From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:21:38 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:21:38 +0900
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To:
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFC611E.70601@necom830.hpcl.titech.ac.jp>
Message-ID: <4F004FD2.5090504@necom830.hpcl.titech.ac.jp>

Christian Esteve wrote:

> Maybe there is some light with Multipath TCP:
> http://www.ietf.org/proceedings/75/slides/mptcp-0.pdf
> http://datatracker.ietf.org/wg/mptcp/charter/

Not bad.

> If you can live without UDP and other issues discussed in this bizarre
> discussion...

UDP connections, if any, by definition totally depend on users (applications), so handling of multiple addresses must depend on application protocols.

The good news is that DNS, the most major application over UDP, supports multiple addresses of name servers from the beginning.

Anyway, you can still live with applications over UDP without support for multiple addresses.

					Masataka Ohta

From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:38:59 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:38:59 +0900
Subject: L3 consequences of WLAN offload in cellular networks (was - endless DHCPv6 thread)
In-Reply-To: <201112301415.32955.a.harrowell@gmail.com>
References: <201112301415.32955.a.harrowell@gmail.com>
Message-ID: <4F0053E3.6050404@necom830.hpcl.titech.ac.jp>

Alexander Harrowell wrote:

> Alternatively, you can work on the assumption that the WLAN
> is solely for nomadic use rather than true mobility, but a
> lot of devices will prefer the WLAN whenever possible.
>
> Thoughts/experiences?

It depends on applications.
If mobile devices act as clients to 3G servers, what is important is not IP addresses but 3G IDs, which must be authenticated even if the mobile devices use WLAN.

On the other hand, if mobile devices act as servers to clients in the Internet, fixed IP addresses, not necessarily IETF standard mobile IP, are required.

Application developers with their own IP address spaces may bundle services for fixed IP addresses with their applications requiring fixed IP addresses.

The applications may use, to maintain the fixed IP addresses, their own protocols at the application layer, or IETF standard mobile IP at the IP layer.

					Masataka Ohta

From mohta at necom830.hpcl.titech.ac.jp Sun Jan 1 06:59:31 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sun, 01 Jan 2012 21:59:31 +0900
Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To:
References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <4EFD893C.8010907@necom830.hpcl.titech.ac.jp>
Message-ID: <4F0058B3.4040302@necom830.hpcl.titech.ac.jp>

Ray Soucy wrote:

> Well, it seems now you've also added the requirement that we also
> dramatically re-write all software that makes use of networking.
> Seemingly for the sake of never admitting that you can be wrong.

Thank you for failing to point out where I am wrong.

> You seem to think that the OSI model is this nice and clean model that
> cleanly separates everything and that you can just freely replace
> chunks of it.

Not at all.
Instead, IPv6 is damaged a lot because of ATM, based on the so nice and clean OSI model.

> Again, it's like you live in a
> theoretical world where physical limitations and operational realities
> don't exist.

A physical limitation and an operational reality is that we cannot remember 16B addresses.

> Go off and write up the RFCs to make this all work, and come back when
> you have a model implementation we can all look at.

As I warned about ten years ago that IPv6, as it was, is not operational, it's not my responsibility to try to make IPv6 operational within a decade or two.

Instead, I am interested in the fact that IPv4 scales well forever with end to end transparency, if port numbers, which may be 16b, 32b or 48b long, are used for routing.

My most recent research result is how to modify the client IPv4 stack to achieve end to end transparency for clients behind UPnP capable NAT.

					Masataka Ohta

From jsmith4112003 at yahoo.co.uk Sun Jan 1 18:12:18 2012
From: jsmith4112003 at yahoo.co.uk (John Smith)
Date: Mon, 2 Jan 2012 00:12:18 +0000 (GMT)
Subject: Does anybody out there use Authentication Header (AH)?
Message-ID: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>

Hi,

I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.

Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?

Regards,
John

From tshaw at oitc.com Sun Jan 1 18:27:27 2012
From: tshaw at oitc.com (TR Shaw)
Date: Sun, 1 Jan 2012 19:27:27 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
Message-ID: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>

On Jan 1, 2012, at 7:12 PM, John Smith wrote:

> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g., the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.

Think of AH as being like just signing a PGPMail and ESP as signing and encrypting a PGPMail.

There are reasons for both.

Tom

From glen.kent at gmail.com Sun Jan 1 18:29:22 2012
From: glen.kent at gmail.com (Glen Kent)
Date: Mon, 2 Jan 2012 05:59:22 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com>
Message-ID:

(Sigh) Here we go again.

AH is a liability and baggage that we're carrying over our weary shoulders. IMO we should have gotten rid of it a long time back. There have been enough emails on multiple forums over this and Google is probably your friend here.

The only reason(s) we have AH is because (i) circa early 1990s, the US had export restrictions on encryption keys > 40 bits and ESP thus had restrictions on how it could be used. AH otoh only did authentication, for which the rules were much more relaxed, AND (ii) people earlier naively believed that AH protected the IP header and ESP couldn't.

AH is a mess if you have NATs deployed, as AH breaks NAT. IPv6 proponents thus saw AH as a tool to push IPv6, since they hated NATs (till someone discovered IPv6 NAT-PT, but that's a different story).

Most people think of ESP as "encryption" - they forget that it can be used for data integrity verification without encryption as well.

Glen

On Mon, Jan 2, 2012 at 5:42 AM, John Smith wrote:
> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

From jsmith4112003 at yahoo.co.uk Sun Jan 1 18:32:08 2012
From: jsmith4112003 at yahoo.co.uk (John Smith)
Date: Mon, 2 Jan 2012 00:32:08 +0000 (GMT)
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com>
Message-ID: <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>

Hi Tom,

Thanks for the reply.

Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?

Regards,
John

________________________________
From: TR Shaw
To: John Smith
Cc: "nanog at nanog.org"
Sent: Monday, 2 January 2012, 5:57
Subject: Re: Does anybody out there use Authentication Header (AH)?

On Jan 1, 2012, at 7:12 PM, John Smith wrote:

> Hi,
>
> I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
>
> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
>
> Regards,
> John

AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.

If you are following NIST or DCID-63, this is required to meet certain integrity requirements.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g., the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
Think of AH as being like just signing a PGPMail and ESP as signing and encrypting a PGPMail.

There are reasons for both.

Tom

From thegameiam at yahoo.com Sun Jan 1 18:36:24 2012
From: thegameiam at yahoo.com (David Barak)
Date: Sun, 1 Jan 2012 16:36:24 -0800 (PST)
Subject: Does anybody out there use Authentication Header (AH)?
Message-ID: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>

It can be used to prevent NAT on an intermediate path, which can be useful under certain circumstances. I have seen it in the wild, both in Internet and private networking contexts.

David Barak

From cra at WPI.EDU Sun Jan 1 18:57:54 2012
From: cra at WPI.EDU (Chuck Anderson)
Date: Sun, 1 Jan 2012 19:57:54 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>
References: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com>
Message-ID: <20120102005754.GR14970@angus.ind.WPI.EDU>

I'm using AH for OSPFv2 and OSPFv3 authentication. For OSPFv3, there is no other option than some kind of IPsec for authentication. I'm also using it for OSPFv2 so I don't have to maintain multiple authentication methods and keys for the different protocols.

From glen.kent at gmail.com Sun Jan 1 19:04:56 2012
From: glen.kent at gmail.com (Glen Kent)
Date: Mon, 2 Jan 2012 06:34:56 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <20120102005754.GR14970@angus.ind.WPI.EDU>
References: <1325464584.87152.YahooMailMobile@web31804.mail.mud.yahoo.com> <20120102005754.GR14970@angus.ind.WPI.EDU>
Message-ID:

On Mon, Jan 2, 2012 at 6:27 AM, Chuck Anderson wrote:
> I'm using AH for OSPFv2 and OSPFv3 authentication. For OSPFv3, there
> is no other option than some kind of IPsec for authentication. I'm
> also using it for OSPFv2 so I don't have to maintain multiple
> authentication methods and keys for the different protocols.
The OSPF WG has come out with a mechanism that can be used to secure OSPFv3 without IPsec:

http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-11

It should get published as an RFC any time now.

BTW, there isn't any standard for using IPsec with OSPFv2, so you're probably using a proprietary solution. I think a better solution is to move to OSPFv3-AT, as it's very similar to OSPFv2 authentication.

Glen

From tshaw at oitc.com Sun Jan 1 19:34:28 2012
From: tshaw at oitc.com (TR Shaw)
Date: Sun, 1 Jan 2012 20:34:28 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com>
Message-ID: <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>

John,

Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.

Again, just like PGPMail as I explained before,

Tom

On Jan 1, 2012, at 7:32 PM, John Smith wrote:

> Hi Tom,
>
> Thanks for the reply.
>
> Why can't we use ESP/NULL for meeting the NIST requirement? Is there something extra that AH offers here?
>
> Regards,
> John
>
> From: TR Shaw
> To: John Smith
> Cc: "nanog at nanog.org"
> Sent: Monday, 2 January 2012, 5:57
> Subject: Re: Does anybody out there use Authentication Header (AH)?
>
>
> On Jan 1, 2012, at 7:12 PM, John Smith wrote:
>
> > Hi,
> >
> > I am trying to see if there are people who use AH, especially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL.
> >
> > Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH. Or is it that people don't care and just use what their vendors provide them?
> >
> > Regards,
> > John
>
> AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another, adding more expense for no increase in operational security.
>
> If you are following NIST or DCID-63, this is required to meet certain integrity requirements.
>
> ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. E.g., the AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST.
>
> Think of AH as being like just signing a PGPMail and ESP as signing and encrypting a PGPMail.
>
> There are reasons for both.
>
> Tom
>
>

From smb at cs.columbia.edu Sun Jan 1 19:50:29 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Sun, 1 Jan 2012 20:50:29 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com>
Message-ID: <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>

On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:

> John,
>
> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.

Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.

That, however, is not the question that is being asked here. The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?

		--Steve Bellovin, https://www.cs.columbia.edu/~smb


	One of the biggest reasons we have AH is because there _are_
	some things in the middle of the "IP header" that need to be
	authenticated for them to be simultaneously safe and useful.
	The biggest example of this is source routing.

In my opinion -- and I've posted this before -- there's nothing in the IP header that's both interesting and protected.
You can't protect the source routing option, since the next-hop pointer changes en route. Appendix A of the AH draft recognizes that, and lists it as 'mutable -- zeroed'.

When you look over the list of IP header fields and options that are either immutable or predictable, you find that the only things that are really of interest are the source and destination addresses and the security label. To the extent that we want to protect the addresses -- a point that's very unclear to me -- they're bound to the security association. The security label certainly should be. If you're using security labels (almost no one does) and you don't have the facilities to bind it at key management time, use tunnel mode and be done with it.

	I'll admit that I've never been in the operations business, but
	I've been told that source routing is a very useful tool for
	diagnosing some classes of problems. AH allows source routing
	to be useful again w/o opening the holes it opens.

Well, yes, but not for the reason you specify. The problem with source routing is that it makes address-spoofing trivial. With AH, people will either verify certificate names -- the right way to do things -- or they'll bind a certificate to the source address, and use AH to verify the legitimacy of it. The route specified has nothing to do with it, and ESP with null encryption does the same thing.

I don't like AH, either in concept or design (and in particular I don't like the way it commits layer violations). Its only real use, as I see it, is to answer Greg Minshall's objections -- it leaves the port numbers in the clear, and visible in a context-independent fashion. With null encryption, the monitoring station has to know that that was selected. But I'm very far from convinced that these issues are important enough to justify AH.

All that notwithstanding, this is not a new issue. We've been over this ground before in the working group. Several of us, myself included, suggested deleting AH. We lost.
Fine; so be it. Let's ship the documents and be done with it.

From kohn.jack at gmail.com Sun Jan 1 19:56:51 2012
From: kohn.jack at gmail.com (Jack Kohn)
Date: Mon, 2 Jan 2012 07:26:51 +0530
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To: <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
Message-ID:

The __exact__ same discussion is happening on the IPsecME WG right now.

http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html

It seems there is yet another effort being made to "retire" AH so that we have fewer options to deal with. This time there is some support for it ..

Jack

On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote:
>
> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:
>
>> John,
>>
>> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.
>
>
> Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.
>
> That, however, is not the question that is being asked here.
> The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?
>
>                 --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>        One of the biggest reasons we have AH is because there _are_
>        some things in the middle of the "IP header" that need to be
>        authenticated for them to be simultaneously safe and useful.
>        The biggest example of this is source routing.
>
> In my opinion -- and I've posted this before -- there's nothing in the
> IP header that's both interesting and protected. You can't protect the
> source routing option, since the next-hop pointer changes en route.
> Appendix A of the AH draft recognizes that, and lists it as 'mutable --
> zeroed'.
>
> When you look over the list of IP header fields and options that are
> either immutable or predictable, you find that the only things that are
> really of interest are the source and destination addresses and the
> security label. To the extent that we want to protect the addresses --
> a point that's very unclear to me -- they're bound to the security
> association. The security label certainly should be. If you're using
> security labels (almost no one does) and you don't have the facilities
> to bind it at key management time, use tunnel mode and be done with it.
>
>        I'll admit that I've never been in the operations business, but
>        I've been told that source routing is a very useful tool for
>        diagnosing some classes of problems. AH allows source routing
>        to be useful again w/o opening the holes it opens.
>
> Well, yes, but not for the reason you specify. The problem with source
> routing is that it makes address-spoofing trivial.
> With AH, people
> will either verify certificate names -- the right way to do things --
> or they'll bind a certificate to the source address, and use AH to
> verify the legitimacy of it. The route specified has nothing to do
> with it, and ESP with null encryption does the same thing.
>
> I don't like AH, either in concept or design (and in particular I don't
> like the way it commits layer violations). Its only real use, as I see
> it, is to answer Greg Minshall's objections -- it leaves the port
> numbers in the clear, and visible in a context-independent fashion.
> With null encryption, the monitoring station has to know that that was
> selected. But I'm very far from convinced that these issues are
> important enough to justify AH.
>
> All that notwithstanding, this is not a new issue. We've been over
> this ground before in the working group. Several of us, myself
> included, suggested deleting AH. We lost. Fine; so be it. Let's ship
> the documents and be done with it.

From smb at cs.columbia.edu Sun Jan 1 20:03:02 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Sun, 1 Jan 2012 21:03:02 -0500
Subject: Does anybody out there use Authentication Header (AH)?
In-Reply-To:
References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu>
Message-ID: <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu>

Yes, I know; I'm on that list. John Smith decided to see if reality matched theory -- always a good thing to do -- and asked here.

Btw, it's not just "this time there is some support for it"; AH was downgraded to "MAY" in RFC 4301 in 2005.

On Jan 1, 2012, at 8:56 PM, Jack Kohn wrote:

> The __exact__ same discussion is happening on the IPsecME WG right now.
>
> http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html
>
> It seems there is yet another effort being made to "retire" AH so that
> we have fewer options to deal with. This time there is some
> support for it ..
>
> Jack
>
> On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote:
>>
>> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote:
>>
>>> John,
>>>
>>> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information.
>>
>>
>> Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999.
>>
>> That, however, is not the question that is being asked here. The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option?
>>
>>                 --Steve Bellovin, https://www.cs.columbia.edu/~smb
>>
>>
>>        One of the biggest reasons we have AH is because there _are_
>>        some things in the middle of the "IP header" that need to be
>>        authenticated for them to be simultaneously safe and useful.
>>        The biggest example of this is source routing.
>>
>> In my opinion -- and I've posted this before -- there's nothing in the
>> IP header that's both interesting and protected.
>> You can't protect the
>> source routing option, since the next-hop pointer changes en route.
>> Appendix A of the AH draft recognizes that, and lists it as 'mutable --
>> zeroed'.
>>
>> When you look over the list of IP header fields and options that are
>> either immutable or predictable, you find that the only things that are
>> really of interest are the source and destination addresses and the
>> security label. To the extent that we want to protect the addresses --
>> a point that's very unclear to me -- they're bound to the security
>> association. The security label certainly should be. If you're using
>> security labels (almost no one does) and you don't have the facilities
>> to bind it at key management time, use tunnel mode and be done with it.
>>
>>        I'll admit that I've never been in the operations business, but
>>        I've been told that source routing is a very useful tool for
>>        diagnosing some classes of problems. AH allows source routing
>>        to be useful again w/o opening the holes it opens.
>>
>> Well, yes, but not for the reason you specify. The problem with source
>> routing is that it makes address-spoofing trivial. With AH, people
>> will either verify certificate names -- the right way to do things --
>> or they'll bind a certificate to the source address, and use AH to
>> verify the legitimacy of it. The route specified has nothing to do
>> with it, and ESP with null encryption does the same thing.
>>
>> I don't like AH, either in concept or design (and in particular I don't
>> like the way it commits layer violations). Its only real use, as I see
>> it, is to answer Greg Minshall's objections -- it leaves the port
>> numbers in the clear, and visible in a context-independent fashion.
>> With null encryption, the monitoring station has to know that that was
>> selected. But I'm very far from convinced that these issues are
>> important enough to justify AH.
>>
>> All that notwithstanding, this is not a new issue.
>> We've been over
>> this ground before in the working group. Several of us, myself
>> included, suggested deleting AH. We lost. Fine; so be it. Let's ship
>> the documents and be done with it.
>

		--Steve Bellovin, https://www.cs.columbia.edu/~smb

From up at 3.am Sun Jan 1 20:03:53 2012
From: up at 3.am (James Smallacombe)
Date: Sun, 1 Jan 2012 21:03:53 -0500
Subject: Hotmail / MSN blacklisting policies.
Message-ID: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am>

The IP address of our mail server was recently blacklisted by MSN/Hotmail. When I went through their steps for delisting, it was denied based on "reputation". AFAIK, we have not had a spam problem for several months. When we did it was due to a few accounts having been successfully phished. Since then our customers have been far more savvy and I have not seen the problem. I manually delisted us from all the known BLs back then and all has been ok.

A current multi DNSBL lookup only shows 3 out of a couple hundred BLs listing us. You may be familiar with the ones that did (blackholes.five-ten-sg.com for example). No major, reputable, widely used DNSBL lists the IP.

I have been doing this for 16 years. It has always been SOP to provide an offending email, with full headers, to the complaint recipient, if not in advance of such blacklisting, then at least upon request. They sure require it of me when I report abuse of their servers. They flat out refuse to do this, claiming they have no access to this.

I had this same issue with Cloudmark's BL a couple of months ago (which Comcast and other major providers use), so I suspect this is some kind of outsourced blacklist that does a poor job of updating their listings, or one of my regular customers is sending out emails that are being incorrectly reported as spam.
I have seen the latter happen several times with other servers I've worked with that auto generate legitimate emails of reports that customers pay for, but aggressive filters such as AOL's auto-report as spam (to be fair, AOL is excellent at resolving these). We do have SPF records for our main domains, but no DKIM or other whitelisting/authentication mechanisms. Is this sort of thing going to be widely required? From jfpn at clearfield.com Sun Jan 1 20:29:13 2012 From: jfpn at clearfield.com (Jean-Francois Pirus) Date: Mon, 02 Jan 2012 15:29:13 +1300 Subject: Hotmail / MSN blacklisting policies. In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> Message-ID: <1325471353.11559.7.camel@caffeine> On Sun, 2012-01-01 at 21:03 -0500, James Smallacombe wrote: > The IP address of our mail server was recently blacklisted by MSN/Hotmail. When I went through their steps for delisting, it was denied based on "reputation". AFAIK, we have not had a spam problem for several months. When we did it was due to a few accounts having been successfully phished. Since then our customers have been far more savvy and I have not seen the problem. I manually delisted us from all the known BLs back then and all has been ok. > > A current multi DNSBL lookup only shows 3 out of a couple hundred BLs listing us. You may be familiar with the ones that did (blackholes.five-ten-sg.com for example). No major, reputable, widely used DNSBL lists the IP. > > I have been doing this for 16 years. It has always been SOP to provide an offending email, with full headers to the complaint recipient, if not in advance of such blacklisting, then at least upon request. They sure require it of me when I report abuse of their servers. They flat out refuse to do this, claiming they have no access to this. 
I had this same issue with Cloudmark's BL a couple of months ago (which Comcast and other major providers use), so I suspect this is some kind of outsourced blacklist that does a poor job of updating their listings or one of my regular customers is sending out emails that are being incorrectly reported as spam. I have seen the latter happen several times with other servers I've worked with that auto generate legitimate emails of reports that customers pay for, but aggressive filters such as AOL's auto-report as spam (to be fair, AOL is excellent at resolving these). > > We do have SPF records for our main domains, but no DKIM or other whitelisting/authentication mechanisms. Is this sort of thing going to be widely required? Yes. Also make sure your reverse dns doesn't look like XXX.XXX.XXX.XXX.mydomain.com. (where XXX is the reverse IP, that gives you a bad score.) These are the steps I went through for Hotmail:
Publish SPF and DKIM records
Open a hotmail account
login https://support.msn.com/
Register with the following "Programs"
SenderID - Register your SPF records
Sender Information for Hotmail Delivery - Tell them you want to send them emails
Junk Mail Reporting Partner Program - Register an address that complaints about your emails will go to.
#Register your IP address at https://postmaster.live.com/snds/index.aspx
Then view data about your IP address at https://postmaster.live.com/snds/data.aspx
-- Jean-Francois Pirus | Technical Manager francois at clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401 Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com

From jlewis at lewis.org Sun Jan 1 20:35:15 2012 From: jlewis at lewis.org (Jon Lewis) Date: Sun, 1 Jan 2012 21:35:15 -0500 (EST) Subject: Hotmail / MSN blacklisting policies. In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> Message-ID: On Sun, 1 Jan 2012, James Smallacombe wrote: > I have been doing this for 16 years.
It has always been SOP to provide > an offending email, with full headers to the complaint recipient, if not > in advance of such blacklisting, then at least upon request. There are/have been a number of well respected (not to mention most of the private ones) anti-spam BLs that either don't always or never provide "offending email" evidence to support listings, and I'm not aware of any that ever made it SOP to provide such evidence in advance of listing an IP. Hotmail listing one of your servers for no obvious reason is certainly the pot calling the kettle black. I get a pretty regular stream of pills spam from hotmail servers, most of which should trivially be blocked by the sender if they gave even the slightest damn about their outgoing spam. > They flat out refuse to do this, claiming they have no access to this. With an org the size of hotmail, it's quite conceivable that the people dealing with you don't have access to the information you seek, assuming such information was even kept. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From tshaw at oitc.com Mon Jan 2 06:24:15 2012 From: tshaw at oitc.com (TR Shaw) Date: Mon, 2 Jan 2012 07:24:15 -0500 Subject: Does anybody out there use Authentication Header (AH)? In-Reply-To: <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu> References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> <1325464328.92852.YahooMailNeo@web29804.mail.ird.yahoo.com> <78609533-6DDA-4A50-BFD4-DB4499178A80@oitc.com> <97DDC358-2C4A-4AAD-B176-72F2BC64A47B@cs.columbia.edu> <042E9E42-4D3B-4F0D-B1C6-DBBE9F3AD4FE@cs.columbia.edu> Message-ID: As far as real world examples, I know of none that use AH only. All the operational uses I have seen in use are tunnels. 
I would guess that if there are any it would be because some minimally technical COI rep thought that by using it it would provide some minimalist support of their interpretation of FISMA. Tom On Jan 1, 2012, at 9:03 PM, Steven Bellovin wrote: > Yes, I know; I'm on that list. John Smith decided to see if > reality matched theory -- always a good thing to do -- and asked > here. > > Btw, it's not just "this time there is some support for it"; AH > was downgraded to "MAY" in RFC 4301 in 2005. > > > On Jan 1, 2012, at 8:56 PM, Jack Kohn wrote: > >> The __exact__ same discussion happening on IPsecME WG right now. >> >> http://www.ietf.org/mail-archive/web/ipsec/current/msg07346.html >> >> It seems there is yet another effort being made to "retire" AH so that >> we have less # of options to deal with. This time there is some >> support for it .. >> >> Jack >> >> On Mon, Jan 2, 2012 at 7:20 AM, Steven Bellovin wrote: >>> >>> On Jan 1, 2012, at 8:34 PM, TR Shaw wrote: >>> >>>> John, >>>> >>>> Unlike AH, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. Thus, you need AH to authenticate the integrity of the outer header packet information. >>> >>> >>> Not quite. While the cryptographic integrity check does not cover the source and destination addresses -- the really interesting part of the outer header -- they're bound to the security association, and hence checked separately. Below is a note I sent to the IPsec mailing list in 1999. >>> >>> That, however, is not the question that is being asked here. 
The IPsecme working group has been over those issues repeatedly; your (non)-issue and (slightly) more substantive issues about IPv6 have been rehashed ad nauseam. The questions on the table now are, first, are operators using AH, and if so is ESP with NULL encryption an option? >>> >>> --Steve Bellovin, https://www.cs.columbia.edu/~smb >>> >>> >>> One of the biggest reasons we have AH is because there _are_ >>> some things in the middle of the "IP header" that need to be >>> authenticated for them to be simultaneously safe and useful. >>> The biggest example of this is source routing. >>> >>> In my opinion -- and I've posted this before -- there's nothing in the >>> IP header that's both interesting and protected. You can't protect the >>> source routing option, since the next-hop pointer changes en route. >>> Appendix A of the AH draft recognizes that, and lists it as 'mutable -- >>> zeroed'. >>> >>> When you look over the list of IP header fields and options that are >>> either immutable or predictable, you find that the only things that are >>> really of interest are the source and destination addresses and the >>> security label. To the extent that we want to protect the addresses -- >>> a point that's very unclear to me -- they're bound to the security >>> association. The security label certainly should be. If you're using >>> security labels (almost no one does) and you don't have the facilities >>> to bind it at key management time, use tunnel mode and be done with it. >>> >>> I'll admit that I've never been in the operations business, but >>> I've been told that source routing is a very useful tool for >>> diagnosing some classes of problems. AH allows source routing >>> to be useful again w/o opening the holes it opens. >>> >>> Well, yes, but not for the reason you specify. The problem with source >>> routing is that it makes address-spoofing trivial.
With AH, people >>> will either verify certificate names -- the right way to do things -- >>> or they'll bind a certificate to the source address, and use AH to >>> verify the legitimacy of it. The route specified has nothing to do >>> with it, and ESP with null encryption does the same thing. >>> >>> I don't like AH, either in concept or design (and in particular I don't >>> like the way it commits layer violations). Its only real use, as I see >>> it, is to answer Greg Minshall's objections -- it leaves the port >>> numbers in the clear, and visible in a context-independent fashion. >>> With null encryption, the monitoring station has to know that that was >>> selected. But I'm very far from convinced that these issues are >>> important enough to justify AH. >>> >>> All that notwithstanding, this is not a new issue. We've been over >>> this ground before in the working group. Several of us, myself >>> included, suggested deleting AH. We lost. Fine; so be it. Let's ship >>> the documents and be done with it. >> > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > >

From o.calvano at gmail.com Mon Jan 2 07:30:47 2012 From: o.calvano at gmail.com (Olivier CALVANO) Date: Mon, 2 Jan 2012 14:30:47 +0100 Subject: Ethernet From China to Singapore or Hong Kong ? Message-ID: Hi anyone have contact of an operator (China Telecom ? CPC ?) that can provide L2 Link from China to Singapore or if not direct link, China to Hong Kong. Thanks Olivier

From rsk at gsp.org Mon Jan 2 07:53:25 2012 From: rsk at gsp.org (Rich Kulawiec) Date: Mon, 2 Jan 2012 08:53:25 -0500 Subject: Hotmail / MSN blacklisting policies. In-Reply-To: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> References: <37685C95-AEED-4EBC-AEFE-A62D0E21F311@3.am> Message-ID: <20120102135325.GA15441@gsp.org> First, this should probably be on mailop instead of here. Second, given the unceasing torrent of spam emitted by Hotmail/MSN on a systemic, chronic basis, it's ironic that they'd block *anyone*.
---rsk

From rol at witbe.net Mon Jan 2 08:05:12 2012 From: rol at witbe.net (Paul Rolland (ポール・ロラン)) Date: Mon, 2 Jan 2012 15:05:12 +0100 Subject: Ethernet From China to Singapore or Hong Kong ? In-Reply-To: References: Message-ID: <20120102150512.72e71946@tux.DEF.witbe.net> Hello, On Mon, 2 Jan 2012 14:30:47 +0100 Olivier CALVANO wrote: > anyone have contact of an operator (China Telecom ? CPC ?) that can provide > L2 Link > from China to Singapore or if not direct link, China to Hong Kong. PCCW ? Paul -- TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement" Paul Rolland E-Mail : rol(at)witbe.net CTO - Witbe.net SA Tel. +33 (0)1 47 67 77 77 Les Collines de l'Arche Fax. +33 (0)1 47 67 77 99 F-92057 Paris La Defense RIPE : PR12-RIPE LinkedIn : http://www.linkedin.com/in/paulrolland Skype : rollandpaul "I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'" --Mike Godwin, Electronic Frontier Foundation

From leigh.porter at ukbroadband.com Mon Jan 2 10:22:30 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Mon, 2 Jan 2012 16:22:30 +0000 Subject: Ethernet From China to Singapore or Hong Kong ? In-Reply-To: <20120102150512.72e71946@tux.DEF.witbe.net> References: , <20120102150512.72e71946@tux.DEF.witbe.net> Message-ID: I'd second PCCW. I have contacts there if you drop me a mail off list. -- Leigh Porter UKBroadband PCCW... On 2 Jan 2012, at 14:08, "Paul Rolland" wrote: > Hello, > > On Mon, 2 Jan 2012 14:30:47 +0100 > Olivier CALVANO wrote: > >> anyone have contact of an operator (China Telecom ? CPC ?)
that can provide >> L2 Link >> from China to Singapore or if not direct link, China to Hong Kong. > > PCCW ? > > Paul > > -- > TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement" > > Paul Rolland E-Mail : rol(at)witbe.net > CTO - Witbe.net SA Tel. +33 (0)1 47 67 77 77 > Les Collines de l'Arche Fax. +33 (0)1 47 67 77 99 > F-92057 Paris La Defense RIPE : PR12-RIPE > > LinkedIn : http://www.linkedin.com/in/paulrolland > Skype : rollandpaul > > "I worry about my child and the Internet all the time, even though she's > too young to have logged on yet. Here's what I worry about. I worry that 10 > or 15 years from now, she will come to me and say 'Daddy, where were you > when they took freedom of the press away from the Internet?'" > --Mike Godwin, Electronic Frontier Foundation > > ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________

From copraphage at gmail.com Mon Jan 2 10:33:17 2012 From: copraphage at gmail.com (Chris McDonald) Date: Mon, 2 Jan 2012 11:33:17 -0500 Subject: Ethernet From China to Singapore or Hong Kong ? In-Reply-To: References: <20120102150512.72e71946@tux.DEF.witbe.net> Message-ID: Third and I also work there :) On Monday, January 2, 2012, Leigh Porter wrote: > I'd second PCCW. I have contacts there if you drop me a mail off list. > > > -- > Leigh Porter > UKBroadband PCCW... > > > > On 2 Jan 2012, at 14:08, "Paul Rolland" wrote: > >> Hello, >> >> On Mon, 2 Jan 2012 14:30:47 +0100 >> Olivier CALVANO wrote: >> >>> anyone have contact of an operator (China Telecom ? CPC ?) that can provide >>> L2 Link >>> from China to Singapore or if not direct link, China to Hong Kong. >> >> PCCW ?
>> >> Paul >> >> -- >> TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement" >> >> Paul Rolland E-Mail : rol(at)witbe.net >> CTO - Witbe.net SA Tel. +33 (0)1 47 67 77 77 >> Les Collines de l'Arche Fax. +33 (0)1 47 67 77 99 >> F-92057 Paris La Defense RIPE : PR12-RIPE >> >> LinkedIn : http://www.linkedin.com/in/paulrolland >> Skype : rollandpaul >> >> "I worry about my child and the Internet all the time, even though she's >> too young to have logged on yet. Here's what I worry about. I worry that 10 >> or 15 years from now, she will come to me and say 'Daddy, where were you >> when they took freedom of the press away from the Internet?'" >> --Mike Godwin, Electronic Frontier Foundation >> >> > >

From morrowc.lists at gmail.com Mon Jan 2 11:39:40 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 2 Jan 2012 12:39:40 -0500 Subject: L3 consequences of WLAN offload in cellular networks (was - endless DHCPv6 thread) In-Reply-To: References: <201112301415.32955.a.harrowell@gmail.com> Message-ID: On Fri, Dec 30, 2011 at 9:34 AM, Cameron Byrne wrote: > The state of the industry is the support of nomadic mobility from cellular > to / from Wi-Fi , there is nearly no support of mobile IP that I have seen. > > It is going more and more in this direction. At T-Mobile USA we have > evolved our wifi calling features from fully mobile UMA / GAN to non-mobile > IMS wifi calling. great! is that now available on all tmo-us handsets? :) /troll

From tom at ninjabadger.net Mon Jan 2 12:08:31 2012 From: tom at ninjabadger.net (Tom Hill) Date: Mon, 02 Jan 2012 18:08:31 +0000 Subject: next-best-transport! down with ethernet!
In-Reply-To: References: <1325188667.2646.4.camel@teh-desktop> Message-ID: <1325527711.2404.4.camel@teh-desktop> On Fri, 2011-12-30 at 07:24 -0500, Ray Soucy wrote: > The speed of light is such a drag. It could be worse... You could've been born on a larger planet. From BEJones at semprautilities.com Mon Jan 2 14:27:34 2012 From: BEJones at semprautilities.com (Jones, Barry) Date: Mon, 2 Jan 2012 12:27:34 -0800 Subject: AD and enforced password policies Message-ID: Hello all. Happy New Year. I have a requirement to enforce password policies on AD (a tacacs and windows domain). I don't have a great deal of Windows AD knowledge - so a newbie ;-) this is a little off topic, but I thought I'd ask... Specifically, I need to enforce the use of length, special characters, and be able to validate the enforcement of such. Looking at Nfront, Quest, etc..., and wanted to see if anyone out there had thoughts? Thank you. From rluethje at gmail.com Mon Jan 2 15:09:25 2012 From: rluethje at gmail.com (Robert Luethje) Date: Mon, 2 Jan 2012 16:09:25 -0500 Subject: AD and enforced password policies References: Message-ID: <006f01ccc992$cf87bf50$0201a8c0@knightmareserv> You would set those in users section of AD. AD can be very quirky when it wants to. Robert ----- Original Message ----- From: "Jones, Barry" To: Sent: Monday, January 02, 2012 3:27 PM Subject: AD and enforced password policies Hello all. Happy New Year. I have a requirement to enforce password policies on AD (a tacacs and windows domain). I don't have a great deal of Windows AD knowledge - so a newbie ;-) this is a little off topic, but I thought I'd ask... Specifically, I need to enforce the use of length, special characters, and be able to validate the enforcement of such. Looking at Nfront, Quest, etc..., and wanted to see if anyone out there had thoughts? Thank you. 
From mysidia at gmail.com Mon Jan 2 16:32:54 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Mon, 2 Jan 2012 16:32:54 -0600 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: On Mon, Jan 2, 2012 at 2:27 PM, Jones, Barry wrote: > I have a requirement to enforce password policies on AD (a tacacs and > windows domain). I don't have a great deal of Windows AD knowledge - so a > newbie ;-) this is a little off topic, but I thought I'd ask... > This is very basic built-in functionality of AD, that those maintaining an AD implementation really ought to already be aware of; to implement it, you edit or create applicable group policy to apply a Password policy in the security section of the applicable group policy for the Computer account configuration at the domain level, specify the minimum length and, either check the "password must meet complexity requirements" box, or supply a custom filter -- http://technet.microsoft.com/en-us/library/cc875814.aspx#ECAA http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx My recommendation would be to not go too far with password policies. Implement only the least restrictive requirements in AD to achieve the best security benefits per unit of user annoyance; e.g. a minimum length of 8 is a good choice; if you try and force users to pick a minimum of 15, with complexity, and expire their password every 10 days, you'll actually get users with simple passwords (or password sticky notes on the monitor). The sole root cause for "easily guessable passwords" is not lack of technical restrictions. It's also: lazy or limited memory humans who need passwords that they can remember. Firstname1234! is very easy to guess, and meets complexity and usual length requirements. There are password filters on the market that can perform a simple dictionary check, which is a better check to perform than number of character classes.
Use the custom password filter and a 30 minute account lockout after the 3rd failed login attempt, to prevent most password guessing attacks. An event log monitoring tool should be used to alert a sysadmin. > Specifically, I need to enforce the use of length, special characters, and > be able to validate the enforcement of such. You can ensure the enforcement by putting the password policy into effect; make sure it is enforced on all domain controllers. And then at a later date check the "must change password at next login" checkbox for all users you need to enforce against, and utilize the GPResult command for each user to ensure that the policy is applied. The last password change date will verify the user has updated their password at the time the policy was in effect. Another thing to consider is to have user passwords expiring once every 365 days, with checks to prevent reuse of previously used passwords; then typical scripts to monitor applied policy and last password change times can be utilized to verify compliance. -- -JH

From blake at pfankuch.me Mon Jan 2 17:15:08 2012 From: blake at pfankuch.me (Blake T. Pfankuch) Date: Mon, 2 Jan 2012 23:15:08 +0000 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: I would very much agree with this as far as the "user annoyance" side. We have had customers enforce 12 characters and complexity for all users, and you end up with sticky notes under the keyboard or other objects on the desk. I would also make sure to set a reasonable timeout to force a workstation locking as well. However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network. Depending on your AD structure, you can easily enforce different policies for different types of users. Meaning you can give your average minion an 8 character password with 90 day expiration, 4 password history and 3 of 4 groups for characters.
Then you can give your domain admin accounts (your normal support staff doesn't have domain admin on their day to day accounts do they??) a more restrictive policy like 12+ characters, 30 day expiration, 24 history and full complexity (via third party modules). -- Blake -----Original Message----- From: Jimmy Hess [mailto:mysidia at gmail.com] Sent: Monday, January 02, 2012 3:33 PM To: Jones, Barry Cc: Nanog at nanog.org Subject: Re: AD and enforced password policies On Mon, Jan 2, 2012 at 2:27 PM, Jones, Barry wrote: > I have a requirement to enforce password policies on AD (a tacacs and > windows domain). I don't have a great deal of Windows AD knowledge - > so a newbie ;-) this is a little off topic, but I thought I'd ask... > This is very basic built-in functionality of AD, that those maintaining an AD implementation really ought to already be aware of; to implement it, you edit or create applicable group policy to apply a Password policy in the security section of the applicable group policy for the Computer account configuration at the domain level, specify the minimum length and, either check the "password must meet complexity requirements" box, or supply a custom filter -- http://technet.microsoft.com/en-us/library/cc875814.aspx#ECAA http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx My recommendation would be to not go too far with password policies. Implement only the least restrictive requirements in AD to achieve the best security benefits per unit of user annoyance; e.g. a minimum length of 8 is a good choice; if you try and force users to pick a minimum of 15, with complexity, and expire their password every 10 days, you'll actually get users with simple passwords (or password sticky notes on the monitor). The sole root cause for "easily guessable passwords" is not lack of technical restrictions. It's also: lazy or limited memory humans who need passwords that they can remember. Firstname1234!
is very easy to guess, and meets complexity and usual length requirements. There are password filters on the market that can perform a simple dictionary check, which is a better check to perform than number of character classes. Use the custom password filter and a 30 minute account lockout after the 3rd failed login attempt, to prevent most password guessing attacks. An event log monitoring tool should be used to alert a sysadmin. > Specifically, I need to enforce the use of length, special characters, and > be able to validate the enforcement of such. You can ensure the enforcement by putting the password policy into effect; make sure it is enforced on all domain controllers. And then at a later date check the "must change password at next login" checkbox for all users you need to enforce against, and utilize the GPResult command for each user to ensure that the policy is applied. The last password change date will verify the user has updated their password at the time the policy was in effect. Another thing to consider is to have user passwords expiring once every 365 days, with checks to prevent reuse of previously used passwords; then typical scripts to monitor applied policy and last password change times can be utilized to verify compliance. -- -JH

From gary.buhrmaster at gmail.com Mon Jan 2 18:05:00 2012 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Tue, 3 Jan 2012 00:05:00 +0000 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: On Mon, Jan 2, 2012 at 22:32, Jimmy Hess wrote: .... > The sole root cause for "easily guessable passwords" is not lack of > technical restrictions. It's also: lazy or limited memory humans who need > passwords that they can remember. > > Firstname1234! is very easy to guess, and meets complexity and usual > length requirements.
Obligatory xkcd reference: http://xkcd.com/936/ Gary

From nick at foobar.org Mon Jan 2 18:21:12 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 03 Jan 2012 00:21:12 +0000 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: <4F0249F8.4050305@foobar.org> On 02/01/2012 20:27, Jones, Barry wrote: > Specifically, I need to enforce the use of length, special characters, > and be able to validate the enforcement of such. I always like to look at policies like this from an analytical point of view. Let's take a look at some numbers. Let's say that you insist on mixed case, numbers, punctuation, 8 characters. I find anything more than 8 characters really difficult to remember; probably lots of other people too, which is why they all write them down on post-it notes if they're longer - and then stick them to their monitors. This creates a pool of 26 + 26 + 10 + 10 = 72 possible characters. So in theory you're talking about a pool of 72^8 = 7.2*10^15 possible passwords. Thing is, your password policy insists on punctuation, which means that your actual password pool is now 10*72^7. i.e. one character is pulled from the pool of 10 punctuation chars, and the rest are anything at all. And if you insist on at least one number + one item of punctuation, it's 10*10*72^6 - same reasoning. But really, you're also insisting that you use at least one upper case + one lower case letter, which means that your password pool becomes 10(punctuation)*10(number)*26(upper case)*26(lower case)*72^4 = 1.8*10^13. In other words, by enforcing a strict password policy on your users, you've just reduced your potential password pool size by a factor of 400, which means that your password is 400 times easier to brute-force. The next step in this process is to take a look around at the current capabilities of GPU based hash generators. E.g.
whitepixel currently claims to be able to handle 3.3*10^11 md5 hashes per second (unsalted) on a computer with a very small capital outlay. If for some odd reason you were storing your passwords as unsalted md5 hashes, your entire password set would be cracked within about 1 minute. But real life is different; we don't use md5, we do use salt, and we don't choose stupid password policies. Oh but wait, we do. So the real question you need to ask yourself is this: "what is the intention of my password policy?" Is it to create a sequence of characters which is effectively impossible to brute-force? Or is it to create a sequence of hieroglyphics which your users will find difficult to remember and will cause them to grind their teeth in anger every time they are forced to type it in? At best, these hieroglyphics provide an elevated sense of security. At worst, they are a mockery of actual security. My favourite choice is "Pa$$w0rd". It scores top marks on pretty much all password strength checkers that I've ever tried it on. And every time the policy requires a change, I prepend a digit which apparently makes it secure for another 6 months. If you are more interested in creating passwords which are difficult to brute force and easier to remember, one useful approach is to take a list of a couple of thousand short-ish words, and to use a random list of five or six of these words for a password. Much easier for people to remember; gets around silly mistakes with typos; and there's no requirement for mixed case, punctuation and all those other silly things which look great on paper but serve only to confuse and annoy. Nick From smb at cs.columbia.edu Mon Jan 2 19:45:29 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Mon, 2 Jan 2012 20:45:29 -0500 Subject: AD and enforced password policies In-Reply-To: References: Message-ID: On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote: > On Mon, Jan 2, 2012 at 22:32, Jimmy Hess wrote: > .... 
>> The sole root cause for "easily guessable passwords" is not lack of >> technical restrictions. It's also: lazy or limited memory humans who need >> passwords that they can remember. >> >> Firstname1234! is very easy to guess, and meets complexity and usual >> length requirements. > > Obligatory xkcd reference: http://xkcd.com/936/ > Thanks; you saved me the trouble. There's a discussion of the topic going on right now on a cryptography mailing list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want. Also see my (mostly tongue in cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html I should add that except for targeted attacks, strong passwords are greatly overrated; neither phishing attacks nor keystroke loggers care how good your password is. I just went through some calculations for a (government) site that has the following rules:
Minimum Length : 8
Maximum Length : 12
Maximum Repeated Characters : 2
Minimum Alphabetic Characters Required : 1
Minimum Numeric Characters Required : 1
Starts with a Numeric Character
No User Name
No past passwords
At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!
Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine... --Steve Bellovin, https://www.cs.columbia.edu/~smb

From lyndon at orthanc.ca Mon Jan 2 20:10:33 2012 From: lyndon at orthanc.ca (Lyndon Nerenberg) Date: Mon, 2 Jan 2012 18:10:33 -0800 (PST) Subject: AD and enforced password policies In-Reply-To: References: Message-ID: > I just went through some calculations for a (government) site that has the > following rules: [...]
> Under the plausible assumption that very many people will start with a string
> of digits, continue with a string of lower-case letters to reach seven characters,
> and then add a period, there are only ~5,000,000,000 choices. That's not many at
> all -- but the rules look just fine...

1234;lkj rolls off the fingers quite nicely, don't you think?

From smb at cs.columbia.edu Mon Jan 2 20:16:28 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Mon, 2 Jan 2012 21:16:28 -0500
Subject: AD and enforced password policies

On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:

>> I just went through some calculations for a (government) site that has the
>> following rules:
> [...]
>> Under the plausible assumption that very many people will start with a string
>> of digits, continue with a string of lower-case letters to reach seven characters,
>> and then add a period, there are only ~5,000,000,000 choices. That's not many at
>> all -- but the rules look just fine...
>
> 1234;lkj rolls off the fingers quite nicely, don't you think?
>

OK -- let's let the set of punctuation be .,; and allow seven choices for where it goes. That increases the work factor by 21 -- still not that large a space for someone with a good botnet.

The real question is what you're trying to protect. If the attacker's goal is to get *some* password, then I think he or she will succeed, because I think that very many people will follow my assumed pattern -- enough that the attacker has a good chance of winning. Sure, some people will pick stronger ones -- but that isn't the point of the exercise. Passwords and password rules are the *enemy* to most people.
--Steve Bellovin, https://www.cs.columbia.edu/~smb

From mysidia at gmail.com Mon Jan 2 22:34:45 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Mon, 2 Jan 2012 22:34:45 -0600
Subject: AD and enforced password policies

On Mon, Jan 2, 2012 at 8:16 PM, Steven Bellovin wrote:
> On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
> OK -- let's let the set of punctuation be .,; and allow seven choices for
> where
> it goes. That increases the work factor by 21 -- still not that large a
> space
> for someone with a good botnet.

Should an attacker get to the point of being able to mount a brute force attack, with only character class and length requirements, that means they have basically already won the battle for basic user level access --- user passwords do not have cryptographic strength; the chance that some passwords are guessed is so high that you can legitimately treat the probability that no passwords are discovered by an informed attack as a 0% chance.

Assuming you have a policy of account lockout after multiple attempts, the fact that a brute force attack can be mounted indicates implementation of your account lockout policy failed, or the attacker stole the password hashes. If you have LANMAN hashes enabled or your passwords hashed with MD5 instead of PBKDF2 with 10000 or more rounds, the attacker has the keys to the kingdom; they are almost certain to guess some passwords very quickly.

Not all passwords are equally likely to be chosen by a human given the task of setting their password. How some luser is going to respond to password complexity: pick a name or standard dictionary word, make the first letter capital, append a single digit or some well known number (such as the current year, a birthdate, anniversary, address, SSN, or other known quantity), add a period or ! to the end, to meet the punctuation mark requirement. Eminently guessable by methods other than brute force.
It doesn't matter that 10 different punctuation marks are actually available to the user --- human chosen passwords have low entropy; you can anticipate that the average human has a higher chance of picking certain punctuation marks than others, based on where they are located on the keyboard, and the user's level of familiarity with the punctuation mark. ~ and _ may be valid choices; but the average English speaker is more familiar with ! . , ' ; & + -

--
-JH

From mtinka at globaltransit.net Tue Jan 3 02:40:07 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 3 Jan 2012 16:40:07 +0800
Subject: next-best-transport! down with ethernet!
References: <1325188667.2646.4.camel@teh-desktop>
Message-ID: <201201031640.10340.mtinka@globaltransit.net>

On Friday, December 30, 2011 05:58:38 PM Vitkovsky, Adam wrote:

> Actually at a Cisco presentation on Nexus 7k I asked
> whether it's possible to transport the FCoE over let's
> say EoMPLS or VPLS and did not get a straight answer
> though that was half a year ago -but it would be really
> cool to connect hard-drives directly over continents

We looked at doing this back in 2010, and the problems are still the same - synchronous replications (which is the majority of your garden-variety fibre channel deployments) are very sensitive to latency and low bandwidth, and don't generally tend to exist outside the data centre or short-distance DWDM fibre channel networks.

FCIP was the solution proposed for extending SANs over IP (which invariably means over MPLS as well). But FCIP tends to work best with asynchronous replications, which is the only way to get around higher latency and lower bandwidth network properties. I know Brocade and Cisco both have boxes that support FCIP.
I did come across a vendor, Orckit-Corrigent - http://www.orckit.com/ - that claimed they support FCoMPLS (I forget what their exact solution was, but it had to do with some buffering trickery if memory serves), but we didn't get a chance to test these as FCoDWDM ended up winning anyway. Come to think of it, maybe their solution was FCIP inside MPLS :-).

Cheers,

Mark.

From mansaxel at besserwisser.org Tue Jan 3 02:44:11 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Tue, 3 Jan 2012 09:44:11 +0100
Subject: AD and enforced password policies
Message-ID: <20120103084411.GN7491@besserwisser.org>

Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):

> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.

If you force me to change a password every three months, I'm going to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, you lose.

Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc, and we're all doomed, or they will be lucky and guess. None of these attack modes will be mitigated by the 3-month scheme; success/fail as seen by the bad guys will be a lot quicker than three months. If they do not get lucky with john or rainbow tables, they'll move on.

(Some scenarios still are affected by this, of course, but there is a lot to be done to stop bad things from happening like not getting your hashes stolen etc. On-line repeated login failures aren't going to work because you'll detect that, right?)

Either way, expiring often is the first and most effective step at making the lusers hate you and will only make the Post-It(tm) makers happy.

If your password crypto is NSA KW-26 or similar, OTOH, just don the Navy blues and start swapping punchcards at 0000 ZULU. (http://en.wikipedia.org/wiki/File:Kw-26.jpg)

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!

From kompella at cs.purdue.edu Tue Jan 3 02:57:09 2012
From: kompella at cs.purdue.edu (Ramana Kompella)
Date: Tue, 3 Jan 2012 14:27:09 +0530
Subject: HotICE 2012 -- paper registration deadline Friday Jan 6, 2012
In-Reply-To: <8EAAFC63-4899-41D3-9C62-3D70707F64B8@PURDUE.EDU>
References: <8EAAFC63-4899-41D3-9C62-3D70707F64B8@PURDUE.EDU>
Message-ID: <2C1BE052-9100-4623-9B43-AA18576381F2@cs.purdue.edu>

[Apologies if you received multiple copies of this CFP]

The 2nd USENIX Workshop on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE '12) Program Co-Chairs invite you to contribute to the refereed papers. The Hot-ICE workshop seeks to bring together researchers and practitioners working on network and service management in the Internet, cloud, and enterprise domains.

Paper registration is due *January 6, 2012*, by 11:59 p.m. PST (i.e. Friday!). Complete paper submissions are due January 13, 2012, by 11:59 p.m. PST. For more information and the submission guidelines, please visit http://www.usenix.org/hotice12/cfpa.
Hot-ICE '12 will be held on April 24, 2012, in San Jose, CA, and will be co-located with NSDI '12: http://www.usenix.org/nsdi12

On behalf of the Hot-ICE '12 Program Committee,
Olivier Bonaventure, Universite catholique de Louvain
Ramana Kompella, Purdue University

From os10rules at gmail.com Tue Jan 3 07:09:19 2012
From: os10rules at gmail.com (Greg Ihnen)
Date: Tue, 3 Jan 2012 08:39:19 -0430
Subject: AD and enforced password policies
In-Reply-To: <20120103084411.GN7491@besserwisser.org>
References: <20120103084411.GN7491@besserwisser.org>
Message-ID: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>

On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
>
>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>
> If you force me to change a password every three months, I'm going
> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
> you lose.
>
> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
> and we're all doomed, or they will be lucky and guess. None of these
> attack modes will be mitigated by the 3-month scheme; success/fail as
> seen by the bad guys will be a lot quicker than three months. If they
> do not get lucky with john or rainbow tables, they'll move on.
>
> (Some scenarios still are affected by this, of course, but there is a
> lot to be done to stop bad things from happening like not getting your
> hashes stolen etc. On-line repeated login failures aren't going to work
> because you'll detect that, right? )
>
> Either way, expiring often is the first and most effective step at making
> the lusers hate you and will only bring the Post-It(tm) makers happy.
>
> If your password crypto is NSA KW-26 or similar, OTOH, just
> don the Navy blues and start swapping punchcards at 0000 ZULU.
> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!

A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.

Greg

From toddunder at gmail.com Tue Jan 3 07:22:09 2012
From: toddunder at gmail.com (Todd Underwood)
Date: Tue, 3 Jan 2012 08:22:09 -0500
Subject: AD and enforced password policies
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>

http://www.diceware.com/ works well. has plausible analysis of the entropy of the passphrases created. it's 100% prescriptive and deterministic so can be used for large, unevenly skilled userbases. the passphrases are easy to remember and type for english speakers (and there are alternative dictionaries). and it wouldn't pass any of these silly requirements.

what people really need to be doing is deploying: http://en.wikipedia.org/wiki/HOTP

there are free apps for android and iphone to generate sequences as a 2nd factor.

t

On Tue, Jan 3, 2012 at 8:09 AM, Greg Ihnen wrote:
>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going
>> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately.
>> Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
>> and we're all doomed, or they will be lucky and guess. None of these
>> attack modes will be mitigated by the 3-month scheme; success/fail as
>> seen by the bad guys will be a lot quicker than three months. If they
>> do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting your
>> hashes stolen etc. On-line repeated login failures aren't going to work
>> because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at making
>> the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just
>> don the Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>
> Greg

From mike at mtcc.com Tue Jan 3 07:31:12 2012
From: mike at mtcc.com (Michael Thomas)
Date: Tue, 03 Jan 2012 05:31:12 -0800
Subject: AD and enforced password policies
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
Message-ID: <4F030320.1030804@mtcc.com>

On 01/03/2012 05:09 AM, Greg Ihnen wrote:
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>
> Greg

I've been doing something with my site/app (phresheez) that is helpful on that front: instead of having them use their password, the app auto-generates a password for the user instead. I did this mainly for convenience -- users hate typing on their phones -- but it has the nice property that you don't have a domino effect if a password on my site is compromised. Since most browsers auto-remember your passwords anyway, it even works in the web world too.

For most need-to-join sites, I think this is a pretty reasonable solution. Maybe not for, oh say, financial sites where password recovery is a little bit scarier, but for the run of the mill app/site... it seems that this solution at least solves the domino problem.
Mike

From smb at cs.columbia.edu Tue Jan 3 07:40:47 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Tue, 3 Jan 2012 08:40:47 -0500
Subject: AD and enforced password policies
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
Message-ID: <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>

On Jan 3, 2012, at 8:09:19 AM, Greg Ihnen wrote:

>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going
>> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
>> and we're all doomed, or they will be lucky and guess. None of these
>> attack modes will be mitigated by the 3-month scheme; success/fail as
>> seen by the bad guys will be a lot quicker than three months. If they
>> do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting your
>> hashes stolen etc. On-line repeated login failures aren't going to work
>> because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at making
>> the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just
>> don the Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>

It's not a side issue; in my opinion it's a far more important issue in most situations. I do the same thing that you do for all but my most critical passwords.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From mansaxel at besserwisser.org Tue Jan 3 07:43:55 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Tue, 3 Jan 2012 14:43:55 +0100
Subject: AD and enforced password policies
In-Reply-To: <4F030320.1030804@mtcc.com>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com>
Message-ID: <20120103134353.GQ7491@besserwisser.org>

Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 05:31:12AM -0800 Quoting Michael Thomas (mike at mtcc.com):

> For most need-to-join sites, I think this is a pretty reasonable solution. Maybe
> not for, oh say, financial sites where password recovery is a little bit scarier,
> but for the run of the mill app/site... it seems that this solution at least
> solves the domino problem.

There is indeed a difference between Europe (or is it only .SE?) and USA here; no bank in Sweden lets you login without at least a client certificate and password/pin code.
Most banks have a hardware token, either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin cards as certificate carrier, and combine it with a reader device to manage pin code entry.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hello? Enema Bondage? I'm calling because I want to be happy, I guess ...

From gary.buhrmaster at gmail.com Tue Jan 3 07:59:16 2012
From: gary.buhrmaster at gmail.com (Gary Buhrmaster)
Date: Tue, 3 Jan 2012 05:59:16 -0800
Subject: AD and enforced password policies
In-Reply-To: <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com>

On Tue, Jan 3, 2012 at 05:09, Greg Ihnen wrote:
....
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords.

Second obligatory xkcd reference (Password reuse): http://xkcd.com/792/

From tim at pelican.org Tue Jan 3 08:16:38 2012
From: tim at pelican.org (Tim Franklin)
Date: Tue, 03 Jan 2012 14:16:38 -0000 (GMT)
Subject: AD and enforced password policies
In-Reply-To: <20120103134353.GQ7491@besserwisser.org>
Message-ID: <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org>

> There is indeed a difference between Europe (or is it only .SE?) and
> USA here; no bank in Sweden lets you login without at least a client
> certificate and password/pin code. Most banks have a hardware token,
> either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin
> cards as certificate carrier, and combine it with a reader device to
> manage pin code entry.
Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was. I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes). A hardware token would be very nice though.

Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows. Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions.

Grumble for the day: Santander, who require so many different IDs, logins, codes, reference numbers etc to access their on-line services with no indication at all of how any of them relate to the documentation previously sent or any changes made since, that there's no way to deal with it other than to write them down. Oh, and some more different codes, with more different names, to access the same account by telephone. Strongly not recommended.

Regards,
Tim.

From jared at puck.nether.net Tue Jan 3 08:22:31 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 3 Jan 2012 09:22:31 -0500
Subject: AD and enforced password policies
Message-ID: <6501EF60-ADA9-4D98-BB93-82F3A6E24E22@puck.nether.net>

On Jan 2, 2012, at 8:45 PM, Steven Bellovin wrote:

> Minimum Length : 8
> Maximum Length : 12
> Maximum Repeated Characters : 2
> Minimum Alphabetic Characters Required : 1
> Minimum Numeric Characters Required : 1
> Starts with a Numeric Character
> No User Name
> No past passwords
> At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!

One site I saw would break when you exceeded the maximum length but silently accept it.
Making the users jump through sufficient hoops to generate a password and keep it for the sake of "security" only serves to weaken the resolve of users and the complexity of passwords used. Dare I say, if a password system is too cumbersome I may reject them as an employer at some point out of frustration, or just call the help desk daily to reset the password.

Back to the OP question. I've used the Quest system as a user and found it useful. Having this outside any VPN for your remote users is very helpful.

- Jared

From markrefresh12 at gmail.com Tue Jan 3 09:01:27 2012
From: markrefresh12 at gmail.com (Mark Smith)
Date: Tue, 3 Jan 2012 17:01:27 +0200
Subject: Redundant multicast routing

Hi

What's your recipe to implement redundant multicast (stub) routing? Let's think about the simplest scenario. We have 2 routers, R1 and R2 and 3 ip networks. All 3 networks are directly connected to both routers and the routers are performing unicast routing between networks using VRRP as the redundancy protocol. Let's disregard L2 redundancy here and assume it works. Same goes with igmp snoop.

net1: 192.168.1.0/24, VRRP .254, R1 .1, R2 .2
net2: 192.168.2.0/24, VRRP .254, R1 .1, R2 .2
net3: 192.168.3.0/24, VRRP .254, R1 .1, R2 .2

Say multicast source is in net1 and receiver in net2.

If I did not need redundancy in multicast, I would just configure all interfaces on R1 as pim passive and it would (probably) work. But if I want the multicast routing to be redundant, what should I do?

If I add the R2 interfaces as pim passive, the multicast is forwarded to net2 (and net3) twice because R1 and R2 do not know about each other. I tested this.

If I configure all R1 and R2 interfaces as pim dense, the destination receives multicast fine, but it is flooded between R1 and R3 2 or 3 times (because pim dense floods the multicast to all pim neighbors and R1 and R2 are pim neighbors in all 2 networks). So, core links are unnecessarily consumed. I tested this, too.
One choice could be to use pim sparse and configure R1 and R2 to be anycast RPs using loopback interface and configure MSDP peering between them. But given the simplicity of the topology, this seems an unnecessarily complex configuration. I have not tested this yet.

Maybe MVR could be a solution but I think it will cause stream multiplication too. I have not tested MVR yet either.

I would like to keep the recipe as vendor agnostic as possible.

Thanks for help :)

From olivier.benghozi at wifirst.fr Tue Jan 3 10:09:22 2012
From: olivier.benghozi at wifirst.fr (Olivier Benghozi)
Date: Tue, 3 Jan 2012 17:09:22 +0100
Subject: Redundant multicast routing

Hi,

While anycast RP is better (redundancy is faster), it's not necessary: you can just use PIM-SM with BSR & 2 RPs with hash-mask distribution for the layer 3 redundancy.

By design, igmp snooping forwards all multicast traffic to mrouter ports (that is, all router interfaces with pim activated), so to stop useless traffic between the routers, it will be necessary to do something at the layer 2 level; you can remove some of this by using something like Cisco's ip pim snooping dr-flood on the layer 2 part (on the receiving vlans).

regards,
Olivier

> Hi
>
> What's your recipe to implement redundant multicast (stub) routing?
> Let's think about the simplest scenario. We have 2 routers, R1 and R2
> and 3 ip networks. All 3 networks are directly connected to both
> routers and the routers are performing unicast routing between
> networks using VRRP as the redundancy protocol. Let's disregard L2
> redundancy here and assume it works. Same goes with igmp snoop.
>
> net1: 192.168.1.0/24, VRRP .254, R1 .1, R2 .2
> net2: 192.168.2.0/24, VRRP .254, R1 .1, R2 .2
> net3: 192.168.3.0/24, VRRP .254, R1 .1, R2 .2
>
> Say multicast source is in net1 and receiver in net2.
>
> If I did not need redundancy in multicast, I would just configure all
> interfaces on R1 as pim passive and it would (probably) work.
> But if I
> want the multicast routing to be redundant, what should I do?
>
> If I add the R2 interfaces as pim passive, the multicast is forwarded
> to net2 (and net3) twice because R1 and R2 do not know about each
> other. I tested this.
> If I configure all R1 and R2 interfaces as pim dense, the destination
> receives multicast fine, but it is flooded between R1 and R3 2 or 3
> times (because pim dense floods the multicast to all pim neighbors and
> R1 and R2 are pim neighbors in all 2 networks). So, core links are
> unnecessarily consumed. I tested this, too.
>
> One choice could be to use pim sparse and configure R1 and R2 to be
> anycast RPs using loopback interface and configure MSDP peering
> between them. But given the simplicity of the topology, this seems
> unnecessarily complex configuration. I have not tested this yet.
>
> Maybe MVR could be solution but I think it will cause stream
> multiplication too. I have not tested MVR yet either.
>
> I would like to keep the recipe as vendor agnostic as possible.
>
> Thanks for help :)
>

From m.d.bernardi at zitomedia.net Tue Jan 3 10:27:13 2012
From: m.d.bernardi at zitomedia.net (Matt Bernardi)
Date: Tue, 03 Jan 2012 11:27:13 -0500
Subject: Multicast video stream to EIA analog channel
Message-ID: <4F032C61.70108@zitomedia.net>

Hello all,

I am new to the mailing list and wanted to pick some of your brains about something. I work for a small cable service provider. What I am trying to do is receive a multicast stream, modulate it and send it out as an EIA analog channel. I know there is equipment built for this specific reason (RGP SEP, APEX1000, etc) but this is just going to be a temporary fix as we are doing a total video overhaul and moving to all MPEG4 capable equipment. I figured there is a way to accomplish this with linux as my budget isn't very large, but all of my research hasn't really helped so I'm reaching out to you. Has anyone ever done this? Or know of any good reference sites for this?
Any info would be greatly appreciated.

Thanks again,

Matt Bernardi

From ddevereauxweber at gmail.com Tue Jan 3 10:51:53 2012
From: ddevereauxweber at gmail.com (David Devereaux-Weber)
Date: Tue, 3 Jan 2012 10:51:53 -0600
Subject: Multicast video stream to EIA analog channel
In-Reply-To: <4F032C61.70108@zitomedia.net>
References: <4F032C61.70108@zitomedia.net>

Matt,

Computers (Linux or otherwise) don't have RF modulators. I do not know of a single-channel IP-in analog modulator (I looked at Blonder Tongue, Drake and Pico Digital).

It is possible to cobble together a Linux system running VideoLAN player, and get analog audio and video out of the computer, and pipe that into an analog modulator.

Dave Devereaux-Weber
University of Wisconsin-Madison

From m.d.bernardi at zitomedia.net Tue Jan 3 11:21:42 2012
From: m.d.bernardi at zitomedia.net (Matt Bernardi)
Date: Tue, 03 Jan 2012 12:21:42 -0500
Subject: Multicast video stream to EIA analog channel
References: <4F032C61.70108@zitomedia.net>
Message-ID: <4F033926.906@zitomedia.net>

Dave, thanks for the advice. I thought about using VLC but couldn't figure out how to modulate it to the proper EIA channel. I figured someone would've made a PCI-E card that has an RF interface w/ upconverter built-in. The only one I found was from DEKTEC and they only modulate to digital signals not analog. I'll start playing with that today! Thanks again.

On 01/03/2012 11:51 AM, David Devereaux-Weber wrote:
> Matt,
>
> Computers (Linux or otherwise) don't have RF modulators. I do not
> know of a single-channel IP-in analog modulator (I looked at Blonder
> Tongue, Drake and Pico Digital).
>
> It is possible to cobble together a Linux system running VideoLAN
> player, and get analog audio and video out of
> the computer, and pipe that into an analog modulator.
> > Dave Devereaux-Weber > University of Wisconsin-Madison From joshbaird at gmail.com Tue Jan 3 11:42:44 2012 From: joshbaird at gmail.com (Josh Baird) Date: Tue, 3 Jan 2012 12:42:44 -0500 Subject: Problems with 100.42.32.0/20 Message-ID: Hi, We just received 100.42.32.0/20 from ARIN. ?According to ARIN, this block was received from IANA in November 2010 and was issued to us in November 2011. ?Since we started using it, we have seen many problems with different Geo-IP providers incorrectly classifying the block - both location and provider wise (lots of them think this is Verizon space for some reason in both Canada and Kansas). ?I have followed http://nanog.cluepon.net/index.php/GeoIP and contacted most of these providers already. Not one has returned my email/inquiry. The main problem that I am seeing is that Verizon/UUNET is filtering access to some of their networks from 100.42.32.0/20. ?We are currently unable to reach any of UUNET.net's authoritative DNS servers (198.6.1.83, 198.6.1.161, etc) and appear to be filtered by some Verizon Business/UUNET routers. $ traceroute 198.6.1.83 traceroute to 198.6.1.83 (198.6.1.83), 30 hops max, 40 byte packets 1 ?209.65.192.129 (209.65.192.129) ?1.491 ms ?1.716 ms ?1.942 ms 2 ?vl41-irtr1.dan100.net.kywimax.com (209.65.192.45) ?0.551 ms ?0.582 ms ?0.587 ms 3 ?rrcs-173-197-155-189.west.biz.rr.com (173.197.155.189) ?0.474 ms 0.519 ms ?0.505 ms 4 ?ae8.chcgill3-rtr1.kc.rr.com (65.28.199.197) ?20.349 ms ?20.340 ms ?20.409 ms 5 ?ae-5-1.cr0.chi30.tbone.rr.com (66.109.6.112) ?20.243 ms ?20.235 ms ?20.223 ms 6 ?107.14.17.147 (107.14.17.147) ?27.982 ms ?27.567 ms ?27.540 ms 7 ?216.156.72.165.ptr.us.xo.net (216.156.72.165) ?20.945 ms te1-2-0d0.cir1.chicago2-il.us.xo.net (216.156.72.5) ?20.920 ms 216.156.72.157.ptr.us.xo.net (216.156.72.157) ?20.912 ms 8 ? (204.255.168.97) ?20.868 ms ?20.826 ms ?20.910 ms 9 ? (152.63.66.77) ?36.133 ms ?36.243 ms ?36.233 ms 10 ? (152.63.43.109) ?45.859 ms ?45.853 ms ?45.843 ms 11 ? 
(152.63.38.9) 45.177 ms 45.175 ms 45.168 ms 12 * * * 13 * * * 14 * (207.18.173.162) 46.105 ms !X * (pos5-0.soesr1.ash.ops.us.uu.net) I have contacted VZW Business' IP-NOC and was not really given a contact that could help me with this situation. I have also emailed filters at lists.verizonbusiness.com and I'm awaiting a response (hopefully). Would anyone happen to have an idea of why I am seeing so many problems with this block, and who I may be able to reach out to at VZB to hopefully get this issue resolved? Thanks.

From joshbaird at gmail.com Tue Jan 3 13:04:59 2012 From: joshbaird at gmail.com (Josh Baird) Date: Tue, 3 Jan 2012 14:04:59 -0500 Subject: Problems with 100.42.32.0/20 In-Reply-To: References: Message-ID: Verizon just contacted me off-list. The problem was identified as an outdated bogon filter on their end. Verizon - thanks for the quick response! Thanks, Josh On Tue, Jan 3, 2012 at 12:42 PM, Josh Baird wrote: > Hi, > > We just received 100.42.32.0/20 from ARIN. According to ARIN, this > block was received from IANA in November 2010 and was issued to us in > November 2011. Since we started using it, we have seen many problems > with different Geo-IP providers incorrectly classifying the block - > both location and provider wise (lots of them think this is Verizon > space for some reason in both Canada and Kansas). I have followed > http://nanog.cluepon.net/index.php/GeoIP and contacted most of these > providers already. Not one has returned my email/inquiry. > > The main problem that I am seeing is that Verizon/UUNET is filtering > access to some of their networks from 100.42.32.0/20. We are > currently unable to reach any of UUNET.net's authoritative DNS servers > (198.6.1.83, 198.6.1.161, etc) and appear to be filtered by some > Verizon Business/UUNET routers.
> > $ traceroute 198.6.1.83 > traceroute to 198.6.1.83 (198.6.1.83), 30 hops max, 40 byte packets > 1 209.65.192.129 (209.65.192.129) 1.491 ms 1.716 ms 1.942 ms > 2 vl41-irtr1.dan100.net.kywimax.com (209.65.192.45) 0.551 ms 0.582 > ms 0.587 ms > 3 rrcs-173-197-155-189.west.biz.rr.com (173.197.155.189) 0.474 ms > 0.519 ms 0.505 ms > 4 ae8.chcgill3-rtr1.kc.rr.com (65.28.199.197) 20.349 ms 20.340 ms 20.409 ms > 5 ae-5-1.cr0.chi30.tbone.rr.com (66.109.6.112) 20.243 ms 20.235 ms 20.223 ms > 6 107.14.17.147 (107.14.17.147) 27.982 ms 27.567 ms 27.540 ms > 7 216.156.72.165.ptr.us.xo.net (216.156.72.165) 20.945 ms > te1-2-0d0.cir1.chicago2-il.us.xo.net (216.156.72.5) 20.920 ms > 216.156.72.157.ptr.us.xo.net (216.156.72.157) 20.912 ms > 8 (204.255.168.97) 20.868 ms 20.826 ms 20.910 ms > 9 (152.63.66.77) 36.133 ms 36.243 ms 36.233 ms > 10 (152.63.43.109) 45.859 ms 45.853 ms 45.843 ms > 11 (152.63.38.9) 45.177 ms 45.175 ms 45.168 ms > 12 * * * > 13 * * * > 14 * (207.18.173.162) 46.105 ms !X * > > (pos5-0.soesr1.ash.ops.us.uu.net) > > I have contacted VZW Business' IP-NOC and was not really given a > contact that could help me with this situation. I have also emailed > filters at lists.verizonbusiness.com and I'm awaiting a response > (hopefully). > > Would anyone happen to have an idea of why I am seeing so many > problems with this block, and who I may be able to reach out to at VZB > to hopefully get this issue resolved? > > Thanks.

From leigh.porter at ukbroadband.com Tue Jan 3 13:40:39 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Tue, 3 Jan 2012 19:40:39 +0000 Subject: DC wiring standards Message-ID: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> Hi all, Does anybody know where I can find standards for DC cabling for -48v systems? I'm looking for general best common practices, cable colouring etc.
Thanks, -- Leigh Porter ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________

From jackson.tim at gmail.com Tue Jan 3 13:49:02 2012 From: jackson.tim at gmail.com (Tim Jackson) Date: Tue, 3 Jan 2012 13:49:02 -0600 Subject: DC wiring standards In-Reply-To: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> References: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com> Message-ID: https://ebiznet.sbc.com/sbcnebs/Documents/TP76300/index.html On Tue, Jan 3, 2012 at 1:40 PM, Leigh Porter wrote: > Hi all, > > Does anybody know where I can find standards for DC cabling for -48v systems? > > I'm looking for general best common practices, cable colouring etc. > > Thanks, > > -- > Leigh Porter >

From owen at delong.com Tue Jan 3 15:41:21 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:41:21 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF4E24D.4020107@cis.vutbr.cz> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> Message-ID: > >> >>> - SLAAC is usually processed in a kernel, DHCPv6 is usually run as a >>> process in the user space. Diagnostic and troubleshooting is more >>> complicated. >> >> Some operating systems do the SLAAC processing in user space. What is >> the problem. > > As I wrote. Troubleshooting is more difficult.
> Having done a fair amount of troubleshooting for both SLAAC and DHCPv6 in real world deployments, I think your argument may be more theoretical than anecdotal in this case. In my general experience, it's been relatively easy to troubleshoot either protocol and neither is particularly more difficult than the other. Start by making sure that you are sending and/or receiving correctly formed packets with the right data. If not, then you know that the packet originator is the most likely culprit. Absent misconfiguration of the router, I've never seen an incorrect RA. I've never seen an incorrect RS packet. Malformed DHCPv6 packets have been extremely rare in my experience. Packets with incorrect data are almost always the result of a configuration error. The difference of whether this is processed in kernel or user space has very little impact on the troubleshooting process in most real world scenarios. Owen

From owen at delong.com Tue Jan 3 15:52:07 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:52:07 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF4E984.1050102@cis.vutbr.cz> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF38D5A.4070003@cis.vutbr.cz> <4EF4DBDE.7050706@cis.vutbr.cz> <4EF4E984.1050102@cis.vutbr.cz> Message-ID: <67CC2B8B-9071-40CA-B186-242C2538BECF@delong.com> > > I agree with you, that is not typical for many networks. For example in > our network we have enabled some of those features (not all) only in some > subnets. Unfortunately those subnets connect over 70% of our users > (6500). It is also great that many producers are going to take those issues > seriously. > > Actually we have quite big concerns with the decision whether: > > 1. to buy cheaper access switches (like HP 42xx) that have security > features for IPv4 but will never have support for IPv6. The hardware > does not support IPv6 at all.
In that case we will be able to replace > access switches in quite short time - one year. And in the next five years > we will buy a brand new generation of switches that will have all > those problems solved (I hope). > > or > > 2. to buy much more expensive switches (like HP 54xx) that support some > basic security features for IPv6 and there is some probability that > other features will be implemented. So we will be able to use ra-guard > and ACLs immediately. In that case there is still a chance that some > features will not be implemented due to hardware limits. So we will have > to buy a new generation of switches again in five years. > > Tomas To me, that question is a no-brainer. Buying a product without IPv6 support today as a cost-saving measure makes about as much sense as spending $20 to pay someone to recover $0.50 worth of screws from the factory floor sweepings every night. You might create the appearance of savings in the short run, but the costs in the medium and long terms will vastly overwhelm any perceived short-term savings. Owen

From owen at delong.com Tue Jan 3 15:56:57 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 13:56:57 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF38D5A.4070003@cis.vutbr.cz> <4EF4DBDE.7050706@cis.vutbr.cz> Message-ID: On Dec 23, 2011, at 1:23 PM, Jeff Wheeler wrote: > On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos wrote: >> If you can limit the number of ARP/NDP entries per interface and you complement >> RAGuard and DHCPv4 snooping you are done. > > That depends on how ARP/ND gleaning works on the box. In short, Cisco > already has a knob to limit the number of ND entries per interface on > some of their kit, and it is not a solution, only a damage mitigation > measure.
http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf In the real world, sufficient damage prevention/mitigation qualifies as a solution. Owen

From owen at delong.com Tue Jan 3 16:36:54 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 14:36:54 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: <20111224.080822.74721455.sthaug@nethelp.no> <1324724331.2763.20.camel@karl> <4EF5B477.7040703@gmail.com> Message-ID: On Dec 24, 2011, at 6:48 AM, Glen Kent wrote: >> >> SLAAC only works with /64 - yes - but only if it runs on Ethernet-like >> Interface IDs of 64bit length (RFC2464). > > Ok, the last 64 bits of the 128 bit address identify an Interface ID > which is uniquely derived from the 48bit MAC address (which exists > only in ethernet). > Not exactly. Most media have some form of link-layer addressing. For Firewire, it's native EUI-64. For Ethernet, it's EUI-48 MAC addresses. For token ring, I believe there are also EUI-48 addresses. For FDDI (Remember FDDI?) I believe it was EUI-48 addresses. ATM and Frame Relay also have EUI addresses built in to their interfaces (though I don't remember the exact format and am too lazy to look it up at the moment). >> SLAAC could work ok with /65 on non-Ethernet media, like a >> point-to-point link whose Interface ID's length can be negotiated during the >> setup phase. > > If we can do this for a p2p link, then why can't the same be done for > an ethernet link? > I'm not so sure the statement above is actually true. Owen > Glen > >> >> Other non-64 Interface IDs could be constructed for 802.15.4 links, for >> example a 16bit MAC address could be converted into a 32bit Interface >> ID. SLAAC would thus use a /96 prefix in the RA and a 32bit IID. >> >> IP-over-USB misses an Interface ID altogether, so one is free to define >> its length. >> >> Alex >> >>> >>> Regards, K.
>>> >> >>

From owen at delong.com Tue Jan 3 17:19:08 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 15:19:08 -0800 Subject: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4EF67019.1000309@necom830.hpcl.titech.ac.jp> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> <4EF4EBE0.4050609@necom830.hpcl.titech.ac.jp> <4EF58B34.6000904@rancid.berkeley.edu> <4EF59438.8040505@necom830.hpcl.titech.ac.jp> <1324724731.2763.26.camel@karl> <4EF6612F.2070901@necom830.hpcl.titech.ac.jp> <4EF66348.8040500@bogus.com> <4EF67019.1000309@necom830.hpcl.titech.ac.jp> Message-ID: <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> On Dec 24, 2011, at 4:36 PM, Masataka Ohta wrote: > Joel jaeggli wrote: > >>> First of all, ND use is optional and, if ND is used, RA >>> must be used. >>> >>> It means that, if RA is not used, ND can't be used. >> >> Finding and maintaining the l2 address for a device on a subnet where RA >> is not used is a pretty common activity so I'm not sure how you would >> conclude that. 2461/4861/5942 certainly don't preclude that. > > RFC6434 has contradictory statements: > > Neighbor Discovery SHOULD be supported. > > and > > Hosts MUST support IPv6 Stateless Address Autoconfiguration as > defined in [RFC4862]. > These do not conflict. > and a reasonable interpretation is SLAAC MUST be supported if > ND is supported. > The implementation of IPv6 in a host MUST support SLAAC. That does not mean that the host must use that support in any particular environment. Owen

From owen at delong.com Tue Jan 3 17:45:03 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jan 2012 15:45:03 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: Message-ID: On Dec 27, 2011, at 3:28 PM, Glen Kent wrote: > It seems ISIS and OSPFv3 use the link local next-hop in their route > advertisements.
> > We discussed that SLAAC doesn't work with prefixes > 64 on the ethernet > medium (which I believe is quite, if not most, prevalent). If that's > the case then how do operators who assign netmasks > 64 use ISIS and > OSPF, since these protocols will use the link local address? > The global unicast prefix length is independent of the link local prefix length. Technically, link local is fe80::/10, though many implementations erroneously treat it as fe80::/64. In most cases, since the 54 bits between fe80 and the IID are almost always 0, this error has no impact. > I had assumed that nodes derive their link local address from the > Route Advertisements. They derive their least significant 64 bytes > from their MACs and the most significant 64 from the prefix announced > in the RAs. > No, nodes derive their link local address from the reserved prefix fe80::/10 and their EUI-64 IID based on their MAC address. They then use that link local address to send out an RS message in order to get global unicast prefixes from the RAs received in response. Owen > Glen > > On Tue, Dec 27, 2011 at 6:25 AM, Glen Kent wrote: >> Sven, >> >>> also various bgp implementations will send the autoconfigure crap ip as the >>> next-hop instead of the session ip, resulting in all kinds of crap in your >>> route table (if not fixed with nasty hacks on your end ;) which doesn't >>> exactly make it easy to figure out which one belongs to which peer >>> all the more reason not to use that autoconfigure crap ;) >> >> As per RFC 2545 BGP announces a global address as the next-hop. It's >> only in one particular case that it advertises both global and link >> local addresses. >> >> So, I guess, BGP is not broken. >> >> It's only RIPng afaik that mandates using a link local address. >> >> Glen

From Valdis.Kletnieks at vt.edu Tue Jan 3 18:40:53 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 03 Jan 2012 19:40:53 -0500 Subject: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To: Your message of "Tue, 03 Jan 2012 15:19:08 PST." <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF23092.9090103@cis.vutbr.cz> <4EF4E24D.4020107@cis.vutbr.cz> <4EF4EBE0.4050609@necom830.hpcl.titech.ac.jp> <4EF58B34.6000904@rancid.berkeley.edu> <4EF59438.8040505@necom830.hpcl.titech.ac.jp> <1324724731.2763.26.camel@karl> <4EF6612F.2070901@necom830.hpcl.titech.ac.jp> <4EF66348.8040500@bogus.com> <4EF67019.1000309@necom830.hpcl.titech.ac.jp> <052FB5BB-4487-4940-87A7-0041A8AD6DF5@delong.com> Message-ID: <6205.1325637653@turing-police.cc.vt.edu> On Tue, 03 Jan 2012 15:19:08 PST, Owen DeLong said: > The implementation of IPv6 in a host MUST support SLAAC. That does not mean > that the host must use that support in any particular environment. The odd part is that the above paragraph is equally true if you replace SLAAC with IPSec - but in *that* case nobody has an issue with it. Just sayin'...

From kauer at biplane.com.au Tue Jan 3 20:41:41 2012 From: kauer at biplane.com.au (Karl Auer) Date: Wed, 04 Jan 2012 13:41:41 +1100 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: Message-ID: <1325644901.2556.134.camel@karl> On Tue, 2012-01-03 at 15:45 -0800, Owen DeLong wrote: > Technically, link local is fe80::/10, though many implementations erroneously > treat it as fe80::/64. In most cases, since the 54 bits between fe80 and the > IID are almost always 0, this error has no impact. Yes, well, I'm a bit confused about that. Maybe I haven't read the trail of overlapping, obsoleting and conflicting RFCs carefully enough. RFC 4862 (section 5.3) says that the interface ID can run all the way up to the end of the link-local prefix. Since this is defined as a /10, an interface ID can be up to 118 bits long.
In RFC 4862 the prefix length is not actually given; instead it says "the well-known link-local prefix FE80::0 [RFC4291] (of appropriate length)". RFC 4862 also says that the whole thing must be consistent with RFC 4291. RFC 4291 (section 2.5.6) defines the first ten bits as 1111111010, then the next 54 bits as zero - BUT does not specify a prefix length. Those implementations that use /64 can thus be forgiven, I think. So - are those 54 bits reserved and zero, or can an interface ID be anything up to 118 bits long? I'd be interested in a definitive answer, if there is one. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

From randy at psg.com Tue Jan 3 21:52:40 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 12:52:40 +0900 Subject: AD and enforced password policies In-Reply-To: <20120103134353.GQ7491@besserwisser.org> References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com> <20120103134353.GQ7491@besserwisser.org> Message-ID: fwiw, citibank in the states uses normal passwording for personal accounts. but citibank business uses two-factor with a password and a customized vasco digipass 270. randy

From toddunder at gmail.com Tue Jan 3 22:13:04 2012 From: toddunder at gmail.com (Todd Underwood) Date: Tue, 3 Jan 2012 23:13:04 -0500 Subject: AD and enforced password policies In-Reply-To: References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <4F030320.1030804@mtcc.com> <20120103134353.GQ7491@besserwisser.org> Message-ID: additionally, etrade in the states has had 2-factor authentication (RSA token) for over 8 or 9 years now. it's one reasonable reason to stay with them.
t On Tue, Jan 3, 2012 at 10:52 PM, Randy Bush wrote: > fwiw, citibank in the states uses normal passwording for personal > accounts. but citibank business uses two-factor with a password > and a customized vasco digipass 270. > > randy >

From graham at g-rock.net Tue Jan 3 22:23:34 2012 From: graham at g-rock.net (Graham Wooden) Date: Tue, 03 Jan 2012 22:23:34 -0600 Subject: CenturyLink - DNS admin needed Message-ID: Hello, Any CenturyLink DNS admin folks lingering around? If so, can you contact me off-list? I believe there is some erroneous data lingering in the DNS caching servers and would like to get that resolved. TTL has appeared to have come and gone and it's not refreshing. FYI - I tried to go through our support channels (we're a TDM based customer), but that isn't proving to be getting us anywhere... Thank you, -graham

From mysidia at gmail.com Tue Jan 3 22:58:35 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Tue, 3 Jan 2012 22:58:35 -0600 Subject: AD and enforced password policies In-Reply-To: <20120103084411.GN7491@besserwisser.org> References: <20120103084411.GN7491@besserwisser.org> Message-ID: On Tue, Jan 3, 2012 at 2:44 AM, Måns Nilsson wrote: > Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at > 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me): > > However I would say 365 day expiration is a little long, 3 months is > about the average in a non financial oriented network. > If you force me to change a password every three months, I'm going > to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result, > you lose. > [snip] A good use for expiration is to mitigate the risk that a password was guessed or accidentally leaked but not used yet to launch a detected attack / abuse the account -- expiration of the password doesn't destroy leaked data or uninstall malware, so it is not any sort of replacement for proper intrusion detection, security monitoring, and explicit incident response.
It is more secure to have solid intrusion detection, alarms, or 2 factor auth. For internet-connected systems; 5 day, 10 day, 30 day, 60 day password expirations are fairly useless, because the intruder guesses the password one day, and probably abuses it in less than 24 hours; 6-month and 12-month expirations accomplish very similar, but much less of a nuisance. Chances are very good that if a password is leaked, it will be abused long before it expires, and if you don't detect the compromise, this means your intrusion detection systems have failed; expiration of the password doesn't erase the results of a successful compromise, or lock out the successful intruder. So password expiration is not a good crutch. A more effective expiration measure is to use 2-factor authentication, with one time passwords that expire within 30 seconds. Manual forced immediate password expiration should be in the security admin's toolbox as a possible response to observation of questionable or potentially remotely suspicious activity on a system that user had been logged into recently. -- -JH

From mansaxel at besserwisser.org Wed Jan 4 03:00:40 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Wed, 4 Jan 2012 10:00:40 +0100 Subject: AD and enforced password policies In-Reply-To: <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org> References: <20120103134353.GQ7491@besserwisser.org> <23f7068e-b0bd-44a7-9e73-f0c81d6c7a12@mail.pelican.org> Message-ID: <20120104090039.GR7491@besserwisser.org> Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 02:16:38PM -0000 Quoting Tim Franklin (tim at pelican.org): > > There is indeed a difference between Europe (or is it only .SE?) and > > USA here; no bank in Sweden lets you login without at least a client > > certificate and password/pin code.
Most banks have a hardware token, > > either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin > > cards as certificate carrier, and combine it with a reader device to > > manage pin code entry. > > Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was. I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes). A hardware token would be very nice though. If it only was one token for all. Public services usually use most of the several national ID card "standards" that we have so for things like doing tax returns, applying for public health insurance payments, etc, one solution "works" -- but all the others have one each. Identity federations are probably the way to go. > Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows. Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions. It sometimes works. Sometimes not. I have chip-and-pin with cert on and reader. If I use it as a standalone authenticator I can even use elinks, but to use it as national ID card I need to run a bunch of apps, and must stay on Firefox3. This is for OSX. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 UH-OH!! I think KEN is OVER-DUE on his R.V. PAYMENTS and HE'S having a NERVOUS BREAKDOWN too!! Ha ha.

From mansaxel at besserwisser.org Wed Jan 4 03:03:28 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Wed, 4 Jan 2012 10:03:28 +0100 Subject: AD and enforced password policies In-Reply-To: References: <20120103084411.GN7491@besserwisser.org> Message-ID: <20120104090327.GS7491@besserwisser.org> Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 10:58:35PM -0600 Quoting Jimmy Hess (mysidia at gmail.com): > Manual forced immediate password expiration should be in the security > admin's toolbox as a possible response to observation of questionable or > potentially remotely suspicious activity on a system that user had been > logged into recently. Indeed. If doubt arises, just change. Have been on the fringe of a kdc compromise. 10000 students and faculty were required to show up in person and change on approved terminals. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Wow! Look!! A stray meatball!! Let's interview it!

From randy at psg.com Wed Jan 4 04:10:06 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 19:10:06 +0900 Subject: incoming smtp from v6 addresses Message-ID: for incoming mail that is *accepted*, i.e. not stuff like 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database.
Please see 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org 7.8% is over ipv6 transport but only 2% of outgoing deliveries are over ipv6. what do other folk see? randy

From regnauld at nsrc.org Wed Jan 4 04:15:56 2012 From: regnauld at nsrc.org (Phil Regnauld) Date: Wed, 4 Jan 2012 11:15:56 +0100 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <20120104101556.GA8280@macbook.bluepipe.net> Randy Bush (randy) writes: > > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. > > what do other folk see? What's your primary configuration ? Hub, end user system ? Care to share the methodology ? I can run some stats, but want to be sure we're comparing the same thing :) Cheers, Phil

From joelja at bogus.com Wed Jan 4 04:16:34 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 04 Jan 2012 02:16:34 -0800 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: <20111228.141052.104056686.sthaug@nethelp.no> <37f38f1f-369f-4056-8593-32b54e7fbc88@d8g2000yqk.googlegroups.com> <20111228.155045.85391394.sthaug@nethelp.no> Message-ID: <4F042702.4010004@bogus.com> On 12/28/11 07:30 , Ryan Malayter wrote: > Except nowhere in there is the prefix length for the test indicated, > and the exact halving of forwarding rate for IPv6 leads one to believe > that there are two TCAM lookups for IPv6 (hence 64-bit prefix lookups) > versus one for IPv4. A cam (assuming your router uses one) can easily be partitioned to support 144 bit words, and you can look up the whole address in one go. A router designer might well choose to fold the lookup and partition a cam table in a different fashion, to reduce memory consumption, save power etc.
if they choose to split lookups (for example with the 72 most significant bits in the first lookup and the last 56 in a second) it's because they believe the tradeoff associated with two constant time lookups is acceptable. remember the cam table lookup is competing against a prefix trie lookup with a variable stride pattern done in really fast dram for mind/market share. > For example, what is the forwarding rate for IPv6 when the tables are > filled with /124 IPv6 routes that differ only in the last 60 bits? > > Even then EANTC test results you reference make no mention of the > prefix length for IPv4 or IPv6, or even the number of routes in the > lookup table during the testing: > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd800c958a.pdf > > >

From randy at psg.com Wed Jan 4 04:26:59 2012 From: randy at psg.com (Randy Bush) Date: Wed, 04 Jan 2012 19:26:59 +0900 Subject: incoming smtp from v6 addresses In-Reply-To: <20120104101556.GA8280@macbook.bluepipe.net> References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: >> 7.8% is over ipv6 transport >> but only 2% of outgoing deliveries are over ipv6. > What's your primary configuration ? Hub, end user system ? the main smtp receiver and sender for maybe 100 users and a few dozen mailing lists of small to lower middle class size. > Care to share the methodology ? I can run some stats, but want > to be sure we're comparing the same thing :) hold your nose zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc zgrep '<=' /var/spool/exim/log/main* | wc and the ever faithful bc :) randy

From s+Mailinglisten.nanog at sloc.de Wed Jan 4 05:37:09 2012 From: s+Mailinglisten.nanog at sloc.de (Sebastian Spies) Date: Wed, 04 Jan 2012 12:37:09 +0100 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <4F0439E5.1030306@sloc.de> On 04.01.2012 11:10, Randy Bush wrote: > for incoming mail that is *accepted*, i.e.
not stuff like > 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see > 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118 > 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip > 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. > > what do other folk see? > > randy Received $ grep 'amavis' mail.log | grep Passed | wc -l 448 $ grep 'amavis' mail.log | grep Passed | grep IPv6 | wc -l 91 $ grep 'amavis' mail.log | grep Passed | grep IPv6 | grep -v '2001:1838::cc5d:d48a' | wc -l 18 Sent $ grep 'postfix/smtp' mail.log | grep 'status=sent' | grep -v '127.0.0.1' |wc -l 253 enceladus:/var/log# grep 'postfix/smtp' mail.log | grep 'status=sent' | egrep '\[([a-f0-9]{0,4}:)+[a-f0-9]{0,4}\]' | wc -l 19 with most of them going to mailin.v6.t-online.de[2003:2:2:10:fee::32]:25 ~40 silent users Sebastian

From mansaxel at besserwisser.org Wed Jan 4 06:02:55 2012 From: mansaxel at besserwisser.org (Måns Nilsson) Date: Wed, 4 Jan 2012 13:02:55 +0100 Subject: anycast load balancing issue Message-ID: <20120104120255.GT7491@besserwisser.org> Hi, I'm in the process of deploying an anycast DNS service internally. We're on a pretty provider-like network, where we run MPLS to provide several network overlays for different services. iBGP is used to distribute routing information, and ISIS is used as IGP. In one of the VRFen we would like to place name servers using a common IP address. To get speedy network updates when outages occur we'll be using OSPF on the name servers to inject the routes into the IGP. The P/E router then redistributes the route into the right VRF.
(the name server OSPF process is not aware of MPLS; it just talks to a router.) So far so good. This works. Trouble is, we find that (untweaked) cost and metric are such that all nodes are equal. The last resort (peer router ID) gets invoked and all traffic goes to one single instance. Of course, when that instance falls off the net recalculation takes place and another node steps in, but I'd like true path lengths (IGP hop count) to influence more than iBGP (route-reflector-style) selection. Any clues? Oh, all-cisco, all ASR1000 series. All links GE. ~90 routers in IGP. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 ... this must be what it's like to be a COLLEGE GRADUATE!!

From jared at puck.nether.net Wed Jan 4 06:18:11 2012 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 4 Jan 2012 07:18:11 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net> On Jan 4, 2012, at 5:26 AM, Randy Bush wrote: >>> 7.8% is over ipv6 transport >>> but only 2% of outgoing deliveries are over ipv6. >> What's your primary configuration ? Hub, end user system ? > > the main smtp receiver and sender for maybe 100 users and a few > dozen mailing list of small to lower middle class size. > >> Care to share the methodology ?
I can run some stats, but want >> to be sure we're comparing the same thing :) > > hold your nose > > zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc > zgrep '<=' /var/spool/exim/log/main* | wc > > and the ever failthful bc :) Similar footprint, and I have something like the following on puck: puck:~$ grep IPv6: /var/log/maillog | grep stat=Sent | wc -l 9043 puck:~$ grep stat=Sent /var/log/maillog | wc -l 110343 If gmail were to host AAAA for their MX I would see a lot more mail delivered over there. - Jared -- stats -- unique list delivery [mailman at puck jared]$ /home/mailman/bin/find_member @ | grep -v 'found in' | wc -l 26442 [mailman at puck jared]$ /home/mailman/bin/find_member @gmail | grep -v 'found in' | wc -l 7098 unique addresses [mailman at puck jared]$ /home/mailman/bin/find_member @ | grep 'found in' | wc -l 16044 [mailman at puck jared]$ /home/mailman/bin/find_member @gmail | grep 'found in' | wc -l 4076 From ops.lists at gmail.com Wed Jan 4 06:18:31 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 4 Jan 2012 17:48:31 +0530 Subject: incoming smtp from v6 addresses In-Reply-To: References: <20120104101556.GA8280@macbook.bluepipe.net> Message-ID: On Wed, Jan 4, 2012 at 3:56 PM, Randy Bush wrote: > zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc > zgrep '<=' /var/spool/exim/log/main* | wc frodo:/home/suresh# zgrep '<=.*\[....:' /var/log/exim4/mainlog* | wc 16673 385620 7023087 frodo:/home/suresh# zgrep '<=' /var/log/exim4/mainlog* | wc 24277 559746 10110840 -- Suresh Ramasubramanian (ops.lists at gmail.com) From regnauld at nsrc.org Wed Jan 4 06:23:34 2012 From: regnauld at nsrc.org (Phil Regnauld) Date: Wed, 4 Jan 2012 13:23:34 +0100 Subject: incoming smtp from v6 addresses In-Reply-To: <4F0439E5.1030306@sloc.de> References: <4F0439E5.1030306@sloc.de> Message-ID: <20120104122334.GA9005@macbook.bluepipe.net> Received # grep 'amavis' mail.log | grep Passed | wc -l 1411 (1189 if only counting CLEAN, post amavisd) #grep 'amavis' 
mail.log | grep Passed | grep IPv6 | grep -v '::1' | wc -l 255 (253 if only counting CLEAN - so less spam in IPv6 :) Sent # grep 'postfix/smtp' mail.log | grep 'status=sent' | grep -v '127.0.0.1' | wc -l 1422 # grep 'postfix/smtp' mail.log | grep 'status=sent' | egrep '\[([a-f0-9]{0,4}:)+[a-f0-9]{0,4}\]' | wc -l 13 (filtered out a v6 IP that gets a copy of every mail) 18% incoming, .9% outgoing...

From mansaxel at besserwisser.org Wed Jan 4 06:51:54 2012 From: mansaxel at besserwisser.org (=?utf-8?B?TcOlbnM=?= Nilsson) Date: Wed, 4 Jan 2012 13:51:54 +0100 Subject: anycast load balancing issue In-Reply-To: <20120104120255.GT7491@besserwisser.org> References: <20120104120255.GT7491@besserwisser.org> Message-ID: <20120104125154.GU7491@besserwisser.org> Subject: anycast load balancing issue Date: Wed, Jan 04, 2012 at 01:02:55PM +0100 Quoting Måns Nilsson (mansaxel at besserwisser.org): > Trouble is, we find that (untweaked) cost and metric are such that all > nodes are equal. s/all nodes/all nodes in my pathetically small test case/ Was no issue. I just was unlucky in selecting test cases. Sorry. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Do you have exactly what I want in a plaid poindexter bar bat?? -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: Digital signature URL: From bicknell at ufp.org Wed Jan 4 08:47:24 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 4 Jan 2012 06:47:24 -0800 Subject: incoming smtp from v6 addresses In-Reply-To: <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net> References: <20120104101556.GA8280@macbook.bluepipe.net> <3D93FC5B-C419-42CF-9441-508FF473C2E3@puck.nether.net> Message-ID: <20120104144724.GA50083@ussenterprise.ufp.org> In a message written on Wed, Jan 04, 2012 at 07:18:11AM -0500, Jared Mauch wrote: > Similar footprint, and I have something like the following on puck: > > puck:~$ grep IPv6: /var/log/maillog | grep stat=Sent | wc -l > 9043 > puck:~$ grep stat=Sent /var/log/maillog | wc -l > 110343 I have a mail system that has almost 0 technical users on it. % grep IPv6: /var/log/maillog | grep stat=Sent | wc -l 4 % grep stat=Sent /var/log/maillog | wc -l 1298 :( > If gmail were to host AAAA for their MX I would see a lot more mail delivered over there. Agreed, gmail, yahoo, hotmail and AOL are probably 80% of the total mail on that box, so those four could make a huge swing, individually or collectively. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL:

From cb.list6 at gmail.com Wed Jan 4 08:56:58 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Wed, 4 Jan 2012 06:56:58 -0800 Subject: anycast load balancing issue In-Reply-To: <20120104125154.GU7491@besserwisser.org> References: <20120104120255.GT7491@besserwisser.org> <20120104125154.GU7491@besserwisser.org> Message-ID: On Jan 4, 2012 4:52 AM, "Måns Nilsson" wrote: > > Subject: anycast load balancing issue Date: Wed, Jan 04, 2012 at 01:02:55PM +0100 Quoting Måns Nilsson (mansaxel at besserwisser.org): > > > Trouble is, we find that (untweaked) cost and metric are such that all > > nodes are equal. > > s/all nodes/all nodes in my pathetically small test case/ > > Was no issue. I just was unlucky in selecting test cases. Sorry. > > > -- > Måns Nilsson primary/secondary/besserwisser/machina > MN-1334-RIPE +46 705 989668 > Do you have exactly what I want in a plaid poindexter bar bat?? > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAk8ES2oACgkQ02/pMZDM1cUXpgCfQtLkFUBsbO5Z3wDPiWV1djQB > SukAnA7hBBWC83iTzjjogsxPIfI5GxmK > =L5pI > -----END PGP SIGNATURE----- >
I use:
Anycast = server loop back
Protocol to server = bgp / bfd
This allows for ecmp horizontal scaling for n number of dns servers (where n is less than Max ecmp paths) You may need to turn the bgp ecmp multipath knob.

From simon.perreault at viagenie.ca Wed Jan 4 08:58:24 2012 From: simon.perreault at viagenie.ca (Simon Perreault) Date: Wed, 04 Jan 2012 09:58:24 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <4F046910.5010507@viagenie.ca> Randy Bush wrote, on 01/04/2012 05:10 AM: > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. A consequence of AAAA whitelisting?
Simon -- DTN made easy, lean, and smart --> http://postellation.viagenie.ca NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca

From mike at sentex.net Wed Jan 4 09:46:08 2012 From: mike at sentex.net (Mike Tancsa) Date: Wed, 04 Jan 2012 10:46:08 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: References: Message-ID: <4F047440.6070500@sentex.net> On 1/4/2012 5:10 AM, Randy Bush wrote: > for incoming mail that is *accepted*, i.e. not stuff like > 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see > 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118 > 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip > 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org > > 7.8% is over ipv6 transport > > but only 2% of outgoing deliveries are over ipv6. For accepted mail today, 2% is v6 for outbound, 4% for v6 is inbound. I suspect the higher inbound values might be due to tech mailing lists which tend to come from IPv6 enabled hosts ? ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike at sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/

From davei at otd.com Wed Jan 4 09:54:15 2012 From: davei at otd.com (Dave Israel) Date: Wed, 04 Jan 2012 10:54:15 -0500 Subject: incoming smtp from v6 addresses In-Reply-To: <4F047440.6070500@sentex.net> References: <4F047440.6070500@sentex.net> Message-ID: <4F047627.4010906@otd.com> On 1/4/2012 10:46 AM, Mike Tancsa wrote: > I suspect the higher inbound values might be due to tech mailing > lists which tend to come from IPv6 enabled hosts ?
Yeah, all of my (non-internal) ipv6 mail is from such mailing lists. -Dave

From kohn.jack at gmail.com Wed Jan 4 09:55:49 2012 From: kohn.jack at gmail.com (Jack Kohn) Date: Wed, 4 Jan 2012 21:25:49 +0530 Subject: Does anybody out there use Authentication Header (AH)? In-Reply-To: <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> References: <1325463138.93312.YahooMailNeo@web29806.mail.ird.yahoo.com> <0C307FCB-55D2-49BD-90B1-6477FE5F4DE6@oitc.com> Message-ID: Tom, It seems NIST recommends ESP over AH. You can look at the following 2 emails from Manav and Sriram on the IPsecME WG: http://www.ietf.org/mail-archive/web/ipsec/current/msg07403.html http://www.ietf.org/mail-archive/web/ipsec/current/msg07407.html Jack On Mon, Jan 2, 2012 at 5:57 AM, TR Shaw wrote: > > On Jan 1, 2012, at 7:12 PM, John Smith wrote: > >> Hi, >> >> I am trying to see if there are people who use AH specially since RFC 4301 has a MAY for AH and a MUST for ESP-NULL. While operators may not care about a MAY or a MUST in an RFC, but the IETF protocols and vendors do. So all protocols that require IPsec for authentication implicitly have a MAY for AH and a MUST for ESP-NULL. >> >> Given that there is hardly a difference between the two, I am trying to understand the scenarios where people might want to use AH? OR is it that people don't care and just use what their vendors provide them? >> >> Regards, >> John > > AH provides for connectionless integrity and data origin authentication and provides protection against replay attacks. Many US Gov departments that have to follow NIST and do not understand what this means require it between internal point-to-point routers between one portion of their organization and another adding more expense for no increase in operational security.
> > If you are following NIST or DCID-63, this is required to meet certain integrity requirements > > ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. EG AH portion provides for the integrity requirement and the ESP encryption provides for the confidentiality requirement of NIST. > > Think of AH that it is like just signing a PGPMail and ESP as signing and encrypting a PGPMail. > > There are reasons for both. > > Tom > >

From rbonica at juniper.net Wed Jan 4 09:58:09 2012 From: rbonica at juniper.net (Ronald Bonica) Date: Wed, 4 Jan 2012 10:58:09 -0500 Subject: Trouble accessing www.nanog.org Message-ID: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> Is anyone else having trouble accessing www.nanog.org? I can ping the site but don't get any response from HTTP requests. -------------------------- Ron Bonica vcard: www.bonica.org/ron/ronbonica.vcf

From trelane at trelane.net Wed Jan 4 10:09:34 2012 From: trelane at trelane.net (Andrew D Kirch) Date: Wed, 04 Jan 2012 11:09:34 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> Message-ID: <4F0479BE.6030206@trelane.net> works for me

From sean at seanharlow.info Wed Jan 4 10:12:20 2012 From: sean at seanharlow.info (Sean Harlow) Date: Wed, 4 Jan 2012 11:12:20 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <4F0479BE.6030206@trelane.net> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> Message-ID: <46B0986A-4AF3-4A59-BC96-BC502CF93E9A@seanharlow.info> I was seeing the same problem, but it seems to be working now.
On Jan 4, 2012, at 11:09 AM, Andrew D Kirch wrote: > works for me > >

From betty at newnog.org Wed Jan 4 10:14:59 2012 From: betty at newnog.org (Betty Burke ) Date: Wed, 4 Jan 2012 11:14:59 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <4F0479BE.6030206@trelane.net> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> Message-ID: Works for me as well :> I will check to see if there was some interruption in service and report as warranted. Betty On Wed, Jan 4, 2012 at 11:09 AM, Andrew D Kirch wrote: > works for me > > > -- Betty Burke NewNOG/NANOG Executive Director Office (810) 214-1218 Direct (510) 492-4030

From dwessels at verisign.com Wed Jan 4 12:41:03 2012 From: dwessels at verisign.com (Wessels, Duane) Date: Wed, 4 Jan 2012 10:41:03 -0800 Subject: Trouble accessing www.nanog.org In-Reply-To: References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> Message-ID: <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> The brief problem in accessing www.nanog.org was due to numerous parallel downloads of a large video file by a single source IP address. We have no reason to believe it was malicious in intent, but the offender has been blocked anyway. Anyone from AS37986 around? Duane W.

From alexandru.petrescu at gmail.com Wed Jan 4 12:50:30 2012 From: alexandru.petrescu at gmail.com (Alexandru Petrescu) Date: Wed, 04 Jan 2012 19:50:30 +0100 Subject: subnet prefix length > 64 breaks IPv6? In-Reply-To: References: <20111224.080822.74721455.sthaug@nethelp.no> <1324724331.2763.20.camel@karl> <4EF5B477.7040703@gmail.com> Message-ID: <4F049F76.8080309@gmail.com> On 03/01/2012 23:36, Owen DeLong wrote: > > On Dec 24, 2011, at 6:48 AM, Glen Kent wrote: > >>> >>> SLAAC only works with /64 - yes - but only if it runs on >>> Ethernet-like Interface ID's of 64bit length (RFC2464).
>> >> Ok, the last 64 bits of the 128 bit address identifies an Interface >> ID which is uniquely derived from the 48bit MAC address (which >> exists only in ethernet). >> > > Not exactly. Most media have some form of link-layer addressing. For > Firewire, it's native EUI-64. For Ethernet, it's EUI-48 MAC > addresses. For token ring, I believe there are also EUI-48 addresses. > For FDDI (Remember FDDI?) I believe it was EUI-48 addresses. ATM and > Frame Relay also have EUI addresses built in to their interfaces > (though I don't remember the exact format and am too lazy to look it > up at the moment). > >>> SLAAC could work ok with /65 on non-Ethernet media, like a >>> point-to-point link whose Interface ID's length be negotiated >>> during the setup phase. >> >> If we can do this for a p2p link, then why can't the same be done >> for an ethernet link? >> > > I'm not so sure the statement above is actually true. I think that's right, sorry. I mean - a reread of the PPPv6 RFC tells that the Interface ID negotiated by PPP is strictly 64bit length. (although it does refer to rfc4941 which specifically acks that "note that an IPv6 identifier does not necessarily have to be 64 bits in length"). It's a mess :-) Alex > > Owen > >> Glen >> >>> >>> Other non-64 Interface IDs could be constructed for 802.15.4 >>> links, for example a 16bit MAC address could be converted into a >>> 32bit Interface ID. SLAAC would thus use a /96 prefix in the RA >>> and a 32bit IID. >>> >>> IP-over-USB misses an Interface ID altogether, so one is free to >>> define its length. >>> >>> Alex >>> >>>> >>>> Regards, K.
>>>> >>> >>> > >

From hrlinneweh at sbcglobal.net Wed Jan 4 13:38:32 2012 From: hrlinneweh at sbcglobal.net (Henry Linneweh) Date: Wed, 4 Jan 2012 11:38:32 -0800 (PST) Subject: 2012-Big-Data-Big-Traffic Message-ID: <1325705912.46396.YahooMailNeo@web180309.mail.gq1.yahoo.com> New issues for massive data movement http://www.infineta.com/sites/default/files/pdf/IRG-2012-Big-Data-Big-Traffic-and-the-WAN.pdf Henry

From seth.mos at dds.nl Wed Jan 4 14:00:26 2012 From: seth.mos at dds.nl (Seth Mos) Date: Wed, 4 Jan 2012 21:00:26 +0100 Subject: IPv6 resolvers Message-ID: Hi Nanog, Owen, I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers? Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity. So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue. But I was wondering if a more permanent solution for these resolvers exists. 74.82.42.42 2373 msec 2001:470:20::2 2592 msec The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
2001:4860:4860::8844 16 msec Kind regards, Seth Mos From wesley.george at twcable.com Wed Jan 4 14:10:13 2012 From: wesley.george at twcable.com (George, Wes) Date: Wed, 4 Jan 2012 15:10:13 -0500 Subject: Trouble accessing www.nanog.org In-Reply-To: <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> Message-ID: > From: Wessels, Duane [mailto:dwessels at verisign.com] > Sent: Wednesday, January 04, 2012 1:41 PM > Subject: Re: Trouble accessing www.nanog.org > > > The brief problem in accessing www.nanog.org was due to numerous > parallel > downloads of a large video file by a single source IP address. We have > no reason to believe it was malicious in intent, but the offender has > been > blocked anyway. [WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously. /troll Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists. Wes George This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout. 
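The counting method traded in the "incoming smtp from v6 addresses" thread above (count accepted "<=" and delivered lines, then the subset whose bracketed peer address is IPv6, leaving out loopback and an internal relay that gets a copy of every message) as an added Python example; it is not code from any of the posts, and it is placed here because this is the first message boundary after that exchange in the digest. The log lines are constructed exim-style samples, and the relay address 2001:db8:ff::1 and the function names are assumptions, not anything from the thread. Parsing the bracketed address with `ipaddress` replaces Randy's `\[....:` pattern, which can miss or mismatch addresses depending on the length of the first group.

```python
"""Added example: IPv6 share of accepted inbound and delivered outbound
SMTP traffic, computed from MTA log lines."""
import ipaddress
import re
from collections import Counter

# Constructed exim-style log lines: "<=" marks a message received,
# "=>" a delivery, and H=<host> [<addr>] records the peer. They are
# sample lines made up for this example, not real mail traffic.
SAMPLE_LOG = """\
2012-01-04 00:40:01 1RiXyz-0001aB-Cd <= alice@example.org H=mx.example.org [2001:db8:1::25] P=esmtps S=2345
2012-01-04 00:40:02 1RiXyz-0001aB-Cd => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2012-01-04 00:41:10 1RiXz0-0001aC-De <= carol@example.com H=smtp.example.com [198.51.100.7] P=esmtp S=1200
2012-01-04 00:41:11 1RiXz0-0001aC-De => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [2001:db8:1::25]
2012-01-04 00:42:00 1RiXz1-0001aD-Ef <= list-bounce@example.org H=localhost [::1] P=esmtp S=900
2012-01-04 00:42:01 1RiXz1-0001aD-Ef => archive@example.org R=dnslookup T=remote_smtp H=relay.example.org [2001:db8:ff::1]
2012-01-04 00:43:00 1RiXz2-0001aE-Fg <= erin@example.net H=mail.example.net [203.0.113.5] P=esmtp S=3000
2012-01-04 00:43:01 1RiXz2-0001aE-Fg => frank@example.com R=dnslookup T=remote_smtp H=mx.example.com [203.0.113.9]
2012-01-04 00:44:00 H=(bad.example) [192.0.2.99] rejected RCPT : blocked
"""

# The bracketed peer address is what the thread greps for. Capturing the
# bracket contents and parsing them with ipaddress classifies the family
# reliably instead of guessing from the position of the first colon.
PEER_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def peer_address(line):
    """Return the peer's IP address object from a log line, or None."""
    match = PEER_RE.search(line)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def ipv6_share(log_text, marker, exclude=()):
    """Count lines carrying `marker` ("<=" inbound, "=>" outbound) by
    address family and return (ipv4_count, ipv6_count, ipv6_fraction).

    Loopback peers and any address in `exclude` (for example an internal
    relay that receives a copy of every message) are skipped so they do
    not inflate the IPv6 figure, which is the correction Phil and
    Sebastian applied by hand with grep -v.
    """
    excluded = {ipaddress.ip_address(a) for a in exclude}
    counts = Counter()
    for line in log_text.splitlines():
        if f" {marker} " not in line:
            continue
        addr = peer_address(line)
        if addr is None or addr.is_loopback or addr in excluded:
            continue
        counts["v6" if addr.version == 6 else "v4"] += 1
    total = counts["v4"] + counts["v6"]
    share = counts["v6"] / total if total else 0.0
    return counts["v4"], counts["v6"], share


def report(log_text, exclude=()):
    """Inbound and outbound figures as a dict of (v4, v6, share) tuples."""
    return {
        "inbound": ipv6_share(log_text, "<=", exclude),
        "outbound": ipv6_share(log_text, "=>", exclude),
    }


if __name__ == "__main__":
    # 2001:db8:ff::1 is a constructed placeholder for the internal relay
    # the posters filtered out of their numbers.
    figures = report(SAMPLE_LOG, exclude=("2001:db8:ff::1",))
    for direction, (v4, v6, share) in figures.items():
        print(f"{direction}: {v4} IPv4, {v6} IPv6, {share:.1%} over IPv6")
```

Run against a real exim main log the only change needed is reading the file instead of `SAMPLE_LOG`; for postfix, the `status=sent` lines carry the same `host[addr]` bracket form, so only the marker string differs.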
From bmanning at vacation.karoshi.com Wed Jan 4 14:18:01 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Wed, 4 Jan 2012 20:18:01 +0000 Subject: Trouble accessing www.nanog.org In-Reply-To: References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> Message-ID: <20120104201801.GA3917@vacation.karoshi.com.> On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote: > > From: Wessels, Duane [mailto:dwessels at verisign.com] > > Sent: Wednesday, January 04, 2012 1:41 PM > > Subject: Re: Trouble accessing www.nanog.org > > > > > > The brief problem in accessing www.nanog.org was due to numerous > > parallel > > downloads of a large video file by a single source IP address. We have > > no reason to believe it was malicious in intent, but the offender has > > been > > blocked anyway. > > [WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously. > /troll > > Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists. > > Wes George Hum... that's not how I read Duane's response at all.. I thought they blocked the (excessively) large video file from download... :) /bill

From raymond at prolocation.net Wed Jan 4 14:21:05 2012 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed, 4 Jan 2012 21:21:05 +0100 (CET) Subject: IPv6 resolvers In-Reply-To: References: Message-ID: Hi! > But I was wondering if a more permanent solution for these resolvers exists. > > 74.82.42.42 2373 msec > 2001:470:20::2 2592 msec > > The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
> 2001:4860:4860::8844 16 msec [root at ipv6proxy ~]# ping 74.82.42.42 PING 74.82.42.42 (74.82.42.42) 56(84) bytes of data. 64 bytes from 74.82.42.42: icmp_seq=1 ttl=61 time=0.664 ms 64 bytes from 74.82.42.42: icmp_seq=2 ttl=61 time=0.640 ms 64 bytes from 74.82.42.42: icmp_seq=3 ttl=61 time=0.551 ms 64 bytes from 74.82.42.42: icmp_seq=4 ttl=61 time=0.614 ms [root at ipv6proxy ~]# ping6 2001:470:20::2 PING 2001:470:20::2(2001:470:20::2) 56 data bytes 64 bytes from 2001:470:20::2: icmp_seq=1 ttl=61 time=0.488 ms 64 bytes from 2001:470:20::2: icmp_seq=2 ttl=61 time=0.478 ms 64 bytes from 2001:470:20::2: icmp_seq=3 ttl=61 time=0.739 ms 64 bytes from 2001:470:20::2: icmp_seq=4 ttl=61 time=0.515 ms Looks pretty normal here. Bye, Raymond.

From morrowc.lists at gmail.com Wed Jan 4 14:21:24 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 4 Jan 2012 15:21:24 -0500 Subject: IPv6 resolvers In-Reply-To: References: Message-ID: On Wed, Jan 4, 2012 at 3:00 PM, Seth Mos wrote: > Hi Nanog, Owen, > > I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers? > > Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity. > > So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue. err, are all pfsense people automatically configured to use he's servers? that seems sorta rude if so... > > But I was wondering if a more permanent solution for these resolvers exist. > > > 74.82.42.42 2373 msec > 2001:470:20::2 2592 msec > > The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too. > 2001:4860:4860::8844
16 msec > > Kind regards, > > Seth Mos

From prox at prolixium.com Wed Jan 4 14:33:10 2012 From: prox at prolixium.com (Mark Kamichoff) Date: Wed, 4 Jan 2012 15:33:10 -0500 Subject: IPv6 resolvers In-Reply-To: References: Message-ID: <20120104203310.GA14647@prolixium.com> On Wed, Jan 04, 2012 at 09:00:26PM +0100, Seth Mos wrote: > I was wondering if many people are seeing horrendous latency on the > free Hurricane Electric resolvers? Looks fine to me: (neodymium:15:27)% dig @74.82.42.42 cnn.com. A ; <<>> DiG 9.7.3 <<>> @74.82.42.42 cnn.com. A ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53277 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;cnn.com. IN A ;; ANSWER SECTION: cnn.com. 299 IN A 157.166.226.26 cnn.com. 299 IN A 157.166.255.19 cnn.com. 299 IN A 157.166.255.18 cnn.com. 299 IN A 157.166.226.25 ;; Query time: 38 msec ;; SERVER: 74.82.42.42#53(74.82.42.42) ;; WHEN: Wed Jan 4 15:27:17 2012 ;; MSG SIZE rcvd: 89 (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;cnn.com. IN A ;; ANSWER SECTION: cnn.com. 295 IN A 157.166.226.25 cnn.com. 295 IN A 157.166.255.18 cnn.com. 295 IN A 157.166.255.19 cnn.com. 295 IN A 157.166.226.26 ;; Query time: 20 msec ;; SERVER: 2001:470:20::2#53(2001:470:20::2) ;; WHEN: Wed Jan 4 15:32:27 2012 ;; MSG SIZE rcvd: 89 That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net. I might not be hitting the same server you are.
- Mark -- Mark Kamichoff prox at prolixium.com http://www.prolixium.com/

From seth.mos at dds.nl Wed Jan 4 14:39:39 2012 From: seth.mos at dds.nl (Seth Mos) Date: Wed, 4 Jan 2012 21:39:39 +0100 Subject: IPv6 resolvers In-Reply-To: <20120104203310.GA14647@prolixium.com> References: <20120104203310.GA14647@prolixium.com> Message-ID: Hi, Just pointing out to others responding to this thread that I was referring to the *query* response times, I said nothing about ICMP which is perfectly fine. So please stop responding with ping response times already :-) No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records. On 4 Jan 2012, at 21:33, Mark Kamichoff wrote: > ;; ANSWER SECTION: > cnn.com. 299 IN A 157.166.226.26 > cnn.com. 299 IN A 157.166.255.19 > cnn.com. 299 IN A 157.166.255.18 > cnn.com. 299 IN A 157.166.226.25 And a similar mistake I see others respond to as well, this is another domain with just an IPv4 record. That was not really what I was complaining about but I was not specific enough in my email. When requesting the DNS for the hostname with a Quad A the story is entirely different! Try www.pfsense.com or www.didi.nl Those will definitely hit the issue, otherwise one can always use Nanog.org like below. 74.82.42.42 2204 msec 2001:4860:4860::8844 17 msec 2001:470:20::2 2890 msec Best regards, Seth > > ;; Query time: 38 msec > ;; SERVER: 74.82.42.42#53(74.82.42.42) > ;; WHEN: Wed Jan 4 15:27:17 2012 > ;; MSG SIZE rcvd: 89 > > (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A > > ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com.
A > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;cnn.com. IN A > > ;; ANSWER SECTION: > cnn.com. 295 IN A 157.166.226.25 > cnn.com. 295 IN A 157.166.255.18 > cnn.com. 295 IN A 157.166.255.19 > cnn.com. 295 IN A 157.166.226.26 > > ;; Query time: 20 msec > ;; SERVER: 2001:470:20::2#53(2001:470:20::2) > ;; WHEN: Wed Jan 4 15:32:27 2012 > ;; MSG SIZE rcvd: 89 > > That being said, keep in mind these are anycasted. I'm using > 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 > [tserv4.nyc4.ipv6.he.net] according to the A record returned by > whoami.akamai.net. I might not be hitting the same server you are. > > - Mark > > -- > Mark Kamichoff > prox at prolixium.com > http://www.prolixium.com/ From raymond at prolocation.net Wed Jan 4 14:42:02 2012 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed, 4 Jan 2012 21:42:02 +0100 (CET) Subject: IPv6 resolvers In-Reply-To: References: <20120104203310.GA14647@prolixium.com> Message-ID: Hi! > So please stop responding with ping response times already :-) > > No, pfSense does not set these per default, they are in wide use > because these are part of the Google DNS whitelist for V6 records. > And a similar mistake I see others respond too as well, this is another > domain with just a IPv4 record. That was not really what I was > complaining about but I was not specific enough in my email > > When requesting the DNS for the hostname with a Quad A the story is > entirely different! > > Try www.pfsense.com or www.didi.nl Tried those three for you and prolocation.net. All fine? This should not be on nanog i guess. 
Check with their support, or something :-) [root at ipv6proxy ~]# time host www.prolocation.net 2001:470:20::2 Using domain server: Name: 2001:470:20::2 Address: 2001:470:20::2#53 Aliases: www.prolocation.net has address 94.228.129.19 www.prolocation.net has IPv6 address 2a00:d00:ff:131:94:228:131:131 real 0m0.011s user 0m0.001s sys 0m0.008s [root at ipv6proxy ~]# [root at ipv6proxy ~]# time host pfsense.com 2001:470:20::2 Using domain server: Name: 2001:470:20::2 Address: 2001:470:20::2#53 Aliases: pfsense.com is an alias for pfsense.org. pfsense.org has address 69.64.6.21 pfsense.org has IPv6 address 2605:8000:d:1::167 pfsense.org mail is handled by 10 mail.pfsense.org. real 0m0.011s user 0m0.001s sys 0m0.007s [root at ipv6proxy ~]# time host www.didi.nl 2001:470:20::2 Using domain server: Name: 2001:470:20::2 Address: 2001:470:20::2#53 Aliases: www.didi.nl has address 82.94.161.132 www.didi.nl has IPv6 address 2001:888:2087:33::132 real 0m0.523s user 0m0.001s sys 0m0.006s Bye, Raymond. From prox at prolixium.com Wed Jan 4 14:46:56 2012 From: prox at prolixium.com (Mark Kamichoff) Date: Wed, 4 Jan 2012 15:46:56 -0500 Subject: IPv6 resolvers In-Reply-To: References: <20120104203310.GA14647@prolixium.com> Message-ID: <20120104204656.GB14647@prolixium.com> On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote: > And a similar mistake I see others respond too as well, this is > another domain with just a IPv4 record. That was not really what I was > complaining about but I was not specific enough in my email > > When requesting the DNS for the hostname with a Quad A the story is > entirely different! > > Try www.pfsense.com or www.didi.nl Still not seeing additional latency from here: (neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. 
AAAA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.didi.nl. IN AAAA ;; ANSWER SECTION: www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132 ;; Query time: 20 msec ;; SERVER: 2001:470:20::2#53(2001:470:20::2) ;; WHEN: Wed Jan 4 15:44:06 2012 ;; MSG SIZE rcvd: 57 And if that is already cached, let's try something that should require a fresh lookup: (neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;tengigabitethernet.com. IN AAAA ;; ANSWER SECTION: tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e ;; Query time: 84 msec ;; SERVER: 2001:470:20::2#53(2001:470:20::2) ;; WHEN: Wed Jan 4 15:44:41 2012 ;; MSG SIZE rcvd: 68 Again, not too bad.. - Mark -- Mark Kamichoff prox at prolixium.com http://www.prolixium.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: Digital signature URL:

From m.hallgren at free.fr Wed Jan 4 15:10:55 2012 From: m.hallgren at free.fr (Michael Hallgren) Date: Wed, 04 Jan 2012 22:10:55 +0100 Subject: Trouble accessing www.nanog.org In-Reply-To: <20120104201801.GA3917@vacation.karoshi.com.> References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> Message-ID: <1325711455.3241.98.camel@home> On Wednesday 04 January 2012 at 20:18 +0000, bmanning at vacation.karoshi.com wrote: > On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote: > > > From: Wessels, Duane [mailto:dwessels at verisign.com] > > > Sent: Wednesday, January 04, 2012 1:41 PM > > > Subject: Re: Trouble accessing www.nanog.org > > > > > > > > > The brief problem in accessing www.nanog.org was due to numerous > > > parallel > > > downloads of a large video file by a single source IP address. We have > > > no reason to believe it was malicious in intent, but the offender has > > > been > > > blocked anyway. > > > > [WEG] In the lovely CGN future, not only will you see this type of behavior (multiple pulls from the same IP) all of the time, your response to block it would have taken tens or hundreds of users out of service simultaneously. > > /troll > > > > Not meant to fault your response, merely to point out yet one more way that CGN is likely to break things where an assumption of 1 IP = 1 user/host/network exists. > > > > Wes George > > Hum... thats not how I read Duanes response at all.. I thought they blocked > the (excessively) large video file from download... :) Depends on how we (are supposed to) interpret ``the offender has been blocked anyway'' :) Cheers, mh > > /bill >

From jeroen at mompl.net Wed Jan 4 15:58:41 2012 From: jeroen at mompl.net (Jeroen van Aart) Date: Wed, 04 Jan 2012 13:58:41 -0800 Subject: Looking for a Tier 1 ISP Mentor for career advice. In-Reply-To: References: <48778.1321883369@turing-police.cc.vt.edu> <4ECAB566.5070408@blakjak.net> Message-ID: <4F04CB91.8040208@mompl.net> randal k wrote: > This is a huge point. We've had a LOT of trouble finding good network > engineers who have all of the previously mentioned "soft" attributes - > anything, can't setup a syslog server, doesn't understand AD much less > LDAP, etc. Imagine, an employee who can help themselves 90% of the time ...
> Finding the diamond that has strong niche skill, networking, with a broad &
> just-deep-enough sysadmin background has been very, very hard. I cannot

Raking up an older thread, but I have to comment on this.

I understand it is hard to find the right person for the job. And even harder to find someone who has a wide range of knowledge and "deep" specialised knowledge to boot.

When I was even more naive I always thought that in the world of IT most people knew a lot about many things, because it's not just a job but their hobby and passion (it is for me). So a sysadmin knows how to code and a coder knows how to set up a network and server etc. Yet what I noticed is that it is very rare to find such people. In fact I found people in one niche being almost ignorant of other fields. Say a coder gets confused when /tmp fills up and being unaware of this thing called a "search engine" and instead will virtually cry "help my puter b0rked, I stuck!" and vice versa.

It looks to me it's just the nature of most people to be good at only one or a couple of things and be mostly ignorant about the rest. It's not going to change much, and we just have to accept that's how it is for the most part. However it can be mitigated to some extent:

> emphasize enough the importance of cross-training. Immensely valuable.

This indeed will help a lot and is very important. Sadly though in the USA this kind of thing is not found to be important at all. Besides that, it is actually quite hard to find the right job. Or, actually, to be even acknowledged or heard by the employer of such a job. As always this thing goes both ways. Employers in the USA need to invest more in training their employees and learning should be an important and constant part of one's job and be actively encouraged. I think in this they're quite behind their Western European counterparts.
Regards,
Jeroen

-- 
Earthquake Magnitude: 3.2
Date: Wednesday, January 4, 2012 17:24:31 UTC
Location: Southern Alaska
Latitude: 59.8964; Longitude: -153.3298
Depth: 135.00 km

From nathan at atlasnetworks.us Wed Jan 4 16:25:40 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Wed, 4 Jan 2012 22:25:40 +0000
Subject: Looking for a Tier 1 ISP Mentor for career advice.
In-Reply-To: <4F04CB91.8040208@mompl.net>
References: <48778.1321883369@turing-police.cc.vt.edu> <4ECAB566.5070408@blakjak.net> <4F04CB91.8040208@mompl.net>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B65E23B@ex-mb-1.corp.atlasnetworks.us>

> Say a
> coder gets confused when /tmp fills up and being unaware of this thing
> called a "search engine" and instead will virtually cry "help my puter
> b0rked, I stuck!" and vice versa.

Hah! In my experience, this phenomenon is not unique to coders, sysadmins, or any other specialization. People prefer to look to other people for their answers. This one has bugged me for a long time, as I'm not sure what to attribute it to - is it a desire to be social, or to have the answer personalized? Is it a compliment indicative of respect of one's peer, or is it an indication of laziness?

> Employers in the USA need to invest more in training their employees
> and
> learning should be an important and constant part of one's job and be
> actively encouraged. I think in this they're quite behind their Western
> European counterparts.

This is likely true in many larger corporations. I have found the startup and SMB sectors to be highly amenable to investing in their people. Cash-strapped businesses are most likely to consider the ROI of buying their employees skillsets (ie, training) vs hiring in new employees just to acquire those skillsets, whereas larger companies either already have a guy who knows how to do X, or doesn't really mind hiring an X specialist (or the all-too-common X consultant).
Nathan

From mksmith at adhost.com Wed Jan 4 17:10:22 2012
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 4 Jan 2012 23:10:22 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To: <1325711455.3241.98.camel@home>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home>
Message-ID:

> -----Original Message-----
> From: Michael Hallgren [mailto:m.hallgren at free.fr]
> Sent: Wednesday, January 04, 2012 1:11 PM
> To: bmanning at vacation.karoshi.com
> Cc: Wessels, Duane; nanog at nanog.org
> Subject: Re: Trouble accessing www.nanog.org
>
> On Wednesday 04 January 2012 at 20:18 +0000, bmanning at vacation.karoshi.com
> wrote:
> > On Wed, Jan 04, 2012 at 03:10:13PM -0500, George, Wes wrote:
> > > > From: Wessels, Duane [mailto:dwessels at verisign.com]
> > > > Sent: Wednesday, January 04, 2012 1:41 PM
> > > > Subject: Re: Trouble accessing www.nanog.org
> > > >
> > > > The brief problem in accessing www.nanog.org was due to numerous
> > > > parallel
> > > > downloads of a large video file by a single source IP address. We have
> > > > no reason to believe it was malicious in intent, but the offender has
> > > > been
> > > > blocked anyway.
> > >
> > > [WEG] In the lovely CGN future, not only will you see this type of
> behavior (multiple pulls from the same IP) all of the time, your response to
> block it would have taken tens or hundreds of users out of service
> simultaneously.
> > > /troll
> > >
> > > Not meant to fault your response, merely to point out yet one more way
> that CGN is likely to break things where an assumption of 1 IP = 1
> user/host/network exists.
> > >
> > > Wes George
> >
> > Hum... that's not how I read Duane's response at all.. I thought they
> blocked
> > the (excessively) large video file from download...
:)
>
> Depends on how we (are supposed to) interpret ``the offender has been
> blocked anyway'' :)
>
> Cheers,
> mh
>
> >
> > /bill
> >

There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site.

Mike

From ryan at u13.net Wed Jan 4 17:40:39 2012
From: ryan at u13.net (Ryan Rawdon)
Date: Wed, 4 Jan 2012 18:40:39 -0500
Subject: IPv6 resolvers
In-Reply-To: <20120104204656.GB14647@prolixium.com>
References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com>
Message-ID: <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net>

On Jan 4, 2012, at 3:46 PM, Mark Kamichoff wrote:

> On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote:
>> And a similar mistake I see others respond to as well, this is
>> another domain with just an IPv4 record. That was not really what I was
>> complaining about but I was not specific enough in my email
>>
>> When requesting the DNS for the hostname with a Quad A the story is
>> entirely different!
>>
>> Try www.pfsense.com or www.didi.nl
>
> Still not seeing additional latency from here:

Try .pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org, and when it does occur I see a 1500-2200ms query time:

nova-dhcp-host111:~ ryan$ dig @ordns.he.net awegawregwaefg.pfsense.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> @ordns.he.net awegawregwaefg.pfsense.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;awegawregwaefg.pfsense.org. IN A

;; AUTHORITY SECTION:
pfsense.org. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2012010200 10001 1801 604801 3601

;; Query time: 1695 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 18:34:17 2012
;; MSG SIZE rcvd: 117

nova-dhcp-host111:~ ryan$

>
> (neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA
>
> ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.didi.nl. IN AAAA
>
> ;; ANSWER SECTION:
> www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132
>
> ;; Query time: 20 msec
> ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
> ;; WHEN: Wed Jan 4 15:44:06 2012
> ;; MSG SIZE rcvd: 57
>
> And if that is already cached, let's try something that should require a
> fresh lookup:
>
> (neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA
>
> ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;tengigabitethernet.com. IN AAAA
>
> ;; ANSWER SECTION:
> tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e
>
> ;; Query time: 84 msec
> ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
> ;; WHEN: Wed Jan 4 15:44:41 2012
> ;; MSG SIZE rcvd: 68
>
> Again, not too bad..
>
> - Mark
>
> --
> Mark Kamichoff
> prox at prolixium.com
> http://www.prolixium.com/

From cmadams at hiwaay.net Wed Jan 4 17:48:40 2012
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 4 Jan 2012 17:48:40 -0600
Subject: IPv6 resolvers
In-Reply-To: <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net>
References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com> <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net>
Message-ID: <20120104234840.GA22334@hiwaay.net>

Once upon a time, Ryan Rawdon said:
> Try .pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org, and when it does occur I see a 1500-2200ms query time:

This appears to be a problem with the authoritative servers for pfsense.org. They are dns[1-5].registrar-servers.com (which each have multiple IP addresses). If I try each IP, I get no response from 38.101.213.194 and 2+ second response time from 69.16.244.25. Both of those IPs are listed for dns1.registrar-servers.com.

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From cloos at jhcloos.com Wed Jan 4 20:23:20 2012
From: cloos at jhcloos.com (James Cloos)
Date: Wed, 04 Jan 2012 21:23:20 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To: (Randy Bush's message of "Wed, 04 Jan 2012 19:26:59 +0900")
References: <20120104101556.GA8280@macbook.bluepipe.net>
Message-ID:

>>>>> "RB" == Randy Bush writes:

>>> 7.8% is over ipv6 transport
>>> but only 2% of outgoing deliveries are over ipv6.

This is incoming only, mostly mailing lists (including a few *busy* ones):

:; zgrep -Ec 'client=[^[]+\[[^]]+:' /var/log/mail.info* |awk -F: '{i+=$NF} END {print i}'
33966
:; zgrep -Ec 'client=[^[]+\[[0-9]+\.' /var/log/mail.info* |awk -F: '{i+=$NF} END {print i}'
176978

so 19.19% ipv6.

That is somewhat biased by the fact that debian and, IIRC, gnome lists are sent from ipv6-capable hosts and their bugs lists are among the busiest lists.

For outgoing, s/client/relay/ which results in about 4.75% ipv6.

-JimC
-- 
James Cloos OpenPGP: 1024D/ED7DAEA6
grep --color=yes -Ec 'client=[^[]+\[[^]]+:' /var/log/mail.info

From morrowc.lists at gmail.com Wed Jan 4 21:33:39 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 4 Jan 2012 22:33:39 -0500
Subject: IPv6 resolvers
In-Reply-To: <20120104234840.GA22334@hiwaay.net>
References: <20120104203310.GA14647@prolixium.com> <20120104204656.GB14647@prolixium.com> <79FBF1F6-F847-4A3D-85DF-9D1BF57FB59B@u13.net> <20120104234840.GA22334@hiwaay.net>
Message-ID:

does pfsense need real dns hosting maybe? I hear: http://puck.nether.net/dns ... works.

On Wed, Jan 4, 2012 at 6:48 PM, Chris Adams wrote:
> registrar-servers.com.

From morrowc.lists at gmail.com Wed Jan 4 21:36:27 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 4 Jan 2012 22:36:27 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home>
Message-ID:

On Wed, Jan 4, 2012 at 6:10 PM, Michael K. Smith - Adhost wrote:
> There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site.

oh! so the 200 or so users on tulip.net that were downloading nanog content were blocked, bummer :(

/troll-mode=on

Err, while we're talking about video files and nanog, why is the video content still served off (stored content I mean) nanog.org servers? Why not use one of the many video serving services?
some of which are free even :)
(that part's not a troll, a real question, even!)
-chris

From mksmith at adhost.com Wed Jan 4 21:41:06 2012
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 5 Jan 2012 03:41:06 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home>
Message-ID: <1514023B-A622-4C03-B26A-84128290030A@adhost.com>

On Jan 4, 2012, at 7:36 PM, Christopher Morrow wrote:

> On Wed, Jan 4, 2012 at 6:10 PM, Michael K. Smith - Adhost
> wrote:
>
>> There was a single source IP with 200+ open, active http connections to a single large media file. The single IP address was blocked. The file itself is still available on the site.
>
> oh! so the 200 or so users on tulip.net that were downloading nanog
> content were blocked, bummer :(
>
> /troll-mode=on
>

"And now if everyone would open their laptop and go to the following address?"

> Err, while we're talking about video files and nanog, why is the video
> content still served off (stored content I mean) nanog.org servers?
> Why not use one of the many video serving services? some of which are
> free even :)
> (that part's not a troll, a real question, even!)
> -chris

The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time...

Mike

From morrowc.lists at gmail.com Wed Jan 4 21:45:18 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 4 Jan 2012 22:45:18 -0500
Subject: incoming smtp from v6 addresses
In-Reply-To:
References: <20120104101556.GA8280@macbook.bluepipe.net>
Message-ID:

On Wed, Jan 4, 2012 at 5:26 AM, Randy Bush wrote:
> hold your nose
>
> zgrep '<=.*\[....:' /var/spool/exim/log/main* | wc
> zgrep '<=' /var/spool/exim/log/main* | wc
>
> and the ever faithful bc :)

err... one of 4 MX's for home email... (I'll catch the others later on)

v6 inbound:
$ egrep '\[2...:' /tmp/today.from |wc -l
244

v4 inbound:
$ egrep -v '\[2...:' /tmp/today.from |wc -l
135591

percent v4: 135591/(244+135591) * 100
99.82

v6 outbound:
$ egrep '\[2...:' /tmp/today.to |wc -l
198

v4 outbound:
$ egrep -v '\[2...:' /tmp/today.to |wc -l
196

a note about the OUT numbers... I was apparently bouncing/connection-refusing to a relay over v6 :( so.... 2 REAL connections out, 196 failures, w00t! (this mailserver does little 'out' email apparently)

From morrowc.lists at gmail.com Wed Jan 4 21:47:17 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 4 Jan 2012 22:47:17 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <1514023B-A622-4C03-B26A-84128290030A@adhost.com>
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> <1514023B-A622-4C03-B26A-84128290030A@adhost.com>
Message-ID:

On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost wrote:
>> Err, while we're talking about video files and nanog, why is the video
>> content still served off (stored content I mean) nanog.org servers?
>> Why not use one of the many video serving services? some of which are
>> free even :)
>> (that part's not a troll, a real question, even!)
>> -chris
>
>
> The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time...

I'm sure we could arrange some process to ingest videos to some form of video-hosting-website... a videotubes site let's say.

who should I chat with?

From mksmith at adhost.com Wed Jan 4 22:44:38 2012
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 5 Jan 2012 04:44:38 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References: <13205C286662DE4387D9AF3AC30EF456D74ED694FD@EMBX01-WF.jnpr.net> <4F0479BE.6030206@trelane.net> <175C077F-0B34-4995-A956-1517CDC10138@verisign.com> <20120104201801.GA3917@vacation.karoshi.com.> <1325711455.3241.98.camel@home> <1514023B-A622-4C03-B26A-84128290030A@adhost.com>
Message-ID: <589A9865-53D5-4482-853C-F21D6DC6D053@adhost.com>

Mike

On Jan 4, 2012, at 7:47 PM, Christopher Morrow wrote:

> On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost
> wrote:
>
>>> Err, while we're talking about video files and nanog, why is the video
>>> content still served off (stored content I mean) nanog.org servers?
>>> Why not use one of the many video serving services? some of which are
>>> free even :)
>>> (that part's not a troll, a real question, even!)
>>> -chris
>>
>>
>> The website work hasn't yet begun, so that is certainly still on the table. If you would like to volunteer some of your time...
>
> I'm sure we could arrange some process to ingest videos to some form
> of video-hosting-website... a videotubes site let's say.
>
> who should I chat with?

-- 
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From bonomi at mail.r-bonomi.com Wed Jan 4 23:03:07 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Wed, 4 Jan 2012 23:03:07 -0600 (CST)
Subject: Looking for a Tier 1 ISP Mentor for career advice.
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B65E23B@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <201201050503.q05537dQ025987@mail.r-bonomi.com>

Nathan Eisenberg wrote:
> To: Jeroen van Aart , NANOG list
> Subject: RE: Looking for a Tier 1 ISP Mentor for career advice.
> Date: Wed, 4 Jan 2012 22:25:40 +0000
>
> > Say a
> > coder gets confused when /tmp fills up and being unaware of this thing
> > called a "search engine" and instead will virtually cry "help my puter
> > b0rked, I stuck!" and vice versa.
>
> Hah! In my experience, this phenomenon is not unique to coders,
> sysadmins, or any other specialization. People prefer to look to other
> people for their answers. This one has bugged me for a long time, as
> I'm not sure what to attribute it to - is it a desire to be social, or
> to have the answer personalized? Is it a compliment indicative of
> respect of one's peer, or is it an indication of laziness?

This phenomenon has been recognized for, well, "forever". The 'reasons' are codified in 'traditional wisdom' like "two heads are better than one", or the modern "The solution to the most intractable problem is immediately obvious to the first unqualified observer."

When one's own way of looking at a problem isn't working, it is necessary to find a "different way of looking at the problem". The most efficient way to do that is talk to someone who thinks differently than you do.

"Search engines" are good for finding facts; 'less good' for finding abstract/concept info -- It's much harder to formulate a search query to find something to 'fill in the blanks' in an _incomplete_ conceptualization. If you can formulate the search for "what you're missing" the search probably contains the answers you're looking for.

Also, the act of 'organizing one's thoughts' to explain the problem to someone who is *NOT* familiar with the background of the problem can lead to _self-recognition_ of the solution. I have phoned a colleague, many times, and/or had a colleague phone me, where the _one-sided_ conversation has gone;

<-- "Hello?"
--> "Hi! I've got a problem. like _this_ {launches into description}... OH!! never mind, the light just dawned!"
<-- " Glad I could help."

"Troubleshooting", however, _is_ a special case situation.

I can pontificate on this at some length. You have been warned.

Troubleshooting problems is an 'art', not a 'science'. Either you know how to do it, or you don't. And, like any other "art", you can't teach it; you _can_ teach 'mechanics' that help people who have an 'instinctive' (for lack of a better word) grasp of the subject "do it better". But the _ability_ has to be there in the first place.

It's similar to integral calculus -- you have a result, and are looking for the question. (Remember how _hard_ integration was -- until the 'AHA!' moment when, all of a sudden, it all made sense. And you were shaking your head wondering *why* you had so much trouble 'getting it'.)

Troubleshooting is much the same. If you've seen "that" problem before, you have an idea of what -may- be causing it. And can start checking for the existence of each possible 'what' that you know about. With experience, you know _which_ "what" is most likely and to start there. Also, what _additional_ things to check, to narrow down the list of 'possibles'.

'Search engines' are good when you have a 'question' and are looking for an 'answer' (like 'differential calculus', to use the math metaphor). But they're "medium lousy", at best, at finding the 'question' that fits the 'answer'.

There are some major attempts being made to build computers that _can_ reverse engineer the 'question' from an 'answer'. See 'Watson' -- the IBM research computer project that plays as a contestant on "Jeopardy!" The latest incarnation 'does good' a lot of the time, but when it's wrong it is *very* wrong. I don't think I've ever seen it be 'close, but incorrect'.

From kmedcalf at dessus.com Thu Jan 5 03:51:00 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Thu, 05 Jan 2012 02:51:00 -0700
Subject: Trouble accessing www.nanog.org
In-Reply-To:
Message-ID: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com>

There are video hosting web sites on the intertubes?

Now where would those be found, I wonder.
All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst being something called FlashVirus, which was written by a company called MacroVirus Media or something like that, and currently owned and flogged by Adobe along with their "Proprietary Document Format" (the latest versions of which boast UVTD technology -- Unstoppable Virus Transport and Distribution).

If the so-called video contains arbitrary executable code (or can run arbitrary executable code), or requires the use of a specific application to "play" (or infect the target), then it should not be described as "video". It is a streaming-macro.

Microsoft was the first OS vendor to add the "Execute Payload" header to IP which saved much time and effort in the distribution of malicious code via the internet. Unfortunately, Adobe and several other vendors have patents on what is called the method of "Executable Data" and made Microsoft remove their wondrous invention under pain of patent lawsuits.

Of course, maybe what's meant is File hosting, where the File being hosted just happens to contain video data in standard data format (preferably a pure-data format that does not embed execution macros of any type).

;)

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
> Sent: Wednesday, 04 January, 2012 20:47
> To: Michael K. Smith - Adhost
> Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org
> Subject: Re: Trouble accessing www.nanog.org
>
> On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost
> wrote:
>
> >> Err, while we're talking about video files and nanog, why is the video
> >> content still served off (stored content I mean) nanog.org servers?
> >> Why not use one of the many video serving services? some of which are
> >> free even :)
> >> (that part's not a troll, a real question, even!)
> >> -chris
> >
> >
> > The website work hasn't yet begun, so that is certainly still on the
> table. If you would like to volunteer some of your time...
>
> I'm sure we could arrange some process to ingest videos to some form
> of video-hosting-website... a videotubes site let's say.
>
> who should I chat with?

From jr at xor.at Thu Jan 5 09:12:33 2012
From: jr at xor.at (Johannes Resch)
Date: Thu, 05 Jan 2012 16:12:33 +0100
Subject: anycast load balancing issue
In-Reply-To: <20120104120255.GT7491@besserwisser.org>
References: <20120104120255.GT7491@besserwisser.org>
Message-ID: <4F05BDE1.3040103@xor.at>

Hi,

On 04.01.2012 13:02, Måns Nilsson wrote:
>
> [..snipped..]
>
> Trouble is, we find that (untweaked) cost and metric are such that all
> nodes are equal. The last resort (peer router ID) gets invoked and all
> traffic goes to one single instance. Of course, when that instance falls
> off the net recalculation takes place and another node steps in, but
> I'd like true path lengths (IGP hop count) to influence more than iBGP
> (route-reflector-style) selection.
>
> Any clues?
>
> Oh, all-cisco, all ASR1000 series. All links GE. ~90 routers in IGP.
>

Since you mention route-reflector route selection - are you already using per-VRF, per-PE route distinguishers for that L3VPN instance?

If not, I'd recommend doing so - this will cause your RR to see all paths as unique routes, distributing all of them (instead of just the best one from the RR perspective) to RR clients. As a result all PEs will always have all paths for this particular prefix (and can then take the best path decision based on local IGP metric to the respective BGP next hops).

Doing that can also significantly improve reconvergence times for certain failure scenarios (e.g. ingress PE failure), as PEs can start using alternative paths (already available in local BGP RIB) as soon as the IGP nexthop for the failed PE is invalidated and do not need to wait for BGP RR reconvergence.
cheers,
-jr

From jra at baylink.com Thu Jan 5 09:22:52 2012
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 5 Jan 2012 10:22:52 -0500 (EST)
Subject: Whacky Weekend: Is Internet Access a Human Right?
Message-ID: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>

Vint Cerf says no:

http://j.mp/wwL9Ip

But I wonder to what degree that's dependent on how much our governments make Internet access the most practical/only practical way to interact with them.

Understand: I'm not saying that FiOS should be a human right. But as a society, America's recognized for decades that you gotta have a telephone, and subsidized local/lifeline service to that extent; that sort of subsidy applies to cellular phones now as well.

Thoughts?

Cheers,
-- jr 'yes, I know I'm early...' a

-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From rsk at gsp.org Thu Jan 5 09:22:55 2012
From: rsk at gsp.org (Rich Kulawiec)
Date: Thu, 5 Jan 2012 10:22:55 -0500
Subject: Internet Edge and Defense in Depth
In-Reply-To:
References: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o>
Message-ID: <20120105152255.GC20575@gsp.org>

On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> Cramming every little feature under the sun into one appliance makes for
> great glossy brochures and Powerpoint decks, but I just don't think it's
> practical.

1. It's an excellent way to create a single point-of-failure.

2. I prefer, when building defense-in-depth, to build the layers with different technology running on different operating systems on different architectures. There's no doubt this adds some complexity and that it requires judicious design to be scalable, maintainable, and so on. But it raises the bar for attackers considerably, and it gives defenders a fighting chance of discovering a breach in one layer before it becomes a breach in all layers.

3. One of the mistakes we all continue to make, whether we have our paws on integrated appliances or separate systems, is default-permit. We really need to make sure that the syntactic equivalent of "deny all from any to any" is the first rule installed in any of these, and then work from there.

---rsk

p.s. In re Powerpoint, I've long held that the appropriate response to "I have a PowerPoint presentation..." is for everyone else in the room to find a strong rope and a sturdy tree, and do what must be done for the sake of humanity.

From marshall.eubanks at gmail.com Thu Jan 5 09:29:46 2012
From: marshall.eubanks at gmail.com (Marshall Eubanks)
Date: Thu, 5 Jan 2012 10:29:46 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com>
References: <0034f79f5f0a0f4dab52881760e8fba3@mail.dessus.com>
Message-ID:

On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote:
>
> There are video hosting web sites on the intertubes?
>
> Now where would those be found, I wonder. All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst being something called FlashVirus, which was written by a company called MacroVirus Media or something like that, and currently owned and flogged by Adobe along with their "Proprietary Document Format" (the latest versions of which boast UVTD technology -- Unstoppable Virus Transport and Distribution).
>
> If the so-called video contains arbitrary executable code (or can run arbitrary executable code), or requires the use of a specific application to "play" (or infect the target), then it should not be described as "video". It is a streaming-macro.
>

Is H.264 Turing-complete ? Is Ogg-Vorbis ?
(It seems like those are the two reasonable open standard choices.) Regards Marshall > Microsoft was the first OS vendor to add the "Execute Payload" header to IP which saved much time and effort in the distribution of malicious code via the internet. Unfortunately, Adobe and several other vendors have patents on what is called the method of "Executable Data" and made Microsoft remove their wondrous invention under pain of patent lawsuits. > > Of course, maybe what's meant is File hosting, where the File being hosted just happens to contain video data in standard data format (preferably a pure-data format that does not embed execution macros of any type). > > ;) > > --- > () ascii ribbon campaign against html e-mail > /\ www.asciiribbon.org > > >> -----Original Message----- >> From: Christopher Morrow [mailto:morrowc.lists at gmail.com] >> Sent: Wednesday, 04 January, 2012 20:47 >> To: Michael K. Smith - Adhost >> Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org >> Subject: Re: Trouble accessing www.nanog.org >> >> On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost >> wrote: >> >> >> Err, while we're talking about video files and nanog, why is the video >> >> content still served off (stored content I mean) nanog.org servers? >> >> Why not use one of the many video serving services? some of which are >> >> free even :) >> >> (that part's not a troll, a real question, even!) >> >> -chris >> > >> > >> > The website work hasn't yet begun, so that is certainly still on the >> table. If you would like to volunteer some of your time... >> >> I'm sure we could arrange some process to ingest videos to some form >> of video-hosting-website... a videotubes site let's say. >> >> who should I chat with?
> > > > > From mikea at mikea.ath.cx Thu Jan 5 09:33:15 2012 From: mikea at mikea.ath.cx (Mike Andrews) Date: Thu, 5 Jan 2012 09:33:15 -0600 Subject: Internet Edge and Defense in Depth In-Reply-To: <20120105152255.GC20575@gsp.org> References: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o> <20120105152255.GC20575@gsp.org> Message-ID: <20120105153315.GB92250@mikea.ath.cx> On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote: > On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote: > > Cramming every little feature under the sun into one appliance makes for > > great glossy brochures and Powerpoint decks, but I just don't think it's > > practical. > > 1. It's an excellent way to create a single point-of-failure. > > 2. I prefer, when building defense-in-depth, to build the layers with different > technology running on different operating systems on different architectures. > There's no doubt this adds some complexity and that it requires judicious > design to be scalable, maintainable, and so on. But it raises the bar > for attackers considerably, and it gives defenders a fighting chance of > discovering a breach in one layer before it becomes a breach in all layers. > > 3. One of the mistakes we all continue to make, whether we have our > paws on integrated appliances or separate systems, is default-permit. > We really need to make sure that the syntactic equivalent of "deny > all from any to any" is the first rule installed in any of these, > and then work from there. > > p.s. In re Powerpoint, I've long held that the appropriate response to > "I have a PowerPoint presentation..." is for everyone else in the room > to find a strong rope and a sturdy tree, and do what must be done for > the sake of humanity. "Power corrupts. PowerPoint corrupts absolutely." As regards avoidance of SPOFs, I also prefer multiple layers in different technologies &c. A monoculture is horribly vulnerable. 
I grant that network hardware isn't exactly Ireland just before the potato famine, but the parallels are there and applicable in at least some senses. -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From marshall.eubanks at gmail.com Thu Jan 5 09:36:44 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jan 2012 10:36:44 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote: > Vint Cerf says no: http://j.mp/wwL9Ip With all due respect to Vint, I think that it isn't now, but it will be. Regards Marshall > > But I wonder to what degree that's dependent on how much our governments make > Internet access the most practical/only practical way to interact with them. > > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > Thoughts? > > Cheers, > -- jr 'yes, I know I'm early...' a > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 > From bicknell at ufp.org Thu Jan 5 09:41:10 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jan 2012 07:41:10 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: <20120105154110.GA6914@ussenterprise.ufp.org> In a message written on Thu, Jan 05, 2012 at 10:22:52AM -0500, Jay Ashworth wrote: > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. There's a pretty big gap between providing subsidized service because it's good for people/society/the government/business/whatever and a "human right". The government subsidizes lots of things, roads, electric service, planting of wheat; that doesn't make any of them human rights. A few years back I read the Wikipedia page on Human Rights, and it made me realize the topic is far deeper than I had initially thought. There really are a lot of nuances to the topic. http://en.wikipedia.org/wiki/Human_rights Broadband, to me, is not a human right. It is something that makes our society more efficient, and improves the quality of life for virtually every citizen, so I do think the government has a role and interest in seeing widespread, if not universal broadband deployment. Failure to provide broadband to someone is not a human rights violation though, and the idea that it is probably is offensive to those who have experienced real human rights violations. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From zaid at zaidali.com Thu Jan 5 09:45:25 2012 From: zaid at zaidali.com (Zaid Ali) Date: Thu, 05 Jan 2012 07:45:25 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: I agree with Vint here. Basic human rights are access to food, clothing and shelter. I think we are still struggling in the world with that. With your logic one would expect the radio and TV to be a basic human right but they are not; they are and will remain powerful media which will be enablers of something else, and the Internet would fit there. Zaid On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >Vint Cerf says no: http://j.mp/wwL9Ip > >But I wonder to what degree that's dependent on how much our governments >make >Internet access the most practical/only practical way to interact with >them. > >Understand: I'm not saying that FiOS should be a human right. But as a >society, America's recognized for decades that you gotta have a telephone, >and subsidized local/lifeline service to that extent; that sort of subsidy >applies to cellular phones now as well. > >Thoughts? > >Cheers, >-- jr 'yes, I know I'm early...' a >-- >Jay R. Ashworth Baylink >jra at baylink.com >Designer The Things I Think RFC >2100 >Ashworth & Associates http://baylink.pitas.com 2000 Land >Rover DII >St Petersburg FL USA http://photo.imageinc.us +1 727 647 >1274 > From aledm at qix.co.uk Thu Jan 5 09:47:56 2012 From: aledm at qix.co.uk (Aled Morris) Date: Thu, 5 Jan 2012 15:47:56 +0000 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: On 5 January 2012 15:22, Jay Ashworth wrote: > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > There is a subtlety here too - when we grant a monopoly (e.g.
to operate a physical loop or in licensing spectrum) in return we often place a "universal service obligation" on the operator in order that they don't abuse their monopoly by not providing service to "less profitable" customers. This isn't the same as a "right" to a phone. Aled From eesslinger at fpu-tn.com Thu Jan 5 09:56:46 2012 From: eesslinger at fpu-tn.com (Eric J Esslinger) Date: Thu, 5 Jan 2012 09:56:46 -0600 Subject: question regarding US requirements for journaling public email (possible legislation?) Message-ID: Hope y'all had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday morning). Sorry to drop what is possibly just someone misunderstanding something or pulling my leg on the list, but over the holidays I ran into one of my buddies that is also a network admin type and he was griping about mail journalling, which I already do for our corporate email accounts. However, his discussion was in terms of all customer email... Which I said was probably a bad thing to do. His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers. I've seen nothing, and my google fu has turned up nothing other than corporate requirements, so I ask here. Has anyone heard of such a bill working its way through either side of congress? (I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.) I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward towards maybe needing to implement. Thanks for your attention and may you have a low incident new year.
__________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. From jra at baylink.com Thu Jan 5 10:07:56 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 5 Jan 2012 11:07:56 -0500 (EST) Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Message-ID: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Zaid Ali" > On 1/5/12 7:22 AM, "Jay Ashworth" wrote: > > >Vint Cerf says no: http://j.mp/wwL9Ip > > > >But I wonder to what degree that's dependent on how much our governments > >make Internet access the most practical/only practical way to interact > >with them. > > > >Understand: I'm not saying that FiOS should be a human right. But as a > >society, America's recognized for decades that you gotta have a telephone, > >and subsidized local/lifeline service to that extent; that sort of subsidy > >applies to cellular phones now as well. > I agree with Vint here. Basic human rights are access to food, clothing > and shelter. I think we are still struggling in the world with that. With > your logic one would expect the radio and TV to be a basic human right but > they are not, they are and will remain powerful medium which be enablers > of something else and the Internet would fit there. Well, I dunno... as I think was obvious from my other comments: TV and Radio are *broadcast* media; telephones and the internet are not; they're *two-way* communications media... and they're the communications media which have been chosen by the organs of government we've constituted to run things for us. You hit the important word, though, in your reply: "*access to* food, clothing, and shelter"... not the things themselves. 
The question here is "is *access to* the Internet a human right, something which the government ought to recognize and protect"? I sort of think it is, myself... and I think that Vint is missing the point: *all* of the things we generally view as human rights are enablers to other things, and we generally dub them *as those things*, by synecdoche... at least in my experience. If I'm not mistaken, Vint's on this list; perhaps he'll chime in. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Thu Jan 5 10:09:59 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 5 Jan 2012 11:09:59 -0500 (EST) Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <20120105154110.GA6914@ussenterprise.ufp.org> Message-ID: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Leo Bicknell" > Broadband, to me, is not a human right. It is something that makes our > society more efficient, and improves the quality of life for virtually > every citizen, so I do think the government has a role and interest in > seeing widespread, if not universal broadband deployment. Failure to > provide broadband to someone is not a human rights violation though, > and the idea that it is probably is offensive to those who have > experienced real human rights violations. Didn't *say* broadband. Didn't even say "Internet service". Said "Internet *access*", in the non-techspeak meaning of those words. Cheers, -- jra -- Jay R. 
Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From marshall.eubanks at gmail.com Thu Jan 5 10:26:50 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jan 2012 11:26:50 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> References: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> Message-ID: On Thu, Jan 5, 2012 at 11:07 AM, Jay Ashworth wrote: > ----- Original Message ----- >> From: "Zaid Ali" > >> On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >> >> >Vint Cerf says no: http://j.mp/wwL9Ip >> > >> >But I wonder to what degree that's dependent on how much our governments >> >make Internet access the most practical/only practical way to interact >> >with them. >> > >> >Understand: I'm not saying that FiOS should be a human right. But as a >> >society, America's recognized for decades that you gotta have a telephone, >> >and subsidized local/lifeline service to that extent; that sort of subsidy >> >applies to cellular phones now as well. > >> I agree with Vint here. Basic human rights are access to food, clothing >> and shelter. I think we are still struggling in the world with that. With >> your logic one would expect the radio and TV to be a basic human right but >> they are not, they are and will remain powerful medium which be enablers >> of something else and the Internet would fit there. > > Well, I dunno... as I think was obvious from my other comments: TV and Radio > are *broadcast* media; telephones and the internet are not; they're *two-way* > communications media... and they're the communications media which have been > chosen by the organs of government we've constituted to run things for us. 
> > You hit the important word, though, in your reply: "*access to* food, clothing, > and shelter"... not the things themselves. > > The question here is "is *access to* the Internet a human right, something > which the government ought to recognize and protect"? I sort of think it is, > myself... and I think that Vint is missing the point: *all* of the things > we generally view as human rights are enablers to other things, and we > generally dub them *as those things*, by synecdoche... at least in my > experience. > > If I'm not mistaken, Vint's on this list; perhaps he'll chime in. :-) Here is a way to think about it - is denial of X a violation of human rights ? If so, access to X should be viewed as a human right. Denial of food, for example, is certainly a violation of human rights. That is not the same as saying that everyone always will be able to afford to eat anything they want, or in dire circumstances even all they need, but to deny food is certainly to violate human rights. I think that if we had heard that (say) Libya's Khaddafi had denied (say) the people of Benghazi all access to telephony, that that would be regarded as a violation of human rights. (Actually, he did and it was). People would, for example, start dying because no one could call an ambulance in an emergency. It would set the stage for further human rights violations, because no one could alert the world to what was happening. Etc. In 1880, that would not have been true, but today it is. Is the Internet at that level ? IMO, no, but it will be soon. That is not the same to say that everyone will get 100 Gbps for free, any more than everyone gets to eat at La Tour d'Argent in Paris. Regards Marshall > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com
2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 > From bicknell at ufp.org Thu Jan 5 10:29:05 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jan 2012 08:29:05 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> Message-ID: <20120105162905.GB6914@ussenterprise.ufp.org> In a message written on Thu, Jan 05, 2012 at 11:09:59AM -0500, Jay Ashworth wrote: > > Broadband, to me, is not a human right. It is something that makes our > > society more efficient, and improves the quality of life for virtually > > every citizen, so I do think the government has a role and interest in > > seeing widespread, if not universal broadband deployment. Failure to > > provide broadband to someone is not a human rights violation though, > > and the idea that it is probably is offensive to those who have > > experienced real human rights violations. > > Didn't *say* broadband. Didn't even say "Internet service". Said "Internet > *access*", in the non-techspeak meaning of those words. For the purposes of my e-mail and this point in time, they are all synonymous. That is, if "internet access" is a right, providing someone a 9600bps dial up does not, in my mind, qualify. That might qualify for e-mail access, but you can not use a reasonable fraction of the Internet at that access speed. Similarly, denying someone internet service denies them internet access. The only difference between your terms and mine, is that mine are fixed to this point in time while yours is a general concept that may move in the future. One day 50Mbps broadband may not qualify anymore as "internet access" due to where the internet ends up. But let's take a specific (famous) example. Kevin Mitnick.
From his wikipedia page: "During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone." If Internet access (to use your term) had been a human right then his human rights were violated by the government when they banned him from using any communications technology. Do we really want to suggest that banning him from using the computer is the same level of violation as enslaving him, torturing him, or even killing him? -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From zaid at zaidali.com Thu Jan 5 10:37:07 2012 From: zaid at zaidali.com (Zaid Ali) Date: Thu, 05 Jan 2012 08:37:07 -0800 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com> Message-ID: On 1/5/12 8:07 AM, "Jay Ashworth" wrote: >----- Original Message ----- >> From: "Zaid Ali" > >> On 1/5/12 7:22 AM, "Jay Ashworth" wrote: >> >> >Vint Cerf says no: http://j.mp/wwL9Ip >> > >> >But I wonder to what degree that's dependent on how much our >>governments >> >make Internet access the most practical/only practical way to interact >> >with them. >> > >> >Understand: I'm not saying that FiOS should be a human right. But as a >> >society, America's recognized for decades that you gotta have a >>telephone, >> >and subsidized local/lifeline service to that extent; that sort of >>subsidy >> >applies to cellular phones now as well. > >> I agree with Vint here. Basic human rights are access to food, clothing >> and shelter. I think we are still struggling in the world with that.
>>With >> your logic one would expect the radio and TV to be a basic human right >>but >> they are not, they are and will remain powerful medium which be enablers >> of something else and the Internet would fit there. > >Well, I dunno... as I think was obvious from my other comments: TV and >Radio >are *broadcast* media; telephones and the internet are not; they're >*two-way* >communications media... and they're the communications media which have >been >chosen by the organs of government we've constituted to run things for us. > >You hit the important word, though, in your reply: "*access to* food, >clothing, >and shelter"... not the things themselves. > >The question here is "is *access to* the Internet a human right, >something >which the government ought to recognize and protect"? I sort of think it >is, >myself... and I think that Vint is missing the point: *all* of the things >we generally view as human rights are enablers to other things, and we >generally dub them *as those things*, by synecdoche... at least in my >experience. If I wrote a blog article that criticized the government and it was shutdown along with my Internet access I wouldn't say that my right to the Internet was violated. I would say that my right to free speech was violated. Regardless of one way or two way communication it is communication. Zaid From mjkelly at gmail.com Thu Jan 5 10:36:54 2012 From: mjkelly at gmail.com (Matt Kelly) Date: Thu, 5 Jan 2012 11:36:54 -0500 Subject: Comcast Postmaster... Message-ID: <5ECF0F04-F1FC-453D-A75C-14CB6C782423@gmail.com> Would a comcast postmaster be so kind as to contact me off list? Thanks. -- Matt From davei at otd.com Thu Jan 5 10:48:06 2012 From: davei at otd.com (Dave Israel) Date: Thu, 05 Jan 2012 11:48:06 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? 
In-Reply-To: <20120105162905.GB6914@ussenterprise.ufp.org> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> Message-ID: <4F05D446.2060208@otd.com> On 1/5/2012 11:29 AM, Leo Bicknell wrote: > In a message written on Thu, Jan 05, 2012 at 11:09:59AM -0500, Jay Ashworth wrote: >> Didn't *say* broadband. Didn't even say "Internet service". Said "Internet >> *access*", in the non-techspeak meaning of those words. > For the purposes of my e-mail and this point in time, they are all > synonymous. > > That is, if "internet access" is a right, providing someone a > 9600bps dial up does not, in my mind, qualify. That might qualify > for e-mail access, but you can not use a reasonable fraction of the > Internet at that access speed. Similarly, denying someone internet > service denies them internet access. The only difference between your > terms and mine, is that mine are fixed to this point in time while > yours is a general concept that may move in the future. One day 50Mbps > broadband may not qualify anymore as "internet access" due to where the > internet ends up. I think you're still thinking of service, as opposed to access. Public terminals, say at libraries, are also access. Free public wifi is also access. > > But let's take a specific (famous) example. Kevin Mitnick. From > his wikipedia page: > > "During his supervised release, which ended on January 21, 2003, he was > initially forbidden to use any communications technology other than a > landline telephone." > > If Internet access (to use your term) had been a human right then > his human rights were violated by the government when they banned > him from using any communications technology. Do we really want to > suggest that banning him from using the computer is the same level of > violation as enslaving him, torturing him, or even killing him?
> Clearly not, at least at this point in history. Internet access is more like access to transportation; the law implicitly requires you to have it (in the form of being able to compel a person to appear at a given place and time), but not only fails to mandate its availability, but includes provisions for explicitly denying access to it in some cases. Internet access becomes a human right only when your other, more basic human rights depend on it. If a person without internet access cannot obtain food, shelter, or basic transportation, then it is a human right. As an aside, your example is flawed, because judicial punishment does involve a loss, or at least a curtailment, of what many people consider to be basic rights. -Dave From Valdis.Kletnieks at vt.edu Thu Jan 5 10:52:11 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 05 Jan 2012 11:52:11 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Your message of "Thu, 05 Jan 2012 08:29:05 PST." <20120105162905.GB6914@ussenterprise.ufp.org> References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> Message-ID: <3814.1325782331@turing-police.cc.vt.edu> On Thu, 05 Jan 2012 08:29:05 PST, Leo Bicknell said: > But let's take a specific (famous) example. Kevin Mitnick. From > his wikipedia page: > > "During his supervised release, which ended on January 21, 2003, he was > initially forbidden to use any communications technology other than a > landline telephone." > > If Internet access (to use your term) had been a human right than > his human rights were violated by the government when they banned > him from using any communications technology. Do we really want to > suggest that banning him from using the computer is the same level of > violation as enslaving him, torturing him, or even killing him? 
Convicted felons surrender a number of rights: freedom (jail terms), the right to vote, etc. And nobody seems to consider that concept a "violation" (though it *is* of course up for debate exactly what rights it's OK to remove from a felon, and for how long). From Valdis.Kletnieks at vt.edu Thu Jan 5 10:55:53 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 05 Jan 2012 11:55:53 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: Your message of "Thu, 05 Jan 2012 11:09:59 EST." <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> References: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> Message-ID: <3949.1325782553@turing-police.cc.vt.edu> On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said: > Didn't *say* broadband. Didn't even say "Internet service". Said "Internet > *access*", in the non-techspeak meaning of those words. There are those who would say "Free Internet access is available at the Public Library and the Community Center" counts as "internet access". What say the peanut gallery? From rps at maine.edu Thu Jan 5 11:00:04 2012 From: rps at maine.edu (Ray Soucy) Date: Thu, 5 Jan 2012 12:00:04 -0500 Subject: Whacky Weekend: Is Internet Access a Human Right? In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com> Message-ID: It's an interesting question. Most think of the Internet in the context of entertainment and productivity.
I would ask that those who do remove themselves from the US (or any other prosperous nation) and think about Internet access in nations that are oppressed or depressed. 1. The Internet allows people to communicate (important in environments where the people are victims of oppression). 2. The Internet allows people to learn (if education is a human right, it's not a giant leap to say the Internet is how you deliver it). North Korea, at least, would be a very different nation with universal Internet access. I think a lot of smaller nations as well. There has never been a greater exporter for American ideals of freedom and democracy than the Internet. On the whole I think it has become something people shouldn't be denied access to. Is "broadband" a human right? I don't know the answer to that. But some level of access to the Internet (even if it's slow) is something that would make the world a better place if everyone had access. As we think about freedom and how our laws affect the Internet (SOPA, PROTECT IP, etc) this is something we should also keep in mind. On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote: > Vint Cerf says no: http://j.mp/wwL9Ip > > But I wonder to what degree that's dependent on how much our governments make > Internet access the most practical/only practical way to interact with them. > > Understand: I'm not saying that FiOS should be a human right. But as a > society, America's recognized for decades that you gotta have a telephone, > and subsidized local/lifeline service to that extent; that sort of subsidy > applies to cellular phones now as well. > > Thoughts? > > Cheers, > -- jr 'yes, I know I'm early...' a > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us
> +1 727 647 1274
>

-- 
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From bicknell at ufp.org Thu Jan 5 11:00:53 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 5 Jan 2012 09:00:53 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <4F05D446.2060208@otd.com>
Message-ID: <20120105170053.GA10161@ussenterprise.ufp.org>

In a message written on Thu, Jan 05, 2012 at 11:48:06AM -0500, Dave Israel wrote:
> As an aside, your example is flawed, because judicial punishment does
> involve a loss, or at least a curtailment, of what many people consider
> to be basic rights.

In a message written on Thu, Jan 05, 2012 at 11:52:11AM -0500, Valdis.Kletnieks at vt.edu wrote:
> Convicted felons surrender a number of rights: freedom (jail terms), the
> right to vote, etc. And nobody seems to consider that concept a "violation"
> (though it *is* of course up for debate exactly what rights it's OK to remove
> from a felon, and for how long).

You both make the same, very interesting point. I want to point folks back to the Wikipedia page:

http://en.wikipedia.org/wiki/Human_rights

Look at some of the substantive rights:

- Right to life.
- Freedom from torture.
- Freedom from slavery.
- Right to a fair trial.
- Freedom of speech.
- Freedom of thought, conscience, and religion.

For the most part we don't let judicial punishment infringe on those rights.
(Yes, there are exceptions, and yes, it depends a lot on the location in question. For instance the death penalty infringes on the first substantive right.)

However, for an ordinary criminal (Kevin Mitnick, in my example) we generally require the courts to uphold all of the substantive rights in most civilized societies.

_Human_ rights is a very specific subset of a continuum of rights. Note that the "right to vote" is not in the substantive list above, and is taken away by judicial process in many societies. Not all rights are human rights.

Should you have a right to internet access, just like a right to vote? Perhaps. Are either one the specific class of _human rights_, no.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

From Timothy.Green at ManTech.com Thu Jan 5 11:11:32 2012
From: Timothy.Green at ManTech.com (Green, Timothy)
Date: Thu, 5 Jan 2012 12:11:32 -0500
Subject: Router Assessment Tool
Message-ID:

Happy New Year All!!!

I'm trying to perform STIG compliancy on various Cisco equipment. Has anybody used the Router Assessment Tool (RAT) for routers and switches? Any cheap (free) recommendations? As a last ditch effort I could use NMAP.

Thanks,
Tim

From jonschipp at gmail.com Thu Jan 5 11:34:32 2012
From: jonschipp at gmail.com (Jon Schipp)
Date: Thu, 5 Jan 2012 12:34:32 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <20120105170053.GA10161@ussenterprise.ufp.org>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID:

I think there's a fundamental difference between human and civil rights.

Human rights come from our humanity, i.e. us being human. As humans, we can walk, talk, produce things, own property, etc.

Assuming that isn't true, the next logical question is where do you draw the line?
Vehicles are beneficial to society, can they be a human right? If you keep bringing these types of questions up and substitute any good in place of vehicles, you can see how absurd it is. There's no consistency.

I think the idea that food, shelter etc. are human rights is absurd. Doesn't that imply that someone must provide those things for me? What if they don't want to? Does that mean they are forced to? Which would be a violation of their human rights.

Civil rights are rights that are provided by societal institutions e.g. governments.

This makes the most sense to me anyway. I probably need to go read some John Locke.

http://www.differencebetween.net/miscellaneous/politics/difference-between-human-and-civil-rights/

On Thu, Jan 5, 2012 at 12:00 PM, Leo Bicknell wrote:
> In a message written on Thu, Jan 05, 2012 at 11:48:06AM -0500, Dave Israel wrote:
>> As an aside, your example is flawed, because judicial punishment does
>> involve a loss, or at least a curtailment, of what many people consider
>> to be basic rights.
>
> In a message written on Thu, Jan 05, 2012 at 11:52:11AM -0500, Valdis.Kletnieks at vt.edu wrote:
>> Convicted felons surrender a number of rights: freedom (jail terms), the
>> right to vote, etc.
>> And nobody seems to consider that concept a "violation"
>> (though it *is* of course up for debate exactly what rights it's OK to remove
>> from a felon, and for how long).
>
> You both make the same, very interesting point. I want to point
> folks back to the Wikipedia page:
>
> http://en.wikipedia.org/wiki/Human_rights
>
> Look at some of the substantive rights:
>
>  - Right to life.
>  - Freedom from torture.
>  - Freedom from slavery.
>  - Right to a fair trial.
>  - Freedom of speech.
>  - Freedom of thought, conscience, and religion.
>
> For the most part we don't let judicial punishment infringe on those
> rights. (Yes, there are exceptions, and yes, it depends a lot on
> the location in question. For instance the death penalty infringes
> on the first substantive right.)
>
> However, for an ordinary criminal (Kevin Mitnick, in my example)
> we generally require the courts to uphold all of the substantive
> rights in most civilized societies.
>
> _Human_ rights is a very specific subset of a continuum of rights.
> Note that the "right to vote" is not in the substantive list above,
> and is taken away by judicial process in many societies. Not all rights
> are human rights.
>
> Should you have a right to internet access, just like a right to vote?
> Perhaps. Are either one the specific class of _human rights_, no.
>
> --
>        Leo Bicknell - bicknell at ufp.org - CCIE 3440
>         PGP keys at http://www.ufp.org/~bicknell/

From Valdis.Kletnieks at vt.edu Thu Jan 5 11:49:51 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 12:49:51 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: Your message of "Thu, 05 Jan 2012 12:34:32 EST."
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID: <7253.1325785791@turing-police.cc.vt.edu>

On Thu, 05 Jan 2012 12:34:32 EST, Jon Schipp said:
> I think the idea that food, shelter etc. are human rights is absurd.
> Doesn't that imply that someone must provide those things for me? What
> if they don't want to? Does that mean they are forced to? Which would
> be a violation of their human rights.

There are those who think that it's a government's responsibility to make sure that people don't die from starvation or lack of access to medical care.

Then there are those who think it's OK to let people die in the gutter.

From eesslinger at fpu-tn.com Thu Jan 5 11:54:55 2012
From: eesslinger at fpu-tn.com (Eric J Esslinger)
Date: Thu, 5 Jan 2012 11:54:55 -0600
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
Message-ID:

Based on some I have received off list it seems no-one has ever heard of such a proposal that has had any serious traction, so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.
__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

> -----Original Message-----
> From: Eric J Esslinger [mailto:eesslinger at fpu-tn.com]
> Sent: Thursday, January 05, 2012 9:57 AM
> To: 'nanog at nanog.org'
> Subject: question regarding US requirements for journaling
> public email (possible legislation?)
>
>
> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
> on a holiday morning). Sorry to drop what is possibly just
> someone misunderstanding something or pulling my leg on the
> list, but over the holidays I ran into one of my buddies that
> is also a network admin type and he was griping about mail
> journalling, which I already do for our corporate email
> accounts. However, his discussion was in terms of all
> customer email... Which I said was probably a bad thing to
> do. His response was there is legislation being pushed in
> both House and Senate that would require journalling for 2 or
> 5 years, all mail passing through all of your mail servers.
>
> I've seen nothing, and my google fu has turned up nothing
> other than corporate requirements, so I ask here. Has anyone
> heard of such a bill working its way through either side of congress?
>
> (I am speaking specifically of full email journaling, not
> just logs, which I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs,
> goods, or evils of such a requirement, just wanted to know if
> this is something I should be looking forward towards maybe
> needing to implement.
>
> Thanks for your attention and may you have a low incident new
> year.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
> This message may contain confidential and/or proprietary
> information and is intended for the person/entity to whom it
> was originally addressed.
> Any use by others is strictly prohibited.
>

This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.

From kevin at steadfast.net Thu Jan 5 12:01:01 2012
From: kevin at steadfast.net (Kevin Stange)
Date: Thu, 05 Jan 2012 12:01:01 -0600
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org>
Message-ID: <4F05E55D.4060106@steadfast.net>

On 01/05/2012 11:34 AM, Jon Schipp wrote:
> I think the idea that food, shelter etc. are human rights is absurd.
> Doesn't that imply that someone must provide those things for me? What
> if they don't want to? Does that mean they are forced to? Which would
> be a violation of their human rights.

Human rights are things that no government or person should have the right to *take away* from someone. For example, a government need not provide food to all people who need it necessarily, but they must not prevent people from gaining access to food if they want it.

I would argue that the better societies have systems in place for providing access to things that are human rights via the government when no one else is able to step up.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
From zaid at zaidali.com Thu Jan 5 12:06:16 2012
From: zaid at zaidali.com (Zaid Ali)
Date: Thu, 05 Jan 2012 10:06:16 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
Message-ID:

On 1/5/12 9:34 AM, "Jon Schipp" wrote:

>I think there's a fundamental difference between human and civil rights.
>
>Human rights come from our humanity, i.e. us being human. As humans,
>we can walk, talk, produce things, own property, etc.
>
>Assuming that isn't true, the next logical question is where do you
>draw the line?
>Vehicles are beneficial to society, can they be a human right? If you
>keep bringing these types of questions up and substitute any good in
>place of vehicles, you can see how absurd it is. There's no
>consistency.
>
>I think the idea that food, shelter etc. are human rights is absurd.
>Doesn't that imply that someone must provide those things for me? What
>if they don't want to? Does that mean they are forced to? Which would
>be a violation of their human rights.

No, it doesn't mean that someone must provide it for you. It means that "access" must not be denied. Take for example the homeless situation in San Francisco: if the city did not provide shelter for the homeless there would be an outcry over human rights violation. If you walk around San Francisco you still see people sleeping in the streets, and this is because they choose to, but they do have the right to go to a shelter, so the city of San Francisco is doing the right thing for basic human rights.

In India my observation is that people may be really poor but they do not go hungry or get denied shelter even though they choose to make it out of a cardboard box. The government makes sure that the lands are protected, which is why the slums are not bulldozed by a developer. This is a good example of human rights.
Electricity, communication mediums are all things that people get together to bring either as an individual self or a community.

Zaid

From nathan at atlasnetworks.us Thu Jan 5 12:09:47 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Thu, 5 Jan 2012 18:09:47 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <7253.1325785791@turing-police.cc.vt.edu>
References: <20120105154110.GA6914@ussenterprise.ufp.org> <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <20120105162905.GB6914@ussenterprise.ufp.org> <3814.1325782331@turing-police.cc.vt.edu> <4F05D446.2060208@otd.com> <20120105170053.GA10161@ussenterprise.ufp.org> <7253.1325785791@turing-police.cc.vt.edu>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B6616DE@ex-mb-1.corp.atlasnetworks.us>

> > I think the idea that food, shelter etc. are human rights is absurd.
> > Doesn't that imply that someone must provide those things for me? What
> > if they don't want to? Does that mean they are forced to? Which would
> > be a violation of their human rights.
>
> There are those who think that it's a government's responsibility to
> make sure that people don't die from starvation or lack of access to
> medical care.
> Then there are those who think it's OK to let people die in the gutter.

And as with most things - the 'truth' is probably somewhere between the extremes.

Internet access, as a vehicle for free speech, is at least an important civil right. I wouldn't immediately discard the notion that, as a subset of free speech, it is a human right. Internet access, by way of cell phones, has increasingly enabled repressed peoples to expose their suffering to the outside world. One doesn't have to look any further than the protests in Iran after the reelection of Ahmadinejad to see that.
When the reporters and cameras have been exiled, and all that remains is the general public armed with their cellphones against the military police armed with rifles, freedom of speech and internet access become the very same thing. Certainly, to an oppressive dictator, internet access and free speech are the very same right. In a modern world, to curtail one is to curtail the other.

Nathan

From dhc2 at dcrocker.net Thu Jan 5 12:29:10 2012
From: dhc2 at dcrocker.net (Dave CROCKER)
Date: Thu, 05 Jan 2012 10:29:10 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F05EBF6.4050203@dcrocker.net>

On 1/5/2012 7:36 AM, Marshall Eubanks wrote:
> On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
>> Vint Cerf says no: http://j.mp/wwL9Ip
>
> With all due respect to Vint, I think that it isn't now, but it will be.

With all due respect for the view that it will be, I'll suggest that this entirely misses the point of his op-ed.

His point is to distinguish means versus ends and that something as basic as a human right needs to be about ends, not means. Means often change -- sometimes quickly -- but ends are typically quite stable. Discussion about means needs to be in terms of the ends they serve.

From the US perspective, speech and assembly are examples of rights. The 'right' to telephone service is not a direct right; it's a derivative of the speech right, I believe. Onerous assembly laws are examples of unacceptable means. The Internet is a set of means. (Zaid's concrete example about blog blocking is also on point.)

Broadly, we need to be careful to distinguish between core issues (rights, causes, and the like) from derivative and surface issues (means, symptoms, and the like). It's extremely easy to get caught up with the details of means and symptoms and entirely miss the underlying, strategic issues.
d/

-- 

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net

From bill at herrin.us Thu Jan 5 12:37:15 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jan 2012 13:37:15 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

Free Speech is a human right. It's still a human right when that speech is conveyed over the Internet. To the extent that a government obstructs Internet access by its citizens, it is obstructing a human right.

In a capitalist society, human rights are about obstruction, not compulsion. The right to life does not compel a government to provide you with medical care; it merely prevents the government from obstructing your ability to otherwise obtain treatment. Likewise, the right to free speech does not compel a government to provide you with an Internet account.

Socialist societies have a different point of view. A socialist government has a compulsion to provide its citizens at least minimalist and at most egalitarian facilities for the exercise of their human rights.

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
> as a
> society, America's recognized for decades that you gotta have a telephone,
> and subsidized local/lifeline service to that extent; that sort of subsidy
> applies to cellular phones now as well.

Personally, I've always thought it a tragedy that the universal service fund was diverted to provide laptops to kindergartners. I'd love to see it collected from all network service and be applicable to all unbundled rural basic network service.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ......................
Web:
Falls Church, VA 22042-3004

From rps at maine.edu Thu Jan 5 12:39:44 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 5 Jan 2012 13:39:44 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

If you search for "email archiving" instead of journaling you'll come up with a lot more information. It dates back to court rule changes in 2006. Most of it is hype because of [largely incorrect] articles like this one (just one of the first hits):

http://www.itworld.com/security/55954/law-requires-email-archiving

It's really something that you would need a lawyer to give you an answer on (I am not a lawyer, this is not legal advice, etc).

My [limited] understanding is that you are required to disclose whether or not you have any electronic document (including email) requested as part of the discovery process. If you do have it, you're required to produce it. Since it being on some hard drive of an employee computer qualifies as having it, many larger companies decided to archive centrally. The rules only require 7 years back (I think), so that's the amount of time it's generally archived for.

TL;DR you're not required to archive email, but you need to know whether or not you have it if asked.

Again, my understanding here is pretty limited. If anyone knows for certain feel free to chime in.

On Thu, Jan 5, 2012 at 12:54 PM, Eric J Esslinger wrote:
> Based on some I have received off list it seems no-one has ever heard of such a proposal that has had any serious traction so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.
>
> Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
>
>
>> -----Original Message-----
>> From: Eric J Esslinger [mailto:eesslinger at fpu-tn.com]
>> Sent: Thursday, January 05, 2012 9:57 AM
>> To: 'nanog at nanog.org'
>> Subject: question regarding US requirements for journaling
>> public email (possible legislation?)
>>
>>
>> Hope yall had an 'eventless' holiday. (I.e. no pages at 2 am
>> on a holiday morning). Sorry to drop what is possibly just
>> someone misunderstanding something or pulling my leg on the
>> list, but over the holidays I ran into one of my buddies that
>> is also a network admin type and he was griping about mail
>> journalling, which I already do for our corporate email
>> accounts. However, his discussion was in terms of all
>> customer email... Which I said was probably a bad thing to
>> do. His response was there is legislation being pushed in
>> both House and Senate that would require journalling for 2 or
>> 5 years, all mail passing through all of your mail servers.
>>
>> I've seen nothing, and my google fu has turned up nothing
>> other than corporate requirements, so I ask here. Has anyone
>> heard of such a bill working its way through either side of congress?
>>
>> (I am speaking specifically of full email journaling, not
>> just logs, which I do archive for significant amounts of time.)
>>
>> I also don't want to discuss the pros, cons, merits, costs,
>> goods, or evils of such a requirement, just wanted to know if
>> this is something I should be looking forward towards maybe
>> needing to implement.
>>
>> Thanks for your attention and may you have a low incident new
>> year.
>> __________________________
>> Eric Esslinger
>> Information Services Manager - Fayetteville Public Utilities
>> http://www.fpu-tn.com/
>> (931)433-1522 ext 165
>>
>> This message may contain confidential and/or proprietary
>> information and is intended for the person/entity to whom it
>> was originally addressed. Any use by others is strictly prohibited.
>>
>>
>
> This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
>

-- 
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From bill at herrin.us Thu Jan 5 12:42:50 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jan 2012 13:42:50 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
> His response was there is legislation being pushed in both
> House and Senate that would require journalling for 2 or 5
> years, all mail passing through all of your mail servers.

Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the Protecting Children From Internet Pornographers Act of 2011.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:h.r.01981:

What it actually says is:

`(1) A commercial provider of an electronic communication service shall retain for a period of at least one year a log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.'

That may mean journaling individual TCP connections in a NAT environment but it doesn't address content, email or otherwise. I'd say your friend was confused.
The really odd thing is that the act also says:

`(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.'

What does that mean for the MPAA seeking the identity of a bit torrent user?

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From Valdis.Kletnieks at vt.edu Thu Jan 5 12:52:34 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 13:52:34 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: Your message of "Thu, 05 Jan 2012 13:42:50 EST."
References:
Message-ID: <10278.1325789554@turing-police.cc.vt.edu>

On Thu, 05 Jan 2012 13:42:50 EST, William Herrin said:
> The really odd thing is that the act also says:
>
> `(2) Access to a record or information required to be retained under
> this subsection may not be compelled by any person or other entity
> that is not a governmental entity.'
>
> What does that mean for the MPAA seeking the identity of a bit torrent user?

Means they need to get a subpoena (at which point it's the court, a governmental entity, doing the compelling).
From BEJones at semprautilities.com Thu Jan 5 13:01:55 2012
From: BEJones at semprautilities.com (Jones, Barry)
Date: Thu, 5 Jan 2012 11:01:55 -0800
Subject: AD and enforced password policies
In-Reply-To: <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>
References: <20120103084411.GN7491@besserwisser.org> <86734B35-DE1A-4141-9021-FBEB7428C6BB@gmail.com> <2AC71587-2896-45FC-B77C-8C789B3C28F7@cs.columbia.edu>
Message-ID:

'Either way, expiring often is the first and most effective step at making the lusers hate you and will only bring the Post-It(tm) makers happy.'

If you want to make them really, really unhappy, implement a rotating user ID coupled with an often expiring password policy. For example, User ID jjones1, jjones2, jjones3, jjones4 (for winter, summer, fall, spring). Works with clothing choices, but angers user communities... :-)

-----Original Message-----
From: Steven Bellovin [mailto:smb at cs.columbia.edu]
Sent: Tuesday, January 03, 2012 5:41 AM
To: Greg Ihnen
Cc: Nanog at nanog.org
Subject: Re: AD and enforced password policies

On Jan 3, 2012, at 8:09 19AM, Greg Ihnen wrote:

>
> On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:
>
>> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 11:15:08PM +0000 Quoting Blake T. Pfankuch (blake at pfankuch.me):
>>
>>> However I would say 365 day expiration is a little long, 3 months is about the average in a non financial oriented network.
>>
>> If you force me to change a password every three months, I'm going to
>> start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
>> you lose.
>>
>> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5
>> etc, and we're all doomed, or they will be lucky and guess. None of
>> these attack modes will be mitigated by the 3-month scheme;
>> success/fail as seen by the bad guys will be a lot quicker than three
>> months.
>> If they do not get lucky with john or rainbow tables, they'll move on.
>>
>> (Some scenarios still are affected by this, of course, but there is a
>> lot to be done to stop bad things from happening like not getting
>> your hashes stolen etc. On-line repeated login failures aren't going
>> to work because you'll detect that, right? )
>>
>> Either way, expiring often is the first and most effective step at
>> making the lusers hate you and will only bring the Post-It(tm) makers happy.
>>
>> If your password crypto is NSA KW-26 or similar, OTOH, just don the
>> Navy blues and start swapping punchcards at 0000 ZULU.
>> (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
>>
>> --
>> Måns Nilsson primary/secondary/besserwisser/machina
>> MN-1334-RIPE +46 705 989668
>> Life is a POPULARITY CONTEST! I'm REFRESHINGLY CANDID!!
>
>
> A side issue is the people who use the same password at fuzzykittens.com as they do at bankofamerica.com. Of course fuzzykittens doesn't need high security for their password management and storage. After all, what's worth stealing at fuzzykittens? All those passwords. I use and recommend a popular password manager, so I can have unique strong passwords without making a religion out of it.
>

It's not a side issue; in my opinion it's a far more important issue in most situations. I do the same thing that you do for all but my most critical passwords.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From fred at cisco.com Thu Jan 5 13:16:15 2012
From: fred at cisco.com (Fred Baker)
Date: Thu, 5 Jan 2012 11:16:15 -0800
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Jan 5, 2012, at 10:42 AM, William Herrin wrote:

> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>> His response was there is legislation being pushed in both
>> House and Senate that would require journalling for 2 or 5
>> years, all mail passing through all of your mail servers.
>
> Hi Eric,
>
> The only relatively recent thing I'm aware of in the Congress is the
> Protecting Children From Internet Pornographers Act of 2011.

Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.

> From: Fred Baker
> Date: January 5, 2012 10:46:30 AM PST
> To: Eric J Esslinger
> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>
> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>
> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>
> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.

I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.

From a US perspective, you might peruse

http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States

The Wikipedia article goes on to comment on the forensic value of data retention.
I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.


From smb at cs.columbia.edu Thu Jan 5 14:10:45 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 5 Jan 2012 15:10:45 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID: <5FA8EC31-383E-4989-A9A4-F79449CF7735@cs.columbia.edu>

On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

>
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
>
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>>
>> Hi Eric,
>>
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
>
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
>
>> From: Fred Baker
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>>
>> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>>
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>>
>> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
>
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.
>
> From a US perspective, you might peruse
>
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
>
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark.
> A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
>

Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about. As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed.

That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se. See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.

--Steve Bellovin, https://www.cs.columbia.edu/~smb


From fmartin at linkedin.com Thu Jan 5 14:11:21 2012
From: fmartin at linkedin.com (Franck Martin)
Date: Thu, 5 Jan 2012 20:11:21 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com>
Message-ID:

On 1/5/12 8:07 , "Jay Ashworth" wrote:

>----- Original Message -----
>> From: "Zaid Ali"
>
>> On 1/5/12 7:22 AM, "Jay Ashworth" wrote:
>>
>> >Vint Cerf says no: http://j.mp/wwL9Ip
>> >
>
>The question here is "is *access to* the Internet a human right,
>something
>which the government ought to recognize and protect"? I sort of think it
>is,
>myself... and I think that Vint is missing the point: *all* of the things
>we generally view as human rights are enablers to other things, and we
>generally dub them *as those things*, by synecdoche... at least in my
>experience.
The basic human right is free speech, this is how the Internet gets protected, by proxy.

But then... I think only the US claims to have free speech as a constitutional right. This is not in the mind of many Europeans...


From fmartin at linkedin.com Thu Jan 5 14:15:15 2012
From: fmartin at linkedin.com (Franck Martin)
Date: Thu, 5 Jan 2012 20:15:15 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3949.1325782553@turing-police.cc.vt.edu>
Message-ID:

Universal Access vs Universal Service

It is important to understand the difference.

I have argued that Developing countries should only provide Universal Access as the weight of providing Universal Service is way too expensive and would tax too much the business community which is developing the economy so that Universal Service may become a reality one day.

On 1/5/12 8:55 , "Valdis.Kletnieks at vt.edu" wrote:

>On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said:
>
>> Didn't *say* broadband. Didn't even say "Internet service". Said
>>"Internet
>> *access*", in the non-techspeak meaning of those words.
>
>There are those who would say "Free Internet access is available at the
>Public Library and the Community Center" counts as "internet access".
>
>What say the peanut gallery?


From kmedcalf at dessus.com Thu Jan 5 14:21:53 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Thu, 05 Jan 2012 13:21:53 -0700
Subject: Trouble accessing www.nanog.org
In-Reply-To:
Message-ID:

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> On Thursday, 05 January, 2012 08:30, Marshall Eubanks said:
>
> > On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote:
>
> > > There are video hosting web sites on the intertubes?
> > > Now where would those be found, I wonder.
> > > All I have ever seen is macro-streaming that is fraudulently labeled and advertised as video -- the worst
> > > being something called FlashVirus, which was written by a company called
> > > MacroVirus Media or something like that, and currently owned and flogged by
> > > Adobe along with their "Proprietary Document Format" (the latest versions of
> > > which boast UVTD technology -- Unstoppable Virus Transport and Distribution).
> > > If the so-called video contains arbitrary executable code (or can run
> > > arbitrary executable code), or requires the use of a specific application to
> > > "play" (or infect the target), then it should not be described as
> > > "video". It is a streaming-macro.

> Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
> the two reasonable open standard choices.))

Okay by me. Just no "Flash Video Streams" if you please.

> Regards
> Marshall
>
> Microsoft was the first OS vendor to add the "Execute Payload" header to IP
> which saved much time and effort in the distribution of malicious code via
> the internet. Unfortunately, Adobe and several other vendors have patents on
> what is called the method of "Executable Data" and made Microsoft remove
> their wondrous invention under pain of patent lawsuits.
>
>
> Of course, maybe what's meant is File hosting, where the File being hosted
> just happens to contain video data in standard data format (preferably a
> pure-data format that does not embed execution macros of any type).
>
>
> ;)
>
>
> ---
> ()  ascii ribbon campaign against html e-mail
> /\  www.asciiribbon.org
>
>
> >> -----Original Message-----
> >> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
> >> Sent: Wednesday, 04 January, 2012 20:47
> >> To: Michael K. Smith - Adhost
> >> Cc: bmanning at vacation.karoshi.com; Wessels, Duane; nanog at nanog.org
> >> Subject: Re: Trouble accessing www.nanog.org
> >>
> >> On Wed, Jan 4, 2012 at 10:41 PM, Michael K. Smith - Adhost
> >> wrote:
> >>
> >> >> Err, while we're talking about video files and nanog, why is the video
> >> >> content still served off (stored content I mean) nanog.org servers?
> >> >> Why not use one of the many video serving services? some of which are
> >> >> free even :)
> >> >> (that part's not a troll, a real question, even!)
> >> >> -chris
> >> >
> >> >
> >> > The website work hasn't yet begun, so that is certainly still on the
> >> table. If you would like to volunteer some of your time...
> >>
> >> I'm sure we could arrange some process to ingest videos to some form
> >> of video-hosting-website... a videotubes site let's say.
> >>
> >> who should I chat with?
>
>


From cjp at 0x1.net Thu Jan 5 14:42:23 2012
From: cjp at 0x1.net (Christopher J. Pilkington)
Date: Thu, 5 Jan 2012 15:42:23 -0500
Subject: "Non-vendor neutral" hosting/colocation
Message-ID: <-4642010466787914164@unknownmsgid>

We are experiencing an issue in NYCMNY where the hosting facility's owner, a large IXC and CLEC, is being less than cooperative in allowing the ILEC delivering a private circuit to the hosting facility. They will allow ILEC to deliver the circuit elsewhere in the building, but will not provide us a cross connect to this facility. Hosting provider will however gladly use their own CLEC to provide us the service and provide cross connect to same. I have no details on whether this is contractually permitted or not.

Another circuit from a third IXC/CLEC ran into a similar problem. This carrier "resolved it" by using the hosting company's CLEC for local loop, even though third carrier has lit facilities elsewhere in said facility.

We have concerns for future issues involving the merger of a previous vendor-neutral hosting facility company and another telco provider.

Any experiences or advice, on or off list, would be helpful. Also, comments from regulatory geeks would be interesting as well.
-cjp


From askoorb+nanog at gmail.com Thu Jan 5 14:57:02 2012
From: askoorb+nanog at gmail.com (Alex Brooks)
Date: Thu, 5 Jan 2012 20:57:02 +0000
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 8:21 PM, Keith Medcalf wrote:
>
>
> ---
> ()  ascii ribbon campaign against html e-mail
> /\  www.asciiribbon.org
>
> > On Thursday, 05 January, 2012 08:30, Marshall Eubanks said:
> >
> > > On Thu, Jan 5, 2012 at 4:51 AM, Keith Medcalf wrote:
> >
> > > > There are video hosting web sites on the intertubes?
> > > > Now where would those be found, I wonder. All I have ever seen is macro-streaming
> > > > that is fraudulently labeled and advertised as video -- the worst
> > > > being something called FlashVirus, which was written by a company called
> > > > MacroVirus Media or something like that, and currently owned and flogged by
> > > > Adobe along with their "Proprietary Document Format" (the latest versions of
> > > > which boast UVTD technology -- Unstoppable Virus Transport and Distribution).
> > >
> > > If the so-called video contains arbitrary executable code (or can run
> > > > arbitrary executable code), or requires the use of a specific application to
> > > > "play" (or infect the target), then it should not be described as
> > > > "video". It is a streaming-macro.
> >
> > Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
> > the two reasonable open standard choices.))
>
> Okay by me. Just no "Flash Video Streams" if you please.
>

FWIW many of the big video hosting sites have this option now, and many send an appropriate format for the browser being used:

http://www.youtube.com/html5
http://www.dailymotion.com/html5
http://vimeo.com/blog:268
http://blip.tv/html5/
http://www.archive.org/details/Html5DemoVideo

Alex


From joly at punkcast.com Thu Jan 5 14:57:29 2012
From: joly at punkcast.com (Joly MacFie)
Date: Thu, 5 Jan 2012 15:57:29 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <3949.1325782553@turing-police.cc.vt.edu>
References: <33434306.3291.1325779799472.JavaMail.root@benjamin.baylink.com> <3949.1325782553@turing-police.cc.vt.edu>
Message-ID:

I know here in NYC, when the government talks, access is defined as availability, whether utilized or not.

j

On Thu, Jan 5, 2012 at 11:55 AM, wrote:

> On Thu, 05 Jan 2012 11:09:59 EST, Jay Ashworth said:
>
> > Didn't *say* broadband. Didn't even say "Internet service". Said
> "Internet
> > *access*", in the non-techspeak meaning of those words.
>
> There are those who would say "Free Internet access is available at the
> Public Library and the Community Center" counts as "internet access".
>
> What say the peanut gallery?
>

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-


From joly at punkcast.com Thu Jan 5 15:06:07 2012
From: joly at punkcast.com (Joly MacFie)
Date: Thu, 5 Jan 2012 16:06:07 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

Not a new line of thinking for Vint. He said much the same thing at our INET in NYC.
http://www.youtube.com/watch?v=XPc79dlLs0U

What's notable is that as a "father" Vint is more aware than many of the ephemerality of the Internet, and when speculating futurewise at the INET he consistently referred to it as "the Internet or whatever may replace it."

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:

> Vint Cerf says no: http://j.mp/wwL9Ip
>
>

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-


From morrowc.lists at gmail.com Thu Jan 5 15:09:54 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 5 Jan 2012 16:09:54 -0500
Subject: Router Assessment Tool
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 12:11 PM, Green, Timothy wrote:
> Happy New Year All!!!
>
> I'm trying to perform STIG compliancy on various Cisco equipment. Has anybody used the Router Assessment Tool (RAT) for routers and switches? Any cheap (free) recommendations? As a last ditch effort I could use NMAP.
>

uunet did for a time use a variant of RAT... you may get some mileage asking George Jones about it.


From morrowc.lists at gmail.com Thu Jan 5 15:13:38 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 5 Jan 2012 16:13:38 -0500
Subject: Trouble accessing www.nanog.org
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 3:21 PM, Keith Medcalf wrote:
>
>> Is H.264 Turing-complete ? Is Ogg-Vorbis ? (It seems like those are
>> the two reasonable open standard choices.))
>
> Okay by me. Just no "Flash Video Streams" if you please.

what about html5?


From DStaal at usa.net Thu Jan 5 15:43:51 2012
From: DStaal at usa.net (Daniel Staal)
Date: Thu, 5 Jan 2012 16:43:51 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References:
Message-ID: <088ae21864bf835f1c147baffaca6c3d.squirrel@www.magehandbook.com>

On Thu, January 5, 2012 11:37 am, Zaid Ali wrote:
>
> If I wrote a blog article that criticized the government and it was
> shutdown along with my Internet access I wouldn't say that my right to the
> Internet was violated. I would say that my right to free speech was
> violated. Regardless of one way or two way communication it is
> communication.

The Internet is quickly becoming more than just a medium for speech. It is access to services, education, markets, and tools of analysis, among *many* others. Many of the specifics are covered under other rights, so the question is does the whole become more than the parts, and is *that* a right?

I'm with the 'probably not quite yet, but soon' group. I don't think it will be long before it is impossible to participate in modern society in any meaningful way without access to the Internet.

Vint does have one other point: the tool is not the whole of the thing. What we currently call 'the Internet' could be replaced by a different network, if someone were to invent something that was a good enough replacement. But at this point, I think *that* network would be called 'the Internet' then, and we don't *have* a separate name for the tool from what it does. (With the possible exception of some terms in cyberpunk novels...)

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------


From sh.vahabzadeh at gmail.com Thu Jan 5 15:59:30 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Fri, 6 Jan 2012 01:29:30 +0330
Subject: OSS Systems
Message-ID:

Hi there,

Has anybody experience running an OSS system at enterprise level? And do you have any idea about it?

For example, for an ISP running more than 20K or 30K users, there must be some good solutions to integrate all systems like: Radius, Billing Systems and CRM

For example, after searching and asking friends I have some ideas about which Radius to use: radiator

Is there anybody who has analysed such systems before in his ISP? Need sharing here :)

Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90


From leigh.porter at ukbroadband.com Thu Jan 5 16:15:22 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Thu, 5 Jan 2012 22:15:22 +0000
Subject: OSS Systems
In-Reply-To:
References:
Message-ID: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>

On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" wrote:

> Hi there,
> Has anybody experience running an OSS system at enterprise level?
> And do you have any idea about it?
> For example, for an ISP running more than 20K or 30K users, there
> must be some good solutions to integrate all systems like:
> Radius, Billing Systems and CRM
> For example, after searching and asking friends I have some ideas about
> which Radius to use: radiator
> Is there anybody who has analysed such systems before in his ISP? Need
> sharing here :)
> Thanks

We did this a few years ago and ended up writing the whole thing ourselves. This included billing, subscriber management etc etc.

We integrated with salesforce.com for the internal front end and the user facing stuff we did ourselves.

It was a big project and took a team of six about six months.
But we ended up with a perfect solution that did exactly what we needed and it was pretty good.

It handled within the order of users you mention, but we designed to 100k users.

We used radiator (highly recommended) with openldap back end. Multiple load balanced servers etc etc.

The worst thing we did was to build our own mail system. Not that it was an issue, it never went wrong, but these days I'd just send people to gmail or something.

--
Leigh Porter

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________


From sh.vahabzadeh at gmail.com Thu Jan 5 16:21:04 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Fri, 6 Jan 2012 01:51:04 +0330
Subject: OSS Systems
In-Reply-To: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
Message-ID:

Dear Leigh,

Thanks for your answer. So you recommend radiator? What about analysis? You know, always thinking about billing systems with staff who do not have any idea about the backend is hard... You always have problems with operators and they make lots of exceptions, isn't it?

And if you have time would you please tell me more about your load balancers? I am really confused with designing and analysing this project :(

Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote:

>
>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh"
> wrote:
>
> > Hi there,
> > Has anybody experience running an OSS system at enterprise level?
> > And do you have any idea about it?
> > For example, for an ISP running more than 20K or 30K users, there
> > must be some good solutions to integrate all systems like:
> > Radius, Billing Systems and CRM
> > For example, after searching and asking friends I have some ideas about
> > which Radius to use: radiator
> > Is there anybody who has analysed such systems before in his ISP? Need
> > sharing here :)
> > Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated with salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90


From jna at retina.net Thu Jan 5 16:24:49 2012
From: jna at retina.net (John Adams)
Date: Thu, 5 Jan 2012 14:24:49 -0800
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger wrote:

>
> (I am speaking specifically of full email journaling, not just logs, which
> I do archive for significant amounts of time.)
>
> I also don't want to discuss the pros, cons, merits, costs, goods, or
> evils of such a requirement, just wanted to know if this is something I
> should be looking forward towards maybe needing to implement.
>

This is probably not what you want to hear, but you should really read through EFF's "Best Practices for Online Service Providers."

https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks. If a court order requests data that is more than a few weeks old, the OSP can simply point to the policy and explain that it cannot furnish the requested data. Likewise, if unnecessary PII is regularly deleted, the OSP cannot supply what it does not retain. This saves the OSP time and money, while also providing the OSP with sufficient data for its own administrative and business purposes.


From bzs at world.std.com Thu Jan 5 17:06:15 2012
From: bzs at world.std.com (Barry Shein)
Date: Thu, 5 Jan 2012 18:06:15 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References: <22737847.3289.1325779676786.JavaMail.root@benjamin.baylink.com>
Message-ID: <20230.11495.643459.352921@world.std.com>

Sorry if someone said this but I think it's interesting that the first amendment to the US Constitution specifically lists freedom of speech AND freedom of press, rather than perhaps allowing one (speech) to imply the other (press, i.e., that speech fixed to a medium.)
If we use that as a significant guide that would seem to say that mere speech is not enough, the right to disseminate that speech to others is also necessary.

--
        -Barry Shein

The World              | bzs at TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*


From avg at kotovnik.com Thu Jan 5 21:05:31 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jan 2012 19:05:31 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To:
References:
Message-ID: <4F0664FB.4010009@kotovnik.com>

There are no such rights. Each positive right is somebody else's obligation. Being forced to feed, clothe, and house somebody else is called slavery. So is providing Internet access, TV, or whatever else. Doesn't matter if this slavery is part-time, the principle remains the same -- some people gang up on you and force you to work for their benefit.

On the other hand the ability to exchange any information with any other consenting parties and at your own expense - without being censored, interfered with, or snooped upon - is indeed a basic human right.

--vadim

On 01/05/2012 07:45 AM, Zaid Ali wrote:
> I agree with Vint here. Basic human rights are access to food, clothing
> and shelter. I think we are still struggling in the world with that. With
> your logic one would expect the radio and TV to be a basic human right but
> they are not, they are and will remain powerful medium which be enablers
> of something else and the Internet would fit there.
>
> Zaid


From nathan at atlasnetworks.us Thu Jan 5 21:24:43 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Fri, 6 Jan 2012 03:24:43 +0000
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <4F0664FB.4010009@kotovnik.com>
References: <4F0664FB.4010009@kotovnik.com>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>

> There are no such rights. Each positive right is somebody else's obligation.
> Being forced to feed, clothe, and house somebody else is called slavery. So is
> providing Internet access, TV, or whatever else. Doesn't matter if this slavery
> is part-time, the principle remains the same -- some people gang up on you
> and force you to work for their benefit.

This is antisocial nonsense. Governed societies exist because the supporting output of the group is greater than that of the same number of individuals. That infrastructure of government - the social building blocks that obligate us to each other - are not slavery, they are freedom from the anarchists, the equal opportunists (those that hold that we all have, inherently, the same opportunity to succeed), and the Darwinists.

By your logic, librarians are slaves, as are all civil servants. Radio is another of the greatest examples of a means of speech that is universally accessible, and yet we would not call broadcasters slaves either.

Absolute nonsense.

Nathan


From ops.lists at gmail.com Thu Jan 5 21:41:30 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 6 Jan 2012 09:11:30 +0530
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References:
Message-ID:

I would love to ask the EFF just what you do when you don't log stuff, and then need to troubleshoot someone causing a DDoS or something from your network in a hurry.

Not that I'd get any sort of a useful answer from them, beyond random propaganda that spam filtering is evil, DPI is demoniacal etc etc.

On Fri, Jan 6, 2012 at 3:54 AM, John Adams wrote:
>
> OSPs cannot be forced to provide data that does not exist.
> EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks. If a court order requests data that is
> more than a few weeks old, the OSP can simply point to the policy and
> explain that it cannot furnish the requested data. Likewise, if unnecessary
> PII is regularly deleted, the OSP cannot supply what it does not retain.
> This saves the OSP time and money, while also providing the OSP with
> sufficient data for its own administrative and business purposes.

--
Suresh Ramasubramanian (ops.lists at gmail.com)


From Valdis.Kletnieks at vt.edu Thu Jan 5 22:00:15 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 05 Jan 2012 23:00:15 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: Your message of "Fri, 06 Jan 2012 09:11:30 +0530."
References:
Message-ID: <14188.1325822415@turing-police.cc.vt.edu>

On Fri, 06 Jan 2012 09:11:30 +0530, Suresh Ramasubramanian said:
> I would love to ask the EFF just what you do when you don't log stuff,
> and then need to troubleshoot someone causing a DDoS or something from
> your network in a hurry.

What John actually said:

> OSPs cannot be forced to provide data that does not exist. EFF suggests
> that OSPs draft an internal policy that states that they collect only
> limited information and do not retain any logs of user activity on their
> networks for more than a few weeks.

You need to track down a miscreant user *right now*? You got the last 48 hours of logs right at hand. It's been a week? Meh, if somebody's been getting hit by a DDoS for a week and is just now calling you, the fact they have a DDoS is the least of their problems. Toss the logs. :)

> Not that I'd get any sort of a useful answer from them, beyond random
> propaganda that spam filtering is evil, DPI is demoniacal etc etc.
Might want to go and actually read https://www.eff.org/wp/osp before you say that. The PDF version runs to about 15 pages of detailed and useful info for an OSP.


From ops.lists at gmail.com Thu Jan 5 22:05:37 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 6 Jan 2012 09:35:37 +0530
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To: <14188.1325822415@turing-police.cc.vt.edu>
References: <14188.1325822415@turing-police.cc.vt.edu>
Message-ID:

There's no shortage of stuff that reaches you 80..90 days after the fact

The UK voluntary retention rules make a lot more sense, compared to "a few days", which is entirely impractical

On Fri, Jan 6, 2012 at 9:30 AM, wrote:
>
> You need to track down a miscreant user *right now*? You got the last 48 hours
> of logs right at hand. It's been a week? Meh, if somebody's been getting hit by
> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
> least of their problems. Toss the logs. :)

--
Suresh Ramasubramanian (ops.lists at gmail.com)


From richard.barnes at gmail.com Thu Jan 5 22:52:58 2012
From: richard.barnes at gmail.com (Richard Barnes)
Date: Thu, 5 Jan 2012 23:52:58 -0500
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

The analogy that occurs to me is to roads. People generally have a right of free movement, which implies that if they are capable of using roads (e.g., if they have a car and can drive it), then they should be generally free to do so, certain reasonable legal constraints notwithstanding.
And in this case, the reasonableness of constraints arises from the fact that
things like driving licenses and road signs are based on clear safety
concerns.

Mapping this over to the Internet: People generally have a right of free
expression, which implies that if they are capable of using the Internet,
they should be generally free to use it, certain reasonable legal constraints
notwithstanding. The human right in question, then, isn't a right to Internet
access per se; people aren't entitled to a broadband link any more than
they're entitled to live near good roads. (Note, however, that communities
typically try to maintain their roads to a certain standard.) Rather, the
right is to a certain *class* of Internet access, free of unnecessary
constraints.

The question of legal constraints and "reasonableness" is much thornier in
this domain; you're not going to kill someone by sending them spam. (Well,
maybe with SCADA systems, but we'll put that aside for now.) The obvious
cases (e.g., child porn) are to some degree already covered, although there's
some variation around the globe (Nazi propaganda in France). The debate over
PROTECT-IP is at some level about whether and which constraints on Internet
usage based on copyright constraints are reasonable.

--Richard

On Thu, Jan 5, 2012 at 10:22 AM, Jay Ashworth wrote:
> Vint Cerf says no: http://j.mp/wwL9Ip
>
> But I wonder to what degree that's dependent on how much our governments make
> Internet access the most practical/only practical way to interact with them.
>
> Understand: I'm not saying that FiOS should be a human right. But as a
> society, America's recognized for decades that you gotta have a telephone,
> and subsidized local/lifeline service to that extent; that sort of subsidy
> applies to cellular phones now as well.
>
> Thoughts?
>
> Cheers,
> -- jr 'yes, I know I'm early...' a
> --
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer
> The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
>

From avg at kotovnik.com Fri Jan 6 00:58:58 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jan 2012 22:58:58 -0800
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>
References: <4F0664FB.4010009@kotovnik.com> <8C26A4FDAE599041A13EB499117D3C286B6623EF@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <4F069BB2.2010300@kotovnik.com>

Nathan Eisenberg wrote:

>> There are no such rights. Each positive right is somebody else's obligation.

> This is antisocial nonsense.

If you want to be a slave, that's your right. But leave me out of your
schemes, please.

May I ask you to remove the guns and violence your "representatives" are
threatening me with if I refuse to "participate"? Because I don't think it's
possible to have a civilized discussion when one party insists on forcing the
other to obey.

By the way, it takes a really twisted mindset to consider violence towards
people who didn't do anything bad to you as socially acceptable.

--vadim

From joly at punkcast.com Fri Jan 6 01:07:02 2012
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 6 Jan 2012 02:07:02 -0500
Subject: "Non-vendor neutral" hosting/colocation
In-Reply-To: <-4642010466787914164@unknownmsgid>
References: <-4642010466787914164@unknownmsgid>
Message-ID:

I could be mistaken but I think similar circumstances were what originally
led to the establishment of Telx's IXP at 60 Hudson.

j

On Thu, Jan 5, 2012 at 3:42 PM, Christopher J. Pilkington wrote:
> We are experiencing an issue in NYCMNY where the hosting facility's
> owner, a large IXC and CLEC, is being less than cooperative in
> allowing the ILEC delivering a private circuit to the hosting
> facility.
> They will allow ILEC to deliver the circuit elsewhere in the
> building, but will not provide us a cross connect to this facility.
> Hosting provider will however gladly use their own CLEC to provide us
> the service and provide cross connect to same. I have no details on
> whether this is contractually permitted or not.
>
> Another circuit from a third IXC/CLEC ran into a similar problem. This
> carrier "resolved it" by using the hosting company's CLEC for local
> loop, even though third carrier has lit facilities elsewhere in said
> facility.
>
> We have concerns for future issues involving the merger of a previous
> vendor-neutral hosting facility company and another telco provider.
>
> Any experiences or advice, on or off list, would be helpful. Also,
> comments from regulatory geeks would be interesting as well.
>
> -cjp
>

--
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From mansaxel at besserwisser.org Fri Jan 6 01:16:03 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Fri, 6 Jan 2012 08:16:03 +0100
Subject: anycast load balancing issue
In-Reply-To: <4F05BDE1.3040103@xor.at>
References: <20120104120255.GT7491@besserwisser.org> <4F05BDE1.3040103@xor.at>
Message-ID: <20120106071603.GH7491@besserwisser.org>

Subject: Re: anycast load balancing issue Date: Thu, Jan 05, 2012 at 04:12:33PM +0100 Quoting Johannes Resch (jr at xor.at):

> >Any clues?
> Since you mention route-reflector route selection - are you already
> using per-VRF, per-PE route distinguishers for that L3VPN instance?

Problem solved - what I did not tell (shame on me) was that there are two
islands of IGP (growing pains...) redistributing to each other...
The metric in that redistribution was too low, resulting in artificially
"cheap" paths to the wrong places.

Thanks all who made me think a second round and solve this.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...

From randy at psg.com Fri Jan 6 01:34:36 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 06 Jan 2012 16:34:36 +0900
Subject: "Non-vendor neutral" hosting/colocation
In-Reply-To: <-4642010466787914164@unknownmsgid>
References: <-4642010466787914164@unknownmsgid>
Message-ID:

> We are experiencing an issue in NYCMNY where the hosting facility's
> owner, a large IXC and CLEC, is being less than cooperative in
> allowing the ILEC delivering a private circuit to the hosting
> facility.

move to a carrier-neutral facility. unless you do that, the beatings will
continue.

randy

From leigh.porter at ukbroadband.com Fri Jan 6 06:40:27 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Fri, 6 Jan 2012 12:40:27 +0000
Subject: anycast load balancing issue
In-Reply-To: <20120106071603.GH7491@besserwisser.org>
References: <20120104120255.GT7491@besserwisser.org> <4F05BDE1.3040103@xor.at>,<20120106071603.GH7491@besserwisser.org>
Message-ID: <49EB8AD6-1BCE-4F68-953C-7742B04EE2F7@ukbroadband.com>

On 6 Jan 2012, at 07:33, "Måns Nilsson" wrote:

>
> Thanks all who made me think a second round and solve this.

Hence why people prefer to ask people and not GOOG et-al.

--
Leigh Porter
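The anycast thread above ends with the root cause: a route redistributed between two IGP islands entered the receiving IGP with a seed metric that was far lower than the real cost behind the border router, so clients picked the far instance. The following is an added illustration, not code from anyone in the thread; the two-island topology, its link costs and the router names are all constructed. It computes which anycast instance a client chooses under a too-low seed metric and under one that reflects the true cost through the other island.

```python
import heapq

# Constructed two-island IGP (hypothetical names and link costs). The anycast
# prefix is served by a3 (island A) and b2 (island B); a2 and b1 are the
# border routers that redistribute between the islands.
ISLAND_A = {
    "a1": {"a2": 10, "a3": 30},
    "a2": {"a1": 10, "a3": 10},
    "a3": {"a1": 30, "a2": 10},
}
ISLAND_B = {
    "b1": {"b2": 50},
    "b2": {"b1": 50},
}
INTER_ISLAND_LINK_COST = 20  # a2 <-> b1, hypothetical


def dijkstra(topology, src):
    """Shortest-path costs from src to every router within one island."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in topology[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def anycast_choice(topology, local_servers, border_routers, client, seed_metric):
    """Which copy of the anycast prefix a client in this island will use.

    A route redistributed from the other island enters the IGP with the seed
    metric, not with the real cost behind the border router, so the client
    only sees dist(client, border) + seed_metric for that copy.
    Returns (chosen, cost); chosen is a local server or 'via <border router>'.
    """
    dist = dijkstra(topology, client)
    candidates = [(dist[s], s) for s in local_servers]
    candidates += [(dist[r] + seed_metric, "via " + r) for r in border_routers]
    cost, chosen = min(candidates)
    return chosen, cost


def honest_seed_metric(inter_link_cost, remote_topology, remote_border, remote_servers):
    """Smallest seed metric that does not understate the path through the
    other island: the border link plus the remote island's own best cost."""
    remote = dijkstra(remote_topology, remote_border)
    return inter_link_cost + min(remote[s] for s in remote_servers)


if __name__ == "__main__":
    # Seed metric of 1: a1 prefers the far copy even though a3 is 20 away.
    print(anycast_choice(ISLAND_A, ["a3"], ["a2"], "a1", seed_metric=1))
    seed = honest_seed_metric(INTER_ISLAND_LINK_COST, ISLAND_B, "b1", ["b2"])
    print("honest seed metric:", seed)
    print(anycast_choice(ISLAND_A, ["a3"], ["a2"], "a1", seed_metric=seed))
```

With the seed metric at 1 the client a1 sees the redistributed copy at cost 11 and the in-island server at 20, which is the "artificially cheap path to the wrong place"; once the seed metric covers the real cost through island B (70 here), the local instance wins at 20.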
From smb at cs.columbia.edu Fri Jan 6 07:59:50 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Fri, 6 Jan 2012 08:59:50 -0500
Subject: question regarding US requirements for journaling public email (possible legislation?)
In-Reply-To:
References: <14188.1325822415@turing-police.cc.vt.edu>
Message-ID:

On Jan 5, 2012, at 11:05:37 PM, Suresh Ramasubramanian wrote:

> There's no shortage of stuff that reaches you 80..90 days after the fact
>
> The UK voluntary retention rules make a lot more sense, compared to "a
> few days", which is entirely impractical
>
> On Fri, Jan 6, 2012 at 9:30 AM, wrote:
>>
>> You need to track down a miscreant user *right now*? You got the last 48 hours
>> of logs right at hand. It's been a week? Meh, if somebody's been getting hit by
>> a DDoS for a week and is just now calling you, the fact they have a DDoS is the
>> least of their problems. Toss the logs. :)

The answer from the EFF is the same: retain what *you* have an operational
or administrative need for. This is very different from a legislative mandate
for multiyear retention.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From mcarey at kinber.org Fri Jan 6 08:15:13 2012
From: mcarey at kinber.org (Michael Carey)
Date: Fri, 6 Jan 2012 09:15:13 -0500
Subject: SSL Certificates
Message-ID:

Looking for a recommendation on who to buy affordable and reputable SSL
certificates from? Symantec, Thawte, and Comodo are the names that come to
mind, just wondering if there are others folks use.

Thanks,

--
Michael D.
Carey
KINBER Network Engineer
mcarey at kinber.org
M: 814.777.5027
GV: (814) 205-6773
Skype: KINBER.Mike.Carey

KINBER - Keystone Initiative for Network Based Education and Research -
www.kinber.org
PennREN - Pennsylvania's Research and Education Network

From amcmillen at sliqua.com Fri Jan 6 08:18:11 2012
From: amcmillen at sliqua.com (Alexander McMillen)
Date: Fri, 6 Jan 2012 09:18:11 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <47F96507-F894-4379-A4B9-2DFFC341DA1E@sliqua.com>

AlphaSSL is pretty solid, priced right too.

--
Alexander McMillen
Chief Executive Officer
Sliqua Enterprise Hosting, Inc. - AS32740
Serving up scale and service since 2002. Is your mission critical?
1-877-4-SLIQUA - http://www.sliqua.com - http://www.isyourmissioncritical.com

On Jan 6, 2012, at 9:15 AM, Michael Carey wrote:

> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org
> PennREN - Pennsylvania's Research and Education Network

From joshbaird at gmail.com Fri Jan 6 08:27:27 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 6 Jan 2012 09:27:27 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID:

We typically stick with Network Solutions, and DigiCert for SAN certificates.
VeriSign's prices are just insane.

On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey wrote:
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D.
> Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org
> PennREN - Pennsylvania's Research and Education Network

From mhuff at ox.com Fri Jan 6 08:32:15 2012
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 6 Jan 2012 09:32:15 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>

I've had good experience with Entrust. One thing to be careful with is some
mobile devices (especially older Android ones) have limited root
certificates. Network Solutions and Entrust work, some others, not so much.
From my experience Android 2.3+ has most of the common root certs, but
previous versions don't. I wonder if someone has a list comparing root
certificate support across platforms?

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: Michael Carey [mailto:mcarey at kinber.org]
> Sent: Friday, January 06, 2012 9:15 AM
> To: nanog at nanog.org
> Subject: SSL Certificates
>
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that
> come to mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D. Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research -
> www.kinber.org PennREN - Pennsylvania's Research and Education Network

From blake at pfankuch.me Fri Jan 6 08:55:07 2012
From: blake at pfankuch.me (Blake T.
Pfankuch)
Date: Fri, 6 Jan 2012 14:55:07 +0000
Subject: SSL Certificates
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
Message-ID:

We have been using GoDaddy for quite some time as they offer good deals if
you call them in and buy in bulk. Mind you we manage certs for about 50-100
customers as well. Haven't had any issues with them not being trusted on
mobile devices except for old windows mobile 5 and early 6 devices.

-----Original Message-----
From: Matthew Huff [mailto:mhuff at ox.com]
Sent: Friday, January 06, 2012 7:32 AM
To: 'Michael Carey'; nanog at nanog.org
Subject: RE: SSL Certificates

I've had good experience with Entrust. One thing to be careful with is some
mobile devices (especially older Android ones) have limited root
certificates. Network Solutions and Entrust work, some others, not so much.
From my experience Android 2.3+ has most of the common root certs, but
previous versions don't. I wonder if someone has a list comparing root
certificate support across platforms?

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: Michael Carey [mailto:mcarey at kinber.org]
> Sent: Friday, January 06, 2012 9:15 AM
> To: nanog at nanog.org
> Subject: SSL Certificates
>
> Looking for a recommendation on who to buy affordable and reputable
> SSL certificates from? Symantec, Thawte, and Comodo are the names
> that come to mind, just wondering if there are others folks use.
>
> Thanks,
>
> --
> Michael D.
> Carey
> KINBER Network Engineer
> mcarey at kinber.org
> M: 814.777.5027
> GV: (814) 205-6773
> Skype: KINBER.Mike.Carey
>
> KINBER - Keystone Initiative for Network Based Education and Research
> - www.kinber.org PennREN - Pennsylvania's Research and Education
> Network

From graham at g-rock.net Fri Jan 6 09:08:28 2012
From: graham at g-rock.net (graham at g-rock.net)
Date: Fri, 06 Jan 2012 09:08:28 -0600
Subject: Re: SSL Certificates
Message-ID:

We use rapidssl. Seems to be ok across the board. No reports otherwise.

Sent from my HTC on the Now Network from Sprint!

----- Reply message -----
From: "Michael Carey"
Date: Fri, Jan 6, 2012 8:15 am
Subject: SSL Certificates
To:

Looking for a recommendation on who to buy affordable and reputable SSL
certificates from? Symantec, Thawte, and Comodo are the names that come to
mind, just wondering if there are others folks use.

Thanks,

--
Michael D. Carey
KINBER Network Engineer
mcarey at kinber.org
M: 814.777.5027
GV: (814) 205-6773
Skype: KINBER.Mike.Carey

KINBER - Keystone Initiative for Network Based Education and Research -
www.kinber.org
PennREN - Pennsylvania's Research and Education Network

From morrowc.lists at gmail.com Fri Jan 6 09:08:55 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 6 Jan 2012 10:08:55 -0500
Subject: SSL Certificates
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
Message-ID:

>> From: Michael Carey [mailto:mcarey at kinber.org]
>> Sent: Friday, January 06, 2012 9:15 AM
>> To: nanog at nanog.org
>> Subject: SSL Certificates
>>
>> Looking for a recommendation on who to buy affordable and reputable
>> SSL certificates from? Symantec, Thawte, and Comodo are the names
>> that come to mind, just wondering if there are others folks use.

startssl.com - free certs that work in apple-mail, chrome, ff, ie, tbird,
across mac/linux/windows... you can't beat free.
(you do have to update yearly, but it's not painful, and is probably worth
doing as practice anyway)

-chris

From alan at clegg.com Fri Jan 6 09:12:37 2012
From: alan at clegg.com (Alan Clegg)
Date: Fri, 06 Jan 2012 10:12:37 -0500
Subject: looking for traffic sources aimed at 192.153.154.124
Message-ID: <4F070F65.20605@clegg.com>

If anyone has some spare cycles and wants to help disrupt a DDoS, if you can
look for traffic sourced within your network, destination 192.153.154.124
port 80, I'd appreciate it.

I've been under attack for about the last 12 hours.

Other pointers to resources to trace the miscreants responsible would also
be appreciated.

Thanks,
AlanC

--
alan at clegg.com | aclegg at infoblox.com
1.919.355.8851

From Valdis.Kletnieks at vt.edu Fri Jan 6 09:31:13 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 06 Jan 2012 10:31:13 -0500
Subject: looking for traffic sources aimed at 192.153.154.124
In-Reply-To: Your message of "Fri, 06 Jan 2012 10:12:37 EST." <4F070F65.20605@clegg.com>
References: <4F070F65.20605@clegg.com>
Message-ID: <45901.1325863873@turing-police.cc.vt.edu>

On Fri, 06 Jan 2012 10:12:37 EST, Alan Clegg said:
> I've been under attack for about the last 12 hours.
>
> Other pointers to resources to trace the miscreants responsible would
> also be appreciated.

To tie this in to another thread - Alan is somebody who understands you
probably have operational logs going back 12 hours, but won't have them 90
days from now, so he's asking now. :)
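Matthew Huff's point in the SSL Certificates thread above, that older mobile root stores lack some CAs and that a list comparing root support across platforms would help, comes down to one check: does the chain a server sends terminate at a root the platform ships? The block below is an added illustration, not code from anyone in the thread. The certificates, their DER bytes and the two trust stores are constructed stand-ins (they are not the real contents of any Android release), and signature verification is deliberately left out: the point shown is path building and trust-anchor lookup, including the cross-signed root a CA publishes so that newer roots still validate on older devices.

```python
import hashlib
from collections import namedtuple

# Stand-in for a parsed X.509 certificate: only the fields a trust-anchor
# lookup needs. Everything here is constructed for illustration; the DER
# bytes are placeholders and no signatures are verified (a real validator
# also checks signatures, validity periods and constraints).
Cert = namedtuple("Cert", "subject issuer der")

OLD_ROOT = Cert("Old Root CA", "Old Root CA", b"constructed-der:old-root")
NEW_ROOT = Cert("New Root CA", "New Root CA", b"constructed-der:new-root")
# Same subject as NEW_ROOT but signed by OLD_ROOT: the cross-certificate a
# CA publishes so that chains to the new root still validate on old stores.
CROSS = Cert("New Root CA", "Old Root CA", b"constructed-der:new-root-cross-signed")
INTERMEDIATE = Cert("Example Issuing CA", "New Root CA", b"constructed-der:issuing-ca")
LEAF = Cert("www.example.com", "Example Issuing CA", b"constructed-der:leaf")


def fingerprint(cert):
    """SHA-256 over the DER bytes, the usual key into a trust store."""
    return hashlib.sha256(cert.der).hexdigest()


# Constructed per-platform root stores keyed by root subject. They model the
# thread's observation (an older store lacking a newer root), nothing more.
STORES = {
    "newer_store": {"Old Root CA": fingerprint(OLD_ROOT),
                    "New Root CA": fingerprint(NEW_ROOT)},
    "older_store": {"Old Root CA": fingerprint(OLD_ROOT)},
}


def build_path(leaf, served_chain):
    """Order the served certificates leaf-first by following issuer names.
    Assumes one served certificate per subject name."""
    by_subject = {c.subject: c for c in served_chain}
    path, cur = [leaf], leaf
    while cur.subject != cur.issuer and cur.issuer in by_subject:
        cur = by_subject[cur.issuer]
        if cur in path:  # malformed chain with a loop
            break
        path.append(cur)
    return path


def trust_anchor(leaf, served_chain, store):
    """Subject of the store root this chain terminates at, or None.

    At each step a served certificate is accepted if it is itself in the
    store, or if its issuer is a store root (the common case: the root is
    not sent). A self-signed certificate that is not in the store ends the
    search without a match.
    """
    fps = set(store.values())
    for cert in build_path(leaf, served_chain):
        if fingerprint(cert) in fps:
            return cert.subject
        if cert.subject != cert.issuer and cert.issuer in store:
            return cert.issuer
    return None


def platform_report(leaf, served_chain):
    """{store name: trust anchor or None} across every modelled store."""
    return {name: trust_anchor(leaf, served_chain, s) for name, s in STORES.items()}


if __name__ == "__main__":
    print("chain without cross-cert:", platform_report(LEAF, [INTERMEDIATE]))
    print("chain with cross-cert:   ", platform_report(LEAF, [INTERMEDIATE, CROSS]))
```

Serving only the intermediate leaves the older store with no anchor; adding the cross-certificate lets the older store chain to its old root while the newer store still stops at the new root it already trusts. The same structure works with real stores once the placeholders are replaced by parsed certificates and fingerprints exported from each platform.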
From ka at pacific.net Fri Jan 6 09:31:46 2012
From: ka at pacific.net (Ken A)
Date: Fri, 06 Jan 2012 09:31:46 -0600
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <4F0713E2.4060004@pacific.net>

theSSLstore has good reseller pricing on a variety of certs. ~ $10 domain
validated rapidssl certs in about 5 minutes. More expensive and time
consuming certs are available, Verisign, Geotrust, Thawte, greenbars,
wildcards, etc..

Ken

On 1/6/2012 8:15 AM, Michael Carey wrote:
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
>
> Thanks,
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From ryanshea at google.com Fri Jan 6 10:13:45 2012
From: ryanshea at google.com (Ryan Shea)
Date: Fri, 6 Jan 2012 11:13:45 -0500
Subject: Router Assessment Tool
In-Reply-To:
References:
Message-ID:

I think it is actually Router Audit Tool rather than assessment no? I'm not
sure that NMAP is an appropriate substitute for a configuration audit tool,
but it's not a bad idea to do some accounting of what ports are open for
business on your devices. I have had some limited success with RAT at prior
jobs, and in fact at UUNet/VzB, but IIRC it really was not a tool which could
be readily used to build new audit rules. Although it is an okay starting
point for some generic audits, you may be best served by rolling your own,
which is what I did there.

On Thu, Jan 5, 2012 at 4:09 PM, Christopher Morrow wrote:
> On Thu, Jan 5, 2012 at 12:11 PM, Green, Timothy wrote:
> > Happy New Year All!!!
> >
> > I'm trying to perform STIG compliancy on various Cisco equipment. Has
> > anybody used the Router Assessment Tool (RAT) for routers and switches?
> > Any cheap (free) recommendations? As a last ditch effort I could use NMAP.
> >
>
> uunet did for a time use a variant of RAT... you may get some mileage
> asking George Jones about it.
>

From berni at birkenwald.de Fri Jan 6 13:16:50 2012
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Fri, 6 Jan 2012 19:16:50 +0000 (UTC)
Subject: incoming smtp from v6 addresses
References:
Message-ID:

Randy Bush wrote:

> for incoming mail that is *accepted*, i.e. not stuff like
> 2012-01-04 00:37:28 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
> 2012-01-04 00:37:28 H=(nexo.es) [118.39.80.118] F= rejected RCPT : blocked because 118.39.80.118 is in blacklist at rbl-plus.mail-abuse.org: Mail from 118.39.80.118 blocked using Trend Micro Email Reputation database. Please see
> 2012-01-04 00:37:28 no host name found for IP address 118.39.80.118
> 2012-01-04 00:37:29 REJECT 118.39.80.118 too many bad recip
> 2012-01-04 00:37:29 REJECT because 118.39.80.118 listed in rbl-plus.mail-abuse.org
>
> 7.8% is over ipv6 transport
>
> but only 2% of outgoing deliveries are over ipv6.
>
> what do other folk see?

Main inbound MX for a large educational institution sees around 5% of mails
coming in via IPv6. Might be a bit biased due to holiday season. Outbound is
mostly running on legacy servers without IPv6, yet :-(

Bernhard

From cscora at apnic.net Fri Jan 6 13:25:22 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 7 Jan 2012 05:25:22 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201201061925.q06JPMSr007491@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.
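The Router Audit Tool thread above (Tim Green's STIG-compliance question and Ryan Shea's advice to roll your own audit rules) is the kind of check that is small enough to write directly: parse the running config into top-level lines and indented sections, then apply required and forbidden patterns. The following is an added example, not RAT and not code from anyone in the thread. Both configs are constructed, and the rule set is a hypothetical minimal one (password encryption, HTTP server off, SSHv2, no default SNMP community, SSH-only VTYs with a timeout and an access-class); a real STIG profile has many more rules, but they take the same shape.

```python
import re

# Constructed IOS-style config (not from the thread). "line vty 0 4" is the
# weak section; "line vty 5 15" is what the rules expect.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
!
snmp-server community public RO
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
!
line vty 5 15
 transport input ssh
 exec-timeout 10 0
 access-class 10 in
!
"""

# The same device after remediation (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
ip ssh version 2
no ip http server
!
snmp-server community s3cr3t-ro RO 20
!
line vty 0 15
 transport input ssh
 exec-timeout 10 0
 access-class 10 in
!
"""

# Hypothetical rule set: (rule id, regex). Required rules fire when no line
# matches; forbidden rules fire once for every line that matches.
GLOBAL_REQUIRED = [
    ("password-encryption", r"^service password-encryption$"),
    ("http-server-disabled", r"^no ip http server$"),
    ("ssh-v2", r"^ip ssh version 2$"),
]
GLOBAL_FORBIDDEN = [
    ("default-snmp-community", r"^snmp-server community (public|private)\b"),
    ("http-server-enabled", r"^ip http server$"),
]
VTY_REQUIRED = [
    ("vty-ssh-only", r"^transport input ssh$"),
    # any exec-timeout except "0 0", which disables the idle timeout
    ("vty-exec-timeout", r"^exec-timeout (?!0 0$)\d+( \d+)?$"),
    ("vty-access-class", r"^access-class \S+ in$"),
]


def parse_ios(text):
    """Split an IOS-style config into (top-level line, [indented children])."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            sections.append(current)
    return sections


def audit(text):
    """Return (section, rule id) findings; an empty list means compliant."""
    sections = parse_ios(text)
    top_level = [header for header, _ in sections]
    findings = []
    for rule_id, pattern in GLOBAL_REQUIRED:
        if not any(re.match(pattern, line) for line in top_level):
            findings.append(("global", rule_id))
    for rule_id, pattern in GLOBAL_FORBIDDEN:
        findings.extend(("global", rule_id) for line in top_level if re.match(pattern, line))
    for header, children in sections:
        if header.startswith("line vty"):
            for rule_id, pattern in VTY_REQUIRED:
                if not any(re.match(pattern, line) for line in children):
                    findings.append((header, rule_id))
    return findings


if __name__ == "__main__":
    for section, rule_id in audit(SAMPLE_CONFIG):
        print(f"{section}: {rule_id}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak config produces seven findings (four global, three against `line vty 0 4`) and the hardened one produces none. Rules are anchored regexes over whole lines so that, for instance, `transport input telnet ssh` does not satisfy the SSH-only rule.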
Routing Table Report   04:00 +10GMT Sat 07 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:  388994
    Prefixes after maximum aggregation:  168547
    Deaggregation factor:  2.31
    Unique aggregates announced to Internet:  190697
Total ASes present in the Internet Routing Table:  39774
    Prefixes per ASN:  9.78
Origin-only ASes present in the Internet Routing Table:  32587
Origin ASes announcing only one prefix:  15529
Transit ASes present in the Internet Routing Table:  5365
Transit-only ASes present in the Internet Routing Table:  140
Average AS path length visible in the Internet Routing Table:  4.3
Max AS path length visible:  33
Max AS path prepend of ASN (48687):  24
Prefixes from unregistered ASNs in the Routing Table:  2082
Unregistered ASNs in the Routing Table:  1044
Number of 32-bit ASNs allocated by the RIRs:  2160
Number of 32-bit ASNs visible in the Routing Table:  1822
Prefixes from 32-bit ASNs in the Routing Table:  4340
Special use prefixes present in the Routing Table:  2
Prefixes being announced from unallocated address space:  120
Number of addresses announced to Internet:  2506673712
    Equivalent to 149 /8s, 104 /16s and 206 /24s
Percentage of available address space announced:  67.6
Percentage of allocated address space announced:  67.6
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:  91.9
Total number of prefixes smaller than registry allocations:  164906

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:  96263
    Total APNIC prefixes after maximum aggregation:  31431
    APNIC Deaggregation factor:  3.06
Prefixes being announced from the APNIC address blocks:  92611
Unique aggregates announced from the APNIC address blocks:  38795
APNIC Region origin ASes present in the Internet Routing Table:  4630
    APNIC Prefixes per ASN:  20.00
APNIC Region origin ASes
announcing only one prefix:  1254
APNIC Region transit ASes present in the Internet Routing Table:  730
Average APNIC Region AS path length visible:  4.3
Max APNIC Region AS path length visible:  18
Number of APNIC region 32-bit ASNs visible in the Routing Table:  125
Number of APNIC addresses announced to Internet:  633118080
    Equivalent to 37 /8s, 188 /16s and 157 /24s
Percentage of available APNIC address space announced:  80.3

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8,
                       59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8,
                       112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8,
                       120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8,
                       175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8,
                       218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:  147034
    Total ARIN prefixes after maximum aggregation:  74945
    ARIN Deaggregation factor:  1.96
Prefixes being announced from the ARIN address blocks:  119074
Unique aggregates announced from the ARIN address blocks:  49000
ARIN Region origin ASes present in the Internet Routing Table:  14841
    ARIN Prefixes per ASN:  8.02
ARIN Region origin ASes announcing only one prefix:  5683
ARIN Region transit ASes present in the Internet Routing Table:  1574
Average ARIN Region AS path length visible:  4.0
Max ARIN Region AS path length visible:  25
Number of ARIN region 32-bit ASNs visible in the Routing Table:  14
Number of ARIN addresses announced to Internet:  804838592
    Equivalent to 47 /8s, 248 /16s and 220 /24s
Percentage of available ARIN address space announced:  64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287,
                       13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8,
                       16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8,
                       26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8,
                       40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8,
                       55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8,
                       69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8,
                       97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 173/8,
                       174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8,
                       209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:  95494
    Total RIPE prefixes after maximum aggregation:  51954
    RIPE Deaggregation factor:  1.84
Prefixes being announced from the RIPE address blocks:  87490
Unique aggregates announced from the RIPE address blocks:  55635
RIPE Region origin ASes present in the Internet Routing Table:  16229
    RIPE Prefixes per ASN:  5.39
RIPE Region origin ASes announcing only one prefix:  7979
RIPE Region transit ASes present in the Internet Routing Table:  2578
Average RIPE Region AS path length visible:  4.6
Max RIPE Region AS path length visible:  33
Number of RIPE region 32-bit ASNs visible in the Routing Table:  1269
Number of RIPE addresses announced to Internet:  496218056
    Equivalent to 29 /8s, 147 /16s and 175 /24s
Percentage of available RIPE address space announced:  79.9

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       196608-198655
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8,
                       78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8,
                       87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8,
                       109/8,
                       176/8, 178/8, 185/8, 193/8, 194/8, 195/8, 212/8, 213/8,
                       217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:  37108
    Total LACNIC prefixes after maximum aggregation:  8068
    LACNIC Deaggregation factor:  4.60
Prefixes being announced from the LACNIC address blocks:  36658
Unique aggregates announced from the LACNIC address blocks:  19174
LACNIC Region origin ASes present in the Internet Routing Table:  1561
    LACNIC Prefixes per ASN:  23.48
LACNIC Region origin ASes announcing only one prefix:  448
LACNIC Region transit ASes present in the Internet Routing Table:  287
Average LACNIC Region AS path length visible:  4.5
Max LACNIC Region AS path length visible:  24
Number of LACNIC region 32-bit ASNs visible in the Routing Table:  410
Number of LACNIC addresses announced to Internet:  95243144
    Equivalent to 5 /8s, 173 /16s and 75 /24s
Percentage of available LACNIC address space announced:  63.1

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8,
                       201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:  8593
    Total AfriNIC prefixes after maximum aggregation:  2076
    AfriNIC Deaggregation factor:  4.14
Prefixes being announced from the AfriNIC address blocks:  6622
Unique aggregates announced from the AfriNIC address blocks:  2089
AfriNIC Region origin ASes present in the Internet Routing Table:  509
    AfriNIC Prefixes per ASN:  13.01
AfriNIC Region origin ASes announcing only one prefix:  165
AfriNIC Region transit ASes present in the Internet Routing Table:  116
Average AfriNIC Region AS path length visible:  4.6
Max AfriNIC Region AS path length visible:  25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:  4
Number of AfriNIC addresses announced to Internet:  30739456
    Equivalent to 1 /8s, 213 /16s and 12 /24s
Percentage of available AfriNIC
address space announced:  45.8

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
4766    2467        11099      965     Korea Telecom (KIX)
17974   1719        503        37      PT TELEKOMUNIKASI INDONESIA
7545    1630        303        86      TPG Internet Pty Ltd
4755    1517        385        157     TATA Communications formerly
7552    1409        1064       7       Vietel Corporation
9829    1172        989        28      BSNL National Internet Backbo
9583    1111        81         496     Sify Limited
4808    1091        2036       310     CNCGROUP IP network: China169
24560   986         381        164     Bharti Airtel Ltd., Telemedia
18101   975         131        156     Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
6389    3476        3814       217     bellsouth.net, inc.
7029    3161        1017       200     Windstream Communications Inc
18566   2093        382        177     Covad Communications
1785    1864        680        122     PaeTec Communications, Inc.
4323    1620        1065       385     Time Warner Telecom
20115   1616        1551       619     Charter Communications
22773   1518        2909       107     Cox Communications, Inc.
30036   1484        264        691     Mediacom Communications Corp
19262   1389        4683       401     Verizon Global Networks
7018    1302        7013       853     AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
8402    1564        480        15      Corbina telecom
15557   1096        2161       64      LDCOM NETWORKS
2118    672         99         14      EUnet/RELCOM Autonomous Syste
6830    645         1928       414     UPC Distribution Services
34984   636         132        198     BILISIM TELEKOM
20940   563         183        449     Akamai Technologies European
12479   551         636        53      Uni2 Autonomous System
3320    531         8162       397     Deutsche Telekom AG
8551    504         360        81      Bezeq International
3292    480         2106       407     TDC Tele Danmark

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
10620   1721        319        159     TVCABLE BOGOTA
28573   1573        1064       76      NET Servicos de Comunicao S.A
8151    1459        2989       346     UniNet S.A. de C.V.
7303    1255        756        178     Telecom Argentina Stet-France
27947   632         73         95      Telconet S.A
22047   582         322        17      VTR PUNTO NET S.A.
7738    551         1050       31      Telecomunicacoes da Bahia S.A
3816    547         237        91      Empresa Nacional de Telecomun
6503    538         434        67      AVANTEL, S.A.
11172 533 86 99 Servicios Alestra S.A de C.V Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 8452 1032 958 13 TEDATA 24863 794 146 36 LINKdotNET AS number 3741 280 939 229 The Internet Solution 6713 250 649 18 Itissalat Al-MAGHRIB 15706 242 32 6 Sudatel Internet Exchange Aut 33776 240 13 8 Starcomms Nigeria Limited 29571 217 17 13 Ci Telecom Autonomous system 12258 195 28 60 Vodacom Internet Company 24835 191 80 8 RAYA Telecom - Egypt 16637 160 664 82 MTN Network Solutions Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC Global Per AS prefix count summary ---------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3476 3814 217 bellsouth.net, inc. 7029 3161 1017 200 Windstream Communications Inc 4766 2467 11099 965 Korea Telecom (KIX) 18566 2093 382 177 Covad Communications 1785 1864 680 122 PaeTec Communications, Inc. 10620 1721 319 159 TVCABLE BOGOTA 17974 1719 503 37 PT TELEKOMUNIKASI INDONESIA 7545 1630 303 86 TPG Internet Pty Ltd 4323 1620 1065 385 Time Warner Telecom 20115 1616 1551 619 Charter Communications Complete listing at http://thyme.rand.apnic.net/current/data-ASnet Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 7029 3161 2961 Windstream Communications Inc 18566 2093 1916 Covad Communications 1785 1864 1742 PaeTec Communications, Inc. 17974 1719 1682 PT TELEKOMUNIKASI INDONESIA 10620 1721 1562 TVCABLE BOGOTA 8402 1564 1549 Corbina telecom 7545 1630 1544 TPG Internet Pty Ltd 4766 2467 1502 Korea Telecom (KIX) 28573 1573 1497 NET Servicos de Comunicao S.A 22773 1518 1411 Cox Communications, Inc. 
Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 15132 UNALLOCATED 12.9.150.0/24 7018 AT&T WorldNet Servic 32567 UNALLOCATED 12.14.170.0/24 4323 Time Warner Telecom 32567 UNALLOCATED 12.25.107.0/24 4323 Time Warner Telecom 25639 UNALLOCATED 12.41.169.0/24 7018 AT&T WorldNet Servic 13317 UNALLOCATED 12.44.10.0/24 7018 AT&T WorldNet Servic 23502 UNALLOCATED 12.44.44.0/24 7018 AT&T WorldNet Servic 17300 UNALLOCATED 12.45.103.0/24 7018 AT&T WorldNet Servic 17300 UNALLOCATED 12.45.110.0/24 701 UUNET Technologies, 16476 UNALLOCATED 12.46.27.0/24 7018 AT&T WorldNet Servic 32873 UNALLOCATED 12.46.100.0/23 10912 InterNAP Network Ser Complete listing at http://thyme.rand.apnic.net/current/data-badAS Prefixes from private and non-routed address space (Global) ----------------------------------------------------------- Prefix Origin AS Description 128.0.0.0/21 12654 RIPE NCC RIS Project 128.0.24.0/24 12654 RIPE NCC RIS Project Complete listing at http://thyme.rand.apnic.net/current/data-dsua Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 14.192.0.0/22 45464 Room 201, TGU Bldg 14.192.4.0/22 45464 Room 201, TGU Bldg 14.192.8.0/22 45464 Room 201, TGU Bldg 14.192.12.0/22 45464 Room 201, TGU Bldg 14.192.16.0/22 45464 Room 201, TGU Bldg 14.192.20.0/22 45464 Room 201, TGU Bldg 14.192.24.0/22 45464 Room 201, TGU Bldg 14.192.28.0/22 45464 Room 201, TGU Bldg 37.35.8.0/21 8400 "TELEKOM SRBIJA" a.d. 
37.35.64.0/21 33983 IP network of ARTMOTION n.p.s Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:12 /10:27 /11:81 /12:237 /13:465 /14:815 /15:1453 /16:12097 /17:6127 /18:10171 /19:20180 /20:27922 /21:28372 /22:38717 /23:36054 /24:202631 /25:1177 /26:1403 /27:780 /28:167 /29:55 /30:14 /31:0 /32:18 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 7029 2789 3161 Windstream Communications Inc 6389 2121 3476 bellsouth.net, inc. 18566 2042 2093 Covad Communications 10620 1616 1721 TVCABLE BOGOTA 8402 1543 1564 Corbina telecom 30036 1443 1484 Mediacom Communications Corp 11492 1115 1152 Cable One 1785 1066 1864 PaeTec Communications, Inc. 7011 1051 1168 Citizens Utilities 15557 1046 1096 LDCOM NETWORKS Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:494 2:417 4:15 5:1 6:3 8:364 12:1949 13:1 14:583 15:11 16:3 17:7 20:9 23:85 24:1717 27:1171 31:787 32:67 33:2 34:2 36:4 37:15 38:794 40:114 41:3004 42:85 43:1 44:3 46:1166 47:3 49:297 50:501 52:13 55:6 56:2 57:41 58:942 59:487 60:343 61:1177 62:938 63:1966 64:4116 65:2302 66:4368 67:1989 68:1165 69:3147 70:921 71:419 72:1787 74:2645 75:442 76:321 77:940 78:894 79:501 80:1187 81:859 82:523 83:530 84:581 85:1167 86:748 87:911 88:349 89:1583 90:261 91:4403 92:534 93:1523 94:1336 95:1049 96:401 97:295 98:788 99:38 100:18 101:127 103:612 106:10 107:126 108:101 109:1422 110:681 111:835 112:429 113:494 114:599 115:738 116:867 117:724 118:889 119:1234 120:386 121:673 122:1621 123:1051 124:1338 125:1351 128:536 129:192 130:189 131:586 132:163 133:21 134:226 135:54 136:213 137:151 138:286 139:135 140:490 141:261 142:379 143:403 144:501 145:67 
 146:474    147:222    148:632    149:276    150:165    151:192   152:444    153:169
 154:7      155:393    156:210    157:366    158:155    159:511   160:345    161:221
 162:336    163:187    164:523    165:393    166:552    167:454   168:816    169:147
 170:828    171:95     172:4      173:1785   174:588    175:417   176:333    177:442
 178:1169   180:1215   181:43     182:686    183:267    184:422   185:1      186:1479
 187:816    188:1006   189:1169   190:5328   192:5988   193:5447  194:3788   195:3192
 196:1286   197:174    198:3619   199:4256   200:5570   201:1690  202:8512   203:8592
 204:4342   205:2423   206:2701   207:2803   208:4009   209:3545  210:2747   211:1477
 212:1963   213:1813   214:837    215:93     216:4909   217:1478  218:568    219:338
 220:1243   221:563    222:324    223:266

End of report

From packetjockey at gmail.com Fri Jan 6 13:38:19 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Fri, 6 Jan 2012 14:38:19 -0500
Subject: Automate Peering Maintenance
Message-ID:

Hello list,

Want to ping the list and see how the operational community automates peering maintenance. I've spoken to a few folks and this seems completely foreign to them.

By 'automate' I mean creating and updating dynamically (runs periodically) prefix and/or AS-Path filters from IRR data and directly applying configuration to routers.

I'm currently looking at bgpq, RtConfig, and IRRToolSet for generating the prefix and AS-Path filters but haven't been able to find anything that does the automatic re-provisioning/re-configuration on the peering sessions.

Would be looking for tool(s) that's Junos friendly.

Thanks!

Cheers,
RR

From bonald at gmail.com Fri Jan 6 14:31:22 2012
From: bonald at gmail.com (Bonald)
Date: Fri, 6 Jan 2012 16:31:22 -0400
Subject: QinQ switch or similar
Message-ID:

Hi,
We need to purchase some switch that supports 1gbit QinQ.
Any suggestions ? We need to connect 9 schools together in layer2.
All 9 schools have 1gb link from our provider, provider gave us 5 vlan to work with.
We have around 35 vlan in-house.

We are low budget. Any recommendation besides QinQ ?
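The generation half of what Rafael Rodriguez asks about above (IRR route objects in, a Junos prefix policy out) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Rafael's tooling and not bgpq, RtConfig or IRRToolSet. The RPSL text, the AS numbers (AS64500/AS64501 are from the private range), the maintainer name and the peer name are all constructed for the example; real input would come from a whois/IRRd query, and as-set expansion is deliberately left out. The two checks that matter for safety are kept: a maximum prefix length, and a bogon list that wins over whatever the IRR says, because anyone can register a route object.

```python
"""Generate a Junos import policy from IRR route/route6 objects (added example)."""
import ipaddress

# Constructed sample IRR output. It contains a duplicate, a prefix that is too
# specific, RFC 1918 space registered under the origin, and an object for a
# different origin; the filter must keep only three of the six.
SAMPLE_IRR = """\
route:          192.0.2.0/24
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          198.51.100.0/22
origin:         AS64500
source:         RADB

route:          203.0.113.128/26
origin:         AS64500
source:         RADB

route:          10.0.0.0/8
origin:         AS64500
source:         RADB

route6:         2001:db8::/32
origin:         AS64500
source:         RADB

route:          192.0.2.0/24
origin:         AS64501
source:         RADB
"""

# Space never accepted from a peer regardless of IRR content (constructed,
# not an exhaustive bogon list).
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_V4_LEN = 24   # longest prefixes most transit peers will carry
MAX_V6_LEN = 48


def parse_rpsl(text):
    """Yield one dict per blank-line-separated RPSL object."""
    obj = {}
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
            obj = {}
            continue
        key, _, val = line.partition(":")
        obj[key.strip()] = val.strip()
    if obj:
        yield obj


def routes_for_origin(text, origin):
    """Return the validated, de-duplicated prefixes registered for `origin`."""
    accepted = set()
    for obj in parse_rpsl(text):
        pfx = obj.get("route") or obj.get("route6")
        if pfx is None or obj.get("origin") != origin:
            continue
        net = ipaddress.ip_network(pfx, strict=True)
        limit = MAX_V4_LEN if net.version == 4 else MAX_V6_LEN
        if net.prefixlen > limit:
            continue  # too specific to carry
        if any(b.version == net.version and net.subnet_of(b) for b in BOGONS):
            continue  # bogon space stays bogon even when someone registers it
        accepted.add(net)
    return sorted(accepted, key=lambda n: (n.version, n))


def render_junos(peer_name, nets):
    """Render a policy-options stanza for `load replace`.

    The replace: tag makes each periodic push replace the whole policy, so a
    prefix that disappears from the IRR also disappears from the router.
    """
    lines = ["policy-options {",
             f"    replace: policy-statement import-{peer_name} {{"]
    for fam, limit in (("v4", MAX_V4_LEN), ("v6", MAX_V6_LEN)):
        fam_nets = [n for n in nets if (n.version == 4) == (fam == "v4")]
        if not fam_nets:
            continue  # an empty 'from' block would match everything
        lines += [f"        term irr-{fam} {{", "            from {"]
        for n in fam_nets:
            match = "exact" if n.prefixlen == limit else f"upto /{limit}"
            lines.append(f"                route-filter {n} {match};")
        lines += ["            }", "            then accept;", "        }"]
    lines += ["        term deny-rest {", "            then reject;", "        }",
              "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_junos("peer1", routes_for_origin(SAMPLE_IRR, "AS64500")))
```

The missing half, pushing the rendered text to the router, is what Rafael could not find a tool for; with this output the push is a `load replace` of the file followed by a commit, and the `replace:` tag is what keeps repeated runs from accumulating stale entries.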
From mike.lyon at gmail.com Fri Jan 6 14:39:16 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Fri, 6 Jan 2012 12:39:16 -0800
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <-3847818410115600494@unknownmsgid>

Checkout the Mikrotik Routerboards. Low cost and extremely versatile.

Www.mikrotik.com

Cheers,
Mike

Sent from my iPhone

On Jan 6, 2012, at 12:32, Bonald wrote:

> Hi,
> We need to purchase some switch that supports 1gbit QinQ.
> Any suggestions ? We need to connect 9 schools together in layer2.
> All 9 schools have 1gb link from our provider, provider gave us 5 vlan to
> work with.
> We have around 35 vlan in-house.
>
> We are low budget. Any recommendation besides QinQ ?

From cidr-report at potaroo.net Fri Jan 6 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 6 Jan 2012 22:00:00 GMT
Subject: BGP Update Report
Message-ID: <201201062200.q06M00oE000120@wattle.apnic.net>

BGP Update Report
Interval: 29-Dec-11 -to- 05-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds     %   Upds/Pfx  AS-Name
 1 - AS17665   166462  12.0%    2107.1 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
 2 - AS42116    99564   7.2%    1914.7 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
 3 - AS8402     38327   2.8%      58.4 -- CORBINA-AS OJSC "Vimpelcom"
 4 - AS9829     37920   2.7%      66.5 -- BSNL-NIB National Internet Backbone
 5 - AS32528    24000   1.7%   12000.0 -- ABBOTT Abbot Labs
 6 - AS7552     21159   1.5%      21.4 -- VIETEL-AS-AP Vietel Corporation
 7 - AS24560    20453   1.5%      21.0 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 8 - AS20632    20290   1.5%   20290.0 -- PETERSTAR-AS PeterStar
 9 - AS6072     16016   1.2%    1144.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
10 - AS19223    12809   0.9%   12809.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
11 - AS5800     11895   0.9%      42.5 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
12 - AS17639    10537   0.8%     114.5 -- COMCLARK-AS ComClark Network & Technology Corp.
13 - AS28885    10272   0.7%      79.0 -- OMANTEL-NAP-AS OmanTel NAP
14 - AS9498      9372   0.7%       8.7 -- BBIL-AP BHARTI Airtel Ltd.
15 - AS27738     9066   0.7%      26.6 -- Ecuadortelecom S.A.
16 - AS27947     8433   0.6%      15.2 -- Telconet S.A
17 - AS27051     7814   0.6%     244.2 -- DNIC-ASBLK-27032-27159 - DoD Network Information Center
18 - AS5089      7793   0.6%     185.5 -- NTL Virgin Media Limited
19 - AS14522     7792   0.6%      29.1 -- Satnet
20 - AS30036     7403   0.5%       7.1 -- MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds     %   Upds/Pfx  AS-Name
 1 - AS20632    20290   1.5%   20290.0 -- PETERSTAR-AS PeterStar
 2 - AS19223    12809   0.9%   12809.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 3 - AS32528    24000   1.7%   12000.0 -- ABBOTT Abbot Labs
 4 - AS27295     6636   0.5%    6636.0 -- GENICA - Genica Corporation
 5 - AS39353     5728   0.4%    5728.0 -- PRINCAST-AS Gobierno del Principado de Asturias
 6 - AS10209     4914   0.4%    4914.0 -- SYNOPSYS-AS-JP-AP Japan HUB and Data Center
 7 - AS45723     3797   0.3%    3797.0 -- OMADATA-AS-ID Omadata Indonesia, PT
 8 - AS17408     3277   0.2%    3277.0 -- ABOVE-AS-AP AboveNet Communications Taiwan
 9 - AS17665   166462  12.0%    2107.1 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
10 - AS42116    99564   7.2%    1914.7 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
11 - AS6072     16016   1.2%    1144.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
12 - AS45704     2031   0.1%    1015.5 -- INTERDATA-AS-ID MEDIA INTERDATA, PT
13 - AS14240     1910   0.1%     955.0 -- PMC-AS-1 - PMC-Sierra, INC.
14 - AS53362      938   0.1%     938.0 -- MIXIT-AS - Mixit, Inc.
15 - AS3          743   0.1%    1587.0 -- FIRSTEASY-AS 1st Easy Limited
16 - AS56939      602   0.0%     602.0 -- CREDOS Credo-S Ltd.
17 - AS21271      572   0.0%     572.0 -- SOTELMABGP
18 - AS17370      565   0.0%     565.0 -- MCAFEE-COM - McAfee, Inc.
19 - AS18804     1061   0.1%     530.5 -- AKCIN - AKCIN INC.
20 - AS46510      530   0.0%     530.0 -- ACS-EDUCATION-SERVICES - ACS Education Services

TOP 20 Unstable Prefixes
Rank  Prefix             Upds     %   Origin AS -- AS Name
 1 - 84.204.132.0/24    20290   1.4%  AS20632 -- PETERSTAR-AS PeterStar
 2 - 67.97.156.0/24     12809   0.9%  AS19223 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 3 - 130.36.34.0/24     12000   0.8%  AS32528 -- ABBOTT Abbot Labs
 4 - 130.36.35.0/24     12000   0.8%  AS32528 -- ABBOTT Abbot Labs
 5 - 203.192.248.0/23   10339   0.7%  AS17665 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
 6 - 203.194.96.0/20    10223   0.7%  AS17665 -- IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
 7 - 202.56.215.0/24     7441   0.5%  AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 8 - 12.202.99.0/24      6636   0.5%  AS27295 -- GENICA - Genica Corporation
 9 - 46.147.124.0/22     6574   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
10 - 46.147.108.0/22     6570   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
11 - 46.147.120.0/22     6563   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
12 - 95.78.4.0/22        6556   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
13 - 95.78.84.0/22       6544   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
14 - 95.78.20.0/22       6537   0.5%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
15 - 95.78.88.0/22       6525   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
16 - 95.78.96.0/22       6508   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
17 - 95.78.92.0/22       6507   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
18 - 95.78.100.0/22      6499   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
19 - 95.78.108.0/22      6497   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
20 - 95.78.116.0/22      6471   0.4%  AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Jan 6 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 6 Jan 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201201062200.q06M0021000114@wattle.apnic.net>

This report has been generated at Fri Jan 6 21:12:32 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.
Recent Table History
        Date      Prefixes    CIDR Agg
        30-12-11    390109      227812
        31-12-11    390100      227934
        01-01-12    390038      227925
        02-01-12    390086      227921
        03-01-12    390131      228113
        04-01-12    390399      228366
        05-01-12    390766      228275
        06-01-12    391121      228173

AS Summary
         39862  Number of ASes in routing system
         16752  Number of ASes announcing only one prefix
          3476  Largest number of prefixes announced by an AS
                AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
     109506048  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 06Jan12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     391113   228127   162986    41.7%   All ASes

AS6389      3476      220     3256    93.7%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3202     1486     1716    53.6%   WINDSTREAM - Windstream Communications Inc
AS18566     2093      413     1680    80.3%   COVAD - Covad Communications Co.
AS4766      2475      992     1483    59.9%   KIXS-AS-KR Korea Telecom
AS22773     1518      116     1402    92.4%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1514      198     1316    86.9%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS4323      1621      387     1234    76.1%   TWTC - tw telecom holdings, inc.
AS28573     1573      394     1179    75.0%   NET Servicos de Comunicao S.A.
AS1785      1867      784     1083    58.0%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS7552      1409      419      990    70.3%   VIETEL-AS-AP Vietel Corporation
AS19262     1389      402      987    71.1%   VZGNI-TRANSIT - Verizon Online LLC
AS10620     1721      760      961    55.8%   Telmex Colombia S.A.
AS7303      1255      367      888    70.8%   Telecom Argentina S.A.
AS18101      976      157      819    83.9%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS8151      1461      660      801    54.8%   Uninet S.A. de C.V.
AS8402      1523      732      791    51.9%   CORBINA-AS OJSC "Vimpelcom"
AS30036     1484      699      785    52.9%   MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS4808      1091      341      750    68.7%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS15557     1096      368      728    66.4%   LDCOMNET Societe Francaise du Radiotelephone S.A
AS24560      985      271      714    72.5%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS7545      1630      948      682    41.8%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS3356      1104      458      646    58.5%   LEVEL3 Level 3 Communications
AS2118       672       61      611    90.9%   RELCOM-AS OOO "NPO Relcom"
AS17974     1720     1109      611    35.5%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS17676      677       74      603    89.1%   GIGAINFRA Softbank BB Corp.
AS4804       662       95      567    85.6%   MPX-AS Microplex PTY LTD
AS9498       862      300      562    65.2%   BBIL-AP BHARTI Airtel Ltd.
AS20115     1616     1059      557    34.5%   CHARTER-NET-HKY-NC - Charter Communications
AS4780       786      235      551    70.1%   SEEDNET Digital United Inc.
AS3549       969      420      549    56.7%   GBLX Global Crossing Ltd.

Total      44427    14925    29502    66.4%   Top 30 total

Possible Bogus Routes
        10.86.64.32/30       AS65530 -Private Use AS-
        10.86.64.36/30       AS65530 -Private Use AS-
        10.86.65.32/30       AS65530 -Private Use AS-
        10.86.65.36/30       AS65530 -Private Use AS-
        10.255.255.0/30      AS65530 -Private Use AS-
        10.255.255.4/30      AS65530 -Private Use AS-
        10.255.255.8/30      AS65530 -Private Use AS-
        14.192.0.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.4.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.8.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.12.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.16.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.20.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.24.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.28.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        37.44.64.0/18        AS6697  BELPAK-AS Republican Association BELTELECOM
        37.45.0.0/16         AS6697  BELPAK-AS Republican Association BELTELECOM
        41.222.79.0/24       AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
        41.223.92.0/22       AS36936 CELTEL-GABON Celtel Gabon Internet Service
        62.61.220.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        62.61.221.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        64.21.192.0/20       AS11610 INETNEBR-1 - Internet Nebraska Corporation
        64.21.212.0/22       AS11610 INETNEBR-1 - Internet Nebraska Corporation
        64.21.216.0/21       AS11610 INETNEBR-1 - Internet Nebraska Corporation
        66.129.0.0/19        AS3901  ARRAKIS - Higher Technology Services
        66.180.239.0/24      AS35888 VIGNETTE - VIGNETTE CORPORATION
        66.207.32.0/20       AS23011
        66.245.176.0/20      AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
        66.251.128.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.133.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.134.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.136.0/21      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.140.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.141.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.142.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.143.0/24      AS3356  LEVEL3 Level 3 Communications
        69.46.224.0/20       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.233.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.236.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        71.19.134.0/23       AS3313  INET-AS BT Italia S.p.A.
        72.44.16.0/20        AS15054 HAMELTRONICS - Hameltronics, LLC
        80.88.10.0/24        AS33774 DJAWEB
        98.159.96.0/20       AS46975
        110.34.44.0/22       AS12653 COMTONET KB Impuls Hellas
        116.206.72.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.85.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.103.0/24     AS6461  MFNX MFN - Metromedia Fiber Network
        117.120.56.0/21      AS4755  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
        121.46.0.0/16        AS4134  CHINANET-BACKBONE No.31,Jin-rong Street
        142.54.0.0/19        AS23498 CDSI - Cogeco Data Services Inc.
        172.45.1.0/24        AS29571 CITelecom-AS
        172.45.2.0/24        AS29571 CITelecom-AS
        172.45.3.0/24        AS29571 CITelecom-AS
        172.102.0.0/22       AS4812  CHINANET-SH-AP China Telecom (Group)
        190.104.32.0/21      AS27882 Telefónica Celular de Bolivia S.A.
        192.146.137.0/24     AS25376 NETNORTH-ASN Netnorth Limited
        193.0.22.0/23        AS3333  RIPE-NCC-AS RIPE Network Coordination Centre
        200.6.93.0/24        AS6400  Compañía Dominicana de Teléfonos, C. por A. - CODETEL
        200.6.94.0/24        AS6400  Compañía Dominicana de Teléfonos, C. por A. - CODETEL
        200.6.95.0/24        AS6400  Compañía Dominicana de Teléfonos, C. por A. - CODETEL
        200.23.84.0/24       AS8151  Uninet S.A. de C.V.
        200.24.73.0/24       AS26061 Equant Colombia
        200.33.40.0/24       AS11172 Alestra, S. de R.L. de C.V.
        200.34.0.0/20        AS6342  Instituto Tecnológico y de Estudios Superiores de Monterrey
        200.53.0.0/19        AS13878 Diveo do Brasil Telecomunicacoes Ltda
        202.1.224.0/24       AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
        202.8.106.0/24       AS9530  SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
        202.9.55.0/24        AS2764  AAPT AAPT Limited
        202.58.113.0/24      AS19161
        202.61.75.0/24       AS9927  PHILCOMNET-PH A Multihomed ISP Company
        202.83.120.0/21      AS37972
        202.83.124.0/24      AS37972
        202.83.125.0/24      AS37972
        202.83.126.0/24      AS37972
        202.94.1.0/24        AS4808  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
        202.133.70.0/24      AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
        202.160.152.0/22     AS10113 DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
        202.174.125.0/24     AS9498  BBIL-AP BHARTI Airtel Ltd.
        202.176.1.0/24       AS9942  COMINDICO-AP SOUL Converged Communications Australia
        202.179.134.0/24     AS23966 LDN-AS-PK LINKdotNET Telecom Limited
        203.23.1.0/24        AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.24.38.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.30.127.0/24      AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/23       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.87.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.188.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        203.142.219.0/24     AS45149
        205.150.0.0/15       AS701   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
        205.175.214.0/24     AS5583  ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
        206.123.129.0/24     AS10790 INREACH-AS - InReach Internet
        206.180.240.0/20     AS12083 KNOLOGY-NET - KNOLOGY, Inc.
        206.197.184.0/24     AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
        207.174.131.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.132.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.152.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.154.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.155.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.200.0/24     AS22658 EARTHNET - Earthnet, Inc.
        207.174.248.0/21     AS6653  PRIVATEI - privateI, LLC
        207.231.96.0/19      AS11194 NUNETPA - NuNet Inc.
        208.83.53.0/24       AS40569 YGOMI-AS - Ygomi LLC
        208.91.56.0/21       AS22241 IC2NET - IC2NET
        208.91.56.0/24       AS22241 IC2NET - IC2NET
        208.91.57.0/24       AS22241 IC2NET - IC2NET
        208.91.58.0/24       AS22241 IC2NET - IC2NET
        208.91.59.0/24       AS22241 IC2NET - IC2NET
        208.91.60.0/24       AS22241 IC2NET - IC2NET
        208.91.61.0/24       AS22241 IC2NET - IC2NET
        208.91.62.0/24       AS22241 IC2NET - IC2NET
        208.91.63.0/24       AS22241 IC2NET - IC2NET
        209.133.224.0/19     AS4323  TWTC - tw telecom holdings, inc.
        209.148.64.0/19      AS13773 TELNETCOMM - Telnet Communications
        209.177.64.0/20      AS6461  MFNX MFN - Metromedia Fiber Network
        209.213.0.0/20       AS33005 ELTOPIA - Eltopia.com, LLC
        209.222.240.0/22     AS19747
        210.56.150.0/23      AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
        216.12.160.0/20      AS26627 AS-PILOSOFT - Pilosoft, Inc.
        216.21.160.0/20      AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport
        216.194.160.0/20     AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport
        217.26.128.0/20      AS48111

Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From matt.addison at lists.evilgeni.us Fri Jan 6 17:36:22 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Fri, 6 Jan 2012 18:36:22 -0500
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <-4843177455144437189@unknownmsgid>

Sent from my mobile device, so please excuse any horrible misspellings.

On Jan 6, 2012, at 15:32, Bonald wrote:

> Hi,
> We need to purchase some switch that supports 1gbit QinQ.
> Any suggestions ? We need to connect 9 schools together in layer2.
> All 9 schools have 1gb link from our provider, provider gave us 5 vlan to
> work with.
> We have around 35 vlan in-house.
>
> We are low budget. Any recommendation besides QinQ ?

Your provider won't do QinQ for you? Have you verified they support the appropriate MTU for you to do your own QinQ under their tag (at least 1502)?

As far as equipment, most Cisco kit from 3550 on up will do QinQ.

Other alternatives would be to light it with routers and do EoMPLS or VPLS, but it'll be more expensive than just doing QinQ but potentially more scalable/stable.
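Matt Addison's MTU question above comes down to what a stacked 802.1Q header actually occupies on the wire. The following is an added example, not code from anyone in the thread: it builds a double-tagged (QinQ) frame, walks the tag stack back out of it, and does the byte arithmetic that decides whether the provider's path can carry the customer's tags. The MAC addresses, VLAN IDs and payload are constructed; the 0x88a8/0x8100 TPID values and the 4-byte tag size are the 802.1ad/802.1Q ones.

```python
"""Build and parse QinQ (802.1ad over 802.1Q) frames; added example."""
import struct

ETH_P_8021Q = 0x8100    # C-tag TPID (customer VLAN)
ETH_P_8021AD = 0x88A8   # S-tag TPID (service-provider VLAN)
ETH_P_QINQ_LEGACY = 0x9100  # pre-802.1ad outer tag some gear still emits
ETH_P_IPV4 = 0x0800
TAG_LEN = 4             # TPID (2 bytes) + TCI (2 bytes)
MAC_HDR_LEN = 14        # dst + src + ethertype, no tags
FCS_LEN = 4
BASE_MTU = 1500         # untagged Ethernet payload


def build_qinq_frame(dst, src, s_vid, c_vid, payload, s_tpid=ETH_P_8021AD):
    """Return a double-tagged frame (no FCS) carrying an IPv4 payload."""
    if not (1 <= s_vid <= 4094 and 1 <= c_vid <= 4094):
        raise ValueError("VLAN IDs 0 and 4095 are reserved")
    s_tci = s_vid & 0x0FFF   # PCP=0, DEI=0
    c_tci = c_vid & 0x0FFF
    return (dst + src
            + struct.pack("!HH", s_tpid, s_tci)
            + struct.pack("!HH", ETH_P_8021Q, c_tci)
            + struct.pack("!H", ETH_P_IPV4)
            + payload)


def parse_vlan_tags(frame):
    """Return (vids outer-to-inner, final ethertype, payload offset).

    Walks any depth of tag stack, so a single-tagged or untagged frame is
    handled by the same code path.
    """
    vids = []
    off = 12  # skip dst + src
    while True:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid in (ETH_P_8021Q, ETH_P_8021AD, ETH_P_QINQ_LEGACY):
            tci = struct.unpack_from("!H", frame, off + 2)[0]
            vids.append(tci & 0x0FFF)
            off += TAG_LEN
        else:
            return vids, tpid, off + 2


def required_l2_payload(ip_mtu, tag_count):
    """Bytes between the MAC header and the FCS that the path must carry."""
    return ip_mtu + TAG_LEN * tag_count


def max_wire_frame(ip_mtu, tag_count):
    """Total frame size including MAC header, all tags and the FCS."""
    return MAC_HDR_LEN + TAG_LEN * tag_count + ip_mtu + FCS_LEN


if __name__ == "__main__":
    # Constructed sample: provider S-VLAN 100, customer C-VLAN 35, full-size packet.
    f = build_qinq_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 100, 35,
                         b"\x45" + b"\x00" * (BASE_MTU - 1))
    print(parse_vlan_tags(f), len(f) + FCS_LEN, max_wire_frame(BASE_MTU, 2))
```

For a customer frame that already carries one tag, the provider has to accept a 1504-byte L2 payload under its own S-tag (1500 + 4), and a switch in the path that enforces a strict 1500-byte MTU will drop full-size packets while letting small test pings through; checking with maximum-size frames, as Matt suggests, is what catches that.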
From christopher.morrow at gmail.com Fri Jan 6 19:47:49 2012
From: christopher.morrow at gmail.com (Christopher Morrow)
Date: Fri, 6 Jan 2012 20:47:49 -0500
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
Message-ID:

[ABUSE] Attack coming from IP 90.185.110.92 to 189.1.164.138

So... FireSlayer, did you get a cold? or perhaps have too much to drink?

sending reports of what looks like CoD4:

16:36:58.728250 IP 90.185.110.92.27005 > 189.1.172.238.28960: UDP, length 14
16:36:58.741473 IP 90.185.110.92.27005 > 189.1.169.243.28922: UDP, length 14
16:36:58.754083 IP 90.185.110.92.27005 > 189.1.164.56.28947: UDP, length 14

server traffic to your customers is cool, it's not so cool if you send the reports to the wrong origin asn... AS15169 doesn't actually originate 90.185.110.0/24, it looks to me like:

AS39554 | 90.185.110.0 | FULLRATE Fullrate A/S

probably does though... I'm not sure what math tricks you may have tried, but 39554 is in no way like 15169. Could you take some time to disable your report generation cannon and fix it before re-enabling it? I'm not the only person getting mis-fired reports, if you want to help everyone please turn off the cannon.

thnx!
-chris

(note, we've asked privately, you don't seem to respond/listen, perhaps publicly noting this will get: 1) your attention 2) you to stop the insanity)

From paul at neoverve.com Fri Jan 6 19:50:32 2012
From: paul at neoverve.com (Paul Norton)
Date: Fri, 06 Jan 2012 17:50:32 -0800
Subject: SSL Certificates
In-Reply-To: <4F0713E2.4060004@pacific.net>
References: <4F0713E2.4060004@pacific.net>
Message-ID: <4F07A4E8.6060308@neoverve.com>

I second The SSL Store (http://www.thesslstore.com/)

--
Paul Norton
Systems Administrator
Neoverve - www.neoverve.com
Neoverve Blog - http://blog.neoverve.com/

On 1/6/2012 7:31 AM, Ken A wrote:
> theSSLstore has good reseller pricing on a variety of certs.
> ~ $10 domain validated rapidssl certs in about 5 minutes.
> More expensive and time consuming certs are available, Verisign,
> Geotrust, Thawte, greenbars, wildcards, etc..
> Ken
>
> On 1/6/2012 8:15 AM, Michael Carey wrote:
>> Looking for a recommendation on who to buy affordable and reputable SSL
>> certificates from? Symantec, Thawte, and Comodo are the names that
>> come to
>> mind, just wondering if there are others folks use.
>>
>> Thanks,
>>
>

From randy at psg.com Fri Jan 6 21:46:42 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 07 Jan 2012 12:46:42 +0900
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID:

> probably does though... I'm not sure what math tricks you may have
> tried, but 39554 is in no way like 15169. Could you take some time to
> disable your report generation cannon and fix it before re-enabling it?
> I'm not the only person getting mis-fired reports, if you want to help
> everyone please turn off the cannon.

procmail them back to the ceo or c.o of the idiots.

randy

From bjorn at mork.no Sat Jan 7 06:00:43 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Sat, 07 Jan 2012 13:00:43 +0100
Subject: subnet prefix length > 64 breaks IPv6?
In-Reply-To: <20111228.164544.39172608.sthaug@nethelp.no> (sthaug@nethelp.no's message of "Wed, 28 Dec 2011 16:45:44 +0100 (CET)")
References: <37f38f1f-369f-4056-8593-32b54e7fbc88@d8g2000yqk.googlegroups.com> <20111228.155045.85391394.sthaug@nethelp.no> <20111228.164544.39172608.sthaug@nethelp.no>
Message-ID: <87lipjg1sk.fsf@nemi.mork.no>

sthaug at nethelp.no writes:

> And yes, we know equipment that cannot *filter* on full IPv6 + port
> number headers exists (e.g. Cisco 6500/7600 with 144 bit TCAMs) - my
> original point was that I still haven't seen equipment with forwarding
> problems for prefixes > 64 bits.
Depends on what you consider a problem and whether you consider a layer 3 switch a "router" at all, but there are certainly some switches which will be more or less effective depending on prefix length.

Ref e.g. http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swsdm.html#wp1257279 where you'll find this carefully worded hint:

  "Note: An IPv4 route requires only one TCAM entry. Because of the
  hardware compression scheme used for IPv6, an IPv6 route can take
  more than one TCAM entry, reducing the number of entries forwarded
  in hardware. For example, for IPv6 directly connected IP addresses,
  the desktop template might allow less than two thousand entries."

Translated: "The stated numbers for IPv6 routes are twice the real max. However, prefix compression may give better utilisation under certain conditions".

Bjørn

From sthaug at nethelp.no Sat Jan 7 07:24:28 2012
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 07 Jan 2012 14:24:28 +0100 (CET)
Subject: subnet prefix length > 64 breaks IPv6?
In-Reply-To: <87lipjg1sk.fsf@nemi.mork.no>
References: <20111228.164544.39172608.sthaug@nethelp.no> <87lipjg1sk.fsf@nemi.mork.no>
Message-ID: <20120107.142428.74717744.sthaug@nethelp.no>

> "Note: An IPv4 route requires only one TCAM entry. Because of the
> hardware compression scheme used for IPv6, an IPv6 route can take
> more than one TCAM entry, reducing the number of entries forwarded
> in hardware. For example, for IPv6 directly connected IP addresses,
> the desktop template might allow less than two thousand entries."
>
> Translated: "The stated numbers for IPv6 routes are twice the real max.
> However, prefix compression may give better utilisation under certain
> conditions".

Thanks, that's the first *specific* information I've seen of equipment that might have problems (reduced number of entries) with longer than 64 bit prefixes. Fortunately we're not using 3560/3750 for IPv6 routing at the moment.

Any other takers?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From lists at mtin.net Sat Jan 7 14:17:56 2012
From: lists at mtin.net (Justin Wilson)
Date: Sat, 07 Jan 2012 15:17:56 -0500
Subject: OT: Consultant for Dial-up needed
Message-ID:

Sorry for the post but I haven't made much headway on finding some help. I know several of you still run dialup modem pools. I need some help. I have a single USR total control chassis talking to cistron radius. The cistron box died today. I was able to get the files from the server, but am missing something. Looking for a consultant ASAP to help with this.

Thanks,
Justin

--
Justin Wilson
Aol & Yahoo IM: j2sw
http://www.mtin.net/blog - xISP News
http://www.twitter.com/j2sw - Follow me on Twitter

From frnkblk at iname.com Sat Jan 7 15:30:05 2012
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 7 Jan 2012 15:30:05 -0600
Subject: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days
In-Reply-To: <000a01ccb061$5d60c100$18224300$@iname.com>
References: <000001cc5d68$93fc01d0$bbf40570$@iname.com> <0C6A4A8DD60DBF4A99C300DDA771BFAB01E8192746C7@server3.MUTUALTEL.MTCNET.NET> <000a01ccb061$5d60c100$18224300$@iname.com>
Message-ID: <009401cccd83$85a625d0$90f27170$@iname.com>

HTTP to both www.qwest.com and www.centurylink.com has been in and out since December 27. Sometimes it responds in less than 10 seconds, other times it connects and there's no TCP response for minutes. This was tested from two different networks.

If anyone from CenturyLink is lurking, could you please notify your NOC or IT department?

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Thursday, December 01, 2011 1:43 PM
To: nanog at nanog.org
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

AAAA and IPv6 access to www.centurylink.com were restored around 11:30 am U.S. Central.
Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Wednesday, November 30, 2011 6:59 AM
To: 'nanog at nanog.org'
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

Well, sometime yesterday www.centurylink.com removed its AAAA record(s). www.qwest.com still has them.

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Monday, October 24, 2011 1:47 PM
To: 'nanog at nanog.org'
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

Good news: access to the v6 version of www.qwest.com came up at 12:30 pm today -- it redirects to www.centurylink.com, but at least it's working.

Only www.savvis.com remains in my list of service provider websites that have non-working IPv6.

Frank

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Thursday, August 18, 2011 12:35 AM
To: nanog at nanog.org
Subject: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

The IPv6 version of www.qwest.com has been down for 10 days. Wget shows a 301 to www.centurylink.com, but that also fails. Emails to the NOCs at both companies have gone unanswered. Unless HE is deployed in a web browser, this behavior leads to a bad end-user experience.

If anyone can prod either of these two companies that would be much appreciated.

Frank

nagios:/home/fbulk# wget -6 www.qwest.com
--2011-08-18 00:32:40--  http://www.qwest.com/
Resolving www.qwest.com... 2001:428:b21:1::20
Connecting to www.qwest.com|2001:428:b21:1::20|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.centurylink.com/ [following]
--2011-08-18 00:32:40--  http://www.centurylink.com/
Resolving www.centurylink.com... 2001:428:b21:1::22
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.
--2011-08-18 00:33:02--  (try: 2)  http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.

--2011-08-18 00:33:25--  (try: 3)  http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.

--2011-08-18 00:33:49--  (try: 4)  http://www.centurylink.com/
Connecting to www.centurylink.com|2001:428:b21:1::22|:80... failed: Connection timed out.
Retrying.

Etc...

From david at davidswafford.com Sun Jan 8 06:05:50 2012
From: david at davidswafford.com (David Swafford)
Date: Sun, 8 Jan 2012 07:05:50 -0500
Subject: QinQ switch or similar
In-Reply-To: <-4843177455144437189@unknownmsgid>
References: <-4843177455144437189@unknownmsgid>
Message-ID:

I'd check w/ the provider. They may be giving you only 5 VLANs to avoid explaining/configuring QinQ -- remember, most small school environments are limited on their IT knowledge. I bet if you ask, they already support it, or have the gear/people to help with your need.

David.

On Fri, Jan 6, 2012 at 6:36 PM, Matt Addison wrote:
> Sent from my mobile device, so please excuse any horrible misspellings.
>
> On Jan 6, 2012, at 15:32, Bonald wrote:
>
>> Hi,
>> We need to purchase some switch that supports 1gbit QinQ.
>> Any suggestions? We need to connect 9 schools together in layer 2.
>> All 9 schools have a 1gb link from our provider, provider gave us 5 VLANs to
>> work with.
>> We have around 35 VLANs in-house.
>>
>> We are low budget. Any recommendation beside QinQ?
>
> Your provider won't do QinQ for you? Have you verified they support
> the appropriate MTU for you to do your own QinQ under their tag (at
> least 1502)?
>
> As far as equipment, most Cisco kit from 3550 on up will do QinQ.
>
> Other alternatives would be to light it with routers and do EoMPLS or
> VPLS, but it'll be more expensive than just doing QinQ but potentially
> more scalable/stable.
>

From neal.rauhauser at gmail.com Sun Jan 8 11:13:03 2012
From: neal.rauhauser at gmail.com (N Rauhauser)
Date: Sun, 8 Jan 2012 12:13:03 -0500
Subject: shell access to BGP router, CALEA tips??
Message-ID:

Ladies & Gentlemen,

I wanted to check something on an IP address block this morning and, much to my surprise, I don't have access to a single router that has a full table in it - first time since 1999 this is the case. I see route views is still happily serving up shells, but I'm curious to know if there are any other viewpoints available. I am probably going to script something for this particular problem, so I want boxes that have shell access, not graphical looking glass type stuff.

I am also plunged into the world of lawful intercept after a long absence. Other than providing muddled responses ten minutes before the deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena response since 2005 and I've not installed anything that needed to meet requirements since 2009. Is there a good write up somewhere on the current state of affairs?

Neal Rauhauser

From joelja at bogus.com Sun Jan 8 12:45:13 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Sun, 08 Jan 2012 10:45:13 -0800
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <4F09E439.7000407@bogus.com>

On 1/6/12 12:31 , Bonald wrote:
> Hi,
> We need to purchase some switch that supports 1gbit QinQ.
> Any suggestions? We need to connect 9 schools together in layer 2.
> All 9 schools have a 1gb link from our provider, provider gave us 5 VLANs to
> work with.
> We have around 35 VLANs in-house.
>
> We are low budget. Any recommendation beside QinQ?

The alternative to QinQ: the exercise would probably be more scalable if the broadcast domains (VLANs) of each site were constrained to their respective sites. Something like a Force10 S25N would be all the L3 switch you'd need to make this routed.
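The wget session Frank Bulk posted earlier in this digest (AAAA record present, IPv6 TCP connects that time out for minutes) is exactly the failure that Happy Eyeballs (RFC 6555) hides from users: attempts are staggered rather than serialised, so a black-holed IPv6 address costs a fraction of a second instead of a SYN timeout. The block below is an added example, not code from the thread or from any vendor; it runs the race against a simulated network (constructed timings), the IPv6 literal is the one from the wget output, and the IPv4 address is a constructed documentation-range value.

```python
"""Happy Eyeballs style connect: staggered IPv6/IPv4 attempts, first success wins."""
import asyncio
import socket
from typing import Awaitable, Callable, Dict, List, Optional, Sequence, Tuple

# (address family, literal); list order is the preference order (IPv6 first).
Address = Tuple[int, str]
Connector = Callable[[Address], Awaitable[object]]


async def connect_with_fallback(addresses: Sequence[Address], connector: Connector,
                                stagger: float = 0.25, overall_timeout: float = 5.0):
    """Return (address, connection) for the first attempt that succeeds.

    Attempts start in list order.  The next attempt is launched as soon as the
    previous one fails, or after `stagger` seconds if it has not finished yet,
    so a dead AAAA target delays the user by a quarter second, not a TCP timeout.
    Raises OSError when every attempt failed or the overall deadline passed.
    """
    loop = asyncio.get_running_loop()
    deadline = loop.time() + overall_timeout
    queue: List[Address] = list(addresses)
    owner: Dict[asyncio.Task, Address] = {}
    pending: set = set()
    failures: List[Tuple[Address, BaseException]] = []
    while queue or pending:
        if queue:
            addr = queue.pop(0)
            task = asyncio.create_task(connector(addr))
            owner[task] = addr
            pending.add(task)
        remaining = deadline - loop.time()
        if remaining <= 0:
            break
        # While more candidates wait, only pause `stagger` before starting the next one.
        wait_for = min(stagger, remaining) if queue else remaining
        done, pending = await asyncio.wait(pending, timeout=wait_for,
                                           return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:      # winner found: abandon the slower attempts
                    other.cancel()
                return owner[task], task.result()
            failures.append((owner[task], task.exception()))
    for task in pending:
        task.cancel()
    raise OSError(f"no address reachable: {failures}")


async def tcp_connector(addr: Address):
    """Real connector for live use: open TCP port 80 to the given literal."""
    _reader, writer = await asyncio.open_connection(addr[1], 80, family=addr[0])
    return writer


def simulated_connector(latency: Dict[str, Optional[float]]) -> Connector:
    """Constructed stand-in for the network.

    latency[literal] is seconds until the connect completes; None means the SYNs
    are silently dropped (the centurylink case); a negative value means an
    immediate RST (connection refused).
    """
    async def connect(addr: Address):
        delay = latency[addr[1]]
        if delay is None:
            await asyncio.sleep(3600)          # black hole; only ends when cancelled
        elif delay < 0:
            raise ConnectionRefusedError(addr[1])
        else:
            await asyncio.sleep(delay)
        return f"connected to {addr[1]}"
    return connect


V6 = (socket.AF_INET6, "2001:428:b21:1::22")   # AAAA target from the wget session
V4 = (socket.AF_INET, "203.0.113.22")          # constructed IPv4 fallback (assumption)


def first_working(addresses, latency, stagger=0.25, overall_timeout=5.0) -> Optional[str]:
    """Race the addresses against the simulated network; return the winning literal or None."""
    async def run():
        addr, _conn = await connect_with_fallback(addresses, simulated_connector(latency),
                                                  stagger, overall_timeout)
        return addr[1]
    try:
        return asyncio.run(run())
    except OSError:
        return None


if __name__ == "__main__":
    # The thread's case: AAAA answers, IPv6 TCP never completes, IPv4 works.
    print(first_working([V6, V4], {V6[1]: None, V4[1]: 0.05}))          # 203.0.113.22
    # Healthy IPv6 keeps its preference even though IPv4 would have been quicker.
    print(first_working([V6, V4], {V6[1]: 0.10, V4[1]: 0.01}))          # 2001:428:b21:1::22
    # Immediate RST on IPv6 moves on without waiting out the stagger.
    print(first_working([V6, V4], {V6[1]: -1, V4[1]: 0.05}))            # 203.0.113.22
    # Both black-holed: give up at the deadline instead of hanging for minutes.
    print(first_working([V6, V4], {V6[1]: None, V4[1]: None}, overall_timeout=0.5))  # None
```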
From JTyler at fiberutilities.com Sun Jan 8 14:06:36 2012
From: JTyler at fiberutilities.com (Jensen Tyler)
Date: Sun, 8 Jan 2012 14:06:36 -0600
Subject: QinQ switch or similar
In-Reply-To:
References:
Message-ID: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local>

We have been using Ciena switches for QinQ. CN3920 would fit best for low cost. Pretty easy to use.

-----Original Message-----
From: Bonald [mailto:bonald at gmail.com]
Sent: Friday, January 06, 2012 2:31 PM
To: nanog at nanog.org
Subject: QinQ switch or similar

Hi,
We need to purchase some switch that supports 1gbit QinQ.
Any suggestions? We need to connect 9 schools together in layer 2.
All 9 schools have a 1gb link from our provider, provider gave us 5 VLANs to work with.
We have around 35 VLANs in-house.

We are low budget. Any recommendation beside QinQ?

From dcp at dcptech.com Sun Jan 8 18:31:08 2012
From: dcp at dcptech.com (David Prall)
Date: Sun, 8 Jan 2012 19:31:08 -0500
Subject: shell access to BGP router, CALEA tips??
In-Reply-To:
References:
Message-ID: <019501ccce65$fca9d8b0$f5fd8a10$@com>

Both AT&T and Hurricane Electric have access for this.

A quick list of them.
http://www.netdigix.com/servers.html

Majority of these are telnet:// links.

David

--
http://dcp.dcptech.com

-----Original Message-----
From: N Rauhauser [mailto:neal.rauhauser at gmail.com]
Sent: Sunday, January 08, 2012 12:13 PM
To: nanog at nanog.org
Subject: shell access to BGP router, CALEA tips??

Ladies & Gentlemen,

I wanted to check something on an IP address block this morning and, much to my surprise, I don't have access to a single router that has a full table in it - first time since 1999 this is the case. I see route views is still happily serving up shells, but I'm curious to know if there are any other viewpoints available. I am probably going to script something for this particular problem, so I want boxes that have shell access, not graphical looking glass type stuff.
I am also plunged into the world of lawful intercept after a long absence. Other than providing muddled responses ten minutes before the deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena response since 2005 and I've not installed anything that needed to meet requirements since 2009. Is there a good write up somewhere on the current state of affairs?

Neal Rauhauser

From ops.lists at gmail.com Sun Jan 8 19:48:01 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 9 Jan 2012 07:18:01 +0530
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID:

And maybe ask the author of whatever "goober with firewall" script that is to rm -rf and securely delete his code?

[old term from the nanae days, abbreviated to GWF]

On Sat, Jan 7, 2012 at 9:16 AM, Randy Bush wrote:
>> probably does though... I'm not sure what math tricks you may have
>> tried, but 39554 is in no way like 15169. Could you take some time to
>> disable your report generation cannon and fix it before re-enabling it?
>> I'm not the only person getting mis-fired reports, if you want to help
>> everyone please turn off the cannon.
>
> procmail them back to the ceo or c.o of the idiots.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From trelane at trelane.net Mon Jan 9 00:34:47 2012
From: trelane at trelane.net (Andrew D Kirch)
Date: Mon, 09 Jan 2012 01:34:47 -0500
Subject: Misreporting abuse, it's not actually helpful: root@fireslayer.maxihost.com.br
In-Reply-To:
References:
Message-ID: <4F0A8A87.1090500@trelane.net>

On 1/8/2012 8:48 PM, Suresh Ramasubramanian wrote:
> And maybe ask the author of whatever "goober with firewall" script
> that is to rm -rf and securely delete his code?
>
> [old term from the nanae days, abbreviated to GWF]
>
> On Sat, Jan 7, 2012 at 9:16 AM, Randy Bush wrote:
>>> probably does though... I'm not sure what math tricks you may have
>>> tried, but 39554 is in no way like 15169.
>>> Could you take some time to
>>> disable your report generation cannon and fix it before re-enabling it?
>>> I'm not the only person getting mis-fired reports, if you want to help
>>> everyone please turn off the cannon.
>> procmail them back to the ceo or c.o of the idiots.
>

I find that contacting the upstream of errant bulk abuse reports about the UBE problem tends to get things solved quickly. Abuse desk droids that have to sift through 8 gallons of crap every day tend to frown on their own users' contributions to the smelly pile on someone else's abuse desk.

Andrew

From sh.vahabzadeh at gmail.com Mon Jan 9 14:40:37 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Tue, 10 Jan 2012 00:10:37 +0330
Subject: "PPPoE Intermediate Agent or TR101" in Huawei MA5600
Message-ID:

Hi Everybody,
I have lots of Huawei MA5600 in my pop sites and my "display version" output is "VERSION: MA5600V300R003C05".
Can anybody help me to know how I can enable "PPPoE Intermediate Agent or TR101" in these DSLAMs?
Or let me know if this version of DSLAM supports this feature or not?
I want to have port attributes too when users send to NAS and from that to Radius.
Thanks

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From arturo.servin at gmail.com Mon Jan 9 14:59:47 2012
From: arturo.servin at gmail.com (Arturo Servin)
Date: Mon, 9 Jan 2012 18:59:47 -0200
Subject: shell access to BGP router, CALEA tips??
In-Reply-To: <019501ccce65$fca9d8b0$f5fd8a10$@com>
References: <019501ccce65$fca9d8b0$f5fd8a10$@com>
Message-ID: <34BCE5B6-2465-4CB9-98BE-F0DB3B6D17EF@gmail.com>

Not sure if this is what you are looking for:

http://www.traceroute.org/#Route%20Servers

/as

On 8 Jan 2012, at 22:31, David Prall wrote:
> Both AT&T and Hurricane Electric have access for this.
>
> A quick list of them.
> http://www.netdigix.com/servers.html
>
> Majority of these are telnet:// links.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
>
> -----Original Message-----
> From: N Rauhauser [mailto:neal.rauhauser at gmail.com]
> Sent: Sunday, January 08, 2012 12:13 PM
> To: nanog at nanog.org
> Subject: shell access to BGP router, CALEA tips??
>
> Ladies & Gentlemen,
>
> I wanted to check something on an IP address block this morning and,
> much to my surprise, I don't have access to a single router that has a full
> table in it - first time since 1999 this is the case. I see route views is
> still happily serving up shells, but I'm curious to know if there are any
> other viewpoints available. I am probably going to script something for
> this particular problem, so I want boxes that have shell access, not
> graphical looking glass type stuff.
>
>
> I am also plunged into the world of lawful intercept after a long
> absence. Other than providing muddled responses ten minutes before the
> deadline on obvious MPAA/RIAA trolls I haven't had to do a subpoena
> response since 2005 and I've not installed anything that needed to meet
> requirements since 2009. Is there a good write up somewhere on the current
> state of affairs?
>
>
>
>
>
> Neal Rauhauser
>

From vanwolfe at gmail.com Mon Jan 9 17:41:07 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 16:41:07 -0700
Subject: AWS VPC Network Outage (US East)
Message-ID:

Is anyone else having issues with VPN access into a dedicated VPC (AWS US East)? We are unable to access our VMs across our tunnel. AWS alluded to a service wide network outage.

Thank you,
/Van

From kelly at hawknetworks.com Mon Jan 9 17:52:14 2012
From: kelly at hawknetworks.com (Kelly Kane)
Date: Mon, 9 Jan 2012 15:52:14 -0800
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References:
Message-ID:

On Mon, Jan 9, 2012 at 15:41, Van Wolfe wrote:
> Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> East)? We are unable to access our VMs across our tunnel.
> AWS alluded to
> a service wide network outage.

We are seeing this as well.

Kelly

From snow at teardrop.org Mon Jan 9 17:55:05 2012
From: snow at teardrop.org (James Snow)
Date: Mon, 9 Jan 2012 15:55:05 -0800
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References:
Message-ID: <20120109235505.GE14990@teardrop.org>

On Mon, Jan 09, 2012 at 04:41:07PM -0700, Van Wolfe wrote:
> Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> East)? We are unable to access our VMs across our tunnel. AWS alluded to
> a service wide network outage.

Yes. Our tunnels and peering stayed up, but we lost all traffic.

Silly as it may seem, forcefully bouncing our end seems to have resurrected it.

-Snow

From vanwolfe at gmail.com Mon Jan 9 18:12:56 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 17:12:56 -0700
Subject: AWS VPC Network Outage (US East)
In-Reply-To: <20120109235505.GE14990@teardrop.org>
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

We tried bouncing our tunnels without success. Amazon has updated their service dashboard:

3:56 PM PST We are investigating increased packet loss impacting VPN connections in the US-EAST-1 region.

Thank you for your responses.

/Van

On Mon, Jan 9, 2012 at 4:55 PM, James Snow wrote:
> On Mon, Jan 09, 2012 at 04:41:07PM -0700, Van Wolfe wrote:
> > Is anyone else having issues with VPN access into a dedicated VPC (AWS US
> > East)? We are unable to access our VMs across our tunnel. AWS alluded
> to
> > a service wide network outage.
>
> Yes. Our tunnels and peering stayed up, but we lost all traffic.
>
> Silly as it may seem, forcefully bouncing our end seems to have
> resurrected it.
>
>
> -Snow
>
>

From djahandarie at gmail.com Mon Jan 9 18:49:51 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Mon, 9 Jan 2012 19:49:51 -0500
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

On Mon, Jan 9, 2012 at 19:12, Van Wolfe wrote:
> 3:56 PM PST We are investigating increased packet loss impacting VPN
> connections in the US-EAST-1 region.

I didn't know a cloud could be heavy enough to crash.

--
Darius Jahandarie

From vanwolfe at gmail.com Mon Jan 9 19:40:44 2012
From: vanwolfe at gmail.com (Van Wolfe)
Date: Mon, 9 Jan 2012 18:40:44 -0700
Subject: AWS VPC Network Outage (US East)
In-Reply-To:
References: <20120109235505.GE14990@teardrop.org>
Message-ID:

Your network just evaporates.

On Mon, Jan 9, 2012 at 5:49 PM, Darius Jahandarie wrote:
> On Mon, Jan 9, 2012 at 19:12, Van Wolfe wrote:
>> 3:56 PM PST We are investigating increased packet loss impacting VPN
>> connections in the US-EAST-1 region.
> I didn't know a cloud could be heavy enough to crash.
>
> --
> Darius Jahandarie
>

From henry at AegisInfoSys.com Mon Jan 9 20:50:00 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 21:50:00 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <20120110025000.GF27517@nntp.AegisInfoSys.com>

verisign, who used to own geotrust (who owns rapidssl) was sold to symantec last year. or some similar swapping of chain links. anyway, for some, the symantec umbrella might be a polarizing factor.

On Fri, Jan 06, 2012 at 09:08:28AM -0600, graham at g-rock.net wrote:
> We use rapidssl. Seems to be ok across the board. No reports otherwise.
>
> ----- Reply message -----
> From: "Michael Carey"
> Date: Fri, Jan 6, 2012 8:15 am
> Subject: SSL Certificates
> To:
>
> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from? Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.
--
Henry Yen                    Aegis Information Systems, Inc.
Senior Systems Programmer    Hicksville, New York

From henry at AegisInfoSys.com Mon Jan 9 21:00:01 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 22:00:01 -0500
Subject: SSL Certificates
In-Reply-To:
References: <483E6B0272B0284BA86D7596C40D29F901212BB19CAD@PUR-EXCH07.ox.com>
Message-ID: <20120110030001.GG27517@nntp.AegisInfoSys.com>

On Fri, Jan 06, 2012 at 10:08:55AM -0500, Christopher Morrow wrote:
> >> From: Michael Carey [mailto:mcarey at kinber.org]
> >> Sent: Friday, January 06, 2012 9:15 AM
> >> To: nanog at nanog.org
> >> Subject: SSL Certificates
> >>
> >> Looking for a recommendation on who to buy affordable and reputable
> >> SSL certificates from? Symantec, Thawte, and Comodo are the names
> >> that come to mind, just wondering if there are others folks use.
>
> startssl.com - free certs that work in apple-mail, chrome, ff, ie,
> tbird, across mac/linux/windows... you can't beat free.
>
> (you do have to update yearly, but it's not painful, and is probably
> worth doing as practice anyway)

i think their "free" certificates are for personal/individual use only, and may not be as useful for company/business usage.

--
Henry Yen                    Aegis Information Systems, Inc.
Senior Systems Programmer    Hicksville, New York

From henry at AegisInfoSys.com Mon Jan 9 21:11:56 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Mon, 9 Jan 2012 22:11:56 -0500
Subject: SSL Certificates
In-Reply-To:
References:
Message-ID: <20120110031156.GH27517@nntp.AegisInfoSys.com>

netsol was bought by web.com. "out of the frying pan ... "?

On Fri, Jan 06, 2012 at 09:27:27AM -0500, Josh Baird wrote:
> We typically stick with Network Solutions, and DigiCert for
> SAN certificates. VeriSign's prices are just insane.
>
> On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey wrote:
> > Looking for a recommendation on who to buy affordable and reputable SSL
> > certificates from?
> > Symantec, Thawte, and Comodo are the names that come to
> > mind, just wondering if there are others folks use.

--
Henry Yen                    Aegis Information Systems, Inc.
Senior Systems Programmer    Hicksville, New York

From sergey at lobanov.in Mon Jan 9 22:55:24 2012
From: sergey at lobanov.in (Sergey V. Lobanov)
Date: Tue, 10 Jan 2012 08:55:24 +0400
Subject: "PPPoE Intermediate Agent or TR101" in Huawei MA5600
In-Reply-To:
References:
Message-ID: <4F0BC4BC.4020600@lobanov.in>

(config)#pitp enable

On 01/10/2012 12:40 AM, Shahab Vahabzadeh wrote:
> Hi Everybody,
> I have lots of Huawei MA5600 in my pop sites and my "display version"
> output is "VERSION: MA5600V300R003C05".
> Can anybody help me to know how I can enable "PPPoE Intermediate Agent or
> TR101" in these DSLAMs?
> Or let me know if this version of DSLAM supports this feature or not?
> I want to have port attributes too when users send to NAS and from that to
> Radius.
> Thanks
>

--
wbr, Sergey V. Lobanov
E-mail: sergey at lobanov.in

From jra at baylink.com Tue Jan 10 09:58:04 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 10 Jan 2012 10:58:04 -0500 (EST)
Subject: So... my colo was just bought.
Message-ID: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>

By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From bhmccie at gmail.com Tue Jan 10 10:05:27 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Tue, 10 Jan 2012 10:05:27 -0600
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0C61C7.7070401@gmail.com>

Jay,
Do you know if they'll be keeping/maintaining your colo? Or is it too early for that kind of information?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/10/2012 9:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly negative,
> for at least the last 5 years. But I know that the plural of 'anecdote' is
> not 'data'. That said, I'm accepting all anecdotes. :-)
>
> Cheers,
> -- jra

From dylan.ebner at crlmed.com Tue Jan 10 10:28:51 2012
From: dylan.ebner at crlmed.com (Dylan Ebner)
Date: Tue, 10 Jan 2012 16:28:51 +0000
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <017265BF3B9640499754DD48777C3D207206E5B110@MBX9.EXCHPROD.USA.NET>

Jay-

We experienced a similar situation 5 or 6 years ago. We were in a SAS70-II colo that had great staff and an impressive track record. They were national, but not huge. When we picked them, we had two colo providers that were competing for our business. The other was the company that bought our colo. In the end, we made our decision not on price/options, but we felt the smaller company would give us better service. We were right. The new owners are enormous and corporate thinks they are the best thing since sliced bread. I can tell you they are not. Since the buyout, we have had too many account reps to count on one hand, they are never local and they never seem to care. Getting anything done inside the DC is so complicated we almost never use our remote hands. Even getting into the DC now takes 15 minutes because of all the checks we have to go through.
Unfortunately where I am located there are only 2 colos that can provide 15kw/rack reliably, and one company owns both of them.

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Tuesday, January 10, 2012 9:58 AM
To: NANOG
Subject: So... my colo was just bought.

By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From dholmes at mwdh2o.com Tue Jan 10 11:23:53 2012
From: dholmes at mwdh2o.com (Holmes,David A)
Date: Tue, 10 Jan 2012 09:23:53 -0800
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <922ACC42D498884AA02B3565688AF9953402FBA519@USEXMBS01.mwd.h2o>

In the 2002-2003 time frame I worked for a company that colo'd strategic business servers in various telco facilities (big names, some that are still in business today), but these telcos had no problem with closing down the colo and giving 6 months notice to all tenants, with very little advanced notice. So this created a situation where a replacement site had to be found, space leased, equipment purchased, network bandwidth negotiated and purchased, etc. within that 6 month timeframe, or face the consequences of being essentially out of business.

I can't speak for the company that is the subject of the email though, only of what has happened to me in the past.

-----Original Message-----
From: Jay Ashworth [mailto:jra at baylink.com]
Sent: Tuesday, January 10, 2012 7:58 AM
To: NANOG
Subject: So... my colo was just bought.
By Knology.

Should I be scared?

My experiences with Knology have been fairly thin, but uniformly negative, for at least the last 5 years. But I know that the plural of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. :-)

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From patrick at zill.net Tue Jan 10 11:31:28 2012
From: patrick at zill.net (Patrick Giagnocavo)
Date: Tue, 10 Jan 2012 12:31:28 -0500
Subject: So... my colo was just bought.
In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com>
Message-ID: <4F0C75F0.9000100@zill.net>

On 1/10/2012 10:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly negative,
> for at least the last 5 years. But I know that the plural of 'anecdote' is
> not 'data'. That said, I'm accepting all anecdotes. :-)
>
> Cheers,
> -- jra

You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about. If not, they can mess with you a lot.

Expect all the local guys you dealt with to be gone in 6 months.
--Patrick

From gfitzpatrick at telx.com Tue Jan 10 12:20:20 2012
From: gfitzpatrick at telx.com (George Fitzpatrick)
Date: Tue, 10 Jan 2012 12:20:20 -0600
Subject: So... my colo was just bought.
In-Reply-To: <4F0C75F0.9000100@zill.net>
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

If folks are having colo. issues please take a look at Telx.
We will be in San Diego as well.
In the meantime let's talk.

Thanks,
George
917.371.7257

-----Original Message-----
From: Patrick Giagnocavo [mailto:patrick at zill.net]
Sent: Tuesday, January 10, 2012 12:31 PM
To: nanog at nanog.org
Subject: Re: So... my colo was just bought.

On 1/10/2012 10:58 AM, Jay Ashworth wrote:
> By Knology.
>
> Should I be scared?
>
> My experiences with Knology have been fairly thin, but uniformly
> negative, for at least the last 5 years. But I know that the plural
> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
> :-)
>
> Cheers,
> -- jra

You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about. If not, they can mess with you a lot.

Expect all the local guys you dealt with to be gone in 6 months.

--Patrick

From pauldotwall at gmail.com Tue Jan 10 12:58:33 2012
From: pauldotwall at gmail.com (Paul WALL)
Date: Tue, 10 Jan 2012 18:58:33 +0000
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

George,

We appreciate your sponsorship but using the NANOG mailing list to sell your colo is inappropriate.

Best Regards,
Paul

On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick wrote:
> If folks are having colo.
> issues please take a look at Telx.
> We will be in San Diego as well.
> In the meantime let's talk.
>
> Thanks,
> George
> 917.371.7257
>
> -----Original Message-----
> From: Patrick Giagnocavo [mailto:patrick at zill.net]
> Sent: Tuesday, January 10, 2012 12:31 PM
> To: nanog at nanog.org
> Subject: Re: So... my colo was just bought.
>
> On 1/10/2012 10:58 AM, Jay Ashworth wrote:
>> By Knology.
>>
>> Should I be scared?
>>
>> My experiences with Knology have been fairly thin, but uniformly
>> negative, for at least the last 5 years. But I know that the plural
>> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
>> :-)
>>
>> Cheers,
>> -- jra
>
> You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
> If not, they can mess with you a lot.
>
> Expect all the local guys you dealt with to be gone in 6 months.
>
> --Patrick

From gfitzpatrick at telx.com Tue Jan 10 13:01:26 2012
From: gfitzpatrick at telx.com (George Fitzpatrick)
Date: Tue, 10 Jan 2012 13:01:26 -0600
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID:

Yes sorry for the post, Thanks.

-----Original Message-----
From: Paul WALL [mailto:pauldotwall at gmail.com]
Sent: Tuesday, January 10, 2012 1:59 PM
To: George Fitzpatrick
Cc: nanog at nanog.org
Subject: Re: So... my colo was just bought.

George,

We appreciate your sponsorship but using the NANOG mailing list to sell your colo is inappropriate.

Best Regards,
Paul

On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick wrote:
> If folks are having colo. issues please take a look at Telx.
> We will be in San Diego as well.
> In the meantime let's talk.
>
> Thanks,
> George
> 917.371.7257
>
> -----Original Message-----
> From: Patrick Giagnocavo [mailto:patrick at zill.net]
> Sent: Tuesday, January 10, 2012 12:31 PM
> To: nanog at nanog.org
> Subject: Re: So... my colo was just bought.
>
> On 1/10/2012 10:58 AM, Jay Ashworth wrote:
>> By Knology.
>>
>> Should I be scared?
>>
>> My experiences with Knology have been fairly thin, but uniformly
>> negative, for at least the last 5 years. But I know that the plural
>> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes.
>> :-)
>>
>> Cheers,
>> -- jra
>
> You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about.
> If not, they can mess with you a lot.
>
> Expect all the local guys you dealt with to be gone in 6 months.
>
> --Patrick

From bmanning at vacation.karoshi.com Tue Jan 10 13:07:28 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Tue, 10 Jan 2012 19:07:28 +0000
Subject: So... my colo was just bought.
In-Reply-To:
References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net>
Message-ID: <20120110190728.GB28224@vacation.karoshi.com.>

darn... and I was going to sublease some rack space in my sub-basement...

/bill

On Tue, Jan 10, 2012 at 06:58:33PM +0000, Paul WALL wrote:
> George,
>
> We appreciate your sponsorship but using the NANOG mailing list to
> sell your colo is inappropriate.
> > Best Regards, > Paul > > On Tue, Jan 10, 2012 at 6:20 PM, George Fitzpatrick > wrote: > > If folks are having colo. issues please take a look at Telx. > > We will be in San Diego as well. > > In the meantime let's talk. > > > > Thanks, > > George > > 917.371.7257 > > > > -----Original Message----- > > From: Patrick Giagnocavo [mailto:patrick at zill.net] > > Sent: Tuesday, January 10, 2012 12:31 PM > > To: nanog at nanog.org > > Subject: Re: So... my colo was just bought. > > > > On 1/10/2012 10:58 AM, Jay Ashworth wrote: > >> By Knology. > >> > >> Should I be scared? > >> > >> My experiences with Knology have been fairly thin, but uniformly > >> negative, for at least the last 5 years. But I know that the plural > >> of 'anecdote' is not 'data'. That said, I'm accepting all anecdotes. > >> :-) > >> > >> Cheers, > >> -- jra > > > > You have to read the contract you signed. If it is still valid ("survivable" I think is the phrase?) then you have less to worry about. > > If not, they can mess with you a lot. > > > > Expect all the local guys you dealt with to be gone in 6 months. > > > > --Patrick From bclark at spectraaccess.com Tue Jan 10 13:56:53 2012 From: bclark at spectraaccess.com (Bret Clark) Date: Tue, 10 Jan 2012 14:56:53 -0500 Subject: So... my colo was just bought. In-Reply-To: <4F0C75F0.9000100@zill.net> References: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> <4F0C75F0.9000100@zill.net> Message-ID: <4F0C9805.7070409@spectraaccess.com> On 01/10/2012 12:31 PM, Patrick Giagnocavo wrote: > Expect all the local guys you dealt with to be gone in 6 months. > --Patrick It's unfortunate just how true this will be.
Bret From deric.kwok2000 at gmail.com Tue Jan 10 16:43:03 2012 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 10 Jan 2012 17:43:03 -0500 Subject: bgp question Message-ID: Hi all When we get new IP, we should let the upstream know to export it as there should be a rule on their side. how about upstream provider, do they need to let all their bgp interconnects know those our new IP? If no, Can I know how it works? If they don't have rules each other, are there any problems? Thank you so much From jof at thejof.com Tue Jan 10 16:48:30 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Tue, 10 Jan 2012 14:48:30 -0800 Subject: bgp question In-Reply-To: References: Message-ID: On Tue, Jan 10, 2012 at 2:43 PM, Deric Kwok wrote: > Hi all > > When we get new IP, we should let the upstream know to export it as > there should be a rule on their side. > > how about upstream provider, do they need to let all their bgp > interconnects know those our new IP? > > If no, Can I know how it works? > > If they don't have rules each other, are there any problems? > It depends on your upstream ISPs. Conventionally, some choose to place exact filters in place on BGP announcements that exactly match IP space that is registered with a RIR or LIR, some build those filters from IRR sources, and others just filter on the number of prefixes you're sending (to avoid sending a whole table out on accident). I'm sure there are some other filtering schemes in place around the world. In the case of exact filters, you'll need to contact your upstream ISPs and ask them to update their filters. In the case of IRR-sourced filtering information, update the prefixes that you originate with your IRR provider. And in the case of max-prefix filtering, ask your ISP what they have their equipment set to.
Cheers, jof From brez at brezworks.com Tue Jan 10 17:24:47 2012 From: brez at brezworks.com (Jeremy Bresley) Date: Tue, 10 Jan 2012 17:24:47 -0600 Subject: Comcast DNSSEC Message-ID: <4F0CC8BF.1080009@brezworks.com> Hadn't seen this mentioned yet. http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html Comcast has signed all their managed domains, as well as deployed DNSSEC resolvers for their customers. And they're encouraging others to make the jump to DNSSEC now as well, especially e-comm/banking sites. Nice work guys, any of the Comcast guys on the list want to give us an idea how much work is involved in this from a large-scale service provider perspective to do it? Any big caveats you encountered that people should watch out for? Jeremy "TheBrez" Bresley brez at brezworks.com From alter3d at alter3d.ca Tue Jan 10 19:10:56 2012 From: alter3d at alter3d.ca (Peter Kristolaitis) Date: Tue, 10 Jan 2012 20:10:56 -0500 Subject: Comcast DNSSEC In-Reply-To: <4F0CC8BF.1080009@brezworks.com> References: <4F0CC8BF.1080009@brezworks.com> Message-ID: <4F0CE1A0.6030603@alter3d.ca> Wow! Congrats to the Comcast crew, that's absolutely awesome! Definitely interested in hearing any "lessons learned" that you can share from the exercise. - Pete On 1/10/2012 6:24 PM, Jeremy Bresley wrote: > Hadn't seen this mentioned yet. > > http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html > > Comcast has signed all their managed domains, as well as deployed > DNSSEC resolvers for their customers. And they're encouraging others > to make the jump to DNSSEC now as well, especially e-comm/banking sites. > > Nice work guys, any of the Comcast guys on the list want to give us an > idea how much work is involved in this from a large-scale service > provider perspective to do it? Any big caveats you encountered that > people should watch out for? 
> > Jeremy "TheBrez" Bresley > brez at brezworks.com > From cb.list6 at gmail.com Tue Jan 10 19:43:28 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Tue, 10 Jan 2012 17:43:28 -0800 Subject: Comcast DNSSEC In-Reply-To: <4F0CE1A0.6030603@alter3d.ca> References: <4F0CC8BF.1080009@brezworks.com> <4F0CE1A0.6030603@alter3d.ca> Message-ID: On Jan 10, 2012 5:11 PM, "Peter Kristolaitis" wrote: > > Wow! Congrats to the Comcast crew, that's absolutely awesome! > +1 Between dnssec and ipv6 Comcast has shown true internet evolution leadership in their *actions*, which really stands out in an industry full of talk. Cb > Definitely interested in hearing any "lessons learned" that you can share from the exercise. > > - Pete > > > > > On 1/10/2012 6:24 PM, Jeremy Bresley wrote: >> >> Hadn't seen this mentioned yet. >> >> http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html >> >> Comcast has signed all their managed domains, as well as deployed DNSSEC resolvers for their customers. And they're encouraging others to make the jump to DNSSEC now as well, especially e-comm/banking sites. >> >> Nice work guys, any of the Comcast guys on the list want to give us an idea how much work is involved in this from a large-scale service provider perspective to do it? Any big caveats you encountered that people should watch out for? >> >> Jeremy "TheBrez" Bresley >> brez at brezworks.com >> > From streiner at cluebyfour.org Tue Jan 10 18:58:09 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 10 Jan 2012 19:58:09 -0500 (EST) Subject: bgp question In-Reply-To: References: Message-ID: On Tue, 10 Jan 2012, Deric Kwok wrote: > When we get newip, we should let the upstream know to expor it as > there should have rule in their side. Correct. Ideally, two things happen: 1.
You tell your upstreams and peers about the new space, and they update whatever prefix filters they have in place for your network. 2. You update your own outbound BGP filters wherever necessary so that you can announce the new prefix, aggregated to the extent possible, when you're ready. > how about upstream provider, does they need to let their all bgp > interconnect to know those our newip? They might. It depends on the relationship your upstreams have with their neighbors. Different providers have different criteria for what they'll accept and how they manage their filters. If your upstreams need to have their upstreams and/or peers update their BGP filters, it is their responsibility to notify them. Note that this can add to the amount of time it will take before your direct upstreams are ready to accept and propagate your new prefix. Some providers might require that your new prefix be registered in one of several routing registries, and they'll update their filters based on your new registry data. jms From i.grok at comcast.net Tue Jan 10 23:58:31 2012 From: i.grok at comcast.net (Scott Schmit) Date: Wed, 11 Jan 2012 00:58:31 -0500 Subject: Comcast DNSSEC In-Reply-To: <4F0CC8BF.1080009@brezworks.com> References: <4F0CC8BF.1080009@brezworks.com> Message-ID: <20120111055831.GA2427@odin.ulthar.us> On Tue, Jan 10, 2012 at 05:24:47PM -0600, Jeremy Bresley wrote: > Hadn't seen this mentioned yet. > > http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html > > Comcast has signed all their managed domains, as well as deployed > DNSSEC resolvers for their customers. And they're encouraging > others to make the jump to DNSSEC now as well, especially > e-comm/banking sites. Very cool, but they haven't signed *all* of them. comcast.net still isn't signed, nor are any of the reverse zones, nor is comcastonline.com (in Comcast's SOAs). You can probably quibble about whether the reverse zones are important, but comcast.net is quite a significant miss.
(Email, DNS, their "more information links", etc.) Still, I'm glad they're doing it, and hopefully reality will catch up with their announcement soon. :-) -- Scott Schmit From bonomi at mail.r-bonomi.com Wed Jan 11 01:05:26 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Wed, 11 Jan 2012 01:05:26 -0600 (CST) Subject: Comcast DNSSEC In-Reply-To: <20120111055831.GA2427@odin.ulthar.us> Message-ID: <201201110705.q0B75QF4088053@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Wed Jan 11 00:02:13 2012 > Date: Wed, 11 Jan 2012 00:58:31 -0500 > From: Scott Schmit > To: nanog at nanog.org > Subject: Re: Comcast DNSSEC > > On Tue, Jan 10, 2012 at 05:24:47PM -0600, Jeremy Bresley wrote: > > Hadn't seen this mentioned yet. > > > > http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html > > > > Comcast has signed all their managed domains, as well as deployed > > DNSSEC resolvers for their customers. And they're encouraging > > others to make the jump to DNSSEC now as well, especially > > e-comm/banking sites. > > Very cool, but they haven't signed *all* of them. comcast.net still > isn't signed, nor are any of the reverse zones, nor is comcastonline.com > (in Comcast's SOAs). > > You can probably quibble about whether the reverse zones are important, > but comcast.net is quite a significant miss. (Email, DNS, their "more > information links", etc.) > > Still, I'm glad they're doing it, and hopefully reality will catch up > with their announcement soon. :-) > > -- > Scott Schmit > From joelja at bogus.com Wed Jan 11 01:34:33 2012 From: joelja at bogus.com (Joel jaeggli) Date: Tue, 10 Jan 2012 23:34:33 -0800 Subject: BOF at NANOG 54 - IPV4 runout, doing more with less. Message-ID: <4F0D3B89.6040204@bogus.com> Greetings, The BOF topic that I proposed during the recent thread: Re: Sad IPv4 story? Got approved, I'm still looking for 1-2 additional speakers to round out the agenda. 
To recap: * IPV4 run-out means new entrants will from the outset deploy techniques the present operators consider undesirable. * IPV6 should be appearing as part and parcel of new greenfield projects I would think. * On the vendor side CGN hardware is becoming a mature product space. * Datacenter/ICP operators confront a similar set of problems both supporting outgoing connections for large pools and incoming termination. If you have thoughts on any or all of these subjects your fellow NANOG participants are likely to be a receptive audience. In particular I think our colleagues running access networks would be potentially interested in thoughtful commentary on some of the following: * Port constrained or deterministic nat mappings e.g. draft-donley-behave-deterministic-cgn-00 * What the near term state of residential/small business cpe are, and what if anything they're still missing to be suitable for ipv6 deployment. * What scaling properties/pitfalls have been encountered with big stateful translation systems either nat44 or nat64. If you'd like a formal slot on the agenda, please reach out to me. If you simply have an interest in this area let me know and we'll see if we can fit your topic in the plan. Thanks joel From mohta at necom830.hpcl.titech.ac.jp Wed Jan 11 08:58:25 2012 From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta) Date: Wed, 11 Jan 2012 23:58:25 +0900 Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
In-Reply-To: <68424.1325204802@turing-police.cc.vt.edu> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <68424.1325204802@turing-police.cc.vt.edu> Message-ID: <4F0DA391.9090900@necom830.hpcl.titech.ac.jp> Valdis.Kletnieks at vt.edu wrote: >> Beyond that, if there are multiple routers, having a default >> router and relying > Yes yes we know, and we've understood this for a quarter century or so. My > disagreement is that even though 99.8% of machines *don't* have multiple > routers, you seem to be pedantically insisting that some sort of IGP is > mandatory for *all* end hosts, even though only 0.2% or so will actually see > any benefit at all.. Not. Though hosts should implement some IGPs, the default can be to just depend on default routers supplied from DHCP. A better default could be that IGP will be automatically invoked if DHCP does not supply a default router. If multiple IGPs are implemented, snooping IGPs' advertisements to know which is the locally available IGP may also be a good idea. My point w.r.t. multiple next hop routers is that RA supplied information is not good enough, which means DHCP is no worse than RA even if there are multiple next hop routers.
Masataka Ohta From Jason_Livingood at cable.comcast.com Wed Jan 11 14:03:32 2012 From: Jason_Livingood at cable.comcast.com (Livingood, Jason) Date: Wed, 11 Jan 2012 20:03:32 +0000 Subject: Comcast DNSSEC In-Reply-To: <20120111055831.GA2427@odin.ulthar.us> Message-ID: >Very cool, but they haven't signed *all* of them. comcast.net still >isn't signed, nor are any of the reverse zones, nor is comcastonline.com >(in Comcast's SOAs). We'll be there very soon. Sometimes unplanned work in other areas pulls resources temporarily, conspiring against the best plans. ;-) - JL >Still, I'm glad they're doing it, and hopefully reality will catch up >with their announcement soon. :-) > >-- >Scott Schmit > From william.allen.simpson at gmail.com Wed Jan 11 14:12:38 2012 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Wed, 11 Jan 2012 15:12:38 -0500 Subject: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one? In-Reply-To: <4F0DA391.9090900@necom830.hpcl.titech.ac.jp> References: <1290980B-9003-4CD4-A713-A21111E877DA@delong.com> <4EF14814.2080709@bowenvale.co.nz> <4F214584-12C3-42BC-A38B-13D991B9B4A0@muada.com> <4EFB09D8.3000107@necom830.hpcl.titech.ac.jp> <4EFB11F3.1090007@necom830.hpcl.titech.ac.jp> <14160.1325099085@turing-police.cc.vt.edu> <4EFBD594.2000604@necom830.hpcl.titech.ac.jp> <30391.1325139437@turing-police.cc.vt.edu> <82ipkzwxhv.fsf@mid.bfk.de> <38375.1325160093@turing-police.cc.vt.edu> <4EFC62C9.9030101@necom830.hpcl.titech.ac.jp> <44691.1325175089@turing-police.cc.vt.edu> <4EFCE9F8.2040604@necom830.hpcl.titech.ac.jp> <68424.1325204802@turing-police.cc.vt.edu> <4F0DA391.9090900@necom830.hpcl.titech.ac.jp> Message-ID: <4F0DED36.9000005@gmail.com> On 1/11/12 9:58 AM, Masataka Ohta wrote: > A better default could be that IGP will be automatically invoked > if DHCP does not supply a default router. > That's ridiculous. You need some link state to even find a DHCP server. 
So, the very idea that DHCP would tell you where your routers are is preposterous on its face. Besides, that's terrible system design. You should never design a system where some code paths aren't exercised regularly. > If there are multiple IGPs are implemented, snooping IGPs' > advertisement to know which is the locally available IGP may > also be a good idea. > > My point w.r.t. multiple next hop routers is that RA supplied > information is not good enough, which means DHCP is no > worse than RA even if there are multiple next hop routers. > I've not read the whole thread yet (I had read the start what seems to be weeks ago), but I'll pipe up here and point out that in my _original_ design, every host was running a link state IGP. Even without any router at all, you need link state to handle mobile nodes, hidden terminals, partitioned networks, satellite versus land-line unidirectional links, etc, etc, etc. Of course, all that was ripped out by the ignorant folks who came later. Thus, IPv6 is much worse at self-configuration, security, mobility, and *everything* than originally envisioned. From mailinglists.chk at gmail.com Wed Jan 11 14:14:29 2012 From: mailinglists.chk at gmail.com (chk) Date: Wed, 11 Jan 2012 12:14:29 -0800 Subject: RoadRunner/Adelphia AS14065 contact Message-ID: <4F0DEDA5.7070000@gmail.com> If there is a Roadrunner contact monitoring the list can you please contact me off list regarding a routing issue from ns1/2.adelphia.net Thanks. From jra at baylink.com Wed Jan 11 15:36:32 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 11 Jan 2012 16:36:32 -0500 (EST) Subject: So... my colo was just bought. In-Reply-To: <27377930.4226.1326211084098.JavaMail.root@benjamin.baylink.com> Message-ID: <24438852.4514.1326317792792.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Jay Ashworth" > By Knology. > > Should I be scared? 
> > My experiences with Knology have been fairly thin, but uniformly negative, > for at least the last 5 years. But I know that the plural of 'anecdote' is > not 'data'. That said, I'm accepting all anecdotes. :-) And what I got was lots of stories about how bad "my colo just got bought by $BIGCO" can suck. For which, thanks... but I already knew that. I had been more interested in whether people had opinions about *the buyer*, Knology, which might counteract my personal, but anecdotal, bad impression. No one actually appears to have anything specifically bad to say about them, so I guess that's good. Cheers, -- jr 'waggles finger at the people who *called* them cause of my post' a -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Wed Jan 11 15:38:02 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 11 Jan 2012 16:38:02 -0500 (EST) Subject: So... my colo was just bought. In-Reply-To: <24438852.4514.1326317792792.JavaMail.root@benjamin.baylink.com> Message-ID: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Jay Ashworth" > No one actually appears to have anything specifically bad to say about > them, so I guess that's good. And for the record, I've been quite happy with E-Sol; as long as Knology plays no games with the staff, I don't expect any problems. Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From bclark at spectraaccess.com Wed Jan 11 16:00:39 2012 From: bclark at spectraaccess.com (Bret Clark) Date: Wed, 11 Jan 2012 17:00:39 -0500 Subject: So... my colo was just bought. 
In-Reply-To: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com> References: <21369785.4516.1326317882787.JavaMail.root@benjamin.baylink.com> Message-ID: <4F0E0687.1030205@spectraaccess.com> On 01/11/2012 04:38 PM, Jay Ashworth wrote: > And for the record, I've been quite happy with E-Sol; as long as Knology > plays no games with the staff, I don't expect any problems. > > Cheers, > -- jra It's extremely important you let the right people in Knology know that. Bret From jra at baylink.com Wed Jan 11 16:18:41 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 11 Jan 2012 17:18:41 -0500 (EST) Subject: So... my colo was just bought. In-Reply-To: <4F0E0687.1030205@spectraaccess.com> Message-ID: <20342361.4522.1326320321578.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Bret Clark" > On 01/11/2012 04:38 PM, Jay Ashworth wrote: > > And for the record, I've been quite happy with E-Sol; as long as > > Knology plays no games with the staff, I don't expect any problems. > > It's extremely important you let the right people in Knology know > that. Wouldn't it be pretty to think The Right People just saw it? :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Wed Jan 11 16:41:15 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 11 Jan 2012 17:41:15 -0500 (EST) Subject: Monday Night Footbal -- on Google? Message-ID: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> In this week's CES coverage on Marketplace, venture capitalist Mark Suster of GRP Partners opines that Google will bid on the broadcast rights to MNF within the next 5 years. 
http://www.marketplace.org/topics/tech/ces-2012/future-television-way-we-watch Is 'The Internet' ready to deliver live 1080p HD with very close to zero dropouts to 25-30 million viewers for 4 hours straight every week, yet? People don't mind buffering in cat videos, but I'm pretty sure they don't want Tim Tebow's last pass of the game interrupted by an hourglass for 5 seconds. Will CDN's help this? Multicast? Or is this just a yawn story for you guys who run "the backbone" these days? Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From Valdis.Kletnieks at vt.edu Wed Jan 11 18:11:54 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 11 Jan 2012 19:11:54 -0500 Subject: Monday Night Footbal -- on Google? In-Reply-To: Your message of "Wed, 11 Jan 2012 17:41:15 EST." <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> Message-ID: <4221.1326327114@turing-police.cc.vt.edu> On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said: > Is 'The Internet' ready to deliver live 1080p HD with very close to zero > dropouts to 25-30 million viewers for 4 hours straight every week, yet? Depends how much compression you use. :) From djahandarie at gmail.com Wed Jan 11 19:04:06 2012 From: djahandarie at gmail.com (Darius Jahandarie) Date: Wed, 11 Jan 2012 20:04:06 -0500 Subject: Monday Night Footbal -- on Google?
In-Reply-To: <4221.1326327114@turing-police.cc.vt.edu> References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu> Message-ID: On Wed, Jan 11, 2012 at 19:11, wrote: > On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said: > >> Is 'The Internet' ready to deliver live 1080p HD with very close to zero >> dropouts to 25-30 million viewers for 4 hours straight every week, yet? > > Depends how much compression you use. :) We will certainly see the next frontier of bitrate starvation. And y'all thought shoving 50 channels on a single satellite transceiver tier was bad! -- Darius Jahandarie From gfitzpatrick at telx.com Wed Jan 11 19:19:57 2012 From: gfitzpatrick at telx.com (George Fitzpatrick) Date: Thu, 12 Jan 2012 01:19:57 +0000 Subject: Monday Night Footbal -- on Google? In-Reply-To: Message-ID: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> Smart tv's should help, no? ----- Original Message ----- From: Darius Jahandarie [mailto:djahandarie at gmail.com] Sent: Wednesday, January 11, 2012 08:04 PM To: NANOG Subject: Re: Monday Night Footbal -- on Google? On Wed, Jan 11, 2012 at 19:11, wrote: > On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said: > >> Is 'The Internet' ready to deliver live 1080p HD with very close to zero >> dropouts to 25-30 million viewers for 4 hours straight every week, yet? > > Depends how much compression you use. :) We will certainly see the next frontier of bitrate starvation. And y'all thought shoving 50 channels on a single satellite transceiver tier was bad! -- Darius Jahandarie
From Valdis.Kletnieks at vt.edu Wed Jan 11 19:32:23 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 11 Jan 2012 20:32:23 -0500 Subject: Monday Night Footbal -- on Google? In-Reply-To: Your message of "Thu, 12 Jan 2012 01:19:57 GMT." <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> Message-ID: <8359.1326331943@turing-police.cc.vt.edu> On Thu, 12 Jan 2012 01:19:57 GMT, George Fitzpatrick said: > Smart tv's should help, no? Only so much. No matter what they show on CSI about enhancing video, if that stream got compressed so the football Tim Tebow just threw is just a brown ellipse, there's no legitimate way to put the seams back on that sucker. From tagno25 at gmail.com Wed Jan 11 20:20:32 2012 From: tagno25 at gmail.com (Philip Dorr) Date: Wed, 11 Jan 2012 20:20:32 -0600 Subject: Monday Night Footbal -- on Google? In-Reply-To: <8359.1326331943@turing-police.cc.vt.edu> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> Message-ID: On Wed, Jan 11, 2012 at 7:32 PM, wrote: > On Thu, 12 Jan 2012 01:19:57 GMT, George Fitzpatrick said: >> Smart tv's should help, no? > > Only so much. > > No matter what they show on CSI about enhancing video, if that stream got > compressed so the football Tim Tebow just threw is just a brown ellipse, > there's no legitimate way to put the seams back on that sucker. > But the TV should only be receiving one stream at a time, unless there is pip. Each stream would probably be around 5mbps. If multicast is used it shouldn't take 150pbps, it should be much lower.
From streiner at cluebyfour.org Wed Jan 11 16:45:37 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 11 Jan 2012 17:45:37 -0500 (EST) Subject: Monday Night Footbal -- on Google? In-Reply-To: References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> Message-ID: On Wed, 11 Jan 2012, Philip Dorr wrote: > But the TV should only be receiving one stream at a time, unless there > is pip. Each stream would probably be around 5mbps. > > If multicast is used it shouldn't take 150pbps, it should be much lower. That could be one of the things that helps spur v6 adoption - multicast being somewhat less of an afterthought :) While v4 multicast works, and delivering video is one of the things it can do very well, some networks don't route v4 multicast or exchange v4 multicast prefixes, so its utility on a wide scale can be limited. jms From tvhawaii at shaka.com Wed Jan 11 20:40:51 2012 From: tvhawaii at shaka.com (Michael Painter) Date: Wed, 11 Jan 2012 16:40:51 -1000 Subject: Monday Night Footbal -- on Google? References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu> Message-ID: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502> Darius Jahandarie wrote: > On Wed, Jan 11, 2012 at 19:11, wrote: >> On Wed, 11 Jan 2012 17:41:15 EST, Jay Ashworth said: >> >>> Is 'The Internet' ready to deliver live 1080p HD with very close to zero >>> dropouts to 25-30 million viewers for 4 hours straight every week, yet? >> >> Depends how much compression you use. :) > > We will certainly see the next frontier of bitrate starvation. And > y'all thought shoving 50 channels on a single satellite transceiver > tier was bad! Not sure where/what you're talking about, but here in the U.S.A, Dish Network and DirecTV seem to put a max of 7 MPEG 4 HD channels on a *transponder*. 
http://www.satelliteguys.us/thelist/index.php?page=sub --Michael From djahandarie at gmail.com Wed Jan 11 20:54:50 2012 From: djahandarie at gmail.com (Darius Jahandarie) Date: Wed, 11 Jan 2012 21:54:50 -0500 Subject: Monday Night Footbal -- on Google? In-Reply-To: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502> References: <8099304.4608.1326321675642.JavaMail.root@benjamin.baylink.com> <4221.1326327114@turing-police.cc.vt.edu> <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502> Message-ID: On Wed, Jan 11, 2012 at 21:40, Michael Painter wrote: > Not sure where/what you're talking about, but here in the U.S.A, Dish > Network and DirecTV seem to put a max of 7 MPEG 4 HD channels on a > *transponder*. > http://www.satelliteguys.us/thelist/index.php?page=sub > > --Michael > Referring to some Japanese stations, like ATX-HD. It's not actually 30, but it's pretty bad. It's a brilliant stream of blocks you get back, not sure if you'd call it video... :p -- Darius Jahandarie From jra at baylink.com Wed Jan 11 22:00:06 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 11 Jan 2012 23:00:06 -0500 (EST) Subject: Monday Night Football -- on Google? In-Reply-To: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> Message-ID: <4476842.4624.1326340806015.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "George Fitzpatrick" > Smart tv's should help, no? Maybe, maybe not. I think not, and for the reason I just posted as a comment on Marketplace's story: I call it the Compatible Color problem. Due to DMCA, SOPA, and other such corporate paranoia legislation purchased by the large media conglomerates, we may end up in a situation where you need one box to watch Netflix, another box to watch Google, and so on and so on, yada yada. Once Congress gets over thinking it's cute to be ignorant of how the internet works ("series of tubes, right?"), that probably won't play in Washington anymore than it plays in Peoria... 
but I hope it doesn't wait to *start* getting worked on until "The Super Bowl is next Sunday! And my TV doesn't *do* Google!!!" Cause that Would Be Bad.

(These problems have, of course, Already Been Solved. But the media companies aren't interested in those solutions, cause they don't make it possible for those companies to charge you for the same product 14 times, for your TV, your computer, your smartphone, your game console, your car....)

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Wed Jan 11 22:06:42 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 23:06:42 -0500 (EST)
Subject: Monday Night Football -- on Google?
In-Reply-To:
Message-ID: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Philip Dorr"

> But the TV should only be receiving one stream at a time, unless there
> is pip. Each stream would probably be around 5mbps.

I believe you're an optimist. Weekly football is probably the second most important thing on a TV network behind the championships for whatever sport they're carrying, in a year.

I'm not saying you need the whole 19mbps (though, remember here, we are not talking about "Additional Carriage"; we are talking about *being the only way people can see that game* -- and my example was the Super Bowl)... but unless MPEG algorithms have gotten *much* better than I'm aware of, 5mb/s is probably not enough for the Super Bowl.

And you'd really be better off with some FEC, too, even if it costs you a couple frames extra delay.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Wed Jan 11 22:08:15 2012
From: jra at baylink.com (Jay Ashworth)
Date: Wed, 11 Jan 2012 23:08:15 -0500 (EST)
Subject: Monday Night Football -- on Google?
In-Reply-To: <7FD35F1C279D440E934534B59FCEF247@owner59e1f1502>
Message-ID: <16554396.4630.1326341295740.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Michael Painter"

> Not sure where/what you're talking about, but here in the U.S.A, Dish
> Network and DirecTV seem to put a max of 7 MPEG 4 HD
> channels on a *transponder*.
> http://www.satelliteguys.us/thelist/index.php?page=sub

Yup; at varying bit rates; I worked for a program provider to both, and I know just how fast the price goes up if you need enough signal to handle even *slow* motion. :-)

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From tvhawaii at shaka.com Wed Jan 11 23:14:52 2012
From: tvhawaii at shaka.com (Michael Painter)
Date: Wed, 11 Jan 2012 19:14:52 -1000
Subject: Monday Night Football -- on Google?
References: <16554396.4630.1326341295740.JavaMail.root@benjamin.baylink.com>
Message-ID: <0254F3C559F64AC4A85BAA64761A144B@owner59e1f1502>

Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Michael Painter"
>
>> Not sure where/what you're talking about, but here in the U.S.A, Dish
>> Network and DirecTV seem to put a max of 7 MPEG 4 HD
>> channels on a *transponder*.
>> http://www.satelliteguys.us/thelist/index.php?page=sub
>
> Yup; at varying bit rates; I worked for a program provider to both, and I
> know just how fast the price goes up if you need enough signal to handle
> even *slow* motion.
> :-)
>
> Cheers,
> -- jra

Cool. Is information about who buys what closely guarded?
If you have seen the effects of 'starving' content with fast motion, I'd be interested in hearing what that looked like. I'm familiar with resolution vs. screen size vs. viewing distance factors, btw.

Thanks,

--Michael

From oscar.vives at gmail.com Thu Jan 12 03:33:08 2012
From: oscar.vives at gmail.com (Tei)
Date: Thu, 12 Jan 2012 10:33:08 +0100
Subject: Whacky Weekend: Is Internet Access a Human Right?
In-Reply-To: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
References: <969790.3281.1325776972705.JavaMail.root@benjamin.baylink.com>
Message-ID:

On 5 January 2012 16:22, Jay Ashworth wrote:
> Vint Cerf says no: http://j.mp/wwL9Ip
>
> But I wonder to what degree that's dependent on how much our governments make
> Internet access the most practical/only practical way to interact with them.
>
> Understand: I'm not saying that FiOS should be a human right. But as a
> society, America's recognized for decades that you gotta have a telephone,
> and subsidized local/lifeline service to that extent; that sort of subsidy
> applies to cellular phones now as well.
>
> Thoughts?
>

You don't need a new right. The human rights include education and access to be able to participate in your culture. A human banned from using the internet would not have access to culture, and will be banned from participating in it.

Based on this page:
http://en.wikipedia.org/wiki/Human_rights
5.5
5.7
5.7.*

Practical terms: The ugly conclusion is that you can put a man in jail, but that doesn't include banning such a man from accessing the internet. Say you put a cracker in jail. The judge has to remove two rights from him: the right to freely walk anywhere, and the right to post in his favorite forum/mailing list.

--
--
Fin del Mensaje.
From paul at impletec.com Thu Jan 12 10:11:49 2012
From: paul at impletec.com (Paul Kaminsky)
Date: Thu, 12 Jan 2012 18:11:49 +0200
Subject: In search of uplink vendor
Message-ID:

Hi all,

We are at a stage where we need an all-out uplink vendor to fuel our business endeavor. The bells and whistles we need are:

1. 1 Gbps link with complete block of UDP/ICMP protocol
2. BGP session with our AS
3. Ability to blackhole (no route to host) by /32 prefix
4. Presence in Equinix SV1 or SV5 (San Jose) DCs - this is not mandatory, we're open for suggestions

If you feel your company measures up or is a cut above the rest, please get in touch with us to discuss the specific details.

Cheers
Paul

From streiner at cluebyfour.org Thu Jan 12 07:01:58 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 12 Jan 2012 08:01:58 -0500 (EST)
Subject: In search of uplink vendor
In-Reply-To:
References:
Message-ID:

On Thu, 12 Jan 2012, Paul Kaminsky wrote:

> We are at a stage where we need an all-out uplink vendor to fuel our business endeavor. The bells and whistles we need are:
>
> 1. 1 Gbps link with complete block of UDP/ICMP protocol
> 2. BGP session with our AS
> 3. Ability to blackhole (no route to host) by /32 prefix
> 4. Presence in Equinix SV1 or SV5 (San Jose) DCs - this is not mandatory, we're open for suggestions
>
> If you feel your company measures up or is a cut above the rest, please
> get in touch with us to discuss the specific details.

Note: I am not a vendor.

One question:
1. Not knowing anything about your business, is there a specific reason that you want "a complete block of UDP/ICMP protocol"? That can be problematic with IPv4, and downright foolish with IPv6.
jms

From bmanning at vacation.karoshi.com Thu Jan 12 11:07:35 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 12 Jan 2012 17:07:35 +0000
Subject: In search of uplink vendor
In-Reply-To:
References:
Message-ID: <20120112170735.GB29157@vacation.karoshi.com.>

On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote:
> On Thu, 12 Jan 2012, Paul Kaminsky wrote:
>
> >We are at a stage where we need an all-out uplink vendor to fuel our
> >business endeavor. The bells and whistles we need are:
> >
> >1. 1 Gbps link with complete block of UDP/ICMP protocol
> >2. BGP session with our AS
> >3. Ability to blackhole (no route to host) by /32 prefix
> >4. Presence in Equinix SV1 or SV5 (San Jose) DCs - this is not mandatory,
> >we're open for suggestions
> >
> >If you feel your company measures up or is a cut above the rest, please
> >get in touch with us to discuss the specific details.
>
> Note: I am not a vendor.
>
> One question:
> 1. Not knowing anything about your business, is there a specific reason
> that you want "a complete block of UDP/ICMP protocol"? That can be
> problematic with IPv4, and downright foolish with IPv6.
>
> jms

perhaps we are walking around w/ incomplete notions of what constitutes a "complete block of UDP/ICMP protocol"...

for me, literally, this makes no sense whatsoever. ratcheting back on my literal filter (be liberal in what you accept) I believe what he is asking for is a contiguous block of IP addresses for use in his network. am also making the inference that he is only looking for IPv4 (no route to host by /32 prefix).

so the only remaining, burning question is - what size block? a /33? a /31? maybe a /28? or a /22? a /19? (the /33 is right out... filtering on /32 would block both hosts!)

I think it's quite reasonable to expect a contiguous block of addresses, regardless of address family. Not at all "downright foolish". It is rare to see someone -not- get a contiguous block. ymmv of course.
/bill

From morrowc.lists at gmail.com Thu Jan 12 11:16:04 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 12 Jan 2012 12:16:04 -0500
Subject: In search of uplink vendor
In-Reply-To:
References:
Message-ID:

On Thu, Jan 12, 2012 at 8:01 AM, Justin M. Streiner wrote:
> On Thu, 12 Jan 2012, Paul Kaminsky wrote:
>
>> We are at a stage where we need an all-out uplink vendor to fuel our
>> business endeavor. The bells and whistles we need are:
>>
>> 1. 1 Gbps link with complete block of UDP/ICMP protocol
>> 2. BGP session with our AS

you have an asn?

>> 3. Ability to blackhole (no route to host) by /32 prefix
>> 4. Presence in Equinix SV1 or SV5 (San Jose) DCs - this is not mandatory,
>> we're open for suggestions
>>
>> If you feel your company measures up or is a cut above the rest, please
>> get in touch with us to discuss the specific details.
>
>
> Note: I am not a vendor.
>
> One question:
> 1. Not knowing anything about your business, is there a specific reason that
> you want "a complete block of UDP/ICMP protocol"? That can be problematic
> with IPv4, and downright foolish with IPv6.
>

maybe he's upset that his current EU provider is in Sannyvale not Sunnyvale?

inetnum:         109.206.160.0 - 109.206.191.255
netname:         SERVEREL
descr:           Serverel Corp.
country:         EU
org:             ORG-SC64-RIPE
admin-c:         SN2485-RIPE
tech-c:          SN2485-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-by:          SERVEREL-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      SERVEREL-MNT
mnt-domains:     SERVEREL-MNT
source:          RIPE # Filtered

organisation:    ORG-SC64-RIPE
org-name:        Serverel Corp
org-type:        OTHER
address:         970 Corte Madera ave, Sannyvale, CA, US
phone:           +18772467863
abuse-mailbox:   abuse at serverel.com
admin-c:         AN495-RIPE

ripe.. you may want to clean up some data here :)

Also, that small townhouse, it surprises me that someone was able to get a gig pipe into it... especially with a /19 assigned. Odd, why is RIPE supplying space to what seems like clearly an ARIN region endpoint?
-chris

> jms
>

From streiner at cluebyfour.org Thu Jan 12 07:41:23 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 12 Jan 2012 08:41:23 -0500 (EST)
Subject: In search of uplink vendor
In-Reply-To: <20120112170735.GB29157@vacation.karoshi.com.>
References: <20120112170735.GB29157@vacation.karoshi.com.>
Message-ID:

On Thu, 12 Jan 2012, bmanning at vacation.karoshi.com wrote:

> On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote:
>> On Thu, 12 Jan 2012, Paul Kaminsky wrote:
>>> 1. 1 Gbps link with complete block of UDP/ICMP protocol
>> One question:
>> 1. Not knowing anything about your business, is there a specific reason
>> that you want "a complete block of UDP/ICMP protocol"? That can be
>> problematic with IPv4, and downright foolish with IPv6.

> perhaps we are walking around w/ incomplete notions of what
> constitutes a "complete block of UDP/ICMP protocol"...

My notion of the original statement was that the OP was looking for a provider that would block all UDP and ICMP, as in firewalls and packet filters. I also made the possibly-incorrect assumption that if the OP has an ASN from which to announce prefixes, it would also be reasonable to expect that they already have at least one prefix to announce.

From that angle, 'problematic' and 'downright foolish' is not such a far walk ;)

jms

From bmanning at vacation.karoshi.com Thu Jan 12 11:43:08 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 12 Jan 2012 17:43:08 +0000
Subject: In search of uplink vendor
In-Reply-To:
References: <20120112170735.GB29157@vacation.karoshi.com.>
Message-ID: <20120112174308.GD29157@vacation.karoshi.com.>

On Thu, Jan 12, 2012 at 08:41:23AM -0500, Justin M. Streiner wrote:
> On Thu, 12 Jan 2012, bmanning at vacation.karoshi.com wrote:
>
> >On Thu, Jan 12, 2012 at 08:01:58AM -0500, Justin M. Streiner wrote:
> >>On Thu, 12 Jan 2012, Paul Kaminsky wrote:
> >>>1. 1 Gbps link with complete block of UDP/ICMP protocol
> >>One question:
> >>1. Not knowing anything about your business, is there a specific reason
> >>that you want "a complete block of UDP/ICMP protocol"? That can be
> >>problematic with IPv4, and downright foolish with IPv6.
>
> > perhaps we are walking around w/ incomplete notions of what
> > constitutes a "complete block of UDP/ICMP protocol"...
>
> My notion of the original statement was that the OP was looking for a
> provider that would block all UDP and ICMP, as in firewalls and packet
> filters. I also made the possibly-incorrect assumption that if the OP
> has an ASN from which to announce prefixes, it would also be reasonable to
> expect that they already have at least one prefix to announce.
>
> From that angle, 'problematic' and 'downright foolish' is not such a far
> walk ;)
>
> jms

indeed. and now i am curious.. what business plan/product/service could make money w/o ICMP or UDP access.. ???

/bill

From bicknell at ufp.org Thu Jan 12 11:50:06 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 12 Jan 2012 09:50:06 -0800
Subject: In search of uplink vendor
In-Reply-To: <20120112174308.GD29157@vacation.karoshi.com.>
References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.>
Message-ID: <20120112175006.GA64623@ussenterprise.ufp.org>

In a message written on Thu, Jan 12, 2012 at 05:43:08PM +0000, bmanning at vacation.karoshi.com wrote:
> indeed. and now i am curious.. what business plan/product/service
> could make money w/o ICMP or UDP access.. ???

Turn the OP's e-mail into a URL: http://www.impletec.com/

  Impletec Traffic Laboratory was established with the aim to develop and
  provide high-load solutions for Network Engineering, CDN, DDoS
  Protection and other high-level network services. At the highest
  possible standards, with minimum hassle and lowest expense to you - our
  valued customer.
I know of a half dozen "DDoS Protection ISPs" that block all UDP and ICMP. It also fits with his desire to have a blackhole community by the /32 with his upstream.

I don't know if this sort of filter-all-ICMP behavior is more a symptom of the providers or their customer bases, but regardless of the source it makes most of the sites behind these services very slow and/or unreachable from some locations.

I'm not sure posting "I'm a DDoS magnet" on NANOG will get a lot of people jumping up to offer service, or good rates! :)

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From morrowc.lists at gmail.com Thu Jan 12 12:59:36 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Thu, 12 Jan 2012 13:59:36 -0500
Subject: In search of uplink vendor
In-Reply-To: <20120112175006.GA64623@ussenterprise.ufp.org>
References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org>
Message-ID:

On Thu, Jan 12, 2012 at 12:50 PM, Leo Bicknell wrote:
> Turn the OP's e-mail into a URL: http://www.impletec.com/
>
>  Impletec Traffic Laboratory was established with the aim to develop and
>  provide high-load solutions for Network Engineering, CDN, DDoS
>  Protection and other high-level network services. At the highest
>  possible standards, with minimum hassle and lowest expense to you - our
>  valued customer.

wait, they are a dos mitigation service provider and they can't handle udp/icmp traffic? so ... really: "We do dos mitigation for tcp services, we outsource the udp/icmp to someone else" ?
From network.ipdog at gmail.com Thu Jan 12 13:45:58 2012
From: network.ipdog at gmail.com (Network IP Dog)
Date: Thu, 12 Jan 2012 11:45:58 -0800
Subject: In search of uplink vendor
In-Reply-To: <20120112175006.GA64623@ussenterprise.ufp.org>
References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org>
Message-ID: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com>

QUOTE " I know of a half dozen "DDoS Protection ISPs" that block all UDP and ICMP"

Isn't this Internet censorship?

Ephesians 4:32 & Cheers!!!

-----Original Message-----
From: Leo Bicknell [mailto:bicknell at ufp.org]
Sent: Thursday, January 12, 2012 9:50 AM
To: NANOG
Subject: Re: In search of uplink vendor

In a message written on Thu, Jan 12, 2012 at 05:43:08PM +0000, bmanning at vacation.karoshi.com wrote:
> indeed. and now i am curious.. what business plan/product/service
> could make money w/o ICMP or UDP access.. ???

Turn the OP's e-mail into a URL: http://www.impletec.com/

  Impletec Traffic Laboratory was established with the aim to develop and
  provide high-load solutions for Network Engineering, CDN, DDoS
  Protection and other high-level network services. At the highest
  possible standards, with minimum hassle and lowest expense to you - our
  valued customer.

I know of a half dozen "DDoS Protection ISPs" that block all UDP and ICMP. It also fits with his desire to have a blackhole community by the /32 with his upstream.

I don't know if this sort of filter-all-ICMP behavior is more a symptom of the providers or their customer bases, but regardless of the source it makes most of the sites behind these services very slow and/or unreachable from some locations.

I'm not sure posting "I'm a DDoS magnet" on NANOG will get a lot of people jumping up to offer service, or good rates!
:)

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From bicknell at ufp.org Thu Jan 12 13:53:24 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 12 Jan 2012 11:53:24 -0800
Subject: In search of uplink vendor
In-Reply-To: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com>
References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com>
Message-ID: <20120112195324.GA69767@ussenterprise.ufp.org>

In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote:
> QUOTE " I know of a half dozen "DDoS Protection ISPs" that block all UDP
> and ICMP"
>
> Isn't this Internet censorship?

It's not censorship when you pay someone to stuff a sock in your own mouth.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From bmanning at vacation.karoshi.com Thu Jan 12 13:58:25 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 12 Jan 2012 19:58:25 +0000
Subject: In search of uplink vendor
In-Reply-To: <20120112195324.GA69767@ussenterprise.ufp.org>
References: <20120112170735.GB29157@vacation.karoshi.com.> <20120112174308.GD29157@vacation.karoshi.com.> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> <20120112195324.GA69767@ussenterprise.ufp.org>
Message-ID: <20120112195825.GA4598@vacation.karoshi.com.>

On Thu, Jan 12, 2012 at 11:53:24AM -0800, Leo Bicknell wrote:
> In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote:
> > QUOTE " I know of a half dozen "DDoS Protection ISPs" that block all UDP
> > and ICMP"
> >
> > Isn't this Internet censorship?
>
> It's not censorship when you pay someone to stuff a sock in your
> own mouth.
>

yes it is... :) when you do it yourself or pay to have it done for you.

/bill

From Valdis.Kletnieks at vt.edu Thu Jan 12 14:02:00 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 12 Jan 2012 15:02:00 -0500
Subject: In search of uplink vendor
In-Reply-To: Your message of "Thu, 12 Jan 2012 11:53:24 PST." <20120112195324.GA69767@ussenterprise.ufp.org>
References: <20120112170735.GB29157@vacation.karoshi.com> <20120112174308.GD29157@vacation.karoshi.com> <20120112175006.GA64623@ussenterprise.ufp.org> <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com> <20120112195324.GA69767@ussenterprise.ufp.org>
Message-ID: <17127.1326398520@turing-police.cc.vt.edu>

On Thu, 12 Jan 2012 11:53:24 PST, Leo Bicknell said:
> In a message written on Thu, Jan 12, 2012 at 11:45:58AM -0800, Network IP Dog wrote:
> > Isn't this Internet censorship?
>
> It's not censorship when you pay someone to stuff a sock in your
> own mouth.

Corollary: It is, however, censorship when somebody tries to shut down websites about the practice. ;)

From jra at baylink.com Thu Jan 12 14:16:56 2012
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 12 Jan 2012 15:16:56 -0500 (EST)
Subject: In search of uplink vendor
In-Reply-To: <20120112170735.GB29157@vacation.karoshi.com.>
Message-ID: <9053814.4748.1326399416279.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: bmanning at vacation.karoshi.com

> > >1. 1 Gbps link with complete block of UDP/ICMP protocol
> > One question:
> > 1. Not knowing anything about your business, is there a specific reason
> > that you want "a complete block of UDP/ICMP protocol"? That can be
> > problematic with IPv4, and downright foolish with IPv6.
>
> perhaps we are walking around w/ incomplete notions of what
> constitutes a "complete block of UDP/ICMP protocol"...
>
> for me, literally, this makes no sense whatsoever. ratcheting back
> on my literal filter (be liberal in what you accept) I believe
> what he is asking for is a contiguous block of IP addresses
> for use in his network. am also making the inference that he is
> only looking for IPv4 (no route to host by /32 prefix).

Well, I dunno; I concur with jms: I assumed he meant "where the provider drops all incoming UDP and ICMP traffic addressed towards my IP space on the floor".

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Thu Jan 12 14:18:59 2012
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 12 Jan 2012 15:18:59 -0500 (EST)
Subject: In search of uplink vendor
In-Reply-To: <4f0f3882.e52a320a.612a.ffffe7c5@mx.google.com>
Message-ID: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Network IP Dog"

> Isn't this Internet censorship?

Repeat after me: It's not censorship unless it's imposed by a government.

I don't know that "per speaker" or "per topic" are required, but they're common.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From whtn0ise at goeaston.net Thu Jan 12 14:38:04 2012
From: whtn0ise at goeaston.net (whtn0ise)
Date: Thu, 12 Jan 2012 15:38:04 -0500
Subject: Looking for Capitol One, NA POC
Message-ID: <4F0F44AC.1080208@goeaston.net>

If there is a member of Capitol One North America's IT/Security on this distro, please contact me offline.
From paul at paulstewart.org Thu Jan 12 15:02:49 2012
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 12 Jan 2012 16:02:49 -0500
Subject: Linux Centralized Administration
Message-ID: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>

Hey folks, just curious what people are using for automating updates to Linux boxes?

Today, we manually do YUM updates to all the CentOS servers; just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network?

Cheers,

Paul

From Valdis.Kletnieks at vt.edu Thu Jan 12 15:07:53 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 12 Jan 2012 16:07:53 -0500
Subject: Linux Centralized Administration
In-Reply-To: Your message of "Thu, 12 Jan 2012 16:02:49 EST." <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <20681.1326402473@turing-police.cc.vt.edu>

On Thu, 12 Jan 2012 16:02:49 EST, Paul Stewart said:
> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?

You can configure yum-updatesd to download and/or apply new updates automagically. Whether that's a good idea is a different question.

From cra at WPI.EDU Thu Jan 12 15:09:54 2012
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 12 Jan 2012 16:09:54 -0500
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <20120112210954.GE5069@angus.ind.WPI.EDU>

On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
> Hey folks, just curious what people are using for automating updates to
> Linux boxes?
yum

> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?

yum install yum-cron
chkconfig yum-cron on
service yum-cron start

From md1clv at md1clv.com Thu Jan 12 15:10:20 2012
From: md1clv at md1clv.com (Daniel Ankers)
Date: Thu, 12 Jan 2012 21:10:20 +0000
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID:

On 12 January 2012 21:02, Paul Stewart wrote:
> Hey folks, just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?

It so happens that just yesterday I stumbled across Spacewalk (http://spacewalk.redhat.com) - which is the open source version of RHN Satellite. I ran into a few problems setting the server up - but nothing too difficult to solve, and client installation is a breeze.

Dan

From jof at thejof.com Thu Jan 12 15:11:21 2012
From: jof at thejof.com (Jonathan Lassoff)
Date: Thu, 12 Jan 2012 13:11:21 -0800
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID:

On Thu, Jan 12, 2012 at 1:02 PM, Paul Stewart wrote:
> Hey folks, just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?

There's no tool I could recommend that would be very close to RHN.
However, for solving the problem of keeping packages up to date and systems in a known state, I would recommend checking out some configuration management tools. There are several popular ones nowadays, though I personally prefer Puppet or Chef.

Both are tools that allow administrators to declare what a system should look like, and abstract away the hard work of making that happen on a variety of platforms. In both cases, it's possible to monitor how well those tools are working and what they're doing in the background so that you can get an idea of what's up to date and what's not.

Are you just trying to solve for making sure that packages are up to date? Making sure that running daemons are also up to date?

Cheers,
jof

From Timothy.Green at ManTech.com Thu Jan 12 15:11:53 2012
From: Timothy.Green at ManTech.com (Green, Timothy)
Date: Thu, 12 Jan 2012 16:11:53 -0500
Subject: Linux Centralized Administration
In-Reply-To: <20120112210954.GE5069@angus.ind.WPI.EDU>
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <20120112210954.GE5069@angus.ind.WPI.EDU>
Message-ID:

We are using Security Blanket. It's a COTS product that works really well....

-----Original Message-----
From: Chuck Anderson [mailto:cra at WPI.EDU]
Sent: Thursday, January 12, 2012 4:10 PM
To: nanog at nanog.org
Subject: Re: Linux Centralized Administration

On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote:
> Hey folks, just curious what people are using for automating updates to
> Linux boxes?

yum

> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?
yum install yum-cron
chkconfig yum-cron on
service yum-cron start

From nmehrotra at riorey.com Thu Jan 12 15:13:01 2012
From: nmehrotra at riorey.com (Nitin Mehrotra)
Date: Thu, 12 Jan 2012 16:13:01 -0500 (EST)
Subject: Linux Centralized Administration
In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com>

We use puppet - http://puppetlabs.com/.

Works good for us.

Nitin

----- Original Message -----
From: "Paul Stewart"
To: nanog at nanog.org
Sent: Thursday, January 12, 2012 4:02:49 PM
Subject: Linux Centralized Administration

Hey folks, just curious what people are using for automating updates to Linux boxes?

Today, we manually do YUM updates to all the CentOS servers; just an example but a good one. I have heard there are some open source solutions similar to that of Red Hat Network?

Cheers,

Paul

From bret at getjive.com Thu Jan 12 15:16:31 2012
From: bret at getjive.com (Bret Palsson)
Date: Thu, 12 Jan 2012 14:16:31 -0700
Subject: Linux Centralized Administration
In-Reply-To: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com>
References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com>
Message-ID: <09956662-73C2-4F69-A191-9D8310034D69@getjive.com>

We use SALT, written in python and setup in 10 minutes. Seriously easy! Wickedly fast!
http://saltstack.org/

-Bret

On Jan 12, 2012, at 2:13 PM, Nitin Mehrotra wrote:

> We use puppet - http://puppetlabs.com/.
>
> Works good for us.
>
> Nitin
>
> ----- Original Message -----
> From: "Paul Stewart"
> To: nanog at nanog.org
> Sent: Thursday, January 12, 2012 4:02:49 PM
> Subject: Linux Centralized Administration
>
> Hey folks, just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers; just an
> example but a good one. I have heard there are some open source solutions
> similar to that of Red Hat Network?
>
> Cheers,
>
> Paul
>

From tom at ninjabadger.net Thu Jan 12 15:20:39 2012
From: tom at ninjabadger.net (Tom Hill)
Date: Thu, 12 Jan 2012 21:20:39 +0000
Subject: QinQ switch or similar
In-Reply-To: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local>
References: <1A8A762BD508624A8BDAB9F5E1638F94601CBB76F5@comsrv01.fg.local>
Message-ID: <1326403239.2441.2.camel@teh-desktop>

On Sun, 2012-01-08 at 14:06 -0600, Jensen Tyler wrote:
> We have been using Ciena switches for QinQ.
>
> CN3920 would fit best for low cost. Pretty easy to use.

The 3916 is one generation newer, cheaper, has a hardware FIB and therefore also does all the MPLS bits and bobs (though don't use that until 6.10, we're told.)

If I remember rightly a 3920 can't pop off an S-tag on egress, too. There's some silly limitation like that.

Tom

From orangewinds at gmail.com Thu Jan 12 15:24:10 2012
From: orangewinds at gmail.com (Jacob Taylor)
Date: Thu, 12 Jan 2012 13:24:10 -0800
Subject: Linux Centralized Administration
In-Reply-To: <09956662-73C2-4F69-A191-9D8310034D69@getjive.com>
References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> <09956662-73C2-4F69-A191-9D8310034D69@getjive.com>
Message-ID:

Fabric is also a fine one, if you *don't* want abstraction of what you're doing: http://fabfile.org

On Thu, Jan 12, 2012 at 1:16 PM, Bret Palsson wrote:
> We use SALT, written in python and setup in 10 minutes. Seriously easy! Wickedly fast!
> http://saltstack.org/
>
> -Bret
> On Jan 12, 2012, at 2:13 PM, Nitin Mehrotra wrote:
>
>> We use puppet - http://puppetlabs.com/.
>>
>> Works good for us.
>>
>> Nitin
>>
>> ----- Original Message -----
>> From: "Paul Stewart"
>> To: nanog at nanog.org
>> Sent: Thursday, January 12, 2012 4:02:49 PM
>> Subject: Linux Centralized Administration
>>
>> Hey folks, just curious what people are using for automating updates to
>> Linux boxes?
>>
>> Today, we manually do YUM updates to all the CentOS servers;
just an
>> example but a good one. I have heard there are some open source solutions
>> similar to that of Red Hat Network?
>>
>> Cheers,
>>
>> Paul
>

From ikiris at gmail.com Thu Jan 12 15:26:06 2012
From: ikiris at gmail.com (Blake Dunlap)
Date: Thu, 12 Jan 2012 15:26:06 -0600
Subject: Linux Centralized Administration
In-Reply-To:
References: <1591778071.1934.1326402781450.JavaMail.root@zmail.riorey.com> <09956662-73C2-4F69-A191-9D8310034D69@getjive.com>
Message-ID:

I run spacewalk (as mentioned above), and have for some time. Once you get the errata importing set up, it's pretty much full RHN.

-Blake

From paul at paulstewart.org Thu Jan 12 15:30:22 2012
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 12 Jan 2012 16:30:22 -0500
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <011801ccd171$65ff1fb0$31fd5f10$@paulstewart.org>

Awesome! I remember someone telling me about this before and couldn't remember the name til now...

Cheers,

Paul

-----Original Message-----
From: Daniel Ankers [mailto:md1clv at md1clv.com]
Sent: Thursday, January 12, 2012 4:08 PM
To: Paul Stewart
Subject: Re: Linux Centralized Administration

On 12 January 2012 21:02, Paul Stewart wrote:
> Hey folks. just curious what people are using for automating updates
> to Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source
> solutions similar to that of Red Hat Network?

It so happens that just yesterday I stumbled across Spacewalk (http://spacewalk.redhat.com) - which is the open source version of RHN Satellite. I ran into a few problems setting the server up - but nothing too difficult to solve, and client installation is a breeze.
Dan From jcdill.lists at gmail.com Thu Jan 12 15:56:38 2012 From: jcdill.lists at gmail.com (JC Dill) Date: Thu, 12 Jan 2012 13:56:38 -0800 Subject: In search of uplink vendor In-Reply-To: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com> References: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com> Message-ID: <4F0F5716.5090907@gmail.com> On 12/01/12 12:18 PM, Jay Ashworth wrote: > ----- Original Message ----- >> From: "Network IP Dog" >> Isn't this Internet censorship? > Repeat after me: It's not censorship unless it's imposed by a government. The wikipedia definition seems more accurate: http://en.wikipedia.org/wiki/Censorship " *Censorship* is the suppression of speech or other public communication which may be considered objectionable, harmful, sensitive, or inconvenient to the general body of people as determined by a government, media outlet, or other controlling body." The key aspect that makes something censorship is that you can't easily get around the block by the "controlling body". Obviously, if you do it yourself or ask someone to do it for you (e.g. ask your upstream to filter) it's not censorship. If it's done by someone else, you have no say in the matter and no (easy and/or legal) opportunity to avoid the filtering, then it's censorship. If Comcast or AT&T decided to filter/block requested data from reaching their customers (e.g. access to .xxx sites, access to torrents), we would all agree that this was censorship. jc From mpalmer at hezmatt.org Thu Jan 12 16:27:19 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Fri, 13 Jan 2012 09:27:19 +1100 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <20120112222719.GC2949@hezmatt.org> On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote: > Hey folks. just curious what people are using for automating updates to > Linux boxes? 
> > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network? At work, we use (and built) a tool called 'tingle' (https://github.com/anchor/tingle), which handles it all for us across our internal and managed-for-customers infrastructures. Personally, I don't run CentOS, but I use unattended-upgrades on my personal herd of Debian machines, which works well enough. - Matt -- A woman in liquor production / Owns a still of exquisite construction. The alcohol boils / Through magnetic coils. She says that it's "proof by induction." -- http://limerickdb.com/?34 From jna at retina.net Thu Jan 12 16:42:39 2012 From: jna at retina.net (John Adams) Date: Thu, 12 Jan 2012 14:42:39 -0800 Subject: Linux Centralized Administration In-Reply-To: <20120112222719.GC2949@hezmatt.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <20120112222719.GC2949@hezmatt.org> Message-ID: Here at Twitter we make extensive use of Puppet. It's great, but we had a hard learning curve and much customization to get it to work the way we wanted to. I'd also recommend Chef, which is like Puppet but includes more tools (like a machine database) out of the box. -j On Thu, Jan 12, 2012 at 2:27 PM, Matthew Palmer wrote: > On Thu, Jan 12, 2012 at 04:02:49PM -0500, Paul Stewart wrote: > > Hey folks. just curious what people are using for automating updates to > > Linux boxes? > > > > Today, we manually do YUM updates to all the CentOS servers . just an > > example but a good one. I have heard there are some open source > solutions > > similar to that of Red Hat Network? > > At work, we use (and built) a tool called 'tingle' > (https://github.com/anchor/tingle), which handles it all for us across our > internal and managed-for-customers infrastructures. 
> > Personally, I don't run CentOS, but I use unattended-upgrades on my > personal > herd of Debian machines, which works well enough. > > - Matt > > -- > A woman in liquor production / Owns a still of exquisite construction. > The alcohol boils / Through magnetic coils. > She says that it's "proof by induction." > -- http://limerickdb.com/?34 > > > From source_route at yahoo.com Thu Jan 12 16:57:10 2012 From: source_route at yahoo.com (Philip Lavine) Date: Thu, 12 Jan 2012 14:57:10 -0800 (PST) Subject: community strings for Reliance Globalcom Message-ID: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> does anybody have the community strings for Reliance Globalcom From sfouant at shortestpathfirst.net Thu Jan 12 17:12:48 2012 From: sfouant at shortestpathfirst.net (Stefan Fouant) Date: Thu, 12 Jan 2012 18:12:48 -0500 Subject: community strings for Reliance Globalcom In-Reply-To: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID: Not sure how up to date this is, but I believe this is what you are looking for: http://www.onesc.net/communities/as15412/ Cheers, Stefan Fouant JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI Technical Trainer, Juniper Networks Follow us on Twitter @JuniperEducate Sent from my iPad On Jan 12, 2012, at 5:57 PM, Philip Lavine wrote: > does anybody have the community strings for Reliance Globalcom From mysidia at gmail.com Thu Jan 12 18:43:39 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Thu, 12 Jan 2012 18:43:39 -0600 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart wrote: > > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source solutions > similar to that of Red Hat Network? 
>

Something to think about before attempting to centrally manage, your systems actually have to be centrally manageable -- that doesn't happen automatically and requires extra work.

The just run yum update strategy is only reliable when all packages on the system were installed from RPM and all software RPMs installed are properly maintained by the vendor using Yum.

Some packages have updates that are distributed with Yum, but yum updating "breaks" the application, until a manual update procedure is completed.

Sometimes an updated kernel won't boot. Sometimes, a third-party driver for RAID card X won't load in the patched kernel, and after a reboot, the OS never comes back up because it's sitting at a kernel panic message indicating no hard drive found.

Cacti/OpenNMS are good examples -- after a yum update to a new version, you must manually invoke, a potentially dangerous "installer" program or web page has to be used, after a new update, config files, or database schema have to be edited or patched by hand; until you manually take some action to "fix" the config, the application is broken after update. As soon as you attempt to restart the application it will shutdown OK, but not come back up.

Occasionally, there is a library update that breaks binary compatibility with existing applications, for example a certain update to net-snmp-libs in Centos 5.something.

yum-updatesd surely doesn't know when auto-applying an update will cause an important service to suddenly break.

To centrally manage effectively, you basically need a homogenous environment with a configuration that is very close to stock config, so that effective testing is possible; homogenous meaning an identical list of installed packages and software all installed the same way on every system centrally managed as a group, identical SKUs for every hardware component in every installation configured identically, same hw revisions, etc. No "extra" applications or files floating around on a one-off server.
So yum-updatesd would be a bad idea for production systems that have any third-party packages; even if YUM maintained. And even if YUM maintained, third party YUM repos may become neglected, or change into 404 errors, causing yum to break entirely.

Often commercial third-party software used on CentOS systems will be distributed in another format, such as .tar.gz. Yum cannot do much with that; the third party package will likely get neglected and not updated.

Often various applications you require may need versions of libraries or applications that are not yet available in RPM format, or they're part of Fedora instead. In any case, if you wind up rebuilding the RPM for CentOS using rpmbuild or installing from source, Yum update won't help you with those packages, and may break their dependencies later.

That might just be a testament to how poor the available packaged software selections are in CentOS, that commonly needed packages aren't part of the distribution; and commonly outdated versions of libraries are present. But YUM-updatesd's usefulness certainly applies to less than 100% of systems.

--
-JH

From chaim.rieger at gmail.com Thu Jan 12 19:51:58 2012
From: chaim.rieger at gmail.com (chaim.rieger at gmail.com)
Date: Thu, 12 Jan 2012 17:51:58 -0800
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org>
Message-ID: <4F0F8E3E.2020705@gmail.com>

On 1/12/2012 4:43 PM, Jimmy Hess wrote:
> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart wrote:
>
>> Today, we manually do YUM updates to all the CentOS servers . just an
>> example but a good one. I have heard there are some open source solutions
>> similar to that of Red Hat Network?
>>
> Something to think about before attempting to centrally manage, your
> systems actually have to be centrally manageable -- that doesn't happen
> automatically and requires extra work.
>
>
this is why i never update.
i would rather build a new image and deploy it to the thousands of servers than worry about updates. be it an openssh security notice, or new ntp configuration, for me it is easier to rebuild servers than update config files. From paul at paulgraydon.co.uk Thu Jan 12 19:55:35 2012 From: paul at paulgraydon.co.uk (Paul Graydon) Date: Thu, 12 Jan 2012 15:55:35 -1000 Subject: Linux Centralized Administration In-Reply-To: <4F0F8E3E.2020705@gmail.com> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> Message-ID: <4F0F8F17.3020107@paulgraydon.co.uk> On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote: > On 1/12/2012 4:43 PM, Jimmy Hess wrote: >> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart >> wrote: >> >>> Today, we manually do YUM updates to all the CentOS servers . just an >>> example but a good one. I have heard there are some open source >>> solutions >>> similar to that of Red Hat Network? >>> >> Something to think about before attempting to centrally manage, your >> systems actually have to be centrally manageable -- that doesn't happen >> automatically and requires extra work. >> >> > this is why i never update. i would rather build a new image and > deploy it to the thousands of servers than worry about updates. be it > an openssh security notice, or new ntp configuration, for me it is > easier to rebuild servers than update config files. > .. you never update? How frequently do you rebuild your entire server stack, weekly? 
Paul From paul at paulgraydon.co.uk Thu Jan 12 19:57:19 2012 From: paul at paulgraydon.co.uk (Paul Graydon) Date: Thu, 12 Jan 2012 15:57:19 -1000 Subject: Linux Centralized Administration In-Reply-To: <4F0F8E3E.2020705@gmail.com> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> Message-ID: <4F0F8F7F.8090208@paulgraydon.co.uk> On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote: > On 1/12/2012 4:43 PM, Jimmy Hess wrote: >> On Thu, Jan 12, 2012 at 3:02 PM, Paul Stewart >> wrote: >> >>> Today, we manually do YUM updates to all the CentOS servers . just an >>> example but a good one. I have heard there are some open source >>> solutions >>> similar to that of Red Hat Network? >>> >> Something to think about before attempting to centrally manage, your >> systems actually have to be centrally manageable -- that doesn't happen >> automatically and requires extra work. >> >> > this is why i never update. i would rather build a new image and > deploy it to the thousands of servers than worry about updates. be it > an openssh security notice, or new ntp configuration, for me it is > easier to rebuild servers than update config files. > For that matter, imaging is a bad way to go about handling this, you'd be better served by setting up something like Puppet or Chef and have them handle configuration management for you centrally, along with necessary software packages. 
Paul From bmanning at vacation.karoshi.com Thu Jan 12 21:32:30 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Fri, 13 Jan 2012 03:32:30 +0000 Subject: In search of uplink vendor In-Reply-To: <4F0F5716.5090907@gmail.com> References: <13924436.4750.1326399539460.JavaMail.root@benjamin.baylink.com> <4F0F5716.5090907@gmail.com> Message-ID: <20120113033230.GB5074@vacation.karoshi.com.> On Thu, Jan 12, 2012 at 01:56:38PM -0800, JC Dill wrote: > On 12/01/12 12:18 PM, Jay Ashworth wrote: > >----- Original Message ----- > >>From: "Network IP Dog" > >>Isn't this Internet censorship? > >Repeat after me: It's not censorship unless it's imposed by a government. > > The wikipedia definition seems more accurate: > > http://en.wikipedia.org/wiki/Censorship > > " *Censorship* is the suppression of speech or other public > communication which may be considered objectionable, harmful, sensitive, > or inconvenient to the general body of people as determined by a > government, media outlet, or other controlling body." > time to update the wikipedia entry then... think parents suppression of "communication [] considered objectionable, harmful, sensitive or inconvenient" wrt their children. the key is "controlling body"... be it ISP, Government, CorporateIT, your mom, or the school board. It might even be -YOU- (you do have control, right?) 
/bill From md1clv at md1clv.com Fri Jan 13 02:56:42 2012 From: md1clv at md1clv.com (Daniel Ankers) Date: Fri, 13 Jan 2012 08:56:42 +0000 Subject: Linux Centralized Administration In-Reply-To: <4F0F8F7F.8090208@paulgraydon.co.uk> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk> Message-ID: On 13 January 2012 01:57, Paul Graydon wrote: > On 01/12/2012 03:51 PM, chaim.rieger at gmail.com wrote: >> >> On 1/12/2012 4:43 PM, Jimmy Hess wrote: >>> Something to think about before attempting to centrally manage, your >>> systems actually have to be centrally manageable -- that doesn't happen >>> automatically and requires extra work. >>> >>> >> this is why i never update. i would rather build a new image and deploy it >> to the thousands of servers than worry about updates. be it an openssh >> security notice, or new ntp configuration, for me it is easier to rebuild >> servers than update config files. >> > For that matter, imaging is a bad way to go about handling this, you'd be > better served by setting up something like Puppet or Chef and have them > handle configuration management for you centrally, along with necessary > software packages. > > Paul I looked into Puppet and though I've got it managing parts of our infrastructure it seems quite difficult to bolt on to an existing setup. There are also some things that I can't see how to do easily with Puppet ("Don't upgrade packages on the live environment until we've tested them in staging" being a big one.) I'm starting to look at Blueprint (http://devstructure.com) to help build the Puppet manifests so that we can deploy Puppet without breaking any existing machines, Puppet for configuration management and Spacewalk to audit what is up-to-date and help schedule security updates. 
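The pre-flight check Jimmy Hess's message argues for (unattended yum updates are only reliable when every package is vendor-maintained) and the "test in staging before live" concern Daniel raises, as an added example that is not code from the thread nor from yum, Puppet or Spacewalk: it parses `yum list installed` output, sorts packages by origin repo, refuses an unattended run when third-party or hand-installed packages are present, and builds an `exclude=` line for the packages the thread names as needing a manual post-update step. The trusted repo names, the fragile-package prefixes, the `--live` flag and the sample output are all assumptions made for this example.

```python
"""Pre-flight audit before letting yum-cron / yum-updatesd run unattended.

Automatic `yum update` is only safe when every package on the box comes
from, and is maintained by, the vendor repositories. This script sorts
installed packages by origin repo, refuses the unattended run when
third-party or hand-installed packages are present, and builds an
exclude= line for packages that need a manual post-update step.
Policy constants and SAMPLE output are constructed for this example.
"""
import subprocess
import sys
from dataclasses import dataclass

# Assumed policy: repos whose updates count as vendor-maintained.
VENDOR_REPOS = {"base", "updates", "extras"}
# Packages the thread names as breaking until a manual update step is done.
FRAGILE_PREFIXES = ("cacti", "opennms")


@dataclass(frozen=True)
class Pkg:
    name: str
    arch: str
    version: str
    repo: str   # repo name without '@', or 'installed' for rpm -i / local builds


def parse_yum_list_installed(text):
    """Parse `yum list installed` output: 'name.arch  version  @repo'.

    yum wraps long name.arch values onto their own line, with version and
    repo on the next line; those continuation lines are joined here.
    """
    pkgs, pending = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 1 and "." in parts[0]:
            pending = parts[0]            # wrapped name.arch, rest follows
            continue
        if len(parts) == 2 and pending:
            parts, pending = [pending] + parts, None
        if len(parts) != 3 or "." not in parts[0]:
            continue                      # headers, plugin chatter, blanks
        name, _, arch = parts[0].rpartition(".")
        pkgs.append(Pkg(name, arch, parts[1], parts[2].lstrip("@")))
    return pkgs


def classify(pkgs, vendor_repos=VENDOR_REPOS):
    """Split packages into vendor-managed, third-party repo, and unmanaged."""
    report = {"vendor": [], "third_party": [], "unmanaged": []}
    for p in pkgs:
        if p.repo == "installed":
            report["unmanaged"].append(p)        # rpm -i, rpmbuild, tarball wrappers
        elif p.repo in vendor_repos or p.repo.startswith("anaconda"):
            report["vendor"].append(p)           # install media counts as vendor
        else:
            report["third_party"].append(p)      # epel, rpmforge, ...
    return report


def unattended_update_is_safe(report):
    """Only a fully vendor-maintained box qualifies for unattended updates."""
    return not report["third_party"] and not report["unmanaged"]


def yum_exclude_line(pkgs, prefixes=FRAGILE_PREFIXES):
    """Build a yum.conf / yum-cron 'exclude=' line for packages to update by hand."""
    names = sorted({p.name for p in pkgs if p.name.lower().startswith(prefixes)})
    return "exclude=" + " ".join(names) if names else ""


# Constructed sample of `yum list installed` output, including a wrapped line.
SAMPLE = """\
Loaded plugins: fastestmirror
Installed Packages
bash.x86_64                4.1.2-15.el6_4     @base
kernel.x86_64              2.6.32-358.el6     @anaconda-CentOS-201303020151.x86_64/6.4
net-snmp-libs.x86_64       1:5.5-44.el6       @updates
cacti.noarch               0.8.8a-1.el6       @epel
opennms-core.noarch
                           1.10.9-1           installed
megaraid-driver.x86_64     1.0-3.local        installed
"""


def audit(text):
    """Return (safe_for_unattended, report, exclude_line) for one host's listing."""
    pkgs = parse_yum_list_installed(text)
    report = classify(pkgs)
    return unattended_update_is_safe(report), report, yum_exclude_line(pkgs)


if __name__ == "__main__":
    # --live reads the real host; default uses the constructed SAMPLE
    text = (subprocess.run(["yum", "list", "installed"], capture_output=True,
                           text=True, check=True).stdout
            if "--live" in sys.argv else SAMPLE)
    safe, report, exclude = audit(text)
    for bucket in ("third_party", "unmanaged"):
        for p in report[bucket]:
            print(f"{bucket}: {p.name}.{p.arch} {p.version} (repo: {p.repo})")
    if exclude:
        print(exclude)
    print("unattended update:", "OK" if safe else "REFUSED")
    sys.exit(0 if safe else 1)
```

A non-zero exit is the signal for the scheduler (cron, yum-cron, or a central job runner) to leave the host for a staged, attended update instead.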
Dan From mpetach at netflight.com Thu Jan 12 17:06:42 2012 From: mpetach at netflight.com (Matthew Petach) Date: Thu, 12 Jan 2012 15:06:42 -0800 Subject: community strings for Reliance Globalcom In-Reply-To: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> Message-ID: On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote: > does anybody have the community strings for Reliance Globalcom > You might check to see if they left the default "public" read-only string in place, but I highly doubt it. Most people are pretty careful to pick at least somewhat hard to guess community strings, and to ACL them off from external querying. Matt From mark at streamservice.nl Fri Jan 13 05:04:42 2012 From: mark at streamservice.nl (Mark Scholten) Date: Fri, 13 Jan 2012 12:04:42 +0100 Subject: Linux Centralized Administration In-Reply-To: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <017d01ccd1e3$269b11e0$73d135a0$@nl> > Hey folks. just curious what people are using for automating updates to > Linux boxes? > > > > Today, we manually do YUM updates to all the CentOS servers . just an > example but a good one. I have heard there are some open source > solutions similar to that of Red Hat Network? We did create our own solution and are still expanding it. Currently we set what a server should look like at the servers, we want to change it to the central system. This would make it easier to deploy extra servers (only entering a MAC address, selecting software and starting a server should be enough to auto-deploy it). Our current solution is designed for Debian/Ubuntu, but should also work on other Linux distributions. A working copy might be available; please contact me offlist and I'll look what I can do. 
Kind regards, Mark From jared at puck.nether.net Fri Jan 13 05:58:10 2012 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 13 Jan 2012 06:58:10 -0500 Subject: Linux Centralized Administration In-Reply-To: References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> Message-ID: <6FA43C09-7D3C-45B6-A0CC-B0DB7DAD3877@puck.nether.net> Sounds like a poorly designed package. Wordpress does a good job of allowing back end updates without impacting the services provided, even with database changes. Part of a well designed and maintained system is the ability to do painless upgrades. Jared Mauch On Jan 12, 2012, at 7:43 PM, Jimmy Hess wrote: > Cacti/OpenNMS are good examples -- after a yum update to a new version, > you must manually invoke, a potentially dangerous "installer" program or > web page has to be used, after a new update, config files, or database > schema have to be edited or patched by hand; until you manually take some > action to "fix" the config, the application is broken after update. > As soon as you attempt to restart the application it will shutdown OK, but > not come back up. From james.braunegg at micron21.com Fri Jan 13 06:36:41 2012 From: james.braunegg at micron21.com (James Braunegg) Date: Fri, 13 Jan 2012 12:36:41 +0000 Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389 Message-ID: Hey All, Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours. We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address. The only common link was / is terminal services port 3389 is open to the public. 
Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before !

Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source      Destination   Application    Src Port  Dst Port  Proto
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51534     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      52699     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      60824     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51669     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      49215     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      62099     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      65429     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51965     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      50381     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59379     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58103     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59514     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee.
If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

From erik.soosalu at calyxinc.com Fri Jan 13 07:17:28 2012
From: erik.soosalu at calyxinc.com (Erik Soosalu)
Date: Fri, 13 Jan 2012 08:17:28 -0500
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To:
References:
Message-ID: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address. The only common link was / is terminal services port 3389 is open to the public.

Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
From james.braunegg at micron21.com Fri Jan 13 07:28:47 2012
From: james.braunegg at micron21.com (James Braunegg)
Date: Fri, 13 Jan 2012 13:28:47 +0000
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
References: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
Message-ID:

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..

We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu at calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.
From erik.soosalu at calyxinc.com Fri Jan 13 07:38:19 2012
From: erik.soosalu at calyxinc.com (Erik Soosalu)
Date: Fri, 13 Jan 2012 08:38:19 -0500
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To:
References: <0B224A2FE01CC54C860290D42474BF6005230CAB@exchange.nff.local>
Message-ID: <0B224A2FE01CC54C860290D42474BF6005230CB2@exchange.nff.local>

I would agree that it is a large stream.

The other thing would be a password crack attempt. There was a tool out a couple of years ago, and I've forgotten the name of it now, that worked at brute forcing RDP passwords. It worked without ending up in the Windows logs, because at the time Windows would only log incorrect RDP password attempts on the 5th try. So it would try 4 passwords, disconnect and then connect again.

If it was such a program, trying as fast as it could, there would be a lot of initial "screen renders" being sent to the attack IP with very little traffic coming back - just the login attempts.

Thanks,
Erik

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 8:29 AM
To: Erik Soosalu; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Dear Erik

2mbits to 4mbits of outbound traffic is a fair bit for just a port scan..

We saw around 100ks of inbound traffic to each server and around 2mbits to 4mbits outbound traffic from the servers to the same destination 58.162.67.45

The traffic pattern occurred for around 30 minutes and then simultaneously every host (server) stopped sending traffic.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information.
If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

-----Original Message-----
From: Erik Soosalu [mailto:erik.soosalu at calyxinc.com]
Sent: Saturday, January 14, 2012 12:17 AM
To: James Braunegg; nanog at nanog.org
Subject: RE: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Wouldn't this just be an indication of that block being scanned for open 3389 ports from that IP? You're just looking at the return traffic to the scanning host.

-----Original Message-----
From: James Braunegg [mailto:james.braunegg at micron21.com]
Sent: Friday, January 13, 2012 7:37 AM
To: nanog at nanog.org
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389

Hey All,

Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.

We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.

The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.

Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic

Would be very interested if anyone else has seen this behavior before!
Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"

A sample of the traffic is as per below, collected from netflow

Source      Destination   Application    Src Port  Dst Port  Proto
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51534     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      52699     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      60824     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51669     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      49215     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      62099     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      65429     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51965     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      50381     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59379     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58103     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59514     TCP
x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58298     TCP

This occurred around 10:30pm AEST Friday the 13th of January 2012

We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
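One way to check flow data for the pattern Erik and James describe above (many independent internal RDP servers all pushing far more bytes to a single external host than they receive back, for the same 30-minute window), as an added example that is not code posted by anyone in this thread. It runs over a constructed set of unidirectional flow records using the RFC 5737 documentation ranges; the internal prefix, the thresholds and the record layout are assumptions, not anything from the list posts:

```python
"""Spot the "many internal RDP servers all streaming to one external host"
pattern in unidirectional NetFlow-style records.

Added example for the thread above; not code posted by any participant.
Addresses are constructed from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389
INTERNAL_PREFIX = "192.0.2."  # assumption: stands in for the monitored /16


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    octets: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def summarize_rdp(flows):
    """Per external peer: which internal RDP servers talked to it, and the
    byte volume in each direction (server->peer is 'out', peer->server 'in')."""
    stats = defaultdict(lambda: {"servers": set(), "out": 0, "in": 0})
    for f in flows:
        if f.proto != "TCP":
            continue
        if is_internal(f.src) and f.sport == RDP_PORT and not is_internal(f.dst):
            peer = stats[f.dst]
            peer["servers"].add(f.src)
            peer["out"] += f.octets
        elif is_internal(f.dst) and f.dport == RDP_PORT and not is_internal(f.src):
            peer = stats[f.src]
            peer["servers"].add(f.dst)
            peer["in"] += f.octets
    return stats


def find_suspicious_peers(flows, min_servers=3, min_ratio=5.0):
    """Flag peers that pulled RDP output from many servers at once with far
    more bytes leaving the servers than arriving: the "lots of screen renders
    out, only login attempts in" shape Erik describes. Thresholds are assumed."""
    findings = []
    for peer, s in summarize_rdp(flows).items():
        ratio = s["out"] / max(s["in"], 1)
        if len(s["servers"]) >= min_servers and ratio >= min_ratio:
            findings.append({
                "peer": peer,
                "servers": sorted(s["servers"]),
                "octets_out": s["out"],
                "octets_in": s["in"],
                "ratio": round(ratio, 1),
            })
    return sorted(findings, key=lambda d: (-len(d["servers"]), -d["ratio"]))


# Constructed sample: five RDP servers each send ~2 MB to 203.0.113.77 and get
# ~100 KB back; an admin session from 198.51.100.5 is roughly balanced; one
# lone server also sends a lot to 203.0.113.78 (too few servers to flag).
SAMPLE_FLOWS = []
for i, peer_port in enumerate([51534, 52699, 60824, 51669, 49215]):
    server = f"192.0.2.{10 + i}"
    SAMPLE_FLOWS.append(Flow(server, RDP_PORT, "203.0.113.77", peer_port, "TCP", 2_000_000))
    SAMPLE_FLOWS.append(Flow("203.0.113.77", peer_port, server, RDP_PORT, "TCP", 100_000))
SAMPLE_FLOWS.append(Flow("192.0.2.20", RDP_PORT, "198.51.100.5", 40001, "TCP", 350_000))
SAMPLE_FLOWS.append(Flow("198.51.100.5", 40001, "192.0.2.20", RDP_PORT, "TCP", 300_000))
SAMPLE_FLOWS.append(Flow("192.0.2.30", RDP_PORT, "203.0.113.78", 40002, "TCP", 3_000_000))
SAMPLE_FLOWS.append(Flow("203.0.113.78", 40002, "192.0.2.30", RDP_PORT, "TCP", 50_000))

if __name__ == "__main__":
    for hit in find_suspicious_peers(SAMPLE_FLOWS):
        print(hit["peer"], len(hit["servers"]), "servers,",
              hit["octets_out"], "out /", hit["octets_in"], "in, ratio", hit["ratio"])
```

The two thresholds do the work: the server count separates "one box being brute-forced" from "a whole allocation being worked at once", and the out/in byte ratio separates real interactive sessions (roughly symmetric) from the lopsided stream of login screens that the thread reports. A normal admin session and a single chatty server both stay below the bar.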
From askoorb+nanog at gmail.com Fri Jan 13 07:38:44 2012
From: askoorb+nanog at gmail.com (Alex Brooks)
Date: Fri, 13 Jan 2012 13:38:44 +0000
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To:
References:
Message-ID:

Hello,

On Fri, Jan 13, 2012 at 12:36 PM, James Braunegg wrote:
>
> Hey All,
>
> Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
>
> We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.
>

Have you contacted Microsoft yet?
https://support.microsoft.com/oas/default.aspx?gprid=1163&st=1&wfxredirect=1&sd=gn

If you have a support contract (which you probably do) you'll get a very quick response if you choose the "security" option.

Whatever you do, do let everyone know what the problem turns out to be.

Alex

From me at anuragbhatia.com Fri Jan 13 08:19:29 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Fri, 13 Jan 2012 19:49:29 +0530
Subject: community strings for Reliance Globalcom
In-Reply-To:
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID:

Additionally, http://ubs.flagtel.com/lg

Their looking glass. You can do basic traceroute and BGP from here.

On Fri, Jan 13, 2012 at 4:36 AM, Matthew Petach wrote:
> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
> > does anybody have the community strings for Reliance Globalcom
> >
>
> You might check to see if they left the default "public" read-only
> string in place, but I highly doubt it. Most people are pretty careful
> to pick at least somewhat hard to guess community strings, and
> to ACL them off from external querying.
> > Matt
> >

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From sfouant at shortestpathfirst.net Fri Jan 13 08:41:47 2012
From: sfouant at shortestpathfirst.net (Stefan Fouant)
Date: Fri, 13 Jan 2012 09:41:47 -0500
Subject: community strings for Reliance Globalcom
In-Reply-To:
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID:

I could be wrong, but I think OP was requesting BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP.

Or did I miss something?

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:

> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
>> does anybody have the community strings for Reliance Globalcom
>>
>
> You might check to see if they left the default "public" read-only
> string in place, but I highly doubt it. Most people are pretty careful
> to pick at least somewhat hard to guess community strings, and
> to ACL them off from external querying.
>
> Matt
>

From source_route at yahoo.com Fri Jan 13 08:57:19 2012
From: source_route at yahoo.com (Philip Lavine)
Date: Fri, 13 Jan 2012 06:57:19 -0800 (PST)
Subject: community strings for Reliance Globalcom
In-Reply-To:
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID: <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com>

nail on the head. I need the XXXX:XXXX notation for the BGP preference.
I need to be able to set a provider as a backup, for example: qwest would be 209:70

________________________________
From: Stefan Fouant
To: Matthew Petach
Cc: Philip Lavine ; "nanog at nanog.org"
Sent: Friday, January 13, 2012 6:41 AM
Subject: Re: community strings for Reliance Globalcom

I could be wrong, but I think OP was requesting for BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP.

Or did I miss something?

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:

> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
>> does anybody have the community strings for Reliance Globalcom
>>
>
> You might check to see if they left the default "public" read-only
> string in place, but I highly doubt it. Most people are pretty careful
> to pick at least somewhat hard to guess community strings, and
> to ACL them off from external querying.
> > Matt
>

From me at anuragbhatia.com Fri Jan 13 09:04:02 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Fri, 13 Jan 2012 20:34:02 +0530
Subject: community strings for Reliance Globalcom
In-Reply-To: <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com>
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com> <1326466639.3892.YahooMailNeo@web30805.mail.mud.yahoo.com>
Message-ID:

Here's the info from their IRR:

remarks: Communities applied at ingress
remarks: =======================================================
remarks: 15412:1xxx PoP
remarks: 15412:1101 New York
remarks: 15412:1201 Los Angeles
remarks: 15412:1202 Palo Alto
remarks: 15412:1301 Tokyo
remarks: 15412:1311 Hong Kong
remarks: 15412:1316 Singapore
remarks: 15412:1321 Seoul
remarks: 15412:1331 Singapore
remarks: 15412:1341 Taipei
remarks: 15412:1401 Cairo
remarks: 15412:1411 Bahrain
remarks: 15412:1402 Alexandria
remarks: 15412:1412 Jeddah
remarks: 15412:1413 Al Khobar
remarks: 15412:1414 Dubai
remarks: 15412:1415 Doha
remarks: 15412:1431 Mumbai
remarks: 15412:1432 Chennai
remarks: 15412:1501 London
remarks: 15412:1511 Paris
remarks: 15412:1521 Madrid
remarks: 15412:1531 Frankfurt
remarks: 15412:1514 Amsterdam
remarks: =======================================================
remarks: 15412:7xx Customer
remarks: 15412:701 Aggregate
remarks: 15412:702 Statically Routed
remarks: 15412:703 BGP Routed
remarks: 15412:705 BGP Routed (Suppress MED to upstreams)
remarks: =======================================================
remarks: 15412:8xx Peer
remarks: 15412:800 PRIVATE PEER
remarks: 15412:801 PAIX
remarks: 15412:802 NYIIX
remarks: 15412:803 JPIX
remarks: 15412:804 KINX
remarks: 15412:805 HKIX
remarks: 15412:806 LINX
remarks: 15412:807 SFINX
remarks: 15412:808 LAIX
remarks: 15412:809 AMSIX
remarks: 15412:810 DECIX
remarks: 15412:813 JPNAP
remarks: 15412:814 EQUINIX ASHBURN VA
remarks: 15412:815 EQUINIX SINGAPORE
remarks: 15412:816 EQUINIX TOKYO
remarks: 15412:817 ANY2
remarks: 15412:820 EQUINIX PARIS
remarks: 15412:821 EQUINIX HONG KONG
remarks: =======================================================
remarks: 15412:9xx Upstream
remarks: 15412:902 LEVEL3 AS3356
remarks: 15412:903 NTT/VERIO AS2914
remarks: =======================================================
remarks: BGP Communities available to customers for traffic engineering
remarks: =======================================================
remarks: Modify LocalPref
remarks:
remarks: 15412:80 = 80
remarks: 15412:200 = 200 (e.g. backup link)
remarks: 15412:300 = 300
remarks: Default (Customer/Transit/Peer) = 250/100/100
remarks: =======================================================
remarks: Suppression/Prepend
remarks: =======================================================
remarks: 15412:4100 Do not announce to any upstream
remarks: =======================================================
remarks: 15412:4120 Do not announce to LEVEL3 AS3356
remarks: 15412:4121 Prepend 15412 to LEVEL3 AS3356
remarks: 15412:4122 Prepend 15412 15412 to LEVEL3 AS3356
remarks: =======================================================
remarks: 15412:4130 Do not announce to NTT/Verio AS2914
remarks: 15412:4131 Prepend 15412 to NTT/Verio AS2914
remarks: 15412:4132 Prepend 15412 15412 to NTT/Verio AS2914
remarks: =======================================================
remarks: 15412:4500 Do not announce to FLAG peers
remarks: =======================================================
remarks: 15412:4510 Do not announce to PAIX Peers
remarks: 15412:4511 Prepend 15412 to PAIX Peers
remarks: 15412:4512 Prepend 15412 15412 to PAIX Peers
remarks: =======================================================
remarks: 15412:4520 Do not announce to NYIIX Peers
remarks: 15412:4521 Prepend 15412 to NYIIX Peers
remarks: 15412:4522 Prepend 15412 15412 to NYIIX Peers
remarks: =======================================================
remarks: 15412:4530 Do not announce to JPIX Peers
remarks: 15412:4531 Prepend 15412 to JPIX Peers
remarks: 15412:4532 Prepend 15412 15412 to JPIX Peers
remarks: =======================================================
remarks: 15412:4540 Do not announce to KINX Peers
remarks: 15412:4541 Prepend 15412 to KINX Peers
remarks: 15412:4542 Prepend 15412 15412 to KINX Peers
remarks: =======================================================
remarks: 15412:4550 Do not announce to HKIX Peers
remarks: 15412:4551 Prepend 15412 to HKIX Peers
remarks: 15412:4552 Prepend 15412 15412 to HKIX Peers
remarks: =======================================================
remarks: 15412:4560 Do not announce to LINX Peers
remarks: 15412:4561 Prepend 15412 to LINX Peers
remarks: 15412:4562 Prepend 15412 15412 to LINX Peers
remarks: =======================================================
remarks: 15412:4570 Do not announce to SFINX Peers
remarks: 15412:4571 Prepend 15412 to SFINX Peers
remarks: 15412:4572 Prepend 15412 15412 to SFINX Peers
remarks: =======================================================
remarks: 15412:4580 Do not announce to LAIX Peers
remarks: 15412:4581 Prepend 15412 to LAIX Peers
remarks: 15412:4582 Prepend 15412 15412 to LAIX Peers
remarks: =======================================================
remarks: 15412:4590 Do not announce to DECIX Peers
remarks: 15412:4591 Prepend 15412 to DECIX Peers
remarks: 15412:4592 Prepend 15412 15412 to DECIX Peers
remarks: =======================================================
remarks: 15412:4600 Do not announce to AMSIX Peers
remarks: 15412:4601 Prepend 15412 to AMSIX Peers
remarks: 15412:4602 Prepend 15412 15412 to AMSIX Peers
remarks: =======================================================
remarks: 15412:4610 Do not announce to EQUINIX ASHBURN peers
remarks: 15412:4611 Prepend 15412 to EQUINIX ASHBURN peers
remarks: 15412:4612 Prepend 15412 15412 to EQUINIX ASHBURN peers
remarks: =======================================================
remarks: 15412:4620 Do not announce to JPNAP peers
remarks: 15412:4621 Prepend 15412 to JPNAP peers
remarks: 15412:4622 Prepend 15412 15412 to JPNAP peers
remarks: =======================================================
remarks: 15412:4640 Do not announce to EQUINIX SINGAPORE peers
remarks: 15412:4641 Prepend 15412 to EQUINIX SINGAPORE peers
remarks: 15412:4642 Prepend 15412 15412 to EQUINIX SINGAPORE peers
remarks: =======================================================
remarks: 15412:4660 Do not announce to EQUINIX TOKYO peers
remarks: 15412:4661 Prepend 15412 to EQUINIX TOKYO peers
remarks: 15412:4662 Prepend 15412 15412 to EQUINIX TOKYO peers
remarks: =======================================================
remarks: 15412:4670 Do not announce to ANY2 peers
remarks: 15412:4671 Prepend 15412 to ANY2 peers
remarks: 15412:4672 Prepend 15412 15412 to ANY2 peers
remarks: =======================================================
remarks: 15412:4700 Do not announce to EQUINIX PARIS peers
remarks: 15412:4701 Prepend 15412 to EQUINIX PARIS peers
remarks: 15412:4702 Prepend 15412 15412 to EQUINIX PARIS peers

Hope that will help you.

On Fri, Jan 13, 2012 at 8:27 PM, Philip Lavine wrote:
> nail on the head. I need the XXXX:XXXX notation for the BGP preference. I
> need to be able to set a provider as a backup, for example: qwest would be
> 209:70
>
>
>
> ________________________________
> From: Stefan Fouant
> To: Matthew Petach
> Cc: Philip Lavine ; "nanog at nanog.org" <
> nanog at nanog.org>
> Sent: Friday, January 13, 2012 6:41 AM
> Subject: Re: community strings for Reliance Globalcom
>
> I could be wrong, but I think OP was requesting for BGP communities. I
> don't think he was asking for their SNMP community strings - I've never
> heard of a situation where a provider would allow their customers to poll
> their routers via SNMP.
>
> Or did I miss something?
>
> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
> Technical Trainer, Juniper Networks
>
> Follow us on Twitter @JuniperEducate
>
> Sent from my iPad
>
> On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:
>
> > On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
> >> does anybody have the community strings for Reliance Globalcom
> >>
> >
> > You might check to see if they left the default "public" read-only
> > string in place, but I highly doubt it. Most people are pretty careful
> > to pick at least somewhat hard to guess community strings, and
> > to ACL them off from external querying.
> >
> > Matt
> >
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From mark at viviotech.net Fri Jan 13 11:02:03 2012
From: mark at viviotech.net (Mark Keymer)
Date: Fri, 13 Jan 2012 09:02:03 -0800
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To:
References:
Message-ID: <4F10638B.3060109@viviotech.net>

Hi,

We have had 2 of the below hit us this week. First time was approx. 11:20am 1/10/2012 (PST). The 2nd was 1/12/2012 (Yesterday) 4:45pm. We had done some research and had already planned to switch to Network Level Authentication (NLA) as it looks like that would help with the screen not getting dumped. Unfortunately we had not done the change to that yet as we were looking for, and found, a new RDP client on Linux that would support it. However last night we did start doing the changes to NLA.

I am not saying NLA is a fix or that it is the best option. Just one of the things we are trying. When we can, locking down access to the RDP port I think would be best.

Ohh, as for the destination. The first day was to 221.251.194.42. Yesterday was for 115.236.185.167.
Sincerely,

Mark Keymer

On 1/13/2012 4:36 AM, James Braunegg wrote:
> Hey All,
>
> Just posting to see if anyone has seen any strange outbound traffic on port 3389 from Microsoft Windows Server over the last few hours.
>
> We witnessed an alarming amount of completely independent Microsoft Windows Servers, each on separate vlan and subnets (ie all /30 and /29 allocations) with separate gateways on and completely separate customers, but all services were within the same 1.x.x.x/16 allocation all simultaneously send around 2mbit or so data to a specific target IP address.
>
> The only common link was / is terminal services port 3389 is open to the public. Obviously someone (Mr 133t dude) scanned an allocation within our network, and like a worm was able to simultaneously control every Microsoft Windows Server to send outbound traffic.
>
> Microsoft Windows Servers within the 1.x.x.x/16 allocation which were behind a firewall or VPN and did not have public 3389 access did not send the unknown traffic
>
> Would be very interested if anyone else has seen this behavior before!
> Or is this the start of a lovely new Zero Day Vulnerability with Windows RDP, if so I name it "ohDeer-RDP"
>
> A sample of the traffic is as per below, collected from netflow
>
> Source      Destination   Application    Src Port  Dst Port  Proto
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51534     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      52699     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      60824     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51669     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      49215     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      62099     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      65429     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51965     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      50381     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59379     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58103     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59514     TCP
> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58298     TCP
>
> This occurred around 10:30pm AEST Friday the 13th of January 2012
>
> We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges which were totally unaffected.
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
> This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
>
>

From jerry at jdixon.com Fri Jan 13 11:07:20 2012
From: jerry at jdixon.com (Jerry Dixon)
Date: Fri, 13 Jan 2012 12:07:20 -0500
Subject: Possible New Zero Day Microsoft Windows 3389 vulnerability - outbound traffic 3389
In-Reply-To: <4F10638B.3060109@viviotech.net>
References: <4F10638B.3060109@viviotech.net>
Message-ID:

Another possibility is the use of this tool as well:
http://www.sensepost.com/labs/tools/pentest/reduh (Reduh)

Jerry
jerry at jdixon.com

On Fri, Jan 13, 2012 at 12:02 PM, Mark Keymer wrote:
> Hi,
>
> We have had 2 of the below hit us this week. First time was approx. 11:20am
> 1/10/2012 (PST). The 2nd was 1/12/2012 (Yesterday) 4:45pm. We had done some
> research and had already planned to switch to Network Level Authentication
> (NLA) as it looks like that would help with the screen not getting dumped.
> Unfortunately we had not done the change to that yet as we were
> looking for, and found, a new RDP client on Linux that would support it.
> However last night we did start doing the changes to NLA.
>
> I am not saying NLA is a fix or that it is the best option. Just one of
> the things we are trying. When we can, locking down access to the RDP port
> I think would be best.
>
> Ohh, as for the destination. The first day was to 221.251.194.42.
> Yesterday was for 115.236.185.167.
>
> Sincerely,
>
> Mark Keymer
>
>
> On 1/13/2012 4:36 AM, James Braunegg wrote:
>
>> Hey All,
>>
>> Just posting to see if anyone has seen any strange outbound traffic on
>> port 3389 from Microsoft Windows Server over the last few hours.
>>
>> We witnessed an alarming amount of completely independent Microsoft
>> Windows Servers, each on separate vlan and subnets (ie all /30 and /29
>> allocations) with separate gateways on and completely separate customers,
>> but all services were within the same 1.x.x.x/16 allocation all
>> simultaneously send around 2mbit or so data to a specific target IP address.
>>
>> The only common link was / is terminal services port 3389 is open to the
>> public. Obviously someone (Mr 133t dude) scanned an allocation within our
>> network, and like a worm was able to simultaneously control every Microsoft
>> Windows Server to send outbound traffic.
>>
>> Microsoft Windows Servers within the 1.x.x.x/16 allocation which were
>> behind a firewall or VPN and did not have public 3389 access did not send
>> the unknown traffic
>>
>> Would be very interested if anyone else has seen this behavior before!
>> Or is this the start of a lovely new Zero Day Vulnerability with Windows
>> RDP, if so I name it "ohDeer-RDP"
>>
>> A sample of the traffic is as per below, collected from netflow
>>
>> Source      Destination   Application    Src Port  Dst Port  Proto
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51534     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      52699     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      60824     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51669     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      49215     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      62099     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      65429     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      51965     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      50381     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59379     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58103     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      59514     TCP
>> x.x.x.x/16  58.162.67.45  ms-wbt-server  3389      58298     TCP
>>
>> This occurred around 10:30pm AEST Friday the 13th of January 2012
>>
>> We had many other Microsoft Windows Servers in other 2.x.x.x/16 IP ranges
>> which were totally unaffected.
>>
>> Kindest Regards
>>
>> James Braunegg
>> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
>> E: james.braunegg at micron21.com
>> | ABN: 12 109 977 666
>>
>> This message is intended for the addressee named above. It may contain
>> privileged or confidential information. If you are not the intended
>> recipient of this message you must not use, copy, distribute or disclose it
>> to anyone other than the addressee. If you have received this message in
>> error please return the message to the sender by replying to it and then
>> delete the message from your computer.
>>
>>
>>
>
>

--
Jerry
jerry at jdixon.com

From mpetach at netflight.com Fri Jan 13 11:22:40 2012
From: mpetach at netflight.com (Matthew Petach)
Date: Fri, 13 Jan 2012 09:22:40 -0800
Subject: community strings for Reliance Globalcom
In-Reply-To:
References: <1326409030.30705.YahooMailNeo@web30808.mail.mud.yahoo.com>
Message-ID:

On Fri, Jan 13, 2012 at 6:41 AM, Stefan Fouant wrote:
> I could be wrong, but I think OP was requesting for BGP communities. I don't think he was asking for their SNMP community strings - I've never heard of a situation where a provider would allow their customers to poll their routers via SNMP.
>
> Or did I miss something?

Sorry--I was knee-deep in digging through IPv6 OIDs, so my brain was all awash with SNMP community strings when I saw the post. You're right, in retrospect BGP communities made more sense.

Apologies for the confusion.
Matt

> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ER, JNCI
> Technical Trainer, Juniper Networks
>
> Follow us on Twitter @JuniperEducate
>
> Sent from my iPad
>
> On Jan 12, 2012, at 6:06 PM, Matthew Petach wrote:
>
>> On Thu, Jan 12, 2012 at 2:57 PM, Philip Lavine wrote:
>>> does anybody have the community strings for Reliance Globalcom
>>>
>>
>> You might check to see if they left the default "public" read-only
>> string in place, but I highly doubt it. Most people are pretty careful
>> to pick at least somewhat hard to guess community strings, and
>> to ACL them off from external querying.
>>
>> Matt
>>
>

From jlewis at lewis.org Fri Jan 13 11:42:30 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 13 Jan 2012 12:42:30 -0500 (EST)
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk>
Message-ID:

On Fri, 13 Jan 2012, Daniel Ankers wrote:

> I looked into Puppet and though I've got it managing parts of our
> infrastructure it seems quite difficult to bolt on to an existing
> setup. There are also some things that I can't see how to do easily
> with Puppet ("Don't upgrade packages on the live environment until
> we've tested them in staging" being a big one.)

Has anyone mentioned cluster ssh yet? Depending on your scale, cluster ssh and a "really big screen" may be a suitable way to manage N servers and do things like apply updates or make identical changes to all at once (or in groups). It also gives you the flexibility to apply commands to all or single out a system and do things just in the one window, then go back to talking to all.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From David at crmls.org Fri Jan 13 12:01:45 2012
From: David at crmls.org (David Siegrist)
Date: Fri, 13 Jan 2012 18:01:45 +0000
Subject: Verizon FIOS/DSL - Southern California DNS Issues
Message-ID: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>

Hi,

Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?

Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites. One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true

I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.

Thanks in advance.

David Siegrist
IT Systems Manager
david at crmls.org

From rchen at mpi-sws.org Fri Jan 13 12:02:01 2012
From: rchen at mpi-sws.org (Ruichuan Chen)
Date: Fri, 13 Jan 2012 19:02:01 +0100
Subject: Address-based Route Reflection
Message-ID:

Dear all,

The document below may be of interest:

"Address-based Route Reflection" at http://bgp.mpi-sws.org/papers/abrr-CoNEXT11.pdf
by Ruichuan Chen (MPI-SWS), Aman Shaikh (AT&T Labs Research), Jia Wang (AT&T Labs Research), Paul Francis (MPI-SWS)

==== Abstract ====

This work presents Address-Based Route Reflection (ABRR): the first iBGP solution that completely solves all oscillation and looping problems, has no path inefficiencies, and puts no constraints on RR placement.
ABRR does this by emulating the semantics of full-mesh iBGP, and thereby adopting the correctness and path efficiency properties of full-mesh iBGP. Both traditional Topology-Based Route Reflection (TBRR) and ABRR take a divide-and-conquer approach. While TBRR scales by making each RR responsible for all prefixes from some fraction of routers, ABRR scales by making each RR responsible for some fraction of prefixes from all routers.

Best regards,
--Ruichuan

From me at anuragbhatia.com Fri Jan 13 12:14:53 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Fri, 13 Jan 2012 23:44:53 +0530
Subject: Verizon FIOS/DSL - Southern California DNS Issues
In-Reply-To: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>
References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>
Message-ID:

Hello David

Can you share the dig result along with +trace? Something like:

dig store.steampowered.com +trace

This will give an exact idea of where DNS resolution is failing. It might be that one of these servers failed:

ns3.valvesoftware.com.
ns1.valvesoftware.com.
ns2.valvesoftware.com.

or something like that.

On Fri, Jan 13, 2012 at 11:31 PM, David Siegrist wrote:
> Hi,
>
> Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72
> hours?
> Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one
> of them. We have over 300 of our members throughout California on Verizon
> FIOS/DSL experiencing issues getting to sites. One of the big ones is Bank
> of America. I have started a post on Verizon's site and directed our
> members to post their issues there.
>
>
> http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
> I can't seem to get the issue escalated. Thought I would get the opinion
> of the group to see how to get this issue to the actual engineers that
> have access to Verizon's DNS servers.
>
> Thanks in advance.
>
> David Siegrist
> IT Systems Manager
> david at crmls.org
>
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia

From jamesl at mythostech.com Fri Jan 13 12:21:59 2012
From: jamesl at mythostech.com (James Laszko)
Date: Fri, 13 Jan 2012 18:21:59 +0000
Subject: Verizon FIOS/DSL - Southern California DNS Issues
In-Reply-To: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>
References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS>
Message-ID: <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>

>Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?
>Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites.
>One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.
>
>http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
>I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.
>
>Thanks in advance.
>
>David Siegrist
>IT Systems Manager
>david at crmls.org

We are seeing all kinds of oddities through Verizon FIOS for a ton of our customers in the Riverside County area as well. Looks like HTTP / HTTPS filtering or something. Some sites can get to places that others (right next door) can't. Pings and traceroutes work, but HTTP / HTTPS connections fail to various places. We are also seeing HORRIBLE performance of VOIP to multiple providers for every one of our FIOS customers.....

We have been unable to get any support from Verizon ourselves... If anyone knows anyone who knows anything at Verizon, please pass the information along!
Thanks,

James Laszko
Mythos Technology Inc
jamesl at mythostech.com

From David at crmls.org  Fri Jan 13 12:25:40 2012
From: David at crmls.org (David Siegrist)
Date: Fri, 13 Jan 2012 18:25:40 +0000
Subject: Verizon FIOS/DSL - Southern California DNS Issues
In-Reply-To: <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>
References: <92C7B37E445C314BB2AF771D119F244A7FB608@MrMAILp02.MRODD.MRMLS> <8078ED370ADA824281219A7B5BADC39B1444F522@MBX023-W1-CA-5>
Message-ID: <92C7B37E445C314BB2AF771D119F244A7FB642@MrMAILp02.MRODD.MRMLS>

Hi James,

Can you do me a favor and post what you are seeing on the link I provided.

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true

Maybe if enough of the community posts, it may get Verizon's attention.

David Siegrist
IT Systems Manager
david at crmls.org

-----Original Message-----
From: James Laszko [mailto:jamesl at mythostech.com]
Sent: Friday, January 13, 2012 10:22 AM
To: David Siegrist; nanog at nanog.org
Subject: RE: Verizon FIOS/DSL - Southern California DNS Issues

>Has anyone been experiencing Verizon FIOS/DSL DNS issues for the past 72 hours?
>Looks like Verizon FIOS/DSL is blocking legitimate sites, ours being one of them. We have over 300 of our members throughout California on Verizon FIOS/DSL experiencing issues getting to sites.
>One of the big ones is Bank of America. I have started a post on Verizon's site and directed our members to post their issues there.
>
>http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/highlight/true
>
>I can't seem to get the issue escalated. Thought I would get the opinion of the group to see how to get this issue to the actual engineers that have access to Verizon's DNS servers.
>
>Thanks in advance.
>
>David Siegrist
>IT Systems Manager
>david at crmls.org

We are seeing all kinds of oddities through Verizon FIOS for a ton of our customers in the Riverside County area as well. Looks like HTTP / HTTPS filtering or something. Some sites can get to places that others (right next door) can't. Pings and traceroutes work, but HTTP / HTTPS connections fail to various places. We are also seeing HORRIBLE performance of VOIP to multiple providers for every one of our FIOS customers.....

We have been unable to get any support from Verizon ourselves... If anyone knows anyone who knows anything at Verizon, please pass the information along!

Thanks,

James Laszko
Mythos Technology Inc
jamesl at mythostech.com

From bhmccie at gmail.com  Fri Jan 13 13:19:31 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 13:19:31 -0600
Subject: VPC=S/MLT?
Message-ID: <4F1083C3.9030804@gmail.com>

OK, So I'm doing a lot of reading lately on Nexus as we are about to get into the 7k/5k game and of course a lot of the marketing revolves around VPC. Every time I see it referenced, I keep remembering a reasonably reliable Nortel implementation called Split MLT (Multi Link Trunk). Is there something fancy here that I'm missing in the docs or am I wrong in equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown up 8 years late and is trying to hype it up to compensate?

--
-Hammer-

"I was a normal American nerd"
-Jack Herer

From nikky at mnet.bg  Fri Jan 13 13:22:31 2012
From: nikky at mnet.bg (Nickola Kolev)
Date: Fri, 13 Jan 2012 21:22:31 +0200
Subject: Linux Centralized Administration
In-Reply-To:
References: <00f001ccd16d$8bfc7400$a3f55c00$@paulstewart.org> <4F0F8E3E.2020705@gmail.com> <4F0F8F7F.8090208@paulgraydon.co.uk>
Message-ID: <20120113212231.e2bb797d.nikky@mnet.bg>

Hello,

On Fri, 13 Jan 2012 12:42:30 -0500 (EST)
Jon Lewis wrote:

> On Fri, 13 Jan 2012, Daniel Ankers wrote:
>
> > I looked into Puppet and though I've got it managing parts of our
> > infrastructure it seems quite difficult to bolt on to an existing
> > setup.
> > There are also some things that I can't see how to do easily
> > with Puppet ("Don't upgrade packages on the live environment until
> > we've tested them in staging" being a big one.)
>
> Has anyone mentioned cluster ssh yet? Depending on your scale,
> cluster ssh and a "really big screen" may be a suitable way to manage
> N servers and do things like apply updates or make identical changes
> to all at once (or in groups). It also gives you the flexibility to
> apply commands to all or single out a system and do things just in
> the one window, then go back to talking to all.

Continuing that line of tools, I'm using parallel-ssh (http://code.google.com/p/parallel-ssh/) with great success for managing several hundred servers, spread all over the world.

--
Best regards,
Nickola Kolev

From cscora at apnic.net  Fri Jan 13 13:29:10 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 14 Jan 2012 05:29:10 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201201131929.q0DJTA6o023161@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.
Routing Table Report   04:00 +10GMT Sat 14 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 390792
    Prefixes after maximum aggregation: 168714
    Deaggregation factor: 2.32
    Unique aggregates announced to Internet: 190828
Total ASes present in the Internet Routing Table: 39823
    Prefixes per ASN: 9.81
Origin-only ASes present in the Internet Routing Table: 32590
Origin ASes announcing only one prefix: 15510
Transit ASes present in the Internet Routing Table: 5382
Transit-only ASes present in the Internet Routing Table: 143
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 33
Max AS path prepend of ASN (48687): 24
Prefixes from unregistered ASNs in the Routing Table: 2098
Unregistered ASNs in the Routing Table: 1058
Number of 32-bit ASNs allocated by the RIRs: 2178
Number of 32-bit ASNs visible in the Routing Table: 1851
Prefixes from 32-bit ASNs in the Routing Table: 4455
Special use prefixes present in the Routing Table: 2
Prefixes being announced from unallocated address space: 120
Number of addresses announced to Internet: 2509165880
    Equivalent to 149 /8s, 142 /16s and 213 /24s
    Percentage of available address space announced: 67.7
    Percentage of allocated address space announced: 67.7
    Percentage of available address space allocated: 100.0
    Percentage of address space in use by end-sites: 91.9
Total number of prefixes smaller than registry allocations: 165725

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 96436
    Total APNIC prefixes after maximum aggregation: 31482
    APNIC Deaggregation factor: 3.06
Prefixes being announced from the APNIC address blocks: 92792
Unique aggregates announced from the APNIC address blocks: 38873
APNIC Region origin ASes present in the Internet Routing Table: 4636
    APNIC Prefixes per ASN: 20.02
APNIC Region origin ASes announcing only one prefix: 1249
APNIC Region transit ASes present in the Internet Routing Table: 731
Average APNIC Region AS path length visible: 4.3
Max APNIC Region AS path length visible: 18
Number of APNIC region 32-bit ASNs visible in the Routing Table: 133
Number of APNIC addresses announced to Internet: 634071944
    Equivalent to 37 /8s, 203 /16s and 43 /24s
Percentage of available APNIC address space announced: 80.4

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8,
                       58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8,
                       111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
                       119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
                       133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8,
                       211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 147469
    Total ARIN prefixes after maximum aggregation: 75118
    ARIN Deaggregation factor: 1.96
Prefixes being announced from the ARIN address blocks: 119452
Unique aggregates announced from the ARIN address blocks: 49103
ARIN Region origin ASes present in the Internet Routing Table: 14847
    ARIN Prefixes per ASN: 8.05
ARIN Region origin ASes announcing only one prefix: 5677
ARIN Region transit ASes present in the Internet Routing Table: 1584
Average ARIN Region AS path length visible: 4.0
Max ARIN Region AS path length visible: 25
Number of ARIN region 32-bit ASNs visible in the Routing Table: 14
Number of ARIN addresses announced to Internet: 804708544
    Equivalent to 47 /8s, 246 /16s and 224 /24s
Percentage of available ARIN address space announced: 64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8,
                       13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8,
                       22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8,
                       33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8,
                       48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8,
                       63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8,
                       71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8,
                       98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 173/8, 174/8,
                       184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 96603
    Total RIPE prefixes after maximum aggregation: 51929
    RIPE Deaggregation factor: 1.86
Prefixes being announced from the RIPE address blocks: 88466
Unique aggregates announced from the RIPE address blocks: 55570
RIPE Region origin ASes present in the Internet Routing Table: 16238
    RIPE Prefixes per ASN: 5.45
RIPE Region origin ASes announcing only one prefix: 7979
RIPE Region transit ASes present in the Internet Routing Table: 2582
Average RIPE Region AS path length visible: 4.6
Max RIPE Region AS path length visible: 33
Number of RIPE region 32-bit ASNs visible in the Routing Table: 1284
Number of RIPE addresses announced to Internet: 497328072
    Equivalent to 29 /8s, 164 /16s and 159 /24s
Percentage of available RIPE address space announced: 80.1

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       196608-198655
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8,
                       77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8,
                       85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8,
                       93/8, 94/8, 95/8, 109/8, 176/8, 178/8, 185/8, 193/8,
                       194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 37209
    Total LACNIC prefixes after maximum aggregation: 8038
    LACNIC Deaggregation factor: 4.63
Prefixes being announced from the LACNIC address blocks: 36808
Unique aggregates announced from the LACNIC address blocks: 19247
LACNIC Region origin ASes present in the Internet Routing Table: 1560
    LACNIC Prefixes per ASN: 23.59
LACNIC Region origin ASes announcing only one prefix: 446
LACNIC Region transit ASes present in the Internet Routing Table: 287
Average LACNIC Region AS path length visible: 4.4
Max LACNIC Region AS path length visible: 28
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 416
Number of LACNIC addresses announced to Internet: 95387016
    Equivalent to 5 /8s, 175 /16s and 125 /24s
Percentage of available LACNIC address space announced: 63.2

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8,
                       200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes: 8459
    Total AfriNIC prefixes after maximum aggregation: 2074
    AfriNIC Deaggregation factor: 4.08
Prefixes being announced from the AfriNIC address blocks: 6501
Unique aggregates announced from the AfriNIC address blocks: 2075
AfriNIC Region origin ASes present in the Internet Routing Table: 506
    AfriNIC Prefixes per ASN: 12.85
AfriNIC Region origin ASes announcing only one prefix: 159
AfriNIC Region transit ASes present in the Internet Routing Table: 115
Average AfriNIC Region AS path length visible: 4.5
Max AfriNIC Region AS path length visible: 25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 4
Number of AfriNIC addresses announced to Internet: 30834432
    Equivalent to 1 /8s, 214 /16s and 127 /24s
Percentage of available AfriNIC address space announced: 45.9

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
4766          2473      11100     971  Korea Telecom (KIX)
17974         1715        503      36  PT TELEKOMUNIKASI INDONESIA
7545          1609        303      83  TPG Internet Pty Ltd
4755          1516        385     156  TATA Communications formerly
7552          1425       1064       7  Vietel Corporation
9829          1163        989      28  BSNL National Internet Backbo
9583          1118         81     495  Sify Limited
4808          1103       2053     314  CNCGROUP IP network: China169
24560         1010        384     167  Bharti Airtel Ltd., Telemedia
18101          976        130     155  Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
6389          3455       3807     207  bellsouth.net, inc.
7029          3222       1017     200  Windstream Communications Inc
18566         2093        382     177  Covad Communications
1785          1865        680     123  PaeTec Communications, Inc.
20115         1618       1552     619  Charter Communications
4323          1604       1062     382  Time Warner Telecom
22773         1517       2909     108  Cox Communications, Inc.
30036         1489        264     696  Mediacom Communications Corp
19262         1388       4683     401  Verizon Global Networks
7018          1299       7012     850  AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
8402          1665        480      15  Corbina telecom
15557         1096       2161      64  LDCOM NETWORKS
2118           927         99      14  EUnet/RELCOM Autonomous Syste
31148          657         35       9  FreeNet ISP
6830           644       1928     413  UPC Distribution Services
34984          639        188     174  BILISIM TELEKOM
20940          562        182     448  Akamai Technologies European
12479          551        636      53  Uni2 Autonomous System
8551           521        360      81  Bezeq International
3320           517       8157     393  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
10620         1738        321     159  TVCABLE BOGOTA
28573         1579       1066      77  NET Servicos de Comunicao S.A
8151          1462       2997     343  UniNet S.A. de C.V.
7303          1256        756     179  Telecom Argentina Stet-France
27947          634         73      95  Telconet S.A
22047          582        322      17  VTR PUNTO NET S.A.
7738           551       1050      31  Telecomunicacoes da Bahia S.A
3816           550        238      92  Empresa Nacional de Telecomun
6503           541        434      68  AVANTEL, S.A.
11172          535        102     101  Servicios Alestra S.A de C.V

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
8452          1013        958      13  TEDATA
24863          795        146      36  LINKdotNET AS number
3741           280        939     229  The Internet Solution
6713           250        649      18  Itissalat Al-MAGHRIB
33776          240         13       8  Starcomms Nigeria Limited
15706          239         32       6  Sudatel Internet Exchange Aut
29571          218         17      12  Ci Telecom Autonomous system
12258          195         28      60  Vodacom Internet Company
24835          188         80       8  RAYA Telecom - Egypt
16637          160        664      82  MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN     No of nets  /20 equiv  MaxAgg  Description
6389          3455       3807     207  bellsouth.net, inc.
7029          3222       1017     200  Windstream Communications Inc
4766          2473      11100     971  Korea Telecom (KIX)
18566         2093        382     177  Covad Communications
1785          1865        680     123  PaeTec Communications, Inc.
10620         1738        321     159  TVCABLE BOGOTA
17974         1715        503      36  PT TELEKOMUNIKASI INDONESIA
8402          1665        480      15  Corbina telecom
20115         1618       1552     619  Charter Communications
7545          1609        303      83  TPG Internet Pty Ltd

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN     No of nets  Net Savings  Description
7029          3222         3022  Windstream Communications Inc
18566         2093         1916  Covad Communications
1785          1865         1742  PaeTec Communications, Inc.
17974         1715         1679  PT TELEKOMUNIKASI INDONESIA
8402          1665         1650  Corbina telecom
10620         1738         1579  TVCABLE BOGOTA
7545          1609         1526  TPG Internet Pty Ltd
4766          2473         1502  Korea Telecom (KIX)
28573         1579         1502  NET Servicos de Comunicao S.A
7552          1425         1418  Vietel Corporation

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24          7018  AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24         4323  Time Warner Telecom
32567   UNALLOCATED  12.25.107.0/24         4323  Time Warner Telecom
25639   UNALLOCATED  12.41.169.0/24         7018  AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24          7018  AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24          7018  AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24         7018  AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24          701  UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24          7018  AT&T WorldNet Servic
32873   UNALLOCATED  12.46.100.0/23        10912  InterNAP Network Ser

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix          Origin AS  Description
128.0.0.0/21        12654  RIPE NCC RIS Project
128.0.24.0/24       12654  RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network          Origin AS  Description
14.192.0.0/22        45464  Room 201, TGU Bldg
14.192.4.0/22        45464  Room 201, TGU Bldg
14.192.8.0/22        45464  Room 201, TGU Bldg
14.192.12.0/22       45464  Room 201, TGU Bldg
14.192.16.0/22       45464  Room 201, TGU Bldg
14.192.20.0/22       45464  Room 201, TGU Bldg
14.192.24.0/22       45464  Room 201, TGU Bldg
14.192.28.0/22       45464  Room 201, TGU Bldg
37.46.80.0/21        23456  32-bit ASN transition
41.222.79.0/24       37345  MEDALLION Communications

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0       /2:0       /3:0       /4:0       /5:0       /6:0       /7:0       /8:19
/9:12      /10:27     /11:81     /12:234    /13:463    /14:817    /15:1459   /16:12118
/17:6147   /18:10195  /19:20203  /20:27995  /21:28534  /22:38863  /23:36419  /24:203565
/25:1181   /26:1420   /27:782    /28:171    /29:56     /30:13     /31:0      /32:18

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN     No of nets  Total ann.  Description
7029          2842        3222  Windstream Communications Inc
6389          2116        3455  bellsouth.net, inc.
18566         2042        2093  Covad Communications
8402          1644        1665  Corbina telecom
10620         1633        1738  TVCABLE BOGOTA
30036         1448        1489  Mediacom Communications Corp
11492         1115        1152  Cable One
1785          1066        1865  PaeTec Communications, Inc.
15557         1046        1096  LDCOM NETWORKS
7011          1042        1159  Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

1:494      2:464      4:15       5:1        6:3        8:368      12:1950    13:1
14:586     15:11      16:3       17:6       20:9       23:98      24:1710    27:1170
31:812     32:67      33:2       34:2       36:8       37:87      38:794     40:114
41:2895    42:85      43:1       44:3       46:1216    47:3       49:317     50:506
52:13      55:7       56:2       57:41      58:946     59:491     60:344     61:1182
62:950     63:1966    64:4119    65:2298    66:4375    67:2005    68:1155    69:3149
70:918     71:427     72:1805    74:2649    75:446     76:320     77:948     78:899
79:497     80:1187    81:863     82:550     83:530     84:586     85:1155    86:748
87:908     88:338     89:1598    90:267     91:4418    92:534     93:1543    94:1351
95:1062    96:394     97:296     98:798     99:38      100:18     101:127    103:637
106:10     107:133    108:125    109:1422   110:684    111:839    112:427    113:519
114:610    115:756    116:868    117:726    118:907    119:1235   120:357    121:679
122:1624   123:1050   124:1336   125:1352   128:535    129:192    130:201    131:588
132:162    133:21     134:226    135:58     136:213    137:151    138:288    139:144
140:490    141:261    142:379    143:393    144:504    145:68     146:484    147:223
148:635    149:279    150:166    151:193    152:447    153:170    154:7      155:393
156:210    157:366    158:155    159:511    160:320    161:222    162:337    163:188
164:529    165:391    166:562    167:456    168:853    169:147    170:830    171:103
172:4      173:1778   174:589    175:418    176:348    177:454    178:1183   180:1219
181:43     182:687    183:264    184:430    185:1      186:1490   187:831    188:1034
189:1156   190:5321   192:5991   193:5462   194:3943   195:3313   196:1281   197:167
198:3627   199:4295   200:5583   201:1703   202:8417   203:8588   204:4353   205:2430
206:2734   207:2806   208:4020   209:3551   210:2742   211:1480   212:1968   213:1818
214:838    215:94     216:4938   217:1472   218:560    219:337    220:1247   221:557
222:324    223:267

End of report

From joelja at bogus.com  Fri Jan 13 13:31:56 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 13 Jan 2012 11:31:56 -0800
Subject: VPC=S/MLT?
In-Reply-To: <4F1083C3.9030804@gmail.com>
References: <4F1083C3.9030804@gmail.com>
Message-ID: <4F1086AC.9050201@bogus.com>

On 1/13/12 11:19 , -Hammer- wrote:
> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
> into the 7k/5k game and of course a lot of the marketing revolves around
> VPC. Every time I see it referenced, I keep remembering a reasonably
> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
> there something fancy here that I'm missing in the docs or am I wrong in
> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
> up 8 years late and is trying to hype it up to compensate?

vpc/vlt/mlag/s/mlt

From bhmccie at gmail.com  Fri Jan 13 13:38:49 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 13:38:49 -0600
Subject: VPC=S/MLT?
In-Reply-To: <4F1086AC.9050201@bogus.com>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com>
Message-ID: <4F108849.8040002@gmail.com>

Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to understand if VPC has any more recent enhancements that weren't around for some older multi-chassis channel methods but I don't see anything specific in the docs other than some FHRP (HSRP only it appears) and PIM tweaks. If anyone has some really deep docs on VPC I'd appreciate the links.
Thanks.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/13/2012 1:31 PM, Joel jaeggli wrote:
> On 1/13/12 11:19 , -Hammer- wrote:
>> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
>> into the 7k/5k game and of course a lot of the marketing revolves around
>> VPC. Every time I see it referenced, I keep remembering a reasonably
>> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
>> there something fancy here that I'm missing in the docs or am I wrong in
>> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
>> up 8 years late and is trying to hype it up to compensate?
> vpc/vlt/mlag/s/mlt
>
>
>

From leigh.porter at ukbroadband.com  Fri Jan 13 14:10:49 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Fri, 13 Jan 2012 20:10:49 +0000
Subject: VPC=S/MLT?
In-Reply-To: <4F1086AC.9050201@bogus.com>
References: <4F1083C3.9030804@gmail.com>,<4F1086AC.9050201@bogus.com>
Message-ID: <01A2B25C-719F-4A99-A681-A5BA5B7FB9EF@ukbroadband.com>

On 13 Jan 2012, at 19:35, "Joel jaeggli" wrote:

> On 1/13/12 11:19 , -Hammer- wrote:
>> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
>> into the 7k/5k game and of course a lot of the marketing revolves around
>> VPC. Every time I see it referenced, I keep remembering a reasonably
>> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
>> there something fancy here that I'm missing in the docs or am I wrong in
>> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
>> up 8 years late and is trying to hype it up to compensate?
>
> vpc/vlt/mlag/s/mlt
>

I am using the Brocade version, Multi Chassis Trunking (MCT), and it really does make things a lot nicer.

--
Leigh Porter

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From c.spurgeon at mail.utexas.edu  Fri Jan 13 14:10:00 2012
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Fri, 13 Jan 2012 14:10:00 -0600
Subject: VPC=S/MLT?
In-Reply-To: <4F108849.8040002@gmail.com>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com>
Message-ID: <20120113201000.GA88108@argus.gw.utexas.edu>

On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote:
> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to
> understand if VPC has any more recent enhancements that weren't around
> for some older multi-chassis channel methods but I don't see anything
> specific in the docs other than some FHRP (HSRP only it appears) and PIM
> tweaks. If anyone has some really deep docs on VPC I'd appreciate the
> links. Thanks.

These two docs provide a lot of details:

vPC fundamental concepts:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf

"Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1)":
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From bhmccie at gmail.com  Fri Jan 13 14:14:40 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 13 Jan 2012 14:14:40 -0600
Subject: VPC=S/MLT?
In-Reply-To: <20120113201000.GA88108@argus.gw.utexas.edu>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu>
Message-ID: <4F1090B0.6030609@gmail.com>

Thanks Charles. Good stuff.
-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/13/2012 2:10 PM, Charles Spurgeon wrote:
> On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote:
>> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to
>> understand if VPC has any more recent enhancements that weren't around
>> for some older multi-chassis channel methods but I don't see anything
>> specific in the docs other than some FHRP (HSRP only it appears) and PIM
>> tweaks. If anyone has some really deep docs on VPC I'd appreciate the
>> links. Thanks.
> These two docs provide a lot of details:
>
> vPC fundamental concepts:
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> "Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1)":
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
>

From mkarir at merit.edu  Fri Jan 13 14:19:04 2012
From: mkarir at merit.edu (Manish Karir)
Date: Fri, 13 Jan 2012 15:19:04 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
Message-ID: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>

All,

We would like to announce the availability of the bgpTables Project at Merit at:

http://bgptables.merit.edu

bgpTables allows users to easily navigate global routing table data collected via routeviews.org. bgptables essentially processes the data collected at routeviews and makes it available in a somewhat easier-to-use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the vantage point of the various bgp table views as seen at routeviews. The data is currently updated nightly (EST) but we hope to improve this over time.

Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. Some examples:

- You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN

- You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.

- You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.

- You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned, from which you can then select the particular ASN that is of interest to you.

Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu.

Hopefully folks will find this useful.

Thanks.
-The Merit Network Research and Development Team From bhmccie at gmail.com Fri Jan 13 15:06:08 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 13 Jan 2012 15:06:08 -0600 Subject: VPC=S/MLT? In-Reply-To: <20120113201000.GA88108@argus.gw.utexas.edu> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> Message-ID: <4F109CC0.8000800@gmail.com> Charles, The first link references "chapter 3". I found chapter 5 as well but I can't find the full index. Do you have that link by any chance? -Hammer- "I was a normal American nerd" -Jack Herer On 1/13/2012 2:10 PM, Charles Spurgeon wrote: > On Fri, Jan 13, 2012 at 01:38:26PM -0600, -Hammer- wrote: >> Wow. A fellow greybeard. OK. That's what I needed to know. I'm trying to >> understand if VPC has any more recent enhancements that weren't around >> for some older multi-chassis channel methods but I don't see anything >> specific in the docs other than some FHRP (HSRP only it appears) and PIM >> tweaks. If anyone has some really deep docs on VPC I'd appreciate the >> links. Thanks. > These two docs provide a lot of details: > > vPC fundamental concepts: > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf > > "Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels Updated to Cisco NX-OS Software Release 5.1(3)N1(1): > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf > > -Charles > > Charles E. Spurgeon / UTnet > UT Austin ITS / Networking > c.spurgeon at its.utexas.edu / 512.475.9265 > From sh.vahabzadeh at gmail.com Fri Jan 13 15:24:27 2012 From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh) Date: Sat, 14 Jan 2012 00:54:27 +0330 Subject: IP Management Software In-Reply-To: References: Message-ID: Hi, Would you please tell me what is the advantages of noc-project? 
It takes hours to install it and it looks like software with lots of bugs. I have it now but there are many problems in their scripts, aren't there?
Thanks

On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
> Try noc project
>
>
> On Friday, December 16, 2011, Shahab Vahabzadeh
> wrote:
> > Hi everybody,
> > Can anybody share his/her experience with IP management software
> > which I can use to manage nearly 100K IP addresses?
> > IPPlan is not good enough, I think its
> >
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From joshbaird at gmail.com Fri Jan 13 15:50:03 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 13 Jan 2012 16:50:03 -0500
Subject: IP Management Software
In-Reply-To: References: Message-ID:

We use Men & Mice, but it is a commercial product. Solarwinds and Infoblox also have commercial offerings that are worth looking at. If you're looking at an IPAM platform with emphasis on IPv6, check out www.6connect.com. They offer a free product that is pretty comprehensive.

Josh

On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh wrote:
> Hi,
> Would you please tell me what the advantages of noc-project are?
> It takes hours to install it and it looks like software with lots of bugs.
> I have it now but there are many problems in their scripts, aren't there?
> Thanks
>
> On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
>
>> Try noc project
>>
>>
>> On Friday, December 16, 2011, Shahab Vahabzadeh
>> wrote:
>> > Hi everybody,
>> > Can anybody share his/her experience with IP management software
>> > which I can use to manage nearly 100K IP addresses?
>> > IPPlan is not good enough, I think its
>> >
>>
>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From sh.vahabzadeh at gmail.com Fri Jan 13 15:51:18 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 14 Jan 2012 01:21:18 +0330
Subject: IP Management Software
In-Reply-To: References: Message-ID:

I am looking for an open source one. nocproject.org is good but it needs lots of patches to work normally; I think they are not developing it much because it's an internal project for them.

On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote:
> We use Men & Mice, but it is a commercial product. Solarwinds
> and Infoblox also have commercial offerings that are worth looking at.
> If you're looking at an IPAM platform with emphasis on IPv6, check
> out www.6connect.com. They offer a free product that is
> pretty comprehensive.
>
> Josh
> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
> wrote:
> > Hi,
> > Would you please tell me what the advantages of noc-project are?
> > It takes hours to install it and it looks like software with lots of bugs.
> > I have it now but there are many problems in their scripts, aren't there?
> > Thanks
> >
> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied
> > wrote:
> >
> >> Try noc project
> >>
> >>
> >> On Friday, December 16, 2011, Shahab Vahabzadeh <sh.vahabzadeh at gmail.com>
> >> wrote:
> >> > Hi everybody,
> >> > Can anybody share his/her experience with IP management software
> >> > which I can use to manage nearly 100K IP addresses?
> >> > IPPlan is not good enough, I think its
> >> >
> >>
> >
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From cidr-report at potaroo.net Fri Jan 13 16:00:01 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jan 2012 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201201132200.q0DM01L2070557@wattle.apnic.net>

BGP Update Report
Interval: 05-Jan-12 -to- 12-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS42116 102673 6.3% 1711.2 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
2 - AS15706 62272 3.8% 322.7 -- Sudatel
3 - AS9829 43384 2.7% 65.2 -- BSNL-NIB National Internet Backbone
4 - AS8402 38569 2.4% 46.6 -- CORBINA-AS OJSC "Vimpelcom"
5 - AS32528 24044 1.5% 6011.0 -- ABBOTT Abbot Labs
6 - AS7552 23372 1.4% 16.5 -- VIETEL-AS-AP Vietel Corporation
7 - AS24560 22324 1.4% 52.4 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
8 - AS5800 21762 1.3% 81.8 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
9 - AS6072 20608 1.3% 1472.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
10 - AS20632 20374 1.2% 20374.0 -- PETERSTAR-AS PeterStar
11 - AS27738 14226 0.9% 41.6 -- Ecuadortelecom S.A.
12 - AS27947 14084 0.9% 27.1 -- Telconet S.A
13 - AS19223 12795 0.8% 12795.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
14 - AS17639 12159 0.8% 2026.5 -- COMCLARK-AS ComClark Network & Technology Corp.
15 - AS3215 11844 0.7% 3.0 -- AS3215 France Telecom - Orange
16 - AS12479 11527 0.7% 72.5 -- UNI2-AS France Telecom Espana SA
17 - AS14522 10593 0.7% 38.5 -- Satnet
18 - AS9498 8907 0.6% 15.2 -- BBIL-AP BHARTI Airtel Ltd.
19 - AS25620 8587 0.5% 53.0 -- COTAS LTDA.
20 - AS28683 7966 0.5% 137.3 -- BENINTELECOM

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS20632 20374 1.2% 20374.0 -- PETERSTAR-AS PeterStar
2 - AS19223 12795 0.8% 12795.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
3 - AS32528 24044 1.5% 6011.0 -- ABBOTT Abbot Labs
4 - AS10209 4808 0.3% 4808.0 -- SYNOPSYS-AS-JP-AP Japan HUB and Data Center
5 - AS49648 3507 0.2% 3507.0 -- SVTEL-AS "SvyazTelecom" LTD
6 - AS17408 3191 0.2% 3191.0 -- ABOVE-AS-AP AboveNet Communications Taiwan
7 - AS17639 12159 0.8% 2026.5 -- COMCLARK-AS ComClark Network & Technology Corp.
8 - AS26341 1904 0.1% 1904.0 -- OSI-ASP - Open Solutions Inc.
9 - AS42116 102673 6.3% 1711.2 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
10 - AS6072 20608 1.3% 1472.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
11 - AS65273 1329 0.1% 1329.0 -- -Private Use AS-
12 - AS45723 1031 0.1% 1031.0 -- OMADATA-AS-ID Omadata Indonesia, PT
13 - AS53362 852 0.1% 852.0 -- MIXIT-AS - Mixit, Inc.
14 - AS34480 3348 0.2% 837.0 -- GSC-AS GrandService PP.
15 - AS3 720 0.0% 1587.0 -- BANKPERSHIY-AS PJSC Bank Pershyi
16 - AS56915 702 0.0% 702.0 -- ASELITTELECOM Elit Telecom Ltd.
17 - AS52849 584 0.0% 584.0 --
18 - AS21271 557 0.0% 557.0 -- SOTELMABGP
19 - AS6719 535 0.0% 535.0 -- KNOPP-AS Limited Liability Company KNOPP
20 - AS10445 1966 0.1% 491.5 -- HTG - Huntleigh Telcom

TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
1 - 84.204.132.0/24 20374 1.2% AS20632 -- PETERSTAR-AS PeterStar
2 - 67.97.156.0/24 12795 0.7% AS19223 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
3 - 130.36.34.0/24 12015 0.7% AS32528 -- ABBOTT Abbot Labs
4 - 130.36.35.0/24 12015 0.7% AS32528 -- ABBOTT Abbot Labs
5 - 122.161.0.0/16 7240 0.4% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
6 - 202.92.235.0/24 6706 0.4% AS9498 -- BBIL-AP BHARTI Airtel Ltd.
7 - 202.56.215.0/24 6597 0.4% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
8 - 111.125.126.0/24 6489 0.4% AS17639 -- COMCLARK-AS ComClark Network & Technology Corp.
9 - 95.78.4.0/22 6342 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
10 - 46.147.88.0/22 6341 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
11 - 46.147.120.0/22 6333 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
12 - 95.78.96.0/22 6325 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
13 - 95.78.88.0/22 6323 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
14 - 46.147.124.0/22 6321 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
15 - 46.147.108.0/22 6319 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
16 - 95.78.116.0/22 6314 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
17 - 95.78.84.0/22 6311 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
18 - 95.78.100.0/22 6309 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
19 - 95.78.92.0/22 6301 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"
20 - 176.213.100.0/22 6293 0.4% AS42116 -- ERTH-NCHLN-AS CJSC "ER-Telecom Holding"

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org

From cidr-report at potaroo.net Fri Jan 13 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jan 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201201132200.q0DM00jN070550@wattle.apnic.net>

This report has been generated at Fri Jan 13 21:12:24 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date Prefixes CIDR Agg
06-01-12 391121 227929
07-01-12 390649 228024
08-01-12 391004 228100
09-01-12 390964 228214
10-01-12 391281 228081
11-01-12 391432 228387
12-01-12 391955 228706
13-01-12 392583 228745

AS Summary
39939 Number of ASes in routing system
16759 Number of ASes announcing only one prefix
3454 Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
109424128 Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 13Jan12 ---
ASnum NetsNow NetsAggr NetGain % Gain Description
Table 392867 228759 164108 41.8% All ASes
AS6389 3454 209 3245 93.9% BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029 3204 1488 1716 53.6% WINDSTREAM - Windstream Communications Inc
AS18566 2093 413 1680 80.3% COVAD - Covad Communications Co.
AS4766 2477 994 1483 59.9% KIXS-AS-KR Korea Telecom
AS22773 1517 117 1400 92.3% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755 1512 196 1316 87.0% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS4323 1605 384 1221 76.1% TWTC - tw telecom holdings, inc.
AS28573 1579 398 1181 74.8% NET Servicos de Comunicao S.A.
AS1785 1867 783 1084 58.1% AS-PAETEC-NET - PaeTec Communications, Inc.
AS7552 1425 391 1034 72.6% VIETEL-AS-AP Vietel Corporation
AS19262 1388 402 986 71.0% VZGNI-TRANSIT - Verizon Online LLC
AS10620 1738 759 979 56.3% Telmex Colombia S.A.
AS7303 1256 368 888 70.7% Telecom Argentina S.A.
AS8402 1600 741 859 53.7% CORBINA-AS OJSC "Vimpelcom"
AS2118 927 77 850 91.7% RELCOM-AS OOO "NPO Relcom"
AS8151 1464 662 802 54.8% Uninet S.A. de C.V.
AS18101 946 155 791 83.6% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS30036 1489 704 785 52.7% MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS4808 1103 345 758 68.7% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS15557 1096 368 728 66.4% LDCOMNET Societe Francaise du Radiotelephone S.A
AS24560 1010 290 720 71.3% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS7545 1597 923 674 42.2% TPG-INTERNET-AP TPG Internet Pty Ltd
AS3356 1105 459 646 58.5% LEVEL3 Level 3 Communications
AS17676 677 74 603 89.1% GIGAINFRA Softbank BB Corp.
AS17974 1716 1132 584 34.0% TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS4804 661 95 566 85.6% MPX-AS Microplex PTY LTD
AS9498 867 302 565 65.2% BBIL-AP BHARTI Airtel Ltd.
AS4780 785 227 558 71.1% SEEDNET Digital United Inc.
AS20115 1618 1061 557 34.4% CHARTER-NET-HKY-NC - Charter Communications
AS3549 977 424 553 56.6% GBLX Global Crossing Ltd.
Total 44753 14941 29812 66.6% Top 30 total

Possible Bogus Routes
10.86.64.32/30 AS65530 -Private Use AS-
10.86.64.36/30 AS65530 -Private Use AS-
10.86.65.32/30 AS65530 -Private Use AS-
10.86.65.36/30 AS65530 -Private Use AS-
10.255.255.0/30 AS65530 -Private Use AS-
10.255.255.4/30 AS65530 -Private Use AS-
10.255.255.8/30 AS65530 -Private Use AS-
14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.4.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.8.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.12.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.16.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.20.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.24.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.28.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
41.222.79.0/24 AS37345 MEDALLION
41.223.92.0/22 AS36936 CELTEL-GABON Celtel Gabon Internet Service
62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV
62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV
64.21.192.0/20 AS11610 INETNEBR-1 - Internet Nebraska Corporation
64.21.212.0/22 AS11610 INETNEBR-1 - Internet Nebraska Corporation
64.21.216.0/21 AS11610 INETNEBR-1 - Internet Nebraska Corporation
66.129.0.0/19 AS3901 ARRAKIS - Higher Technology Services
66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION
66.207.32.0/20 AS23011
66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
66.251.128.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.133.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.134.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.136.0/21 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.140.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.141.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.142.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.143.0/24 AS3356 LEVEL3 Level 3 Communications
69.46.224.0/20 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.233.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.236.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
71.19.134.0/23 AS3313 INET-AS BT Italia S.p.A.
72.44.16.0/20 AS15054 HAMELTRONICS - Hameltronics, LLC
80.88.10.0/24 AS33774 DJAWEB
98.159.96.0/20 AS46975
110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas
116.206.72.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
116.206.85.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
116.206.103.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc.
171.25.183.0/24 AS29649 LIMES-AS LIMES Internet Communication
172.45.1.0/24 AS3356 LEVEL3 Level 3 Communications
172.45.2.0/24 AS29571 CITelecom-AS
172.45.3.0/24 AS29571 CITelecom-AS
172.102.0.0/22 AS4812 CHINANET-SH-AP China Telecom (Group)
190.104.32.0/21 AS27882 Telefónica Celular de Bolivia S.A.
193.0.22.0/23 AS3333 RIPE-NCC-AS RIPE Network Coordination Centre
200.6.93.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.94.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.95.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.23.84.0/24 AS8151 Uninet S.A. de C.V.
200.24.73.0/24 AS26061 Equant Colombia
200.33.40.0/24 AS11172 Alestra, S. de R.L. de C.V.
200.34.0.0/20 AS6342 Instituto Tecnológico y de Estudios Superiores de Monterrey
200.53.0.0/19 AS13878 Diveo do Brasil Telecomunicacoes Ltda
202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
202.8.106.0/24 AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
202.9.55.0/24 AS2764 AAPT AAPT Limited
202.58.113.0/24 AS19161
202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company
202.61.108.0/24 AS55812
202.61.118.0/24 AS55833
202.83.120.0/21 AS37972
202.83.124.0/24 AS37972
202.83.125.0/24 AS37972
202.83.126.0/24 AS37972
202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
202.160.152.0/22 AS10113 DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia
202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited
203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
203.142.219.0/24 AS45149
205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
205.175.214.0/24 AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
206.123.129.0/24 AS10790 INREACH-AS - InReach Internet
206.180.240.0/20 AS12083 KNOLOGY-NET - KNOLOGY, Inc.
206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
207.174.131.0/24 AS26116 INDRA - Indra's Net Inc
207.174.132.0/23 AS26116 INDRA - Indra's Net Inc
207.174.152.0/23 AS26116 INDRA - Indra's Net Inc
207.174.154.0/24 AS26116 INDRA - Indra's Net Inc
207.174.155.0/24 AS26116 INDRA - Indra's Net Inc
207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc.
207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC
207.231.96.0/19 AS11194 NUNETPA - NuNet Inc.
208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC
208.91.56.0/21 AS22241 IC2NET - IC2NET
208.91.56.0/24 AS22241 IC2NET - IC2NET
208.91.57.0/24 AS22241 IC2NET - IC2NET
208.91.58.0/24 AS22241 IC2NET - IC2NET
208.91.59.0/24 AS22241 IC2NET - IC2NET
208.91.60.0/24 AS22241 IC2NET - IC2NET
208.91.61.0/24 AS22241 IC2NET - IC2NET
208.91.62.0/24 AS22241 IC2NET - IC2NET
208.91.63.0/24 AS22241 IC2NET - IC2NET
209.133.224.0/19 AS4323 TWTC - tw telecom holdings, inc.
209.148.64.0/19 AS13773 TELNETCOMM - Telnet Communications
209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network
209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC
209.222.240.0/22 AS19747
210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
216.12.160.0/20 AS26627 AS-PILOSOFT - Pilosoft, Inc.
216.21.160.0/20 AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport
216.194.160.0/20 AS13818 PHX-INTL-TELEPORT - Phoenix International Teleport

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org

From brett at the-watsons.org Fri Jan 13 16:18:02 2012
From: brett at the-watsons.org (Brett Watson)
Date: Fri, 13 Jan 2012 15:18:02 -0700
Subject: IP Management Software
In-Reply-To: References:
Message-ID: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>

Infoblox is pretty nice but not a stand-alone IPAM solution. It's bundled DNS, DHCP, and IPAM. 6Connect definitely has a nice IPAM solution, right now more tailored for service providers but it's linked to the regional registries and helps you do requests for address space, etc. I think they're working on an enterprise-based version as well.

-b

On Jan 13, 2012, at 2:50 PM, Josh Baird wrote:
> We use Men & Mice, but it is a commercial product. Solarwinds
> and Infoblox also have commercial offerings that are worth looking at.
> If you're looking at an IPAM platform with emphasis on IPv6, check
> out www.6connect.com. They offer a free product that is
> pretty comprehensive.
>
> Josh
> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
> wrote:
>> Hi,
>> Would you please tell me what the advantages of noc-project are?
>> It takes hours to install it and it looks like software with lots of bugs.
>> I have it now but there are many problems in their scripts, aren't there?
>> Thanks
>>
>> On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied wrote:
>>
>>> Try noc project
>>>
>>>
>>> On Friday, December 16, 2011, Shahab Vahabzadeh
>>> wrote:
>>>> Hi everybody,
>>>> Can anybody share his/her experience with IP management software
>>>> which I can use to manage nearly 100K IP addresses?
>>>> IPPlan is not good enough, I think its
>>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From joshbaird at gmail.com Fri Jan 13 16:20:03 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 13 Jan 2012 17:20:03 -0500
Subject: IP Management Software
In-Reply-To: References: Message-ID:

In that case, there aren't too many options. I have used IPPLAN in the past, and I have found it difficult to use and manage. Most of the other open source IPAM packages are now vaporware.

Josh

On Fri, Jan 13, 2012 at 4:51 PM, Shahab Vahabzadeh wrote:
> I am looking for an open source one. nocproject.org is good but it needs lots
> of patches to work normally; I think they are not developing it much because
> it's an internal project for them.
>
>
> On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote:
>>
>> We use Men & Mice, but it is a commercial product. Solarwinds
>> and Infoblox also have commercial offerings that are worth looking at.
>> If you're looking at an IPAM platform with emphasis on IPv6, check
>> out www.6connect.com. They offer a free product that is
>> pretty comprehensive.
>>
>> Josh
>> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh
>> wrote:
>> > Hi,
>> > Would you please tell me what the advantages of noc-project are?
>> > It takes hours to install it and it looks like software with lots of
>> > bugs.
>> > I have it now but there are many problems in their scripts, aren't there?
>> > Thanks
>> >
>> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied
>> > wrote:
>> >
>> >> Try noc project
>> >>
>> >>
>> >> On Friday, December 16, 2011, Shahab Vahabzadeh
>> >>
>> >> wrote:
>> >> > Hi everybody,
>> >> > Can anybody share his/her experience with IP management software
>> >> > which I can use to manage nearly 100K IP addresses?
>> >> > IPPlan is not good enough, I think its
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Regards,
>> > Shahab Vahabzadeh, Network Engineer and System Administrator
>> >
>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>
>
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From regnauld at nsrc.org Fri Jan 13 16:31:23 2012
From: regnauld at nsrc.org (Phil Regnauld)
Date: Fri, 13 Jan 2012 22:31:23 +0000
Subject: IP Management Software
In-Reply-To: References:
Message-ID: <20120113223123.GF24045@macbook.bluepipe.net>

Josh Baird (joshbaird) writes:
> In that case, there aren't too many options. I have used IPPLAN in
> the past, and I have found it difficult to use and manage. Most of
> the other open source IPAM packages are now vaporware.

Like, TIPP or Netdot?

http://tipp.tobez.org/
http://netdot.uoregon.edu/

From nick at foobar.org Fri Jan 13 17:00:43 2012
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 13 Jan 2012 23:00:43 +0000
Subject: IP Management Software
In-Reply-To: <20120113223123.GF24045@macbook.bluepipe.net>
References: <20120113223123.GF24045@macbook.bluepipe.net>
Message-ID: <4F10B79B.3000607@foobar.org>

On 13/01/2012 22:31, Phil Regnauld wrote:
> Like, TIPP or Netdot?
>
> http://tipp.tobez.org/
> http://netdot.uoregon.edu/

Unfortunately, netdot is a complete curse to install. It's not necessarily a bad idea to use the preinstalled VM image, although I don't know how they intend to deal with upgrades. Once it's up and running, it actually works quite well. Certainly a lot better than nocproject (which looks like it could be awesome in lots of other ways, if only I could figure out how on earth to use it...).

I built myself a FreeBSD port for netdot 0.99, which I really ought to do something about, like getting it put into the ports tree. The dependency list is pretty astounding, but it does work.
When some copious free time appears (any day now), I'll get around to doing something with it..

Nick

From matt.addison at lists.evilgeni.us Fri Jan 13 20:16:23 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Fri, 13 Jan 2012 21:16:23 -0500
Subject: IP Management Software
In-Reply-To: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>
References: <21302280-0687-4F2F-AE77-375FB2F87E3E@the-watsons.org>
Message-ID:

On Fri, Jan 13, 2012 at 17:18, Brett Watson wrote:
> 6Connect definitely has a nice IPAM solution, right now more tailored for service providers but it's linked to the regional registries and helps you do requests for address space, etc. I think they're working on an enterprise-based version as well.

I'd love 6connect if they supported VRF in some fashion. The only decent tool (in the foss/inexpensive corner of the market) I've found so far which supports multiple overlapping address space for VRF management (and enforcing uniqueness within VRF) is nocproject, which has its own set of quirks/problems. I can kind of fake it in 6connect with tags and adding duplicate blocks, but then I'm doing a lot of legwork on the human side to make sure the blocks are actually unique within VRF.

From Brent.Bowers at cox.com Fri Jan 13 20:48:01 2012
From: Brent.Bowers at cox.com (Brent.Bowers at cox.com)
Date: Fri, 13 Jan 2012 21:48:01 -0500
Subject: Verizon FIOS MTU issues in Southern California
Message-ID: <8512DE788D9BA54FB3E515EFF888AB313F9974FF42@CATL0MS100.corp.cox.com>

Can anyone from the Verizon FiOS NOC contact me off-list. We believe we've identified a network issue in the Southern California FiOS network impacting your residential subscribers.

Brent Bowers
Director, CB/Network/Transport Engineering
CCIE #13530
Cox Communications, Inc.
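As an added example (my own code, not from 6connect, nocproject, bgpTables or any poster in the thread), here is the kind of check Matt Addison describes above: a block must not overlap another block in the same VRF, while the same space may legitimately appear in several VRFs. The same table also answers a bgpTables-style 'contained within' query like the 'cw1.0.0.0/8' search in Manish Karir's announcement, and flags entries in RFC 1918 or other non-global space, the sort of prefix that ends up under "Possible Bogus Routes" in the CIDR report (10.x.x.x/30 from a private AS). The IPAM table, the VRF names and the helper names are constructed for the example; only the standard library is used.

```python
"""IPAM sanity checks: per-VRF overlap, 'contained within' queries, private space.

Added example, not code from any of the tools or posters in this thread.
The table below is constructed for the example; the VRF names are made up.
Rule enforced (as Matt Addison describes it): a prefix must not overlap
another prefix in the *same* VRF, but the same space may appear in
several VRFs.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample IPAM table: (vrf, prefix).
SAMPLE_TABLE = [
    ("GLOBAL", "8.8.8.0/24"),
    ("GLOBAL", "12.0.0.0/8"),
    ("GLOBAL", "12.1.0.0/16"),      # overlaps 12.0.0.0/8 in the same VRF: conflict
    ("GLOBAL", "172.0.1.0/24"),     # public space; outside 172.16.0.0/12 (RFC 1918)
    ("GLOBAL", "2001:db8::/32"),
    ("GLOBAL", "2001:db8:1::/48"),  # overlaps 2001:db8::/32 in the same VRF: conflict
    ("CUST-A", "10.0.0.0/8"),
    ("CUST-A", "10.1.0.0/16"),      # overlaps 10.0.0.0/8 in the same VRF: conflict
    ("CUST-B", "10.0.0.0/8"),       # same space as CUST-A, different VRF: allowed
    ("CUST-B", "172.16.0.0/12"),
]


def parse_table(rows):
    """Group the table by VRF; strict parsing rejects prefixes with host bits set."""
    by_vrf = defaultdict(list)
    for vrf, prefix in rows:
        by_vrf[vrf].append(ip_network(prefix, strict=True))
    return by_vrf


def vrf_conflicts(rows):
    """Every pair of overlapping prefixes that live in the same VRF.

    Returns (vrf, first, second) tuples, each pair reported once in table
    order. Overlap across different VRFs is deliberately not reported.
    """
    conflicts = []
    for vrf, nets in parse_table(rows).items():
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                # overlaps() is only meaningful within one address family
                if a.version == b.version and a.overlaps(b):
                    conflicts.append((vrf, str(a), str(b)))
    return conflicts


def contained_within(rows, supernet, vrf=None):
    """bgpTables-style 'cw' query: table entries strictly inside supernet.

    Optionally restrict the search to one VRF. The supernet itself is
    not returned, only more-specific entries.
    """
    sup = ip_network(supernet, strict=True)
    hits = []
    for v, p in rows:
        if vrf is not None and v != vrf:
            continue
        net = ip_network(p, strict=True)
        if net.version == sup.version and net != sup and net.subnet_of(sup):
            hits.append((v, str(net)))
    return hits


def private_entries(rows):
    """Entries in space that should never be announced globally
    (RFC 1918 and the other ranges Python's ipaddress marks is_private).
    The 10.x.x.x/30 routes from a private AS in the CIDR report above
    are exactly what this would catch in an IPAM export."""
    return [(v, p) for v, p in rows if ip_network(p, strict=True).is_private]


if __name__ == "__main__":
    for vrf, a, b in vrf_conflicts(SAMPLE_TABLE):
        print(f"CONFLICT in {vrf}: {a} overlaps {b}")
    print("inside 10.0.0.0/8:", contained_within(SAMPLE_TABLE, "10.0.0.0/8"))
    print("inside 172.0.0.0/8:", contained_within(SAMPLE_TABLE, "172.0.0.0/8"))
    print("non-global:", private_entries(SAMPLE_TABLE))
```

The overlap check is O(n^2) per VRF, which is fine for a few thousand blocks per VRF; for a table of 100K entries, sort each VRF's list by network address and compare only neighbours. Note that the 172.0.1.0/24 entry is reported as public: only 172.16.0.0 through 172.31.255.255 is RFC 1918 space.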
From betty at newnog.org Fri Jan 13 22:06:23 2012
From: betty at newnog.org (Betty Burke )
Date: Fri, 13 Jan 2012 23:06:23 -0500
Subject: [NANOG-announce] NANOG 54 Agenda and Reminders
Message-ID:

Colleagues:

A short NANOG 54 reminder and update.

NANOG 54 will be held in San Diego, CA February 5 - 8, 2012. NANOG 54 will begin with tutorials starting early Sunday afternoon, February 5. The meeting will adjourn approximately 12 noon on Wednesday, February 8.

Thank you to our NANOG 54 Speakers and to the NANOG Program Committee. Attendees are sure to enjoy another fantastic program! The posted agenda continues to be updated; however, the largest part of the NANOG 54 program is now posted. Do not delay, register for NANOG 54 now as the registration rate will increase on Monday, January 30, 2012.

http://www.nanog.org/meetings/nanog54/agenda.html
http://www.nanog.org/meetings/nanog54/nanog54_registration.html

Please note the Westin Gaslamp Hotel Group Rate expires on Friday, January 20, 2012. Make your reservation as soon as possible.

http://www.nanog.org/meetings/nanog54/hotel.php

In addition to a wonderful program, attendees will be treated to our famous "Sponsor Socials". NANOG 54 attendees will have ample social networking opportunities during each day and throughout the evening.

After 16 years, NANOG is pleased to return to San Diego. There are a number of local activities and attractions for all to take advantage of. Make your travel plans, become a NANOG member, register for NANOG 54 and be a part of the NANOG experience.

Should you have any questions or concerns regarding your reservation, the hotel, or NANOG 54 in general, please be sure to send a note to nanog-support at nanog.org or phone us at +1 510 492 4030.
Betty
--
Betty Burke
NewNOG/NANOG Executive Director
Office (810) 214-1218
NANOG Office (510) 492-4030

-------------- next part --------------
_______________________________________________
NANOG-announce mailing list
NANOG-announce at nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

From me at anuragbhatia.com Sat Jan 14 01:33:12 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Sat, 14 Jan 2012 13:03:12 +0530
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
Message-ID:

Hello Manish

Nice work on bgptables.merit.edu

A couple of things:

1. It doesn't recognize an individual IP directly but needs a complete block in CIDR to get info about it, e.g. a search for 8.8.8.8 gives nothing but 8.8.8.0/24 gives information about Google. It would be worth having it look at the block to which an IP belongs.

2. You might consider adding graphs on AS connections - those are best for easy & quick reading. Something like for Google (AS15169) - http://bgp.he.net/AS15169#_graph4

Nice work, keep it going!

On Sat, Jan 14, 2012 at 1:49 AM, Manish Karir wrote:
>
> All,
>
> We would like to announce the availability of the bgpTables Project at
> Merit at: http://bgptables.merit.edu
> bgpTables allows users to easily navigate global routing table data
> collected via routeviews.org. bgptables
> essentially processes the data collected at routeviews and makes it
> available in a somewhat easier
> to use interface. The goal of bgpTables is to represent global prefix and
> AS visibility information from the
> vantage point of the various bgp table views as seen at routeviews.
> The data is currently updated nightly (EST) but we hope to improve this
> over time.
> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple
> examples of how you can use bgpTables.
>
> Some examples:
> - You can query for a specific ASN by entering the text 'as' followed by
> the AS number into the search box. For example, to query for information
> about AS 237 you would enter 'as237' [without quotation marks] into the
> search box and then click 'search'. You can then use the view navigator map
> to switch to different routing table views for this ASN.
>
> - You can query for a specific prefix by directly entering the prefix into
> the search box. For example, to query for information about prefix
> 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks]
> into the search box and then click 'search'. You can then use the view
> navigator map to switch to different routing table views for the prefix.
>
> - You can find a particular prefix that you might be interested in by
> running a 'contained within' query via the search box. For example, to
> quickly browse a list of prefixes contained within 1.0.0.0/8 to find the
> particular prefix you might be interested in, you can enter the text
> 'cw1.0.0.0/8' [without quotation marks] into the search box and click
> 'search'. You can then browse the resulting table to select the particular
> prefix you might be interested in.
>
> - You can simply enter the text 'as' followed by the company name into the
> search box, then click 'search' to view a list of possible matches for that
> text. For example, to view all matching Google ASNs you can simply enter
> 'asgoogle' into the search box and click 'search'. A list of possible
> matching ASNs that reference Google by name will be returned, from which you
> can then select the particular ASN that is of interest to you.
>
>
> Comments, corrections, and suggestions are very welcome. Please send them
> to mkarir at merit.edu. Hopefully folks will find this useful.
>
> Thanks.
> -The Merit Network Research and Development Team
>
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on an IPv6 connected network!
Twitter: @anurag_bhatia From c.spurgeon at mail.utexas.edu Sat Jan 14 19:10:15 2012 From: c.spurgeon at mail.utexas.edu (Charles Spurgeon) Date: Sat, 14 Jan 2012 19:10:15 -0600 Subject: VPC=S/MLT? In-Reply-To: <4F109CC0.8000800@gmail.com> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> Message-ID: <20120115011015.GA14746@argus.gw.utexas.edu> On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote: > > The first link references "chapter 3". I found chapter 5 as well > but I can't find the full index. Do you have that link by any chance? I don't have a link to a full index. The links I sent are from a set of Nexus design and operation chapters I've found. Each chapter is a guide to a specific aspect of Nexus and vPC operation and DC design. The set doesn't appear to have been turned into standard Cisco docs with indexes etc. Here are the links that I've been able to find: Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf Chapter 2: Cisco NX-OS Software Command-Line Interface Primer http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf Chapter 5: Data Center Aggregation Layer Design and Configuration with Cisco Nexus Switches and Virtual PortChannels http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf Chapter 6 Data Center Access Design with Cisco Nexus 
5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf Chapter 7 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf Chapter 8 Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric Extenders http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf -Charles Charles E. Spurgeon / UTnet UT Austin ITS / Networking c.spurgeon at its.utexas.edu / 512.475.9265 From nathan at atlasnetworks.us Sat Jan 14 21:36:53 2012 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Sun, 15 Jan 2012 03:36:53 +0000 Subject: IP Management Software In-Reply-To: References: Message-ID: <8C26A4FDAE599041A13EB499117D3C286B671AB1@ex-mb-1.corp.atlasnetworks.us> Racktables seems pretty decent, and it's open source. Seems to still be alive, too! http://racktables.org/demo.php > -----Original Message----- > From: Josh Baird [mailto:joshbaird at gmail.com] > Sent: Friday, January 13, 2012 2:20 PM > To: Shahab Vahabzadeh > Cc: nanog at nanog.org > Subject: Re: IP Management Software > > In that case, there aren't too many options. I have used IPPLAN in the past, > and I have found it difficult to use and manage. Most of the other open > source IPAM packages are now vaporware. > > Josh > > On Fri, Jan 13, 2012 at 4:51 PM, Shahab Vahabzadeh > wrote: > > I am looking for an open source one, nocproject.org is good but it > > need lots of patches to be normal, I think they are not developing it > > too much because its internal project for them. > > > > > > On Sat, Jan 14, 2012 at 1:20 AM, Josh Baird wrote: > >> > >> We use Men & Mice, but it is a commercial product. 
Solarwinds > >> and Infoblox also have commercial offerings that are worth looking at. > >> If you're looking at an IPAM platform with emphasis on IPv6, check > >> out www.6connect.com. They offer a free product that is > >> pretty comprehensive. > >> > >> Josh > >> On Fri, Jan 13, 2012 at 4:24 PM, Shahab Vahabzadeh > >> wrote: > >> > Hi, > >> > Would you please tell me what are the advantages of noc-project? > >> > It takes hours to install it and it looks like a software with lots > >> > of bugs? > >> > I have it now but many problems in their scripts, Isn't it? > >> > Thanks > >> > > >> > On Fri, Dec 16, 2011 at 7:46 PM, Payam Poursaied > > >> > wrote: > >> > > >> >> Try noc project > >> >> > >> >> > >> >> On Friday, December 16, 2011, Shahab Vahabzadeh > >> >> > >> >> wrote: > >> >> > Hi everybody, > >> >> > Can anybody share his/her experience with IP Management > software? > >> >> Which I > >> >> > can use it managing near 100K IP Address? > >> >> > IPPlan is not good enough, I think its > >> >> > > >> >> > >> > > >> > > >> > > >> > -- > >> > Regards, > >> > Shahab Vahabzadeh, Network Engineer and System Administrator > >> > > >> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 > >> > BF90 > > > > > > > > > > -- > > Regards, > > Shahab Vahabzadeh, Network Engineer and System Administrator > > > > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 > > BF90 > > > From ted at fred.net Sun Jan 15 01:37:25 2012 From: ted at fred.net (Ted Fischer) Date: Sun, 15 Jan 2012 02:37:25 -0500 Subject: Whois 172/12 Message-ID: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> Hi all, Tearing what's left of my hair out. A customer is getting scanned by a host claiming to be "172.0.1.216". I know this is bogus, but I want to go back to the customer with as much authoritative umph as I can (heaven forbid they just take my word). I'm pretty sure I read somewhere once that 172/12 was "reserved" or something like that. 
All I can find now is that 172/8 is "administered by ARIN". Lots of information on 172.16/12, but not a peep about 172/12. If anybody could provide some insight as to the allocation/non-allocation of this block, it would be much appreciated. Thanks. Ted Fischer From r.hyunseog at ieee.org Sun Jan 15 01:53:17 2012 From: r.hyunseog at ieee.org (Alex Ryu) Date: Sun, 15 Jan 2012 01:53:17 -0600 Subject: Whois 172/12 In-Reply-To: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> Message-ID: As far as I know, 172.0.1.216 is not assigned, yet. whois -h whois.arin.net 172.0.1.216 [whois.arin.net] # # Query terms are ambiguous. The query is assumed to be: # "n 172.0.1.216" # # Use "?" to get help. # No match found for 172.0.1.216. # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/whois_tou.html # Also, when you check BGP routing table, it is not routed at all. route-server.as3257.net>sh ip bgp 172.0.1.216 % Network not in table route-server.as3257.net> So it seems like forged IP address. Alex On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: > Hi all, > > Tearing what's left of my hair out. > > A customer is getting scanned by a host claiming to be "172.0.1.216". > > I know this is bogus, but I want to go back to the customer with as > much authoritative umph as I can (heaven forbid they just take my > word). > > I'm pretty sure I read somewhere once that 172/12 was "reserved" or > something like that. All I can find now is that 172/8 is "administered by > ARIN". Lots of information on 172.16/12, but not a peep about > 172/12. > > If anybody could provide some insight as to the > allocation/non-allocation of this block, it would be much appreciated. > > Thanks. > > Ted Fischer > > > > > > > From patrick at ianai.net Sun Jan 15 01:58:11 2012 From: patrick at ianai.net (Patrick W. 
Gilmore) Date: Sun, 15 Jan 2012 02:58:11 -0500 Subject: Whois 172/12 In-Reply-To: References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> Message-ID: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> Read RFC1918. Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above). -- TTFN, patrick On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: > As far as I know, 172.0.1.216 is not assigned, yet. > > whois -h whois.arin.net 172.0.1.216 > [whois.arin.net] > # > # Query terms are ambiguous. The query is assumed to be: > # "n 172.0.1.216" > # > # Use "?" to get help. > # > > No match found for 172.0.1.216. > > > > # > # ARIN WHOIS data and services are subject to the Terms of Use > # available at: https://www.arin.net/whois_tou.html > # > > Also, when you check BGP routing table, it is not routed at all. > > route-server.as3257.net>sh ip bgp 172.0.1.216 > % Network not in table > route-server.as3257.net> > > So it seems like forged IP address. > > Alex > > > On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: >> Hi all, >> >> Tearing what's left of my hair out. >> >> A customer is getting scanned by a host claiming to be "172.0.1.216". >> >> I know this is bogus, but I want to go back to the customer with as >> much authoritative umph as I can (heaven forbid they just take my >> word). >> >> I'm pretty sure I read somewhere once that 172/12 was "reserved" or >> something like that. All I can find now is that 172/8 is "administered by >> ARIN". Lots of information on 172.16/12, but not a peep about >> 172/12. 
>> >> If anybody could provide some insight as to the >> allocation/non-allocation of this block, it would be much appreciated. >> >> Thanks. >> >> Ted Fischer >> >> >> >> >> >> >> > From leigh.porter at ukbroadband.com Sun Jan 15 02:17:20 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Sun, 15 Jan 2012 08:17:20 +0000 Subject: Whois 172/12 In-Reply-To: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> Message-ID: <5D0DB325-557B-440F-B308-8F70670036F4@ukbroadband.com> On 15 Jan 2012, at 07:39, "Ted Fischer" wrote: > Hi all, > > Tearing what's left of my hair out. > > A customer is getting scanned by a host claiming to be "172.0.1.216". > > I know this is bogus, but I want to go back to the customer with as > much authoritative umph as I can (heaven forbid they just take my > word). > > I'm pretty sure I read somewhere once that 172/12 was "reserved" or > something like that. All I can find now is that 172/8 is "administered by > ARIN". Lots of information on 172.16/12, but not a peep about > 172/12. > > If anybody could provide some insight as to the > allocation/non-allocation of this block, it would be much appreciated. > > Thanks. > > Ted Fischer I would look for the prefix in your BGP table and in a couple of looking glasses and show the empty output. If its not there, then it is bogus. -- Leigh ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. 
For more information please visit http://www.symanteccloud.com ______________________________________________________________________ From ted at fred.net Sun Jan 15 02:20:17 2012 From: ted at fred.net (Ted Fischer) Date: Sun, 15 Jan 2012 03:20:17 -0500 Subject: Whois 172/12 In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> Message-ID: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Thanks for the replies so far, but not what I was looking for. I should have specified that I've done several ns & dig lookups just to make sure. We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735. We all know about 172.16/12 - nothing left of that horse but glue. My question is about 172/12. Where is it, what is its supposed purpose? I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway". If someone can point out to me what was done with 172/12 I'd appreciate it. Patrick opined: > Read RFC1918. I didn't remember seeing anything about 172/12 in RFC1918. Looked at it again. Is there something about 172/12 I missed? Thanks. > Likely a machine on his local network (i.e. behind the same NAT box) is > hitting him. > > But that is not guaranteed. A packet with a source address of 172.0.x.x > could be hitting his machine. Depends on how well you filter. 
Many > networks only look at destination IP address, source can be anything - > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back > to it (unless it was on the local LAN, as I mention above). > > -- > TTFN, > patrick > > > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: > >> As far as I know, 172.0.1.216 is not assigned, yet. >> >> whois -h whois.arin.net 172.0.1.216 >> [whois.arin.net] >> # >> # Query terms are ambiguous. The query is assumed to be: >> # "n 172.0.1.216" >> # >> # Use "?" to get help. >> # >> >> No match found for 172.0.1.216. >> >> >> >> # >> # ARIN WHOIS data and services are subject to the Terms of Use >> # available at: https://www.arin.net/whois_tou.html >> # >> >> Also, when you check BGP routing table, it is not routed at all. >> >> route-server.as3257.net>sh ip bgp 172.0.1.216 >> % Network not in table >> route-server.as3257.net> >> >> So it seems like forged IP address. >> >> Alex >> >> >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: >>> Hi all, >>> >>> Tearing what's left of my hair out. >>> >>> A customer is getting scanned by a host claiming to be "172.0.1.216". >>> >>> I know this is bogus, but I want to go back to the customer with as >>> much authoritative umph as I can (heaven forbid they just take my >>> word). >>> >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or >>> something like that. All I can find now is that 172/8 is "administered >>> by >>> ARIN". Lots of information on 172.16/12, but not a peep about >>> 172/12. >>> >>> If anybody could provide some insight as to the >>> allocation/non-allocation of this block, it would be much appreciated. >>> >>> Thanks. 
>>> >>> Ted Fischer >>> >>> >>> >>> >>> >>> >>> >> > > > From ops.lists at gmail.com Sun Jan 15 02:35:17 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sun, 15 Jan 2012 14:05:17 +0530 Subject: Whois 172/12 In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> Message-ID: Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated. On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore wrote: > Read RFC1918. > > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. > > But that is not guaranteed. A packet with a source address of 172.0.x.x -- Suresh Ramasubramanian (ops.lists at gmail.com) From jeroen at unfix.org Sun Jan 15 02:43:46 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Sun, 15 Jan 2012 09:43:46 +0100 Subject: Whois 172/12 In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Message-ID: On 15 Jan 2012, at 09:20, "Ted Fischer" wrote: > My question is about 172/12. Where is it, what is its supposed purpose? See IANA which tells you at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml that ARIN is handling it. As their whois does not have anything for it, and BGP does not have it, it obviously is unused as of yet and somebody is just spoofing. Solution: implement BCP38 in your network. Note that IANA has run out of v4, the RIRs themselves have quite a bit left, obviously, ARIN still has big chunks of 172/8. > I'm almost sure it's an internal box. Then apply BCP38 and figure out where it lives. 
> I just find it better to give a > professional answer to "why can't I use this" than just "you can't use > this and why is this address scanning you for udp/137 anyway" It is not their address space, as such they are not supposed to use it. What is so difficult about that answer?! Greets, Jeroen From mysidia at gmail.com Sun Jan 15 02:44:29 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Sun, 15 Jan 2012 02:44:29 -0600 Subject: Whois 172/12 In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Message-ID: On Sun, Jan 15, 2012 at 2:20 AM, Ted Fischer wrote: > We were supposed to have lit up the last of IPv4 last year. I would have > presumed that meant that there was nothing left. Since I can't find a > Not a good assumption. There remains IPv4 address space that has not yet been assigned to any network, but is available for assignment. 172/12 appears to likely fall into that category. > there are - supposedly - no fresh IPv4 addresses left to allocate, and the > only reference to this block is that 172/8 is allocated to ARIN. It > doesn't even appear in RFC 5735. > Just because ARIN does not appear to have allocated networks from 172/12 yet does not mean this address space is unavailable, not part of the free pool, or will not be allocated from by ARIN in the future. Just a /12 is a very small shard of IP address space. This is also part of a legacy /8. > My question is about 172/12. Where is it, what is its supposed purpose? > This falls under IP addresses that can be assigned to networks but have not yet been recorded as assigned to any networks. > I'm almost sure it's an internal box. I just find it better to give a > professional answer to "why can't I use this" than just "you can't use > Only the RFC1918 IP address space is reserved for use by private networks. 
172/12 is not reserved by RFC, therefore portions of it that are unallocated could be allocated at any time. > this and why is this address scanning you for udp/137 anyway". > Something is generating packets sourced with an IP address in that range which should not be using that source IP address. It could be a device misconfiguration, or it could be intentional IP address spoofing. > If someone can point out to me what was done with 172/12 I'd appreciate it. > -- -JH From bonomi at mail.r-bonomi.com Sun Jan 15 06:36:12 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Sun, 15 Jan 2012 06:36:12 -0600 (CST) Subject: Whois 172/12 In-Reply-To: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> Message-ID: <201201151236.q0FCaCSF047779@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012 > Subject: Re: Whois 172/12 > From: "Patrick W. Gilmore" > Date: Sun, 15 Jan 2012 02:58:11 -0500 > To: NANOG list > > Read RFC1918. > > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. Patrick, I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify your advice? ZZ From bmanning at vacation.karoshi.com Sun Jan 15 06:47:19 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sun, 15 Jan 2012 12:47:19 +0000 Subject: Whois 172/12 In-Reply-To: <201201151236.q0FCaCSF047779@mail.r-bonomi.com> References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> Message-ID: <20120115124719.GA20706@vacation.karoshi.com.> On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote: > > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012 > > Subject: Re: Whois 172/12 > > From: "Patrick W. Gilmore" > > Date: Sun, 15 Jan 2012 02:58:11 -0500 > > To: NANOG list > > > > Read RFC1918. 
> > > > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. > > > Patrick, > I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP > was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify > your advice? > > ZZ so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12? if memory serves, back in the day, there were records of allocations in this space, pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8 so there was talk of relocating those folks into other space. /bill From jlewis at lewis.org Sun Jan 15 07:54:34 2012 From: jlewis at lewis.org (Jon Lewis) Date: Sun, 15 Jan 2012 08:54:34 -0500 (EST) Subject: Whois 172/12 In-Reply-To: <20120115124719.GA20706@vacation.karoshi.com.> References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <20120115124719.GA20706@vacation.karoshi.com.> Message-ID: On Sun, 15 Jan 2012 bmanning at vacation.karoshi.com wrote: > so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12? Yeah...it's pretty common to drop the zeros when talking CIDR. > if memory serves, back in the day, there were records of allocations in this space, > pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8 > so there was talk of relocating those folks into other space. AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking at a BGP table, I'd say they're by far the largest user (one of the only) in that /8. For the OP...that scan traffic coming from 172.0.1.216 could be locally generated, or could be coming from the internet, either from someone announcing it briefly, or from a leaky NAT (just because it's not rfc1918 space doesn't mean someone didn't pick it out of their nether regions as the "private network" for some NAT'd network). 
There are resources where you can check to see if 172.0.1/24 or larger networks have been announced recently (left as an exercise for the reader). If it hasn't, then the "scans" probably aren't being very effective since there can be no reply. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From patrick at ianai.net Sun Jan 15 08:46:41 2012 From: patrick at ianai.net (Patrick W. Gilmore) Date: Sun, 15 Jan 2012 09:46:41 -0500 Subject: Whois 172/12 In-Reply-To: <201201151236.q0FCaCSF047779@mail.r-bonomi.com> References: <201201151236.q0FCaCSF047779@mail.r-bonomi.com> Message-ID: On Jan 15, 2012, at 7:36 AM, Robert Bonomi wrote: > I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP > was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify > your advice? My advice is not to post when you are tired. :) -- TTFN, patrick From r.hyunseog at ieee.org Sun Jan 15 09:43:24 2012 From: r.hyunseog at ieee.org (Alex Ryu) Date: Sun, 15 Jan 2012 09:43:24 -0600 Subject: Whois 172/12 In-Reply-To: <4f12ccbd.84c6e00a.78a9.19a3SMTPIN_ADDED@mx.google.com> References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <4f12ccbd.84c6e00a.78a9.19a3SMTPIN_ADDED@mx.google.com> Message-ID: Similar to 1.0.0.0/8 case, which was allocated to APNIC last year or so... On Sun, Jan 15, 2012 at 6:47 AM, wrote: > On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote: >> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 02:02:00 2012 >> > Subject: Re: Whois 172/12 >> > From: "Patrick W. Gilmore" >> > Date: Sun, 15 Jan 2012 02:58:11 -0500 >> > To: NANOG list >> > >> > Read RFC1918. >> > >> > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. >> >> >> Patrick, >> I've read RFC-1918. 
I cannot find *any* reference to 172.0/12, as the OP >> was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify >> your advice? >> >> ZZ > > > so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12? > > if memory serves, back in the day, there were records of allocations in this space, > pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8 > so there was talk of relocating those folks into other space. > > /bill > From network.ipdog at gmail.com Sun Jan 15 10:16:42 2012 From: network.ipdog at gmail.com (Network IP Dog) Date: Sun, 15 Jan 2012 08:16:42 -0800 Subject: Whois 172/12 In-Reply-To: References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> Message-ID: <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com> Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated. What's with the language? Ephesians 4:32 & Cheers!!! -----Original Message----- From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com] Sent: Sunday, January 15, 2012 12:35 AM To: Patrick W. Gilmore Cc: NANOG list Subject: Re: Whois 172/12 Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated. On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore wrote: > Read RFC1918. > > Likely a machine on his local network (i.e. behind the same NAT box) is hitting him. > > But that is not guaranteed. A packet with a source address of 172.0.x.x -- Suresh Ramasubramanian (ops.lists at gmail.com) From mtinka at globaltransit.net Sun Jan 15 10:17:55 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 16 Jan 2012 00:17:55 +0800 Subject: Monday Night Footbal -- on Google? 
In-Reply-To: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com> References: <15429452.4628.1326341202514.JavaMail.root@benjamin.baylink.com> Message-ID: <201201160017.59546.mtinka@globaltransit.net> On Thursday, January 12, 2012 12:06:42 PM Jay Ashworth wrote: > I'm not saying you need the whole 19mbps (though, > remember here, we are not talking about "Additional > Carriage"; we are talking about *being the only way > people can see that game* -- and my example was the > Super Bowl).. but unless MPEG algorithms have gotten > *much* better than I'm aware of, 5mb/s is probably not > enough for the Super Bowl. And you'd really be better > off with some FEC, too, even if it costs you a couple > frames extra delay. For broadcast networks, what we're seeing they like is that unlike satellite transmissions, there is more flexibility for them on IP (IPTv), which would let them lift compression rates and pack more data into a stream. But because most of them are primarily satellite broadcasting houses, only starting to roll-out IPTv, they need to maintain parity on both transmission media. Whatever the case, 5Mbps would be too low. At 1080i, we have a customer pushing HD channels at about 13Mbps a piece, give or take. Mark. From ops.lists at gmail.com Sun Jan 15 10:29:53 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sun, 15 Jan 2012 21:59:53 +0530 Subject: Whois 172/12 In-Reply-To: <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <4f12fbf5.a24de70a.66e1.fffff79b@mx.google.com> Message-ID: So kind, compassionate and forgiving that I'll buy Patrick a beer when I see him next, it's been a long time. 
--srs On Sun, Jan 15, 2012 at 9:46 PM, Network IP Dog wrote: > Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated. > > What's with the language? > > Ephesians 4:32 & Cheers!!! -- Suresh Ramasubramanian (ops.lists at gmail.com) From jay+NANOG at tp.org Sun Jan 15 10:39:48 2012 From: jay+NANOG at tp.org (Jay Moran) Date: Sun, 15 Jan 2012 11:39:48 -0500 Subject: Whois 172/12 In-Reply-To: References: <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <201201151236.q0FCaCSF047779@mail.r-bonomi.com> <20120115124719.GA20706@vacation.karoshi.com.> Message-ID: On Sun, Jan 15, 2012 at 8:54 AM, Jon Lewis wrote: > AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking > at a BGP table, I'd say they're by far the largest user (one of the only) > in that /8. > We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks represent our dial-up ISP customers that can't seem to get broadband or for whatever reason, stay on dial-up. Also pretty amazingly is how high the simultaneous user count has stayed, guess the folks that left weren't the ones on in the evenings between 7-10pm ET. We (mostly me) are looking into solutions to be able to remove the reliance on this space. Unfortunately, most of the developers, who created the various servers/applications that dole out these addresses, all left in the late 90's with some pretty fat wallets; at this point... it's an archeology dig. Jay -- Jay Moran http://tp.org/jay From a.almalki1402 at gmail.com Sun Jan 15 11:52:50 2012 From: a.almalki1402 at gmail.com (Abdullah Al-Malki) Date: Sun, 15 Jan 2012 20:52:50 +0300 Subject: accessing multiple devices via a script Message-ID: Hi fellows, I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices. What kind of scripting solutions you guys are using this case. 
Appreciate the feedback, Abdullah From regnauld at nsrc.org Sun Jan 15 11:56:55 2012 From: regnauld at nsrc.org (Phil Regnauld) Date: Sun, 15 Jan 2012 18:56:55 +0100 Subject: accessing multiple devices via a script In-Reply-To: References: Message-ID: <20120115175655.GB35765@macbook.bluepipe.net> Abdullah Al-Malki (a.almalki1402) writes: > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. Hi Abdullah, rancid ? http://www.shrubbery.net/rancid/ Cheers, Phil From joelja at bogus.com Sun Jan 15 12:01:29 2012 From: joelja at bogus.com (Joel jaeggli) Date: Sun, 15 Jan 2012 10:01:29 -0800 Subject: accessing multiple devices via a script In-Reply-To: <20120115175655.GB35765@macbook.bluepipe.net> References: <20120115175655.GB35765@macbook.bluepipe.net> Message-ID: <4F131479.6040805@bogus.com> On 1/15/12 09:56 , Phil Regnauld wrote: > Abdullah Al-Malki (a.almalki1402) writes: >> Hi fellows, >> I am supporting a big service provider and sometimes I face this problem. >> Sometimes I want to access my customer network and want to extract some >> verification output "show commands" from a large number of devices. >> >> What kind of scripting solutions you guys are using this case. > > Hi Abdullah, > > rancid ? > > http://www.shrubbery.net/rancid/ clogin from rancid features prominently in a lot of our network level automation... so does pdsh... http://code.google.com/p/pdsh/ Particularly when it involves hosts. 
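One way to do what Abdullah asks, added here as an example; it is not code from any poster in this thread, nor from rancid, clogin, pdsh or pssh, which the replies recommend. It runs a list of read-only show commands on a list of devices in parallel over ssh, isolating each device's failure from the rest. Everything it assumes is outside the thread: key-based ssh authentication already set up for a placeholder user `netops`, devices that accept one command on the ssh command line, and the constructed hostnames, commands and the `dry_run_argv`/`broken_argv` stand-ins that let it run offline.

```python
"""Collect read-only "show" command output from many devices in parallel.

Added example, not any poster's code. Assumed (not stated in the thread):
ssh key authentication is already set up for the placeholder user "netops",
no passwords live in the script, and each device accepts one command on the
ssh command line.
"""
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed

# Hostnames or addresses only: letters, digits, dots, hyphens, colons (IPv6).
# Requiring an alphanumeric first character keeps an inventory entry from
# ever being handed to ssh in a position where it would be read as an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]*$")


def valid_host(host):
    """True if host is safe to pass to ssh as a positional argument."""
    return bool(_HOST_RE.match(host))


def ssh_argv(host, command, user="netops", connect_timeout=10):
    """argv for a non-interactive, key-only ssh session. It is an argv list,
    never a shell string, so nothing in host or command reaches a shell."""
    return [
        "ssh",
        "-o", "BatchMode=yes",              # fail instead of prompting
        "-o", f"ConnectTimeout={connect_timeout}",
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown host keys
        f"{user}@{host}",
        command,
    ]


def dry_run_argv(host, command):
    """Offline stand-in for ssh_argv (constructed): echoes host and command."""
    return [sys.executable, "-c",
            "import sys; print(sys.argv[1] + ': ' + sys.argv[2])", host, command]


def broken_argv(host, command):
    """Offline stand-in (constructed) for a device that cannot be reached;
    ssh itself exits 255 on connection failure."""
    return [sys.executable, "-c", "import sys; sys.exit(255)"]


def run_on_device(host, command, transport=ssh_argv, timeout=30):
    """Run one command on one device and return a result dict."""
    if not valid_host(host):
        return {"host": host, "ok": False, "output": "", "error": "invalid host name"}
    try:
        proc = subprocess.run(list(transport(host, command)), capture_output=True,
                              text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError) as exc:
        return {"host": host, "ok": False, "output": "", "error": str(exc)}
    error = ""
    if proc.returncode != 0:
        error = proc.stderr.strip() or f"exit status {proc.returncode}"
    return {"host": host, "ok": proc.returncode == 0, "output": proc.stdout,
            "error": error}


def collect(hosts, commands, transport=ssh_argv, workers=8, timeout=30):
    """Run every command on every host, at most `workers` sessions at once.
    Returns {host: {command: result}}; one failing device never stops the rest."""
    results = {h: {} for h in hosts}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(run_on_device, h, c, transport, timeout): (h, c)
                for h in hosts for c in commands}
        for job in as_completed(jobs):
            h, c = jobs[job]
            results[h][c] = job.result()
    return results


def failed_hosts(results):
    """Hosts with at least one failed command, for the operator to follow up."""
    return sorted(h for h, per_cmd in results.items()
                  if any(not r["ok"] for r in per_cmd.values()))


if __name__ == "__main__":
    # Constructed inventory; swap in a real device list and drop transport=
    # to use ssh_argv. The dry run keeps this runnable with no devices at all.
    out = collect(["r1.example.net", "r2.example.net"],
                  ["show version", "show ip bgp summary"], transport=dry_run_argv)
    for host, per_cmd in sorted(out.items()):
        for cmd, r in per_cmd.items():
            print(f"{host} [{cmd}] ok={r['ok']}: {r['output'].strip() or r['error']}")
    print("follow up:", failed_hosts(out))
```

The design choices are the ones that matter when a script like this runs against a few hundred production devices: `BatchMode=yes` and `StrictHostKeyChecking=yes` make a missing key or a changed host key a recorded failure rather than a hung prompt or a silently accepted new key; the argv list keeps hostnames and command text out of any shell; each device gets its own timeout; and `failed_hosts` turns the run into a short follow-up list instead of a wall of output to read through.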
> Cheers, > Phil > From jkrejci at usinternet.com Sun Jan 15 12:41:09 2012 From: jkrejci at usinternet.com (Justin Krejci) Date: Sun, 15 Jan 2012 18:41:09 +0000 Subject: accessing multiple devices via a script Message-ID: <1400261429-1326652872-cardhu_decombobulator_blackberry.rim.net-359265357-@b1.c4.bise6.blackberry> Parallel ssh (pssh) might help you too ------Original Message------ From: Abdullah Al-Malki To: nanog at nanog.org Subject: accessing multiple devices via a script Sent: Jan 15, 2012 11:52 AM Hi fellows, I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices. What kind of scripting solutions you guys are using this case. Appreciate the feedback, Abdullah From kurth.bemis at gmail.com Sun Jan 15 12:46:13 2012 From: kurth.bemis at gmail.com (Kurth Bemis) Date: Sun, 15 Jan 2012 13:46:13 -0500 Subject: accessing multiple devices via a script In-Reply-To: <20120115175655.GB35765@macbook.bluepipe.net> References: <20120115175655.GB35765@macbook.bluepipe.net> Message-ID: <1326653173.3288.4.camel@kurth-gsm> On Sun, 2012-01-15 at 18:56 +0100, Phil Regnauld wrote: > Abdullah Al-Malki (a.almalki1402) writes: > > Hi fellows, > > I am supporting a big service provider and sometimes I face this problem. > > Sometimes I want to access my customer network and want to extract some > > verification output "show commands" from a large number of devices. > > > > What kind of scripting solutions you guys are using this case. > > Hi Abdullah, > > rancid ? > > http://www.shrubbery.net/rancid/ > > Cheers, > Phil > Back in the day (~2001 era) I used expect to do a lot of tasks across (in that day) telnet. 
http://www.linuxjournal.com/article/3065 Good Luck, ~k From kmedcalf at dessus.com Sun Jan 15 12:49:22 2012 From: kmedcalf at dessus.com (Keith Medcalf) Date: Sun, 15 Jan 2012 11:49:22 -0700 Subject: Whois 172/12 In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Message-ID: <4317db7bf189e74dad2ded425777378e@mail.dessus.com> As port 137 is the Netbios Name Service port are you *sure* this is a port scan and not a windows box (or other OS running NetBIOS crud) that simply has fat-fingered addresses configured? --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org > -----Original Message----- > From: Ted Fischer [mailto:ted at fred.net] > Sent: Sunday, 15 January, 2012 01:20 > To: nanog at nanog.org > Subject: Re: Whois 172/12 > > Thanks for the replies so far, but not what I was looking for. > > I should have specified that I've done several ns & dig lookups just to > make sure. > > We were supposed to have lit up the last of IPv4 last year. I would have > presumed that meant that there was nothing left. Since I can't find a > reference to 172/12 anywhere, one might be led to presume that it was > allocated somehow, to someone (perhaps inadvertently not recorded) since > there are - supposedly - no fresh IPv4 addresses left to allocate, and the > only reference to this block is that 172/8 is allocated to ARIN. It > doesn't even appear in RFC 5735. > > We all know about 172.16/12 - nothing left of that horse but glue. > > My question is about 172/12. Where is it, what is its supposed purpose? > I'm almost sure it's an internal box. I just find it better to give a > professional answer to "why can't I use this" than just "you can't use > this and why is this address scanning you for udp/137 anyway". > > If someone can point out to me what was done with 172/12 I'd appreciate it. > > > Patrick opined: > > Read RFC1918. > > I didn't remember seeing anything about 172/12 in RFC1918. Looked at it > again. 
Is there something about 172/12 I missed? Thanks. > > > Likely a machine on his local network (i.e. behind the same NAT box) is > > hitting him. > > > > But that is not guaranteed. A packet with a source address of 172.0.x.x > > could be hitting his machine. Depends on how well you filter. Many > > networks only look at destination IP address, source can be anything - > > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back > > to it (unless it was on the local LAN, as I mention above). > > > > -- > > TTFN, > > patrick > > > > > > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: > > > >> As far as I know, 172.0.1.216 is not assigned, yet. > >> > >> whois -h whois.arin.net 172.0.1.216 > >> [whois.arin.net] > >> # > >> # Query terms are ambiguous. The query is assumed to be: > >> # "n 172.0.1.216" > >> # > >> # Use "?" to get help. > >> # > >> > >> No match found for 172.0.1.216. > >> > >> > >> > >> # > >> # ARIN WHOIS data and services are subject to the Terms of Use > >> # available at: https://www.arin.net/whois_tou.html > >> # > >> > >> Also, when you check BGP routing table, it is not routed at all. > >> > >> route-server.as3257.net>sh ip bgp 172.0.1.216 > >> % Network not in table > >> route-server.as3257.net> > >> > >> So it seems like forged IP address. > >> > >> Alex > >> > >> > >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: > >>> Hi all, > >>> > >>> Tearing what's left of my hair out. > >>> > >>> A customer is getting scanned by a host claiming to be "172.0.1.216". > >>> > >>> I know this is bogus, but I want to go back to the customer with as > >>> much authoritative umph as I can (heaven forbid they just take my > >>> word). > >>> > >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or > >>> something like that. All I can find now is that 172/8 is "administered > >>> by > >>> ARIN". Lots of information on 172.16/12, but not a peep about > >>> 172/12. 
> >>> > >>> If anybody could provide some insight as to the > >>> allocation/non-allocation of this block, it would be much appreciated. > >>> > >>> Thanks. > >>> > >>> Ted Fischer > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >> > > > > > > > > From scot.loach at gmail.com Sun Jan 15 12:56:45 2012 From: scot.loach at gmail.com (Scot Loach) Date: Sun, 15 Jan 2012 13:56:45 -0500 Subject: NANOG Digest, Vol 48, Issue 41 In-Reply-To: References: Message-ID: On 1/15/12, nanog-request at nanog.org wrote: > Send NANOG mailing list submissions to > nanog at nanog.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mailman.nanog.org/mailman/listinfo/nanog > or, via email, send a message with subject or body 'help' to > nanog-request at nanog.org > > You can reach the person managing the list at > nanog-owner at nanog.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of NANOG digest..." > > > Today's Topics: > > 1. Re: Whois 172/12 (Alex Ryu) > 2. RE: Whois 172/12 (Network IP Dog) > 3. Re: Monday Night Footbal -- on Google? (Mark Tinka) > 4. Re: Whois 172/12 (Suresh Ramasubramanian) > 5. Re: Whois 172/12 (Jay Moran) > 6. accessing multiple devices via a script (Abdullah Al-Malki) > 7. Re: accessing multiple devices via a script (Phil Regnauld) > 8. Re: accessing multiple devices via a script (Joel jaeggli) > 9. Re: accessing multiple devices via a script (Justin Krejci) > 10. Re: accessing multiple devices via a script (Kurth Bemis) > 11. RE: Whois 172/12 (Keith Medcalf) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 15 Jan 2012 09:43:24 -0600 > From: Alex Ryu > To: bmanning at vacation.karoshi.com > Cc: nanog at nanog.org > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Similar to 1.0.0.0/8 case, which was allocated to APNIC last year or so... 
> > > On Sun, Jan 15, 2012 at 6:47 AM, wrote: >> On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote: >>> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sun Jan 15 >>> > 02:02:00 2012 >>> > Subject: Re: Whois 172/12 >>> > From: "Patrick W. Gilmore" >>> > Date: Sun, 15 Jan 2012 02:58:11 -0500 >>> > To: NANOG list >>> > >>> > Read RFC1918. >>> > >>> > Likely a machine on his local network (i.e. behind the same NAT box) is >>> > hitting him. >>> >>> >>> Patrick, >>> I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the >>> OP >>> was asking about. 172.16/12, yes, but not 172.0/12. Can you please >>> clarify >>> your advice? >>> >>> ZZ >> >> >> so as a stylistic point, 172/12 is supposed to equal >> 172.0.0.0/12? >> >> if memory serves, back in the day, there were records of >> allocations in this space, >> pre-ARIN. When RFC 1918 was settled on, there were some folks >> blocking 172.0.0.0/8 >> so there was talk of relocating those folks into other space. >> >> /bill >> > > > > ------------------------------ > > Message: 2 > Date: Sun, 15 Jan 2012 08:16:42 -0800 > From: "Network IP Dog" > To: "'Suresh Ramasubramanian'" , "'Patrick W. > Gilmore'" > Cc: 'NANOG list' > Subject: RE: Whois 172/12 > Message-ID: <4f12fbf5.a24de70a.66e1.fffff79b at mx.google.com> > Content-Type: text/plain; charset="UTF-8" > > Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is > mostly unallocated. > > What's with the language? > > Ephesians 4:32 & Cheers!!! > > -----Original Message----- > From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com] > Sent: Sunday, January 15, 2012 12:35 AM > To: Patrick W. Gilmore > Cc: NANOG list > Subject: Re: Whois 172/12 > > Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly > unallocated. > > On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore > wrote: >> Read RFC1918. >> >> Likely a machine on his local network (i.e.
behind the same NAT box) is >> hitting him. >> >> But that is not guaranteed. A packet with a source address of 172.0.x.x > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > > > > > ------------------------------ > > Message: 3 > Date: Mon, 16 Jan 2012 00:17:55 +0800 > From: Mark Tinka > To: nanog at nanog.org > Subject: Re: Monday Night Footbal -- on Google? > Message-ID: <201201160017.59546.mtinka at globaltransit.net> > Content-Type: text/plain; charset="us-ascii" > > On Thursday, January 12, 2012 12:06:42 PM Jay Ashworth > wrote: > >> I'm not saying you need the whole 19mbps (though, >> remember here, we are not talking about "Additional >> Carriage"; we are talking about *being the only way >> people can see that game* -- and my example was the >> Super Bowl).. but unless MPEG algorithms have gotten >> *much* better than I'm aware of, 5mb/s is probably not >> enough for the Super Bowl. And you'd really be better >> off with some FEC, too, even if it costs you a couple >> frames extra delay. > > For broadcast networks, what we're seeing they like is that > unlike satellite transmissions, there is more flexibility > for them on IP (IPTv), which would let them lift compression > rates and pack more data into a stream. > > But because most of them are primarily satellite > broadcasting houses, only starting to roll-out IPTv, they > need to maintain parity on both transmission media. > > Whatever the case, 5Mbps would be too low. At 1080i, we have > a customer pushing HD channels at about 13Mbps a piece, give > or take. > > Mark. > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 836 bytes > Desc: This is a digitally signed message part. 
> URL: > > > ------------------------------ > > Message: 4 > Date: Sun, 15 Jan 2012 21:59:53 +0530 > From: Suresh Ramasubramanian > To: Network IP Dog > Cc: NANOG list > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=UTF-8 > > So kind, compassionate and forgiving that I'll buy Patrick a beer when > I see him next, it's been a long time. > > --srs > > On Sun, Jan 15, 2012 at 9:46 PM, Network IP Dog > wrote: >> Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is >> mostly unallocated. >> >> What's with the language? >> >> Ephesians 4:32 & Cheers!!! > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > > > > ------------------------------ > > Message: 5 > Date: Sun, 15 Jan 2012 11:39:48 -0500 > From: Jay Moran > To: NANOG > Subject: Re: Whois 172/12 > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > On Sun, Jan 15, 2012 at 8:54 AM, Jon Lewis wrote: > > >> AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking >> at a BGP table, I'd say they're by far the largest user (one of the only) >> in that /8. >> > > We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks > represent our dial-up ISP customers that can't seem to get broadband or for > whatever reason, stay on dial-up. Also pretty amazing is how high the > simultaneous user count has stayed; guess the folks that left weren't the > ones on in the evenings between 7-10pm ET. We (mostly me) are looking into > solutions to be able to remove the reliance on this space. Unfortunately, > most of the developers, who created the various servers/applications that > dole out these addresses, all left in the late 90's with some pretty fat > wallets; at this point... it's an archeology dig.
> > Jay > -- > Jay Moran > http://tp.org/jay > > > ------------------------------ > > Message: 6 > Date: Sun, 15 Jan 2012 20:52:50 +0300 > From: Abdullah Al-Malki > To: nanog at nanog.org > Subject: accessing multiple devices via a script > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > > ------------------------------ > > Message: 7 > Date: Sun, 15 Jan 2012 18:56:55 +0100 > From: Phil Regnauld > To: Abdullah Al-Malki > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <20120115175655.GB35765 at macbook.bluepipe.net> > Content-Type: text/plain; charset=us-ascii > > Abdullah Al-Malki (a.almalki1402) writes: >> Hi fellows, >> I am supporting a big service provider and sometimes I face this problem. >> Sometimes I want to access my customer network and want to extract some >> verification output "show commands" from a large number of devices. >> >> What kind of scripting solutions you guys are using this case. > > Hi Abdullah, > > rancid ? > > http://www.shrubbery.net/rancid/ > > Cheers, > Phil > > > > ------------------------------ > > Message: 8 > Date: Sun, 15 Jan 2012 10:01:29 -0800 > From: Joel jaeggli > To: Phil Regnauld > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <4F131479.6040805 at bogus.com> > Content-Type: text/plain; charset=ISO-8859-1 > > On 1/15/12 09:56 , Phil Regnauld wrote: >> Abdullah Al-Malki (a.almalki1402) writes: >>> Hi fellows, >>> I am supporting a big service provider and sometimes I face this problem. 
>>> Sometimes I want to access my customer network and want to extract some >>> verification output "show commands" from a large number of devices. >>> >>> What kind of scripting solutions you guys are using this case. >> >> Hi Abdullah, >> >> rancid ? >> >> http://www.shrubbery.net/rancid/ > > clogin from rancid features prominently in a lot of our network level > automation... > > so does pdsh... > > http://code.google.com/p/pdsh/ > > Particularly when it involves hosts. > >> Cheers, >> Phil >> > > > > > ------------------------------ > > Message: 9 > Date: Sun, 15 Jan 2012 18:41:09 +0000 > From: "Justin Krejci" > To: "Abdullah Al-Malki" , nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: > <1400261429-1326652872-cardhu_decombobulator_blackberry.rim.net-359265357- at b1.c4.bise6.blackberry> > > Content-Type: text/plain > > Parallel ssh (pssh) might help you too > > > ------Original Message------ > From: Abdullah Al-Malki > To: nanog at nanog.org > Subject: accessing multiple devices via a script > Sent: Jan 15, 2012 11:52 AM > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > > > > ------------------------------ > > Message: 10 > Date: Sun, 15 Jan 2012 13:46:13 -0500 > From: Kurth Bemis > To: Phil Regnauld > Cc: nanog at nanog.org > Subject: Re: accessing multiple devices via a script > Message-ID: <1326653173.3288.4.camel at kurth-gsm> > Content-Type: text/plain; charset="UTF-8" > > On Sun, 2012-01-15 at 18:56 +0100, Phil Regnauld wrote: >> Abdullah Al-Malki (a.almalki1402) writes: >> > Hi fellows, >> > I am supporting a big service provider and sometimes I face this >> > problem. 
>> > Sometimes I want to access my customer network and want to extract some >> > verification output "show commands" from a large number of devices. >> > >> > What kind of scripting solutions you guys are using this case. >> >> Hi Abdullah, >> >> rancid ? >> >> http://www.shrubbery.net/rancid/ >> >> Cheers, >> Phil >> > > Back in the day (~2001 era) I used expect to do a lot of tasks across > (in that day) telnet. > > http://www.linuxjournal.com/article/3065 > > Good Luck, > ~k > > > > > ------------------------------ > > Message: 11 > Date: Sun, 15 Jan 2012 11:49:22 -0700 > From: "Keith Medcalf" > To: "nanog at nanog.org" > Subject: RE: Whois 172/12 > Message-ID: <4317db7bf189e74dad2ded425777378e at mail.dessus.com> > Content-Type: text/plain; charset="iso-8859-1" > > > As port 137 is the Netbios Name Service port are you *sure* this is a port > scan and not a windows box (or other OS running NetBIOS crud) that simply > has fat-fingered addresses configured? > > > --- > () ascii ribbon campaign against html e-mail > /\ www.asciiribbon.org > > >> -----Original Message----- >> From: Ted Fischer [mailto:ted at fred.net] >> Sent: Sunday, 15 January, 2012 01:20 >> To: nanog at nanog.org >> Subject: Re: Whois 172/12 >> >> Thanks for the replies so far, but not what I was looking for. >> >> I should have specified that I've done several ns & dig lookups just to >> make sure. >> >> We were supposed to have lit up the last of IPv4 last year. I would have >> presumed that meant that there was nothing left. Since I can't find a >> reference to 172/12 anywhere, one might be led to presume that it was >> allocated somehow, to someone (perhaps inadvertently not recorded) since >> there are - supposedly - no fresh IPv4 addresses left to allocate, and the >> only reference to this block is that 172/8 is allocated to ARIN. It >> doesn't even appear in RFC 5735. >> >> We all know about 172.16/12 - nothing left of that horse but glue. >> >> My question is about 172/12.
Where is it, what is it's supposed purpose. >> I'm almost sure it's an internal box. I just find it better to give a >> professional answer to "why can't I use this" than just "you can't use >> this and why is this address scanning you for udp/137 anyway". >> >> If someone can point out to me what was done with 172/12 I'd appreciate >> it. >> >> >> Patrick opined: >> > Read RFC1918. >> >> I didn't remember seeing anything about 172/12 in RFC1918. Looked at it >> again. Is there something about 172/12 I missed? Thanks. >> >> > Likely a machine on his local network (i.e. behind the same NAT box) is >> > hitting him. >> > >> > But that is not guaranteed. A packet with a source address of 172.0.x.x >> > could be hitting his machine. Depends on how well you filter. Many >> > networks only look at destination IP address, source can be anything - >> > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back >> > to it (unless it was on the local LAN, as I mention above). >> > >> > -- >> > TTFN, >> > patrick >> > >> > >> > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote: >> > >> >> As far as I know, 172.0.1.216 is not assigned, yet. >> >> >> >> whois -h whois.arin.net 172.0.1.216 >> >> [whois.arin.net] >> >> # >> >> # Query terms are ambiguous. The query is assumed to be: >> >> # "n 172.0.1.216" >> >> # >> >> # Use "?" to get help. >> >> # >> >> >> >> No match found for 172.0.1.216. >> >> >> >> >> >> >> >> # >> >> # ARIN WHOIS data and services are subject to the Terms of Use >> >> # available at: https://www.arin.net/whois_tou.html >> >> # >> >> >> >> Also, when you check BGP routing table, it is not routed at all. >> >> >> >> route-server.as3257.net>sh ip bgp 172.0.1.216 >> >> % Network not in table >> >> route-server.as3257.net> >> >> >> >> So it seems like forged IP address. >> >> >> >> Alex >> >> >> >> >> >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer wrote: >> >>> Hi all, >> >>> >> >>> Tearing what's left of my hair out. 
>> >>> >> >>> A customer is getting scanned by a host claiming to be >> >>> "172.0.1.216". >> >>> >> >>> I know this is bogus, but I want to go back to the customer with as >> >>> much authoritative umph as I can (heaven forbid they just take my >> >>> word). >> >>> >> >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or >> >>> something like that. All I can find now is that 172/8 is >> >>> "administered >> >>> by >> >>> ARIN". Lots of information on 172.16/12, but not a peep about >> >>> 172/12. >> >>> >> >>> If anybody could provide some insight as to the >> >>> allocation/non-allocation of this block, it would be much appreciated. >> >>> >> >>> Thanks. >> >>> >> >>> Ted Fischer >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >> >> > >> > >> > >> >> > > > > > > > > End of NANOG Digest, Vol 48, Issue 41 > ************************************* > -- Sent from my mobile device From tayeb.meftah at gmail.com Sat Jan 14 11:28:22 2012 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Sat, 14 Jan 2012 19:28:22 +0200 Subject: OpenTransit contact needed Message-ID: hello, if someone from opentransit is on this list, please contact me thank you Meftah Tayeb IT Consulting http://www.tmvoip.com/ phone: +21321656139 Mobile: +213660347746 __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From jhell at DataIX.net Sun Jan 15 13:11:02 2012 From: jhell at DataIX.net (Jason Hellenthal) Date: Sun, 15 Jan 2012 14:11:02 -0500 Subject: NANOG Digest, Vol 48, Issue 41 In-Reply-To: References: Message-ID: <20120115191102.GA7697@DataIX.net> On Sun, Jan 15, 2012 at 01:56:45PM -0500, Scot Loach wrote: > On 1/15/12, nanog-request at nanog.org wrote: > > > > When replying, please edit your Subject line so it is more specific > > than "Re: Contents of NANOG digest..." > > These are good tips. 
Might also help to strip some of the context from what you are replying to as well.

From rhys at rhavenindustrys.com Sun Jan 15 13:13:24 2012 From: rhys at rhavenindustrys.com (Rhys Rhaven) Date: Sun, 15 Jan 2012 13:13:24 -0600 Subject: accessing multiple devices via a script In-Reply-To: References: Message-ID: <4F132554.3030805@rhavenindustrys.com> I do this with cluster-ssh, as in some networks I have a generic script-daemon login that I use to log into them all simultaneously. cssh uses tk and xterm, so it's a bit long in the tooth. New hotness to do this is something like keyboardcast, which can broadcast keyboard input to however many windows you want. It's currently broken on Ubuntu 11.10, but I think it works in .04. On 01/15/2012 11:52 AM, Abdullah Al-Malki wrote: > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah

From saku at ytti.fi Sun Jan 15 13:14:56 2012 From: saku at ytti.fi (Saku Ytti) Date: Sun, 15 Jan 2012 21:14:56 +0200 Subject: Monday Night Footbal -- on Google? In-Reply-To: References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> Message-ID: <20120115191456.GA25486@pob.ytti.fi> On (2012-01-11 17:45 -0500), Justin M. Streiner wrote: > >If multicast is used it shouldn't take 150pbps, it should be much lower. > > That could be one of the things that helps spur v6 adoption - > multicast being somewhat less of an afterthought :) > > While v4 multicast works, and delivering video is one of the things > it can do very well, some networks don't route v4 multicast or > exchange v4 multicast prefixes, so its utility on a wide scale can > be limited.
This is misguided, IPV6 does no magic to help scale multicast to Internet scale compared to IPV4. Scaling multicast to Internet scale would make our core routers essentially flow based routers. And as there is finite amount of how many of these flows you could hold, we would need some way to globally regulate how and who can push their content as multicast and save lot of money and who will have to pay the full price. Those who are left out, might feel like multicast is used to stop competition. Now maybe we could specify some sort of stateless 'manycast' in IPv6, where you'd map destination AS numbers as source address. Needing to send only one copy of traffic per destination ASN (or less if you can map multiple ASN in source address), and then destination ASN would need to have Magic Box to do stateful magic and could cherry-pick what they care about. But that's lot of complexity for very incomplete solution, as it would only remove states from transit. -- ++ytti From creynolds at tsieda.com Sun Jan 15 13:21:43 2012 From: creynolds at tsieda.com (Chuck Reynolds) Date: Sun, 15 Jan 2012 14:21:43 -0500 Subject: accessing multiple devices via a script In-Reply-To: References: Message-ID: <007e01ccd3ba$ec07be50$c4173af0$@com> Hi Abdullah - Have you seen the new Resource Manager product from QualiSystems? It has this capability built into it and out of the box to support large numbers of devices. Let me know off line where you are located and I can hook you up. Regards, Chuck -----Original Message----- From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com] Sent: Sunday, January 15, 2012 12:53 PM To: nanog at nanog.org Subject: accessing multiple devices via a script Hi fellows, I am supporting a big service provider and sometimes I face this problem. Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices. What kind of scripting solutions you guys are using this case. 
Appreciate the feedback, Abdullah From kking at yammer-inc.com Sun Jan 15 13:30:46 2012 From: kking at yammer-inc.com (Ken King) Date: Sun, 15 Jan 2012 11:30:46 -0800 Subject: enterprise 802.11 Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones. we can see hundreds of access points in close proximity to our new office space. what are the thoughts these days on the best enterprise solution/vendor? Thanks for your replies. Ken King From streiner at cluebyfour.org Sun Jan 15 09:39:12 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Sun, 15 Jan 2012 10:39:12 -0500 (EST) Subject: Whois 172/12 In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net> <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net> Message-ID: On Sun, 15 Jan 2012, Ted Fischer wrote: > Thanks for the replies so far, but not what I was looking for. > > I should have specified that I've done several ns & dig lookups just to > make sure. > > We were supposed to have lit up the last of IPv4 last year. I would have > presumed that meant that there was nothing left. Since I can't find a > reference to 172/12 anywhere, one might be led to presume that it was > allocated somehow, to someone (perhaps inadvertently not recorded) since > there are - supposedly - no fresh IPv4 addresses left to allocate, and the > only reference to this block is that 172/8 is allocated to ARIN. It > doesn't even appear in RFC 5735. While IANA allocated the last of the free IPv4 address pool to the 5 recognized RIRs on 3 Feb 2011, that doesn't mean that all of those IPv4 addresses were immediately assigned to providers or end-users. 
The RIRs will exhaust their supplies of assignable IPv4 address space at different times, depending on their 'end game' assignment strategies and their overall consumption rate. APNIC exhausted most of their available address space by last April. 172/8 was a legacy block, from which 172.16/12 was allocated for RFC 1918. Looking at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml shows many of the legacy allocations being administered by ARIN, but also a few being administered by RIPE and APNIC. There is a difference between an RIR being tasked with administering a chunk of legacy space and being officially allocated a chunk of space by IANA. In the case of 172/8, it was allocated in the InterNIC days, so users could be scattered all over the world, but ARIN handles in-addr.arpa delegation for it. Since ARIN was not (as far as I know) formally tasked with allocating remaining space from 172/8, that space will not be assigned to SPs or users by ARIN. > My question is about 172/12. Where is it, what is its supposed purpose. > I'm almost sure it's an internal box. I just find it better to give a > professional answer to "why can't I use this" than just "you can't use > this and why is this address scanning you for udp/137 anyway". As others have pointed out, if 172.0.0.0/12 or some subset of it doesn't exist in the global routing table, then the packets you saw are either coming from outside of your network - spoofed - or coming from somewhere inside your network. > If someone can point out to me what was done with 172/12 I'd appreciate it. I'm not aware of anything more detailed than what I've noted above or what other posters have contributed to this thread.
jms From tayeb.meftah at gmail.com Sat Jan 14 11:59:03 2012 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Sat, 14 Jan 2012 19:59:03 +0200 Subject: enterprise 802.11 References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: Ubiquity or ubikity, maybe is miss spelled Someone correct the spelling for him please thank you ----- Original Message ----- From: "Ken King" To: Sent: Sunday, January 15, 2012 9:30 PM Subject: enterprise 802.11 I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones. we can see hundreds of access points in close proximity to our new office space. what are the thoughts these days on the best enterprise solution/vendor? Thanks for your replies. Ken King __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From rhys at rhavenindustrys.com Sun Jan 15 13:42:29 2012 From: rhys at rhavenindustrys.com (Rhys Rhaven) Date: Sun, 15 Jan 2012 13:42:29 -0600 Subject: accessing multiple devices via a script In-Reply-To: <007e01ccd3ba$ec07be50$c4173af0$@com> References: <007e01ccd3ba$ec07be50$c4173af0$@com> Message-ID: <4F132C25.3080608@rhavenindustrys.com> Is "full disclosure" expected on NANOG, or is it just polite? Like mentioning that Chuck Reynolds is a salesman for QualiSystems, and not just another network operator passing on what they might think will help? On 01/15/2012 01:21 PM, Chuck Reynolds wrote: > Hi Abdullah - Have you seen the new Resource Manager product from > QualiSystems? It has this capability built into it and out of the box to > support large numbers of devices. > > Let me know off line where you are located and I can hook you up. 
> > Regards, > > Chuck > > > -----Original Message----- > From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com] > Sent: Sunday, January 15, 2012 12:53 PM > To: nanog at nanog.org > Subject: accessing multiple devices via a script > > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions you guys are using this case. > > Appreciate the feedback, > Abdullah > > From tony at lavanauts.org Sun Jan 15 13:47:19 2012 From: tony at lavanauts.org (Antonio Querubin) Date: Sun, 15 Jan 2012 09:47:19 -1000 (HST) Subject: Monday Night Footbal -- on Google? In-Reply-To: <20120115191456.GA25486@pob.ytti.fi> References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> Message-ID: On Sun, 15 Jan 2012, Saku Ytti wrote: > This is misguided, IPV6 does no magic to help scale multicast to Internet > scale compared to IPV4. Actually, IPv6 embedded RP improves scalability over IPv4 MSDP peering and ASM. -- Antonio Querubin e-mail: tony at lavanauts.org xmpp: antonioquerubin at gmail.com From sh.vahabzadeh at gmail.com Sun Jan 15 13:48:28 2012 From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh) Date: Sun, 15 Jan 2012 23:18:28 +0330 Subject: accessing multiple devices via a script In-Reply-To: <4F132C25.3080608@rhavenindustrys.com> References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com> Message-ID: Like Rhys Rhaven. On Sun, Jan 15, 2012 at 11:12 PM, Rhys Rhaven wrote: > Is "full disclosure" expected on NANOG, or is it just polite? Like > mentioning that Chuck Reynolds is a salesman for QualiSystems, and not > just another network operator passing on what they might think will help? 
> > On 01/15/2012 01:21 PM, Chuck Reynolds wrote: > > Hi Abdullah - Have you seen the new Resource Manager product from > > QualiSystems? It has this capability built into it and out of the box to > > support large numbers of devices. > > > > Let me know off line where you are located and I can hook you up. > > > > Regards, > > > > Chuck > > > > > > -----Original Message----- > > From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com] > > Sent: Sunday, January 15, 2012 12:53 PM > > To: nanog at nanog.org > > Subject: accessing multiple devices via a script > > > > Hi fellows, > > I am supporting a big service provider and sometimes I face this problem. > > Sometimes I want to access my customer network and want to extract some > > verification output "show commands" from a large number of devices. > > > > What kind of scripting solutions you guys are using this case. > > > > Appreciate the feedback, > > Abdullah > > > > > > > -- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From mike.lyon at gmail.com Sun Jan 15 13:53:40 2012 From: mike.lyon at gmail.com (Mike Lyon) Date: Sun, 15 Jan 2012 11:53:40 -0800 Subject: enterprise 802.11 In-Reply-To: References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> Message-ID: <-6994651995925716053@unknownmsgid> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless. However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well. Hit me up offlist if you have any questions.
-mike

Sent from my iPhone

On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:

> Ubiquity
> or ubikity, maybe it is misspelled
> Someone correct the spelling for him please
> thank you
> ----- Original Message ----- From: "Ken King"
> To:
> Sent: Sunday, January 15, 2012 9:30 PM
> Subject: enterprise 802.11
>
>
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
>
> Ken King
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com

From saku at ytti.fi Sun Jan 15 13:56:18 2012
From: saku at ytti.fi (Saku Ytti)
Date: Sun, 15 Jan 2012 21:56:18 +0200
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi>
Message-ID: <20120115195618.GA25502@pob.ytti.fi>

On (2012-01-15 09:47 -1000), Antonio Querubin wrote:

> >This is misguided, IPV6 does no magic to help scale multicast to Internet
> >scale compared to IPV4.
>
> Actually, IPv6 embedded RP improves scalability over IPv4 MSDP
> peering and ASM.

Unfortunately that does exactly nothing to help with Internet scale.

Now scaling for your local environment embedded RP might be beneficial, but actual practical applications where you need ASM are very few.
--
++ytti

From eyeronic.design at gmail.com Sun Jan 15 13:57:01 2012
From: eyeronic.design at gmail.com (Mike Hale)
Date: Sun, 15 Jan 2012 11:57:01 -0800
Subject: enterprise 802.11
In-Reply-To: <-6994651995925716053@unknownmsgid>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID:

Cisco's wireless solutions are pretty badass. The APs I've used are absolutely rock solid. Set up will take a bit of time, but once you're done, maintenance is minimal.
From streiner at cluebyfour.org Sun Jan 15 10:14:38 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Sun, 15 Jan 2012 11:14:38 -0500 (EST)
Subject: accessing multiple devices via a script
In-Reply-To: <4F132C25.3080608@rhavenindustrys.com>
References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com>
Message-ID:

On Sun, 15 Jan 2012, Rhys Rhaven wrote:

> Is "full disclosure" expected on NANOG, or is it just polite? Like
> mentioning that Chuck Reynolds is a salesman for QualiSystems, and not
> just another network operator passing on what they might think will help?

I think it's reasonable to expect that sales people identify themselves as such - including what vendor or re-seller they represent - on technical mailing lists. If sales solicitations are not permitted on the list, then it's also reasonable to expect that sales people respect that rule, same as everyone else on the list.

jms

From rhys at rhavenindustrys.com Sun Jan 15 14:13:11 2012
From: rhys at rhavenindustrys.com (Rhys Rhaven)
Date: Sun, 15 Jan 2012 14:13:11 -0600
Subject: accessing multiple devices via a script
In-Reply-To:
References: <007e01ccd3ba$ec07be50$c4173af0$@com> <4F132C25.3080608@rhavenindustrys.com>
Message-ID: <4F133357.60902@rhavenindustrys.com>

Pseudonyms and declaring conflicts of interest are two separate things.

On 01/15/2012 01:48 PM, Shahab Vahabzadeh wrote:

> Like Rhys Rhaven.
From nathan at atlasnetworks.us Sun Jan 15 14:52:49 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Sun, 15 Jan 2012 20:52:49 +0000
Subject: enterprise 802.11
In-Reply-To: <-6994651995925716053@unknownmsgid>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>

Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence.
They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.

In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.

If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.

And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.

Nathan
From seth.mos at dds.nl Sun Jan 15 14:55:24 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Sun, 15 Jan 2012 21:55:24 +0100
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID:

Hi,

We chose the 3Com, now H3C, wx3012 controller and AP9552 access points. Initial issues were that BlackBerrys could not connect to the wifi; the support initially was mediocre. Do note that this was at the time that everything got sold to HP. And they did pick up the issue and came around with a fix in about a month's time.

It's been working swell since then. I mean, the spelling errors in the UI I can live with. It's been stable so far. It was also by far the most reasonably priced. That counts for something.

VLANs, RADIUS, captive portal etc. worked for me. UI is good enough to use and diagnose clients.

Wireless coverage is ... well, it's wireless. Reliable wireless isn't. Unless it's 5GHz, and stopped by 1 floor or wall. I digress.

Regards,

Seth
From leigh.porter at ukbroadband.com Sun Jan 15 15:02:41 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Sun, 15 Jan 2012 21:02:41 +0000
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <0F9F2509-8BEB-42F2-8D3D-FD1486894551@ukbroadband.com>

I use Ruckus in town and city installs and despite rather a lot of other APs it performs very well. I don't have experience of them in high connected station density though.

--
Leigh Porter

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From sh.vahabzadeh at gmail.com Sun Jan 15 15:26:02 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Mon, 16 Jan 2012 00:56:02 +0330
Subject: OSS Systems
In-Reply-To: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com>
Message-ID:

Hi there again,

I think Leigh is not available this week; does anybody else have an idea about such a system?
Which load balancer is good to use? LVS or a hardware one? Or RADIUS as a proxy? How must the database be placed? How do the RADIUS servers talk to the DB? And which RADIUS server do you suggest? Radiator?

Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote:

> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" wrote:
>
> > Hi there,
> > Has anybody experience of running an OSS System at enterprise level?
> > And do you have any idea about it?
> > For example for an ISP who is running more than 20K or 30K users, there
> > must be some good solutions to integrate all systems like:
> > Radius, Billing Systems and CRM
> > For example after searching and asking friends I have some ideas about
> > Radius to use: radiator
> > Is there anybody who has analysed such systems before in his ISP? Need
> > sharing here :)
> > Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated with salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From packetjockey at gmail.com Sun Jan 15 15:31:14 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Sun, 15 Jan 2012 16:31:14 -0500
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

I'd recommend Aruba. Not a fan of the Cisco wifi controller gear.

From network.ipdog at gmail.com Sun Jan 15 15:34:42 2012
From: network.ipdog at gmail.com (Network IP Dog)
Date: Sun, 15 Jan 2012 13:34:42 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <4f13467f.c557320a.721a.ffff9f84@mx.google.com>

Meraki... ;^)

http://www.meraki.com/

Ephesians 4:32 & Cheers!!!
From tayeb.meftah at gmail.com Sat Jan 14 13:58:45 2012
From: tayeb.meftah at gmail.com (Meftah Tayeb)
Date: Sat, 14 Jan 2012 21:58:45 +0200
Subject: enterprise 802.11
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <1F1F6DCFA8A84E958CBFCEA9F7277801@work>

Cisco made the controller only to buy it?
Ubiquity or Mikrotik. END!

----- Original Message -----
From: "Rafael Rodriguez"
To: "Ken King"
Cc:
Sent: Sunday, January 15, 2012 11:31 PM
Subject: Re: enterprise 802.11

> I'd recommend Aruba. Not a fan of the Cisco wifi controller gear.

__________ Information from ESET NOD32 Antivirus, version of virus signature database 6797 (20120115) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

From jared at puck.nether.net Sun Jan 15 15:40:03 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Sun, 15 Jan 2012 16:40:03 -0500
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <20120115195618.GA25502@pob.ytti.fi>
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi>
Message-ID: <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net>

On Jan 15, 2012, at 2:56 PM, Saku Ytti wrote:

> Unfortunately that does exactly nothing to help with Internet scale.
>
> Now scaling for your local environment embedded RP might be beneficial, but
> actual practical applications where you need ASM are very few.

Most vendors took out hardware multicast support and do it via recirculation these days.

I'm more interested in other topics, this would likely be served by a CDN, and I'm curious if any CDNs have started placing gear behind CGN/LSN.

I've also noticed some hotels and other 'guest net' folks capturing 4.2.2.1 and comparable open recursive name servers in-house. Two weeks ago I could ping 4.2.2.1 and get responses when TTL was set to 1 on my outgoing packets.

- Jared

From sh.vahabzadeh at gmail.com Sun Jan 15 15:41:40 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Mon, 16 Jan 2012 01:11:40 +0330
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

Anybody tried the "Proxim ORiNOCO AP-8000"? I have them in two airports and they really suck ;)
--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From joe at riversidecg.com Sun Jan 15 15:44:06 2012
From: joe at riversidecg.com (Joe Johnson)
Date: Sun, 15 Jan 2012 15:44:06 -0600
Subject: enterprise 802.11
In-Reply-To: <4f13467f.c557320a.721a.ffff9f84@mx.google.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <4f13467f.c557320a.721a.ffff9f84@mx.google.com>
Message-ID:

> Meraki... ;^)

Seconded!

Joe Johnson
Chief Information Officer
Riverside Consulting Group, Ltd.
Innovative Technology Solutions
365 Addison Road
Riverside, Illinois 60546
Phone: 708.442.6033 x3456
Fax: 708.443.4496
joe at riversidecg.com
www.riversidecg.com

From cb.list6 at gmail.com Sun Jan 15 15:51:18 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Sun, 15 Jan 2012 13:51:18 -0800
Subject: Monday Night Footbal -- on Google?
In-Reply-To: <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net>
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi> <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net>
Message-ID:

On Jan 15, 2012 1:40 PM, "Jared Mauch" wrote:

> I'm more interested in other topics, this would likely be served by a CDN,
> and I'm curious if any CDNs have started placing gear behind CGN/LSN.

CDNs have shown hesitation to receiving traffic from non-unique ipv4 space despite the obvious benefits of CGN bypass.
Cb

From netfortius at gmail.com Sun Jan 15 16:05:41 2012
From: netfortius at gmail.com (Stefan)
Date: Sun, 15 Jan 2012 16:05:41 -0600
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

+1 f/Aruba ... and check out the BlackHat conferences, also.

On Jan 15, 2012 3:31 PM, "Rafael Rodriguez" wrote:

> I'd recommend Aruba. Not a fan of the Cisco wifi controller gear.

From brent at brentrjones.com Sun Jan 15 15:09:13 2012
From: brent at brentrjones.com (Brent Jones)
Date: Sun, 15 Jan 2012 13:09:13 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

I have had great success with Ruckus Wireless gear, specifically their 7962 access points.
Our offices are pretty noisy radio environments; typically over 70 access points show up on scans, mostly in the 2.4 range though. We use WPA2 with 802.1X for auth, plus a guest zone managed by the Ruckus wireless controller. Works smoothly; haven't had any problems so far.

Part of my decision was based on a Tom's Hardware review of access points:

http://www.tomshardware.com/reviews/beamforming-wifi-ruckus,2390.html
http://www.tomshardware.com/reviews/wi-fi-performance,2985.html

Brent Jones

From scott at virtuaprise.com Sun Jan 15 17:26:26 2012
From: scott at virtuaprise.com (Scott Bethke)
Date: Sun, 15 Jan 2012 18:26:26 -0500
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <4f13467f.c557320a.721a.ffff9f84@mx.google.com>
Message-ID: <718EA5C8-C0ED-45DC-87B5-CD972100CD92@virtuaprise.com>

On Jan 15, 2012, at 4:44 PM, Joe Johnson wrote:

>> Meraki... ;^)
>
> Seconded!

I'd like to stick my neck out for Meraki also.. They rock.

-Scott

From os10rules at gmail.com Sun Jan 15 17:36:26 2012
From: os10rules at gmail.com (Greg Ihnen)
Date: Sun, 15 Jan 2012 19:06:26 -0430
Subject: enterprise 802.11
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID:

Since we're already top-posting?

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter are an issue. To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax.
Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.

Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.

Greg
>>> >>> http://www.eset.com >>> >>> >>> >>> >>> __________ Information from ESET NOD32 Antivirus, version of virus >> signature database 6793 (20120113) __________ >>> >>> The message was checked by ESET NOD32 Antivirus. >>> >>> http://www.eset.com >>> >>> >>> >>> >> > > From khatfield at socllc.net Sun Jan 15 17:40:11 2012 From: khatfield at socllc.net (khatfield at socllc.net) Date: Sun, 15 Jan 2012 18:40:11 -0500 (EST) Subject: OSS Systems In-Reply-To: References: <6E5615AD-CD76-4599-8164-2B6B41687751@ukbroadband.com> Message-ID: <1326670811.98616415@apps.rackspace.com> My personal opinion has been that we have seen great success in large environments with FreeRadius and using radrelay for mysql synchronization then an OpenLDAP-backend. We used FreeBSD/CARP and/or FreeVRRPd for failover but this can be accomplished in other methods. FreeRadius has a built-in CLUSTERIP module which allows clustering/load-balancing/failover or you could AnyCast the systems for redundancy. As for load balancing other Radius servers which may not have it built in - I would say a hardware solution is usually great because you get support, etc. However, if you don't need the support then there are a ton of options available. You could go as far as load balancing it with LVS (which I personally do not like but MANY do :)) or software load balancers like pen/pound/haproxy. Best of luck! -----Original Message----- From: "Shahab Vahabzadeh" Sent: Sunday, January 15, 2012 4:26pm To: "Leigh Porter" Cc: "nanog at nanog.org" Subject: Re: OSS Systems Hi there again, I think Leigh is not available this week, anybody else idea about such a system? Which loadbalancer is good to use? LVS or hardware one? or radius as a proxy? How database must be placed? How radius servers talk to DB? And which radius server you suggest? Radiator? 
Thanks

On Fri, Jan 6, 2012 at 1:45 AM, Leigh Porter wrote:

>
> On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh" wrote:
>
>> Hi there,
>> Has anybody experience about running an OSS system at enterprise level?
>> And do you have any idea about it?
>> For example for an ISP who is running more than 20K or 30K users, there
>> must be some good solutions to integrate all systems like:
>> Radius, Billing Systems and CRM
>> For example after searching and asking friends I have some ideas about
>> Radius to use: radiator
>> Is there anybody who has analysed such systems before in his ISP? Need
>> sharing here :)
>> Thanks
>
> We did this a few years ago and ended up writing the whole thing
> ourselves. This included billing, subscriber management etc etc.
>
> We integrated to salesforce.com for the internal front end and the user
> facing stuff we did ourselves.
>
> It was a big project and took a team of six about six months. But we ended
> up with a perfect solution that did exactly what we needed and it was
> pretty good.
>
> It handled within the order of users you mention, but we designed to 100k
> users.
>
> We used radiator (highly recommended) with openldap back end. Multiple
> load balanced servers etc etc.
>
> The worst thing we did was to build our own mail system. Not that it was
> an issue, it never went wrong, but these days I'd just send people to gmail
> or something.
>
> --
> Leigh Porter
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From mike.lyon at gmail.com Sun Jan 15 17:42:51 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Sun, 15 Jan 2012 15:42:51 -0800
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <-7665060707062421807@unknownmsgid>

Another one which looks promising for high-density locations is Xirrus (www.xirrus.com)

Haven't ever used them though.

-mike

Sent from my iPhone

On Jan 15, 2012, at 15:36, Greg Ihnen wrote:

> Since we're already top-posting?
>
> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.
>
> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>
> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP.
> You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>
> Stay away from "mesh" solutions and WDS where one AP repeats another, that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.
>
> Greg
>
> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
>
>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>>
>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>>
>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>>
>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>>
>> Nathan
>>
>>> -----Original Message-----
>>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>>> Sent: Sunday, January 15, 2012 11:54 AM
>>> To: Meftah Tayeb
>>> Cc: nanog at nanog.org
>>> Subject: Re: enterprise 802.11
>>>
>>> Ubiquiti (www.ubnt.com) has their Unifi line of products. It's still pretty new
>>> in the marketspace and thus, working out the bugs. I use their other products
>>> exclusively for outdoor wireless.
>>>
>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which
>>> supports 12 access points. They have controllers which support more APs as
>>> well.
>>>
>>> Hit me up offlist if you have any questions.
>>>
>>> -mike
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>
>>>> Ubiquity
>>>> or ubikity, maybe is misspelled
>>>> Someone correct the spelling for him please, thank you
>>>> ----- Original Message ----- From: "Ken King"
>>>> To:
>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>> Subject: enterprise 802.11
>>>>
>>>> I need to choose a wireless solution for a new office.
>>>>
>>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>>
>>>> we can see hundreds of access points in close proximity to our new office space.
>>>>
>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>>
>>>> Thanks for your replies.
>>>>
>>>> Ken King
>>>>

From jmkeller at houseofzen.org Sun Jan 15 18:12:07 2012
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Sun, 15 Jan 2012 19:12:07 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <4F136B57.9080207@houseofzen.org>

On 01/15/2012 12:52 PM, Abdullah Al-Malki wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah
>

clogin which is part of the RANCID suite. I've even done wrapper front ends that give operations device lists and configlets they can push with it. Or you can feed it command line options for one off pushes, etc.

--
-James

From sgtcasey at gmail.com Sun Jan 15 18:50:22 2012
From: sgtcasey at gmail.com (David Casey)
Date: Sun, 15 Jan 2012 17:50:22 -0700
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID:

I like Cisco's WLCs as well. Where I am working we have a few hundred APs at one of our sites with WLCs running the show. The 5500 controllers with CleanAir APs is awesome.

Dave

Sent from my iPad

On Jan 15, 2012, at 12:57, Mike Hale wrote:

> Cisco's wireless solutions are pretty badass. The APs I've used are
> absolutely rock solid. Set up will take a bit of time, but once you're
> done, maintenance is minimal.
> On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote:
>
>> Ubiquiti (www.ubnt.com) has their Unifi line of products. It's still
>> pretty new in the marketspace and thus, working out the bugs. I use
>> their other products exclusively for outdoor wireless.
>>
>> However, in the offices I've done, I've used Cisco's WLC 4402 controller
>> which supports 12 access points. They have controllers which support
>> more APs as well.
>>
>> Hit me up offlist if you have any questions.
>>
>> -mike
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>
>>> Ubiquity
>>> or ubikity, maybe is misspelled
>>> Someone correct the spelling for him please
>>> thank you
>>> ----- Original Message ----- From: "Ken King"
>>> To:
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>>
>>> I need to choose a wireless solution for a new office.
>>>
>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>
>>> we can see hundreds of access points in close proximity to our new office space.
>>>
>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>
>>> Thanks for your replies.
>>>
>>> Ken King
>>>

From jof at thejof.com Sun Jan 15 19:05:57 2012
From: jof at thejof.com (Jonathan Lassoff)
Date: Sun, 15 Jan 2012 17:05:57 -0800
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID:

On Sun, Jan 15, 2012 at 3:36 PM, Greg Ihnen wrote:
> Since we're already top-posting?
>
> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.
>
> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>
> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>
> Stay away from "mesh" solutions and WDS where one AP repeats another, that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.

After working in some WISP-like and access environments, I can corroborate that this is pretty much true. It becomes worse the lower the SNR is and the more that clients are spread out. It just makes the 'hidden node' problem worse.

Making APs as low power and "local" as possible is good advice. Where possible, feed everything with hardlines back to your Ethernet switching environment.
If client roaming and client-client traffic is important, using a central controller that can tunnel 802.11 frames over whatever wired L2 network you like is a good win. It means that to clients they can associate and/or authenticate to one AP and roam from place to place while keeping the same session to the controller.

As far as vendor gear goes, if roaming and client-client stuff isn't as important, Ubiquiti UniFi is great stuff for the price. Next rung up in my book would be Meraki, followed by Cisco or Aruba.

Good luck!

Cheers,
jof

From blake at pfankuch.me Sun Jan 15 19:39:23 2012
From: blake at pfankuch.me (Blake T. Pfankuch)
Date: Mon, 16 Jan 2012 01:39:23 +0000
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

I have been using PLINK (putty's lesser known sibling) scripts for some of our smaller customers to execute information gathering before a project in case of "excellent" documentation. I can usually whip up a script in a few minutes to get sh ru, sh ver and sh diag from 20 devices. Also been using it for a couple of small customers for config backup from webservers, switches, routers, firewalls and anything else with a telnet/ssh login.

Blake

-----Original Message-----
From: Abdullah Al-Malki [mailto:a.almalki1402 at gmail.com]
Sent: Sunday, January 15, 2012 10:53 AM
To: nanog at nanog.org
Subject: accessing multiple devices via a script

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some verification output "show commands" from a large number of devices.

What kind of scripting solutions are you guys using in this case?
Appreciate the feedback,
Abdullah

From dale.shaw+nanog at gmail.com Sun Jan 15 20:02:18 2012
From: dale.shaw+nanog at gmail.com (Dale Shaw)
Date: Mon, 16 Jan 2012 13:02:18 +1100
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

Hi Abdullah,

On Mon, Jan 16, 2012 at 4:52 AM, Abdullah Al-Malki wrote:
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?

Have a look at Notch: http://code.google.com/p/notch/

Other people have already mentioned RANCID, which I agree is a very handy set of tools and is worth investigating also.

Cheers,
Dale

From packetjockey at gmail.com Sun Jan 15 20:05:12 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Sun, 15 Jan 2012 21:05:12 -0500
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID:

If you're looking for something interactive, check out Mr. CLI

Sent from my iPhone

On Jan 15, 2012, at 12:52, Abdullah Al-Malki wrote:

> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah

From jkrejci at usinternet.com Sun Jan 15 20:09:22 2012
From: jkrejci at usinternet.com (Justin Krejci)
Date: Mon, 16 Jan 2012 02:09:22 +0000
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <905504983-1326679762-cardhu_decombobulator_blackberry.rim.net-779541151-@b1.c4.bise6.blackberry>

No one has mentioned Belair yet? Serves the Minneapolis network pretty well.

http://www.belairnetworks.com/

-----Original Message-----
From: Greg Ihnen
Date: Sun, 15 Jan 2012 19:06:26
To: Nathan Eisenberg
Cc: nanog at nanog.org
Subject: Re: enterprise 802.11

Since we're already top-posting?

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue.

To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP.
5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.

Stay away from "mesh" solutions and WDS where one AP repeats another, that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.

Greg

On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:

> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSIDs/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>
> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>
> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>
> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>
> Nathan
>
>> -----Original Message-----
>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>> Sent: Sunday, January 15, 2012 11:54 AM
>> To: Meftah Tayeb
>> Cc: nanog at nanog.org
>> Subject: Re: enterprise 802.11
>>
>> Ubiquiti (www.ubnt.com) has their Unifi line of products.
>> It's still pretty new
>> in the marketspace and thus, working out the bugs. I use their other products
>> exclusively for outdoor wireless.
>>
>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which
>> supports 12 access points. They have controllers which support more APs as
>> well.
>>
>> Hit me up offlist if you have any questions.
>>
>> -mike
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>
>>> Ubiquity
>>> or ubikity, maybe is misspelled
>>> Someone correct the spelling for him please, thank you
>>> ----- Original Message ----- From: "Ken King"
>>> To:
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>>
>>> I need to choose a wireless solution for a new office.
>>>
>>> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>>>
>>> we can see hundreds of access points in close proximity to our new office space.
>>>
>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>
>>> Thanks for your replies.
>>>
>>> Ken King
>>>

From r.engehausen at gmail.com Sun Jan 15 23:26:28 2012
From: r.engehausen at gmail.com (Roy)
Date: Sun, 15 Jan 2012 21:26:28 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <4F13B504.2090504@gmail.com>

On 1/15/2012 11:30 AM, Ken King wrote:
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
>
> Ken King
>

How about Unifi? http://www.ubnt.com/unifi

From nathan at atlasnetworks.us Sun Jan 15 23:38:24 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Mon, 16 Jan 2012 05:38:24 +0000
Subject: enterprise 802.11
In-Reply-To:
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B67383F@ex-mb-1.corp.atlasnetworks.us>

> Making APs as low power and "local" as possible is good advice

^ Ignoring this advice is one of the biggest mistakes people make. They think "Oh, I'll just drown out the noise", but the problem is almost never how well the clients can see the AP - it's the AP seeing the clients. It's hard to hear anyone talking when you're shouting! ;)

Low power, high AP density, and small channel widths are the way to go. The smaller channels keep theoretical bandwidth lower, but you end up with higher throughput in the end.

One other thing specific to the Unifis - they are meant to be ceiling or wall-mounted. They transmit and receive in a cone. They *DO NOT* work well if you set them on a table pointed at the ceiling. I've already seen a half dozen deployments of them done this way, just slapped on tables, and it *does not work*. In one case, moving them from the tables to the walls resulted in a 20x performance increase.
Nathan

From eugen at imacandi.net Sun Jan 15 23:49:48 2012
From: eugen at imacandi.net (Eugeniu Patrascu)
Date: Mon, 16 Jan 2012 07:49:48 +0200
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

On Sun, Jan 15, 2012 at 21:30, Ken King wrote:
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>

You may want to look at Ruckus Wireless. They are extremely easy to set up and they just work.

Eugeniu

From ryan.g at atwgpc.net Mon Jan 16 00:46:51 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Mon, 16 Jan 2012 00:46:51 -0600
Subject: Monday Night Footbal -- on Google?
In-Reply-To:
References: <3CC3117A8EF6FF439254141C02BF6E1417FF9FF8@mbx027-e1-nj-2.exch027.domain.local> <8359.1326331943@turing-police.cc.vt.edu> <20120115191456.GA25486@pob.ytti.fi> <20120115195618.GA25502@pob.ytti.fi> <3A75F85F-AE00-499E-9052-0005F506ADA6@puck.nether.net>
Message-ID:

It will be at least 9-10 years before Google could bid. I think the TV networks get a chance to renew before anyone else can even bid. Unless the NFL decides to do something with the NFL Network games they are likely SOL.

ESPN renewed their MNF contract through 2021.
http://www.nytimes.com/2011/09/09/sports/football/espn-extends-deal-with-nfl-for-15-billion.html

CBS, FOX, and NBC have renewed their contracts through 2022.
http://www.engadget.com/2011/12/19/nfl-renews-tv-deals-with-cbs-fox-nbc-for-nine-more-years-mone/

From ops.lists at gmail.com Mon Jan 16 03:16:20 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 16 Jan 2012 14:46:20 +0530
Subject: Paging Occaid - can someone please contact me
Message-ID:

I have a (grandfathered) free v6 tunnel from y'all and it went away today.

The endpoint isn't pingable, and email to occaid (@) cnacs.occaid.org and haesu (@) towardex.com both bounce.

thanks
--srs

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From m.hotze at hotze.com Mon Jan 16 06:47:14 2012
From: m.hotze at hotze.com (Martin Hotze)
Date: Mon, 16 Jan 2012 12:47:14 +0000
Subject: enterprise 802.11
Message-ID: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>

Hi,

the wireless itself is not the big problem, most of your devices (Mac) will be the problem (BTDTGNS). And my wild guess is that mobile phones will also be mostly iPhones, plus some iPads.

ZyXEL has good WLAN controllers, as does LANCOM. Both have very good products for the money. No need - IMHO - to look into $isco.

As for the iOS problem, read on here:

http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html

#m

> -----Original Message-----
> Date: Sun, 15 Jan 2012 11:30:46 -0800
> From: Ken King
> To: nanog at nanog.org
> Subject: enterprise 802.11
> Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321 at yammer-inc.com>
> Content-Type: text/plain; charset=us-ascii
>
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are MacBooks and mobile
> phones.
>
> we can see hundreds of access points in close proximity to our new office
> space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
>
> Ken King
>

From me at anuragbhatia.com Mon Jan 16 07:04:54 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Mon, 16 Jan 2012 18:34:54 +0530
Subject: Paging Occaid - can someone please contact me
In-Reply-To:
References:
Message-ID:

I would suggest using Tunnel Broker for a v6 tunnel. It performs pretty well and quite a large number of end points is available.

http://tunnelbroker.com

On Mon, Jan 16, 2012 at 2:46 PM, Suresh Ramasubramanian wrote:

> I have a (grandfathered) free v6 tunnel from y'all and it went away today.
>
> The endpoint isn't pingable, and email to occaid (@) cnacs.occaid.org
> and haesu (@) towardex.com both bounce.
>
> thanks
> --srs
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on an IPv6 connected network!

Twitter: @anurag_bhatia

From ops.lists at gmail.com Mon Jan 16 07:37:00 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 16 Jan 2012 19:07:00 +0530
Subject: Paging Occaid - can someone please contact me
In-Reply-To:
References:
Message-ID:

On Mon, Jan 16, 2012 at 2:46 PM, Suresh Ramasubramanian wrote:
> I have a (grandfathered) free v6 tunnel from y'all and it went away today.

Fixed. Thanks for the response

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From me at anuragbhatia.com Mon Jan 16 09:44:22 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Mon, 16 Jan 2012 21:14:22 +0530
Subject: enterprise 802.11
In-Reply-To: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>
References: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>
Message-ID:

Hi

I personally feel that more than devices, what matters is topology in deployment. I have used Cisco APs and they are pretty much fine. Ubnt - true, used a lot more for outside wifi deployment, specially for point to point (and multipoint) links.

You need to do a bit of site survey to get an idea of how many APs you really need.
Remember it's open spectrum and running different bands from adjacent APs, you get really high capacity. With more APs you can eventually re-use a lot of spectrum running them at low power till an extent it doesn't affect coverage.

Hope that will help.

On Mon, Jan 16, 2012 at 6:17 PM, Martin Hotze wrote:

> Hi,
>
> the wireless itself is not the big problem, most of your devices (Mac)
> will be the problem (BTDTGNS). And my wild guess is that mobile phones will
> also be mostly iPhones, plus some iPads.
>
> ZyXEL has good WLAN controllers, as does LANCOM. Both have very good
> products for the money. No need - IMHO - to look into $isco.
>
> As for the iOS problem, read on here:
>
> http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html
>
> #m
>
>
> > -----Original Message-----
> > Date: Sun, 15 Jan 2012 11:30:46 -0800
> > From: Ken King
> > To: nanog at nanog.org
> > Subject: enterprise 802.11
> > Message-ID: <36170983-EAA1-4BDD-B0AF-5B045FD53321 at yammer-inc.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > I need to choose a wireless solution for a new office.
> >
> > up to 600 devices will connect. most devices are MacBooks and mobile
> > phones.
> >
> > we can see hundreds of access points in close proximity to our new office
> > space.
> >
> > what are the thoughts these days on the best enterprise solution/vendor?
> >
> > Thanks for your replies.
> >
> >
> > Ken King
> >
>
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on an IPv6 connected network!
Twitter: @anurag_bhatia From m.hotze at hotze.com Mon Jan 16 09:49:20 2012 From: m.hotze at hotze.com (Martin Hotze) Date: Mon, 16 Jan 2012 15:49:20 +0000 Subject: enterprise 802.11 In-Reply-To: References: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local> Message-ID: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA37CCD@SBSSRV.hotze.local> a WLAN controller will help you detect rogue APs, rescan the area and also changing frequencies/channels in use (depending on configuration, etc.). but this will not replace a site survey. :) and it will not prevent you from having Macs on your network. #m From: Anurag Bhatia [mailto:me at anuragbhatia.com] Sent: Monday, January 16, 2012 4:44 PM To: Martin Hotze Cc: nanog at nanog.org Subject: Re: enterprise 802.11 (...) You need to do a bit of site survey to get idea of how many AP's you really need. Remember it's open spectrum and running different bands from adjacent AP's, you get really high capacity. With more AP's you can eventually re-use lot of spectrum running them at low power till an extent it doesn't effect coverage. (...) From os10rules at gmail.com Sun Jan 15 17:58:19 2012 From: os10rules at gmail.com (Greg Ihnen) Date: Sun, 15 Jan 2012 19:28:19 -0430 Subject: enterprise 802.11 In-Reply-To: <-7665060707062421807@unknownmsgid> References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> <-7665060707062421807@unknownmsgid> Message-ID: <4116F547-151D-4B2C-B100-8BA706DF7D55@gmail.com> Very cool. Because all the individual APs are in one enclosure and I assume are under control of one central controller, I bet they're sync'ing all the AP's transmitters to transmit and listen at the same time so the APs don't interfere with each other. Cisco does that in their Canopy line with GPS sync. 
Greg On Jan 15, 2012, at 7:12 PM, Mike Lyon wrote: > Another one which looks promising for high-density locations is Xirrus > (www.xirrus.com) > > Haven't ever used them though. > > -mike > > Sent from my iPhone > > On Jan 15, 2012, at 15:36, Greg Ihnen wrote: > >> Since we're already top-posting? >> >> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of who's brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter is an issue. >> >> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE. >> >> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHZ APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby. >> >> Stay away from "mesh" solutions and WDS where one AP repeats another, that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet. >> >> Greg >> >> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote: >> >>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). 
>>> In the original release, you had to have a management server running on the same L2 network as the Aps - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSID's/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>>>
>>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't backoff its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>>>
>>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>>>
>>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>>>
>>> Nathan
>>>
>>>> -----Original Message-----
>>>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>>>> Sent: Sunday, January 15, 2012 11:54 AM
>>>> To: Meftah Tayeb
>>>> Cc: nanog at nanog.org
>>>> Subject: Re: enterprise 802.11
>>>>
>>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new
>>>> in the marketspace and this, working out the bugs. I use their other products
>>>> exclusively for outdoor wireless.
>>>>
>>>> However, in the offices ive done, ive used Cisco's WLC 4402 controller which
>>>> supports 12 access points. They have controllers which support more APs as
>>>> well.
>>>>
>>>> Hit me up offlist if you have any questions.
>>>>
>>>> -mike
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>>
>>>>> Ubiquity
>>>>> or ubikity, maybe is miss spelled
>>>>> Someone correct the spelling for him please thank you
>>>>> ----- Original Message ----- From: "Ken King"
>>>>> To:
>>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>>> Subject: enterprise 802.11
>>>>>
>>>>> I need to choose a wireless solution for a new office.
>>>>>
>>>>> up to 600 devices will connect. most devices are mac books and mobile
>>>> phones.
>>>>>
>>>>> we can see hundreds of access points in close proximity to our new office
>>>> space.
>>>>>
>>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>>>
>>>>> Thanks for your replies.
>>>>>
>>>>> Ken King
>>>>>
>>>>> __________ Information from ESET NOD32 Antivirus, version of virus
>>>> signature database 6793 (20120113) __________
>>>>>
>>>>> The message was checked by ESET NOD32 Antivirus.
>>>>>
>>>>> http://www.eset.com
>>>>>
>>>>
>>>
>>

From tim at pelican.org Mon Jan 16 10:52:56 2012
From: tim at pelican.org (Tim Franklin)
Date: Mon, 16 Jan 2012 16:52:56 -0000 (GMT)
Subject: enterprise 802.11
In-Reply-To: <9DDD3733AE0DB544B7E2B78F81BFDCD31DA365F9@SBSSRV.hotze.local>
Message-ID: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org>

> As for the iOS problem, read on here:
> http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html

That's the iOS issue - out of curiosity, what's the Mac issue?

Regards,
Tim.
From jared at puck.nether.net Mon Jan 16 11:05:17 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 16 Jan 2012 12:05:17 -0500
Subject: enterprise 802.11
In-Reply-To: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org>
References: <696f037e-ac55-496e-89ed-3392a5b06c21@mail.pelican.org>
Message-ID: <416410D3-653F-4716-BF68-84E0F81E3F1F@puck.nether.net>

On Jan 16, 2012, at 11:52 AM, Tim Franklin wrote:

>> As for the iOS problem, read on here:
>> http://www.net.princeton.edu/apple-ios/ios41-allows-lease-to-expire-keeps-using-IP-address.html
>
> That's the iOS issue - out of curiosity, what's the Mac issue?

That's a poorly maintained device issue.

The good news is the DHCP requests for those devices (if you log them) commonly include information about the device owner, e.g.:

Jan 15 16:56:35 nat dhcpd[1046]: DHCPACK on 10.0.0.168 to 18:e7:f4:5c:b1:d7 (MATTS-IPOD-3) via eth0

or

client-hostname "iPhone-Touch";
client-hostname "Her-iPod";
client-hostname "iPad";
client-hostname "Amys-iPod";

Also, citing a single software release with a defect can be done for any platform.

http://support.microsoft.com/kb/928233

These issues are commonly solved by upgrading to the most recent release of software.

Reading the princeton article says setting your lease time to 3600 seconds seems to workaround the problem from the network side. I'm personally not convinced of the value of very short lease times (less than an hour). Even IPv6 privacy addresses stay around longer than that.

MacOS Kernel (11.2.0)
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800

Linux Kernel (3.1.1)
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.temp_prefered_lft = 86400

FreeBSD 9.0-RELEASE (GENERIC)
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800

- Jared

From brent at brentrjones.com Sun Jan 15 13:43:48 2012
From: brent at brentrjones.com (Brent Jones)
Date: Sun, 15 Jan 2012 11:43:48 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

On Sun, Jan 15, 2012 at 11:30 AM, Ken King wrote:

> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are mac books and mobile
> phones.
>
> we can see hundreds of access points in close proximity to our new office
> space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
> Ken King
>

I have had great success with Ruckus Wireless gear, specifically their 7962 access points. Our offices are pretty noisy radio environments, typically over 70 access points show up on scans, mostly in the 2.4 range though. We use WPA2 with 802.11X for auth, plus a guest zone managed by the Ruckus wireless controller, works smooth haven't had any problems so far.
Part of my decision was based on a Tom's Hardware review of access points:

http://www.tomshardware.com/reviews/beamforming-wifi-ruckus,2390.html
http://www.tomshardware.com/reviews/wi-fi-performance,2985.html

Brent Jones

From joelja at bogus.com Mon Jan 16 11:38:49 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Mon, 16 Jan 2012 09:38:49 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <4F1460A9.50502@bogus.com>

On 1/15/12 11:30 , Ken King wrote:
> I need to choose a wireless solution for a new office.
>
> up to 600 devices will connect. most devices are mac books and mobile phones.
>
> we can see hundreds of access points in close proximity to our new office space.
>
> what are the thoughts these days on the best enterprise solution/vendor?

My normal advice is fairly vendor independent.

use dual band dual radio APs. 802.11A attenuates much more effectively in residential/commercial construction so the cells are smaller and there's a lot more spectrum... you'll attract all macs, as well as ipads and most enterprise laptops to 802.11a/n

Don't run mixed mode in the 2.4ghz band. drop the output power on the 2.4ghz radios to ~30mw, turn off the 802.11b rates, and increase the multicast rate to at least 12Mb/s

plan for not more than 50 people per ap (remember the aps have dual radios).

if you're going to use 40mhz channels (and n-rates) do so only on 5.8ghz where the map coloring problem is tractable.

> Thanks for your replies.
>
> Ken King
>

From jra at baylink.com Mon Jan 16 11:43:33 2012
From: jra at baylink.com (Jay Ashworth)
Date: Mon, 16 Jan 2012 12:43:33 -0500 (EST)
Subject: enterprise 802.11
In-Reply-To: <416410D3-653F-4716-BF68-84E0F81E3F1F@puck.nether.net>
Message-ID: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Jared Mauch"

> network side.
I'm personally not convinced of the value of very short > lease times (less than an hour) Less than an hour, perhaps not. On small residential networks, though -- generally, anything where the router (which will need to get rebooted occasionally) *is* the DHCP server -- I tend to set the timeout to 30-60 minutes, to reduce the race window between when a router is rebooted, and when a new device shows up and conflicts because it's given an IP another device still thinks it owns. Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From mdavids at forfun.net Mon Jan 16 11:43:38 2012 From: mdavids at forfun.net (Marco Davids (Prive)) Date: Mon, 16 Jan 2012 18:43:38 +0100 (CET) Subject: Paging OpenDNS Message-ID: Hi, Can someone responsible for 'malware-block at opendns.com' please contact me offline? Thank you. -- Marco From arturo.servin at gmail.com Mon Jan 16 11:53:51 2012 From: arturo.servin at gmail.com (Arturo Servin) Date: Mon, 16 Jan 2012 15:53:51 -0200 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> Message-ID: Manish, Nice tool. Is it possible to see the "history" of a prefix? Regards, .as On 13 Jan 2012, at 18:19, Manish Karir wrote: > > All, > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > essentially processes the data collected at routeviews and makes is available in a somewhat easier > to use interface. 
The goal of bgpTables is to represent global prefix and AS visibility information from the > vantage point of the various bgp table views as seen at routeviews. > The data is currently updated nightly (EST) but we hope to improve this over time. > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > Some examples: > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in. > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you an then select the particular ASN that is of interest to you. 
>
>
> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>
> Thanks.
> -The Merit Network Research and Development Team
>

From jon.p.sevier at gmail.com Mon Jan 16 11:55:29 2012
From: jon.p.sevier at gmail.com (Jon Sevier)
Date: Mon, 16 Jan 2012 09:55:29 -0800
Subject: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

On Sun, Jan 15, 2012 at 11:30 AM, Ken King wrote:

> I need to choose a wireless solution for a new office.
> up to 600 devices will connect. most devices are mac books and mobile
> phones.
>
> we can see hundreds of access points in close proximity to our new office
> space.
>
> what are the thoughts these days on the best enterprise solution/vendor?
>
> Thanks for your replies.
>
> Ken King
>

Others have mentioned Ubiquiti- while a great and affordable solution for point-to-point/backhaul and WISPs, their Unifi product has a ways to go to be considered 'enterprise ready'. It's at best coffee shop ready based on their latest updates. Their support is basically their forums (which have very good participation of both users and vendor folks). The Unifi AP is 2.4GHz only as well.

-Jon

From Valdis.Kletnieks at vt.edu Mon Jan 16 13:37:54 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 16 Jan 2012 14:37:54 -0500
Subject: enterprise 802.11
In-Reply-To: Your message of "Mon, 16 Jan 2012 09:55:29 PST."
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID: <113303.1326742674@turing-police.cc.vt.edu>

On Mon, 16 Jan 2012 09:55:29 PST, Jon Sevier said:
> be considered 'enterprise ready'. It's at best coffee shop ready based on

"coffee shop ready". I'll have to remember that one, thanks. ;)

From colin.gibbons at neovera.com Mon Jan 16 13:52:36 2012
From: colin.gibbons at neovera.com (Colin Gibbons)
Date: Mon, 16 Jan 2012 14:52:36 -0500
Subject: Public route server in Hawaii
Message-ID: <4F148004.9000103@neovera.com>

Can anyone recommend a public route server in Hawaii? Efforts to locate one through conventional means have so far been unsuccessful. Any helpful suggestions are appreciated.

From andreas.larsen at ip-only.se Mon Jan 16 13:54:18 2012
From: andreas.larsen at ip-only.se (Andreas Larsen)
Date: Mon, 16 Jan 2012 20:54:18 +0100
Subject: SV: enterprise 802.11
In-Reply-To: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com>
Message-ID:

I have made a couple of school installations with Ubiquiti products and they are rock solid; for enterprise they are very good. Easy to setup etc. And very affordable.

Regards

-----Original Message-----
From: Ken King [mailto:kking at yammer-inc.com]
Sent: 15 January 2012 20:31
To: nanog at nanog.org
Subject: enterprise 802.11

I need to choose a wireless solution for a new office.

up to 600 devices will connect. most devices are mac books and mobile phones.

we can see hundreds of access points in close proximity to our new office space.

what are the thoughts these days on the best enterprise solution/vendor?

Thanks for your replies.

Ken King

From brandon.kim at brandontek.com Mon Jan 16 14:19:29 2012
From: brandon.kim at brandontek.com (Brandon Kim)
Date: Mon, 16 Jan 2012 15:19:29 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To:
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>,
Message-ID:

I'm getting a database error when I search for an AS....
> Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > From: arturo.servin at gmail.com > Date: Mon, 16 Jan 2012 15:53:51 -0200 > To: mkarir at merit.edu > CC: nanog at nanog.org > > Manish, > > Nice tool. > > Is it possible to see the "history" of a prefix? > > > Regards, > ..as > > > > On 13 Jan 2012, at 18:19, Manish Karir wrote: > > > > > All, > > > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > > essentially processes the data collected at routeviews and makes is available in a somewhat easier > > to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the > > vantage point of the various bgp table views as seen at routeviews. > > The data is currently updated nightly (EST) but we hope to improve this over time. > > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > > > Some examples: > > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. 
For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in. > > > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you an then select the particular ASN that is of interest to you. > > > > > > Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. > > > > Thanks. > > -The Merit Network Research and Development Team > > > > From mkarir at merit.edu Mon Jan 16 14:44:08 2012 From: mkarir at merit.edu (Manish Karir) Date: Mon, 16 Jan 2012 15:44:08 -0500 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>, Message-ID: Please remember to add the "as" before the number for your query. so for AS 65000 your search term should be "as65000" Thanks. -manish On Jan 16, 2012, at 3:19 PM, Brandon Kim wrote: > I'm getting a database error when I search for an AS.... > > > > > Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > > From: arturo.servin at gmail.com > > Date: Mon, 16 Jan 2012 15:53:51 -0200 > > To: mkarir at merit.edu > > CC: nanog at nanog.org > > > > Manish, > > > > Nice tool. > > > > Is it possible to see the "history" of a prefix? 
> > > > > > Regards, > > ..as > > > > > > > > On 13 Jan 2012, at 18:19, Manish Karir wrote: > > > > > > > > All, > > > > > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > > > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > > > essentially processes the data collected at routeviews and makes is available in a somewhat easier > > > to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the > > > vantage point of the various bgp table views as seen at routeviews. > > > The data is currently updated nightly (EST) but we hope to improve this over time. > > > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > > > > > Some examples: > > > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > > > > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > > > > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. 
You can then browse the resulting table to select the particular prefix you might be interested in. > > > > > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you an then select the particular ASN that is of interest to you. > > > > > > > > > Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. > > > > > > Thanks. > > > -The Merit Network Research and Development Team > > > > > > > From brandon.kim at brandontek.com Mon Jan 16 15:15:15 2012 From: brandon.kim at brandontek.com (Brandon Kim) Date: Mon, 16 Jan 2012 16:15:15 -0500 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>, , Message-ID: Thanks everyone, yes adding AS works... Will it be updated to just accept 65000 without the "AS" in the near future? > Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > From: mkarir at merit.edu > Date: Mon, 16 Jan 2012 15:44:08 -0500 > CC: nanog at nanog.org > To: brandon.kim at brandontek.com > > > Please remember to add the "as" before the number for your query. > so for AS 65000 your search term should be "as65000" > > Thanks. > -manish > > > On Jan 16, 2012, at 3:19 PM, Brandon Kim wrote: > > > I'm getting a database error when I search for an AS.... > > > > > > > > > Subject: Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS > > > From: arturo.servin at gmail.com > > > Date: Mon, 16 Jan 2012 15:53:51 -0200 > > > To: mkarir at merit.edu > > > CC: nanog at nanog.org > > > > > > Manish, > > > > > > Nice tool. 
> > > > > > Is it possible to see the "history" of a prefix? > > > > > > > > > Regards, > > > ..as > > > > > > > > > > > > On 13 Jan 2012, at 18:19, Manish Karir wrote: > > > > > > > > > > > All, > > > > > > > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > > > > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > > > > essentially processes the data collected at routeviews and makes is available in a somewhat easier > > > > to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the > > > > vantage point of the various bgp table views as seen at routeviews. > > > > The data is currently updated nightly (EST) but we hope to improve this over time. > > > > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > > > > > > > Some examples: > > > > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > > > > > > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > > > > > > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. 
For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in. > > > > > > > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you an then select the particular ASN that is of interest to you. > > > > > > > > > > > > Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. > > > > > > > > Thanks. > > > > -The Merit Network Research and Development Team > > > > > > > > > > > From leon at dexterous.org Mon Jan 16 16:55:37 2012 From: leon at dexterous.org (Leon Kyneur) Date: Tue, 17 Jan 2012 09:55:37 +1100 Subject: IP Management Software In-Reply-To: References: Message-ID: I have been playing phpipam as a replacement for ipplan.. Support for IPv6, VRF and VLAN tracking as well. My only limiting factor has been that it only supports 2 levels of subnet nesting.. http://sourceforge.net/projects/phpipam/ Leon On Sat, Dec 17, 2011 at 3:03 AM, Shahab Vahabzadeh wrote: > Hi everybody, > Can anybody share his/her experience with IP Management software's? Which I > can use it managing near 100K IP Address? > IPPlan is not good enough, I think its covering all my need and not fully > flexible. > If you have discuss this before here please share me the link. 
> Thanks > > -- > Regards, > Shahab Vahabzadeh, IP Engineer, *nix Admin and Geek From sgtcasey at gmail.com Mon Jan 16 17:22:58 2012 From: sgtcasey at gmail.com (David Casey) Date: Mon, 16 Jan 2012 16:22:58 -0700 Subject: Southwest US DNS issues? Message-ID: My organization is getting SERVFAIL when attempting to look up www.wikipedia.org and some other URL's. Is anyone else seeing similar issues? Dave Sent from my iPhone From shortdudey123 at gmail.com Mon Jan 16 17:24:48 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Mon, 16 Jan 2012 17:24:48 -0600 Subject: Southwest US DNS issues? In-Reply-To: References: Message-ID: Hi Dave, What DNS servers are you using and who is your internet provider? -Grant On Mon, Jan 16, 2012 at 5:22 PM, David Casey wrote: > My organization is getting SERVFAIL when attempting to look up > www.wikipedia.org and some other URL's. > > Is anyone else seeing similar issues? > > Dave > > Sent from my iPhone > From sgtcasey at gmail.com Mon Jan 16 17:39:35 2012 From: sgtcasey at gmail.com (David Casey) Date: Mon, 16 Jan 2012 16:39:35 -0700 Subject: Southwest US DNS issues? In-Reply-To: References: Message-ID: <7FB04FE5-54DC-4F52-BDC7-ED9311176492@gmail.com> Never mind everyone. Security made a change on the firewall. Backed out and all good now. I was concerned because we were seeing this issue with just specific websites and only when we tried to lookup their IP addresses. Thanks for the quick replies! Dave Sent from my iPad On Jan 16, 2012, at 16:24, Grant Ridder wrote: > Hi Dave, > > What DNS servers are you using and who is your internet provider? > > -Grant > > On Mon, Jan 16, 2012 at 5:22 PM, David Casey wrote: > My organization is getting SERVFAIL when attempting to look up www.wikipedia.org and some other URL's. > > Is anyone else seeing similar issues? 
> > Dave
>
> Sent from my iPhone
>

From cburwell at gmail.com Mon Jan 16 11:44:22 2012
From: cburwell at gmail.com (Chris Burwell)
Date: Mon, 16 Jan 2012 12:44:22 -0500
Subject: enterprise 802.11
In-Reply-To: <-7665060707062421807@unknownmsgid>
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid> <8C26A4FDAE599041A13EB499117D3C286B673130@ex-mb-1.corp.atlasnetworks.us> <-7665060707062421807@unknownmsgid>

I used Xirrus before about 2-3 years ago. They are great for addressing density issues without adding a large amount of APs in one area. As with any wireless solution, it does have its limitations. In our case the building was very challenging with solid concrete walls on top of lockers on each wall. The number of APs (IIRC they call them arrays) needed didn't really save us much in the end. One thing I did not like is that you had to use their power injectors because, at the time, their arrays needed more power than any switch could provide.

Pricing ended up being the ultimate fall of Xirrus in our environment. To get the coverage that we needed (real world) they were considerably more than the early HP/Colubris solution that we ended up with.

- Chris

On Sun, Jan 15, 2012 at 6:42 PM, Mike Lyon wrote:
> Another one which looks promising for high-density locations is Xirrus
> (www.xirrus.com)
>
> Haven't ever used them though.
>
> -mike
>
> Sent from my iPhone
>
> On Jan 15, 2012, at 15:36, Greg Ihnen wrote:
>
>> Since we're already top-posting?
>>
>> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n starts to fall apart with more than 30 clients associated if they're all reasonably active. I believe this is a limitation of 802.11g/n's media access control (MAC) mechanism, regardless of whose brand is on the box. This is most important if you're doing VoIP or anything else where latency and jitter are an issue.
>>
>> To get around that limitation, folks are using proprietary protocols with "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses something different in the "Canopy" line. But of course then you've gone to something proprietary and only their gear can connect. So it's meant more for back-hauls and distribution networks, not for end users unless they use a proprietary CPE.
>>
>> Since you need consumer gear to be able to connect, you need to stick with 802.11g/n. You should limit to 30 clients per AP. You should stagger your 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them spaced close enough that no more than 30 will end up connecting to a single AP. 5.8GHz APs would be better, and you'll want to stagger their channels too and turn the TX power down so each one has a small footprint to only serve those clients that are nearby.
>>
>> Stay away from "mesh" solutions and WDS where one AP repeats another; that kills throughput because it hogs airtime. You'll want to feed all the APs with Ethernet.
>>
>> Greg
>>
>> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
>>
>>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their original release (amazing what you can do with better code!). In the original release, you had to have a management server running on the same L2 network as the APs - they've moved the management to a L3 model so you can put the controller elsewhere. The big PITA with their system is that any change requires 'reprovisioning' the APs, which means rebooting all of them in sequence. They've added VLANs, multiple SSID's/AP, wireless backhaul/chaining, guest portalling, and limiters to balance the # of clients / AP.
>>>
>>> In a noisy environment, I've found that they top out at around 30 devices / AP for good performance, and 50 devices / AP for 'working/not working'. In a clean environment, I've seen decent performance with 70 - 100 devices / AP. Of course, if one bad client comes along (with a card that doesn't back off its TX power, etc), it can wreak havoc with higher densities. You really can't argue with Unifi's price.
>>>
>>> If you move up the price scale, Meraki seems to be a good midrange solution, and they have some really sweet reporting functionality. They're more expensive, though.
>>>
>>> And then, yes, Cisco is the gold standard, but it will cost you some gold to get it.
>>>
>>> Nathan
>>>
>>>> -----Original Message-----
>>>> From: Mike Lyon [mailto:mike.lyon at gmail.com]
>>>> Sent: Sunday, January 15, 2012 11:54 AM
>>>> To: Meftah Tayeb
>>>> Cc: nanog at nanog.org
>>>> Subject: Re: enterprise 802.11
>>>>
>>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new
>>>> in the marketspace and thus, working out the bugs. I use their other products
>>>> exclusively for outdoor wireless.
>>>>
>>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which
>>>> supports 12 access points. They have controllers which support more APs as
>>>> well.
>>>>
>>>> Hit me up offlist if you have any questions.
>>>>
>>>> -mike
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>>
>>>>> Ubiquity
>>>>> or ubikity, maybe is misspelled
>>>>> Someone correct the spelling for him please, thank you
>>>>> ----- Original Message ----- From: "Ken King"
>>>>> To:
>>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>>> Subject: enterprise 802.11
>>>>>
>>>>>
>>>>> I need to choose a wireless solution for a new office.
>>>>>
>>>>> up to 600 devices will connect. most devices are mac books and mobile phones.
>>>>>
>>>>> we can see hundreds of access points in close proximity to our new office space.
>>>>>
>>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>>>
>>>>> Thanks for your replies.
>>>>>
>>>>>
>>>>> Ken King
>>>>>
>>>>>
>>>>> __________ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __________
>>>>>
>>>>> The message was checked by ESET NOD32 Antivirus.
>>>>>
>>>>> http://www.eset.com
>>>>>
>>>>
>>>
>>
>

From labguy at gmail.com Mon Jan 16 21:24:58 2012
From: labguy at gmail.com (Troy Martin)
Date: Mon, 16 Jan 2012 20:24:58 -0700
Subject: enterprise 802.11
References: <36170983-EAA1-4BDD-B0AF-5B045FD53321@yammer-inc.com> <-6994651995925716053@unknownmsgid>
Message-ID: <-4257578966735167716@unknownmsgid>

Why not avoid controllers entirely? I recommend Aerohive. In their solution, there is NO controller; rather, the APs communicate with each other. (Imagine what OSPF would be like with a centralized router.)

Check them out: www.aerohive.com

Kindest regards,
Troy

Sent from my iPhone. Apologies for spelling and grammatical errors.

On Jan 15, 2012, at 5:50 PM, David Casey wrote:
> I like Cisco's WLC's as well. Where I am working we have a few hundred AP's at one of our sites with WLC's running the show. The 5500 controllers with CleanAir AP's is awesome.
>
> Dave
>
> Sent from my iPad
>
> On Jan 15, 2012, at 12:57, Mike Hale wrote:
>
>> Cisco's wireless solutions are pretty badass. The APs I've used are
>> absolutely rock solid. Set up will take a bit of time, but once you're
>> done, maintenance is minimal.
>> On Jan 15, 2012 11:54 AM, "Mike Lyon" wrote:
>>
>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still
>>> pretty new in the marketspace and thus, working out the bugs. I use
>>> their other products exclusively for outdoor wireless.
>>>
>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller
>>> which supports 12 access points. They have controllers which support
>>> more APs as well.
>>>
>>> Hit me up offlist if you have any questions.
>>>
>>> -mike
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 15, 2012, at 11:39, Meftah Tayeb wrote:
>>>
>>>> Ubiquity
>>>> or ubikity, maybe is misspelled
>>>> Someone correct the spelling for him please
>>>> thank you
>>>> ----- Original Message ----- From: "Ken King"
>>>> To:
>>>> Sent: Sunday, January 15, 2012 9:30 PM
>>>> Subject: enterprise 802.11
>>>>
>>>>
>>>> I need to choose a wireless solution for a new office.
>>>>
>>>> up to 600 devices will connect. most devices are mac books and mobile phones.
>>>>
>>>> we can see hundreds of access points in close proximity to our new office space.
>>>>
>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>>
>>>> Thanks for your replies.
>>>>
>>>>
>>>> Ken King
>>>>
>>>
>>>
>

From estover at stoversnc.com Tue Jan 17 09:05:41 2012
From: estover at stoversnc.com (Eugene Stover)
Date: Tue, 17 Jan 2012 10:05:41 -0500
Subject: CoLo Alwaysonline..... offline.....
Message-ID: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>

Anyone have any info? Not responding to anything.

Enjoy the day!

From bhmccie at gmail.com Tue Jan 17 09:16:26 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Tue, 17 Jan 2012 09:16:26 -0600
Subject: VPC=S/MLT?
In-Reply-To: <20120115011015.GA14746@argus.gw.utexas.edu>
References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu>
Message-ID: <4F1590CA.6090609@gmail.com>

Thanks Charles. It's a start.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/14/2012 7:10 PM, Charles Spurgeon wrote:
> On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote:
>> The first link references "chapter 3". I found chapter 5 as well
>> but I can't find the full index. Do you have that link by any chance?
> I don't have a link to a full index. The links I sent are from a set
> of Nexus design and operation chapters I've found. Each chapter is a
> guide to a specific aspect of Nexus and vPC operation and DC design.
> The set doesn't appear to have been turned into standard Cisco docs
> with indexes etc.
>
> Here are the links that I've been able to find:
>
> Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf
>
> Chapter 2: Cisco NX-OS Software Command-Line Interface Primer
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf
>
> Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf
>
> Chapter 5: Data Center Aggregation Layer Design and Configuration with Cisco Nexus Switches and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
>
> Chapter 6: Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> Chapter 7: 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf
>
> Chapter 8: Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric Extenders
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
>

From mikea at mikea.ath.cx Tue Jan 17 11:41:16 2012
From: mikea at mikea.ath.cx (Mike Andrews)
Date: Tue, 17 Jan 2012 11:41:16 -0600
Subject: CoLo Alwaysonline..... offline.....
In-Reply-To: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>
References: <8CB2A246FE084B4E95EB379B64296ECC01D6266C8EF6@SERVER-001.127-001.local>
Message-ID: <20120117174116.GC9070@mikea.ath.cx>

On Tue, Jan 17, 2012 at 10:05:41AM -0500, Eugene Stover wrote:
> Anyone have any info? Not responding to anything.

I don't see anything that I can ID as anomalous. What are you (not) seeing?

--
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

From a.almalki1402 at gmail.com Tue Jan 17 13:44:50 2012
From: a.almalki1402 at gmail.com (Abdullah Al-Malki)
Date: Tue, 17 Jan 2012 22:44:50 +0300
Subject: accessing multiple devices via a script

Thank you all for your recommendations.
I will sit this weekend and evaluate what fits into my requirements.

Thanks all

On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
> If you're looking for something interactive, check out Mr. CLI
>
> Sent from my iPhone
>
> On Jan 15, 2012, at 12:52, Abdullah Al-Malki
> wrote:
>
> > Hi fellows,
> > I am supporting a big service provider and sometimes I face this problem.
> > Sometimes I want to access my customer network and want to extract some
> > verification output "show commands" from a large number of devices.
> >
> > What kind of scripting solutions are you guys using in this case?
> >
> > Appreciate the feedback,
> > Abdullah
>

From mike.lyon at gmail.com Tue Jan 17 13:59:16 2012
From: mike.lyon at gmail.com (Mike Lyon)
Date: Tue, 17 Jan 2012 11:59:16 -0800
Subject: Slightly OT: GoDaddy and SPF records...

Howdy folks,

Was curious to see if anyone on the list has ever been successful with setting up SPF records on their domains that are hosted on GD nameservers... It appears they only let you configure TXT spf records, not actual SPF records.

Anyone ever come across this before?

Cheers,
Mike

From me at anuragbhatia.com Tue Jan 17 14:12:12 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Wed, 18 Jan 2012 01:42:12 +0530
Subject: Slightly OT: GoDaddy and SPF records...

Hi Mike

SPF records are actually special syntax-based TXT records starting with v=spf1. You can check out http://openspf.org for a bit of detail. It is the project's official site and also has a simple wizard tool for generating the required SPF, which is published as a TXT record.

Hope that will help you.

On 1/18/12, Mike Lyon wrote:
> Howdy folks,
>
> Was curious to see if anyone on the list has ever been successful with
> setting up SPF records on their domains that are hosted on GD
> nameservers... It appears they only let you configure TXT spf records, not
> actual SPF records.
>
> Anyone ever come across this before?
>
> Cheers,
> Mike
>

--
Sent from my mobile device

Anurag Bhatia
anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on an IPv6 connected network!
Twitter: @anurag_bhatia

From rohan at rs3net.net Tue Jan 17 14:20:09 2012
From: rohan at rs3net.net (Rohan Sheth)
Date: Tue, 17 Jan 2012 12:20:09 -0800
Subject: Slightly OT: GoDaddy and SPF records...

On Tue, Jan 17, 2012 at 11:59 AM, Mike Lyon wrote:
> Howdy folks,
>
> Was curious to see if anyone on the list has ever been successful with
> setting up SPF records on their domains that are hosted on GD
> nameservers... It appears they only let you configure TXT spf records, not
> actual SPF records.
>

I believe this is because historically GoDaddy used bboy's MyDNS[1] which does not support SPF type records[2]. However it seems they are now using Verisign's ATLAS[3] so perhaps the UI and some backend code simply has yet to be developed?

-Rohan

[1] http://mydns.bboy.net/
[2] http://mydns.bboy.net/doc/html/mydns_11.html#SEC11
[3] rohan at dragonite:~> fpdns ns35.domaincontrol.com 2>/dev/null
    fingerprint (ns35.domaincontrol.com, 216.69.185.18): VeriSign ATLAS

From shrdlu at deaddrop.org Tue Jan 17 14:29:03 2012
From: shrdlu at deaddrop.org (Lynda)
Date: Tue, 17 Jan 2012 12:29:03 -0800
Subject: Slightly OT: GoDaddy and SPF records...
Message-ID: <4F15DA0F.6010508@deaddrop.org>

On 1/17/2012 11:59 AM, Mike Lyon wrote:
> Was curious to see if anyone on the list has ever been successful with
> setting up SPF records on their domains that are hosted on GD
> nameservers... It appears they only let you configure TXT spf records, not
> actual SPF records.

Let me quickly reiterate what Anurag Bhatia has already told you. TXT records are what you need. I went through a LOT of completely unnecessary suffering, and discovered that while you CAN create an SPF record, what you really need is a TXT record that performs this service. Save yourself some suffering, and don't even bother with the SPF record (this is for those of you who are just now considering making such a thing). GoDaddy (for once) has saved you some sadness, here.

--
Those proud of keeping an orderly desk never know the thrill of finding something they thought they had irretrievably lost.

From mysidia at gmail.com Tue Jan 17 14:32:25 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 17 Jan 2012 14:32:25 -0600
Subject: Slightly OT: GoDaddy and SPF records...

On Tue, Jan 17, 2012 at 2:12 PM, Anurag Bhatia wrote:
> Hi Mike
>
> spf records are actually a special syntax based txt records starting with
> v=spf1
>

A SPF DNS record is RR TYPE CODE 99
http://www.iana.org/assignments/dns-parameters
RFC4408

A SPF compliant domain should have BOTH the TXT RR and a SPF RR.

--
-JH

From fdelmotte1 at mac.com Tue Jan 17 14:43:33 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Tue, 17 Jan 2012 21:43:33 +0100
Subject: accessing multiple devices via a script

Hello,

You can also use rancid.

Regards

Fabien

On 17 Jan 2012 at 20:44, Abdullah Al-Malki wrote:
> Thank you all for your recommendations.
> I will sit this weekend and evaluate what fits into my requirements.
>
> Thanks all
>
> On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
>
>> If you're looking for something interactive, check out Mr. CLI
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 12:52, Abdullah Al-Malki
>> wrote:
>>
>>> Hi fellows,
>>> I am supporting a big service provider and sometimes I face this problem.
>>> Sometimes I want to access my customer network and want to extract some
>>> verification output "show commands" from a large number of devices.
>>>
>>> What kind of scripting solutions are you guys using in this case?
>>>
>>> Appreciate the feedback,
>>> Abdullah
>>

From mkarir at merit.edu Tue Jan 17 15:52:21 2012
From: mkarir at merit.edu (Manish Karir)
Date: Tue, 17 Jan 2012 16:52:21 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
Message-ID: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>

Hi Arturo,

We could easily archive older copies of the database when we update the data, but I think our issue right now is that we don't fully understand how to add the notion of time to the user interface and we don't understand how folks might want to use it. Do you have a simple use case description of an example which might help us figure out how the notion of time can help answer a question? What would be an example of a query that uses time?

Thanks.
-manish

On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
> Manish,
>
> Nice tool.
>
> Is it possible to see the "history" of a prefix?
>
>
> Regards,
> .as
>
>
>
> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>
>>
>> All,
>>
>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
>> bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables
>> essentially processes the data collected at routeviews and makes it available in a somewhat easier
>> to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the
>> vantage point of the various bgp table views as seen at routeviews.
>> The data is currently updated nightly (EST) but we hope to improve this over time.
>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.
>>
>> Some examples:
>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN.
>>
>> - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
>>
>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
>>
>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
>>
>>
>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>>
>> Thanks.
>> -The Merit Network Research and Development Team
>>
>

From rcarpen at network1.net Tue Jan 17 16:04:02 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Tue, 17 Jan 2012 17:04:02 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net>
Message-ID: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>

I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users.

We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment.

We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices.

So, my questions are:

How are you doing DHCPv6 with Prefix Delegation?

What software are you using?

When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution.

thanks,
-Randy

--
| Randy Carpenter
| Vice President - IT Services
| Red Hat Certified Engineer
| First Network Group, Inc.
| (800)578-6381, Opt. 1
----

From tayeb.meftah at gmail.com Mon Jan 16 14:33:32 2012
From: tayeb.meftah at gmail.com (Meftah Tayeb)
Date: Mon, 16 Jan 2012 22:33:32 +0200
Subject: How are you doing DHCPv6 ?
References: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>

Mikrotik Routeros

----- Original Message -----
From: "Randy Carpenter"
To: "Nanog"
Sent: Wednesday, January 18, 2012 12:04 AM
Subject: How are you doing DHCPv6 ?

>
> I am wondering how people out there are using DHCPv6 to handle assigning
> prefixes to end users.
>
> We have a requirement for it to be a redundant server that is centrally
> located. DHCPv6 will be relayed from each customer access segment.
>
> We have been looking at using ISC dhcpd, as that is what we use for v4.
> However, it currently does not support any redundancy. It also does not do
> very much useful logging for DHCPv6 requests. Certainly not enough to keep
> track of users and devices.
>
> So, my questions are:
>
>
> How are you doing DHCPv6 with Prefix Delegation?
>
> What software are you using?
>
>
> When DHCPv6 with Prefix Delegation seems to be about the only way to
> deploy IPv6 to end users in a generic device-agnostic fashion, I am
> wondering why it is so difficult to find a working solution.
>
> thanks,
> -Randy
>
> --
> | Randy Carpenter
> | Vice President - IT Services
> | Red Hat Certified Engineer
> | First Network Group, Inc.
> | (800)578-6381, Opt. 1
> ----
>
>

From dwessels at verisign.com Tue Jan 17 16:51:58 2012
From: dwessels at verisign.com (Wessels, Duane)
Date: Tue, 17 Jan 2012 17:51:58 -0500
Subject: DNS Track at NANOG 54
Message-ID: <47211D96-BA5C-4111-A6B2-747B4BCBBEA4@verisign.com>

Greetings,

The DNS Track takes place at NANOG 54 on Tuesday from 4:30 to 6:00. This is a very informal (BOF-like) gathering for folks interested in DNS topics. If you have material to present or suggested topics for discussion, I'd welcome your contribution.

Duane W.

From John_Brzozowski at Cable.Comcast.com Tue Jan 17 17:06:54 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Tue, 17 Jan 2012 23:06:54 +0000
Subject: How are you doing DHCPv6 ?
In-Reply-To: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net>, <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> Message-ID: You might want to give this a read: http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt -------- Original Message -------- From: Randy Carpenter Sent: Tue, Jan 17, 2012 5:4 PM To: Nanog CC: Subject: How are you doing DHCPv6 ? I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users. We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment. We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices. So, my questions are: How are you doing DHCPv6 with Prefix Delegation? What software are you using? When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution. thanks, -Randy -- | Randy Carpenter | Vice President - IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (800)578-6381, Opt. 1 ---- From rcarpen at network1.net Tue Jan 17 17:19:28 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Tue, 17 Jan 2012 18:19:28 -0500 (EST) Subject: How are you doing DHCPv6 ? In-Reply-To: Message-ID: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> > You might want to give this a read: > > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt That doesn't really help us if we want to deploy before that draft becomes a standard. Are there any DHCPv6 servers currently that actually function in a fashion that is suitable for service providers? 
-Randy > -------- Original Message -------- > From: Randy Carpenter > Sent: Tue, Jan 17, 2012 5:4 PM > To: Nanog > CC: > Subject: How are you doing DHCPv6 ? > > > I am wondering how people out there are using DHCPv6 to handle > assigning prefixes to end users. > > We have a requirement for it to be a redundant server that is > centrally located. DHCPv6 will be relayed from each customer access > segment. > > We have been looking at using ISC dhcpd, as that is what we use for > v4. However, it currently does not support any redundancy. It also > does not do very much useful logging for DHCPv6 requests. Certainly > not enough to keep track of users and devices. > > So, my questions are: > > > How are you doing DHCPv6 with Prefix Delegation? > > What software are you using? > > > When DHCPv6 with Prefix Delegation seems to be about the only way to > deploy IPv6 to end users in a generic device-agnostic fashion, I am > wondering why it is so difficult to find a working solution. > > thanks, > -Randy > > -- > | Randy Carpenter > | Vice President - IT Services > | Red Hat Certified Engineer > | First Network Group, Inc. > | (800)578-6381, Opt. 1 > ---- > > > > From dr at cluenet.de Tue Jan 17 17:37:01 2012 From: dr at cluenet.de (Daniel Roesen) Date: Wed, 18 Jan 2012 00:37:01 +0100 Subject: How are you doing DHCPv6 ? In-Reply-To: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> References: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> Message-ID: <20120117233701.GA13633@srv03.cluenet.de> On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote: > > You might want to give this a read: > > > > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt > > That doesn't really help us if we want to deploy before that draft > becomes a standard. Well, it more or less just presents options (workarounds for missing proper HA sync). 
> Are there any DHCPv6 servers currently that actually function in a > fashion that is suitable for service providers? Without specifying your requirements, that's hard to say. If you're looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any. Cisco unfortunately pushed that another year into the future for CNR, so we're resorting for now to the "Split Prefixes" model described in abovementioned draft, effectively halving our DHCPv6-PD pools and thus exacerbates the negative effects of RIPE's overly converservative policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half the address space) just for redundancy. :-( Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From paul4004 at gmail.com Tue Jan 17 17:58:52 2012 From: paul4004 at gmail.com (PC) Date: Tue, 17 Jan 2012 16:58:52 -0700 Subject: How are you doing DHCPv6 ? In-Reply-To: <20120117233701.GA13633@srv03.cluenet.de> References: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net> <20120117233701.GA13633@srv03.cluenet.de> Message-ID: The good news is that doubling your IP address allocation requirements for v6 is far better than doubling v4... On Tue, Jan 17, 2012 at 4:37 PM, Daniel Roesen wrote: > On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote: > > > You might want to give this a read: > > > > > > > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt > > > > That doesn't really help us if we want to deploy before that draft > > becomes a standard. > > Well, it more or less just presents options (workarounds for missing > proper HA sync). > > > Are there any DHCPv6 servers currently that actually function in a > > fashion that is suitable for service providers? > > Without specifying your requirements, that's hard to say. If you're > looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any. 
>
> Cisco unfortunately pushed that another year into the future for CNR, so
> we're resorting for now to the "Split Prefixes" model described in
> abovementioned draft, effectively halving our DHCPv6-PD pools and thus
> exacerbating the negative effects of RIPE's overly conservative
> policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half
> the address space) just for redundancy. :-(
>
> Best regards,
> Daniel
>
> --
> CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
>
>

From ekim.ittag at gmail.com Tue Jan 17 18:05:43 2012
From: ekim.ittag at gmail.com (Mike Gatti)
Date: Tue, 17 Jan 2012 16:05:43 -0800
Subject: accessing multiple devices via a script
In-Reply-To:
References:
Message-ID: <11ACED16-F364-497A-8FBE-0741A1CD823B@gmail.com>

Hey did anyone mention Rancid..., just kidding....

I've used ciscocmd in the past, a little outdated but worth looking at
(http://sourceforge.net/projects/cosi-nms/files/ciscocmd/)

You might also have some fun writing your own expect scripts.

--
Michael Gatti
main. 949.371.5474 (UTC -8)

On Jan 17, 2012, at 12:43 PM, Fabien Delmotte wrote:

> Hello,
>
> You can also use rancid.
>
> Regards
>
> Fabien
>
> On 17 Jan 2012, at 20:44, Abdullah Al-Malki wrote:
>
>> Thank you all for your recommendations.
>> I will sit this weekend and evaluate what fits into my requirements.
>>
>> Thanks all
>>
>> On Mon, Jan 16, 2012 at 5:05 AM, Rafael Rodriguez wrote:
>>
>>> If you're looking for something interactive, check out Mr. CLI
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 15, 2012, at 12:52, Abdullah Al-Malki
>>> wrote:
>>>
>>>> Hi fellows,
>>>> I am supporting a big service provider and sometimes I face this problem.
>>>> Sometimes I want to access my customer network and want to extract some
>>>> verification output "show commands" from a large number of devices.
>>>>
>>>> What kind of scripting solutions are you guys using in this case?
>>>>
>>>> Appreciate the feedback,
>>>> Abdullah
>>>
>
>

From John_Brzozowski at Cable.Comcast.com Tue Jan 17 18:27:48 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Wed, 18 Jan 2012 00:27:48 +0000
Subject: How are you doing DHCPv6 ?
In-Reply-To: <3957a03c-881d-46aa-a26a-862d1f7dfa58@zimbra.network1.net>
Message-ID:

The draft does help you, it is a BCP and does not specify a standard. It
outlines some BCPs that are usable today. I believe I tested and verified
that what I outlined works with the ISC DHCPv6 server. It also works with
other DHCPv6 servers as well.

John

=========================================
John Jason Brzozowski
Comcast Cable
e) mailto:john_brzozowski at cable.comcast.com
o) 609-377-6594
m) 484-962-0060
w) http://www.comcast6.net
=========================================

On 1/17/12 6:19 PM, "Randy Carpenter" wrote:

>
>> You might want to give this a read:
>>
>> http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
>
>That doesn't really help us if we want to deploy before that draft
>becomes a standard.
>
>Are there any DHCPv6 servers currently that actually function in a
>fashion that is suitable for service providers?
>
>-Randy
>
>
>> -------- Original Message --------
>> From: Randy Carpenter
>> Sent: Tue, Jan 17, 2012 5:4 PM
>> To: Nanog
>> CC:
>> Subject: How are you doing DHCPv6 ?
>>
>>
>> I am wondering how people out there are using DHCPv6 to handle
>> assigning prefixes to end users.
>>
>> We have a requirement for it to be a redundant server that is
>> centrally located. DHCPv6 will be relayed from each customer access
>> segment.
>>
>> We have been looking at using ISC dhcpd, as that is what we use for
>> v4. However, it currently does not support any redundancy. It also
>> does not do very much useful logging for DHCPv6 requests. Certainly
>> not enough to keep track of users and devices.
>>
>> So, my questions are:
>>
>>
>> How are you doing DHCPv6 with Prefix Delegation?
>>
>> What software are you using?
>>
>>
>> When DHCPv6 with Prefix Delegation seems to be about the only way to
>> deploy IPv6 to end users in a generic device-agnostic fashion, I am
>> wondering why it is so difficult to find a working solution.
>>
>> thanks,
>> -Randy
>>
>> --
>> | Randy Carpenter
>> | Vice President - IT Services
>> | Red Hat Certified Engineer
>> | First Network Group, Inc.
>> | (800)578-6381, Opt. 1
>> ----
>>
>>
>>

From John_Brzozowski at Cable.Comcast.com Tue Jan 17 18:31:25 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Wed, 18 Jan 2012 00:31:25 +0000
Subject: How are you doing DHCPv6 ?
In-Reply-To: <20120117233701.GA13633@srv03.cluenet.de>
Message-ID:

On 1/17/12 6:37 PM, "Daniel Roesen" wrote:

>On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
>> > You might want to give this a read:
>> >
>> > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
>>
>> That doesn't really help us if we want to deploy before that draft
>> becomes a standard.
>
>Well, it more or less just presents options (workarounds for missing
>proper HA sync).
[jjmb] correct. FWIW the IETF dhcwg is currently working on DHCPv6
failover/redundancy. See here for the requirements:

http://tools.ietf.org/html/draft-mrugalski-dhc-dhcpv6-failover-requirements-00

>
>> Are there any DHCPv6 servers currently that actually function in a
>> fashion that is suitable for service providers?
>
>Without specifying your requirements, that's hard to say. If you're
>looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any.
[jjmb] same here, I expect a specification would be required first.
>
>Cisco unfortunately pushed that another year into the future for CNR, so
>we're resorting for now to the "Split Prefixes" model described in
>abovementioned draft, effectively halving our DHCPv6-PD pools and thus
>exacerbating the negative effects of RIPE's overly conservative
>policy (HD-Ratio 0.94) on IPv6 by effectively stealing one bit (half
>the address space) just for redundancy. :-(
[jjmb] we have to do what we have to do, the good news is that migration to
a proper failover model should be straightforward.

>
>Best regards,
>Daniel
>
>--
>CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
>

From rcarpen at network1.net Tue Jan 17 19:01:50 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Tue, 17 Jan 2012 20:01:50 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To:
Message-ID: <149d723c-2418-443a-9b9f-c0ca3b033ae0@zimbra.network1.net>

----- Original Message -----
>
> On 1/17/12 6:37 PM, "Daniel Roesen" wrote:
>
> >On Tue, Jan 17, 2012 at 06:19:28PM -0500, Randy Carpenter wrote:
> >> > You might want to give this a read:
> >> >
> >> > http://www.ietf.org/id/draft-ietf-dhc-dhcpv6-redundancy-consider-02.txt
> >>
> >> That doesn't really help us if we want to deploy before that draft
> >> becomes a standard.
> >
> >Well, it more or less just presents options (workarounds for missing
> >proper HA sync).
> [jjmb] correct. FWIW the IETF dhcwg is currently working on DHCPv6
> failover/redundancy. See here for the requirements:
>
> http://tools.ietf.org/html/draft-mrugalski-dhc-dhcpv6-failover-requirements-00

I already had the two documents up and got them mixed up when I was
reading through them. I'll have to go over the link from John in detail,
and see if it gives us some ways to work around the limitations in our
situation.
thanks,
-Randy

From derek at derekivey.com Tue Jan 17 19:02:22 2012
From: derek at derekivey.com (Derek Ivey)
Date: Tue, 17 Jan 2012 20:02:22 -0500
Subject: World IPv6 Launch Day - June 6, 2012
Message-ID: <4F161A1E.7040903@derekivey.com>

Just saw this new site: http://www.worldipv6launch.org/

Many large companies and ISPs are planning to finally go live with IPv6
by June 6, 2012.

I don't see Verizon (my ISP) on the list though :(. I'm glad to see
companies moving forward with IPv6!

Derek

From sethm at rollernet.us Tue Jan 17 19:17:45 2012
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 17 Jan 2012 17:17:45 -0800
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <4F161A1E.7040903@derekivey.com>
References: <4F161A1E.7040903@derekivey.com>
Message-ID: <4F161DB9.7000806@rollernet.us>

On 1/17/12 5:02 PM, Derek Ivey wrote:
> Just saw this new site: http://www.worldipv6launch.org/
>
> Many large companies and ISPs are planning to finally go live with IPv6
> by June 6, 2012.
>
> I don't see Verizon (my ISP) on the list though :(. I'm glad to see
> companies moving forward with IPv6!
>

I kind of feel left out with all the fanfare now, having launched IPv6
many years ago.

~Seth

From robertg at garlic.com Tue Jan 17 19:26:11 2012
From: robertg at garlic.com (Robert Glover)
Date: Tue, 17 Jan 2012 17:26:11 -0800
Subject: Postini / Google admin needed
Message-ID: <4F161FB3.3090505@garlic.com>

I apologize for the noise. We are not getting anywhere regarding issues
with Postini through the normal support channels.

Can someone from Postini please contact me off-list?
Sincerely,
Bobby Glover
Director of Information Services
SVI Incorporated

From xenophage at godshell.com Tue Jan 17 20:24:18 2012
From: xenophage at godshell.com (Jason 'XenoPhage' Frisvold)
Date: Tue, 17 Jan 2012 21:24:18 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <4F161DB9.7000806@rollernet.us>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us>
Message-ID: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>

On Jan 17, 2012, at 8:17 PM, Seth Mattinen wrote:
> I kind of feel left out with all the fanfare now, having launched IPv6
> many years ago.

You can always do the Grand Re-Opening thing.. :P

> ~Seth

---------------------------
Jason 'XenoPhage' Frisvold
xenophage at godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

From Valdis.Kletnieks at vt.edu Tue Jan 17 20:28:45 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 17 Jan 2012 21:28:45 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: Your message of "Tue, 17 Jan 2012 21:24:18 EST." <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
Message-ID: <36160.1326853725@turing-police.cc.vt.edu>

On Tue, 17 Jan 2012 21:24:18 EST, "Jason 'XenoPhage' Frisvold" said:
> On Jan 17, 2012, at 8:17 PM, Seth Mattinen wrote:
> > I kind of feel left out with all the fanfare now, having launched IPv6
> > many years ago.
>
> You can always do the Grand Re-Opening thing.. :P

Can we have a "What took you guys so long?" banner? :)
From ops.lists at gmail.com Tue Jan 17 22:16:35 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 18 Jan 2012 09:46:35 +0530
Subject: Slighty OT: GoDaddy and SPF records...
In-Reply-To: <4F15DA0F.6010508@deaddrop.org>
References: <4F15DA0F.6010508@deaddrop.org>
Message-ID:

I fully agree. http://www.circleid.com/posts/spf_loses_mindshare/ dates
back to 2005.

On Wed, Jan 18, 2012 at 1:59 AM, Lynda wrote:
> Let me quickly reiterate what Anurag Bhatia has already told you. TXT
> records are what you need. I went through a LOT of completely unnecessary
> suffering, and discovered that while you CAN create an SPF record, what you
> really need is a TXT record that performs this service.
>
> Save yourself some suffering, and don't even bother with the SPF record
> (this is for those of you who are just now considering making such a thing).
> GoDaddy (for once) has saved you some sadness, here.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From owen at delong.com Tue Jan 17 22:17:40 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 17 Jan 2012 20:17:40 -0800
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <4F161A1E.7040903@derekivey.com>
References: <4F161A1E.7040903@derekivey.com>
Message-ID:

Another very sad thing about it:

delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21
www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
a1448.b.akamai.net has address 72.246.53.104
a1448.b.akamai.net has address 72.246.53.8

I don't seem to be able to get to the site on IPv6.

Owen

On Jan 17, 2012, at 5:02 PM, Derek Ivey wrote:

> Just saw this new site: http://www.worldipv6launch.org/
>
> Many large companies and ISPs are planning to finally go live with IPv6 by June 6, 2012.
>
> I don't see Verizon (my ISP) on the list though :(. I'm glad to see companies moving forward with IPv6!
>
> Derek

From ops.lists at gmail.com Tue Jan 17 22:22:19 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 18 Jan 2012 09:52:19 +0530
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu>
Message-ID:

Well - for starters, if you get a prefix that was announced by ASN xxxx
from [timestamp] to [timestamp], went to ASN yyyy on [timestamp] etc.

Quite useful if you want to tie this into route leak, prefix hijack,
malicious ASN etc tracking tools.

--srs

On Wed, Jan 18, 2012 at 3:22 AM, Manish Karir wrote:
>
> Hi Arturo,
>
> We could easily archive older copies of the database when we update the data, but I think our issue right now
> is that we don't fully understand how to add the notion of time to the user interface and we don't understand how
> folks might want to use it. Do you have a simple use case description of an example which might help us
> figure out how the notion of time can help answer a question? What would be an example of a query
> that uses time?
>
> Thanks.
> -manish
>
>
> On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
>
>> Manish,
>>
>> Nice tool.
>>
>> Is it possible to see the "history" of a prefix?
>>
>>
>> Regards,
>> .as
>>
>>
>>
>> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>>
>>>
>>> All,
>>>
>>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu
>>> bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables
>>> essentially processes the data collected at routeviews and makes it available in a somewhat easier
>>> to use interface.
>>> The goal of bgpTables is to represent global prefix and AS visibility information from the
>>> vantage point of the various bgp table views as seen at routeviews.
>>> The data is currently updated nightly (EST) but we hope to improve this over time.
>>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables.
>>>
>>> Some examples:
>>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN
>>>
>>> - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix.
>>>
>>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in.
>>>
>>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search.
>>> A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you.
>>>
>>>
>>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful.
>>>
>>> Thanks.
>>> -The Merit Network Research and Development Team
>>>
>>
>
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From dave.nanog at alfordmedia.com Tue Jan 17 22:23:54 2012
From: dave.nanog at alfordmedia.com (Dave Pooser)
Date: Tue, 17 Jan 2012 22:23:54 -0600
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
Message-ID:

On 1/17/12 10:17 PM, "Owen DeLong" wrote:

>I don't seem to be able to get to the site on IPv6.

Well not before June 6, duh! You don't open Christmas presents in August
either! :^)
--
Dave Pooser
Manager of Information Services
Alford Media  http://www.alfordmedia.com

From shuque at isc.upenn.edu Tue Jan 17 22:38:05 2012
From: shuque at isc.upenn.edu (Shumon Huque)
Date: Tue, 17 Jan 2012 23:38:05 -0500
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To:
References: <4F161A1E.7040903@derekivey.com>
Message-ID: <20120118043805.GA5455@isc.upenn.edu>

On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
> Another very sad thing about it:
>
> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21
> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net.
> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
> a1448.b.akamai.net has address 72.246.53.104
> a1448.b.akamai.net has address 72.246.53.8
>
>
> I don't seem to be able to get to the site on IPv6.
>
> Owen

I heard that it initially had AAAA records. After the site couldn't keep
up with the initial load, it was migrated to Akamai's CDN (the DNS records
you see now are those), and Akamai doesn't yet offer IPv6 in production,
so no IPv6.
Akamai does have a trial IPv6 program though - we host IPv6 capable Akamai
nodes on our campus for example, and a non production version of our
university website is using it - so ISOC could try seeing if they could be
hosted on that infrastructure.

--
Shumon Huque
University of Pennsylvania.

From lists at 1337.mx Tue Jan 17 23:04:54 2012
From: lists at 1337.mx (toor)
Date: Wed, 18 Jan 2012 13:04:54 +0800
Subject: DNS Attacks
Message-ID:

Hi list,

I am wondering if anyone else has seen a large amount of DNS queries
coming from various IP ranges in China. I have been trying to find a
pattern in the attacks but so far I have come up blank. I am completely
guessing these are possibly DNS amplification attacks but I am not
sure. Usually what I see is this:

- Attacks most commonly between the hours of 4AM-4PM UTC
- DNS queries appear to be for real domains that the DNS servers in
question are authoritative for (I can't really see any pattern there,
there are about 150,000 zones on the servers in question)
- From a range of IPs there will be an attack for approximately 5-10
minutes before stopping and then a break of 30 minutes or so before
another attack from a different IP range
- Every IP range has been from China

I have limited the number of queries that can be done to mitigate this
but it's messing up my pretty netflow graphs due to the spikes in
flows/packets being sent.

Does anyone have any ideas what the reasoning behind this could be? I
would also be interested to hear from anyone else experiencing this
too.

I can provide IP ranges from where I am seeing the issue but it does
vary a lot between the attacks with the only pattern every time being
the source address is located in China. I read a thread earlier,
http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
thing I am seeing.
Thanks

From marka at isc.org Tue Jan 17 23:15:19 2012
From: marka at isc.org (Mark Andrews)
Date: Wed, 18 Jan 2012 16:15:19 +1100
Subject: DNS Attacks
In-Reply-To: Your message of "Wed, 18 Jan 2012 13:04:54 +0800."
References:
Message-ID: <20120118051519.7D6241B8BF06@drugs.dv.isc.org>

In message , toor writes:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
>
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>
> Thanks

Most of the time you will be being used as an amplifier and the source
traffic is spoofed. The short periods are so that it is harder to trace
the compromised machines.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From morrowc.lists at gmail.com Tue Jan 17 23:34:19 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 18 Jan 2012 00:34:19 -0500
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID:

On Wed, Jan 18, 2012 at 12:04 AM, toor wrote:
> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a

china is a big country....

> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)

yup

> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range

marka noted that the source is really the thing being attacked, that
seems to be the case in the incidents I've seen (and which I've seen
other folks also make note of, over the last ~2-3 months)

> - Every IP range has been from China
>

yup, probably over .cn peer links? if you have them...

> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.

yea... you can't really limit queries, unless you can react in almost
real-time to drop the queries on the floor before your servers see them
:( or capacity-plan for the spikes, which is... rough.

>
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
>

lots of folks are chattering privately about this, it's something in
china attacking chinese users. The BW and PPS rates involved are likely
quite high...

> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
>

it probably is... if you run decently large auth complexes with lots of
domains, welcome to the party.

-chris

> Thanks
>

From tcannon at c2company.com Tue Jan 17 23:40:39 2012
From: tcannon at c2company.com (Thomas Cannon)
Date: Wed, 18 Jan 2012 05:40:39 +0000
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
Message-ID:

"Under new mismanagement!"

:)

-t

>
> You can always do the Grand Re-Opening thing.. :P
>
>> ~Seth
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> xenophage at godshell.com
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>

From tcannon at c2company.com Tue Jan 17 23:53:26 2012
From: tcannon at c2company.com (Thomas Cannon)
Date: Wed, 18 Jan 2012 05:53:26 +0000
Subject: World IPv6 Launch Day - June 6, 2012
In-Reply-To: <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
References: <4F161A1E.7040903@derekivey.com> <4F161DB9.7000806@rollernet.us> <042EAE0F-04C0-48C5-B977-2E3649DD7CFA@godshell.com>
Message-ID:

"Under new mismanagement!"

:)

-t

>
> You can always do the Grand Re-Opening thing.. :P
>
>> ~Seth
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> xenophage at godshell.com
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>

From dr at cluenet.de Wed Jan 18 00:14:59 2012
From: dr at cluenet.de (Daniel Roesen)
Date: Wed, 18 Jan 2012 07:14:59 +0100
Subject: How are you doing DHCPv6 ?
In-Reply-To:
References: <20120117233701.GA13633@srv03.cluenet.de>
Message-ID: <20120118061459.GA27784@srv03.cluenet.de>

On Wed, Jan 18, 2012 at 12:31:25AM +0000, Brzozowski, John wrote:
> >> Are there any DHCPv6 servers currently that actually function in a
> >> fashion that is suitable for service providers?
> >
> >Without specifying your requirements, that's hard to say. If you're
> >looking for fully state-sync'ed DHCPv6 server HA, I'm not aware of any.
> [jjmb] same here, I expect a specification would be required first.

Well, there's nothing preventing vendors from implementing proprietary
state synchronization schemes like they did for DHCPv4 too. I think that
"we need to wait for the standard" is just a mere excuse. Revamping CI of
the user interface is a much higher priority these days. :)

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From leigh.porter at ukbroadband.com Wed Jan 18 01:45:22 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Wed, 18 Jan 2012 07:45:22 +0000
Subject: DNS Attacks
In-Reply-To:
References:
Message-ID: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>

On 18 Jan 2012, at 05:06, "toor" wrote:

> Hi list,
>
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
>

At various seemingly random times over the past week I have had a DNS
which is behind a firewall come under attack. The firewall is significant
because the attacks killed the firewall as it is rather under specified
(not my idea..).
It did originate from Chinese address space and consisted of DNS queries
for lots of hosts. There was also a port-scan in the traffic and a SYN
attack on a few hosts on the same small subnet as the DNS, a web server
and an open SSH port.

--
Leigh Porter

From rdobbins at arbor.net Wed Jan 18 02:05:36 2012
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 18 Jan 2012 08:05:36 +0000
Subject: DNS Attacks
In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
Message-ID:

On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:

> The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).

DNS servers (nor any other kind of server, for that matter) should never
be placed behind stateful firewalls - the largest firewall one can build
or buy will choke under even moderate DDoS attacks due to state-table
exhaustion:

-----------------------------------------------------------------------
Roland Dobbins // 

The basis of optimism is sheer terror.

-- Oscar Wilde

From joelja at bogus.com Wed Jan 18 02:35:07 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Wed, 18 Jan 2012 00:35:07 -0800
Subject: DNS Attacks
In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com>
Message-ID: <4F16843B.50600@bogus.com>

On 1/17/12 23:45 , Leigh Porter wrote:
>
>
> On 18 Jan 2012, at 05:06, "toor" wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China.
>> I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>>
>
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).

Given that the pps rate and the cps rate of DNS requests are rather
similar, one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.

> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
>

From dennis at justipit.com Wed Jan 18 06:53:23 2012
From: dennis at justipit.com (Dennis)
Date: Wed, 18 Jan 2012 07:53:23 -0500
Subject: DNS Attacks
Message-ID:

I agree with Roland on the firewall placement. I add that the attack
would have likely succeeded in exhausting the servers. There is a lot of
recent ddos activity on DNS with what looks like legitimate queries. You
should also look at some DoS/application level protections; Radware and
Arbor top the list.

Leigh Porter wrote:

>
>
>On 18 Jan 2012, at 05:06, "toor" wrote:
>
>> Hi list,
>>
>> I am wondering if anyone else has seen a large amount of DNS queries
>> coming from various IP ranges in China. I have been trying to find a
>> pattern in the attacks but so far I have come up blank. I am completely
>> guessing these are possibly DNS amplification attacks but I am not
>> sure. Usually what I see is this:
>>
>
>At various seemingly random times over the past week I have had a DNS which is behind a firewall come under attack. The firewall is significant because the attacks killed the firewall as it is rather under specified (not my idea..).
> >It did originate from Chinese address space and consisted of DNS queries for lots of hosts. There was also a port-scan in the traffic and a SYN attack on a few hosts on the same small subnet as the DNS, a web server and an open SSH port. > >-- >Leigh Porter > > From virendra.rode at gmail.com Wed Jan 18 07:57:42 2012 From: virendra.rode at gmail.com (virendra rode) Date: Wed, 18 Jan 2012 05:57:42 -0800 Subject: DNS Attacks In-Reply-To: References: Message-ID: <4F16CFD6.9080106@gmail.com> Hi - We've been victims of these attacks many times and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins. Tracking the source of an attack is simplified when the source is more likely to be "valid". The nature of these attacks for us was a combination of amplification and spoofed; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen. As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service". regards, /virendra On 01/17/2012 09:04 PM, toor wrote: > Hi list, > > I am wondering if anyone else has seen a large amount of DNS queries > coming from various IP ranges in China. I have been trying to find a > pattern in the attacks but so far I have come up blank. I am completely > guessing these are possibly DNS amplification attacks but I am not > sure. 
Usually what I see is this: > > - Attacks most commonly between the hours of 4AM-4PM UTC > - DNS queries appear to be for real domains that the DNS servers in > question are authoritative for (I can't really see any pattern there, > there are about 150,000 zones on the servers in question) > - From a range of IPs there will be an attack for approximately 5-10 > minutes before stopping and then a break of 30 minutes or so before > another attack from a different IP range > - Every IP range has been from China > > I have limited the number of queries that can be done to mitigate this > but it's messing up my pretty netflow graphs due to the spikes in > flows/packets being sent. > > Does anyone have any ideas what the reasoning behind this could be? I > would also be interested to hear from anyone else experiencing this > too. > > I can provide IP ranges from where I am seeing the issue but it does > vary a lot between the attacks with the only pattern every time being > the source address is located in China. I read a thread earlier, > http://seclists.org/nanog/2011/Nov/920, which sounds like the exact > thing I am seeing. > > Thanks > > From deric.kwok2000 at gmail.com Wed Jan 18 07:58:09 2012 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Wed, 18 Jan 2012 08:58:09 -0500 Subject: bgp question In-Reply-To: References: Message-ID: Hi Justin Thank you. Could you tell me more about "routing registries"? I would like to learn it. 2nd question: Are you familiar with quagga? Is it supporting equal multipath in different BGP connections? Thank you so much On Tue, Jan 10, 2012 at 7:58 PM, Justin M. 
Streiner wrote: > On Tue, 10 Jan 2012, Deric Kwok wrote: > >> When we get new IP space, we should let the upstream know to export it, as >> there should be a rule on their side. > > > Correct. Ideally, two things happen: > 1. You tell your upstreams and peers about the new space, and they update > whatever prefix filters they have in place for your network. > 2. You update your own outbound BGP filters wherever necessary so that you > can announce the new prefix, aggregated to the extent possible, when you're > ready. > > >> How about the upstream provider, do they need to let all their BGP >> interconnects know about our new IP space? > > > They might. It depends on the relationship your upstreams have with their > neighbors. Different providers have different criteria for what they'll > accept and how they manage their filters. > > If your upstreams need to have their upstreams and/or peers update their BGP > filters, it is their responsibility to notify them. Note that this can add > to the amount of time it will take before your direct upstreams are ready to > accept and propagate your new prefix. > > Some providers might require that your new prefix be registered in one of > several routing registries, and they'll update their filters based on your > new registry data. > > jms > From drew.weaver at thenap.com Wed Jan 18 08:01:08 2012 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 18 Jan 2012 09:01:08 -0500 Subject: DNS Attacks In-Reply-To: <4F16CFD6.9080106@gmail.com> References: <4F16CFD6.9080106@gmail.com> Message-ID: We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem network about a month ago. Hopefully the particular network has fixed that issue now, but it was a banner day to be sure. 
Thanks, -Drew -----Original Message----- From: virendra rode [mailto:virendra.rode at gmail.com] Sent: Wednesday, January 18, 2012 8:58 AM To: nanog at nanog.org Subject: Re: DNS Attacks Hi - We've been victims of these attacks many times and more recently towards our customer DNS servers, which was rated at ~4 Gbps for a duration of 30 mins. Tracking the source of an attack is simplified when the source is more likely to be "valid". The nature of these attacks for us was a combination of amplification and spoofed; however, implementing anti-spoofing (uRPF), especially BCP38, is a good idea. Not saying it's a fix, but certainly the attack methodology will significantly lessen. As Matt Katz put it rightly so, "Distributed denial of service can only be solved with distributed delivery of service". regards, /virendra On 01/17/2012 09:04 PM, toor wrote: > Hi list, > > I am wondering if anyone else has seen a large amount of DNS queries > coming from various IP ranges in China. I have been trying to find a > pattern in the attacks but so far I have come up blank. I am completely > guessing these are possibly DNS amplification attacks but I am not > sure. Usually what I see is this: > > - Attacks most commonly between the hours of 4AM-4PM UTC > - DNS queries appear to be for real domains that the DNS servers in > question are authoritative for (I can't really see any pattern there, > there are about 150,000 zones on the servers in question) > - From a range of IPs there will be an attack for approximately 5-10 > minutes before stopping and then a break of 30 minutes or so before > another attack from a different IP range > - Every IP range has been from China > > I have limited the number of queries that can be done to mitigate this > but it's messing up my pretty netflow graphs due to the spikes in > flows/packets being sent. > > Does anyone have any ideas what the reasoning behind this could be? 
I > would also be interested to hear from anyone else experiencing this > too. > > I can provide IP ranges from where I am seeing the issue but it does > vary a lot between the attacks with the only pattern every time being > the source address is located in China. I read a thread earlier, > http://seclists.org/nanog/2011/Nov/920, which sounds like the exact > thing I am seeing. > > Thanks > > From leigh.porter at ukbroadband.com Wed Jan 18 08:18:32 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Wed, 18 Jan 2012 14:18:32 +0000 Subject: DNS Attacks In-Reply-To: References: Message-ID: Yeah, like I say, it wasn't my idea to put DNS behind firewalls. As long as it is not *my* firewalls I really don't care what they do ;-) -- Leigh Porter > -----Original Message----- > From: Dennis [mailto:dennis at justipit.com] > Sent: 18 January 2012 12:55 > To: Leigh Porter; toor > Cc: nanog at nanog.org > Subject: Re: DNS Attacks > > I agree with Roland on the firewall placement. I add that the attack > would have likely succeeded in exhausting the servers. There is a lot of > recent DDoS activity on DNS with what looks like legitimate queries. > You should also look at some DoS/application-level protections; > Radware and Arbor top the list. > > > Leigh Porter wrote: > > > > > > >On 18 Jan 2012, at 05:06, "toor" wrote: > > > >> Hi list, > >> > >> I am wondering if anyone else has seen a large amount of DNS queries > >> coming from various IP ranges in China. I have been trying to find a > >> pattern in the attacks but so far I have come up blank. I am > completely > >> guessing these are possibly DNS amplification attacks but I am not > >> sure. 
Usually what I see is this: > >> > > > >At various seemingly random times over the past week I have had a DNS > which is behind a firewall come under attack. The firewall is > significant because the attacks killed the firewall as it is rather > under specified (not my idea..). > > > >It did originate from Chinese address space and consisted of DNS > queries for lots of hosts. There was also a port-scan in the traffic > and a SYN attack on a few hosts on the same small subnet as the DNS, a > web server and an open SSH port. > > > >-- > >Leigh Porter > > From arturo.servin at gmail.com Wed Jan 18 08:22:46 2012 From: arturo.servin at gmail.com (Arturo Servin) Date: Wed, 18 Jan 2012 12:22:46 -0200 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> Message-ID: <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> For example for any given prefix to get which ASNs have originated that prefix over time and when. 
I think that could be interesting for discovering if a prefix has been hijacked in the past. RIS from RIPE NCC provides something like this: http://www.ripe.net/data-tools/stats/ris/routing-information-service We have used it to verify some "suspicious" announcements of prefixes. Regards, as On 17 Jan 2012, at 19:52, Manish Karir wrote: > > Hi Arturo, > > We could easily archive older copies of the database when we update the data, but I think our issue right now > is that we don't fully understand how to add the notion of time to the user interface and we don't understand how > folks might want to use it. Do you have a simple use case description of an example which might help us > figure out how the notion of time can help answer a question? What would be an example of a query > that uses time? > > Thanks. > -manish > > > On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote: > >> Manish, >> >> Nice tool. >> >> Is it possible to see the "history" of a prefix? >> >> >> Regards, >> .as >> >> >> >> On 13 Jan 2012, at 18:19, Manish Karir wrote: >> >>> >>> All, >>> >>> We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu >>> bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables >>> essentially processes the data collected at routeviews and makes it available in a somewhat easier >>> to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the >>> vantage point of the various bgp table views as seen at routeviews. >>> The data is currently updated nightly (EST) but we hope to improve this over time. >>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. >>> >>> Some examples: >>> - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. 
For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN. >>> >>> - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. >>> >>> - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. You can then browse the resulting table to select the particular prefix you might be interested in. >>> >>> - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you can then select the particular ASN that is of interest to you. >>> >>> >>> Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. >>> >>> Thanks. 
>>> -The Merit Network Research and Development Team >>> >> > From robert at ripe.net Wed Jan 18 08:37:11 2012 From: robert at ripe.net (Robert Kisteleki) Date: Wed, 18 Jan 2012 15:37:11 +0100 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> Message-ID: <4F16D917.2060408@ripe.net> On 2012.01.18. 15:22, Arturo Servin wrote: > > For example for any given prefix to get which ASNs have originated that prefix over time and when. > > I think that could be interesting for discovering if a prefix has been hijacked in the past. > > RIS from RIPE NCC provides something like this: > > http://www.ripe.net/data-tools/stats/ris/routing-information-service > > We have used it to verify some "suspicious" announcements of prefixes. > > Regards, > as One can also try RIPEstat for this: http://stat.ripe.net/ Amongst other modules it gives full (~10 year) BGP history for prefixes. (Disclaimer: our team is working on this tool.) Robert From nick at foobar.org Wed Jan 18 09:05:06 2012 From: nick at foobar.org (Nick Hilliard) Date: Wed, 18 Jan 2012 15:05:06 +0000 Subject: DNS Attacks In-Reply-To: References: Message-ID: <4F16DFA2.8030208@foobar.org> On 18/01/2012 14:18, Leigh Porter wrote: > Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long > as it is not *my* firewalls I really don't care what they do ;-) As you're posting here, it looks like it's become your problem. :-D Seriously, though, there is no value to maintaining state for DNS queries. You would be much better off to put your firewall production interfaces on a routed port on a hardware router so that you can implement ASIC packet filtering. 
This will operate at wire speed without dumping you into the colloquial poo every time someone decides to take out your critical infrastructure. Nick From morrowc.lists at gmail.com Wed Jan 18 09:41:30 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 10:41:30 -0500 Subject: DNS Attacks In-Reply-To: <4F16DFA2.8030208@foobar.org> References: <4F16DFA2.8030208@foobar.org> Message-ID: On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote: > On 18/01/2012 14:18, Leigh Porter wrote: >> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long >> as it is not *my* firewalls I really don't care what they do ;-) > > As you're posting here, it looks like it's become your problem. :-D > > Seriously, though, there is no value to maintaining state for DNS queries. > You would be much better off to put your firewall production interfaces on > a routed port on a hardware router so that you can implement ASIC packet > filtering. This will operate at wire speed without dumping you into the > colloquial poo every time someone decides to take out your critical > infrastructure. I get the feeling that leigh had implemented this against his own advice for a client... that he's onboard with 'putting a firewall in front of a dns server is dumb' meme... From smb at cs.columbia.edu Wed Jan 18 10:34:19 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Wed, 18 Jan 2012 11:34:19 -0500 Subject: DNS Attacks In-Reply-To: References: <4F16DFA2.8030208@foobar.org> Message-ID: <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote: > On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote: >> On 18/01/2012 14:18, Leigh Porter wrote: >>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long >>> as it is not *my* firewalls I really don't care what they do ;-) >> >> As you're posting here, it looks like it's become your problem. 
:-D >> >> Seriously, though, there is no value to maintaining state for DNS queries. >> You would be much better off to put your firewall production interfaces on >> a routed port on a hardware router so that you can implement ASIC packet >> filtering. This will operate at wire speed without dumping you into the >> colloquial poo every time someone decides to take out your critical >> infrastructure. > > I get the feeling that leigh had implemented this against his own > advice for a client... that he's onboard with 'putting a firewall in > front of a dns server is dumb' meme... In principle, this is certainly correct (and I've often said the same thing about web servers); in practice, though, a lot depends on the specs. For example: can the firewall discard useless requests more quickly? Does it do a better job of discarding malformed packets? Is the vendor better about supplying patches to new vulnerabilities? Can it do a better job filtering on source IP address? Does it do load-balancing? Are there other services on the same server IP address that do require stateful filtering? As I said, most of the time a dedicated DNS appliance doesn't benefit from firewall protection. Occasionally, though, it might. --Steve Bellovin, https://www.cs.columbia.edu/~smb From morrowc.lists at gmail.com Wed Jan 18 10:42:42 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 11:42:42 -0500 Subject: DNS Attacks In-Reply-To: <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> Message-ID: On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin wrote: > > On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote: > >> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard wrote: >>> On 18/01/2012 14:18, Leigh Porter wrote: >>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. 
As long >>>> as it is not *my* firewalls I really don't care what they do ;-) >>> >>> As you're posting here, it looks like it's become your problem. :-D >>> >>> Seriously, though, there is no value to maintaining state for DNS queries. >>> You would be much better off to put your firewall production interfaces on >>> a routed port on a hardware router so that you can implement ASIC packet >>> filtering. This will operate at wire speed without dumping you into the >>> colloquial poo every time someone decides to take out your critical >>> infrastructure. >> >> I get the feeling that leigh had implemented this against his own >> advice for a client... that he's onboard with 'putting a firewall in >> front of a dns server is dumb' meme... > > In principle, this is certainly correct (and I've often said the same thing > about web servers); in practice, though, a lot depends on the specs. For > example: can the firewall discard useless requests more quickly? Does it do > a better job of discarding malformed packets? Is the vendor better about > supplying patches to new vulnerabilities? Can it do a better job filtering > on source IP address? Does it do load-balancing? Are there other services > on the same server IP address that do require stateful filtering? yup... I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any
is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that. > As I said, most of the time a dedicated DNS appliance doesn't benefit from > firewall protection. Occasionally, though, it might. I suspect the cases where it MAY benefit are the 'lower packet rate, ping-o-death-type' attacks only though. 
Essentially 'use a proxy to remove unknown cruft' as a frontend to your more complex dns/web answering system, eh? under load though, high pps rate attacks/instances (victoria secret fashion-show sorts of things) your firewall/proxy is likely to die before the backend does ;( -chris > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > From morrowc.lists at gmail.com Wed Jan 18 10:46:24 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 11:46:24 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <20120118043805.GA5455@isc.upenn.edu> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote: > On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote: >> Another very sad thing about it: >> >> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21 >> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net. >> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net. >> a1448.b.akamai.net has address 72.246.53.104 >> a1448.b.akamai.net has address 72.246.53.8 >> >> >> I don't seem to be able to get to the site on IPv6. >> >> Owen > > I heard that it initially had AAAA records. After the site > couldn't keep up with the initial load, it was migrated to > Akamai's CDN (the DNS records you see now are those), and > Akamai doesn't yet offer IPv6 in production, so no IPv6. there are places in this world with working v6 at scale.... the folk involved COULD use them. (I thought, actually, that akamai's v6 offering was actually production, just not wide-spread?) > Akamai does have a trial IPv6 program though - we host IPv6 > capable Akamai nodes on our campus for example, and a non > production version of our university website is using it - > so ISOC could try seeing if they could be hosted on that > infrastructure. 
My question is when is FiOS going to get v6 natively? could we get the engineers there to actually do something as opposed to trials of non-production systems that'll never actually get deployed? :) -chris > > -- > Shumon Huque > University of Pennsylvania. > From chip.gwyn at gmail.com Wed Jan 18 10:48:02 2012 From: chip.gwyn at gmail.com (chip) Date: Wed, 18 Jan 2012 11:48:02 -0500 Subject: accessing multiple devices via a script In-Reply-To: References: Message-ID: Like many others on here, I utilize rancid's set of scripts to handle all the different platforms' quirks for access. I then wrap that inside a perl script that can do things in parallel. I'm no developer by any stretch of the imagination but I can poke around in perl badly enough to write some tools. One perl module I've come across is Parallel::Fork::BossWorkerAsync. Using this module makes it incredibly easy to run many instances in parallel while each instance is just a bit different, and then gather data back from each session. Using some form of parallelization can significantly decrease the amount of time things take. I hope you find it as useful as I have. http://search.cpan.org/~jvannucci/Parallel-Fork-BossWorkerAsync-0.06/lib/Parallel/Fork/BossWorkerAsync.pm Good Luck! --chip On Sun, Jan 15, 2012 at 12:52 PM, Abdullah Al-Malki wrote: > Hi fellows, > I am supporting a big service provider and sometimes I face this problem. > Sometimes I want to access my customer network and want to extract some > verification output "show commands" from a large number of devices. > > What kind of scripting solutions are you guys using in this case? > > Appreciate the feedback, > Abdullah -- Just my $.02, your mileage may vary, batteries not included, etc.... 
From shuque at upenn.edu Wed Jan 18 11:03:55 2012 From: shuque at upenn.edu (Shumon Huque) Date: Wed, 18 Jan 2012 12:03:55 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: <20120118170355.GA1918@isc.upenn.edu> On Wed, Jan 18, 2012 at 11:46:24AM -0500, Christopher Morrow wrote: > On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote: > > > > I heard that it initially had AAAA records. After the site > > couldn't keep up with the initial load, it was migrated to > > Akamai's CDN (the DNS records you see now are those), and > > Akamai doesn't yet offer IPv6 in production, so no IPv6. > > there are places in this world with working v6 at scale.... the folk > involved COULD use them. > (I thought, actually, that akamai's v6 offering was actually > production, just not wide-spread?) Not sure - our Akamai support people have so far not told us that it's production ready (we ask periodically; maybe we aren't talking to the right people). And thus far, they haven't permitted us to point the www.upenn.edu AAAA record to Akamai. A non production name (ipv6.upenn.edu) mirroring the same content does have a AAAA to Akamai though. But, checking www.worldipv6launch.org just now shows that it have IPv6 records now: ;; QUESTION SECTION: ;www.worldipv6launch.org. IN AAAA ;; ANSWER SECTION: www.worldipv6launch.org. 297 IN CNAME www.worldipv6launch.org.edgesuite.net. www.worldipv6launch.org.edgesuite.net. 6167 IN CNAME a1448.dscb.akamai.net. a1448.dscb.akamai.net. 20 IN AAAA 2001:590:1:400::451f:4859 a1448.dscb.akamai.net. 20 IN AAAA 2001:590:1:400::451f:4868 -- Shumon Huque University of Pennsylvania. 
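Shumon's dig output above shows why "does this name have IPv6?" takes more than one lookup: the AAAA records sit at the end of a two-hop CNAME chain. The following is an added example, not code from the thread or from any poster: it parses a raw DNS response and walks the chain to the AAAA records, with the bounds checks and the compression-pointer hop limit a parser that reads answers from untrusted resolvers needs. The response is constructed to mirror the quoted answer section (the names and addresses are the ones from the dig output); the pointer-loop message is a constructed malformed input.

```python
"""Follow a CNAME chain to AAAA records in a raw DNS response. Added example, not code
from the thread; RESPONSE is constructed to mirror the dig answer section quoted above."""
import ipaddress
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
MAX_POINTER_HOPS = 16  # a crafted compression-pointer loop must not hang the parser


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):  # uncompressed labels
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed response; answers are (owner, type, ttl, rdata). An owner equal to
    the question name is written as a pointer to offset 12, as real servers do."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", TYPE_AAAA, 1)
    for owner, rtype, ttl, rdata in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_bytes + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def read_name(msg, offset, hops=0):
    """Return (name, offset after it); bounds-checked, pointer chasing hop-limited."""
    if hops > MAX_POINTER_HOPS:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length >= 0xC0:  # 11xxxxxx: two-byte pointer into the message
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, hops + 1)
            return ".".join(labels + [tail]) if labels else tail, offset + 2
        if length > 63:
            raise ValueError("bad label length")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg):
    """Skip header and question; return answers as (owner, type, value)."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])  # struct.error if too short
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == TYPE_CNAME:
            value, _ = read_name(msg, offset)
        elif rtype in (TYPE_A, TYPE_AAAA):
            value = str(ipaddress.ip_address(msg[offset:offset + rdlen]))
        else:
            value = msg[offset:offset + rdlen]
        offset += rdlen
        records.append((owner.lower(), rtype, value))
    return records


def parse_or_none(msg):
    try:
        return parse_answers(msg)
    except (ValueError, struct.error):  # any malformation is rejected, never guessed
        return None


def resolve_chain(records, qname, want=TYPE_AAAA, max_hops=8):
    """Walk CNAMEs from qname until the wanted type appears; [] means the chain dangles."""
    name = qname.lower().rstrip(".")
    for _ in range(max_hops):
        hits = [v for o, t, v in records if o == name and t == want]
        if hits:
            return name, hits
        cnames = [v for o, t, v in records if o == name and t == TYPE_CNAME]
        if not cnames:
            return name, []
        name = cnames[0].lower()
    raise ValueError("CNAME chain too long")


QNAME = "www.worldipv6launch.org"  # names and addresses below are from the quoted dig output
RESPONSE = build_response(QNAME, [
    (QNAME, TYPE_CNAME, 297, encode_name("www.worldipv6launch.org.edgesuite.net")),
    ("www.worldipv6launch.org.edgesuite.net", TYPE_CNAME, 6167, encode_name("a1448.dscb.akamai.net")),
    ("a1448.dscb.akamai.net", TYPE_AAAA, 20, ipaddress.IPv6Address("2001:590:1:400::451f:4859").packed),
    ("a1448.dscb.akamai.net", TYPE_AAAA, 20, ipaddress.IPv6Address("2001:590:1:400::451f:4868").packed),
])
# Constructed malformed message: the question name is a compression pointer to itself.
POINTER_LOOP = struct.pack(">HHHHHH", 1, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack(">HH", TYPE_AAAA, 1)
```

`resolve_chain(parse_answers(RESPONSE), QNAME)` returns the final owner `a1448.dscb.akamai.net` with both AAAA addresses, and `parse_or_none(POINTER_LOOP)` returns None instead of recursing forever. The hop limit matters because a compression pointer may legally point anywhere earlier in the message, so nothing but a counter stops a pointer that targets itself.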
From owen at delong.com Wed Jan 18 11:04:20 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 18 Jan 2012 09:04:20 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Jan 18, 2012, at 8:46 AM, Christopher Morrow wrote: > On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque wrote: >> On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote: >>> Another very sad thing about it: >>> >>> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org 2012/01/16 21:24:21 >>> www.worldipv6launch.org is an alias for www.worldipv6launch.org.edgesuite.net. >>> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net. >>> a1448.b.akamai.net has address 72.246.53.104 >>> a1448.b.akamai.net has address 72.246.53.8 >>> >>> >>> I don't seem to be able to get to the site on IPv6. >>> >>> Owen >> >> I heard that it initially had AAAA records. After the site >> couldn't keep up with the initial load, it was migrated to >> Akamai's CDN (the DNS records you see now are those), and >> Akamai doesn't yet offer IPv6 in production, so no IPv6. > > there are places in this world with working v6 at scale.... the folk > involved COULD use them. > (I thought, actually, that akamai's v6 offering was actually > production, just not wide-spread?) > In fairness, it is up on IPv6 today. I don't know exactly when that happened, but, kudos to ISOC and Akamai for getting it done fairly quickly. >> Akamai does have a trial IPv6 program though - we host IPv6 >> capable Akamai nodes on our campus for example, and a non >> production version of our university website is using it - >> so ISOC could try seeing if they could be hosted on that >> infrastructure. > > My question is when is FiOS going to get v6 natively? could we get the > engineers there to actually do something as opposed to trials of > non-production systems that'll never actually get deployed? 
:) > My understanding is that some areas have native IPv6 on FIOS. Owen From me at anuragbhatia.com Wed Jan 18 11:12:18 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Wed, 18 Jan 2012 22:42:18 +0530 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: Btw, did anyone notice the DNS setup of the project site is really crazy!
anurag at laptop:~$ ping worldipv6launch.org
ping: unknown host worldipv6launch.org
anurag at laptop:~$ dig worldipv6launch.org ns +short
ns5.he.net. ns4.he.net. ns2.he.net. ns3.he.net.
anurag at laptop:~$ dig worldipv6launch.org soa +short
ns1.he.net. hostmaster.he.net. 2012011801 10800 1800 604800 86400
anurag at laptop:~$ dig worldipv6launch.org a +short
anurag at laptop:~$ dig worldipv6launch.org aaaa +short
anurag at laptop:~$ dig www.worldipv6launch.org +short
www.worldipv6launch.org.edgesuite.net. a1448.dscb.akamai.net. 58.27.22.162 58.27.22.163
1. No A or AAAA record on main worldipv6launch.org
2. www.worldipv6launch.org has CNAME to Akamai
-- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on an IPv6-connected network! Twitter: @anurag_bhatia From cb.list6 at gmail.com Wed Jan 18 11:15:22 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Wed, 18 Jan 2012 09:15:22 -0800 Subject: DNS Attacks In-Reply-To: References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> Message-ID: On Jan 18, 2012 8:43 AM, "Christopher Morrow" wrote: > > On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin wrote: > > > > On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote: > > > >> On Jan 18, 2012, at 10:05 AM, Nick Hilliard wrote: > >>> On 18/01/2012 14:18, Leigh Porter wrote: > >>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. 
As long > >>>> as it is not *my* firewalls I really don't care what they do ;-) > >>> > >>> As you're posting here, it looks like it's become your problem. :-D > >>> > >>> Seriously, though, there is no value to maintaining state for DNS queries. > >>> You would be much better off to put your firewall production interfaces on > >>> a routed port on a hardware router so that you can implement ASIC packet > >>> filtering. This will operate at wire speed without dumping you into the > >>> colloquial poo every time someone decides to take out your critical > >>> infrastructure. > >> > >> I get the feeling that leigh had implemented this against his own > >> advice for a client... that he's onboard with 'putting a firewall in > >> front of a dns server is dumb' meme... > > > > In principle, this is certainly correct (and I've often said the same thing > > about web servers); in practice, though, a lot depends on the specs. For > > example: can the firewall discard useless requests more quickly? Does it do > > a better job of discarding malformed packets? Is the vendor better about > > supplying patches to new vulnerabilities? Can it do a better job filtering > > on source IP address? Does it do load-balancing? Are there other services > > on the same server IP address that do require stateful filtering? > > > yup... I think roland and nick (he can correct me, roland I KNOW is > saying this) are basically saying: > > permit tcp any any eq 80 > permit tcp any any eq 443 > deny ip any any > > is far, far better than state management in a firewall. Anything more > complex and your firewall fails long before the 7206's > interface/filter will :( Some folks would say you'd be better off > doing some LB/filtering-in-software behind said router interface > filter, I can't argue with that. > > > As I said, most of the time a dedicated DNS appliance doesn't benefit from > > firewall protection. Occasionally, though, it might. 
> > I suspect the cases where it MAY benefit are the 'lower packet rate, > ping-o-death-type' attacks only though. Essentially 'use a proxy to > remove unknown cruft' as a frontend to your more complex dns/web > answering system, eh? > > under load though, high pps rate attacks/instances (victoria secret > fashion-show sorts of things) your firewall/proxy is likely to die > before the backend does ;( > Very refreshing tone of conversation. Normally I hear a chorus of "defense in depth" blah when we should be talking about fundamental host / protocol based robustness.... and matching risks with controls ...not boxes with places on a network map. It leads to: security is like an onion, it makes you cry The ng stateful firewall is no firewall (tm) I like https://www.opengroup.org/jericho/index.htm Cb > -chris > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > > > > > > > From fred at cisco.com Wed Jan 18 11:27:16 2012 From: fred at cisco.com (Fred Baker) Date: Wed, 18 Jan 2012 09:27:16 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <20120118170355.GA1918@isc.upenn.edu> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> Message-ID: <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote: > But, checking www.worldipv6launch.org just now shows that it > have IPv6 records now: I just successfully accessed it using IPv6. The service is real, not just the DNS record. The address I accessed it at was 2600:809:600::3f50:411. 
From me at anuragbhatia.com Wed Jan 18 11:30:50 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Wed, 18 Jan 2012 23:00:50 +0530 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> Message-ID:

Hi Fred

You can access on www.worldipv6launch.org but not http://worldipv6launch.org (without www). It's available on IPv6 on www since the Akamai node has AAAA and seems fine.

anurag at laptop:~$ dig www.worldipv6launch.org aaaa +short
www.worldipv6launch.org.edgesuite.net.
a1448.dscb.akamai.net.
2600:140e:1::3cfe:83ca
2600:140e:1::3cfe:83d1

Someone missed a redirection record for worldipv6launch.org to www.worldipv6launch.org

On Wed, Jan 18, 2012 at 10:57 PM, Fred Baker wrote: > > On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote: > > > But, checking www.worldipv6launch.org just now shows that it > > have IPv6 records now: > > I just successfully accessed it using IPv6. The service is real, not just > the DNS record. The address I accessed it at was 2600:809:600::3f50:411. >

-- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia

From morrowc.lists at gmail.com Wed Jan 18 11:31:30 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 12:31:30 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, Jan 18, 2012 at 12:04 PM, Owen DeLong wrote: >> >> My question is when is FiOS going to get v6 natively? could we get the >> engineers there to actually do something as opposed to trials of >> non-production systems that'll never actually get deployed? :) >> > > My understanding is that some areas have native IPv6 on FIOS. really? 
I terminate on the same CO/l3 device the testing was done (you know, the one that was press-released ~1.5 years ago?) ... no v6 for me... and as near as I can tell each sales/support person I talk to says: "ipvwhat?" I would bet that the VERIZON fios deployments are non-v6 everywhere... which is just sad, for the internet and for verizon. -chris From morrowc.lists at gmail.com Wed Jan 18 11:31:57 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 18 Jan 2012 12:31:57 -0500 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <20120118170355.GA1918@isc.upenn.edu> <4EAEABEB-1F53-4B74-8B4F-28F204DE3D87@cisco.com> Message-ID: On Wed, Jan 18, 2012 at 12:30 PM, Anurag Bhatia wrote: > Hi Fred > > You can access on www.worldipv6launch.org but not > http://worldipv6launch.org (without > www) > > not everyone puts their web content on their domain? nothing to see here, please drive through... From jsahala at gmail.com Wed Jan 18 11:57:05 2012 From: jsahala at gmail.com (joshua sahala) Date: Wed, 18 Jan 2012 10:57:05 -0700 Subject: VPC=S/MLT? In-Reply-To: <4F1590CA.6090609@gmail.com> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> <4F1590CA.6090609@gmail.com> Message-ID: vpc has a long list of unclear and/or seemingly contradictory caveats (spread across multiple cisco docs/webpages). when it doesn't work (as expected), it can be challenging to find someone with tac who can actually tell you why (or how to fix it properly). if your needs are fairly basic, are all cisco, follow their dc3.0 verbatim, and don't mind the lack of features on the nexus platform, then it isn't a bad box (if rather expensive for the lack of features...like ipv6 for is-is). 
also, be prepared to keep spanning-tree around and keep bugging your cisco se/am about trill support (as opposed to fabricpath...see tdp vs ldp) if you *might* want to involve the n7k in routing at all, then http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/ offers a much clearer explanation than cisco.com about what works and what doesn't (and whether-or-not tac might try to help) hth /joshua From rs at seastrom.com Wed Jan 18 12:00:37 2012 From: rs at seastrom.com (Robert E. Seastrom) Date: Wed, 18 Jan 2012 13:00:37 -0500 Subject: enterprise 802.11 In-Reply-To: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com> (Jay Ashworth's message of "Mon, 16 Jan 2012 12:43:33 -0500 (EST)") References: <5290984.5313.1326735813483.JavaMail.root@benjamin.baylink.com> Message-ID: <86ipk8lwl6.fsf@seastrom.com> Jay Ashworth writes: > ----- Original Message ----- >> From: "Jared Mauch" > >> network side. I'm personally not convinced of the value of very short >> lease times (less than an hour) > > Less than an hour, perhaps not. > > On small residential networks, though -- generally, anything where the > router (which will need to get rebooted occasionally) *is* the DHCP server -- > I tend to set the timeout to 30-60 minutes, to reduce the race window between > when a router is rebooted, and when a new device shows up and conflicts > because it's given an IP another device still thinks it owns. Another thing that works (in environments where you can get away with it) is an enormous dhcp pool and super long leases with walking-the-whole-space behavior and persistent-across-reboots behavior on the part of the DHCP server. The built-in server on the Mikrotik platforms will do this. Configuring a /16 worth of 1918 space with a 3 week lease for a campground that typically hosts 1 week long events has handily dodged the issue for me. Admittedly this is a corner case... 
-r From bhmccie at gmail.com Wed Jan 18 12:12:19 2012 From: bhmccie at gmail.com (-Hammer-) Date: Wed, 18 Jan 2012 12:12:19 -0600 Subject: VPC=S/MLT? In-Reply-To: <20120115011015.GA14746@argus.gw.utexas.edu> References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> Message-ID: <4F170B83.4010207@gmail.com> Found them all on the same page. Not exactly what I was looking for but it's worth sharing. http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html -Hammer- "I was a normal American nerd" -Jack Herer On 1/14/2012 7:10 PM, Charles Spurgeon wrote: > On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote: >> The first link references "chapter 3". I found chapter 5 as well >> but I can't find the full index. Do you have that link by any chance? > I don't have a link to a full index. The links I sent are from a set > of Nexus design and operation chapters I've found. Each chapter is a > guide to a specific aspect of Nexus and vPC operation and DC design. > The set doesn't appear to have been turned into standard Cisco docs > with indexes etc. 
> > Here are the links that I've been able to find:
> >
> > Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual PortChannel: Overview
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf
> >
> > Chapter 2: Cisco NX-OS Software Command-Line Interface Primer
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf
> >
> > Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
> >
> > Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf
> >
> > Chapter 5: Data Center Aggregation Layer Design and Configuration with Cisco Nexus Switches and Virtual PortChannels
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
> >
> > Chapter 6: Data Center Access Design with Cisco Nexus 5000 Series Switches and 2000 Series Fabric Extenders and Virtual PortChannels
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
> >
> > Chapter 7: 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf
> >
> > Chapter 8: Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000 and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric Extenders
> > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf
> >
> > -Charles
> >
> > Charles E. Spurgeon / UTnet
> > UT Austin ITS / Networking
> > c.spurgeon at its.utexas.edu / 512.475.9265
>

From bhmccie at gmail.com Wed Jan 18 12:25:33 2012 From: bhmccie at gmail.com (-Hammer-) Date: Wed, 18 Jan 2012 12:25:33 -0600 Subject: VPC=S/MLT? 
In-Reply-To: References: <4F1083C3.9030804@gmail.com> <4F1086AC.9050201@bogus.com> <4F108849.8040002@gmail.com> <20120113201000.GA88108@argus.gw.utexas.edu> <4F109CC0.8000800@gmail.com> <20120115011015.GA14746@argus.gw.utexas.edu> <4F1590CA.6090609@gmail.com> Message-ID: <4F170E9D.6010504@gmail.com> Nice link. Thanks Joshua. -Hammer- "I was a normal American nerd" -Jack Herer On 1/18/2012 11:57 AM, joshua sahala wrote: > vpc has a long list of unclear and/or seemingly contradictory caveats > (spread across multiple cisco docs/webpages). when it doesn't work > (as expected), it can be challenging to find someone with tac who can > actually tell you why (or how to fix it properly). if your needs are > fairly basic, are all cisco, follow their dc3.0 verbatim, and don't > mind the lack of features on the nexus platform, then it isn't a bad > box (if rather expensive for the lack of features...like ipv6 for > is-is). also, be prepared to keep spanning-tree around and keep > bugging your cisco se/am about trill support (as opposed to > fabricpath...see tdp vs ldp) > > if you *might* want to involve the n7k in routing at all, then > http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/ > offers a much clearer explanation than cisco.com about what works and > what doesn't (and whether-or-not tac might try to help) > > hth > /joshua > > From drew.weaver at thenap.com Wed Jan 18 13:26:57 2012 From: drew.weaver at thenap.com (Drew Weaver) Date: Wed, 18 Jan 2012 14:26:57 -0500 Subject: DNS Attacks In-Reply-To: References: <4F16DFA2.8030208@foobar.org> <0C0D0264-E925-4CE0-8F6A-5BE4DE70F543@cs.columbia.edu> Message-ID: -----Original Message----- From: Christopher Morrow [mailto:morrowc.lists at gmail.com] Sent: Wednesday, January 18, 2012 11:43 AM To: Steven Bellovin Cc: nanog at nanog.org Subject: Re: DNS Attacks yup... 
I think roland and nick (he can correct me, roland I KNOW is saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex and your firewall fails long before the 7206's interface/filter will :( Some folks would say you'd be better off doing some LB/filtering-in-software behind said router interface filter, I can't argue with that.

>>>>> But you don't get the benefit of UNIFIED THREAT MANAGEMENT or syn-authentication with an access-list, or what happens if someone sends your wordpress blog a malformed GET request which causes it to give the attacker root? Or Slowloris, or one of any thousand other HTTP protocol based attacks? (I'm being sarcastic but that is the argument you will hear). Seriously though, if there is one thing I wish people would stop doing it is releasing web vulnerability scanners for free (like acunetix); they're easy enough to catch because they use sitemaps, but they can be a bit annoying and generate a lot of load =)

-Drew

From me at anuragbhatia.com Wed Jan 18 13:36:56 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Thu, 19 Jan 2012 01:06:56 +0530 Subject: Tata AS6453 not peering with NTT AS2914 in Japan Message-ID:

Hello everyone!

Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe) or NTT Communications? I can see Tata Comm's AS6453 is not exchanging traffic with NTT AS2914 in Japan. Is there any specific reason for that? I can see traffic exchange is being done at London, New York, San Jose but not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are having a round trip to the US. This is screwing up performance of networks which are downstream for NTT, e.g. Akamai. Route to Akamai.com webserver from Indian networks is going like India - UK - Japan adding over 200ms of overhead latency. If someone is interested in detailed data, I have blogged about it here. 
Any ideas what's preventing them peering in Japan itself?

-- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia

From me at anuragbhatia.com Wed Jan 18 16:10:17 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Thu, 19 Jan 2012 03:40:17 +0530 Subject: Tata AS6453 not peering with NTT AS2914 in Japan In-Reply-To: References: Message-ID:

Call it funny or what - so far I have got 4 replies and in total 10 emails in one to one discussion. No one replied in mailing list!

On Thu, Jan 19, 2012 at 1:06 AM, Anurag Bhatia wrote: > Hello everyone! > > Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe) > or NTT Communications? I can see Tata Comm's AS6453 is not exchanging > traffic with NTT AS2914 in Japan. Is there any specific reason for that? > I can see traffic exchange is being done at London, New York, San Jose but > not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are having a > round trip to the US. This is screwing up performance of networks which are > downstream for NTT, e.g. Akamai. Route to Akamai.com webserver from Indian > networks is going like India - UK - Japan adding over 200ms of overhead > latency. If someone is interested in detailed data, I have blogged about it > here. > > > Any ideas what's preventing them peering in Japan itself? > -- > > Anurag Bhatia > > anuragbhatia.com > > or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected > network! > > Twitter: @anurag_bhatia > >

-- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia

From jrhett at netconsonance.com Wed Jan 18 17:01:07 2012 From: jrhett at netconsonance.com (Jo Rhett) Date: Wed, 18 Jan 2012 15:01:07 -0800 Subject: bgp question In-Reply-To: References: Message-ID: On Jan 18, 2012, at 5:58 AM, Deric Kwok wrote: > Could you tell me more about "routing registries"? 
> I would like to learn it google it, and RADB for example. > 2nd question: Are you familiar with quagga? > Is it supporting equally multipath in different bgp connections? Yes, absolutely. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

From randy at psg.com Wed Jan 18 17:08:38 2012 From: randy at psg.com (Randy Bush) Date: Thu, 19 Jan 2012 08:08:38 +0900 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F16D917.2060408@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: > One can also try RIPEstat for this: http://stat.ripe.net/ wfm > (Disclaimer: our team is working on this tool.) and you used your work email address. thank you. randy

From streiner at cluebyfour.org Wed Jan 18 17:48:12 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 18 Jan 2012 18:48:12 -0500 (EST) Subject: bgp question In-Reply-To: References: Message-ID: On Wed, 18 Jan 2012, Deric Kwok wrote: > Could you tell me more about "routing registries"? > I would like to learn it In a nutshell, Internet Routing Registries (IRRs) are places where networks can store information that describes their routing policies. Other networks can query this information and use the results to build or update their filtering policies. You can find an extensive list of registries and more background information at http://www.irr.net/ > 2nd question: Are you familiar with quagga? > Is it supporting equally multipath in different bgp connections? I haven't messed around too much with quagga, so I can't give you a good answer on that at the moment. jms

From streiner at cluebyfour.org Wed Jan 18 17:56:28 2012 From: streiner at cluebyfour.org (Justin M. 
Streiner) Date: Wed, 18 Jan 2012 18:56:28 -0500 (EST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, 18 Jan 2012, Christopher Morrow wrote: > My question is when is FiOS going to get v6 natively? could we get the > engineers there to actually do something as opposed to trials of > non-production systems that'll never actually get deployed? :) I wonder when Comcast and Verizon will get into an IPv6 advertising war. "v6... smhee-6! Ditch that cable modem and switch to Fios!" jms From joelja at bogus.com Wed Jan 18 18:18:38 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 18 Jan 2012 16:18:38 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: <4F17615E.1090108@bogus.com> On 1/18/12 15:56 , Justin M. Streiner wrote: > On Wed, 18 Jan 2012, Christopher Morrow wrote: > >> My question is when is FiOS going to get v6 natively? could we get the >> engineers there to actually do something as opposed to trials of >> non-production systems that'll never actually get deployed? :) > > I wonder when Comcast and Verizon will get into an IPv6 advertising war. > "v6... smhee-6! Ditch that cable modem and switch to Fios!" LTE has V6 natively and it gets used today... joel > jms > From jof at thejof.com Wed Jan 18 18:24:28 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Wed, 18 Jan 2012 16:24:28 -0800 Subject: bgp question In-Reply-To: References: Message-ID: On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok wrote: > ls it supporting equally multipath in different bgp connections? Most software routing protocols have support for this in their RIBs, but the actual forwarding ability of the underlying kernel will determine the support for this. What platform do you route on? 
Cheers, jof From streiner at cluebyfour.org Wed Jan 18 18:45:16 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 18 Jan 2012 19:45:16 -0500 (EST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: <4F17615E.1090108@bogus.com> References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <4F17615E.1090108@bogus.com> Message-ID: On Wed, 18 Jan 2012, Joel jaeggli wrote: > On 1/18/12 15:56 , Justin M. Streiner wrote: >> On Wed, 18 Jan 2012, Christopher Morrow wrote: >> >> I wonder when Comcast and Verizon will get into an IPv6 advertising war. >> "v6... smhee-6! Ditch that cable modem and switch to Fios!" > > LTE has V6 natively and it gets used today... True, but VZW and VZO are two different animals. jms From mpetach at netflight.com Wed Jan 18 19:17:15 2012 From: mpetach at netflight.com (Matthew Petach) Date: Wed, 18 Jan 2012 17:17:15 -0800 Subject: Tata AS6453 not peering with NTT AS2914 in Japan In-Reply-To: References: Message-ID: On Wed, Jan 18, 2012 at 2:10 PM, Anurag Bhatia wrote: > Call it funny or what - so far I have got 4 replies and in total 10emails > in one to one discussion. > > No one replied in mailing list! People are often hesitant to discuss dirty laundry in public; not least because it can sometimes have employment implications. Most requests on the lists are thus phrased as "please contact me about X" or "It would be really nice if you could fix your misconfiguration at site Y" so that there's no onus placed on an engineer to discuss the issue publicly; fixing the issue, or responding with a private message about the issue is usually considered sufficient response. 
Matt From tony at lavanauts.org Wed Jan 18 22:41:32 2012 From: tony at lavanauts.org (Antonio Querubin) Date: Wed, 18 Jan 2012 18:41:32 -1000 (HST) Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> Message-ID: On Wed, 18 Jan 2012, Anurag Bhatia wrote: > 1. No A or AAAA record on main worldipv6launch.org Odd and annoying. So 20th century... :) Antonio Querubin e-mail: tony at lavanauts.org xmpp: antonioquerubin at gmail.com From joelja at bogus.com Thu Jan 19 00:10:58 2012 From: joelja at bogus.com (Joel Jaeggli) Date: Wed, 18 Jan 2012 22:10:58 -0800 Subject: World IPv6 Launch Day - June 6, 2012 In-Reply-To: References: <4F161A1E.7040903@derekivey.com> <20120118043805.GA5455@isc.upenn.edu> <4F17615E.1090108@bogus.com> Message-ID: <73AF1D48-8A9D-45CA-B740-6D8C922091DF@bogus.com> By the same token, The mobile broadband network is not some also-ran adjunct to the residential broadband service. On Jan 18, 2012, at 16:45, "Justin M. Streiner" wrote: > On Wed, 18 Jan 2012, Joel jaeggli wrote: > >> On 1/18/12 15:56 , Justin M. Streiner wrote: >>> On Wed, 18 Jan 2012, Christopher Morrow wrote: >>> >>> I wonder when Comcast and Verizon will get into an IPv6 advertising war. >>> "v6... smhee-6! Ditch that cable modem and switch to Fios!" >> >> LTE has V6 natively and it gets used today... > > True, but VZW and VZO are two different animals. 
> > jms > From ops.lists at gmail.com Thu Jan 19 00:57:45 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 19 Jan 2012 12:27:45 +0530 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F16D917.2060408@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: On Wed, Jan 18, 2012 at 8:07 PM, Robert Kisteleki wrote: > One can also try RIPEstat for this: http://stat.ripe.net/ > > Amongst other modules it gives full (~10 year) BGP history for prefixes. Does it also give a similar history for ASN announcements? I see a lot many shady ASNs that simply move from one prefix to another, in batches -- Suresh Ramasubramanian (ops.lists at gmail.com) From robert at ripe.net Thu Jan 19 02:28:37 2012 From: robert at ripe.net (Robert Kisteleki) Date: Thu, 19 Jan 2012 09:28:37 +0100 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> Message-ID: <4F17D435.6030204@ripe.net> On 2012.01.19. 7:57, Suresh Ramasubramanian wrote: > On Wed, Jan 18, 2012 at 8:07 PM, Robert Kisteleki wrote: >> One can also try RIPEstat for this: http://stat.ripe.net/ >> >> Amongst other modules it gives full (~10 year) BGP history for prefixes. > > Does it also give a similar history for ASN announcements? I see a > lot many shady ASNs that simply move from one prefix to another, in > batches > Yes. See for example (only the routing module): http://stat.ripe.net/query/routing-history/AS3333?params={%27value%27:+%27AS3333%27} You can turn on the "first transit AS" with the checkbox on the top right. 
Robert

From ops.lists at gmail.com Thu Jan 19 02:35:39 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 19 Jan 2012 14:05:39 +0530 Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS In-Reply-To: <4F17D435.6030204@ripe.net> References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu> <9E11240C-22DA-4B1D-8806-579F398B5284@merit.edu> <28673266-0FE2-408D-BAAC-4297ED92AA41@gmail.com> <4F16D917.2060408@ripe.net> <4F17D435.6030204@ripe.net> Message-ID: Superb. Thank you. On Thu, Jan 19, 2012 at 1:58 PM, Robert Kisteleki wrote: > > > Yes. See for example (only the routing module): > > http://stat.ripe.net/query/routing-history/AS3333?params={%27value%27:+%27AS3333%27} > > You can turn on the "first transit AS" with the checkbox on the top right. -- Suresh Ramasubramanian (ops.lists at gmail.com)

From andra.lutu at imdea.org Thu Jan 19 05:24:04 2012 From: andra.lutu at imdea.org (andra.lutu at imdea.org) Date: Thu, 19 Jan 2012 12:24:04 +0100 (CET) Subject: RIS raw data Message-ID: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org>

Hi all,

I am working on getting a better grasp on what data we have in the RIS project from RIPE. To this end, I am checking the export policies of the ASes peering with RIPE AS12654 at different IXPs. I am wondering if anybody knows what these ASes actually announce to the RIPE repositories? Do they dump their entire routing tables (including their internal routes)? In some cases I saw the export policy ANNOUNCE ANY; is this consistent with a particular AS behaving like the RIPE AS was its customer? Another type of export policy is for example 'to AS12654: ANNOUNCE AS "YYY"' (where "YYY" is any AS peering with RIPE in the RIS project). How is this policy different from the previous one from the point of view of the routing feed the RIPE repository receives?

Thank you for your help! 
Best regards, Andra From nick at foobar.org Thu Jan 19 06:12:14 2012 From: nick at foobar.org (Nick Hilliard) Date: Thu, 19 Jan 2012 12:12:14 +0000 Subject: RIS raw data In-Reply-To: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <4F18089E.9070609@foobar.org> On 19/01/2012 11:24, andra.lutu at imdea.org wrote: > I am working on getting a better grasp on what data we > have in the RIS project from RIPE. > To this end, I am checking the > export policies of the ASes peering with RIPE AS12654 at different > IXPs. > I am wondering if anybody knows what these ASes actually > announce to the RIPE repositories? Do they dump their entire routing > tables (including their internal routes) ? > In some cases I saw > the export policy ANNOUNCE ANY, is this consistent with a particular AS > behaving like the RIPE AS was its customer? > Another type of export > policy is for example 'to AS12654: ANNOUNCE AS "YYY" > '(where "YYY" is any AS peering with RIPE in the RIS > project). > How is this policy different from the previous one from > the point of view of the routing feed the RIPE repository receives? Hi Andra, INEX used to maintain two peering matrices. One was based on RIPE IRRDB data; the other was based on netflow/sflow BGP data sampled from the IXP infrastructure. The difference between the two was shocking. Nick From greg at bestnet.kharkov.ua Thu Jan 19 06:20:29 2012 From: greg at bestnet.kharkov.ua (Gregory Edigarov) Date: Thu, 19 Jan 2012 14:20:29 +0200 Subject: dial-peer authenticaton in ios 12.3? Message-ID: <20120119142029.7c4d67e7@greg.bestnet.kharkov.ua> Hello everybody, Is there a good person who could try to remember how to configure authentication in dial-peer on IOS (tm) MC3810 Software (MC3810-A2ISV5-M), Version 12.3(13), RELEASE SOFTWARE (fc2)? 
dial-peer voice 1 pots
 authentication username someuser password somepassword

does not seem to be any help as it points an error on the "authentication" keyword. Is there anything I could try to do about this before I throw it out from my balcony?

Thank you.

-- With best regards, Gregory Edigarov

From randy at psg.com Thu Jan 19 06:52:52 2012 From: randy at psg.com (Randy Bush) Date: Thu, 19 Jan 2012 21:52:52 +0900 Subject: RIS raw data In-Reply-To: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: > In some cases I saw the export policy ANNOUNCE ANY, is this consistent > with a particular AS behaving like the RIPE AS was its customer? well, if i was to take that literally, that would include internal prefixes, e.g. some of p2p inter-router links, loopbacks, ... of course, taking anything from the IRR literally is naïve at best. some years back, i asked for a *simple minimal* tagging of announcements to route views, just peer, customer, internal. it got ietfed to utter uselessness, with more crap welded on to it than envisioned in mad max. randy

From deric.kwok2000 at gmail.com Thu Jan 19 07:27:45 2012 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Thu, 19 Jan 2012 08:27:45 -0500 Subject: bgp question In-Reply-To: References: Message-ID:

Hi

Thank you all of you

Can I have one question?

We are planning to have 3 x 1G bgp connections (full tables) eg: Path A, B, C

Can I say that we have 3G output totally?

From my understanding, the bgp chooses the best path to route automatically

If the path A is best route and that path 1G bandwidth is used up, will bgp try to use path B and path C automatically? or the bgp still choose to path A whatever the bandwidth is used up

How can I use up those 3G? 
Thank you so much PS: my platform is linu On Wed, Jan 18, 2012 at 7:24 PM, Jonathan Lassoff wrote: > On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok wrote: >> Is it supporting equally multipath in different bgp connections? > > Most software routing protocols have support for this in their RIBs, > but the actual forwarding ability of the underlying kernel will > determine the support for this. > What platform do you route on? > > Cheers, > jof From danny at tcb.net Thu Jan 19 07:51:42 2012 From: danny at tcb.net (Danny McPherson) Date: Thu, 19 Jan 2012 08:51:42 -0500 Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <44E1EB40-903A-4C8B-A512-26B0931AA5D3@tcb.net> On Jan 19, 2012, at 7:52 AM, Randy Bush wrote: > of course, taking anything from the IRR literally is naïve at best. Unfortunately, if the BGPSEC, RPKI and SIDR work stays the course in the IETF, we're still going to need IRR-esque policy capabilities (outside of route server and prefix origin bindings in that work), so we'd best start figuring out how to make them suck less. > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max. I agree, it's important to analyze systemic cost/benefit and complexity, and the new operational impacts various standards work is introducing. -danny From jmaslak at antelope.net Thu Jan 19 08:23:11 2012 From: jmaslak at antelope.net (Joel Maslak) Date: Thu, 19 Jan 2012 07:23:11 -0700 Subject: bgp question In-Reply-To: References: Message-ID: On Thu, Jan 19, 2012 at 6:27 AM, Deric Kwok wrote: > We are planning to have 3 x 1G bgp connections (full tables) eg: Path A, B, C > > Can I say that we have 3G output totally? Sure. > From my understanding, the bgp chooses the best path to route automatically It doesn't. 
It typically chooses the path with the least number of autonomous systems for a given destination. That can actually result in longer physical paths in many cases. Let's say provider C buys bandwidth from A and B (and nobody else). If that's the case, you will only use C for things directly connected to C's network (typically only things that pay C), but every other internet destination would use A or B. (unless you adjust things to not do this). > If the path A is best route and that path 1G bandwidth is used up, > will bgp try to use path B and path C automatically? No, with one caveat. If you fill up the pipe enough that routing messages don't get through, those routes will eventually time out and the path won't be used at all. > How can I use up those 3G? You will need to manually adjust routes, preferences, etc. You'll still have one path that is hotter than the others (although hopefully not too much hotter). Are you worried about incoming or outgoing bandwidth, or both? For incoming, you will need to do things like: 1) Announce all of your prefixes aggregated out all 3 links 2) Announce parts of your prefixes out ONLY ONE link. So announce /24 #1 out A, /24 #2 out B, /24 #3 out C. This means you're forcing incoming traffic to generally come in one link per /24. The problem with this is that a really active /24 will get more traffic still. It also requires you to have at least 3 /24s (you can't route longer prefixes, which means you can't route PART of a /24). For outbound, the easy and obvious way would be for your providers to just announce 0/0 to you and for you to do some sort of flow-based load balancing. But if one provider had reachability problems, you'd go down. So without that, you'll have to adjust the preferences of incoming routes. Alternatively use BGP multipath and buy from one provider (and connect to the same router on the provider side). Bandwidth from one provider isn't necessarily a horrible thing, if you pick a good one provider. 
Even with multiple BGP feeds, unless you are really, really careful (and, most likely, spend tons of money for things like fiber redundancy so the different fibers don't all end up on one pole or going into the same telco building) you'll still have single points of failure. From andra.lutu at imdea.org Thu Jan 19 08:30:05 2012 From: andra.lutu at imdea.org (andra.lutu at imdea.org) Date: Thu, 19 Jan 2012 15:30:05 +0100 (CET) Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <47839.163.117.139.80.1326983405.squirrel@mail.imdea.org> Hi Randy, Thank you for your reply. I do, however, have one more question, please find it below. >> In some cases I saw the export policy ANNOUNCE ANY, is this consistent >> with a particular AS behaving like the RIPE AS was its customer? > > well, if i was to take that literally, that would include internal > prefixes, e.g. some of p2p inter-router links, loopbacks, ... > What would be then the difference between this ANNOUNCE ANY policy and this other policy I have found "ANNOUNCE AS-YYY" (where AS YYY is the AS exporting its routes)? What are the ASes actually exporting in this case? > of course, taking anything from the IRR literally is naïve at best. > > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max. 
> > randy > Best regards, Andra From shane at castlepoint.net Thu Jan 19 09:26:05 2012 From: shane at castlepoint.net (Shane Amante) Date: Thu, 19 Jan 2012 08:26:05 -0700 Subject: RIS raw data In-Reply-To: References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net> On Jan 19, 2012, at 5:52 AM, Randy Bush wrote: >> In some cases I saw the export policy ANNOUNCE ANY, is this consistent >> with a particular AS behaving like the RIPE AS was its customer? > > well, if i was to take that literally, that would include internal > prefixes, e.g. some of p2p inter-router links, loopbacks, ... > > of course, taking anything from the IRR literally is naïve at best. Please don't conflate the policy mechanisms enabled by the IRR policy *language*/specification itself with the *data* contained in the IRR ... > some years back, i asked for a *simple minimal* tagging of announcements > to route views, just peer, customer, internal. it got ietfed to utter > uselessness, with more crap welded on to it than envisioned in mad max. Wrt your last paragraph: care to share a link to the I-D (or, RFC) that you allude to above? I think your last paragraph is alluding to tagging routes with standard BGP communities, based on your "simple minimal" criteria, before they are sent to route-views. That strikes me as potentially orthogonal to issues with the present data in the IRR. -shane From Valdis.Kletnieks at vt.edu Thu Jan 19 09:46:32 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 19 Jan 2012 10:46:32 -0500 Subject: RIS raw data In-Reply-To: Your message of "Thu, 19 Jan 2012 21:52:52 +0900." References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> Message-ID: <3547.1326987992@turing-police.cc.vt.edu> On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > uselessness, with more crap welded on to it than envisioned in mad max. oooh... steampunk BGP. 
;) From ka at pacific.net Thu Jan 19 09:54:21 2012 From: ka at pacific.net (Ken A) Date: Thu, 19 Jan 2012 09:54:21 -0600 Subject: DNS Attacks In-Reply-To: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> References: <2996806E-AFD9-442A-948B-82118461845E@ukbroadband.com> Message-ID: <4F183CAD.9060802@pacific.net> On 1/18/2012 1:45 AM, Leigh Porter wrote: > > > On 18 Jan 2012, at 05:06, "toor" wrote: > >> Hi list, >> >> I am wondering if anyone else has seen a large amount of DNS >> queries coming from various IP ranges in China. I have been trying >> to find a pattern in the attacks but so far I have come up blank. I >> am completely guessing these are possibly DNS amplification attacks >> but I am not sure. Usually what I see is this: >> > > At various seemingly random times over the past week I have had a DNS > which is behind a firewall come under attack. The firewall is > significant because the attacks killed the firewall as it is rather > under specified (not my idea..). > > It did originate from Chinese address space and consisted of DNS > queries for lots of hosts. There was also a port-scan in the traffic > and a SYN attack on a few hosts on the same small subnet as the DNS, > a web server and an open SSH port. > We are seeing this too, though we don't have the kind of exposure some of the larger providers do. fwiw.. If for some reason, you can't use a dedicated box for DNS and/or a simple acl to protect services on a box, you can turn off connection tracking in iptables per-port using the NOTRACK target. 
iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NOTRACKTARGET Ken -- Ken Anderson From alter3d at alter3d.ca Thu Jan 19 10:01:13 2012 From: alter3d at alter3d.ca (Peter Kristolaitis) Date: Thu, 19 Jan 2012 11:01:13 -0500 Subject: RIS raw data In-Reply-To: <3547.1326987992@turing-police.cc.vt.edu> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <3547.1326987992@turing-police.cc.vt.edu> Message-ID: <4F183E49.7090306@alter3d.ca> On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > >> uselessness, with more crap welded on to it than envisioned in mad max. > oooh... steampunk BGP. ;) The Internet is like a series of (steam) tubes? ;) - Peter From leigh.porter at ukbroadband.com Thu Jan 19 10:05:38 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Thu, 19 Jan 2012 16:05:38 +0000 Subject: RIS raw data In-Reply-To: <4F183E49.7090306@alter3d.ca> References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <3547.1326987992@turing-police.cc.vt.edu> <4F183E49.7090306@alter3d.ca> Message-ID: > -----Original Message----- > From: Peter Kristolaitis [mailto:alter3d at alter3d.ca] > Sent: 19 January 2012 16:04 > To: nanog at nanog.org > Subject: Re: RIS raw data > > On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > > > >> uselessness, with more crap welded on to it than envisioned in mad > max. > > oooh... steampunk BGP. ;) > > The Internet is like a series of (steam) tubes? ;) > > - Peter When they break, do you see little clouds of 1s and 0s ? -- Leigh ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. 
For more information please visit http://www.symanteccloud.com ______________________________________________________________________ From ekim.ittag at gmail.com Thu Jan 19 10:32:54 2012 From: ekim.ittag at gmail.com (Mike Gatti) Date: Thu, 19 Jan 2012 08:32:54 -0800 Subject: Skype in the Enterprise Message-ID: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> Hello Everyone, I wanted to get the group's opinions/thoughts on how you would or currently handle users wanting or using Skype in the enterprise. Recently what has brought this to light was the fact that our firewalls started to deny/shun users randomly from access to the internet. After a couple of dozen packet captures and cross checking software installed on the clients' machines we narrowed down the culprit to be Skype, which later we validated in Lab. What we saw was in random intervals all skype clients would send a burst of requests to the internet which would trigger the intrusion detection threshold of our security appliances. Given that there were no changes to those thresholds I am left to ask what caused this behavior to start, a software update or an update to the skype network (if it can be called that)? I am trying to educate myself a little more before facing the lynch mobs when I start advising on a solution. Thanks for taking the time, -- Michael Gatti main. 949.371.5474 (UTC -8) From simon.lucy at bbc.co.uk Thu Jan 19 10:43:05 2012 From: simon.lucy at bbc.co.uk (Simon Lucy) Date: Thu, 19 Jan 2012 16:43:05 +0000 Subject: Skype in the Enterprise In-Reply-To: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> References: <26A04B09-927D-49F2-8E46-185C670F178A@gmail.com> Message-ID: <4F184819.6020209@bbc.co.uk> Mike Gatti wrote: > Hello Everyone, > > I wanted to get the group's opinions/thoughts on how you would or currently handle users wanting or using Skype in the enterprise. 
> Recently what has brought this to light was the fact that our firewalls started to deny/shun users randomly from access to the internet. > After a couple of dozen packet captures and cross checking software installed on the clients' machines we narrowed down the culprit to be Skype, which later we validated in Lab. > What we saw was in random intervals all skype clients would send a burst of requests to the internet which would trigger the intrusion detection threshold of our security appliances. > Given that there were no changes to those thresholds I am left to ask what caused this behavior to start, a software update or an update to the skype network (if it can be called that)? > I am trying to educate myself a little more before facing the lynch mobs when I start advising on a solution. You can start with the network admin's guide; it gives the basic characteristics of normal Skype network behaviour and how it punches through NAT, STUN etc. http://download.skype.com/share/business/guides/skype-it-administrators-guide.pdf S > > Thanks for taking the time, > -- > Michael Gatti > main. 949.371.5474 > (UTC -8) > > > > From bonomi at mail.r-bonomi.com Thu Jan 19 12:00:55 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Thu, 19 Jan 2012 12:00:55 -0600 (CST) Subject: RIS raw data In-Reply-To: <4F183E49.7090306@alter3d.ca> Message-ID: <201201191800.q0JI0t12027853@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Thu Jan 19 10:06:17 2012 > Date: Thu, 19 Jan 2012 11:01:13 -0500 > From: Peter Kristolaitis > To: nanog at nanog.org > Subject: Re: RIS raw data > > On 12-01-19 10:46 AM, Valdis.Kletnieks at vt.edu wrote: > > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said: > > > >> uselessness, with more crap welded on to it than envisioned in mad max. > > oooh... steampunk BGP. ;) > > The Internet is like a series of (steam) tubes? ;) It is widely known that some people _do_ let off a lot of steam via that mechanism. 
*chuckle* From tim.donahue at gmail.com Thu Jan 19 12:26:09 2012 From: tim.donahue at gmail.com (Tim Donahue) Date: Thu, 19 Jan 2012 13:26:09 -0500 Subject: Security Contact for PlusServer.de (AS8972) Message-ID: Hi all, Sorry for the noise, but I am looking for a contact for PlusServer.de (AS8972) to get a security issue resolved. Email to their abuse@ address has gone unanswered for nearly 24 hours at this point and the malicious traffic has not been stopped yet. Hopefully someone here has a security or noc contact that I can reach out to. Thank you, Tim From hrlinneweh at sbcglobal.net Thu Jan 19 12:39:03 2012 From: hrlinneweh at sbcglobal.net (Henry Linneweh) Date: Thu, 19 Jan 2012 10:39:03 -0800 (PST) Subject: AlcaLu Adds Security to Routers Message-ID: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> http://www.lightreading.com/document.asp?doc_id=216514&f_src=lrdailynewsletter -Henry From morrowc.lists at gmail.com Thu Jan 19 13:11:11 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 19 Jan 2012 14:11:11 -0500 Subject: AlcaLu Adds Security to Routers In-Reply-To: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> References: <1326998343.98190.YahooMailNeo@web180316.mail.gq1.yahoo.com> Message-ID: On Thu, Jan 19, 2012 at 1:39 PM, Henry Linneweh wrote: > > > http://www.lightreading.com/document.asp?doc_id=216514&f_src=lrdailynewsletter riverhead on a blade in your 6500 anyone? From jon at smugmug.com Thu Jan 19 14:10:01 2012 From: jon at smugmug.com (jon Heise) Date: Thu, 19 Jan 2012 12:10:01 -0800 Subject: juniper mx80 vs cisco asr 1000 Message-ID: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Does anyone have any experience with these two routers, we're looking to buy one of them but i have little experience dealing with cisco routers and zero experience with juniper. 
From tad1214 at gmail.com Thu Jan 19 14:34:56 2012 From: tad1214 at gmail.com (Thomas Donnelly) Date: Thu, 19 Jan 2012 12:34:56 -0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Message-ID: I have used the ASR1002-F in a previous life and I was very pleased with it. Performance was a massive increase from the 3845 we had. The warm standby IOS is a nice feature for in service upgrades and crash avoidance. I don't have much experience with the MX series of things but you would be happy with the ASR assuming it meets your bandwidth/port density requirements. -=Tom On Thu, Jan 19, 2012 at 12:10 PM, jon Heise wrote: > Does anyone have any experience with these two routers, we're looking to > buy one of them but i have little experience dealing with cisco routers and > zero experience with juniper. > From paul4004 at gmail.com Thu Jan 19 14:45:01 2012 From: paul4004 at gmail.com (PC) Date: Thu, 19 Jan 2012 13:45:01 -0700 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Message-ID: Which specific models are you looking at? Both contain a large product range. On Thu, Jan 19, 2012 at 1:10 PM, jon Heise wrote: > Does anyone have any experience with these two routers, we're looking to > buy one of them but i have little experience dealing with cisco routers and > zero experience with juniper. > From jay at west.net Thu Jan 19 14:59:41 2012 From: jay at west.net (Jay Hennigan) Date: Thu, 19 Jan 2012 12:59:41 -0800 Subject: US DOJ victim letter Message-ID: <4F18843D.3050101@west.net> We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that we may be the victim of a crime. Headers look legit. 
We have been frustrated in trying to follow the rabbit hole to get any useful information. we've jumped through hoops to get passwords that don't work and attempted to navigate a voice-mail system that resembles the "twisty maze of passages all different" from an old text adventure game. This *seems* to be legit, and I would think that the end result is likely to be a list of IP addresses associated with infected hosts. Has anyone else received the email? Is it legit? If so has anyone successfully navigated the maze, and if so how? Is it worth it? (And why don't they just send the list of infected IPs to the ARIN contact in the first place?) -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From michael.hare at doit.wisc.edu Thu Jan 19 15:01:37 2012 From: michael.hare at doit.wisc.edu (Michael Hare) Date: Thu, 19 Jan 2012 15:01:37 -0600 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: <4F1884B1.5020200@doit.wisc.edu> AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote: > We have received three emails from the US Department of Justice Victim > Notification System to our ARIN POC address advising us that we may be > the victim of a crime. Headers look legit. > > We have been frustrated in trying to follow the rabbit hole to get any > useful information. we've jumped through hoops to get passwords that > don't work and attempted to navigate a voice-mail system that resembles > the "twisty maze of passages all different" from an old text adventure > game. > > This *seems* to be legit, and I would think that the end result is > likely to be a list of IP addresses associated with infected hosts. > > Has anyone else received the email? Is it legit? 
If so has anyone > successfully navigated the maze, and if so how? Is it worth it? > > (And why don't they just send the list of infected IPs to the ARIN > contact in the first place?) > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > From jackson.tim at gmail.com Thu Jan 19 15:03:00 2012 From: jackson.tim at gmail.com (Tim Jackson) Date: Thu, 19 Jan 2012 15:03:00 -0600 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: The 3rd email they sent: This email is intended to provide clarification on a previous email sent to you. You will be receiving a letter by U.S. Postal Service in the coming days. In the meantime, please visit the link below which provides more details on the investigation and identifying you as a possible victim: www.fbi.gov/news/stories/2011/november/malware_110911 -- Tim From dave at colo4.com Thu Jan 19 15:04:18 2012 From: dave at colo4.com (Dave Ellis) Date: Thu, 19 Jan 2012 15:04:18 -0600 Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> References: <4F18843D.3050101@west.net> <4F1884B1.5020200@doit.wisc.edu> Message-ID: <4F188552.3090405@colo4.com> We've also received the emails and ignored them. If the US DOJ needs to contact us they use the postal service. On 01/19/2012 03:01 PM, Michael Hare wrote: > AS2381 has also received them, we are no further along in this than > you are. > > On 1/19/2012 2:59 PM, Jay Hennigan wrote: >> We have received three emails from the US Department of Justice Victim >> Notification System to our ARIN POC address advising us that we may be >> the victim of a crime. Headers look legit. >> >> We have been frustrated in trying to follow the rabbit hole to get any >> useful information. 
we've jumped through hoops to get passwords that >> don't work and attempted to navigate a voice-mail system that resembles >> the "twisty maze of passages all different" from an old text adventure >> game. >> >> This *seems* to be legit, and I would think that the end result is >> likely to be a list of IP addresses associated with infected hosts. >> >> Has anyone else received the email? Is it legit? If so has anyone >> successfully navigated the maze, and if so how? Is it worth it? >> >> (And why don't they just send the list of infected IPs to the ARIN >> contact in the first place?) >> >> -- >> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net >> Impulse Internet Service - http://www.impulse.net/ >> Your local telephone and internet company - 805 884-6323 - WB6RDV >> > From jay at west.net Thu Jan 19 15:04:56 2012 From: jay at west.net (Jay Hennigan) Date: Thu, 19 Jan 2012 13:04:56 -0800 Subject: US DOJ victim letter In-Reply-To: <4F1884BF.3060902@colo4.com> References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> Message-ID: <4F188578.6000100@west.net> On 1/19/12 1:01 PM, Dave Ellis wrote: > I've also received the emails, I assumed they were fake as our normal > contacts haven't mentioned anything. The body of the email indeed reads like a poorly-executed phish including elements such as "null" and "" but headers seem legit. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From mike at m5computersecurity.com Thu Jan 19 15:05:18 2012 From: mike at m5computersecurity.com (Michael J McCafferty) Date: Thu, 19 Jan 2012 13:05:18 -0800 Subject: US DOJ victim letter In-Reply-To: <4F18843D.3050101@west.net> References: <4F18843D.3050101@west.net> Message-ID: <1327007118.15021.4831.camel@mike-desktop> We've been getting them too. I haven't even thought to follow up. 
DOJ won't email you with a do not reply. On Thu, 2012-01-19 at 12:59 -0800, Jay Hennigan wrote: > We have received three emails from the US Department of Justice Victim > Notification System to our ARIN POC address advising us that we may be > the victim of a crime. Headers look legit. > > We have been frustrated in trying to follow the rabbit hole to get any > useful information. we've jumped through hoops to get passwords that > don't work and attempted to navigate a voice-mail system that resembles > the "twisty maze of passages all different" from an old text adventure > game. > > This *seems* to be legit, and I would think that the end result is > likely to be a list of IP addresses associated with infected hosts. > > Has anyone else received the email? Is it legit? If so has anyone > successfully navigated the maze, and if so how? Is it worth it? > > (And why don't they just send the list of infected IPs to the ARIN > contact in the first place?) > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > -- ************************************************************ Michael J. McCafferty CEO M5 Hosting http://www.m5hosting.com Like us on Facebook for updates and photos: https://www.facebook.com/m5hosting ************************************************************ From ml at kenweb.org Thu Jan 19 15:05:49 2012 From: ml at kenweb.org (ML) Date: Thu, 19 Jan 2012 16:05:49 -0500 Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> References: <4F18843D.3050101@west.net> <4F1884B1.5020200@doit.wisc.edu> Message-ID: <4F1885AD.6030405@kenweb.org> On 01/19/2012 04:01 PM, Michael Hare wrote: > AS2381 has also received them, we are no further along in this than you > are. 
> > On 1/19/2012 2:59 PM, Jay Hennigan wrote: >> We have received three emails from the US Department of Justice Victim >> Notification System to our ARIN POC address advising us that we may be >> the victim of a crime. Headers look legit. >> >> We have been frustrated in trying to follow the rabbit hole to get any >> useful information. we've jumped through hoops to get passwords that >> don't work and attempted to navigate a voice-mail system that resembles >> the "twisty maze of passages all different" from an old text adventure >> game. >> >> This *seems* to be legit, and I would think that the end result is >> likely to be a list of IP addresses associated with infected hosts. >> >> Has anyone else received the email? Is it legit? If so has anyone >> successfully navigated the maze, and if so how? Is it worth it? >> >> (And why don't they just send the list of infected IPs to the ARIN >> contact in the first place?) >> >> -- >> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net >> Impulse Internet Service - http://www.impulse.net/ >> Your local telephone and internet company - 805 884-6323 - WB6RDV >> > If it's related to the same emails I've received from the DOJ over the past 3 days: It's related to a case against a few Estonians involved with DNSChanger malware. www.fbi.gov/news/stories/2011/november/malware_110911 From rcarpen at network1.net Thu Jan 19 15:06:08 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Thu, 19 Jan 2012 16:06:08 -0500 (EST) Subject: US DOJ victim letter In-Reply-To: <4F1884B1.5020200@doit.wisc.edu> Message-ID: Same here. No idea who the intended recipient organization is, as it was sent to our generic tech contact email address that is used for a bunch of ASes, ARIN accounts, domains, etc. There are pretty much no details in the message. -Randy ----- Original Message ----- > AS2381 has also received them, we are no further along in this than > you are. 
> > On 1/19/2012 2:59 PM, Jay Hennigan wrote: > > We have received three emails from the US Department of Justice > > Victim > > Notification System to our ARIN POC address advising us that we may > > be > > the victim of a crime. Headers look legit. > > > > We have been frustrated in trying to follow the rabbit hole to get > > any > > useful information. we've jumped through hoops to get passwords > > that > > don't work and attempted to navigate a voice-mail system that > > resembles > > the "twisty maze of passages all different" from an old text > > adventure > > game. > > > > This *seems* to be legit, and I would think that the end result is > > likely to be a list of IP addresses associated with infected hosts. > > > > Has anyone else received the email? Is it legit? If so has anyone > > successfully navigated the maze, and if so how? Is it worth it? > > > > (And why don't they just send the list of infected IPs to the ARIN > > contact in the first place?) > > > > -- > > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > > Impulse Internet Service - http://www.impulse.net/ > > Your local telephone and internet company - 805 884-6323 - WB6RDV > > > > > From alan at clegg.com Thu Jan 19 15:08:23 2012 From: alan at clegg.com (Alan Clegg) Date: Thu, 19 Jan 2012 16:08:23 -0500 Subject: US DOJ victim letter In-Reply-To: <4F188578.6000100@west.net> References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> <4F188578.6000100@west.net> Message-ID: <4F188647.6090601@clegg.com> On 1/19/2012 4:04 PM, Jay Hennigan wrote: > The body of the email indeed reads like a poorly-executed phish > including elements such as "null" and "" but > headers seem legit. I asked a local contact if it was legit and he confirmed that it is. Wait for the paper mail. I was amused to discover that to proceed on the web, I had to enter my last name as "Representative" -- as in "Dear Business Representative". Yep, really. 
AlanC -- alan at clegg.com | aclegg at infoblox.com 1.919.355.8851 From adibble at quantcast.com Thu Jan 19 15:15:28 2012 From: adibble at quantcast.com (Andrew D. Dibble) Date: Thu, 19 Jan 2012 13:15:28 -0800 Subject: US DOJ victim letter In-Reply-To: References: <4F18843D.3050101@west.net> Message-ID: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server. FBI seems to have a list of netblocks hosting rogue DNS servers here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS So if one of the computers inside your network is talking to one of those IPs for DNS, you probably have malware. Drew On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote: > The 3rd email they sent: > > This email is intended to provide clarification on a previous email > sent to you. You will be receiving a letter by U.S. Postal Service in > the coming days. 
In the meantime, please visit the link below which > provides more details on the investigation and identifying you as a > possible victim: > > www.fbi.gov/news/stories/2011/november/malware_110911 > > -- > Tim > From cmadams at hiwaay.net Thu Jan 19 15:16:55 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 19 Jan 2012 15:16:55 -0600 Subject: US DOJ victim letter In-Reply-To: <4F188647.6090601@clegg.com> References: <4F18843D.3050101@west.net> <4F1884BF.3060902@colo4.com> <4F188578.6000100@west.net> <4F188647.6090601@clegg.com> Message-ID: <20120119211655.GF32702@hiwaay.net> Once upon a time, Alan Clegg said: > I was amused to discover that to proceed on the web, I had to enter my > last name as "Representative" -- as in "Dear Business Representative". > Yep, really. me too After I got yet more such generic and useless info, I lost interest. I tried to go back and log in again, only to get this error from clicking "Login" on the main page: The page you have requested does not exist, or can not be accessed. Please log in to the application from the main login page. The link is back to the same login page. Hope it isn't anything actually important, as the emails and website have been a complete useless joke (that some contractor probably got millions for). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From cmadams at hiwaay.net Thu Jan 19 15:19:22 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 19 Jan 2012 15:19:22 -0600 Subject: US DOJ victim letter In-Reply-To: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> Message-ID: <20120119211922.GG32702@hiwaay.net> Once upon a time, Andrew D. 
Dibble said: > FBI seems to have a list of netblocks hosting rogue DNS servers here: > https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS So should I try to type in all the IPs on my network, one at a time? Oh wait, that page requires Javascript to check an IP; like I'm going to allow the FBI to run JS on my computer. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From lane.powers at swat.coop Thu Jan 19 15:27:43 2012 From: lane.powers at swat.coop (Lane Powers) Date: Thu, 19 Jan 2012 15:27:43 -0600 Subject: US DOJ victim letter In-Reply-To: <20120119211922.GG32702@hiwaay.net> Message-ID: We took the CIDR blocks listed here; http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-ma lware.pdf And ran them against net flow data from our external links and were able to generate a list of subscriber IP addresses that were using the rogue DNS servers. Lane -- Lane Powers Southwest Arkansas Tel On 1/19/12 3:19 PM, "Chris Adams" wrote: >Once upon a time, Andrew D. Dibble said: >> FBI seems to have a list of netblocks hosting rogue DNS servers here: >> https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS > >So should I try to type in all the IPs on my network, one at a time? Oh >wait, that page requires Javascript to check an IP; like I'm going to >allow the FBI to run JS on my computer. > >-- >Chris Adams >Systems and Network Administrator - HiWAAY Internet Services >I don't speak for anybody but myself - that's enough trouble. 
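Lane's netflow matching above, as an added example (not code posted by anyone in this thread): it collapses the FBI's six rogue-DNS ranges (the same ones quoted from the FBI's JavaScript check later in the thread) into CIDR blocks and lists only the subscriber addresses that exchanged UDP/53 traffic with them. The CSV column layout and the subscriber prefixes are assumptions; the flow records are constructed sample data.

```python
"""Match flow records against the FBI's published DNSChanger rogue-DNS ranges.

Added example for this thread, not code from the list or from the FBI page.
The six ranges are the ones quoted from the FBI's JavaScript check; the flow
records below are constructed sample data.  Assumption: your flow exporter
can emit one record per flow as CSV with the columns src,dst,proto,sport,dport
(an nfdump csv export can be cut down to these).
"""
import csv
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

Octets = Tuple[int, int, int, int]

# (first address, last address) of each rogue range, as in the FBI page's IP_RANGES.
IP_RANGES: List[Tuple[Octets, Octets]] = [
    ((85, 255, 112, 0), (85, 255, 127, 255)),
    ((67, 210, 0, 0), (67, 210, 15, 255)),
    ((93, 188, 160, 0), (93, 188, 167, 255)),
    ((77, 67, 83, 0), (77, 67, 83, 255)),
    ((213, 109, 64, 0), (213, 109, 79, 255)),
    ((64, 28, 176, 0), (64, 28, 191, 255)),
]


def ranges_to_networks(ranges=IP_RANGES) -> List[ipaddress.IPv4Network]:
    """Collapse each first/last pair into the minimal list of CIDR blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for first, last in ranges:
        lo = ipaddress.IPv4Address(".".join(map(str, first)))
        hi = ipaddress.IPv4Address(".".join(map(str, last)))
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


ROGUE_NETS = ranges_to_networks()


def is_rogue(addr: str) -> bool:
    """True if addr falls inside one of the rogue DNS ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in ROGUE_NETS)


# Constructed sample flows; subscriber side uses RFC 5737 documentation space.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport
198.51.100.17,85.255.112.10,17,51234,53
85.255.112.10,198.51.100.17,17,53,51234
198.51.100.42,8.8.8.8,17,40001,53
198.51.100.99,67.210.5.5,6,43210,80
198.51.100.7,213.109.70.3,17,12345,53
203.0.113.5,93.188.161.200,17,53333,53
"""


def rogue_dns_clients(
    flow_lines: Iterable[str],
    local_prefixes: Sequence[str] = ("198.51.100.0/24", "203.0.113.0/24"),
) -> Dict[str, List[str]]:
    """Map each local client that resolved names via a rogue server to the servers used.

    Only UDP/53 is counted, in either direction, so ordinary web traffic to the
    same hosting ranges (the TCP/80 row in the sample) does not flag a subscriber.
    """
    local = [ipaddress.IPv4Network(p) for p in local_prefixes]

    def is_local(addr: str) -> bool:
        ip = ipaddress.IPv4Address(addr)
        return any(ip in net for net in local)

    hits: Dict[str, set] = {}
    for row in csv.DictReader(flow_lines):
        if row["proto"] != "17":  # 17 = UDP; DNSChanger victims resolve over UDP/53
            continue
        src, dst = row["src"], row["dst"]
        # Query: local -> rogue with dst port 53.  Response: rogue -> local with src port 53.
        if row["dport"] == "53" and is_local(src) and is_rogue(dst):
            client, server = src, dst
        elif row["sport"] == "53" and is_rogue(src) and is_local(dst):
            client, server = dst, src
        else:
            continue
        hits.setdefault(client, set()).add(server)
    return {client: sorted(servers) for client, servers in sorted(hits.items())}


if __name__ == "__main__":
    for client, servers in rogue_dns_clients(SAMPLE_FLOWS.splitlines()).items():
        print(client, "->", ", ".join(servers))
```

Feed it the real export instead of SAMPLE_FLOWS and the result is the per-subscriber list Lane describes, ready for notification.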
From paul4004 at gmail.com  Thu Jan 19 15:34:12 2012
From: paul4004 at gmail.com (PC)
Date: Thu, 19 Jan 2012 14:34:12 -0700
Subject: US DOJ victim letter
In-Reply-To: <20120119211922.GG32702@hiwaay.net>
References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com> <20120119211922.GG32702@hiwaay.net>
Message-ID: 

Knowing it's JS, I looked at the source, and here's the "rogue" ranges:

var IP_RANGES = [
    [[85, 255, 112, 0], [85, 255, 127, 255]],
    [[67, 210, 0, 0], [67, 210, 15, 255]],
    [[93, 188, 160, 0], [93, 188, 167, 255]],
    [[77, 67, 83, 0], [77, 67, 83, 255]],
    [[213, 109, 64, 0], [213, 109, 79, 255]],
    [[64, 28, 176, 0], [64, 28, 191, 255]]
];

On Thu, Jan 19, 2012 at 2:19 PM, Chris Adams wrote:

> Once upon a time, Andrew D. Dibble said:
> > FBI seems to have a list of netblocks hosting rogue DNS servers here:
> > https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
>
> So should I try to type in all the IPs on my network, one at a time? Oh
> wait, that page requires Javascript to check an IP; like I'm going to
> allow the FBI to run JS on my computer.
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>

From carlos at race.com  Thu Jan 19 15:39:37 2012
From: carlos at race.com (Carlos Alcantar)
Date: Thu, 19 Jan 2012 21:39:37 +0000
Subject: US DOJ victim letter
In-Reply-To: <20120119211655.GF32702@hiwaay.net>
Message-ID: 

+1 on these emails we have received 3 of them.

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com

> Once upon a time, Alan Clegg said:
> > I was amused to discover that to proceed on the web, I had to enter my
> > last name as "Representative" -- as in "Dear Business Representative".
> > Yep, really.
>
> me too
>
> After I got yet more such generic and useless info, I lost interest. I
> tried to go back and log in again, only to get this error from clicking
> "Login" on the main page:
>
>   The page you have requested does not exist, or can not be accessed.
>   Please log in to the application from the main login page.
>
> The link is back to the same login page.
>
> Hope it isn't anything actually important, as the emails and website have
> been a complete useless joke (that some contractor probably got millions for).
>
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

From randy at psg.com  Thu Jan 19 15:34:49 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 20 Jan 2012 06:34:49 +0900
Subject: RIS raw data
In-Reply-To: <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net>
References: <47242.163.117.139.80.1326972244.squirrel@mail.imdea.org> <85D843DC-9481-47E1-904A-035C758A66DE@castlepoint.net>
Message-ID: 

> Please don't conflate the policy mechanisms enabled by the IRR policy
> *language*/specification itself with the *data* contained in the IRR

i don't. the former is called rpsl.

>> some years back, i asked for a *simple minimal* tagging of announcements
>> to route views, just peer, customer, internal. it got ietfed to utter
>> uselessness, with more crap welded on to it than envisioned in mad max.
>
> Wrt your last paragraph: care to share a link the I-D (or, RFC) that
> you allude to above?

http://tools.ietf.org/html/draft-ietf-grow-collection-communities-08

> I think your last paragraph is alluding to tagging routes with
> standard BGP communities, based on your "simple minimal" criteria,
> before they are sent to route-views. That strikes me as potentially
> orthogonal to issues with the present data in the IRR.

but not orthogonal to the op's direct question.

randy

From simon at slimey.org  Thu Jan 19 15:36:13 2012
From: simon at slimey.org (Simon Lockhart)
Date: Thu, 19 Jan 2012 21:36:13 +0000
Subject: US DOJ victim letter
In-Reply-To: <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
References: <4F18843D.3050101@west.net> <76F24853-BBF7-4627-8417-CF53B3D6C70C@quantcast.com>
Message-ID: <20120119213613.GE17969@virtual.bogons.net>

On Thu Jan 19, 2012 at 01:15:28PM -0800, Andrew D. Dibble wrote:
> So if one of the computers inside your network is talking to one of those IPs
> for DNS, you probably have malware.

Show me an ISP which doesn't have end-user PCs infected with malware :)

Simon

From tlyons at ivenue.com  Thu Jan 19 15:37:32 2012
From: tlyons at ivenue.com (Todd Lyons)
Date: Thu, 19 Jan 2012 13:37:32 -0800
Subject: US DOJ victim letter
In-Reply-To: 
References: <20120119211655.GF32702@hiwaay.net>
Message-ID: 

On Thu, Jan 19, 2012 at 1:39 PM, Carlos Alcantar wrote:
>
> +1 on these emails we have received 3 of them.

Three here as well.

-- 
SOPA: Any attempt to [use legal means to] reverse technological
advances is doomed. --Leo Leporte

From leigh.porter at ukbroadband.com  Thu Jan 19 15:40:10 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Thu, 19 Jan 2012 21:40:10 +0000
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: 

> -----Original Message-----
> From: jon Heise [mailto:jon at smugmug.com]
> Sent: 19 January 2012 21:37
> To: nanog at nanog.org
> Subject: juniper mx80 vs cisco asr 1000
>
> Does anyone have any experience with these two routers, we're looking
> to buy one of them but i have little experience dealing with cisco
> routers and zero experience with juniper.

I have lots of MX80s and they have all been fantastic. But if you have no experience of Juniper it will be a different learning curve (one that is, IMO, worth the effort).
I have not used the asr1000 but it looks like a capable box. You would do well to look at the MX80 fixed chassis, it comes with 48 1G interfaces and 4 10G interfaces. They are pretty good value, I think.

-- 
Leigh Porter

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From josh.hoppes at gmail.com  Thu Jan 19 15:40:13 2012
From: josh.hoppes at gmail.com (Josh Hoppes)
Date: Thu, 19 Jan 2012 15:40:13 -0600
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: 
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: 

I would also be interested in people's experiences with the MX80 platform. Currently considering the MX40 license level of MX80 platform for a project. We have had good experiences with the ASR1002 but want to keep our options open.

On Thu, Jan 19, 2012 at 2:45 PM, PC wrote:
> Which specific models are you looking at?
>
> Both contain a large product range.
>
> On Thu, Jan 19, 2012 at 1:10 PM, jon Heise wrote:
>
>> Does anyone have any experience with these two routers, we're looking to
>> buy one of them but i have little experience dealing with cisco routers and
>> zero experience with juniper.
>>

From ariel at post.tau.ac.il  Thu Jan 19 15:43:34 2012
From: ariel at post.tau.ac.il (Ariel Biener)
Date: Thu, 19 Jan 2012 23:43:34 +0200
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: 
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: <4F188E86.9080509@post.tau.ac.il>

On 01/19/2012 11:40 PM, Leigh Porter wrote:
>> -----Original Message-----
>> From: jon Heise [mailto:jon at smugmug.com]
>> Sent: 19 January 2012 21:37
>> To: nanog at nanog.org
>> Subject: juniper mx80 vs cisco asr 1000
>>
>> Does anyone have any experience with these two routers, we're looking
>> to buy one of them but i have little experience dealing with cisco
>> routers and zero experience with juniper.
> I have lots of MX80s and they have all been fantastic. But if you have no experience of Juniper it will be a different learning curve (one that is, IMO, worth the effort).
>
> I have not used the asr1000 but it looks like a capable box. You would do well to look at the MX80 fixed chassis, it comes with 48 1G interfaces and 4 10G interfaces. They are pretty good value, I think.

It well depends on your requirements (not talking about throughput). The ASR1000 series is a "services" box. It does more in terms of services (using license enablers) than the MX80 does, and it costs more. So, it very much depends on what you want to do with the boxes.

--Ariel

>
> --
> Leigh Porter
>

-- 
Ariel Biener
e-mail: ariel at post.tau.ac.il
PGP: http://www.tau.ac.il/~ariel/pgp.html

From ryan.g at atwgpc.net  Thu Jan 19 16:36:24 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Thu, 19 Jan 2012 16:36:24 -0600
Subject: US DOJ victim letter
In-Reply-To: 
References: <20120119211655.GF32702@hiwaay.net>
Message-ID: 

They are related to the DNSChanger and Ghostclick malware as ML said. The e-mails to us did come from the DOJ e-mail servers and were legitimate. The phone number is legit as well.

On Thu, Jan 19, 2012 at 3:37 PM, Todd Lyons wrote:
> On Thu, Jan 19, 2012 at 1:39 PM, Carlos Alcantar wrote:
> >
> > +1 on these emails we have received 3 of them.
>
> Three here as well.
> --
> SOPA: Any attempt to [use legal means to] reverse technological
> advances is doomed. --Leo Leporte
>

From ryan.g at atwgpc.net  Thu Jan 19 16:41:02 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Thu, 19 Jan 2012 16:41:02 -0600
Subject: Megaupload.com seized
Message-ID: 

The megaupload.com domain was seized today, has anyone noticed significant drops in network traffic as a result?

http://www.scribd.com/doc/78786408/Mega-Indictment
http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

From derek at derekivey.com  Thu Jan 19 16:48:13 2012
From: derek at derekivey.com (Derek Ivey)
Date: Thu, 19 Jan 2012 17:48:13 -0500
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: <782A2443-71F9-4788-9268-35507B662605@derekivey.com>

Interesting... it looks like they seized the servers and didn't touch DNS.
-bash-3.00$ nslookup megaupload.com
Non-authoritative answer:
Name:    megaupload.com
Address: 174.140.154.22
Name:    megaupload.com
Address: 174.140.154.23
Name:    megaupload.com
Address: 174.140.154.24
Name:    megaupload.com
Address: 174.140.154.20
Name:    megaupload.com
Address: 174.140.154.21

DNS still points to Mega Upload's IPs.

On Jan 19, 2012, at 5:41 PM, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

From tom at ninjabadger.net  Thu Jan 19 16:47:38 2012
From: tom at ninjabadger.net (Tom Hill)
Date: Thu, 19 Jan 2012 22:47:38 +0000
Subject: Whois 172/12
In-Reply-To: 
References: <3bb23a18d74082eb94003592c718b9f4.squirrel@secure.xecu.net> <36A214A4-0627-4921-83B0-37766996844A@ianai.net>
Message-ID: <1327013258.4831.13.camel@teh-desktop>

On Sun, 2012-01-15 at 14:05 +0530, Suresh Ramasubramanian wrote:
> Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly
> unallocated.

And for almost all of it, there is Team Cymru:

>show ip route 172.0.0.0
Routing entry for 172.0.0.0/9, supernet
  Known via "bgp", distance 20, metric 0
  Tag 65332, type external
  Last update from 192.0.2.1 3w1d ago
  Routing Descriptor Blocks:
  * 192.0.2.1, from 38.229.66.20, 3w1d ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65332
      MPLS label: none

(192.0.2.1 is null routed statically)

http://www.team-cymru.org/Services/Bogons/

A very handy service!

Tom

From corbe at corbe.net  Thu Jan 19 16:53:16 2012
From: corbe at corbe.net (Daniel Corbe)
Date: Thu, 19 Jan 2012 14:53:16 -0800
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: <20120119225316.GA42620@apollo.corbe.net>

Anon has already retaliated

http://rt.com/usa/news/anonymous-doj-universal-sopa-235/

On Thu, Jan 19, 2012 at 04:41:02PM -0600, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
>

From surfer at mauigateway.com  Thu Jan 19 17:24:07 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 19 Jan 2012 15:24:07 -0800
Subject: Megaupload.com seized
Message-ID: <20120119152407.D49D4682@m0005297.ppops.net>

On Jan 19, 2012, at 5:41 PM, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

-----------------------------------------------------------------
------------ derek at derekivey.com wrote: --------------
From: Derek Ivey

Interesting... it looks like they seized the servers and didn't touch DNS.

-bash-3.00$ nslookup megaupload.com
Non-authoritative answer:
Name:    megaupload.com
Address: 174.140.154.22
Name:    megaupload.com
Address: 174.140.154.23
Name:    megaupload.com
Address: 174.140.154.24
Name:    megaupload.com
Address: 174.140.154.20
Name:    megaupload.com
Address: 174.140.154.21

DNS still points to Mega Upload's IPs.
---------------------------------------------------------------

Collecting client IP addresses to send notices to? >;-)

I notice other IPs in the range (for example, .223 and .123) say the same thing about UDP/53.

scott

ku# nmap -P0 -sU -p U:53 174.140.154.22
PORT   STATE         SERVICE
53/udp open|filtered domain

ku# nmap -P0 -sU -p U:53 174.140.154.21
PORT   STATE         SERVICE
53/udp open|filtered domain

ku# nmap -P0 -sU -p U:53 174.140.154.20
PORT   STATE         SERVICE
53/udp open|filtered domain

ku# nmap -P0 -sU -p U:53 174.140.154.223
PORT   STATE         SERVICE
53/udp open|filtered domain

ku# nmap -P0 -sU -p U:53 174.140.154.123
PORT   STATE         SERVICE
53/udp open|filtered domain

ku# nmap -P0 -A 174.140.154.20
All 1000 scanned ports on 174.140.154.20 are filtered
Too many fingerprints match this host to give specific OS details

From paul at paulgraydon.co.uk  Thu Jan 19 17:27:21 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Thu, 19 Jan 2012 13:27:21 -1000
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: <4F18A6D9.6040703@paulgraydon.co.uk>

On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are any interesting charts on an ISP side?

http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars

From james at smithwaysecurity.com  Thu Jan 19 17:44:12 2012
From: james at smithwaysecurity.com (james at smithwaysecurity.com)
Date: Thu, 19 Jan 2012 19:44:12 -0400
Subject: Re: Megaupload.com seized
Message-ID: 

You guys serious, when did the order come in to seize the domain?

Sent from my HTC

----- Reply message -----
From: "Ryan Gelobter"
To: "NANOG"
Subject: Megaupload.com seized
Date: Thu, Jan 19, 2012 6:41 pm

The megaupload.com domain was seized today, has anyone noticed significant drops in network traffic as a result?
http://www.scribd.com/doc/78786408/Mega-Indictment
http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

From sakamura at gmail.com  Thu Jan 19 17:52:39 2012
From: sakamura at gmail.com (Ishmael Rufus)
Date: Thu, 19 Jan 2012 17:52:39 -0600
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: 

It's your typical FBI raid operation. Arrest everyone and seize all electronics. Then ask questions, weeks later.

On Thu, Jan 19, 2012 at 5:44 PM, james at smithwaysecurity.com wrote:
> You guys serious, when did the order come in to seize the domain?
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Ryan Gelobter"
> To: "NANOG"
> Subject: Megaupload.com seized
> Date: Thu, Jan 19, 2012 6:41 pm
>
>
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

From james at smithwaysecurity.com  Thu Jan 19 17:53:42 2012
From: james at smithwaysecurity.com (james at smithwaysecurity.com)
Date: Thu, 19 Jan 2012 19:53:42 -0400
Subject: Re: Megaupload.com seized
Message-ID: 

Wow, what surprised the servers were, all located offshore.

Sent from my HTC

----- Reply message -----
From: "Paul Graydon"
To: 
Subject: Megaupload.com seized
Date: Thu, Jan 19, 2012 7:27 pm

On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are any interesting charts on an ISP side?

http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars

From sakamura at gmail.com  Thu Jan 19 17:56:28 2012
From: sakamura at gmail.com (Ishmael Rufus)
Date: Thu, 19 Jan 2012 17:56:28 -0600
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: 

That doesn't stop the power of our US government.

On Thu, Jan 19, 2012 at 5:53 PM, james at smithwaysecurity.com wrote:
> Wow, what surprised the servers were, all located offshore.
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Paul Graydon"
> To:
> Subject: Megaupload.com seized
> Date: Thu, Jan 19, 2012 7:27 pm
>
>
> On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
>> The megaupload.com domain was seized today, has anyone noticed significant
>> drops in network traffic as a result?
>>
>> http://www.scribd.com/doc/78786408/Mega-Indictment
>> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
> Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are any interesting charts on an ISP side?
>
> http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars
>

From bonomi at mail.r-bonomi.com  Thu Jan 19 18:00:35 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Thu, 19 Jan 2012 18:00:35 -0600 (CST)
Subject: Megaupload.com seized
In-Reply-To: <4F18A6D9.6040703@paulgraydon.co.uk>
Message-ID: <201201200000.q0K00ZX1032577@mail.r-bonomi.com>

Paul Graydon wrote
>
> http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars
> Ars Technica are implying it was quite a source of bandwidth usage
> within companies. I'm curious, are any interesting charts on an ISP side?

As a matter of technical accuracy, The Ars Technica article reports that monitored corporate networks had more traffic to/from megaupload.com than to/from several other 'cyberlocker' operations, including ones that were more focused on the 'corporate' market.

'quite a source of bandwidth usage' is a bit of an overstatement, as the traffic to/from Megaupload was somewhat over 20 terabytes, out of a total of 10,900+ terabytes of monitored traffic. Or about 0.189% of corporate usage on the monitored networks.

From james at smithwaysecurity.com  Thu Jan 19 17:58:23 2012
From: james at smithwaysecurity.com (james at smithwaysecurity.com)
Date: Thu, 19 Jan 2012 19:58:23 -0400
Subject: Re: Megaupload.com seized
Message-ID: 

Yes that's right, just would have slowed down the process.

Sent from my HTC

----- Reply message -----
From: "Ishmael Rufus"
To: "james at smithwaysecurity.com"
Cc: , 
Subject: Megaupload.com seized
Date: Thu, Jan 19, 2012 7:56 pm

That doesn't stop the power of our US government.

On Thu, Jan 19, 2012 at 5:53 PM, james at smithwaysecurity.com wrote:
> Wow, what surprised the servers were, all located offshore.
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Paul Graydon"
> To:
> Subject: Megaupload.com seized
> Date: Thu, Jan 19, 2012 7:27 pm
>
>
> On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
>> The megaupload.com domain was seized today, has anyone noticed significant
>> drops in network traffic as a result?
>>
>> http://www.scribd.com/doc/78786408/Mega-Indictment
>> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
> Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are any interesting charts on an ISP side?
>
> http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars
>

From paul at paulstewart.org  Thu Jan 19 18:07:03 2012
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 19 Jan 2012 19:07:03 -0500
Subject: Megaupload.com seized
In-Reply-To: <4F18A6D9.6040703@paulgraydon.co.uk>
References: <4F18A6D9.6040703@paulgraydon.co.uk>
Message-ID: <01e901ccd707$7193db40$54bb91c0$@paulstewart.org>

For us (AS11666), about 3-4% of total traffic typically....

Paul

-----Original Message-----
From: Paul Graydon [mailto:paul at paulgraydon.co.uk]
Sent: Thursday, January 19, 2012 6:27 PM
To: nanog at nanog.org
Subject: Re: Megaupload.com seized

On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
> The megaupload.com domain was seized today, has anyone noticed
> significant drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
Ars Technica are implying it was quite a source of bandwidth usage within companies. I'm curious, are any interesting charts on an ISP side?

http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars

From ryan.g at atwgpc.net  Thu Jan 19 18:19:43 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Thu, 19 Jan 2012 18:19:43 -0600
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: 

Most of their servers were located in the US. According to the indictment Megaupload leases about 25 petabytes of data storage from Carpathia to store content. They have over 1,000 servers and more than 525 of them are located in Virginia with Carpathia. They were paying Cogent around $1 million a month for bandwidth or hosting services.

The U.S. District Court in Alexandria, Va., ordered the seizure of 18 domain names associated with the alleged Mega conspiracy.
http://bit.ly/wx9DBE (google cache of justice.gov)

Megastuff.com, Megaworld.com, Megaclicks.com, Megastuff.info, Megaclicks.org, Megaworld.mobi, Megastuff.org, Megaclick.us, Mageclick.com, HDmegaporn.com, Megavkdeo.com, Megaupload.com, Megaupload.org, Megarotic.com

On Thu, Jan 19, 2012 at 5:53 PM, james at smithwaysecurity.com <james at smithwaysecurity.com> wrote:
> Wow, what surprised the servers were, all located offshore.
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Paul Graydon"
> To:
> Subject: Megaupload.com seized
> Date: Thu, Jan 19, 2012 7:27 pm
>
>
> On 01/19/2012 12:41 PM, Ryan Gelobter wrote:
> > The megaupload.com domain was seized today, has anyone noticed
> > significant drops in network traffic as a result?
> >
> > http://www.scribd.com/doc/78786408/Mega-Indictment
> > http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/
> Ars Technica are implying it was quite a source of bandwidth usage within
> companies. I'm curious, are any interesting charts on an ISP side?
>
> http://arstechnica.com/business/news/2012/01/before-shutdown-megaupload-ate-up-more-corporate-bandwidth-than-dropbox.ars
>

From tvhawaii at shaka.com  Thu Jan 19 18:27:49 2012
From: tvhawaii at shaka.com (Michael Painter)
Date: Thu, 19 Jan 2012 14:27:49 -1000
Subject: Megaupload.com seized
References: 
Message-ID: 

james at smithwaysecurity.com wrote:
> Wow, what surprised the servers were, all located offshore.
>
> Sent from my HTC

Huh?

"65. It was further part of the Conspiracy that the content available on Megaupload.com and Megavideo.com was provided by known and unknown members of the Mega Conspiracy, including several of the defendants, who uploaded infringing copies of copyrighted works onto computer servers leased by the Mega Conspiracy in North America to further the reproduction and distribution of copyrighted works; in particular, copyright infringing content was hosted by the Conspiracy on various servers in Toronto, Canada; Los Angeles, California; and Ashburn, Virginia (the last of which is in the Eastern District of Virginia)."

From tknchris at gmail.com  Thu Jan 19 18:28:02 2012
From: tknchris at gmail.com (chris)
Date: Thu, 19 Jan 2012 19:28:02 -0500
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: 

thats the same reaction i had

On Thu, Jan 19, 2012 at 7:27 PM, Michael Painter wrote:
> james at smithwaysecurity.com wrote:
>
>> Wow, what surprised the servers were, all located offshore.
>>
>> Sent from my HTC
>>
>
> Huh?
>
> "65. It was further part of the Conspiracy that the content available
> on Megaupload.com and Megavideo.com was provided by known and unknown
> members of the Mega Conspiracy, including several of the defendants, who
> uploaded infringing copies of copyrighted works onto computer servers
> leased by the Mega Conspiracy in North America to further the reproduction
> and distribution of copyrighted works; in particular, copyright
> infringing content was hosted by the Conspiracy on various servers in
> Toronto, Canada; Los Angeles, California; and Ashburn, Virginia (the last of
> which is in the Eastern District of Virginia)."
>

From smb at cs.columbia.edu  Thu Jan 19 20:09:31 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 19 Jan 2012 21:09:31 -0500
Subject: Megaupload.com seized
In-Reply-To: 
References: 
Message-ID: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu>

On Jan 19, 2012, at 6:44 PM, james at smithwaysecurity.com wrote:

> You guys serious, when did the order come in to seize the domain?

http://arstechnica.com/tech-policy/news/2012/01/why-the-feds-smashed-megaupload.ars has a good analysis; also see http://online.wsj.com/article_email/SB10001424052970204616504577171060611948408-lMyQjAxMTAyMDEwOTExNDkyWj.html (which seems to be outside their paywall).

What differentiates this from many of the earlier domain name seizures is that this is based on a grand jury indictment, not just an administrative decision by Immigration and Customs Enforcement. It may be heavy-handed or questionable, per the Ars Technica analysis, but as a matter of process it's about as good as you'll get.

>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Ryan Gelobter"
> To: "NANOG"
> Subject: Megaupload.com seized
> Date: Thu, Jan 19, 2012 6:41 pm
>
>
> The megaupload.com domain was seized today, has anyone noticed significant
> drops in network traffic as a result?
>
> http://www.scribd.com/doc/78786408/Mega-Indictment
> http://techland.time.com/2012/01/19/feds-shut-down-megaupload-com-file-sharing-website/

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From Sandra.Murphy at sparta.com  Thu Jan 19 20:17:59 2012
From: Sandra.Murphy at sparta.com (Murphy, Sandra)
Date: Fri, 20 Jan 2012 02:17:59 +0000
Subject: interim SIDR meeting at NANOG 54
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6075206@Hermes.columbia.ads.sparta.com>

The IETF SIDR wg plans an interim meeting, to be held in San Diego the Thu after the end of NANOG 54 (Thu Feb 9).
The intent is to get operator input into two topics that have been energetically discussed on the sidr mailing list: replay-freshness protection and route leaks. The discussion of both topics has concentrated on operational impacts, so the opinions of operators would be useful. The announcement can be seen at: http://www.ietf.org/mail-archive/web/sidr/current/msg03881.html. I am working on logistic details with the NANOG hotel or others nearby. When details are final, I will post them to both this list as well as the IETF SIDR mailing list. --Sandy From ops.lists at gmail.com Thu Jan 19 21:07:07 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 20 Jan 2012 08:37:07 +0530 Subject: Megaupload.com seized In-Reply-To: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> Message-ID: I would agree. They've dotted every i and crossed every t here. This will inevitably be followed by a prosecution of some sort and/or there's also scope for Megaupload to sue the USG for restitution. It'll be interesting to see how this pans out - especially wrt any safe harbor provisions in the DMCA for providers (which do have a provision for due diligence being exercised etc). Probable cause for seizure should have been easy to establish - no shortage of warez, cp etc on these free upload sites. On Fri, Jan 20, 2012 at 7:39 AM, Steven Bellovin wrote: > What differentiates this from many of the earlier domain name seizures is that > this is based on a grand jury indictment, not just an administrative decision > by Immigration and Customs Enforcement. ?It may be heavy-handed or questionable, > per the Ars Technica analysis, but as a matter of process it's about as good > as you'll get. 
-- Suresh Ramasubramanian (ops.lists at gmail.com) From smb at cs.columbia.edu Thu Jan 19 21:19:34 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Thu, 19 Jan 2012 22:19:34 -0500 Subject: Megaupload.com seized In-Reply-To: References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> Message-ID: <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> On Jan 19, 2012, at 10:07 PM, Suresh Ramasubramanian wrote: > I would agree. They've dotted every i and crossed every t here. > > This will inevitably be followed by a prosecution of some sort and/or > there's also scope for Megaupload to sue the USG for restitution. > > It'll be interesting to see how this pans out - especially wrt any > safe harbor provisions in the DMCA for providers (which do have a > provision for due diligence being exercised etc). Note this from the NY Times article: The Megaupload case is unusual, said Orin S. Kerr, a law professor at George Washington University, in that federal prosecutors obtained the private e-mails of Megaupload?s operators in an effort to show they were operating in bad faith. "The government hopes to use their private words against them," Mr. Kerr said. "This should scare the owners and operators of similar sites." And see 17 USC 512(c)(1)(A) (http://www.law.cornell.edu/uscode/17/512.html) for why that's significant. --Steve Bellovin, https://www.cs.columbia.edu/~smb From tvhawaii at shaka.com Thu Jan 19 21:34:33 2012 From: tvhawaii at shaka.com (Michael Painter) Date: Thu, 19 Jan 2012 17:34:33 -1000 Subject: Megaupload.com seized References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> Message-ID: Suresh Ramasubramanian wrote: > It'll be interesting to see how this pans out - especially wrt any > safe harbor provisions in the DMCA for providers (which do have a > provision for due diligence being exercised etc). 
I quickly read through the indictment, but the gov't claims that when given a takedown notice, MU would only remove the *link* and not the file itself. They specifically mention some movies that were still on the site years after the notice, thus negating MU's eligibility for safe harbor.

As you say, interesting for sure with the dotted i's and crossed t's.

From ops.lists at gmail.com Thu Jan 19 21:48:26 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 20 Jan 2012 09:18:26 +0530
Subject: Megaupload.com seized
In-Reply-To: <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu>
Message-ID:

Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type emails, or joeschmoe at hotmail.com type emails?

If megaupload's corporate email was seized to provide due diligence in such a prosecution - it would quite probably not constitute private mail

On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin wrote:
>
>
>        The Megaupload case is unusual, said Orin S. Kerr, a law professor
>        at George Washington University, in that federal prosecutors obtained
>        the private e-mails of Megaupload's operators in an effort to show they
>        were operating in bad faith.
>
>        "The government hopes to use their private words against them," Mr. Kerr
>        said. "This should scare the owners and operators of similar sites."

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From keegan.holley at sungard.com Thu Jan 19 21:50:56 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Thu, 19 Jan 2012 19:50:56 -0800
Subject: Polling Bandwidth as an Aggregate
Message-ID:

Has anyone had to aggregate bandwidth data from multiple interfaces for billing?
For example I'd like to poll with an open source tool and aggregate data from multiple interfaces connected to the same customer or multiple customers for the purpose of billing and capacity management. Is there an easy way to do this with cacti/rrd or another open source kit?

Keegan Holley
Network Architect
SunGard Availability Services
401 North Broad St. Philadelphia, PA 19108
(215) 446-1242
keegan.holley at sungard.com

Keeping People and Information Connected
http://www.availability.sungard.com/
Think before you print

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system.

From smb at cs.columbia.edu Thu Jan 19 22:07:50 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Thu, 19 Jan 2012 23:07:50 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu>
Message-ID: <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>

I don't mean either -- I've only skimmed the indictment. But from the news stories, it would *appear* that they got a search or wiretap warrant to get at employees' email. I don't see how that would make it "not private". (Btw -- "due diligence" is a civil suit concept; this is a criminal case.) The prosecution is trying to claim that the targets had actual knowledge of what was going on.

I do know Orin Kerr, however. He's a former federal prosecutor and he's *very* sharp, and I've never known him to be wrong on straight-forward legal issues like this. He himself may not have all the facts himself. But here are two sample paragraphs from the indictment:

        On or about August 31, 2006, VAN DER KOLK sent an e-mail to an associate entitled lol.
        Attached to the message was a screenshot of a Megaupload.com file download page for the file Alcohol 120 1.9.5 3105complete.rar with a description of Alcohol 120, con crack!!!! By ChaOtiX!. The copyrighted software Alcohol 120 is a CD/DVD burning software program sold by www.alcohol-soft.com.

and

        On or about June 24, 2010, members of the Mega Conspiracy were informed, pursuant to a criminal search warrant from the U.S. District Court for the Eastern District of Virginia, that thirty-nine infringing copies of copyrighted motion pictures were believed to be present on their leased servers at Carpathia Hosting in Ashburn, Virginia. On or about June 29, 2010, after receiving a copy of the criminal search warrant, ORTMANN sent an e-mail entitled Re: Search Warrant Urgent to DOTCOM and three representatives of Carpathia Hosting in the Eastern District of Virginia. In the e-mail, ORTMANN stated, The user/payment credentials supplied in the warrant identify seven Mega user accounts, and further that The 39 supplied MD5 hashes identify mostly very popular files that have been uploaded by over 2000 different users so far[.] The Mega Conspiracy has continued to store copies of at least thirty-six of the thirty-nine motion pictures on its servers after the Mega Conspiracy was informed of the infringing content.

(I got the indictment from http://static2.stuff.co.nz/files/MegaUpload.pdf -- while I'd prefer to use a DoJ site cite, for some reason their web server is very slow right now...)

On Jan 19, 2012, at 10:48 PM, Suresh Ramasubramanian wrote:
> Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type
> emails, or joeschmoe at hotmail.com type emails?
>
> If megaupload's corporate email was seized to provide due diligence in
> such a prosecution - it would quite probably not constitute private
> mail
>
> On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin wrote:
>>
>>
>>        The Megaupload case is unusual, said Orin S.
>>        Kerr, a law professor
>>        at George Washington University, in that federal prosecutors obtained
>>        the private e-mails of Megaupload's operators in an effort to show they
>>        were operating in bad faith.
>>
>>        "The government hopes to use their private words against them," Mr. Kerr
>>        said. "This should scare the owners and operators of similar sites."
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From skeeve at eintellego.net Thu Jan 19 22:19:14 2012
From: skeeve at eintellego.net (Skeeve Stevens)
Date: Fri, 20 Jan 2012 15:19:14 +1100
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <4F188E86.9080509@post.tau.ac.il>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <4F188E86.9080509@post.tau.ac.il>
Message-ID:

The ASR1000 series are like most Ciscos, they can be used for a lot of things. They are a swiss-army knife of routers and basically are the upgrade from the Cisco 7200 series.

If you want low level LNS functionality, then the Cisco is the way to go as the Juniper MX80 does not have LNS functionality (and looks like it never will).

But if you are looking for a beast of a border router for BGP and so on, then the MX80 (MX5/10/40/80) kick ass with their throughput. MX80 series are also supposed to be supporting Virtual Chassis at some point (was supposed to be now, but I hear it is delayed).

We're deploying a variety of MX5, MX10's for different projects at the moment.

The other thing is that the MX80 platform comes in very cheap options like the MX5 - with 20Gb of TP and 20Gig interfaces at under 25k, that is awesome. The MX5/10/40 are the exact same hardware and you can just upgrade with a license. The base MX5 has 4 * 10GbE interfaces which aren't usable until you go to MX40 (2 of them) or MX80 (all 4). But in an MX10, with the second slot active, you can put in a 2 port 10GbE card which works just fine.
...Skeeve

On Fri, Jan 20, 2012 at 8:43 AM, Ariel Biener wrote:
> On 01/19/2012 11:40 PM, Leigh Porter wrote:
>
>> -----Original Message-----
>>> From: jon Heise [mailto:jon at smugmug.com]
>>> Sent: 19 January 2012 21:37
>>> To: nanog at nanog.org
>>> Subject: juniper mx80 vs cisco asr 1000
>>>
>>> Does anyone have any experience with these two routers, we're looking
>>> to buy one of them but i have little experience dealing with cisco
>>> routers and zero experience with juniper.
>>>
>> I have lots of MX80s and they have all been fantastic. But if you have no
>> experience of Juniper it will be a different learning curve (one that is,
>> IMO, worth the effort).
>>
>> I have not used the asr1000 but it looks like a capable box. You would do
>> well to look at the MX80 fixed chassis, it comes with 48 1G interfaces and
>> 4 10G interfaces. They are pretty good value, I think.
>>
>
> It well depends on your requirements (not talking about throughput).
> The ASR1000 series is a "services" box. It does more in terms of
> services (using license enablers) than the MX80 does, and it costs
> more.
>
> So, it very much depends on what you want to do with the boxes.
>
>
> --Ariel
>
>>
>> --
>> Leigh Porter
>>
>>
>>
>> ____________________________________________________________
>> __________
>> This email has been scanned by the Symantec Email Security.cloud service.
>> For more information please visit http://www.symanteccloud.com
>> ____________________________________________________________
>> __________
>>
>>
>
> --
> --
> Ariel Biener
> e-mail: ariel at post.tau.ac.il
> PGP: http://www.tau.ac.il/~ariel/pgp.html
>
>
>

--
*Skeeve Stevens, CEO*
eintellego Pty Ltd
skeeve at eintellego.net.au ; www.eintellego.net
Phone: 1300 753 383 ; Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellego
twitter.com/networkceoau ; www.linkedin.com/in/skeeve
PO Box 7726, Baulkham Hills, NSW 1755 Australia
The Experts Who The Experts Call
Juniper - Cisco - Brocade - IBM

From james at smithwaysecurity.com Thu Jan 19 22:20:24 2012
From: james at smithwaysecurity.com (James Smith)
Date: Fri, 20 Jan 2012 00:20:24 -0400
Subject: Megaupload.com seized
In-Reply-To: <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
Message-ID:

Interesting, going to do some more digging.

-----Original Message-----
From: Steven Bellovin
Sent: Friday, January 20, 2012 12:07 AM
To: Suresh Ramasubramanian
Cc: james at smithwaysecurity.com ; NANOG
Subject: Re: Megaupload.com seized

I don't mean either -- I've only skimmed the indictment. But from the news stories, it would *appear* that they got a search or wiretap warrant to get at employees' email. I don't see how that would make it "not private". (Btw -- "due diligence" is a civil suit concept; this is a criminal case.) The prosecution is trying to claim that the targets had actual knowledge of what was going on.

I do know Orin Kerr, however. He's a former federal prosecutor and he's *very* sharp, and I've never known him to be wrong on straight-forward legal issues like this. He himself may not have all the facts himself.
But here are two sample paragraphs from the indictment:

        On or about August 31, 2006, VAN DER KOLK sent an e-mail to an associate entitled lol. Attached to the message was a screenshot of a Megaupload.com file download page for the file Alcohol 120 1.9.5 3105complete.rar with a description of Alcohol 120, con crack!!!! By ChaOtiX!. The copyrighted software Alcohol 120 is a CD/DVD burning software program sold by www.alcohol-soft.com.

and

        On or about June 24, 2010, members of the Mega Conspiracy were informed, pursuant to a criminal search warrant from the U.S. District Court for the Eastern District of Virginia, that thirty-nine infringing copies of copyrighted motion pictures were believed to be present on their leased servers at Carpathia Hosting in Ashburn, Virginia. On or about June 29, 2010, after receiving a copy of the criminal search warrant, ORTMANN sent an e-mail entitled Re: Search Warrant Urgent to DOTCOM and three representatives of Carpathia Hosting in the Eastern District of Virginia. In the e-mail, ORTMANN stated, The user/payment credentials supplied in the warrant identify seven Mega user accounts, and further that The 39 supplied MD5 hashes identify mostly very popular files that have been uploaded by over 2000 different users so far[.] The Mega Conspiracy has continued to store copies of at least thirty-six of the thirty-nine motion pictures on its servers after the Mega Conspiracy was informed of the infringing content.

(I got the indictment from http://static2.stuff.co.nz/files/MegaUpload.pdf -- while I'd prefer to use a DoJ site cite, for some reason their web server is very slow right now...)

On Jan 19, 2012, at 10:48 PM, Suresh Ramasubramanian wrote:
> Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type
> emails, or joeschmoe at hotmail.com type emails?
>
> If megaupload's corporate email was seized to provide due diligence in
> such a prosecution - it would quite probably not constitute private
> mail
>
> On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin
> wrote:
>>
>>
>>        The Megaupload case is unusual, said Orin S. Kerr, a law professor
>>        at George Washington University, in that federal prosecutors
>> obtained
>>        the private e-mails of Megaupload's operators in an effort to show
>> they
>>        were operating in bad faith.
>>
>>        "The government hopes to use their private words against them,"
>> Mr. Kerr
>>        said. "This should scare the owners and operators of similar
>> sites."
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From packetjockey at gmail.com Thu Jan 19 22:26:07 2012
From: packetjockey at gmail.com (Rafael Rodriguez)
Date: Thu, 19 Jan 2012 23:26:07 -0500
Subject: Automate Peering Maintenance
In-Reply-To:
References:
Message-ID:

Hi Mauricio, thanks for the reply.

I believe there are quite a few folks who automate their peering upkeep with the help of the data contained within the IRRs. With the IRRs providing a mechanism for validating routing information and RPSL providing a common language for describing routing policy - automating the creation of prefix and AS-Path filters for peering sessions becomes attractive. Check out http://www.irr.net/docs/faq.html for additional reasons for using IRR data to generate routing policy.

IRRToolSet is a tool that can create router configurations based on IRR data. The portion I'm trying to figure out is the 'pushing' of these configurations. From what I gather, it seems that this is usually something that's homegrown. Anyone willing to share their homegrown tools? :)

Cheers,
RR

On Sat, Jan 7, 2012 at 6:20 PM, Rodriguez, Mauricio wrote:
> Rafael,
>
> Hello! Nice to see you post on the list...
>
> This sounds like a nice idea. Do you know of anyone that's currently
> running such an automated system?
> If you end up finding something, or
> rolling it yourself, I would suggest being careful with his approach.
> You're assuming that your peers are actually keeping the IRR records up to
> date or that the information contained therein is appropriate for
> non-transit peering sessions. If you have the right leverage, perhaps you
> can make that a condition for peering. If you're manually keeping
> prefix-list filters for each of your peers now, consider the return on that
> level of detailed configuration. Is the risk mitigated really worth the
> overhead?
>
> I would recommend that you keep your peer filters as simple as possible.
> Inbound, certainly filter bogons, martians, your own prefixes, and any
> prefixes received from other peers. Try using communities vs. individual
> prefix entries as much as possible. Perhaps enforce the peer ASN with an
> AS Path filter on the leading ASN on each prefix received. If you're
> concerned about FIB size explosion, decide on a bit boundary for prefixes
> to be accepted and filter on that. Certainly agree on a prefix-limit with
> your peer and configure that on the peering session. You may have to be
> diligent on monitoring sessions that drop due to prefix-limit violations
> (SNMP Traps, syslog) and follow up to correct those as needed, since most
> peers won't keep you informed on changes in their quantity of advertised
> prefixes. Juniper routers can be configured to send warnings on certain
> thresholds so you can catch normal growth vs. a fat-fingered configuration
> by a peer. You can then take care of those proactively before sessions
> start dropping.
>
> Outbound, don't let anything out other than your own prefixes or those
> advertised to you by your customers. Otherwise, you may be providing free
> transit to your upstreams and other peers.
>
> Just my $0.02, others will likely disagree and recommend that you keep
> your prefix filters in place.
> I digress if there's some BCP out there that
> I don't know about that indicates that prefix filters be used in this case.
>
> Regards,
> Mauricio Rodriguez
> Owner / Principal Engineer
> Fletnet Network Engineering
>
> Mauricio.Rodriguez at fletnet.com
> http://www.fletnet.com
>
> ***** Email confidentiality notice *****
>
> This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
>
>

From james at smithwaysecurity.com Thu Jan 19 22:28:38 2012
From: james at smithwaysecurity.com (James Smith)
Date: Fri, 20 Jan 2012 00:28:38 -0400
Subject: Megaupload.com seized
In-Reply-To: <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
Message-ID:

Well they did take down megaupload.com and the sister website mega video. But now with one of the world's biggest websites down, others will step up to take over Megaupload's place. Well maybe depending on trial etc.

-----Original Message-----
From: Steven Bellovin
Sent: Friday, January 20, 2012 12:07 AM
To: Suresh Ramasubramanian
Cc: james at smithwaysecurity.com ; NANOG
Subject: Re: Megaupload.com seized

I don't mean either -- I've only skimmed the indictment. But from the news stories, it would *appear* that they got a search or wiretap warrant to get at employees' email. I don't see how that would make it "not private". (Btw -- "due diligence" is a civil suit concept; this is a criminal case.) The prosecution is trying to claim that the targets had actual knowledge of what was going on.

I do know Orin Kerr, however. He's a former federal prosecutor and he's *very* sharp, and I've never known him to be wrong on straight-forward legal issues like this. He himself may not have all the facts himself.
But here are two sample paragraphs from the indictment:

        On or about August 31, 2006, VAN DER KOLK sent an e-mail to an associate entitled lol. Attached to the message was a screenshot of a Megaupload.com file download page for the file Alcohol 120 1.9.5 3105complete.rar with a description of Alcohol 120, con crack!!!! By ChaOtiX!. The copyrighted software Alcohol 120 is a CD/DVD burning software program sold by www.alcohol-soft.com.

and

        On or about June 24, 2010, members of the Mega Conspiracy were informed, pursuant to a criminal search warrant from the U.S. District Court for the Eastern District of Virginia, that thirty-nine infringing copies of copyrighted motion pictures were believed to be present on their leased servers at Carpathia Hosting in Ashburn, Virginia. On or about June 29, 2010, after receiving a copy of the criminal search warrant, ORTMANN sent an e-mail entitled Re: Search Warrant Urgent to DOTCOM and three representatives of Carpathia Hosting in the Eastern District of Virginia. In the e-mail, ORTMANN stated, The user/payment credentials supplied in the warrant identify seven Mega user accounts, and further that The 39 supplied MD5 hashes identify mostly very popular files that have been uploaded by over 2000 different users so far[.] The Mega Conspiracy has continued to store copies of at least thirty-six of the thirty-nine motion pictures on its servers after the Mega Conspiracy was informed of the infringing content.

(I got the indictment from http://static2.stuff.co.nz/files/MegaUpload.pdf -- while I'd prefer to use a DoJ site cite, for some reason their web server is very slow right now...)

On Jan 19, 2012, at 10:48 PM, Suresh Ramasubramanian wrote:
> Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type
> emails, or joeschmoe at hotmail.com type emails?
>
> If megaupload's corporate email was seized to provide due diligence in
> such a prosecution - it would quite probably not constitute private
> mail
>
> On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin
> wrote:
>>
>>
>>        The Megaupload case is unusual, said Orin S. Kerr, a law professor
>>        at George Washington University, in that federal prosecutors
>> obtained
>>        the private e-mails of Megaupload's operators in an effort to show
>> they
>>        were operating in bad faith.
>>
>>        "The government hopes to use their private words against them,"
>> Mr. Kerr
>>        said. "This should scare the owners and operators of similar
>> sites."
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From james at smithwaysecurity.com Thu Jan 19 22:30:15 2012
From: james at smithwaysecurity.com (James Smith)
Date: Fri, 20 Jan 2012 00:30:15 -0400
Subject: Megaupload.com seized
In-Reply-To: <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu>
Message-ID: <4A41FC6DBA124A25B6BBA6D8F2877AAD@smithwaIntell>

I can only imagine the bloodbath this will cause!!

-----Original Message-----
From: Steven Bellovin
Sent: Friday, January 20, 2012 12:07 AM
To: Suresh Ramasubramanian
Cc: james at smithwaysecurity.com ; NANOG
Subject: Re: Megaupload.com seized

I don't mean either -- I've only skimmed the indictment. But from the news stories, it would *appear* that they got a search or wiretap warrant to get at employees' email. I don't see how that would make it "not private". (Btw -- "due diligence" is a civil suit concept; this is a criminal case.) The prosecution is trying to claim that the targets had actual knowledge of what was going on.

I do know Orin Kerr, however.
He's a former federal prosecutor and he's *very* sharp, and I've never known him to be wrong on straight-forward legal issues like this. He himself may not have all the facts himself. But here are two sample paragraphs from the indictment:

        On or about August 31, 2006, VAN DER KOLK sent an e-mail to an associate entitled lol. Attached to the message was a screenshot of a Megaupload.com file download page for the file Alcohol 120 1.9.5 3105complete.rar with a description of Alcohol 120, con crack!!!! By ChaOtiX!. The copyrighted software Alcohol 120 is a CD/DVD burning software program sold by www.alcohol-soft.com.

and

        On or about June 24, 2010, members of the Mega Conspiracy were informed, pursuant to a criminal search warrant from the U.S. District Court for the Eastern District of Virginia, that thirty-nine infringing copies of copyrighted motion pictures were believed to be present on their leased servers at Carpathia Hosting in Ashburn, Virginia. On or about June 29, 2010, after receiving a copy of the criminal search warrant, ORTMANN sent an e-mail entitled Re: Search Warrant Urgent to DOTCOM and three representatives of Carpathia Hosting in the Eastern District of Virginia. In the e-mail, ORTMANN stated, The user/payment credentials supplied in the warrant identify seven Mega user accounts, and further that The 39 supplied MD5 hashes identify mostly very popular files that have been uploaded by over 2000 different users so far[.] The Mega Conspiracy has continued to store copies of at least thirty-six of the thirty-nine motion pictures on its servers after the Mega Conspiracy was informed of the infringing content.

(I got the indictment from http://static2.stuff.co.nz/files/MegaUpload.pdf -- while I'd prefer to use a DoJ site cite, for some reason their web server is very slow right now...)
On Jan 19, 2012, at 10:48 PM, Suresh Ramasubramanian wrote:
> Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type
> emails, or joeschmoe at hotmail.com type emails?
>
> If megaupload's corporate email was seized to provide due diligence in
> such a prosecution - it would quite probably not constitute private
> mail
>
> On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin
> wrote:
>>
>>
>>        The Megaupload case is unusual, said Orin S. Kerr, a law professor
>>        at George Washington University, in that federal prosecutors
>> obtained
>>        the private e-mails of Megaupload's operators in an effort to show
>> they
>>        were operating in bad faith.
>>
>>        "The government hopes to use their private words against them,"
>> Mr. Kerr
>>        said. "This should scare the owners and operators of similar
>> sites."
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From dwcarder at wisc.edu Thu Jan 19 22:48:52 2012
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Thu, 19 Jan 2012 22:48:52 -0600
Subject: Polling Bandwidth as an Aggregate
In-Reply-To:
References:
Message-ID: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu>

Hi Keegan,

On Jan 19, 2012, at 9:50 PM, Keegan Holley wrote:
> Has anyone had to aggregate bandwidth data from multiple interfaces
> for billing. For example I'd like to poll with an open source tool
> and aggregate data from multiple interfaces connected to the same
> customer or multiple customers for the purpose of billing and capacity
> management. Is there an easy way to do this with cacti/rrd or another
> open source kit?

With the rrdtool backend, you can certainly define and add multiple sources from different files together. Using 'AREA' first and subsequently 'STACK' to view multiple data sources is particularly nice for visualization.

Otherwise, the RRDs and Statistics::Descriptive libraries in Perl can probably go a long way towards what you might be wanting for reporting.
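[Editor's note: the following is an added example illustrating the per-customer aggregation Keegan Holley asks about and Dale Carder answers; it is not part of either message and is not cacti, rrdtool or the Perl libraries named above. It works directly on raw Counter64 samples rather than on an RRD, so the billing figure is derived from the exact polled values instead of the archive's consolidated averages. Interface names, the interface-to-customer mapping, timestamps and counter values are all constructed; the `percentile_95` definition is the common burstable-billing convention, not something either poster specified.]

```python
"""Aggregate per-interface octet counters into a per-customer billing figure.

Constructed example: the samples mimic what an SNMP poller would read from
ifHCInOctets + ifHCOutOctets every 300 s. Nothing here is real customer data.
"""
import math
from collections import defaultdict

COUNTER_MAX = 2 ** 64   # ifHCInOctets / ifHCOutOctets are Counter64 objects
STEP = 300              # polling interval in seconds

# Hypothetical interface-to-customer mapping (constructed for this example).
CUSTOMER_IFACES = {
    "acme":   ["xe-0/0/1", "xe-0/0/2"],
    "globex": ["ge-1/0/5"],
}

# Constructed samples: (interface, unix timestamp, in+out octet counter).
# xe-0/0/2 starts near the top of the 64-bit range so its second reading
# wraps, and it is polled 2 s after the other interfaces, as a poller
# walking a large device will do; the bucketing below absorbs that skew.
SAMPLES = [
    ("xe-0/0/1", 0, 0), ("xe-0/0/1", 300, 37_500_000),
    ("xe-0/0/1", 600, 75_000_000), ("xe-0/0/1", 900, 150_000_000),
    ("xe-0/0/1", 1200, 187_500_000),
    ("xe-0/0/2", 2, COUNTER_MAX - 10_000_000), ("xe-0/0/2", 302, 27_500_000),
    ("xe-0/0/2", 602, 65_000_000), ("xe-0/0/2", 902, 102_500_000),
    ("xe-0/0/2", 1202, 140_000_000),
    ("ge-1/0/5", 0, 0), ("ge-1/0/5", 300, 18_750_000),
    ("ge-1/0/5", 600, 37_500_000), ("ge-1/0/5", 900, 56_250_000),
    ("ge-1/0/5", 1200, 75_000_000),
]


def counter_delta(prev, cur, maximum=COUNTER_MAX):
    """Octets transferred between two counter readings, allowing one wrap."""
    if cur >= prev:
        return cur - prev
    return cur + (maximum - prev)


def interface_rates(samples):
    """Per-interface list of (timestamp, bits per second) from raw counters."""
    by_iface = defaultdict(list)
    for iface, ts, value in samples:
        by_iface[iface].append((ts, value))
    rates = {}
    for iface, series in by_iface.items():
        series.sort()
        points = []
        for (t0, c0), (t1, c1) in zip(series, series[1:]):
            if t1 <= t0:
                continue  # duplicate or out-of-order poll: no rate can be derived
            # Rate uses the real elapsed time between the two polls, not STEP.
            points.append((t1, counter_delta(c0, c1) * 8 / (t1 - t0)))
        rates[iface] = points
    return rates


def customer_rates(iface_rates, mapping, step=STEP):
    """Sum a customer's interfaces per polling bucket -> {customer: {bucket: bps}}."""
    out = {}
    for customer, ifaces in mapping.items():
        buckets = defaultdict(float)
        for iface in ifaces:
            for ts, bps in iface_rates.get(iface, []):
                buckets[(ts // step) * step] += bps   # align skewed polls
        out[customer] = dict(buckets)
    return out


def percentile_95(values):
    """Burstable-billing figure: the sample below which 95% of samples fall."""
    if not values:
        return 0.0
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def billing_report(samples=SAMPLES, mapping=CUSTOMER_IFACES):
    """{customer: (95th-percentile bps, number of aggregated samples)}."""
    per_customer = customer_rates(interface_rates(samples), mapping)
    return {c: (percentile_95(list(b.values())), len(b))
            for c, b in per_customer.items()}


if __name__ == "__main__":
    for customer, (p95, n) in billing_report().items():
        print(f"{customer}: 95th percentile {p95 / 1e6:.2f} Mbps over {n} samples")
```

With only four samples per customer the 95th percentile is simply the maximum; over a month of 5-minute polls (8640 samples) it discards the top 432, which is the point of the convention. Keeping the raw (timestamp, counter) pairs for the whole billing period, as this does, is what makes the figure reproducible when a customer disputes it.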
Dale

From rodrick.brown at gmail.com Fri Jan 20 00:07:01 2012
From: rodrick.brown at gmail.com (Rodrick Brown)
Date: Fri, 20 Jan 2012 01:07:01 -0500
Subject: Megaupload.com seized
In-Reply-To: <4A41FC6DBA124A25B6BBA6D8F2877AAD@smithwaIntell>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu> <4A41FC6DBA124A25B6BBA6D8F2877AAD@smithwaIntell>
Message-ID:

On Thu, Jan 19, 2012 at 11:30 PM, James Smith wrote:
> I can only imagine the bloodbath this will cause!!

Show me a file sharing site with no illegal content! This is just insane. What's quite interesting is that Rapper/Producer Swiss BeatZ is the current CEO of megaupload, how ironic.

>
> -----Original Message----- From: Steven Bellovin
> Sent: Friday, January 20, 2012 12:07 AM
> To: Suresh Ramasubramanian
> Cc: james at smithwaysecurity.com ; NANOG
> Subject: Re: Megaupload.com seized
>
> I don't mean either -- I've only skimmed the indictment. But from the
> news stories, it would *appear* that they got a search or wiretap warrant
> to get at employees' email. I don't see how that would make it "not
> private". (Btw -- "due diligence" is a civil suit concept; this is a
> criminal case.) The prosecution is trying to claim that the targets
> had actual knowledge of what was going on.
>
> I do know Orin Kerr, however. He's a former federal prosecutor and he's
> *very* sharp, and I've never known him to be wrong on straight-forward
> legal issues like this. He himself may not have all the facts himself.
> But here are two sample paragraphs from the indictment:
>
> On or about August 31, 2006, VAN DER KOLK sent an e-mail to an
> associate entitled lol. Attached to the message was a screenshot
> of a Megaupload.com file download page for the file Alcohol 120
> 1.9.5 3105complete.rar with a description of Alcohol 120, con
> crack!!!! By ChaOtiX!.
> The copyrighted software Alcohol 120 is
> a CD/DVD burning software program sold by www.alcohol-soft.com.
>
> and
>
> On or about June 24, 2010, members of the Mega Conspiracy were
> informed, pursuant to a criminal search warrant from the U.S.
> District Court for the Eastern District of Virginia, that thirty-nine
> infringing copies of copyrighted motion pictures were believed to
> be present on their leased servers at Carpathia Hosting in Ashburn,
> Virginia. On or about June 29, 2010, after receiving a copy of
> the criminal search warrant, ORTMANN sent an e-mail entitled Re:
> Search Warrant Urgent to DOTCOM and three representatives of
> Carpathia Hosting in the Eastern District of Virginia. In the
> e-mail, ORTMANN stated, The user/payment credentials supplied in
> the warrant identify seven Mega user accounts, and further that
> The 39 supplied MD5 hashes identify mostly very popular files that
> have been uploaded by over 2000 different users so far[.] The Mega
> Conspiracy has continued to store copies of at least thirty-six
> of the thirty-nine motion pictures on its servers after the Mega
> Conspiracy was informed of the infringing content.
>
> (I got the indictment from http://static2.stuff.co.nz/
> files/MegaUpload.pdf
> -- while I'd prefer to use a DoJ site cite, for some reason their web
> server is very slow right now...)
>
> On Jan 19, 2012, at 10:48 PM, Suresh Ramasubramanian wrote:
>
> Er I'm sorry but do you mean joeschmoe at corp.megaupload.com type
>> emails, or joeschmoe at hotmail.com type emails?
>>
>> If megaupload's corporate email was seized to provide due diligence in
>> such a prosecution - it would quite probably not constitute private
>> mail
>>
>> On Fri, Jan 20, 2012 at 8:49 AM, Steven Bellovin
>> wrote:
>>
>>>
>>>
>>>        The Megaupload case is unusual, said Orin S.
>>>        Kerr, a law professor
>>>        at George Washington University, in that federal prosecutors
>>> obtained
>>>        the private e-mails of Megaupload's operators in an effort to show
>>> they
>>>        were operating in bad faith.
>>>
>>>        "The government hopes to use their private words against them,"
>>> Mr. Kerr
>>>        said. "This should scare the owners and operators of similar
>>> sites."
>>>
>>
>>
>>
>> --
>> Suresh Ramasubramanian (ops.lists at gmail.com)
>>
>>
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>

From mysidia at gmail.com Fri Jan 20 00:16:14 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Fri, 20 Jan 2012 00:16:14 -0600
Subject: Polling Bandwidth as an Aggregate
In-Reply-To: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu>
References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu>
Message-ID:

On Thu, Jan 19, 2012 at 10:48 PM, Dale W. Carder wrote:
> With the rrdtool backend, you can certainly define and add multiple
> sources from different files together. Using 'AREA' first and
> subsequently 'STACK' to view multiple data sources is particularly
> nice for visualization.
>

Except Cacti/RRDTOOL is really just a great visualization tool; while you can build stacks, it is not something that accurately meters data for billing purposes.

The right kind of tool to use would be a netflow or network tap-based billing tool, that actually meters/samples specific datapoints at a specific interval and applies the billing business logic for reporting based on sampled data points, instead of smoothed averages of approximations.

RRDTOOL is clearly not designed to accurately report on information for billing. To a great extent, RRDTOOL aggregates, averages, interpolates, smooths what it reports.
http://oss.oetiker.ch/rrdtool/tut/rrdtutorial.en.html
See "Data Resampling"

Aggregation could be mitigated by including a large number of data rows at step=1 while creating the RRD file, eg for 5 minute polling 1440*(ndays) data rows; (enough rows to include the whole bill period + some number of days without aggregating), but not the rest of the issues with RRD, and including so many rows greatly increases .rrd file size.

I would look at Torrus or RTG before RRDTOOL for that, but even then... If data is not gathered using a mechanism that communicates timestamp to the poller, datapoints will still be imprecise. SNMP would be an example -- the cacti application may assume the SNMP response is current data, but possibly on the actual hardware, the internal MIB on the device was actually updated 10 seconds ago, which means there will be small spikes in traffic rate graphs that do not represent actual spikes in traffic.

--
-JH

From marka at isc.org Fri Jan 20 01:42:02 2012
From: marka at isc.org (Mark Andrews)
Date: Fri, 20 Jan 2012 18:42:02 +1100
Subject: Megaupload.com seized
In-Reply-To: Your message of "Fri, 20 Jan 2012 01:07:01 CDT."
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> <5907C44A-8758-4078-BAE4-97E20F362600@cs.columbia.edu> <4A41FC6DBA124A25B6BBA6D8F2877AAD@smithwaIntell>
Message-ID: <20120120074202.35FB91BB355B@drugs.dv.isc.org>

In message , Rodrick Brown writes:
> On Thu, Jan 19, 2012 at 11:30 PM, James Smith wrote:
>
> > I can only imagine the bloodbath this will cause!!
>
> Show me a file sharing site with no illegal content! This is just insane.
> What's quite interesting is that Rapper/Producer Swiss BeatZ is the current
> CEO of megaupload how ironic.

I suspect most file sharing sites don't have illegal content. Most would have some content that is there without the permission of the copyright holder. These are different things.
This case is not that there is copyrighted content there without the permission of the copyright holder. It's that they, allegedly, failed to remove such content when explicitly notified of it, which put them outside the safe harbour provision of DMCA.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From saku at ytti.fi Fri Jan 20 02:14:35 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 20 Jan 2012 10:14:35 +0200
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: <20120120081435.GA17097@pob.ytti.fi>

On (2012-01-19 12:10 -0800), jon Heise wrote:
> Does anyone have any experience with these two routers, we're looking to
> buy one of them but I have little experience dealing with cisco routers
> and zero experience with juniper.

It might be because of your schedule/timetable, but you are comparing apples to oranges. MX80 is not competing against ASR1k, and JNPR has no product to compete with ASR1k. MX80 competes directly with ASR9001. Notable differences include:

ASR9001 has a lot more memory (2GB/8GB) and a lot faster control-plane
ASR9001 has 120G of capacity, MX80 80G
ASR9001 BOM is higher, as it is not a fabricless design like MX80 (this shouldn't affect sale price in a relevant way)
ASR9001 does not ship just now

As others have pointed out, ASR1k is a 'high touch' router: it does NAPT, IPSEC, pretty much anything and everything; it is the next-gen VXR really. ASR9001 and MX80 both do relatively few things, but at high capacity.

--
  ++ytti

From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 03:47:21 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Fri, 20 Jan 2012 17:47:21 +0800
Subject: Argus: a hijacking alarm system

Hi,

I built a system "Argus" to alert on prefix hijackings in real time.
Argus monitors the Internet and discovers anomalous BGP updates caused by prefix hijacking. When Argus discovers a potential prefix hijacking, it will advertise it in a very short time, both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the mailing list (argus at csnet1.cs.tsinghua.edu.cn).

Argus has been running on the Internet for more than eight months; it can usually discover potential prefix hijackings within ten seconds after the first anomalous BGP update is announced. Several hijacking alarms have been confirmed by network operators. For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has been confirmed by the network operators of AS23910 and AS4538; it was a prefix hijacking caused by a mis-configuration of a route filter.

If you are interested in BGP security, welcome to visit our website and subscribe to the mailing list. If you are interested in the system itself, you can find our paper, which was published in ICNP 2011 (FIST workshop): http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.

Hope Argus will be useful for you.
_________________________________
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From jeroen at unfix.org Fri Jan 20 04:21:29 2012
From: jeroen at unfix.org (Jeroen Massar)
Date: Fri, 20 Jan 2012 11:21:29 +0100
Subject: Argus: a hijacking alarm system
Message-ID: <4F194029.7020105@unfix.org>

On 2012-01-20 10:47 , Yang Xiang wrote:
> Hi,
>
> I built a system "Argus" to alert on prefix hijackings in real time.
> Argus monitors the Internet and discovers anomalous BGP updates caused
> by prefix hijacking.
> When Argus discovers a potential prefix hijacking, it will advertise it in
> a very short time,
> both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
> mailing list (argus at csnet1.cs.tsinghua.edu.cn).

But the big question of 2012 [*] is: does it do IPv6.

The last 99 anomalies don't show any info there.
Greets,
 Jeroen

[*] We got a http://ipv6week.org/ and http://www.worldipv6launch.org/ this year ;)

From bonomi at mail.r-bonomi.com Fri Jan 20 04:25:39 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Fri, 20 Jan 2012 04:25:39 -0600 (CST)
Subject: Megaupload.com seized
In-Reply-To: <20120120074202.35FB91BB355B@drugs.dv.isc.org>
Message-ID: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

Mark Andrews wrote:
>
> I suspect most file sharing sites don't have illegal content. Most
> would have some content that is there without the permission of the
> copyright holder. These are different things.

"Without the permission of the copyright holder" _is_ contrary to statute, and thus 'against the law'. As such 'illegal' is _not_ an incorrect term to apply to the situation.

It may not be a _criminal_ violation, but it is still proscribed by law.

"Illegal" and "criminal" -- _these_ are different things.

Junk faxing is illegal, Telemarketing calls to cell phones are illegal, Public distribution without the permission of the copyright owner is illegal.

Except in special cases, none of those actions are _criminal_, but they are all violations of law, and thus _illegal_.

Claiming that a thing is not 'illegal' if it is not 'criminal' is similar to asserting "it's not a crime if you don't get caught".

From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 04:39:23 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Fri, 20 Jan 2012 18:39:23 +0800
Subject: Argus: a hijacking alarm system
In-Reply-To: <4F194029.7020105@unfix.org>
References: <4F194029.7020105@unfix.org>

_________________________________
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

2012/1/20 Jeroen Massar
> On 2012-01-20 10:47 , Yang Xiang wrote:
> > Hi,
> >
> > I built a system "Argus" to alert on prefix hijackings in real time.
> > Argus monitors the Internet and discovers anomalous BGP updates caused
> > by prefix hijacking.
> > When Argus discovers a potential prefix hijacking, it will advertise it in
> > a very short time,
> > both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
> > mailing list (argus at csnet1.cs.tsinghua.edu.cn).
>
> But the big question of 2012 [*] is: does it do IPv6.
>
> The last 99 anomalies don't show any info there.

Yes, it's only v4 now :(
But I'm trying to do so. It needs enough (dozens of) public IPv6 route-servers to do the job. Actually the system only needs to execute 'ping6' and 'show ipv6 bgp' on the IPv6 route-servers.
Hope I can find enough v6 route-servers before Jun 6 :)

> Greets,
>  Jeroen
>
> [*] We got a http://ipv6week.org/ and http://www.worldipv6launch.org/
> this year ;)

From lists at internetpolicyagency.com Fri Jan 20 04:40:13 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 20 Jan 2012 10:40:13 +0000
Subject: Megaupload.com seized
In-Reply-To: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

In article <201201201025.q0KAPdM5040190 at mail.r-bonomi.com>, Robert Bonomi writes
>> I suspect most file sharing sites don't have illegal content. Most
>> would have some content that is there without the permission of the
>> copyright holder. These are different things.
>
> "Without the permission of the copyright holder" _is_ contrary to
> statute, and thus 'against the law'. As such 'illegal' is _not_
> an incorrect term to apply to the situation.
>
> It may not be a _criminal_ violation, but it is still proscribed by law.
>
> "Illegal" and "criminal" -- _these_ are different things.
>
> Junk faxing is illegal, Telemarketing calls to cell phones are illegal,
> Public distribution without the permission of the copyright owner is
> illegal.
>
> Except in special cases, none of those actions are _criminal_, but
> they are all violations of law, and thus _illegal_.
>
> Claiming that a thing is not 'illegal' if it is not 'criminal' is similar
> to asserting "it's not a crime if you don't get caught".

As is common in most industries, there are expressions in the world of Internet Governance that are jargon and have agreed meanings in that context.

"Illegal Material" is reserved for content which is illegal to possess and/or distribute (even if, and possibly even more so, if you originated it).

"Harmful Material" is content which is legal to possess but is nevertheless regarded by many as immoral or highly undesirable within some framework of commonly held values.

"Infringing Material" is content which is held without a legitimate rightsholder's permission.
--
Roland Perry

From cabo at tzi.org Fri Jan 20 04:48:36 2012
From: cabo at tzi.org (Carsten Bormann)
Date: Fri, 20 Jan 2012 11:48:36 +0100
Subject: "Illegal content" (Re: Megaupload.com seized)
In-Reply-To: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
References: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
Message-ID: <9DDC84D5-D802-431A-8267-5E8557EE41D7@tzi.org>

On Jan 20, 2012, at 11:25, Robert Bonomi wrote:
> Public distribution without the permission of the copyright owner is
> illegal.

This is veering off the purpose of this list, but maybe it is operationally significant to be able to use the right terms when a law enforcement officer is standing in the door.

Mark Andrews was pointing out that content being file-shared is rarely illegal. By itself. Examples of "illegal content" might be hate speech, child pornography, lèse-majesté, blasphemy, with the meaning of these terms depending on your jurisdiction.

What you are pointing out is that distribution of content may be illegal. That does not make the content itself illegal.
The legality of transfer under copyright is bound to many legal issues, such as fair use, right to personal copies, and of course licensing, again depending on your jurisdiction. But all this is divorced from the content. Content is never illegal with respect to copyright. (It might have been copied illegally, but once it's sitting somewhere, it's not illegal by itself. A license would suddenly make it legal.)

The point is important because a lot of idiots are running around shouting "he had all this copyrighted material on his computer!". Of course he had! There are very few computers that don't carry copyrighted material, starting from the BIOS. Without examining the legal context, such as purchasing histories, supreme court decisions etc., it is sometimes really hard to say whether all of it got there in a legal way, and its presence may be an indication of previous illegal activity. But (at least wrt copyright law) it is never illegal while sitting somewhere on a computer.

So the next time somebody says "illegal content", think "hate speech" or "child pornography", "lèse-majesté" or "blasphemy", not copyrighted content. Almost everything on a computer is copyrighted.

Now let's return to the impact of this heist on network utilization...

Grüße, Carsten

From ops.lists at gmail.com Fri Jan 20 04:52:09 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 20 Jan 2012 16:22:09 +0530
Subject: Argus: a hijacking alarm system
References: <4F194029.7020105@unfix.org>

On Fri, Jan 20, 2012 at 4:09 PM, Yang Xiang wrote:
>
> Hope I can find enough v6 route-servers before Jun 6 :)

Jeroen is just the guy to suggest where you can find them :)
Till then, if google is an acceptable substitute - http://www.bgp4.net/wiki/doku.php?id=tools:ipv6_route_servers

Enjoy - your system sounds great. And of course gong xi fa cai!
--
Suresh Ramasubramanian (ops.lists at gmail.com)

From oscar.vives at gmail.com Fri Jan 20 05:00:15 2012
From: oscar.vives at gmail.com (Tei)
Date: Fri, 20 Jan 2012 12:00:15 +0100
Subject: Megaupload.com seized
References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

What filesharers should do is store files in these services in an encrypted way, with an anonymized name, so these services have absolutely no way to tell what they are hosting.

Filesharers can organize themselves in sites based on forum software that is private by default (open with registration), then share some "information" file that includes the url to the files hosted, the key to decrypt these files, and some metadata. A special desktop program* would load that information file and start the http download.

This way can combine the best of the old "BBS" systems with the best of the current caching and hosting technologies. These http hosting services seem to operate well enough. A % of the users go premium to allow more and better downloads.

*Maybe it is time to write such a program.

--
--
Fin del Mensaje.

From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 05:01:59 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Fri, 20 Jan 2012 19:01:59 +0800
Subject: Argus: a hijacking alarm system
References: <4F194029.7020105@unfix.org>

_________________________________
Yang Xiang . about.me/xiangyang

2012/1/20 Suresh Ramasubramanian
> On Fri, Jan 20, 2012 at 4:09 PM, Yang Xiang wrote:
> > Hope I can find enough v6 route-servers before Jun 6 :)
>
> Jeroen is just the guy to suggest where you can find them :)
> Till then, if google is an acceptable substitute -
> http://www.bgp4.net/wiki/doku.php?id=tools:ipv6_route_servers

Thanks very much.
I will check these servers.

> Enjoy - your system sounds great. And of course gong xi fa cai!
Gong xi fa cai, happy Chinese New Year :)

> --
> Suresh Ramasubramanian (ops.lists at gmail.com)

From owen at delong.com Fri Jan 20 05:05:47 2012
From: owen at delong.com (Owen DeLong)
Date: Fri, 20 Jan 2012 03:05:47 -0800
Subject: Megaupload.com seized
In-Reply-To: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
References: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

On Jan 20, 2012, at 2:25 AM, Robert Bonomi wrote:
>
> Mark Andrews wrote:
>>
>> I suspect most file sharing sites don't have illegal content. Most
>> would have some content that is there without the permission of the
>> copyright holder. These are different things.
>
> "Without the permission of the copyright holder" _is_ contrary to
> statute, and thus 'against the law'. As such 'illegal' is _not_
> an incorrect term to apply to the situation.
>
> It may not be a _criminal_ violation, but it is still proscribed by law.
>
> "Illegal" and "criminal" -- _these_ are different things.
>
> Junk faxing is illegal, Telemarketing calls to cell phones are illegal,
> Public distribution without the permission of the copyright owner is
> illegal.
>
> Except in special cases, none of those actions are _criminal_, but
> they are all violations of law, and thus _illegal_.

Actually, they are all criminal violations. They may be infractions, or they may not often get prosecuted, but each is, in fact, a criminal violation.
Owen

From alec.muffett at gmail.com Fri Jan 20 05:14:26 2012
From: alec.muffett at gmail.com (Alec Muffett)
Date: Fri, 20 Jan 2012 11:14:26 +0000
Subject: Megaupload.com seized
References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

On 20 Jan 2012, at 11:00, Tei wrote:
> Filesharers can organize themselves in sites based on forum software
> that is private by default (open with registration), then share some
> "information" file that includes the url to the files hosted, the
> key to decrypt these files, and some metadata. A special desktop
> program* would load that information file and start the http
> download.

At the risk of kicking over old ground, there are a bunch of privacy solutions like this; possibly the most complete attempt (in terms of attempted privacy and distribution) is Freenet:

        http://freenetproject.org/whatis.html

...but it's slow; then there's Tahoe-LAFS - a decentralised filesystem:

        https://tahoe-lafs.org/trac/tahoe-lafs

...but it's slow; then there are connection anonymisation tools like I2P and Tor, but - wonderful as they are - they're slow.

Can you see a pattern developing that would be relevant to the downloader of 700Mb+ AVIs? :-)

It would be great to speed them through wider adoption, but until then...

        -a

From bmanning at vacation.karoshi.com Fri Jan 20 05:17:50 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Fri, 20 Jan 2012 11:17:50 +0000
Subject: Megaupload.com seized
References: <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
Message-ID: <20120120111750.GA8326@vacation.karoshi.com.>

On Fri, Jan 20, 2012 at 03:05:47AM -0800, Owen DeLong wrote:
>
> On Jan 20, 2012, at 2:25 AM, Robert Bonomi wrote:
>
> >
> > Mark Andrews wrote:
> >>
> >> I suspect most file sharing sites don't have illegal content. Most
> >> would have some content that is there without the permission of the
> >> copyright holder.
> >> These are different things.
> >
> > "Without the permission of the copyright holder" _is_ contrary to
> > statute, and thus 'against the law'. As such 'illegal' is _not_
> > an incorrect term to apply to the situation.
> >
> > It may not be a _criminal_ violation, but it is still proscribed by law.
> >
> > "Illegal" and "criminal" -- _these_ are different things.
> >
> > Junk faxing is illegal, Telemarketing calls to cell phones are illegal,
> > Public distribution without the permission of the copyright owner is
> > illegal.
> >
> > Except in special cases, none of those actions are _criminal_, but
> > they are all violations of law, and thus _illegal_.
>
> Actually, they are all criminal violations. They may be infractions, or they
> may not often get prosecuted, but each is, in fact, a criminal violation.
>
> Owen

depends on the jurisdiction, methinks. Do US laws apply in India? Nigeria? Mars? Your broad generalizations may not hold.

/bill

From oscar.vives at gmail.com Fri Jan 20 05:42:35 2012
From: oscar.vives at gmail.com (Tei)
Date: Fri, 20 Jan 2012 12:42:35 +0100
Subject: Megaupload.com seized
References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com>

On 20 January 2012 12:14, Alec Muffett wrote:
>
> On 20 Jan 2012, at 11:00, Tei wrote:
>
>> Filesharers can organize themselves in sites based on forum software
>> that is private by default (open with registration), then share some
>> "information" file that includes the url to the files hosted, the
>> key to decrypt these files, and some metadata. A special desktop
>> program* would load that information file and start the http
>> download.
>
> At the risk of kicking over old ground, there are a bunch of privacy solutions like this; possibly the most complete attempt (in terms of attempted privacy and distribution) is Freenet:
>
>        http://freenetproject.org/whatis.html
>
> ...but it's slow; then there's Tahoe-LAFS - a decentralised filesystem:
>
>        https://tahoe-lafs.org/trac/tahoe-lafs
>
> ...but it's slow; then there are connection anonymisation tools like I2P and Tor, but - wonderful as they are - they're slow.
>
> Can you see a pattern developing that would be relevant to the downloader of 700Mb+ AVIs? :-)
>
> It would be great to speed them through wider adoption, but until then...
>
>        -a

These services are not needed yet. But it is good that they are under study, in case changes in laws or the balance of power make them needed.

For now, I think people will continue using HTTP to download/stream movies and tv series. Perhaps countries where the 3 strikes legislation is approved will make one of these systems necessary. But I think speed is an important factor, and no slow system will succeed.

--
--
Fin del Mensaje.

From marshall.eubanks at gmail.com Fri Jan 20 05:47:33 2012
From: marshall.eubanks at gmail.com (Marshall Eubanks)
Date: Fri, 20 Jan 2012 06:47:33 -0500
Subject: "Illegal content" (Re: Megaupload.com seized)
In-Reply-To: <9DDC84D5-D802-431A-8267-5E8557EE41D7@tzi.org>
References: <201201201025.q0KAPdM5040190@mail.r-bonomi.com> <9DDC84D5-D802-431A-8267-5E8557EE41D7@tzi.org>

On Fri, Jan 20, 2012 at 5:48 AM, Carsten Bormann wrote:
> On Jan 20, 2012, at 11:25, Robert Bonomi wrote:
>
>> Public distribution without the permission of the copyright owner is
>> illegal.
>
> This is veering off the purpose of this list, but maybe it is operationally significant to be able to use the right terms when a law enforcement officer is standing in the door.
>
> Mark Andrews was pointing out that content being file-shared is rarely illegal. By itself. Examples of "illegal content" might be hate speech, child pornography, lèse-majesté, blasphemy, with the meaning of these terms depending on your jurisdiction.
>
> What you are pointing out is that distribution of content may be illegal. That does not make the content itself illegal. The legality of transfer under copyright is bound to many legal issues, such as fair use, right to personal copies, and of course licensing, again depending on your jurisdiction. But all this is divorced from the content. Content is never illegal with respect to copyright. (It might have been copied illegally, but once it's sitting somewhere, it's not illegal by itself. A license would suddenly make it legal.)
>
> The point is important because a lot of idiots are running around shouting "he had all this copyrighted material on his computer!". Of course he had! There are very few computers that don't carry copyrighted material, starting from the BIOS. Without examining the legal context, such as purchasing histories, supreme court decisions etc., it is sometimes really hard to say whether all of it got there in a legal way, and its presence may be an indication of previous illegal activity. But (at least wrt copyright law) it is never illegal while sitting somewhere on a computer.
>
> So the next time somebody says "illegal content", think "hate speech" or "child pornography", "lèse-majesté" or "blasphemy", not copyrighted content. Almost everything on a computer is copyrighted.

There is a lot of disinformation in this area, with loaded words with no legal meaning being used to make political points or engender desired reactions.

I am not a lawyer, and this is certainly not legal advice, but in the US copyright infringement is not theft, the sheer possession of infringing material is not illegal, nor is listening / watching / reading such material in private, and the terms "piracy" and "intellectual property" are not to be found in US copyright law. That you would not know this reading the press releases is a feature, not a bug.
And, since 1976, registration is not required for copyright and almost everything written, sung, videoed, etc., including these emails, is copyrighted from the time it is created.

But, indeed, this is far from the purpose of this mail list.

Regards
Marshall

> Now let's return to the impact of this heist on network utilization...
>
> Grüße, Carsten

From jeroen at unfix.org Fri Jan 20 05:49:15 2012
From: jeroen at unfix.org (Jeroen Massar)
Date: Fri, 20 Jan 2012 12:49:15 +0100
Subject: Argus: a hijacking alarm system
References: <4F194029.7020105@unfix.org>
Message-ID: <4F1954BB.3030702@unfix.org>

On 2012-01-20 12:01 , Yang Xiang wrote:
> 2012/1/20 Suresh Ramasubramanian
>
> > On Fri, Jan 20, 2012 at 4:09 PM, Yang Xiang wrote:
> > > Hope I can find enough v6 route-servers before Jun 6 :)
> >
> > Jeroen is just the guy to suggest where you can find them :)
> > Till then, if google is an acceptable substitute -
> > http://www.bgp4.net/wiki/doku.php?id=tools:ipv6_route_servers
>
> Thanks very much.
> I will check these servers.

Please note that automated polling of route servers without prior consent of the owner of said route server might not be completely acceptable as it puts serious loads on them.

A better way is to get proper BGP sessions set up towards various locations.

You might also want to look at http://www.ripe.net/data-tools/stats/ris/ris-raw-data which describes how to get access to RIPE's RIS system raw data; this is what BGPMon also uses.

Greets,
 Jeroen

From aservin at lacnic.net Fri Jan 20 06:08:17 2012
From: aservin at lacnic.net (Arturo Servin)
Date: Fri, 20 Jan 2012 10:08:17 -0200
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
Message-ID: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>

You could use RPKI and origin validation as well.

We have an application that does that.
http://www.labs.lacnic.net/rpkitools/looking_glass/

For example you can periodically check if your prefix is valid:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/

If it were invalid for a possible hijack it would look like:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/

Or you can just query for any state:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/

Regards,
as

On 20 Jan 2012, at 07:47, Yang Xiang wrote:
> Hi,
>
> I built a system "Argus" to alert on prefix hijackings in real time.
> Argus monitors the Internet and discovers anomalous BGP updates caused
> by prefix hijacking.
> When Argus discovers a potential prefix hijacking, it will advertise it in
> a very short time,
> both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
> mailing list (argus at csnet1.cs.tsinghua.edu.cn).
>
> Argus has been running on the Internet for more than eight months;
> it can usually discover potential prefix hijackings within ten seconds after
> the first anomalous BGP update is announced.
> Several hijacking alarms have been confirmed by network operators.
> For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has
> been confirmed by the network operators of AS23910 and AS4538;
> it was a prefix hijacking caused by a mis-configuration of a route filter.
>
> If you are interested in BGP security, welcome to visit our website and
> subscribe to the mailing list.
> If you are interested in the system itself, you can find our paper, which
> was published in ICNP 2011 (FIST workshop):
> http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
>
> Hope Argus will be useful for you.
> _________________________________
> Yang Xiang . about.me/xiangyang
> Ph.D candidate.
> Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn

From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 06:14:25 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Fri, 20 Jan 2012 20:14:25 +0800
Subject: Argus: a hijacking alarm system
In-Reply-To: <4F1954BB.3030702@unfix.org>
References: <4F194029.7020105@unfix.org> <4F1954BB.3030702@unfix.org>

_________________________________
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

2012/1/20 Jeroen Massar
> On 2012-01-20 12:01 , Yang Xiang wrote:
> > 2012/1/20 Suresh Ramasubramanian
>
> Please note that automated polling of route servers without prior
> consent of the owner of said route server might not be completely
> acceptable as it puts serious loads on them.
>
> A better way is to get proper BGP sessions set up towards various
> locations.
>
> You might also want to look at
> http://www.ripe.net/data-tools/stats/ris/ris-raw-data which describes
> how to get access to RIPE's RIS system raw data; this is what BGPMon
> also uses.

Argus receives BGP updates from BGPmon, and only accesses route servers when it finds that a BGP update is 'anomalous'. We also control the load on these route servers. After logging in to the route server, Argus only executes 'ping' for a given IP address and 'show ip bgp' for a given prefix, and will log out from the route server after two minutes.

> Greets,
>  Jeroen

From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 06:38:55 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Fri, 20 Jan 2012 20:38:55 +0800
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
In-Reply-To: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>
References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>

RPKI is great.

But, firstly, ROA doesn't cover all the prefixes now; we need an alternative service to alert on hijackings.
Secondly, ROA can only secure the 'Origin AS' of a prefix, while Argus can discover potential hijackings caused by anomalous AS paths.

After ROA and BGPsec are deployed in the entire Internet (or in all of your network), Argus will stop the service :)

2012/1/20 Arturo Servin
>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
> Regards,
> as

--
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From aservin at lacnic.net Fri Jan 20 06:45:31 2012
From: aservin at lacnic.net (Arturo Servin)
Date: Fri, 20 Jan 2012 10:45:31 -0200
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>
Message-ID: <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net>

On 20 Jan 2012, at 10:38, Yang Xiang wrote:
> RPKI is great.
>
> But, firstly, ROA doesn't cover all the prefixes now;
> we need an alternative service to alert on hijackings.

Or to sign your prefixes.

> Secondly, ROA can only secure the 'Origin AS' of a prefix,

That's true.

> while Argus can discover potential hijackings caused by anomalous AS paths.

Can you explain how?

> After ROA and BGPsec are deployed in the entire Internet (or in all of your network),
> Argus will stop the service :)

I was just suggesting to add a more deterministic way of detecting hijacks.
Regards,
as

> 2012/1/20 Arturo Servin
>
> You could use RPKI and origin validation as well.
>
> We have an application that does that.
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
>
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
> Regards,
> as
>
> --
> _________________________________________
> Yang Xiang. Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn

From bjorn at mork.no Fri Jan 20 07:06:52 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Fri, 20 Jan 2012 14:06:52 +0100
Subject: How are you doing DHCPv6 ?
In-Reply-To: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> (Randy Carpenter's message of "Tue, 17 Jan 2012 17:04:02 -0500 (EST)")
References: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
Message-ID: <871uqur09f.fsf@nemi.mork.no>

Randy Carpenter writes:
> I am wondering how people out there are using DHCPv6 to handle
> assigning prefixes to end users.
>
> We have a requirement for it to be a redundant server that is
> centrally located.

OK, so then you've already made your choice.

Another solution is having the DHCPv6 servers distributed while keeping the database centrally managed. This is the route the delegated prefix will travel:

  central MySQL master
  => local MySQL slave on each RADIUS server
  => RADIUS based per client provisioning
  => local DHCPv6 server running on each access router
  => DHCPv6 client on customer CPE

This is about as redundant as it gets if you have multiple RADIUS servers in multiple sites.
No need for any cooperation between the DHCPv6 servers to be fully redundant. The only assumption is that either the client will always connect to the same access router, or the prefix must move between the access routers the client uses. Whether this is a deaggregation problem for you or not depends on how those access routers can be grouped, if at all. But that problem is really unrelated to DHCPv6. Bjørn From xiangy08 at csnet1.cs.tsinghua.edu.cn Fri Jan 20 07:08:22 2012 From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang) Date: Fri, 20 Jan 2012 21:08:22 +0800 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> Message-ID: 2012/1/20 Arturo Servin > > On 20 Jan 2012, at 10:38, Yang Xiang wrote: > > > RPKI is great. > > > > But, firstly, ROA doesn't cover all the prefixes now, > > we need an alternative service to alert hijackings. > > Or to sign your prefixes. > Signing prefixes is the best way. Before signing all prefixes, it is better if we have a detection service. > > > > > secondly, ROA can only secure the 'Origin AS' of a prefix, > > That's true. > > > while Argus can discover potential hijackings caused by anomalous AS > path. > > Can you explain how? > Only an imprecise detection. Section III.C in our paper http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf A brief explanation is: If an anomalous AS path hijacked a prefix, I can get replies from normal route-servers, and cannot get replies from abnormal route-servers. Here we only consider hijackings that black-hole the prefix. If a hijacking doesn't black-hole the prefix (i.e., redirect, interception, ...), it is hard to detect :( I think network operators are only careless, but not trust-less, so black-hole hijacking is the majority case.
> > > > > After ROA and BGPsec deployed in the entire Internet (or, in all of your > network), > > Argus will stop the service :) > > I was just suggesting to add a more deterministic way to detecting > hijacks. > Sorry for my poor English :( What I want to say is, RPKI is really good, Argus is just an alternative, before we can protect ourselves using signatures, honestly :-) Best regards! > > > Regards, > as > > > > > > -- > > _________________________________________ > > Yang Xiang. Ph.D candidate. Tsinghua University > > Argus: argus.csnet1.cs.tsinghua.edu.cn > > > > -- _________________________________________ Yang Xiang. Ph.D candidate. Tsinghua University Argus: argus.csnet1.cs.tsinghua.edu.cn From drew.weaver at thenap.com Fri Jan 20 07:09:10 2012 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri, 20 Jan 2012 08:09:10 -0500 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> Message-ID: Isn't the ASR9001 closer to the MX80? Thanks, -Drew -----Original Message----- From: jon Heise [mailto:jon at smugmug.com] Sent: Thursday, January 19, 2012 3:10 PM To: nanog at nanog.org Subject: juniper mx80 vs cisco asr 1000 Does anyone have any experience with these two routers? We're looking to buy one of them but I have little experience dealing with cisco routers and zero experience with juniper. From drew.weaver at thenap.com Fri Jan 20 07:15:45 2012 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri, 20 Jan 2012 08:15:45 -0500 Subject: Polling Bandwidth as an Aggregate In-Reply-To: References: Message-ID: RTG uses MySQL for its backend, so you can basically set up queries however you like, and you can use RTGPOLL to graph multiple interfaces as well. It's a super good tool and I think there is a group working on RTG2 at googlecode (I think).
-Drew -----Original Message----- From: Keegan Holley [mailto:keegan.holley at sungard.com] Sent: Thursday, January 19, 2012 10:51 PM To: NANOG Subject: Polling Bandwidth as an Aggregate Has anyone had to aggregate bandwidth data from multiple interfaces for billing? For example I'd like to poll with an open source tool and aggregate data from multiple interfaces connected to the same customer or multiple customers for the purpose of billing and capacity management. Is there an easy way to do this with cacti/rrd or another open source kit? Keegan Holley | Network Architect | SunGard Availability Services | 401 North Broad St. Philadelphia, PA 19108 | (215) 446-1242 | keegan.holley at sungard.com Keeping People and Information Connected | http://www.availability.sungard.com/ Think before you print CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system. From bhmccie at gmail.com Fri Jan 20 08:07:10 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 20 Jan 2012 08:07:10 -0600 Subject: US DOJ victim letter In-Reply-To: References: <20120119211655.GF32702@hiwaay.net> Message-ID: <4F19750E.5060200@gmail.com> On a less serious note, did anyone notice the numbers on the fbi.gov link? I'm pretty sure they are implying those are IP addresses. 123.456.789 and 987.654.321. Must be the same folks that do the Nexus documentation for Cisco. -Hammer- "I was a normal American nerd" -Jack Herer On 1/19/2012 4:36 PM, Ryan Gelobter wrote: > They are related to the DNSChanger and Ghostclick malware as ML said. The > e-mails to us did come from the DOJ e-mail servers and were legitimate. The > phone number is legit as well.
> > On Thu, Jan 19, 2012 at 3:37 PM, Todd Lyons wrote: > >> On Thu, Jan 19, 2012 at 1:39 PM, Carlos Alcantar wrote: >>> +1 on these emails we have received 3 of them. >> Three here as well. >> -- >> SOPA: Any attempt to [use legal means to] reverse technological >> advances is doomed. --Leo Leporte >> >> From danny at tcb.net Fri Jan 20 08:11:41 2012 From: danny at tcb.net (Danny McPherson) Date: Fri, 20 Jan 2012 09:11:41 -0500 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> Message-ID: <2E486C73-A973-4B96-A7C5-55F5E0D09175@tcb.net> On Jan 20, 2012, at 8:08 AM, Yang Xiang wrote: > > I think network operators are only careless, but not trust-less, > so black-hole hijacking is the majority case. This is aligned with the discussion on route leaks at the proposed interim SIDR meeting just after NANOG. Even with RPKI and BGPSEC fully deployed we still have this vulnerability, which commonly manifests itself today even by accident. RPKI-enabled BGPSEC would give you some assurances that the ASes in the AS_PATH represent the list of ASes through which the NLRI traveled, but nothing about whether it should have traversed those ASes in the first place -- so we still need something somewhere to mitigate that threat. See this draft for more information: -danny From Valdis.Kletnieks at vt.edu Fri Jan 20 08:38:27 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 20 Jan 2012 09:38:27 -0500 Subject: Megaupload.com seized In-Reply-To: Your message of "Fri, 20 Jan 2012 12:00:15 +0100." References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com> Message-ID: <15389.1327070307@turing-police.cc.vt.edu> On Fri, 20 Jan 2012 12:00:15 +0100, Tei said: > What file shares should do is to store files in these services in > an encrypted way, and with anonymized names.
So these services have > absolutely no way to tell what they are hosting. http://freenetproject.org/ From alexb at ripe.net Fri Jan 20 08:39:19 2012 From: alexb at ripe.net (Alex Band) Date: Fri, 20 Jan 2012 15:39:19 +0100 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> Message-ID: If you want to play around with RPKI Origin Validation, you can download the RIPE NCC RPKI Validator here: http://ripe.net/certification/tools-and-resources It's simple to set up and use: just unzip the package on a *NIX system, run ./bin/rpki-validator and browse to http://localhost:8080 EuroTransit have a public one running here: http://rpki01.fra2.de.euro-transit.net:8080/ You can see it's pointing to several Trust Anchors, downloads and validates all ROAs periodically, you can apply ignore filters and white lists, see a BGP announcement validity preview based on route collector data, integrates with existing (RPSL based) workflows and can talk to RPKI-capable routers. If you want to get an idea of how an RPKI-capable router would be configured, here's some sample config for Cisco and Juniper: http://www.ripe.net/certification/router-configuration You can also log into a public RPKI-capable Juniper here: 193.34.50.25, 193.34.50.26 telnet username: rpki password: testbed With additional documentation available here: http://rpki01.fra2.de.euro-transit.net/documentation.html Have fun, Alex On 20 Jan 2012, at 13:08, Arturo Servin wrote: > > You could use RPKI and origin validation as well. > > We have an application that does that.
> > http://www.labs.lacnic.net/rpkitools/looking_glass/ > > For example you can periodically check if your prefix is valid: > > http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/ > > If it were invalid for a possible hijack it would look like: > > http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/ > > Or you can just query for any state: > > http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/ > > > > Regards, > as > > On 20 Jan 2012, at 07:47, Yang Xiang wrote: > >> Hi, >> >> I built a system "Argus" to alert prefix hijackings in real time. >> Argus monitors the Internet and discovers anomalous BGP updates caused >> by prefix hijacking. >> When Argus discovers a potential prefix hijacking, it will advertise it in >> a very short time, >> both in our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the >> mailing list (argus at csnet1.cs.tsinghua.edu.cn). >> >> Argus has been running in the Internet for more than eight months, >> it usually can discover potential prefix hijackings in ten seconds after >> the first anomalous BGP update is announced. >> Several hijacking alarms have been confirmed by network operators. >> For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has >> been confirmed by the network operators of AS23910 and AS4538, >> it was a prefix hijacking caused by a mis-configuration of a route filter. >> >> If you are interested in BGP security, welcome to visit our website and >> subscribe to the mailing list. >> If you are interested in the system itself, you can find our paper which >> was published in ICNP 2011 (FIST workshop) >> http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080. >> >> Hope Argus will be useful for you. >> _________________________________ >> Yang Xiang . about.me/xiangyang >> Ph.D candidate.
Tsinghua University >> Argus: argus.csnet1.cs.tsinghua.edu.cn > > From mikea at mikea.ath.cx Fri Jan 20 08:56:22 2012 From: mikea at mikea.ath.cx (Mike Andrews) Date: Fri, 20 Jan 2012 08:56:22 -0600 Subject: US DOJ victim letter In-Reply-To: <4F19750E.5060200@gmail.com> References: <20120119211655.GF32702@hiwaay.net> <4F19750E.5060200@gmail.com> Message-ID: <20120120145622.GB60515@mikea.ath.cx> On Fri, Jan 20, 2012 at 08:07:10AM -0600, -Hammer- wrote: > On a less serious note, did anyone notice the numbers on the fbi.gov > link? I'm pretty sure they are implying those are IP addresses. > 123.456.789 and 987.654.321. Must be the same folks that do the Nexus > documentation for Cisco. And write the scripts for various TV shows. "Able to reconstruct an HD image from a single pixel. It's _CSI_!" -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From bicknell at ufp.org Fri Jan 20 09:32:20 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 20 Jan 2012 07:32:20 -0800 Subject: Polling Bandwidth as an Aggregate In-Reply-To: References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> Message-ID: <20120120153220.GA51083@ussenterprise.ufp.org> In a message written on Fri, Jan 20, 2012 at 12:16:14AM -0600, Jimmy Hess wrote: > Except Cacti/RRDTOOL is really just a great visualization tool, while you > can build stacks, it is not something that accurately meters data for > billing purposes. The right kind of tool to use would be a netflow or > network tap-based billing tool, that actually meters/samples specific > datapoints at a specific interval and applies the billing business logic > for reporting based on sampled data points, instead of smoothed averages > of approximations. To suggest Netflow is more accurate than rrdtool seems rather strange to me. It can be as accurate, but is not the way most people deploy it. RRDTool pulls the SNMP counters from an interface and records them to a file. 
With no aggregation, and assuming your device has accurate SNMP, this should be 100% accurate. While you are right that the defaults for RRDTOOL aggregate data (after a day, week, and month, approximately) those aggregates can be disabled keeping the raw data. I know several ISPs that keep the raw data and use it for billing using these tools. Netflow often suffers right at the source. If you want to bill off netflow data 1:1 netflow is almost required, while most ISPs do sampled Netflow at 1:100 or 1:1000. Those sampling levels produce more inaccuracy than RRDTool's aggregation function. What's more, once the data is put into the Netflow collector, they all do aggregation as well, just like RRDTool. Again, you can disable much of it with careful configuration. But let's compare apples to apples. Let's consider RRDTool configured to not aggregate with 1:1 netflow configured to not aggregate. RRDTool polls a monotonically increasing counter. Should a poll be missed no data is lost about the total number of bytes transferred. Thus you can bill by the number of bytes transferred with 100% accuracy, even with missed polls. If you bill by the bit-rate, you can interpolate a single missing data point with high accuracy as well. Netflow is a continuous stream of UDP across the network. If a UDP packet is lost between the router and the collector there is no way to reconstruct that data, and it is lost forever. Thus any network event means you won't have the data to bill your customer, and you're pretty much stuck always underbilling them with the data actually collected.
> If data is not gathered using a mechanism that communicates timestamp to > the poller, datapoints will still be imprecise, SNMP would be an example > -- the cacti application may assume the SNMP response is current data, but > possibly on the actual hardware, the internal MIB on the device was > actually updated 10 seconds ago, which means there will be small spikes > in traffic rate graphs that do not represent actual spikes in traffic. Most of the large ISPs I know of moved away from both of the solutions above to proprietary, custom solutions. They SNMP poll the counters and store that data in a database with high resolution counters, forever, never aggregated. The necessary perl/python/ruby code to do that and stick it in mysql or postgres is only a few pages long and easy to audit. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ From keegan.holley at sungard.com Fri Jan 20 09:36:38 2012 From: keegan.holley at sungard.com (Keegan Holley) Date: Fri, 20 Jan 2012 10:36:38 -0500 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <20120120153220.GA51083@ussenterprise.ufp.org> References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> Message-ID: Thanks all for the responses. I think I'm going to use cacti and plugins to aggregate. Aggregated billing is kind of something that would be nice to have but wasn't required. It's nice to know there are concerns with using cacti for this. My last question is if there is any easy/automated way to pull interfaces into cacti and configure graphs for them either via SNMP or reading from a mysql DB. I suddenly remember how much I hate importing large routers into cacti and configuring the graphs.
2012/1/20 Leo Bicknell > In a message written on Fri, Jan 20, 2012 at 12:16:14AM -0600, Jimmy Hess > wrote: > > Except Cacti/RRDTOOL is really just a great visualization tool, while you > > can build stacks, it is not something that accurately meters data for > > billing purposes. The right kind of tool to use would be a netflow or > > network tap-based billing tool, that actually meters/samples specific > > datapoints at a specific interval and applies the billing business logic > > for reporting based on sampled data points, instead of smoothed > averages > > of approximations. > > To suggest Netflow is more accurate than rrdtool seems rather strange > to me. It can be as accurate, but is not the way most people > deploy it. > > RRDTool pulls the SNMP counters from an interface and records them to a > file. With no aggregation, and assuming your device has accurate SNMP, > this should be 100% accurate. While you are right that the defaults for > RRDTOOL aggregate data (after a day, week, and month, approximately) > those aggregates can be disabled keeping the raw data. I know several > ISP's that keep the raw data and use it for billing using these tools. > > Netflow often suffers right at the source. If you want to bill off > netflow data 1:1 netflow is almost required, while most ISP's do sampled > Netflow at 1:100 or 1:1000. Those sampling levels produce more > inaccuracy than RRDTool's aggregation function. What's more, once the > data is put into the Netflow collector, they all do aggregation as well, > just like RRDTool. Again, you can disable much of it with careful > configuration. > > But let's compare apples to apples. Let's consider RRDTool configured > to not aggregate with 1:1 netflow configured to not aggregate. RRDTool > polls a monotonically increasing counter. Should a poll be missed no > data is lost about the total number of bytes transferred. Thus you can > bill by the number of bytes transferred with 100% accuracy, even with > missed polls. 
If you bill by the bit-rate, you can interpolate a single > missing data point with high accuracy as well. > > Netflow is a continuous stream of UDP across the network. If a UDP > packet is lost between the router and the collector there is no way to > reconstruct that data, and it is lost forever. Thus any network event > means you won't have the data to bill your customer, and you're pretty > much stuck always underbilling them with the data actually collected. > > > If data is not gathered using a mechanism that communicates timestamp to > > the poller, datapoints will still be imprecise, SNMP would be an example > > -- the cacti application may assume the SNMP response is current data, > but > > possibly on the actual hardware, the internal MIB on the device was > > actually updated 10 seconds ago, which means there will be small spikes > > in traffic rate graphs that do not represent actual spikes in traffic. > > Most of the large ISPs I know of moved away from both of the solutions > above to proprietary, custom solutions. They SNMP poll the counters and > store that data in a database with high resolution counters, forever, > never aggregated. The necessary perl/python/ruby code to do that and > stick it in mysql or postgres is only a few pages long and easy to > audit. > > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ > From nick at foobar.org Fri Jan 20 09:44:01 2012 From: nick at foobar.org (Nick Hilliard) Date: Fri, 20 Jan 2012 15:44:01 +0000 Subject: Polling Bandwidth as an Aggregate In-Reply-To: References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> Message-ID: <4F198BC1.3040206@foobar.org> On 20/01/2012 15:36, Keegan Holley wrote: > using cacti for this. My last question is if there is any easy/automated > way to pull interfaces into cacti and configure graphs for them either via > SNMP or reading from a mysql DB.
I suddenly remember how much I hate > importing large routers into cacti and configuring the graphs. No. This is one of cacti's major failings: there is no externally accessible API. You're going to end up injecting SQL directly into the cacti database and hoping that version upgrades don't screw up the schema layout too much. Nick From bicknell at ufp.org Fri Jan 20 09:48:03 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Fri, 20 Jan 2012 07:48:03 -0800 Subject: Polling Bandwidth as an Aggregate In-Reply-To: References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> Message-ID: <20120120154803.GA52070@ussenterprise.ufp.org> In a message written on Fri, Jan 20, 2012 at 10:36:38AM -0500, Keegan Holley wrote: > using cacti for this. My last question is if there is any easy/automated > way to pull interfaces into cacti and configure graphs for them either via > SNMP or reading from a mysql DB. I suddenly remember how much I hate > importing large routers into cacti and configuring the graphs. I find using MRTG is easier than Cacti for _automation_ purposes. Its configmaker script will generate a config file for a single router. I've written about 5 different versions of a small script that's basically a customized config maker so the graphs get named with customer names or the like. The job can be fully automated with a few hours of coding; run it out of Cron to rebuild your interface list automatically and you'll never miss a customer turn up because someone forgot to configure a graph. -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
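The counter-polling approach Leo Bicknell argues for earlier in this thread (poll a monotonically increasing SNMP counter, so a missed poll loses no byte count and a single missing data point can be interpolated), as an added illustration that is not code from Leo or from any project named here. The counter readings are constructed, and the 64-bit and 32-bit widths stand in for ifHCInOctets and ifInOctets respectively.

```python
"""Byte accounting from monotonically increasing SNMP interface counters.

Added illustration for this thread; it is not code from any poster or
project. The counter readings below are constructed, standing in for
ifInOctets (32-bit) or ifHCInOctets (64-bit) values returned by SNMP polls.
"""
from typing import List, Tuple

Sample = Tuple[int, int]  # (unix timestamp of the poll, counter value)


def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Bytes counted between two readings of a `bits`-wide counter.

    A monotonically increasing counter only goes backwards when it wraps,
    so a reading smaller than the previous one is treated as one wrap.
    """
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def wrap_safe(bits: int, link_bps: int, interval_s: int) -> bool:
    """True if the counter cannot wrap more than once between two polls.

    A second wrap inside one interval is invisible to counter_delta, so the
    poll interval has to be short enough for the link speed and counter width.
    """
    max_bytes_per_interval = link_bps // 8 * interval_s
    return max_bytes_per_interval < (1 << bits)


def total_bytes(samples: List[Sample], bits: int = 64) -> int:
    """Total bytes transferred across the sampled period.

    A missed poll loses nothing: the device keeps counting, and the next
    successful poll picks up everything that happened in between.
    """
    return sum(counter_delta(a, b, bits)
               for (_, a), (_, b) in zip(samples, samples[1:]))


def interval_rates(samples: List[Sample], bits: int = 64) -> List[Tuple[int, int, float]]:
    """Average bit rate between consecutive polls as (t_start, t_end, bit/s).

    A missed poll simply yields one longer interval carrying the average
    rate over that longer period.
    """
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be in increasing time order")
        out.append((t0, t1, counter_delta(c0, c1, bits) * 8 / (t1 - t0)))
    return out


def fill_single_gaps(samples: List[Sample], interval_s: int, bits: int = 64) -> List[Sample]:
    """Reconstruct one missing poll by linear interpolation of the counter.

    Only a gap of exactly two intervals (one missed poll) is filled; longer
    outages are left alone rather than invented.
    """
    filled = [samples[0]]
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 - t0 == 2 * interval_s:
            half = counter_delta(c0, c1, bits) // 2
            filled.append((t0 + interval_s, (c0 + half) % (1 << bits)))
        filled.append((t1, c1))
    return filled


# Constructed 5-minute polls of a 64-bit counter; the poll at T0 + 600 was missed.
T0 = 1_327_070_400
POLLS: List[Sample] = [
    (T0, 1_000_000),
    (T0 + 300, 4_000_000),
    (T0 + 900, 10_000_000),
    (T0 + 1200, 13_000_000),
]

if __name__ == "__main__":
    print("total bytes despite the missed poll:", total_bytes(POLLS))
    for t0, t1, bps in interval_rates(POLLS):
        print(f"{t0}-{t1}: {bps:.0f} bit/s")
    print("with the missing poll interpolated:", fill_single_gaps(POLLS, 300))
    print("32-bit counter, 1 Gbit/s link, 300 s polls, single wrap guaranteed?",
          wrap_safe(32, 1_000_000_000, 300))
```

The wrap_safe check is the caveat that goes with the argument: a 32-bit ifInOctets counter on a gigabit link can wrap more than once within a 5-minute poll, and that second wrap cannot be recovered from the counter values alone.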
From keegan.holley at sungard.com Fri Jan 20 09:52:00 2012 From: keegan.holley at sungard.com (Keegan Holley) Date: Fri, 20 Jan 2012 10:52:00 -0500 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <20120120154803.GA52070@ussenterprise.ufp.org> References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> <20120120154803.GA52070@ussenterprise.ufp.org> Message-ID: Is there a plugin for MRTG that allows you to go back to specific times? I like MRTG better for this as well but cacti's graphs are much more flexible. 2012/1/20 Leo Bicknell > In a message written on Fri, Jan 20, 2012 at 10:36:38AM -0500, Keegan > Holley wrote: > > using cacti for this. My last question is if there is any easy/automated > > way to pull interfaces into cacti and configure graphs for them either > via > > SNMP or reading from a mysql DB. I suddenly remember how much I hate > > importing large routers into cacti and configuring the graphs. > > I find using MRTG is easier than Cacti for _automation_ purposes. > Its configmaker script will generate a config file for a single > router. I've written about 5 different versions of a small script > that's basically a customized config maker so the graphs get named > with customer names or the like. The job can be fully automated > with a few hours of coding; run it out of Cron to rebuild your interface > list automatically and you'll never miss a customer turn up because > someone forgot to configure a graph.
> > -- > Leo Bicknell - bicknell at ufp.org - CCIE 3440 > PGP keys at http://www.ufp.org/~bicknell/ > From rsk at gsp.org Fri Jan 20 09:53:27 2012 From: rsk at gsp.org (Rich Kulawiec) Date: Fri, 20 Jan 2012 10:53:27 -0500 Subject: Argus: a hijacking alarm system In-Reply-To: References: Message-ID: <20120120155327.GA6432@gsp.org> On Fri, Jan 20, 2012 at 05:47:21PM +0800, Yang Xiang wrote: > I built a system "Argus" to alert prefix hijackings in real time. A suggestion: pick a different name. There's already a network tool named Argus (it's been around for years): http://www.qosient.com/argus/ I suggest using the name of a different Wishbone Ash album: "Bona Fide". ;-) ---rsk From cmadams at hiwaay.net Fri Jan 20 09:53:44 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 20 Jan 2012 09:53:44 -0600 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <20120120153220.GA51083@ussenterprise.ufp.org> References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> Message-ID: <20120120155344.GB13300@hiwaay.net> Once upon a time, Leo Bicknell said: > To suggest Netflow is more accurate than rrdtool seems rather strange > to me. It can be as accurate, but is not the way most people > deploy it. Comparing Netflow to RRDTool is comparing apples to cabinets; one is a source of information and one is a way of storing information. > RRDTool pulls the SNMP counters from an interface and records them to a > file. No, RRDTool stores data given to it by a front end such as MRTG, Cricket, Cacti, etc. That front end can fetch data from any number of sources, including (but not limited to) SNMP. RRDTool then stores information in its database. > With no aggregation, and assuming your device has accurate SNMP, > this should be 100% accurate. While you are right that the defaults for > RRDTOOL aggregate data (after a day, week, and month, approximately) > those aggregates can be disabled keeping the raw data.
RRDTool does not store the raw data. Even for 5-minute intervals, it adjusts the data vs. the timestamp to fit the desired interval. Since you don't read every counter at the exact time of your interval, RRDTool is always manipulating the numbers to fit. The only numbers that are not changed before storing are the timestamp and value for the most recent update (which get overwritten at each update); everything else is adjusted to fit. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From sclark at netwolves.com Fri Jan 20 09:59:37 2012 From: sclark at netwolves.com (Steve Clark) Date: Fri, 20 Jan 2012 10:59:37 -0500 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <20120120155344.GB13300@hiwaay.net> References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> <20120120155344.GB13300@hiwaay.net> Message-ID: <4F198F69.8050806@netwolves.com> On 01/20/2012 10:53 AM, Chris Adams wrote: > Once upon a time, Leo Bicknell said: >> To suggest Netflow is more accurate than rrdtool seems rather strange >> to me. It can be as accurate, but is not the way most people >> deploy it. > Comparing Netflow to RRDTool is comparing apples to cabinets; one is a > source of information and one is a way of storing information. > >> RRDTool pulls the SNMP counters from an interface and records them to a >> file. > No, RRDTool stores data given to it by a front end such as MRTG, > Cricket, Cacti, etc. That front end can fetch data from any number of > sources, including (but not limited to) SNMP. RRDTool then stores > information in its database. > >> With no aggregation, and assuming your device has accurate SNMP, >> this should be 100% accurate. While you are right that the defaults for >> RRDTOOL aggregate data (after a day, week, and month, approximately) >> those aggregates can be disabled keeping the raw data. 
> RRDTool does not store the raw data. Even for 5-minute intervals, it > adjusts the data vs. the timestamp to fit the desired interval. Since > you don't read every counter at the exact time of your interval, RRDTool > is always manipulating the numbers to fit. The only numbers that are > not changed before storing are the timestamp and value for the most > recent update (which get overwritten at each update); everything else is > adjusted to fit. > I suggest reading http://oss.oetiker.ch/rrdtool/tut/rrd-beginners.en.html -- Stephen Clark *NetWolves* Director of Technology Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.clark at netwolves.com http://www.netwolves.com From nanog at ijg.me.uk Fri Jan 20 10:00:58 2012 From: nanog at ijg.me.uk (Ian Goodall) Date: Fri, 20 Jan 2012 16:00:58 +0000 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <4F198BC1.3040206@foobar.org> Message-ID: On 20/01/2012 15:44, "Nick Hilliard" wrote: >No. This is one of cacti's major failings: there is no externally >accessible API. Not an external API but scripts have been available for some time now: http://www.cacti.net/downloads/docs/html/scripts.html Ian From keegan.holley at sungard.com Fri Jan 20 10:01:25 2012 From: keegan.holley at sungard.com (Keegan Holley) Date: Fri, 20 Jan 2012 11:01:25 -0500 Subject: Polling Bandwidth as an Aggregate In-Reply-To: <20120120155344.GB13300@hiwaay.net> References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> <20120120155344.GB13300@hiwaay.net> Message-ID: 2012/1/20 Chris Adams > Once upon a time, Leo Bicknell said: > > To suggest Netflow is more accurate than rrdtool seems rather strange > > to me. It can be as accurate, but is not the way most people > > deploy it. > > Comparing Netflow to RRDTool is comparing apples to cabinets; one is a > source of information and one is a way of storing information. > I assumed he meant an RRDTool kit that creates graphs with RRDTool. 
Technically, mysql is the "way of storing information". RRDTool processes it and has the ability to make it pretty for us humons. > > > RRDTool pulls the SNMP counters from an interface and records them to a > > file. > > No, RRDTool stores data given to it by a front end such as MRTG, > Cricket, Cacti, etc. That front end can fetch data from any number of > sources, including (but not limited to) SNMP. RRDTool then stores > information in its database. > Same as above > > > With no aggregation, and assuming your device has accurate SNMP, > > this should be 100% accurate. While you are right that the defaults for > > RRDTOOL aggregate data (after a day, week, and month, approximately) > > those aggregates can be disabled keeping the raw data. > > RRDTool does not store the raw data. Even for 5-minute intervals, it > adjusts the data vs. the timestamp to fit the desired interval. Since > you don't read every counter at the exact time of your interval, RRDTool > is always manipulating the numbers to fit. The only numbers that are > not changed before storing are the timestamp and value for the most > recent update (which get overwritten at each update); everything else is > adjusted to fit. > > I think every graphing tool does this. I pretty much ignored this though since I was asking about aggregating data from multiple objects not aggregating data over time. Cheers > -- > Chris Adams > Systems and Network Administrator - HiWAAY Internet Services > I don't speak for anybody but myself - that's enough trouble. > > > From jra at baylink.com Fri Jan 20 10:14:16 2012 From: jra at baylink.com (Jay Ashworth) Date: Fri, 20 Jan 2012 11:14:16 -0500 (EST) Subject: Megaupload.com seized In-Reply-To: <201201201025.q0KAPdM5040190@mail.r-bonomi.com> Message-ID: <13475259.5729.1327076056517.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Robert Bonomi" > Mark Andrews wrote: > > I suspect most file sharing site don't have illegal content. 
> > Most would have some content that is there without the permission of the copyright holder. These are different things.
> >
> "Without the permission of the copyright holder" _is_ contrary to statute, and thus 'against the law'. As such 'illegal' is _not_ an incorrect term to apply to the situation.
>
> It may not be a _criminal_ violation, but it is still proscribed by law.
>
> "Illegal" and "criminal" -- _these_ are different things.

The *act of making the copy (available)* may be contrary to law (and whether the law should make this particular category of copyright infringement a criminal offense, rather than the civil one it's been for over a century is a completely different topic :-)... but whether the *contents of the file themselves* contravene some law is, I think, the issue that Mark was talking about, and clearly we all agree, a copy of Gigli, while a crime against nature, is not inherently criminal, in the way that a Traci Lords film is.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From nick at foobar.org Fri Jan 20 10:19:06 2012
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 20 Jan 2012 16:19:06 +0000
Subject: Polling Bandwidth as an Aggregate
In-Reply-To: <20120120154803.GA52070@ussenterprise.ufp.org>
References: <906AD6F0-AACB-4612-9635-7CC988E5A993@wisc.edu> <20120120153220.GA51083@ussenterprise.ufp.org> <20120120154803.GA52070@ussenterprise.ufp.org>
Message-ID: <4F1993FA.8000508@foobar.org>

On 20/01/2012 15:48, Leo Bicknell wrote:
> I find using MRTG is easier than Cacti for _automation_ purposes.

It also has another slightly subtle but hugely useful advantage: the primary index reference of a graph does not refer to an interface name or a number, but can be defined as an arbitrary unique token.
This is ridiculously useful when it comes to 3rd party scripting and moving customers around the place

Nick

From richard.barnes at gmail.com Fri Jan 20 10:29:51 2012
From: richard.barnes at gmail.com (Richard Barnes)
Date: Fri, 20 Jan 2012 11:29:51 -0500
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
In-Reply-To:
References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net>
Message-ID:

BBN has also released an initial version of their relying party software. Core features are basically the same as the other validators (namely, RPKI certificate validation), with
-- more fine-grained error diagnostics and
-- more robust support for the RTR protocol for distributing validated information to routers.

On Fri, Jan 20, 2012 at 9:39 AM, Alex Band wrote:
> If you want to play around with RPKI Origin Validation, you can download the RIPE NCC RPKI Validator here: http://ripe.net/certification/tools-and-resources
> It's simple to set up and use: just unzip the package on a *NIX system, run ./bin/rpki-validator and browse to http://localhost:8080
>
> EuroTransit have a public one running here: http://rpki01.fra2.de.euro-transit.net:8080/
>
> You can see it's pointing to several Trust Anchors, downloads and validates all ROA periodically, you can apply ignore filters and white lists, see a BGP announcement validity preview based on route collector data, integrates with existing (RPSL based) workflows and can talk to RPKI-capable routers.
>
> If you want to get an idea of how an RPKI-capable router would be configured, here's some sample config for Cisco and Juniper: http://www.ripe.net/certification/router-configuration
>
> You can also log into a public RPKI-capable Juniper here: 193.34.50.25, 193.34.50.26
> telnet username: rpki
> password: testbed
>
> With additional documentation available here: http://rpki01.fra2.de.euro-transit.net/documentation.html
>
> Have fun,
>
> Alex
>
> On 20 Jan 2012, at 13:08, Arturo Servin wrote:
>>
>> You could use RPKI and origin validation as well.
>>
>> We have an application that does that.
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/
>>
>> For example you can periodically check if your prefix is valid:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>>
>> If it were invalid for a possible hijack it would look like:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>>
>> Or you can just query for any state:
>>
>> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>>
>> Regards,
>> as
>>
>> On 20 Jan 2012, at 07:47, Yang Xiang wrote:
>>
>>> Hi,
>>>
>>> I built a system "Argus" to alert prefix hijackings in real time. Argus monitors the Internet and discovers anomalous BGP updates caused by prefix hijacking. When Argus discovers a potential prefix hijacking, it will advertise it in a very short time, both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the mailing list (argus at csnet1.cs.tsinghua.edu.cn).
>>>
>>> Argus has been running in the Internet for more than eight months; it usually can discover potential prefix hijackings in ten seconds after the first anomalous BGP update is announced. Several hijacking alarms have been confirmed by network operators. For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has been confirmed by the network operators of AS23910 and AS4538; it was a prefix hijacking caused by a mis-configuration of a route filter.
>>>
>>> If you are interested in BGP security, welcome to visit our website and subscribe to the mailing list. If you are interested in the system itself, you can find our paper, which was published in ICNP 2011 (FIST workshop): http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
>>>
>>> Hope Argus will be useful for you.
>>> _________________________________
>>> Yang Xiang . about.me/xiangyang
>>> Ph.D candidate. Tsinghua University
>>> Argus: argus.csnet1.cs.tsinghua.edu.cn
>>
>>
>

From paul4004 at gmail.com Fri Jan 20 10:50:32 2012
From: paul4004 at gmail.com (PC)
Date: Fri, 20 Jan 2012 09:50:32 -0700
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <20120120081435.GA17097@pob.ytti.fi>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi>
Message-ID:

While the ASR1002 does offer more services, I generally disagree with some parts of this comparison. Juniper has some very aggressive pricing on mx80 bundles license-locked to 5gb, which are cheaper and blow the performance specifications of the equivalent low end ASR1002 out of the water for internet edge BGP applications. Unlike the ASR, a simple upgrade license can unlock the box's full potential.

Just my opinion as a customer of both vendors...

On Fri, Jan 20, 2012 at 1:14 AM, Saku Ytti wrote:
> On (2012-01-19 12:10 -0800), jon Heise wrote:
>
> > Does anyone have any experience with these two routers, we're looking to buy one of them but I have little experience dealing with cisco routers and zero experience with juniper.
>
> It might be because of your schedule/timetable, but you are comparing apples to oranges.
>
> MX80 is not competing against ASR1k, and JNPR has no product to compete with ASR1k. MX80 competes directly with ASR9001. Notable differences include:
>
> ASR9001 has a lot more memory (2GB/8GB) and a lot faster control-plane
> ASR9001 has 120G of capacity, MX80 80G
> ASR9001 BOM is higher, as it is not a fabricless design like MX80 (this shouldn't affect sale price in a relevant way)
> ASR9001 does not ship just now
>
> As others have pointed out ASR1k is a 'high touch' router, it does NAPT, IPSEC, pretty much anything and everything, it is the next-gen VXR really.
>
> ASR9001 and MX80 both do relatively few things, but at high capacity.
>
> --
> ++ytti
>

From rijilv at riji.lv Fri Jan 20 11:15:56 2012
From: rijilv at riji.lv (RijilV)
Date: Fri, 20 Jan 2012 09:15:56 -0800
Subject: Argus: a hijacking alarm system
In-Reply-To: <20120120155327.GA6432@gsp.org>
References: <20120120155327.GA6432@gsp.org>
Message-ID:

On 20 January 2012 07:53, Rich Kulawiec wrote:
> On Fri, Jan 20, 2012 at 05:47:21PM +0800, Yang Xiang wrote:
>> I built a system "Argus" to alert prefix hijackings in real time.
>
> A suggestion: pick a different name. There's already a network tool named Argus (it's been around for years): http://www.qosient.com/argus/
>
> I suggest using the name of a different Wishbone Ash album: "Bona Fide". ;-)
>
> ---rsk
>

Ha, there are already two with the name Argus: http://argus.tcp4me.com/ also been around for years...

.r'

From nathan at atlasnetworks.us Fri Jan 20 11:48:44 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Fri, 20 Jan 2012 17:48:44 +0000
Subject: Polling Bandwidth as an Aggregate
In-Reply-To:
References:
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B67FB16@ex-mb-1.corp.atlasnetworks.us>

> RTG uses MySQL for its backend, so you can basically set up queries however you like and you can use RTGPOLL to graph multiple interfaces as well.
>
> It's a super good tool and I think there is a group working on RTG2 at googlecode (I think).

Another RTG user! I didn't know many of us existed!

RTG is a great tool. Its design (perl and PHP and MySQL) lends itself to being modified at will; integration with tools like PHP NetworkWeathermap is very straightforward (http://pastebin.com/9RiZx4A8), and the MySQL backend makes it super flexible. There's no aggregation of data, unless you hack it in yourself with some fancy queries. RTG's data is ideal for doing MySQL partitioning, and there are some indexes that need to be added.
But when you get those things in place, it becomes fast and powerful - and it's easy to drop out old data without a lengthy query (just drop the partition). The fact that each SNMP device gets its own table is also a big performance win over the more popular tools.

The web interface allows for interface aggregation, and the code for doing that could probably be reverse engineered easily enough for other reporting mechanisms as well.

Nathan Eisenberg

From bonomi at mail.r-bonomi.com Fri Jan 20 12:46:51 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Fri, 20 Jan 2012 12:46:51 -0600 (CST)
Subject: "Illegal content" (Re: Megaupload.com seized)
In-Reply-To: <9DDC84D5-D802-431A-8267-5E8557EE41D7@tzi.org>
Message-ID: <201201201846.q0KIkpR2044821@mail.r-bonomi.com>

Carsten Bormann wrote:
> On Jan 20, 2012, at 11:25, Robert Bonomi wrote:
>
> > Public distribution without the permission of the copyright owner is illegal.
>
> This is veering off the purpose of this list, but maybe it is operationally significant to be able to use the right terms when a law enforcement officer is standing in the door.
> The point is important because a lot of idiots are running around shouting "he had all this copyrighted material on his computer!". Of course he had! There are very few computers that don't carry copyrighted material, starting from the BIOS.

By law, _EVERYTHING_ stored on a computer is copyrighted. Whether it is 'in memory', or on some more 'durable' media (disk, tape, etc.) the material has been 'fixed in a tangible medium of expression', and is thus covered by copyright. Copyright is automatic, and occurs when anything is first 'fixed' as described.
> Without examining the legal context, such as purchasing histories, supreme court decisions etc., it is sometimes really hard to say whether all of it got there in a legal way, and its presence may be an indication of previous illegal activity. But (at least wrt copyright law) it is never illegal while sitting somewhere on a computer.

Sorry, but the last sentence is simply _not_ true. If the making of the copy was a violation of 17 USC 106 (1) or (2), its existence is proscribed by law. If it is, by virtue of 'sitting somewhere on a computer', being 'offered to the public' [without benefit of express permission for that activity from the copyright owner(s)], that is a violation of 17 USC 106 (3),

> So the next time somebody says "illegal content", think "hate speech" or "child pornography", "lese-majeste" or "blasphemy", not copyrighted content. Almost everything on a computer is copyrighted.

Repeating: not 'almost everything', but _absolutely_ everything.

Nitpicking again, but the original references were to computers with 'illegal content' on them, and _not_ "files containing illegal content". A file, or other document, can be 'illegal', by reason of a 'making' in violation of 17 USC 106, or because it is being 'offered to the public', in violation of the same law, without the content of the file being illegal. Thus, content on a computer can be legally proscribed -- for reasons not involving the 'content of the content' as it were. :)

Responsible (in _all_ meanings of that word :) parties are strongly advised _not_ to rely on any opinions expressed by any individual here, and to professionally consult competent legal counsel with expertise in this specific area for an authoritative opinion.
From bonomi at mail.r-bonomi.com Fri Jan 20 13:08:56 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Fri, 20 Jan 2012 13:08:56 -0600 (CST)
Subject: US DOJ victim letter
In-Reply-To: <4F19750E.5060200@gmail.com>
Message-ID: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com>

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Fri Jan 20 08:11:24 2012
> Date: Fri, 20 Jan 2012 08:07:10 -0600
> From: -Hammer-
> To: nanog at nanog.org
> Subject: Re: US DOJ victim letter
>
> On a less serious note, did anyone notice the numbers on the fbi.gov link? I'm pretty sure they are implying those are IP addresses. 123.456.789 and 987.654.321. Must be the same folks that do the Nexus documentation for Cisco.
>

For illustration purposes, for a non-technical audience, it seems (at least somewhat) reasonable to use 'nonets' instead of octets. After all, 'no nets' are clearly not what DNS -should- be returning. *GRIN*

And, of course, systems using the traditional unix dotted-quad to binary conversion logic _will_ happily convert those strings to a 32-bit int.

From Valdis.Kletnieks at vt.edu Fri Jan 20 13:07:29 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 20 Jan 2012 14:07:29 -0500
Subject: "Illegal content" (Re: Megaupload.com seized)
In-Reply-To: Your message of "Fri, 20 Jan 2012 12:46:51 CST." <201201201846.q0KIkpR2044821@mail.r-bonomi.com>
References: <201201201846.q0KIkpR2044821@mail.r-bonomi.com>
Message-ID: <36716.1327086449@turing-police.cc.vt.edu>

On Fri, 20 Jan 2012 12:46:51 CST, Robert Bonomi said:
> Sorry, but the last sentence is simply _not_ true. If the making of the copy was a violation of 17 USC 106 (1) or (2), its existence is proscribed by law.
Nice try, but reading 17 USC 503 (b) we see:

"As part of a final judgment or decree, the court may order the destruction or other reasonable disposition of all copies or phonorecords found to have been made or used in violation of the copyright owner's exclusive rights, and of all plates, molds, matrices, masters, tapes, film negatives, or other articles by means of which such copies or phonorecords may be reproduced."

Note - the court *may* order the destruction. It's not mandatory. And there's no implied mandatory destruction elsewhere - if there was, 503(b) wouldn't need to exist because the destruction would already be required, so a court couldn't order additional destruction.

From jfbeam at gmail.com Fri Jan 20 13:11:04 2012
From: jfbeam at gmail.com (Ricky Beam)
Date: Fri, 20 Jan 2012 14:11:04 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu>
Message-ID:

On Thu, 19 Jan 2012 22:34:33 -0500, Michael Painter wrote:
> I quickly read through the indictment, but the gov't claims that when given a takedown notice, MU would only remove the *link* and not the file itself.

That's actually a standard practice. It allows the uploader to file a counterclaim and have the content restored. One cannot "restore" what has already been deleted.

However, never going back and cleaning up the undisputed content is a whole other mess of dead monkeys.

From cscora at apnic.net Fri Jan 20 13:29:44 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 21 Jan 2012 05:29:44 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201201201929.q0KJTik4001381@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 21 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 393115
Prefixes after maximum aggregation: 169030
Deaggregation factor: 2.33
Unique aggregates announced to Internet: 191068
Total ASes present in the Internet Routing Table: 39874
Prefixes per ASN: 9.86
Origin-only ASes present in the Internet Routing Table: 32616
Origin ASes announcing only one prefix: 15498
Transit ASes present in the Internet Routing Table: 5384
Transit-only ASes present in the Internet Routing Table: 140
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 33
Max AS path prepend of ASN (48687): 24
Prefixes from unregistered ASNs in the Routing Table: 2141
Unregistered ASNs in the Routing Table: 1089
Number of 32-bit ASNs allocated by the RIRs: 2200
Number of 32-bit ASNs visible in the Routing Table: 1874
Prefixes from 32-bit ASNs in the Routing Table: 4540
Special use prefixes present in the Routing Table: 2
Prefixes being announced from unallocated address space: 118
Number of addresses announced to Internet: 2511238896
    Equivalent to 149 /8s, 174 /16s and 118 /24s
Percentage of available address space announced: 67.8
Percentage of allocated address space announced: 67.8
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 91.9
Total number of prefixes smaller than registry allocations: 166200

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 97520
Total APNIC prefixes after maximum
aggregation: 31610
APNIC Deaggregation factor: 3.09
Prefixes being announced from the APNIC address blocks: 93822
Unique aggregates announced from the APNIC address blocks: 38983
APNIC Region origin ASes present in the Internet Routing Table: 4637
APNIC Prefixes per ASN: 20.23
APNIC Region origin ASes announcing only one prefix: 1240
APNIC Region transit ASes present in the Internet Routing Table: 726
Average APNIC Region AS path length visible: 4.3
Max APNIC Region AS path length visible: 19
Number of APNIC region 32-bit ASNs visible in the Routing Table: 134
Number of APNIC addresses announced to Internet: 635145824
    Equivalent to 37 /8s, 219 /16s and 142 /24s
Percentage of available APNIC address space announced: 80.5

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 147631
Total ARIN prefixes after maximum aggregation: 75140
ARIN Deaggregation factor: 1.96
Prefixes being announced from the ARIN address blocks: 119589
Unique aggregates announced from the ARIN address blocks: 49078
ARIN Region origin ASes present in the Internet Routing Table: 14859
ARIN Prefixes per ASN: 8.05
ARIN Region origin ASes announcing only one prefix: 5677
ARIN Region transit ASes present in the Internet Routing Table: 1587
Average ARIN Region AS path length visible: 4.0
Max ARIN Region AS path length visible: 25
Number of ARIN region 32-bit ASNs visible in the Routing Table: 14
Number of ARIN addresses announced to Internet:
805016256
    Equivalent to 47 /8s, 251 /16s and 146 /24s
Percentage of available ARIN address space announced: 64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959, 46080-47103 53248-55295, 393216-394239
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 173/8, 174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 97168
Total RIPE prefixes after maximum aggregation: 52047
RIPE Deaggregation factor: 1.87
Prefixes being announced from the RIPE address blocks: 89044
Unique aggregates announced from the RIPE address blocks: 55638
RIPE Region origin ASes present in the Internet Routing Table: 16253
RIPE Prefixes per ASN: 5.48
RIPE Region origin ASes announcing only one prefix: 7981
RIPE Region transit ASes present in the Internet Routing Table: 2588
Average RIPE Region AS path length visible: 4.7
Max RIPE Region AS path length visible: 33
Number of RIPE region 32-bit ASNs visible in the Routing Table: 1301
Number of RIPE addresses announced to Internet: 497788360
    Equivalent to 29 /8s, 171 /16s and 165 /24s
Percentage of available RIPE address space announced: 80.2

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503,
24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-45055, 47104-52223, 56320-58367 196608-198655
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 176/8, 178/8, 185/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 37373
Total LACNIC prefixes after maximum aggregation: 8078
LACNIC Deaggregation factor: 4.63
Prefixes being announced from the LACNIC address blocks: 36993
Unique aggregates announced from the LACNIC address blocks: 19328
LACNIC Region origin ASes present in the Internet Routing Table: 1563
LACNIC Prefixes per ASN: 23.67
LACNIC Region origin ASes announcing only one prefix: 440
LACNIC Region transit ASes present in the Internet Routing Table: 283
Average LACNIC Region AS path length visible: 4.5
Max LACNIC Region AS path length visible: 24
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 421
Number of LACNIC addresses announced to Internet: 95480968
    Equivalent to 5 /8s, 176 /16s and 236 /24s
Percentage of available LACNIC address space announced: 63.2

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes: 8721
Total AfriNIC prefixes after maximum aggregation: 2083
AfriNIC Deaggregation factor: 4.19
Prefixes being announced from the AfriNIC address blocks: 6744
Unique aggregates announced from the AfriNIC address blocks: 2086
AfriNIC Region origin ASes present in the Internet Routing Table: 506
AfriNIC Prefixes per ASN: 13.33
AfriNIC Region origin ASes announcing only one prefix: 160
AfriNIC Region transit ASes present in the Internet Routing Table: 118
Average AfriNIC Region AS path length visible: 4.6
Max AfriNIC Region AS path length visible: 25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 4
Number of AfriNIC addresses announced to Internet: 30813184
    Equivalent to 1 /8s, 214 /16s and 44 /24s
Percentage of available AfriNIC address space announced: 45.9

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766   2473        11101      975     Korea Telecom (KIX)
17974  1715        503        36      PT TELEKOMUNIKASI INDONESIA
7545   1638        303        86      TPG Internet Pty Ltd
4755   1524        385        154     TATA Communications formerly
7552   1424        1064       7       Vietel Corporation
9829   1163        989        28      BSNL National Internet Backbo
9583   1119        81         490     Sify Limited
4808   1100        2050       311     CNCGROUP IP network: China169
24560  1007        383        166     Bharti Airtel Ltd., Telemedia
18101  946         130        155     Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3449        3807       202     bellsouth.net, inc.
7029   3223        1016       199     Windstream Communications Inc
18566  2093        382        177     Covad Communications
1785   1865        679        122     PaeTec Communications, Inc.
20115  1620        1553       615     Charter Communications
4323   1607        1062       382     Time Warner Telecom
30036  1487        266        707     Mediacom Communications Corp
22773  1486        2909       108     Cox Communications, Inc.
19262  1386        4683       400     Verizon Global Networks
7018   1298        7008       849     AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402   1714        480        15      Corbina telecom
2118   1241        99         14      EUnet/RELCOM Autonomous Syste
15557  1095        2161       64      LDCOM NETWORKS
6830   644         1928       413     UPC Distribution Services
34984  638         188        172     BILISIM TELEKOM
31148  613         35         9       FreeNet ISP
20940  571         185        453     Akamai Technologies European
12479  557         639        55      Uni2 Autonomous System
8551   528         360        81      Bezeq International
3320   517         8157       393     Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
10620  1723        321        167     TVCABLE BOGOTA
28573  1616        1068       77      NET Servicos de Comunicao S.A
8151   1460        2999       342     UniNet S.A. de C.V.
7303   1256        756        179     Telecom Argentina Stet-France
27947  642         73         96      Telconet S.A
22047  581         322        17      VTR PUNTO NET S.A.
7738   551         1050       31      Telecomunicacoes da Bahia S.A
3816   550         238        92      Empresa Nacional de Telecomun
6503   539         434        68      AVANTEL, S.A.
11172  532         85         106     Servicios Alestra S.A de C.V

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452   1031        958        13      TEDATA
24863  797         146        36      LINKdotNET AS number
6713   485         649        18      Itissalat Al-MAGHRIB
3741   280         939        229     The Internet Solution
15706  239         32         6       Sudatel Internet Exchange Aut
33776  234         13         14      Starcomms Nigeria Limited
29571  214         17         12      Ci Telecom Autonomous system
12258  196         28         61      Vodacom Internet Company
24835  189         80         8       RAYA Telecom - Egypt
16637  160         664        82      MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3449        3807       202     bellsouth.net, inc.
7029   3223        1016       199     Windstream Communications Inc
4766   2473        11101      975     Korea Telecom (KIX)
18566  2093        382        177     Covad Communications
1785   1865        679        122     PaeTec Communications, Inc.
10620  1723        321        167     TVCABLE BOGOTA
17974  1715        503        36      PT TELEKOMUNIKASI INDONESIA
8402   1714        480        15      Corbina telecom
7545   1638        303        86      TPG Internet Pty Ltd
20115  1620        1553       615     Charter Communications

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029   3223        3024         Windstream Communications Inc
18566  2093        1916         Covad Communications
1785   1865        1743         PaeTec Communications, Inc.
8402   1714        1699         Corbina telecom
17974  1715        1679         PT TELEKOMUNIKASI INDONESIA
10620  1723        1556         TVCABLE BOGOTA
7545   1638        1552         TPG Internet Pty Ltd
28573  1616        1539         NET Servicos de Comunicao S.A
4766   2473        1498         Korea Telecom (KIX)
7552   1424        1417         Vietel Corporation

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network         Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24   7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24  4323        Time Warner Telecom
32567   UNALLOCATED  12.25.107.0/24  4323        Time Warner Telecom
25639   UNALLOCATED  12.41.169.0/24  7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24   7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24   7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24  7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24  701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24   7018        AT&T WorldNet Servic
32873   UNALLOCATED  12.46.100.0/23  10912       InterNAP Network Ser

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix         Origin AS  Description
128.0.0.0/21   12654      RIPE NCC RIS Project
128.0.24.0/24  12654      RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network         Origin AS  Description
14.192.0.0/22   45464      Room 201, TGU Bldg
14.192.4.0/22   45464      Room 201, TGU Bldg
14.192.8.0/22   45464      Room 201, TGU Bldg
14.192.12.0/22  45464      Room 201, TGU Bldg
14.192.16.0/22  45464      Room 201, TGU Bldg
14.192.20.0/22  45464      Room 201, TGU Bldg
14.192.24.0/22  45464      Room 201, TGU Bldg
14.192.28.0/22  45464      Room 201, TGU Bldg
37.60.208.0/20  31214      TIS-DIALOG Autonomous system
37.61.144.0/20  34977      PROCONO S.A.
Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0      /8:19
/9:12     /10:27    /11:80    /12:232   /13:458   /14:817   /15:1462  /16:12139
/17:6159  /18:10248 /19:20303 /20:28150 /21:29098 /22:39196 /23:36683 /24:204402
/25:1171  /26:1422  /27:782   /28:168   /29:55    /30:14    /31:0     /32:18

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029   2843        3223        Windstream Communications Inc
6389   2120        3449        bellsouth.net, inc.
18566  2042        2093        Covad Communications
8402   1693        1714        Corbina telecom
10620  1618        1723        TVCABLE BOGOTA
30036  1444        1487        Mediacom Communications Corp
11492  1116        1153        Cable One
1785   1067        1865        PaeTec Communications, Inc.
15557  1046        1095        LDCOM NETWORKS
7011   1031        1148        Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------
End of report

From paul at paulgraydon.co.uk Fri Jan 20 13:37:16 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Fri, 20 Jan 2012 09:37:16 -1000
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu>
Message-ID: <4F19C26C.4010909@paulgraydon.co.uk>

On 01/20/2012 09:11 AM, Ricky Beam wrote:
> On Thu, 19 Jan 2012 22:34:33 -0500, Michael Painter wrote:
>> I quickly read through the indictment, but the gov't claims that when
>> given a takedown notice, MU would only remove the *link* and not the
>> file itself.
>
> That's actually a standard practice. It allows the uploader to file a
> counterclaim and have the content restored. One cannot "restore" what
> has already been deleted.
>
> However, never going back and cleaning up the undisputed content is a
> whole other mess of dead monkeys.
>

From what I understand about MegaUpload's approach, they created a hash of every file that they stored. If they'd already got a copy of the file that was to be uploaded they'd just put an appropriate link in a user's space, saving them storage space, and bandwidth for both parties. Fairly straightforward. Whenever they received a DMCA take-down they would remove the link, not the underlying file, so even though they knew that a file was illegally hosted, they never actually removed it.
That comes up for some argument about the ways the company should be practically enforcing a DMCA take-down notice, whether each take-down should apply to just an individual user's link to a file or whether the file itself should be removed. That could be different from circumstance to circumstance.

Paul

From tony.mccrory at gmail.com Fri Jan 20 14:01:15 2012
From: tony.mccrory at gmail.com (Tony McCrory)
Date: Fri, 20 Jan 2012 20:01:15 +0000
Subject: Megaupload.com seized
In-Reply-To: <4F19C26C.4010909@paulgraydon.co.uk>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID:

On 20 January 2012 19:37, Paul Graydon wrote:
> From what I understand about MegaUpload's approach, they created a hash of
> every file that they stored. If they'd already got a copy of the file that
> was to be uploaded they'd just put an appropriate link in a user's space,
> saving them storage space, and bandwidth for both parties.
>

This sounds very similar to data deduplication, e.g. http://www.netapp.com/uk/products/platform-os/dedupe.html

From bicknell at ufp.org Fri Jan 20 14:02:16 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 20 Jan 2012 12:02:16 -0800
Subject: Megaupload.com seized
In-Reply-To: <4F19C26C.4010909@paulgraydon.co.uk>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID: <20120120200216.GA62670@ussenterprise.ufp.org>

In a message written on Fri, Jan 20, 2012 at 09:37:16AM -1000, Paul Graydon wrote:
> From what I understand about MegaUpload's approach, they created a hash
> of every file that they stored. If they'd already got a copy of the
> file that was to be uploaded they'd just put an appropriate link in a
> user's space, saving them storage space, and bandwidth for both parties.
> Fairly straightforward.
> Whenever they received a DMCA take-down they would remove the link, not
> the underlying file, so even though they knew that a file was illegally
> hosted, they never actually removed it. That comes up for some argument
> about the ways the company should be practically enforcing a DMCA
> take-down notice, whether each take-down should apply to just an
> individual user's link to a file or whether the file itself should be
> removed. That could be different from circumstance to circumstance.

Note that with a DMCA take down the original uploader can issue a counter-notice to get the content put back. Most sites don't immediately delete the content but rather disable it in some way so that should the file be counter-noticed it can be put back up.

Also, when using a hashed file store, it's possible that some uses are infringing and some are not. I might make a movie, put it on Megaupload, and then give the links only to the 5 people who bought it from them. One of them might turn around, upload it again to Megaupload, and share it with the world, infringing on my content. I would hope that when I issue a takedown notice they take down the infringer's copy (link), but leave mine in place.

None of this should be taken to mean I'm behind Megaupload. I have a greater concern here wondering if law enforcement, the courts, and most importantly the law makers understand the technology and can craft and apply laws in a reasonable way.

One major issue that already came up is that a whole lot of people used Megaupload for storing perfectly legal content. It's now offline, and there appears to be no way for them to retrieve that data. At what percentage is that reasonable? If 99% of your users are infringing? 50%? 1%? Could this be used to take down your competitors? Buy some Amazon instances and put a bunch of infringing content on them, and then watch the feds seize all of Amazon's servers?

Lots of troubling questions, no good answers.
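The hash-plus-link design Paul describes, and the per-link versus per-file takedown question Leo raises above, as an added example that is not part of the original thread and not Megaupload's code: a toy content-addressed store in which a takedown disables links rather than deleting the blob, so a counter-notice can restore it, and the blob goes away only once no link refers to it. The class, the `scope` parameter and the sample uploads are all assumptions of this example.

```python
"""Toy deduplicated store with per-user links (added example, not Megaupload's code).

Every upload is stored once, keyed by its SHA-256 digest; each uploader gets
a link to it. A takedown can be scoped to the one reported link or to every
link to the same file. Either way the content is only disabled, never
deleted, so a counter-notice can put it back; a blob is deleted only when
no link to it, active or disabled, remains.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class LinkState(Enum):
    ACTIVE = "active"
    DISABLED = "disabled"   # takedown received; kept pending a counter-notice


@dataclass
class Link:
    owner: str
    digest: str
    state: LinkState = LinkState.ACTIVE


class DedupStore:
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}   # digest -> content, stored once
        self.links: Dict[str, Link] = {}    # link id -> Link
        self._seq = 0

    def upload(self, owner: str, data: bytes) -> str:
        """Store data once (by digest) and hand the uploader a link to it."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)      # dedup: second copy is free
        self._seq += 1
        link_id = f"{owner}-{self._seq}"
        self.links[link_id] = Link(owner, digest)
        return link_id

    def fetch(self, link_id: str) -> Optional[bytes]:
        """Serve content only through an active link."""
        link = self.links.get(link_id)
        if link is None or link.state is not LinkState.ACTIVE:
            return None
        return self.blobs[link.digest]

    def takedown(self, link_id: str, scope: str = "link") -> int:
        """Disable the reported link ("link") or every link to its file ("file").

        Returns how many links were newly disabled. Nothing is deleted here,
        because a disabled link may still be counter-noticed.
        """
        target = self.links[link_id]
        if scope == "link":
            victims: List[Link] = [target]
        elif scope == "file":
            victims = [l for l in self.links.values() if l.digest == target.digest]
        else:
            raise ValueError(f"unknown scope {scope!r}")
        count = 0
        for link in victims:
            if link.state is LinkState.ACTIVE:
                link.state = LinkState.DISABLED
                count += 1
        return count

    def counter_notice(self, link_id: str) -> bool:
        """Restore a disabled link; possible only because the blob was kept."""
        link = self.links[link_id]
        if link.state is not LinkState.DISABLED:
            return False
        link.state = LinkState.ACTIVE
        return True

    def purge(self, link_id: str) -> bool:
        """Drop a link for good (e.g. the counter-notice window has expired).

        The blob itself is deleted only when no other link, active or
        disabled, still refers to it. Returns True if the blob was deleted.
        """
        link = self.links.pop(link_id)
        if any(l.digest == link.digest for l in self.links.values()):
            return False
        del self.blobs[link.digest]
        return True
```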
-- 
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From scott at virtuaprise.com Fri Jan 20 14:02:25 2012
From: scott at virtuaprise.com (Administrator)
Date: Fri, 20 Jan 2012 20:02:25 -0000 (UTC)
Subject: Megaupload.com seized
In-Reply-To: <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID: <786577f5-580c-4d84-85f3-956fe6a9f1a1@DESKTOP002>

----- Original Message -----
> From: "Paul Graydon"
> To: nanog at nanog.org
> Sent: Friday, January 20, 2012 2:37:16 PM
> Subject: Re: Megaupload.com seized

> From what I understand about MegaUpload's approach, they created a
> hash of every file that they stored.
>

So Megaupload did de-dupe.. Compare that to selecting the "de-dupe" option in your NetApp (or having someone else do it for you), and in that case other instances can exist on your site and you really don't know because, well, de-dupe is magic, right?

Are you doing the wrong thing by only removing the instance of that file that was complained about? Or are you required to dig further? I would think not.

Is it possible that a file could be legal and illegal at the same time based on context of use? Like some guy is backing up his legitimate copy in his "locker" and some other guy is putting it out there for all his buddies.. It's the same file, de-dupe does its thing, and now we need to re-think what to do when we get a complaint.

-Scott

From jfbeam at gmail.com Fri Jan 20 14:06:04 2012
From: jfbeam at gmail.com (Ricky Beam)
Date: Fri, 20 Jan 2012 15:06:04 -0500
Subject: Megaupload.com seized
In-Reply-To: <4F19C26C.4010909@paulgraydon.co.uk>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID:

On Fri, 20 Jan 2012 14:37:16 -0500, Paul Graydon wrote:
> ...
> Whenever they received a DMCA take-down they would remove the link,
> not the underlying file, so even though they knew that a file was
> illegally hosted, they never actually removed it.

And that's where their safe harbour evaporated. Upon receiving notice a file is infringing, they know that *file* is illegal, and must now remove all the links to it, not just the one that was reported. Mega is in a position to know all the links, whereas the copyright holder is not.

They thought they had a gaping loophole. Well, the DOJ is about to teach them how wrong they are.

From skeeve at eintellego.net Fri Jan 20 14:06:56 2012
From: skeeve at eintellego.net (Skeeve Stevens)
Date: Sat, 21 Jan 2012 07:06:56 +1100
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi>
Message-ID:

The MX80 license locked is not 5Gb

The MX5 is 20Gb TP - 20 SFP ports card, only one MIC slot active
The MX10 is 40Gb TP - 20 SFP ports card, both MIC slots active
The MX40 is 60Gb TP - 20 SFP ports card, both MIC slots + 2 of the onboard 10GbE ports
The MX80 is 80Gb TP - 20 SFP ports card, both MIC slots + all 4 of the onboard 10GbE ports
The MX80-48T is 80Gb TP - 48 Copper ports, both MIC slots + all 4 of the onboard 10GbE ports

Last year the licensed versions were called MX80-5G, MX8-10G and so on, but as of this month they've renamed them to MX5, MX10, MX40 - note that the old MX80 could come with or without -T timing support, the new ones ONLY have timing.

Skeeve

On Sat, Jan 21, 2012 at 3:50 AM, PC wrote:
> While the ASR1002 does offer more services, I generally disagree with some
> parts of this comparison.
>
> Juniper has some very aggressive pricing on mx80 bundles license-locked to
> 5gb, which are cheaper and blow the performance specifications of the
> equivalent low end ASR1002 out of the water for internet edge BGP
> applications.
> Unlike the ASR, a simple upgrade license can unlock the
> box's full potential.
>
> Just my opinion as a customer of both vendors...
>
> On Fri, Jan 20, 2012 at 1:14 AM, Saku Ytti wrote:
>
> > On (2012-01-19 12:10 -0800), jon Heise wrote:
> >
> > > Does anyone have any experience with these two routers, we're looking to
> > > buy one of them but i have little experience dealing with cisco routers
> > > and zero experience with juniper.
> >
> > It might be because of your schedule/timetable, but you are comparing
> > apples to oranges.
> >
> > MX80 is not competing against ASR1k, and JNPR has no product to compete
> > with ASR1k.
> > MX80 competes directly with ASR9001. Notable differences include:
> >
> > ASR9001 has lot more memory (2GB/8GB) and lot faster control-plane
> > ASR9001 has 120G of capacity, MX80 80G
> > ASR9001 BOM is higher, as it is not fabricless design like MX80 (this
> > shouldn't affect sale price in relevant way)
> > ASR9001 does not ship just now
> >
> > As others have pointed out ASR1k is 'high touch' router, it does NAPT,
> > IPSEC, pretty much anything and everything, it is the next-gen VXR really.
> >
> > ASR9001 and MX80 both do relatively few things, but at high capacity.
> >
> > --
> > ++ytti
> >
>

-- 
*Skeeve Stevens, CEO*
eintellego Pty Ltd
skeeve at eintellego.net.au ; www.eintellego.net
Phone: 1300 753 383 ; Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellego
twitter.com/networkceoau ; www.linkedin.com/in/skeeve
PO Box 7726, Baulkham Hills, NSW 1755 Australia
The Experts Who The Experts Call
Juniper - Cisco - Brocade - IBM

From joly at punkcast.com Fri Jan 20 14:06:35 2012
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 20 Jan 2012 15:06:35 -0500
Subject: Megaupload.com seized
In-Reply-To: <4F19C26C.4010909@paulgraydon.co.uk>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID:

aka "deduplication". In Viacom vs.
YouTube it was pretty successfully argued that there was no way for YT to know that *every* instance of a work was illegally uploaded. However, they *were* able to produce 'smoking gun' evidence of Viacom agents uploading material.

j

On Fri, Jan 20, 2012 at 2:37 PM, Paul Graydon wrote:
>
> From what I understand about MegaUpload's approach, they created a hash
> of every file that they stored. If they'd already got a copy of the file
> that was to be uploaded they'd just put an appropriate link in a user's
> space, saving them storage space, and bandwidth for both parties. Fairly
> straightforward. Whenever they received a DMCA take-down they would
> remove the link, not the underlying file, so even though they knew that a
> file was illegally hosted, they never actually removed it. That comes up
> for some argument about the ways the company should be practically
> enforcing a DMCA take-down notice, whether each take-down should apply to
> just an individual user's link to a file or whether the file itself should
> be removed. That could be different from circumstance to circumstance.
>
> Paul
>

-- 
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From paul4004 at gmail.com Fri Jan 20 14:17:53 2012
From: paul4004 at gmail.com (PC)
Date: Fri, 20 Jan 2012 13:17:53 -0700
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi>
Message-ID:

Thank you, that is great to know and have for reference.

Yeah, looking at this invoice from a few months back, I have a "MX80 Promotional 5G Bundle for channels"... So I'm guessing that's now the MX5. (I had assumed it was an MX80 in my response.) My first Juniper box ever, so forgive my confusion.
As you might guess, I'm only pushing ~3 gig through it... but am very happy with it so far.

On Fri, Jan 20, 2012 at 1:06 PM, Skeeve Stevens wrote:
> The MX80 license locked is not 5Gb
>
> The MX5 is 20Gb TP - 20 SFP ports card, only one MIC slot active
> The MX10 is 40Gb TP - 20 SFP ports card, both MIC slots active
> The MX40 is 60Gb TP - 20 SFP ports card, both MIC slots + 2 of the onboard
> 10GbE ports
> The MX80 is 80Gb TP - 20 SFP ports card, both MIC slots + all 4 of the
> onboard 10GbE ports
> The MX80-48T is 80Gb TP - 48 Copper ports, both MIC slots + all 4 of the
> onboard 10GbE ports
>
> Last year the licensed versions were called MX80-5G, MX8-10G and so on,
> but as of this month they've renamed them to MX5, MX10, MX40 - note that
> the old MX80 could come with or without -T timing support, the new ones
> ONLY have timing.
>
> Skeeve
>
>
> On Sat, Jan 21, 2012 at 3:50 AM, PC wrote:
>
>> While the ASR1002 does offer more services, I generally disagree with some
>> parts of this comparison.
>>
>> Juniper has some very aggressive pricing on mx80 bundles license-locked to
>> 5gb, which are cheaper and blow the performance specifications of the
>> equivalent low end ASR1002 out of the water for internet edge BGP
>> applications. Unlike the ASR, a simple upgrade license can unlock the
>> box's full potential.
>>
>> Just my opinion as a customer of both vendors...
>>
>> On Fri, Jan 20, 2012 at 1:14 AM, Saku Ytti wrote:
>>
>> > On (2012-01-19 12:10 -0800), jon Heise wrote:
>> >
>> > > Does anyone have any experience with these two routers, we're looking to
>> > > buy one of them but i have little experience dealing with cisco routers
>> > > and zero experience with juniper.
>> >
>> > It might be because of your schedule/timetable, but you are comparing
>> > apples to oranges.
>> >
>> > MX80 is not competing against ASR1k, and JNPR has no product to compete
>> > with ASR1k.
>> > MX80 competes directly with ASR9001.
>> > Notable differences include:
>> >
>> > ASR9001 has lot more memory (2GB/8GB) and lot faster control-plane
>> > ASR9001 has 120G of capacity, MX80 80G
>> > ASR9001 BOM is higher, as it is not fabricless design like MX80 (this
>> > shouldn't affect sale price in relevant way)
>> > ASR9001 does not ship just now
>> >
>> > As others have pointed out ASR1k is 'high touch' router, it does NAPT,
>> > IPSEC, pretty much anything and everything, it is the next-gen VXR really.
>> >
>> > ASR9001 and MX80 both do relatively few things, but at high capacity.
>> >
>> > --
>> > ++ytti
>> >
>>
>
> --
> *Skeeve Stevens, CEO*
> eintellego Pty Ltd
> skeeve at eintellego.net.au ; www.eintellego.net
> Phone: 1300 753 383 ; Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 ; skype://skeeve
> facebook.com/eintellego
> twitter.com/networkceoau ; www.linkedin.com/in/skeeve
> PO Box 7726, Baulkham Hills, NSW 1755 Australia
> The Experts Who The Experts Call
> Juniper - Cisco - Brocade - IBM
>

From rj.bacon at verizon.com Fri Jan 20 14:50:13 2012
From: rj.bacon at verizon.com (Bacon, Ricky)
Date: Fri, 20 Jan 2012 15:50:13 -0500
Subject: accessing multiple devices via a script (Abdullah Al-Malki)
In-Reply-To:
References:
Message-ID: <2B7669201D58CD4C8A2150DB12B129CF14FC6B5FB0@FHDP1LUMXC7V43.us.one.verizon.com>

This is Expect's creator Don Libes' tool. I have been using it for years.

http://expect.sourceforge.net/example/multixterm.man.html

--RJ

From joly at punkcast.com Fri Jan 20 14:52:45 2012
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 20 Jan 2012 15:52:45 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID:

Incidentally, some traffic stats on http://gigaom.com/2012/01/20/follow-the-traffic-what-megauploads-downfall-did-to-the-web/

> MegaUpload was indeed one of the more popular sites on the web for storing
> and sharing content.
> It ranked as .98 percent of the total web traffic in
> the U.S. and 11.39 of the total web traffic in Brazil. It garnered 1.95
> percent of the traffic in Asia-Pac and a less substantial .86 percent in
> Europe.

-- 
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From avg at kotovnik.com Fri Jan 20 15:19:57 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Fri, 20 Jan 2012 13:19:57 -0800
Subject: Megaupload.com seized
In-Reply-To: <20120120111750.GA8326@vacation.karoshi.com.>
References: <201201201025.q0KAPdM5040190@mail.r-bonomi.com> <20120120111750.GA8326@vacation.karoshi.com.>
Message-ID: <4F19DA7D.3060709@kotovnik.com>

>>> "Without the permission of the copyright holder" _is_ contrary to
>>> statute, and thus 'against the law'. As such 'illegal' is _not_
>>> an incorrect term to apply to the situation.
>>>
>>> It may not be a _criminal_ violation, but it is still proscribed by law.
>>>
>>> "Illegal" and "criminal" -- _these_ are different things.
>>>

Storing copyrighted material in *any* place, file-sharing server or not, is _not_ illegal under the current law as it stands. There is no law which dictates the location of a file with legally obtained content that I keep for my personal use. I have no obligation to prevent unauthorized access to copyrighted material by any third parties. I don't need permission of the copyright owner to make copies for my own personal use, and I don't need permission to entrust keeping of these copies in any place by any agent - as long as that agent does not *use* these copies.

What is illegal is the act of publishing this material (making a public performance) and making copies for use by other people without permission from the copyright holder.
In the digital world it is, basically, publishing a reference (and a decryption password) in a public forum or otherwise sharing it with others.

That's the dirty secret behind all that PIPA/SOPA lawmaking - as it stands now, as long as file sharing services refrain from *publishing* the material (as opposed to merely storing it and allowing the rightful owner(s) to download it - but without any obligation to actually verify the possession of ownership rights) and have a procedure for dealing with takedowns, they are in the clear, legally. This places the burden of finding infringing content and proving infringement on the copyright holders. They cannot efficiently do that, and so they want to off-load that burden to the user content hosters.

The less charitable interpretation is that PIPA/SOPA is a massive shakedown attempt by Hollywood; by basically threatening to shut down social networks and user-generated content hosters they'll be able to hold hostage the business of some very wealthy companies. If the law passes, these large companies will have to come to terms with Hollywood and the music industry by means of purchasing blanket licenses (it is impossible to monitor all user content for copyright violations), resulting in a transfer of billions of dollars from high-tech to Hollywood.

The worst part is that companies like Google and Facebook may end up seeing PIPA/SOPA or future bills of the same nature as beneficial to them - after all, they already have enough money to pay copyright extortionists off, but their upstart competitors won't be able to get into the field at all. Paying a portion of their income in exchange for exclusion of future competition may be looked at as a good bargain, without the negative P.R. normally associated with explicit attempts to cartelize.
--vadim

From lists at internetpolicyagency.com Fri Jan 20 15:26:11 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 20 Jan 2012 21:26:11 +0000
Subject: Megaupload.com seized
In-Reply-To: <20120120200216.GA62670@ussenterprise.ufp.org>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120120200216.GA62670@ussenterprise.ufp.org>
Message-ID:

In article <20120120200216.GA62670 at ussenterprise.ufp.org>, Leo Bicknell writes
>Also, when using a hashed file store, it's possible that some uses
>are infringing and some are not. I might make a movie, put it on
>Megaupload, and then give the links only to the 5 people who bought
>it from them. One of them might turn around, upload it again to
>Megaupload, and share it with the world, infringing on my content.
>I would hope that when I issue a takedown notice they take down the
>infringer's copy (link), but leave mine in place.

It's been suggested that many movies which have been made widely available without the film company's permission were derived from legitimate copies supplied to reviewers.

This is a similar issue to the unfortunate AUP of some access providers that say users are prohibited from downloading any copyrighted material, when the majority of websites are exactly that.

In Europe we have a Copyright Directive which seeks to legitimise what could be termed "incidental copying" involved in using a browser, and I'm happy to say I was one of the industry people who persuaded a sceptical previous generation of media lawyers that this was OK.
-- 
Roland Perry

From marshall.eubanks at gmail.com Fri Jan 20 15:41:40 2012
From: marshall.eubanks at gmail.com (Marshall Eubanks)
Date: Fri, 20 Jan 2012 16:41:40 -0500
Subject: Megaupload.com seized
In-Reply-To: <20120120200216.GA62670@ussenterprise.ufp.org>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120120200216.GA62670@ussenterprise.ufp.org>
Message-ID:

On Fri, Jan 20, 2012 at 3:02 PM, Leo Bicknell wrote:
> In a message written on Fri, Jan 20, 2012 at 09:37:16AM -1000, Paul Graydon wrote:
>> From what I understand about MegaUpload's approach, they created a hash
>> of every file that they stored. If they'd already got a copy of the
>> file that was to be uploaded they'd just put an appropriate link in a
>> user's space, saving them storage space, and bandwidth for both parties.
>> Fairly straightforward. Whenever they received a DMCA take-down they
>> would remove the link, not the underlying file, so even though they knew
>> that a file was illegally hosted, they never actually removed it. That
>> comes up for some argument about the ways the company should be
>> practically enforcing a DMCA take-down notice, whether each take-down
>> should apply to just an individual user's link to a file or whether the
>> file itself should be removed. That could be different from
>> circumstance to circumstance.
>
> Note that with a DMCA take down the original uploader can issue a
> counter-notice to get the content put back. Most sites don't
> immediately delete the content but rather disable it in some way
> so that should the file be counter-noticed it can be put back up.
>
> Also, when using a hashed file store, it's possible that some uses
> are infringing and some are not. I might make a movie, put it on
> Megaupload, and then give the links only to the 5 people who bought
> it from them.
> One of them might turn around, upload it again to
> Megaupload, and share it with the world, infringing on my content.
> I would hope that when I issue a takedown notice they take down the
> infringer's copy (link), but leave mine in place.
>
> None of this should be taken to mean I'm behind Megaupload. I have

My take only, of course

> a greater concern here wondering if law enforcement,

maybe

> the courts,

probably not

> and most importantly the law makers

You've got to be kidding.

> understand the technology and
> can craft and apply laws in a reasonable way.

"A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it." -- Max Planck

We're in for an interesting few years.

> One major issue that
> already came up is that a whole lot of people used Megaupload for
> storing perfectly legal content. It's now offline, and there appears to
> be no way for them to retrieve that data. At what percentage is that
> reasonable? If 99% of your users are infringing? 50%? 1%? Could this
> be used to take down your competitors? Buy some Amazon instances and
> put a bunch of infringing content on them, and then watch the feds seize
> all of Amazon's servers?
>

Maybe. It would help if you had a budget to lobby Congress sufficiently.

Regards
Marshall

> Lots of troubling questions, no good answers.
>
> --
> Leo Bicknell - bicknell at ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/

From saku at ytti.fi Fri Jan 20 15:54:45 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 20 Jan 2012 23:54:45 +0200
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi>
Message-ID: <20120120215445.GA17687@pob.ytti.fi>

On (2012-01-20 09:50 -0700), PC wrote:
> Juniper has some very aggressive pricing on mx80 bundles license-locked to
> 5gb, which are cheaper and blow the performance specifications of the
> equivalent low end ASR1002 out of the water for internet edge BGP
> applications. Unlike the ASR, a simple upgrade license can unlock the
> box's full potential.

ASR1002 list price is 18kUSD, MX5 list price is 29.5kUSD. Upgrade license for MX5 -> MX80 literally costs more than a new MX80 (with all but jflow license, two PSUs and 20SFP MIC).

Sure MX5 will do line rate on 20 SFP ports, vastly more than ASR1002, but this is little consolation if you need high touch services such as NAPT, IPSEC etc. So applications for these boxes are quite different.
-- 
++ytti

From cidr-report at potaroo.net Fri Jan 20 16:00:01 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 20 Jan 2012 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201201202200.q0KM01A8010888@wattle.apnic.net>

BGP Update Report
Interval: 12-Jan-12 -to- 19-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072
Details at http://bgpupdates.potaroo.net

------------------------------------
Copies of this report are mailed to:
nanog at nanog.org
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From cidr-report at potaroo.net Fri Jan 20 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 20 Jan 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201201202200.q0KM006S010880@wattle.apnic.net>

This report has been generated at Fri Jan 20 21:12:30 2012 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date      Prefixes  CIDR Agg
13-01-12    392583    228838
14-01-12    392821    228780
15-01-12    392844    229047
16-01-12    393080    229050
17-01-12    393027    229536
18-01-12    393112    229862
19-01-12    393937    229748
20-01-12    394336    229909

AS Summary
    39989  Number of ASes in routing system
    16755  Number of ASes announcing only one prefix
     3448  Largest number of prefixes announced by an AS
           AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
109817344  Largest address span announced by an AS (/32s)
           AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 20Jan12 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description
Table     395364    229885   165479   41.9%  All ASes
AS6389      3448       204     3244   94.1%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3264      1536     1728   52.9%  WINDSTREAM - Windstream Communications Inc
AS18566     2093       413     1680   80.3%  COVAD - Covad Communications Co.
AS4766      2477       998     1479   59.7%  KIXS-AS-KR Korea Telecom
AS22773     1486       117     1369   92.1%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1523       213     1310   86.0%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS4323      1608       384     1224   76.1%  TWTC - tw telecom holdings, inc.
AS28573     1616       404     1212   75.0%  NET Servicos de Comunicao S.A.
AS2118      1241        89     1152   92.8%  RELCOM-AS OOO "NPO Relcom"
AS1785      1868       784     1084   58.0%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS7552      1424       391     1033   72.5%  VIETEL-AS-AP Vietel Corporation
AS10620     1723       728      995   57.7%  Telmex Colombia S.A.
AS19262     1386       401      985   71.1%  VZGNI-TRANSIT - Verizon Online LLC
AS7303      1256       368      888   70.7%  Telecom Argentina S.A.
AS8402      1675       823      852   50.9%  CORBINA-AS OJSC "Vimpelcom"
AS8151      1461       664      797   54.6%  Uninet S.A. de C.V.
AS18101      947       156      791   83.5%  RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS30036     1487       715      772   51.9%  MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS4808      1100       342      758   68.9%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS15557     1095       368      727   66.4%  LDCOMNET Societe Francaise du Radiotelephone S.A
AS24560     1011       289      722   71.4%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS9394       878       197      681   77.6%  CRNET CHINA RAILWAY Internet(CRNET)
AS9498       871       205      666   76.5%  BBIL-AP BHARTI Airtel Ltd.
AS3356      1105       460      645   58.4%  LEVEL3 Level 3 Communications
AS7545      1638       997      641   39.1%  TPG-INTERNET-AP TPG Internet Pty Ltd
AS17676      677        74      603   89.1%  GIGAINFRA Softbank BB Corp.
AS17974     1715      1131      584   34.1%  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS4804       660        95      565   85.6%  MPX-AS Microplex PTY LTD
AS4780       787       229      558   70.9%  SEEDNET Digital United Inc.
AS20115     1620      1063      557   34.4%  CHARTER-NET-HKY-NC - Charter Communications
Total      45140     14838    30302   67.1%  Top 30 total

Possible Bogus Routes
10.86.64.32/30    AS65530  -Private Use AS-
10.86.64.36/30    AS65530  -Private Use AS-
10.86.65.32/30    AS65530  -Private Use AS-
10.86.65.36/30    AS65530  -Private Use AS-
10.255.255.0/30   AS65530  -Private Use AS-
10.255.255.4/30   AS65530  -Private Use AS-
10.255.255.8/30   AS65530  -Private Use AS-
14.192.0.0/22     AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.4.0/22     AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.8.0/22     AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.12.0/22    AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.16.0/22    AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.20.0/22    AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.24.0/22    AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.28.0/22    AS45464  NEXTWEB-AS-AP Room 201, TGU Bldg
37.61.144.0/20    AS34977  PROCONO-AS PROCONO S.A.
41.222.79.0/24    AS36938  AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
41.223.92.0/22    AS36936  CELTEL-GABON Celtel Gabon Internet Service
62.61.220.0/24    AS24974  TACHYON-EU Tachyon Europe BV
62.61.221.0/24    AS24974  TACHYON-EU Tachyon Europe BV
64.21.192.0/20    AS11610  INETNEBR-1 - Internet Nebraska Corporation
64.21.212.0/22    AS11610  INETNEBR-1 - Internet Nebraska Corporation
64.21.216.0/21    AS11610  INETNEBR-1 - Internet Nebraska Corporation
66.129.0.0/19     AS3901   ARRAKIS - Higher Technology Services
66.180.239.0/24   AS35888  VIGNETTE - VIGNETTE CORPORATION
66.207.32.0/20    AS23011
66.245.176.0/20   AS19318  NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
66.251.128.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.133.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.134.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.136.0/21   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.140.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.141.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.142.0/24   AS33227  BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.143.0/24   AS3356   LEVEL3 Level 3 Communications
69.46.224.0/20    AS32592  HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.233.0/24    AS32592  HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.236.0/24    AS32592  HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
71.19.134.0/23    AS3313   INET-AS BT Italia S.p.A.
72.44.16.0/20     AS15054  HAMELTRONICS - Hameltronics, LLC
80.88.10.0/24     AS33774  DJAWEB
98.159.96.0/20    AS46975
110.34.44.0/22    AS12653  COMTONET Com-ToNet
116.206.72.0/24   AS6461   MFNX MFN - Metromedia Fiber Network
116.206.85.0/24   AS6461   MFNX MFN - Metromedia Fiber Network
116.206.103.0/24  AS6461   MFNX MFN - Metromedia Fiber Network
117.120.56.0/21   AS4755   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
121.46.0.0/16     AS4134   CHINANET-BACKBONE No.31,Jin-rong Street
142.54.0.0/19     AS23498  CDSI - Cogeco Data Services Inc.
172.45.1.0/24     AS3356   LEVEL3 Level 3 Communications
172.45.2.0/24     AS29571  CITelecom-AS
172.45.3.0/24     AS29571  CITelecom-AS
172.102.0.0/22    AS4812   CHINANET-SH-AP China Telecom (Group)
190.104.32.0/21   AS27882  Telefónica Celular de Bolivia S.A.
193.0.22.0/23     AS3333   RIPE-NCC-AS RIPE Network Coordination Centre
200.6.93.0/24     AS6400   Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.94.0/24     AS6400   Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.95.0/24     AS6400   Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.23.84.0/24    AS8151   Uninet S.A. de C.V.
200.24.73.0/24    AS26061  Equant Colombia
200.33.40.0/24    AS11172  Alestra, S. de R.L. de C.V.
200.34.0.0/20     AS6342   Instituto Tecnológico y de Estudios Superiores de Monterrey
200.53.0.0/19     AS13878  Diveo do Brasil Telecomunicacoes Ltda
202.1.224.0/24    AS10097  FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
202.8.106.0/24    AS9530   SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
202.9.55.0/24     AS2764   AAPT AAPT Limited
202.58.113.0/24   AS19161
202.61.75.0/24    AS9927   PHILCOMNET-PH A Multihomed ISP Company
202.61.108.0/24   AS55812
202.61.118.0/24   AS55833
202.83.120.0/21   AS37972
202.83.124.0/24   AS37972
202.83.125.0/24   AS37972
202.83.126.0/24   AS37972
202.94.1.0/24     AS4808   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.133.70.0/24   AS38616  WORLDCALL-AS-KHI Worldcall Telecom Limited
202.160.152.0/22  AS10113  DATAFAST-AP DATAFAST TELECOMMUNICATIONS LTD
202.174.125.0/24  AS9498   BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24    AS9942   COMINDICO-AP SOUL Converged Communications Australia
202.179.134.0/24  AS23966  LDN-AS-PK LINKdotNET Telecom Limited
203.23.1.0/24     AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.24.38.0/24    AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.30.127.0/24   AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/23    AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/24    AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.32.87.0/24    AS18111  NETSPEED-AS-AP Netspeed Internet Communications
203.32.188.0/24   AS1221   ASN-TELSTRA Telstra Pty Ltd
203.142.219.0/24  AS45149
205.150.0.0/15    AS701    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
205.175.214.0/24  AS5583   ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
206.123.129.0/24  AS10790  INREACH-AS - InReach Internet
206.180.240.0/20  AS12083  KNOLOGY-NET - KNOLOGY, Inc.
206.197.184.0/24  AS23304  DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
207.174.131.0/24  AS26116  INDRA - Indra's Net Inc
207.174.132.0/23  AS26116  INDRA - Indra's Net Inc
207.174.152.0/23  AS26116  INDRA - Indra's Net Inc
207.174.154.0/24  AS26116  INDRA - Indra's Net Inc
207.174.155.0/24  AS26116  INDRA - Indra's Net Inc
207.174.200.0/24  AS22658  EARTHNET - Earthnet, Inc.
207.174.248.0/21  AS6653   PRIVATEI - privateI, LLC
207.231.96.0/19   AS11194  NUNETPA - NuNet Inc.
208.83.53.0/24    AS40569  YGOMI-AS - Ygomi LLC
208.91.56.0/21    AS22241  IC2NET - IC2NET
208.91.56.0/24    AS22241  IC2NET - IC2NET
208.91.57.0/24    AS22241  IC2NET - IC2NET
208.91.58.0/24    AS22241  IC2NET - IC2NET
208.91.59.0/24    AS22241  IC2NET - IC2NET
208.91.60.0/24    AS22241  IC2NET - IC2NET
208.91.61.0/24    AS22241  IC2NET - IC2NET
208.91.62.0/24    AS22241  IC2NET - IC2NET
208.91.63.0/24    AS22241  IC2NET - IC2NET
209.133.224.0/19  AS4323   TWTC - tw telecom holdings, inc.
209.148.64.0/19   AS13773  TELNETCOMM - Telnet Communications
209.177.64.0/20   AS6461   MFNX MFN - Metromedia Fiber Network
209.213.0.0/20    AS33005  ELTOPIA - Eltopia.com, LLC
209.222.240.0/22  AS19747
210.56.150.0/23   AS38138  INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
216.12.160.0/20   AS26627  AS-PILOSOFT - Pilosoft, Inc.
216.21.160.0/20   AS13818  PHX-INTL-TELEPORT - Phoenix International Teleport
216.194.160.0/20  AS13818  PHX-INTL-TELEPORT - Phoenix International Teleport

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog at nanog.org
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From josh.hoppes at gmail.com Fri Jan 20 17:23:02 2012
From: josh.hoppes at gmail.com (Josh Hoppes)
Date: Fri, 20 Jan 2012 17:23:02 -0600
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <20120120215445.GA17687@pob.ytti.fi>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <20120120215445.GA17687@pob.ytti.fi>
Message-ID:

I certainly agree they have very different applications, and hopefully that will help those looking for this kind of insight.

On Fri, Jan 20, 2012 at 3:54 PM, Saku Ytti wrote:
> On (2012-01-20 09:50 -0700), PC wrote:
>
>> Juniper has some very aggressive pricing on mx80 bundles license-locked to
>> 5gb, which are cheaper and blow the performance specifications of the
>> equivalent low end ASR1002 out of the water for internet edge BGP
>> applications. Unlike the ASR, a simple upgrade license can unlock the
>> boxes full potential.
>
> ASR1002 list price is 18kUSD, MX5 list price is 29.5kUSD. Upgrade license
> for MX5 -> MX80 literally costs more than new MX80 (with all but jflow
> license, two psu and 20SFP MIC)
>
> Sure MX5 will do line rate on 20 SFP ports, vastly more than ASR1002, but
> this is little consolation if you need high touch services such as NAPT,
> IPSEC etc.
> So applications for these boxes are quite different.
>
> --
>   ++ytti
>

From ops.lists at gmail.com Fri Jan 20 17:45:26 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sat, 21 Jan 2012 05:15:26 +0530
Subject: Argus: a hijacking alarm system
In-Reply-To:
References: <20120120155327.GA6432@gsp.org>
Message-ID:

On Fri, Jan 20, 2012 at 10:45 PM, RijilV wrote:
>> A suggestion: pick a different name. There's already a network tool
>> named Argus (it's been around for years): http://www.qosient.com/argus/
>>
>> I suggest using the name of a different Wishbone Ash album: "Bona Fide". ;-)

> Ha, there are already two with the name Argus:
> http://argus.tcp4me.com/

Argus being a many eyed dog from greek myth .. no surprise a lot of tools that do this kind of thing have the very same name.

Call it panopticon maybe? [nastier connotations - originally a prison design by jeremy bentham where a warder sitting in the center could see everything around him]

--srs

From matt.addison at lists.evilgeni.us Fri Jan 20 18:44:23 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Fri, 20 Jan 2012 19:44:23 -0500
Subject: Polling Bandwidth as an Aggregate
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C286B67FB16@ex-mb-1.corp.atlasnetworks.us>
References: <8C26A4FDAE599041A13EB499117D3C286B67FB16@ex-mb-1.corp.atlasnetworks.us>
Message-ID: <5623758599637889492@unknownmsgid>

On Jan 20, 2012, at 12:49, Nathan Eisenberg wrote:
> The web interface allows for interface aggregation, and the code for doing that could probably be reverse engineered easily enough for other reporting mechanisms as well.

On this point (of nice aggregation UIs) is anyone here using Graphite as a backend for their time series data stores? You have to supply/write the poller yourself but it seems an ideal backend for a "just graph everything" approach which allows the poller to use SNMP get-bulk requests which I haven't seen other pollers (rtg/mrtg/spine) doing.

~Matt

From jeffg at opennms.org Fri Jan 20 18:58:44 2012
From: jeffg at opennms.org (Jeff Gehlbach)
Date: Fri, 20 Jan 2012 19:58:44 -0500
Subject: Polling Bandwidth as an Aggregate
In-Reply-To: <5623758599637889492@unknownmsgid>
References: <8C26A4FDAE599041A13EB499117D3C286B67FB16@ex-mb-1.corp.atlasnetworks.us> <5623758599637889492@unknownmsgid>
Message-ID: <3b3f08a3-79e8-4ed2-b37e-32bffa14e63f@email.android.com>

Matt Addison wrote:
>On this point (of nice aggregation UIs) is anyone here using Graphite
>as a backend for their time series data stores?

I'm not personally, but I know some of our support clients are happily using it along with OpenNMS' support for outboarding of data storage via TCP and Google protobuf.

-jeff

From mysidia at gmail.com Fri Jan 20 19:59:48 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Fri, 20 Jan 2012 19:59:48 -0600
Subject: How are you doing DHCPv6 ?
In-Reply-To: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net> <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net>
Message-ID:

On Tue, Jan 17, 2012 at 4:04 PM, Randy Carpenter wrote:
> We have a requirement for it to be a redundant server that is centrally
> located. DHCPv6 will be relayed from each customer access segment.
>
> We have been looking at using ISC dhcpd, as that is what we use for v4.
> However, it currently does not support any redundancy.
> [snip]

When you say you require redundant DHCPD, what do you mean by that? The DHCP protocol is mostly stateless, aside from offers made, which are stored persistently in a database.

Therefore, you can cluster the DHCPD daemon, without modifications to the ISC DHCPD software. There is no shortage of cluster management software that is up to the task of keeping a service active on an active node, and keeping the service inactive on a standby (or failed) node.
Achieving redundancy against DHCPD failure is mostly a design and configuration question, not a matter of "finding a DHCPD implementation" that has redundancy.

If by redundancy you mean active/active pair of servers, for load balancing rather than failover, that implies DHCP servers with non-overlapping pools to assign from, and is generally a much more complicated objective to achieve with DHCP whether v4 or v6.

--
-JH

From jra at baylink.com Fri Jan 20 20:20:45 2012
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 20 Jan 2012 21:20:45 -0500 (EST)
Subject: Megaupload.com seized
In-Reply-To:
Message-ID: <12460417.5979.1327112445543.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Ricky Beam"

> On Fri, 20 Jan 2012 14:37:16 -0500, Paul Graydon
> wrote:
> > ... Whenever they received a DMCA take-down they would remove the
> > link,
> > not the underlying file, so even though they knew that a file was
> > illegally hosted, they never actually removed it.
>
> And that's where their safe harbour evaporated. Upon receiving notice a
> file is infringing, they know that *file* is illegal, and must now remove
> all the links to it, not just the one that was reported. Mega is in a
> position to know all the links, whereas the copyright holder is not.
>
> They thought they had a gaping loophole. Well, the DOJ is about to teach
> them how wrong they are.

Nope; I agree with the amusingly pseudonymed "Administrator" who posted immediately before you: the possibility exists that there's a copy of that file uploaded legally because some other client of the site has the right to do so... and if you delete the underlying file, you're then screwing over that other paying customer who isn't breaking the law.

Is everyone beginning to see how "legislators and LEOs who simply don't understand the playing field" are a critically dangerous condition, here?

This is precisely the grounds on which we opposed SOPA.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From rcarpen at network1.net Fri Jan 20 20:22:23 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Fri, 20 Jan 2012 21:22:23 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To:
Message-ID:

----- Original Message -----
>
> On Tue, Jan 17, 2012 at 4:04 PM, Randy Carpenter < rcarpen at network1.net > wrote:
>
> > We have a requirement for it to be a redundant server that is
> > centrally located. DHCPv6 will be relayed from each customer access
> > segment.
> >
> > We have been looking at using ISC dhcpd, as that is what we use for
> > v4. However, it currently does not support any redundancy.
> > [snip]
>
> When you say you require redundant DHCPD, what do you mean by that?
> The DHCP protocol is mostly stateless, aside from offers made, which
> are stored persistently in a database.
>
> Therefore, you can cluster the DHCPD daemon, without modifications to
> the ISC DHCPD software.

DHCP is certainly not stateless, which is why there is a concept of leases, which are stored in a file. You can't have 2 servers answering for the same subnet without some sort of coordination, or you would have a potential for duplicate addresses being assigned.

> There is no shortage of cluster management software that is up to the
> task of keeping a service active on an active node, and keeping the
> service inactive on a standby (or failed) node.
>
> Achieving redundancy against DHCPD failure is mostly a design and
> configuration question, not a matter of "finding a DHCPD implementation"
> that has redundancy.
>
>
> If by redundancy you mean active/active pair of servers, for load
> balancing rather than failover, that implies DHCP servers with
> non-overlapping pools to assign from, and is generally a much more
> complicated objective to achieve with DHCP whether v4 or v6.
I mean for failover, not load balancing.

The other issue we are encountering with IPv6 is that ISC DHCPD does not log very much at all for DHCPv6. Also, we have yet to find something reliable to identify a particular client. It looks like the only thing that is sent is the link local address, which is randomized on windows machines. The MAC address does not appear to ever be sent. This makes it impossible to apply any policies based on client.

-Randy

From joly at punkcast.com Fri Jan 20 21:17:46 2012
From: joly at punkcast.com (Joly MacFie)
Date: Fri, 20 Jan 2012 22:17:46 -0500
Subject: Megaupload.com seized
In-Reply-To: <12460417.5979.1327112445543.JavaMail.root@benjamin.baylink.com>
References: <12460417.5979.1327112445543.JavaMail.root@benjamin.baylink.com>
Message-ID:

Technical nuances notwithstanding, isn't the guts of the case that the megaupload team wilfully engaged in harbouring infringing files as evidenced by the email snooping, eg boasting to each other about having feature movies available prior to release etc. Similar evidence brought grokster down, and was confirmed by the US Supreme Court.

j

--
---------------------------------------------------------------
Joly MacFie  218 565 9365  Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From xiangy08 at csnet1.cs.tsinghua.edu.cn Sat Jan 21 03:06:42 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Sat, 21 Jan 2012 17:06:42 +0800
Subject: Argus: a hijacking alarm system
In-Reply-To:
References: <20120120155327.GA6432@gsp.org>
Message-ID:

ah, bad news ~ too many Argus :)

2012/1/21 RijilV
> On 20 January 2012 07:53, Rich Kulawiec wrote:
> > On Fri, Jan 20, 2012 at 05:47:21PM +0800, Yang Xiang wrote:
> >> I build a system “Argus” to real-timely alert prefix hijackings.
> >
> > A suggestion: pick a different name. There's already a network tool
> > named Argus (it's been around for years): http://www.qosient.com/argus/
> >
> > I suggest using the name of a different Wishbone Ash album: "Bona Fide".
> ;-)
> >
> > ---rsk
> >
>
> Ha, there are already two with the name Argus:
>
> http://argus.tcp4me.com/
>
> also been around for years...
>
> .r'
>
>

--
_________________________________________
Yang Xiang. Ph.D candidate.
Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From xiangy08 at csnet1.cs.tsinghua.edu.cn Sat Jan 21 03:07:51 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Sat, 21 Jan 2012 17:07:51 +0800
Subject: Argus: a hijacking alarm system
In-Reply-To:
References: <20120120155327.GA6432@gsp.org>
Message-ID:

2012/1/21 Suresh Ramasubramanian
> On Fri, Jan 20, 2012 at 10:45 PM, RijilV wrote:
> >> A suggestion: pick a different name. There's already a network tool
> >> named Argus (it's been around for years): http://www.qosient.com/argus/
> >>
> >> I suggest using the name of a different Wishbone Ash album: "Bona
> Fide". ;-)
>
> > Ha, there are already two with the name Argus:
> > http://argus.tcp4me.com/
>
> Argus being a many eyed dog from greek myth .. no surprise a lot of
> tools that do this kind of thing have the very same name.
>
> Call it panopticon maybe? [nastier connotations - originally a prison
> design by jeremy bentham where a warder sitting in the center could
> see everything around him]
>

sounds cool :) panopticon

>
> --srs
>
>

--
_________________________________________
Yang Xiang. Ph.D candidate.
Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From rsk at gsp.org Sat Jan 21 06:11:50 2012
From: rsk at gsp.org (Rich Kulawiec)
Date: Sat, 21 Jan 2012 07:11:50 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID: <20120121121149.GA14055@gsp.org>

On Fri, Jan 20, 2012 at 03:06:04PM -0500, Ricky Beam wrote:
> Upon receiving notice a file is infringing, they know that *file*
> is illegal, and must now remove all the links to it, not just the
> one that was reported.

But what -- *exactly* -- is an "illegal file"?

As Leo Bicknell astutely pointed out in this thread:

	"Also, when using a hashed file store, it's possible that
	some uses are infringing and some are not."

His example goes on to explain how this is so. (And I'll point out that his example applies, for example, to Amazon. There are copyrighted files there -- e.g., books, music -- which may be used legally by those who have purchased them. Do they become infringing if someone finds a way to access them without authorization/payment because Amazon's programmers made an error and left a backdoor open that allows them to be retrieved via static links? No, they don't. Should Amazon delete them in this instance? No. Amazon should fix the backdoors, i.e., remove the spurious links.)

Suppose that Joe and Jane are photographers. Joe has produced image X (to which he holds copyright) and Jane has produced image Y (similarly). Digital images X and Y are used as inputs to program P which produces output Z that is visually unrecognizable -- that is, anyone who looks at it sees what appears to be random noise. Does Z infringe on Joe or Jane's copyrights? How? Why? How does this change (or does it change) if program P' which can reverse the actions of P exists?
Let me give another example, this time using content that is intrinsically illegal -- and to avoid triggering hot-button responses, I'm going to posit a hypothetical: marshmallow peep dioramas. Let's suppose that these are illegal in every country on the planet, that those responsible for them are universally reviled, that it's a crime to photograph them, possess photographs of them, etc. We thus conclude that a file consisting of a picture of one of these is always illegal: that is, it's illegal no matter where it's found.

Now what happens if that picture is decomposed into individual files, each consisting of one row of pixels from the original? None of those files contain anything recognizable as a marshmallow peep diorama. The original cannot be reconstructed from any one of them. Is any one of them illegal?

Further: reassembling these will require something: an index, an algorithm, some construct that allows the individual files to be recombined. (This construct contains no content of any kind, marshmallow peep or otherwise. It's merely a recipe for putting together files.) Is that construct illegal?

If those individual files are spread across a multitude of hosts, are any of those hosts holding an illegal file? How would they know?

(If you're going to argue that those individual rows of pixels are illegal because the original is illegal, then replace the above with "individual pixels". I trust nobody will argue that a single pixel is illegal. Ever.)

One more scenario: a photo of a marshmallow peep diorama is encrypted and uploaded onto server A. Does server A hold an illegal file? How would the operators of server A know? How would anyone (other than the uploader) know?

Now suppose that the uploader, the only person on the planet with the decryption key for that file, dies; therefore, the file is reduced to -- for all practical purposes -- a random collection of bits. Is that file still illegal? Why? How? Who will be able to determine this?

(Schrodinger's cat paradox in 1...2...)

I posit these thought experiments (and I'll stop here, although many others suggest themselves) to highlight some serious problems with terminology, and with the law: it's an attempt to apply the principles of the physical world to the digital one, and it's a total failure. The putative sharp dividing line between "legal file" and "illegal file" doesn't really exist -- although many people would like it to exist, hope it exists, etc., because it serves their agendas or would make things easier for them. That doesn't make it so.

Sometimes the world changes, and sometimes when it does, it's time to discard outdated philosophy that no longer applies to current reality -- because stubborn attempts to hang onto it at all costs, especially by warping it into something completely unrecognizable from the original framework, really DO cost, often dearly. (It's 2012, and there are still inferior people living on this planet who assign more credibility to astrology and ghosts than to evolution or anthropocentric global warming. This isn't funny or quaint any more. It's stupid and dangerous.)

Schneier famously said "Trying to make bits uncopyable is like trying to make water not wet". What we are witnessing is precisely an attempt to do that, via a combination of anti-security technology (e.g., DRM) and purchased legislation, orchestrated by failing, legacy companies run by insatiably greedy people. These people simply don't care how much damage they do, how many lives they destroy, how much they hold back civilization, how much they twist the law, -- as long as they get paid. They are *exactly* like one of their own famous characters:

	"It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead."

See, for example:

http://www.techdirt.com/articles/20120120/16442117496/clay-shirky-why-sopas-not-going-away.shtml

which points to an excellent exposition by Clay Shirky on this very point.

So: {Internet, Hollywood}: choose one.

---rsk

From bjorn at mork.no Sat Jan 21 07:03:32 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Sat, 21 Jan 2012 14:03:32 +0100
Subject: How are you doing DHCPv6 ?
In-Reply-To: (Randy Carpenter's message of "Fri, 20 Jan 2012 21:22:23 -0500 (EST)")
References:
Message-ID: <87bopxp5qz.fsf@nemi.mork.no>

Randy Carpenter writes:

> DHCP is certainly not stateless, which is why there is a concept of
> leases, which are stored in a file. You can't have 2 servers answering
> for the same subnet without some sort of coordination, or you would
> have a potential for duplicate addresses being assigned.

Duplicate assignments are not a problem as long as you ensure that the client is the same. I.e. if the prefix delegating DHCPv6 server serves a statically assigned prefix to an end user based on information *uniquely identifying that user*, then you can replicate that setup to as many completely independent DHCPv6 servers as you like. Different end users will still not receive duplicate assignments.

But if you want the DHCPv6 server to dynamically allocate a new prefix to each client, then you are up for problems of course. Don't see why you would want to do that though. Redundant DHCPv6 will be only one of many problems in such a setup.

Bjørn

From xiangy08 at csnet1.cs.tsinghua.edu.cn Sat Jan 21 07:08:12 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Sat, 21 Jan 2012 21:08:12 +0800
Subject: Fwd: [Argus] 190.144.248.64/27 is 'hijacked' by anomalous origin 'AS27817'
In-Reply-To: <20120121122903.025287108A8B@mail.csnet1.cs.tsinghua.edu.cn>
References: <20120121122903.025287108A8B@mail.csnet1.cs.tsinghua.edu.cn>
Message-ID:

FYI, Argus detected a hijacking just now.
It seems, I should send this email to South America NOG.

---------- Forwarded message ----------
From: argus-alarm
Date: 2012/1/21
Subject: [Argus] 190.144.248.64/27 is 'hijacked' by anomalous origin 'AS27817'
To: argus

Prefix hijacking alarm:
Start Time(UTC): Jan-21-2012 12:30:15
IP Prefix: 190.144.248.64/27
Origin AS change: AS14080 -> AS27817
Details: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/90856/

_______________________________________________
Argus mailing list
Argus at csnet1.cs.tsinghua.edu.cn
http://csnet1.cs.tsinghua.edu.cn/mailman/listinfo/argus

--
_________________________________________
Yang Xiang. Ph.D candidate.
Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From lists at internetpolicyagency.com Sat Jan 21 10:42:29 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 21 Jan 2012 16:42:29 +0000
Subject: Megaupload.com seized
In-Reply-To: <20120121121149.GA14055@gsp.org>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org>
Message-ID:

In article <20120121121149.GA14055 at gsp.org>, Rich Kulawiec writes

>But what -- *exactly* -- is an "illegal file"?

Perhaps you mean "infringing"?
--
Roland Perry

From mysidia at gmail.com Sat Jan 21 11:31:25 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sat, 21 Jan 2012 11:31:25 -0600
Subject: How are you doing DHCPv6 ?
In-Reply-To: <87bopxp5qz.fsf@nemi.mork.no>
References: <87bopxp5qz.fsf@nemi.mork.no>
Message-ID:

On Sat, Jan 21, 2012 at 7:03 AM, Bjørn Mork wrote:
> Randy Carpenter writes:
>
> Duplicate assignments are not a problem as long as you ensure that the
> client is the same.
>

Duplicate assignments to different clients also won't be established if your standby server has access to an identical lease database at the moment your clustering software determines that the primary server has failed, kills the primary, and places the secondary in service.

A sufficiently long lease duration should also be as good as a static lease, in that case. Because all the important details are in the database.

You don't have to have any coordination in the DHCP software; you just in some cases, need to exclude the DHCPD daemon from simultaneously being active on multiple machines.

--
-JH

From gbonser at seven.com Sat Jan 21 12:38:29 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 21 Jan 2012 18:38:29 +0000
Subject: Megaupload.com seized
In-Reply-To: <20120121121149.GA14055@gsp.org>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>

> > that was reported.
>
> But what -- *exactly* -- is an "illegal file"?
>
> As Leo Bicknell astutely pointed out in this thread:
>
> "Also, when using a hashed file store, it's possible that
> some uses are infringing and some are not."

The problem is going to be the thousands of people who have now lost their legitimate files, research data, personal recordings, etc. that they were using Megaupload to share.

http://torrentfreak.com/feds-please-return-my-personal-files-megaupload-120120/

From rcarpen at network1.net Sat Jan 21 13:05:03 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Sat, 21 Jan 2012 14:05:03 -0500 (EST)
Subject: How are you doing DHCPv6 ?
In-Reply-To:
References: <87bopxp5qz.fsf@nemi.mork.no>
Message-ID:

Several people have mentioned clustering software. Does anyone have any examples of such a thing that supports v4 and v6?

We have always used the built-in failover in ISC dhcpd, and it works nicely. I don't understand why they felt it would not be needed in v6.

-Randy

On Jan 21, 2012, at 12:31, Jimmy Hess wrote:

> On Sat, Jan 21, 2012 at 7:03 AM, Bjørn Mork wrote:
> Randy Carpenter writes:
>
> Duplicate assignments are not a problem as long as you ensure that the
> client is the same.
>
> Duplicate assignments to different clients also won't be established if your
> standby server has access to an identical lease database at the moment
> your clustering software determines that the primary server has failed,
> kills the primary, and places the secondary in service.
>
> A sufficiently long lease duration should also be as good as a static lease, in that case.
> Because all the important details are in the database.
>
> You don't have to have any coordination in the DHCP software; you just, in some cases, need to exclude the DHCPD daemon from simultaneously being active on multiple machines.
>
>
> --
> -JH

From lyle at lcrcomputer.net Sat Jan 21 13:11:45 2012
From: lyle at lcrcomputer.net (Lyle Giese)
Date: Sat, 21 Jan 2012 13:11:45 -0600
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
Message-ID: <4F1B0DF1.7030809@lcrcomputer.net>

On 01/21/12 12:38, George Bonser wrote:
>>> that was reported.
>> But what -- *exactly* -- is an "illegal file"?
>>
>> As Leo Bicknell astutely pointed out in this thread:
>>
>> "Also, when using a hashed file store, it's possible that
>> some uses are infringing and some are not."
> The problem is going to be the thousands of people who have now lost their legitimate files, research data, personal recordings, etc. that they were using Megaupload to share.
>
>
> http://torrentfreak.com/feds-please-return-my-personal-files-megaupload-120120/
>
>
Not that I would not be a bit miffed if personal files disappeared, but that's one of the risks associated with using a cloud service for file storage. It could have been a fire, a virus erasing files, bankruptcy, malicious insider damage... Doesn't matter, you lost access to legit content in the crossfire.
There is always a risk of losing access to cloud resources. And for years, we always joked in my computer buddy circles, computers know when you don't have a backup.

It's your fault (not theirs) if that was your only copy.

Lyle Giese
LCR Computer Services, Inc.

From gbonser at seven.com Sat Jan 21 13:38:23 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 21 Jan 2012 19:38:23 +0000
Subject: Megaupload.com seized
In-Reply-To: <4F1B0DF1.7030809@lcrcomputer.net>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com>

> Not that I would not be a bit miffed if personal files disappeared, but
> that's one of the risks associated with using a cloud service for file
> storage. It could have been a fire, a virus erasing files, bankruptcy,
> malicious insider damage... Doesn't matter, you lost access to legit
> content in the crossfire.
>
> There is always a risk of losing access to cloud resources. And for
> years, we always joked in my computer buddy circles, computers know
> when you don't have a backup.
>
> It's your fault (not theirs) if that was your only copy.
>
> Lyle Giese
> LCR Computer Services, Inc.

Entire governments in the US are using "cloud storage" for their documentation these days. It is my understanding (which is hearsay) that Google has an entire service aimed at small governments (county and municipal mostly) in Google Docs for just this purpose and I know of at least one city in California that is using Google for their document repository and their city email.
In case of an emergency where Google is unreachable, they are in a world of hurt and won't even be able to send email from one department to another in city hall because all their mail and documents are now "in the cloud" which would then be inaccessible to them rather than on a server in their local data center. So ... an earthquake in Santa Clara county might take out city governments in Monterey or Santa Cruz counties which might otherwise be perfectly able to conduct their business.

Point is, MANY people are using "the cloud" as their primary storage because it is marketed as being safe and secure (backed up and with better access security than they could manage themselves).

From mike at mtcc.com Sat Jan 21 13:49:34 2012
From: mike at mtcc.com (Michael Thomas)
Date: Sat, 21 Jan 2012 11:49:34 -0800
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com>
Message-ID: <4F1B16CE.3050000@mtcc.com>

On 01/21/2012 11:38 AM, George Bonser wrote:
> Entire governments in the US are using "cloud storage" for their documentation these days. It is my understanding (which is hearsay) that Google has an entire service aimed at small governments (county and municipal mostly) in Google Docs for just this purpose and I know of at least one city in California that is using Google for their document repository and their city email.
> In case of an emergency where Google is unreachable, they are in a world of hurt and won't even be able to send email from one department to another in city hall because all their mail and documents are now "in the cloud" which would then be inaccessible to them rather than on a server in their local data center. So ... an earthquake in Santa Clara county might take out city governments in Monterey or Santa Cruz counties which might otherwise be perfectly able to conduct their business.

Sure, but balance that with podunk.usa's possibly incompetent IT staff? It costs a lot of money to run a state of the art shop, but only incrementally more as you add more and more instances of essentially identical shops. I guess I have more trust that Google is going to get the redundancy, etc right than your average IT operation.

Now whether you should *trust* Google with all of that information from a security standpoint is another kettle of fish.

Mike

From gbonser at seven.com Sat Jan 21 14:19:05 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 21 Jan 2012 20:19:05 +0000
Subject: Megaupload.com seized
In-Reply-To: <4F1B16CE.3050000@mtcc.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>

>
> Sure, but balance that with podunk.usa's possibly incompetent IT staff?
> It costs a lot of money to run a state of the art shop, but only
> incrementally more as you add more and more instances of essentially
> identical shops. I guess I have more trust that Google is going to get
> the redundancy, etc right than your average IT operation.
>
> Now whether you should *trust* Google with all of that information from
> a security standpoint is another kettle of fish.
>
> Mike

I agree, Mike. Problem is that the communications infrastructure that enables these sorts of options is generally so reliable people don't think about what will happen if something happens between them and their data that takes out their access to those services. Imagine a situation where several municipal governments in, say, Santa Cruz County, California are using such services and there is a repeat of the Loma Prieta quake. Their data survives in Santa Clara county, their city offices survive but there is considerable damage to infrastructure and structures in their jurisdiction. But the communications is cut off between them and their data and time to repair is unknown. The city is now without email service. Employees in one department can't communicate with other departments. Access to their files is gone. They can't get the maps that show where those gas lines are. The local file server that had all that information was retired after the documents were transferred to "the cloud" and the same happened to the local mail server. At this point they are "flying blind" or relying on people's memories or maybe a scattering of documents people had printed out or saved local copies of. It's going to be a mess.

The point is that "the cloud" seems like a great option but it relies on being able to reach that "cloud". Your data may be safe and sound and your office may have survived without much wear, but if something happens in between, you might be sunk. And out in "Podunk", there aren't often multiple paths. You are stuck with what you get.

Or your cloud provider might announce they are going out of that business next week.
From toasty at dragondata.com Sat Jan 21 14:22:33 2012
From: toasty at dragondata.com (Kevin Day)
Date: Sat, 21 Jan 2012 14:22:33 -0600
Subject: Megaupload.com seized
In-Reply-To: <20120121121149.GA14055@gsp.org>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org>
Message-ID:

On Jan 21, 2012, at 6:11 AM, Rich Kulawiec wrote:

> On Fri, Jan 20, 2012 at 03:06:04PM -0500, Ricky Beam wrote:
>> Upon receiving notice a file is infringing, they know that *file*
>> is illegal, and must now remove all the links to it, not just the
>> one that was reported.
>
> But what -- *exactly* -- is an "illegal file"?
>
> As Leo Bicknell astutely pointed out in this thread:
>
> "Also, when using a hashed file store, it's possible that
> some uses are infringing and some are not."

This is a personal anecdote, and I'm not really trying to take sides in this. But I think what Megaupload's problem was that when they were told that a specific file was not authorized to be distributed at all, they claimed they couldn't stop their users from reuploading it, could only prevent distribution of the file if you were somehow able to give them a list of all their URLs that held identical copies, etc.

We had a client that had some data stolen - a laptop was physically stolen, and data from it uploaded to Megaupload. She jumped through the DMCA hoops to get them to take it down, they took more than 72 hours to finally remove it, and less than an hour later the same data was uploaded again. Another 72 hour wait to get them to remove it, rinse, repeat. We finally contacted someone there directly on our client's behalf, who insisted they had no ability to block specific files/hashes/etc -OR- locate additional identical copies on their system.
If they didn't have this ability, it was because they were specifically trying not to, since they admitted elsewhere they hash everything that comes in to save space/time on their side, and writing something to block based on a hash they were already making would fall under pretty trivial work. Which may have been the MPAA/RIAA/etc's issue with them as opposed to Dropbox/etc.

With Megaupload it was like playing whack-a-mole trying to get something removed, they kept trying to say with a straight face they couldn't stop it from happening, and actually paid uploaders of popular files to keep doing it.

I'm not defending the practices of the copyright nazis, but Megaupload was frustratingly difficult to deal with in what should have been a very simple "The owner/creator of this file has not authorized it to be distributed anywhere, don't allow it on your service again" request.

From d3e3e3 at gmail.com Sat Jan 21 15:22:53 2012
From: d3e3e3 at gmail.com (Donald Eastlake)
Date: Sat, 21 Jan 2012 16:22:53 -0500
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
Message-ID:

I have always had a certain fondness for paper.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com

On Sat, Jan 21, 2012 at 3:19 PM, George Bonser wrote:
>>
>> Sure, but balance that with podunk.usa's possibly incompetent IT staff?
>> It costs a lot of money to run a state of the art shop, but only
>> incrementally more as you add more and more instances of essentially
>> identical shops. I guess I have more trust that Google is going to get
>> the redundancy, etc right than your average IT operation.
>>
>> Now whether you should *trust* Google with all of that information from
>> a security standpoint is another kettle of fish.
>>
>> Mike
>
> I agree, Mike. Problem is that the communications infrastructure that enables these sorts of options is generally so reliable people don't think about what will happen if something happens between them and their data that takes out their access to those services. Imagine a situation where several municipal governments in, say, Santa Cruz County, California are using such services and there is a repeat of the Loma Prieta quake. Their data survives in Santa Clara county, their city offices survive but there is considerable damage to infrastructure and structures in their jurisdiction. But the communications is cut off between them and their data and time to repair is unknown. The city is now without email service. Employees in one department can't communicate with other departments. Access to their files is gone. They can't get the maps that show where those gas lines are. The local file server that had all that information was retired after the documents were transferred to "the cloud" and the same happened to the local mail server. At this point they are "flying blind" or relying on people's memories or maybe a scattering of documents people had printed out or saved local copies of. It's going to be a mess.
>
> The point is that "the cloud" seems like a great option but it relies on being able to reach that "cloud". Your data may be safe and sound and your office may have survived without much wear, but if something happens in between, you might be sunk. And out in "Podunk", there aren't often multiple paths.
> You are stuck with what you get.
>
> Or your cloud provider might announce they are going out of that business next week.
>
>

From mysidia at gmail.com Sat Jan 21 16:52:39 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sat, 21 Jan 2012 16:52:39 -0600
Subject: How are you doing DHCPv6 ?
In-Reply-To:
References: <87bopxp5qz.fsf@nemi.mork.no>
Message-ID:

On Sat, Jan 21, 2012 at 1:05 PM, Randy Carpenter wrote:
> Several people have mentioned clustering software. Does anyone have any
> examples of such a thing that supports v4 and v6?
>
>

Linux-HA, RSF-1, Oracle Solaris Cluster, Veritas cluster, are a few examples of clustering software.

ocf_heartbeat_anything + ocf_heartbeat_IPv6addr
http://linux-ha.org/doc/man-pages/man-pages.html

Obviously, building a DHCPD failover cluster involves some scripting and significant design considerations, but as far as clusters go, DNS and DHCPD failover clusters are very simple. And don't require special application support to achieve redundancy, unlike, say Firewalls, SQL, FTP, SMTP or HTTPD clusters, where a requirement may exist not to drop a single TCP connection, or fail a single query, in case of server failure.

DHCPD doesn't even use TCP connections; and some amount of automatic retry by the client is a feature of the protocol.

Database servers, HTTP, Firewalls, etc, are "stateful services", because there is an "in-flight" status which is not recorded in a database, and must be preserved by the application itself for graceful failover. If the Firewall connection table is not synchronized online, the failover between clustered firewalls would cause a disruption in the form of lost TCP connections, and online users will experience an immediate temporary issue at the moment of failover.

The same for HTTP... a TCP connection dropping is a "permanent" error. The in-flight transactions would result in the user seeing an error page.
Those are the types of applications that actually require special support or coordination from the application itself.

Graceful DHCPD failover to deal with server issues can be achieved by using one of the open source or commercial clustering packages, plus a little bit of scripting.

--
-JH

From joelja at bogus.com Sat Jan 21 17:28:57 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Sat, 21 Jan 2012 15:28:57 -0800
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com>
Message-ID: <4F1B4A39.2030902@bogus.com>

On 1/21/12 11:38 , George Bonser wrote:
>> Not that I would not be a bit miffed if personal files disappeared,
>> but that's one of the risks associated with using a cloud service
>> for file storage. It could have been a fire, a virus erasing files,
>> bankruptcy, malicious insider damage... Doesn't matter, you lost
>> access to legit content in the crossfire.
>>
>> There is always a risk of losing access to cloud resources. And
>> for years, we always joked in my computer buddy circles, computers
>> know when you don't have a backup.
>>
>> It's your fault (not theirs) if that was your only copy.
>>
>> Lyle Giese LCR Computer Services, Inc.
>
> Entire governments in the US are using "cloud storage" for their
> documentation these days. It is my understanding (which is hearsay)
> that Google has an entire service aimed at small governments (county
> and municipal mostly) in Google Docs for just this purpose and I know
> of at least one city in California that is using Google for their
> document repository and their city email.
> In case of an emergency where Google is unreachable, they are in a world
> of hurt and won't even be able to send email from one department to
> another in city hall because all their mail and documents are now "in
> the cloud" which would then be inaccessible to them rather than on a
> server in their local data center. So ... an earthquake in Santa Clara
> county might take out city governments in Monterey or Santa Cruz
> counties which might otherwise be perfectly able to conduct their
> business.
>
> Point is, MANY people are using "the cloud" as their primary storage
> because it is marketed as being safe and secure (backed up and with
> better access security than they could manage themselves).

It may also be the case that your cloud service may be uncoupled from the fate of your geography which may well allow it to survive a regional failure that might otherwise render you inoperable.

All eggs in one basket is to my mind a bigger problem than whose basket they're in.

If your network is wiped out it may not matter where the data is from an availability perspective unless alternatives are in place.

>
>

From mike at mtcc.com Sat Jan 21 18:22:53 2012
From: mike at mtcc.com (Michael Thomas)
Date: Sat, 21 Jan 2012 16:22:53 -0800
Subject: Megaupload.com seized
In-Reply-To: <4F1B4A39.2030902@bogus.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B4A39.2030902@bogus.com>
Message-ID: <4F1B56DD.1080607@mtcc.com>

On 01/21/2012 03:28 PM, Joel jaeggli wrote:
> On 1/21/12 11:38 , George Bonser wrote:
>> Entire governments in the US are using "cloud storage" for their
>> documentation these days.
>> It is my understanding (which is hearsay) that Google has an entire
>> service aimed at small governments (county and municipal mostly) in
>> Google Docs for just this purpose and I know of at least one city in
>> California that is using Google for their document repository and
>> their city email. In case of an emergency where Google is unreachable,
>> they are in a world of hurt and won't even be able to send email from
>> one department to another in city hall because all their mail and
>> documents are now "in the cloud" which would then be inaccessible to
>> them rather than on a server in their local data center. So ... an
>> earthquake in Santa Clara county might take out city governments in
>> Monterey or Santa Cruz counties which might otherwise be perfectly
>> able to conduct their business.
>>
>> Point is, MANY people are using "the cloud" as their primary storage
>> because it is marketed as being safe and secure (backed up and with
>> better access security than they could manage themselves).
> It may also be the case that your cloud service may be uncoupled from
> the fate of your geography which may well allow it to survive a regional
> failure that might otherwise render you inoperable.
>
> All eggs in one basket is to my mind a bigger problem than whose basket
> they're in.
>
> If your network is wiped out it may not matter where the data is from an
> availability perspective unless alternatives are in place.
>

I think that the larger issue here is resilience. If you're completely dependent on IP, then when IP fails you're hosed. We have a situation where that is becoming more and more true, however. When the last vestiges of TDM are rooted out of the telephony network, we will be less resilient than before. When paper record trails are replaced by the cloud, we are less resilient. It's sort of scary in some ways how much of an information monoculture we're building: it's a huge strength and a glaring vulnerability.
Mike

From jra at baylink.com Sat Jan 21 19:00:57 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 21 Jan 2012 20:00:57 -0500 (EST)
Subject: Megaupload.com seized
In-Reply-To: <4F1B0DF1.7030809@lcrcomputer.net>
Message-ID: <2860625.5997.1327194057231.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Lyle Giese"

> Not that I would not be a bit miffed if personal files disappeared, but
> that's one of the risks associated with using a cloud service for file
> storage. It could have been a fire, a virus erasing files, bankruptcy,
> malicious insider damage... Doesn't matter, you lost access to legit
> content in the crossfire.

I'm not sure this is actually true. The Law generally recognizes 'accident' as a means for relieving people of responsibility for criminal acts -- it can't *be* a criminal act without scienter on the part of the doer.

In this case, the doer was negligent, rather than purposefully malicious, but we have solutions for that as well.

I hope that we don't see a class-action lawsuit against the feds... I wanna see them have to defend each case individually.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                    jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Sat Jan 21 19:04:00 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 21 Jan 2012 20:04:00 -0500 (EST)
Subject: Megaupload.com seized
In-Reply-To: <27869135.5999.1327194220330.JavaMail.root@benjamin.baylink.com>
Message-ID: <12405320.6001.1327194240245.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Donald Eastlake"

> I have always had a certain fondness for paper.

Well, I was wondering where the Whacky Weekend thread was this week.

"You can't grep dead trees."

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                    jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Sat Jan 21 20:26:53 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sat, 21 Jan 2012 21:26:53 -0500 (EST)
Subject: Megaupload.com seized
In-Reply-To:
Message-ID: <14609391.6073.1327199213415.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Joly MacFie"

> Technical nuances notwithstanding, isn't the guts of the case that the
> megaupload team wilfully engaged in harbouring infringing files as
> evidenced by the email snooping, eg boasting to each other about
> having feature movies available prior to release etc.

That appears to be the case at this time, based on things which are hearsay to we the public, and should not have been released.

But "has a substantially non-infringing use" is, if not a defense, a fact which should have made them *much* more careful in how they did the take down, a response which is all of a piece with our objections to SOPA.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                    jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jcdill.lists at gmail.com Sat Jan 21 21:39:22 2012
From: jcdill.lists at gmail.com (JC Dill)
Date: Sat, 21 Jan 2012 19:39:22 -0800
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
Message-ID: <4F1B84EA.1030503@gmail.com>

On 21/01/12 12:19 PM, George Bonser wrote:
> Imagine a situation where several municipal governments in, say, Santa
> Cruz County, California are using such services and there is a repeat
> of the Loma Prieta quake. Their data survives in Santa Clara county,
> their city offices survive but there is considerable damage to
> infrastructure and structures in their jurisdiction. But the
> communications is cut off between them and their data and time to
> repair is unknown. The city is now without email service. Employees in
> one department can't communicate with other departments. Access to
> their files is gone. They can't get the maps that show where those gas
> lines are. The local file server that had all that information was
> retired after the documents were transferred to "the cloud" and the
> same happened to the local mail server. At this point they are "flying
> blind" or relying on people's memories or maybe a scattering of
> documents people had printed out or saved local copies of. It's going
> to be a mess.
This is what disaster simulations are for, to suss out these problems before a disaster and put in systems to avoid the mess. In the real world, while a city might keep the digital documents "in the cloud" they would also (always) have paper copies, because in a big emergency their computers (local mail/file servers or internet access to the cloud) are likely to be unavailable, power or internet access is likely to be disrupted. In a true emergency such as Loma Prieta, they are going to reach for the paper maps that were printed and saved for just this eventuality, and part of the emergency preparedness is to have a regular process to print and save updated maps (every year or 6 months or month or whenever there's a major change - each department will undoubtedly have their own metrics depending on how critical their maps are).

If you haven't participated in your city/county CERT training and disaster simulation exercises, I highly suggest you get involved. CERT is a great program and will really help open your eyes to many types of emergency planning you probably haven't thought about. Plus, the more involved you are with CERT the more you are "known" to your local disaster management teams, and the better access you will have to them in the event of a major disaster.

jc

From smb at cs.columbia.edu Sat Jan 21 22:03:00 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Sat, 21 Jan 2012 23:03:00 -0500
Subject: Megaupload.com seized
In-Reply-To: <2860625.5997.1327194057231.JavaMail.root@benjamin.baylink.com>
References: <2860625.5997.1327194057231.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Jan 21, 2012, at 8:00 PM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Lyle Giese"
>
>> Not that I would not be a bit miffed if personal files disappeared, but
>> that's one of the risks associated with using a cloud service for file
>> storage. It could have been a fire, a virus erasing files, bankruptcy,
>> malicious insider damage...
>> Doesn't matter, you lost access to legit
>> content in the crossfire.
>
> I'm not sure this is actually true. The Law generally recognizes 'accident'
> as a means for relieving people of responsibility for criminal acts -- it
> can't *be* a criminal act without scienter on the part of the doer.

Actually, that's often not true in recent laws. There was an article in the Wall Street Journal a month or so ago that gave some glaring examples of not just laws but actual convictions.

>
> In this case, the doer was negligent, rather than purposefully malicious,
> but we have solutions for that as well.

I'm not sure what you mean by "doer" here.

http://opinion.latimes.com/opinionla/2012/01/copyrights-feds-push-novel-theories-in-megaupload-case.html has an interesting analysis. It presents a number of factual statements that are capable of multiple interpretations. This in turn means that much of the case is likely to turn on scienter, which in turn means heavy reliance on the seized emails. This will be an interesting case to watch.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From matthew at matthew.at Sat Jan 21 22:49:42 2012
From: matthew at matthew.at (Matthew Kaufman)
Date: Sat, 21 Jan 2012 20:49:42 -0800
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
Message-ID: <4F1B9566.9040006@matthew.at>

On 1/21/2012 12:19 PM, George Bonser wrote:
> I agree, Mike.
> Problem is that the communications infrastructure that
> enables these sorts of options is generally so reliable people don't
> think about what will happen if something happens between them and
> their data that takes out their access to those services. Imagine a
> situation where several municipal governments in, say, Santa Cruz
> County, California are using such services and there is a repeat of
> the Loma Prieta quake. Their data survives in Santa Clara county,
> their city offices survive but there is considerable damage to
> infrastructure and structures in their jurisdiction. But the
> communications is cut off between them and their data and time to
> repair is unknown. The city is now without email service....
>

But fortunately the data is also replicated in another data center nowhere near the quake, so once they pull out the mobile emergency operations center and aim the VSAT dish, they're back online with everything as it was moments before the quake hit... far superior to what formerly happened when the power or phone lines were down at their own facility, never mind what would have happened if their own facility with its infrequent backups to unreliable tape were destroyed.
Matthew Kaufman

From james at smithwaysecurity.com Sat Jan 21 23:15:29 2012
From: james at smithwaysecurity.com (James Smith)
Date: Sun, 22 Jan 2012 01:15:29 -0400
Subject: Megaupload.com seized
In-Reply-To: <4F1B9566.9040006@matthew.at>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com> <4F1B9566.9040006@matthew.at>
Message-ID: <5929A59AA5FB4F7DB245167A33FB5326@smithwaIntell>

Well, I have a question which is off the topic of megaupload.com, but it's regarding governments around the world using cloud services.

Do we have other Canadians on this list who can confirm what branches of the Canadian Government are actively using public cloud services like Google cloud services, or are currently in the process of setting them up?

-----Original Message-----
From: Matthew Kaufman
Sent: Sunday, January 22, 2012 12:49 AM
To: George Bonser
Cc: nanog at nanog.org
Subject: Re: Megaupload.com seized

On 1/21/2012 12:19 PM, George Bonser wrote:
> I agree, Mike. Problem is that the communications infrastructure that
> enables these sorts of options is generally so reliable people don't think
> about what will happen if something happens between them and their data
> that takes out their access to those services. Imagine a situation where
> several municipal governments in, say, Santa Cruz County, California are
> using such services and there is a repeat of the Loma Prieta quake. Their
> data survives in Santa Clara county, their city offices survive but there
> is considerable damage to infrastructure and structures in their
> jurisdiction. But the communications is cut off between them and their
> data and time to repair is unknown.
> The city is now without email
> service....
>

But fortunately the data is also replicated in another data center nowhere near the quake, so once they pull out the mobile emergency operations center and aim the VSAT dish, they're back online with everything as it was moments before the quake hit... far superior to what formerly happened when the power or phone lines were down at their own facility, never mind what would have happened if their own facility with its infrequent backups to unreliable tape were destroyed.

Matthew Kaufman

From mike at mtcc.com Sun Jan 22 00:16:01 2012
From: mike at mtcc.com (Michael Thomas)
Date: Sat, 21 Jan 2012 22:16:01 -0800
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com>
Message-ID: <4F1BA9A1.7090104@mtcc.com>

On 01/21/2012 12:19 PM, George Bonser wrote:
>> Sure, but balance that with podunk.usa's possibly incompetent IT staff?
>> It costs a lot of money to run a state of the art shop, but only
>> incrementally more as you add more and more instances of essentially
>> identical shops. I guess I have more trust that Google is going to get
>> the redundancy, etc right than your average IT operation.
>>
>> Now whether you should *trust* Google with all of that information from
>> a security standpoint is another kettle of fish.
>>
>> Mike
> I agree, Mike.
> Problem is that the communications infrastructure that enables these sorts of options is generally so reliable people don't think about what will happen if something happens between them and their data that takes out their access to those services. Imagine a situation where several municipal governments in, say, Santa Cruz County, California are using such services and there is a repeat of the Loma Prieta quake. Their data survives in Santa Clara county, their city offices survive but there is considerable damage to infrastructure and structures in their jurisdiction. But the communications is cut off between them and their data and time to repair is unknown. The city is now without email service. Employees in one department can't communicate with other departments. Access to their files is gone. They can't get the maps that show where those gas lines are. The local file server that had all that information was retired after the documents were transferred to "the cloud" and the same happened to the local mail server. At this point they are "flying blind" or relying on people's memories or maybe a scattering of documents people had printed out or saved local copies of. It's going to be a mess.
>
> The point is that "the cloud" seems like a great option but it relies on being able to reach that "cloud". Your data may be safe and sound and your office may have survived without much wear, but if something happens in between, you might be sunk. And out in "Podunk", there aren't often multiple paths. You are stuck with what you get.
>
> Or your cloud provider might announce they are going out of that business next week.

The problem is that the local infrastructure might just as easily get taken out too. Here in SF, I'm sure that the entirety of the data center capabilities aren't, say, housed in city hall itself, so we're just as vulnerable to partition whether they run their own infrastructure as we would be if we hosted in the "cloud" too.
The larger issue here is diversity and resilience. The internet is guaranteed to fail us at the worst possible time, full stop. We need to make certain that we keep at least _some_ terribly inefficient and thoroughly antiquated means of doing the same thing viable for critical tasks. When I was at Cisco, there was a push to get emergency responders to coordinate their communication infrastructure, both for cross coordination as well as, of course, cost down. Makes perfect sense... so long as the unthinkable doesn't happen (i.e. the internet failing us). That's why our new IP monoculture sort of gives me the creeps.

Mike

From gbonser at seven.com Sun Jan 22 01:20:59 2012
From: gbonser at seven.com (George Bonser)
Date: Sun, 22 Jan 2012 07:20:59 +0000
Subject: Megaupload.com seized
In-Reply-To: <4F1B84EA.1030503@gmail.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com> <4F1B84EA.1030503@gmail.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C8D510@RWC-MBX1.corp.seven.com>

> This is what disaster simulations are for, to suss out these problems
> before a disaster and put in systems to avoid the mess.
>
> In the real world, while a city might keep the digital documents "in
> the cloud" they would also (always) have paper copies, because in a big
> emergency their computers (local mail/file servers or internet access
> to the cloud) are likely to be unavailable, power or internet access is
> likely to be disrupted.

Nope, no paper copies. In fact, many of the documents such as maps and drawings are not even provided on paper anymore at any stage of the process. It's all electronic.
The engineering drawings, maps, reports, plans, everything's electronic copy now. If you want a copy to take to the field, you print one off and dispose of it when done unless you keep it in your personal storage (desk file drawer).

> In a true emergency such as Loma Prieta, they
> are going to reach for the paper maps that were printed and saved for
> just this eventuality

Nope, the paper maps have been disposed of as they have become obsolete and replaced with electronic copy. It requires space to store all those documents. Space costs money.

I'm being absolutely serious here. Not only are many of these municipalities no longer storing paper copies, they are storing them "in the cloud" that might become completely unreachable during an emergency. My jaw just about hit the floor when it was explained to me what one town in California was doing. Those people are going to be just about completely helpless in an emergency but they are doing it because they are running out of money. Pensions are eating that town alive. Their emergency drills do not include a loss of connectivity to the cloud.

> CERT is a great program and will really help open your eyes
> to many types of emergency planning you probably haven't thought about.
> Plus, the more involved you are with CERT the more you are "known" to
> your local disaster management teams, and the better access you will
> have to them in the event of a major disaster.
>

I am talking here about the process internal to the government agency, not drills concerning the public. In case of an emergency where they are cut off from Google, that town government will have no email and no access to their documents. They have no other mechanism, they can't afford it. The days when a city could actually have contingency plans are just about over. Pensions are eating them up so badly, they are just barely able to function at all. I'm being dead serious. Larger cities such as San Jose have about 10 years left.
The Mayor of SJC said that in about 12 years the city will not be able to provide any services whatsoever. Pensions will take 100% of city revenue. They have already started closing the libraries.

From gbonser at seven.com Sun Jan 22 03:11:47 2012
From: gbonser at seven.com (George Bonser)
Date: Sun, 22 Jan 2012 09:11:47 +0000
Subject: Megaupload.com seized
In-Reply-To: <5929A59AA5FB4F7DB245167A33FB5326@smithwaIntell>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com> <4F1B9566.9040006@matthew.at> <5929A59AA5FB4F7DB245167A33FB5326@smithwaIntell>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C8D633@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: James Smith
>
> Well, I have a question which is off the topic of megaupload.com, but it's
> regarding governments around the world using cloud services.
> Do we have other Canadians on this list who can confirm what branches
> of the Canadian Government are actively using public cloud services like
> Google cloud services,
> or are currently in the process of setting them up?

I believe this is the product:
http://www.google.com/apps/intl/en/government/trust.html

I'm not sure they offer it to Canadian governments. Here's the partial list they give on the web site; I don't see any non-US listed.
http://www.google.com/apps/intl/en/customers/index.html#tab5

From jamie at photon.com Sun Jan 22 10:10:17 2012
From: jamie at photon.com (Jamie Bowden)
Date: Sun, 22 Jan 2012 16:10:17 +0000
Subject: VZ FiOS DNS issues:
Message-ID: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>

Any Verizon techs around today?
I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks that it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers; phone support are, of course, useless):

C:\Users\jamie>tracert -d 71.252.0.12

Tracing route to 71.252.0.12 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2    <1 ms    <1 ms    <1 ms  192.168.1.1
  3     8 ms     9 ms    13 ms  96.231.199.1
  4    14 ms     9 ms     9 ms  130.81.183.118
  5     9 ms     9 ms     9 ms  130.81.151.232
  6     9 ms     9 ms     *     130.81.20.19
  7    11 ms     9 ms     9 ms  71.252.0.12

Trace complete.

C:\Users\jamie>nslookup www.google.com 71.252.0.12
Server:  nsrest01.verizon.net
Address:  71.252.0.12

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to nsrest01.verizon.net timed-out

C:\Users\jamie>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2    <1 ms    <1 ms    <1 ms  192.168.1.1
  3     7 ms     8 ms     9 ms  96.231.199.1
  4     8 ms     9 ms     8 ms  130.81.183.118
  5     9 ms    28 ms    10 ms  130.81.22.56
  6     8 ms     9 ms     9 ms  152.63.36.237
  7    20 ms    19 ms    19 ms  152.63.0.153
  8    21 ms    18 ms    18 ms  152.63.21.73
  9    41 ms    47 ms    49 ms  152.179.72.66
 10    17 ms    18 ms    19 ms  209.85.255.68
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    22 ms    19 ms    19 ms  72.14.236.200
 14    20 ms    31 ms    18 ms  216.239.49.145
 15    18 ms    19 ms    19 ms  8.8.8.8

Trace complete.

C:\Users\jamie>nslookup www.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out

C:\Users\jamie>

From brandon.kim at brandontek.com Sun Jan 22 10:29:49 2012
From: brandon.kim at brandontek.com (Brandon Kim)
Date: Sun, 22 Jan 2012 11:29:49 -0500
Subject: VZ FiOS DNS issues:
In-Reply-To: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
Message-ID:

I have FiOS and I have no issues. However, I do know a while back they had issues and I was affected by the outage....

Maybe it hasn't made its way to me yet....

> From: jamie at photon.com
> To: nanog at nanog.org
> Subject: VZ FiOS DNS issues:
> Date: Sun, 22 Jan 2012 16:10:17 +0000
>
>
> Any Verizon techs around today? I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks that it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers; phone support are, of course, useless):
>
> C:\Users\jamie>tracert -d 71.252.0.12
>
> Tracing route to 71.252.0.12 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     8 ms     9 ms    13 ms  96.231.199.1
>   4    14 ms     9 ms     9 ms  130.81.183.118
>   5     9 ms     9 ms     9 ms  130.81.151.232
>   6     9 ms     9 ms     *     130.81.20.19
>   7    11 ms     9 ms     9 ms  71.252.0.12
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 71.252.0.12
> Server:  nsrest01.verizon.net
> Address:  71.252.0.12
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to nsrest01.verizon.net timed-out
>
> C:\Users\jamie>tracert -d 8.8.8.8
>
> Tracing route to 8.8.8.8 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     7 ms     8 ms     9 ms  96.231.199.1
>   4     8 ms     9 ms     8 ms  130.81.183.118
>   5     9 ms    28 ms    10 ms  130.81.22.56
>   6     8 ms     9 ms     9 ms  152.63.36.237
>   7    20 ms    19 ms    19 ms  152.63.0.153
>   8    21 ms    18 ms    18 ms  152.63.21.73
>   9    41 ms    47 ms    49 ms  152.179.72.66
>  10    17 ms    18 ms    19 ms  209.85.255.68
>  11     *        *        *     Request timed out.
>  12     *        *        *     Request timed out.
>  13    22 ms    19 ms    19 ms  72.14.236.200
>  14    20 ms    31 ms    18 ms  216.239.49.145
>  15    18 ms    19 ms    19 ms  8.8.8.8
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 8.8.8.8
> Server:  google-public-dns-a.google.com
> Address:  8.8.8.8
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to google-public-dns-a.google.com timed-out
>
> C:\Users\jamie>

From morrowc.lists at gmail.com Sun Jan 22 10:41:25 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Sun, 22 Jan 2012 11:41:25 -0500
Subject: VZ FiOS DNS issues:
In-Reply-To:
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
Message-ID:

On Sun, Jan 22, 2012 at 11:29 AM, Brandon Kim wrote:
>
> I have FiOS and I have no issues. However, I do know a while back they had issues and I was affected by
> the outage....
>
> Maybe it hasn't made its way to me yet....
>

there have been instances over the time I've been a FiOS customer that 'upgrades' to devices in the field have caused this problem (last was ~2wks ago? in the Washington, DC area).
Could be you are seeing this problem affecting you :(

-chris

From lists at internetpolicyagency.com Sun Jan 22 10:58:49 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 22 Jan 2012 16:58:49 +0000
Subject: Megaupload.com seized
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
Message-ID:

In article <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA at RWC-MBX1.corp.seven.com>, George Bonser writes
>The problem is going to be the thousands of people who have now lost
>their legitimate files, research data, personal recordings, etc. that
>they were using Megaupload to share.

But that's an operational risk of using any commercial entity as a filestore. Thousands of people lost[1] a lot of work when fotopic.net collapsed:
http://en.wikipedia.org/wiki/Fotopic.net

[1] As it's getting on for a year since an apparent rescue attempt, and nothing has emerged, this seems a reasonable assumption.
--
Roland Perry

From jamesl at mythostech.com Sun Jan 22 11:20:41 2012
From: jamesl at mythostech.com (James Laszko)
Date: Sun, 22 Jan 2012 17:20:41 +0000
Subject: VZ FiOS DNS issues:
In-Reply-To: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
Message-ID: <0564164D-9DDC-448F-8EB5-DB7FF4CD17FD@mythostech.com>

On Jan 22, 2012, at 8:11 AM, "Jamie Bowden" wrote:

>
> Any Verizon techs around today?
> I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks that it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers; phone support are, of course, useless):

Have a look at:

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/page/11

Are you by chance in So Cal? VZ has been having some serious potholes on their information superhighway of late.

Regards,

James Laszko
Mythos Technology Inc

>
> C:\Users\jamie>tracert -d 71.252.0.12
>
> Tracing route to 71.252.0.12 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     8 ms     9 ms    13 ms  96.231.199.1
>   4    14 ms     9 ms     9 ms  130.81.183.118
>   5     9 ms     9 ms     9 ms  130.81.151.232
>   6     9 ms     9 ms     *     130.81.20.19
>   7    11 ms     9 ms     9 ms  71.252.0.12
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 71.252.0.12
> Server:  nsrest01.verizon.net
> Address:  71.252.0.12
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to nsrest01.verizon.net timed-out
>
> C:\Users\jamie>tracert -d 8.8.8.8
>
> Tracing route to 8.8.8.8 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     7 ms     8 ms     9 ms  96.231.199.1
>   4     8 ms     9 ms     8 ms  130.81.183.118
>   5     9 ms    28 ms    10 ms  130.81.22.56
>   6     8 ms     9 ms     9 ms  152.63.36.237
>   7    20 ms    19 ms    19 ms  152.63.0.153
>   8    21 ms    18 ms    18 ms  152.63.21.73
>   9    41 ms    47 ms    49 ms  152.179.72.66
>  10    17 ms    18 ms    19 ms  209.85.255.68
>  11     *        *        *     Request timed out.
>  12     *        *        *     Request timed out.
>  13    22 ms    19 ms    19 ms  72.14.236.200
>  14    20 ms    31 ms    18 ms  216.239.49.145
>  15    18 ms    19 ms    19 ms  8.8.8.8
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 8.8.8.8
> Server:  google-public-dns-a.google.com
> Address:  8.8.8.8
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to google-public-dns-a.google.com timed-out
>
> C:\Users\jamie>

From nick at pelagiris.org Sun Jan 22 13:32:10 2012
From: nick at pelagiris.org (Nick B)
Date: Sun, 22 Jan 2012 14:32:10 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
Message-ID:

I just made the brain-melting mistake of trying to read the DMCA. The text which jumps out at me is:

`(2) EXCEPTION- Paragraph (1) shall not apply with respect to material residing at the direction of a subscriber of the service provider on a system or network controlled or operated by or for the service provider that is removed, or to which access is disabled by the service provider, pursuant to a notice provided under subsection (c)(1)(C), unless the service provider--

`(A) takes reasonable steps promptly to notify the subscriber that it has removed or disabled access to the material;

`(B) upon receipt of a counter notification described in paragraph (3), promptly provides the person who provided the notification under subsection (c)(1)(C) with a copy of the counter notification, and informs that person that it will replace the removed material or cease disabling access to it in 10 business days; and

`(C) replaces the removed material and ceases disabling access to it not less than 10, nor more than 14, business days following receipt of the counter notice, unless its designated agent first receives notice from the person who submitted the notification under subsection (c)(1)(C) that such person has
filed an action seeking a court order to restrain the subscriber from engaging in infringing activity relating to the material on the service provider's system or network.

I'm about 90% sure that in a fair court, it would be concluded that disabling the reported URL qualifies as disabling access to the material. The court might then issue an injunction to, in the future, disable *all* *possible* access to the material, but that's not the current text of the law.

YMMV
Nick B

On Sun, Jan 22, 2012 at 11:58 AM, Roland Perry <lists at internetpolicyagency.com> wrote:

> In article <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA at RWC-MBX1.corp.seven.com>,
> George Bonser writes
>
>> The problem is going to be the thousands of people who have now lost
>> their legitimate files, research data, personal recordings, etc. that
>> they were using Megaupload to share.
>>
>
> But that's an operational risk of using any commercial entity as a
> filestore. Thousands of people lost[1] a lot of work when fotopic.net collapsed:
> http://en.wikipedia.org/wiki/Fotopic.net
>
> [1] As it's getting on for a year since an apparent rescue attempt, and
> nothing has emerged, this seems a reasonable assumption.
> --
> Roland Perry
>
>

From joseph.snyder at gmail.com Sun Jan 22 14:53:06 2012
From: joseph.snyder at gmail.com (Joseph Snyder)
Date: Sun, 22 Jan 2012 15:53:06 -0500
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com>
Message-ID: <33cf5a26-142c-43df-8469-b748e6dc023e@email.android.com>

I would disagree; to me, I would guess that the court would interpret the disabling of access or removal to refer to the material and not the URL. The URL is just a reference to the material in question.
If you build a bashing system that does not let you comply with the law, that becomes your problem, not the court's. If you show good faith, explain the issue and propose a reasonable timeline to resolve the issue, or show financial hardship and appeal to the court for more time, then you can avoid a lot of headaches.

Nick B wrote:

I just made the brain-melting mistake of trying to read the DMCA. The text which jumps out at me is:

`(2) EXCEPTION- Paragraph (1) shall not apply with respect to material residing at the direction of a subscriber of the service provider on a system or network controlled or operated by or for the service provider that is removed, or to which access is disabled by the service provider, pursuant to a notice provided under subsection (c)(1)(C), unless the service provider--

`(A) takes reasonable steps promptly to notify the subscriber that it has removed or disabled access to the material;

`(B) upon receipt of a counter notification described in paragraph (3), promptly provides the person who provided the notification under subsection (c)(1)(C) with a copy of the counter notification, and informs that person that it will replace the removed material or cease disabling access to it in 10 business days; and

`(C) replaces the removed material and ceases disabling access to it not less than 10, nor more than 14, business days following receipt of the counter notice, unless its designated agent first receives notice from the person who submitted the notification under subsection (c)(1)(C) that such person has filed an action seeking a court order to restrain the subscriber from engaging in infringing activity relating to the material on the service provider's system or network.

I'm about 90% sure that in a fair court, it would be concluded that disabling the reported URL qualifies as disabling access to the material.
The court might then issue an injunction to, in the future, disable *all* *possible* access to the material, but that's not the current text of the law.

YMMV
Nick B

On Sun, Jan 22, 2012 at 11:58 AM, Roland Perry <lists at internetpolicyagency.com> wrote:

> In article <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA at RWC-MBX1.corp.seven.com>,
> George Bonser writes
>
>> The problem is going to be the thousands of people who have now lost
>> their legitimate files, research data, personal recordings, etc. that
>> they were using Megaupload to share.
>>
>
> But that's an operational risk of using any commercial entity as a
> filestore. Thousands of people lost[1] a lot of work when fotopic.net collapsed:
> http://en.wikipedia.org/wiki/Fotopic.net
>
> [1] As it's getting on for a year since an apparent rescue attempt, and
> nothing has emerged, this seems a reasonable assumption.
> --
> Roland Perry
>
>

From joseph.snyder at gmail.com Sun Jan 22 15:06:56 2012
From: joseph.snyder at gmail.com (Joseph Snyder)
Date: Sun, 22 Jan 2012 16:06:56 -0500
Subject: VZ FiOS DNS issues:
In-Reply-To: <0564164D-9DDC-448F-8EB5-DB7FF4CD17FD@mythostech.com>
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com> <0564164D-9DDC-448F-8EB5-DB7FF4CD17FD@mythostech.com>
Message-ID: <5ddbc31a-f543-4e1e-8dc8-0b2767c52ce1@email.android.com>

Try a full rebind on your CPE or a power cycle, whichever is easier. This seems to have worked for a few on the forums.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

James Laszko wrote:

On Jan 22, 2012, at 8:11 AM, "Jamie Bowden" wrote:

>
> Any Verizon techs around today?
> I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks that it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers; phone support are, of course, useless):

Have a look at:

http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/page/11

Are you by chance in So Cal? VZ has been having some serious potholes on their information superhighway of late.

Regards,

James Laszko
Mythos Technology Inc

>
> C:\Users\jamie>tracert -d 71.252.0.12
>
> Tracing route to 71.252.0.12 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     8 ms     9 ms    13 ms  96.231.199.1
>   4    14 ms     9 ms     9 ms  130.81.183.118
>   5     9 ms     9 ms     9 ms  130.81.151.232
>   6     9 ms     9 ms     *     130.81.20.19
>   7    11 ms     9 ms     9 ms  71.252.0.12
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 71.252.0.12
> Server:  nsrest01.verizon.net
> Address:  71.252.0.12
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to nsrest01.verizon.net timed-out
>
> C:\Users\jamie>tracert -d 8.8.8.8
>
> Tracing route to 8.8.8.8 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  192.168.2.254
>   2    <1 ms    <1 ms    <1 ms  192.168.1.1
>   3     7 ms     8 ms     9 ms  96.231.199.1
>   4     8 ms     9 ms     8 ms  130.81.183.118
>   5     9 ms    28 ms    10 ms  130.81.22.56
>   6     8 ms     9 ms     9 ms  152.63.36.237
>   7    20 ms    19 ms    19 ms  152.63.0.153
>   8    21 ms    18 ms    18 ms  152.63.21.73
>   9    41 ms    47 ms    49 ms  152.179.72.66
>  10    17 ms    18 ms    19 ms  209.85.255.68
>  11     *        *        *     Request timed out.
>  12     *        *        *     Request timed out.
>  13    22 ms    19 ms    19 ms  72.14.236.200
>  14    20 ms    31 ms    18 ms  216.239.49.145
>  15    18 ms    19 ms    19 ms  8.8.8.8
>
> Trace complete.
>
> C:\Users\jamie>nslookup www.google.com 8.8.8.8
> Server:  google-public-dns-a.google.com
> Address:  8.8.8.8
>
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to google-public-dns-a.google.com timed-out
>
> C:\Users\jamie>

From jra at baylink.com Sun Jan 22 15:45:18 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 22 Jan 2012 16:45:18 -0500 (EST)
Subject: AkamaiHD/Facebook problem?
Message-ID: <24743154.6079.1327268718649.JavaMail.root@benjamin.baylink.com>

I'm seeing, when trying to view images I posted to a facebook album, grey boxes instead of thumbnails. If I click all the way through and View Image, I get either 502 Bad Gateway from nginx, or the odd message "All blocks down", which I can't successfully google.

This seems intermittent, or slowly-clearing, but I thought someone from A might want to know. I can supply full URLs off list if desired.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From bonomi at mail.r-bonomi.com Sun Jan 22 16:00:15 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Sun, 22 Jan 2012 16:00:15 -0600 (CST)
Subject: Megaupload.com seized
In-Reply-To:
Message-ID: <201201222200.q0MM0FTF070369@mail.r-bonomi.com>

Nick B wrote:
> I'm about 90% sure that in a fair court, it would be concluded that
> disabling the reported URL qualifies as disabling access to the material.
> The court might then issue an injunction to, in the future, disable *all*
> *possible* access to the material, but that's not the current text of the
> law.
> YMMV

The crux of the issue is whether a single DMCA take down notice refers only to the content itemized in the notice, or to _all_ content that matches the identification in the notice.

It is a *significant* difference, because the former requires the _complainant_ to identify all the 'infringing' items, while the latter requires the notice _recipient_ to search out all other content that matches the notice.

Obviously, each side would rather have the other guy do all the work.

From jra at baylink.com Sun Jan 22 16:08:06 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 22 Jan 2012 17:08:06 -0500 (EST)
Subject: Megaupload.com seized
In-Reply-To:
Message-ID: <10848825.6121.1327270086275.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Nick B"

> I'm about 90% sure that in a fair court, it would be concluded that
> disabling the reported URL qualifies as disabling access to the
> material.
> The court might then issue an injunction to, in the future, disable
> *all* *possible* access to the material, but that's not the current text of
> the law. YMMV

I believe we're all conflating 2 separate and, really, disparate things:

1) what does the law actually require and is that realistic?
2) how were MU actually behaving, and does that relieve The Law of cutting them any slack?

The former isn't really affected by the latter; it can still be unreasonable, even if that is *not* the reason why MU proper won't be getting cut any slack which might exist.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From apishdadi at gmail.com Sun Jan 22 19:16:39 2012
From: apishdadi at gmail.com (A. Pishdadi)
Date: Sun, 22 Jan 2012 19:16:39 -0600
Subject: Law Enforcement Contact
Message-ID:

Hello,

We recently tracked down a botnet that attacked our network.
We found the C&C server, it has approximately 40-50 servers, consisting of mostly *nix machines with high speed connections, for example AWS servers or dedicated, attack capacity is 4-5Gb/s or more. Is there any contacts with law enforcement here that I can send over the info too? . From bmanning at vacation.karoshi.com Sun Jan 22 19:19:55 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Mon, 23 Jan 2012 01:19:55 +0000 Subject: LAw Enforcement Contact In-Reply-To: References: Message-ID: <20120123011955.GC27872@vacation.karoshi.com.> On Sun, Jan 22, 2012 at 07:16:39PM -0600, A. Pishdadi wrote: > Hello, > > We recently tracked down a botnet that attacked our network. We found the > C&C server, it has approximately 40-50 servers, consisting of mostly *nix > machines with high speed connections, for example AWS servers or dedicated, > attack capacity is 4-5Gb/s or more. Is there any contacts with law > enforcement here that I can send over the info too? > > . Sure is. Check with your local FBI office. /bill From ops.lists at gmail.com Sun Jan 22 19:26:19 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 23 Jan 2012 06:56:19 +0530 Subject: LAw Enforcement Contact In-Reply-To: References: Message-ID: FBI sure - but if you have AWS servers in the mix, contact Amazon security first. On Mon, Jan 23, 2012 at 6:46 AM, A. Pishdadi wrote: > > We recently tracked down a botnet that attacked our network. We found the > C&C server, it has approximately 40-50 servers, consisting of mostly *nix > machines with high speed connections, for example AWS servers or dedicated, > attack capacity is 4-5Gb/s or more. Is there any contacts with law > enforcement here that I can send over the info too? 
-- 
Suresh Ramasubramanian (ops.lists at gmail.com)

From tshaw at oitc.com Sun Jan 22 19:29:59 2012
From: tshaw at oitc.com (TR Shaw)
Date: Sun, 22 Jan 2012 20:29:59 -0500
Subject: LAw Enforcement Contact
In-Reply-To: <20120123011955.GC27872@vacation.karoshi.com.>
References: <20120123011955.GC27872@vacation.karoshi.com.>
Message-ID: <2DF47FC8-7D2B-4D5E-B3C7-217AA4B0CFE6@oitc.com>

On Jan 22, 2012, at 8:19 PM, bmanning at vacation.karoshi.com wrote:

> On Sun, Jan 22, 2012 at 07:16:39PM -0600, A. Pishdadi wrote:
>> Hello,
>>
>> We recently tracked down a botnet that attacked our network. We found the
>> C&C server, it has approximately 40-50 servers, consisting of mostly *nix
>> machines with high speed connections, for example AWS servers or dedicated,
>> attack capacity is 4-5Gb/s or more. Is there any contacts with law
>> enforcement here that I can send over the info too?
>>
>> .
>
> Sure is. Check with your local FBI office.
>

Do you know how responsive and effective that is out here in rural America? Usually nada, even if you can find someone who speaks tech. I gave my local a C&C complete with location in Phoenix and details on all the Italian bank intercepts that were stored there (open directory) and 2 weeks later it was still operating.

Tom

From apishdadi at gmail.com Sun Jan 22 19:31:09 2012
From: apishdadi at gmail.com (A. Pishdadi)
Date: Sun, 22 Jan 2012 19:31:09 -0600
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID:

The IPs are masked; you only see part of the IP/hostname. If there is someone from Amazon here, feel free to contact me. The C&C is hosted at ThePlanet/SoftLayer.

On Sun, Jan 22, 2012 at 7:26 PM, Suresh Ramasubramanian wrote:

> FBI sure - but if you have AWS servers in the mix, contact Amazon
> security first.
>
> On Mon, Jan 23, 2012 at 6:46 AM, A. Pishdadi wrote:
> >
> > We recently tracked down a botnet that attacked our network. We found the
> > C&C server, it has approximately 40-50 servers, consisting of mostly *nix
> > machines with high speed connections, for example AWS servers or
> dedicated,
> > attack capacity is 4-5Gb/s or more. Is there any contacts with law
> > enforcement here that I can send over the info too?
> >
> >
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

From djahandarie at gmail.com Sun Jan 22 19:32:49 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Sun, 22 Jan 2012 20:32:49 -0500
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID:

On Sun, Jan 22, 2012 at 20:26, Suresh Ramasubramanian wrote:
> FBI

I bet the FBI is going to be _particularly_ focused on dealing with botnets in the coming months. :o)

But yes, the FBI is the place to go after contacting whatever abuse departments you can. (It's good to have a little courtesy before bringing out the sledge hammer).

-- 
Darius Jahandarie

From apishdadi at gmail.com Sun Jan 22 19:36:01 2012
From: apishdadi at gmail.com (A. Pishdadi)
Date: Sun, 22 Jan 2012 19:36:01 -0600
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID:

We've been contacted by the Secret Service before regarding customer servers that have been doing shady stuff. Apparently they do a lot of the cybercrime work for the federal government. From what I've seen, we've been contacted more by them than the FBI. I did email a contact from the SS from an issue early in 2011; hopefully he responds.

On Sun, Jan 22, 2012 at 7:32 PM, Darius Jahandarie wrote:

> On Sun, Jan 22, 2012 at 20:26, Suresh Ramasubramanian
> wrote:
> > FBI
>
> I bet the FBI is going to be _particularly_ focused on dealing with
> botnets in the coming months. :o)
>
>
> But yes, the FBI is the place to go after contacting whatever abuse
> departments you can. (It's good to have a little courtesy before
> bringing out the sledge hammer).
>
> --
> Darius Jahandarie
>
>

From jamesl at mythostech.com Sun Jan 22 19:50:14 2012
From: jamesl at mythostech.com (James Laszko)
Date: Mon, 23 Jan 2012 01:50:14 +0000
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID: <8078ED370ADA824281219A7B5BADC39B14497518@MBX023-W1-CA-5>

Perhaps: http://www.cybercrime.gov/reporting.htm

James Laszko
Mythos Technology Inc

-----Original Message-----
From: A. Pishdadi [mailto:apishdadi at gmail.com]
Sent: Sunday, January 22, 2012 5:36 PM
To: Darius Jahandarie
Cc: NANOG
Subject: Re: LAw Enforcement Contact

We've been contacted by the Secret Service before regarding customer servers that have been doing shady stuff. apparently they do alot of the cybercrime work for the federal government. from what I've seen we've been contacted more by them then the FBI. I did email a contact from the SS from a issue early in 2011, hopefully he responds.

On Sun, Jan 22, 2012 at 7:32 PM, Darius Jahandarie wrote:

> On Sun, Jan 22, 2012 at 20:26, Suresh Ramasubramanian
> wrote:
> > FBI
>
> I bet the FBI is going to be _particularly_ focused on dealing with
> botnets in the coming months. :o)
>
>
> But yes, the FBI is the place to go after contacting whatever abuse
> departments you can. (It's good to have a little courtesy before
> bringing out the sledge hammer).
>
> --
> Darius Jahandarie
>
>

From mfine at fineonline.com Sun Jan 22 20:28:23 2012
From: mfine at fineonline.com (Michael Fine)
Date: Sun, 22 Jan 2012 18:28:23 -0800
Subject: LAw Enforcement Contact
In-Reply-To: <8078ED370ADA824281219A7B5BADC39B14497518@MBX023-W1-CA-5>
References: <8078ED370ADA824281219A7B5BADC39B14497518@MBX023-W1-CA-5>
Message-ID: <3C939BAD927D3C4C8A21BAAA3FD49DCDF5ED9D2B3E@borabora.ftsnet.local>

I attended a Cisco seminar on infrastructure security where the speaker was a former FBI agent. For reporting computer-related crimes, he recommended contacting your local Infragard office.
http://www.infragard.net/

Of course I noticed that Infragard was hacked by LulzSec last June, so YMMV.

-----Original Message-----
From: James Laszko [mailto:jamesl at mythostech.com]
Sent: Sunday, January 22, 2012 5:50 PM
To: A. Pishdadi
Cc: nanog (nanog at nanog.org)
Subject: RE: LAw Enforcement Contact

Perhaps: http://www.cybercrime.gov/reporting.htm

James Laszko
Mythos Technology Inc

-----Original Message-----
From: A. Pishdadi [mailto:apishdadi at gmail.com]
Sent: Sunday, January 22, 2012 5:36 PM
To: Darius Jahandarie
Cc: NANOG
Subject: Re: LAw Enforcement Contact

We've been contacted by the Secret Service before regarding customer servers that have been doing shady stuff. apparently they do alot of the cybercrime work for the federal government. from what I've seen we've been contacted more by them then the FBI. I did email a contact from the SS from a issue early in 2011, hopefully he responds.

On Sun, Jan 22, 2012 at 7:32 PM, Darius Jahandarie wrote:

> On Sun, Jan 22, 2012 at 20:26, Suresh Ramasubramanian
> wrote:
> > FBI
>
> I bet the FBI is going to be _particularly_ focused on dealing with
> botnets in the coming months. :o)
>
>
> But yes, the FBI is the place to go after contacting whatever abuse
> departments you can. (It's good to have a little courtesy before
> bringing out the sledge hammer).
>
> --
> Darius Jahandarie
>
>

From orangewinds at gmail.com Sun Jan 22 21:05:47 2012
From: orangewinds at gmail.com (Jacob Taylor)
Date: Sun, 22 Jan 2012 19:05:47 -0800
Subject: Megaupload.com seized
In-Reply-To:
References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com>
Message-ID: <1327287947.22754.3.camel@debian.explodie.org>

On Fri, 2012-01-20 at 11:14 +0000, Alec Muffett wrote:
> On 20 Jan 2012, at 11:00, Tei wrote:
>
> > Fileshares can organize thenselves in sites based on a forum software
> > that is private by default (open with registration), then share some
> > "information" file that include the url to the files hosted, and the
> > key to unencrypt these files, and some metadata. A special desktop
> > program* would load that information file, and start the http
> > download.
>
>
> At the risk of kicking over old ground, there are a bunch of privacy solutions like this; possibly the most complete attempt (in terms of attempted privacy and distribution) is Freenet:
>
> http://freenetproject.org/whatis.html
>
> ...but it's slow; then there's Tahoe-LAFS - a decentralised filesystem:
>
> https://tahoe-lafs.org/trac/tahoe-lafs
>
> ...but it's slow; then there are connection anonymisation tools like I2P and Tor, but - wonderful as they are - they're slow.
>
> Can you see a pattern developing that would be relevant to the downloader of 700Mb+ AVIs? :-)
>
> It would be great to speed them through wider adoption, but until then...
>
> -a

Tahoe-LAFS can be fast. A grid I help out with is often capable of 600 kilobytes per second downloads (or faster), and I personally have several files stored on there in excess of 500mb. Close enough to your 700mb movie example.

I use this storage as a CDN of sorts, as a friend wrote an HTTP interface to the Tahoe-LAFS grid. Should you wish to see it in action, the code and download links are over here --> http://cryto.net/projects/tahoe.html

From morrowc.lists at gmail.com Sun Jan 22 23:27:19 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Mon, 23 Jan 2012 00:27:19 -0500
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
In-Reply-To:
References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net>
Message-ID:

On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang wrote:
> 2012/1/20 Arturo Servin
>> > while Argus can discover potential hijackings caused by anomalous AS
>> path.
>>
>>         Can you explain how?
>>
>
> Only a imprecisely detection.
>
> Section III.C in our paper
> http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf
>
> A brief explanation is:
> If an anomalous AS path hijacked a prefix,
> I can get replies in normal route-server, and can not get reply in abnormal
> route-servers.
>
> Here we only consider hijackings that black-hole the prefix.
> If a hijacking doesn't black-hole the prefix (i.e., redirect, interception,
> ...), is hard to detect :(
>
> I think network operators are only careless, but not trust-less,
> so black-hole hijacking is the majority case.

reading the preceding section (III.B) you check 3 things in the AMM (anomaly monitoring module)
 1) proper origin (based on what?)
 2) anomalous neighbour (based on what?)
 3) policy anomaly (where did you determine the policy?)

later text seems to imply you track some history (1 months worth) and use that as a baseline, for at least the neighbour and origin data. The policy data isn't clearly outlined though, where did that come from? (there's a note about use of whois, which could cover some of this, but certainly not all)

The data plane testing you propose is from the public route-servers (eyes), which don't import the path you want, well routeviews I think doesn't import routes to it's FIB (or maybe I'm mistaken...)
but point being with more than one peer on the routeserver it's not clear you would be taking the path you actually want to test anyway, is it?

-chris

From caldcv at gmail.com Mon Jan 23 01:46:21 2012
From: caldcv at gmail.com (Chris)
Date: Mon, 23 Jan 2012 02:46:21 -0500
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID:

The appropriately named SS mainly deals with counterfeit currency, widespread ID theft (See also: Ryan1918) and threats to the President.

There is nothing really you can do and this is why:

1. If you contact the domain name provider, a backup domain is likely being used, so if that is shut down you lose your mole in your "whack a mole" game.
2. If you contact TP/Softlayer, see point #1
3. I've had law enforcement become more interested in questionable images, which were probable cause, hosted on a third party public image sharing service than actually handing over information of law enforcement value because you'll get that "we are looking into it" response. The probable cause example turned into a quick warrant and the suspect was arrested later that week.
4. I used to chase botnets. The emphasis is on "used to". It will burn you out dealing with it so much.

I would heed the advice of contacting cybercrime.gov and if you catch bits and pieces of a domain name, send an email to the abuse contact. EDU abuse contacts are wonderfully helpful if they are a decent sized school. If they are some art college near Boston, good luck.

On Sun, Jan 22, 2012 at 8:36 PM, A. Pishdadi wrote:
> We've been contacted by the Secret Service before regarding customer
> servers that have been doing shady stuff. apparently they do alot of the
> cybercrime work for the federal government. from what I've seen we've been
> contacted more by them then the FBI. I did email a contact from the SS from
> a issue early in 2011, hopefully he responds.
>

-- 
--C

"The dumber people think you are, the more surprised they're going to be when you kill them."
- Sir William Clayton

From ken.gilmour at gmail.com Mon Jan 23 02:09:59 2012
From: ken.gilmour at gmail.com (Ken Gilmour)
Date: Mon, 23 Jan 2012 09:09:59 +0100
Subject: LAw Enforcement Contact
In-Reply-To:
References:
Message-ID:

Depends where they are located. I found Europol and the NHTCU somewhat helpful (but slow) to deal with some botnets controlled in Macedonia and Latvia. NHTCU were contacted because of the location of one of the attacked hosts.

-- 
Sent from my smart phone. Please excuse my brevity

On Jan 23, 2012 1:17 a.m., "A. Pishdadi" wrote:

> Hello,
>
> We recently tracked down a botnet that attacked our network. We found the
> C&C server, it has approximately 40-50 servers, consisting of mostly *nix
> machines with high speed connections, for example AWS servers or dedicated,
> attack capacity is 4-5Gb/s or more. Is there any contacts with law
> enforcement here that I can send over the info too?
>
> .
>

From rs at seastrom.com Mon Jan 23 05:20:59 2012
From: rs at seastrom.com (Robert E. Seastrom)
Date: Mon, 23 Jan 2012 06:20:59 -0500
Subject: VZ FiOS DNS issues:
In-Reply-To: (Christopher Morrow's message of "Sun, 22 Jan 2012 11:41:25 -0500")
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com>
Message-ID: <867h0izmuc.fsf@seastrom.com>

Christopher Morrow writes:

> On Sun, Jan 22, 2012 at 11:29 AM, Brandon Kim
> wrote:
>>
>> I have FIOS and I have no issues. However I do know awhile back they had issues and I was affected by
>> the outage....
>>
>> Maybe it hasn't made its way to me yet....
>>
>
> there have been instances over the time i've been a fios customer that
> 'upgrades' to devices in the field have caused this problem (last was
> ~2wks ago? in the washington, dc area).
>
> Could be you are seeing this problem affecting you :(

I'm a FIOS customer (LATA 246 not 236 like Chris), and haven't had any issues with the network. On the other hand, between my location and the fact that I'm on an old BPON build, perhaps the software upgrades haven't affected me. To further complicate things, ever suspicious of ISP nameservers that don't do DNSSEC validation and monetize rcode 3, and not a fan of the Actiontec boxes that Verizon hands out, I run my own caching nameserver (hand-built openbsd+pf on embedded hardware with latest bind or unbound and isc dhcpd).

Do things magically start working for you if you hard-code 8.8.8.8 or 4.2.2.1 or one of the other usual suspects? That would seem to be a quick way of narrowing it down a bit.

-r

From jamie at photon.com Mon Jan 23 06:51:55 2012
From: jamie at photon.com (Jamie Bowden)
Date: Mon, 23 Jan 2012 12:51:55 +0000
Subject: VZ FiOS DNS issues:
In-Reply-To: <867h0izmuc.fsf@seastrom.com>
References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com> <867h0izmuc.fsf@seastrom.com>
Message-ID: <5941B69EF8C7764DAE18F85A6A5A6AD00DAA45@east-mail.photon.com>

I don't care for the Actiontec boxes either, but the STB program guides and other features don't work without it, so I have mine forward all IP traffic unmolested to my own as the DMZ host (thus the dual layer of [P|N]AT you see). It's just UDP/TCP 53 traffic that's not flowing for whatever reason; it's every device in the house: phones, tablets, computers, you name it, so I'm not inclined to attribute it to malware. My neighbor was also seeing it (and like last time, it seems to have magically resolved itself after ~1.5h).

I'm just wondering what Verizon is DOING that they are screwing up their own DNS traffic. If they were capturing my queries and sending them to their own servers (I actually have Google's public facing servers at the top of the list handed out by DHCP) that would be one thing (irritating to be sure, but they aren't, so it's not), but when I'm explicitly hitting a name server down the street in Reston that VZ runs and it's failing the same way? It makes me wonder.
Jamie

> -----Original Message-----
> From: Robert E. Seastrom [mailto:rs at seastrom.com]
> Sent: Monday, January 23, 2012 6:21 AM
> To: Christopher Morrow
> Cc: nanog group
> Subject: Re: VZ FiOS DNS issues:
>
>
> Christopher Morrow writes:
>
> > On Sun, Jan 22, 2012 at 11:29 AM, Brandon Kim
> > wrote:
> >>
> >> I have FIOS and I have no issues. However I do know awhile back they
> had issues and I was affected by
> >> the outage....
> >>
> >> Maybe it hasn't made its way to me yet....
> >>
> >
> > there have been instances over the time i've been a fios customer
> that
> > 'upgrades' to devices in the field have caused this problem (last was
> > ~2wks ago? in the washington, dc area).
> >
> > Could be you are seeing this problem affecting you :(
>
> I'm a FIOS customer (LATA 246 not 236 like Chris), and haven't had any
> issues with the network. On the other hand, between my location and
> the fact that I'm on an old BPON build, perhaps the software upgrades
> haven't affected me. To further complicate things, ever suspicious of
> ISP nameservers that don't do DNSSEC validation and monetize rcode 3,
> and not a fan of the Actiontec boxes that Verizon hands out I run my
> own cacheing nameserver (hand-built openbsd+pf on embedded hardware
> with latest bind or unbound and isc dhcpd).
>
> Do things magically start working for you if you hard-code 8.8.8.8 or
> 4.2.2.1 or one of the other usual suspects? That would seem to be a
> quick way of narrowing it down a bit.
>
> -r
>

From don at sandvine.com Mon Jan 23 07:28:49 2012
From: don at sandvine.com (Don Bowman)
Date: Mon, 23 Jan 2012 13:28:49 +0000
Subject: Megaupload.com seized
In-Reply-To:
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID:

From: Joly MacFie [mailto:joly at punkcast.com]
>
> Incidentally, some traffic stats on
> http://gigaom.com/2012/01/20/follow-the-traffic-what-megauploads-
> downfall-did-to-the-web/
>
> MegaUpload was indeed one of the more popular sites on the web for
> storing
> > and sharing content. It ranked as .98 percent of the total web
> traffic
> > in the U.S. and 11.39 of the total web traffic in Brazil. It garnered
> > 1.95 percent of the traffic in Asia-Pac and a less substantial .86
> > percent in Europe.

Our (Sandvine) report shows the amounts of traffic for various storage and backup sites such as megaupload, rapidshare, etc. In the US residential ISP traffic megaupload was ~1% of downstream. Other sites are starting to 'voluntarily' shut down access to the US (e.g. filesonic), and you can see the fairly sharp cut-off in the image below.

[note the chart doesn't give you an absolute sense since you know neither the number of customers nor the amount of the total bandwidth used, but it gives you a relative view. In this particular chart, there was approximately 10Gbps of traffic from all protocols present, yielding the ~1% for Megaupload]

Given that filesonic cut off sharing, but still allows users to fetch links they themselves posted, one could make the assumption from the below that there was negligible traffic due to people re-fetching their own content.

[cid:image001.png at 01CCD9A8.2AB2B630]

Some more stats on http://www.betterbroadbandblog.com/2012/01/megaupload-gets-shut-down/

--don

From Valdis.Kletnieks at vt.edu Mon Jan 23 08:15:16 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 23 Jan 2012 09:15:16 -0500
Subject: Megaupload.com seized
In-Reply-To: Your message of "Mon, 23 Jan 2012 13:28:49 GMT."
References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk>
Message-ID: <197338.1327328116@turing-police.cc.vt.edu>

On Mon, 23 Jan 2012 13:28:49 GMT, Don Bowman said:

> Given that filesonic cut off sharing, but still allows users to fetch
> links they themself posted, one could make the assumption from the below
> that there was negligible traffic due to people re-fetching their
> own content.

Note that the filesonic cutoff appears to have happened around 18:00 last night in whatever timezone the graph was made. There's a good chance that most of the customers don't *know* yet about the cutoff - what happens tonight once the news has spread will be indicative.

From mtinka at globaltransit.net Mon Jan 23 08:58:45 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 23 Jan 2012 22:58:45 +0800
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: <201201232258.48714.mtinka@globaltransit.net>

On Friday, January 20, 2012 04:34:56 AM Thomas Donnelly wrote:

> The warm standby IOS is a nice
> feature for in service upgrades and crash avoidance.

Except that sometimes it did lead to a crash (for us anyway), because it eats up half the router's memory, and if you're running 3x full tables or more, you ran out of the other half and BOOM!

And that was IOS XR 2, which is generally old now.
We now turn off software redundancy on all ASR1000 boxes that don't have a 2nd RP.

Mark.

From jimmy.changa007 at gmail.com Mon Jan 23 09:02:41 2012
From: jimmy.changa007 at gmail.com (Jimmy Changa)
Date: Mon, 23 Jan 2012 10:02:41 -0500
Subject: Fiber outage in Miami
Message-ID:

Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted.

Sent from mobile device

From mtinka at globaltransit.net Mon Jan 23 09:08:53 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 23 Jan 2012 23:08:53 +0800
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com>
Message-ID: <201201232308.57327.mtinka@globaltransit.net>

On Friday, January 20, 2012 05:40:10 AM Leigh Porter wrote:

> I have not used the asr1000 but it looks like a capable
> box. You would do well to look at the MX80 fixed
> chassis, it comes with 48 1G interfaces and 4 10G
> interfaces. They are pretty good value, I think.

The thing the MX80 has that the ASR1000 doesn't is port density. You get lots of Gig-E ports in there and a couple of 10Gbps ports too. Not too bad.

The ASR1000 has an 8-port Gig-E card (called a SPA - Shared Port Adapter) that offers the most dense Gig-E port capacity in a single-height line card. There is a 10-port Gig-E SPA, but that is a double-height unit, i.e., it eats up 2x slots.

10Gbps port density on the ASR1000 sucks a bit; there is only a 1-port SPA, and no built-in 10Gbps ports unlike the MX80.

But on the other hand, the ASR1000 is great if you're looking to throw in some non-Ethernet SPAs, e.g., serial, E1, T1, SONET, SDH, etc. The MX80 won't do this efficiently today, and is really best deployed in Ethernet scenarios.

Also, the MX80 can come with rather complicated licensing structures even for the ports you want enabled, if you want to take advantage of their cheaper offers. This can get hairy.

Mark.

From xiangy08 at csnet1.cs.tsinghua.edu.cn Mon Jan 23 09:19:35 2012
From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang)
Date: Mon, 23 Jan 2012 23:19:35 +0800
Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
In-Reply-To:
References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net>
Message-ID:

Hi Chris,

2012/1/23 Christopher Morrow

> On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang
> wrote:
> > 2012/1/20 Arturo Servin
>
> >> > while Argus can discover potential hijackings caused by anomalous AS
> >> path.
>
> reading the preceding section (III.B) you check 3 things in the AMM
> (anomaly monitoring module)
>  1) proper origin (based on what?)
>  2) anomalous neighbour (based on what?)
>  3) policy anomaly (where did you determine the policy?)
>
> later text seems to imply you track some history (1 months worth) and
> use that as a baseline, for at least the neighbour and origin data.
> The policy data isn't clearly outlined though, where did that come
> from? (there's a note about use of whois, which could cover some of
> this, but certainly not all)
>

Yes, we use history as a baseline for the origin, neighbor and policy data:
origin data: a history of mappings,
neighbor data: a history of every "adjacent two ASes" in all AS paths received from BGPmon,
policy data: a history of every "adjacent three ASes" (AS triple) in all AS paths.

Origin and neighbor data is intuitive.

For policy data, we do not gather the exact routing policies, since they are usually private. In Argus, we use all "adjacent three ASes" in all AS paths as the policy data. This is because:
1) AS triples reflect the import/export routing policies;
2) while monitoring BGP updates, we only need to discover 'possible' hijackings, but not 'exact' hijackings. After figuring out a possible hijacking, the hijacking identification process will be launched and make the final judgement.

>
> The data plane testing you propose is from the public route-servers
> (eyes), which don't import the path you want, well routeviews I think
> doesn't import routes to it's FIB (or maybe I'm mistaken...) but point
> being with more than one peer on the routeserver it's not clear you
> would be taking the path you actually want to test anyway, is it?
>

Yes, each route-server usually has several routes to the target prefix. In Argus, we use the commands (i.e., "show route exact active-path") to get the 'best routes' of the prefix, and consider it as the route in FIB.

>
> -chris
>
>

-- 
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

From faisal at snappydsl.net Mon Jan 23 09:28:10 2012
From: faisal at snappydsl.net (Faisal Imtiaz)
Date: Mon, 23 Jan 2012 10:28:10 -0500
Subject: Fiber outage in Miami
In-Reply-To:
References:
Message-ID: <4F1D7C8A.8060907@snappydsl.net>

Yes, quite a few folks were affected, due to Fiberlight fiber cutover... event. But the effects were very localized.

Faisal Imtiaz
Snappy Internet & Telecom
7266 SW 48 Street
Miami, Fl 33155
Tel: 305 663 5518 x 232
Helpdesk: 305 663 5518 option 2
Email: Support at Snappydsl.net

On 1/23/2012 10:02 AM, Jimmy Changa wrote:
> Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for over almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted.
> > Sent from mobile device > From morrowc.lists at gmail.com Mon Jan 23 09:28:36 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Mon, 23 Jan 2012 10:28:36 -0500 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> Message-ID: On Mon, Jan 23, 2012 at 10:19 AM, Yang Xiang wrote: > Hi chris, > > 2012/1/23 Christopher Morrow >> >> On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang >> wrote: >> > 2012/1/20 Arturo Servin >> >> >> > while Argus can discover potential hijackings caused by anomalous AS >> >> path. >> >> reading the preceding section (III.B) you check 3 things in the AMM >> (anomaly monitoring module) >> ?1) proper origin (based on what?) >> ?2) anomalous neighbour (based on what?) >> ?3) policy anomaly (where did you determine the policy?) >> >> later text seems to imply you track some history (1 months worth) and >> use that as a baseline, for at least the neighbour and origin data. >> The policy data isn't clearly outlined though, where did that come >> from? (there's a note about use of whois, which could cover some of >> this, but certainly not all) > > yes, we use history as a baseline for both the origin,?neighbor?and policy > data. > origin data: a history of mappings, > neighbor data: a history of every "adjacent two ASes" in all AS paths > received from BGPmon, > policy data: a history of every "adjacent three ASes" (AS triple) in all AS > paths. > > origin and neighbor data is intuitive. > for policy data, we do not gather the exact routing policies, > since they are usually private. > In Argus, we use all "adjacent three ASes" in all AS paths as the policy > data. > this is because: > 1), AS triples reflect the import/export routing policies; > 2), while monitoring BGP updates, we only need to discover 'possible? > hijackings, but not 'exact' hijackings. > ? 
after figure out a possible hijacking, the hijacking identification > process will be launched and make the final judgement. ok, that seems squirrelly still :( > >> >> >> The data plane testing you propose is from the public route-servers >> (eyes), which don't import the path you want, well routeviews I think >> doesn't import routes to it's FIB (or maybe I'm mistaken...) but point >> being with more than one peer on the routeserver it's not clear you >> would be taking the path you actually want to test anyway, is it? > > yes, each route-server usually has several route to the target prefix. > In Argus, we use the commands (i.e., "show route exact active-path?) to get > the 'best routes' of the prefix, > and consider it as the route in FIB: so, take routeviews for example, they peer almost exclusively ebgp-multi-hop, so any 'best path' you see there isn't actually usable by the route-server... all traffic has to take the local transport out of the routeviews system, off to the internet and beyond. So, your blackhole testing isn't actually testing what you want, I think :( -chris From amaged at gmail.com Mon Jan 23 09:29:57 2012 From: amaged at gmail.com (amaged at gmail.com) Date: Mon, 23 Jan 2012 15:29:57 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <201201232258.48714.mtinka@globaltransit.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201232258.48714.mtinka@globaltransit.net> Message-ID: <47329025-1327332595-cardhu_decombobulator_blackberry.rim.net-1993554740-@b3.c16.bise7.blackberry> ASR 1000 does not run XR. You probably mean XE. The high availability features that requires maintaining state and stateful switch over never seem to work out of the box on early releases and need some time until the feature gets mature. I've found this across different vendors. The dual IOS process works best with two Routing Engines/ESPs on higher models. 
Contact your local vendor engineering representatives asking them for more details on the ASR1K High Availability features and they should tell you how it works in detail. Regards, Ahmed Sent using BlackBerry® from mobinil -----Original Message----- From: Mark Tinka Date: Mon, 23 Jan 2012 22:58:45 To: Reply-To: mtinka at globaltransit.net Subject: Re: juniper mx80 vs cisco asr 1000 On Friday, January 20, 2012 04:34:56 AM Thomas Donnelly wrote: > The warm standby IOS is a nice > feature for in service upgrades and crash avoidance. Except that sometimes, it did lead to a crash (for us anyway), because it eats up half the router's memory, and if you're running 3x full tables or more, you ran out of the other half and BOOM! And that was IOS XR 2, which is generally old now. We now turn off software redundancy on all ASR1000 boxes that don't have a 2nd RP. Mark. From mtinka at globaltransit.net Mon Jan 23 09:30:47 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 23 Jan 2012 23:30:47 +0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <20120120081435.GA17097@pob.ytti.fi> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> Message-ID: <201201232330.50370.mtinka@globaltransit.net> On Friday, January 20, 2012 04:14:35 PM Saku Ytti wrote: > MX80 is not competing against ASR1k, and JNPR has no > product to compete with ASR1k. And this is something I've been telling Juniper for years (not that they don't already know). The M7i and M10i have really done all they can - but trying to get an Ethernet box to do non-Ethernet things, while possible, is simply not economically viable for operators (FlexWAN's, SIP's, MX FPC's, anyone?). They really need to solve this one. The MX80 had no competition from Cisco, until the ASR9001 came out (and it supports 40Gbps line cards when they come out). Juniper are dropping the ball on this one. But hopefully, they're busy in the lab building a decent ASR1000 challenger.
Mark. From xiangy08 at csnet1.cs.tsinghua.edu.cn Mon Jan 23 09:51:00 2012 From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang) Date: Mon, 23 Jan 2012 23:51:00 +0800 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> Message-ID: 2012/1/23 Christopher Morrow > > ok, that seems squirrelly still :( > > so, take routeviews for example, they peer almost exclusively > ebgp-multi-hop, so any 'best path' you see there isn't actually usable > by the route-server... all traffic has to take the local transport out > of the routeviews system, off to the internet and beyond. So, your > blackhole testing isn't actually testing what you want, I think :( > it is not a serious problem, I think. 1). we do not use routeviews-like routeservers for hijacking identification, we only use routers. 2). there is a high possibility that, the 'best path' is the path in FIB table. 3). if the 'best path' is not the path in FIB, there is still a high possibility that the 'best path' is the path in the FIB of other routers in the same AS. 4), our criterion is a threshold of a fingerprint, not an extremum. the fingerprint evaluated the possibility. hope I'm not wrong. :) > -chris > > -- _________________________________________ Yang Xiang. Ph.D candidate. Tsinghua University Argus: argus.csnet1.cs.tsinghua.edu.cn From rps at maine.edu Mon Jan 23 09:56:58 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 23 Jan 2012 10:56:58 -0500 Subject: How are you doing DHCPv6 ?
In-Reply-To: <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net> <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> Message-ID: This is a problem that would be nice for ISC to resolve (or another dependable FOSS implementation). For a while now (about 20 years I believe) we've used ISC DHCPd in a distributed model for our public IPv4 space. In a nutshell, each DHCP server is configured only with static assignments, their log files are monitored (simple event correlator), and scripts are fired off to perform tasks like new assignments against a centralized database (MySQL). The database is responsible for keeping track of address assignments centrally and is used to generate configuration files for DHCPd. Dynamic updates are made using OMAPI. Unfortunately, the ISC DHCPv6 implementation makes replicating this impossible due to the lack of information logged. Another problem with the ISC DHCPv6 implementation is that it doesn't allow you to assign fixed-address information based on the DUID _and_ IAID, which becomes a problem when a host has more than one active adapter. The only options are hacking the source code if you feel comfortable doing so, or waiting for ISC to make the change (if they ever plan to). For now, we get by with static assignments made in the database and no dynamic allocation via DHCPv6, which does OK in a dual-stack environment where IPv6 isn't considered necessary yet, but in the near future that will change. On Tue, Jan 17, 2012 at 5:04 PM, Randy Carpenter wrote: > > I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users. > > We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment. > > We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. 
It also does not do very much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices. > > So, my questions are: > > > How are you doing DHCPv6 with Prefix Delegation? > > What software are you using? > > > When DHCPv6 with Prefix Delegation seems to be about the only way to deploy IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution. > > thanks, > -Randy > > -- > | Randy Carpenter > | Vice President - IT Services > | Red Hat Certified Engineer > | First Network Group, Inc. > | (800)578-6381, Opt. 1 > ---- > > -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From rs at seastrom.com Mon Jan 23 10:36:17 2012 From: rs at seastrom.com (Robert E. Seastrom) Date: Mon, 23 Jan 2012 11:36:17 -0500 Subject: VZ FiOS DNS issues: In-Reply-To: <5941B69EF8C7764DAE18F85A6A5A6AD00DAA45@east-mail.photon.com> (Jamie Bowden's message of "Mon, 23 Jan 2012 12:51:55 +0000") References: <5941B69EF8C7764DAE18F85A6A5A6AD00DA394@east-mail.photon.com> <867h0izmuc.fsf@seastrom.com> <5941B69EF8C7764DAE18F85A6A5A6AD00DAA45@east-mail.photon.com> Message-ID: <86pqeawf3y.fsf@seastrom.com> Jamie Bowden writes: > I don't care for the Actiontec boxes either, but the STB program > guides and other features don't work without it, so I have mine > forward all IP traffic unmolested to my own as the DMZ host Actually this can be worked around. My config has SA, er, Cisco STBs and a Netgear MCAB1001 MOCA to Ethernet bridge. This configuration is very unsupported, which is why I keep a completely unmolested Actiontec around to plug in if I have to have the guys at Verizon take a look at it. 
A little magic in dhcpd.conf: subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.1 ; option domain-name-servers 71.252.0.12 ; default-lease-time 86400 ; max-lease-time 172800 ; host stb100 { hardware ethernet 0:23:be:xx:xx:xx ; fixed-address 192.168.1.100 ; } host stb101 { hardware ethernet 0:21:be:xx:xx:xx ; fixed-address 192.168.1.101 ; } host stb102 { hardware ethernet 0:25:2e:xx:xx:xx ; fixed-address 192.168.1.102 ; } host stb103 { hardware ethernet 0:21:be:xx:xx:xx ; fixed-address 192.168.1.103 ; } } and then some appropriate holes in the firewall (/etc/pf.conf): # for STBs pass in quick on $extif inet proto tcp from any to ($extif) port 35000 rdr-to 192.168.1.100 port 7547 pass in quick on $extif inet proto tcp from any to ($extif) port 35001 rdr-to 192.168.1.101 port 7547 pass in quick on $extif inet proto udp from any to ($extif) port 63145 rdr-to 192.168.1.100 port 63145 (I only have one DVR and one STB - the definitions for extra STBs came out of the Actiontek. Not sure what I'll end up needing to do if I get another DVR or STB in order to get them properly provisioned...) Guide and VOD work fine. I don't feel like playing stuff from a PC on the STBs badly enough to be willing to cram my whole life into a flat 192.168.1/24, so I give those up. I've often wondered whether the boxes care about double-hopped NAT. Perhaps one of these days I'll try putting the Actiontek and some new pf.conf rules in place of the Netgear and give that a try. > (thus > the dual layer of [P|N]AT you see). It's just UDP/TCP 53 traffic > that's not flowing for whatever reason; it's every device in the > house phones, tablets, computers, you name it, so I'm not inclined > to attribute it to malware. My neighbor was also seeing it (and > like last time, it seems to have magically resolved itself after > ~1.5h). I'm just wondering what Verizon is DOING that they are > screwing up their own DNS traffic. 
If they were capturing my > queries and sending them to their own servers (I actually have > Google's public facing servers at the top of the list handed out by > DHCP) that would be one thing (irritating to be sure, but they > aren't, so it's not), but when I'm explicitly hitting a name server > down the street in Reston that VZ run and it's failing the same way? > It makes me wonder. No idea, just a datapoint that we're Not Seeing That Here... but if it is failing on google's public dns servers that's troubling to say the least. -r From ml at kenweb.org Mon Jan 23 11:56:18 2012 From: ml at kenweb.org (ML) Date: Mon, 23 Jan 2012 12:56:18 -0500 Subject: Fiber outage in Miami In-Reply-To: References: Message-ID: <4F1D9F42.1090808@kenweb.org> On 01/23/2012 10:02 AM, Jimmy Changa wrote: > Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for over almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted. > > Sent from mobile device Yes many people were affected. Many carriers who thought they had redundancy found out fast they did not... From mtinka at globaltransit.net Mon Jan 23 12:32:31 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 24 Jan 2012 02:32:31 +0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <47329025-1327332595-cardhu_decombobulator_blackberry.rim.net-1993554740-@b3.c16.bise7.blackberry> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201232258.48714.mtinka@globaltransit.net> <47329025-1327332595-cardhu_decombobulator_blackberry.rim.net-1993554740-@b3.c16.bise7.blackberry> Message-ID: <201201240232.31598.mtinka@globaltransit.net> On Monday, January 23, 2012 11:29:57 PM amaged at gmail.com wrote: > ASR 1000 does not run XR. You probably mean XE. Indeed, I did, as I clarified in some private responses as well. I thought it would be obvious so I decided not to publicly correct it :-). 
> The high availability features that require maintaining > state and stateful switch over never seem to work out of > the box on early releases and need some time until the > feature gets mature. I've found this across different > vendors. To be fair, I've only ever used SSO on the CRS and ASR1000; fairly happy with those jobs. The same on a 6500 was an utter fail, but we mostly kit those out with single SUP720's anyway, so no point for SSO. The rest of our Cisco is 7200's, which are just a single control plane. GRES on Juniper works pretty well, provided you understand the caveats, e.g., Multicast isn't maintained across failovers, etc. Other kinky HA features like ISSU for this or that protocol are too sexy for us. BFD is as exotic as we'll get, plus a little bit of IETF Graceful Restart (not NSR here). > The dual IOS process works best with two Routing > Engines/ESPs on higher models. Well, if you have dual RP's, you don't need the dual IOS XE software process then :-). Mark. From kemp at network-services.uoregon.edu Mon Jan 23 13:07:50 2012 From: kemp at network-services.uoregon.edu (John Kemp) Date: Mon, 23 Jan 2012 11:07:50 -0800 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> Message-ID: <4F1DB006.4080208@network-services.uoregon.edu> On 1/23/2012 7:28 AM, Christopher Morrow wrote: > On Mon, Jan 23, 2012 at 10:19 AM, Yang Xiang > wrote: >> Hi chris, >> >> 2012/1/23 Christopher Morrow >>> On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang >>> wrote: >>>> 2012/1/20 Arturo Servin >>>>>> while Argus can discover potential hijackings caused by anomalous AS >>>>> path.
>>> reading the preceding section (III.B) you check 3 things in the AMM >>> (anomaly monitoring module) >>> 1) proper origin (based on what?) >>> 2) anomalous neighbour (based on what?) >>> 3) policy anomaly (where did you determine the policy?) >>> >>> later text seems to imply you track some history (1 month's worth) and >>> use that as a baseline, for at least the neighbour and origin data. >>> The policy data isn't clearly outlined though, where did that come >>> from? (there's a note about use of whois, which could cover some of >>> this, but certainly not all) >> yes, we use history as a baseline for both the origin, neighbor and policy >> data. >> origin data: a history of mappings, >> neighbor data: a history of every "adjacent two ASes" in all AS paths >> received from BGPmon, >> policy data: a history of every "adjacent three ASes" (AS triple) in all AS >> paths. >> >> origin and neighbor data is intuitive. >> for policy data, we do not gather the exact routing policies, >> since they are usually private. >> In Argus, we use all "adjacent three ASes" in all AS paths as the policy >> data. >> this is because: >> 1), AS triples reflect the import/export routing policies; >> 2), while monitoring BGP updates, we only need to discover 'possible' >> hijackings, but not 'exact' hijackings. >> after figuring out a possible hijacking, the hijacking identification >> process will be launched and make the final judgement. > ok, that seems squirrelly still :( > >>> >>> The data plane testing you propose is from the public route-servers >>> (eyes), which don't import the path you want, well routeviews I think >>> doesn't import routes to its FIB (or maybe I'm mistaken...) but point >>> being with more than one peer on the routeserver it's not clear you >>> would be taking the path you actually want to test anyway, is it? >> yes, each route-server usually has several routes to the target prefix. >> In Argus, we use the commands (i.e., "show route exact active-path")
to get >> the 'best routes' of the prefix, >> and consider it as the route in FIB: > so, take routeviews for example, they peer almost exclusively > ebgp-multi-hop, so any 'best path' you see there isn't actually usable > by the route-server... all traffic has to take the local transport out > of the routeviews system, off to the internet and beyond. So, your > blackhole testing isn't actually testing what you want, I think :( > > -chris > Minor correction there. If you are talking about our IX collectors (LINX, PAIX, EQIX Ashburn, SYDNEY, etc.) those are at exchanges and peering directly. The collectors at Univ of Oregon (rv,rv2,rv3,rv4, rv6), yeah, those are multi-hop. Doesn't detract from your point, but I think it helps if people are aware of whether they are on the exchange or on a multihop when using routeviews collectors. Only other thing to add, I don't think anyone mentioned Cyclops in this thread. Just as another data point, see also: http://cyclops.6watch.net or http://cyclops.cs.ucla.edu John Kemp (kemp at routeviews.org) From jared at puck.nether.net Mon Jan 23 13:23:48 2012 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 23 Jan 2012 14:23:48 -0500 Subject: AT&T and IPv6 Launch Message-ID: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> Is there someone who can talk about how to get IPv6 on AT&T residential? Thanks, - Jared -- snip -- ISPs participating in World IPv6 Launch will enable IPv6 for enough users so that at least 1% of their wireline residential subscribers who visit participating websites will do so using IPv6 by 6 June 2012. These ISPs have committed that IPv6 will be available automatically as the normal course of business for a significant portion of their subscribers. Committed ISPs are: • AT&T -- snip -- From rcarpen at network1.net Mon Jan 23 13:44:55 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Mon, 23 Jan 2012 14:44:55 -0500 (EST) Subject: How are you doing DHCPv6 ?
In-Reply-To: Message-ID: <31c6fa01-0ec1-4d1e-bf07-5c137906833e@zimbra.network1.net> We have also recently realized that the DUID is pretty much completely random, and there is no way to tie the MAC address to a client. This pretty much makes it impossible to manage a large customer base. -Randy ----- Original Message ----- > This is a problem that would be nice for ISC to resolve (or another > dependable FOSS implementation). > > For a while now (about 20 years I believe) we've used ISC DHCPd in a > distributed model for our public IPv4 space. In a nutshell, each > DHCP > server is configured only with static assignments, their log files > are > monitored (simple event correlator), and scripts are fired off to > perform tasks like new assignments against a centralized database > (MySQL). The database is responsible for keeping track of address > assignments centrally and is used to generate configuration files for > DHCPd. Dynamic updates are made using OMAPI. > > Unfortunately, the ISC DHCPv6 implementation makes replicating this > impossible due to the lack of information logged. > > Another problem with the ISC DHCPv6 implementation is that it doesn't > allow you to assign fixed-address information based on the DUID _and_ > IAID, which becomes a problem when a host has more than one active > adapter. > > The only options are hacking the source code if you feel comfortable > doing so, or waiting for ISC to make the change (if they ever plan > to). > > For now, we get by with static assignments made in the database and > no > dynamic allocation via DHCPv6, which does OK in a dual-stack > environment where IPv6 isn't considered necessary yet, but in the > near > future that will change. > > > > > On Tue, Jan 17, 2012 at 5:04 PM, Randy Carpenter > wrote: > > > > I am wondering how people out there are using DHCPv6 to handle > > assigning prefixes to end users. > > > > We have a requirement for it to be a redundant server that is > > centrally located. 
DHCPv6 will be relayed from each customer > > access segment. > > > > We have been looking at using ISC dhcpd, as that is what we use for > > v4. However, it currently does not support any redundancy. It also > > does not do very much useful logging for DHCPv6 requests. > > Certainly not enough to keep track of users and devices. > > > > So, my questions are: > > > > > > How are you doing DHCPv6 with Prefix Delegation? > > > > What software are you using? > > > > > > When DHCPv6 with Prefix Delegation seems to be about the only way > > to deploy IPv6 to end users in a generic device-agnostic fashion, > > I am wondering why it is so difficult to find a working solution. > > > > thanks, > > -Randy > > > > -- > > | Randy Carpenter > > | Vice President - IT Services > > | Red Hat Certified Engineer > > | First Network Group, Inc. > > | (800)578-6381, Opt. 1 > > ---- > > > > > > > > -- > Ray Soucy > > Epic Communications Specialist > > Phone: +1 (207) 561-3526 > > Networkmaine, a Unit of the University of Maine System > http://www.networkmaine.net/ > > From eric at ericheather.com Mon Jan 23 14:46:49 2012 From: eric at ericheather.com (Eric C. Miller) Date: Mon, 23 Jan 2012 20:46:49 +0000 Subject: Populating BGP from Connected or IGP routes Message-ID: Hi all, I'm looking for a best practice sort of answer, plus maybe comments on why your network may or may not follow this. First, when running a small ISP with about the equivalent of a /18 or /19 in different blocks, how should you decide what should be in the IGP and what should be in BGP? I assume that it's somewhere between all and none, and one site that I found made some good sense saying something to the following, "Use a link-state protocol to track interconnections and loopbacks only, and place all of the networks including customer networks into BGP." Secondly, when is it ok, or preferable to utilize "redistribute connected" for gathering networks for BGP over using a network statement?
I know that this influences the origin code, but past that, why else? Would it ever be permissible to redistribute from the IGP into BGP? Thanks for everyone's input! Eric Miller From jml at packetpimp.org Mon Jan 23 14:57:44 2012 From: jml at packetpimp.org (Jason LeBlanc) Date: Mon, 23 Jan 2012 15:57:44 -0500 Subject: Fiber outage in Miami In-Reply-To: References: Message-ID: <4F1DC9C8.3060205@packetpimp.org> We are still impacted from what I understand. On 01/23/2012 10:02 AM, Jimmy Changa wrote: > Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for over almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted. > > Sent from mobile device From jof at thejof.com Mon Jan 23 15:04:20 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Mon, 23 Jan 2012 13:04:20 -0800 Subject: Populating BGP from Connected or IGP routes In-Reply-To: References: Message-ID: On Mon, Jan 23, 2012 at 12:46 PM, Eric C. Miller wrote: > Hi all, > > I'm looking for a best practice sort of answer, plus maybe comments on why your network may or may not follow this. > > First, when running a small ISP with about the equivalent of a /18 or /19 in different blocks, how should you decide what should be in the IGP and what should be in BGP? I assume that it's somewhere between all and none, and one site that I found made some good sense saying something to the following, "Use a link-state protocol to track interconnections and loopbacks only, and place all of the networks including customer networks into BGP." > > Secondly, when is it ok, or preferable to utilize "redistribute connected" for gathering networks for BGP over using a network statement? I know that this influences the origin code, but past that, why else? Would it ever be permissible to redistribute from the IGP into BGP? This is one of those questions where the answer will depend heavily on who you ask.
In my opinion, I would - Keep externally-learned eBGP routes in one table. The "Internet" table. - Keep internal links (loopbacks, single-homed (to me) customers, networks containing next-hops outside your AS) in an IGP (like OSPF or IS-IS). These routes should very rarely get exchanged outside the AS. - Where possible, have multi-homed customers speak BGP to your AS and just treat those routes as those you'll provide transit for (re-announcing them to other external peers) -- In cases where customers multi or single-home with their own address space that they'd like you to address, put very specific filters and tagging on the routes. This way, you can perform careful filtering on allowing those routes to cross the boundary from IGP to EGP (and onto your external peers). Cheers, jof From smb at cs.columbia.edu Mon Jan 23 15:17:57 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Mon, 23 Jan 2012 16:17:57 -0500 Subject: LAw Enforcement Contact In-Reply-To: References: Message-ID: <6B0CE433-91D2-438F-9DB8-F89E6EF56911@cs.columbia.edu> On Jan 23, 2012, at 2:46 AM, Chris wrote: > The appropriately named SS mainly deals with counterfeit currency, > widespread ID theft (See also: Ryan1918) and threats to the President. Actually, they have statutory authority to deal with computer crime, too; see http://www.secretservice.gov/criminal.shtml and http://www.law.cornell.edu/uscode/18/1030.html --Steve Bellovin, https://www.cs.columbia.edu/~smb From trelane at trelane.net Mon Jan 23 15:21:11 2012 From: trelane at trelane.net (Andrew D Kirch) Date: Mon, 23 Jan 2012 16:21:11 -0500 Subject: LAw Enforcement Contact In-Reply-To: References: Message-ID: <4F1DCF47.50704@trelane.net> From memory Ameen Pishdadi is the owner of GIGENET, run by Paul Ashley (Aka XEROX), and comprised of the IP space and assets of FOONET. One would think that he has much contact with law enforcement. Or does my memory fail me? Andrew On 1/22/2012 8:16 PM, A. 
Pishdadi wrote: > Hello, > > We recently tracked down a botnet that attacked our network. We found the > C&C server, it has approximately 40-50 servers, consisting of mostly *nix > machines with high speed connections, for example AWS servers or dedicated, > attack capacity is 4-5Gb/s or more. Are there any contacts with law > enforcement here that I can send over the info to? > > . From streiner at cluebyfour.org Mon Jan 23 15:25:08 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 23 Jan 2012 16:25:08 -0500 (EST) Subject: Populating BGP from Connected or IGP routes In-Reply-To: References: Message-ID: On Mon, 23 Jan 2012, Eric C. Miller wrote: > I'm looking for a best practice sort of answer, plus maybe comments on > why your network may or may not follow this. > > First, when running a small ISP with about the equivalent of a /18 or > /19 in different blocks, how should you decide what should be in the IGP > and what should be in BGP? I assume that it's somewhere between all and > none, and one site that I found made some good sense saying something to > the following, "Use a link-state protocol to track interconnections and > loopbacks only, and place all of the networks including customer > networks into BGP." That depends on your architecture. There are several ways to deploy sane/scalable IGP and EGP architectures. > Secondly, when is it ok, or preferable to utilize "redistribute > connected" for gathering networks for BGP over using a network > statement? I know that this influences the origin code, but past that, > why else? Would it ever be permissible to redistribute from the IGP into > BGP? Keep in mind that "redistribute connected" and a "network" statement in your IGP do two different things.
For example, in OSPF, adding a network statement for an interface will enable OSPF on that interface, and your router will try to find other OSPF speaking devices that are connected to that interface and form an adjacency with them, unless you make the interface passive, which would negate the network statement. Routes for connected interfaces that are imported/redistributed into your IGP might carry a different origin, LSA type and/or metric, depending on how you import them. "passive-interface default" is your friend :) jms From jlewis at lewis.org Mon Jan 23 15:26:02 2012 From: jlewis at lewis.org (Jon Lewis) Date: Mon, 23 Jan 2012 16:26:02 -0500 (EST) Subject: Populating BGP from Connected or IGP routes In-Reply-To: References: Message-ID: On Mon, 23 Jan 2012, Eric C. Miller wrote: > First, when running a small ISP with about the equivalent of a /18 or > /19 in different blocks, how should you decide what should be in the IGP > and what should be in BGP? I assume that it's somewhere between all and > none, and one site that I found made some good sense saying something to > the following, "Use a link-state protocol to track interconnections and > loopbacks only, and place all of the networks including customer > networks into BGP." The simple answer, for an ISP of small size, is use a traditional IGP such as OSPF or ISIS for internal routing (if any dynamic routing is even needed), and BGP for internet routing, with iBGP between your transit routers if you have more than one transit router. > Secondly, when is it ok, or preferable to utilize "redistribute > connected" for gathering networks for BGP over using a network > statement? I know that this influences the origin code, but past that, > why else? Would it ever be permissible to redistribute from the IGP into > BGP? I haven't seen one. It's too easy to screw up and let routes out that shouldn't be if you redistribute into BGP...the only exception being a well filtered setup for real time blackhole routing.
For a small ISP, I'd suggest just using network statements and high metric static routes to null0 to make those network statements always advertise. If you're a little bigger and have BGP customers, then I highly recommend use of BGP communities to control your outbound route filtering. By defining and setting communities on received customer routes, you can turn up new BGP customers without having to modify anything beyond the router they're connected to. It amazes me that there are large networks still not set up this way. "You need an after hours maintenance window to turn up a BGP customer?" "Yeah, we have to modify the prefix list filters on all our backbone routers." WTF? ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From sethm at rollernet.us Mon Jan 23 15:51:48 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 23 Jan 2012 13:51:48 -0800 Subject: AT&T and IPv6 Launch In-Reply-To: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> Message-ID: <4F1DD674.30407@rollernet.us> On 1/23/12 11:23 AM, Jared Mauch wrote: > Is there someone who can talk about how to get IPv6 on AT&T residential? > > Thanks, > > - Jared > > -- snip -- > ISPs participating in World IPv6 Launch will enable IPv6 for enough users so that at least 1% of their wireline residential subscribers who visit participating websites will do so using IPv6 by 6 June 2012. These ISPs have committed that IPv6 will be available automatically as the normal course of business for a significant portion of their subscribers. Committed ISPs are: > > • AT&T > -- snip -- > I'm interested too and willing to experiment, although I suspect my city is too small to make the first cut.
~Seth From marka at isc.org Mon Jan 23 16:05:02 2012 From: marka at isc.org (Mark Andrews) Date: Tue, 24 Jan 2012 09:05:02 +1100 Subject: How are you doing DHCPv6 ? In-Reply-To: Your message of "Mon, 23 Jan 2012 10:56:58 CDT." References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net> <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> Message-ID: <20120123220502.612E51BD89B5@drugs.dv.isc.org> In message , Ray Soucy writes: > This is a problem that would be nice for ISC to resolve (or another > dependable FOSS implementation). > > For a while now (about 20 years I believe) we've used ISC DHCPd in a > distributed model for our public IPv4 space. In a nutshell, each DHCP > server is configured only with static assignments, their log files are > monitored (simple event correlator), and scripts are fired off to > perform tasks like new assignments against a centralized database > (MySQL). The database is responsible for keeping track of address > assignments centrally and is used to generate configuration files for > DHCPd. Dynamic updates are made using OMAPI. > > Unfortunately, the ISC DHCPv6 implementation makes replicating this > impossible due to the lack of information logged. > > Another problem with the ISC DHCPv6 implementation is that it doesn't > allow you to assign fixed-address information based on the DUID _and_ > IAID, which becomes a problem when a host has more than one active > adapter. > > The only options are hacking the source code if you feel comfortable > doing so, or waiting for ISC to make the change (if they ever plan > to). I can't see any request to add this feature to ISC DHCPv6 so I've opened 27564 request for duid+iaid as selection criteria If we don't know you need a feature we can't put it on the roadmap. 
> For now, we get by with static assignments made in the database and no > dynamic allocation via DHCPv6, which does OK in a dual-stack > environment where IPv6 isn't considered necessary yet, but in the near > future that will change. > > > > > On Tue, Jan 17, 2012 at 5:04 PM, Randy Carpenter wrote: > > > > I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users. > > > > We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment. > > > > We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very > much useful logging for DHCPv6 requests. Certainly not enough to keep track of users and devices. > > > > So, my questions are: > > > > > > How are you doing DHCPv6 with Prefix Delegation? > > > > What software are you using? > > > > > > When DHCPv6 with Prefix Delegation seems to be about the only way to deploy > IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution. > > > > thanks, > > -Randy > > > > -- > > | Randy Carpenter > > | Vice President - IT Services > > | Red Hat Certified Engineer > > | First Network Group, Inc. > > | (800)578-6381, Opt. 1 > > ---- > > > > > > > > -- > Ray Soucy > > Epic Communications Specialist > > Phone: +1 (207) 561-3526 > > Networkmaine, a Unit of the University of Maine System > http://www.networkmaine.net/ > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From kauer at biplane.com.au Mon Jan 23 16:17:29 2012 From: kauer at biplane.com.au (Karl Auer) Date: Tue, 24 Jan 2012 09:17:29 +1100 Subject: How are you doing DHCPv6 ?
In-Reply-To: <31c6fa01-0ec1-4d1e-bf07-5c137906833e@zimbra.network1.net> References: <31c6fa01-0ec1-4d1e-bf07-5c137906833e@zimbra.network1.net> Message-ID: <1327357049.5290.154.camel@karl> On Mon, 2012-01-23 at 14:44 -0500, Randy Carpenter wrote: > We have also recently realized that the DUID is pretty much completely > random, and there is no way to tie the MAC address to a client. This > pretty much makes it impossible to manage a large customer base. Not sure about that. The DUID is not random, at least not if it is being generated according to RFC 3315, which it probably should be. A DUID should be generated by a client[1] the first time it needs one, then be stored and never change[2]. All clients are supposed to provide a mechanism for setting the DUID to a specific value. Once generated, the DUID is indeed tied to the client unless something intervenes. In particular, a DUID is not affected by a change of NIC and is identical for all connected interfaces. I have to confess that we are not actually doing it, but the plan[3] is to capture new DUIDs as they happen and record the address->DUID mapping in our database. That's pretty much what we do now for boxes where the MAC address is not printed on the outside! But only where we need a reservation. The servers we use will always give the same address to the same DUID. Since we do not expect to use actual reserved addresses very much, this should be all we need. We are a) not really a large enterprise and b) not an ISP or carrier, so perhaps our needs are not the same as those you envisage. Vendors delivering pre-installed operating systems can set up vendor-assigned unique DUIDs and print them on the box, much as MAC addresses now are. It seems to me that DUIDs are better handles for clients than MAC addresses, but will require a change in the way people do things. Regards, K. 
[1] The algorithm for generating the DUID can include the MAC of any available interface, the time of day etc, but is supposed to be treated as opaque (RFC3315, section 9). Since RFC 3315 defines precisely how the DUIDs are to be generated, it should be very easy to extract the MAC address part, but given that the MAC address used may not actually exist on the device any more, I'm not sure that's very useful. It might be useful the first time a new DUID is seen, on the assumption that the NIC was not changed before the machine was first run. Then one could note the MAC address when provisioning the machine, and recognise the DUID of that machine when it pops up on the network. Mind you, the assumption is not foolproof. [2] Obviously devices with no long-term storage (or no storage at all) will use a different generation algorithm than ones that do have storage. [3] "No battle plan survives contact with the enemy" - Helmuth von Moltke the Elder. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 From rps at maine.edu Mon Jan 23 16:23:30 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 23 Jan 2012 17:23:30 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: <31c6fa01-0ec1-4d1e-bf07-5c137906833e@zimbra.network1.net> References: <31c6fa01-0ec1-4d1e-bf07-5c137906833e@zimbra.network1.net> Message-ID: The requirement of the DUID is a big hurdle to DHCPv6 adoption, I agree. Currently, a DUID can be generated in 1 of 3 ways, 2 of which include _any_ MAC address of the system at the time of generation. After that, the DUID is stored in software. The idea is that the DUID identifies the system and the IAID identifies the interface, and that over time, the system will keep its DUID even if the network adapter changes.
This is obviously different from how we use DHCP for legacy IP. There are a few problems as a result: 1. Systems that are built using disk images can all have the same DUID unless the admin takes care to remove any generated DUID on the image (already see this on Windows 7 and even Linux). 2. Networks where the MAC addresses for systems are already known can't simply build a DHCPv6 configuration based on those MACs. If someone were to modify DHCPv6 to address these concerns, I think the easiest way to do so would be to extend DHCPv6 relay messages to include the MAC address of the system making the request (DHCPv6 servers on local sub-networks would be able to determine the MAC from the packet). This would allow transitional DHCPv6 configurations to be built on MAC addresses rather than DUID without client modification (which is key). Perhaps this is already possible through the use of RFC 6422 (which shouldn't break anything). I think more important, though, is a good DHCPv6 server implementation with verbose logging capabilities, and the ability to specify a DUID, DUID+IAID, or MAC for static assignments. I know there are people from ISC on-list. It would be great to hear someone who works on DHCPd chime in. How about we start with modifying ISC DHCPd for IPv6 to have proper logging and support for configuring IAID, then work on the MAC awareness piece. ISC DHCPd makes use of RAW sockets, so it should always have the MAC for a non-relayed request. Then we just need to work with router vendors on adding MACs as a relay option. On Mon, Jan 23, 2012 at 2:44 PM, Randy Carpenter wrote: > > We have also recently realized that the DUID is pretty much completely random, and there is no way to tie the MAC address to a client. This pretty much makes it impossible to manage a large customer base. > > -Randy > > > ----- Original Message ----- >> This is a problem that would be nice for ISC to resolve (or another >> dependable FOSS implementation).
>> >> For a while now (about 20 years I believe) we've used ISC DHCPd in a >> distributed model for our public IPv4 space. In a nutshell, each >> DHCP >> server is configured only with static assignments, their log files >> are >> monitored (simple event correlator), and scripts are fired off to >> perform tasks like new assignments against a centralized database >> (MySQL). The database is responsible for keeping track of address >> assignments centrally and is used to generate configuration files for >> DHCPd. Dynamic updates are made using OMAPI. >> >> Unfortunately, the ISC DHCPv6 implementation makes replicating this >> impossible due to the lack of information logged. >> >> Another problem with the ISC DHCPv6 implementation is that it doesn't >> allow you to assign fixed-address information based on the DUID _and_ >> IAID, which becomes a problem when a host has more than one active >> adapter. >> >> The only options are hacking the source code if you feel comfortable >> doing so, or waiting for ISC to make the change (if they ever plan >> to). >> >> For now, we get by with static assignments made in the database and >> no >> dynamic allocation via DHCPv6, which does OK in a dual-stack >> environment where IPv6 isn't considered necessary yet, but in the >> near >> future that will change. >> >> >> >> >> On Tue, Jan 17, 2012 at 5:04 PM, Randy Carpenter >> wrote: >> > >> > I am wondering how people out there are using DHCPv6 to handle >> > assigning prefixes to end users. >> > >> > We have a requirement for it to be a redundant server that is >> > centrally located. DHCPv6 will be relayed from each customer >> > access segment. >> > >> > We have been looking at using ISC dhcpd, as that is what we use for >> > v4. However, it currently does not support any redundancy. It also >> > does not do very much useful logging for DHCPv6 requests. >> > Certainly not enough to keep track of users and devices.
>> > >> > So, my questions are: >> > >> > >> > How are you doing DHCPv6 with Prefix Delegation? >> > >> > What software are you using? >> > >> > >> > When DHCPv6 with Prefix Delegation seems to be about the only way >> > to deploy IPv6 to end users in a generic device-agnostic fashion, >> > I am wondering why it is so difficult to find a working solution. >> > >> > thanks, >> > -Randy >> > >> > -- >> > | Randy Carpenter >> > | Vice President - IT Services >> > | Red Hat Certified Engineer >> > | First Network Group, Inc. >> > | (800)578-6381, Opt. 1 >> > ---- >> > >> > >> >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ >> >> > -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From rcarpen at network1.net Mon Jan 23 16:26:32 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Mon, 23 Jan 2012 17:26:32 -0500 (EST) Subject: How are you doing DHCPv6 ? In-Reply-To: <1327357049.5290.154.camel@karl> Message-ID: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> One major issue is that there is no way to associate a user's MAC (for IPv4) with their DUID. I haven't been able to find a way to account for this without making the user authenticate once for IPv4, and then again for IPv6. This is cumbersome to the user. Also, in the past there have been various reasons why we want to pre-authenticate a client's MAC address (mostly for game consoles, and such, which have the MAC written on the outside of the machine). How can this be done with IPv6, where the DUID is not constant? -Randy ----- Original Message ----- > On Mon, 2012-01-23 at 14:44 -0500, Randy Carpenter wrote: > > We have also recently realized that the DUID is pretty much > > completely > > random, and there is no way to tie the MAC address to a client.
> > This > > pretty much makes it impossible to manage a large customer base. > > Not sure about that. The DUID is not random, at least not if it is > being > generated according to RFC 3315, which it probably should be. > > A DUID should be generated by a client[1] the first time it needs > one, > then be stored and never change[2]. All clients are supposed to > provide > a mechanism for setting the DUID to a specific value. Once generated, > the DUID is indeed tied to the client unless something intervenes. In > particular, a DUID is not affected by a change of NIC and is > identical > for all connected interfaces. > > I have to confess that we are not actually doing it, but the plan[3] > is > to capture new DUIDs as they happen and record the address->DUID > mapping > in our database. That's pretty much what we do now for boxes where > the > MAC address is not printed on the outside! But only where we need a > reservation. > > The servers we use will always give the same address to the same > DUID. > Since we do not expect to use actual reserved addresses very much, > this > should be all we need. We are a) not really a large enterprise and b) > not an ISP or carrier, so perhaps our needs are not the same as those > you envisage. > > Vendors delivering pre-installed operating systems can set up > vendor-assigned unique DUIDs and print them on the box, much as MAC > addresses now are. > > It seems to me that DUIDs are better handles for clients than MAC > addresses, but will require a change in the way people do things. > > Regards, K. > > [1] The algorithm for generating the DUID can include the MAC of any > available interface, the time of day etc, but is supposed to be > treated > as opaque (RFC3315, section 9). Since RFC 3315 defines precisely how > the > DUIDs are to be generated, it should be very easy to extract the MAC > address part, but given that the MAC address used may not actually > exist > on the device any more, I'm not sure that's very useful. 
It might be > useful the first time a new DUID is seen, on the assumption that the > NIC > was not changed before the machine was first run. Then one could note > the MAC address when provisioning the machine, and recognise the DUID > of > that machine when it pops up on the network. Mind you, the assumption > is > not foolproof. > > [2] Obviously devices with no long-term storage (or no storage at al! > - > will use a different generation algorithm than ones that do have > storage. > > [2] "No battle plan survives contact with the enemy" - Helmuth von > Moltke the Elder. > > -- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Karl Auer (kauer at biplane.com.au) > http://www.biplane.com.au/kauer > > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 > > > > From rps at maine.edu Mon Jan 23 16:52:42 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 23 Jan 2012 17:52:42 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: <20120123220502.612E51BD89B5@drugs.dv.isc.org> References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net> <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> <20120123220502.612E51BD89B5@drugs.dv.isc.org> Message-ID: Thanks, Mark. The ISC website isn't very clear on how to make such requests unless you have a support contract. Also make note of my last response to the thread on logging and MAC awareness, as it may also be worth consideration. On Mon, Jan 23, 2012 at 5:05 PM, Mark Andrews wrote: > > In message > , Ray Soucy writes: >> This is a problem that would be nice for ISC to resolve (or another >> dependable FOSS implementation). >> >> For a while now (about 20 years I believe) we've used ISC DHCPd in a >> distributed model for our public IPv4 space. 
In a nutshell, each DHCP >> server is configured only with static assignments, their log files are >> monitored (simple event correlator), and scripts are fired off to >> perform tasks like new assignments against a centralized database >> (MySQL). The database is responsible for keeping track of address >> assignments centrally and is used to generate configuration files for >> DHCPd. Dynamic updates are made using OMAPI. >> >> Unfortunately, the ISC DHCPv6 implementation makes replicating this >> impossible due to the lack of information logged. >> >> Another problem with the ISC DHCPv6 implementation is that it doesn't >> allow you to assign fixed-address information based on the DUID _and_ >> IAID, which becomes a problem when a host has more than one active >> adapter. >> >> The only options are hacking the source code if you feel comfortable >> doing so, or waiting for ISC to make the change (if they ever plan >> to). > > I can't see any request to add this feature to ISC DHCPv6 so I've opened > > 27564 request for duid+iaid as selection criteria > > If we don't know you need a feature we can't put it on the roadmap. > >> For now, we get by with static assignments made in the database and no >> dynamic allocation via DHCPv6, which does OK in a dual-stack >> environment where IPv6 isn't considered necessary yet, but in the near >> future that will change. >> >> >> >> >> On Tue, Jan 17, 2012 at 5:04 PM, Randy Carpenter wrote: >> > >> > I am wondering how people out there are using DHCPv6 to handle assigning prefixes to end users. >> > >> > We have a requirement for it to be a redundant server that is centrally located. DHCPv6 will be relayed from each customer access segment. >> > >> > We have been looking at using ISC dhcpd, as that is what we use for v4. However, it currently does not support any redundancy. It also does not do very >> much useful logging for DHCPv6 requests.
Certainly not enough to keep track of users and devices. >> > >> > So, my questions are: >> > >> > >> > How are you doing DHCPv6 with Prefix Delegation? >> > >> > What software are you using? >> > >> > >> > When DHCPv6 with Prefix Delegation seems to be about the only way to deploy >> IPv6 to end users in a generic device-agnostic fashion, I am wondering why it is so difficult to find a working solution. >> > >> > thanks, >> > -Randy >> > >> > -- >> > | Randy Carpenter >> > | Vice President - IT Services >> > | Red Hat Certified Engineer >> > | First Network Group, Inc. >> > | (800)578-6381, Opt. 1 >> > ---- >> > >> > >> >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ >> > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From kauer at biplane.com.au Mon Jan 23 16:56:58 2012 From: kauer at biplane.com.au (Karl Auer) Date: Tue, 24 Jan 2012 09:56:58 +1100 Subject: How are you doing DHCPv6 ? In-Reply-To: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> References: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> Message-ID: <1327359418.5290.168.camel@karl> On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: > One major issue is that there is no way to associate a user's MAC (for > IPv4) with their DUID. I haven't been able to find a way to account > for this without making the user authenticate once for IPv4, and then > again for IPv6. This is cumbersome to the user.
Also, in the past > there have been various reason why we want to pre-authenticate a > client's MAC address (mostly for game consoles, and such, which have > the MAC written on the outside of the machine). How can this be done > with IPv6, which the DUID is not constant? Perhaps I misunderstand you (or the RFCs) but it seems to me that the DUID *is* constant. Reading section 9 of RFC 3315, it's pretty clear that a DUID is generated once, according to simple rules, and does not change once it has been generated. Barring intervention, of course. The problem is how to either find out ahead of time what DUID a client has OR how to impose a specific DUID on a client as part of provisioning it. Neither of those issues looks particularly intractable, especially if vendors start shipping with pre-configured DUIDs that are written on the boxes. What do you mean by "authenticate"? Do you mean something like 802.1x? Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: From rps at maine.edu Mon Jan 23 17:07:55 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 23 Jan 2012 18:07:55 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: <1327359418.5290.168.camel@karl> References: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> <1327359418.5290.168.camel@karl> Message-ID: Yes, DUID and IAID should be persistent on systems. If they are not then they are not following the RFC. Note that bad practices, though, can remove that persistence (e.g. deleting the DUID, or replicating the DUID on other systems). 
On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer wrote: > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: >> One major issue is that there is no way to associate a user's MAC (for >> IPv4) with their DUID. I haven't been able to find a way to account >> for this without making the user authenticate once for IPv4, and then >> again for IPv6. This is cumbersome to the user. Also, in the past >> there have been various reason why we want to pre-authenticate a >> client's MAC address (mostly for game consoles, and such, which have >> the MAC written on the outside of the machine). How can this be done >> with IPv6, which the DUID is not constant? > > Perhaps I misunderstand you (or the RFCs) but it seems to me that the > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty clear > that a DUID is generated once, according to simple rules, and does not > change once it has been generated. Barring intervention, of course. > > The problem is how to either find out ahead of time what DUID a client > has OR how to impose a specific DUID on a client as part of provisioning > it. Neither of those issues looks particularly intractable, especially > if vendors start shipping with pre-configured DUIDs that are written on > the boxes. > > What do you mean by "authenticate"? Do you mean something like 802.1x? > > Regards, K. > > -- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Karl Auer (kauer at biplane.com.au) > http://www.biplane.com.au/kauer > > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From rcarpen at network1.net Mon Jan 23 17:12:07 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Mon, 23 Jan 2012 18:12:07 -0500 (EST) Subject: How are you doing DHCPv6 ? 
In-Reply-To: Message-ID: Controlled by software = not constant. It is also not likely to be something that is knowable on a piece of electronic gear that is not a PC, nor will it be something that can be printed on the outside of the device, like most today. -Randy ----- Original Message ----- > Yes, DUID and IAID should be persistent on systems. If they are not > then they are not following the RFC. > > Note that bad practices, though, can remove that persistence (e.g. > deleting the DUID, or replicating the DUID on other systems). > > On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer > wrote: > > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: > >> One major issue is that there is no way to associate a user's MAC > >> (for > >> IPv4) with their DUID. I haven't been able to find a way to > >> account > >> for this without making the user authenticate once for IPv4, and > >> then > >> again for IPv6. This is cumbersome to the user. Also, in the past > >> there have been various reason why we want to pre-authenticate a > >> client's MAC address (mostly for game consoles, and such, which > >> have > >> the MAC written on the outside of the machine). How can this be > >> done > >> with IPv6, which the DUID is not constant? > > > > Perhaps I misunderstand you (or the RFCs) but it seems to me that > > the > > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty > > clear > > that a DUID is generated once, according to simple rules, and does > > not > > change once it has been generated. Barring intervention, of course. > > > > The problem is how to either find out ahead of time what DUID a > > client > > has OR how to impose a specific DUID on a client as part of > > provisioning > > it. Neither of those issues looks particularly intractable, > > especially > > if vendors start shipping with pre-configured DUIDs that are > > written on > > the boxes. > > > > What do you mean by "authenticate"? Do you mean something like > > 802.1x? > > > > Regards, K. 
> > > > -- > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Karl Auer (kauer at biplane.com.au) > > http://www.biplane.com.au/kauer > > > > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 > > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 > > > > -- > Ray Soucy > > Epic Communications Specialist > > Phone: +1 (207) 561-3526 > > Networkmaine, a Unit of the University of Maine System > http://www.networkmaine.net/ > > > From kauer at biplane.com.au Mon Jan 23 17:35:08 2012 From: kauer at biplane.com.au (Karl Auer) Date: Tue, 24 Jan 2012 10:35:08 +1100 Subject: How are you doing DHCPv6 ? In-Reply-To: References: Message-ID: <1327361708.5290.188.camel@karl> On Mon, 2012-01-23 at 18:12 -0500, Randy Carpenter wrote: > Controlled by software = not constant. OK - fair point. But these days many MACs can be controlled by software too. In the world of virtual computing they don't exist in hardware at all. The world hasn't ended. Examples abound of codes that are software controlled but long-lived. SSIDs and other access codes on commodity wifi routers, for example. Or licence numbers for some operating systems e.g., Windows. Written on the box, too. > It is also not likely to be something that is knowable on a piece of > electronic gear that is not a PC, nor will it be something that can be > printed on the outside of the device, like most today. Well, that's not really true. There is nothing stopping OEMs shipping equipment with preconfigured DUIDs and printing those DUIDs on the side of the box or the bottom of the device or whatever. As to being "knowable", well, neither is a MAC. Short of starting up a device and seeing what MAC it uses, there is no way to know ahead of time what MAC addresses a device has unless the manufacturer was kind enough to print them on the box. Don't get me wrong; I'm not trying to be an apologist for DUIDs. 
But I think we do need to see the problems clearly in order to solve them. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: From marka at isc.org Mon Jan 23 17:42:53 2012 From: marka at isc.org (Mark Andrews) Date: Tue, 24 Jan 2012 10:42:53 +1100 Subject: How are you doing DHCPv6 ? In-Reply-To: Your message of "Mon, 23 Jan 2012 17:52:42 CDT." References: <36695b3d-02a4-466c-a19a-1fe4747d38e1@zimbra.network1.net> <52477a71-0a98-445b-a083-1844d37ac71e@zimbra.network1.net> <20120123220502.612E51BD89B5@drugs.dv.isc.org> Message-ID: <20120123234253.0A5961BDA17C@drugs.dv.isc.org> In message , Ray Soucy writes: > Thanks, Mark. > > The ISC website isn't very clear on how to make such requests unless > you have a support contract. For reference, email to "dhcp-suggest at isc.org" (or even "dhcp-bugs at isc.org") will get it logged. > Also make note of my last response to the thread on logging and MAC > awareness, as it may also be worth consideration. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From jared at puck.nether.net Mon Jan 23 17:52:05 2012 From: jared at puck.nether.net (Jared Mauch) Date: Mon, 23 Jan 2012 18:52:05 -0500 Subject: AT&T and IPv6 Launch In-Reply-To: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> Message-ID: <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> So I have been privately referred to att.com/ipv6 where you can find supporting CPE devices.
It sounds like if you have equipment supporting ipv6 it may just appear one day "soon". Jared Mauch On Jan 23, 2012, at 2:23 PM, Jared Mauch wrote: > Is there someone who can talk about how to get IPv6 on AT&T residential:? > > Thanks, > > - Jared > > -- snip -- > ISPs participating in World IPv6 Launch will enable IPv6 for enough users so that at least 1% of their wireline residential subscribers who visit participating websites will do so using IPv6 by 6 June 2012. These ISPs have committed that IPv6 will be available automatically as the normal course of business for a significant portion of their subscribers. Committed ISPs are: > > * AT&T > -- snip -- > From Curtis.Starnes at granburyisd.org Mon Jan 23 18:15:42 2012 From: Curtis.Starnes at granburyisd.org (STARNES, CURTIS) Date: Mon, 23 Jan 2012 18:15:42 -0600 Subject: AT&T and IPv6 Launch In-Reply-To: <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> Message-ID: -----Original Message----- From: Jared Mauch [mailto:jared at puck.nether.net] Sent: Monday, January 23, 2012 5:52 PM To: Jared Mauch Cc: nanog at nanog.org Group Subject: Re: AT&T and IPv6 Launch So i have been privately referred to att.com/ipv6 where you can find supporting CPE devices. It sounds like if you have equipment supporting ipv6 it may just appear one day "soon". Jared Mauch On Jan 23, 2012, at 2:23 PM, Jared Mauch wrote: > Is there someone who can talk about how to get IPv6 on AT&T residential:? > > Thanks, > > - Jared > > -- snip -- > ISPs participating in World IPv6 Launch will enable IPv6 for enough users so that at least 1% of their wireline residential subscribers who visit participating websites will do so using IPv6 by 6 June 2012. These ISPs have committed that IPv6 will be available automatically as the normal course of business for a significant portion of their subscribers. Committed ISPs are: > > *
AT&T > -- snip -- > I am still waiting for our switched Ethernet circuits (Opt-E-MAN) to be supported. Curtis From jcdill.lists at gmail.com Mon Jan 23 19:08:55 2012 From: jcdill.lists at gmail.com (JC Dill) Date: Mon, 23 Jan 2012 17:08:55 -0800 Subject: Megaupload.com seized In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C8D510@RWC-MBX1.corp.seven.com> References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <4F19C26C.4010909@paulgraydon.co.uk> <20120121121149.GA14055@gsp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CDBA@RWC-MBX1.corp.seven.com> <4F1B0DF1.7030809@lcrcomputer.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE2E@RWC-MBX1.corp.seven.com> <4F1B16CE.3050000@mtcc.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8CE85@RWC-MBX1.corp.seven.com> <4F1B84EA.1030503@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C8D510@RWC-MBX1.corp.seven.com> Message-ID: <4F1E04A7.9080001@gmail.com> On 21/01/12 11:20 PM, George Bonser wrote: >> This is what disaster simulations are for, to suss out these problems >> before a disaster and put in systems to avoid the mess. >> >> In the real world, while a city might keep the digital documents "in >> the cloud" they would also (always) have paper copies, because in a big >> emergency their computers (local mail/file servers or internet access >> to the cloud) are likely to be unavailable, power or internet access is >> likely to be disrupted. > Nope, no paper copies. I personally know Lynn Brown, OES (Office of Emergency Services) Coordinator for the City of Mountain View, CA[1]. I asked Lynn about the status of the maps the MV EOC (Emergency Operations Center) uses. Here is the reply: > While we rely on electronic and digital information a lot more these days, the City of Mountain View still has printed maps on hand. I just updated the master map in our EOC, in fact. > > The computerized maps are great but we also plan for the worst case scenario with no access to them. > > I don't think paper will ever go away completely. 
> > Lynn Brown > OES Coordinator > Mountain View Fire Department > 650-903-6825 > lynn(dot)brown(at)mountainview(dot)gov If you believe that this is not the norm for EOCs across the country, I suggest you personally ask the OES Coordinator for whatever city you think is putting everything in the computer and no longer keeping any paper copies. You may be surprised to learn how well they have indeed thought this thru, and that they do maintain paper maps in the EOC, just as Mountain View does. jc [1] Given that Google has wired MV with free public WiFi, if there were ever a city that would be in a good position to use and rely on Google's cloud services for data storage, Mountain View would be it. From bmanning at vacation.karoshi.com Mon Jan 23 19:23:40 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Tue, 24 Jan 2012 01:23:40 +0000 Subject: is it -really- global? Message-ID: <20120124012340.GA32568@vacation.karoshi.com.> anyone keeping track of their RTTs? i'm finishing up some work on latency and all i have are my numbers. its going to be highly variable based on where you are and where you go, but it would be nice to have other sets of numbers. roughly my targets are :: 43% are "cloud" oriented - CBN stuff that tried to place bits near me 22% are US/CA targets 14% are kcj 12% are eu 4% are africaan 5% are other and the source moves, East/Best coast of the US, Africa, Japan, NZ /bill From apishdadi at gmail.com Mon Jan 23 20:48:30 2012 From: apishdadi at gmail.com (A. Pishdadi) Date: Mon, 23 Jan 2012 20:48:30 -0600 Subject: LAw Enforcement Contact In-Reply-To: <4F1DCF47.50704@trelane.net> References: <4F1DCF47.50704@trelane.net> Message-ID: Andrew , it does fail you. The 35+ employees that work for GigeNET would be really insulted by you insinuating that there job roles have no merit. The combination of all the things they do is what makes the company run. So no Paul does not run the company, put down the crack pipe. 
Why don't you find something else to troll beside a mailing list of industry professionals and a legitimate request for help. On Mon, Jan 23, 2012 at 3:21 PM, Andrew D Kirch wrote: > From memory Ameen Pishdadi is the owner of GIGENET, run by Paul Ashley > (Aka XEROX), and comprised of the IP space and assets of FOONET. One would > think that he has much contact with law enforcement. > > Or does my memory fail me? > > Andrew > > > On 1/22/2012 8:16 PM, A. Pishdadi wrote: > >> Hello, >> >> We recently tracked down a botnet that attacked our network. We found the >> C&C server, it has approximately 40-50 servers, consisting of mostly *nix >> machines with high speed connections, for example AWS servers or >> dedicated, >> attack capacity is 4-5Gb/s or more. Is there any contacts with law >> enforcement here that I can send over the info too? >> >> . >> > > > From xiangy08 at csnet1.cs.tsinghua.edu.cn Mon Jan 23 21:43:23 2012 From: xiangy08 at csnet1.cs.tsinghua.edu.cn (Yang Xiang) Date: Tue, 24 Jan 2012 11:43:23 +0800 Subject: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) In-Reply-To: <4F1DB006.4080208@network-services.uoregon.edu> References: <01DD4FF2-3DA9-4225-AD62-5629DEF541C2@lacnic.net> <7C38D0B5-EE31-4237-9EB9-31F9279F70F1@lacnic.net> <4F1DB006.4080208@network-services.uoregon.edu> Message-ID: 2012/1/24 John Kemp > > > Minor correction there. If you are talking about our IX collectors > (LINX, PAIX, > EQIX Ashburn, SYDNEY, etc.) those are at exchanges and peering > directly. The > collectors at Univ of Oregon (rv,rv2,rv3,rv4, rv6), yeah, those are > multi-hop. > Doesn't detract from your point, but I think it helps if people are > aware of whether > they are on the exchange or on a multihop when using routeviews collectors. > We talk about routeservers, not collectors. Argus doesn't use routeservers in RouteViews to identify hijacking. > > Only other thing to add, I don't think anyone mentioned Cyclops in this > thread. 
> Just as another data point, see also: http://cyclops.6watch.net or > http://cyclops.cs.ucla.edu > > John Kemp (kemp at routeviews.org) > > -- _________________________________________ Yang Xiang. Ph.D candidate. Tsinghua University Argus: argus.csnet1.cs.tsinghua.edu.cn From randy at psg.com Mon Jan 23 23:12:22 2012 From: randy at psg.com (Randy Bush) Date: Tue, 24 Jan 2012 14:12:22 +0900 Subject: is it -really- global? In-Reply-To: <20120124012340.GA32568@vacation.karoshi.com.> Message-ID: only intl links on which smokeping shows anything is ashburn to tokyo. but that only covers us, joburg, linx, tokyo -------------- next part -------------- A non-text attachment was scrubbed... Name: ash-tok-400-days.jpg Type: image/jpeg Size: 36745 bytes Desc: not available URL: From mohacsi at niif.hu Tue Jan 24 02:17:33 2012 From: mohacsi at niif.hu (Mohacsi Janos) Date: Tue, 24 Jan 2012 09:17:33 +0100 (CET) Subject: How are you doing DHCPv6 ? In-Reply-To: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> References: <9a70c401-18fb-498e-9cc6-bfe548965ebb@zimbra.network1.net> Message-ID: Hi Randy On Mon, 23 Jan 2012, Randy Carpenter wrote: > > One major issue is that there is no way to associate a user's MAC (for > IPv4) with their DUID. I haven't been able to find a way to account for > this without making the user authenticate once for IPv4, and then again > for IPv6. This is cumbersome to the user. Also, in the past there have > been various reason why we want to pre-authenticate a client's MAC > address (mostly for game consoles, and such, which have the MAC written > on the outside of the machine). How can this be done with IPv6, which > the DUID is not constant? There are several possible DUIDs exist: DUID-LLT, DUID-EN, DUID-LL - have a look at slide 36 and 37 at https://openwiki.uninett.no//_media/geantcampus:2011-gn3na3t4-ipv6-mohacsi.pdf or section 9. 
of RFC 3315: http://tools.ietf.org/html/rfc3315#section-9 You should use DUID type 3, which is tied to the MAC address in the case of Ethernet. So it is not random. You should warn your device vendors that they should use DUID-LL (or type 3) as a default - or should be able to preconfigure to use DUID-LL. In reality some vendors - due to some laziness? - only implement DUID-LLT (or type 1) and sometimes do not store the first-time value - so it is generated again and again - seemingly generating a pseudo-random DUID. However DUID-LLT has a structure: http://tools.ietf.org/html/rfc3315#section-9.1 Best Regards, Janos Mohacsi > > -Randy > > > ----- Original Message ----- >> On Mon, 2012-01-23 at 14:44 -0500, Randy Carpenter wrote: >>> We have also recently realized that the DUID is pretty much >>> completely >>> random, and there is no way to tie the MAC address to a client. >>> This >>> pretty much makes it impossible to manage a large customer base. >> >> Not sure about that. The DUID is not random, at least not if it is >> being >> generated according to RFC 3315, which it probably should be. >> >> A DUID should be generated by a client[1] the first time it needs >> one, >> then be stored and never change[2]. All clients are supposed to >> provide >> a mechanism for setting the DUID to a specific value. Once generated, >> the DUID is indeed tied to the client unless something intervenes. In >> particular, a DUID is not affected by a change of NIC and is >> identical >> for all connected interfaces. >> >> I have to confess that we are not actually doing it, but the plan[3] >> is >> to capture new DUIDs as they happen and record the address->DUID >> mapping >> in our database. That's pretty much what we do now for boxes where >> the >> MAC address is not printed on the outside! But only where we need a >> reservation. >> >> The servers we use will always give the same address to the same >> DUID.
>> Since we do not expect to use actual reserved addresses very much, >> this >> should be all we need. We are a) not really a large enterprise and b) >> not an ISP or carrier, so perhaps our needs are not the same as those >> you envisage. >> >> Vendors delivering pre-installed operating systems can set up >> vendor-assigned unique DUIDs and print them on the box, much as MAC >> addresses now are. >> >> It seems to me that DUIDs are better handles for clients than MAC >> addresses, but will require a change in the way people do things. >> >> Regards, K. >> >> [1] The algorithm for generating the DUID can include the MAC of any >> available interface, the time of day etc, but is supposed to be >> treated >> as opaque (RFC3315, section 9). Since RFC 3315 defines precisely how >> the >> DUIDs are to be generated, it should be very easy to extract the MAC >> address part, but given that the MAC address used may not actually >> exist >> on the device any more, I'm not sure that's very useful. It might be >> useful the first time a new DUID is seen, on the assumption that the >> NIC >> was not changed before the machine was first run. Then one could note >> the MAC address when provisioning the machine, and recognise the DUID >> of >> that machine when it pops up on the network. Mind you, the assumption >> is >> not foolproof. >> >> [2] Obviously devices with no long-term storage (or no storage at all!) >> - >> will use a different generation algorithm than ones that do have >> storage. >> >> [3] "No battle plan survives contact with the enemy" - Helmuth von >> Moltke the Elder.
>> >> -- >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> Karl Auer (kauer at biplane.com.au) >> http://www.biplane.com.au/kauer >> >> GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 >> Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 >> >> >> >> > > From oscar.vives at gmail.com Tue Jan 24 03:12:04 2012 From: oscar.vives at gmail.com (Tei) Date: Tue, 24 Jan 2012 10:12:04 +0100 Subject: Megaupload.com seized In-Reply-To: <1327287947.22754.3.camel@debian.explodie.org> References: <20120120074202.35FB91BB355B@drugs.dv.isc.org> <201201201025.q0KAPdM5040190@mail.r-bonomi.com> <1327287947.22754.3.camel@debian.explodie.org> Message-ID: On 23 January 2012 04:05, Jacob Taylor wrote: .. > > Tahoe-lafs can be fast. A grid I help out with is often capable of > 600kilobyte/per/second downloads (or faster), and I personally have > several files stored on there in excess of 500mb. Close enough to your > 700mb movie example. > > I use this storage as a CDN of sorts, as a friend wrote an HTTP > interface to the Tahoe-lafs grid. > Fast and not centralized seem good traits. URLs are ugly, but that's manageable; they are not human readable, but humans can copy them around. > Should you wish to see it in action, the code and download links are > over here --> http://cryto.net/projects/tahoe.html > I get this: 2012-01-24 10:01:22 ERROR 504: Gateway Time-out. Googling for VVJJOkNISzp3NWo1aWd2M3NmYnlsM21pczZ5enRjN2thbTpmMjdjenBtNW13ZmxkY2Rud2NpM3NxeGVkamRncmt0ZGljYTd4bXFsNWN3bGh0c2x4bWdhOjM6NjozMTM2 finds only this site. (I somehow expected to find other servers hosting a gateway to the same file). -- -- End of message.
From dave at temk.in Tue Jan 24 07:01:24 2012 From: dave at temk.in (Dave Temkin) Date: Tue, 24 Jan 2012 08:01:24 -0500 Subject: [NANOG-announce] NANOG 54: Final agenda posted and late registration starts 01/30/2012 Message-ID: <4F1EABA4.1060901@temk.in> All, The NANOG Program Committee is proud to announce that the final agenda for NANOG 54 has been posted at http://www.nanog.org/meetings/nanog54/agenda.php . We encourage you to get in early on Sunday to take advantage of the great tutorials that we have lined up: Introduction to Shell and Perl Scripting for Network Operators Intermediate Perl Scripting for Network Operators The Service Provider Tool Kit IPv6 and IPv4: Twins or Distant Relatives An Introduction to DNSSEC and of course encourage our members to attend the Member Meeting, starting at 5:45pm. The program will kick off on Monday at 9:30AM Regular registration ends on 01/29/2012 and late registration starts on 01/30/2012. Save $75 and register today! Thanks to our host, Telx, for bringing us to sunny San Diego. We are all set to have a great meeting! -Dave Temkin NANOG PC Chair _______________________________________________ NANOG-announce mailing list NANOG-announce at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-announce From rps at maine.edu Tue Jan 24 07:49:23 2012 From: rps at maine.edu (Ray Soucy) Date: Tue, 24 Jan 2012 08:49:23 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: References: Message-ID: You shouldn't assume a MAC isn't constant. Our students spoof their MACs all the time (thinking it will save them from getting a DMCA notice). The RFC suggests that DUIDs are stored in non-volatile memory or that an algorithm be used that can consistently reproduce the DUID (and IAID) for a system in the absence of persistent storage. 
For fixed hardware devices, I suspect most would opt for the use of DUID-LL type, which is essentially the MAC with a DUID preamble, and doesn't need to be stored in memory since it's based on a MAC that can not be changed. It would be simple to create a DUID sticker at that point, even retroactively. I think the idea that DUID is random and getting worked up that it's not written on the side of the device is a little more FUD than fact. There _are_ things we need to address to make DHCPv6 easier to roll out (mainly on the server side), but just making bogus nitpick attacks distracts from the real issues, IMHO. On Mon, Jan 23, 2012 at 6:12 PM, Randy Carpenter wrote: > > Controlled by software = not constant. > > It is also not likely to be something that is knowable on a piece of electronic gear that is not a PC, nor will it be something that can be printed on the outside of the device, like most today. > > -Randy > > > ----- Original Message ----- >> Yes, DUID and IAID should be persistent on systems. If they are not >> then they are not following the RFC. >> >> Note that bad practices, though, can remove that persistence (e.g. >> deleting the DUID, or replicating the DUID on other systems). >> >> On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer >> wrote: >> > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: >> >> One major issue is that there is no way to associate a user's MAC >> >> (for >> >> IPv4) with their DUID. I haven't been able to find a way to >> >> account >> >> for this without making the user authenticate once for IPv4, and >> >> then >> >> again for IPv6. This is cumbersome to the user. Also, in the past >> >> there have been various reasons why we want to pre-authenticate a >> >> client's MAC address (mostly for game consoles, and such, which >> >> have >> >> the MAC written on the outside of the machine). How can this be >> >> done >> >> with IPv6, which the DUID is not constant?
>> > >> > Perhaps I misunderstand you (or the RFCs) but it seems to me that >> > the >> > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty >> > clear >> > that a DUID is generated once, according to simple rules, and does >> > not >> > change once it has been generated. Barring intervention, of course. >> > >> > The problem is how to either find out ahead of time what DUID a >> > client >> > has OR how to impose a specific DUID on a client as part of >> > provisioning >> > it. Neither of those issues looks particularly intractable, >> > especially >> > if vendors start shipping with pre-configured DUIDs that are >> > written on >> > the boxes. >> > >> > What do you mean by "authenticate"? Do you mean something like >> > 802.1x? >> > >> > Regards, K. >> > >> > -- >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > Karl Auer (kauer at biplane.com.au) >> > http://www.biplane.com.au/kauer >> > >> > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 >> > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 >> >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ >> >> >> -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From rps at maine.edu Tue Jan 24 07:51:20 2012 From: rps at maine.edu (Ray Soucy) Date: Tue, 24 Jan 2012 08:51:20 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: References: Message-ID: "You shouldn't assume a MAC isn't constant" should read "is", double negative failure. On Tue, Jan 24, 2012 at 8:49 AM, Ray Soucy wrote: > You shouldn't assume a MAC isn't constant. ?Our students spoof their > MACs all the time (thinking it will save them from getting a DMCA > notice). 
> > The RFC suggests that DUIDs are stored in non-volatile memory or that > an algorithm be used that can consistently reproduce the DUID (and > IAID) for a system in the absence of persistent storage. > > For fixed hardware devices, I suspect most would opt for the use of > DUID-LL type, which essentially the MAC with a DUID preamble, and > doesn't need to be stored in memory since it's based on a MAC that can > not be changed. ?It would be simple to create a DUID sticker at that > point, even retroactively. ?I think the idea that DUID is random and > getting worked up that it's not written on the side of the device is a > little more FUD than fact. > > There _are_ things we need to address to make DHCPv6 easier to roll > out (mainly on the server side), but just making bogus nitpick attacks > distracts from the real issues, IMHO. > > > > > On Mon, Jan 23, 2012 at 6:12 PM, Randy Carpenter wrote: >> >> Controlled by software = not constant. >> >> It is also not likely to be something that is knowable on a piece of electronic gear that is not a PC, nor will it be something that can be printed on the outside of the device, like most today. >> >> -Randy >> >> >> ----- Original Message ----- >>> Yes, DUID and IAID should be persistent on systems. ?If they are not >>> then they are not following the RFC. >>> >>> Note that bad practices, though, can remove that persistence (e.g. >>> deleting the DUID, or replicating the DUID on other systems). >>> >>> On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer >>> wrote: >>> > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: >>> >> One major issue is that there is no way to associate a user's MAC >>> >> (for >>> >> IPv4) with their DUID. I haven't been able to find a way to >>> >> account >>> >> for this without making the user authenticate once for IPv4, and >>> >> then >>> >> again for IPv6. This is cumbersome to the user. 
Also, in the past >>> >> there have been various reason why we want to pre-authenticate a >>> >> client's MAC address (mostly for game consoles, and such, which >>> >> have >>> >> the MAC written on the outside of the machine). How can this be >>> >> done >>> >> with IPv6, which the DUID is not constant? >>> > >>> > Perhaps I misunderstand you (or the RFCs) but it seems to me that >>> > the >>> > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty >>> > clear >>> > that a DUID is generated once, according to simple rules, and does >>> > not >>> > change once it has been generated. Barring intervention, of course. >>> > >>> > The problem is how to either find out ahead of time what DUID a >>> > client >>> > has OR how to impose a specific DUID on a client as part of >>> > provisioning >>> > it. Neither of those issues looks particularly intractable, >>> > especially >>> > if vendors start shipping with pre-configured DUIDs that are >>> > written on >>> > the boxes. >>> > >>> > What do you mean by "authenticate"? Do you mean something like >>> > 802.1x? >>> > >>> > Regards, K. 
>>> > >>> > -- >>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> > Karl Auer (kauer at biplane.com.au) >>> > http://www.biplane.com.au/kauer >>> > >>> > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 >>> > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 >>> >>> >>> >>> -- >>> Ray Soucy >>> >>> Epic Communications Specialist >>> >>> Phone: +1 (207) 561-3526 >>> >>> Networkmaine, a Unit of the University of Maine System >>> http://www.networkmaine.net/ >>> >>> >>> > > > > -- > Ray Soucy > > Epic Communications Specialist > > Phone: +1 (207) 561-3526 > > Networkmaine, a Unit of the University of Maine System > http://www.networkmaine.net/ -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From greg.rabil at jagornet.com Tue Jan 24 09:28:23 2012 From: greg.rabil at jagornet.com (A. Gregory Rabil) Date: Tue, 24 Jan 2012 10:28:23 -0500 Subject: How are you doing DHCPv6 ? Message-ID: Hello folks, I would like to chime in on this thread. I have great interest in how this plays out. The Jagornet DHCPv6 Server is capable of providing specific addresses to clients based upon DUID and IAID using a filtering mechanism supported in the configuration file. Of course, predicting what the DUID/IAID may be from various clients is still a challenge. However, if this information is available, the Jagornet DHCPv6 server can support this model. Also, specific binding reservations will soon be supported. Logging is rather extensive as well. The server is Certified IPv6 Phase II Ready. Furthermore, version 2.0 beta will be available soon, which will include support for DHCPv4! Please find the free, open-source version of the IPv6 Phase II Ready Jagornet DHCPv6 server here: http://code.google.com/p/jagornet-dhcpv6/ Best regards, Greg Rabil Jagornet Technologies, LLC. 
From matcraig at nmsu.edu Tue Jan 24 09:50:37 2012 From: matcraig at nmsu.edu (Matt Craig) Date: Tue, 24 Jan 2012 08:50:37 -0700 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <201201232330.50370.mtinka@globaltransit.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> Message-ID: <4F1ED34D.5080309@nmsu.edu> They are competing in some things. There are differences that will make you choose ASR1000 over MX series, but a lot of people are choosing either one or the other for many of the same jobs, mainly upgrading to straight-forward L3 1/10 gig aggregation. I know some people who've had ASR1000s and MXs on the plate and chose the MXs. I've also known some who've chosen the ASR1000s. It just really depends on what you need. Actually something as an alternative to both I am researching is the Brocade MLX series. They have different, more efficient, and refreshing architecture; and phenomenal cost (half the cost of ASR1000/MX or less). Gonna do a trial shortly to see if it all lives up to the marketing or if it's too good to be true. I also know some peer institutions who have dumped both Cisco and Juniper for Brocade's Ethernet/IP lines. Not a single bad word so far. Matt On 1/23/12 8:30 AM, Mark Tinka wrote: > On Friday, January 20, 2012 04:14:35 PM Saku Ytti wrote: > >> MX80 is not competing against ASR1k, and JNPR has no >> product to compete with ASR1k. > And this is something I've been telling Juniper for years > (not that they don't already know). The M7i and M10i have > really done all they can - but trying to get an Ethernet box > to do non-Ethernet things, while possible, is simply not > economically viable for operators (FlexWAN's, SIP's, MX > FPC's, anyone?). > > They really need to solve this one. > > The MX80 had no competition from Cisco, until the ASR9001 > came out (and it supports 40Gbps line cards when they come > out).
> > Juniper are dropping the ball on this one. But hopefully, > they're busy in the lab building a decent ASR1000 > challenger. > > Mark. From rcarpen at network1.net Tue Jan 24 10:18:04 2012 From: rcarpen at network1.net (Randy Carpenter) Date: Tue, 24 Jan 2012 11:18:04 -0500 (EST) Subject: How are you doing DHCPv6 ? In-Reply-To: Message-ID: <1187a76b-1234-43cd-9906-e1c4bf71f006@zimbra.network1.net> I understand that MACs can be changed/spoofed. But that is the exception, not the rule. That isn't the biggest issue, though. The biggest issue is how to correlate the MAC and the DUID. That is the only way to properly authenticate and account for users that have both v4 and v6 (which is everyone) I don't care if their MAC changes, if that happens, they just need to reauthenticate. But, not having any way to know what their DUID is going to be, makes it impossible to also give them v6. -Randy ----- Original Message ----- > "You shouldn't assume a MAC isn't constant" should read "is", double > negative failure. > > On Tue, Jan 24, 2012 at 8:49 AM, Ray Soucy wrote: > > You shouldn't assume a MAC isn't constant. ?Our students spoof > > their > > MACs all the time (thinking it will save them from getting a DMCA > > notice). > > > > The RFC suggests that DUIDs are stored in non-volatile memory or > > that > > an algorithm be used that can consistently reproduce the DUID (and > > IAID) for a system in the absence of persistent storage. > > > > For fixed hardware devices, I suspect most would opt for the use of > > DUID-LL type, which essentially the MAC with a DUID preamble, and > > doesn't need to be stored in memory since it's based on a MAC that > > can > > not be changed. ?It would be simple to create a DUID sticker at > > that > > point, even retroactively. ?I think the idea that DUID is random > > and > > getting worked up that it's not written on the side of the device > > is a > > little more FUD than fact. 
> > > > There _are_ things we need to address to make DHCPv6 easier to roll > > out (mainly on the server side), but just making bogus nitpick > > attacks > > distracts from the real issues, IMHO. > > > > > > > > > > On Mon, Jan 23, 2012 at 6:12 PM, Randy Carpenter > > wrote: > >> > >> Controlled by software = not constant. > >> > >> It is also not likely to be something that is knowable on a piece > >> of electronic gear that is not a PC, nor will it be something > >> that can be printed on the outside of the device, like most > >> today. > >> > >> -Randy > >> > >> > >> ----- Original Message ----- > >>> Yes, DUID and IAID should be persistent on systems. ?If they are > >>> not > >>> then they are not following the RFC. > >>> > >>> Note that bad practices, though, can remove that persistence > >>> (e.g. > >>> deleting the DUID, or replicating the DUID on other systems). > >>> > >>> On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer > >>> wrote: > >>> > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: > >>> >> One major issue is that there is no way to associate a user's > >>> >> MAC > >>> >> (for > >>> >> IPv4) with their DUID. I haven't been able to find a way to > >>> >> account > >>> >> for this without making the user authenticate once for IPv4, > >>> >> and > >>> >> then > >>> >> again for IPv6. This is cumbersome to the user. Also, in the > >>> >> past > >>> >> there have been various reason why we want to pre-authenticate > >>> >> a > >>> >> client's MAC address (mostly for game consoles, and such, > >>> >> which > >>> >> have > >>> >> the MAC written on the outside of the machine). How can this > >>> >> be > >>> >> done > >>> >> with IPv6, which the DUID is not constant? > >>> > > >>> > Perhaps I misunderstand you (or the RFCs) but it seems to me > >>> > that > >>> > the > >>> > DUID *is* constant. 
Reading section 9 of RFC 3315, it's pretty > >>> > clear > >>> > that a DUID is generated once, according to simple rules, and > >>> > does > >>> > not > >>> > change once it has been generated. Barring intervention, of > >>> > course. > >>> > > >>> > The problem is how to either find out ahead of time what DUID a > >>> > client > >>> > has OR how to impose a specific DUID on a client as part of > >>> > provisioning > >>> > it. Neither of those issues looks particularly intractable, > >>> > especially > >>> > if vendors start shipping with pre-configured DUIDs that are > >>> > written on > >>> > the boxes. > >>> > > >>> > What do you mean by "authenticate"? Do you mean something like > >>> > 802.1x? > >>> > > >>> > Regards, K. > >>> > > >>> > -- > >>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >>> > Karl Auer (kauer at biplane.com.au) > >>> > http://www.biplane.com.au/kauer > >>> > > >>> > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE > >>> > 6017 > >>> > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 > >>> > F687 > >>> > >>> > >>> > >>> -- > >>> Ray Soucy > >>> > >>> Epic Communications Specialist > >>> > >>> Phone: +1 (207) 561-3526 > >>> > >>> Networkmaine, a Unit of the University of Maine System > >>> http://www.networkmaine.net/ > >>> > >>> > >>> > > > > > > > > -- > > Ray Soucy > > > > Epic Communications Specialist > > > > Phone: +1 (207) 561-3526 > > > > Networkmaine, a Unit of the University of Maine System > > http://www.networkmaine.net/ > > > > -- > Ray Soucy > > Epic Communications Specialist > > Phone: +1 (207) 561-3526 > > Networkmaine, a Unit of the University of Maine System > http://www.networkmaine.net/ > > From mtinka at globaltransit.net Tue Jan 24 10:28:13 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 25 Jan 2012 00:28:13 +0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F1ED34D.5080309@nmsu.edu> References: 
<44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> Message-ID: <201201250028.17005.mtinka@globaltransit.net> On Tuesday, January 24, 2012 11:50:37 PM Matt Craig wrote: > They are competing in some things. There are differences > that will make you choose ASR1000 over MX series, but > a lot of people are choosing either one or the other for > many of the same jobs, mainly upgrading to > straight-forward L3 1/10 gig aggregation. I know some > people who've had ASR1000s and MXs on the plate and > chose the MXs. I've also known some who've chosen the > ASR1000s. It just really depends on what you need. When it comes to peering or upstream boxes, we've always gone with smaller, multiple units rather than bigger, single ones, e.g., ASR1002 vs. CRS or MX80 vs. M120, sort of thing. As one wants to spread peering/upstream links across different boxes to enhance redundancy, one can't afford to be buying bigger boxes for each of these links. What this has meant is that for a while now, we've been happy with the ASR1000 because at some point, it was more feature-ready than the MX80. However, the MX80 has now caught up, and is certainly a serious contender if we're looking at new purchases (but then, there is now the ASR9001, whenever it starts shipping). However, this only works if our connectivity arrangements are Ethernet. If we plan to have both Gig-E and non-Gig-E capacity in a router, and we need to be able to push a couple of Gbps through it (including one or more 10Gbps hook-ups), then the ASR1000 is still a winner. This is where the MX80 can't compete; and while the MX80 and ASR1000 are somewhat of an apples vs. oranges comparison, there really isn't anything coming from Juniper at all in this space. So one is forced to compare what comes closest. > Actually something as an alternative to both I am > researching is the Brocade MLX series.
They have > different, more efficient, and refreshing architecture; > and phenomenal cost (half the cost of ASR1000/MX or > less). Gonna do a trial shortly to see if it all lives > up to the marketing or if it's too good to be true. I > also know some peer institutions who have dumped both > Cisco and Juniper for Brocade's Ethernet/IP lines. Not > a single bad word so far. We reviewed the MLX against the 7600 and M320 many years ago. These days it would be the MLX against the ASR9000 and MX240/480/960. It didn't have the feature set we needed, but that was a while back. Our national exchange point has been happy with them, using VPLS to run the fabric (I think AMS-IX do the same, too). But that's a relatively simple deployment. I know some large carriers using them extensively, but not intimately enough to tell you whether they're really happy or not. Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From rps at maine.edu Tue Jan 24 11:09:56 2012 From: rps at maine.edu (Ray Soucy) Date: Tue, 24 Jan 2012 12:09:56 -0500 Subject: How are you doing DHCPv6 ? In-Reply-To: <1187a76b-1234-43cd-9906-e1c4bf71f006@zimbra.network1.net> References: <1187a76b-1234-43cd-9906-e1c4bf71f006@zimbra.network1.net> Message-ID: As we're talking about "the exception, not the rule" I'll note that the majority of systems generate their DUID based on the MAC address of their adapter. ISC DHCPd does in fact allow you to configure static assignments using MAC and will match a DUID that was generated for that MAC.
Assuming the MAC of 01:23:45:67:89:ab, and a DUID of 00:03:00:01:01:23:45:67:89:ab, the ISC DHCPd configuration for a static host using a DUID:

----8<----
host my-pc.example.com {
  host-identifier option dhcp6.client-id 00:03:00:01:01:23:45:67:89:ab;
  fixed-address6 2001:db8:1:2::3;
}
----8<----

For a MAC:

----8<----
host my-pc.example.com {
  # dhcpd matches this against the MAC embedded in a DUID-LL or DUID-LLT
  hardware ethernet 01:23:45:67:89:ab;
  fixed-address6 2001:db8:1:2::3;
}
----8<----

As with DHCPd for IPv4, you can make multiple entries to support both the MAC and DUID method by using the option host-name directive for additional entries:

----8<----
host my-pc.example.com {
  host-identifier option dhcp6.client-id 00:03:00:01:01:23:45:67:89:ab;
  fixed-address6 2001:db8:1:2::3;
}
host my-pc.example.com-1 {
  option host-name "my-pc.example.com";
  hardware ethernet 01:23:45:67:89:ab;
  fixed-address6 2001:db8:1:2::3;
}
----8<----

Note that this is checking the MAC address used in DUID type 1 or type 3, not the actual MAC address of the system. What we do right now (as a transition mechanism) in our IPAM is say that if we see a DUID that is based on a known MAC, then it's probably the same host, and add the association in the database. Generating a DHCPv6 configuration file using the "hardware ethernet" directive will get the majority of systems a v6 address in a dual stack environment. On a side note, DHCPv6 isn't the only place to address concerns. Before DHCPv6 was an option, we implemented a system that polls network routers and switches for ARP tables, IPv6 neighbor tables, and MAC address tables, then throws the full association (IP, MAC, Device, Port) into a MySQL database. Data is compressed into rows with "first seen" and "last seen" timestamps to save on table sizes (along with monthly rotation of tables). This provides us with the ability to see what MAC had what IP (or IPv6) address and where it was connected. Mainly for incident response.
We also poll for IPv6 routers seen to catch rogue RA, though that has mostly gone away since putting PACLs in place to filter unauthorized RA. This database allows us to make the association of IPv4 and IPv6, even in a SLAAC environment; it also provides us with the history of that association (and even logs link-local addresses). When we disable a host, the database is checked so both IPv4 and IPv6 address can be disabled. As far as DUID discovery, though. It would be nice if logging changes previously mentioned were made to ISC DHCPd so we can see the DUIDs attempting to get an address along with the MAC requesting it. On Tue, Jan 24, 2012 at 11:18 AM, Randy Carpenter wrote: > > I understand that MACs can be changed/spoofed. But that is the exception, not the rule. > > That isn't the biggest issue, though. The biggest issue is how to correlate the MAC and the DUID. That is the only way to properly authenticate and account for users that have both v4 and v6 (which is everyone) > > I don't care if their MAC changes, if that happens, they just need to reauthenticate. But, not having any way to know what their DUID is going to be, makes it impossible to also give them v6. > > > -Randy > > ----- Original Message ----- >> "You shouldn't assume a MAC isn't constant" should read "is", double >> negative failure. >> >> On Tue, Jan 24, 2012 at 8:49 AM, Ray Soucy wrote: >> > You shouldn't assume a MAC isn't constant. ?Our students spoof >> > their >> > MACs all the time (thinking it will save them from getting a DMCA >> > notice). >> > >> > The RFC suggests that DUIDs are stored in non-volatile memory or >> > that >> > an algorithm be used that can consistently reproduce the DUID (and >> > IAID) for a system in the absence of persistent storage. 
>> > >> > For fixed hardware devices, I suspect most would opt for the use of >> > DUID-LL type, which essentially the MAC with a DUID preamble, and >> > doesn't need to be stored in memory since it's based on a MAC that >> > can >> > not be changed. ?It would be simple to create a DUID sticker at >> > that >> > point, even retroactively. ?I think the idea that DUID is random >> > and >> > getting worked up that it's not written on the side of the device >> > is a >> > little more FUD than fact. >> > >> > There _are_ things we need to address to make DHCPv6 easier to roll >> > out (mainly on the server side), but just making bogus nitpick >> > attacks >> > distracts from the real issues, IMHO. >> > >> > >> > >> > >> > On Mon, Jan 23, 2012 at 6:12 PM, Randy Carpenter >> > wrote: >> >> >> >> Controlled by software = not constant. >> >> >> >> It is also not likely to be something that is knowable on a piece >> >> of electronic gear that is not a PC, nor will it be something >> >> that can be printed on the outside of the device, like most >> >> today. >> >> >> >> -Randy >> >> >> >> >> >> ----- Original Message ----- >> >>> Yes, DUID and IAID should be persistent on systems. ?If they are >> >>> not >> >>> then they are not following the RFC. >> >>> >> >>> Note that bad practices, though, can remove that persistence >> >>> (e.g. >> >>> deleting the DUID, or replicating the DUID on other systems). >> >>> >> >>> On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer >> >>> wrote: >> >>> > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote: >> >>> >> One major issue is that there is no way to associate a user's >> >>> >> MAC >> >>> >> (for >> >>> >> IPv4) with their DUID. I haven't been able to find a way to >> >>> >> account >> >>> >> for this without making the user authenticate once for IPv4, >> >>> >> and >> >>> >> then >> >>> >> again for IPv6. This is cumbersome to the user. 
Also, in the >> >>> >> past >> >>> >> there have been various reason why we want to pre-authenticate >> >>> >> a >> >>> >> client's MAC address (mostly for game consoles, and such, >> >>> >> which >> >>> >> have >> >>> >> the MAC written on the outside of the machine). How can this >> >>> >> be >> >>> >> done >> >>> >> with IPv6, which the DUID is not constant? >> >>> > >> >>> > Perhaps I misunderstand you (or the RFCs) but it seems to me >> >>> > that >> >>> > the >> >>> > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty >> >>> > clear >> >>> > that a DUID is generated once, according to simple rules, and >> >>> > does >> >>> > not >> >>> > change once it has been generated. Barring intervention, of >> >>> > course. >> >>> > >> >>> > The problem is how to either find out ahead of time what DUID a >> >>> > client >> >>> > has OR how to impose a specific DUID on a client as part of >> >>> > provisioning >> >>> > it. Neither of those issues looks particularly intractable, >> >>> > especially >> >>> > if vendors start shipping with pre-configured DUIDs that are >> >>> > written on >> >>> > the boxes. >> >>> > >> >>> > What do you mean by "authenticate"? Do you mean something like >> >>> > 802.1x? >> >>> > >> >>> > Regards, K. 
>> >>> > >> >>> > -- >> >>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> >>> > Karl Auer (kauer at biplane.com.au) >> >>> > http://www.biplane.com.au/kauer >> >>> > >> >>> > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE >> >>> > 6017 >> >>> > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 >> >>> > F687 >> >>> >> >>> >> >>> >> >>> -- >> >>> Ray Soucy >> >>> >> >>> Epic Communications Specialist >> >>> >> >>> Phone: +1 (207) 561-3526 >> >>> >> >>> Networkmaine, a Unit of the University of Maine System >> >>> http://www.networkmaine.net/ >> >>> >> >>> >> >>> >> > >> > >> > >> > -- >> > Ray Soucy >> > >> > Epic Communications Specialist >> > >> > Phone: +1 (207) 561-3526 >> > >> > Networkmaine, a Unit of the University of Maine System >> > http://www.networkmaine.net/ >> >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ >> >> -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From gbonser at seven.com Tue Jan 24 12:24:28 2012 From: gbonser at seven.com (George Bonser) Date: Tue, 24 Jan 2012 18:24:28 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <201201250028.17005.mtinka@globaltransit.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <201201250028.17005.mtinka@globaltransit.net> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C91E0C@RWC-MBX1.corp.seven.com> > > We reviewd the MLX against the 7600 and M320 many years ago. > These days it would be the MLX against the ASR9000 and MX240/480/960. > It didn't have the feature set we needed, but that was a while back. 
> > Our national exchange point have been happy with them, using VPLS to > run the fabric (I think AMS-IX do the same, too). > But that's a relatively simple deployment. > > I know some large carriers using them extensively, but not intimately > enough to tell you whether they're really happy or not. > > Mark. You might get by these days at a peering point with something smaller if you are a smaller network and don't need a lot of 10G. Something like a Brocade CER-RT series. A 1U box with 136 Gbps of throughput that will handle 1.5 million v4 routes in FIB and 256k v6 routes. Sips power, doesn't take up a lot of space, has up to 48 GigE ports but only 2x10G. If they had a model with 6x10G, it would be a killer little box. It is basically a 1U MLX. From mtinka at globaltransit.net Tue Jan 24 12:58:16 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 25 Jan 2012 02:58:16 +0800 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C91E0C@RWC-MBX1.corp.seven.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201250028.17005.mtinka@globaltransit.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C91E0C@RWC-MBX1.corp.seven.com> Message-ID: <201201250258.19904.mtinka@globaltransit.net> On Wednesday, January 25, 2012 02:24:28 AM George Bonser wrote: > You might get by these days at a peering point with > something smaller if you are a smaller network and don't > need a lot of 10G. Something like a Brocade CER-RT > series. A 1U box with 136 Gbps of throughput that will > handle 1.5 million v4 routes in FIB and 256k v6 routes. > Sips power, doesn't take up a lot of space, has up to 48 > GigE ports but only 2x10G. If they had a model with > 6x10G, it would be a killer little box. We looked at their CER/CES line back in 2009/2010 when we were scoping for kit to deploy our MPLS In The Access topology. That time, the box only did 512,000 entries in the FIB, but clearly the newer iron has had an upgrade on the inside :-). 
This is good! Inevitably, we settled for Cisco's ME3600X, after realizing we didn't need to carry a full table in the Access (and could still provide IP Transit services in the Access easily), and at the time, even though the Cisco was much newer, the mid-term feature road map was better. Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From gbonser at seven.com Tue Jan 24 18:45:41 2012 From: gbonser at seven.com (George Bonser) Date: Wed, 25 Jan 2012 00:45:41 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <201201250258.19904.mtinka@globaltransit.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201250028.17005.mtinka@globaltransit.net> <596B74B410EE6B4CA8A30C3AF1A155EA09C91E0C@RWC-MBX1.corp.seven.com> <201201250258.19904.mtinka@globaltransit.net> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C9229A@RWC-MBX1.corp.seven.com> > We looked at their CER/CES line back in 2009/2010 when we were scoping > for kit to deploy our MPLS In The Access topology. > > That time, the box only did 512,000 entries in the FIB, but clearly the > newer iron has had an upgrade on the inside :-). > This is good! > > Inevitably, we settled for Cisco's ME3600X, after realizing we didn't > need to carry a full table in the Access (and could still provide IP > Transit services in the Access easily), and at the time, even though > the Cisco was much newer, the mid-term feature road map was better. > > Mark. That upgrade is for the -RT only, not the standard unit. I suggested they provide four ports that would be standard GigE SFP ports that could be enabled for 10G SFP+ by license key in addition to the 2x10G expansion module. So if you had a unit with a capability of 6x10G and 12xGigE, it would be a killer little peering point switch in 1U of rack space. 
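Ray Soucy's DHCPv6 post above relies on the layout of the two MAC-derived DUID types from RFC 3315 section 9: DUID-LLT (type 1) is a 2-byte type, a 2-byte hardware type (1 for Ethernet), a 4-byte timestamp and the MAC; DUID-LL (type 3) is the same without the timestamp, which is why 00:03:00:01:01:23:45:67:89:ab decodes to the MAC 01:23:45:67:89:ab. The following Python is an added example for this archive, not code from any of the posts or from ISC dhcpd. It parses a DUID, extracts the embedded MAC when there is one, applies the "a DUID based on a known MAC is probably the same host" correlation the post describes, and emits the matching host stanza. The known-MAC table and the sample DUIDs are constructed for illustration; a DUID-EN or any other type that carries no MAC deliberately yields no match, and a spoofed MAC correlates to whatever identity the spoofer chose, so the correlation is a transition convenience rather than authentication.

```python
"""Correlate DHCPv6 DUIDs with MAC addresses (RFC 3315 section 9).

Added example for this archive; not code from the posts above or from
ISC dhcpd. The "known MACs" table and sample DUIDs are constructed.
"""
import struct
from typing import Optional

DUID_LLT = 1        # link-layer address plus time
DUID_EN = 2         # enterprise number plus vendor-assigned identifier
DUID_LL = 3         # link-layer address only
HTYPE_ETHERNET = 1  # IANA hardware type for Ethernet


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_duid(text: str) -> dict:
    """Parse a colon- or hyphen-separated hex DUID into its fields.

    Returns {'type', 'mac', 'time'}. 'mac' is set only for DUID-LL/LLT
    with Ethernet hardware type; 'time' (DUID-LLT only) is seconds since
    2000-01-01 UTC, the epoch RFC 3315 uses for that field.
    """
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (duid_type,) = struct.unpack("!H", raw[:2])
    info = {"type": duid_type, "mac": None, "time": None}
    if duid_type == DUID_LLT and len(raw) == 2 + 2 + 4 + 6:
        htype, t = struct.unpack("!HI", raw[2:8])
        if htype == HTYPE_ETHERNET:
            info["mac"] = _fmt_mac(raw[8:14])
            info["time"] = t
    elif duid_type == DUID_LL and len(raw) == 2 + 2 + 6:
        (htype,) = struct.unpack("!H", raw[2:4])
        if htype == HTYPE_ETHERNET:
            info["mac"] = _fmt_mac(raw[4:10])
    return info


def duid_ll_from_mac(mac: str) -> str:
    """Build the DUID-LL a host with this Ethernet MAC would typically present."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("expected a 48-bit MAC")
    return _fmt_mac(struct.pack("!HH", DUID_LL, HTYPE_ETHERNET) + mac_bytes)


def correlate(duid: str, known_macs: dict) -> Optional[str]:
    """Return the hostname whose known MAC is embedded in this DUID, else None.

    Only DUID-LL / DUID-LLT carry a MAC, so DUID-EN and UUID-based DUIDs
    never correlate; a spoofed MAC correlates to the spoofed identity.
    """
    mac = parse_duid(duid)["mac"]
    if mac is None:
        return None
    return known_macs.get(mac)


def dhcpd_host_stanza(name: str, mac: str, addr6: str) -> str:
    """Emit an ISC dhcpd host stanza keyed on the MAC; for DHCPv6 clients
    dhcpd matches it against the MAC embedded in a DUID-LL/LLT."""
    return (f"host {name} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  fixed-address6 {addr6};\n"
            f"}}\n")


# Constructed sample data (not from any real IPAM).
KNOWN_MACS = {"01:23:45:67:89:ab": "my-pc.example.com"}
SAMPLE_DUIDS = [
    "00:03:00:01:01:23:45:67:89:ab",              # DUID-LL, as in the post
    "00:01:00:01:1a:2b:3c:4d:01:23:45:67:89:ab",  # DUID-LLT, same MAC
    "00:02:00:00:00:09:0c:c0:84:d3:03:00:09:12",  # DUID-EN, no MAC inside
]

if __name__ == "__main__":
    for d in SAMPLE_DUIDS:
        print(d, "->", correlate(d, KNOWN_MACS))
    print(dhcpd_host_stanza("my-pc.example.com", "01:23:45:67:89:ab",
                            "2001:db8:1:2::3"))
```

Run directly, it correlates the first two sample DUIDs to my-pc.example.com and the DUID-EN to nothing. The DUID-LLT timestamp is returned so that a DUID regenerated after a reinstall (same MAC, new time) can be told apart from the one on record.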
From dstickney at optilian.com Wed Jan 25 08:41:36 2012 From: dstickney at optilian.com (Daniel STICKNEY) Date: Wed, 25 Jan 2012 15:41:36 +0100 Subject: Choice of address for IPv6 default gateway Message-ID: <4F2014A0.20008@optilian.com> I'm having trouble finding authoritative sources on the best common practice (if there even is one) for the choice of address for an IPv6 default gateway in a production server environment (not desktops). For example in IPv4 it is common to chose the first or last address in the subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested in input from production environments and or ARIN/RIPE/IANA/etc or top vendors. I've seen some documentation using ::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we use VRRP for IPv4, using it for IPv6 would keep our architecture the same, which has merit too. 
Thanks in advance, Daniel STICKNEY From mhuff at ox.com Wed Jan 25 08:52:36 2012 From: mhuff at ox.com (Matthew Huff) Date: Wed, 25 Jan 2012 09:52:36 -0500 Subject: Choice of address for IPv6 default gateway In-Reply-To: <4F2014A0.20008@optilian.com> References: <4F2014A0.20008@optilian.com> Message-ID: <483E6B0272B0284BA86D7596C40D29F9015881E3DC2A@PUR-EXCH07.ox.com> I've had good luck in a corporate environment using fe80::1 on Cisco 6500/7600 with newer IOS. However, some software routers still won't let you use a link-local as a VIP (at least in HSRP). I'm upgrading one of our 7200 tonight running 15.1(4)M1 to M3, hopefully that will fix it (we are upgrading it for other reasons). For example:

int vlan110
 standby 110 ipv6 FE80::1
 standby 110 timers msec 250 msec 750
 standby 110 priority 110
 standby 110 preempt delay minimum 180

---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 > -----Original Message----- > From: Daniel STICKNEY [mailto:dstickney at optilian.com] > Sent: Wednesday, January 25, 2012 9:42 AM > To: nanog at nanog.org > Subject: Choice of address for IPv6 default gateway > > I'm having trouble finding authoritative sources on the best common > practice (if there even is one) for the choice of address for an IPv6 > default gateway in a production server environment (not desktops). For > example in IPv4 it is common to chose the first or last address in the > subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm > interested in input from production environments and or > ARIN/RIPE/IANA/etc or top vendors. > > I've seen some documentation using ::1 with either a global > prefix or link-local (fe80::1). Anyone use either of these in > production and have negative or positive feedback? fe80::1 is seductive > because it is short and the idea of having the same default gateway > configured everywhere might be simple.
At the same time using the same > address all around the network seems to invite confusion or problems if > two interfaces with the address ever ended up in the same broadcast > domain. > > What about using RAs to install the default route on the servers? The > 'priority' option (high/medium/low) easy fits with an architecture > using an active/standby router setup where the active router is > configured with the 'high' priority and the standby 'medium'. With the > timeout values tuned for relatively rapid (~3 seconds) failover this > might be feasible. Anyone use this in production? > > I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since > we use VRRP for IPv4, using it for IPv6 would keep our architecture the > same, which has merit too. > > Thanks in advance, > > Daniel STICKNEY > From bicknell at ufp.org Wed Jan 25 09:06:40 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Wed, 25 Jan 2012 07:06:40 -0800 Subject: Choice of address for IPv6 default gateway In-Reply-To: <4F2014A0.20008@optilian.com> References: <4F2014A0.20008@optilian.com> Message-ID: <20120125150640.GA87865@ussenterprise.ufp.org> In a message written on Wed, Jan 25, 2012 at 03:41:36PM +0100, Daniel STICKNEY wrote: > I've seen some documentation using ::1 with either a global > prefix or link-local (fe80::1). Anyone use either of these in production > and have negative or positive feedback? fe80::1 is seductive because it > is short and the idea of having the same default gateway configured > everywhere might be simple. At the same time using the same address all > around the network seems to invite confusion or problems if two > interfaces with the address ever ended up in the same broadcast domain. I don't think the industry has really found a best practice to document yet. There are people trying different ideas. We find the following convention allows us to keep things organized: ::1 - Default gateway :: - Statically assigned servers. 
: - Auto-configured host If you need them to co-exist, you can also do things like: ::<10240-20480> - DHCP Pool And if a host learns a default gateway via RA, it will show up as fe80:: in the routing table. A static server at 10.0.1.34 has an IPv6 address of ::34. It's visually very easy for an admin to see everything is configured correctly, and helps reduce confusion a lot when troubleshooting. We use .1 in IPv4 for a default gateway, so ::1 similarly reduces confusion. > What about using RAs to install the default route on the servers? The > 'priority' option (high/medium/low) easy fits with an architecture using > an active/standby router setup where the active router is configured > with the 'high' priority and the standby 'medium'. With the timeout > values tuned for relatively rapid (~3 seconds) failover this might be > feasible. Anyone use this in production? No. We avoid RA's where possible, because of the "rogue RA" problem. Rogue in this case usually means an admin fat fingering something or plugging into the wrong port, not an actual, but it quickly causes an outage. Unless you happen to have new enough switches that support RA Guard extreme care is warranted. (Note, we're also a server enviornment, not an end user one, and servers tend to end up "statically" configured (possibly via script) anyway for reasons that have nothing to do with IPv4 or IPv6.) That said, it can be used where redundancy is required, and your routers do not yet support the VRRP or HSRP protocols that support IPv6. Generally speaking across the board we find it makes a lot of sense to treat IPv6 as "IPv4 with bigger addresses", and do things the same way as before. That's not to say we don't take advantage of /64's on LAN's, or RA's in some cases, but it reduces admin confusion where you can make things operate the same way. In a lot of cases, like a default gateway of ::1, or a BGP policy that looks the same config parity can be achieved and works out really well. 
-- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: From nanog at studio442.com.au Wed Jan 25 09:17:19 2012 From: nanog at studio442.com.au (Julien Goodwin) Date: Thu, 26 Jan 2012 02:17:19 +1100 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F1ED34D.5080309@nmsu.edu> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> Message-ID: <4F201CFF.20905@studio442.com.au> On 25/01/12 02:50, Matt Craig wrote: > Actually something as an alternative to both I am researching is the > Brocade MLX series. They have different, more efficient, and refreshing > architecture; and phenomenal cost (half the cost of ASR1000/MX or > less). Gonna do a trial shortly to see if it all lives up to the > marketing or if its too good to be true. I also know some peer > institutions who have dumped both Cisco and Juniper for Brocade's > Ethernet/IP lines. Not a single bad word so far. Sorry I can't let a line like that slide. I used to use ServerIron's in my last job, and while generally wonderful they had two big issues that also occur on other Foundry kit like the MLX. 1. Multiple firmware files that must be upgraded in sync. While getting more common (I've seen kit from Extreme, Cisco, and Juniper that have done this to some extent), some of these boxes require on the order of four firmware files which must be upgraded in lock-step 2. Backspace doesn't work. Seriously (ok Ctrl-h works, and you can patch your terminal emulator for it, but it's the only hardware I've used in the last 15 years like that) From dwcarder at wisc.edu Wed Jan 25 09:39:51 2012 From: dwcarder at wisc.edu (Dale W. 
Carder) Date: Wed, 25 Jan 2012 09:39:51 -0600 Subject: Choice of address for IPv6 default gateway In-Reply-To: <4F2014A0.20008@optilian.com> References: <4F2014A0.20008@optilian.com> Message-ID: <787B3E25-9697-41AB-9D5F-E8B47C8E66AE@wisc.edu> Hi Daniel, On Jan 25, 2012, at 8:41 AM, Daniel STICKNEY wrote: > I'm having trouble finding authoritative sources on the best common > practice (if there even is one) for the choice of address for an IPv6 > default gateway in a production server environment (not desktops). For > example in IPv4 it is common to chose the first or last address in the > subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested > in input from production environments and or ARIN/RIPE/IANA/etc or top > vendors. Well, you're not going to find anything authoritative per se, but we are using fe80::1 with HSRP on every LAN with v6 enabled. More recent HSRP implementations also support ::1, but that doesn't seem to make any sense to me since link-local is where your gateway lives. > What about using RAs to install the default route on the servers? The > 'priority' option (high/medium/low) easy fits with an architecture using > an active/standby router setup where the active router is configured > with the 'high' priority and the standby 'medium'. With the timeout > values tuned for relatively rapid (~3 seconds) failover this might be > feasible. Anyone use this in production? Our servers are statically assigned with prefix::1000 and counting up, and fe80::1%int for the gateway. Some servers are doing an IP per service / customer. In some initial deployments I did, RA Priority did not seem to be observed. That was 8 or 9 years ago so maybe that has changed, but it was not comforting. We were more worried about unintentional & rogue RA vs active/standby routers. Now that we have RA Guard deployed on > 100,000 edge ports, that doesn't really matter anymore. 
Dale From nick at foobar.org Wed Jan 25 09:50:19 2012 From: nick at foobar.org (Nick Hilliard) Date: Wed, 25 Jan 2012 15:50:19 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F201CFF.20905@studio442.com.au> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> Message-ID: <4F2024BB.7070508@foobar.org> On 25/01/2012 15:17, Julien Goodwin wrote: > 2. Backspace doesn't work. Seriously (ok Ctrl-h works, and you can patch > your terminal emulator for it, but it's the only hardware I've used in > the last 15 years like that) I ended up remapping backspace to too. Yeah, seriously, this is totally bizarre dysfunction. There might have been some excuse for it in the late 1980s, maybe even the early 1990s. But the world moved on many, many years ago. Nick From streiner at cluebyfour.org Wed Jan 25 09:51:46 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 25 Jan 2012 10:51:46 -0500 (EST) Subject: using ULA for 'hidden' v6 devices? Message-ID: Is anyone using ULA (RFC 4193) address space for v6 infrastructure that does not need to be exposed to the outside world? I understand the concept of having fc00::/8 being doled out by the RIRs never went anywhere, and using space out of fd00::/8 can be a bit of a crap-shoot because of the likelihood of many organizations that do so not following the algorithm for picking a /48 that is outlined in the RFC. There would appear to be reasonable arguments for and against using ULA. I'm just curious about what people are doing in practice. jms From cb.list6 at gmail.com Wed Jan 25 10:06:08 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Wed, 25 Jan 2012 08:06:08 -0800 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID: On Jan 25, 2012 7:52 AM, "Justin M. 
Streiner" wrote: > > Is anyone using ULA (RFC 4193) address space for v6 infrastructure that does not need to be exposed to the outside world? I understand the concept of having fc00::/8 being doled out by the RIRs never went anywhere, and using space out of fd00::/8 can be a bit of a crap-shoot because of the likelihood of many organizations that do so not following the algorithm for picking a /48 that is outlined in the RFC. > > There would appear to be reasonable arguments for and against using ULA. I'm just curious about what people are doing in practice. > Yes. Uses may include the DNS interface that you only want your customers to query.... or pretty much any service, as you said, that does not need to be connected to the internet. Beware of ULA haters. Cb > jms > From jay-ford at uiowa.edu Wed Jan 25 10:11:00 2012 From: jay-ford at uiowa.edu (Jay Ford) Date: Wed, 25 Jan 2012 10:11:00 -0600 (CST) Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID: On Wed, 25 Jan 2012, Justin M. Streiner wrote: > Is anyone using ULA (RFC 4193) address space for v6 infrastructure that does > not need to be exposed to the outside world? I understand the concept of > having fc00::/8 being doled out by the RIRs never went anywhere, and using > space out of fd00::/8 can be a bit of a crap-shoot because of the likelihood > of many organizations that do so not following the algorithm for picking a > /48 that is outlined in the RFC. > > There would appear to be reasonable arguments for and against using ULA. I'm > just curious about what people are doing in practice. Yep. It works great for strictly local devices which don't need Internet access. 
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951 From dwcarder at wisc.edu Wed Jan 25 10:15:24 2012 From: dwcarder at wisc.edu (Dale W. Carder) Date: Wed, 25 Jan 2012 10:15:24 -0600 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> On Jan 25, 2012, at 9:51 AM, Justin M. Streiner wrote: > Is anyone using ULA (RFC 4193) address space for v6 infrastructure that does not need to be exposed to the outside world? I understand the concept of having fc00::/8 being doled out by the RIRs never went anywhere, and using space out of fd00::/8 can be a bit of a crap-shoot because of the likelihood of many organizations that do so not following the algorithm for picking a /48 that is outlined in the RFC. > > There would appear to be reasonable arguments for and against using ULA. I'm just curious about what people are doing in practice. Our site would be in the against ULA camp. For that matter we had survived until very recently in the anti-1918 camp, too. So, take that as an inherent bias. We have one customer in particular with a substantial non-publicly reachable v6 deployment with globally assigned addresses. I believe there is no need to replicate the headaches of rfc1918 in the next address-family eternity. Dale From nick at foobar.org Wed Jan 25 10:28:13 2012 From: nick at foobar.org (Nick Hilliard) Date: Wed, 25 Jan 2012 16:28:13 +0000 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> Message-ID: <4F202D9D.4060002@foobar.org> On 25/01/2012 16:15, Dale W. Carder wrote: > I believe there is no need to replicate the headaches of rfc1918 in the > next address-family eternity. 
I wish you luck selling this notion to enterprise network people, most of who appear to believe that rfc1918 address space is a feature, not a bug. Nick From rps at maine.edu Wed Jan 25 10:30:41 2012 From: rps at maine.edu (Ray Soucy) Date: Wed, 25 Jan 2012 11:30:41 -0500 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID: We've used RFC1918 space for years (without NAT) for non-routed device management (switches, printers, IP phones, etc). The same idea applies to ULA. Just another tool in the box. The idea behind the random bits was to avoid conflicts should organizations making use of ULA merge. Locally managed means locally manage, though. The RFC is more of a suggestion than a requirement at that point. Since it's unenforceable, and the standards require it to function regardless, I do suspect that many will opt for a "random" value of zero to keep the notation short and sweet, despite the RFC, or develop an internal addressing schema for ULA space that works for them operationally. On Wed, Jan 25, 2012 at 10:51 AM, Justin M. Streiner < streiner at cluebyfour.org> wrote: > Is anyone using ULA (RFC 4193) address space for v6 infrastructure that > does not need to be exposed to the outside world? I understand the concept > of having fc00::/8 being doled out by the RIRs never went anywhere, and > using space out of fd00::/8 can be a bit of a crap-shoot because of the > likelihood of many organizations that do so not following the algorithm for > picking a /48 that is outlined in the RFC. > > There would appear to be reasonable arguments for and against using ULA. > I'm just curious about what people are doing in practice. 
> > jms > > -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From dave.nanog at alfordmedia.com Wed Jan 25 10:34:53 2012 From: dave.nanog at alfordmedia.com (Dave Pooser) Date: Wed, 25 Jan 2012 10:34:53 -0600 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <4F202D9D.4060002@foobar.org> Message-ID: On 1/25/12 10:28 AM, "Nick Hilliard" wrote: >I wish you luck selling this notion to enterprise network people, most of >whom appear to believe that rfc1918 address space is a feature, not a bug. Until they've gone through an M&A where they had to connect multiple sites using overlapping RFC1918 space, of course. Then the idea of globally unique addressing, even if it's not globally routable, starts looking awfully useful. -- Dave Pooser Manager of Information Services Alford Media http://www.alfordmedia.com From rps at maine.edu Wed Jan 25 10:40:12 2012 From: rps at maine.edu (Ray Soucy) Date: Wed, 25 Jan 2012 11:40:12 -0500 Subject: Choice of address for IPv6 default gateway In-Reply-To: <20120125150640.GA87865@ussenterprise.ufp.org> References: <4F2014A0.20008@optilian.com> <20120125150640.GA87865@ussenterprise.ufp.org> Message-ID: On Wed, Jan 25, 2012 at 10:06 AM, Leo Bicknell wrote: > I don't think the industry has really found a best practice to > document yet. There are people trying different ideas. We find > the following convention allows us to keep things organized: > > ::1 - Default gateway > :: - Statically assigned servers. > : - Auto-configured host This is essentially what we do (except we use the hex value of the last octet, so .34 would be ::22, probably just the purist in me).
If you have an environment where hosts will be statically configured, then you probably want to use a global default, if only to avoid confusion from users or poorly written software that expects the default to be in the same prefix as the address. If people understand their prefix is 2001:DB8::/64, and the gateway is 2001:DB8::1, it raises a lot fewer questions than "your prefix is 2001:DB8::/64 but your default router is FE80...".

-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/

From streiner at cluebyfour.org Wed Jan 25 11:55:11 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 25 Jan 2012 12:55:11 -0500 (EST) Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID:

On Wed, 25 Jan 2012, Ray Soucy wrote:
> We've used RFC1918 space for years (without NAT) for non-routed device
> management (switches, printers, IP phones, etc).

And we've done the same.

> The idea behind the random bits was to avoid conflicts should organizations
> making use of ULA merge.

I'm also thinking down the road to possible cases where an internal host needs to be able to communicate with an internal host at another organization over a VPN tunnel, and a convincing argument can't be made for using public addresses - something that's pretty common today in the v4 world. The thought of having to do something equivalent to NAT-T for v6 doesn't fill my heart (or my VPN termination devices) with joy...

Along somewhat similar lines, I don't know if any of the relevant regulatory bodies have made any specific comments related to securing networks that are interconnected using v6. Also being in the higher-ed world, I'm thinking along the lines of HIPAA, GLB, SOX, and friends. The answer might be out there - I just haven't looked into it yet.

> Locally managed means locally manage, though. The RFC is more of
> a suggestion than a requirement at that point.
Right, though it's a shame that the registry-assigned ULA concept didn't take off. > Since it's unenforceable, and the standards require it > to function regardless, I do suspect that many will opt for a "random" > value of zero to keep the notation short and sweet, despite the RFC, or > develop an internal addressing schema for ULA space that works for them > operationally. So it stands a good chance of turning into the wild west ;) jms From streiner at cluebyfour.org Wed Jan 25 12:03:52 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 25 Jan 2012 13:03:52 -0500 (EST) Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> Message-ID: On Wed, 25 Jan 2012, Dale W. Carder wrote: > We have one customer in particular with a substantial non-publicly > reachable v6 deployment with globally assigned addresses. I believe > there is no need to replicate the headaches of rfc1918 in the next > address-family eternity. The one big issue I could see with doing that is that the vulnerability exposure, particularly from the outside world, is larger if devices that don't need public addresses have them. For example, if a network engineer or NOC person accidentally removes a "hide my public infrastructure from the outside world" from an interface on a border router... As others have mentioned, things like management interfaces on access switches, printers, and IP phones would be good candidates to hide with ULA. jms From rps at maine.edu Wed Jan 25 12:08:06 2012 From: rps at maine.edu (Ray Soucy) Date: Wed, 25 Jan 2012 13:08:06 -0500 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: Message-ID: On Wed, Jan 25, 2012 at 12:55 PM, Justin M. Streiner wrote: > So it stands a good chance of turning into the wild west ;) Isn't this what's made the Internet great? 
;-)

-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/

From jeroen at unfix.org Wed Jan 25 12:08:10 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Wed, 25 Jan 2012 19:08:10 +0100 Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?) In-Reply-To: References: Message-ID: <4F20450A.5020106@unfix.org>

On 2012-01-25 18:55 , Justin M. Streiner wrote:
[..]
>> Locally managed means locally manage, though. The RFC is more of
>> a suggestion than a requirement at that point.
>
> Right, though it's a shame that the registry-assigned ULA concept didn't
> take off.

What everybody calls "Registered ULA" or ULA-C(entral) is what the RIRs already provide. Also entities that have such a strict requirement are perfectly served with address space the RIRs provide.

And from my POV unless one is deploying devices which set up ad-hoc networks, there is no real reason to use ULA at all. Just take a chunk from your RIR assigned space, firewall it off, or simply do not route it and presto, you got a globally registered unique block of address space.

From that POV the only reason one might not want RIR space is that one has to pay a wee bit of money for the RIR space, guess what, any kind of ULA-C space with guarantees for being global unique will have that same problem.

But if you want to stick to ULA anyway and you want a bit more certainty that your ULA prefix does not clash, you can generate a random one as per the RFC and register it:

https://www.sixxs.net/tools/grh/ula/

As long as everybody looks at that list, one will be clash free.

And yes, ULA comes in chunks of /48 if you need more than that you can just register multiple disjunct ones or... what about that RIR space? Likely one site or another will start using that thing called the Internet anyway at one point.
Greets, Jeroen

From bill at herrin.us Wed Jan 25 12:51:18 2012 From: bill at herrin.us (William Herrin) Date: Wed, 25 Jan 2012 08:51:18 -1000 Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?) In-Reply-To: <4F20450A.5020106@unfix.org> References: <4F20450A.5020106@unfix.org> Message-ID:

On Wed, Jan 25, 2012 at 8:08 AM, Jeroen Massar wrote:
> On 2012-01-25 18:55 , Justin M. Streiner wrote:
> [..]
>>> Locally managed means locally manage, though. The RFC is more of
>>> a suggestion than a requirement at that point.
>>
>> Right, though it's a shame that the registry-assigned ULA concept didn't
>> take off.
>
> What everybody calls "Registered ULA" or ULA-C(entral) is what the RIRs
> already provide. Also entities that have such a strict requirement are
> perfectly served with address space the RIRs provide.

Jeroen,

Not so. The registries provide GUA, not ULA. Not everybody considers the difference significant, but many if not most of the folks who want to use ULA for anything at all do.

> But if you want to stick to ULA anyway and you want a bit more certainty
> that your ULA prefix does not clash, you can generate a random one as
> per the RFC and register it:
>
> https://www.sixxs.net/tools/grh/ula/

My "registration" was erased from that page. Don't know when. Don't know why. But it speaks poorly for its function as a registry.

Regards, Bill Herrin

-- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ......................
Web: Falls Church, VA 22042-3004 From gbonser at seven.com Wed Jan 25 12:57:59 2012 From: gbonser at seven.com (George Bonser) Date: Wed, 25 Jan 2012 18:57:59 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F201CFF.20905@studio442.com.au> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> > > Sorry I can't let a line like that slide. > > I used to use ServerIron's in my last job, and while generally > wonderful they had two big issues that also occur on other Foundry kit > like the MLX. > > 1. Multiple firmware files that must be upgraded in sync. While getting > more common (I've seen kit from Extreme, Cisco, and Juniper that have > done this to some extent), some of these boxes require on the order of > four firmware files which must be upgraded in lock-step They're a little better here these days. So IF the monitor and boot images change you might need to upgrade those but those don't change on every rev. I think Cisco sometimes requires updates of things like that, too, from time to time. Another thing is due to the nature of the beast. The MLX/XMR is FPGA hardware. In other words, the hardware itself can be reconfigured with a firmware update. Most other gear doesn't have programmable hardware. So in a release two things might have to change. In addition to a software update, there might also be an associated hardware change that requires an FPGA code update in addition to the OS. This is actually a good thing from my perspective in that it allows improvements in the hardware without having to get a new rev of blade. In the "old days" you had to manually update each FPGA image for each blade, that is now a combined file. There's one FPGA file for all blades. These are not always required for updates. 
The OS is also a combined image so that is just one file.

So to recap:

For some updates you will simply need to update one file: the combined OS image.

If there is a hardware change, you might need to update the FPGA images. That is a second file but doesn't happen with every release. In fact, you might not even need it if they DO release a new one because the change might be for the addition of FPGA images or changes to an image for a blade you don't even have. But again, it is one combined file for all blades.

If there is a boot rom / monitor change you might need to update those files but that doesn't happen with every release.

If you update the application (OS) image and do a "reload-check" command, it will tell you if you need to update anything else. Often you don't.

I just went from 5.1 to 5.2 on a couple of MLX units (two more are being upgraded soon and updating some from 5.2b to 5.2c soon) and it was fairly painless. I think what people don't "get" is that the hardware on the things is reprogrammable and that sometimes requires an additional set of files that has nothing to do with the OS running on the system, it is a hardware upgrade in addition to a software upgrade. Once people realize that, it takes some of the sting out of it.

Point is they have combined these images now. You don't need to load the management module OS, line card OS, management module FPGA and line card FPGA files separately anymore. You just update one combined OS image. The FPGA image is updated only if required and again, that is also now one combined file for all modules. So most updates will be one or sometimes two files with the boot and monitor images updated only infrequently.

> 2. Backspace doesn't work. Seriously (ok Ctrl-h works, and you can
> patch your terminal emulator for it, but it's the only hardware I've
> used in the last 15 years like that)

I've noticed that though I think that is only on the hardware console port. Most of the work I do is via the management port.
If I'm on the console serial port, then I am working manually and just deal with the ^H thing. I don't think that issue by itself is enough to prevent me from buying a piece of gear. The applications where we use the MLX units is pretty straightforward and their price/performance is great for that application. But I'm not married to any vendor and if there is a better tool for a particular job, I'll use it. Each vendor seems to have their "sweet spot" for various applications. From jon at smugmug.com Wed Jan 25 13:26:54 2012 From: jon at smugmug.com (jon Heise) Date: Wed, 25 Jan 2012 11:26:54 -0800 Subject: LX sfp minimum range Message-ID: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> we are moving a router between 2 data centers and we only have LX sfp's for connection, is there any issue using LX sfp's in a short range deployment ? From tom at ninjabadger.net Wed Jan 25 13:32:01 2012 From: tom at ninjabadger.net (Tom Hill) Date: Wed, 25 Jan 2012 19:32:01 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> Message-ID: <4F2058B1.4030007@ninjabadger.net> On 25/01/12 18:57, George Bonser wrote: > I've noticed that though I think that is only on the hardware console port. Most of the work I do is via the management port. If I'm on the console serial port, then I am working manually and just deal with the ^H thing. I don't think that issue by itself is enough to prevent me from buying a piece of gear. The CES (at least) does it via SSH, too. (I use the standard Gnome terminal, so we're talking the same application for serial and SSH/telnet use.) Annoyingly the Dell 5400 series switches do it on their console ports, too. 
Thankfully they don't once you're in via SSH. But no-one cares about those! Tom From tdurack at gmail.com Wed Jan 25 13:45:38 2012 From: tdurack at gmail.com (Tim Durack) Date: Wed, 25 Jan 2012 14:45:38 -0500 Subject: LX sfp minimum range In-Reply-To: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> Message-ID: On Wed, Jan 25, 2012 at 2:26 PM, jon Heise wrote: > we are moving a router between 2 data centers and we only have LX sfp's for connection, is there any issue using LX sfp's in a short range deployment ? A Cisco 1000BASE-LX optic has the following spec: http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html -3dBm maximum transmit power, -3dBm maximum receive. That means you can run it over any length. (We use LX for everything.) -- Tim:> From vinny at abellohome.net Wed Jan 25 13:45:40 2012 From: vinny at abellohome.net (Vinny Abello) Date: Wed, 25 Jan 2012 14:45:40 -0500 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F2024BB.7070508@foobar.org> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> <4F2024BB.7070508@foobar.org> Message-ID: <4F205BE4.60905@abellohome.net> On 1/25/2012 10:50 AM, Nick Hilliard wrote: > On 25/01/2012 15:17, Julien Goodwin wrote: >> 2. Backspace doesn't work. Seriously (ok Ctrl-h works, and you can patch >> your terminal emulator for it, but it's the only hardware I've used in >> the last 15 years like that) > > I ended up remapping backspace to too. > > Yeah, seriously, this is totally bizarre dysfunction. There might have > been some excuse for it in the late 1980s, maybe even the early 1990s. But > the world moved on many, many years ago. Same here... 
Likewise, up to a certain firmware version, the input would wrap to a second line making it difficult to backspace. Thankfully that is now fixed. The biggest issue I have now is modern security patched versions of putty just explode when talking to that gear with "type 2 (protocol error) Bad String Length" messages. It's one of those things where putty works fine with everything else as well as every other terminal program works fine with Brocade... so who's at fault? :-P I've got 4 of the XMR 4000's and been running them for years. Most of the problems have been firmware bugs... Early ones were killers and caused inconsistencies in the routing topology, but I haven't seen anything to that extent again. The last major issue I had was the management cards on two of the boxes, about 2500 miles apart, both decided to go insane within hours of each other. I think a line card crashed if I remember right, the boxes stayed up, the management module stopped responding. Some traffic was being black-holed while other traffic continued flowing. After we already fixed it, a Brocade tech said that it sounded like a bus hang or something of that nature which can usually be fixed by re-seating the fan tray(??!?) so you don't need to reboot. We simply power cycled both. Another annoying bug I ran into which prompted a call to Brocade in the middle of the night... I couldn't update the firmware via SSH (nor could they). It kept failing on committing one of the firmware files after it was transferred. Turns out it was a bug and the workaround was to use telnet. The fix was in the version I was upgrading to. It also would have been nice to know that before the tech said just reboot it and it should be fine and we followed all the upgrade steps (despite the errors saying it failed)... the line card's firmware didn't match and wouldn't boot as a result. Luckily this XMR was two blocks from where I was sitting and I recovered it, but still annoying. 
This is what someone else mentioned about all the firmware files needed just to upgrade. There is a combo file, but it doesn't cover everything. One might try to seek out a Telehouse IIX engineer for another opinion. Being a customer of theirs on the NYIIX peering exchange, I know of many issues and outages that were all seemingly related to the MLXe's on which they now run the exchange. On the flip side, find some Hurricane Electric folk. I could be wrong, but I believe their entire backbone is built on the XMR. I know I've seen them in carrier hotels with their name on the equipment. One is two cabinets down from my own in the same cage. Personally, I like the products on paper. Using them in production slightly lowers my satisfaction with them, but you definitely get a lot for your money... bugs and all. -Vinny From vinny at abellohome.net Wed Jan 25 13:55:49 2012 From: vinny at abellohome.net (Vinny Abello) Date: Wed, 25 Jan 2012 14:55:49 -0500 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> Message-ID: <4F205E45.3080902@abellohome.net> On 1/25/2012 1:57 PM, George Bonser wrote: >> 2. Backspace doesn't work. Seriously (ok Ctrl-h works, and you can >> patch your terminal emulator for it, but it's the only hardware I've >> used in the last 15 years like that) > > I've noticed that though I think that is only on the hardware console port. Frustratingly, it's also via SSH... but not telnet. Backspace mapped as Control-(127) doesn't work whereas backspace mapped as Control-h does when connected via SSH. 
-Vinny From jra at baylink.com Wed Jan 25 14:11:42 2012 From: jra at baylink.com (Jay Ashworth) Date: Wed, 25 Jan 2012 15:11:42 -0500 (EST) Subject: Equinix Miami 1 condemnation In-Reply-To: <3138360.6602.1327522020934.JavaMail.root@benjamin.baylink.com> Message-ID: <22786388.6606.1327522302701.JavaMail.root@benjamin.baylink.com> Last week, we saw some traffic about the Lightfiber problems because EqM1 is apparently in a building that's been condemned by the city or county of Miami. That struck me curious, so I wanted to look into it further. Amazingly, there doesn't seem to be any coverage of the incident, even in technical circles. Does anyone know anything they're permitted to tell about how a building which contained a datacenter managed to get itself condemned? Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From vinny at abellohome.net Wed Jan 25 14:14:33 2012 From: vinny at abellohome.net (Vinny Abello) Date: Wed, 25 Jan 2012 15:14:33 -0500 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F2058B1.4030007@ninjabadger.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> <4F2058B1.4030007@ninjabadger.net> Message-ID: <4F2062A9.7050109@abellohome.net> On 1/25/2012 2:32 PM, Tom Hill wrote: > On 25/01/12 18:57, George Bonser wrote: >> I've noticed that though I think that is only on the hardware console port. Most of the work I do is via the management port. If I'm on the console serial port, then I am working manually and just deal with the ^H thing. I don't think that issue by itself is enough to prevent me from buying a piece of gear. 
> > The CES (at least) does it via SSH, too. > > (I use the standard Gnome terminal, so we're talking the same application for serial and SSH/telnet use.) > > Annoyingly the Dell 5400 series switches do it on their console ports, too. Thankfully they don't once you're in via SSH. But no-one cares about those! So do the 55xx's, unfortunately. I'm not sure about the other PowerConnect series. The firmware largely varies in syntax from one model to the next but the 54xx and 55xx seem largely the same. If I get some spare time, I'll look into digging up some contacts from the PowerConnect team and suggest they fix the backspace console issue. -Vinny From tom at ninjabadger.net Wed Jan 25 14:18:47 2012 From: tom at ninjabadger.net (Tom Hill) Date: Wed, 25 Jan 2012 20:18:47 +0000 Subject: juniper mx80 vs cisco asr 1000 In-Reply-To: <4F2062A9.7050109@abellohome.net> References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <20120120081435.GA17097@pob.ytti.fi> <201201232330.50370.mtinka@globaltransit.net> <4F1ED34D.5080309@nmsu.edu> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> <4F2058B1.4030007@ninjabadger.net> <4F2062A9.7050109@abellohome.net> Message-ID: <4F2063A7.4060706@ninjabadger.net> On 25/01/12 20:14, Vinny Abello wrote: > On 1/25/2012 2:32 PM, Tom Hill wrote: >> Annoyingly the Dell 5400 series switches do it on their console ports, too. Thankfully they don't once you're in via SSH. But no-one cares about those! > > So do the 55xx's, unfortunately. I'm not sure about the other PowerConnect series. The firmware largely varies in syntax from one model to the next but the 54xx and 55xx seem largely the same. If I get some spare time, I'll look into digging up some contacts from the PowerConnect team and suggest they fix the backspace console issue. 
I didn't have the same problem with the 62xx (or the lone 52xx I used, for that matter) but then, it's all Broadcom software; it doesn't matter how competent/understanding the guys at Dell are, Broadcom won't lift a finger without a smoking gun. I think of the three or four bugs that Dell passed through to Broadcom on my behalf (i.e. I'd had to convince at least one other person that it wasn't appropriate behaviour), only one was acknowledged and fixed. With that in mind, I wouldn't waste your time! Tom From Bryan at bryanfields.net Wed Jan 25 14:22:29 2012 From: Bryan at bryanfields.net (Bryan Fields) Date: Wed, 25 Jan 2012 15:22:29 -0500 Subject: Equinix Miami 1 condemnation In-Reply-To: <22786388.6606.1327522302701.JavaMail.root@benjamin.baylink.com> References: <22786388.6606.1327522302701.JavaMail.root@benjamin.baylink.com> Message-ID: <4F206485.70805@bryanfields.net> On 1/25/2012 15:11, Jay Ashworth wrote: > Amazingly, there doesn't seem to be any coverage of the incident, even in > technical circles. Does anyone know anything they're permitted to tell > about how a building which contained a datacenter managed to get itself > condemned? I've been in a few Data Centers and CO's that should have been condemned. :) -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net From gdendy at equinix.com Wed Jan 25 14:23:48 2012 From: gdendy at equinix.com (Greg Dendy) Date: Wed, 25 Jan 2012 12:23:48 -0800 Subject: [NANOG-announce] Lightning talks open for NANOG 54 Message-ID: <32EBFCA9-7D76-4C91-93E1-272553B33557@equinix.com> Submit yours now at https://pc.nanog.org/ See you in San Diego! 
Greg NANOG Program Committee

_______________________________________________ NANOG-announce mailing list NANOG-announce at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-announce

From drais at icantclick.org Wed Jan 25 14:28:07 2012 From: drais at icantclick.org (david raistrick) Date: Wed, 25 Jan 2012 15:28:07 -0500 (EST) Subject: Equinix Miami 1 condemnation In-Reply-To: <22786388.6606.1327522302701.JavaMail.root@benjamin.baylink.com> References: <22786388.6606.1327522302701.JavaMail.root@benjamin.baylink.com> Message-ID:

On Wed, 25 Jan 2012, Jay Ashworth wrote:
> Last week, we saw some traffic about the Lightfiber problems because EqM1
> is apparently in a building that's been condemned by the city or county
> of Miami.

If I were to toss out a purely random semi-educated guess - a lot of south florida datacenter buildings were pretty damaged by Ivan (and his friends, floyd, charlie, francis, and katrina) some years back. I'd venture to guess that they've managed to keep things running (or put it back together enough to keep things running) for a while and have been fighting the condemnation order for a number of years...and finally lost. Fun part about those is you usually have nearly zero time to gtfo, especially if you've fought it...

of course, my memory of that time is pretty fuzzy (but I did watch as the company that borged my employer at the time had to scramble massively to recover from having their gear destroyed, flooded, and otherwise put out of service by the storms, basically moving everything that was down south up to orlando). It definitely affected our ability to get paychecks - and for the next few months they were having to literally truck the only remaining check printer back and forth from S.Fl to Orlando every week to print checks....

. o O ( and I don't know where equinix's building was in south florida, either.
but I know they never showed up on our radar when we were hunting for space with dark fiber back to the NAP to feed our southern customers their dose of WCQ...) ...david -- david raistrick http://www.netmeister.org/news/learn2quote.html drais at icantclick.org http://www.expita.com/nomime.html From nanog at hostleasing.net Wed Jan 25 14:39:51 2012 From: nanog at hostleasing.net (Randy Epstein) Date: Wed, 25 Jan 2012 15:39:51 -0500 Subject: Equinix Miami 1 condemnation In-Reply-To: Message-ID: > >. o O ( and I don't know where equinix's building was in south florida, >either. but I know they never showed up on our radar when we were >hunting >for space with dark fiber back to the NAP to feed our southern customers >their dose of WCQ...) > >...david This was the Metro Mall facility, operated by Switch and Data until Equinix's acquisition of S&D a few years ago. It is now known as Equinix-Miami 1. 1 NE 1st Street. The issue here has nothing to do with any hurricanes in the past. My opinion is that they lacked proper documentation and planning. Having a bit of insider knowledge here and knowing where this fiber came from originally (ACSI) and how FiberLight came to acquire it, I'm fairly sure I'm on the money. Randy From marka at isc.org Wed Jan 25 16:51:13 2012 From: marka at isc.org (Mark Andrews) Date: Thu, 26 Jan 2012 09:51:13 +1100 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: Your message of "Wed, 25 Jan 2012 10:51:46 CDT." References: Message-ID: <20120125225113.E44231C0389E@drugs.dv.isc.org> In message , "Justin M . Streiner" writes: > Is anyone using ULA (RFC 4193) address space for v6 infrastructure that > does not need to be exposed to the outside world? I understand the > concept of having fc00::/8 being doled out by the RIRs never went > anywhere, and using space out of fd00::/8 can be a bit of a crap-shoot > because of the likelihood of many organizations that do so not following > the algorithm for picking a /48 that is outlined in the RFC. 
>
> There would appear to be reasonable arguments for and against using ULA.
> I'm just curious about what people are doing in practice.
>
> jms

A lot has to do with whether you have PA addresses or not.

As for picking a random prefix I suspect most home CPE devices will do the right thing. It's also easy to do the right thing. I just did "dd if=/dev/random count=1 bs=5 | od -x" and pulled the hex digits out to construct the ULA I use at home. A little bit prettier version is below.

#!/bin/sh
# Five random bytes are the 40-bit Global ID; the leading "fd" is fc00::/7
# with the L bit set, i.e. the locally assigned ULA range of RFC 4193.
dd bs=5 count=1 if=/dev/random 2> /dev/null | od -t x1 |
awk 'NF == 6 { print "fd" $2 ":" $3 $4 ":" $5 $6 }'

If you don't want to use /dev/random

# Same idea, hashing some local state instead of reading /dev/random (md5 as on BSD).
(ifconfig -a ; date ; netstat -na) | md5 | sed 's/\(..\)\(....\)\(....\).*/fd\1:\2:\3/'

There are lots of ways to generate a suitable prefix.

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From owen at delong.com Wed Jan 25 16:53:23 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 25 Jan 2012 14:53:23 -0800 Subject: Choice of address for IPv6 default gateway In-Reply-To: <4F2014A0.20008@optilian.com> References: <4F2014A0.20008@optilian.com> Message-ID:

On Jan 25, 2012, at 6:41 AM, Daniel STICKNEY wrote:
> I'm having trouble finding authoritative sources on the best common
> practice (if there even is one) for the choice of address for an IPv6
> default gateway in a production server environment (not desktops). For
> example in IPv4 it is common to choose the first or last address in the
> subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested
> in input from production environments and or ARIN/RIPE/IANA/etc or top
> vendors.
>

It's mostly a matter of personal preference. If you want to just use RAs (which is a perfectly fine alternative in most server environments if you're not especially paranoid), then that will automatically use the link local address of the router as next-hop.
If you want to go with something configured via static configuration (note, you CANNOT currently provide default gateway information in DHCPv6), then ::1 or :::1 or whatever is a perfectly viable alternative, so long as your ops folks can all agree on using pretty much the same thing on every subnet. Using different default gateways on different subnets is perfectly functional, but leads to human factors complications that tend to outweigh any perceived benefit to doing so.

> I've seen some documentation using ::1 with either a global
> prefix or link-local (fe80::1). Anyone use either of these in production
> and have negative or positive feedback? fe80::1 is seductive because it
> is short and the idea of having the same default gateway configured
> everywhere might be simple. At the same time using the same address all
> around the network seems to invite confusion or problems if two
> interfaces with the address ever ended up in the same broadcast domain.
>

I don't recommend fe80::1 because not all platforms support configuration of link local addresses vs. using the IID based address or in addition to the IID based address. Also, HSRP/VRRP comes with overhead which you can avoid by using RA. Note, you can use RA for default gateway while still using static addressing.

> What about using RAs to install the default route on the servers? The
> 'priority' option (high/medium/low) easily fits with an architecture using
> an active/standby router setup where the active router is configured
> with the 'high' priority and the standby 'medium'. With the timeout
> values tuned for relatively rapid (~3 seconds) failover this might be
> feasible. Anyone use this in production?
>

Yes, many people use RA in production. The timeout is, I believe, usually more on the order of 1,000 ms or less.

> I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we
> use VRRP for IPv4, using it for IPv6 would keep our architecture the
> same, which has merit too.
> Support for VRRP IPv6 varies from vendor to vendor and while you might keep the same architecture, there are likely differences in the vendor-specific behaviors and/or bugs for their IPv6 VRRP implementations. RA being a much simpler protocol is somewhat less likely to get screwed up in the implementation process by the vendors. It's also the part of the code that gets exercised by more of their IPv6 using customers at this point.

Owen

From nicotine at warningg.com Wed Jan 25 17:11:37 2012 From: nicotine at warningg.com (Brandon Ewing) Date: Wed, 25 Jan 2012 17:11:37 -0600 Subject: Polling Bandwidth as an Aggregate In-Reply-To: References: Message-ID: <20120125231137.GD14132@radiological.warningg.com>

On Fri, Jan 20, 2012 at 08:15:45AM -0500, Drew Weaver wrote: > RTG uses MySQL for its backend, so you can basically setup queries however you like and you can use RTGPOLL to graph multiple interfaces as well. > > It's a super good tool and I think there is a group working on RTG2 at googlecode (I think). > > -Drew >

I agree with Drew -- I have several functions that do their best to correlate readings among multiple interfaces, combine them with other readings near the same time intervals, and output a single set of aggregate bandwidth data. One of RTG's big problems is scalability -- as you monitor more and more devices, going further and further back in time, you're ending up with a gigantic MySQL dataset that can be difficult to manage. Fortunately, there are open-source tools to help manage this. There's a Ruby program that automates consolidation of multiple rows into single rows based on configuration data -- allowing you to keep 5-minute readings of interface data for 2 months, then condensing it to 1 hour readings after that, with the flexibility to identify specific tables and specific timeframes to give you maximum control.

-- Brandon Ewing (nicotine at warningg.com)
From nicotine at warningg.com Wed Jan 25 17:18:07 2012 From: nicotine at warningg.com (Brandon Ewing) Date: Wed, 25 Jan 2012 17:18:07 -0600 Subject: AT&T and IPv6 Launch In-Reply-To: <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> Message-ID: <20120125231807.GE14132@radiological.warningg.com>

On Mon, Jan 23, 2012 at 06:52:05PM -0500, Jared Mauch wrote: > So i have been privately referred to att.com/ipv6 where you can find supporting CPE devices. > > It sounds like if you have equipment supporting ipv6 it may just appear one day "soon". > > Jared Mauch

That's slightly depressing. From their Residential Q&A:

    Devices supporting IPv6
    Pace 4111N
    Netgear 7550 B90
    Netgear 6200 A90
    Motorola 3360
    Only AT&T-certified versions of the devices listed above will be able to utilize IPv6 on the AT&T network.

I have my own DSL modem, that I know has IPv6 support. Will AT&T be doing some sort of wizardry to ensure it will work for their CPE, but not mine?

-- Brandon Ewing (nicotine at warningg.com)
From owen at delong.com Wed Jan 25 17:22:37 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 25 Jan 2012 15:22:37 -0800 Subject: Choice of address for IPv6 default gateway In-Reply-To: <20120125150640.GA87865@ussenterprise.ufp.org> References: <4F2014A0.20008@optilian.com> <20120125150640.GA87865@ussenterprise.ufp.org> Message-ID: <6F062664-B163-42BA-BD1E-1788BD4D9D9D@delong.com>

On Jan 25, 2012, at 7:06 AM, Leo Bicknell wrote: > In a message written on Wed, Jan 25, 2012 at 03:41:36PM +0100, Daniel STICKNEY wrote: >> I've seen some documentation using ::1 with either a global >> prefix or link-local (fe80::1). Anyone use either of these in production >> and have negative or positive feedback? fe80::1 is seductive because it >> is short and the idea of having the same default gateway configured >> everywhere might be simple. At the same time using the same address all >> around the network seems to invite confusion or problems if two >> interfaces with the address ever ended up in the same broadcast domain. > > I don't think the industry has really found a best practice to > document yet. There are people trying different ideas. We find > the following convention allows us to keep things organized: >
> ::1 - Default gateway
> :: - Statically assigned servers.
> : - Auto-configured host
> > If you need them to co-exist, you can also do things like: >
> ::<10240-20480> - DHCP Pool
>

I'll note that 10240-20480 are not valid IPv6 suffixes and that you would need to represent that as ::<2800-5000> and would probably be better off to use something more like ::8:* as your DHCP pool.
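An added example (editor's code, not from Mark Andrews', Leo Bicknell's, Ray Soucy's or Owen DeLong's messages) that puts the two numbering-plan ideas in this thread into runnable Python: building a locally assigned ULA /48 from a 40-bit global ID, either random as in Mark's dd/od pipeline or derived as RFC 4193 section 3.2.2 describes from a timestamp and an EUI-64, and the host-suffix conventions discussed above (decimal "BCD" octets as Owen describes, the hex last octet as Ray does, decimal pool bounds rewritten as the hextets they are), with a check for the "top 12 bits of the interface identifier are zero" rule exactly as Owen states it. Assumptions: the EUI-64 is a modified EUI-64 built from a MAC address (any EUI-64 the system has would do), and the sample MAC, timestamp and addresses are constructed for illustration.

```python
"""IPv6 numbering-plan helpers (editorial example, not code from the thread)."""
import hashlib
import ipaddress
import os
import struct
import time

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")        # all ULA (RFC 4193)
ULA_LOCAL_BLOCK = ipaddress.IPv6Network("fd00::/8")  # locally assigned, L bit = 1
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, invert the u/l bit.
    (Assumption: this is the EUI-64 handed to the RFC 4193 hash.)"""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def ntp_time_now() -> int:
    """Current time as a 64-bit NTP value (32-bit seconds, 32-bit fraction)."""
    now = time.time()
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def rfc4193_global_id(ntp_time: int, eui64: bytes) -> bytes:
    """RFC 4193 section 3.2.2: low-order 40 bits of SHA-1(time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    return digest[-5:]


def random_global_id() -> bytes:
    """The shortcut from the thread: 40 bits straight from the OS RNG."""
    return os.urandom(5)


def ula_prefix(global_id: bytes) -> ipaddress.IPv6Network:
    """fd00::/8 with the 40-bit global ID behind it: a /48 for local use."""
    if len(global_id) != 5:
        raise ValueError("global ID must be 40 bits (5 bytes)")
    gid = int.from_bytes(global_id, "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def is_ula(net) -> bool:
    """True if the network lies inside fc00::/7."""
    if not isinstance(net, ipaddress.IPv6Network):
        net = ipaddress.IPv6Network(net)
    return net.subnet_of(ULA_BLOCK)


def bcd_suffix(ipv4: str, octets: int = 3) -> str:
    """Owen's "BCD" convention: the last `octets` IPv4 octets written as decimal
    digits, one hextet each, so 10.209.198.144 -> "209:198:144". A decimal
    octet is at most three digits (0x255 as a hextet), so it always fits."""
    parts = str(ipaddress.IPv4Address(ipv4)).split(".")
    return ":".join(str(int(p)) for p in parts[-octets:])


def hex_suffix(ipv4: str) -> str:
    """Ray's convention: the last octet in hex, so x.x.x.34 -> "22"."""
    return format(int(ipaddress.IPv4Address(ipv4)) & 0xFF, "x")


def decimal_to_hex_suffix(n: int) -> str:
    """A decimal pool bound as the hextet it really is: 10240 -> "2800"."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("pool bound must fit in one hextet")
    return format(n, "x")


def host_address(network, suffix: str) -> ipaddress.IPv6Address:
    """Place a suffix such as "209:198:144" or "8:1" inside the given /64."""
    net = ipaddress.IPv6Network(network)
    low = int(ipaddress.IPv6Address("::" + suffix))
    addr = ipaddress.IPv6Address(int(net.network_address) | low)
    if addr not in net:
        raise ValueError(f"suffix {suffix} does not fit in {net}")
    return addr


def iid_top12_zero(address) -> bool:
    """The rule as stated in the thread for hand-picked interface IDs: the top
    12 bits of the 64-bit IID are zero, keeping it clear of EUI-64 IIDs."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return (iid >> 52) == 0


if __name__ == "__main__":
    # Constructed sample inputs: a made-up MAC and a fixed NTP timestamp.
    eui = eui64_from_mac(bytes.fromhex("001122334455"))
    print("RFC 4193 ULA:", ula_prefix(rfc4193_global_id(ntp_time_now(), eui)))
    print("random ULA:  ", ula_prefix(random_global_id()))
    print("BCD host:    ", host_address("2001:db8::/64", bcd_suffix("10.209.198.144")))
    print("DHCP pool:   ", decimal_to_hex_suffix(10240), "-", decimal_to_hex_suffix(20480))
```

Running it prints a fresh fd00::/8 prefix each time (the RFC 4193 one changes with the timestamp, the random one with the RNG), the BCD host 2001:db8::209:198:144, and the pool bounds 2800-5000 that Owen derives from 10240-20480. `is_ula` is the check a border filter would apply to fc00::/7 as a whole, which is the filtering shortcut Jeroen mentions later in the thread.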
Owen From jscott962 at gmail.com Wed Jan 25 17:24:43 2012 From: jscott962 at gmail.com (Jared Scott) Date: Wed, 25 Jan 2012 18:24:43 -0500 Subject: Interesting Articles regarding more colocation space in the DC area Message-ID: http://www.washingtonpost.com/business/capitalbusiness/after-dramatic-growth-ashburn-expects-even-more-data-centers/2011/06/09/gIQAZduLjJ_story.html http://www.datacenterknowledge.com/archives/2012/01/18/the-coming-colo-crunch/ From rafael at cresci.org Wed Jan 25 17:38:47 2012 From: rafael at cresci.org (Rafael Cresci) Date: Wed, 25 Jan 2012 21:38:47 -0200 Subject: NANOG Digest, Vol 48, Issue 89 In-Reply-To: References: Message-ID: On 25/01/2012, at 20:51, nanog-request at nanog.org wrote: > Message: 4 > Date: Wed, 25 Jan 2012 15:11:42 -0500 (EST) > From: Jay Ashworth > To: NANOG > Subject: Equinix Miami 1 condemnation > Message-ID: > <22786388.6606.1327522302701.JavaMail.root at benjamin.baylink.com> > Content-Type: text/plain; charset=utf-8 > > Last week, we saw some traffic about the Lightfiber problems because EqM1 > is apparently in a building that's been condemned by the city or county > of Miami. > > That struck me curious, so I wanted to look into it further. > > Amazingly, there doesn't seem to be any coverage of the incident, even in > technical circles. Does anyone know anything they're permitted to tell > about how a building which contained a datacenter managed to get itself > condemned? > This was the Metro Mall facility, operated by Switch and Data until > Equinix's acquisition of S&D a few years ago. It is now known as > Equinix-Miami 1. 1 NE 1st Street. > And... > The issue here has nothing to do with any hurricanes in the past. My > opinion is that they lacked proper documentation and planning. Having a > bit of insider knowledge here and knowing where this fiber came from > originally (ACSI) and how FiberLight came to acquire it, I'm fairly sure > I'm on the money. I have no NDA on this so I can talk better in details. 
Equinix Miami 1 (formerly Switch & Data, formerly another company name I don't recall now) was the temporary building that the NAP was built on, before moving to the current location that Terremark is (if not wrong, they called it the "T-Rex project" and the NOTA exchange started there in that place). Thus, (nearly) every major fiber strand that comes from the submarine cable landing stations in SFl comes into EQX MIA1 first, physically, before going into Terremark at 9th Street.

The building itself (Metromall) is not a datacenter by design, it's a normal commercial building. Some handfuls of jewelry stores, coffee shop, travel agency, a hair dresser, in the lobby and ground and basement levels. The loading dock of the building is on the same alley as Equinix Miami 2 (36 NE 2nd Street/Telesource building/Telx/Colohouse/Fibermedia/Savvis) loading dock entrance. Global Crossing's datacenter also was in the Metromall at another floor before going into Terremark's 6th floor.

Equinix/S&D was on the 5th floor (whole floor). They were the biggest lease there, but they had no word on the building administration or maintenance, only on their own floor, that was pretty empty (no more than two or three dozen customers). S&D considered Miami more of a strategic network PoP than a real customer datacenter (as does Savvis, that has a full floor in the 36 NE 2nd St building, but no customers, and doesn't announce it as a datacenter/colocation PoP even having all that square footage and huge generators), they had only a small number of customers and the two facilities (MIA1 and MIA2) were acquisitions of former small/broken telco companies. They were not built by S&D, let alone by Equinix.

The building failed the 40-year inspection by the city of Miami.
The landlord/owner of the building decided not to fix the numerous issues that were presented by the inspectors, and then decided to just let it go, close everything, expel all stores (mostly were on monthly leases) with little to no notice, and maybe sell the building or the ruins to someone who wanted it to fix or to demolish. Equinix (or better, Switch and Data) was in negotiations with a company I worked for as an outsourced partner, to build a pipe between both buildings, when they faced a long delay on approval by the landlord. When they pressed, they got the real reason why he was holding it.

Last June Equinix started to evacuate the building preemptively, moving all customers to Miami 2 (it's in the same block, just two corners or a backdoor away) and paying their moving costs (materials, manpower, telco circuit moves) up to a ceiling of $10k (in service credits, not cash, power install was covered by Equinix). They did some preparation work on Miami 2 for receiving these customers - not many - and started that, with an ETA to move everybody out by October 2011. The "secret" ingredient was more of a "let's not announce it so no one tries to sign up to Miami 1 and then take advantage of service credits", until the unavoidable was unavoidable and until Miami 2 was ready for deployment of these customers. Only the customers, partners and the Digital Realty Trust management (Miami 2 is a DRL building)/security were aware of that while the move was not completed or at least mass moved. Some competitors got to the knowledge after the customers were notified (in June 2011) and some customers leaked that information by accident or intentionally at that time.

AFAIK, Fiberlight spliced all fiber on the manhole during 3 nights in July/August 2011, to reroute them out of MIA1.
What happened a couple of days ago was something completely different and probably the result of something they forgot to do on that manhole, or pure stupidity of doing maintenance/upgrades on both sides of the ring at the same time.

-- rc

From owen at delong.com Wed Jan 25 17:39:52 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 25 Jan 2012 15:39:52 -0800 Subject: Choice of address for IPv6 default gateway In-Reply-To: References: <4F2014A0.20008@optilian.com> <20120125150640.GA87865@ussenterprise.ufp.org> Message-ID:

On Jan 25, 2012, at 8:40 AM, Ray Soucy wrote: > On Wed, Jan 25, 2012 at 10:06 AM, Leo Bicknell wrote: > >> I don't think the industry has really found a best practice to >> document yet. There are people trying different ideas. We find >> the following convention allows us to keep things organized: >>
>> ::1 - Default gateway
>> :: - Statically assigned servers.
>> : - Auto-configured host
> > This is essentially what we do (except we use the hex value of the > last octet, so .34 would be ::22, probably just the purist in me). >

Having done both hex-conversion and BCD (in fact I mention both possibilities in the IPv6 courses that I teach), I have to say that the purist loses to the pragmatist in my mind and BCD makes much more sense. You can, actually, safely BCD up to the last three IPv4 octets in an IPv6 address without violating the 12-bits of zeroes rule to avoid EUI-64 collisions, so, for example, 10.1.2.3 could become ::1:2:3, or, 10.209.198.144 could be ::209:198:144.

> If you have an environment where hosts will be statically configured, > then you probably want to use a global default, if only to avoid > confusion from users or poorly written software that expects the > default to be in the same prefix as the address. >

Well, any software should be able to handle a link-local default, but, otherwise, yes.
> If people understand their prefix is 2001:DB8::/64, and the gateway is > 2001:DB8::1 it raises a lot less questions than "your prefix is > 2001:DB8::/64 but your default router is FE80...". > People will have to get used to the fe80 thing pretty quickly anyway, since that's what you get with RAs regardless. Owen From owen at delong.com Wed Jan 25 17:46:54 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 25 Jan 2012 15:46:54 -0800 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> Message-ID: <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote: > On Wed, 25 Jan 2012, Dale W. Carder wrote: > >> We have one customer in particular with a substantial non-publicly >> reachable v6 deployment with globally assigned addresses. I believe >> there is no need to replicate the headaches of rfc1918 in the next >> address-family eternity. > > The one big issue I could see with doing that is that the vulnerability exposure, particularly from the outside world, is larger if devices that don't need public addresses have them. For example, if a network engineer or NOC person accidentally removes a "hide my public infrastructure from the outside world" from an interface on a border router... > Use different GUA ranges for internal and external. It's easy enough to get an additional prefix. > As others have mentioned, things like management interfaces on access switches, printers, and IP phones would be good candidates to hide with ULA. Or non-advertised, filtered GUA. Works just as well either way. Owen From if at xip.at Wed Jan 25 17:51:05 2012 From: if at xip.at (Ingo Flaschberger) Date: Thu, 26 Jan 2012 00:51:05 +0100 (CET) Subject: mysql.org down? 
Message-ID:

Hi, from my location / Austria, mysql.org seems to be down:

    traceroute to 213.136.52.82 (213.136.52.82), 30 hops max, 40 byte packets
     7 at-vie-xion-pe01-vl-2061.upc.at (84.116.229.21) 39.009 ms 38.957 ms 39.001 ms
     8 at-vie01a-rd1-vl-2050.aorta.net (84.116.228.193) 36.824 ms 35.930 ms 61.089 ms
     9 nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.910 ms nl-ams05a-rd2-xe-0-0-2.aorta.net (84.116.130.73) 36.573 ms nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.631 ms
    10 84.116.134.145 (84.116.134.145) 36.539 ms 84.116.134.61 (84.116.134.61) 40.418 ms 84.116.136.22 (84.116.136.22) 36.507 ms
    11 ams-ix.ams-cr1.bahnhof.net (195.69.144.99) 38.430 ms 38.473 ms 42.336 ms
    12 ams-cr1.cph-cr1.bahnhof.net (46.59.112.26) 42.201 ms 38.980 ms 36.493 ms
    13 cph-cr1.mmo-cr1.bahnhof.net (85.24.151.246) 47.877 ms 49.929 ms 49.882 ms
    14 mmo-cr1.sto-cr3.bahnhof.net (85.24.151.108) 46.963 ms 46.938 ms 55.098 ms
    15 sto-cr1.pio-dr3.bahnhof.net (85.24.151.225) 53.173 ms 52.898 ms 52.927 ms
    16 pio-dr3.pio-dr2.bahnhof.net (85.24.151.72) 52.863 ms 51.261 ms 49.389 ms
    17 sto-cr1.sto-cr2.bahnhof.net (85.24.151.1) 51.399 ms 46.986 ms 49.730 ms

Kind regards, Ingo Flaschberger

From jeroen at unfix.org Wed Jan 25 17:55:58 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Thu, 26 Jan 2012 00:55:58 +0100 Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?) In-Reply-To: References: <4F20450A.5020106@unfix.org> Message-ID: <4F20968E.5010908@unfix.org>

On 2012-01-25 19:51 , William Herrin wrote: > On Wed, Jan 25, 2012 at 8:08 AM, Jeroen Massar wrote: >> On 2012-01-25 18:55 , Justin M. Streiner wrote: >> [..] >>>> Locally managed means locally manage, though. The RFC is more of >>>> a suggestion than a requirement at that point. >>> >>> Right, though it's a shame that the registry-assigned ULA concept didn't >>> take off. >> >> What everybody calls "Registered ULA" or ULA-C(entral) is what the RIRs >> already provide.
>> Also entities that have such a strict requirement are >> perfectly served with address space the RIRs provide. > > Jeroen, > > Not so. The registries provide GUA, not ULA. Not everybody considers > the difference significant, but many if not most of the folks who want > to use ULA for anything at all do.

I think you misunderstood my terminology, which is afaik the one used by the relevant documents, but let's see where we go astray.

ULA consists of two portions inside fc00::/7 which are:

    fd00::/8 for ULA-L (local) as the one defined by RFC4193
    fc00::/8 reserved for ULA-C which for instance is mentioned in http://tools.ietf.org/html/draft-hain-ipv6-ulac-02

ULA-L is the one everybody uses and what most people just call ULA. ULA-C is very close to GUA as they are both registered at some entity. ULA-C does not exist though, the prime reason for that being that nobody could come up with extensive reasons why it would be any different from GUA and thus why anyone would bother having a registry for it (well, apart from earning more money by registering numbers of course, like what the rest of the industry is doing).

The only other reason would be that one can filter fc00::/7 away completely and be done with both of them in one go. But, the moment that one is using ULA space in one's network one is likely not applying that rule, also, it does not come by default in boxes. And as we all know, folks don't filter per BCP-38 either, thus it will be very unlikely that there will be a global fc00::/7 block (and if that was one's line of defense in their network then good luck with that ;)

>> But if you want to stick to ULA anyway and you want a bit more certainty >> that your ULA prefix does not clash, you can generate a random one as >> per the RFC and register it: >> >> https://www.sixxs.net/tools/grh/ula/ > > My "registration" was erased from that page. Don't know when. Don't > know why. But it speaks poorly for its function as a registry.
This was likely caused by the little note at the bottom: "Prefixes which are not generated using the ULA generator will be silently removed; ULAs are not supposed to look pretty."

Various folks are registering fd00::/48 or 'fun' stuff like fd00:b00b::/48 or whole series of /48s (fd01::/48, fd02::/48 etc) and then claim that they generated that prefix. For some obvious reason the system does not agree with those statements. Unfortunately there is no drop log, thus in case the system did make a wrong decision, there is a contact page where one can notify us and we'll dig into it.

Greets, Jeroen

From shaun at shaun.net Wed Jan 25 17:56:26 2012 From: shaun at shaun.net (Shaun Ewing) Date: Thu, 26 Jan 2012 10:56:26 +1100 Subject: mysql.org down? In-Reply-To: References: Message-ID:

On 26/01/2012, at 10:51 AM, Ingo Flaschberger wrote: > Hi, > > from my location / austria, mysql.org seems to be down:

http://www.downforeveryoneorjustme.com/mysql.org "It's not just you! http://mysql.org looks down from here."

From tony.mccrory at gmail.com Wed Jan 25 17:56:41 2012 From: tony.mccrory at gmail.com (Tony McCrory) Date: Wed, 25 Jan 2012 23:56:41 +0000 Subject: mysql.org down?
In-Reply-To: References: Message-ID:

On 25 January 2012 23:51, Ingo Flaschberger wrote: > Hi, > > from my location / austria, mysql.org seems to be down: > traceroute to 213.136.52.82 (213.136.52.82), 30 hops max, 40 byte packets > 7 at-vie-xion-pe01-vl-2061.upc.at (84.116.229.21) 39.009 ms 38.957 ms 39.001 ms > 8 at-vie01a-rd1-vl-2050.aorta.net (84.116.228.193) 36.824 ms 35.930 ms 61.089 ms > 9 nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.910 ms > nl-ams05a-rd2-xe-0-0-2.aorta.net (84.116.130.73) 36.573 ms > nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.631 ms > 10 84.116.134.145 (84.116.134.145) 36.539 ms > 84.116.134.61 (84.116.134.61) 40.418 ms > 84.116.136.22 (84.116.136.22) 36.507 ms > 11 ams-ix.ams-cr1.bahnhof.net (195.69.144.99) 38.430 ms 38.473 ms > 42.336 ms > 12 ams-cr1.cph-cr1.bahnhof.net (46.59.112.26) 42.201 ms 38.980 ms > 36.493 ms > 13 cph-cr1.mmo-cr1.bahnhof.net (85.24.151.246) 47.877 ms 49.929 ms > 49.882 ms > 14 mmo-cr1.sto-cr3.bahnhof.net (85.24.151.108) 46.963 ms 46.938 ms > 55.098 ms > 15 sto-cr1.pio-dr3.bahnhof.net (85.24.151.225) 53.173 ms 52.898 ms > 52.927 ms > 16 pio-dr3.pio-dr2.bahnhof.net (85.24.151.72) 52.863 ms 51.261 ms > 49.389 ms > 17 sto-cr1.sto-cr2.bahnhof.net (85.24.151.1) 51.399 ms 46.986 ms > 49.730 ms > > Kind regards, > Ingo Flaschberger > >

mtr from a host in Germany:

    Host                                   Loss%   Last   Avg  Best  Wrst StDev
     1. 172.29.206.204                      0.0%    0.1   0.1   0.1   0.2   0.0
     2. vl-1995.gw-distp-a.bad.oneandone.net 0.0%   0.3   0.3   0.3   0.3   0.0
     3. te-1-1.bb-c.bap.rhr.de.oneandone.net 0.0%   9.9   0.9   0.2   9.9   2.5
     4. te-1-1.bb-c.the.lon.gb.oneandone.net 0.0%  20.0  15.0  14.5  20.0   1.4
     5. te-1-2.bb-c.nkf.ams.nl.oneandone.net 0.0%  15.6  15.6  15.6  15.8   0.1
     6. ams-ix.ams-cr1.bahnhof.net          0.0%   16.0  16.0  15.9  16.1   0.0
     7. ams-cr1.cph-cr1.bahnhof.net         0.0%   34.1  33.8  33.6  34.1   0.2
     8. cph-cr1.mmo-cr1.bahnhof.net         0.0%   35.8  35.8  35.5  36.3   0.2
     9. mmo-cr1.sto-cr3.bahnhof.net         0.0%   35.7  36.1  35.7  38.6   0.7
    10.
    sto-cr1.pio-dr3.bahnhof.net         0.0%   35.1  35.1  34.9  35.2   0.1
    11. pio-dr3.pio-dr2.bahnhof.net         0.0%   35.2  35.3  34.9  36.7   0.5
    12. sto-cr1.sto-cr2.bahnhof.net         0.0%   35.8  38.5  35.6  73.4  10.0
    13. pio-dr3.pio-dr2.bahnhof.net         0.0%   35.6  35.4  35.1  35.8   0.2
    14. sto-cr1.sto-cr2.bahnhof.net         0.0%   36.1  38.3  35.8  67.4   8.4
    [...]

From ryan at u13.net Wed Jan 25 17:56:55 2012 From: ryan at u13.net (Ryan Rawdon) Date: Wed, 25 Jan 2012 18:56:55 -0500 Subject: mysql.org down? In-Reply-To: References: Message-ID:

On Jan 25, 2012, at 6:51 PM, Ingo Flaschberger wrote: > Hi, > > from my location / austria, mysql.org seems to be down: > traceroute to 213.136.52.82 (213.136.52.82), 30 hops max, 40 byte packets > 7 at-vie-xion-pe01-vl-2061.upc.at (84.116.229.21) 39.009 ms 38.957 ms 39.001 ms > 8 at-vie01a-rd1-vl-2050.aorta.net (84.116.228.193) 36.824 ms 35.930 ms 61.089 ms > 9 nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.910 ms > nl-ams05a-rd2-xe-0-0-2.aorta.net (84.116.130.73) 36.573 ms > nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.631 ms > 10 84.116.134.145 (84.116.134.145) 36.539 ms > 84.116.134.61 (84.116.134.61) 40.418 ms > 84.116.136.22 (84.116.136.22) 36.507 ms > 11 ams-ix.ams-cr1.bahnhof.net (195.69.144.99) 38.430 ms 38.473 ms 42.336 ms > 12 ams-cr1.cph-cr1.bahnhof.net (46.59.112.26) 42.201 ms 38.980 ms 36.493 ms > 13 cph-cr1.mmo-cr1.bahnhof.net (85.24.151.246) 47.877 ms 49.929 ms 49.882 ms > 14 mmo-cr1.sto-cr3.bahnhof.net (85.24.151.108) 46.963 ms 46.938 ms 55.098 ms > 15 sto-cr1.pio-dr3.bahnhof.net (85.24.151.225) 53.173 ms 52.898 ms 52.927 ms > 16 pio-dr3.pio-dr2.bahnhof.net (85.24.151.72) 52.863 ms 51.261 ms 49.389 ms > 17 sto-cr1.sto-cr2.bahnhof.net (85.24.151.1) 51.399 ms 46.986 ms 49.730 ms > > Kind regards, > Ingo Flaschberger >

Routing loop inside bahnhof.net:

    nova-dhcp-host111:~ ryan$ mtr --report mysql.org
    HOST: nova-dhcp-host111.u13.net   Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- vlan11.net5501-a.u13.net     0.0%    10    0.2   0.6   0.2   3.6   1.1
      2.|-- l100.washdc-vfttp-93.veri
    0.0% 10 59.6 41.9 6.8 59.6 19.0
      3.|-- g0-12-4-3.washdc-lcr-21.v    0.0%    10   47.0  40.6   9.0  91.8  28.5
      4.|-- so-13-1-0-0.lcc2-res-bb-r    0.0%    10   39.3  24.2   5.7  66.9  22.7
      5.|-- 0.xe-4-1-0.xl3.iad8.alter    0.0%    10   11.4  19.0   4.4  66.0  18.0
      6.|-- 0.tengige0-4-4-0.gw1.iad8    0.0%    10    8.1  10.4   6.5  25.5   5.5
        |  `|-- 152.63.38.246
        |   |-- 152.63.35.137
        |   |-- 152.63.32.233
        |   |-- 152.63.35.141
      7.|-- teliasonera-gw.customer.a    0.0%    10  110.5 192.7  32.6 377.0 100.0
      8.|-- nyk-bb1-link.telia.net       0.0%    10   72.6  69.6  22.6  80.9  16.7
      9.|-- kbn-bb1-link.telia.net       0.0%    10  142.7 155.7 136.6 197.3  17.3
     10.|-- kbn-b3-link.telia.net        0.0%    10  153.7 152.8 117.0 195.3  18.9
     11.|-- bahnhof-ic-133084-kbn-b3.    0.0%    10  164.1 158.8 133.6 168.3   9.8
     12.|-- cph-cr1.mmo-cr1.bahnhof.n    0.0%    10  161.8 157.5 109.1 166.5  17.3
     13.|-- mmo-cr1.sto-cr3.bahnhof.n    0.0%    10  165.8 161.9 159.1 165.8   2.2
     14.|-- sto-cr1.pio-dr3.bahnhof.n    0.0%    10  162.5 161.6 156.4 167.1   3.7
     15.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  163.6 157.0 141.3 163.6   5.9
     16.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  169.9 156.6 118.0 172.7  17.7
     17.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  150.7 142.5 103.6 160.4  22.7
     18.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  123.2 138.3 119.1 191.8  24.5
     19.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  109.4 114.5 102.3 160.6  20.4
     20.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  115.6 121.6 111.6 167.4  16.4
     21.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  101.8 110.1 101.8 145.7  12.7
     22.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  187.1 180.1 114.1 209.4  34.3
     23.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  164.6 156.1 121.2 164.6  12.5
     24.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  171.1 164.6 116.7 176.7  17.3
     25.|-- pio-dr3.pio-dr2.bahnhof.n    0.0%    10  157.1 156.4 133.9 164.4   9.9
     26.|-- sto-cr1.sto-cr2.bahnhof.n    0.0%    10  162.9 160.8 115.8 179.3  18.4
     27.|-- pio-dr3.pio-dr2.bahnhof.n   10.0%    10  111.6 146.3 110.7 165.2  21.1
     28.|-- sto-cr1.sto-cr2.bahnhof.n   10.0%    10  186.9 166.9 118.5 186.9  19.1
     29.|-- pio-dr3.pio-dr2.bahnhof.n   10.0%    10  163.5 160.0 154.7 165.0   4.0
     30.|-- sto-cr1.sto-cr2.bahnhof.n   10.0%    10
182.6 171.5 163.8 182.6 6.5 From owen at delong.com Wed Jan 25 18:09:08 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 25 Jan 2012 16:09:08 -0800 Subject: AT&T and IPv6 Launch In-Reply-To: <20120125231807.GE14132@radiological.warningg.com> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> <20120125231807.GE14132@radiological.warningg.com> Message-ID: Far more likely that they have some specific DHCPv6 or other feature requirement that may or may not be present in all IPv6 CPE and they won't promise that other CPE will work and don't want to have to maintain a laundry list and support customers that don't understand. Owen On Jan 25, 2012, at 3:18 PM, Brandon Ewing wrote: > On Mon, Jan 23, 2012 at 06:52:05PM -0500, Jared Mauch wrote: >> So i have been privately referred to att.com/ipv6 where you can find supporting CPE devices. >> >> It sounds like if you have equipment supporting ipv6 it may just appear one day "soon". >> >> Jared Mauch > > That's slightly depressing. From their Residential Q&A: > Devices supporting IPv6 > > Pace 4111N > Netgear 7550 B90 > Netgear 6200 A90 > Motorola 3360 > > Only AT&T-certified versions of the devices listed above will be able to > utilize IPv6 on the AT&T network. > > I have my own DSL modem, that I know has IPv6 support. Will AT&T be doing > some sort of wizardry to ensure it will work for their CPE, but not mine? > > -- > Brandon Ewing (nicotine at warningg.com) From tmagill at providecommerce.com Wed Jan 25 18:14:23 2012 From: tmagill at providecommerce.com (Thomas Magill) Date: Thu, 26 Jan 2012 00:14:23 +0000 Subject: Akamai/Integra issue? Message-ID: This morning we began having issues at one of our sites. Eventually the systems teams tracked it down to some Akamai hosted content. I did some debugs and found that traffic transiting Integra is getting back RST packets for anything at *.akamaiedge.net. 
I rerouted the known bad hosts through our backup provider and that resolved the issue, but more keep popping up due to DNS changes. Has anyone else had any issues with akamaiedge.net today?

If an Akamai operator is on please email me offline.

Thomas Magill Sr. Network Engineer Office: (858) 909-3777 Cell: (858) 869-9685 mailto:tmagill at providecommerce.com provide-commerce 4840 Eastgate Mall San Diego, CA 92121 ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries

From bill at herrin.us Wed Jan 25 19:21:42 2012 From: bill at herrin.us (William Herrin) Date: Wed, 25 Jan 2012 15:21:42 -1000 Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?) In-Reply-To: <4F20968E.5010908@unfix.org> References: <4F20450A.5020106@unfix.org> <4F20968E.5010908@unfix.org> Message-ID:

On Wed, Jan 25, 2012 at 1:55 PM, Jeroen Massar wrote: > On 2012-01-25 19:51 , William Herrin wrote: >> On Wed, Jan 25, 2012 at 8:08 AM, Jeroen Massar wrote: >>> What everybody calls "Registered ULA" or ULA-C(entral) is what the RIRs >>> already provide. Also entities that have such a strict requirement are >>> perfectly served with address space the RIRs provide. >> >> Not so. The registries provide GUA, not ULA. Not everybody considers >> the difference significant, but many if not most of the folks who want >> to use ULA for anything at all do. > > I think you misunderstood my terminology, which is afaik the one used by > the relevant documents,

Jeroen,

I knew I should have used the longer explanation.

From what I've been able to determine, the folks who want Unique Local Addresses usually want a block of addresses which only function on private networks. Should their packets ever leak on to the public Internet, the ULA users want them to fail. By contrast, the registries hand out Global Unicast Addresses. If packets with these addresses make it to the public Internet, they'll probably work.
This is not a good thing if you're implementing a SCADA network whose hosts may need to talk to another company network, or even a remote monitoring company's network, but should never talk to hosts on the public Internet.

I don't want to get into an argument over the security implications (or non-implications) of addresses which are or are not publicly routable. Suffice it to say there are networking professionals to whom a GUA address is not a satisfactory substitute for a ULA address. Hence, a registered ULA address IS NOT equivalent to what the RIRs provide.

>>> https://www.sixxs.net/tools/grh/ula/ >> >> My "registration" was erased from that page. Don't know when. Don't >> know why. But it speaks poorly for its function as a registry. > > This was likely caused by the little note at the bottom: > > "Prefixes which are not generated using the ULA generator will be > silently removed; ULAs are not supposed to look pretty." > > Various folks are registering fd00::/48 or 'fun' stuff like > fd00:b00b::/48

Hey, do you realize how many tries it took me to randomly generate fd00:b00b::/48?

In all seriousness, though, while protecting against someone blindly registering lots of naughts is probably reasonable, a registry isn't worth much if it won't record the address ranges folks actually choose to use. Regardless of how closely the RFC was followed in those ranges' selection. In a sense, such a registry makes a net negative contribution because its existence discourages the creation of another organized effort.

Regards, Bill

-- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004

From jeroen at unfix.org Wed Jan 25 19:38:58 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Thu, 26 Jan 2012 02:38:58 +0100 Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?)
In-Reply-To: References: <4F20450A.5020106@unfix.org> <4F20968E.5010908@unfix.org> Message-ID: <4F20AEB2.7030709@unfix.org> On 2012-01-26 02:21 , William Herrin wrote: > On Wed, Jan 25, 2012 at 1:55 PM, Jeroen Massar wrote: >> On 2012-01-25 19:51 , William Herrin wrote: >>> On Wed, Jan 25, 2012 at 8:08 AM, Jeroen Massar wrote: >>>> What everybody calls "Registered ULA" or ULA-C(entral) is what the RIRs >>>> already provide. Also entities that have such a strict requirement are >>>> perfectly served with address space the RIRs provide. >>> >>> Not so. The registries provide GUA, not ULA. Not everybody considers >>> the difference significant, but many if not most of the folks who want >>> to use ULA for anything at all do. >> >> I think you misunderstood my terminology, which is afaik the one used by >> the relevant documents, > > Jeroen, > > I knew I should have used the longer explanation. > > From what I've been able to determine, the folks who want Unique Local > Addresses usually want a block of addresses which only function on > private networks. You mean similar to the fact that the RFC1918 prefixes people use at home can be reached because they are using NAT-PMP or uPNP on their NAT box? > Should their packets ever leak on to the public > Internet, the ULA users want them to fail. If one does not want packets to get to the Internet then don't connect it to the Internet. > By contrast, the registries > hand out Global Unicast Addresses. If packets with these addresses > make it to the public Internet, they'll probably work. Unless they are firewalled or the route is simply not announced at all. Please remember that there is no requirement for a RIR-provided prefix to be announced onto the Internet. [..] > I don't want to get into an argument over the security implications > (or non-implications) of addresses which are or are not publicly > routable. 
> Suffice it to say there are networking professionals to whom
> a GUA address is not a satisfactory substitute for a ULA address.
> Hence, a registered ULA address IS NOT equivalent to what the RIRs
> provide.

Hmmm ah, yes, "Network professionals", they obviously know what they are doing as they call themselves professional, it is at least a very nice imaginary line they have ;)

But yes, there are people who bill their customers a lot for things that are not correct. People need to earn money one way or another.

>>>> https://www.sixxs.net/tools/grh/ula/
>>>
>>> My "registration" was erased from that page. Don't know when. Don't
>>> know why. But it speaks poorly for its function as a registry.
>>
>> This was likely caused by the little note at the bottom:
>>
>> "Prefixes which are not generated using the ULA generator will be
>> silently removed; ULAs are not supposed to look pretty."
>>
>> Various folks are registering fd00::/48 or 'fun' stuff like
>> fd00:b00b::/48
>
> Hey, do you realize how many tries it took me to randomly generate
> fd00:b00b::/48?

It is indeed possible, but it likely took you a lot of time on a very nice fat supercomputer. Better spend your resources on something else I would say.

> In all seriousness, though, while protecting against someone blindly
> registering lots of naughts is probably reasonable, a registry isn't
> worth much if it won't record the address ranges folks actually choose
> to use.

It is a registry for ULA addresses; these are random, not hand-picked. If one cannot simply use the button which is located a bit above it, then well, that is not the purpose of it. We could have opted to allow only to register prefixes that were generated by that output, but we chose to allow people who have generated the prefixes locally to submit those too.

> Regardless of how closely the RFC was followed in those
> ranges' selection.
> In a sense, such a registry makes a net negative
> contribution because its existence discourages the creation of another
> organized effort.

I don't see how it makes a negative contribution. The people registering non-ULA registered prefixes are doing so though, then again, they automatically disappear thus it is a non-issue.

The script for generating the ULA is linked at the bottom of the page and I am sure that anybody with 30 minutes of time can fix up a way of storing prefixes into a file/db from a HTTP form... next to the complete list being downloadable so if people want to clone it, it would be quite easily done, note also that the offer for a RIR to take it over still stands as stated on the page.

Greets,
Jeroen

From rubensk at gmail.com Wed Jan 25 19:48:39 2012
From: rubensk at gmail.com (Rubens Kuhl)
Date: Wed, 25 Jan 2012 23:48:39 -0200
Subject: Akamai/Integra issue?
In-Reply-To:
References:
Message-ID:

Maybe the attack on Facebook put Akamai into DEFCON 1?
http://www.readwriteweb.com/archives/anonymous_claims_responsibility_for_facebook_outag.php

Rubens

On Wed, Jan 25, 2012 at 10:14 PM, Thomas Magill wrote:
> This morning we began having issues at one of our sites. Eventually the systems teams tracked it down to some Akamai hosted content. I did some debugs and found that traffic transiting Integra is getting back RST packets for anything at *.akamaiedge.net. I rerouted the known bad hosts through our backup provider and that resolved the issue, but more keep popping up due to DNS changes. Has anyone else had any issues with akamaiedge.net today?
>
> If an Akamai operator is on please email me offline.
>
> Thomas Magill
> Sr.
> Network Engineer
> Office: (858) 909-3777
> Cell: (858) 869-9685
> mailto:tmagill at providecommerce.com
>
> provide-commerce
> 4840 Eastgate Mall
> San Diego, CA 92121
>
> ProFlowers | redENVELOPE | Cherry Moon Farms | Shari's Berries
>

From morrowc.lists at gmail.com Wed Jan 25 19:58:34 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 25 Jan 2012 20:58:34 -0500
Subject: AT&T and IPv6 Launch
In-Reply-To: <20120125231807.GE14132@radiological.warningg.com>
References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> <20120125231807.GE14132@radiological.warningg.com>
Message-ID:

On Wed, Jan 25, 2012 at 6:18 PM, Brandon Ewing wrote:
> On Mon, Jan 23, 2012 at 06:52:05PM -0500, Jared Mauch wrote:
>> So i have been privately referred to att.com/ipv6 where you can find supporting CPE devices.
>>
>> It sounds like if you have equipment supporting ipv6 it may just appear one day "soon".
>>
>> Jared Mauch
>
> That's slightly depressing. From their Residential Q&A:
> Devices supporting IPv6
>
> Pace 4111N
> Netgear 7550 B90
> Netgear 6200 A90
> Motorola 3360
>
> Only AT&T-certified versions of the devices listed above will be able to
> utilize IPv6 on the AT&T network.
>

ebony phone anyone?

> I have my own DSL modem, that I know has IPv6 support. Will AT&T be doing
> some sort of wizardry to ensure it will work for their CPE, but not mine?
>
> --
> Brandon Ewing
> (nicotine at warningg.com)

From bicknell at ufp.org Wed Jan 25 20:13:41 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Wed, 25 Jan 2012 18:13:41 -0800
Subject: Choice of address for IPv6 default gateway
In-Reply-To: <6F062664-B163-42BA-BD1E-1788BD4D9D9D@delong.com>
References: <4F2014A0.20008@optilian.com> <20120125150640.GA87865@ussenterprise.ufp.org> <6F062664-B163-42BA-BD1E-1788BD4D9D9D@delong.com>
Message-ID: <20120126021341.GA15079@ussenterprise.ufp.org>

In a message written on Wed, Jan 25, 2012 at 03:22:37PM -0800, Owen DeLong wrote:
> On Jan 25, 2012, at 7:06 AM, Leo Bicknell wrote:
> > ::<10240-20480> - DHCP Pool
> >
>
> I'll note that 10240-20480 are not valid IPv6 suffixes and that you
> would need to represent that as ::<2800-5000> and would
> probably be better off to use something more like ::8:* as
> your DHCP pool.

Yeah, I'm not sure why my brain put 0's on the end when typing. I intended to say ::1024-2048, but as you point out using ::1:1-n works just as well.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL:

From bill at herrin.us Wed Jan 25 21:02:56 2012
From: bill at herrin.us (William Herrin)
Date: Wed, 25 Jan 2012 17:02:56 -1000
Subject: "Registered ULA" (Was: using ULA for 'hidden' v6 devices?)
In-Reply-To: <4F20AEB2.7030709@unfix.org>
References: <4F20450A.5020106@unfix.org> <4F20968E.5010908@unfix.org> <4F20AEB2.7030709@unfix.org>
Message-ID:

On Wed, Jan 25, 2012 at 3:38 PM, Jeroen Massar wrote:
> On 2012-01-26 02:21 , William Herrin wrote:
>> Should their packets ever leak on to the public
>> Internet, the ULA users want them to fail.
>
> If one does not want packets to get to the Internet then don't connect
> it to the Internet.
Jeroen,

I once worked with an otherwise brilliant gentleman who in his rigid mindset earnestly believed that the correct solution to contingency planning was: don't make mistakes. He gave notice when he figured out that hiring me was the owner's contingency plan.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From aftab.siddiqui at gmail.com Wed Jan 25 23:27:17 2012
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Thu, 26 Jan 2012 10:27:17 +0500
Subject: LX sfp minimum range
In-Reply-To:
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com>
Message-ID:

Theoretically speaking, yes, there should be an issue while using the LX SFP for short range because it may damage the receiver part. But we've been using it for quite a long time within datacenter for rack to rack switch connectivity without harming the SFP or the performance.

Regards,

Aftab A. Siddiqui

On Thu, Jan 26, 2012 at 12:45 AM, Tim Durack wrote:
> On Wed, Jan 25, 2012 at 2:26 PM, jon Heise wrote:
> > we are moving a router between 2 data centers and we only have LX sfp's
> for connection, is there any issue using LX sfp's in a short range
> deployment ?
>
> A Cisco 1000BASE-LX optic has the following spec:
>
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html
>
> -3dBm maximum transmit power, -3dBm maximum receive. That means you
> can run it over any length. (We use LX for everything.)
>
> --
> Tim:>
>
>

From trelane at trelane.net Thu Jan 26 01:43:54 2012
From: trelane at trelane.net (Andrew D Kirch)
Date: Thu, 26 Jan 2012 02:43:54 -0500
Subject: LX sfp minimum range
In-Reply-To:
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com>
Message-ID: <4F21043A.8020200@trelane.net>

I can confirm using LX SFP's for under 100' runs with no problems. Except for the one site that ordered Multi-Mode fiber...
Andrew On 1/26/2012 12:27 AM, Aftab Siddiqui wrote: > Theoretically speaking Yes there should be an issue while using the LX SFP > for short range because it may damage the receiver part. But we've been > using it for quite a long time within datacenter for rack to rack switch > connectivity without harming the SFP or the performance. > > Regards, > > Aftab A. Siddiqui > > > On Thu, Jan 26, 2012 at 12:45 AM, Tim Durack wrote: > >> On Wed, Jan 25, 2012 at 2:26 PM, jon Heise wrote: >>> we are moving a router between 2 data centers and we only have LX sfp's >> for connection, is there any issue using LX sfp's in a short range >> deployment ? >> >> A Cisco 1000BASE-LX optic has the following spec: >> >> >> http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html >> >> -3dBm maximum transmit power, -3dBm maximum receive. That means you >> can run it over any length. (We use LX for everything.) >> >> -- >> Tim:> >> >> From joelja at bogus.com Thu Jan 26 02:03:16 2012 From: joelja at bogus.com (Joel jaeggli) Date: Thu, 26 Jan 2012 00:03:16 -0800 Subject: LX sfp minimum range In-Reply-To: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> Message-ID: <4F2108C4.4020706@bogus.com> vendors that specify a minimum distance for lx typically spec 2 meters. even EX shouldn't spike the receiver at that distance as long as the max RX is about +1. On 1/25/12 11:26 , jon Heise wrote: > we are moving a router between 2 data centers and we only have LX sfp's for connection, is there any issue using LX sfp's in a short range deployment ? 
>

From mohacsi at niif.hu Thu Jan 26 02:18:21 2012
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Thu, 26 Jan 2012 09:18:21 +0100 (CET)
Subject: Choice of address for IPv6 default gateway
In-Reply-To: <4F2014A0.20008@optilian.com>
References: <4F2014A0.20008@optilian.com>
Message-ID:

On Wed, 25 Jan 2012, Daniel STICKNEY wrote:

> I'm having trouble finding authoritative sources on the best common
> practice (if there even is one) for the choice of address for an IPv6
> default gateway in a production server environment (not desktops). For
> example in IPv4 it is common to choose the first or last address in the
> subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested
> in input from production environments and or ARIN/RIPE/IANA/etc or top
> vendors.
>
> I've seen some documentation using ::1 with either a global
> prefix or link-local (fe80::1). Anyone use either of these in production
> and have negative or positive feedback? fe80::1 is seductive because it
> is short and the idea of having the same default gateway configured
> everywhere might be simple. At the same time using the same address all
> around the network seems to invite confusion or problems if two
> interfaces with the address ever ended up in the same broadcast domain.

Up to your taste. In most cases it is recommended to use a link-local default gateway. If you use the same address - even link local - your node should complain about the duplicate address on the same link. You can rely on the autoconfigured link-local address for default gateways (and use RA).

>
> What about using RAs to install the default route on the servers? The
> 'priority' option (high/medium/low) easily fits with an architecture using
> an active/standby router setup where the active router is configured
> with the 'high' priority and the standby 'medium'. With the timeout
> values tuned for relatively rapid (~3 seconds) failover this might be
> feasible. Anyone use this in production?
Yes we are using NUD (and using RA to install default gateway) to switch from primary router to secondary - due to no VRRP support on a particular platform. But in case of RA usage you should also use RA-guard especially if you don't have full control on servers connected to your switches.

>
> I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we
> use VRRP for IPv4, using it for IPv6 would keep our architecture the
> same, which has merit too.

If you want consistent and more predictable behavior use VRRP or maybe HSRP if your vendor supports it.

Best Regards,
Janos Mohacsi

From tias at netnod.se Thu Jan 26 03:16:46 2012
From: tias at netnod.se (Mathias Wolkert)
Date: Thu, 26 Jan 2012 10:16:46 +0100
Subject: Choice of address for IPv6 default gateway
In-Reply-To:
References: <4F2014A0.20008@optilian.com>
Message-ID: <4F2119FE.3020502@netnod.se>

Hi

On 1/25/12 23:53 , Owen DeLong wrote:
[...]
> Note, you can use RA for default gateway while still using static addressing.

Could you give me a little bit more on this?

It seems to me that most platforms stop listening to RAs once you give them a static address.

Letting a host run slaac and then add a static address is not good enough as the slaac address might be chosen for locally generated packets.

If it works with listening on RAs when running with statically configured address, why HSRP/VRRP?

[...]
>
> Owen
>
>

/Tias

From dstickney at optilian.com Thu Jan 26 03:49:06 2012
From: dstickney at optilian.com (Daniel STICKNEY)
Date: Thu, 26 Jan 2012 10:49:06 +0100
Subject: Choice of address for IPv6 default gateway
In-Reply-To:
References: <4F2014A0.20008@optilian.com>
Message-ID: <4F212192.6010107@optilian.com>

Thanks everyone for your input! I now have a more complete perspective on the pros and cons of the options available.
-Daniel

On 26/01/2012 09:18, Mohacsi Janos wrote:
>
>
>
> On Wed, 25 Jan 2012, Daniel STICKNEY wrote:
>
>> I'm having trouble finding authoritative sources on the best common
>> practice (if there even is one) for the choice of address for an IPv6
>> default gateway in a production server environment (not desktops). For
>> example in IPv4 it is common to choose the first or last address in the
>> subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested
>> in input from production environments and or ARIN/RIPE/IANA/etc or top
>> vendors.
>>
>> I've seen some documentation using ::1 with either a global
>> prefix or link-local (fe80::1). Anyone use either of these in production
>> and have negative or positive feedback? fe80::1 is seductive because it
>> is short and the idea of having the same default gateway configured
>> everywhere might be simple. At the same time using the same address all
>> around the network seems to invite confusion or problems if two
>> interfaces with the address ever ended up in the same broadcast domain.
>
> Up to your taste. Most cases it is recommended to use link-local default
> gateway. If you use the same address - even link local - your node should
> complain about the duplicate address on the same link. You can rely on
> the
> autoconfigured link-local address for default gateways (and use RA).
>
>>
>> What about using RAs to install the default route on the servers? The
>> 'priority' option (high/medium/low) easily fits with an architecture using
>> an active/standby router setup where the active router is configured
>> with the 'high' priority and the standby 'medium'. With the timeout
>> values tuned for relatively rapid (~3 seconds) failover this might be
>> feasible. Anyone use this in production?
>
> Yes we are using NUD (and using RA to install default gateway) to switch
> from primary router to secondary - due to no VRRP support on a particular
> platform.
> But in case of RA usage you should also use RA-guard especially
> if you don't have full control on servers connected to your switches.
>
>>
>> I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we
>> use VRRP for IPv4, using it for IPv6 would keep our architecture the
>> same, which has merit too.
>
> If you want consistent and more predictable behavior use VRRP or maybe
> HSRP if your vendor supports it.
> Best Regards,
> Janos Mohacsi
>

From mohacsi at niif.hu Thu Jan 26 03:50:36 2012
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Thu, 26 Jan 2012 10:50:36 +0100 (CET)
Subject: Choice of address for IPv6 default gateway
In-Reply-To: <4F2119FE.3020502@netnod.se>
References: <4F2014A0.20008@optilian.com> <4F2119FE.3020502@netnod.se>
Message-ID:

On Thu, 26 Jan 2012, Mathias Wolkert wrote:

> Hi
>
> On 1/25/12 23:53 , Owen DeLong wrote:
> [...]
>> Note, you can use RA for default gateway while still using static addressing.
>
> Could you give me a little bit more on this?
>
> It seems to me that most platforms stop listening to RAs once you give
> them a static address.

Static address + RA working on FreeBSD and Linux. Sorry we don't have other servers, where we are using statically configured IPv6 addresses.

>
> Letting a host run slaac and then add a static address is not good
> enough as the slaac address might be chosen for locally generated packets.

Define for every application your bind address - locally generated packets will use it. If it is not possible, use RFC 3484 source address selection for selecting static source addresses.

>
> If it works with listening on RAs when running with statically
> configured address, why HSRP/VRRP?

Statically configured default gateways worked for us with VRRP/HSRP. VRRP/HSRP is for first-hop redundancy.

Best Regards,
Janos Mohacsi

From gbonser at seven.com Thu Jan 26 04:00:20 2012
From: gbonser at seven.com (George Bonser)
Date: Thu, 26 Jan 2012 10:00:20 +0000
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com>
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>

> Use different GUA ranges for internal and external. It's easy enough to
> get an additional prefix.
>
>
> As others have mentioned, things like management interfaces on access
> switches, printers, and IP phones would be good candidates to hide with
> ULA.
>
> Or non-advertised, filtered GUA. Works just as well either way.
>
> Owen
>

If one is obtaining "another" prefix for local addressing, I see no benefit. I am assuming that anyone that is using ULA is using it for things that don't communicate off the site such as management interfaces of things, etc. This won't be a subnet you are connecting by VPN to another organization, usually, but even if you do the chance of collision is pretty low if you select your nets properly.

But for the most absolutely paranoid site, I can see some appeal in using ULA in conjunction with DNS64/NAT64 and see them giving the devices internet access via v4. Not that I agree with the notion, mind you, just that I can see someone looking at that as an appealing solution for some things. Even if someone managed to get through the NAT device via v4, they would have nothing to talk to on the other side as the other side is all v6.

From thilo.bangert at gmail.com Thu Jan 26 04:02:18 2012
From: thilo.bangert at gmail.com (Thilo Bangert)
Date: Thu, 26 Jan 2012 11:02:18 +0100
Subject: Populating BGP from Connected or IGP routes
In-Reply-To:
References:
Message-ID: <201201261102.18598.thilo.bangert@gmail.com>

>
> If you're a little bigger and have BGP customers, then I highly recommend
> use of BGP communities to control your outbound route filtering.
> By defining and setting communities on received customer routes, you can turn
> up new BGP customers without having to modify anything beyond the router
> they're connected to. It amazes me that there are large networks still
> not setup this way. "You need an after hours maintenance window to turn
> up a BGP customer?" "Yeah, we have to modify the prefix list filters on
> all our backbone routers." WTF?

What about traffic filtering? You may use RPF for ingress traffic, but what to do about egress? Or does your router write those ACLs based on BGP community?

thanks
Thilo

From tjc at ecs.soton.ac.uk Thu Jan 26 04:41:17 2012
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu, 26 Jan 2012 10:41:17 +0000
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To:
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk>
Message-ID:

So the issue of ULAs has come up in the IETF homenet WG. The homenet WG is considering routing, prefix delegation, security, naming and service discovery.

ULA support is written into RFC6204 (basic IPv6 requirements for CPE routers) so home CPEs should have the capability, and should be able to generate "random" ULA prefixes.

The potential advantage of ULAs is that you have a stable internal addressing scheme within the homenet, while your ISP-assigned prefix may change over time. You run ULAs alongside your PA prefix. ULAs are not used for host-based NAT. The implication is that all homenet devices carry a ULA, though whether some do not also have a global PA address is open for debate.

There's a suggestion that ULAs could be used to assist security to some extent, allowing ULA to ULA communications as they are known to be within the homenet.

The naming and service discovery elements should remove the need to ever manually enter a ULA prefix; thus the temptation to use 0 instead of random bits for the ULA prefix should be reduced (even if the CPE allows it).
Prefix delegation of ULAs within a homenet would be done the same way as for the global PA prefix. There is a proposal (not from within the homenet WG) to use ULAs with NPT66 (RFC6296). That obviously has some architectural implications. Tim From gbonser at seven.com Thu Jan 26 05:10:12 2012 From: gbonser at seven.com (George Bonser) Date: Thu, 26 Jan 2012 11:10:12 +0000 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> > > The potential advantage of ULAs is that you have a stable internal > addressing scheme within the homenet, while your ISP-assigned prefix > may change over time. You run ULAs alongside your PA prefix. ULAs are > not used for host-based NAT. The implication is that all homenet > devices carry a ULA, though whether some do not also have a global PA > address is open for debate. Yeah, there's some advantage to that. Have a "corp.foo.com" domain that is the native domain for the internal machines while the foo.com domain that is visible to the outside world has outside accessible addressing. > There's a suggestion that ULAs could be used to assist security to some > extent, allowing ULA to ULA communications as they are known to be > within the homenet. Not sure how that assists security unless you simply want to limit site-site communications to your ULA ranges only, then sure. In practice, sites often back each other up and you can have external traffic for site A using site B for its internet access, but that's not a big deal, just need to keep your internal and external traffic separated which any good admin will do as a matter of course, anyway. From tjc at ecs.soton.ac.uk Thu Jan 26 05:15:55 2012 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu, 26 Jan 2012 11:15:55 +0000 Subject: using ULA for 'hidden' v6 devices? 
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> Message-ID: On 26 Jan 2012, at 11:10, George Bonser wrote: >> The potential advantage of ULAs is that you have a stable internal >> addressing scheme within the homenet, while your ISP-assigned prefix >> may change over time. You run ULAs alongside your PA prefix. ULAs are >> not used for host-based NAT. The implication is that all homenet >> devices carry a ULA, though whether some do not also have a global PA >> address is open for debate. > > Yeah, there's some advantage to that. Have a "corp.foo.com" domain that is the native domain for the internal machines while the foo.com domain that is visible to the outside world has outside accessible addressing. Perhaps host.local or host.home internally and host.foo.com externally, though the latter could/should work internally as well. >> There's a suggestion that ULAs could be used to assist security to some >> extent, allowing ULA to ULA communications as they are known to be >> within the homenet. > > Not sure how that assists security unless you simply want to limit site-site communications to your ULA ranges only, then sure. In practice, sites often back each other up and you can have external traffic for site A using site B for its internet access, but that's not a big deal, just need to keep your internal and external traffic separated which any good admin will do as a matter of course, anyway. It was a suggestion a previous homenet session, but the security aspect of homenet is lagging rather behind the current focus of routing and prefix delegation. The usefulness of the suggestion does depend on ULA filtering at borders, and defining the borders. I'm interested in views as one of the editors of the homenet architecture text. 
Tim From gbonser at seven.com Thu Jan 26 06:19:07 2012 From: gbonser at seven.com (George Bonser) Date: Thu, 26 Jan 2012 12:19:07 +0000 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C93566@RWC-MBX1.corp.seven.com> > It was a suggestion a previous homenet session, but the security aspect > of homenet is lagging rather behind the current focus of routing and > prefix delegation. The usefulness of the suggestion does depend on ULA > filtering at borders, and defining the borders. > > I'm interested in views as one of the editors of the homenet > architecture text. > > Tim > I filter the entire space at the borders. Besides, if someone leaks the space, most people won't accept it, certainly any provider worth their salt won't. But one of the problems with ULA and the U part. With RFC 1918 everyone is using the same space. So let's say 10 million networks are using 10/8 and 10,000 of them are leaking bits of it. IF their providers accept their leaks and IF their providers' peers accept it, that leaves only 10,000 different places a 10/8 destined packet could go. In other words, 1918 becomes a maze of twisty caverns each one looking the same as the other. The chances of being able to target any specific network is pretty darned low. With ULA and v6, if it leaks and the addresses were chosen properly, the chances of targeting a specific network are much better. I rather like the notion of everyone using the same v6 space for internal stuff and maybe using nat64/dns64 to talk to each other over VPN. That way if the space leaks in only .1% of cases, the chances of a packet ending up at its intended destination is pretty much random and not guaranteed to end up in the same network an hour from now as it is now. 
If you want LA, fine, assign ONE /32 for that and everyone uses it. It's like having a million people named "Bob". If you shout "Bob", there's no guarantee you will be answered by the Bob you intended and 5 minutes from now you might be answered by a completely different Bob.

In other words, you turn leakage into a feature. You make the fact that routes might leak add to the uncertainty by having everyone use the same nets. The more people that leak, the less likely you are to reach an intended destination. V6 ULA makes it MORE likely a leak will result in a security breach because it reduces the chances that two nets will leak the same routes.

From gbonser at seven.com Thu Jan 26 06:28:04 2012
From: gbonser at seven.com (George Bonser)
Date: Thu, 26 Jan 2012 12:28:04 +0000
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C93566@RWC-MBX1.corp.seven.com>
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C93566@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C935A4@RWC-MBX1.corp.seven.com>

> In other words, you turn leakage into a feature. You make the fact
> that routes might leak add to the uncertainty by having everyone use
> the same nets. The more people that leak, the less likely you are to
> reach an intended destination. V6 ULA makes it MORE likely a leak will
> result in a security breach because it reduces the chances that two
> nets will leak the same routes.
>
>

To put it another way, if you mandated that EVERY network announce the entire ULA space, it would make reaching any particular network in a predictable manner impossible.
Just as if every network announced RFC 1918 space and everyone accepted it, it would make that address space completely unusable for anything, particularly if everyone announced it and black holed it. That might even be more effective than filtering it. Everyone on the planet announces a route to 10/8 and everyone black holes it at their peering/transit points. So even if someone forgot to filter it, it wouldn't matter because it would be intercepted long before it ever gets to them or at least the chances of anyone being able to reliably reach them would be just about zero. From rps at maine.edu Thu Jan 26 06:43:07 2012 From: rps at maine.edu (Ray Soucy) Date: Thu, 26 Jan 2012 07:43:07 -0500 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> Message-ID: Local traffic shouldn't need to touch the CPE regardless of ULA or GUA. Also note that we already have the link local scope for traffic between hosts on the same link (which is all hosts in a typical home network); ULA only becomes useful if routing is involved which is not the typical deployment for the home. ULA is useful, on the other hand, if NPT is used. NPT is not NAT, and doesn't have any of the nastiness of NAT. Using NPT to maintain consistent addressing internally would keep things more simple for end-users, and would allow for things like CPE being able to perform flow-based load-balancing between multiple providers (which would fall more in line with the expectations of the SMB and power-user audience). I'm also not sure what the correct answer is to using a randomly generated prefix vs. a predictable prefix for home networks. ULA was an attempt to resolve address overlap for routed private networks in the event of mergers. The majority of home users will never have this concern. 
Having a predictable prefix for home environments (ambiguous local addressing?) might be useful for documentation, troubleshooting, and support.

I think a lot of the question has to do with what the role of CPE will be going forward. As long as we're talking dual-stack, having operational consistency between IPv4 and IPv6 makes sense. If it's an IPv6-only environment, then things become a lot more flexible (do we even need CPE to include a firewall, or do we say host-based firewalls are sufficient, for example).

Glad to see thoughtful consideration is being put into these topics, though. Thank you, Tim.

On Thu, Jan 26, 2012 at 6:15 AM, Tim Chown wrote:
> On 26 Jan 2012, at 11:10, George Bonser wrote:
>
>>> The potential advantage of ULAs is that you have a stable internal
>>> addressing scheme within the homenet, while your ISP-assigned prefix
>>> may change over time. You run ULAs alongside your PA prefix. ULAs are
>>> not used for host-based NAT. The implication is that all homenet
>>> devices carry a ULA, though whether some do not also have a global PA
>>> address is open for debate.
>>
>> Yeah, there's some advantage to that. Have a "corp.foo.com" domain that is the native domain for the internal machines while the foo.com domain that is visible to the outside world has outside accessible addressing.
>
> Perhaps host.local or host.home internally and host.foo.com externally, though the latter could/should work internally as well.
>
>>> There's a suggestion that ULAs could be used to assist security to some
>>> extent, allowing ULA to ULA communications as they are known to be
>>> within the homenet.
>>
>> Not sure how that assists security unless you simply want to limit site-site communications to your ULA ranges only, then sure.
>> In practice, sites often back each other up and you can have external traffic for site A using site B for its internet access, but that's not a big deal, just need to keep your internal and external traffic separated which any good admin will do as a matter of course, anyway.
>
> It was a suggestion at a previous homenet session, but the security aspect of homenet is lagging rather behind the current focus of routing and prefix delegation. The usefulness of the suggestion does depend on ULA filtering at borders, and defining the borders.
>
> I'm interested in views as one of the editors of the homenet architecture text.
>
> Tim
>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From algold at lncc.br Thu Jan 26 06:53:19 2012
From: algold at lncc.br (Alexandre Grojsgold)
Date: Thu, 26 Jan 2012 10:53:19 -0200
Subject: is it -really- global?
In-Reply-To: 
References: 
Message-ID: <4F214CBF.4050300@lncc.br>

On 01/24/2012 03:12 AM, Randy Bush wrote:
> only intl links on which smokeping shows anything is ashburn to tokyo.
> but that only covers us, joburg, linx, tokyo
>

Anything that can explain the 50 ms rtt increase during 1 month by the end of the year?

From trejrco at gmail.com Thu Jan 26 06:57:13 2012
From: trejrco at gmail.com (TJ)
Date: Thu, 26 Jan 2012 07:57:13 -0500
Subject: Choice of address for IPv6 default gateway
In-Reply-To: <4F2119FE.3020502@netnod.se>
References: <4F2014A0.20008@optilian.com> <4F2119FE.3020502@netnod.se>
Message-ID: 

On Thu, Jan 26, 2012 at 04:16, Mathias Wolkert wrote:
>
> Note, you can use RA for default gateway while still using static
> addressing.
>
> Could you give me a little bit more on this?
>

Easy: have the RAs sent w/ a prefix information option included, but w/o the A bit being set.

> It seems to me that most platforms stop listening to RAs once you give
> them a static address.
>

That is (IMHO) a broken implementation.
A static address, or even a statically configured default gateway, should not prevent RAs from being processed.

/TJ

From jeroen at unfix.org Thu Jan 26 07:05:02 2012
From: jeroen at unfix.org (Jeroen Massar)
Date: Thu, 26 Jan 2012 14:05:02 +0100
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com>
Message-ID: <4F214F7E.10106@unfix.org>

On 2012-01-26 13:43 , Ray Soucy wrote:
> Local traffic shouldn't need to touch the CPE regardless of ULA or
> GUA. Also note that we already have the link local scope for traffic
> between hosts on the same link (which is all hosts in a typical home
> network); ULA only becomes useful if routing is involved which is not
> the typical deployment for the home.

Lots of networks today already at home have separated wired and wireless prefixes in the same home... it is getting more and more typical.

The thing is most home-kind-people tend to care that their devices can talk to each other, they do care that those devices talk to the Internet.

> ULA is useful, on the other hand, if NPT is used. NPT is not NAT, and
> doesn't have any of the nastiness of NAT.

The "nastiness of NAT" comes in at least two parts:
 - state in the NAT for tracking incoming/outgoing packets
 - NAT 'helpers': rewriting IP addresses inside packets

the latter is the worse of the two as when a protocol contains IP addresses inside packets, eg like FTP has as the standard NAT example or heck SIP for something more of today, then even with NPT where you just swap out prefixes you will have a need for a helper as that internal prefix is going to be embedded in those packets and will not be available on the $internet for them to connect to.
As such, though the NPT trick sounds nice, it will not work and it is still a NAT and will require helper modules for protocols that embed addresses in their protocol. And those helper modules do squat when the protocol is being crypted end to end, eg using SSL/TLS or even IPSEC.

[..]
> I'm also not sure what the correct answer is to using a randomly
> generated prefix vs. a predictable prefix for home networks. ULA was
> an attempt to resolve address overlap for routed private networks in
> the event of mergers. The majority of home users will never have this
> concern.

I guess you never tried to play a LAN version of a multi-player game with friends that are still at home and then trying to route packets between 192.168.0.0/24 at your own home and at the friend's home, times 4 others in the same segment? Indeed, that is why in ~1996 we were using 10.100.person.0/24 for the 100mbit segment and VPNd people together.

Indeed, that is not a majority (far from ;), but there are definitely cases where this happens.

Also, it is mostly a non-issue, as ULA can be automatically generated and various IPv6-enabled-router/IPv4-NAT boxes already do just that: generate the ULA on bootup and store it in their config for $lifetime. This works like a charm and is the way it was intended to work.

> Having a predictable prefix for home environments (ambiguous
> local addressing?) might be useful for documentation, troubleshooting,
> and support.

Don't let people bother with addresses, they have this wonderful thing called Multicast DNS that gives them a nice router.local hostname etc.
(M-DNS is not something you want to have in a datacenter but for a home network it is pretty nice)

Greets,
 Jeroen

From dstorandt at teljet.com Thu Jan 26 07:47:36 2012
From: dstorandt at teljet.com (David Storandt)
Date: Thu, 26 Jan 2012 08:47:36 -0500
Subject: LX sfp minimum range
In-Reply-To: <4F2108C4.4020706@bogus.com>
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com>
Message-ID: 

You can put a 3dB or 5dB optical pad on the link if the receiver can't handle zero-distance optical power.

On Thu, Jan 26, 2012 at 3:03 AM, Joel jaeggli wrote:
> vendors that specify a minimum distance for lx typically spec 2 meters.
>
> even EX shouldn't spike the receiver at that distance as long as the max
> RX is about +1.
>
> On 1/25/12 11:26 , jon Heise wrote:
>> we are moving a router between 2 data centers and we only have LX sfp's for connection, is there any issue using LX sfp's in a short range deployment ?
>>
>

From owen at delong.com Thu Jan 26 07:48:47 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 05:48:47 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>
Message-ID: 

On Jan 26, 2012, at 2:00 AM, George Bonser wrote:

>> Use different GUA ranges for internal and external. It's easy enough to
>> get an additional prefix.
>>
>>> As others have mentioned, things like management interfaces on access
>> switches, printers, and IP phones would be good candidates to hide with
>> ULA.
>>
>> Or non-advertised, filtered GUA. Works just as well either way.
>>
>> Owen
>>
>
> If one is obtaining "another" prefix for local addressing, I see no benefit.
> I am assuming that anyone that is using ULA is using it for things that don't communicate off the site such as management interfaces of things, etc. This won't be a subnet you are connecting by VPN to another organization, usually, but even if you do the chances of collision are pretty low if you select your nets properly. But for the most absolutely paranoid site, I can see some appeal in using ULA in conjunction with DNS64/NAT64 and see them giving the devices internet access via v4. Not that I agree with the notion, mind you, just that I can see someone looking at that as an appealing solution for some things. Even if someone managed to get through the NAT device via v4, they would have nothing to talk to on the other side as the other side is all v6.
>

Even if you don't see an advantage to GUA, can you point to a disadvantage?

IMHO, it would be far less wasteful of addressing overall to deprecate fc00::/7 and use unique secondary GUA prefixes for this purpose than to use ULA.

If you can't point to some specific advantage of ULA over secondary non-routed GUA prefixes, then, ULA doesn't have a reason to live.

I'm not sure where DNS64/NAT64 comes into play here for v6 to v6 communication. For IPv4, I don't see any advantage in ULA+NAT64 vs. the more reliable and easier RFC-1918 with NAT44 possibilities, even if you have to run multiple RFC-1918 domains to get enough addresses, that will generally be less complicated and break fewer things than a NAT64 implementation.

Owen

From owen at delong.com Thu Jan 26 07:44:20 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 05:44:20 -0800
Subject: Choice of address for IPv6 default gateway
In-Reply-To: 
References: <4F2014A0.20008@optilian.com> <4F2119FE.3020502@netnod.se>
Message-ID: <893E95D0-65EA-44ED-9171-6B0D632FFE00@delong.com>

>>
>> Letting a host run slaac and then add a static address is not good
>> enough as the slaac address might be chosen for locally generated packets.
>>
> Define for every application your bind address - locally generated packets will use it. If it is not possible, use RFC 3484 source address selection for selecting static source addresses.
>

Actually, RFC 3484 would be the preferred mechanism over configuring every application. Application specific address binding should only be used for applications that need an exception to the host-wide source address selection choice.

+ Fewer surprises for your ops team
+ Lower probability of a mistake leading to incorrect source address selection
+ Reduced probability of configuration mistake time-bombs
+ Reduces the amount of configuration required for a host

Owen

From tjc at ecs.soton.ac.uk Thu Jan 26 08:05:05 2012
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu, 26 Jan 2012 14:05:05 +0000
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk>
Message-ID: 

Thanks for the comments Ray, a couple of comments in-line.

On 26 Jan 2012, at 12:43, Ray Soucy wrote:

> Local traffic shouldn't need to touch the CPE regardless of ULA or
> GUA. Also note that we already have the link local scope for traffic
> between hosts on the same link (which is all hosts in a typical home
> network); ULA only becomes useful if routing is involved which is not
> the typical deployment for the home.

The assumption in homenet is that it will become so.

> ULA is useful, on the other hand, if NPT is used. NPT is not NAT, and
> doesn't have any of the nastiness of NAT.

Well, you still have address rewriting, but prefix-based.

> I think a lot of the question has to do with what the role of CPE will
> be going forward. As long as we're talking dual-stack, having
> operational consistency between IPv4 and IPv6 makes sense.
> If it's an
> IPv6-only environment, then things become a lot more flexible (do we
> even need CPE to include a firewall, or do we say host-based firewalls
> are sufficient, for example).

The initial assumption in homenet is a stateful firewall with hosts inside the homenet using PCP or something similar.

Tim

From nanog at maunier.org Thu Jan 26 08:24:01 2012
From: nanog at maunier.org (Pierre-Yves Maunier)
Date: Thu, 26 Jan 2012 15:24:01 +0100
Subject: LX sfp minimum range
In-Reply-To: 
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com>
Message-ID: 

2012/1/26 David Storandt

> You can put a 3dB or 5dB optical pad on the link if the receiver can't
> handle zero-distance optical power.
>

We're using SFP LX for a couple of years even in back to back configuration for equipment within the same rack with a 1 meter patch cord without any problem.

Max TX is -3dBm, Max RX sensitivity is -3dBm so there is no problem.

1. I don't think I've ever had a LX SFP that TX at -3 dBm, they're usually around -5 to -7 dBm.

An example in a live router:

pymaunier at re1.tcr1.rb.par> show interfaces diagnostics optics ge-7/3/* | match "Laser output power "
    Laser output power : 0.3160 mW / -5.00 dBm
    Laser output power : 0.1800 mW / -7.45 dBm
    Laser output power : 0.2600 mW / -5.85 dBm
    Laser output power : 0.3210 mW / -4.93 dBm
    Laser output power : 0.3070 mW / -5.13 dBm
    Laser output power : 0.3200 mW / -4.95 dBm
    Laser output power : 0.3180 mW / -4.98 dBm
    Laser output power : 0.3140 mW / -5.03 dBm

2. You can assume a patch cord adds between 0.2 to 0.5 dB of attenuation so even with a SFP TX at -3dBm, you won't receive at the Max RX sensitivity.

--
Pierre-Yves Maunier

From nanog at jima.tk Thu Jan 26 08:39:58 2012
From: nanog at jima.tk (Jima)
Date: Thu, 26 Jan 2012 07:39:58 -0700 (MST)
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>
Message-ID: <57748.2001:49f0:a057:0:e445:864a:3cd0:5c9a.1327588798.squirrel@laughton.us>

On 2012-01-26, Owen DeLong wrote:
> If you can't point to some specific advantage of ULA over secondary
> non-routed GUA prefixes, then, ULA doesn't have a reason to live.

My biggest concern with secondary non-routed GUA would be source address selection. If you're trying to talk to something in 2000::/3, it's obvious to the OS that it should be using its address in 2000::/3 rather than the one in fc00::/7. When both the "external" and "internal" addresses live in 2000::/3, more care has to be taken to ensure the system DTRT.

> I'm not sure where DNS64/NAT64 comes into play here for v6 to v6
> communication. For IPv4, I don't see any advantage in ULA+NAT64 vs. the
> more reliable and easier RFC-1918 with NAT44 possibilities, even if you
> have to run multiple RFC-1918 domains to get enough addresses, that will
> generally be less complicated and break fewer things than a NAT64
> implementation.

My best guess there is the ability to a) only manage a single-stack network (I really wish more software supported IPv6 so this could be a more feasible reality), and b) use the same NAT64 prefix across various NAT64 instances (64:ff9b::/96 is a blocker if you actually want to allow NAT64 to RFC1918 space). While I can see the potential appeal of the second point, I'm not sure I'd agree with it myself.

     Jima

From cb.list6 at gmail.com Thu Jan 26 09:35:39 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Thu, 26 Jan 2012 07:35:39 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>
Message-ID: 

On Jan 26, 2012 5:49 AM, "Owen DeLong" wrote:
>
>
> On Jan 26, 2012, at 2:00 AM, George Bonser wrote:
>
> >> Use different GUA ranges for internal and external. It's easy enough to
> >> get an additional prefix.
> >>
> >>> As others have mentioned, things like management interfaces on access
> >> switches, printers, and IP phones would be good candidates to hide with
> >> ULA.
> >>
> >> Or non-advertised, filtered GUA. Works just as well either way.
> >>
> >> Owen
> >>
> >
> > If one is obtaining "another" prefix for local addressing, I see no benefit. I am assuming that anyone that is using ULA is using it for things that don't communicate off the site such as management interfaces of things, etc. This won't be a subnet you are connecting by VPN to another organization, usually, but even if you do the chances of collision are pretty low if you select your nets properly. But for the most absolutely paranoid site, I can see some appeal in using ULA in conjunction with DNS64/NAT64 and see them giving the devices internet access via v4. Not that I agree with the notion, mind you, just that I can see someone looking at that as an appealing solution for some things. Even if someone managed to get through the NAT device via v4, they would have nothing to talk to on the other side as the other side is all v6.
> >
>
> Even if you don't see an advantage to GUA, can you point to a disadvantage?
>
> IMHO, it would be far less wasteful of addressing overall to deprecate fc00::/7 and use unique secondary GUA prefixes for this purpose than to use ULA.
>
> If you can't point to some specific advantage of ULA over secondary non-routed GUA prefixes, then, ULA doesn't have a reason to live.
>

1.
You don't want to disclose what addresses you are using on your internal network, including to the rir

2. You require or desire an address plan that your rir may consider wasteful.

3. You don't want to talk to an rir for a variety of personal or business process reasons

4. When troubleshooting both with network engineers familiar with the network as well as tac engineers, seeing the network for the first time, ula sticks out like a sore thumb and can lead to some meaningful and clarifying discussions about the devices and flows.

5. Routes and packets leak. Filtering at the perimeter? Which perimeter? Mistakes happen. Ula provides a reasonable assumption that the ISP will not route the leaked packets. It is one of many possible layers of security and fail-safes.

Cb

> I'm not sure where DNS64/NAT64 comes into play here for v6 to v6 communication. For IPv4, I don't see any advantage in ULA+NAT64 vs. the more reliable and easier RFC-1918 with NAT44 possibilities, even if you have to run multiple RFC-1918 domains to get enough addresses, that will generally be less complicated and break fewer things than a NAT64 implementation.
>
> Owen
>
>

From lowen at pari.edu Thu Jan 26 10:04:32 2012
From: lowen at pari.edu (Lamar Owen)
Date: Thu, 26 Jan 2012 11:04:32 -0500
Subject: DC wiring standards
In-Reply-To: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com>
References: <722D7606-AA61-4AA1-A7B3-B7520CDE73A3@ukbroadband.com>
Message-ID: <201201261104.33057.lowen@pari.edu>

[Digging up an older post; I let a couple of thousand NANOG posts pile up in my NANOG folder]

On Tuesday, January 03, 2012 02:40:39 PM Leigh Porter wrote:
> Does anybody know where I can find standards for DC cabling for -48v systems?

Book Resource that anyone dealing with telecom DC power systems should have on their shelf: "DC Power System Design for Telecommunications" by Whitham D. Reeve, published by Wiley, ISBN (print) 97680471681618 and is available in the Wiley online library.
It is not an inexpensive book, but is written from the point of view of someone with 30 years of practical 'in-the-CO' experience. The various standards for DC distribution are referenced in this volume. If you have access to the Telcordia standards, the relevant standard is referenced in this volume (I left my copy at home, so can't quote the Telcordia standard right now).

Saying all that, the NEC does have covering articles, and a good rule of thumb is to use black or red (or other normal AC 'HOT' color like blue, brown, orange, or yellow) for the ungrounded conductor, white or gray for the grounded conductor, and green, yellow with a green stripe, or bare for the grounding conductor (using the definitions in the NEC for those conductors). (In an AC circuit the grounded conductor is commonly referred to as the 'neutral' for center-tapped or wye systems, but grounded phase three-phase systems (corner-grounded) are known that have no neutral.)

In the typical 'protect the outside plant's lead sheathed buried cable' -48VDC system, the battery/rectifier positive is the grounded conductor and should be white or gray per NEC, with the negative ungrounded conductor being black, red, blue, or other approved NEC ungrounded conductor color (basically anything except an approved color for the grounded or grounding conductors) or using other site-specific and posted identifiers per the relevant NEC article(s).

I'm citing the 2008 edition of the NEC here, even though the 2011 edition is out, simply because I don't have a 2011 edition handy, and I do have a 2008 edition....and article numbers have been known to change between editions....

You can find the requirements for identifying conductors in NEC (2008) articles 250.119 (grounding conductors), 200.6 (grounded conductors), 210.5(C) (branch circuit ungrounded conductors), and 215.12 (feeder ungrounded conductors).
Examples of the colors are found in the Handbook version's exhibit 200.3, and accompanying commentary around that exhibit. (The handbook version of the NEC is worth the extra expense for the exhibits and commentary alone).

Now, having said all that, I have seen common 'in the rack DC rectifiers with no battery' setups with black and red as negative and positive, respectively. And, as long as neither positive nor negative are grounded, that seems to meet NEC. As soon as you ground one conductor, and get into NEC-covered territory, you need to use white or gray (or other 200.6 approved means with the 200.7 exceptions allowed) for the grounded conductor, regardless of polarity.

Hope that helps, and doesn't overwhelm.

From rps at maine.edu Thu Jan 26 10:14:39 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 26 Jan 2012 11:14:39 -0500
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk>
Message-ID: 

Inline

On Thu, Jan 26, 2012 at 9:05 AM, Tim Chown wrote:
> Thanks for the comments Ray, a couple of comments in-line.
>
> On 26 Jan 2012, at 12:43, Ray Soucy wrote:
>
>> Local traffic shouldn't need to touch the CPE regardless of ULA or
>> GUA. Also note that we already have the link local scope for traffic
>> between hosts on the same link (which is all hosts in a typical home
>> network); ULA only becomes useful if routing is involved which is not
>> the typical deployment for the home.
>
> The assumption in homenet is that it will become so.

Does this mean we're also looking at residential allocations larger than a /64 as the norm?

>> ULA is useful, on the other hand, if NPT is used. NPT is not NAT, and
>> doesn't have any of the nastiness of NAT.
>
> Well, you still have address rewriting, but prefix-based.
I think that the port rewriting, and as a consequence not being able to map to specific hosts easily, was the bigger problem with NAT.

As for the comments made by others regarding "helpers" for NAT, there really aren't many that are needed aside from older pre-NAT protocols like H.323 which decided it would be a good idea to use the IP in the packet payload for authentication. Thankfully, over a decade of NAT has helped end this practice.

>> I think a lot of the question has to do with what the role of CPE will
>> be going forward. As long as we're talking dual-stack, having
>> operational consistency between IPv4 and IPv6 makes sense. If it's an
>> IPv6-only environment, then things become a lot more flexible (do we
>> even need CPE to include a firewall, or do we say host-based firewalls
>> are sufficient, for example).
>
> The initial assumption in homenet is a stateful firewall with hosts inside the homenet using PCP or something similar.
>
> Tim

So a CPE device with a stateful firewall that accepts a prefix via DHCPv6-PD and makes use of SLAAC for internal network(s) is the foundation, correct?

Then use a random ULA allocation that exists to route internally (sounds a lot like a site-local scope; which I never understood the reason we abandoned).

I'm just not seeing the value in adding ULA as a requirement unless bundled with NPT for a multi-homed environment, especially if a stateful firewall is already included. If anything, it might slow down adoption due to increased complexity.
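[Editor's added example, not part of Ray's message or of any router vendor's code.] The "random ULA allocation" discussed in this thread is the RFC 4193 procedure (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits become the Global ID under fd00::/8); the block below implements it, carves /64s out of the resulting /48 for the routed homenet case, and applies the fc00::/7 perimeter check that Cameron's point 5 relies on. The MAC address, timestamp, addresses and all function names are constructed for this example.

```python
"""RFC 4193 ULA generation plus a fc00::/7 border check (added example)."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")        # RFC 4193 Unique Local Addresses
ULA_LOCAL_BLOCK = ipaddress.IPv6Network("fd00::/8")  # L bit set: locally assigned


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A): flip the
    universal/local bit of the first octet and insert 0xFFFE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def generate_ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1(NTP time || EUI-64), keep the least
    significant 40 bits as the Global ID, prepend 0xfd -> one /48 per site."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # low 40 bits of the digest
    packed = b"\xfd" + global_id + bytes(10)     # 8 + 40 bits, then 80 zero bits
    return ipaddress.IPv6Network((packed, 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 for one internal link using the 16-bit Subnet ID field."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 0x10000:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    base = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def border_filter(src: str, dst: str) -> str:
    """Perimeter policy: ULA must not cross the site border in either
    direction, so a leaked packet is dropped rather than forwarded."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s in ULA_BLOCK or d in ULA_BLOCK:
        return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed sample inputs: a made-up MAC and a fixed timestamp so the
    # result is reproducible (a real router would use its own MAC and clock).
    site = generate_ula_prefix("00:11:22:33:44:55", 1327588798)
    print("site ULA /48 :", site)
    print("link 1 /64   :", ula_subnet(site, 1))
    print("leak check   :", border_filter(str(ula_subnet(site, 1)[1]), "2001:db8::1"))
```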
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From jra at baylink.com Thu Jan 26 10:29:03 2012
From: jra at baylink.com (Jay Ashworth)
Date: Thu, 26 Jan 2012 11:29:03 -0500 (EST)
Subject: DC wiring standards
In-Reply-To: <201201261104.33057.lowen@pari.edu>
Message-ID: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com>

> "DC Power System Design for Telecommunications" by Whitham D. Reeve,
> published by Wiley, ISBN (print) 97680471681618 and is available in
> the Wiley online library.

Disappointingly, that book does *not* appear to be in Safari, unless you've misremembered the title...

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From owen at delong.com Thu Jan 26 10:41:58 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 08:41:58 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: <57748.2001:49f0:a057:0:e445:864a:3cd0:5c9a.1327588798.squirrel@laughton.us>
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> <57748.2001:49f0:a057:0:e445:864a:3cd0:5c9a.1327588798.squirrel@laughton.us>
Message-ID: <0E87A1C3-17A2-43AD-9395-CD2B359FBD43@delong.com>

On Jan 26, 2012, at 6:39 AM, Jima wrote:

> On 2012-01-26, Owen DeLong wrote:
>> If you can't point to some specific advantage of ULA over secondary
>> non-routed GUA prefixes, then, ULA doesn't have a reason to live.
>
> My biggest concern with secondary non-routed GUA would be source address
> selection. If you're trying to talk to something in 2000::/3, it's
> obvious to the OS that it should be using its address in 2000::/3 rather
> than the one in fc00::/7.
> When both the "external" and "internal"
> addresses live in 2000::/3, more care has to be taken to ensure the
> system DTRT.
>

It's very easy to configure SAS to handle this. Frankly, you have the same challenge with ULA in many scenarios.

>> I'm not sure where DNS64/NAT64 comes into play here for v6 to v6
>> communication. For IPv4, I don't see any advantage in ULA+NAT64 vs. the
>> more reliable and easier RFC-1918 with NAT44 possibilities, even if you
>> have to run multiple RFC-1918 domains to get enough addresses, that will
>> generally be less complicated and break fewer things than a NAT64
>> implementation.
>
> My best guess there is the ability to a) only manage a single-stack
> network (I really wish more software supported IPv6 so this could be a
> more feasible reality), and b) use the same NAT64 prefix across various
> NAT64 instances (64:ff9b::/96 is a blocker if you actually want to allow
> NAT64 to RFC1918 space). While I can see the potential appeal of the
> second point, I'm not sure I'd agree with it myself.
>

But with NAT64, you're supporting both stacks, you just move the problem around. Having done experiments with both methods, I assure you it is a true statement based on experience. NAT64 really offers more problems than it solves, not the least of which is the stateful DNS interaction problem.

Owen

From owen at delong.com Thu Jan 26 10:45:39 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 08:45:39 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com>
Message-ID: <85F65E0D-F83C-4C9D-81E7-EC7A9ED9CB54@delong.com>

On Jan 26, 2012, at 7:35 AM, Cameron Byrne wrote:

>
> On Jan 26, 2012 5:49 AM, "Owen DeLong" wrote:
> >
> >
> > On Jan 26, 2012, at 2:00 AM, George Bonser wrote:
> >
> > >> Use different GUA ranges for internal and external.
> > >> It's easy enough to
> > >> get an additional prefix.
> > >>
> > >>> As others have mentioned, things like management interfaces on access
> > >> switches, printers, and IP phones would be good candidates to hide with
> > >> ULA.
> > >>
> > >> Or non-advertised, filtered GUA. Works just as well either way.
> > >>
> > >> Owen
> > >>
> > >
> > > If one is obtaining "another" prefix for local addressing, I see no benefit. I am assuming that anyone that is using ULA is using it for things that don't communicate off the site such as management interfaces of things, etc. This won't be a subnet you are connecting by VPN to another organization, usually, but even if you do the chances of collision are pretty low if you select your nets properly. But for the most absolutely paranoid site, I can see some appeal in using ULA in conjunction with DNS64/NAT64 and see them giving the devices internet access via v4. Not that I agree with the notion, mind you, just that I can see someone looking at that as an appealing solution for some things. Even if someone managed to get through the NAT device via v4, they would have nothing to talk to on the other side as the other side is all v6.
> > >
> > >
> > > Even if you don't see an advantage to GUA, can you point to a disadvantage?
> >
> > IMHO, it would be far less wasteful of addressing overall to deprecate fc00::/7 and use unique secondary GUA prefixes for this purpose than to use ULA.
> >
> > If you can't point to some specific advantage of ULA over secondary non-routed GUA prefixes, then, ULA doesn't have a reason to live.
> >
>
> 1. You don't want to disclose what addresses you are using on your internal network, including to the rir
>

Seriously?

> 2. You require or desire an address plan that your rir may consider wasteful.
>

Have you looked at current IPv6 policies? It's pretty hard to imagine implementing one.

> 3. You don't want to talk to an rir for a variety of personal or business process reasons
>

Meh.
I have little or no sympathy for this.

> 4. When troubleshooting both with network engineers familiar with the network as well as tac engineers, seeing the network for the first time, ula sticks out like a sore thumb and can lead to some meaningful and clarifying discussions about the devices and flows.
>

I can see this, but, to me it seems like a double edged sword. Most things that stick out like a sore thumb are inflamed and painful. I don't see this as an exception.

> 5. Routes and packets leak. Filtering at the perimeter? Which perimeter? Mistakes happen. Ula provides a reasonable assumption that the ISP will not route the leaked packets. It is one of many possible layers of security and fail-safes.
>

Routes only leak if the routes exist on the border routers in the first place. If I were using multiple GUA prefixes and one was intended not to cross the border, I wouldn't feed it to the border routers to begin with. You can't leak what you don't know.

Owen

From owen at delong.com Thu Jan 26 10:53:28 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 08:53:28 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: 
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk>
Message-ID: <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com>

On Jan 26, 2012, at 8:14 AM, Ray Soucy wrote:

> Inline
>
> On Thu, Jan 26, 2012 at 9:05 AM, Tim Chown wrote:
>> Thanks for the comments Ray, a couple of comments in-line.
>>
>> On 26 Jan 2012, at 12:43, Ray Soucy wrote:
>>
>>> Local traffic shouldn't need to touch the CPE regardless of ULA or
>>> GUA.
>>> Also note that we already have the link local scope for traffic
>>> between hosts on the same link (which is all hosts in a typical home
>>> network); ULA only becomes useful if routing is involved which is not
>>> the typical deployment for the home.
>>
>> The assumption in homenet is that it will become so.
>
> Does this mean we're also looking at residential allocations larger
> than a /64 as the norm?
>

We certainly should be. I still think that /48s for residential is the right answer. My /48 is working quite nicely in my house.

>>> ULA is useful, on the other hand, if NPT is used. NPT is not NAT, and
>>> doesn't have any of the nastiness of NAT.
>>
>> Well, you still have address rewriting, but prefix-based.
>
> I think that the port rewriting, and as a consequence not being able
> to map to specific hosts easily, was the bigger problem with NAT.
>

No, the need for ALGs is the biggest problem with NAT. NPT does not resolve that issue. Yes, port rewriting and other issues are also problematic, but, they are less problematic than the need for ALGs.

> As for the comments made by others regarding "helpers" for NAT, there
> really aren't many that are needed aside from older pre-NAT protocols
> like H.323 which decided it would be a good idea to use the IP in the
> packet payload for authentication. Thankfully, over a decade of NAT
> has helped end this practice.

Yes, it has blocked innovation in protocols that can't easily engineer around NAT. Hopefully we can stop doing that soon.

>
>>> I think a lot of the question has to do with what the role of CPE will
>>> be going forward. As long as we're talking dual-stack, having
>>> operational consistency between IPv4 and IPv6 makes sense. If it's an
>>> IPv6-only environment, then things become a lot more flexible (do we
>>> even need CPE to include a firewall, or do we say host-based firewalls
>>> are sufficient, for example).
>> >> The initial assumption in homenet is a stateful firewall with hosts inside the homenet using PCP or something similar. >> >> Tim > > So a CPE device with a stateful firewall that accepts a prefix via > DHCPv6-PD and makes use of SLAAC for internal network(s) is the > foundation, correct? > I would expect it to be a combination of SLAAC, DHCPv6, and/or DHCPv6-PD. Which combination may be vendor dependent, but, hopefully the norm will include support for downstream routers and possibly chosen address style configuration (allowing the user to pick an address for their host and configure it at the CPE) which would require DHCP support. > Then use a random ULA allocation that exists to route internally > (sounds a lot like a site-local scope; which I never understood the > reason we abandoned). > I can actually see this as a reasonable use of ULA, but, I agree site-local scope would have been a better choice. The maybe-you-can, maybe-you-can't route it nature of ULA is, IMHO, its only advantage over site-local and at the same time the greatest likelihood that it will be misused in a variety of harmful ways, not the least of which is to bring the brain-damage of NAT forward into the IPv6 enterprise. > I'm just not seeing the value in adding ULA as a requirement unless > bundled with NPT for a multi-homed environment, especially if a > stateful firewall is already included. If anything, it might slow > down adoption due to increased complexity. I don't believe it adds visible complexity. I think it should be relatively transparent to the end-user. Basically, you have one prefix for communications within the house (ULA) and another prefix for communications outside. The prefix for external sessions may not be stable (may change periodically for operational or German reasons), but, the internal prefix remains stable and you can depend on it for configuring access to (e.g. printers, etc.). Sure, service discovery (mDNS, et.
al) should obviate the need for most such configuration, but, there will likely always be something that doesn't quite get SD right somehow. Also, the ULA addresses don't mysteriously stop working when your connection to your ISP goes down, so, at least your LAN stuff doesn't die from ISP death. Owen From acv at miniguru.ca Thu Jan 26 11:07:58 2012 From: acv at miniguru.ca (acv) Date: Thu, 26 Jan 2012 12:07:58 -0500 Subject: DC wiring standards In-Reply-To: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> References: <201201261104.33057.lowen@pari.edu> <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> Message-ID: <20120126170758.GA46928@miniguru.ca> On Thu, Jan 26, 2012 at 11:29:03AM -0500, Jay Ashworth wrote: > > Disappointingly, that book does *not* appear to be in Safari, unless you've > misremembered the title... It is on Wiley's online library however: http://onlinelibrary.wiley.com/book/10.1002/0470045035 Alex > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink jra at baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jra at baylink.com Thu Jan 26 11:06:43 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 26 Jan 2012 12:06:43 -0500 (EST) Subject: DC wiring standards In-Reply-To: <20120126170758.GA46928@miniguru.ca> Message-ID: <4665576.6670.1327597603127.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "acv" > On Thu, Jan 26, 2012 at 11:29:03AM -0500, Jay Ashworth wrote: > > Disappointingly, that book does *not* appear to be in Safari, unless > > you've misremembered the title...
> > It is on Wiley's online library however: > > http://onlinelibrary.wiley.com/book/10.1002/0470045035 > A decade ago, Wiley pioneered the online book concept I suspect Tim would be very interested to hear that Wiley thinks that. And I hate to tell Wiley this, but I ain't got $3k laying around right now to subscribe to their service, though I'm sure it's very handy if you're, say, Level(3). Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From dotis at mail-abuse.org Thu Jan 26 11:07:14 2012 From: dotis at mail-abuse.org (Douglas Otis) Date: Thu, 26 Jan 2012 09:07:14 -0800 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> Message-ID: <4F218842.1010800@mail-abuse.org> On 1/26/12 7:35 AM, Cameron Byrne wrote: > 1. You don't want to disclose what addresses you are using on your > internal network, including to the rir > > 2. You require or desire an address plan that your rir may consider > wasteful. > > 3. You don't want to talk to an rir for a variety of personal or > business process reasons > > 4. When troubleshooting both with network engineers familiar with > the network as well as tac engineers, seeing the network for the > first time, ula sticks out like a sore thumb and can lead to some > meaningful and clarifying discussions about the devices and flows. > > 5. Routes and packets leak. Filtering at the perimeter? Which > perimeter? Mistakes happen. Ula provides a reasonable assumption that > the ISP will not route the leaked packets. It is one of many possible > layers of security and fail-safes. 
> > Cb Dear Cameron, For a reference to something taking advantage of ULAs per RFC4193 See: http://tools.ietf.org/html/rfc6281#page-11 Regards, Doug Otis From lowen at pari.edu Thu Jan 26 11:07:19 2012 From: lowen at pari.edu (Lamar Owen) Date: Thu, 26 Jan 2012 12:07:19 -0500 Subject: DC wiring standards In-Reply-To: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> References: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> Message-ID: <201201261207.20160.lowen@pari.edu> On Thursday, January 26, 2012 11:29:03 AM Jay Ashworth wrote: > > 'DC Power System Design for Telecommunications" by Whitham D. Reeve, > > published by Wiley, ISBN (print) 97680471681618 and is available in > > the Wiley online library. > > Disappointingly, that book does *not* appear to be in Safari, unless you've > misremembered the title... It wasn't in Safari when I last checked (last year, right before I canceled my subscription, since I didn't really use Safari like I once had). I looked on the Wiley site for the ISBN and double-checked the title prior to the post. This book is worth its price, even though it's steep. Here's an Amazon link (wraps): http://www.amazon.com/Power-System-Design-Telecommunications-Handbook/dp/047168161X/ $80.95 lowest new copy found. I paid more than that for my copy in 2007. What's interesting here is that this is the third book I've seen on Amazon where the used price is higher than the new; last week I ordered a new paperback copy of 'Pierce's Piano Atlas, 12th Edition' for 30-something dollars, but the used price was like a thousand dollars.... odd. Not that high today, just $118 (versus $37.57 new)... But that's still higher than new (and way OT... sorry). From cb.list6 at gmail.com Thu Jan 26 11:09:53 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Thu, 26 Jan 2012 09:09:53 -0800 Subject: using ULA for 'hidden' v6 devices? 
In-Reply-To: <0E87A1C3-17A2-43AD-9395-CD2B359FBD43@delong.com> References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> <0E87A1C3-17A2-43AD-9395-CD2B359FBD43@delong.com> Message-ID: On Jan 26, 2012 8:44 AM, "Owen DeLong" wrote: > > > On Jan 26, 2012, at 6:39 AM, Jima wrote: > > > On 2012-01-26, Owen DeLong wrote: > >> If you can't point to some specific advantage of ULA over secondary > >> non-routed GUA prefixes, then, ULA doesn't have a reason to live. > > > > My biggest concern with secondary non-routed GUA would be source address > > selection. If you're trying to talk to something in 2000::/3, it's > > obvious to the OS that it should be using its address in 2000::/3 rather > > than the one in fc00::/7. When both the "external" and "internal" > > addresses live in 2000::/3, more care has to be taken to ensure the > > system DTRT. > > > > It's very easy to configure SAS to handle this. Frankly, you have the same challenge with ULA in many scenarios. > > >> I'm not sure where DNS64/NAT64 comes into play here for v6 to v6 > >> communication. For IPv4, I don't see any advantage in ULA+NAT64 vs. the > >> more reliable and easier RFC-1918 with NAT44 possibilities, even if you > >> have to run multiple RFC-1918 domains to get enough addresses, that will > >> generally be less complicated and break fewer things than a NAT64 > >> implementation. > > > > My best guess there is the ability to a) only manage a single-stack > > network (I really wish more software supported IPv6 so this could be a > > more feasible reality), and b) use the same NAT64 prefix across various > > NAT64 instances (64:ff9b::/96 is a blocker if you actually want to allow > > NAT64 to RFC1918 space). While I can see the potential appeal of the > > second point, I'm not sure I'd agree with it myself. 
> > > > But with NAT64, you're supporting both stacks, you just move the problem around. > > Having done experiments with both methods, I assure you it is a true statement based on experience. NAT64 really offers more problems than it solves, not the least of which is the stateful DNS interaction problem. > I have a very different opinion. Nat64/dns64 fits my needs great. Horses for courses. Cb > > Owen > > From cb.list6 at gmail.com Thu Jan 26 11:18:29 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Thu, 26 Jan 2012 09:18:29 -0800 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <85F65E0D-F83C-4C9D-81E7-EC7A9ED9CB54@delong.com> References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> <85F65E0D-F83C-4C9D-81E7-EC7A9ED9CB54@delong.com> Message-ID: On Jan 26, 2012 8:49 AM, "Owen DeLong" wrote: > > > On Jan 26, 2012, at 7:35 AM, Cameron Byrne wrote: > >> >> On Jan 26, 2012 5:49 AM, "Owen DeLong" wrote: >> > >> > >> > On Jan 26, 2012, at 2:00 AM, George Bonser wrote: >> > >> > >> Use different GUA ranges for internal and external. It's easy enough to >> > >> get an additional prefix. >> > >> >> > >>> As others have mentioned, things like management interfaces on access >> > >> switches, printers, and IP phones would be good candidates to hide with >> > >> ULA. >> > >> >> > >> Or non-advertised, filtered GUA. Works just as well either way. >> > >> >> > >> Owen >> > >> >> > > >> > > If one is obtaining "another" prefix for local addressing, I see no benefit. I am assuming that anyone that is using ULA is using it for things that don't communicate off the site such as management interfaces of things, etc. This won't be a subnet you are connecting by VPN to another organization, usually, but even if you do the chances of collision are pretty low if you select your nets properly.
But for the most absolutely paranoid site, I can see some appeal in using ULA in conjunction with DNS64/NAT64 and see them giving the devices internet access via v4. Not that I agree with the notion, mind you, just that I can see someone looking at that as an appealing solution for some things. Even if someone managed to get through the NAT device via v4, they would have nothing to talk to on the other side as the other side is all v6. >> > > >> > >> > Even if you don't see an advantage to GUA, can you point to a disadvantage? >> > >> > IMHO, it would be far less wasteful of addressing overall to deprecate fc00::/7 and use unique secondary GUA prefixes for this purpose than to use ULA. >> > >> > If you can't point to some specific advantage of ULA over secondary non-routed GUA prefixes, then, ULA doesn't have a reason to live. >> > >> >> 1. You don't want to disclose what addresses you are using on your internal network, including to the rir > > Seriously? > Yes. >> 2. You require or desire an address plan that your rir may consider wasteful. > > Have you looked at current IPv6 policies? It's pretty hard to imagine implementing one. > Yes. Think m2m as 1 example >> 3. You don't want to talk to an rir for a variety of personal or business process reasons > > Meh. I have little or no sympathy for this. > Of course. The view from inside the system is different from outside the system. >> 4. When troubleshooting both with network engineers familiar with the network as well as tac engineers, seeing the network for the first time, ula sticks out like a sore thumb and can lead to some meaningful and clarifying discussions about the devices and flows. > > I can see this, but, to me it seems like a double edged sword. Most things that stick out like a sore thumb are inflamed and painful. I don't see this as an exception. > Ymmv >> 5. Routes and packets leak. Filtering at the perimeter? Which perimeter? Mistakes happen. 
Ula provides a reasonable assumption that the ISP will not route the leaked packets. It is one of many possible layers of security and fail-safes. > > Routes only leak if the routes exist on the border routers in the first place. If I were using multiple GUA prefixes and one was intended not to cross the border, I wouldn't feed it to the border routers to begin with. You can't leak what you don't know. > Like many things, we can disagree on this too. Net net, folks need to consider their own requirements. Ula is a tool. If it has a place in your toolbox, great. Cb > Owen > From Valdis.Kletnieks at vt.edu Thu Jan 26 11:24:54 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Thu, 26 Jan 2012 12:24:54 -0500 Subject: DC wiring standards In-Reply-To: Your message of "Thu, 26 Jan 2012 12:07:19 EST." <201201261207.20160.lowen@pari.edu> References: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> <201201261207.20160.lowen@pari.edu> Message-ID: <49926.1327598694@turing-police.cc.vt.edu> On Thu, 26 Jan 2012 12:07:19 EST, Lamar Owen said: > What's interesting here is that this is the third book I've seen on Amazon > where the used price is higher than the new; Off-topic, but this usually happens when the book has a "new" price listed, but is in fact unavailable/out-of-print. So it would be $34.95 if there were new copies to be had.... From jon at smugmug.com Thu Jan 26 11:41:17 2012 From: jon at smugmug.com (Jon Heise) Date: Thu, 26 Jan 2012 09:41:17 -0800 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> Message-ID: Awesome, I got some single mode LC LC fiber off Monoprice, sounds like I should be all set for this.
Thanks for everyone's info - Jon On Thu, Jan 26, 2012 at 6:24 AM, Pierre-Yves Maunier wrote: > 2012/1/26 David Storandt > > > You can put a 3dB or 5dB optical pad on the link if the receiver can't > > handle zero-distance optical power. > > > > We've been using SFP LX for a couple of years even in back to back configuration > for equipment within the same rack with a 1 meter patch cord without any > problem. > > Max TX is -3dBm, Max RX sensitivity is -3dBm so there is no problem. > > 1. I don't think I've ever had an LX SFP that TX at -3 dBm, they're usually > around -5 to -7 dBm. > > An example in a live router: > > pymaunier at re1.tcr1.rb.par> show interfaces diagnostics optics ge-7/3/* | > match "Laser output power " > Laser output power : 0.3160 mW / -5.00 dBm > Laser output power : 0.1800 mW / -7.45 dBm > Laser output power : 0.2600 mW / -5.85 dBm > Laser output power : 0.3210 mW / -4.93 dBm > Laser output power : 0.3070 mW / -5.13 dBm > Laser output power : 0.3200 mW / -4.95 dBm > Laser output power : 0.3180 mW / -4.98 dBm > Laser output power : 0.3140 mW / -5.03 dBm > > 2. You can assume a patch cord adds between 0.2 to 0.5 dB of attenuation so > even with an SFP TX at -3dBm, you won't receive at the Max RX sensitivity.
> > -- > Pierre-Yves Maunier > From shrdlu at deaddrop.org Thu Jan 26 11:49:55 2012 From: shrdlu at deaddrop.org (Lynda) Date: Thu, 26 Jan 2012 09:49:55 -0800 Subject: DC wiring standards In-Reply-To: <49926.1327598694@turing-police.cc.vt.edu> References: <23242570.6664.1327595343107.JavaMail.root@benjamin.baylink.com> <201201261207.20160.lowen@pari.edu> <49926.1327598694@turing-police.cc.vt.edu> Message-ID: <4F219243.8010801@deaddrop.org> On 1/26/2012 9:24 AM, Valdis.Kletnieks at vt.edu wrote: > On Thu, 26 Jan 2012 12:07:19 EST, Lamar Owen said: > >> What's interesting here is that this is the third book I've seen on Amazon >> where the used price is higher than the new; > > Off-topic, but this usually happens when the book has a "new" price listed, but > is in fact unavailable/out-of-print. So it would be $34.95 if there were new copies > to be had.... This is correct. I collect certain old books. For a real shocker, take a look at this slim volume on quantitative analysis and the stock market. http://www.amazon.com/Beat-Market-Scientific-Stock-System/dp/0394424395/ref=sr_1_3?s=books&ie=UTF8&qid=1327599598&sr=1-3 The used copies range from a few hundred to a significant amount, and the collectible ones (including a signed first edition) top out at $2,495.00 (anyone who likes is welcome to purchase that signed first edition and send it to me as a gift). I really wish they would just reissue the book. I'd buy it. It doesn't even need updating (I'd prefer that it wasn't). It could be a celebration of the 35th year since its publication. Sometimes a paper book is better (the wiring book is another excellent example). -- Gambling is tax for people that can't do math. 
Agent X From dholmes at mwdh2o.com Thu Jan 26 12:46:44 2012 From: dholmes at mwdh2o.com (Holmes,David A) Date: Thu, 26 Jan 2012 10:46:44 -0800 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> Message-ID: <922ACC42D498884AA02B3565688AF995340328222D@USEXMBS01.mwd.h2o> I have found that -5dB or -10dB attenuators must be used on the send or receive strands between Cisco LX connected switches at relatively short distances of < 1 km over standard singlemode fiber. Other vendors' SFPs rated up to 25 km do not need attenuators at distances <1 km. -----Original Message----- From: Jon Heise [mailto:jon at smugmug.com] Sent: Thursday, January 26, 2012 9:41 AM To: Pierre-Yves Maunier Cc: nanog at nanog.org Subject: Re: LX sfp minimum range Awesome, I got some single mode LC LC fiber off Monoprice, sounds like I should be all set for this. Thanks for everyone's info - Jon On Thu, Jan 26, 2012 at 6:24 AM, Pierre-Yves Maunier wrote: > 2012/1/26 David Storandt > > > You can put a 3dB or 5dB optical pad on the link if the receiver can't > > handle zero-distance optical power. > > > > We've been using SFP LX for a couple of years even in back to back configuration > for equipment within the same rack with a 1 meter patch cord without any > problem. > > Max TX is -3dBm, Max RX sensitivity is -3dBm so there is no problem. > > 1. I don't think I've ever had an LX SFP that TX at -3 dBm, they're usually > around -5 to -7 dBm.
> > An example in a live router: > > pymaunier at re1.tcr1.rb.par> show interfaces diagnostics optics ge-7/3/* | > match "Laser output power " > Laser output power : 0.3160 mW / -5.00 dBm > Laser output power : 0.1800 mW / -7.45 dBm > Laser output power : 0.2600 mW / -5.85 dBm > Laser output power : 0.3210 mW / -4.93 dBm > Laser output power : 0.3070 mW / -5.13 dBm > Laser output power : 0.3200 mW / -4.95 dBm > Laser output power : 0.3180 mW / -4.98 dBm > Laser output power : 0.3140 mW / -5.03 dBm > > 2. You can assume a patch cord adds between 0.2 to 0.5 dB of attenuation so > even with an SFP TX at -3dBm, you won't receive at the Max RX sensitivity. > > -- > Pierre-Yves Maunier > From gbonser at seven.com Thu Jan 26 13:53:18 2012 From: gbonser at seven.com (George Bonser) Date: Thu, 26 Jan 2012 19:53:18 +0000 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C93B66@RWC-MBX1.corp.seven.com> > Even if you don't see an advantage to GUA, can you point to a > disadvantage? Just a matter of convenience.
If you have a lot of management IPs or some other IP addresses that are never going to need internet access (an array of 10,000 sensors or something) you don't need to dip into your global allocation to address them. If it is routed within the organization but never goes to the Internet, ULA is ok. If it doesn't get routed at all, link local will do fine. It's good to keep in mind that more things than computers with web browsers are going to get an IP address. > IMHO, it would be far less wasteful of addressing overall to deprecate > fc00::/7 and use unique secondary GUA prefixes for this purpose than to > use ULA. Possibly so. I do, however, see some utility in having a block of addresses that can't be reliably routed over the Internet. Heck, for traffic that might get routed within a site between local networks but not routed off the site (even within the organization's network between sites), there's some utility in having each site use the same subnet. That would ensure that traffic destined for that address range doesn't leave the site regardless of any configuration errors someone might make in filtration. > If you can't point to some specific advantage of ULA over secondary > non-routed GUA prefixes, then, ULA doesn't have a reason to live. The only advantage is using an address range that can't be reliably routed over the Internet and that is important in the minds of some. GUA addresses can be reliably routed, that's their purpose. While there is a possibility ULA could possibly be routed over the internet, the cascade of mistakes that it would take for that to happen makes it unlikely. I don't accept ULA routes at my peering/transit routers and I would imagine most other networks are configured the same. In addition, I have the entire block of space static routed to null0 so even if I do get traffic for it (in either direction, in or out), it just goes into the hole. > I'm not sure where DNS64/NAT64 comes into play here for v6 to v6 > communication.
No, I wasn't intending that for v6 to v6. Let's say you have some devices that you want to give ULA but they *will* need Internet access infrequently for something such as software updates or statistics reporting or something. You could arrange to do that using NAT64/DNS64 to a v4 destination. Again, I am not advocating configuring such a thing, it's just a thought experiment where I'm trying to anticipate what some "clever" network might do at some point and the sorts of issues we might run into. For example, there are a lot of places that have policies that mandate certain systems may not use public address space. Those policies were developed by corporate bureaucrats, not engineers. The engineers don't make policy but are tasked to implement policy and there are probably many creative ways in which those policy goals will be met. If they use v6 ULA but infrequently need to reach someone offsite, they might be tempted to use NAT64 to reach it. It isn't so much about providing "security" as it is providing barriers to making unwanted traffic easy to route. If you pick an address range that isn't routable in a predictable fashion, it just adds another barrier of entry. It is like living in a town named "One Way Street". People see signs pointing toward it all over the place but following them leads you no closer to your destination. If you use GUA, one mistake could make something very reliably reachable by the entire world. That scares some people. The consensus should be that the contingency plan be, as someone else mentioned, "don't make mistakes". Well, people make 'em all the time. I would rather get a call from a peer complaining about receiving a ULA route than learning that someone accidentally opened up an important internal FTP site to the world. Let me turn it around. What advantage does GUA give you for a subnet that is never going to communicate outside the organization? Configuring ULA is no more or less difficult than GUA.
> For IPv4, I don't see any advantage in ULA+NAT64 vs. the > more reliable and easier RFC-1918 with NAT44 possibilities, even if you > have to run multiple RFC-1918 domains to get enough addresses, that > will generally be less complicated and break fewer things than a NAT64 > implementation. Agreed. For v4 to v4 that will likely be the case for years. From deric.kwok2000 at gmail.com Thu Jan 26 14:20:51 2012 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Thu, 26 Jan 2012 15:20:51 -0500 Subject: 10G switch recommendation Message-ID: Hi all, I would like to have a 10G switch recommendation. Iperf software can test around 9.2G but we can have congestion over 6G in a single port! Thank you From gbonser at seven.com Thu Jan 26 14:27:07 2012 From: gbonser at seven.com (George Bonser) Date: Thu, 26 Jan 2012 20:27:07 +0000 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> > -----Original Message----- > From: Jon Heise > Sent: Thursday, January 26, 2012 9:41 AM > To: Pierre-Yves Maunier > Cc: nanog at nanog.org > Subject: Re: LX sfp minimum range > > Awesome, I got some single mode LC LC fiber off Monoprice, sounds like > I should be all set for this. Thanks for everyone's info > > - Jon SX can actually be a little more versatile. LX works only over single mode fiber. SX is designed to work over either. As long as you have SX at both ends, you can connect them with either single or multimode fiber as long as the fiber type is consistent over the entire run.
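The source address selection concern Jima raised earlier in the ULA thread (when both the "external" and "internal" prefixes live in 2000::/3 the host has no scope or label difference to go on) and Owen's reply that SAS is easy to configure for this, as an added example that is not from any post in the thread: a small Python model of RFC 6724 rules 6 (prefer matching label) and 8 (longest matching prefix) using the RFC's default policy table, and then the same selection with one site-specific table row of the kind an operator adds through /etc/gai.conf on glibc systems or `netsh interface ipv6 add prefixpolicy` on Windows. The prefixes and hosts are constructed from documentation space, and the label value 14 for the internal-only prefix is an assumption (any label not already in the table works). Rules 1-5 and 7 are deliberately omitted, so this is a model of the two rules the exchange turns on, not a kernel implementation.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

# Constructed site table: the default rows plus one row giving the
# internal-only GUA prefix its own label. Label 14 is an assumption; without
# this row both GUA prefixes fall under ::/0 and share label 1.
INTERNAL_ONLY_PREFIX = "2001:db8:bbbb::/48"
SITE_POLICY = DEFAULT_POLICY + [(INTERNAL_ONLY_PREFIX, 40, 14)]


def policy_label(addr, policy):
    """Label of the longest-matching policy row for addr (RFC 6724 section 2.1)."""
    addr = ipaddress.IPv6Address(addr)
    best_len, best_label = -1, None
    for prefix, _precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, label
    return best_label


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses (RFC 6724 rule 8)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def select_source(destination, candidates, policy=DEFAULT_POLICY):
    """Pick a source for destination using rules 6 and 8 only.

    Rule 6 prefers a candidate whose label equals the destination's label;
    rule 8 then prefers the longest common prefix. On a complete tie the
    first listed candidate wins, which is the arbitrary outcome the thread
    is worried about.
    """
    dest_label = policy_label(destination, policy)

    def rank(candidate):
        return (policy_label(candidate, policy) == dest_label,
                common_prefix_len(candidate, destination))

    return max(candidates, key=rank)


def demo():
    """The thread's cases with constructed documentation-space addresses."""
    internet = "2001:db8:cccc::1"        # some host out on the Internet
    external_src = "2001:db8:aaaa::10"   # from the ISP-routed prefix
    internal_src = "2001:db8:bbbb::10"   # from the non-routed GUA prefix
    ula_src = "fd00:1234:5678::10"       # from a ULA prefix
    return {
        # ULA vs GUA: the default table already separates fc00::/7 by label.
        "ula_or_gua_to_internet": select_source(internet, [ula_src, external_src]),
        "ula_or_gua_to_local": select_source("fd00:1234:5678::1", [external_src, ula_src]),
        # Two GUA prefixes, default table: labels match and the common prefix
        # length ties at 33 bits, so the wrongly listed-first address wins.
        "two_gua_default": select_source(internet, [internal_src, external_src]),
        # Same hosts with the site row: the internal prefix's label no longer
        # matches an Internet destination, so the external address wins, and
        # an internal destination still gets the internal address.
        "two_gua_site_policy": select_source(internet, [internal_src, external_src], SITE_POLICY),
        "two_gua_site_policy_local": select_source("2001:db8:bbbb::1", [external_src, internal_src], SITE_POLICY),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:28s} -> {chosen}")
```

The `two_gua_default` case is the one to look at: with nothing but the default table the two GUA candidates are indistinguishable, and which one a real host picks then depends on rule 7 or on interface ordering rather than on policy. One policy row fixes it on every host that honours the table; on a host that does not (older or embedded stacks), the same pair of prefixes stays ambiguous, which is Jima's point.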
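Cameron's point 5 in the ULA thread (routes and packets leak, so a prefix the ISP will not route is one more fail-safe) and George's description of his edge (reject ULA routes from peers and transit, and null-route the whole block so leaked traffic in either direction is dropped), as an added example that is not from any post: a Python audit of constructed BGP update journal lines against a bogon list and against the internal-only GUA prefixes that Owen's non-routed-GUA approach depends on. The journal format, peer addresses, AS numbers and prefixes are all constructed; 2001:db8::/32 stands in for real GUA space, so the documentation prefix is deliberately left off the bogon list here, and the null-route list for the internal prefixes is an assumption layered on George's ULA-only null0 route.

```python
import ipaddress
import re

# Prefixes a peering/transit edge should neither accept nor announce.
# Constructed list; a production bogon list is longer and is refreshed from
# a feed. 2001:db8::/32 is omitted because the sample uses it as stand-in GUA.
BOGONS = {
    "::/8": "unspecified / IPv4-compatible",
    "fc00::/7": "ULA (RFC 4193), not globally routable",
    "fe80::/10": "link-local",
    "fec0::/10": "site-local (deprecated)",
    "3ffe::/16": "6bone (returned)",
}

# Constructed: GUA prefixes assigned to this site that must never cross the border.
INTERNAL_ONLY = ["2001:db8:bbbb::/48"]

# Constructed journal lines: "<ts> peer <addr> <announce|withdraw> <prefix> as-path <asns>"
SAMPLE_LOG = """\
2012-01-26T17:05:01Z peer 2001:db8:ff::1 announce 2001:db8:cccc::/48 as-path 64500
2012-01-26T17:05:02Z peer 2001:db8:ff::1 announce fd12:3456:789a::/48 as-path 64500 64511
2012-01-26T17:05:03Z peer 2001:db8:ff::2 announce 2001:db8:bbbb::/48 as-path 64501
2012-01-26T17:05:04Z peer 2001:db8:ff::2 announce 2001:db8:bbbb:1::/64 as-path 64501
2012-01-26T17:05:05Z peer 2001:db8:ff::2 announce fe80::/64 as-path 64501
2012-01-26T17:05:06Z peer 2001:db8:ff::1 withdraw fd12:3456:789a::/48 as-path 64500
2012-01-26T17:05:07Z peer 2001:db8:ff::1 announce 2001:db8:cccc:7::/64 as-path 64500
2012-01-26T17:05:08Z peer 2001:db8:ff::1 announce not-a-prefix as-path 64500
2012-01-26T17:05:09Z peer 2001:db8:ff::3 announce 2001:db8:dd00::/40 as-path 64502
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer (?P<peer>\S+) (?P<op>announce|withdraw) "
    r"(?P<prefix>\S+) as-path (?P<path>.*)$"
)


def classify(prefix, internal_only=INTERNAL_ONLY, max_len=48):
    """Return ("accept", "") or ("reject", reason) for one prefix.

    The checks are direction-agnostic: the same list applies to routes
    received from a peer and to routes about to be exported to one, which is
    the "either direction" property George describes. Raises ValueError on
    a string that is not a valid, host-bits-zero IPv6 prefix.
    """
    net = ipaddress.IPv6Network(prefix)
    for bogon, why in BOGONS.items():
        if net.subnet_of(ipaddress.IPv6Network(bogon)):
            return "reject", why
    for internal in internal_only:
        if net.subnet_of(ipaddress.IPv6Network(internal)):
            return "reject", "inside internal-only prefix " + internal
    if net.prefixlen > max_len:          # common edge policy: nothing longer than /48
        return "reject", "longer than /%d" % max_len
    return "accept", ""


def audit(log_text, internal_only=INTERNAL_ONLY):
    """Parse the journal into (peer, op, prefix, verdict, reason) tuples.

    Withdrawals are recorded but never rejected: removing a route is always
    fine. Malformed lines and unparseable prefixes are rejected rather than
    skipped, so a filter bypass cannot hide behind a parse error.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("?", "unparsed", line, "reject", "malformed line"))
            continue
        if m["op"] == "withdraw":
            findings.append((m["peer"], "withdraw", m["prefix"], "accept", ""))
            continue
        try:
            verdict, reason = classify(m["prefix"], internal_only)
        except ValueError:
            verdict, reason = "reject", "unparseable prefix"
        findings.append((m["peer"], "announce", m["prefix"], verdict, reason))
    return findings


def rejected(findings):
    """Just the (prefix, reason) pairs that the edge would refuse."""
    return [(p, why) for _peer, _op, p, verdict, why in findings if verdict == "reject"]


def null_routes(internal_only=INTERNAL_ONLY):
    """Static discard routes to install beside the filters (assumed extension).

    George null-routes fc00::/7; adding the internal-only prefixes means an
    unused chunk of them, or a host that went away, is dropped at the edge
    instead of following the default route toward a peer. Longest-match
    lookup still carries real internal traffic via the more specific routes.
    """
    return sorted({"fc00::/7", *internal_only})


if __name__ == "__main__":
    for peer, op, prefix, verdict, reason in audit(SAMPLE_LOG):
        print(f"{peer:16s} {op:9s} {prefix:24s} {verdict:7s} {reason}")
    print("discard routes:", null_routes())
```

Run against the constructed journal, the ULA /48, both announcements inside the internal-only /48, the link-local /64, the over-long /64 and the garbage prefix are refused, while the /48 and the /40 aggregate from the other peers pass. The internal-only check comes before the length check on purpose: a leaked more-specific of the internal prefix should be reported as a leak, not as a mere prefix-length violation, because those two findings have very different follow-ups.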
From gbonser at seven.com Thu Jan 26 14:36:34 2012 From: gbonser at seven.com (George Bonser) Date: Thu, 26 Jan 2012 20:36:34 +0000 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> , <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C93C06@RWC-MBX1.corp.seven.com> > > I believe you've got that backwards. See Cisco's SFP pages. LX will go > 550m on MM, 10k on SM. (though it doesn't tend to do that well on MM in > my experience. ) I sure did! Thanks for pointing that out. George From basilbaby at gmail.com Thu Jan 26 14:59:10 2012 From: basilbaby at gmail.com (Basil Baby) Date: Thu, 26 Jan 2012 15:59:10 -0500 Subject: volunteer.gov dns admin Message-ID: We tried many ways to get a dns admin for volunteer.gov. If anyone is available in this list, please contact me off the list. Sorry to spam on this list. Thanks, -Basil Baby From rodrick.brown at gmail.com Thu Jan 26 15:02:20 2012 From: rodrick.brown at gmail.com (Rodrick Brown) Date: Thu, 26 Jan 2012 16:02:20 -0500 Subject: 10G switch recommendation In-Reply-To: References: Message-ID: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> http://www.aristanetworks.com/ Sent from my iPhone On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote: > Hi all > > I would like to have a 10G switch recommendation > Iperf software can test around 9.2G but we can have congestion over 6G > in a single port! > > Thank you > From ios.run at gmail.com Thu Jan 26 15:13:10 2012 From: ios.run at gmail.com (Raul Rodriguez) Date: Thu, 26 Jan 2012 21:13:10 +0000 Subject: 10G switch recommendation In-Reply-To: References: Message-ID: Juniper EX4500. -RR On 1/26/12, Deric Kwok wrote: > Hi all > > I would like to have a 10G switch recommendation > Iperf software can test around 9.2G but we can have congestion over 6G > in a single port!
> > Thank you > > From leigh.porter at ukbroadband.com Thu Jan 26 15:18:12 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Thu, 26 Jan 2012 21:18:12 +0000 Subject: 10G switch recommendation In-Reply-To: References: Message-ID: <8B03CD73-D008-46FD-9567-77F8B69D5FC9@ukbroadband.com> Let's see how many vendors you get listed! I would go for Brocade. -- Leigh Porter On 26 Jan 2012, at 20:24, "Deric Kwok" wrote: > Hi all > > I would like to have a 10G switch recommendation > Iperf software can test around 9.2G but we can have congestion over 6G > in a single port! > > Thank you > From jfbeam at gmail.com Thu Jan 26 15:16:20 2012 From: jfbeam at gmail.com (Ricky Beam) Date: Thu, 26 Jan 2012 16:16:20 -0500 Subject: AT&T and IPv6 Launch In-Reply-To: <20120125231807.GE14132@radiological.warningg.com> References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> <20120125231807.GE14132@radiological.warningg.com> Message-ID: On Wed, 25 Jan 2012 18:18:07 -0500, Brandon Ewing wrote: > Pace 4111N > Netgear 7550 B90 > Netgear 6200 A90 > Motorola 3360 Those are the devices for which they will be testing and releasing IPv6 capable firmware. I wouldn't expect the decade old Westel 2100 to ever see IPv6 capability. I use a Cisco router myself (old 1720 + WIC-1ADSL), so I've been IPv6 capable for *years*.
I really doubt AT&T will be doing anything at all to roll IPv6 out to old PPPoE-ATM/ADSL customers. (and there's ZERO chance of upgrading this setup to Uverse PTM/ADSL.) From tayeb.meftah at gmail.com Wed Jan 25 13:41:36 2012 From: tayeb.meftah at gmail.com (Meftah Tayeb) Date: Wed, 25 Jan 2012 21:41:36 +0200 Subject: volunteer.gov dns admin References: Message-ID: <0D4EC170E0E54F758D0F1455030346E1@work> Sorry, that's not spam. ----- Original Message ----- From: "Basil Baby" To: Sent: Thursday, January 26, 2012 10:59 PM Subject: volunteer.gov dns admin > We tried many ways to get a dns admin for volunteer.gov. If anyone is > available in this list, please contact me off the list. > Sorry to spam on this list. > > Thanks, > -Basil Baby From ep at eddieparra.net Thu Jan 26 15:23:00 2012 From: ep at eddieparra.net (Eddie Parra) Date: Thu, 26 Jan 2012 13:23:00 -0800 Subject: 10G switch recommendation In-Reply-To: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> Message-ID: +1 Arista -Eddie On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote: > http://www.aristanetworks.com/ > > Sent from my iPhone > > On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote: > >> Hi all >> >> I would like to have a 10G switch recommendation >> Iperf software can test around 9.2G but we can have congestion over 6G >> in a single port!
>> >> Thank you >> > From mike-nanog at tiedyenetworks.com Thu Jan 26 15:26:06 2012 From: mike-nanog at tiedyenetworks.com (Mike) Date: Thu, 26 Jan 2012 13:26:06 -0800 Subject: Scaled broadband access with pppoe Message-ID: <4F21C4EE.8000508@tiedyenetworks.com> Hi, I am looking for pointers or stories from the field concerning the operational challenges faced by operators of large scale broadband access, particularly those who serve lots of PPPoE. I'm interested in hearing about your pain, what heroics you have had to jump through to get what you wanted, what kinds of things keep you up at night (or let you sleep, your choice). No sales, I'm an operator too and have my own list of pain points and just wanna compare notes is all. Thank you. Mike- From ahobach at cyberlynk.net Thu Jan 26 15:28:49 2012 From: ahobach at cyberlynk.net (Adam Hobach) Date: Thu, 26 Jan 2012 15:28:49 -0600 Subject: Hotmail.com/live.com email admin needed Message-ID: <02e501ccdc71$7ebd4490$7c37cdb0$@cyberlynk.net> I apologize but we are not getting anywhere regarding spam issues with Hotmail.com/live.com through the normal support channels. Can someone from hotmail please contact me off-list? Let me know... Thanks, Adam ------------------------------------------------ Adam Hobach CyberLynk Sales/Support - 414-858-9335 support at cyberlynk.net or sales at cyberlynk.net http://www.CyberLynk.net https://secure.CyberLynk.net ------------------------------------------------ From marka at isc.org Thu Jan 26 15:32:40 2012 From: marka at isc.org (Mark Andrews) Date: Fri, 27 Jan 2012 08:32:40 +1100 Subject: volunteer.gov dns admin In-Reply-To: Your message of "Thu, 26 Jan 2012 15:59:10 CDT." References: Message-ID: <20120126213240.E71541C09B00@drugs.dv.isc.org> In message , Basil Baby writes: > We tried many ways to get a dns admin for volunteer.gov. If anyone > available in this list, please contact me off the list. > Sorry to spam on this list.
> > Thanks, > -Basil Baby I'd say use "whois" but DOTGOV's whois server is a joke. Can all the US citizens on this list please complain to your representatives that DOTGOV is not doing a good job with the whois service. The point of whois is to provide contact details. The current whois service does not do that. Mark % DOTGOV WHOIS Server ready Domain Name: VOLUNTEER.GOV Status: ACTIVE >>> Last update of whois database: Thu, 26 Jan 2012 17:05:19 UTC <<< Please be advised that this whois server only contains information pertaining to the .GOV domain. For information for other domains please use the whois server at RS.INTERNIC.NET. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From lstewart at superb.net Thu Jan 26 15:35:09 2012 From: lstewart at superb.net (Landon Stewart) Date: Thu, 26 Jan 2012 13:35:09 -0800 Subject: Hotmail.com/live.com email admin needed In-Reply-To: <02e501ccdc71$7ebd4490$7c37cdb0$@cyberlynk.net> References: <02e501ccdc71$7ebd4490$7c37cdb0$@cyberlynk.net> Message-ID: Me too please, seriously. We have a blocked /24 but no information on why in SNDS. No response to our postmaster.live.com attempt either. Thank you. On 26 January 2012 13:28, Adam Hobach wrote: > I apologize but we are not getting anywhere regarding spam issues with > Hotmail.com/live.com through the normal support channels. Can someone > from > hotmail please contact me off-list? > > Let me know... 
> > Thanks, > > Adam > > > ------------------------------------------------ > Adam Hobach > CyberLynk Sales/Support - 414-858-9335 > support at cyberlynk.net or sales at cyberlynk.net > http://www.CyberLynk.net > https://secure.CyberLynk.net > ------------------------------------------------ > > > > > > -- Landon Stewart Manager of Systems and Engineering Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net From me at anuragbhatia.com Thu Jan 26 15:39:27 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Fri, 27 Jan 2012 03:09:27 +0530 Subject: mysql.org down? In-Reply-To: References: Message-ID: Yeah down here too. AS8473 (BAHNHOF Bahnhof AB) seems to be having some issue. On Thu, Jan 26, 2012 at 5:26 AM, Ryan Rawdon wrote: > > On Jan 25, 2012, at 6:51 PM, Ingo Flaschberger wrote: > > > Hi, > > > > from my location / Austria, mysql.org seems to be down: > > traceroute to 213.136.52.82 (213.136.52.82), 30 hops max, 40 byte packets > > 7 at-vie-xion-pe01-vl-2061.upc.at (84.116.229.21) 39.009 ms 38.957 > ms 39.001 ms > > 8 at-vie01a-rd1-vl-2050.aorta.net (84.116.228.193) 36.824 ms 35.930 > ms 61.089 ms > > 9 nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.910 ms > > nl-ams05a-rd2-xe-0-0-2.aorta.net (84.116.130.73) 36.573 ms > > nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145) 38.631 ms > > 10 84.116.134.145 (84.116.134.145) 36.539 ms > > 84.116.134.61 (84.116.134.61) 40.418 ms > > 84.116.136.22 (84.116.136.22) 36.507 ms > > 11 ams-ix.ams-cr1.bahnhof.net (195.69.144.99) 38.430 ms 38.473 ms > 42.336 ms > > 12 ams-cr1.cph-cr1.bahnhof.net (46.59.112.26) 42.201 ms 38.980 ms > 36.493 ms > > 13 cph-cr1.mmo-cr1.bahnhof.net (85.24.151.246) 47.877 ms 49.929 ms > 49.882 ms > > 14 mmo-cr1.sto-cr3.bahnhof.net (85.24.151.108) 46.963 ms 46.938 ms > 55.098 ms > > 15 sto-cr1.pio-dr3.bahnhof.net (85.24.151.225) 53.173 ms 52.898 ms > 52.927 ms > > 16 pio-dr3.pio-dr2.bahnhof.net (85.24.151.72) 52.863 ms 51.261 ms > 49.389
ms > > 17 sto-cr1.sto-cr2.bahnhof.net (85.24.151.1) 51.399 ms 46.986 ms > 49.730 ms > > > > Kind regards, > > Ingo Flaschberger > > > > > Routing loop inside bahnhof.net: > > nova-dhcp-host111:~ ryan$ mtr --report mysql.org > HOST: nova-dhcp-host111.u13.net Loss% Snt Last Avg Best Wrst > StDev > 1.|-- vlan11.net5501-a.u13.net 0.0% 10 0.2 0.6 0.2 3.6 > 1.1 > 2.|-- l100.washdc-vfttp-93.veri 0.0% 10 59.6 41.9 6.8 59.6 19.0 > 3.|-- g0-12-4-3.washdc-lcr-21.v 0.0% 10 47.0 40.6 9.0 91.8 28.5 > 4.|-- so-13-1-0-0.lcc2-res-bb-r 0.0% 10 39.3 24.2 5.7 66.9 22.7 > 5.|-- 0.xe-4-1-0.xl3.iad8.alter 0.0% 10 11.4 19.0 4.4 66.0 18.0 > 6.|-- 0.tengige0-4-4-0.gw1.iad8 0.0% 10 8.1 10.4 6.5 25.5 5.5 > | `|-- 152.63.38.246 > | |-- 152.63.35.137 > | |-- 152.63.32.233 > | |-- 152.63.35.141 > 7.|-- teliasonera-gw.customer.a 0.0% 10 110.5 192.7 32.6 377.0 100.0 > 8.|-- nyk-bb1-link.telia.net 0.0% 10 72.6 69.6 22.6 80.9 > 16.7 > 9.|-- kbn-bb1-link.telia.net 0.0% 10 142.7 155.7 136.6 197.3 > 17.3 > 10.|-- kbn-b3-link.telia.net 0.0% 10 153.7 152.8 117.0 195.3 > 18.9 > 11.|-- bahnhof-ic-133084-kbn-b3. 
0.0% 10 164.1 158.8 133.6 168.3 > 9.8 > 12.|-- cph-cr1.mmo-cr1.bahnhof.n 0.0% 10 161.8 157.5 109.1 166.5 > 17.3 > 13.|-- mmo-cr1.sto-cr3.bahnhof.n 0.0% 10 165.8 161.9 159.1 165.8 > 2.2 > 14.|-- sto-cr1.pio-dr3.bahnhof.n 0.0% 10 162.5 161.6 156.4 167.1 > 3.7 > 15.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 163.6 157.0 141.3 163.6 > 5.9 > 16.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 169.9 156.6 118.0 172.7 > 17.7 > 17.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 150.7 142.5 103.6 160.4 > 22.7 > 18.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 123.2 138.3 119.1 191.8 > 24.5 > 19.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 109.4 114.5 102.3 160.6 > 20.4 > 20.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 115.6 121.6 111.6 167.4 > 16.4 > 21.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 101.8 110.1 101.8 145.7 > 12.7 > 22.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 187.1 180.1 114.1 209.4 > 34.3 > 23.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 164.6 156.1 121.2 164.6 > 12.5 > 24.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 171.1 164.6 116.7 176.7 > 17.3 > 25.|-- pio-dr3.pio-dr2.bahnhof.n 0.0% 10 157.1 156.4 133.9 164.4 > 9.9 > 26.|-- sto-cr1.sto-cr2.bahnhof.n 0.0% 10 162.9 160.8 115.8 179.3 > 18.4 > 27.|-- pio-dr3.pio-dr2.bahnhof.n 10.0% 10 111.6 146.3 110.7 165.2 > 21.1 > 28.|-- sto-cr1.sto-cr2.bahnhof.n 10.0% 10 186.9 166.9 118.5 186.9 > 19.1 > 29.|-- pio-dr3.pio-dr2.bahnhof.n 10.0% 10 163.5 160.0 154.7 165.0 > 4.0 > 30.|-- sto-cr1.sto-cr2.bahnhof.n 10.0% 10 182.6 171.5 163.8 182.6 > 6.5 > -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! 
Twitter: @anurag_bhatia Linkedin: http://linkedin.anuragbhatia.com From intensifysecurity at gmail.com Thu Jan 26 16:04:24 2012 From: intensifysecurity at gmail.com (Jeff Hartley) Date: Thu, 26 Jan 2012 17:04:24 -0500 Subject: AT&T and IPv6 Launch In-Reply-To: References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> <20120125231807.GE14132@radiological.warningg.com> Message-ID: Chris Chase gave a good presentation on this subject in ~November. Here's the abstract, quoted from: http://gogonet.gogo6.com/profile/ChrisChase | | Posted by Chris Chase on October 28, 2011 at 5:59pm | | IPv6 service at AT&T. | | AT&T has dual stack service available for its enterprise ISP | service (some speed/feeds/footprint issues are still being | filled out). Fall 2011 AT&T is conducting internal (employee) | trials for IPv6 for AT&T broadband. Expect to see IPv6 for | legacy DSL EOY 2011 and on U-Verse 2Q2012. I will share | our initial plans for deploying IPv6 for broadband using 6rd. (It doesn't appear that any of the presentation videos or decks have been posted to the conference site yet.) From intensifysecurity at gmail.com Thu Jan 26 16:26:24 2012 From: intensifysecurity at gmail.com (Jeff Hartley) Date: Thu, 26 Jan 2012 17:26:24 -0500 Subject: Choice of address for IPv6 default gateway In-Reply-To: <893E95D0-65EA-44ED-9171-6B0D632FFE00@delong.com> References: <4F2014A0.20008@optilian.com> <4F2119FE.3020502@netnod.se> <893E95D0-65EA-44ED-9171-6B0D632FFE00@delong.com> Message-ID: I have sites using "all of the above", and concur with Owen's comment regarding it being a "personal preference" issue. RA route learning simply "works", and I (surprisingly) have not yet had problems where the high/med/low settings were not correctly honored (95% Cent/Deb environments, FWIW). FAIR WARNING: You should tune your advertisement interval, valid lifetime, etc.
to values appropriate to your environment, as most router defaults I've worked with are quite high. The issue of using FE80::1 everywhere (as the virtual IP in your FHRP of choice) is operationally a wash, in terms of perceived complexity from the front lines. Do people give me quizzical expressions the first time they learn/use it? Absolutely. But a small amount of "getting comfortable" with def.gwy subnet =/= the intentionally provisioned subnet is outweighed by the ease of "oh, it's the same everywhere now." FHRPs gaining the use of global prefixes seems to be coming along nicely across product lines, although not yet universally supported. ...and on the front, I'd just as soon use the VRRP virtual MAC + ID formula converted to EUI-64, but the RFC says you're not supposed to. :) From jra at baylink.com Thu Jan 26 16:30:22 2012 From: jra at baylink.com (Jay Ashworth) Date: Thu, 26 Jan 2012 17:30:22 -0500 (EST) Subject: Who is IANA, these days? Message-ID: <29040836.6752.1327617022107.JavaMail.root@benjamin.baylink.com> Specifically, who manages the TCP and UDP port number registries? Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From nanog at maunier.org Thu Jan 26 16:32:56 2012 From: nanog at maunier.org (Pierre-Yves Maunier) Date: Thu, 26 Jan 2012 23:32:56 +0100 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <922ACC42D498884AA02B3565688AF995340328222D@USEXMBS01.mwd.h2o> Message-ID: 2012/1/26 Pierre-Yves Maunier > > > 2012/1/26 Holmes,David A > > I have found that -5dB or -10dB attenuators must be used on the send or >> receive strands between Cisco LX connected switches at relatively short >> distances of < 1 km over standard singlemode fiber. 
>> >> Other Vendors' SFPs rated up to 25 km do not need attenuators at >> distances <1 km. >> > > Cisco standard LX TX between -3dBm and -9dBm > RX sensitivity is from -9dBm to -19dBm > Oops, typo: RX from -3 dBm to -19 dBm -- Pierre-Yves Maunier From nanog at maunier.org Thu Jan 26 16:33:41 2012 From: nanog at maunier.org (Pierre-Yves Maunier) Date: Thu, 26 Jan 2012 23:33:41 +0100 Subject: LX sfp minimum range In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> Message-ID: 2012/1/26 George Bonser > > SX can actually be a little more versatile. LX works only over single > mode fiber. SX is designed to work over either. As long as you have SX at > both ends, you can connect them with either single or multimode fiber as > long as the fiber type is consistent over the entire run. > > > It's the contrary. SX only works on multimode fibre, not on singlemode. LX can work on both. It can happen that SX works on singlemode but it can fail anytime. LX over multimode fibre is documented on Cisco SFP/GBIC datasheets. http://www.cisco.com/en/US/products/hw/modules/ps4999/products_tech_note09186a00807a30d6.shtml Cisco 1000BASE-LX/LH SFP | GLC-LH-SM | SFP-GE-L | Operates on standard single-mode fiber-optic link spans of up to 10 km and up to 550 m on any multimode fibers. -- Pierre-Yves Maunier From leo.vegoda at icann.org Thu Jan 26 16:39:01 2012 From: leo.vegoda at icann.org (Leo Vegoda) Date: Thu, 26 Jan 2012 14:39:01 -0800 Subject: Who is IANA, these days? In-Reply-To: <29040836.6752.1327617022107.JavaMail.root@benjamin.baylink.com> References: <29040836.6752.1327617022107.JavaMail.root@benjamin.baylink.com> Message-ID: <41F6C547EA49EC46B4EE1EB2BC2F34184A95ECFACA@EXVPMBX100-1.exc.icann.org> Hi Jay, Jay Ashworth wrote: > Specifically, who manages the TCP and UDP port number registries? Us.
The registry is here: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml although it loads faster as: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt And you can apply for new registrations and changes using these forms: http://www.iana.org/form/ports-services http://www.iana.org/cgi-bin/mod_portno.pl HTH, Leo From gary.buhrmaster at gmail.com Thu Jan 26 16:48:05 2012 From: gary.buhrmaster at gmail.com (Gary Buhrmaster) Date: Thu, 26 Jan 2012 22:48:05 +0000 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> Message-ID: On Thu, Jan 26, 2012 at 13:47, David Storandt wrote: > You can put a 3dB or 5dB optical pad on the link if the receiver can't > handle zero-distance optical power. As I recall, the problem may not only be the power (which can cause receiver saturation), but the issue that fibre paths shorter than (around) 2-10m do not properly condition the light(*), which can result in some issues at the receiver. Gary (*) My memory says modal distribution issues. While 'single mode' fibre only supports one mode of transmission, it takes a short distance for the fibre to really be single mode. You can use a mode filter to address the problem, or just use fibres that are at least a few meters. From randy at psg.com Thu Jan 26 16:57:01 2012 From: randy at psg.com (Randy Bush) Date: Fri, 27 Jan 2012 07:57:01 +0900 Subject: 10G switchrecommendaton In-Reply-To: References: Message-ID: arista From tmagill at providecommerce.com Thu Jan 26 17:15:53 2012 From: tmagill at providecommerce.com (Thomas Magill) Date: Thu, 26 Jan 2012 23:15:53 +0000 Subject: Akamai/Integra issue? In-Reply-To: References: Message-ID: I worked with Akamai this morning but by the time they got someone to work with me the issue had resolved itself. They didn't know of any cause from their end. All seems fine now though.
-----Original Message----- From: Rubens Kuhl [mailto:rubensk at gmail.com] Sent: Wednesday, January 25, 2012 5:49 PM To: Thomas Magill Cc: nanog at nanog.org Subject: Re: Akamai/Integra issue? May be the attack on Facebook put Akamai into DEFCON 1 ? http://www.readwriteweb.com/archives/anonymous_claims_responsibility_for_facebook_outag.php Rubens On Wed, Jan 25, 2012 at 10:14 PM, Thomas Magill wrote: > This morning we began having issues at one of our sites. Eventually the systems teams tracked it down to some Akamai hosted content. I did some debugs and found that traffic transiting Integra is getting back RST packets for anything at *.akamaiedge.net. I rerouted the known bad hosts through our backup provider and that resolved the issue, but more keep popping up due to DNS changes. Has anyone else had any issues with akamaiedge.net today? > > If an Akamai operator is on please email me offline. > > Thomas Magill > Sr. Network Engineer > Office: (858) 909-3777 > Cell: (858) 869-9685 > mailto:tmagill at providecommerce.com > > provide-commerce > 4840 Eastgate Mall > San Diego, CA 92121 > > ProFlowers | > redENVELOPE | Cherry Moon Farms | Shari's Berries > From web at typo.org Thu Jan 26 17:19:38 2012 From: web at typo.org (Wayne E Bouchard) Date: Thu, 26 Jan 2012 16:19:38 -0700 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> Message-ID: <20120126231938.GA96211@wakko.typo.org> On Thu, Jan 26, 2012 at 10:48:05PM +0000, Gary Buhrmaster wrote: > On Thu, Jan 26, 2012 at 13:47, David Storandt wrote: > > You can put a 3dB or 5dB optical pad on the link if the receiver can't > > handle zero-distance optical power. > > As I recall, the problem may not only be the power > (which can cause receiver saturation), but the issue that > fibre paths shorter than (around) 2-10m do not properly > condition the light(*), which can result in some issues > at the receiver.
> > Gary > > (*) My memory says modal distribution issues. > While 'single mode' fibre only supports one > mode of transmission, it takes a short distance > for the fibre to really be single mode. You can > use a mode filter to address the problem, or just > use fibres that are at least a few meters. When optics started to become scarce at various times, I've done a number of back-to-back connections using SM fiber and have had zero issues. I wouldn't even worry about it. Remember, many carriers won't even touch MM and they aren't chronically reporting issues or going to lengths to work around them. -Wayne --- Wayne Bouchard web at typo.org Network Dude http://www.typo.org/~web/ From paul4004 at gmail.com Thu Jan 26 17:31:08 2012 From: paul4004 at gmail.com (PC) Date: Thu, 26 Jan 2012 16:31:08 -0700 Subject: LX sfp minimum range In-Reply-To: References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> Message-ID: In some enterprise applications, SX is "good enough" for the distances at hand, and SX optics are cheap... On Thu, Jan 26, 2012 at 3:33 PM, Pierre-Yves Maunier wrote: > 2012/1/26 George Bonser > > > > > SX can actually be a little more versatile. LX works only over single > > mode fiber. SX is designed to work over either. As long as you have SX > at > > both ends, you can connect them with either single or multimode fiber as > > long as the fiber type is consistent over the entire run. > > > > > > > It's the contrary. > SX only works on multimode fibre, not on singlemode. > > LX can work on both. > > > It can happen that SX works on singlemode but it can fail anytime. > > LX over multimode fibre is documented on Cisco SFP/GBIC datasheets.
> > > http://www.cisco.com/en/US/products/hw/modules/ps4999/products_tech_note09186a00807a30d6.shtml > > Cisco 1000BASE-LX/LH SFP | GLC-LH-SM | SFP-GE-L | Operates on standard single-mode > fiber-optic link spans of up to 10 km and up to 550 m on any multimode > fibers. > > > -- > Pierre-Yves Maunier > From tjc at ecs.soton.ac.uk Thu Jan 26 17:31:41 2012 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu, 26 Jan 2012 23:31:41 +0000 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com> References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk> <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com> <5CCCFAC0-5442-4946-857F-8695E0CE0902@ecs.soton.ac.uk> Message-ID: On 26 Jan 2012, at 16:53, Owen DeLong wrote: > On Jan 26, 2012, at 8:14 AM, Ray Soucy wrote: > >> Does this mean we're also looking at residential allocations larger >> than a /64 as the norm? >> > > We certainly should be. I still think that /48s for residential is the right answer. > > My /48 is working quite nicely in my house. There seems to be a lot of discussion happening around a /60 or /56. I wouldn't assume a /48 for residential networks, or a static prefix. >> So a CPE device with a stateful firewall that accepts a prefix via >> DHCPv6-PD and makes use of SLAAC for internal network(s) is the >> foundation, correct? > > I would expect it to be a combination of SLAAC, DHCPv6, and/or DHCPv6-PD. Which combination may be vendor dependent, but, hopefully the norm will include support for downstream routers and possibly chosen address style configuration (allowing the user to pick an address for their host and configure it at the CPE) which would require DHCP support. Yes, the assumption is multi-subnet in the homenet, with a method for (efficient) prefix delegation internally.
>> Then use a random ULA allocation that exists to route internally >> (sounds a lot like a site-local scope; which I never understood the >> reason we abandoned). > > I can actually see this as a reasonable use of ULA, but, I agree site-local scope would have been a better choice. The "maybe you can, maybe you can't route it" nature of ULA is, IMHO, its only advantage over site-local and at the same time the greatest likelihood that it will be misused in a variety of harmful ways, not the least of which is to bring the brain-damage of NAT forward into the IPv6 enterprise. Site-locals didn't include the "random" prefix element, thus increasing the chance of collision should two site-local sites communicate. See RFC3879 for the issues. >> I'm just not seeing the value in adding ULA as a requirement unless >> bundled with NPT for a multi-homed environment, especially if a >> stateful firewall is already included. If anything, it might slow >> down adoption due to increased complexity. > > I don't believe it adds visible complexity. I think it should be relatively transparent to the end-user. > > Basically, you have one prefix for communications within the house (ULA) and another prefix for communications outside. The prefix for external sessions may not be stable (may change periodically for operational or German reasons), but, the internal prefix remains stable and you can depend on it for configuring access to (e.g. printers, etc.). > > Sure, service discovery (mDNS, et al.) should obviate the need for most such configuration, but, there will likely always be something that doesn't quite get SD right somehow. > > Also, the ULA addresses don't mysteriously stop working when your connection to your ISP goes down, so, at least your LAN stuff doesn't die from ISP death. Consider also long-lived connections for example. I don't think there's a conclusion as yet in homenet about ULAs, nor will a conclusion prevent people doing as they please if they really want to.
Tim From patrick at ianai.net Thu Jan 26 17:38:22 2012 From: patrick at ianai.net (Patrick W. Gilmore) Date: Thu, 26 Jan 2012 18:38:22 -0500 Subject: Akamai/Integra issue? In-Reply-To: References: Message-ID: Akamai has a 24/7 NOC, noc at akamai.com or +1-617-444-3007. These are published at and other places. Akamai does not watch NANOG-l 24/7. -- TTFN, patrick Composed on a virtual keyboard, please forgive typos. On Jan 26, 2012, at 18:15, Thomas Magill wrote: > I worked with Akamai this morning but by the time they got someone to work with me the issue had resolved itself. They didn't know of any cause from their end. All seems fine now though. > > -----Original Message----- > From: Rubens Kuhl [mailto:rubensk at gmail.com] > Sent: Wednesday, January 25, 2012 5:49 PM > To: Thomas Magill > Cc: nanog at nanog.org > Subject: Re: Akamai/Integra issue? > > May be the attack on Facebook put Akamai into DEFCON 1 ? > http://www.readwriteweb.com/archives/anonymous_claims_responsibility_for_facebook_outag.php > > > Rubens > > > On Wed, Jan 25, 2012 at 10:14 PM, Thomas Magill wrote: >> This morning we began having issues at one of our sites. Eventually the systems teams tracked it down to some Akamai hosted content. I did some debugs and found that traffic transiting Integra is getting back RST packets for anything at *.akamaiedge.net. I rerouted the known bad hosts through our backup provider and that resolved the issue, but more keep popping up due to DNS changes. Has anyone else had any issues with akamaiedge.net today? >> >> If an Akamai operator is on please email me offline. >> >> Thomas Magill >> Sr. 
Network Engineer >> Office: (858) 909-3777 >> Cell: (858) 869-9685 >> mailto:tmagill at providecommerce.com >> >> provide-commerce >> 4840 Eastgate Mall >> San Diego, CA 92121 >> >> ProFlowers | >> redENVELOPE | Cherry Moon Farms | Shari's Berries >> > From james.braunegg at micron21.com Thu Jan 26 19:27:32 2012 From: james.braunegg at micron21.com (James Braunegg) Date: Fri, 27 Jan 2012 01:27:32 +0000 Subject: 10G switchrecommendaton In-Reply-To: References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> Message-ID: Arista sounds interesting, although I never knew of them! How do they compare price-wise / feature-wise to Brocade / Juniper / Force10? That being said my preference is the S4810 - Force10 Kindest Regards James Braunegg W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 E: james.braunegg at micron21.com | ABN: 12 109 977 666 This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer. -----Original Message----- From: Eddie Parra [mailto:ep at eddieparra.net] Sent: Friday, January 27, 2012 8:23 AM To: Rodrick Brown Cc: nanog list Subject: Re: 10G switchrecommendaton +1 Arista -Eddie On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote: > http://www.aristanetworks.com/ > > Sent from my iPhone > > On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote: > >> Hi all >> >> I would like to have 10G switch recommendation. Iperf software can test >> around 9.2G but we can have congestion over 6G in single port!
>> >> Thank you >> > From dholmes at mwdh2o.com Thu Jan 26 19:53:08 2012 From: dholmes at mwdh2o.com (Holmes,David A) Date: Thu, 26 Jan 2012 17:53:08 -0800 Subject: 10G switchrecommendaton In-Reply-To: References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> Message-ID: <922ACC42D498884AA02B3565688AF99534032822D7@USEXMBS01.mwd.h2o> Check out Arista's white papers on low-latency networking, the use of merchant silicon, and queueing theory applied to serialization delay. -----Original Message----- From: James Braunegg [mailto:james.braunegg at micron21.com] Sent: Thursday, January 26, 2012 5:28 PM To: Eddie Parra; Rodrick Brown Cc: nanog list Subject: RE: 10G switchrecommendaton Arista sounds interesting, although I never knew of them! How do they compare price-wise / feature-wise to Brocade / Juniper / Force10? That being said my preference is the S4810 - Force10 Kindest Regards James Braunegg W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 E: james.braunegg at micron21.com | ABN: 12 109 977 666 -----Original Message----- From: Eddie Parra [mailto:ep at eddieparra.net] Sent: Friday, January 27, 2012 8:23 AM To: Rodrick Brown Cc: nanog list Subject: Re: 10G switchrecommendaton +1 Arista -Eddie On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote: > http://www.aristanetworks.com/ > > Sent from my iPhone > > On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote: > >> Hi all >> >> I would like to have 10G switch recommendation. Iperf software can test >> around 9.2G but we can have congestion over 6G in single port!
>> >> Thank you >> > This communication, together with any attachments or embedded links, is for the sole use of the intended recipient(s) and may contain information that is confidential or legally protected. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, dissemination, distribution or use of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by return e-mail message and delete the original and all copies of the communication, along with any attachments or embedded links, from your system. From cra at WPI.EDU Thu Jan 26 19:58:42 2012 From: cra at WPI.EDU (Chuck Anderson) Date: Thu, 26 Jan 2012 20:58:42 -0500 Subject: using ULA for 'hidden' v6 devices? In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C93B66@RWC-MBX1.corp.seven.com> References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93B66@RWC-MBX1.corp.seven.com> Message-ID: <20120127015842.GH6332@angus.ind.WPI.EDU> On Thu, Jan 26, 2012 at 07:53:18PM +0000, George Bonser wrote: > > Even if you don't see an advantage to GUA, can you point to a > > disadvantage? > > Just a matter of convenience. If you have a lot of management IPs or some other IP addresses that are never going to need internet access (an array of 10,000 sensors or something) you don't need to dip into your global allocation to address them. If it is routed within the organization but never goes to the Internet, ULA is ok. If it doesn't get routed at all, link local will do fine. It's good to keep in mind that more things than computers with web browsers are going to get an IP address. Link-local won't do fine in many cases due to poor application compatibility with address scopes.
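Two points in this thread lend themselves to a worked illustration: the "random" prefix element that Tim Chown notes ULA has and site-local lacked, and the address-scope handling that Chuck Anderson and George Bonser disagree about for link-local. The Python below is an added example written for this page, not code from the thread or from any of the posters. It implements the RFC 4193 section 3.2.2 derivation of a locally assigned ULA /48 (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID) and a small scope classifier that flags a link-local literal arriving without a zone index. The MAC address it feeds in is a constructed sample from the IANA documentation range; nothing here is tied to any site in the thread.

```python
"""Added example, not from the thread: RFC 4193 ULA prefix generation and
IPv6 address-scope classification for application-side checks."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional, Tuple

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")        # fc00::/7 with the L bit set
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def mac_to_eui64(mac: str) -> bytes:
    """Build a modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 bytes")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ula_prefix(eui64: bytes, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """Derive a locally assigned ULA /48 per RFC 4193 section 3.2.2.

    The 40-bit Global ID is the low 40 bits of SHA-1(ntp_time || eui64).
    ntp_time defaults to the current 64-bit NTP timestamp; a fixed value
    makes the result reproducible, which a real generator never wants.
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        now = time.time()
        secs = int(now) + 2208988800           # seconds since the 1900 NTP epoch
        frac = int((now - int(now)) * (1 << 32))
        ntp_time = (secs << 32) | frac
    key = struct.pack(">Q", ntp_time & 0xFFFFFFFFFFFFFFFF) + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    prefix_int = (0xFD << 120) | (global_id << 80)  # fd00::/8 + Global ID = /48
    return ipaddress.IPv6Network((prefix_int, 48))


def split_zone(literal: str) -> Tuple[ipaddress.IPv6Address, Optional[str]]:
    """Separate an optional '%zone' index (e.g. 'fe80::1%eth0') from the address."""
    addr, _, zone = literal.partition("%")
    return ipaddress.IPv6Address(addr), (zone or None)


def scope_of(literal: str) -> str:
    """Classify an IPv6 literal: loopback, multicast, link-local, unique-local, global."""
    addr, _ = split_zone(literal)
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def needs_zone_index(literal: str) -> bool:
    """True when a link-local literal arrives without a zone index: the 128
    address bits alone do not say which interface to send on, which is the
    extra state an application must carry around for link-local peers."""
    addr, zone = split_zone(literal)
    return addr.is_link_local and zone is None


if __name__ == "__main__":
    # Constructed sample: a MAC from the IANA documentation range (RFC 7042).
    eui = mac_to_eui64("00:00:5e:00:53:01")
    print("EUI-64:", eui.hex())
    print("ULA /48:", ula_prefix(eui))
    for lit in ("fe80::1", "fe80::1%eth0", "fd12:3456:789a::1", "2001:db8::1", "ff02::1"):
        print(f"{lit:20} {scope_of(lit):12} zone needed: {needs_zone_index(lit)}")
```

The timestamp input is what makes two independently generated ULA prefixes unlikely to collide when the sites are later joined, which is exactly the property site-local never had. The `needs_zone_index()` check is the one an application has to perform before it can use a link-local peer at all: a global or ULA address is routable by itself, a link-local one is only meaningful together with the interface it was learned on.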
From tsands at rackspace.com Thu Jan 26 20:02:58 2012 From: tsands at rackspace.com (Tom Sands) Date: Fri, 27 Jan 2012 02:02:58 +0000 Subject: 10G switchrecommendaton In-Reply-To: References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> , Message-ID: <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP> Arista is good but depends on the application. They have some of the most Jr code but they are coming along with features fast. We've chosen them for several applications when compared to Brocade, Cisco, Extreme, and Blade. Their pricing is on par with the others. ________________________________________ From: James Braunegg [james.braunegg at micron21.com] Sent: Thursday, January 26, 2012 7:27 PM To: Eddie Parra; Rodrick Brown Cc: nanog list Subject: RE: 10G switchrecommendaton Arista sounds interesting, although I never knew of them! How do they compare price-wise / feature-wise to Brocade / Juniper / Force10? That being said my preference is the S4810 - Force10 Kindest Regards James Braunegg W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 E: james.braunegg at micron21.com | ABN: 12 109 977 666
-----Original Message-----
From: Eddie Parra [mailto:ep at eddieparra.net]
Sent: Friday, January 27, 2012 8:23 AM
To: Rodrick Brown
Cc: nanog list
Subject: Re: 10G switchrecommendaton

+1 Arista

-Eddie

On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote:

> http://www.aristanetworks.com/
>
> Sent from my iPhone
>
> On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote:
>
>> Hi all
>>
>> I would like to have 10G switchrecommendaton Iperf software can test
>> around 9.2G but we can have congestion over 6G in single port!
>>
>> Thank you
>>
>

From Curtis.Starnes at granburyisd.org Thu Jan 26 20:49:40 2012
From: Curtis.Starnes at granburyisd.org (STARNES, CURTIS)
Date: Thu, 26 Jan 2012 20:49:40 -0600
Subject: AT&T and IPv6 Launch
In-Reply-To:
References: <6CADAFC3-A4AF-420D-91B0-854EE35A7A98@puck.nether.net> <7A66826C-489D-41B8-810F-88EBEE7B7856@puck.nether.net> <20120125231807.GE14132@radiological.warningg.com>
Message-ID:

-----Original Message-----
From: Jeff Hartley [mailto:intensifysecurity at gmail.com]
Sent: Thursday, January 26, 2012 4:04 PM
To: NANOG list
Subject: Re: AT&T and IPv6 Launch

Chris Chase gave a good presentation on this subject in ~November. Here's the abstract, quoted from: http://gogonet.gogo6.com/profile/ChrisChase

| Posted by Chris Chase on October 28, 2011 at 5:59pm
|
| IPv6 service at AT&T.
|
| AT&T has dual stack service available for its enterprise ISP
| service (some speed/feeds/footprint issues are still being
| filled out). Fall 2011 AT&T is conducting internal (employee)
| trials for IPv6 for AT&T broadband. Expect to see IPv6 for
| legacy DSL EOY 2011 and on U-Verse 2Q2012. I will share
| our initial plans for deploying IPv6 for broadband using 6rd.

As an "Enterprise" AT&T customer, I get real tired of hearing that AT&T has dual stack services available for its enterprise customers. This simply is not true in all cases. Try getting a dual stack feed on a "switched Ethernet" circuit!
I was first told spring of 2011, then fall of 2011, and now maybe in the 4th quarter of 2012! If you request it and your technical rep is savvy enough, they can get you set up with an AT&T tunnel broker. As an Uverse customer, the last time I talked to them the only response I received was "IPv-what"?

Oh well,
Curtis

From marka at isc.org Thu Jan 26 21:11:33 2012
From: marka at isc.org (Mark Andrews)
Date: Fri, 27 Jan 2012 14:11:33 +1100
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: Your message of "Thu, 26 Jan 2012 20:58:42 CDT." <20120127015842.GH6332@angus.ind.WPI.EDU>
References: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu> <168C9CFC-60E3-4947-999A-15334E07BFB0@delong.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93432@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93B66@RWC-MBX1.corp.seven.com> <20120127015842.GH6332@angus.ind.WPI.EDU>
Message-ID: <20120127031133.E94471C1D65B@drugs.dv.isc.org>

In message <20120127015842.GH6332 at angus.ind.WPI.EDU>, Chuck Anderson writes:
> On Thu, Jan 26, 2012 at 07:53:18PM +0000, George Bonser wrote:
> > > Even if you don't see an advantage to GUA, can you point to a
> > > disadvantage?
> >
> > Just a matter of convenience. If you have a lot of management IPs or some
> > other IP addresses that are never going to need internet access (an array of
> > 10,000 sensors or something) you don't need to dip into your global allocation
> > to address them. If it is routed within the organization but never goes to
> > the Internet, ULA is ok. If it doesn't get routed at all, link local will do
> > fine. It's good to keep in mind that more things than computers with web
> > browsers are going to get an IP address.
>
> Link-local won't do fine in many cases due to poor application
> compatibility with address scopes.

Link local is a right royal pain for applications. The DNS does not support it. It requires passing around 150 bits of address information instead of 128.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: marka at isc.org

From owen at delong.com Thu Jan 26 21:47:15 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 26 Jan 2012 19:47:15 -0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To:
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk> <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com> <5CCCFAC0-5442-4946-857F-8695E0CE0902@ecs.soton.ac.uk>
Message-ID: <7DC30DBC-AC6B-4B70-B65B-3999850B50BD@delong.com>

On Jan 26, 2012, at 3:31 PM, Tim Chown wrote:

>
> On 26 Jan 2012, at 16:53, Owen DeLong wrote:
>
>> On Jan 26, 2012, at 8:14 AM, Ray Soucy wrote:
>>
>>> Does this mean we're also looking at residential allocations larger
>>> than a /64 as the norm?
>>>
>>
>> We certainly should be. I still think that /48s for residential is the right answer.
>>
>> My /48 is working quite nicely in my house.
>
> There seems to be a lot of discussion happening around a /60 or /56. I wouldn't assume a /48 for residential networks, or a static prefix.
>

I wouldn't assume anything. That doesn't change the fact that it is, really, the best thing to do.

>>> So a CPE device with a stateful firewall that accepts a prefix via
>>> DHCPv6-PD and makes use of SLAAC for internal network(s) is the
>>> foundation, correct?
>>
>> I would expect it to be a combination of SLAAC, DHCPv6, and/or DHCPv6-PD. Which combination may be vendor dependent, but, hopefully the norm will include support for downstream routers and possibly chosen address style configuration (allowing the user to pick an address for their host and configure it at the CPE) which would require DHCP support.
>
> Yes, the assumption is multi-subnet in the homenet, with a method for (efficient) prefix delegation internally.
>

Where the definition of (efficient) is highly flexible and almost certainly does not refer to bit conservation.

>>> Then use a random ULA allocation that exists to route internally
>>> (sounds a lot like a site-local scope; which I never understood the
>>> reason we abandoned).
>>
>> I can actually see this as a reasonable use of ULA, but, I agree site-local scope would have been a better choice. The maybe-you-can, maybe-you-can't route it nature of ULA is, IMHO, its only advantage over site-local and at the same time the greatest likelihood that it will be misused in a variety of harmful ways, not the least of which is to bring the brain-damage of NAT forward into the IPv6 enterprise.
>
> Site-locals didn't include the "random" prefix element, thus increasing the chance of collision should two site-local sites communicate. See RFC3879 for the issues.
>

True, but, it would have been easy enough to correct that or provide registered site-specific site local addressing if that was desired.

>>> I'm just not seeing the value in adding ULA as a requirement unless
>>> bundled with NPT for a multi-homed environment, especially if a
>>> stateful firewall is already included. If anything, it might slow
>>> down adoption due to increased complexity.
>>
>> I don't believe it adds visible complexity. I think it should be relatively transparent to the end-user.
>>
>> Basically, you have one prefix for communications within the house (ULA) and another prefix for communications outside. The prefix for external sessions may not be stable (may change periodically for operational or German reasons), but, the internal prefix remains stable and you can depend on it for configuring access to (e.g. printers, etc.).
>>
>> Sure, service discovery (mDNS, et. al) should obviate the need for most such configuration, but, there will likely always be something that doesn't quite get SD right somehow.
>>
>> Also, the ULA addresses don't mysteriously stop working when your connection to your ISP goes down, so, at least your LAN stuff doesn't die from ISP death.
>
> Consider also long-lived connections for example.
>

Long lived connections are still doomed unless you go to the complexity of BGP-based multihoming, LISP, or something similar to one of those two. Personally, I use BGP multihoming for my home and it's working pretty well. YMMV.

> I don't think there's a conclusion as yet in homenet about ULAs, nor will a conclusion prevent people doing as they please if they really want to.
>

Sad, but true.

Owen

From Valdis.Kletnieks at vt.edu Thu Jan 26 21:55:02 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Thu, 26 Jan 2012 22:55:02 -0500
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: Your message of "Thu, 26 Jan 2012 19:47:15 PST." <7DC30DBC-AC6B-4B70-B65B-3999850B50BD@delong.com>
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk> <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com> <5CCCFAC0-5442-4946-857F-8695E0CE0902@ecs.soton.ac.uk> <7DC30DBC-AC6B-4B70-B65B-3999850B50BD@delong.com>
Message-ID: <7852.1327636502@turing-police.cc.vt.edu>

On Thu, 26 Jan 2012 19:47:15 PST, Owen DeLong said:
> Where the definition of (efficient) is highly flexible and almost
> certainly does not refer to bit conservation.

There's a reason we put 128 bits in there. :)
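The scope problem Chuck Anderson and Mark Andrews raise above (a link-local address is unusable without an interface zone, and a bare 128-bit field such as a DNS AAAA record cannot carry one) and the ULA-for-internal-only use George Bonser and Owen DeLong discuss, as an added example that is not code from the list or from any vendor: it classifies IPv6 addresses by scope, refuses a link-local address that has no zone, builds the AF_INET6 sockaddr the zone lands in, and applies a constructed management-plane policy that admits only ULA peers. The policy, the interface names and the sample peer list are assumptions.

```python
"""Added example: IPv6 address-scope handling for an internal (management) network.

Scope prefixes follow the IANA IPv6 special-purpose registry; the policy,
interface names and sample peers below are constructed for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# The three scopes discussed in the thread.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


@dataclass(frozen=True)
class ScopedAddress:
    address: ipaddress.IPv6Address
    zone: Optional[str]   # interface name or index; only meaningful for link-local
    scope: str            # "link-local", "unique-local", "global", "loopback", "other"


def classify(addr: ipaddress.IPv6Address) -> str:
    """Map an address to the scope names used in the thread."""
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_scoped(text: str) -> ScopedAddress:
    """Parse 'addr' or 'addr%zone' and check the zone against the scope.

    fe80::1 may exist on every link, so without a zone the kernel cannot pick
    an interface to send on. That extra information is what a plain 128-bit
    field (DNS AAAA records, most config files) cannot carry, which is the
    application problem the thread complains about.
    """
    addr_text, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)  # ValueError on malformed input
    scope = classify(addr)
    if scope == "link-local" and not zone:
        raise ValueError(f"{addr_text}: link-local address needs a zone, e.g. {addr_text}%eth0")
    if scope != "link-local" and zone:
        raise ValueError(f"{text}: a zone only makes sense on a link-local address")
    return ScopedAddress(addr, zone or None, scope)


def to_sockaddr(sa: ScopedAddress, port: int) -> Tuple[str, int, int, int]:
    """Build the AF_INET6 sockaddr (host, port, flowinfo, scope_id).

    Numeric zones are used as-is; interface names go through
    socket.if_nametoindex, so the interface must exist on this host.
    """
    scope_id = 0
    if sa.zone is not None:
        scope_id = int(sa.zone) if sa.zone.isdigit() else socket.if_nametoindex(sa.zone)
    return (str(sa.address), port, 0, scope_id)


# Constructed policy: management plane reachable only from ULA space
# ("routed within the organization but never goes to the Internet").
MANAGEMENT_SCOPES = ("unique-local",)


def management_verdict(text: str, allowed=MANAGEMENT_SCOPES) -> str:
    """Return 'allow' or 'reject: <reason>' for one candidate peer address."""
    try:
        sa = parse_scoped(text)
    except ValueError as exc:
        return f"reject: {exc}"
    if sa.scope in allowed:
        return "allow"
    return f"reject: {sa.scope} scope not permitted"


# Constructed sample of peer addresses as they might appear in a device log.
SAMPLE_PEERS = [
    "fd12:3456:789a::10",   # ULA: the intended management network
    "2001:db8::1",          # global: must never reach the management plane
    "fe80::1",              # link-local without a zone: unusable as written
    "fe80::1%3",            # link-local with a numeric zone (interface index 3)
    "::1",                  # loopback
    "not-an-address",       # garbage from a broken log line
]


def audit(peers) -> dict:
    """Evaluate every peer once; returns {address_text: verdict}."""
    return {p: management_verdict(p) for p in peers}


if __name__ == "__main__":
    for peer, verdict in audit(SAMPLE_PEERS).items():
        print(f"{peer:24} {verdict}")
    print(to_sockaddr(parse_scoped("fe80::1%3"), 22))
```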
From gbonser at seven.com Thu Jan 26 22:40:02 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 04:40:02 +0000
Subject: 10G switchrecommendaton
In-Reply-To:
References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C9413F@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: Eddie Parra
> Sent: Thursday, January 26, 2012 1:23 PM
> To: Rodrick Brown
> Cc: nanog list
> Subject: Re: 10G switchrecommendaton
>
> +1 Arista
>
> -Eddie

Good gear, I have some deployed with good results. I have some Brocade TurboIrons, too. Depends on what features you need.

From rodrick.brown at gmail.com Thu Jan 26 22:40:24 2012
From: rodrick.brown at gmail.com (Rodrick Brown)
Date: Thu, 26 Jan 2012 23:40:24 -0500
Subject: 10G switchrecommendaton
In-Reply-To: <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP>
References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP>
Message-ID: <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com>

Not to mention Arista's cli runs a busybox Linux inside!

Sent from my iPhone

On Jan 26, 2012, at 9:02 PM, Tom Sands wrote:

> Arista is good but depends on the application. They have some of the most Jr code but they are coming along with features fast. We've chosen them for several applications when compared to Brocade, Cisco, Extreme, and Blade. Their pricing is on par with the others.
>
> ________________________________________
> From: James Braunegg [james.braunegg at micron21.com]
> Sent: Thursday, January 26, 2012 7:27 PM
> To: Eddie Parra; Rodrick Brown
> Cc: nanog list
> Subject: RE: 10G switchrecommendaton
>
> Arista sounds interesting, although never knew of them !
>
> How do they compare price wise / feature wise to Brocade / Juniper / Force10 ?
>
> That being said my preference is the S4810 - Force10
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
> -----Original Message-----
> From: Eddie Parra [mailto:ep at eddieparra.net]
> Sent: Friday, January 27, 2012 8:23 AM
> To: Rodrick Brown
> Cc: nanog list
> Subject: Re: 10G switchrecommendaton
>
> +1 Arista
>
> -Eddie
>
> On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote:
>
>> http://www.aristanetworks.com/
>>
>> Sent from my iPhone
>>
>> On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote:
>>
>>> Hi all
>>>
>>> I would like to have 10G switchrecommendaton Iperf software can test
>>> around 9.2G but we can have congestion over 6G in single port!
>>>
>>> Thank you
>>>
>>
>

From gbonser at seven.com Thu Jan 26 22:44:01 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 04:44:01 +0000
Subject: LX sfp minimum range
In-Reply-To:
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C94161@RWC-MBX1.corp.seven.com>

Yes, you are correct, I had them backwards in my head when I typed that.

On Behalf Of Pierre-Yves Maunier
Sent: Thursday, January 26, 2012 2:27 PM
To: George Bonser
Subject: Re: LX sfp minimum range

It's the contrary. SX only works on multimode fibre, not on singlemode. LX can work on both.
From freddavidfreddavid at gmail.com Fri Jan 27 00:00:49 2012
From: freddavidfreddavid at gmail.com (Fred David)
Date: Fri, 27 Jan 2012 11:30:49 +0530
Subject: BFD over every 802.1ax member port?
Message-ID:

Hi,

I want to track individual member links inside a .1ax trunk (LAG) using BFD since the best timer that we can get with efm-oam is around 100ms as opposed to BFD which can get as low as 10ms (on most platforms). It's while "googling" on this that I came across work being done in IETF that describes exactly this - draft-mmm-bfd-on-lags-02 [BFD]. Wanted to ask folks if there are any implementations of this draft or if there are vendors that are already doing something similar to what is described in this draft? We don't want to use LACP as that's a slow protocol and it takes an order of seconds to detect a failed link before it's removed from use. We are also not keen on using .1ag and .3ah and would want to rely on BFD to detect the failed link for us.

Freddy "Dave"

[BFD] "Bidirectional Forwarding Detection (BFD) on Link Aggregation Group (LAG) Interfaces" http://tools.ietf.org/id/draft-mmm-bfd-on-lags-02.txt

From brent at brentrjones.com Fri Jan 27 00:30:28 2012
From: brent at brentrjones.com (Brent Jones)
Date: Thu, 26 Jan 2012 22:30:28 -0800
Subject: 10G switchrecommendaton
In-Reply-To: <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com>
References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP> <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com>
Message-ID:

On Thu, Jan 26, 2012 at 8:40 PM, Rodrick Brown wrote:
> Not to mention Arista's cli runs a busybox Linux inside!
>
> Sent from my iPhone
>
>

Last I checked, Arista used Fedora Linux, with x86 dual-core CPUs and 4GB RAM. Their CLI was written in Python or Perl as well, and they encourage hacking it for cool new things.
--
Brent Jones
brent at brentrjones.com

From ebais at A2B-Internet.com Fri Jan 27 02:32:26 2012
From: ebais at A2B-Internet.com (Erik Bais)
Date: Fri, 27 Jan 2012 09:32:26 +0100
Subject: 10G switchrecommendaton
In-Reply-To:
References:
Message-ID: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>

We have a full purple network, so my answer for this would be Extreme Networks.

Check out the Lippis report on the X670 / x670v 48 port 10G 1U switches vs other vendor equipment:

http://www.extremenetworks.com/libraries/products/ExtremeX670V_Lippis%20Report_Fall.pdf

Regards,
Erik Bais

Sent from my iPad

On Jan 26, 2012 at 21:20, Deric Kwok wrote the following:

> Hi all
>
> I would like to have 10G switchrecommendaton
> Iperf software can test around 9.2G but we can have congestion over 6G
> in single port!
>
> Thank you
>

From sander at steffann.nl Fri Jan 27 02:49:01 2012
From: sander at steffann.nl (Sander Steffann)
Date: Fri, 27 Jan 2012 09:49:01 +0100
Subject: Choice of address for IPv6 default gateway
In-Reply-To:
References: <4F2014A0.20008@optilian.com> <4F2119FE.3020502@netnod.se> <893E95D0-65EA-44ED-9171-6B0D632FFE00@delong.com>
Message-ID:

Hi,

> The issue of using FE80::1 everywhere (as the virtual IP in your FHRP
> of choice) is operationally a wash, in terms of perceived complexity
> from the front lines. Do people give me quizzical expressions the
> first time they learn/use it? Absolutely. But a small amount of
> "getting comfortable" with def.gwy subnet =/= the intentionally
> provisioned subnet is outweighed by the ease of "oh, it's the same
> everywhere now."

I agree. I only had problems with VMWare ESXi here. You can't explicitly specify the interface for the default route there.
With VMWare ESX you could, but since vSphere 5 we don't have that option anymore :-(

- Sander

From shortdudey123 at gmail.com Fri Jan 27 02:54:19 2012
From: shortdudey123 at gmail.com (Grant Ridder)
Date: Fri, 27 Jan 2012 02:54:19 -0600
Subject: 10G switchrecommendaton
In-Reply-To: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
Message-ID:

I have experience with the Extreme's Alpine, Blackdiamond, x250, and x450 and I discovered that the command line is fairly different than Cisco, HP, or Dell. However, since they are a relatively small company with a small but strong customer base, their support is fairly good. I can't speak for 10G/40G implementations, but from my experiences, their support has a quick response time and they do quite a bit of lab replication to figure out the exact root cause.

-Grant

On Fri, Jan 27, 2012 at 2:32 AM, Erik Bais wrote:

> We have a full purple network, so my answer for this would be Extreme
> Networks.
>
> Check out the Lippis report on the X670 / x670v 48 port 10G 1U switches.
>
> vs other vendor equipment :
>
> http://www.extremenetworks.com/libraries/products/ExtremeX670V_Lippis%20Report_Fall.pdf
>
>
> Regards,
> Erik Bais
>
> Sent from my iPad
>
> On Jan 26, 2012 at 21:20, Deric Kwok wrote the following:
>
> > Hi all
> >
> > I would like to have 10G switchrecommendaton
> > Iperf software can test around 9.2G but we can have congestion over 6G
> > in single port!
> >
> > Thank you
> >

From tim at interworx.nl Fri Jan 27 03:35:21 2012
From: tim at interworx.nl (Tim Vollebregt)
Date: Fri, 27 Jan 2012 10:35:21 +0100
Subject: 10G switchrecommendaton
In-Reply-To:
References:
Message-ID: <4F226FD9.4050104@interworx.nl>

I would not recommend EX4500 as a 10G aggregator switch, it has really small buffers.

EX3300 as TOR
EX82** as 10G aggregator

-Tim

On 26-01-12 22:13, Raul Rodriguez wrote:
> Juniper EX4500.
>
> -RR
>
> On 1/26/12, Deric Kwok wrote:
>> Hi all
>>
>> I would like to have 10G switchrecommendaton
>> Iperf software can test around 9.2G but we can have congestion over 6G
>> in single port!
>>
>> Thank you
>>
>>

From fdelmotte1 at mac.com Fri Jan 27 04:19:33 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Fri, 27 Jan 2012 11:19:33 +0100
Subject: 10G switchrecommendaton
In-Reply-To:
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
Message-ID: <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com>

I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for DataCenter environment. The box is really good.
In fact if you use the box at a layer 2 it is perfect, BUT DON'T use their BGP code, they never understood what is BGP :)

Regards

Fabien

On 27 Jan 2012 at 09:54, Grant Ridder wrote:

> I have experience with the Extreme's Alpine, Blackdiamond, x250, and x450
> and I discovered that the command line is fairly different than Cisco, HP,
> or Dell. However, since they are a relatively small company with a small
> but strong customer base, their support is fairly good. I can't speak for
> 10G/40G implementations, but from my experiences, their support has a quick
> response time and they do quite a bit of lab replication to figure out the
> exact root cause.
>
> -Grant
>
> On Fri, Jan 27, 2012 at 2:32 AM, Erik Bais wrote:
>
>> We have a full purple network, so my answer for this would be Extreme
>> Networks.
>>
>> Check out the Lippis report on the X670 / x670v 48 port 10G 1U switches.
>>
>> vs other vendor equipment :
>>
>> http://www.extremenetworks.com/libraries/products/ExtremeX670V_Lippis%20Report_Fall.pdf
>>
>>
>> Regards,
>> Erik Bais
>>
>> Sent from my iPad
>>
>> On Jan 26, 2012 at 21:20, Deric Kwok wrote the following:
>>
>>> Hi all
>>>
>>> I would like to have 10G switchrecommendaton
>>> Iperf software can test around 9.2G but we can have congestion over 6G
>>> in single port!
>>>
>>> Thank you
>>>
>>
>>

From leigh.porter at ukbroadband.com Fri Jan 27 04:25:42 2012
From: leigh.porter at ukbroadband.com (Leigh Porter)
Date: Fri, 27 Jan 2012 10:25:42 +0000
Subject: 10G switchrecommendaton
In-Reply-To: <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> , <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com>
Message-ID: <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com>

On 27 Jan 2012, at 10:21, "Fabien Delmotte" wrote:

> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for DataCenter environment. The box is really good.
> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use their BGP code, they never understood what is BGP :)

Is that don't use for Internet facing full table BGP or do you include iBGP for say VPN as well?

--
Leigh

From oscar.vives at gmail.com Fri Jan 27 04:35:49 2012
From: oscar.vives at gmail.com (Tei)
Date: Fri, 27 Jan 2012 11:35:49 +0100
Subject: XBOX 720: possible digital download mass service.
Message-ID:

This seems the right mail list to ask this.

Consoles have a lifespan of 5 years. The current generation is 6 years old. There are rumours that production of the GPUs for the new generation has started in Asia. So the new consoles can come in 2013. There's also a rumour that these new consoles will require internet to download games. These games can weigh 9 to 20 GB. That may be 30 million users in USA, maybe 50 worldwide.

The question is: Can internet in USA support that? Call of Duty 15 releases May 2014 and 30 million gamers start downloading a 20 GB file. Would the internet collapse like a house of cards?
If not, will internet in the USA be ready for the next next generation? (2018).

--
End of message.

From randy at psg.com Fri Jan 27 04:56:19 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 27 Jan 2012 19:56:19 +0900
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID:

> Can internet in USA support that? Call of Duty 15 releases May 2014
> and 30 million gamers start downloading a 20 GB file. Would the
> internet collapse like a house of cards?

not a problem. the vast majority of the states is like a developing country [0], the last mile is pretty much a tin can and a string. so this will effectively throttle the load.

randy

[0] - no insult to the dev cons intended

From me at anuragbhatia.com Fri Jan 27 04:59:38 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Fri, 27 Jan 2012 16:29:38 +0530
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID:

Just curious to know at what bandwidth big ISPs like AT&T, Verizon, Level3, Cogent etc are operating? Are all at or above 40Gbps core bandwidth?

On Fri, Jan 27, 2012 at 4:26 PM, Randy Bush wrote:

> > Can internet in USA support that? Call of Duty 15 releases May 2014
> > and 30 million gamers start downloading a 20 GB file. Would the
> > internet collapse like a house of cards?
>
> not a problem. the vast majority of the states is like a developing
> country [0], the last mile is pretty much a tin can and a string. so
> this will effectively throttle the load.
>
> randy
>
> [0] - no insult to the dev cons intended
>
>

--
Anurag Bhatia
anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!

Twitter: @anurag_bhatia
Linkedin: http://linkedin.anuragbhatia.com

From randy at psg.com Fri Jan 27 05:01:45 2012
From: randy at psg.com (Randy Bush)
Date: Fri, 27 Jan 2012 20:01:45 +0900
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID:

> Just curious to know at what bandwidth big ISPs like AT&T, Verizon,
> Level3, Cogent etc are operating? Are all at or above 40Gbps core
> bandwidth?

yes

From saku at ytti.fi Fri Jan 27 05:06:08 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 27 Jan 2012 13:06:08 +0200
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID: <20120127110608.GA1927@pob.ytti.fi>

On (2012-01-27 11:35 +0100), Tei wrote:
> There's also a rumour that these new consoles will require internet to
> download games. These games can weigh 9 to 20 GB. That may be 30
> million users in USA, maybe 50 worldwide.

Source to these rumours? It seems a ridiculous thought, considering you can literally find a PS2 today in Siberia in a tent behind a generator in the middle of nowhere, with seemingly legally acquired titles. Without having any data to back this up, I'm going to claim a significant portion of revenue is generated by late adopters in emerging markets.

--
++ytti

From rsk at gsp.org Fri Jan 27 05:10:37 2012
From: rsk at gsp.org (Rich Kulawiec)
Date: Fri, 27 Jan 2012 06:10:37 -0500
Subject: Hotmail.com/live.com email admin needed
In-Reply-To: <02e501ccdc71$7ebd4490$7c37cdb0$@cyberlynk.net>
References: <02e501ccdc71$7ebd4490$7c37cdb0$@cyberlynk.net>
Message-ID: <20120127111037.GA2103@gsp.org>

You'll probably have better luck with such requests on the mailop list; that's what it's for (among other things).

---rsk

From james.braunegg at micron21.com Fri Jan 27 05:33:11 2012
From: james.braunegg at micron21.com (James Braunegg)
Date: Fri, 27 Jan 2012 11:33:11 +0000
Subject: 10G switchrecommendaton
In-Reply-To: <4F226FD9.4050104@interworx.nl>
References: <4F226FD9.4050104@interworx.nl>
Message-ID:

How small is the buffer on the EX4500 ??

Kindest Regards

James Braunegg
W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
-----Original Message-----
From: Tim Vollebregt [mailto:tim at interworx.nl]
Sent: Friday, January 27, 2012 8:35 PM
To: nanog at nanog.org
Subject: Re: 10G switchrecommendaton

I would not recommend EX4500 as a 10G aggregator switch, it has really small buffers.

EX3300 as TOR
EX82** as 10G aggregator

-Tim

On 26-01-12 22:13, Raul Rodriguez wrote:
> Juniper EX4500.
>
> -RR
>
> On 1/26/12, Deric Kwok wrote:
>> Hi all
>>
>> I would like to have 10G switchrecommendaton Iperf software can test
>> around 9.2G but we can have congestion over 6G in single port!
>>
>> Thank you
>>
>>

From tim at interworx.nl Fri Jan 27 06:23:50 2012
From: tim at interworx.nl (Tim Vollebregt)
Date: Fri, 27 Jan 2012 13:23:50 +0100
Subject: 10G switchrecommendaton
In-Reply-To:
References: <4F226FD9.4050104@interworx.nl>
Message-ID: <4F229756.1060109@interworx.nl>

2,5MB shared approximately. Aggregating 10G with microbursts is definitely a no-go on such box.

-Tim

On 27-01-12 12:33, James Braunegg wrote:
> How small is the buffer on the EX4500 ??
>
> Kindest Regards
>
> James Braunegg
> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>
>
> -----Original Message-----
> From: Tim Vollebregt [mailto:tim at interworx.nl]
> Sent: Friday, January 27, 2012 8:35 PM
> To: nanog at nanog.org
> Subject: Re: 10G switchrecommendaton
>
> I would not recommend EX4500 as a 10G aggregator switch, it has really small buffers.
>
> EX3300 as TOR
> EX82** as 10G aggregator
>
> -Tim
>
> On 26-01-12 22:13, Raul Rodriguez wrote:
>> Juniper EX4500.
>>
>> -RR
>>
>> On 1/26/12, Deric Kwok wrote:
>>> Hi all
>>>
>>> I would like to have 10G switchrecommendaton Iperf software can test
>>> around 9.2G but we can have congestion over 6G in single port!
>>>
>>> Thank you
>>>
>>>

From Valdis.Kletnieks at vt.edu Fri Jan 27 06:46:14 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 27 Jan 2012 07:46:14 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: Your message of "Fri, 27 Jan 2012 11:35:49 +0100."
References:
Message-ID: <36671.1327668374@turing-police.cc.vt.edu>

On Fri, 27 Jan 2012 11:35:49 +0100, Tei said:
> There's also a rumour that these new consoles will require internet to
> download games.

Apply some logic here - is it in the vendor's best interests to *require* internet to download games? As somebody else pointed out, there's an awful lot of current-gen consoles in tents in Mongolia and farmhouses in Montana - do you want to make a product that those people can't buy and use *at all*? There's also a large segment of the gaming community that will, in fact, be rather upset if you take away the ritual of camping out in front of GameStop.

> Can internet in USA support that? Call of Duty 15 releases May 2014
> and 30 million gamers start downloading a 20 GB file. Would the
> internet collapse like a house of cards?

I'll go out on a limb and say that neither Sony, Microsoft, nor Nintendo is stupid enough to release the sort of console your rumors predict until after the guys at NetFlix have made it safe for them to do so.
:)

From jared at puck.nether.net Fri Jan 27 07:34:49 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 27 Jan 2012 06:34:49 -0700
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net>

It's already done on a similar scale when Apple releases new software for their mobile devices.

Just don't do it if you are on a low cap plan (eg: mobile, satellite etc). Caps will be the new market discriminator IMHO.

Jared Mauch

On Jan 27, 2012, at 3:35 AM, Tei wrote:

> Can internet in USA support that? Call of Duty 15 releases May 2014
> and 30 million gamers start downloading a 20 GB file. Would the
> internet collapse like a house of cards?

From drew.weaver at thenap.com Fri Jan 27 07:53:51 2012
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 27 Jan 2012 08:53:51 -0500
Subject: 10G switchrecommendaton
In-Reply-To:
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
Message-ID:

I would like to point out that in my experience if you do a lot of coding/devops/automation work with SNMP Extreme is a lot harder to work with than Cisco and some of their OIDs/MIBs produce unusual results.

Thanks,
-Drew

-----Original Message-----
From: Grant Ridder [mailto:shortdudey123 at gmail.com]
Sent: Friday, January 27, 2012 3:54 AM
To: Erik Bais
Cc: nanog list
Subject: Re: 10G switchrecommendaton

I have experience with the Extreme's Alpine, Blackdiamond, x250, and x450 and I discovered that the command line is fairly different than Cisco, HP, or Dell. However, since they are a relatively small company with a small but strong customer base, their support is fairly good.
I can't speak for 10G/40G implementations, but from my experience, their support has a quick response time and they do quite a bit of lab replication to figure out the exact root cause.

-Grant

On Fri, Jan 27, 2012 at 2:32 AM, Erik Bais wrote:

> We have a full purple network, so my answer for this would be Extreme
> Networks.
>
> Check out the Lippis report on the X670 / x670v 48 port 10G 1U switches
> vs other vendor equipment:
>
> http://www.extremenetworks.com/libraries/products/ExtremeX670V_Lippis%20Report_Fall.pdf
>
> Regards,
> Erik Bais
>
> Sent from my iPad

From bhmccie at gmail.com Fri Jan 27 08:02:06 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 27 Jan 2012 08:02:06 -0600
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net>
Message-ID: <4F22AE5E.6030708@gmail.com>

Here's your baseline: Sony Vita. They already tossed the UMD out with the PSP-GO and that failed miserably. Now they are trying again to go to digital only with the Vita. It's not the scale of PS3 or XBOX360 but it may be a good way to gauge the potential success of the concept.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/27/2012 7:34 AM, Jared Mauch wrote:
> It's already done on a similar scale when Apple releases new software for their mobile devices.
>
> Just don't do it if you are on a low cap plan (e.g. mobile, satellite etc). Caps will be the new market discriminator IMHO.
>
> Jared Mauch

From eric-list at truenet.com Fri Jan 27 08:13:15 2012
From: eric-list at truenet.com (Eric Tykwinski)
Date: Fri, 27 Jan 2012 09:13:15 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <4F22AE5E.6030708@gmail.com>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com>
Message-ID: <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com>

The PS Vita still uses a proprietary memory card format, so it's not just download only.
The best example of download only would be OnLive, which basically is a game system that only delivers on demand games.

IMHO, it's the market that will determine whether this is the right choice in the long run.
It's a creative way to eliminate the used market and stop piracy, but if the consumers don't join up like the PSP Go, it will eventually fail.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

-----Original Message-----
From: -Hammer- [mailto:bhmccie at gmail.com]
Sent: Friday, January 27, 2012 9:02 AM
To: nanog at nanog.org
Subject: Re: XBOX 720: possible digital download mass service.

Here's your baseline: Sony Vita. They already tossed the UMD out with the PSP-GO and that failed miserably. Now they are trying again to go to digital only with the Vita. It's not the scale of PS3 or XBOX360 but it may be a good way to gauge the potential success of the concept.

-Hammer-

"I was a normal American nerd"
-Jack Herer
From bhmccie at gmail.com Fri Jan 27 08:21:05 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Fri, 27 Jan 2012 08:21:05 -0600
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com> <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com>
Message-ID: <4F22B2D1.8040004@gmail.com>

Now we are venturing OT, but I thought the format was proprietary but you still had to get the content on the memory via the glorious Internet? Are you saying I can go to Gamestop and buy a stick with whatever game I'm looking for? Is that the plan?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/27/2012 8:13 AM, Eric Tykwinski wrote:
> The PS Vita still uses a proprietary memory card format, so it's not just
> download only.
> The best example of download only would be OnLive, which basically is a game
> system that only delivers on demand games.
>
> IMHO, it's the market that will determine whether this is the right choice
> in the long run.
> It's a creative way to eliminate the used market and stop piracy, but if the
> consumers don't join up like the PSP Go, it will eventually fail.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> F: 610-429-3222

From eric at truenet.com Fri Jan 27 08:24:53 2012
From: eric at truenet.com (Eric Tykwinski)
Date: Fri, 27 Jan 2012 09:24:53 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <4F22B2D1.8040004@gmail.com>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com> <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com> <4F22B2D1.8040004@gmail.com>
Message-ID: <01aa01ccdcff$724111e0$56c335a0$@truenet.com>

That's the case, but yeah, definitely off-topic...
http://www.gamestop.com/ps-vita/games/uncharted-golden-abyss-ps-vita/91436

Which would be on-topic, though. If anyone knows of an OnLive box just to check out the bandwidth usage, I would be interested.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

-----Original Message-----
From: -Hammer- [mailto:bhmccie at gmail.com]
Sent: Friday, January 27, 2012 9:21 AM
To: nanog at nanog.org
Subject: Re: XBOX 720: possible digital download mass service.

Now we are venturing OT, but I thought the format was proprietary but you still had to get the content on the memory via the glorious Internet? Are you saying I can go to Gamestop and buy a stick with whatever game I'm looking for? Is that the plan?

-Hammer-

"I was a normal American nerd"
-Jack Herer
From fdelmotte1 at mac.com Fri Jan 27 08:34:21 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Fri, 27 Jan 2012 15:34:21 +0100
Subject: 10G switch recommendation
In-Reply-To: <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com> <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com>
Message-ID: <489100EF-C120-4D6B-9F39-03F6EF2812F5@mac.com>

Only for a full table BGP; in fact it is not able to learn a full BGP table. The X480 could do it, but it is very slow and they miss some features.

Fabien

On 27 Jan 2012, at 11:25, Leigh Porter wrote:

>
> On 27 Jan 2012, at 10:21, "Fabien Delmotte" wrote:
>
>> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for DataCenter environment. The box is really good.
>> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use their BGP code, they never understood what is BGP :)
>
> Is that don't use for Internet facing full table BGP or do you include iBGP for say VPN as well?
>
> --
> Leigh

From fdelmotte1 at mac.com Fri Jan 27 08:41:40 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Fri, 27 Jan 2012 15:41:40 +0100
Subject: 10G switch recommendation
In-Reply-To: <489100EF-C120-4D6B-9F39-03F6EF2812F5@mac.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com> <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com> <489100EF-C120-4D6B-9F39-03F6EF2812F5@mac.com>

You can use BGP only for the default route, no more :) Forget a full view.

On 27 Jan 2012, at 15:34, Fabien Delmotte wrote:

> Only for a full table BGP; in fact it is not able to learn a full BGP table. The X480 could do it, but it is very slow and they miss some features.
>
> Fabien

From fdelmotte1 at mac.com Fri Jan 27 08:42:04 2012
From: fdelmotte1 at mac.com (Fabien Delmotte)
Date: Fri, 27 Jan 2012 15:42:04 +0100
Subject: 10G switch recommendation
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>

Partially agree. Extreme has a "quite" good TCL implementation, and you can develop a lot of things around that. The system is able to reconfigure itself without an external management console (SNMP).

Fabien

On 27 Jan 2012, at 14:53, Drew Weaver wrote:

> I would like to point out that in my experience, if you do a lot of coding/devops/automation work with SNMP, Extreme is a lot harder to work with than Cisco and some of their OIDs/MIBs produce unusual results.
>
> Thanks,
> -Drew

From mhuff at ox.com Fri Jan 27 09:08:27 2012
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 27 Jan 2012 10:08:27 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <01aa01ccdcff$724111e0$56c335a0$@truenet.com>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com> <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com> <4F22B2D1.8040004@gmail.com> <01aa01ccdcff$724111e0$56c335a0$@truenet.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9015881E3EBE8@PUR-EXCH07.ox.com>

From what I've read, the XBOX 720 is still going to have traditional distribution but also including online purchasing (think Steam). The goal is to go with a key system to play the game. I think the idea is you will be able to register the game via phone, or other means as well. However, their idea is to rid the world of the secondary market of used games.

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: Eric Tykwinski [mailto:eric at truenet.com]
> Sent: Friday, January 27, 2012 9:25 AM
> To: nanog
> Subject: RE: XBOX 720: possible digital download mass service.
>
> That's the case, but yeah, definitely off-topic...
> http://www.gamestop.com/ps-vita/games/uncharted-golden-abyss-ps-vita/91436
>
> Which would be on-topic, though. If anyone knows of an OnLive box just
> to check out the bandwidth usage, I would be interested.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> F: 610-429-3222

From ahebert at pubnix.net Fri Jan 27 09:13:17 2012
From: ahebert at pubnix.net (Alain Hebert)
Date: Fri, 27 Jan 2012 10:13:17 -0500
Subject: 10G switch recommendation
In-Reply-To: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com>
Message-ID: <4F22BF0D.9020700@pubnix.net>

Hi,

We like the purple too. But their licensing scheme is starting to get in our way.

We're going to choose Brocade for our new 10G Metro rings. (Watch out for Brocade 10G licensing per set of ports...)

PS: OP, you never told us for which application.

Good luck.

-----
Alain Hebert                 ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 01/27/12 03:32, Erik Bais wrote:
> We have a full purple network, so my answer for this would be Extreme Networks.
>
> Check out the Lippis report on the X670 / x670v 48 port 10G 1U switches
> vs other vendor equipment:
> http://www.extremenetworks.com/libraries/products/ExtremeX670V_Lippis%20Report_Fall.pdf
>
> Regards,
> Erik Bais
>
> Sent from my iPad

From sean at seanharlow.info Fri Jan 27 09:29:59 2012
From: sean at seanharlow.info (Sean Harlow)
Date: Fri, 27 Jan 2012 10:29:59 -0500
Subject: XBOX 720: possible digital download mass service.
Message-ID: <5209CA01-61D2-4C96-88CB-6A2976C1AACD@seanharlow.info>

It doesn't have to. Look at Steam on the PC, where digital distribution has been the norm for years (I literally can't remember the last physical copy PC game I purchased). Preorder a game and it gets preloaded in an encrypted form days to weeks in advance of release.
On release day, the content is simply activated, you get the key, your PC decrypts it, and you go play. On a well designed digital distribution system the release-second traffic spike should be a lot less than you'd think.

----------
Sean Harlow
sean at seanharlow.info

On Jan 27, 2012, at 5:35 AM, Tei wrote:

> The question is:
>
> Can internet in USA support that? Call of Duty 15 releases may 2014
> and 30 million gamers start downloading a 20 GB file. Would the
> internet collapse like a house of cards?

From sean at seanharlow.info Fri Jan 27 09:39:54 2012
From: sean at seanharlow.info (Sean Harlow)
Date: Fri, 27 Jan 2012 10:39:54 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <01aa01ccdcff$724111e0$56c335a0$@truenet.com>
References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com> <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com> <4F22B2D1.8040004@gmail.com> <01aa01ccdcff$724111e0$56c335a0$@truenet.com>

I don't know if the box uses any different settings, but using the Windows client on my PC with quality maxed just now I saw a consistent 5.35 Mbit/sec during action sequences and fast-paced cutscenes, much less of course in menus and such.

----------
Sean Harlow
sean at seanharlow.info

On Jan 27, 2012, at 9:24 AM, Eric Tykwinski wrote:

> Which would be on-topic, though. If anyone knows of an OnLive box just to
> check out the bandwidth usage, I would be interested.

From streiner at cluebyfour.org Fri Jan 27 09:45:07 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 27 Jan 2012 10:45:07 -0500 (EST)
Subject: XBOX 720: possible digital download mass service.

On Fri, 27 Jan 2012, Tei wrote:

> Can internet in USA support that? Call of Duty 15 releases may 2014
> and 30 million gamers start downloading a 20 GB file. Would the
> internet collapse like a house of cards?

I don't see a problem with supporting this. As other posters have said, any congestion that results from this would likely be concentrated at or near 'the last mile' - the downloader's location or the download server's location. Even then, the result would be that it takes longer to download the game data - not a total meltdown.

Also, while there would very likely be a big rush to download Call of Duty 15 the millisecond it's released, it's not likely that every one of those 30 million gamers will do that at the same time. I would hope that Microsoft/Sony/other major game producers do some sort of geographic distribution of their downloads, or use one of the several CDNs that are available, if those logistics can be worked out.

jms

From streiner at cluebyfour.org Fri Jan 27 09:49:23 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 27 Jan 2012 10:49:23 -0500 (EST)
Subject: XBOX 720: possible digital download mass service.

On Fri, 27 Jan 2012, Anurag Bhatia wrote:

> Just curious to know at what bandwidth big ISPs like AT&T, Verizon,
> Level3, Cogent etc are operating? Are all at or above 40Gbps core bandwidth?

Probably a mix of 10G, 40G and 100G as appropriate. By 2014, that might tilt more heavily toward 40G and 100G. From what I've seen, most peering connections at public IXPs are one or more 10G links. Private peering connections could certainly be higher, if the providers at both ends feel it makes good business sense.

jms

> On Fri, Jan 27, 2012 at 4:26 PM, Randy Bush wrote:
>
>>> Can internet in USA support that? Call of Duty 15 releases may 2014
>>> and 30 million gamers start downloading a 20 GB file. Would the
>>> internet collapse like a house of cards?
>>
>> not a problem. the vast majority of the states is like a developing
>> country [0], the last mile is pretty much a tin can and a string. so
>> this will effectively throttle the load.
>>
>> randy
>>
>> [0] - no insult to the dev cons intended
>
> --
>
> Anurag Bhatia
> anuragbhatia.com
> or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
> network!
>
> Twitter: @anurag_bhatia
> Linkedin: http://linkedin.anuragbhatia.com

From rps at maine.edu Fri Jan 27 09:52:59 2012
From: rps at maine.edu (Ray Soucy)
Date: Fri, 27 Jan 2012 10:52:59 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <36671.1327668374@turing-police.cc.vt.edu>
References: <36671.1327668374@turing-police.cc.vt.edu>

This is already very normal (tens of millions of people doing this). World of Warcraft, RIFT, and Star Wars: The Old Republic, etc. are all around 20G of downloads. Sure they have boxed versions, but after you install them they need another 10G of patches to download (looking at you, Blizzard). The majority of players buy the digital download (instant gratification).

Some companies, like Blizzard, have even created streaming game clients that prioritize what is downloaded to get people playing right away.

On Fri, Jan 27, 2012 at 7:46 AM, wrote:

> On Fri, 27 Jan 2012 11:35:49 +0100, Tei said:
>
> > There's also a rumour that these new consoles will require internet to
> > download games.
>
> Apply some logic here - is it in the vendor's best interests to *require*
> internet to download games? As somebody else pointed out, there's an
> awful lot of current-gen consoles in tents in Mongolia and farmhouses in
> Montana - do you want to make a product that those people can't buy and
> use *at all*?
>
> There's also a large segment of the gaming community that will, in fact, be
> rather upset if you take away the ritual of camping out in front of
> GameStop.
>
> > Can internet in USA support that? Call of Duty 15 releases may 2014
> > and 30 million gamers start downloading a 20 GB file. Would the
> > internet collapse like a house of cards?
>
> I'll go out on a limb and say that neither Sony, Microsoft, or Nintendo
> are stupid enough to release the sort of console your rumors predict
> until after the guys at NetFlix have made it safe for them to do so. :)

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From rps at maine.edu Fri Jan 27 10:08:37 2012
From: rps at maine.edu (Ray Soucy)
Date: Fri, 27 Jan 2012 11:08:37 -0500
Subject: XBOX 720: possible digital download mass service.

Well, those are the numbers we can see from a single transceiver (right now mostly 10G and some 40G, with 100G on its way); but most of the big players are using multiples of these with DWDM and link aggregation. I'd say the actual numbers are closer to 680G average right now, per path.

On Fri, Jan 27, 2012 at 10:49 AM, Justin M. Streiner <streiner at cluebyfour.org> wrote:

> On Fri, 27 Jan 2012, Anurag Bhatia wrote:
>
>> Just curious to know at what bandwidth big ISPs like AT&T, Verizon,
>> Level3, Cogent etc are operating? Are all at or above 40Gbps core
>> bandwidth?
>
> Probably a mix of 10G, 40G and 100G as appropriate. By 2014, that might
> tilt more heavily toward 40G and 100G. From what I've seen, most peering
> connections at public IXPs are one or more 10G links. Private peering
> connections could certainly be higher, if the providers at both ends feel
> it makes good business sense.
>
> jms

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From me at anuragbhatia.com Fri Jan 27 10:10:25 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Fri, 27 Jan 2012 21:40:25 +0530
Subject: XBOX 720: possible digital download mass service.

Hello Ray

Are you referring to dark fiber capacity, or is that lit capacity and already in use?

On Fri, Jan 27, 2012 at 9:38 PM, Ray Soucy wrote:

> Well, those are the numbers we can see from a single transceiver (right now
> mostly 10G and some 40G, with 100G on its way); but most of the
> big players are using multiples of these with DWDM and link aggregation.
> I'd say the actual numbers are closer to 680G average right now, per path.

--

Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!

Twitter: @anurag_bhatia
Linkedin: http://linkedin.anuragbhatia.com

From cthomas at ca.ibm.com Fri Jan 27 10:07:42 2012
From: cthomas at ca.ibm.com (Thomas Cooper)
Date: Fri, 27 Jan 2012 11:07:42 -0500
Subject: XBOX 720: possible digital download mass service

Digital distribution like Steam has the infrastructure built for it. The entry fee for independent and smaller devs to Steam is way, way lower than all the licensing crap that Microsoft offers with their XBLA, and for the larger companies, it costs next to nothing to host it digitally as opposed to the brick-and-mortar packaging (especially when the game requires Steam and you essentially buy a CD key at the retail store, with added taxes, etc....)

Besides, those console games are marked up to hell so I bet they make a pretty penny for brick-and-mortar sales. I doubt MS will try a full-blown Steam-like console digital distribution.
-Thomas Cooper From ngqbao at gmail.com Fri Jan 27 10:26:51 2012 From: ngqbao at gmail.com (Bao Nguyen) Date: Fri, 27 Jan 2012 08:26:51 -0800 Subject: 10G switchrecommendaton In-Reply-To: <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com> References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP> <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com> Message-ID: +1 Arista. -bn 0216331C On Thu, Jan 26, 2012 at 8:40 PM, Rodrick Brown wrote: > Not to mention Arista's cli runs a busybox Linux inside! > > Sent from my iPhone > > On Jan 26, 2012, at 9:02 PM, Tom Sands wrote: > > > Arista is good but depends on the application. They have some of the > most Jr code but they are coming along with features fast. Weve chosen them > for several applications when compared to Brocade, Cisco, Extreme, And > Blade. There pricing is on par with the others. > > > > ________________________________________ > > From: James Braunegg [james.braunegg at micron21.com] > > Sent: Thursday, January 26, 2012 7:27 PM > > To: Eddie Parra; Rodrick Brown > > Cc: nanog list > > Subject: RE: 10G switchrecommendaton > > > > Arista sounds interesting, although never knew of them ! > > > > How do they compare price wise / feature wise to Brocade / Juniper / > Force10 ? > > > > That being said my preference is the S4810 - Force10 > > > > Kindest Regards > > > > James Braunegg > > W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 > > E: james.braunegg at micron21.com | ABN: 12 109 977 666 > > > > > > > > This message is intended for the addressee named above. It may contain > privileged or confidential information. If you are not the intended > recipient of this message you must not use, copy, distribute or disclose it > to anyone other than the addressee. If you have received this message in > error please return the message to the sender by replying to it and then > delete the message from your computer. 
> > > > > > -----Original Message-----
> > From: Eddie Parra [mailto:ep at eddieparra.net]
> > Sent: Friday, January 27, 2012 8:23 AM
> > To: Rodrick Brown
> > Cc: nanog list
> > Subject: Re: 10G switchrecommendaton
> >
> > +1 Arista
> >
> > -Eddie
> >
> > On Jan 26, 2012, at 1:02 PM, Rodrick Brown wrote:
> >
> >> http://www.aristanetworks.com/
> >>
> >> Sent from my iPhone
> >>
> >> On Jan 26, 2012, at 3:20 PM, Deric Kwok wrote:
> >>
> >>> Hi all
> >>>
> >>> I would like to have a 10G switch recommendation. Iperf software can test
> >>> around 9.2G but we can have congestion over 6G in a single port!
> >>>
> >>> Thank you
> >>>
> >>
> >
> >

From kilobit at gmail.com Fri Jan 27 10:35:16 2012
From: kilobit at gmail.com (bas)
Date: Fri, 27 Jan 2012 17:35:16 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
Message-ID:

Hi,

Is there a reason switch vendors' 1U TOR 10GE aggregation switches are all cut-through and there are no models with deep buffers?

I've been looking at all vendors I can think of and all have the same models: TOR switches as cut-through with little buffers, and chassis based boxes with deep buffers.

TOR:
Juniper EX4500           208KB/10GE (4MB shared per PFE)
Cisco 4900M              728KB/10GE (17.5MB shared)
Cisco Nexus 3064         140KB/10GE (9MB shared)
Cisco Nexus 5000         680KB/10GE
Force10 S2410            I can't find it anymore, but it wasn't much
Arista 7148SX            123KB/10GE (80KB per port plus 5MB dynamic)
Arista 7050S             173KB/10GE (9MB shared)
Brocade VDX 6730-32      170KB/10GE
Brocade TurboIron 24X    85KB/10GE
HP 6600-24XG             4500KB/10GE
HP 5820-24XG-SFP+        87KB/10GE
Extreme Summit X650      375KB/10GE

Chassis:
Juniper EX8200-8XS       512MB/10GE
Cisco WS-X6708-10GE      32MB/10GE (or 24MB)
Cisco N7K-M132XP-12      36MB/10GE
Arista DCS-7548S-LC      48MB/10GE
Brocade BR-MLX-10Gx8-X   128MB/10GE (not sure)

1GE aggregation:
Force10 S60              1250MB shared
HP 5830                  3000MB shared

I am at a loss why there are no 10GE TOR switches with deep buffers.
Apparently there is a need for deep buffers, as the vendors make them available in the chassis linecards. There also are deep buffer 1GE aggregation switches.

Is there some (technical) reason for this?

I can imagine some vendors would say that you need to scale up to a chassis if you need deep buffers, but at least one vendor should be able to get quite some customers with a 10G deep buffer TOR switch.

I understand that flow-control should prevent loss with microbursts, but my customers get adverse effects, with strongly negative performance, if they let flow-control do its thing.

Any pointers why this is, or if there is a solution for microburst loss, would be greatly appreciated.

Thanks,

Bas

From sjt5 at its.msstate.edu Fri Jan 27 10:45:36 2012
From: sjt5 at its.msstate.edu (Steven Tardy)
Date: Fri, 27 Jan 2012 10:45:36 -0600
Subject: LX sfp minimum range
In-Reply-To:
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com>
Message-ID: <4F22D4B0.8000803@its.msstate.edu>

On 01/26/12 16:33, Pierre-Yves Maunier wrote:
> LX can work on both.
>
> It can happen that SX works on singlemode but it can fail anytime.
>
> LX over multimode fibre is documented on Cisco SFP/GBICs datasheets.
>
> http://www.cisco.com/en/US/products/hw/modules/ps4999/products_tech_note09186a00807a30d6.shtml
>
> Cisco 1000BASE-LX/LH SFP (GLC-LH-SM, SFP-GE-L): Operates on standard single-mode
> fiber-optic link spans of up to 10 km and up to 550 m on any multimode
> fibers.

just because you can doesn't mean you should.

we have experienced multiple cases where LX-MMF-LX works great for 3-5+ years... then one day no longer gets link. swapping to a different fiber pair restores link.
can't remember SX-MMF-SX failing after years of service.
-- Steven Tardy Systems Analyst Information Technology Infrastructure Information Technology Services Mississippi State University sjt5 at its.msstate.edu From rps at maine.edu Fri Jan 27 10:47:21 2012 From: rps at maine.edu (Ray Soucy) Date: Fri, 27 Jan 2012 11:47:21 -0500 Subject: XBOX 720: possible digital download mass service. In-Reply-To: References: Message-ID: Cogent, for example, openly advertises 680G lit capacity for its intercity links; I have not idea if that's just marketing or not. Perhaps some people on list who work for these providers can provide some data. On Fri, Jan 27, 2012 at 11:10 AM, Anurag Bhatia wrote: > Hello Ray > > You are refering to dark fiber capacity or is that lit capacity and > already in use? > > On Fri, Jan 27, 2012 at 9:38 PM, Ray Soucy wrote: > >> Well, those are the numbers we can see from a single transceiver (right >> now >> mostly 10G and some 40G right now, and 100G on its way); but most of the >> big players are using multiples of these with DWDM and link aggregation. >> I'd say the actual numbers are closer to 680G average right now, per >> path. >> >> On Fri, Jan 27, 2012 at 10:49 AM, Justin M. Streiner < >> streiner at cluebyfour.org> wrote: >> >> > On Fri, 27 Jan 2012, Anurag Bhatia wrote: >> > >> > Just curious to know at what bandwidth big ISP's like AT&T, Verizon, >> >> Level3, Cogent etc are operating? Are all at or above 40Gbps core >> >> bandwidth? >> >> >> > >> > Probably a mix of 10G, 40G and 100G as appropriate. By 2014, that might >> > tilt more heavily toward 40G and 100G. From what I've seen, most >> peering >> > connections at public IXPs are one or more 10G links. Private peering >> > connections could certainly be higher, if the providers at both ends >> feel >> > it makes good business sense. >> > >> > jms >> > >> > >> > On Fri, Jan 27, 2012 at 4:26 PM, Randy Bush wrote: >> >> >> >> Can internet in USA support that? 
Call of Duty 15 releases may 2014 >> >>>> and 30 million gamers start downloading a 20 GB files. Would the >> >>>> internet collapse like a house of cards?. >> >>>> >> >>> >> >>> not a problem. the vast majority of the states is like a developing >> >>> country [0], the last mile is pretty much a tin can and a string. so >> >>> this will effectively throttle the load. >> >>> >> >>> randy >> >>> >> >>> [0] - no insult to the dev cons intended >> >>> >> >>> >> >>> >> >> >> >> -- >> >> >> >> Anurag Bhatia >> >> anuragbhatia.com >> >> or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected >> >> network! >> >> >> >> Twitter: @anurag_bhatia > https://twitter.com/#!/anurag_bhatia> >> >> > >> >> Linkedin: http://linkedin.anuragbhatia.**com< >> http://linkedin.anuragbhatia.com> >> >> >> >> >> >> > >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ >> > > > > -- > > Anurag Bhatia > anuragbhatia.com > or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected > network! > > Twitter: @anurag_bhatia > Linkedin: http://linkedin.anuragbhatia.com > > -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From nanog at maunier.org Fri Jan 27 10:47:27 2012 From: nanog at maunier.org (Pierre-Yves Maunier) Date: Fri, 27 Jan 2012 17:47:27 +0100 Subject: LX sfp minimum range In-Reply-To: <4F22D4B0.8000803@its.msstate.edu> References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> <4F22D4B0.8000803@its.msstate.edu> Message-ID: 2012/1/27 Steven Tardy > On 01/26/12 16:33, Pierre-Yves Maunier wrote: > >> >> >> It can happends that SX works on singlemode but it can fail anytime. >> >> just because you can doesn't mean you should. 
> > we have experienced multiple cases where LX-MMF-LX works great for 3-5+
> > years...
> > then one day no longer gets link. swapping to a different fiber pair
> > restores link.
> > can't remember SX-MMF-SX failing after years of service.
>
>

That's why I wrote 'but it can fail anytime', meaning I strongly recommend to NOT do it.

--
Pierre-Yves Maunier

From saku at ytti.fi Fri Jan 27 10:55:15 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 27 Jan 2012 18:55:15 +0200
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References:
Message-ID: <20120127165515.GA2697@pob.ytti.fi>

On (2012-01-27 17:35 +0100), bas wrote:
> Chassis:
> Juniper EX8200-8XS 512MB/10GE
> Cisco WS-X6708-10GE 32MB/10GE (or 24MB)
> Cisco N7K-M132XP-12 36MB/10GE
> Arista DCS-7548S-LC 48MB/10GE
> Brocade BR-MLX-10Gx8-X 128MB/10GE (not sure)
>
> 1GE aggregation.
> Force10 S60 1250MB shared
> HP 5830 3000MB shared

I'd take some of these with a grain of salt. Take EX8200-8XS; the PDF indeed does agree:
---
Total buffer size is 512 MB on each EX8200-8XS 10-Gigabit Ethernet port or each EX8200-40XS port group, and 42 MB on each EX8200-48T and EX8200-48F Gigabit Ethernet port, providing 50-100 ms of bandwidth delay buffering
---
However 512MB is about 400ms of buffering, while 512Mb is 50ms. So I think the JNPR PDF is just wrong. A similar error may exist for some other quoted numbers.

But generally a nice list, especially the 10GE fixed config looked realistic. Sometimes I wish we'd have a 'dpreview' style page for routers and switches, especially now with a dozen or more vendors selling the 'same' trident+ switch; differentiating them is hard.
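The MB-versus-Mb sanity check above, carried through for a whole list as an added example (not code from the thread): it parses entries in the "vendor model size/link" form used in the original post, converts each buffer to the time it takes to drain at line rate, and flags per-port figures that look like a byte/bit mix-up. The sample entries, the decimal (1000-based) prefixes and the 200 ms flag threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Line rates in bits per second for the link types that appear in the thread.
LINE_RATE_BPS = {"10GE": 10_000_000_000, "1GE": 1_000_000_000}

# Per-port buffering above this is flagged as probably mis-stated (MB vs Mb).
# Assumed threshold, chosen to sit above the 50-100 ms the Juniper datasheet quotes.
SUSPICIOUS_MS = 200.0

# Constructed sample in the thread's "<vendor model> <size>/<link> [(note)]" form:
# a few posted entries plus one line rewritten in Mb to show the difference.
SAMPLE = """\
TOR:
Juniper EX4500 208KB/10GE (4MB shared per PFE)
Cisco 4900M 728KB/10GE (17.5MB shared)
Arista 7050S 173KB/10GE (9MB shared)
Chassis:
Juniper EX8200-8XS 512MB/10GE
Juniper EX8200-8XS-as-Mb 512Mb/10GE
Cisco WS-X6708-10GE 32MB/10GE (or 24MB)
"""

# name, then size with a K/M/G prefix and B (bytes) or b (bits), then the link type.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<size>\d+(?:\.\d+)?)(?P<prefix>[KMG])(?P<unit>[Bb])/(?P<link>\d+GE)"
)


@dataclass
class Entry:
    name: str
    buffer_bits: float
    link: str
    buffering_ms: float
    suspicious: bool


def to_bits(size: float, prefix: str, unit: str) -> float:
    """Convert e.g. (512, 'M', 'B') to bits. Decimal prefixes are assumed;
    1024-based prefixes would move the result by under 5%."""
    mult = {"K": 1e3, "M": 1e6, "G": 1e9}[prefix]
    return size * mult * (8 if unit == "B" else 1)


def buffering_ms(buffer_bits: float, link: str) -> float:
    """Time a full buffer takes to drain at line rate, in milliseconds."""
    return buffer_bits / LINE_RATE_BPS[link] * 1000.0


def parse_buffer_list(text: str) -> List[Entry]:
    """Parse the posted list; section headers such as 'TOR:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        bits = to_bits(float(m["size"]), m["prefix"], m["unit"])
        ms = buffering_ms(bits, m["link"])
        entries.append(Entry(m["name"], bits, m["link"], ms, ms > SUSPICIOUS_MS))
    return entries


if __name__ == "__main__":
    for e in parse_buffer_list(SAMPLE):
        flag = "  <-- check datasheet: MB or Mb?" if e.suspicious else ""
        print(f"{e.name:<28} {e.buffering_ms:9.3f} ms at {e.link}{flag}")
```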
--
++ytti

From mkarir at merit.edu Fri Jan 27 10:59:17 2012
From: mkarir at merit.edu (Manish Karir)
Date: Fri, 27 Jan 2012 11:59:17 -0500
Subject: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS
In-Reply-To:
References: <8E839F27-A2F7-4E1B-9BD8-C0679A65EC64@merit.edu>
Message-ID:

All,

Just a quick update on various feedback we have received from folks on the bgpTables Project (http://bgptables.merit.edu)

1: You can now simply enter an AS number in the search/query box without the need to prepend the letters "as" before the number
2: You can now look up an IP address and the result will be the best matching prefix, e.g. a query for "8.8.8.8" will now work.
3: We have made a few css fixes for opera
4: On the issue of history: We have a parallel effort that tracks historical BGP origin information over time which we will work on merging into the bgptable.merit.edu web site.
5: On the issue of graphics to show AS adjacency relationships: Yes, we do plan on doing some nicer graphics, but the hard part is always in making the layout presentation consistent; we do have some good ideas on how to do this.
6: Additional information: RPKI status, RTT measurements, etc. We are hoping to work with other folks in integrating their datasets into our website as suitable. Anything that is organized by prefix/AS can be pulled into our existing system.

Thanks for all the feedback! Hopefully we can continue to evolve this over time.

-manish

On Jan 14, 2012, at 2:33 AM, Anurag Bhatia wrote:

> Hello Manish
>
> Nice work on bgptables.merit.edu
>
> Couple of things:
>
> - It doesn't recognize an individual IP directly but needs the complete block in CIDR to get info about it, e.g. a search for 8.8.8.8 gives nothing but 8.8.8.0/24 gives information about Google. It would be worth having it look at the block to which an IP belongs.
>
> - You might consider adding graphs on AS connections - those are best for easy & quick reading.
Something like for Google (AS15169) - http://bgp.he.net/AS15169#_graph4 > > > Nice work, keep it going! > > On Sat, Jan 14, 2012 at 1:49 AM, Manish Karir wrote: > > All, > > We would like to announce the availability of the bgpTables Project at Merit at: http://bgptables.merit.edu > bgpTables allows users to easily navigate global routing table data collected via routviews.org. bgptables > essentially processes the data collected at routeviews and makes is available in a somewhat easier > to use interface. The goal of bgpTables is to represent global prefix and AS visibility information from the > vantage point of the various bgp table views as seen at routeviews. > The data is currently updated nightly (EST) but we hope to improve this over time. > Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple examples of how you can use bgpTables. > > Some examples: > - You can query for a specific ASN by entering the text 'as' followed by the AS number into the search box. For example to query for information about AS 237 you would enter 'as237' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for this ASN > > - You can query for a specific prefix by directly entering the prefix into the search box. For example to query for information about prefix 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] into the search box and then click 'search'. You can then use the view navigator map to switch to different routing table views for the prefix. > > - You can find a particular prefix that you might be interested in by running a 'contained within' query via the search box. For example to quickly browse a list of prefixes contained within 1.0.0.0/8 to find the particular prefix you might be interested in, you can enter the text 'cw1.0.0.0/8' [without quotation marks] into the search box and click 'search'. 
You can then browse the resulting table to select the particular prefix you might be interested in. > > - You can simply enter the text 'as' followed by the company name into the search box then click search to view a list of possible matches for that text. For example, to view all matching google ASNs you can simply enter 'asgoogle' into the search box and click search. A list of possible matching ASNs that reference Google by name will be returned from which you an then select the particular ASN that is of interest to you. > > > Comments, corrections, and suggestions are very welcome. Please send them to mkarir at merit.edu. Hopefully folks will find this useful. > > Thanks. > -The Merit Network Research and Development Team > > > > > > -- > > Anurag Bhatia > > anuragbhatia.com > > or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! > > Twitter: @anurag_bhatia > From sethm at rollernet.us Fri Jan 27 10:59:37 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 27 Jan 2012 08:59:37 -0800 Subject: XBOX 720: possible digital download mass service. In-Reply-To: References: <36671.1327668374@turing-police.cc.vt.edu> Message-ID: <4F22D7F9.40408@rollernet.us> On 1/27/12 7:52 AM, Ray Soucy wrote: > This is already very normal (tens of millions of people doing this). > > World of Warcraft, RIFT, and Star Wars: The Old Republic, etc. are all > around 20G of downloads. Sure they have boxed versions, but after you > install them they need another 10G of patches to download (looking at you, > Blizzard). > > The majority of players buy the digital download (instant gratification). > Well, I can tell you from my experience using AT&T at home that there is no such thing as instant gratification with digital downloads of large games. ;) If I start something in the morning it will probably be done by the time I get back from the office. 
Even if I buy a box set these days it's more likely just a serial number carrier than not, which is a waste of time for side trip to a store through rush hour traffic on the way home. ~Seth From tom.ammon at utah.edu Fri Jan 27 11:55:20 2012 From: tom.ammon at utah.edu (Tom Ammon) Date: Fri, 27 Jan 2012 17:55:20 +0000 Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton) In-Reply-To: References: Message-ID: <34FB1D1922F27F439B677D238AF0A4AC074783@X-MB10.xds.umail.utah.edu> The HP6600 is a store and forward, not a cut-through. The HP reps that I have dealt with seem to be pretty open to sharing architecture drawings of their stuff, so I bet you could probably get your hands on the same one that I have. Their NDA is a mutual disclosure, though, so that might make things tough depending on your organization's policies. Tom -----Original Message----- From: bas [mailto:kilobit at gmail.com] Sent: Friday, January 27, 2012 9:35 AM To: nanog Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton) Hi, Is there a reason switch vendors 1U TOR 10GE aggregation switches are all cut-through and there are no models with deep buffers? I've ben looking at all vendors I can think of and all have the same models. TOR switches as cut-through with little buffers, and chassis based boxes with deep buffers. TOR: Juniper EX4500 208KB/10GE (4MB shared per PFE) Cisco 4900M 728KB/10GE (17.5MB shared) Cisco Nexus 3064 140KB/10GE (9MB shared) Cisco Nexus 5000 680KB/10GE Force10 S2410 I can't find it anymore, but it wasn't much Arista 7148SX 123KB/10GE (80KB per port plus 5MB dynamic) Arista 7050S 173KB/10GE (9MB shared) Brocade VDX 6730-32 170KB/10GE Brocade TurboIron 24X 85KB/10GE HP 6600-24XG 4500KB/10GE HP 5820-24XG-SFP+ 87KB/10GE Extreme Summit X650 375KB/10GE Chassis: Juniper EX8200-8XS 512MB/10GE Cisco WS-X6708-10GE 32MB/10GE (or 24MB) Cisco N7K-M132XP-12 36MB/10GE Arista DCS-7548S-LC 48MB/10GE Brocade BR-MLX-10Gx8-X 128MB/10GE (not sure) 1GE aggregation. 
Force10 S60 1250MB shared HP 5830 3000MB shared I am at a loss why there are no 10GE TOR switches with deep buffers. Apparently there is a need for deep buffers as the vendors make them available in the chassis linecards. There also are deep buffer 1GE aggregation switches. Is there some (technical) reason for this? I can imagine some vendors would say that you need to scale up to a chassis if you need deep buffers, but at least one vendor should be able to get quite some customers with a 10G deep buffer TOR switch. I understand that flow-control should prevent loss with microbursts, but in my customers get adverse effects, with strong negative performance if they let flow-control do its thing. Any pointers why this is, or if there is a solution for microburst loss would be greatly appreciated. Thanks, Bas From ebais at A2B-Internet.com Fri Jan 27 12:05:24 2012 From: ebais at A2B-Internet.com (Erik Bais) Date: Fri, 27 Jan 2012 19:05:24 +0100 Subject: 10G switchrecommendaton In-Reply-To: References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com> <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com> <489100EF-C120-4D6B-9F39-03F6EF2812F5@mac.com> Message-ID: <581E0AA7-5761-42D3-8985-8A9C247E053E@A2B-Internet.com> Hi Fabien, I strongly have to disagree with you. We run a full bgp implementation on Extreme in our network and are very pleased with it and the support that we get from Extreme. One of our x480's we run has about 1.4 milj learned routes and another has around 200 bgp peers on the AMS-iX... So what is your point ? As an ex-Extreme employee making such strong statements, while you don't know the current status at customers, it may be best to ask who is using it and how, instead of acting like a grumpy ex-employee. Feel free to ask about our setup. 
Regards, Erik Bais Verstuurd vanaf mijn iPad Op Jan 27, 2012 om 15:41 heeft Fabien Delmotte het volgende geschreven: > You can use BGP only for the default route no more :) forget a full view > > Le 27 janv. 2012 ? 15:34, Fabien Delmotte a ?crit : > >> Only for a full table BGP, in fact it is not able to learn a full BGP table. The X480 could do it, but it is very slow and they miss some features >> >> Fabien >> >> >> Le 27 janv. 2012 ? 11:25, Leigh Porter a ?crit : >> >>> >>> On 27 Jan 2012, at 10:21, "Fabien Delmotte" wrote: >>> >>>> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for DataCenter environment. The box is really good. >>>> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use their BGP code, they never understood what is BGP :) >>> >>> Is that don't use for Internet facing full table BGP or do you include iBGP for say VPN as well? >>> >>> -- >>> Leigh >>> >>> >>> ______________________________________________________________________ >>> This email has been scanned by the Symantec Email Security.cloud service. >>> For more information please visit http://www.symanteccloud.com >>> ______________________________________________________________________ >> > > From shortdudey123 at gmail.com Fri Jan 27 12:10:40 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Fri, 27 Jan 2012 12:10:40 -0600 Subject: 10G switchrecommendaton In-Reply-To: <581E0AA7-5761-42D3-8985-8A9C247E053E@A2B-Internet.com> References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com> <0942DBB7-18C5-46AF-810B-C27705DFBCF5@ukbroadband.com> <489100EF-C120-4D6B-9F39-03F6EF2812F5@mac.com> <581E0AA7-5761-42D3-8985-8A9C247E053E@A2B-Internet.com> Message-ID: I agree with the previous statement. The previous company i worked for had a pair of x450's with the full bgp internet routing table and they worked just fine. 
-Grant On Fri, Jan 27, 2012 at 12:05 PM, Erik Bais wrote: > Hi Fabien, > > I strongly have to disagree with you. We run a full bgp implementation on > Extreme in our network and are very pleased with it and the support that we > get from Extreme. One of our x480's we run has about 1.4 milj learned > routes and another has around 200 bgp peers on the AMS-iX... So what is > your point ? > > As an ex-Extreme employee making such strong statements, while you don't > know the current status at customers, it may be best to ask who is using it > and how, instead of acting like a grumpy ex-employee. > > Feel free to ask about our setup. > > Regards, > Erik Bais > > Verstuurd vanaf mijn iPad > > Op Jan 27, 2012 om 15:41 heeft Fabien Delmotte het > volgende geschreven: > > > You can use BGP only for the default route no more :) forget a full view > > > > Le 27 janv. 2012 ? 15:34, Fabien Delmotte a ?crit : > > > >> Only for a full table BGP, in fact it is not able to learn a full BGP > table. The X480 could do it, but it is very slow and they miss some features > >> > >> Fabien > >> > >> > >> Le 27 janv. 2012 ? 11:25, Leigh Porter a ?crit : > >> > >>> > >>> On 27 Jan 2012, at 10:21, "Fabien Delmotte" > wrote: > >>> > >>>> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for > DataCenter environment. The box is really good. > >>>> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use > their BGP code, they never understood what is BGP :) > >>> > >>> Is that don't use for Internet facing full table BGP or do you include > iBGP for say VPN as well? > >>> > >>> -- > >>> Leigh > >>> > >>> > >>> ______________________________________________________________________ > >>> This email has been scanned by the Symantec Email Security.cloud > service. 
> >>> For more information please visit http://www.symanteccloud.com
> >>> ______________________________________________________________________
> >>
> >
> >

From carlos at race.com Fri Jan 27 12:12:16 2012
From: carlos at race.com (Carlos Alcantar)
Date: Fri, 27 Jan 2012 18:12:16 +0000
Subject: US DOJ victim letter
In-Reply-To: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com>
Message-ID:

Today it looks like we have received the letter from the DOJ which gives us login information, for a listing of IPs within our network that were affected, with date and time stamps. Anyone else get these yet?

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com

-----Original Message-----
From: Robert Bonomi
Date: Fri, 20 Jan 2012 13:08:56 -0600
To: "nanog at nanog.org"
Subject: Re: US DOJ victim letter

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Fri Jan 20 08:11:24 2012
> Date: Fri, 20 Jan 2012 08:07:10 -0600
> From: -Hammer-
> To: nanog at nanog.org
> Subject: Re: US DOJ victim letter
>
> On a less serious note, did anyone notice the numbers on the fbi.gov
> link? I'm pretty sure they are implying those are IP addresses.
> 123.456.789 and 987.654.321. Must be the same folks that do the Nexus
> documentation for Cisco.
>

For illustration purposes, for a non-technical audience, it seems (at least somewhat) reasonable to use 'nonets' instead of octets. After all, 'no nets' are clearly not what DNS -should- be returning. *GRIN*

And, of course, systems using the traditional unix dotted-quad to binary conversion logic _will_ happily convert those strings to a 32-bit int.
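What that traditional conversion logic (the C library's inet_aton(), reached here through Python's socket module) actually accepts, as an added example that is not part of the thread: one to four dot-separated parts, each decimal, octal or hex, with only the last part allowed to be wider than a byte. Every part before a dot must fit in 8 bits, so the letter's "123.456.789" is rejected, while "123.456" and "127.1" are not; the defender's lesson is that any address allow- or block-list must compare the canonical form, never the raw string. The helper names and the sample strings are this example's own.

```python
import socket
from typing import Optional, Set


def canonical_ipv4(text: str) -> Optional[str]:
    """Return the dotted-quad that inet_aton() resolves `text` to, or None
    if inet_aton() rejects it.

    inet_aton() accepts 1, 2, 3 or 4 parts; a part may be decimal, octal
    (leading 0) or hex (leading 0x). A part followed by a dot must fit in
    one byte; the final part fills all remaining low-order bytes.
    """
    try:
        packed = socket.inet_aton(text)
    except OSError:  # "illegal IP address string passed to inet_aton"
        return None
    return socket.inet_ntoa(packed)


def naive_is_listed(text: str, listed: Set[str]) -> bool:
    """String comparison: misses every non-canonical spelling of an address."""
    return text in listed


def canonical_is_listed(text: str, listed: Set[str]) -> bool:
    """Compare on the form the network stack will actually use."""
    canon = canonical_ipv4(text)
    return canon is not None and canon in listed


if __name__ == "__main__":
    # Constructed inputs: the letter's "nonets" plus the classic alternate spellings.
    samples = ["123.456.789", "987.654.321", "123.456", "127.1", "0x7f.1",
               "0177.0.0.1", "2130706433", "1.2.3.4"]
    for s in samples:
        print(f"{s:<14} -> {canonical_ipv4(s)}")
    listed = {"127.0.0.1"}
    for s in ("127.1", "0x7f.1"):
        print(s, "naive:", naive_is_listed(s, listed),
              "canonical:", canonical_is_listed(s, listed))
```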
From bdha at mirrorshades.net Fri Jan 27 12:16:27 2012 From: bdha at mirrorshades.net (Bryan Horstmann-Allen) Date: Fri, 27 Jan 2012 13:16:27 -0500 Subject: US DOJ victim letter In-Reply-To: References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> Message-ID: <20120127181626.GC21814@lab.pobox.com> +------------------------------------------------------------------------------ | On 2012-01-27 18:12:16, Carlos Alcantar wrote: | | Today it looks like we have received the letter from the DOJ which gives | us login information, for listing of ip's within our network that where | affected with date and time stamps. Anyone else get these yet? I have. The login doesn't work (for me). htauth pops up on fbi.gov, creds don't auth. Bit odd, if it's a phish. Even more odd if it's actually from the Fed. Cheers. -- bdha cyberpunk is dead. long live cyberpunk. From nanog at hostleasing.net Fri Jan 27 12:20:50 2012 From: nanog at hostleasing.net (Randy Epstein) Date: Fri, 27 Jan 2012 13:20:50 -0500 Subject: US DOJ victim letter In-Reply-To: <20120127181626.GC21814@lab.pobox.com> Message-ID: > >Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > >Cheers. >-- >bdha >cyberpunk is dead. long live cyberpunk. It's for real. Yes, it's really odd and wasteful. 
Randy

From mike-nanog at tiedyenetworks.com Fri Jan 27 12:21:43 2012
From: mike-nanog at tiedyenetworks.com (Mike)
Date: Fri, 27 Jan 2012 10:21:43 -0800
Subject: US DOJ victim letter
In-Reply-To: <20120127181626.GC21814@lab.pobox.com>
References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com>
Message-ID: <4F22EB37.60905@tiedyenetworks.com>

On 01/27/2012 10:16 AM, Bryan Horstmann-Allen wrote:
> +------------------------------------------------------------------------------
> | On 2012-01-27 18:12:16, Carlos Alcantar wrote:
> |
> | Today it looks like we have received the letter from the DOJ which gives
> | us login information, for listing of ip's within our network that were
> | affected with date and time stamps. Anyone else get these yet?
>

Yeah we got ours and after all this it's just a list of customer IPs that have been detected as having altered DNS settings. Honestly, I could care less about customer virus infections. I am not going to do anything with the information and am likely to ignore future occurrences from the FBI if this is all they got.

Mike-

From Valdis.Kletnieks at vt.edu Fri Jan 27 12:23:08 2012
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Fri, 27 Jan 2012 13:23:08 -0500
Subject: US DOJ victim letter
In-Reply-To: Your message of "Fri, 27 Jan 2012 13:16:27 EST." <20120127181626.GC21814@lab.pobox.com>
References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com>
Message-ID: <30970.1327688588@turing-police.cc.vt.edu>

On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said:

> Bit odd, if it's a phish. Even more odd if it's actually from the Fed.

What if it's a phish from a compromised Fed box? :)
From jim at miltonsecurity.com Fri Jan 27 12:27:27 2012
From: jim at miltonsecurity.com (James McMurry)
Date: Fri, 27 Jan 2012 10:27:27 -0800
Subject: 10G switchrecommendaton
In-Reply-To:
References: <9890E31B-1D18-415B-AACF-65F193E19332@gmail.com> <7B378EB3C047B74A899746268AB04539250D0B99@ORD1EXD04.RACKSPACE.CORP> <2666B4D5-ECD6-44C8-BF8C-26336E71770E@gmail.com>
Message-ID:

We have used both Arista and the LG-Ericsson switches; both have done very well, and both have a great $/value proposition.

We use the Solarflare boards in an upcoming product ourselves, and they have been quite dependable, and again the performance is great.

Just our 2 cents

jim

office: (888) 674-9001 x6101
email: jim at miltonsecurity.com
http://www.miltonsecurity.com

On Jan 26, 2012, at 10:30 PM, Brent Jones wrote:

> On Thu, Jan 26, 2012 at 8:40 PM, Rodrick Brown wrote:
>
>> Not to mention Arista's cli runs a busybox Linux inside!
>>
>> Sent from my iPhone
>>
>>
> Last I checked, Arista used Fedora Linux, with x86 dual-core CPUs and 4GB
> RAM.
> Their CLI was written in Python or Perl as well, and they encourage hacking
> it for cool new things.
>
>
> --
> Brent Jones
> brent at brentrjones.com

From nanog at hostleasing.net Fri Jan 27 12:32:20 2012
From: nanog at hostleasing.net (Randy Epstein)
Date: Fri, 27 Jan 2012 13:32:20 -0500
Subject: US DOJ victim letter
In-Reply-To: <30970.1327688588@turing-police.cc.vt.edu>
Message-ID:

On 1/27/12 1:23 PM, "Valdis.Kletnieks at vt.edu" wrote:

>On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said:
>
>> Bit odd, if it's a phish. Even more odd if it's actually from the Fed.
>
>What if it's a phish from a compromised Fed box?
:)

We've spoken to folks at various FBI field offices and at 26 Plaza in New York, which is handling this case. Further, John Curran (ARIN CEO) has confirmed it's real via their own liaison, and Paul Vixie is actually working with them on this.

Randy

From carlos at race.com Fri Jan 27 12:46:19 2012
From: carlos at race.com (Carlos Alcantar)
Date: Fri, 27 Jan 2012 18:46:19 +0000
Subject: US DOJ victim letter
In-Reply-To: <20120127181626.GC21814@lab.pobox.com>
Message-ID:

I'll admit their tokens are a bit crazy; I had to enter it about 5 times to figure out if the characters were 1's, l's, I's, etc.

Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com

-----Original Message-----
From: Bryan Horstmann-Allen
Reply-To:
Date: Fri, 27 Jan 2012 13:16:27 -0500
To: Carlos Alcantar
Cc: "nanog at nanog.org"
Subject: Re: US DOJ victim letter

+------------------------------------------------------------------------------
| On 2012-01-27 18:12:16, Carlos Alcantar wrote:
|
| Today it looks like we have received the letter from the DOJ which gives
| us login information, for listing of ip's within our network that were
| affected with date and time stamps. Anyone else get these yet?

I have. The login doesn't work (for me). htauth pops up on fbi.gov, creds don't auth.

Bit odd, if it's a phish. Even more odd if it's actually from the Fed.

Cheers.
--
bdha
cyberpunk is dead. long live cyberpunk.

From sean at donelan.com Fri Jan 27 12:52:26 2012
From: sean at donelan.com (Sean Donelan)
Date: Fri, 27 Jan 2012 13:52:26 -0500 (EST)
Subject: Customer service (was Re: US DOJ victim letter)
In-Reply-To: <4F22EB37.60905@tiedyenetworks.com>
References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com> <4F22EB37.60905@tiedyenetworks.com>
Message-ID:

On Fri, 27 Jan 2012, Mike wrote:
> Honestly, I could care less about customer virus infections.
I am not going > to do anything with the information and am likely to ignore future > occurrences from the fbi if this is all they got. Each ISP will makes its own business decision what they want to do. I'm not involved with it, and this is just my personal opinion., The idea is DNS resolution will stop working for those customers after the court order expires and the temporary DNS server stops. Those customers will likely start calling your customer service lines saying "The Internet is broken." Instead of ISP call centers being overloaded with customer calls all at once when the temporary DNS servers answering on the DNSchanger IP addresses are shutdown, the FBI is trying to give those ISPs a heads up their customers' DNS will break in the near future. The FBI hasn't done this before, so its a bit of a learning experience for everyone. Like many first time things, it hasn't gone as smoothly as anyone wanted. It is up to individual ISPs to decide if they want to inform their customers proactively, or wait until DNS stops working for the customer and the customer calls the ISP help desk complaining the Internet is down. Yes, I know, the Internet isn't down; but ask your customer service manager what they want to do. From cscora at apnic.net Fri Jan 27 12:59:47 2012 From: cscora at apnic.net (Routing Analysis Role Account) Date: Sat, 28 Jan 2012 04:59:47 +1000 (EST) Subject: Weekly Routing Table Report Message-ID: <201201271859.q0RIxlqw014576@thyme.rand.apnic.net> This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-stats at lists.apnic.net For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith . 
Routing Table Report   04:00 +10GMT Sat 28 Jan, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              394446
    Prefixes after maximum aggregation:                          169250
    Deaggregation factor:                                          2.33
    Unique aggregates announced to Internet:                     191523
Total ASes present in the Internet Routing Table:                 39956
    Prefixes per ASN:                                              9.87
Origin-only ASes present in the Internet Routing Table:           32670
Origin ASes announcing only one prefix:                           15524
Transit ASes present in the Internet Routing Table:                5393
Transit-only ASes present in the Internet Routing Table:            138
Average AS path length visible in the Internet Routing Table:       4.3
Max AS path length visible:                                          34
Max AS path prepend of ASN (38964)                                   31
Prefixes from unregistered ASNs in the Routing Table:               320
Unregistered ASNs in the Routing Table:                             120
Number of 32-bit ASNs allocated by the RIRs:                       2225
Number of 32-bit ASNs visible in the Routing Table:                1893
Prefixes from 32-bit ASNs in the Routing Table:                    4552
Special use prefixes present in the Routing Table:                    2
Prefixes being announced from unallocated address space:            124
Number of addresses announced to Internet:                   2512489808
    Equivalent to 149 /8s, 193 /16s and 141 /24s
Percentage of available address space announced:                   67.8
Percentage of allocated address space announced:                   67.8
Percentage of available address space allocated:                  100.0
Percentage of address space in use by end-sites:                   92.0
Total number of prefixes smaller than registry allocations:      166987

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                    97720
    Total APNIC prefixes after maximum aggregation:               31635
    APNIC Deaggregation factor:                                    3.09
Prefixes being announced from the APNIC address blocks:           94001
    Unique aggregates announced from the APNIC address blocks:    39037
APNIC Region origin ASes present in the Internet Routing Table:    4647
    APNIC Prefixes per ASN:                                       20.23
APNIC Region origin ASes announcing only one prefix:               1245
APNIC Region transit ASes present in the Internet Routing Table:    732
Average APNIC Region AS path length visible:                        4.3
Max APNIC Region AS path length visible:                             18
Number of APNIC region 32-bit ASNs visible in the Routing Table:    138
Number of APNIC addresses announced to Internet:              635145056
    Equivalent to 37 /8s, 219 /16s and 139 /24s
Percentage of available APNIC address space announced:             80.5

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
                       (pre-ERX allocations)
                       23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,  49/8,
                        58/8,  59/8,  60/8,  61/8, 101/8, 103/8, 106/8, 110/8,
                       111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
                       119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
                       133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8,
                       211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    147868
    Total ARIN prefixes after maximum aggregation:                75244
    ARIN Deaggregation factor:                                     1.97
Prefixes being announced from the ARIN address blocks:           119897
    Unique aggregates announced from the ARIN address blocks:     49172
ARIN Region origin ASes present in the Internet Routing Table:    14873
    ARIN Prefixes per ASN:                                         8.06
ARIN Region origin ASes announcing only one prefix:                5685
ARIN Region transit ASes present in the Internet Routing Table:    1582
Average ARIN Region AS path length visible:                         4.0
Max ARIN Region AS path length visible:                              25
Number of ARIN region 32-bit ASNs visible in the Routing Table:      14
Number of ARIN addresses announced to Internet:               805162560
    Equivalent to 47 /8s, 253 /16s and 206 /24s
Percentage of available ARIN address space announced:              64.0

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
                       (pre-ERX allocations)
                       2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks      3/8,   4/8,   6/8,   7/8,   8/8,   9/8,  11/8,  12/8,
                        13/8,  15/8,  16/8,  17/8,  18/8,  19/8,  20/8,  21/8,
                        22/8,  23/8,  24/8,  26/8,  28/8,  29/8,  30/8,  32/8,
                        33/8,  34/8,  35/8,  38/8,  40/8,  44/8,  45/8,  47/8,
                        48/8,  50/8,  52/8,  53/8,  54/8,  55/8,  56/8,  57/8,
                        63/8,  64/8,  65/8,  66/8,  67/8,  68/8,  69/8,  70/8,
                        71/8,  72/8,  73/8,  74/8,  75/8,  76/8,  96/8,  97/8,
                        98/8,  99/8, 100/8, 104/8, 107/8, 108/8, 173/8, 174/8,
                       184/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                     97463
    Total RIPE prefixes after maximum aggregation:                52172
    RIPE Deaggregation factor:                                     1.87
Prefixes being announced from the RIPE address blocks:            89393
    Unique aggregates announced from the RIPE address blocks:     55863
RIPE Region origin ASes present in the Internet Routing Table:    16289
    RIPE Prefixes per ASN:                                         5.49
RIPE Region origin ASes announcing only one prefix:                7995
RIPE Region transit ASes present in the Internet Routing Table:    2592
Average RIPE Region AS path length visible:                         4.7
Max RIPE Region AS path length visible:                              34
Number of RIPE region 32-bit ASNs visible in the Routing Table:    1312
Number of RIPE addresses announced to Internet:               498545288
    Equivalent to 29 /8s, 183 /16s and 50 /24s
Percentage of available RIPE address space announced:              80.3

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
                       (pre-ERX allocations)
                       2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       196608-198655
RIPE Address Blocks      2/8,   5/8,  25/8,  31/8,  37/8,  46/8,  51/8,  62/8,
                        77/8,  78/8,  79/8,  80/8,  81/8,  82/8,  83/8,  84/8,
                        85/8,  86/8,  87/8,  88/8,  89/8,  90/8,  91/8,  92/8,
                        93/8,  94/8,  95/8, 109/8, 176/8, 178/8, 185/8, 193/8,
                       194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   37647
    Total LACNIC prefixes after maximum aggregation:               8038
    LACNIC Deaggregation factor:                                   4.68
Prefixes being announced from the LACNIC address blocks:          37201
    Unique aggregates announced from the LACNIC address blocks:   19337
LACNIC Region origin ASes present in the Internet Routing Table:   1567
    LACNIC Prefixes per ASN:                                      23.74
LACNIC Region origin ASes announcing only one prefix:               440
LACNIC Region transit ASes present in the Internet Routing Table:   289
Average LACNIC Region AS path length visible:                       4.4
Max LACNIC Region AS path length visible:                            24
Number of LACNIC region 32-bit ASNs visible in the Routing Table:   425
Number of LACNIC addresses announced to Internet:              95771016
    Equivalent to 5 /8s, 181 /16s and 89 /24s
Percentage of available LACNIC address space announced:            63.4

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 200/8,
                       201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   9026
    Total AfriNIC prefixes after maximum aggregation:              2089
    AfriNIC Deaggregation factor:                                  4.32
Prefixes being announced from the AfriNIC address blocks:          7047
    Unique aggregates announced from the AfriNIC address blocks:   2156
AfriNIC Region origin ASes present in the Internet Routing Table:   507
    AfriNIC Prefixes per ASN:                                     13.90
AfriNIC Region origin ASes announcing only one prefix:              159
AfriNIC Region transit ASes present in the Internet Routing Table:  118
Average AfriNIC Region AS path length visible:                      4.6
Max AfriNIC Region AS path length visible:                           25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:    4
Number of AfriNIC addresses announced to Internet:             30775040
    Equivalent to 1 /8s, 213 /16s and 151 /24s
Percentage of available AfriNIC address space announced:           45.9

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 102/8, 105/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766   2472        11101      979     Korea Telecom (KIX)
17974  1714        503        35      PT TELEKOMUNIKASI INDONESIA
7545   1642        303        86      TPG Internet Pty Ltd
4755   1527        385        155     TATA Communications formerly
7552   1424        1064       7       Vietel Corporation
9829   1167        989        28      BSNL National Internet Backbo
4808   1099        2051       312     CNCGROUP IP network: China169
9583   1068        78         505     Sify Limited
24560  1015        385        167     Bharti Airtel Ltd., Telemedia
18101  945         130        154     Reliance Infocom Ltd Internet

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3446        3807       201     bellsouth.net, inc.
7029   3227        1017       200     Windstream Communications Inc
18566  2093        382        177     Covad Communications
1785   1864        679        123     PaeTec Communications, Inc.
20115  1624        1552       628     Charter Communications
4323   1608        1062       384     Time Warner Telecom
22773  1520        2910       109     Cox Communications, Inc.
30036  1453        255        729     Mediacom Communications Corp
19262  1386        4683       400     Verizon Global Networks
7018   1301        7008       848     AT&T WorldNet Services

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402   1744        480        15      Corbina telecom
2118   1241        99         14      EUnet/RELCOM Autonomous Syste
15557  1095        2161       64      LDCOM NETWORKS
6830   642         1927       412     UPC Distribution Services
34984  641         188        172     BILISIM TELEKOM
20940  589         193        463     Akamai Technologies European
12479  549         636        53      Uni2 Autonomous System
3320   531         8162       397     Deutsche Telekom AG
8551   529         360        81      Bezeq International
31148  524         36         8       FreeNet ISP

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
10620  1729        322        168     TVCABLE BOGOTA
28573  1637        1069       71      NET Servicos de Comunicao S.A
8151   1460        2999       344     UniNet S.A. de C.V.
7303   1256        756        179     Telecom Argentina Stet-France
11172  687         95         72      Servicios Alestra S.A de C.V
27947  650         73         99      Telconet S.A
22047  582         322        17      VTR PUNTO NET S.A.
3816   551         238        92      Empresa Nacional de Telecomun
7738   550         1050       31      Telecomunicacoes da Bahia S.A
6503   539         434        68      AVANTEL, S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452   1207        958        13      TEDATA
24863  833         156        44      LINKdotNET AS number
6713   487         649        18      Itissalat Al-MAGHRIB
3741   280         939        229     The Internet Solution
15706  242         32         6       Sudatel Internet Exchange Aut
33776  232         12         18      Starcomms Nigeria Limited
29571  214         17         12      Ci Telecom Autonomous system
12258  196         28         61      Vodacom Internet Company
24835  190         80         8       RAYA Telecom - Egypt
16637  163         664        82      MTN Network Solutions

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389   3446        3807       201     bellsouth.net, inc.
7029   3227        1017       200     Windstream Communications Inc
4766   2472        11101      979     Korea Telecom (KIX)
18566  2093        382        177     Covad Communications
1785   1864        679        123     PaeTec Communications, Inc.
8402   1744        480        15      Corbina telecom
10620  1729        322        168     TVCABLE BOGOTA
17974  1714        503        35      PT TELEKOMUNIKASI INDONESIA
7545   1642        303        86      TPG Internet Pty Ltd
28573  1637        1069       71      NET Servicos de Comunicao S.A

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029   3227        3027         Windstream Communications Inc
18566  2093        1916         Covad Communications
1785   1864        1741         PaeTec Communications, Inc.
8402   1744        1729         Corbina telecom
17974  1714        1679         PT TELEKOMUNIKASI INDONESIA
28573  1637        1566         NET Servicos de Comunicao S.A
10620  1729        1561         TVCABLE BOGOTA
7545   1642        1556         TPG Internet Pty Ltd
4766   2472        1493         Korea Telecom (KIX)
7552   1424        1417         Vietel Corporation

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24    7018        AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24   4323        Time Warner Telecom
32567   UNALLOCATED  12.25.107.0/24   4323        Time Warner Telecom
25639   UNALLOCATED  12.41.169.0/24   7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24    7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24    7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24   7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24   701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24    7018        AT&T WorldNet Servic
32873   UNALLOCATED  12.46.100.0/23   10912       InterNAP Network Ser

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix         Origin AS  Description
128.0.0.0/21   12654      RIPE NCC RIS Project
128.0.24.0/24  12654      RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network         Origin AS  Description
14.192.0.0/22   45464      Room 201, TGU Bldg
14.192.4.0/22   45464      Room 201, TGU Bldg
14.192.8.0/22   45464      Room 201, TGU Bldg
14.192.12.0/22  45464      Room 201, TGU Bldg
14.192.16.0/22  45464      Room 201, TGU Bldg
14.192.20.0/22  45464      Room 201, TGU Bldg
14.192.24.0/22  45464      Room 201, TGU Bldg
14.192.28.0/22  45464      Room 201, TGU Bldg
37.72.0.0/19    29119      ServiHosting Autonomous Syste
37.72.48.0/20   23456      32-bit ASN transition

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0        /2:0        /3:0        /4:0        /5:0        /6:0        /7:0
 /8:19       /9:12      /10:27      /11:80      /12:232     /13:455     /14:817
/15:1463    /16:12154   /17:6161    /18:10269   /19:20310   /20:28154   /21:29112
/22:39487   /23:36820   /24:205227  /25:1181    /26:1421    /27:785     /28:168
/29:60      /30:14      /31:0       /32:18

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029   2847        3227        Windstream Communications Inc
6389   2116        3446        bellsouth.net, inc.
18566  2042        2093        Covad Communications
8402   1723        1744        Corbina telecom
10620  1624        1729        TVCABLE BOGOTA
30036  1412        1453        Mediacom Communications Corp
11492  1089        1125        Cable One
1785   1064        1864        PaeTec Communications, Inc.
15557  1046        1095        LDCOM NETWORKS
7011   1033        1149        Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

  1:510      2:478      4:14       5:1        6:3        8:378     12:1957    13:1
 14:591     15:11      16:3       17:6       20:9       23:121     24:1716    27:1186
 31:827     32:65      33:2       34:2       36:8       37:106     38:794     40:114
 41:3175    42:87      43:1       44:3       46:1262    47:3       49:320     50:515
 52:13      54:1       55:7       56:3       57:38      58:954     59:491     60:345
 61:1178    62:922     63:1977    64:4130    65:2285    66:4409    67:2034    68:1168
 69:3148    70:915     71:431     72:1799    74:2647    75:446     76:321     77:967
 78:921     79:512     80:1208    81:872     82:561     83:532     84:583     85:1152
 86:748     87:912     88:342     89:1544    90:258     91:4473    92:536     93:1554
 94:1319    95:1125    96:414     97:306     98:793     99:38     100:20     101:130
103:688    106:4      107:137    108:129    109:1459   110:690    111:835    112:428
113:527    114:598    115:756    116:868    117:723    118:901    119:1254   120:354
121:681    122:1625   123:1058   124:1323   125:1359   128:538    129:190    130:211
131:591    132:162    133:21     134:233    135:59     136:213    137:153    138:290
139:145    140:488    141:260    142:378    143:400    144:508    145:68     146:487
147:226    148:695    149:271    150:166    151:192    152:446    153:170    154:7
155:398    156:210    157:367    158:154    159:509    160:333    161:237    162:339
163:188    164:532    165:391    166:561    167:458    168:765    169:147    170:833
171:112    172:4      173:1779   174:570    175:414    176:392    177:458    178:1234
180:1224   181:43     182:700    183:276    184:443    185:1      186:1506   187:829
188:974    189:1175   190:5395   192:5974   193:5483   194:4209   195:3392   196:1290
197:171    198:3588   199:4341   200:5704   201:1721   202:8424   203:8599   204:4348
205:2437   206:2749   207:2818   208:4046   209:3557   210:2733   211:1477   212:1978
213:1828   214:852    215:98     216:4975   217:1474   218:557    219:342    220:1252
221:549    222:321    223:273

End of report

From bstengel at kinber.org Fri Jan 27 13:26:04 2012
From: bstengel at kinber.org (Brian Stengel)
Date: Fri, 27 Jan 2012 14:26:04 -0500
Subject: MD5?
Message-ID:

We have a potential customer that is asking for us to enable MD5 authentication on a TCP connection between two BGP peers. Is this still common practice today? Any potential problems or gotchas to keep in mind?

Thanks!

--
Brian Stengel
KINBER Director of Operations
bstengel at kinber.org
412.254.3481
Skype: brian_stengel
KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org
PennREN - Pennsylvania's Research and Education Network

From gbonser at seven.com Fri Jan 27 13:48:47 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 19:48:47 +0000
Subject: 10G switchrecommendaton
In-Reply-To: <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com>
References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> <8FC22B9F-D792-483E-AB3F-2BF9F1DC6304@mac.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C96427@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: Fabien Delmotte
> Sent: Friday, January 27, 2012 2:20 AM
> To: Grant Ridder
> Cc: nanog list
> Subject: Re: 10G switchrecommendaton
>
> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for
> DataCenter environment. The box is really good.
> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use
> their BGP code, they never understood what is BGP :)
>
> Regards
>
> Fabien

A place I worked around 2000-ish was an Extreme shop. My perception at the time was that they were probably the best switch in the world at layer 2. I used BGP on the 1i and 5i products. The problem we had with them was when I asked when they were going to support multiple-path BGP (as in the maximum-paths command for Cisco / Brocade). They told me at the time that they had no plans to support that option, it wasn't on the road map, and frankly, BGP was not a priority for them as they were concentrating on layer 2 metro and data center features at the time.

That meeting resulted in a call to Foundry and the eventual purchase of several BigIron switches. As the application was just plain IP routing, they worked great.

I haven't used Extreme since, so I can't attest to their BGP feature set, but my gut feeling seems to be the same ... great gear at layer 2, but layer 3 seems to be a back-burner priority for them. I would have no problem using their gear in an office or data center but would have to take a good long look at it for internet peering/transit.

Arista is really good gear, and I use them for 10G aggregation from top-of-rack switches in an application where pods of connectivity are scattered about in various leased cages in a commercial data center. The TOR switches link to the Aristas in an MLAG configuration, which might look like an "end of row" configuration. Those uplink to the core in another bit of space in the data center to keep the number of cross-connects down. Performance has so far been perfect, not so much as a glitch from those units.

I've also recently deployed them as TOR switches for a 10G cluster of machines and would have chosen TurboIrons if they would stack or had MCT features. The benefit of the TurboIron, if they will work for you, is the lifetime warranty. No annual support cost is a huge deal.

Arista is also lagging in layer 3 and IPv6 features, or were the last time I looked at them at layer 3. That might have changed recently. They had only recently come out with OSPF support on their chassis units.

One question I would have re: deep buffers. It wouldn't seem to me to make much difference if you are buffering on the TOR switch or buffering on the host. If flow control is giving you problems, maybe you just need more buffering on the host, or maybe you should just let TCP back off a bit and mitigate the congestion using the protocol. More buffering can sometimes cause more performance problems than it solves, but it depends on the application.

If I have a lot of "fan in", such as several front end hosts talking to a few back end hosts, I generally try to ease that congestion by giving that back end host considerably more BW. Such as GigE from the front end hosts and 2x10G to the back end servers. For example, an Intel X520-T2 card with 2x10G RJ-45 ports to a pair of Aristas in an MLAG configuration works pretty well, provided you use the latest Intel driver for the cards.

From sethm at rollernet.us Fri Jan 27 13:51:29 2012
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 27 Jan 2012 11:51:29 -0800
Subject: MD5?
In-Reply-To:
References:
Message-ID: <4F230041.5020701@rollernet.us>

On 1/27/12 11:26 AM, Brian Stengel wrote:
> We have a potential customer that is asking for us to enable MD5
> authentication on a TCP connection between two BGP peers? Is this still
> common practice today? Any potential problems or gotchas to keep in mind?
>

Sprint requires it to enable remote triggered blackhole.

~Seth

From morrowc.lists at gmail.com Fri Jan 27 13:59:43 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 27 Jan 2012 14:59:43 -0500
Subject: MD5?
In-Reply-To: <4F230041.5020701@rollernet.us>
References: <4F230041.5020701@rollernet.us>
Message-ID:

On Fri, Jan 27, 2012 at 2:51 PM, Seth Mattinen wrote:
> On 1/27/12 11:26 AM, Brian Stengel wrote:
>> We have a potential customer that is asking for us to enable MD5
>> authentication on a TCP connection between two BGP peers? Is this still
>> common practice today? Any potential problems or gotchas to keep in mind?
>>
>
> Sprint requires it to enable remote triggered blackhole.

lots of folks still use it yes. is it helpful? maybe? maybe not? is this peering over a shared media (like a 10base-T hub).

You might point out that you'll be enabling this, then promptly writing the 'secret' on a large whiteboard in your noc... because chances are the config won't include it in rancid and ... you don't have a place to store these securely that's not prone also to outages :(

also, customers wander through your NOC, so...

From Sandra.Murphy at sparta.com Fri Jan 27 14:06:24 2012
From: Sandra.Murphy at sparta.com (Murphy, Sandra)
Date: Fri, 27 Jan 2012 20:06:24 +0000
Subject: interim SIDR meeting at NANOG 54
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6075206@Hermes.columbia.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6075206@Hermes.columbia.ads.sparta.com>
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F607725E@Hermes.columbia.ads.sparta.com>

I previously announced (http://mailman.nanog.org/pipermail/nanog/2012-January/044095.html) the interim IETF SIDR (Secure Inter-Domain Routing) working group meeting that is being held on Thu Feb 7 in San Diego.

Room arrangements are now complete.

If you wish to attend, please register by sending a message to interim-sidr at tislabs.com. Please provide:

Name:
Affiliation:
E-mail address:

There is NO registration fee for this meeting, but please do register so room setup is suitable for the number of attendees.

Updates on meeting logistics will be sent to those who register.

A wiki page on the SIDR wiki at the tools.ietf.org site has been created: http://trac.tools.ietf.org/wg/sidr/trac/wiki/InterimMeeting20120209. The agenda at the moment is just as was originally announced. Updates to the agenda will be posted to that wiki page.

A list of those registered will be maintained at trac.tools.ietf.org/wg/sidr/trac/wiki/InterimMeeting20120209-attendees. The e-mail addresses will not be noted on the wiki attendees page.

--Sandy Murphy, sidr co-chair

From jlewis at lewis.org Fri Jan 27 14:23:00 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 27 Jan 2012 15:23:00 -0500 (EST)
Subject: US DOJ victim letter
In-Reply-To: <20120127181626.GC21814@lab.pobox.com>
References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com>
Message-ID:

On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote:

> +------------------------------------------------------------------------------
> | On 2012-01-27 18:12:16, Carlos Alcantar wrote:
> |
> | Today it looks like we have received the letter from the DOJ which gives
> | us login information, for listing of ip's within our network that were
> | affected with date and time stamps. Anyone else get these yet?
>
> I have. The login doesn't work (for me). htauth pops up on fbi.gov, creds don't
> auth.

Ours didn't work initially either. Eventually it did.

> Bit odd, if it's a phish. Even more odd if it's actually from the Fed.

It's definitely real, but seems like they're handling it as incompetently as possible. We got numerous copies to the same email address, the logins didn't work initially. The phone numbers given are of questionable utility. Virtually no useful information was provided. My attitude at this point is, ignore it until they provide some useful information.
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From Sandra.Murphy at sparta.com Fri Jan 27 14:22:53 2012 From: Sandra.Murphy at sparta.com (Murphy, Sandra) Date: Fri, 27 Jan 2012 20:22:53 +0000 Subject: interim SIDR meeting at NANOG 54 In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F607725E@Hermes.columbia.ads.sparta.com> References: <24B20D14B2CD29478C8D5D6E9CBB29F6075206@Hermes.columbia.ads.sparta.com>, <24B20D14B2CD29478C8D5D6E9CBB29F607725E@Hermes.columbia.ads.sparta.com> Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6077277@Hermes.columbia.ads.sparta.com> Thanks for the eyes who noticed my typo below. The meeting is being held Thu Feb 9. No matter how often I read over what I type, ..... --Sandy ________________________________________ From: Murphy, Sandra Sent: Friday, January 27, 2012 3:06 PM To: nanog at nanog.org Subject: RE: interim SIDR meeting at NANOG 54 I previously announced (http://mailman.nanog.org/pipermail/nanog/2012-January/044095.html) the interim IETF SIDR (Secure Inter-Domain Routing) working group meeting that is being held on Thu Feb 7 in San Diego. Room arrangements are now complete. If you wish to attend, please register by sending a message to interim-sidr at tislabs.com. Please provide: Name: Affiliation: E-mail address: There is NO registration fee for this meeting, but please do register so room setup is suitable for the number of attendees. Updates on meeting logistics will be sent to those who register. A wiki page on the SIDR wiki at the tools.ietf.org site has been created: http://trac.tools.ietf.org/wg/sidr/trac/wiki/InterimMeeting20120209. The agenda at the moment is just as was originally announced. Updates to the agenda will be posted to that wiki page. 
A list of those registered will be maintained at trac.tools.ietf.org/wg/sidr/trac/wiki/InterimMeeting20120209-attendees. The e-mail addresses will not be noted on the wiki attendees page. --Sandy Murphy, sidr co-chair From hhoffman at ip-solutions.net Fri Jan 27 14:29:35 2012 From: hhoffman at ip-solutions.net (Harry Hoffman) Date: Fri, 27 Jan 2012 15:29:35 -0500 Subject: US DOJ victim letter Message-ID: We get these letters all of the time. They are indeed legit but pretty much worthless. About as good as some of our DMCA letters. -------- Original Message -------- From: Jon Lewis Sent: Fri, Jan 27, 2012 3:23 PM To: Bryan Horstmann-Allen CC: nanog at nanog.org Subject: Re: US DOJ victim letter >On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: > >> +------------------------------------------------------------------------------ >> | On 2012-01-27 18:12:16, Carlos Alcantar wrote: >> | >> | Today it looks like we have received the letter from the DOJ which gives >> | us login information, for listing of ip's within our network that where >> | affected with date and time stamps. Anyone else get these yet? >> >> I have. The login doesn't work (for me). htauth pops up on fbi.gov, creds don't >> auth. > >Ours didn't work initially either. Eventually it did. > >> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > >It's definitely real, but seems like they're handling it as incompetently >as possible. We got numerous copies to the same email address, the logins >didn't work initially. The phone numbers given are of questionable >utility. Virtually no useful information was provided. My attitude at >this point is, ignore it until they provide some useful information. 
>
>----------------------------------------------------------------------
> Jon Lewis, MCP :)           |  I route
> Senior Network Engineer     |  therefore you are
> Atlantic Net                |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>

From jlewis at lewis.org Fri Jan 27 14:32:42 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 27 Jan 2012 15:32:42 -0500 (EST)
Subject: MD5?
In-Reply-To:
References: <4F230041.5020701@rollernet.us>
Message-ID:

On Fri, 27 Jan 2012, Christopher Morrow wrote:

> lots of folks still use it yes. is it helpful? maybe? maybe not? is
> this peering over a shared media (like a 10base-T hub).
>
> You might point out that you'll be enabling this, then promptly
> writing the 'secret' on a large whiteboard in your noc... because
> chances are the config won't include it in rancid and ... you don't
> have a place to store these securely that's not prone also to outages
> :(
>
> also, customers wander through your NOC, so...

All that may be true, but still, the random hacker in Romania who wants in
on their BGP session won't know the secret...probably.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From morrowc.lists at gmail.com Fri Jan 27 14:35:28 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 27 Jan 2012 15:35:28 -0500
Subject: MD5?
In-Reply-To:
References: <4F230041.5020701@rollernet.us>
Message-ID:

On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis wrote:
> On Fri, 27 Jan 2012, Christopher Morrow wrote:
>
>> lots of folks still use it yes. is it helpful? maybe? maybe not? is
>> this peering over a shared media (like a 10base-T hub).
>>
>> You might point out that you'll be enabling this, then promptly
>> writing the 'secret' on a large whiteboard in your noc... because
>> chances are the config won't include it in rancid and ... you don't
>> have a place to store these securely that's not prone also to outages
>> :(
>>
>> also, customers wander through your NOC, so...
>
>
> All that may be true, but still, the random hacker in Romania who wants in
> on their BGP session won't know the secret...probably.

1) that person doesn't exist
2) they need a LOT more info about what's going on anyway
3) I bet they will get a copy of the config from at least:
   a) vendor data sources
   b) ebay purchases of gear
   c) pwning a noc-worker and getting things done from there.

There are far better ways to skin this cat.

From gbonser at seven.com Fri Jan 27 14:40:57 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 20:40:57 +0000
Subject: MD5?
In-Reply-To:
References: <4F230041.5020701@rollernet.us>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C964CD@RWC-MBX1.corp.seven.com>

> All that may be true, but still, the random hacker in Romania who wants
> in on their BGP session won't know the secret...probably.
>
> ----------------------------------------------------------------------
> Jon Lewis, MCP :)           |  I route
> Senior Network Engineer     |  therefore you are
> Atlantic Net                |

One thing I will do at shared peering switches is to also configure static ARP or IPv6 neighbor entries in the router for my peers. This protects against some new arrival on the switch accidentally configuring one of my peer's IP addresses on their gear and blowing up my session. That does cause some problems when a peer does maintenance that changes their MAC address, but I notice it fairly quickly.

From patrick at ianai.net Fri Jan 27 14:52:41 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Fri, 27 Jan 2012 15:52:41 -0500
Subject: MD5 considered harmful
In-Reply-To:
References: <4F230041.5020701@rollernet.us>
Message-ID: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>

MD5 on BGP sessions is the canonical example of a cure worse than the disease.
There has been /infinitely/ more downtime caused by MD5 than the mythical attack it protects against. (This is true because anything times zero is still zero.)

It is far easier to take a router out than try to calculate the number of RSTs per second you can get through to the RE without your guesses being dropped / throttled, then waiting hours or days to watch a BGP session flap. Amazingly awesome attack, because as everyone knows BGP sessions never flap on their own, so a random session flapping every day or six will totally freak out the provider in question.

And all that ignores the fact every router vendor fixed the ephemeral port selection & window size issues half a decade ago, so those "days" it takes to reset a single BGP session are actually more like months or years.

Remember, miscreants are lazy, impatient, and frequently clueless. Who would want to reset a BGP that will come back up in 30-90 seconds when you can packet an entire router off the 'Net easier, more quickly, and for longer a period?

Unfortunately, Network Engineers are lazy, impatient, and frequently clueless as well. They read something from 1906 that says "$FOO IS GOOD!!1!1!" and force every peer to subscribe to their own ideal without understanding the underlying technology or rationale.

Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.

I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?

STOP USING MD5 ON BGP.
--
TTFN,
patrick

From morrowc.lists at gmail.com Fri Jan 27 15:21:49 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 27 Jan 2012 16:21:49 -0500
Subject: MD5 considered harmful
In-Reply-To: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
Message-ID:

On Fri, Jan 27, 2012 at 3:52 PM, Patrick W. Gilmore wrote:
> MD5 on BGP sessions is the canonical example of a cure worse than the disease. There has been /infinitely/ more downtime caused by MD5 than the mythical attack it protects against. (This is true because anything times zero is still zero.)
>

I don't disagree with patrick here... but 'infinitely more', is hard to measure :)

"Most likely there have been far more lengthy outages due to lost/changed/incorrect key material than were caused by the problem this is meant to solve for."

-chris

> It is

From kilobit at gmail.com Fri Jan 27 15:40:03 2012
From: kilobit at gmail.com (bas)
Date: Fri, 27 Jan 2012 22:40:03 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120127165515.GA2697@pob.ytti.fi>
References: <20120127165515.GA2697@pob.ytti.fi>
Message-ID:

On Fri, Jan 27, 2012 at 5:55 PM, Saku Ytti wrote:
> On (2012-01-27 17:35 +0100), bas wrote:
> But generally nice list, especially the 10GE fixed config looked realistic,
> sometimes I wish we'd have 'dpreview' style page for routers and switches,
> especially now with dozen or more vendors selling 'same' trident+ switch,
> differentiating them is hard.

But do you generally agree that "the market" has a requirement for a deep-buffer TOR switch?

Or am I crazy for thinking that my customers need such a solution?
Bas

From bicknell at ufp.org Fri Jan 27 15:52:27 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 13:52:27 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi>
Message-ID: <20120127215227.GA28688@ussenterprise.ufp.org>

In a message written on Fri, Jan 27, 2012 at 10:40:03PM +0100, bas wrote:
> But do you generally agree that "the market" has a requirement for a
> deep-buffer TOR switch?
>
> Or am I crazy for thinking that my customers need such a solution?

You're crazy. :)

You need to google "bufferbloat", which while the aim has been more at (SOHO) routers that have absurd (multi-second) buffers, the concepts at play work here as well.

Let's say you have a VOIP application with 250ms of jitter tolerance, and you're going 80ms across country. You then add in a switch on one end that has 300ms of buffer. Ooops, you go way over, but only from time to time when the switch is full, getting 300+80ms of latency for a few packets.

Dropped packets are a _GOOD_ thing. If your ethernet switch can't get the packet out another port in ~1-2ms it should drop it. The output port is congested, congestion is what tells the sender to back off. If you buffer the packets you get congestion collapse, which is far worse for throughput in the end, and in particular has severely detrimental effects on the others on the LAN, not just the box filling the buffers.

A network dropping packets is healthy, telling the upstream boxes to throttle to the appropriate speeds with packet loss, which is how TCP operates. I can't tell you how many times I've seen network engineers tell me "no matter how big I make the buffers performance gets worse and worse". Well duh, you're just introducing more and more latency in your network, and making TCP backoff fail, rather than work properly. I go in and slash their 50-100 packet buffers down to 5 and magically the network performs great, even when full.
Now, how much buffer do you need? One packet is the minimum. If you can't buffer one packet it becomes hard to reach 100% utilization on a link. Anyone who's tried with a pure cut-through switch can tell you it tops out around 90% (with multiple senders to a single egress). Amazing one packet of buffer almost entirely fixes the problem.

When I can manually set the buffers, I generally go for 1ms of buffers on high speed (e.g. 10GE) links, and might increase that to as much as 15 ms of buffers on extremely low speed links, like sub-T1. Remember, your RTT will vary (jitter) +- the sum of all buffers on all hops along the path. A 10 hop path with 15ms per hop could see 150ms of jitter if all links go between full and not full!

Buffers in most network gear is bad, don't do it.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From cidr-report at potaroo.net Fri Jan 27 16:00:01 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 27 Jan 2012 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201201272200.q0RM01gQ067092@wattle.apnic.net>

BGP Update Report
Interval: 19-Jan-12 -to- 26-Jan-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN                Upds      %  Upds/Pfx  AS-Name
 1 - AS8402            53911   3.0%      32.8 -- CORBINA-AS OJSC "Vimpelcom"
 2 - AS28683           46880   2.6%     768.5 -- BENINTELECOM
 3 - AS12322           33500   1.9%       3.8 -- PROXAD Free SAS
 4 - AS9829            27354   1.6%      41.0 -- BSNL-NIB National Internet Backbone
 5 - AS12479           25908   1.5%      62.7 -- UNI2-AS France Telecom Espana SA
 6 - AS5800            25435   1.4%      87.7 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 7 - AS7029            24866   1.4%       6.8 -- WINDSTREAM - Windstream Communications Inc
 8 - AS24560           24520   1.4%      24.5 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 9 - AS32528           23709   1.3%   11854.5 -- ABBOTT Abbot Labs
10 - AS15706           23091   1.3%      97.4 -- Sudatel
11 - AS3352            22988   1.3%     851.4 -- TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
12 - AS20632           20400   1.1%     637.5 -- PETERSTAR-AS PeterStar
13 - AS8151            19453   1.1%      15.9 -- Uninet S.A. de C.V.
14 - AS37004           15152   0.9%     522.5 -- SUBURBAN-AS
15 - AS17639           13254   0.8%    1656.8 -- COMCLARK-AS ComClark Network & Technology Corp.
16 - AS6066            13135   0.7%    6567.5 -- VERIZON-BUSINESS-MAE-AS6066 - Verizon Business Network Services Inc.
17 - AS10201           11899   0.7%      37.4 -- DWL-AS-IN Dishnet Wireless Limited. Broadband Wireless
18 - AS5976            10180   0.6%     102.8 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
19 - AS27947           10127   0.6%      16.5 -- Telconet S.A
20 - AS19223           10049   0.6%   10049.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN                Upds      %  Upds/Pfx  AS-Name
 1 - AS32528           23709   1.3%   11854.5 -- ABBOTT Abbot Labs
 2 - AS19223           10049   0.6%   10049.0 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 3 - AS6066            13135   0.7%    6567.5 -- VERIZON-BUSINESS-MAE-AS6066 - Verizon Business Network Services Inc.
 4 - AS27295            4839   0.3%    4839.0 -- GENICA - Genica Corporation
 5 - AS10209            3831   0.2%    3831.0 -- SYNOPSYS-AS-JP-AP Japan HUB and Data Center
 6 - AS26341            6942   0.4%    3471.0 -- OSI-ASP - Open Solutions Inc.
 7 - AS17408            3112   0.2%    3112.0 -- ABOVE-AS-AP AboveNet Communications Taiwan
 8 - AS65273            2447   0.1%    2447.0 -- -Private Use AS-
 9 - AS53360            4308   0.2%    2154.0 -- CUMULUS - Integral Solutions Group
10 - AS17639           13254   0.8%    1656.8 -- COMCLARK-AS ComClark Network & Technology Corp.
11 - AS23154            5955   0.3%    1488.8 -- SANMINA-SCI Sanmina-SCI Corporation
12 - AS53362             974   0.1%     974.0 -- MIXIT-AS - Mixit, Inc.
13 - AS3352            22988   1.3%     851.4 -- TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
14 - AS51825            4167   0.2%     833.4 -- TELZAR-ASN TELZAR INTERNATIONAL TELECOMINICATIONS LTD
15 - AS26678             824   0.1%     824.0 -- ASN-QMFI - QUINCY MUTUAL FIRE INSURANCE, CO.
16 - AS8360             1544   0.1%     772.0 -- Allianz Shared Infrastructure Services SE
17 - AS28683           46880   2.6%     768.5 -- BENINTELECOM
18 - AS6072             9926   0.6%     709.0 -- UNISYS-6072 For routing issues, email hostmaster at unisys.com
19 - AS17370             658   0.0%     658.0 -- MCAFEE-COM - McAfee, Inc.
20 - AS20632           20400   1.1%     637.5 -- PETERSTAR-AS PeterStar

TOP 20 Unstable Prefixes
Rank  Prefix              Upds      %  Origin AS -- AS Name
 1 - 84.204.132.0/24    20259   1.1%   AS20632 -- PETERSTAR-AS PeterStar
 2 - 130.36.34.0/24     11855   0.6%   AS32528 -- ABBOTT Abbot Labs
 3 - 130.36.35.0/24     11854   0.6%   AS32528 -- ABBOTT Abbot Labs
 4 - 122.161.0.0/16     10282   0.5%   AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 5 - 67.97.156.0/24     10049   0.5%   AS19223 -- NTEGRATED-SOLUTIONS - Ntegrated Solutions
 6 - 62.36.252.0/22      7791   0.4%   AS12479 -- UNI2-AS France Telecom Espana SA
 7 - 63.94.193.0/24      6933   0.4%   AS26341 -- OSI-ASP - Open Solutions Inc.
 8 - 111.125.126.0/24    6601   0.3%   AS17639 -- COMCLARK-AS ComClark Network & Technology Corp.
 9 - 150.225.0.0/16      6568   0.3%   AS6066  -- VERIZON-BUSINESS-MAE-AS6066 - Verizon Business Network Services Inc.
10 - 204.29.239.0/24     6567   0.3%   AS6066  -- VERIZON-BUSINESS-MAE-AS6066 - Verizon Business Network Services Inc.
11 - 148.164.14.0/24     5894   0.3%   AS23154 -- SANMINA-SCI Sanmina-SCI Corporation
12 - 62.36.249.0/24      5891   0.3%   AS12479 -- UNI2-AS France Telecom Espana SA
13 - 194.63.9.0/24       5527   0.3%   AS1273  -- CW Cable and Wireless Worldwide plc
14 - 202.92.235.0/24     5349   0.3%   AS9498  -- BBIL-AP BHARTI Airtel Ltd.
15 - 62.36.241.0/24      5326   0.3%   AS12479 -- UNI2-AS France Telecom Espana SA
16 - 62.36.210.0/24      5114   0.3%   AS12479 -- UNI2-AS France Telecom Espana SA
17 - 12.202.99.0/24      4839   0.2%   AS27295 -- GENICA - Genica Corporation
18 - 182.64.0.0/16       4648   0.2%   AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
19 - 205.73.118.0/24     4014   0.2%   AS5976  -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
20 - 205.73.116.0/23     3960   0.2%   AS5976  -- DNIC-ASBLK-05800-06055 - DoD Network Information Center

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Fri Jan 27 16:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 27 Jan 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201201272200.q0RM00KZ067087@wattle.apnic.net>

This report has been generated at Fri Jan 27 21:12:43 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        20-01-12    394336      229812
        21-01-12    395205      229827
        22-01-12    395134      229934
        23-01-12    395186      230016
        24-01-12    395528      230193
        25-01-12    395659      229919
        26-01-12    396003      230021
        27-01-12    396272      230119

AS Summary
         40048  Number of ASes in routing system
         16796  Number of ASes announcing only one prefix
          3446  Largest number of prefixes announced by an AS
                AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
     109817344  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as to preserve traffic transit policies.
Aggregation is also proposed across non-advertised address space ('holes').

 --- 27Jan12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     396296   230149   166147    41.9%   All ASes

AS6389      3446      204     3242    94.1%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3268     1541     1727    52.8%   WINDSTREAM - Windstream Communications Inc
AS18566     2093      413     1680    80.3%   COVAD - Covad Communications Co.
AS4766      2476     1002     1474    59.5%   KIXS-AS-KR Korea Telecom
AS22773     1521      118     1403    92.2%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1526      197     1329    87.1%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS28573     1637      409     1228    75.0%   NET Servicos de Comunicao S.A.
AS4323      1609      386     1223    76.0%   TWTC - tw telecom holdings, inc.
AS2118      1241       89     1152    92.8%   RELCOM-AS OOO "NPO Relcom"
AS1785      1867      787     1080    57.8%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS7552      1424      390     1034    72.6%   VIETEL-AS-AP Vietel Corporation
AS10620     1723      710     1013    58.8%   Telmex Colombia S.A.
AS8402      1688      759      929    55.0%   CORBINA-AS OJSC "Vimpelcom"
AS7303      1256      365      891    70.9%   Telecom Argentina S.A.
AS8151      1464      672      792    54.1%   Uninet S.A. de C.V.
AS18101      946      155      791    83.6%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS4808      1099      343      756    68.8%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS24560     1015      290      725    71.4%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS30036     1453      737      716    49.3%   MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS9498       875      204      671    76.7%   BBIL-AP BHARTI Airtel Ltd.
AS9394       878      210      668    76.1%   CRNET CHINA RAILWAY Internet(CRNET)
AS3356      1104      460      644    58.3%   LEVEL3 Level 3 Communications
AS7545      1641      997      644    39.2%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS17676      687       74      613    89.2%   GIGAINFRA Softbank BB Corp.
AS19262      994      403      591    59.5%   VZGNI-TRANSIT - Verizon Online LLC
AS15557     1095      511      584    53.3%   LDCOMNET Societe Francaise du Radiotelephone S.A
AS17974     1714     1131      583    34.0%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS11172      689      110      579    84.0%   Alestra, S. de R.L. de C.V.
AS4804       659       95      564    85.6%   MPX-AS Microplex PTY LTD
AS4780       788      230      558    70.8%   SEEDNET Digital United Inc.

Total      43876    13992    29884    68.1%   Top 30 total

Possible Bogus Routes

Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From Grzegorz at Janoszka.pl Fri Jan 27 16:11:50 2012
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Fri, 27 Jan 2012 23:11:50 +0100
Subject: MD5 considered harmful
In-Reply-To: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
Message-ID: <4F232126.8020108@Janoszka.pl>

On 27-01-12 21:52, Patrick W. Gilmore wrote:
> Who would want to reset a BGP that will come back up in 30-90 seconds when you can packet an entire router off the 'Net easier, more quickly, and for longer a period?
+1

Actually, when you have a lot of MD5 BGP sessions coming up at the same time (a connection to internet exchanges went up), you have longer convergence time because of higher cpu load.

MD5 offers no security advantages and in some cases it causes more downtime by slowing down convergence.

--
Grzegorz Janoszka

From kilobit at gmail.com Fri Jan 27 16:30:14 2012
From: kilobit at gmail.com (bas)
Date: Fri, 27 Jan 2012 23:30:14 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120127215227.GA28688@ussenterprise.ufp.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org>
Message-ID:

Hi,

On Fri, Jan 27, 2012 at 10:52 PM, Leo Bicknell wrote:
> In a message written on Fri, Jan 27, 2012 at 10:40:03PM +0100, bas wrote:
>> But do you generally agree that "the market" has a requirement for a
>> deep-buffer TOR switch?
>>
>> Or am I crazy for thinking that my customers need such a solution?
>
> You're crazy. :)
>
> You need to google "bufferbloat", which while the aim has been more
> at (SOHO) routers that have absurd (multi-second) buffers, the
> concepts at play work here as well.

While your reasoning holds truth it does not explain why the expensive chassis solution (good) makes my customers happy, and the cheaper TOR solution makes my customers unhappy.....

Bufferbloat does not matter to them as jitter and latency does not matter.
As long as the TCP window size negotiation is not reset the total amount of bit/sec increases for them.

If deep buffers are bad I would expect high-end chassis solutions not to offer them either.
But the market seems to offer expensive deep buffer chassis solutions and cheap (per 10GE) TOR solutions.
IMHO there is no reasoning why.... (why the expensive solution is not offered in a 1U box)

My customers want to buffer 10 to 24 * 10GE into 1 or 2 10GE uplinks; to do this they need some buffers....
Bas

From gbonser at seven.com Fri Jan 27 16:36:10 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 22:36:10 +0000
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120127215227.GA28688@ussenterprise.ufp.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com>

>
> Buffers in most network gear is bad, don't do it.
>

+1

I'm amazed at how many will spend money on switches with more buffering but won't take steps to ease the congestion. Part of the reason is trying to convince non-technical people that packet loss in and of itself doesn't have to be a bad thing, that it allows applications to adapt to network conditions. They can use tools to see packet loss, that gives them something to complain about. They don't know how to interpret jitter or understand what impact that has on their applications. They just know that they can run some packet blaster and see a packet dropped and want that to go away, so we end up in "every packet is precious" mode.

They would rather have a download that starts and stops and starts and stops rather than have one that progresses smoothly from start to finish, and trying to explain to them that performance is "bursty" because nobody wants to allow a packet to be dropped sails right over their heads.

They'll accept crappy performance with no packet loss before they will accept better overall performance with an occasional packet lost.

If an application is truly intolerant of packet loss, then you need to address the congestion, not get bigger buffers.
From kilobit at gmail.com Fri Jan 27 16:53:35 2012
From: kilobit at gmail.com (bas)
Date: Fri, 27 Jan 2012 23:53:35 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com>
Message-ID:

While I agree _again_!!!!!

It does not explain why TOR boxes have little buffers and chassis boxes have many.....

On Fri, Jan 27, 2012 at 11:36 PM, George Bonser wrote:
>>
>> Buffers in most network gear is bad, don't do it.
>>
>
> +1
>
> I'm amazed at how many will spend money on switches with more buffering but won't take steps to ease the congestion. Part of the reason is trying to convince non-technical people that packet loss in and of itself doesn't have to be a bad thing, that it allows applications to adapt to network conditions. They can use tools to see packet loss, that gives them something to complain about. They don't know how to interpret jitter or understand what impact that has on their applications. They just know that they can run some packet blaster and see a packet dropped and want that to go away, so we end up in "every packet is precious" mode.
>
> They would rather have a download that starts and stops and starts and stops rather than have one that progresses smoothly from start to finish, and trying to explain to them that performance is "bursty" because nobody wants to allow a packet to be dropped sails right over their heads.
>
> They'll accept crappy performance with no packet loss before they will accept better overall performance with an occasional packet lost.
>
> If an application is truly intolerant of packet loss, then you need to address the congestion, not get bigger buffers.
>
>

From joelja at bogus.com Fri Jan 27 17:00:53 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 27 Jan 2012 15:00:53 -0800
Subject: MD5?
In-Reply-To:
References: <4F230041.5020701@rollernet.us>
Message-ID: <4F232CA5.70101@bogus.com>

On 1/27/12 12:35 , Christopher Morrow wrote:
> On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis wrote:
>> On Fri, 27 Jan 2012, Christopher Morrow wrote:
>>
>>> lots of folks still use it yes. is it helpful? maybe? maybe not? is
>>> this peering over a shared media (like a 10base-T hub).
>>>
>>> You might point out that you'll be enabling this, then promptly
>>> writing the 'secret' on a large whiteboard in your noc... because
>>> chances are the config won't include it in rancid and ... you don't
>>> have a place to store these securely that's not prone also to outages
>>> :(
>>>
>>> also, customers wander through your NOC, so...
>>
>>
>> All that may be true, but still, the random hacker in Romania who wants in
>> on their BGP session won't know the secret...probably.
>
> 1) that person doesn't exist
> 2) they need a LOT more info about what's going on anyway
> 3) I bet they will get a copy of the config from at least:
>    a) vendor data sources
>    b) ebay purchases of gear
>    c) pwning a noc-worker and getting things done from there.
>
> There are far better ways to skin this cat.

I don't think md5 is that great, but I absolutely wouldn't use a clear text password if I'm going to use anything at all. I don't think shared secret management is dramatically harder than any other form of configuration management, modulo rekeying requires coordination with a third party and is therefore hard.
joel

From gbonser at seven.com Fri Jan 27 17:01:10 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 27 Jan 2012 23:01:10 +0000
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: bas
> Sent: Friday, January 27, 2012 2:54 PM
> To: George Bonser
> Subject: Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)
>
> While I agree _again_!!!!!
>
> It does not explain why TOR boxes have little buffers and chassis boxes
> have many.....

Because that is what customers think they want so that is what they sell. Customers don't realize that the added buffers are killing performance. I have had network sales reps tell me "you want this switch over here, it has bigger buffers" when that is exactly the opposite of what I want unless I am sending a bunch of UDP through very brief microbursts. If you are sending TCP streams, what you want is less buffering. Spend the extra money on more bandwidth to relieve the congestion. Going to 4 10G aggregated uplinks instead of 2 might get you a much better performance boost than increasing buffers. But it really depends on the end to end application.
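Leo Bicknell's sizing rule earlier in the thread (1 ms of buffer at 10GE, with RTT jitter bounded by the sum of the buffers along the path) and George Bonser's point above that adding uplinks beats adding buffer, worked through in an added example that is not code from any poster in this thread. The 12 Gbps offered load, the 200 ms burst and the 1500-byte packets are constructed inputs, and the simulator is a plain tail-drop FIFO rather than a model of any particular switch.

```python
"""Tail-drop FIFO model of a congested switch egress port.

Buffer depth is expressed in milliseconds of link time, as in the thread, and
a burst that exceeds line rate is pushed through it.  Everything here is a
constructed illustration; the traffic figures are not measurements."""
from dataclasses import dataclass

GBPS = 1_000_000_000
MTU = 1500  # bytes per packet; constructed: full-size frames only


def buffer_bytes(link_bps: int, buffer_ms: float) -> int:
    """Depth in time -> depth in bytes: what the link drains in buffer_ms."""
    return int(link_bps * buffer_ms / 8000)


def buffer_packets(link_bps: int, buffer_ms: float, pkt: int = MTU) -> int:
    """The same depth counted in full-size packets."""
    return buffer_bytes(link_bps, buffer_ms) // pkt


def worst_case_jitter_ms(hop_buffers_ms) -> float:
    """RTT can swing by the sum of every hop's buffer, because each hop may be
    anywhere between empty and full (10 hops x 15 ms = 150 ms)."""
    return float(sum(hop_buffers_ms))


def within_jitter_budget(path_ms: float, buffers_ms, tolerance_ms: float) -> bool:
    """The VoIP case from the thread: base path delay plus every buffer on the
    path, all full at once, must stay inside the application's tolerance."""
    return path_ms + worst_case_jitter_ms(buffers_ms) <= tolerance_ms


@dataclass
class Outcome:
    delivered: int
    dropped: int
    max_queue_delay_ms: float  # worst added latency seen by an accepted packet


def simulate(offered_gbps: float, uplinks: int, buffer_ms: float,
             burst_ms: int, uplink_gbps: int = 10, pkt: int = MTU) -> Outcome:
    """Fixed-size packets arrive evenly at offered_gbps for burst_ms and leave
    via `uplinks` aggregated links.  A packet is dropped when the bytes already
    queued plus its own size exceed the buffer; otherwise it waits behind them.
    Exact for a FIFO with equal-size packets."""
    egress_bps = uplinks * uplink_gbps * GBPS
    offered_bps = int(offered_gbps * GBPS)
    cap = buffer_bytes(egress_bps, buffer_ms)
    n = int(offered_bps * burst_ms // (8 * pkt * 1000))  # packets in the burst
    gap = 8 * pkt / offered_bps       # seconds between arrivals
    service = 8 * pkt / egress_bps    # seconds to serialize one packet
    link_free_at = 0.0                # when the last accepted packet has left
    delivered = dropped = 0
    max_delay = 0.0
    for i in range(n):
        t = i * gap
        wait = max(0.0, link_free_at - t)   # queueing delay if accepted
        backlog = wait * egress_bps / 8     # bytes already ahead of this packet
        if backlog + pkt > cap:
            dropped += 1                    # tail drop: buffer is full
            continue
        delivered += 1
        max_delay = max(max_delay, wait)
        link_free_at = max(link_free_at, t) + service
    return Outcome(delivered, dropped, max_delay * 1000)


if __name__ == "__main__":
    print("1 ms at 10GE =", buffer_bytes(10 * GBPS, 1), "bytes,",
          buffer_packets(10 * GBPS, 1), "full-size packets")
    print("10 hops x 15 ms ->", worst_case_jitter_ms([15] * 10), "ms of jitter")
    print("80 ms path + one 300 ms buffer inside a 250 ms tolerance?",
          within_jitter_budget(80, [300], 250))
    # Constructed scenario: 12 Gbps offered to the uplinks for 200 ms.
    for label, uplinks, buf in (("1x10GE, 1 ms buffer", 1, 1),
                                ("1x10GE, 300 ms buffer", 1, 300),
                                ("2x10GE, 1 ms buffer", 2, 1)):
        r = simulate(offered_gbps=12, uplinks=uplinks, buffer_ms=buf, burst_ms=200)
        print(f"{label}: delivered={r.delivered} dropped={r.dropped} "
              f"max added latency={r.max_queue_delay_ms:.3f} ms")
```

The shallow buffer caps added latency below 1 ms at the cost of drops, the deep buffer delivers everything but adds tens of milliseconds to every packet at the back of the queue, and the second uplink removes both the drops and the delay.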
From bicknell at ufp.org Fri Jan 27 17:03:49 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 15:03:49 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org>
Message-ID: <20120127230349.GA31350@ussenterprise.ufp.org>

In a message written on Fri, Jan 27, 2012 at 11:30:14PM +0100, bas wrote:
> While your reasoning holds truth it does not explain why the expensive
> chassis solution (good) makes my customers happy, and the cheaper TOR
> solution makes my customers unhappy.....
>
> Bufferbloat does not matter to them as jitter and latency does not matter.
> As long as the TCP window size negotiation is not reset the total
> amount of bit/sec increases for them.

I obviously don't know your application. The bufferbloat problem exists
for 99.99% of the standard applications in the world. There are, however,
a few corner cases. For instance, if you want to move a _single_ TCP
stream at more than 1Gbps you need deep buffers. Dropping a single packet
slows throughput too much due to a slow-start event. For most of the
world with hundreds or thousands of TCP streams across a single port,
such problems never occur.

> If deep buffers are bad I would expect high-end chassis solutions not
> to offer them either.
> But the market seems to offer expensive deep buffer chassis solutions
> and cheap (per 10GE) TOR solutions.

The margin on a top-of-rack switch is very low. 48 port gige with 10GE
uplinks are basically commodity boxes, with plenty of competition. Saving
$100 on the bill of materials by cutting out some buffer makes the box
more competitive when it's at a $2k price point.

In contrast, large, modular chassis have a much higher margin. They are
designed with great flexibility, to take things like firewall modules and
SSL accelerator cards.
There are configs where you want some (not much) buffer due to these
active appliances in the chassis, plus it is easier to hide an extra $100
of RAM in a $100k box.

Also, as was pointed out to me privately, it is also important to look
at adaptive queue management features. The most famous is WRED, but there
are other choices. Having a queue management solution on your routers and
switches that works in concert with the congestion control mechanism used
by the end stations always results in better goodput. Many of the low end
switches have limited or no AQM choices, while the higher end switches
with fancier ASICs can default to something like WRED. Be sure it is the
deeper buffers that are making the difference, and not simply some queue
management.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL:

From kilobit at gmail.com Fri Jan 27 17:08:02 2012
From: kilobit at gmail.com (bas)
Date: Sat, 28 Jan 2012 00:08:02 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C965E4@RWC-MBX1.corp.seven.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965E4@RWC-MBX1.corp.seven.com>
Message-ID:

Hi,

On Fri, Jan 27, 2012 at 11:54 PM, George Bonser wrote:
>>
>> My customers want to buffer 10 to 24 * 10GE in a 1 or 2 10GE uplinks to
>> do this they need some buffers....
>>
>> Bas
>
> It might be cheaper for them to go to 3 or 4 10G uplinks than to replace all their switch hardware.

In my (our) business model _is_ the internet connectivity...
We could give the customer double the port capacity, if they were
willing to pay, but in real life they do not care...
While all respondents' replies hold truth and (technical business) logic,
none shed a light on why there isn't a TOR box that does 10GE deep buffers...

From jared at puck.nether.net Fri Jan 27 17:20:17 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 27 Jan 2012 18:20:17 -0500
Subject: MD5 considered harmful
In-Reply-To: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
Message-ID: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>

On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:

> Your network, your decision. On my network, we do not do MD5. We do more
> traffic than anyone and have to be in the top 10 of total eBGP peering
> sessions on the planet. Guess how many times we've seen anyone even
> attempt this attack? If you guessed more than zero, guess again.
>
> I am fully well aware saying this in a public place means someone,
> probably many someones, will try it now just to prove me wrong. I still
> don't care. What does that tell you?
>
> STOP USING MD5 ON BGP.

I would generally say: If you are on a p2p link or control the network,
then yeah, you don't need md5. If you are at a shared medium (e.g.: IX)
I do recommend it there, as it will help mitigate cases where someone can
hijack your session by putting your IP/ASN whatnot on the router.

The threat (Attack) never became real and we've now had enough time that
even the slowest carriers are running fixed code.
- Jared

From kilobit at gmail.com Fri Jan 27 17:24:06 2012
From: kilobit at gmail.com (bas)
Date: Sat, 28 Jan 2012 00:24:06 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com>
Message-ID:

On Sat, Jan 28, 2012 at 12:01 AM, George Bonser wrote:
> Going to 4 10G aggregated uplinks instead of 2 might get you a much better performance boost than increasing buffers.
> But it really depends on the end to end application.

Also these TOR boxes go to my (more expensive ASR9K and MX) boxes, so
from a CAPEX standpoint I simply do not want to give them more ports than
required.

From kilobit at gmail.com Fri Jan 27 17:30:35 2012
From: kilobit at gmail.com (bas)
Date: Sat, 28 Jan 2012 00:30:35 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120127230349.GA31350@ussenterprise.ufp.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <20120127230349.GA31350@ussenterprise.ufp.org>
Message-ID:

Hi,

> The margin on a top-of-rack switch is very low. 48 port gige with
> 10GE uplinks are basically commodity boxes, with plenty of competition.
> Saving $100 on the bill of materials by cutting out some buffer
> makes the box more competitive when it's at a $2k price point.

The list of 10GE TOR switches I sent earlier list from $20K to $100K.
So actual purchase cost for us would be $10K to $30K.
$500 for some (S)(Q)(bla)RAM shouldn't hold back a vendor from releasing
a bitchin switch....

Again this argument does not explain why there are 1GE aggregation
switches with deep buffers..
> Also, as was pointed out to me privately, it is also important to look
> at adaptive queue management features. The most famous is WRED, but
> there are other choices. Having a queue management solution on your
> routers and switches that works in concert with the congestion control
> mechanism used by the end stations always results in better goodput.
> Many of the low end switches have limited or no AQM choices, while the
> higher end switches with fancier ASICs can default to something like
> WRED. Be sure it is the deeper buffers that are making the difference,
> and not simply some queue management.

All true...
Still no reason why not to offer a deep buffer TOR...

From joelja at bogus.com Fri Jan 27 17:32:20 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 27 Jan 2012 15:32:20 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com>
Message-ID: <4F233404.2060004@bogus.com>

On 1/27/12 14:53 , bas wrote:
> While I agree _again_!!!!!
>
> It does not explain why TOR boxes have little buffers and chassis box
> have many.....

you need proportionally more buffer when you need to drain 16 x 10 gig
into 4 x 10Gig than when you're trying to drain 10Gb/s into 2 x 1Gb/s

there's a big incentive bom wise to not use offchip dram buffer in a
merchant silicon single chip switch vs something that's more complex.

> On Fri, Jan 27, 2012 at 11:36 PM, George Bonser wrote:
>>>
>>> Buffers in most network gear is bad, don't do it.
>>>
>>
>> +1
>>
>> I'm amazed at how many will spend money on switches with more buffering but won't take steps to ease the congestion. Part of the reason is trying to convince non-technical people that packet loss in and of itself doesn't have to be a bad thing, that it allows applications to adapt to network conditions.
>> They can use tools to see packet loss, that gives them something to complain about. They don't know how to interpret jitter or understand what impact that has on their applications. They just know that they can run some packet blaster and see a packet dropped and want that to go away, so we end up in "every packet is precious" mode.
>>
>> They would rather have a download that starts and stops and starts and stops rather than have one that progresses smoothly from start to finish and trying to explain to them that performance is "bursty" because nobody wants to allow a packet to be dropped sails right over their heads.
>>
>> They'll accept crappy performance with no packet loss before they will accept better overall performance with an occasional packet lost.
>>
>> If an application is truly intolerant of packet loss, then you need to address the congestion, not get bigger buffers.
>>
>>
>
>

From keegan.holley at sungard.com Fri Jan 27 17:35:00 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Fri, 27 Jan 2012 18:35:00 -0500
Subject: MD5 considered harmful
In-Reply-To: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Message-ID:

2012/1/27 Jared Mauch :
>
> On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
> I would generally say: If you are on a p2p link or control the network, then yeah, you don't need md5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.
>
> The threat (Attack) never became real and we've now had enough time that even the slowest carriers are running fixed code.
>
> - Jared
>

I kind of agree that there isn't much of a vector here, but I don't
agree that MD5 hurts if done correctly. Is it really that hard to find a
semi-secure place to store passwords for an entire company? There's also
the question of engineering standards. Is it an aging practice?
Probably... Is it worth spending time to update it and train everyone not
to use it? Probably not. I'll be happy when the world realizes that it's
ok to let gig-e auto-negotiate. I've never really seen MD5 cause issues.

From joelja at bogus.com Fri Jan 27 17:38:53 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 27 Jan 2012 15:38:53 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com>
Message-ID: <4F23358D.4080308@bogus.com>

On 1/27/12 15:01 , George Bonser wrote:
>
>
>> -----Original Message-----
>> From: bas
>> Sent: Friday, January 27, 2012 2:54 PM
>> To: George Bonser
>> Subject: Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)
>>
>> While I agree _again_!!!!!
>>
>> It does not explain why TOR boxes have little buffers and chassis
>> box have many.....
>
> Because that is what customers think they want so that is what they
> sell. Customers don't realize that the added buffers are killing
> performance.
It is possible, trivial in fact, to buy a switch that has a buffer too
small to provide stable performance at some high fraction of its uplink
utilization. You can differentiate between the enterprise/soho 1gig
switch you bought to support your ip-phones and wireless APs and the
datacenter spec 1u tor along these lines.

It is also possible and in fact easy to have enough to accumulate latency
in places where you should be discarding packets earlier.

I'd rather not be in either situation, but in the latter I can police my
way out of it.

> I have had network sales reps tell me "you want this switch over
> here, it has bigger buffers" when that is exactly the opposite of
> what I want unless I am sending a bunch of UDP through very brief
> microbursts. If you are sending TCP streams, what you want is less
> buffering. Spend the extra money on more bandwidth to relieve the
> congestion.
>
> Going to 4 10G aggregated uplinks instead of 2 might get you a much
> better performance boost than increasing buffers. But it really
> depends on the end to end application.
>
>

From kilobit at gmail.com Fri Jan 27 17:40:48 2012
From: kilobit at gmail.com (bas)
Date: Sat, 28 Jan 2012 00:40:48 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F233404.2060004@bogus.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com>
Message-ID:

Hi All,

On Sat, Jan 28, 2012 at 12:32 AM, Joel jaeggli wrote:
> On 1/27/12 14:53 , bas wrote:
>> While I agree _again_!!!!!
>>
>> It does not explain why TOR boxes have little buffers and chassis box
>> have many.....
>
> you need proportionally more buffer when you need to drain 16 x 10 gig
> into 4 x 10Gig than when you're trying to drain 10Gb/s into 2 x 1Gb/s
>
> there's a big incentive bom wise to not use offchip dram buffer in a
> merchant silicon single chip switch vs something that's more complex.

I'm almost ready to throw the towel in the ring, and declare myself a looney..
I can imagine at least one vendor ignoring the extra BOM capex, and
simply trying to please #$%^#@! like me.

C NSP has been full with threads about appalling microburst
performance of the 6500 for years..
One would think a vendor would jump to a competitive edge like this...

From jsw at inconcepts.biz Fri Jan 27 17:43:06 2012
From: jsw at inconcepts.biz (Jeff Wheeler)
Date: Fri, 27 Jan 2012 18:43:06 -0500
Subject: MD5 considered harmful
In-Reply-To:
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Message-ID:

On Fri, Jan 27, 2012 at 6:35 PM, Keegan Holley wrote:
> realizes that it's ok to let gig-e auto-negotiate. I've never really
> seen MD5 cause issues.

I have run into plenty of problems caused by MD5-related bugs.

6500/7600 can still figure the MSS incorrectly when using it. It used
to be possible for that particular box to send over-sized frames out
Ethernet ports with MD5 enabled, which of course were likely to be
dropped by the neighboring router or switching equipment (perhaps even
carrier Ethernet equipment.) Obviously that can be a chore to
troubleshoot.

Sometimes we choose to use it. Sometimes we don't.

--
Jeff S Wheeler
Sr Network Operator /
Innovative Network Concepts

From keegan.holley at sungard.com Fri Jan 27 17:46:41 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Fri, 27 Jan 2012 18:46:41 -0500
Subject: MD5 considered harmful
In-Reply-To:
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Message-ID:

2012/1/27 Jeff Wheeler :
> On Fri, Jan 27, 2012 at 6:35 PM, Keegan Holley
> wrote:
>> realizes that it's ok to let gig-e auto-negotiate. I've never really
>> seen MD5 cause issues.
>
> I have run into plenty of problems caused by MD5-related bugs.
>
> 6500/7600 can still figure the MSS incorrectly when using it. It used
> to be possible for that particular box to send over-sized frames out
> Ethernet ports with MD5 enabled, which of course were likely to be
> dropped by the neighboring router or switching equipment (perhaps even
> carrier Ethernet equipment.) Obviously that can be a chore to
> troubleshoot.
>
> Sometimes we choose to use it. Sometimes we don't.
>
> --

Bugs are a different argument though. If you could call something
harmful because a single vendor codes it wrong there would be far fewer
windows users in the world. (I know it's friday, but please no one change
the subject to OS's)

From joelja at bogus.com Fri Jan 27 18:00:36 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 27 Jan 2012 16:00:36 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com>
Message-ID: <4F233AA4.4030302@bogus.com>

On 1/27/12 15:40 , bas wrote:
> Hi All,
>
> On Sat, Jan 28, 2012 at 12:32 AM, Joel jaeggli wrote:
>> On 1/27/12 14:53 , bas wrote:
>>> While I agree _again_!!!!!
>>>
>>> It does not explain why TOR boxes have little buffers and chassis box
>>> have many.....
>>
>> you need proportionally more buffer when you need to drain 16 x 10 gig
>> into 4 x 10Gig than when you're trying to drain 10Gb/s into 2 x 1Gb/s
>>
>> there's a big incentive bom wise to not use offchip dram buffer in a
>> merchant silicon single chip switch vs something that's more complex.
>
> I'm almost ready to throw the towel in the ring, and declare myself a looney..
> I can imagine at least one vendor ignoring the extra BOM capex, and
> simply trying to please #$%^#@! like me.
>
> C NSP has been full with threads about appalling microburst
> performance of the 6500 for years..

And people who care have been using something other than a c6500 for
years. It's a 15 year old architecture, and it's had a pretty good run,
but it's 2012.

An ex8200 has 512MB per port on non-oversubscribed 10Gig ports and 42MB
per port on 1Gig ports. That's a lot of ram.

To take this back to actual tors: a broadcom 56840 based switch has
something in the neighborhood of 9MB available for packet buffer on chip.
If you need more then more drams are in order. While the TOR can
cut-through-switch the chassis can't. The tor is also probably not built
with offchip cam (there are examples of off chip cam as well) for much the
same reason.

> One would think a vendor would jump to a competitive edge like this...
>

From zaid at zaidali.com Fri Jan 27 18:04:49 2012
From: zaid at zaidali.com (Zaid Ali)
Date: Fri, 27 Jan 2012 16:04:49 -0800
Subject: MD5 considered harmful
In-Reply-To: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Message-ID:

I am in the camp of no MD5 in general and more specifically IX. It is a
real pain to manage MD5 and no network in my experience has ever
implemented a sustainable solution. There is no BCP that folks follow so
generally it's a verbal agreement that someone in either party will
maintain the record. This works until that operator leaves the job and
the MD5 is in their email box which is no longer accessible.
I would say this is pretty common, I have inherited quite a few networks
where I had to deal with this problem. Also most common places where
people store MD5's are not in secure locations.

I would argue that even though you connect via shared medium in the case
of an IX you can still use TTL.

Zaid

On 1/27/12 3:20 PM, "Jared Mauch" wrote:

>
>On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision. On my network, we do not do MD5. We do
>>more traffic than anyone and have to be in the top 10 of total eBGP
>>peering sessions on the planet. Guess how many times we've seen anyone
>>even attempt this attack? If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone,
>>probably many someones, will try it now just to prove me wrong. I still
>>don't care. What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
>I would generally say: If you are on a p2p link or control the network,
>then yeah, you don't need md5. If you are at a shared medium (e.g.: IX)
>I do recommend it there, as it will help mitigate cases where someone can
>hijack your session by putting your IP/ASN whatnot on the router.
>
>The threat (Attack) never became real and we've now had enough time that
>even the slowest carriers are running fixed code.
>
>- Jared

From patrick at ianai.net Fri Jan 27 18:40:07 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Fri, 27 Jan 2012 19:40:07 -0500
Subject: MD5 considered harmful
In-Reply-To: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Message-ID: <4CD01EE5-0755-4206-8064-FD32E033E3F1@ianai.net>

On Jan 27, 2012, at 6:20 PM, Jared Mauch wrote:

> On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision. On my network, we do not do MD5.
>> We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
> I would generally say: If you are on a p2p link or control the network, then yeah, you don't need md5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.

As much as this scares me, I am going to disagree with Jared.

If another member on the IX fabric wants to do something bad, then
spoofing your address and causing BGP sessions to flap is the least of
your worries.

I've personally configured thousands of sessions at dozens of IXes for
well over a decade. I have yet to see a single case where MD5 would have
been useful. OTOH, it has caused quite a bit of downtime.

There is no perfect solution, everything has issues. Past performance is
no guarantee of future profits. All you can do is try your level-headed
best to keep the packets flowing as quickly, reliably, and cheaply as
possible. MD5 is a detriment to _all three_ of those goals.

--
TTFN,
patrick

From nick at foobar.org Fri Jan 27 18:51:20 2012
From: nick at foobar.org (Nick Hilliard)
Date: Sat, 28 Jan 2012 00:51:20 +0000
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965E4@RWC-MBX1.corp.seven.com>
Message-ID: <94F37437-583D-4470-B9FB-EF82A90E21DC@foobar.org>

On 27 Jan 2012, at 23:08, bas wrote:
> In my (our) business model _is_ the internet connectivity...
> We could give the customer double the port capacity, if they were
> willing to pay, but in real life they do not care...
>
> While all respondents' replies hold truth and (technical business) logic,
> none shed a light on why there isn't a TOR box that does 10GE deep buffers

There are a couple of reasons for this: first, dropping the amount of
buffer space decreases the cost of the hardware. Secondly, you really
only need large buffers when you need to shape traffic. Shaping traffic
is important if you're down stepping from a faster port to a slower port
(this is a common use case for a blade switch like a c6500), or else if
you're running qos on the port and you need to implement sophisticated
queuing and policing. You can't run qos effectively without having
generous buffers, which is why LAN switches typically have very little
buffer space and metro Ethernet switches typically have lots.

In the case of a tor switch, the use case is typically in a situation
where you're not downstepping from a higher speed to a lower speed, and
where you don't really need fancy qos. So as it's not generally needed for
the sort of things that tor switches are used for, it's not added to the
hardware spec.

Nick

From gbonser at seven.com Fri Jan 27 18:57:53 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 28 Jan 2012 00:57:53 +0000
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F23358D.4080308@bogus.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C965FC@RWC-MBX1.corp.seven.com> <4F23358D.4080308@bogus.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C966E7@RWC-MBX1.corp.seven.com>

>
> It is also possible and in fact easy to have enough to accumulate
> latency in places where you should be discarding packets earlier.
>
> I'd rather not be in either situation, but in the latter I can police my
> way out of it.

That is why I added the "it depends on the end to end application" caveat.

From gbonser at seven.com Fri Jan 27 19:03:05 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 28 Jan 2012 01:03:05 +0000
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <94F37437-583D-4470-B9FB-EF82A90E21DC@foobar.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965E4@RWC-MBX1.corp.seven.com> <94F37437-583D-4470-B9FB-EF82A90E21DC@foobar.org>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C96702@RWC-MBX1.corp.seven.com>

I assumed since he was asking about a "top of rack" (TOR) switch, he was
actually using it as a top of rack switch and adding a couple more
uplinks to his core would be cheaper than replacing all the hardware.
Not understanding the topology and the application makes good
recommendations a crap shoot, at best.

From: Nick Hilliard
Sent: Friday, January 27, 2012 4:51 PM
To: bas
Cc: George Bonser; nanog
Subject: Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)

In the case of a tor switch, the use case is typically in a situation
where you're not downstepping from a higher speed to a lower speed, and
where you don't really need fancy qos. So as it's not generally needed for
the sort of things that tor switches are used for, it's not added to the
hardware spec.

Nick
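The buffer-depth argument running through the TOR thread above (Leo's point that a single >1Gbps TCP flow needs deep buffers while thousands of flows do not, Joel's 512MB-per-10G-port chassis figure against roughly 9MB on-chip in a merchant-silicon TOR, and the bufferbloat cost of the deep option), worked through as an added example in Python that is not from any poster's message. The formulas are the standard ones: bandwidth-delay product for one long-lived flow, the Appenzeller/Keslassy/McKeown (SIGCOMM 2004) result that N desynchronised long-lived flows need only BDP/sqrt(N), and buffer bytes over drain rate for the worst-case queueing delay a full buffer adds. The RTTs, flow counts and 10 ms delay budget are assumptions, and "MB" is read as 10**6 bytes.

```python
"""Buffer depth versus queueing delay for the figures quoted in this thread.

Added example, not from any message in the thread. Port buffer sizes and
link rates are the ones quoted above; RTTs, flow counts and the delay
budget are assumptions chosen for illustration.
"""
import math

MB = 10**6            # the thread's "MB" read as decimal megabytes (assumption)
TEN_GIG = 10e9
FORTY_GIG = 40e9


def bdp_bytes(rate_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: the buffer one long-lived TCP flow needs so the
    link stays busy while the sender halves its window after a single loss."""
    return int(rate_bps * rtt_s / 8)


def buffer_for_flows(rate_bps: float, rtt_s: float, n_flows: int) -> int:
    """Appenzeller et al.: N unsynchronised long-lived flows smooth each
    other's sawtooth, so BDP/sqrt(N) keeps the link full."""
    return int(bdp_bytes(rate_bps, rtt_s) / math.sqrt(n_flows))


def max_queue_delay_s(buffer_bytes: float, drain_rate_bps: float) -> float:
    """Worst-case time a packet waits behind a full buffer (the bloat)."""
    return buffer_bytes * 8 / drain_rate_bps


def assess(buffer_bytes: float, drain_rate_bps: float, rtt_s: float,
           n_flows: int, delay_budget_s: float = 0.010):
    """Classify a buffer against both failure modes the thread describes.

    "starved": too shallow to carry n_flows windows across a loss event.
    "bloated": deep enough that a full queue adds more than delay_budget_s.
    Returns (verdict, bytes_needed, worst_case_delay_s).
    """
    needed = buffer_for_flows(drain_rate_bps, rtt_s, n_flows)
    worst = max_queue_delay_s(buffer_bytes, drain_rate_bps)
    if buffer_bytes < needed:
        verdict = "starved"
    elif worst > delay_budget_s:
        verdict = "bloated"
    else:
        verdict = "ok"
    return verdict, needed, worst


def thread_cases():
    """The numbers argued about above, as (label, verdict, needed, worst_delay)."""
    cases = [
        ("EX8200 512MB behind one 10G port, 1 flow, 50 ms RTT",
         512 * MB, TEN_GIG, 0.050, 1),
        ("56840-class TOR, 9MB shared, one 10G uplink, 1000 flows, 50 ms RTT",
         9 * MB, TEN_GIG, 0.050, 1000),
        ("56840-class TOR, 9MB shared, one 10G uplink, 1 flow, 50 ms RTT",
         9 * MB, TEN_GIG, 0.050, 1),
        ("40G link sized to b*d of a 100 ms path, 1000 flows",
         bdp_bytes(FORTY_GIG, 0.100), FORTY_GIG, 0.100, 1000),
    ]
    return [(label, *assess(buf, rate, rtt, n)) for label, buf, rate, rtt, n in cases]


if __name__ == "__main__":
    for label, verdict, needed, worst in thread_cases():
        print(f"{label}: {verdict} (need {needed / MB:.1f} MB, "
              f"worst-case queue {worst * 1000:.1f} ms)")
```

Reading the four cases against the thread: the chassis port can hold over 400 ms of queue at line rate, which is Joel's "that's a lot of ram" and Leo's "please turn that buffer down"; the 9MB TOR is fine for a thousand flows but genuinely starved for the single multi-gigabit flow Leo calls out; and a buffer sized to the raw bandwidth-delay product of a long path adds a full RTT of queueing before it ever drops, which is the failure mode the bufferbloat messages describe.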
From randy at psg.com Fri Jan 27 19:06:20 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 28 Jan 2012 10:06:20 +0900
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <4F233AA4.4030302@bogus.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com>
Message-ID:

for those who say bufferbloat is a problem, do you have wred enabled on
backbone or customer links?

randy

From bicknell at ufp.org Fri Jan 27 19:19:09 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 17:19:09 -0800
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F233AA4.4030302@bogus.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com>
Message-ID: <20120128011909.GA35610@ussenterprise.ufp.org>

In a message written on Fri, Jan 27, 2012 at 04:00:36PM -0800, Joel jaeggli wrote:
> And people who care have been using something other than a c6500 for
> years. it's a 15 year old architecture, and it's had a pretty good run,
> but it's 2012.

One of the frustrating things, which the c6500 embodies best, is that the
chassis has had many generations of linecards. It came out in 1999,
running CatOS, with a 32Gbps shared bus. It exists now as an IOS box with
a 720Gbps bus, running distributed switching. While you can call both a
6500, they share little more than some sheet metal, fans, and copper
traces on the backplane. Wisdom learned running CatOS on 1st generation
cards flat out does not apply to current generation cards. And woe be the
admin who mixes and matches generations of cards, there are a million
different configurations and pitfalls.
Cisco is not the only vendor, and the 6500 is not the only product with
this problem. It makes conversation extremely difficult though, you can't
say a "6500 has xyz property" without detailing a lot more about the
config of the box.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From bicknell at ufp.org Fri Jan 27 19:22:49 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 17:22:49 -0800
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com>
Message-ID: <20120128012249.GB35610@ussenterprise.ufp.org>

In a message written on Sat, Jan 28, 2012 at 10:06:20AM +0900, Randy Bush wrote:
> for those who say bufferbloat is a problem, do you have wred enabled on
> backbone or customer links?

For *most backbone networks* it is a no-op on the backbone. To be more
precise, if the backbone is at least 10x, and preferably more like 50x
faster than the largest single TCP flow from any customer it will be
nearly impossible to measure the performance difference between a short
FIFO queue and a WRED queue.

To the customer, absolutely, whenever possible, which generally means
when the hardware supports. Ideally with the queue length tuned to match
the link speed of the customer port. The slower speed the customer port
the more critical the tuning.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
From randy at psg.com Fri Jan 27 19:31:20 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 28 Jan 2012 10:31:20 +0900
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <20120128012249.GB35610@ussenterprise.ufp.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org>
Message-ID:

>> for those who say bufferbloat is a problem, do you have wred enabled
>> on backbone or customer links?
>
> For *most backbone networks* it is a no-op on the backbone. To be
> more precise, if the backbone is at least 10x, and preferably more
> like 50x faster than the largest single TCP flow from any customer
> it will be nearly impossible to measure the performance difference
> between a short FIFO queue and a WRED queue.

when a line card is designed to buffer the b*d of a trans-pac 40g, the
oddities on an intra-pop link have been observed to spike to multiple
seconds.

> To the customer, absolutely, whenever possible, which generally means
> when the hardware supports. Ideally with the queue length tuned to
> match the link speed of the customer port. The slower speed the
> customer port the more critical the tuning.

so, do you have wred enabled anywhere? who actually has it enabled?
(embarrassed to say, but to set an honest example, i do not believe iij
does)

randy

From bicknell at ufp.org Fri Jan 27 19:56:01 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 17:56:01 -0800
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org>
Message-ID: <20120128015601.GA36782@ussenterprise.ufp.org>

In a message written on Sat, Jan 28, 2012 at 10:31:20AM +0900, Randy Bush wrote:
> when a line card is designed to buffer the b*d of a trans-pac 40g, the
> oddities on an intra-pop link have been observed to spike to multiple
> seconds.

Please turn that buffer down. It's bad enough to take a 100ms hop across the pacific. It's far worse when there is +0-100ms of additional buffer. :(

Unless that 40G has like 4x10Gbps TCP flows on it you don't need b*d of buffer. I bet many of your other problems go away. 10ms of buffer would be a good number.

> so, do you have wred enabled anywhere? who actually has it enabled?
>
> (embarrassed to say, but to set an honest example, i do not believe iij
> does)

My current employment offers few places where it is appropriate.
However, cribbing from a previous job where I rolled it out network wide:

policy-map atm-queueing-out
 class class-default
  fair-queue
  random-detect
  random-detect precedence 0 10 40 10
  random-detect precedence 1 13 40 10
  random-detect precedence 2 16 40 10
  random-detect precedence 3 19 40 10
  random-detect precedence 4 22 40 10
  random-detect precedence 5 25 40 10
  random-detect precedence 6 28 40 10
  random-detect precedence 7 31 40 10

int atm1/0.1
 pvc 1/105
  vbr-nrt 6000 5000 600
  tx-ring-limit 4
  service-policy output atm-queueing-out

Those packet thresholds were computed as the best balance for 6-20Mbps PVC's on an ATM interface. Also notice that the hardware tx-ring-limit had to be reduced in order to make it effective. There is a hardware buffer that is way too big below the software wred on the platforms in question (7206VXR's).

Here's one to wrap your head around. You have an ATM OC-3, it has on it 40 PVC's. Each PVC has a WRED config on it allowing up to 40 packets to be buffered. Some genius in security fires off a network scanning tool across all 40 sites. Yes, you now have 40*40, or 1600 packets of buffer on your single physical port. :(

If you work with Frame or ATM, or even dot1q vlans you have to be careful of buffering per-subinterface. It can quickly get absurd.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
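As an added example (not code from Leo's posts or from any vendor), the queue-depth arithmetic behind thresholds like these: a latency budget and line rate turned into packets, the reverse for a queue that is already configured, the delay band Leo's min/max thresholds give a 6 or 20 Mbps PVC, the 40-PVC per-port aggregate from the message above, and the core-to-access rate-mismatch minimum Saku raises later in the thread. The 1500-byte MTU, the 10 Mbps / 5 ms worked case and the PVC rates are the thread's own; everything else is constructed for illustration.

```python
"""Queue-depth arithmetic for interface buffers and WRED thresholds.

Added example for this thread; it is not code from any of the posts.
Inputs are either taken from the thread or constructed, as marked.
"""
import math

MTU_BYTES = 1500  # full-size packet, as assumed throughout the thread


def bytes_per_ms(rate_bps: float) -> float:
    """Drain rate of a link in bytes per millisecond (10 Mbps -> 1250 B/ms)."""
    return rate_bps / 8.0 / 1000.0


def packets_for_latency(rate_bps: float, budget_ms: float, mtu: int = MTU_BYTES) -> float:
    """Full-size packets a queue can hold before it adds more than budget_ms.

    10 Mbps with a 5 ms budget: 1250 B/ms * 5 ms = 6250 B, / 1500 = 4.17 packets.
    """
    return bytes_per_ms(rate_bps) * budget_ms / mtu


def latency_for_packets(rate_bps: float, packets: float, mtu: int = MTU_BYTES) -> float:
    """The math run the other way: worst-case ms of queueing delay that a
    queue of `packets` full-size packets adds on a link of rate_bps."""
    return packets * mtu / bytes_per_ms(rate_bps)


def wred_delay_band(rate_bps: float, min_thr: int, max_thr: int, mtu: int = MTU_BYTES):
    """(ms at which WRED starts dropping, ms at the hard tail-drop limit)."""
    return (latency_for_packets(rate_bps, min_thr, mtu),
            latency_for_packets(rate_bps, max_thr, mtu))


# Leo's policy-map: min threshold 10 + 3*precedence packets, max 40, mark-prob 1/10.
WRED_MIN_THRESHOLD = {prec: 10 + 3 * prec for prec in range(8)}
WRED_MAX_THRESHOLD = 40


def per_port_worst_case(subinterfaces: int, max_thr: int = WRED_MAX_THRESHOLD) -> int:
    """Packets that can sit queued on one physical port when every subinterface
    (PVC, DLCI, VLAN) is full at once: 40 PVCs * 40 packets = 1600."""
    return subinterfaces * max_thr


def min_packets_for_rate_mismatch(core_bps: float, access_bps: float) -> int:
    """Packets that arrive from the core while the access port serialises one.
    A single 10G burst into a 100M port needs at least 100 packets of buffer."""
    return math.ceil(core_bps / access_bps)


def in_target_band(rate_bps: float, packets: float, low_ms: float, high_ms: float,
                   mtu: int = MTU_BYTES) -> bool:
    """True when a configured queue lands inside a [low_ms, high_ms] budget,
    e.g. Leo's 5-20 ms rule of thumb for low-speed access/edge ports."""
    return low_ms <= latency_for_packets(rate_bps, packets, mtu) <= high_ms


if __name__ == "__main__":
    print(f"10 Mbps, 5 ms budget: {packets_for_latency(10e6, 5):.2f} packets")
    for pvc_bps in (6e6, 20e6):  # the 6-20 Mbps PVC range from the thread
        for prec in (0, 7):
            lo, hi = wred_delay_band(pvc_bps, WRED_MIN_THRESHOLD[prec], WRED_MAX_THRESHOLD)
            print(f"{pvc_bps / 1e6:>4.0f} Mbps PVC, precedence {prec}: drops start at "
                  f"{lo:5.1f} ms, tail-drop at {hi:5.1f} ms")
    print(f"40 PVCs x 40 packets = {per_port_worst_case(40)} packets on one port")
    print(f"10G core into 100M access: >= {min_packets_for_rate_mismatch(10e9, 100e6)} packets")
```

Note that on a 6 Mbps PVC the max threshold of 40 packets is an 80 ms tail-drop limit; it is the min threshold, where random drops begin, that keeps the average delay inside the band.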
From randy at psg.com Fri Jan 27 20:02:14 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 28 Jan 2012 11:02:14 +0900
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <20120128015601.GA36782@ussenterprise.ufp.org>
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128015601.GA36782@ussenterprise.ufp.org>
Message-ID:

>> when a line card is designed to buffer the b*d of a trans-pac 40g, the
>> oddities on an intra-pop link have been observed to spike to multiple
>> seconds.
> Please turn that buffer down.

not my router. research probes seeing fun anomalies around the global
network.

> cribbing from a previous ob where I rolled it out network wide:
>
> policy-map atm-queueing-out
>  class class-default
>   fair-queue
>   random-detect
>   random-detect precedence 0 10 40 10
>   random-detect precedence 1 13 40 10
>   random-detect precedence 2 16 40 10
>   random-detect precedence 3 19 40 10
>   random-detect precedence 4 22 40 10
>   random-detect precedence 5 25 40 10
>   random-detect precedence 6 28 40 10
>   random-detect precedence 7 31 40 10
>
> int atm1/0.1
>  pvc 1/105
>   vbr-nrt 6000 5000 600
>   tx-ring-limit 4
>   service-policy output atm-queueing-out
>
> Those packet thresholds were computed as the best balance for
> 6-20MMbps PVC's on an ATM interface.

while i hope few folk other than telephants still have atm, thanks for
posting running code.

one problem is that we do not have good tools to look at a link and
suggest parms. how did you derive those?
randy

From bicknell at ufp.org Fri Jan 27 20:08:10 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 18:08:10 -0800
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org>
Message-ID: <20120128020810.GA37239@ussenterprise.ufp.org>

In a message written on Sat, Jan 28, 2012 at 10:31:20AM +0900, Randy Bush wrote:
> (embarrassed to say, but to set an honest example, i do not believe iij
> does)

I also want to take this opportunity to say there are some cool new features (that I have not had a chance to deploy myself) that may have been missed if queueing wasn't your day job for the last few years.

"QoS: Time-Based Thresholds for WRED and Queue Limit for the Cisco 12000 Series Router"
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12stbwr.html

Don't want to do math on how big the queue should be? Configure by ms:

Router> enable
Router# configure terminal
Router(config)# policy-map policy1
Router(config-pmap)# class class-default
Router(config-pmap-c)# bandwidth percent 80
Router(config-pmap-c)# random-detect
Router(config-pmap-c)# random-detect precedence 2 4 ms 8 ms
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface serial8/0/0:0.1000
Router(config-subif)# service-policy output policy1
Router(config-subif)# end

That's a 4ms to 8ms buffer! Handy, nice!

Another frame concept brought to IP is ECN, congestion notification.
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_conavd/configuration/15-0m/qos-conavd-wred-ecn.html

Router(config)# policy-map pol1
Router(config-pmap)# class class-default
Router(config-pmap-c)# bandwidth per 70
Router(config-pmap-c)# random-detect
Router(config-pmap-c)# random-detect ecn

Requires other bits in the network to be ECN aware, but if they are, good stuff.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From gbonser at seven.com Fri Jan 27 20:13:15 2012
From: gbonser at seven.com (George Bonser)
Date: Sat, 28 Jan 2012 02:13:15 +0000
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <20120128020810.GA37239@ussenterprise.ufp.org>
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128020810.GA37239@ussenterprise.ufp.org>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C967EB@RWC-MBX1.corp.seven.com>

> Router(config)# policy-map pol1
> Router(config-pmap)# class class-default
> Router(config-pmap-c)# bandwidth per 70
> Router(config-pmap-c)# random-detect
> Router(config-pmap-c)# random-detect ecn
>
> Requires other bits in the network to be ECN aware, but if they are,
> good stuff.
>
> --

+1

There is no excuse these days for stuff not to be ECN aware. That GREATLY mitigates things as it makes hosts aware pretty much immediately that there is congestion and they don't have to wait for a lost packet to time out.

I brought it up to a Brocade engineer once asking for the option to set ECN rather than drop the packet and he said "nobody uses it".
I told him nobody uses it because you don't have the feature available. How can anyone use it if you don't have the feature?

From bicknell at ufp.org Fri Jan 27 20:21:05 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Fri, 27 Jan 2012 18:21:05 -0800
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128015601.GA36782@ussenterprise.ufp.org>
Message-ID: <20120128022105.GB37239@ussenterprise.ufp.org>

In a message written on Sat, Jan 28, 2012 at 11:02:14AM +0900, Randy Bush wrote:
> one problem is that we do not have good tools to look at a link and
> suggest parms. how did you derive those?

It's actually simple math, it just can get moderately complex.

Let's say you have a 10Mbps ethernet interface, and you want to set the queue size (in packets). 10Mbps is ~1250000 bytes/sec. Now, I pick an arbitrary value, this is where experience comes in. For this example I'm going to say I want no more than 5ms queuing latency.

  5ms / (1000ms/sec) * 1250000 bytes/sec = 6250 bytes

I then look at my MTU, we'll go with 1500 here.

  6250 / 1500 = 4.16 packets

So queueing around 4 full sized packets generates 0-5ms of jitter on a 10Mbps ethernet, worst case.

How many ms is good? Well, that depends, a lot. However I suspect most people here have seen enough pings they have some idea what is good and what isn't.

From there you have to look at if there is a hardware ring buffer under the software QOS (not on most interfaces, but yes on some), and then look if the buffer is per-VC (subint, whatever) on an interface with multiple subinterfaces. This is as much art as science.

My rules of thumb:

- High speed backbone interfaces, 1-3ms of buffer.
- Medium to high speed links inside of a single pop/site, 2-5ms of buffer.
- Low speed access/edge, 5-20ms of buffer.
I have rarely seen an application benefit from more than 20ms of buffer.

Remember, this is per hop. If you take a 20 hop traceroute and each hop has 20ms of buffer, you would be waiting 400ms if all the buffers were full! That's even if all 20 hops are in the same building, so the RTT is 1ms. Imagine how crappy a 1ms RTT would be with random 4/10ths of a second pauses!

Now, here's where it gets non-intuitive. Reducing the buffers will _increase_ packet drops, which will make your customers _happier_. It will also generally smooth out sawtooth patterns (caused by congestion collapse synchronization, everyone fills the buffer at the same time, backs off at the same time, etc). So your links may go from spiky between 90-100%, to flatlined at 100%, but your customers will be happier.

Run the math the other way to see how many ms your current buffer size allows the router to hold.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From lukasz at bromirski.net Fri Jan 27 20:32:17 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 28 Jan 2012 03:32:17 +0100
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F233AA4.4030302@bogus.com>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com>
Message-ID: <4F235E31.3080705@bromirski.net>

On 2012-01-28 01:00, Joel jaeggli wrote:
>> C NSP has been full with threads about appalling microburst
>> performance of the 6500 for years..
> And people who care have been using something other than a c6500 for
> years. it's a 15 year old architecture, and it's had a pretty good run,
> but it's 2012.
> An ex8200 has 512MB per port on non-oversubscribed 10Gig ports and 42MB
> per port on 1Gig ports. that's a lot of ram.

6500 has up to 256MB for non-oversubscribed 10GE ports. People complaining about microburst tend to use the cheapest 6704 linecard, and 'microbursts' are a problem seen across most of the products that don't even try to have a 1/12th of a 6500 history.

Everyone has its own problems, and as people already said, not understanding the way properly sized buffers influence the way TCP traffic behaves can do more harm than good.

--
"There's no sense in being precise when    | Łukasz Bromirski
 you don't know what you're talking        | jid:lbromirski at jabber.org
 about."               John von Neumann    | http://lukasz.bromirski.net

From hannigan at gmail.com Fri Jan 27 21:20:08 2012
From: hannigan at gmail.com (Martin Hannigan)
Date: Fri, 27 Jan 2012 22:20:08 -0500
Subject: US DOJ victim letter
In-Reply-To:
References: <30970.1327688588@turing-police.cc.vt.edu>
Message-ID:

On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote:
>
>
> On 1/27/12 1:23 PM, "Valdis.Kletnieks at vt.edu"
> wrote:
>
>>On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said:
>>
>>> Bit odd, if it's a phish. Even more odd if it's actually from the Fed.
>>
>>What if it's a phish from a compromised Fed box? :)
>
> We've spoken to folks at various FBI field offices and at 26 Plaza in New
> York which is handling this case. Further, John Curran (ARIN CEO) has
> confirmed it's real via their own liaison and Paul Vixie is actually
> working with them on this.
>

It's definitely real.

Best,

-M<

From mtinka at globaltransit.net Fri Jan 27 22:53:25 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Jan 2012 12:53:25 +0800
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C93566@RWC-MBX1.corp.seven.com>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09C93566@RWC-MBX1.corp.seven.com>
Message-ID: <201201281253.29185.mtinka@globaltransit.net>

On Thursday, January 26, 2012 08:19:07 PM George Bonser wrote:
> I filter the entire space at the borders. Besides, if
> someone leaks the space, most people won't accept it,
> certainly any provider worth their salt won't. But one
> of the problems with ULA and the U part. With RFC 1918
> everyone is using the same space. So let's say 10
> million networks are using 10/8 and 10,000 of them are
> leaking bits of it. IF their providers accept their
> leaks and IF their providers' peers accept it, that
> leaves only 10,000 different places a 10/8 destined
> packet could go.

Just on this subject, we're peering with networks some may call "worth their salt", and what we've been seeing since we started peering with them is interesting.

This is an ACL applied on ingress across the peering interfaces (note that sequences 90 - 150 are our own APNIC allocations):

router-in-asia-1#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (13685079 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (5380 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (270500 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (5367880 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (3478 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any (10780785 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (1691 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any (35 matches)
    100 deny ip 119.110.128.0 0.0.127.255 any (50 matches)
    110 deny ip 124.158.224.0 0.0.31.255 any (4667 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (7747449 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (124 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (67 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (7665942 matches)
    160 permit ip any any (3080575612 matches)
router-in-asia-1#

router-in-asia-2#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (35529145 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (45 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (12950353 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (8902750 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (4495 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any (7 matches)
    70 deny ip 192.168.0.0 0.0.255.255 any (8805796 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (3269 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any (20 matches)
    100 deny ip 119.110.128.0 0.0.127.255 any
    110 deny ip 124.158.224.0 0.0.31.255 any (4436 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (6325852 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (857940 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (659 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (6618486 matches)
    160 permit ip any any (284108624 matches)
router-in-asia-2#

router-in-america#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (1226939 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (36 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (2464 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (379730 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (4 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any (987273 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (43 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any
    100 deny ip 119.110.128.0 0.0.127.255 any (4 matches)
    110 deny ip 124.158.224.0 0.0.31.255 any (2514 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (644354 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (11 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (22 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (641830 matches)
    160 permit ip any any (84287716 matches)
router-in-america#

For our v6 ingress filters on the same interfaces, we're seeing some matches for '3ffe::/16' and '2001:db8::/32' from Asia and the U.S.

Mark.

From mtinka at globaltransit.net Fri Jan 27 23:38:57 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Jan 2012 13:38:57 +0800
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com>
Message-ID: <201201281339.01426.mtinka@globaltransit.net>

On Thursday, January 26, 2012 02:57:59 AM George Bonser wrote:
> If there is a hardware change, you might need to update
> the FPGA images. That is a second file but doesn't
> happen with every release. In fact, you might not even
> need it of they DO release a new one because the change
> might be for the addition of FPGA images or changes to
> an image for blade you don't even have. But again, it is
> one combined file for all blades.

The issue we have now with IOS XR-based systems is the SMU's. Most times, the SMU's need to reload bits of the hardware, and it will be different files making different updates that each need to reload bits of the hardware (fabric, line cards, etc.).

Needless to say, a software upgrade of the main OS on IOS XR systems is very lengthy. I'm yet to do it in less than one hour, particularly if you're doing SMU's at the same time. Here, Junos wins (although, in all fairness, the systems aren't the same so maybe not a proper comparison to begin with).

But I understand Cisco are working on streamlining this in future releases of IOS XR, which would be welcome.
While I prefer SMU's to ISSU, the majority of them are not entirely hitless (contrary to the documentation accompanying an SMU), although it will take a shorter time to update via an SMU than the main OS, as of today anyway.

Mark.

From randy at psg.com Fri Jan 27 23:42:54 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 28 Jan 2012 14:42:54 +0900
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <201201281339.01426.mtinka@globaltransit.net>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <4F201CFF.20905@studio442.com.au> <596B74B410EE6B4CA8A30C3AF1A155EA09C92BD6@RWC-MBX1.corp.seven.com> <201201281339.01426.mtinka@globaltransit.net>
Message-ID:

> But I understand Cisco are working on streamlining this in
> future releases of IOS XR, which would be welcome. While I
> prefer SMU's to ISSU

my fear is that issu is a very complex hack to cover that it takes a
week to boot the turkey. and adding more complexity will not make
things better in the long run, probably worse in fact.

fix the boot process.

randy

From mtinka at globaltransit.net Fri Jan 27 23:55:37 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Jan 2012 13:55:37 +0800
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To:
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201281339.01426.mtinka@globaltransit.net>
Message-ID: <201201281355.38278.mtinka@globaltransit.net>

On Saturday, January 28, 2012 01:42:54 PM Randy Bush wrote:
> my fear is that issu is a very complex hack to cover that
> it takes a week to boot the turkey. and adding more
> complexity will not make things better in the long run,
> probably worse in fact.
True, and also to (well, in theory, anyway) not have to reload the box to launch new images in order to avoid any kind of downtime (even with a fixed boot process).

The problem with ISSU is that it requires specific support across specific protocols, features and hardware in the router, which invariably means having to run the latest code that supports the features you feel need ISSU, and/or the latest hardware that meets the ISSU requirements per the vendor (it's like chasing your own tail).

Since we schedule all maintenance in a maintenance window anyway (whether it's service-impacting or not), I see no point for ISSU. But to each their own.

Mark.

From randy at psg.com Fri Jan 27 23:58:13 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 28 Jan 2012 14:58:13 +0900
Subject: juniper mx80 vs cisco asr 1000
In-Reply-To: <201201281355.38278.mtinka@globaltransit.net>
References: <44EDB6D0-C480-4232-8FCD-4124D152849B@smugmug.com> <201201281339.01426.mtinka@globaltransit.net> <201201281355.38278.mtinka@globaltransit.net>
Message-ID:

> Since we schedule all maintenance in a maintenance window
> anyway (whether it's service-impacting or not), I see no
> point for ISSU. But to each their own.

so i can run images where the code and hw have not been seriously
complexified for issu. good.

randy

From mtinka at globaltransit.net Sat Jan 28 01:18:43 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Jan 2012 15:18:43 +0800
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9015881E3EBE8@PUR-EXCH07.ox.com>
References: <01aa01ccdcff$724111e0$56c335a0$@truenet.com> <483E6B0272B0284BA86D7596C40D29F9015881E3EBE8@PUR-EXCH07.ox.com>
Message-ID: <201201281518.47292.mtinka@globaltransit.net>

On Friday, January 27, 2012 11:08:27 PM Matthew Huff wrote:
> >From what I've read, the XBOX 720 is still going to have
> >traditional distribution but also including online
> >purchasing (think Steam). The goal is to go with a key
> >system to play the game. I think the idea you will be
> >able to register the game via phone, or other means as
> >well. However, their idea is to rid the world of the
> >secondary market of used games.

Or a hybrid.

I bought a copy of F1 2011 for PS3 and fired it up. In order to access certain areas of the game, I had to input a code when signed up to the Sony PlayStation Network, which was verified via the Internet. If I had no connectivity, I'd never be able to access those portions of the game.

Needless to say, a lot of games are now pushing massive updates via the Internet; on the order of hundreds of MB.

Mark.

From Matthew.Black at csulb.edu Sat Jan 28 02:56:31 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 08:56:31 +0000
Subject: Craigslist outage
Message-ID:

Accessing from Southern California.

Cannot get any pages to view, except a few "about" pages.
http://www.craigslist.org/about/help/system-status.html

Status says runs good, but cannot pull up any city sites or the basic home page http://www.craigslist.org.

Anyone else having trouble or are you able to get in?
matthew black
information technology services
california state university, long beach

From davidj at mckendrick.ca Sat Jan 28 03:01:55 2012
From: davidj at mckendrick.ca (David)
Date: Sat, 28 Jan 2012 01:01:55 -0800
Subject: Craigslist outage
In-Reply-To:
References:
Message-ID: <1327741315.2318.6.camel@beast.deigratia.ca>

Chicago loads, San Diego doesn't. Interesting.

On Sat, 2012-01-28 at 08:56 +0000, Matthew Black wrote:
> Accessing from Southern California.
>
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
>
> Status says runs good, but cannot pull up any city sites or the basic home page http://www.craigslist.org.
>
> Anyone else having trouble or are you able to get in?
>
> matthew black
> information technology services
> california state university, long beach
>

From Matthew.Black at csulb.edu Sat Jan 28 03:03:25 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 09:03:25 +0000
Subject: Craigslist outage
In-Reply-To: <1327741315.2318.6.camel@beast.deigratia.ca>
References: <1327741315.2318.6.camel@beast.deigratia.ca>
Message-ID:

www.craigslist.org, losangeles.craigslist.org and sfo.craigslist.org all fail.

matthew black
information technology services
california state university, long beach
562-985-5144

-----Original Message-----
From: David [mailto:davidj at mckendrick.ca]
Sent: Saturday, January 28, 2012 1:02 AM
To: Matthew Black
Cc: nanog at nanog.org
Subject: Re: Craigslist outage

Chicago loads, San Diego doesn't. Interesting.

On Sat, 2012-01-28 at 08:56 +0000, Matthew Black wrote:
> Accessing from Southern California.
>
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
>
> Status says runs good, but cannot pull up any city sites or the basic home page http://www.craigslist.org.
>
> Anyone else having trouble or are you able to get in?
>
> matthew black
> information technology services
> california state university, long beach
>

From henry at AegisInfoSys.com Sat Jan 28 03:05:51 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Sat, 28 Jan 2012 04:05:51 -0500
Subject: Craigslist outage
In-Reply-To:
References:
Message-ID: <20120128090551.GZ20061@nntp.AegisInfoSys.com>

On Sat, Jan 28, 2012 at 08:56:31AM +0000, Matthew Black wrote:
> Accessing from Southern California.
>
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
>
> Status says runs good, but cannot pull up any city sites or the basic home page http://www.craigslist.org.
>
> Anyone else having trouble or are you able to get in?

Works fine from Long Island, NY. I see that www.craigslist.org immediately loads geo.craigslist.org; maybe the latter is broken? (From here, it subsequently loads longisland.craigslist.org.)

--
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

From Matthew.Black at csulb.edu Sat Jan 28 03:14:52 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 09:14:52 +0000
Subject: Craigslist outage
In-Reply-To: <20120128090551.GZ20061@nntp.AegisInfoSys.com>
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com>
Message-ID:

Thanks everyone for the updates.

It looks like www.craigslist.org redirects to the nearest geographical craigslist site. Mine redirects to losangeles.craigslist.org, which is down.

Is it possible that some high-volume internet caching centers have gone down?

matthew black
information technology services
california state university, long beach
562-985-5144

-----Original Message-----
From: Henry Yen [mailto:henry at AegisInfoSys.com]
Sent: Saturday, January 28, 2012 1:06 AM
To: nanog at nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 08:56:31AM +0000, Matthew Black wrote:
> Accessing from Southern California.
>
> Cannot get any pages to view, except a few "about" pages.
> http://www.craigslist.org/about/help/system-status.html
>
> Status says runs good, but cannot pull up any city sites or the basic home page http://www.craigslist.org.
>
> Anyone else having trouble or are you able to get in?

Works fine from Long Island, NY. I see that www.craigslist.org immediately loads geo.craigslist.org; maybe the latter is broken? (From here, it subsequently loads longisland.craigslist.org.)

--
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

From henry at AegisInfoSys.com Sat Jan 28 03:25:48 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Sat, 28 Jan 2012 04:25:48 -0500
Subject: Craigslist outage
In-Reply-To:
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com>
Message-ID: <20120128092548.GA20061@nntp.AegisInfoSys.com>

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical
> craigslist site. Mine redirects to losangeles.craigslist.org, which is
> down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

From Matthew.Black at csulb.edu Sat Jan 28 03:32:15 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 09:32:15 +0000
Subject: Craigslist outage
In-Reply-To: <20120128092548.GA20061@nntp.AegisInfoSys.com>
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com> <20120128092548.GA20061@nntp.AegisInfoSys.com>
Message-ID:

Kind of supports my suspicion that a caching center (like Akamai) has gone down.

What does nslookup return for you?

I get losangeles.craigslist.org 208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms).

Possible routing problems for http traffic with Verizon FIOS?
The about page comes up

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Henry Yen [mailto:henry at AegisInfoSys.com]
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog at nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical
> craigslist site. Mine redirects to losangeles.craigslist.org, which is
> down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

From Matthew.Black at csulb.edu Sat Jan 28 03:39:04 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 09:39:04 +0000
Subject: Craigslist outage
In-Reply-To:
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com> <20120128092548.GA20061@nntp.AegisInfoSys.com>
Message-ID:

IE diagnose connection problem suggests a firewall issue.

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Matthew Black [mailto:Matthew.Black at csulb.edu]
Sent: Saturday, January 28, 2012 1:32 AM
To: nanog at nanog.org
Subject: RE: Craigslist outage

Kind of supports my suspicion that a caching center (like Akamai) has gone down.

What does nslookup return for you?

I get losangeles.craigslist.org 208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms).

Possible routing problems for http traffic with Verizon FIOS?
The about page comes up

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Henry Yen [mailto:henry at AegisInfoSys.com]
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog at nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical craigslist site. Mine redirects to losangeles.craigslist.org, which is down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York


From Matthew.Black at csulb.edu Sat Jan 28 03:59:44 2012
From: Matthew.Black at csulb.edu (Matthew Black)
Date: Sat, 28 Jan 2012 09:59:44 +0000
Subject: Craigslist outage
In-Reply-To:
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com> <20120128092548.GA20061@nntp.AegisInfoSys.com>
Message-ID:

Confirmed that it's Verizon FIOS. I remote logged into a system at work and had no trouble.

I'm dealing with tech support person that says "nobody blocks websites or changes routing tables." Big sigh.

Tech trying to get a supervisor and just came back with "he has another customer with the same problem." Taking a deep breath.

Thanks all for your help!

matthew black
information technology services
california state university, long beach

From: Matthew Black
Sent: Saturday, January 28, 2012 1:39 AM
To: Matthew Black; nanog at nanog.org
Subject: RE: Craigslist outage

IE diagnose connection problem suggests a firewall issue.

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Matthew Black [mailto:Matthew.Black at csulb.edu]
Sent: Saturday, January 28, 2012 1:32 AM
To: nanog at nanog.org
Subject: RE: Craigslist outage

Kind of supports my suspicion that a caching center (like Akamai) has gone down. What does nslookup return for you?
I get

losangeles.craigslist.org
208.82.238.129

DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms). Possible routing problems for http traffic with Verizon FIOS?

The about page comes up

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Henry Yen [mailto:henry at AegisInfoSys.com]
Sent: Saturday, January 28, 2012 1:26 AM
To: nanog at nanog.org
Subject: Re: Craigslist outage

On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote:
> It looks like www.craigslist.org redirects to the nearest geographical craigslist site. Mine redirects to losangeles.craigslist.org, which is down.

losangeles.craigslist.org is working from here (Long Island, NY).

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York


From saku at ytti.fi Sat Jan 28 04:07:24 2012
From: saku at ytti.fi (Saku Ytti)
Date: Sat, 28 Jan 2012 12:07:24 +0200
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi>
Message-ID: <20120128100724.GA7455@pob.ytti.fi>

On (2012-01-27 22:40 +0100), bas wrote:
> But do you generally agree that "the market" has a requirement for a deep-buffer TOR switch?
>
> Or am I crazy for thinking that my customers need such a solution?

No, you're not crazy. If your core is higher rate than your customer, then you need at minimum serialization delay difference of buffering. If core is 10G and access 100M, you need buffer for minimum of 100 packets, to handle the single 10G incoming, without any extra buffering.

Now if you add QoS on top of this, you probably need 100 per each class you are going to support.

And if switch does support QoS but operator configures only BE, and operator does not limit BE queue size, operator will see buffer bloat, and think it's a clueless vendor dropping expensive memory there for the lulz, while it's just a misconfigured box.
When it comes to these trident+ 64x10GE/48x10GE+4x40G, your serialization delay difference between interfaces is minimal, and so is buffering demand.

--
++ytti


From henry at AegisInfoSys.com Sat Jan 28 04:34:59 2012
From: henry at AegisInfoSys.com (Henry Yen)
Date: Sat, 28 Jan 2012 05:34:59 -0500
Subject: Craigslist outage
In-Reply-To:
References: <20120128090551.GZ20061@nntp.AegisInfoSys.com> <20120128092548.GA20061@nntp.AegisInfoSys.com>
Message-ID: <20120128103459.GP20061@nntp.AegisInfoSys.com>

On Sat, Jan 28, 2012 at 09:59:44AM +0000, Matthew Black wrote:
> Confirmed that it's Verizon FIOS. I remote logged into a system at work and had no trouble.

FiOS connection from here to losangeles.craigslist.org works.

> What does nslookup return for you? I get
> losangeles.craigslist.org
> 208.82.238.129

Same from here, but I don't use FiOS nameservers. dig +trace returns the same.

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York


From eugen at leitl.org Sat Jan 28 05:58:05 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 28 Jan 2012 12:58:05 +0100
Subject: photonic buffer bloat
Message-ID: <20120128115805.GL7343@leitl.org>

In future photonic networks (which will do relativistic cut-through directly in a photonic crossbar without converting photons to electrons and back) the fiber is not just a transport channel but also a photonic buffer (e.g. at 10 GBit/s Ethernet a short reach fiber already buffers a standard 1500 MTU). Of course photonic gates are expensive, individual delays do add up so even with slow light buffers or optical delay loops taken into consideration current TCP/IP header layout has not been optimized for leading edge containing most significant switching/routing information, or even local-knowledge routing (with no global routes). It's too bad IPv6 was not radical enough, so today's legacy protocols have to be tunneled through the networks of the future.
I presume this future is some 20-30 years away still.


From mohta at necom830.hpcl.titech.ac.jp Sat Jan 28 06:06:18 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sat, 28 Jan 2012 21:06:18 +0900
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120128100724.GA7455@pob.ytti.fi>
References: <20120127165515.GA2697@pob.ytti.fi> <20120128100724.GA7455@pob.ytti.fi>
Message-ID: <4F23E4BA.1040800@necom830.hpcl.titech.ac.jp>

Saku Ytti wrote:

> No, you're not crazy. If your core is higher rate than your customer, then you need at minimum serialization delay difference of buffering.
> If core is 10G and access 100M, you need buffer for minimum of 100 packets, to handle the single 10G incoming, without any extra buffering.

The required amount of memory is merely 150KB.

> Now if you add QoS on top of this, you probably need 100 per each class you are going to support.

If you have 10 classes, it is still 1.5MB.

> And if switch does support QoS but operator configures only BE, and operator does not limit BE queue size, operator will see buffer bloat,

1.5MB @ 10Gbps is only 1.2ms, which is not buffer bloat.

Masataka Ohta


From saku at ytti.fi Sat Jan 28 06:38:21 2012
From: saku at ytti.fi (Saku Ytti)
Date: Sat, 28 Jan 2012 14:38:21 +0200
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F23E4BA.1040800@necom830.hpcl.titech.ac.jp>
References: <20120127165515.GA2697@pob.ytti.fi> <20120128100724.GA7455@pob.ytti.fi> <4F23E4BA.1040800@necom830.hpcl.titech.ac.jp>
Message-ID: <20120128123821.GA7545@pob.ytti.fi>

On (2012-01-28 21:06 +0900), Masataka Ohta wrote:
> The required amount of memory is merely 150KB.

Assuming we don't support jumbo frames and switch cannot queue sub packet sizes (normally they can't but VXR at least has 512B cell concept, so tx-ring is packet size agnostic, but this is just PA-A3)

> If you have 10 classes, it is still 1.5MB.
Yup, that's not bad at all in 100M port, in fact 10 classes would be quite much.

> > And if switch does support QoS but operator configures only BE, and operator does not limit BE queue size, operator will see buffer bloat,
>
> 1.5MB @ 10Gbps is only 1.2ms, which is not buffer bloat.

You can't buffer these in ingress or you risk HOLB issue, you must buffer these in the egress 100M and drop in ingress if egress buffer is full.

But I fully agree, it's not buffer bloat. But having switch which does support very different traffic rates in ingress and egress (ingress could even be LACP, which further mandates larger buffers on egress) and if you also need to support QoS towards customer, the amount of buffer quickly reaches the level some of these vendors are supporting.

When it becomes buffer bloat, is when inexperienced operator allows all of the buffer to be used for single class in matching ingress/egress rates.

--
++ytti


From mohta at necom830.hpcl.titech.ac.jp Sat Jan 28 06:42:13 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sat, 28 Jan 2012 21:42:13 +0900
Subject: photonic buffer bloat
In-Reply-To: <20120128115805.GL7343@leitl.org>
References: <20120128115805.GL7343@leitl.org>
Message-ID: <4F23ED25.8040400@necom830.hpcl.titech.ac.jp>

Eugen Leitl wrote:

> In future photonic networks (which will do relativistic cut-through directly in a photonic crossbar without converting photons to electrons and back) the fiber is not just a transport channel but also a photonic buffer

Yes.

> (e.g. at 10 GBit/s Ethernet a short reach fiber already buffers a standard 1500 MTU).

Wrong. 10Gbps is too slow for optical buffering.

At 1Tbps, you can use 100 times less lengthy fiber than at 10Gbps to buffer packets. A 1Tbps packet can be constructed by simultaneously encoding 100 wavelengths at 10Gbps.

> Of course photonic gates are expensive, individual delays do add up so even with slow light buffers

Don't try to make light slower.
Slow light buffers have resonators, which means they have very very very narrow bandwidth.

Instead, make communication speed faster, which shortens fiber length of fiber delay line buffers.

> or optical delay loops taken into consideration current TCP/IP header layout has not been optimized for leading edge containing most significant switching/routing information, or even local-knowledge routing (with no global routes). It's too bad IPv6 was not radical enough, so today's legacy protocols have to be tunneled through the networks of the future.

Considering that, in practice, packet headers must be processed electrically, IPv4 at the photonic backbone is just fine, if most routing table entries are aggregated at /24 or better, which is the current practice. You only have to read a 16M entry SRAM.

A problem of IPv6 with 128bit addresses is that route lookup cannot be performed within a constant time of a few nanoseconds, which means packets have overrun fiber delay lines.

> I presume this future is some 20-30 years away still.

Not so much. Moore's law requires much more rapid bandwidth increase.

My slides presented at IEEE photonics society 2009 summer topical ftp://chacha.hpcl.titech.ac.jp/IEEE-ST.ppt might be interesting for you.

Masataka Ohta


From mohta at necom830.hpcl.titech.ac.jp Sat Jan 28 06:53:45 2012
From: mohta at necom830.hpcl.titech.ac.jp (Masataka Ohta)
Date: Sat, 28 Jan 2012 21:53:45 +0900
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <20120128123821.GA7545@pob.ytti.fi>
References: <20120127165515.GA2697@pob.ytti.fi> <20120128100724.GA7455@pob.ytti.fi> <4F23E4BA.1040800@necom830.hpcl.titech.ac.jp> <20120128123821.GA7545@pob.ytti.fi>
Message-ID: <4F23EFD9.8000105@necom830.hpcl.titech.ac.jp>

Saku Ytti wrote:

>>> And if switch does support QoS but operator configures only BE, and operator does not limit BE queue size, operator will see buffer bloat,
>>
>> 1.5MB @ 10Gbps is only 1.2ms, which is not buffer bloat.
>
> You can't buffer these in ingress or you risk HOLB issue, you must buffer these in the egress 100M and drop in ingress if egress buffer is full.

1.5MB @ 100Mbps is 120ms, which is prohibitively lengthy even as BE.

The solution is to have fewer classes.

For QoS assurance, you only need to have two classes for infinitely many flows with different QoS, if flows in higher priority class receive policing against reserved bandwidths of the flow.

Masataka Ohta

>
> But I fully agree, it's not buffer bloat. But having switch which does support very different traffic rates in ingress and egress (ingress could even be LACP, which further mandates larger buffers on egress) and if you also need to support QoS towards customer, the amount of buffer quickly reaches the level some of these vendors are supporting.
> When it becomes buffer bloat, is when inexperienced operator allows all of the buffer to be used for single class in matching ingress/egress rates.
>


From saku at ytti.fi Sat Jan 28 07:09:02 2012
From: saku at ytti.fi (Saku Ytti)
Date: Sat, 28 Jan 2012 15:09:02 +0200
Subject: 10GE TOR port buffers (was Re: 10G switch recommendaton)
In-Reply-To: <4F23EFD9.8000105@necom830.hpcl.titech.ac.jp>
References: <20120127165515.GA2697@pob.ytti.fi> <20120128100724.GA7455@pob.ytti.fi> <4F23E4BA.1040800@necom830.hpcl.titech.ac.jp> <20120128123821.GA7545@pob.ytti.fi> <4F23EFD9.8000105@necom830.hpcl.titech.ac.jp>
Message-ID: <20120128130902.GA7558@pob.ytti.fi>

On (2012-01-28 21:53 +0900), Masataka Ohta wrote:
> 1.5MB @ 100Mbps is 120ms, which is prohibitively lengthy even as BE.
>
> The solution is to have fewer classes.

The solution is to per class define max queue size, so user with fewer queues configured will not use all available buffer in remaining queues. JNPR MX is happy to buffer >4s on 10GE on QX interfaces.
Reading some posts on this thread seems to imply the vendor does not know what they are doing, but in this case there is good reason why there is potentially a lot of buffer space, and it's simply operator mistake not to limit it if the application is just a single class in a single vlan/untagged 10G interface.

--
++ytti


From lists at internetpolicyagency.com Sat Jan 28 07:11:24 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 28 Jan 2012 13:11:24 +0000
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <201201281518.47292.mtinka@globaltransit.net>
References: <01aa01ccdcff$724111e0$56c335a0$@truenet.com> <483E6B0272B0284BA86D7596C40D29F9015881E3EBE8@PUR-EXCH07.ox.com> <201201281518.47292.mtinka@globaltransit.net>
Message-ID:

In article <201201281518.47292.mtinka at globaltransit.net>, Mark Tinka writes
>Needless to say, a lot of games are now pushing massive updates via the Internet; on the order of hundreds of MB.

So does Microsoft Office (if you can call that a game).

--
Roland Perry


From mtinka at globaltransit.net Sat Jan 28 09:05:56 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 28 Jan 2012 23:05:56 +0800
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References: <201201281518.47292.mtinka@globaltransit.net>
Message-ID: <201201282306.00569.mtinka@globaltransit.net>

On Saturday, January 28, 2012 09:11:24 PM Roland Perry wrote:
> So does Microsoft Office (if you can call that a game).

So does Mac OS X Lion (exclusively, more so).

But I guess the trend the OP was raising was this distribution method shifting for console games.

As many have already mentioned, since the majority of consoles are in the home, the last mile to the home router is likely the choke point in most cases.
For consoles that will be sold outside "major" areas, one might not be able to get CDN coverage, so not only do they have to suffer with small last mile pipes, they also need to contend with higher latency to get to the nearest CDN (which may not be so close by).

Then, of course, there are those who might not be in a position to get any kind of Internet access to their consoles. This isn't such a terrible thing if games are released both on digital and hard copies, but it's quite unlikely maintenance updates for the game might be available on disc.

Mark.


From jg at freedesktop.org Sat Jan 28 09:28:08 2012
From: jg at freedesktop.org (Jim Gettys)
Date: Sat, 28 Jan 2012 10:28:08 -0500
Subject: BDP discussion pointers: was: Re pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org>
Message-ID: <4F241408.70205@freedesktop.org>

On 01/27/2012 08:31 PM, Randy Bush wrote:
>>> for those who say bufferbloat is a problem, do you have wred enabled on backbone or customer links?
>> For *most backbone networks* it is a no-op on the backbone. To be more precise, if the backbone is at least 10x, and preferably more like 50x faster than the largest single TCP flow from any customer it will be nearly impossible to measure the performance difference between a short FIFO queue and a WRED queue.
> when a line card is designed to buffer the b*d of a trans-pac 40g, the oddities on an intra-pop link have been observed to spike to multiple seconds.
See the CACM article Bufferbloat: Dark Buffers in the Internet, in the January CACM, by Kathy Nichols and myself or online at: http://cacm.acm.org/magazines/2012/1/144810-bufferbloat/fulltext

The section entitled "Revisiting the Bandwidth Delay Product" is germane to the discussion here. Fundamentally, the b*d "rule" isn't really very useful under most circumstances, though it helps to understand what it tells you, and may be a useful upper bound under some circumstances, though very seldom for a network operator such as found on the NANOG list.

The fundamental problem is most people don't know either the bandwidth, nor the delay.

The BDP is what you need for a single long lived TCP flow; as soon as you have multiple flows, it's over-estimating the buffering needed, even if you know the bandwidth and the delay...

And this work in particular for routers (or potentially switches) is important:

Appenzeller, G., Keslassy, I., McKeown, N. 2004. Sizing router buffers. ACM SIGCOMM, Portland, OR, (August). http://yuba.stanford.edu/~nickm/papers/sigcomm2004-extended.pdf

Ultimately, we need an AQM algorithm that works so well, and requires no configuration, so that we can just always have it on and we can forget about it; (W)RED and friends aren't it; but it's the best we've got for the moment that you can actually use. It's hopeless to try to use it in the home, where we have very highly variable bandwidth.

In backbone networks, the biggest reason I can see for enabling (W)RED may be for robustness sake: if you have a link and it congests, you can quickly be in a world of hurt. I wonder what happened in Japan after the earthquake.... And it should always be on on congested links you know about, of course.

There is hope on this front, but it's early days yet.
- Jim


From lists at internetpolicyagency.com Sat Jan 28 09:39:21 2012
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 28 Jan 2012 15:39:21 +0000
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <201201282306.00569.mtinka@globaltransit.net>
References: <201201281518.47292.mtinka@globaltransit.net> <201201282306.00569.mtinka@globaltransit.net>
Message-ID: <6fIHF7dpaBJPFAor@perry.co.uk>

In article <201201282306.00569.mtinka at globaltransit.net>, Mark Tinka writes
>Then, of course, there are those who might not be in a position to get any kind of Internet access to their consoles. This isn't such a terrible thing if games are released both on digital and hard copies, but it's quite unlikely maintenance updates for the game might be available on disc.

When did you last see a Windows or Office update available on disc?

(And don't say "buy the latest version retail" - in my experience they are the ones that are hit with the biggest install-update.)

--
Roland Perry


From jg at freedesktop.org Sat Jan 28 09:45:03 2012
From: jg at freedesktop.org (Jim Gettys)
Date: Sat, 28 Jan 2012 10:45:03 -0500
Subject: BDP discussion pointers: was: Re pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <4F241408.70205@freedesktop.org>
References: <20120127165515.GA2697@pob.ytti.fi> <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <4F241408.70205@freedesktop.org>
Message-ID: <4F2417FF.5000106@freedesktop.org>

On 01/28/2012 10:28 AM, Jim Gettys wrote:
> On 01/27/2012 08:31 PM, Randy Bush wrote:
>>>> for those who say bufferbloat is a problem, do you have wred enabled on backbone or customer links?
>>> For *most backbone networks* it is a no-op on the backbone.
>>> To be more precise, if the backbone is at least 10x, and preferably more like 50x faster than the largest single TCP flow from any customer it will be nearly impossible to measure the performance difference between a short FIFO queue and a WRED queue.
>> when a line card is designed to buffer the b*d of a trans-pac 40g, the oddities on an intra-pop link have been observed to spike to multiple seconds.
> See the CACM article Bufferbloat: Dark Buffers in the Internet, in the January CACM, by Kathy Nichols and myself or online at:
> http://cacm.acm.org/magazines/2012/1/144810-bufferbloat/fulltext
> The section entitled "Revisiting the Bandwidth Delay Product" is germane to the discussion here. Fundamentally, the b*d "rule" isn't really very useful under most circumstances, though it helps to understand what it tells you, and may be a useful upper bound under some circumstances, though very seldom for a network operator such as found on the NANOG list.
>
> The fundamental problem is most people don't know either the bandwidth, nor the delay.
>
> The BDP is what you need for a single long lived TCP flow; as soon as you have multiple flows, it's over-estimating the buffering needed, even if you know the bandwidth and the delay...
>
> And this work in particular for routers (or potentially switches) is important:
>
> Appenzeller, G., Keslassy, I., McKeown, N. 2004. Sizing router buffers. ACM SIGCOMM, Portland, OR, (August).
> http://yuba.stanford.edu/~nickm/papers/sigcomm2004-extended.pdf
>
> Ultimately, we need an AQM algorithm that works so well, and requires no configuration, so that we can just always have it on and we can forget about it; (W)RED and friends aren't it; but it's the best we've got for the moment that you can actually use. It's hopeless to try to use it in the home, where we have very highly variable bandwidth.
>
> In backbone networks, the biggest reason I can see for enabling (W)RED may be for robustness sake: if you have a link and it congests, you can quickly be in a world of hurt. I wonder what happened in Japan after the earthquake.... And it should always be on on congested links you know about, of course.

Also in particular see section 3.1 in the Sizing Router Buffers paper: if you don't have AQM enabled, *and* your router/switch is a bottleneck link, multiple long lived TCP flows will synchronise and you again need a full BDP sized buffer; this is why random drop in AQM algorithms is important.

So your mileage will vary. BDP really isn't useful most of the time, other than thinking about the problem in the first place.

- Jim


From mtinka at globaltransit.net Sat Jan 28 10:01:34 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 29 Jan 2012 00:01:34 +0800
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <6fIHF7dpaBJPFAor@perry.co.uk>
References: <201201282306.00569.mtinka@globaltransit.net> <6fIHF7dpaBJPFAor@perry.co.uk>
Message-ID: <201201290001.35069.mtinka@globaltransit.net>

On Saturday, January 28, 2012 11:39:21 PM Roland Perry wrote:
> When did you last see a Windows or Office update available on disc?

In my experience (especially in places where Internet access to the home is "tight" or non-existent), Windows and Office is normally used in the office, where Internet access is "not as tight". If folk have Windows or Office on their laptops, they'll take those laptops into the office and run updates from there. If they're using PC's at home, they'll download the offline copies of those updates and go home and install them via disc, USB or whatever.

Game consoles don't normally "make it to the office", hence my point earlier.

Mark.


From bmanning at vacation.karoshi.com Sat Jan 28 10:30:47 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Sat, 28 Jan 2012 16:30:47 +0000
Subject: US DOJ victim letter
In-Reply-To:
References: <30970.1327688588@turing-police.cc.vt.edu>
Message-ID: <20120128163047.GA25420@vacation.karoshi.com.>

On Fri, Jan 27, 2012 at 10:20:08PM -0500, Martin Hannigan wrote:
> On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote:
> >
> > On 1/27/12 1:23 PM, "Valdis.Kletnieks at vt.edu" wrote:
> >
> >>On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said:
> >>
> >>> Bit odd, if it's a phish. Even more odd if it's actually from the Fed.
> >>
> >>What if it's a phish from a compromised Fed box? :)
> >
> > We've spoken to folks at various FBI field offices and at 26 Plaza in New York which is handling this case. Further, John Curran (ARIN CEO) has confirmed it's real via their own liaison and Paul Vixie is actually working with them on this.
> >
> It's definitely real.
>
> Best,
>
> -M<
>

I missed the part where ARIN turned over its address database w/ associated registration information to the Fed ... I mean I've always advocated for LEO access, but there has been significant pushback from the community on unfettered access to that data. As I recall, there are even policies and processes to limit/restrict external queries to prevent a DDos of the whois servers. And some fairly strict policies on who gets dumps of the address space. As far as I know (not very far) bundling the address database -and- the registration data are not available to mere mortals.

So - just how DID the Fed get the data w/o violating ARIN policy?
/bill


From lowen at pari.edu Sat Jan 28 10:35:59 2012
From: lowen at pari.edu (Lamar Owen)
Date: Sat, 28 Jan 2012 11:35:59 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID: <201201281136.00093.lowen@pari.edu>

On Friday, January 27, 2012 05:56:19 AM Randy Bush wrote:
> > Can internet in USA support that? Call of Duty 15 releases may 2014 and 30 million gamers start downloading a 20 GB files. Would the internet collapse like a house of cards?.
> not a problem. the vast majority of the states is like a developing country [0], the last mile is pretty much a tin can and a string. so this will effectively throttle the load.

Being in 'the middle of nowhere' as I write, even we are a few notches above RFC1149 capabilities. As one visitor to our site (who had been recently to NRAO Greenbank) said 'if this isn't the middle of nowhere, you can probably see it from here.' Our base DSL is 7Mb/s down, 0.5Mb/s up, with 11Mb/s down and 1Mb/s up available to over 99% of our very rural county. We (work) have 1Gb/s on the local loop fiber pair, throttled to the amount of IP we actually pay for at the ISP's PoP.

Now if RFC1149 supported jumbo frames, it might give tin-cans-and-string a run for its money....


From john-nanog at johnpeach.com Sat Jan 28 10:39:33 2012
From: john-nanog at johnpeach.com (John Peach)
Date: Sat, 28 Jan 2012 11:39:33 -0500
Subject: US DOJ victim letter
In-Reply-To: <20120128163047.GA25420@vacation.karoshi.com>
References: <30970.1327688588@turing-police.cc.vt.edu> <20120128163047.GA25420@vacation.karoshi.com>
Message-ID: <20120128113933.695d3614@milhouse>

On Sat, 28 Jan 2012 16:30:47 +0000
bmanning at vacation.karoshi.com wrote:

> On Fri, Jan 27, 2012 at 10:20:08PM -0500, Martin Hannigan wrote:
> > On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote:
> > > [snip]
> I missed the part where ARIN turned over its address database w/ associated registration information to the Fed ...
> I mean I've always advocated for LEO access, but there has been significant pushback from the community on unfettered access to that data. As I recall, there are even policies and processes to limit/restrict external queries to prevent a DDos of the whois servers. And some fairly strict policies on who gets dumps of the address space. As far as I know (not very far) bundling the address database -and- the registration data are not available to mere mortals.
>
> So - just how DID the Fed get the data w/o violating ARIN policy?
>
> /bill
>

Ours came from our whois information.

--
John


From nathan at atlasnetworks.us Sat Jan 28 11:11:00 2012
From: nathan at atlasnetworks.us (Nathan Eisenberg)
Date: Sat, 28 Jan 2012 17:11:00 +0000
Subject: XBOX 720: possible digital download mass service.
In-Reply-To: <201201281136.00093.lowen@pari.edu>
References: <201201281136.00093.lowen@pari.edu>
Message-ID: <8C26A4FDAE599041A13EB499117D3C286B68E20E@ex-mb-1.corp.atlasnetworks.us>

> Now if RFC1149 supported jumbo frames, it might give tin-cans-and-string a run for its money....

It's a simple matter of weight ratios. A 5 oz bird cannot carry a 9000 mtu coconut.


From nanog at hostleasing.net Sat Jan 28 11:52:39 2012
From: nanog at hostleasing.net (Randy Epstein)
Date: Sat, 28 Jan 2012 12:52:39 -0500
Subject: Fiber outage in Miami
In-Reply-To: <4F1DC9C8.3060205@packetpimp.org>
Message-ID:

On 1/23/12 3:57 PM, "Jason LeBlanc" wrote:

>We are still impacted from what I understand.
>
>On 01/23/2012 10:02 AM, Jimmy Changa wrote:
>> Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for over almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted.
>>
>> Sent from mobile device
>

This is what happens when you don't follow proper procedure: http://web.hostleasing.net/~repstein/FiberlightOrder.pdf

Yes, we had to file a TRO against them.
Randy


From faisal at snappydsl.net Sat Jan 28 12:07:02 2012
From: faisal at snappydsl.net (Faisal Imtiaz)
Date: Sat, 28 Jan 2012 13:07:02 -0500
Subject: Fiber outage in Miami
In-Reply-To:
References:
Message-ID: <4F243946.6020500@snappydsl.net>

hmm... and what exactly does this accomplish ?

Faisal Imtiaz
Snappy Internet & Telecom

On 1/28/2012 12:52 PM, Randy Epstein wrote:
>
> On 1/23/12 3:57 PM, "Jason LeBlanc" wrote:
>
>> We are still impacted from what I understand.
>>
>> On 01/23/2012 10:02 AM, Jimmy Changa wrote:
>>> Was anyone impacted by a botched fiber move in Miami this weekend? I lost 2 pieces of dark fiber for over almost 24 hours due to a fiber move being performed by FiberLight. I'm curious if anyone else was impacted.
>>>
>>> Sent from mobile device
> This is what happens when you don't follow proper procedure:
> http://web.hostleasing.net/~repstein/FiberlightOrder.pdf
>
> Yes, we had to file a TRO against them.
>
> Randy
>


From nanog at hostleasing.net Sat Jan 28 12:09:17 2012
From: nanog at hostleasing.net (Randy Epstein)
Date: Sat, 28 Jan 2012 13:09:17 -0500
Subject: Fiber outage in Miami
In-Reply-To: <4F243946.6020500@snappydsl.net>
Message-ID:

On 1/28/12 1:07 PM, "Faisal Imtiaz" wrote:

>hmm... and what exactly does this accomplish ?
>
>Faisal Imtiaz
>Snappy Internet & Telecom

It forces Fiberlight to follow a procedure that was outlined in the TRO filing. Yes, a maintenance procedure.


From caldcv at gmail.com Sat Jan 28 12:11:11 2012
From: caldcv at gmail.com (Chris)
Date: Sat, 28 Jan 2012 13:11:11 -0500
Subject: Paypal outage?
Message-ID:

Anyone getting a 400 Bad Request from Paypal when you try to login to your account or make a transaction?

--
--C

"The dumber people think you are, the more surprised they're going to be when you kill them."
- Sir William Clayton From nanog at hostleasing.net Sat Jan 28 12:12:00 2012 From: nanog at hostleasing.net (Randy Epstein) Date: Sat, 28 Jan 2012 13:12:00 -0500 Subject: Fiber outage in Miami In-Reply-To: Message-ID: > > > >On 1/28/12 1:07 PM, "Faisal Imtiaz" wrote: > >>hmm... an what exactly does this accomplish ? >> >>Faisal Imtiaz >>Snappy Internet& Telecom > >It forces Fiberlight to follow a procedure that was outlined in the TRO >filing. Yes, a maintenance procedure. Oh, maybe you weren't aware. The maintenance was never completed. It was reverted back. Everyone is still feeding via Eqx-MI1. They wanted to perform the same maintenance again this weekend. Randy From blake at pfankuch.me Sat Jan 28 12:30:05 2012 From: blake at pfankuch.me (Blake Pfankuch) Date: Sat, 28 Jan 2012 18:30:05 +0000 Subject: Paypal outage? In-Reply-To: References: Message-ID: Seems to be working for me now. -----Original Message----- From: Chris [mailto:caldcv at gmail.com] Sent: Saturday, January 28, 2012 11:11 AM To: NANOG list Subject: Paypal outage? Anyone getting a 400 Bad Request from Paypal when you try to login to your account or make a transaction? -- --C "The dumber people think you are, the more surprised they're going to be when you kill them." - Sir William Clayton From faisal at snappydsl.net Sat Jan 28 12:33:55 2012 From: faisal at snappydsl.net (Faisal Imtiaz) Date: Sat, 28 Jan 2012 13:33:55 -0500 Subject: Fiber outage in Miami In-Reply-To: References: Message-ID: <4F243F93.7020001@snappydsl.net> ohh...... --------------------- They wanted to perform the same maintenance again this weekend. --------------------- This is new news to us.... ok, then it makes sense Anyone has seen on gotten a RFA or a deeper explanation of what happened from them ? 
Faisal Imtiaz Snappy Internet& Telecom 7266 SW 48 Street Miami, Fl 33155 Tel: 305 663 5518 x 232 Helpdesk: 305 663 5518 option 2 Email: Support at Snappydsl.net On 1/28/2012 1:12 PM, Randy Epstein wrote: >> >> >> On 1/28/12 1:07 PM, "Faisal Imtiaz" wrote: >> >>> hmm... an what exactly does this accomplish ? >>> >>> Faisal Imtiaz >>> Snappy Internet& Telecom >> It forces Fiberlight to follow a procedure that was outlined in the TRO >> filing. Yes, a maintenance procedure. > Oh, maybe you weren't aware. The maintenance was never completed. It was > reverted back. Everyone is still feeding via Eqx-MI1. > > They wanted to perform the same maintenance again this weekend. > > Randy > > > From nanog at hostleasing.net Sat Jan 28 12:36:47 2012 From: nanog at hostleasing.net (Randy Epstein) Date: Sat, 28 Jan 2012 13:36:47 -0500 Subject: Fiber outage in Miami In-Reply-To: <4F243F93.7020001@snappydsl.net> Message-ID: > >Anyone has seen on gotten a RFA or a deeper explanation of what >happened from them ? > > >Faisal Imtiaz >Snappy Internet& Telecom >7266 SW 48 Street >Miami, Fl 33155 >Tel: 305 663 5518 x 232 >Helpdesk: 305 663 5518 option 2 Email: Support at Snappydsl.net Yes. They blamed/burned the local crew and suggested that they fired them. Yes, they put this in the RFO. I have it, but I'm having legal determine if it can be made public record. Randy From frnkblk at iname.com Sat Jan 28 12:50:02 2012 From: frnkblk at iname.com (Frank Bulk) Date: Sat, 28 Jan 2012 12:50:02 -0600 Subject: Craigslist outage In-Reply-To: References: <20120128090551.GZ20061@nntp.AegisInfoSys.com> <20120128092548.GA20061@nntp.AegisInfoSys.com> Message-ID: <000001ccdded$a5144b20$ef3ce160$@iname.com> Much documented here: http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781 The thread is titled "DNS", but just ignore and read through. I don't understand how Verizon FiOS hasn't resolved this after two weeks. 
Frank -----Original Message----- From: Matthew Black [mailto:Matthew.Black at csulb.edu] Sent: Saturday, January 28, 2012 4:00 AM To: nanog at nanog.org Subject: RE: Craigslist outage Confirmed that it's Verizon FIOS. I remote logged into a system at work and had no trouble. I'm dealing with tech support person that says "nobody blocks websites or changes routing tables." Big sigh. Tech trying to get a supervisor and just came back with "he has another customer with the same problem." Taking a deep breath. Thanks all for your help! matthew black information technology services california state university, long beach From: Matthew Black Sent: Saturday, January 28, 2012 1:39 AM To: Matthew Black; nanog at nanog.org Subject: RE: Craigslist outage IE diagnose connection problem suggests a firewall issue. matthew black information technology services california state university, long beach -----Original Message----- From: Matthew Black [mailto:Matthew.Black at csulb.edu] Sent: Saturday, January 28, 2012 1:32 AM To: nanog at nanog.org Subject: RE: Craigslist outage Kind of supports my suspicion that a caching center (like Akamai) has gone down. What does nslookup return for you? I get losangeles.craigslist.org 208.82.238.129 DOS tracert finds that IP in 9 hops (20ms, 19ms, 19ms). Possible routing problems for http traffic with Verizon FIOS? The about page comes up matthew black information technology services california state university, long beach -----Original Message----- From: Henry Yen [mailto:henry at AegisInfoSys.com] Sent: Saturday, January 28, 2012 1:26 AM To: nanog at nanog.org Subject: Re: Craigslist outage On Sat, Jan 28, 2012 at 09:14:52AM +0000, Matthew Black wrote: > It looks like www.craigslist.org redirects to the nearest geographical > craigslist site. Mine redirects to losangeles.craigslist.org, which is > down. losangeles.craigslist.org is working from here (Long Island, NY). -- Henry Yen Aegis Information Systems, Inc. 
Senior Systems Programmer Hicksville, New York From joelja at bogus.com Sat Jan 28 12:53:16 2012 From: joelja at bogus.com (Joel jaeggli) Date: Sat, 28 Jan 2012 10:53:16 -0800 Subject: XBOX 720: possible digital download mass service. In-Reply-To: <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com> References: <542D6664-AF6F-40D6-84FD-B768A7A0E6B8@puck.nether.net> <4F22AE5E.6030708@gmail.com> <019f01ccdcfd$cffa8480$6fef8d80$@truenet.com> Message-ID: <4F24441C.3090404@bogus.com> On 1/27/12 06:13 , Eric Tykwinski wrote: > The PS Vita still uses a proprietary memory card format, so it's not just > download only. > The best example of download only would be OnLive, which basically is a game > system that only delivers on demand games. Onlive isn't download at all. the games play in the cloud and the input/output is streaming to from your devices. Steam, EA Origin, Xbox live are all examples of download delivery systems. > IMHO, it's the market that will determine whether this is the right choice > in the long run. > It's a creative way to eliminate the used market and stop piracy, but if the > consumers don't join up like the PSP Go, it will eventually fail. > > Sincerely, > > Eric Tykwinski > TrueNet, Inc. > P: 610-429-8300 > F: 610-429-3222 > > -----Original Message----- > From: -Hammer- [mailto:bhmccie at gmail.com] > Sent: Friday, January 27, 2012 9:02 AM > To: nanog at nanog.org > Subject: Re: XBOX 720: possible digital download mass service. > > Here's your baseline: Sony Vita. They already tossed the UMD out with the > PSP-GO and that failed miserably. Now they are trying again to go to digital > only with the Vita. It's not the scale of PS3 or XBOX360 but it may be a > good way to gauge the potential success of the concept. > > -Hammer- > > "I was a normal American nerd" > -Jack Herer > > > > On 1/27/2012 7:34 AM, Jared Mauch wrote: >> It's already done on a similar scale when apple releases new software for > their mobile devices. 
>> >> Just don't do it if you are on a low cap plan (eg: mobile, satellite etc). > Caps will be the new market discriminator IMHO. >> >> Jared Mauch >> >> On Jan 27, 2012, at 3:35 AM, Tei wrote: >> >>> Can internet in USA support that? Call of Duty 15 releases may 2014 >>> and 30 million gamers start downloading a 20 GB files. Would the >>> internet collapse like a house of cards?. >> > > > From joelja at bogus.com Sat Jan 28 13:03:54 2012 From: joelja at bogus.com (Joel jaeggli) Date: Sat, 28 Jan 2012 11:03:54 -0800 Subject: XBOX 720: possible digital download mass service. In-Reply-To: References: Message-ID: <4F24469A.5000306@bogus.com> On 1/27/12 02:35 , Tei wrote: > Can internet in USA support that? Call of Duty 15 releases may 2014 > and 30 million gamers start downloading a 20 GB files. Would the > internet collapse like a house of cards?. Given the way the these things are staged, the pre-order/pre-load model works pretty well. I would expect that many users sufficiently interested in Battle Field 3 to acquire it for launch day, already had a copy cached locally that unlocked itself at the right time. Mine did. To the extent that cached content can be tweaked via patching the distribution system can substantially anticipate the release of product. > If not, will be internet USA ready for the next next generation? ( 2018 ). > > From caldcv at gmail.com Sat Jan 28 13:09:10 2012 From: caldcv at gmail.com (Chris) Date: Sat, 28 Jan 2012 14:09:10 -0500 Subject: Paypal outage? In-Reply-To: <4F2440B7.5010205@deaddrop.org> References: <4F2440B7.5010205@deaddrop.org> Message-ID: I switched browsers and it seemed to clear it up. Just never seen an odd error like that before.. From jml at packetpimp.org Sat Jan 28 13:23:03 2012 From: jml at packetpimp.org (Jason LeBlanc) Date: Sat, 28 Jan 2012 14:23:03 -0500 Subject: Fiber outage in Miami In-Reply-To: References: Message-ID: <4F244B17.4000704@packetpimp.org> We got the same RFO. BS. 
On 01/28/2012 01:36 PM, Randy Epstein wrote: >> Anyone has seen on gotten a RFA or a deeper explanation of what >> happened from them ? >> >> >> Faisal Imtiaz >> Snappy Internet& Telecom >> 7266 SW 48 Street >> Miami, Fl 33155 >> Tel: 305 663 5518 x 232 >> Helpdesk: 305 663 5518 option 2 Email: Support at Snappydsl.net > Yes. They blamed/burned the local crew and suggested that they fired > them. Yes, they put this in the RFO. I have it, but I'm having legal > determine if it can be made public record. > > Randy > > > From josh.hoppes at gmail.com Sat Jan 28 14:01:23 2012 From: josh.hoppes at gmail.com (Josh Hoppes) Date: Sat, 28 Jan 2012 14:01:23 -0600 Subject: XBOX 720: possible digital download mass service. In-Reply-To: <4F24469A.5000306@bogus.com> References: <4F24469A.5000306@bogus.com> Message-ID: I've seen this discussion show up in a number of venues lately. I'm not at all surprised about the trend as I've been using Steam for a few years now. I expect they will take a similar path and continue to sell physical medium with keys to tie the game to an account, and do staged downloads using encrypted data which is unlocked at release time. The biggest content for games is really art assets, and much of that work is done months ahead of release and unlikely to change, while fine tuning and game logic (binaries) are small enough that staging downloads in tiers should be easy. There is also the system Blizzard is using for World of Warcraft where the game can stream content down while playing. Most of these publishers/developers already have pretty good grasps on what capabilities are at their disposal thanks to the DLC model they have now, they will just be going an order of magnitude larger on the downloads. I wonder how many will also attempt to leverage P2P models as well to assist CDNs, cheaper for them and maybe even a revenue generator for ISPs charging for transfer overages. 
From pete at altadena.net Sat Jan 28 14:54:45 2012
From: pete at altadena.net (Pete Carah)
Date: Sat, 28 Jan 2012 12:54:45 -0800
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References: <4F24469A.5000306@bogus.com>
Message-ID: <4F246095.3080802@altadena.net>

On 01/28/2012 12:01 PM, Josh Hoppes wrote:
> ...
> There is also the system
> Blizzard is using for World of Warcraft where the game can stream
> content down while playing. Most of these publishers/developers
> already have pretty good grasps on what capabilities are at their
> disposal thanks to the DLC model they have now, they will just be
> going an order of magnitude larger on the downloads. I wonder how many
> will also attempt to leverage P2P models as well to assist CDNs,

Blizzard already does this, torrent-like downloads for larger patch sets.
At least, unlike torrent itself, the upload direction does stop when you
stop the game...

> cheaper for them and maybe even a revenue generator for ISPs charging
> for transfer overages.

-- Pete

From ceo at inetdaemon.com Sat Jan 28 17:59:22 2012
From: ceo at inetdaemon.com (J. M. D. Patterson, CEO)
Date: Sat, 28 Jan 2012 18:59:22 -0500
Subject: XBOX 720: possible digital download mass service.
In-Reply-To:
References:
Message-ID: <001301ccde18$dbc4c930$934e5b90$@com>

Ahem:

"Never underestimate the bandwidth of a carrier pigeon with a 4GB USB stick"
http://news.bbc.co.uk/2/hi/8248056.stm

John Patterson
a.k.a "InetDaemon"

-----Original Message-----
Date: Sat, 28 Jan 2012 11:35:59 -0500
From: Lamar Owen
To: nanog at nanog.org
Subject: Re: XBOX 720: possible digital download mass service.
Message-ID: <201201281136.00093.lowen at pari.edu>
Content-Type: Text/Plain; charset="US-ASCII"

On Friday, January 27, 2012 05:56:19 AM Randy Bush wrote:
>> Can internet in USA support that? Call of Duty 15 releases may 2014
>> and 30 million gamers start downloading a 20 GB files. Would the
>> internet collapse like a house of cards?.
>
> not a problem. the vast majority of the states is like a developing
> country [0], the last mile is pretty much a tin can and a string. so
> this will effectively throttle the load.

Being in 'the middle of nowhere' as I write, even we are a few notches
above RFC1149 capabilities. As one visitor to our site (who had been
recently to NRAO Greenbank) said 'if this isn't the middle of nowhere, you
can probably see it from here.'

Our base DSL is 7Mb/s down, 0.5Mb/s up, with 11Mb/s down and 1Mb/s up
available to over 99% of our very rural county. We (work) have 1Gb/s on the
local loop fiber pair, throttled to the amount of IP we actually pay for at
the ISP's PoP.

Now if RFC1149 supported jumbo frames, it might give tin-cans-and-string a
run for its money....

From ryan.g at atwgpc.net Sat Jan 28 21:11:51 2012
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Sat, 28 Jan 2012 21:11:51 -0600
Subject: US DOJ victim letter
In-Reply-To: <20120128113933.695d3614@milhouse>
References: <30970.1327688588@turing-police.cc.vt.edu> <20120128163047.GA25420@vacation.karoshi.com> <20120128113933.695d3614@milhouse>
Message-ID:

The e-mail states it was sent to the specific e-mail address because it was
listed as the contact in WHOIS. Although you can opt-out from these notices
I believe as part of the DNS Changer case the court ordered the FBI to
notify ISPs.

On Sat, Jan 28, 2012 at 10:39 AM, John Peach wrote:
> On Sat, 28 Jan 2012 16:30:47 +0000
> bmanning at vacation.karoshi.com wrote:
>
>> On Fri, Jan 27, 2012 at 10:20:08PM -0500, Martin Hannigan wrote:
>>> On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote:
>>>
>> [snip]
>> I missed the part where ARIN turned over its address database w/
>> associated registration information to the Fed ... I mean I've always
>> advocated for LEO access, but there has been significant pushback from
>> the community on unfettered access to that data. As I recall, there are
>> even policies and processes to limit/restrict external queries to
>> prevent a DDoS of the whois servers. And some fairly strict policies on
>> who gets dumps of the address space. As far as I know (not very far)
>> bundling the address database -and- the registration data are not
>> available to mere mortals.
>>
>> So - just how DID the Fed get the data w/o violating ARIN policy?
>>
>> /bill
>>
>
> Ours came from our whois information.
>
> --
> John

From jbaino at gmail.com Sun Jan 29 00:13:14 2012
From: jbaino at gmail.com (Jeremy)
Date: Sun, 29 Jan 2012 01:13:14 -0500
Subject: MPLS Traffic Engineering Help
Message-ID:

Hi Everyone,

I could use a little help on MPLS and Traffic Engineering. Right now I'm
just trying to wrap my head around it. I currently have a couple tunnels
going in either direction, those are working fine (but certainly took me
long enough to get them working!) and I can direct traffic over them easy
enough. Now I'm looking into allocating/reserving bandwidth for a given
tunnel and if possible have it react to increased network loads and
recalculate its path if need be.

(Poor) Example: I have two paths that two different tunnels (A and B) will
go over, a T-1 and 100mbps ethernet. A is more important than B. When
traffic is low, I'd like them both to go over the 100mbps link so either
tunnel can fill the pipe, but if Tunnel A requires more bandwidth, Tunnel B
should react and move to the T-1.

Is this possible? or am I horribly confused? I'm not really looking for the
exact commands or the 'answer' to this problem, but some guidance would be
greatly appreciated. I'm working with Cisco gear, 2800's and such. This is
purely an academic exercise.

Thanks!
Jeremy

From mtinka at globaltransit.net Sun Jan 29 01:33:58 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 29 Jan 2012 15:33:58 +0800
Subject: Paypal outage?
In-Reply-To:
References: <4F2440B7.5010205@deaddrop.org>
Message-ID: <201201291534.01640.mtinka@globaltransit.net>

On Sunday, January 29, 2012 03:09:10 AM Chris wrote:
> I switched browsers and it seemed to clear it up. Just
> never seen an odd error like that before..

Tried emptying your browser cache and limiting how much it grows over time?

This helped solve a similar issue when my browser assumed my bank's
Internet banking web site was under maintenance for 2 weeks :-).

Mark.

From tom at snnap.net Sun Jan 29 06:35:40 2012
From: tom at snnap.net (Tom Storey)
Date: Sun, 29 Jan 2012 12:35:40 +0000
Subject: LX sfp minimum range
In-Reply-To:
References: <9CA8D3E3-1747-4EDF-B2FC-6CDD878D70B3@smugmug.com> <4F2108C4.4020706@bogus.com> <596B74B410EE6B4CA8A30C3AF1A155EA09C93BE0@RWC-MBX1.corp.seven.com> <4F22D4B0.8000803@its.msstate.edu>
Message-ID:

I once tried an LX-SMF-MMF-LX type setup using mode conditioning patch
leads between the SMF-MMF and MMF-LX portions of the span. I would be
hesitant to recommend it, simply touching the patch lead on the MMF-LX
portion would result in horrendous error counts. Suffice to say, we bit the
bullet and got some SMF blown through (tubes ftw).

I have also used LX-LX on short SMF runs of a couple of metres, for 1G and
10G, with no issues.

On 27 January 2012 16:47, Pierre-Yves Maunier wrote:
> 2012/1/27 Steven Tardy
>
>> On 01/26/12 16:33, Pierre-Yves Maunier wrote:
>>
>>> It can happen that SX works on singlemode but it can fail anytime.
>>>
>>> just because you can doesn't mean you should.
>>
>> we have experienced multiple cases where LX-MMF-LX works great for 3-5+
>> years...
>> then one day no longer gets link. swapping to a different fiber pair
>> restores link.
>> can't remember SX-MMF-SX failing after years of service.
>
> That's why I wrote 'but it can fail anytime' meaning, I strongly recommend
> to NOT do it.
>
> --
> Pierre-Yves Maunier

From blake at pfankuch.me Sun Jan 29 08:36:44 2012
From: blake at pfankuch.me (Blake Pfankuch)
Date: Sun, 29 Jan 2012 14:36:44 +0000
Subject: Paypal outage?
In-Reply-To: <201201291534.01640.mtinka@globaltransit.net>
References: <4F2440B7.5010205@deaddrop.org> <201201291534.01640.mtinka@globaltransit.net>
Message-ID:

Out of curiosity, are you using the latest Chrome Beta? I have seen a few
complaints this morning of other sites misbehaving with Chrome in general,
more with the latest beta.

-----Original Message-----
From: Mark Tinka [mailto:mtinka at globaltransit.net]
Sent: Sunday, January 29, 2012 12:34 AM
To: nanog at nanog.org
Subject: Re: Paypal outage?

On Sunday, January 29, 2012 03:09:10 AM Chris wrote:
> I switched browsers and it seemed to clear it up. Just never seen an
> odd error like that before..

Tried emptying your browser cache and limiting how much it grows over time?

This helped solve a similar issue when my browser assumed my bank's
Internet banking web site was under maintenance for 2 weeks :-).

Mark.
From jared at puck.nether.net Sun Jan 29 14:40:11 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Sun, 29 Jan 2012 15:40:11 -0500
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C967EB@RWC-MBX1.corp.seven.com>
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128020810.GA37239@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C967EB@RWC-MBX1.corp.seven.com>
Message-ID:

See below

Jared Mauch

On Jan 27, 2012, at 9:13 PM, George Bonser wrote:

>> Router(config)# policy-map pol1
>> Router(config-pmap)# class class-default
>> Router(config-pmap-c)# bandwidth per 70
>> Router(config-pmap-c)# random-detect
>> Router(config-pmap-c)# random-detect ecn
>>
>> Requires other bits in the network to be ECN aware, but if they are,
>> good stuff.
>>
>> --
>
> +1
>
> There is no excuse these days for stuff not to be ECN aware. That GREATLY
> mitigates things as it makes hosts aware pretty much immediately that there
> is congestion and they don't have to wait for a lost packet to time out. I
> brought it up to a Brocade engineer once asking for the option to set ECN
> rather than drop the packet and he said "nobody uses it". I told him nobody
> uses it because you don't have the feature available. How can anyone use it
> if you don't have the feature?

This sounds a lot like most people's IPv6 rationale as well.

I'm still feeling some scars from last time ECN was enabled in my hosts.
Many firewalls would eat packets with ECN enabled.
From starthir at gmail.com Sun Jan 29 16:02:28 2012
From: starthir at gmail.com (Alvaro Pereira)
Date: Sun, 29 Jan 2012 20:02:28 -0200
Subject: 10G switchrecommendaton
In-Reply-To: <4F229756.1060109@interworx.nl>
References: <4F226FD9.4050104@interworx.nl> <4F229756.1060109@interworx.nl>
Message-ID:

And note that the Juniper EX2500 does not run JUNOS, it is just an OEM box
from someone else...

Alvaro

On Fri, Jan 27, 2012 at 10:23, Tim Vollebregt wrote:
> 2,5MB shared approximately.
>
> Aggregating 10G with microbursts is definitely a no-go on such box.
>
> -Tim
>
> On 27-01-12 12:33, James Braunegg wrote:
>> How small is the buffer on the EX4500 ??
>>
>> Kindest Regards
>>
>> James Braunegg
>> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
>> E: james.braunegg at micron21.com | ABN: 12 109 977 666
>>
>> This message is intended for the addressee named above. It may contain
>> privileged or confidential information. If you are not the intended
>> recipient of this message you must not use, copy, distribute or disclose it
>> to anyone other than the addressee. If you have received this message in
>> error please return the message to the sender by replying to it and then
>> delete the message from your computer.
>>
>> -----Original Message-----
>> From: Tim Vollebregt [mailto:tim at interworx.nl]
>> Sent: Friday, January 27, 2012 8:35 PM
>> To: nanog at nanog.org
>> Subject: Re: 10G switchrecommendaton
>>
>> I would not recommend EX4500 as a 10G aggregator switch, it has really
>> small buffers.
>>
>> EX3300 as TOR
>> EX82** as 10G aggregator
>>
>> -Tim
>>
>> On 26-01-12 22:13, Raul Rodriguez wrote:
>>> Juniper EX4500.
>>>
>>> -RR
>>>
>>> On 1/26/12, Deric Kwok wrote:
>>>> Hi all
>>>>
>>>> I would like to have 10G switchrecommendaton Ipref software can test
>>>> around 9.2G but we can have congestion over 6G in single port!
>>>>
>>>> Thank you

From nanog-post at rsuc.gweep.net Sun Jan 29 16:27:21 2012
From: nanog-post at rsuc.gweep.net (Joe Provo)
Date: Sun, 29 Jan 2012 17:27:21 -0500
Subject: 10G switchrecommendaton
In-Reply-To:
References: <4F226FD9.4050104@interworx.nl> <4F229756.1060109@interworx.nl>
Message-ID: <20120129222721.GA4622@gweep.net>

On Sun, Jan 29, 2012 at 08:02:28PM -0200, Alvaro Pereira wrote:
> And note that the Juniper EX2500 does not run JUNOS, it is just an OEM box
> from someone else...

Blade Networks, now IBM.

> Alvaro
>
> On Fri, Jan 27, 2012 at 10:23, Tim Vollebregt wrote:
> > 2,5MB shared approximately.
> >
> > Aggregating 10G with microbursts is definitely a no-go on such box.
> >
> > -Tim
> >
> > On 27-01-12 12:33, James Braunegg wrote:
> >> How small is the buffer on the EX4500 ??
> >>
> >> Kindest Regards
> >>
> >> James Braunegg
> >> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> >> E: james.braunegg at micron21.com | ABN: 12 109 977 666
> >>
> >> -----Original Message-----
> >> From: Tim Vollebregt [mailto:tim at interworx.nl]
> >> Sent: Friday, January 27, 2012 8:35 PM
> >> To: nanog at nanog.org
> >> Subject: Re: 10G switchrecommendaton
> >>
> >> I would not recommend EX4500 as a 10G aggregator switch, it has really
> >> small buffers.
> >>
> >> EX3300 as TOR
> >> EX82** as 10G aggregator
> >>
> >> -Tim
> >>
> >> On 26-01-12 22:13, Raul Rodriguez wrote:
> >>> Juniper EX4500.
> >>>
> >>> -RR
> >>>
> >>> On 1/26/12, Deric Kwok wrote:
> >>>> Hi all
> >>>>
> >>>> I would like to have 10G switchrecommendaton Ipref software can test
> >>>> around 9.2G but we can have congestion over 6G in single port!
> >>>>
> >>>> Thank you

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG

From gbonser at seven.com Sun Jan 29 16:57:53 2012
From: gbonser at seven.com (George Bonser)
Date: Sun, 29 Jan 2012 22:57:53 +0000
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128020810.GA37239@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C967EB@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C974A6@RWC-MBX1.corp.seven.com>

>> This sounds a lot like most people's IPv6 rationale as well.
>
> I'm still feeling some scars from last time ECN was enabled in my
> hosts. Many firewalls would eat packets with ECN enabled.

That was, I believe, nearly 10 years ago, was it not? There has been
considerable testing with ECN with the bufferbloat folks and I have done
some myself and haven't noticed anyone blocking ECN lately. There might
still be a few corner cases out there, but none that I have noticed.

What you will find, according to what I have read by others doing testing,
is that some networks will clobber the ECN bits (reset them) but pass the
traffic. These days at worst you would not be able to negotiate ECN but the
traffic wouldn't be blocked. Anyone clearing the entire DSCP byte on
traffic entering their network, for example, would clobber ECN but not
block the traffic.

The key thing here would be to have people NOT clear ECN bits on traffic
flowing through their network to allow it to be negotiated end to end by
the hosts involved in the transaction.

From gbonser at seven.com Sun Jan 29 18:07:00 2012
From: gbonser at seven.com (George Bonser)
Date: Mon, 30 Jan 2012 00:07:00 +0000
Subject: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
In-Reply-To:
References: <20120127215227.GA28688@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C965B5@RWC-MBX1.corp.seven.com> <4F233404.2060004@bogus.com> <4F233AA4.4030302@bogus.com> <20120128012249.GB35610@ussenterprise.ufp.org> <20120128020810.GA37239@ussenterprise.ufp.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C967EB@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C974D2@RWC-MBX1.corp.seven.com>

Additionally, ECN is just between hosts, end to end. If a flow is not ECN
enabled (neither of the ECN bits set), then the routing gear does what it
always has done, drop a packet. Only if one of the ECN bits is already set
(meaning the flow is ECN aware, end to end) does the router set the other
bit to signal congestion. So enabling this on routing gear would have no
impact on user traffic except to allow a better experience for ECN aware
flows.

In other words, allowing this option in the network gear would have no
impact on non-ECN flows and only help flows that negotiated ECN end-to-end
at connection setup. These flows would already be known to be trouble-free
for ECN else they wouldn't have been able to negotiate it.
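As an added illustration of the two ECN points made in the last two messages (not code from the thread, from Cisco, or from any vendor), the Python below models a congested queue that drops Not-ECT packets but only CE-marks ECT ones, and a DSCP remark that rewrites the whole TOS byte and so strips ECT from a flow before it reaches that queue. The hop functions, the EF DSCP value and the sample IPv4 header are constructed for the example.

```python
"""ECN marking versus dropping at a congested hop, and what a DSCP remark
that clobbers the whole TOS byte does to an ECN-capable flow.

Constructed example; not code from any poster or vendor.
RFC 3168 layout of the IPv4 TOS byte: 6-bit DSCP, then the 2-bit ECN field.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11
ECN_MASK = 0b11
DSCP_EF = 46  # Expedited Forwarding; sample DSCP value for the flow below


@dataclass(frozen=True)
class Packet:
    tos: int  # full 8-bit TOS / Traffic Class byte

    @property
    def ecn(self) -> int:
        return self.tos & ECN_MASK

    @property
    def dscp(self) -> int:
        return self.tos >> 2


Action = Tuple[str, Optional[Packet]]
Hop = Callable[[Packet], Action]


def ecn_from_ipv4_header(raw: bytes) -> int:
    """ECN field of a raw IPv4 header: the low two bits of the second byte."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return raw[1] & ECN_MASK


def congested_hop(pkt: Packet) -> Action:
    """An AQM/RED queue that has decided this packet must signal congestion.
    Not-ECT: the only option is to drop.  ECT(0)/ECT(1): set CE and forward.
    Already CE: forwarded unchanged (OR-ing CE onto CE is a no-op)."""
    if pkt.ecn == NOT_ECT:
        return "drop", None
    return "mark", replace(pkt, tos=pkt.tos | CE)


def quiet_hop(pkt: Packet) -> Action:
    """Uncongested hop: forward as-is."""
    return "forward", pkt


def dscp_clobber_hop(pkt: Packet, dscp: int = 0) -> Action:
    """Harmful remark from the thread: overwrite the entire byte.  The ECN
    field becomes 00, so downstream gear sees a Not-ECT flow."""
    return "remark", replace(pkt, tos=dscp << 2)


def dscp_preserve_hop(pkt: Packet, dscp: int = 0) -> Action:
    """Correct remark: rewrite only the upper six bits, keep the ECN bits."""
    return "remark", replace(pkt, tos=(dscp << 2) | pkt.ecn)


def traverse(pkt: Packet, path: List[Hop]) -> Tuple[List[str], Optional[Packet]]:
    """Push one packet through a path of hops; stop at the first drop."""
    actions: List[str] = []
    for hop in path:
        action, pkt = hop(pkt)
        actions.append(action)
        if pkt is None:
            break
    return actions, pkt


def compare_paths() -> dict:
    """Same ECT(0) flow over a path that preserves ECN and one that clobbers it."""
    flow = Packet(tos=(DSCP_EF << 2) | ECT0)  # ECN negotiated end to end
    preserving = [dscp_preserve_hop, quiet_hop, congested_hop]
    clobbering = [dscp_clobber_hop, quiet_hop, congested_hop]
    return {
        "preserving": traverse(flow, preserving),  # marked CE, delivered
        "clobbering": traverse(flow, clobbering),  # now Not-ECT, dropped
    }


# Constructed IPv4 header: version/IHL 0x45, TOS 0xBA = DSCP 46 + ECT(0).
SAMPLE_IPV4_HEADER = bytes([0x45, 0xBA]) + bytes(18)

if __name__ == "__main__":
    for name, (actions, survivor) in compare_paths().items():
        print(name, actions, "ecn=%s" % (survivor.ecn if survivor else "dropped"))
```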
From piotr.salwerowicz at gmail.com Mon Jan 30 02:40:02 2012 From: piotr.salwerowicz at gmail.com (Piotr Salwerowicz) Date: Mon, 30 Jan 2012 09:40:02 +0100 Subject: 10G switchrecommendaton In-Reply-To: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> References: <9C40116D-53A4-41E5-BB4D-101820B2A7D7@A2B-Internet.com> Message-ID: <4F265762.7010409@gmail.com> W dniu 2012-01-27 09:32, Erik Bais pisze: > We have a full purple network, so my answer for this would be Extreme Networks. > We have a few Black Diamond 8800. There is big problem with microburst, congestion. There is only 4MB buffers per slot allocated dynamicly. Extreme support said: make LAG or buy another switch. Maybe this switch will be ok as access but not core or aggregaitng. regards Piotr From rodrick.brown at gmail.com Mon Jan 30 06:00:15 2012 From: rodrick.brown at gmail.com (Rodrick Brown) Date: Mon, 30 Jan 2012 07:00:15 -0500 Subject: 10G switchrecommendaton In-Reply-To: <20120129222721.GA4622@gweep.net> References: <4F226FD9.4050104@interworx.nl> <4F229756.1060109@interworx.nl> <20120129222721.GA4622@gweep.net> Message-ID: <30EECD6D-94CB-46E5-AFEF-95FAE6EFD066@gmail.com> On Jan 29, 2012, at 5:27 PM, Joe Provo wrote: > On Sun, Jan 29, 2012 at 08:02:28PM -0200, Alvaro Pereira wrote: >> And note that the Juniper EX2500 does not run JUNOS, it is just an OEM box >> from someone else... > > Blade Networks, now IBM. If I remember correctly I believe Blade Networks licenses the same fulcrum ASIC's as the Arista's. >> >> Alvaro >> >> On Fri, Jan 27, 2012 at 10:23, Tim Vollebregt wrote: >> >>> 2,5MB shared approximately. >>> >>> Aggregating 10G with microbursts is definately a no-go on such box. >>> >>> -Tim >>> >>> >>> On 27-01-12 12:33, James Braunegg wrote: >>> >>>> How small is the buffer on the EX4500 ?? 
>>>> >>>> Kindest Regards >>>> >>>> James Braunegg >>>> W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 >>>> E: james.braunegg at micron21.com | ABN: 12 109 977 666 >>>> >>>> >>>> This message is intended for the addressee named above. It may contain >>>> privileged or confidential information. If you are not the intended >>>> recipient of this message you must not use, copy, distribute or disclose it >>>> to anyone other than the addressee. If you have received this message in >>>> error please return the message to the sender by replying to it and then >>>> delete the message from your computer. >>>> >>>> >>>> -----Original Message----- >>>> From: Tim Vollebregt [mailto:tim at interworx.nl] >>>> Sent: Friday, January 27, 2012 8:35 PM >>>> To: nanog at nanog.org >>>> Subject: Re: 10G switchrecommendaton >>>> >>>> I would not recommend EX4500 as an 10G aggregator switch, it has really >>>> small buffers. >>>> >>>> EX3300 as TOR >>>> EX82** as 10G aggregator >>>> >>>> -Tim >>>> >>>> On 26-01-12 22:13, Raul Rodriguez wrote: >>>> >>>>> Juniper EX4500. >>>>> >>>>> -RR >>>>> >>>>> On 1/26/12, Deric Kwok wrote: >>>>> >>>>>> Hi all >>>>>> >>>>>> I would like to have 10G switchrecommendaton Ipref software can test >>>>>> around 9.2G but we can have congestion over 6G in single port! >>>>>> >>>>>> Thank you >>>>>> >>>>>> >>>>>> >>> > > -- > RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG > From andreas.larsen at ip-only.se Mon Jan 30 07:13:21 2012 From: andreas.larsen at ip-only.se (Andreas Larsen) Date: Mon, 30 Jan 2012 14:13:21 +0100 Subject: SV: 10G switchrecommendaton In-Reply-To: References: Message-ID: I would check out Extremes x670-48v they are very very affordable and have very low latency, We just bought a couple of them, And they do 40G module cards also. 
// Andreas

-----Original Message-----
From: Deric Kwok [mailto:deric.kwok2000 at gmail.com]
Sent: 26 January 2012 21:21
To: nanog list
Subject: 10G switchrecommendaton

Hi all

I would like to have a 10G switch recommendation. Iperf software can test around 9.2G but we can have congestion over 6G in a single port!

Thank you

From jbates at brightok.net Mon Jan 30 09:54:02 2012 From: jbates at brightok.net (Jack Bates) Date: Mon, 30 Jan 2012 09:54:02 -0600 Subject: US DOJ victim letter In-Reply-To: References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com> Message-ID: <4F26BD1A.4060707@brightok.net>

On 1/27/2012 2:23 PM, Jon Lewis wrote:
>
> It's definitely real, but seems like they're handling it as incompetently as possible. We got numerous copies to the same email address, the logins didn't work initially. The phone numbers given are of questionable utility. Virtually no useful information was provided.
> My attitude at this point is, ignore it until they provide some useful information.
>

We finally got the hard copy. No customer IP listed, just our recursive resolvers, both for the customers as well as the ones that handle the MX servers.

All that waiting and work for apparently nothing. I'm going to guess that my bind servers aren't malware infected (outside of being bind j/king).

Jack

From matthew at corp.crocker.com Mon Jan 30 09:56:10 2012 From: matthew at corp.crocker.com (Matthew S. Crocker) Date: Mon, 30 Jan 2012 10:56:10 -0500 (EST) Subject: US DOJ victim letter In-Reply-To: <4F26BD1A.4060707@brightok.net> Message-ID:

----- Original Message -----
> From: "Jack Bates"
> To: "Jon Lewis"
> Cc: nanog at nanog.org
> Sent: Monday, January 30, 2012 10:54:02 AM
> Subject: Re: US DOJ victim letter
>
> On 1/27/2012 2:23 PM, Jon Lewis wrote:
> >
> > It's definitely real, but seems like they're handling it as
> > incompetently as possible.
> > We got numerous copies to the same email address, the logins didn't work initially. The phone numbers given are of questionable utility. Virtually no useful information was provided.
> > My attitude at this point is, ignore it until they provide some useful information.
> >
>
> We finally got the hard copy. No customer IP listed, just our recursive resolvers, both for the customers as well as the ones that handle the MX servers.
>
> All that waiting and work for apparently nothing. I'm going to guess that my bind servers aren't malware infected (outside of being bind j/king).
>

Same here. The hard copy came the other day with the access codes to download the IP list. Every IP on the list was for a resolving DNS server on our IP space. Total waste of time.

From rps at maine.edu Mon Jan 30 10:08:45 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 30 Jan 2012 11:08:45 -0500 Subject: Console Server Recommendation Message-ID:

What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.

OpenGear seems to have some nice stuff, anyone else?

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From mhuff at ox.com Mon Jan 30 10:16:39 2012 From: mhuff at ox.com (Matthew Huff) Date: Mon, 30 Jan 2012 11:16:39 -0500 Subject: Console Server Recommendation In-Reply-To: References: Message-ID: <483E6B0272B0284BA86D7596C40D29F9019288BB68A2@PUR-EXCH07.ox.com>

We use MRV, and are very happy with them:

http://www.mrv.com/oobn/console-servers/

----
Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax:
914-460-4139

> -----Original Message-----
> From: Ray Soucy [mailto:rps at maine.edu]
> Sent: Monday, January 30, 2012 11:09 AM
> To: NANOG
> Subject: Console Server Recommendation
>
> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> OpenGear seems to have some nice stuff, anyone else?
>
> --
> Ray Soucy
> Epic Communications Specialist
> Phone: +1 (207) 561-3526
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/

From nanog at maunier.org Mon Jan 30 10:18:22 2012 From: nanog at maunier.org (Pierre-Yves Maunier) Date: Mon, 30 Jan 2012 17:18:22 +0100 Subject: Console Server Recommendation In-Reply-To: References: Message-ID:

2012/1/30 Ray Soucy
> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> OpenGear seems to have some nice stuff, anyone else?
>
> --
> Ray Soucy
>

We're using Opengear CM4116 to have remote console access to all our routers, switches and WDM transponders. They work well and do the job.

Avocent is also another player you might consider with their ACS series. I don't know much about the others.

--
Pierre-Yves Maunier

From jackson.tim at gmail.com Mon Jan 30 10:22:24 2012 From: jackson.tim at gmail.com (Tim Jackson) Date: Mon, 30 Jan 2012 10:22:24 -0600 Subject: Console Server Recommendation In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9019288BB68A2@PUR-EXCH07.ox.com> References: <483E6B0272B0284BA86D7596C40D29F9019288BB68A2@PUR-EXCH07.ox.com> Message-ID:

On Mon, Jan 30, 2012 at 10:16 AM, Matthew Huff wrote:
> We use MRV, and are very happy with them:
>
> http://www.mrv.com/oobn/console-servers/

At least someone is.. We couldn't keep their -48vdc products from dying every few months requiring a manual reboot, or hardware replacement.
Outside of that, they did a few things nobody else seemed to do, but they had a few drawbacks such as pppd not supporting classless on inbound dial-in connections (hopefully that's fixed now).

--
Tim

From paul at paulstewart.org Mon Jan 30 10:24:32 2012 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 30 Jan 2012 11:24:32 -0500 Subject: Console Server Recommendation In-Reply-To: References: Message-ID: <011d01ccdf6b$a78d6ce0$f6a846a0$@paulstewart.org>

We really like Lantronix .. use them a lot.

Paul

-----Original Message-----
From: Ray Soucy [mailto:rps at maine.edu]
Sent: Monday, January 30, 2012 11:09 AM
To: NANOG
Subject: Console Server Recommendation

What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.

OpenGear seems to have some nice stuff, anyone else?

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From JTyler at fiberutilities.com Mon Jan 30 10:25:10 2012 From: JTyler at fiberutilities.com (Jensen Tyler) Date: Mon, 30 Jan 2012 10:25:10 -0600 Subject: Console Server Recommendation In-Reply-To: References: Message-ID: <1A8A762BD508624A8BDAB9F5E1638F94601CC98989@comsrv01.fg.local>

+1 Opengear

Jensen Tyler
Sr Engineering Manager
Fiberutilities Group, LLC
(319) 297-6915 (office) *NEW
(319) 364-8100 (fax)
(319) 329-8578 (mobile)

-----Original Message-----
From: Ray Soucy [mailto:rps at maine.edu]
Sent: Monday, January 30, 2012 10:09 AM
To: NANOG
Subject: Console Server Recommendation

What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.

OpenGear seems to have some nice stuff, anyone else?
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From bhmccie at gmail.com Mon Jan 30 10:26:19 2012 From: bhmccie at gmail.com (-Hammer-) Date: Mon, 30 Jan 2012 10:26:19 -0600 Subject: Console Server Recommendation In-Reply-To: References: Message-ID: <4F26C4AB.9050204@gmail.com>

Avocent Cyclades ACS. Enterprise class.

http://www.avocent.com/Products/Category/Serial_Appliances.aspx

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 1/30/2012 10:08 AM, Ray Soucy wrote:
> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> OpenGear seems to have some nice stuff, anyone else?
>

From dwhite at olp.net Mon Jan 30 10:31:39 2012 From: dwhite at olp.net (Dan White) Date: Mon, 30 Jan 2012 10:31:39 -0600 Subject: Console Server Recommendation In-Reply-To: <011d01ccdf6b$a78d6ce0$f6a846a0$@paulstewart.org> References: <011d01ccdf6b$a78d6ce0$f6a846a0$@paulstewart.org> Message-ID: <20120130163139.GC5166@dan.olp.net>

+1 for the Lantronix SLC.

On 01/30/12 11:24 -0500, Paul Stewart wrote:
>We really like Lantronix .. use them a lot.
>
>Paul
>
>-----Original Message-----
>From: Ray Soucy [mailto:rps at maine.edu]
>Sent: Monday, January 30, 2012 11:09 AM
>To: NANOG
>Subject: Console Server Recommendation
>
>What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
>OpenGear seems to have some nice stuff, anyone else?
>
>--
>Ray Soucy
>Epic Communications Specialist
>Phone: +1 (207) 561-3526
>Networkmaine, a Unit of the University of Maine System
>http://www.networkmaine.net/

From leigh.porter at ukbroadband.com Mon Jan 30 10:47:03 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Mon, 30 Jan 2012 16:47:03 +0000 Subject: Console Server Recommendation In-Reply-To: References: Message-ID:

On 30 Jan 2012, at 16:10, "Ray Soucy" wrote:

> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> OpenGear seems to have some nice stuff, anyone else?
>

+1 for OpenGear. I asked this same question about a year ago..

--
Leigh

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

From nanog at ijg.me.uk Mon Jan 30 10:46:50 2012 From: nanog at ijg.me.uk (Ian Goodall) Date: Mon, 30 Jan 2012 16:46:50 +0000 Subject: Console Server Recommendation In-Reply-To: Message-ID:

On 30/01/2012 16:08, "Ray Soucy" wrote:

>OpenGear seems to have some nice stuff, anyone else?

+1 for OpenGear. They come in a range of port densities, AC or DC power, various OOB options and were significantly cheaper than the Avocent alternatives. I have used the IM4200 in larger sites and also ACM5000 and CM4000 in small POPs without issue.

Ian

From mvh at hosteurope.de Mon Jan 30 10:49:23 2012 From: mvh at hosteurope.de (Malte von dem Hagen) Date: Mon, 30 Jan 2012 17:49:23 +0100 Subject: Console Server Recommendation In-Reply-To: References: Message-ID: <4F26CA13.20103@hosteurope.de>

Hi,

leigh.porter at ukbroadband.com wrote on Mon, 2012-01-30 at 17:47+0100:
>
> On 30 Jan 2012, at 16:10, "Ray Soucy" wrote:
>
>> What are people using for console servers these days?
>> We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>
>> OpenGear seems to have some nice stuff, anyone else?
>>
>
> +1 for OpenGear. I asked this same question about a year ago..

+1 from me. Their boxes really rock. It just saved my life that you can fully access the underlying Linux as root (in my case to debug the mgetty on the box).

Rgds,

Malte
--
Malte von dem Hagen
Head of Network Engineering & Operations
-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - VAT ID: DE187370678
Managing directors: Patrick Pulvermüller, Thomas Vollrath

(*) 0.14 EUR/min from the German landline network; at most 0.42 EUR/min from German mobile networks

From jimmy.changa007 at gmail.com Mon Jan 30 10:53:10 2012 From: jimmy.changa007 at gmail.com (Joe Marr) Date: Mon, 30 Jan 2012 11:53:10 -0500 Subject: Fiber outage in Miami In-Reply-To: <4F244B17.4000704@packetpimp.org> References: <4F244B17.4000704@packetpimp.org> Message-ID:

I've yet to hear back from them on the reason for the outage and an explanation of why our "redundant" dark fiber pairs were both down.

On Sat, Jan 28, 2012 at 2:23 PM, Jason LeBlanc wrote:

> We got the same RFO. BS.
>
> On 01/28/2012 01:36 PM, Randy Epstein wrote:
>
>>> Has anyone seen or gotten a RFA or a deeper explanation of what happened from them ?
>>>
>>> Faisal Imtiaz
>>> Snappy Internet & Telecom
>>> 7266 SW 48 Street
>>> Miami, Fl 33155
>>> Tel: 305 663 5518 x 232
>>> Helpdesk: 305 663 5518 option 2 Email: Support at Snappydsl.net
>>>
>> Yes. They blamed/burned the local crew and suggested that they fired them. Yes, they put this in the RFO.
>> I have it, but I'm having legal determine if it can be made public record.
>>
>> Randy
>>
>

From jimmy.changa007 at gmail.com Mon Jan 30 11:01:30 2012 From: jimmy.changa007 at gmail.com (Joe Marr) Date: Mon, 30 Jan 2012 12:01:30 -0500 Subject: Route Management Best Practices Message-ID:

My network has grown large enough that maintaining my prefix announcements to the rest of the world has become increasingly difficult. I currently use static routes and tags on my edge routers to inject routes into BGP. The tags correspond to communities that reflect how the routes are announced per region. I would love to hear from others on how they handle this.

From rps at maine.edu Mon Jan 30 11:13:22 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 30 Jan 2012 12:13:22 -0500 Subject: Console Server Recommendation In-Reply-To: <4F26CA13.20103@hosteurope.de> References: <4F26CA13.20103@hosteurope.de> Message-ID:

Thanks, all.

On Mon, Jan 30, 2012 at 11:49 AM, Malte von dem Hagen wrote:
> Hi,
>
> leigh.porter at ukbroadband.com wrote on Mon, 2012-01-30 at 17:47+0100:
>>
>> On 30 Jan 2012, at 16:10, "Ray Soucy" wrote:
>>
>>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>>
>>> OpenGear seems to have some nice stuff, anyone else?
>>>
>>
>> +1 for OpenGear. I asked this same question about a year ago..
>
> +1 from me. Their boxes really rock. It just saved my life that you can fully access the underlying Linux as root (in my case to debug the mgetty on the box).
>
> Rgds,
>
> Malte
> --
> Malte von dem Hagen
> Head of Network Engineering & Operations
> -----------------------------------------------------------------------
> Host Europe GmbH - http://www.hosteurope.de
> Welserstraße 14 - 51149 Köln - Germany
> Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
> HRB 28495 Amtsgericht Köln - VAT ID: DE187370678
> Managing directors: Patrick Pulvermüller, Thomas Vollrath
>
> (*) 0.14 EUR/min from the German landline network; at most 0.42 EUR/min from German mobile networks
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From paul4004 at gmail.com Mon Jan 30 11:14:00 2012 From: paul4004 at gmail.com (PC) Date: Mon, 30 Jan 2012 10:14:00 -0700 Subject: Console Server Recommendation In-Reply-To: <4F26C4AB.9050204@gmail.com> References: <4F26C4AB.9050204@gmail.com> Message-ID:

Love the boxes. Absolutely despise the ~50 MHz processor they put in them that takes 10 seconds to negotiate SSH.

On Mon, Jan 30, 2012 at 9:26 AM, -Hammer- wrote:

> Avocent Cyclades ACS. Enterprise class.
>
> http://www.avocent.com/Products/Category/Serial_Appliances.aspx
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 1/30/2012 10:08 AM, Ray Soucy wrote:
>
>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>
>> OpenGear seems to have some nice stuff, anyone else?
>>
>

From packetjockey at gmail.com Mon Jan 30 11:31:57 2012 From: packetjockey at gmail.com (Rafael Rodriguez) Date: Mon, 30 Jan 2012 12:31:57 -0500 Subject: Console Server Recommendation In-Reply-To: References: Message-ID:

Opengear

On Mon, Jan 30, 2012 at 11:08 AM, Ray Soucy wrote:

> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> OpenGear seems to have some nice stuff, anyone else?
>
> --
> Ray Soucy
> Epic Communications Specialist
> Phone: +1 (207) 561-3526
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>

From blake at pfankuch.me Mon Jan 30 11:38:07 2012 From: blake at pfankuch.me (Blake Pfankuch) Date: Mon, 30 Jan 2012 17:38:07 +0000 Subject: IP KVM suggestions Message-ID:

I have a need for a small, portable, web based IP KVM with decent features that doesn't break the bank. Preferably something that supports ISO mounting from http or ftp and USB connectivity. Would also prefer something browser independent. A small plugin like the Raritan devices use would be acceptable too. It will be used internally for remote access while building devices pre-deployment to customers. Any suggestions?

Thanks!

Blake

From arapoport at telepacific.com Mon Jan 30 11:40:26 2012 From: arapoport at telepacific.com (Asaf Rapoport) Date: Mon, 30 Jan 2012 17:40:26 +0000 Subject: Console Server Recommendation In-Reply-To: Message-ID:

I use Opengear more often now on smaller installs.. Works well and they have some neat add-ons (Nagios, UPS monitoring etc)

Asaf Rapoport

On 1/30/12 9:31 AM, "Rafael Rodriguez" wrote:

>Opengear
>
>On Mon, Jan 30, 2012 at 11:08 AM, Ray Soucy wrote:
>
>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>
>> OpenGear seems to have some nice stuff, anyone else?
>>
>> --
>> Ray Soucy
>> Epic Communications Specialist
>> Phone: +1 (207) 561-3526
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>>
>

From jm-nanog at vj8.net Mon Jan 30 11:56:11 2012 From: jm-nanog at vj8.net (James Triplett) Date: Mon, 30 Jan 2012 12:56:11 -0500 Subject: IP KVM suggestions In-Reply-To: References: Message-ID: <20120130175611.GA5410@datamat.net>

> Thanks!
>
> Blake

I have used dozens of these: Opengear IP-KVM 1001. It's a small, single box, that handles one machine and costs about $300. It has a lot of nice little convenience features, like a second RJ-45 port so it doesn't use up a position on the big switch.

Tried the Raritan, but it's way expensive, and it can't do forwarded ports (you HAVE TO connect on 443; if that port is already in use, too bad).

(I'm not affiliated with OpenGear, an Aussie company so far as I know).

----james

From mailinglists at expresswebsystems.com Mon Jan 30 12:09:16 2012 From: mailinglists at expresswebsystems.com (Express Web Systems) Date: Mon, 30 Jan 2012 12:09:16 -0600 Subject: IP KVM suggestions In-Reply-To: References: Message-ID: <033601ccdf7a$481d0f90$d8572eb0$@com>

> I have a need for a small, portable, web based IP kvm with decent features that doesn't break the bank. Preferably something that supports ISO mounting from http or ftp and USB connectivity. Would also prefer something browser independent. Small plugin like the Raritan devices would be acceptable too. It will be used internally for Remote access while building devices pre deployment to customers. Any suggestions?
>
> Thanks!
>
> Blake

Lantronix Spider is a small, portable, affordable and web enabled IP KVM. Supports ISO mounting and has USB connections.

http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spider.html

It is a single server unit. So if you want to connect many servers at the same time, it might not be the best option as the price quickly escalates. However, if you buy one and just move it from server to server (which is what I got from your email), then it is a pretty good fit. Java based web interface, not the greatest, but it works.

For multiple server access from a single unit, look at the Dell 2161DS (rebranded Avocent units) line.
They are abundant on ebay, and relatively inexpensive, and can expand to up to 128 servers (via add-on PEM modules: the unit has 16 ports, you connect a PEM to one of the ports and you can connect up to 8 servers to the PEM, 16 x 8 = 128). The 2161DS-2 also supports ISO mounting when using USB dongles (the 2161DS does not). Java based client software... Dell isn't supporting the 2161DS software any more apparently and it won't install natively on Windows 7, but the software can be installed on an XP machine and then copied; this also works for Linux, etc.

Tom Walsh

From brent at brentrjones.com Mon Jan 30 12:39:19 2012 From: brent at brentrjones.com (Brent Jones) Date: Mon, 30 Jan 2012 10:39:19 -0800 Subject: Console Server Recommendation In-Reply-To: References: Message-ID:

Another +1 to Opengear
Just buy the units that have the pinout for your devices, or you may need adapters.

--
Brent Jones
brent at brentrjones.com

On Mon, Jan 30, 2012 at 9:40 AM, Asaf Rapoport wrote:

> I use Opengear more often now on smaller installs.. Works well and they have some neat add-ons (Nagios, UPS monitoring etc)
>
> Asaf Rapoport
>
> On 1/30/12 9:31 AM, "Rafael Rodriguez" wrote:
>
> >Opengear
> >
> >On Mon, Jan 30, 2012 at 11:08 AM, Ray Soucy wrote:
> >
> >> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
> >>
> >> OpenGear seems to have some nice stuff, anyone else?
> >>
> >> --
> >> Ray Soucy
> >> Epic Communications Specialist
> >> Phone: +1 (207) 561-3526
> >> Networkmaine, a Unit of the University of Maine System
> >> http://www.networkmaine.net/
> >>
> >
>

From g at 1337.io Mon Jan 30 12:41:05 2012 From: g at 1337.io (Gino) Date: Mon, 30 Jan 2012 10:41:05 -0800 Subject: Console Server Recommendation In-Reply-To: <4F26C4AB.9050204@gmail.com> References: <4F26C4AB.9050204@gmail.com> Message-ID: <4F26E441.3060801@1337.io>

+1 for Cyclades .. we've been using a few of these with a bunch of 20-port PDU strips (2 x 15A circuits) and they've worked out pretty well for us. We did have some overheating issues with the PDUs though, but this was fixed with an adjustment to the HVAC (CYCLADES-ACS-PM-MIB is your friend ;-)

--
Gino
PGP Info: http://1337.io/pgp

On 1/30/12 8:26 AM, -Hammer- wrote:
> Avocent Cyclades ACS. Enterprise class.
>
> http://www.avocent.com/Products/Category/Serial_Appliances.aspx
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 1/30/2012 10:08 AM, Ray Soucy wrote:
>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>
>> OpenGear seems to have some nice stuff, anyone else?
>>
>

From mike at mtcc.com Mon Jan 30 06:32:33 2012 From: mike at mtcc.com (Michael Thomas) Date: Mon, 30 Jan 2012 04:32:33 -0800 Subject: Console Server Recommendation In-Reply-To: <20120130163139.GC5166@dan.olp.net> References: <011d01ccdf6b$a78d6ce0$f6a846a0$@paulstewart.org> <20120130163139.GC5166@dan.olp.net> Message-ID: <4F268DE1.3010201@mtcc.com>

Lantronix still makes terminal servers? Huh. I designed their first ones over 20 years ago!

Mike

Dan White wrote:
> +1 for the Lantronix SLC.
>
> On 01/30/12 11:24 -0500, Paul Stewart wrote:
>> We really like Lantronix .. use them a lot.
>>
>> Paul
>>
>> -----Original Message-----
>> From: Ray Soucy [mailto:rps at maine.edu]
>> Sent: Monday, January 30, 2012 11:09 AM
>> To: NANOG
>> Subject: Console Server Recommendation
>>
>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>>
>> OpenGear seems to have some nice stuff, anyone else?
>>
>> --
>> Ray Soucy
>> Epic Communications Specialist
>> Phone: +1 (207) 561-3526
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/

From gbonser at seven.com Mon Jan 30 13:05:07 2012 From: gbonser at seven.com (George Bonser) Date: Mon, 30 Jan 2012 19:05:07 +0000 Subject: Console Server Recommendation In-Reply-To: <4F26C4AB.9050204@gmail.com> References: <4F26C4AB.9050204@gmail.com> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C9CCB2@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: -Hammer-
> Sent: Monday, January 30, 2012 8:26 AM
> Subject: Re: Console Server Recommendation
>
> Avocent Cyclades ACS. Enterprise class.
>
> http://www.avocent.com/Products/Category/Serial_Appliances.aspx
>
> -Hammer-

We're using some of those, no trouble with them to date.

From leigh.porter at ukbroadband.com Mon Jan 30 13:12:14 2012 From: leigh.porter at ukbroadband.com (Leigh Porter) Date: Mon, 30 Jan 2012 19:12:14 +0000 Subject: Console Server Recommendation In-Reply-To: References: , Message-ID:

On 30 Jan 2012, at 18:41, "Brent Jones" wrote:

> Another +1 to Opengear
> Just buy the units that have the pinout for your devices, or you may need adapters.

And making them gets boring very quickly!

--
Leigh
From jcurran at arin.net Mon Jan 30 13:14:36 2012 From: jcurran at arin.net (John Curran) Date: Mon, 30 Jan 2012 19:14:36 +0000 Subject: FYI - New ARIN Legacy Registration Services Agreement (LRSA 3.0) Posted References: <4F26EA13.8080801@arin.net> Message-ID: <8B835B18-71CD-4D8A-A029-86011F68C545@corp.arin.net>

Please note the availability of a revised Legacy RSA (version 3.0) from ARIN. This version addresses several issues raised with past versions and hence may be of particular interest to some folks in the region. The accompanying FAQ has a summary of the more significant changes.

FYI,
/John

John Curran
President and CEO
ARIN

Begin forwarded message:

From: ARIN
Subject: [arin-announce] New Legacy Registration Services Agreement Posted
Date: January 30, 2012 2:05:55 PM EST
To:

ARIN is pleased to announce the release of Version 3.0 of its Legacy Registration Services Agreement ("LRSA").

On 4 November 2011 ARIN concluded its consultation with the community with regards to the Legacy Registration Services Agreement (LRSA) 3.0, the first fundamental rewrite of the LRSA introduced in 2007. The revisions found in version 3.0 were based on the information and feedback obtained during the execution of over 500 LRSAs as well as community feedback received during the community consultation referenced above.

ARIN has simplified the LRSA language in order to more clearly identify and describe the respective rights, duties and obligations of ARIN and Legacy Holders. In addition, edits were made to narrow the differences between our Registration Services Agreement ("RSA") and our LRSA. These changes also provide clarity with respect to conditions when ARIN will seek resource utilization from the Legacy holder and conditions when ARIN may revoke resources.
Information regarding the differences between LRSA 2.2 and LRSA 3.0 can be found along with additional details and answers to many of the typical questions that ARIN receives about the Legacy RSA in the Frequently Asked Questions ("FAQ") at:

https://www.arin.net/resources/legacy/index.html#faq

The previous version of the LRSA, version 2.2, will remain on our website for comparison and review for the next 90 days. Please feel free to compare the two documents and observe the updates and modifications that have been incorporated into LRSA 3.0.

To view Version 3.0 of the Legacy RSA, please visit:

https://www.arin.net/resources/agreements/legacy_rsa.pdf

Anyone needing further information about the LRSA can call the Financial Services Help Desk at +1-703-227-9886 or send an email to billing at arin.net.

Nothing in this announcement alters or otherwise modifies any terms of the LRSA.

Regards,

Financial Services
American Registry for Internet Numbers (ARIN)

From brandon at rd.bbc.co.uk Mon Jan 30 13:41:06 2012 From: brandon at rd.bbc.co.uk (Brandon Butterworth) Date: Mon, 30 Jan 2012 19:41:06 GMT Subject: Console Server Recommendation Message-ID: <201201301941.TAA09015@sunf10.rd.bbc.co.uk>

> Just buy the units that have the pinout for your devices, or you may
> need adapters.

Hate that, I got a Cyclades by accident, never more. Lantronix is the same pinout as Cisco and everything else we use regularly.

> Lantronix still makes terminal servers? Huh. I designed their first
> ones over 20 years ago!

If that was the LRS16, we still have some running

brandon

From jra at baylink.com Mon Jan 30 14:17:37 2012 From: jra at baylink.com (Jay Ashworth) Date: Mon, 30 Jan 2012 15:17:37 -0500 (EST) Subject: Console Server Recommendation In-Reply-To: <4F268DE1.3010201@mtcc.com> Message-ID: <22491606.2.1327954657025.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Michael Thomas"

> Lantronix still makes terminal servers? Huh.
> I designed their first
> ones over 20 years ago!

And Lantronix has the *delightful* policy that *they will still support those units (assuming they do at all) free*, even if I bought them used.

+5 for Lantronix.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jim at impactbusiness.com Mon Jan 30 14:46:06 2012 From: jim at impactbusiness.com (Jim Gonzalez) Date: Mon, 30 Jan 2012 15:46:06 -0500 Subject: Wireless Recommendations Message-ID: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com>

Hi,

I am looking for a Wireless bridge or Router that will support 600 wireless clients concurrently (mostly cell phones). I need it for a proof of concept.

Thanks in advance
Jim

From jof at thejof.com Mon Jan 30 15:04:05 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Mon, 30 Jan 2012 13:04:05 -0800 Subject: Wireless Recommendations In-Reply-To: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> References: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> Message-ID:

On Mon, Jan 30, 2012 at 12:46 PM, Jim Gonzalez wrote:
> Hi,
>
> I am looking for a Wireless bridge or Router that will
> support 600 wireless clients concurrently (mostly cell phones). I need it
> for a proof of concept.

I've had some great luck with a variety of vendors, though never with this many clients on one AP. For a stable 802.11 stack, I've found Cisco AP1142Ns to be great.

That said, I'm not sure what you're trying to do here, but I think you'll be disappointed with any AP with 600 *active* stations associated to it. No AP can work around the congestive collapse of hundreds of stations all transmitting RTS frames at once.

If you can split up your many stations across a swath of APs, bridging down to a couple of L2 Ethernet LANs, I think you'll get something much more scalable.
Cheers,
jof

From drais at icantclick.org Mon Jan 30 15:10:30 2012 From: drais at icantclick.org (david raistrick) Date: Mon, 30 Jan 2012 16:10:30 -0500 (EST) Subject: Wireless Recommendations In-Reply-To: References: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> Message-ID:

On Mon, 30 Jan 2012, Jonathan Lassoff wrote:

>
> That said, I'm not sure what you're trying to do here, but I think
> you'll be disappointed with any AP with 600 *active* stations
> associated to it. No AP can work around the congestive collapse of
> hundreds of stations all transmitting RTS frames at once.

unless, of course, that's the concept you are trying to prove...? :)

--
david raistrick            http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org          http://www.expita.com/nomime.html

From dharmachris at gmail.com Mon Jan 30 15:11:35 2012 From: dharmachris at gmail.com (Chris Hunt) Date: Mon, 30 Jan 2012 13:11:35 -0800 Subject: IP KVM suggestions In-Reply-To: References: Message-ID: <4F270787.403@gmail.com>

On 1/30/2012 11:05 AM, nanog-request at nanog.org wrote:
> ------------------------------
>
> Message: 8
> Date: Mon, 30 Jan 2012 12:09:16 -0600
> From: "Express Web Systems"
> To: "'NANOG'"
> Subject: RE: IP KVM suggestions
> Message-ID: <033601ccdf7a$481d0f90$d8572eb0$@com>
> Content-Type: text/plain; charset="us-ascii"
>
>> > I have a need for a small, portable, web based IP kvm with decent
>> > features that doesn't break the bank. Preferably something that
>> > supports ISO mounting from http or ftp and USB connectivity. Would
>> > also prefer something browser independent. Small plugin like the
>> > Raritan devices would be acceptable too. It will be used internally for
>> > Remote access while building devices pre deployment to customers. Any
>> > suggestions?
>> >
>> > Thanks!
>> >
>> > Blake
> Lantronix Spider is a small, portable, affordable and web enabled IP KVM.
> Supports ISO mounting and has USB connections.
>
> http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spider.html
>
> It is a single server unit. So if you want to connect many servers at the
> same time, it might not be the best option as the price quickly escalates.
> However, if you buy one and just move it from server to server (which is
> what I got from your email), then it is a pretty good fit. Java based web
> interface, not the greatest, but it works.
>
> For multiple server access from a single unit, look at the Dell 2161DS
> (rebranded Avocent units) line. They are abundant on ebay, and relatively
> inexpensive, and can expand to up to 128 servers (via add on PEM modules -
> the unit has 16 ports and you connect a PEM to one of the ports and you can
> connect up to 8 servers to the PEM 16 x 8 = 128). The 2161DS-2 also supports
> ISO mounting when using USB dongles (the 2161DS does not). Java based client
> software... Dell isn't supporting the 2161DS software any more apparently
> and won't install natively on Windows 7,

I have it running on Windows7, but it has to be "Run As Administrator"

> but the software can be installed
> on an XP machine and then copied, this also works for linux, etc.
>
> Tom Walsh
>

If security is a concern, then you will probably want to only use the 2161-DS behind a VPN, if at all. The session authentication is fairly weak and supports no ACLs. It does support lock-out on multiple bad authentication attempts though.

-Chris

From jmaimon at ttec.com Mon Jan 30 15:27:50 2012
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 30 Jan 2012 16:27:50 -0500
Subject: ARP is sourced from loopback address
Message-ID: <4F270B56.1050301@ttec.com>

Hey All,

Anycast related.

Is this normal behavior? What's the workaround? Why haven't I run into this before?

192.168.76.1 is a HSRP address on a ring of routers transiting a private non routed vlan to the service addresses hosted on systems that have independent management interfaces.

Best,

Joe


root at debian31:~# ifconfig lo:0
lo:0      Link encap:Local Loopback
          inet addr:209.54.140.64  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

root at debian31:~# ip rule list
0:      from all lookup local
32764:  from 209.54.140.0/24 lookup pbr1-exit
32765:  from 216.222.144.16/28 lookup pbr1-exit
32766:  from all lookup main
32767:  from all lookup default
root at debian31:~# ip route list table pbr1-exit
default via 192.168.76.1 dev eth1
192.168.34.0/24 dev eth1  scope link  src 192.168.76.16
192.168.76.0/24 dev eth1  scope link  src 192.168.76.16
root at debian31:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

11:08:09.053943 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
11:08:10.035126 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 0, length 80
11:08:10.051276 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
11:08:11.052548 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
11:08:12.035964 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 1, length 80
^C

root at debian31:~# ip neigh
fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE
192.168.76.1 dev eth1  FAILED
192.168.34.254 dev eth0 lladdr 00:11:93:04:7a:1b DELAY
192.168.34.48 dev eth0 lladdr 00:0c:29:fd:64:8a STALE

root at debian31:~# uname -a
Linux debian31 3.2.0-1-686-pae #1 SMP Tue Jan 24 06:09:30 UTC 2012 i686 GNU/Linux

root at debian31:~# ping 192.168.76.1
PING 192.168.76.1 (192.168.76.1) 56(84) bytes of data.
64 bytes from 192.168.76.1: icmp_req=1 ttl=255 time=2.95 ms
^C
--- 192.168.76.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.952/2.952/2.952/0.000 ms
root at debian31:~# ip neigh
fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE
192.168.76.1 dev eth1 lladdr 00:00:0c:9f:f0:01 REACHABLE
192.168.34.254 dev eth0 lladdr 00:11:93:04:7a:1b REACHABLE
192.168.34.48 dev eth0 lladdr 00:0c:29:fd:64:8a STALE
192.168.76.2 dev eth1 lladdr 00:b0:4a:9e:54:00 STALE
root at debian31:~# !tcp
tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:12:22.476479 IP noc08rt08-l0.noc08.chl.net > 209.54.140.64: ICMP echo request, id 518, seq 0, length 80
11:12:22.476572 IP 209.54.140.64 > noc08rt08-l0.noc08.chl.net: ICMP echo reply, id 518, seq 0, length 80
11:12:22.479495 IP noc08rt08-l0.noc08.chl.net > 209.54.140.64: ICMP echo request, id 518, seq 1, length 80
11:12:22.479533 IP 209.54.140.64 > noc08rt08-l0.noc08.chl.net: ICMP echo reply, id 518, seq 1, length 80
11:12:22.484346 IP noc08rt08-l0.noc08.chl.net > 209.54.140.64: ICMP echo request, id 518, seq 2, length 80
11:12:22.484392 IP 209.54.140.64 > noc08rt08-l0.noc08.chl.net: ICMP echo reply, id 518, seq 2, length 80
11:12:22.487670 IP noc08rt08-l0.noc08.chl.net > 209.54.140.64: ICMP echo request, id 518, seq 3, length 80
11:12:22.487705 IP 209.54.140.64 > noc08rt08-l0.noc08.chl.net: ICMP echo reply, id 518, seq 3, length 80
11:12:22.490639 IP noc08rt08-l0.noc08.chl.net > 209.54.140.64: ICMP echo request, id 518, seq 4, length 80
11:12:22.490675 IP 209.54.140.64 > noc08rt08-l0.noc08.chl.net: ICMP echo reply, id 518, seq 4, length 80
^C

From lanning at lanning.cc Mon Jan 30 15:50:12 2012
From: lanning at lanning.cc (Robert Hajime Lanning)
Date: Mon, 30 Jan 2012 13:50:12 -0800
Subject: Console Server Recommendation
In-Reply-To:
<201201301941.TAA09015@sunf10.rd.bbc.co.uk>
References: <201201301941.TAA09015@sunf10.rd.bbc.co.uk>
Message-ID: <4F271094.70408@lanning.cc>

On 01/30/12 11:41, Brandon Butterworth wrote:
>> Just buy the units that have the pinout for your devices, or you may
>> need adapters.
>
> Hate that, I got a Cyclades by accident, never more.
>
> Lantronix is same pinout as cisco and everything else we use regularly.

Avocent Cyclades ACS uses Cat5 straight through cables to Cisco consoles.

I use them in our lab and production sites.

--
END OF LINE
-MCP

From coy.hile at coyhile.com Mon Jan 30 16:05:57 2012
From: coy.hile at coyhile.com (Coy Hile)
Date: Mon, 30 Jan 2012 22:05:57 +0000
Subject: Console Server Recommendation
Message-ID:

>
> Avocent Cyclades ACS uses Cat5 straight through cables to Cisco consoles.
>
> I use them in our lab and production sites.
>

I personally use these as well; so does work. There's a dongle for some things like the older Sun Netra devices that used an RJ45 console connector.

One of the nicest features of the ACS boxes over my previous solution (old cisco router with octopus cables) is the ability to share sessions. Very useful if I switch from my desktop to my laptop, for example.

From grupo.ipv6 at gmail.com Mon Jan 30 16:12:55 2012
From: grupo.ipv6 at gmail.com (Grupo IPv6)
Date: Mon, 30 Jan 2012 20:12:55 -0200
Subject: Cing Installers
Message-ID:

Hi all,

Does anyone know where to find the installers for the network measuring tool "cing"? All the links I found are down.

I'm using Ubuntu 11.04

Many thanks,
Gabriel

From cjp at 0x1.net Mon Jan 30 16:38:10 2012
From: cjp at 0x1.net (Christopher J. Pilkington)
Date: Mon, 30 Jan 2012 17:38:10 -0500
Subject: [c-nsp] ASR opinions..
In-Reply-To: <201109021756.56518.mtinka@globaltransit.net>
References: <201108300031.09343.mtinka@globaltransit.net> <201109021756.56518.mtinka@globaltransit.net>
Message-ID:

On Fri, Sep 2, 2011 at 5:56 AM, Mark Tinka wrote:
> Like the ASR1002-F, the ASR1001 is based on an ESP5
> forwarding processor. That comes with 512,000 FIB entries
> maximum.
>
> As a side note, unlike the ASR1002-F, the ASR1001 can be
> upgraded (software license) from the default 2.5Gbps
> forwarding performance to 5Gbps.
>
>> To
>> my knowledge this is not true as the 1001 has the Intel
>> RP1.5...
>
> We're talking about FIB slots (the ESP) and not RIB slots
> (the RP).

Sorry to resurrect an old thread, but I'm also confused on this ASR1001 FIB question.

The Cisco ASR 1000 ESP data sheet (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/data_sheet_c78-450070.html) lists the ASR1001 separately from the ASR1002-5G. It claims the ASR1001 does 1M IPv4 and 1M IPv6 routes. (Not to be confused with the numbers on the ASR 1000 RP data sheet, which say it can do up to 9M with 8GB RAM doing selective download.)

Does anyone have a link to a definitive document clearly showing FIB numbers for the ASR1001? I've got an email into our Cisco SE, but I don't think they're motivated to sell us a lower-end box. :-)

-cjp

From keegan.holley at sungard.com Mon Jan 30 16:53:59 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Mon, 30 Jan 2012 17:53:59 -0500
Subject: ARP is sourced from loopback address
In-Reply-To: <4F270B56.1050301@ttec.com>
References: <4F270B56.1050301@ttec.com>
Message-ID:

Even though tcpdump doesn't show it, the ARP packets should have a source MAC address that is reachable on the link. I think the reply is unicast to that MAC address regardless of the IP in the request.
Otherwise the receiving station would have to do an ARP request for the source IP in the packet before it replied; in order to reply, that station would need to have the very mapping it just requested, making the whole thing useless. I've never seen ARP sourced from a non-local interface IP unless there was some sort of tunnel or bridging configured, but then again I don't spend my days staring at ARP packets so I could be missing something.

From bill at herrin.us Mon Jan 30 17:07:15 2012
From: bill at herrin.us (William Herrin)
Date: Mon, 30 Jan 2012 18:07:15 -0500
Subject: ARP is sourced from loopback address
In-Reply-To: <4F270B56.1050301@ttec.com>
References: <4F270B56.1050301@ttec.com>
Message-ID:

On Mon, Jan 30, 2012 at 4:27 PM, Joe Maimon wrote:
> Is this normal behavior? What's the workaround? Why haven't I run into this
> before?
>
> 192.168.76.1 is a HSRP address on a ring of routers transiting a private non
> routed vlan to the service addresses hosted on systems that have independent
> management interfaces.

Hi Joe,

Linux frequently does Really Stupid Things with ARP. You can generally force it to do the right thing with the arp_announce, arp_ignore and arp_filter sysctl's as well as the arptables command.

If I understand your problem correctly, you have a virtual IP on a loopback interface and when that virtual IP is pinged, the Linux box uses it as the source address in the arp request instead of using the correct source address for that interface. Because the source address is not valid for that LAN, the router does not respond.

Workaround:

vi /etc/sysctl.conf:
net.ipv4.conf.all.arp_announce = 1
net.ipv4.conf.eth1.arp_announce = 1

sysctl -p

This forces the box to use eth1's IP address when making an ARP request from eth1 instead of using the VIP in the source address of the IP packet (the default behavior).

#arp_announce - INTEGER
#       Define different restriction levels for announcing the local
#       source IP address from IP packets in ARP requests sent on
#       interface:
#       0 - (default) Use any local address, configured on any interface
#       1 - Try to avoid local addresses that are not in the target's
#       subnet for this interface.
#       2 - Always use the best local address for this target.
#       In this mode we ignore the source address in the IP packet
#       and try to select local address that we prefer for talks with
#       the target host.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From jmaimon at ttec.com Mon Jan 30 17:11:23 2012
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 30 Jan 2012 18:11:23 -0500
Subject: ARP is sourced from loopback address
In-Reply-To:
References: <4F270B56.1050301@ttec.com>
Message-ID: <4F27239B.2010007@ttec.com>

Thanks for the reply. Yes, it does appear to have the correct mac.

root at debian31:~# tcpdump -e -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:54:17.882537 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 114: 69.90.15.224 > 216.222.144.24: ICMP echo request, id 161, seq 4, length 80
12:54:18.084320 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
12:54:19.083580 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
12:54:19.838376 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 407: 69.90.15.224.179 > 216.222.144.24.60714: Flags [P.], seq 4062306194:4062306547, ack 170308540, win 16365, length 353: BGP, length: 353
12:54:20.083649 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
^C

root at debian31:~# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0c:29:b8:2a:14
          inet addr:192.168.76.16  Bcast:192.168.76.255  Mask:255.255.255.0

Keegan Holley wrote:
> Even though TCP dump doesn't show it the ARP packets should have a
> source mac address that is reachable on the link. I think the reply
> is unicast to that mac address regardless of the IP in the request.
> Otherwise the receiving station would have to do an arp request for
> the source IP in the packet before it replied, in order to reply that
> station would need to have the very mapping it just requested making
> the whole thing useless. I've never seen arp sourced from a
> non-local interface IP unless there was some sort of tunnel or
> bridging configured, but then again I don't spend my days staring at
> ARP packets so I could be missing something.

From jmaimon at ttec.com Mon Jan 30 17:24:26 2012
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 30 Jan 2012 18:24:26 -0500
Subject: ARP is sourced from loopback address
In-Reply-To:
References: <4F270B56.1050301@ttec.com>
Message-ID: <4F2726AA.6060701@ttec.com>

Golden.

Thank you, William.

Joe

William Herrin wrote:
> net.ipv4.conf.all.arp_announce = 1
> net.ipv4.conf.eth1.arp_announce = 1

From jtk at cymru.com Mon Jan 30 17:57:41 2012
From: jtk at cymru.com (John Kristoff)
Date: Mon, 30 Jan 2012 17:57:41 -0600
Subject: MD5 considered harmful
In-Reply-To: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
Message-ID: <20120130175741.61da35de@w520.localdomain>

On Fri, 27 Jan 2012 15:52:41 -0500
"Patrick W. Gilmore" wrote:

> Unfortunately, Network Engineers are lazy, impatient, and frequently
> clueless as well.

While the quantity of peering sessions I've had is far less than yours, once upon a time when I had tried to get MD5 on dozens of peering sessions I learned quite a bit about those engineers and those networks. I got to find out who couldn't do password management, who never heard of MD5 and who had been listening to Patrick. :-) All good input that informs what else I might want to do to protect myself from those networks, or who I wouldn't mind having a business relationship with.
John

From bill at herrin.us Mon Jan 30 18:09:36 2012
From: bill at herrin.us (William Herrin)
Date: Mon, 30 Jan 2012 19:09:36 -0500
Subject: ARP is sourced from loopback address
In-Reply-To: <4F2726AA.6060701@ttec.com>
References: <4F270B56.1050301@ttec.com> <4F2726AA.6060701@ttec.com>
Message-ID:

On Mon, Jan 30, 2012 at 6:24 PM, Joe Maimon wrote:
> Golden.
> Thank you, William.

Hi Joe,

You're welcome.

The flip side of Linux's arp funkiness is that you can get it to do some nifty stuff. For example, a /32 ethernet looks more or less like this:

ifconfig lo:1 198.51.100.1 netmask 255.255.255.255
ifconfig eth1 192.168.0.1 netmask 255.255.255.252
ip route add 198.51.100.44/32 dev eth1 src 198.51.100.1
arptables --out-interface eth1 -j mangle -s 192.168.0.1 --mangle-ip-s 198.51.100.1

The implicit proxy arp takes care of the rest with the machine hanging off the interface thinking that it's part of a /24.

This sort of thing is how I'm using all 17 of the IP addresses in my Cox /28. :-)

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From cjp at 0x1.net Mon Jan 30 18:42:56 2012
From: cjp at 0x1.net (Christopher J. Pilkington)
Date: Mon, 30 Jan 2012 19:42:56 -0500
Subject: Console Server Recommendation
In-Reply-To: <4F271094.70408@lanning.cc>
References: <201201301941.TAA09015@sunf10.rd.bbc.co.uk> <4F271094.70408@lanning.cc>
Message-ID: <-2489543172020911805@unknownmsgid>

On Jan 30, 2012, at 16:52, Robert Hajime Lanning wrote:
> Avocent Cyclades ACS uses Cat5 straight through cables to Cisco consoles.

We have Cyclades ACS boxen also, but ours require rollover cables, not straight, when talking to a Cisco console. YMMV.
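A small checker for the symptom in the "ARP is sourced from loopback address" thread above, added here as an example and not code from Joe's or Bill's posts: it parses tcpdump ARP request lines of the kind Joe captured, flags requests whose sender IP lies outside the capture interface's subnet (the ones the HSRP gateway never answered), and shows which sender address each net.ipv4.conf.<if>.arp_announce level would pick according to the kernel documentation Bill quoted. The interface, VIP, gateway and capture lines are constructed from the layout described in the thread.

```python
"""Spot ARP requests sent with an off-subnet sender address.

Added example for the "ARP is sourced from loopback address" thread; not
code from the thread's participants. Addresses and capture lines below are
constructed from the layout Joe described: VIP 209.54.140.64/32 on lo:0,
eth1 = 192.168.76.16/24, HSRP gateway 192.168.76.1.
"""
import ipaddress
import re
from typing import List, Tuple

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

ETH1_ADDR = ipaddress.ip_address("192.168.76.16")
ETH1_NET = ipaddress.ip_network("192.168.76.0/24")
VIP = ipaddress.ip_address("209.54.140.64")
GATEWAY = ipaddress.ip_address("192.168.76.1")

# Constructed capture in the same format as "tcpdump -i eth1" in the thread.
# The last line is what the request looks like once arp_announce=1 is set.
SAMPLE_CAPTURE = """\
11:08:09.053943 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
11:08:10.035126 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 0, length 80
11:08:10.051276 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
11:12:22.000000 ARP, Request who-has 192.168.76.1 tell 192.168.76.16, length 28
"""

# Matches both plain and "tcpdump -e" output; the who-has/tell pair is the same.
ARP_REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def parse_arp_requests(capture: str) -> List[Tuple[IPAddr, IPAddr]]:
    """Return (target, sender) pairs for every ARP request line in a capture."""
    pairs = []
    for line in capture.splitlines():
        m = ARP_REQUEST_RE.search(line)
        if m:
            pairs.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
    return pairs


def off_subnet_requests(capture: str, iface_net: IPNet) -> List[Tuple[IPAddr, IPAddr]]:
    """ARP requests whose sender IP is not inside the capture interface's subnet.

    These are the requests a gateway such as the HSRP router in the thread
    will not answer, so the neighbour entry stays FAILED.
    """
    return [(t, s) for t, s in parse_arp_requests(capture) if s not in iface_net]


def choose_sender(level: int, packet_src: IPAddr, target: IPAddr,
                  iface_addrs: List[Tuple[IPAddr, IPNet]]) -> IPAddr:
    """Sender IP an ARP request for `target` carries under arp_announce=level.

    Models the three levels from the kernel documentation quoted in the thread:
      0 - any local address; in practice the source of the IP packet that
          triggered the resolution (here, the VIP on lo:0).
      1 - avoid local addresses outside the target's subnet on this interface.
      2 - ignore the packet source; always use the interface's own address in
          the target's subnet.
    `iface_addrs` lists the (address, network) pairs configured on the interface.
    """
    if level == 0:
        return packet_src
    target_nets = [net for _, net in iface_addrs if target in net]
    if level == 1 and any(packet_src in net for net in target_nets):
        return packet_src
    # Level 2, or level 1 with an off-subnet packet source: fall back to an
    # interface address that shares the target's subnet, if one exists.
    candidates = [a for a, net in iface_addrs if target in net]
    return candidates[0] if candidates else packet_src


def report(capture: str, iface_net: IPNet, iface_addr: IPAddr) -> List[str]:
    """One finding per off-subnet request, with the sender arp_announce=1 would use."""
    lines = []
    for target, sender in off_subnet_requests(capture, iface_net):
        fixed = choose_sender(1, sender, target, [(iface_addr, iface_net)])
        lines.append(f"who-has {target} tell {sender}: sender outside {iface_net}; "
                     f"with arp_announce=1 the request would say tell {fixed}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CAPTURE, ETH1_NET, ETH1_ADDR):
        print(finding)
```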
From MGauvin at dryden.ca Mon Jan 30 19:08:40 2012
From: MGauvin at dryden.ca (Mark Gauvin)
Date: Mon, 30 Jan 2012 19:08:40 -0600
Subject: Console Server Recommendation
In-Reply-To: <-2489543172020911805@unknownmsgid>
References: <201201301941.TAA09015@sunf10.rd.bbc.co.uk> <4F271094.70408@lanning.cc> <-2489543172020911805@unknownmsgid>
Message-ID: <38850D43-6337-4465-AC5D-AD61F0A8E68A@dryden.ca>

Currently run 80+ Raritan KSX boxes under the CC device with zero issues. A lot more expensive than other solutions, but the single point of touch is a life saver.

Sent from my iPhone

On 2012-01-30, at 6:44 PM, "Christopher J. Pilkington" wrote:

> On Jan 30, 2012, at 16:52, Robert Hajime Lanning
> wrote:
>
>> Avocent Cyclades ACS uses Cat5 straight through cables to Cisco
>> consoles.
>
> We have Cyclades ACS boxen also, but ours require rollover cables, not
> straight, when talking to a Cisco console. YMMV.
>

From nanog at techmonkeys.org Mon Jan 30 20:11:56 2012
From: nanog at techmonkeys.org (Jeff Fisher)
Date: Mon, 30 Jan 2012 20:11:56 -0600
Subject: IP KVM suggestions
In-Reply-To: <033601ccdf7a$481d0f90$d8572eb0$@com>
References: <033601ccdf7a$481d0f90$d8572eb0$@com>
Message-ID: <4F274DEC.7010307@techmonkeys.org>

> Lantronix Spider is a small, portable, affordable and web enabled IP KVM.
> Supports ISO mounting and has USB connections.
>
> http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spider.html
>
> It is a single server unit. So if you want to connect many servers at the
> same time, it might not be the best option as the price quickly escalates.
> However, if you buy one and just move it from server to server (which is
> what I got from your email), then it is a pretty good fit. Java based web
> interface, not the greatest, but it works.

I've got a few Lantronix Spiders and I love them; however, I would opt to get the external power adapter instead of just relying on the unit drawing power from the computer it's connected to.

Also, there is a PS2 + USB model available that I'd recommend getting if you have any older gear which doesn't support USB keyboards while in the BIOS.

I think they go for around $260 + another $20 or so for the external power adapter.

Jeff

From joe at nethead.com Mon Jan 30 20:21:19 2012
From: joe at nethead.com (Joe Hamelin)
Date: Mon, 30 Jan 2012 18:21:19 -0800
Subject: Console Server Recommendation
In-Reply-To: <38850D43-6337-4465-AC5D-AD61F0A8E68A@dryden.ca>
References: <201201301941.TAA09015@sunf10.rd.bbc.co.uk> <4F271094.70408@lanning.cc> <-2489543172020911805@unknownmsgid> <38850D43-6337-4465-AC5D-AD61F0A8E68A@dryden.ca>
Message-ID:

-1 for Cyclades. At least in Clear's DC plants the PCMCIA modems would often wedgie and require a re-insert. Also, if you have a DC power side fail, they beep and beep and beep. Very annoying when your power people are still catching up when you're trying to commission equipment.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

From annkwok80 at gmail.com Mon Jan 30 20:27:04 2012
From: annkwok80 at gmail.com (Ann Kwok)
Date: Mon, 30 Jan 2012 21:27:04 -0500
Subject: Please help our simple bgp
Message-ID:

Hello

Our router is running simple bgp: one BGP router, two upstreams (each 100M from ISP A and ISP B). We are getting full feed tables from them.

We discover the routes are going to ISP A only, even though the 100M bandwidth is full.

Can we set the weight to change to ISP B, to use ISP B as the preferred routes?

Can the following configuration work? What weight number do you suggest, too?

neighbor 1.2.3.4 description ISP B
neighbor 1.2.3.4 remote-as 111
neighbor 1.2.3.4 weight 2000

If this works, what happens if ISP B's upstream connection is down?

Can it still fail over to ISP A automatically?

If it won't work, do you have any suggestion?
Thank you for your help

From jmaslak at antelope.net Mon Jan 30 21:06:14 2012
From: jmaslak at antelope.net (Joel Maslak)
Date: Mon, 30 Jan 2012 20:06:14 -0700
Subject: Please help our simple bgp
In-Reply-To:
References:
Message-ID:

On Mon, Jan 30, 2012 at 7:27 PM, Ann Kwok wrote:

> We discover the routes are going to ISP A only, even though the 100M bandwidth is
> full

There are several ways to handle this, if you have at least two /24s of space. Let's say you just have two /24s, both part of the same /23.

Option 1:

Announce m.m.m.m/24 with no path prefixing on ISP A.
Announce m.m.m.m/24 prefixed with your own ASN one or two times on ISP B.
Announce n.n.n.n/24 with no path prefixing on ISP B.
Announce n.n.n.n/24 prefixed with your own ASN one or two times on ISP A.

Most of the internet would probably prefer A for m.m.m.m/24, and prefer B for n.n.n.n/24. But if either A or B went down, there would still be a reachable route.

Option 2:

Announce m.m.m.m/23 on both ISP A and B
Announce m.m.m.m/24 on ISP A
Announce n.n.n.n/24 on ISP B

The n.n.n.n/24 which is part of m.m.m.m/23 would use ISP B for inbound traffic, while ISP A would be used for m.m.m.m/24. If either A or B went down, the less specific /23 would provide a backup path.

> Can we set the weight to change to ISP B, to use ISP B as the preferred routes?

Not really. You may be able to set a community that controls how ISP B advertises the routes or preferences your traffic. Weights generally aren't used for path selection.

From streiner at cluebyfour.org Mon Jan 30 21:12:25 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 30 Jan 2012 22:12:25 -0500 (EST)
Subject: Please help our simple bgp
In-Reply-To:
References:
Message-ID:

On Mon, 30 Jan 2012, Ann Kwok wrote:

> Our router is running simple bgp: one BGP router, two upstreams (each 100M
> from ISP A and ISP B).
> We are getting full feed tables from them.

Are you sure you're getting a full table from each provider? A full IPv4 feed is close to 400,000 prefixes and a full IPv6 feed is getting close to 8,000 routes.

It's also important to understand what the desired behavior is. Do you want to use both upstream links, or do you want to use provider B only when provider A is down? Based on your description above, I'm guessing you want to use both links at the same time.

> We discover the routes are going to ISP A only, even though the 100M bandwidth is
> full

BGP doesn't know or care about link utilization. If all of your outbound traffic is using only one link, then it sounds like one (or more) of a few things is happening:

1. Provider B is only sending you a default route, or something less than a full table. If that's the case, then you need to get provider B to send you a full table, or verify that your BGP import policy isn't rejecting most of what provider B is sending you. Most specific route wins.

2. Provider B's routes are less preferred by your router for one or more reasons, with a longer AS path probably being the most common reason. Check if provider B is doing anything like prepending routes before they send them to you (generally a bad idea, but I've seen stranger things happen).

3. You are taking some action on provider B's routes to make them less preferred, such as lowering the local-preference.

It might be helpful to post the whole "router bgp XXXX" section of your config, with any related items (route-maps, access-lists, prefix-lists, AS-path access-lists (if any), etc).

> Can we set the weight to change to ISP B, to use ISP B as the preferred routes?
>
> neighbor 1.2.3.4 description ISP B
> neighbor 1.2.3.4 remote-as 111
> neighbor 1.2.3.4 weight 2000

If you are receiving a full table from both providers, you can write a policy to reset the local-preference on some of the routes you get from provider B to higher than the same routes you get from provider A.

> If this works, what happens if ISP B's upstream connection is down?
>
> Can it still fail over to ISP A automatically?
If you receive a full table from both providers, you should be able to use either provider's link when the other one fails, with little to no intervention on your part.

jms

From rsm at fast-serv.com Mon Jan 30 21:55:25 2012
From: rsm at fast-serv.com (Randy McAnally)
Date: Mon, 30 Jan 2012 22:55:25 -0500
Subject: IP KVM suggestions
In-Reply-To: <4F274DEC.7010307@techmonkeys.org>
References: <033601ccdf7a$481d0f90$d8572eb0$@com> <4F274DEC.7010307@techmonkeys.org>
Message-ID: <1B6A2311-D0E6-491F-BAC0-A26E61C7226B@fast-serv.com>

+1 on lantronix. Also does serial console. Lots of settings. Beats the pants off other units in terms of flexibility and configuration options.

Sent from my iPhone (pardon the typos)

On Jan 30, 2012, at 9:11 PM, Jeff Fisher wrote:

>> Lantronix Spider is a small, portable, affordable and web enabled IP KVM.
>> Supports ISO mounting and has USB connections.
>>
>> http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spider.html
>>
>> It is a single server unit. So if you want to connect many servers at the
>> same time, it might not be the best option as the price quickly escalates.
>> However, if you buy one and just move it from server to server (which is
>> what I got from your email), then it is a pretty good fit. Java based web
>> interface, not the greatest, but it works.
>
> I've got a few Lantronix Spiders and I love them; however, I would opt to get the external power adapter instead of just relying on the unit drawing power from the computer it's connected to.
>
> Also, there is a PS2 + USB model available that I'd recommend getting if you have any older gear which doesn't support USB keyboards while in the BIOS.
>
> I think they go for around $260 + another $20 or so for the external power adapter.
>
> Jeff

From keegan.holley at sungard.com Mon Jan 30 23:39:29 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Tue, 31 Jan 2012 00:39:29 -0500
Subject: MD5 considered harmful
In-Reply-To: <20120130175741.61da35de@w520.localdomain>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain>

I suppose so but BFD certainly has a lot more moving parts than adding MD5 checksums to an existing control packet. I'm not saying everyone should turn it on or off for that matter. I just don't see what the big deal is. Most of the shops I've seen have it on because of some long forgotten engineering standard.

2012/1/30 John Kristoff :
> On Fri, 27 Jan 2012 15:52:41 -0500
> "Patrick W. Gilmore" wrote:
>
>> Unfortunately, Network Engineers are lazy, impatient, and frequently
>> clueless as well.
>
> While the quantity of peering sessions I've had is far less than
> yours, once upon a time when I had tried to get MD5 on dozens of peering
> sessions I learned quite a bit about those engineers and those
> networks. I got to find out who couldn't do password management, who
> never heard of MD5 and who had been listening to Patrick. :-) All good
> input that inform what else I might want to do to protect myself from
> those networks or who I wouldn't mind having a business relationship
> with.
>
> John
>

From mtinka at globaltransit.net Tue Jan 31 00:38:32 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 31 Jan 2012 14:38:32 +0800
Subject: Route Management Best Practices
Message-ID: <201201311438.37139.mtinka@globaltransit.net>

On Tuesday, January 31, 2012 01:01:30 AM Joe Marr wrote:

> I currently use static routes and tags on my edge routers
> to inject route into BGP. The tags correspond to
> communities that reflect how the routes are announced
> per region.

> I would love to hear from others on how they handle this.
We originate our allocations from our route reflectors. The route reflectors make sense for a number of reasons, e.g., they're always up, they aren't doing anything else, they aren't in the forwarding path, they aren't reachable from outside our AS, they're few enough to manage scalably, etc.

Like you, we attach communities to all originated allocations as the route reflector is announcing them to all iBGP neighbors, and those communities are used to determine how the routes are announced to peers, upstreams and customers.

The problem with originating your routes at the edge (peering or customers) is you'll likely have more of these routers than route reflectors, so redundancy management of route origination will become a huge problem.

Also, failure of your edge routers is probably more likely than your route reflectors just by the very nature of their functions. This is why most advice is not to originate routes on routers that are providing inter-AS connectivity, as it could lead to blackholes due to backhaul link failure.

Cheers,

Mark.

From mtinka at globaltransit.net Tue Jan 31 00:39:19 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 31 Jan 2012 14:39:19 +0800
Subject: Console Server Recommendation
Message-ID: <201201311439.20400.mtinka@globaltransit.net>

On Tuesday, January 31, 2012 12:08:45 AM Ray Soucy wrote:

> What are people using for console servers these days?
> We've historically used retired routers with ASYNC
> ports, but it's time for an upgrade.

Cisco 2811.

Mark.

From jimmy.changa007 at gmail.com Tue Jan 31 01:04:15 2012
From: jimmy.changa007 at gmail.com (Joe Marr)
Date: Tue, 31 Jan 2012 02:04:15 -0500
Subject: Route Management Best Practices
In-Reply-To: <201201311438.37139.mtinka@globaltransit.net>
References: <201201311438.37139.mtinka@globaltransit.net>

Thanks Mark

What do you use for reflectors, hardware (Cisco/Juniper) or software daemons (Quagga)?

I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers. Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes.

Has anyone tried this, or is it suicide?

On Tue, Jan 31, 2012 at 1:38 AM, Mark Tinka wrote:
> On Tuesday, January 31, 2012 01:01:30 AM Joe Marr wrote:
>
> > I currently use static routes and tags on my edge routers
> > to inject route into BGP. The tags correspond to
> > communities that reflect how the routes are announced
> > per region.
>
> > I would love to hear from others on how they handle this.
>
> We originate our allocations from our route reflectors. The
> route reflectors make sense for a number of reasons, e.g.,
> they're always up, they aren't doing anything else, they
> aren't in the forwarding path, they aren't reachable from
> outside our AS, they're few enough to manage scalably,
> etc.
>
> Like you, we attach communities to all originated
> allocations as the route reflector is announcing them to all
> iBGP neighbors, and those communities are used to determine
> how the routes are announced to peers, upstreams and
> customers.
>
> The problem with originating your routes at the edge
> (peering or customers) is you'll likely have more of these
> routers than route reflectors, so redundancy management of
> route origination will become a huge problem.
>
> Also, failure of your edge routers is probably more likely
> than your route reflectors just by the very nature of their
> functions. This is why most advice is not to originate
> routes on routers that are providing inter-AS connectivity,
> as it could lead to blackholes due to backhaul link failure.
>
> Cheers,
>
> Mark.
>

From mtinka at globaltransit.net Tue Jan 31 01:17:25 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 31 Jan 2012 15:17:25 +0800
Subject: Route Management Best Practices
References: <201201311438.37139.mtinka@globaltransit.net>
Message-ID: <201201311517.28890.mtinka@globaltransit.net>

On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote:

> What do you use for reflectors, hardware (Cisco/Juniper)
> or software daemons (Quagga)?

We operate 2x networks. One of them runs Cisco 7201 routers as route reflectors, while the other runs Juniper M120 routers. The large Juniper routers were due to particular BGP AFIs that Cisco IOS does not support (yet).

> I've been toying with the idea of using Quagga route
> servers to announce our prefixes to our edge routers and
> redistribute BGP announcements learned from downstream
> customers.

You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector. The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-).

> Only drawback is the lack of support for
> tagged static routes, so it looks like I'm going to have
> to use a network statement w/ route-map to set the
> attributes.

There was a time when networks were run without prefix lists, BGP communities or even route maps.
I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-).

If you have the opportunity, I'd advise against operating without these very useful tools.

> Has anyone tried this, or is it suicide?

I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, etc. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new.

But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors).

Mark.

From mtinka at globaltransit.net Tue Jan 31 03:02:27 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 31 Jan 2012 17:02:27 +0800
Subject: http://tools.ietf.org - Down
Message-ID: <201201311702.27882.mtinka@globaltransit.net>

Is it just me?

http://www.downforeveryoneorjustme.com/tools.ietf.org doesn't seem to think so.

Mark.

From saku at ytti.fi Tue Jan 31 03:11:36 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 31 Jan 2012 11:11:36 +0200
Subject: Console Server Recommendation
Message-ID: <20120131091136.GA22047@pob.ytti.fi>

On (2012-01-30 11:08 -0500), Ray Soucy wrote:

> What are people using for console servers these days? We've
> historically used retired routers with ASYNC ports, but it's time for
> an upgrade.
This is a very, very common thread, replaying a couple of times a year in various lists, with, to my cursory look, no new information between iterations. I'd be more curious if people listed what they think a good console server should have, and whether or not a given model has them.

For me, required features are

- multiplexed connect to console port; the console port should never, ever be busy or blocking. You don't want to find your most competent people blocked from accessing the console because 1st line is at lunch keeping the port busy.
- console port output always buffered persistently (if the device crashes and burns, at least you have the post-network-reachability logs puked to console stored, good for troubleshooting)
- IP address mappable to a console port, so that accessing a device normally is 'ssh router' and via OOB 'ssh router.oob'; no need to train people

Nice to have

- Configuration import/export as ASCII, from a single place, so configuration backups are easy
- DC PSU support, redundantly
- No moving parts
- TACACS+ support
- 3G support with IPSEC tunneling
- Some clean and well designed web UI

I also have to ask, why do we even need these? Why do we still get new gear with RS232 console only? Why have only the Cisco Nexus 7k and SUP2T seen the light? A dedicated management plane separated from the control plane, so that regardless of control plane status you can connect over ethernet to the management plane and copy images to the control plane, reset the control plane, check logs etc. An ethernet port is a lot cheaper than an RS232 port, so OOB gear would be cheaper. An RS232 console on the control plane is ridiculously useless: you cannot copy images over it (even if supported, images are several hundred megabytes). It is completely dependent on the control plane working, which is a very poor requirement for OOB. When a 50 buck Intel desktop mobo has proper OOB, why doesn't every router and switch?
--
++ytti

From nick at foobar.org Tue Jan 31 04:01:32 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 31 Jan 2012 10:01:32 +0000
Subject: Console Server Recommendation
In-Reply-To: <20120131091136.GA22047@pob.ytti.fi>
References: <20120131091136.GA22047@pob.ytti.fi>
Message-ID: <4F27BBFC.1000309@foobar.org>

On 31/01/2012 09:11, Saku Ytti wrote:
> For me, required features are

This is part of the problem here. You want a terminal server which was designed for console access. Most of the terminal servers on the market are by-products of the modem dialin era and their development function was aimed at a different market. Consequently, they are better at stuff like modem dialin and stuff like that rather than console management. The problem is that there isn't a large market for console servers designed specifically for management console access, and there are a pile of incumbents in the existing market place.

I like the feature list you posted, btw. If there were any console servers out there with these features, I would buy a bunch of them.

> RS232 console on control-plane is ridiculously useless, you cannot copy
> images over it (even if supported, images are several hundreds megabytes).
> It is completely dependant on control-plane working which is very poor
> requirement for OOB.

Yeah, indeed. And most of us have been stuck in the "omfg, the router is crashing and I'm in a hotel 2000km away, with crap OOB access, FML" situation more than once.

Nick

From saku at ytti.fi Tue Jan 31 04:23:57 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 31 Jan 2012 12:23:57 +0200
Subject: Console Server Recommendation
In-Reply-To: <4F27BBFC.1000309@foobar.org>
References: <20120131091136.GA22047@pob.ytti.fi> <4F27BBFC.1000309@foobar.org>
Message-ID: <20120131102357.GA22075@pob.ytti.fi>

On (2012-01-31 10:01 +0000), Nick Hilliard wrote:

> I like the feature list you posted, btw. If there were any console servers out
> there with these features, I would buy a bunch of them.
I think OpenGear supports all of them (according to a co-worker who tested them recently), but I'm not 100% sure, particularly of 3G with IPSEC (I couldn't use it anyhow, as I'd need DMVPN, so Cisco CPE), and "clean and well designed UI" is too subjectively defined a requirement.

--
++ytti

From kuenzler at init7.net Tue Jan 31 04:27:52 2012
From: kuenzler at init7.net (Fredy Kuenzler)
Date: Tue, 31 Jan 2012 11:27:52 +0100
Subject: Please help our simple bgp
Message-ID: <4F27C228.3020906@init7.net>

On 31.01.2012 04:06, Joel Maslak wrote:
> There are several ways to handle this, if you have at least two
> /24s of space.
>
> Let's say you just have two /24s, both part of the same /23.
>
> [...]

Sad to see that deaggregation is still propagated to handle this issue. As a matter of fact deaggregation pollutes the global BGP table with more than 40% of rubbish, mainly caused by this silly type of traffic engineering. See the weekly routing table report or the CIDR report:

> Analysis Summary
> ----------------
>
> BGP routing table entries examined: 394446
> Prefixes after maximum aggregation: 169250
> Deaggregation factor: 2.33
> Unique aggregates announced to Internet: 191523

There are many smarter ways to manage unbalanced links. See my slides presented on various occasions (pages 31 to 48), which describe the disadvantages and collateral damage of deaggregation:

http://www.swinog.ch/meetings/swinog23/p/03_BGP-traffic-engineering-considerations-v0.2.pdf

HTH,
--
Fredy Künzler
Init7 / AS13030

From sr at swisscenter.com Tue Jan 31 04:59:10 2012
From: sr at swisscenter.com (Sébastien Riccio)
Date: Tue, 31 Jan 2012 11:59:10 +0100
Subject: http://tools.ietf.org - Down
In-Reply-To: <201201311702.27882.mtinka@globaltransit.net>
References: <201201311702.27882.mtinka@globaltransit.net>
Message-ID: <4F27C97E.3020603@swisscenter.com>

Up from here (.ch)

Sébastien

On 31.01.2012 10:02, Mark Tinka wrote:
> Is it just me?
>
> http://www.downforeveryoneorjustme.com/tools.ietf.org
> doesn't seem to think so.
>
> Mark.

From matt at mt.au.com Tue Jan 31 05:59:50 2012
From: matt at mt.au.com (Matt Taylor)
Date: Tue, 31 Jan 2012 22:59:50 +1100
Subject: http://tools.ietf.org - Down
In-Reply-To: <4F27C97E.3020603@swisscenter.com>
References: <201201311702.27882.mtinka@globaltransit.net> <4F27C97E.3020603@swisscenter.com>
Message-ID: <4F27D7B6.8040706@mt.au.com>

Fine for me, .au

Matt.

On 31/01/2012 9:59 PM, Sébastien Riccio wrote:
> Up from here (.ch)
>
> Sébastien
>
> On 31.01.2012 10:02, Mark Tinka wrote:
>> Is it just me?
>>
>> http://www.downforeveryoneorjustme.com/tools.ietf.org
>> doesn't seem to think so.
>>
>> Mark.
>

From richard.barnes at gmail.com Tue Jan 31 06:49:24 2012
From: richard.barnes at gmail.com (Richard Barnes)
Date: Tue, 31 Jan 2012 12:49:24 +0000
Subject: http://tools.ietf.org - Down
In-Reply-To: <4F27D7B6.8040706@mt.au.com>
References: <201201311702.27882.mtinka@globaltransit.net> <4F27C97E.3020603@swisscenter.com> <4F27D7B6.8040706@mt.au.com>

There was some discussion of this on tools-discuss at tools.ietf.org. There was a temporary issue that I believe has been resolved.

--Richard

On Tue, Jan 31, 2012 at 11:59 AM, Matt Taylor wrote:
> Fine for me, .au
>
> Matt.
>
>
> On 31/01/2012 9:59 PM, Sébastien Riccio wrote:
>>
>> Up from here (.ch)
>>
>> Sébastien
>>
>> On 31.01.2012 10:02, Mark Tinka wrote:
>>>
>>> Is it just me?
>>>
>>> http://www.downforeveryoneorjustme.com/tools.ietf.org
>>> doesn't seem to think so.
>>>
>>> Mark.
>>
>>
>>
>
>

From rps at maine.edu Tue Jan 31 07:09:00 2012
From: rps at maine.edu (Ray Soucy)
Date: Tue, 31 Jan 2012 08:09:00 -0500
Subject: ARP is sourced from loopback address
References: <4F270B56.1050301@ttec.com> <4F2726AA.6060701@ttec.com>

We ran into a lot of quirkiness with Linux when we started rolling out Linux-based CPE with XORP as a routing engine.

I've thrown some sane defaults you might want to consider into a text file at:

http://soucy.org/xorp/xorp-1.7-pre/TUNING

Specifically, you prob. want option 2 instead of 1 for arp_ignore, otherwise you'll see funkiness with ARPs coming from the wrong IP in a multi-interface configuration.

----8<----
ARP_IGNORE values:

0 - Reply for any local address.
1 - Reply only if the target IP is configured on the receiving interface.
2 - Like 1, but the source IP (sender's address) must belong to the same subnet as the target IP.
3 - Reply only if the scope of the target IP is not the local host (e.g., that address is not used to communicate with other hosts).
4-7 - Reserved.
8 - Do not reply.
>8 - Unknown value; accept request.
----8<----

Hope this helps,

On Mon, Jan 30, 2012 at 7:09 PM, William Herrin wrote:
> On Mon, Jan 30, 2012 at 6:24 PM, Joe Maimon wrote:
>> Golden.
>> Thank you, William.
>
> Hi Joe,
>
> You're welcome. The flip side of Linux's arp funkiness is that you can
> get it to do some nifty stuff. For example, a /32 ethernet looks more
> or less like this:
>
> ifconfig lo:1 198.51.100.1 netmask 255.255.255.255
> ifconfig eth1 192.168.0.1 netmask 255.255.255.252
> ip route add 198.51.100.44/32 dev eth1 src 198.51.100.1
> arptables --out-interface eth1 -j mangle -s 192.168.0.1 --mangle-ip-s 198.51.100.1
>
> The implicit proxy arp takes care of the rest with the machine hanging
> off the interface thinking that it's part of a /24.
>
>
> This sort of thing is how I'm using all 17 of the IP addresses in my
> Cox /28. :-)
>
> Regards,
> Bill Herrin
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web:
> Falls Church, VA 22042-3004
>

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From harbor235 at gmail.com Tue Jan 31 07:42:22 2012
From: harbor235 at gmail.com (harbor235)
Date: Tue, 31 Jan 2012 08:42:22 -0500
Subject: MD5 considered harmful
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain>

My thoughts are that you should filter traffic routed directly to your BGP speaking devices; traffic routing through an edge device and to an edge device are treated differently. BGP session protection using an MD5 password by itself is not securing the control plane, but it is a component of an overall secure edge posture. For example, md5 protection, plus edge filtering policies, plus ttl security, plus ........., make for a more secure edge.

Also, it does not matter how many attempts at compromising a BGP session occur, it only takes one, so why not nail it down.

Mike

On Tue, Jan 31, 2012 at 12:39 AM, Keegan Holley wrote:
> I suppose so but BFD certainly has a lot more moving parts than adding
> MD5 checksums to an existing control packet. I'm not saying everyone
> should turn it on or off for that matter. I just don't see what the
> big deal is. Most of the shops I've seen have it on because of some
> long forgotten engineering standard.
>
>
> 2012/1/30 John Kristoff :
> > On Fri, 27 Jan 2012 15:52:41 -0500
> > "Patrick W. Gilmore" wrote:
> >
> >> Unfortunately, Network Engineers are lazy, impatient, and frequently
> >> clueless as well.
> >
> > While the quantity of peering sessions I've had is far less than
> > yours, once upon a time when I had tried to get MD5 on dozens of peering
> > sessions I learned quite a bit about those engineers and those
> > networks. I got to find out who couldn't do password management, who
> > never heard of MD5 and who had been listening to Patrick. :-) All good
> > input that inform what else I might want to do to protect myself from
> > those networks or who I wouldn't mind having a business relationship
> > with.
> >
> > John
> >
>
>

From paul at paulstewart.org Tue Jan 31 07:50:56 2012
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 31 Jan 2012 08:50:56 -0500
Subject: Bid Software
Message-ID: <015f01cce01f$5c865fe0$15931fa0$@paulstewart.org>

Hi folks.

I'm looking for an in-house solution for "circuit bidding". Today, when we get a request for WAN services, transport, transit etc we have folks that email out to a list of contacts and ask them for a price. I've seen some pretty neat systems in the past where vendors can send us their quotes via a web portal or similar - hoping to find something rather simple for our own use. Open source would be awesome.

Basically, we would notify potential vendors of the A and Z end of the circuit and any particulars such as speed that are required.

What are folks using today and your experiences?

Thanks,

Paul

From jared at puck.nether.net Tue Jan 31 08:20:17 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 31 Jan 2012 09:20:17 -0500
Subject: Please help our simple bgp
Message-ID: <2BF78ABA-10D4-49D4-B46E-66985488A100@puck.nether.net>

On Jan 30, 2012, at 9:27 PM, Ann Kwok wrote:

> Hello
>
> Our router is running simple bgp.
> "one BGP router, two upstreams (each 100M
> from ISP A and ISP B)
> We are getting full feeds tables from them
>
> We discover the routes is going to ISP A only even the bandwidth 100M is
> full
>
> Can we set the weight to change to ISP B to use ISP B as preference routes?
>
> Can the following configuration work?
> What suggest to this weight no. too?
>
> neighbor 1.2.3.4 description ISP B
> neighbor 1.2.3.4 remote-as 111
> neighbor 1.2.3.4 weight 2000
>
> If this works, how is ISP B upstream connection is down?
>
> Can it still be failover to ISP A automatically?
>
> If it won't work, Do you have any suggestion?

Please implement an AS-PATH filter on your outbound to your upstreams blocking yourself from re-announcing their routes to them.

You can see many of these cases here:

http://puck.nether.net/bgp/leakinfo.cgi

e.g.:

41.217.236.0/24 852 3561 6453 15399 15399 15399 174 3491 33770 36997 37063 37113 15399

(Wananchi Online Limited) is leaking their upstream (Cogent) routes to TATA (6453)

- Jared

From shacolby at bluejeans.com Tue Jan 31 09:20:46 2012
From: shacolby at bluejeans.com (Shacolby Jackson)
Date: Tue, 31 Jan 2012 07:20:46 -0800
Subject: non-congested comcast peers?

Are there any providers that Comcast doesn't regularly run hot? Seems like no matter who I deliver through at some magical point in the evening they start spiking jitter and a little loss. Almost like everyone hits PLAY on netflix at the same time.

-shac

From keegan.holley at sungard.com Tue Jan 31 09:21:46 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Tue, 31 Jan 2012 10:21:46 -0500
Subject: ARP is sourced from loopback address
In-Reply-To: <4F27239B.2010007@ttec.com>
References: <4F270B56.1050301@ttec.com> <4F27239B.2010007@ttec.com>

That's still a different part of the packet. Below is the source address in the ethernet header used to deliver the arp request itself. Inside the ARP payload there is also a field for source and destination mac.
I couldn't get tcpdump to show it even with the -n and -vvv switches. Wireshark will show it though. You may be able to use -w and -s0 to save to a cap file and then look at arp in wireshark. There still seem to be no responses. You can try the tweaks suggested by others. I've sent traffic from a loopback before and I've never seen this problem though.

2012/1/30 Joe Maimon :
> Thanks for the reply.
>
> Yes, it does appear to have the correct mac.
>
>
> root at debian31:~# tcpdump -e -n -i eth1
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:54:17.882537 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 114: 69.90.15.224 > 216.222.144.24: ICMP echo request, id 161, seq 4, length 80
> 12:54:18.084320 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
> 12:54:19.083580 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
> 12:54:19.838376 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 407: 69.90.15.224.179 > 216.222.144.24.60714: Flags [P.], seq 4062306194:4062306547, ack 170308540, win 16365, length 353: BGP, length: 353
> 12:54:20.083649 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>
> ^C
>
>
> root at debian31:~# ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:0c:29:b8:2a:14
>           inet addr:192.168.76.16  Bcast:192.168.76.255  Mask:255.255.255.0
>
>
>
>
> Keegan Holley wrote:
>>
>> Even though TCP dump doesn't show it the ARP packets should have a
>> source mac address that is reachable on the link.  I think the reply
>> is unicast to that mac address regardless of the IP in the request.
>> Otherwise the receiving station would have to do an arp request for
>> the source IP in the packet before it replied, in order to reply that
>> station would need to have the very mapping it just requested making
>> the whole thing useless.  I've never seen arp sourced from a
>> non-local interface IP unless there was some sort of tunnel or
>> bridging configured, but then again I don't spend my days staring at
>> ARP packets so I could be missing something.
>>
>>
>> 2012/1/30 Joe Maimon:
>>>
>>>
>>> Hey All,
>>>
>>> Anycast related.
>>>
>>> Is this normal behavior? What's the workaround? Why haven't I run into this
>>> before?
>>>
>>> 192.168.76.1 is a HSRP address on a ring of routers transiting a private
>>> non routed vlan to the service addresses hosted on systems that have
>>> independent management interfaces.
>>>
>>> Best,
>>>
>>> Joe
>>>
>>>
>>> root at debian31:~# ifconfig lo:0
>>> lo:0      Link encap:Local Loopback
>>>           inet addr:209.54.140.64  Mask:255.255.255.255
>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>
>>> root at debian31:~# ip rule list
>>> 0:      from all lookup local
>>> 32764:  from 209.54.140.0/24 lookup pbr1-exit
>>> 32765:  from 216.222.144.16/28 lookup pbr1-exit
>>> 32766:  from all lookup main
>>> 32767:  from all lookup default
>>> root at debian31:~# ip route list table pbr1-exit
>>> default via 192.168.76.1 dev eth1
>>> 192.168.34.0/24 dev eth1  scope link  src 192.168.76.16
>>> 192.168.76.0/24 dev eth1  scope link  src 192.168.76.16
>>> root at debian31:~# tcpdump -i eth1
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>
>>> 11:08:09.053943 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:10.035126 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 0, length 80
>>> 11:08:10.051276 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:11.052548 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:12.035964 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 1, length 80
>>> ^C
>>>
>>> root at debian31:~# ip neigh
>>> fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE
>>> 192.168.76.1 dev eth1  FAILED
>>> 192.168.34.254 dev eth0 lladdr 00:11:93:04:7a:1b DELAY
>>> 192.168.34.48 dev eth0 lladdr 00:0c:29:fd:64:8a STALE
>>>
>>> root at debian31:~# uname -a
>>> Linux debian31 3.2.0-1-686-pae #1 SMP Tue Jan 24 06:09:30 UTC 2012 i686 GNU/Linux
>>>
>>> root at debian31:~# ping 192.168.76.1
>>> PING 192.168.76.1 (192.168.76.1) 56(84) bytes of data.
>>> 64 bytes from 192.168.76.1: icmp_req=1 ttl=255 time=2.95 ms >>> ^C >>> --- 192.168.76.1 ping statistics --- >>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms >>> rtt min/avg/max/mdev = 2.952/2.952/2.952/0.000 ms >>> root at debian31:~# ip neigh >>> fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE >>> 192.168.76.1 dev eth1 lladdr 00:00:0c:9f:f0:01 REACHABLE >>> 192.168.34.254 dev eth0 lladdr 00:11:93:04:7a:1b REACHABLE >>> 192.168.34.48 dev eth0 lladdr 00:0c:29:fd:64:8a STALE >>> 192.168.76.2 dev eth1 lladdr 00:b0:4a:9e:54:00 STALE >>> root at debian31:~# !tcp >>> tcpdump -i eth1 >>> tcpdump: verbose output suppressed, use -v or -vv for full protocol >>> decode >>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes >>> 11:12:22.476479 IP noc08rt08-l0.noc08.chl.net> ?209.54.140.64: ICMP echo >>> request, id 518, seq 0, length 80 >>> 11:12:22.476572 IP 209.54.140.64> ?noc08rt08-l0.noc08.chl.net: ICMP echo >>> reply, id 518, seq 0, length 80 >>> 11:12:22.479495 IP noc08rt08-l0.noc08.chl.net> ?209.54.140.64: ICMP echo >>> request, id 518, seq 1, length 80 >>> 11:12:22.479533 IP 209.54.140.64> ?noc08rt08-l0.noc08.chl.net: ICMP echo >>> reply, id 518, seq 1, length 80 >>> 11:12:22.484346 IP noc08rt08-l0.noc08.chl.net> ?209.54.140.64: ICMP echo >>> request, id 518, seq 2, length 80 >>> 11:12:22.484392 IP 209.54.140.64> ?noc08rt08-l0.noc08.chl.net: ICMP echo >>> reply, id 518, seq 2, length 80 >>> 11:12:22.487670 IP noc08rt08-l0.noc08.chl.net> ?209.54.140.64: ICMP echo >>> request, id 518, seq 3, length 80 >>> 11:12:22.487705 IP 209.54.140.64> ?noc08rt08-l0.noc08.chl.net: ICMP echo >>> reply, id 518, seq 3, length 80 >>> 11:12:22.490639 IP noc08rt08-l0.noc08.chl.net> ?209.54.140.64: ICMP echo >>> request, id 518, seq 4, length 80 >>> 11:12:22.490675 IP 209.54.140.64> ?noc08rt08-l0.noc08.chl.net: ICMP echo >>> reply, id 518, seq 4, length 80 >>> ^C >>> >>> >>> >>> >> >> > From aalejandro at 
alliedtechnologygrouppr.com Tue Jan 31 09:22:50 2012 From: aalejandro at alliedtechnologygrouppr.com (Abel Alejandro) Date: Tue, 31 Jan 2012 11:22:50 -0400 Subject: Microbursts on Ceragon IP-10G Message-ID:

Hello,

I have a Ceragon IP-10G to provide backhaul access for an LTE network. The client wants to have 50Mbps of throughput with an RTT of 50ms on a single TCP session. The problem is packet drops due to microbursts: bursts from TCP slow start come in from a 1GE port and then get dropped at the radio. I can burst about 60KB of data before experiencing packet loss. Has anyone had a similar problem and found a solution?

PS: I already have a case open, it's just going kind of slow.

Thanks,
Abel.

From me at anuragbhatia.com Tue Jan 31 09:23:32 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Tue, 31 Jan 2012 20:53:32 +0530 Subject: non-congested comcast peers? In-Reply-To: References: Message-ID:

Hi Shacolby

Can you share some mtr results to Netflix, Google, etc? Curious to see how bad it really is.

On Tue, Jan 31, 2012 at 8:50 PM, Shacolby Jackson wrote:
> Are there any providers that Comcast doesn't regularly run hot? Seems like
> no matter who I deliver through at some magical point in the evening they
> start spiking jitter and a little loss. Almost like everyone hits PLAY on
> netflix at the same time.
>
> -shac

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia
Linkedin: http://linkedin.anuragbhatia.com

From thegameiam at yahoo.com Tue Jan 31 10:40:54 2012 From: thegameiam at yahoo.com (David Barak) Date: Tue, 31 Jan 2012 08:40:54 -0800 (PST) Subject: MD5 considered harmful In-Reply-To: References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain> Message-ID: <1328028054.22768.YahooMailNeo@web31807.mail.mud.yahoo.com>

From: harbor235
> Also, It does not matter how many attempts compromising a BGP session
> occurs, it only takes one, so why not nail it down.

Because downtime is a security issue too, and MD5 is more likely to contribute to downtime (either via lost password, crypto load on CPU, or other) than the problem it purports to fix. The goal of a network engineer is to move packets from A -> B. The goal of a security engineer is to keep that from happening. A business needs to weigh the cost and benefit of any given approach, and MD5 BGP auth does not come out well in the of situations.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

From chip.gwyn at gmail.com Tue Jan 31 10:42:43 2012 From: chip.gwyn at gmail.com (chip) Date: Tue, 31 Jan 2012 11:42:43 -0500 Subject: IPv6 BGP MIBs Message-ID:

Hi all,

Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs going on in the IETF? As I understand it RFC 4293 was somewhat abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still doesn't address all the needs. While I can try and push all my vendors to come up with a MIB that has parity with IPv4 I assume our standards bodies are working towards that goal as well. I can't seem to locate where these discussions are happening within the IETF...or if they even are. Any pointers or education for my ignorance is appreciated.

Thanks all,
--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....
From joelja at bogus.com Tue Jan 31 10:45:59 2012 From: joelja at bogus.com (Joel jaeggli) Date: Tue, 31 Jan 2012 08:45:59 -0800 Subject: Wireless Recommendations In-Reply-To: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> References: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> Message-ID: <4F281AC7.2050706@bogus.com>

On 1/30/12 12:46 , Jim Gonzalez wrote:
> Hi,
>
> I am looking for a Wireless bridge or Router that will
> support 600 wireless clients concurrently (mostly cell phones). I need it
> for a proof of concept.

an aruba controller and 8 dual radio aps.

> Thanks in advance
>
> Jim

From nick at foobar.org Tue Jan 31 10:47:19 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 31 Jan 2012 16:47:19 +0000 Subject: IPv6 BGP MIBs In-Reply-To: References: Message-ID: <4F281B17.3030202@foobar.org>

On 31/01/2012 16:42, chip wrote:
> Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs
> going on in the IETF? As I understand it RFC 4293 was somewhat
> abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still
> doesn't address all the needs. While I can try and push all my
> vendors to come up with a MIB that has parity with IPv4 I assume our
> standards bodies are working towards that goal as well. I can't seem
> to locate where these discussions are happening within the IETF...or
> if they even are. Any pointers or education for my ignorance is
> appreciated.

bgp4-mibv2: http://tools.ietf.org/html/draft-ietf-idr-bgp4-mibv2

Nick

From shortdudey123 at gmail.com Tue Jan 31 11:00:28 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Tue, 31 Jan 2012 11:00:28 -0600 Subject: Wireless Recommendations In-Reply-To: <4F281AC7.2050706@bogus.com> References: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com> <4F281AC7.2050706@bogus.com> Message-ID:

Hi,

I do not know all the details, but the high school I graduated from recently implemented an Aruba system.
From what I hear, it has never worked as designed and the IT dept there says it's hard to manage. I was told the school got it since it was the cheapest.

-Grant

On Tue, Jan 31, 2012 at 10:45 AM, Joel jaeggli wrote:
> On 1/30/12 12:46 , Jim Gonzalez wrote:
> > Hi,
> >
> > I am looking for a Wireless bridge or Router that will
> > support 600 wireless clients concurrently (mostly cell phones). I need it
> > for a proof of concept.
>
> an aruba controller and 8 dual radio aps.
>
> > Thanks in advance
> >
> > Jim

From erikm at buh.org Tue Jan 31 11:12:31 2012 From: erikm at buh.org (Erik Muller) Date: Tue, 31 Jan 2012 12:12:31 -0500 Subject: IPv6 BGP MIBs In-Reply-To: References: Message-ID: <4F2820FF.4040503@buh.org>

On 1/31/12 11:42 , chip wrote:
> Hi all,
>
> Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs
> going on in the IETF? As I understand it RFC 4293 was somewhat
> abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still
> doesn't address all the needs. While I can try and push all my
> vendors to come up with a MIB that has parity with IPv4 I assume our
> standards bodies are working towards that goal as well. I can't seem
> to locate where these discussions are happening within the IETF...or
> if they even are. Any pointers or education for my ignorance is
> appreciated.

There's little-to-no ongoing discussion happening, but such as there is happens on the IDR working group list (https://datatracker.ietf.org/wg/idr/charter/). The latest rev is draft-ietf-idr-bgp4-mibv2-12.txt and draft-ietf-idr-bgp4-mibv2-tc-mib-03.txt; both just expired again. Jeff's been refreshing them periodically to keep them active, but there have been no substantial changes since -09 (Feb 2009).
As I understand it, there are no known issues, it's just waiting on the chicken-and-egg problem of needing implementations to demonstrate that it's complete before publishing as an RFC, and vendors have been reluctant to implement it until it was actually a published RFC. I strongly encourage anyone who enjoys monitoring their BGP infrastructure to pressure their vendors to implement the draft as it stands with the idea of finally getting this to standard level. At one point I had multiple vendors committed to doing so, and I think at least C and B still have it on their respective roadmaps for RSN. -e From gbonser at seven.com Tue Jan 31 11:27:17 2012 From: gbonser at seven.com (George Bonser) Date: Tue, 31 Jan 2012 17:27:17 +0000 Subject: Console Server Recommendation In-Reply-To: <4F27BBFC.1000309@foobar.org> References: <20120131091136.GA22047@pob.ytti.fi> <4F27BBFC.1000309@foobar.org> Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C9D7D3@RWC-MBX1.corp.seven.com> > > I like feature list you posted, btw. If there were any console servers > out there with these features, I would buy a bunch of them. > Wouldn't a program such as "conserver" running on a linux box someplace potentially provide these (maybe with a little extra hackery)? We use that quite a bit. One interesting option is that it allows another person to also watch the console session. So, for example, I can give someone a console session while watching the progress of it. http://conserver.com/ In other words, combining some software on a cheapo box someplace can give many of those features with just about any hardware console server. 
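Before the MD5 thread resumes: David Barak's worry above about a lost MD5 password, and the remark in the next reply that the keys can be trivially decrypted from Cisco and Juniper configuration files, both follow from how the key is stored. On IOS, `service password-encryption` writes a BGP `neighbor ... password` as a type 7 string, which is a fixed-key XOR over a well-known 53-byte table, not encryption; Juniper's `$9$` strings are reversible in the same way. The decoder below is an added example and not code from any list message; the sample configuration is constructed (documentation addresses, private ASNs), and its type 7 string is the widely published encoding of the key `cisco`. The practical point for the thread is that the secrecy of a TCP-MD5 key is exactly the secrecy of every config backup that contains it.

```python
"""Reverse Cisco IOS 'type 7' strings, the form in which
`service password-encryption` stores `neighbor <peer> password ...`
(and other line/enable secrets) in a running config.

Type 7 is a fixed-key XOR over Cisco's well-known 53-byte table: it hides
the key from shoulder-surfers, not from anyone who holds the config.
Added example for the MD5 thread, not code from any list message; the
config below is constructed and its BGP key is the textbook value."""
import re

# Cisco's well-known type 7 XOR table.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two decimal digits of seed (0..15), then one hex pair per plaintext byte.
_TYPE7_RE = re.compile(r"^(\d\d)((?:[0-9A-Fa-f]{2})+)$")


def decode_type7(encoded: str) -> str:
    """Plaintext of a type 7 string: byte i is hex[i] XOR _XLAT[(seed+i) % 53]."""
    m = _TYPE7_RE.match(encoded.strip())
    if not m:
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(m.group(1))
    if seed > 15:
        raise ValueError("type 7 seed out of range: %d" % seed)
    data = bytes.fromhex(m.group(2))
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction (what IOS does on `service password-encryption`),
    kept here so the round trip can be checked."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        "%02X" % (ord(c) ^ _XLAT[(seed + i) % len(_XLAT)])
        for i, c in enumerate(plain)
    )
    return "%02d%s" % (seed, body)


# `neighbor <peer> password 7 <hex>` as it appears under `router bgp`.
_NEIGHBOR_PW_RE = re.compile(
    r"^\s*neighbor\s+(\S+)\s+password\s+7\s+([0-9A-Fa-f]+)\s*$"
)


def bgp_md5_keys(config: str) -> dict:
    """Map each BGP neighbor in an IOS config to its cleartext TCP-MD5 key."""
    keys = {}
    for line in config.splitlines():
        m = _NEIGHBOR_PW_RE.match(line)
        if m:
            keys[m.group(1)] = decode_type7(m.group(2))
    return keys


# Constructed sample (documentation addresses, private ASNs); the type 7
# string is the widely published encoding of the key "cisco".
SAMPLE_CONFIG = """\
service password-encryption
!
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 password 7 0822455D0A16
 neighbor 192.0.2.2 remote-as 64514
"""

if __name__ == "__main__":
    for peer, key in bgp_md5_keys(SAMPLE_CONFIG).items():
        print("%s -> %s" % (peer, key))
```

Run it against a saved config and every BGP session key falls out in cleartext, which is why the "lost password" case reduces to "find the backup", and why a config backup store needs the same access control as the router itself.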
From nick at foobar.org Tue Jan 31 11:56:26 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 31 Jan 2012 17:56:26 +0000 Subject: MD5 considered harmful In-Reply-To: <1328028054.22768.YahooMailNeo@web31807.mail.mud.yahoo.com> References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain> <1328028054.22768.YahooMailNeo@web31807.mail.mud.yahoo.com> Message-ID: <4F282B4A.7000603@foobar.org> On 31/01/2012 16:40, David Barak wrote: > Because downtime is a security issue too, and MD5 is more likely to > contribute to downtime (either via lost password, crypto load on CPU, or > other) than the problem it purports to fix. The goal of a network > engineer is to move packets from A -> B. The goal of a security > engineer is to keep that from happening. A business needs to weigh the > cost and benefit of any given approach, and MD5 BGP auth does not come > out well in the of situations. cpu load is negligible and is done in hardware on several platforms. Lost passwords can occur but if you have properly stored configuration backups, they shouldn't be a major problem. Also, they can be trivially decrypted from C/J configuration files. >From my point of view, MD5 passwords serve two purposes: 1. they prevent intentional session hijacking at IXPs when IP addresses get re-used and new IP address assignees suddenly notice that some people haven't torn down their old BGP sessions to the previous users of the address 2. they can be used to convince security auditors that the network is secure and that they can now sod off and stop harassing me, kthxbai Other people may have other reasons for liking / not liking them. Nick From kwilliams at altuscgi.com Tue Jan 31 12:00:33 2012 From: kwilliams at altuscgi.com (Kelvin Williams) Date: Tue, 31 Jan 2012 13:00:33 -0500 Subject: Hijacked Network Ranges Message-ID: Greetings all. 
We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband & Carrier Services Altus Communications Group, Inc. "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow From harbor235 at gmail.com Tue Jan 31 12:15:10 2012 From: harbor235 at gmail.com (harbor235) Date: Tue, 31 Jan 2012 13:15:10 -0500 Subject: MD5 considered harmful In-Reply-To: <4F282B4A.7000603@foobar.org> References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain> <1328028054.22768.YahooMailNeo@web31807.mail.mud.yahoo.com> <4F282B4A.7000603@foobar.org> Message-ID: Sounds like we want a well thought out plan in place in case there is a screw up with an org's lack of planning and management capabilities.......... Mike On Tue, Jan 31, 2012 at 12:56 PM, Nick Hilliard wrote: > On 31/01/2012 16:40, David Barak wrote: > > Because downtime is a security issue too, and MD5 is more likely to > > contribute to downtime (either via lost password, crypto load on CPU, or > > other) than the problem it purports to fix. 
The goal of a network > > engineer is to move packets from A -> B. The goal of a security > > engineer is to keep that from happening. A business needs to weigh the > > cost and benefit of any given approach, and MD5 BGP auth does not come > > out well in the of situations. > > cpu load is negligible and is done in hardware on several platforms. Lost > passwords can occur but if you have properly stored configuration backups, > they shouldn't be a major problem. Also, they can be trivially decrypted > from C/J configuration files. > > From my point of view, MD5 passwords serve two purposes: > > 1. they prevent intentional session hijacking at IXPs when IP addresses get > re-used and new IP address assignees suddenly notice that some people > haven't torn down their old BGP sessions to the previous users of the > address > > 2. they can be used to convince security auditors that the network is > secure and that they can now sod off and stop harassing me, kthxbai > > Other people may have other reasons for liking / not liking them. > > Nick > > From shortdudey123 at gmail.com Tue Jan 31 12:19:02 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Tue, 31 Jan 2012 12:19:02 -0600 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: Hi, What is keeping you from advertising a more specific route (i.e /25's)? -Grant On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams wrote: > Greetings all. > > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet > Exchange) immediately filter out network blocks that are being advertised > by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. > > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and > 68.66.112.0/20 are registered in various IRRs all as having an origin AS > 11325 (ours), and are directly allocated to us. > > The malicious hijacking is being announced as /24s therefore making route > selection pick them. > > Our customers and services have been impaired. 
Does anyone have any > contacts for anyone at Cavecreek that would actually take a look at ARINs > WHOIS, and IRRs so the networks can be restored and our services back in > operation? > > Additionally, does anyone have any suggestion for mitigating in the > interim? Since we can't announce as /25s and IRRs are apparently a pipe > dream. > > -- > Kelvin Williams > Sr. Service Delivery Engineer > Broadband & Carrier Services > Altus Communications Group, Inc. > > > "If you only have a hammer, you tend to see every problem as a nail." -- > Abraham Maslow > From streiner at cluebyfour.org Tue Jan 31 12:22:06 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 31 Jan 2012 13:22:06 -0500 (EST) Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: On Tue, 31 Jan 2012, Grant Ridder wrote: > What is keeping you from advertising a more specific route (i.e /25's)? Many providers filter out anything longer (smaller) than /24. jms > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams wrote: > >> Greetings all. >> >> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet >> Exchange) immediately filter out network blocks that are being advertised >> by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. >> >> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and >> 68.66.112.0/20 are registered in various IRRs all as having an origin AS >> 11325 (ours), and are directly allocated to us. >> >> The malicious hijacking is being announced as /24s therefore making route >> selection pick them. >> >> Our customers and services have been impaired. Does anyone have any >> contacts for anyone at Cavecreek that would actually take a look at ARINs >> WHOIS, and IRRs so the networks can be restored and our services back in >> operation? >> >> Additionally, does anyone have any suggestion for mitigating in the >> interim? Since we can't announce as /25s and IRRs are apparently a pipe >> dream. 
>> >> -- >> Kelvin Williams >> Sr. Service Delivery Engineer >> Broadband & Carrier Services >> Altus Communications Group, Inc. >> >> >> "If you only have a hammer, you tend to see every problem as a nail." -- >> Abraham Maslow >> > From paul4004 at gmail.com Tue Jan 31 12:22:13 2012 From: paul4004 at gmail.com (PC) Date: Tue, 31 Jan 2012 11:22:13 -0700 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: Many/most transit providers filter prefixes longer than /24, so the effectiveness may be minimal. At the very least I'd advertise /24s yourself because if the forger is geographically further away, some local sites may still work. Better than nothing. On Tue, Jan 31, 2012 at 11:19 AM, Grant Ridder wrote: > Hi, > > What is keeping you from advertising a more specific route (i.e /25's)? > > -Grant > > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams >wrote: > > > Greetings all. > > > > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek > Internet > > Exchange) immediately filter out network blocks that are being advertised > > by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. > > > > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and > > 68.66.112.0/20 are registered in various IRRs all as having an origin AS > > 11325 (ours), and are directly allocated to us. > > > > The malicious hijacking is being announced as /24s therefore making route > > selection pick them. > > > > Our customers and services have been impaired. Does anyone have any > > contacts for anyone at Cavecreek that would actually take a look at ARINs > > WHOIS, and IRRs so the networks can be restored and our services back in > > operation? > > > > Additionally, does anyone have any suggestion for mitigating in the > > interim? Since we can't announce as /25s and IRRs are apparently a pipe > > dream. > > > > -- > > Kelvin Williams > > Sr. Service Delivery Engineer > > Broadband & Carrier Services > > Altus Communications Group, Inc. 
> > > > > > "If you only have a hammer, you tend to see every problem as a nail." -- > > Abraham Maslow > > > From keegan.holley at sungard.com Tue Jan 31 12:22:04 2012 From: keegan.holley at sungard.com (Keegan Holley) Date: Tue, 31 Jan 2012 13:22:04 -0500 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: You can break your blocks into /24's or smaller and readvertise them to your upstreams. You can also modify local preference using community tags with most upstreams. If you have tier 1 peerings you may be able to get them to filter the bad routes if you can prove they were assigned to you by ARIN. There's no real way to get 100% of your traffic back until you get the other company to stop advertising your routes though. You may also get traction from the AS's directly connected to the problem AS. I'm not sure how quickly you can get the other AS's to act on your behalf. The short blocks and local pref should get some of your traffic back though. 2012/1/31 Kelvin Williams > Greetings all. > > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet > Exchange) immediately filter out network blocks that are being advertised > by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. > > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and > 68.66.112.0/20 are registered in various IRRs all as having an origin AS > 11325 (ours), and are directly allocated to us. > > The malicious hijacking is being announced as /24s therefore making route > selection pick them. > > Our customers and services have been impaired. Does anyone have any > contacts for anyone at Cavecreek that would actually take a look at ARINs > WHOIS, and IRRs so the networks can be restored and our services back in > operation? > > Additionally, does anyone have any suggestion for mitigating in the > interim? Since we can't announce as /25s and IRRs are apparently a pipe > dream. > > -- > Kelvin Williams > Sr. 
Service Delivery Engineer > Broadband & Carrier Services > Altus Communications Group, Inc. > > > "If you only have a hammer, you tend to see every problem as a nail." -- > Abraham Maslow > > From kwilliams at altuscgi.com Tue Jan 31 12:22:59 2012 From: kwilliams at altuscgi.com (Kelvin Williams) Date: Tue, 31 Jan 2012 13:22:59 -0500 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25. On Jan 31, 2012 1:19 PM, "Grant Ridder" wrote: > Hi, > > What is keeping you from advertising a more specific route (i.e /25's)? > > -Grant > > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams wrote: > >> Greetings all. >> >> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek >> Internet >> Exchange) immediately filter out network blocks that are being advertised >> by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. >> >> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and >> 68.66.112.0/20 are registered in various IRRs all as having an origin AS >> 11325 (ours), and are directly allocated to us. >> >> The malicious hijacking is being announced as /24s therefore making route >> selection pick them. >> >> Our customers and services have been impaired. Does anyone have any >> contacts for anyone at Cavecreek that would actually take a look at ARINs >> WHOIS, and IRRs so the networks can be restored and our services back in >> operation? >> >> Additionally, does anyone have any suggestion for mitigating in the >> interim? Since we can't announce as /25s and IRRs are apparently a pipe >> dream. >> >> -- >> Kelvin Williams >> Sr. Service Delivery Engineer >> Broadband & Carrier Services >> Altus Communications Group, Inc. >> >> >> "If you only have a hammer, you tend to see every problem as a nail." 
-- >> Abraham Maslow >> > > From nick at foobar.org Tue Jan 31 12:25:09 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 31 Jan 2012 18:25:09 +0000 Subject: Console Server Recommendation In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09C9D7D3@RWC-MBX1.corp.seven.com> References: <20120131091136.GA22047@pob.ytti.fi> <4F27BBFC.1000309@foobar.org> <596B74B410EE6B4CA8A30C3AF1A155EA09C9D7D3@RWC-MBX1.corp.seven.com> Message-ID: <4F283205.6030709@foobar.org> On 31/01/2012 17:27, George Bonser wrote: > Wouldn't a program such as "conserver" running on a linux box someplace > potentially provide these (maybe with a little extra hackery)? We use > that quite a bit. One interesting option is that it allows another > person to also watch the console session. So, for example, I can give > someone a console session while watching the progress of it. yes, except that I would prefer to spend money on getting a pre-packaged solution rather than spending time customising boxes, dealing with customised upgrades, and so on. Fascinating and all as they are, console servers are a means to an end, and the less time I'm forced to spend trashing them into submission and maintaining them on an ongoing basis, the more time I have for productive work. Nick From keegan.holley at sungard.com Tue Jan 31 12:24:58 2012 From: keegan.holley at sungard.com (Keegan Holley) Date: Tue, 31 Jan 2012 13:24:58 -0500 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: 2012/1/31 Justin M. Streiner > On Tue, 31 Jan 2012, Grant Ridder wrote: > > What is keeping you from advertising a more specific route (i.e /25's)? >> > > Many providers filter out anything longer (smaller) than /24. > Some will accept it but not propagate it upstream. This may be useful in redirecting all the traffic from a large AS if you are directly connected. > > jms > > > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams > >wrote: >> >> Greetings all. 
>>> >>> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek >>> Internet >>> Exchange) immediately filter out network blocks that are being advertised >>> by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. >>> >>> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and >>> 68.66.112.0/20 are registered in various IRRs all as having an origin AS >>> 11325 (ours), and are directly allocated to us. >>> >>> The malicious hijacking is being announced as /24s therefore making route >>> selection pick them. >>> >>> Our customers and services have been impaired. Does anyone have any >>> contacts for anyone at Cavecreek that would actually take a look at ARINs >>> WHOIS, and IRRs so the networks can be restored and our services back in >>> operation? >>> >>> Additionally, does anyone have any suggestion for mitigating in the >>> interim? Since we can't announce as /25s and IRRs are apparently a pipe >>> dream. >>> >>> -- >>> Kelvin Williams >>> Sr. Service Delivery Engineer >>> Broadband & Carrier Services >>> Altus Communications Group, Inc. >>> >>> >>> "If you only have a hammer, you tend to see every problem as a nail." -- >>> Abraham Maslow >>> >>> >> > > From jof at thejof.com Tue Jan 31 12:27:28 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Tue, 31 Jan 2012 10:27:28 -0800 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: On Tue, Jan 31, 2012 at 10:19 AM, Grant Ridder wrote: > Hi, > > What is keeping you from advertising a more specific route (i.e /25's)? Most large transits and NSPs filter out prefixes more specific than a /24. Conventionally, at least in my experience, /24's are the most-specific prefix you can use and expect that it will end up in most places. Some shops with limited router processing or table storage capacity will filter even more restrictively, so a bigger aggregate is worth announcing as well. 
Cheers,
jof

From jof at thejof.com Tue Jan 31 12:27:48 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Tue, 31 Jan 2012 10:27:48 -0800 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID:

On Tue, Jan 31, 2012 at 10:00 AM, Kelvin Williams wrote:
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
> Exchange) immediately filter out network blocks that are being advertised
> by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> [ ...snip...]

Ugh, what a hassle. I've been there, and it's really no fun.

> Our customers and services have been impaired. Does anyone have any
> contacts for anyone at Cavecreek that would actually take a look at ARINs
> WHOIS, and IRRs so the networks can be restored and our services back in
> operation?

Have you tried the contacts listed at PeeringDB for AS19181? Check out: as19181.peeringdb.com

> Additionally, does anyone have any suggestion for mitigating in the
> interim? Since we can't announce as /25s and IRRs are apparently a pipe
> dream.

If you fail to get AS19181 to respond, you might consider contacting *their* upstreams and explaining the situation.

Cheers,
jof

From chuckchurch at gmail.com Tue Jan 31 12:32:35 2012 From: chuckchurch at gmail.com (Chuck Church) Date: Tue, 31 Jan 2012 13:32:35 -0500 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: <005801cce046$b9f2ee60$2dd8cb20$@gmail.com>

Shouldn't a forged LOA be justification to contact law enforcement?

Chuck

-----Original Message-----
From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
Sent: Tuesday, January 31, 2012 1:01 PM
To: nanog at nanog.org
Subject: Hijacked Network Ranges

Greetings all.

We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband & Carrier Services Altus Communications Group, Inc. "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow From kwilliams at altuscgi.com Tue Jan 31 12:33:26 2012 From: kwilliams at altuscgi.com (Kelvin Williams) Date: Tue, 31 Jan 2012 13:33:26 -0500 Subject: Hijacked Network Ranges In-Reply-To: <005801cce046$b9f2ee60$2dd8cb20$@gmail.com> References: <005801cce046$b9f2ee60$2dd8cb20$@gmail.com> Message-ID: We are. On Tue, Jan 31, 2012 at 1:32 PM, Chuck Church wrote: > Shouldn't a forged LOA be justification to contact law enforcement? > > Chuck > > -----Original Message----- > From: Kelvin Williams [mailto:kwilliams at altuscgi.com] > Sent: Tuesday, January 31, 2012 1:01 PM > To: nanog at nanog.org > Subject: Hijacked Network Ranges > > Greetings all. > > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet > Exchange) immediately filter out network blocks that are being advertised > by > ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. > > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and > 68.66.112.0/20 are registered in various IRRs all as having an origin AS > 11325 (ours), and are directly allocated to us. 
> The malicious hijacking is being announced as /24s therefore making route
> selection pick them.
>
> Our customers and services have been impaired. Does anyone have any
> contacts for anyone at Cavecreek that would actually take a look at ARINs
> WHOIS, and IRRs so the networks can be restored and our services back in
> operation?
>
> Additionally, does anyone have any suggestion for mitigating in the
> interim?
> Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband & Carrier Services
> Altus Communications Group, Inc.
>
>
> "If you only have a hammer, you tend to see every problem as a nail." --
> Abraham Maslow
>

--
Kelvin Williams
Sr. Service Delivery Engineer
Broadband & Carrier Services
Altus Communications Group, Inc.
Office - Direct: 404.682.2151
Office - Main: 404.682.2150
Mobile: 404.931.4888
Fax: 866.895.8557

"If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow

From jimmy.changa007 at gmail.com Tue Jan 31 12:52:44 2012 From: jimmy.changa007 at gmail.com (Joe Marr) Date: Tue, 31 Jan 2012 13:52:44 -0500 Subject: Route Management Best Practices In-Reply-To: <201201311517.28890.mtinka@globaltransit.net> References: <201201311438.37139.mtinka@globaltransit.net> <201201311517.28890.mtinka@globaltransit.net> Message-ID:

Thanks Mark,

This helps and definitely shows I'm heading in the right direction.

Thanks,

On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka wrote:
> On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote:
>
> > What do you use for reflectors, hardware(Cisco/Juniper)
> > or software daemons(Quagga)?
>
> We operate 2x networks.
>
> One of them runs Cisco 7201 routers as route reflectors,
> while the other runs Juniper M120 routers.
>
> The large Juniper routers were due to particular BGP AFI's
> that Cisco IOS does not support (yet).
>
> > I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers.
>
> You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector.
>
> The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-).
>
> > Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes.
>
> There was a time when networks were run without prefix lists, BGP communities or even route maps. I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-).
>
> If you have the opportunity, I'd advise against operating without these very useful tools.
>
> > Has anyone tried this, or is it suicide?
>
> I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, etc. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new. But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors).
>
> Mark.
>

From tony.mccrory at gmail.com Tue Jan 31 12:57:46 2012
From: tony.mccrory at gmail.com (Tony McCrory)
Date: Tue, 31 Jan 2012 18:57:46 +0000
Subject: Hijacked Network Ranges
In-Reply-To:
References:
Message-ID:

Surely something is better than nothing. Advertise the /24's and the /25's, see what happens.
At the least it's a step forwards until you get their routes filtered.

Tony

On 31 January 2012 18:22, Kelvin Williams wrote:
> Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25.
> On Jan 31, 2012 1:19 PM, "Grant Ridder" wrote:
>
> > Hi,
> >
> > What is keeping you from advertising a more specific route (i.e /25's)?
> >
> > -Grant
> >
> > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams <kwilliams at altuscgi.com> wrote:
> >
> >> Greetings all.
> >>
> >> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
> >>
> >> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
> >>
> >> The malicious hijacking is being announced as /24s therefore making route selection pick them.
> >>
> >> Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
> >>
> >> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
> >>
> >> --
> >> Kelvin Williams
> >> Sr. Service Delivery Engineer
> >> Broadband & Carrier Services
> >> Altus Communications Group, Inc.
> >>
> >> "If you only have a hammer, you tend to see every problem as a nail." --
> >> Abraham Maslow
> >>
> >
>

From me at anuragbhatia.com Tue Jan 31 13:13:46 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Wed, 1 Feb 2012 00:43:46 +0530
Subject: Hijacked Network Ranges
In-Reply-To:
References:
Message-ID:

I can routes are wrong for all /24 announcements. Maybe contacting Level3+Telia+AboveNet+Hurricane Electric since all these are upstream providers of AS29791 which is your upstream carrier? I guess they would be able to neutralize effect significantly by filtering those routes?

On Wed, Feb 1, 2012 at 12:27 AM, Tony McCrory wrote:
> Surely something is better than nothing. Advertise the /24's and the /25's, see what happens.
>
> At the least it's a step forwards until you get their routes filtered.
>
> Tony
>
> On 31 January 2012 18:22, Kelvin Williams wrote:
>
> > Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25.
> > On Jan 31, 2012 1:19 PM, "Grant Ridder" wrote:
> >
> > > Hi,
> > >
> > > What is keeping you from advertising a more specific route (i.e /25's)?
> > >
> > > -Grant
> > >
> > > On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams <kwilliams at altuscgi.com> wrote:
> > >
> > >> Greetings all.
> > >>
> > >> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
> > >>
> > >> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
> > >>
> > >> The malicious hijacking is being announced as /24s therefore making route selection pick them.
> > >>
> > >> Our customers and services have been impaired.
> > >> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
> > >>
> > >> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
> > >>
> > >> --
> > >> Kelvin Williams
> > >> Sr. Service Delivery Engineer
> > >> Broadband & Carrier Services
> > >> Altus Communications Group, Inc.
> > >>
> > >> "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow
> > >>
> > >
> >
>

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!

Twitter: @anurag_bhatia
Linkedin: http://linkedin.anuragbhatia.com

From owen at delong.com Tue Jan 31 13:09:39 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 31 Jan 2012 11:09:39 -0800
Subject: Console Server Recommendation
In-Reply-To: <20120131091136.GA22047@pob.ytti.fi>
References: <20120131091136.GA22047@pob.ytti.fi>
Message-ID: <15445673-C219-467D-BB5F-98C873B04355@delong.com>

On Jan 31, 2012, at 1:11 AM, Saku Ytti wrote:
> On (2012-01-30 11:08 -0500), Ray Soucy wrote:
>
>> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.
>
> This is very very common thread, replaying couple times a year in various lists, with to my cursory look no new information between iterations.
>
> I'd be more curious if people listed what do they think good console server should have, and if or not given model has them.
>
> For me, required features are
>
> - multiplexed connect to console port, console port should never, ever be busy, blocking. You don't want to find your most competent people blocked from accessing console, because 1st line is in lunch keeping the port busy.
>

+1 for conserver software as interface to existing terminal servers. It's a really awesome package with very nice capabilities built by operations folks for operations folks. It provides this ability and much more.

> - console port output always buffered persistently (if devices crashes and burns, at least you have post-network-reachability logs puked in console stored, good for troubleshooting)
>

Conserver does this, too, with the added advantage that the logs are stored on an independent box not likely affected by whatever caused the crash.

> - IP address mappable to a console port. So that accessing device normally is 'ssh router' and via OOB 'ssh router.oob' no need to train people
>

How about normal is 'ssh device' and OOB is 'console device'? Conserver does that.

> Nice to have
>
> - Configuration import/export as ascii, from single place, so configuration backups are easy
>

There are other tools that do this, such as rancid. I'm not sure I see significant advantage to integrating it.

> - DC PSU support, redundantly
>
> - No moving parts
>
> - TACACS+ support
>
> - 3G support with IPSEC tunneling
>
> - Some clean and well designed webUI
>

These get more into the hardware actually connecting to the console port, so they obviously aren't addressed by conserver. I believe that the MRV stuff has the first three covered. The web UI, well, clean/well designed is in the eye of the beholder, I suppose. I'm not overly impressed with any of the webUIs I've seen on any of these products. The 3G with IPSEC is a nice thought. I haven't seen anyone do that yet.

>
>
> I also have to ask, why do we even need these? Why do we still get new gear with RS232 console only? Why only Cisco Nexus7k and SUP2T have seen the light? Dedicated management-plane separated from control-plane, so regardless of control-plane status, you can connect over ethernet to management-plane and copy images to control-plane, reset control-plane, check logs etc.
> Ethernet port is lot cheaper than RS232 port, so OOB gear would be cheaper.
>

I think there are a few reasons. First, for all its failings, RS-232 is dirt-simple and extremely reliable without any configuration or external dependencies. Unless the box is a complete brick, the RS-232 console port probably works, or, at least works once the box is power-cycled.

Ethernet, even ethernet on a dedicated management plane, still depends on a lot of things outside of the ethernet chip. It needs configuration (whether DHCP or configuration file) and additional support hardware. Yes, much of this has become cheaper than UART/driver chipsets, but cheaper doesn't necessarily mean more rock-solid reliable.

> RS232 console on control-plane is ridiculously useless, you cannot copy images over it (even if supported, images are several hundreds megabytes). It is completely dependant on control-plane working which is very poor requirement for OOB.

I agree that RS232 on a management plane would be a better choice. Personally, I like the idea of having both RS232 and ethernet on dedicated management plane. The RS232 allows you to deal with failures on the ethernet and the ethernet provides support for image transfers, etc.

> When 50bucks intel desktop mobo has proper OOB, why does not every router and switch have?

I will point out that the intel mobo OOB has not completely eliminated the need for IPKVM in the datacenter. YMMV.

Owen

From str8steelerfan at gmail.com Tue Jan 31 13:20:10 2012
From: str8steelerfan at gmail.com (John Schneider)
Date: Tue, 31 Jan 2012 13:20:10 -0600
Subject: Hijacked Network Ranges
Message-ID:

If you both announce a /24, the BGP route selection process should begin to return some of the traffic to these prefixes back to your AS. Also, if you begin to advertise your prefixes as /24s and as a result, they try to advertise /25s, I would venture a guess that their /25s would get blocked entirely, effectively returning traffic to those prefixes to you.
That would be the best-case scenario until you can get someone at AS36111 to listen to you.

Best of Luck to you

>Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25.

From rs at seastrom.com Tue Jan 31 13:23:36 2012
From: rs at seastrom.com (Robert E. Seastrom)
Date: Tue, 31 Jan 2012 14:23:36 -0500
Subject: using ULA for 'hidden' v6 devices?
In-Reply-To: (Tim Chown's message of "Thu, 26 Jan 2012 23:31:41 +0000")
References: <06704517-398C-4FD4-9AC4-4D4A83D9D493@ecs.soton.ac.uk> <9E13525B-E1D0-4F51-8AD0-68359095466A@ecs.soton.ac.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09C934BC@RWC-MBX1.corp.seven.com> <70BC767C-FDC2-458E-A23B-01C4F0A85112@ecs.soton.ac.uk> <26066EA7-A326-4CD2-BF88-F31D2BBE5F0A@delong.com> <5CCCFAC0-5442-4946-857F-8695E0CE0902@ecs.soton.ac.uk>
Message-ID: <868vknsmkn.fsf@seastrom.com>

Tim Chown writes:
> On 26 Jan 2012, at 16:53, Owen DeLong wrote:
>
>> On Jan 26, 2012, at 8:14 AM, Ray Soucy wrote:
>>
>>> Does this mean we're also looking at residential allocations larger than a /64 as the norm?
>>>
>>
>> We certainly should be. I still think that /48s for residential is the right answer.
>>
>> My /48 is working quite nicely in my house.
>
> There seems to be a lot of discussion happening around a /60 or /56. I wouldn't assume a /48 for residential networks, or a static prefix.

The big question is what constitutes an "end site" and do we want/need to have multiple classes of "end site" in the interests of conserving IPv6 space, or do we want to have only a single class in the interests of conserving technical person brain cells?

Food for thought:

There are approximately 7 billion people in the world right now. US billion, 10^9.

If we defined an "end site" as an "Internet provider access device that could allow subsidiary devices to connect downstream...
AND

Every human on the face of the earth was Avi Freedman or Vijay Gill and had ten cell phones that would act as APs, each of which with its own /48...

THEN...

We would be using between 2^36 and 2^37 end site allocations (70 billion).

OR between a /11 and a /12

OR right around 0.03% of the space, assuming 100% utilization efficiency.

If the goal in putting small chunks of space at residences is to conserve space in order to fit within the RIR's policies, then it is the policies that ought to change. Stewardship is not the same as parsimony.

-r

From heather.schiller at verizon.com Tue Jan 31 13:29:40 2012
From: heather.schiller at verizon.com (Schiller, Heather A)
Date: Tue, 31 Jan 2012 14:29:40 -0500
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
In-Reply-To:
References:
Message-ID:

Or roll it up hill:

33611 looks like they get transit from 19181, whose only upstream appears to be 12189.
12189 gets connectivity from 174 and 3549.

174 = Cogent
3549 = GBLX/L3

--Heather

-----Original Message-----
From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
Sent: Tuesday, January 31, 2012 1:01 PM
To: nanog at nanog.org
Subject: Hijacked Network Ranges

Greetings all.

We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.

The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.

The malicious hijacking is being announced as /24s therefore making route selection pick them.

Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?

Additionally, does anyone have any suggestion for mitigating in the interim?
Since we can't announce as /25s and IRRs are apparently a pipe dream.

--
Kelvin Williams
Sr. Service Delivery Engineer
Broadband & Carrier Services
Altus Communications Group, Inc.

"If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow

From keegan.holley at sungard.com Tue Jan 31 13:50:10 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Tue, 31 Jan 2012 14:50:10 -0500
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
In-Reply-To:
References:
Message-ID:

To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys' upstreams second.

2012/1/31 Schiller, Heather A :
>
> Or roll it up hill:
>
> 33611 looks like they get transit from 19181, whose only upstream appears to be 12189.
> 12189 gets connectivity from 174 and 3549.
>
> 174 = Cogent
> 3549 = GBLX/L3
>
> --Heather
>
> -----Original Message-----
> From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
> Sent: Tuesday, January 31, 2012 1:01 PM
> To: nanog at nanog.org
> Subject: Hijacked Network Ranges
>
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route selection pick them.
>
> Our customers and services have been impaired.
> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>
> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband & Carrier Services
> Altus Communications Group, Inc.
>
> "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow
>

From ler762 at gmail.com Tue Jan 31 13:56:52 2012
From: ler762 at gmail.com (Lee)
Date: Tue, 31 Jan 2012 14:56:52 -0500
Subject: MD5 considered harmful
In-Reply-To: <4F282B4A.7000603@foobar.org>
References: <4F230041.5020701@rollernet.us> <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net> <20120130175741.61da35de@w520.localdomain> <1328028054.22768.YahooMailNeo@web31807.mail.mud.yahoo.com> <4F282B4A.7000603@foobar.org>
Message-ID:

On 1/31/12, Nick Hilliard wrote:
> On 31/01/2012 16:40, David Barak wrote:
>> Because downtime is a security issue too, and MD5 is more likely to contribute to downtime (either via lost password, crypto load on CPU, or other) than the problem it purports to fix. The goal of a network engineer is to move packets from A -> B. The goal of a security engineer is to keep that from happening. A business needs to weigh the cost and benefit of any given approach, and MD5 BGP auth does not come out well in the of situations.
>
> cpu load is negligible and is done in hardware on several platforms. Lost passwords can occur but if you have properly stored configuration backups, they shouldn't be a major problem. Also, they can be trivially decrypted from C/J configuration files.
>
> From my point of view, MD5 passwords serve two purposes:
.. snip ..
>
> 2.
> they can be used to convince security auditors that the network is secure and that they can now sod off and stop harassing me, kthxbai

+1

It isn't worth the time or effort trying to get an exception to their 'best practice'.

Lee

From ttauber at 1-4-5.net Tue Jan 31 13:59:47 2012
From: ttauber at 1-4-5.net (Tony Tauber)
Date: Tue, 31 Jan 2012 14:59:47 -0500
Subject: Route Management Best Practices
In-Reply-To:
References: <201201311438.37139.mtinka@globaltransit.net> <201201311517.28890.mtinka@globaltransit.net>
Message-ID:

To elaborate slightly on what others have said in terms of protecting against leaks; it's a good idea to filter outbound in a conservative way such that you only send what you "expect" in terms of community values and/or prefixes and/or AS-paths.

For instance, if something gets into your BGP that isn't tagged with one of your expected communities (e.g. applied where you inject your aggs), don't re-advertise it. If something has the right community, but not an expected AS-path (e.g. contains the AS of one of your transit providers), don't re-advertise. Implicitly deny all unexpected cases.

Building that kind of restrictive logic will make it less likely that you become a path for traffic you didn't expect (and might swamp you) and also you'll be a better citizen in general.

Cheers,

Tony

On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr wrote:
> Thanks Mark,
>
> This helps and definitely shows I'm heading in the right direction.
>
> Thanks,
>
>
> On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka wrote:
>
> > On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote:
> >
> > > What do you use for reflectors, hardware(Cisco/Juniper) or software daemons(Quagga)?
> >
> > We operate 2x networks.
> >
> > One of them runs Cisco 7201 routers as route reflectors, while the other runs Juniper M120 routers.
> >
> > The large Juniper routers were due to particular BGP AFI's that Cisco IOS does not support (yet).
> >
> > > I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers.
> >
> > You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector.
> >
> > The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-).
> >
> > > Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes.
> >
> > There was a time when networks were run without prefix lists, BGP communities or even route maps. I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-).
> >
> > If you have the opportunity, I'd advise against operating without these very useful tools.
> >
> > > Has anyone tried this, or is it suicide?
> >
> > I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, etc. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new. But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors).
> >
> > Mark.
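As an added illustration (not code from Tony or anyone else in these threads), the following Python models the conservative outbound policy Tony describes above, and alongside it the longest-prefix behaviour that the "Hijacked Network Ranges" thread is wrestling with (a hijacked /24 beating the legitimate /20 until matching /24s are announced). The local AS, community tag, transit set and expected prefixes are hypothetical; the observed AS paths are constructed from the table Eric Tykwinski posts later in the thread.

```python
"""Added example (not code from anyone in this thread) modelling two BGP checks
that come up here: a conservative outbound policy that only re-advertises what
you expect (community, AS path, prefix; implicit deny), and why a hijacker's
/24 beats a legitimate /20 until matching /24s are announced. The local AS,
community tag, transit set and expected prefixes are hypothetical; the observed
AS paths are constructed from the table output quoted in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "208.110.48.0/20"
    as_path: tuple                   # leftmost = neighbour, rightmost = origin AS
    communities: frozenset = frozenset()

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def origin(self):
        return self.as_path[-1]


# ---- Outbound policy: send only what you expect, deny everything else ----
MY_AS = 64496                                      # hypothetical local AS
EXPECTED_COMMUNITIES = frozenset({"64496:1000"})   # tag applied where aggregates are injected
TRANSIT_ASES = frozenset({3356, 174})              # hypothetical transit providers
EXPECTED_PREFIXES = ("192.0.2.0/24", "198.51.100.0/24")  # our aggregates / customer blocks


def export_allowed(route, expected_communities=EXPECTED_COMMUNITIES,
                   transit_ases=TRANSIT_ASES, expected_prefixes=EXPECTED_PREFIXES):
    """True only if every positive check passes; anything unexpected is denied."""
    # 1. Must carry one of the communities we apply at injection time.
    if not (route.communities & expected_communities):
        return False
    # 2. Must not have passed through a transit provider: that is a leak.
    if any(asn in transit_ases for asn in route.as_path):
        return False
    # 3. Must sit inside a prefix we expect to announce.
    net = route.network
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in expected_prefixes):
        return False
    return True


# ---- Hijack visibility: longest prefix wins, then shortest AS path ----
def best_route(rib, address):
    """Simplified selection for one destination: longest match, then shortest
    AS path (local-pref, MED and later tie-breakers are ignored here)."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in rib if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, len(r.as_path)))


def origin_mismatches(rib, expected_origins):
    """Routes inside one of our allocations whose origin AS is not the expected one."""
    bad = []
    for r in rib:
        for alloc, origin in expected_origins.items():
            if r.network.subnet_of(ipaddress.ip_network(alloc)) and r.origin != origin:
                bad.append(r)
    return bad


# Paths as in Eric Tykwinski's table: the legitimate /20 from AS11325 and the
# hijacked /24 from AS33611, seen via Level3 (3356) and Cogent (174).
OBSERVED = [
    Route("208.110.48.0/20", (3356, 29791, 11325)),
    Route("208.110.48.0/20", (174, 1299, 29791, 11325)),
    Route("208.110.49.0/24", (3356, 12189, 19181, 33611)),
    Route("208.110.49.0/24", (174, 12189, 19181, 33611)),
]
# Hypothetical counter-announcement: the legitimate holder also originates the /24.
COUNTER = [
    Route("208.110.49.0/24", (3356, 29791, 11325)),
    Route("208.110.49.0/24", (174, 1299, 29791, 11325)),
]

if __name__ == "__main__":
    # Outbound policy: a tagged, locally originated aggregate passes; an untagged one does not.
    print(export_allowed(Route("192.0.2.0/24", (MY_AS,), EXPECTED_COMMUNITIES)))  # True
    print(export_allowed(Route("192.0.2.0/24", (MY_AS,))))                        # False
    # Before: the more specific hijack wins regardless of path length.
    print(best_route(OBSERVED, "208.110.49.10").origin)                           # 33611
    # After: equal prefix length, so the shorter Level3 path to 11325 wins.
    print(best_route(OBSERVED + COUNTER, "208.110.49.10").origin)                 # 11325
    for r in origin_mismatches(OBSERVED, {"208.110.48.0/20": 11325}):
        print("origin mismatch:", r.prefix, r.as_path)
```

Note that on the Cogent side both /24 paths are four hops long, which is the "50/50 shot" Eric describes; the model's tie-break there is arbitrary, as a real router's later selection steps would decide it.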
From heather.schiller at verizon.com Tue Jan 31 14:04:37 2012
From: heather.schiller at verizon.com (Schiller, Heather A)
Date: Tue, 31 Jan 2012 15:04:37 -0500
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
In-Reply-To:
References:
Message-ID:

Looks fixed now..

--heather

-----Original Message-----
From: Keegan Holley [mailto:keegan.holley at sungard.com]
Sent: Tuesday, January 31, 2012 2:50 PM
To: Schiller, Heather A
Cc: Kelvin Williams; nanog at nanog.org
Subject: Re: Hijacked Network Ranges - paging Cogent and GBLX/L3

To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys' upstreams second.

2012/1/31 Schiller, Heather A :
>
> Or roll it up hill:
>
> 33611 looks like they get transit from 19181, whose only upstream appears to be 12189.
> 12189 gets connectivity from 174 and 3549.
>
> 174 = Cogent
> 3549 = GBLX/L3
>
> --Heather
>
> -----Original Message-----
> From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
> Sent: Tuesday, January 31, 2012 1:01 PM
> To: nanog at nanog.org
> Subject: Hijacked Network Ranges
>
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route selection pick them.
>
> Our customers and services have been impaired.
> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>
> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband & Carrier Services
> Altus Communications Group, Inc.
>
> "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow
>

From heather.schiller at verizon.com Tue Jan 31 14:05:24 2012
From: heather.schiller at verizon.com (Schiller, Heather A)
Date: Tue, 31 Jan 2012 15:05:24 -0500
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
References:
Message-ID:

Sorry -- was looking at the wrong thing. Doh!

--heather

-----Original Message-----
From: Schiller, Heather A
Sent: Tuesday, January 31, 2012 3:05 PM
To: 'Keegan Holley'
Cc: Kelvin Williams; nanog at nanog.org
Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3

Looks fixed now..

--heather

-----Original Message-----
From: Keegan Holley [mailto:keegan.holley at sungard.com]
Sent: Tuesday, January 31, 2012 2:50 PM
To: Schiller, Heather A
Cc: Kelvin Williams; nanog at nanog.org
Subject: Re: Hijacked Network Ranges - paging Cogent and GBLX/L3

To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys' upstreams second.

2012/1/31 Schiller, Heather A :
>
> Or roll it up hill:
>
> 33611 looks like they get transit from 19181, whose only upstream appears to be 12189.
> 12189 gets connectivity from 174 and 3549.
>
> 174 = Cogent
> 3549 = GBLX/L3
>
> --Heather
>
> -----Original Message-----
> From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
> Sent: Tuesday, January 31, 2012 1:01 PM
> To: nanog at nanog.org
> Subject: Hijacked Network Ranges
>
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route selection pick them.
>
> Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>
> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband & Carrier Services
> Altus Communications Group, Inc.
>
> "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow
>

From ido at oasis-tech.net Tue Jan 31 14:06:03 2012
From: ido at oasis-tech.net (Ido Szargel)
Date: Tue, 31 Jan 2012 22:06:03 +0200
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
In-Reply-To:
References:
Message-ID: <7A848D4888ADA94B8A46A17296740133B38D3E5473@DEXTER.oasis-tech.local>

I would go at first by advertising your prefixes as a /24 as well, just randomly checked 2 different locations and the as-path to 11325 is shorter than to 33611.
This seems to be the case for customers of Tiscali and L3, so this will probably get most of your traffic back to you...
Regards,
Ido

-----Original Message-----
From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
Sent: Tuesday, January 31, 2012 1:01 PM
To: nanog at nanog.org
Subject: Hijacked Network Ranges

Greetings all.

We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.

The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.

The malicious hijacking is being announced as /24s therefore making route selection pick them.

Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?

Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.

--
Kelvin Williams
Sr. Service Delivery Engineer
Broadband & Carrier Services
Altus Communications Group, Inc.

"If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow

From eric-list at truenet.com Tue Jan 31 14:17:35 2012
From: eric-list at truenet.com (Eric Tykwinski)
Date: Tue, 31 Jan 2012 15:17:35 -0500
Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3
In-Reply-To: <7A848D4888ADA94B8A46A17296740133B38D3E5473@DEXTER.oasis-tech.local>
References: <7A848D4888ADA94B8A46A17296740133B38D3E5473@DEXTER.oasis-tech.local>
Message-ID: <009d01cce055$61632030$24296090$@truenet.com>

Haven't really been following, but you've got a 50/50 shot for BGP on Cogent for us, but Level3 is shorter so would take precedence.
208.110.48.0/20   3356 29791 11325 i
                  174 1299 29791 11325 i
208.110.49.0      3356 12189 19181 33611 i
                  174 12189 19181 33611 i

-----Original Message-----
From: Ido Szargel [mailto:ido at oasis-tech.net]
Sent: Tuesday, January 31, 2012 3:06 PM
To: Schiller, Heather A; Kelvin Williams; nanog at nanog.org
Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3

I would go at first by advertising your prefixes as a /24 as well, just randomly checked 2 different locations and the as-path to 11325 is shorter than to 33611.
This seems to be the case for customers of Tiscali and L3, so this will probably get most of your traffic back to you...

Regards,
Ido

-----Original Message-----
From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
Sent: Tuesday, January 31, 2012 1:01 PM
To: nanog at nanog.org
Subject: Hijacked Network Ranges

Greetings all.

We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.

The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.

The malicious hijacking is being announced as /24s therefore making route selection pick them.

Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?

Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.

--
Kelvin Williams
Sr. Service Delivery Engineer
Broadband & Carrier Services
Altus Communications Group, Inc.

"If you only have a hammer, you tend to see every problem as a nail."
-- Abraham Maslow From mkarir at merit.edu Tue Jan 31 14:30:57 2012 From: mkarir at merit.edu (Manish Karir) Date: Tue, 31 Jan 2012 15:30:57 -0500 Subject: Hijacked Network Ranges - paging Cogent and GBLX/L3 Message-ID: You can take a closer look at the AS paths (lengths) to various global locations by looking at the following: http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=208.110.48.0/20&view=all&count=1000 http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=63.246.112.0/20&view=all&count=1000 http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=68.66.112.0/20&view=all&count=1000 Hope that helps. -manish > Message: 7 > Date: Tue, 31 Jan 2012 22:06:03 +0200 > From: Ido Szargel > To: "Schiller, Heather A" , Kelvin > Williams , "nanog at nanog.org" > Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3 > Message-ID: > <7A848D4888ADA94B8A46A17296740133B38D3E5473 at DEXTER.oasis-tech.local> > Content-Type: text/plain; charset="us-ascii" > > I would go at first by advertising your prefixes as a /24 as well, just > randomly checked 2 different locations and the as-path to 11325 is shorter > than to 33611. > This seems to be the case for customers of Tiscali and L3, so this will > probably get most of your traffic back to you... > > Regards, > Ido >> >> -----Original Message----- >> From: Kelvin Williams [mailto:kwilliams at altuscgi.com] >> Sent: Tuesday, January 31, 2012 1:01 PM >> To: nanog at nanog.org >> Subject: Hijacked Network Ranges >> >> Greetings all. >> >> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet >> Exchange) immediately filter out network blocks that are being advertised by >> AS33611 (SBJ Media, LLC) who provided to them a forged LOA. >> >> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and >> 68.66.112.0/20 are registered in various IRRs all as having an origin AS >> 11325 (ours), and are directly allocated to us.
>> >> The malicious hijacking is being announced as /24s therefore making route >> selection pick them. >> >> Our customers and services have been impaired. Does anyone have any >> contacts for anyone at Cavecreek that would actually take a look at ARIN's >> WHOIS, and IRRs so the networks can be restored and our services back in >> operation? >> >> Additionally, does anyone have any suggestion for mitigating in the interim? >> Since we can't announce as /25s and IRRs are apparently a pipe dream. >> >> -- >> Kelvin Williams >> Sr. Service Delivery Engineer >> Broadband & Carrier Services >> Altus Communications Group, Inc. >> > > "If you only have a hammer, you tend to see every problem as a nail." -- > Abraham Maslow From jimmy.changa007 at gmail.com Tue Jan 31 15:02:11 2012 From: jimmy.changa007 at gmail.com (Joe Marr) Date: Tue, 31 Jan 2012 16:02:11 -0500 Subject: Route Management Best Practices In-Reply-To: References: <201201311438.37139.mtinka@globaltransit.net> <201201311517.28890.mtinka@globaltransit.net> Message-ID: Thanks for the advice. Filtering and route manipulation hasn't been a problem for me. I'm very careful to prevent leakage, etc. My current issue is scaling my management of our prefix announcements. Every time I add a new block, I need to modify all of my edge routers etc. I understand I can use IRR etc. to automate prefix-list deployments, but the blocks need to still be injected into the network? So my thought was to use a route server (Quagga or a 7200) to do this. I'm looking to understand how others handle this. On Tue, Jan 31, 2012 at 2:59 PM, Tony Tauber wrote: > To elaborate slightly on what others have said in terms of protecting > against leaks; > it's a good idea to filter outbound in a conservative way such that you > only send > what you "expect" in terms of community values and/or prefixes and/or > AS-paths. > > For instance, if something gets into your BGP that isn't tagged with one > of your expected > communities (e.g.
applied where you inject your aggs), don't re-advertise > it. > If something has the right community, but not an expected AS-path (e.g. > contains the AS > of one of your transit providers), don't re-advertise. > Implicitly deny all unexpected cases. > > Building that kind of restrictive logic will make it less likely that you > become a path for traffic you > didn't expect (and might swamp you) and also you'll be a better citizen in > general. > > Cheers, > Tony > > > On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr wrote: > >> Thanks Mark, >> >> This helps and definitely shows I'm heading in the right direction. >> >> Thanks, >> >> >> On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka > >wrote: >> >> > On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote: >> > >> > > What do you use for reflectors, hardware (Cisco/Juniper) >> > > or software daemons (Quagga)? >> > >> > We operate 2x networks. >> > >> > One of them runs Cisco 7201 routers as route reflectors, >> > while the other runs Juniper M120 routers. >> > >> > The large Juniper routers were due to particular BGP AFI's >> > that Cisco IOS does not support (yet). >> > >> > > I've been toying with the idea of using Quagga route >> > > servers to announce our prefixes to our edge routers and >> > > redistribute BGP announcements learned from downstream >> > > customers. >> > >> > You can certainly use any device in your network to >> > originate your allocations. We just use the route reflectors >> > because it is a natural fit, but you can use any device >> > provided it would be as stable and independent as a route >> > reflector. >> > >> > The last thing you want is a blackhole or a route going away >> > because your backhaul failed or your customer DoS'ed your >> > edge router :-). >> > >> > > Only drawback is the lack of support for >> > > tagged static routes, so it looks like I'm going to have >> > > to use a network statement w/ route-map to set the >> > > attributes.
>> > >> > There was a time when networks were run without prefix >> > lists, BGP communities or even route maps. I'm too young to >> > have ever experienced those times, but I always joke with a >> > friend (from those times) about how good we have it today, >> > and how hard life must have been for Internet engineers of >> > old :-). >> > >> > If you have the opportunity, I'd advise against operating >> > without these very useful tools. >> > >> > > Has anyone tried this, or is it suicide? >> > >> > I'm sure there are several networks out there that are >> > intimidated by additional BGP features such as communities, >> > advanced routing policy, etc. They do survive without >> > having to deal with this, probably because their networks >> > are small and the pain is better than trying something new. >> > But I certainly wouldn't recommend it to anyone (except, as >> > Randy would say, my competitors). >> > >> > Mark. >> > >> > > From andrew.fried at gmail.com Tue Jan 31 15:16:31 2012 From: andrew.fried at gmail.com (Andrew Fried) Date: Tue, 31 Jan 2012 16:16:31 -0500 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: <4F285A2F.4040508@gmail.com> The interesting thing is that I'm not seeing any new "hosts" from those subnets in passive DNS. It almost seems that their purpose for hijacking the space was to direct traffic to themselves, possibly for collecting login attempts. Andrew Fried andrew.fried at gmail.com On 1/31/12 1:00 PM, Kelvin Williams wrote: > Greetings all. > > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet > Exchange) immediately filter out network blocks that are being advertised > by AS33611 (SBJ Media, LLC) who provided to them a forged LOA. > > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and > 68.66.112.0/20 are registered in various IRRs all as having an origin AS > 11325 (ours), and are directly allocated to us.
> > The malicious hijacking is being announced as /24s therefore making route > selection pick them. > > Our customers and services have been impaired. Does anyone have any > contacts for anyone at Cavecreek that would actually take a look at ARIN's > WHOIS, and IRRs so the networks can be restored and our services back in > operation? > > Additionally, does anyone have any suggestion for mitigating in the > interim? Since we can't announce as /25s and IRRs are apparently a pipe > dream. > From carlos at race.com Tue Jan 31 16:30:55 2012 From: carlos at race.com (Carlos Alcantar) Date: Tue, 31 Jan 2012 22:30:55 +0000 Subject: US DOJ victim letter In-Reply-To: Message-ID: +1: the only IPs on the list were our resolver DNS servers for customers. Carlos Alcantar Race Communications / Race Team Member 101 Haskins Way, So. San Francisco, CA. 94080 Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com -----Original Message----- From: Matthew Crocker Date: Mon, 30 Jan 2012 10:56:10 -0500 To: Jack Bates Cc: "nanog at nanog.org" Subject: Re: US DOJ victim letter ----- Original Message ----- > From: "Jack Bates" > To: "Jon Lewis" > Cc: nanog at nanog.org > Sent: Monday, January 30, 2012 10:54:02 AM > Subject: Re: US DOJ victim letter > > On 1/27/2012 2:23 PM, Jon Lewis wrote: > > > > It's definitely real, but seems like they're handling it as > > incompetently as possible. We got numerous copies to the same email > > address, the logins didn't work initially. The phone numbers given > > are > > of questionable utility. Virtually no useful information was > > provided. > > My attitude at this point is, ignore it until they provide some > > useful > > information. > > > > We finally got the hard copy. No customer IP listed, just our > recursive > resolvers, both for the customers as well as the ones that handle the > MX > servers. > > All that waiting and work for apparently nothing.
I'm going to guess > that my bind servers aren't malware infected (outside of being bind > j/king). > Same here, The hard copy came the other day with the access codes to download the IP list. Every IP on the list was for a resolving DNS server on our IP space. Total waste of time. From phil at cluestick.net Tue Jan 31 18:38:46 2012 From: phil at cluestick.net (Phil Dyer) Date: Tue, 31 Jan 2012 19:38:46 -0500 Subject: US DOJ victim letter In-Reply-To: References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com> Message-ID: On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: > On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: >> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > > > It's definitely real, but seems like they're handling it as incompetently as > possible. Yep. That sounds about right. Man, I'm feeling left out. I kinda want one now. phil From graileanu at noction.com Tue Jan 31 18:41:36 2012 From: graileanu at noction.com (Greg Raileanu) Date: Wed, 01 Feb 2012 02:41:36 +0200 Subject: Route Optimization Software / Appliance In-Reply-To: <4E52A516.4010403@noction.com> References: <20110822172759.090dad1d@concur.batblue.com> <4E52A516.4010403@noction.com> Message-ID: <4F288A40.1040600@noction.com> Hi. Just FYI, we have already launched a stable release. Feel free to contact me off-list if interested. From paradox at nac.net Tue Jan 31 18:43:28 2012 From: paradox at nac.net (Ryan Pavely) Date: Tue, 31 Jan 2012 19:43:28 -0500 Subject: US DOJ victim letter In-Reply-To: References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com> Message-ID: <4F288AB0.9060007@nac.net> I really enjoyed the fact that I called the number, on what I learned later was a "Sample", and when I picked the option to speak with an agent I got "The mailbox is full" message. I feel safe... 
Ryan Pavely Director Research And Development Net Access Corporation http://www.nac.net/ On 01/31/2012 7:38 PM, Phil Dyer wrote: > On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: >> On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: >>> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. >> >> It's definitely real, but seems like they're handling it as incompetently as >> possible. > > Yep. That sounds about right. > > Man, I'm feeling left out. I kinda want one now. > > phil From kwilliams at altuscgi.com Tue Jan 31 18:49:20 2012 From: kwilliams at altuscgi.com (Kelvin Williams) Date: Tue, 31 Jan 2012 19:49:20 -0500 Subject: Fwd: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) Message-ID: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The "thief" is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw ---------- Forwarded message ---------- From: Kelvin Williams Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: noc at phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? 
On Tue, Jan 31, 2012 at 7:30 PM, Brandon S wrote: > Hello, > > Thank you for your email. Please direct any further questions regarding > this issue to the following contact. > > Bennet Kelley > 100 Wilshire Blvd. > Suite 950 > Santa Monica, CA 90401 > bkelley at internetlawcenter.net > > Telephone > 310-452-0401 > > Facsimile > 702-924-8740 > > -- > Brandon S. > NOC Services Technician > > ** We want to hear from you!** > We care about the quality of our service. If you've received > anything less than a prompt response or exceptional service or would like > to share any > feedback regarding your experience, please let us know by sending an email > to management: > supportfeedback at phoenixnap.com > > -- Kelvin Williams Sr. Service Delivery Engineer Broadband & Carrier Services Altus Communications Group, Inc. "If you only have a hammer, you tend to see every problem as a nail." -- Abraham Maslow From goemon at anime.net Tue Jan 31 18:56:19 2012 From: goemon at anime.net (goemon at anime.net) Date: Tue, 31 Jan 2012 16:56:19 -0800 (PST) Subject: Fwd: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: References: Message-ID: I think the correct term for this is "bulletproof hosting". Now you know where to go. -Dan On Tue, 31 Jan 2012, Kelvin Williams wrote: > I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) > > We're still not out of the woods, announcing /24s and working with upper > tier carriers to filter out our lists. However, I just got this response > from Phoenix NAP and found it funny. The "thief" is a former customer, > whom we terminated their agreement with. They then forged an LOA, > submitted it to CWIE.net and Phoenix NAP and resumed using space above and > beyond their terminated agreement. So now any request for assistance to > stop our networks from being announced is now responded to with an > instruction to contact the thief's lawyer.
> > kw > > ---------- Forwarded message ---------- > From: Kelvin Williams > Date: Tue, Jan 31, 2012 at 7:43 PM > Subject: Re: [#135346] Unauthorized BGP Announcements > To: noc at phoenixnap.com > > > We'll be forwarding this to our peers in the industry--rather funny that > Phoenix NAP would rather send us to the attorney of the people stealing our > space than bothering to perform an ARIN WHOIS search, or querying any of > the IRRs. > > Interesting... Very interesting... So, who all do you have > there--spammers and child pornographers? Is this level of protection what > you give to them all? > > > > On Tue, Jan 31, 2012 at 7:30 PM, Brandon S wrote: > >> Hello, >> >> Thank you for your email. Please direct any further questions regarding >> this issue to the following contact. >> >> Bennet Kelley >> 100 Wilshire Blvd. >> Suite 950 >> Santa Monica, CA 90401 >> bkelley at internetlawcenter.net >> >> Telephone >> 310-452-0401 >> >> Facsimile >> 702-924-8740 >> >> -- >> Brandon S. >> NOC Services Technician >> >> ** We want to hear from you!** >> We care about the quality of our service. If you've received >> anything less than a prompt response or exceptional service or would like >> to share any >> feedback regarding your experience, please let us know by sending an email >> to management: >> supportfeedback at phoenixnap.com >> >> -- > Kelvin Williams > Sr. Service Delivery Engineer > Broadband & Carrier Services > Altus Communications Group, Inc. > > > "If you only have a hammer, you tend to see every problem as a nail." -- > Abraham Maslow > From meirea at charterschoolit.com Tue Jan 31 19:09:11 2012 From: meirea at charterschoolit.com (Mario Eirea) Date: Wed, 1 Feb 2012 01:09:11 +0000 Subject: Wireless Recommendations In-Reply-To: <4F281AC7.2050706@bogus.com> References: <043e01ccdf90$38c96870$aa5c3950$@impactbusiness.com>, <4F281AC7.2050706@bogus.com> Message-ID: <4E0D68AD-773A-472D-B80F-0D7B628BBF39@charterschoolit.com> Aruba AP 105.
This version comes with a virtual controller that can manage 16 APs without the need of an additional controller. For high-capacity areas I would go with Ruckus. -Mario Eirea On Jan 31, 2012, at 11:46 AM, "Joel jaeggli" wrote: > On 1/30/12 12:46 , Jim Gonzalez wrote: >> Hi, >> >> I am looking for a Wireless bridge or Router that will >> support 600 wireless clients concurrently (mostly cell phones). I need it >> for a proof of concept. > > an Aruba controller and 8 dual-radio APs. > >> >> >> >> >> Thanks in advance >> >> Jim From drc at virtualized.org Tue Jan 31 19:15:29 2012 From: drc at virtualized.org (David Conrad) Date: Tue, 31 Jan 2012 17:15:29 -0800 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: References: Message-ID: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> > I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: "We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer." It was an eye-opening experience. Regards, -drc On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: > > We're still not out of the woods, announcing /24s and working with upper > tier carriers to filter out our lists.
However, I just got this response > from Phoenix NAP and found it funny. The "thief" is a former customer, > whom we terminated their agreement with. They then forged an LOA, > submitted it to CWIE.net and Phoenix NAP and resumed using space above and > beyond their terminated agreement. So now any request for assistance to > stop our networks from being announced is now responded to with an > instruction to contact the thief's lawyer. > > kw > > ---------- Forwarded message ---------- > From: Kelvin Williams > Date: Tue, Jan 31, 2012 at 7:43 PM > Subject: Re: [#135346] Unauthorized BGP Announcements > To: noc at phoenixnap.com > > > We'll be forwarding this to our peers in the industry--rather funny that > Phoenix NAP would rather send us to the attorney of the people stealing our > space than bothering to perform an ARIN WHOIS search, or querying any of > the IRRs. > > Interesting... Very interesting... So, who all do you have > there--spammers and child pornographers? Is this level of protection what > you give to them all? > > > > On Tue, Jan 31, 2012 at 7:30 PM, Brandon S wrote: > >> Hello, >> >> Thank you for your email. Please direct any further questions regarding >> this issue to the following contact. >> >> Bennet Kelley >> 100 Wilshire Blvd. >> Suite 950 >> Santa Monica, CA 90401 >> bkelley at internetlawcenter.net >> >> Telephone >> 310-452-0401 >> >> Facsimile >> 702-924-8740 >> >> -- >> Brandon S. >> NOC Services Technician >> >> ** We want to hear from you!** >> We care about the quality of our service. If you?ve received >> anything less than a prompt response or exceptional service or would like >> to share any >> feedback regarding your experience, please let us know by sending an email >> to management: >> supportfeedback at phoenixnap.com >> >> -- > Kelvin Williams > Sr. Service Delivery Engineer > Broadband & Carrier Services > Altus Communications Group, Inc. > > > "If you only have a hammer, you tend to see every problem as a nail." 
-- > Abraham Maslow From paul4004 at gmail.com Tue Jan 31 19:26:38 2012 From: paul4004 at gmail.com (PC) Date: Tue, 31 Jan 2012 18:26:38 -0700 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> Message-ID: Curious, what was the outcome of this? In any case, I'm hoping the major Tier-1s do the right thing and filter the rogue announcements, while allowing the OP's. Hopefully after enough pressure and dysfunction, they will give it up. On Tue, Jan 31, 2012 at 6:15 PM, David Conrad wrote: > > I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. > :) > > In the dim past, I had a somewhat similar situation: > > - A largish (national telco of a small country) ISP started announcing > address space a customer of theirs provided. Unfortunately, the address > space wasn't the ISP's customer's to provide. > - When the ISP was notified by both their RIR and the organization to > which the address space was rightfully delegated, the ISP's response was: > > "We have a contractual relationship with our customer to announce that > space. We have neither a contractual relationship (in this context) with > the RIR nor the RIR's customer. The RIR and/or the RIR's customer should > resolve this issue with our customer." > > It was an eye-opening experience. > > Regards, > -drc > > On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: > > > > > We're still not out of the woods, announcing /24s and working with upper > > tier carriers to filter out our lists. However, I just got this response > > from Phoenix NAP and found it funny. The "thief" is a former customer, > > whom we terminated their agreement with. They then forged an LOA, > > submitted it to CWIE.net and Phoenix NAP and resumed using space above > and > > beyond their terminated agreement.
So now any request for assistance to > > stop our networks from being announced is now responded to with an > > instruction to contact the thief's lawyer. > > > > kw > > > > ---------- Forwarded message ---------- > > From: Kelvin Williams > > Date: Tue, Jan 31, 2012 at 7:43 PM > > Subject: Re: [#135346] Unauthorized BGP Announcements > > To: noc at phoenixnap.com > > > > > > We'll be forwarding this to our peers in the industry--rather funny that > > Phoenix NAP would rather send us to the attorney of the people stealing > our > > space than bothering to perform an ARIN WHOIS search, or querying any of > > the IRRs. > > > > Interesting... Very interesting... So, who all do you have > > there--spammers and child pornographers? Is this level of protection > what > > you give to them all? > > > > > > > > On Tue, Jan 31, 2012 at 7:30 PM, Brandon S > wrote: > > > >> Hello, > >> > >> Thank you for your email. Please direct any further questions regarding > >> this issue to the following contact. > >> > >> Bennet Kelley > >> 100 Wilshire Blvd. > >> Suite 950 > >> Santa Monica, CA 90401 > >> bkelley at internetlawcenter.net > >> > >> Telephone > >> 310-452-0401 > >> > >> Facsimile > >> 702-924-8740 > >> > >> -- > >> Brandon S. > >> NOC Services Technician > >> > >> ** We want to hear from you!** > >> We care about the quality of our service. If you?ve received > >> anything less than a prompt response or exceptional service or would > like > >> to share any > >> feedback regarding your experience, please let us know by sending an > email > >> to management: > >> supportfeedback at phoenixnap.com > >> > >> -- > > Kelvin Williams > > Sr. Service Delivery Engineer > > Broadband & Carrier Services > > Altus Communications Group, Inc. > > > > > > "If you only have a hammer, you tend to see every problem as a nail." 
-- > > Abraham Maslow > > > From kwilliams at altuscgi.com Tue Jan 31 19:31:03 2012 From: kwilliams at altuscgi.com (Kelvin Williams) Date: Tue, 31 Jan 2012 20:31:03 -0500 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> Message-ID: We started announcing /24s, combined with the shorter path it seems to be fine. Still jumping through hoops upstream. On Jan 31, 2012 8:26 PM, "PC" wrote: > Curious, What was the outcome of this? > > In any case, I'm hoping the major Tier-1s do the right thing and filter > the rogue annoucements, while allowing the OP's. Hopefully after enough > pressure and dysfunction, they will give it up. > > On Tue, Jan 31, 2012 at 6:15 PM, David Conrad wrote: > >> > I hope none of you ever get hijacked by a spammer housed at Phoenix >> NAP. :) >> >> In the dim past, I had a somewhat similar situation: >> >> - A largish (national telco of a small country) ISP started announcing >> address space a customer of theirs provided. Unfortunately, the address >> space wasn't the ISP's customer's to provide. >> - When the ISP was notified by both their RIR and the organization to >> which the address space was rightfully delegated, the ISP's response was: >> >> "We have a contractual relationship with our customer to announce that >> space. We have neither a contractual relationship (in this context) with >> the RIR nor the RIR's customer. The RIR and/or the RIR's customer should >> resolve this issue with our customer." >> >> It as an eye-opening experience. >> >> Regards, >> -drc >> >> On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: >> >> > >> > We're still not out of the woods, announcing /24s and working with upper >> > tier carriers to filter out our lists. However, I just got this >> response >> > from Phoenix NAP and found it funny. The "thief" is a former customer, >> > whom we terminated their agreement with. 
They then forged an LOA, >> > submitted it to CWIE.net and Phoenix NAP and resumed using space above >> and >> > beyond their terminated agreement. So now any request for assistance to >> > stop our networks from being announced is now responded to with an >> > instruction to contact the thief's lawyer. >> > >> > kw >> > >> > ---------- Forwarded message ---------- >> > From: Kelvin Williams >> > Date: Tue, Jan 31, 2012 at 7:43 PM >> > Subject: Re: [#135346] Unauthorized BGP Announcements >> > To: noc at phoenixnap.com >> > >> > >> > We'll be forwarding this to our peers in the industry--rather funny that >> > Phoenix NAP would rather send us to the attorney of the people stealing >> our >> > space than bothering to perform an ARIN WHOIS search, or querying any of >> > the IRRs. >> > >> > Interesting... Very interesting... So, who all do you have >> > there--spammers and child pornographers? Is this level of protection >> what >> > you give to them all? >> > >> > >> > >> > On Tue, Jan 31, 2012 at 7:30 PM, Brandon S >> wrote: >> > >> >> Hello, >> >> >> >> Thank you for your email. Please direct any further questions regarding >> >> this issue to the following contact. >> >> >> >> Bennet Kelley >> >> 100 Wilshire Blvd. >> >> Suite 950 >> >> Santa Monica, CA 90401 >> >> bkelley at internetlawcenter.net >> >> >> >> Telephone >> >> 310-452-0401 >> >> >> >> Facsimile >> >> 702-924-8740 >> >> >> >> -- >> >> Brandon S. >> >> NOC Services Technician >> >> >> >> ** We want to hear from you!** >> >> We care about the quality of our service. If you?ve received >> >> anything less than a prompt response or exceptional service or would >> like >> >> to share any >> >> feedback regarding your experience, please let us know by sending an >> email >> >> to management: >> >> supportfeedback at phoenixnap.com >> >> >> >> -- >> > Kelvin Williams >> > Sr. Service Delivery Engineer >> > Broadband & Carrier Services >> > Altus Communications Group, Inc. 
>> > >> > >> > "If you only have a hammer, you tend to see every problem as a nail." -- >> > Abraham Maslow >> >> >> > From rbonica at juniper.net Tue Jan 31 19:29:52 2012 From: rbonica at juniper.net (Ronald Bonica) Date: Tue, 31 Jan 2012 20:29:52 -0500 Subject: US DOJ victim letter In-Reply-To: References: <201201201908.q0KJ8u6C045030@mail.r-bonomi.com> <20120127181626.GC21814@lab.pobox.com> Message-ID: <13205C286662DE4387D9AF3AC30EF456D764925FAE@EMBX01-WF.jnpr.net> Folks, I received a DoJ Victim Notification letter yesterday, which was pretty amazing considering the fact that I don't run a network. My letter referenced "United States v. Menachem Youlus". I suspect that the letters that you guys received referenced a different case. Do I have that right? Ron > -----Original Message----- > From: Phil Dyer [mailto:phil at cluestick.net] > Sent: Tuesday, January 31, 2012 7:39 PM > To: nanog at nanog.org > Subject: Re: US DOJ victim letter > > On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: > > On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: > > >> Bit odd, if it's a phish. Even more odd if it's actually from the > Fed. > > > > > > It's definitely real, but seems like they're handling it as > incompetently as > > possible. > > > Yep. That sounds about right. > > Man, I'm feeling left out. I kinda want one now. > > phil From str8steelerfan at gmail.com Tue Jan 31 19:33:35 2012 From: str8steelerfan at gmail.com (John Schneider) Date: Tue, 31 Jan 2012 19:33:35 -0600 Subject: Hijacked Network Ranges Message-ID: Another interesting thing that I noticed is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely) or they are advertising their own legitimate prefixes from another AS; however, I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack.
If that is truly the case, I would certainly be in contact with your lawyers as this is certainly causing you financial loss and since it is easily verifiable, you would have a solid case I would think. I am no attorney but it seems like a no-brainer to me. So, it does look like you are finally announcing your prefixes as a /24 and that most traffic is again coming to your AS. That probably helped quite a bit right? Regards, John From marka at isc.org Tue Jan 31 19:52:57 2012 From: marka at isc.org (Mark Andrews) Date: Wed, 01 Feb 2012 12:52:57 +1100 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: Your message of "Tue, 31 Jan 2012 17:15:29 -0800." <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> Message-ID: <20120201015257.39A071C95D68@drugs.dv.isc.org> In message <7B85F9D8-BA9E-4341-9242-5EB514895B4C at virtualized.org>, David Conrad writes: > > I hope none of you ever get hijacked by a spammer housed at Phoenix > NAP. :) > > In the dim past, I had a somewhat similar situation: > > - A largish (national telco of a small country) ISP started announcing > address space a customer of theirs provided. Unfortunately, the address > space wasn't the ISP's customer's to provide. > - When the ISP was notified by both their RIR and the organization to > which the address space was rightfully delegated, the ISP's response > was: > > "We have a contractual relationship with our customer to announce that > space. We have neither a contractual relationship (in this context) > with the RIR nor the RIR's customer. The RIR and/or the RIR's customer > should resolve this issue with our customer." > > It was an eye-opening experience. > > Regards, > -drc And if I have a contract to commit murder that doesn't mean it is right or legal.
A contract can't get you out of dealing with the law of the land and in most places in the world "aiding and abetting" is illegal. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From paul4004 at gmail.com Tue Jan 31 19:58:00 2012 From: paul4004 at gmail.com (PC) Date: Tue, 31 Jan 2012 18:58:00 -0700 Subject: non-congested comcast peers? In-Reply-To: References: Message-ID: Some data points based on a ~500mb constant UDP telemetry data feed (total) spread across many different comcast endpoints. All Cogent -> Comcast. Even though there's heavy forward error correction provisioned to accommodate 5-10% packet loss, it's hardly used. In fact, packet delivery is incredibly impressive to comcast. Loss is well below 0.01% and often involves another zero in there, too. It's one of the best consumer access networks I've seen and I give them a huge thumbs up for it. Needless to say, I can't back up the same stats against some other carriers (Verizon being the biggest offender, with their congestion being localized to the ATM/DSLAM level and sometimes very high based on my metrics and sampling). That's why the FEC is there. On Tue, Jan 31, 2012 at 8:20 AM, Shacolby Jackson wrote: > Are there any providers that Comcast doesn't regularly run hot? Seems like > no matter who I deliver through at some magical point in the evening they > start spiking jitter and a little loss. Almost like everyone hits PLAY on > netflix at the same time. 
> > -shac From drc at virtualized.org Tue Jan 31 20:00:44 2012 From: drc at virtualized.org (David Conrad) Date: Tue, 31 Jan 2012 18:00:44 -0800 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <20120201015257.39A071C95D68@drugs.dv.isc.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> <20120201015257.39A071C95D68@drugs.dv.isc.org> Message-ID: On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: >> "We have a contractual relationship with our customer to announce that >> space. We have neither a contractual relationship (in this context) >> with the RIR nor the RIR's customer. The RIR and/or the RIR's customer >> should resolve this issue with our customer." > > And if I have a contract to commit murder that doesn't mean that > it is right nor legal. A contract can't get you out of dealing > with the law of the land and in most places in the world "aiding and > abetting" is illegal. You appear to be making a large number of assumptions on limited evidence. In the case I'm familiar with, I can assure you that no laws were being broken (even if all the parties were in the same country, which they weren't). However, this is getting off-topic and I don't want to hijack the thread. The issue of route hijacking is quite serious and it will be interesting to see how this all works out. 
Regards, -drc From owen at delong.com Tue Jan 31 20:03:22 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 31 Jan 2012 18:03:22 -0800 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <20120201015257.39A071C95D68@drugs.dv.isc.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> <20120201015257.39A071C95D68@drugs.dv.isc.org> Message-ID: <65E48EB1-A51C-4C70-9629-CD7477D6877B@delong.com> On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: > > In message <7B85F9D8-BA9E-4341-9242-5EB514895B4C at virtualized.org>, David Conrad > writes: >>> I hope none of you ever get hijacked by a spammer housed at Phoenix >> NAP. :) >> >> In the dim past, I had a somewhat similar situation: >> >> - A largish (national telco of a small country) ISP started announcing >> address space a customer of theirs provided. Unfortunately, the address >> space wasn't the ISP's customer's to provide. >> - When the ISP was notified by both their RIR and the organization to >> which the address space was rightfully delegated, the ISP's response >> was: >> >> "We have a contractual relationship with our customer to announce that >> space. We have neither a contractual relationship (in this context) >> with the RIR nor the RIR's customer. The RIR and/or the RIR's customer >> should resolve this issue with our customer." >> >> It was an eye-opening experience. >> >> Regards, >> -drc > > And if I have a contract to commit murder that doesn't mean that > it is right nor legal. A contract can't get you out of dealing > with the law of the land and in most places in the world "aiding and > abetting" is illegal. > > Mark > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org Not to put a damper on things, but, is there actually any law that precludes use of integers as internet addresses contrary to the registration data contained in RIR databases? 
I can see how a case might be made for tortious interference, but I think it's quite nebulous and I believe a civil matter at best. IANAL, but, I actually wonder if there is any way to construe the behavior in question as criminal and if so, under what statute(s). Owen From jeroen at mompl.net Tue Jan 31 20:17:25 2012 From: jeroen at mompl.net (Jeroen van Aart) Date: Tue, 31 Jan 2012 18:17:25 -0800 Subject: Megaupload.com seized In-Reply-To: <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> References: <64CFB59E-BB47-4D9F-8E14-AC9AA1D9D280@cs.columbia.edu> <72B69C18-552A-4E5A-8CE7-3EB3548012D3@cs.columbia.edu> Message-ID: <4F28A0B5.5010206@mompl.net> Steven Bellovin wrote: > Note this from the NY Times article: > > The Megaupload case is unusual, said Orin S. Kerr, a law professor > at George Washington University, in that federal prosecutors obtained > the private e-mails of Megaupload's operators in an effort to show they > were operating in bad faith. > > "The government hopes to use their private words against them," Mr. Kerr > said. "This should scare the owners and operators of similar sites." (I base my rant on the assumption Megaupload had outsourced their email to one of those "enterprise level" offerings, such as gmail or yahoo). If this isn't a convincing argument for using your own physical email servers (with encrypted filesystems and limited log keeping and what have you) and against outsourcing your email, then I don't know. I understand they can seize your servers and get your email that way if you were not smart enough to delete it and/or use encrypted filesystems. However it's much, much harder to use email against you in preparation of a case when you run your own servers. Because they can't just quietly ask your email provider to hand over the data and forbid them to talk about it... Besides, running an email server is almost a trivial exercise for any marginally competent IT person. 
If you can set up a system such as megaupload you for sure can run your own, secure, email servers. If not ask someone competent enough to do it for you. Greetings, Jeroen -- Earthquake Magnitude: 4.8 Date: Tuesday, January 31, 2012 07:26:11 UTC Location: Fiji region Latitude: -21.9943; Longitude: -179.4848 Depth: 596.00 km From danny at tcb.net Tue Jan 31 20:23:54 2012 From: danny at tcb.net (Danny McPherson) Date: Tue, 31 Jan 2012 21:23:54 -0500 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: References: Message-ID: Internet number resource certification and origin validation sure would be nice here ;-) -danny On Jan 31, 2012, at 7:49 PM, Kelvin Williams wrote: > I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) > > We're still not out of the woods, announcing /24s and working with upper > tier carriers to filter out our lists. However, I just got this response > from Phoenix NAP and found it funny. The "thief" is a former customer, > whom we terminated their agreement with. They then forged an LOA, > submitted it to CWIE.net and Phoenix NAP and resumed using space above and > beyond their terminated agreement. So now any request for assistance to > stop our networks from being announced is now responded to with an > instruction to contact the thief's lawyer. 
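Danny's remark about "Internet number resource certification and origin validation" (and Randy's note further down that there is running code) refers to RPKI-based route origin validation, RFC 6811: a router compares each received (prefix, origin AS) against the set of validated ROAs and marks it Valid, Invalid or NotFound. The following is an added illustration of that decision procedure, not code from the thread or from any RPKI implementation. The ROAs and announcements are constructed from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398); AS64496 stands in for the legitimate holder and AS64511 for a former customer still announcing space it is no longer entitled to.

```python
"""
Minimal RFC 6811 route origin validation (ROV) against a set of ROAs.

Added example, not code from the thread. ROAs, prefixes and ASNs are
constructed from documentation ranges and refer to no real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """The holder of `prefix` authorises `asn` to originate it and any
    more-specific announcement no longer than `max_length` bits."""
    prefix: IPNetwork
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength shorter than the prefix itself
    or longer than the address family allows."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def covering_roas(roas: Iterable[ROA], route: IPNetwork) -> list[ROA]:
    """ROAs whose prefix covers the route (RFC 6811 'Covered' relation).
    The address-family check keeps subnet_of() from raising on a mix."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one (prefix, origin AS).

    Valid: at least one covering ROA matches both the origin AS and the
    maxLength. Invalid: covering ROAs exist but none matches. NotFound:
    no ROA covers the prefix at all (today's common case for unsigned
    space, which ROV cannot protect).
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed data: AS64496 holds 198.51.100.0/22 and 2001:db8::/32 and
# permits deaggregation to /24 and /48 respectively.
SAMPLE_ROAS = [
    make_roa("198.51.100.0/22", 24, 64496),
    make_roa("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    checks = [
        ("198.51.100.0/24", 64496),  # holder, within maxLength  -> Valid
        ("198.51.100.0/24", 64511),  # former customer           -> Invalid
        ("198.51.100.0/25", 64496),  # holder, but too specific  -> Invalid
        ("203.0.113.0/24", 64511),   # nothing covers it         -> NotFound
        ("2001:db8:1::/48", 64496),  # IPv6, within maxLength    -> Valid
    ]
    for pfx, asn in checks:
        print(f"{pfx:18} AS{asn}: {validate(SAMPLE_ROAS, pfx, asn)}")
```

Two practitioner caveats that the thread's situation makes concrete: a policy that only drops Invalid routes does nothing for space whose holder has never issued a ROA (the result is NotFound, not Invalid), and ROV checks only the origin AS, so a hijacker who prepends the legitimate origin to a forged path still passes.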
From george.herbert at gmail.com Tue Jan 31 20:25:06 2012 From: george.herbert at gmail.com (George Herbert) Date: Tue, 31 Jan 2012 18:25:06 -0800 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <65E48EB1-A51C-4C70-9629-CD7477D6877B@delong.com> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> <20120201015257.39A071C95D68@drugs.dv.isc.org> <65E48EB1-A51C-4C70-9629-CD7477D6877B@delong.com> Message-ID: On Tue, Jan 31, 2012 at 6:03 PM, Owen DeLong wrote: > > On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: > >> >> In message <7B85F9D8-BA9E-4341-9242-5EB514895B4C at virtualized.org>, David Conrad >> writes: >>>> I hope none of you ever get hijacked by a spammer housed at Phoenix >>> NAP. :) >>> >>> In the dim past, I had a somewhat similar situation: >>> >>> - A largish (national telco of a small country) ISP started announcing >>> address space a customer of theirs provided. Unfortunately, the address >>> space wasn't the ISP's customer's to provide. >>> - When the ISP was notified by both their RIR and the organization to >>> which the address space was rightfully delegated, the ISP's response >>> was: >>> >>> "We have a contractual relationship with our customer to announce that >>> space. We have neither a contractual relationship (in this context) >>> with the RIR nor the RIR's customer. The RIR and/or the RIR's customer >>> should resolve this issue with our customer." >>> >>> It was an eye-opening experience. >>> >>> Regards, >>> -drc >> >> And if I have a contract to commit murder that doesn't mean that >> it is right nor legal. A contract can't get you out of dealing >> with the law of the land and in most places in the world "aiding and >> abetting" is illegal. >> >> Mark >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 
INTERNET: marka at isc.org > > Not to put a damper on things, but, is there actually any law that precludes use of integers as internet addresses contrary to the registration data contained in RIR databases? > > I can see how a case might be made for tortious interference, but I think it's quite nebulous and I believe a civil matter at best. IANAL, but, I actually wonder if there is any way to construe the behavior in question as criminal and if so, under what statute(s). > > Owen > > An interesting thought experiment series: Imagine that instead of joe-random-small-ISP, this was Tier-1 ISP customer space being hijacked. Imagine that instead of Tier-1 customer, it was Tier-1 core services (www.company, etc). Imagine that instead of Tier-1 core services, it was the blocks www.apple.com/iTunes or www.google.com lived in. Imagine that instead of www.google.com, it was www.whitehouse.gov. At some point, I suspect that this gets service to get it fixed RIGHT NOW. At some point, the guys informing you it's RIGHT NOW show up with badges. The question is, when is it badges? It can be construed as a denial of service attack on the addresses' rightful owners. They will respond to any major government site being hijacked. Probably to Apple or Google. Likely to a Tier-1 ISP's internal infrastructure. That they probably won't to the current situation is a matter of failure of the system to scale, not that the ethics, morality, or legality of the situation are any different now than www.whitehouse.gov going poof. IMHO. -- -george william herbert george.herbert at gmail.com From Valdis.Kletnieks at vt.edu Tue Jan 31 20:23:46 2012 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 31 Jan 2012 21:23:46 -0500 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: Your message of "Wed, 01 Feb 2012 12:52:57 +1100." 
<20120201015257.39A071C95D68@drugs.dv.isc.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> <20120201015257.39A071C95D68@drugs.dv.isc.org> Message-ID: <39512.1328063026@turing-police.cc.vt.edu> On Wed, 01 Feb 2012 12:52:57 +1100, Mark Andrews said: > > - A largish (national telco of a small country) ISP started announcing national telco. oooh kayyyy... > And if I have a contract to commit murder that doesn't mean that > it is right nor legal. A contract can't get you out of dealing > with the law of the land and in most places in the world "aiding and > abetting" is illegal. Vercotti: ..... and one night Dinsdale walked in with a couple of big lads, one of whom was carrying a tactical nuclear missile. They said I'd bought one of their fruit machines and would I pay for it. Interviewer: How much did they want? Vercotti: Three quarters of a million pounds. Then they went out. Interviewer: Why didn't you call the police? Vercotti: Well I had noticed that the lad with the thermo-nuclear device was the Chief Constable for the area. 
From bonomi at mail.r-bonomi.com Tue Jan 31 20:41:06 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Tue, 31 Jan 2012 20:41:06 -0600 (CST) Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <20120201015257.39A071C95D68@drugs.dv.isc.org> Message-ID: <201202010241.q112f6Qv099408@mail.r-bonomi.com> > From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Tue Jan 31 19:57:51 2012 > To: David Conrad > From: Mark Andrews > Subject: Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked > Networks) > Date: Wed, 01 Feb 2012 12:52:57 +1100 > Cc: nanog at nanog.org > > > In message <7B85F9D8-BA9E-4341-9242-5EB514895B4C at virtualized.org>, David Conrad > writes: > > > I hope none of you ever get hijacked by a spammer housed at Phoenix > > NAP. :) > > > > In the dim past, I had a somewhat similar situation: > > > > - A largish (national telco of a small country) ISP started announcing > > address space a customer of theirs provided. Unfortunately, the address > > space wasn't the ISP's customer's to provide. > > - When the ISP was notified by both their RIR and the organization to > > which the address space was rightfully delegated, the ISP's response > > was: > > > > "We have a contractual relationship with our customer to announce that > > space. We have neither a contractual relationship (in this context) > > with the RIR nor the RIR's customer. The RIR and/or the RIR's customer > > should resolve this issue with our customer." > > > > It was an eye-opening experience. > > > > Regards, > > -drc > > And if I have a contract to commit murder that doesn't mean that > it is right nor legal. A contract can't get you out of dealing > with the law of the land and in most places in the world "aiding and > abetting" is illegal. 
> > Mark > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > From randy at psg.com Tue Jan 31 20:40:45 2012 From: randy at psg.com (Randy Bush) Date: Wed, 01 Feb 2012 11:40:45 +0900 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: References: Message-ID: > Internet number resource certification and origin validation sure > would be nice here ;-) this is arin address space. arin is the only rir which has not deployed and there is running code randy From carlos at race.com Tue Jan 31 20:52:54 2012 From: carlos at race.com (Carlos Alcantar) Date: Wed, 1 Feb 2012 02:52:54 +0000 Subject: US DOJ victim letter In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D764925FAE@EMBX01-WF.jnpr.net> Message-ID: Mine is showing "United States v. Vladimir Tsastsin" Carlos Alcantar Race Communications / Race Team Member 101 Haskins Way, So. San Francisco, CA. 94080 Phone: +1 415 376 3314 / carlos at race.com / http://www.race.com -----Original Message----- From: Ronald Bonica Date: Tue, 31 Jan 2012 20:29:52 -0500 To: Phil Dyer , "nanog at nanog.org" Subject: RE: US DOJ victim letter Folks, I received a DoJ Victim Notification letter yesterday, which was pretty amazing considering the fact that I don't run a network. My letter referenced "United States v. Menachem Youlus". I suspect that the letters that you guys received referenced a different case. Do I have that right? Ron > -----Original Message----- > From: Phil Dyer [mailto:phil at cluestick.net] > Sent: Tuesday, January 31, 2012 7:39 PM > To: nanog at nanog.org > Subject: Re: US DOJ victim letter > > On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: > > On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: > > >> Bit odd, if it's a phish. Even more odd if it's actually from the > Fed. > > > > > > It's definitely real, but seems like they're handling it as > incompetently as > > possible. > > > Yep. 
That sounds about right. > > Man, I'm feeling left out. I kinda want one now. > > phil From mysidia at gmail.com Tue Jan 31 21:25:17 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Tue, 31 Jan 2012 21:25:17 -0600 Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> Message-ID: On Tue, Jan 31, 2012 at 7:15 PM, David Conrad wrote: > "We have a contractual relationship with our customer to announce that > space. We have neither a contractual relationship (in this context) with > the RIR nor the RIR's customer. The RIR and/or the RIR's customer should > resolve this issue with our customer." > This is the point at which you really, really want to turn the tables and get someone who desires to announce that very provider's own space approaching you, so you "enter a contractual relationship" with that party to do so, since (apparently) according to that provider you don't have an obligation to prevent this. And you have a nice letter from them to prove it to any upstreams, that resource issues are to be resolved with end users. If according to that provider those issues should be resolved between the RIR listed address space holder and the customer directly, (apparently), you are not to be involved in preventing a customer from hijacking their own assigned prefix. Because the same logic must apply to their very own address space; it is up to them and the RIR to resolve their issue with the elusive end user. But then you realize the only party that could ever approach you with a request to route them another provider's space would be one of those evil spammers.... > It was an eye-opening experience. > Regards, > -drc > -- -JH From pauldotwall at gmail.com Tue Jan 31 21:28:31 2012 From: pauldotwall at gmail.com (Paul WALL) Date: Wed, 1 Feb 2012 03:28:31 +0000 Subject: non-congested comcast peers? 
In-Reply-To: References: Message-ID: On 1/31/12, Shacolby Jackson wrote: > Are there any providers that Comcast doesn't regularly run hot? Seems like > no matter who I deliver through at some magical point in the evening they > start spiking jitter and a little loss. Almost like everyone hits PLAY on > netflix at the same time. You could try Cogent, AT&T, or Savvis, though they'll probably fill up now that I've mentioned it. Drive Slow (like a download going over Comcast-GBLX), Paul Wall From mtinka at globaltransit.net Tue Jan 31 21:50:48 2012 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 1 Feb 2012 11:50:48 +0800 Subject: [c-nsp] ASR opinions.. In-Reply-To: References: <201109021756.56518.mtinka@globaltransit.net> Message-ID: <201202011150.48562.mtinka@globaltransit.net> On Tuesday, January 31, 2012 06:38:10 AM Christopher J. Pilkington wrote: > Does anyone have a link to a definitive document clearly > showing FIB numbers for the ASR1001? I've got an email > into our Cisco SE, but I don't think they're motivated > to sell us a lower-end box. :-) On that link, Tables 1 and 3 contradict each other re: the ASR1001. However, I confirmed with our SE, and he says no way the ASR1001 supports anything more than 512,000 v4 entries and 128,000 v6 entries (which is Table 3). Maybe someone on the list from Cisco can help fix the documentation. Mark. From warren at kumari.net Tue Jan 31 22:04:52 2012 From: warren at kumari.net (Warren Kumari) Date: Tue, 31 Jan 2012 23:04:52 -0500 Subject: Arriving early... Message-ID: Hi there all, I'm arriving on Friday evening -- was wondering who all might be around on Saturday? Anyone interested in doing something? Sightseeing, wandering around, etc? 
W -- Some people are like Slinkies......Not really good for anything but they still bring a smile to your face when you push them down the stairs. From gbonser at seven.com Tue Jan 31 22:10:32 2012 From: gbonser at seven.com (George Bonser) Date: Wed, 1 Feb 2012 04:10:32 +0000 Subject: Hijacked Network Ranges In-Reply-To: References: Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09C9DDF8@RWC-MBX1.corp.seven.com> > -----Original Message----- > From: John Schneider > Sent: Tuesday, January 31, 2012 5:34 PM > To: Kelvin Williams > Subject: Re: Hijacked Network Ranges > > Another interesting thing that I noticed, is that AS33611 is not > advertising any prefixes other than yours. Either they do not have any > of their own (unlikely) or they are advertising their own legitimate > prefixes from another AS however I doubt that is the case. It sounds > like you were able to verify that this is indeed a malicious attack. If I read the previous material correctly, it seems to have gone something like: Customer was initially a customer of Kelvin's firm and had the address assignments in question. Customer relationship with Kelvin's firm terminated and they contracted for service elsewhere but are apparently attempting to maintain the use of the address allocation(s) they received from Kelvin's firm. They apparently did this by misrepresenting the fact that they were entitled to use that address space. If that is the case, it isn't so much a "malicious attack" as it is just plain stealing the use of IP address space they aren't entitled to. From jfbeam at gmail.com Tue Jan 31 22:39:32 2012 From: jfbeam at gmail.com (Ricky Beam) Date: Tue, 31 Jan 2012 23:39:32 -0500 Subject: Hijacked Network Ranges In-Reply-To: <005801cce046$b9f2ee60$2dd8cb20$@gmail.com> References: <005801cce046$b9f2ee60$2dd8cb20$@gmail.com> Message-ID: On Tue, 31 Jan 2012 13:32:35 -0500, Chuck Church wrote: > Shouldn't a forged LOA be justification to contact law enforcement? 
It is, but if you want anything done about it before the polar ice caps melt, you'll seek other paths as well. a) law enforcement doesn't understand the problem, and b) the law moves very slowly. --Ricky From chaim.rieger at gmail.com Tue Jan 31 22:44:41 2012 From: chaim.rieger at gmail.com (Chaim Rieger) Date: Tue, 31 Jan 2012 20:44:41 -0800 Subject: Arriving early... In-Reply-To: References: Message-ID: Am a bit north of SD ... might make it down on Saturday. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Warren Kumari wrote: Hi there all, I'm arriving on Friday evening -- was wondering who all might be around on Saturday? Anyone interested in doing something? Sightseeing, wandering around, etc? W -- Some people are like Slinkies......Not really good for anything but they still bring a smile to your face when you push them down the stairs. From tony at lavanauts.org Tue Jan 31 22:53:14 2012 From: tony at lavanauts.org (Antonio Querubin) Date: Tue, 31 Jan 2012 18:53:14 -1000 (HST) Subject: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) In-Reply-To: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> References: <7B85F9D8-BA9E-4341-9242-5EB514895B4C@virtualized.org> Message-ID: On Tue, 31 Jan 2012, David Conrad wrote: > In the dim past, I had a somewhat similar situation: > > - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. > - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: > > "We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer." > > It was an eye-opening experience. 
Contracts are generally not a valid reason to be breaking laws. Antonio Querubin e-mail: tony at lavanauts.org xmpp: antonioquerubin at gmail.com From dariojaguilar at gmail.com Fri Jan 13 15:34:04 2012 From: dariojaguilar at gmail.com (Dario Aguilar) Date: Fri, 13 Jan 2012 21:34:04 -0000 Subject: Many dns queries to a.root-servers.net Message-ID: Hi, I'm seeing quite a lot of queries for "a.root-servers.net IN A" in the logs of my caching servers. They seem to be coming from normal home DSL customers (IPs who would be expected to be using the name servers) with each sending one query every 2 seconds. All together they represent more than 10% of the total queries. I am guessing it is probably some sort of spyware/malware/virus/router/O.S. version but I was wondering if anyone knows offhand?
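Whatever the cause turns out to be, the pattern Dario describes (a fixed qname, one query every couple of seconds per client, adding up to a noticeable share of total load) is easy to pull out of a resolver's query log mechanically. The script below is an added example, not part of this thread: it parses query-log lines, counts per-client queries for the suspect name, and flags clients whose average inter-query gap is short enough to look like a beacon rather than a one-off lookup. The log lines are constructed for the example and assume a BIND 9 query log with timestamps enabled ("client <ip>#<port>: query: <qname> IN <qtype> ..."); LOG_RE is the only thing to change for a resolver that logs differently. All client addresses are from the RFC 5737 documentation range.

```python
"""
Flag resolver clients that beacon a fixed qname at a steady rate.

Added example, not from the thread. SAMPLE_LOG is constructed in the
shape of a BIND 9 query log (print-time yes); the regex is an assumption
about that format and is the knob to adjust for other resolvers.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)(?:\s|$)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_query_log(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, client_ip, qname, qtype) for each parsable line;
    lines from other log categories or truncated lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield (datetime.strptime(m["ts"], TS_FMT), m["ip"],
               m["qname"].rstrip(".").lower(), m["qtype"].upper())


def find_beacons(lines: Iterable[str], qname: str = "a.root-servers.net",
                 qtype: str = "A", min_queries: int = 3,
                 max_interval_s: float = 5.0) -> Dict:
    """Count queries for (qname, qtype) per client and flag clients that
    send at least `min_queries` of them with an average gap of at most
    `max_interval_s` seconds. Also report the share of total query load."""
    total = 0
    stamps_by_client: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, name, typ in parse_query_log(lines):
        total += 1
        if name == qname and typ == qtype:
            stamps_by_client[ip].append(ts)

    matching = sum(len(v) for v in stamps_by_client.values())
    suspects = {}
    for ip, stamps in stamps_by_client.items():
        if len(stamps) < min_queries:
            continue  # one or two lookups is not a beacon
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        interval = span / (len(stamps) - 1)
        if interval <= max_interval_s:
            suspects[ip] = {"queries": len(stamps),
                            "avg_interval_s": round(interval, 2)}

    return {"total_queries": total, "matching_queries": matching,
            "share": matching / total if total else 0.0,
            "suspects": suspects}


# Constructed sample: .10 and .11 beacon every 2 s, .20 asks once, .21 never.
SAMPLE_LOG = """\
31-Jan-2012 21:34:00.101 client 192.0.2.10#51234: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:02.104 client 192.0.2.10#51234: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:04.099 client 192.0.2.10#51234: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:06.102 client 192.0.2.10#51234: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:08.101 client 192.0.2.10#51234: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:01.000 client 192.0.2.11#40001: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:03.000 client 192.0.2.11#40002: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:05.000 client 192.0.2.11#40003: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:07.000 client 192.0.2.11#40004: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:00.500 client 192.0.2.20#33001: query: www.example.com IN A + (192.0.2.1)
31-Jan-2012 21:34:01.500 client 192.0.2.20#33002: query: www.example.com IN AAAA + (192.0.2.1)
31-Jan-2012 21:34:02.500 client 192.0.2.20#33003: query: example.net IN MX + (192.0.2.1)
31-Jan-2012 21:34:03.500 client 192.0.2.20#33004: query: a.root-servers.net IN A + (192.0.2.1)
31-Jan-2012 21:34:04.500 client 192.0.2.20#33005: query: mail.example.org IN A + (192.0.2.1)
31-Jan-2012 21:34:05.500 client 192.0.2.21#33006: query: www.example.org IN A + (192.0.2.1)
31-Jan-2012 21:34:06.500 client 192.0.2.21#33007: query: ntp.example.org IN A + (192.0.2.1)
"""

if __name__ == "__main__":
    report = find_beacons(SAMPLE_LOG.splitlines())
    print(f"{report['matching_queries']}/{report['total_queries']} queries "
          f"({report['share']:.0%}) were {report['suspects'] and 'beacons' or 'noise'}")
    for ip, info in sorted(report["suspects"].items()):
        print(f"  {ip}: {info['queries']} queries, ~{info['avg_interval_s']}s apart")
```

On a real log, feed the file object straight in (`find_beacons(open("query.log"))`) and raise `min_queries` to something like 20 so a handful of legitimate lookups from a stub resolver never trips it; the per-client list then becomes the starting point for a quick look at what those DSL endpoints actually are.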