22.61.0/24 AS33150 72.22.62.0/24 AS33150 76.77.32.0/19 AS2828 XO-AS15 - XO Communications 80.88.10.0/24 AS33774 DJAWEB 80.88.12.0/24 AS33779 wataniya-telecom-as 96.45.161.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.162.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.163.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.164.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.165.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.166.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.167.0/24 AS3257 TINET-BACKBONE Tinet SpA 96.45.168.0/21 AS3257 TINET-BACKBONE Tinet SpA 100.0.0.0/8 AS237 MERIT-ASN Merit Network Inc. 110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas 110.173.64.0/19 AS37963 CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd. 115.42.28.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.30.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.31.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.40.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.42.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.43.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.44.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.47.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.48.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.49.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.50.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.51.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.52.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.53.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.54.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.55.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.56.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.57.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.58.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.59.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.61.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 115.42.62.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 
115.42.63.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 116.68.136.0/21 AS28045 Pantel Communications 117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP 121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 121.200.192.0/24 AS17767 122.200.32.0/20 AS7018 ATT-INTERNET4 - AT&T Services, Inc. 122.200.40.0/21 AS38272 142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc. 158.222.70.0/23 AS6137 SISNA - SISNA, Inc. 158.222.72.0/23 AS6137 SISNA - SISNA, Inc. 158.222.224.0/20 AS19864 O1COMM - O1 COMMUNICATIONS 158.222.224.0/22 AS19864 O1COMM - O1 COMMUNICATIONS 158.222.229.0/24 AS19864 O1COMM - O1 COMMUNICATIONS 172.12.0.0/18 AS28665 PredialNet Provedor de Internet Ltda. 176.0.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.0.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 176.1.24.0/24 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 190.102.32.0/20 AS30058 FDCSERVERS - FDCservers.net 192.9.0.0/16 AS11479 BRM-SUN-AS - Sun Microsystems, Inc 192.64.85.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.69.108.0/24 AS1759 TSF-IP-CORE TeliaSonera Finland IP Network 192.101.46.0/24 AS6503 Axtel, S.A.B. de C.V. 192.101.64.0/21 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.70.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.71.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 192.101.72.0/24 AS702 AS702 Verizon Business EMEA - Commercial IP service provider in Europe 192.101.74.0/24 AS1239 SPRINTLINK - Sprint 192.124.252.0/22 AS680 DFN-IP service G-WiN 192.131.233.0/24 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 
192.154.32.0/19 AS81 NCREN - MCNC 192.154.64.0/19 AS81 NCREN - MCNC 192.188.208.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 196.2.224.0/22 AS24863 LINKdotNET-AS 196.6.108.0/24 AS5713 SAIX-NET 196.13.201.0/24 AS2018 TENET-1 196.13.202.0/24 AS2018 TENET-1 196.13.203.0/24 AS2018 TENET-1 196.13.204.0/24 AS2018 TENET-1 196.110.105.0/24 AS8513 SKYVISION SkyVision Network Services 196.202.224.0/21 AS8818 TELE Greenland Autonomous System 198.1.2.0/24 AS4761 INDOSAT-INP-AP INDOSAT Internet Network Provider 198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc. 198.73.210.0/24 AS21570 ACI-1 - Accelerated Connections Inc. 198.74.38.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.39.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.74.40.0/24 AS16966 SBCIDC-LSAN03 - AT&T Internet Services 198.97.72.0/21 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.97.96.0/19 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.97.240.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 198.99.241.0/24 AS11797 AC-NIELSEN-AS AC NIELSEN 198.161.87.0/24 AS6539 GT-BELL - Bell Canada 198.163.214.0/24 AS21804 ACCESS-SK - Access Communications Co-operative Limited 198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc. 198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 198.169.0.0/16 AS803 SASKTEL - Saskatchewan Telecommunications 198.180.198.0/24 AS23715 SEOUL-INTGW-GXS-AP Global Exchange Services 198.182.235.0/24 AS3356 LEVEL3 Level 3 Communications 199.16.32.0/19 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 199.121.0.0/16 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 199.123.16.0/20 AS721 DNIC-ASBLK-00721-00726 - DoD Network Information Center 199.185.130.0/23 AS19662 UNISERVE-ONLINE - Uniserve On Line 199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. 
d/b/a Verizon Business 199.202.216.0/21 AS577 BACOM - Bell Canada 199.233.92.0/24 AS26896 D102-ITC - Data 102, LLC 199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business 200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC. 200.24.73.0/24 AS26061 Equant Colombia 200.24.78.0/26 AS3549 GBLX Global Crossing Ltd. 200.24.78.64/26 AS3549 GBLX Global Crossing Ltd. 202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000 202.9.55.0/24 AS2764 AAPT AAPT Limited 202.9.57.0/24 AS2764 AAPT AAPT Limited 202.38.63.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.58.113.0/24 AS19161 202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company 202.66.128.0/18 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/19 AS9584 GENESIS-AP Diyixian.com Limited 202.66.160.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.176.0/20 AS9584 GENESIS-AP Diyixian.com Limited 202.66.184.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.186.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.188.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.189.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.66.190.0/24 AS9584 GENESIS-AP Diyixian.com Limited 202.73.144.0/20 AS4788 TMNET-AS-AP TM Net, Internet Service Provider 202.86.252.0/22 AS4748 RESOLINK-AS-AP Resources Link Network Limited 202.86.252.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.133.37.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.133.73.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network 
China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.150.227.0/24 AS17727 NAPINFO-AS-AP PT. NAP Info Lintas Nusa 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd. 202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.130.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.131.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.133.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 202.179.144.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.149.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.179.150.0/24 AS17557 PKTELECOM-AS-PK Pakistan Telecommunication Company Limited 202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd 203.18.156.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.22.78.0/24 AS18117 HARBOURMSP-AU-AP Harbour MSP Pty. 
Ltd 203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.27.123.0/24 AS4739 CIX-ADELAIDE-AS Internode Systems Pty Ltd 203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.114.0/24 AS4802 ASN-IINET iiNet Limited 203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd 203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd. 203.142.219.0/24 AS45149 203.175.107.0/24 AS45595 PKTELECOM-AS-PK Pakistan Telecom Company Limited 204.9.216.0/23 AS6389 BELLSOUTH-NET-BLK - BellSouth.net Inc. 204.10.232.0/21 AS33150 204.19.14.0/23 AS577 BACOM - Bell Canada 204.209.114.0/24 AS13768 PEER1 - Peer 1 Network Inc. 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 205.189.134.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 205.207.148.0/23 AS812 ROGERS-CABLE - Rogers Cable Communications Inc. 
205.210.145.0/24 AS11814 DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD. 206.72.192.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.72.194.0/23 AS16526 BIRCH-TELECOM - Birch Telecom, Inc. 206.123.129.0/24 AS10790 INREACH-AS - InReach Internet 206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc. 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.188.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.189.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.190.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.191.0/24 AS26116 INDRA - Indra's Net Inc. 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 208.64.200.0/22 AS11730 CIL-ASN - Circle Internet LTD 208.64.240.0/21 AS13871 TELEBYTE-NW - Telebyte NW 208.73.160.0/24 AS32767 208.78.165.0/24 AS16565 208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC 208.83.54.0/24 AS23485 SEI-LLC-AS-NUM - SEI LLC 208.92.196.0/22 AS10929 NETELLIGENT - Netelligent Hosting Services Inc. 208.92.199.0/24 AS26198 3MENATWORK - 3Men at Work Integrated Networks, Inc. 
209.54.123.0/24 AS6062 NETPLEX - NETPLEX 209.105.224.0/19 AS20074 209.165.239.0/24 AS209 ASN-QWEST - Qwest Communications Company, LLC 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 209.213.1.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 209.213.4.0/24 AS7849 CROCKERCOM - CROCKER COMMUNICATIONS 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED 216.10.235.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.10.236.0/24 AS13780 NTNCOMMUNICATIONS - NTN 216.21.196.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.201.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.202.0/24 AS12251 INVISION - Invision.com, Inc. 216.21.206.0/23 AS12251 INVISION - Invision.com, Inc. 216.58.192.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.197.0/24 AS22702 X5SOLUTIONS - X5 Solutions, Inc. 216.58.200.0/24 AS18530 ISOMEDIA-1 - Isomedia Inc. 216.172.198.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.172.199.0/24 AS22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. 216.250.112.0/20 AS7296 ALCHEMYNET - Alchemy Communications, Inc. 
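The CIDR Report's aggregation summary above states its rule in one sentence: aggregation is proposed only where the AS path matches precisely, and also across unadvertised holes. The Python below is an added example, not code from the report or from potaroo.net, that implements that rule as I read it over a small constructed routing table (documentation prefixes and private ASNs) and produces per-origin NetsNow/NetsAggr/NetGain/%Gain figures in the report's own columns. Two details are my assumptions rather than the report's: a sibling block that carries a different AS path blocks the merge outright (a more-specific with a different path is never covered by a proposed aggregate), and `min_prefixlen` caps how far an aggregate may grow across holes, because the report does not state its bound. The result also makes the practical caveat visible: an aggregate proposed across a hole (198.51.104.0/22 in the constructed input) covers address space its origin does not currently announce, so whether it may actually be announced is an allocation and policy question that the aggregation count alone does not answer.

```python
import ipaddress
from collections import Counter

# Constructed sample routing table (documentation prefixes, private ASNs); not data
# from the report. One entry per line: prefix, then the AS path as seen by the
# observer with the origin AS last.
SAMPLE_TABLE = """
# prefix            AS path (observer's neighbour first, origin AS last)
198.51.100.0/24     64496 64500
198.51.100.0/25     64496 64500
198.51.101.0/24     64496 64500
198.51.102.0/24     64496 64500
198.51.103.0/24     64496 64501
198.51.104.0/24     64496 64500
198.51.106.0/24     64496 64500
203.0.113.0/25      64496 64502
203.0.113.128/25    64496 64503
192.0.2.0/24        64496 64500
"""


def load_table(text):
    """Parse 'prefix AS AS ...' lines into {IPv4Network: as_path tuple}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[ipaddress.ip_network(fields[0], strict=True)] = tuple(int(a) for a in fields[1:])
    return table


def _paths_within(table, space):
    """Set of AS paths announced inside `space`; an empty set means `space` is a hole."""
    return {path for net, path in table.items() if net.subnet_of(space)}


def _aggregate_subtree(table, space, covered_by, min_prefixlen):
    """Minimal announcements needed for `space`, given that an enclosing aggregate
    with AS path `covered_by` (or None) is already announced. Walks the implicit
    binary prefix trie top-down."""
    paths = _paths_within(table, space)
    if not paths or paths == {covered_by}:
        return []  # a hole, or space already served by the enclosing same-path aggregate
    children = list(space.subnets()) if space.prefixlen < space.max_prefixlen else []
    populated = [c for c in children if _paths_within(table, c)]
    if len(paths) == 1 and space.prefixlen >= min_prefixlen:
        (path,) = paths
        if space in table or len(populated) == 2:
            # Everything below carries one AS path: one announcement serves the block.
            # If part of it is a hole, the aggregate covers that hole (the report's rule).
            return [(space, path)]
        # Only one half is populated and this block is not announced: announcing here
        # saves nothing, so descend into the populated half.
        return _aggregate_subtree(table, populated[0], covered_by, min_prefixlen)
    # Several AS paths below (or above the floor): keep this block only if it is a
    # real, non-redundant announcement, then resolve each half on its own so that
    # transit policy is preserved.
    out = []
    if space in table and table[space] != covered_by:
        covered_by = table[space]
        out.append((space, covered_by))
    for child in populated:
        out.extend(_aggregate_subtree(table, child, covered_by, min_prefixlen))
    return out


def aggregate(table, min_prefixlen=16):
    """Return {network: as_path} after aggregation. `min_prefixlen` is an assumed
    floor on how short an aggregate may become across holes."""
    root = ipaddress.ip_network("0.0.0.0/0")
    return dict(_aggregate_subtree(table, root, None, min_prefixlen))


def aggregate_text(text, min_prefixlen=16):
    """Convenience wrapper: text table in, sorted 'prefix AS AS' lines out."""
    return [f"{net} {' '.join(map(str, path))}"
            for net, path in sorted(aggregate(load_table(text), min_prefixlen).items())]


def summarize(table):
    """Per-origin-AS figures in the report's columns: (NetsNow, NetsAggr, NetGain, %Gain)."""
    aggregated = aggregate(table)
    now = Counter(path[-1] for path in table.values())
    after = Counter(path[-1] for path in aggregated.values())
    rows = {}
    for asn in now:
        gain = now[asn] - after[asn]
        rows[asn] = (now[asn], after[asn], gain, round(100.0 * gain / now[asn], 1))
    return rows


if __name__ == "__main__":
    for line in aggregate_text(SAMPLE_TABLE):
        print(line)
    for asn, row in sorted(summarize(load_table(SAMPLE_TABLE)).items()):
        print("AS%d  NetsNow=%d NetsAggr=%d NetGain=%d %%Gain=%.1f" % ((asn,) + row))
```

Run as a script it prints the aggregated table followed by the per-AS summary. For the constructed input, AS64500's seven entries collapse to four: the redundant 198.51.100.0/25 disappears under its same-path /24, 198.51.100.0/24 and /101.0/24 merge into a /23, and 198.51.104.0/24 plus /106.0/24 merge into a /22 across two unannounced /24 holes, while 198.51.103.0/24 (AS64501) and the two 203.0.113.0/25 halves stay separate because their AS paths differ.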
Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog at merit.edu eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From jra at baylink.com Fri Dec 31 21:36:15 2010 From: jra at baylink.com (Jay Ashworth) Date: Fri, 31 Dec 2010 22:36:15 -0500 (EST) Subject: Happy New Year: Crazy Wiring Message-ID: <20388010.3852.1293852975157.JavaMail.root@benjamin.baylink.com> Here, for those who were involved in the "is that a picture of Manhattan with multiple phone companies" debate last week, is a link to the first of a series of linked blog posts, which contain a lot of those pics, somewhat better cited than I've seen before, along with a large collection of "thank ghod I don't have to deal with that" pictures of wiring catastrophes. http://www.darkroastedblend.com/2007/03/really-bad-wiring-jobs_20.html Happy Gregorian New Year! Cheers, -- jra